Cross-Site Request Forgery in WP AutoBuzz (WordPress plugin, all versions ≤1.1.1) enables unauthenticated remote attackers to update plugin settings and inject persistent malicious scripts by tricking an authenticated administrator into clicking a crafted link. The attack carries particular severity because the unsanitized value is written directly via WordPress's update_option at the plugin level, entirely bypassing the DISALLOW_UNFILTERED_HTML hardening constant that would otherwise block unfiltered HTML in post content. No public exploit code and no active exploitation have been identified at time of analysis; EPSS is 0.02% and SSVC classifies exploitation status as none.
Cross-Site Request Forgery in WP Promoter (WordPress plugin, all versions ≤1.3) enables unauthenticated remote attackers to update plugin settings and inject persistent malicious JavaScript by tricking an authenticated administrator into clicking a crafted link. The CVSS changed-scope designation (S:C) signals that successfully injected scripts execute in the browsers of subsequent site visitors - extending impact beyond the targeted administrator. No public exploit code has been identified and EPSS at 0.01% (2nd percentile) reflects negligible observed exploitation activity at time of analysis.
Synology Assistant before version 7.0.6-50085 exposes local users to arbitrary file write with restricted content via an origin validation error triggered during the installation process. The CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H) indicates that while integrity impact is limited, availability impact is rated High - meaning an attacker can corrupt or overwrite files in ways that destabilize the system, even though the written content is constrained. No public exploit code exists and CISA has not added this to KEV; EPSS stands at 0.00%, reflecting minimal observed exploitation interest.
Synology Active Backup for Business Agent before version 3.1.0-4967 contains an origin validation error (CWE-346) that permits local users to write arbitrary files with restricted content during the installation process, resulting in high availability impact and limited integrity compromise. The CVSS vector (AV:L/PR:N/UI:R) indicates exploitation requires local system access and user interaction - specifically, the installation must be in progress. No public exploit code has been identified and EPSS sits at 0.00%, aligning with SSVC's 'exploitation: none' assessment, indicating this is a low-urgency but legitimate local privilege abuse risk during deployment windows.
Arbitrary file write with restricted content in Synology ActiveProtect Agent before 1.1.0-0439 is exploitable by local users during the installation process due to an origin validation error (CWE-346). The CVSS vector (AV:L/AC:L/PR:N/UI:R) indicates a low-complexity local attack requiring user interaction - consistent with exploitation during an installation workflow - and scores high on availability impact (A:H) while integrity impact is limited (I:L), suggesting the file write can disrupt system stability despite content restrictions. No public exploit code exists and CISA SSVC rates exploitation as none with partial technical impact.
Stored cross-site scripting in Webmin's mailboxes component (detach.cgi) allows a remote unauthenticated attacker to execute arbitrary JavaScript in the browser session of an authenticated Webmin user by sending an email containing a crafted SVG attachment. Because detach.cgi served SVG files with the image/svg+xml content type instead of a safe type, browsers treated the SVG as an active document on the Webmin origin, enabling script execution with full same-origin access to the Webmin interface. No public exploit has been identified and CISA has not listed this in KEV, but the attack surface is straightforward given the ubiquity of email as a delivery channel and Webmin's privileged system-administration context.
Stored XSS in Synology Safe Access before 1.3.1-0329 on SRM (Synology Router Manager) allows remote authenticated administrators to inject malicious scripts that execute in the SRM context, enabling limited reads or writes of non-sensitive files and constrained denial-of-service conditions. The CVSS Scope:Changed rating confirms cross-component impact - the vulnerability originates in the Safe Access module but affects the broader SRM platform. No public exploit code exists and no active exploitation has been identified; EPSS at 0.03% and SSVC exploitation status of 'none' collectively indicate negligible current threat in the wild.
IBM Operations Analytics - Log Analysis 1.3.5.0, 1.3.5.1, 1.3.5.2, 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.7.0, 1.3.7.1, 1.3.7.2, and 1.3.8.0, 1.3.8.1, 1.3.8.2, 1.3.8.3, 1.3.8.4 IBM SmartCloud Analytics - Log. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Authenticated cross-device task-result injection in Microsoft UFO's constellation architecture allows a low-privileged peer device to hijack the pending task response of a victim device by spoofing a TASK_END message. Specifically in version 3.0.1-4-ge2626659, the constellation server resolves pending Futures keyed solely on session_id without binding verification to the originating device, meaning any authenticated constellation participant who can supply a matching session_id can substitute attacker-controlled result data into the victim device's task flow. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, though the high-complexity CVSS vector (AC:H) reflects the session_id guessing or observation requirement.
Unsalted SHA-256 password hashing in WeGIA exposes all stored credentials to rainbow table attacks in versions prior to 3.7.3. Both the login flow (html/login.php) and the password-change flow (controle/FuncionarioControle.php) use PHP's hash() with SHA-256 and no per-user salt, meaning identical passwords always produce identical digests and a single precomputed table can compromise the entire credential database at once. No public exploit has been identified at time of analysis and no KEV listing exists, but exploitability is high once hash data is obtained - the attack requires only standard rainbow table tooling and no cryptographic skill.
Stored cross-site scripting in ZTE ZXUniPOS NDS-LTE enables an authenticated high-privilege attacker to persist malicious JavaScript within the system, which executes automatically in the browsers of other users who access the affected pages. Affected versions include V24.30.40CP02 and V24.40.40 and their respective earlier releases, confirmed via ENISA EUVD-2026-32041 and ZTE's own security bulletin. No public exploit identified at time of analysis, and an EPSS score of 0.03% (9th percentile) reflects a very low automated exploitation probability.
Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, where each PAM call overwrites a shared static pointer with the address of a stack-local variable. When multiple threads invoke the PAM stack simultaneously - a normal condition in multi-threaded Linux services such as SSH daemons or display managers - one thread's logging pointer can reference another thread's already-deallocated stack frame, causing availability loss (crash/hang) or limited integrity corruption. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV.
Stored cross-site scripting (XSS) in the RabbitMQ Management Plugin web UI allows a high-privileged authenticated attacker to inject malicious script content that executes in the browser of another administrative user viewing the affected page. Affected deployments span RabbitMQ Server 3.7.0 through 4.0.12 and 4.1.0-alpha through 4.1.1. No public exploit code or active exploitation has been identified at time of analysis; however, successful exploitation can result in high confidentiality impact, consistent with session token theft or credential harvesting within the management console.
Authentication bypass in SpSoft AppLock 7.9.40 for Android allows a local attacker with physical device access to circumvent fingerprint or PIN protection and access locked applications such as Chrome. The flaw stems from the app's reliance on a custom UI overlay rather than enforcing authentication at a deeper system level - cascading interface navigation triggered via advertisement or browser intents exposes routes that allow the attacker to exit the lock screen without re-authenticating. No public exploitation (CISA KEV) has been confirmed, but a researcher-published proof-of-concept exists on GitHub, and EPSS is low at 0.04% (11th percentile), consistent with the physical-access requirement limiting opportunistic exploitation.
Stored cross-site scripting in Jenkins buildgraph-view Plugin 1.8 and earlier allows authenticated attackers with job or view configuration privileges to inject persistent malicious scripts via an unescaped build URL. Any Jenkins user who subsequently views the affected build graph page triggers execution of the attacker-controlled script in their browser context. No active exploitation is confirmed (not in CISA KEV) and no public exploit code is known; SSVC rates exploitation status as none with partial technical impact.
Uninitialized stack memory exposure in the Linux kernel's MCTP-over-I2C (mctp-i2c) driver affects systems using i2c-aspeed or i2c-npcm7xx bus drivers, particularly server/BMC hardware with Aspeed and Nuvoton chipsets. When a read is performed against an mctp-i2c device instance, the event handler fails to initialize the 'val' byte before returning it to the caller, exposing whatever residual value sits on the kernel stack at that moment. No public exploit has been identified at time of analysis, and with an EPSS of 0.03% (10th percentile), real-world exploitation pressure is currently negligible; however, kernel stack data leakage is a meaningful information disclosure primitive on affected hardware.
Race condition in the Linux kernel's AF_ALG AEAD AIO interface allows a local low-privileged user to trigger a denial of service by exploiting shared socket-wide IV buffer state across concurrent asynchronous AEAD requests. The algif_aead subsystem fails to snapshot the Initialization Vector into per-request storage before dispatching async operations, meaning any concurrent socket activity that updates the shared IV can corrupt an in-flight request before it completes. No public exploit has been identified and EPSS is extremely low at 0.02% (7th percentile); vendor-released patches are available across all supported stable kernel branches.
Stale data exposure in the Linux kernel's ext4 filesystem affects systems using the dioread_nolock mount option, triggered by a flag-handling logic error in the extent-splitting code path during Direct I/O operations. When `EXT4_GET_BLOCKS_CONVERT` is incorrectly passed during a pre-I/O split of an unwritten extent, a simultaneous `-ENOSPC` failure in `ext4_split_extent_at()` causes the entire on-disk extent to be prematurely converted to written state while the in-memory extent status tree retains an inconsistent unwritten marker for the second half; if the DIO write subsequently fails, a future read of that region exposes stale pre-zero data. No public exploit has been identified at time of analysis, EPSS is 0.02% (7th percentile), and there is no CISA KEV listing, indicating no confirmed active exploitation.
NFSv4 server slot exhaustion in the Linux kernel nfsd subsystem causes persistent denial of service for NFS clients when idmap upcall delays occur during compound argument decoding. Specifically, when a SETATTR or similar compound operation triggers an idmap lookup upcall that exceeds the allowed time limit, cache_check() sets RQ_USEDEFERRAL and drops the request before nfs4svc_encode_compoundres() can execute - meaning the NFSD4_SLOT_INUSE session slot flag is never cleared. All subsequent client requests on that session slot fail with NFSERR_JUKEBOX indefinitely. No public exploit has been identified and EPSS is 0.02% (7th percentile), indicating no active exploitation pressure; this is a logic flaw with confirmed upstream patches across all major stable branches.
NULL pointer dereference in the Linux kernel's ACPICA subsystem crashes the kernel via a missed execution path in acpi_ev_address_space_dispatch(), resulting in a local denial of service. Affected systems run Linux kernel versions tracing back to commit 0acf24ad7e10f547809faefb8069f8f5482eb4d9, spanning multiple stable branches through at least 6.19.x. No public exploit exists and EPSS is negligible at 0.02% (7th percentile), but the high availability impact and wide kernel version coverage make patching prudent for any multi-tenant or availability-sensitive Linux environment.
Use-after-free and double-free conditions in the Linux kernel's s390/cio Channel I/O subsystem expose IBM Z (mainframe) systems to local denial-of-service attacks via kernel crash. The flaw resides in `css_alloc_subchannel()`, where `device_initialize()` is invoked before DMA mask configuration; if that configuration fails, the error path incorrectly calls `kfree()` directly, bypassing the kernel device model's reference counting and corrupting kernel memory. With a CVSS score of 5.5 (AV:L), an EPSS of 0.02% (7th percentile), no KEV listing, and strict hardware-architecture scope limited to s390/IBM Z, this is no public exploit identified at time of analysis and represents a low-urgency but architecturally significant stability fix.
NULL pointer dereference in the Linux kernel's staging Greybus lights driver (`drivers/staging/greybus/lights.c`) causes a local denial of service via kernel panic. The flaw affects systems running Greybus-enabled kernels since commit 2870b52b (Linux 4.9 onward), where a low-privileged local user can trigger a kernel crash if `kcalloc()` fails during lights channel initialization. No public exploit exists and EPSS is 0.02% (7th percentile), reflecting niche hardware dependency; the vulnerability is not listed in CISA KEV.
Invalid leaf access in the btrfs quota subsystem of the Linux kernel allows a local low-privileged user to crash the system by triggering a denial-of-service condition in `btrfs_quota_enable()`. When `btrfs_search_slot_for_read()` returns 1 - signaling end-of-tree with no valid key found - the function fails to exit its loop and proceeds to dereference the now-invalid path pointer, causing a kernel panic. Patched versions are confirmed across multiple stable series (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, 7.0); no public exploit or CISA KEV listing exists at time of analysis.
NULL pointer dereference in the Linux kernel HID PlayStation driver crashes the kernel when force feedback (FF) effects are triggered on a PlayStation controller that experienced a silent initialization failure. Systems running Linux 5.12 through unpatched stable branches with PlayStation controllers (DualSense, DualShock 4, or compatible HID devices) attached are affected. A local low-privileged attacker who can trigger FF effects on a controller where input_ff_create_memless() returned an error can cause a kernel panic, resulting in a full system denial of service. No public exploit exists and EPSS is 0.02% (7th percentile), consistent with a niche hardware driver flaw.
Null pointer dereference in the Linux kernel's cpuidle ladder governor crashes PowerNV systems when only a single idle state is registered - the governor incorrectly indexes into state 1 as if it were the first usable non-polling state, resulting in a NULL enter callback invocation and immediate kernel panic. Systems running IBM PowerNV hardware without a power-mgt device tree node are specifically at risk, as this firmware configuration causes cpuidle to register only the polling state (state 0). No public exploit code exists and EPSS probability is 0.02% (7th percentile), reflecting this is a platform-specific availability issue rather than a broadly exploitable attack surface; it is not listed in CISA KEV.
Kernel NULL pointer dereference in the Linux AppArmor security module allows a local low-privileged user to crash the system by reading an apparmorfs symbolic link under a specific runtime configuration sequence. The flaw exists in rawdata_get_link_base, where profile->rawdata->name is dereferenced without first verifying that rawdata is non-NULL after a profile replacement clears it. No public exploit exists and EPSS stands at 0.02%, though the crash is fully reproducible from the conditions documented in the commit description.
Memory exhaustion in the Linux kernel's SUNRPC GSS authentication subsystem (net/sunrpc/auth_gss/auth_gss.c) allows a local low-privileged user to leak kernel memory by repeatedly triggering a specific error path where kstrdup_const() fails during gss_alloc_msg() processing, preventing gss_auth structures from ever being freed. The defect was introduced by commit 5940d1cf9f42, which added kref_get(&gss_auth->kref) without the corresponding kref_put() on the err_put_pipe_version error path when service_name is non-NULL. With EPSS at 0.02% (7th percentile), no CISA KEV listing, and no public exploit, this is a low-urgency memory management defect primarily relevant to systems running NFS with Kerberos/RPCSEC_GSS authentication.
Out-of-bounds memory access in the Linux kernel ublk (userspace block device) subsystem allows a local low-privilege user to crash the kernel by submitting an io_uring control command without the IO_URING_F_SQE128 flag set. The root cause is that ublk_ctrl_cmd_dump() unconditionally accesses the extended cmd field of a Submission Queue Entry before ublk_ctrl_uring_cmd() validates that the SQE is 128 bytes in size, reading beyond the 64-byte standard SQE boundary. No public exploit is identified at time of analysis, and the EPSS score of 0.02% at the 7th percentile signals very low exploitation probability.
Kernel panic via reference count corruption in the Linux kernel's HFS+ filesystem driver (hfsplus) allows a local attacker with low privileges to crash the system. The function hfs_bnode_create() returns an already-hashed B-tree node without incrementing its reference count when it unexpectedly encounters a node that should not yet exist - a condition triggered by filesystem corruption or a logic error in hfs_bmap_alloc(). When hfs_bnode_put() later decrements the reference count to zero and attempts cleanup, the kernel triggers a fatal BUG_ON(!atomic_read(&node->refcnt)) assertion at bnode.c:676, causing an immediate kernel panic. No public exploit exists and EPSS is 0.02% (7th percentile), consistent with the local-only attack vector and niche trigger conditions, but the availability impact is total for affected systems.
Memory leak in Linux kernel's fbdev au1200fb framebuffer driver causes resource exhaustion when the probe function encounters IRQ allocation failure. The vulnerability exists in au1200fb_drv_probe() within the au1200fb driver: when platform_get_irq() returns an error, the function returns immediately without releasing previously allocated memory, leading to kernel heap exhaustion over time. Local attackers or repeated probe failures (e.g., via hotplug events on affected MIPS-based Alchemy hardware) can deplete kernel memory, resulting in denial of service. No public exploit has been identified at time of analysis, and EPSS at 0.02% (7th percentile) confirms negligible exploitation interest.
Memory exhaustion in the Linux kernel's ext4 filesystem driver allows a local low-privilege user to gradually degrade system availability by repeatedly triggering a kernel memory leak in ext4_ext_shift_extents(). The flaw, present since approximately kernel 3.15, causes path structures allocated by ext4_find_extent() to go unreleased when a NULL extent is encountered during fallocate shift operations. With no CISA KEV listing, an EPSS of 0.02%, and no public exploit code identified, this is a low-urgency but genuine patch priority for long-lived ext4 systems with unprivileged local users.
TPM locality leak in the Linux kernel's tpm_i2c_infineon driver allows a local user on an affected system to exhaust TPM localities and render the TPM device unavailable. The tpm_tis_i2c_send() function acquires a TPM locality at entry but fails to release it when get_burstcount() times out with -EBUSY, causing a resource leak on every such timeout. Patches are available across multiple stable kernel branches; no public exploit code or active exploitation (CISA KEV) has been identified, and EPSS is 0.02% at the 7th percentile.
Improper lock release in the Linux kernel ksmbd subsystem (in-kernel SMB server) allows a local low-privileged user to trigger a deadlock by inducing error paths in `ksmbd_vfs_kern_path_locked` where `ksmbd_vfs_kern_path_end_removing()` is never called to balance the corresponding `ksmbd_vfs_kern_path_start_removing()`. Affected kernel versions span multiple stable branches from 5.15 through 6.17. No public exploit or active exploitation is known; EPSS stands at 0.02% (7th percentile), confirming low real-world exploitation probability.
Missing endpoint descriptor validation in the Linux kernel catc USB Ethernet driver allows a physically-present attacker with a crafted USB device to cause a kernel denial of service. The catc_probe() function submits URBs against hardcoded endpoint pipes (bulk on endpoint 1, interrupt on endpoint 2) without confirming that the connected device actually presents those endpoint types - a malformed device can exploit this assumption to trigger undefined behavior at the URB submission layer. No active exploitation has been confirmed (not listed in CISA KEV), and the EPSS score is extremely low at 0.02% (7th percentile), reflecting limited real-world exploitation likelihood.
An infinite self-IPI loop in the Linux kernel's real-time scheduler `rto_next_cpu()` function causes a CPU hardlockup, resulting in a complete denial of service on affected multi-CPU systems. Systems with `HAVE_RT_PUSH_IPI` enabled are vulnerable when a specific concurrent mix of CPU-bound RT tasks, non-CPU-bound RT tasks, and kernel-stuck CFS tasks triggers a race condition between `rd->rto_loop` and `rd->rto_loop_next` during RT load balancing. No public exploit exists and this is not listed in CISA KEV; the EPSS score of 0.02% (7th percentile) confirms low real-world exploitation probability.
Availability impact in the Linux kernel FAT filesystem driver allows a local low-privileged user to trigger a kernel WARN_ON by mounting and operating on a corrupted FAT image with incorrect directory link counts. Specifically, rmdir unconditionally decrements the parent inode's i_nlink without first verifying it is at least 3, allowing underflow to zero on malformed images. No public exploit has been identified and the EPSS probability is 0.02% (7th percentile), but the kernel WARN_ON can cause a system crash, making the real-world availability impact high on affected systems where users can mount FAT images.
Ext4 filesystem extent-splitting logic in the Linux kernel incorrectly caches extents mid-operation, leaving stale hole entries in the in-memory extent status tree (ESTree). When a Direct I/O write partially covers a pre-allocated unwritten extent, ext4_split_extent_at() can insert an incorrect hole entry that persists uncorrected, causing space accounting errors when subsequent delayed buffer writes target the same region. No active exploitation has been confirmed (not in CISA KEV), and the EPSS score of 0.02% (7th percentile) reflects negligible real-world exploitation likelihood; this is primarily a kernel correctness and filesystem availability defect rather than a targeted attack surface.
NULL pointer dereference in the Linux kernel's cdns3 USB dual-role driver crashes the kernel when a USB OTG role switch to host mode occurs during a system resume from suspend. The host role's resume() operation calls usb_hcd_is_primary_hcd() on an xhci-hcd device whose probe has been deferred by the driver model, yielding a dereference at virtual address 0x208 and a kernel oops. Impact is limited to denial of service (system crash); no privilege escalation or data disclosure is possible. No active exploitation is confirmed (CISA KEV absent, EPSS 0.02%), and the vulnerability is practically relevant only on hardware platforms featuring the Cadence USB3 cdns3 controller.
Recursive mutex deadlock in the Linux kernel's PowerPC Enhanced Error Handling (EEH) subsystem causes denial of service on IBM POWER systems running affected kernel versions. Commit 1010b4c012b0 inadvertently repositioned pci_lock_rescan_remove() calls so that eeh_handle_normal_event() holds the lock before invoking eeh_pe_bus_get(), which internally attempts to acquire the same mutex, producing a confirmed lockdep-detected deadlock that crashes the EEH daemon and disables PCI error recovery. No public exploit has been identified and the EPSS score of 0.02% (7th percentile) reflects the narrow hardware-specific attack surface; real-world impact is a reliability and availability concern for IBM POWER server operators rather than a traditional security attack vector.
Availability impact via stale extent cache corruption in the Linux kernel's ext4 filesystem driver allows a local low-privileged user to trigger a kernel denial-of-service condition. When an ext4 extent-splitting operation fails mid-execution, stale entries are left in the extent status tree, which can cause subsequent filesystem operations to crash the kernel. No public exploit exists and EPSS probability sits at 0.02% (7th percentile), reflecting this as a stability bug rather than a targeted attack vector. Vendor-released patches are available across all active stable branches.
Guest-to-host denial of service in the Linux kernel's xen-netback driver allows a malicious or buggy Xen guest to crash the hypervisor host by writing "0" to the xenbus key multi-queue-num-queues. The connect() function validates only the upper bound of requested_num_queues, permitting a zero value to reach vzalloc(array_size(0, ...)), which triggers WARN_ON_ONCE in __vmalloc_node_range(); on hosts with panic_on_warn=1 this escalates to a full kernel panic. No public exploit exists and EPSS is 0.02% (7th percentile), consistent with a narrow Xen-specific attack surface, but the guest-controlled code path is trivial to trigger and vendor patches have been backported across seven stable kernel series, confirming the impact is real.
BPF verifier rejection in the Linux kernel's XDP subsystem forces valid BPF programs to fail load-time verification when they pass pointers from BPF_F_RDONLY_PROG maps to the bpf_xdp_store_bytes helper. The root cause is an incorrect argument type annotation - the helper's third argument (source buffer) is declared as ARG_PTR_TO_UNINIT_MEM, which carries the MEM_WRITE flag, causing the verifier to demand write permission on memory that the helper only reads. Separately, this same mistype permits the helper to read from uninitialized memory (CWE-908). No public exploit is identified at time of analysis, and EPSS sits at 0.02%, but kernel patches across all active stable branches have been issued.
Resource leak in the Linux kernel's sca3000 IIO accelerometer driver (sca3000_probe()) allows a local low-privileged user on affected hardware to cause IRQ resource exhaustion by repeatedly triggering the error path where iio_device_register() fails without releasing the IRQ registered via request_threaded_irq(). Affected are Linux kernel versions from approximately 4.10 through multiple stable branches, all of which now have upstream fix commits. No public exploit exists and EPSS stands at 0.02% (7th percentile), indicating this is a robustness/maintenance fix rather than an actively targeted vulnerability.
Memory exhaustion via the MediaTek SVS (Smart Voltage Scaling) debugfs interface in the Linux kernel allows a local attacker with low privileges to leak kernel memory on MediaTek SoC-based systems. The root cause is that `svs_enable_debug_write()` allocates a buffer via `memdup_user_nul()` to copy user-supplied input, but fails to free it when the subsequent `kstrtoint()` call rejects non-integer input - a classic CWE-401 missing-release flaw. No public exploit has been identified and EPSS is 0.02% (7th percentile), making this a low-urgency, patch-when-convenient issue for the narrow device population running affected MediaTek SoC kernels.
Regulator resource leak in the Linux kernel MFD Arizona WM5102 audio codec driver causes availability degradation on affected hardware when the write sequencer error path is triggered. The `wm5102_clear_write_sequencer()` helper returns early on error without jumping to the `err_reset` cleanup label, leaving kernel voltage regulators enabled and leaking resources across repeated invocations. Exploitation requires local low-privilege access on systems with WM5102 hardware; EPSS is 0.02% (7th percentile) and no active exploitation has been identified, placing real-world priority firmly in the low tier.
Denial-of-service via kernel crash in the Linux kernel's netfilter nft_set_rbtree subsystem, exploitable by a local user with nftables manipulation capability. The flaw lies in the partial overlap detection logic for anonymous sets: an optimization that omits end elements for adjacent intervals also inadvertently suppresses overlap checks on start elements, allowing two intervals sharing the same start point (e.g., A-B and A-C where C < B) to be inserted simultaneously, corrupting the red-black tree and triggering a kernel panic. No public exploit code has been identified at time of analysis, and the EPSS score of 0.02% (7th percentile) reflects low real-world exploitation probability, though the vulnerability is present across many long-term stable kernel branches.
Memory exhaustion denial-of-service in the Linux kernel smartpqi SCSI driver allows a local user to degrade system availability through kernel memory leak accumulation. The vulnerability exists in pqi_report_phys_luns(), which fails to release the rpl_list buffer on two distinct error paths - unsupported data format detection and rpl_16byte_wwid_list allocation failure - both of which bypass cleanup logic. No public exploit exists and EPSS sits at 0.02% (7th percentile), but systems running Microsemi/PMC-Sierra SmartPQI RAID controllers on unpatched kernels are at risk of gradual availability degradation.
Resource leak in the Linux kernel's st33zp24 TPM driver allows a low-privileged local user to exhaust TPM localities and deny TPM service on systems equipped with STMicroelectronics ST33ZP24 hardware. When get_burstcount() returns -EBUSY on timeout, st33zp24_send() exits without releasing the previously acquired TPM locality, creating a cumulative leak that can render all subsequent TPM operations unavailable. No public exploit code exists and EPSS probability is 0.02% (7th percentile), but systems relying on the ST33ZP24 for measured boot or disk-encryption attestation face meaningful operational risk if exploited.
Memory leaks in the Linux kernel's SUNRPC auth_gss subsystem allow a local low-privilege attacker to gradually exhaust kernel heap memory on systems using NFS with Kerberos (RPCSEC_GSS) authentication. The gssx_dec_ctx(), gssx_dec_status(), and gssx_dec_name() XDR decoding functions fail to release previously allocated kernel buffers when a partial decode sequence errors out mid-function, leaving unreferenced kmemdup() allocations on the heap. No public exploit exists and EPSS is 0.02%, but no public exploit identified at time of analysis; repeated triggering of the vulnerable paths could degrade availability on RPCSEC_GSS-enabled servers.
NULL pointer dereference in the Linux kernel's wm97xx battery power supply driver crashes the kernel when a hardware interrupt fires during a narrow initialization race window. Systems running Linux kernel versions from 2.6.32 through various stable branches (pre-patch releases in 5.10, 5.15, 6.1, 6.6, 6.12, 6.18, 6.19, and 7.0 series) with wm97xx-equipped hardware are affected. A local attacker - or natural hardware interrupt timing - can trigger a kernel panic (denial of service) during driver probe; no public exploit has been identified and EPSS sits at the 7th percentile, reflecting the narrow hardware footprint.