### Summary A server-side authentication bypass in `azureauthextension` allows any party who holds a single valid Azure access token for *any scope the collector's configured identity can mint for* to authenticate to any OpenTelemetry receiver that uses `auth: azure_auth`. The extension's `Authenticate` method does not validate incoming bearer tokens as JWTs. Instead, it calls its own configured credential to obtain an access token and compares the client's token to the result with string equality - and the scope for that server-side token request is taken from the client-supplied `Host` header. As a result, a token minted for any Azure resource the service principal has ever been issued a token for (ARM, Graph, Key Vault, Storage, etc.) will authenticate to the collector if the attacker picks a matching `Host`. Tokens are replayable for the full issued lifetime (commonly several hours for managed identity tokens). Severity: High (CVSS 8.1). See "Threat model" below for the preconditions that inform that score. ### Root cause The extension implements both `extensionauth.HTTPClient` (outbound: "attach my identity to requests I send") and `extensionauth.Server` (inbound: "validate a credential someone presented to me"). Those two interfaces look symmetric but are not: holding a credential to present says nothing about the ability to validate a credential someone else presents. The outbound path only requires `credential.GetToken()`; the inbound path requires JWT signature verification against the issuer's JWKS, issuer/audience/exp/nbf checks, and an algorithm allowlist - none of which the extension does. PR #39178 ("Implement extensionauth.HTTPClient and extensionauth.Server interface functions") added the `Server` path in v0.124.0 by reusing the same credential object and comparing strings. That server-side path is present in every release through v0.150.0. The outbound `HTTPClient` path (used by Azure exporters) is unaffected. ### Details Vulnerable code - `extension/azureauthextension/extension.go:208-235`: ```go func (a *authenticator) Authenticate(ctx context.Context, headers map[string][]string) (context.Context, error) { auth, err := getHeaderValue("Authorization", headers) if err != nil { return ctx, err } host, err := getHeaderValue("Host", headers) if err != nil { return ctx, err } authFormat := strings.Split(auth, " ") if len(authFormat) != 2 { /* ... */ } if authFormat[0] != "Bearer" { /* ... */ } token, err := a.getTokenForHost(ctx, host) // asks the collector's own identity if err != nil { return ctx, err } if authFormat[1] != token { // string comparison, not JWT validation return ctx, errors.New("unauthorized: invalid token") } return ctx, nil } ``` And `getTokenForHost` at `extension.go:187-206`: ```go options := policy.TokenRequestOptions{ Scopes: []string{ fmt.Sprintf("https://%s/.default", host), // client-supplied Host chooses scope }, } ``` Two independent problems compose here: **1. No JWT validation.** Real Entra ID bearer validation requires verifying the JWT signature against the tenant JWKS and checking `iss`, `aud`, `exp`, `nbf`, plus an algorithm allowlist. The extension does none of this. The "expected" value is a token the server mints from its own credential, not a signature to verify. Any party that already holds a valid token for the collector's identity - a co-tenant pod that shares the managed identity, any peer authenticated with the same service principal, any component that retained an `Authorization:` header - can replay it directly. **2. Attacker-controlled audience.** The scope used to mint the "expected" token comes from the client-supplied `Host` header: `https://<Host>/.default`. The `azcore` credential returns a consistent token per (identity, scope) pair within the cache window, so an attacker can pick any scope the SP has been issued a token for and match it by setting `Host` accordingly. This is the sharper of the two flaws: it means a token leaked from an unrelated Azure integration - ARM, Graph, Key Vault, a different Storage account - authenticates to the collector. The correct primitive is a real JWT validator - e.g. `github.com/coreos/go-oidc/v3` pointed at the tenant's discovery endpoint, with audience and issuer pinned *server-side from configuration*, never derived from request headers. ### Proof of concept Both variants assume a collector running with `azureauthextension` v0.124.0-v0.150.0, configured with any credential mode and referenced from a receiver's `auth:` block: ```yaml extensions: azure_auth: managed_identity: client_id: ${CLIENT_ID} receivers: otlp: protocols: http: endpoint: 0.0.0.0:4318 auth: authenticator: azure_auth service: extensions: [azure_auth] pipelines: traces: receivers: [otlp] exporters: [debug] ``` #### Variant A - Replay (same scope) The attacker controls a workload that shares the collector's managed identity (common in AKS when multiple pods bind the same UAMI). Both workloads query IMDS for `https://management.azure.com/.default` and receive the same cached token. The attacker replays: ``` POST /v1/traces HTTP/1.1 Host: management.azure.com Authorization: Bearer eyJ... # token minted for management.azure.com Content-Type: application/json {"resourceSpans":[...]} ``` `Authenticate` calls `getTokenForHost(ctx, "management.azure.com")`, receives the identical cached token, and the string comparison passes. #### Variant B - Scope confusion (the stronger case) The attacker holds a token for the SP issued for a *different* Azure resource - say Key Vault, obtained from an entirely unrelated integration. The collector was never intended to accept Key Vault tokens. The attacker sets `Host` to match: ``` POST /v1/traces HTTP/1.1 Host: vault.azure.net Authorization: Bearer eyJ... # token minted for vault.azure.net Content-Type: application/json {"resourceSpans":[...]} ``` `Authenticate` calls `getTokenForHost(ctx, "vault.azure.net")`. The collector's credential mints (or returns cached) a token for `https://vault.azure.net/.default` - the same token the attacker holds, because both come from the same SP issued for the same scope by the same IdP. Comparison passes. The collector accepts telemetry gated on "proof of identity to Key Vault." In a correct implementation, the JWT's `aud` would be pinned server-side to a value unrelated to `Host`, and Variant B would fail regardless of what the attacker put in the `Host` header. A small Go reproducer can be built around the extension's own test harness: the existing `TestAuthenticate` in `extension_test.go` is effectively a demonstration of the broken behavior - it passes when the client-supplied token equals the server-side token for the given `Host`, which is exactly what an attacker arranges. ### Impact **Vulnerability class:** Improper Authentication (CWE-287), with contributing CWE-347 (Improper Verification of Cryptographic Signature - no JWT validation), CWE-294 (Authentication Bypass by Capture-replay - tokens replayable for full TTL), and CWE-290 (Authentication Bypass by Spoofing - client `Host` header chooses the expected scope). **Threat model / precondition.** The attacker needs to already hold (or be able to obtain) a valid Azure access token issued to the collector's SP for any scope. In practice this is satisfied by: (a) controlling another workload that binds the same managed identity, (b) compromising any peer authenticated with the same SP, or (c) observing an `Authorization:` header from any prior legitimate request for the SP. This is what drives the 8.1 score - the precondition is non-trivial but is routine in multi-workload Azure environments. **Who is impacted.** Any operator of `opentelemetry-collector-contrib` v0.124.0 through v0.150.0 who configured `azureauthextension` on a receiver's `auth:` block. This applies to both HTTP and gRPC receivers - gRPC receivers surface `:authority` as `Host` through the collector's header handling, so the same exploit path applies there. **Deployments most at risk:** - Multi-workload Azure environments where the collector shares a managed identity with other workloads (any such workload can authenticate as an arbitrary telemetry source). - Deployments that forward `Authorization:` headers through proxies, service meshes, or logging pipelines (one leaked token is enough, and persists for the token TTL - typically several hours for MI tokens, not the 60-minute user-token window). - Multi-tenant environments where different customers' telemetry converges at a collector protected by this extension. **Consequences.** Unauthenticated (from the collector's perspective) ingest of arbitrary traces, metrics, and logs. Downstream effects depend on the collector's exporters and include telemetry-backend poisoning, log injection (masking real attacker activity in SIEMs), metric manipulation to trigger or suppress alerts, cost-amplification against pay-per-datapoint backends, and adversarial traces that corrupt service-graph and incident-triage signals. **Not impacted.** The extension's outbound `extensionauth.HTTPClient` path, used by Azure exporters, is unaffected. Operators who use `azureauthextension` only on exporters can continue doing so. ### Mitigation Until a patched release is available, remove `azure_auth` from any receiver `auth:` blocks. For genuine Entra ID JWT validation on OTLP receivers, use `oidcauthextension` pointed at the tenant discovery URL, with audience pinned from configuration: ```yaml extensions: oidc: issuer_url: https://login.microsoftonline.com/<tenant-id>/v2.0 audience: <expected-api-audience> ``` ### Resources - PR introducing the vulnerable server-side path: [#39178](https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/39178) - Affected versions: v0.124.0 - v0.150.0 Assisted-by: Opus 4.7
Out-of-bounds read in Chrome's codec implementation allows remote attackers to extract potentially sensitive data from process memory by delivering a malicious media file. Affects Chrome versions prior to 148.0.7778.96. The vulnerability requires user interaction (opening or playing a crafted file) but operates over the network. Google rated this as Medium severity within the Chromium security framework.
LDAP filter injection in Netflix Lemur certificate management platform allows authenticated users with valid LDAP credentials to escalate privileges to administrator by injecting metacharacters into the username field during login. Attackers manipulate group membership queries to gain unauthorized admin roles, enabling access to all certificates, private keys via /certificates/<id>/key endpoint, and CA configurations. Vendor-released patch confirmed in version 1.9.0 (GitHub advisory GHSA-3r34-vq8m-39gh). CVSS 8.1 indicates high confidentiality and integrity impact with low attack complexity from network-authenticated attackers. No public exploit code identified at time of analysis, though detailed reproduction steps exist in the advisory.
Bluetooth L2CAP implementation in Linux kernel fails to validate encryption key size when processing LE Credit Flow Control connection requests, allowing adjacent network attackers to establish L2CAP connections with insufficient cryptographic strength. This affects kernel versions from 3.14 through 6.19.5, with patches released in stable branches 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, and 6.19.6. EPSS score of 0.01% suggests minimal exploitation likelihood despite the adjacent network attack vector and no authentication requirement. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.
Nested AMD SVM virtualization in Linux kernel KVM incorrectly handles VMLOAD/VMSAVE emulation, allowing local privileged attackers in L2 guests to read and write L1 guest state, potentially escalating privileges or causing denial of service. This affects kernels since commit cc3ed80ae69f (v5.13+) and has been patched in stable releases 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. With 7.9 CVSS (HIGH severity) but only 0.02% EPSS, this is a lower-probability threat requiring local authenticated access to nested virtualization environments. No public exploit or active exploitation (KEV) identified at time of analysis.
Out-of-bounds buffer writes in Linux kernel ALSA USB audio subsystem allow local authenticated attackers to crash the kernel or potentially achieve privilege escalation. The flaw occurs during implicit feedback mode playback when stream configurations mismatch between capture and playback, causing the prepare_silent_urb() function to write beyond allocated buffer boundaries. Affects all Linux kernel versions from initial commit 1da177e4c3f4 through multiple stable branches; vendor patches available for 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploits or active exploitation confirmed.
Double-free memory corruption in Linux kernel device-mapper subsystem allows local authenticated users to trigger use-after-free conditions, potentially leading to privilege escalation or denial of service. The vulnerability manifests when using request-based DM targets (e.g., dm-multipath) over NVMe devices, where cloned request bios are freed twice due to stale bio pointers in clone requests. Vendor patches available across multiple stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% indicates low predicted exploitation probability; no active exploitation confirmed at time of analysis.
Out-of-bounds memory access in Linux kernel Qualcomm Camera Subsystem (camss) allows local authenticated users to achieve arbitrary code execution, data corruption, or denial of service. The vfe_isr() function iterates beyond the bounds of the vfe->line[] array (size 4) using a loop count of 7, enabling access to memory at offsets +4, +5, and +6. Vendor patches available across multiple stable branches (6.1.167, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score 0.02% (7th percentile) indicates low observed exploitation probability; no active exploitation confirmed (not in CISA KEV).
Use-after-free in Linux kernel's Atmel HLCDC DRM driver allows local authenticated users to execute arbitrary code, escalate privileges, or cause denial of service. The atmel_hlcdc_plane_atomic_duplicate_state() function incorrectly copies plane state without properly duplicating the drm_plane_state structure, leaving a stale commit pointer that triggers use-after-free during subsequent drm_atomic_commit() calls. Vulnerability surfaces when reopening the device node while another DRM client remains attached. EPSS score is low (0.02%) and no active exploitation confirmed at time of analysis, but local privilege escalation potential and vendor-released patches across multiple stable kernel branches indicate genuine risk for systems using Atmel HLCDC display hardware.
Local privilege escalation in Linux Kernel KVM x86 allows authenticated users with low privileges to potentially achieve arbitrary code execution, information disclosure, or denial of service by exploiting a missing SRCU read-side lock when reading PDPTR registers via the KVM_GET_SREGS2 ioctl. The vulnerability triggers a lockdep warning and unsafe memory slot access in __get_sregs2(), affecting Linux kernel versions from 5.14 onward. Vendor patches available across multiple stable branches (6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6). EPSS score of 0.02% (7th percentile) suggests low exploitation probability in the wild, with no public exploit code or CISA KEV listing confirmed at time of analysis.
LoongArch architecture's cpumask_of_node() function in the Linux kernel mishandles NUMA_NO_NODE (-1) as a node index, potentially enabling local authenticated users to achieve high confidentiality, integrity, and availability impacts (CVSS 7.8). Patches available across multiple stable kernel branches (6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) address the improper input validation. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. No public exploit identified at time of analysis.
A double-unlock bug in the Linux kernel PCI subsystem allows local authenticated users to trigger lock corruption, leading to privilege escalation, information disclosure, or denial of service. The flaw exists in pci_slot_trylock() where improper error handling after commit a4e772898f8b unlocks a bridge device lock that was never acquired, causing either lock state corruption or unlocking another thread's lock. With CVSS 7.8 (AV:L/AC:L/PR:L) and EPSS of 0.02% (7th percentile), this is a local vulnerability with low exploitation complexity requiring authenticated access. Vendor patches are available across all active kernel stable branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). No public exploit code or active exploitation confirmed at time of analysis.
Resource management flaws in the Linux kernel MediaTek MDP driver allow local authenticated attackers with low privileges to trigger memory corruption via improper error handling during device probe initialization, potentially escalating to kernel code execution. Multiple stable kernel branches (5.10.x through 7.0) are affected, with vendor patches released across all maintained versions. No active exploitation confirmed (EPSS 0.02%, not in CISA KEV), though the local attack vector and low complexity suggest straightforward exploitation once local access is achieved.
Out-of-bounds kernel memory write in Linux kernel's AMD KFD (Kernel Fusion Driver) allows local authenticated attackers with low privileges to escalate to root privileges. The kfd_event_page_set() function performs unchecked memset operations of fixed size (KFD_SIGNAL_EVENT_LIMIT * 8 bytes) regardless of user-supplied buffer size, enabling unprivileged userspace processes to corrupt kernel memory. Patches are available across multiple stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability despite high CVSS severity, likely due to the local attack vector and requirement for systems with AMD GPU hardware running the amdkfd driver.
In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: validate num_ifs to prevent out-of-bounds write The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports num_ifs >= 64, the loop can write past the array bounds. Add a bound check for num_ifs in dpaa2_switch_init(). dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all ports match the flood filter, the loop fills all 64 slots and the control interface write overflows by one entry. The check uses >= because num_ifs == DPSW_MAX_IF is also functionally broken. build_if_id_bitmap() silently drops any ID >= 64: if (id[i] < DPSW_MAX_IF) bmap[id[i] / 64] |= ...
Double-free memory corruption in Linux kernel PRUSS (Programmable Real-Time Unit Subsystem) driver allows local authenticated attackers with low privileges to achieve high-impact code execution, information disclosure, or denial of service. The vulnerability exists in pruss_clk_mux_setup() where devm_add_action_or_reset() indirectly calls pruss_of_free_clk_provider() on error path, then erroneously calls of_node_put(clk_mux_np) again afterward. Vendor patches available across stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating; no KEV listing or public POC identified at time of analysis.
Double URB submission in Linux kernel kaweth USB network driver allows local attackers with low privileges to trigger high severity impacts including potential denial of service, information disclosure, or code execution. The flaw occurs when kaweth_set_rx_mode() prematurely re-enables the TX queue via netif_wake_queue() before an in-flight USB transfer completes, enabling kaweth_start_xmit() to submit the same URB twice - a condition explicitly warned against by the USB subsystem. Patches are available across all supported kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). Despite CVSS 7.8 High severity, EPSS score is only 0.02% (7th percentile), indicating low observed exploitation probability. No public exploit or CISA KEV listing identified at time of analysis.
Buffer overflow in Linux kernel's ARM CMN performance monitoring driver allows local attackers with low privileges to execute arbitrary code and gain elevated access. The perf/arm-cmn driver fails to validate hardware configuration parameters against assumed maximum sizes, enabling memory corruption through crafted CMN device configurations. While EPSS indicates low exploitation probability (0.02%), patches are available across all maintained kernel branches (6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) per vendor advisories. The local attack vector and requirement for low-privileged user access limit remote exploitation scenarios.
Double-free vulnerability in Linux kernel RDMA subsystem allows local authenticated attackers to trigger high-severity memory corruption. The flaw in ib_umem_dmabuf_get_pinned_with_dma_device() causes dma_buf_unpin() to be called twice on error paths - once immediately on failure and again during cleanup - enabling potential privilege escalation, system crashes, or information disclosure. Patches available for kernels 6.1.165+, 6.6.128+, 6.12.75+, 6.18.16+, 6.19.6+, and 7.0+. EPSS score of 0.02% indicates low widespread exploitation probability, with no active exploitation or public POCs identified at time of analysis.
Memory corruption in the Linux kernel's AF_ALG crypto subsystem allows local authenticated users to execute arbitrary code or cause denial of service through a page reassignment overflow in af_alg_pull_tsgl. The vulnerability affects multiple stable kernel branches (4.14 through 7.0) and has been patched across all maintained versions. With CVSS 7.8 and low attack complexity (AC:L), this presents a realistic privilege escalation path for local attackers, though EPSS exploitation probability remains low at 0.02% and no public exploit or KEV listing exists at time of analysis.
In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix RSS context delete logic We need to free the corresponding RSS context VNIC in FW everytime an RSS context is deleted in driver. Commit 667ac333dbb7 added a check to delete the VNIC in FW only when netif_running() is true to help delete RSS contexts with interface down. Having that condition will make the driver leak VNICs in FW whenever close() happens with active RSS contexts. On the subsequent open(), as part of RSS context restoration, we will end up trying to create extra VNICs for which we did not make any reservation. FW can fail this request, thereby making us lose active RSS contexts. Suppose an RSS context is deleted already and we try to process a delete request again, then the HWRM functions will check for validity of the request and they simply return if the resource is already freed. So, even for delete-when-down cases, netif_running() check is not necessary. Remove the netif_running() condition check when deleting an RSS context.
Local privilege escalation and memory corruption in Linux kernel on Alpha architecture allows authenticated users to execute arbitrary code, corrupt heap memory, or crash systems via insufficient TLB shootdown during memory compaction. The vulnerability affects Alpha systems exclusively and manifests as SIGSEGV crashes, glibc allocator corruption, and compiler failures. EPSS score of 0.02% indicates low likelihood of widespread exploitation, though vendor patches are available across multiple stable kernel branches. Attack requires local authenticated access with low complexity (CVSS AV:L/AC:L/PR:L), limiting remote exploitation scenarios.
In the Linux kernel, the following vulnerability has been resolved: usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke() The ChipIdea UDC driver can encounter "not page aligned sg buffer" errors when a USB device is reconnected after being disconnected during an active transfer. This occurs because _ep_nuke() returns requests to the gadget layer without properly unmapping DMA buffers or cleaning up scatter-gather bounce buffers. Root cause: When a disconnect happens during a multi-segment DMA transfer, the request's num_mapped_sgs field and sgt.sgl pointer remain set with stale values. The request is returned to the gadget driver with status -ESHUTDOWN but still has active DMA state. If the gadget driver reuses this request on reconnect without reinitializing it, the stale DMA state causes _hardware_enqueue() to skip DMA mapping (seeing non-zero num_mapped_sgs) and attempt to use freed/invalid DMA addresses, leading to alignment errors and potential memory corruption. The normal completion path via _hardware_dequeue() properly calls usb_gadget_unmap_request_by_dev() and sglist_do_debounce() before returning the request. The _ep_nuke() path must do the same cleanup to ensure requests are returned in a clean, reusable state. Fix: Add DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror the cleanup sequence in _hardware_dequeue(): - Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set - Call sglist_do_debounce() with copy=false if bounce buffer exists This ensures that when requests are returned due to endpoint shutdown, they don't retain stale DMA mappings. The 'false' parameter to sglist_do_debounce() prevents copying data back (appropriate for shutdown path where transfer was aborted).
Out-of-bounds write in Linux kernel vhost_vdpa subsystem allows local authenticated users to achieve arbitrary kernel memory corruption via ASID group assignment. Affects Linux kernel versions 5.19 through 6.19.x, with vendor patches available for stable branches 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. Exploitation requires local access with low privileges but no user interaction (CVSS:3.1/AV:L/AC:L/PR:L/UI:N). EPSS score of 0.02% (5th percentile) indicates low predicted exploitation probability, and no public exploit code or active exploitation confirmed at time of analysis.
A memory corruption vulnerability in the Linux kernel's Verisilicon AV1 media driver allows local authenticated attackers to write tile info data beyond allocated buffer boundaries, potentially achieving arbitrary code execution with kernel privileges. The vulnerability affects kernel versions from 6.5 onwards where commit 727a400686a2 introduced the flaw. Patches are available across multiple stable kernel branches (6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, with no public exploit identified at time of analysis and no CISA KEV listing.
Double memory management structure free (mmput) in Linux kernel procfs allows local authenticated attackers with low privileges to cause high-impact memory corruption, potentially leading to privilege escalation, information disclosure, or denial of service. The flaw triggers when userspace provides an incorrectly sized buffer to the PROCMAP_QUERY interface, causing the kernel to call mmput() twice on the same mm_struct after recent code refactoring moved cleanup logic. Patch available from kernel.org stable trees for versions 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates very low probability of exploitation in the wild, consistent with the local attack vector requiring authenticated access and specific API interaction. No CISA KEV listing or public exploit identified at time of analysis.
A use-after-free flaw in the Linux kernel XFS filesystem's xfs_attr_leaf_hasname() function allows local authenticated attackers to potentially execute arbitrary code with kernel privileges or cause denial of service. The function's problematic calling convention can return a pointer to an already-released buffer when xfs_attr3_leaf_lookup_int fails with specific error codes, creating a memory safety issue. Despite a CVSS score of 7.8, EPSS indicates only 0.02% probability of exploitation (5th percentile), suggesting low real-world targeting. Vendor patches are available across multiple stable kernel versions (6.12.75, 6.18.16, 6.19.6, 7.0), and the fix has been committed upstream.
In the Linux kernel, the following vulnerability has been resolved: reset: gpio: suppress bind attributes in sysfs This is a special device that's created dynamically and is supposed to stay in memory forever. We also currently don't have a devlink between it and the actual reset consumer. Suppress sysfs bind attributes so that user-space can't unbind the device because - as of now - it will cause a use-after-free splat from any user that puts the reset control handle.
Use-after-free in Linux kernel ALSA OSS mixer allows authenticated local attackers with low privileges to achieve arbitrary code execution, privilege escalation, or denial of service. The vulnerability stems from insufficient card disconnection checks when OSS mixer layer calls kcontrol operations individually, creating a race condition window where pending calls continue after device removal. Upstream patches available across kernel versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation probability, and no KEV listing or public exploit identified at time of analysis.
Double-free memory corruption in Linux kernel RDMA/irdma driver allows local authenticated users to cause denial of service or potentially escalate privileges. The vulnerability occurs during memory region re-registration (rereg_user_mr) when IB_MR_REREG_TRANS flag is set: if umem allocation succeeds but subsequent steps fail, the umem is freed without nulling the pointer, leading to double-free when userspace calls ibv_dereg_mr. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates very low probability of exploitation in the wild, with no active exploitation confirmed (not in CISA KEV).
Race condition in Linux kernel HID roccat driver enables local privilege escalation through use-after-free memory corruption. Local authenticated attackers can exploit concurrent access to device reader lists during roccat_report_event() operations, achieving arbitrary code execution with high integrity impact (CVSS 7.8). Vendor-released patches available across multiple kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite moderate severity, suggesting limited weaponization in current threat landscape.
A reference counting error in Linux kernel's cachefiles subsystem allows local authenticated users to trigger memory corruption and potentially escalate privileges. The vulnerability stems from cachefiles_cull() passing a dentry with insufficient reference count to cachefiles_bury_object(), causing a use-after-free condition. With CVSS 7.8 (high severity) but only 0.02% EPSS exploitation probability (5th percentile), this represents a kernel memory safety issue requiring local access with low attack complexity. Patches available in stable kernel versions 6.19.14 and 7.0.
Double-free vulnerability in the Linux kernel PCI Hyper-V driver allows local authenticated users to trigger kernel memory corruption and potentially escalate privileges. The flaw occurs in hv_pci_probe() error handling where ida_free() is called twice on the same domain number, leading to memory allocator corruption. Patches released in kernel 6.19.14 and 7.0 fix the issue by removing the redundant ida_free call. EPSS score of 0.02% indicates low exploitation probability in the wild, and no public exploit or KEV listing identified at time of analysis.
Insufficient memory validation in Linux kernel's XSK (AF_XDP socket) UMEM registration allows local authenticated users to corrupt kernel memory structures, potentially leading to privilege escalation or system crashes. The xdp_umem_reg() function fails to validate adequate headroom space for minimum-sized Ethernet frames and skb_shared_info structures in multi-buffer scenarios, enabling memory corruption when XSK frames are processed. Vendor patches are available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% indicates very low probability of mass exploitation, with no active exploitation or public POC identified.
Use-after-free in Linux kernel's XFRM subsystem allows local authenticated users to gain elevated privileges through a race condition during network namespace teardown. The xfrm_policy_fini() function frees policy hash tables without waiting for concurrent RCU readers, enabling attackers with low-level privileges to exploit the timing window between policy deletion and memory deallocation. EPSS score is very low (0.02%, 5th percentile) and no public exploit identified at time of analysis, but CVSS 7.8 reflects high impact if successfully exploited. Vendor-released patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, mainline 7.0).
Local privilege escalation in Linux kernel netfilter nfnetlink_queue allows authenticated users with low privileges to execute arbitrary code with high integrity and availability impact via race condition in shared hash table. The vulnerability stems from a use-after-free condition when multiple queues share a global hash table, enabling parallel CPU operations to access freed nf_queue_entry structures. EPSS score is low (0.02%, 5th percentile) indicating minimal observed exploitation activity. Vendor patches available across multiple stable kernel branches (6.12.83, 6.18.24, 6.19.14) with upstream commits confirmed.
Use-after-free in Linux kernel's OCFS2 filesystem allows local attackers with user interaction to achieve arbitrary code execution, privilege escalation, or denial of service via crafted filesystem images. Affects kernels since initial OCFS2 implementation (2.6.16+) through 6.19.13. Vendor patches available across all supported stable branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) suggests low probability of mass exploitation, though CVSS 7.8 reflects high impact if triggered. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.
Out-of-bounds write in Linux kernel's ocfs2 filesystem driver allows local attackers with low privileges to achieve arbitrary code execution or system crash via a corrupted ocfs2 filesystem image. Exploitation occurs during copy_file_range operations when the malicious id_count field in the inode block exceeds physical inline data capacity, causing a buffer overflow past the inode block buffer. Vendor patches are available across multiple stable kernel versions (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS exploitation probability is low (0.02%, 5th percentile), and no active exploitation or public POC is currently identified.
Use-after-free in Linux kernel eventpoll subsystem allows local authenticated attackers with low privileges to achieve high-impact compromise including arbitrary code execution, privilege escalation, or system crash. The vulnerability stems from premature deallocation of the eventpoll structure while still in use by concurrent threads, creating a race condition exploitable on systems running affected kernel versions 6.4 through 6.19.x and 6.6.x through 6.12.x. Vendor patches available across all affected stable branches with EPSS indicating low widespread exploitation probability (0.02%, 5th percentile), though local access requirements limit attack surface to already-authenticated users or containerized environments.
In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix double destroy_workqueue on service rescan PCI path While testing corner cases in the driver, a use-after-free crash was found on the service rescan PCI path. When mana_serv_reset() calls mana_gd_suspend(), mana_gd_cleanup() destroys gc->service_wq. If the subsequent mana_gd_resume() fails with -ETIMEDOUT or -EPROTO, the code falls through to mana_serv_rescan() which triggers pci_stop_and_remove_bus_device(). This invokes the PCI .remove callback (mana_gd_remove), which calls mana_gd_cleanup() a second time, attempting to destroy the already- freed workqueue. Fix this by NULL-checking gc->service_wq in mana_gd_cleanup() and setting it to NULL after destruction. Call stack of issue for reference: [Sat Feb 21 18:53:48 2026] Call Trace: [Sat Feb 21 18:53:48 2026] <TASK> [Sat Feb 21 18:53:48 2026] mana_gd_cleanup+0x33/0x70 [mana] [Sat Feb 21 18:53:48 2026] mana_gd_remove+0x3a/0xc0 [mana] [Sat Feb 21 18:53:48 2026] pci_device_remove+0x41/0xb0 [Sat Feb 21 18:53:48 2026] device_remove+0x46/0x70 [Sat Feb 21 18:53:48 2026] device_release_driver_internal+0x1e3/0x250 [Sat Feb 21 18:53:48 2026] device_release_driver+0x12/0x20 [Sat Feb 21 18:53:48 2026] pci_stop_bus_device+0x6a/0x90 [Sat Feb 21 18:53:48 2026] pci_stop_and_remove_bus_device+0x13/0x30 [Sat Feb 21 18:53:48 2026] mana_do_service+0x180/0x290 [mana] [Sat Feb 21 18:53:48 2026] mana_serv_func+0x24/0x50 [mana] [Sat Feb 21 18:53:48 2026] process_one_work+0x190/0x3d0 [Sat Feb 21 18:53:48 2026] worker_thread+0x16e/0x2e0 [Sat Feb 21 18:53:48 2026] kthread+0xf7/0x130 [Sat Feb 21 18:53:48 2026] ? __pfx_worker_thread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ret_from_fork+0x269/0x350 [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ret_from_fork_asm+0x1a/0x30 [Sat Feb 21 18:53:48 2026] </TASK>
A race condition in the Linux kernel's chips-media wave5 video decoder driver allows local authenticated users to trigger a NULL pointer dereference during concurrent instance creation/destruction, potentially leading to high confidentiality, integrity, and availability impact. The vulnerability affects kernel versions from commit 9707a6254a8a onwards until patched in 6.18.16, 6.19.6, and 7.0. Fixed via interrupt handler refactoring with proper locking. EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, and no public exploit code or CISA KEV listing exists, suggesting limited real-world exploitation despite the high CVSS 7.8 score.
Use-after-free and reference count underflow in the Linux kernel's amdgpu DRM driver allows local authenticated users with low privileges to cause kernel panic, denial of service, and potentially execute arbitrary code with kernel privileges. The vulnerability affects amdgpu_gem_va_ioctl handling of GPU timeline fences where stale or freed fences are used due to premature fence selection and improper reference management. Patch available in kernel versions 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit or active exploitation has been identified.
Use-after-free in Linux kernel netfilter ctnetlink allows local authenticated attackers with low privileges to achieve code execution, privilege escalation, or denial of service. The vulnerability stems from insufficient protection when accessing master conntrack objects through expectations - holding a reference on the expectation alone does not prevent the master conntrack from being freed, creating a window where exp->master points to freed memory. Patched in stable kernel versions 6.18.24, 6.19.14, and mainline 7.0. EPSS score of 0.02% (4th percentile) indicates low probability of widespread exploitation, and no public exploit or CISA KEV listing exists at time of analysis, suggesting this remains a lower-priority item despite the 7.8 CVSS score.
Local privilege escalation in Google Chrome's macOS Updater component allows attackers to gain OS-level administrative privileges through malicious files. The flaw affects Chrome versions prior to 148.0.7778.96 on macOS and requires user interaction to exploit. Google has released Chrome 148.0.7778.96 to address this vulnerability. Despite the 7.8 CVSS score, Google rates this as Low severity, reflecting the local attack vector and user interaction requirement that significantly constrain real-world exploitation scenarios.
Local privilege escalation in Google Chrome's Windows updater component allows unprivileged users to gain SYSTEM-level access by exploiting insufficient input validation when the updater processes a specially crafted malicious file. Affects all Chrome versions on Windows prior to 148.0.7778.96. Google has released a patched version (148.0.7778.96). No active exploitation confirmed by CISA KEV at time of analysis, though the local attack vector and medium severity rating suggest potential for targeted attacks in enterprise environments where Chrome auto-update may be delayed.
Local privilege escalation in Google Chrome for Android prior to 148.0.7778.96 allows attackers to elevate privileges through malicious files exploiting insufficient policy enforcement in DevTools. The vulnerability requires user interaction to open a crafted file but grants no authentication requirement (PR:N) for the initial attack vector. Google released patch version 148.0.7778.96 addressing this high-severity flaw. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, suggesting exploitation remains theoretical or non-widespread.
Local privilege escalation in Google Chrome Chromoting (prior to 148.0.7778.96) on Windows allows attackers to gain elevated OS-level privileges by tricking users into opening a malicious file. While CVSS scores this as high severity (7.8), real-world risk is tempered by local access and required user interaction (CVSS: AV:L/UI:R). Vendor patch available in version 148.0.7778.96 released May 2026. No active exploitation (CISA KEV) or public exploit code identified at time of analysis.
Use-after-free memory corruption in Chrome Remote Desktop (Chromoting) on Windows enables local privilege escalation to SYSTEM via malicious file interaction. Attackers with local access can gain OS-level administrative control by inducing users to open specially crafted files processed by the Chromoting component. Patch available in Chrome 148.0.7778.96. No evidence of active exploitation (not in CISA KEV), but the local attack vector with low complexity and high impact warrants immediate patching for Windows Chrome deployments, especially in multi-user environments where privilege boundaries are critical.
Path traversal in GitPython versions ≤3.1.47 enables arbitrary file write and deletion outside repository boundaries when applications pass attacker-controlled reference paths to reference creation, rename, or delete operations. A fully-functional proof-of-concept demonstrates successful exploitation by crafting reference names with '../../../' sequences to escape the `.git` directory and manipulate files with the process owner's permissions. Applications exposing GitPython reference APIs to user input-particularly Git automation services, CI/CD pipelines, and multi-tenant developer platforms-are at immediate risk, as no authentication is required at the library boundary. Fixed in version 3.1.48 per GitHub advisory GHSA-7545-fcxq-7j24.
Cisco IoT Field Network Director enables authenticated remote attackers with low-level privileges to crash remotely managed routers by submitting crafted requests through the web-based management interface. The vulnerability causes improper error handling that allows requesting unauthorized files from managed routers, forcing them to reload and creating a denial-of-service condition (CVSS 7.7, Changed Scope). No public exploit or active exploitation reported at time of analysis.