Out-of-bounds memory access in the Linux kernel's DAMON (Data Access MONitor) subsystem allows a local user with access to the DAMON sysfs interface to read out-of-bounds kernel memory or crash the system. The flaw exists because mm/damon/core failed to validate the user-supplied node ID (damos_quota_goal->nid) before using it in NODE_DATA() for the node_memcg_used_bp and node_memcg_free_bp quota goal metrics. The kernel description includes a working reproduction using the user-space 'damo' tool, but no public weaponized exploit and no active exploitation (CISA KEV) have been reported; EPSS is negligible at 0.02%.
Out-of-bounds heap read in the Linux kernel's ibmasm driver (the IBM Advanced System Management service-processor interface) lets a local privileged user leak adjacent kernel heap memory. The ibmasm_send_i2o_message() function trusts user-controlled command_size and data_size header fields to size a memcpy_toio() without validating them against the real allocation, so a small buffer with inflated header values forces a read of up to ~65 KB past the allocation, which is then forwarded to the service processor over MMIO. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis.
Out-of-bounds read in the Linux kernel's AppArmor LSM subsystem (security/apparmor/match.c) allows a local low-privileged user to trigger a KASAN slab-out-of-bounds read via the mount() syscall on kernels 7.0 through 7.0.3 and 7.1-rc1. The flaw stems from a missing string terminator that causes aa_dfa_match() to read past the end of an 8KB kmalloc buffer when processing mount path strings, resulting in potential information disclosure and system instability (denial of service). No public exploit identified at time of analysis, and EPSS probability is negligible at 0.02%.
Local privilege-bounded information disclosure and integrity compromise in the Linux kernel's SELinux module affects overlayfs mounts where mmap() and mprotect() operations bypass the intended dual-credential access checks. A local authenticated user with access to an overlayfs top-level (user) file can map or change protections on backing files without the mounter's credentials being properly evaluated, undermining the SELinux overlayfs security model. EPSS is very low (0.02%, 5th percentile) and no public exploit identified at time of analysis.
Out-of-bounds read in the Linux kernel's crypto authencesn AEAD wrapper allows a local user with AF_ALG access to trigger memory disclosure and possible denial of service by instantiating an authencesn transform built on an ahash whose digest size is 1-3 bytes (for example cbcmac(cipher_null)). The flaw stems from crypto_authenc_esn_create() failing to validate the inner digest size, letting an invalid default authsize bypass the existing setauthsize() check. No public exploit identified at time of analysis and EPSS probability is negligible (0.02%), but the upstream fix is shipping across multiple stable trees.
Out-of-bounds MMIO read in the Linux kernel's ibmasm (IBM Advanced System Management) misc driver allows a compromised IBM service processor to read 8 bytes from unintended device registers or trigger a machine check exception (system crash) by writing an out-of-range queue reader/writer index before asserting an interrupt. The flaw resides in ibmasm_handle_mouse_interrupt() where raw readl() values are passed unchecked to get_queue_entry(), and is fixed by bounds-checking both indices against REMOTE_QUEUE_SIZE (60). No public exploit identified at time of analysis, and EPSS probability is negligible at 0.02%.
Local denial of service and potential information disclosure in the Linux kernel's EROFS filesystem affects versions from 5.13 through pre-patch releases, where a crafted EROFS image triggers an unsigned integer underflow in z_erofs_lz4_handle_overlap(). When a malicious image is mounted and a file is read, the LZ4 inplace decompression path wraps the 'outpages - inpages' calculation to a huge value and reads past the decompressed_pages array. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but a reproducible proof-of-concept image is embedded in the upstream commit message.
Out-of-bounds read in the Linux kernel's ibmasm driver allows a local low-privileged user with write access to the ibmasm command character device to leak kernel heap memory to the IBM Advanced System Management service processor and potentially destabilize the host. The flaw resides in command_file_write(), which trusts attacker-controlled command_size/data_size header fields after allocating a buffer of arbitrary count, enabling get_dot_command_size() to return a value larger than the allocation. EPSS is 0.02% and no public exploit is identified at time of analysis; the issue is not on CISA KEV.
Denial of service in the Linux kernel's RCU (Read-Copy-Update) subsystem allows a local condition to trigger an infinite recursion deadloop in rcu_read_unlock_special() when ftrace is enabled, leading to kernel hang or crash. The flaw stems from a missing recursion-protection flag when raise_softirq_irqoff() is invoked from the RCU unlock path, causing repeated re-entry through the softirq/trace stack. No public exploit identified at time of analysis and EPSS rates exploitation probability at 0.02%.
Kernel NULL pointer dereference in the Linux EROFS compressed filesystem driver allows a local user reading from an EROFS image to crash the system. The flaw lives in z_erofs_decompress_pcluster(), where compressed folios for ztailpacking pclusters are added to I/O chains before being validated; if inline-data reading fails (notably when a fatal signal interrupts read_mapping_folio()), decompression assumes the folios are valid and dereferences a NULL pointer. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%), and the issue is not in CISA KEV.
Out-of-bounds read in the Linux kernel's AppArmor subsystem allows a local, low-privileged attacker to leak adjacent kernel memory and potentially crash the system when AppArmor parses a policy table built from possibly unaligned, userspace-supplied source data. The flaw stems from unaligned memory accesses during table creation in the policy loader and carries high confidentiality and availability impact. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.02%, 5th percentile), consistent with a hard-to-reach local-only kernel hardening fix rather than a mass-exploitation target.
Denial of service in the Linux kernel's EFI unaccepted-memory handling allows a boot-time kernel panic on confidential-computing guests, affecting kernels from 6.6 through the 6.19/7.0 development line. The reserve_unaccepted() routine miscalculates the memblock reservation size when the unaccepted memory table is not page-aligned, leaving the table's tail unreserved so it can be overwritten or rendered inaccessible, triggering a panic in accept_memory(). It is observed on Intel TDX VMs with larger memory sizes (e.g. >64GB); there is no public exploit identified at time of analysis and EPSS is negligible (0.02%).
Out-of-bounds stack read in the Linux kernel's IMA (Integrity Measurement Architecture) subsystem, in ima_appraise_measurement() reached via is_bprm_creds_for_exec(), affecting kernels from the 6.14 series up to the fixed stable commits. A misuse of container_of() on a *file pointer computes an invalid stack offset, letting a local execution path read one byte past a stack frame object (flagged by KASAN), which can disclose adjacent stack data or crash the task. EPSS is very low (0.02%, 5th percentile), the CVE is not on CISA KEV, and there is no public exploit identified at time of analysis; the issue is patched upstream.
Out-of-bounds memory access in the Linux kernel's DAMON (Data Access MONitor) subsystem allows privileged local users to crash the kernel by supplying arbitrary node IDs to damos_quota_goal via DAMON_SYSFS. Affecting Linux 6.16 and fixed in 6.18.27, 7.0.4, and 7.1-rc1, the flaw stems from missing validation before si_meminfo_node()/NODE_DATA() lookups and is reproducible with the upstream 'damo' user-space tool. No public exploit identified at time of analysis and EPSS is very low at 0.02%.
High-impact integrity and availability flaw in the Linux kernel's md-llbitmap (multi-device log-based bitmap) subsystem allows a local low-privileged attacker to render RAID bitmap page control structures permanently unusable. When llbitmap_suspend_timeout() times out, percpu_ref is left in a killed state and never resurrected, breaking subsequent md daemon operations on that page. EPSS is very low (0.02%, 4th percentile) and no public exploit is identified at time of analysis, but vendor-released patches are available in 6.18.14 and 6.19.4.
Information disclosure in the Linux kernel BPF subsystem allows a local low-privileged user with BPF program load access to leak kernel memory contents. Incorrect memory-access flags on several ARG_PTR_TO_MEM helper prototypes (notably bpf_get_stack_proto_raw_tp) cause the verifier to wrongly assume helper-written buffers are unchanged, optimizing away subsequent reads and producing stale or uninitialized data that can expose kernel memory. There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and it is not in CISA KEV.
Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by deleting their own ~/.pamusb/device.pad file. The flawed pusb_pad_compare() check in src/pad.c only confirmed the user-side pad was readable and treated its absence as a non-fatal failure in certain code paths, so authentication succeeded without the physical USB device ever being verified. There is no public exploit identified at time of analysis, but the technique is trivial - a single file deletion by the account owner.
Local privilege escalation in presire qSnapper before 1.3.3 lets a low-privileged user bypass Polkit authentication in the privileged D-Bus service by exploiting a PID-reuse race in the UnixProcessSubject authorization check. A successful race grants the attacker the authority of a privileged process, exposing high-impact root-level operations (snapshot/file restore) on the host. EPSS is low (0.13%, 3rd percentile) and no public exploit is identified; the issue was found in a coordinated SUSE security review and fixed in v1.3.3.
SQL injection in the UpdateParam function of admin.mbnetj.php in MB connect line's mbCONNECT24, mymbCONNECT24, myREX24V2 and myREX24V2.virtual remote-maintenance portals (versions up to and including 2.20.0) lets a high-privileged remote attacker tamper with a SQL UPDATE command, reading the entire database and modifying values in a non-critical table. The flaw was reported by CERT@VDE (advisory VDE-2026-044) and carries CVSS 4.0 base 7.0. There is no public exploit identified at time of analysis, EPSS is very low (0.03%, 10th percentile), and CISA SSVC rates exploitation as 'none' - indicating low immediate real-world urgency despite the high impact ceiling.
SQL injection in the UpdateParam function of view.html.php affects MB connect line remote-access portals (mbCONNECT24, myREX24V2, mymbCONNECT24, and myREX24V2.virtual) in versions up to and including 2.20.0, letting an attacker inject into a SQL UPDATE statement to read the entire backend database and alter values in a non-critical table. The CVSS 4.0 vector (PR:H) indicates a high-privileged account is required, even though the advisory text labels the flaw 'unauthenticated' - a discrepancy defenders should resolve with the vendor. There is no public exploit identified at time of analysis, EPSS is very low (0.03%), and CISA SSVC rates exploitation as 'none'.
SQL injection in the DeleteSysLogEntry function of MB connect line / Helmholz remote-maintenance platforms - mbCONNECT24, myREX24V2, mymbCONNECT24 and the myREX24V2.virtual variant through version 2.20.0 - lets a network attacker with high privileges inject SQL into a DELETE statement, reading the entire backend database and deleting rows in a non-critical syslog table. The flaw yields full confidentiality loss and limited integrity impact (CVSS 4.0 base 7.0). There is no public exploit identified at time of analysis, EPSS is very low (0.03%, 10th percentile), and CISA SSVC rates exploitation as none, indicating no observed in-the-wild activity. Note the vendor description's 'unauthenticated' wording conflicts with the CVSS PR:H (high privileges required) metric.
SQL injection in the MB connect line remote-maintenance portals mbCONNECT24, myREX24V2, myREX24V2.virtual and mymbCONNECT24 (all versions up to and including 2.20.0) lets a high-privileged remote user manipulate a SQL DELETE statement in the _RemoveRequest function to read the entire backend database and delete rows in a non-critical table. The CVSS 4.0 vector (PR:H) indicates an authenticated, high-privilege account is required despite the description's wording, yielding total confidentiality loss and partial integrity loss. There is no public exploit identified at time of analysis, EPSS is very low (0.03%), and the issue is not listed in CISA KEV.
SQL injection in MB connect line's mbCONNECT24 / myREX24V2 remote-maintenance portals (all releases up to and including 2.20.0) lets an attacker break out of the SQL UPDATE statement bound to the 'devices' parameter in the accountstatus view, yielding full read access to the backend database and limited writes to a non-critical table. The CVSS 4.0 vector requires high privileges (PR:H), so a privileged authenticated user is the realistic threat actor — this directly contradicts the advisory text that labels the flaw 'unauthenticated,' a discrepancy defenders should resolve with the vendor. EPSS is very low (0.03%, 10th percentile) and there is no CISA KEV entry; no public exploit identified at time of analysis.
SQL injection in the mbCONNECT24 / myREX24V2 industrial remote-access platform (all editions through 2.20.0) lets a high-privileged remote attacker inject SQL through the userid parameter of the accountstatus view, which is concatenated unsafely into a SQL UPDATE statement. Successful exploitation yields read access to the entire backend database (total confidentiality loss) plus the ability to alter values in a non-critical table (partial integrity loss). There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and the EPSS probability is very low at 0.03% (10th percentile).
SQL injection in the DevSerialReset function of MB connect line / Helmholz industrial remote-access portals (mbCONNECT24, mymbCONNECT24, myREX24V2, and the .virtual variants) lets a high-privileged remote attacker read the entire backend database and modify values in a non-critical table. The flaw stems from improper neutralization of special elements within a SQL UPDATE statement (CWE-89), yielding total loss of confidentiality and partial integrity impact. There is no public exploit identified at time of analysis, and EPSS rates exploitation likelihood very low (0.03%, 10th percentile).
Certificate chain forgery in Erlang/OTP's public_key application (pubkey_cert module) lets a non-CA end-entity certificate act as an intermediate issuer, allowing an attacker holding such a certificate's private key to sign forged leaf certificates for arbitrary identities that public_key:pkix_path_validation/3 will accept. This breaks server identity verification for TLS clients and client-certificate verification for mTLS servers across any application using the OTP ssl stack with the default verifier. Tracked as CWE-295 with a CVSS 4.0 base score of 7.0 (subsequent-system confidentiality and integrity rated High); no public exploit identified at time of analysis and it is not listed in CISA KEV, with the only available code being the vendor fix commits.
Information disclosure in ZTE ZXUniPOS NDS-LTE (V24.40.40 and earlier, and V24.30.40CP02 and earlier) stems from an insecure cryptographic password scheme - such as hard-coded keys, weak encryption algorithms, or poor key management - that lets remote, unauthenticated attackers recover or tamper with protected data. The CVSS vector (AV:N/AC:H/PR:N) indicates network reachability without credentials but with high attack complexity, and the primary impact is confidentiality loss (C:H) with minor integrity and availability effects. There is no public exploit identified at time of analysis, and EPSS is very low (0.02%, 7th percentile).
Slab allocator corruption in the Linux kernel's mm/slab subsystem allows local low-privileged users on uniprocessor (UP, !CONFIG_SMP) builds to potentially corrupt kernel memory state when kmalloc_nolock() is invoked from NMI context. The flaw stems from spin_trylock() being a no-op on UP kernels, allowing re-entry into the slab allocator while n->list_lock is already held by the interrupted context. EPSS is very low (0.02%) and no public exploit has been identified at time of analysis, though an upstream patch is available.
Arbitrary file write in the compliance-trestle Python library (versions 4.0.0-4.0.2 and any release below 3.12.2) lets an attacker who controls a referenced OSCAL artifact plant attacker-supplied content anywhere the trestle process can write. The HTTPSFetcher and SFTPFetcher cache layer builds the local cache file path directly from the URL path component, so when trestle imports a remote OSCAL profile whose href contains `../` traversal the fetched HTTP/SFTP response body escapes the .trestle cache directory; overwriting files such as /etc/cron.d entries, ~/.ssh/authorized_keys, or a module on sys.path turns the primitive into code execution. A reproducible public proof-of-concept exists in the GHSA advisory (GHSA-g3vg-vx23-3858); the flaw is not listed in CISA KEV and no CVSS or EPSS scoring is provided, but the maintainers have shipped fixes in 4.0.3 and 3.12.2.
Broken access control in Pimcore's CustomReports bundle (composer package pimcore/pimcore, versions ≤ 12.3.5) lets an authenticated low-privileged backend user who holds only the generic `reports` permission read the full configuration of custom reports they were never granted access to. The report detail endpoint (`getAction`) validates only coarse `reports`/`reports_config` permissions, whereas the listing endpoint enforces per-report sharing rules through `loadForGivenUser()`; consequently a report hidden from a user's visible list can still be retrieved directly by name. A working proof-of-concept is published in the vendor's GitHub Security Advisory (GHSA-jwcc-gv4m-93x6), so publicly available exploit code exists, but there is no public evidence of active exploitation.
Upload filename allowlist bypass in the @hapi/content npm header parser (versions < 6.0.2) lets remote attackers smuggle malicious parameters past upstream validation. The library's Content.disposition() retained the last occurrence of a duplicated parameter while Content.type() retained the first occurrence of charset/boundary, so when a WAF, reverse proxy, or security filter resolves the same duplicate the opposite way, the two layers disagree on values such as the upload filename. No public exploit code or active exploitation has been identified; the GitHub Security Advisory (GHSA-36hh-x5p5-jgc8) documents the exact smuggling header but no CVSS score or EPSS data is provided.