Lockfile integrity bypass in the pnpm package manager (versions below 10.34.0, and 11.0.0 through 11.4.0) lets a malicious or compromised registry override a package version's previously recorded hash. On a plain `pnpm install` in non-frozen mode, pnpm detects the tarball-vs-lockfile integrity mismatch, warns, then silently performs a 'resolution repair' that accepts the registry's new integrity, rewrites pnpm-lock.yaml, and installs the substituted content while exiting 0. Publicly available exploit code exists (a full reproduction scenario is published in the GitHub advisory), but there is no public exploit identified as used in active attacks; EPSS is low at 0.11%.
Broken access control in the Royal MCP WordPress plugin (versions up to and including 1.4.25) lets authenticated low-privilege users reach functionality that should be restricted, due to a missing authorization check. With a CVSS of 8.1 and high confidentiality and integrity impact, an attacker holding even a basic account can read and alter data they should not be able to touch. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated local file inclusion in the WordPress 'Meta Data and Taxonomy Filter' (MDTF) plugin by pluginus.net affects all versions up to and including 1.3.8, allowing remote attackers without credentials to coerce the PHP application into including arbitrary local files. Per its CVSS:3.1 vector (AV:N/PR:N), exploitation is network-reachable and unauthenticated, though the high attack complexity (AC:H) implies non-trivial preconditions. This is classified as information disclosure but rated 8.1 with full C/I/A impact; there is no public exploit identified at time of analysis and it is not on the CISA KEV list.
Use-after-free in the Linux kernel's Bluetooth RFCOMM subsystem allows an attacker within Bluetooth range to corrupt kernel memory by racing an incoming RFCOMM connection against the close of a listener socket. The flaw lives in rfcomm_connect_ind(), which uses a listener socket returned by rfcomm_get_sock_by_channel() after the protecting list lock is dropped and without taking a reference, so a concurrent rfcomm_sock_release() can free the parent socket before it is locked and a child is enqueued. KASAN confirmed a slab-use-after-free in lock_sock_nested(); EPSS is low (0.17%, 7th percentile), there is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Cross-bucket read/write in SeaweedFS before 4.30 lets remote attackers escape a bucket's namespace because the S3 API gateway and the Iceberg REST catalog gateway build their gorilla/mux routers with SkipClean(true), letting a literal '..' segment survive routing before downstream path joins collapse it server-side. A request like 'GET /bucket-A/../evil-bucket/key' is routed as bucket=bucket-A but resolves to evil-bucket, allowing an actor to read or write objects in buckets they should not reach. There is no public exploit identified at time of analysis; the issue is fixed in 4.30 via PR #9687.
Out-of-bounds kernel heap write in the AMD Display (amdgpu) driver's HDMI HDCP 2.x repeater authentication path affects Linux kernels from 5.6 through the 7.1 release candidates. When reading a downstream sink's RxStatus register, the driver in mod_hdcp_read_rx_id_list() uses an attacker-influenced 10-bit message-size field (up to 1023 bytes) as the I2C read length without bounding it to the 177-byte rx_id_list buffer, so a malicious HDMI repeater can force a write past the buffer and corrupt kernel memory. There is no public exploit identified at time of analysis and EPSS is low (0.21%, 11th percentile); it is not listed in CISA KEV.
Kernel-level heap buffer overflow (out-of-bounds write) in the Linux kernel's io_ti USB-serial driver (used by Digi Edgeport TI-based USB serial adapters) allows a local low-privileged attacker or a malicious/crafted firmware image to corrupt kernel heap memory. The flaw lives in build_i2c_fw_hdr(), which copies an attacker-influenced 16-bit Length field (up to 65535) from the firmware image into a fixed-size buffer without validating it fits the remaining space after the ti_i2c_firmware_rec header. There is no public exploit identified at time of analysis, EPSS is low (0.20%, 10th percentile), and it is not on the CISA KEV list, so exploitation is theoretical rather than observed.
Heap out-of-bounds write in the Linux kernel's USB serial driver for KL5KUSB105-based adapters (kl5kusb105) lets a write to an attached tty corrupt slab memory two bytes past a 64-byte bulk-out buffer. The flaw is in klsi_105_prepare_write_buffer(), which reserves a two-byte length header but still copies the full buffer size from the write FIFO, overrunning the allocation by KLSI_HDR_LEN (2) bytes. EPSS is low (0.19%, 9th percentile) and there is no public exploit identified at time of analysis; the issue was found via KASAN using emulated hardware (dummy_hcd/raw-gadget), not in-the-wild exploitation.
Local memory corruption in the Linux kernel's Intel VPU accelerator driver (accel/ivpu) lets attacker-influenced firmware data overflow a stack buffer during IPC message receive. The defect is a signed-int truncation of the firmware-supplied data_size in min_t(int, ...), so values >= 0x80000000 turn negative, bypass the size clamp, and drive an oversized memcpy. Rated CVSS 7.8 (AV:L) with a low EPSS of 0.19% (9th percentile); no public exploit identified at time of analysis and it is not in CISA KEV.
Local information disclosure and memory corruption in the Linux kernel's AMD KFD (amdkfd) driver affects GFX11/Navi3x GPUs, where the v11 MQD manager wrongly used CP-compute checkpoint/restore handlers for SDMA queues. During a CRIU checkpoint or restore of an SDMA queue, the driver treats a 512-byte v11_sdma_mqd buffer as a 2048-byte v11_compute_mqd, so it either leaks 1536 bytes of adjacent GTT memory to userspace or overwrites 1536 bytes of neighboring GTT memory (ring buffers or adjacent MQDs). Exploitation requires local access with the ability to drive CRIU checkpoint/restore of a GPU compute process; there is no public exploit identified at time of analysis and EPSS is low (0.18%).
Out-of-bounds kernel memory access in the Linux kernel's AF_XDP (xsk) transmit path allows a local low-privileged process to bypass bounds checking on TX checksum metadata. Because csum_start/csum_offset live in a userspace-mapped UMEM buffer, a malicious application could race to overwrite them between the validation read and the assignment read in xsk_skb_metadata(), defeating the bounds check during checksum computation. No public exploit identified at time of analysis; EPSS is low (0.18%, 8th percentile), consistent with a local-only kernel race rather than a mass-exploited remote bug.
Local privilege escalation via use-after-free in the Linux kernel's XFRM (IPsec) policy subsystem allows a local low-privileged attacker to corrupt kernel memory by racing XFRM_MSG_DELPOLICY and XFRM_MSG_NEWSPDINFO netlink operations. In xfrm_policy_bysel_ctx(), the inexact policy bin was pruned after dropping xfrm_policy_lock, leaving a window where a concurrent xfrm_hash_rebuild() could kfree_rcu() the same bin, leading to a use-after-free. No public exploit identified at time of analysis; EPSS probability is low (0.18%) and it is not listed in CISA KEV.
Local privilege escalation or memory corruption in the Linux kernel's ALSA timer subsystem stems from a use-after-free in snd_timer_user_params() reachable via the SNDRV_TIMER_IOCTL_PARAMS ioctl. A low-privileged local user with access to a timer device (notably userspace timers under CONFIG_SND_UTIMER) can race a concurrent ioctl against timer object release to access freed memory. No public exploit identified at time of analysis, and EPSS is low (0.18%), reflecting the local-only, race-dependent nature of the bug.
Use-after-free in the Linux kernel's transparent huge page code (mm/huge_memory) lets a local low-privileged process read freed folio state when __split_huge_pmd_locked() updates the file/shmem RSS counter only after dropping the PMD mapping's folio reference. On affected kernels (introduced around the 4.19 era through to fixes in 6.x/7.x stable trees), a final folio_put() can free the folio before mm_counter_file() inspects it via folio_test_swapbacked(), enabling reads of freed kernel memory. There is no public exploit identified at time of analysis and EPSS is low (0.18%, 8th percentile), consistent with a hard-to-win race rather than turnkey exploitation.
Local privilege escalation and memory corruption in the Linux kernel's Qualcomm FastRPC misc driver (drivers/misc/fastrpc) arises from a use-after-free of the fastrpc_user structure during concurrent file-descriptor close and DSP response processing. A local user with access to the FastRPC device can race fastrpc_device_release() against the put_work workqueue so that fastrpc_context_free() dereferences an already-freed user object, enabling kernel memory corruption with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and EPSS is low (0.18%), consistent with a hard-to-win kernel race on Qualcomm-only hardware.
Heap out-of-bounds write in the Linux kernel Thunderbolt/USB4 XDomain driver lets a malicious connected peer device corrupt kernel memory. In tb_xdp_properties_request(), the per-packet copy length is taken from the attacker-controlled response header without validating it against the previously kcalloc-allocated data buffer, so a peer advertising a length larger than data_length forces memcpy to write past the allocation. No public exploit identified at time of analysis and EPSS is low (0.18%), but the write-primitive nature (CWE-787) in kernel space makes it a meaningful local/physical attack surface on Thunderbolt-capable hosts.
Kernel panic (denial of service) in the Linux kernel ALSA PCM subsystem occurs when snd_pcm_drain() is called on linked (grouped) audio streams that are concurrently unlinked, corrupting wait queue lists and ultimately dereferencing a NULL function pointer. The flaw stems from init_waitqueue_entry/add_wait_queue not clearing list pointers combined with a conditional remove_wait_queue that is skipped after a concurrent UNLINK, leaving an orphaned wait entry that gets added to two queues at once. It is a local-privilege issue requiring access to ALSA PCM devices; no public exploit has been identified at time of analysis and the EPSS score is very low (0.18%).
Memory corruption in the Linux kernel Bluetooth subsystem (hci_sync) allows a local privileged user to overrun a temporary buffer when the Broadcast Announcement service data is prepended to an already-maximum-sized extended advertising payload. The flaw affects systems using Bluetooth LE Audio / Broadcast Audio Profile advertising; the upstream fix rejects the oversized combination before copying, preserving the existing advertising data. No public exploit identified at time of analysis, and the EPSS probability is very low (0.18%, 8th percentile), indicating no current evidence of widespread exploitation interest.
Heap buffer overflow in the Linux kernel's nl80211 WiFi configuration subsystem (cfg80211) allows a local user with network-configuration privileges to corrupt kernel memory by supplying an oversized EMA (Enhanced Multiple BSSID Advertisement) RNR element list. The parser nl80211_parse_rnr_elems() stores its element count in a u8 field and uses it to size a flexible-array allocation, so submitting 256 or more nested NL80211_ATTR_EMA_RNR_ELEMS attributes wraps the counter and produces an undersized allocation that is then overrun. There is no public exploit identified at time of analysis, EPSS risk is low (0.18%, 8th percentile), and the issue is not in CISA KEV.
Local privilege escalation via use-after-free in the Linux kernel ALSA timer subsystem (sound/core/timer.c) allows an authenticated local user to corrupt kernel memory by triggering dangling references to a freed snd_timer object. When snd_timer_free() unlinked pending instances it left slave timer instances still pointing at the freed master timer; the flaw is readily reachable through the userspace-driven timer interface (CONFIG_SND_UTIMER), where opening/closing a file creates and destroys timer objects while other processes keep accessing them. EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis, but kernel UAF bugs of this class are historically a strong primitive for local privilege escalation.
Use-after-free in the Linux kernel's IBM EMAC Ethernet driver (drivers/net/ethernet/ibm/emac) lets in-flight packet processing touch hardware resources that have already been freed during device removal, because devm_register_netdev() deferred unregister_netdev() until after emac_remove() tore down the hardware. A local attacker who can trigger driver unbind/hot-removal while the interface handles traffic can corrupt kernel memory, potentially escalating to code execution or crashing the system. This is a fixed regression window on IBM PowerPC EMAC hardware; no public exploit identified at time of analysis and EPSS risk is low (0.18%, 7th percentile).
Local privilege escalation potential in the Linux kernel netfilter nf_tables tunnel module (nft_tunnel) stems from a use-after-free triggered when a tunnel object is destroyed while packets still hold a reference to its metadata_dst. The flawed nft_tunnel_obj_destroy() path calls metadata_dst_free(), which kfree()s the structure while ignoring the dst_entry refcount, so packets queued in a qdisc (e.g. netem) later call dst_release() on freed memory. CVSS is 7.8 (high) with CVSS:3.1 vector AV:L/PR:L; EPSS is low at 0.18% (7th percentile), it is not in CISA KEV, and no public exploit identified at time of analysis.
Memory corruption in the Linux kernel's RDMA/umem subsystem occurs because __rdma_block_iter_next() uses 32-bit types to reassemble scatter-gather entries, truncating DMA addresses for block sizes of 4GB or larger when an IOMMU linearizes the mapping. Affected versions span the long-lived 5.2 through 7.1 development line; a low-privileged local actor with RDMA device access can drive the kernel to compute wrong DMA addresses, yielding high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile), consistent with the narrow hardware/configuration prerequisites.
Local memory corruption (double-free) in the Linux kernel netdev generic-netlink interface affects the device-memory RX binding path (netdev_nl_bind_rx_doit) in kernels 7.1-rc1 through 7.1-rc7 and backport-affected stable branches. Because genlmsg_reply() unconditionally consumes the reply skb, the buggy error path then calls nlmsg_free() on that same buffer, freeing it a second time; a local user able to reach the BIND_RX netlink command and force a reply failure can trigger the flaw. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile), consistent with a hard-to-reach error path rather than easy exploitation.
Improper completion-flag handling in the Linux kernel's io_uring networking layer (io_uring/net) causes IORING_CQE_F_BUF_MORE to be dropped when a bundled recv operation retries while using incremental provided buffer rings (IOU_PBUF_RING_INC). Local applications using io_uring can be misled into advancing a buffer ring head past an entry the kernel is still using, leading to buffer reuse, data corruption, and potential information disclosure. There is no public exploit identified at time of analysis, EPSS is low (0.18%), and a vendor patch is available across stable trees.
Use-after-free in the Linux kernel zram block-device driver allows local attackers to corrupt freed kernel page memory when a zram device is configured with a writeback (ZRAM_WB) backing device. The flaw is in zram_bvec_write_partial(), which passes its parent bio into zram_read_page(), causing the backing-device read to be dispatched asynchronously and return before completion; the buffer is then copied, rewritten, and freed while the in-flight read still writes into it. With a CVSS of 7.8 (high) but a low EPSS of 0.18% (7th percentile) and no public exploit identified at time of analysis, this is a memory-corruption primitive with potential for privilege escalation but no evidence of real-world abuse.
Local privilege/availability weakness in the Linux kernel memory cgroup (memcg) subsystem stems from refill_stock() calling get_random_u32_below() for victim selection, a routine that is neither reentrant- nor NMI-safe. Because memcg charge draining can occur in NMI context, an NMI landing mid-update of the per-CPU batched_entropy_u32 ChaCha state could corrupt the random subsystem's per-CPU local_lock state. The fix replaces the random pick with a per-CPU round-robin counter serialized by the existing local_trylock; EPSS is very low (0.17%, 7th percentile), this is not in CISA KEV, and no public exploit identified at time of analysis.
Slab use-after-free in the Linux kernel's Phonet subsystem (net/phonet) allows a local privileged actor to trigger memory corruption when a phonet_device is torn down. phonet_device_destroy() unlinks the object from the per-net device list with list_del_rcu() but frees it immediately, so concurrent RCU readers can still dereference the freed object; the fix converts the free to kfree_rcu(). No public exploit identified at time of analysis, EPSS is very low (0.17%, 7th percentile), and it is not on CISA KEV, but the CVSS 3.1 base score is 7.8 (High) reflecting full confidentiality, integrity and availability impact from local exploitation.
Kernel memory corruption in the Linux memory-management list_lru subsystem (memory cgroup reparenting path) allows a local user to corrupt linked-list pointers and destabilize or potentially escalate privileges on the system. The flaw is a race condition in memcg_reparent_list_lrus(), affecting kernels from 6.13 onward; it carries CVSS 7.8 (High) with full confidentiality, integrity and availability impact but a low EPSS of 0.17% (7th percentile). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation and memory corruption in the Linux kernel DRM/GEM subsystem stems from a race condition in the GEM change_handle ioctl when it runs concurrently with gem_close, where botched two-stage idr_replace handling against the wrong idr slot allows a concurrent close to steal the object's only inherited reference. The flaw affects systems using the DRM graphics stack (notably AMD GPU paths, per source tags) and an unprivileged local user with access to a DRM render/card device can trigger a use-after-free, with the upstream resolution disabling the change_handle ioctl entirely until the locking can be proven correct. No public exploit identified at time of analysis and EPSS is low (0.17%, 7th percentile), consistent with a local-only, hard-to-win race rather than mass exploitation.
Local privilege escalation or kernel memory corruption in the Linux kernel's OP-TEE (Trusted Execution Environment) driver arises from a use-after-free in the supplicant request path on ARM TrustZone systems. After commit 70b0d6b0a199 made the client wait killable, a client task can exit and kfree() its request while its ID still lives in supp->idr, so a later supplicant lookup dereferences freed memory. CVSS 7.8 (local, low privilege) with EPSS at 0.17% (7th percentile); no public exploit identified at time of analysis and not listed in CISA KEV.
Use-after-free in the Linux kernel's IPVS (IP Virtual Server) load balancer allows a local privileged user to corrupt kernel memory by editing a virtual service's scheduler. ip_vs_edit_service() cleared svc->scheduler only after the old scheduler module had already initiated RCU callbacks, so in-flight packets could dereference svc->sched_data after it was freed at the end of the RCU grace period. The flaw carries CVSS 7.8 with high confidentiality, integrity, and availability impact; EPSS is low (0.17%, 7th percentile) and there is no public exploit identified at time of analysis.
Local privilege-escalation/memory-corruption in the Linux kernel device-mapper dm-cache 'smq' policy allows a low-privileged local user to trigger a check-then-act race in smq_invalidate_mapping(). The e->allocated predicate was evaluated outside mq->lock, so two concurrent cache-block invalidators can both see an entry as allocated and free it twice, corrupting the SMQ queues/hash table and tripping the allocation assertion in free_entry(). No public exploit is identified at time of analysis and EPSS exploitation probability is low (0.17%, 7th percentile); the issue is not listed in CISA KEV.
Local privilege-bearing users can trigger a use-after-free in the Linux kernel's net/sched action subsystem (act_api) by racing concurrent NEWTFILTER and DELFILTER operations, where an action object can be kfree()'d immediately on one CPU while another CPU still holds an RCU-protected reference and calls refcount_inc_not_zero() on freed memory. Affecting the tc action lifecycle, exploitation can corrupt kernel memory and lead to local privilege escalation or denial of service (kernel panic). This issue has no public exploit identified at time of analysis and carries a low EPSS exploitation probability (0.17%, 7th percentile).
Local privilege/memory-integrity exposure in the Linux kernel's drm/xe Intel GPU driver stems from a missed TLB invalidation: a previously merged optimization that skipped GuC scheduler suspend toggling when an exec queue was idle has been reverted because it bypassed the context switch that flushes TLB entries for invalidated userptr VMAs. On Intel Xe GPUs running in long-running (LR)/preempt-fence VM mode, this leaves stale TLB mappings to invalidated user pointers, producing page faults and stale-memory access during userptr invalidation. There is no public exploit identified at time of analysis and EPSS is low (0.17%, 7th percentile); the fix is the revert commit itself, restoring unconditional schedule toggling on suspend.
Local privilege escalation and memory corruption in the Linux kernel's fastrpc misc driver allows an attacker with local low-privileged access to a FastRPC device to trigger a use-after-free in fastrpc_map_create by racing a concurrent MEM_UNMAP against map lookup. The flaw stems from fastrpc_map_lookup returning an unprotected raw pointer after dropping fl->lock, which a concurrent unmap can free before the reference is taken. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.17%, 7th percentile), consistent with a kernel race condition requiring local access and precise timing.
Out-of-bounds heap write in the Linux kernel amdgpu DRM display driver (drm/amd/display) arises because the VBIOS integrated info tables (v1_11 and v2_1) expose unvalidated u8 HdmiRegNum and Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C settings into fixed-size arrays (9 and 3 elements). A malformed VBIOS can set these counts up to 255, overrunning the destination arrays during driver probe on AMD GPU systems. No public exploit has been identified and EPSS is very low (0.17%), but the memory-corruption primitive (CWE-787) carries high confidentiality, integrity, and availability impact per the CVSS 7.8 rating.
Local privilege escalation and memory corruption in the Linux kernel's nvmem core subsystem arises from use-after-free bugs in multiple error paths where __nvmem_device_put() releases the nvmem device (and its backing memory/resources) but the code continues to dereference the freed structure before returning. A local, low-privileged user able to trigger these error paths can corrupt kernel memory, potentially leading to code execution or information disclosure. Fix is upstream in stable kernel trees; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.17%).
Use-after-free in the Linux kernel's EROFS filesystem lets a local attacker who can trigger a decompression I/O race during unmount corrupt kernel memory. When z_erofs_decompress_kickoff() queues asynchronous decompression work, a concurrent unmount can free the superblock info (sbi) before the kworker accesses sbi->sync_decompress, producing a CWE-416 use-after-free with high confidentiality, integrity and availability impact (CVSS 7.8). EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis; the flaw is not on CISA KEV.
Stack-based out-of-bounds write in the Linux kernel netfilter nf_tables conntrack (nft_ct) module lets a local actor with rule-loading capability corrupt the kernel stack, enabling privilege escalation or denial of service. When an nftables ruleset attaches a per-CPU template conntrack (e.g. via 'ct zone set') and a subsequent 'ct original/reply' load expression runs on the same packet, nft_ct_get_eval() mistakes the zeroed template ct for a real conntrack and performs a 16-byte memcpy bounded by an untrusted field, overflowing struct nft_regs on the kernel stack. No public exploit identified at time of analysis, though a historic syzkaller report demonstrates the crash; EPSS risk is low (0.16%, 6th percentile).
Local privilege escalation via use-after-free in the Linux kernel's L2TP PPP (pppol2tp) subsystem allows a low-privileged local user holding a pppol2tp socket to corrupt freed kernel memory. The flaw is a race in pppol2tp_ioctl(), where sk_user_data was dereferenced without reference counting; an attacker stalls the ioctl mid-copy (e.g. via a userfaultfd page-fault sleep) while concurrently closing the socket, freeing the l2tp_session and leaving a dangling pointer. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.16%, 6th percentile).
Improper error handling in the Linux kernel's overlayfs (ovl) directory-iteration code causes ovl_iterate_merged() to return a truncated cache pointer as a bogus non-zero error code after a successful ovl_cache_get(). The flaw is reachable by a local user performing a getdents64/readdir on a stacked overlay-on-overlay mount, as demonstrated by a syzbot reproducer; there is no public exploit and it is not actively exploited. EPSS is very low (0.16%, 6th percentile), consistent with a hard-to-leverage local logic bug rather than a broadly weaponizable flaw.
Heap out-of-bounds write in the Linux kernel's accel/ethosu DRM driver (Arm Ethos-U NPU accelerator) allows a local user with access to the device to corrupt kernel heap memory through the command-stream copy-and-validate ioctl. The flaw stems from the parser advancing its index for 64-bit (bit-14-set) command words without re-checking the buffer bound, letting a crafted command stream write four bytes past a DMA allocation of attacker-controlled size. No public exploit is identified at time of analysis, EPSS is low (0.16%), and an upstream fix has landed in the stable trees.
Heap out-of-bounds write in the Linux kernel's Arm Ethos-U NPU accelerator driver (accel/ethosu) lets a local user with access to the NPU device corrupt adjacent kernel heap memory. The command-stream parser masks the IFM region index with 0x7f (max 127) instead of 0x7 (max 7) like every other region assignment, so a crafted NPU_SET_IFM_REGION opcode with param > 7 indexes far past the 8-entry region_size[]/output_region[] arrays, writing up to ~1016 bytes beyond the allocation. No public exploit identified at time of analysis, and EPSS is low (0.16%), but the bug is a classic exploitable heap-overflow primitive in privileged kernel context.
Memory corruption via a use-after-free in the Linux kernel's IPv6 anycast subsystem allows a local attacker to read freed slab memory and potentially corrupt kernel state. The flaw lives in __ipv6_dev_ac_inc()/ipv6_add_acaddr_hash(), where an ifacaddr6 (aca) object is published into the global inet6_acaddr_lst[] hash outside idev->lock, opening a race with device teardown (ipv6_ac_destroy_dev) that frees the object while it is still linked in the RCU-walked hash. EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis, but the vendor has shipped a fix.
Local privilege escalation potential via a use-after-free in the Linux kernel's Bluetooth ISO (Isochronous) subsystem affects kernels through 6.19 and related stable trees. In iso_sock_rebind_bc(), the code caches the hci_conn pointer (bis) and then drops the socket lock to acquire hci_dev_lock; a concurrent close() during this unlocked window can destroy the connection and free the bis structure, so the subsequent hci_dev_lock(bis->hdev) dereferences freed memory. There is no public exploit identified at time of analysis and EPSS is low (0.15%, 5th percentile), but a kernel UAF reachable by a local user warrants timely patching.
Local privilege escalation to root in OpenBSD through 7.9 arises from a use-after-free in the System V semaphore subsystem (sys/kern/sysv_sem.c). An authenticated local user calling sys_semget() can trigger a context-switch use-after-free after tsleep(), where a freed semid_ds_kern structure is reused, enabling kernel memory corruption and full root compromise. There is no public exploit identified at time of analysis, EPSS probability is low (0.12%), and the issue is not listed in CISA KEV; the upstream fix adds reference counting (sem_ref/sem_rele) around the sleep window.
Local privilege escalation to code execution affects Dell Display and Peripheral Manager (DDPM) for Windows in all versions prior to 2.3, where an Improper Access Control flaw (CWE-284) lets a low-privileged local user execute arbitrary code in a higher-privileged context. The CVSS 3.1 base score is 7.8 (High), reflecting full confidentiality, integrity, and availability impact from a local, low-privilege starting point with no user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Protection mechanism bypass in Dell Display and Peripheral Manager for Mac (versions prior to 2.3) stems from improper certificate validation, allowing a low-privileged local user to defeat a security control the application relies on. Dell self-reported the issue and there is no public exploit identified at time of analysis; EPSS is very low (0.07%) and CISA SSVC marks exploitation status as 'none', though technical impact is rated 'total'. The flaw affects the macOS build of DDPM, a companion utility for Dell monitors and peripherals.
OS command injection in Dell Display and Peripheral Manager (DDPM) for macOS, all versions prior to 2.3, allows a low-privileged local user to inject and execute arbitrary operating-system commands through improperly neutralized special elements (CWE-78). Because the affected component is a privileged peripheral-management utility, successful injection can yield command execution with full impact to confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, so risk is currently theoretical but high-impact for systems with this Dell utility installed.