Debian

Heap corruption in Google Chrome's ANGLE graphics library on Windows versions prior to 146.0.7680.153 can be triggered through integer overflow when processing maliciously crafted HTML pages. An unauthenticated remote attacker can exploit this vulnerability by deceiving users into visiting a malicious website, potentially achieving arbitrary code execution. A patch is available across affected platforms including Google Chrome, Microsoft Edge, and various Linux distributions.

A renderer process sandbox escape vulnerability exists in Google Chrome prior to version 146.0.7680.153 due to insufficient input validation in the Navigation component. An attacker who has already compromised the renderer process can exploit this via a crafted HTML page to escape the sandbox and gain elevated privileges on the host system. A patch is available from Google, and the vulnerability is tracked in the EUVD database with High severity classification.

Heap corruption in Google Chrome's V8 engine prior to version 146.0.7680.153 can be triggered through out-of-bounds memory writes when a user visits a malicious webpage. An unauthenticated remote attacker can exploit this vulnerability to achieve arbitrary code execution with high integrity and confidentiality impact. A security patch is available for affected users on Chrome, Ubuntu, and Debian systems.

Heap memory corruption in Google Chrome's Blink rendering engine prior to version 146.0.7680.153 can be triggered through a malicious HTML page, potentially enabling remote code execution. An unauthenticated attacker requires only user interaction to exploit this use-after-free vulnerability across network boundaries. A patch is available for affected Chrome, Ubuntu, and Debian users.

Heap buffer overflow in Google Chrome's ANGLE graphics library (versions prior to 146.0.7680.153) enables remote attackers to corrupt heap memory and potentially achieve arbitrary code execution through malicious HTML pages requiring only user interaction. The vulnerability affects Chrome on multiple platforms including Ubuntu and Debian systems. A patch is available and should be applied immediately given the high severity and attack accessibility.

A sandbox escape vulnerability exists in Google Chrome's V8 JavaScript engine prior to version 146.0.7680.153, allowing remote attackers to execute arbitrary code within the Chrome sandbox through a crafted HTML page. This is a High severity issue affecting millions of Chrome users across Windows, macOS, and Linux platforms. The vulnerability is triggered via web-based attack vector (HTML page delivery) and does not require user interaction beyond visiting a malicious website.

Heap corruption via use-after-free in Google Chrome's WebRTC implementation (versions prior to 146.0.7680.153) enables remote attackers to achieve arbitrary code execution through malicious HTML pages, requiring only user interaction. The vulnerability affects Chrome, Ubuntu, and Debian systems with a CVSS score of 8.8, though a patch is available.

Heap memory corruption in Google Chrome's WebRTC implementation prior to version 146.0.7680.153 enables remote attackers to execute arbitrary code by tricking users into visiting malicious websites. The use-after-free vulnerability requires only user interaction and affects Chrome on multiple platforms including Ubuntu and Debian systems. A patch is available to address this high-severity flaw.

Stack buffer overflow in Google Chrome's WebRTC implementation prior to version 146.0.7680.153 enables remote attackers to corrupt stack memory and achieve code execution through maliciously crafted HTML pages. The vulnerability affects Chrome, and potentially downstream products including Chromium-based browsers, requiring only user interaction and no authentication. A patch is available across affected platforms including Ubuntu and Debian.

Sandboxed arbitrary code execution in Google Chrome's WebAudio component (versions prior to 146.0.7680.153) can be triggered remotely through malicious HTML, requiring only user interaction. An attacker can craft a weaponized webpage to break out of the Chrome sandbox and execute arbitrary code on affected systems. This high-severity vulnerability impacts Chrome, Ubuntu, and Debian users, with patches now available.

Google Chrome versions prior to 146.0.7680.153 contain a heap buffer overflow in CSS parsing that enables remote code execution when users visit malicious HTML pages. An unauthenticated attacker can trigger heap memory corruption through a crafted webpage, potentially achieving arbitrary code execution with user privileges. A patch is available and should be applied immediately to all affected systems.

Heap corruption in Google Chrome versions before 146.0.7680.153 results from a use-after-free vulnerability in the Base component, enabling remote attackers to execute arbitrary code through malicious HTML pages. The attack requires user interaction but no authentication, affecting Chrome on multiple platforms including Linux distributions. A patch is available to remediate this critical-severity vulnerability.

This is a critical out-of-bounds read and write vulnerability in the WebGL implementation of Google Chrome prior to version 146.0.7680.153. The vulnerability allows a remote attacker to perform arbitrary memory read and write operations by crafting a malicious HTML page, potentially leading to information disclosure, code execution, or complete system compromise. The vulnerability affects multiple Debian releases and has been assigned ENISA EUVD ID EUVD-2026-13447; a vendor patch is available.

Out-of-bounds memory corruption in Google Chrome's WebGL implementation on Android prior to version 146.0.7680.153 enables remote attackers to escape the browser sandbox by delivering a malicious HTML page, requiring only user interaction. This critical vulnerability affects Chrome users on Android devices and could lead to complete system compromise if successfully exploited. A patch is available in Chrome 146.0.7680.153 and later versions.

Buffer overflow vulnerabilities in wolfSSL's CRL parser enable heap and stack memory corruption when processing maliciously crafted Certificate Revocation Lists, allowing potential code execution on affected systems. This vulnerability only impacts installations with explicit CRL support enabled that load CRLs from untrusted sources. No patch is currently available.

HTSlib, a widely-used bioinformatics library for reading and writing sequence alignment formats, contains a critical buffer overflow vulnerability in its CRAM format decoder. The vulnerability exists in the `cram_byte_array_len_decode()` function which fails to validate that unpacked data matches the output buffer size, affecting HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1. An attacker can craft a malicious CRAM file that, when opened by a user, triggers either a heap or stack overflow with attacker-controlled bytes, potentially leading to arbitrary code execution, program crash, or memory corruption.

HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the GZI index loading function `bgzf_index_load_hfile()`. An integer overflow during buffer allocation allows attackers to craft malicious `.gzi` files that trigger heap memory corruption, potentially leading to denial of service, data corruption, or remote code execution when a user opens the compromised file. No evidence of active exploitation in the wild has been reported, but the vulnerability is demonstrable and patch availability is confirmed.

HTSlib versions prior to 1.21.1, 1.22.2, and 1.23.1 contain an out-by-one error in the CRAM decoder's `cram_byte_array_stop_decode_char()` function that allows a single attacker-controlled byte to be written beyond the end of a heap allocation. This heap buffer overflow (CWE-122) affects bioinformatics applications using HTSlib to process CRAM-formatted DNA sequence alignment files, and could enable arbitrary code execution if exploited. No public exploit code or KEV status is currently documented, but patch availability exists for multiple stable release branches.

HTSlib contains a buffer overflow vulnerability in its CRAM format decoder affecting the VARINT and CONST encoding handlers, where incomplete context validation allows writes of up to eight bytes beyond heap allocation boundaries or into stack-allocated single-byte variables. This vulnerability affects HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1, and impacts any application using the library to process CRAM-formatted bioinformatics data files. An attacker can craft a malicious CRAM file to trigger heap or stack overflow conditions, potentially leading to denial of service, memory corruption, or arbitrary code execution when processed by a vulnerable application.

HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain an out-of-bounds read vulnerability in the CRAM file parser where the mate reference ID field is not validated during decoding. An attacker can craft a malicious CRAM file that, when processed by affected applications (particularly those converting CRAM to SAM format), triggers out-of-bounds array access that may leak sensitive information about program state or cause a denial of service through memory access violations. No public exploit has been reported, but no workaround exists, making patching essential.

HTSlib versions prior to 1.21.1, 1.22.2, and 1.23.1 contain a buffer over-read vulnerability in the CRAM decoder's cram_decode_seq() function that fails to properly validate feature data offsets. An attacker can craft malicious CRAM files to read arbitrary data from memory adjacent to reference sequence buffers, leading to information disclosure of program state or denial of service through memory access violations. No active exploitation has been documented, but patches are available from the vendor.

HTSlib contains an out-of-bounds read vulnerability in the cram_decode_slice() function that fails to validate the reference ID field early enough during CRAM file parsing, allowing two separate out-of-bounds reads before error detection. The vulnerability affects HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1, and can result in information disclosure through leaked memory values or application crashes when processing malicious or corrupted CRAM bioinformatics files. While the function reports an error after the reads occur, the window for exploitation exists and the practical impact depends on memory layout and application context.

HTSlib, a bioinformatics library for reading and writing sequence alignment formats, contains a null pointer dereference vulnerability in its CRAM format decoder affecting versions before 1.23.1, 1.22.2, and 1.21.1. The vulnerability exists in the CONST, XPACK, and XRLE encodings which fail to properly handle CRAM records with omitted sequence or quality data, causing attempts to write to NULL pointers when these records are decoded. An attacker can exploit this by providing a malformed CRAM file to any application using vulnerable HTSlib versions, resulting in denial of service through application crash, with no known active exploitation or public proof-of-concept at this time.

HTSlib contains a heap buffer overflow vulnerability in its CRAM decoder caused by an out-by-one error when validating feature boundaries. When a user opens a maliciously crafted CRAM file, an attacker can write one controlled byte beyond the end of a heap buffer, potentially causing application crashes, data corruption, or arbitrary code execution. Versions 1.23.1, 1.22.2, and 1.21.1 include fixes, and patches are available via the official GitHub repository.

HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the cram_decode_seq() function when processing CRAM-formatted bioinformatics files with omitted sequence and quality data. An attacker can craft a malicious CRAM file that triggers an out-of-bounds read followed by an attacker-controlled single-byte write to heap memory, potentially enabling arbitrary code execution, data corruption, or denial of service when a user opens the file. No public exploit proof-of-concept has been identified, but the vulnerability is confirmed and patched by the HTSlib project.

This vulnerability is a race condition in the Linux kernel's F2FS file system that causes flag inconsistency between concurrent atomic commit and checkpoint write operations. The issue affects all Linux kernel versions with F2FS support (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), allowing information disclosure through incorrect inode state recovery after sudden power-off (SPO) scenarios. An attacker with local file system access during atomic write operations could trigger the race condition, leading to potential data inconsistency and information leakage when the system recovers.

A divide-by-zero vulnerability exists in the Linux kernel's rivafb framebuffer driver in the nv3_arb() function, which can be triggered by unprivileged userspace applications via the FBIOPUT_VSCREENINFO ioctl call on /dev/fb* devices. An attacker can crash the kernel by crafting a malicious or misconfigured PCI device that exposes a bogus PRAMDAC MCLK PLL configuration, causing the state->mclk_khz divisor to become zero. This is a Denial of Service vulnerability affecting the Linux kernel across multiple stable versions, with patches available in the kernel git repository.

A vulnerability in the Linux kernel's f2fs (Flash-Friendly File System) implementation fails to validate node footer integrity during asynchronous read and write I/O operations, allowing corrupted node page data to trigger a kernel BUG and cause denial of service. This affects all Linux kernel versions using f2fs, particularly those processing untrusted or fuzzed filesystem images. An attacker with the ability to craft a malicious f2fs filesystem image can trigger a kernel panic when the corrupted node page is written back, resulting in system unavailability.

A logic error in the Linux kernel's AMD GPU driver causes system crashes when two AMD GPUs are present and only one supports ASPM (Active State Power Management). The vulnerability stems from a commit that was erroneously reapplied after being removed in a prior refactoring, leading to incorrect ASPM state evaluation across multiple devices. Systems running affected Linux kernel versions with heterogeneous AMD GPU configurations (mixed ASPM support) will experience denial of service through kernel crashes.

This vulnerability is a memory leak in the Linux kernel's io_uring subsystem, specifically within the zero-copy receive (zcrx) implementation where a page array fails to be deallocated during scatter-gather initialization failures. The vulnerability affects all Linux kernel versions with the vulnerable io_uring/zcrx code path, allowing local attackers with the ability to trigger failed scatter-gather operations to exhaust kernel memory and cause denial of service. No active exploitation has been reported, but this is a kernel memory management issue with straightforward local triggering conditions.

A memory corruption vulnerability exists in the Linux kernel's Google Virtual Ethernet (gve) driver where dynamic queue count changes cause misalignment between the driver's stats region and the NIC's offset calculations. When queue counts increase, the NIC can write past the allocated stats region boundary causing heap corruption; when decreased, stats data becomes misaligned. This affects Linux kernel versions across multiple stable branches (as evidenced by patches in 5.10, 5.15, 6.1, 6.6, 6.7, 6.8, and 6.9 series). The vulnerability is not currently listed as actively exploited in KEV, but represents a critical reliability and security issue for systems using Google Cloud Platform infrastructure with the affected gve driver.

This vulnerability is a resource leak in the Linux kernel's NVMe/FC (NVMe over Fibre Channel) driver where the admin tag set and associated block I/O queue resources fail to be released if controller initialization encounters errors after the admin queue is allocated. The affected product is the Linux kernel across all versions that include the vulnerable nvme-fc code path. An attacker or malicious process could trigger repeated failed NVMe/FC controller initialization attempts to exhaust kernel memory through cumulative tag set leaks, potentially leading to denial of service. This is not actively exploited in the wild (not listed in CISA KEV), but patches are available across multiple kernel branches.

A memory leak vulnerability exists in the Linux kernel's regmap maple tree caching implementation where allocated memory is not freed when the mas_store_gfp() function fails during a write operation. This affects all Linux kernel versions containing the vulnerable regcache_maple_write() function, potentially allowing local attackers to exhaust kernel memory through repeated cache write failures. While no CVSS score or EPSS data is currently available, the vulnerability has been assigned CVE-2026-23260 and multiple stable kernel patches are available, indicating this is a recognized and actively addressed issue.

A memory management vulnerability exists in the Linux kernel's io_uring subsystem where allocated iovec buffers may fail to be properly freed when a read/write request cannot be recycled back to the rw_cache. This affects all Linux kernel versions with the vulnerable io_uring/rw code path, potentially allowing local attackers to trigger memory leaks that degrade system performance or enable denial of service conditions. The vulnerability has been patched in the Linux kernel stable trees as evidenced by the provided commit references.

A memory leak vulnerability exists in the Linux kernel's Liquidio network driver within the setup_nic_devices() function where the netdev pointer is not initialized in the oct->props[i].netdev structure before calling queue setup functions. If netif_set_real_num_rx_queues() or netif_set_real_num_tx_queues() fail, the allocated netdev memory is not freed because the cleanup function liquidio_destroy_nic_device() cannot locate it via the NULL pointer. This affects all Linux kernel versions with the Liquidio driver and allows for memory exhaustion through repeated device initialization failures.

A memory leak vulnerability exists in the Linux kernel's liquidio network driver within the setup_nic_devices() function, where an off-by-one error in the cleanup loop causes failure to deallocate the last successfully allocated device during error handling. The vulnerability affects Linux kernel versions across multiple stable branches (as evidenced by patches in 4.9, 4.14, 4.19, 5.4, 5.10, 5.15, and 5.16 stable trees per the kernel.org references). While this is a local denial-of-service vector through memory exhaustion rather than a direct code execution path, it could be leveraged by unprivileged users to degrade system stability over time.

This vulnerability is an off-by-one error in the Linux kernel's liquidio driver that causes a memory leak during virtual function (VF) setup failure cleanup. The vulnerability affects the Linux kernel across all versions where the liquidio net driver is compiled, as identified through the affected CPE (cpe:2.3:a:linux:linux). While this is a memory leak rather than a direct code execution vulnerability, it can be exploited to exhaust kernel memory resources, leading to denial of service.

A race condition vulnerability exists in the Linux kernel's /proc/net/ptype implementation where concurrent readers and writers violate RCU (Read-Copy-Update) synchronization rules, allowing information disclosure through unsafe access to device pointers. The vulnerability affects all Linux kernel versions with the vulnerable ptype_seq_show() and ptype_seq_next() functions. An attacker with local access can trigger RCU stalls, kernel panics, or read uninitialized kernel memory by racing concurrent packet type structure modifications against /proc/net/ptype reads, potentially leaking sensitive kernel data or causing denial of service.

A vulnerability in the Linux kernel's Generic Receive Offload (GRO) implementation for UDP traffic causes incorrect network offset calculations when processing encapsulated packets. The flaw affects all Linux kernel versions where the GRO subsystem handles UDP encapsulation, as specified in the CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*. When hardware NICs, the tun driver, or veth setups inject packets with the encapsulation flag set, the udp4_gro_complete() function incorrectly computes the outer UDP header pseudo checksum using the inner network offset, leading to checksum validation failures that can disrupt packet processing and potentially cause denial of service or packet drops. No active exploitation has been reported in the wild, and no public proof-of-concept code is known to exist, though the vulnerability is triggered through normal network operations involving UDP-encapsulated traffic.

This vulnerability is a missing exception fixup handler in the LoongArch architecture's BPF JIT compiler that fails to properly recover from memory access exceptions (ADEM) triggered by BPF_PROBE_MEM* instructions. The Linux kernel on LoongArch systems (CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) is affected, potentially allowing information disclosure or denial of service when BPF programs attempt to safely probe memory locations. This is not actively exploited (no KEV status), but patches are available across multiple stable kernel branches.

A resource management vulnerability exists in the Linux kernel's Btrfs filesystem implementation where qgroup data reservations are incorrectly freed when an inline extent creation fails due to -ENOSPC (no space available). This causes the kernel to prematurely release qgroup quota accounting for data that will actually be used when the operation falls back to the normal copy-on-write path, potentially leading to qgroup quota inconsistencies and information disclosure about quota state. All Linux distributions using Btrfs with qgroup quota tracking enabled are affected. While no CVSS score or EPSS risk score has been assigned, the vulnerability has stable patches available in the Linux kernel repository.

A resource leak vulnerability exists in the Linux kernel's btrfs filesystem implementation where reserved qgroup data fails to be freed in error paths during inline extent insertion operations. This affects all Linux versions with vulnerable btrfs code, and allows local attackers with filesystem write access to exhaust kernel memory resources through repeated failed inline extent insertions, potentially causing denial of service. No active exploitation in the wild has been reported, but kernel memory exhaustion vulnerabilities are routinely targeted by local privilege escalation chains.

A memory allocation failure vulnerability exists in the Linux kernel's XFS filesystem checking code where the xchk_xfile_*_descr macros call kasprintf with formatted strings that can exceed safe allocation limits, leading to potential denial of service or information disclosure. This affects Linux kernel versions 6.6 through 6.14 and later releases including 6.18.16, 6.19.6, and 7.0-rc1, with the vulnerability discoverable through syzbot fuzzing by researcher Jiaming Zhang. While no active exploitation has been confirmed, the issue represents a path to failure in a core filesystem validation component that could be triggered by malicious or malformed filesystem structures.

This vulnerability in the Linux kernel's XFS filesystem code involves improper pointer validation in xfarray and xfblob destructor functions, where the destructors can be called with invalid (dangling) pointers if the pointer is not properly nulled after deallocation. The vulnerability affects Linux kernel versions 6.9 through 6.10 and later patch versions, potentially allowing information disclosure or system instability. While no CVSS score or exploitation data is publicly available, the fix was backported across multiple kernel versions (6.12.75, 6.18.16, 6.19.6, 7.0-rc1) indicating recognition of the issue's significance across the kernel maintenance community.

A null pointer dereference vulnerability exists in the XFS filesystem checker (xchk_scrub_create_subord) in the Linux kernel, where the function returns a mangled ENOMEM error instead of NULL, and callers fail to properly validate the return value. This affects Linux kernel versions 6.2 through 6.10 and later stable branches, potentially allowing a local attacker with filesystem access to trigger a denial of service condition through unhandled memory allocation failures during XFS filesystem integrity checks.

A null pointer dereference vulnerability exists in the Linux kernel's XFS filesystem repair code when revalidating B-tree structures during fsck operations. The vulnerability affects Linux kernel versions across multiple release branches (6.8, 6.12.75, 6.18.16, 6.19.6, and 7.0-rc1) when the xfs_scrub utility attempts to repair both the free space B-tree (bnobt) and count B-tree (cntbt) simultaneously. An authenticated attacker with fsck/scrub privileges can trigger a kernel crash (denial of service) by injecting corruption markers via XFS_IOC_ERROR_INJECTION ioctl, causing the kernel to crash when the second B-tree revalidation is attempted after the first one fails and nullifies a required cursor.

A predictable secret identifier (XID) vulnerability in Juju versions 3.0.0 through 3.6.18 allows a malicious grantee to enumerate and predict previously granted secrets owned by the same administrator, enabling unauthorized access to resources intended for other applications. An attacker with high privileges and control over at least one deployed application can exploit this to obtain credentials or configuration data from past secret grants, resulting in information disclosure and potential privilege escalation. While the CVSS score is moderate at 6.6 and exploitation requires specific configuration and high privileges, the fundamental weakness in secret ownership verification represents a significant trust boundary violation in Juju's secret management architecture.

An authorization bypass vulnerability in Canonical's Juju versions 3.0.0 through 3.6.18 allows authenticated users with grantee privileges to incorrectly update secret content beyond their intended permissions, potentially accessing or modifying other secrets. The vulnerability (CWE-863: Incorrect Authorization) has a CVSS score of 8.8, indicating high severity with network-based exploitation requiring low attack complexity and low privileges. The flaw is particularly dangerous because even when exploitation attempts are logged as errors, the unauthorized secret updates still persist and become visible to both owners and grantees.

An authorization bypass vulnerability exists in the Vault secrets back-end implementation of Canonical's Juju orchestration tool, allowing authenticated unit agents to perform unauthorized updates to secret revisions beyond their intended scope. Juju versions 3.1.6 through 3.6.18 are affected, and attackers with sufficient information can poison any existing secret revision within the Vault secret back-end scope. With a CVSS score of 7.6 (High severity) featuring network attack vector, low complexity, and high integrity impact, this represents a significant security concern for Juju deployments using Vault as their secrets back-end, though no active exploitation (KEV) status or EPSS score was provided in available data.

Juju 3.0.0 through 3.6.18 contains a race condition in secrets management that allows authenticated unit agents to intercept and claim ownership of newly created secrets due to a timing window between secret ID generation and revision creation. An attacker with valid unit agent credentials can exploit this to read the initial content of secrets intended for other units. The vulnerability requires local authentication and manual interaction but results in high-impact confidentiality disclosure with no available patch.

This vulnerability is an information disclosure issue in the Linux kernel's TCP implementation where the timestamp offset calculation was insufficiently randomized, allowing off-path attackers to leak TCP source ports via a SYN cookie side-channel attack. All Linux kernel versions from 4.11 onwards are affected, with confirmed vulnerable versions including Linux 6.18.17, 6.19.7, and 7.0-rc3. An attacker can exploit this to infer source port numbers used in TCP connections without being on the network path, which can facilitate further network-level attacks such as connection hijacking or targeted DoS.

A memory allocation vulnerability exists in the Linux kernel's NVMe Persistent Reservation implementation where the nvme_pr_read_keys() function fails to properly handle large num_keys values passed from userspace, resulting in excessive memory allocation attempts up to 4MB that trigger page allocator warnings and potential denial of service. This affects Linux kernel versions across multiple stable branches (6.5, 6.12.77, 6.18.17, 6.19.7, and 7.0-rc3) and requires local access with ioctl privileges to trigger. The vulnerability is addressed through replacement of kzalloc() with kvzalloc() to support larger allocations via vmalloc fallback, and patches are available across multiple kernel stable branches.

A denial-of-service vulnerability exists in the Linux kernel's ntfs3 file system driver where a malformed NTFS image with a zero-sized ATTR_LIST attribute triggers an infinite loop during file system mount operations. The vulnerability affects Linux kernel versions across multiple stable branches (5.15, 6.1, 6.6, 6.12, 6.18, 6.19, and 7.0-rc1) and can cause the kernel to hang indefinitely, preventing normal system operation. An attacker can exploit this by providing a crafted NTFS image file that triggers the loop when mounted, requiring no special privileges and resulting in complete denial of service for affected systems.

An infinite loop vulnerability exists in the Linux kernel's ntfs3 filesystem implementation that allows attackers to trigger a denial-of-service condition through malformed NTFS directory entries. A crafted dentry with the HAS_SUB_NODE flag and manipulated VCN pointer can cause the indx_find() function to repeatedly allocate 4 KB memory blocks without proper loop detection, leading to memory exhaustion and kernel out-of-memory crashes. The vulnerability affects multiple stable Linux kernel versions across 5.15, 6.1, 6.6, 6.12, 6.18, and 6.19 series, and patches have been released for all affected branches.

An infinite loop vulnerability exists in the Linux kernel's NTFS3 file system implementation within the attr_load_runs_range() function, triggered by inconsistent metadata where an attribute header claims to be empty (evcn=-1) while directory entries reference it as containing actual data. This vulnerability affects Linux kernel versions across multiple stable branches (5.15, 6.1, 6.6, 6.12, 6.18, 6.19, and 7.0-rc1) and can be exploited by an attacker mounting a malformed NTFS image to cause a Denial-of-Service condition by inducing infinite CPU consumption in kernel space.

Unauthenticated remote attackers can exhaust memory in Red Hat Build of Keycloak 26.4 and 26.4.10 by sending highly compressed SAML requests that bypass decompression size limits, triggering denial of service. The vulnerability affects SAML Redirect Binding implementations that fail to enforce resource constraints during DEFLATE decompression, allowing attackers to crash the application with OutOfMemoryError conditions. No patch is currently available.

An authenticated SQL injection vulnerability exists in Kanboard project management software prior to version 1.2.51. Authenticated attackers with permission to add users to a project can exploit this vulnerability to dump the entire Kanboard database, potentially exposing sensitive project data, user credentials, and application secrets. The vulnerability is confirmed under active tracking by Debian (2 releases) and Ubuntu (medium priority), with a GitHub Security Advisory published.

Kanboard project management software contains a privilege escalation vulnerability in its user invite registration endpoint that allows invited users to inject the 'role=app-admin' parameter during account creation, granting themselves administrator privileges. This affects all Kanboard versions prior to 1.2.51. The vulnerability has documented proof-of-concept exploitation capability (CVSS E:P indicates PoC exists) and carries a CVSS 4.0 score of 7.0 with high integrity impact to both the vulnerable system and subsequent components.

Keycloak contains an authentication bypass vulnerability in its SAML broker functionality that allows remote attackers with low-level privileges to complete IdP-initiated broker logins even when the SAML Identity Provider has been administratively disabled. Red Hat Build of Keycloak versions 26.2 and 26.4 are affected, with patches available in versions 26.2-16, 26.2.14-1, 26.4-12, and 26.4.10-1. The CVSS score of 8.1 reflects high confidentiality and integrity impact, though no evidence of active exploitation (KEV) or public proof-of-concept has been reported at this time.

Keycloak's SAML broker endpoint contains a validation flaw that allows attackers with a valid signed SAML assertion to inject encrypted assertions for arbitrary principals when the overall SAML response is unsigned. This leads to authentication bypass and unauthorized access to protected resources. Red Hat build of Keycloak versions 26.2 and 26.4 are affected, with patches available in versions 26.2-16, 26.2.14-1, 26.4-12, and 26.4.10-1. No evidence of active exploitation (not in CISA KEV) has been reported.

CVE-2026-32953 is a security vulnerability. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Miniaudio versions 0.11.25 and earlier are vulnerable to a heap out-of-bounds read in the WAV BEXT metadata parser when processing specially crafted WAV files. An attacker can exploit improper null-termination handling in the coding history field to trigger memory access violations, causing application crashes or denial of service. No patch is currently available for affected Debian and Miniaudio distributions.

HTTP/2 server implementations in libsoup across Debian and Red Hat Enterprise Linux versions contain a use-after-free vulnerability that allows unauthenticated remote attackers to trigger application crashes through specially crafted requests. Exploitation results in denial of service by forcing the application to access freed memory, causing instability. No patch is currently available for this medium-severity flaw.

CVE-2026-28563 is a security vulnerability (CVSS 4.3) that allows an authenticated user with only dag dependencies permission. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

CVE-2026-30911 is a security vulnerability (CVSS 8.1) that allows any authenticated task instance. High severity vulnerability requiring prompt remediation. Vendor patch is available.

CVE-2026-28779 is a security vulnerability (CVSS 7.5) that allows any application co-hosted under the same domain. High severity vulnerability requiring prompt remediation. Vendor patch is available.

A security vulnerability in A flaw (CVSS 3.9). Remediation should follow standard vulnerability management procedures.

A flaw was found in libsoup, a library used by applications to send network requests.

A security vulnerability in A flaw (CVSS 3.9). Remediation should follow standard vulnerability management procedures.

In the Linux kernel, the following vulnerability has been resolved: audit: add missing syscalls to read class The "at" variant of getxattr() and listxattr() are missing from the audit read class.

In the Linux kernel, the following vulnerability has been resolved: audit: add fchmodat2() to change attributes class fchmodat2(), introduced in version 6.6 is currently not in the change attribute class of audit.

A cryptographic vulnerability in the Stanford Javascript Crypto Library (SJCL) allows attackers to recover victims' ECDH private keys through a missing point-on-curve validation flaw. The vulnerability affects all versions of SJCL and enables remote attackers to send specially crafted off-curve public keys and observe ECDH outputs to extract private key material. A proof-of-concept exploit is publicly available, though the vulnerability is not currently listed in CISA KEV and has no EPSS score assigned yet.

Medium severity vulnerability in ImageMagick. # Specially crafted SVG file make segmentation fault and generate trash files in "/tmp", possible to leverage DoS.

dpkg-deb fails to properly validate zstd-compressed .deb archives during decompression, allowing unauthenticated remote attackers to trigger infinite loops that exhaust CPU resources on Debian systems. This denial of service condition affects the package management system without requiring user interaction or elevated privileges. No patch is currently available for this vulnerability.

In the Linux kernel, the following vulnerability has been resolved: linkwatch: use __dev_put() in callers to prevent UAF After linkwatch_do_dev() calls __dev_put() to release the linkwatch reference, the device refcount may drop to 1.

The Linux kernel bonding driver contains a use-after-free vulnerability in the slave device initialization path that allows local attackers with user privileges to cause memory corruption or denial of service. The flaw occurs when slave array updates happen before XDP setup completion, enabling the new slave to be used for transmission before being freed by error cleanup handlers. This affects Debian, Ubuntu, and other Linux distributions running vulnerable kernel versions.

The Linux kernel netdevsim driver contains a race condition in the bpf_bound_progs list operations where concurrent calls to nsim_bpf_create_prog() and nsim_bpf_destroy_prog() can corrupt the list and trigger kernel crashes. A local attacker with limited privileges can exploit this vulnerability to cause a denial of service by manipulating eBPF program creation and destruction. No patch is currently available for this issue.

In the Linux kernel, the following vulnerability has been resolved: mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode When operating in HS200 or HS400 timing modes, reducing the clock frequency below 52MHz will lead to link broken as the Rockchip DWC MSHC controller requires maintaining a minimum clock of 52MHz in these modes.

Linux kernel null pointer dereference in the tracing subsystem causes a denial of service when synthetic events reference stacktrace fields from other synthetic events. Local users with tracing permissions can trigger a kernel crash by creating chained synthetic events that pass stacktrace data between them. No patch is currently available for this vulnerability.

In the Linux kernel, the following vulnerability has been resolved: tracing: Do not register unsupported perf events Synthetic events currently do not have a function to register perf events.

In the Linux kernel, the following vulnerability has been resolved: ext4: fix string copying in parse_apply_sb_mount_options() strscpy_pad() can't be used to copy a non-NUL-term string into a NUL-term string of possibly bigger size.

In the Linux kernel, the following vulnerability has been resolved: f2fs: ensure node page reads complete before f2fs_put_super() finishes Xfstests generic/335, generic/336 sometimes crash with the following message: F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1 ------------[ cut here ]------------ kernel BUG at fs/f2fs/super.c:1939!

In the Linux kernel, the following vulnerability has been resolved: team: fix check for port enabled in team_queue_override_port_prio_changed() There has been a syzkaller bug reported recently with the following trace: list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:59!

In the Linux kernel, the following vulnerability has been resolved: mptcp: fallback earlier on simult connection Syzkaller reports a simult-connect race leading to inconsistent fallback status: WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Modules linked in: CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 <0f> 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6 RSP: 0018:ffffc900006cf338 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888031acd100 RCX: ffffffff8b7f2abf RDX: ffff88801e6ea440 RSI: ffffffff8b7f2aca RDI: 0000000000000005 RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007 R10: 0000000000000004 R11: 0000000000002c10 R12: ffff88802ba69900 R13: 1ffff920000d9e67 R14: ffff888046f81800 R15: 0000000000000004 FS: 0000000000000000(0000) GS:ffff8880d69bc000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000560fc0ca1670 CR3: 0000000032c3a000 CR4: 0000000000352ef0 Call Trace: <TASK> tcp_data_queue+0x13b0/0x4f90 net/ipv4/tcp_input.c:5197 tcp_rcv_state_process+0xfdf/0x4ec0 net/ipv4/tcp_input.c:6922 tcp_v6_do_rcv+0x492/0x1740 net/ipv6/tcp_ipv6.c:1672 tcp_v6_rcv+0x2976/0x41e0 net/ipv6/tcp_ipv6.c:1918 ip6_protocol_deliver_rcu+0x188/0x1520 net/ipv6/ip6_input.c:438 ip6_input_finish+0x1e4/0x4b0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500 dst_input include/net/dst.h:471 [inline] ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline] NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0x264/0x650 net/ipv6/ip6_input.c:311 __netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:5979 __netif_receive_skb+0x1d/0x160 net/core/dev.c:6092 process_backlog+0x442/0x15e0 net/core/dev.c:6444 __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7494 napi_poll net/core/dev.c:7557 [inline] net_rx_action+0xa9f/0xfe0 net/core/dev.c:7684 handle_softirqs+0x216/0x8e0 kernel/softirq.c:579 run_ksoftirqd kernel/softirq.c:968 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960 smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160 kthread+0x3c2/0x780 kernel/kthread.c:463 ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> The TCP subflow can process the simult-connect syn-ack packet after transitioning to TCP_FIN1 state, bypassing the MPTCP fallback check, as the sk_state_change() callback is not invoked for * -> FIN_WAIT1 transitions.

In the Linux kernel, the following vulnerability has been resolved: iavf: fix off-by-one issues in iavf_config_rss_reg() There are off-by-one bugs when configuring RSS hash key and lookup table, causing out-of-bounds reads to memory [1] and out-of-bounds writes to device registers.

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid potential deadlock As Jiaming Zhang and syzbot reported, there is potential deadlock in f2fs as below: Chain exists of: &sbi->cp_rwsem --> fs_reclaim --> sb_internal#2 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- rlock(sb_internal#2); lock(fs_reclaim); lock(sb_internal#2); rlock(&sbi->cp_rwsem); *** DEADLOCK *** 3 locks held by kswapd0/73: #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan.c:7015 [inline] #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x951/0x2800 mm/vmscan.c:7389 #1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_trylock_shared fs/super.c:562 [inline] #1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_cache_scan+0x91/0x4b0 fs/super.c:197 #2: ffff888011840610 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x8d9/0x1b60 fs/f2fs/inode.c:890 stack backtrace: CPU: 0 UID: 0 PID: 73 Comm: kswapd0 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_circular_bug+0x2ee/0x310 kernel/locking/lockdep.c:2043 check_noncircular+0x134/0x160 kernel/locking/lockdep.c:2175 check_prev_add kernel/locking/lockdep.c:3165 [inline] check_prevs_add kernel/locking/lockdep.c:3284 [inline] validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908 __lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237 lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868 down_read+0x46/0x2e0 kernel/locking/rwsem.c:1537 f2fs_down_read fs/f2fs/f2fs.h:2278 [inline] f2fs_lock_op fs/f2fs/f2fs.h:2357 [inline] f2fs_do_truncate_blocks+0x21c/0x10c0 fs/f2fs/file.c:791 f2fs_truncate_blocks+0x10a/0x300 fs/f2fs/file.c:867 f2fs_truncate+0x489/0x7c0 fs/f2fs/file.c:925 f2fs_evict_inode+0x9f2/0x1b60 fs/f2fs/inode.c:897 evict+0x504/0x9c0 fs/inode.c:810 f2fs_evict_inode+0x1dc/0x1b60 fs/f2fs/inode.c:853 evict+0x504/0x9c0 fs/inode.c:810 dispose_list fs/inode.c:852 [inline] prune_icache_sb+0x21b/0x2c0 fs/inode.c:1000 super_cache_scan+0x39b/0x4b0 fs/super.c:224 do_shrink_slab+0x6ef/0x1110 mm/shrinker.c:437 shrink_slab_memcg mm/shrinker.c:550 [inline] shrink_slab+0x7ef/0x10d0 mm/shrinker.c:628 shrink_one+0x28a/0x7c0 mm/vmscan.c:4955 shrink_many mm/vmscan.c:5016 [inline] lru_gen_shrink_node mm/vmscan.c:5094 [inline] shrink_node+0x315d/0x3780 mm/vmscan.c:6081 kswapd_shrink_node mm/vmscan.c:6941 [inline] balance_pgdat mm/vmscan.c:7124 [inline] kswapd+0x147c/0x2800 mm/vmscan.c:7389 kthread+0x70e/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> The root cause is deadlock among four locks as below: kswapd - fs_reclaim --- Lock A - shrink_one - evict - f2fs_evict_inode - sb_start_intwrite --- Lock B - iput - evict - f2fs_evict_inode - sb_start_intwrite --- Lock B - f2fs_truncate - f2fs_truncate_blocks - f2fs_do_truncate_blocks - f2fs_lock_op --- Lock C ioctl - f2fs_ioc_commit_atomic_write - f2fs_lock_op --- Lock C - __f2fs_commit_atomic_write - __replace_atomic_write_block - f2fs_get_dnode_of_data - __get_node_folio - f2fs_check_nid_range - f2fs_handle_error - f2fs_record_errors - f2fs_down_write --- Lock D open - do_open - do_truncate - security_inode_need_killpriv - f2fs_getxattr - lookup_all_xattrs - f2fs_handle_error - f2fs_record_errors - f2fs_down_write --- Lock D - f2fs_commit_super - read_mapping_folio - filemap_alloc_folio_noprof - prepare_alloc_pages - fs_reclaim_acquire --- Lock A In order to a ---truncated---

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid updating zero-sized extent in extent cache As syzbot reported: F2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0] ------------[ cut here ]------------ kernel BUG at fs/f2fs/extent_cache.c:678!

In the Linux kernel, the following vulnerability has been resolved: net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std but doesn't check if the allocation failed.

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix return value of f2fs_recover_fsync_data() With below scripts, it will trigger panic in f2fs: mkfs.f2fs -f /dev/vdd mount /dev/vdd /mnt/f2fs touch /mnt/f2fs/foo sync echo 111 >> /mnt/f2fs/foo f2fs_io fsync /mnt/f2fs/foo f2fs_io shutdown 2 /mnt/f2fs umount /mnt/f2fs mount -o ro,norecovery /dev/vdd /mnt/f2fs or mount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0 F2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f F2FS-fs (vdd): Stopped filesystem due to reason: 0 F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1 Filesystem f2fs get_tree() didn't set fc->root, returned 1 ------------[ cut here ]------------ kernel BUG at fs/super.c:1761!

In the Linux kernel, the following vulnerability has been resolved: xsk: avoid data corruption on cq descriptor number Since commit 30f241fcf52a ("xsk: Fix immature cq descriptor production"), the descriptor number is stored in skb control block and xsk_cq_submit_addr_locked() relies on it to put the umem addrs onto pool's completion queue. skb control block shouldn't be used for this purpose as after transmit xsk doesn't have control over it and other subsystems could use it. This leads to the following kernel panic due to a NULL pointer dereference. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 2 UID: 1 PID: 927 Comm: p4xsk.bin Not tainted 6.16.12+deb14-cloud-amd64 #1 PREEMPT(lazy) Debian 6.16.12-1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 RIP: 0010:xsk_destruct_skb+0xd0/0x180 [...] Call Trace: <IRQ> ? napi_complete_done+0x7a/0x1a0 ip_rcv_core+0x1bb/0x340 ip_rcv+0x30/0x1f0 __netif_receive_skb_one_core+0x85/0xa0 process_backlog+0x87/0x130 __napi_poll+0x28/0x180 net_rx_action+0x339/0x420 handle_softirqs+0xdc/0x320 ? handle_edge_irq+0x90/0x1e0 do_softirq.part.0+0x3b/0x60 </IRQ> <TASK> __local_bh_enable_ip+0x60/0x70 __dev_direct_xmit+0x14e/0x1f0 __xsk_generic_xmit+0x482/0xb70 ? __remove_hrtimer+0x41/0xa0 ? __xsk_generic_xmit+0x51/0xb70 ? _raw_spin_unlock_irqrestore+0xe/0x40 xsk_sendmsg+0xda/0x1c0 __sys_sendto+0x1ee/0x200 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x84/0x2f0 ? __pfx_pollwake+0x10/0x10 ? __rseq_handle_notify_resume+0xad/0x4c0 ? restore_fpregs_from_fpstate+0x3c/0x90 ? switch_fpu_return+0x5b/0xe0 ? do_syscall_64+0x204/0x2f0 ? do_syscall_64+0x204/0x2f0 ? do_syscall_64+0x204/0x2f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> [...] Kernel panic - not syncing: Fatal exception in interrupt Kernel Offset: 0x1c000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) Instead use the skb destructor_arg pointer along with pointer tagging. As pointers are always aligned to 8B, use the bottom bit to indicate whether this a single address or an allocated struct containing several addresses.