Skip to main content
CVE-2026-31728 MEDIUM PATCH This Month

A race condition in the USB gadget ethernet driver (usb: gadget: u_ether) between gether_disconnect() and eth_stop() causes a NULL pointer dereference and system hardlockup on local systems with low privilege users. When eth_stop() is triggered concurrently during gether_disconnect(), it attempts to access a cleared endpoint descriptor, crashing while holding a spinlock that gether_disconnect() also needs, resulting in kernel panic and denial of service. CVSS 4.7 with low EPSS score (0.02%, percentile 7%) indicates limited real-world exploitation likelihood despite confirmed availability of vendor patches across multiple stable kernel branches.

Red Hat Suse Denial Of Service Race Condition Linux
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-43053 MEDIUM PATCH This Month

XFS filesystem crashes during log recovery when inodes with node-format extended attributes are inactivated following an untimely log shutdown, due to stale metadata block references in the attribute B-tree. Unprivileged local attackers with write access to XFS filesystems can trigger this denial-of-service condition by inducing log shutdown during extended attribute cleanup, causing the filesystem to unmount and require repair. The vulnerability affects Linux kernel versions prior to 6.19.12 and later stable branches.

Denial Of Service Linux Red Hat Suse
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-35233 MEDIUM NEWS This Month

DTrace kernel instrumentation tool on Linux is vulnerable to a denial-of-service and potential privilege escalation attack when processing malicious ELF binaries with out-of-range sh_link fields. An unprivileged attacker can craft an ELF binary that, when instrumented by a root-level dtrace process, triggers an out-of-bounds heap read in the ELF parser. This can crash the dtrace daemon (DoS) or, depending on heap layout, lead to reading and dereferencing garbage pointers controlled by the attacker, potentially enabling code execution in a privileged context. The vulnerability requires local access and a privileged dtrace instance to be actively instrumentation the malicious process, but carries significant risk given dtrace's typical deployment in system administration and security monitoring contexts.

Denial Of Service Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-3140 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in Ultimate Dashboard for WordPress up to version 3.8.14 allows unauthenticated attackers to toggle plugin modules on or off by tricking site administrators into clicking a malicious link. The vulnerability stems from flawed nonce validation in the 'handle_module_actions' function, enabling attackers to modify plugin configuration without user consent. No public exploit code or active exploitation has been identified at this time.

CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-23866 MEDIUM PATCH This Month

Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 through v2.26.15.72 and Android v2.25.8.0 through v2.26.7.10 allows authenticated attackers to trigger processing of media content from arbitrary URLs on a victim's device, potentially invoking OS-controlled custom URL scheme handlers to disclose limited information. No active exploitation has been observed in the wild, and CISA SSVC indicates no known exploitation path despite the network attack vector.

Google Information Disclosure Apple
NVD
CVSS 3.1
4.3
EPSS
0.0%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy