Monthly
Security policy bypass in Palo Alto Networks PAN-OS exposes protected services behind the firewall to traffic that should be blocked, exploitable by unauthenticated remote attackers via crafted IPv6 packets targeting the dataplane. The CVSS 4.0 score of 1.7 reflects that direct impact on the firewall itself is nil (VC:N/VI:N/VA:N), with only low-severity downstream effect on subsequent systems (SC:L/SI:L), and specific attack conditions must be present (AT:P). No public exploit code exists and no active exploitation has been reported (E:U), though the automatable flag (AU:Y) indicates the attack could in principle be scripted once conditions are met.
Local information disclosure and memory corruption in the Linux kernel's AMD KFD (amdkfd) driver affects GFX11/Navi3x GPUs, where the v11 MQD manager wrongly used CP-compute checkpoint/restore handlers for SDMA queues. During a CRIU checkpoint or restore of an SDMA queue, the driver treats a 512-byte v11_sdma_mqd buffer as a 2048-byte v11_compute_mqd, so it either leaks 1536 bytes of adjacent GTT memory to userspace or overwrites 1536 bytes of neighboring GTT memory (ring buffers or adjacent MQDs). Exploitation requires local access with the ability to drive CRIU checkpoint/restore of a GPU compute process; there is no public exploit identified at time of analysis and EPSS is low (0.18%).
Out-of-bounds memory access in the Linux kernel networking stack (net/core qdisc segmentation path) lets a local user feed malformed GSO (Generic Segmentation Offload) packets whose headers are not present in skb->head, causing drivers and net/core/tso.c (tso_build_hdr) to memcpy beyond valid bounds. The flaw can leak adjacent kernel memory and/or crash the system; it is not in CISA KEV and no public exploit has been identified, with a low EPSS of 0.15% (5th percentile) indicating low near-term exploitation likelihood. The upstream fix adds proper header pulling via pskb_may_pull() and a new SKB_DROP_REASON_SKB_BAD_GSO drop reason so malicious packets are dropped early.
Out-of-bounds memory access in the Linux kernel's libceph CRUSH map decoder (crush_decode()) lets a malicious or compromised Ceph cluster corrupt kernel memory on a connecting client. A crafted CEPH_MSG_OSD_MAP message whose bucket carries mismatched algorithm fields (alg vs b->alg) causes memory to be allocated for one bucket type but processed and later freed as another, leading to OOB access during decode and again during crush map destruction. Despite a 9.8 CVSS, there is no public exploit identified at time of analysis and EPSS is low (0.18%, 8th percentile); the realistic attack surface is limited to hosts mounting/connecting to attacker-controlled Ceph (RBD/CephFS) infrastructure.
Heap-based buffer overflow in OpenVPN's ovpn-dco-win Windows kernel driver (versions 2.0.0-2.8.3) allows a remote authenticated VPN peer to crash the host system by sending a crafted data packet that exploits an incorrect buffer size calculation in the epoch key generator. Because the vulnerable code executes in kernel mode, the resulting memory corruption causes a full system crash (BSOD), not a user-space fault. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis, though the kernel-level availability impact is severe when conditions are met.
Denial-of-service in the Windows TCP/IP stack allows an authenticated attacker on an adjacent network to crash the networking subsystem of affected Windows hosts via an incorrect buffer size calculation. Affected systems span Windows 10 (21H2, 22H2), Windows 11 (23H2 through 26H1), Windows Server 2022, and Windows Server 2025 - all unpatched builds within Microsoft-documented version ranges. No public exploit identified at time of analysis, though Microsoft has released fixes addressable via Windows Update; the vulnerability is not listed in the CISA KEV catalog.
Heap corruption in rust-openssl versions 0.10.50 through 0.10.79 allows attacker-controllable out-of-bounds writes of up to 7 bytes via the `CipherCtxRef::cipher_update_inplace` method when used with AES key-wrap-with-padding ciphers (EVP_aes_128_wrap_pad, EVP_aes_192_wrap_pad, EVP_aes_256_wrap_pad). The buffer sizing logic fails to account for AES-KWP's padding expansion when input length is not a multiple of 8, and because this occurs through FFI into native OpenSSL, Rust's memory safety guarantees do not prevent the corruption. This is a missed case from a prior fix for GHSA-xv59-967r-8726 in the same method; no public exploit has been identified at time of analysis.
Heap buffer over-write in Magick.NET's MIFF encoder triggers an out-of-bounds write when LZMA compression is active, due to a missing buffer size check (CWE-131). All Magick.NET NuGet package variants prior to version 14.13.1 are affected across multiple architectures (AnyCPU, x64, x86, arm64) and depth configurations (Q16, Q16-HDRI, OpenMP). An attacker who can deliver a crafted MIFF file for local processing can crash the consuming application, resulting in a complete availability impact. No public exploit code or CISA KEV listing exists at time of analysis, limiting real-world severity despite the heap write primitive.
Traffic Management Microkernel (TMM) crashes in F5 BIG-IP Virtual Edition and hardware platforms when SSL profiles are configured without hardware crypto acceleration, allowing remote unauthenticated attackers to cause denial of service via undisclosed traffic patterns. CVSS 7.5 (High) with network attack vector and no prerequisites. EPSS data not provided, no CISA KEV listing identified, indicating theoretical rather than observed exploitation. Vendor patch available per F5 advisory K000158082.
Linux kernel DMA API debug warnings in V3D rendering driver cause denial of service when CONFIG_DMA_API_DEBUG is enabled and V3D segment sizes exceed the default 64K maximum. The vulnerability affects systems using V3D graphics rendering (particularly Raspberry Pi 5) with debug DMA API enabled, allowing local authenticated users to trigger kernel warnings and potential system instability by creating V3D buffer objects larger than the device's claimed DMA segment size limit.
Security policy bypass in Palo Alto Networks PAN-OS exposes protected services behind the firewall to traffic that should be blocked, exploitable by unauthenticated remote attackers via crafted IPv6 packets targeting the dataplane. The CVSS 4.0 score of 1.7 reflects that direct impact on the firewall itself is nil (VC:N/VI:N/VA:N), with only low-severity downstream effect on subsequent systems (SC:L/SI:L), and specific attack conditions must be present (AT:P). No public exploit code exists and no active exploitation has been reported (E:U), though the automatable flag (AU:Y) indicates the attack could in principle be scripted once conditions are met.
Local information disclosure and memory corruption in the Linux kernel's AMD KFD (amdkfd) driver affects GFX11/Navi3x GPUs, where the v11 MQD manager wrongly used CP-compute checkpoint/restore handlers for SDMA queues. During a CRIU checkpoint or restore of an SDMA queue, the driver treats a 512-byte v11_sdma_mqd buffer as a 2048-byte v11_compute_mqd, so it either leaks 1536 bytes of adjacent GTT memory to userspace or overwrites 1536 bytes of neighboring GTT memory (ring buffers or adjacent MQDs). Exploitation requires local access with the ability to drive CRIU checkpoint/restore of a GPU compute process; there is no public exploit identified at time of analysis and EPSS is low (0.18%).
Out-of-bounds memory access in the Linux kernel networking stack (net/core qdisc segmentation path) lets a local user feed malformed GSO (Generic Segmentation Offload) packets whose headers are not present in skb->head, causing drivers and net/core/tso.c (tso_build_hdr) to memcpy beyond valid bounds. The flaw can leak adjacent kernel memory and/or crash the system; it is not in CISA KEV and no public exploit has been identified, with a low EPSS of 0.15% (5th percentile) indicating low near-term exploitation likelihood. The upstream fix adds proper header pulling via pskb_may_pull() and a new SKB_DROP_REASON_SKB_BAD_GSO drop reason so malicious packets are dropped early.
Out-of-bounds memory access in the Linux kernel's libceph CRUSH map decoder (crush_decode()) lets a malicious or compromised Ceph cluster corrupt kernel memory on a connecting client. A crafted CEPH_MSG_OSD_MAP message whose bucket carries mismatched algorithm fields (alg vs b->alg) causes memory to be allocated for one bucket type but processed and later freed as another, leading to OOB access during decode and again during crush map destruction. Despite a 9.8 CVSS, there is no public exploit identified at time of analysis and EPSS is low (0.18%, 8th percentile); the realistic attack surface is limited to hosts mounting/connecting to attacker-controlled Ceph (RBD/CephFS) infrastructure.
Heap-based buffer overflow in OpenVPN's ovpn-dco-win Windows kernel driver (versions 2.0.0-2.8.3) allows a remote authenticated VPN peer to crash the host system by sending a crafted data packet that exploits an incorrect buffer size calculation in the epoch key generator. Because the vulnerable code executes in kernel mode, the resulting memory corruption causes a full system crash (BSOD), not a user-space fault. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis, though the kernel-level availability impact is severe when conditions are met.
Denial-of-service in the Windows TCP/IP stack allows an authenticated attacker on an adjacent network to crash the networking subsystem of affected Windows hosts via an incorrect buffer size calculation. Affected systems span Windows 10 (21H2, 22H2), Windows 11 (23H2 through 26H1), Windows Server 2022, and Windows Server 2025 - all unpatched builds within Microsoft-documented version ranges. No public exploit identified at time of analysis, though Microsoft has released fixes addressable via Windows Update; the vulnerability is not listed in the CISA KEV catalog.
Heap corruption in rust-openssl versions 0.10.50 through 0.10.79 allows attacker-controllable out-of-bounds writes of up to 7 bytes via the `CipherCtxRef::cipher_update_inplace` method when used with AES key-wrap-with-padding ciphers (EVP_aes_128_wrap_pad, EVP_aes_192_wrap_pad, EVP_aes_256_wrap_pad). The buffer sizing logic fails to account for AES-KWP's padding expansion when input length is not a multiple of 8, and because this occurs through FFI into native OpenSSL, Rust's memory safety guarantees do not prevent the corruption. This is a missed case from a prior fix for GHSA-xv59-967r-8726 in the same method; no public exploit has been identified at time of analysis.
Heap buffer over-write in Magick.NET's MIFF encoder triggers an out-of-bounds write when LZMA compression is active, due to a missing buffer size check (CWE-131). All Magick.NET NuGet package variants prior to version 14.13.1 are affected across multiple architectures (AnyCPU, x64, x86, arm64) and depth configurations (Q16, Q16-HDRI, OpenMP). An attacker who can deliver a crafted MIFF file for local processing can crash the consuming application, resulting in a complete availability impact. No public exploit code or CISA KEV listing exists at time of analysis, limiting real-world severity despite the heap write primitive.
Traffic Management Microkernel (TMM) crashes in F5 BIG-IP Virtual Edition and hardware platforms when SSL profiles are configured without hardware crypto acceleration, allowing remote unauthenticated attackers to cause denial of service via undisclosed traffic patterns. CVSS 7.5 (High) with network attack vector and no prerequisites. EPSS data not provided, no CISA KEV listing identified, indicating theoretical rather than observed exploitation. Vendor patch available per F5 advisory K000158082.
Linux kernel DMA API debug warnings in V3D rendering driver cause denial of service when CONFIG_DMA_API_DEBUG is enabled and V3D segment sizes exceed the default 64K maximum. The vulnerability affects systems using V3D graphics rendering (particularly Raspberry Pi 5) with debug DMA API enabled, allowing local authenticated users to trigger kernel warnings and potential system instability by creating V3D buffer objects larger than the device's claimed DMA segment size limit.