Skip to main content
CVE-2026-46084 HIGH PATCH This Week

Use-after-free in the Linux kernel's RDMA mana_ib driver (Microsoft Azure Network Adapter) lets a local user trigger stale firmware RX steering after destroying an RSS QP, so incoming completions land on reused CQ IDs and corrupt kernel state. It affects Linux deployments on Azure VMs using MANA with RDMA/DPDK; an attacker who can create and destroy RSS QPs (e.g., via a DPDK application exit while a peer keeps transmitting) can drive completions onto TX CQs and crash or corrupt the driver. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%, 5th percentile), indicating low real-world exploitation likelihood.

Memory Corruption Linux Use After Free Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46075 HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's atmel-sha204a crypto driver allows an attacker who can remove or unbind the device to trigger a use-after-free during the driver teardown path. The flaw stems from failing to unregister the hwrng and flush the Atmel I2C workqueue before teardown, letting a queued ->read() callback execute against freed state, and an early return that also leaks the hwrng.priv allocation. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, so this is a defense-in-depth hardening fix rather than an urgent emergency.

Memory Corruption Linux Use After Free Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46069 HIGH PATCH This Week

Use-after-free in the Linux kernel's mwifiex Wi-Fi driver (Marvell) occurs during adapter teardown: mwifiex_adapter_cleanup() calls the non-synchronous timer_delete() on the wakeup_timer, so a still-running wakeup_timer_fn callback can dereference adapter fields (hw_status, if_ops.card_reset) after mwifiex_free_adapter() frees them along the card-removal path. A local attacker who can trigger device removal while the timer fires could corrupt freed kernel memory, enabling privilege escalation or denial of service. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%, 5th percentile), and the fix (timer_delete_sync()) is merged into stable releases.

Memory Corruption Linux Use After Free Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46068 HIGH PATCH This Week

Improper memory deallocation in the Linux kernel's NX-842 hardware compression crypto driver (nx842_crypto_alloc_ctx/free_ctx) causes bounce buffers allocated as order-2 (4 pages) to be released with single-page free_page() calls, leaking three of every four pages. The flaw is local-only with no public exploit identified at time of analysis, and EPSS (0.02%, 5th percentile) reflects negligible mass-exploitation interest. Note that the NVD CVSS (7.8, C:H/I:H/A:H) appears overstated for what the upstream commit explicitly describes as a memory leak rather than corruption.

Memory Corruption Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46065 HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel fbdev deferred I/O subsystem allows local low-privileged users to trigger undefined behavior when a framebuffer device is hot-unplugged while user space retains an active memory mapping. The flaw stems from improper lifetime management between struct fb_info and deferred I/O state, leading to use-after-free conditions with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46062 HIGH PATCH This Week

Integer overflow in the Linux kernel's ntfs3 filesystem driver allows local attackers to bypass volume boundary validation when mounting or accessing a crafted NTFS volume, leading to memory corruption with high confidentiality, integrity, and availability impact. The flaw resides in run_unpack() where the check `lcn + len > sbi->used.bitmap.nbits` performs raw addition that wraps for large values, sidestepping the bounds check. No public exploit identified at time of analysis and EPSS is very low (0.02%), but CVSS 7.8 with required user interaction reflects realistic local privilege-escalation potential when untrusted NTFS media is processed.

Linux Buffer Overflow Integer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46058 HIGH PATCH This Week

Use-after-free in the Linux kernel's amphion VPU media driver allows local privileged users to trigger a kernel panic and potential memory corruption due to a race condition between v4l2_m2m_ctx_release() and v4l2_m2m_try_run(). The flaw affects systems using the amphion video encode/decode driver (introduced in 5.18) and has been resolved upstream by removing reliance on the m2m framework's job scheduling. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the local high-impact CVSS of 7.8 makes it relevant for multi-tenant or hardened kernel deployments.

Linux Denial Of Service Race Condition
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46053 HIGH PATCH This Week

Local privilege escalation risk in the Linux kernel's RDS (Reliable Datagram Sockets) subsystem stems from a double-free condition in __rds_rdma_map() when a put_user() copy of the MR cookie fails after get_mr() has transferred sg/pages ownership to the transport. A local authenticated attacker triggering this race or fault path could cause memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis and EPSS is low at 0.02%, but a vendor-released patch is available across multiple stable branches.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46047 HIGH PATCH This Week

Use-after-free in the Linux kernel's QRTR (Qualcomm IPC Router) name service driver remove path allows local low-privileged users to corrupt memory and potentially escalate privileges. The flaw occurs because qrtr_ns_data_ready() can queue work to a workqueue that has already been destroyed during driver teardown, dereferencing freed memory. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the fix has landed across multiple stable kernel trees.

Linux Use After Free Memory Corruption Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46036 HIGH PATCH This Week

Local privilege escalation in the Linux kernel's vfio/cdx (Composable DMA-capable eXtension) driver allows a process with access to a VFIO device file descriptor to trigger a use-after-free of the cdx_irqs array via concurrent VFIO_DEVICE_SET_IRQS ioctls. The race in vfio_cdx_set_msi_trigger() can be exploited by a local low-privileged attacker for memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis and EPSS is very low (0.02%, 5th percentile).

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46015 HIGH PATCH This Week

Race condition and missed wake-up in the Linux kernel TCP listener migration path (SO_REUSEPORT) allows local low-privileged attackers to cause hangs and potentially exploit a use-after-free on listener sockets. Affects kernels from 5.14 up to versions fixed in 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. No public exploit identified at time of analysis, and EPSS is very low (0.02%).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46011 HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's MediaTek JPEG (mtk-jpeg) media driver allows a local user with access to the device to trigger a use-after-free condition. The flaw occurs in mtk_jpeg_release() which frees the context structure without first cancelling pending workqueue items, creating a race window during device close where the worker thread accesses freed memory. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%, but the bug is fixed across multiple stable trees.

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46006 HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel's Nouveau DRM driver stems from a 32-bit integer overflow in the pushbuf relocation bounds check (nouveau_gem_pushbuf_reloc_apply). Authenticated local users with access to the Nouveau GPU device node can bypass the size validation and trigger out-of-bounds writes against the buffer object, leading to high impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but a vendor patch is available across multiple stable kernel branches.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46004 HIGH PATCH This Week

Use-after-free in the Linux kernel ALSA caiaq USB audio driver allows local code execution when the device probe path encounters an error during setup_card(). The setup_card() function previously ignored failures from snd_card_register() and continued executing, leaving freed card structures accessible to subsequent initialization calls such as snd_usb_caiaq_control_init(). No public exploit identified at time of analysis, and EPSS is low at 0.02% (5th percentile), consistent with the local attack vector and narrow hardware-driver scope.

Linux Use After Free Memory Corruption Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46001 HIGH PATCH This Week

Stack buffer overrun in the Linux kernel's pt5161l hwmon driver allows a malicious or malfunctioning I2C device to write up to 32 bytes into a 24-byte stack buffer during pt5161l_read_block_data(), corrupting kernel memory. The flaw affects Linux 6.9 through versions before the stable fixes, and a secondary bug causes the driver to process stale data as valid when retries are exhausted with a length mismatch. EPSS is very low (0.02%) and no public exploit identified at time of analysis.

Linux Memory Corruption Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45998 HIGH PATCH This Week

Use-after-free in the Linux kernel's rxrpc (AF_RXRPC) networking subsystem allows local attackers with low privileges to trigger memory corruption when skb_unshare() fails during packet input handling. Affected Linux kernel versions from 6.2 up to the fixed releases can be exploited to cause a NULL-pointer oops and potentially escalate privileges or crash the system. No public exploit identified at time of analysis; EPSS is very low (0.02%) and the issue is not present in CISA KEV.

Linux Use After Free Memory Corruption Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45996 HIGH PATCH This Week

Use-after-free in the Linux kernel's i.MX SPI driver (spi-imx) can be triggered when the driver is unbound, allowing a local privileged user to corrupt kernel memory and potentially escalate to full kernel code execution. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a kernel-level UAF with high CIA impact warrants prompt patching on affected i.MX-based systems.

Linux Use After Free Memory Corruption Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45995 HIGH PATCH This Week

Use-after-free in the Linux kernel's io_uring zero-copy receive (zcrx) subsystem allows local low-privileged attackers to corrupt memory and potentially escalate privileges. The flaw stems from io_free_rbuf_ring() accessing a struct user_struct after io_zcrx_ifq_free() has already released the reference, creating a UAF window. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but the bug class (UAF in io_uring) has historically been weaponized for LPE.

Linux Use After Free Memory Corruption Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45991 HIGH PATCH This Week

Heap out-of-bounds write in the Linux kernel UDF filesystem driver allows a local attacker to corrupt kernel memory by mounting a crafted UDF image containing repeated partition descriptors. The flaw stems from incorrect bookkeeping in handle_partition_descriptor() where appended slots never record partnum, causing duplicate descriptors to overflow the part_descs_loc[] table. No public exploit identified at time of analysis, and EPSS scores the exploitation probability at only 0.02%.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45989 HIGH PATCH This Week

Use-after-free in the Linux kernel's Open Firmware (OF) device tree unittest driver (testdrv_probe) allows local low-privileged attackers to corrupt memory and potentially escalate privileges. The flaw stems from an erroneous of_node_put() call that releases a device_node reference owned by the device model, which can then be dereferenced later in of_platform_default_populate(). EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a vendor patch is available.

Linux Use After Free Memory Corruption Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45942 HIGH PATCH This Week

Filesystem data integrity issue in the Linux kernel ext4 module allows local low-privileged users to trigger bitmap inconsistencies through a race condition between page migration and ext4 buddy bitmap modification under mixed huge-page workloads. The flaw can produce false group descriptor mismatches and corruption of in-memory block allocation state, with high confidentiality, integrity, and availability impact per CVSS 7.8 (AV:L). No public exploit has been identified at time of analysis and EPSS is very low at 0.02%.

Linux Information Disclosure Race Condition
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45938 HIGH PATCH This Week

Memory corruption in the Linux kernel's pm8916_lbc power-supply driver (Qualcomm PM8916 PMIC linear battery charger) stems from a use-after-free in power_supply_changed(), where devm-managed teardown ordering lets a charger interrupt fire against a freed or not-yet-initialized power_supply handle during driver probe or removal. Local attackers able to trigger device unbind/rebind or module load/unload can crash the system or silently corrupt kernel memory. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis; the issue is not in CISA KEV.

Memory Corruption Linux Denial Of Service Use After Free Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45933 HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel BPF verifier (introduced in 6.11+ commit 98d7ca374ba4) arises from sync_linked_regs() failing to preserve register IDs when propagating bounds, breaking linked-register tracking and allowing crafted eBPF programs to bypass the verifier's range analysis. EPSS is very low (0.02%) and the issue is not in CISA KEV, but the BPF verifier is a historically high-value local attack surface, and upstream patches landed in 6.12.75, 6.18.14, and 6.19.4. No public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45910 HIGH PATCH This Week

Use-after-free condition in the Linux kernel's RDMA Soft RoCE (rxe) driver allows local privileged users to trigger memory corruption through a race between the QP retransmit_timer handler and rxe_destroy_qp. The flaw stems from the Queue Pair reference count dropping to zero while a timer callback is still executing, producing refcount underflow warnings and potential kernel memory corruption. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.

Linux Information Disclosure Race Condition
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45906 HIGH PATCH This Week

Use-after-free in the Linux kernel's pf1550 power-supply driver (drivers/power/supply/pf1550) lets a queued hardware interrupt invoke power_supply_changed() on an already-freed power_supply handle during module/device removal, and can also dereference an uninitialized handle during probe. The flaw stems from devm-managed resource ordering: the IRQ was requested before the power_supply was registered, so devm teardown frees the power_supply first. Impact is typically a kernel crash or silent memory corruption. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis.

Memory Corruption Linux Denial Of Service Use After Free Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45894 HIGH PATCH This Week

Race condition in Linux kernel Intel VT-d IOMMU driver (iommu/vt-d) allows torn reads of Scalable Mode PASID table entries during teardown, producing unpredictable behavior or spurious faults on systems with Intel VT-d enabled. The flaw stems from zeroing the entire 64-byte PASID entry while the Present bit is still set, violating the VT-d spec's invalidation guidance. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but a vendor patch is available across multiple stable branches.

Linux Information Disclosure Intel
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45882 HIGH PATCH This Week

Use-after-free in the Linux kernel's pm8916_bms_vm power-supply driver (for Qualcomm PM8916 battery monitoring on certain Snapdragon SoCs) lets a freed power_supply handle be dereferenced when an IRQ fires during device removal or probe, corrupting kernel memory or crashing the system. The flaw stems from devm-managed IRQ registration occurring before the power_supply handle was registered, so devm's reverse-order teardown frees the handle while the interrupt is still live. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; impact is realistically a local denial of service on the narrow set of devices using this driver.

Memory Corruption Linux Denial Of Service Use After Free Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45878 HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel's AMD KFD (Kernel Fusion Driver) debug subsystem allows a local user with GPU access to trigger a buffer overflow in the watch_points array via a crafted watch_id value. The flaw stems from signed/unsigned integer mishandling in kfd_dbg_trap_clear_dev_address_watch(), where userspace-supplied watch_id values exceeding INT_MAX cause undefined bit shifts and out-of-bounds memory access. No public exploit identified at time of analysis, and EPSS scores exploitation probability at only 0.02%.

Linux Amd Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45861 HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel's GFS2 (Global File System 2) filesystem stems from a slab-use-after-free in qd_put() that corrupts the quota data LRU list during filesystem shutdown. Local authenticated users with access to a GFS2 mount could trigger the shrinker path (gfs2_qd_shrink_scan) to dereference freed objects, with EPSS at 0.02% indicating no public exploit identified at time of analysis. The flaw was introduced by commit a475c5dd16e5 which began freeing quota data synchronously without removing entries from the LRU list first.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45853 HIGH PATCH This Week

Memory corruption in the Linux kernel's AMD GPU driver (amdgpu) arises because amdgpu_gmc_get_nps_memranges() releases buffers allocated by amdgpu_discovery_get_nps_info() with kfree() even though that memory may have been allocated via kvcalloc()/vmalloc(), corrupting the kernel allocator state. The flaw affects systems running AMD GPUs on kernels prior to the fixed stable releases (6.12.75, 6.18.14, 6.19.4, and 7.0). There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and the issue was found via static analysis and code review rather than in-the-wild exploitation.

Memory Corruption Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45837 HIGH PATCH This Week

Local privilege-escalation-class memory corruption in the Linux kernel's BPF arena subsystem (introduced around 6.9) allows a process holding BPF capabilities to trigger a use-after-free. When a BPF arena VMA is inherited across fork(), arena_vm_open() bumps the mmap refcount but never registers the child VMA in arena->vma_list, leaving vml->vma pointing at the parent VMA; after the parent munmaps, a child call to bpf_arena_free_pages() dereferences the dangling pointer in zap_pages(). No public exploit or active exploitation is identified (EPSS 0.02%, 5th percentile), and vendor patches are available.

Memory Corruption Linux Use After Free Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46100 HIGH PATCH This Week

Local privilege-impacting memory corruption in the Linux kernel's AFS filesystem can be triggered by an authenticated local user mapping AFS files, leading to a refcount leak that can cause kernel resource exhaustion or use-after-free conditions affecting confidentiality, integrity, and availability. The flaw stems from an incorrect conversion of AFS's mmap handler to the new .mmap_prepare() interface (commit 9d5403b1036c), which leaks reference counts when a VMA merge or allocation failure occurs after the prepare call. No public exploit identified at time of analysis and EPSS rates exploitation likelihood at just 0.02%.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46097 HIGH PATCH This Week

Use-after-free in the Linux kernel's edt-ft5x06 capacitive touchscreen driver (CWE-416) lets a local actor with access to the driver's per-client debugfs interface read or corrupt freed kernel memory during device teardown. The regression was introduced by commit 68743c500c6e, which removed manual debugfs cleanup and left a window where debugfs files referencing tsdata->raw_buffer remained accessible after the buffer was freed. No public exploit identified at time of analysis; EPSS is very low (0.02%, 4th percentile) and it is not in CISA KEV, but a vendor (stable-tree) patch is available.

Memory Corruption Linux Use After Free Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46093 HIGH PATCH This Week

Concurrent execution race in the Linux kernel's mm/vmalloc subsystem allows a local low-privileged attacker to trigger memory corruption or leaks by exercising the vmap_node shrinker simultaneously with lazy vmap purge operations. The flaw stems from unserialized invocation of decay_va_pool_node() between __purge_vmap_area_lazy() and the shrinker path. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the issue is patched upstream in the stable tree.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46081 HIGH PATCH This Week

Local privilege escalation via memory corruption in Linux Kernel crypto subsystem (acomp) affects systems using asynchronous hardware compression accelerators such as Intel QAT. The flaw stems from acomp_save_req() storing the wrong pointer (&req->chain instead of req itself) in req->base.data, causing the completion callback acomp_reqchain_done() to dereference fields at incorrect offsets. No public exploit identified at time of analysis, and EPSS is very low at 0.02%, but the high CVSS (7.8) reflects potential for memory corruption with high confidentiality, integrity, and availability impact.

Linux Canonical Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46045 HIGH PATCH This Week

Data corruption in the Linux kernel md-llbitmap RAID subsystem allows stale bitmap pages to be read from spare disks during rebuild. The md-llbitmap code iterated rdevs checking only raid_disk assignment and the Faulty flag, omitting the In_sync flag, so bitmap data could be sourced from a not-yet-synchronized spare. No public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%), but the bug can silently corrupt arrays during normal operation or recovery.

Linux Memory Corruption Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45980 HIGH PATCH This Week

Local privilege escalation and denial of service in the Linux kernel's AMD XDNA (amdxdna) accelerator driver allows authenticated local users to trigger a use-after-free condition by submitting jobs to a hardware context concurrently with resource release. The flaw affects kernels in the 6.14.9 through 6.15 series and was resolved upstream by stopping job scheduling around aie2_release_resource() and validating context state in aie2_sched_job_run(). No public exploit identified at time of analysis, and EPSS scoring (0.02%) indicates negligible near-term exploitation probability.

Linux Denial Of Service Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45959 HIGH PATCH This Week

Local privilege escalation or denial-of-service in the Linux kernel's AMD CCP (Cryptographic Coprocessor) driver stems from a misuse of the __cleanup(kfree) attribute on a local pointer, causing kfree() to be invoked with the address of a stack variable rather than the heap allocation returned by kmalloc. The resulting invalid deallocation of a stack address crashes the kernel and could be leveraged by a low-privileged local user for impact on confidentiality, integrity, and availability (CVSS 7.8). EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but vendor patches are available in stable trees 6.18.14 and 6.19.4.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45951 HIGH PATCH This Week

Local privilege escalation in the Linux kernel's BPF subsystem stems from incorrect refcounting in check_pseudo_btf_id() that can leave a BTF (BPF Type Format) object with a zero refcount while still in use, creating a use-after-free condition. Affected kernels (around 6.14 through pre-patch 6.18.14/6.19.4) allow a local low-privileged user capable of loading BPF programs to corrupt kernel memory, with no public exploit identified at time of analysis and EPSS scoring exploitation likelihood at only 0.02%.

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45931 HIGH PATCH This Week

Local privilege escalation or denial-of-service in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) arises from a use-after-free of the mm structure during iommu_sva_unbind_device(). The driver previously released the mm reference before unbinding, allowing iommu_mm access on freed memory. No public exploit identified at time of analysis and EPSS scores this at 0.02% (4th percentile), indicating very low expected exploitation activity in the near term.

Linux Denial Of Service
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45929 HIGH PATCH This Week

Use-after-free in the Linux kernel's OpenVPN data channel offload (ovpn) module allows a local attacker with low privileges to potentially trigger memory corruption when transmitting shared sk_buff packets through ovpn_net_xmit. The flaw stems from continued use of a stale skb pointer after skb_share_check frees the original buffer, affecting peer lookup, skb_dst_drop, and TX statistics paths. No public exploit identified at time of analysis, and the EPSS probability is very low (0.02%), suggesting the bug is more of a stability and memory-safety concern than an imminently weaponized vector.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45909 HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel's MediaTek clock gate driver stems from incorrect use of __initconst annotations on mtk_gate structures that are accessed at runtime, not just during initialization. After kernel init completes, the memory backing these structs is freed, so any runtime access reads freed memory - affecting Linux 6.18 prior to stable releases 6.18.14 and 6.19.4. CVSS rates this 7.8 (High) with local attack vector; EPSS is 0.02% and no public exploit identified at time of analysis.

Mediatek Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45896 HIGH PATCH This Week

Out-of-bounds array access in the Linux kernel's Intel Discrete Graphics MTD driver (mtd_intel_dg.c) lets a local actor trigger kernel memory corruption when the driver enumerates NVM regions before nregions is initialized. The flaw, caught by UBSAN as an array-index-out-of-bounds at line 750, affects systems running kernel 6.17 through the pre-patch 6.18/6.19 series with Intel discrete graphics hardware. No public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.02%, 4th percentile).

Linux Buffer Overflow Intel Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45839 HIGH PATCH This Week

Local denial of service in the Linux kernel's BPF CO-RE relocation parser allows a process holding CAP_BPF to deterministically crash the system by loading a BPF program with a negative CO-RE accessor index. The flaw stems from bpf_core_parse_spec() in the libbpf relocation core accepting negative values from sscanf("%d") that bypass upper-bound checks due to integer promotion, ultimately driving an out-of-bounds read past the BTF members array. EPSS is negligible (0.01%) and there is no public exploit identified at time of analysis; a kernel oops backtrace is published in the changelog but it serves as a crash reproducer rather than a weaponized exploit.

Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-3623 HIGH This Week

Local privilege escalation in IBM Netezza Performance Server Replication Services (versions 3.0.2.0 through 3.0.5.0) allows an already-authenticated, low-privileged user on the appliance to gain full root control. By abusing the over-privileged Replication Services component the attacker can execute root-level commands, spawn a root shell, reset the root password, alter or delete system-wide files, and plant persistent backdoors, resulting in complete loss of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis, and no EPSS score was supplied in the source data, so the issue currently reflects vendor-reported risk rather than observed exploitation.

Privilege Escalation IBM
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2023-52945 HIGH PATCH This Week

Uncontrolled search path element vulnerability in OpenSSL DLL component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to execute arbitrary code via unspecified vectors. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Synology RCE OpenSSL
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-44705 HIGH PATCH GHSA This Week

Path traversal in the tmp npm package (versions < 0.2.6) lets callers escape the intended temporary directory by passing traversal sequences or absolute paths in the prefix, postfix, or dir options to tmp.file(), tmp.dir(), or tmp.tmpName(). Applications that forward untrusted input into those options can be coerced into creating files at attacker-chosen filesystem locations with the process's privileges, enabling config poisoning, cache poisoning, or web-shell drops. Publicly available exploit code exists (the advisory ships a working PoC and a regression test), but no public exploit identified at time of analysis indicates active exploitation in the wild.

Path Traversal PHP Microsoft Node.js Privilege Escalation +2
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-46427 HIGH PATCH This Week

Sensitive credential disclosure in Budibase low-code platform versions prior to 3.38.3 allows any authenticated low-privilege user to retrieve a configured Snowflake datasource's private key in plaintext. The flaw stems from an incomplete secret-masking filter that only redacts fields typed as PASSWORD, leaving the Snowflake privateKey field (typed SENSITIVE_LONGFORM) exposed through the GET /api/datasources/:datasourceId endpoint. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is fixed in 3.38.3.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-48146 HIGH PATCH GHSA This Week

Server-side request forgery in Budibase before 3.39.0 lets an authenticated user with the BUILDER role coerce the platform into making attacker-controlled outbound requests by setting a malicious OAuth2 token endpoint URL. Because the token fetch path bypassed the codebase's existing SSRF-blocking HTTP wrapper, responses from internal-only services such as the CouchDB database or cloud instance metadata endpoints can be exfiltrated. No public exploit identified at time of analysis, but the flaw is straightforward to trigger and EPSS/KEV signals were not supplied.

SSRF Information Disclosure
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-2253 HIGH PATCH This Week

External XML entity resolution in Hitachi Vantara Pentaho Data Integration & Analytics lets an authenticated, low-privileged attacker submit crafted XML that the application's parser resolves, disclosing sensitive local files and enabling server-side request forgery against internal systems. All releases before 10.2.0.7 are affected, as are 11.x branches before 11.0.0.0, explicitly including the 9.3.x and 8.3.x lines. There is no public exploit identified at time of analysis, and the EPSS exploitation probability is very low (0.03%, 8th percentile).

XXE Pentaho Data Integration And Analytics
NVD
CVSS 3.1
7.7
EPSS
0.0%
Prev Page 3 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy