Denial Of Service
Regular expression denial of service (ReDoS) in the Addressable Ruby library versions 2.3.0 through 2.8.x allows unauthenticated remote attackers to cause application-level denial of service through maliciously crafted URIs that trigger catastrophic backtracking in URI template expansion. The vulnerability affects URI templates using explode modifiers (e.g., {foo*}, {+var*}) and multi-variable templates with + or # operators (e.g., {+v1,v2,v3}), generating O(2^n) and O(n^k) complexity regex patterns respectively. EPSS exploitation probability and KEV status data not available; no public exploit identified at time of analysis. Vendor-released patch: version 2.9.0.
Unauthenticated attackers can trigger backup upload queue processing in Backup Migration plugin for WordPress (all versions up to 2.0.0) via the 'initializeOfflineAjax' AJAX endpoint, which lacks capability checks and relies on publicly exposed hardcoded tokens for validation. This allows remote attackers to cause unexpected backup transfers to cloud storage and resource exhaustion without authentication or user interaction. CVSS 5.3 (medium), no confirmed active exploitation reported.
Denial of service in Electron's clipboard.readImage() allows local authenticated attackers to crash applications by supplying malformed image data on the system clipboard. The vulnerability affects Electron versions prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, but only impacts apps that explicitly call clipboard.readImage(). No code execution or memory corruption is possible; the attack results in a controlled process abort when a null bitmap is passed unchecked to image construction. Vendor-released patches are available across all supported release lines.
Libarchive's archive_acl_from_text_nl() function fails to validate malformed ACL strings before dereferencing pointers, allowing local attackers to crash applications that process untrusted archives via specially crafted ACL fields. This NULL pointer dereference results in denial of service with high availability impact. CVSS 5.5 reflects local attack vector and user interaction requirement; no public exploit code or active exploitation confirmed at analysis time.
Denial of service in Gotenberg API (≤8.29.1) allows unauthenticated remote attackers to indefinitely hang worker processes via malicious regular expression patterns. The vulnerability stems from missing timeout enforcement in the dlclark/regexp2 library when compiling user-supplied scope patterns, enabling catastrophic backtracking attacks (CWE-1333). With CVSS 4.0 score 8.7 and high availability impact (VA:H), this represents significant service disruption risk. No public exploit identified at time of analysis, though the attack vector is network-accessible without authentication (AV:N/PR:N).
Unbounded memory consumption in Django ASGI applications allows unauthenticated remote attackers to bypass DATA_UPLOAD_MAX_MEMORY_SIZE protections via malformed Content-Length headers, leading to denial of service. Affects Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. CVSS 7.5 (High) with network-accessible, low-complexity attack vector requiring no privileges. EPSS data not available; no public exploit identified at time of analysis. Vendor patches released April 2026 across all affected major branches.
Path traversal in mintplex-labs/anything-llm (versions ≤1.9.1) allows authenticated administrators to read or delete arbitrary JSON files on the server, bypassing directory restrictions in the AgentFlows component. Exploitation requires high privileges (administrator access) but achieves cross-scope impact including leaking sensitive API keys from configuration files or destroying critical package.json files. Fixed in version 1.12.1. No public exploit identified at time of analysis, though technical details are disclosed via Huntr bounty platform.
HTTP request smuggling and denial of service in Tinyproxy through 1.11.3 allows unauthenticated remote attackers to cause backend worker exhaustion and bypass request inspection controls. The vulnerability stems from case-sensitive Transfer-Encoding header parsing that violates RFC 7230, enabling attackers to send 'Transfer-Encoding: Chunked' (capitalized) to desynchronize Tinyproxy's request state from RFC-compliant backends like Node.js and Nginx. No public exploit identified at time of analysis, though technical details are publicly documented in GitHub issue #604; EPSS data not available. Authentication requirements not confirmed from available data, but CVSS vector indicates network-accessible attack requiring no privileges.
Integer overflow in MediaTek secure boot (sec boot) leads to out-of-bounds write causing local denial of service on affected MediaTek chipsets. Attack requires physical device access and local user execution privileges, with no user interaction needed. EPSS score of 0.02% and CISA SSVC assessment of 'none' exploitation status indicate low real-world risk despite the moderate CVSS base score of 4.3.
Remote denial of service in MediaTek modem chipsets allows unauthenticated attackers to crash the system via a logic error when connecting to a rogue base station. The vulnerability affects 19 MediaTek chipset models (MT8678, MT6899, MT6897, and others) with no authentication or user interaction required. EPSS score of 0.08% (24th percentile) and CISA SSVC framework rating of no confirmed exploitation and partial technical impact suggest this is a low real-world priority despite the moderate CVSS 6.5 score.
Denial-of-service vulnerability in go-ipld-prime DAG-CBOR decoder allows remote attackers to cause excessive memory allocation through CBOR headers declaring arbitrarily large collection sizes without preallocation caps. A malicious payload under 100 bytes with nested structures can trigger over 9GB of memory allocation, crashing applications using the library. The vulnerability affects all versions prior to v0.22.0, and while no confirmed active exploitation has been reported, the attack requires only unauthenticated network access and minimal attacker resources.
Resource exhaustion in Android's LocalImageResolver.java onHeaderDecoded function allows local attackers to cause persistent denial of service without requiring special privileges or user interaction. The vulnerability affects Android 14, 15, and 16, with a CVSS score of 6.2 reflecting local attack vector and high availability impact. CISA SSVC assessment indicates no exploitation evidence detected at time of analysis, though the automatable attack vector and partial technical impact warrant prioritization for patching.
Denial of service in Samsung Exynos USIM firmware across mobile, wearable, and modem processors allows unauthenticated remote attackers to crash affected devices via maliciously crafted SIM card proactive commands. The vulnerability affects over 20 Exynos chipset families (980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, 5300, 5400) due to improper handling of USIM proactive commands, classified as CWE-400 (Uncontrolled Resource Consumption). EPSS exploitation probability is low (0.02%, 5th percentile), no public exploit identified at time of analysis, and not currently listed in CISA KEV. Despite the high CVSS base score of 7.5, the practical exploitation requires attacker control over cellular network infrastructure or compromised SIM cards, significantly limiting real-world attack surface.
System crash in Samsung Exynos processors (980/990/850/1080/2100/1280/2200/1330/1380/1480/2400/1580/2500/9110, Wearable W920/W930/W1000, Modems 5123/5300/5400) allows unauthenticated remote attackers to trigger denial of service via a malformed RRCReconfiguration message that exploits improper memory initialization in the Radio Resource Control (RRC) layer. No public exploit identified at time of analysis. EPSS score of 0.02% (5th percentile) indicates very low probability of imminent exploitation despite network-reachable attack surface and low complexity (CVSS 7.5, AV:N/AC:L/PR:N).
Unauthenticated denial-of-service in Strawberry GraphQL WebSocket handlers allows remote attackers to crash Python servers via subscription flooding. The vulnerability affects both graphql-transport-ws and legacy graphql-ws protocol implementations, which fail to enforce per-connection subscription limits. An attacker can exhaust server memory and saturate the asyncio event loop by sending unlimited subscribe messages over a single WebSocket connection, leading to service degradation or out-of-memory crashes. EPSS data not available for this recent CVE; no public exploit identified at time of analysis, though exploitation is trivial given the low attack complexity (CVSS AC:L) and lack of authentication requirement (PR:N).
Unaligned memory write in OpenEXR DWA decoder causes immediate crashes on ARM/RISC-V architectures and enables potential exploitation on x86 systems via compiler optimization abuse. Affects OpenEXR versions 3.2.0-3.2.6, 3.3.0-3.3.8, and 3.4.0-3.4.8 when processing DWA/DWAB-compressed EXR files with FLOAT-type channels. Remote attackers can trigger this by convincing users to open malicious EXR files (CVSS 7.1, AV:N/PR:N/UI:R). No public exploit identified at time of analysis, though the technical details are fully disclosed in the GitHub security advisory.
Buffer overflow in UTT Aggressive HiPER 810G v3 v1.7.7-171114 formTaskEdit function allows authenticated administrators to cause denial of service through a malformed selDateType parameter. The vulnerability is a classic stack-based buffer overflow (CWE-120) requiring high-privilege local network access; no public exploitation framework has been identified, and CVSS 4.5 reflects the limited scope (DoS only, no code execution or information disclosure).
Buffer overflow in UTT Aggressive 520W v3 firmware version 1.7.7-180627 allows authenticated high-privilege attackers to cause denial of service by supplying crafted input to the addCommand parameter of the formConfigCliForEngineerOnly function. The vulnerability requires administrative-level access and local network connectivity, limiting real-world attack surface despite the buffer overflow class of vulnerability.
Buffer overflow in UTT Aggressive HiPER 1200GW v2.5.3-170306 formArpBindConfig function allows authenticated attackers with high privileges to cause denial of service by supplying a crafted input to the pools parameter. CVSS score of 4.5 reflects limited attack surface (local network access required) and high privilege requirement, though impact is complete availability loss. No public exploit code or active exploitation confirmed at time of analysis.
Buffer overflow in UTT Aggressive 520W v3 v1.7.7-180627 filename parameter of formFtpServerDirConfig function allows authenticated attackers with high privileges to cause denial of service. The vulnerability requires local network access and high-level administrative credentials; no public exploit code or active exploitation has been confirmed at time of analysis.
Buffer overflow in UTT Aggressive HiPER 810G v3 v1.7.7-171114 ConfigAdvideo function allows authenticated local attackers with high privileges to cause denial of service by crafting malicious input to the timestart parameter. The vulnerability scores low-to-moderate risk (CVSS 4.5) due to strict prerequisites: network access limited to adjacent network only, high privilege requirement, and impact restricted to availability.
Buffer overflow in UTT Aggressive HiPER 810G v3 version 1.7.7-171114 within the notes parameter of the formGroupConfig function enables authenticated administrators to trigger a denial of service condition through a crafted input. The vulnerability requires high-privilege access and cannot result in code execution, but represents a threat to device availability. No public exploit code has been independently confirmed, and this CVE does not appear on the CISA KEV catalog at time of analysis.
Buffer overflow in UTT Aggressive HiPER 1200GW v2.5.3-170306 timeRangeName parameter allows authenticated attackers with high privileges to cause denial of service through crafted input to the formConfigDnsFilterGlobal function. CVSS score of 4.5 reflects local/adjacent network attack vector and high-privilege requirement, with no confidentiality or integrity impact. No public exploit code or active exploitation confirmed at time of analysis.
Double free vulnerability in Rizin's LE binary format parser (librz/bin/format/le/le.c) allows local attackers to trigger heap corruption and denial of service by providing a specially crafted LE binary with circular or malformed fixup chains. The le_load_fixup_record() function improperly manages memory during error handling, freeing relocation entries multiple times. With CVSS 6.2 and local attack vector, this poses moderate risk to systems and automated analysis pipelines that process untrusted binaries without sandboxing.
Unbounded HTTP redirect following in Fedify's ActivityPub document loaders enables resource exhaustion attacks. Remote unauthenticated attackers can trigger denial of service by controlling ActivityPub key or actor URLs that redirect indefinitely, forcing affected servers (Fedify versions before 1.9.6, 1.10.5, 2.0.8, and 2.1.1) to make repeated outbound requests from a single inbound request. No public exploit identified at time of analysis, though the attack vector is straightforward given the low complexity (CVSS AC:L). CVSS base score 7.5 (High) reflects network-reachable, unauthenticated access with high availability impact.
Denial of service in Free5GC 4.2.0 NGSetupRequest Handler allows unauthenticated remote attackers to crash the AMF (Access and Mobility Management Function) component via malformed requests. The vulnerability has a publicly available exploit and a vendor-released patch, with EPSS score of 5.3 indicating moderate but real exploitation risk despite low CVSS scoring.
Denial of service in Samsung Exynos chipsets' NAS (Non-Access Stratum) layer allows remote unauthenticated attackers to crash mobile devices via malformed Downlink NAS Transport packets. Affects 23+ Exynos processor and modem variants used in mobile phones, wearables, and cellular modems (980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, 5300, 5400). Despite CVSS 7.5, EPSS shows only 0.02% exploitation probability (5th percentile), and no public exploit or active exploitation confirmed at time of analysis.
Denial of Service in Samsung Exynos processors and modems (including 980, 850, 990, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 1680, 9110, W920, W930, W1000, and Modems 5123, 5300, 5400, 5410) allows unauthenticated remote attackers to cause complete service disruption via network-based attacks requiring low complexity and no user interaction. The vulnerability stems from improper input validation (CWE-20) affecting mobile, wearable, and baseband modem chipsets used across Samsung's semiconductor product line. No public exploit identified at time of analysis, though the CVSS vector indicates trivial exploitation conditions (AV:N/AC:L/PR:N/UI:N) that could enable network-accessible denial of service attacks against devices containing these chipsets.
AMF daemon in OpenAirInterface V2.2.0 crashes upon receipt of malformed NGAP control-plane messages containing mismatched procedure codes or PDU type violations (e.g., successfulOutcome where InitiatingMessage is required). Remote attackers can trigger denial of service without authentication (CVSS AV:N/PR:N), exploiting improper input validation (CWE-20) in 5G core network signaling. Publicly available exploit code exists, SSVC framework classifies as automatable with partial technical impact, and EPSS data not provided but attack simplicity (AC:L) indicates low barrier to exploitation.
Baseband denial-of-service in Samsung Exynos chipsets (980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, 5300, 5400) allows remote attackers to crash mobile device basebands via malformed LTE MAC packets without authentication. The vulnerability affects the L2 layer processing of MAC Control Elements, enabling network-based attacks against cellular connectivity. EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit identified at time of analysis, though the CVSS score of 9.1 reflects the severity of remotely disrupting critical cellular communications infrastructure.
Null pointer dereference in Zephyr RTOS TCP stack during connection teardown allows authenticated remote attackers to cause denial of service. A race condition in tcp_recv() processing of SYN packets causes tcp_conn_search() to return NULL on a released connection, which is then dereferenced without validation in tcp_backlog_is_full(), resulting in a crash. The vulnerability requires low-privilege authentication and is moderately complex to trigger due to timing constraints (AC:H), but results in high availability impact.
Memory exhaustion in libp2p-rendezvous allows unauthenticated attackers to cause denial of service via unbounded pagination cookie storage. Remote attackers can repeatedly send protocol-compliant DISCOVER requests to force unlimited HashMap growth without authentication or rate limiting. No public exploit identified at time of analysis, though a proof-of-concept exists in a maintainer-controlled fork. EPSS data not available for this newly assigned CVE; CVSS 8.2 reflects high availability impact with low attack complexity.
Unbounded namespace registration in libp2p-rendezvous allows remote unauthenticated attackers to trigger out-of-memory conditions on rendezvous servers. The Rust implementation accepts unlimited unique namespace registrations per peer with 72-hour TTLs, enabling resource exhaustion via repeated REGISTER messages. Confirmed publicly available exploit code exists. CVSS 7.5 (High) reflects network accessibility and lack of authentication barriers, while the straightforward attack vector (simple loop of registration requests) presents immediate risk to public rendezvous nodes critical for peer discovery in libp2p networks.
Directus GraphQL endpoints fail to deduplicate resolver invocations within single requests, allowing authenticated users to exploit GraphQL aliasing for denial-of-service attacks. An attacker with minimal read-only permissions can repeat expensive relational queries using multiple aliases in a single request, forcing concurrent execution of numerous complex database queries that exhaust connection pools and server resources, potentially degrading or crashing the service. No public exploit code has been identified, and this vulnerability requires prior authentication to the Directus instance.
Regular Expression Denial of Service (ReDoS) in @hapi/content npm package versions through 6.0.0 allows unauthenticated remote attackers to crash Node.js processes via a single HTTP request containing maliciously crafted Content-Type or Content-Disposition header values. Three regular expressions used for header parsing contain catastrophic backtracking patterns that can consume unbounded CPU resources. Vendor-released patch available via GitHub (PR #38). No public exploit code identified at time of analysis, though the attack vector is straightforward for any attacker with HTTP request capabilities.
Denial of service in Avahi prior to version 0.9-rc4 allows local unprivileged users to crash avahi-daemon by sending a D-Bus method call with conflicting publish flags. The vulnerability requires local access and low privileges but causes immediate service unavailability. No public exploit code or active exploitation has been confirmed; however, the attack is trivial to execute given the low complexity barrier.
Thread exhaustion in Mesop WebSocket handler (pkg:pip/mesop) allows unauthenticated remote attackers to crash applications via message flooding. The framework spawns unbounded OS threads for each received WebSocket message without rate limiting or pooling, enabling complete denial of service with minimal bandwidth. CVSS 7.5 (High). Publicly available exploit code exists. EPSS data not provided, but the low attack complexity (AC:L) and zero authentication requirement (PR:N) combined with working proof-of-concept significantly elevate real-world exploitation risk. Vendor-released patch available in version 1.2.5 (commit 760a207).
Denial of service in vLLM's VideoMediaIO.load_base64() method allows authenticated remote attackers to crash the server via memory exhaustion by sending API requests with thousands of comma-separated base64-encoded JPEG frames. The vulnerability bypasses the default 32-frame limit enforced in other video loading code paths, allowing attackers to decode gigabytes of image data into memory (e.g., 5000 frames ≈ 4.6 GB for 640x480 RGB) with a small compressed payload. CVSS 6.5 (network-accessible, low complexity, requires authentication, high availability impact); no public exploit code identified at time of analysis.
Denial of service in @nyariv/sandboxjs through unbounded recursion in the parser allows remote attackers to crash Node.js processes by submitting deeply nested expressions (approximately 2000 nested parentheses or brackets), triggering a RangeError that terminates the application. All public API methods (Sandbox.parse, Sandbox.compile, Sandbox.compileAsync, Sandbox.compileExpression, Sandbox.compileExpressionAsync) are vulnerable with no input validation or depth limiting. A proof-of-concept demonstrating the crash exists; no public active exploitation has been reported at the time of analysis.
Memory exhaustion denial of service in jupyterhub-ltiauthenticator 1.6.2 and earlier allows unauthenticated remote attackers to crash the LTI 1.1 validator by submitting repeated requests with unique OAuth nonces. The vulnerability exists because nonces are stored in an unbounded class-level dictionary before signature validation occurs, enabling an attacker with knowledge of a valid consumer key to gradually exhaust server memory without authentication. EPSS score of 5.9 (medium-high) reflects the network attack vector and practical exploitability, though the requirement to know a valid consumer key and achieve high authentication complexity moderates real-world risk.
Resource exhaustion in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows unauthenticated remote attackers to trigger denial of service through maliciously crafted input that overwhelms parsing logic. CVSS 7.5 (High) reflects network-accessible attack vector with low complexity and no prerequisites. EPSS data not provided, but no public exploit or CISA KEV listing identified at time of analysis. Amazon has released patches for Windows, Linux, and macOS platforms.
Denial of service in rust-rpm-sequoia allows local attackers to crash RPM signature verification by submitting specially crafted RPM files that trigger unhandled errors in OpenPGP parsing, preventing legitimate package management operations. CVSS 4.0 (low severity), local attack vector, no authentication required. No public exploit code or active exploitation confirmed.
Remote code execution in MLflow's FastAPI job endpoints allows unauthenticated attackers to submit and execute arbitrary jobs when basic-auth is enabled. Network-accessible attackers (CVSS AV:N, PR:N) can bypass authentication entirely on `/ajax-api/3.0/jobs/*` endpoints when `MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`, executing privileged operations including shell commands and filesystem modifications through allowlisted job functions. This authentication bypass (CWE-306) also enables job spam, denial of service, and exposure of job execution results. No public exploit identified at time of analysis, though attack complexity is low (AC:L) requiring no user interaction.
Denial of Service in vLLM OpenAI-compatible API server allows unauthenticated remote attackers to crash the service via a single HTTP request containing an extremely large n parameter. The lack of upper bound validation causes the asyncio event loop to freeze while allocating millions of request object copies, leading to rapid Out-Of-Memory crashes. CVSS 6.5 with moderate real-world risk due to authentication requirement in the disclosed CVSS vector (PR:L), though the description indicates unauthenticated exploitability - a significant discrepancy warranting clarification from the vendor.
Email flooding denial of service in Budibase prior to version 3.23.25 allows unauthenticated remote attackers to overwhelm user inboxes by repeatedly triggering password reset requests without rate limiting, CAPTCHA, or abuse prevention controls. An attacker can send hundreds of password reset emails to a target address in a short time window, causing user harassment, inbox denial of service, and potential reputational damage. This vulnerability has been patched in version 3.23.25.
Use-after-free in Linux kernel NFSD /proc/fs/nfs/exports proc entry allows information disclosure when a network namespace is destroyed while an exports file descriptor remains open. The vulnerability occurs because exports_proc_open() captures a network namespace reference without holding a refcount, enabling nfsd_net_exit() to free the export cache while the fd is still active, leading to subsequent reads dereferencing freed memory. The fix holds a struct net reference for the lifetime of the open file descriptor, preventing namespace teardown while any exports fd is open.
Heap overflow in Linux kernel NFSv4.0 LOCK replay cache allows unauthenticated remote attackers to corrupt kernel memory, leading to denial of service or potential code execution. The vulnerability exists in nfsd4_encode_operation(), which copies encoded LOCK responses up to 1024 bytes into a fixed 112-byte inline buffer without bounds checking, resulting in up to 944 bytes of slab-out-of-bounds writes. Exploitation requires two cooperating NFSv4.0 clients but no special privileges; upstream fixes are available across multiple stable kernel branches.
Out-of-bounds memory access in the Linux kernel bnxt_en driver allows a malicious or compromised Broadcom NetXtreme network interface card to corrupt kernel heap memory or crash the system by supplying an unvalidated 16-bit type field in a debug buffer producer async event, affecting all Linux kernel versions using the vulnerable bnxt driver code path.
Null pointer dereference in Linux kernel mac80211 IEEE 802.11 wireless subsystem crashes AP_VLAN stations during channel bandwidth change operations. The ieee80211_chan_bw_change() function incorrectly accesses link data on VLAN interfaces (such as 4-address WDS clients) where the link structure is uninitialized, leading to kernel panic when dereferencing a NULL channel pointer. Any system with AP_VLAN wireless configurations and active channel state announcement (CSA) operations is vulnerable to local denial of service.
Out-of-bounds read in Linux kernel Bluetooth L2CAP layer allows remote attackers to read adjacent kernel memory via truncated L2CAP_INFO_RSP packets with insufficient payload length. The l2cap_information_rsp() function validates only the fixed 4-byte header but then unconditionally accesses variable-length payload fields (feat_mask at offset +4 and fixed_chan at offset +1) without verifying the payload is present, triggering kernel memory disclosure on specially crafted Bluetooth frames.
Memory leak in Linux kernel atmel-sha204a cryptographic driver allows local denial of service via resource exhaustion. The vulnerability occurs when memory allocation fails during tfm_count counter management; the counter is not properly decremented, causing subsequent read operations to block indefinitely. This affects all Linux kernel versions with the vulnerable atmel-sha204a implementation until patched.
Linux kernel io_uring/poll multishot recv can hang indefinitely when a socket shutdown occurs concurrently with data reception, due to a race condition where accumulated poll wakeups are drained without consuming the persistent HUP event. The vulnerability affects all Linux kernel versions with io_uring poll support and requires a fix to explicitly check for HUP conditions and re-loop when multiple poll activations are pending.
Infinite loop in Linux kernel serial core driver handle_tx() affects systems using uninitialized PORT_UNKNOWN serial ports, where uart_write_room() and uart_write() behave inconsistently regarding null transmit buffers, causing denial of service through system hangs. The vulnerability impacts caif_serial and other drivers that rely on tty_write_room() to determine write capacity. Patch available in upstream kernel commits; no CVSS score assigned due to kernel-specific nature and relatively limited exposure scope.
Linux kernel drm/imagination driver deadlock in soft reset sequence allows local denial of service when the soft reset handler calls disable_irq() from within a threaded IRQ handler context, creating a self-deadlock condition. The fix replaces disable_irq() with disable_irq_nosync() to prevent the handler from waiting on itself. Affected systems running vulnerable kernel versions with imagination GPU drivers can experience system hangs during GPU reset operations; no public exploit code identified at time of analysis.
Linux kernel drm/imagination driver crashes when the GPU runtime PM suspend callback executes concurrently with an IRQ handler attempting to access GPU registers, causing kernel panics with SError interrupts on ARM64 platforms. The vulnerability affects the imagination GPU driver across Linux kernel versions and is triggered when power management suspend operations race with interrupt handling without proper synchronization. The fix adds synchronize_irq() calls to ensure IRQ handlers complete before GPU suspension and removes problematic runtime PM resume calls from the IRQ handler that could cause deadlocks.
Denial of service in Linux kernel amdgpu driver allows local attackers to exhaust system memory by passing an arbitrarily large BO (buffer object) list entry count via userspace, bypassing existing overflow checks but causing excessive allocation and processing delays; fixed by enforcing a 128k entry limit per BO list.
Memory leak in Linux kernel Microchip MPFS system controller driver (mpfs_sys_controller_probe) allows local attackers to exhaust kernel memory by repeatedly triggering the MTD device lookup failure path, eventually causing denial of service through memory exhaustion.
Memory corruption and potential kernel freezes occur in the Linux kernel's IP tunnel implementation when VXLAN or GENEVE tunnels transmit packets, due to incorrect offset calculations in per-CPU statistics tracking on 32-bit systems. The vulnerability arises from iptunnel_xmit_stats() assuming all tunnels use NETDEV_PCPU_STAT_TSTATS, but VXLAN and GENEVE actually use NETDEV_PCPU_STAT_DSTATS with a different memory layout, causing syncp sequence counter overwrites that corrupt statistics or deadlock the kernel. Patch commits are available in the Linux kernel stable tree and address this by adapting the statistics handler and repositioning the pcpu_stat_type field to improve cache efficiency.
Infinite loop in Linux kernel bonding device header parsing allows local denial of service when two bonding devices are stacked. The bond_header_parse() function can recurse indefinitely because skb->dev always points to the top of the device hierarchy. The fix adds a bounded recursion parameter to the header_ops parse() method to ensure the leaf parse method is called and prevent endless loops. This vulnerability affects all Linux kernel versions with the vulnerable bonding code and requires local access to trigger.
Double-free memory corruption in the Linux kernel's TEQL (Trivial Link Equalizer) qdisc implementation allows local attackers to cause kernel crashes via denial of service. The vulnerability occurs when qdisc_reset is called without proper synchronization on lockless Qdisc root configurations, creating a race condition that results in use-after-free and double-free conditions in packet buffer management. This affects all Linux kernel versions with the vulnerable TEQL code path and requires local access to trigger via specially crafted packet scheduling operations.
Linux kernel aqc111 USB driver deadlock in power management allows local denial of service via task hang during runtime suspend. The vulnerability occurs when aqc111_suspend() calls power-managed write operations during device suspension, triggering nested runtime PM calls that deadlock waiting for a state change that never occurs. This blocks the rtnl_lock and freezes the entire networking stack. Affected systems running vulnerable kernel versions with USB AQC111 network adapters are susceptible to local DoS that requires no authentication or user interaction beyond normal device suspension. No public exploit code identified; fix requires kernel upgrade or manual patch application.
Linux kernel NULL pointer dereference in UDP tunnel socket creation when IPv6 is disabled causes denial of service. When CONFIG_IPV6=n, the udp_sock_create6() function incorrectly returns success (0) without creating a socket, leading callers such as fou_create() to dereference an uninitialized pointer. The vulnerability is triggered via netlink socket operations and requires privileged user access; no public exploit code or active exploitation has been identified at time of analysis.
Denial of service in Linux kernel mvpp2 network driver occurs when MTU changes or other operations trigger buffer pool switching on Marvell hardware lacking CM3 SRAM support, causing NULL pointer dereference in flow control register access. Affects systems running vulnerable kernel versions on Marvell Armada platforms where the CM3 SRAM device tree entry is absent; no authentication required. Upstream fix available via stable kernel commits.
Null pointer dereference in Linux kernel arm_mpam memory bandwidth monitoring causes kernel oops when an MSC supporting bandwidth monitoring transitions offline and back online. The mpam_restore_mbwu_state() function fails to initialize a value buffer before passing it to __ris_msmon_read() via IPI, triggering a crash in the bandwidth counter restoration routine. This affects ARM systems with MPAM (Memory Partitioning and Monitoring) support and results in denial of service through system instability when memory controllers are toggled.
A use-after-free vulnerability in the Linux kernel's mshv (Microsoft Hyper-V) driver allows local attackers to trigger a kernel panic by unmapping user memory after a failed mshv_map_user_memory() call. The error path incorrectly calls vfree() without unregistering the associated MMU notifier, leaving a dangling reference that fires when userspace performs subsequent memory operations. This is a memory safety issue affecting the Hyper-V virtualization subsystem in the Linux kernel.
Linux kernel crashes in iommu_sva_unbind_device() when accessing a freed mm structure after iommu_domain_free() deallocates domain->mm->iommu_mm, causing denial of service on systems using IOMMU Shared Virtual Addressing (SVA). The fix reorders code to access the structure before the domain is freed. No CVSS score, EPSS, or KEV status available; no public exploit code identified.
Interrupt storm in Linux kernel dpaa2-switch driver occurs when a bounds check rejects an out-of-bounds if_id in the IRQ handler but fails to clear the interrupt status, causing repeated spurious interrupts. This denial-of-service condition affects the NXP DPAA2 Ethernet switch driver on systems running vulnerable Linux kernel versions. An attacker with the ability to trigger malformed frames or hardware state transitions could exhaust CPU resources through interrupt flooding.
A circular locking dependency in rds_tcp_tune() in the Linux kernel RDS TCP subsystem creates deadlock potential through socket lock contention with fs_reclaim memory allocation. The vulnerability affects all Linux kernel versions with the vulnerable code path in net/rds/tcp.c; the fix relocates sk_net_refcnt_upgrade() outside the socket lock critical section to eliminate the circular lock dependency without compromising synchronization semantics.
Denial of service in MariaDB Server: a large packet crashes the server when the caching_sha2_password authentication plugin is enabled and accounts use it, due to unbounded stack allocation in sha256_crypt_r. Authenticated remote attackers can crash the server by sending a crafted large authentication packet. MariaDB versions before 11.4.10, 11.5.0 through 11.8.5, and 12.0.0 through 12.2.1 are affected. No public exploit code or confirmed active exploitation reported at time of analysis.
Unauthenticated server-side request forgery in Ech0's link preview endpoint allows remote attackers to force the application server to perform HTTP/HTTPS requests to arbitrary internal and external targets. The /api/website/title route requires no authentication, performs no URL validation, follows redirects by default, and disables TLS certificate verification (InsecureSkipVerify: true). Attackers can probe internal networks, access cloud metadata services (169.254.169.254), and trigger denial-of-service by forcing the server to download large files into memory via io.ReadAll. Proof-of-concept demonstrates successful exploitation against Docker deployments reaching host-bound services via host.docker.internal. EPSS score not available; no CISA KEV listing indicates this is not yet confirmed as actively exploited in the wild, though publicly available exploit code exists in the GitHub advisory. Vendor-released patch available.
Denial of service via panic in go-jose library (versions prior to v4.1.4 and v3.0.5) occurs when decrypting malformed JSON Web Encryption (JWE) objects that specify a key wrapping algorithm (e.g., RSA-OAEP-KW, ECDH-ES+A128KW) but contain an empty encrypted_key field. The panic is triggered during slice allocation in cipher.KeyUnwrap() when processing ciphertext under 16 bytes, causing immediate application termination. No public exploit identified at time of analysis, though EPSS score of 0.00045 (0.045%) indicates low predicted exploitation probability. Applications limiting accepted key algorithms to non-KW types or using GCM-based key wrapping (A128GCMKW, A192GCMKW, A256GCMKW) are unaffected.
Denial of service in Dokuwiki version 2025-05-14b 'Librarian' release allows remote attackers to crash or disable the application through improper input handling in the media_upload_xhr() function within media.php. The vulnerability requires network access to the media upload endpoint but does not require authentication. No public exploit code, CVSS scoring, or active exploitation has been confirmed at the time of analysis.
Unbounded disk consumption in Rack's multipart parser allows remote denial of service when HTTP requests lack Content-Length headers. Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 fail to enforce size limits on multipart/form-data uploads sent via chunked transfer encoding, enabling unauthenticated attackers to exhaust disk space by streaming arbitrarily large file uploads. CVSS 7.5 (High) reflects the network-accessible, low-complexity attack requiring no privileges. No public exploit identified at time of analysis, though the attack technique is well-understood.
Denial of service in Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 allows unauthenticated remote attackers to consume disproportionate CPU, memory, I/O, and bandwidth by supplying many small overlapping byte ranges in HTTP Range headers, bypassing the existing CVE-2024-26141 fix that only validates total byte coverage. The vulnerability affects Rack's file-serving paths that process multipart byte range responses, enabling attackers to degrade service availability with minimal request complexity.
Denial of service in Rack::Utils.select_best_encoding allows unauthenticated remote attackers to consume disproportionate CPU resources via a crafted Accept-Encoding header containing multiple wildcard entries, affecting Rack versions prior to 2.2.23, 3.1.21, and 3.2.6. The vulnerability exploits quadratic time complexity in the encoding selection algorithm used by Rack::Deflater middleware, enabling a single HTTP request to trigger sustained CPU exhaustion and application unavailability.
Denial of service via algorithmic complexity in Rack multipart parser allows unauthenticated remote attackers to exhaust CPU resources by sending specially crafted multipart/form-data requests with backslash-heavy escaped parameter values. Affects Rack 3.0.0.beta1-3.1.20 and 3.2.0-3.2.5; Rack is a critical Ruby web server interface used across Rails and Sinatra applications. CVSS 7.5 (High) with network-accessible attack vector and low complexity. Vendor-released patches available in versions 3.1.21 and 3.2.6. No public exploit identified at time of analysis; EPSS data was not provided to assess probability of exploitation.
Denial of service in Apache Traffic Server 9.0.0-9.2.12 and 10.0.0-10.1.1 caused by improper handling of POST requests that triggers a server crash under specific conditions. The vulnerability affects all instances of the affected versions and requires no authentication or special privileges to exploit. Vendor-released patches are available in versions 9.2.13 and 10.1.2.
Memory exhaustion in Suricata network IDS/IPS via HTTP/2 CONTINUATION frame flooding allows remote unauthenticated attackers to trigger denial of service, typically forcing operating system termination of the Suricata process. Affects all versions prior to 7.0.15 and 8.0.4. EPSS data not available, but CVSS 7.5 (High) reflects network-accessible attack with low complexity requiring no privileges. No public exploit identified at time of analysis, though the attack technique (HTTP/2 frame flooding) is well-documented in protocol security research.
NULL pointer dereference in Suricata 8.0.0 through 8.0.3 causes denial of service when processing malformed TLS traffic with the 'tls.alpn' rule keyword. Remote unauthenticated attackers can crash the IDS/IPS engine by sending specially crafted network packets, completely disabling network security monitoring. EPSS data not available, but the low attack complexity (AC:L) and network vector (AV:N) combined with high availability impact (A:H) indicate significant operational risk for organizations relying on Suricata for traffic inspection. No evidence of active exploitation (no CISA KEV listing) or public exploit code identified at time of analysis.
CocoaMQTT library versions prior to 2.2.2 allow remote denial of service when parsing malformed MQTT packets from a broker, causing immediate application crashes on iOS, macOS, and tvOS devices. An attacker or compromised MQTT broker can publish a 4-byte malformed payload with the RETAIN flag to persist it indefinitely, ensuring every vulnerable client that subscribes receives the crash-inducing packet, effectively bricking the application until manual intervention on the broker. The vulnerability requires an authenticated user context (PR:L in CVSS vector) but impacts application availability with high severity; patch version 2.2.2 is available.
Denial of Service in Red Hat Build of Keycloak allows unauthenticated remote attackers to exhaust server resources by submitting specially crafted POST requests with excessively long scope parameters to the OpenID Connect token endpoint. No public exploit identified at time of analysis, but CVSS 7.5 (High) with network attack vector and low complexity indicates straightforward exploitation. Authentication requirements: unauthenticated (CVSS PR:N). The vulnerability stems from improper resource management (CWE-1050), enabling attackers to cause prolonged processing times and service disruption without any authentication or user interaction.
Denial of service in gleam-wisp wisp 0.2.0 through 2.2.1 allows unauthenticated remote attackers to exhaust server memory or disk by sending arbitrarily large multipart form submissions that bypass configured size limits. The multipart_body and multipart_headers parsing functions fail to properly decrement resource quotas for chunks lacking multipart boundaries, enabling attackers to accumulate unbounded data in a single HTTP request. Patch available as of version 2.2.2.
Resource exhaustion in Nothings stb library versions up to 1.22 allows unauthenticated remote attackers to cause denial of service through the setup_free function in stb_vorbis.c when processing malformed audio data. The vulnerability has publicly available exploit code and a low CVSS score of 4.3 reflecting limited impact, but represents a real availability risk in applications embedding this widely-used header-only graphics and audio library.
Denial of service in PraisonAI's MCPToolIndex.search_tools() allows authenticated remote attackers to block the Python thread for hundreds of seconds via a crafted regular expression causing catastrophic backtracking. The vulnerable function compiles caller-supplied query strings directly as regex patterns without validation, timeout, or exception handling. A single malicious request can sustain complete service outage, and the MCP server HTTP transport runs without authentication by default, significantly lowering the practical barrier to exploitation despite the CVSS requiring PR:L.
IBM Aspera Shares 1.9.9 through 1.11.0 lacks proper rate limiting on authenticated user email submissions, allowing high-privilege users to trigger email flooding or denial of service conditions. The vulnerability requires authentication at the admin or high-privilege level and results in service availability degradation rather than data compromise. EPSS exploitation probability is low (2.7 CVSS, high privilege requirement), and no public exploit code or active exploitation has been identified at time of analysis.
Ella Core panics and crashes when processing malformed NGAP handover failure messages from a gNodeB, causing a denial of service for all connected mobile subscribers. An authenticated attacker with high privileges on the radio network can force a gNodeB to send crafted NGAP handover failure messages that trigger a null pointer dereference in Ella Core's handover handler, terminating the core network process. No public exploit code or active exploitation has been identified.
Haraka email server crashes when processing emails with `__proto__` as a header name, enabling remote unauthenticated denial of service. Attackers can send a specially crafted email via SMTP to crash worker processes, disrupting email delivery. In single-process deployments, the entire server becomes unavailable; in cluster mode, all active sessions are terminated. No public exploit identified at time of analysis beyond the published proof-of-concept code, though exploitation requires only basic SMTP access.
Denial of service vulnerability in Nothings stb image library (stb_image.h) affecting GIF decoder function stbi__gif_load_next allows remote attackers to trigger application crashes through specially crafted GIF files. The vulnerability impacts stb versions up to 2.30, requires user interaction to open a malicious GIF, and has publicly available exploit code with no vendor patch available despite early disclosure.
Aiohttp prior to version 3.13.4 allocates entire multipart form fields into memory before validating against the client_max_size limit, enabling unauthenticated remote attackers to cause denial of service through memory exhaustion. The vulnerability affects all versions before 3.13.4 and carries a low CVSS score (2.7) reflecting limited availability impact, with no public exploit code or active exploitation confirmed at time of analysis.
Memory exhaustion vulnerability in AIOHTTP prior to version 3.13.4 allows unauthenticated remote attackers to trigger denial of service via specially crafted HTTP responses containing excessive multipart headers. The vulnerability exploits insufficient memory limits during multipart header parsing, causing the server or client to consume more memory than intended. CVSS 6.6 (medium-high availability impact) with no public exploit code identified at time of analysis.
Denial of service in Gotenberg API (≤8.29.1) allows unauthenticated remote attackers to indefinitely hang worker processes via malicious regular expression patterns. The vulnerability stems from missing timeout enforcement in the dlclark/regexp2 library when compiling user-supplied scope patterns, enabling catastrophic backtracking attacks (CWE-1333). With CVSS 4.0 score 8.7 and high availability impact (VA:H), this represents significant service disruption risk. No public exploit identified at time of analysis, though the attack vector is network-accessible without authentication (AV:N/PR:N).
Unbounded memory consumption in Django ASGI applications allows unauthenticated remote attackers to bypass DATA_UPLOAD_MAX_MEMORY_SIZE protections via malformed Content-Length headers, leading to denial of service. Affects Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. CVSS 7.5 (High) with network-accessible, low-complexity attack vector requiring no privileges. EPSS data not available; no public exploit identified at time of analysis. Vendor patches released April 2026 across all affected major branches.
Path traversal in mintplex-labs/anything-llm (versions ≤1.9.1) allows authenticated administrators to read or delete arbitrary JSON files on the server, bypassing directory restrictions in the AgentFlows component. Exploitation requires high privileges (administrator access) but achieves cross-scope impact including leaking sensitive API keys from configuration files or destroying critical package.json files. Fixed in version 1.12.1. No public exploit identified at time of analysis, though technical details are disclosed via Huntr bounty platform.
HTTP request smuggling and denial of service in Tinyproxy through 1.11.3 allows unauthenticated remote attackers to cause backend worker exhaustion and bypass request inspection controls. The vulnerability stems from case-sensitive Transfer-Encoding header parsing that violates RFC 7230, enabling attackers to send 'Transfer-Encoding: Chunked' (capitalized) to desynchronize Tinyproxy's request state from RFC-compliant backends like Node.js and Nginx. No public exploit identified at time of analysis and EPSS data is not available, though technical details are publicly documented in GitHub issue #604. Authentication requirements not confirmed from available data, but CVSS vector indicates network-accessible attack requiring no privileges.
Integer overflow in MediaTek secure boot (sec boot) leads to out-of-bounds write causing local denial of service on affected MediaTek chipsets. Attack requires physical device access and local user execution privileges, with no user interaction needed. EPSS score of 0.02% and CISA SSVC assessment of 'none' exploitation status indicate low real-world risk despite the moderate CVSS base score of 4.3.
Remote denial of service in MediaTek modem chipsets allows unauthenticated attackers to crash the system via a logic error when connecting to a rogue base station. The vulnerability affects 19 MediaTek chipset models (MT8678, MT6899, MT6897, and others) with no authentication or user interaction required. EPSS score of 0.08% (24th percentile) and CISA SSVC framework rating of no confirmed exploitation and partial technical impact suggest this is a low real-world priority despite the moderate CVSS 6.5 score.
Denial-of-service vulnerability in go-ipld-prime DAG-CBOR decoder allows remote attackers to cause excessive memory allocation through CBOR headers declaring arbitrarily large collection sizes without preallocation caps. A malicious payload under 100 bytes with nested structures can trigger over 9GB of memory allocation, crashing applications using the library. The vulnerability affects all versions prior to v0.22.0, and while no confirmed active exploitation has been reported, the attack requires only unauthenticated network access and minimal attacker resources.
Resource exhaustion in Android's LocalImageResolver.java onHeaderDecoded function allows local attackers to cause persistent denial of service without requiring special privileges or user interaction. The vulnerability affects Android 14, 15, and 16, with a CVSS score of 6.2 reflecting local attack vector and high availability impact. CISA SSVC assessment indicates no exploitation evidence detected at time of analysis, though the automatable attack vector and partial technical impact warrant prioritization for patching.
Denial of service in Samsung Exynos USIM firmware across mobile, wearable, and modem processors allows unauthenticated remote attackers to crash affected devices via maliciously crafted SIM card proactive commands. The vulnerability affects over 20 Exynos chipset families (980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, 5300, 5400) due to improper handling of USIM proactive commands, classified as CWE-400 (Uncontrolled Resource Consumption). EPSS exploitation probability is low (0.02%, 5th percentile), no public exploit identified at time of analysis, and not currently listed in CISA KEV. Despite the high CVSS base score of 7.5, the practical exploitation requires attacker control over cellular network infrastructure or compromised SIM cards, significantly limiting real-world attack surface.
System crash in Samsung Exynos processors (980/990/850/1080/2100/1280/2200/1330/1380/1480/2400/1580/2500/9110, Wearable W920/W930/W1000, Modems 5123/5300/5400) allows unauthenticated remote attackers to trigger denial-of-service via malformed RRCReconfiguration message exploiting improper memory initialization in the Radio Resource Control (RRC) layer. No public exploit identified at time of analysis. EPSS score of 0.02% (5th percentile) indicates very low probability of imminent exploitation despite network-reachable attack surface and low complexity (CVSS 7.5, AV:N/AC:L/PR:N).
Unauthenticated denial-of-service in Strawberry GraphQL WebSocket handlers allows remote attackers to crash Python servers via subscription flooding. The vulnerability affects both graphql-transport-ws and legacy graphql-ws protocol implementations, which fail to enforce per-connection subscription limits. An attacker can exhaust server memory and saturate the asyncio event loop by sending unlimited subscribe messages over a single WebSocket connection, leading to service degradation or out-of-memory crashes. EPSS data not available for this recent CVE; no public exploit identified at time of analysis, though exploitation is trivial given the low attack complexity (CVSS AC:L) and lack of authentication requirement (PR:N).
Unaligned memory write in OpenEXR DWA decoder causes immediate crashes on ARM/RISC-V architectures and enables potential exploitation on x86 systems via compiler optimization abuse. Affects OpenEXR versions 3.2.0-3.2.6, 3.3.0-3.3.8, and 3.4.0-3.4.8 when processing DWA/DWAB-compressed EXR files with FLOAT-type channels. Remote attackers can trigger this by convincing users to open malicious EXR files (CVSS 7.1, AV:N/PR:N/UI:R). No public exploit identified at time of analysis, though the technical details are fully disclosed in the GitHub security advisory.
Buffer overflow in UTT Aggressive HiPER 810G v3 v1.7.7-171114 formTaskEdit function allows authenticated administrators to cause denial of service through a malformed selDateType parameter. The vulnerability is a classic stack-based buffer overflow (CWE-120) requiring high-privilege local network access; no public exploitation framework has been identified, and CVSS 4.5 reflects the limited scope (DoS only, no code execution or information disclosure).
Buffer overflow in UTT Aggressive 520W v3 firmware version 1.7.7-180627 allows authenticated high-privilege attackers to cause denial of service by supplying crafted input to the addCommand parameter of the formConfigCliForEngineerOnly function. The vulnerability requires administrative-level access and local network connectivity, limiting real-world attack surface despite the buffer overflow class of vulnerability.
Buffer overflow in UTT Aggressive HiPER 1200GW v2.5.3-170306 formArpBindConfig function allows authenticated attackers with high privileges to cause denial of service by supplying a crafted input to the pools parameter. CVSS score of 4.5 reflects limited attack surface (local network access required) and high privilege requirement, though impact is complete availability loss. No public exploit code or active exploitation confirmed at time of analysis.
Buffer overflow in UTT Aggressive 520W v3 v1.7.7-180627 filename parameter of formFtpServerDirConfig function allows authenticated attackers with high privileges to cause denial of service. The vulnerability requires local network access and high-level administrative credentials; no public exploit code or active exploitation has been confirmed at time of analysis.
Buffer overflow in UTT Aggressive HiPER 810G v3 v1.7.7-171114 ConfigAdvideo function allows authenticated local attackers with high privileges to cause denial of service by crafting malicious input to the timestart parameter. The vulnerability scores low-to-moderate risk (CVSS 4.5) due to strict prerequisites: network access limited to adjacent network only, high privilege requirement, and impact restricted to availability.
Buffer overflow in UTT Aggressive HiPER 810G v3 version 1.7.7-171114 within the notes parameter of the formGroupConfig function enables authenticated administrators to trigger a denial of service condition through a crafted input. The vulnerability requires high-privilege access and cannot result in code execution, but represents a threat to device availability. No public exploit code has been independently confirmed, and this CVE does not appear on the CISA KEV catalog at time of analysis.
Buffer overflow in UTT Aggressive HiPER 1200GW v2.5.3-170306 timeRangeName parameter allows authenticated attackers with high privileges to cause denial of service through crafted input to the formConfigDnsFilterGlobal function. CVSS score of 4.5 reflects local/adjacent network attack vector and high-privilege requirement, with no confidentiality or integrity impact. No public exploit code or active exploitation confirmed at time of analysis.
Double free vulnerability in Rizin's LE binary format parser (librz/bin/format/le/le.c) allows local attackers to trigger heap corruption and denial of service by providing a specially crafted LE binary with circular or malformed fixup chains. The le_load_fixup_record() function improperly manages memory during error handling, freeing relocation entries multiple times. With CVSS 6.2 and local attack vector, this poses moderate risk to systems and automated analysis pipelines that process untrusted binaries without sandboxing.
Unbounded HTTP redirect following in Fedify's ActivityPub document loaders enables resource exhaustion attacks. Remote unauthenticated attackers can trigger denial of service by controlling ActivityPub key or actor URLs that redirect indefinitely, forcing affected servers (Fedify versions before 1.9.6, 1.10.5, 2.0.8, and 2.1.1) to make repeated outbound requests from a single inbound request. No public exploit identified at time of analysis, though the attack vector is straightforward given the low complexity (CVSS AC:L). CVSS base score 7.5 (High) reflects network-reachable, unauthenticated access with high availability impact.
Denial of service in Free5GC 4.2.0 NGSetupRequest Handler allows unauthenticated remote attackers to crash the AMF (Access and Mobility Management Function) component via malformed requests. The vulnerability has a publicly available exploit and a vendor-released patch, with EPSS score of 5.3 indicating moderate but real exploitation risk despite low CVSS scoring.
Denial of service in Samsung Exynos chipsets' NAS (Non-Access Stratum) layer allows remote unauthenticated attackers to crash mobile devices via malformed Downlink NAS Transport packets. Affects 23+ Exynos processor and modem variants used in mobile phones, wearables, and cellular modems (980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, 5300, 5400). Despite CVSS 7.5, EPSS shows only 0.02% exploitation probability (5th percentile), and no public exploit or active exploitation confirmed at time of analysis.
Denial of Service in Samsung Exynos processors and modems (including 980, 850, 990, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 1680, 9110, W920, W930, W1000, and Modems 5123, 5300, 5400, 5410) allows unauthenticated remote attackers to cause complete service disruption via network-based attacks requiring low complexity and no user interaction. The vulnerability stems from improper input validation (CWE-20) affecting mobile, wearable, and baseband modem chipsets used across Samsung's semiconductor product line. No public exploit identified at time of analysis, though the CVSS vector indicates trivial exploitation conditions (AV:N/AC:L/PR:N/UI:N) that could enable network-accessible denial of service attacks against devices containing these chipsets.
AMF daemon in OpenAirInterface V2.2.0 crashes upon receipt of malformed NGAP control-plane messages containing mismatched procedure codes or PDU type violations (e.g., successfulOutcome where InitiatingMessage is required). Remote attackers can trigger denial of service without authentication (CVSS AV:N/PR:N), exploiting improper input validation (CWE-20) in 5G core network signaling. Publicly available exploit code exists, SSVC framework classifies as automatable with partial technical impact, and EPSS data not provided but attack simplicity (AC:L) indicates low barrier to exploitation.
Baseband denial-of-service in Samsung Exynos chipsets (980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, 5300, 5400) allows remote attackers to crash mobile device basebands via malformed LTE MAC packets without authentication. The vulnerability affects the L2 layer processing of MAC Control Elements, enabling network-based attacks against cellular connectivity. EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit identified at time of analysis, though the CVSS score of 9.1 reflects the severity of remotely disrupting critical cellular communications infrastructure.
Null pointer dereference in Zephyr RTOS TCP stack during connection teardown allows authenticated remote attackers to cause denial of service. A race condition in tcp_recv() processing of SYN packets causes tcp_conn_search() to return NULL on a released connection, which is then dereferenced without validation in tcp_backlog_is_full(), resulting in a crash. The vulnerability requires low-privilege authentication and is moderately complex to trigger due to timing constraints (AC:H), but results in high availability impact.
Memory exhaustion in libp2p-rendezvous allows unauthenticated attackers to cause denial-of-service via unbounded pagination cookie storage. Remote attackers can repeatedly send protocol-compliant DISCOVER requests to force unlimited HashMap growth without authentication or rate limiting. No public exploit identified at time of analysis, though proof-of-concept exists in maintainer-controlled fork. EPSS data not available for this newly-assigned CVE; CVSS 8.2 reflects high availability impact with low attack complexity.
Unbounded namespace registration in libp2p-rendezvous allows remote unauthenticated attackers to trigger out-of-memory conditions on rendezvous servers. The Rust implementation accepts unlimited unique namespace registrations per peer with 72-hour TTLs, enabling resource exhaustion via repeated REGISTER messages. Confirmed publicly available exploit code exists. CVSS 7.5 (High) reflects network accessibility and lack of authentication barriers, while the straightforward attack vector (simple loop of registration requests) presents immediate risk to public rendezvous nodes critical for peer discovery in libp2p networks.
Directus GraphQL endpoints fail to deduplicate resolver invocations within single requests, allowing authenticated users to exploit GraphQL aliasing for denial-of-service attacks. An attacker with minimal read-only permissions can repeat expensive relational queries using multiple aliases in a single request, forcing concurrent execution of numerous complex database queries that exhaust connection pools and server resources, potentially degrading or crashing the service. No public exploit code has been identified, and this vulnerability requires prior authentication to the Directus instance.
Regular Expression Denial of Service (ReDoS) in @hapi/content npm package versions through 6.0.0 allows unauthenticated remote attackers to crash Node.js processes via a single HTTP request containing maliciously crafted Content-Type or Content-Disposition header values. Three regular expressions used for header parsing contain catastrophic backtracking patterns that can consume unbounded CPU resources. Vendor-released patch available via GitHub (PR #38). No public exploit code identified at time of analysis, though the attack vector is straightforward for any attacker with HTTP request capabilities.
Denial of service in Avahi prior to version 0.9-rc4 allows local unprivileged users to crash avahi-daemon by sending a D-Bus method call with conflicting publish flags. The vulnerability requires local access and low privileges but causes immediate service unavailability. No public exploit code or active exploitation has been confirmed; however, the attack is trivial to execute given the low complexity barrier.
Thread exhaustion in Mesop WebSocket handler (pkg:pip/mesop) allows unauthenticated remote attackers to crash applications via message flooding. The framework spawns unbounded OS threads for each received WebSocket message without rate limiting or pooling, enabling complete denial of service with minimal bandwidth. CVSS 7.5 (High). Publicly available exploit code exists. EPSS data not provided, but the low attack complexity (AC:L) and zero authentication requirement (PR:N) combined with working proof-of-concept significantly elevate real-world exploitation risk. Vendor-released patch available in version 1.2.5 (commit 760a207).
Denial of service in vLLM's VideoMediaIO.load_base64() method allows authenticated remote attackers to crash the server via memory exhaustion by sending API requests with thousands of comma-separated base64-encoded JPEG frames. The vulnerability bypasses the default 32-frame limit enforced in other video loading code paths, allowing attackers to decode gigabytes of image data into memory (e.g., 5000 frames ≈ 4.6 GB for 640x480 RGB) with a small compressed payload. CVSS 6.5 (network-accessible, low complexity, requires authentication, high availability impact); no public exploit code identified at time of analysis.
Denial of service in @nyariv/sandboxjs through unbounded recursion in the parser allows remote attackers to crash Node.js processes by submitting deeply nested expressions (approximately 2000 nested parentheses or brackets), triggering a RangeError that terminates the application. All public API methods (Sandbox.parse, Sandbox.compile, Sandbox.compileAsync, Sandbox.compileExpression, Sandbox.compileExpressionAsync) are vulnerable with no input validation or depth limiting. A proof-of-concept demonstrating the crash exists; no public active exploitation has been reported at the time of analysis.
Memory exhaustion denial of service in jupyterhub-ltiauthenticator 1.6.2 and earlier allows unauthenticated remote attackers to crash the LTI 1.1 validator by submitting repeated requests with unique OAuth nonces. The vulnerability exists because nonces are stored in an unbounded class-level dictionary before signature validation occurs, enabling an attacker with knowledge of a valid consumer key to gradually exhaust server memory without authentication. EPSS score of 5.9 (medium-high) reflects the network attack vector and practical exploitability, though the requirement to know a valid consumer key and achieve high authentication complexity moderates real-world risk.
Resource exhaustion in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows unauthenticated remote attackers to trigger denial of service through maliciously crafted input that overwhelms parsing logic. CVSS 7.5 (High) reflects network-accessible attack vector with low complexity and no prerequisites. EPSS data not provided, but no public exploit or CISA KEV listing identified at time of analysis. Amazon has released patches for Windows, Linux, and macOS platforms.
Denial of service in rust-rpm-sequoia allows local attackers to crash RPM signature verification by submitting specially crafted RPM files that trigger unhandled errors in OpenPGP parsing, preventing legitimate package management operations. CVSS 4.0 (low severity) with a local attack vector and no authentication required. No public exploit code or active exploitation confirmed.
Remote code execution in MLflow's FastAPI job endpoints allows unauthenticated attackers to submit and execute arbitrary jobs when basic-auth is enabled. Network-accessible attackers (CVSS AV:N, PR:N) can bypass authentication entirely on `/ajax-api/3.0/jobs/*` endpoints when `MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`, executing privileged operations including shell commands and filesystem modifications through allowlisted job functions. This authentication bypass (CWE-306) also enables job spam, denial of service, and exposure of job execution results. No public exploit identified at time of analysis, though attack complexity is low (AC:L) requiring no user interaction.
Denial of Service in vLLM OpenAI-compatible API server allows unauthenticated remote attackers to crash the service via a single HTTP request containing an extremely large n parameter. The lack of upper bound validation causes the asyncio event loop to freeze while allocating millions of request object copies, leading to rapid Out-Of-Memory crashes. CVSS 6.5 with moderate real-world risk due to authentication requirement in the disclosed CVSS vector (PR:L), though the description indicates unauthenticated exploitability - a significant discrepancy warranting clarification from the vendor.
Email flooding denial of service in Budibase prior to version 3.23.25 allows unauthenticated remote attackers to overwhelm user inboxes by repeatedly triggering password reset requests without rate limiting, CAPTCHA, or abuse prevention controls. An attacker can send hundreds of password reset emails to a target address in a short time window, causing user harassment, inbox denial of service, and potential reputational damage. This vulnerability has been patched in version 3.23.25.
Use-after-free in Linux kernel NFSD /proc/fs/nfs/exports proc entry allows information disclosure when a network namespace is destroyed while an exports file descriptor remains open. The vulnerability occurs because exports_proc_open() captures a network namespace reference without holding a refcount, enabling nfsd_net_exit() to free the export cache while the fd is still active, leading to subsequent reads dereferencing freed memory. The fix holds a struct net reference for the lifetime of the open file descriptor, preventing namespace teardown while any exports fd is open.
Heap overflow in Linux kernel NFSv4.0 LOCK replay cache allows unauthenticated remote attackers to corrupt kernel memory, resulting in denial of service or potential code execution. The vulnerability exists in nfsd4_encode_operation() which copies encoded LOCK responses up to 1024 bytes into a fixed 112-byte inline buffer without bounds checking, resulting in up to 944 bytes of slab-out-of-bounds writes. Exploitation requires two cooperating NFSv4.0 clients but no special privileges; upstream fixes are available across multiple stable kernel branches.
Out-of-bounds memory access in the Linux kernel bnxt_en driver allows a malicious or compromised Broadcom NetXtreme network interface card to corrupt kernel heap memory or crash the system by supplying an unvalidated 16-bit type field in a debug buffer producer async event, affecting all Linux kernel versions using the vulnerable bnxt driver code path.
Null pointer dereference in Linux kernel mac80211 IEEE 802.11 wireless subsystem crashes AP_VLAN stations during channel bandwidth change operations. The ieee80211_chan_bw_change() function incorrectly accesses link data on VLAN interfaces (such as 4-address WDS clients) where the link structure is uninitialized, leading to kernel panic when dereferencing a NULL channel pointer. Any system with AP_VLAN wireless configurations and active channel state announcement (CSA) operations is vulnerable to local denial of service.
Out-of-bounds read in Linux kernel Bluetooth L2CAP layer allows remote attackers to read adjacent kernel memory via truncated L2CAP_INFO_RSP packets with insufficient payload length. The l2cap_information_rsp() function validates only the fixed 4-byte header but then unconditionally accesses variable-length payload fields (feat_mask at offset +4 and fixed_chan at offset +1) without verifying the payload is present, triggering kernel memory disclosure on specially crafted Bluetooth frames.
Memory leak in Linux kernel atmel-sha204a cryptographic driver allows local denial of service via resource exhaustion. The vulnerability occurs when memory allocation fails during tfm_count counter management; the counter is not properly decremented, causing subsequent read operations to block indefinitely. This affects all Linux kernel versions with the vulnerable atmel-sha204a implementation until patched.
Linux kernel io_uring/poll multishot recv can hang indefinitely when a socket shutdown occurs concurrently with data reception, due to a race condition where accumulated poll wakeups are drained without consuming the persistent HUP event. The vulnerability affects all Linux kernel versions with io_uring poll support and requires a fix to explicitly check for HUP conditions and re-loop when multiple poll activations are pending.
Infinite loop in Linux kernel serial core driver handle_tx() affects systems using uninitialized PORT_UNKNOWN serial ports, where uart_write_room() and uart_write() behave inconsistently regarding null transmit buffers, causing denial of service through system hangs. The vulnerability impacts caif_serial and other drivers that rely on tty_write_room() to determine write capacity. Patch available in upstream kernel commits; no CVSS score assigned due to kernel-specific nature and relatively limited exposure scope.
Linux kernel drm/imagination driver deadlock in soft reset sequence allows local denial of service when the soft reset handler calls disable_irq() from within a threaded IRQ handler context, creating a self-deadlock condition. The fix replaces disable_irq() with disable_irq_nosync() to prevent the handler from waiting on itself. Affected systems running vulnerable kernel versions with imagination GPU drivers can experience system hangs during GPU reset operations; no public exploit code identified at time of analysis.
Linux kernel drm/imagination driver crashes when the GPU runtime PM suspend callback executes concurrently with an IRQ handler attempting to access GPU registers, causing kernel panics with SError interrupts on ARM64 platforms. The vulnerability affects the imagination GPU driver across Linux kernel versions and is triggered when power management suspend operations race with interrupt handling without proper synchronization. The fix adds synchronize_irq() calls to ensure IRQ handlers complete before GPU suspension and removes problematic runtime PM resume calls from the IRQ handler that could cause deadlocks.
Denial of service in Linux kernel amdgpu driver allows local attackers to exhaust system memory by passing an arbitrarily large BO (buffer object) list entry count via userspace, bypassing existing overflow checks but causing excessive allocation and processing delays; fixed by enforcing a 128k entry limit per BO list.
Memory leak in Linux kernel Microchip MPFS system controller driver (mpfs_sys_controller_probe) allows local attackers to exhaust kernel memory by repeatedly triggering the MTD device lookup failure path, eventually causing denial of service through memory exhaustion.
Memory corruption and potential kernel freezes occur in the Linux kernel's IP tunnel implementation when VXLAN or GENEVE tunnels transmit packets, due to incorrect offset calculations in per-CPU statistics tracking on 32-bit systems. The vulnerability arises from iptunnel_xmit_stats() assuming all tunnels use NETDEV_PCPU_STAT_TSTATS, but VXLAN and GENEVE actually use NETDEV_PCPU_STAT_DSTATS with a different memory layout, causing syncp sequence counter overwrites that corrupt statistics or deadlock the kernel. Patch commits are available in the Linux kernel stable tree and address this by adapting the statistics handler and repositioning the pcpu_stat_type field to improve cache efficiency.
Infinite loop in Linux kernel bonding device header parsing allows local denial of service when two bonding devices are stacked. The bond_header_parse() function can recurse indefinitely because skb->dev always points to the top of the device hierarchy. The fix adds a bounded recursion parameter to the header_ops parse() method to ensure the leaf parse method is called and prevent endless loops. This vulnerability affects all Linux kernel versions with the vulnerable bonding code and requires local access to trigger.
Double-free memory corruption in the Linux kernel's TEQL (Trivial Link Equalizer) qdisc implementation allows local attackers to cause kernel crashes via denial of service. The vulnerability occurs when qdisc_reset is called without proper synchronization on lockless Qdisc root configurations, creating a race condition that results in use-after-free and double-free conditions in packet buffer management. This affects all Linux kernel versions with the vulnerable TEQL code path and requires local access to trigger via specially crafted packet scheduling operations.
Linux kernel aqc111 USB driver deadlock in power management allows local denial of service via task hang during runtime suspend. The vulnerability occurs when aqc111_suspend() calls power-managed write operations during device suspension, triggering nested runtime PM calls that deadlock waiting for a state change that never occurs. This blocks the rtnl_lock and freezes the entire networking stack. Affected systems running vulnerable kernel versions with USB AQC111 network adapters are susceptible to local DoS that requires no authentication or user interaction beyond normal device suspension. No public exploit code identified; fix requires kernel upgrade or manual patch application.
Linux kernel NULL pointer dereference in UDP tunnel socket creation when IPv6 is disabled causes denial of service. When CONFIG_IPV6=n, the udp_sock_create6() function incorrectly returns success (0) without creating a socket, leading callers such as fou_create() to dereference an uninitialized pointer. The vulnerability is triggered via netlink socket operations and requires privileged user access; no public exploit code or active exploitation has been identified at time of analysis.
Denial of service in Linux kernel mvpp2 network driver occurs when MTU changes or other operations trigger buffer pool switching on Marvell hardware lacking CM3 SRAM support, causing NULL pointer dereference in flow control register access. Affects systems running vulnerable kernel versions on Marvell Armada platforms where the CM3 SRAM device tree entry is absent; no authentication required. Upstream fix available via stable kernel commits.
Null pointer dereference in Linux kernel arm_mpam memory bandwidth monitoring causes kernel oops when an MSC supporting bandwidth monitoring transitions offline and back online. The mpam_restore_mbwu_state() function fails to initialize a value buffer before passing it to __ris_msmon_read() via IPI, triggering a crash in the bandwidth counter restoration routine. This affects ARM systems with MPAM (Memory Partitioning and Monitoring) support and results in denial of service through system instability when memory controllers are toggled.
A use-after-free vulnerability in the Linux kernel's mshv (Microsoft Hyper-V) driver allows local attackers to trigger a kernel panic by unmapping user memory after a failed mshv_map_user_memory() call. The error path incorrectly calls vfree() without unregistering the associated MMU notifier, leaving a dangling reference that fires when userspace performs subsequent memory operations. This is a memory safety issue affecting the Hyper-V virtualization subsystem in the Linux kernel.
Linux kernel crashes in iommu_sva_unbind_device() when accessing a freed mm structure after iommu_domain_free() deallocates domain->mm->iommu_mm, causing denial of service on systems using IOMMU Shared Virtual Addressing (SVA). The fix reorders code to access the structure before the domain is freed. No CVSS score, EPSS, or KEV status available; no public exploit code identified.
Interrupt storm in Linux kernel dpaa2-switch driver occurs when a bounds check rejects an out-of-bounds if_id in the IRQ handler but fails to clear the interrupt status, causing repeated spurious interrupts. This denial-of-service condition affects the NXP DPAA2 Ethernet switch driver on systems running vulnerable Linux kernel versions. An attacker with the ability to trigger malformed frames or hardware state transitions could exhaust CPU resources through interrupt flooding.
Circular locking dependency in the Linux kernel RDS TCP subsystem's rds_tcp_tune() function, where socket lock contention with fs_reclaim memory allocation creates deadlock potential. The vulnerability affects all Linux kernel versions with the vulnerable code path in net/rds/tcp.c; the fix relocates sk_net_refcnt_upgrade() outside the socket lock critical section to eliminate the circular lock dependency without compromising synchronization semantics.
Denial of service in MariaDB Server: a large packet crashes the server when the caching_sha2_password authentication plugin is enabled and accounts use it, due to unbounded stack allocation in sha256_crypt_r. Authenticated remote attackers can crash the server by sending a crafted large authentication packet. MariaDB versions before 11.4.10, 11.5.0 through 11.8.5, and 12.0.0 through 12.2.1 are affected. No public exploit code or confirmed active exploitation reported at time of analysis.
Unauthenticated server-side request forgery in Ech0's link preview endpoint allows remote attackers to force the application server to perform HTTP/HTTPS requests to arbitrary internal and external targets. The /api/website/title route requires no authentication, performs no URL validation, follows redirects by default, and disables TLS certificate verification (InsecureSkipVerify: true). Attackers can probe internal networks, access cloud metadata services (169.254.169.254), and trigger denial-of-service by forcing the server to download large files into memory via io.ReadAll. Proof-of-concept demonstrates successful exploitation against Docker deployments reaching host-bound services via host.docker.internal. EPSS score not available; no CISA KEV listing indicates this is not yet confirmed as actively exploited in the wild, though publicly available exploit code exists in the GitHub advisory. Vendor-released patch available.
Denial of service via panic in go-jose library (versions prior to v4.1.4 and v3.0.5) occurs when decrypting malformed JSON Web Encryption (JWE) objects that specify a key wrapping algorithm (e.g., RSA-OAEP-KW, ECDH-ES+A128KW) but contain an empty encrypted_key field. The panic is triggered during slice allocation in cipher.KeyUnwrap() when processing ciphertext under 16 bytes, causing immediate application termination. No public exploit identified at time of analysis, though EPSS score of 0.00045 (0.045%) indicates low predicted exploitation probability. Applications limiting accepted key algorithms to non-KW types or using GCM-based key wrapping (A128GCMKW, A192GCMKW, A256GCMKW) are unaffected.
Denial of service in Dokuwiki version 2025-05-14b 'Librarian' release allows remote attackers to crash or disable the application through improper input handling in the media_upload_xhr() function within media.php. The vulnerability requires network access to the media upload endpoint but does not require authentication. No public exploit code, CVSS scoring, or active exploitation has been confirmed at the time of analysis.
Unbounded disk consumption in Rack's multipart parser allows remote denial of service when HTTP requests lack Content-Length headers. Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 fail to enforce size limits on multipart/form-data uploads sent via chunked transfer encoding, enabling unauthenticated attackers to exhaust disk space by streaming arbitrarily large file uploads. CVSS 7.5 (High) reflects the network-accessible, low-complexity attack requiring no privileges. No public exploit identified at time of analysis, though the attack technique is well-understood.
Denial of service in Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 allows unauthenticated remote attackers to consume disproportionate CPU, memory, I/O, and bandwidth by supplying many small overlapping byte ranges in HTTP Range headers, bypassing the existing CVE-2024-26141 fix that only validates total byte coverage. The vulnerability affects Rack's file-serving paths that process multipart byte range responses, enabling attackers to degrade service availability with minimal request complexity.
Denial of service in Rack::Utils.select_best_encoding allows unauthenticated remote attackers to consume disproportionate CPU resources via a crafted Accept-Encoding header containing multiple wildcard entries, affecting Rack versions prior to 2.2.23, 3.1.21, and 3.2.6. The vulnerability exploits quadratic time complexity in the encoding selection algorithm used by Rack::Deflater middleware, enabling a single HTTP request to trigger sustained CPU exhaustion and application unavailability.
Denial of service via algorithmic complexity in Rack multipart parser allows unauthenticated remote attackers to exhaust CPU resources by sending specially crafted multipart/form-data requests with backslash-heavy escaped parameter values. Affects Rack 3.0.0.beta1-3.1.20 and 3.2.0-3.2.5, a critical Ruby web server interface used across Rails and Sinatra applications. CVSS 7.5 (High) with network-accessible attack vector and low complexity. Vendor-released patches available in versions 3.1.21 and 3.2.6. No public exploit identified at time of analysis, though EPSS data not provided to assess probability of exploitation.
Denial of service in Apache Traffic Server 9.0.0-9.2.12 and 10.0.0-10.1.1 caused by improper handling of POST requests that triggers a server crash under specific conditions. The vulnerability affects all instances of the affected versions and requires no authentication or special privileges to exploit. Vendor-released patches are available in versions 9.2.13 and 10.1.2.
Memory exhaustion in Suricata network IDS/IPS via HTTP/2 CONTINUATION frame flooding allows remote unauthenticated attackers to trigger denial of service, typically forcing operating system termination of the Suricata process. Affects all versions prior to 7.0.15 and 8.0.4. EPSS data not available, but CVSS 7.5 (High) reflects network-accessible attack with low complexity requiring no privileges. No public exploit identified at time of analysis, though the attack technique (HTTP/2 frame flooding) is well-documented in protocol security research.
NULL pointer dereference in Suricata 8.0.0 through 8.0.3 causes denial of service when processing malformed TLS traffic with the 'tls.alpn' rule keyword. Remote unauthenticated attackers can crash the IDS/IPS engine by sending specially crafted network packets, completely disabling network security monitoring. EPSS data not available, but the low attack complexity (AC:L) and network vector (AV:N) combined with high availability impact (A:H) indicate significant operational risk for organizations relying on Suricata for traffic inspection. No evidence of active exploitation (no CISA KEV listing) or public exploit code identified at time of analysis.
CocoaMQTT library versions prior to 2.2.2 allow remote denial of service when parsing malformed MQTT packets from a broker, causing immediate application crashes on iOS, macOS, and tvOS devices. An attacker or compromised MQTT broker can publish a 4-byte malformed payload with the RETAIN flag to persist it indefinitely, ensuring every vulnerable client that subscribes receives the crash-inducing packet, effectively bricking the application until manual intervention on the broker. The vulnerability requires an authenticated user context (PR:L in CVSS vector) but impacts application availability with high severity; patch version 2.2.2 is available.
Denial of Service in Red Hat Build of Keycloak allows unauthenticated remote attackers to exhaust server resources by submitting specially crafted POST requests with excessively long scope parameters to the OpenID Connect token endpoint. No public exploit identified at time of analysis, but CVSS 7.5 (High) with network attack vector and low complexity indicates straightforward exploitation. Authentication requirements: unauthenticated (CVSS PR:N). The vulnerability stems from improper resource management (CWE-1050), enabling attackers to cause prolonged processing times and service disruption without any authentication or user interaction.
Denial of service in gleam-wisp wisp 0.2.0 through 2.2.1 allows unauthenticated remote attackers to exhaust server memory or disk by sending arbitrarily large multipart form submissions that bypass configured size limits. The multipart_body and multipart_headers parsing functions fail to properly decrement resource quotas for chunks lacking multipart boundaries, enabling attackers to accumulate unbounded data in a single HTTP request. Patch available as of version 2.2.2.
Resource exhaustion in Nothings stb library versions up to 1.22 allows unauthenticated remote attackers to cause denial of service through the setup_free function in stb_vorbis.c when processing malformed audio data. The vulnerability has publicly available exploit code and a low CVSS score of 4.3 reflecting limited impact, but represents a real availability risk in applications embedding this widely-used header-only graphics and audio library.
Denial of service in PraisonAI's MCPToolIndex.search_tools() allows authenticated remote attackers to block the Python thread for hundreds of seconds via a crafted regular expression causing catastrophic backtracking. The vulnerable function compiles caller-supplied query strings directly as regex patterns without validation, timeout, or exception handling. A single malicious request can sustain complete service outage, and the MCP server HTTP transport runs without authentication by default, significantly lowering the practical barrier to exploitation despite the CVSS requiring PR:L.
IBM Aspera Shares 1.9.9 through 1.11.0 lacks proper rate limiting on authenticated user email submissions, allowing high-privilege users to trigger email flooding or denial of service conditions. The vulnerability requires authentication at the admin or high-privilege level and results in service availability degradation rather than data compromise. EPSS exploitation probability is low (2.7 CVSS, high privilege requirement), and no public exploit code or active exploitation has been identified at time of analysis.
Ella Core panics and crashes when processing malformed NGAP handover failure messages from a gNodeB, causing a denial of service for all connected mobile subscribers. An authenticated attacker with high privileges on the radio network can force a gNodeB to send crafted NGAP handover failure messages that trigger a null pointer dereference in Ella Core's handover handler, terminating the core network process. No public exploit code or active exploitation has been identified.
Haraka email server crashes when processing emails with `__proto__` as a header name, enabling remote unauthenticated denial of service. Attackers can send a specially crafted email via SMTP to crash worker processes, disrupting email delivery. In single-process deployments, the entire server becomes unavailable; in cluster mode, all active sessions are terminated. No public exploit identified at time of analysis beyond the published proof-of-concept code, though exploitation requires only basic SMTP access.
Denial of service vulnerability in Nothings stb image library (stb_image.h) affecting GIF decoder function stbi__gif_load_next allows remote attackers to trigger application crashes through specially crafted GIF files. The vulnerability impacts stb versions up to 2.30, requires user interaction to open a malicious GIF, and has publicly available exploit code with no vendor patch available despite early disclosure.
Aiohttp prior to version 3.13.4 allocates entire multipart form fields into memory before validating against the client_max_size limit, enabling unauthenticated remote attackers to cause denial of service through memory exhaustion. The vulnerability affects all versions before 3.13.4 and carries a low CVSS score (2.7) reflecting limited availability impact, with no public exploit code or active exploitation confirmed at time of analysis.
Memory exhaustion vulnerability in aiohttp prior to version 3.13.4 allows unauthenticated remote attackers to trigger denial of service via specially crafted HTTP responses containing excessive multipart headers. The vulnerability exploits insufficient memory limits during multipart header parsing, causing the server or client to consume more memory than intended. CVSS 6.6 (medium-high availability impact) with no public exploit code identified at time of analysis.