Double-free vulnerability in PoDoFo 1.0.0 through 1.0.3 allows local attackers with user interaction to trigger heap corruption via failed digest operations in PDF signing routines, potentially causing denial of service. The vulnerability exists in compute_hash_to_sign(), where an EVP_DigestFinal failure causes buf to be freed twice, corrupting heap metadata. The CVSS score is 2.5 (low severity), and exploitation requires local access and user interaction. Patched in version 1.0.4.
Double free in Windows Link-Layer Discovery Protocol (LLDP) allows an authorized attacker to elevate privileges locally.
Double free in Windows Message Queuing allows an authorized attacker to elevate privileges locally.
Double free in Windows Rich Text Edit Control allows an authorized attacker to elevate privileges locally.
Double free vulnerability in Windows Rich Text Edit component allows local authenticated attackers to escalate privileges on Windows 10 and Windows 11 systems through a specially crafted interaction. The flaw requires local access with standard user privileges and user interaction, but enables full system compromise including code execution and privilege elevation. Microsoft has released a vendor patch to address this issue.
Local privilege escalation potential in the Linux kernel's Rockchip Serial Flash Controller (SFC) SPI driver arises from a double-free in the remove() callback path, where the driver calls spi_unregister_controller() manually despite already using the devm-managed registration helper. The flaw affects systems using the rockchip-sfc driver and is not currently in CISA KEV, with no public exploit identified at time of analysis and a very low EPSS score (0.02%, 4th percentile), but CVSS 7.8 reflects high local impact if triggered.
Double-free condition in the Linux kernel's cpufreq governor subsystem affects multiple stable branches and can lead to memory corruption when an error path in cpufreq_dbs_governor_init() is triggered. The flaw stems from redundant cleanup logic that calls gov->exit() and kfree(dbs_data) twice after a kobject_init_and_add() failure. No public exploit identified at time of analysis. EPSS exploitation probability is very low (0.02%, 7th percentile), consistent with a local memory-safety bug requiring privileged access rather than a remote attack surface.
Memory corruption in Go's net library (versions <1.25.10 and 1.26.0-1.26.2) leads to application crash when parsing maliciously crafted CNAME DNS responses. Remote attackers can trigger double-free of C memory in the cgo DNS resolver's LookupCNAME function by sending excessively long CNAME records, causing immediate denial of service. EPSS score of 0.01% (1st percentile) indicates minimal observed exploitation activity despite network-accessible attack vector and no authentication requirement. Vendor patch available via Go 1.25.10 and 1.26.3.
Double-free memory corruption in Linux kernel device-mapper subsystem allows local authenticated users to trigger use-after-free conditions, potentially leading to privilege escalation or denial of service. The vulnerability manifests when using request-based DM targets (e.g., dm-multipath) over NVMe devices, where cloned request bios are freed twice due to stale bio pointers in clone requests. Vendor patches available across multiple stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% indicates low predicted exploitation probability; no active exploitation confirmed at time of analysis.
In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix double destroy_workqueue on service rescan PCI path
While testing corner cases in the driver, a use-after-free crash was found on the service rescan PCI path. When mana_serv_reset() calls mana_gd_suspend(), mana_gd_cleanup() destroys gc->service_wq. If the subsequent mana_gd_resume() fails with -ETIMEDOUT or -EPROTO, the code falls through to mana_serv_rescan() which triggers pci_stop_and_remove_bus_device(). This invokes the PCI .remove callback (mana_gd_remove), which calls mana_gd_cleanup() a second time, attempting to destroy the already-freed workqueue.
Fix this by NULL-checking gc->service_wq in mana_gd_cleanup() and setting it to NULL after destruction.
Call stack of issue for reference:
    [Sat Feb 21 18:53:48 2026] Call Trace:
    [Sat Feb 21 18:53:48 2026] <TASK>
    [Sat Feb 21 18:53:48 2026] mana_gd_cleanup+0x33/0x70 [mana]
    [Sat Feb 21 18:53:48 2026] mana_gd_remove+0x3a/0xc0 [mana]
    [Sat Feb 21 18:53:48 2026] pci_device_remove+0x41/0xb0
    [Sat Feb 21 18:53:48 2026] device_remove+0x46/0x70
    [Sat Feb 21 18:53:48 2026] device_release_driver_internal+0x1e3/0x250
    [Sat Feb 21 18:53:48 2026] device_release_driver+0x12/0x20
    [Sat Feb 21 18:53:48 2026] pci_stop_bus_device+0x6a/0x90
    [Sat Feb 21 18:53:48 2026] pci_stop_and_remove_bus_device+0x13/0x30
    [Sat Feb 21 18:53:48 2026] mana_do_service+0x180/0x290 [mana]
    [Sat Feb 21 18:53:48 2026] mana_serv_func+0x24/0x50 [mana]
    [Sat Feb 21 18:53:48 2026] process_one_work+0x190/0x3d0
    [Sat Feb 21 18:53:48 2026] worker_thread+0x16e/0x2e0
    [Sat Feb 21 18:53:48 2026] kthread+0xf7/0x130
    [Sat Feb 21 18:53:48 2026] ? __pfx_worker_thread+0x10/0x10
    [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10
    [Sat Feb 21 18:53:48 2026] ret_from_fork+0x269/0x350
    [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10
    [Sat Feb 21 18:53:48 2026] ret_from_fork_asm+0x1a/0x30
    [Sat Feb 21 18:53:48 2026] </TASK>