257 CVEs tracked today. 19 Critical, 116 High, 104 Medium, 18 Low.
-
CVE-2026-43039
CRITICAL
CVSS 9.8
Remote code execution and information disclosure in Linux Kernel's TI ICSSG PRU Ethernet driver allows unauthenticated network attackers to leak kernel heap memory to userspace and potentially corrupt page_pool state. The zero-copy RX dispatch path fails to copy received packet data into newly allocated skbs, instead forwarding uninitialized heap memory up the network stack. Vendor patches available for kernel 6.19.12 and 7.0. EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity despite critical CVSS 9.8 rating and network attack vector.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43038
CRITICAL
CVSS 9.8
Memory corruption in Linux kernel IPv6 ICMP error handling allows remote unauthenticated attackers to potentially achieve code execution or information disclosure. The vulnerability arises from incomplete control block (CB) sanitization when converting IPv4 ICMP errors to ICMPv6, enabling forged CIPSO options in outer IPv4 packets to manipulate inner IPv6 packet parsing. This can trigger out-of-bounds memory access extending into skb_shared_info structures. Despite CVSS 9.8 critical rating, EPSS exploitation probability is extremely low (0.02%, 7th percentile), no public exploit code exists, and CISA has not listed this as actively exploited. Patches are available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43037
CRITICAL
CVSS 9.8
A stack-based buffer overflow in the Linux kernel's IPv6-to-IPv4 tunneling (ip6_tunnel) code allows remote unauthenticated attackers to achieve arbitrary code execution. The vulnerability occurs when ip4ip6_err() passes a cloned skb with IPv6-formatted control buffer data to icmp_send(), which misinterprets it as IPv4 control buffer data. This type confusion causes __ip_options_echo() to read attacker-controlled packet data as a length value and copy up to that many bytes into a fixed 40-byte stack buffer, enabling remote exploitation with no prerequisites. EPSS score of 0.02% suggests limited exploitation probability despite critical CVSS 9.8 rating. Vendor-released patches are available across all maintained kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0).
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-43011
CRITICAL
CVSS 9.8
Double-free vulnerability in Linux kernel X.25 networking subsystem allows remote network attackers to potentially achieve denial of service or arbitrary code execution. The flaw occurs in x25_queue_rx_frame when socket buffer allocation fails, causing the same skb to be freed twice through the call chain from x25_backlog_rcv. Despite critical CVSS 9.8 score, exploitation probability remains low (EPSS 2%, 7th percentile) with no confirmed active exploitation (not in CISA KEV) and no public exploit code identified. Patches available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0).
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-42996
CRITICAL
CVSS 10.0
Stack-based buffer overflow in JS8Call allows remote code execution via crafted radio transmission containing an oversized Maidenhead grid locator. CVSS 10.0 reflects network-reachable attack with no authentication required. Both JS8Call (through 2.3.1) and JS8Call-improved (before 3.0) are affected by the overflow in grid2deg function within APRSISClient.cpp. Vendor patch available for JS8Call-improved 3.0+; JS8Call project status unclear. No confirmed active exploitation or public POC identified at time of analysis, though attack vector is straightforward for actors with radio transmission capabilities.
Buffer Overflow
Stack Overflow
-
CVE-2026-42779
CRITICAL
CVSS 9.8
Remote unauthenticated code execution in Apache MINA 2.1.0-2.1.11 and 2.2.0-2.2.6 allows attackers to bypass class allowlist protections via unsafe deserialization. The vulnerability exists because the fix for CVE-2026-41635 was not backported to the 2.1.X and 2.2.X branches, leaving AbstractIoBuffer.resolveClass() susceptible to arbitrary class instantiation when applications call IoBuffer.getObject(). Only applications actively using MINA's deserialization features are affected. EPSS data not available; no KEV listing or public POC identified at time of analysis.
RCE
Apache
Deserialization
Red Hat
-
CVE-2026-42778
CRITICAL
CVSS 9.8
Remote code execution in Apache MINA 2.1.0-2.1.11 and 2.2.0-2.2.6 allows unauthenticated attackers to execute arbitrary code via unsafe deserialization. The fix for prior CVE-2024-52046 was incomplete: the classname allowlist protecting IoBuffer.getObject() was applied too late, allowing malicious static initializers to execute before filtering. Confirmed actively exploited (CISA KEV). EPSS exploitation probability not provided, but the network-accessible, unauthenticated attack vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N) combined with KEV status indicates immediate patching is critical for applications calling IoBuffer.getObject().
Apache
Deserialization
Red Hat
-
CVE-2026-42484
CRITICAL
CVSS 9.8
Heap-based buffer overflow in hashcat 7.1.2 enables remote code execution or denial of service through maliciously crafted PKZIP hash files. Attackers can exploit inadequate input validation in the hex_to_binary function affecting PKZIP hash parser modules (17200, 17210, 17220, 17225, 17230) to overflow fixed-size buffers with arbitrary hex data. CVSS 9.8 reflects network-accessible attack vector requiring no authentication or user interaction, though real-world exploitation requires the victim to process attacker-supplied hash files. EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation. Public proof-of-concept exists (GitHub Gist), elevating exploitation risk for environments processing untrusted hash files.
RCE
Buffer Overflow
Denial Of Service
Memory Corruption
Suse
-
CVE-2026-42483
CRITICAL
CVSS 9.8
Heap-based buffer overflow in hashcat 7.1.2's Kerberos hash parser enables remote code execution without authentication. An attacker supplies a maliciously crafted Kerberos hash file with manipulated delimiter positions to overflow the fixed-size account_info buffer during memcpy operations in module_hash_decode. The vulnerability affects multiple Kerberos-related hashcat modules due to missing upper-bound validation on account_info_len before memory copy. CVSS 9.8 with network attack vector, but real-world exploitation requires a user to process the malicious file. EPSS data not available; no active exploitation confirmed in CISA KEV at time of analysis.
RCE
Buffer Overflow
Denial Of Service
Memory Corruption
Suse
-
CVE-2026-42482
CRITICAL
CVSS 9.8
Stack-based buffer overflow in hashcat 7.1.2's rule processing functions enables remote code execution when processing password candidates of 128+ characters. The vulnerability stems from inadequate bounds checking in mangle_to_hex_lower() and mangle_to_hex_upper() functions that fail to account for 2x memory expansion during byte-to-hex conversion. CVSS 9.8 (critical) with network attack vector and no authentication required. Public proof-of-concept code available via GitHub gist. No CISA KEV listing suggests targeted rather than widespread exploitation despite theoretical network exploitability.
RCE
Buffer Overflow
Denial Of Service
Memory Corruption
Suse
-
CVE-2026-42473
CRITICAL
CVSS 9.8
Remote code execution in MixPHP Framework 2.x through 2.2.17 allows unauthenticated network attackers to execute arbitrary code via unsafe deserialization. The FileHandler class processes session and cache data using PHP's unserialize() on filesystem-sourced content without validation, enabling object injection attacks. CVSS 9.8 critical severity with network attack vector and no privileges required. SSVC assessment confirms automatable exploitation with total technical impact. No active exploitation confirmed at time of analysis (not in CISA KEV), but publicly available proof-of-concept exists (GitHub gist reference).
Deserialization
-
CVE-2026-42472
CRITICAL
CVSS 9.8
Remote unauthenticated code execution in MixPHP Framework 2.x through 2.2.17 allows attackers to execute arbitrary PHP code by injecting malicious serialized objects into Redis-backed session or cache storage. The framework's RedisHandler directly deserializes untrusted data from Redis using PHP's unserialize() function without validation. CVSS 9.8 with network vector, low complexity, and no privileges required. EPSS and KEV status not provided; SSVC framework marks this as automatable with total technical impact, indicating high exploitability despite no confirmed active exploitation at time of analysis.
Deserialization
Redis
-
CVE-2026-37541
CRITICAL
CVSS 10.0
Remote code execution in Open Vehicle Monitoring System 3 (OVMS3) version 3.3.005 allows network-based attackers to execute arbitrary code or crash the system without authentication. A buffer overflow in the GVRET CAN data parser (canformat_gvret.cpp) fails to validate length fields in binary frames, enabling memory corruption. CVSS 10.0 reflects unauthenticated network vector with scope change, but no public exploit or active exploitation confirmed at time of analysis. EPSS data unavailable; real-world risk depends on OVMS3 deployment exposure (typically vehicle telematics environments).
RCE
Buffer Overflow
Denial Of Service
Stack Overflow
-
CVE-2026-37539
CRITICAL
CVSS 9.8
Remote code execution in cannelloni v2.0.0 allows unauthenticated network attackers to crash the service or execute arbitrary code by sending malformed CAN FD frames that trigger buffer overflows in two separate parsing functions (parseCANFrame in parser.cpp and decodeFrame in decoder.cpp). The CVSS score of 9.8 reflects network-accessible exploitation requiring no authentication or user interaction, with complete system compromise possible. Public proof-of-concept code exists (GitHub Gist reference), elevating immediate exploitation risk despite no CISA KEV listing, suggesting targeted rather than mass exploitation scenarios.
RCE
Buffer Overflow
Denial Of Service
Stack Overflow
-
CVE-2026-37534
CRITICAL
CVSS 9.8
Integer underflow in Open-SAE-J1939 library's transport protocol handler enables remote unauthenticated attackers to corrupt arbitrary memory locations via manipulated CAN frame sequence numbers. CVSS 9.8 reflects network-accessible attack surface with no authentication barriers, though exploitation requires deployment in CAN-connected environments (industrial control systems, automotive networks). EPSS data unavailable; SSVC indicates total technical impact with automated exploitation potential but no confirmed active exploitation.
Information Disclosure
Integer Overflow
-
CVE-2026-37531
CRITICAL
CVSS 9.8
Remote unauthenticated arbitrary file write in AGL (Automotive Grade Linux) app-framework-main through version 17.1.12 allows attackers to achieve code execution or system compromise via malicious widget packages. A crafted ZIP archive combining path traversal (../ sequences in filenames) with a time-of-check-time-of-use race condition allows files to be written anywhere on the filesystem before signature validation occurs. Even when signature checks fail, malicious files persist outside the temporary directory. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation. Public technical analysis available via GitHub Gist reference suggests proof-of-concept may exist.
Path Traversal
-
CVE-2026-31718
CRITICAL
CVSS 9.8
Use-after-free in Linux kernel ksmbd (SMB server) during durable file handle scavenging allows memory corruption and potential remote code execution. When a durable SMB2 file handle survives session disconnect, the cleanup path dereferences a freed connection object via NULL fp->conn pointer during lock cleanup, causing a slab use-after-free. Exploitation probability is extremely low (EPSS 0.02%, 5th percentile) with no active exploitation confirmed. Vendor patches available across multiple stable kernel branches (6.12.84, 6.18.25, 7.0.2, 7.1-rc1) address the asymmetric cleanup by properly managing byte-range lock lifetimes during durable handle reconnection.
Information Disclosure
Linux
Use After Free
Memory Corruption
-
CVE-2026-31705
CRITICAL
CVSS 9.8
Out-of-bounds write in Linux kernel's ksmbd SMB server allows memory corruption when processing extended attributes (EA) in QUERY_INFO responses. The smb2_get_ea() function performs 4-byte alignment padding without checking remaining buffer space, causing 1-3 bytes to write past allocation boundaries when EA values exactly fill the response buffer. This occurs in compound SMB2 requests where shared response buffers are tightly constrained. EPSS score of 0.02% suggests minimal observed exploitation activity, though the CVSS 9.8 critical rating reflects the theoretical network-accessible, unauthenticated attack surface. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.84, 7.0.2, 7.1-rc1). Not listed in CISA KEV. This represents the third instance of the same vulnerability pattern in ksmbd QUERY_INFO handlers, following fixes in commits beef2634f81f and fda9522ed6af.
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-7567
CRITICAL
CVSS 9.8
Authentication bypass in the Temporary Login WordPress plugin (versions ≤1.0.0) allows remote unauthenticated attackers to authenticate as any temporary login user via a single crafted GET request. The vulnerability exploits a type juggling flaw where passing 'temp-login-token' as an array bypasses validation checks and causes WordPress to return all users with temporary login tokens, enabling complete account takeover without knowledge of valid credentials. CVSS 9.8 (Critical) with network attack vector and no prerequisites. EPSS data not available; exploitation requires the presence of active temporary login accounts created by site administrators.
WordPress
Authentication Bypass
-
CVE-2026-43057
HIGH
CVSS 7.5
A denial-of-service vulnerability in the Linux kernel's IPv6 checksum GSO fallback logic allows remote unauthenticated attackers to trigger system instability via specially crafted tunneled IPv6 packets with extension headers. The flaw affects network packet processing when NETIF_F_IPV6_CSUM offload is enabled, causing incorrect handling of tunneled traffic that requires software checksumming. EPSS score is low (0.02%, 7th percentile), indicating minimal observed exploitation activity. Vendor-released patches are available across multiple kernel version branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0), confirmed by upstream Linux kernel commits. No public exploit identified at time of analysis, though CVSS vector indicates straightforward network-based exploitation (AV:N/AC:L/PR:N/UI:N).
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43056
HIGH
CVSS 7.8
Use-after-free in Linux kernel's MANA network driver allows local authenticated attackers to corrupt memory and potentially execute code with kernel privileges. The flaw occurs when auxiliary_device_add() fails in add_adev(), triggering cleanup that frees memory still referenced by subsequent error-handling code. Patches available across stable kernel branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. No CISA KEV listing or public exploit identified at time of analysis.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-43055
HIGH
CVSS 7.5
Uninitialized memory in the Linux kernel SCSI target subsystem (target_core_file) causes write operations to fail unpredictably when bogus ki_write_stream values trigger block device validation checks. Affected versions span Linux kernel 6.16 through development branches, with stable patches released for 6.18.22, 6.19.12, and 7.0. While CVSS scores this as 7.5 High with network vector (AV:N), the description indicates a local kernel subsystem issue affecting SCSI target configurations, suggesting a vector/impact mismatch. EPSS probability is very low (0.02%, 4th percentile) with no evidence of active exploitation or public POC, indicating minimal real-world targeting despite the high CVSS score.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43052
HIGH
CVSS 7.1
Logic error in Linux kernel mac80211 TDLS handling allows local authenticated users to modify wireless channel context and HT protection settings by invoking NL80211_TDLS_ENABLE_LINK on non-TDLS stations. Missing validation causes the kernel to apply TDLS-specific operations to regular Wi-Fi stations, potentially disrupting wireless connectivity and creating integrity/availability impacts. Vendor patches available for kernel 6.12.81, 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low probability of exploitation despite CVSS 7.1 rating. No evidence of active exploitation or public POC identified at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43051
HIGH
CVSS 8.1
An out-of-bounds read vulnerability in the Linux kernel's Wacom HID driver (wacom_intuos_bt_irq function) allows adjacent network attackers to cause information disclosure or denial of service through maliciously crafted short Bluetooth HID reports. The vulnerability affects the Bluetooth interface of Wacom Intuos tablets, where report types 0x03 and 0x04 are processed without validating minimum lengths (22 and 32 bytes respectively), enabling memory reads beyond buffer boundaries. Patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) with no active exploitation confirmed (EPSS 0.02%, not in CISA KEV).
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43050
HIGH
CVSS 7.0
Race condition in Linux kernel ATM LEC driver allows local attackers with low privileges to trigger use-after-free memory corruption in sock_def_readable(), potentially achieving arbitrary code execution, privilege escalation, or denial of service. The flaw affects systems using ATM (Asynchronous Transfer Mode) LAN Emulation Client functionality, present since Linux kernel version 2.4 (commit 1da177e4c3f4). EPSS score of 0.02% (7th percentile) suggests low probability of mass exploitation. Vendor patches available across all maintained stable branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). Not listed in CISA KEV; no public exploit code identified at time of analysis.
Authentication Bypass
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-43049
HIGH
CVSS 7.8
Use-after-free in Linux kernel HID subsystem allows local attackers with low privileges to achieve arbitrary code execution, privilege escalation, or denial of service when force feedback initialization fails on Logitech G920 racing wheels. The vulnerability occurs when userspace continues accessing freed memory structures (sysfs and /dev/input) after initialization errors. Vendor patches available across multiple stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates very low probability of mass exploitation, consistent with hardware-specific local attack surface requiring physical device presence.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-43048
HIGH
CVSS 8.8
Adjacent network attackers can achieve high-severity code execution, information disclosure, or denial of service in the Linux kernel HID (Human Interface Device) subsystem by exploiting a bounds-checking flaw in hid_report_raw_event(). A bogus memset() operation intended to zero unused buffer space instead creates out-of-bounds read/write conditions when processing malformed HID input reports from adjacent devices (USB, Bluetooth). Vendor patches available for stable branches 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% suggests minimal observed exploitation, but the unauthenticated adjacent-network attack vector with low complexity makes this exploitable in environments with untrusted HID peripherals.
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43047
HIGH
CVSS 7.8
Out-of-bounds memory writes in Linux kernel HID multitouch driver allow local authenticated users to achieve code execution or crash systems via malicious USB/HID devices. The vulnerability exists in the HID multitouch report parsing logic where mismatched report IDs in feature requests can confuse the HID core. Vendor-released patches are available across multiple kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score is low (0.02%, 7th percentile), indicating minimal observed exploitation attempts. No public exploit code identified at time of analysis.
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-43044
HIGH
CVSS 7.8
Memory corruption in the Linux kernel CAAM (Cryptographic Acceleration and Assurance Module) crypto driver allows local authenticated users to corrupt kernel memory and potentially escalate privileges. The vulnerability occurs when HMAC keys longer than the hash block size are processed: the driver allocates a DMA-aligned buffer size but fails to use it, causing the hashed key to overwrite adjacent memory. Vendor patches are available for stable kernel versions 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43042
HIGH
CVSS 7.1
Race condition in Linux kernel MPLS subsystem allows local authenticated users to trigger out-of-bounds memory access via concurrent label table resizing. The vulnerability affects RCU-protected codepaths (mpls_forward, mpls_dump_routes) that can obtain inconsistent snapshots of platform_labels array metadata during resize operations, potentially leading to information disclosure or denial of service. Vendor patch available addressing the issue through seqcount-based synchronization. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability, and no active exploitation or public POC identified.
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43040
HIGH
CVSS 7.1
In the Linux kernel, the following vulnerability has been resolved:
net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak
When processing Router Advertisements with user options the kernel
builds an RTM_NEWNDUSEROPT netlink message. The nduserop...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43033
HIGH
CVSS 7.8
Memory corruption in Linux kernel's crypto authencesn subsystem allows local authenticated attackers to disclose sensitive kernel memory, modify data integrity, or cause denial of service through improper handling of sequence bits during out-of-place decryption operations. The vulnerability affects Linux kernel versions from 4.3 through multiple stable branches (5.10.x, 5.15.x, 6.1.x, 6.6.x, 6.12.x, 6.18.x, 6.19.x) with patches available across all affected branches. EPSS exploitation probability is low (0.02%, 7th percentile) and no active exploitation or public POC has been identified.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43031
HIGH
CVSS 7.5
Linux kernel axienet driver can permanently stall network transmit queues due to incorrect Byte Queue Limits (BQL) accounting when scatter-gather TX packets span multiple NAPI polls. When a multi-buffer-descriptor packet completes across different polling cycles, only partial byte counts are credited to BQL, causing the subsystem to incorrectly believe bytes remain in-flight indefinitely and halting transmission. Vendor patches available for stable branches (6.18.22, 6.19.12, 7.0). EPSS exploitation probability is 2% (4th percentile), no active exploitation confirmed, indicating low real-world targeting despite the 7.5 CVSS score.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43030
HIGH
CVSS 7.8
A logic error in the Linux kernel's BPF verifier regsafe() function allows local attackers with low privileges to exploit improper state exploration for packet pointer ranges, potentially leading to high confidentiality, integrity, and availability impacts. The vulnerability affects multiple stable kernel branches from 5.10 through 6.19, with vendor patches available across all affected versions. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43029
HIGH
CVSS 7.5
Denial of service via soft lockup in Linux kernel MPTCP (Multipath TCP) receive function allows remote unauthenticated attackers to lock up a CPU core indefinitely when applications use MSG_PEEK with MSG_WAITALL flags. The vulnerability stems from improper handling of peeked socket buffers that remain in the receive queue, causing sk_wait_data() to never actually wait and spinning in an infinite loop. EPSS score is low (0.02%, 4th percentile) indicating minimal observed exploitation probability. Vendor patches available for kernel versions 6.18.x and 6.19.x series.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43028
HIGH
CVSS 7.1
Local privilege escalation and information disclosure in Linux kernel netfilter x_tables subsystem allows authenticated local users to leak memory contents or crash the system due to improper null-termination validation of string names passed to c-string functions. CVSS 7.1 (High/Confidentiality, High/Availability impact) but low real-world priority: EPSS 0.02% (7th percentile) indicates minimal observed exploitation likelihood. Patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). No active exploitation confirmed, no POC identified, requires local authenticated access with low privileges.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43027
HIGH
CVSS 7.8
Use-after-free in Linux kernel netfilter subsystem allows local authenticated attackers to corrupt memory and potentially execute arbitrary code with kernel privileges. The vulnerability occurs when unregistering connection tracking helpers: expectations referencing the helper survive cleanup and later dereference the freed helper object during expectation dumps or new connection establishment. Vendor-released patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% indicates low observed exploitation probability; no active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-43025
HIGH
CVSS 7.3
A buffer overflow in the Linux kernel netfilter ctnetlink subsystem allows authenticated local attackers to read arbitrary kernel memory. The vulnerability arises when userspace provides a helper name for a new expectation that differs from the master conntrack helper, causing the kernel to read 4 bytes beyond the expectation boundary. Vendor-released patches are available across multiple stable kernel branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). Despite a CVSS base score of 7.3, the EPSS score is exceptionally low (0.02%, 7th percentile), indicating minimal observed exploitation attempts, and the vulnerability is not listed in CISA KEV, suggesting no confirmed active exploitation.
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43023
HIGH
CVSS 7.8
Race condition in the Linux kernel's Bluetooth SCO socket implementation allows local authenticated users to trigger use-after-free and memory corruption via concurrent connect() syscalls on the same socket. The vulnerability affects the sco_sock_connect() function which fails to properly serialize state checks, enabling two threads to simultaneously progress through connection setup on a socket already marked for cleanup, leading to double-free conditions and connection object leaks. Vendor-released patches are available for kernel versions 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% indicates very low observed exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis.
Information Disclosure
Linux
Race Condition
Red Hat
Suse
-
CVE-2026-43020
HIGH
CVSS 7.8
Stack buffer overflow in Linux kernel Bluetooth MGMT subsystem allows local authenticated attackers to execute arbitrary code with elevated privileges. The vulnerability stems from insufficient validation of the encryption key size (enc_size) parameter when loading Long Term Keys (LTKs) via the Bluetooth management interface. When processing LE LTK requests, the kernel uses the attacker-controlled enc_size value to perform stack operations against a fixed 16-byte buffer, enabling stack corruption through oversized values. Vendor-released patches are available across all active kernel branches. EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploit has been identified at time of analysis, though the attack complexity is low once local authenticated access is obtained.
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-43019
HIGH
CVSS 7.8
Use-after-free in Linux kernel Bluetooth subsystem allows local authenticated attackers to achieve arbitrary code execution with high privileges. The vulnerability exists in set_cig_params_sync where hci_conn objects can be freed or modified concurrently during lookup and field access due to inadequate locking. Vendor patches are available across multiple stable kernel branches (6.6, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% indicates low observed exploitation probability, no CISA KEV listing, and no public exploit identified at time of analysis.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-43018
HIGH
CVSS 8.8
Use-after-free in Linux Kernel Bluetooth stack allows adjacent network attackers to execute arbitrary code, escalate privileges, or cause denial of service without authentication. The vulnerability exists in hci_le_remote_conn_param_req_evt where hci_conn lookup and field access occur outside the hdev lock protection, enabling concurrent memory corruption. Patches are available across multiple stable kernel branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0). EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-43016
HIGH
CVSS 7.8
Use-after-free in Linux kernel's BPF sockmap implementation allows local authenticated attackers to corrupt memory and potentially execute arbitrary code with kernel privileges. The vulnerability occurs in sk_psock_verdict_data_ready() when handling AF_UNIX sockets, where sk->sk_socket can be accessed after being freed following sock_orphan(). This affects Linux kernel versions 5.15 through 6.19.12, with patches available for stable branches 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% indicates very low observed exploitation probability in the wild, and no active exploitation or public exploit code has been identified at time of analysis.
Information Disclosure
Linux
Google
Use After Free
Memory Corruption
-
CVE-2026-43015
HIGH
CVSS 7.8
Use-after-free in Linux kernel macb driver allows local authenticated attackers to cause denial of service or potentially escalate privileges during module removal. The vulnerability occurs in the PCI glue driver when platform_device_unregister() triggers a runtime resume callback that attempts to access already-freed clock structures. EPSS score is low (0.02%) with no evidence of active exploitation. Vendor patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0).
Denial Of Service
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-43009
HIGH
CVSS 7.8
Linux kernel BPF verifier incorrectly prunes execution paths due to imprecise state tracking in atomic fetch operations, allowing local attackers to bypass security checks in eBPF programs. The verifier's backtracking logic fails to mark stack slots as precise when BPF_ATOMIC instructions with BPF_FETCH modify both memory and destination registers, causing two legitimately different program states to be incorrectly considered equivalent during path pruning. Vendor patches available in kernel versions 6.19.12 and 7.0. EPSS score of 0.02% (5th percentile) indicates low probability of mass exploitation, though successful exploitation grants high confidentiality, integrity, and availability impact per CVSS 7.8.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43007
HIGH
CVSS 7.8
A use-after-free resource management flaw in the Linux kernel's Qualcomm AI accelerator (QAIC) driver allows local authenticated users to cause denial of service and potentially escalate privileges. When a DBC (Device Binding Context) owner process terminates before handling device-initiated deactivation messages, the kernel fails to release DBC resources, causing subsequent activation attempts to hang indefinitely and creating exploitable resource state inconsistencies. The vulnerability affects Linux kernel versions 6.4 through 6.19.12, with vendor patches available across multiple stable branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation or public POC has been identified.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43006
HIGH
CVSS 7.1
Out-of-bounds memory read in Linux kernel io_uring subsystem allows local authenticated users to leak kernel memory or trigger denial of service. The vulnerability exists in io_uring's fixed buffer import logic when registering zero-length buffer regions, causing the bvec skip logic to read beyond allocated slab memory. Patches available across stable kernel branches (6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (4th percentile) indicates low likelihood of widespread exploitation. No active exploitation confirmed (not in CISA KEV), no public POC identified at time of analysis.
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43005
HIGH
CVSS 7.1
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (tps53679) Fix array access with zero-length block read
i2c_smbus_read_block_data() can return 0, indicating a zero-length
read. When this happens, tps53679_identify_chip() accesses buf[ret - 1]
which is buf[-1], reading on...
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43003
HIGH
CVSS 8.0
Code execution in OpenStack Ironic Python Agent 1.0.0-11.5.0 occurs when the service executes grub-install within a chroot of a deployed partition image, allowing attackers with write access to deployment images to run arbitrary code on the bare-metal provisioning infrastructure. The attack requires adjacent network access, low privileges, and high complexity (CVSS 8.0, AV:A/AC:H/PR:L), with changed scope indicating the vulnerability breaks trust boundaries between tenant workloads and the provisioning layer. EPSS data not provided; no CISA KEV listing or public POC identified at time of analysis, suggesting exploitation requires significant operational access rather than opportunistic scanning.
RCE
Python
Red Hat
-
CVE-2026-43001
HIGH
CVSS 7.9
Cross-project credential injection in OpenStack Keystone 13-29 allows highly privileged attackers holding unrestricted application credentials to create EC2 credentials scoped to arbitrary projects within the credential owner's role footprint, enabling unauthorized lateral movement across project boundaries. The POST /v3/credentials endpoint fails to validate project_id alignment, allowing attackers to issue tokens for Project B while authenticated to Project A. No active exploitation confirmed (not in CISA KEV), but exploitation requires network access and high privileges (AV:N/PR:H) with changed scope impact (S:C), indicating potential for significant multi-tenant compromise in affected OpenStack deployments.
Authentication Bypass
Microsoft
-
CVE-2026-42994
HIGH
CVSS 8.8
Malicious code injection in Bitwarden CLI 2026.4.0 distributed via npm for 90 minutes on April 22, 2026, enables remote command execution without authentication. The compromise was part of a broader Checkmarx supply chain attack targeting the npm registry. Users who installed this specific version during the 21:57Z-23:30Z window received a backdoored package capable of executing arbitrary OS commands. EPSS data not available for this recent CVE, but the supply chain vector and brief exposure window suggest targeted rather than mass exploitation.
Command Injection
Node.js
-
CVE-2026-42786
HIGH
CVSS 8.7
Memory exhaustion in Bandit WebSocket server (versions 0.5.0 through 1.10.x) allows unauthenticated remote attackers to trigger denial of service by sending unbounded WebSocket continuation frames without setting the fin flag. The fragment reassembly logic accumulates payloads without checking cumulative message size, bypassing the max_frame_size limit, which applies only to individual frames. Applications using Phoenix Channels or LiveView over Bandit expose this attack surface on any WebSocket endpoint. The patch in version 1.11.0 introduces a max_fragmented_message_size parameter (default 8MB). No public exploit code identified at time of analysis, but trivial to reproduce with standard WebSocket libraries.
Denial Of Service
Red Hat
-
CVE-2026-42485
HIGH
CVSS 7.5
Stack buffer overflow in AGL agl-service-can-low-level's uds-c library enables remote code execution on vulnerable automotive ECUs. The send_diagnostic_request function copies up to 7 bytes into a 6-byte stack buffer without bounds checking, allowing 1-4 bytes of controlled stack corruption. On 32-bit ARM ECUs without stack canaries (common in automotive deployments), attackers can overwrite return addresses to achieve arbitrary code execution. CVSS 7.5 with network attack vector and no authentication required indicates critical exposure, though CVSS impact vector (C:N/I:N/A:H) appears inconsistent with RCE capability described; the vendor assessment may undervalue confidentiality/integrity impact of code execution.
Buffer Overflow
Stack Overflow
-
CVE-2026-42478
HIGH
CVSS 7.5
Denial of service in Open CASCADE Technology (OCCT) V8_0_0_rc5 occurs when a crafted VRML V2.0 file triggers null pointer dereference during shape construction in the VrmlData_IndexedFaceSet::TShape parser. Remote unauthenticated attackers can crash applications using libTKDEVRML.so by delivering malformed VRML files, requiring no user interaction (CVSS AV:N/AC:L/PR:N/UI:N). EPSS score not available; no public exploit identified at time of analysis. Affects 3D CAD/visualization applications integrating OCCT for VRML import.
Denial Of Service
Null Pointer Dereference
-
CVE-2026-42477
HIGH
CVSS 7.1
Heap-based out-of-bounds read in Open CASCADE Technology V8_0_0_rc5 OBJ file parser allows local attackers to cause denial of service or leak sensitive memory contents when victims open malicious OBJ files. The vulnerability stems from missing buffer length validation in RWObj_Reader::read() after Standard_ReadLineBuffer::ReadLine() returns minimal 1-byte buffers, leading to unsafe memory access at aLine + 2. EPSS data not available; no confirmed active exploitation or public proof-of-concept identified at time of analysis. Requires user interaction, limiting automated exploitation potential.
Buffer Overflow
Denial Of Service
Information Disclosure
-
CVE-2026-42476
HIGH
CVSS 7.1
Heap-based out-of-bounds reads in Open CASCADE Technology (OCCT) V8_0_0_rc5 STL ASCII parser allow local attackers to trigger denial of service or disclose process memory by convincing users to open maliciously crafted STL files with extremely short lines. The vulnerability stems from improper length validation of buffers returned by Standard_ReadLineBuffer::ReadLine() before strncasecmp operations or direct byte access in RWStl_Reader::ReadAscii. CVSS score of 7.1 reflects high confidentiality and availability impact requiring user interaction. No public exploit code, active exploitation (CISA KEV), or vendor patch information identified at time of analysis, though technical details are publicly available via GitHub Gist.
Buffer Overflow
Denial Of Service
Information Disclosure
-
CVE-2026-42471
HIGH
CVSS 8.1
Client-side remote code execution affects MixPHP Framework 2.x through 2.2.17 when sync-invoke clients connect to attacker-controlled servers. The vulnerability enables malicious servers to execute arbitrary code on connecting clients through unsafe deserialization of server responses (CWE-502). EPSS data unavailable, but SSVC indicates no confirmed exploitation and non-automatable attack complexity aligns with CVSS AC:H rating. Primary risk exists in scenarios where MixPHP clients connect to untrusted external services or where server infrastructure could be compromised.
PHP
Deserialization
-
CVE-2026-42469
HIGH
CVSS 8.6
Remote code execution in Open Vehicle Monitoring System 3 (OVMS3) version 3.3.005 allows unauthenticated network attackers to execute arbitrary code or crash the system by sending malformed CANswitch frames with invalid DLC (Data Length Code) values. The buffer overflow occurs in the canformat_canswitch.cpp parser module which fails to validate frame length parameters before processing, enabling memory corruption. A proof-of-concept exploit is publicly available on GitHub, and SSVC assessment indicates the vulnerability is automatable with partial technical impact, though no active exploitation has been confirmed by CISA KEV at time of analysis.
RCE
Buffer Overflow
Denial Of Service
Stack Overflow
-
CVE-2026-42468
HIGH
CVSS 8.8
Buffer overflow in Open Vehicle Monitoring System 3 (OVMS3) version 3.3.005 enables remote code execution when processing malicious PCAP files. The canformat_pcap.cpp parser fails to validate the phdr.len field, allowing attackers to overflow stack buffers and execute arbitrary code with high confidentiality, integrity, and availability impact. Public proof-of-concept code exists (GitHub Gist), though no active exploitation is confirmed by CISA KEV. SSVC assessment indicates automatable exploitation despite requiring user interaction to open crafted PCAP files.
RCE
Buffer Overflow
Denial Of Service
Stack Overflow
-
CVE-2026-42467
HIGH
CVSS 7.5
Remote denial of service in Open-SAE-J1939 library (commit b6caf884 and prior, November 2025) allows unauthenticated attackers to crash SAE J1939 protocol implementations by sending malformed CAN frames to the J1939 bus. Exploitation is straightforward (CVSS AC:L, SSVC automatable:yes) and requires only network access to the CAN bus. No public exploit code confirmed, but a Gist reference suggests proof-of-concept research exists. EPSS data unavailable; not in CISA KEV.
Denial Of Service
-
CVE-2026-42403
HIGH
CVSS 7.5
Denial of Service in Apache Neethi WS-Policy processor allows remote unauthenticated attackers to crash applications or cause resource exhaustion by sending crafted policy documents with circular references. The vulnerability (CVSS 7.5) triggers infinite loops or stack overflow during policy normalization when Policy A references Policy B which references Policy A. Apache released version 3.2.2 to address this flaw. With network vector, low complexity, and no authentication required (AV:N/AC:L/PR:N), this represents a readily exploitable attack surface for applications parsing untrusted WS-Policy documents, though no public exploit or active exploitation (KEV) has been identified at time of analysis.
Denial Of Service
Apache
Red Hat
-
CVE-2026-42402
HIGH
CVSS 7.5
Algorithmic complexity denial of service in Apache Neethi allows remote unauthenticated attackers to exhaust JVM heap memory via malicious WS-Policy documents. Specially crafted policy documents trigger exponential Cartesian cross-product expansion during normalization, generating unbounded policy alternatives that consume all available memory. Apache has released version 3.2.2 with normalization limits to prevent exploitation. EPSS data not available; no CISA KEV listing identified at time of analysis.
Denial Of Service
Apache
Red Hat
-
CVE-2026-39804
HIGH
CVSS 8.2
Memory exhaustion in Bandit WebSocket server (versions 0.5.9 through 1.10.x) allows unauthenticated remote attackers to crash BEAM nodes via compression bombs when permessage-deflate is enabled. The inflate/2 function decompresses WebSocket frames without output-size limits, enabling attackers to send tiny compressed payloads (~1024:1 ratio) that expand to gigabyte-scale heap allocations. Vendor-released patch available (version 1.11.0). EPSS data not available; no public exploit identified at time of analysis. Exploitation requires non-default configuration (both server-level compress and per-upgrade compress: true options enabled), making stock Phoenix/LiveView applications unaffected.
Denial Of Service
Red Hat
-
CVE-2026-37554
HIGH
CVSS 7.5
Remote unauthenticated denial of service crashes Vanetza V2X v26.02 receivers via malformed GeoNetworking packets containing invalid ECC points. Uncaught OpenSSL exceptions from elliptic curve point validation (invalid compressed points, points not on curve) in the security layer escape through the Router::indicate() call chain, triggering std::terminate and process termination. No public exploit identified at time of analysis; EPSS data unavailable. Attack requires only network access to the V2X receiver endpoint with no authentication or user interaction (CVSS AV:N/AC:L/PR:N/UI:N), making this a significant operational risk for deployed V2X infrastructure relying on continuous availability for vehicle safety communications.
Denial Of Service
OpenSSL
-
CVE-2026-37552
HIGH
CVSS 8.4
Arbitrary code execution in MixPHP Framework 2.x through 2.2.17 allows local attackers to execute malicious PHP closures via unauthenticated TCP connections to the sync-invoke server. The vulnerability stems from unsafe deserialization of untrusted data on localhost-bound port 127.0.0.1, where Server.php directly passes socket data to Opis\Closure\unserialize() and executes the result without authentication or signature verification. Exploitation requires local network access or SSRF capability against the application server. No public exploit code identified at time of analysis, but the attack mechanism is straightforward for attackers with PHP deserialization knowledge.
PHP
RCE
Deserialization
-
CVE-2026-37540
HIGH
CVSS 8.4
Integer overflow in OpenAMP v2025.10.0 ELF loader enables local attackers to corrupt memory during firmware image parsing on 32-bit embedded systems (STM32MP1, Zynq, i.MX). The vulnerability triggers when elf_loader.c multiplies two attacker-controlled 16-bit values from ELF headers without bounds checking, causing integer wraparound that bypasses allocation size limits. EPSS data not available; no CISA KEV listing confirms exploitation remains theoretical. GitHub references suggest proof-of-concept analysis exists (sgInnora gist), indicating technical feasibility for local privilege escalation or code execution in embedded/IoT firmware update scenarios.
Buffer Overflow
Integer Overflow
Suse
-
CVE-2026-37538
HIGH
CVSS 7.5
Remote unauthenticated attackers can crash the socketcand 0.4.2 daemon by sending a malformed CAN bus name that triggers a stack-based buffer overflow in the main function of socketcand.c. The CVSS vector indicates network-accessible denial of service with no authentication required. A publicly available proof-of-concept exists (GitHub Gist reference), but CISA KEV status is not confirmed, and EPSS data is unavailable. The low attack complexity (AC:L) and network attack vector (AV:N) make this readily exploitable against exposed instances, though the impact is currently limited to availability (A:H) with no confirmed confidentiality or integrity impacts.
Buffer Overflow
Denial Of Service
Stack Overflow
-
CVE-2026-37537
HIGH
CVSS 8.1
Integer underflow in Open-SAE-J1939 Transport Protocol handler allows adjacent network attackers to corrupt memory via crafted CAN frames. Attackers sending J1939 Transport Protocol Data Transfer frames with sequence number 0 trigger underflow to 255, writing 6 bytes beyond a 1785-byte buffer boundary. No authentication required and exploitable over CAN/automotive networks. EPSS data unavailable; no KEV listing or public POC identified at time of analysis, but technical details publicly disclosed in GitHub gist enable proof-of-concept development.
Buffer Overflow
Integer Overflow
-
CVE-2026-37536
HIGH
CVSS 8.8
Stack buffer overflow in miaofng/uds-c library allows adjacent network attackers to execute arbitrary code via crafted diagnostic payload. The send_diagnostic_request function allocates only 6 bytes for MAX_DIAGNOSTIC_PAYLOAD_SIZE but accepts up to 7 bytes of payload (MAX_UDS_REQUEST_PAYLOAD_LENGTH), enabling 4-byte overflow when combined with pid_length=2. Affects commit e506334e270d77b20c0bc259ac6c7d8c9b702b7a from October 2016 and likely later versions unless patched. No CISA KEV listing or EPSS data indicates exploitation remains theoretical; vulnerability appears in automotive diagnostic library with limited deployment exposure.
Buffer Overflow
Stack Overflow
-
CVE-2026-37535
HIGH
CVSS 7.1
Out-of-bounds memory read in openxc/isotp-c ISO-TP Single Frame handler allows adjacent network attackers to trigger denial of service or extract sensitive information via malicious CAN frames. The vulnerability exists in all versions through commit 5a5d19245f65 (August 2021) and stems from unchecked use of a 4-bit payload length field directly as memcpy buffer size. EPSS data unavailable; no CISA KEV listing indicates no confirmed widespread exploitation, though publicly available technical analysis exists (GitHub Gist reference).
Buffer Overflow
Denial Of Service
Information Disclosure
-
CVE-2026-37532
HIGH
CVSS 7.1
Heap buffer over-read in AGL agl-service-can-low-level through version 17.1.12 allows adjacent network attackers to disclose memory contents and cause denial of service without authentication. The vulnerability stems from improper bounds checking in the isotp-c library's Single Frame handling, where a 4-bit payload length field (0-15) is trusted without validating against the 7-byte CAN frame payload capacity, enabling reads up to 8 bytes beyond the buffer. CVSS 7.1 (High) reflects adjacent network attack vector with low confidentiality and high availability impact. No public exploit code or active exploitation confirmed at time of analysis, though the specific line numbers and technical details in the description lower exploitation barriers.
Buffer Overflow
-
CVE-2026-37530
HIGH
CVSS 7.5
Stack buffer overflow in AGL agl-service-can-low-level through version 17.1.12 enables remote code execution on automotive ECUs. The vulnerability exists in the uds-c library's send_diagnostic_request function, where a miscalculation between buffer size (6 bytes) and copy length (7 bytes) allows 1-4 bytes of controlled stack overflow. On 32-bit ARM automotive systems without stack protection, attackers can overwrite return addresses to achieve arbitrary code execution. CVSS 7.5 High severity with network attack vector and no authentication required, though CVSS impact ratings (C:N/I:N/A:H) appear inconsistent with the RCE capability described. No public exploit identified at time of analysis, EPSS data unavailable.
Buffer Overflow
Stack Overflow
-
CVE-2026-37526
HIGH
CVSS 7.8
Local privilege escalation in AGL app-framework-binder (afb-daemon) through v19.90.0 allows any low-privileged process to execute privileged supervision commands without authentication via an unprotected abstract Unix socket. Attackers can terminate the daemon (DoS), execute arbitrary API calls, close user sessions, or exfiltrate global configuration data. The vulnerability stems from commit b8c9d5de384 (2017-06-29) implementing 8 supervision commands with zero credential verification, acknowledged by developers as lacking DAC protection. EPSS data unavailable, not in CISA KEV, but technical details are publicly documented with proof-of-concept reference.
Authentication Bypass
-
CVE-2026-37525
HIGH
CVSS 7.8
Local privilege escalation in Automotive Grade Linux (AGL) app-framework-binder (afb-daemon) through v19.90.0 allows authenticated users to execute arbitrary registered APIs with nullified credentials. The supervision Do command in src/afb-supervision.c explicitly zeroes request credentials before dispatching attacker-controlled API calls, causing authorization checks to fail open when encountering NULL credential contexts. This enables low-privileged users to bypass access controls and execute privileged operations. EPSS data not available; no public exploit code or active exploitation confirmed at time of analysis.
Privilege Escalation
-
CVE-2026-37457
HIGH
CVSS 7.5
Remote denial of service in FRRouting stable/10.0 allows unauthenticated attackers to crash the BGP daemon via malformed FlowSpec NLRI messages. The off-by-one vulnerability in bgp_flowspec_op_decode() enables out-of-bounds writes when parsing crafted BGP FlowSpec components, causing process termination. EPSS exploitation probability data not available, but SSVC marks this as automatable with partial technical impact. No public exploit code identified at time of analysis, and not listed in CISA KEV, suggesting theoretical rather than actively exploited risk.
Buffer Overflow
Denial Of Service
Memory Corruption
Red Hat
-
CVE-2026-31782
HIGH
CVSS 7.8
Out-of-bounds memory read in Linux kernel's Intel PMU (Performance Monitoring Unit) handling allows local authenticated attackers with low privileges to potentially access sensitive kernel memory, modify data, or cause system crashes. The flaw occurs when perf auto counter reload groups contain software events, triggering an unsafe container_of operation that can dereference memory outside valid bounds. EPSS exploitation probability is very low (0.02%, 4th percentile), and no public exploit or active exploitation has been identified at time of analysis. Patches available for kernel versions 6.18.22, 6.19.12, and 7.0.
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31780
HIGH
CVSS 7.8
A heap buffer overflow in the Linux kernel's wilc1000 WiFi driver allows local authenticated users to trigger memory corruption via crafted SSID scan requests. The driver miscalculates buffer size due to u8 integer overflow (330 bytes wrapping to 74), causing kmalloc to allocate 75 bytes while memcpy writes up to 331 bytes, a 256-byte overflow. Patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.03% (9th percentile) suggests low likelihood of widespread exploitation, and CISA KEV does not list this CVE, indicating no confirmed active exploitation at time of analysis.
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-31779
HIGH
CVSS 8.1
Out-of-bounds read in Linux kernel iwlwifi driver allows adjacent network attackers to disclose sensitive kernel memory or trigger denial of service without authentication. The vulnerability affects the iwlwifi wireless driver's network detection match handler function, where insufficient packet length validation enables memcpy to read beyond allocated buffer boundaries. EPSS probability is low (0.02%, 7th percentile) and no active exploitation confirmed (not in CISA KEV). Vendor patches available across multiple kernel stable branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31778
HIGH
CVSS 7.1
Stack buffer out-of-bounds read in Linux kernel ALSA snd_usb_caiaq driver allows local authenticated users to disclose kernel stack memory and potentially trigger denial of service. The vulnerability affects systems with USB audio devices using the caiaq driver when product names contain many non-ASCII characters. Present since kernel v2.6.31-rc1 (June 2009), this 16-year-old off-by-one error lacks null terminator validation during whitespace stripping. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31776
HIGH
CVSS 7.8
Out-of-bounds array access in Linux kernel ALSA ctxfi driver allows local authenticated users to achieve arbitrary code execution with high integrity and confidentiality impact. The flaw stems from improper SPDIF1 DAIO type handling in daio_device_index() for hw20k2 hardware, which returns -EINVAL instead of a valid index, leading to buffer overflow conditions (CWE-129). Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation activity; no CISA KEV listing or public POC identified at time of analysis.
Buffer Overflow
Linux
Red Hat
Suse
-
CVE-2026-31774
HIGH
CVSS 7.1
Integer overflow in Linux kernel io_uring subsystem allows local authenticated users to trigger slab-out-of-bounds memory reads and denial of service. The vulnerability stems from improper type casting of user-supplied length values in network bundled receive/send operations, where values exceeding INT_MAX cause negative overflow leading to infinite loops and out-of-bounds array access. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. Vendor patches available for affected stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0), making this a straightforward patching priority for systems running vulnerable versions with io_uring enabled.
Buffer Overflow
Denial Of Service
Information Disclosure
Linux
Red Hat
-
CVE-2026-31773
HIGH
CVSS 8.8
Incorrect authentication labeling in Linux kernel's Bluetooth SMP legacy pairing allows adjacent attackers to bypass security controls and gain high-level access without proper authentication. The flaw affects the Short Term Key (STK) derivation in Just Works/Confirm pairing modes, where keys are incorrectly marked as authenticated even when Man-in-the-Middle (MITM) protection was not established. With CVSS 8.8 (AV:A/AC:L/PR:N/UI:N), this enables adjacent network attackers to exploit Bluetooth pairing flows without authentication. EPSS score of 0.05% suggests low widespread exploitation likelihood. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31772
HIGH
CVSS 7.8
Stack buffer overflow in Linux kernel Bluetooth subsystem allows local authenticated attackers to achieve code execution, privilege escalation, or denial of service through malformed ISO socket parameters. The vulnerability occurs when binding an ISO Bluetooth socket with up to 31 BIS entries while the hci_le_big_create_sync() function only allocates stack space for 17 entries, resulting in a 14-byte overflow that corrupts adjacent stack memory. Patches are available across multiple kernel versions (6.12.81, 6.18.22, 6.19.12, 7.0), with EPSS indicating 0.02% exploitation probability and no active exploitation confirmed.
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-31771
HIGH
CVSS 8.1
Out-of-bounds memory read in Linux kernel Bluetooth HCI event processing allows adjacent network attackers to disclose kernel memory or trigger denial of service without authentication. The vulnerability stems from premature wake reason storage before per-event payload length validation, enabling crafted short HCI event frames to reach bacpy() operations before bounds checking. EPSS score is low (0.02%, 6th percentile) with no evidence of active exploitation or public POC at time of analysis. Vendor patches available for kernel versions 5.10+ through 6.19.12 and mainline 7.0.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31769
HIGH
CVSS 7.8
Use-after-free in Linux kernel GPIB subsystem allows local authenticated attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability occurs in IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers when concurrent IBCLOSEDEV calls free descriptors still in use by I/O operations. EPSS probability is very low (0.02%, 4th percentile), indicating minimal observed exploitation activity. Vendor patches available for stable branches 6.18.22, 6.19.12, and mainline 7.0 via commits cae26eff, 28c75dd1, and d1857f82.
Authentication Bypass
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31768
HIGH
CVSS 7.8
Improper Direct Memory Access (DMA) handling in the Linux kernel's ti-adc161s626 Industrial I/O (IIO) analog-to-digital converter driver allows local attackers with low privileges to trigger memory corruption or information disclosure. The vulnerability stems from using stack-allocated memory for SPI read operations instead of DMA-safe buffers, violating SPI subsystem requirements. Patches are available across multiple stable kernel versions (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0). EPSS score of 0.02% indicates very low exploitation probability, and no public exploits or active exploitation (not in CISA KEV) have been identified.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31766
HIGH
CVSS 7.1
Integer overflow in AMD GPU driver's user queue doorbell handling allows local authenticated users to corrupt kernel memory and potentially escalate privileges. The amdgpu driver fails to validate user-supplied doorbell_offset values before calculating buffer offsets, enabling out-of-bounds writes to kernel doorbell space. Patches available in Linux 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% (4th percentile) indicates low probability of mass exploitation, though CVSS 7.1 reflects serious local privilege escalation potential. No active exploitation confirmed; attack requires local authenticated access to systems with AMD GPU hardware.
Buffer Overflow
Linux
Red Hat
Suse
-
CVE-2026-31764
HIGH
CVSS 7.8
Out-of-bounds array access in the st_lsm6dsx IMU driver allows local authenticated users with low privileges to achieve high-impact code execution, data disclosure, or denial of service. The vulnerability exists in the buffer sampling frequency sysfs handler, which fails to validate sensor type before indexing a 2-entry array with sensor IDs beyond accelerometer and gyroscope. Exploitation requires write access to sysfs attributes for non-standard sensor types in the driver. EPSS exploitation probability is very low (0.02%, 5th percentile), no active exploitation confirmed, and vendor patches are available for Linux 6.19.12 and 7.0.
Buffer Overflow
Linux
Red Hat
Suse
-
CVE-2026-31761
HIGH
CVSS 7.8
Race condition in the Linux kernel MPU3050 gyroscope driver allows local attackers with low privileges to potentially achieve code execution, data corruption, or information disclosure. The vulnerability stems from premature registration of the IIO device before complete initialization in the probe function, creating a window where userspace can interact with incompletely configured hardware. While CVSS rates this 7.8 HIGH with local attack vector, EPSS score of 0.02% (7th percentile) indicates extremely low probability of active exploitation. Patches available across all maintained kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code.
Information Disclosure
Linux
Race Condition
Red Hat
Suse
-
CVE-2026-31759
HIGH
CVSS 7.8
Double-free memory corruption in Linux kernel USB ULPI subsystem allows local authenticated attackers with low privileges to potentially achieve arbitrary code execution, denial of service, or information disclosure. The flaw exists in ulpi_register_interface() error handling since kernel 4.2 (commit 289fcff4b), where device_register() failure triggers cleanup via put_device() followed by redundant kfree(), corrupting kernel memory. Patches available across stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% suggests low likelihood of mass exploitation despite high CVSS 7.8, likely due to local attack vector and requirement for device registration failure conditions.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31758
HIGH
CVSS 7.8
Use-after-free condition in Linux kernel USB Test and Measurement Class (USBTMC) driver allows local authenticated attackers to execute arbitrary code with elevated privileges. The vulnerability occurs when the usbtmc_release function fails to properly flush pending anchored URBs, leaving dangling references that can be exploited in the HCD giveback path. Vendor patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0). Despite the high CVSS score of 7.8, the EPSS exploitation probability is very low at 0.02% (7th percentile), indicating limited real-world targeting, and no active exploitation or public POC has been identified.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31748
HIGH
CVSS 7.8
Buffer overflow in Linux kernel COMEDI me_daq driver allows local authenticated users to achieve arbitrary code execution with kernel privileges. The me2600_xilinx_download() function fails to validate firmware file length before reading data streams, enabling out-of-bounds memory access during firmware loading operations. Patches available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates low probability of widespread exploitation despite high CVSS 7.8 rating, and no active exploitation or public exploit code identified at time of analysis.
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-31747
HIGH
CVSS 7.8
Out-of-bounds write in Linux kernel comedi me4000 driver firmware loader allows local authenticated users to achieve high-impact code execution, data corruption, or system crash. The me4000_xilinx_download() function blindly trusts firmware file format headers without validating buffer boundaries, reading a length field from the first 4 bytes and then reading that many bytes from offset 16 without checking total file size. Patch available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating. No public exploit code or active exploitation confirmed.
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-31745
HIGH
CVSS 7.8
Double-free memory corruption in the Linux kernel reset-gpio subsystem allows local authenticated users to escalate privileges or crash the system. The vulnerability exists in reset_add_gpio_aux_device() error handling since commit 5fc4e4cf7a22, where auxiliary_device_uninit() triggers a release callback that frees memory, but the error path then calls kfree() on the same pointer. Patches available for kernel versions 6.19.12+ and 7.0+. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. Not listed in CISA KEV; no public exploit identified at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31743
HIGH
CVSS 7.8
Memory corruption in the Linux kernel zynqmp_nvmem driver allows local authenticated users to achieve privilege escalation through undersized DMA buffer exploitation. The vulnerability stems from incorrect buffer size calculations in dma_alloc_coherent and memcpy operations, enabling heap or memory corruption that can lead to complete system compromise. With a 7.8 CVSS score but only 0.02% EPSS (5th percentile), this represents a high-severity issue affecting specific Xilinx Zynq UltraScale+ deployments rather than a widespread exploitation target. Patches available across multiple stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0) with upstream fixes confirmed in git commits.
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-31742
HIGH
CVSS 7.8
Memory corruption in the Linux kernel virtual terminal (vt) subsystem allows local authenticated users to trigger kernel crashes and potentially escalate privileges. When a console switches to an alternate screen and then gets resized, the saved Unicode buffer retains stale dimensions. Upon returning to the primary screen, operations like screen clearing (csi_J) access memory out of bounds using current dimensions against the old buffer, causing a kernel oops. EPSS exploitation probability is low (0.02%, 4th percentile) and no active exploitation is confirmed. Vendor patches are available across multiple stable kernel branches (5.x, 6.18.x, 6.19.x).
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31739
HIGH
CVSS 8.8
Missing CRYPTO_ALG_ASYNC flag in Linux kernel's Tegra crypto driver causes the crypto API to incorrectly select asynchronous algorithms for synchronous-only requests, resulting in system crashes. This affects Tegra-based Linux systems (typically NVIDIA Jetson devices) running kernel versions 6.10 through early 7.0 development branches. Vendor patches are available across stable branches (6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation probability, and no active exploitation or public POC has been identified. The CVSS vector (AV:N/AC:L/PR:L/UI:N) suggests network-based exploitation requiring authenticated access, though this conflicts with the technical nature of a local driver configuration bug.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-31735
HIGH
CVSS 8.8
Linux kernel IOMMU page table unmapping operations fail to invalidate extended memory regions when unmapping lands mid-entry in large/contiguous mappings, causing stale TLB entries. Affects kernel 6.19 through pre-7.0 versions with IOMMU subsystem enabled. Local authenticated attackers with low privileges can potentially access unmapped memory or escalate privileges by exploiting incomplete invalidations during IOMMU unmap operations. EPSS score of 0.02% (5th percentile) suggests minimal real-world exploitation likelihood. No public exploit identified at time of analysis, though vendor acknowledges theoretical risk is low as 'nothing relies on unmapping a large entry.' Vendor-released patches available for stable branches.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31731
HIGH
CVSS 7.8
Use-after-free in Linux kernel thermal subsystem allows local attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability stems from race conditions between thermal zone removal and power management resume operations, where delayed work items can continue executing after thermal zone objects are freed. EPSS score of 0.02% (5th percentile) suggests low probability of mass exploitation despite high CVSS severity. Vendor patches available across multiple stable kernel branches (6.12.83, 6.18.22, 6.19.12, 7.0) via upstream commits. No active exploitation confirmed in CISA KEV at time of analysis.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31730
HIGH
CVSS 7.8
Double-free memory corruption in the Linux kernel's fastrpc driver allows local attackers with low privileges to achieve high-impact code execution, privilege escalation, or denial of service. The vulnerability occurs when fastrpc_init_create_static_process() fails to nullify a freed heap pointer (cctx->remote_heap) in its error path, enabling fastrpc_rpmsg_remove() to free the same memory twice during device removal. Patches available across kernel versions 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% indicates low observed exploitation probability, with no active exploitation confirmed at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31729
HIGH
CVSS 7.8
Out-of-bounds array access in Linux kernel UCSI (USB Type-C Connector System Software Interface) driver allows local authenticated attackers to achieve arbitrary code execution or system crash. A malicious USB-C device or compromised firmware can send a crafted CCI (Connector Change Indicator) message with an invalid connector number (0-127) that exceeds the allocated connector array bounds (typically 2-4 entries), triggering memory corruption in ucsi_connector_change(). Vendor patches available for kernel 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability, and no active exploitation or public POC currently identified.
Buffer Overflow
Linux
Red Hat
Suse
-
CVE-2026-31720
HIGH
CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_uac1_legacy: validate control request size
f_audio_complete() copies req->length bytes into a 4-byte stack
variable:
u32 data = 0;
memcpy(&data, req->buf, req->length);
req->length is derived from the host-con...
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-31719
HIGH
CVSS 7.5
Integrity verification bypass in Linux kernel crypto subsystem's Kerberos 5 encryption module allows remote unauthenticated attackers to bypass cryptographic hash checks when asynchronous decryption completes. The vulnerability stems from incorrect callback chaining that skips krb5enc_dispatch_decrypt_hash() verification entirely during async operations. Exploitation likelihood is low (EPSS 2%, percentile 4%) despite high CVSS severity, though EUVD classifies this as an authentication bypass affecting Linux 6.15+ with patches available for stable branches 6.18.25, 7.0.2, and mainline 7.1-rc1.
Authentication Bypass
Linux
Red Hat
Suse
-
CVE-2026-31717
HIGH
CVSS 8.8
Authentication bypass in Linux kernel's ksmbd SMB server allows any authenticated SMB user to hijack orphaned durable file handles by predicting persistent IDs, enabling unauthorized file access with the original owner's privileges. The flaw violates MS-SMB2 requirements for SecurityContext validation during durable handle reconnection. Vendor patches are available across multiple stable kernel branches (6.18.25, 7.0.2, 7.1-rc1). EPSS exploitation probability is low at 0.02% (4th percentile), and no active exploitation or public POC has been identified. CVSS 8.8 reflects high impact but requires low-privilege authentication.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31716
HIGH
CVSS 7.8
Integer underflow in Linux kernel NTFS3 driver during journal replay allows local attackers to trigger massive out-of-bounds memory copies into a 4KB buffer when processing corrupted filesystems. The check_file_record() function fails to validate rec->used field before using it in memmove() length calculations across DeleteAttribute, CreateAttribute, and change_attr_size handlers, enabling slab-out-of-bounds writes. No public exploit identified at time of analysis. EPSS score of 0.02% (5th percentile) indicates low exploitation probability. Vendor-released patches available across kernel versions 6.6.136, 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1.
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-31715
HIGH
CVSS 7.8
Use-after-free in Linux kernel F2FS filesystem allows local authenticated attackers to trigger kernel panic or potentially achieve code execution. The vulnerability (CWE-416) occurs during concurrent write callback and unmount operations when f2fs_write_end_io() decrements page count before checking node inode validity, leading to NULL pointer dereference. Discovered via xfstests generic/107 and syzbot fuzzing. EPSS exploitation probability is low (0.02%, 4th percentile), no active exploitation confirmed. Vendor patches available across stable kernel branches 6.18.25, 7.0.2, and 7.1-rc1.
Information Disclosure
Linux
Use After Free
Memory Corruption
-
CVE-2026-31712
HIGH
CVSS 8.3
Out-of-bounds read in Linux kernel ksmbd allows authenticated SMB clients to trigger memory corruption by crafting malicious DACL ACEs with undersized headers. Attackers with permission to set ACLs on files can cause kernel KASAN reports and state corruption when subsequent CREATE operations walk the stored DACL via smb_check_perm_dacl(). Vendor patches available for kernel versions 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1. EPSS score of 0.02% (5th percentile) indicates low likelihood of mass exploitation despite network attack vector, consistent with the requirement for authenticated access and specific file permission prerequisites.
Buffer Overflow
Linux
Memory Corruption
-
CVE-2026-31711
HIGH
CVSS 7.5
Resource exhaustion in Linux kernel ksmbd server allows remote unauthenticated attackers to permanently deny SMB service by consuming connection slots through forced allocation failures. The vulnerability leaks active_num_conn counter values when alloc_transport() fails during TCP connection setup on port 445, permanently consuming slots from the max_connections pool until module reload. Attackers can accelerate exhaustion by holding open connections with large RFC1002 lengths (up to 16MB) to trigger memory pressure. EPSS score of 0.11% suggests low observed exploitation probability, and no public exploit or CISA KEV listing exists. Vendor patches available for kernel versions 6.6.136, 6.12.84, 7.0.2, and 7.1-rc1.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31709
HIGH
CVSS 8.8
Remote unauthenticated attackers can trigger out-of-bounds memory access in the Linux kernel SMB client's DACL parsing code by sending a malicious SMB response with a truncated DACL structure. The vulnerability exists in build_sec_desc() and id_mode_to_cifs_acl() functions which insufficiently validate server-supplied ACL data before rewriting it during chmod/chown operations, allowing ACE traversal beyond validated memory bounds. CVSS 8.8 indicates high severity with network vector requiring user interaction. EPSS score of 0.02% (5th percentile) suggests low observed exploitation probability in the wild, and no active exploitation is confirmed (not in CISA KEV). Vendor patch available targeting Linux kernel 7.0.2 and 7.1-rc1.
Information Disclosure
Linux
-
CVE-2026-31708
HIGH
CVSS 8.1
A malicious SMB server can trigger out-of-bounds heap memory disclosure in Linux kernel SMB client (CIFS) through crafted QUERY_INFO responses. Vulnerable Linux kernel versions 5.1 through 6.12.84 do not validate server-reported OutputBufferLength against actual response size before copying data to userspace, allowing a rogue SMB server to expose adjacent kernel heap contents. Patches available across stable kernel branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1). EPSS score of 0.02% indicates low exploitation probability; no active exploitation confirmed. Attack requires user interaction to mount malicious SMB share.
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31707
HIGH
CVSS 7.1
Integer overflow in Linux kernel's ksmbd (SMB server) allows local authenticated attackers to bypass size validation and trigger memory corruption via crafted daemon responses. The vulnerability affects three IPC message handlers that fail to detect arithmetic overflow when computing expected message sizes from attacker-controlled fields (payload_sz, ngroups), enabling out-of-bounds memcpy operations. Vendor patches available for affected 5.15+ kernels. EPSS score 0.02% (5th percentile) indicates low observed exploitation probability. No CISA KEV listing or public exploit identified at time of analysis.
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-31706
HIGH
CVSS 8.8
Buffer overflow in Linux kernel's ksmbd SMB server allows authenticated remote attackers to trigger ~8 MB heap allocation from manipulated NTACL xattr values, potentially leading to memory exhaustion, information disclosure via uninitialized heap memory, or code execution. Exploitation requires low-privilege SMB authentication plus ability to corrupt backing filesystem metadata (offline xattr tampering or race condition). EPSS score of 0.02% indicates minimal observed exploitation activity. Vendor patches available across multiple stable kernel branches (6.12.84, 6.18.25, 7.0.2, 7.1-rc1).
Buffer Overflow
Linux
Red Hat
Suse
-
CVE-2026-31703
HIGH
CVSS 7.8
Use-after-free condition in Linux kernel writeback subsystem allows local authenticated attackers to potentially execute arbitrary code, escalate privileges, or trigger kernel crashes. The vulnerability affects Linux kernel versions 6.18.x through 7.1-rc1 and arises from improper synchronization between work queue processing and memory deallocation in inode_switch_wbs_work_fn(). Vendor patches are available across stable kernel branches (6.18.25, 7.0.2, 7.1-rc1) with low EPSS score (0.02%) indicating minimal observed exploitation activity, though the CVSS 7.8 score reflects significant impact if successfully exploited by authenticated local users.
Denial Of Service
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31702
HIGH
CVSS 7.8
Use-after-free in Linux kernel f2fs compressed writeback allows local authenticated users to trigger memory corruption, potentially executing arbitrary code or causing system crashes. Affects f2fs-compressed filesystems in Linux kernel 5.6 through 7.1-rc2, with patches available in 6.6.136, 6.12.84, 7.0.2, and 7.1-rc1. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite CVSS 7.8 rating. This mirrors CVE-2026-23234's race condition pattern but in the compression code path that was missed by the earlier fix. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31700
HIGH
CVSS 7.8
Time-of-check-time-of-use (TOCTOU) race condition in Linux kernel's TPACKET transmission path allows local authenticated attackers with low privileges to bypass vnet_hdr validation checks and potentially achieve privilege escalation, code execution, or system compromise. The vulnerability affects packet socket implementations when PACKET_VNET_HDR is enabled, where concurrent userspace threads can modify mmap'd ring buffer data between kernel validation and use. Vendor-released patches are available for stable kernel branches (6.6.136, 6.12.84, 7.0.2, 7.1-rc1). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV), though the high CVSS 7.8 reflects significant local impact potential.
Authentication Bypass
Linux
Race Condition
Red Hat
Suse
-
CVE-2026-31699
HIGH
CVSS 7.1
Buffer overflow in Linux kernel's AMD CCP (Cryptographic Coprocessor) driver leaks kernel memory to userspace when retrieving PEK CSR (Platform Endorsement Key Certificate Signing Request). Affecting Linux kernel 4.16+ through 7.0.x, the vulnerability allows local authenticated users to read arbitrary kernel memory due to improper error handling when firmware returns invalid buffer length requirements. Patches available across stable branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1). EPSS score of 0.02% indicates minimal observed exploitation probability, though the CVSS 7.1 reflects significant confidentiality impact. No CISA KEV listing or public exploit identified at time of analysis.
Buffer Overflow
Linux
Google
Memory Corruption
Red Hat
-
CVE-2026-31698
HIGH
CVSS 7.1
Information disclosure in Linux kernel's AMD Cryptographic Coprocessor (CCP) driver allows local authenticated attackers to leak kernel memory to userspace via out-of-bounds read. When retrieving PDH certificates through SEV ioctl, the driver incorrectly copies data to userspace even after firmware command failures, potentially reading 2084+ bytes beyond allocated buffer boundaries. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation probability. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1) per upstream commits.
Buffer Overflow
Linux
Google
Memory Corruption
Red Hat
-
CVE-2026-31697
HIGH
CVSS 7.1
Buffer overflow in Linux kernel CCP SEV driver allows local authenticated users to leak kernel memory to userspace. When the PSP firmware command to retrieve SEV CPU ID fails due to insufficient buffer size, the driver attempts to copy data beyond the allocated kernel buffer boundary, exposing up to 64 bytes of kernel memory. Exploitation requires local access with low privileges (CVSS PR:L) to invoke the SEV ioctl interface. EPSS score is very low (0.02%, 5th percentile) indicating minimal real-world exploitation observed. No public exploit identified at time of analysis, though the KASAN stack trace in the CVE description provides a clear exploitation path. Patches available across multiple stable kernel branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1).
Buffer Overflow
Linux
Google
Memory Corruption
Red Hat
-
CVE-2026-31696
HIGH
CVSS 7.8
Buffer overflow in Linux kernel rxrpc subsystem allows local authenticated users to trigger memory corruption via malformed key payloads. The non-XDR parsing path in rxrpc_preparse() fails to validate ticket length against AFSTOKEN_RK_TIX_MAX, enabling unprivileged users to supply oversized tickets that cause WARN_ON() triggers and potential memory corruption when keys are read. Vendor patches available for kernel versions 6.6.136, 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1. EPSS score of 0.02% indicates low observed exploitation probability, with no public exploit identified at time of analysis.
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-31695
HIGH
CVSS 7.8
Use-after-free in Linux kernel virt_wifi driver allows local authenticated users to trigger memory corruption during ethtool operations on virtual WiFi devices being unregistered. The vulnerability stems from improper device parent reference handling via SET_NETDEV_DEV, where ethnl_ops_begin() calls pm_runtime_get_sync() on already-freed memory when a virt_wifi device unregisters concurrently with ethtool operations. Patches are available across multiple stable kernel branches (5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploit identified at time of analysis, though CVSS 7.8 reflects potential for complete system compromise if successfully triggered.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31694
HIGH
CVSS 7.8
A malicious FUSE server can trigger a 24-byte buffer overflow in the Linux kernel's FUSE directory cache implementation on 4 KiB page systems. The fuse_add_dirent_to_cache() function fails to validate that directory entries fit within PAGE_SIZE before copying them to page cache, allowing a server-controlled namelen value of 4095 to produce a 4120-byte serialized record that overflows into adjacent kernel memory. This enables local attackers with FUSE mount privileges to achieve high-severity impacts including arbitrary kernel memory corruption. EPSS exploitation probability is notably low (0.02%, 5th percentile) despite the 7.8 CVSS score, and no public exploit has been identified. Patches are available across multiple stable kernel versions (6.6.136, 6.12.84, 7.0.2, 7.1-rc1, 6.18.25).
Buffer Overflow
Linux
Red Hat
Suse
-
CVE-2026-30363
HIGH
CVSS 8.4
Stack overflow in Flipper Zero Firmware (commit ad2a80) enables local arbitrary code execution with high privileges through exploitation of the Main function. SSVC framework confirms POC availability and total technical impact. CVSS 8.4 reflects local attack vector with no authentication barrier. No vendor-released patch identified at time of analysis, though GitHub issue tracking indicates developer awareness.
Buffer Overflow
Stack Overflow
-
CVE-2026-22167
HIGH
CVSS 7.8
Local privilege escalation in Imagination Technologies Graphics DDK allows low-privileged users to corrupt kernel memory and driver data structures through malicious GPU system calls. The vulnerability affects DDK versions 1.18 RTM, 23.2 RTM, 24.1-24.2 RTM, and 25.1-25.3 RTM. Attackers with local access can force the GPU to write to arbitrary physical memory pages, including restricted internal GPU buffers and kernel memory regions, achieving complete system compromise (CVSS 7.8). EPSS data not available; no active exploitation confirmed per CISA SSVC framework (exploitation status: none), but the local attack vector and total technical impact make this critical for systems with untrusted local users.
Buffer Overflow
-
CVE-2026-22166
HIGH
CVSS 8.1
Use-after-free in Imagination Graphics DDK GPU GLES user-space library allows authenticated remote attackers to crash the GPU render process via crafted WebGPU content. CVSS 8.1 (High) with network vector and low complexity. On platforms where the GPU process runs with elevated system privileges, successful exploitation could enable system-level compromise beyond the initial crash. EPSS and KEV data not provided; SSVC framework indicates no confirmed exploitation, non-automatable attack, but total technical impact. Vendor patches available across affected DDK versions 1.18, 23.2, 24.1-24.2, and 25.1-25.3.
Denial Of Service
Use After Free
Memory Corruption
-
CVE-2026-22165
HIGH
CVSS 8.1
Remote authenticated attackers can execute code or cause persistent denial-of-service in Imagination Technologies Graphics DDK by triggering a use-after-free in the GPU GLES render process via specially crafted WebGPU content. On platforms where the GPU driver runs with elevated system privileges, successful exploitation enables device-level compromise beyond the browser sandbox. EPSS data not available, no CISA KEV listing identified, no public POC confirmed. SSVC framework indicates no active exploitation and non-automatable attack requiring authenticated interaction.
Denial Of Service
Use After Free
Memory Corruption
-
CVE-2026-7584
HIGH
CVSS 8.4
Unsafe deserialization in Zurich Instruments LabOne Q enables arbitrary code execution when users load malicious experiment files. The import_cls mechanism accepts unvalidated class names from serialized data, allowing attackers to instantiate arbitrary Python classes with controlled constructor arguments. Exploitation requires user interaction to open a crafted file, making this a credible vector for supply chain attacks via shared experiment configurations or support tickets. CVSS 8.4 reflects local attack vector with user interaction requirement. No confirmed active exploitation or public POC at time of analysis.
RCE
Python
Deserialization
-
CVE-2026-7548
HIGH
CVSS 7.4
Command injection in Totolink NR1800X router firmware 9.1.0u.6279_B20210910 allows authenticated remote attackers to execute arbitrary system commands via the setUssd parameter in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (POC confirmed via GitHub). EPSS data not provided, but CVSS v4.0 base score of 7.4 with low attack complexity (AC:L) and network attack vector (AV:N) indicates moderate-to-high severity for internet-facing devices with default credentials or weak authentication.
Command Injection
-
CVE-2026-7546
HIGH
CVSS 8.9
Stack-based buffer overflow in Totolink NR1800X router firmware 9.1.0u.6279_B20210910 allows remote unauthenticated attackers to execute arbitrary code or crash the device by sending malicious HTTP Host headers to the lighttpd web server. The vulnerability has publicly available exploit code (CVSS E:P) but is not currently listed in CISA KEV. EPSS data unavailable, but the combination of remote unauthenticated attack vector (AV:N/PR:N), low complexity (AC:L), and confirmed POC suggests elevated real-world risk for internet-facing devices running this specific firmware version.
Buffer Overflow
-
CVE-2026-7538
HIGH
CVSS 8.9
OS command injection in Totolink A8000RU firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands via the 'proto' parameter in /cgi-bin/cstecgi.cgi CGI handler. A public proof-of-concept exploit exists on GitHub, significantly lowering the barrier for exploitation. CVSS 8.9 with network vector, low complexity, and no authentication requirements makes this immediately exploitable against internet-facing devices running the vulnerable firmware version.
Command Injection
-
CVE-2026-7513
HIGH
CVSS 7.4
Buffer overflow in UTT HiPER 1200GW routers (versions up to 2.5.3-170306) allows authenticated remote attackers to execute arbitrary code or cause denial of service through the strcpy function in the /goform/formRemoteControl endpoint. Public exploit code exists (CVSS 7.4, E:P modifier). EPSS data not available, but low-privilege authenticated requirement and IoT router context suggest targeted attacks against exposed management interfaces rather than mass exploitation.
Buffer Overflow
-
CVE-2026-7512
HIGH
CVSS 7.4
Buffer overflow in UTT HiPER 1200GW router (versions up to 2.5.3-1703) allows authenticated remote attackers to execute arbitrary code with elevated privileges via crafted input to the strcpy function in the /goform/formUser endpoint. Public exploit code exists on GitHub, significantly lowering the barrier to exploitation. While requiring low-privilege authentication (CVSS PR:L), the vulnerability enables full system compromise (VC:H/VI:H/VA:H) and has been assigned an E:P (Proof-of-concept) exploit maturity rating, indicating working demonstration code is available.
Buffer Overflow
-
CVE-2026-3772
HIGH
CVSS 8.8
Cross-Site Request Forgery in WP Editor plugin through version 1.2.9.2 enables remote attackers to inject arbitrary PHP code into plugin and theme files. The vulnerability requires administrator interaction (clicking a malicious link) but no authentication for the attacker, allowing complete website compromise through file overwrite. EPSS data not available; no confirmed active exploitation at time of analysis. Patch available in changeset 3480577.
PHP
WordPress
CSRF
-
CVE-2025-63548
HIGH
CVSS 7.5
Remote denial of service in Eprosima Micro-XRCE-DDS Agent 3.0.1 allows unauthenticated network attackers to crash the DDS agent by sending malformed packets containing invalid boolean field values. The vulnerability is automatable (per SSVC) with proof-of-concept code publicly available, requiring no privileges or user interaction (CVSS AV:N/AC:L/PR:N/UI:N), making it trivial to exploit against internet-exposed DDS deployments. EPSS data not available but SSVC classifies as automatable with partial technical impact.
Denial Of Service
-
CVE-2025-63547
HIGH
CVSS 7.5
Remote denial of service in Eprosima Micro-XRCE-DDS Agent 3.0.1 allows unauthenticated network attackers to crash the agent via malformed packets targeting the MTU length field. The vulnerability is remotely exploitable with no authentication required (CVSS AV:N/AC:L/PR:N/UI:N) and is classified as automatable by SSVC analysis. No active exploitation confirmed at time of analysis, but GitHub issue and researcher documentation provide technical details. EPSS data not available; CVSS 7.5 reflects high availability impact suitable for targeting DDS middleware deployments.
Denial Of Service
-
CVE-2025-52347
HIGH
CVSS 7.8
Kernel memory access and privilege escalation in PassMark DirectIo64.sys driver affect BurnInTest 11.0 Build 1011, OSForensics 11.1 Build 1007, and PerformanceTest 11.1 Build 1004. Local authenticated attackers can send crafted IOCTL 0x8011E044 calls to the vulnerable driver to read arbitrary kernel memory and elevate privileges to SYSTEM level. Public exploit code is available in the researcher's GitHub repository. EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation, though POC availability lowers the barrier for local attacks.
Privilege Escalation
-
CVE-2026-43507
MEDIUM
CVSS 5.3
Denial of service via memory exhaustion in Prosody before 0.12.6 and 1.0.0 through 13.0.4 allows unauthenticated remote attackers to crash the server through XML parsing resource amplification. An attacker can send specially crafted XML payloads to trigger excessive memory consumption without authentication, resulting in service unavailability with a CVSS score of 5.3 indicating low severity availability impact.
Denial Of Service
-
CVE-2026-43506
MEDIUM
CVSS 5.3
Prosody XMPP server versions before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5 are vulnerable to denial of service via memory exhaustion from unauthenticated connections. An attacker can remotely trigger memory leaks by establishing multiple connections without authentication, eventually exhausting server memory and causing service unavailability. No special configuration or user interaction is required; the vulnerability affects default Prosody deployments accessible over the network.
Denial Of Service
-
CVE-2026-43505
MEDIUM
CVSS 6.5
Unauthenticated traffic relay vulnerability in Prosody mod_proxy65 module allows network attackers to bypass access control during SOCKS5 activation, resulting in integrity compromise and service disruption without requiring authentication. Affected versions are Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5 when mod_proxy65 is enabled. CVSS 6.5 reflects medium severity with network-accessible attack surface, low complexity, and non-privileged unauthenticated access, though confirmed availability and integrity impact limits widespread severity.
Information Disclosure
-
CVE-2026-43504
MEDIUM
CVSS 6.5
Improper access control in Prosody's mod_proxy65 module allows unauthenticated relaying of traffic when the module enters a paused state, enabling attackers to bypass authentication and impact data integrity and availability across affected versions. Prosody before 0.12.6 and versions 1.0.0 through 13.0.0 before 13.0.5 are vulnerable when mod_proxy65 is explicitly enabled; no public exploit code or active exploitation has been confirmed at time of analysis, though the network-accessible vulnerability with no authentication requirement and low complexity presents meaningful real-world risk.
Authentication Bypass
-
CVE-2026-43054
MEDIUM
CVSS 5.5
tcm_loop target reset handler fails to drain in-flight SCSI commands, violating SCSI error handling contract and causing LUN reference leaks that deadlock configfs LUN unlink operations. Local users with appropriate privileges can trigger denial of service by initiating reset sequences while SCSI commands are in flight, leaving the kernel in an unkillable D-state waiting for LUN reference counts to clear. This is a local denial of service affecting the SCSI target core's tcm_loop loopback driver across multiple kernel versions.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43053
MEDIUM
CVSS 4.7
XFS filesystem crashes during log recovery when inodes with node-format extended attributes are inactivated following an untimely log shutdown, due to stale metadata block references in the attribute B-tree. Unprivileged local attackers with write access to XFS filesystems can trigger this denial-of-service condition by inducing log shutdown during extended attribute cleanup, causing the filesystem to unmount and require repair. The vulnerability affects Linux kernel versions prior to 6.19.12 and later stable branches.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-43046
MEDIUM
CVSS 5.5
Kernel denial of service via crafted btrfs metadata allowing local attackers to trigger an unguarded BUG_ON() condition during relocation recovery at mount time. The vulnerability arises when a root item on disk contains a non-zero drop_progress with zero drop_level, an invalid state that should not exist but lacks validation on read. CVSS 5.5 reflects local attack vector and availability impact; EPSS 0.02% indicates minimal real-world exploitation likelihood.
Information Disclosure
Linux
Debian
Ubuntu
Red Hat
-
CVE-2026-43045
MEDIUM
CVSS 5.5
Memory corruption and page reference leaks in the Linux kernel mshv (Microsoft Hyper-V) module occur when pin_user_pages_fast() returns a partial pin count, which the current code incorrectly treats as success. A local authenticated attacker with privileges can trigger this vulnerability to corrupt memory or cause denial of service on systems using the mshv module, particularly in Hyper-V guest environments.
Buffer Overflow
Linux
Red Hat
Suse
-
CVE-2026-43043
MEDIUM
CVSS 5.5
Denial of service in the Linux kernel AF_ALG crypto interface allows local authenticated attackers to trigger a NULL pointer dereference and kernel panic by sending sequential sendmsg() calls that cause scatter-gather list chain operations to fail to properly unmark SGL boundaries. The vulnerability occurs when AF_ALG allocates chained SGL structures without clearing end markers on previous entries, causing the crypto scatterwalk to encounter premature termination and dereference NULL pointers. CVSS 5.5 (AV:L/AC:L/PR:L) reflects local-only attack requirement with low complexity; EPSS 0.02% (7th percentile) indicates minimal real-world exploitation risk despite kernel panic severity.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43041
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak
__radix_tree_create() allocates and links intermediate nodes into the
tree one by one. If a subsequent allocation fails, the already-linked
nodes remain in ...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43036
MEDIUM
CVSS 5.5
Linux kernel GSO feature check reads uninitialized IPv4 header data when processing packets from PF_PACKET paths, causing kernel memory disclosure or denial of service. The vulnerability affects multiple kernel versions before 6.12.81, 6.19.12, and 7.0, and requires local user access to trigger via raw packet injection.
Linux
Code Injection
Red Hat
Suse
-
CVE-2026-43035
MEDIUM
CVSS 5.5
Information disclosure in the Linux kernel's traffic control (tc) scheduler allows local users with low privileges to read uninitialized kernel heap memory through the tc_chain_fill_node() function, which fails to zero-initialize the tcm_info field in netlink messages before transmission to userspace. The vulnerability affects multiple stable kernel series and has a vendor-released patch available across all affected versions.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43034
MEDIUM
CVSS 5.5
A local denial of service vulnerability in the Linux kernel bnxt_en driver allows authenticated local users to crash the system by triggering an out-of-bounds array access during backing store capability queries. The vulnerability stems from incorrect use of firmware-provided type values to index fixed metadata arrays, rather than using the known loop iteration index. Exploitation requires local access and user-level privileges (PR:L), and no active exploitation has been reported.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43032
MEDIUM
CVSS 5.5
Denial of service in the Linux kernel NFC PN533 UART driver allows local authenticated attackers to exhaust memory by sending malformed NFC frames without valid headers, causing unbounded socket buffer growth until kernel crash. Affects Linux 5.5 through 7.0 with patches available across all maintained stable branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0); EPSS exploitation probability is minimal at 0.02%, but local privilege is required.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43026
MEDIUM
CVSS 5.5
Information disclosure in the Linux kernel netfilter ctnetlink module allows local authenticated users to read stale NAT configuration data from kernel memory via a crafted netlink message. When ctnetlink_alloc_expect() allocates connection tracking expectations without initializing NAT fields, uninitialized memory containing sensitive data from previous slab allocations is exposed to userspace during expectation dumps. This requires local access and low-privileged authentication (PR:L) but carries a high availability impact due to potential memory disclosure vectors.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43024
MEDIUM
CVSS 5.5
Denial of service in Linux kernel netfilter nf_tables subsystem allows local privileged users to crash the system by issuing immediate NF_QUEUE verdicts, which are not properly validated and cause kernel panic when processed through the arp family or other code paths that lack queue support. The vulnerability affects multiple kernel versions and requires local access with limited privileges (CAP_NET_ADMIN or equivalent) to exploit.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43022
MEDIUM
CVSS 5.5
Local privilege escalation in Linux kernel Bluetooth subsystem allows authenticated local users to cause denial of service through improper resource management in the hci_cmd_sync_queue_once() function. The vulnerability affects Bluetooth HCI synchronization queue handling, where the function fails to properly indicate queue item addition status, leading to potential resource leaks and system unavailability. EPSS score of 0.02% indicates minimal real-world exploitation probability despite moderate CVSS severity.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43021
MEDIUM
CVSS 5.5
Memory and reference leaks in the Linux kernel Bluetooth hci_sync subsystem allow local authenticated attackers to cause denial of service by triggering hci_cmd_sync_queue_once() failures without invoking the destroy callback, leading to unreclaimed resources. The vulnerability affects Linux kernel versions prior to 6.19.12 and 7.0, with EPSS score of 0.02% indicating very low real-world exploitation probability despite moderate CVSS score.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43017
MEDIUM
CVSS 5.5
Linux kernel Bluetooth MGMT subsystem fails to validate the advertised data length field in mesh send operations, allowing local authenticated attackers to trigger denial of service by reading beyond allocated buffer boundaries. The vulnerability affects the mesh_send() function which accepts a truncated MGMT_OP_MESH_SEND command that passes length checks but contains mismatched adv_data_len and actual payload, leading to out-of-bounds access during async mesh transmission. Patch versions include 6.6.134, 6.12.81, 6.1.168, 6.18.22, and 7.0.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43014
MEDIUM
CVSS 5.5
Memory leak in the MACB (Cadence Gigabit Ethernet Controller) driver allows local authenticated attackers to cause denial of service through resource exhaustion by failing to unregister fixed-rate clocks allocated during device probe, resulting in memory and clock resource depletion. EPSS exploitation probability is minimal at 0.02%, indicating low real-world risk despite CVSS score of 5.5. Patch versions are available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43013
MEDIUM
CVSS 5.5
Null pointer dereference in Linux kernel net/mlx5 LAG (Link Aggregation) driver allows local authenticated attackers to cause denial of service by accessing debugfs interfaces when LAG device context is invalid. The vulnerability exists in mlx5_ldev_add_debugfs() which creates debugfs entries without validating that a valid LAG context exists, exposing the members file and other interfaces that depend on a valid ldev pointer. EPSS exploitation probability is 0.02% (percentile 7%), indicating low real-world exploitation likelihood despite the vulnerability's availability for patching.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43012
MEDIUM
CVSS 5.5
A denial of service vulnerability in the Linux kernel's mlx5 (Mellanox/NVIDIA) network driver causes a kernel panic when switchdev mode initialization fails during rollback to legacy mode. A local unprivileged user on systems with affected mlx5 hardware can trigger improper netdevice unregistration, leading to a kernel BUG at net/core/dev.c:12070 and system crash. The vulnerability affects multiple stable kernel versions; vendor-released patches are available.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43010
MEDIUM
CVSS 5.5
Denial of service in Linux kernel eBPF subsystem allows local attackers with standard privileges to crash the system by attaching sleepable eBPF kprobe_multi programs that invoke non-sleepable contexts. The vulnerability exists because bpf_kprobe_multi_link_attach() fails to validate the sleepable flag before program attachment, permitting sleepable helpers like bpf_copy_from_user() to execute in atomic RCU contexts, triggering kernel panics with 'sleeping function called from invalid context' errors. EPSS exploitation probability is very low at 0.02%, suggesting practical exploitation barriers despite local network access requirements.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-43008
MEDIUM
CVSS 5.5
Denial of service via null pointer dereference in Linux kernel gpio-qixis-fpga driver affects local users with limited privileges. The driver incorrectly checks for NULL return value from devm_regmap_init_mmio(), which returns ERR_PTR() on failure, allowing a local attacker with user-level privileges to trigger a kernel panic by causing improper error handling. EPSS score is low (0.02%), indicating limited exploitation probability despite CVSS 5.5 severity.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-43004
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
spi: stm32-ospi: Fix resource leak in remove() callback
The remove() callback returned early if pm_runtime_resume_and_get()
failed, skipping the cleanup of spi controller and other resources.
Remove the early return so cleanup co...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-42788
MEDIUM
CVSS 6.9
Denial of service in mtrudel bandit via HTTP/2 frame deserialization allows unauthenticated remote attackers to exhaust server memory by sending oversized frames. The vulnerability exists because the HTTP/2 frame parser in 'Elixir.Bandit.HTTP2.Frame':deserialize/2 performs the max frame size check after pattern-matching the entire payload into memory, rather than before, allowing attackers to force buffering of up to 16 MiB frames regardless of negotiated limits. Confirmed actively exploited (CISA KEV status unknown but vendor advisory confirms vulnerability). Patch available in version 1.11.0.
Denial Of Service
Red Hat
-
CVE-2026-42481
MEDIUM
CVSS 5.5
Open CASCADE Technology (OCCT) V8_0_0_rc5 contains multiple out-of-bounds read vulnerabilities and infinite recursion flaws in its IGES and STEP file parsers that can be triggered by maliciously crafted CAD files, resulting in denial of service or memory disclosure. Local attackers with low privilege can exploit these issues without user interaction by supplying crafted IGES or STEP files to applications using OCCT. EPSS-based risk assessment indicates moderate exploitation probability; CISA SSVC framework rates this as non-automated with partial technical impact (denial of service and information disclosure).
Buffer Overflow
Denial Of Service
Information Disclosure
-
CVE-2026-42480
MEDIUM
CVSS 5.5
Stack-based out-of-bounds read in Open CASCADE Technology (OCCT) V8_0_0_rc5 VRML parser allows local attackers with low privileges to cause denial of service by submitting a crafted VRML file. The vulnerability stems from unsafe pointer arithmetic in the quoted-string escape handler that reads past a fixed-size stack buffer without bounds validation. CISA SSVC assessment indicates exploitation is not currently active and not readily automatable, suggesting this is a localized attack requiring user interaction with malicious files.
Buffer Overflow
Denial Of Service
Information Disclosure
-
CVE-2026-42479
MEDIUM
CVSS 5.5
Out-of-bounds read in Open CASCADE Technology V8_0_0_rc5 VRML parser allows denial of service when processing crafted VRML files with invalid coordIndex values. The vulnerability exists in VrmlData_IndexedLineSet::TShape geometry processing, where array indices are used without bounds validation, enabling local attackers with user interaction to crash applications through malformed input.
Buffer Overflow
Denial Of Service
Information Disclosure
-
CVE-2026-42475
MEDIUM
CVSS 6.5
SQL injection in MixPHP Framework versions 2.0 through 2.2.17 allows unauthenticated remote attackers to execute arbitrary SQL queries by supplying crafted array parameters to the joinOn function in BuildHelper.php. The vulnerability has a CVSS score of 6.5 with network-accessible exploitation requiring no authentication or user interaction. SSVC signals indicate exploitation is automatable, though no active exploitation in the wild has been reported at time of analysis.
PHP
SQLi
-
CVE-2026-42474
MEDIUM
CVSS 6.5
SQL injection in MixPHP Framework 2.x through 2.2.17 allows unauthenticated remote attackers to read or modify database contents via a crafted data array passed to the data function in BuildHelper.php. The vulnerability has an automatable exploitation path per CISA SSVC but no public exploit code or active KEV listing identified at analysis time. CVSS 6.5 (medium) reflects network-accessible SQL injection with partial confidentiality and integrity impact but no availability impact.
PHP
SQLi
-
CVE-2026-42404
MEDIUM
CVSS 6.5
Server-Side Request Forgery (SSRF) in Apache Neethi allows remote attackers to make arbitrary outbound requests to internal IP addresses and non-HTTP/HTTPS protocols when an application explicitly calls the PolicyReference API to retrieve remote policies. The vulnerability affects all versions before 3.2.2, which restricts URI schemes to HTTP/HTTPS and blocks link-local, multicast, and any-local addresses. No active exploitation has been confirmed at this time.
Apache
SSRF
Red Hat
-
CVE-2026-40201
MEDIUM
CVSS 5.4
Stored cross-site scripting (XSS) in @diplodoc/search-extension versions 1.0.0 through 3.0.2 allows authenticated users to inject malicious scripts via the title field in Markdown files, which are then executed in the browsers of other users viewing the affected documentation. The vulnerability requires user interaction (rendered content must be viewed) and affects the confidentiality and integrity of affected systems. Vendor-released patch: version 3.0.3.
XSS
-
CVE-2026-39807
MEDIUM
CVSS 6.3
Transport-state spoofing in Bandit 1.0.0 through 1.10.x allows unauthenticated remote attackers to forge HTTPS connections over plaintext HTTP by supplying a malicious URI scheme in HTTP/1.1 absolute-form request targets or HTTP/2 :scheme pseudo-headers. The vulnerable determine_scheme/2 function returns client-supplied scheme values verbatim, causing downstream Plug middlewares to make incorrect security decisions: Plug.SSL skips HTTP→HTTPS redirects, secure cookies are transmitted unencrypted, and CSRF/SameSite protections may be bypassed. CVSS 6.3 (network-accessible, low complexity). Vendor patch available (version 1.11.0+).
CSRF
-
CVE-2026-39805
MEDIUM
CVSS 6.3
HTTP request smuggling in mtrudel bandit before version 1.11.0 allows unauthenticated attackers to bypass edge security controls when the application sits behind a proxy that interprets duplicate Content-Length headers differently. The vulnerability stems from Bandit accepting only the first Content-Length header while proxies may use the last value, causing request framing desynchronization that enables smuggling past WAF rules, path-based ACLs, rate limiting, and audit logging. CVSS 6.3 (AV:N/AC:L/AT:P) indicates network-accessible exploitation with some attack timing complexity; no public exploit code or active KEV listing identified at analysis time, but RFC 9112 non-compliance creates a known attack pattern.
Information Disclosure
Red Hat
Request Smuggling
-
CVE-2026-37505
MEDIUM
CVSS 4.9
Authenticated admin users in V2Board through version 1.7.4 can exploit unsanitized sort parameters in the user management interface to disclose sensitive database information including password hashes and authentication tokens through ORDER BY-based information disclosure. The vulnerability requires admin privileges and does not enable data modification or service disruption, but allows attackers with administrative access to extract confidential user data by analyzing sort order patterns.
PHP
Information Disclosure
SQLi
-
CVE-2026-37504
MEDIUM
CVSS 5.3
V2Board through version 1.7.4 exposes sensitive server authentication tokens via GET parameters in the UniProxy API endpoint, causing tokens to be recorded in web server access logs, browser history, HTTP Referer headers, and intermediary proxies. An attacker who obtains access to any log source can extract the token and impersonate a proxy server node, potentially intercepting all user traffic passing through that node.
PHP
Information Disclosure
-
CVE-2026-37503
MEDIUM
CVSS 6.9
Stored cross-site scripting in V2Board through version 1.7.4 allows authenticated administrators to inject arbitrary JavaScript into the custom_html theme configuration field via the saveThemeConfig API, which is rendered unescaped in the dashboard.blade.php template and executed in the browsers of all site visitors, enabling cookie theft, session hijacking, and phishing attacks.
PHP
XSS
-
CVE-2026-35233
MEDIUM
CVSS 4.4
DTrace kernel instrumentation tool on Linux is vulnerable to a denial-of-service and potential privilege escalation attack when processing malicious ELF binaries with out-of-range sh_link fields. An unprivileged attacker can craft an ELF binary that, when instrumented by a root-level dtrace process, triggers an out-of-bounds heap read in the ELF parser. This can crash the dtrace daemon (DoS) or, depending on heap layout, lead to reading and dereferencing garbage pointers controlled by the attacker, potentially enabling code execution in a privileged context. The vulnerability requires local access and a privileged dtrace instance to be actively instrumenting the malicious process, but carries significant risk given dtrace's typical deployment in system administration and security monitoring contexts.
Buffer Overflow
Denial Of Service
Information Disclosure
-
CVE-2026-31785
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/xe_pagefault: Disallow writes to read-only VMAs
The page fault handler should reject write/atomic access to read only
VMAs. Add code to handle this in xe_pagefault_service after the VMA
lookup.
v2:
- Apply max line length...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31784
MEDIUM
CVSS 5.5
A denial-of-service vulnerability in the Linux kernel's DRM/XE PXP (Protected Execution) driver causes an infinite loop when a restart flag is not cleared after a jump operation, allowing local authenticated users to hang or crash the system. The vulnerability affects multiple kernel versions through a logic error in the pxp_start function that was resolved in stable patches for Linux 6.18.22, 6.19.12, and 7.0.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31783
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
spi: amlogic: spifc-a4: unregister ECC engine on probe failure and remove() callback
aml_sfc_probe() registers the on-host NAND ECC engine, but teardown was
missing from both probe unwind and remove-time cleanup. Add a devm cleanu...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31781
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
drm/ioc32: stop speculation on the drm_compat_ioctl path
The drm compat ioctl path takes a user controlled pointer, and then
dereferences it into a table of function pointers, the signature method
of spectre problems. Fix this up...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31777
MEDIUM
CVSS 5.5
Denial of service in the Linux kernel ALSA ctxfi audio driver allows local authenticated attackers to crash the system via improper error handling in the daio_device_index() function. The ctxfi driver failed to validate return values from index mapping operations, enabling a local user with standard privileges to trigger an unhandled error condition that disables audio functionality or causes system instability.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31775
MEDIUM
CVSS 5.5
Denial of service in Linux kernel ALSA ctxfi audio driver allows local authenticated attackers to crash the system via improper SPDIF1 enumeration during DAIO initialization on hw20k2 hardware. The vulnerability affects kernel versions 6.19 through 7.0 due to a refactoring that loops over all DAIO types including the hw20k2-incompatible SPDIF1 entry, triggering a kernel crash when the undefined hardware info is accessed. Patch available from Linux stable repositories.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-31770
MEDIUM
CVSS 5.5
Denial of service via divide-by-zero crash in the hwmon OCC (On-Chip Controller) power monitoring driver affects Linux kernels when the power sensor is queried before initial data samples are collected, typically during early boot. Local attackers with unprivileged user privileges can trigger a kernel panic by accessing the affected sysfs power attribute, causing system availability impact. CVSS 5.5 reflects local attack vector and low complexity; EPSS 0.02% indicates low real-world exploitation probability despite the straightforward trigger condition.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-31767
MEDIUM
CVSS 5.5
Division-by-zero denial of service in Linux kernel's Intel i915 DRM driver when loading on certain machines with DSC (Display Stream Compression) enabled in command mode. The driver incorrectly applies horizontal timing adjustments based on compression ratio in command mode, causing line_time_us to become zero and triggering a kernel panic. Affects Linux kernel versions 5.6 and later; patch available via stable kernel releases.
Information Disclosure
Linux
Microsoft
Red Hat
Suse
-
CVE-2026-31765
MEDIUM
CVSS 5.5
Kernel NULL pointer dereference in AMD GPU driver on systems with 64KB page sizes allows local authenticated attackers to crash the system by triggering memory allocation mismatches between reserved trap area (8KB) and required allocation size (128KB) during GPU memory initialization. The vulnerability affects systems running ROCm workloads and causes denial of service when executing rocminfo or rccl unit tests on IBM POWER10 and similar 64K-page architectures. EPSS exploitation probability is very low (0.02%), and no public exploit code or active in-the-wild exploitation has been identified.
Denial Of Service
Linux
Null Pointer Dereference
IBM
Red Hat
-
CVE-2026-31763
MEDIUM
CVSS 5.5
Denial of service in the Linux kernel's mpu3050 gyroscope driver allows local authenticated attackers to crash the system via incorrect IRQ handler cleanup during module unload. A mismatch between the registered IRQ handler (mpu3050->trig) and the handler passed to free_irq() (mpu3050) causes improper cleanup, leading to resource leaks and potential kernel panic when the device is removed or the driver is unloaded. No public exploit code identified; patch available across affected kernel series.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31762
MEDIUM
CVSS 5.5
Resource leak in the Linux kernel MPU3050 gyro driver allows local authenticated users to cause denial of service through memory exhaustion by repeatedly triggering iio_trigger_register() failures that fail to release previously allocated interrupt handlers. The vulnerability affects multiple kernel versions and requires local access with unprivileged user privileges, resulting in potential system availability impact with low real-world exploitation likelihood (EPSS 0.02%).
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31760
MEDIUM
CVSS 5.5
Memory leak in the Linux kernel's GPIB lpvo_usb driver allows local authenticated users to cause a denial of service through resource exhaustion by repeatedly connecting and disconnecting USB devices, as the driver fails to release USB device references during interface enumeration. The EPSS score of 0.02% indicates minimal real-world exploitation risk despite the moderate CVSS 5.5 severity, reflecting the combination of local-only access requirement, authentication need, and the niche nature of GPIB USB device usage.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31757
MEDIUM
CVSS 5.5
A memory leak in the Linux kernel's USB misc usbio driver allows local attackers with low privileges to cause a denial of service by exhausting kernel memory through repeated USB device probe failures. The vulnerability arises when usb_submit_urb() fails during device initialization, leaving allocated URB structures unreleased and accumulating with each failed probe attempt.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31756
MEDIUM
CVSS 5.5
Denial of service in Linux kernel USB dwc2 gadget driver allows local authenticated users to trigger a deadlock via improper spin lock handling in dwc2_hsotg_udc_stop(). The vulnerability stems from a locking protocol violation where dwc2_gadget_exit_clock_gating() expects a held lock but is called without one, causing spin_unlock on an unheld lock followed by a lock held indefinitely, resulting in system hang. No public exploit code identified at time of analysis.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31755
MEDIUM
CVSS 5.5
Denial of service via NULL pointer dereference in the Linux kernel USB Cadence 3 (cdns3) gadget driver when ep_queue is called on disabled or unconfigured endpoints. A local authenticated attacker can trigger a kernel crash by invoking the vulnerable code path on systems with cdns3 USB gadget support enabled. No public exploit code has been identified, but the attack requires only local access and low privileges (CVSS 5.5, EPSS 0.02%).
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31754
MEDIUM
CVSS 5.5
A denial of service condition in the Linux kernel's Cadence USB3 (cdns3) gadget driver occurs when gadget initialization fails, leaving the DRD hardware in gadget mode while software state remains inactive. Switching the device to USB host mode via sysfs triggers a synchronous external abort in the xHCI host controller setup, causing a kernel crash. Local authenticated users with access to the USB role-switch sysfs interface can trigger this condition, affecting Linux kernel versions 5.4 through current releases. A patch is available from the Linux kernel project.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-31753
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
auxdisplay: line-display: fix NULL dereference in linedisp_release
linedisp_release() currently retrieves the enclosing struct linedisp via
to_linedisp(). That lookup depends on the attachment list, but the
attachment may already ...
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31752
MEDIUM
CVSS 5.5
Denial of service in Linux kernel bridge module via malformed IPv6 Neighbor Discovery options allows local authenticated attackers to crash the system by crafting packets with invalid ND option lengths that cause memory access violations in the br_nd_send() function. The vulnerability affects kernel versions 4.15 and later across multiple stable branches. EPSS exploitation probability is very low at 0.02%, reflecting the requirement for local authenticated access and low attack complexity.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31751
MEDIUM
CVSS 4.7
Denial of service in the Linux kernel comedi dt2815 driver allows local authenticated users to crash the system by attaching the driver to arbitrary I/O addresses without actual hardware present via the COMEDI_DEVCONFIG ioctl. The vulnerability occurs when outb() operations are performed on non-existent hardware, triggering page faults under race conditions. A patch adding hardware detection via status register reads prevents the crash.
Denial Of Service
Linux
Race Condition
Red Hat
Suse
-
CVE-2026-31750
MEDIUM
CVSS 5.5
Memory leak in Linux kernel comedi subsystem allows local privileged users to exhaust kernel memory and cause denial of service. The vulnerability exists in do_cmd_ioctl() where chanlist memory is not properly freed when runflags is not set following an exceptional exit, due to incomplete reference counting logic introduced in commit 4e1da516debb. CVSS 5.5 (local, low complexity, requires user privilege) with EPSS 0.02% indicates this is a lower-priority local DoS affecting systems with comedi driver loaded and untrusted local users.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31749
MEDIUM
CVSS 5.5
Null pointer dereference and invalid I/O port writes in the Linux kernel's comedi ni_atmio16d driver occur when the device attach handler fails, causing the detach handler to call reset_atmio16d() with uninitialized device state. Local privileged attackers can trigger a denial of service by causing attach to fail, resulting in kernel memory access violations or writes to address zero. No public exploit code or active exploitation has been identified; patch versions are available from the Linux kernel stable branches.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31746
MEDIUM
CVSS 5.5
Memory leak in Linux kernel s390/zcrypt subsystem allows local authenticated attackers to exhaust memory resources by repeatedly using CCA cards as accelerators for clear key RSA requests (ME and CRT operations). The vulnerability stems from incomplete refactoring where AP message allocations via ap_init_apmsg() are not properly freed in two code paths, causing heap memory exhaustion over time and enabling denial of service on s390 systems with CCA cryptographic hardware.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31744
MEDIUM
CVSS 5.5
Denial of service in Linux kernel energy model netlink handler allows local authenticated attackers to crash the system via NULL pointer dereference when requesting non-existent performance domain IDs. The dev_energymodel_nl_get_perf_domains_doit() function fails to validate the return value from em_perf_domain_get_by_id() before dereferencing the performance domain structure, causing immediate kernel panic when an invalid domain ID is supplied. EPSS exploitation probability is very low (0.02%, 5th percentile), and no public exploit code or active exploitation has been identified.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31741
MEDIUM
CVSS 5.5
Denial of service via runtime PM usage count underflow in the rz-mtu3-cnt counter driver allows local privileged users to disable hardware counters and trigger kernel warnings by repeatedly writing to the sysfs enable file. Multiple writes of the same value (0 or 1) to the enable attribute cause the runtime PM reference count to become misaligned with actual hardware state, leading to register access with clocks disabled and potential PWM channel conflicts. EPSS exploitation probability is minimal (0.02%) despite local access requirement, indicating this is primarily a local reliability issue rather than a remote attack vector.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31740
MEDIUM
CVSS 5.5
Denial of service in Linux kernel counter driver (rz-mtu3-cnt) allows local attackers with low privileges to crash the system by exploiting a race condition where counter and PWM sub-drivers overwrite a shared device pointer, causing incorrect runtime power management operations. The vulnerability affects kernel versions prior to specific patch levels across the 6.x and 7.x branches, with EPSS exploitation probability of 0.02% indicating low real-world exploitation likelihood despite the availability of a vendor patch.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31738
MEDIUM
CVSS 5.5
Denial of service in Linux kernel VXLAN module allows local authenticated attackers to crash the system via malformed IPv6 neighbor discovery options in vxlan_na_create(). A crafted ND option with incorrect length values can cause out-of-bounds access or undersized payload reads, triggering a kernel panic. EPSS exploitation probability is low at 0.02%, but the vulnerability is confirmed patched across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12).
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31737
MEDIUM
CVSS 5.5
Memory leaks in the ftgmac100 Ethernet driver's ring allocation function allow local authenticated users to cause a denial of service through resource exhaustion on driver initialization failure. The vulnerability is triggered when ftgmac100_alloc_rings() fails during intermediate allocation stages, returning directly without freeing previously allocated resources (rx_skbs, tx_skbs, rxdes, txdes, rx_scratch). This affects Linux kernel versions prior to fixes released in stable branches 5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31736
MEDIUM
CVSS 5.5
Denial of service via NULL pointer dereference in the MediaTek Ethernet PPE (packet processing engine) driver occurs when gmac0 (the primary ethernet interface) is disabled on affected systems. A local authenticated attacker can trigger a kernel crash by sending traffic through the networking stack when the driver incorrectly checks for a valid ingress device without verifying if the first network device pointer is actually initialized. The vulnerability affects Linux kernel versions prior to fixes released in stable branches 6.18.22, 6.12.81, 6.19.12, and 7.0.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31734
MEDIUM
CVSS 5.5
Denial of service in Linux kernel scheduler extension (sched_ext) allows local privileged attackers to crash systems by triggering incorrect task migration validation. The vulnerability exists in the is_bpf_migration_disabled() function, which fails to correctly identify migration-disabled tasks on non-PREEMPT_RCU configurations, potentially dispatching such tasks to remote CPUs and triggering kernel errors in task_can_run_on_remote_rq(). EPSS exploitation probability is very low at 0.02%, but CVSS 5.5 indicates local attackers with standard user privileges can cause denial of service.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31733
MEDIUM
CVSS 5.5
A denial of service condition in the Linux kernel scheduler extension (sched_ext) subsystem allows local authenticated attackers to trigger a kernel warning and potential crash via improper handling of stale direct dispatch state in the ddsp_dsq_id field. When a task's direct dispatch verdict is not properly cleared across all code paths that consume or cancel such verdicts, a subsequent wakeup operation calling ops.select_cpu() with scx_bpf_dsq_insert() triggers a spurious WARN_ON_ONCE() in mark_direct_dispatch(), exposing the availability impact of the vulnerability. The issue affects Linux kernels with sched_ext enabled and requires local access with low privilege (non-root user capable of triggering task scheduling operations).
Authentication Bypass
Linux
Red Hat
Suse
-
CVE-2026-31732
MEDIUM
CVSS 5.5
Resource leaks in the Linux kernel GPIO subsystem allow local attackers with low privileges to cause denial of service through memory exhaustion during gpiochip initialization error handling. The vulnerability arises from improper reference counting in gpiochip_add_data_with_key() after device initialization, where error paths fail to release device references, leading to memory not being freed on function failure. CVSS 5.5 with EPSS 0.02% indicates low real-world exploitation probability despite local attack vector.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31728
MEDIUM
CVSS 4.7
A race condition between gether_disconnect() and eth_stop() in the USB gadget Ethernet driver (usb: gadget: u_ether) causes a NULL pointer dereference and a system hard lockup that local low-privileged users can trigger. When eth_stop() runs concurrently with gether_disconnect(), it attempts to access a cleared endpoint descriptor and crashes while holding a spinlock that gether_disconnect() also needs, resulting in kernel panic and denial of service. CVSS 4.7 with a low EPSS score (0.02%, 7th percentile) indicates limited real-world exploitation likelihood despite confirmed availability of vendor patches across multiple stable kernel branches.
Denial Of Service
Linux
Race Condition
Red Hat
Suse
-
CVE-2026-31727
MEDIUM
CVSS 5.5
NULL pointer dereference in the USB Ethernet gadget driver (u_ether) allows local attackers with low privileges to cause a denial of service by querying device information via ethtool during device unbind. The vulnerability occurs when userspace tools call eth_get_drvinfo() on a gadget interface after the kernel has cleared the gadget pointer during device reparenting, triggering a crash without authentication or user interaction. EPSS exploitation probability is minimal (0.02%), and this is a localized denial of service with no impact on confidentiality or integrity.
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31726
MEDIUM
CVSS 5.5
A NULL pointer dereference in the Linux kernel USB gadget UVC (USB Video Class) driver during power management transitions allows local authenticated attackers with low privileges to cause a kernel panic and denial of service. The vulnerability occurs when the PM subsystem freezes user space processes during suspend, causing wait_event_interruptible_timeout() to abort early in uvc_function_unbind(), which nullifies the gadget pointer. When tasks are restarted, the V4L2 release path attempts to access the already nullified pointer, triggering a kernel panic. Patches are available across multiple kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Denial Of Service
Linux
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-31725
MEDIUM
CVSS 5.5
Denial of service in the Linux kernel USB gadget ECM (Ethernet Control Model) driver allows local authenticated attackers to crash the system by exploiting improper net_device lifecycle management during bind and unbind cycles. When the gadget device unbinds, the network device survives with dangling sysfs symlinks, causing kernel issues when accessed or when the device tree is traversed. The vulnerability affects Linux kernel versions prior to patches released in 6.12.81, 6.18.22, 6.19.12, and 7.0.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31724
MEDIUM
CVSS 5.5
Denial of service in Linux kernel USB gadget EEM function allows local privileged attackers to crash the system by triggering a dangling sysfs symlink condition during gadget device unbind cycles. The vulnerability arises from improper net_device lifecycle management when the parent gadget device is destroyed while the network device persists, resulting in kernel panic or system instability. CVSS 5.5 reflects local privilege requirement (PR:L) and high availability impact, with EPSS at 0.02% percentile indicating minimal real-world exploitation probability despite patch availability.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31723
MEDIUM
CVSS 5.5
USB gadget subsystem net_device lifecycle mismanagement in Linux kernel allows local privileged users to cause denial of service through sysfs corruption. The f_subset gadget function creates dangling sysfs symlinks when unbinding due to improper device reparenting, resulting in inaccessible network device references and potential system instability. A local user with sufficient privileges can trigger unbind/rebind cycles to exhaust resources or corrupt the sysfs filesystem state.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31722
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_rndis: Fix net_device lifecycle with device_move
The net_device is allocated during function instance creation and
registered during the bind phase with the gadget device as its sysfs
parent. When the function unbin...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31721
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_hid: move list and spinlock inits from bind to alloc
There was an issue when you did the following:
- setup and bind an hid gadget
- open /dev/hidg0
- use the resulting fd in EPOLL_CTL_ADD
- unbind the UDC
- bind th...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31714
MEDIUM
CVSS 5.5
Memory leak in f2fs_rename() function allows local authenticated attackers to cause denial of service through repeated file rename operations. The vulnerability exists in the f2fs filesystem implementation when handling SELinux label initialization during whiteout file creation, due to a missing f2fs_free_filename() call introduced in commit 40b2d55e0452. Vendor patches are available for Linux 6.6.136, 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31713
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
fuse: abort on fatal signal during sync init
When sync init is used and the server exits for some reason (error, crash)
while processing FUSE_INIT, the filesystem creation will hang. The reason
is that while all other threads wil...
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-31710
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix dir separator in SMB1 UNIX mounts
When calling cifs_mount_get_tcon() with SMB1 UNIX mounts,
@cifs_sb->mnt_cifs_flags needs to be read or updated only after
calling reset_cifs_unix_caps(), otherwise it might end up...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31704
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
set_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes
in u16 variables. When a file has many POSIX ACL entries, the
accumulated size can wrap past ...
Buffer Overflow
Linux
Red Hat
Suse
-
CVE-2026-31701
MEDIUM
CVSS 5.5
Use-after-free vulnerability in the ALSA caiaq USB audio driver allows local authenticated attackers to cause denial of service by triggering asynchronous card free callbacks after USB device disconnection. The vulnerability stems from missing reference counting on the parent USB device pointer, combined with an inappropriate usb_reset_device() call in the card teardown path. EPSS exploitation probability is minimal (0.02%), and no public exploit code or active exploitation has been identified.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-26461
MEDIUM
CVSS 6.5
Command injection in the Aver PTC320UV2 web management interface allows unauthenticated remote attackers to execute arbitrary system commands via crafted web requests. Version 0.1.0000.65 and potentially earlier versions are affected. The vulnerability has a CVSS score of 6.5 (medium severity) with network attack vector and no authentication required, though scope is unchanged and confidentiality/integrity impact is limited. CISA SSVC assessment indicates automation is possible but current exploitation is unconfirmed.
Command Injection
-
CVE-2026-23866
MEDIUM
CVSS 4.3
Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 through v2.26.15.72 and Android v2.25.8.0 through v2.26.7.10 allows authenticated attackers to trigger processing of media content from arbitrary URLs on a victim's device, potentially invoking OS-controlled custom URL scheme handlers to disclose limited information. No active exploitation has been observed in the wild, and CISA SSVC indicates no known exploitation path despite the network attack vector.
Information Disclosure
Google
Apple
-
CVE-2026-23863
MEDIUM
CVSS 6.5
WhatsApp for Windows prior to v2.3000.1032164386.258709 permits attachment spoofing via maliciously formatted documents with embedded NUL bytes in filenames, causing the application to display files as benign types while executing them as executables upon opening. The vulnerability requires user interaction to open a crafted attachment delivered over the network, enabling an attacker to achieve code execution with the privileges of the WhatsApp process. No public exploit code or active exploitation has been confirmed at time of analysis.
Information Disclosure
Microsoft
-
CVE-2026-7598
MEDIUM
CVSS 6.9
Integer overflow in libssh2 up to version 1.11.1 allows remote unauthenticated attackers to cause memory corruption during SSH password authentication. The vulnerability exists in the userauth_password function where inadequate bounds checking on username_len and password_len parameters can trigger integer overflow when calculating buffer sizes, potentially leading to confidentiality breach, integrity compromise, and service disruption. Upstream fix available via GitHub commit 256d04b60d80bf1190e96b0ad1e91b2174d744b1. No active exploitation confirmed (not in CISA KEV), but publicly accessible patch reveals exact exploitation technique.
Buffer Overflow
Integer Overflow
Red Hat
-
CVE-2026-7594
MEDIUM
CVSS 5.5
Path traversal in Flux159 mcp-game-asset-gen 0.1.0 allows remote unauthenticated attackers to read, write, and potentially delete arbitrary files via manipulation of the statusFile parameter in the image_to_3d_async function. The vulnerability is confirmed actively exploited with publicly available exploit code (GitHub issue #3). CVSS 7.3 reflects network-accessible attack with low confidentiality, integrity, and availability impact. Despite early responsible disclosure via issue report, the maintainer has not responded, leaving the open-source project unpatched.
Path Traversal
-
CVE-2026-7593
MEDIUM
CVSS 5.5
OS command injection in Sunwood-ai-labs command-executor-mcp-server versions up to 0.1.0 allows remote unauthenticated attackers to execute arbitrary system commands via the MCP interface execute_command function. The vulnerability carries a CVSS score of 7.3 with a complete remote attack vector (AV:N/AC:L/PR:N/UI:N), enabling unauthorized data access, system modification, and service disruption. A proof-of-concept exploit has been publicly disclosed via GitHub issue #6, significantly lowering the barrier to exploitation. EPSS data not available, but public POC availability and unauthenticated remote vector indicate elevated real-world risk despite the moderate CVSS score.
Command Injection
-
CVE-2026-7592
MEDIUM
CVSS 5.5
SQL injection in itsourcecode Courier Management System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter in /edit_staff.php, potentially leading to unauthorized database access and data disclosure. The vulnerability has a CVSS score of 5.5 with a publicly available exploit, indicating moderate real-world risk despite the low confidentiality impact rating.
PHP
SQLi
-
CVE-2026-7590
MEDIUM
CVSS 5.5
Remote code execution via OS command injection in eyal-gor p_69_branch_monkey_mcp Preview Endpoint allows unauthenticated remote attackers to execute arbitrary operating system commands by manipulating the dev_script parameter in the advanced.py routes file. The vulnerability affects all commits up to 69bc71874ce40050ef45fde5a435855f18af3373, with publicly available exploit code identified. The project does not use semantic versioning, complicating patch tracking and remediation timelines.
Command Injection
-
CVE-2026-7589
MEDIUM
CVSS 5.5
Path traversal in the CSV Export endpoint of ghantakiran's splunk-mcp-integration allows remote unauthenticated attackers to access arbitrary files on the server by manipulating the job_name parameter in the create_csv_export function. The vulnerability affects all versions up to commit 0b86b09d5e5adf0433acd43c975951224613a1a6, with publicly available exploit code disclosed via GitHub issue; no vendor patch has been released despite early notification.
Path Traversal
Splunk
-
CVE-2026-7588
MEDIUM
CVSS 5.5
Path traversal in ggerve coding-standards-mcp server.py allows remote unauthenticated attackers to access arbitrary files by manipulating the Language parameter in the get_style_guide and get_best_practices functions. The vulnerability has publicly available exploit code and affects the product's rolling-release model where specific vulnerable versions are not formally documented. The project maintainer has not yet responded to the early vulnerability disclosure.
Path Traversal
-
CVE-2026-7579
MEDIUM
CVSS 5.5
Hard-coded credentials in AstrBot Dashboard (versions ≤4.16.0) enable remote unauthenticated attackers to bypass authentication and gain partial system access. The vulnerability resides in astrbot/dashboard/routes/auth.py, allowing complete authentication bypass without network complexity or user interaction. A public exploit exists on GitHub, and the vendor has not responded to responsible disclosure attempts, leaving users exposed to credential-based attacks with moderate impact across confidentiality, integrity, and availability (CVSS 7.3). EPSS data not available; KEV status negative indicates no confirmed widespread exploitation despite public POC.
Authentication Bypass
-
CVE-2026-7555
MEDIUM
CVSS 5.5
SQL injection in itsourcecode Electronic Judging System 1.0 allows remote attackers to manipulate the Username parameter in /intrams/login.php, leading to unauthorized data access and modification. The vulnerability requires no authentication and can be exploited over the network with low complexity. Publicly available exploit code exists, and the CVSS 4.0 vector indicates confidentiality and integrity impact on the affected application.
PHP
SQLi
-
CVE-2026-7550
MEDIUM
CVSS 5.5
SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to read, modify, or delete database records via the ID parameter in /ajax.php?action=save_customer. CVSS 7.3 with low attack complexity and no authentication required. Publicly available exploit code exists (GitHub POC published), elevating immediate risk for exposed installations. EPSS data not available, but the combination of network vector, zero authentication, and public POC indicates high probability of opportunistic scanning and exploitation.
PHP
SQLi
-
CVE-2026-7549
MEDIUM
CVSS 5.5
SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to extract database contents, modify records, or execute unauthorized queries via the ID parameter in /ajax.php?action=delete_customer. Publicly available exploit code exists (GitHub POC), enabling trivial exploitation against exposed instances. CVSS 7.3 reflects network-accessible attack with low complexity and no authentication requirement, though EPSS data unavailable and not currently listed in CISA KEV, suggesting limited widespread exploitation despite POC availability.
PHP
SQLi
-
CVE-2026-7545
MEDIUM
CVSS 5.5
SQL injection in SourceCodester Advanced School Management System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the checkEmail endpoint in commonController.php, potentially exposing or modifying database contents. Publicly available exploit code exists and the vulnerability requires only network access with no authentication, making it a practical exploitation risk for exposed instances.
PHP
SQLi
-
CVE-2026-7536
MEDIUM
CVSS 5.5
Denial of service in Open5GS up to version 2.7.7 allows remote unauthenticated attackers to crash the BSF (Binding Support Function) service by manipulating the ipv4Addr parameter in the /nbsf-management/v1/pcfBindings endpoint. The vulnerability has publicly available exploit code and affects a core 5G network function, creating operational risk for mobile networks relying on this open-source implementation.
Denial Of Service
-
CVE-2026-7519
MEDIUM
CVSS 5.5
Path traversal in Fujian Apex LiveBOS through the /feed/UploadImage.do endpoint allows remote attackers to manipulate the filename parameter and write files to arbitrary locations on the server. Versions up to 2.0 are affected. Public exploit code is available. Upgrading to version 2.1 resolves the vulnerability.
Path Traversal
-
CVE-2026-6127
MEDIUM
CVSS 6.4
Stored cross-site scripting in Elementor Website Builder plugin for WordPress up to version 4.0.4 allows authenticated contributors to inject arbitrary JavaScript via form-encoded REST API requests to the _elementor_data meta field. The vulnerability bypasses sanitization by exploiting a json_decode() failure on non-JSON request bodies, causing unsanitized data to be stored and later output without escaping in widget rendering functions. Contributors and above can inject malicious scripts that execute for all users viewing affected pages, compromising site integrity and user sessions.
WordPress
XSS
-
CVE-2026-3143
MEDIUM
CVSS 5.3
Unauthenticated attackers can cancel pending rollbacks in Total Upkeep WordPress Backup Plugin by BoldGrid (versions up to 1.17.1) due to missing capability checks on the wp_ajax_cli_cancel AJAX function, allowing malicious users to prevent automatic recovery from failed WordPress updates. CVSS 5.3 (network-accessible, low complexity) reflects the integrity impact and lack of authentication requirement, though real-world impact depends on whether rollback operations are actively pending during an update failure.
WordPress
Authentication Bypass
-
CVE-2026-3140
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) in Ultimate Dashboard for WordPress up to version 3.8.14 allows unauthenticated attackers to toggle plugin modules on or off by tricking site administrators into clicking a malicious link. The vulnerability stems from flawed nonce validation in the 'handle_module_actions' function, enabling attackers to modify plugin configuration without user consent. No public exploit code or active exploitation has been identified at this time.
WordPress
CSRF
-
CVE-2025-69606
MEDIUM
CVSS 6.1
Reflected cross-site scripting (XSS) in GSVoIP web panel version 2.0.90 allows remote attackers to inject arbitrary JavaScript via the `msg` parameter in the `/painel/gateways.php/error` endpoint. The vulnerability requires user interaction (clicking a malicious link) but can lead to session hijacking, credential theft, or malware distribution. No authentication is required, and public exploit code exists.
PHP
XSS
-
CVE-2026-21996
LOW
CVSS 3.3
A DTrace process can be reliably crashed by unprivileged local attackers via a malicious ELF binary that triggers an integer divide-by-zero condition in the Pbuild_file_symtab() function, causing denial of service. CVSS 3.3 (low severity) reflects the local-only attack vector and low privileges required, though the reliable crash mechanism and low exploitation complexity may elevate practical risk in multi-tenant or shared-system environments.
Denial Of Service
-
CVE-2026-7599
LOW
CVSS 2.1
Path traversal in Dayoooun hwpx-mcp 0.2.0 allows authenticated remote attackers to manipulate the output_path argument in save_document, export_to_text, and export_to_html functions, enabling arbitrary file write or read operations outside intended directories. The vulnerability affects the MCP Interface component (mcp-server/src/index.ts) with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, and the vendor has not responded to early disclosure.
Path Traversal
-
CVE-2026-7597
LOW
CVSS 2.1
Unsafe pickle deserialization in mem0 up to version 1.0.11 allows authenticated remote attackers to execute arbitrary code via manipulation of the faiss.py vector store module. The vulnerability affects the pickle.load/pickle.dump functions used to serialize docstore data, enabling code execution with moderate impact (confidentiality, integrity, availability). Public exploit code is available, and the vendor has released a patched version.
Deserialization
-
CVE-2026-7596
LOW
CVSS 2.1
Cross-site scripting (XSS) vulnerability in nextlevelbuilder ui-ux-pro-max-skill up to version 2.5.0 allows remote attackers to inject malicious scripts via unescaped user input in the Slide Generator component's data.get() function. The vulnerability affects slide generation where user-supplied content (titles, subtitles, company names, feature descriptions) is embedded directly into HTML output without sanitization. Publicly available exploit code exists, and the vendor has released a patch via pull request, though the project has not actively responded to security notifications. CVSS score of 2.1 reflects low severity due to required user interaction, but the public availability of exploit code increases practical exploitation risk.
XSS
-
CVE-2026-7595
LOW
CVSS 2.1
Code injection vulnerability in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0 allows authenticated remote attackers to execute arbitrary code via unsanitized plugin names in the Tailwind Config Generator. The _format_plugins function constructs require() statements without validation, enabling attackers with login credentials to inject malicious JavaScript into the Tailwind configuration. Publicly available exploit code exists and the vendor has released a patch via pull request, though adoption status is unconfirmed.
RCE
Code Injection
-
CVE-2026-7591
LOW
CVSS 2.1
SQL injection in TimBroddin astro-mcp-server up to version 1.1.1 allows authenticated remote attackers to manipulate MCP Tool Query Construction parameters via crafted request.params.arguments, enabling arbitrary SQL query execution. Public exploit code exists and the vendor has not yet responded to early notification, leaving deployed instances at risk.
SQLi
-
CVE-2026-7587
LOW
CVSS 2.1
Denial of service in Open5GS AMF component up to version 2.7.7 allows authenticated remote attackers to trigger resource exhaustion via improper handling of PDU session context update messages in the amf_nsmf_pdusession_handle_update_sm_context function. The vulnerability has a low CVSS score (2.1) but publicly available exploit code exists; however, exploitation requires prior authentication to the 5G network, significantly limiting real-world attack surface.
Denial Of Service
-
CVE-2026-7586
LOW
CVSS 2.1
Denial of service in Open5GS up to version 2.7.7 affects the AMF (Access and Mobility Function) component, specifically the ogs_id_get_value function in nudm-handler.c, allowing remote authenticated attackers to cause service unavailability. Publicly available exploit code exists, and the vulnerability has been reported to the project via GitHub issue #4405 without vendor acknowledgment or patch release at time of analysis.
Denial Of Service
-
CVE-2026-7585
LOW
CVSS 2.1
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the AMF (Access and Mobility Management Function) component via manipulation of the amf_nudm_sdm_handle_provisioned function in the NUDM handler. The vulnerability has publicly available exploit code and affects the authentication and mobility management core of 5G networks, requiring valid credentials to trigger but resulting in service unavailability. Public disclosure has occurred without vendor remediation at the time of analysis.
Denial Of Service
-
CVE-2026-7583
LOW
CVSS 2.1
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the BSF (Binding Support Function) component by manipulating the ipv6Prefix argument in the bsf_sess_find_by_ipv6prefix function. The vulnerability has a low CVSS score of 2.1 due to requiring authentication and causing only availability impact, but publicly available exploit code exists and the vendor has not yet responded to early disclosure.
Denial Of Service
Open5gs
-
CVE-2026-7582
LOW
CVSS 1.9
Out-of-bounds write in AcademySoftwareFoundation OpenImageIO up to version 3.2.0.1-dev occurs in the DDS Image Handler (ddsinput.cpp) when processing specially crafted DDS image files. A local attacker with limited privileges can trigger the vulnerability by opening a malicious DDS file, potentially causing memory corruption and denial of service. Publicly available exploit code exists, though the CVSS score of 1.9 reflects low impact scope and limited privileges required.
Buffer Overflow
-
CVE-2026-7581
LOW
CVSS 2.1
Permissive CORS policy in MeTube up to version 2026.04.09 allows remote attackers to bypass same-origin restrictions by exploiting wildcard origin acceptance (cors_allowed_origins='*') in the on_prepare function of app/main.py, potentially enabling cross-domain data theft or unauthorized API access. The vulnerability requires user interaction (UI:P) but grants information disclosure via cross-domain requests. Publicly available exploit code exists; upgrade to 2026.04.10 fixes the issue by restricting origins to a configurable allowlist.
Information Disclosure
-
CVE-2026-7580
LOW
CVSS 1.9
Code injection in ExifTool versions up to 13.53 allows local attackers with limited privileges to execute arbitrary code via manipulation of the -ee argument in the Process_mrld function when processing JPEG/QuickTime/MOV/MP4 files. The vulnerability has a very low CVSS score of 1.9 due to local-only attack vector and low impact, but is tagged as RCE. Vendor-released patch available in version 13.54.
RCE
Code Injection
-
CVE-2026-7578
LOW
CVSS 2.0
Unrestricted file upload in MacCMS Pro up to version 2022.1.3 allows authenticated high-privilege administrators to upload arbitrary files via the plugin installation handler at /admin/addon/add.html, potentially enabling remote code execution. Publicly available exploit code exists, and the vendor has not responded to early disclosure despite contact.
PHP
File Upload
-
CVE-2026-7554
LOW
CVSS 2.9
Weak password recovery in D-Link M60 up to version 1.20B02 allows remote attackers to compromise device authentication through manipulation of the /usr/bin/httpd binary. Attack complexity is high, but publicly disclosed exploit code is available. The vulnerability enables information disclosure and potential unauthorized access to device management functions despite the low CVSS score of 2.9, which reflects limited confidentiality impact.
Information Disclosure
D-Link
-
CVE-2026-7553
LOW
CVSS 2.0
SQL injection in code-projects Gym Management System 1.0 allows authenticated high-privilege users to manipulate the edit_exercise parameter in /admin/edit_exercises.php, enabling remote database queries with limited confidentiality, integrity, and availability impact. Publicly available exploit code exists; CVSS 4.7 reflects low real-world risk due to high-privilege requirement (PR:H), though the vulnerability remains remotely accessible without user interaction.
PHP
SQLi
-
CVE-2026-7535
LOW
CVSS 2.1
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the AMF (Access and Mobility Management Function) service by manipulating the ueContextId parameter in the UE context transfer-update endpoint, resulting in service unavailability. Public exploit code is available but the vendor has not issued a patch or official response despite early notification.
Denial Of Service
-
CVE-2026-7518
LOW
CVSS 2.1
Denial of service in Open5GS AMF SBI Endpoint (versions up to 2.7.7) allows authenticated remote attackers to crash the service by manipulating the changeItem.newValue argument in the /namf-callback/v1/{id}/sdmsubscription-notify endpoint. CVSS score of 2.1 reflects low severity despite network accessibility, primarily because the impact is limited to availability and authentication is required. Exploit code is publicly available, though the vendor has not yet responded to the early notification.
Denial Of Service