Skip to main content
CVE-2026-45868 MEDIUM PATCH This Month

Reference count leak in the Linux kernel's pinctrl-single driver (`pcs_add_gpio_func()`) allows a local low-privileged user to cause kernel memory exhaustion and denial of service on affected embedded/SoC platforms. The `of_parse_phandle_with_args()` Device Tree API increments a refcount on the returned device_node pointer, but the iterating loop never calls `of_node_put()` to release it - accumulating leaked references on every GPIO phandle processed. No public exploit exists and EPSS is 0.02%, placing this firmly in the low-urgency patch category; exploitation requires specific hardware and driver configuration not present on typical x86 servers.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45864 MEDIUM PATCH This Month

Infinite loop denial of service in the Linux kernel's ntfs3 filesystem driver allows a local low-privileged user to hang the kernel's I/O subsystem by triggering a non-terminating loop in the file write path. The flaw in `ntfs_file_write_iter` (fs/ntfs3/file.c:1284) occurs when iterating over the valid data range [valid:pos) during a write operation - if the `valid` pointer fails to advance (returning the same value), the loop condition is never satisfied and the inode lock is held indefinitely, causing a full write-path hang. No active exploitation has been identified (absent from CISA KEV) and EPSS of 0.02% at the 7th percentile confirms negligible observed exploitation activity; a patch is available across all affected stable branches.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45857 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's csiostor SCSI driver (Chelsio T5 iSCSI storage controller) causes a local denial-of-service via kernel panic. The flaw resides in the error exit path: when the pointer rn is NULL, the CSIO_INC_STATS macro still dereferences it, triggering a kernel crash. Exploitation requires local low-privilege access on a system equipped with Chelsio csiostor hardware; no active exploitation is confirmed (not in CISA KEV) and EPSS sits at 0.02% (7th percentile), indicating minimal real-world exploitation pressure.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45849 MEDIUM PATCH This Month

Improper locking in the Linux kernel's Microsemi Ocelot network switch driver (`net/mscc/ocelot`) allows a local low-privileged user on hardware running Ocelot switch chips to trigger a race condition in `ocelot_port_xmit_inj()`, potentially causing a kernel panic or system crash. Affected stable branches span 6.1.107-6.1.164, 6.6.48-6.6.127, and 6.10.7 through 6.11 release candidates, with patches confirmed in 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, and 7.0. No public exploit identified at time of analysis; EPSS at 0.02% (7th percentile) reflects extremely low exploitation probability, consistent with the hardware-specific trigger requirement and local-only attack vector.

Code Injection Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45848 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's AppArmor LSM function `aa_sock_file_perm` allows a local authenticated user to crash the kernel (oops) during socket setup or teardown. The flaw affects the fallback mediation path for AF_UNIX sockets and all other socket families when AppArmor is in enforcing mode, because neither `sock` nor `sock->sk` are validated for NULL before dereferencing. Impact is limited to availability (system crash); no confidentiality or integrity loss is possible. No public exploit is identified at time of analysis, and EPSS at 0.02% (7th percentile) indicates negligible exploitation probability.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45847 MEDIUM PATCH This Month

Reachable assertion in the Linux kernel network subsystem allows a local low-privileged user to trigger a WARN_ON_ONCE by constructing a sufficiently long forward path through IPIP tunnels, resulting in a kernel warning and high availability impact. The root cause (CWE-617) is an assertion in the forward path array access code that became reachable after IPIP tunnel support was introduced, expanding the possible depth of forward paths beyond the implicit assumption encoded in the warning. No public exploit code exists and EPSS is extremely low (0.02%, 7th percentile), but the kernel-level denial-of-service impact on local multi-tenant or containerized systems warrants patching.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71305 MEDIUM PATCH This Month

The drm/display/dp_mst subsystem in the Linux kernel crashes with a UBSAN shift-out-of-bounds error when a DP 2.1 monitor disconnects while delayed_destroy_work is still in flight, producing a kernel denial-of-service on affected systems. Systems running unpatched kernel versions across the 6.1.x, 6.6.x, 6.12.x, 6.18.x, and 6.19.x stable branches with DisplayPort Multi-Stream Transport (MST) capable hardware are vulnerable. No public exploit or active exploitation has been identified; patches are available across all affected stable branches with specific fix commits traceable to git.kernel.org.

Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71304 MEDIUM PATCH This Month

Networking denial of service in the Linux kernel's Smack LSM disrupts IPv4 connectivity for all processes carrying non-ambient Smack labels when a previously-used CIPSO DOI value is cycled through /smack/doi. The kernel's smk_cipso_doi function retains decommissioned DOI definitions in netlabel's CIPSO configuration, causing re-add operations to fail with EEXIST (-17); this prevents the default IPv4 domain mapping from being re-established, silently severing label-based network traffic. No public exploit code is identified and EPSS sits at 0.02% (7th percentile), reflecting the very narrow deployment surface - only systems with Smack as the active LSM and CIPSO networking configured are affected.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46018 MEDIUM PATCH This Month

Availability degradation in the Linux kernel ALSA USB audio subsystem allows a local attacker with a crafted UAC2 USB audio device to trigger an unbounded parsing loop that holds register_mutex while repeatedly flooding the kernel log with error messages. Affected systems running snd-usb-audio on multiple stable kernel branches from 3.x through 7.0 are exposed to denial-of-service via mutex contention during USB device probe. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (6th percentile) reflects minimal threat actor interest; no CISA KEV listing exists.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45844 MEDIUM PATCH This Month

Incorrect ARP payload parsing in the Linux kernel's netfilter arptables subsystem causes filtering rules to evaluate against garbage data on systems with IEEE1394 (FireWire) network interfaces. The arp_packet_match() function and arpt_mangle both assume a standard dual-hardware-address ARP layout, but IPv4-over-IEEE1394 per RFC 2734 omits the target hardware address field - the same discrepancy the rest of the kernel ARP stack already handles correctly. The result is that arptables rules on FireWire interfaces silently malfunction: legitimate traffic may be dropped and traffic that should be blocked may be passed, with arpt_mangle additionally writing to wrong offsets and corrupting packets. No public exploit has been identified and EPSS is 0.02% (6th percentile), consistent with the extremely niche attack surface.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-15649 MEDIUM PATCH This Month

Uncaught exception in IO::Uncompress::Unzip before version 2.215 for Perl causes application-level denial of service when parsing ZIP files containing malformed DOS date fields. The `_dosToUnixTime()` function calls `Time::Local::timelocal()` without an `eval` guard, so a ZIP header encoding an out-of-range month, day, or hour causes `timelocal()` to `die`, propagating the exception to the caller rather than returning `undef` with a populated `$UnzipError` as callers expect. Any Perl application that processes untrusted ZIP files locally is affected; no public exploit has been identified at time of analysis, and EPSS exploitation probability is negligible at 0.02%.

Information Disclosure Io Suse Red Hat
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46032 MEDIUM PATCH This Month

Nested SVM virtualization in the Linux kernel KVM subsystem can leave the host hypervisor (L1) running with corrupted page-table state when CR3 restoration fails during a nested #VMEXIT. The root function nested_svm_vmexit() returns an error code that most callers silently ignore, meaning the host continues executing against corrupt address-space mappings rather than triggering the shutdown behavior mandated by the AMD Architecture Programmer's Manual. The fix injects a triple fault - mirroring real hardware behavior - and continues cleanup to avoid leaving vCPU state partially torn down. No public exploit exists and EPSS is 0.02%, but the availability impact is high for any host running nested AMD virtualization.

Linux Code Injection Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45963 MEDIUM PATCH This Month

Kernel crash via use-after-free race in the Linux kernel nau8821 ASoC audio codec driver affects systems including the Valve Steam Deck when a jack detection workqueue item executes after the driver component has been removed. The missing cancel_delayed_work_sync call in the component remove path allows nau8821_jdet_work to dereference freed kernel structures, producing a fatal page fault. No public exploit exists and EPSS is 0.02%, but any NAU8821-equipped system on kernel versions from 5.16 through pre-6.19.4 is vulnerable to local denial-of-service via kernel panic.

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46103 MEDIUM PATCH This Month

Memory leak in the Linux kernel's CAN UCAN USB driver allows a local low-privileged user to exhaust kernel memory by repeatedly triggering driver unbind cycles without physical device disconnection. The flaw (CWE-401) exists because devres-managed buffers are incorrectly scoped to the parent USB device rather than the USB interface, so they are never released during software-initiated unbind events such as probe deferral or configuration changes. No public exploit code exists and EPSS sits at 0.02% (5th percentile), indicating near-zero real-world exploitation probability despite the CVSS Availability: High rating.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46101 MEDIUM PATCH This Month

Undefined behavior in the Linux kernel's nftables bitwise expression handler allows a local attacker with low privileges to crash the kernel. The nft_bitwise subsystem failed to reject zero-value shift operands during rule initialization; a zero shift causes the carry propagation formula (BITS_PER_TYPE(u32) - shift = 32 - 0 = 32) to perform a 32-bit shift of a 32-bit type, which is undefined behavior in C and can result in a kernel panic. No public exploit is identified at time of analysis, and EPSS at 0.02% (5th percentile) indicates very low automated exploitation activity, consistent with the local-only attack vector requiring nftables configuration privileges.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46098 MEDIUM PATCH This Month

Use-after-free in the Linux kernel CAIF networking subsystem allows a local low-privileged user to crash the kernel via a double invocation of caif_free_client(). The CAIF socket layer in caif_connect() can tear down a client on remote shutdown, freeing the service object via adap_layer->dn but leaving that pointer stale; when the socket is later destroyed, caif_sock_destructor() dereferences the already-freed pointer, triggering a NULL pointer dereference (CWE-476) and kernel oops. No public exploit exists and EPSS sits at 0.02% (5th percentile), but vendor-released patches are available across multiple stable kernel branches.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46092 MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel rtw88 PCIe WiFi driver for the Realtek 8821CE adapter crashes the kernel during driver probing when the card is installed directly on a root PCI bus without an upstream PCI-to-PCI bridge. The defect was discovered via Svace static analysis by the Linux Verification Center - not through active exploitation - and no public exploit has been identified at time of analysis. EPSS of 0.02% (5th percentile) reflects the highly hardware-specific triggering condition, though the crash is deterministic when that condition is met.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46091 MEDIUM PATCH This Month

Denial of service in the Linux kernel's igorplugusb infrared remote control driver allows a local low-privileged user to crash the kernel on systems where a compatible USB IR receiver is connected and the host controller performs DMA on control requests. The igorplugusb driver failed to allocate the USB control request structure separately, violating DMA coherency requirements enforced by certain host controllers - an object allocated on the kernel stack or embedded in a larger structure is not guaranteed to be DMA-safe. No public exploit code exists, and EPSS of 0.02% confirms negligible exploitation interest. Vendor-released patches are available across multiple stable branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46089 MEDIUM PATCH This Month

The zram compressed-RAM block device driver in the Linux kernel hangs processes indefinitely when partial discard requests are submitted on systems where the discard granularity is smaller than the system page size (e.g., 4K discards on ARM64 systems with 64K pages). The driver correctly identifies partial discards as unsupported and returns early, but omits calling bio_endio(), leaving submit_bio_wait() blocked forever. Exploitation requires local access to a zram device with low privileges; no public exploit exists and EPSS is 0.02%, consistent with a niche local denial-of-service. Patches are available across multiple stable kernel branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46088 MEDIUM PATCH This Month

Kernel panic via exhausted buffer in the ALSA control subsystem affects Linux kernel builds compiled with CONFIG_FORTIFY_SOURCE and Clang, allowing a local low-privileged user to crash the system. The function snd_ctl_elem_init_enum_names() fails to guard against a zero buf_len before invoking strnlen(), and Clang's fortified strnlen fires a BRK exception when it cannot determine the object size of the advanced pointer p inside the loop - panicking the kernel before the intended error-path return. Discovered through kernel fuzz testing on Xiaomi Smartphone hardware; no public exploit and no KEV listing; EPSS is 0.02%.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46086 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel bridge subsystem's FDB (Forwarding Database) RCU readers allows a local low-privileged user to crash the kernel via a sysfs read race. The vulnerability in `br_fdb_fillbuf()` - reached through the `brforward_read()` sysfs path - loads `f->dst` multiple times without synchronization, enabling a concurrent `fdb_delete_local()` call to nullify the pointer between the NULL check and the subsequent `port_no` dereference. No active exploitation has been identified (EPSS 0.02%, not in CISA KEV), but vendor patch commits are available across all active stable kernel branches.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46083 MEDIUM PATCH This Month

Resource leak in the Linux kernel SPI subsystem allows a local low-privileged attacker to exhaust kernel resources and cause denial of service. The flaw affects multiple stable kernel branches (5.4.x through 7.x) and occurs when spi_setup() fails during SPI device registration, leaving resources allocated by setup() unreleased because the controller cleanup() callback is never invoked on the error path. No public exploit exists and EPSS sits at 0.02% (5th percentile), indicating very low real-world exploitation probability; this is a stability fix appropriate for routine patching rather than emergency response.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46082 MEDIUM PATCH This Month

KVM SVM subsystem in the Linux Kernel incorrectly handles the INVLPGA instruction when EFER.SVME=0, failing to inject the required #UD (Undefined Opcode) exception into the guest VM. Systems running AMD hardware virtualization (AMD-V/SVM) under KVM are affected from kernel 2.6.32 through multiple stable branches, with the flaw enabling a low-privileged guest user to trigger a high-severity availability impact. No public exploit exists and EPSS stands at 0.02% (5th percentile), indicating very low current exploitation probability; however, the kernel maintainers tagged this for stable backports across six separate stable branches, reflecting broad deployment surface.

Code Injection Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46080 MEDIUM PATCH This Month

Credit exhaustion in the OCFS2 DIO completion path of the Linux kernel can cause the JBD2 journaling layer to exceed its maximum transaction credit limit, resulting in kernel warnings and a high-availability denial-of-service condition. Systems running the Linux kernel with the OCFS2 cluster filesystem configured for direct I/O workloads across multiple stable branches (6.6.x, 6.12.x, 6.18.x, 7.0.x) are affected. A local attacker with low privileges and write access to an OCFS2 volume can trigger complex extent tree merges that request more than 5449 JBD2 credits, destabilizing the filesystem journal. No public exploit is identified at time of analysis, and EPSS sits at the 5th percentile, reflecting very low real-world exploitation probability.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46079 MEDIUM PATCH This Month

Null-pointer dereference in the Linux kernel's RBD (RADOS Block Device) subsystem crashes the kernel when device_add_disk() fails after device_add() has already succeeded. Systems running Linux kernel with Ceph RBD support enabled are affected across multiple stable branches from the introduction of commit 27c97abc30e2 through the patched releases. A local attacker with sufficient privileges to map RBD images via the sysfs interface can trigger this error path to cause a kernel panic and system-wide denial of service. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.02% at the 5th percentile signals negligible weaponization probability.

Linux Canonical Denial Of Service Null Pointer Dereference Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46077 MEDIUM PATCH This Month

Incorrect DMA synchronization direction in the Linux kernel's atmel-tdes crypto driver exposes systems running on non-coherent cache architectures to stale cache data reads. The atmel-tdes driver incorrectly calls dma_sync_single_for_device() instead of dma_sync_single_for_cpu() before the CPU consumes DMA output, causing cache invalidation to be skipped on non-coherent platforms (typically ARM-based Atmel/Microchip SoCs). This means the CPU may read stale cached data rather than actual DES/3DES operation output, producing incorrect cryptographic results and potential information exposure from prior cache contents. No public exploit exists and EPSS is 0.02%, but hardware-platform specificity limits real-world reach significantly.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46074 MEDIUM PATCH This Month

Memory leak and potential use-after-free in the Linux kernel's spi-ch341 USB driver expose systems to local denial-of-service when CH341 device probe failures occur without proper resource cleanup. Kernels from the commit introducing the spi-ch341 driver (8846739f52afa07e63395c80227dc544f54bd7b1) through the respective stable-branch fix commits across the 6.11 through 7.0 lineages are affected. Repeated probe failures accumulate leaked kernel memory that can exhaust system resources; no active exploitation is identified (EPSS 0.02%, no CISA KEV listing), placing this firmly in the maintenance-priority rather than incident-response category.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46073 MEDIUM PATCH This Month

Linux kernel's hwmon powerz USB power meter driver fails to cancel an in-flight USB Request Block (URB) when a process is interrupted by a signal mid-read, resulting in reads from an unfilled DMA transfer buffer that can cause denial of service and potentially expose stale kernel buffer contents. Affected since commit 4381a36abdf1c5c0323c1c51f869dc000115eb20 and patched in stable releases 6.12.86, 7.0.4, and 6.18.27. No public exploit exists and EPSS is 0.02% (5th percentile), reflecting both the niche hardware dependency and strictly local attack surface; this issue is not listed in CISA KEV.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46072 MEDIUM PATCH This Month

Out-of-bounds heap read in the Linux kernel ntfs3 driver's run_unpack() function allows a local user to crash the kernel by mounting a crafted NTFS image. The flaw affects multiple stable kernel branches from 5.15 onward, where run list parsing in MFT attributes consumes up to 15 bytes beyond the valid buffer boundary without checking remaining buffer size. No public exploit code exists and EPSS sits at 0.02% (5th percentile), but the local denial-of-service impact is A:H and patches are available across all affected stable branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46063 MEDIUM PATCH This Month

Deadlock in the Linux kernel's x86 Control-flow Enforcement Technology (CET) shadow stack implementation can be triggered by a local unprivileged user during signal return, causing a kernel hang and denial of service. The flaw exists in x86 SMP kernels with PER_VMA_LOCK configured where X86_USER_SHADOW_STACK is enabled: holding the mmap read lock while reading the shadow stack signal frame during sigreturn allows a recursive lock acquisition attempt that deadlocks when a concurrent mmap writer is waiting on another CPU. No public exploit has been identified at time of analysis and EPSS exploitation probability is extremely low at 0.02% (5th percentile), but the availability impact is high on affected systems with shadow stack enabled.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46061 MEDIUM PATCH This Month

Deadlock in the Linux kernel jbd2 journal subsystem can hang filesystems and render systems unresponsive when filesystem blocksize is smaller than the system pagesize. Introduced by commit f76d4c28a46a, the flaw breaks the required folio-then-buffer lock ordering in jbd2_journal_cancel_revoke(), causing an ABBA deadlock between concurrent filesystem journal operations and block device writeback. No public exploit is identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with a race-condition kernel bug requiring a non-default configuration that is unlikely to be deliberately weaponized.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46051 MEDIUM PATCH This Month

Soft lockup in the Linux kernel's md/raid5 subsystem allows a local low-privileged user to trigger an infinite loop in the raid5d kernel thread, causing a kernel soft lockup and system-wide denial of service on hosts running RAID5 arrays. The fault lies in retry_aligned_read() using the wrong stripe release path when encountering overlapping stripes, permanently starving handle_stripe() of the work item needed to resolve the overlap. No public exploit has been identified and EPSS at 0.02% (5th percentile) confirms negligible exploitation probability; however, multiple active stable kernel branches from 3.12 onward are affected and vendor-released patches are confirmed across five fix versions.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46050 MEDIUM PATCH This Month

Deadlock in the Linux kernel md/raid10 subsystem causes a permanent denial-of-service when NOWAIT IO requests coincide with an array check (resync) operation. The md resync thread becomes permanently stuck because the nr_pending atomic counter underflows to a large negative value, preventing it from ever reaching the zero threshold needed to proceed. Systems running RAID-10 arrays where applications use O_NOWAIT IO (e.g., filesystem writeback paths via ext4) are affected. No public exploit code exists and EPSS is 0.02%, indicating low exploitation probability, but the bug is deterministically reproducible by any local user with IO access to the affected array.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46049 MEDIUM PATCH This Month

Infinite loop denial-of-service in the Linux kernel ALSA ctxfi audio driver allows a local low-privileged user to hang the kernel by triggering S/PDIF passthrough playback at 32000 Hz on Creative Sound Blaster X-Fi hardware. The root cause is an uninitialized `pll_rate` field that causes a resource-calculation loop to never exit, consuming CPU indefinitely and degrading or halting system availability. No public exploit exists and the EPSS score of 0.02% (5th percentile) confirms negligible real-world exploitation pressure; the vulnerability is not listed in CISA KEV.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46048 MEDIUM PATCH This Month

USB device reference count leak in the Linux kernel ALSA CAIAQ driver allows a local attacker with access to USB hardware to trigger kernel memory exhaustion. The flaw exists because usb_get_dev() is called in create_card() but its matching usb_put_dev() is only installed as a destructor late in init_card(), leaving it unreachable on all intermediate failure paths. Syzbot has reproduced the issue using a malformed UAC3 USB audio device, and patches are available across all affected stable kernel branches. No public exploit has been identified at time of analysis, and EPSS is negligible at 0.02%.

Microsoft Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46046 MEDIUM PATCH This Month

Missing brelse() in the ext4 filesystem's ext4_xattr_inode_dec_ref_all() function causes a buffer head refcount leak that can degrade system availability on affected Linux kernel versions. Introduced by commit c8e008b60492 (

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46041 MEDIUM PATCH This Month

Denial-of-service via kernel panic in the Linux kernel's greybus gb-beagleplay driver allows a local low-privileged user to crash the system by triggering an illegal sleep-in-atomic-context condition. The greybus HDLC TX path calls usleep_range() inside hdlc_append() while the tx_producer_lock spinlock is held, violating the fundamental Linux kernel rule that sleeping is forbidden in atomic context and triggering a 'BUG: scheduling while atomic' kernel oops. No public exploit has been identified at time of analysis, and EPSS at 0.02% (5th percentile) reflects the hardware-specific and local-access-only nature of this flaw. The input tag 'Information Disclosure' appears to be a misclassification - the actual impact is exclusively availability (kernel crash), consistent with the CVSS vector's A:H/C:N/I:N ratings.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46040 MEDIUM PATCH This Month

Resource accounting exhaustion in the Linux kernel's inotify subsystem allows a local low-privileged user to permanently leak watch counts by repeatedly triggering a failure path in inotify_new_watch() that increments the per-namespace watch counter without a corresponding decrement. Over time this exhausts the max_user_watches limit, causing all subsequent inotify watch creation within the namespace to fail with -ENOSPC even when no watches are genuinely active, constituting a local denial-of-service against inotify-dependent applications. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects very low real-world exploitation probability with no CISA KEV listing.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46038 MEDIUM PATCH This Month

Memory exhaustion in the Linux Kernel's QRTR (Qualcomm IPC Router) nameserver subsystem exposes local, low-privileged users to a denial-of-service condition. The `ctrl_cmd_bye()` function, triggered when a QRTR node sends a BYE shutdown packet, fails to remove the node from the Xarray structure or release the associated memory - resulting in a persistent kernel memory leak (CWE-401). Affected systems are Linux kernels from 5.7 through multiple stable branches, with fixes backported to 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. No active exploitation is confirmed (not in CISA KEV), and EPSS sits at 0.02% (5th percentile), indicating minimal real-world threat at this time.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46034 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel vfio/cdx subsystem allows a local low-privileged user with access to a CDX VFIO device to crash the kernel by issuing an out-of-order ioctl sequence. Specifically, calling VFIO_DEVICE_SET_IRQS with DATA_BOOL or DATA_NONE flags before ever initializing MSI interrupts via the EVENTFD path dereferences an unallocated cdx_irqs pointer, producing a kernel panic and denial-of-service. No public exploit code exists and EPSS is 0.02%, but vendor-released patches are confirmed available across all affected stable branches.

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46026 MEDIUM PATCH This Month

Uncontrolled resource consumption in the Linux kernel's QRTR (Qualcomm IPC Router) nameserver module allows a local authenticated user to exhaust nameserver resources by flooding it with unbounded NEW_LOOKUP messages over a single socket. The affected subsystem (net/qrtr/ns) restricted lookups to local clients but imposed no count limit, enabling a sustained denial-of-service against QRTR-dependent inter-process communication on Qualcomm SoC platforms. No public exploit has been identified and EPSS stands at 0.02% (5th percentile), placing this firmly in the low real-world priority tier despite its High availability impact rating.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46023 MEDIUM PATCH This Month

Integer overflow in the Linux kernel's device mapper mirror (dm-mirror) subsystem allows a local attacker with device mapper configuration privileges to crash the kernel via a denial-of-service condition. The flaw resides in create_dirty_log() where an unchecked unsigned addition of 2 + param_count wraps around to a small value when param_count approaches UINT_MAX, bypassing an argc bounds check and triggering out-of-bounds reads in dm_dirty_log_create(). No public exploit code exists and EPSS is exceptionally low at 0.02% (5th percentile); this CVE has not been added to the CISA KEV catalog, indicating no confirmed active exploitation at time of analysis.

Linux Integer Overflow Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46021 MEDIUM PATCH This Month

Two related memory-management defects in the Linux kernel thermal zone governor subsystem expose local low-privileged users to system availability loss. The first is a memory leak (CWE-401) in the registration error path of thermal_zone_device_register_with_trips(), which fails to remove an attached governor when registration fails mid-way. The second, and more critically impactful, is a race condition in thermal_zone_device_unregister(), which calls thermal_set_governor() without first acquiring the thermal zone lock - permitting a concurrent sysfs-based governor update to produce a use-after-free, which can trigger a kernel panic. No public exploit code exists and EPSS is 0.02% (5th percentile); vendor-released patches are available across multiple stable kernel branches including 6.6.140, 6.12.86, 6.18.27, and 7.0.4.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46019 MEDIUM PATCH This Month

The atmel-aes crypto driver in the Linux kernel leaks 3 pages of kernel memory per cleanup cycle due to a mismatch between allocation and deallocation functions: atmel_aes_buff_init() allocates 4 contiguous pages via __get_free_pages() with ATMEL_AES_BUFFER_ORDER, but atmel_aes_buff_cleanup() frees only a single page via free_page() instead of the correct free_pages(). Systems running on Atmel/Microchip ARM SoC hardware with this driver loaded are vulnerable to gradual kernel memory exhaustion leading to denial of service. No public exploit code exists and no active exploitation has been confirmed; the EPSS score of 0.02% (5th percentile) reflects the extremely narrow hardware-specific attack surface, and vendor-released patches are available across multiple stable kernel branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46016 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's Xilinx remoteproc (xlnx) IPI receive callback enables a local low-privileged user to crash the kernel on Xilinx SoC-based systems. The receive callback unconditionally accesses buffer information without first validating whether the message pointer is NULL, which occurs when IPI is operating in non-buffered mode. No public exploit exists and no active exploitation is confirmed; with EPSS at 0.02% (5th percentile), real-world risk is very low and hardware-specific.

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46013 MEDIUM PATCH This Month

Incorrect physical address conversion in the Linux kernel's mm/memfd_luo subsystem can crash the kernel when the put_folios error-cleanup path executes during memfd Live Update Object (LUO) operations. The cleanup passes a raw Page Frame Number (PFN) where kho_restore_folio() requires a phys_addr_t, and a missing sparse-hole guard (pfn==0) risks misprocessing file holes. No public exploit identified at time of analysis; EPSS of 0.02% (5th percentile) and absence from CISA KEV confirm very low real-world exploitation probability, with impact confined to local denial of service on systems running the experimental KHO/LUO subsystem.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46012 MEDIUM PATCH This Month

Memory exhaustion denial-of-service in the Linux kernel's rxkad Kerberos authentication layer allows a local low-privilege attacker to leak kernel memory by repeatedly triggering error paths in rxkad_verify_response(). The vulnerability affects kernels from approximately 5.11 through all unpatched stable series prior to 6.6.140, 6.12.86, 6.18.27, and 7.0.4. No public exploit exists and EPSS sits at 0.02% (5th percentile), indicating minimal real-world exploitation likelihood; however, systems running AFS workloads with rxrpc active warrant patching at next maintenance.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46009 MEDIUM PATCH This Month

Duplicate resource teardown in the Linux kernel's PCI endpoint NTB (Non-Transparent Bridge) driver causes a kernel oops when link state transitions fail or complete, enabling a local low-privileged user to crash the kernel. The `epf_ntb_epc_destroy()` helper performs teardown that its callers also execute, resulting in a double-free-class condition. No public exploit code exists and no active exploitation has been confirmed (not in CISA KEV); the EPSS score of 0.02% at the 5th percentile reflects extremely low observed exploitation probability.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46007 MEDIUM PATCH This Month

Cache coherency violation in the Linux kernel hwmon powerz driver allows a local low-privileged user to crash the kernel on architectures where DMA buffer cacheline aliasing with adjacent kernel structures (here, a mutex) produces undefined behavior. Affected systems must have the powerz USB hardware monitor driver loaded and the specific hardware attached. No public exploit code exists and EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation activity; nonetheless the kernel availability impact (system crash) is concrete once triggered on a vulnerable architecture.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46005 MEDIUM PATCH This Month

Resource leak in the Linux kernel's XFS subsystem fails to release a DAX (Direct Access) device reference in the error path of xfs_alloc_buftarg(), leaving a dangling reference that prevents proper cleanup of persistent memory devices. Systems running XFS on DAX-capable persistent memory hardware are affected, spanning multiple stable kernel branches prior to the fix commits documented in EUVD-2026-32302. No public exploit identified at time of analysis, and an EPSS score of 0.02% (5th percentile) confirms negligible exploitation interest; patches are confirmed available across Linux 6.6.x, 6.12.x, 6.18.x, 7.0.x, and 7.1-rc1.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
Prev Page 4 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy