Monthly
Kernel object corruption in Zephyr RTOS (v4.1.0 through v4.4.0) lets a deprivileged user thread on CONFIG_USERSPACE builds re-initialize a live k_pipe to which it has been granted access, orphaning threads already blocked on that pipe. Because z_impl_k_pipe_init() unconditionally resets the ring buffer and wait queues without accounting for pended waiters, a subsequent timeout or wake drives sys_dlist_remove() through dangling pointers, producing an attacker-influenced invalid kernel write, list corruption, lost wakeups, and silent data loss. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the fix hardens the k_pipe_init syscall verifier.
Reachable code execution in the Ladybird browser arises from a dangling-reference flaw (CWE-825) in the WebAssembly ESM-integration module loader, where a stack-local Wasm::FunctionType is captured by reference and read after destruction. A malicious web page can chain the resulting stale result-type data into an arbitrary write via the WASM-GC array.set handler and gain code execution in the WebContent process. Reported by VulnCheck with publicly available exploit code exists; it is not listed in CISA KEV, so no confirmed active exploitation, but a working PoC lowers the barrier for weaponization.
Use-after-free in the SSSD PAM responder crashes the authentication daemon when a local attacker manipulates YubiKey or smartcard contents during an authentication attempt on Red Hat Enterprise Linux 6 through 10. The primary realized impact is a denial of service - the PAM responder crash disrupts all authentication - but the underlying memory corruption also presents a difficult-to-exploit privilege escalation path. No public exploit code exists at time of analysis, and the CVSS vector (AV:L/AC:H/PR:H) reflects a tightly constrained local attack requiring high privileges and significant complexity, limiting realistic blast radius to insider-threat and physical-access scenarios.
Local privilege escalation and memory corruption in the Linux kernel BPF subsystem arises from a use-after-free in the open-coded task_vma iterator, which read task->mm locklessly and took mmap_read_trylock() without ever calling mmget(). On kernels where a concurrent task exit frees the mm_struct (not protected by SLAB_TYPESAFE_BY_RCU), a BPF program iterating that task's VMAs can access freed memory, enabling information disclosure or kernel control-flow corruption. The fix has been merged upstream; there is no public exploit identified at time of analysis, EPSS is low (0.16%, 5th percentile), and it is not listed in CISA KEV.
Local privilege escalation via a use-after-free in the Linux kernel's BPF sockmap subsystem (unix_stream_bpf_update_proto) allows a local attacker with BPF/sockmap privileges to corrupt kernel memory by racing a BPF iterator program against an AF_UNIX socket close. The flaw is a race condition where the `peer` pointer becomes stale during a TCP_ESTABLISHED→TCP_CLOSE transition, leading to a sock_hold() on freed memory (confirmed by a KASAN slab-use-after-free report). With a CVSS of 7.8 (local, low complexity, low privileges) it carries high confidentiality, integrity, and availability impact, though EPSS is low (0.19%) and there is no public exploit identified at time of analysis.
Use-after-free in the Linux kernel's IPv6 ICMPv6 receive path (icmpv6_rcv()) allows stale pointers to freed socket buffer memory to be dereferenced after a pskb_pull() call relocates skb->head. The affected code cached the source and destination addresses (saddr/daddr) before the pull, and these stale references were only consumed by net_dbg_ratelimited() in the slow path, limiting practical impact. The flaw is fixed upstream across all maintained stable trees; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile).
Local privilege escalation in the Linux kernel's drm/xe Intel GPU driver arises from two error-handling defects in xe_exec_queue_create_ioctl() that leave a freed exec queue linked into either the VM's preempt-fence compute list or the hardware engine group list, producing a dangling pointer and a use-after-free. A local user with access to the DRM device on systems running the affected Intel Xe driver (introduced around 6.12) can trigger the faulty cleanup paths to corrupt kernel memory, with potential for code execution at kernel privilege. There is no public exploit identified at time of analysis and EPSS is low (0.18%, 7th percentile); the issue is fixed upstream and in stable releases.
Local privilege escalation in the Linux kernel futex subsystem stems from a slab use-after-free in futex_hash_put, triggered when a process shares its mm via CLONE_VM without CLONE_THREAD. The flawed need_futex_hash_allocate_default() check broke the non-concurrency assumption for per-CPU mm->futex_ref allocation, letting a stale +1 bias land on a percpu counter the mm no longer references. Carries CVSS 7.8 (high) with full C/I/A impact; no public exploit identified at time of analysis and EPSS is low (0.17%).
Use-after-free in the Linux kernel's IOMMU subsystem allows a local low-privileged actor with device-management access to corrupt kernel memory by racing a domain re-attach against an in-progress PCI device reset. The flaw lies in __iommu_group_set_domain_internal(), where the group->recovery_cnt fence wrongly rejected mandatory detach/teardown callers (IOMMU_SET_DOMAIN_MUST_SUCCEED), so group->domain could be freed while still referenced, and pci_dev_reset_iommu_done() could then re-attach the dangling pointer. EPSS is low at 0.16% (6th percentile) and there is no public exploit identified at time of analysis, but the high CVSS (8.8) reflects full kernel-memory confidentiality, integrity, and availability impact.
Local privilege escalation and memory corruption in the Linux kernel's Intel Xe DRM graphics driver (drm/xe) arises from a use-after-free in the dma-buf import path, where an error-handling retry loop operates on a buffer object (bo) that has already been freed. Affecting kernel 6.18 series before the 6.18.33 stable fix, a local low-privileged user with access to the Xe DRM device can trigger the freed-object access to corrupt kernel memory or leak data. There is no public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile), consistent with a local-only, driver-specific bug rather than mass-exploited remote flaw.
Kernel object corruption in Zephyr RTOS (v4.1.0 through v4.4.0) lets a deprivileged user thread on CONFIG_USERSPACE builds re-initialize a live k_pipe to which it has been granted access, orphaning threads already blocked on that pipe. Because z_impl_k_pipe_init() unconditionally resets the ring buffer and wait queues without accounting for pended waiters, a subsequent timeout or wake drives sys_dlist_remove() through dangling pointers, producing an attacker-influenced invalid kernel write, list corruption, lost wakeups, and silent data loss. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the fix hardens the k_pipe_init syscall verifier.
Reachable code execution in the Ladybird browser arises from a dangling-reference flaw (CWE-825) in the WebAssembly ESM-integration module loader, where a stack-local Wasm::FunctionType is captured by reference and read after destruction. A malicious web page can chain the resulting stale result-type data into an arbitrary write via the WASM-GC array.set handler and gain code execution in the WebContent process. Reported by VulnCheck with publicly available exploit code exists; it is not listed in CISA KEV, so no confirmed active exploitation, but a working PoC lowers the barrier for weaponization.
Use-after-free in the SSSD PAM responder crashes the authentication daemon when a local attacker manipulates YubiKey or smartcard contents during an authentication attempt on Red Hat Enterprise Linux 6 through 10. The primary realized impact is a denial of service - the PAM responder crash disrupts all authentication - but the underlying memory corruption also presents a difficult-to-exploit privilege escalation path. No public exploit code exists at time of analysis, and the CVSS vector (AV:L/AC:H/PR:H) reflects a tightly constrained local attack requiring high privileges and significant complexity, limiting realistic blast radius to insider-threat and physical-access scenarios.
Local privilege escalation and memory corruption in the Linux kernel BPF subsystem arises from a use-after-free in the open-coded task_vma iterator, which read task->mm locklessly and took mmap_read_trylock() without ever calling mmget(). On kernels where a concurrent task exit frees the mm_struct (not protected by SLAB_TYPESAFE_BY_RCU), a BPF program iterating that task's VMAs can access freed memory, enabling information disclosure or kernel control-flow corruption. The fix has been merged upstream; there is no public exploit identified at time of analysis, EPSS is low (0.16%, 5th percentile), and it is not listed in CISA KEV.
Local privilege escalation via a use-after-free in the Linux kernel's BPF sockmap subsystem (unix_stream_bpf_update_proto) allows a local attacker with BPF/sockmap privileges to corrupt kernel memory by racing a BPF iterator program against an AF_UNIX socket close. The flaw is a race condition where the `peer` pointer becomes stale during a TCP_ESTABLISHED→TCP_CLOSE transition, leading to a sock_hold() on freed memory (confirmed by a KASAN slab-use-after-free report). With a CVSS of 7.8 (local, low complexity, low privileges) it carries high confidentiality, integrity, and availability impact, though EPSS is low (0.19%) and there is no public exploit identified at time of analysis.
Use-after-free in the Linux kernel's IPv6 ICMPv6 receive path (icmpv6_rcv()) allows stale pointers to freed socket buffer memory to be dereferenced after a pskb_pull() call relocates skb->head. The affected code cached the source and destination addresses (saddr/daddr) before the pull, and these stale references were only consumed by net_dbg_ratelimited() in the slow path, limiting practical impact. The flaw is fixed upstream across all maintained stable trees; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile).
Local privilege escalation in the Linux kernel's drm/xe Intel GPU driver arises from two error-handling defects in xe_exec_queue_create_ioctl() that leave a freed exec queue linked into either the VM's preempt-fence compute list or the hardware engine group list, producing a dangling pointer and a use-after-free. A local user with access to the DRM device on systems running the affected Intel Xe driver (introduced around 6.12) can trigger the faulty cleanup paths to corrupt kernel memory, with potential for code execution at kernel privilege. There is no public exploit identified at time of analysis and EPSS is low (0.18%, 7th percentile); the issue is fixed upstream and in stable releases.
Local privilege escalation in the Linux kernel futex subsystem stems from a slab use-after-free in futex_hash_put, triggered when a process shares its mm via CLONE_VM without CLONE_THREAD. The flawed need_futex_hash_allocate_default() check broke the non-concurrency assumption for per-CPU mm->futex_ref allocation, letting a stale +1 bias land on a percpu counter the mm no longer references. Carries CVSS 7.8 (high) with full C/I/A impact; no public exploit identified at time of analysis and EPSS is low (0.17%).
Use-after-free in the Linux kernel's IOMMU subsystem allows a local low-privileged actor with device-management access to corrupt kernel memory by racing a domain re-attach against an in-progress PCI device reset. The flaw lies in __iommu_group_set_domain_internal(), where the group->recovery_cnt fence wrongly rejected mandatory detach/teardown callers (IOMMU_SET_DOMAIN_MUST_SUCCEED), so group->domain could be freed while still referenced, and pci_dev_reset_iommu_done() could then re-attach the dangling pointer. EPSS is low at 0.16% (6th percentile) and there is no public exploit identified at time of analysis, but the high CVSS (8.8) reflects full kernel-memory confidentiality, integrity, and availability impact.
Local privilege escalation and memory corruption in the Linux kernel's Intel Xe DRM graphics driver (drm/xe) arises from a use-after-free in the dma-buf import path, where an error-handling retry loop operates on a buffer object (bo) that has already been freed. Affecting kernel 6.18 series before the 6.18.33 stable fix, a local low-privileged user with access to the Xe DRM device can trigger the freed-object access to corrupt kernel memory or leak data. There is no public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile), consistent with a local-only, driver-specific bug rather than mass-exploited remote flaw.