Monthly
A vulnerability was found in libsoup's HTTP/2 protocol implementation. The library fails to correctly release memory context blocks under specific stream termination conditions, such as when an HTTP/2 connection encounters window exhaustion or explicit stream resets. A remote, unauthenticated attacker acting as a malicious network peer can trick the connection engine into allocating stream states that are subsequently leaked during cleanup. Over a sustained period, this flaw allows the remote attacker to consume the system's heap allocations incrementally, triggering a denial of service (DoS) through an ultimate Out-of-Memory (OOM) application crash.
Memory leak regression in Wasmtime 37.0.0 and 37.0.1 causes permanent host-process memory exhaustion when C/C++ embeddings use `externref` or `anyref` WebAssembly reference types. The refactoring from `ManuallyRooted<T>` to `OwnedRooted<T>` introduced three distinct defects - a no-op typo in `wasmtime_val_unroot`, unreleased return values from host-defined callbacks, and missing C++ destructors - that collectively prevent GC roots from ever being freed, even after the WebAssembly store is destroyed. No public exploit confirmed in CISA KEV; a proof-of-concept is publicly available, but EPSS at 0.18% (7th percentile) and SSVC exploitation status of none indicate minimal active threat.
Resource exhaustion in Wasmtime's native WASIp1 implementation allows low-privileged WebAssembly guests to exhaust host-level file descriptors and OS resources by repeatedly invoking fd_renumber in a loop. The affected versions span four distinct release branches - all pre-24.0.10, 25.x-35.x, 37.x-44.x, and 45.0.0-45.0.1 - but only runtimes that both expose fd_renumber and grant guests the ability to open files are vulnerable. No public exploit code exists and the issue is not listed in CISA KEV; however, the attack is mechanically straightforward once the conditions are met, making patching the primary defense.
Remote denial of service in the Zephyr RTOS IPv6 network stack lets unauthenticated attackers permanently halt packet reception by sending a small number of crafted fragmented IPv6 packets. Each malicious fragment leaks its RX network buffer (CWE-772) instead of returning it to the memory slab, so a handful of packets exhausts the fixed RX buffer pool and the device stops receiving all traffic until reboot. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; the CVSS 7.5 (A:H only) reflects high availability impact with no confidentiality or integrity exposure.
TCP connection resource leak in PowerDNS dnsdist allows remote unauthenticated attackers to exhaust backend TCP connection capacity by sending IXFR (Incremental Zone Transfer) queries. Affected dnsdist instances fail to promptly release outgoing TCP connections to backends after IXFR processing, leaving them open until OS-level timeout; under sustained query volume this can exhaust the backend's concurrent connection limit or the dnsdist process's file descriptor table. No public exploit has been identified at time of analysis, and no CISA KEV listing exists, but the AV:N/AC:L/PR:N attack surface makes the trigger trivially automatable from the internet.
Reference leak in the Linux kernel Bluetooth ISO subsystem allows a local low-privileged user to exhaust kernel resources and cause a denial of service. The `iso_conn_big_sync` function acquires an `hci_dev` reference via `hci_dev_hold()` through `hci_get_route()` but never releases it, violating the borrow contract. No active exploitation has been confirmed and EPSS is very low at 0.18% (7th percentile), but the affected surface - the BLE Audio Broadcast Isochronous Group (BIG) synchronization path - is present on any Linux system with a Bluetooth controller.
Hugetlb VMA reservation leak in the Linux kernel mm/hugetlb subsystem allows a local authenticated user to trigger SIGBUS on a process at a previously reserved huge-page address. Two code paths - the UFFDIO_COPY resubmission path and the fork-time copy-on-write path - fail to call restore_reserve_on_error() after copy_user_large_folio() returns an error, leaving the per-VMA reservation map entry marked consumed. No public exploit exists and EPSS is 0.17% (6th percentile), but patches are available in multiple stable branches.
Missing resource cleanup in the Linux kernel's generic power domain (genpd) subsystem causes runtime PM to remain enabled for virtual devices after detach, leading to a NULL pointer dereference in genpd_runtime_suspend() and local denial of service. The flaw affects systems where drivers use genpd_dev_pm_attach_by_id() - predominantly ARM and SoC-based platforms - since the balancing pm_runtime_disable() call is absent from genpd_dev_pm_detach(). No public exploit exists and EPSS at 0.02% (5th percentile) confirms negligible exploitation probability; this is not listed in CISA KEV.
File descriptor exhaustion in go.opentelemetry.io/otel/schema v1.0 and v1.1 enables denial of service against long-running Go processes. The ParseFile function in schema/v1.0/parser.go opens schema files via os.Open but never closes them - neither via defer nor by transferring ownership to the downstream Parse(io.Reader) call - leaving descriptors open until the Go garbage collector finalizes the file object. Publicly available exploit code exists demonstrating that repeated ParseFile calls accumulate leaked descriptors until the process receives EMFILE ('too many open files'), disrupting all subsequent file, socket, and descriptor operations. Exploitation is contingent on an application exposing ParseFile invocation to attacker-controlled or attacker-triggered paths.
Authenticated network-accessible denial of service in Tanium Server affects three active release branches, patched in versions 7.6.4.2190, 7.7.3.8274, and 7.8.2.1176. The vulnerability stems from a CWE-772 resource leak - allocated resources are not released after their effective lifetime, enabling a low-privileged authenticated attacker to exhaust server resources. A notable conflict exists in the available data: the CVSS vector reports C:H/I:N/A:N (high confidentiality impact, no availability impact) while the CVE description, ENISA EUVD tags, and vendor advisory title all characterize this as a denial of service; defenders should treat both confidentiality and availability as potentially affected until Tanium clarifies. No public exploit is identified and EPSS is low at 0.03%.
A vulnerability was found in libsoup's HTTP/2 protocol implementation. The library fails to correctly release memory context blocks under specific stream termination conditions, such as when an HTTP/2 connection encounters window exhaustion or explicit stream resets. A remote, unauthenticated attacker acting as a malicious network peer can trick the connection engine into allocating stream states that are subsequently leaked during cleanup. Over a sustained period, this flaw allows the remote attacker to consume the system's heap allocations incrementally, triggering a denial of service (DoS) through an ultimate Out-of-Memory (OOM) application crash.
Memory leak regression in Wasmtime 37.0.0 and 37.0.1 causes permanent host-process memory exhaustion when C/C++ embeddings use `externref` or `anyref` WebAssembly reference types. The refactoring from `ManuallyRooted<T>` to `OwnedRooted<T>` introduced three distinct defects - a no-op typo in `wasmtime_val_unroot`, unreleased return values from host-defined callbacks, and missing C++ destructors - that collectively prevent GC roots from ever being freed, even after the WebAssembly store is destroyed. No public exploit confirmed in CISA KEV; a proof-of-concept is publicly available, but EPSS at 0.18% (7th percentile) and SSVC exploitation status of none indicate minimal active threat.
Resource exhaustion in Wasmtime's native WASIp1 implementation allows low-privileged WebAssembly guests to exhaust host-level file descriptors and OS resources by repeatedly invoking fd_renumber in a loop. The affected versions span four distinct release branches - all pre-24.0.10, 25.x-35.x, 37.x-44.x, and 45.0.0-45.0.1 - but only runtimes that both expose fd_renumber and grant guests the ability to open files are vulnerable. No public exploit code exists and the issue is not listed in CISA KEV; however, the attack is mechanically straightforward once the conditions are met, making patching the primary defense.
Remote denial of service in the Zephyr RTOS IPv6 network stack lets unauthenticated attackers permanently halt packet reception by sending a small number of crafted fragmented IPv6 packets. Each malicious fragment leaks its RX network buffer (CWE-772) instead of returning it to the memory slab, so a handful of packets exhausts the fixed RX buffer pool and the device stops receiving all traffic until reboot. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; the CVSS 7.5 (A:H only) reflects high availability impact with no confidentiality or integrity exposure.
TCP connection resource leak in PowerDNS dnsdist allows remote unauthenticated attackers to exhaust backend TCP connection capacity by sending IXFR (Incremental Zone Transfer) queries. Affected dnsdist instances fail to promptly release outgoing TCP connections to backends after IXFR processing, leaving them open until OS-level timeout; under sustained query volume this can exhaust the backend's concurrent connection limit or the dnsdist process's file descriptor table. No public exploit has been identified at time of analysis, and no CISA KEV listing exists, but the AV:N/AC:L/PR:N attack surface makes the trigger trivially automatable from the internet.
Reference leak in the Linux kernel Bluetooth ISO subsystem allows a local low-privileged user to exhaust kernel resources and cause a denial of service. The `iso_conn_big_sync` function acquires an `hci_dev` reference via `hci_dev_hold()` through `hci_get_route()` but never releases it, violating the borrow contract. No active exploitation has been confirmed and EPSS is very low at 0.18% (7th percentile), but the affected surface - the BLE Audio Broadcast Isochronous Group (BIG) synchronization path - is present on any Linux system with a Bluetooth controller.
Hugetlb VMA reservation leak in the Linux kernel mm/hugetlb subsystem allows a local authenticated user to trigger SIGBUS on a process at a previously reserved huge-page address. Two code paths - the UFFDIO_COPY resubmission path and the fork-time copy-on-write path - fail to call restore_reserve_on_error() after copy_user_large_folio() returns an error, leaving the per-VMA reservation map entry marked consumed. No public exploit exists and EPSS is 0.17% (6th percentile), but patches are available in multiple stable branches.
Missing resource cleanup in the Linux kernel's generic power domain (genpd) subsystem causes runtime PM to remain enabled for virtual devices after detach, leading to a NULL pointer dereference in genpd_runtime_suspend() and local denial of service. The flaw affects systems where drivers use genpd_dev_pm_attach_by_id() - predominantly ARM and SoC-based platforms - since the balancing pm_runtime_disable() call is absent from genpd_dev_pm_detach(). No public exploit exists and EPSS at 0.02% (5th percentile) confirms negligible exploitation probability; this is not listed in CISA KEV.
File descriptor exhaustion in go.opentelemetry.io/otel/schema v1.0 and v1.1 enables denial of service against long-running Go processes. The ParseFile function in schema/v1.0/parser.go opens schema files via os.Open but never closes them - neither via defer nor by transferring ownership to the downstream Parse(io.Reader) call - leaving descriptors open until the Go garbage collector finalizes the file object. Publicly available exploit code exists demonstrating that repeated ParseFile calls accumulate leaked descriptors until the process receives EMFILE ('too many open files'), disrupting all subsequent file, socket, and descriptor operations. Exploitation is contingent on an application exposing ParseFile invocation to attacker-controlled or attacker-triggered paths.
Authenticated network-accessible denial of service in Tanium Server affects three active release branches, patched in versions 7.6.4.2190, 7.7.3.8274, and 7.8.2.1176. The vulnerability stems from a CWE-772 resource leak - allocated resources are not released after their effective lifetime, enabling a low-privileged authenticated attacker to exhaust server resources. A notable conflict exists in the available data: the CVSS vector reports C:H/I:N/A:N (high confidentiality impact, no availability impact) while the CVE description, ENISA EUVD tags, and vendor advisory title all characterize this as a denial of service; defenders should treat both confidentiality and availability as potentially affected until Tanium clarifies. No public exploit is identified and EPSS is low at 0.03%.