Skip to main content
CVE-2026-10833 MEDIUM This Month

Stored Cross-Site Scripting in Essential Blocks for WordPress (all versions through 6.1.4) allows authenticated Contributor-level users to permanently embed malicious JavaScript into pages via the `configurablePrefix` attribute of the Table of Contents block. The payload persists in the database and executes in every subsequent visitor's browser, enabling session hijacking, credential theft, or forced redirects at scale across the site's audience. No public exploit code or CISA KEV listing is present in the available intelligence, but Wordfence's disclosure paired with publicly accessible source-level Trac links substantially lowers the effort required to develop a working exploit.

WordPress XSS Gutenberg Essential Blocks Page Builder For Gutenberg Blocks Patterns
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-57235 MEDIUM PATCH This Month

Out-of-bounds read in Nokogiri's `NodeSet#[]` method (all versions before 1.19.4) enables an attacker who can supply a large negative integer index to bypass a 32-bit-truncated bounds check and trigger a read outside the node set's allocated memory. On CRuby (MRI Ruby), this typically crashes the process - denial of service - with ancillary potential for heap memory disclosure; on JRuby, the runtime's managed memory prevents memory corruption, but an incorrect node is silently returned. No public exploit or active exploitation has been identified; exploitation requires the target application to forward attacker-controlled integers directly to the `NodeSet#[]` or `#slice` API.

Buffer Overflow Information Disclosure Nokogiri Suse
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-6094 MEDIUM PATCH This Month

Heap buffer overread in wolfSSL's PKCS7 EnvelopedData parser allows network-reachable attackers to trigger a low-impact availability disruption or potential memory disclosure by supplying a crafted S/MIME or CMS message. The root cause is a missing integer-overflow-safe bounds check before XMEMCPY calls in wc_PKCS7_DecodeEnvelopedData, wc_PKCS7_DecodeAuthEnvelopedData, and wc_PKCS7_DecodeEncryptedData - all three paths lacked validation that idx + encryptedContentSz does not exceed the input buffer. No public exploit code has been identified at time of analysis, and wolfSSL's own CVSS 4.0 vector classifies attack requirements as present (AT:P), meaning exploitation is not straightforwardly reliable.

Buffer Overflow Information Disclosure Wolfssl
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-12340 MEDIUM PATCH This Month

Out-of-bounds heap read in wolfSSL's SM2/SM3 certificate parser exposes applications to remote denial of service when processing malformed certificates. During Subject Key Identifier computation in SM3wSM2 certificate verification, the library unconditionally reads 65 bytes from the public key field without first validating that the key is at least that long - a crafted certificate with a sub-65-byte public key triggers a heap over-read, crashing the process. This vulnerability is scoped exclusively to wolfSSL builds compiled with SM2 support (--enable-sm2 or --enable-all), and no public exploit or CISA KEV listing exists at time of analysis.

Denial Of Service Buffer Overflow Information Disclosure Wolfssl
NVD GitHub
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-57522 LOW POC PATCH Monitor

JSON injection in Bitwarden Server's IntegrationTemplateProcessor.ReplaceTokens() allows authenticated organization members to corrupt event-integration payloads delivered to webhook, SIEM, Slack, Teams, or Datadog endpoints. Any organization running Bitwarden Server prior to 2026.5.0 that has configured event integrations referencing user-controlled tokens such as #ActingUserName# or #UserName# is exposed. A public proof-of-concept exists per VulnCheck and independent researcher disclosure; exploitation is constrained by authentication and specific integration-configuration prerequisites, reflected in the low CVSS 4.0 score of 2.3.

Code Injection Server
NVD GitHub
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-56771 MEDIUM PATCH This Month

Server-side request forgery in NewsBlur's add_url endpoint allows any authenticated user to direct the server to issue arbitrary HTTP requests to private, loopback, or link-local addresses, including cloud instance metadata services. All NewsBlur deployments prior to version 14.5.0 (CPE: cpe:2.3:a:samuelclay:newsblur) are affected. An attacker with a valid account can supply a URL resolving to 169.254.169.254 or other internal addresses, enabling exfiltration of cloud provider IAM credentials and internal network reconnaissance. No public exploit identified at time of analysis, though patch commits are publicly available on GitHub and document the exact missing validation check.

SSRF Information Disclosure Newsblur
NVD GitHub
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-6330 MEDIUM PATCH This Month

wolfSSL's ML-KEM ARM64 NEON decapsulation path compares only half of the re-encrypted ciphertext during the Fujisaki-Okamoto implicit rejection step, breaking the IND-CCA2 security proof for post-quantum key exchange on that architecture. This affects any ARM64 deployment of wolfSSL with ML-KEM (FIPS 203) compiled in and in active use. An attacker who can submit adaptively chosen ciphertexts to a decapsulating party - for example via man-in-the-middle position during a post-quantum TLS handshake - may exploit the broken comparison to bypass implicit rejection, potentially enabling shared-secret recovery through repeated adaptive queries. No public exploit has been identified and the vulnerability is not listed in the CISA KEV at time of analysis.

Information Disclosure Wolfssl
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-10098 MEDIUM PATCH This Month

OCSP certificate status lookup in wolfSSL returns the wrong certificate's revocation status when a same-issuer SingleResponse serial number is a byte-prefix of the requested certificate's serial. The `wolfSSL_OCSP_resp_find_status` function in `src/ocsp.c` compared serial bytes via XMEMCMP without first verifying that both serial lengths are equal, allowing a 2-byte serial `01:02` in an OCSP response to satisfy a lookup for a 3-byte certificate serial `01:02:03`. No public exploit has been identified at time of analysis, but the integrity consequence is concrete: a revoked certificate could be incorrectly reported as valid if an attacker can supply a crafted OCSP response.

Information Disclosure Wolfssl
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-10592 MEDIUM PATCH This Month

wolfSSL's certificate chain validation logic incorrectly evaluates wildcard DNS Subject Alternative Names (SANs) against CA-enforced name constraints, allowing certificates that should be rejected under a constrained PKI hierarchy to be silently accepted. Any wolfSSL-powered application that validates certificate chains in a PKI where intermediate or root CAs define permitted or excluded DNS name constraints per RFC 5280 §4.2.1.10 is affected; all versions matching cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:* are listed as affected. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified; an upstream patch is available via PR #10549 but a tagged release version has not been independently confirmed.

Authentication Bypass Wolfssl
NVD GitHub
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-55964 MEDIUM PATCH This Month

Certificate chain validation bypass in wolfSSL's OpenSSL-compatibility layer permits a crafted intermediate CA certificate asserting CA:TRUE but missing the keyCertSign key usage bit to be accepted as a valid signing CA during path building. Affected deployments are those compiled with OPENSSL_EXTRA or OPENSSL_ALL that use the X509_verify_cert/X509_STORE API; native wolfSSL verification is entirely unaffected. No public exploit identified at time of analysis, and no CISA KEV listing exists, but the integrity risk is concrete for any application relying on wolfSSL's OpenSSL-compat path for mutual TLS or client certificate authentication.

OpenSSL Information Disclosure Wolfssl
NVD GitHub
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-48946 MEDIUM This Month

Unrestricted PHP file upload in K2 extension for Joomla (versions 1.0–2.26) enables any authenticated K2 Author to achieve remote code execution by uploading a PHP webshell via the frontend article-attachment upload endpoint and executing it through Apache mod_php. Because the upload handler performs no extension filtering, a `.php` file is written to `/media/k2/attachments/` and served by Apache's standard `\.php$` handler, executing arbitrary code as the web server process user. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the attack path is elementary once Author-level access is obtained.

PHP Apache File Upload K2 Extension For Joomla
NVD
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-55163 MEDIUM PATCH GHSA This Month

Incorrect authorization in Netflix Lemur's role management API allows any authenticated role member to rewrite the membership list and rename their own role via the PUT /api/1/roles/<id> endpoint in versions up to and including 1.9.1. The RoleMemberPermission check uses OR-semantics, meaning membership of a role is sufficient to mutate it - an authorization oversight confirmed by the asymmetry with the DELETE handler on the same resource, which correctly enforces admin-only access. Exploitation enables lateral privilege escalation within a Lemur PKI deployment: a malicious role member can inject colluders into certificate or authority management roles, remove legitimate members, or rename roles. No public exploit identified at time of analysis, though detailed reproduction steps are published in the GitHub security advisory GHSA-x3vf-mgxj-7785.

Authentication Bypass Python
NVD GitHub
CVSS 3.1
6.3
CVE-2026-55162 MEDIUM POC PATCH GHSA This Month

Server-Side Request Forgery in Netflix Lemur's certificate verification pipeline allows an authenticated operator-role user to force the Lemur host to issue outbound HTTP requests to arbitrary internal destinations by uploading a crafted certificate whose CRL Distribution Point or OCSP responder extensions point to RFC1918 addresses, link-local endpoints (169.254.169.254), internal Kubernetes API servers, or loopback interfaces. Both `crl_verify` and `ocsp_verify` in `lemur/certificates/verify.py` pass attacker-controlled URLs directly to network sinks with no destination allow-list, scheme restriction beyond LDAP rejection, or private-address filtering. No public exploit confirmed in CISA KEV, but detailed proof-of-concept reproduction steps are published in the GitHub Security Advisory GHSA-54vg-pfh7-jq95; vendor-released patch v1.9.2 is available.

OpenSSL SSRF Python Kubernetes
NVD GitHub
CVSS 3.1
6.3
CVE-2026-57536 MEDIUM PATCH This Month

Payment status replay in pretix-mollie allows unauthenticated attackers to obtain multiple valid event tickets by reusing a single legitimate Mollie payment confirmation. The plugin fails to bind payment status responses to their originating transaction, so a successful payment callback for order A can be submitted against order B. No active exploitation or public proof-of-concept has been identified at time of analysis; a vendor patch was released on 2026-06-25 in version 2026.5.2.

Information Disclosure Pretix Mollie
NVD
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-13222 MEDIUM PATCH This Month

Payment response replay vulnerability in the pretix-oppwa integration allows a remote attacker to reuse a legitimate Oppwa payment confirmation from one transaction to authorize separate, unpaid orders - effectively obtaining multiple valid event tickets with a single payment. All known versions of the pretix-oppwa plugin (cpe:2.3:a:pretix:pretix-oppwa:*) are affected. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the business logic bypass enables direct financial fraud for event organizers. A vendor patch was released in conjunction with Pretix version 2026-5.2.

Information Disclosure Pretix Oppwa
NVD
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-13223 MEDIUM PATCH This Month

Payment response replay in the pretix-computop integration allows an unauthenticated network attacker to obtain multiple valid event tickets by paying only once. The Pretix Computop plugin fails to bind successful payment status responses to their originating transaction, so a response captured from a completed payment can be submitted against any other pending order. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified, though the vendor disclosed the issue alongside a fix on 2026-06-25.

Information Disclosure Pretix Computop
NVD
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-10712 MEDIUM PATCH This Month

Cross-site scripting in GitLab CE/EE (18.10 through 18.11.5, 19.0 through 19.0.2, and 19.1.0) lets an unauthenticated attacker run arbitrary JavaScript in a victim's authenticated browser session by abusing improper path validation, but only under specific conditions and after a logged-in user interacts with attacker-controlled content. The CVSS 8.0 rating (scope-changed, high confidentiality and integrity impact) reflects that successful exploitation effectively hijacks the victim's GitLab session. No public exploit has been identified at time of analysis and the issue is not in CISA KEV, though a HackerOne report exists and GitLab shipped fixes in 18.11.6, 19.0.3, and 19.1.1.

XSS Gitlab
NVD VulDB
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-48942 MEDIUM This Month

K2 ≤ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping.

XSS K2 Extension For Joomla
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-57451 MEDIUM PATCH This Month

Out-of-bounds read in Vim's text property subsystem allows a crafted undo file to crash the editor and potentially disclose adjacent heap memory. All Vim releases prior to 9.2.0670 are affected; the vulnerability is reachable whenever a user loads a malicious undo file with the persistent-undo feature compiled in and enabled. No public exploit or CISA KEV listing exists at time of analysis, placing real-world risk in the low-to-medium range despite the local crash severity.

Buffer Overflow Information Disclosure Vim Suse
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-11703 MEDIUM PATCH This Month

Session authentication bypass in wolfSSL exposes servers running multiple TLS virtual hosts to cross-vhost peer-authentication spoofing via stateful session-ID resumption. When a client resumes a cached session using a session ID rather than a session ticket, wolfSSL previously skipped the SNI and ALPN binding verification that was already enforced on the ticket-based resumption path - allowing the cached peerAuthGood state and peer-certificate context from one virtual host to be silently carried into a second virtual host with a different client-authentication policy. The upstream fix (PR #10489) extends the binding check to cover stateful resumption, declining mismatched resumptions and falling back to a full handshake. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 6.0 with AC:H and AT:P reflects the non-trivial configuration prerequisites.

Authentication Bypass Wolfssl
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.3%
CVE-2026-6329 MEDIUM PATCH This Month

PKCS#12 MAC verification in wolfSSL accepts truncated or zero-length MACs because the comparison uses an attacker-controlled length field parsed from the input structure rather than the expected digest size, completely defeating HMAC integrity protection on PKCS#12 key stores. Any wolfSSL-based application that parses PKCS#12 files from untrusted sources - including certificate import endpoints, VPN provisioning services, or key management systems - can be tricked into accepting a structurally tampered PKCS#12 bundle as MAC-verified. No public exploit code or CISA KEV listing has been identified; the upstream fix is available as GitHub PR #10192 but a tagged patched release has not been independently confirmed.

Jwt Attack Information Disclosure Wolfssl
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-55962 MEDIUM PATCH This Month

Post-handshake authentication bypass in wolfSSL TLS 1.3 permits a connected client to skip certificate verification during server-initiated post-handshake re-authentication. When a server has issued a post-handshake CertificateRequest via wolfSSL_request_certificate(), a client can send a Finished message without providing a Certificate or CertificateVerify; the server incorrectly applies an initial-handshake exemption and accepts it, treating the client as authenticated. No public exploit is identified and this is not listed in CISA KEV; the vulnerability was self-disclosed by wolfSSL with a patch available in GitHub PR #10702.

Authentication Bypass Wolfssl
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-6291 MEDIUM PATCH This Month

wolfSSL's PKCS#7 EnvelopedData decryption leaks RSA PKCS#1 v1.5 padding validity through distinguishable error codes, enabling a classic Bleichenbacher-style padding oracle attack that allows incremental recovery of the Content Encryption Key (CEK). All wolfSSL versions using PKCS#7 Key Transport Recipient Info (KTRI) with RSA PKCS#1 v1.5 are affected when the decryption interface exposes caller-observable error differentiation. A low-privileged attacker able to submit crafted EnvelopedData messages and observe server error responses can mount an adaptive chosen-ciphertext attack to recover session keys without knowledge of the RSA private key; no public exploit or CISA KEV listing has been identified at time of analysis.

Oracle Information Disclosure Wolfssl
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-6091 MEDIUM PATCH This Month

Certificate chain validation bypass in wolfSSL's OpenSSL compatibility layer allows a network attacker to present a chain terminating at an untrusted intermediate they control, which is accepted as valid when X509_V_FLAG_PARTIAL_CHAIN is enabled. The flaw (CWE-295) resided in wolfSSL_X509_verify_cert, where the partial-chain fallback confirmed only that some intermediate was temporarily loaded into the CertManager during path building - not that the terminal certificate was in the caller's actual trust store. No public exploit code exists and no CISA KEV listing is present, but successful exploitation defeats certificate validation entirely, enabling impersonation or MITM in affected configurations.

OpenSSL Information Disclosure Wolfssl
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-6731 MEDIUM PATCH This Month

X.509 DNS name constraint enforcement in wolfSSL fails to evaluate the Subject Common Name when no Subject Alternative Name extension is present, allowing a certificate whose CN violates an issuing CA's DNS name constraints to be accepted as valid. Affected deployments include any application using wolfSSL's certificate manager for chain verification where name-constrained intermediate or root CAs are in use. An attacker who can obtain or forge a certificate with a non-compliant CN and no SAN can bypass the policy boundary the constraining CA was intended to enforce, enabling impersonation of hosts outside the permitted domain set. No public exploit identified at time of analysis; upstream fix available as a GitHub pull request.

Authentication Bypass Wolfssl
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-7511 MEDIUM PATCH This Month

Signer confusion in wolfSSL's PKCS7_verify implementation allows a crafted PKCS#7 message to report a trusted certificate as the signer even when an attacker-controlled certificate produced the actual signature. Any application using wolfSSL for PKCS#7 signature verification - including JWT workflows flagged in the CVE tags - may incorrectly authorize operations as if from a trusted party. No public exploit has been identified at time of analysis, but the upstream fix is available as GitHub PR #10203 and the vulnerability is straightforwardly reproducible by anyone familiar with PKCS#7 certificate bundle structure.

Jwt Attack Information Disclosure Wolfssl
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.1%
CVE-2026-8720 MEDIUM PATCH This Month

MAC forgery in wolfSSL 5.9.0 and later allows an attacker to authenticate arbitrary tampered messages when HMAC-BLAKE2 is used with keys exceeding the BLAKE2 block size. The wc_Blake2bHmacFinal and wc_Blake2sHmacFinal functions incorrectly reused the running message hash state to process oversized keys, discarding accumulated message data and producing a MAC that depends solely on the key, not the message. No public exploit has been identified at time of analysis, but the integrity failure is straightforward to exploit in any protocol or application that uses wolfSSL HMAC-BLAKE2 with keys longer than 128 bytes (BLAKE2b) or 64 bytes (BLAKE2s).

Information Disclosure Wolfssl
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.1%
CVE-2026-52690 MEDIUM PATCH This Month

DNSSEC validation in PowerDNS Recursor can be silently undermined by network-positioned attackers who spoof DNS replies to trick the Recursor into permanently marking a legitimate authoritative server's IP as EDNS-incapable. Once that state is poisoned, the Recursor is unable to perform proper DNSSEC validation for any zones served by that authoritative server, effectively disabling a critical security layer for downstream clients. No active exploitation has been confirmed by CISA KEV, and no public proof-of-concept has been identified at time of analysis; however, the attack complexity is rated High due to the spoofing prerequisite.

Recursor Authentication Bypass Suse
NVD
CVSS 3.1
5.9
EPSS
0.4%
CVE-2026-42388 MEDIUM PATCH This Month

PowerDNS Recursor crashes when processing a malformed SOA record within a catalog zone, resulting in a denial of service for all DNS resolution handled by the affected instance. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) confirms network-reachable unauthenticated exploitation, but high attack complexity reflects the non-default catalog zone configuration required. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Denial Of Service Recursor Suse
NVD
CVSS 3.1
5.9
EPSS
0.4%
CVE-2026-42387 MEDIUM PATCH This Month

PowerDNS Recursor crashes when a malicious authoritative DNS server serves a crafted zone via the ZoneToCache function, exploiting insufficient input validation to cause a denial of service. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) confirms this is a remotely triggerable availability-only impact, though high attack complexity reflects the prerequisite of controlling or compromising an authoritative name server in the resolution path. No public exploit code has been identified at time of analysis, and no KEV listing exists, but the impact on DNS infrastructure availability makes this a meaningful operational risk for affected deployments.

Denial Of Service Recursor Suse
NVD VulDB
CVSS 3.1
5.9
EPSS
0.4%
CVE-2026-54250 MEDIUM POC PATCH GHSA This Month

Arbitrary filesystem write via zip-slip in K3s etcd snapshot restoration affects all K3s versions prior to 1.35.3+k3s1, 1.34.6+k3s1, and v1.33.10+k3s1. A maliciously crafted zip archive with path-traversal entries in member filenames (e.g., '../../etc/cron.d/evil') can overwrite arbitrary files on the host filesystem when an administrator performs a compressed etcd snapshot restore. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Path Traversal Kubernetes K3S
NVD GitHub
CVSS 3.1
5.8
EPSS
0.1%
CVE-2026-55693 MEDIUM PATCH This Month

Stack out-of-bounds write in Vim's spell suggestion engine allows a crafted `.spl`/`.sug` file pair to corrupt the call stack and crash the editor when spell suggestions are invoked. All Vim releases prior to 9.2.0653 are affected, with the flaw in `tree_count_words()` and `sug_filltree()` inside `src/spellfile.c`, where three fixed-size MAXWLEN-element stack arrays are indexed by an unbounded depth counter. No public exploit identified at time of analysis (CVSS 4.0 E:U), though the upstream fix commit includes a detailed proof-of-concept test case reproducing the out-of-bounds write.

Memory Corruption Buffer Overflow Vim Suse
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.1%
CVE-2026-7532 MEDIUM PATCH This Month

Certificate IP address name constraint enforcement in wolfSSL is silently disabled when the library is compiled without the WOLFSSL_IP_ALT_NAME preprocessor define, allowing a CA operator to issue certificates bearing IP address Subject Alternative Names that the issuing CA's nameConstraints extension was intended to prohibit. Any wolfSSL-based TLS endpoint built in this configuration will accept these constraint-violating certificates as valid, undermining PKI-enforced IP address restrictions. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 5.7 reflects meaningful exploitation constraints including high-privilege CA access and a specific non-default build configuration.

Authentication Bypass Wolfssl
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.1%
CVE-2026-53227 MEDIUM PATCH This Month

Invalid pointer free in the Linux kernel's Open vSwitch (OVS) subsystem allows a local low-privileged user to crash the kernel, resulting in denial of service. The net/openvswitch reply skb cleanup code incorrectly assumes allocation always occurs before mutex acquisition; when allocation fails after locking, an ERR_PTR is passed to kfree_skb(), triggering a kernel panic on any host with OVS active. No public exploit has been identified and EPSS is 0.20% (10th percentile), but the crash is likely deterministic once the code path is reached on a vulnerable kernel.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53252 MEDIUM PATCH This Month

Percpu memory leak in the Linux kernel Bluetooth subsystem allows a local low-privileged user to exhaust kernel memory by repeatedly triggering early failures in Bluetooth HCI UART device initialization. Affected kernels spanning stable branches from 5.10 through 6.16-rc4 fail to invoke cleanup_srcu_struct() when hci_register_dev() never completes, causing the SRCU struct allocated early in hci_alloc_dev() to persist indefinitely. No public exploit code has been identified at time of analysis, and EPSS at 0.19% (9th percentile) reflects negligible exploitation interest; however the availability impact is rated High by NVD given the potential for kernel memory exhaustion.

Linux Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53249 MEDIUM PATCH This Month

Unprivileged local users on Linux systems running unpatched kernels can set IPOPT_SSRR (Strict Source and Record Route) and IPOPT_LSRR (Loose Source and Record Route) IPv4 options without the CAP_NET_RAW capability, enabling them to force outbound packets through attacker-controlled network nodes and leak TCP Initial Sequence Numbers (ISN) along with other protocol metadata. Affected systems span Linux kernel versions from 2.6.12 through multiple stable branches prior to their respective patch releases. No public exploit has been identified at time of analysis, and EPSS remains at 0.18% (8th percentile), indicating low automated exploitation risk.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53245 MEDIUM PATCH This Month

Three distinct logic errors in the Linux kernel's MRP (Multiple Registration Protocol) PDU parser `mrp_pdu_parse_vecattr()` allow an attacker to corrupt kernel MRP applicant state and PDU parsing offsets, resulting in denial of service. Affected systems must have the `mrp` kernel module loaded with an active IEEE 802.1ak bridge interface. No public exploit exists and EPSS is 0.18% (8th percentile), reflecting low active targeting, though patches across multiple stable branches are available and should be applied routinely.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53238 MEDIUM PATCH This Month

Out-of-bounds read in the Linux kernel netlabel subsystem allows a local low-privileged attacker to crash the kernel by submitting a crafted Generic Netlink request with a valid IPv4/IPv6 address attribute paired with a shorter-than-expected mask attribute. The netlbl_unlabel_addrinfo_get() function relied solely on the address attribute length to determine address family, then unconditionally read the mask attribute as a full struct in_addr (4 bytes) or struct in6_addr (16 bytes) without independently validating the mask length. No public exploit or active exploitation has been identified (EPSS 0.18%, 8th percentile); patches are available across all maintained stable branches.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53219 MEDIUM PATCH This Month

Netfilter x_tables in the Linux kernel leaks raw percpu counter pointer addresses to userspace on SMP systems via a crafted fault-window attack against the get-entries path. A local user with netfilter access can engineer a userspace buffer that triggers a page fault after the kernel copies the internal percpu allocation pointer (pcnt) but before the sanitized counter snapshot overwrites it, causing the syscall to return -EFAULT while leaving the raw kernel virtual address exposed in the caller's buffer. No public exploit is identified at time of analysis and EPSS sits at 0.18% (8th percentile), but the leaked percpu address functions as a KASLR bypass primitive chainable with a second vulnerability to achieve privilege escalation.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53218 MEDIUM PATCH This Month

Register tracking corruption in the Linux kernel's netfilter nft_exthdr subsystem allows a local low-privileged attacker with nftables configuration rights to trigger reads of uninitialized stack data from nft_regs, resulting in kernel instability or denial of service. The flaw affects any kernel version since the introduction of commit c078ca3b0c5b through the respective unpatched stable branches. EPSS is 0.18% (8th percentile) and this vulnerability is not listed in CISA KEV, indicating low exploitation activity; however, the ubiquity of Linux deployments means patching across stable LTS branches is warranted.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53181 MEDIUM PATCH This Month

The vsock/VMCI transport in the Linux kernel silently leaks the accept queue counter (sk_ack_backlog) on every failed vsock connection handshake, eventually causing a permanent denial of service on any vsock listener. Repeated handshake failures caused by malformed packets, queue pair allocation failures, or event subscription failures each increment sk_ack_backlog without a corresponding decrement; once the counter reaches sk_max_ack_backlog, the listener rejects all subsequent connections with -ECONNREFUSED until the owning process is restarted. No public exploit identified at time of analysis; EPSS of 0.18% at the 8th percentile reflects low automated exploitation probability, consistent with the VMware-specific exposure requirement.

Linux Denial Of Service
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53150 MEDIUM PATCH This Month

Thunderbolt XDomain property validator in the Linux kernel triggers a heap underflow when processing zero-length TEXT property entries, enabling a local low-privileged attacker to crash the kernel (denial of service). The root cause is in tb_property_entry_valid(), which permits length==0 for TEXT entries that subsequently compute an array index of -1 during null-termination (0 * 4 - 1), writing one byte before the allocated buffer. No public exploit has been identified and EPSS is extremely low at 0.18% (8th percentile), indicating negligible opportunistic exploitation pressure despite the kernel's ubiquitous deployment footprint.

Integer Overflow Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53274 MEDIUM PATCH This Month

Sleep-inside-lock in the Linux kernel's SMC networking subsystem (`__smc_setsockopt()`) allows a local low-privilege user to hold the socket lock indefinitely, exhausting kernel worker threads and triggering the hung task watchdog - producing a local denial of service. Affected systems must have the `net/smc` module loaded and a user-space mechanism (userfaultfd or FUSE) available to stall the in-kernel copy operation. No public exploit has been identified at time of analysis, and EPSS at 0.18% (8th percentile) reflects very low mass-exploitation probability; however, the technique is well-understood in kernel security research.

Linux Denial Of Service
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53236 MEDIUM PATCH This Month

TCP socket side-channel information disclosure in the Linux kernel allows unprivileged local users to attach classic BPF (cBPF) filters via SO_ATTACH_FILTER to TCP sockets and observe TCP sequence and acknowledgment numbers, potentially enabling session inference or TCP injection assistance. The vulnerability exists because no capability check was enforced before this patch, which now restricts SO_ATTACH_FILTER on TCP sockets to processes holding CAP_NET_ADMIN. No public exploit identified at time of analysis; EPSS stands at 0.18% (8th percentile), and patched releases are available across multiple stable kernel branches including 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, and 7.1.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53213 MEDIUM PATCH This Month

Memory leak in the Linux kernel's drm/vc4 (Broadcom VideoCore IV DRM) driver allows a local low-privileged user to gradually exhaust kernel memory under allocation-failure conditions. The flaw arises because the return value of krealloc() is assigned directly back to the original pointer without a NULL check - if krealloc() fails and returns NULL, the reference to the previously allocated buffer is silently overwritten, permanently leaking that memory. No public exploit code is identified at time of analysis, and EPSS probability is extremely low at 0.18% (8th percentile), consistent with the local-only, condition-dependent nature of the bug.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53207 MEDIUM PATCH This Month

Recursive spinlock AA deadlock in the Linux kernel's hugetlb memory-failure subsystem allows a local user to hang or panic the kernel by racing two concurrent madvise(MADV_HWPOISON) calls against a concurrent unmap on the same hugetlb folio. The flaw exists because get_huge_page_for_hwpoison() held hugetlb_lock while calling folio_put(), which - when concurrent unmap had already dropped the page-table reference - triggered free_huge_folio() to re-acquire the non-recursive lock, causing an irrecoverable deadlock. No confirmed active exploitation exists (not in CISA KEV), and EPSS sits at 0.18% (8th percentile), indicating negligible real-world exploitation probability at this time.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53208 MEDIUM PATCH This Month

Bluetooth L2CAP in the Linux kernel fails to enforce the signaling MTU (MTUsig = 48 bytes) in l2cap_sig_channel(), enabling a nearby BR/EDR peer to send a single oversized fixed-channel signaling packet packed with many ECHO_REQ commands before pairing and force a proportional burst of ECHO_RSP frames. In a confirmed test, one 681-byte CID 0x0001 packet containing 168 ECHO_REQ commands caused the target to emit 168 responses over approximately 220 ms - roughly a 250× frame amplification - constituting a traffic-amplification denial-of-service. No active exploitation has been identified at time of analysis; vendor-released patches are available across multiple stable kernel branches.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53168 MEDIUM PATCH This Month

Kernel crash via FUSE pagecache misuse in the Linux kernel allows a local low-privileged user controlling a FUSE daemon to trigger a WARN_ON() assertion in fuse_parse_cache() by sending FUSE_NOTIFY_STORE or FUSE_NOTIFY_RETRIEVE notifications targeting directory inodes instead of regular files, causing a denial-of-service kernel crash. The vulnerability specifically affects FUSE filesystems that have directory caching (FOPEN_CACHE_DIR) enabled, a non-default configuration that exposes kernel-internal pagecache storage to invalid manipulation. No public exploit has been identified, EPSS sits at 0.18% (7th percentile), and patches have been released across all active Linux stable branches.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53135 MEDIUM PATCH This Month

NULL pointer dereference and buffer over-read in the Linux kernel's AMD display driver (drm/amd/display) can be triggered by a local user writing to the sdp_message debugfs node, causing a kernel panic and denial of service. The dp_sdp_message_debugfs_write() function fails to check whether connector->base.state->crtc is NULL - a valid transient state after GPU hotplug before an atomic commit - and unconditionally passes 36 bytes to copy_from_user() regardless of the caller-provided size, enabling a second over-read path. No public exploit or CISA KEV listing exists; EPSS is 0.18% (7th percentile), consistent with a localized, hardware-dependent DoS.

Linux Amd Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53134 MEDIUM PATCH This Month

{4,6}_eval() zeroes only the first of four declared registers, leaving three registers holding uninitialized contents from nft_do_chain()'s struct nft_regs stack frame; a downstream nftables expression reading the full IFNAMSIZ span then exposes that data to userspace. No public exploit code has been identified at time of analysis and EPSS sits at the 7th percentile (0.18%), consistent with a narrow, locally-gated exploitation path.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
Prev Page 7 of 10 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy