Denial Of Service
Monthly
NULL pointer dereference in the Linux kernel's sch_dualpi2 queuing discipline (net/sched) allows a local attacker with low privileges to crash the kernel, causing a denial of service. The flaw exists in dualpi2_change(), which enforces updated queue limits after a qdisc reconfiguration: when traffic is exclusively queued in the L-queue and the C-queue is empty, the function unconditionally dereferences the NULL skb returned by the C-queue dequeue path, triggering a kernel panic. No public exploit code has been identified and EPSS sits at 0.17% (7th percentile), consistent with a locally-triggered, configuration-dependent kernel bug.
Out-of-bounds memory access in the Linux kernel's netfilter SIP connection-tracking helper (nf_conntrack_sip) stems from parsing port numbers in non-NUL-terminated socket-buffer data with simple_strtoul() and dereferencing pointers after sip_parse_addr() without bounds checks. Remote attackers sending crafted SIP messages through a host where the SIP conntrack/NAT helper is active could read past the packet buffer, risking information disclosure or instability (tagged Information Disclosure). Despite a CVSS of 9.8, EPSS is only 0.18% (8th percentile) and no public exploit is identified at time of analysis; a vendor fix is available across multiple stable trees.
In the Linux kernel, the following vulnerability has been resolved: sched/fair: Clear rel_deadline when initializing forked entities A yield-triggered crash can happen when a newly forked sched_entity enters the fair class with se->rel_deadline unexpectedly set. The failing sequence is: 1. A task is forked while se->rel_deadline is still set. 2. __sched_fork() initializes vruntime, vlag and other sched_entity state, but does not clear rel_deadline. 3. On the first enqueue, enqueue_entity() calls place_entity(). 4. Because se->rel_deadline is set, place_entity() treats se->deadline as a relative deadline and converts it to an absolute deadline by adding the current vruntime. 5. However, the forked entity's deadline is not a valid inherited relative deadline for this new scheduling instance, so the conversion produces an abnormally large deadline. 6. If the task later calls sched_yield(), yield_task_fair() advances se->vruntime to se->deadline. 7. The inflated vruntime is then used by the following enqueue path, where the vruntime-derived key can overflow when multiplied by the entity weight. 8. This corrupts cfs_rq->sum_w_vruntime, breaks EEVDF eligibility calculation, and can eventually make all entities appear ineligible. pick_next_entity() may then return NULL unexpectedly, leading to a later NULL dereference. A captured trace shows the effect clearly. Before yield, the entity's vruntime was around: 9834017729983308 After yield_task_fair() executed: se->vruntime = se->deadline the vruntime jumped to: 19668035460670230 and the deadline was later advanced further to: 19668035463470230 This shows that the deadline had already become abnormally large before yield_task_fair() copied it into vruntime. rel_deadline is only meaningful when se->deadline really carries a relative deadline that still needs to be placed against vruntime. A freshly forked sched_entity should not inherit or retain this state. Clear se->rel_deadline in __sched_fork(), together with the other sched_entity runtime state, so that the first enqueue does not interpret the new entity's deadline as a stale relative deadline.
Out-of-bounds read and denial-of-service in the Linux kernel SMB/CIFS client (cifs.ko) affects systems mounting SMB shares on 32-bit architectures. When parsing a malicious SMB2 error response, the symlink_data() routine mishandles a hostile ErrorDataLength value, causing either an infinite loop or a read past the buffer that can hang the client or leak adjacent kernel memory. There is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile), but the bug is reachable by any malicious or compromised SMB server a vulnerable client connects to.
In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure When ttm_tt_swapout() fails, the current code calls ttm_resource_add_bulk_move() followed by ttm_resource_move_to_lru_tail() to restore the resource's bulk_move membership. However, ttm_resource_move_to_lru_tail() places the resource at the tail of the LRU list which, relative to the walk cursor's hitch node (placed immediately after the resource when it was yielded), puts the resource *in front of the* the hitch. The next list_for_each_entry_continue() from the hitch finds the same resource again, causing an infinite loop. Fix by deferring del_bulk_move to the success path only. On the success path, TTM_TT_FLAG_SWAPPED has just been set by ttm_tt_swapout() but the resource is still tracked in the bulk_move range, so ttm_resource_del_bulk_move()'s !ttm_resource_unevictable() guard would incorrectly skip the removal. Introduce ttm_resource_del_bulk_move_unevictable() which bypasses that guard.
In the Linux kernel, the following vulnerability has been resolved: ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size The generic/642 test-case can reproduce the kernel crash: [40243.605254] ------------[ cut here ]------------ [40243.605956] kernel BUG at fs/ceph/xattr.c:918! [40243.607142] Oops: invalid opcode: 0000 [#1] SMP PTI [40243.608067] CPU: 7 UID: 0 PID: 498762 Comm: kworker/7:1 Not tainted 7.0.0-rc7+ #3 PREEMPT(full) [40243.609700] Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [40243.611820] Workqueue: ceph-msgr ceph_con_workfn [40243.612715] RIP: 0010:__ceph_build_xattrs_blob+0x1b8/0x1e0 [40243.613731] Code: 0f 84 82 fe ff ff e9 cf 8e 56 ff 48 8d 65 e8 31 c0 5b 41 5c 41 5d 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 c3 cc cc cc cc <0f> 0b 4c 8b 62 08 41 8b 85 24 07 00 00 49 83 c4 04 41 89 44 24 fc [40243.616888] RSP: 0018:ffffcc80c4d4b688 EFLAGS: 00010287 [40243.617773] RAX: 0000000000010026 RBX: 0000000000000001 RCX: 0000000000000000 [40243.618928] RDX: ffff8a773798dee0 RSI: 0000000000000000 RDI: 0000000000000000 [40243.620158] RBP: ffffcc80c4d4b6a0 R08: 0000000000000000 R09: 0000000000000000 [40243.621573] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8a75f3b58000 [40243.622907] R13: ffff8a75f3b58000 R14: 0000000000000080 R15: 000000000000bffd [40243.624054] FS: 0000000000000000(0000) GS:ffff8a787d1b4000(0000) knlGS:0000000000000000 [40243.625331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [40243.626269] CR2: 000072f390b623c0 CR3: 000000011c02a003 CR4: 0000000000372ef0 [40243.627408] Call Trace: [40243.627839] <TASK> [40243.628188] __prep_cap+0x3fd/0x4a0 [40243.628789] ? do_raw_spin_unlock+0x4e/0xe0 [40243.629474] ceph_check_caps+0x46a/0xc80 [40243.630094] ? __lock_acquire+0x4a2/0x2650 [40243.630773] ? find_held_lock+0x31/0x90 [40243.631347] ? handle_cap_grant+0x79f/0x1060 [40243.632068] ? lock_release+0xd9/0x300 [40243.632696] ? __mutex_unlock_slowpath+0x3e/0x340 [40243.633429] ? lock_release+0xd9/0x300 [40243.634052] handle_cap_grant+0xcf6/0x1060 [40243.634745] ceph_handle_caps+0x122b/0x2110 [40243.635415] mds_dispatch+0x5bd/0x2160 [40243.636034] ? ceph_con_process_message+0x65/0x190 [40243.636828] ? lock_release+0xd9/0x300 [40243.637431] ceph_con_process_message+0x7a/0x190 [40243.638184] ? kfree+0x311/0x4f0 [40243.638749] ? kfree+0x311/0x4f0 [40243.639268] process_message+0x16/0x1a0 [40243.639915] ? sg_free_table+0x39/0x90 [40243.640572] ceph_con_v2_try_read+0xf58/0x2120 [40243.641255] ? lock_acquire+0xc8/0x300 [40243.641863] ceph_con_workfn+0x151/0x820 [40243.642493] process_one_work+0x22f/0x630 [40243.643093] ? process_one_work+0x254/0x630 [40243.643770] worker_thread+0x1e2/0x400 [40243.644332] ? __pfx_worker_thread+0x10/0x10 [40243.645020] kthread+0x109/0x140 [40243.645560] ? __pfx_kthread+0x10/0x10 [40243.646125] ret_from_fork+0x3f8/0x480 [40243.646752] ? __pfx_kthread+0x10/0x10 [40243.647316] ? __pfx_kthread+0x10/0x10 [40243.647919] ret_from_fork_asm+0x1a/0x30 [40243.648556] </TASK> [40243.648902] Modules linked in: overlay hctr2 libpolyval chacha libchacha adiantum libnh libpoly1305 essiv intel_rapl_msr intel_rapl_common intel_uncore_frequency_common skx_edac_common nfit kvm_intel kvm irqbypass joydev ghash_clmulni_intel aesni_intel rapl input_leds mac_hid psmouse vga16fb serio_raw vgastate floppy i2c_piix4 pata_acpi bochs qemu_fw_cfg i2c_smbus sch_fq_codel rbd dm_crypt msr parport_pc ppdev lp parport efi_pstore [40243.654766] ---[ end trace 0000000000000000 ]--- Commit d93231a6bc8a ("ceph: prevent a client from exceeding the MDS maximum xattr size") moved the required_blob_size computation to before the __build_xattrs() call, introducing a race. __build_xattrs() releases and reacquires i_ceph_lock during execution. In that window, handle_cap_grant() may update i_xattrs.blob with a newer MDS-provided blob and bump i_xattrs.version. When __bui ---truncated---
Denial of service in the Linux kernel's libceph client allows a malicious or corrupted Ceph cluster to crash the kernel via a null pointer dereference in decode_choose_args(). When processing a CEPH_MSG_OSD_MAP message, a crafted CRUSH map containing choose_args with a bucket_index that points to a NULL (unallocated) bucket triggers the crash, because the code validated only that the index stayed within max_buckets, not that the target bucket was non-NULL. There is no public exploit identified at time of analysis, EPSS exploitation probability is low (0.18%, 8th percentile), and the issue is patched upstream.
Denial of service in the Linux kernel's libceph (Ceph client) subsystem allows a malicious or compromised Ceph monitor/OSD to crash a connected client by sending a crafted CEPH_MSG_OSD_MAP whose embedded CRUSH map carries two choose_args maps sharing the same choose_args_index. The duplicate index trips an assertion in insert_choose_arg_map() during decode_choose_args(), triggering a kernel BUG and panic. CVSS is 7.5 (availability-only); there is no public exploit identified at time of analysis and EPSS is low at 0.18% (8th percentile).
Local denial of service in the Linux kernel's Intel Xe DRM driver (drm/xe/dma-buf) arises from use-after-free and NULL pointer dereference race conditions in the dma-buf import path, affecting kernels from 6.8 through the fixes in 6.12.91, 6.18.33, 7.0.10 and 7.1. When a buffer object is shared from another GPU driver such as amdgpu, the exporter can invoke the Xe invalidate_mappings hook against a partially initialized or already-freed bo, crashing the system; two customers reported NULL ptr derefs in evict_flags. This is tagged Denial of Service, has no public exploit identified at time of analysis, and carries a low EPSS of 0.18% (7th percentile).
In the Linux kernel, the following vulnerability has been resolved: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong timeout value` warning was observed, accompanied by SMBus controller state machine corruption. The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of 10 ms. The user argument is checked against INT_MAX, but it is subsequently multiplied by 10 before being passed to msecs_to_jiffies(). A malicious user can pass a large value (e.g., 429496729) that passes the `arg > INT_MAX` check but overflows when multiplied by 10. This results in a truncated 32-bit unsigned value that bypasses the internal `(int)m < 0` check in `msecs_to_jiffies()`. The truncated value is then assigned to `client->adapter->timeout` (a signed 32-bit int), which is reinterpreted as a negative number. When passed to wait_for_completion_timeout(), this negative value undergoes sign extension to a 64-bit unsigned long, triggering the `schedule_timeout` warning and causing premature returns. This leaves the SMBus state machine in an unrecoverable state, constituting a local Denial of Service (DoS). Fix this by bounding the user argument to `INT_MAX / 10`. [wsa: move the comment as well]
Denial of service in the Linux kernel's WireGuard module causes the receive/decryption path to permanently stall for an individual peer under heavy network load. Affected stable trees (notably 6.12.34 through 6.12.73, with the same defect originating in 5.15/6.1 where threaded NAPI became default) can have inbound traffic to a specific WireGuard peer halt completely once the per-peer rx_queue fills its 1024-packet backlog and wg_packet_rx_poll is never rescheduled. The condition was reported by multiple production Cilium/Kubernetes operators; there is no public exploit identified at time of analysis and EPSS is very low (0.10%, 1st percentile).
Out-of-bounds write in Marlin Firmware (3D printer firmware) through 2.1.2.7 lets attackers corrupt firmware memory through the M421 G-code mesh-bed-leveling handler, which fails to upper-bound the X/Y grid indices before writing a 32-bit float into the z_values array. Any actor able to feed G-code to a printer built with MESH_BED_LEVELING enabled can write an attacker-controlled value past the array, overwriting adjacent firmware state and causing denial of service or unpredictable machine behavior. Publicly available exploit code exists and the fix is committed (1f255d1), but there is no public exploit identified as actively exploited in the wild (not in CISA KEV).
Out-of-bounds read in ImageMagick's ConnectedComponentsImage() function allows local attackers to trigger access violations by supplying malformed connected-components artifact definitions via the CLI, leading to denial of service or potential arbitrary code execution. All ImageMagick releases before 7.1.2-19 are affected, as are Magick.NET NuGet packages before 14.12.0. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the RCE and information-disclosure tags warrant attention in environments that process untrusted image inputs through automated pipelines.
Memory exhaustion via unfreed heap allocations in ImageMagick before 7.1.2-15 enables remote denial of service against services that process untrusted images through the affected raw-pixel-data coders. The flaw (CWE-401) causes 160-byte objects to accumulate on the heap with each crafted image processed, progressively starving the host process of memory. No public exploit code has been identified at time of analysis; the CVSS 4.0 score of 6.3 reflects network reachability offset by high attack complexity and partial attack requirements, limiting realistic mass exploitation.
Denial of service in Capgo's /auth/v1/otp endpoint blocks email-based 2FA enrollment for authenticated users in all versions before 12.128.2. The backend captcha validation subsystem fails to handle exceptions gracefully, consistently returning HTTP 500 errors and preventing users from completing two-factor authentication setup. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the impact is security-control degradation: users cannot activate 2FA, leaving accounts with only single-factor protection.
Cross-tenant data poisoning in Supabase Capgo before 12.128.2 allows remote unauthenticated attackers to corrupt billing and quota records by invoking the SECURITY DEFINER record_build_time RPC with only a public anon API key. The flaw stems from missing authorization inside a privilege-elevated PostgREST function, enabling arbitrary build-time inserts against any organization. No public exploit identified at time of analysis, but the trivial network-reachable invocation pattern makes weaponization straightforward.
Cross-tenant build sabotage in Capgo before 12.128.2 allows authenticated users with the app.build_native permission to start or cancel arbitrary builder jobs belonging to other tenants by supplying a victim jobId to the /build/start/:jobId and /build/cancel/:jobId endpoints. The handlers trust the attacker-supplied app_id in the request body and never verify jobId ownership, enabling denial of service, unauthorized compute consumption, and billing impact across tenants. No public exploit identified at time of analysis.
NULL pointer dereference in the Linux kernel SMC subsystem's smc_msg_event tracepoint crashes the kernel when SMC-D socket traffic is processed while the tracepoint is active. Affected kernels from commit aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84 across multiple stable branches dereference conn->lnk unconditionally in the tracepoint, though this pointer is only valid for SMC-R connections and is NULL for SMC-D. While activating the tracepoint requires root, the crash itself can be triggered by any unprivileged user via AF_SMC socket operations on SMC-D capable systems (s390 natively, or x86 with loopback ISM loaded). No public exploit or active exploitation confirmed; EPSS sits at 0.16%.
NULL pointer dereference in the Linux kernel RDS/InfiniBand subsystem allows an unprivileged local user to trigger a kernel panic by sending an atomic cmsg over an active RDS/IB connection. The completion handler rds_ib_send_unmap_op() lacks switch cases for masked atomic opcodes (IB_WR_MASKED_ATOMIC_CMP_AND_SWP, IB_WR_MASKED_ATOMIC_FETCH_AND_ADD), returning rm=NULL while the send operation remains flagged, leading to a fatal NULL dereference at rm->m_final_op in softirq context. No public exploit has been identified and EPSS is 0.16% (6th percentile), but the crash is deterministic and reproducible on any system with mlx4/mlx5 InfiniBand hardware running an unpatched kernel with active RDS/IB connections.
NULL pointer dereference in the Linux kernel's BPF socket storage subsystem (net/core/bpf_sk_storage.c) allows a local low-privileged user to crash the kernel. The race condition between bpf_selem_unlink_nofail() - which nulls smap before removing the element from the hlist - and concurrent RCU readers in bpf_sk_storage_clone() and bpf_sk_storage_diag_put_all() can be triggered during TCP SYN handling (socket cloning path), producing a kernel panic. No public exploit identified at time of analysis; EPSS of 0.14% (4th percentile) confirms negligible observed exploitation probability.
Local privilege escalation potential in the Linux kernel's io_uring poll subsystem arises from a signed-comparison flaw in io_poll_get_ownership(), where atomic_read() returns a signed int and the IO_POLL_CANCEL_FLAG (BIT(31)) makes poll_refs negative, so the '>= IO_POLL_REF_BIAS' slowpath check is never taken. Affecting kernels from the 5.15/6.x stable series through pre-patch 7.x, a local user with io_uring access can drive poll-reference accounting into an incorrect state during request cancellation, with CVSS 7.8 (AV:L) rating high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and EPSS is low (0.16%, 6th percentile), but a vendor patch is available across stable branches.
Remote denial-of-service in the Linux kernel SCTP stack arises from incomplete rollback when an ADD_OUT_STREAMS (add outgoing streams) reconfiguration request is denied; the kernel shrinks queued chunks and lowers outcnt but leaves stale stream metadata behind, so a later stream re-add reuses a freed/stale 'ext' object and triggers a NULL-pointer dereference in the scheduler get path. Any remote SCTP peer that can negotiate stream reconfiguration on an established association can crash the host, with no authentication or user interaction required per the CVSS vector (AV:N/AC:L/PR:N/UI:N, A:H). There is no public exploit identified at time of analysis and EPSS is low (0.16%), indicating no observed weaponization.
NULL pointer dereference in the Linux kernel VRF (Virtual Routing and Forwarding) subsystem allows a local low-privileged user to crash the kernel via a race condition between RCU readers and VRF port removal operations, resulting in a complete denial of service on affected systems. Systems using VRF network segmentation are at risk specifically when VRF port membership is dynamically modified concurrent with socket bind() operations. EPSS is 0.16% (6th percentile) and the vulnerability is not listed in CISA KEV; no public exploit code has been identified, but patched kernel versions are available across all active stable branches.
Use-after-free in the Linux kernel SCTP stack (net/sctp) allows a remote peer to crash the kernel by forcing an association to roll back from COOKIE_ECHOED to COOKIE_WAIT via a Stale Cookie ERROR. When sctp_stream_update() rebuilds the stream table during this rollback it leaves the scheduler's cached stream->out_curr pointer referencing freed memory, so the next scheduler dequeue (FCFS/RR/PRIO) dereferences a dangling sctp_stream_out entry. The flaw is tagged as Denial of Service, carries an NVD CVSS of 9.8, but has a low EPSS of 0.17% (6th percentile); no public exploit identified at time of analysis and it is not listed in CISA KEV.
Denial of service in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh routing subsystem allows a crash via NULL pointer dereference in the Distributed ARP Table (DAT) forwarding path. The function batadv_dat_forward_data() fails to check the return value of pskb_copy_for_clone() before passing the cloned skb to batadv_send_skb_prepare_unicast_4addr(), so a failed allocation while forwarding to a DHT candidate triggers a kernel oops. Affects systems running batman-adv mesh networking; this is a memory-pressure-dependent crash with no public exploit identified at time of analysis (EPSS 0.17%, 6th percentile), and it is not listed in CISA KEV.
Denial of service in the Linux kernel netfilter ipset subsystem allows a local low-privileged user to disrupt availability by triggering an iterator overrun in hash:ip,mark, hash:ip,port, hash:ip,port,ip, or hash:ip,port,net set types during IPv4 range iteration. The 32-bit loop iterator is not properly bounded, allowing it to advance past the last address in the requested range; subsequent retry passes then resume from an unintended position, corrupting traversal state. No public exploit is identified at time of analysis, and the EPSS score of 0.16% (6th percentile) confirms very low exploitation probability, making this a routine patching priority rather than an emergency response.
Denial of service in the Linux kernel's batman-adv mesh networking module arises from faulty length accounting during fragment reassembly, where the accumulated payload length can be truncated during updates, letting malformed fragment chains bypass validation and drive reassembly with inconsistent length state. The flaw affects systems running the B.A.T.M.A.N. Advanced (batman-adv) module across many stable kernel series and results in a local denial of service per the upstream description. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 7th percentile), and the NVD CVSS of 9.8 conflicts with the upstream 'local denial of service' characterization.
NULL pointer dereference in the Linux kernel's batman-adv OGMv2 subsystem allows a local low-privilege user to crash the kernel by racing interface teardown against OGM dispatch. When a batman-adv hard interface is disabled and its mesh_iface pointer is set to NULL, the batadv_v_ogm_queue_on_if() function continues to call netdev_priv() on that NULL pointer, triggering a kernel panic. No public exploit exists and EPSS is 0.18% (7th percentile), making this low operational priority except on systems actively running batman-adv mesh networking.
Stack-based buffer overflow (CWE-121) in the GV-Cloud component of GeoVision GV-VMS V20 20.0.2 enables a remote attacker with a network-intercept position to crash the video management system, causing high-impact denial of service against physical security infrastructure. Exploitation requires impersonating the legitimate GV-Cloud server - achieved via MitM techniques - and delivering a specially crafted network payload that corrupts stack memory in the GV-Cloud client handler. Reported by Cisco Talos (TALOS-2026-2411); no public exploit has been identified at time of analysis and no CISA KEV listing exists.
Heap use-after-free in GPAC MP4Box 2.5-DEV-rev1593-gfe88c3545-master crashes the application when a local authenticated user processes a specially crafted MPEG-2 TS or MP4 file. The defect resides in `gf_filter_pid_inst_swap_delete_task()` within `filter_core/filter_pid.c`, where PID instance cleanup dereferences already-freed objects during a swap/delete operation, causing a heap corruption and denial of service. No public exploit has triggered active exploitation per CISA KEV, but a proof-of-concept is publicly available; EPSS sits at 0.18% (7th percentile), consistent with limited real-world targeting.
Denial of service in GPAC (libgpac/MP4Box) before 26.02.0 lets an attacker crash the application by feeding it a crafted media file that triggers a use-after-free in gf_filter_pid_inst_swap_delete_task within the filter-core PID handling code. Any pipeline or user that parses untrusted media through GPAC is affected, with publicly available proof-of-concept code, though no active exploitation has been reported and EPSS exploitation probability is low (0.17%, 6th percentile). Impact is limited to availability - there is no confidentiality or integrity loss per the CVSS vector.
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by supplying a crafted media file. The flaw is an out-of-bounds read of a language metadata string in gf_media_import (media_import.c), where three characters were read without verifying the string's length. Publicly available exploit code exists (sigdevel PoC), but it is not listed in CISA KEV and EPSS is low (0.19%, 8th percentile), indicating minimal observed real-world exploitation.
Use-after-free in GPAC MP4Box before version 26.02.0 allows a local attacker to crash the application by supplying a crafted media file, resulting in Denial of Service. The flaw resides in the filter PID lifecycle management within filter_pid.c, where a PID instance could be freed prematurely while a pending reconfiguration task still held a reference to it. Publicly available exploit code exists, though the attack requires user interaction to process the malicious file and exploitation is limited to DoS with no confidentiality or integrity impact.
Unrestricted TOTP brute-forcing on Snipe-IT versions prior to 8.6.0 allows an attacker holding valid password credentials to bypass two-factor authentication by submitting unlimited guesses against the `POST /two-factor` endpoint, which enforces no rate limit, lockout, or attempt counter. With the `google2fa` window configured at 1, three of one million possible codes are valid at any instant, making statistical exhaustion feasible via scripted requests. Successful exploitation yields full session-level account takeover; in optional-2FA deployments the attacker can additionally call `POST /account/profile` to permanently disable 2FA with no re-verification, and admin-privileged attackers can clear other users' 2FA secrets via `POST /api/v1/users/two_factor_reset`. No public exploit has been identified at time of analysis.
Permanent denial of service in opentelemetry-ebpf-profiler versions 0.0.202527 through 0.0.202621 allows any unprivileged co-located process to halt the agent's ELF analysis goroutine by placing a FIFO or special file at a path the profiler will attempt to open via openat2. Once blocked, the processPIDEvents goroutine never recovers, rendering the profiling agent inoperable for the lifetime of the process. No public exploit has been identified at time of analysis; impact is strictly confined to availability of the profiling agent with no data exposure or privilege escalation possible.
Denial of service in CPython's tarfile module allows remote attackers to trigger an infinite loop by supplying a crafted tar archive opened in streaming mode (mode='r|'). The seek() routine fails to detect EOF and keeps requesting bufsize reads of empty data when a TarInfo header declares a size far larger than the actual stream, exhausting CPU on any Python service that parses untrusted tar streams. No public exploit identified at time of analysis, but the upstream fix and a reproducer test case are both published on GitHub.
Uncontrolled resource consumption in jackson-databind 2.10.0 through 2.13.5 allows unauthenticated remote attackers to cause a Denial-of-Service by submitting small (~2kB), deeply nested JSON payloads that trigger a StackOverflowError when a service reads the input via ObjectMapper.readTree() and serializes the resulting JsonNode using JsonNode.toString(). The root cause is recursive serialization in the toString() call path, which was replaced with an iterative IteratorStack-based implementation in version 2.14.0. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.
Denial of Service in the collective/icalendar Python library allows attackers to crash or hang applications that process externally supplied iCalendar data. The vulnerability carries a CVSS score of 7.5 High and affects Plone CMS deployments as well as any Python application using the library to parse .ics input. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV.
Denial of service in Plone's RSS feed portlet component (plone.app.portlets) allows an attacker to exhaust server resources by supplying or triggering the parsing of a maliciously crafted RSS/Atom feed, rendering the Plone application unavailable. Disclosed June 23, 2026 as part of a coordinated Plone security release, the issue carries a critical severity rating of 9.1. No public exploit code or CISA KEV listing has been identified at time of analysis.
Denial-of-service via malformed iCalendar import in Plone's plone.app.event package, rated 9.1 critical, enables remote disruption of affected Plone installations by submitting a crafted ICS file to the event import endpoint. Disclosed June 23, 2026 as part of a coordinated Plone security release addressing six distinct vulnerabilities across multiple packages. No public exploit code or CISA KEV listing has been identified at time of analysis, though the critical severity rating and co-disclosure of a related icalendar library CVE (CVE-2026-55099) the same week warrant prompt patching.
Stored cross-site scripting in Plone CMS enables persistent script injection by spoofing file MIME types within the plone.app.textfield and plone.restapi packages, announced June 5, 2026. An attacker with content-upload access can craft a file whose declared MIME type bypasses Plone's content-type enforcement, causing browsers to render the payload as HTML or JavaScript when other users access the stored content. No public exploit code or CISA KEV listing has been identified at time of analysis; the moderate severity rating (4.3) reflects the stored persistence risk offset by the upload-privilege requirement.
Denial of service in MuPDF before 1.27.0-rc1 allows remote attackers to crash any application embedding the library for EPUB rendering by supplying a crafted EPUB file containing deeply nested HTML elements and inline CSS. The flaw lives in the CSS property inheritance walker (value_from_inheritable_property() in css-apply.c), which recurses without a depth bound and exhausts the process stack. Publicly available exploit code exists via the Artifex bug tracker, but the issue is not listed in CISA KEV and CVSS 4.0 base is 7.1 (availability-only impact).
File descriptor exhaustion in the Gogs built-in Go SSH server allows unauthenticated remote attackers to render the SSH service completely unavailable. By opening a large number of TCP connections to the SSH port and withholding the SSH-2.0 protocol banner, an attacker forces Gogs to spawn unbounded goroutines that block indefinitely in `golang.org/x/crypto/ssh.NewServerConn`, consuming one file descriptor per connection. Once the OS `ulimit -n` ceiling is breached, the server can accept no new connections and the entire Gogs process begins failing with cascading I/O errors. No public exploitation (KEV) confirmed, but a fully functional Python PoC is publicly disclosed alongside the advisory and the fix is available in v0.14.3.
Denial of service in dhcpcd through version 10.3.2 allows an adjacent-network attacker to exhaust memory in the daemon by repeatedly sending crafted IPv6 Router Advertisements with zero-lifetime Route Information options. The unfreed allocations in routeinfo_findalloc() accumulate linearly until the daemon crashes, disrupting DHCP client functionality on the affected host. No public exploit identified at time of analysis, but the upstream fix (commit 708b4a5) is available.
Heap use-after-free in dhcpcd through 10.3.2 enables unauthenticated same-link attackers - acting as or impersonating a DHCPv6 server - to crash the daemon by sending a crafted DHCPv6 RENEW reply exploiting a pointer lifecycle flaw in delegated prefix deprecation. The flaw triggers dhcp6_deprecatedele() to free a delegated child address while an outer TAILQ_FOREACH_SAFE iterator in dhcp6_deprecateaddrs() still retains the freed pointer, causing a use-after-free when TAILQ_REMOVE is subsequently reached. Impact is limited to availability (daemon crash); no public exploit or CISA KEV listing exists at time of analysis, but the adjacent-network attack vector and zero-privilege requirement lower the bar for local segment adversaries.
Heap overflow in rsyslog's contributed imhttp module allows remote unauthenticated clients to corrupt the rsyslog process heap by sending an oversized HTTP Basic Authentication header. The root cause is a one-character typo - `calloc(0, len)` instead of `calloc(1, len)` - which allocates zero or minimal bytes before the Base64 decoder writes up to `len` bytes into the buffer. The practical expected impact is denial of service (rsyslog process crash); remote code execution is theoretically possible but depends on heap allocator behavior, compiler hardening, and platform. No public exploit identified at time of analysis, and the vulnerability is not in CISA KEV.
Denial of service in Elixir Plug 1.15.0 through 1.19.2 allows unauthenticated remote attackers to saturate BEAM schedulers by sending HTTP requests with deeply nested bracket-style query parameters (e.g. a[a][a]...=1). Plug.Conn.Query.decode/4 exhibits quadratic algorithmic complexity in the number of nesting levels, so a single 1 MB request can produce ~333,000 levels and freeze a Plug-based server for minutes. No public exploit identified at time of analysis, but the trigger is trivial and the upstream fix is already merged across multiple release branches.
Heap use-after-free in ImageMagick's meta coder allows remote attackers to crash the process by submitting a specially crafted image file that triggers a memory allocation failure, causing a single byte write to a stale (freed) pointer. Affected versions are ImageMagick before 7.1.2-15 and 6.9.13-40, as well as Magick.NET NuGet wrapper packages before 14.10.3. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 6.3 with AC:H and AT:P reflects that reliable exploitation requires specific memory allocation failure conditions rather than straightforward request-and-crash triggering.
Unauthenticated denial of service in Cap-go capgo (capgo-backend) before 12.128.12 allows remote attackers to exhaust PostgreSQL resources by sending unfiltered queries to the public.audit_logs PostgREST endpoint using the public anon key. Because the query planner runs expensive logic before Row-Level Security rejection, repeated requests trigger statement timeouts (error 57014) and cascade into HTTP 500 failures on unrelated endpoints such as /orgs. No public exploit identified at time of analysis, though the technique is fully described in the GHSA advisory.
Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 /. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
OpenSSH's GSSAPI authentication cleanup routine contains a heap out-of-bounds read (CWE-125) triggered when the auth-indicators array lacks a trailing NULL terminator, allowing a remote unauthenticated attacker to crash the SSH authentication path and deny SSH service availability. Exploitation is constrained by high attack complexity (AC:H) due to the non-default Kerberos/GSSAPI configuration requirement, limiting real-world exposure to a minority of deployments. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and the impact is restricted to partial availability loss with no confidentiality or integrity consequence.
Client-side Denial of Service in OpenSSH's Diffie-Hellman Group Exchange implementation allows a malicious SSH server to crash connecting clients running in FIPS mode. When a victim initiates an SSH connection to an attacker-controlled server, the server sends crafted DH-GEX group parameters that trigger a double free (CWE-415) during FIPS known-group validation, terminating the client process. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the constraint that only FIPS-mode clients are affected limits real-world impact to regulated or government environments.
GPAC MP4Box v2.4 was discovered to contain a NULL pointer dereference in the gf_isom_add_track_kind() function at isomedia/isom_write.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
Denial of service in OpenLink Virtuoso OpenSource v7.2.11 allows remote attackers to crash the database server by submitting crafted SQL statements that trigger a fault in the sqlo_try_in_loop SQL optimizer component. No public exploit identified at time of analysis, though SSVC indicates a proof-of-concept exists in the referenced GitHub issue. The flaw is tagged as SQLi-class (CWE-89) but the demonstrated impact is availability-only, with no confidentiality or integrity loss per the CVSS vector.
Denial of service in OpenLink Virtuoso OpenSource v7.2.11 allows remote attackers to crash the database server by submitting specially crafted SQL statements that trigger a flaw in the sqlo_untry query-optimization component. The CVSS 7.5 score reflects unauthenticated network exploitability with high availability impact, but no public exploit identified at time of analysis and the issue is currently tracked only as an upstream GitHub issue without a released fix.
Denial of service in OpenLink Virtuoso Open-Source Edition 7.2.11 lets attackers crash the database server by submitting crafted SQL statements that mishandle the sqlo_key_part_best query-optimizer routine. The flaw carries no confidentiality or integrity impact (availability-only, CVSS 7.5) and there is no public exploit identified at time of analysis; EPSS is low at 0.15% (4th percentile), and it is not listed in CISA KEV. The only public reference is the upstream GitHub issue (#1222) tracking the crash.
Denial of service in OpenLink Virtuoso Open Source Edition 7.2.11 lets attackers crash the database server by submitting crafted SQL statements that trigger a fault in the sqlo_natural_join_cond query-optimizer component. The flaw carries no confidentiality or integrity impact but fully degrades availability (CVSS 7.5, A:H). There is no public exploit identified at time of analysis and EPSS is low (0.15%), indicating limited near-term exploitation likelihood; only a GitHub issue documenting the defect is published.
Denial of service in OpenLink Virtuoso Open Source Edition 7.2.11 lets attackers crash the database server by submitting crafted SQL statements that reach the time_t_to_dt date/time conversion routine. The defect is availability-only (no data exposure or integrity loss) and is tracked publicly via GitHub issue #1233; it carries a CVSS 3.1 base score of 7.5 but a low EPSS of 0.15% (4th percentile), and there is no public exploit identified at time of analysis and no evidence of active exploitation.
Denial of service in OpenLink Virtuoso (open-source edition) v7.2.11 allows attackers to crash the database server by submitting crafted SQL statements that mishandle the internal st_compare comparison routine. The flaw affects availability only (CVSS A:H, no confidentiality or integrity impact) and carries a 7.5 base score; EPSS is low (0.15%, 5th percentile) with no public exploit identified at time of analysis and no CISA KEV listing. Despite the CWE-89 (SQL Injection) classification, the reported effect is a service crash rather than data manipulation or extraction.
Denial of service in OpenLink Virtuoso Open Source Edition 7.2.11 lets attackers crash the database engine by submitting crafted SQL statements that mishandle the internal t_set_push routine. The flaw carries availability-only impact (CVSS 7.5, A:H) with no confidentiality or integrity loss. EPSS is low (0.15%, 4th percentile), there is no public exploit identified at time of analysis, and it is not listed in CISA KEV - so risk is theoretical rather than actively exploited.
Denial of service in OpenLink Virtuoso OpenSource v7.2.11 allows remote unauthenticated attackers to crash the database server by submitting crafted SQL statements that trigger a fault in the sqlo_strip_in_join query-optimization component. The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N) reflects network-reachable, no-auth exploitation with high availability impact and no confidentiality or integrity loss. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
An issue in the sqlo_place_dt_set component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Denial of service in OpenLink Virtuoso OpenSource v7.2.11 allows remote attackers to crash the database server by submitting crafted SQL statements that trigger a fault in the sslr_qst_get component. The flaw is classified under CWE-89 (SQL injection class) but the documented impact is availability-only with no confidentiality or integrity loss per the CVSS vector. No public exploit identified at time of analysis, and the issue is tracked only via an upstream GitHub issue (#1229) rather than a tagged fixed release.
Denial of service in OpenLink Virtuoso Open Source Edition v7.2.11 allows remote attackers to crash the database engine by submitting crafted SQL statements that mishandle column predicate processing inside the sqlo_tb_col_preds query optimizer component. CVSS 7.5 reflects high availability impact with no authentication required, though no public exploit identified at time of analysis and the issue is tracked only as an upstream GitHub bug report.
Denial-of-service and potential out-of-bounds read in the Zephyr RTOS Bluetooth Host ISO receive path allows a malicious or compromised Bluetooth controller to crash devices using CONFIG_BT_ISO_RX by sending malformed HCI ISO packets with undersized SDU headers. The flaw resides in bt_iso_recv() within subsys/bluetooth/host/iso.c, where header bytes are pulled without prior length validation. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Denial of service in Zephyr RTOS Bluetooth Classic SDP parser allows adjacent Bluetooth attackers to crash devices via a malformed 3-byte SDP attribute that triggers a reachable kernel assertion. The flaw resides in bt_sdp_parse_attribute() in subsys/bluetooth/host/classic/sdp.c, where the parser pulls a value-type byte without first verifying buffer length, causing a kernel panic in assert-enabled builds and an out-of-bounds read with undefined behavior when assertions are disabled. No public exploit identified at time of analysis, though the GHSA advisory describes the trigger conditions in enough detail to reproduce.
Out-of-bounds read and denial-of-service in Zephyr RTOS's ext2 filesystem parser expose embedded devices to filesystem-level attacks via maliciously crafted disk images. The flaw resides in ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), where insufficient validation of on-disk directory entry fields - specifically de_rec_len and de_name_len against block boundaries - allows a crafted ext2 image to trigger an oversized memcpy (out-of-bounds read) or a zero-progress infinite loop when de_rec_len equals zero. All Zephyr versions are indicated as affected per the wildcard CPE, no public exploit code has been identified at time of analysis, and this CVE is not currently listed in CISA KEV.
Unchecked large-array allocation in MessagePack for C# exposes any .NET application deserializing untrusted MessagePack extension payloads to a denial-of-service condition. The UnsafeBlitFormatterBase<T>.Deserialize method trusts an attacker-supplied byteLength field from the inner extension payload and allocates a T[] array of that size before comparing it against the outer extension header length or remaining input bytes, meaning a few-byte payload can trigger gigabyte-scale allocations. No active exploitation has been confirmed (no CISA KEV listing, no public exploit identified at time of analysis), but the attack requires no authentication and no user interaction, lowering the bar for any attacker with network access to an exposed endpoint.
Heap exhaustion via crafted multi-dimensional array payloads in MessagePack-CSharp affects all v2.x releases before 2.5.301 and all v3.x releases before 3.1.7, enabling remote unauthenticated attackers to trigger disproportionately large heap allocations with minimal payload bytes. The multi-dimensional array formatters (T[,], T[,,], T[,,,]) allocate based on attacker-supplied dimension values before cross-validating against the encoded element count, so a payload declaring a 10000×10000 array with only a handful of elements forces a massive allocation before any guard fires. No public exploit or active exploitation has been confirmed; the CVSS 4.0 score of 6.3 reflects high attack complexity and a specific prerequisite condition (AT:P), constraining realistic risk to services that deserialize untrusted MessagePack containing multi-dimensional array types.
CPU denial of service in MessagePack for C# affects applications deserializing ILookup<TKey,TElement> types from untrusted input, exploitable even when the application has explicitly configured MessagePack's untrusted-data security posture. The InterfaceLookupFormatter constructs its internal dictionary with the default equality comparer rather than the security-aware, randomization-backed comparer provided by options.Security.GetEqualityComparer<TKey>(), silently bypassing the protection the developer believed was active. No public exploit code has been identified at time of analysis, and the CVSS 4.0 AC:H/AT:P rating reflects that exploitation requires crafting keys with deliberate hash collisions.
Rate-limit bypass in Capgo versions prior to 12.128.2 lets remote unauthenticated attackers flood the channel_self endpoint by rotating the client-supplied device_id parameter, defeating per-device throttling. Sustained abuse writes unbounded rows into the channel_devices table, exhausting database resources and degrading or denying service to legitimate users. No public exploit identified at time of analysis, but the attack is trivial to script given CVSS 4.0 AV:N/AC:L/PR:N/UI:N.
Unenforced resource limits on the POST /app/demo endpoint in Capgo before 12.128.2 allow any authenticated user holding org write permissions to create unlimited demo applications, each triggering approximately 138 database write operations. Sustained abuse degrades platform performance, inflates infrastructure costs, and can cause service instability for all tenants sharing the backend. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low exploitation complexity for any org-level member makes compromised-account or insider-threat scenarios operationally realistic.
Denial of service in Inspektor Gadget's USDT note parser (pkg/uprobetracer/usdt.go) allows an unprivileged container process to crash or OOM-kill the privileged IG host process by placing a crafted ELF binary at a path targeted by a custom USDT gadget. Two distinct attack vectors exist: a panic from out-of-bounds slice access when DescSize is artificially small, and unbounded memory allocation (~4 GiB) when NameSize or DescSize is set to 0xFFFFFFFF. No public exploit identified at time of analysis; critically, no gadget shipped by the Inspektor Gadget project uses USDT probes, so only deployments running operator-developed custom USDT gadgets are exposed.
Infinite loop denial-of-service in pypdf prior to 6.13.1 allows an attacker to hang any process that merges a crafted PDF containing cyclic article/thread structures. The vulnerability exists in the `_add_articles_thread()` method of `_writer.py`, which traversed PDF article bead linked-list structures without cycle detection, permitting a self-referential `/N` (Next) pointer chain to create an irrecoverable loop. No public exploit code or CISA KEV listing exists at time of analysis, but the upstream PR diff publicly discloses the precise triggering structure, lowering the bar for exploitation against vulnerable merge pipelines.
Memory exhaustion denial of service in Gophish through 0.12.1 allows authenticated low-privilege users to crash the phishing-campaign server by uploading a zip-bomb Office document as an email template attachment. Publicly available exploit code exists, demonstrating that any account with the User role can trigger an OOM kill of the Gophish process and disrupt ongoing campaigns. No CISA KEV listing is present, but the trivial complexity and available POC make opportunistic abuse realistic against multi-tenant or shared Gophish deployments.
LDAP injection in OpenAM (Open Identity Platform) versions <= 16.0.6 allows authenticated attackers to inject arbitrary LDAP metacharacters via the `_queryId` parameter on the CREST REST API user/group endpoints, enabling user enumeration and blind LDAP injection. The flaw stems from `IdentityResourceV1.queryCollection()` explicitly setting `escapeQueryId=false`, regressing the escape protection added for CVE-2021-29156. No public exploit identified at time of analysis, but the issue is fixed upstream in release 16.1.1.
Denial of service in the IBM WebSphere WebServer Plug-in component affects IBM i 7.3 through 7.6, IBM WebSphere Application Server, and IBM WebSphere Application Server Liberty via a NULL pointer dereference (CWE-476) triggered by crafted HTTP requests. The CVSS vector (AV:N/AC:H/PR:N/UI:N) confirms remote unauthenticated exploitation, though high attack complexity limits opportunistic mass exploitation. Impact is limited to availability - no confidentiality or integrity compromise - and no public exploit or CISA KEV listing has been identified at time of analysis.
Denial of service in Gogs repository and wiki web interfaces allows any authenticated user with write access to permanently break file listing pages by committing a file whose name contains incomplete git pathspec metacharacters. Affected versions are Gogs <= 0.14.2; the web UI for the targeted repository or wiki returns HTTP 500 on every subsequent page load until an administrator removes the malicious file via CLI. Publicly available exploit code exists as documented in the GHSA-3qq3-668m-v9mj advisory with a specific PoC payload; no active exploitation confirmed (not in CISA KEV).
### Summary The regex validation used to prevent Introspection queries can be bypassed by removing the extra whitespace, carriage return, and line feed characters from the query. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Local privilege escalation and denial of service in qSnapper before 1.3.3 stems from path traversal via the configName D-Bus parameter, allowing local attackers to point the snapper backend at attacker-controlled config files. Per the SUSE security review that produced coordinated fixes for CVE-2026-41045 through CVE-2026-41049, exploitation can crash the service or escalate to root through abuse of snapper configuration handling. No public exploit identified at time of analysis, but the upstream advisory and Bugzilla entry document the issue in detail.
Denial of service in IBM WebSphere Application Server 9.0 and 8.5, and WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.6, allows remote unauthenticated attackers to exhaust server memory by sending specially-crafted requests. CVSS 7.5 (availability-only impact) with no public exploit identified at time of analysis and a low EPSS score of 0.31% (23rd percentile). IBM has released a patch via support advisory 7276579; CISA SSVC currently rates exploitation status as 'none'.
Denial of service in IBM WebSphere Application Server 8.5 and 9.0, plus WebSphere Liberty 17.0.0.3 through 26.0.0.6, allows remote unauthenticated attackers to exhaust server memory by sending a specially crafted request. The CVSS 7.5 score reflects high availability impact with no privileges or user interaction required, though no public exploit identified at time of analysis and no EPSS or KEV data is provided.
Remote code execution and denial of service in IBM WebSphere Application Server and WebSphere Application Server Liberty (including IBM i 7.3-7.6) occurs when the WebServer Plug-in component is deployed with Intelligent Management enabled. An attacker who can impersonate a backend application server and return crafted responses can trigger code injection (CWE-94) against the plug-in, yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis; EPSS 0.38% and SSVC exploitation 'none' indicate no observed weaponization despite the 9.8 CVSS rating.
Remote code execution and denial of service in the IBM WebSphere Web Server Plug-in shipped with IBM i 7.3, 7.4, 7.5, and 7.6 (through 1.8.4) allows an attacker positioned on the adjacent network to abuse the plug-in's handling of responses from an upstream WebSphere Application Server. By impersonating the application server and returning crafted responses, the attacker can trigger code injection (CWE-94) against the plug-in, leading to full compromise of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and EPSS is low (0.25%), but SSVC rates the technical impact as total.
Heap-based buffer overflow in dnsmasq's DNSSEC logging path enables remote denial of service against instances where both DNSSEC validation and query logging are simultaneously enabled. When dnsmasq receives a DS or DNSKEY DNS response containing an algorithm or digest type it does not recognize, its logging routine writes past the end of an internal heap-allocated buffer, corrupting memory and crashing the process. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, the network-deliverable attack vector (PR:N) makes the configuration prerequisite the primary limiting factor for defenders.
IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8,5.0,5.1,5.2,5.3 could allow an authenticated user to cause a denial of service when creating new databases due to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.
Use-after-free in libxml2's xmlParseInternalSubset function affects GNOME libxml2 versions 2.9.11 through 2.11.0 and can be triggered remotely by crafted XML containing abusive entity resolution, leading to denial of service of any application that parses untrusted XML with this library. Publicly available exploit code exists (CVSS 4.0 E:P) but the issue is not listed in CISA KEV, indicating proof-of-concept demonstration rather than confirmed active exploitation. The flaw was disclosed by Canonical and tracked in GNOME GitLab work item 1058 and Ubuntu Launchpad bug 2141260.
Local privilege abuse in ASUS Armoury Crate (versions up to and including 6.4.12) allows a local administrator to bypass input validation and perform arbitrary kernel memory read/write or trigger a system crash (BSOD). The flaw is reported by ASUS and tracked as EUVD-2026-38205; no public exploit identified at time of analysis. CVSS 4.0 base score is 7.1 with high attack complexity and high privileges required, reflecting that exploitation needs an existing administrative foothold.
Heap out-of-bounds read in ImageMagick's PCD image decoder (versions prior to 7.1.2-15 and 6.9.13-40) allows unauthenticated network-reachable attackers to cause denial of service and disclose a single adjacent heap byte by supplying a crafted PCD file to an image-processing endpoint. The vulnerability is rooted in the PCD coder's DecodeImage loop and requires high attack complexity (AC:H) with specific attack prerequisites (AT:P), meaning the target application must actively process attacker-supplied PCD files. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis, though .NET bindings via Magick.NET NuGet packages are also affected and carry a separate fix version.
Authentication bypass in Capgo's /build/upload/:jobId/* endpoint exposes all versions before 12.128.2 to unauthenticated denial of service. Remote attackers exploit HTTP OPTIONS request handling to sidestep authentication middleware entirely, forcing tusProxy to execute with invalid credentials and reliably producing HTTP 500 errors at scale. No public exploit code or CISA KEV listing exists at time of analysis, but the trivial attack mechanics - requiring no credentials, tools, or interaction - mean any internet-exposed Capgo instance is at risk of request flooding.
NULL pointer dereference in the Linux kernel's sch_dualpi2 queuing discipline (net/sched) allows a local attacker with low privileges to crash the kernel, causing a denial of service. The flaw exists in dualpi2_change(), which enforces updated queue limits after a qdisc reconfiguration: when traffic is exclusively queued in the L-queue and the C-queue is empty, the function unconditionally dereferences the NULL skb returned by the C-queue dequeue path, triggering a kernel panic. No public exploit code has been identified and EPSS sits at 0.17% (7th percentile), consistent with a locally-triggered, configuration-dependent kernel bug.
Out-of-bounds memory access in the Linux kernel's netfilter SIP connection-tracking helper (nf_conntrack_sip) stems from parsing port numbers in non-NUL-terminated socket-buffer data with simple_strtoul() and dereferencing pointers after sip_parse_addr() without bounds checks. Remote attackers sending crafted SIP messages through a host where the SIP conntrack/NAT helper is active could read past the packet buffer, risking information disclosure or instability (tagged Information Disclosure). Despite a CVSS of 9.8, EPSS is only 0.18% (8th percentile) and no public exploit is identified at time of analysis; a vendor fix is available across multiple stable trees.
In the Linux kernel, the following vulnerability has been resolved: sched/fair: Clear rel_deadline when initializing forked entities A yield-triggered crash can happen when a newly forked sched_entity enters the fair class with se->rel_deadline unexpectedly set. The failing sequence is: 1. A task is forked while se->rel_deadline is still set. 2. __sched_fork() initializes vruntime, vlag and other sched_entity state, but does not clear rel_deadline. 3. On the first enqueue, enqueue_entity() calls place_entity(). 4. Because se->rel_deadline is set, place_entity() treats se->deadline as a relative deadline and converts it to an absolute deadline by adding the current vruntime. 5. However, the forked entity's deadline is not a valid inherited relative deadline for this new scheduling instance, so the conversion produces an abnormally large deadline. 6. If the task later calls sched_yield(), yield_task_fair() advances se->vruntime to se->deadline. 7. The inflated vruntime is then used by the following enqueue path, where the vruntime-derived key can overflow when multiplied by the entity weight. 8. This corrupts cfs_rq->sum_w_vruntime, breaks EEVDF eligibility calculation, and can eventually make all entities appear ineligible. pick_next_entity() may then return NULL unexpectedly, leading to a later NULL dereference. A captured trace shows the effect clearly. Before yield, the entity's vruntime was around: 9834017729983308 After yield_task_fair() executed: se->vruntime = se->deadline the vruntime jumped to: 19668035460670230 and the deadline was later advanced further to: 19668035463470230 This shows that the deadline had already become abnormally large before yield_task_fair() copied it into vruntime. rel_deadline is only meaningful when se->deadline really carries a relative deadline that still needs to be placed against vruntime. A freshly forked sched_entity should not inherit or retain this state. Clear se->rel_deadline in __sched_fork(), together with the other sched_entity runtime state, so that the first enqueue does not interpret the new entity's deadline as a stale relative deadline.
Out-of-bounds read and denial-of-service in the Linux kernel SMB/CIFS client (cifs.ko) affects systems mounting SMB shares on 32-bit architectures. When parsing a malicious SMB2 error response, the symlink_data() routine mishandles a hostile ErrorDataLength value, causing either an infinite loop or a read past the buffer that can hang the client or leak adjacent kernel memory. There is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile), but the bug is reachable by any malicious or compromised SMB server a vulnerable client connects to.
In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure When ttm_tt_swapout() fails, the current code calls ttm_resource_add_bulk_move() followed by ttm_resource_move_to_lru_tail() to restore the resource's bulk_move membership. However, ttm_resource_move_to_lru_tail() places the resource at the tail of the LRU list which, relative to the walk cursor's hitch node (placed immediately after the resource when it was yielded), puts the resource *in front of the* the hitch. The next list_for_each_entry_continue() from the hitch finds the same resource again, causing an infinite loop. Fix by deferring del_bulk_move to the success path only. On the success path, TTM_TT_FLAG_SWAPPED has just been set by ttm_tt_swapout() but the resource is still tracked in the bulk_move range, so ttm_resource_del_bulk_move()'s !ttm_resource_unevictable() guard would incorrectly skip the removal. Introduce ttm_resource_del_bulk_move_unevictable() which bypasses that guard.
In the Linux kernel, the following vulnerability has been resolved: ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size The generic/642 test-case can reproduce the kernel crash: [40243.605254] ------------[ cut here ]------------ [40243.605956] kernel BUG at fs/ceph/xattr.c:918! [40243.607142] Oops: invalid opcode: 0000 [#1] SMP PTI [40243.608067] CPU: 7 UID: 0 PID: 498762 Comm: kworker/7:1 Not tainted 7.0.0-rc7+ #3 PREEMPT(full) [40243.609700] Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [40243.611820] Workqueue: ceph-msgr ceph_con_workfn [40243.612715] RIP: 0010:__ceph_build_xattrs_blob+0x1b8/0x1e0 [40243.613731] Code: 0f 84 82 fe ff ff e9 cf 8e 56 ff 48 8d 65 e8 31 c0 5b 41 5c 41 5d 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 c3 cc cc cc cc <0f> 0b 4c 8b 62 08 41 8b 85 24 07 00 00 49 83 c4 04 41 89 44 24 fc [40243.616888] RSP: 0018:ffffcc80c4d4b688 EFLAGS: 00010287 [40243.617773] RAX: 0000000000010026 RBX: 0000000000000001 RCX: 0000000000000000 [40243.618928] RDX: ffff8a773798dee0 RSI: 0000000000000000 RDI: 0000000000000000 [40243.620158] RBP: ffffcc80c4d4b6a0 R08: 0000000000000000 R09: 0000000000000000 [40243.621573] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8a75f3b58000 [40243.622907] R13: ffff8a75f3b58000 R14: 0000000000000080 R15: 000000000000bffd [40243.624054] FS: 0000000000000000(0000) GS:ffff8a787d1b4000(0000) knlGS:0000000000000000 [40243.625331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [40243.626269] CR2: 000072f390b623c0 CR3: 000000011c02a003 CR4: 0000000000372ef0 [40243.627408] Call Trace: [40243.627839] <TASK> [40243.628188] __prep_cap+0x3fd/0x4a0 [40243.628789] ? do_raw_spin_unlock+0x4e/0xe0 [40243.629474] ceph_check_caps+0x46a/0xc80 [40243.630094] ? __lock_acquire+0x4a2/0x2650 [40243.630773] ? find_held_lock+0x31/0x90 [40243.631347] ? handle_cap_grant+0x79f/0x1060 [40243.632068] ? lock_release+0xd9/0x300 [40243.632696] ? __mutex_unlock_slowpath+0x3e/0x340 [40243.633429] ? lock_release+0xd9/0x300 [40243.634052] handle_cap_grant+0xcf6/0x1060 [40243.634745] ceph_handle_caps+0x122b/0x2110 [40243.635415] mds_dispatch+0x5bd/0x2160 [40243.636034] ? ceph_con_process_message+0x65/0x190 [40243.636828] ? lock_release+0xd9/0x300 [40243.637431] ceph_con_process_message+0x7a/0x190 [40243.638184] ? kfree+0x311/0x4f0 [40243.638749] ? kfree+0x311/0x4f0 [40243.639268] process_message+0x16/0x1a0 [40243.639915] ? sg_free_table+0x39/0x90 [40243.640572] ceph_con_v2_try_read+0xf58/0x2120 [40243.641255] ? lock_acquire+0xc8/0x300 [40243.641863] ceph_con_workfn+0x151/0x820 [40243.642493] process_one_work+0x22f/0x630 [40243.643093] ? process_one_work+0x254/0x630 [40243.643770] worker_thread+0x1e2/0x400 [40243.644332] ? __pfx_worker_thread+0x10/0x10 [40243.645020] kthread+0x109/0x140 [40243.645560] ? __pfx_kthread+0x10/0x10 [40243.646125] ret_from_fork+0x3f8/0x480 [40243.646752] ? __pfx_kthread+0x10/0x10 [40243.647316] ? __pfx_kthread+0x10/0x10 [40243.647919] ret_from_fork_asm+0x1a/0x30 [40243.648556] </TASK> [40243.648902] Modules linked in: overlay hctr2 libpolyval chacha libchacha adiantum libnh libpoly1305 essiv intel_rapl_msr intel_rapl_common intel_uncore_frequency_common skx_edac_common nfit kvm_intel kvm irqbypass joydev ghash_clmulni_intel aesni_intel rapl input_leds mac_hid psmouse vga16fb serio_raw vgastate floppy i2c_piix4 pata_acpi bochs qemu_fw_cfg i2c_smbus sch_fq_codel rbd dm_crypt msr parport_pc ppdev lp parport efi_pstore [40243.654766] ---[ end trace 0000000000000000 ]--- Commit d93231a6bc8a ("ceph: prevent a client from exceeding the MDS maximum xattr size") moved the required_blob_size computation to before the __build_xattrs() call, introducing a race. __build_xattrs() releases and reacquires i_ceph_lock during execution. In that window, handle_cap_grant() may update i_xattrs.blob with a newer MDS-provided blob and bump i_xattrs.version. When __bui ---truncated---
Denial of service in the Linux kernel's libceph client allows a malicious or corrupted Ceph cluster to crash the kernel via a null pointer dereference in decode_choose_args(). When processing a CEPH_MSG_OSD_MAP message, a crafted CRUSH map containing choose_args with a bucket_index that points to a NULL (unallocated) bucket triggers the crash, because the code validated only that the index stayed within max_buckets, not that the target bucket was non-NULL. There is no public exploit identified at time of analysis, EPSS exploitation probability is low (0.18%, 8th percentile), and the issue is patched upstream.
Denial of service in the Linux kernel's libceph (Ceph client) subsystem allows a malicious or compromised Ceph monitor/OSD to crash a connected client by sending a crafted CEPH_MSG_OSD_MAP whose embedded CRUSH map carries two choose_args maps sharing the same choose_args_index. The duplicate index trips an assertion in insert_choose_arg_map() during decode_choose_args(), triggering a kernel BUG and panic. CVSS is 7.5 (availability-only); there is no public exploit identified at time of analysis and EPSS is low at 0.18% (8th percentile).
Local denial of service in the Linux kernel's Intel Xe DRM driver (drm/xe/dma-buf) arises from use-after-free and NULL pointer dereference race conditions in the dma-buf import path, affecting kernels from 6.8 through the fixes in 6.12.91, 6.18.33, 7.0.10 and 7.1. When a buffer object is shared from another GPU driver such as amdgpu, the exporter can invoke the Xe invalidate_mappings hook against a partially initialized or already-freed bo, crashing the system; two customers reported NULL ptr derefs in evict_flags. This is tagged Denial of Service, has no public exploit identified at time of analysis, and carries a low EPSS of 0.18% (7th percentile).
In the Linux kernel, the following vulnerability has been resolved: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong timeout value` warning was observed, accompanied by SMBus controller state machine corruption. The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of 10 ms. The user argument is checked against INT_MAX, but it is subsequently multiplied by 10 before being passed to msecs_to_jiffies(). A malicious user can pass a large value (e.g., 429496729) that passes the `arg > INT_MAX` check but overflows when multiplied by 10. This results in a truncated 32-bit unsigned value that bypasses the internal `(int)m < 0` check in `msecs_to_jiffies()`. The truncated value is then assigned to `client->adapter->timeout` (a signed 32-bit int), which is reinterpreted as a negative number. When passed to wait_for_completion_timeout(), this negative value undergoes sign extension to a 64-bit unsigned long, triggering the `schedule_timeout` warning and causing premature returns. This leaves the SMBus state machine in an unrecoverable state, constituting a local Denial of Service (DoS). Fix this by bounding the user argument to `INT_MAX / 10`. [wsa: move the comment as well]
Denial of service in the Linux kernel's WireGuard module causes the receive/decryption path to permanently stall for an individual peer under heavy network load. Affected stable trees (notably 6.12.34 through 6.12.73, with the same defect originating in 5.15/6.1 where threaded NAPI became default) can have inbound traffic to a specific WireGuard peer halt completely once the per-peer rx_queue fills its 1024-packet backlog and wg_packet_rx_poll is never rescheduled. The condition was reported by multiple production Cilium/Kubernetes operators; there is no public exploit identified at time of analysis and EPSS is very low (0.10%, 1st percentile).
Out-of-bounds write in Marlin Firmware (3D printer firmware) through 2.1.2.7 lets attackers corrupt firmware memory through the M421 G-code mesh-bed-leveling handler, which fails to upper-bound the X/Y grid indices before writing a 32-bit float into the z_values array. Any actor able to feed G-code to a printer built with MESH_BED_LEVELING enabled can write an attacker-controlled value past the array, overwriting adjacent firmware state and causing denial of service or unpredictable machine behavior. Publicly available exploit code exists and the fix is committed (1f255d1), but there is no public exploit identified as actively exploited in the wild (not in CISA KEV).
Out-of-bounds read in ImageMagick's ConnectedComponentsImage() function allows local attackers to trigger access violations by supplying malformed connected-components artifact definitions via the CLI, leading to denial of service or potential arbitrary code execution. All ImageMagick releases before 7.1.2-19 are affected, as are Magick.NET NuGet packages before 14.12.0. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the RCE and information-disclosure tags warrant attention in environments that process untrusted image inputs through automated pipelines.
Memory exhaustion via unfreed heap allocations in ImageMagick before 7.1.2-15 enables remote denial of service against services that process untrusted images through the affected raw-pixel-data coders. The flaw (CWE-401) causes 160-byte objects to accumulate on the heap with each crafted image processed, progressively starving the host process of memory. No public exploit code has been identified at time of analysis; the CVSS 4.0 score of 6.3 reflects network reachability offset by high attack complexity and partial attack requirements, limiting realistic mass exploitation.
Denial of service in Capgo's /auth/v1/otp endpoint blocks email-based 2FA enrollment for authenticated users in all versions before 12.128.2. The backend captcha validation subsystem fails to handle exceptions gracefully, consistently returning HTTP 500 errors and preventing users from completing two-factor authentication setup. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the impact is security-control degradation: users cannot activate 2FA, leaving accounts with only single-factor protection.
Cross-tenant data poisoning in Supabase Capgo before 12.128.2 allows remote unauthenticated attackers to corrupt billing and quota records by invoking the SECURITY DEFINER record_build_time RPC with only a public anon API key. The flaw stems from missing authorization inside a privilege-elevated PostgREST function, enabling arbitrary build-time inserts against any organization. No public exploit identified at time of analysis, but the trivial network-reachable invocation pattern makes weaponization straightforward.
Cross-tenant build sabotage in Capgo before 12.128.2 allows authenticated users with the app.build_native permission to start or cancel arbitrary builder jobs belonging to other tenants by supplying a victim jobId to the /build/start/:jobId and /build/cancel/:jobId endpoints. The handlers trust the attacker-supplied app_id in the request body and never verify jobId ownership, enabling denial of service, unauthorized compute consumption, and billing impact across tenants. No public exploit identified at time of analysis.
NULL pointer dereference in the Linux kernel SMC subsystem's smc_msg_event tracepoint crashes the kernel when SMC-D socket traffic is processed while the tracepoint is active. Affected kernels from commit aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84 across multiple stable branches dereference conn->lnk unconditionally in the tracepoint, though this pointer is only valid for SMC-R connections and is NULL for SMC-D. While activating the tracepoint requires root, the crash itself can be triggered by any unprivileged user via AF_SMC socket operations on SMC-D capable systems (s390 natively, or x86 with loopback ISM loaded). No public exploit or active exploitation confirmed; EPSS sits at 0.16%.
NULL pointer dereference in the Linux kernel RDS/InfiniBand subsystem allows an unprivileged local user to trigger a kernel panic by sending an atomic cmsg over an active RDS/IB connection. The completion handler rds_ib_send_unmap_op() lacks switch cases for masked atomic opcodes (IB_WR_MASKED_ATOMIC_CMP_AND_SWP, IB_WR_MASKED_ATOMIC_FETCH_AND_ADD), returning rm=NULL while the send operation remains flagged, leading to a fatal NULL dereference at rm->m_final_op in softirq context. No public exploit has been identified and EPSS is 0.16% (6th percentile), but the crash is deterministic and reproducible on any system with mlx4/mlx5 InfiniBand hardware running an unpatched kernel with active RDS/IB connections.
NULL pointer dereference in the Linux kernel's BPF socket storage subsystem (net/core/bpf_sk_storage.c) allows a local low-privileged user to crash the kernel. The race condition between bpf_selem_unlink_nofail() - which nulls smap before removing the element from the hlist - and concurrent RCU readers in bpf_sk_storage_clone() and bpf_sk_storage_diag_put_all() can be triggered during TCP SYN handling (socket cloning path), producing a kernel panic. No public exploit identified at time of analysis; EPSS of 0.14% (4th percentile) confirms negligible observed exploitation probability.
Local privilege escalation potential in the Linux kernel's io_uring poll subsystem arises from a signed-comparison flaw in io_poll_get_ownership(), where atomic_read() returns a signed int and the IO_POLL_CANCEL_FLAG (BIT(31)) makes poll_refs negative, so the '>= IO_POLL_REF_BIAS' slowpath check is never taken. Affecting kernels from the 5.15/6.x stable series through pre-patch 7.x, a local user with io_uring access can drive poll-reference accounting into an incorrect state during request cancellation, with CVSS 7.8 (AV:L) rating high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and EPSS is low (0.16%, 6th percentile), but a vendor patch is available across stable branches.
Remote denial-of-service in the Linux kernel SCTP stack arises from incomplete rollback when an ADD_OUT_STREAMS (add outgoing streams) reconfiguration request is denied; the kernel shrinks queued chunks and lowers outcnt but leaves stale stream metadata behind, so a later stream re-add reuses a freed/stale 'ext' object and triggers a NULL-pointer dereference in the scheduler get path. Any remote SCTP peer that can negotiate stream reconfiguration on an established association can crash the host, with no authentication or user interaction required per the CVSS vector (AV:N/AC:L/PR:N/UI:N, A:H). There is no public exploit identified at time of analysis and EPSS is low (0.16%), indicating no observed weaponization.
NULL pointer dereference in the Linux kernel VRF (Virtual Routing and Forwarding) subsystem allows a local low-privileged user to crash the kernel via a race condition between RCU readers and VRF port removal operations, resulting in a complete denial of service on affected systems. Systems using VRF network segmentation are at risk specifically when VRF port membership is dynamically modified concurrent with socket bind() operations. EPSS is 0.16% (6th percentile) and the vulnerability is not listed in CISA KEV; no public exploit code has been identified, but patched kernel versions are available across all active stable branches.
Use-after-free in the Linux kernel SCTP stack (net/sctp) allows a remote peer to crash the kernel by forcing an association to roll back from COOKIE_ECHOED to COOKIE_WAIT via a Stale Cookie ERROR. When sctp_stream_update() rebuilds the stream table during this rollback it leaves the scheduler's cached stream->out_curr pointer referencing freed memory, so the next scheduler dequeue (FCFS/RR/PRIO) dereferences a dangling sctp_stream_out entry. The flaw is tagged as Denial of Service, carries an NVD CVSS of 9.8, but has a low EPSS of 0.17% (6th percentile); no public exploit identified at time of analysis and it is not listed in CISA KEV.
Denial of service in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh routing subsystem allows a crash via NULL pointer dereference in the Distributed ARP Table (DAT) forwarding path. The function batadv_dat_forward_data() fails to check the return value of pskb_copy_for_clone() before passing the cloned skb to batadv_send_skb_prepare_unicast_4addr(), so a failed allocation while forwarding to a DHT candidate triggers a kernel oops. Affects systems running batman-adv mesh networking; this is a memory-pressure-dependent crash with no public exploit identified at time of analysis (EPSS 0.17%, 6th percentile), and it is not listed in CISA KEV.
Denial of service in the Linux kernel netfilter ipset subsystem allows a local low-privileged user to disrupt availability by triggering an iterator overrun in hash:ip,mark, hash:ip,port, hash:ip,port,ip, or hash:ip,port,net set types during IPv4 range iteration. The 32-bit loop iterator is not properly bounded, allowing it to advance past the last address in the requested range; subsequent retry passes then resume from an unintended position, corrupting traversal state. No public exploit is identified at time of analysis, and the EPSS score of 0.16% (6th percentile) confirms very low exploitation probability, making this a routine patching priority rather than an emergency response.
Denial of service in the Linux kernel's batman-adv mesh networking module arises from faulty length accounting during fragment reassembly, where the accumulated payload length can be truncated during updates, letting malformed fragment chains bypass validation and drive reassembly with inconsistent length state. The flaw affects systems running the B.A.T.M.A.N. Advanced (batman-adv) module across many stable kernel series and results in a local denial of service per the upstream description. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 7th percentile), and the NVD CVSS of 9.8 conflicts with the upstream 'local denial of service' characterization.
NULL pointer dereference in the Linux kernel's batman-adv OGMv2 subsystem allows a local low-privilege user to crash the kernel by racing interface teardown against OGM dispatch. When a batman-adv hard interface is disabled and its mesh_iface pointer is set to NULL, the batadv_v_ogm_queue_on_if() function continues to call netdev_priv() on that NULL pointer, triggering a kernel panic. No public exploit exists and EPSS is 0.18% (7th percentile), making this low operational priority except on systems actively running batman-adv mesh networking.
Stack-based buffer overflow (CWE-121) in the GV-Cloud component of GeoVision GV-VMS V20 20.0.2 enables a remote attacker with a network-intercept position to crash the video management system, causing high-impact denial of service against physical security infrastructure. Exploitation requires impersonating the legitimate GV-Cloud server - achieved via MitM techniques - and delivering a specially crafted network payload that corrupts stack memory in the GV-Cloud client handler. Reported by Cisco Talos (TALOS-2026-2411); no public exploit has been identified at time of analysis and no CISA KEV listing exists.
Heap use-after-free in GPAC MP4Box 2.5-DEV-rev1593-gfe88c3545-master crashes the application when a local authenticated user processes a specially crafted MPEG-2 TS or MP4 file. The defect resides in `gf_filter_pid_inst_swap_delete_task()` within `filter_core/filter_pid.c`, where PID instance cleanup dereferences already-freed objects during a swap/delete operation, causing a heap corruption and denial of service. No public exploit has triggered active exploitation per CISA KEV, but a proof-of-concept is publicly available; EPSS sits at 0.18% (7th percentile), consistent with limited real-world targeting.
Denial of service in GPAC (libgpac/MP4Box) before 26.02.0 lets an attacker crash the application by feeding it a crafted media file that triggers a use-after-free in gf_filter_pid_inst_swap_delete_task within the filter-core PID handling code. Any pipeline or user that parses untrusted media through GPAC is affected, with publicly available proof-of-concept code, though no active exploitation has been reported and EPSS exploitation probability is low (0.17%, 6th percentile). Impact is limited to availability - there is no confidentiality or integrity loss per the CVSS vector.
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by supplying a crafted media file. The flaw is an out-of-bounds read of a language metadata string in gf_media_import (media_import.c), where three characters were read without verifying the string's length. Publicly available exploit code exists (sigdevel PoC), but it is not listed in CISA KEV and EPSS is low (0.19%, 8th percentile), indicating minimal observed real-world exploitation.
Use-after-free in GPAC MP4Box before version 26.02.0 allows a local attacker to crash the application by supplying a crafted media file, resulting in Denial of Service. The flaw resides in the filter PID lifecycle management within filter_pid.c, where a PID instance could be freed prematurely while a pending reconfiguration task still held a reference to it. Publicly available exploit code exists, though the attack requires user interaction to process the malicious file and exploitation is limited to DoS with no confidentiality or integrity impact.
Unrestricted TOTP brute-forcing on Snipe-IT versions prior to 8.6.0 allows an attacker holding valid password credentials to bypass two-factor authentication by submitting unlimited guesses against the `POST /two-factor` endpoint, which enforces no rate limit, lockout, or attempt counter. With the `google2fa` window configured at 1, three of one million possible codes are valid at any instant, making statistical exhaustion feasible via scripted requests. Successful exploitation yields full session-level account takeover; in optional-2FA deployments the attacker can additionally call `POST /account/profile` to permanently disable 2FA with no re-verification, and admin-privileged attackers can clear other users' 2FA secrets via `POST /api/v1/users/two_factor_reset`. No public exploit has been identified at time of analysis.
Permanent denial of service in opentelemetry-ebpf-profiler versions 0.0.202527 through 0.0.202621 allows any unprivileged co-located process to halt the agent's ELF analysis goroutine by placing a FIFO or special file at a path the profiler will attempt to open via openat2. Once blocked, the processPIDEvents goroutine never recovers, rendering the profiling agent inoperable for the lifetime of the process. No public exploit has been identified at time of analysis; impact is strictly confined to availability of the profiling agent with no data exposure or privilege escalation possible.
Denial of service in CPython's tarfile module allows remote attackers to trigger an infinite loop by supplying a crafted tar archive opened in streaming mode (mode='r|'). The seek() routine fails to detect EOF and keeps requesting bufsize reads of empty data when a TarInfo header declares a size far larger than the actual stream, exhausting CPU on any Python service that parses untrusted tar streams. No public exploit identified at time of analysis, but the upstream fix and a reproducer test case are both published on GitHub.
Uncontrolled resource consumption in jackson-databind 2.10.0 through 2.13.5 allows unauthenticated remote attackers to cause a Denial-of-Service by submitting small (~2kB), deeply nested JSON payloads that trigger a StackOverflowError when a service reads the input via ObjectMapper.readTree() and serializes the resulting JsonNode using JsonNode.toString(). The root cause is recursive serialization in the toString() call path, which was replaced with an iterative IteratorStack-based implementation in version 2.14.0. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.
Denial of Service in the collective/icalendar Python library allows attackers to crash or hang applications that process externally supplied iCalendar data. The vulnerability carries a CVSS score of 7.5 High and affects Plone CMS deployments as well as any Python application using the library to parse .ics input. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV.
Denial of service in Plone's RSS feed portlet component (plone.app.portlets) allows an attacker to exhaust server resources by supplying or triggering the parsing of a maliciously crafted RSS/Atom feed, rendering the Plone application unavailable. Disclosed June 23, 2026 as part of a coordinated Plone security release, the issue carries a critical severity rating of 9.1. No public exploit code or CISA KEV listing has been identified at time of analysis.
Denial-of-service via malformed iCalendar import in Plone's plone.app.event package, rated 9.1 critical, enables remote disruption of affected Plone installations by submitting a crafted ICS file to the event import endpoint. Disclosed June 23, 2026 as part of a coordinated Plone security release addressing six distinct vulnerabilities across multiple packages. No public exploit code or CISA KEV listing has been identified at time of analysis, though the critical severity rating and co-disclosure of a related icalendar library CVE (CVE-2026-55099) the same week warrant prompt patching.
Stored cross-site scripting in Plone CMS enables persistent script injection by spoofing file MIME types within the plone.app.textfield and plone.restapi packages, announced June 5, 2026. An attacker with content-upload access can craft a file whose declared MIME type bypasses Plone's content-type enforcement, causing browsers to render the payload as HTML or JavaScript when other users access the stored content. No public exploit code or CISA KEV listing has been identified at time of analysis; the moderate severity rating (4.3) reflects the stored persistence risk offset by the upload-privilege requirement.
Denial of service in MuPDF before 1.27.0-rc1 allows remote attackers to crash any application embedding the library for EPUB rendering by supplying a crafted EPUB file containing deeply nested HTML elements and inline CSS. The flaw lives in the CSS property inheritance walker (value_from_inheritable_property() in css-apply.c), which recurses without a depth bound and exhausts the process stack. Publicly available exploit code exists via the Artifex bug tracker, but the issue is not listed in CISA KEV and CVSS 4.0 base is 7.1 (availability-only impact).
File descriptor exhaustion in the Gogs built-in Go SSH server allows unauthenticated remote attackers to render the SSH service completely unavailable. By opening a large number of TCP connections to the SSH port and withholding the SSH-2.0 protocol banner, an attacker forces Gogs to spawn unbounded goroutines that block indefinitely in `golang.org/x/crypto/ssh.NewServerConn`, consuming one file descriptor per connection. Once the OS `ulimit -n` ceiling is breached, the server can accept no new connections and the entire Gogs process begins failing with cascading I/O errors. No public exploitation (KEV) confirmed, but a fully functional Python PoC is publicly disclosed alongside the advisory and the fix is available in v0.14.3.
Denial of service in dhcpcd through version 10.3.2 allows an adjacent-network attacker to exhaust memory in the daemon by repeatedly sending crafted IPv6 Router Advertisements with zero-lifetime Route Information options. The unfreed allocations in routeinfo_findalloc() accumulate linearly until the daemon crashes, disrupting DHCP client functionality on the affected host. No public exploit identified at time of analysis, but the upstream fix (commit 708b4a5) is available.
Heap use-after-free in dhcpcd through 10.3.2 enables unauthenticated same-link attackers - acting as or impersonating a DHCPv6 server - to crash the daemon by sending a crafted DHCPv6 RENEW reply exploiting a pointer lifecycle flaw in delegated prefix deprecation. The flaw triggers dhcp6_deprecatedele() to free a delegated child address while an outer TAILQ_FOREACH_SAFE iterator in dhcp6_deprecateaddrs() still retains the freed pointer, causing a use-after-free when TAILQ_REMOVE is subsequently reached. Impact is limited to availability (daemon crash); no public exploit or CISA KEV listing exists at time of analysis, but the adjacent-network attack vector and zero-privilege requirement lower the bar for local segment adversaries.
Heap overflow in rsyslog's contributed imhttp module allows remote unauthenticated clients to corrupt the rsyslog process heap by sending an oversized HTTP Basic Authentication header. The root cause is a one-character typo - `calloc(0, len)` instead of `calloc(1, len)` - which allocates zero or minimal bytes before the Base64 decoder writes up to `len` bytes into the buffer. The practical expected impact is denial of service (rsyslog process crash); remote code execution is theoretically possible but depends on heap allocator behavior, compiler hardening, and platform. No public exploit identified at time of analysis, and the vulnerability is not in CISA KEV.
Denial of service in Elixir Plug 1.15.0 through 1.19.2 allows unauthenticated remote attackers to saturate BEAM schedulers by sending HTTP requests with deeply nested bracket-style query parameters (e.g. a[a][a]...=1). Plug.Conn.Query.decode/4 exhibits quadratic algorithmic complexity in the number of nesting levels, so a single 1 MB request can produce ~333,000 levels and freeze a Plug-based server for minutes. No public exploit identified at time of analysis, but the trigger is trivial and the upstream fix is already merged across multiple release branches.
Heap use-after-free in ImageMagick's meta coder allows remote attackers to crash the process by submitting a specially crafted image file that triggers a memory allocation failure, causing a single byte write to a stale (freed) pointer. Affected versions are ImageMagick before 7.1.2-15 and 6.9.13-40, as well as Magick.NET NuGet wrapper packages before 14.10.3. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 6.3 with AC:H and AT:P reflects that reliable exploitation requires specific memory allocation failure conditions rather than straightforward request-and-crash triggering.
Unauthenticated denial of service in Cap-go capgo (capgo-backend) before 12.128.12 allows remote attackers to exhaust PostgreSQL resources by sending unfiltered queries to the public.audit_logs PostgREST endpoint using the public anon key. Because the query planner runs expensive logic before Row-Level Security rejection, repeated requests trigger statement timeouts (error 57014) and cascade into HTTP 500 failures on unrelated endpoints such as /orgs. No public exploit identified at time of analysis, though the technique is fully described in the GHSA advisory.
Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 /. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
OpenSSH's GSSAPI authentication cleanup routine contains a heap out-of-bounds read (CWE-125) triggered when the auth-indicators array lacks a trailing NULL terminator, allowing a remote unauthenticated attacker to crash the SSH authentication path and deny SSH service availability. Exploitation is constrained by high attack complexity (AC:H) due to the non-default Kerberos/GSSAPI configuration requirement, limiting real-world exposure to a minority of deployments. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and the impact is restricted to partial availability loss with no confidentiality or integrity consequence.
Client-side Denial of Service in OpenSSH's Diffie-Hellman Group Exchange implementation allows a malicious SSH server to crash connecting clients running in FIPS mode. When a victim initiates an SSH connection to an attacker-controlled server, the server sends crafted DH-GEX group parameters that trigger a double free (CWE-415) during FIPS known-group validation, terminating the client process. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the constraint that only FIPS-mode clients are affected limits real-world impact to regulated or government environments.
GPAC MP4Box v2.4 was discovered to contain a NULL pointer dereference in the gf_isom_add_track_kind() function at isomedia/isom_write.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
Denial of service in OpenLink Virtuoso OpenSource v7.2.11 allows remote attackers to crash the database server by submitting crafted SQL statements that trigger a fault in the sqlo_try_in_loop SQL optimizer component. No public exploit identified at time of analysis, though SSVC indicates a proof-of-concept exists in the referenced GitHub issue. The flaw is tagged as SQLi-class (CWE-89) but the demonstrated impact is availability-only, with no confidentiality or integrity loss per the CVSS vector.
Denial of service in OpenLink Virtuoso OpenSource v7.2.11 allows remote attackers to crash the database server by submitting specially crafted SQL statements that trigger a flaw in the sqlo_untry query-optimization component. The CVSS 7.5 score reflects unauthenticated network exploitability with high availability impact, but no public exploit identified at time of analysis and the issue is currently tracked only as an upstream GitHub issue without a released fix.
Denial of service in OpenLink Virtuoso Open-Source Edition 7.2.11 lets attackers crash the database server by submitting crafted SQL statements that mishandle the sqlo_key_part_best query-optimizer routine. The flaw carries no confidentiality or integrity impact (availability-only, CVSS 7.5) and there is no public exploit identified at time of analysis; EPSS is low at 0.15% (4th percentile), and it is not listed in CISA KEV. The only public reference is the upstream GitHub issue (#1222) tracking the crash.
Denial of service in OpenLink Virtuoso Open Source Edition 7.2.11 lets attackers crash the database server by submitting crafted SQL statements that trigger a fault in the sqlo_natural_join_cond query-optimizer component. The flaw carries no confidentiality or integrity impact but fully degrades availability (CVSS 7.5, A:H). There is no public exploit identified at time of analysis and EPSS is low (0.15%), indicating limited near-term exploitation likelihood; only a GitHub issue documenting the defect is published.
Denial of service in OpenLink Virtuoso Open Source Edition 7.2.11 lets attackers crash the database server by submitting crafted SQL statements that reach the time_t_to_dt date/time conversion routine. The defect is availability-only (no data exposure or integrity loss) and is tracked publicly via GitHub issue #1233; it carries a CVSS 3.1 base score of 7.5 but a low EPSS of 0.15% (4th percentile), and there is no public exploit identified at time of analysis and no evidence of active exploitation.
Denial of service in OpenLink Virtuoso (open-source edition) v7.2.11 allows attackers to crash the database server by submitting crafted SQL statements that mishandle the internal st_compare comparison routine. The flaw affects availability only (CVSS A:H, no confidentiality or integrity impact) and carries a 7.5 base score; EPSS is low (0.15%, 5th percentile) with no public exploit identified at time of analysis and no CISA KEV listing. Despite the CWE-89 (SQL Injection) classification, the reported effect is a service crash rather than data manipulation or extraction.
Denial of service in OpenLink Virtuoso Open Source Edition 7.2.11 lets attackers crash the database engine by submitting crafted SQL statements that mishandle the internal t_set_push routine. The flaw carries availability-only impact (CVSS 7.5, A:H) with no confidentiality or integrity loss. EPSS is low (0.15%, 4th percentile), there is no public exploit identified at time of analysis, and it is not listed in CISA KEV - so risk is theoretical rather than actively exploited.
Denial of service in OpenLink Virtuoso OpenSource v7.2.11 allows remote unauthenticated attackers to crash the database server by submitting crafted SQL statements that trigger a fault in the sqlo_strip_in_join query-optimization component. The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N) reflects network-reachable, no-auth exploitation with high availability impact and no confidentiality or integrity loss. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
An issue in the sqlo_place_dt_set component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Denial of service in OpenLink Virtuoso OpenSource v7.2.11 allows remote attackers to crash the database server by submitting crafted SQL statements that trigger a fault in the sslr_qst_get component. The flaw is classified under CWE-89 (SQL injection class) but the documented impact is availability-only with no confidentiality or integrity loss per the CVSS vector. No public exploit identified at time of analysis, and the issue is tracked only via an upstream GitHub issue (#1229) rather than a tagged fixed release.
Denial of service in OpenLink Virtuoso Open Source Edition v7.2.11 allows remote attackers to crash the database engine by submitting crafted SQL statements that mishandle column predicate processing inside the sqlo_tb_col_preds query optimizer component. CVSS 7.5 reflects high availability impact with no authentication required, though no public exploit identified at time of analysis and the issue is tracked only as an upstream GitHub bug report.
Denial-of-service and potential out-of-bounds read in the Zephyr RTOS Bluetooth Host ISO receive path allows a malicious or compromised Bluetooth controller to crash devices using CONFIG_BT_ISO_RX by sending malformed HCI ISO packets with undersized SDU headers. The flaw resides in bt_iso_recv() within subsys/bluetooth/host/iso.c, where header bytes are pulled without prior length validation. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Denial of service in Zephyr RTOS Bluetooth Classic SDP parser allows adjacent Bluetooth attackers to crash devices via a malformed 3-byte SDP attribute that triggers a reachable kernel assertion. The flaw resides in bt_sdp_parse_attribute() in subsys/bluetooth/host/classic/sdp.c, where the parser pulls a value-type byte without first verifying buffer length, causing a kernel panic in assert-enabled builds and an out-of-bounds read with undefined behavior when assertions are disabled. No public exploit identified at time of analysis, though the GHSA advisory describes the trigger conditions in enough detail to reproduce.
Out-of-bounds read and denial-of-service in Zephyr RTOS's ext2 filesystem parser expose embedded devices to filesystem-level attacks via maliciously crafted disk images. The flaw resides in ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), where insufficient validation of on-disk directory entry fields - specifically de_rec_len and de_name_len against block boundaries - allows a crafted ext2 image to trigger an oversized memcpy (out-of-bounds read) or a zero-progress infinite loop when de_rec_len equals zero. All Zephyr versions are indicated as affected per the wildcard CPE, no public exploit code has been identified at time of analysis, and this CVE is not currently listed in CISA KEV.
Unchecked large-array allocation in MessagePack for C# exposes any .NET application deserializing untrusted MessagePack extension payloads to a denial-of-service condition. The UnsafeBlitFormatterBase<T>.Deserialize method trusts an attacker-supplied byteLength field from the inner extension payload and allocates a T[] array of that size before comparing it against the outer extension header length or remaining input bytes, meaning a few-byte payload can trigger gigabyte-scale allocations. No active exploitation has been confirmed (no CISA KEV listing, no public exploit identified at time of analysis), but the attack requires no authentication and no user interaction, lowering the bar for any attacker with network access to an exposed endpoint.
Heap exhaustion via crafted multi-dimensional array payloads in MessagePack-CSharp affects all v2.x releases before 2.5.301 and all v3.x releases before 3.1.7, enabling remote unauthenticated attackers to trigger disproportionately large heap allocations with minimal payload bytes. The multi-dimensional array formatters (T[,], T[,,], T[,,,]) allocate based on attacker-supplied dimension values before cross-validating against the encoded element count, so a payload declaring a 10000×10000 array with only a handful of elements forces a massive allocation before any guard fires. No public exploit or active exploitation has been confirmed; the CVSS 4.0 score of 6.3 reflects high attack complexity and a specific prerequisite condition (AT:P), constraining realistic risk to services that deserialize untrusted MessagePack containing multi-dimensional array types.
CPU denial of service in MessagePack for C# affects applications deserializing ILookup<TKey,TElement> types from untrusted input, exploitable even when the application has explicitly configured MessagePack's untrusted-data security posture. The InterfaceLookupFormatter constructs its internal dictionary with the default equality comparer rather than the security-aware, randomization-backed comparer provided by options.Security.GetEqualityComparer<TKey>(), silently bypassing the protection the developer believed was active. No public exploit code has been identified at time of analysis, and the CVSS 4.0 AC:H/AT:P rating reflects that exploitation requires crafting keys with deliberate hash collisions.
Rate-limit bypass in Capgo versions prior to 12.128.2 lets remote unauthenticated attackers flood the channel_self endpoint by rotating the client-supplied device_id parameter, defeating per-device throttling. Sustained abuse writes unbounded rows into the channel_devices table, exhausting database resources and degrading or denying service to legitimate users. No public exploit identified at time of analysis, but the attack is trivial to script given CVSS 4.0 AV:N/AC:L/PR:N/UI:N.
Unenforced resource limits on the POST /app/demo endpoint in Capgo before 12.128.2 allow any authenticated user holding org write permissions to create unlimited demo applications, each triggering approximately 138 database write operations. Sustained abuse degrades platform performance, inflates infrastructure costs, and can cause service instability for all tenants sharing the backend. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low exploitation complexity for any org-level member makes compromised-account or insider-threat scenarios operationally realistic.
Denial of service in Inspektor Gadget's USDT note parser (pkg/uprobetracer/usdt.go) allows an unprivileged container process to crash or OOM-kill the privileged IG host process by placing a crafted ELF binary at a path targeted by a custom USDT gadget. Two distinct attack vectors exist: a panic from out-of-bounds slice access when DescSize is artificially small, and unbounded memory allocation (~4 GiB) when NameSize or DescSize is set to 0xFFFFFFFF. No public exploit identified at time of analysis; critically, no gadget shipped by the Inspektor Gadget project uses USDT probes, so only deployments running operator-developed custom USDT gadgets are exposed.
Infinite loop denial-of-service in pypdf prior to 6.13.1 allows an attacker to hang any process that merges a crafted PDF containing cyclic article/thread structures. The vulnerability exists in the `_add_articles_thread()` method of `_writer.py`, which traversed PDF article bead linked-list structures without cycle detection, permitting a self-referential `/N` (Next) pointer chain to create an irrecoverable loop. No public exploit code or CISA KEV listing exists at time of analysis, but the upstream PR diff publicly discloses the precise triggering structure, lowering the bar for exploitation against vulnerable merge pipelines.
Memory exhaustion denial of service in Gophish through 0.12.1 allows authenticated low-privilege users to crash the phishing-campaign server by uploading a zip-bomb Office document as an email template attachment. Publicly available exploit code exists, demonstrating that any account with the User role can trigger an OOM kill of the Gophish process and disrupt ongoing campaigns. No CISA KEV listing is present, but the trivial complexity and available POC make opportunistic abuse realistic against multi-tenant or shared Gophish deployments.
LDAP injection in OpenAM (Open Identity Platform) versions <= 16.0.6 allows authenticated attackers to inject arbitrary LDAP metacharacters via the `_queryId` parameter on the CREST REST API user/group endpoints, enabling user enumeration and blind LDAP injection. The flaw stems from `IdentityResourceV1.queryCollection()` explicitly setting `escapeQueryId=false`, regressing the escape protection added for CVE-2021-29156. No public exploit identified at time of analysis, but the issue is fixed upstream in release 16.1.1.
Denial of service in the IBM WebSphere WebServer Plug-in component affects IBM i 7.3 through 7.6, IBM WebSphere Application Server, and IBM WebSphere Application Server Liberty via a NULL pointer dereference (CWE-476) triggered by crafted HTTP requests. The CVSS vector (AV:N/AC:H/PR:N/UI:N) confirms remote unauthenticated exploitation, though high attack complexity limits opportunistic mass exploitation. Impact is limited to availability - no confidentiality or integrity compromise - and no public exploit or CISA KEV listing has been identified at time of analysis.
Denial of service in Gogs repository and wiki web interfaces allows any authenticated user with write access to permanently break file listing pages by committing a file whose name contains incomplete git pathspec metacharacters. Affected versions are Gogs <= 0.14.2; the web UI for the targeted repository or wiki returns HTTP 500 on every subsequent page load until an administrator removes the malicious file via CLI. Publicly available exploit code exists as documented in the GHSA-3qq3-668m-v9mj advisory with a specific PoC payload; no active exploitation confirmed (not in CISA KEV).
### Summary The regex validation used to prevent Introspection queries can be bypassed by removing the extra whitespace, carriage return, and line feed characters from the query. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Local privilege escalation and denial of service in qSnapper before 1.3.3 stems from path traversal via the configName D-Bus parameter, allowing local attackers to point the snapper backend at attacker-controlled config files. Per the SUSE security review that produced coordinated fixes for CVE-2026-41045 through CVE-2026-41049, exploitation can crash the service or escalate to root through abuse of snapper configuration handling. No public exploit identified at time of analysis, but the upstream advisory and Bugzilla entry document the issue in detail.
Denial of service in IBM WebSphere Application Server 9.0 and 8.5, and WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.6, allows remote unauthenticated attackers to exhaust server memory by sending specially-crafted requests. CVSS 7.5 (availability-only impact) with no public exploit identified at time of analysis and a low EPSS score of 0.31% (23rd percentile). IBM has released a patch via support advisory 7276579; CISA SSVC currently rates exploitation status as 'none'.
Denial of service in IBM WebSphere Application Server 8.5 and 9.0, plus WebSphere Liberty 17.0.0.3 through 26.0.0.6, allows remote unauthenticated attackers to exhaust server memory by sending a specially crafted request. The CVSS 7.5 score reflects high availability impact with no privileges or user interaction required, though no public exploit identified at time of analysis and no EPSS or KEV data is provided.
Remote code execution and denial of service in IBM WebSphere Application Server and WebSphere Application Server Liberty (including IBM i 7.3-7.6) occurs when the WebServer Plug-in component is deployed with Intelligent Management enabled. An attacker who can impersonate a backend application server and return crafted responses can trigger code injection (CWE-94) against the plug-in, yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis; EPSS 0.38% and SSVC exploitation 'none' indicate no observed weaponization despite the 9.8 CVSS rating.
Remote code execution and denial of service in the IBM WebSphere Web Server Plug-in shipped with IBM i 7.3, 7.4, 7.5, and 7.6 (through 1.8.4) allows an attacker positioned on the adjacent network to abuse the plug-in's handling of responses from an upstream WebSphere Application Server. By impersonating the application server and returning crafted responses, the attacker can trigger code injection (CWE-94) against the plug-in, leading to full compromise of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and EPSS is low (0.25%), but SSVC rates the technical impact as total.
Heap-based buffer overflow in dnsmasq's DNSSEC logging path enables remote denial of service against instances where both DNSSEC validation and query logging are simultaneously enabled. When dnsmasq receives a DS or DNSKEY DNS response containing an algorithm or digest type it does not recognize, its logging routine writes past the end of an internal heap-allocated buffer, corrupting memory and crashing the process. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, the network-deliverable attack vector (PR:N) makes the configuration prerequisite the primary limiting factor for defenders.
IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8,5.0,5.1,5.2,5.3 could allow an authenticated user to cause a denial of service when creating new databases due to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.
Use-after-free in libxml2's xmlParseInternalSubset function affects GNOME libxml2 versions 2.9.11 through 2.11.0 and can be triggered remotely by crafted XML containing abusive entity resolution, leading to denial of service of any application that parses untrusted XML with this library. Publicly available exploit code exists (CVSS 4.0 E:P) but the issue is not listed in CISA KEV, indicating proof-of-concept demonstration rather than confirmed active exploitation. The flaw was disclosed by Canonical and tracked in GNOME GitLab work item 1058 and Ubuntu Launchpad bug 2141260.
Local privilege abuse in ASUS Armoury Crate (versions up to and including 6.4.12) allows a local administrator to bypass input validation and perform arbitrary kernel memory read/write or trigger a system crash (BSOD). The flaw is reported by ASUS and tracked as EUVD-2026-38205; no public exploit identified at time of analysis. CVSS 4.0 base score is 7.1 with high attack complexity and high privileges required, reflecting that exploitation needs an existing administrative foothold.
Heap out-of-bounds read in ImageMagick's PCD image decoder (versions prior to 7.1.2-15 and 6.9.13-40) allows unauthenticated network-reachable attackers to cause denial of service and disclose a single adjacent heap byte by supplying a crafted PCD file to an image-processing endpoint. The vulnerability is rooted in the PCD coder's DecodeImage loop and requires high attack complexity (AC:H) with specific attack prerequisites (AT:P), meaning the target application must actively process attacker-supplied PCD files. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis, though .NET bindings via Magick.NET NuGet packages are also affected and carry a separate fix version.
Authentication bypass in Capgo's /build/upload/:jobId/* endpoint exposes all versions before 12.128.2 to unauthenticated denial of service. Remote attackers exploit HTTP OPTIONS request handling to sidestep authentication middleware entirely, forcing tusProxy to execute with invalid credentials and reliably producing HTTP 500 errors at scale. No public exploit code or CISA KEV listing exists at time of analysis, but the trivial attack mechanics - requiring no credentials, tools, or interaction - mean any internet-exposed Capgo instance is at risk of request flooding.