Skip to main content
CVE-2026-44430 MEDIUM PATCH GHSA This Month

Server-side request forgery in MCP Registry's HTTP namespace verification endpoint allows unauthenticated attackers to reach internal IPv4 addresses via specially-crafted IPv6 addresses that encode or tunnel to RFC1918 and cloud-metadata services. The vulnerability exists in the private-address blocklist used by `safeDialContext`, which fails to block IPv6 6to4 (2002::/16), NAT64 well-known (64:ff9b::/96), NAT64 local-use (64:ff9b:1::/48), and deprecated site-local (fec0::/10) prefixes. On dual-stack and IPv6-only cloud deployments (GKE IPv6, AWS IPv6-only EC2, Azure NAT64), this enables direct connections to metadata services and internal Kubernetes API servers. No public exploit code identified at time of analysis, but proof-of-concept has been demonstrated against the production registry.

Kubernetes SSRF Microsoft Open Redirect Oracle
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-42180 MEDIUM PATCH This Month

Server-side request forgery (SSRF) in Lemmy prior to version 0.19.18 allows authenticated low-privileged users to trigger arbitrary HTTP requests to internal services by creating link posts with URLs targeting loopback, private, or link-local addresses. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled URL without validating against internal address ranges, enabling reconnaissance or exploitation of internal services. No public exploit code has been identified at time of analysis, but the vulnerability is straightforward to demonstrate and requires only user-level account access.

SSRF Lemmy
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-42344 MEDIUM This Month

FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts is vulnerable to DNS rebinding (TOCTOU - Time-of-Check to Time-of-Use). The function resolves the hostname via dns.resolve4()/dns.resolve6() and checks resolved IPs against private ranges, but the actual HTTP request happens in a separate call with a new DNS resolution, allowing the DNS record to change between validation and fetch. At time of publication, there are no publicly available patches.

Information Disclosure Fastgpt
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-67886 MEDIUM This Month

Remote code execution in Bitrix24 through version 25.100.300 allows authenticated users with SOURCE/WRITE permissions on the Translate Module to execute arbitrary PHP code by uploading malicious PHP and .htaccess files. The vulnerability exploits unrestricted file upload capability in a high-privilege context; while the vendor disputes this as intended behavior for administrative users, the low EPSS score (0.02%) and lack of evidence of active exploitation suggest this poses minimal real-world risk despite the moderate CVSS rating.

PHP RCE File Upload N A
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-44844 MEDIUM PATCH GHSA This Month

### Summary `EmlParser.get_raw_body_text()` recurses unconditionally for every nested `message/rfc822` attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested `message/rfc822` parts triggers an unhandled `RecursionError` and aborts parsing of the message. A 12 KB EML file is enough to crash a worker. Though this causes the parser to crash, it is an unlikely scenario as the suggested EML that crashes the parser would not pass basic RFC compliance tests. ### Details The vulnerable function is `EmlParser.get_raw_body_text()` in `eml_parser/parser.py`. For every part of type `multipart/*`, the function iterates over its sub-parts; for every sub-part of type `message/rfc822`, it calls itself recursively on the inner message: There is no depth parameter and no early-abort. CPython's default `sys.recursionlimit` is 1000. Each level of `message/rfc822` nesting adds approximately 8 frames to the stack (parser code + stdlib `_header_value_parser` calls), so roughly 120 nested levels exhaust the limit. The `RecursionError` is not caught anywhere along the call chain, so it propagates out of `decode_email_bytes()` and aborts processing of the entire message. ### PoC Environment: Python 3.12.3, eml_parser 3.0.0 (`pip install eml_parser==3.0.0`), default `sys.recursionlimit=1000`, Ubuntu 24.04 aarch64. No special configuration of `EmlParser`, default constructor. Self-contained reproducer that builds the PoC and triggers the crash: ```python import eml_parser def build_poc(depth=124): inner = b"From: a@a\r\nTo: b@b\r\nContent-Type: text/plain\r\n\r\n.\r\n" msg = inner for i in range(depth): b = f"B{i}".encode() msg = ( b'Content-Type: multipart/mixed; boundary="' + b + b'"\r\n\r\n' b'--' + b + b'\r\nContent-Type: message/rfc822\r\n\r\n' ) + msg + b'\r\n--' + b + b'--\r\n' return msg ep = eml_parser.EmlParser() ep.decode_email_bytes(build_poc()) # RecursionError after ~76 ms on Apple Silicon (Ubuntu 24.04 aarch64). ``` Note that the suggested code does not produce an RFC compliant message. Resulting EML payload size: 12,369 bytes. SHA-256 of generated PoC: `00f15f635e21b4144967c2893b37425e6a6bd7b4185c557e5c7e904e1e6d18e8` The crash is deterministic on a stock install. No network, no special headers, no large attachments. ### Impact Denial of service of any pipeline that processes attacker-supplied EML files using `eml_parser`. A single 12 KB email is enough to crash a worker. If the worker is a long-running process triaging multiple emails, the unhandled exception aborts processing of the whole batch unless the caller wraps the call in a broad `try/except`. Even then, attacker-supplied volume can keep workers in a perpetual restart loop. The vulnerability is exploitable pre-authentication in any deployment that ingests emails from external senders which have not been subject to any kind of basic validation. Considering that email messages pass through a mail-server which does some kind of validation, messages as produced by the *build_poc* function would not reach eml_parser. Nonetheless recursion depth checks have been implemented to handle the described issue. ### Reporter Sebastián Alba Vives (`@Sebasteuo`) Independent security researcher, Senior AppSec Consultant LinkedIn: https://www.linkedin.com/in/sebastian-alba Email: sebasjosue84@gmail.com PGP: `0D1A E4C2 CFC8 894F 19EA DA24 45CD CA33 2CF8 31F4`

Python Denial Of Service Apple Ubuntu
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-42451 MEDIUM This Month

Grimmory is a self-hosted digital library. Prior to version 2.3.1, a stored cross-site scripting (XSS) vulnerability in Grimmory's browser-based EPUB reader allows an attacker to embed arbitrary JavaScript in a crafted EPUB file. When a victim opens the book, the script executes in their browser with full access to the Grimmory application's session context. This can enable session token theft and account takeover, including administrative access if an administrator opens the affected book. This issue has been patched in version 2.3.1.

XSS Grimmory
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-44337 MEDIUM PATCH GHSA This Month

SQL and CQL injection vulnerability in PraisonAI multi-agent teams system versions 2.4.1 through 4.6.33 allows authenticated attackers to execute arbitrary SQL or CQL commands by injecting malicious collection names into knowledge-store implementations. The vulnerability affects applications that pass untrusted collection names to optional SQL/CQL-backed storage backends, enabling data exfiltration, modification, or deletion with low complexity exploitation.

Code Injection Praisonai
NVD GitHub
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-44737 MEDIUM PATCH GHSA This Month

Stored cross-site scripting in Grav admin panel allows authenticated attackers to inject malicious JavaScript into page titles via the data[header][title] parameter, which is then executed when other administrators access the affected page or its move function. The vulnerability requires admin authentication to inject the payload but affects all subsequent viewers, enabling session hijacking, credential theft, and administrative impersonation. Publicly available exploit code exists with working proof-of-concept screenshots.

XSS RCE
NVD GitHub
CVSS 4.0
6.2
EPSS
0.0%
CVE-2026-42199 MEDIUM PATCH This Month

Grid is a data structure grid for rust. From version 0.17.0 to before version 1.0.1, an integer overflow in Grid::expand_rows() can corrupt the relationship between the grid’s logical dimensions and its backing storage. After the internal invariant is broken, the safe API get() may invoke get_unchecked() with an invalid index, resulting in Undefined Behavior. This issue has been patched in version 1.0.1.

Integer Overflow Buffer Overflow Grid
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2023-42345 MEDIUM PATCH This Month

A Cross Site Scripting vulnerability in Alkacon OpenCms before 16 exists via updateModelGroups.jsp. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2022-23961 MEDIUM This Month

In Thruk Monitoring through 2.46.3, the login field of the login form is vulnerable to reflected XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-40295 MEDIUM PATCH GHSA This Month

Open redirect in Devise's Timeoutable module allows unauthenticated attackers to redirect users with expired sessions to arbitrary external URLs via an unvalidated HTTP Referer header on non-GET requests. An attacker can host a page with an auto-submitting form to transparently redirect victims through a trusted domain, enabling credential harvesting or malware distribution without triggering browser phishing warnings. Affects Devise versions up to 5.0.3; patched in 5.0.4.

Open Redirect
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-44708 MEDIUM PATCH GHSA This Month

Cross-site scripting (XSS) vulnerability in the Mistune markdown parser's math plugin bypasses the `escape=True` security setting by rendering inline (`$...$`) and block (`$$...$$`) math content without HTML escaping. Attackers can inject arbitrary JavaScript that executes in the victim's browser session when a developer-controlled application parses untrusted markdown with the math plugin enabled, even when the parser is explicitly configured to sanitize all user input. Proof-of-concept code demonstrates script tag injection and image onerror handler exploitation; no public exploit code identified at time of analysis.

XSS Apple Python Red Hat
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-44665 MEDIUM PATCH GHSA This Month

Attribute injection in fast-xml-builder npm package allows attackers to inject malicious HTML/XML attributes when processEntities flag is disabled. Affected versions through 1.1.6 fail to properly sanitize quote characters in attribute values, enabling injection of arbitrary attributes like onClick handlers for cross-site scripting attacks. Patch available in version 1.1.7. EPSS and KEV data not available for this vulnerability, suggesting limited observed exploitation targeting this specific library, though the attack technique is well-understood.

XXE Red Hat
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-41575 MEDIUM PATCH This Month

DOM-based cross-site scripting (XSS) in th30d4y/IP versions 1.0.1 through 2.0.0 allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting malicious input to the IP Reputation Checker application. The vulnerability requires user interaction (clicking a malicious link) but affects all users of vulnerable versions. Vendor-released patch: version 2.0.1.

XSS W4Nn4D13 Ip
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-42030 MEDIUM PATCH This Month

Reflected XSS in MapServer 6.0 through 8.6.1 allows unauthenticated remote attackers to inject arbitrary HTML and JavaScript into the browsers of users clicking crafted WMS URLs. The vulnerability exists in the OpenLayers template when FORMAT=application/openlayers is combined with an unsanitized SRS parameter in WMS 1.3.0 requests. MapServer 8.6.2 patches this issue, and no public exploit code or active exploitation has been confirmed, though the attack requires user interaction (clicking a malicious link).

XSS Mapserver
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-44664 MEDIUM PATCH GHSA This Month

Injection of arbitrary XML/HTML content in fast-xml-builder versions up to 1.1.5 allows unauthenticated remote attackers to break out of XML comments via three consecutive dashes (---), bypassing the regex-based sanitization fix for CVE-GHSA-gh4j-gqv2-49f6. Applications with the comment property enabled are at risk of XSS or malicious code injection in generated XML/HTML output when processing untrusted input. CVSS 6.1 with user interaction required; publicly available advisory but no confirmed POC.

RCE Red Hat
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-6253 MEDIUM PATCH This Month

Proxy credentials in curl leak to unintended destinations when an HTTP redirect points to a proxy endpoint, exposing authentication material beyond its intended scope. This affects the curl library and CLI tool (haxx:curl) across a broad version range from 7.14.1 through 8.19.0, as enumerated in EUVD-2026-29927. A proof of concept exists per SSVC classification (Exploitation: poc), the vendor has issued a patch coordinated via oss-security and HackerOne report #3669637, and downstream distributors Red Hat (RHSA-2026:12916) and SUSE (multiple SU advisories) have released updates.

Apple Information Disclosure Curl
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-44788 MEDIUM GHSA This Month

Path traversal in SharpCompress `WriteToDirectory()` allows malicious ZIP and TAR archives to create directories outside the intended extraction root via relative (`../../`) and absolute path (`/tmp/`) overrides in the directory-entry fast-path. TAR archives can be further escalated to arbitrary file writes when callers implement `SymbolicLinkHandler` without validating symlink targets, enabling an attacker to write files anywhere on the filesystem subject to process permissions. CVSS 5.9 reflects moderate severity; real-world impact depends on whether the application extracts untrusted archives and implements symlink handling.

Privilege Escalation Path Traversal
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-4873 MEDIUM PATCH This Month

Connection reuse logic in curl ignores TLS requirements, causing sensitive data to be transmitted in cleartext over channels that should be TLS-encrypted. When curl's connection pool reuses an existing non-encrypted connection to fulfill a subsequent HTTPS request, credentials, tokens, or request payloads may traverse the network without encryption. Affects curl versions 7.20.0 through 8.19.0 (cpe:2.3:a:haxx:curl); no public exploit is identified at time of analysis, SSVC confirms exploitation: none, and EPSS stands at 0.01% (2nd percentile).

Buffer Overflow Curl
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-44837 MEDIUM PATCH GHSA This Month

Path traversal in ViewComponent system test entrypoint allows local attackers to read arbitrary files outside the intended temp directory by exploiting a flawed string-prefix containment check. The vulnerability affects ViewComponent 3.0.0 through 4.8.x running in Rails test mode; a request with a crafted file parameter containing a sibling directory name (e.g., `../view_components_evil/secret.html.erb`) bypasses validation because `/app/tmp/view_components_evil/secret.html.erb` passes a `start_with?` check against `/app/tmp/view_components`. This is limited to test environments (Rails.env.test?) but poses risk in shared CI systems, staging, or review apps where test mode is accidentally exposed. Public proof-of-concept code is available.

Path Traversal
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-44833 MEDIUM PATCH GHSA This Month

Open redirect vulnerability in Snipe-IT versions prior to 8.4.1 allows authenticated attackers to redirect users to malicious sites by poisoning the session-stored HTTP Referer header, enabling phishing, session hijacking, and malware distribution attacks. Exploitation requires prior session poisoning and user interaction (clicking a form submission), limiting real-world practical impact despite moderate CVSS score of 5.9. Vendor-released patch available in version 8.4.1.

Open Redirect
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-42279 MEDIUM This Month

Cross-organization time-entry modification in solidtime 0.12.0 allows authenticated users with time-entries:update:all permission in their own organization to modify and rebind time entries belonging to different organizations by exploiting insufficient route-parameter validation in the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} endpoint. An attacker can supply a known foreign time-entry UUID and reassign it to projects within their own organization, causing unauthorized data manipulation across organizational boundaries. Vendor-released patch: version 0.12.1.

Authentication Bypass Solidtime
NVD GitHub
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-44214 MEDIUM PATCH GHSA This Month

### Summary `eventsource-encoder` does not sanitize the `event` or `id` fields of an `EventSourceMessage` before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (`\n`, `\r`, or `\r\n`) and thereby forge additional SSE fields or entire messages on the stream. This is similar in spirit to [GHSA-4hxc-9384-m385](https://github.com/advisories/GHSA-4hxc-9384-m385) (h3), but the vulnerable fields are `event`/`id` rather than `data`/`comment`. These are less likely to be user-controllable, but should still be sanitized. ### Details In `src/encode.ts`, `encodeMessage` interpolates `event` and `id` into the output without inspecting them for line terminators: ```ts if (message.event) { output += `event: ${message.event}\n` } // ... if (typeof message.id === 'string' || typeof message.id === 'number') { output += `id: ${message.id}\n` } ``` The SSE specification treats `\r`, `\n`, and `\r\n` as line terminators. A `\n` (or `\r`) embedded in either field is rendered as the end of that field, allowing the rest of the input to be interpreted by the client as new SSE fields. By contrast, `data` and `comment` already normalize all three line-terminator forms via `NEWLINES_RE = /(\r\n|\r|\n)/g`, so they are not affected. ### Proof of concept ```js import {encode} from 'eventsource-encoder' // Attacker-controlled value flows into `event` const userSuppliedTopic = 'message\nevent: admin\ndata: {"role":"admin"}' console.log(encode({event: userSuppliedTopic, data: 'hello'})) ``` Output: ``` event: message event: admin data: {"role":"admin"} data: hello ``` The browser sees two events: a forged `admin` event with attacker-chosen payload, followed by the legitimate `message` event. The same primitive works through `id` for any string id value. ### Impact If untrusted input is passed into the `event` or `id` field of a message, an attacker can: - Spoof events of arbitrary type (rerouting payloads to handlers the attacker chooses) - Inject additional SSE fields (`data:`, `id:`, `retry:`) into the stream - Split a single `encode()` call into multiple distinct browser events - Override the client's `Last-Event-ID` via injected `id:` lines The vulnerability requires that an application places attacker-controlled data into `event` or `id`. Applications that only put trusted, statically-defined values into these fields are not affected. ### Patches Fixed in `eventsource-encoder@1.0.2`. The `event` and string `id` fields are now validated; any value containing `\r` or `\n` causes the encoder to throw a `TypeError` rather than emit a malformed stream. ### Workarounds If users cannot upgrade, validate or strip line terminators from any untrusted value before passing it to `encode` / `encodeMessage`: ```js function safeSingleLine(value) { if (/[\r\n]/.test(value)) throw new Error('SSE field must be single-line') return value } encode({event: safeSingleLine(topic), id: safeSingleLine(id), data}) ``` ### Resources - Related advisory (different package, same class): https://github.com/advisories/GHSA-4hxc-9384-m385 - SSE spec, line terminators: https://html.spec.whatwg.org/multipage/server-sent-events.html#parsing-an-event-stream ### Credit Discovered while reviewing in light of GHSA-4hxc-9384-m385.

RCE
NVD GitHub VulDB
CVSS 3.1
5.8
EPSS
0.0%
CVE-2022-26523 MEDIUM This Month

The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Denial Of Service RCE Buffer Overflow
NVD VulDB
CVSS 3.1
5.3
EPSS
1.6%
CVE-2026-43302 MEDIUM PATCH This Month

Linux kernel DMA API debug warnings in V3D rendering driver cause denial of service when CONFIG_DMA_API_DEBUG is enabled and V3D segment sizes exceed the default 64K maximum. The vulnerability affects systems using V3D graphics rendering (particularly Raspberry Pi 5) with debug DMA API enabled, allowing local authenticated users to trigger kernel warnings and potential system instability by creating V3D buffer objects larger than the device's claimed DMA segment size limit.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43432 MEDIUM PATCH This Month

Memory leak in the Linux kernel xHCI USB host controller driver's xhci_disable_slot() function causes kernel memory exhaustion under error conditions, leading to denial of service. Affected kernels span multiple stable branches from the introduction commit through versions before 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0. A local low-privileged user who can trigger USB xHCI slot disable error paths - requiring specific hardware fault conditions - could accumulate kernel memory leaks over time, ultimately causing system instability. No public exploit identified at time of analysis; EPSS is 0.03% (9th percentile), reflecting negligible real-world exploitation likelihood.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43436 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's ALSA USB-audio Scarlett2 mixer quirk allows a local low-privileged user to crash the kernel (denial of service) by presenting a malformed USB descriptor with zero endpoints. Affected systems running unpatched kernels from the initial commit onward through stable branches 6.1.x, 6.6.x, 6.12.x, 6.18.x, and 6.19.x are exposed whenever the USB-audio driver enumerates a crafted or emulated Scarlett2-type device. No active exploitation is confirmed (not in CISA KEV) and no public exploit identified at time of analysis; the EPSS score of 0.03% (8th percentile) confirms very low real-world exploitation probability.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-42185 MEDIUM PATCH This Month

Privilege escalation in Suite Numérique People prior to version 1.25.0 allows authenticated domain administrators to remotely promote any existing user to Owner role via a crafted invitation request, without requiring acceptance from the target user. The vulnerability requires valid Administrator credentials on a mail domain but grants immediate full domain ownership, creating a severe lateral privilege escalation risk within multi-tenant deployments.

Privilege Escalation People
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43475 MEDIUM PATCH This Month

Denial-of-service via kernel lock-up in the Linux kernel's Hyper-V storage controller driver (hv_storvsc) affects guests running PREEMPT_RT-enabled kernels on Microsoft Hyper-V. The storvsc_queuecommand function disables preemption and then acquires an RT spinlock inside hv_ringbuffer_write; under PREEMPT_RT semantics, RT spinlocks are sleepable, making this a fatal locking-discipline violation that triggers the 'scheduling while atomic' BUG splat and subsequent system lock-up. No public exploit and no public exploit identified at time of analysis, with EPSS at 0.02% (7th percentile) reflecting the niche configuration dependency.

Microsoft Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43473 MEDIUM PATCH This Month

Local denial-of-service in the Linux kernel's mpi3mr SCSI driver causes a system crash via NULL pointer dereference during resource cleanup. An authenticated local user on a system using MPI3-based storage controllers can trigger a kernel panic by inducing the error path where queue creation fails: the driver frees reply or request queue memory but subsequently attempts to memset the now-freed (NULL) pointer, crashing the system. No public exploit exists and EPSS sits at 0.02% (7th percentile), indicating low real-world exploitation probability at time of analysis.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43472 MEDIUM PATCH This Month

Improper error-path state management in the Linux kernel's unshare(2) syscall leaves calling processes with dangling filesystem root and working-directory pointers after partial namespace creation failure. When a local low-privileged process calls unshare() with both CLONE_NEWNS and CLONE_NEWCGROUP on an unshared fs_struct (users==1), a successful copy_mnt_ns() updates current->fs->root and current->fs->pwd into the new mount namespace before a subsequent copy_cgroup_ns() failure triggers cleanup - dissolving the mount tree while leaving those pointers referencing now-detached mounts. The calling process is stranded in a broken filesystem state, producing high availability impact (CVSS A:H) confined entirely to the calling process. No public exploit has been identified, EPSS is 0.02% (7th percentile), and this is not in CISA KEV, reflecting low real-world exploitation interest despite the bug existing since unshare(2) was first introduced.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43468 MEDIUM PATCH This Month

Deadlock in the Linux kernel's mlx5 network driver eswitch subsystem allows a local low-privileged user to cause a complete system hang (denial of service) on hosts equipped with Mellanox/NVIDIA ConnectX NICs operating in SR-IOV eswitch mode. The deadlock arises from a lock-ordering inversion: the eswitch work queue acquires the devlink lock while processing VF change events, and concurrently the eswitch mode-set path holds the devlink lock and calls flush_workqueue, producing a circular wait. No public exploit code exists and no active exploitation has been identified at time of analysis; EPSS probability is 0.02%, reflecting the narrow, hardware-specific attack surface.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43457 MEDIUM PATCH This Month

Memory leak in the Linux kernel's MCTP I2C driver receive path allows a local authenticated attacker to progressively exhaust kernel slab memory, resulting in denial of service. The flaw exists in all kernel versions from 5.18 (when the MCTP I2C driver was introduced at commit f5b8abf9fc3dacd7529d363e26fe8230935d65f8) through multiple stable branches now addressed by patches in 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0. No public exploit identified at time of analysis; the EPSS score of 0.02% (7th percentile) confirms very low exploitation probability, consistent with the niche deployment context of MCTP I2C interfaces.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43455 MEDIUM PATCH This Month

Race condition in the Linux kernel MCTP route subsystem allows a local, low-privileged attacker to cause a device reference count leak leading to availability impact. The mctp_flow_prepare_output() function in the MCTP (Management Component Transport Protocol) networking stack fails to hold key->lock around the key->dev check-and-set sequence, enabling two concurrent threads to each acquire a device reference while only the final one is tracked for release - gradually exhausting kernel resources. No public exploit exists and EPSS is 0.02% (7th percentile), indicating very low exploitation probability; patch-confirmed fixes are available across multiple stable kernel branches.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43451 MEDIUM PATCH This Month

Repeated memory exhaustion in the Linux kernel's netfilter nfnetlink_queue subsystem allows a local low-privileged attacker to trigger a denial of service by leaking kernel memory on every crafted PF_BRIDGE verdict. The defect in nfqnl_recv_verdict() causes the nf_queue_entry, its sk_buff, and all held net_device and struct net reference counts to never be released when nfqa_parse_bridge() returns an error due to malformed VLAN netlink attributes. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (7th percentile) reflects the constrained local attack path and low exploitation probability.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43445 MEDIUM PATCH This Month

DMA mapping resource leak in Linux kernel e1000 and e1000e Intel Ethernet drivers results in local denial-of-service conditions via memory exhaustion. The flaw originates from an off-by-one error in the TX buffer error-cleanup path (dma_error), introduced by commit c1fa347f20f1 which fixed an infinite loop but simultaneously decremented the unmap counter prematurely - causing exactly one DMA mapping to leak per failed multi-buffer TX operation. No public exploit has been identified and no active exploitation is confirmed (not in CISA KEV); EPSS of 0.02% (7th percentile) reflects extremely low weaponization probability.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43429 MEDIUM PATCH This Month

Indefinite kernel thread hang in the Linux kernel usbtmc (USB Test and Measurement Class) driver allows a local authenticated user to cause a denial of service by supplying an arbitrarily large timeout value via ioctl. The driver previously passed user-controlled timeout values directly to usb_bulk_msg(), which uses unkillable waits, meaning the kernel thread could never be interrupted or killed once blocked. No public exploit or active exploitation has been identified at time of analysis, and EPSS probability is negligible at 0.02%, but the straightforward local trigger path makes this a meaningful availability risk on systems with USBTMC devices.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43428 MEDIUM PATCH This Month

Unbounded uninterruptible USB synchronous timeout in the Linux kernel's usbcore subsystem allows a local low-privilege user to permanently hang a kernel task with no signal-based kill path. The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs accept arbitrary timeout values and use TASK_UNINTERRUPTIBLE waits, meaning a task blocked on a misbehaving or absent USB device cannot be terminated by SIGKILL - only physical device removal can unblock it. CVSS 5.5 (AV:L/PR:L/A:H), EPSS at 0.02% (7th percentile), no KEV listing, and no public exploit code at time of analysis collectively indicate low active exploitation risk, though the denial-of-service primitive is straightforward once local access is established.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43425 MEDIUM PATCH This Month

Denial of service in the Linux kernel mdc800 USB imaging driver allows a local low-privileged user to crash the kernel by triggering a URB double-submission race condition. The mdc800_device_read() function submits a USB Request Block (URB) but fails to cancel it on timeout, leaving it active; a subsequent read() resubmits the same in-flight URB, triggering a kernel WARN in usb_submit_urb() that can destabilize the system. No public exploit exists and no active exploitation has been identified - EPSS is 0.02% (7th percentile), reflecting the hardware-specific, local-access-only nature of this flaw.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43424 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's USB gadget f_tcm (USB Target Controller Module) driver allows an authenticated local attacker with USB host access to trigger a kernel panic by sending Bulk-Only Transport (BOT) commands during a race window where the ConfigFS-managed nexus pointer is uninitialized or torn down. Affected systems are those acting as USB gadgets - primarily embedded devices and single-board computers - running kernel versions from commit c52661d60f636d17e26ad834457db333bd1df494 onward without the applied fix. No public exploit exists and the vulnerability is absent from CISA KEV; EPSS of 0.02% (7th percentile) confirms negligible observed exploitation activity.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43412 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's ASoC QCOM QDSP6 subsystem crashes systems built on Qualcomm SA8775P and SC8280XP SoCs during ADSP protection-domain restart cycles. The crash occurs because the q6apm-audio .remove callback prematurely deletes Runtime Descriptions (RTDs) containing q6apm DAI components during ASoC teardown, leaving those components still linked to the sound card and triggering a kernel oops on the subsequent rebind. Impact is limited to availability (kernel panic/denial of service); no public exploit has been identified at time of analysis, and EPSS at 0.02% reflects very low widespread exploitation probability.

Qualcomm Linux Null Pointer Dereference Denial Of Service Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43411 MEDIUM PATCH This Month

Divide-by-zero in the Linux kernel's TIPC (Transparent Inter-Process Communication) subsystem allows a local low-privileged user to trigger a kernel oops/panic via a crafted setsockopt call. An attacker with local access sets conn_timeout to a value in the range [0, 3] on a TIPC socket, then initiates a connection that receives TIPC_ERR_OVERLOAD, causing integer division by zero in tipc_sk_filter_connect() and crashing the kernel. No public exploit has been identified at time of analysis and EPSS is 0.02%, but the low-complexity, low-privilege local trigger makes this a practical local denial-of-service in shared or container environments.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43387 MEDIUM PATCH This Month

Out-of-bounds read in the Linux kernel's staging rtl8723bs WiFi driver allows a local low-privileged attacker to crash the system via improper length validation in the rtw_get_ie_ex() information element parser. The flaw mirrors a previously patched issue in the sibling rtw_get_ie() parser (commit 154828bf9559) - the fix was not consistently applied to rtw_get_ie_ex(). With a CVSS score of 5.5, local access requirement, and EPSS of 0.02% (7th percentile), this is a low-urgency availability issue with no public exploit and no KEV listing. Patches have been released across all major active stable kernel branches.

Buffer Overflow Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43382 MEDIUM PATCH This Month

Deadlock in the Linux kernel's batman-adv ELP metric worker allows a local low-privileged user to trigger a kernel hang and cause a denial of service. The flaw exists in batadv_v_elp_get_throughput() where a previous fix using rtnl_trylock() for the ethtool path failed to cover the cfg80211 interface path, which still called batadv_get_real_netdev() - itself internally invoking rtnl_lock(). When batadv_v_elp_iface_disable() cancels the work queue via cancel_delayed_work_sync() while the RTNL lock is already held, this double-lock acquisition produces a deadlock. No public exploit identified at time of analysis, and EPSS of 0.02% confirms very low real-world exploitation probability.

Information Disclosure Linux
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43381 MEDIUM PATCH This Month

Kernel crash (local denial of service) in the Linux nouveau NVIDIA GPU driver allows a local authenticated user to trigger a kernel WARNING and system instability by accessing the DisplayPort AUX channel (/dev/drm_dp_*) while the GPU is in runtime-suspended state. The driver fails to check device power state before invoking the GSP (GPU System Processor) firmware communication path, causing an unhandled condition in r535_gsp_msgq_wait. No public exploit exists and the EPSS score is 0.02% (7th percentile), but the vulnerability is notable in environments where fwupd or similar firmware tools interact with DP AUX interfaces on systems using the nouveau driver with runtime power management enabled.

Denial Of Service Lenovo Linux
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43371 MEDIUM PATCH This Month

Memory leak and denial-of-service in the Linux kernel macb network driver (used in AMD ZynqMP platforms) allows local authenticated users to cause prolonged network disruption and system resource exhaustion. The flaw manifests during suspend/resume cycles when the transmit ring pointer resets incorrectly, silently dropping queued packets without releasing their memory, and causing the driver to become stuck waiting for already-transmitted packets. Real-world impact observed in NFS rootfs recovery delays. EPSS score of 0.02% (7th percentile) indicates low exploitation likelihood. Vendor patches available across multiple stable kernel branches (6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.9).

Amd Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43363 MEDIUM PATCH This Month

System hangs on Linux kernel resume from s2ram when firmware re-enables x2apic mode that kernel disabled during boot. Affects x86 systems with APIC hardware where kernel disabled x2apic (due to missing IRQ remapping support or other reasons) but ACPI-compliant firmware restores x2apic to initial boot state per spec. Kernel continues using xapic interface while hardware operates in x2apic mode, causing denial of service through system freezes. CVSS 5.5 (local low-complexity authenticated attack, high availability impact). EPSS 0.02% (7th percentile) indicates low observed exploitation probability. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0 mainline). No KEV listing or public exploit identified at time of analysis.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43361 MEDIUM PATCH This Month

Filesystem denial-of-service in the Linux kernel's btrfs subsystem allows a local low-privileged user to force a mounted btrfs filesystem into read-only mode by repeatedly snapshotting a received subvolume until the BTRFS_UUID_KEY_RECEIVED_SUBVOL B-tree leaf overflows its maximum item size, triggering a transaction abort in create_pending_snapshot(). Critically, the operations involved - snapshot, send, receive, and set_received_subvol - require only inode_owner_or_capable() rather than CAP_SYS_ADMIN, meaning unprivileged users owning subvolumes can mount this attack. No public exploit identified at time of analysis beyond the detailed reproducer script embedded in the advisory itself; EPSS at 0.02% (7th percentile) reflects low widespread automated exploitation probability, though multi-tenant environments face elevated practical risk.

Buffer Overflow Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43360 MEDIUM PATCH This Month

Btrfs filesystem transaction abort in the Linux kernel allows a local low-privileged user to force any btrfs-mounted volume into read-only mode by deliberately creating files whose names produce identical crc32c hash values. When enough hash-colliding filenames are created in a single directory, the dir item leaf node fills beyond its size limit, triggering a kernel transaction abort that renders the entire btrfs volume inaccessible for all users. A detailed reproducer script including a curated list of crc32c-colliding filenames is embedded directly in the CVE description, making exploitation trivially repeatable; however, the EPSS score of 0.02% (7th percentile) and absence from CISA KEV indicate no confirmed widespread exploitation at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
Prev Page 2 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy