Authorization bypass in Himmelblau (the open-source Entra ID/Intune interoperability suite) versions 2.0.0 through 3.1.4 and the 2.3.x branch before 2.3.11 lets any authenticated user in the same Entra ID domain obtain a local Unix login session as a different user by presenting only their own valid credentials. The flaw lives in the token_validate function of the Device Authorization Grant flow, which matched only the domain portion of the User Principal Name and ignored the username (local part), so a low-privileged domain member can impersonate higher-value accounts on the host. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the issue is a confirmed identity-spoofing defect fixed by the vendor.
Stored cross-site scripting in Kirby CMS (versions before 4.9.1 and 5.4.1) lets a low-privileged, authenticated Panel user inject dangerous-scheme links (javascript:, vbscript:, data:, livescript:, mocha:, jar:) through the (link:) and (image: link:) KirbyTags, the image block link field, or the blocks HTML importer. When a visitor or admin clicks the injected link on the site frontend, script runs in the site origin — typically the same origin as the Panel — enabling session hijack and escalation to admin. No public exploit is identified at time of analysis and EPSS is very low (0.06%), but exploitation is straightforward on any affected site that accepts content from partially-trusted authors.
Code execution is possible on MB connect line industrial remote-maintenance routers - mbNET/mbNET.rokey, mbNET.mini, and the REX100/REX200/250 families - when a local attacker supplies a specially crafted configuration file on a USB stick that triggers a type-confusion flaw in the device's cfgparser, yielding total loss of confidentiality, integrity, and availability (CVSS 8.4). The flaw requires local/physical access to the device rather than network reach. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.02%, 7th percentile), consistent with the SSVC assessment of no observed exploitation.
Authentication bypass in IBM Operations Analytics - Log Analysis and IBM SmartCloud Analytics - Log Analysis (Operations Analytics versions 1.3.2.0 through 1.3.8.4) stems from hardcoded default credentials baked in during the manufacturing/installation process. An attacker who can reach the installation can authenticate with these known-default passwords, gaining full control with high confidentiality, integrity, and availability impact. The CVSS 3.1 vector scores this as a local-vector issue (AV:L) rather than remote, no public exploit has been identified, and SSVC reports exploitation status of 'none'.
Authorization bypass in Symfony 7.4.x (before 7.4.12) and 8.0.x (before 8.0.12) lets remote attackers reach controllers protected by #[IsGranted], #[IsSignatureValid], or #[IsCsrfTokenValid] attributes configured with methods: ['GET'] by sending an HTTP HEAD request, which the router dispatches to the GET handler while the security check is silently skipped. Affected controllers still execute - leaking response headers (Content-Length, Location, custom headers) and performing side effects such as database writes - despite the missing authorization, signature, or CSRF validation. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.05%), but the flaw is a genuine access-control gap fixed in 7.4.12 and 8.0.12.
Broken access control in Yamcs yamcs-core allows any authenticated user to enumerate all user accounts, superuser status, and group memberships via the IAM API. The four endpoints - listUsers, getUser, listGroups, and getGroup - in IamApi.java (lines 125, 180, 357, 372) fail to call ctx.checkSystemPrivilege(SystemPrivilege.ControlAccess), a guard that is correctly applied to write operations like createUser. Affected versions are all releases prior to 5.12.7; a proof-of-concept using a single bearer-token HTTP GET is publicly documented in the GitHub Security Advisory GHSA-p2rj-mrmc-9w29, and no active exploitation (CISA KEV) has been identified at time of analysis.
NULL pointer dereference in GPAC MP4Box crashes the application when parsing specially crafted truncated MP4 files, resulting in a denial-of-service condition. The vulnerability triggers in the gf_media_map_esd function (media_tools/isom_tools.c, line ~1364) when an invalid or unknown stsd (Sample Table Sample Description) entry leaves codec, mime, or profile descriptor fields uninitialized - the function then calls strlen() on a NULL pointer, producing a segmentation fault (SEGV). A publicly available exploit code exists demonstrating the crash, though EPSS at 0.02% (6th percentile) signals negligible widespread exploitation probability and the vulnerability is not listed in CISA KEV.
Denial of service in the Symfony Yaml component (symfony/yaml and the symfony/symfony monolith) lets remote attackers crash PHP worker processes by submitting a YAML document with deeply nested mappings or sequences. Because neither the block-level parser (Parser::parseBlock()) nor the inline parser (Inline::parseSequence()/parseMapping()) enforced a recursion depth limit, a compact crafted payload exhausts the PHP call stack, killing the process. EPSS is low (0.09%, 26th percentile) and there is no public exploit identified at time of analysis, but the bug is trivially triggerable wherever untrusted YAML is parsed.
Denial of service in CrowdSec's Local API (LAPI) HTTP router, versions 1.7.0 through 1.7.7, lets attackers exhaust process memory by posting small gzip-compressed bodies that decompress into hundreds of megabytes of valid JSON. The global gin-contrib/gzip DefaultDecompressHandle middleware decompressed request bodies with no size cap, and because /v1/watchers and /v1/watchers/login require no authentication, concurrent requests drive the OS OOM-killer to terminate LAPI. No public exploit identified at time of analysis; EPSS is low (0.07%). Impact is bounded in default deployments since LAPI listens only on loopback, but multi-server setups that expose LAPI to the network are at real risk.
Authentication bypass in the KiviCare Clinic & Patient Management WordPress plugin (versions through 4.3.0) lets remote unauthenticated attackers abuse the password-recovery flow as an alternate channel to take over user accounts. Because the recovery process can be exploited to gain access without valid credentials, an attacker can compromise clinic accounts and read sensitive data. No public exploit identified at time of analysis, and the EPSS score is very low (0.04%, 13th percentile), indicating no observed mass-exploitation pressure yet.
Root command injection in pam_usb prior to 0.8.7 lets a local high-privileged user - or an attacker who can present a removable device with an attacker-chosen filesystem UUID - embed shell metacharacters (e.g. $(id>/tmp/rce)) that execute as root when an administrator runs pamusb-conf --reset-pads. A second injection path passes the userName value from the XML configuration directly to os.system() in pamusb-agent. No public exploit identified at time of analysis; the issue is fixed in 0.8.7.
Out-of-bounds read in the Linux kernel's IPv4 ICMP handling allows remote attackers to trigger denial of service and potential information disclosure by sending crafted ICMP Extended Echo Reply packets. The flaw stems from the kernel consulting the icmp_pointers[] array with reply types (ICMP_EXT_ECHOREPLY) that fall outside its bounded range (NR_ICMP_TYPES). No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but the network attack vector and high availability impact make patching a priority for exposed Linux hosts.
Out-of-bounds read in the Linux kernel SLIP driver's VJ-compressed TCP header decoder (slhc_uncompress) allows a crafted short compressed frame to leak adjacent memory contents into the cached cstate and into subsequently reconstructed packets. The flaw affects systems using SLIP with Van Jacobson TCP/IP header compression; no public exploit has been identified at time of analysis and EPSS rates exploitation probability at 0.02%. The bug stems from missing bounds checks in decode() and pull16(), where the existing -1 error checks were dead code due to a 0xffff mask.
Identity confusion in GitLab EE's Duo AI workflow runners lets an authenticated, low-privileged user cause specific Duo AI workflows to execute under another user's identity, crossing the trust boundary between accounts (CVSS scope: changed). The flaw stems from improper user identity resolution and affects GitLab Enterprise Edition 18.8 through 18.10.6, 18.11 through 18.11.3, and 19.0, with High confidentiality and integrity impact but no availability impact. No public exploit has been identified, CISA's SSVC marks exploitation as 'none,' and the High attack complexity (AC:H) combined with the 'under certain conditions' caveat indicates exploitation is non-trivial rather than push-button.
Authentication bypass in the Login with NEAR WordPress plugin (all versions through 0.3.3) lets unauthenticated attackers log in as any existing user - including administrators - whose email matches the deterministic <account>@near.org pattern. The flaw stems from the unauthenticated ajaxLoginWithNear() handler issuing a valid WordPress auth cookie based only on a substring check for '.near', with no signature, challenge-response, or nonce verification. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.10%), but the technical impact is total per CISA SSVC.
Path traversal write in Microsoft UFO (build 3.0.1-4-ge2626659) lets an authenticated client smuggle directory-traversal sequences (e.g. ../) inside the user-controlled task_name value, which UFO concatenates directly into session log paths, causing it to create directories and write log files anywhere the process can reach outside the intended logs/ directory. The CVSS 8.1 (CWE-22) rating reflects high integrity and availability impact with no confidentiality loss, consistent with arbitrary file/directory creation rather than data theft. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the only available source is the vendor GitHub Security Advisory GHSA-whcg-fgpx-76f2.
Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authentication step over XDMCP when an administrator has set deny_remote=false - a common tweak for display managers like gdm-password or lightdm. Because the PAM_RHOST remote-client check is gated inside the same deny_remote conditional, disabling deny_remote inadvertently disables the safeguard that rejects remote connections, so a genuine remote XDMCP session is treated like a local one. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the high CVSS (8.1) reflects full compromise of confidentiality, integrity, and availability if the attacker satisfies the configuration prerequisites.
Authentication bypass in Synology DiskStation Manager (DSM) SSO lets remote, unauthenticated attackers who already know a valid account's distinguished name (DN) impersonate that identity and gain access to the NAS, with high confidentiality, integrity, and availability impact (CVSS 8.1). The flaw stems from an improper check of an exceptional condition (CWE-754) in the single sign-on flow. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.05%, 17th percentile), consistent with the high attack complexity Synology assigned.
Stored cross-site scripting in Budibase before 3.39.0 lets any low-privileged BASIC app user with WRITE access to a table inject persistent JavaScript that executes in the browser of anyone who later views the data. The flaw lives in the Text component's Markdown rendering, where untrusted column values are converted to HTML and written directly to the DOM without sanitization. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the issue is fixed in 3.39.0.
Use-after-free in the Linux kernel's IPv6 SR (seg6) and RPL lightweight tunnel input paths can be triggered on PREEMPT_RT builds when a higher-priority task races ksoftirqd during a concurrent FIB lookup on a shared nexthop. The flaw causes dst_cache_set_ip6() to call dst_hold() on a freed per-CPU route, producing a kernel warning or memory corruption that an attacker on the network could leverage for denial of service or potential code execution. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis.
Memory exhaustion handling flaw in the Linux kernel's rxrpc/rxgk subsystem allows network-adjacent attackers to potentially trigger unsafe code paths when rxgk_decrypt_skb() returns -ENOMEM during RxGSS-Kerberos token extraction. Affected kernels include the 6.17 series and specific commits in 6.16.9 onward, fixed in upstream commits and stable backports targeting 6.18.27 and 7.1-rc1. No public exploit identified at time of analysis, and EPSS is very low (0.02%) despite the 8.1 CVSS score.
Disclosure of builder-configured REST Authorization secrets in Budibase before 3.39.0 allows a low-privileged 'Basic' app user to exfiltrate stored credentials to an attacker-controlled server. Because the single-datasource GET/PUT routes enforce only a generic TABLE READ permission (which the Basic role inherits via the WRITE set) instead of a Builder/Admin or ownership check, an authenticated user can repoint a REST datasource's base URL and trigger a saved query that leaks the resolved auth headers. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is rated CVSS 8.1 (high).
{path}` endpoint. The WebDAV controller never attaches an authentication plugin, and `Tree::move()` deletes the source asset before resolving the current user or checking any per-asset permission, so even an unauthenticated request that errors out later still destroys the source file. A working proof-of-concept request is published in the GitHub Security Advisory (GHSA-wc7j-g8wx-m2qx); there is no CISA KEV listing and no EPSS score in the provided data, so this is not confirmed as actively exploited.
Arbitrary file write in Mattermost Plugins (versions ≤1.1.5) lets an administrator of a remote, federated Mattermost server plant files at attacker-chosen paths inside the target server's filestore by supplying a malicious, unsanitized filename through the shared-channel attachment sync protocol. The flaw stems from CWE-22 path traversal in the export-path construction logic and carries CVSS 8.0 with a changed scope, reflecting that a compromised or hostile federation peer can affect resources beyond the plugin's intended boundary. There is no public exploit identified at time of analysis, and CISA's SSVC framework records exploitation status as 'none' but technical impact as 'total'.
PHP object injection in Pimcore (packages pimcore/pimcore and admin-ui-classic-bundle) up to and including version 12.3.6 arises from six code paths calling unserialize() without the allowed_classes restriction on values read from database columns and filesystem files. An attacker who can already write to one of those sources - for example through SQL injection into the tmp_store, sites, or custom_layouts tables, or a file write to the WebDAV delete log - can plant a serialized PHP gadget chain that executes arbitrary code with web-server privileges once the data is deserialized. No public exploit identified at time of analysis (the vendor advisory documents only a conceptual PoC procedure), the CVE is not in CISA KEV, and EPSS is not provided; the issue is fixed in 12.3.7 and rated CVSS 8.0, with the High attack-complexity reflecting its dependence on a separate write primitive and a working gadget chain.
Symlink-based authentication bypass and file corruption in pam_usb before 0.8.7 lets a local, low-privileged user defeat USB hardware authentication and overwrite root-owned files. By planting symlinks in the pad directory or on individual pad files, an attacker abuses CWE-59 link-following during the one-time-pad rotation that pam_usb performs on login, redirecting privileged file operations. No public exploit code has been identified at time of analysis, the issue is not listed in CISA KEV, and no EPSS score is available; exploitation requires local access plus a triggering authentication event.
Privilege escalation and denial of service in the Linux kernel's nested SVM (nSVM) virtualization subsystem allows an L2 guest to issue VMMCALL hypercalls as if it were L1 when nested_svm_l2_tlb_flush_enabled() is true, L1 does not intercept VMMCALL, and the hypercall is not a supported Hyper-V call. The fix forces KVM to synthesize a #UD exception in this scenario, matching architectural behavior; no public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%).
Local privilege escalation via command injection in Raynet rvia (RayVentory) 12.6.4392.49-amd64.deb allows authenticated local users to achieve arbitrary code execution by exploiting an improperly terminated find query the application uses to locate the Java runtime. The flaw is reachable through the getconfig command, the upload URL argument, and the oracle -o flag, and publicly available exploit code exists on GitHub although no active exploitation has been observed.
Arbitrary OS command execution in Microsoft's UFO intelligent-automation framework (tagged releases up to and including v3.0.0) lets a local, low-privileged attacker who can write or modify a per-session action JSON record plant a malicious shell action that is executed via PowerShell when the session is resumed or replayed. The injected command runs with the privileges of the UFO process user, yielding full confidentiality, integrity, and availability impact (CVSS 7.8, CWE-78). There is no public exploit identified at time of analysis, and no EPSS or CISA KEV data was supplied to gauge exploitation likelihood.
Local arbitrary code execution in Raynet rvia 12.6 Update 8 and earlier lets a low-privileged local user inject operating-system commands through the application's Java search feature, which assembles a `find` command from an attacker-controlled path without properly terminating the search criteria (CWE-77 OS command injection). A working proof-of-concept exploit script is publicly available on GitHub (Wise-Security/CVE-2026-38945), and CISA's SSVC framework rates the technical impact as total, though it marks the issue as not automatable and requiring local access. No EPSS score and no CISA KEV listing were supplied, so there is no public exploit identified as actively exploited at time of analysis.
Heap buffer overflow read in the Linux kernel's NTFS3 filesystem driver allows local attackers to trigger out-of-bounds memory access by mounting or processing a maliciously crafted NTFS volume. The flaw resides in the DeleteIndexEntryRoot path of the do_action function, where an attacker-controlled entry size ('esize') bypasses bounds checks and causes memmove to operate on an unsigned-converted negative offset. EPSS scores exploitation probability at 0.03% (9th percentile) and no public exploit has been identified at time of analysis.
Local privilege escalation potential in the Linux kernel's GFS2 filesystem stems from a use-after-free in the inline data write path of gfs2_iomap_begin(), where the inode buffer head is released before iomap->inline_data is consumed by iomap_write_end_inline(). Local users with the ability to write to a GFS2-backed filesystem can trigger memory corruption via a freed page that kswapd has since reclaimed. No public exploit identified at time of analysis, EPSS probability is very low (0.02%), and the issue is not listed in CISA KEV, but vendor patches across multiple stable trees are available.
Use-after-free in the Linux kernel bonding driver's Adaptive Load Balancing (ALB) subsystem allows a local low-privileged user to crash the kernel by racing rlb_arp_recv() against rlb_deinitialize() during rapid bond interface up/down cycling. Specifically, the RX handler continues to dereference rx_hashtbl entries after rlb_deinitialize() frees them, because recv_probe is set to NULL without first draining in-flight softirq handlers via synchronize_net(). Systems running bonded NICs in ALB mode (mode=6) on affected kernel versions - including Dell PowerEdge hardware and Canonical-distributed kernels - are at risk of kernel panic. No public exploit identified at time of analysis, and EPSS at 0.02% (7th percentile) confirms no observed mass exploitation.
Local privilege escalation and memory corruption in the Linux kernel's Exynos DRM VIDI (Virtual Display) driver allows local users with access to the DRM device to trigger null pointer dereferences, garbage value accesses, out-of-bounds reads, or use-after-free conditions via the vidi_connection_ioctl() handler. The flaw stems from an incorrect device-to-context lookup that retrieves driver_data from the exynos-drm master device instead of the VIDI component device. A vendor patch is available across multiple stable branches, no public exploit identified at time of analysis, and EPSS rates exploitation probability at only 0.02%.
Use-after-free in the Linux kernel's ab8500 power supply driver (drivers/power/supply/ab8500) can be triggered during device removal or probe due to incorrect ordering of devm_-managed resource allocation. The race allows an IRQ handler to invoke power_supply_changed() against a freed or uninitialized power_supply handle, typically resulting in a kernel crash or silent memory corruption. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the flaw is not on CISA KEV.
Use-after-free in the Linux kernel's goldfish power-supply driver (drivers/power/supply/goldfish_battery) allows a local attacker to crash the system or corrupt kernel memory by racing device probe/removal against the battery IRQ handler. The driver requested its IRQ via devm_ before registering the power_supply handle, so on teardown the handle is freed while the still-live interrupt can fire and call power_supply_changed() on freed (or, during probe, uninitialized) memory. No public exploit identified at time of analysis; EPSS is negligible (0.02%) and the bug is not in CISA KEV.
Local denial-of-condition in the Linux kernel ext4 filesystem driver allows an internal counter (s_dirtyclusters_counter) to be double-decremented to -1 along the block-allocation error path that triggers during filesystem shutdown, surfacing as a WARNING in ext4_put_super(). The flaw lives between ext4_mb_mark_diskspace_used() and ext4_mb_new_blocks(), where a metadata-write failure causes the dirty-clusters reservation to be released twice. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%, 7th percentile); despite the CWE-415 (double free) classification and a 7.8 CVSS, the observed effect is cluster-accounting corruption rather than demonstrated memory corruption.
Local privilege-relevant memory corruption in the Linux kernel's sbs-battery power supply driver (drivers/power/supply/sbs-battery) stems from a use-after-free in power_supply_changed(). Because the driver requested its IRQ via devm_ before allocating/registering the power_supply handle, devm teardown frees the handle in reverse order while the interrupt is still live, so an SMBus battery interrupt firing during device removal (or before registration during probe) invokes power_supply_changed() on a freed or uninitialized pointer, typically crashing the system or silently corrupting memory. EPSS is negligible (0.02%, 7th percentile), no public exploit is identified, and it is not on CISA KEV; the fix is upstream-committed and shipped in multiple stable releases.
Local memory corruption affects the Linux kernel's hwmon ibmpex driver, where commit 6946c726c3f4 - intended to fix a use-after-free in the high/low sysfs store handlers - instead introduced a new race condition by setting driver data to NULL before removing sensor attributes. The remediation is a revert of that flawed commit across the 6.1, 6.6, 6.12, 6.18, and 6.19 stable trees. With EPSS at 0.02% (7th percentile), no public exploit identified at time of analysis, and no CISA KEV listing, real-world risk is minimal given the obscure IBM PowerExecutive sensor hardware the driver targets.
Local privilege-level use-after-free in the Linux kernel's bq256xx battery charger driver (power: supply: bq256xx) allows memory corruption when a charger IRQ fires during device probe or removal, calling power_supply_changed() against a freed or uninitialized power_supply handle. The flaw stems from devm_ resources being released in reverse order, so the IRQ outlives the power_supply registration; triggering it typically crashes the system or silently corrupts kernel memory. No public exploit is identified at time of analysis and EPSS exploitation probability is negligible (0.02%, 7th percentile), with no CISA KEV listing.
Local privilege-holder denial of service (and potential kernel memory corruption) in the Linux kernel's HiSilicon hns3 network driver allows a user with CAP_NET_ADMIN to trigger a double-free of the tx_spare backup buffer. The flaw lives in hns3_set_ringparam(), where a temporary ring copy is made for rollback but the original ring's tx_spare pointer is left dangling; if a subsequent allocation in hns3_init_all_ring() fails, the error path frees the stale pointer twice (CWE-415). EPSS is negligible (0.02%, 7th percentile) and there is no public exploit identified at time of analysis, but a vendor-released patch is available across multiple stable trees.
Local privilege-impacting memory corruption in the Linux kernel's cpcap-battery power supply driver allows a use-after-free in power_supply_changed() triggered during device probe or removal. The driver requested its IRQ via devm_ before registering the power_supply handle, so on teardown the handle is freed while the interrupt handler can still fire, dereferencing freed memory and typically crashing the system or silently corrupting memory. EPSS is negligible (0.02%, 7th percentile) and there is no public exploit identified at time of analysis; the issue is confined to Motorola CPCAP PMIC hardware (e.g. Droid 4) rather than general-purpose servers.
Local privilege-level use-after-free in the Linux kernel's bq25980 battery charger power-supply driver (drivers/power/supply/bq25980.c) allows a triggered IRQ to call power_supply_changed() on a freed or uninitialized power_supply handle, typically crashing the system or corrupting memory. The flaw stems from devm-managed IRQ registration ordering relative to power_supply registration, creating a race during driver probe and removal. EPSS is negligible (0.02%, 7th percentile), there is no public exploit identified at time of analysis, and it is not on CISA KEV; the fix is committed upstream and shipped in multiple stable kernels.
Local privilege escalation potential via a use-after-free in the Linux kernel's act8945a power supply driver, where the ACT8945A PMIC IRQ is requested before the power_supply handle is registered (and torn down after it during removal), letting an interrupt invoke power_supply_changed() on a freed or uninitialized handle. Affected systems run vulnerable Linux kernel builds (pre-6.6.128, pre-6.12.75, pre-6.1.165, pre-5.15.202, pre-5.10.252, and others) with the act8945a driver bound to real Atmel/Microchip SAMA5-class hardware. There is no public exploit identified at time of analysis; EPSS is very low (0.02%, 7th percentile) and the flaw is not in CISA KEV.
Local privilege-bounded use-after-free in the Linux kernel's CAIF serial line discipline (caif_serial / CONFIG_CAIF_TTY) lets a local attacker corrupt kernel memory by racing ldisc_close() against packet transmission. ldisc_close() drops the tty reference via tty_kref_put() while the CAIF network device is still live, so a concurrent caif_xmit()/handle_tx() can dereference the freed tty (ser->tty) and call tty->ops->write() on dangling memory, confirmed by a KASAN slab-use-after-free report. A reproducer is published, but no public weaponized exploit and no active exploitation are recorded; EPSS is 0.02% (7th percentile), consistent with a niche driver and a tight race window.
Race condition in the Linux kernel's Intel VT-d IOMMU driver allows non-coherent IOMMU hardware to read uninitialized memory from a freshly allocated PASID table because the PASID directory entry is published before the CPU cache flush completes. With CVSS 7.8 (AV:L/AC:H/PR:L) and EPSS at 0.02% (7th percentile), no public exploit identified at time of analysis, and the issue requires local privileges plus precise timing against non-coherent IOMMU hardware. The fix is included across multiple stable kernel branches.
Local privilege escalation and kernel memory corruption in the Linux kernel's RDMA Soft RoCE (rxe) driver stems from a double-free in rxe_srq_from_init() when copy_to_user() fails after the queue pointer has already been assigned to srq->rq.queue. A local user with permission to create Shared Receive Queues over RDMA can trigger the error path to cause the same memory to be freed twice via rxe_srq_cleanup(), enabling kernel heap corruption with potential for privilege escalation. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 7th percentile).
Local privilege escalation in pam_usb prior to 0.8.7 lets a low-privileged user gain the elevated privileges of the pam_usb tool chain by abusing the pamusb-pinentry helper. The helper trusts the PINENTRY_FALLBACK_APP environment variable and executes its value directly, so any process able to set that variable before pamusb-pinentry runs can have an arbitrary binary executed. There is no public exploit identified at time of analysis, and the issue is fixed in version 0.8.7; the GitHub Security Advisory (GHSA-jxrj-q67x-wr4c) is the sole reference.
Local privilege escalation potential via use-after-free in the Linux kernel's ALSA aloop (snd-aloop) driver allows authenticated local users to trigger memory corruption by racing PCM stream close against a peer format-change stop. The flaw stems from snd_pcm_stop() running after cable->lock is dropped, leaving a stale peer substream pointer that can be freed by a concurrent close. Upstream fixes are merged into stable trees (6.12.88, 6.18.27, 7.0.4, 7.1-rc2); no public exploit identified at time of analysis and EPSS is very low at 0.02%.
Use-after-free in the Linux kernel's RDMA mana_ib driver (Microsoft Azure Network Adapter) lets a local user trigger stale firmware RX steering after destroying an RSS QP, so incoming completions land on reused CQ IDs and corrupt kernel state. It affects Linux deployments on Azure VMs using MANA with RDMA/DPDK; an attacker who can create and destroy RSS QPs (e.g., via a DPDK application exit while a peer keeps transmitting) can drive completions onto TX CQs and crash or corrupt the driver. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%, 5th percentile), indicating low real-world exploitation likelihood.