Denial Of Service
Monthly
Heap corruption in Google Chrome on macOS prior to version 148.0.7778.216 can be triggered remotely through a crafted HTML page combined with specific user interface gestures, leveraging a use-after-free condition in the WebAppInstalls component. Chrome rates this as High severity and has shipped a patched stable channel release, though no public exploit identified at time of analysis and EPSS estimates exploitation probability at just 0.03%.
Sandbox escape in Google Chrome on Linux prior to 148.0.7778.216 allows remote attackers to leverage a WebRTC use-after-free condition through a crafted HTML page to break out of the renderer sandbox. The flaw was reported by the Chrome security team and rated High severity by Chromium, with no public exploit identified at time of analysis and an EPSS score of 0.03% (10th percentile) suggesting low near-term exploitation likelihood. Successful exploitation requires user interaction (visiting a malicious page) and high attack complexity, but the scope-changing impact (S:C) and full CIA compromise make it a meaningful browser-targeted risk.
Remote code execution in Google Chrome for Windows versions prior to 148.0.7778.216 stems from a use-after-free condition in the UI component, allowing remote attackers to execute arbitrary code by luring a user to a crafted HTML page. Chromium rated the issue High severity and CVSS 8.8 reflects the network-reachable, low-complexity nature of the bug, tempered only by required user interaction (visiting the malicious page). No public exploit identified at time of analysis and the CVE is not currently listed in CISA KEV.
Sandboxed remote code execution in Google Chrome desktop versions prior to 148.0.7778.216 stems from a use-after-free defect in the Glic component, allowing a remote attacker to corrupt memory and execute arbitrary code within the renderer sandbox when a victim visits a crafted HTML page. Google has rated the Chromium severity as High and shipped a Stable channel update; no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. The CVSS 8.8 score reflects network reachability and user interaction (loading a page), with full impact to confidentiality, integrity, and availability inside the sandboxed process.
Sandbox escape in Google Chrome's WebGL component (versions prior to 148.0.7778.216) allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High severity by Chromium, requiring user interaction (visiting a page) and a prior renderer compromise, making it a second-stage exploit primitive. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.03%.
Arbitrary code execution in Google Chrome on macOS prior to 148.0.7778.216 stems from a use-after-free condition in the Bluetooth component, exploitable through a malicious browser extension. Chromium rates the severity as High, and while CVSS scores it 8.1 with network attack vector, real-world exploitation requires the victim to install an attacker-controlled extension. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.01%.
Remote code execution in Google Chrome's WebRTC component (versions prior to 148.0.7778.216) allows a remote attacker to execute arbitrary code within the browser sandbox by enticing a victim to load a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High by Chromium's security team, and while no public exploit identified at time of analysis, the CVSS 8.8 score reflects the low-complexity network-based attack vector combined with the high impact across confidentiality, integrity, and availability. User interaction (visiting a malicious page) is required, but otherwise no authentication or privileges are needed.
Heap corruption in Google Chrome's SurfaceCapture component (versions prior to 148.0.7778.216) allows a remote attacker to potentially execute arbitrary code by luring a user to a crafted HTML page. The flaw is a use-after-free issue rated High severity by the Chromium project, with a CVSS score of 8.8 reflecting low complexity and no authentication, though user interaction is required. There is no public exploit identified at time of analysis and EPSS is very low (0.03%, 11th percentile), but the historical pattern of Chrome UAF bugs being weaponized makes patching urgent.
Heap corruption in Google Chrome's PDFium component before version 148.0.7778.216 lets a remote attacker trigger a use-after-free condition by serving a crafted PDF, opening the door to code execution within the renderer process. The flaw carries a CVSS 8.8 (High) rating and requires user interaction (UI:R) to open or render the malicious document. EPSS is currently very low (0.03%, 11th percentile) and no public exploit has been identified at time of analysis, though Chrome PDFium UAFs have a long history of weaponization in browser exploit chains.
Sandboxed arbitrary code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free condition in the PDF component that remote attackers can trigger by serving a crafted PDF file. The flaw carries a CVSS 8.8 rating reflecting network reach with required user interaction (opening or rendering a malicious PDF), and no public exploit identified at time of analysis though Google rates the underlying Chromium severity as High.
Remote code execution in Google Chrome on iOS prior to 148.0.7778.216 allows attackers to exploit a use-after-free memory corruption flaw when a victim is lured to a malicious HTML page and performs specific UI gestures. The issue carries a CVSS 7.5 (High) score with high attack complexity and required user interaction, and no public exploit has been identified at time of analysis.
Heap corruption in Google Chrome's TabStrip component before version 148.0.7778.216 allows remote attackers to potentially achieve code execution by serving a crafted HTML page and inducing the victim to perform specific UI gestures. Chromium rates the issue High severity, but EPSS places exploitation probability at just 0.03% (11th percentile) and no public exploit identified at time of analysis, reflecting the high attack complexity and required user interaction.
Remote code execution in Google Chrome's WebAudio component (versions prior to 148.0.7778.216) allows a remote attacker to execute arbitrary code inside the renderer sandbox via a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High severity by Chromium, with a CVSS score of 8.8 reflecting low attack complexity and no authentication required, though user interaction (visiting a page) is needed. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 enables remote attackers to break out of the renderer process sandbox by enticing a user to visit a crafted HTML page that triggers a use-after-free condition in the UI component. Chromium rates the severity as High, and a vendor patch is available; no public exploit identified at time of analysis and EPSS exploitation probability is currently very low (0.03%, 11th percentile).
Sandbox escape in Google Chrome on Windows before 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page leveraging a use-after-free in Core. The flaw is rated High by Chromium and carries CVSS 8.3, but EPSS is very low (0.03%) and no public exploit identified at time of analysis, so it is most relevant as the second stage of a multi-bug exploit chain rather than a standalone entry vector.
Sandbox escape in Google Chrome on macOS before 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page that triggers a use-after-free in the Views UI component. The flaw is rated High severity by Chromium and carries a CVSS 8.3 due to scope change, but EPSS is only 0.03% and there is no public exploit identified at time of analysis. Exploitation is realistic only as the second stage of a chained renderer compromise rather than a standalone drive-by attack.
Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in the browser's XML handling component, allowing a remote attacker to execute arbitrary code inside the renderer sandbox via a crafted HTML page. Chromium rates the severity as High with a CVSS 3.1 score of 8.8, and exploitation requires user interaction such as visiting a malicious site. No public exploit identified at time of analysis, but use-after-free flaws in Chrome's XML parsing have historically been chained with sandbox escapes for full system compromise.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free condition in the ANGLE graphics translation layer that lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. Google rates this High severity and a vendor patch is available, but EPSS scoring (0.03%, 11th percentile) is low and no public exploit identified at time of analysis, suggesting it has not yet been weaponized broadly.
Remote code execution in Google Chrome on Windows prior to version 148.0.7778.216 allows attackers to execute arbitrary code within the renderer sandbox by enticing a victim to visit a crafted HTML page that triggers a use-after-free condition in the Media component. Rated High severity by Chromium with a CVSS 8.8 score, the flaw requires user interaction (visiting a malicious page) but no authentication, and no public exploit identified at time of analysis.
Remote code execution in Google Chrome (ANGLE component) prior to version 148.0.7778.216 allows a remote attacker to execute arbitrary code inside the renderer sandbox via a crafted HTML page. The flaw is a use-after-free memory corruption issue (CWE-416) rated High severity by Chromium and CVSS 8.8, requiring only that a victim visit a malicious page. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Sandbox escape in Google Chrome on Windows versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a use-after-free flaw in the UI component, triggered by a crafted HTML page. Chromium rates this High severity and a vendor patch is available, though no public exploit has been identified at time of analysis and EPSS exploitation probability is very low (0.03%, 11th percentile).
Sandbox escape in Google Chrome on macOS prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the GPU/GFX sandbox via a crafted HTML page, leveraging a use-after-free condition. The flaw is rated High severity by Chromium (CVSS 8.3) and requires user interaction plus a chained renderer compromise; no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.03%).
Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in the Aura UI framework component. A remote attacker who lures a user to a malicious HTML page and convinces them to perform specific UI gestures can execute arbitrary code within the browser process. No public exploit identified at time of analysis, and the CVSS 7.5 score reflects high attack complexity combined with required user interaction.
Use-after-free in the Input component of Google Chrome prior to 148.0.7778.216 allows a remote attacker to trigger heap corruption when a victim is lured to a crafted HTML page and performs specific UI gestures. Chromium rates the severity High, and while no public exploit identified at time of analysis and EPSS is very low (0.03%, 11th percentile), the bug class historically yields renderer RCE when chained with a sandbox escape. A vendor patch is available in the stable channel update referenced by Google.
Sandbox escape in Google Chrome on Windows prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the renderer sandbox via a use-after-free in the ANGLE graphics layer. Exploitation requires user interaction (visiting a crafted HTML page) and a pre-existing renderer compromise, so it functions as the second stage of an exploit chain rather than a standalone RCE. No public exploit identified at time of analysis and EPSS is very low (0.03%), but Chrome rates the underlying flaw as High severity.
Sandbox escape in Google Chrome's GPU process prior to version 148.0.7778.216 lets a remote attacker who has already gained code execution inside the renderer process break out of Chrome's sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium and carries CVSS 8.3 (AV:N/AC:H/PR:N/UI:R/S:C). EPSS is very low (0.03%), and there is no public exploit identified at time of analysis, but the bug is part of a stable-channel security release shipped by Google.
Remote code execution in Google Chrome's ANGLE graphics layer prior to version 148.0.7778.216 allows attackers to run arbitrary code inside the browser sandbox when a victim visits a crafted HTML page. The flaw is a use-after-free memory corruption issue (CWE-416) reported internally by the Chrome team and rated High by Chromium; no public exploit identified at time of analysis, though Chrome UAF bugs in ANGLE are historically attractive targets and pair well with sandbox escapes.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 enables remote attackers, who have already compromised the renderer process, to break out of the browser sandbox via a use-after-free flaw in the ANGLE graphics translation layer. Exploitation requires user interaction (visiting a crafted HTML page) and a prior renderer compromise, making this a second-stage primitive in a chained attack. EPSS is low at 0.03% and there is no public exploit identified at time of analysis, though Google rates the underlying Chromium severity as High.
Heap corruption in Google Chrome's Skia graphics library affects all versions prior to 148.0.7778.216 and can be triggered by a remote attacker hosting a crafted HTML page. Successful exploitation requires user interaction (visiting the page) but yields high confidentiality, integrity, and availability impact within the renderer context. No public exploit is identified at time of analysis and EPSS is very low (0.03%), though Chromium rates the severity as High and a vendor patch is available.
Renderer-to-browser sandbox escape in Google Chrome on macOS prior to 148.0.7778.216 enables remote code execution via a use-after-free in the GPU process. An attacker who has already compromised the renderer can leverage a crafted HTML page to corrupt GPU process memory and execute arbitrary code outside the renderer sandbox. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but Chromium rates the underlying severity as High.
Sandbox escape in Google Chrome on Windows prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page exploiting a use-after-free in the Accessibility component. Chromium rates the severity as High and a vendor patch is available, but no public exploit has been identified at time of analysis and EPSS exploitation probability remains very low at 0.03%.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free condition in the ANGLE graphics translation layer, triggered when a victim visits a crafted HTML page. Remote attackers can potentially break out of Chrome's renderer sandbox to gain broader access on the host system. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.03% (11th percentile), though the Chromium team rated severity as High.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page that triggers a use-after-free in the Accessibility component. Chromium rates the issue High severity and a vendor patch is available, though no public exploit identified at time of analysis and EPSS exploitation probability is currently low (0.03%, 11th percentile).
Sandbox escape and arbitrary code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in the ANGLE graphics translation layer. An attacker who has already compromised the renderer process can leverage a crafted HTML page to break memory safety and execute code in a higher-privileged context. No public exploit identified at time of analysis, though Chromium rates the underlying severity as High.
Sandbox escape in Google Chrome's ANGLE graphics layer prior to version 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High severity by Chromium with a CVSS score of 8.3, but EPSS exploitation probability is currently very low at 0.03% and no public exploit has been identified at time of analysis.
Remote code execution in Google Chrome prior to 148.0.7778.216 enables a remote attacker to execute arbitrary code within the renderer sandbox by luring a user to a crafted HTML page that triggers a use-after-free in the DOM implementation. The flaw carries a CVSS 8.8 (High) rating reflecting network reach with required user interaction, and Google has rated the Chromium severity as High; no public exploit is identified at the time of analysis and the issue is not listed in CISA KEV.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of Chrome's sandbox via a use-after-free in the GPU process. Chrome rates the underlying memory corruption as High severity, and while no public exploit identified at time of analysis, the bug is part of a chained-exploit class historically weaponized against browsers. EPSS is very low (0.03%) reflecting the prerequisite of an already-compromised renderer rather than a direct one-shot RCE.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the Chromium sandbox via a crafted HTML page that triggers a use-after-free in the Skia graphics library. Google rated this Critical internally, though no public exploit identified at time of analysis and EPSS scores exploitation probability at just 0.03% (11th percentile). The flaw requires chaining with a separate renderer compromise, so it is a second-stage primitive rather than a single-shot RCE.
Sandbox escape in Google Chrome before 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted Chrome Extension exploiting a use-after-free in the Extensions component. Chromium rates the underlying flaw as Critical severity, though no public exploit has been identified at time of analysis and EPSS exploitation probability sits at 0.03% (11th percentile).
Sandbox escape in Google Chrome on Windows prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page targeting the XR (WebXR) component. The flaw is a use-after-free rated Critical by Chromium and CVSS 8.3 (AV:N/AC:H/PR:N/UI:R/S:C); no public exploit identified at time of analysis and EPSS is low at 0.03%, but the bug forms a key link in a multi-stage browser exploit chain.
Sandbox escape in Google Chrome for Android versions prior to 148.0.7778.216 enables a remote attacker who has already compromised the renderer process to break out of the sandbox via a use-after-free flaw in the WebView component. Chromium rates the severity as Critical, and a vendor patch is available; no public exploit identified at time of analysis and EPSS is very low (0.03%, 10th percentile), but the chained-exploit potential against mobile users makes prompt patching important.
Remote code execution in Google Chrome prior to 148.0.7778.216 allows attackers to exploit a use-after-free condition in the Proxy component via a malicious PAC (Proxy Auto-Config) script delivered through a crafted web page. Chromium rates this as Critical severity, and while no public exploit identified at time of analysis, the EPSS score of 0.04% reflects low predicted exploitation activity despite the high CVSS 8.8 rating. Successful exploitation requires user interaction (UI:R) such as visiting an attacker-controlled page that triggers the vulnerable PAC processing path.
Sandbox escape in Google Chrome on macOS prior to 148.0.7778.216 allows a remote attacker to break out of the renderer sandbox by enticing a user to visit a crafted HTML page that triggers a use-after-free in the Base component. Chromium rates the severity Critical and CVSS scores it 9.6, though no public exploit is identified at time of analysis and EPSS exploitation probability is currently very low (0.03%).
Remote code execution in Google Chrome on macOS prior to version 148.0.7778.216 allows attackers to exploit a use-after-free flaw in the Browser component via a malicious HTML page. Rated Critical by Chromium's security team with a CVSS of 8.8, exploitation requires user interaction (visiting a crafted page) but no authentication, and no public exploit identified at time of analysis. A vendor patch is available through the Chrome stable channel update.
Remote code execution in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker to execute arbitrary code via a crafted HTML page exploiting a use-after-free flaw in the Base component. Chromium classifies the severity as Critical, and Google has shipped a stable channel update; no public exploit has been identified at time of analysis. Exploitation requires user interaction (visiting a malicious page), which is the typical drive-by browser attack model.
Sandbox escape in Google Chrome on macOS versions prior to 148.0.7778.216 allows attackers to break out of the browser's renderer sandbox via a use-after-free flaw in the Bluetooth component. Exploitation requires convincing a user to install a malicious Chrome Extension, which then triggers the bug through crafted extension interactions. Chromium rates this Critical severity; no public exploit identified at time of analysis and EPSS remains low (0.01%) despite the high CVSS of 9.0.
Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in ANGLE, the graphics abstraction layer that translates OpenGL ES calls to native GPU APIs. A remote attacker who lures a user into visiting a crafted HTML page can execute arbitrary code within the renderer sandbox, with Chromium rating the severity as Critical. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 enables a remote attacker who has already compromised the renderer process to break out of Chrome's sandbox via a use-after-free flaw in the ANGLE graphics translation layer. Exploitation requires user interaction with a crafted HTML page and is typically chained with a separate renderer-compromise bug. No public exploit identified at time of analysis, and EPSS is very low (0.03%), though Google rated the underlying issue Critical severity.
Sandbox escape in Google Chrome for Android prior to 148.0.7778.216 allows a remote attacker who lures a user to a crafted HTML page to break out of the renderer sandbox by exploiting a use-after-free condition in the WebGL component. Chromium rates the issue Critical and CVSS scores it 9.6 due to the scope change from compromised renderer to host, though EPSS is only 0.03% (10th percentile) and no public exploit identified at time of analysis.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker to exploit a use-after-free condition in the Dawn WebGPU implementation through a crafted HTML page, leading to potential escape from the browser's renderer sandbox. The flaw carries a CVSS 9.6 with scope change reflecting cross-boundary impact, and while no public exploit identified at time of analysis, Google's own classification of the underlying Chromium severity as Critical signals significant risk to end users. EPSS is currently low (0.03%, 11th percentile), suggesting no widespread exploitation has been observed yet despite the severity.
Remote code execution in Google Chrome desktop versions prior to 148.0.7778.216 allows a remote attacker to execute arbitrary code within the renderer sandbox by serving a crafted HTML page that triggers a use-after-free condition in the Network component. Google rates the underlying Chromium issue as Critical severity, and no public exploit identified at time of analysis, though the bug class and reachable attack surface make it a high-priority browser patch.
{block_id}/execute endpoint, which skips the credit validation logic present in manager.py. An attacker with a low-privilege account - including one with zero remaining credits - can exploit this to exhaust platform resources and obtain unlimited AI execution at the operator's expense. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV.
Remote denial of service in Lakeside SysTrack Agent (lsiagent.exe) allows unauthenticated network attackers to crash the endpoint monitoring agent by sending a single malformed UDP packet to the Command ID 30 handler. The flaw was reported by VulnCheck and carries a CVSS 4.0 score of 8.7 reflecting high availability impact with no privileges or user interaction required; no public exploit identified at time of analysis, though VulnCheck has published an advisory describing the trigger.
Partial denial-of-service in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated remote attackers to degrade availability of the Core component via HTTPS. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the vulnerability is trivially reachable with no authentication, no user interaction, and no special conditions, making automated scanning and opportunistic exploitation straightforward despite the limited availability-only impact. No public exploit code and no CISA KEV listing have been identified at time of analysis, and Oracle disclosed this through its May 2026 Critical Patch Update.
Remote denial of service in Oracle Database Server 23.4.0 through 23.26.2 allows unauthenticated network attackers to crash or hang the Net Service component via crafted TLS traffic. The flaw scores CVSS 7.5 with availability-only impact and was disclosed by Oracle in the May 2026 Critical Patch Update; no public exploit identified at time of analysis.
Remote denial-of-service in Oracle Database Server's Net Service component (versions 23.4.0 through 23.26.2) allows unauthenticated attackers with TLS network access to hang or repeatedly crash the listener, producing a complete DoS of database connectivity. The flaw is rated CVSS 7.5 (availability-only) and was disclosed by Oracle in the May 2026 Critical Patch Update; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Remote denial-of-service in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated network attackers to cause a complete hang or repeatable crash of the service via the Mongoapi component over HTTPS. The vulnerability is rated CVSS 7.5 with availability-only impact and no public exploit identified at time of analysis, but the unauthenticated, low-complexity attack profile makes it operationally significant for any internet-exposed ORDS instance.
Cross-product compromise in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows a low-privileged remote attacker who can lure an authenticated user into interacting with a crafted request to gain high-impact read and write access to ORDS-accessible data and cause partial denial of service. Because the CVSS scope is Changed (S:C), successful exploitation may also impact downstream Oracle components beyond ORDS itself. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the 7.9 base score combined with scope change warrants prompt patching.
Denial of service in Kibana's analytics collections management endpoint allows any authenticated user with viewer-level access to render the service completely unavailable. By submitting a request containing an oversized input value, the attacker causes Kibana to consume excessive CPU and memory, crashing the service for all users and requiring manual intervention to restore. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the low privilege bar - viewer access only - significantly elevates real-world risk in multi-tenant or SaaS Elastic deployments.
Denial of service in Elastic Kibana allows an authenticated low-privileged user to crash the Kibana service and deny access to all users by submitting a maliciously crafted Timelion visualization expression. The Timelion expression parser fails to bound the depth of chained function call processing, causing the resulting data structure to grow exponentially and exhaust available server memory. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the low attack complexity and minimal privilege requirements make it an accessible attack surface for any credentialed Kibana user.
Denial of service in Kibana allows any authenticated user to crash or render unresponsive a Kibana instance by sending a specially crafted compressed HTTP request payload. The root cause is an architectural ordering flaw: compressed payloads are decompressed and processed before authorization checks are applied, enabling resource exhaustion (CWE-400, CAPEC-130 Excessive Allocation) at minimal privilege cost. No public exploit identified at time of analysis and no CISA KEV listing, but the low attack complexity and broad authentication base (any valid Kibana login) make this a meaningful availability risk for multi-tenant or internet-exposed deployments.
Denial of service in Kibana allows any authenticated low-privileged user to render the Kibana service unresponsive for all users by submitting an oversized, specially crafted payload to an internal API endpoint. The CVSS vector (AV:N/AC:L/PR:L/UI:N/A:H) confirms straightforward network exploitation requiring only valid low-privileged credentials with no user interaction - a low barrier for any insider or compromised account. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the low complexity and authenticated-but-low-privilege condition makes this a realistic risk in shared Kibana deployments.
Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0-beta.2 allows remote attackers to repeatedly invoke profiling endpoints that the admin router whitelists from authentication. Each request triggers a fixed 60-second CPU profiling operation and leaks the server's absolute filesystem path in the response. CVSS 4.0 scores this 8.8 (High) driven by high availability impact; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
NULL pointer dereference in Ubuntu Linux kernel SAUCE patches (versions 6.8, 6.17, and 7.0) allows an unprivileged local user to trigger a kernel oops, resulting in a denial of service. The flaw resides specifically in Ubuntu's out-of-tree SAUCE patches for AF_INET/AF_INET6 socket mediation - mainline Linux kernel builds are unaffected. No active exploitation is confirmed (not in CISA KEV), no public exploit has been identified at time of analysis, and the CVSS score of 3.3 (Low) accurately reflects the constrained impact: local access only, no confidentiality or integrity loss, and limited availability degradation.
Kernel panic via NULL pointer dereference in Ubuntu Linux 6.8's AppArmor notification handler allows a locally authenticated, unprivileged user to crash the system. The flaw resides in Ubuntu-specific SAUCE patches - out-of-tree modifications maintained by Canonical - meaning the vulnerable code path does not exist in upstream mainline kernels. With a CVSS score of 5.5 and an availability-only impact, the practical consequence is a local denial-of-service: any low-privilege user with shell access can force a kernel panic. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis.
Ubuntu Linux kernels 6.8, 6.17, and 7.0 ship Ubuntu-specific AppArmor SAUCE patches that incorrectly call kfree() on a pointer never allocated via kmalloc(), while simultaneously leaking the legitimately allocated memory. Any unprivileged local user can trigger this kernel memory management flaw, corrupting slab allocator metadata and driving the system toward resource exhaustion or instability. No public exploit code exists and no CISA KEV listing is present at time of analysis; however, CVSS rates availability impact as High given the potential for kernel-level denial of service.
NULL pointer dereference in Ubuntu Linux kernel versions 6.8, 6.17, and 7.0 allows a local unprivileged user to crash the kernel via the AppArmor notification handling path. The flaw exists exclusively in Ubuntu-specific SAUCE patches layered on top of the upstream Linux kernel, meaning only Ubuntu kernels carrying these versions are affected - not upstream Linux or other distributions. No public exploit code or active exploitation has been identified at time of analysis; the impact is limited to a kernel oops (availability loss, CVSS A:L), with no confidentiality or integrity impact.
Memory exhaustion via AppArmor notification handling affects Ubuntu Linux kernel versions carrying Ubuntu-specific SAUCE patches (6.8, 6.17, 7.0). An unprivileged local user can trigger a memory leak by eliciting large responses to AppArmor userspace notifications, repeatedly consuming kernel memory without release. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified, but the low-privilege local trigger lowers the bar for insider or co-tenant abuse in multi-user and container environments.
Denial of service in the Symfony JsonPath component (json-path 7.3.0-7.4.11 and 8.0.0-8.0.11) lets remote attackers exhaust CPU and worker capacity when an application evaluates attacker-influenced JSONPath expressions server-side. The match()/search() filter functions compile caller-supplied patterns directly into preg_match() with no length cap, i-regexp restriction, or backtracking bound, so a crafted pattern like $[?search(@, "(a+)+$")] triggers catastrophic backtracking that pins a core for seconds per request. There is no public exploit identified at time of analysis and EPSS is very low (0.08%), but the pathological pattern is disclosed in the advisory and the fix is available in 7.4.12 and 8.0.12.
File descriptor exhaustion in go.opentelemetry.io/otel/schema v1.0 and v1.1 enables denial of service against long-running Go processes. The ParseFile function in schema/v1.0/parser.go opens schema files via os.Open but never closes them - neither via defer nor by transferring ownership to the downstream Parse(io.Reader) call - leaving descriptors open until the Go garbage collector finalizes the file object. Publicly available exploit code exists demonstrating that repeated ParseFile calls accumulate leaked descriptors until the process receives EMFILE ('too many open files'), disrupting all subsequent file, socket, and descriptor operations. Exploitation is contingent on an application exposing ParseFile invocation to attacker-controlled or attacker-triggered paths.
Privilege escalation in Capsule (the Kubernetes multi-tenancy operator) allows authenticated tenant owners to create cluster-scoped resources - including ClusterRole and ValidatingWebhookConfiguration - by embedding them in TenantResource RawItems, bypassing tenant isolation enforced by the platform. The Capsule Controller's default cluster-admin ClusterRoleBinding means it creates whatever resource it is instructed to process, and its attempt to namespace-scope the resource via obj.SetNamespace() is silently ignored by the Kubernetes API for cluster-scoped kinds. A working proof-of-concept is publicly documented in the GHSA advisory; no CISA KEV listing has been issued at time of analysis.
SAML assertion time-bound enforcement is missing in Casdoor 2.362.0 and earlier, allowing remote attackers to present SAML assertions whose NotBefore/NotOnOrAfter windows have expired and still obtain valid user sessions. The underlying gosaml2 library does compute the time-validity result, but Casdoor's ParseSamlResponse() never reads the assertionInfo.WarningInfo field where those results are reported, so the check is silently discarded. No public exploit identified at time of analysis and EPSS is very low (0.02%, 5th percentile).
Authentication bypass in Casdoor (versions ≤2.362.0) allows remote attackers to replay captured SAML assertions to hijack any user account, including administrators, without credentials or MFA. The SAML service provider implementation lacks assertion ID caching, OneTimeUse condition enforcement, and any form of replay detection, making any intercepted assertion indefinitely reusable. No public exploit identified at time of analysis, but the vulnerability was disclosed via CERT/CC (VU#780781), indicating coordinated vendor notification.
SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arbitrary users by replaying SAML assertions issued for unrelated service providers, because the SP implementation never sets AudienceURI nor inspects NotInAudience warnings from gosaml2. Despite a 9.8 CVSS, EPSS is only 0.02% (5th percentile) and no public exploit identified at time of analysis, though the flaw is reported by CERT/CC which indicates coordinated disclosure rigor.
Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticated attackers to forge SAML assertions signed with attacker-controlled keys, impersonating arbitrary users. The flaw resides in the buildSpCertificateStore function, which trusts the X.509 certificate embedded in the inbound SAMLResponse rather than validating against the pre-configured Identity Provider certificate. No public exploit identified at time of analysis, and EPSS is currently low (0.01%), but SSVC flags the issue as automatable with total technical impact.
Uncontrolled resource consumption in PyJWT 2.8.0-2.12.1 exposes any service that verifies detached JWS tokens to unauthenticated denial-of-service. When the unencoded-payload extension (b64=false, RFC 7797) is in use, PyJWT unnecessarily Base64URL-decodes the compact-serialization payload segment before discarding it in favor of the caller-supplied detached payload - turning that segment into an attacker-controlled amplifier for CPU and memory exhaustion regardless of signature validity. No public exploit has been identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms fully unauthenticated remote exploitation against any affected endpoint using this feature.
Memory exhaustion in pypdf prior to 6.12.0 allows an attacker who supplies a crafted PDF to cause large memory consumption in any application that processes it using layout mode text extraction. The vulnerability is triggered by PDFs containing text positioning operators with abnormally large x- or y-coordinate offsets, causing the library to allocate unbounded whitespace and newline characters during rendering. No confirmed active exploitation exists (not in CISA KEV), and SSVC rates this as non-automatable with partial technical impact, placing it in a lower operational priority tier despite the straightforward exploitation mechanic.
Memory exhaustion in pypdf's XMP metadata parser allows denial of service via specially crafted PDF files containing oversized or element-dense XMP blocks, affecting all versions prior to 6.12.1. The vulnerability stems from an absence of input limits in the XML-based XMP parsing subsystem (CWE-770), meaning processing a malicious PDF can consume unbounded system memory. No public exploit code has been identified at time of analysis, and no confirmed active exploitation exists; however, the patch diff is publicly visible on GitHub, making trivial exploit construction feasible.
Out-of-bounds write in bzip2's bzip2recover utility allows a local attacker to supply a specially crafted file that triggers an off-by-one error, corrupting a global buffer and crashing the process. Per the CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:N), the attack requires no privileges and no user interaction beyond the utility being invoked against a malicious file. Impact is strictly denial of service against the bzip2recover process - no confidentiality or integrity exposure - and the CVSS 4.0 score of 5.1 (Medium) reflects this constrained scope. No public exploit or active exploitation has been identified at time of analysis.
Null pointer dereference in the Linux kernel's saa7164 media driver can crash the kernel when ioremap() fails during PCI device initialization. Systems with SAA7164-based PCIe capture cards (e.g., Phillips/NXP SAA7164) running unpatched kernel versions from 2.6.32 through stable branches prior to 6.6.140, 6.12.90, 6.18.32, and 7.0.9 are affected. A local, low-privileged attacker who can trigger driver initialization under memory pressure conditions may cause a kernel oops or panic, resulting in denial of service. No public exploit exists and EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation probability at this time.
NULL pointer dereference in the Linux kernel's batman-adv Bridge Loop Avoidance (BLA) subsystem enables local denial of service via kernel panic. The race condition exists in batadv_bla_purge_claims(), which traverses the claim hash list under rcu_read_lock() without accounting for concurrent claim releases - when batadv_claim_release() NULLs the backbone_gw pointer mid-traversal, a subsequent call to batadv_bla_claim_get_backbone_gw() on the partially-freed claim triggers a NULL dereference. Exploitation requires local low-privilege access on systems actively running batman-adv with BLA enabled; no active exploitation is confirmed and EPSS stands at 0.02% (5th percentile).
NULL pointer dereference in the Linux kernel's Rockchip RKCIF (Camera Interface) media driver crashes the kernel when a local user enables streaming on a video device with no connected subdevice. Affected systems are Rockchip SoC-based platforms running Linux kernel versions from the introduction of the rkcif driver up through 6.19. A low-privileged local attacker can trigger a kernel panic - full denial of service - via the standard V4L2 VIDIOC_STREAMON ioctl. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS of 0.02% (5th percentile) reflects the narrow hardware-specific attack surface.
Kernel panic via reachable assertion in the Linux kernel's AMDGPU SDMA v4 driver allows a local low-privileged user to crash the system by submitting crafted GPU command buffers. The sdma_v4_0_ring_emit_fence() function contains BUG_ON() assertions verifying dword-alignment of fence writeback addresses; these assertions are reachable through the DRM_IOCTL_AMDGPU_CS ioctl from unprivileged userspace, causing a fatal panic in a kernel scheduler worker thread. No public exploit or active exploitation has been identified at time of analysis, and EPSS at 0.02% reflects low exploitation likelihood, but the impact on shared GPU compute systems warrants prompt patching.
Null pointer dereference in the Linux kernel's Intel Xe DRM HDCP GSC subsystem allows a local, low-privileged user to crash the kernel when media GT is disabled via configfs. The function `intel_hdcp_gsc_check_status()` evaluates `>->uc.gsc` without first verifying that `media_gt` is non-NULL, producing a kernel pagefault on systems where media GT has been explicitly disabled through the configfs interface. Exploitation yields a denial of service (kernel panic) with no confidentiality or integrity impact; no public exploit identified at time of analysis, and EPSS probability is 0.02% (5th percentile), indicating very low exploitation likelihood in the wild.
NULL pointer dereference and silent error suppression in the Linux kernel's Qualcomm MSM DRM/GEM subsystem allows a low-privileged local user to crash the kernel (denial of service) via a crafted GEM_INFO ioctl call. The msm_ioctl_gem_info_get_metadata() function unconditionally returns 0 on error and fails to check kmemdup() for a NULL return, enabling a dereference in the subsequent copy_to_user() call. No public exploit has been identified at time of analysis and EPSS is 0.02% (5th percentile), reflecting minimal real-world exploitation pressure despite the confirmed availability of upstream patch commits.
Memory corruption in the Linux kernel SMB client (cifs) allows a malicious SMB server to trigger out-of-bounds reads and potential dereferences in the DACL parsing path on 32-bit builds. The flaw resides in parse_sec_desc(), build_sec_desc(), and id_mode_to_cifs_acl(), where a server-supplied dacloffset value near U32_MAX can wrap around and bypass pointer-based bounds checks during chmod/chown operations against SMB shares. EPSS is very low at 0.02% and there is no public exploit identified at time of analysis, but the issue is a confirmed kernel bug with upstream fixes already merged.
NULL pointer dereference in the Linux kernel's octeon_ep_vf driver crashes the kernel when napi_build_skb() fails during memory allocation in the receive path. Systems running kernels from the introduction of the octeon_ep_vf driver (commit 1cd3b407977c) through multiple stable branches are affected where Marvell Octeon EP VF network adapters are in use. A local, low-privileged attacker who can induce memory pressure while network traffic flows through an Octeon EP VF interface can trigger a kernel panic, resulting in full system unavailability. No public exploit code exists, EPSS is 0.02% (5th percentile), and this vulnerability has not been added to CISA KEV.
Division by zero in the Linux kernel's ua101 USB audio driver allows a local attacker to crash the kernel by presenting a crafted USB device with a malformed audio class descriptor. The ua101 driver's `detect_usb_format()` function fails to validate the `bNrChannels` field before use, so a device reporting `bNrChannels = 0` causes `frame_bytes` to become zero, which is subsequently used as a divisor in both `playback_urb_complete()` and `capture_urb_complete()` URB handlers, triggering a fatal kernel panic. No public exploit has been identified and EPSS is 0.02% (5th percentile), but the vulnerability affects multiple supported stable branches and patches are available across all of them.
Local privilege escalation or denial-of-service in the Linux kernel's RDMA/mlx4 InfiniBand driver stems from improper RCU synchronization in mlx4_srq_event(), where the mlx4_srq structure is never freed via RCU and can be accessed before initialization completes. Local low-privileged users on systems using Mellanox ConnectX (mlx4) RDMA hardware can trigger a race condition leading to memory corruption or kernel crash, with CVSS 7.8 reflecting high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and EPSS scores this at just 0.02%, indicating minimal real-world exploitation likelihood.
Denial of service in the Linux kernel ALSA USB audio subsystem allows a local attacker to hang a CPU core indefinitely by presenting a malformed USB audio class v3 channel map descriptor. The affected function `convert_chmap_v3()` uses the descriptor field `cs_desc->wLength` as a loop increment without validating it, so a zero-length descriptor causes an unescapable infinite loop that saturates a CPU core until the process is killed or the system rebooted. No active exploitation has been confirmed - the vulnerability is absent from CISA KEV, and the EPSS score of 0.02% at the 5th percentile indicates negligible current attacker interest.
Heap corruption in Google Chrome on macOS prior to version 148.0.7778.216 can be triggered remotely through a crafted HTML page combined with specific user interface gestures, leveraging a use-after-free condition in the WebAppInstalls component. Chrome rates this as High severity and has shipped a patched stable channel release, though no public exploit identified at time of analysis and EPSS estimates exploitation probability at just 0.03%.
Sandbox escape in Google Chrome on Linux prior to 148.0.7778.216 allows remote attackers to leverage a WebRTC use-after-free condition through a crafted HTML page to break out of the renderer sandbox. The flaw was reported by the Chrome security team and rated High severity by Chromium, with no public exploit identified at time of analysis and an EPSS score of 0.03% (10th percentile) suggesting low near-term exploitation likelihood. Successful exploitation requires user interaction (visiting a malicious page) and high attack complexity, but the scope-changing impact (S:C) and full CIA compromise make it a meaningful browser-targeted risk.
Remote code execution in Google Chrome for Windows versions prior to 148.0.7778.216 stems from a use-after-free condition in the UI component, allowing remote attackers to execute arbitrary code by luring a user to a crafted HTML page. Chromium rated the issue High severity and CVSS 8.8 reflects the network-reachable, low-complexity nature of the bug, tempered only by required user interaction (visiting the malicious page). No public exploit identified at time of analysis and the CVE is not currently listed in CISA KEV.
Sandboxed remote code execution in Google Chrome desktop versions prior to 148.0.7778.216 stems from a use-after-free defect in the Glic component, allowing a remote attacker to corrupt memory and execute arbitrary code within the renderer sandbox when a victim visits a crafted HTML page. Google has rated the Chromium severity as High and shipped a Stable channel update; no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. The CVSS 8.8 score reflects network reachability and user interaction (loading a page), with full impact to confidentiality, integrity, and availability inside the sandboxed process.
Sandbox escape in Google Chrome's WebGL component (versions prior to 148.0.7778.216) allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High severity by Chromium, requiring user interaction (visiting a page) and a prior renderer compromise, making it a second-stage exploit primitive. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.03%.
Arbitrary code execution in Google Chrome on macOS prior to 148.0.7778.216 stems from a use-after-free condition in the Bluetooth component, exploitable through a malicious browser extension. Chromium rates the severity as High, and while CVSS scores it 8.1 with network attack vector, real-world exploitation requires the victim to install an attacker-controlled extension. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.01%.
Remote code execution in Google Chrome's WebRTC component (versions prior to 148.0.7778.216) allows a remote attacker to execute arbitrary code within the browser sandbox by enticing a victim to load a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High by Chromium's security team, and while no public exploit identified at time of analysis, the CVSS 8.8 score reflects the low-complexity network-based attack vector combined with the high impact across confidentiality, integrity, and availability. User interaction (visiting a malicious page) is required, but otherwise no authentication or privileges are needed.
Heap corruption in Google Chrome's SurfaceCapture component (versions prior to 148.0.7778.216) allows a remote attacker to potentially execute arbitrary code by luring a user to a crafted HTML page. The flaw is a use-after-free issue rated High severity by the Chromium project, with a CVSS score of 8.8 reflecting low complexity and no authentication, though user interaction is required. There is no public exploit identified at time of analysis and EPSS is very low (0.03%, 11th percentile), but the historical pattern of Chrome UAF bugs being weaponized makes patching urgent.
Heap corruption in Google Chrome's PDFium component before version 148.0.7778.216 lets a remote attacker trigger a use-after-free condition by serving a crafted PDF, opening the door to code execution within the renderer process. The flaw carries a CVSS 8.8 (High) rating and requires user interaction (UI:R) to open or render the malicious document. EPSS is currently very low (0.03%, 11th percentile) and no public exploit has been identified at time of analysis, though Chrome PDFium UAFs have a long history of weaponization in browser exploit chains.
Sandboxed arbitrary code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free condition in the PDF component that remote attackers can trigger by serving a crafted PDF file. The flaw carries a CVSS 8.8 rating reflecting network reach with required user interaction (opening or rendering a malicious PDF), and no public exploit identified at time of analysis though Google rates the underlying Chromium severity as High.
Remote code execution in Google Chrome on iOS prior to 148.0.7778.216 allows attackers to exploit a use-after-free memory corruption flaw when a victim is lured to a malicious HTML page and performs specific UI gestures. The issue carries a CVSS 7.5 (High) score with high attack complexity and required user interaction, and no public exploit has been identified at time of analysis.
Heap corruption in Google Chrome's TabStrip component before version 148.0.7778.216 allows remote attackers to potentially achieve code execution by serving a crafted HTML page and inducing the victim to perform specific UI gestures. Chromium rates the issue High severity, but EPSS places exploitation probability at just 0.03% (11th percentile) and no public exploit identified at time of analysis, reflecting the high attack complexity and required user interaction.
Remote code execution in Google Chrome's WebAudio component (versions prior to 148.0.7778.216) allows a remote attacker to execute arbitrary code inside the renderer sandbox via a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High severity by Chromium, with a CVSS score of 8.8 reflecting low attack complexity and no authentication required, though user interaction (visiting a page) is needed. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 enables remote attackers to break out of the renderer process sandbox by enticing a user to visit a crafted HTML page that triggers a use-after-free condition in the UI component. Chromium rates the severity as High, and a vendor patch is available; no public exploit identified at time of analysis and EPSS exploitation probability is currently very low (0.03%, 11th percentile).
Sandbox escape in Google Chrome on Windows before 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page leveraging a use-after-free in Core. The flaw is rated High by Chromium and carries CVSS 8.3, but EPSS is very low (0.03%) and no public exploit identified at time of analysis, so it is most relevant as the second stage of a multi-bug exploit chain rather than a standalone entry vector.
Sandbox escape in Google Chrome on macOS before 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page that triggers a use-after-free in the Views UI component. The flaw is rated High severity by Chromium and carries a CVSS 8.3 due to scope change, but EPSS is only 0.03% and there is no public exploit identified at time of analysis. Exploitation is realistic only as the second stage of a chained renderer compromise rather than a standalone drive-by attack.
Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in the browser's XML handling component, allowing a remote attacker to execute arbitrary code inside the renderer sandbox via a crafted HTML page. Chromium rates the severity as High with a CVSS 3.1 score of 8.8, and exploitation requires user interaction such as visiting a malicious site. No public exploit identified at time of analysis, but use-after-free flaws in Chrome's XML parsing have historically been chained with sandbox escapes for full system compromise.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free condition in the ANGLE graphics translation layer that lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. Google rates this High severity and a vendor patch is available, but EPSS scoring (0.03%, 11th percentile) is low and no public exploit identified at time of analysis, suggesting it has not yet been weaponized broadly.
Remote code execution in Google Chrome on Windows prior to version 148.0.7778.216 allows attackers to execute arbitrary code within the renderer sandbox by enticing a victim to visit a crafted HTML page that triggers a use-after-free condition in the Media component. Rated High severity by Chromium with a CVSS 8.8 score, the flaw requires user interaction (visiting a malicious page) but no authentication, and no public exploit identified at time of analysis.
Remote code execution in Google Chrome (ANGLE component) prior to version 148.0.7778.216 allows a remote attacker to execute arbitrary code inside the renderer sandbox via a crafted HTML page. The flaw is a use-after-free memory corruption issue (CWE-416) rated High severity by Chromium and CVSS 8.8, requiring only that a victim visit a malicious page. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Sandbox escape in Google Chrome on Windows versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a use-after-free flaw in the UI component, triggered by a crafted HTML page. Chromium rates this High severity and a vendor patch is available, though no public exploit has been identified at time of analysis and EPSS exploitation probability is very low (0.03%, 11th percentile).
Sandbox escape in Google Chrome on macOS prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the GPU/GFX sandbox via a crafted HTML page, leveraging a use-after-free condition. The flaw is rated High severity by Chromium (CVSS 8.3) and requires user interaction plus a chained renderer compromise; no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.03%).
Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in the Aura UI framework component. A remote attacker who lures a user to a malicious HTML page and convinces them to perform specific UI gestures can execute arbitrary code within the browser process. No public exploit identified at time of analysis, and the CVSS 7.5 score reflects high attack complexity combined with required user interaction.
Use-after-free in the Input component of Google Chrome prior to 148.0.7778.216 allows a remote attacker to trigger heap corruption when a victim is lured to a crafted HTML page and performs specific UI gestures. Chromium rates the severity High, and while no public exploit identified at time of analysis and EPSS is very low (0.03%, 11th percentile), the bug class historically yields renderer RCE when chained with a sandbox escape. A vendor patch is available in the stable channel update referenced by Google.
Sandbox escape in Google Chrome on Windows prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the renderer sandbox via a use-after-free in the ANGLE graphics layer. Exploitation requires user interaction (visiting a crafted HTML page) and a pre-existing renderer compromise, so it functions as the second stage of an exploit chain rather than a standalone RCE. No public exploit identified at time of analysis and EPSS is very low (0.03%), but Chrome rates the underlying flaw as High severity.
Sandbox escape in Google Chrome's GPU process prior to version 148.0.7778.216 lets a remote attacker who has already gained code execution inside the renderer process break out of Chrome's sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium and carries CVSS 8.3 (AV:N/AC:H/PR:N/UI:R/S:C). EPSS is very low (0.03%), and there is no public exploit identified at time of analysis, but the bug is part of a stable-channel security release shipped by Google.
Remote code execution in Google Chrome's ANGLE graphics layer prior to version 148.0.7778.216 allows attackers to run arbitrary code inside the browser sandbox when a victim visits a crafted HTML page. The flaw is a use-after-free memory corruption issue (CWE-416) reported internally by the Chrome team and rated High by Chromium; no public exploit identified at time of analysis, though Chrome UAF bugs in ANGLE are historically attractive targets and pair well with sandbox escapes.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 enables remote attackers, who have already compromised the renderer process, to break out of the browser sandbox via a use-after-free flaw in the ANGLE graphics translation layer. Exploitation requires user interaction (visiting a crafted HTML page) and a prior renderer compromise, making this a second-stage primitive in a chained attack. EPSS is low at 0.03% and there is no public exploit identified at time of analysis, though Google rates the underlying Chromium severity as High.
Heap corruption in Google Chrome's Skia graphics library affects all versions prior to 148.0.7778.216 and can be triggered by a remote attacker hosting a crafted HTML page. Successful exploitation requires user interaction (visiting the page) but yields high confidentiality, integrity, and availability impact within the renderer context. No public exploit is identified at time of analysis and EPSS is very low (0.03%), though Chromium rates the severity as High and a vendor patch is available.
Renderer-to-browser sandbox escape in Google Chrome on macOS prior to 148.0.7778.216 enables remote code execution via a use-after-free in the GPU process. An attacker who has already compromised the renderer can leverage a crafted HTML page to corrupt GPU process memory and execute arbitrary code outside the renderer sandbox. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but Chromium rates the underlying severity as High.
Sandbox escape in Google Chrome on Windows prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page exploiting a use-after-free in the Accessibility component. Chromium rates the severity as High and a vendor patch is available, but no public exploit has been identified at time of analysis and EPSS exploitation probability remains very low at 0.03%.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free condition in the ANGLE graphics translation layer, triggered when a victim visits a crafted HTML page. Remote attackers can potentially break out of Chrome's renderer sandbox to gain broader access on the host system. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.03% (11th percentile), though the Chromium team rated severity as High.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page that triggers a use-after-free in the Accessibility component. Chromium rates the issue High severity and a vendor patch is available, though no public exploit identified at time of analysis and EPSS exploitation probability is currently low (0.03%, 11th percentile).
Sandbox escape and arbitrary code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in the ANGLE graphics translation layer. An attacker who has already compromised the renderer process can leverage a crafted HTML page to break memory safety and execute code in a higher-privileged context. No public exploit identified at time of analysis, though Chromium rates the underlying severity as High.
Sandbox escape in Google Chrome's ANGLE graphics layer prior to version 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High severity by Chromium with a CVSS score of 8.3, but EPSS exploitation probability is currently very low at 0.03% and no public exploit has been identified at time of analysis.
Remote code execution in Google Chrome prior to 148.0.7778.216 enables a remote attacker to execute arbitrary code within the renderer sandbox by luring a user to a crafted HTML page that triggers a use-after-free in the DOM implementation. The flaw carries a CVSS 8.8 (High) rating reflecting network reach with required user interaction, and Google has rated the Chromium severity as High; no public exploit is identified at the time of analysis and the issue is not listed in CISA KEV.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of Chrome's sandbox via a use-after-free in the GPU process. Chrome rates the underlying memory corruption as High severity, and while no public exploit identified at time of analysis, the bug is part of a chained-exploit class historically weaponized against browsers. EPSS is very low (0.03%) reflecting the prerequisite of an already-compromised renderer rather than a direct one-shot RCE.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the Chromium sandbox via a crafted HTML page that triggers a use-after-free in the Skia graphics library. Google rated this Critical internally, though no public exploit identified at time of analysis and EPSS scores exploitation probability at just 0.03% (11th percentile). The flaw requires chaining with a separate renderer compromise, so it is a second-stage primitive rather than a single-shot RCE.
Sandbox escape in Google Chrome before 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted Chrome Extension exploiting a use-after-free in the Extensions component. Chromium rates the underlying flaw as Critical severity, though no public exploit has been identified at time of analysis and EPSS exploitation probability sits at 0.03% (11th percentile).
Sandbox escape in Google Chrome on Windows prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page targeting the XR (WebXR) component. The flaw is a use-after-free rated Critical by Chromium and CVSS 8.3 (AV:N/AC:H/PR:N/UI:R/S:C); no public exploit identified at time of analysis and EPSS is low at 0.03%, but the bug forms a key link in a multi-stage browser exploit chain.
Sandbox escape in Google Chrome for Android versions prior to 148.0.7778.216 enables a remote attacker who has already compromised the renderer process to break out of the sandbox via a use-after-free flaw in the WebView component. Chromium rates the severity as Critical, and a vendor patch is available; no public exploit identified at time of analysis and EPSS is very low (0.03%, 10th percentile), but the chained-exploit potential against mobile users makes prompt patching important.
Remote code execution in Google Chrome prior to 148.0.7778.216 allows attackers to exploit a use-after-free condition in the Proxy component via a malicious PAC (Proxy Auto-Config) script delivered through a crafted web page. Chromium rates this as Critical severity, and while no public exploit identified at time of analysis, the EPSS score of 0.04% reflects low predicted exploitation activity despite the high CVSS 8.8 rating. Successful exploitation requires user interaction (UI:R) such as visiting an attacker-controlled page that triggers the vulnerable PAC processing path.
Sandbox escape in Google Chrome on macOS prior to 148.0.7778.216 allows a remote attacker to break out of the renderer sandbox by enticing a user to visit a crafted HTML page that triggers a use-after-free in the Base component. Chromium rates the severity Critical and CVSS scores it 9.6, though no public exploit is identified at time of analysis and EPSS exploitation probability is currently very low (0.03%).
Remote code execution in Google Chrome on macOS prior to version 148.0.7778.216 allows attackers to exploit a use-after-free flaw in the Browser component via a malicious HTML page. Rated Critical by Chromium's security team with a CVSS of 8.8, exploitation requires user interaction (visiting a crafted page) but no authentication, and no public exploit identified at time of analysis. A vendor patch is available through the Chrome stable channel update.
Remote code execution in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker to execute arbitrary code via a crafted HTML page exploiting a use-after-free flaw in the Base component. Chromium classifies the severity as Critical, and Google has shipped a stable channel update; no public exploit has been identified at time of analysis. Exploitation requires user interaction (visiting a malicious page), which is the typical drive-by browser attack model.
Sandbox escape in Google Chrome on macOS versions prior to 148.0.7778.216 allows attackers to break out of the browser's renderer sandbox via a use-after-free flaw in the Bluetooth component. Exploitation requires convincing a user to install a malicious Chrome Extension, which then triggers the bug through crafted extension interactions. Chromium rates this Critical severity; no public exploit identified at time of analysis and EPSS remains low (0.01%) despite the high CVSS of 9.0.
Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in ANGLE, the graphics abstraction layer that translates OpenGL ES calls to native GPU APIs. A remote attacker who lures a user into visiting a crafted HTML page can execute arbitrary code within the renderer sandbox, with Chromium rating the severity as Critical. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 enables a remote attacker who has already compromised the renderer process to break out of Chrome's sandbox via a use-after-free flaw in the ANGLE graphics translation layer. Exploitation requires user interaction with a crafted HTML page and is typically chained with a separate renderer-compromise bug. No public exploit identified at time of analysis, and EPSS is very low (0.03%), though Google rated the underlying issue Critical severity.
Sandbox escape in Google Chrome for Android prior to 148.0.7778.216 allows a remote attacker who lures a user to a crafted HTML page to break out of the renderer sandbox by exploiting a use-after-free condition in the WebGL component. Chromium rates the issue Critical and CVSS scores it 9.6 due to the scope change from compromised renderer to host, though EPSS is only 0.03% (10th percentile) and no public exploit identified at time of analysis.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker to exploit a use-after-free condition in the Dawn WebGPU implementation through a crafted HTML page, leading to potential escape from the browser's renderer sandbox. The flaw carries a CVSS 9.6 with scope change reflecting cross-boundary impact, and while no public exploit identified at time of analysis, Google's own classification of the underlying Chromium severity as Critical signals significant risk to end users. EPSS is currently low (0.03%, 11th percentile), suggesting no widespread exploitation has been observed yet despite the severity.
Remote code execution in Google Chrome desktop versions prior to 148.0.7778.216 allows a remote attacker to execute arbitrary code within the renderer sandbox by serving a crafted HTML page that triggers a use-after-free condition in the Network component. Google rates the underlying Chromium issue as Critical severity, and no public exploit identified at time of analysis, though the bug class and reachable attack surface make it a high-priority browser patch.
{block_id}/execute endpoint, which skips the credit validation logic present in manager.py. An attacker with a low-privilege account - including one with zero remaining credits - can exploit this to exhaust platform resources and obtain unlimited AI execution at the operator's expense. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV.
Remote denial of service in Lakeside SysTrack Agent (lsiagent.exe) allows unauthenticated network attackers to crash the endpoint monitoring agent by sending a single malformed UDP packet to the Command ID 30 handler. The flaw was reported by VulnCheck and carries a CVSS 4.0 score of 8.7 reflecting high availability impact with no privileges or user interaction required; no public exploit identified at time of analysis, though VulnCheck has published an advisory describing the trigger.
Partial denial-of-service in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated remote attackers to degrade availability of the Core component via HTTPS. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the vulnerability is trivially reachable with no authentication, no user interaction, and no special conditions, making automated scanning and opportunistic exploitation straightforward despite the limited availability-only impact. No public exploit code and no CISA KEV listing have been identified at time of analysis, and Oracle disclosed this through its May 2026 Critical Patch Update.
Remote denial of service in Oracle Database Server 23.4.0 through 23.26.2 allows unauthenticated network attackers to crash or hang the Net Service component via crafted TLS traffic. The flaw scores CVSS 7.5 with availability-only impact and was disclosed by Oracle in the May 2026 Critical Patch Update; no public exploit identified at time of analysis.
Remote denial-of-service in Oracle Database Server's Net Service component (versions 23.4.0 through 23.26.2) allows unauthenticated attackers with TLS network access to hang or repeatedly crash the listener, producing a complete DoS of database connectivity. The flaw is rated CVSS 7.5 (availability-only) and was disclosed by Oracle in the May 2026 Critical Patch Update; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Remote denial-of-service in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated network attackers to cause a complete hang or repeatable crash of the service via the Mongoapi component over HTTPS. The vulnerability is rated CVSS 7.5 with availability-only impact and no public exploit identified at time of analysis, but the unauthenticated, low-complexity attack profile makes it operationally significant for any internet-exposed ORDS instance.
Cross-product compromise in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows a low-privileged remote attacker who can lure an authenticated user into interacting with a crafted request to gain high-impact read and write access to ORDS-accessible data and cause partial denial of service. Because the CVSS scope is Changed (S:C), successful exploitation may also impact downstream Oracle components beyond ORDS itself. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the 7.9 base score combined with scope change warrants prompt patching.
Denial of service in Kibana's analytics collections management endpoint allows any authenticated user with viewer-level access to render the service completely unavailable. By submitting a request containing an oversized input value, the attacker causes Kibana to consume excessive CPU and memory, crashing the service for all users and requiring manual intervention to restore. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the low privilege bar - viewer access only - significantly elevates real-world risk in multi-tenant or SaaS Elastic deployments.
Denial of service in Elastic Kibana allows an authenticated low-privileged user to crash the Kibana service and deny access to all users by submitting a maliciously crafted Timelion visualization expression. The Timelion expression parser fails to bound the depth of chained function call processing, causing the resulting data structure to grow exponentially and exhaust available server memory. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the low attack complexity and minimal privilege requirements make it an accessible attack surface for any credentialed Kibana user.
Denial of service in Kibana allows any authenticated user to crash or render unresponsive a Kibana instance by sending a specially crafted compressed HTTP request payload. The root cause is an architectural ordering flaw: compressed payloads are decompressed and processed before authorization checks are applied, enabling resource exhaustion (CWE-400, CAPEC-130 Excessive Allocation) at minimal privilege cost. No public exploit identified at time of analysis and no CISA KEV listing, but the low attack complexity and broad authentication base (any valid Kibana login) make this a meaningful availability risk for multi-tenant or internet-exposed deployments.
Denial of service in Kibana allows any authenticated low-privileged user to render the Kibana service unresponsive for all users by submitting an oversized, specially crafted payload to an internal API endpoint. The CVSS vector (AV:N/AC:L/PR:L/UI:N/A:H) confirms straightforward network exploitation requiring only valid low-privileged credentials with no user interaction - a low barrier for any insider or compromised account. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the low complexity and authenticated-but-low-privilege condition makes this a realistic risk in shared Kibana deployments.
Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0-beta.2 allows remote attackers to repeatedly invoke profiling endpoints that the admin router whitelists from authentication. Each request triggers a fixed 60-second CPU profiling operation and leaks the server's absolute filesystem path in the response. CVSS 4.0 scores this 8.8 (High) driven by high availability impact; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
NULL pointer dereference in Ubuntu Linux kernel SAUCE patches (versions 6.8, 6.17, and 7.0) allows an unprivileged local user to trigger a kernel oops, resulting in a denial of service. The flaw resides specifically in Ubuntu's out-of-tree SAUCE patches for AF_INET/AF_INET6 socket mediation - mainline Linux kernel builds are unaffected. No active exploitation is confirmed (not in CISA KEV), no public exploit has been identified at time of analysis, and the CVSS score of 3.3 (Low) accurately reflects the constrained impact: local access only, no confidentiality or integrity loss, and limited availability degradation.
Kernel panic via NULL pointer dereference in Ubuntu Linux 6.8's AppArmor notification handler allows a locally authenticated, unprivileged user to crash the system. The flaw resides in Ubuntu-specific SAUCE patches - out-of-tree modifications maintained by Canonical - meaning the vulnerable code path does not exist in upstream mainline kernels. With a CVSS score of 5.5 and an availability-only impact, the practical consequence is a local denial-of-service: any low-privilege user with shell access can force a kernel panic. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis.
Ubuntu Linux kernels 6.8, 6.17, and 7.0 ship Ubuntu-specific AppArmor SAUCE patches that incorrectly call kfree() on a pointer never allocated via kmalloc(), while simultaneously leaking the legitimately allocated memory. Any unprivileged local user can trigger this kernel memory management flaw, corrupting slab allocator metadata and driving the system toward resource exhaustion or instability. No public exploit code exists and no CISA KEV listing is present at time of analysis; however, CVSS rates availability impact as High given the potential for kernel-level denial of service.
NULL pointer dereference in Ubuntu Linux kernel versions 6.8, 6.17, and 7.0 allows a local unprivileged user to crash the kernel via the AppArmor notification handling path. The flaw exists exclusively in Ubuntu-specific SAUCE patches layered on top of the upstream Linux kernel, meaning only Ubuntu kernels carrying these versions are affected - not upstream Linux or other distributions. No public exploit code or active exploitation has been identified at time of analysis; the impact is limited to a kernel oops (availability loss, CVSS A:L), with no confidentiality or integrity impact.
Memory exhaustion via AppArmor notification handling affects Ubuntu Linux kernel versions carrying Ubuntu-specific SAUCE patches (6.8, 6.17, 7.0). An unprivileged local user can trigger a memory leak by eliciting large responses to AppArmor userspace notifications, repeatedly consuming kernel memory without release. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified, but the low-privilege local trigger lowers the bar for insider or co-tenant abuse in multi-user and container environments.
Denial of service in the Symfony JsonPath component (json-path 7.3.0-7.4.11 and 8.0.0-8.0.11) lets remote attackers exhaust CPU and worker capacity when an application evaluates attacker-influenced JSONPath expressions server-side. The match()/search() filter functions compile caller-supplied patterns directly into preg_match() with no length cap, i-regexp restriction, or backtracking bound, so a crafted pattern like $[?search(@, "(a+)+$")] triggers catastrophic backtracking that pins a core for seconds per request. There is no public exploit identified at time of analysis and EPSS is very low (0.08%), but the pathological pattern is disclosed in the advisory and the fix is available in 7.4.12 and 8.0.12.
File descriptor exhaustion in go.opentelemetry.io/otel/schema v1.0 and v1.1 enables denial of service against long-running Go processes. The ParseFile function in schema/v1.0/parser.go opens schema files via os.Open but never closes them - neither via defer nor by transferring ownership to the downstream Parse(io.Reader) call - leaving descriptors open until the Go garbage collector finalizes the file object. Publicly available exploit code exists demonstrating that repeated ParseFile calls accumulate leaked descriptors until the process receives EMFILE ('too many open files'), disrupting all subsequent file, socket, and descriptor operations. Exploitation is contingent on an application exposing ParseFile invocation to attacker-controlled or attacker-triggered paths.
Privilege escalation in Capsule (the Kubernetes multi-tenancy operator) allows authenticated tenant owners to create cluster-scoped resources - including ClusterRole and ValidatingWebhookConfiguration - by embedding them in TenantResource RawItems, bypassing tenant isolation enforced by the platform. The Capsule Controller's default cluster-admin ClusterRoleBinding means it creates whatever resource it is instructed to process, and its attempt to namespace-scope the resource via obj.SetNamespace() is silently ignored by the Kubernetes API for cluster-scoped kinds. A working proof-of-concept is publicly documented in the GHSA advisory; no CISA KEV listing has been issued at time of analysis.
SAML assertion time-bound enforcement is missing in Casdoor 2.362.0 and earlier, allowing remote attackers to present SAML assertions whose NotBefore/NotOnOrAfter windows have expired and still obtain valid user sessions. The underlying gosaml2 library does compute the time-validity result, but Casdoor's ParseSamlResponse() never reads the assertionInfo.WarningInfo field where those results are reported, so the check is silently discarded. No public exploit identified at time of analysis and EPSS is very low (0.02%, 5th percentile).
Authentication bypass in Casdoor (versions ≤2.362.0) allows remote attackers to replay captured SAML assertions to hijack any user account, including administrators, without credentials or MFA. The SAML service provider implementation lacks assertion ID caching, OneTimeUse condition enforcement, and any form of replay detection, making any intercepted assertion indefinitely reusable. No public exploit identified at time of analysis, but the vulnerability was disclosed via CERT/CC (VU#780781), indicating coordinated vendor notification.
SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arbitrary users by replaying SAML assertions issued for unrelated service providers, because the SP implementation never sets AudienceURI nor inspects NotInAudience warnings from gosaml2. Despite a 9.8 CVSS, EPSS is only 0.02% (5th percentile) and no public exploit identified at time of analysis, though the flaw is reported by CERT/CC which indicates coordinated disclosure rigor.
Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticated attackers to forge SAML assertions signed with attacker-controlled keys, impersonating arbitrary users. The flaw resides in the buildSpCertificateStore function, which trusts the X.509 certificate embedded in the inbound SAMLResponse rather than validating against the pre-configured Identity Provider certificate. No public exploit identified at time of analysis, and EPSS is currently low (0.01%), but SSVC flags the issue as automatable with total technical impact.
Uncontrolled resource consumption in PyJWT 2.8.0-2.12.1 exposes any service that verifies detached JWS tokens to unauthenticated denial-of-service. When the unencoded-payload extension (b64=false, RFC 7797) is in use, PyJWT unnecessarily Base64URL-decodes the compact-serialization payload segment before discarding it in favor of the caller-supplied detached payload - turning that segment into an attacker-controlled amplifier for CPU and memory exhaustion regardless of signature validity. No public exploit has been identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms fully unauthenticated remote exploitation against any affected endpoint using this feature.
Memory exhaustion in pypdf prior to 6.12.0 allows an attacker who supplies a crafted PDF to cause large memory consumption in any application that processes it using layout mode text extraction. The vulnerability is triggered by PDFs containing text positioning operators with abnormally large x- or y-coordinate offsets, causing the library to allocate unbounded whitespace and newline characters during rendering. No confirmed active exploitation exists (not in CISA KEV), and SSVC rates this as non-automatable with partial technical impact, placing it in a lower operational priority tier despite the straightforward exploitation mechanic.
Memory exhaustion in pypdf's XMP metadata parser allows denial of service via specially crafted PDF files containing oversized or element-dense XMP blocks, affecting all versions prior to 6.12.1. The vulnerability stems from an absence of input limits in the XML-based XMP parsing subsystem (CWE-770), meaning processing a malicious PDF can consume unbounded system memory. No public exploit code has been identified at time of analysis, and no confirmed active exploitation exists; however, the patch diff is publicly visible on GitHub, making trivial exploit construction feasible.
Out-of-bounds write in bzip2's bzip2recover utility allows a local attacker to supply a specially crafted file that triggers an off-by-one error, corrupting a global buffer and crashing the process. Per the CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:N), the attack requires no privileges and no user interaction beyond the utility being invoked against a malicious file. Impact is strictly denial of service against the bzip2recover process - no confidentiality or integrity exposure - and the CVSS 4.0 score of 5.1 (Medium) reflects this constrained scope. No public exploit or active exploitation has been identified at time of analysis.
Null pointer dereference in the Linux kernel's saa7164 media driver can crash the kernel when ioremap() fails during PCI device initialization. Systems with SAA7164-based PCIe capture cards (e.g., Phillips/NXP SAA7164) running unpatched kernel versions from 2.6.32 through stable branches prior to 6.6.140, 6.12.90, 6.18.32, and 7.0.9 are affected. A local, low-privileged attacker who can trigger driver initialization under memory pressure conditions may cause a kernel oops or panic, resulting in denial of service. No public exploit exists and EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation probability at this time.
NULL pointer dereference in the Linux kernel's batman-adv Bridge Loop Avoidance (BLA) subsystem enables local denial of service via kernel panic. The race condition exists in batadv_bla_purge_claims(), which traverses the claim hash list under rcu_read_lock() without accounting for concurrent claim releases - when batadv_claim_release() NULLs the backbone_gw pointer mid-traversal, a subsequent call to batadv_bla_claim_get_backbone_gw() on the partially-freed claim triggers a NULL dereference. Exploitation requires local low-privilege access on systems actively running batman-adv with BLA enabled; no active exploitation is confirmed and EPSS stands at 0.02% (5th percentile).
NULL pointer dereference in the Linux kernel's Rockchip RKCIF (Camera Interface) media driver crashes the kernel when a local user enables streaming on a video device with no connected subdevice. Affected systems are Rockchip SoC-based platforms running Linux kernel versions from the introduction of the rkcif driver up through 6.19. A low-privileged local attacker can trigger a kernel panic - full denial of service - via the standard V4L2 VIDIOC_STREAMON ioctl. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS of 0.02% (5th percentile) reflects the narrow hardware-specific attack surface.
Kernel panic via reachable assertion in the Linux kernel's AMDGPU SDMA v4 driver allows a local low-privileged user to crash the system by submitting crafted GPU command buffers. The sdma_v4_0_ring_emit_fence() function contains BUG_ON() assertions verifying dword-alignment of fence writeback addresses; these assertions are reachable through the DRM_IOCTL_AMDGPU_CS ioctl from unprivileged userspace, causing a fatal panic in a kernel scheduler worker thread. No public exploit or active exploitation has been identified at time of analysis, and EPSS at 0.02% reflects low exploitation likelihood, but the impact on shared GPU compute systems warrants prompt patching.
Null pointer dereference in the Linux kernel's Intel Xe DRM HDCP GSC subsystem allows a local, low-privileged user to crash the kernel when media GT is disabled via configfs. The function `intel_hdcp_gsc_check_status()` evaluates `>->uc.gsc` without first verifying that `media_gt` is non-NULL, producing a kernel pagefault on systems where media GT has been explicitly disabled through the configfs interface. Exploitation yields a denial of service (kernel panic) with no confidentiality or integrity impact; no public exploit identified at time of analysis, and EPSS probability is 0.02% (5th percentile), indicating very low exploitation likelihood in the wild.
NULL pointer dereference and silent error suppression in the Linux kernel's Qualcomm MSM DRM/GEM subsystem allows a low-privileged local user to crash the kernel (denial of service) via a crafted GEM_INFO ioctl call. The msm_ioctl_gem_info_get_metadata() function unconditionally returns 0 on error and fails to check kmemdup() for a NULL return, enabling a dereference in the subsequent copy_to_user() call. No public exploit has been identified at time of analysis and EPSS is 0.02% (5th percentile), reflecting minimal real-world exploitation pressure despite the confirmed availability of upstream patch commits.
Memory corruption in the Linux kernel SMB client (cifs) allows a malicious SMB server to trigger out-of-bounds reads and potential dereferences in the DACL parsing path on 32-bit builds. The flaw resides in parse_sec_desc(), build_sec_desc(), and id_mode_to_cifs_acl(), where a server-supplied dacloffset value near U32_MAX can wrap around and bypass pointer-based bounds checks during chmod/chown operations against SMB shares. EPSS is very low at 0.02% and there is no public exploit identified at time of analysis, but the issue is a confirmed kernel bug with upstream fixes already merged.
NULL pointer dereference in the Linux kernel's octeon_ep_vf driver crashes the kernel when napi_build_skb() fails during memory allocation in the receive path. Systems running kernels from the introduction of the octeon_ep_vf driver (commit 1cd3b407977c) through multiple stable branches are affected where Marvell Octeon EP VF network adapters are in use. A local, low-privileged attacker who can induce memory pressure while network traffic flows through an Octeon EP VF interface can trigger a kernel panic, resulting in full system unavailability. No public exploit code exists, EPSS is 0.02% (5th percentile), and this vulnerability has not been added to CISA KEV.
Division by zero in the Linux kernel's ua101 USB audio driver allows a local attacker to crash the kernel by presenting a crafted USB device with a malformed audio class descriptor. The ua101 driver's `detect_usb_format()` function fails to validate the `bNrChannels` field before use, so a device reporting `bNrChannels = 0` causes `frame_bytes` to become zero, which is subsequently used as a divisor in both `playback_urb_complete()` and `capture_urb_complete()` URB handlers, triggering a fatal kernel panic. No public exploit has been identified and EPSS is 0.02% (5th percentile), but the vulnerability affects multiple supported stable branches and patches are available across all of them.
Local privilege escalation or denial-of-service in the Linux kernel's RDMA/mlx4 InfiniBand driver stems from improper RCU synchronization in mlx4_srq_event(), where the mlx4_srq structure is never freed via RCU and can be accessed before initialization completes. Local low-privileged users on systems using Mellanox ConnectX (mlx4) RDMA hardware can trigger a race condition leading to memory corruption or kernel crash, with CVSS 7.8 reflecting high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and EPSS scores this at just 0.02%, indicating minimal real-world exploitation likelihood.
Denial of service in the Linux kernel ALSA USB audio subsystem allows a local attacker to hang a CPU core indefinitely by presenting a malformed USB audio class v3 channel map descriptor. The affected function `convert_chmap_v3()` uses the descriptor field `cs_desc->wLength` as a loop increment without validating it, so a zero-length descriptor causes an unescapable infinite loop that saturates a CPU core until the process is killed or the system rebooted. No active exploitation has been confirmed - the vulnerability is absent from CISA KEV, and the EPSS score of 0.02% at the 5th percentile indicates negligible current attacker interest.