Broken access control (Insecure Direct Object Reference) in the Paid Member Subscriptions WordPress plugin before 4.16.17 lets any authenticated low-privileged user (Subscriber or above) cancel arbitrary other users' active subscriptions by manipulating the subscription identifier in a subscription-action request. The plugin fails to verify that the requesting account owns the targeted subscription. No public exploit identified at time of analysis, EPSS is low at 0.14% (3rd percentile), and the issue is not in CISA KEV, but the attack is trivial to perform once any account exists on the site.
Local privilege escalation in the FreeBSD kernel sound subsystem lets an unprivileged user map kernel memory outside the audio buffer via an integer-overflow flaw in dsp_mmap_single(). Because /dev/dsp device nodes are world-accessible by default, any local user on a system with an audio device can read and write arbitrary kernel memory, enabling full system compromise or a kernel panic (DoS). No public exploit identified at time of analysis; EPSS is low (0.19%, 9th percentile), and FreeBSD has released errata patches.
Local privilege escalation in the FreeBSD kernel's vt(4) console driver stems from an integer overflow in the CONS_HISTORY ioctl handler, where an unvalidated history-size value undersizes a heap allocation and a subsequent buffer initialization writes past its end. Any unprivileged local user with access to a vt(4) terminal device can corrupt kernel heap memory and potentially escalate to root. Exploitation is local (PR:L) with no public exploit identified at time of analysis and a low EPSS of 0.18% (8th percentile).
Local ASLR bypass in the FreeBSD ELF image activator (kernel) lets an unprivileged user neutralize address-space layout randomization for setuid PIE binaries. By calling procctl(2) to request ASLR disablement before execve(2), the per-process disable flag remains active when the PIE base address is computed, because the activator clears the flag too late. This is a mitigation-weakening flaw that materially eases exploitation of any separate memory-corruption bug in those privileged binaries; there is no public exploit identified at time of analysis and EPSS is low (0.18%, 8th percentile).
Local privilege escalation in the FreeBSD kernel arises from a use-after-free in the IPv6 multicast source-filter handler (IPV6_MSFILTER), affecting FreeBSD 14.3, 14.4, and 15.0 releases before their respective patch levels. An unprivileged local user can win a race against the handler's dropped-then-reacquired serializing lock to free the multicast filter structure out from under the kernel, corrupting memory to gain root-level control. There is no public exploit identified at time of analysis, and EPSS is very low (0.13%), consistent with CISA SSVC marking exploitation as 'none' and not automatable.
Out-of-bounds heap write in the Zephyr RTOS IP socket stack (recvmsg/insert_pktinfo) lets an unprivileged local userspace thread corrupt kernel-heap memory on builds using CONFIG_USERSPACE. Affecting Zephyr v3.6.0 through v4.4.0, the flaw is triggered when an application calls recvmsg() with an undersized ancillary (msg_control) buffer on a UDP/IP socket that has IP_PKTINFO/IPV6_RECVPKTINFO (or hoplimit/timestamping) enabled and a datagram arrives. There is no public exploit identified at time of analysis and EPSS is low (0.12%), but the memory-corruption primitive gives full C/I/A impact locally.
HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.
The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and set-group-ID executables. An unprivileged local user can inject a shared library via LD_PRELOAD into a set-user-ID or set-group-ID Linux binary, gaining the privileges of that binary.
Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible through the stale mapping. The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).