In the Linux kernel, the following vulnerability has been resolved: drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback After several commits, the slab memory increases. Some drm_crtc_commit objects are not freed. The atomic_destroy_state callback only put the framebuffer. Use the __drm_atomic_helper_plane_destroy_state() function to put all the objects that are no longer needed. It has been seen after hours of usage of a graphics application or using kmemleak: unreferenced object 0xc63a6580 (size 64): comm "egt_basic", pid 171, jiffies 4294940784 hex dump (first 32 bytes): 40 50 34 c5 01 00 00 00 ff ff ff ff 8c 65 3a c6 @P4..........e:. 8c 65 3a c6 ff ff ff ff 98 65 3a c6 98 65 3a c6 .e:......e:..e:. backtrace (crc c25aa925): kmemleak_alloc+0x34/0x3c __kmalloc_cache_noprof+0x150/0x1a4 drm_atomic_helper_setup_commit+0x1e8/0x7bc drm_atomic_helper_commit+0x3c/0x15c drm_atomic_commit+0xc0/0xf4 drm_atomic_helper_set_config+0x84/0xb8 drm_mode_setcrtc+0x32c/0x810 drm_ioctl+0x20c/0x488 sys_ioctl+0x14c/0xc20 ret_fast_syscall+0x0/0x54
In the Linux kernel, the following vulnerability has been resolved: hfsplus: pretend special inodes as regular files Since commit af153bb63a33 ("vfs: catch invalid modes in may_open()") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/ S_IFIFO/S_IFSOCK type, use S_IFREG for special inodes.
In the Linux kernel, the following vulnerability has been resolved: EFI/CPER: don't go past the ARM processor CPER record buffer There's a logic inside GHES/CPER to detect if the section_length is too small, but it doesn't detect if it is too big. Currently, if the firmware receives an ARM processor CPER record stating that a section length is big, kernel will blindly trust section_length, producing a very long dump. For instance, a 67 bytes record with ERR_INFO_NUM set 46198 and section length set to 854918320 would dump a lot of data going a way past the firmware memory-mapped area. Fix it by adding a logic to prevent it to go past the buffer if ERR_INFO_NUM is too big, making it report instead: [Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1 [Hardware Error]: event severity: recoverable [Hardware Error]: Error 0, type: recoverable [Hardware Error]: section_type: ARM processor error [Hardware Error]: MIDR: 0xff304b2f8476870a [Hardware Error]: section length: 854918320, CPER size: 67 [Hardware Error]: section length is too big [Hardware Error]: firmware-generated error record is incorrect [Hardware Error]: ERR_INFO_NUM is 46198 [ rjw: Subject and changelog tweaks ]
Denial of service in Linux kernel KVM x86 nested virtualization allows local privileged attackers to crash virtual machines by manipulating vCPU state through userspace MP_STATE and injected event stuffing. When a vCPU is awakened from a blocking state in L2 (nested guest mode) with an already-injected event, the kernel generates spurious KVM_EXIT_UNKNOWN exits that typically terminate the VM. The vulnerability stems from insufficient validation of impossible vCPU states that userspace can artificially create, despite architectural safeguards that should prevent injected events during blocking. CVSS 5.5 (local, low complexity, high availability impact); EPSS 0.02% indicates minimal widespread exploitation likelihood.
In the Linux kernel, the following vulnerability has been resolved: fbdev: of: display_timing: fix refcount leak in of_get_display_timings() of_parse_phandle() returns a device_node with refcount incremented, which is stored in 'entry' and then copied to 'native_mode'. When the error paths at lines 184 or 192 jump to 'entryfail', native_mode's refcount is not decremented, causing a refcount leak. Fix this by changing the goto target from 'entryfail' to 'timingfail', which properly calls of_node_put(native_mode) before cleanup.
In the Linux kernel, the following vulnerability has been resolved: gfs2: fiemap page fault fix In gfs2_fiemap(), we are calling iomap_fiemap() while holding the inode glock. This can lead to recursive glock taking if the fiemap buffer is memory mapped to the same inode and accessing it triggers a page fault. Fix by disabling page faults for iomap_fiemap() and faulting in the buffer by hand if necessary. Fixes xfstest generic/742.
In the Linux kernel, the following vulnerability has been resolved: arm64: Add support for TSV110 Spectre-BHB mitigation The TSV110 processor is vulnerable to the Spectre-BHB (Branch History Buffer) attack, which can be exploited to leak information through branch prediction side channels. This commit adds the MIDR of TSV110 to the list for software mitigation.
Denial of service in Linux kernel media cx88 driver allows local authenticated attackers to exhaust system resources by triggering a missing DMA unmapping in the snd_cx88_hw_params() error path. The vulnerability causes resource leaks when audio hardware parameter initialization fails, potentially rendering the audio subsystem unavailable. CVSS 5.5 reflects local attack vector with low complexity; EPSS 0.02% indicates minimal real-world exploitation probability despite vendor-released patches across multiple kernel versions.
A use-after-free condition in the libertas USB wireless driver allows local attackers with user privileges to cause a denial of service by triggering a kernel warning and potential crash through rapid firmware loading or repeated usb_tx_block() calls while a USB request is still active. The vulnerability stems from insufficient synchronization of USB URB submissions, enabling concurrent requests on the same URB without enforcing completion of prior transmissions.
In the Linux kernel, the following vulnerability has been resolved: HID: prodikeys: Check presence of pm->input_ep82 Fake USB devices can send their own report descriptors for which the input_mapping() hook does not get called. In this case, pm->input_ep82 stays NULL, which leads to a crash later. This does not happen with the real device, but can be provoked by imposing as one.
Memory leak in the tw9906 media driver's probe function allows local authenticated attackers to cause denial of service through memory exhaustion. The vulnerability occurs in tw9906_probe() when an error path fails to free memory allocated by v4l2_ctrl_handler_init() and v4l2_ctrl_new_std(), potentially leading to kernel memory depletion on repeated device probe attempts. Vendor-released patches are available across multiple stable kernel branches.
Memory leak in the Linux kernel's TI K3 SoC info driver (soc/ti/k3-socinfo) fails to release an allocated mmio regmap, causing denial of service through resource exhaustion on probe failures and driver unbind. Local attackers with low privileges can trigger probe deferral or driver unbind to exhaust kernel memory, affecting systems running vulnerable Linux kernel versions. The vulnerability has a low EPSS score (0.02%) but enables practical local DoS against systems where low-privilege users can control driver lifecycle.
Linux kernel x86 architecture fails to validate IMA measurement list memory bounds during kexec boot with restricted memory parameters, causing kernel panic when the carried-over IMA buffer falls outside truncated RAM. Authenticated local users with kexec privileges can trigger a denial of service. The fix adds a sanity check to validate the previous kernel's IMA kexec buffer against actual memory bounds before restoration, aligning x86 behavior with other architectures.
In the Linux kernel, the following vulnerability has been resolved: net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash() Commit 38a6f0865796 ("net: sched: support hash selecting tx queue") added SKBEDIT_F_TXQ_SKBHASH support. The inclusive range size is computed as: mapping_mod = queue_mapping_max - queue_mapping + 1; The range size can be 65536 when the requested range covers all possible u16 queue IDs (e.g. queue_mapping=0 and queue_mapping_max=U16_MAX). That value cannot be represented in a u16 and previously wrapped to 0, so tcf_skbedit_hash() could trigger a divide-by-zero: queue_mapping += skb_get_hash(skb) % params->mapping_mod; Compute mapping_mod in a wider type and reject ranges larger than U16_MAX to prevent params->mapping_mod from becoming 0 and avoid the crash.
In the Linux kernel, the following vulnerability has been resolved: media: radio-keene: fix memory leak in error path Fix a memory leak in usb_keene_probe(). The v4l2 control handler is initialized and controls are added, but if v4l2_device_register() or video_register_device() fails afterward, the handler was never freed, leaking memory. Add v4l2_ctrl_handler_free() call in the err_v4l2 error path to ensure the control handler is properly freed for all error paths after it is initialized.
In the Linux kernel, the following vulnerability has been resolved: clocksource/drivers/sh_tmu: Always leave device running after probe The TMU device can be used as both a clocksource and a clockevent provider. The driver tries to be smart and power itself on and off, as well as enabling and disabling its clock when it's not in operation. This behavior is slightly altered if the TMU is used as an early platform device in which case the device is left powered on after probe, but the clock is still enabled and disabled at runtime. This has worked for a long time, but recent improvements in PREEMPT_RT and PROVE_LOCKING have highlighted an issue. As the TMU registers itself as a clockevent provider, clockevents_register_device(), it needs to use raw spinlocks internally as this is the context of which the clockevent framework interacts with the TMU driver. However in the context of holding a raw spinlock the TMU driver can't really manage its power state or clock with calls to pm_runtime_*() and clk_*() as these calls end up in other platform drivers using regular spinlocks to control power and clocks. This mix of spinlock contexts trips a lockdep warning. ============================= [ BUG: Invalid wait context ] 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 Not tainted ----------------------------- swapper/0/0 is trying to lock: ffff000008c9e180 (&dev->power.lock){-...}-{3:3}, at: __pm_runtime_resume+0x38/0x88 other info that might help us debug this: context-{5:5} 1 lock held by swapper/0/0: ccree e6601000.crypto: ARM CryptoCell 630P Driver: HW version 0xAF400001/0xDCC63000, Driver version 5.0 #0: ffff8000817ec298 ccree e6601000.crypto: ARM ccree device initialized (tick_broadcast_lock){-...}-{2:2}, at: __tick_broadcast_oneshot_control+0xa4/0x3a8 stack backtrace: CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 PREEMPT Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT) Call trace: show_stack+0x14/0x1c (C) dump_stack_lvl+0x6c/0x90 dump_stack+0x14/0x1c __lock_acquire+0x904/0x1584 lock_acquire+0x220/0x34c _raw_spin_lock_irqsave+0x58/0x80 __pm_runtime_resume+0x38/0x88 sh_tmu_clock_event_set_oneshot+0x84/0xd4 clockevents_switch_state+0xfc/0x13c tick_broadcast_set_event+0x30/0xa4 __tick_broadcast_oneshot_control+0x1e0/0x3a8 tick_broadcast_oneshot_control+0x30/0x40 cpuidle_enter_state+0x40c/0x680 cpuidle_enter+0x30/0x40 do_idle+0x1f4/0x280 cpu_startup_entry+0x34/0x40 kernel_init+0x0/0x130 do_one_initcall+0x0/0x230 __primary_switched+0x88/0x90 For non-PREEMPT_RT builds this is not really an issue, but for PREEMPT_RT builds where normal spinlocks can sleep this might be an issue. Be cautious and always leave the power and clock running after probe.
In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix memory leak on failure path cfg80211_inform_bss_frame() may return NULL on failure. In that case, the allocated buffer 'buf' is not freed and the function returns early, leading to potential memory leak. Fix this by ensuring that 'buf' is freed on both success and failure paths.
In the Linux kernel, the following vulnerability has been resolved: media: pvrusb2: fix URB leak in pvr2_send_request_ex When pvr2_send_request_ex() submits a write URB successfully but fails to submit the read URB (e.g. returns -ENOMEM), it returns immediately without waiting for the write URB to complete. Since the driver reuses the same URB structure, a subsequent call to pvr2_send_request_ex() attempts to submit the still-active write URB, triggering a 'URB submitted while active' warning in usb_submit_urb(). Fix this by ensuring the write URB is unlinked and waited upon if the read URB submission fails.
In the Linux kernel, the following vulnerability has been resolved: ipmi: ipmb: initialise event handler read bytes IPMB doesn't use i2c reads, but the handler needs to set a value. Otherwise an i2c read will return an uninitialised value from the bus driver.
Memory leak in Linux kernel tw9903 media driver probe function allows local authenticated attackers to cause denial of service through repeated device initialization failures. The v4l2_ctrl_handler_init() and v4l2_ctrl_new_std() allocations are not freed in one error path of tw9903_probe(), enabling exhaustion of kernel memory. CVSS 5.5 (local, low complexity, requires low privileges). EPSS score of 0.02% indicates minimal exploitation probability.
Denial of service in Linux kernel minix filesystem implementation allows local authenticated users to crash the system via crafted minix superblock structures due to missing validation of s_log_zone_size and other superblock fields in the minix_check_superblock() function.
Memory leak in Linux kernel fbdev vt8500lcdfb driver allows local authenticated users to cause denial of service via unfreed DMA-allocated buffer on error path. The vulnerability exists in the framebuffer initialization code where dma_alloc_coherent() allocation for fbi->fb.screen_buffer is not properly freed if an error occurs during probe, leading to memory exhaustion on repeated device initialization attempts. Local privilege required; no remote or unauthenticated attack vector.
Denial of service in Linux kernel PCI endpoint configfs interface allows local attackers with low privileges to crash the kernel via swapped parameters in pci_primary_epc_epf_unlink() and pci_secondary_epc_epf_unlink() functions. When executing the unlink command in configfs, incorrect parameter ordering causes invalid memory access and kernel panic. CVSS 5.5 (local, low complexity, low privilege) with EPSS 0.02% suggests limited real-world exploitation despite confirmed availability of patches across multiple kernel branches.
In the Linux kernel, the following vulnerability has been resolved: media: cx25821: Fix a resource leak in cx25821_dev_setup() Add release_mem_region() if ioremap() fails to release the memory region obtained by cx25821_get_resources().
In the Linux kernel, the following vulnerability has been resolved: media: ccs: Avoid possible division by zero Calculating maximum M for scaler configuration involves dividing by MIN_X_OUTPUT_SIZE limit register's value. Albeit the value is presumably non-zero, the driver was missing the check it in fact was. Fix this.
In the Linux kernel, the following vulnerability has been resolved: net: ethernet: xscale: Check for PTP support properly In ixp4xx_get_ts_info() ixp46x_ptp_find() is called unconditionally despite this feature only existing on ixp46x, leading to the following splat from tcpdump: root@OpenWrt:~# tcpdump -vv -X -i eth0 (...) Unable to handle kernel NULL pointer dereference at virtual address 00000238 when read (...) Call trace: ptp_clock_index from ixp46x_ptp_find+0x1c/0x38 ixp46x_ptp_find from ixp4xx_get_ts_info+0x4c/0x64 ixp4xx_get_ts_info from __ethtool_get_ts_info+0x90/0x108 __ethtool_get_ts_info from __dev_ethtool+0xa00/0x2648 __dev_ethtool from dev_ethtool+0x160/0x234 dev_ethtool from dev_ioctl+0x2cc/0x460 dev_ioctl from sock_ioctl+0x1ec/0x524 sock_ioctl from sys_ioctl+0x51c/0xa94 sys_ioctl from ret_fast_syscall+0x0/0x44 (...) Segmentation fault Check for ixp46x in ixp46x_ptp_find() before trying to set up PTP to avoid this. To avoid altering the returned error code from ixp4xx_hwtstamp_set() which before this patch was -EOPNOTSUPP, we return -EOPNOTSUPP from ixp4xx_hwtstamp_set() if ixp46x_ptp_find() fails no matter the error code. The helper function ixp46x_ptp_find() helper returns -ENODEV.
Integer underflow in the Linux kernel's EFI/CPER firmware error logging function (cper_print_fw_err) allows local authenticated attackers to trigger denial of service via memory dump of unmapped regions, disclose kernel memory contents, or cause system crash when processing malformed EFI firmware error records with invalid offsets. The vulnerability stems from insufficient validation of error record length before subtracting an offset, causing integer wraparound that permits dumping of arbitrary kernel memory regions.
Denial of service via incomplete xattr cleanup in the Linux kernel OCFS2 filesystem causes memory corruption when processing reflinked files with extended attributes. A local user with standard privileges can trigger this vulnerability through crafted xattr operations, resulting in system crashes or data integrity issues. The flaw affects Linux kernel versions from 2.6.32 through multiple recent releases (5.10, 5.15, 6.1, 6.6, 6.12, 6.18, 6.19), with vendor-released patches available for supported stable branches.
Memory leak in the Linux kernel's tegra-video media driver causes local denial-of-service on NVIDIA Tegra-based systems. The `__tegra_channel_try_format()` function fails to free a V4L2 subdev state object on two error paths after `v4l2_subdev_call()` fails, leaking kernel memory on each invocation. A local authenticated attacker with access to a Tegra video capture device can repeatedly trigger the error paths to exhaust kernel memory, degrading or crashing the system. No public exploit exists and EPSS is 0.02% (7th percentile), consistent with a niche, hardware-specific availability issue.
Null pointer dereference in the Linux kernel's rtl8723bs staging Wi-Fi driver allows a locally authenticated user to crash the kernel, resulting in a denial of service. The `pwlan` variable in `find_network()` is not validated for NULL before being passed to `rtw_free_network_nolock()`, which then dereferences it unconditionally. The flaw has been present since Linux 4.12 and is patched across all active stable branches; no public exploit exists and EPSS sits at 0.02%, confirming negligible exploitation activity.
Memory leak in the Linux kernel's octeontx2-af CGX driver causes kernel resource exhaustion on systems using Marvell OcteonTX2 network hardware. The rx_fc_pfvf_bmap and tx_fc_pfvf_bmap bitmaps allocated during cgx_lmac_init() are never freed in cgx_lmac_exit(), meaning each unbind/rebind cycle of the driver leaks 16 bytes of kernel memory, detectable via kmemleak. No public exploit is identified at time of analysis, and with an EPSS of 0.02% (7th percentile), real-world exploitation risk is negligible; this is a correctness and stability issue rather than an active security threat.
Denial-of-service in the Linux kernel's pegasus USB-to-Ethernet driver allows a local attacker to crash the kernel by connecting a crafted USB device with mismatched endpoint transfer types. The driver's probe function fills URBs using hardcoded endpoint pipes (bulk RX on ep1, bulk TX on ep2, interrupt on ep3) without first verifying the endpoint descriptors presented by the attached device, leaving it susceptible to assertion failure when types do not match expectations. No active exploitation has been confirmed (not in CISA KEV), and the EPSS score of 0.02% reflects the niche local-access-only attack surface; patches have been released across all major stable kernel branches.
NULL pointer dereference in the Linux kernel's hid-pl driver (Pantherlord/GreenAsia USB game controllers) allows a local low-privileged user to crash the kernel by triggering force feedback on an improperly initialized device. The root cause is unhandled probe errors during driver initialization that leave NULL pointers in place of valid data structures, which are later dereferenced when force feedback is first invoked. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.02% at the 7th percentile reflects negligible real-world exploitation probability.
Incorrect DMA buffer cleanup in the Linux kernel's fsl_ucc_hdlc WAN driver (used on Freescale/NXP QorIQ embedded platforms) causes a double-free of coherent DMA memory, resulting in a kernel panic and system crash. The driver allocates rx_buffer and tx_buffer as a single contiguous DMA region in uhdlc_init() but mistakenly calls dma_free_coherent() twice - once per buffer pointer - in uhdlc_memclean(), corrupting the DMA allocator state. Any authenticated local user or kernel path that triggers interface teardown on affected hardware can cause a complete availability loss. No public exploit identified at time of analysis, and EPSS at 0.02% (7th percentile) reflects near-zero opportunistic exploitation probability given the narrow hardware scope.
NULL pointer dereference in the Linux kernel's powerpc/smp subsystem allows a local authenticated user to crash the kernel, causing a denial of service on PowerPC-based systems. The `parse_thread_groups()` function passes the return value of `kcalloc()` directly to `of_property_read_u32_array()` without validating it for NULL, meaning a failed memory allocation - possible under memory pressure - leads to a kernel panic or oops. No public exploit code exists and this vulnerability is not in CISA KEV; with an EPSS of 0.02% (7th percentile) and architecture-specific scope limited to PowerPC, real-world exploitation risk is low but relevant to IBM POWER server deployments running Red Hat or SUSE Linux.
Deadlock in the Linux Kernel PCI/IOV SR-IOV subsystem allows a local low-privileged user to trigger a kernel hang via a recursive mutex acquisition, resulting in a complete denial of service on the affected host. The root cause is commit 05703271c3cd, which added pci_rescan_remove_lock around SR-IOV enable/disable operations without accounting for the re-entrant path where sriov_del_vfs() is invoked from within pci_stop_and_remove_bus_device_locked(), which already holds the same lock. No public exploit has been identified at time of analysis, and EPSS probability is negligible at 0.02%, consistent with the local-only attack vector.
Kernel crash in the Linux remoteproc imx_rproc subsystem (NXP i.MX platform) allows a local authenticated attacker to trigger a denial of service by loading firmware that lacks a resource table. The root cause is imx_rproc_elf_find_loaded_rsc_table() returning a stale non-NULL priv->rsc_table pointer even when rproc->table_ptr is NULL, causing the remoteproc core to dereference what it incorrectly treats as a valid loaded resource table. No public exploit has been identified at time of analysis, and EPSS at 0.02% (7th percentile) reflects the narrow hardware-specific attack surface.
Missing mutex locking around the `mfd_of_node_list` linked list in the Linux kernel's Multi-Function Device (MFD) core subsystem allows a local low-privileged attacker to trigger a race condition, resulting in a kernel crash and denial of service. The vulnerability spans multiple stable kernel branches from the introducing commit 466a62d7642f through patched releases in 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. No public exploit exists and the EPSS score of 0.02% (7th percentile) reflects negligible community exploitation interest; this is not listed in CISA KEV.
NULL pointer dereference in the Linux kernel's HID magicmouse driver allows a local attacker with low privileges to crash the kernel by connecting a crafted USB device that impersonates an Apple Magic Mouse. When a fake USB device provides a custom report descriptor, the input_mapping() hook is never called, leaving msc->input as NULL; subsequent access in input_configured() causes a kernel panic and complete availability loss. No public exploit exists and EPSS is negligible at 0.02% (7th percentile), but the impact is a full system denial of service when exploitation conditions are met.
In the Linux kernel, the following vulnerability has been resolved: HID: logitech-hidpp: Check maxfield in hidpp_get_report_length() Do not crash when a report has no fields. Fake USB gadgets can send their own HID report descriptors and can define report structures without valid fields. This can be used to crash the kernel over USB.
In the Linux kernel, the following vulnerability has been resolved: media: cx23885: Add missing unmap in snd_cx23885_hw_params() In error path, add cx23885_alsa_dma_unmap() to release the resource acquired by cx23885_alsa_dma_map().
Denial of service in Linux kernel dm-verity subsystem allows local authenticated users to crash the system by triggering dm_bufio_client_create() failure in verity_fec_ctr(), which incorrectly passes an error pointer to dm_bufio_client_destroy(). The vulnerability requires local access and authenticated privileges but no user interaction, affecting dm-verity configurations with forward error correction enabled.
Hard-lockup in Linux kernel IOMMU/VT-d subsystem when flushing device IOTLB during PCIe link-down events affects systems using scalable mode with PASID support. Local authenticated attackers can trigger denial of service by causing PCIe device disconnection followed by resource cleanup operations, such as releasing VFIO group file descriptors, which deadlock the system while attempting ATS invalidation on inaccessible devices. Patch available across multiple stable kernel series.
Denial of service via null pointer dereference in Linux kernel's pstore persistent storage subsystem occurs when the vmap() function fails but the persistent_ram_vmap() function incorrectly returns success if a non-zero offset is present, allowing subsequent buffer access to dereference invalid memory and cause system crashes. Affects Linux kernel versions prior to 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. No public exploit identified at time of analysis, but vendor-released patches are available across multiple stable branches.
In the Linux kernel, the following vulnerability has been resolved: fbcon: check return value of con2fb_acquire_newinfo() If fbcon_open() fails when called from con2fb_acquire_newinfo() then info->fbcon_par pointer remains NULL which is later dereferenced. Add check for return value of the function con2fb_acquire_newinfo() to avoid it. Found by Linux Verification Center (linuxtesting.org) with SVACE.
Local denial-of-service in the Linux kernel's AEAD crypto socket interface (`algif_aead`) allows a low-privileged local user to crash the kernel by submitting a decryption request where the minimum receive buffer size check fails to account for the authentication tag length. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) confirms this is a locally exploitable, high-availability-impact issue with no confidentiality or integrity risk. Patches have been released across multiple Linux LTS stable branches (5.10.254, 5.15.204, 6.1.170, 6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0) and Ubuntu has issued multiple USN advisories (USN-8277-1 through USN-8281-1). No public exploit code has been identified and EPSS is 0.02%, indicating no public exploitation activity.
In the Linux kernel, the following vulnerability has been resolved: dm mpath: Add missing dm_put_device when failing to get scsi dh name When commit fd81bc5cca8f ("scsi: device_handler: Return error pointer in scsi_dh_attached_handler_name()") added code to fail parsing the path if scsi_dh_attached_handler_name() failed with -ENOMEM, it didn't clean up the reference to the path device that had just been taken. Fix this, and steamline the error paths of parse_path() a little.
Null pointer dereference in the AMD GPU (amdgpu) DRM subsystem can cause denial of service when the SDMA block is disabled and buffer_funcs initialization is skipped, allowing local authenticated users to crash the kernel via uninitialized function pointer access.
Silent error suppression in the Linux kernel's NTFS3 filesystem driver allows a local authenticated user to trigger inode inconsistency by causing attr_set_size() to fail during file truncation. Affected systems running NTFS3-mounted volumes may experience filesystem corruption or denial of service without any visible error signal to the kernel. No active exploitation has been identified (EPSS 0.02%, not in CISA KEV), and vendor-released patches are available in Linux 7.0 and 6.19.6.
Memory allocation underflow in the Linux kernel ASoC SOF (Sound Open Firmware) ipc4-topology module allows local authenticated users to trigger a denial of service via bytes control handling that fails to account for the full data structure size. The vulnerability affects kernel versions prior to specific stable releases (6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0) where the allocation size calculation omits the sof_ipc4_control_data structure, potentially causing memory exhaustion or kernel crash when processing audio topology configuration.