Use-after-free in the Linux kernel's RDMA mana_ib driver (Microsoft Azure Network Adapter) lets a local user trigger stale firmware RX steering after destroying an RSS QP, so incoming completions land on reused CQ IDs and corrupt kernel state. It affects Linux deployments on Azure VMs using MANA with RDMA/DPDK; an attacker who can create and destroy RSS QPs (e.g., via a DPDK application exit while a peer keeps transmitting) can drive completions onto TX CQs and crash or corrupt the driver. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%, 5th percentile), indicating low real-world exploitation likelihood.
Local privilege escalation and memory corruption in the Linux kernel's atmel-sha204a crypto driver allows an attacker who can remove or unbind the device to trigger a use-after-free during the driver teardown path. The flaw stems from failing to unregister the hwrng and flush the Atmel I2C workqueue before teardown, letting a queued ->read() callback execute against freed state, and an early return that also leaks the hwrng.priv allocation. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, so this is a defense-in-depth hardening fix rather than an urgent emergency.
Use-after-free in the Linux kernel's mwifiex Wi-Fi driver (Marvell) occurs during adapter teardown: mwifiex_adapter_cleanup() calls the non-synchronous timer_delete() on the wakeup_timer, so a still-running wakeup_timer_fn callback can dereference adapter fields (hw_status, if_ops.card_reset) after mwifiex_free_adapter() frees them along the card-removal path. A local attacker who can trigger device removal while the timer fires could corrupt freed kernel memory, enabling privilege escalation or denial of service. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%, 5th percentile), and the fix (timer_delete_sync()) is merged into stable releases.
Improper memory deallocation in the Linux kernel's NX-842 hardware compression crypto driver (nx842_crypto_alloc_ctx/free_ctx) causes bounce buffers allocated as order-2 (4 pages) to be released with single-page free_page() calls, leaking three of every four pages. The flaw is local-only with no public exploit identified at time of analysis, and EPSS (0.02%, 5th percentile) reflects negligible mass-exploitation interest. Note that the NVD CVSS (7.8, C:H/I:H/A:H) appears overstated for what the upstream commit explicitly describes as a memory leak rather than corruption.
Local privilege escalation and memory corruption in the Linux kernel fbdev deferred I/O subsystem allows local low-privileged users to trigger undefined behavior when a framebuffer device is hot-unplugged while user space retains an active memory mapping. The flaw stems from improper lifetime management between struct fb_info and deferred I/O state, leading to use-after-free conditions with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%).
Integer overflow in the Linux kernel's ntfs3 filesystem driver allows local attackers to bypass volume boundary validation when mounting or accessing a crafted NTFS volume, leading to memory corruption with high confidentiality, integrity, and availability impact. The flaw resides in run_unpack() where the check `lcn + len > sbi->used.bitmap.nbits` performs raw addition that wraps for large values, sidestepping the bounds check. No public exploit identified at time of analysis and EPSS is very low (0.02%), but CVSS 7.8 with required user interaction reflects realistic local privilege-escalation potential when untrusted NTFS media is processed.
Use-after-free in the Linux kernel's amphion VPU media driver allows local privileged users to trigger a kernel panic and potential memory corruption due to a race condition between v4l2_m2m_ctx_release() and v4l2_m2m_try_run(). The flaw affects systems using the amphion video encode/decode driver (introduced in 5.18) and has been resolved upstream by removing reliance on the m2m framework's job scheduling. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the local high-impact CVSS of 7.8 makes it relevant for multi-tenant or hardened kernel deployments.
Local privilege escalation risk in the Linux kernel's RDS (Reliable Datagram Sockets) subsystem stems from a double-free condition in __rds_rdma_map() when a put_user() copy of the MR cookie fails after get_mr() has transferred sg/pages ownership to the transport. A local authenticated attacker triggering this race or fault path could cause memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis and EPSS is low at 0.02%, but a vendor-released patch is available across multiple stable branches.
Use-after-free in the Linux kernel's QRTR (Qualcomm IPC Router) name service driver remove path allows local low-privileged users to corrupt memory and potentially escalate privileges. The flaw occurs because qrtr_ns_data_ready() can queue work to a workqueue that has already been destroyed during driver teardown, dereferencing freed memory. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the fix has landed across multiple stable kernel trees.
Local privilege escalation in the Linux kernel's vfio/cdx (Composable DMA-capable eXtension) driver allows a process with access to a VFIO device file descriptor to trigger a use-after-free of the cdx_irqs array via concurrent VFIO_DEVICE_SET_IRQS ioctls. The race in vfio_cdx_set_msi_trigger() can be exploited by a local low-privileged attacker for memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis and EPSS is very low (0.02%, 5th percentile).
Race condition and missed wake-up in the Linux kernel TCP listener migration path (SO_REUSEPORT) allows local low-privileged attackers to cause hangs and potentially exploit a use-after-free on listener sockets. Affects kernels from 5.14 up to versions fixed in 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. No public exploit identified at time of analysis, and EPSS is very low (0.02%).
Local privilege escalation and memory corruption in the Linux kernel's MediaTek JPEG (mtk-jpeg) media driver allows a local user with access to the device to trigger a use-after-free condition. The flaw occurs in mtk_jpeg_release() which frees the context structure without first cancelling pending workqueue items, creating a race window during device close where the worker thread accesses freed memory. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%, but the bug is fixed across multiple stable trees.
Local privilege escalation potential in the Linux kernel's Nouveau DRM driver stems from a 32-bit integer overflow in the pushbuf relocation bounds check (nouveau_gem_pushbuf_reloc_apply). Authenticated local users with access to the Nouveau GPU device node can bypass the size validation and trigger out-of-bounds writes against the buffer object, leading to high impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but a vendor patch is available across multiple stable kernel branches.
Use-after-free in the Linux kernel ALSA caiaq USB audio driver allows local code execution when the device probe path encounters an error during setup_card(). The setup_card() function previously ignored failures from snd_card_register() and continued executing, leaving freed card structures accessible to subsequent initialization calls such as snd_usb_caiaq_control_init(). No public exploit identified at time of analysis, and EPSS is low at 0.02% (5th percentile), consistent with the local attack vector and narrow hardware-driver scope.
Stack buffer overrun in the Linux kernel's pt5161l hwmon driver allows a malicious or malfunctioning I2C device to write up to 32 bytes into a 24-byte stack buffer during pt5161l_read_block_data(), corrupting kernel memory. The flaw affects Linux 6.9 through versions before the stable fixes, and a secondary bug causes the driver to process stale data as valid when retries are exhausted with a length mismatch. EPSS is very low (0.02%) and no public exploit identified at time of analysis.
Use-after-free in the Linux kernel's rxrpc (AF_RXRPC) networking subsystem allows local attackers with low privileges to trigger memory corruption when skb_unshare() fails during packet input handling. Affected Linux kernel versions from 6.2 up to the fixed releases can be exploited to cause a NULL-pointer oops and potentially escalate privileges or crash the system. No public exploit identified at time of analysis; EPSS is very low (0.02%) and the issue is not present in CISA KEV.
Use-after-free in the Linux kernel's i.MX SPI driver (spi-imx) can be triggered when the driver is unbound, allowing a local privileged user to corrupt kernel memory and potentially escalate to full kernel code execution. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a kernel-level UAF with high CIA impact warrants prompt patching on affected i.MX-based systems.
Use-after-free in the Linux kernel's io_uring zero-copy receive (zcrx) subsystem allows local low-privileged attackers to corrupt memory and potentially escalate privileges. The flaw stems from io_free_rbuf_ring() accessing a struct user_struct after io_zcrx_ifq_free() has already released the reference, creating a UAF window. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but the bug class (UAF in io_uring) has historically been weaponized for LPE.
Heap out-of-bounds write in the Linux kernel UDF filesystem driver allows a local attacker to corrupt kernel memory by mounting a crafted UDF image containing repeated partition descriptors. The flaw stems from incorrect bookkeeping in handle_partition_descriptor() where appended slots never record partnum, causing duplicate descriptors to overflow the part_descs_loc[] table. No public exploit identified at time of analysis, and EPSS scores the exploitation probability at only 0.02%.
Use-after-free in the Linux kernel's Open Firmware (OF) device tree unittest driver (testdrv_probe) allows local low-privileged attackers to corrupt memory and potentially escalate privileges. The flaw stems from an erroneous of_node_put() call that releases a device_node reference owned by the device model, which can then be dereferenced later in of_platform_default_populate(). EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a vendor patch is available.
Filesystem data integrity issue in the Linux kernel ext4 module allows local low-privileged users to trigger bitmap inconsistencies through a race condition between page migration and ext4 buddy bitmap modification under mixed huge-page workloads. The flaw can produce false group descriptor mismatches and corruption of in-memory block allocation state, with high confidentiality, integrity, and availability impact per CVSS 7.8 (AV:L). No public exploit has been identified at time of analysis and EPSS is very low at 0.02%.
Memory corruption in the Linux kernel's pm8916_lbc power-supply driver (Qualcomm PM8916 PMIC linear battery charger) stems from a use-after-free in power_supply_changed(), where devm-managed teardown ordering lets a charger interrupt fire against a freed or not-yet-initialized power_supply handle during driver probe or removal. Local attackers able to trigger device unbind/rebind or module load/unload can crash the system or silently corrupt kernel memory. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis; the issue is not in CISA KEV.
Local privilege escalation potential in the Linux kernel BPF verifier (introduced in 6.11+ commit 98d7ca374ba4) arises from sync_linked_regs() failing to preserve register IDs when propagating bounds, breaking linked-register tracking and allowing crafted eBPF programs to bypass the verifier's range analysis. EPSS is very low (0.02%) and the issue is not in CISA KEV, but the BPF verifier is a historically high-value local attack surface, and upstream patches landed in 6.12.75, 6.18.14, and 6.19.4. No public exploit identified at time of analysis.
Use-after-free condition in the Linux kernel's RDMA Soft RoCE (rxe) driver allows local privileged users to trigger memory corruption through a race between the QP retransmit_timer handler and rxe_destroy_qp. The flaw stems from the Queue Pair reference count dropping to zero while a timer callback is still executing, producing refcount underflow warnings and potential kernel memory corruption. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Use-after-free in the Linux kernel's pf1550 power-supply driver (drivers/power/supply/pf1550) lets a queued hardware interrupt invoke power_supply_changed() on an already-freed power_supply handle during module/device removal, and can also dereference an uninitialized handle during probe. The flaw stems from devm-managed resource ordering: the IRQ was requested before the power_supply was registered, so devm teardown frees the power_supply first. Impact is typically a kernel crash or silent memory corruption. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis.
Race condition in Linux kernel Intel VT-d IOMMU driver (iommu/vt-d) allows torn reads of Scalable Mode PASID table entries during teardown, producing unpredictable behavior or spurious faults on systems with Intel VT-d enabled. The flaw stems from zeroing the entire 64-byte PASID entry while the Present bit is still set, violating the VT-d spec's invalidation guidance. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but a vendor patch is available across multiple stable branches.
Use-after-free in the Linux kernel's pm8916_bms_vm power-supply driver (for Qualcomm PM8916 battery monitoring on certain Snapdragon SoCs) lets a freed power_supply handle be dereferenced when an IRQ fires during device removal or probe, corrupting kernel memory or crashing the system. The flaw stems from devm-managed IRQ registration occurring before the power_supply handle was registered, so devm's reverse-order teardown frees the handle while the interrupt is still live. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; impact is realistically a local denial of service on the narrow set of devices using this driver.
Local privilege escalation potential in the Linux kernel's AMD KFD (Kernel Fusion Driver) debug subsystem allows a local user with GPU access to trigger a buffer overflow in the watch_points array via a crafted watch_id value. The flaw stems from signed/unsigned integer mishandling in kfd_dbg_trap_clear_dev_address_watch(), where userspace-supplied watch_id values exceeding INT_MAX cause undefined bit shifts and out-of-bounds memory access. No public exploit identified at time of analysis, and EPSS scores exploitation probability at only 0.02%.
Local privilege escalation potential in the Linux kernel's GFS2 (Global File System 2) filesystem stems from a slab-use-after-free in qd_put() that corrupts the quota data LRU list during filesystem shutdown. Local authenticated users with access to a GFS2 mount could trigger the shrinker path (gfs2_qd_shrink_scan) to dereference freed objects, with EPSS at 0.02% indicating no public exploit identified at time of analysis. The flaw was introduced by commit a475c5dd16e5 which began freeing quota data synchronously without removing entries from the LRU list first.
Memory corruption in the Linux kernel's AMD GPU driver (amdgpu) arises because amdgpu_gmc_get_nps_memranges() releases buffers allocated by amdgpu_discovery_get_nps_info() with kfree() even though that memory may have been allocated via kvcalloc()/vmalloc(), corrupting the kernel allocator state. The flaw affects systems running AMD GPUs on kernels prior to the fixed stable releases (6.12.75, 6.18.14, 6.19.4, and 7.0). There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and the issue was found via static analysis and code review rather than in-the-wild exploitation.
Local privilege-escalation-class memory corruption in the Linux kernel's BPF arena subsystem (introduced around 6.9) allows a process holding BPF capabilities to trigger a use-after-free. When a BPF arena VMA is inherited across fork(), arena_vm_open() bumps the mmap refcount but never registers the child VMA in arena->vma_list, leaving vml->vma pointing at the parent VMA; after the parent munmaps, a child call to bpf_arena_free_pages() dereferences the dangling pointer in zap_pages(). No public exploit or active exploitation is identified (EPSS 0.02%, 5th percentile), and vendor patches are available.
Local privilege-impacting memory corruption in the Linux kernel's AFS filesystem can be triggered by an authenticated local user mapping AFS files, leading to a refcount leak that can cause kernel resource exhaustion or use-after-free conditions affecting confidentiality, integrity, and availability. The flaw stems from an incorrect conversion of AFS's mmap handler to the new .mmap_prepare() interface (commit 9d5403b1036c), which leaks reference counts when a VMA merge or allocation failure occurs after the prepare call. No public exploit identified at time of analysis and EPSS rates exploitation likelihood at just 0.02%.
Use-after-free in the Linux kernel's edt-ft5x06 capacitive touchscreen driver (CWE-416) lets a local actor with access to the driver's per-client debugfs interface read or corrupt freed kernel memory during device teardown. The regression was introduced by commit 68743c500c6e, which removed manual debugfs cleanup and left a window where debugfs files referencing tsdata->raw_buffer remained accessible after the buffer was freed. No public exploit identified at time of analysis; EPSS is very low (0.02%, 4th percentile) and it is not in CISA KEV, but a vendor (stable-tree) patch is available.
Concurrent execution race in the Linux kernel's mm/vmalloc subsystem allows a local low-privileged attacker to trigger memory corruption or leaks by exercising the vmap_node shrinker simultaneously with lazy vmap purge operations. The flaw stems from unserialized invocation of decay_va_pool_node() between __purge_vmap_area_lazy() and the shrinker path. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the issue is patched upstream in the stable tree.
Local privilege escalation via memory corruption in Linux Kernel crypto subsystem (acomp) affects systems using asynchronous hardware compression accelerators such as Intel QAT. The flaw stems from acomp_save_req() storing the wrong pointer (&req->chain instead of req itself) in req->base.data, causing the completion callback acomp_reqchain_done() to dereference fields at incorrect offsets. No public exploit identified at time of analysis, and EPSS is very low at 0.02%, but the high CVSS (7.8) reflects potential for memory corruption with high confidentiality, integrity, and availability impact.
Data corruption in the Linux kernel md-llbitmap RAID subsystem allows stale bitmap pages to be read from spare disks during rebuild. The md-llbitmap code iterated rdevs checking only raid_disk assignment and the Faulty flag, omitting the In_sync flag, so bitmap data could be sourced from a not-yet-synchronized spare. No public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%), but the bug can silently corrupt arrays during normal operation or recovery.
Local privilege escalation and denial of service in the Linux kernel's AMD XDNA (amdxdna) accelerator driver allows authenticated local users to trigger a use-after-free condition by submitting jobs to a hardware context concurrently with resource release. The flaw affects kernels in the 6.14.9 through 6.15 series and was resolved upstream by stopping job scheduling around aie2_release_resource() and validating context state in aie2_sched_job_run(). No public exploit identified at time of analysis, and EPSS scoring (0.02%) indicates negligible near-term exploitation probability.
Local privilege escalation or denial-of-service in the Linux kernel's AMD CCP (Cryptographic Coprocessor) driver stems from a misuse of the __cleanup(kfree) attribute on a local pointer, causing kfree() to be invoked with the address of a stack variable rather than the heap allocation returned by kmalloc. The resulting invalid deallocation of a stack address crashes the kernel and could be leveraged by a low-privileged local user for impact on confidentiality, integrity, and availability (CVSS 7.8). EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but vendor patches are available in stable trees 6.18.14 and 6.19.4.
Local privilege escalation in the Linux kernel's BPF subsystem stems from incorrect refcounting in check_pseudo_btf_id() that can leave a BTF (BPF Type Format) object with a zero refcount while still in use, creating a use-after-free condition. Affected kernels (around 6.14 through pre-patch 6.18.14/6.19.4) allow a local low-privileged user capable of loading BPF programs to corrupt kernel memory, with no public exploit identified at time of analysis and EPSS scoring exploitation likelihood at only 0.02%.
Local privilege escalation or denial-of-service in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) arises from a use-after-free of the mm structure during iommu_sva_unbind_device(). The driver previously released the mm reference before unbinding, allowing iommu_mm access on freed memory. No public exploit identified at time of analysis and EPSS scores this at 0.02% (4th percentile), indicating very low expected exploitation activity in the near term.
Use-after-free in the Linux kernel's OpenVPN data channel offload (ovpn) module allows a local attacker with low privileges to potentially trigger memory corruption when transmitting shared sk_buff packets through ovpn_net_xmit. The flaw stems from continued use of a stale skb pointer after skb_share_check frees the original buffer, affecting peer lookup, skb_dst_drop, and TX statistics paths. No public exploit identified at time of analysis, and the EPSS probability is very low (0.02%), suggesting the bug is more of a stability and memory-safety concern than an imminently weaponized vector.
Local privilege escalation potential in the Linux kernel's MediaTek clock gate driver stems from incorrect use of __initconst annotations on mtk_gate structures that are accessed at runtime, not just during initialization. After kernel init completes, the memory backing these structs is freed, so any runtime access reads freed memory - affecting Linux 6.18 prior to stable releases 6.18.14 and 6.19.4. CVSS rates this 7.8 (High) with local attack vector; EPSS is 0.02% and no public exploit identified at time of analysis.
Out-of-bounds array access in the Linux kernel's Intel Discrete Graphics MTD driver (mtd_intel_dg.c) lets a local actor trigger kernel memory corruption when the driver enumerates NVM regions before nregions is initialized. The flaw, caught by UBSAN as an array-index-out-of-bounds at line 750, affects systems running kernel 6.17 through the pre-patch 6.18/6.19 series with Intel discrete graphics hardware. No public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.02%, 4th percentile).
Local denial of service in the Linux kernel's BPF CO-RE relocation parser allows a process holding CAP_BPF to deterministically crash the system by loading a BPF program with a negative CO-RE accessor index. The flaw stems from bpf_core_parse_spec() in the libbpf relocation core accepting negative values from sscanf("%d") that bypass upper-bound checks due to integer promotion, ultimately driving an out-of-bounds read past the BTF members array. EPSS is negligible (0.01%) and there is no public exploit identified at time of analysis; a kernel oops backtrace is published in the changelog but it serves as a crash reproducer rather than a weaponized exploit.
Local privilege escalation in IBM Netezza Performance Server Replication Services (versions 3.0.2.0 through 3.0.5.0) allows an already-authenticated, low-privileged user on the appliance to gain full root control. By abusing the over-privileged Replication Services component the attacker can execute root-level commands, spawn a root shell, reset the root password, alter or delete system-wide files, and plant persistent backdoors, resulting in complete loss of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis, and no EPSS score was supplied in the source data, so the issue currently reflects vendor-reported risk rather than observed exploitation.
Uncontrolled search path element vulnerability in OpenSSL DLL component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to execute arbitrary code via unspecified vectors. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.
Path traversal in the tmp npm package (versions < 0.2.6) lets callers escape the intended temporary directory by passing traversal sequences or absolute paths in the prefix, postfix, or dir options to tmp.file(), tmp.dir(), or tmp.tmpName(). Applications that forward untrusted input into those options can be coerced into creating files at attacker-chosen filesystem locations with the process's privileges, enabling config poisoning, cache poisoning, or web-shell drops. Publicly available exploit code exists (the advisory ships a working PoC and a regression test), but no public exploit identified at time of analysis indicates active exploitation in the wild.
Sensitive credential disclosure in Budibase low-code platform versions prior to 3.38.3 allows any authenticated low-privilege user to retrieve a configured Snowflake datasource's private key in plaintext. The flaw stems from an incomplete secret-masking filter that only redacts fields typed as PASSWORD, leaving the Snowflake privateKey field (typed SENSITIVE_LONGFORM) exposed through the GET /api/datasources/:datasourceId endpoint. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is fixed in 3.38.3.
Server-side request forgery in Budibase before 3.39.0 lets an authenticated user with the BUILDER role coerce the platform into making attacker-controlled outbound requests by setting a malicious OAuth2 token endpoint URL. Because the token fetch path bypassed the codebase's existing SSRF-blocking HTTP wrapper, responses from internal-only services such as the CouchDB database or cloud instance metadata endpoints can be exfiltrated. No public exploit identified at time of analysis, but the flaw is straightforward to trigger and EPSS/KEV signals were not supplied.
External XML entity resolution in Hitachi Vantara Pentaho Data Integration & Analytics lets an authenticated, low-privileged attacker submit crafted XML that the application's parser resolves, disclosing sensitive local files and enabling server-side request forgery against internal systems. All releases before 10.2.0.7 are affected, as are 11.x branches before 11.0.0.0, explicitly including the 9.3.x and 8.3.x lines. There is no public exploit identified at time of analysis, and the EPSS exploitation probability is very low (0.03%, 8th percentile).