Local privilege-escalation-adjacent denial of service and potential memory corruption in the Linux kernel's AMD GPU VCN3 (Video Core Next 3) driver allows a local low-privileged user with GPU access to trigger an integer overflow in the message bound check of the drm/amdgpu/vcn3 subsystem. The flaw was identified by AMD's SDL review and patched upstream, and per CVSS it yields high confidentiality and availability impact without integrity impact. Exploitation status: no public exploit identified at time of analysis, and EPSS is very low at 0.02%.
Out-of-bounds memory access in the Linux kernel's amdgpu (AMD GPU) driver allows local users with low privileges to trigger denial of service or read sensitive kernel memory by interacting with the uvd/vce/vcn IB (indirect buffer) handling paths. The flaw stems from missing bounds checks in ib_get_value and ib_set_value when accessing the IB at predefined offsets, compounded by a signed-integer index that could overflow. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%.
Unclocked register access in the Linux kernel's Cadence Quadspi SPI controller driver (spi-cadence-quadspi) occurs during driver unbind, affecting kernel versions through 7.0.x and 7.1-rc1. A local low-privileged user able to trigger driver unbind can cause high-impact confidentiality loss and denial of service on systems using affected SPI hardware. There is no public exploit identified at time of analysis and EPSS rates exploitation probability at just 0.02%.
Out-of-bounds read in the Linux kernel's framebuffer console (fbcon) subsystem allows a local low-privileged attacker to access kernel memory beyond the font buffer when console rotation is enabled and font reallocation fails. The flaw resides in fbcon_rotate_font() which retains the undersized old buffer after a failed reallocation, so printing characters with high-enough codes overflows the font buffer during putcs operations. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%), but the issue is patched across multiple stable kernel branches.
Out-of-bounds read in the Linux kernel's SPI-NOR flash debugfs interface (spi_nor_params_show) allows local authenticated users with debugfs access to trigger memory disclosure or denial of service on 64-bit systems. The flaw stems from sizeof() being used on a pointer array instead of ARRAY_SIZE(), inflating the bounds-check length by 8x. No public exploit identified at time of analysis and EPSS rates exploitation likelihood at 0.02%.
Permission check bypass in the Linux kernel's fanotify subsystem allows local low-privileged users to circumvent access control decisions enforced by fanotify-based security tools. The flaw stems from fsnotify_get_mark_safe() incorrectly returning false for marks on unrelated groups, causing the permission event evaluation to be skipped entirely. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%, but the impact on systems relying on fanotify for access control (antivirus, EDR, HSM) is significant.
Out-of-bounds stack read in the Linux kernel SCSI target subsystem's configfs interface allows a local privileged user to trigger a kernel panic or leak adjacent stack memory by reading the tg_pt_gp members sysfs attribute when a long iSCSI IQN fabric WWN (up to 223 bytes) is configured. The flaw stems from misusing the snprintf() return value (which reports intended length, not bytes written) as a memcpy() source length. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 5th percentile).
Out-of-bounds kernel memory read in the Linux kernel's MediaTek Bluetooth driver (btmtk) lets a short or malformed WMT firmware event response trigger reads past the SKB tailroom in btmtk_usb_hci_wmt_sync(), potentially leaking adjacent kernel memory or crashing the host. The flaw affects systems using MediaTek USB Bluetooth controllers (MT76xx family) on kernels around 6.11 through release candidates of 7.1, scoring CVSS 7.1 with high confidentiality and availability impact. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%), but a vendor fix is available across multiple stable branches.
Out-of-bounds read in the Linux kernel's dm-verity-fec (forward error correction) subsystem allows kernel memory disclosure or a crash when decoding Reed-Solomon parity data. The flaw affects the device-mapper verity FEC code where fec_decode_bufs() wrongly assumes parity bytes of the first RS codeword never span a parity-block boundary; with certain non-default fec_roots values combined with low-memory buffer-allocation failures, the decoder reads past the end of the parity block buffer. Tracked as CWE-125, it carries a 7.1 CVSS (local, low complexity per NVD) but a negligible EPSS of 0.02%, and there is no public exploit identified at time of analysis.
Filesystem inconsistency in the Linux kernel's F2FS implementation allows local authenticated users to trigger fsck misinterpretation of node block migration as fsync-written data, resulting in filesystem integrity issues following a sudden power-off (SPO). Affecting Linux kernel versions through 7.0.7 and 7.1-rc1 (with backports to 6.18.30), the flaw stems from Foreground Garbage Collection (FGGC) failing to clear dentry and fsync marks during node block migration. No public exploit identified at time of analysis, and EPSS is very low at 0.02% (4th percentile).
Command injection in the rpmuncompress utility of RPM allows local attackers to execute arbitrary commands when a victim extracts a maliciously crafted ZIP, 7z, or GEM archive whose top-level folder name contains shell metacharacters. The flaw affects Red Hat Enterprise Linux 6 through 10 and downstream products including OpenShift Container Platform 4, Satellite 6, Red Hat Hardened Images, and Quarkus Native Builder. No public exploit identified at time of analysis, and the issue requires user interaction with an attacker-supplied archive, but successful exploitation yields full code execution under the extracting user's identity.
Memory corruption in the Linux kernel's btrfs filesystem can be triggered when create_space_info_sub_group() encounters a kobject initialization failure, causing the sub_group structure to be freed twice. The double-free occurs because btrfs_sysfs_add_space_info_type() already releases the memory via kobject_put() in its error path, after which the caller frees it again. EPSS scores this at 0.02% (5th percentile) and there is no public exploit identified at time of analysis, but a vendor-released patch is available.
Local privilege escalation potential exists in the Linux kernel's sched_ext (SCX) subsystem where a use-after-free condition in cgroup setter operations can be triggered when a BPF scheduler is swapped concurrently with cgroup weight, idle, or bandwidth updates. The flaw affects kernel 6.18 and related stable branches and stems from reading scx_root outside the scx_cgroup_ops_rwsem, allowing a stale pointer to be dereferenced after the previous scheduler is freed via RCU. EPSS is very low (0.02%) and no public exploit is identified at time of analysis.