wolfSSL's ML-KEM ARM64 NEON decapsulation path compares only half of the re-encrypted ciphertext during the Fujisaki-Okamoto implicit rejection step, breaking the IND-CCA2 security proof for post-quantum key exchange on that architecture. This affects any ARM64 deployment of wolfSSL with ML-KEM (FIPS 203) compiled in and in active use. An attacker who can submit adaptively chosen ciphertexts to a decapsulating party - for example via man-in-the-middle position during a post-quantum TLS handshake - may exploit the broken comparison to bypass implicit rejection, potentially enabling shared-secret recovery through repeated adaptive queries. No public exploit has been identified and the vulnerability is not listed in the CISA KEV at time of analysis.
OCSP certificate status lookup in wolfSSL returns the wrong certificate's revocation status when a same-issuer SingleResponse serial number is a byte-prefix of the requested certificate's serial. The `wolfSSL_OCSP_resp_find_status` function in `src/ocsp.c` compared serial bytes via XMEMCMP without first verifying that both serial lengths are equal, allowing a 2-byte serial `01:02` in an OCSP response to satisfy a lookup for a 3-byte certificate serial `01:02:03`. No public exploit has been identified at time of analysis, but the integrity consequence is concrete: a revoked certificate could be incorrectly reported as valid if an attacker can supply a crafted OCSP response.
wolfSSL's certificate chain validation logic incorrectly evaluates wildcard DNS Subject Alternative Names (SANs) against CA-enforced name constraints, allowing certificates that should be rejected under a constrained PKI hierarchy to be silently accepted. Any wolfSSL-powered application that validates certificate chains in a PKI where intermediate or root CAs define permitted or excluded DNS name constraints per RFC 5280 §4.2.1.10 is affected; all versions matching cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:* are listed as affected. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified; an upstream patch is available via PR #10549 but a tagged release version has not been independently confirmed.
Certificate chain validation bypass in wolfSSL's OpenSSL-compatibility layer permits a crafted intermediate CA certificate asserting CA:TRUE but missing the keyCertSign key usage bit to be accepted as a valid signing CA during path building. Affected deployments are those compiled with OPENSSL_EXTRA or OPENSSL_ALL that use the X509_verify_cert/X509_STORE API; native wolfSSL verification is entirely unaffected. No public exploit identified at time of analysis, and no CISA KEV listing exists, but the integrity risk is concrete for any application relying on wolfSSL's OpenSSL-compat path for mutual TLS or client certificate authentication.
Unrestricted PHP file upload in K2 extension for Joomla (versions 1.0–2.26) enables any authenticated K2 Author to achieve remote code execution by uploading a PHP webshell via the frontend article-attachment upload endpoint and executing it through Apache mod_php. Because the upload handler performs no extension filtering, a `.php` file is written to `/media/k2/attachments/` and served by Apache's standard `\.php$` handler, executing arbitrary code as the web server process user. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the attack path is elementary once Author-level access is obtained.
Incorrect authorization in Netflix Lemur's role management API allows any authenticated role member to rewrite the membership list and rename their own role via the PUT /api/1/roles/<id> endpoint in versions up to and including 1.9.1. The RoleMemberPermission check uses OR-semantics, meaning membership of a role is sufficient to mutate it - an authorization oversight confirmed by the asymmetry with the DELETE handler on the same resource, which correctly enforces admin-only access. Exploitation enables lateral privilege escalation within a Lemur PKI deployment: a malicious role member can inject colluders into certificate or authority management roles, remove legitimate members, or rename roles. No public exploit identified at time of analysis, though detailed reproduction steps are published in the GitHub security advisory GHSA-x3vf-mgxj-7785.
Server-Side Request Forgery in Netflix Lemur's certificate verification pipeline allows an authenticated operator-role user to force the Lemur host to issue outbound HTTP requests to arbitrary internal destinations by uploading a crafted certificate whose CRL Distribution Point or OCSP responder extensions point to RFC1918 addresses, link-local endpoints (169.254.169.254), internal Kubernetes API servers, or loopback interfaces. Both `crl_verify` and `ocsp_verify` in `lemur/certificates/verify.py` pass attacker-controlled URLs directly to network sinks with no destination allow-list, scheme restriction beyond LDAP rejection, or private-address filtering. No public exploit confirmed in CISA KEV, but detailed proof-of-concept reproduction steps are published in the GitHub Security Advisory GHSA-54vg-pfh7-jq95; vendor-released patch v1.9.2 is available.
Payment status replay in pretix-mollie allows unauthenticated attackers to obtain multiple valid event tickets by reusing a single legitimate Mollie payment confirmation. The plugin fails to bind payment status responses to their originating transaction, so a successful payment callback for order A can be submitted against order B. No active exploitation or public proof-of-concept has been identified at time of analysis; a vendor patch was released on 2026-06-25 in version 2026.5.2.
Payment response replay vulnerability in the pretix-oppwa integration allows a remote attacker to reuse a legitimate Oppwa payment confirmation from one transaction to authorize separate, unpaid orders - effectively obtaining multiple valid event tickets with a single payment. All known versions of the pretix-oppwa plugin (cpe:2.3:a:pretix:pretix-oppwa:*) are affected. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the business logic bypass enables direct financial fraud for event organizers. A vendor patch was released in conjunction with Pretix version 2026-5.2.
Payment response replay in the pretix-computop integration allows an unauthenticated network attacker to obtain multiple valid event tickets by paying only once. The Pretix Computop plugin fails to bind successful payment status responses to their originating transaction, so a response captured from a completed payment can be submitted against any other pending order. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified, though the vendor disclosed the issue alongside a fix on 2026-06-25.
Cross-site scripting in GitLab CE/EE (18.10 through 18.11.5, 19.0 through 19.0.2, and 19.1.0) lets an unauthenticated attacker run arbitrary JavaScript in a victim's authenticated browser session by abusing improper path validation, but only under specific conditions and after a logged-in user interacts with attacker-controlled content. The CVSS 8.0 rating (scope-changed, high confidentiality and integrity impact) reflects that successful exploitation effectively hijacks the victim's GitLab session. No public exploit has been identified at time of analysis and the issue is not in CISA KEV, though a HackerOne report exists and GitLab shipped fixes in 18.11.6, 19.0.3, and 19.1.1.
K2 ≤ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping.
Out-of-bounds read in Vim's text property subsystem allows a crafted undo file to crash the editor and potentially disclose adjacent heap memory. All Vim releases prior to 9.2.0670 are affected; the vulnerability is reachable whenever a user loads a malicious undo file with the persistent-undo feature compiled in and enabled. No public exploit or CISA KEV listing exists at time of analysis, placing real-world risk in the low-to-medium range despite the local crash severity.
Session authentication bypass in wolfSSL exposes servers running multiple TLS virtual hosts to cross-vhost peer-authentication spoofing via stateful session-ID resumption. When a client resumes a cached session using a session ID rather than a session ticket, wolfSSL previously skipped the SNI and ALPN binding verification that was already enforced on the ticket-based resumption path - allowing the cached peerAuthGood state and peer-certificate context from one virtual host to be silently carried into a second virtual host with a different client-authentication policy. The upstream fix (PR #10489) extends the binding check to cover stateful resumption, declining mismatched resumptions and falling back to a full handshake. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 6.0 with AC:H and AT:P reflects the non-trivial configuration prerequisites.
PKCS#12 MAC verification in wolfSSL accepts truncated or zero-length MACs because the comparison uses an attacker-controlled length field parsed from the input structure rather than the expected digest size, completely defeating HMAC integrity protection on PKCS#12 key stores. Any wolfSSL-based application that parses PKCS#12 files from untrusted sources - including certificate import endpoints, VPN provisioning services, or key management systems - can be tricked into accepting a structurally tampered PKCS#12 bundle as MAC-verified. No public exploit code or CISA KEV listing has been identified; the upstream fix is available as GitHub PR #10192 but a tagged patched release has not been independently confirmed.
Post-handshake authentication bypass in wolfSSL TLS 1.3 permits a connected client to skip certificate verification during server-initiated post-handshake re-authentication. When a server has issued a post-handshake CertificateRequest via wolfSSL_request_certificate(), a client can send a Finished message without providing a Certificate or CertificateVerify; the server incorrectly applies an initial-handshake exemption and accepts it, treating the client as authenticated. No public exploit is identified and this is not listed in CISA KEV; the vulnerability was self-disclosed by wolfSSL with a patch available in GitHub PR #10702.
wolfSSL's PKCS#7 EnvelopedData decryption leaks RSA PKCS#1 v1.5 padding validity through distinguishable error codes, enabling a classic Bleichenbacher-style padding oracle attack that allows incremental recovery of the Content Encryption Key (CEK). All wolfSSL versions using PKCS#7 Key Transport Recipient Info (KTRI) with RSA PKCS#1 v1.5 are affected when the decryption interface exposes caller-observable error differentiation. A low-privileged attacker able to submit crafted EnvelopedData messages and observe server error responses can mount an adaptive chosen-ciphertext attack to recover session keys without knowledge of the RSA private key; no public exploit or CISA KEV listing has been identified at time of analysis.
Certificate chain validation bypass in wolfSSL's OpenSSL compatibility layer allows a network attacker to present a chain terminating at an untrusted intermediate they control, which is accepted as valid when X509_V_FLAG_PARTIAL_CHAIN is enabled. The flaw (CWE-295) resided in wolfSSL_X509_verify_cert, where the partial-chain fallback confirmed only that some intermediate was temporarily loaded into the CertManager during path building - not that the terminal certificate was in the caller's actual trust store. No public exploit code exists and no CISA KEV listing is present, but successful exploitation defeats certificate validation entirely, enabling impersonation or MITM in affected configurations.
X.509 DNS name constraint enforcement in wolfSSL fails to evaluate the Subject Common Name when no Subject Alternative Name extension is present, allowing a certificate whose CN violates an issuing CA's DNS name constraints to be accepted as valid. Affected deployments include any application using wolfSSL's certificate manager for chain verification where name-constrained intermediate or root CAs are in use. An attacker who can obtain or forge a certificate with a non-compliant CN and no SAN can bypass the policy boundary the constraining CA was intended to enforce, enabling impersonation of hosts outside the permitted domain set. No public exploit identified at time of analysis; upstream fix available as a GitHub pull request.
Signer confusion in wolfSSL's PKCS7_verify implementation allows a crafted PKCS#7 message to report a trusted certificate as the signer even when an attacker-controlled certificate produced the actual signature. Any application using wolfSSL for PKCS#7 signature verification - including JWT workflows flagged in the CVE tags - may incorrectly authorize operations as if from a trusted party. No public exploit has been identified at time of analysis, but the upstream fix is available as GitHub PR #10203 and the vulnerability is straightforwardly reproducible by anyone familiar with PKCS#7 certificate bundle structure.
MAC forgery in wolfSSL 5.9.0 and later allows an attacker to authenticate arbitrary tampered messages when HMAC-BLAKE2 is used with keys exceeding the BLAKE2 block size. The wc_Blake2bHmacFinal and wc_Blake2sHmacFinal functions incorrectly reused the running message hash state to process oversized keys, discarding accumulated message data and producing a MAC that depends solely on the key, not the message. No public exploit has been identified at time of analysis, but the integrity failure is straightforward to exploit in any protocol or application that uses wolfSSL HMAC-BLAKE2 with keys longer than 128 bytes (BLAKE2b) or 64 bytes (BLAKE2s).
DNSSEC validation in PowerDNS Recursor can be silently undermined by network-positioned attackers who spoof DNS replies to trick the Recursor into permanently marking a legitimate authoritative server's IP as EDNS-incapable. Once that state is poisoned, the Recursor is unable to perform proper DNSSEC validation for any zones served by that authoritative server, effectively disabling a critical security layer for downstream clients. No active exploitation has been confirmed by CISA KEV, and no public proof-of-concept has been identified at time of analysis; however, the attack complexity is rated High due to the spoofing prerequisite.
PowerDNS Recursor crashes when processing a malformed SOA record within a catalog zone, resulting in a denial of service for all DNS resolution handled by the affected instance. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) confirms network-reachable unauthenticated exploitation, but high attack complexity reflects the non-default catalog zone configuration required. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
PowerDNS Recursor crashes when a malicious authoritative DNS server serves a crafted zone via the ZoneToCache function, exploiting insufficient input validation to cause a denial of service. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) confirms this is a remotely triggerable availability-only impact, though high attack complexity reflects the prerequisite of controlling or compromising an authoritative name server in the resolution path. No public exploit code has been identified at time of analysis, and no KEV listing exists, but the impact on DNS infrastructure availability makes this a meaningful operational risk for affected deployments.
Arbitrary filesystem write via zip-slip in K3s etcd snapshot restoration affects all K3s versions prior to 1.35.3+k3s1, 1.34.6+k3s1, and v1.33.10+k3s1. A maliciously crafted zip archive with path-traversal entries in member filenames (e.g., '../../etc/cron.d/evil') can overwrite arbitrary files on the host filesystem when an administrator performs a compressed etcd snapshot restore. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.
Stack out-of-bounds write in Vim's spell suggestion engine allows a crafted `.spl`/`.sug` file pair to corrupt the call stack and crash the editor when spell suggestions are invoked. All Vim releases prior to 9.2.0653 are affected, with the flaw in `tree_count_words()` and `sug_filltree()` inside `src/spellfile.c`, where three fixed-size MAXWLEN-element stack arrays are indexed by an unbounded depth counter. No public exploit identified at time of analysis (CVSS 4.0 E:U), though the upstream fix commit includes a detailed proof-of-concept test case reproducing the out-of-bounds write.
Certificate IP address name constraint enforcement in wolfSSL is silently disabled when the library is compiled without the WOLFSSL_IP_ALT_NAME preprocessor define, allowing a CA operator to issue certificates bearing IP address Subject Alternative Names that the issuing CA's nameConstraints extension was intended to prohibit. Any wolfSSL-based TLS endpoint built in this configuration will accept these constraint-violating certificates as valid, undermining PKI-enforced IP address restrictions. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 5.7 reflects meaningful exploitation constraints including high-privilege CA access and a specific non-default build configuration.
Invalid pointer free in the Linux kernel's Open vSwitch (OVS) subsystem allows a local low-privileged user to crash the kernel, resulting in denial of service. The net/openvswitch reply skb cleanup code incorrectly assumes allocation always occurs before mutex acquisition; when allocation fails after locking, an ERR_PTR is passed to kfree_skb(), triggering a kernel panic on any host with OVS active. No public exploit has been identified and EPSS is 0.20% (10th percentile), but the crash is likely deterministic once the code path is reached on a vulnerable kernel.
Percpu memory leak in the Linux kernel Bluetooth subsystem allows a local low-privileged user to exhaust kernel memory by repeatedly triggering early failures in Bluetooth HCI UART device initialization. Affected kernels spanning stable branches from 5.10 through 6.16-rc4 fail to invoke cleanup_srcu_struct() when hci_register_dev() never completes, causing the SRCU struct allocated early in hci_alloc_dev() to persist indefinitely. No public exploit code has been identified at time of analysis, and EPSS at 0.19% (9th percentile) reflects negligible exploitation interest; however the availability impact is rated High by NVD given the potential for kernel memory exhaustion.
Unprivileged local users on Linux systems running unpatched kernels can set IPOPT_SSRR (Strict Source and Record Route) and IPOPT_LSRR (Loose Source and Record Route) IPv4 options without the CAP_NET_RAW capability, enabling them to force outbound packets through attacker-controlled network nodes and leak TCP Initial Sequence Numbers (ISN) along with other protocol metadata. Affected systems span Linux kernel versions from 2.6.12 through multiple stable branches prior to their respective patch releases. No public exploit has been identified at time of analysis, and EPSS remains at 0.18% (8th percentile), indicating low automated exploitation risk.
Three distinct logic errors in the Linux kernel's MRP (Multiple Registration Protocol) PDU parser `mrp_pdu_parse_vecattr()` allow an attacker to corrupt kernel MRP applicant state and PDU parsing offsets, resulting in denial of service. Affected systems must have the `mrp` kernel module loaded with an active IEEE 802.1ak bridge interface. No public exploit exists and EPSS is 0.18% (8th percentile), reflecting low active targeting, though patches across multiple stable branches are available and should be applied routinely.
Out-of-bounds read in the Linux kernel netlabel subsystem allows a local low-privileged attacker to crash the kernel by submitting a crafted Generic Netlink request with a valid IPv4/IPv6 address attribute paired with a shorter-than-expected mask attribute. The netlbl_unlabel_addrinfo_get() function relied solely on the address attribute length to determine address family, then unconditionally read the mask attribute as a full struct in_addr (4 bytes) or struct in6_addr (16 bytes) without independently validating the mask length. No public exploit or active exploitation has been identified (EPSS 0.18%, 8th percentile); patches are available across all maintained stable branches.
Netfilter x_tables in the Linux kernel leaks raw percpu counter pointer addresses to userspace on SMP systems via a crafted fault-window attack against the get-entries path. A local user with netfilter access can engineer a userspace buffer that triggers a page fault after the kernel copies the internal percpu allocation pointer (pcnt) but before the sanitized counter snapshot overwrites it, causing the syscall to return -EFAULT while leaving the raw kernel virtual address exposed in the caller's buffer. No public exploit is identified at time of analysis and EPSS sits at 0.18% (8th percentile), but the leaked percpu address functions as a KASLR bypass primitive chainable with a second vulnerability to achieve privilege escalation.
Register tracking corruption in the Linux kernel's netfilter nft_exthdr subsystem allows a local low-privileged attacker with nftables configuration rights to trigger reads of uninitialized stack data from nft_regs, resulting in kernel instability or denial of service. The flaw affects any kernel version since the introduction of commit c078ca3b0c5b through the respective unpatched stable branches. EPSS is 0.18% (8th percentile) and this vulnerability is not listed in CISA KEV, indicating low exploitation activity; however, the ubiquity of Linux deployments means patching across stable LTS branches is warranted.
The vsock/VMCI transport in the Linux kernel silently leaks the accept queue counter (sk_ack_backlog) on every failed vsock connection handshake, eventually causing a permanent denial of service on any vsock listener. Repeated handshake failures caused by malformed packets, queue pair allocation failures, or event subscription failures each increment sk_ack_backlog without a corresponding decrement; once the counter reaches sk_max_ack_backlog, the listener rejects all subsequent connections with -ECONNREFUSED until the owning process is restarted. No public exploit identified at time of analysis; EPSS of 0.18% at the 8th percentile reflects low automated exploitation probability, consistent with the VMware-specific exposure requirement.
Thunderbolt XDomain property validator in the Linux kernel triggers a heap underflow when processing zero-length TEXT property entries, enabling a local low-privileged attacker to crash the kernel (denial of service). The root cause is in tb_property_entry_valid(), which permits length==0 for TEXT entries that subsequently compute an array index of -1 during null-termination (0 * 4 - 1), writing one byte before the allocated buffer. No public exploit has been identified and EPSS is extremely low at 0.18% (8th percentile), indicating negligible opportunistic exploitation pressure despite the kernel's ubiquitous deployment footprint.
Sleep-inside-lock in the Linux kernel's SMC networking subsystem (`__smc_setsockopt()`) allows a local low-privilege user to hold the socket lock indefinitely, exhausting kernel worker threads and triggering the hung task watchdog - producing a local denial of service. Affected systems must have the `net/smc` module loaded and a user-space mechanism (userfaultfd or FUSE) available to stall the in-kernel copy operation. No public exploit has been identified at time of analysis, and EPSS at 0.18% (8th percentile) reflects very low mass-exploitation probability; however, the technique is well-understood in kernel security research.
TCP socket side-channel information disclosure in the Linux kernel allows unprivileged local users to attach classic BPF (cBPF) filters via SO_ATTACH_FILTER to TCP sockets and observe TCP sequence and acknowledgment numbers, potentially enabling session inference or TCP injection assistance. The vulnerability exists because no capability check was enforced before this patch, which now restricts SO_ATTACH_FILTER on TCP sockets to processes holding CAP_NET_ADMIN. No public exploit identified at time of analysis; EPSS stands at 0.18% (8th percentile), and patched releases are available across multiple stable kernel branches including 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, and 7.1.
Memory leak in the Linux kernel's drm/vc4 (Broadcom VideoCore IV DRM) driver allows a local low-privileged user to gradually exhaust kernel memory under allocation-failure conditions. The flaw arises because the return value of krealloc() is assigned directly back to the original pointer without a NULL check - if krealloc() fails and returns NULL, the reference to the previously allocated buffer is silently overwritten, permanently leaking that memory. No public exploit code is identified at time of analysis, and EPSS probability is extremely low at 0.18% (8th percentile), consistent with the local-only, condition-dependent nature of the bug.
Recursive spinlock AA deadlock in the Linux kernel's hugetlb memory-failure subsystem allows a local user to hang or panic the kernel by racing two concurrent madvise(MADV_HWPOISON) calls against a concurrent unmap on the same hugetlb folio. The flaw exists because get_huge_page_for_hwpoison() held hugetlb_lock while calling folio_put(), which - when concurrent unmap had already dropped the page-table reference - triggered free_huge_folio() to re-acquire the non-recursive lock, causing an irrecoverable deadlock. No confirmed active exploitation exists (not in CISA KEV), and EPSS sits at 0.18% (8th percentile), indicating negligible real-world exploitation probability at this time.
Bluetooth L2CAP in the Linux kernel fails to enforce the signaling MTU (MTUsig = 48 bytes) in l2cap_sig_channel(), enabling a nearby BR/EDR peer to send a single oversized fixed-channel signaling packet packed with many ECHO_REQ commands before pairing and force a proportional burst of ECHO_RSP frames. In a confirmed test, one 681-byte CID 0x0001 packet containing 168 ECHO_REQ commands caused the target to emit 168 responses over approximately 220 ms - roughly a 250× frame amplification - constituting a traffic-amplification denial-of-service. No active exploitation has been identified at time of analysis; vendor-released patches are available across multiple stable kernel branches.
Kernel crash via FUSE pagecache misuse in the Linux kernel allows a local low-privileged user controlling a FUSE daemon to trigger a WARN_ON() assertion in fuse_parse_cache() by sending FUSE_NOTIFY_STORE or FUSE_NOTIFY_RETRIEVE notifications targeting directory inodes instead of regular files, causing a denial-of-service kernel crash. The vulnerability specifically affects FUSE filesystems that have directory caching (FOPEN_CACHE_DIR) enabled, a non-default configuration that exposes kernel-internal pagecache storage to invalid manipulation. No public exploit has been identified, EPSS sits at 0.18% (7th percentile), and patches have been released across all active Linux stable branches.
NULL pointer dereference and buffer over-read in the Linux kernel's AMD display driver (drm/amd/display) can be triggered by a local user writing to the sdp_message debugfs node, causing a kernel panic and denial of service. The dp_sdp_message_debugfs_write() function fails to check whether connector->base.state->crtc is NULL - a valid transient state after GPU hotplug before an atomic commit - and unconditionally passes 36 bytes to copy_from_user() regardless of the caller-provided size, enabling a second over-read path. No public exploit or CISA KEV listing exists; EPSS is 0.18% (7th percentile), consistent with a localized, hardware-dependent DoS.
{4,6}_eval() zeroes only the first of four declared registers, leaving three registers holding uninitialized contents from nft_do_chain()'s struct nft_regs stack frame; a downstream nftables expression reading the full IFNAMSIZ span then exposes that data to userspace. No public exploit code has been identified at time of analysis and EPSS sits at the 7th percentile (0.18%), consistent with a narrow, locally-gated exploitation path.
Reference leak in the Linux kernel Bluetooth ISO subsystem allows a local low-privileged user to exhaust kernel resources and cause a denial of service. The `iso_conn_big_sync` function acquires an `hci_dev` reference via `hci_dev_hold()` through `hci_get_route()` but never releases it, violating the borrow contract. No active exploitation has been confirmed and EPSS is very low at 0.18% (7th percentile), but the affected surface - the BLE Audio Broadcast Isochronous Group (BIG) synchronization path - is present on any Linux system with a Bluetooth controller.
Stack overread in the Linux kernel ALSA MIDI sequencer dummy client (snd_seq_dummy) allows a local low-privileged user to crash the kernel or potentially leak kernel stack contents by sending a crafted Universal MIDI Packet (UMP) event. The dummy port copies incoming events into a legacy-sized stack temporary, but when the UMP flag remains set the delivery path calls snd_seq_event_packet_size() and copies a larger UMP-sized packet from that undersized allocation, reading past the stack buffer end. No public exploit has been identified and EPSS is 0.18% (7th percentile), placing this firmly in routine-patch rather than emergency-response territory.
NULL pointer dereference in the Linux kernel's Marvell EBU GPIO driver (gpio/mvebu) causes a kernel oops and system crash during suspend/resume operations on Marvell Armada ARM platforms. The flaw affects all stable kernel branches from 4.12 onward where mvebu_pwm_suspend() and mvebu_pwm_resume() are unconditionally invoked for every GPIO bank, including those where mvchip->mvpwm is NULL due to absent PWM hardware. A local authenticated user with sufficient privileges to trigger system suspend can crash the kernel with no recovery, resulting in full availability loss. No public exploit exists and EPSS is 0.18% (7th percentile), reflecting a niche hardware dependency that sharply limits real-world exposure.
NULL pointer dereference in the Linux kernel netfilter bridge redirect target crashes the kernel when a bridge port is removed or reassigned between an initial NFQUEUE hook invocation and packet reinject. The affected function ebt_redirect_tg() in the ebtables bridge filtering subsystem calls br_port_get_rcu() without guarding against a NULL return, and the additional complexity noted in the fix is that a mere NULL check would still be insufficient - userspace can move the device into a macvlan while the packet is queued, requiring the packet to be dropped entirely. This flaw has existed since commit f350a0a87374418635689471606454abc7beaa3a (kernel 2.6.36), making it a long-standing latent bug. No public exploit identified at time of analysis; EPSS at 0.18% (7th percentile) signals negligible automated exploitation risk.
Memory leak in the Linux kernel TEE subsystem's register_shm_helper() function allows a local low-privileged user to exhaust kernel memory and degrade system availability. Triggering the leak requires calling the TEE_IOC_SHM_REGISTER ioctl with a length of zero, causing the function to allocate shared memory and then skip its deallocation when iov_iter_npages() returns 0. No public exploit has been identified at time of analysis, and EPSS sits at the 7th percentile, indicating very low real-world exploitation probability.
Reference-count leak in the Linux kernel's drm/virtio GPU driver allows a local low-privilege user inside a QEMU/KVM virtual machine to gradually exhaust kernel memory, causing a guest denial of service. The bug exists in virtio_gpu_dma_fence_wait(), where an early error return from inside dma_fence_unwrap_for_each() leaves a dma_fence reference acquired by dma_fence_unwrap_first() unreleased - the only such early-return site in the entire kernel tree. No public exploit is identified at time of analysis and EPSS sits at 0.18% (7th percentile), consistent with the absence from CISA KEV and the non-trivial conditions required to trigger repeated fence-wait failures.