Reflected XSS in MapServer 6.0 through 8.6.1 allows unauthenticated remote attackers to inject arbitrary HTML and JavaScript into the browsers of users clicking crafted WMS URLs. The vulnerability exists in the OpenLayers template when FORMAT=application/openlayers is combined with an unsanitized SRS parameter in WMS 1.3.0 requests. MapServer 8.6.2 patches this issue, and no public exploit code or active exploitation has been confirmed, though the attack requires user interaction (clicking a malicious link).
Injection of arbitrary XML/HTML content in fast-xml-builder versions up to 1.1.5 allows unauthenticated remote attackers to break out of XML comments via three consecutive dashes (---), bypassing the regex-based sanitization fix for CVE-GHSA-gh4j-gqv2-49f6. Applications with the comment property enabled are at risk of XSS or malicious code injection in generated XML/HTML output when processing untrusted input. CVSS 6.1 with user interaction required; publicly available advisory but no confirmed POC.
Cross-site scripting (XSS) in SourceCodester Pharmacy Sales and Inventory System 1.0 allows high-privileged users with user interaction to inject malicious scripts via the Name parameter in /index.php?page=users, affecting application integrity with low severity. The vulnerability requires administrative privileges and user interaction to exploit, limiting real-world impact despite public exploit availability.
Proxy credentials in curl leak to unintended destinations when an HTTP redirect points to a proxy endpoint, exposing authentication material beyond its intended scope. This affects the curl library and CLI tool (haxx:curl) across a broad version range from 7.14.1 through 8.19.0, as enumerated in EUVD-2026-29927. A proof of concept exists per SSVC classification (Exploitation: poc), the vendor has issued a patch coordinated via oss-security and HackerOne report #3669637, and downstream distributors Red Hat (RHSA-2026:12916) and SUSE (multiple SU advisories) have released updates.
Path traversal in SharpCompress `WriteToDirectory()` allows malicious ZIP and TAR archives to create directories outside the intended extraction root via relative (`../../`) and absolute path (`/tmp/`) overrides in the directory-entry fast-path. TAR archives can be further escalated to arbitrary file writes when callers implement `SymbolicLinkHandler` without validating symlink targets, enabling an attacker to write files anywhere on the filesystem subject to process permissions. CVSS 5.9 reflects moderate severity; real-world impact depends on whether the application extracts untrusted archives and implements symlink handling.
Resource exhaustion in GPAC up to version 26.02.0 allows local attackers with limited privileges to trigger a denial-of-service condition via the sidx_box_read function in src/isomedia/box_code_base.c. The vulnerability stems from improper validation of allocation size parameters when parsing ISO media files, enabling exhaustion of system memory without requiring elevated privileges. Publicly available exploit code exists, and a patch is available from the vendor.
Denial of service in Open5GS up to version 2.7.7 affects the NSSF component's stream identification function in the nghttp2-server library. Local authenticated attackers can manipulate the ogs_sbi_stream_find_by_id function to cause service unavailability. Publicly available exploit code exists, though the vendor has not yet responded to early disclosure notification.
Connection reuse logic in curl ignores TLS requirements, causing sensitive data to be transmitted in cleartext over channels that should be TLS-encrypted. When curl's connection pool reuses an existing non-encrypted connection to fulfill a subsequent HTTPS request, credentials, tokens, or request payloads may traverse the network without encryption. Affects curl versions 7.20.0 through 8.19.0 (cpe:2.3:a:haxx:curl); no public exploit is identified at time of analysis, SSVC confirms exploitation: none, and EPSS stands at 0.01% (2nd percentile).
Path traversal in ViewComponent system test entrypoint allows local attackers to read arbitrary files outside the intended temp directory by exploiting a flawed string-prefix containment check. The vulnerability affects ViewComponent 3.0.0 through 4.8.x running in Rails test mode; a request with a crafted file parameter containing a sibling directory name (e.g., `../view_components_evil/secret.html.erb`) bypasses validation because `/app/tmp/view_components_evil/secret.html.erb` passes a `start_with?` check against `/app/tmp/view_components`. This is limited to test environments (Rails.env.test?) but poses risk in shared CI systems, staging, or review apps where test mode is accidentally exposed. Public proof-of-concept code is available.
Open redirect vulnerability in Snipe-IT versions prior to 8.4.1 allows authenticated attackers to redirect users to malicious sites by poisoning the session-stored HTTP Referer header, enabling phishing, session hijacking, and malware distribution attacks. Exploitation requires prior session poisoning and user interaction (clicking a form submission), limiting real-world practical impact despite moderate CVSS score of 5.9. Vendor-released patch available in version 8.4.1.
Cross-organization time-entry modification in solidtime 0.12.0 allows authenticated users with time-entries:update:all permission in their own organization to modify and rebind time entries belonging to different organizations by exploiting insufficient route-parameter validation in the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} endpoint. An attacker can supply a known foreign time-entry UUID and reassign it to projects within their own organization, causing unauthorized data manipulation across organizational boundaries. Vendor-released patch: version 0.12.1.
### Summary `eventsource-encoder` does not sanitize the `event` or `id` fields of an `EventSourceMessage` before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (`\n`, `\r`, or `\r\n`) and thereby forge additional SSE fields or entire messages on the stream. This is similar in spirit to [GHSA-4hxc-9384-m385](https://github.com/advisories/GHSA-4hxc-9384-m385) (h3), but the vulnerable fields are `event`/`id` rather than `data`/`comment`. These are less likely to be user-controllable, but should still be sanitized. ### Details In `src/encode.ts`, `encodeMessage` interpolates `event` and `id` into the output without inspecting them for line terminators: ```ts if (message.event) { output += `event: ${message.event}\n` } // ... if (typeof message.id === 'string' || typeof message.id === 'number') { output += `id: ${message.id}\n` } ``` The SSE specification treats `\r`, `\n`, and `\r\n` as line terminators. A `\n` (or `\r`) embedded in either field is rendered as the end of that field, allowing the rest of the input to be interpreted by the client as new SSE fields. By contrast, `data` and `comment` already normalize all three line-terminator forms via `NEWLINES_RE = /(\r\n|\r|\n)/g`, so they are not affected. ### Proof of concept ```js import {encode} from 'eventsource-encoder' // Attacker-controlled value flows into `event` const userSuppliedTopic = 'message\nevent: admin\ndata: {"role":"admin"}' console.log(encode({event: userSuppliedTopic, data: 'hello'})) ``` Output: ``` event: message event: admin data: {"role":"admin"} data: hello ``` The browser sees two events: a forged `admin` event with attacker-chosen payload, followed by the legitimate `message` event. The same primitive works through `id` for any string id value. ### Impact If untrusted input is passed into the `event` or `id` field of a message, an attacker can: - Spoof events of arbitrary type (rerouting payloads to handlers the attacker chooses) - Inject additional SSE fields (`data:`, `id:`, `retry:`) into the stream - Split a single `encode()` call into multiple distinct browser events - Override the client's `Last-Event-ID` via injected `id:` lines The vulnerability requires that an application places attacker-controlled data into `event` or `id`. Applications that only put trusted, statically-defined values into these fields are not affected. ### Patches Fixed in `eventsource-encoder@1.0.2`. The `event` and string `id` fields are now validated; any value containing `\r` or `\n` causes the encoder to throw a `TypeError` rather than emit a malformed stream. ### Workarounds If users cannot upgrade, validate or strip line terminators from any untrusted value before passing it to `encode` / `encodeMessage`: ```js function safeSingleLine(value) { if (/[\r\n]/.test(value)) throw new Error('SSE field must be single-line') return value } encode({event: safeSingleLine(topic), id: safeSingleLine(id), data}) ``` ### Resources - Related advisory (different package, same class): https://github.com/advisories/GHSA-4hxc-9384-m385 - SSE spec, line terminators: https://html.spec.whatwg.org/multipage/server-sent-events.html#parsing-an-event-stream ### Credit Discovered while reviewing in light of GHSA-4hxc-9384-m385.
The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.
Linux kernel DMA API debug warnings in V3D rendering driver cause denial of service when CONFIG_DMA_API_DEBUG is enabled and V3D segment sizes exceed the default 64K maximum. The vulnerability affects systems using V3D graphics rendering (particularly Raspberry Pi 5) with debug DMA API enabled, allowing local authenticated users to trigger kernel warnings and potential system instability by creating V3D buffer objects larger than the device's claimed DMA segment size limit.
Memory leak in the Linux kernel xHCI USB host controller driver's xhci_disable_slot() function causes kernel memory exhaustion under error conditions, leading to denial of service. Affected kernels span multiple stable branches from the introduction commit through versions before 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0. A local low-privileged user who can trigger USB xHCI slot disable error paths - requiring specific hardware fault conditions - could accumulate kernel memory leaks over time, ultimately causing system instability. No public exploit identified at time of analysis; EPSS is 0.03% (9th percentile), reflecting negligible real-world exploitation likelihood.
NULL pointer dereference in the Linux kernel's ALSA USB-audio Scarlett2 mixer quirk allows a local low-privileged user to crash the kernel (denial of service) by presenting a malformed USB descriptor with zero endpoints. Affected systems running unpatched kernels from the initial commit onward through stable branches 6.1.x, 6.6.x, 6.12.x, 6.18.x, and 6.19.x are exposed whenever the USB-audio driver enumerates a crafted or emulated Scarlett2-type device. No active exploitation is confirmed (not in CISA KEV) and no public exploit identified at time of analysis; the EPSS score of 0.03% (8th percentile) confirms very low real-world exploitation probability.
Privilege escalation in Suite Numérique People prior to version 1.25.0 allows authenticated domain administrators to remotely promote any existing user to Owner role via a crafted invitation request, without requiring acceptance from the target user. The vulnerability requires valid Administrator credentials on a mail domain but grants immediate full domain ownership, creating a severe lateral privilege escalation risk within multi-tenant deployments.
Denial-of-service via kernel lock-up in the Linux kernel's Hyper-V storage controller driver (hv_storvsc) affects guests running PREEMPT_RT-enabled kernels on Microsoft Hyper-V. The storvsc_queuecommand function disables preemption and then acquires an RT spinlock inside hv_ringbuffer_write; under PREEMPT_RT semantics, RT spinlocks are sleepable, making this a fatal locking-discipline violation that triggers the 'scheduling while atomic' BUG splat and subsequent system lock-up. No public exploit and no public exploit identified at time of analysis, with EPSS at 0.02% (7th percentile) reflecting the niche configuration dependency.
Local denial-of-service in the Linux kernel's mpi3mr SCSI driver causes a system crash via NULL pointer dereference during resource cleanup. An authenticated local user on a system using MPI3-based storage controllers can trigger a kernel panic by inducing the error path where queue creation fails: the driver frees reply or request queue memory but subsequently attempts to memset the now-freed (NULL) pointer, crashing the system. No public exploit exists and EPSS sits at 0.02% (7th percentile), indicating low real-world exploitation probability at time of analysis.
Improper error-path state management in the Linux kernel's unshare(2) syscall leaves calling processes with dangling filesystem root and working-directory pointers after partial namespace creation failure. When a local low-privileged process calls unshare() with both CLONE_NEWNS and CLONE_NEWCGROUP on an unshared fs_struct (users==1), a successful copy_mnt_ns() updates current->fs->root and current->fs->pwd into the new mount namespace before a subsequent copy_cgroup_ns() failure triggers cleanup - dissolving the mount tree while leaving those pointers referencing now-detached mounts. The calling process is stranded in a broken filesystem state, producing high availability impact (CVSS A:H) confined entirely to the calling process. No public exploit has been identified, EPSS is 0.02% (7th percentile), and this is not in CISA KEV, reflecting low real-world exploitation interest despite the bug existing since unshare(2) was first introduced.
Deadlock in the Linux kernel's mlx5 network driver eswitch subsystem allows a local low-privileged user to cause a complete system hang (denial of service) on hosts equipped with Mellanox/NVIDIA ConnectX NICs operating in SR-IOV eswitch mode. The deadlock arises from a lock-ordering inversion: the eswitch work queue acquires the devlink lock while processing VF change events, and concurrently the eswitch mode-set path holds the devlink lock and calls flush_workqueue, producing a circular wait. No public exploit code exists and no active exploitation has been identified at time of analysis; EPSS probability is 0.02%, reflecting the narrow, hardware-specific attack surface.
Memory leak in the Linux kernel's MCTP I2C driver receive path allows a local authenticated attacker to progressively exhaust kernel slab memory, resulting in denial of service. The flaw exists in all kernel versions from 5.18 (when the MCTP I2C driver was introduced at commit f5b8abf9fc3dacd7529d363e26fe8230935d65f8) through multiple stable branches now addressed by patches in 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0. No public exploit identified at time of analysis; the EPSS score of 0.02% (7th percentile) confirms very low exploitation probability, consistent with the niche deployment context of MCTP I2C interfaces.
Race condition in the Linux kernel MCTP route subsystem allows a local, low-privileged attacker to cause a device reference count leak leading to availability impact. The mctp_flow_prepare_output() function in the MCTP (Management Component Transport Protocol) networking stack fails to hold key->lock around the key->dev check-and-set sequence, enabling two concurrent threads to each acquire a device reference while only the final one is tracked for release - gradually exhausting kernel resources. No public exploit exists and EPSS is 0.02% (7th percentile), indicating very low exploitation probability; patch-confirmed fixes are available across multiple stable kernel branches.
Repeated memory exhaustion in the Linux kernel's netfilter nfnetlink_queue subsystem allows a local low-privileged attacker to trigger a denial of service by leaking kernel memory on every crafted PF_BRIDGE verdict. The defect in nfqnl_recv_verdict() causes the nf_queue_entry, its sk_buff, and all held net_device and struct net reference counts to never be released when nfqa_parse_bridge() returns an error due to malformed VLAN netlink attributes. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (7th percentile) reflects the constrained local attack path and low exploitation probability.
DMA mapping resource leak in Linux kernel e1000 and e1000e Intel Ethernet drivers results in local denial-of-service conditions via memory exhaustion. The flaw originates from an off-by-one error in the TX buffer error-cleanup path (dma_error), introduced by commit c1fa347f20f1 which fixed an infinite loop but simultaneously decremented the unmap counter prematurely - causing exactly one DMA mapping to leak per failed multi-buffer TX operation. No public exploit has been identified and no active exploitation is confirmed (not in CISA KEV); EPSS of 0.02% (7th percentile) reflects extremely low weaponization probability.
Indefinite kernel thread hang in the Linux kernel usbtmc (USB Test and Measurement Class) driver allows a local authenticated user to cause a denial of service by supplying an arbitrarily large timeout value via ioctl. The driver previously passed user-controlled timeout values directly to usb_bulk_msg(), which uses unkillable waits, meaning the kernel thread could never be interrupted or killed once blocked. No public exploit or active exploitation has been identified at time of analysis, and EPSS probability is negligible at 0.02%, but the straightforward local trigger path makes this a meaningful availability risk on systems with USBTMC devices.
Unbounded uninterruptible USB synchronous timeout in the Linux kernel's usbcore subsystem allows a local low-privilege user to permanently hang a kernel task with no signal-based kill path. The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs accept arbitrary timeout values and use TASK_UNINTERRUPTIBLE waits, meaning a task blocked on a misbehaving or absent USB device cannot be terminated by SIGKILL - only physical device removal can unblock it. CVSS 5.5 (AV:L/PR:L/A:H), EPSS at 0.02% (7th percentile), no KEV listing, and no public exploit code at time of analysis collectively indicate low active exploitation risk, though the denial-of-service primitive is straightforward once local access is established.
Denial of service in the Linux kernel mdc800 USB imaging driver allows a local low-privileged user to crash the kernel by triggering a URB double-submission race condition. The mdc800_device_read() function submits a USB Request Block (URB) but fails to cancel it on timeout, leaving it active; a subsequent read() resubmits the same in-flight URB, triggering a kernel WARN in usb_submit_urb() that can destabilize the system. No public exploit exists and no active exploitation has been identified - EPSS is 0.02% (7th percentile), reflecting the hardware-specific, local-access-only nature of this flaw.
NULL pointer dereference in the Linux kernel's USB gadget f_tcm (USB Target Controller Module) driver allows an authenticated local attacker with USB host access to trigger a kernel panic by sending Bulk-Only Transport (BOT) commands during a race window where the ConfigFS-managed nexus pointer is uninitialized or torn down. Affected systems are those acting as USB gadgets - primarily embedded devices and single-board computers - running kernel versions from commit c52661d60f636d17e26ad834457db333bd1df494 onward without the applied fix. No public exploit exists and the vulnerability is absent from CISA KEV; EPSS of 0.02% (7th percentile) confirms negligible observed exploitation activity.
NULL pointer dereference in the Linux kernel's ASoC QCOM QDSP6 subsystem crashes systems built on Qualcomm SA8775P and SC8280XP SoCs during ADSP protection-domain restart cycles. The crash occurs because the q6apm-audio .remove callback prematurely deletes Runtime Descriptions (RTDs) containing q6apm DAI components during ASoC teardown, leaving those components still linked to the sound card and triggering a kernel oops on the subsequent rebind. Impact is limited to availability (kernel panic/denial of service); no public exploit has been identified at time of analysis, and EPSS at 0.02% reflects very low widespread exploitation probability.
Divide-by-zero in the Linux kernel's TIPC (Transparent Inter-Process Communication) subsystem allows a local low-privileged user to trigger a kernel oops/panic via a crafted setsockopt call. An attacker with local access sets conn_timeout to a value in the range [0, 3] on a TIPC socket, then initiates a connection that receives TIPC_ERR_OVERLOAD, causing integer division by zero in tipc_sk_filter_connect() and crashing the kernel. No public exploit has been identified at time of analysis and EPSS is 0.02%, but the low-complexity, low-privilege local trigger makes this a practical local denial-of-service in shared or container environments.
Out-of-bounds read in the Linux kernel's staging rtl8723bs WiFi driver allows a local low-privileged attacker to crash the system via improper length validation in the rtw_get_ie_ex() information element parser. The flaw mirrors a previously patched issue in the sibling rtw_get_ie() parser (commit 154828bf9559) - the fix was not consistently applied to rtw_get_ie_ex(). With a CVSS score of 5.5, local access requirement, and EPSS of 0.02% (7th percentile), this is a low-urgency availability issue with no public exploit and no KEV listing. Patches have been released across all major active stable kernel branches.
Deadlock in the Linux kernel's batman-adv ELP metric worker allows a local low-privileged user to trigger a kernel hang and cause a denial of service. The flaw exists in batadv_v_elp_get_throughput() where a previous fix using rtnl_trylock() for the ethtool path failed to cover the cfg80211 interface path, which still called batadv_get_real_netdev() - itself internally invoking rtnl_lock(). When batadv_v_elp_iface_disable() cancels the work queue via cancel_delayed_work_sync() while the RTNL lock is already held, this double-lock acquisition produces a deadlock. No public exploit identified at time of analysis, and EPSS of 0.02% confirms very low real-world exploitation probability.
Kernel crash (local denial of service) in the Linux nouveau NVIDIA GPU driver allows a local authenticated user to trigger a kernel WARNING and system instability by accessing the DisplayPort AUX channel (/dev/drm_dp_*) while the GPU is in runtime-suspended state. The driver fails to check device power state before invoking the GSP (GPU System Processor) firmware communication path, causing an unhandled condition in r535_gsp_msgq_wait. No public exploit exists and the EPSS score is 0.02% (7th percentile), but the vulnerability is notable in environments where fwupd or similar firmware tools interact with DP AUX interfaces on systems using the nouveau driver with runtime power management enabled.
Memory leak and denial-of-service in the Linux kernel macb network driver (used in AMD ZynqMP platforms) allows local authenticated users to cause prolonged network disruption and system resource exhaustion. The flaw manifests during suspend/resume cycles when the transmit ring pointer resets incorrectly, silently dropping queued packets without releasing their memory, and causing the driver to become stuck waiting for already-transmitted packets. Real-world impact observed in NFS rootfs recovery delays. EPSS score of 0.02% (7th percentile) indicates low exploitation likelihood. Vendor patches available across multiple stable kernel branches (6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.9).
System hangs on Linux kernel resume from s2ram when firmware re-enables x2apic mode that kernel disabled during boot. Affects x86 systems with APIC hardware where kernel disabled x2apic (due to missing IRQ remapping support or other reasons) but ACPI-compliant firmware restores x2apic to initial boot state per spec. Kernel continues using xapic interface while hardware operates in x2apic mode, causing denial of service through system freezes. CVSS 5.5 (local low-complexity authenticated attack, high availability impact). EPSS 0.02% (7th percentile) indicates low observed exploitation probability. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0 mainline). No KEV listing or public exploit identified at time of analysis.
Filesystem denial-of-service in the Linux kernel's btrfs subsystem allows a local low-privileged user to force a mounted btrfs filesystem into read-only mode by repeatedly snapshotting a received subvolume until the BTRFS_UUID_KEY_RECEIVED_SUBVOL B-tree leaf overflows its maximum item size, triggering a transaction abort in create_pending_snapshot(). Critically, the operations involved - snapshot, send, receive, and set_received_subvol - require only inode_owner_or_capable() rather than CAP_SYS_ADMIN, meaning unprivileged users owning subvolumes can mount this attack. No public exploit identified at time of analysis beyond the detailed reproducer script embedded in the advisory itself; EPSS at 0.02% (7th percentile) reflects low widespread automated exploitation probability, though multi-tenant environments face elevated practical risk.
Btrfs filesystem transaction abort in the Linux kernel allows a local low-privileged user to force any btrfs-mounted volume into read-only mode by deliberately creating files whose names produce identical crc32c hash values. When enough hash-colliding filenames are created in a single directory, the dir item leaf node fills beyond its size limit, triggering a kernel transaction abort that renders the entire btrfs volume inaccessible for all users. A detailed reproducer script including a curated list of crc32c-colliding filenames is embedded directly in the CVE description, making exploitation trivially repeatable; however, the EPSS score of 0.02% (7th percentile) and absence from CISA KEV indicate no confirmed widespread exploitation at time of analysis.
Denial of service via transaction abort in Linux kernel btrfs subsystem when a non-privileged subvolume owner repeatedly calls the set received ioctl with identical UUID values, causing filesystem to transition to read-only mode. The vulnerability exploits insufficient pre-flight validation that allows metadata updates to commence before detecting item overflow conditions, requiring only local access and subvolume ownership rather than root privileges. EPSS score of 0.02% indicates low exploitation probability despite CVSS 5.5 severity, suggesting practical exploitation barriers despite low privilege requirements.
Local denial of service in Linux kernel's MPU3050 gyroscope driver allows authenticated users with low privileges to crash the system by triggering power management failures. The mpu3050-core driver fails to validate pm_runtime_get_sync() return values, enabling hardware access when device resume fails and causing improper reference counting that leads to kernel instability. EPSS score of 0.02% indicates minimal active exploitation likelihood, and patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).
Local attackers with low-level privileges can trigger a denial of service in Linux kernel versions 4.7 through 7.0 by exploiting a power management reference leak in the bh1780 ambient light sensor driver. The vulnerability causes system resource exhaustion through improper PM runtime reference counting in the IIO subsystem's error handling path. Vendor patches are available across multiple stable kernel branches (5.10.253, 6.1.167, 6.6.130, 6.18.19, 6.19.9, 7.0), with EPSS probability of 0.02% indicating low observed exploitation likelihood and no active exploitation confirmed.
Unbalanced reference counting in the Linux kernel USB gadget CDC Subset Ethernet driver (f_subset) causes a resource leak that denies availability of USB gadget reconfiguration. A local authenticated user can trigger the condition by allocating and freeing the geth USB gadget function, leaving the reference count permanently elevated due to a missing decrement in geth_free(). The practical impact is a denial-of-service against the configfs interface for USB gadget management - subsequent attempts to unlink and re-configure the USB function fail silently. No public exploit is identified and EPSS exploitation probability is negligible at 0.02% (7th percentile).
Local denial of service in Linux kernel COMEDI subsystem allows authenticated users to trigger inconsistent lock states when reattaching low-level drivers to legacy COMEDI devices. Exploitation probability is low (EPSS 2%, percentile 7%) with no public exploit identified at time of analysis. Vendor-released patches available across all stable kernel branches from 5.10.253 through 7.0. Affects systems configured with non-zero comedi_num_legacy_minors parameter and requires local authenticated access to COMEDI device nodes.
Kernel NULL pointer dereference in Linux kernel's BPF verifier allows local authenticated users to trigger a denial of service. The vulnerability stems from improper handling of nullable PTR_TO_BUF pointers in check_mem_access(), where map iterator callbacks can dereference NULL ctx->key or ctx->value pointers without validation, causing a kernel crash. Affects Linux kernel versions 5.17 through 7.0-rc4, with patches available across stable branches (5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates very low probability of exploitation in the wild, and no evidence of public exploit code or active exploitation exists. Local access with low privileges required makes this a targeted risk rather than widespread threat.
Race condition in Linux kernel's dummy-hcd USB gadget driver causes kernel crash and denial of service when USB reset occurs simultaneously with driver unbind. Syzbot testing triggered NULL pointer dereference in usb_gadget_udc_reset() due to improper spinlock handling in stop_activity() that allowed dum->driver to be cleared prematurely. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) suggests very low observed exploitation probability. Not listed in CISA KEV, indicating no confirmed active exploitation.
An out-of-bounds shift operation in the Linux kernel's solo6x10 media driver causes a local denial of service. Affects Linux kernel versions from the initial commit through 7.0-rc3, with patches available in stable versions 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. The flaw, triggered by improper chip_id bounds checking, causes Clang's undefined behavior sanitizer to instrument code that can lead to system instability when exploited by low-privileged local users. EPSS exploitation probability is 0.02% (7th percentile), indicating minimal widespread threat. Vendor-released patches address the issue by adding explicit bounds validation and using unsigned shift operations.
Local users with low privileges can trigger a denial of service in Linux kernel KVM (Kernel-based Virtual Machine) by manipulating nested virtualization state on AMD SVM systems. The vulnerability allows unprivileged users to cause a kernel warning and potential system instability by modifying CPUID after loading CR3 register state in nested SVM configurations. With CVSS 5.5 (AV:L/AC:L/PR:L) and low EPSS (0.02%), this represents a localized availability risk rather than a critical remote threat. Vendor patches are available across multiple kernel versions (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0).
Local attackers with low privileges can cause indefinite system hangs in Linux kernel device-mapper (dm) subsystem by injecting io-timeout-fail errors, triggering CWE-772 resource leaks where I/O requests are never completed. Affects longstanding kernel code from 5.10.x through mainline 6.19.x; vendor-patched versions available (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates low real-world exploitation probability. No active exploitation confirmed (not in CISA KEV), no public POC identified at time of analysis.
NULL pointer dereference in Linux kernel ACPI processor module allows local authenticated attackers to crash the system. The flaw occurs in acpi_processor_errata_piix4() when device lookup logic overwrites a valid pointer with NULL, triggering a crash when accessed by dev_dbg(). Vendor-released patches are available across multiple stable kernel branches (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS exploitation probability is very low (0.02%, 7th percentile), and no public exploit or active exploitation has been identified. The vulnerability requires local access with low privileges (CVSS AV:L/PR:L), making it a lower priority than network-exposed flaws despite the high availability impact.
A use-after-free in the OmniVision OV5647 camera sensor driver (media: i2c: ov5647) can trigger a kernel crash. The ov5647_init_controls() function dereferences an uninitialized subdev pointer via v4l2_get_subdevdata() when error conditions occur during probe. This affects Linux kernel versions from 5.12 through multiple stable branches including 5.15.x, 6.1.x, 6.6.x, 6.12.x, 6.18.x, and 6.19.x prior to patches. Vendor patches available across all affected stable trees. EPSS exploitation probability is very low (0.02%, 7th percentile) with no public exploit identified at time of analysis.