Skip to main content
CVE-2026-41185 MEDIUM PATCH This Month

Credential exposure in Tigera Calico's Azure IPAM integration causes ServiceAccount tokens, client keys, and certificate authority data to be written in plaintext to a node-local log file on every pod scheduling and termination event. Affected deployments include Calico, Calico Enterprise, and Calico Cloud when the Azure IPAM plugin is in use with token-based Kubernetes authentication. Any low-privileged principal able to read /var/log/calico/cni/cni.log on an affected node can extract these credentials and leverage them for cluster-wide Calico networking administration. No public exploit code has been identified at time of analysis and CISA KEV listing is absent, but the sensitive nature of the exposed material - full Kubernetes auth credentials - makes this a meaningful lateral movement and privilege escalation risk within affected Azure-hosted Kubernetes clusters.

Microsoft Information Disclosure Kubernetes
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-4377 MEDIUM PATCH This Month

Weak default credential generation in the D-Link DWR-X1820 router exposes administrative access to adjacent-network attackers who can derive the device password from its IMEI number. All devices running firmware prior to 1.00B16CP are affected when users have not changed the factory-set password - a common real-world condition for consumer-grade routers. An attacker with knowledge of the IMEI-to-password derivation algorithm and physical or logical access to the IMEI (e.g., from the device label) can authenticate to the router admin interface without prior credentials. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure D-Link
NVD
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-46685 MEDIUM PATCH This Month

CORS origin reflection in RustFS's S3 listener exposes stored object data to cross-origin theft via browser-credentialed requests against all versions prior to 1.0.0-beta.2. When the RUSTFS_CORS_ALLOWED_ORIGINS environment variable is unset - the default state - the ConditionalCorsLayer middleware reflects any incoming Origin header verbatim as Access-Control-Allow-Origin while simultaneously asserting Access-Control-Allow-Credentials: true and Access-Control-Allow-Headers: *, including on preflight and error responses, nullifying the browser's same-origin policy protections. An unauthenticated attacker (PR:N) who lures a victim with ambient RustFS credentials to a malicious web page can exfiltrate object storage contents; no confirmed active exploitation (CISA KEV) and no public exploit identified at time of analysis. The fix is vendor-released in 1.0.0-beta.2.

Authentication Bypass Rustfs
NVD GitHub
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-9793 MEDIUM This Month

Signature policy bypass in Red Hat Build of Keycloak's JWE request object handling allows unauthenticated remote attackers to inject unauthorized claims into the OpenID Connect authorization flow. When a JWE-encrypted request object is submitted and its decrypted content is raw JSON, Keycloak improperly skips signature verification, violating both OIDC Core and Financial-grade API (FAPI) signing requirements. No public exploit code exists at time of analysis, but the integrity-only impact (CVSS I:H) is directly relevant to authorization trust boundaries, making this high-priority for FAPI-compliant or financial-sector Keycloak deployments.

Jwt Attack Authentication Bypass
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-9673 MEDIUM PATCH This Month

CSV Injection protection bypass in json-2-csv (npm) allows formula injection to survive the preventCsvInjection sanitization option when injection characters are preceded by leading spaces. Versions 3.15.0 through 5.5.10 are affected. An attacker who can supply JSON input values with space-prefixed formula strings (e.g., ' =SUM(A1:A10)') causes the resulting CSV to carry live spreadsheet formulas, which execute when a recipient opens the file in Excel, Google Sheets, or LibreOffice. Publicly available exploit code exists (Snyk/Gist POC); no confirmed active exploitation (not in CISA KEV).

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-46239 MEDIUM PATCH This Month

Runtime PM reference count leak in the Linux kernel's OmniVision OV5647 camera sensor driver (media/i2c/ov5647) causes availability loss for systems equipped with this camera hardware. The s_ctrl function's handling of three V4L2 controls - AUTOGAIN, EXPOSURE_AUTO, and ANALOGUE_GAIN - returns early without invoking pm_runtime_put(), allowing unpaired runtime PM get/put calls to accumulate. A local user with access to the camera device node can trigger this imbalance repeatedly, exhausting the PM reference count and preventing the device from entering low-power states, ultimately making it unavailable. No public exploit has been identified; EPSS is 0.02% (5th percentile) and this vulnerability does not appear in CISA KEV.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46236 MEDIUM PATCH This Month

Availability impact in the Linux kernel's xbox_remote media/rc driver allows a local, low-privileged user with access to the affected device to crash the kernel via a DMA coherency violation. The IO buffer used for USB transfers is embedded directly within the device structure, which violates DMA coherency rules and can trigger memory corruption leading to kernel panic. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% reflects minimal observed exploitation activity. Vendor-released patches are available across multiple stable kernel branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46235 MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's saa7164 media driver can crash the kernel when ioremap() fails during PCI device initialization. Systems with SAA7164-based PCIe capture cards (e.g., Phillips/NXP SAA7164) running unpatched kernel versions from 2.6.32 through stable branches prior to 6.6.140, 6.12.90, 6.18.32, and 7.0.9 are affected. A local, low-privileged attacker who can trigger driver initialization under memory pressure conditions may cause a kernel oops or panic, resulting in denial of service. No public exploit exists and EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation probability at this time.

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46233 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's batman-adv Bridge Loop Avoidance (BLA) subsystem enables local denial of service via kernel panic. The race condition exists in batadv_bla_purge_claims(), which traverses the claim hash list under rcu_read_lock() without accounting for concurrent claim releases - when batadv_claim_release() NULLs the backbone_gw pointer mid-traversal, a subsequent call to batadv_bla_claim_get_backbone_gw() on the partially-freed claim triggers a NULL dereference. Exploitation requires local low-privilege access on systems actively running batman-adv with BLA enabled; no active exploitation is confirmed and EPSS stands at 0.02% (5th percentile).

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46231 MEDIUM PATCH This Month

Reference counting failure in the Linux kernel's batman-adv Bridge Loop Avoidance (BLA) subsystem allows a local low-privileged user to cause a slow kernel memory leak and eventual denial of service. Specifically, batadv_bla_add_claim() omits the required batadv_backbone_gw_put() call on the error path when a claim hash insertion fails, preventing the backbone_gw object's reference count from ever reaching zero. The vulnerability has been present since at least kernel 4.7 and is patched across multiple stable branches; no public exploit exists and EPSS is extremely low at 0.02% (5th percentile), placing this firmly in the low-urgency tier except for environments actively running batman-adv with BLA.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46229 MEDIUM PATCH This Month

Stale VRAM exposure in the Linux kernel's amdkfd driver (drm/amdkfd) allows local authenticated users to observe prior occupants' GPU memory contents and crash multi-GPU compute workloads. The KFD allocation path omitted the AMDGPU_GEM_CREATE_VRAM_CLEARED flag - present in every other userspace GEM allocation path - leaving freshly allocated VRAM buffers populated with data from previous processes. The primary documented availability impact is deterministic crashes in RCCL peer-to-peer transport when stale values corrupt the ptrExchange, head, and tail protocol fields; a secondary information-disclosure risk exists because stale page-table remnants are observable by unprivileged compute kernels. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile).

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46226 MEDIUM PATCH This Month

Improper driver teardown ordering in the Linux kernel's Freescale (FSL) SPI controller driver allows a local low-privileged user to trigger a denial-of-service condition during driver unbind. The SPI controller is not deregistered before underlying resources such as DMA are released, creating a window where the controller may reference freed memory. No public exploit has been identified at time of analysis, and EPSS sits at 0.02% (5th percentile), reflecting low real-world exploitation probability.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46225 MEDIUM PATCH This Month

Improper resource deregistration ordering in the Linux kernel's spi/rspi (Renesas SPI controller) driver causes a local denial-of-service condition during driver unbind. The rspi driver releases DMA resources before deregistering the SPI controller, creating a window where in-flight controller operations can reference freed memory, resulting in a kernel crash or panic. With CVSS availability impact rated High and EPSS at 0.02% (5th percentile), this is a low-probability but locally exploitable stability issue affecting systems with Renesas SPI hardware. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46223 MEDIUM PATCH This Month

An A-A (same-task) deadlock in the Linux kernel cgroup rmdir path (versions 7.0 through 7.1-rc2 and 6.19.x) can permanently hang the entire system, requiring a hard reboot. When a process acting as both a PID namespace zombie reaper (e.g., systemd/PID 1) and the cgroup rmdir(2) caller encounters dying tasks still linked to cgroup csets, the kernel blocks the reaper indefinitely in TASK_UNINTERRUPTIBLE, creating a circular dependency from which the system cannot recover. No public exploit has been identified at time of analysis, EPSS exploitation probability is extremely low (0.02%), and no CISA KEV listing exists - consistent with the scenario's narrow, operationally specific triggering conditions.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46222 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's Rockchip RKCIF (Camera Interface) media driver crashes the kernel when a local user enables streaming on a video device with no connected subdevice. Affected systems are Rockchip SoC-based platforms running Linux kernel versions from the introduction of the rkcif driver up through 6.19. A low-privileged local attacker can trigger a kernel panic - full denial of service - via the standard V4L2 VIDIOC_STREAMON ioctl. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS of 0.02% (5th percentile) reflects the narrow hardware-specific attack surface.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46220 MEDIUM PATCH This Month

Kernel panic via reachable assertion in the Linux kernel's AMDGPU SDMA v4 driver allows a local low-privileged user to crash the system by submitting crafted GPU command buffers. The sdma_v4_0_ring_emit_fence() function contains BUG_ON() assertions verifying dword-alignment of fence writeback addresses; these assertions are reachable through the DRM_IOCTL_AMDGPU_CS ioctl from unprivileged userspace, causing a fatal panic in a kernel scheduler worker thread. No public exploit or active exploitation has been identified at time of analysis, and EPSS at 0.02% reflects low exploitation likelihood, but the impact on shared GPU compute systems warrants prompt patching.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46217 MEDIUM PATCH This Month

Integer overflow in the AMDGPU VCN4 (Video Core Next 4) multimedia driver within the Linux kernel allows a local low-privileged user to cause a kernel denial of service. The bounds check on incoming messages to the VCN4 encoder/decoder engine contains an overflow-vulnerable condition, meaning a crafted message can bypass intended size validation. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at the 5th percentile, indicating very low real-world exploitation likelihood currently.

Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46216 MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's Intel Xe DRM HDCP GSC subsystem allows a local, low-privileged user to crash the kernel when media GT is disabled via configfs. The function `intel_hdcp_gsc_check_status()` evaluates `&gt->uc.gsc` without first verifying that `media_gt` is non-NULL, producing a kernel pagefault on systems where media GT has been explicitly disabled through the configfs interface. Exploitation yields a denial of service (kernel panic) with no confidentiality or integrity impact; no public exploit identified at time of analysis, and EPSS probability is 0.02% (5th percentile), indicating very low exploitation likelihood in the wild.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46214 MEDIUM PATCH This Month

Denial-of-service via accept queue counter leak in the Linux kernel's vsock/virtio subsystem allows an authenticated local attacker to permanently exhaust a listener socket's backlog, causing it to reject all new connections. The flaw exists from kernel 5.5 onward in virtio_transport_recv_listen(), where sk_acceptq_added() is called before vsock_assign_transport() validation; failed transport assignments never call the paired sk_acceptq_removed(), permanently inflating sk_ack_backlog. No public exploit exists and EPSS is at the 5th percentile, but the impact in multi-tenant virtualized environments relying on vsock communication is a complete denial of vsock listener service.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46211 MEDIUM PATCH This Month

NULL pointer dereference and silent error suppression in the Linux kernel's Qualcomm MSM DRM/GEM subsystem allows a low-privileged local user to crash the kernel (denial of service) via a crafted GEM_INFO ioctl call. The msm_ioctl_gem_info_get_metadata() function unconditionally returns 0 on error and fails to check kmemdup() for a NULL return, enabling a dereference in the subsequent copy_to_user() call. No public exploit has been identified at time of analysis and EPSS is 0.02% (5th percentile), reflecting minimal real-world exploitation pressure despite the confirmed availability of upstream patch commits.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46207 MEDIUM PATCH This Month

Uninitialized socket buffer data exposure in the Linux kernel's vsock/virtio transport layer (6.7 and later) corrupts vsockmon tap monitoring output when non-linear skbs are in use. The `virtio_transport_copy_nonlinear_skb()` function constructs an `iov_iter` without setting `iov_iter.count`, causing zero-length copies that leave skb payloads uninitialized on the monitor interface - potentially exposing stale kernel memory to vsockmon consumers. Patched stable releases 6.12.90, 6.18.32, and 7.0.9 are available; no public exploit exists and EPSS stands at 0.02% (5th percentile), placing real-world exploitation risk very low but warranting attention in environments actively using vsockmon debugging.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46200 MEDIUM PATCH This Month

Denial-of-service via improper resource teardown ordering in the Linux kernel's MPC52xx SPI controller driver (spi/mpc52xx) affects systems running PowerPC-based embedded hardware. During driver unbind, the SPI controller was deregistered after - rather than before - disabling underlying resources such as interrupts and GPIOs, creating a window where the kernel could access freed or disabled resources and trigger a system crash. No public exploit has been identified at time of analysis, and with an EPSS of 0.02% (5th percentile), real-world exploitation is assessed as very low probability.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46196 MEDIUM PATCH This Month

Persistent availability degradation in the Linux kernel tracepoint subsystem results from an unbalanced regfunc()/unregfunc() pair when tracepoint_add_func() fails mid-registration. When func_add() returns an error (such as -ENOMEM) after regfunc() has already executed, ext->unregfunc() is never called, leaving side effects permanently in place - for syscall tracepoints, this sticks sys_tracepoint_refcount at a non-zero value and keeps SYSCALL_TRACEPOINT set on every running task, imposing unnecessary syscall trace entry/exit overhead on all processes until reboot. No public exploit identified at time of analysis and EPSS is 0.02% (5th percentile), indicating this is a low-probability exploitation target, though it is a confirmed kernel-quality bug with patches issued across multiple stable branches.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46193 MEDIUM PATCH This Month

The xfrm AH (Authentication Header) subsystem in the Linux kernel miscalculates ICV buffer offsets during asynchronous callback processing when Extended Sequence Numbers (ESN) are enabled, resulting in 100% packet loss on affected IPsec AH tunnels. Systems running AH with ESN and an async HMAC implementation (confirmed in developer-provided UML repro with forced-async hmac(sha1)) on both IPv4 and IPv6 paths are affected across multiple stable kernel branches going back to the commit introducing ESN async support. No public exploit exists and EPSS sits at 0.02% (5th percentile), reflecting a correctness defect with no exploitation interest rather than a broad attack surface; patch versions are confirmed across six stable branches.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46188 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's octeon_ep_vf driver crashes the kernel when napi_build_skb() fails during memory allocation in the receive path. Systems running kernels from the introduction of the octeon_ep_vf driver (commit 1cd3b407977c) through multiple stable branches are affected where Marvell Octeon EP VF network adapters are in use. A local, low-privileged attacker who can induce memory pressure while network traffic flows through an Octeon EP VF interface can trigger a kernel panic, resulting in full system unavailability. No public exploit code exists, EPSS is 0.02% (5th percentile), and this vulnerability has not been added to CISA KEV.

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46186 MEDIUM PATCH This Month

Uninitialized memory read in Linux kernel's Bluetooth virtio_bt driver allows a malicious or compromised virtio backend to trigger kernel DoS and potential information disclosure against guest VMs. The driver's virtbt_rx_handle() function fails to validate that received RX socket buffers contain sufficient bytes to cover the fixed HCI header for the declared packet type before forwarding to hci_recv_frame(). A backend-supplied one-byte completion with type HCI_ACLDATA_PKT causes the ACL classification path in hci_dev_classify_pkt_type() to dereference hci_acl_hdr(skb)->handle on an empty buffer when the HCI device holds an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with a kernel subsystem bug requiring privileged backend access in a virtualized environment.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46184 MEDIUM PATCH This Month

Division by zero in the Linux kernel's ua101 USB audio driver allows a local attacker to crash the kernel by presenting a crafted USB device with a malformed audio class descriptor. The ua101 driver's `detect_usb_format()` function fails to validate the `bNrChannels` field before use, so a device reporting `bNrChannels = 0` causes `frame_bytes` to become zero, which is subsequently used as a divisor in both `playback_urb_complete()` and `capture_urb_complete()` URB handlers, triggering a fatal kernel panic. No public exploit has been identified and EPSS is 0.02% (5th percentile), but the vulnerability affects multiple supported stable branches and patches are available across all of them.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46179 MEDIUM PATCH This Month

Divide-by-zero in the Linux kernel ASoC SOF compressed audio subsystem allows a low-privileged local user to crash the kernel by querying stream pointer position before stream parameters are configured. Affected are Linux kernel stable branches 6.6 through 7.0 (pre-patch), all running on hardware with SOF audio drivers loaded. No active exploitation has been confirmed - EPSS sits at 0.02% (5th percentile) and the vulnerability is absent from CISA KEV - making this a medium-severity availability risk relevant primarily to multi-user desktop and embedded audio platforms.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46172 MEDIUM PATCH This Month

Resource exhaustion via dst entry reference leak in the Linux kernel's IPv6 IPsec (xfrm6) receive path allows a local attacker with low privileges to cause a denial of service by exhausting kernel memory. The flaw exists in xfrm6_rcv_encap(), which calls ip6_route_input_lookup() returning a referenced dst entry even for error routes, but fails to release that reference before dropping the packet when dst->error is set. Repeated packets hitting this code path therefore accumulate unreleased dst references, ultimately crashing the system. No public exploit exists and this vulnerability is not in the CISA KEV list; EPSS exploitation probability is extremely low at 0.02% (5th percentile).

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46169 MEDIUM PATCH This Month

Uninitialized memory use in the Linux kernel HFS+ filesystem driver (hfsplus) can crash the kernel when a local user mounts a crafted, corrupted HFS+ image. The flaw in hfs_brec_read() allows a partial catalog record read - as few as 26 bytes into a 520-byte structure - leaving the nodeName field uninitialized; this data then propagates through hfsplus_cat_build_key_uni() into hfsplus_strcasecmp(), where it is used as array indices in case_fold(), triggering a kernel denial of service. No public exploit is identified at time of analysis and EPSS is very low at 0.02% (5th percentile); this is not listed in CISA KEV.

Linux Authentication Bypass
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46168 MEDIUM PATCH This Month

Scheduling-while-atomic kernel panic in the Linux kernel MPTCP subsystem allows a local low-privileged user to crash the host by setting timestamp socket options on an MPTCP socket. The defect stems from invoking sleepable helpers - sock_set_timestamp() and sock_set_timestamping() - inside the atomic context established by lock_sock_fast(), violating the kernel's non-sleeping constraint for spinlock holders. No public exploit code has been identified and EPSS sits at 0.02% (5th percentile), indicating negligible real-world exploitation probability at this time. Note: the 'Information Disclosure' tag applied by some sources appears incorrect - the actual impact is limited to availability (kernel panic/crash) with no confidentiality or integrity consequence per the CVSS vector.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46167 MEDIUM PATCH This Month

Uninitialized heap memory in the Linux kernel's usblp USB printer driver leaks a stale kernel byte to userspace through the LPGETSTATUS ioctl when a malicious or non-compliant USB printer returns zero bytes to a one-byte status request. Affected branches span kernel versions from 2.6.12 through 6.18.x, 7.0.x, and 7.1-rc3, with fixes available in stable releases 6.6.140, 6.12.88, 6.18.30, and 7.0.7. No public exploit exists and EPSS stands at 0.02% (5th percentile); exploitation requires local access, a cooperating malicious USB device, and access to the printer device node - substantially narrowing real-world risk despite the breadth of affected kernel versions.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46165 MEDIUM PATCH This Month

OpenVSwitch tunnel port removal in the Linux kernel triggers a self-deadlock that permanently hangs the kernel's RTNL lock, causing a denial of service requiring system reboot. The flaw affects systems across multiple stable kernel branches (6.6.x, 6.12.x, 6.18.x, 7.0.x) where OVS tunnel vports (VXLAN, GRE, GENEVE) are actively managed. Patched versions are available across all affected stable branches; no public exploit identified at time of analysis, and the EPSS score of 0.02% (5th percentile) indicates negligible observed exploitation probability.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46161 MEDIUM PATCH This Month

Divide-by-zero in the Linux kernel's md/raid10 subsystem allows a local authenticated user to crash the kernel by supplying a zero far_copies value when configuring a RAID10 array with the 'improved' far set layout. The affected function setup_geo() performs the division geo->far_set_size = disks / fc without first validating that fc is non-zero, triggering a kernel oops or panic and producing a high availability impact. EPSS is 0.02% (5th percentile) and this CVE is not listed in CISA KEV, consistent with the local-only, configuration-specific attack vector and no public exploit identified at time of analysis.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46160 MEDIUM PATCH This Month

Filesystem availability loss in the Linux kernel's btrfs subsystem can render a mounted volume unrecoverable after a power failure under specific directory removal conditions. The btrfs directory removal path fails to update the inode's `last_unlink_trans` field, causing a stale transaction ID to persist. When a process holds an open file descriptor to the removed directory and subsequently calls fsync, the incomplete journal entry survives to disk; upon next mount, log replay fails with -EIO and a 'corrupt leaf: invalid nlink' critical error, leaving the filesystem unmountable. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects negligible opportunistic exploitation interest, consistent with a logic-flaw data-integrity bug rather than a memory-corruption primitive.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46156 MEDIUM PATCH This Month

Kernel panic (ADE - Address Error for Memory access) in the LoongArch-specific PCI fixup function loongson_gpu_fixup_dma_hang() crashes systems that boot with a discrete Loongson GPU whose PCI device ID does not match any handled case in the switch statement. The missing default case causes readl() to be called with a garbage MMIO address derived from uninitialized register state, resulting in a hard kernel panic at boot time (PID 1, swapper/0) and rendering the system unavailable. No public exploit identified at time of analysis, and EPSS is 0.02% (5th percentile), consistent with a hardware-specific local DoS requiring no attacker interaction.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46153 MEDIUM PATCH This Month

Memory exhaustion in the Linux kernel's 8021q VLAN subsystem allows a local user with low privileges to cause denial-of-service by repeatedly manipulating VLAN egress QoS priority mappings. The function `vlan_dev_set_egress_priority()` retains cleared priority entries as unreachable tombstones in the kernel hash table across set/clear cycles, accumulating until device teardown and leaking kernel memory. No public exploit exists and EPSS is 0.02% at the 5th percentile, indicating negligible real-world exploitation interest; however, the High availability impact in CVSS reflects potential OOM-triggered system instability on affected hosts.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46151 MEDIUM PATCH This Month

Heap memory disclosure in the Linux kernel usblp USB printer driver allows a local attacker with a malicious USB printer to expose up to 1021 bytes of uninitialized kmalloc heap to userspace. The driver's usblp_cache_device_id_string() blindly trusts a device-supplied 2-byte big-endian length prefix in the IEEE 1284 GET_DEVICE_ID response, leaking stale kernel heap contents via the ieee1284_id sysfs attribute and the IOCNR_GET_DEVICE_ID ioctl. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile) and the vulnerability is not listed in CISA KEV, but vendor patches are confirmed across multiple stable kernel branches.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46146 MEDIUM PATCH This Month

Denial of service in the Linux kernel ALSA USB audio subsystem allows a local attacker to hang a CPU core indefinitely by presenting a malformed USB audio class v3 channel map descriptor. The affected function `convert_chmap_v3()` uses the descriptor field `cs_desc->wLength` as a loop increment without validating it, so a zero-length descriptor causes an unescapable infinite loop that saturates a CPU core until the process is killed or the system rebooted. No active exploitation has been confirmed - the vulnerability is absent from CISA KEV, and the EPSS score of 0.02% at the 5th percentile indicates negligible current attacker interest.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46144 MEDIUM PATCH This Month

Resource leak in the Linux kernel's RDMA/mana driver allows a local low-privileged user to exhaust kernel resources via a missing cleanup in the error unwind path of mana_ib_create_qp_rss(). The Microsoft Azure Network Adapter (MANA) InfiniBand subsystem fails to release mana_ib_cfg_vport_steering() allocations when QP RSS creation fails mid-flight, while the normal destroy path handles cleanup correctly - leaving the error path mismatched. No public exploit is identified and EPSS sits at 0.02% (5th percentile), reflecting very low real-world exploitation probability, though patches are confirmed available across multiple stable kernel branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46143 MEDIUM PATCH This Month

Memory leak in the Linux kernel's Qualcomm ASoC q6apm-lpass-dai audio driver allows a local low-privileged user to exhaust kernel memory by repeatedly invoking the ALSA prepare callback, which opens multiple APM graphs on the playback path without corresponding release. Affected systems are limited to those running Qualcomm LPASS audio hardware across several Linux stable branches (6.6.x, 6.9.x, 6.10, 6.12.x). No public exploit exists and EPSS at 0.02% (5th percentile) reflects negligible real-world exploitation interest; the practical impact is local denial of service on Qualcomm SoC-equipped devices.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46142 MEDIUM PATCH This Month

System hang vulnerability in the Linux kernel's libwx (WangXun) network driver affects systems using SR-IOV Virtual Functions. During VF initialization, the driver attempts to read register WX_CFG_PORT_ST, which is restricted to Physical Functions only; this illegal register access causes the system to hang, resulting in a complete denial of service. No public exploit exists and EPSS is 0.02%, but any system running a WangXun NIC with SR-IOV enabled and attaching a VF is directly exposed.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46139 MEDIUM PATCH This Month

The Linux kernel SMB client transmits uninitialized kernel heap data in the reserved Sbz2 field of Windows ACL security descriptors to remote Samba servers, causing chmod operations on SMB-mounted filesystems to fail with EINVAL. This regression was introduced by commit 62e7dd0a39c2d, which split a struct field but left a newly created 2-byte reserved field unpopulated due to use of kmalloc() instead of kzalloc(). No public exploit exists (EPSS 0.02%, no KEV listing); the practical impact is an operational disruption of file permission management on Samba-backed mounts, with a secondary minor information disclosure of heap contents to the remote server.

Linux Microsoft Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46132 MEDIUM PATCH This Month

Kernel stack information leak in Linux rtnetlink's rtnl_fill_vfinfo() exposes up to 26 bytes of uninitialized kernel stack memory to any unprivileged local user on systems with SR-IOV NICs. The flaw exists because struct ifla_vf_broadcast (32 bytes) is declared on the stack without zeroing, only the first 6 bytes are filled via memcpy on Ethernet devices, and the full struct is transmitted to userspace via RTM_GETLINK responses. No public exploit is identified at time of analysis and EPSS is 0.02% (5th percentile), but the attack is trivially repeatable without any special privileges, making it a practical KASLR bypass primitive or sensitive-data harvesting tool on multi-tenant or shared-access Linux systems.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46131 MEDIUM PATCH This Month

Availability impact in Linux Kernel KVM's x86 nested virtualization subsystem allows a low-privileged user operating within an L2 (nested) guest to trigger a host kernel denial-of-service via incorrect hypercall handling. The root cause is an incorrect guard condition in slow-flush hypercall paths: KVM checks `is_guest_mode(vcpu)` before calling `translate_nested_gpa()`, but that translation function is only valid when the L2 guest is running with nested EPT/NPT actually enabled - not merely when guest mode is active. No public exploit has been identified at time of analysis, and EPSS exploitation probability is 0.02% (5th percentile). Vendor-released patches are available across multiple stable branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46128 MEDIUM PATCH This Month

Denial-of-service in the Linux kernel IPMI subsystem allows a system crash when the BMC (Baseboard Management Controller) returns a malformed empty event message buffer instead of a proper error code. The kernel's IPMI driver defers response size validation to later processing stages rather than checking immediately upon receipt, causing it to process invalid data from certain non-compliant BMC firmware. No public exploit exists and EPSS is 0.02% (5th percentile); the trigger is hardware-driven misbehavior rather than deliberate attacker input, but the availability impact is high (kernel panic). Patched kernel versions are available across multiple stable branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46127 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's RDMA/ocrdma driver crashes systems running Emulex OneConnect RDMA adapters. The flaw exists in `ocrdma_copy_pd_uresp()`, where error-path code dereferences `pd->uctx` before it is initialized, producing a kernel panic and complete system unavailability when triggered. No public exploit code has been identified and EPSS sits at 0.02% (5th percentile), reflecting very low exploitation probability at this time; however, the local low-privilege vector means any unprivileged user on an affected system with ocrdma hardware present could trigger the crash.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46126 MEDIUM PATCH This Month

Improper error-path cleanup in the RDMA/mana driver's `mana_ib_create_qp_rss()` function allows a local low-privileged user on Azure VMs with Microsoft MANA NICs to crash the kernel. Two logic bugs in the WQ table unwind - a redundant `i--` that skips a cleanup iteration, and a missed `mana_destroy_wq_obj()` call when `mana_ib_install_cq_cb()` fails - leave kernel objects in a dangling state, producing a high-availability (DoS) impact. No public exploit exists and EPSS is at the 5th percentile; this vulnerability is not in CISA KEV.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46109 MEDIUM PATCH This Month

Memory leak in the Linux kernel USB ULPI subsystem allows a local low-privilege attacker to gradually exhaust kernel memory by repeatedly triggering registration failures in the ulpi_register() function. A prior fix for a double-free (commit 01af542392b5) removed the kfree(ulpi) call on the device_register() failure path but inadvertently left the allocation unreleased when ulpi_of_register() or ulpi_read_id() fail before device_register() is ever reached. No public exploit exists and EPSS is 0.02%, indicating minimal real-world exploitation pressure; however, patched kernel stable releases are available across all supported branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46108 MEDIUM PATCH This Month

Denial of service in the Linux kernel's IPMI SI (System Interface) driver results from improper state machine recovery when message allocation fails, leaving the driver stuck in a non-normal state and rendering the IPMI subsystem non-functional. Locally authenticated users with low privileges on affected systems with an active ipmi_si module can trigger this condition, typically under memory-pressure scenarios. No public exploit has been identified at time of analysis; EPSS at 0.02% (5th percentile) confirms negligible exploitation interest, and patches are available across multiple stable kernel branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy