Skip to main content

Buffer Overflow

36135 CVEs technique

Monthly

CVE-2026-9900 HIGH PATCH This Week

Sandbox escape in Google Chrome's ANGLE graphics layer prior to version 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of Chrome's sandbox via a crafted HTML page. Rated High severity by Chromium with a CVSS of 8.3, the issue is patched but no public exploit has been identified at time of analysis, and EPSS exploitation probability is low (0.03%, 11th percentile).

Google Memory Corruption Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-9896 HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine prior to version 148.0.7778.216 allows remote attackers to execute arbitrary code inside the renderer sandbox by luring a user to a crafted HTML page. The flaw is a CWE-787 out-of-bounds write in V8 carrying a CVSS 8.8 (High) with Chromium severity rated High; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Google Memory Corruption RCE Buffer Overflow Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9895 HIGH PATCH This Week

Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via an out-of-bounds read in the GPU process triggered by a crafted HTML page. Google rates the underlying issue as High severity, and while a vendor patch is shipped, EPSS shows only 0.03% (11th percentile) exploitation probability and no public exploit code or active exploitation has been identified at the time of analysis.

Google Information Disclosure Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-9889 HIGH PATCH This Week

Sandbox escape in Google Chrome on Android prior to 148.0.7778.216 allows a remote attacker to break out of the renderer sandbox by serving a crafted HTML page that triggers an out-of-bounds read and write in the Dawn WebGPU implementation. Chromium rates the underlying issue as Critical severity, and CVSS 8.3 with scope change reflects the cross-boundary impact, though EPSS is low at 0.03% and no public exploit has been identified at time of analysis.

Google Information Disclosure Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-9879 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from an out-of-bounds write in the ANGLE graphics translation layer, allowing a remote attacker to execute arbitrary code in the browser's renderer context after a victim visits a crafted HTML page. Chromium rates this severity Critical and CVSS scores it 8.8, with vendor patches released via the Stable channel update; no public exploit identified at time of analysis.

Google Memory Corruption RCE Buffer Overflow Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9875 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on Android prior to 148.0.7778.216 allows remote attackers to potentially break out of the renderer sandbox via an out-of-bounds read in the WebGL component when a victim visits a crafted HTML page. Chromium rates the underlying issue as Critical severity, and while no public exploit is identified at time of analysis (EPSS 0.03%), the combination of scope-change (S:C) and full CIA impact makes this a high-priority browser patch for Android fleets.

Google Information Disclosure Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-9872 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on Android prior to 148.0.7778.216 allows remote attackers to corrupt GPU process memory via a crafted HTML page, breaking out of the renderer sandbox boundary. Chromium rates this Critical severity with a CVSS of 9.6 due to scope change, though EPSS remains low at 0.03% and no public exploit identified at time of analysis.

Google Memory Corruption Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-39929 HIGH PATCH This Week

Remote denial of service in Lakeside SysTrack Agent (lsiagent.exe) allows unauthenticated network attackers to crash the endpoint monitoring agent by sending a single malformed UDP packet to the Command ID 30 handler. The flaw was reported by VulnCheck and carries a CVSS 4.0 score of 8.7 reflecting high availability impact with no privileges or user interaction required; no public exploit identified at time of analysis, though VulnCheck has published an advisory describing the trigger.

Information Disclosure Denial Of Service Buffer Overflow Systrack Agent
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-9038 HIGH CISA Act Now

Stack-based buffer overflow in the XCharge C6 charging controller's signal-processing logic enables an attacker with physical access to the charging interface to corrupt memory by sending oversized message fields, potentially gaining code execution with elevated privileges. Reported through CISA's ICS-CERT under advisory ICSA-26-148-08, the flaw carries a CVSS 4.0 score of 8.6 driven by high impact to confidentiality, integrity, and availability of both the vulnerable component and adjacent subsystems. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Buffer Overflow Stack Overflow C6
NVD
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-49127 HIGH PATCH This Week

Stack buffer overflow in Music Player Daemon (MPD) versions prior to 0.24.11 allows remote unauthenticated attackers to crash the daemon or potentially execute code by serving a malicious HTTP audio stream processed by the PCM decoder plugin. The flaw stems from an off-by-one miscalculation in pcm_unpack_24be (src/pcm/Pack.cxx) that writes four bytes (three attacker-controlled) past a 1365-entry int32_t stack array. No public exploit identified at time of analysis, but the upstream fix is confirmed via commit 5991102 and release 0.24.11.

RCE Buffer Overflow Mpd
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-47333 HIGH PATCH This Week

Out-of-bounds heap read in Ubuntu Linux kernels 6.8, 6.17, and 7.0 stems from AppArmor SAUCE patches miscomputing an internal buffer size during notification handling, allowing an unprivileged local user to feed invalid data into the AppArmor DFA policy engine. The flaw carries a CVSS 7.8 (high) and currently has no public exploit identified at time of analysis, though Canonical has shipped an upstream kernel fix. Impact is limited to local attackers but high-severity given full CIA impact in the CVSS vector.

Ubuntu Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-47332 MEDIUM PATCH This Month

Out-of-bounds read in Ubuntu Linux kernels 6.8, 6.17, and 7.0 exposes adjacent slab allocator memory to any local low-privileged user. The flaw originates in Canonical's Ubuntu-specific AppArmor SAUCE patches, which incorrectly validate the size of an internal structure during notification handling, enabling controlled reads past the intended memory boundary. No public exploit identified at time of analysis, and exploitation is strictly local; however, C:H in the CVSS vector confirms that successful exploitation can yield high-sensitivity kernel or cross-process data from slab neighbors.

Ubuntu Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-42250 MEDIUM PATCH This Month

Out-of-bounds write in bzip2's bzip2recover utility allows a local attacker to supply a specially crafted file that triggers an off-by-one error, corrupting a global buffer and crashing the process. Per the CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:N), the attack requires no privileges and no user interaction beyond the utility being invoked against a malicious file. Impact is strictly denial of service against the bzip2recover process - no confidentiality or integrity exposure - and the CVSS 4.0 score of 5.1 (Medium) reflects this constrained scope. No public exploit or active exploitation has been identified at time of analysis.

Memory Corruption Denial Of Service Buffer Overflow Red Hat
NVD VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-41565 HIGH PATCH This Week

Denial-of-service via stack buffer overflow in CryptX (Perl cryptography module) versions before 0.088_001 affects four AEAD decryption helpers that copy attacker-controlled authentication tags into a fixed 144-byte stack buffer without bounds checking. Remote attackers can crash any Perl application that passes untrusted tags to gcm_decrypt_verify, ccm_decrypt_verify, chacha20poly1305_decrypt_verify, or eax_decrypt_verify, resulting in process termination. No public exploit identified at time of analysis, and EPSS scoring (0.04%, 13th percentile) reflects low expected exploitation activity despite the network attack vector.

Buffer Overflow Stack Overflow Cryptx Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-46237 HIGH PATCH This Week

Local privilege-escalation-adjacent denial of service and potential memory corruption in the Linux kernel's AMD GPU VCN3 (Video Core Next 3) driver allows a local low-privileged user with GPU access to trigger an integer overflow in the message bound check of the drm/amdgpu/vcn3 subsystem. The flaw was identified by AMD's SDL review and patched upstream, and per CVSS it yields high confidentiality and availability impact without integrity impact. Exploitation status: no public exploit identified at time of analysis, and EPSS is very low at 0.02%.

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46234 HIGH PATCH This Week

Local privilege escalation in the Linux kernel's vsock (virtio sockets) subsystem stems from inverted buffer-size clamping logic in vsock_update_buffer_size(), allowing a local user to grow vsk->buffer_size beyond the configured vsk->buffer_max_size and violate intended socket memory boundaries. Affected branches include stable trees prior to 6.6.140, 6.12.90, 6.18.32, 7.0.9, and 7.1-rc1; no public exploit identified at time of analysis and EPSS is 0.02% (5th percentile).

Linux Memory Corruption Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46230 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's AMD GPU VCN3 (Video Core Next, generation 3) decoder message parser allows a local low-privileged user to read kernel memory beyond the buffer object boundary and potentially trigger denial of service. The flaw was resolved by adding bounds checks against the end of the buffer object whenever the dec msg is accessed. EPSS is very low (0.02%, 6th percentile) and no public exploit has been identified at time of analysis.

Linux Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46217 MEDIUM PATCH This Month

Integer overflow in the AMDGPU VCN4 (Video Core Next 4) multimedia driver within the Linux kernel allows a local low-privileged user to cause a kernel denial of service. The bounds check on incoming messages to the VCN4 encoder/decoder engine contains an overflow-vulnerable condition, meaning a crafted message can bypass intended size validation. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at the 5th percentile, indicating very low real-world exploitation likelihood currently.

Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46209 HIGH PATCH This Week

Local privilege escalation potential exists in the Linux kernel's DRM/GEM framebuffer subsystem (drm_gem_fb_init_with_funcs) where inconsistent plane dimension calculations between integer division and DIV_ROUND_UP cause a size-check bypass. A local low-privileged user able to invoke the framebuffer ioctl with specific pixel formats (e.g., NV12) and crafted dimensions can trigger an out-of-bounds GPU memory access on the chroma plane, leading to memory corruption with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS is very low (0.02%), suggesting limited near-term exploitation risk despite the 7.8 CVSS.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46204 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's AMD GPU VCN4 (Video Core Next) driver allows a local user with GPU access to trigger memory disclosure or denial of service by submitting a crafted indirect buffer (IB) to the amdgpu DRM subsystem. The flaw stems from missing bounds checks while parsing IBs in the drm/amdgpu/vcn4 code path, and no public exploit identified at time of analysis. EPSS exploitation probability is very low (0.02%) and the issue is not listed in CISA KEV.

Linux Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46203 HIGH PATCH This Week

Unclocked register access in the Linux kernel's Cadence Quadspi SPI controller driver (spi-cadence-quadspi) occurs during driver unbind, affecting kernel versions through 7.0.x and 7.1-rc1. A local low-privileged user able to trigger driver unbind can cause high-impact confidentiality loss and denial of service on systems using affected SPI hardware. There is no public exploit identified at time of analysis and EPSS rates exploitation probability at just 0.02%.

Information Disclosure Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46199 HIGH PATCH This Week

Out-of-bounds read in the AMD GPU VCN4 (Video Core Next, 4th generation) decoder message parser of the Linux kernel allows a local low-privileged user to read kernel memory beyond the decoder message buffer object, potentially leading to information disclosure and denial of service. The flaw exists in the drm/amdgpu/vcn4 driver where bounds against the end of the buffer object (BO) were not validated when parsing decoder messages. No public exploit identified at time of analysis and EPSS scores the exploitation probability at just 0.02% (6th percentile), but a vendor patch is available across multiple stable branches.

Linux Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46198 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's batman-adv (B.A.T.M.A.N. advanced) mesh networking module stems from an integer overflow on the s16 buff_pos variable in batadv_iv_ogm_send_to_if, where the size check is performed using int while the position counter uses s16. Adjacent-network attackers on a batman-adv mesh can trigger the overflow by sending crafted OGM (Originator Message) aggregation packets, potentially leaking kernel memory or causing denial of service. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, but the issue carries a CVSS of 8.8 due to high impact on confidentiality, integrity, and availability across adjacent networks.

Linux Buffer Overflow Integer Overflow
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-46197 HIGH PATCH This Week

Local privilege escalation via out-of-bounds buffer access in the Linux kernel's AMD KFD (Kernel Fusion Driver) SVM ioctl interface allows authenticated local users to corrupt kernel memory by supplying an attacker-controlled nattr attribute count that exceeds the buffer size. The flaw affects systems running AMD GPUs with the amdkfd driver and has been resolved upstream across multiple stable branches. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, but the high CIA impact warrants prompt patching on AMD GPU compute workstations and HPC nodes.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46191 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's framebuffer console (fbcon) subsystem allows a local low-privileged attacker to access kernel memory beyond the font buffer when console rotation is enabled and font reallocation fails. The flaw resides in fbcon_rotate_font() which retains the undersized old buffer after a failed reallocation, so printing characters with high-enough codes overflows the font buffer during putcs operations. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%), but the issue is patched across multiple stable kernel branches.

Linux Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46190 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's SPI-NOR flash debugfs interface (spi_nor_params_show) allows local authenticated users with debugfs access to trigger memory disclosure or denial of service on 64-bit systems. The flaw stems from sizeof() being used on a pointer array instead of ARRAY_SIZE(), inflating the bounds-check length by 8x. No public exploit identified at time of analysis and EPSS rates exploitation likelihood at 0.02%.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46185 CRITICAL PATCH Act Now

Out-of-bounds read in the Linux kernel's SMB client (smb/client) symlink handling allows a malicious or compromised SMB server to trigger memory disclosure or denial-of-service against Linux clients that mount SMB shares. The flaw resides in symlink_data() where smb2_check_message() does not validate response length before fields beyond the 64-byte SMB2 header are accessed. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, though upstream kernel fixes have already been merged across multiple stable branches.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-46173 HIGH PATCH This Week

Memory corruption in the Linux kernel scheduler exit path allows local low-privileged users to trigger use-after-free or double-free of task stacks when an exiting task oopses, per CVE-2026-46173. The flaw stems from make_task_dead() invoking do_task_dead() with preemption enabled, violating the scheduler's requirement that __schedule() run with preemption disabled, which can leave two tasks running on the same stack. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46163 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's b43legacy wireless driver allows a local attacker with low privileges to read beyond the dev->key[] array when firmware reports a key index exceeding dev->max_nr_keys. The existing B43legacy_WARN_ON check was non-enforcing in production builds, permitting memory disclosure during RX packet handling on systems with vulnerable Broadcom legacy WiFi chipsets. No public exploit identified at time of analysis, and EPSS is very low (0.02%), suggesting limited near-term mass exploitation despite a high CVSS of 7.8.

Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46155 CRITICAL PATCH Act Now

Out-of-bounds heap read in the Linux kernel's SMB client (smb/client) allows a malicious or compromised SMB server to leak adjacent kernel heap memory to a connected Linux client. The flaw lives in smb2_compound_op() where check_wsl_eas() fails to validate that OutputBufferLength fits within iov_len before a memcpy, so a truncated response with an oversized OutputBufferLength and an early-terminated EA list triggers the read past the rsp_iov allocation. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but upstream patches have been merged across multiple stable branches.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-46149 HIGH PATCH This Week

Out-of-bounds stack read in the Linux kernel SCSI target subsystem's configfs interface allows a local privileged user to trigger a kernel panic or leak adjacent stack memory by reading the tg_pt_gp members sysfs attribute when a long iSCSI IQN fabric WWN (up to 223 bytes) is configured. The flaw stems from misusing the snprintf() return value (which reports intended length, not bytes written) as a memcpy() source length. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 5th percentile).

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46145 HIGH PATCH This Week

Local privilege escalation in the Linux kernel's RDMA/mana driver allows an authenticated low-privileged user to corrupt kernel memory by supplying an oversized rx_hash_key_len via the uAPI structure, which is passed unchecked to memcpy. The flaw affects kernels using the Microsoft Azure Network Adapter (MANA) RDMA driver and can lead to heap/stack overflow within kernel space, enabling potential code execution or system compromise. No public exploit identified at time of analysis, and EPSS is very low at 0.02% (5th percentile), indicating limited exploitation interest so far.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46140 HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel's MediaTek Bluetooth driver (btmtk) lets a short or malformed WMT firmware event response trigger reads past the SKB tailroom in btmtk_usb_hci_wmt_sync(), potentially leaking adjacent kernel memory or crashing the host. The flaw affects systems using MediaTek USB Bluetooth controllers (MT76xx family) on kernels around 6.11 through release candidates of 7.1, scoring CVSS 7.1 with high confidentiality and availability impact. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%), but a vendor fix is available across multiple stable branches.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46138 HIGH PATCH This Week

Out-of-bounds heap read and infinite loop in the Linux kernel Bluetooth HCI event handler (hci_le_create_big_complete_evt) allows an adjacent attacker to trigger denial of service on systems with Bluetooth LE Isochronous (BIG) connections. The flaw arises when a malicious or malformed controller returns an LE_Create_BIG_Complete event with fewer bis_handle entries than expected, causing the kernel to read past the flex array and spin indefinitely while holding hci_dev_lock. No public exploit identified at time of analysis, and EPSS probability is very low (0.02%), but the issue is patched across multiple stable trees.

Linux Denial Of Service Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-46136 HIGH PATCH This Week

Denial-of-service in the Linux kernel mt76/mt7921 MediaTek Wi-Fi driver lets a buffer-length (buf_len) underflow occur while iterating the CLC (country location configuration) power table, producing a near-infinite loop or an invalid power setting that crashes driver initialization. Systems running affected kernels with MediaTek MT7921 Wi-Fi hardware are impacted; classified CWE-787 (out-of-bounds write) with a vendor-assigned CVSS of 7.8 (local, AV:L). No public exploit identified at time of analysis and EPSS is very low (0.02%), consistent with a reliability/DoS defect rather than a readily weaponizable memory-corruption primitive.

Memory Corruption Linux Denial Of Service Buffer Overflow Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46133 HIGH PATCH This Week

Remote denial-of-service in the Linux kernel's Soft RoCE (RDMA/rxe) driver allows unauthenticated attackers to crash the kernel by sending a single crafted 48-byte UDP packet to port 4791 with an undefined BTH opcode. The flaw triggers an out-of-bounds read in rxe_icrc_hdr() via crc32_le() due to zero-initialized rxe_opcode[] entries causing arithmetic underflow, panicking the host with no public exploit identified at time of analysis though EPSS is very low at 0.03%.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-46130 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's dm-verity-fec (forward error correction) subsystem allows kernel memory disclosure or a crash when decoding Reed-Solomon parity data. The flaw affects the device-mapper verity FEC code where fec_decode_bufs() wrongly assumes parity bytes of the first RS codeword never span a parity-block boundary; with certain non-default fec_roots values combined with low-memory buffer-allocation failures, the decoder reads past the end of the parity block buffer. Tracked as CWE-125, it carries a 7.1 CVSS (local, low complexity per NVD) but a negligible EPSS of 0.02%, and there is no public exploit identified at time of analysis.

Linux Buffer Overflow Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46123 HIGH PATCH This Week

Out-of-bounds read and information disclosure in the Linux kernel's virtio_bt (virtio Bluetooth) driver allows a malicious or buggy virtio backend to leak uninitialized kernel heap memory into received Bluetooth skbs. The virtbt_rx_work() function trusted the device-reported length from virtqueue_get_buf() without clamping it to the 1000-byte buffer actually exposed via sg_init_one(), so a hostile backend can report lengths between 1001 and skb_tailroom() - or 0 - causing skb_put() to expose untouched heap bytes or virtbt_rx_handle() to read an uninitialized pkt_type. No public exploit identified at time of analysis and EPSS is 0.02% (5th percentile), but a vendor patch is available.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-46122 HIGH PATCH This Week

Out-of-bounds memory read in the Linux kernel's b43 Broadcom wireless driver allows leakage of adjacent kernel memory when the device firmware supplies a key index that exceeds the 58-entry dev->key[] array in b43_rx(). The pre-patch guard (B43_WARN_ON) is a no-op in production kernels, so the invalid index was used to index the array unchecked. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%); the fix enforces the bounds check and drops the offending frame.

Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46119 CRITICAL PATCH Act Now

Information disclosure and denial of service in the Linux kernel's libceph subsystem allows remote Ceph servers (or attackers able to spoof/MITM unauthenticated Ceph traffic) to trigger a slab-out-of-bounds read by sending a crafted CEPH_MSG_AUTH_REPLY message with a positive result value. The flaw causes the kernel client to send memory contents past the allocated front-segment buffer back over the wire, potentially leaking adjacent kernel heap data and destabilizing the host. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the CVSS of 9.1 reflects the network-reachable, no-privileges-required nature of the bug in affected Ceph client deployments.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-9803 Maven MEDIUM PATCH This Month

Keycloak's ClientRegistrationAuth component can be crashed by a remote unauthenticated attacker through a specially crafted POST request bearing a malformed 'Authorization: Bearer' header, triggering an unhandled ArrayIndexOutOfBoundsException and returning HTTP 500 to all subsequent callers of the affected endpoint. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero prerequisites for exploitation beyond network reachability, making any publicly exposed Keycloak client registration endpoint a viable target. No public exploit has been identified at time of analysis and no EPSS data was supplied, but the trivial attack mechanics mean no specialized tooling is required to reproduce the denial of service.

Information Disclosure Denial Of Service Buffer Overflow Build Of Keycloak
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-8915 HIGH This Week

Out-of-bounds write in Samsung's Escargot JavaScript engine allows attacker-supplied scripts to corrupt memory through the ArrayBuffer.prototype.transfer() built-in, with high confidentiality, integrity, and availability impact (CVSS 8.8). The flaw stems from a missing length-bounds check when transferring an ArrayBuffer to a new byte length, enabling writes past the allocated buffer that can lead to remote code execution if a victim runs the malicious script. No public exploit has been identified at time of analysis, and no EPSS or CISA KEV data was provided.

Memory Corruption Samsung Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-48065 MEDIUM PATCH This Month

Heap buffer overflow in pam_usb prior to 0.9.1 allows a local attacker with high privileges to corrupt heap memory on 32-bit Linux platforms (armv7l, i686) by supplying a crafted configuration file with an excessive device count. The root cause is an unchecked integer multiplication in src/conf.c where n_devices * sizeof(t_pusb_device) wraps around size_t on 32-bit targets, causing xmalloc() to receive a drastically undersized allocation that is silently accepted, enabling out-of-bounds writes into heap memory. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, successful exploitation yields full confidentiality, integrity, and availability impact on the affected host.

Heap Overflow Buffer Overflow Pam Usb
NVD GitHub
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-8362 CRITICAL PATCH Act Now

Remote code execution in Gladinet Triofox is possible through a stack-based buffer overflow in WOSDefaultHttpModule.dll, which fails to bounds-check overly long URL paths beginning with /woshome. Because the flaw is reachable over the network with no authentication and no user interaction (CVSS 9.8), an attacker who can reach the Triofox web service can corrupt the stack and potentially execute arbitrary code in the context of the web module. No public exploit has been identified at the time of analysis, and the issue was reported by Tenable (TRA-2026-45).

Stack Overflow Buffer Overflow Triofox
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-8363 CRITICAL PATCH Act Now

Remote code execution in Gladinet Triofox is possible through a stack-based buffer overflow in the WOSDeviceDropFolder.dll component, which mishandles overly long URL paths that begin with /resources. The CVSS 9.8 vector indicates an unauthenticated, network-reachable flaw requiring no user interaction, meaning any attacker who can reach the Triofox web service can corrupt the stack and potentially execute arbitrary code. The issue was reported by Tenable (TRA-2026-45); no public exploit identified at time of analysis and no EPSS score was provided in the source data.

Stack Overflow Buffer Overflow Triofox
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4391 MEDIUM This Month

Heap-based buffer overflow in TeamSpeak 3 Server's ECC Key Parser allows remote unauthenticated attackers to crash the server, causing a denial of service against all versions up to and including 3.13.7. The vulnerability was discovered and disclosed by modzero security research (advisory mz-26-01-teamspeak) with a coordinated vendor response resulting in TeamSpeak security advisory TS-SA-2026-001. A proof-of-concept exploit exists per SSVC data, and the attack is automatable, meaning exploitation can be scripted at scale against exposed TeamSpeak server instances. No public exploit identified as confirmed actively exploited in the wild (not listed in CISA KEV at time of analysis).

Buffer Overflow
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-4390 MEDIUM This Month

Use-after-free in TeamSpeak 3 Server versions 3.13.0 through 3.13.7 allows a low-privileged remote attacker to corrupt server memory via the process_resend_queue function within Connection State Management, resulting in limited integrity and availability impact. Discovered and disclosed by modzero.com (advisory MZ-26-01) and acknowledged by TeamSpeak via official security advisory TS-SA-2026-001, the vendor has released version 3.13.8 as the fix. No public exploit code exists and no active exploitation has been identified at time of analysis.

Denial Of Service Buffer Overflow
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-44988 HIGH PATCH This Week

Out-of-bounds write in LibVNCClient (shipped in the LibVNCServer project, versions 0.9.15 and earlier) lets a malicious or compromised VNC server corrupt memory in any client that connects to it. The Tight encoding decoder's Gradient filter uses fixed 2048-pixel scratch buffers but never validates the server-supplied rectangle width, so a crafted FramebufferUpdate with a width above 2048 overruns those buffers, threatening confidentiality, integrity, and availability (CVSS 8.8). There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue is fixed by upstream commit 5b270544.

Memory Corruption Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-70103 HIGH POC PATCH This Week

Heap buffer overflow in libjxl 0.12.0 lets remote attackers corrupt heap memory by feeding a crafted PBM/PNM image to the jxl::extras::DecodeImagePNM routine, which writes decoded rows into an output buffer without first checking that the buffer is large enough for the header-declared dimensions. The CVSS vector (AV:N/AC:L/PR:N/UI:N) describes unauthenticated, low-complexity exploitation with no user interaction, and CISA's SSVC framework rates it automatable with partial technical impact. Publicly available exploit code exists, though it is not listed in CISA KEV and no public exploit has been tied to active exploitation.

Heap Overflow Buffer Overflow Red Hat
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-8179 HIGH This Week

Arbitrary code execution in IBM Aspera High-Speed Transfer Server and Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1) arises from a stack-based buffer overflow in the asperahttpd component. An authenticated user with network access can corrupt memory in this HTTP handling component to run code in the context of the service, fully compromising confidentiality, integrity, and availability (CVSS 8.8). No public exploit has been identified at time of analysis, and the CVE is not listed in CISA KEV; EPSS data was not provided.

RCE Stack Overflow IBM Buffer Overflow
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-8175 CRITICAL Act Now

Remote code execution and authentication bypass are possible in IBM Aspera High-Speed Transfer Server and High-Speed Transfer Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1) through a heap-based buffer overflow in the asperahttpd component. An unauthenticated network attacker can corrupt memory to crash the service (denial of service) and, in the worst case, hijack execution flow to run arbitrary code or bypass authentication. There is no public exploit identified at time of analysis and SSVC lists exploitation as none, but the CVSS 9.8 rating and 'Automatable: yes' assessment mark this as a high-priority patching target.

RCE Denial Of Service Buffer Overflow Heap Overflow Authentication Bypass +1
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-47104 MEDIUM PATCH This Month

Out-of-bounds read in libusb's parse_iad_array() function (descriptor.c) affects all releases before 1.0.30, enabling local attackers in virtualized environments with USB passthrough to crash libusb-dependent processes via a crafted USB descriptor. The off-by-one error causes the bounds check to evaluate against the original total buffer size rather than the remaining unparsed size, allowing a one-byte read past the end of the malloc allocation when a descriptor's bLength is set to exactly (total_size - 1). No public exploit code exists and the vulnerability is absent from CISA KEV; a vendor-released patch is confirmed in v1.0.30.

Denial Of Service Buffer Overflow Information Disclosure Libusb
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-46094 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's ext4 filesystem driver allows a local attacker to read up to 3 bytes beyond a valid extended-attribute (xattr) region, potentially leaking adjacent kernel memory or crashing the system. The flaw lives in check_xattrs(), where a loose bounds check on the next xattr entry lets IS_LAST_ENTRY() perform a 4-byte read that overruns the buffer when parsing a crafted or corrupted ext4 xattr block. It is not in CISA KEV and no public exploit identified at time of analysis; EPSS is negligible at 0.02% (5th percentile), consistent with a low-impact local memory-safety bug that has already been patched upstream.

Linux Buffer Overflow Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46081 HIGH PATCH This Week

Local privilege escalation via memory corruption in Linux Kernel crypto subsystem (acomp) affects systems using asynchronous hardware compression accelerators such as Intel QAT. The flaw stems from acomp_save_req() storing the wrong pointer (&req->chain instead of req itself) in req->base.data, causing the completion callback acomp_reqchain_done() to dereference fields at incorrect offsets. No public exploit identified at time of analysis, and EPSS is very low at 0.02%, but the high CVSS (7.8) reflects potential for memory corruption with high confidentiality, integrity, and availability impact.

Linux Canonical Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46078 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's EROFS filesystem driver allows a local attacker to crash the system or potentially leak kernel memory by mounting a crafted EROFS image. The flaw stems from missing validation of the trailing dirent nameoff field, which can underflow during strnlen() and cause reads beyond the directory block. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a vendor patch is available across multiple stable kernel branches.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46070 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel md/raid5 journal recovery path allows a local privileged user supplying a corrupted MD RAID5 journal device to trigger memory disclosure or kernel crashes during journal replay. The flaw exists in r5c_recovery_analyze_meta_block() and r5l_recovery_verify_data_checksum_for_mb(), which trusted on-disk payload size fields without validating them against the metadata block's remaining space. No public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.02% (5th percentile).

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46068 HIGH PATCH This Week

Improper memory deallocation in the Linux kernel's NX-842 hardware compression crypto driver (nx842_crypto_alloc_ctx/free_ctx) causes bounce buffers allocated as order-2 (4 pages) to be released with single-page free_page() calls, leaking three of every four pages. The flaw is local-only with no public exploit identified at time of analysis, and EPSS (0.02%, 5th percentile) reflects negligible mass-exploitation interest. Note that the NVD CVSS (7.8, C:H/I:H/A:H) appears overstated for what the upstream commit explicitly describes as a memory leak rather than corruption.

Memory Corruption Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46067 HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's DAMON (Data Access MONitor) subsystem allows a local user with access to the DAMON sysfs interface to read out-of-bounds kernel memory or crash the system. The flaw exists because mm/damon/core failed to validate the user-supplied node ID (damos_quota_goal->nid) before using it in NODE_DATA() for the node_memcg_used_bp and node_memcg_free_bp quota goal metrics. The kernel description includes a working reproduction using the user-space 'damo' tool, but no public weaponized exploit and no active exploitation (CISA KEV) have been reported; EPSS is negligible at 0.02%.

Linux Buffer Overflow Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46064 HIGH PATCH This Week

Out-of-bounds heap read in the Linux kernel's ibmasm driver (the IBM Advanced System Management service-processor interface) lets a local privileged user leak adjacent kernel heap memory. The ibmasm_send_i2o_message() function trusts user-controlled command_size and data_size header fields to size a memcpy_toio() without validating them against the real allocation, so a small buffer with inflated header values forces a read of up to ~65 KB past the allocation, which is then forwarded to the service processor over MMIO. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis.

Linux Buffer Overflow Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46062 HIGH PATCH This Week

Integer overflow in the Linux kernel's ntfs3 filesystem driver allows local attackers to bypass volume boundary validation when mounting or accessing a crafted NTFS volume, leading to memory corruption with high confidentiality, integrity, and availability impact. The flaw resides in run_unpack() where the check `lcn + len > sbi->used.bitmap.nbits` performs raw addition that wraps for large values, sidestepping the bounds check. No public exploit identified at time of analysis and EPSS is very low (0.02%), but CVSS 7.8 with required user interaction reflects realistic local privilege-escalation potential when untrusted NTFS media is processed.

Linux Buffer Overflow Integer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46055 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's AppArmor LSM subsystem (security/apparmor/match.c) allows a local low-privileged user to trigger a KASAN slab-out-of-bounds read via the mount() syscall on kernels 7.0 through 7.0.3 and 7.1-rc1. The flaw stems from a missing string terminator that causes aa_dfa_match() to read past the end of an 8KB kmalloc buffer when processing mount path strings, resulting in potential information disclosure and system instability (denial of service). No public exploit identified at time of analysis, and EPSS probability is negligible at 0.02%.

Ubuntu Linux Lenovo Qualcomm Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46045 HIGH PATCH This Week

Data corruption in the Linux kernel md-llbitmap RAID subsystem allows stale bitmap pages to be read from spare disks during rebuild. The md-llbitmap code iterated rdevs checking only raid_disk assignment and the Faulty flag, omitting the In_sync flag, so bitmap data could be sourced from a not-yet-synchronized spare. No public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%), but the bug can silently corrupt arrays during normal operation or recovery.

Linux Memory Corruption Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46039 CRITICAL PATCH Act Now

Integer overflow in the Linux kernel's rxgk (RxRPC GSS Kerberos) token extraction routine allows remote attackers to potentially trigger memory corruption via length-check bypass in rxgk_extract_token(). The flaw affects Linux kernel versions in the 6.16.9-to-6.17 range and was fixed by changing the validation to round down available data instead of rounding up the tested value. No public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.02%.

Linux Buffer Overflow Integer Overflow
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-46033 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's crypto authencesn AEAD wrapper allows a local user with AF_ALG access to trigger memory disclosure and possible denial of service by instantiating an authencesn transform built on an ahash whose digest size is 1-3 bytes (for example cbcmac(cipher_null)). The flaw stems from crypto_authenc_esn_create() failing to validate the inner digest size, letting an invalid default authsize bypass the existing setauthsize() check. No public exploit identified at time of analysis and EPSS probability is negligible (0.02%), but the upstream fix is shipping across multiple stable trees.

Linux Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46023 MEDIUM PATCH This Month

Integer overflow in the Linux kernel's device mapper mirror (dm-mirror) subsystem allows a local attacker with device mapper configuration privileges to crash the kernel via a denial-of-service condition. The flaw resides in create_dirty_log() where an unchecked unsigned addition of 2 + param_count wraps around to a small value when param_count approaches UINT_MAX, bypassing an argc bounds check and triggering out-of-bounds reads in dm_dirty_log_create(). No public exploit code exists and EPSS is exceptionally low at 0.02% (5th percentile); this CVE has not been added to the CISA KEV catalog, indicating no confirmed active exploitation at time of analysis.

Linux Integer Overflow Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46022 HIGH PATCH This Week

Out-of-bounds MMIO read in the Linux kernel's ibmasm (IBM Advanced System Management) misc driver allows a compromised IBM service processor to read 8 bytes from unintended device registers or trigger a machine check exception (system crash) by writing an out-of-range queue reader/writer index before asserting an interrupt. The flaw resides in ibmasm_handle_mouse_interrupt() where raw readl() values are passed unchecked to get_queue_entry(), and is fixed by bounds-checking both indices against REMOTE_QUEUE_SIZE (60). No public exploit identified at time of analysis, and EPSS probability is negligible at 0.02%.

Linux Information Disclosure Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46020 HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's DAMON (Data Access MONitor) subsystem allows privileged local users to crash the kernel by supplying arbitrary node IDs to damos_quota_goal via DAMON_SYSFS. Affecting Linux 6.16 and fixed in 6.18.27, 7.0.4, and 7.1-rc1, the flaw stems from missing validation before si_meminfo_node()/NODE_DATA() lookups and is reproducible with the upstream 'damo' user-space tool. No public exploit identified at time of analysis and EPSS is very low at 0.02%.

Denial Of Service Linux Information Disclosure Buffer Overflow Red Hat +1
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46006 HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel's Nouveau DRM driver stems from a 32-bit integer overflow in the pushbuf relocation bounds check (nouveau_gem_pushbuf_reloc_apply). Authenticated local users with access to the Nouveau GPU device node can bypass the size validation and trigger out-of-bounds writes against the buffer object, leading to high impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but a vendor patch is available across multiple stable kernel branches.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46001 HIGH PATCH This Week

Stack buffer overrun in the Linux kernel's pt5161l hwmon driver allows a malicious or malfunctioning I2C device to write up to 32 bytes into a 24-byte stack buffer during pt5161l_read_block_data(), corrupting kernel memory. The flaw affects Linux 6.9 through versions before the stable fixes, and a secondary bug causes the driver to process stale data as valid when retries are exhausted with a length mismatch. EPSS is very low (0.02%) and no public exploit identified at time of analysis.

Linux Memory Corruption Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45994 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's ibmasm driver allows a local low-privileged user with write access to the ibmasm command character device to leak kernel heap memory to the IBM Advanced System Management service processor and potentially destabilize the host. The flaw resides in command_file_write(), which trusts attacker-controlled command_size/data_size header fields after allocating a buffer of arbitrary count, enabling get_dot_command_size() to return a value larger than the allocation. EPSS is 0.02% and no public exploit is identified at time of analysis; the issue is not on CISA KEV.

Linux Information Disclosure Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-45991 HIGH PATCH This Week

Heap out-of-bounds write in the Linux kernel UDF filesystem driver allows a local attacker to corrupt kernel memory by mounting a crafted UDF image containing repeated partition descriptors. The flaw stems from incorrect bookkeeping in handle_partition_descriptor() where appended slots never record partnum, causing duplicate descriptors to overflow the part_descs_loc[] table. No public exploit identified at time of analysis, and EPSS scores the exploitation probability at only 0.02%.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45990 MEDIUM PATCH This Month

Out-of-bounds write and data-loss bugs in the Linux kernel SLUB allocator's krealloc() function affect kernels incorporating commit 2cd8231796b5, which introduced NUMA node and alignment forcing to k[v]realloc(). A local attacker with low privileges who can trigger the krealloc_node_align() or kvrealloc() reallocation fallback path - specifically when shrinking an allocation while simultaneously forcing a new alignment or NUMA node - can cause kernel heap memory corruption leading to a system panic or silent heap object corruption. No public exploit exists beyond the lkdtm reproducer in the CVE description; EPSS stands at the 4th percentile and the vulnerability is not in CISA KEV. Vendor-released patches are confirmed available in Linux 6.18.27, 7.0.4, and 7.1-rc1.

Linux Integer Overflow Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45957 HIGH PATCH This Week

Denial of service in the Linux kernel's RCU (Read-Copy-Update) subsystem allows a local condition to trigger an infinite recursion deadloop in rcu_read_unlock_special() when ftrace is enabled, leading to kernel hang or crash. The flaw stems from a missing recursion-protection flag when raise_softirq_irqoff() is invoked from the RCU unlock path, causing repeated re-entry through the softirq/trace stack. No public exploit identified at time of analysis and EPSS rates exploitation probability at 0.02%.

Denial Of Service Linux Information Disclosure Buffer Overflow Red Hat +1
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-45943 HIGH PATCH This Week

Kernel NULL pointer dereference in the Linux EROFS compressed filesystem driver allows a local user reading from an EROFS image to crash the system. The flaw lives in z_erofs_decompress_pcluster(), where compressed folios for ztailpacking pclusters are added to I/O chains before being validated; if inline-data reading fails (notably when a fatal signal interrupts read_mapping_folio()), decompression assumes the folios are valid and dereferences a NULL pointer. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%), and the issue is not in CISA KEV.

Linux Denial Of Service Buffer Overflow Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-45935 HIGH PATCH This Week

Heap buffer overflow read in the Linux kernel's NTFS3 filesystem driver allows local attackers to trigger out-of-bounds memory access by mounting or processing a maliciously crafted NTFS volume. The flaw resides in the DeleteIndexEntryRoot path of the do_action function, where an attacker-controlled entry size ('esize') bypasses bounds checks and causes memmove to operate on an unsigned-converted negative offset. EPSS scores exploitation probability at 0.03% (9th percentile) and no public exploit has been identified at time of analysis.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45903 HIGH PATCH This Week

Information disclosure in the Linux kernel BPF subsystem allows a local low-privileged user with BPF program load access to leak kernel memory contents. Incorrect memory-access flags on several ARG_PTR_TO_MEM helper prototypes (notably bpf_get_stack_proto_raw_tp) cause the verifier to wrongly assume helper-written buffers are unchanged, optimizing away subsequent reads and producing stale or uninitialized data that can expose kernel memory. There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and it is not in CISA KEV.

Linux Buffer Overflow Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-45896 HIGH PATCH This Week

Out-of-bounds array access in the Linux kernel's Intel Discrete Graphics MTD driver (mtd_intel_dg.c) lets a local actor trigger kernel memory corruption when the driver enumerates NVM regions before nregions is initialized. The flaw, caught by UBSAN as an array-index-out-of-bounds at line 750, affects systems running kernel 6.17 through the pre-patch 6.18/6.19 series with Intel discrete graphics hardware. No public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.02%, 4th percentile).

Linux Buffer Overflow Intel Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45893 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's AppArmor subsystem allows a local, low-privileged attacker to leak adjacent kernel memory and potentially crash the system when AppArmor parses a policy table built from possibly unaligned, userspace-supplied source data. The flaw stems from unaligned memory accesses during table creation in the policy loader and carries high confidentiality and availability impact. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.02%, 5th percentile), consistent with a hard-to-reach local-only kernel hardening fix rather than a mass-exploitation target.

Linux Buffer Overflow Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-45878 HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel's AMD KFD (Kernel Fusion Driver) debug subsystem allows a local user with GPU access to trigger a buffer overflow in the watch_points array via a crafted watch_id value. The flaw stems from signed/unsigned integer mishandling in kfd_dbg_trap_clear_dev_address_watch(), where userspace-supplied watch_id values exceeding INT_MAX cause undefined bit shifts and out-of-bounds memory access. No public exploit identified at time of analysis, and EPSS scores exploitation probability at only 0.02%.

Linux Amd Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45856 HIGH PATCH This Week

Out-of-bounds kernel heap read in the Linux kernel's RDMA/uverbs subsystem allows local low-privileged users with access to InfiniBand/RDMA device nodes to leak kernel memory or trigger a denial-of-service WARNING by submitting a crafted ib_uverbs_post_send command with an undersized or oversized wqe_size value. EPSS is very low (0.02%, 7th percentile) and there is no public exploit identified at time of analysis, but the bug is fixed upstream across multiple stable trees, so patched versions should be deployed where RDMA is exposed to untrusted local users.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-45853 HIGH PATCH This Week

Memory corruption in the Linux kernel's AMD GPU driver (amdgpu) arises because amdgpu_gmc_get_nps_memranges() releases buffers allocated by amdgpu_discovery_get_nps_info() with kfree() even though that memory may have been allocated via kvcalloc()/vmalloc(), corrupting the kernel allocator state. The flaw affects systems running AMD GPUs on kernels prior to the fixed stable releases (6.12.75, 6.18.14, 6.19.4, and 7.0). There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and the issue was found via static analysis and code review rather than in-the-wild exploitation.

Memory Corruption Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45851 HIGH PATCH This Week

Denial of service in the Linux kernel's EFI unaccepted-memory handling allows a boot-time kernel panic on confidential-computing guests, affecting kernels from 6.6 through the 6.19/7.0 development line. The reserve_unaccepted() routine miscalculates the memblock reservation size when the unaccepted memory table is not page-aligned, leaving the table's tail unreserved so it can be overwritten or rendered inaccessible, triggering a panic in accept_memory(). It is observed on Intel TDX VMs with larger memory sizes (e.g. >64GB); there is no public exploit identified at time of analysis and EPSS is negligible (0.02%).

Linux Intel Buffer Overflow Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-38427 HIGH This Week

Heap buffer overflow in Tasmota IoT firmware (through version 15.3.0.3) lets a remote attacker corrupt heap memory by manipulating the Content-Length of a JPEG stream processed by the fetch_jpg() routine in the scripter driver. Because the length is stored in a 16-bit integer, values above 65535 wrap to a small number, so the firmware allocates an undersized buffer and then reads the full, larger payload into it. Publicly available exploit code exists (a dedicated GitHub repository), CISA's SSVC framework rates exploitation as proof-of-concept and automatable, but the issue is not in CISA KEV and no public active exploitation is identified.

Heap Overflow Buffer Overflow
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-38426 HIGH This Week

Remote code execution in Tasmota firmware (v15.3.0.3 and all earlier releases) stems from an unbounded strcpy() into the fixed 40-byte jpg_task.boundary[40] buffer inside fetch_jpg() in the Scripter driver (xdrv_10_scripter.ino). A network attacker able to reach the device and trigger this code path can overflow the buffer and, per the vendor description, execute arbitrary code on the ESP-based device. Publicly available exploit code exists (a CVE-named GitHub repository), and CISA's SSVC framework rates exploitation as POC with the attack automatable; no active exploitation is confirmed.

RCE Buffer Overflow
NVD GitHub
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-38422 HIGH This Week

Remote code execution in Tasmota firmware version 15.3.0.3 and earlier allows remote unauthenticated attackers to trigger a stack-based buffer overflow in the fetch_jpg() function of the xdrv_10_scripter.ino scripting driver. The flaw is exposed over the network with low complexity and no privileges required (CVSS 7.3 AV:N/AC:L/PR:N/UI:N), and a public proof-of-concept repository has been registered, though no public exploit code was identified in the references at time of analysis. EPSS probability is very low (0.05%, 15th percentile) and the issue is not listed in CISA KEV.

Buffer Overflow RCE Stack Overflow
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-23679 MEDIUM PATCH This Month

NULL pointer dereference in libusb's USB descriptor parser allows any attacker who can supply a crafted configuration descriptor to crash any application that uses libusb for USB device enumeration. Affected versions are all libusb releases before 1.0.30; the flaw resides in parse_interface() within descriptor.c and is reachable through the public APIs libusb_get_active_config_descriptor and libusb_get_config_descriptor. No public exploit code is identified at time of analysis and this CVE does not appear in the CISA KEV catalog, but the availability impact is confirmed high (CVSS 4.0 VA:H) and regression corpus files in the fix commit demonstrate reliable crash reproduction.

Information Disclosure Denial Of Service Buffer Overflow Libusb
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2025-71306 HIGH PATCH This Week

Out-of-bounds stack read in the Linux kernel's IMA (Integrity Measurement Architecture) subsystem, in ima_appraise_measurement() reached via is_bprm_creds_for_exec(), affecting kernels from the 6.14 series up to the fixed stable commits. A misuse of container_of() on a *file pointer computes an invalid stack offset, letting a local execution path read one byte past a stack frame object (flagged by KASAN), which can disclose adjacent stack data or crash the task. EPSS is very low (0.02%, 5th percentile), the CVE is not on CISA KEV, and there is no public exploit identified at time of analysis; the issue is patched upstream.

Linux Buffer Overflow Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-71305 MEDIUM PATCH This Month

The drm/display/dp_mst subsystem in the Linux kernel crashes with a UBSAN shift-out-of-bounds error when a DP 2.1 monitor disconnects while delayed_destroy_work is still in flight, producing a kernel denial-of-service on affected systems. Systems running unpatched kernel versions across the 6.1.x, 6.6.x, 6.12.x, 6.18.x, and 6.19.x stable branches with DisplayPort Multi-Stream Transport (MST) capable hardware are vulnerable. No public exploit or active exploitation has been identified; patches are available across all affected stable branches with specific fix commits traceable to git.kernel.org.

Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45840 MEDIUM PATCH This Month

Kernel panic in the Linux kernel's Open vSwitch (openvswitch) subsystem allows a low-privileged local user to crash the host kernel on Ubuntu-default and similar configurations. The vport netlink reply handler pre-allocates a fixed-size buffer but lacks an upper-bound check on the upcall PID array size, causing nla_put() to return -EMSGSIZE and BUG_ON(err < 0) to fire in ovs_vport_cmd_set(), triggering a kernel panic. On systems with unprivileged user namespaces enabled (Ubuntu default), any local user can reach this path via unshare -Urn without requiring elevated privileges. No public exploit has been identified at time of analysis, and EPSS at 0.02% reflects low current exploitation probability.

Linux Ubuntu Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45839 HIGH PATCH This Week

Local denial of service in the Linux kernel's BPF CO-RE relocation parser allows a process holding CAP_BPF to deterministically crash the system by loading a BPF program with a negative CO-RE accessor index. The flaw stems from bpf_core_parse_spec() in the libbpf relocation core accepting negative values from sscanf("%d") that bypass upper-bound checks due to integer promotion, ultimately driving an out-of-bounds read past the BTF members array. EPSS is negligible (0.01%) and there is no public exploit identified at time of analysis; a kernel oops backtrace is published in the changelog but it serves as a crash reproducer rather than a weaponized exploit.

Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome's ANGLE graphics layer prior to version 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of Chrome's sandbox via a crafted HTML page. Rated High severity by Chromium with a CVSS of 8.3, the issue is patched but no public exploit has been identified at time of analysis, and EPSS exploitation probability is low (0.03%, 11th percentile).

Google Memory Corruption Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine prior to version 148.0.7778.216 allows remote attackers to execute arbitrary code inside the renderer sandbox by luring a user to a crafted HTML page. The flaw is a CWE-787 out-of-bounds write in V8 carrying a CVSS 8.8 (High) with Chromium severity rated High; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Google Memory Corruption RCE +4
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via an out-of-bounds read in the GPU process triggered by a crafted HTML page. Google rates the underlying issue as High severity, and while a vendor patch is shipped, EPSS shows only 0.03% (11th percentile) exploitation probability and no public exploit code or active exploitation has been identified at the time of analysis.

Google Information Disclosure Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome on Android prior to 148.0.7778.216 allows a remote attacker to break out of the renderer sandbox by serving a crafted HTML page that triggers an out-of-bounds read and write in the Dawn WebGPU implementation. Chromium rates the underlying issue as Critical severity, and CVSS 8.3 with scope change reflects the cross-boundary impact, though EPSS is low at 0.03% and no public exploit has been identified at time of analysis.

Google Information Disclosure Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from an out-of-bounds write in the ANGLE graphics translation layer, allowing a remote attacker to execute arbitrary code in the browser's renderer context after a victim visits a crafted HTML page. Chromium rates this severity Critical and CVSS scores it 8.8, with vendor patches released via the Stable channel update; no public exploit identified at time of analysis.

Google Memory Corruption RCE +4
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on Android prior to 148.0.7778.216 allows remote attackers to potentially break out of the renderer sandbox via an out-of-bounds read in the WebGL component when a victim visits a crafted HTML page. Chromium rates the underlying issue as Critical severity, and while no public exploit is identified at time of analysis (EPSS 0.03%), the combination of scope-change (S:C) and full CIA impact makes this a high-priority browser patch for Android fleets.

Google Information Disclosure Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on Android prior to 148.0.7778.216 allows remote attackers to corrupt GPU process memory via a crafted HTML page, breaking out of the renderer sandbox boundary. Chromium rates this Critical severity with a CVSS of 9.6 due to scope change, though EPSS remains low at 0.03% and no public exploit identified at time of analysis.

Google Memory Corruption Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote denial of service in Lakeside SysTrack Agent (lsiagent.exe) allows unauthenticated network attackers to crash the endpoint monitoring agent by sending a single malformed UDP packet to the Command ID 30 handler. The flaw was reported by VulnCheck and carries a CVSS 4.0 score of 8.7 reflecting high availability impact with no privileges or user interaction required; no public exploit identified at time of analysis, though VulnCheck has published an advisory describing the trigger.

Information Disclosure Denial Of Service Buffer Overflow +1
NVD
EPSS 0% CVSS 8.6
HIGH Act Now

Stack-based buffer overflow in the XCharge C6 charging controller's signal-processing logic enables an attacker with physical access to the charging interface to corrupt memory by sending oversized message fields, potentially gaining code execution with elevated privileges. Reported through CISA's ICS-CERT under advisory ICSA-26-148-08, the flaw carries a CVSS 4.0 score of 8.6 driven by high impact to confidentiality, integrity, and availability of both the vulnerable component and adjacent subsystems. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Buffer Overflow Stack Overflow C6
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Stack buffer overflow in Music Player Daemon (MPD) versions prior to 0.24.11 allows remote unauthenticated attackers to crash the daemon or potentially execute code by serving a malicious HTTP audio stream processed by the PCM decoder plugin. The flaw stems from an off-by-one miscalculation in pcm_unpack_24be (src/pcm/Pack.cxx) that writes four bytes (three attacker-controlled) past a 1365-entry int32_t stack array. No public exploit identified at time of analysis, but the upstream fix is confirmed via commit 5991102 and release 0.24.11.

RCE Buffer Overflow Mpd
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds heap read in Ubuntu Linux kernels 6.8, 6.17, and 7.0 stems from AppArmor SAUCE patches miscomputing an internal buffer size during notification handling, allowing an unprivileged local user to feed invalid data into the AppArmor DFA policy engine. The flaw carries a CVSS 7.8 (high) and currently has no public exploit identified at time of analysis, though Canonical has shipped an upstream kernel fix. Impact is limited to local attackers but high-severity given full CIA impact in the CVSS vector.

Ubuntu Information Disclosure Buffer Overflow
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Out-of-bounds read in Ubuntu Linux kernels 6.8, 6.17, and 7.0 exposes adjacent slab allocator memory to any local low-privileged user. The flaw originates in Canonical's Ubuntu-specific AppArmor SAUCE patches, which incorrectly validate the size of an internal structure during notification handling, enabling controlled reads past the intended memory boundary. No public exploit identified at time of analysis, and exploitation is strictly local; however, C:H in the CVSS vector confirms that successful exploitation can yield high-sensitivity kernel or cross-process data from slab neighbors.

Ubuntu Information Disclosure Buffer Overflow
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Out-of-bounds write in bzip2's bzip2recover utility allows a local attacker to supply a specially crafted file that triggers an off-by-one error, corrupting a global buffer and crashing the process. Per the CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:N), the attack requires no privileges and no user interaction beyond the utility being invoked against a malicious file. Impact is strictly denial of service against the bzip2recover process - no confidentiality or integrity exposure - and the CVSS 4.0 score of 5.1 (Medium) reflects this constrained scope. No public exploit or active exploitation has been identified at time of analysis.

Memory Corruption Denial Of Service Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial-of-service via stack buffer overflow in CryptX (Perl cryptography module) versions before 0.088_001 affects four AEAD decryption helpers that copy attacker-controlled authentication tags into a fixed 144-byte stack buffer without bounds checking. Remote attackers can crash any Perl application that passes untrusted tags to gcm_decrypt_verify, ccm_decrypt_verify, chacha20poly1305_decrypt_verify, or eax_decrypt_verify, resulting in process termination. No public exploit identified at time of analysis, and EPSS scoring (0.04%, 13th percentile) reflects low expected exploitation activity despite the network attack vector.

Buffer Overflow Stack Overflow Cryptx +2
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local privilege-escalation-adjacent denial of service and potential memory corruption in the Linux kernel's AMD GPU VCN3 (Video Core Next 3) driver allows a local low-privileged user with GPU access to trigger an integer overflow in the message bound check of the drm/amdgpu/vcn3 subsystem. The flaw was identified by AMD's SDL review and patched upstream, and per CVSS it yields high confidentiality and availability impact without integrity impact. Exploitation status: no public exploit identified at time of analysis, and EPSS is very low at 0.02%.

Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Linux kernel's vsock (virtio sockets) subsystem stems from inverted buffer-size clamping logic in vsock_update_buffer_size(), allowing a local user to grow vsk->buffer_size beyond the configured vsk->buffer_max_size and violate intended socket memory boundaries. Affected branches include stable trees prior to 6.6.140, 6.12.90, 6.18.32, 7.0.9, and 7.1-rc1; no public exploit identified at time of analysis and EPSS is 0.02% (5th percentile).

Linux Memory Corruption Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's AMD GPU VCN3 (Video Core Next, generation 3) decoder message parser allows a local low-privileged user to read kernel memory beyond the buffer object boundary and potentially trigger denial of service. The flaw was resolved by adding bounds checks against the end of the buffer object whenever the dec msg is accessed. EPSS is very low (0.02%, 6th percentile) and no public exploit has been identified at time of analysis.

Linux Information Disclosure Buffer Overflow
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Integer overflow in the AMDGPU VCN4 (Video Core Next 4) multimedia driver within the Linux kernel allows a local low-privileged user to cause a kernel denial of service. The bounds check on incoming messages to the VCN4 encoder/decoder engine contains an overflow-vulnerable condition, meaning a crafted message can bypass intended size validation. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at the 5th percentile, indicating very low real-world exploitation likelihood currently.

Linux Buffer Overflow Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation potential exists in the Linux kernel's DRM/GEM framebuffer subsystem (drm_gem_fb_init_with_funcs) where inconsistent plane dimension calculations between integer division and DIV_ROUND_UP cause a size-check bypass. A local low-privileged user able to invoke the framebuffer ioctl with specific pixel formats (e.g., NV12) and crafted dimensions can trigger an out-of-bounds GPU memory access on the chroma plane, leading to memory corruption with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS is very low (0.02%), suggesting limited near-term exploitation risk despite the 7.8 CVSS.

Linux Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's AMD GPU VCN4 (Video Core Next) driver allows a local user with GPU access to trigger memory disclosure or denial of service by submitting a crafted indirect buffer (IB) to the amdgpu DRM subsystem. The flaw stems from missing bounds checks while parsing IBs in the drm/amdgpu/vcn4 code path, and no public exploit identified at time of analysis. EPSS exploitation probability is very low (0.02%) and the issue is not listed in CISA KEV.

Linux Information Disclosure Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Unclocked register access in the Linux kernel's Cadence Quadspi SPI controller driver (spi-cadence-quadspi) occurs during driver unbind, affecting kernel versions through 7.0.x and 7.1-rc1. A local low-privileged user able to trigger driver unbind can cause high-impact confidentiality loss and denial of service on systems using affected SPI hardware. There is no public exploit identified at time of analysis and EPSS rates exploitation probability at just 0.02%.

Information Disclosure Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the AMD GPU VCN4 (Video Core Next, 4th generation) decoder message parser of the Linux kernel allows a local low-privileged user to read kernel memory beyond the decoder message buffer object, potentially leading to information disclosure and denial of service. The flaw exists in the drm/amdgpu/vcn4 driver where bounds against the end of the buffer object (BO) were not validated when parsing decoder messages. No public exploit identified at time of analysis and EPSS scores the exploitation probability at just 0.02% (6th percentile), but a vendor patch is available across multiple stable branches.

Linux Information Disclosure Buffer Overflow
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's batman-adv (B.A.T.M.A.N. advanced) mesh networking module stems from an integer overflow on the s16 buff_pos variable in batadv_iv_ogm_send_to_if, where the size check is performed using int while the position counter uses s16. Adjacent-network attackers on a batman-adv mesh can trigger the overflow by sending crafted OGM (Originator Message) aggregation packets, potentially leaking kernel memory or causing denial of service. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, but the issue carries a CVSS of 8.8 due to high impact on confidentiality, integrity, and availability across adjacent networks.

Linux Buffer Overflow Integer Overflow
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation via out-of-bounds buffer access in the Linux kernel's AMD KFD (Kernel Fusion Driver) SVM ioctl interface allows authenticated local users to corrupt kernel memory by supplying an attacker-controlled nattr attribute count that exceeds the buffer size. The flaw affects systems running AMD GPUs with the amdkfd driver and has been resolved upstream across multiple stable branches. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, but the high CIA impact warrants prompt patching on AMD GPU compute workstations and HPC nodes.

Linux Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's framebuffer console (fbcon) subsystem allows a local low-privileged attacker to access kernel memory beyond the font buffer when console rotation is enabled and font reallocation fails. The flaw resides in fbcon_rotate_font() which retains the undersized old buffer after a failed reallocation, so printing characters with high-enough codes overflows the font buffer during putcs operations. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%), but the issue is patched across multiple stable kernel branches.

Linux Information Disclosure Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's SPI-NOR flash debugfs interface (spi_nor_params_show) allows local authenticated users with debugfs access to trigger memory disclosure or denial of service on 64-bit systems. The flaw stems from sizeof() being used on a pointer array instead of ARRAY_SIZE(), inflating the bounds-check length by 8x. No public exploit identified at time of analysis and EPSS rates exploitation likelihood at 0.02%.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds read in the Linux kernel's SMB client (smb/client) symlink handling allows a malicious or compromised SMB server to trigger memory disclosure or denial-of-service against Linux clients that mount SMB shares. The flaw resides in symlink_data() where smb2_check_message() does not validate response length before fields beyond the 64-byte SMB2 header are accessed. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, though upstream kernel fixes have already been merged across multiple stable branches.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Memory corruption in the Linux kernel scheduler exit path allows local low-privileged users to trigger use-after-free or double-free of task stacks when an exiting task oopses, per CVE-2026-46173. The flaw stems from make_task_dead() invoking do_task_dead() with preemption enabled, violating the scheduler's requirement that __schedule() run with preemption disabled, which can leave two tasks running on the same stack. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%.

Linux Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's b43legacy wireless driver allows a local attacker with low privileges to read beyond the dev->key[] array when firmware reports a key index exceeding dev->max_nr_keys. The existing B43legacy_WARN_ON check was non-enforcing in production builds, permitting memory disclosure during RX packet handling on systems with vulnerable Broadcom legacy WiFi chipsets. No public exploit identified at time of analysis, and EPSS is very low (0.02%), suggesting limited near-term mass exploitation despite a high CVSS of 7.8.

Linux Buffer Overflow Red Hat +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds heap read in the Linux kernel's SMB client (smb/client) allows a malicious or compromised SMB server to leak adjacent kernel heap memory to a connected Linux client. The flaw lives in smb2_compound_op() where check_wsl_eas() fails to validate that OutputBufferLength fits within iov_len before a memcpy, so a truncated response with an oversized OutputBufferLength and an early-terminated EA list triggers the read past the rsp_iov allocation. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but upstream patches have been merged across multiple stable branches.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds stack read in the Linux kernel SCSI target subsystem's configfs interface allows a local privileged user to trigger a kernel panic or leak adjacent stack memory by reading the tg_pt_gp members sysfs attribute when a long iSCSI IQN fabric WWN (up to 223 bytes) is configured. The flaw stems from misusing the snprintf() return value (which reports intended length, not bytes written) as a memcpy() source length. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 5th percentile).

Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Linux kernel's RDMA/mana driver allows an authenticated low-privileged user to corrupt kernel memory by supplying an oversized rx_hash_key_len via the uAPI structure, which is passed unchecked to memcpy. The flaw affects kernels using the Microsoft Azure Network Adapter (MANA) RDMA driver and can lead to heap/stack overflow within kernel space, enabling potential code execution or system compromise. No public exploit identified at time of analysis, and EPSS is very low at 0.02% (5th percentile), indicating limited exploitation interest so far.

Linux Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel's MediaTek Bluetooth driver (btmtk) lets a short or malformed WMT firmware event response trigger reads past the SKB tailroom in btmtk_usb_hci_wmt_sync(), potentially leaking adjacent kernel memory or crashing the host. The flaw affects systems using MediaTek USB Bluetooth controllers (MT76xx family) on kernels around 6.11 through release candidates of 7.1, scoring CVSS 7.1 with high confidentiality and availability impact. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%), but a vendor fix is available across multiple stable branches.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Out-of-bounds heap read and infinite loop in the Linux kernel Bluetooth HCI event handler (hci_le_create_big_complete_evt) allows an adjacent attacker to trigger denial of service on systems with Bluetooth LE Isochronous (BIG) connections. The flaw arises when a malicious or malformed controller returns an LE_Create_BIG_Complete event with fewer bis_handle entries than expected, causing the kernel to read past the flex array and spin indefinitely while holding hci_dev_lock. No public exploit identified at time of analysis, and EPSS probability is very low (0.02%), but the issue is patched across multiple stable trees.

Linux Denial Of Service Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Denial-of-service in the Linux kernel mt76/mt7921 MediaTek Wi-Fi driver lets a buffer-length (buf_len) underflow occur while iterating the CLC (country location configuration) power table, producing a near-infinite loop or an invalid power setting that crashes driver initialization. Systems running affected kernels with MediaTek MT7921 Wi-Fi hardware are impacted; classified CWE-787 (out-of-bounds write) with a vendor-assigned CVSS of 7.8 (local, AV:L). No public exploit identified at time of analysis and EPSS is very low (0.02%), consistent with a reliability/DoS defect rather than a readily weaponizable memory-corruption primitive.

Memory Corruption Linux Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial-of-service in the Linux kernel's Soft RoCE (RDMA/rxe) driver allows unauthenticated attackers to crash the kernel by sending a single crafted 48-byte UDP packet to port 4791 with an undefined BTH opcode. The flaw triggers an out-of-bounds read in rxe_icrc_hdr() via crc32_le() due to zero-initialized rxe_opcode[] entries causing arithmetic underflow, panicking the host with no public exploit identified at time of analysis though EPSS is very low at 0.03%.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's dm-verity-fec (forward error correction) subsystem allows kernel memory disclosure or a crash when decoding Reed-Solomon parity data. The flaw affects the device-mapper verity FEC code where fec_decode_bufs() wrongly assumes parity bytes of the first RS codeword never span a parity-block boundary; with certain non-default fec_roots values combined with low-memory buffer-allocation failures, the decoder reads past the end of the parity block buffer. Tracked as CWE-125, it carries a 7.1 CVSS (local, low complexity per NVD) but a negligible EPSS of 0.02%, and there is no public exploit identified at time of analysis.

Linux Buffer Overflow Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Out-of-bounds read and information disclosure in the Linux kernel's virtio_bt (virtio Bluetooth) driver allows a malicious or buggy virtio backend to leak uninitialized kernel heap memory into received Bluetooth skbs. The virtbt_rx_work() function trusted the device-reported length from virtqueue_get_buf() without clamping it to the 1000-byte buffer actually exposed via sg_init_one(), so a hostile backend can report lengths between 1001 and skb_tailroom() - or 0 - causing skb_put() to expose untouched heap bytes or virtbt_rx_handle() to read an uninitialized pkt_type. No public exploit identified at time of analysis and EPSS is 0.02% (5th percentile), but a vendor patch is available.

Linux Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds memory read in the Linux kernel's b43 Broadcom wireless driver allows leakage of adjacent kernel memory when the device firmware supplies a key index that exceeds the 58-entry dev->key[] array in b43_rx(). The pre-patch guard (B43_WARN_ON) is a no-op in production kernels, so the invalid index was used to index the array unchecked. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%); the fix enforces the bounds check and drops the offending frame.

Linux Buffer Overflow Red Hat +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Information disclosure and denial of service in the Linux kernel's libceph subsystem allows remote Ceph servers (or attackers able to spoof/MITM unauthenticated Ceph traffic) to trigger a slab-out-of-bounds read by sending a crafted CEPH_MSG_AUTH_REPLY message with a positive result value. The flaw causes the kernel client to send memory contents past the allocated front-segment buffer back over the wire, potentially leaking adjacent kernel heap data and destabilizing the host. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the CVSS of 9.1 reflects the network-reachable, no-privileges-required nature of the bug in affected Ceph client deployments.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Keycloak's ClientRegistrationAuth component can be crashed by a remote unauthenticated attacker through a specially crafted POST request bearing a malformed 'Authorization: Bearer' header, triggering an unhandled ArrayIndexOutOfBoundsException and returning HTTP 500 to all subsequent callers of the affected endpoint. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero prerequisites for exploitation beyond network reachability, making any publicly exposed Keycloak client registration endpoint a viable target. No public exploit has been identified at time of analysis and no EPSS data was supplied, but the trivial attack mechanics mean no specialized tooling is required to reproduce the denial of service.

Information Disclosure Denial Of Service Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Out-of-bounds write in Samsung's Escargot JavaScript engine allows attacker-supplied scripts to corrupt memory through the ArrayBuffer.prototype.transfer() built-in, with high confidentiality, integrity, and availability impact (CVSS 8.8). The flaw stems from a missing length-bounds check when transferring an ArrayBuffer to a new byte length, enabling writes past the allocated buffer that can lead to remote code execution if a victim runs the malicious script. No public exploit has been identified at time of analysis, and no EPSS or CISA KEV data was provided.

Memory Corruption Samsung Buffer Overflow
NVD GitHub VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Heap buffer overflow in pam_usb prior to 0.9.1 allows a local attacker with high privileges to corrupt heap memory on 32-bit Linux platforms (armv7l, i686) by supplying a crafted configuration file with an excessive device count. The root cause is an unchecked integer multiplication in src/conf.c where n_devices * sizeof(t_pusb_device) wraps around size_t on 32-bit targets, causing xmalloc() to receive a drastically undersized allocation that is silently accepted, enabling out-of-bounds writes into heap memory. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, successful exploitation yields full confidentiality, integrity, and availability impact on the affected host.

Heap Overflow Buffer Overflow Pam Usb
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in Gladinet Triofox is possible through a stack-based buffer overflow in WOSDefaultHttpModule.dll, which fails to bounds-check overly long URL paths beginning with /woshome. Because the flaw is reachable over the network with no authentication and no user interaction (CVSS 9.8), an attacker who can reach the Triofox web service can corrupt the stack and potentially execute arbitrary code in the context of the web module. No public exploit has been identified at the time of analysis, and the issue was reported by Tenable (TRA-2026-45).

Stack Overflow Buffer Overflow Triofox
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in Gladinet Triofox is possible through a stack-based buffer overflow in the WOSDeviceDropFolder.dll component, which mishandles overly long URL paths that begin with /resources. The CVSS 9.8 vector indicates an unauthenticated, network-reachable flaw requiring no user interaction, meaning any attacker who can reach the Triofox web service can corrupt the stack and potentially execute arbitrary code. The issue was reported by Tenable (TRA-2026-45); no public exploit identified at time of analysis and no EPSS score was provided in the source data.

Stack Overflow Buffer Overflow Triofox
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Heap-based buffer overflow in TeamSpeak 3 Server's ECC Key Parser allows remote unauthenticated attackers to crash the server, causing a denial of service against all versions up to and including 3.13.7. The vulnerability was discovered and disclosed by modzero security research (advisory mz-26-01-teamspeak) with a coordinated vendor response resulting in TeamSpeak security advisory TS-SA-2026-001. A proof-of-concept exploit exists per SSVC data, and the attack is automatable, meaning exploitation can be scripted at scale against exposed TeamSpeak server instances. No public exploit identified as confirmed actively exploited in the wild (not listed in CISA KEV at time of analysis).

Buffer Overflow
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Use-after-free in TeamSpeak 3 Server versions 3.13.0 through 3.13.7 allows a low-privileged remote attacker to corrupt server memory via the process_resend_queue function within Connection State Management, resulting in limited integrity and availability impact. Discovered and disclosed by modzero.com (advisory MZ-26-01) and acknowledged by TeamSpeak via official security advisory TS-SA-2026-001, the vendor has released version 3.13.8 as the fix. No public exploit code exists and no active exploitation has been identified at time of analysis.

Denial Of Service Buffer Overflow
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Out-of-bounds write in LibVNCClient (shipped in the LibVNCServer project, versions 0.9.15 and earlier) lets a malicious or compromised VNC server corrupt memory in any client that connects to it. The Tight encoding decoder's Gradient filter uses fixed 2048-pixel scratch buffers but never validates the server-supplied rectangle width, so a crafted FramebufferUpdate with a width above 2048 overruns those buffers, threatening confidentiality, integrity, and availability (CVSS 8.8). There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue is fixed by upstream commit 5b270544.

Memory Corruption Buffer Overflow
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC PATCH This Week

Heap buffer overflow in libjxl 0.12.0 lets remote attackers corrupt heap memory by feeding a crafted PBM/PNM image to the jxl::extras::DecodeImagePNM routine, which writes decoded rows into an output buffer without first checking that the buffer is large enough for the header-declared dimensions. The CVSS vector (AV:N/AC:L/PR:N/UI:N) describes unauthenticated, low-complexity exploitation with no user interaction, and CISA's SSVC framework rates it automatable with partial technical impact. Publicly available exploit code exists, though it is not listed in CISA KEV and no public exploit has been tied to active exploitation.

Heap Overflow Buffer Overflow Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary code execution in IBM Aspera High-Speed Transfer Server and Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1) arises from a stack-based buffer overflow in the asperahttpd component. An authenticated user with network access can corrupt memory in this HTTP handling component to run code in the context of the service, fully compromising confidentiality, integrity, and availability (CVSS 8.8). No public exploit has been identified at time of analysis, and the CVE is not listed in CISA KEV; EPSS data was not provided.

RCE Stack Overflow IBM +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution and authentication bypass are possible in IBM Aspera High-Speed Transfer Server and High-Speed Transfer Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1) through a heap-based buffer overflow in the asperahttpd component. An unauthenticated network attacker can corrupt memory to crash the service (denial of service) and, in the worst case, hijack execution flow to run arbitrary code or bypass authentication. There is no public exploit identified at time of analysis and SSVC lists exploitation as none, but the CVSS 9.8 rating and 'Automatable: yes' assessment mark this as a high-priority patching target.

RCE Denial Of Service Buffer Overflow +3
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Out-of-bounds read in libusb's parse_iad_array() function (descriptor.c) affects all releases before 1.0.30, enabling local attackers in virtualized environments with USB passthrough to crash libusb-dependent processes via a crafted USB descriptor. The off-by-one error causes the bounds check to evaluate against the original total buffer size rather than the remaining unparsed size, allowing a one-byte read past the end of the malloc allocation when a descriptor's bLength is set to exactly (total_size - 1). No public exploit code exists and the vulnerability is absent from CISA KEV; a vendor-released patch is confirmed in v1.0.30.

Denial Of Service Buffer Overflow Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's ext4 filesystem driver allows a local attacker to read up to 3 bytes beyond a valid extended-attribute (xattr) region, potentially leaking adjacent kernel memory or crashing the system. The flaw lives in check_xattrs(), where a loose bounds check on the next xattr entry lets IS_LAST_ENTRY() perform a 4-byte read that overruns the buffer when parsing a crafted or corrupted ext4 xattr block. It is not in CISA KEV and no public exploit identified at time of analysis; EPSS is negligible at 0.02% (5th percentile), consistent with a low-impact local memory-safety bug that has already been patched upstream.

Linux Buffer Overflow Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation via memory corruption in Linux Kernel crypto subsystem (acomp) affects systems using asynchronous hardware compression accelerators such as Intel QAT. The flaw stems from acomp_save_req() storing the wrong pointer (&req->chain instead of req itself) in req->base.data, causing the completion callback acomp_reqchain_done() to dereference fields at incorrect offsets. No public exploit identified at time of analysis, and EPSS is very low at 0.02%, but the high CVSS (7.8) reflects potential for memory corruption with high confidentiality, integrity, and availability impact.

Linux Canonical Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's EROFS filesystem driver allows a local attacker to crash the system or potentially leak kernel memory by mounting a crafted EROFS image. The flaw stems from missing validation of the trailing dirent nameoff field, which can underflow during strnlen() and cause reads beyond the directory block. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a vendor patch is available across multiple stable kernel branches.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel md/raid5 journal recovery path allows a local privileged user supplying a corrupted MD RAID5 journal device to trigger memory disclosure or kernel crashes during journal replay. The flaw exists in r5c_recovery_analyze_meta_block() and r5l_recovery_verify_data_checksum_for_mb(), which trusted on-disk payload size fields without validating them against the metadata block's remaining space. No public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.02% (5th percentile).

Linux Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Improper memory deallocation in the Linux kernel's NX-842 hardware compression crypto driver (nx842_crypto_alloc_ctx/free_ctx) causes bounce buffers allocated as order-2 (4 pages) to be released with single-page free_page() calls, leaking three of every four pages. The flaw is local-only with no public exploit identified at time of analysis, and EPSS (0.02%, 5th percentile) reflects negligible mass-exploitation interest. Note that the NVD CVSS (7.8, C:H/I:H/A:H) appears overstated for what the upstream commit explicitly describes as a memory leak rather than corruption.

Memory Corruption Linux Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's DAMON (Data Access MONitor) subsystem allows a local user with access to the DAMON sysfs interface to read out-of-bounds kernel memory or crash the system. The flaw exists because mm/damon/core failed to validate the user-supplied node ID (damos_quota_goal->nid) before using it in NODE_DATA() for the node_memcg_used_bp and node_memcg_free_bp quota goal metrics. The kernel description includes a working reproduction using the user-space 'damo' tool, but no public weaponized exploit and no active exploitation (CISA KEV) have been reported; EPSS is negligible at 0.02%.

Linux Buffer Overflow Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds heap read in the Linux kernel's ibmasm driver (the IBM Advanced System Management service-processor interface) lets a local privileged user leak adjacent kernel heap memory. The ibmasm_send_i2o_message() function trusts user-controlled command_size and data_size header fields to size a memcpy_toio() without validating them against the real allocation, so a small buffer with inflated header values forces a read of up to ~65 KB past the allocation, which is then forwarded to the service processor over MMIO. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis.

Linux Buffer Overflow Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Integer overflow in the Linux kernel's ntfs3 filesystem driver allows local attackers to bypass volume boundary validation when mounting or accessing a crafted NTFS volume, leading to memory corruption with high confidentiality, integrity, and availability impact. The flaw resides in run_unpack() where the check `lcn + len > sbi->used.bitmap.nbits` performs raw addition that wraps for large values, sidestepping the bounds check. No public exploit identified at time of analysis and EPSS is very low (0.02%), but CVSS 7.8 with required user interaction reflects realistic local privilege-escalation potential when untrusted NTFS media is processed.

Linux Buffer Overflow Integer Overflow
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's AppArmor LSM subsystem (security/apparmor/match.c) allows a local low-privileged user to trigger a KASAN slab-out-of-bounds read via the mount() syscall on kernels 7.0 through 7.0.3 and 7.1-rc1. The flaw stems from a missing string terminator that causes aa_dfa_match() to read past the end of an 8KB kmalloc buffer when processing mount path strings, resulting in potential information disclosure and system instability (denial of service). No public exploit identified at time of analysis, and EPSS probability is negligible at 0.02%.

Ubuntu Linux Lenovo +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Data corruption in the Linux kernel md-llbitmap RAID subsystem allows stale bitmap pages to be read from spare disks during rebuild. The md-llbitmap code iterated rdevs checking only raid_disk assignment and the Faulty flag, omitting the In_sync flag, so bitmap data could be sourced from a not-yet-synchronized spare. No public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%), but the bug can silently corrupt arrays during normal operation or recovery.

Linux Memory Corruption Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Integer overflow in the Linux kernel's rxgk (RxRPC GSS Kerberos) token extraction routine allows remote attackers to potentially trigger memory corruption via length-check bypass in rxgk_extract_token(). The flaw affects Linux kernel versions in the 6.16.9-to-6.17 range and was fixed by changing the validation to round down available data instead of rounding up the tested value. No public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.02%.

Linux Buffer Overflow Integer Overflow
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's crypto authencesn AEAD wrapper allows a local user with AF_ALG access to trigger memory disclosure and possible denial of service by instantiating an authencesn transform built on an ahash whose digest size is 1-3 bytes (for example cbcmac(cipher_null)). The flaw stems from crypto_authenc_esn_create() failing to validate the inner digest size, letting an invalid default authsize bypass the existing setauthsize() check. No public exploit identified at time of analysis and EPSS probability is negligible (0.02%), but the upstream fix is shipping across multiple stable trees.

Linux Information Disclosure Buffer Overflow
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Integer overflow in the Linux kernel's device mapper mirror (dm-mirror) subsystem allows a local attacker with device mapper configuration privileges to crash the kernel via a denial-of-service condition. The flaw resides in create_dirty_log() where an unchecked unsigned addition of 2 + param_count wraps around to a small value when param_count approaches UINT_MAX, bypassing an argc bounds check and triggering out-of-bounds reads in dm_dirty_log_create(). No public exploit code exists and EPSS is exceptionally low at 0.02% (5th percentile); this CVE has not been added to the CISA KEV catalog, indicating no confirmed active exploitation at time of analysis.

Linux Integer Overflow Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds MMIO read in the Linux kernel's ibmasm (IBM Advanced System Management) misc driver allows a compromised IBM service processor to read 8 bytes from unintended device registers or trigger a machine check exception (system crash) by writing an out-of-range queue reader/writer index before asserting an interrupt. The flaw resides in ibmasm_handle_mouse_interrupt() where raw readl() values are passed unchecked to get_queue_entry(), and is fixed by bounds-checking both indices against REMOTE_QUEUE_SIZE (60). No public exploit identified at time of analysis, and EPSS probability is negligible at 0.02%.

Linux Information Disclosure Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's DAMON (Data Access MONitor) subsystem allows privileged local users to crash the kernel by supplying arbitrary node IDs to damos_quota_goal via DAMON_SYSFS. Affecting Linux 6.16 and fixed in 6.18.27, 7.0.4, and 7.1-rc1, the flaw stems from missing validation before si_meminfo_node()/NODE_DATA() lookups and is reproducible with the upstream 'damo' user-space tool. No public exploit identified at time of analysis and EPSS is very low at 0.02%.

Denial Of Service Linux Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel's Nouveau DRM driver stems from a 32-bit integer overflow in the pushbuf relocation bounds check (nouveau_gem_pushbuf_reloc_apply). Authenticated local users with access to the Nouveau GPU device node can bypass the size validation and trigger out-of-bounds writes against the buffer object, leading to high impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but a vendor patch is available across multiple stable kernel branches.

Linux Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Stack buffer overrun in the Linux kernel's pt5161l hwmon driver allows a malicious or malfunctioning I2C device to write up to 32 bytes into a 24-byte stack buffer during pt5161l_read_block_data(), corrupting kernel memory. The flaw affects Linux 6.9 through versions before the stable fixes, and a secondary bug causes the driver to process stale data as valid when retries are exhausted with a length mismatch. EPSS is very low (0.02%) and no public exploit identified at time of analysis.

Linux Memory Corruption Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's ibmasm driver allows a local low-privileged user with write access to the ibmasm command character device to leak kernel heap memory to the IBM Advanced System Management service processor and potentially destabilize the host. The flaw resides in command_file_write(), which trusts attacker-controlled command_size/data_size header fields after allocating a buffer of arbitrary count, enabling get_dot_command_size() to return a value larger than the allocation. EPSS is 0.02% and no public exploit is identified at time of analysis; the issue is not on CISA KEV.

Linux Information Disclosure Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Heap out-of-bounds write in the Linux kernel UDF filesystem driver allows a local attacker to corrupt kernel memory by mounting a crafted UDF image containing repeated partition descriptors. The flaw stems from incorrect bookkeeping in handle_partition_descriptor() where appended slots never record partnum, causing duplicate descriptors to overflow the part_descs_loc[] table. No public exploit identified at time of analysis, and EPSS scores the exploitation probability at only 0.02%.

Linux Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Out-of-bounds write and data-loss bugs in the Linux kernel SLUB allocator's krealloc() function affect kernels incorporating commit 2cd8231796b5, which introduced NUMA node and alignment forcing to k[v]realloc(). A local attacker with low privileges who can trigger the krealloc_node_align() or kvrealloc() reallocation fallback path - specifically when shrinking an allocation while simultaneously forcing a new alignment or NUMA node - can cause kernel heap memory corruption leading to a system panic or silent heap object corruption. No public exploit exists beyond the lkdtm reproducer in the CVE description; EPSS stands at the 4th percentile and the vulnerability is not in CISA KEV. Vendor-released patches are confirmed available in Linux 6.18.27, 7.0.4, and 7.1-rc1.

Linux Integer Overflow Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial of service in the Linux kernel's RCU (Read-Copy-Update) subsystem allows a local condition to trigger an infinite recursion deadloop in rcu_read_unlock_special() when ftrace is enabled, leading to kernel hang or crash. The flaw stems from a missing recursion-protection flag when raise_softirq_irqoff() is invoked from the RCU unlock path, causing repeated re-entry through the softirq/trace stack. No public exploit identified at time of analysis and EPSS rates exploitation probability at 0.02%.

Denial Of Service Linux Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Kernel NULL pointer dereference in the Linux EROFS compressed filesystem driver allows a local user reading from an EROFS image to crash the system. The flaw lives in z_erofs_decompress_pcluster(), where compressed folios for ztailpacking pclusters are added to I/O chains before being validated; if inline-data reading fails (notably when a fatal signal interrupts read_mapping_folio()), decompression assumes the folios are valid and dereferences a NULL pointer. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%), and the issue is not in CISA KEV.

Linux Denial Of Service Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Heap buffer overflow read in the Linux kernel's NTFS3 filesystem driver allows local attackers to trigger out-of-bounds memory access by mounting or processing a maliciously crafted NTFS volume. The flaw resides in the DeleteIndexEntryRoot path of the do_action function, where an attacker-controlled entry size ('esize') bypasses bounds checks and causes memmove to operate on an unsigned-converted negative offset. EPSS scores exploitation probability at 0.03% (9th percentile) and no public exploit has been identified at time of analysis.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Information disclosure in the Linux kernel BPF subsystem allows a local low-privileged user with BPF program load access to leak kernel memory contents. Incorrect memory-access flags on several ARG_PTR_TO_MEM helper prototypes (notably bpf_get_stack_proto_raw_tp) cause the verifier to wrongly assume helper-written buffers are unchanged, optimizing away subsequent reads and producing stale or uninitialized data that can expose kernel memory. There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and it is not in CISA KEV.

Linux Buffer Overflow Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds array access in the Linux kernel's Intel Discrete Graphics MTD driver (mtd_intel_dg.c) lets a local actor trigger kernel memory corruption when the driver enumerates NVM regions before nregions is initialized. The flaw, caught by UBSAN as an array-index-out-of-bounds at line 750, affects systems running kernel 6.17 through the pre-patch 6.18/6.19 series with Intel discrete graphics hardware. No public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.02%, 4th percentile).

Linux Buffer Overflow Intel +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's AppArmor subsystem allows a local, low-privileged attacker to leak adjacent kernel memory and potentially crash the system when AppArmor parses a policy table built from possibly unaligned, userspace-supplied source data. The flaw stems from unaligned memory accesses during table creation in the policy loader and carries high confidentiality and availability impact. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.02%, 5th percentile), consistent with a hard-to-reach local-only kernel hardening fix rather than a mass-exploitation target.

Linux Buffer Overflow Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel's AMD KFD (Kernel Fusion Driver) debug subsystem allows a local user with GPU access to trigger a buffer overflow in the watch_points array via a crafted watch_id value. The flaw stems from signed/unsigned integer mishandling in kfd_dbg_trap_clear_dev_address_watch(), where userspace-supplied watch_id values exceeding INT_MAX cause undefined bit shifts and out-of-bounds memory access. No public exploit identified at time of analysis, and EPSS scores exploitation probability at only 0.02%.

Linux Amd Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds kernel heap read in the Linux kernel's RDMA/uverbs subsystem allows local low-privileged users with access to InfiniBand/RDMA device nodes to leak kernel memory or trigger a denial-of-service WARNING by submitting a crafted ib_uverbs_post_send command with an undersized or oversized wqe_size value. EPSS is very low (0.02%, 7th percentile) and there is no public exploit identified at time of analysis, but the bug is fixed upstream across multiple stable trees, so patched versions should be deployed where RDMA is exposed to untrusted local users.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Memory corruption in the Linux kernel's AMD GPU driver (amdgpu) arises because amdgpu_gmc_get_nps_memranges() releases buffers allocated by amdgpu_discovery_get_nps_info() with kfree() even though that memory may have been allocated via kvcalloc()/vmalloc(), corrupting the kernel allocator state. The flaw affects systems running AMD GPUs on kernels prior to the fixed stable releases (6.12.75, 6.18.14, 6.19.4, and 7.0). There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and the issue was found via static analysis and code review rather than in-the-wild exploitation.

Memory Corruption Linux Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial of service in the Linux kernel's EFI unaccepted-memory handling allows a boot-time kernel panic on confidential-computing guests, affecting kernels from 6.6 through the 6.19/7.0 development line. The reserve_unaccepted() routine miscalculates the memblock reservation size when the unaccepted memory table is not page-aligned, leaving the table's tail unreserved so it can be overwritten or rendered inaccessible, triggering a panic in accept_memory(). It is observed on Intel TDX VMs with larger memory sizes (e.g. >64GB); there is no public exploit identified at time of analysis and EPSS is negligible (0.02%).

Linux Intel Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 7.3
HIGH This Week

Heap buffer overflow in Tasmota IoT firmware (through version 15.3.0.3) lets a remote attacker corrupt heap memory by manipulating the Content-Length of a JPEG stream processed by the fetch_jpg() routine in the scripter driver. Because the length is stored in a 16-bit integer, values above 65535 wrap to a small number, so the firmware allocates an undersized buffer and then reads the full, larger payload into it. Publicly available exploit code exists (a dedicated GitHub repository), CISA's SSVC framework rates exploitation as proof-of-concept and automatable, but the issue is not in CISA KEV and no public active exploitation is identified.

Heap Overflow Buffer Overflow
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

Remote code execution in Tasmota firmware (v15.3.0.3 and all earlier releases) stems from an unbounded strcpy() into the fixed 40-byte jpg_task.boundary[40] buffer inside fetch_jpg() in the Scripter driver (xdrv_10_scripter.ino). A network attacker able to reach the device and trigger this code path can overflow the buffer and, per the vendor description, execute arbitrary code on the ESP-based device. Publicly available exploit code exists (a CVE-named GitHub repository), and CISA's SSVC framework rates exploitation as POC with the attack automatable; no active exploitation is confirmed.

RCE Buffer Overflow
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

Remote code execution in Tasmota firmware version 15.3.0.3 and earlier allows remote unauthenticated attackers to trigger a stack-based buffer overflow in the fetch_jpg() function of the xdrv_10_scripter.ino scripting driver. The flaw is exposed over the network with low complexity and no privileges required (CVSS 7.3 AV:N/AC:L/PR:N/UI:N), and a public proof-of-concept repository has been registered, though no public exploit code was identified in the references at time of analysis. EPSS probability is very low (0.05%, 15th percentile) and the issue is not listed in CISA KEV.

Buffer Overflow RCE Stack Overflow
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

NULL pointer dereference in libusb's USB descriptor parser allows any attacker who can supply a crafted configuration descriptor to crash any application that uses libusb for USB device enumeration. Affected versions are all libusb releases before 1.0.30; the flaw resides in parse_interface() within descriptor.c and is reachable through the public APIs libusb_get_active_config_descriptor and libusb_get_config_descriptor. No public exploit code is identified at time of analysis and this CVE does not appear in the CISA KEV catalog, but the availability impact is confirmed high (CVSS 4.0 VA:H) and regression corpus files in the fix commit demonstrate reliable crash reproduction.

Information Disclosure Denial Of Service Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds stack read in the Linux kernel's IMA (Integrity Measurement Architecture) subsystem, in ima_appraise_measurement() reached via is_bprm_creds_for_exec(), affecting kernels from the 6.14 series up to the fixed stable commits. A misuse of container_of() on a *file pointer computes an invalid stack offset, letting a local execution path read one byte past a stack frame object (flagged by KASAN), which can disclose adjacent stack data or crash the task. EPSS is very low (0.02%, 5th percentile), the CVE is not on CISA KEV, and there is no public exploit identified at time of analysis; the issue is patched upstream.

Linux Buffer Overflow Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The drm/display/dp_mst subsystem in the Linux kernel crashes with a UBSAN shift-out-of-bounds error when a DP 2.1 monitor disconnects while delayed_destroy_work is still in flight, producing a kernel denial-of-service on affected systems. Systems running unpatched kernel versions across the 6.1.x, 6.6.x, 6.12.x, 6.18.x, and 6.19.x stable branches with DisplayPort Multi-Stream Transport (MST) capable hardware are vulnerable. No public exploit or active exploitation has been identified; patches are available across all affected stable branches with specific fix commits traceable to git.kernel.org.

Linux Buffer Overflow Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel panic in the Linux kernel's Open vSwitch (openvswitch) subsystem allows a low-privileged local user to crash the host kernel on Ubuntu-default and similar configurations. The vport netlink reply handler pre-allocates a fixed-size buffer but lacks an upper-bound check on the upcall PID array size, causing nla_put() to return -EMSGSIZE and BUG_ON(err < 0) to fire in ovs_vport_cmd_set(), triggering a kernel panic. On systems with unprivileged user namespaces enabled (Ubuntu default), any local user can reach this path via unshare -Urn without requiring elevated privileges. No public exploit has been identified at time of analysis, and EPSS at 0.02% reflects low current exploitation probability.

Linux Ubuntu Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local denial of service in the Linux kernel's BPF CO-RE relocation parser allows a process holding CAP_BPF to deterministically crash the system by loading a BPF program with a negative CO-RE accessor index. The flaw stems from bpf_core_parse_spec() in the libbpf relocation core accepting negative values from sscanf("%d") that bypass upper-bound checks due to integer promotion, ultimately driving an out-of-bounds read past the BTF members array. EPSS is negligible (0.01%) and there is no public exploit identified at time of analysis; a kernel oops backtrace is published in the changelog but it serves as a crash reproducer rather than a weaponized exploit.

Linux Buffer Overflow Red Hat +1
NVD VulDB
Prev Page 17 of 402 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy