OS command injection in Totolink A8000RU firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands via the 'proto' parameter in /cgi-bin/cstecgi.cgi CGI handler. A public proof-of-concept exploit exists on GitHub, significantly lowering the barrier for exploitation. CVSS 8.9 with network vector, low complexity, and no authentication requirements makes this immediately exploitable against internet-facing devices running the vulnerable firmware version.
Stack-based buffer overflow in Totolink NR1800X router firmware 9.1.0u.6279_B20210910 allows remote unauthenticated attackers to execute arbitrary code or crash the device by sending malicious HTTP Host headers to the lighttpd web server. The vulnerability has publicly available exploit code (CVSS E:P) but is not currently listed in CISA KEV. EPSS data unavailable, but the combination of remote unauthenticated attack vector (AV:N/PR:N), low complexity (AC:L), and confirmed POC suggests elevated real-world risk for internet-facing devices running this specific firmware version.
Buffer overflow in Open Vehicle Monitoring System 3 (OVMS3) version 3.3.005 enables remote code execution when processing malicious PCAP files. The canformat_pcap.cpp parser fails to validate the phdr.len field, allowing attackers to overflow stack buffers and execute arbitrary code with high confidentiality, integrity, and availability impact. Public proof-of-concept code exists (GitHub Gist), though no active exploitation is confirmed by CISA KEV. SSVC assessment indicates automatable exploitation despite requiring user interaction to open crafted PCAP files.
Malicious code injection in Bitwarden CLI 2026.4.0 distributed via npm for 90 minutes on April 22, 2026, enables remote command execution without authentication. The compromise was part of a broader Checkmarx supply chain attack targeting the npm registry. Users who installed this specific version during the 21:57Z-23:30Z window received a backdoored package capable of executing arbitrary OS commands. EPSS data not available for this recent CVE, but the supply chain vector and brief exposure window suggest targeted rather than mass exploitation.
Incorrect authentication labeling in Linux kernel's Bluetooth SMP legacy pairing allows adjacent attackers to bypass security controls and gain high-level access without proper authentication. The flaw affects the Short Term Key (STK) derivation in Just Works/Confirm pairing modes, where keys are incorrectly marked as authenticated even when Man-in-the-Middle (MITM) protection was not established. With CVSS 8.8 (AV:A/AC:L/PR:N/UI:N), this enables adjacent network attackers to exploit Bluetooth pairing flows without authentication. EPSS score of 0.05% suggests low widespread exploitation likelihood. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Use-after-free in Linux Kernel Bluetooth stack allows adjacent network attackers to execute arbitrary code, escalate privileges, or cause denial of service without authentication. The vulnerability exists in hci_le_remote_conn_param_req_evt where hci_conn lookup and field access occurs outside the hdev lock protection, enabling concurrent memory corruption. Patches are available across multiple stable kernel branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0). EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.
Cross-Site Request Forgery in WP Editor plugin through version 1.2.9.2 enables remote attackers to inject arbitrary PHP code into plugin and theme files. The vulnerability requires administrator interaction (clicking a malicious link) but no authentication for the attacker, allowing complete website compromise through file overwrite. EPSS data not available; no confirmed active exploitation at time of analysis. Patch available in changeset 3480577.
Remote unauthenticated attackers can trigger out-of-bounds memory access in the Linux kernel SMB client's DACL parsing code by sending a malicious SMB response with a truncated DACL structure. The vulnerability exists in build_sec_desc() and id_mode_to_cifs_acl() functions which insufficiently validate server-supplied ACL data before rewriting it during chmod/chown operations, allowing ACE traversal beyond validated memory bounds. CVSS 8.8 indicates high severity with network vector requiring user interaction. EPSS score of 0.02% (5th percentile) suggests low observed exploitation probability in the wild, and no active exploitation is confirmed (not in CISA KEV). Vendor patch available targeting Linux kernel 7.0.2 and 7.1-rc1.
Buffer overflow in Linux kernel's ksmbd SMB server allows authenticated remote attackers to trigger ~8 MB heap allocation from manipulated NTACL xattr values, potentially leading to memory exhaustion, information disclosure via uninitialized heap memory, or code execution. Exploitation requires low-privilege SMB authentication plus ability to corrupt backing filesystem metadata (offline xattr tampering or race condition). EPSS score of 0.02% indicates minimal observed exploitation activity. Vendor patches available across multiple stable kernel branches (6.12.84, 6.18.25, 7.0.2, 7.1-rc1).
Missing CRYPTO_ALG_ASYNC flag in Linux kernel's Tegra crypto driver causes the crypto API to incorrectly select asynchronous algorithms for synchronous-only requests, resulting in system crashes. This affects Tegra-based Linux systems (typically NVIDIA Jetson devices) running kernel versions 6.10 through early 7.0 development branches. Vendor patches are available across stable branches (6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation probability, and no active exploitation or public POC has been identified. The CVSS vector (AV:N/AC:L/PR:L/UI:N) suggests network-based exploitation requiring authenticated access, though this conflicts with the technical nature of a local driver configuration bug.
Linux kernel IOMMU page table unmapping operations fail to invalidate extended memory regions when unmapping lands mid-entry in large/contiguous mappings, causing stale TLB entries. Affects kernel 6.19 through pre-7.0 versions with IOMMU subsystem enabled. Local authenticated attackers with low privileges can potentially access unmapped memory or escalate privileges by exploiting incomplete invalidations during IOMMU unmap operations. EPSS score of 0.02% (5th percentile) suggests minimal real-world exploitation likelihood. No public exploit identified at time of analysis, though vendor acknowledges theoretical risk is low as 'nothing relies on unmapping a large entry.' Vendor-released patches available for stable branches.
Authentication bypass in Linux kernel's ksmbd SMB server allows any authenticated SMB user to hijack orphaned durable file handles by predicting persistent IDs, enabling unauthorized file access with the original owner's privileges. The flaw violates MS-SMB2 requirements for SecurityContext validation during durable handle reconnection. Vendor patches are available across multiple stable kernel branches (6.18.25, 7.0.2, 7.1-rc1). EPSS exploitation probability is low at 0.02% (4th percentile), and no active exploitation or public POC has been identified. CVSS 8.8 reflects high impact but requires low-privilege authentication.
Adjacent network attackers can achieve high-severity code execution, information disclosure, or denial of service in the Linux kernel HID (Human Interface Device) subsystem by exploiting a bounds-checking flaw in hid_report_raw_event(). A bogus memset() operation intended to zero unused buffer space instead creates out-of-bounds read/write conditions when processing malformed HID input reports from adjacent devices (USB, Bluetooth). Vendor patches available for stable branches 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% suggests minimal observed exploitation, but the unauthenticated adjacent-network attack vector with low complexity makes this exploitable in environments with untrusted HID peripherals.
Stack buffer overflow in miaofng/uds-c library allows adjacent network attackers to execute arbitrary code via crafted diagnostic payload. The send_diagnostic_request function allocates only 6 bytes for MAX_DIAGNOSTIC_PAYLOAD_SIZE but accepts up to 7 bytes of payload (MAX_UDS_REQUEST_PAYLOAD_LENGTH), enabling 4-byte overflow when combined with pid_length=2. Affects commit e506334e270d77b20c0bc259ac6c7d8c9b702b7a from October 2016 and likely later versions unless patched. No CISA KEV listing or EPSS data indicates exploitation remains theoretical; vulnerability appears in automotive diagnostic library with limited deployment exposure.
Memory exhaustion in Bandit WebSocket server (versions 0.5.0 through 1.10.x) allows unauthenticated remote attackers to trigger denial of service by sending unbounded WebSocket continuation frames without setting the fin flag. The fragment reassembly logic accumulates payloads without checking cumulative message size, bypassing the max_frame_size limit which only applies to individual frames. Applications using Phoenix Channels or LiveView over Bandit expose this attack surface on any WebSocket endpoint. Patch available in version 1.11.0 introduces max_fragmented_message_size parameter (default 8MB). No public exploit code identified at time of analysis, but trivial to reproduce with standard WebSocket libraries.
Remote code execution in Open Vehicle Monitoring System 3 (OVMS3) version 3.3.005 allows unauthenticated network attackers to execute arbitrary code or crash the system by sending malformed CANswitch frames with invalid DLC (Data Length Code) values. The buffer overflow occurs in the canformat_canswitch.cpp parser module which fails to validate frame length parameters before processing, enabling memory corruption. A proof-of-concept exploit is publicly available on GitHub, and SSVC assessment indicates the vulnerability is automatable with partial technical impact, though no active exploitation has been confirmed by CISA KEV at time of analysis.
Arbitrary code execution in MixPHP Framework 2.x through 2.2.17 allows local attackers to execute malicious PHP closures via unauthenticated TCP connections to the sync-invoke server. The vulnerability stems from unsafe deserialization of untrusted data on localhost-bound port 127.0.0.1, where Server.php directly passes socket data to Opis\Closure\unserialize() and executes the result without authentication or signature verification. Exploitation requires local network access or SSRF capability against the application server. No public exploit code identified at time of analysis, but the attack mechanism is straightforward for attackers with PHP deserialization knowledge.
Unsafe deserialization in Zurich Instruments LabOne Q enables arbitrary code execution when users load malicious experiment files. The import_cls mechanism accepts unvalidated class names from serialized data, allowing attackers to instantiate arbitrary Python classes with controlled constructor arguments. Exploitation requires user interaction to open a crafted file, making this a credible vector for supply chain attacks via shared experiment configurations or support tickets. CVSS 8.4 reflects local attack vector with user interaction requirement. No confirmed active exploitation or public POC at time of analysis.
Stack overflow in Flipper Zero Firmware (commit ad2a80) enables local arbitrary code execution with high privileges through exploitation of the Main function. SSVC framework confirms POC availability and total technical impact. CVSS 8.4 reflects local attack vector with no authentication barrier. No vendor-released patch identified at time of analysis, though GitHub issue tracking indicates developer awareness.
Integer overflow in OpenAMP v2025.10.0 ELF loader enables local attackers to corrupt memory during firmware image parsing on 32-bit embedded systems (STM32MP1, Zynq, i.MX). The vulnerability triggers when elf_loader.c multiplies two attacker-controlled 16-bit values from ELF headers without bounds checking, causing integer wraparound that bypasses allocation size limits. EPSS data not available; no CISA KEV listing confirms exploitation remains theoretical. GitHub references suggest proof-of-concept analysis exists (sgInnora gist), indicating technical feasibility for local privilege escalation or code execution in embedded/IoT firmware update scenarios.
Out-of-bounds read in Linux kernel ksmbd allows authenticated SMB clients to trigger memory corruption by crafting malicious DACL ACEs with undersized headers. Attackers with permission to set ACLs on files can cause kernel KASAN reports and state corruption when subsequent CREATE operations walk the stored DACL via smb_check_perm_dacl(). Vendor patches available for kernel versions 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1. EPSS score of 0.02% (5th percentile) indicates low likelihood of mass exploitation despite network attack vector, consistent with the requirement for authenticated access and specific file permission prerequisites.
Memory exhaustion in Bandit WebSocket server (versions 0.5.9 through 1.10.x) allows unauthenticated remote attackers to crash BEAM nodes via compression bombs when permessage-deflate is enabled. The inflate/2 function decompresses WebSocket frames without output-size limits, enabling attackers to send tiny compressed payloads (~1024:1 ratio) that expand to gigabyte-scale heap allocations. Vendor-released patch available (version 1.11.0). EPSS data not available; no public exploit identified at time of analysis. Exploitation requires non-default configuration (both server-level compress and per-upgrade compress: true options enabled), making stock Phoenix/LiveView applications unaffected.
Client-side remote code execution affects MixPHP Framework 2.x through 2.2.17 when sync-invoke clients connect to attacker-controlled servers. The vulnerability enables malicious servers to execute arbitrary code on connecting clients through unsafe deserialization of server responses (CWE-502). EPSS data unavailable, but SSVC indicates no confirmed exploitation and non-automatable attack complexity aligns with CVSS AC:H rating. Primary risk exists in scenarios where MixPHP clients connect to untrusted external services or where server infrastructure could be compromised.
An out-of-bounds read vulnerability in the Linux kernel's Wacom HID driver (wacom_intuos_bt_irq function) allows adjacent network attackers to cause information disclosure or denial of service through maliciously crafted short Bluetooth HID reports. The vulnerability affects the Bluetooth interface of Wacom Intuos tablets, where report types 0x03 and 0x04 are processed without validating minimum lengths (22 and 32 bytes respectively), enabling memory reads beyond buffer boundaries. Patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) with no active exploitation confirmed (EPSS 0.02%, not in CISA KEV).
Out-of-bounds read in Linux kernel iwlwifi driver allows adjacent network attackers to disclose sensitive kernel memory or trigger denial of service without authentication. The vulnerability affects the iwlwifi wireless driver's network detection match handler function, where insufficient packet length validation enables memcpy to read beyond allocated buffer boundaries. EPSS probability is low (0.02%, 7th percentile) and no active exploitation confirmed (not in CISA KEV). Vendor patches available across multiple kernel stable branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Out-of-bounds memory read in Linux kernel Bluetooth HCI event processing allows adjacent network attackers to disclose kernel memory or trigger denial of service without authentication. The vulnerability stems from premature wake reason storage before per-event payload length validation, enabling crafted short HCI event frames to reach bacpy() operations before bounds checking. EPSS score is low (0.02%, 6th percentile) with no evidence of active exploitation or public POC at time of analysis. Vendor patches available for kernel versions 5.10+ through 6.19.12 and mainline 7.0.
A malicious SMB server can trigger out-of-bounds heap memory disclosure in Linux kernel SMB client (CIFS) through crafted QUERY_INFO responses. Vulnerable Linux kernel versions 5.1 through 6.12.84 do not validate server-reported OutputBufferLength against actual response size before copying data to userspace, allowing a rogue SMB server to expose adjacent kernel heap contents. Patches available across stable kernel branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1). EPSS score of 0.02% indicates low exploitation probability; no active exploitation confirmed. Attack requires user interaction to mount malicious SMB share.
Integer underflow in Open-SAE-J1939 Transport Protocol handler allows adjacent network attackers to corrupt memory via crafted CAN frames. Attackers sending J1939 Transport Protocol Data Transfer frames with sequence number 0 trigger underflow to 255, writing 6 bytes beyond a 1785-byte buffer boundary. No authentication required and exploitable over CAN/automotive networks. EPSS data unavailable; no KEV listing or public POC identified at time of analysis, but technical details publicly disclosed in GitHub gist enable proof-of-concept development.
Use-after-free in Imagination Graphics DDK GPU GLES user-space library allows authenticated remote attackers to crash the GPU render process via crafted WebGPU content. CVSS 8.1 (High) with network vector and low complexity. On platforms where the GPU process runs with elevated system privileges, successful exploitation could enable system-level compromise beyond the initial crash. EPSS and KEV data not provided; SSVC framework indicates no confirmed exploitation, non-automatable attack, but total technical impact. Vendor patches available across affected DDK versions 1.18, 23.2, 24.1-24.2, and 25.1-25.3.
Remote authenticated attackers can execute code or cause persistent denial-of-service in Imagination Technologies Graphics DDK by triggering a use-after-free in the GPU GLES render process via specially crafted WebGPU content. On platforms where the GPU driver runs with elevated system privileges, successful exploitation enables device-level compromise beyond the browser sandbox. EPSS data not available, no CISA KEV listing identified, no public POC confirmed. SSVC framework indicates no active exploitation and non-automatable attack requiring authenticated interaction.
Cross-project privilege escalation in OpenStack Keystone (releases 13 through 29) lets a holder of an unrestricted application credential for one project mint an EC2-type credential targeting a different project, because POST /v3/credentials never validates that the caller-supplied project_id matches the authenticating app credential's project. Exchanging that EC2 credential at /v3/ec2tokens then yields a Keystone token scoped to the second project while retaining the original app_cred_id, enabling lateral movement across tenants. There is no public exploit identified at time of analysis and EPSS is very low (0.01%), but the authorization flaw (CWE-863) is confirmed and patched by upstream and distributors.
A heap buffer overflow in the Linux kernel's wilc1000 WiFi driver allows local authenticated users to trigger memory corruption via crafted SSID scan requests. The driver miscalculates buffer size due to u8 integer overflow (330 bytes wrapping to 74), causing kmalloc to allocate 75 bytes while memcpy writes up to 331 bytes - a 256-byte overflow. Patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.03% (9th percentile) suggests low likelihood of widespread exploitation, and CISA KEV does not list this CVE, indicating no confirmed active exploitation at time of analysis.
Use-after-free in Linux kernel virt_wifi driver allows local authenticated users to trigger memory corruption during ethtool operations on virtual WiFi devices being unregistered. The vulnerability stems from improper device parent reference handling via SET_NETDEV_DEV, where ethnl_ops_begin() calls pm_runtime_get_sync() on already-freed memory when a virt_wifi device unregisters concurrently with ethtool operations. Patches are available across multiple stable kernel branches (5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploit identified at time of analysis, though CVSS 7.8 reflects potential for complete system compromise if successfully triggered.
Out-of-bounds memory writes in Linux kernel HID multitouch driver allow local authenticated users to achieve code execution or crash systems via malicious USB/HID devices. The vulnerability exists in the HID multitouch report parsing logic where mismatched report IDs in feature requests can confuse the HID core. Vendor-released patches are available across multiple kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score is low (0.02%, 7th percentile), indicating minimal observed exploitation attempts. No public exploit code identified at time of analysis.
Memory corruption in Linux kernel's crypto authencesn subsystem allows local authenticated attackers to disclose sensitive kernel memory, modify data integrity, or cause denial of service through improper handling of sequence bits during out-of-place decryption operations. The vulnerability affects Linux kernel versions from 4.3 through multiple stable branches (5.10.x, 5.15.x, 6.1.x, 6.6.x, 6.12.x, 6.18.x, 6.19.x) with patches available across all affected branches. EPSS exploitation probability is low (0.02%, 7th percentile) and no active exploitation or public POC has been identified.
A logic error in the Linux kernel's BPF verifier regsafe() function allows local attackers with low privileges to exploit improper state exploration for packet pointer ranges, potentially leading to high confidentiality, integrity, and availability impacts. The vulnerability affects multiple stable kernel branches from 5.10 through 6.19, with vendor patches available across all affected versions. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.
Use-after-free in Linux kernel netfilter subsystem allows local authenticated attackers to corrupt memory and potentially execute arbitrary code with kernel privileges. The vulnerability occurs when unregistering connection tracking helpers - expectations referencing the helper survive cleanup and later dereference the freed helper object during expectation dumps or new connection establishment. Vendor-released patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% indicates low observed exploitation probability; no active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.
Race condition in the Linux kernel's Bluetooth SCO socket implementation allows local authenticated users to trigger use-after-free and memory corruption via concurrent connect() syscalls on the same socket. The vulnerability affects the sco_sock_connect() function which fails to properly serialize state checks, enabling two threads to simultaneously progress through connection setup on a socket already marked for cleanup, leading to double-free conditions and connection object leaks. Vendor-released patches are available for kernel versions 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% indicates very low observed exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis.
Stack buffer overflow in Linux kernel Bluetooth MGMT subsystem allows local authenticated attackers to execute arbitrary code with elevated privileges. The vulnerability stems from insufficient validation of the encryption key size (enc_size) parameter when loading Long Term Keys (LTKs) via the Bluetooth management interface. When processing LE LTK requests, the kernel uses the attacker-controlled enc_size value to perform stack operations against a fixed 16-byte buffer, enabling stack corruption through oversized values. Vendor-released patches are available across all active kernel branches. EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploit has been identified at time of analysis, though the attack complexity is low once local authenticated access is obtained.
Use-after-free in Linux kernel macb driver allows local authenticated attackers to cause denial of service or potentially escalate privileges during module removal. The vulnerability occurs in the PCI glue driver when platform_device_unregister() triggers a runtime resume callback that attempts to access already-freed clock structures. EPSS score is low (0.02%) with no evidence of active exploitation. Vendor patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0).
Improper Direct Memory Access (DMA) handling in the Linux kernel's ti-adc161s626 Industrial I/O (IIO) analog-to-digital converter driver allows local attackers with low privileges to trigger memory corruption or information disclosure. The vulnerability stems from using stack-allocated memory for SPI read operations instead of DMA-safe buffers, violating SPI subsystem requirements. Patches are available across multiple stable kernel versions (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0). EPSS score of 0.02% indicates very low exploitation probability, and no public exploits or active exploitation (not in CISA KEV) have been identified.
Race condition in the Linux kernel MPU3050 gyroscope driver allows local attackers with low privileges to potentially achieve code execution, data corruption, or information disclosure. The vulnerability stems from premature registration of the IIO device before complete initialization in the probe function, creating a window where userspace can interact with incompletely configured hardware. While CVSS rates this 7.8 HIGH with local attack vector, EPSS score of 0.02% (7th percentile) indicates extremely low probability of active exploitation. Patches available across all maintained kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code.
Double-free memory corruption in Linux kernel USB ULPI subsystem allows local authenticated attackers with low privileges to potentially achieve arbitrary code execution, denial of service, or information disclosure. The flaw exists in ulpi_register_interface() error handling since kernel 4.2 (commit 289fcff4b), where device_register() failure triggers cleanup via put_device() followed by redundant kfree(), corrupting kernel memory. Patches available across stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% suggests low likelihood of mass exploitation despite high CVSS 7.8, likely due to local attack vector and requirement for device registration failure conditions.
Use-after-free condition in Linux kernel USB Test and Measurement Class (USBTMC) driver allows local authenticated attackers to execute arbitrary code with elevated privileges. The vulnerability occurs when the usbtmc_release function fails to properly flush pending anchored URBs, leaving dangling references that can be exploited in the HCD giveback path. Vendor patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0). Despite the high CVSS score of 7.8, the EPSS exploitation probability is very low at 0.02% (7th percentile), indicating limited real-world targeting, and no active exploitation or public POC has been identified.
Buffer overflow in Linux kernel COMEDI me_daq driver allows local authenticated users to achieve arbitrary code execution with kernel privileges. The me2600_xilinx_download() function fails to validate firmware file length before reading data streams, enabling out-of-bounds memory access during firmware loading operations. Patches available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates low probability of widespread exploitation despite high CVSS 7.8 rating, and no active exploitation or public exploit code identified at time of analysis.
Out-of-bounds write in Linux kernel comedi me4000 driver firmware loader allows local authenticated users to achieve high-impact code execution, data corruption, or system crash. The me4000_xilinx_download() function blindly trusts firmware file format headers without validating buffer boundaries, reading a length field from the first 4 bytes and then reading that many bytes from offset 16 without checking total file size. Patch available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating. No public exploit code or active exploitation confirmed.
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_uac1_legacy: validate control request size f_audio_complete() copies req->length bytes into a 4-byte stack variable: u32 data = 0; memcpy(&data, req->buf, req->length); req->length is derived from the host-controlled USB request path, which can lead to a stack out-of-bounds write. Validate req->actual against the expected payload size for the supported control selectors and decode only the expected amount of data. This avoids copying a host-influenced length into a fixed-size stack object.
Buffer overflow in Linux kernel rxrpc subsystem allows local authenticated users to trigger memory corruption via malformed key payloads. The non-XDR parsing path in rxrpc_preparse() fails to validate ticket length against AFSTOKEN_RK_TIX_MAX, enabling unprivileged users to supply oversized tickets that cause WARN_ON() triggers and potential memory corruption when keys are read. Vendor patches available for kernel versions 6.6.136, 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1. EPSS score of 0.02% indicates low observed exploitation probability, with no public exploit identified at time of analysis.
Local privilege escalation in AGL app-framework-binder (afb-daemon) through v19.90.0 allows any low-privileged process to execute privileged supervision commands without authentication via an unprotected abstract Unix socket. Attackers can terminate the daemon (DoS), execute arbitrary API calls, close user sessions, or exfiltrate global configuration data. The vulnerability stems from commit b8c9d5de384 (2017-06-29) implementing 8 supervision commands with zero credential verification, acknowledged by developers as lacking DAC protection. EPSS data unavailable, not in CISA KEV, but technical details are publicly documented with proof-of-concept reference.
Integer underflow in Linux kernel NTFS3 driver during journal replay allows local attackers to trigger massive out-of-bounds memory copies into a 4KB buffer when processing corrupted filesystems. The check_file_record() function fails to validate rec->used field before using it in memmove() length calculations across DeleteAttribute, CreateAttribute, and change_attr_size handlers, enabling slab-out-of-bounds writes. No public exploit identified at time of analysis. EPSS score of 0.02% (5th percentile) indicates low exploitation probability. Vendor-released patches available across kernel versions 6.6.136, 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1.