Skip to main content

CWE-826

Premature Release of Resource During Expected Lifetime

6 CVEs Avg CVSS 6.4 MITRE
0
CRITICAL
4
HIGH
0
MEDIUM
2
LOW
0
POC
0
KEV

Monthly

CVE-2026-53322 HIGH PATCH This Week

Resource access-after-free in the Linux kernel's vfio/pci subsystem allows a local user with device access to read or corrupt PCI device resources during a race window on device shutdown, because vfio_pci_core_close_device() disabled the function before tearing down DMABUF exports. During the window the function's Memory Space Enable bit is cleared and its BARs (and their backing resources) are freed and reassignable to another driver, while stale DMABUF mappings still reference them. EPSS is low (0.14%, 4th percentile) and there is no public exploit identified at time of analysis; the upstream fix reorders cleanup to revoke DMABUF access first.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-31663 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: xfrm: hold dev ref until after transport_finish NF_HOOK After async crypto completes, xfrm_input_resume() calls dev_put() immediately on re-entry before the skb reaches transport_finish. The skb->dev pointer is then used inside NF_HOOK and its okfn, which can race with device teardown. Remove the dev_put from the async resumption entry and instead drop the reference after the NF_HOOK call in transport_finish, using a saved device pointer since NF_HOOK may consume the skb. This covers NF_DROP, NF_QUEUE and NF_STOLEN paths that skip the okfn. For non-transport exits (decaps, gro, drop) and secondary async return points, release the reference inline when async is set.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-58249 LOW Monitor

In wxWidgets before 3.2.7, a crash can be triggered in wxWidgets apps when connections are refused in wxWebRequestCURL. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service
NVD GitHub
CVSS 3.1
3.7
EPSS
0.3%
CVE-2025-24912 LOW PATCH Monitor

hostapd fails to process crafted RADIUS packets properly. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

Code Injection Hostapd
NVD
CVSS 3.0
3.7
EPSS
0.2%
CVE-2024-51727 HIGH This Week

Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x contains a feature that could enable attackers to invalidate a legitimate user's session and cause a denial-of-service attack on a. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Reyee Os
NVD
CVSS 4.0
7.1
EPSS
0.5%
CVE-2023-1297 Go HIGH PATCH This Week

Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could corrupt Consul state, resulting in denial. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service HashiCorp Consul
NVD
CVSS 3.1
7.5
EPSS
0.8%
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Resource access-after-free in the Linux kernel's vfio/pci subsystem allows a local user with device access to read or corrupt PCI device resources during a race window on device shutdown, because vfio_pci_core_close_device() disabled the function before tearing down DMABUF exports. During the window the function's Memory Space Enable bit is cleared and its BARs (and their backing resources) are freed and reassignable to another driver, while stale DMABUF mappings still reference them. EPSS is low (0.14%, 4th percentile) and there is no public exploit identified at time of analysis; the upstream fix reorders cleanup to revoke DMABUF access first.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: xfrm: hold dev ref until after transport_finish NF_HOOK After async crypto completes, xfrm_input_resume() calls dev_put() immediately on re-entry before the skb reaches transport_finish. The skb->dev pointer is then used inside NF_HOOK and its okfn, which can race with device teardown. Remove the dev_put from the async resumption entry and instead drop the reference after the NF_HOOK call in transport_finish, using a saved device pointer since NF_HOOK may consume the skb. This covers NF_DROP, NF_QUEUE and NF_STOLEN paths that skip the okfn. For non-transport exits (decaps, gro, drop) and secondary async return points, release the reference inline when async is set.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 3.7
LOW Monitor

In wxWidgets before 3.2.7, a crash can be triggered in wxWidgets apps when connections are refused in wxWebRequestCURL. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service
NVD GitHub
EPSS 0% CVSS 3.7
LOW PATCH Monitor

hostapd fails to process crafted RADIUS packets properly. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

Code Injection Hostapd
NVD
EPSS 1% CVSS 7.1
HIGH This Week

Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x contains a feature that could enable attackers to invalidate a legitimate user's session and cause a denial-of-service attack on a. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Reyee Os
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could corrupt Consul state, resulting in denial. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service HashiCorp Consul
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy