Monthly
Local privilege-impacting memory corruption in the Linux kernel's Intel ice network driver allows a double-free of a transmit buffer's skb when the TX offload paths fail. When ice_tso() or ice_tx_csum() return an error, ice_xmit_frame_ring() frees the skb but leaves the 'first' tx_buf still marked ICE_TX_BUF_SKB, so a later ice_clean_tx_ring() during interface teardown frees the same skb a second time. Carries a CVSS 3.1 base of 7.8 (AV:L/PR:L), but with a low EPSS of 0.15% (5th percentile), no KEV listing, and no public exploit identified at time of analysis.
Local privilege escalation and kernel memory corruption is possible in the Linux kernel's AMD GPU driver (amdgpu) via a double drm_exec_fini() in the user-queue validation path. When amdgpu_userq_vm_validate() runs with new_addition set, a failure in amdgpu_ttm_tt_get_user_pages() routes execution to a cleanup label that finalizes the already-freed drm_exec object a second time, corrupting kernel state. No public exploit identified at time of analysis, and EPSS rates exploitation probability at only 0.16% (6th percentile), consistent with a hard-to-trigger local bug rather than a mass-exploited flaw.
Kernel memory corruption in the Linux iWARP Connection Manager (RDMA/iwcm) subsystem can crash systems running RDMA workloads on iWARP-capable hardware such as Intel E830 adapters. The bug, introduced by commit e1168f0 ('RDMA/iwcm: Simplify cm_event_handler()'), causes workqueue list corruption when iwcm_work items from a free list are reused while still queued, triggering a kernel BUG and panic. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 5th percentile), despite a CVSS base score of 9.8.
Local privilege escalation potential in the Linux kernel's RDS (Reliable Datagram Sockets) subsystem stems from a double-free condition triggered when zerocopy page pinning fails during sendmsg() operations. The flaw, introduced in Linux 4.17, allows local authenticated users to corrupt kernel memory by exploiting an error path in rds_message_zcopy_from_user() that fails to reset op_nents, causing rds_message_purge() to free pages that were already released. Publicly available exploit code exists, though EPSS scoring is very low (0.02%) and the issue is not listed in CISA KEV.
Local privilege-impacting memory corruption in the Linux kernel's Intel ice network driver allows a double-free of a transmit buffer's skb when the TX offload paths fail. When ice_tso() or ice_tx_csum() return an error, ice_xmit_frame_ring() frees the skb but leaves the 'first' tx_buf still marked ICE_TX_BUF_SKB, so a later ice_clean_tx_ring() during interface teardown frees the same skb a second time. Carries a CVSS 3.1 base of 7.8 (AV:L/PR:L), but with a low EPSS of 0.15% (5th percentile), no KEV listing, and no public exploit identified at time of analysis.
Local privilege escalation and kernel memory corruption is possible in the Linux kernel's AMD GPU driver (amdgpu) via a double drm_exec_fini() in the user-queue validation path. When amdgpu_userq_vm_validate() runs with new_addition set, a failure in amdgpu_ttm_tt_get_user_pages() routes execution to a cleanup label that finalizes the already-freed drm_exec object a second time, corrupting kernel state. No public exploit identified at time of analysis, and EPSS rates exploitation probability at only 0.16% (6th percentile), consistent with a hard-to-trigger local bug rather than a mass-exploited flaw.
Kernel memory corruption in the Linux iWARP Connection Manager (RDMA/iwcm) subsystem can crash systems running RDMA workloads on iWARP-capable hardware such as Intel E830 adapters. The bug, introduced by commit e1168f0 ('RDMA/iwcm: Simplify cm_event_handler()'), causes workqueue list corruption when iwcm_work items from a free list are reused while still queued, triggering a kernel BUG and panic. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 5th percentile), despite a CVSS base score of 9.8.
Local privilege escalation potential in the Linux kernel's RDS (Reliable Datagram Sockets) subsystem stems from a double-free condition triggered when zerocopy page pinning fails during sendmsg() operations. The flaw, introduced in Linux 4.17, allows local authenticated users to corrupt kernel memory by exploiting an error path in rds_message_zcopy_from_user() that fails to reset op_nents, causing rds_message_purge() to free pages that were already released. Publicly available exploit code exists, though EPSS scoring is very low (0.02%) and the issue is not listed in CISA KEV.