Client-side remote code execution affects MixPHP Framework 2.x through 2.2.17 when sync-invoke clients connect to attacker-controlled servers. The vulnerability enables malicious servers to execute arbitrary code on connecting clients through unsafe deserialization of server responses (CWE-502). EPSS data unavailable, but SSVC indicates no confirmed exploitation and non-automatable attack complexity aligns with CVSS AC:H rating. Primary risk exists in scenarios where MixPHP clients connect to untrusted external services or where server infrastructure could be compromised.
An out-of-bounds read vulnerability in the Linux kernel's Wacom HID driver (wacom_intuos_bt_irq function) allows adjacent network attackers to cause information disclosure or denial of service through maliciously crafted short Bluetooth HID reports. The vulnerability affects the Bluetooth interface of Wacom Intuos tablets, where report types 0x03 and 0x04 are processed without validating minimum lengths (22 and 32 bytes respectively), enabling memory reads beyond buffer boundaries. Patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) with no active exploitation confirmed (EPSS 0.02%, not in CISA KEV).
Out-of-bounds read in Linux kernel iwlwifi driver allows adjacent network attackers to disclose sensitive kernel memory or trigger denial of service without authentication. The vulnerability affects the iwlwifi wireless driver's network detection match handler function, where insufficient packet length validation enables memcpy to read beyond allocated buffer boundaries. EPSS probability is low (0.02%, 7th percentile) and no active exploitation confirmed (not in CISA KEV). Vendor patches available across multiple kernel stable branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Out-of-bounds memory read in Linux kernel Bluetooth HCI event processing allows adjacent network attackers to disclose kernel memory or trigger denial of service without authentication. The vulnerability stems from premature wake reason storage before per-event payload length validation, enabling crafted short HCI event frames to reach bacpy() operations before bounds checking. EPSS score is low (0.02%, 6th percentile) with no evidence of active exploitation or public POC at time of analysis. Vendor patches available for kernel versions 5.10+ through 6.19.12 and mainline 7.0.
A malicious SMB server can trigger out-of-bounds heap memory disclosure in Linux kernel SMB client (CIFS) through crafted QUERY_INFO responses. Vulnerable Linux kernel versions 5.1 through 6.12.84 do not validate server-reported OutputBufferLength against actual response size before copying data to userspace, allowing a rogue SMB server to expose adjacent kernel heap contents. Patches available across stable kernel branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1). EPSS score of 0.02% indicates low exploitation probability; no active exploitation confirmed. Attack requires user interaction to mount malicious SMB share.
Integer underflow in Open-SAE-J1939 Transport Protocol handler allows adjacent network attackers to corrupt memory via crafted CAN frames. Attackers sending J1939 Transport Protocol Data Transfer frames with sequence number 0 trigger underflow to 255, writing 6 bytes beyond a 1785-byte buffer boundary. No authentication required and exploitable over CAN/automotive networks. EPSS data unavailable; no KEV listing or public POC identified at time of analysis, but technical details publicly disclosed in GitHub gist enable proof-of-concept development.
Use-after-free in Imagination Graphics DDK GPU GLES user-space library allows authenticated remote attackers to crash the GPU render process via crafted WebGPU content. CVSS 8.1 (High) with network vector and low complexity. On platforms where the GPU process runs with elevated system privileges, successful exploitation could enable system-level compromise beyond the initial crash. EPSS and KEV data not provided; SSVC framework indicates no confirmed exploitation, non-automatable attack, but total technical impact. Vendor patches available across affected DDK versions 1.18, 23.2, 24.1-24.2, and 25.1-25.3.
Remote authenticated attackers can execute code or cause persistent denial-of-service in Imagination Technologies Graphics DDK by triggering a use-after-free in the GPU GLES render process via specially crafted WebGPU content. On platforms where the GPU driver runs with elevated system privileges, successful exploitation enables device-level compromise beyond the browser sandbox. EPSS data not available, no CISA KEV listing identified, no public POC confirmed. SSVC framework indicates no active exploitation and non-automatable attack requiring authenticated interaction.
Cross-project privilege escalation in OpenStack Keystone (releases 13 through 29) lets a holder of an unrestricted application credential for one project mint an EC2-type credential targeting a different project, because POST /v3/credentials never validates that the caller-supplied project_id matches the authenticating app credential's project. Exchanging that EC2 credential at /v3/ec2tokens then yields a Keystone token scoped to the second project while retaining the original app_cred_id, enabling lateral movement across tenants. There is no public exploit identified at time of analysis and EPSS is very low (0.01%), but the authorization flaw (CWE-863) is confirmed and patched by upstream and distributors.
A heap buffer overflow in the Linux kernel's wilc1000 WiFi driver allows local authenticated users to trigger memory corruption via crafted SSID scan requests. The driver miscalculates buffer size due to u8 integer overflow (330 bytes wrapping to 74), causing kmalloc to allocate 75 bytes while memcpy writes up to 331 bytes - a 256-byte overflow. Patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.03% (9th percentile) suggests low likelihood of widespread exploitation, and CISA KEV does not list this CVE, indicating no confirmed active exploitation at time of analysis.
Use-after-free in Linux kernel virt_wifi driver allows local authenticated users to trigger memory corruption during ethtool operations on virtual WiFi devices being unregistered. The vulnerability stems from improper device parent reference handling via SET_NETDEV_DEV, where ethnl_ops_begin() calls pm_runtime_get_sync() on already-freed memory when a virt_wifi device unregisters concurrently with ethtool operations. Patches are available across multiple stable kernel branches (5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploit identified at time of analysis, though CVSS 7.8 reflects potential for complete system compromise if successfully triggered.
Out-of-bounds memory writes in Linux kernel HID multitouch driver allow local authenticated users to achieve code execution or crash systems via malicious USB/HID devices. The vulnerability exists in the HID multitouch report parsing logic where mismatched report IDs in feature requests can confuse the HID core. Vendor-released patches are available across multiple kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score is low (0.02%, 7th percentile), indicating minimal observed exploitation attempts. No public exploit code identified at time of analysis.
Memory corruption in Linux kernel's crypto authencesn subsystem allows local authenticated attackers to disclose sensitive kernel memory, modify data integrity, or cause denial of service through improper handling of sequence bits during out-of-place decryption operations. The vulnerability affects Linux kernel versions from 4.3 through multiple stable branches (5.10.x, 5.15.x, 6.1.x, 6.6.x, 6.12.x, 6.18.x, 6.19.x) with patches available across all affected branches. EPSS exploitation probability is low (0.02%, 7th percentile) and no active exploitation or public POC has been identified.
A logic error in the Linux kernel's BPF verifier regsafe() function allows local attackers with low privileges to exploit improper state exploration for packet pointer ranges, potentially leading to high confidentiality, integrity, and availability impacts. The vulnerability affects multiple stable kernel branches from 5.10 through 6.19, with vendor patches available across all affected versions. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.
Use-after-free in Linux kernel netfilter subsystem allows local authenticated attackers to corrupt memory and potentially execute arbitrary code with kernel privileges. The vulnerability occurs when unregistering connection tracking helpers - expectations referencing the helper survive cleanup and later dereference the freed helper object during expectation dumps or new connection establishment. Vendor-released patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% indicates low observed exploitation probability; no active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.
Race condition in the Linux kernel's Bluetooth SCO socket implementation allows local authenticated users to trigger use-after-free and memory corruption via concurrent connect() syscalls on the same socket. The vulnerability affects the sco_sock_connect() function which fails to properly serialize state checks, enabling two threads to simultaneously progress through connection setup on a socket already marked for cleanup, leading to double-free conditions and connection object leaks. Vendor-released patches are available for kernel versions 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% indicates very low observed exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis.
Stack buffer overflow in Linux kernel Bluetooth MGMT subsystem allows local authenticated attackers to execute arbitrary code with elevated privileges. The vulnerability stems from insufficient validation of the encryption key size (enc_size) parameter when loading Long Term Keys (LTKs) via the Bluetooth management interface. When processing LE LTK requests, the kernel uses the attacker-controlled enc_size value to perform stack operations against a fixed 16-byte buffer, enabling stack corruption through oversized values. Vendor-released patches are available across all active kernel branches. EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploit has been identified at time of analysis, though the attack complexity is low once local authenticated access is obtained.
Use-after-free in Linux kernel macb driver allows local authenticated attackers to cause denial of service or potentially escalate privileges during module removal. The vulnerability occurs in the PCI glue driver when platform_device_unregister() triggers a runtime resume callback that attempts to access already-freed clock structures. EPSS score is low (0.02%) with no evidence of active exploitation. Vendor patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0).
Improper Direct Memory Access (DMA) handling in the Linux kernel's ti-adc161s626 Industrial I/O (IIO) analog-to-digital converter driver allows local attackers with low privileges to trigger memory corruption or information disclosure. The vulnerability stems from using stack-allocated memory for SPI read operations instead of DMA-safe buffers, violating SPI subsystem requirements. Patches are available across multiple stable kernel versions (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0). EPSS score of 0.02% indicates very low exploitation probability, and no public exploits or active exploitation (not in CISA KEV) have been identified.
Race condition in the Linux kernel MPU3050 gyroscope driver allows local attackers with low privileges to potentially achieve code execution, data corruption, or information disclosure. The vulnerability stems from premature registration of the IIO device before complete initialization in the probe function, creating a window where userspace can interact with incompletely configured hardware. While CVSS rates this 7.8 HIGH with local attack vector, EPSS score of 0.02% (7th percentile) indicates extremely low probability of active exploitation. Patches available across all maintained kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code.
Double-free memory corruption in Linux kernel USB ULPI subsystem allows local authenticated attackers with low privileges to potentially achieve arbitrary code execution, denial of service, or information disclosure. The flaw exists in ulpi_register_interface() error handling since kernel 4.2 (commit 289fcff4b), where device_register() failure triggers cleanup via put_device() followed by redundant kfree(), corrupting kernel memory. Patches available across stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% suggests low likelihood of mass exploitation despite high CVSS 7.8, likely due to local attack vector and requirement for device registration failure conditions.
Use-after-free condition in Linux kernel USB Test and Measurement Class (USBTMC) driver allows local authenticated attackers to execute arbitrary code with elevated privileges. The vulnerability occurs when the usbtmc_release function fails to properly flush pending anchored URBs, leaving dangling references that can be exploited in the HCD giveback path. Vendor patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0). Despite the high CVSS score of 7.8, the EPSS exploitation probability is very low at 0.02% (7th percentile), indicating limited real-world targeting, and no active exploitation or public POC has been identified.
Buffer overflow in Linux kernel COMEDI me_daq driver allows local authenticated users to achieve arbitrary code execution with kernel privileges. The me2600_xilinx_download() function fails to validate firmware file length before reading data streams, enabling out-of-bounds memory access during firmware loading operations. Patches available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates low probability of widespread exploitation despite high CVSS 7.8 rating, and no active exploitation or public exploit code identified at time of analysis.
Out-of-bounds write in Linux kernel comedi me4000 driver firmware loader allows local authenticated users to achieve high-impact code execution, data corruption, or system crash. The me4000_xilinx_download() function blindly trusts firmware file format headers without validating buffer boundaries, reading a length field from the first 4 bytes and then reading that many bytes from offset 16 without checking total file size. Patch available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating. No public exploit code or active exploitation confirmed.
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_uac1_legacy: validate control request size f_audio_complete() copies req->length bytes into a 4-byte stack variable: u32 data = 0; memcpy(&data, req->buf, req->length); req->length is derived from the host-controlled USB request path, which can lead to a stack out-of-bounds write. Validate req->actual against the expected payload size for the supported control selectors and decode only the expected amount of data. This avoids copying a host-influenced length into a fixed-size stack object.
Buffer overflow in Linux kernel rxrpc subsystem allows local authenticated users to trigger memory corruption via malformed key payloads. The non-XDR parsing path in rxrpc_preparse() fails to validate ticket length against AFSTOKEN_RK_TIX_MAX, enabling unprivileged users to supply oversized tickets that cause WARN_ON() triggers and potential memory corruption when keys are read. Vendor patches available for kernel versions 6.6.136, 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1. EPSS score of 0.02% indicates low observed exploitation probability, with no public exploit identified at time of analysis.
Local privilege escalation in AGL app-framework-binder (afb-daemon) through v19.90.0 allows any low-privileged process to execute privileged supervision commands without authentication via an unprotected abstract Unix socket. Attackers can terminate the daemon (DoS), execute arbitrary API calls, close user sessions, or exfiltrate global configuration data. The vulnerability stems from commit b8c9d5de384 (2017-06-29) implementing 8 supervision commands with zero credential verification, acknowledged by developers as lacking DAC protection. EPSS data unavailable, not in CISA KEV, but technical details are publicly documented with proof-of-concept reference.
Integer underflow in Linux kernel NTFS3 driver during journal replay allows local attackers to trigger massive out-of-bounds memory copies into a 4KB buffer when processing corrupted filesystems. The check_file_record() function fails to validate rec->used field before using it in memmove() length calculations across DeleteAttribute, CreateAttribute, and change_attr_size handlers, enabling slab-out-of-bounds writes. No public exploit identified at time of analysis. EPSS score of 0.02% (5th percentile) indicates low exploitation probability. Vendor-released patches available across kernel versions 6.6.136, 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1.
Use-after-free in Linux kernel f2fs compressed writeback allows local authenticated users to trigger memory corruption, potentially executing arbitrary code or causing system crashes. Affects f2fs-compressed filesystems in Linux kernel 5.6 through 7.1-rc2, with patches available in 6.6.136, 6.12.84, 7.0.2, and 7.1-rc1. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite CVSS 7.8 rating. This mirrors CVE-2026-23234's race condition pattern but in the compression code path that was missed by the earlier fix. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.
Time-of-check-time-of-use (TOCTOU) race condition in Linux kernel's TPACKET transmission path allows local authenticated attackers with low privileges to bypass vnet_hdr validation checks and potentially achieve privilege escalation, code execution, or system compromise. The vulnerability affects packet socket implementations when PACKET_VNET_HDR is enabled, where concurrent userspace threads can modify mmap'd ring buffer data between kernel validation and use. Vendor-released patches are available for stable kernel branches (6.6.136, 6.12.84, 7.0.2, 7.1-rc1). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV), though the high CVSS 7.8 reflects significant local impact potential.
A malicious FUSE server can trigger a 24-byte buffer overflow in the Linux kernel's FUSE directory cache implementation on 4 KiB page systems. The fuse_add_dirent_to_cache() function fails to validate that directory entries fit within PAGE_SIZE before copying them to page cache, allowing a server-controlled namelen value of 4095 to produce a 4120-byte serialized record that overflows into adjacent kernel memory. This enables local attackers with FUSE mount privileges to achieve high-severity impacts including arbitrary kernel memory corruption. EPSS exploitation probability is notably low (0.02%, 5th percentile) despite the 7.8 CVSS score, and no public exploit has been identified. Patches are available across multiple stable kernel versions (6.6.136, 6.12.84, 7.0.2, 7.1-rc1, 6.18.25).
Use-after-free in Linux kernel's MANA network driver allows local authenticated attackers to corrupt memory and potentially execute code with kernel privileges. The flaw occurs when auxiliary_device_add() fails in add_adev(), triggering cleanup that frees memory still referenced by subsequent error-handling code. Patches available across stable kernel branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. No CISA KEV listing or public exploit identified at time of analysis.
Use-after-free in Linux kernel HID subsystem allows local attackers with low privileges to achieve arbitrary code execution, privilege escalation, or denial of service when force feedback initialization fails on Logitech G920 racing wheels. The vulnerability occurs when userspace continues accessing freed memory structures (sysfs and /dev/input) after initialization errors. Vendor patches available across multiple stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates very low probability of mass exploitation, consistent with hardware-specific local attack surface requiring physical device presence.
Memory corruption in the Linux kernel CAAM (Cryptographic Acceleration and Assurance Module) crypto driver allows local authenticated users to corrupt kernel memory and potentially escalate privileges. The vulnerability occurs when HMAC keys longer than the hash block size are processed - the driver allocates a DMA-aligned buffer size but fails to use it, causing the hashed key to overwrite adjacent memory. Vendor patches are available for stable kernel versions 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.
Use-after-free in Linux kernel Bluetooth subsystem allows local authenticated attackers to achieve arbitrary code execution with high privileges. The vulnerability exists in set_cig_params_sync where hci_conn objects can be freed or modified concurrently during lookup and field access due to inadequate locking. Vendor patches are available across multiple stable kernel branches (6.6, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% indicates low observed exploitation probability, no CISA KEV listing, and no public exploit identified at time of analysis.
Use-after-free in Linux kernel's BPF sockmap implementation allows local authenticated attackers to corrupt memory and potentially execute arbitrary code with kernel privileges. The vulnerability occurs in sk_psock_verdict_data_ready() when handling AF_UNIX sockets, where sk->sk_socket can be accessed after being freed following sock_orphan(). This affects Linux kernel versions 5.15 through 6.19.12, with patches available for stable branches 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% indicates very low observed exploitation probability in the wild, and no active exploitation or public exploit code has been identified at time of analysis.
Linux kernel BPF verifier incorrectly prunes execution paths due to imprecise state tracking in atomic fetch operations, allowing local attackers to bypass security checks in eBPF programs. The verifier's backtracking logic fails to mark stack slots as precise when BPF_ATOMIC instructions with BPF_FETCH modify both memory and destination registers, causing two legitimately different program states to be incorrectly considered equivalent during path pruning. Vendor patches available in kernel versions 6.19.12 and 7.0. EPSS score of 0.02% (5th percentile) indicates low probability of mass exploitation, though successful exploitation grants high confidentiality, integrity, and availability impact per CVSS 7.8.
A use-after-free resource management flaw in the Linux kernel's Qualcomm AI accelerator (QAIC) driver allows local authenticated users to cause denial of service and potentially escalate privileges. When a DBC (Device Binding Context) owner process terminates before handling device-initiated deactivation messages, the kernel fails to release DBC resources, causing subsequent activation attempts to hang indefinitely and creating exploitable resource state inconsistencies. The vulnerability affects Linux kernel versions 6.4 through 6.19.12, with vendor patches available across multiple stable branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation or public POC has been identified.
Out-of-bounds array access in Linux kernel ALSA ctxfi driver allows local authenticated users to achieve arbitrary code execution with high integrity and confidentiality impact. The flaw stems from improper SPDIF1 DAIO type handling in daio_device_index() for hw20k2 hardware, which returns -EINVAL instead of a valid index, leading to buffer overflow conditions (CWE-129). Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation activity; no CISA KEV listing or public POC identified at time of analysis.
Stack buffer overflow in Linux kernel Bluetooth subsystem allows local authenticated attackers to achieve code execution, privilege escalation, or denial of service through malformed ISO socket parameters. The vulnerability occurs when binding an ISO Bluetooth socket with up to 31 BIS entries while the hci_le_big_create_sync() function only allocates stack space for 17 entries, resulting in a 14-byte overflow that corrupts adjacent stack memory. Patches are available across multiple kernel versions (6.12.81, 6.18.22, 6.19.12, 7.0), with EPSS indicating 0.02% exploitation probability and no active exploitation confirmed.
Out-of-bounds array access in the st_lsm6dsx IMU driver allows local authenticated users with low privileges to achieve high-impact code execution, data disclosure, or denial of service. The vulnerability exists in the buffer sampling frequency sysfs handler, which fails to validate sensor type before indexing a 2-entry array with sensor IDs beyond accelerometer and gyroscope. Exploitation requires write access to sysfs attributes for non-standard sensor types in the driver. EPSS exploitation probability is very low (0.02%, 5th percentile), no active exploitation confirmed, and vendor patches are available for Linux 6.19.12 and 7.0.
Double-free memory corruption in the Linux kernel reset-gpio subsystem allows local authenticated users to escalate privileges or crash the system. The vulnerability exists in reset_add_gpio_aux_device() error handling since commit 5fc4e4cf7a22, where auxiliary_device_uninit() triggers a release callback that frees memory, but the error path then calls kfree() on the same pointer. Patches available for kernel versions 6.19.12+ and 7.0+. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. Not listed in CISA KEV; no public exploit identified at time of analysis.
Memory corruption in the Linux kernel zynqmp_nvmem driver allows local authenticated users to achieve privilege escalation through undersized DMA buffer exploitation. The vulnerability stems from incorrect buffer size calculations in dma_alloc_coherent and memcpy operations, enabling heap or memory corruption that can lead to complete system compromise. With a 7.8 CVSS score but only 0.02% EPSS (5th percentile), this represents a high-severity issue affecting specific Xilinx Zynq UltraScale+ deployments rather than a widespread exploitation target. Patches available across multiple stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0) with upstream fixes confirmed in git commits.
Use-after-free in Linux kernel thermal subsystem allows local attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability stems from race conditions between thermal zone removal and power management resume operations, where delayed work items can continue executing after thermal zone objects are freed. EPSS score of 0.02% (5th percentile) suggests low probability of mass exploitation despite high CVSS severity. Vendor patches available across multiple stable kernel branches (6.12.83, 6.18.22, 6.19.12, 7.0) via upstream commits. No active exploitation confirmed in CISA KEV at time of analysis.
Double-free memory corruption in the Linux kernel's fastrpc driver allows local attackers with low privileges to achieve high-impact code execution, privilege escalation, or denial of service. The vulnerability occurs when fastrpc_init_create_static_process() fails to nullify a freed heap pointer (cctx->remote_heap) in its error path, enabling fastrpc_rpmsg_remove() to free the same memory twice during device removal. Patches available across kernel versions 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% indicates low observed exploitation probability, with no active exploitation confirmed at time of analysis.
Out-of-bounds array access in Linux kernel UCSI (USB Type-C Connector System Software Interface) driver allows local authenticated attackers to achieve arbitrary code execution or system crash. A malicious USB-C device or compromised firmware can send a crafted CCI (Connector Change Indicator) message with an invalid connector number (0-127) that exceeds the allocated connector array bounds (typically 2-4 entries), triggering memory corruption in ucsi_connector_change(). Vendor patches available for kernel 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability, and no active exploitation or public POC currently identified.
Use-after-free in Linux kernel F2FS filesystem allows local authenticated attackers to trigger kernel panic or potentially achieve code execution. The vulnerability (CWE-416) occurs during concurrent write callback and unmount operations when f2fs_write_end_io() decrements page count before checking node inode validity, leading to NULL pointer dereference. Discovered via xfstests generic/107 and syzbot fuzzing. EPSS exploitation probability is low (0.02%, 4th percentile), no active exploitation confirmed. Vendor patches available across stable kernel branches 6.18.25, 7.0.2, and 7.1-rc1.
Use-after-free condition in Linux kernel writeback subsystem allows local authenticated attackers to potentially execute arbitrary code, escalate privileges, or trigger kernel crashes. The vulnerability affects Linux kernel versions 6.18.x through 7.1-rc1 and arises from improper synchronization between work queue processing and memory deallocation in inode_switch_wbs_work_fn(). Vendor patches are available across stable kernel branches (6.18.25, 7.0.2, 7.1-rc1) with low EPSS score (0.02%) indicating minimal observed exploitation activity, though the CVSS 7.8 score reflects significant impact if successfully exploited by authenticated local users.
Out-of-bounds memory read in Linux kernel's Intel PMU (Performance Monitoring Unit) handling allows local authenticated attackers with low privileges to potentially access sensitive kernel memory, modify data, or cause system crashes. The flaw occurs when perf auto counter reload groups contain software events, triggering an unsafe container_of operation that can dereference memory outside valid bounds. EPSS exploitation probability is very low (0.02%, 4th percentile), and no public exploit or active exploitation has been identified at time of analysis. Patches available for kernel versions 6.18.22, 6.19.12, and 7.0.
Use-after-free in Linux kernel GPIB subsystem allows local authenticated attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability occurs in IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers when concurrent IBCLOSEDEV calls free descriptors still in use by I/O operations. EPSS probability is very low (0.02%, 4th percentile), indicating minimal observed exploitation activity. Vendor patches available for stable branches 6.18.22, 6.19.12, and mainline 7.0 via commits cae26eff, 28c75dd1, and d1857f82.