Uninitialized variable use in Ubuntu Linux 6.8's AppArmor AF_INET/AF_INET6 socket mediation code allows an authenticated local user to cause incorrect enforcement of fine-grained network socket access controls. The flaw resides in Ubuntu-specific SAUCE patches layered on top of the mainline Linux 6.8 kernel, meaning it is not present in upstream distributions. No public exploit code or active exploitation has been identified at time of analysis; Canonical has issued a fix via the Ubuntu Noble kernel repository.
Incorrect caching of AppArmor notification responses in Ubuntu Linux kernel versions 6.8, 7.17, and 7.0 stems from an uninitialized variable (CWE-457) in Ubuntu-specific AppArmor SAUCE patch code. An unprivileged local user can trigger this bug to corrupt the AppArmor notification response cache, producing a low-severity integrity impact. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; the CVSS score of 3.3 (Low) reflects its constrained local-only, limited-impact nature.
Uninitialized Use in GPU in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)
Uninitialized Use in WebCodecs in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Uninitialized Use in GPU in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Uninitialized memory use in the GPU component of Google Chrome prior to version 148.0.7778.96 allows remote attackers who have compromised the renderer process to extract potentially sensitive information from process memory through a malicious HTML page. The vulnerability requires renderer process compromise as a precondition and user interaction to trigger; once those conditions are met, it enables a confidentiality breach with no code execution or denial-of-service impact. A vendor-released patch is available in Chrome 148.0.7778.96.
Uninitialized memory use in Dawn (GPU abstraction layer) in Google Chrome prior to version 148.0.7778.96 allows remote attackers to read potentially sensitive information from process memory by opening a crafted HTML page. The vulnerability requires user interaction (clicking/viewing the malicious page) but no authentication, and has a high confidentiality impact. Chromium security team classified this as high severity; no public exploit code or active exploitation has been confirmed at time of analysis.
Uninitialized variable usage in OpenSC's libopensc library enables information disclosure and denial of service when processing specially crafted responses from malicious USB devices or smart cards. Attackers must physically present a crafted USB or smart card device to trigger the vulnerability, which reads uninitialized memory from the stack or heap, potentially exposing sensitive data or causing application crashes. No public exploit code has been identified at time of analysis.
Uninitialized memory access in Firefox's Web Codecs API enables remote attackers to disclose sensitive data, modify limited application state, and potentially trigger denial of service without authentication. The vulnerability affects Firefox versions prior to 150 and Firefox ESR versions prior to 140.10. Mozilla has released patches addressing this memory safety issue. EPSS data is not available, but the SSVC framework indicates non-automated exploitation with partial technical impact. No public exploit has been identified at time of analysis.
Uninitialized memory access in Firefox's Web Codecs API enables remote code execution without authentication. Attackers can exploit this CWE-457 (Use of Uninitialized Variable) flaw through network-accessible vectors with low complexity (AV:N/AC:L/PR:N/UI:N) to achieve complete system compromise including data exfiltration, arbitrary code execution, and denial of service. The CVSS 9.8 severity is supported by the SSVC assessment, which classifies exploitation as automatable with total technical impact. Vendor-released patches are available in Firefox 150 and Firefox ESR 140.10. CISA SSVC reports no active exploitation at time of analysis.