Debian

A race condition exists in the Linux kernel's eBPF CPU map implementation on PREEMPT_RT systems, where concurrent access to per-CPU packet queues can cause memory corruption and kernel crashes. This vulnerability affects Linux kernel versions across multiple branches and can be triggered by tasks running on the same CPU, potentially allowing local denial of service or information disclosure. A proof-of-concept has been made available via syzkaller, and patches have been released through the official Linux kernel stable repositories.

A null pointer dereference vulnerability exists in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) that can cause a kernel crash when userspace attempts to destroy a hardware context that has been automatically suspended. The vulnerability affects all Linux kernel versions with the vulnerable amdxdna driver code path; an unprivileged local user with access to the driver's ioctl interface can trigger a denial of service by issuing a destroy context command on a suspended context, causing the kernel to crash when accessing a NULL mailbox channel pointer. No CVSS score, EPSS data, or KEV status is currently available, but the vulnerability is classified as a denial of service with straightforward triggering conditions.

A memory leak vulnerability exists in the Linux kernel's NFC NCI subsystem where the nci_transceive() function fails to free socket buffer (skb) objects on three early error paths (-EPROTO, -EINVAL, -EBUSY), causing kernel memory exhaustion over time. The vulnerability affects all Linux kernel versions with the vulnerable code in the NFC NCI driver, impacting any system with NFC capabilities that processes malformed or resource-constrained NCI transactions. While not directly exploitable for code execution, attackers can trigger memory exhaustion leading to denial of service by sending specially crafted NFC messages that trigger the error paths, and the vulnerability has been confirmed in kernel self-tests via kmemleak detection.

This vulnerability allows userspace applications to trivially trigger kernel warning backtraces in the AMD GPU (amdgpu) driver's user queue (userq) implementation by passing intentionally small num_fences values or exploiting legitimate growth between successive ioctl calls. While not a traditional security vulnerability enabling code execution or data theft, it constitutes an information disclosure issue through kernel log pollution and denial-of-service potential via warning spam. The Linux kernel across all versions utilizing the affected amdgpu userq code path is impacted, though the actual attack surface is limited to systems with AMD GPUs and unprivileged users with access to the amdgpu device interface.

A memory leak vulnerability exists in the Linux kernel's pinctrl subsystem within the pinconf_generic_parse_dt_config() function. When the parse_dt_cfg() function fails, the code returns directly without executing cleanup logic, causing the cfg buffer to be leaked. This affects all Linux kernel versions containing the vulnerable pinctrl-generic code, and while the vulnerability itself does not enable direct code execution, it can lead to denial of service through memory exhaustion over time as the kernel gradually loses available memory.

A kernel stack memory leak exists in the Linux kernel's RDMA/irdma driver within the irdma_create_user_ah() function, where 4 bytes of uninitialized kernel stack memory are leaked to user space through the rsvd (reserved) field of the irdma_create_ah_resp structure. This information disclosure vulnerability affects all Linux kernel versions with the vulnerable irdma driver code, allowing any unprivileged user with access to RDMA operations to read sensitive kernel stack data. While no CVSS score or EPSS metric is currently available, the vulnerability is classified as Information Disclosure and has been patched across multiple stable kernel branches, indicating upstream recognition and remediation.

A buffer handling vulnerability exists in the Linux kernel's CAN USB f81604 driver where improperly sized interrupt URB (USB Request Block) messages are not validated before processing, potentially leading to information disclosure or memory corruption. All Linux kernel versions with the affected CAN f81604 USB driver are impacted. An attacker with physical access to a malicious USB device or local system access could trigger abnormal URB message handling to leak kernel memory or cause denial of service. This vulnerability is not currently listed as actively exploited in known vulnerability databases, and no public proof-of-concept has been widely circulated, though patches are available across multiple kernel stable branches.

A validation bypass vulnerability exists in the Linux kernel's netfilter nft_set_rbtree module that fails to properly validate overlapping open intervals in packet filtering rule sets. This affects all Linux distributions running vulnerable kernel versions, allowing local or remote attackers with network configuration privileges to bypass firewall rules through malformed interval specifications. The vulnerability is classified as an information disclosure issue and has been patched upstream, though no active exploitation in the wild has been documented.

A NULL pointer dereference vulnerability exists in the Linux kernel's intel_pstate CPU frequency scaling driver that crashes the system when turbo boost is disabled on systems with CPU count limitations. This affects Linux kernel versions across multiple releases where the system is booted with 'nosmt' or 'maxcpus' kernel parameters and a user or administrator attempts to disable turbo via sysfs. An unprivileged local attacker with write access to /sys/devices/system/cpu/intel_pstate/no_turbo can trigger a kernel panic, resulting in denial of service. The vulnerability has been patched and fixes are available across multiple stable kernel branches.

A resource management vulnerability in the Linux kernel UDP implementation causes improper handling of socket state during disconnect operations. When a UDP socket is bound to a wildcard address, connected to a remote peer, and then disconnected, the kernel fails to properly remove the socket from the 4-tuple hash table, leaving stale entries that can lead to information disclosure or denial of service conditions. All Linux kernel versions using the affected UDP code path are impacted, with patches available through the Linux kernel stable tree.

A memory leak vulnerability exists in the Linux kernel's NFC (Near Field Communication) NCI subsystem where pending data exchange operations are not properly completed when a device is closed, causing socket references to be held indefinitely. This affects all Linux kernel versions with the vulnerable NFC NCI code path. An attacker with local access to NFC functionality could trigger repeated device close operations to exhaust memory resources, leading to denial of service. While no CVSS score or EPSS data is currently available, the issue is being actively addressed through kernel patches as evidenced by multiple commit references.

A null pointer dereference vulnerability exists in the Linux kernel's libie firmware logging module where the libie_fwlog_deinit() function attempts to unroll firmware logging structures even when logging was never properly initialized, causing kernel panics during driver unload. This affects the ixgbe driver and potentially other devices using the libie_fwlog module across multiple Linux kernel versions. An unprivileged local attacker with module unload capabilities can trigger a denial of service by unloading the affected driver, as demonstrated through rmmod operations in recovery mode.

A NULL pointer dereference vulnerability exists in the Linux kernel's AMD XDena accelerator driver (accel/amdxdna) where the mgmt_chann variable may be set to NULL if firmware returns an unexpected error during management message transmission, subsequently causing a kernel crash when aie2_hw_stop() attempts to access it. This affects Linux kernel versions across the amdxdna subsystem and can be exploited by local attackers with physical access or through malicious firmware to trigger a denial of service condition. Two stable kernel patches are available that introduce proper NULL checks and a dedicated helper function to safely destroy mgmt_chann.

A buffer over-read vulnerability exists in the Linux kernel's CXL mailbox command handler where the cxl_payload_from_user_allowed() function casts and dereferences user-supplied payload data without first validating its size. An unprivileged local attacker can send a raw mailbox command with an undersized payload (e.g., 1 byte instead of the expected 16 bytes for CXL_MBOX_OP_CLEAR_LOG) to trigger a kernel memory read past the allocated buffer, causing a KASAN splat and potential denial of service. While not yet listed in the KEV catalog or with public EPSS/CVSS scoring, patch commits are available in the Linux stable kernel repositories, indicating the vulnerability has been resolved upstream.

This vulnerability is a memory leak in the Linux kernel's AF_XDP socket implementation where buffers fail to be properly returned to the free list due to improper list node reinitialization. The vulnerability affects all Linux kernel versions with the AF_XDP subsystem enabled, potentially allowing local attackers or unprivileged users to exhaust kernel memory over time. While not actively exploited in the wild according to available intelligence, the vulnerability has clear patches available in stable kernel branches and represents a real denial-of-service risk for systems relying on XDP functionality.

An out-of-bounds (OOB) memory access vulnerability exists in the Linux kernel's MediaTek MT7996 WiFi driver (mt76) within the mt7996_mac_write_txwi_80211() function. The vulnerability occurs when the function accesses management frame fields without first validating the frame length, potentially allowing information disclosure or denial of service on systems using affected MT7996 hardware. Multiple stable kernel patches are available across several kernel versions, indicating the issue has been actively remediated in the upstream Linux project.

A resource leak vulnerability exists in the Linux kernel's ETAS ES58X USB CAN driver where URBs (USB Request Blocks) submitted in the read bulk callback are not properly anchored before submission, potentially causing memory leaks when usb_kill_anchored_urbs() is invoked. This affects all Linux kernel versions running the etas_es58x driver. An attacker with local access to trigger device disconnection or system shutdown could cause kernel memory exhaustion through repeated URB leaks, leading to denial of service or information disclosure of kernel memory contents.

The Apple Silicon SMC hwmon driver (macsmc-hwmon) in the Linux kernel contains critical memory safety bugs in sensor population and float conversion logic. Specifically, voltage sensors are incorrectly registered to the temperature sensor array, and float-to-32-bit conversion has flawed exponent handling, potentially leading to out-of-bounds memory access, data corruption, or incorrect fan control on affected Apple Silicon systems. The vulnerability affects Linux kernel versions with the macsmc-hwmon driver and has been patched; no active exploitation or POC is currently known, but the nature of the bugs suggests high real-world risk for systems relying on thermal management.

A use-after-free and list corruption vulnerability exists in the Linux kernel's IPMI (Intelligent Platform Management Interface) subsystem when the SMI sender returns an error. The vulnerability affects all Linux kernel versions with the vulnerable IPMI code path, allowing local attackers or processes with IPMI access to trigger denial of service conditions through list corruption and NULL pointer dereferences. The vulnerability is not currently listed in CISA's KEV catalog, and no CVSS or EPSS scores have been published; however, the technical nature indicates high reliability for exploitation by local actors with kernel interface access.

A logic error in the Linux kernel's MPTCP (MultiPath TCP) path management subsystem fails to properly track endpoint usage state when an endpoint is configured with both 'signal' and 'subflow' flags and subsequently removed. This causes a kernel warning and potential state inconsistency in the MPTCP connection management code. The vulnerability affects Linux kernel versions and is triggered through netlink socket manipulation by unprivileged users, potentially leading to denial of service or unexpected kernel behavior.

A lifecycle management vulnerability in the Linux kernel's USB NCM (Network Control Model) gadget function causes the network device to outlive its parent gadget device, resulting in NULL pointer dereferences and dangling sysfs symlinks when the USB gadget is disconnected. This affects all Linux kernel versions with the vulnerable USB gadget NCM implementation, and an attacker with local access to trigger USB gadget bind/unbind cycles can cause a kernel panic (denial of service). No CVSS vector, EPSS score, or active KEV status is available, but patches are confirmed available in the Linux stable tree.

A use-after-free (UAF) vulnerability exists in the Linux kernel's BPF subsystem within the bpf_trampoline_link_cgroup_shim function, where a race condition allows a process to reference memory after it has been freed. An attacker with CAP_BPF or CAP_PERFMON capabilities can trigger this vulnerability to cause a kernel crash (denial of service). A proof-of-concept has been demonstrated by the reporter, showing the bug can be reliably reproduced; the vulnerability is not listed on the CISA KEV catalog but affects all Linux kernel versions until patched.

A descriptor validation bypass in the Linux kernel's ALSA USB audio subsystem allows malicious USB devices to provide truncated UAC3 (USB Audio Class 3) header descriptors that escape validation checks, potentially causing out-of-bounds memory reads. The vulnerability stems from an incorrect protocol version constant (UAC_VERSION_2 instead of UAC_VERSION_3) in the validator table, causing validation logic to never execute for actual UAC3 devices. Affected are all Linux kernel versions containing the vulnerable code path; while CVSS and EPSS scores are not provided, this is a local privilege escalation / denial of service vector requiring physical USB device access or local code execution capability to exploit.

A memory alignment fault vulnerability exists in the Linux kernel's IPv4 multipath routing hash seed implementation that causes kernel panics on ARM64 systems when compiled with Clang and Link Time Optimization (LTO) enabled. The vulnerability affects all Linux kernel versions with the vulnerable code path in net/ipv4/route.c, specifically impacting ARM64 architectures where strict alignment requirements for Load-Acquire instructions are enforced. An attacker with local access or ability to trigger multipath hash operations could cause a denial of service by crashing the kernel, though no active exploitation has been reported in the wild.

An out-of-bounds (OOB) memory access vulnerability exists in the Linux kernel's mt76 WiFi driver, specifically in the mt76_connac2_mac_write_txwi_80211() function which fails to validate frame length before accessing management frame fields. This affects all Linux kernel versions containing the vulnerable mt76 driver code and could allow an attacker to read sensitive kernel memory or trigger a denial of service through a specially crafted WiFi management frame. The vulnerability has been patched across multiple stable kernel branches with fixes available since the issue was identified.

A device node reference leak exists in the Linux kernel's bq257xx regulator driver within the bq257xx_reg_dt_parse_gpio() function. When the function fails to retrieve a subchild device node, it returns prematurely without properly releasing the reference via of_node_put(child), causing a memory leak. This affects all Linux kernel versions containing this vulnerable code path in the bq257xx regulator driver, and while not directly exploitable for code execution, the memory leak can be triggered repeatedly to degrade system stability and availability.

A preempt count leak exists in the Linux kernel's i40e network driver within the napi poll tracepoint implementation, where get_cpu() is called without a corresponding put_cpu() to restore the preempt count. This affects all Linux kernel versions containing the vulnerable i40e driver code and can cause kernel accounting errors and potential system instability when the tracepoint is enabled. The vulnerability has no known active exploitation or public proof-of-concept code, and while not formally scored with CVSS, it represents a moderate kernel reliability issue that has persisted undetected for over three years.

The Linux kernel's kaweth USB driver fails to validate that probed USB devices have the expected number and types of endpoints before binding to them, allowing a malicious or malformed USB device to cause a kernel crash when the driver blindly accesses non-existent endpoints. This denial-of-service vulnerability affects Linux kernel versions across multiple stable branches and can be triggered by any user with the ability to connect a crafted USB device to a system running the vulnerable kernel. While CVSS and EPSS scores are not available, the vulnerability represents a straightforward crash vector with no reported active exploitation but patches are available across multiple kernel versions.

A lockdep-detected invalid wait context vulnerability exists in the Linux kernel's performance event scheduling subsystem, specifically in the ctx_sched_in() function when handling pinned events. The vulnerability affects all Linux kernel versions (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) and arises when the kernel attempts to acquire a wait-queue lock while already holding a perf-context lock, violating lock ordering rules and potentially causing system hangs or crashes. This is a kernel-level synchronization bug that can be triggered by unprivileged users with access to perf event tracing capabilities, though active exploitation in the wild has not been documented.

A logic error in the Linux kernel's bonding driver allows an unprivileged user to change the xmit_hash_policy parameter to an incompatible value (vlan+srcmac) while an XDP program is loaded, creating an inconsistent state where the kernel cannot safely unload the XDP program during device shutdown. This triggers a kernel warning and potential instability when the bond interface is destroyed. The vulnerability affects Linux kernel versions across multiple stable branches and requires local access to trigger.

A NULL pointer dereference vulnerability exists in the Linux kernel's event tracing subsystem, specifically in the trigger_data_free() function which fails to validate NULL pointers before dereferencing the data->cmd_ops field. This affects all Linux kernel versions where the vulnerable tracing code is present, and can be exploited by local attackers with appropriate privileges to cause a denial of service through kernel panic. The vulnerability was discovered through automated code review rather than active exploitation in the wild, and patches have been committed to stable kernel branches.

A warning trace vulnerability exists in the Linux kernel's pinctrl equilibrium driver where the eqbr_irq_mask_ack() callback function incorrectly calls both eqbr_irq_mask() and eqbr_irq_ack(), causing gpiochip_disable_irq() to be invoked twice and generating spurious kernel warnings on every GPIO during driver load. All Linux kernel versions with the affected equilibrium pinctrl driver are impacted, though this is primarily a kernel stability and logging issue rather than a security vulnerability. The issue has been resolved in multiple stable kernel branches as evidenced by the five stable commit hashes referenced, indicating patches are available.

A buffer overflow vulnerability exists in the Linux kernel's EMS USB CAN driver (ems_usb) in the ems_usb_read_bulk_callback() function, where the driver fails to properly validate USB message lengths before parsing and copying data. An attacker with the ability to supply a malicious USB device or intercept USB communications could trigger a buffer overflow by providing specially crafted messages that exceed the expected message boundaries, potentially leading to kernel memory corruption, denial of service, or privilege escalation. No CVSS score, EPSS risk rating, or active exploitation data (KEV status) is currently available, though multiple stable kernel branches have received patches indicating vendor awareness of the issue's severity.

A memory safety vulnerability exists in the Linux kernel's accel/rocket driver where the error path in rocket_probe() fails to properly unwind resource allocations when rocket_core_init() fails, particularly during EPROBE_DEFER scenarios. This affects all Linux kernel versions containing the vulnerable accel/rocket driver code. An attacker with local access could trigger a probe failure condition to cause out-of-bounds memory accesses, potentially leading to denial of service or privilege escalation.

A NULL pointer dereference vulnerability exists in the Linux kernel's IPv6 routing code within the ip6_rt_get_dev_rcu() function, triggered when a slave device is being un-slaved from a Virtual Routing and Forwarding (VRF) context. The vulnerability affects all Linux kernel versions with the affected code path and can be exploited to cause a kernel panic and denial of service. This issue was introduced by commit 4832c30d5458 which removed the fallback to loopback device handling, and multiple stable kernel branches have received patches to restore the NULL pointer check and fallback logic.

The Linux kernel CIFS client contains an information disclosure vulnerability where debug logging in the cifs_set_cifscreds() function exposes plaintext usernames and passwords in kernel logs when debug logging is enabled. This affects all versions of the Linux kernel with CIFS client support, allowing any local user or administrator with access to kernel logs to recover plaintext SMB credentials. While no CVSS score, EPSS data, or KEV status is publicly available, the severity is elevated due to the direct exposure of authentication credentials in commonly-accessible debug logs.

This vulnerability is a data-race condition in the Linux kernel where socket callback pointers (sk->sk_data_ready and sk->sk_write_space) are being modified concurrently by skmsg and other kernel layers without proper synchronization, potentially leading to information disclosure. All Linux kernel versions are affected across all architectures and distributions (CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), with the issue impacting UDP, TCP, and AF_UNIX socket implementations. An attacker with local access could potentially exploit this race condition to read sensitive data or cause memory corruption by triggering concurrent modifications to these critical function pointers.

The Linux kernel contains a memory allocation failure vulnerability in the ASoC SDCA (Serial Data Center Audio) subsystem where the find_sdca_entity_iot() function allocates memory for an Entity name but fails to validate whether the allocation succeeded. An attacker with local access could trigger memory allocation failure conditions to cause an information disclosure or denial of service, depending on how the unvalidated null pointer is subsequently used. No CVSS score, EPSS data, or KEV status is currently available for this vulnerability.

A kernel panic vulnerability exists in Linux IPv6 nexthop handling where standalone IPv6 nexthop objects created with loopback devices are misclassified as reject routes, causing the nhc_pcpu_rth_output field to remain unallocated. When an IPv4 route subsequently references this nexthop, a NULL pointer dereference in __mkroute_output() triggers a kernel panic, resulting in denial of service. All Linux kernel versions with IPv6 nexthop support are affected, and the vulnerability is remotely triggerable by unprivileged users with network configuration capabilities.

This vulnerability is a memory leak in the Linux kernel's Bluetooth subsystem where Socket Buffers (SKBs) queued into the sk_error_queue for TX timestamping are not properly purged during socket destruction, allowing sensitive timestamp data to persist in kernel memory. The vulnerability affects all Linux kernel versions that support Bluetooth with SO_TIMESTAMPING enabled (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*). An attacker with local access could potentially read leaked kernel memory contents including timestamp information that should have been cleaned up, or trigger the leak by unexpectedly removing the Bluetooth controller while timestamped packets remain queued.

A denial-of-service vulnerability exists in the Linux kernel's ucan (CAN-over-USB) driver where malformed USB messages with a zero-length field cause an infinite loop in the ucan_read_bulk_callback() function, hanging the entire system. An attacker with physical access to a USB port can connect a malicious or compromised CAN device to trigger this condition, rendering the affected system unresponsive. While no CVSS or EPSS scores are available, the vulnerability is confirmed as patched across multiple stable kernel branches with six commits addressing the issue.

A credential reference leak exists in the Linux kernel's nfsd (NFS daemon) subsystem, specifically in the nfsd_nl_threads_set_doit() function which handles netlink-based thread configuration. The vulnerability affects all Linux kernel versions containing the vulnerable nfsd code path, allowing local users with netlink access to trigger memory leaks of credential structures through repeated invocations of the affected function. While not directly exploitable for privilege escalation or data theft, the memory leak can lead to denial of service through resource exhaustion and enables information disclosure via leaked kernel memory structures.

A reference count leak in the Linux kernel's SCSI core subsystem causes the tagset_refcnt reference counter to fail to decrement properly, resulting in resource exhaustion and system hangs during SCSI host teardown. This affects all Linux kernel versions with the vulnerable code path, particularly impacting iSCSI configurations where the leak manifests as indefinite blocking in scsi_remove_host() calls. While not actively exploited in the wild (no KEV status), this is a denial-of-service vulnerability that can be triggered by any user with the ability to manage SCSI sessions or trigger host removal operations.

A deadlock vulnerability exists in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) that occurs when an application issues a query IOCTL while the device is undergoing auto-suspend. The vulnerability affects all Linux distributions shipping the vulnerable kernel code. An attacker with local access to the system can trigger this deadlock by issuing query IOCTLs concurrently with power management events, causing a complete hang of the AMD XDNA accelerator subsystem and denial of service to legitimate applications. This vulnerability is not listed in the CISA KEV catalog and no public exploit code has been identified, but the fix has been integrated into the stable Linux kernel.

A NULL pointer dereference vulnerability exists in the Linux kernel's VXLAN implementation when IPv6 is disabled via the 'ipv6.disable=1' boot parameter. When an IPv6 packet is injected into a VXLAN interface, the route_shortcircuit() function attempts to call neigh_lookup() on an uninitialized nd_tbl (neighbor discovery table), causing a kernel panic and denial of service. This affects all Linux distributions shipping vulnerable kernel versions, and while no CVSS score or EPSS data is provided, the presence of six stable kernel commits and reproducible crash conditions indicates high practical impact.

A recursive locking vulnerability exists in the Linux kernel's target core configfs implementation where the target_core_item_dbroot_store() function attempts to open a file using filp_open() while already holding a semaphore (frag_sem) acquired in flush_write_buffer(), creating a deadlock condition when the same configfs file is accessed. This affects all Linux kernel versions with the vulnerable target subsystem code, and while no CVSS score or EPSS data is publicly available, the vulnerability has been resolved across multiple stable kernel branches with patch commits available in the kernel git repository, suggesting active acknowledgment of the issue as a legitimate kernel bug requiring remediation.

This vulnerability involves improper resource cleanup in the Linux kernel's NFC PN533 USB driver, where a reference count on the USB interface is not properly released when a device is disconnected. Affected systems include all Linux kernel versions with the vulnerable PN533 driver code, impacting any system using NFC devices based on the PN533 chipset. While this is a resource management issue rather than a direct memory corruption vulnerability, it can lead to information disclosure or denial of service through USB interface resource exhaustion over repeated device attach/detach cycles. The vulnerability has been resolved in the Linux kernel with multiple backported patches available across stable branches.

The pegasus USB network driver in the Linux kernel fails to validate that connected USB devices have the proper number and types of endpoints before binding to them, allowing a malicious USB device to trigger a kernel crash through null pointer dereference or out-of-bounds memory access. This denial-of-service vulnerability affects Linux kernel versions across multiple stable branches, as evidenced by patches applied to at least six different kernel maintenance branches. An attacker with physical access to a target system or the ability to inject a crafted USB device into the network could crash the kernel without authentication or elevated privileges, though no public exploit code or active exploitation in the wild has been reported.

This vulnerability is a resource leak in the Linux kernel's InfiniBand mthca driver within the mthca_create_srq() function, where the mthca_unmap_user_db() cleanup call is missing on the error path. A user with local access can trigger this leak by causing the mthca_create_srq() system call to fail, resulting in persistent kernel memory not being freed, which could lead to denial of service through memory exhaustion. While no CVSS score, EPSS value, or KEV status is documented, the issue affects all Linux kernel versions using the mthca driver and has been patched across multiple stable kernel branches as evidenced by six linked commit fixes.

A race condition in the SiFive PLIC (Platform Level Interrupt Controller) interrupt handling code can cause interrupts to become frozen when interrupt affinity is modified while an interrupt is being processed. The vulnerability affects Linux kernel implementations using the SiFive PLIC irqchip driver, potentially causing system hangs or device unresponsiveness on RISC-V systems. While not actively exploited in the wild, the issue is easily reproducible through concurrent affinity changes and high interrupt load, making it a practical denial-of-service concern for affected systems.

A null pointer dereference vulnerability exists in the Linux kernel's ATM LANE module (lec_arp_clear_vccs function) where multiple ARP entries can share the same virtual circuit connection (VCC). When a VCC is closed, the kernel iterates through ARP entries and clears associated VCC pointers; if multiple entries share the same VCC, the first iteration frees the vpriv structure and sets it to NULL, causing subsequent iterations to crash when attempting to dereference the now-NULL pointer. A local attacker can trigger this denial of service condition through crafted ATM socket operations, as demonstrated by existing syzkaller reproducers.

A null-pointer dereference vulnerability exists in the Linux kernel's DRBD (Distributed Replicated Block Device) subsystem when handling local read errors. When a READ_COMPLETED_WITH_ERROR event occurs in drbd_request_endio(), a NULL peer_device pointer is passed to the __req_mod() function, which then unconditionally dereferences it in drbd_set_out_of_sync(), causing a kernel panic or system crash. This affects all Linux kernel versions with the vulnerable DRBD code, and while not actively exploited in the wild, it can be triggered by a local user or administrator through normal disk I/O error conditions, resulting in denial of service.

This vulnerability exists in the Linux kernel's MediaTek Ethernet driver (mtk_eth_soc) where an eBPF program pointer is not properly reset to its previous state if the mtk_xdp_setup() function encounters an error during the mtk_open routine. This resource management flaw can lead to incorrect reference counting of eBPF programs, potentially causing use-after-free or memory leak conditions. All Linux kernel versions with the affected MediaTek Ethernet driver (cpe:2.3:a:linux:linux) are impacted, and the vulnerability has been patched across multiple stable kernel branches as evidenced by six commit references spanning different kernel versions.

A PM runtime reference leak exists in the Linux kernel's fp9931 regulator driver hwmon interface, where the pm_runtime_put_autosuspend() function fails to be called when regmap_read() encounters an error, causing the power management reference count to become unbalanced. This affects all Linux kernel versions with the vulnerable fp9931 driver code. While not directly exploitable for code execution, the reference leak can lead to device power management failures, potential denial of service through resource exhaustion, or unexpected device behavior in systems using the FP9931 regulator hardware.

An uninitialized variable vulnerability exists in the Linux kernel's SMB2 client implementation within the smb2_unlink() function, where failure of SMB2_open_init() or SMB2_close_init() operations (such as during reconnection) leaves iovs structures uninitialized. If subsequent cleanup functions like SMB2_open_free(), SMB2_close_free(), or smb2_set_related() attempt to operate on these uninitialized structures, the kernel will oops (crash), resulting in a denial of service condition affecting all Linux distributions and versions using affected kernel code.

A use-after-free vulnerability exists in the Linux kernel's Libertas wireless driver (libertas) in the lbs_free_adapter() function, where timer_delete() is incorrectly used instead of timer_delete_sync() for command_timer and tx_lockup_timer cleanup. If a timer callback is executing when the adapter is freed, the callback will access already-freed memory structures, potentially leading to information disclosure, denial of service, or privilege escalation. This vulnerability affects all Linux kernel versions that include the Libertas driver and has been resolved through multiple commits across stable kernel branches, indicating patches are available but not yet universally deployed.

A NULL pointer dereference vulnerability exists in the Linux kernel's mac80211 mesh networking subsystem (CVE-2026-23279), specifically in the mesh_rx_csa_frame() function which fails to validate the presence of the Mesh Channel Switch Parameters IE before dereferencing it. A remote attacker with an established mesh peer link can trigger a kernel panic by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame that includes matching Mesh ID and configuration elements but omits the required Channel Switch Parameters IE. This vulnerability affects all Linux kernel versions since v3.13 (January 2014) and requires no special authentication beyond the default open mesh peering, making it a trivial denial-of-service vector against systems with mesh networking enabled.

Denial of service in Kea DHCP daemons (versions 2.6.0-2.6.4 and 3.0.0-3.0.2) allows unauthenticated remote attackers to crash affected services by sending maliciously crafted messages to API sockets or HA listeners, triggering a stack overflow. Vulnerable Kea installations across Ubuntu, Red Hat, SUSE, and Debian are susceptible to service interruption attacks with no authentication required. A patch is available for affected distributions.

A signed integer overflow vulnerability exists in the libtiff library's putcontig8bitYCbCr44tile function that leads to out-of-bounds heap writes through incorrect memory pointer calculations. Red Hat Enterprise Linux versions 6, 7, 8, 9, and 10 are confirmed affected. An attacker can exploit this by tricking a user into opening a specially crafted TIFF file, potentially achieving arbitrary code execution or causing application crashes.

Firefox versions prior to 149 contain a privilege escalation vulnerability in the IPC component that allows remote attackers to escalate privileges through user interaction on affected systems. An attacker can exploit this flaw to gain elevated system access and potentially execute arbitrary code with higher privileges. No patch is currently available for this high-severity vulnerability affecting Mozilla and Debian users.

Mozilla Firefox's WebRender graphics component contains a race condition and use-after-free vulnerability that enables remote code execution when a user visits a malicious webpage. The flaw affects Firefox versions prior to 149, Firefox ESR versions before 115.34 and 140.9, and requires user interaction to trigger. No patch is currently available for this high-severity issue.

A NULL pointer dereference vulnerability exists in tmate versions prior to 2.4.0, allowing unauthenticated remote attackers to cause a denial of service condition by crashing the application. The vulnerability has a CVSS score of 5.3 (medium severity) with low attack complexity and no privilege requirements, making it readily exploitable over the network. A patch is available from the vendor, and this issue does not compromise confidentiality or integrity-only availability.

Out-of-bounds read in woof before version 15.3.0 allows remote attackers to trigger information disclosure and denial of service without authentication or user interaction. This critical vulnerability affects Debian systems and can be exploited over the network to leak sensitive data or crash the application. A patch is available and should be applied immediately.

An information disclosure vulnerability exists in albfan miraclecast before version 1.0 that allows unauthenticated attackers on an adjacent network to access sensitive information. The vulnerability affects miraclecast across all versions prior to v1.0 via an unspecified mechanism (CWE-noinfo). While the CVSS score is 6.5 (medium-high), the attack vector is adjacent network (AV:A) rather than network-wide, and no active exploitation in the wild or known public proof-of-concept has been reported at this time.

Remote code execution in Google Chrome's Federated Credential Management (FedCM) prior to version 146.0.7680.165 enables unauthenticated attackers to execute arbitrary code within the browser sandbox through a malicious HTML page. This use-after-free vulnerability in memory management affects Chrome on all supported platforms and requires only user interaction to trigger. A patch is available in Chrome 146.0.7680.165 and later.

Out-of-bounds memory write in Google Chrome's font handling prior to version 146.0.7680.165 enables remote code execution when users visit malicious HTML pages. An unauthenticated attacker can exploit an integer overflow vulnerability to achieve complete system compromise with high integrity and confidentiality impact. Patches are available for Chrome and affected Debian systems.

Sandboxed code execution in Google Chrome's WebGPU implementation (prior to 146.0.7680.165) stems from a use-after-free memory vulnerability that can be triggered via malicious HTML pages. An unauthenticated remote attacker can exploit this to execute arbitrary code within the Chrome sandbox without user interaction beyond viewing a crafted webpage. A patch is available for affected users.

This vulnerability is an out-of-bounds memory read flaw in the WebAudio API implementation within Google Chrome prior to version 146.0.7680.165. A remote attacker can craft a malicious HTML page to trigger the vulnerability and read sensitive memory contents, leading to information disclosure. Although no CVSS score or EPSS data is provided, the Chromium security severity is rated as High, and the vulnerability affects all users of vulnerable Chrome versions until patching.

Sandbox escape in Google Chrome prior to version 146.0.7680.165 via a use-after-free vulnerability in the Dawn graphics component enables remote attackers to execute arbitrary code when users visit malicious HTML pages. The vulnerability affects multiple platforms including Debian systems and requires only user interaction to trigger, bypassing Chrome's sandbox isolation. A patch is available to remediate this high-severity memory corruption flaw.

Google Chrome's WebGL implementation contains a heap buffer overflow that enables remote attackers to read arbitrary memory by serving a specially crafted HTML page to users prior to version 146.0.7680.165. This network-based vulnerability requires only user interaction and affects Chrome on all platforms, granting attackers access to sensitive data in the browser's memory. A patch is available and should be applied immediately given the high severity and potential for exploitation.

Out of bounds memory read in Google Chrome's CSS parser prior to version 146.0.7680.165 allows remote attackers to access sensitive memory contents through a malicious HTML page. The vulnerability requires user interaction and affects Chrome on multiple platforms including Debian systems, enabling attackers to potentially leak confidential data with high impact on confidentiality and integrity.

Unauthenticated remote attackers can exploit a heap buffer overflow in Google Chrome's WebAudio component (versions prior to 146.0.7680.165) by hosting malicious HTML pages that trigger out-of-bounds memory writes. This vulnerability enables arbitrary code execution with full system compromise potential. A patch is available from Google and Debian.

Freeciv21, an open-source turn-based strategy game, contains a stack overflow vulnerability that allows remote attackers to crash servers or client applications through specially-crafted network packets. All versions prior to 3.1.1 are affected, with exploitation requiring no authentication and leaving no useful logs by default. While there is no evidence of active exploitation (not in CISA KEV) or public proof-of-concept code, Debian has issued security advisory DSA-6173-1 indicating distribution-level concern.

Remote code execution in llama.cpp prior to commit b7824 is possible through a crafted GGUF file that exploits an integer overflow in the `ggml_nbytes` function, causing heap buffer overflow during tensor processing. An attacker can bypass memory validation by specifying tensor dimensions that cause the size calculation to underflow dramatically, allowing memory corruption and potential code execution. The vulnerability affects Debian and other systems running vulnerable versions of llama.cpp, with no patch currently available.

FreeIPMI versions before 1.16.17 contain exploitable buffer overflow vulnerabilities in the ipmi-oem command's response message handling for three vendor-specific subcommands: Dell's get-last-post-code, Supermicro's extra-firmware-info, and Wistron's read-proprietary-string. An attacker who can intercept or control IPMI server responses could trigger these buffer overflows to achieve arbitrary code execution on systems running vulnerable versions of FreeIPMI. No CVSS score, EPSS data, or public exploitation confirmation is currently available, but the vulnerabilities are documented in Savannah bug reports with clear technical details.

The antchfx/xpath component in Debian is vulnerable to denial of service when processing specially crafted Boolean XPath expressions, which trigger an infinite loop in the logicalQuery.Select function consuming 100% CPU resources. Unauthenticated remote attackers can exploit this over the network without user interaction to disable affected systems. No patch is currently available.

A NULL pointer dereference vulnerability exists in the Linux kernel's TEQL (Trivial Ethernet Queue Limiting) network scheduler when transmitting through tunnel slave devices, particularly gretap tunnels. The vulnerability occurs because teql_master_xmit() fails to update skb->dev to the slave device before transmission, causing tunnel xmit functions to reference unallocated per-CPU statistics on the TEQL master device. This allows a local or networked attacker to trigger a kernel page fault and crash the system, resulting in a denial of service. No CVSS score, EPSS risk score, or KEV active exploitation status is currently published, but patch commits are available in Linux kernel stable branches (6.18.19, 6.19.9, and 7.0-rc4).

A stack overflow vulnerability exists in the Linux kernel's tunnel transmission functions (iptunnel_xmit and ip6tunnel_xmit) due to missing recursion limits when GRE tap interfaces operate as slaves in bonded devices with broadcast mode enabled. This allows local attackers or legitimate multicast/broadcast traffic to trigger infinite recursion between bond_xmit_broadcast() and tunnel transmission functions, causing kernel stack exhaustion and denial of service. The vulnerability affects multiple Linux kernel versions and has been resolved with the addition of IP_TUNNEL_RECURSION_LIMIT (4) to prevent excessive stack consumption during nested tunnel packet encapsulation.

Heap corruption in Google Chrome's ANGLE graphics library prior to version 146.0.7680.153 can be triggered remotely through a malicious HTML page, potentially enabling arbitrary code execution on affected systems. The vulnerability stems from an integer overflow condition that requires only user interaction with a crafted webpage, affecting Chrome users across Windows, macOS, and Linux platforms. A patch is available and security professionals should prioritize updating to the latest Chrome version to mitigate this high-severity risk.

Heap buffer overflow in Google Chrome's WebRTC component (versions prior to 146.0.7680.153) enables remote code execution when users visit a malicious webpage, requiring only user interaction to trigger the vulnerability. An attacker can exploit this heap corruption to execute arbitrary code with the privileges of the affected browser process. A patch is available for Chrome and affected Linux distributions including Ubuntu and Debian.

An out of bounds read vulnerability exists in the Blink rendering engine of Google Chrome prior to version 146.0.7680.153, allowing remote attackers to read memory outside intended buffer boundaries via a specially crafted HTML page. This vulnerability (CWE-125) has been classified as High severity by the Chromium security team and enables information disclosure attacks without requiring user interaction beyond visiting a malicious webpage. A vendor patch is available, and the vulnerability affects 9 Debian releases, indicating widespread downstream impact across Linux distributions.

Heap corruption in Google Chrome's V8 engine prior to version 146.0.7680.153 enables remote code execution when users visit malicious websites, affecting Chrome, Ubuntu, and Debian systems. An unauthenticated attacker can craft a specially designed HTML page to trigger memory corruption and achieve complete system compromise without user interaction beyond visiting the page. A patch is available for immediate deployment.

Memory disclosure in Google Chrome's Skia rendering engine prior to version 146.0.7680.153 enables unauthenticated attackers to read out-of-bounds memory contents by tricking users into visiting malicious web pages. Affected users across Chrome, Ubuntu, and Debian distributions face potential information leakage including sensitive data from process memory. A patch is available for immediate deployment.

Heap corruption in Google Chrome's WebAudio component (versions prior to 146.0.7680.153) can be triggered through out-of-bounds memory access when processing malicious HTML pages, enabling remote attackers to achieve arbitrary code execution without user interaction beyond viewing the page. The vulnerability affects Chrome, Ubuntu, and Debian systems, with patches now available across all platforms.

Heap memory corruption in Google Chrome prior to version 146.0.7680.153 can be triggered through malicious browser extensions, affecting Chrome users on Google, Ubuntu, and Debian systems. An attacker must convince a user to install a compromised extension to exploit this use-after-free vulnerability and potentially achieve code execution. A patch is available.

Heap memory corruption in Google Chrome's V8 engine (versions prior to 146.0.7680.153) stems from type confusion vulnerabilities that can be triggered through malicious HTML pages without user privileges. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution or crash the browser. The vulnerability affects Chrome, Ubuntu, and Debian systems, with patches now available.

A use-after-free vulnerability in Google Chrome's Digital Credentials API prior to version 146.0.7680.153 enables attackers with a compromised renderer process to escape the sandbox and potentially achieve code execution through a specially crafted HTML page. The vulnerability affects Chrome on multiple platforms including Ubuntu and Debian systems, requiring user interaction to trigger but presenting high impact across confidentiality, integrity, and availability. A patch is available in Chrome 146.0.7680.153 and later versions.

Heap buffer overflow in PDFium within Google Chrome versions prior to 146.0.7680.153 enables remote attackers to corrupt heap memory and potentially achieve code execution by delivering a malicious PDF file. The vulnerability requires user interaction to open the crafted PDF but no authentication or special privileges. Patches are available for affected Google Chrome, Ubuntu, and Debian systems.

Heap memory corruption in Google Chrome versions prior to 146.0.7680.153 can be triggered through a use-after-free vulnerability in the Network component when a user visits a malicious HTML page. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution with high integrity and confidentiality impact. A patch is available for Chrome, Ubuntu, and Debian users.

Cross-origin data leakage in Google Chrome's Dawn component on macOS versions prior to 146.0.7680.153 results from an integer overflow vulnerability that can be triggered through a malicious HTML page. An unauthenticated attacker can exploit this to access sensitive information from other origins without user interaction beyond viewing the crafted page. Patches are available for Chrome, Ubuntu, and Debian.