Denial Of Service
Monthly
Null pointer dereference in the Linux kernel's bcm_vk misc driver allows a local authenticated attacker to crash the kernel, resulting in a denial of service. The bcm_vk_read() function checks whether the 'entry' pointer is NULL but fails to prevent subsequent dereferences of that pointer when rc is set to -EMSGSIZE, leading to a kernel panic. No public exploit exists and the vulnerability is not listed in CISA KEV; however, vendor-released patches are available across multiple stable kernel branches, and Red Hat and SUSE have tagged this for attention in their ecosystems.
Null pointer dereference in the Linux kernel QRTR (Qualcomm IPC Router) driver via MHI auto_queue feature causes denial of service on Qualcomm X1E80100 CRD machines during boot. The vulnerability occurs when the MHI stack invokes the DL (downlink) callback before the QRTR client driver is fully probed, accessing uninitialized driver structures. A local privileged attacker can trigger kernel panic by exploiting the race condition between MHI buffer auto-queuing and driver initialization, affecting systems relying on QRTR over MHI transport.
In the Linux kernel, the following vulnerability has been resolved: RDMA/ionic: Fix potential NULL pointer dereference in ionic_query_port The function ionic_query_port() calls ib_device_get_netdev() without checking the return value which could lead to NULL pointer dereference, Fix it by checking the return value and return -ENODEV if the 'ndev' is NULL.
In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix double destroy_workqueue on service rescan PCI path While testing corner cases in the driver, a use-after-free crash was found on the service rescan PCI path. When mana_serv_reset() calls mana_gd_suspend(), mana_gd_cleanup() destroys gc->service_wq. If the subsequent mana_gd_resume() fails with -ETIMEDOUT or -EPROTO, the code falls through to mana_serv_rescan() which triggers pci_stop_and_remove_bus_device(). This invokes the PCI .remove callback (mana_gd_remove), which calls mana_gd_cleanup() a second time, attempting to destroy the already- freed workqueue. Fix this by NULL-checking gc->service_wq in mana_gd_cleanup() and setting it to NULL after destruction. Call stack of issue for reference: [Sat Feb 21 18:53:48 2026] Call Trace: [Sat Feb 21 18:53:48 2026] <TASK> [Sat Feb 21 18:53:48 2026] mana_gd_cleanup+0x33/0x70 [mana] [Sat Feb 21 18:53:48 2026] mana_gd_remove+0x3a/0xc0 [mana] [Sat Feb 21 18:53:48 2026] pci_device_remove+0x41/0xb0 [Sat Feb 21 18:53:48 2026] device_remove+0x46/0x70 [Sat Feb 21 18:53:48 2026] device_release_driver_internal+0x1e3/0x250 [Sat Feb 21 18:53:48 2026] device_release_driver+0x12/0x20 [Sat Feb 21 18:53:48 2026] pci_stop_bus_device+0x6a/0x90 [Sat Feb 21 18:53:48 2026] pci_stop_and_remove_bus_device+0x13/0x30 [Sat Feb 21 18:53:48 2026] mana_do_service+0x180/0x290 [mana] [Sat Feb 21 18:53:48 2026] mana_serv_func+0x24/0x50 [mana] [Sat Feb 21 18:53:48 2026] process_one_work+0x190/0x3d0 [Sat Feb 21 18:53:48 2026] worker_thread+0x16e/0x2e0 [Sat Feb 21 18:53:48 2026] kthread+0xf7/0x130 [Sat Feb 21 18:53:48 2026] ? __pfx_worker_thread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ret_from_fork+0x269/0x350 [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ret_from_fork_asm+0x1a/0x30 [Sat Feb 21 18:53:48 2026] </TASK>
In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Flush exception handling work when RPM level is zero Ensure that the exception event handling work is explicitly flushed during suspend when the runtime power management level is set to UFS_PM_LVL_0. When the RPM level is zero, the device power mode and link state both remain active. Previously, the UFS core driver bypassed flushing exception event handling jobs in this configuration. This created a race condition where the driver could attempt to access the host controller to handle an exception after the system had already entered a deep power-down state, resulting in a system crash. Explicitly flush this work and disable auto BKOPs before the suspend callback proceeds. This guarantees that pending exception tasks complete and prevents illegal hardware access during the power-down sequence.
In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix possible dereference of uninitialized pointer There is a pointer head_page in rb_meta_validate_events() which is not initialized at the beginning of a function. This pointer can be dereferenced if there is a failure during reader page validation. In this case the control is passed to "invalid" label where the pointer is dereferenced in a loop. To fix the issue initialize orig_head and head_page before calling rb_validate_buffer. Found by Linux Verification Center (linuxtesting.org) with SVACE.
In the Linux kernel, the following vulnerability has been resolved: md-cluster: fix NULL pointer dereference in process_metadata_update The function process_metadata_update() blindly dereferences the 'thread' pointer (acquired via rcu_dereference_protected) within the wait_event() macro. While the code comment states "daemon thread must exist", there is a valid race condition window during the MD array startup sequence (md_run): 1. bitmap_load() is called, which invokes md_cluster_ops->join(). 2. join() starts the "cluster_recv" thread (recv_daemon). 3. At this point, recv_daemon is active and processing messages. 4. However, mddev->thread (the main MD thread) is not initialized until later in md_run(). If a METADATA_UPDATED message is received from a remote node during this specific window, process_metadata_update() will be called while mddev->thread is still NULL, leading to a kernel panic. To fix this, we must validate the 'thread' pointer. If it is NULL, we release the held lock (no_new_dev_lockres) and return early, safely ignoring the update request as the array is not yet fully ready to process it.
A race condition in the Linux kernel's chips-media wave5 video decoder driver allows local authenticated users to trigger a NULL pointer dereference during concurrent instance creation/destruction, potentially leading to high confidentiality, integrity, and availability impact. The vulnerability affects kernel versions from commit 9707a6254a8a onwards until patched in 6.18.16, 6.19.6, and 7.0. Fixed via interrupt handler refactoring with proper locking. EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, and no public exploit code or CISA KEV listing exists, suggesting limited real-world exploitation despite the high CVSS 7.8 score.
In the Linux kernel, the following vulnerability has been resolved: HID: prodikeys: Check presence of pm->input_ep82 Fake USB devices can send their own report descriptors for which the input_mapping() hook does not get called. In this case, pm->input_ep82 stays NULL, which leads to a crash later. This does not happen with the real device, but can be provoked by imposing as one.
Double-free memory corruption in Linux kernel's Xen 9P filesystem driver (9p/xen) allows adjacent network attackers to crash the kernel or potentially execute arbitrary code. The xenwatch thread racing with back-end state changes triggers use-after-free during teardown of xen_9pfs_front_free(), causing general protection faults. Vendor patches available for mainline 7.0 and stable branches 6.19.6, 6.18.16, and 6.12.75. EPSS score of 0.02% (5th percentile) suggests low exploitation probability in the wild; no public exploit or CISA KEV listing at time of analysis.
A denial of service vulnerability in the Linux kernel's AMD display driver (drm/amd/display) allows local authenticated users to crash the system by accessing link encoder functionality on DisplayPort over USB-C (DPIA) links without proper signal type validation. The vulnerability affects kernel versions before the patches released in stable branches 6.12.75, 6.18.16, 6.19.6, and 7.0. No public exploit code has been identified, and real-world exploitation probability is very low (EPSS 0.02%), suggesting this is primarily an edge-case denial of service affecting specific hardware configurations with DPIA displays.
In the Linux kernel, the following vulnerability has been resolved: net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash() Commit 38a6f0865796 ("net: sched: support hash selecting tx queue") added SKBEDIT_F_TXQ_SKBHASH support. The inclusive range size is computed as: mapping_mod = queue_mapping_max - queue_mapping + 1; The range size can be 65536 when the requested range covers all possible u16 queue IDs (e.g. queue_mapping=0 and queue_mapping_max=U16_MAX). That value cannot be represented in a u16 and previously wrapped to 0, so tcf_skbedit_hash() could trigger a divide-by-zero: queue_mapping += skb_get_hash(skb) % params->mapping_mod; Compute mapping_mod in a wider type and reject ranges larger than U16_MAX to prevent params->mapping_mod from becoming 0 and avoid the crash.
Use-after-free and reference count underflow in the Linux kernel's amdgpu DRM driver allows local authenticated users with low privileges to cause kernel panic, denial of service, and potentially execute arbitrary code with kernel privileges. The vulnerability affects amdgpu_gem_va_ioctl handling of GPU timeline fences where stale or freed fences are used due to premature fence selection and improper reference management. Patch available in kernel versions 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit or active exploitation has been identified.
In the Linux kernel, the following vulnerability has been resolved: media: iris: gen2: Add sanity check for session stop In iris_kill_session, inst->state is set to IRIS_INST_ERROR and session_close is executed, which will kfree(inst_hfi_gen2->packet). If stop_streaming is called afterward, it will cause a crash. Add a NULL check for inst_hfi_gen2->packet before sendling STOP packet to firmware to fix that.
Denial of service in the Linux kernel's net subsystem via deadlock in skb_may_tx_timestamp() when socket timestamp completion occurs in interrupt context while sk_callback_lock is write-locked, affecting local attackers with user privileges on systems with network drivers that complete TX timestamps from dedicated interrupt handlers.
Null pointer dereference in Linux kernel Realtek rtw89 WiFi PCI driver allows adjacent network attackers to trigger kernel crashes via malformed TX release reports with abnormal sequence numbers. The vulnerability causes out-of-bounds array access in wd_ring->pages when hardware reports invalid sequence numbers during wireless transmission operations. Vendor-released patches are available for kernel versions 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (4th percentile) indicates minimal observed exploitation activity, though the CVSS vector (AV:A/AC:H/PR:N/UI:N) shows adjacent network access with high attack complexity enables complete system compromise without authentication.
Resource management flaws in the Linux kernel MediaTek MDP driver allow local authenticated attackers with low privileges to trigger memory corruption via improper error handling during device probe initialization, potentially escalating to kernel code execution. Multiple stable kernel branches (5.10.x through 7.0) are affected, with vendor patches released across all maintained versions. No active exploitation confirmed (EPSS 0.02%, not in CISA KEV), though the local attack vector and low complexity suggest straightforward exploitation once local access is achieved.
Denial of service in Linux kernel PCI endpoint configfs interface allows local attackers with low privileges to crash the kernel via swapped parameters in pci_primary_epc_epf_unlink() and pci_secondary_epc_epf_unlink() functions. When executing the unlink command in configfs, incorrect parameter ordering causes invalid memory access and kernel panic. CVSS 5.5 (local, low complexity, low privilege) with EPSS 0.02% suggests limited real-world exploitation despite confirmed availability of patches across multiple kernel branches.
In the Linux kernel, the following vulnerability has been resolved: erofs: fix incorrect early exits for invalid metabox-enabled images Crafted EROFS images with metadata compression enabled can trigger incorrect early returns, leading to folio reference leaks. However, this does not cause system crashes or other severe issues.
Improper validation in the rtw89 PCI WiFi driver allows adjacent network attackers to trigger kernel crashes via malformed TX release reports on RTL8922DE wireless chipsets. The vulnerability stems from insufficient content validation of release reports before use, which can cause kernel panics when malformed SKB (socket buffer) release reports are processed. EPSS score of 0.02% and absence from CISA KEV suggest limited real-world exploitation, though the 8.8 CVSS reflects the potential for complete system compromise via adjacent network access without authentication. Patches available across multiple stable kernel branches (6.18.16, 6.19.6, 7.0).
In the Linux kernel, the following vulnerability has been resolved: clk: rs9: Reserve 8 struct clk_hw slots for for 9FGV0841 The 9FGV0841 has 8 outputs and registers 8 struct clk_hw, make sure there are 8 slots for those newly registered clk_hw pointers, else there is going to be out of bounds write when pointers 4..7 are set into struct rs9_driver_data .clk_dif[4..7] field. Since there are other structure members past this struct clk_hw pointer array, writing to .clk_dif[4..7] fields corrupts both the struct rs9_driver_data content and data around it, sometimes without crashing the kernel. However, the kernel does surely crash when the driver is unbound or during suspend. Fix this, increase the struct clk_hw pointer array size to the maximum output count of 9FGV0841, which is the biggest chip that is supported by this driver.
In the Linux kernel, the following vulnerability has been resolved: net: ethernet: xscale: Check for PTP support properly In ixp4xx_get_ts_info() ixp46x_ptp_find() is called unconditionally despite this feature only existing on ixp46x, leading to the following splat from tcpdump: root@OpenWrt:~# tcpdump -vv -X -i eth0 (...) Unable to handle kernel NULL pointer dereference at virtual address 00000238 when read (...) Call trace: ptp_clock_index from ixp46x_ptp_find+0x1c/0x38 ixp46x_ptp_find from ixp4xx_get_ts_info+0x4c/0x64 ixp4xx_get_ts_info from __ethtool_get_ts_info+0x90/0x108 __ethtool_get_ts_info from __dev_ethtool+0xa00/0x2648 __dev_ethtool from dev_ethtool+0x160/0x234 dev_ethtool from dev_ioctl+0x2cc/0x460 dev_ioctl from sock_ioctl+0x1ec/0x524 sock_ioctl from sys_ioctl+0x51c/0xa94 sys_ioctl from ret_fast_syscall+0x0/0x44 (...) Segmentation fault Check for ixp46x in ixp46x_ptp_find() before trying to set up PTP to avoid this. To avoid altering the returned error code from ixp4xx_hwtstamp_set() which before this patch was -EOPNOTSUPP, we return -EOPNOTSUPP from ixp4xx_hwtstamp_set() if ixp46x_ptp_find() fails no matter the error code. The helper function ixp46x_ptp_find() helper returns -ENODEV.
Null pointer dereference in Linux kernel UDP-Lite implementation crashes systems when udp_lib_init_sock() fails during socket initialization. Affects mainline 6.18+ through 6.19.5 and stable 7.0. Remote unauthenticated attackers can trigger denial of service by sending crafted UDP-Lite packets that exploit unhandled initialization errors in udplite_sk_init() and udplitev6_sk_init(), causing NULL pointer access in __udp_enqueue_schedule_skb(). Vendor patches available for 6.18.16, 6.19.6, and 7.0 stable trees. EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation is confirmed at time of analysis.
Null pointer dereference in the Linux kernel's rtl8723bs staging Wi-Fi driver allows a locally authenticated user to crash the kernel, resulting in a denial of service. The `pwlan` variable in `find_network()` is not validated for NULL before being passed to `rtw_free_network_nolock()`, which then dereferences it unconditionally. The flaw has been present since Linux 4.12 and is patched across all active stable branches; no public exploit exists and EPSS sits at 0.02%, confirming negligible exploitation activity.
Denial-of-service in the Linux kernel's pegasus USB-to-Ethernet driver allows a local attacker to crash the kernel by connecting a crafted USB device with mismatched endpoint transfer types. The driver's probe function fills URBs using hardcoded endpoint pipes (bulk RX on ep1, bulk TX on ep2, interrupt on ep3) without first verifying the endpoint descriptors presented by the attached device, leaving it susceptible to assertion failure when types do not match expectations. No active exploitation has been confirmed (not in CISA KEV), and the EPSS score of 0.02% reflects the niche local-access-only attack surface; patches have been released across all major stable kernel branches.
Folio reference leaks in the Linux kernel EROFS filesystem driver allow a local low-privileged user to cause gradual memory resource exhaustion by presenting crafted EROFS images with valid but specially structured volume labels. Affected kernel versions span multiple stable branches including the 6.18 and 6.19 series, as confirmed by ENISA EUVD-2026-27717 and upstream kernel commit data. No public exploit has been identified at time of analysis, and the vulnerability description explicitly limits impact to reference leaks without system crashes, which aligns with the low EPSS score of 0.02% (4th percentile).
NULL pointer dereference in the Linux kernel's hid-pl driver (Pantherlord/GreenAsia USB game controllers) allows a local low-privileged user to crash the kernel by triggering force feedback on an improperly initialized device. The root cause is unhandled probe errors during driver initialization that leave NULL pointers in place of valid data structures, which are later dereferenced when force feedback is first invoked. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.02% at the 7th percentile reflects negligible real-world exploitation probability.
NULL pointer dereference in the Linux kernel's powerpc/smp subsystem allows a local authenticated user to crash the kernel, causing a denial of service on PowerPC-based systems. The `parse_thread_groups()` function passes the return value of `kcalloc()` directly to `of_property_read_u32_array()` without validating it for NULL, meaning a failed memory allocation - possible under memory pressure - leads to a kernel panic or oops. No public exploit code exists and this vulnerability is not in CISA KEV; with an EPSS of 0.02% (7th percentile) and architecture-specific scope limited to PowerPC, real-world exploitation risk is low but relevant to IBM POWER server deployments running Red Hat or SUSE Linux.
Kernel crash in the Linux remoteproc imx_rproc subsystem (NXP i.MX platform) allows a local authenticated attacker to trigger a denial of service by loading firmware that lacks a resource table. The root cause is imx_rproc_elf_find_loaded_rsc_table() returning a stale non-NULL priv->rsc_table pointer even when rproc->table_ptr is NULL, causing the remoteproc core to dereference what it incorrectly treats as a valid loaded resource table. No public exploit has been identified at time of analysis, and EPSS at 0.02% (7th percentile) reflects the narrow hardware-specific attack surface.
Kernel oops (crash) in the Linux kernel brcmfmac SDIO Wi-Fi driver allows a local low-privileged user to cause a denial-of-service by triggering a probe failure on Broadcom SDIO Wi-Fi hardware. The root cause is a double-assignment of sdiodev->bus across brcmf_sdio_probe() and brcmf_sdiod_probe(), leaving an invalid (non-NULL, error-valued) pointer that brcmf_sdio_remove() later dereferences during cleanup. No public exploit has been identified, EPSS is at the 4th percentile, and this is not listed in CISA KEV; risk is primarily a kernel stability concern in specific hardware configurations.
Missing mutex locking around the `mfd_of_node_list` linked list in the Linux kernel's Multi-Function Device (MFD) core subsystem allows a local low-privileged attacker to trigger a race condition, resulting in a kernel crash and denial of service. The vulnerability spans multiple stable kernel branches from the introducing commit 466a62d7642f through patched releases in 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. No public exploit exists and the EPSS score of 0.02% (7th percentile) reflects negligible community exploitation interest; this is not listed in CISA KEV.
NULL pointer dereference in the Linux kernel's HID magicmouse driver allows a local attacker with low privileges to crash the kernel by connecting a crafted USB device that impersonates an Apple Magic Mouse. When a fake USB device provides a custom report descriptor, the input_mapping() hook is never called, leaving msc->input as NULL; subsequent access in input_configured() causes a kernel panic and complete availability loss. No public exploit exists and EPSS is negligible at 0.02% (7th percentile), but the impact is a full system denial of service when exploitation conditions are met.
In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda: Fix NULL pointer dereference If there's a mismatch between the DAI links in the machine driver and the topology, it is possible that the playback/capture widget is not set, especially in the case of loopback capture for echo reference where we use the dummy DAI link. Return the error when the widget is not set to avoid a null pointer dereference like below when the topology is broken. RIP: 0010:hda_dai_get_ops.isra.0+0x14/0xa0 [snd_sof_intel_hda_common]
In the Linux kernel, the following vulnerability has been resolved: HID: logitech-hidpp: Check maxfield in hidpp_get_report_length() Do not crash when a report has no fields. Fake USB gadgets can send their own HID report descriptors and can define report structures without valid fields. This can be used to crash the kernel over USB.
Denial of service in Linux kernel dm-verity subsystem allows local authenticated users to crash the system by triggering dm_bufio_client_create() failure in verity_fec_ctr(), which incorrectly passes an error pointer to dm_bufio_client_destroy(). The vulnerability requires local access and authenticated privileges but no user interaction, affecting dm-verity configurations with forward error correction enabled.
Null pointer dereference in the Linux kernel AMD power management (drm/amd/pm) subsystem causes denial of service when SMU (System Management Unit) is disabled during RAS (Reliability, Availability, and Serviceability) initialization. Local authenticated attackers with low privileges can trigger this crash on affected systems, resulting in kernel panic and system unavailability. EPSS exploitation probability is very low (0.02%), indicating this requires specific configuration and local access.
Denial of service via null pointer dereference in Linux kernel's pstore persistent storage subsystem occurs when the vmap() function fails but the persistent_ram_vmap() function incorrectly returns success if a non-zero offset is present, allowing subsequent buffer access to dereference invalid memory and cause system crashes. Affects Linux kernel versions prior to 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. No public exploit identified at time of analysis, but vendor-released patches are available across multiple stable branches.
In the Linux kernel, the following vulnerability has been resolved: fbcon: check return value of con2fb_acquire_newinfo() If fbcon_open() fails when called from con2fb_acquire_newinfo() then info->fbcon_par pointer remains NULL which is later dereferenced. Add check for return value of the function con2fb_acquire_newinfo() to avoid it. Found by Linux Verification Center (linuxtesting.org) with SVACE.
In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: Update cpuidle driver check in __acpi_processor_start() Commit 7a8c994cbb2d ("ACPI: processor: idle: Optimize ACPI idle driver registration") moved the ACPI idle driver registration to acpi_processor_driver_init() and acpi_processor_power_init() does not register an idle driver any more. Accordingly, the cpuidle driver check in __acpi_processor_start() needs to be updated to avoid calling acpi_processor_power_init() without a cpuidle driver, in which case the registration of the cpuidle device in that function would lead to a NULL pointer dereference in __cpuidle_register_device().
A kernel crash occurs in Linux btrfs filesystem tracepoint code when OverlayFS is layered on top of btrfs. The btrfs_sync_file() event handler incorrectly dereferences dentry->d_sb, which resolves to the overlay superblock instead of the underlying btrfs superblock, causing a kernel panic during fsid assignment. This affects Linux kernel versions from initial git commit (1da177e4c3f4) through multiple stable branches until patched releases 6.6.136, 6.12.83, 6.18.24, 6.19.14, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. Vendor patches are available across all affected stable kernel branches.
Out-of-bounds array indexing in Linux kernel's wl1251 wireless driver allows adjacent network attackers to achieve high-impact memory corruption without authentication. The wl1251_tx_packet_cb() function uses untrusted firmware completion IDs directly to index a fixed 16-entry tx_frames array without bounds validation, enabling attackers on the same wireless network segment to read/write arbitrary kernel memory. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation or public POC identified. However, CVSS 8.8 reflects genuine risk for systems with wl1251 hardware on untrusted networks.
A denial of service vulnerability in the Linux kernel's Qualcomm PD mapper service registry causes system crashes due to mismatched string element length validation in servreg_loc_pfr_req_ei. When a process daemon crashes and triggers a service registry location request, the QMI decoder rejects the reason field because its declared maximum length (65 bytes) is smaller than the actual field size (81 bytes), causing a decoding error and system halt. This affects all Linux kernel versions prior to the patch, triggered by local processes with standard user privileges.
NULL pointer dereferences in Linux kernel's IPv6 IOAM (In-situ Operations, Administration, and Maintenance) trace data handling cause denial of service when network packets trigger the vulnerable code path. Affects Linux kernel 5.15 through 6.19.14 and mainline branches. Despite CVSS 7.5 High severity with network vector and no authentication, EPSS exploitation probability is very low (0.02%, 4th percentile), and no active exploitation or public POC is identified at time of analysis. Vendor patches available via stable kernel commits.
Null pointer dereference in Linux kernel bridge VLAN filtering code allows local authenticated attackers to trigger a denial of service via a crafted RTM_NEWLINK netlink message with BR_BOOLOPT_FDB_LOCAL_VLAN_0 flag when CONFIG_BRIDGE_VLAN_FILTERING is disabled. The vulnerability occurs because br_fdb_delete_locals_per_vlan_port() and br_fdb_insert_locals_per_vlan_port() dereference a NULL vlan group pointer without validation, causing a kernel panic. No public exploit code identified at time of analysis.
Null pointer dereference in Linux kernel ICMP probe handling crashes systems when IPv6 module is configured but not loaded. The icmp_build_probe() function fails to validate ERR_PTR(-EAFNOSUPPORT) from ipv6_stub->ipv6_dev_find(), passing the error pointer directly to dev_hold() and triggering immediate kernel panic. EPSS probability is low (0.02%, 5th percentile) and no active exploitation confirmed, but CVSS 7.5 High severity reflects trivial remote unauthenticated denial-of-service against vulnerable kernel configurations. Patches available across stable branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0) with upstream commit identifiers confirmed.
Infinite vCPU fault loop in the Linux kernel's mshv (Microsoft Hypervisor) subsystem allows a local guest VM process to permanently spin a host vCPU thread, exhausting host CPU resources. The flaw exists in mshv_handle_gpa_intercept(), which unconditionally attempts page remaps on all movable-memory faults regardless of access permission - when a guest writes to a read-only Guest Physical Address region, the remap succeeds but the region retains its read-only designation, causing an immediate re-fault in a tight loop. Affected kernel versions run from commit b9a66cd5ccbb9fade15d0e427e19470d8ad35b75 through the fix commits; patched releases 6.19.14 and 7.0 are available. No public exploit has been identified and EPSS is 0.01%, consistent with the local, hypervisor-specific attack surface.
Linux kernel ASoC SDCA subsystem crashes on sound card teardown due to IRQ lifecycle mismanagement, causing a local denial of service. IRQ handlers registered via devm_request_threaded_irq() during component probe retain stale references to freed card and kcontrol structures after the sound card is torn down, resulting in null or dangling pointer dereferences and kernel panic. Exploitation requires local low-privilege access and SDCA-capable audio hardware; no public exploit exists and EPSS is extremely low at 0.02% (5th percentile).
NULL pointer dereference in the Linux kernel ixgbevf driver crashes Hyper-V guest VMs during device probe, causing a kernel panic and complete denial of service. The regression was introduced when commit a7075f501bd3 added a .negotiate_features callback to ixgbe_mac_operations and populated it for the standard ops table (ixgbevf_mac_ops) but omitted it from the Hyper-V-specific table (ixgbevf_hv_mac_ops), leaving that pointer NULL on Hyper-V guests. Any Linux system running on Microsoft Hyper-V with an Intel ixgbevf virtual NIC is subject to an automatic kernel crash at module load or boot; no public exploit has been identified at time of analysis and EPSS is 0.02%, reflecting a narrow but reliable impact on the specific deployment combination.
Kernel crash in the Linux pinctrl mcp23s08 driver triggers a NULL pointer dereference during device probe when an MCP23S08/MCP23008 GPIO expander retains non-zero interrupt-on-change state across a warm reboot. The crash occurs because the driver's IRQ handler fires against pins whose nested IRQ handlers have not yet been registered, causing an unhandled kernel oops and system denial of service. Exploitation is local and device-specific; no public exploit identified at time of analysis, and EPSS remains at 0.02% (5th percentile) consistent with no observed in-the-wild triggering.
NULL pointer dereference in the Linux kernel IPVS subsystem causes a kernel panic during IPVS service creation failure cleanup, resulting in a full host denial of service. Affected kernels from 6.2 onward contain a logic error in ip_vs_add_service() where a successful scheduler bind sets the local sched variable to NULL; if ip_vs_start_estimator() subsequently fails, the error path calls ip_vs_unbind_scheduler() with that NULL pointer, dereferencing offset 0x30 and triggering a general protection fault. Exploitation requires local authenticated access with CAP_NET_ADMIN privileges; no public exploit is identified and EPSS is 0.02%, indicating very low exploitation probability.
Local privilege escalation in Linux kernel netfilter nfnetlink_queue allows authenticated users with low privileges to execute arbitrary code with high integrity and availability impact via race condition in shared hash table. The vulnerability stems from a use-after-free condition when multiple queues share a global hash table, enabling parallel CPU operations to access freed nf_queue_entry structures. EPSS score is low (0.02%, 5th percentile) indicating minimal observed exploitation activity. Vendor patches available across multiple stable kernel branches (6.12.83, 6.18.24, 6.19.14) with upstream commits confirmed.
Authenticated subscribers can create arbitrary database tables in WordPress installations running Ninja Tables plugin version 5.2.6 and earlier via missing authorization checks on the createFluentCartTable function. This allows low-privileged users to pollute the database and cause resource exhaustion without requiring administrative access, affecting any site where subscribers have plugin interaction permissions.
Off-by-one error in Velocidex Velociraptor before version 0.76.5 on Windows and Linux causes denial of service when parsing specially crafted .evtx files through the parse_evtx VQL plugin. Local attackers with user-level privileges can crash the Velociraptor process by uploading or providing malformed event log files, disrupting forensic investigations and incident response operations. The vulnerability requires user interaction (file upload/selection) but grants an attacker both integrity and availability impact despite the CVSS 4.4 (Medium) rating.
Remote denial of service in Unisoc T8100/T9100/T8200/T8300 chipset NR modem implementations allows unauthenticated network attackers to crash device cellular connectivity via malformed protocol input. The improper input validation in the 5G New Radio modem stack enables trivial remote service disruption requiring no user interaction or authentication. EPSS data not available; no evidence of active exploitation (not in CISA KEV). Affects mobile devices using these specific Unisoc chipset models in 5G NR mode.
Remote denial of service in Unisoc modem IMS implementation across 16 chipset families (SC7731E through T8300) allows unauthenticated network attackers to crash mobile device modem services via crafted IMS traffic. The improper input validation vulnerability (CVSS 7.5) enables high-impact availability attacks against millions of deployed Android smartphones and IoT devices using Unisoc chipsets. No public exploit identified at time of analysis, with EPSS data unavailable for this recently disclosed January 2025 vulnerability.
Remote denial of service in Unisoc modem IMS (IP Multimedia Subsystem) implementation allows unauthenticated network attackers to crash telephony services on affected chipsets through malformed input. Affects 16 Unisoc chipset models spanning SC and T series (SC7731E through T8300) used in budget and mid-range mobile devices. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects network accessibility and service disruption potential, though EPSS data unavailable for risk prioritization.
Remote denial of service in Unisoc modem IMS stack allows network attackers to crash affected devices through malformed input without authentication. Affects 16 Unisoc chipset families (SC7731E, SC9832E, SC9863A, T-series T310 through T8300) used in mobile devices. No authentication, user interaction, or special configuration required (CVSS AV:N/AC:L/PR:N/UI:N). No public exploit code or CISA KEV listing identified at time of analysis, though EPSS data unavailable for risk quantification.
Remote denial of service in Unisoc Modem IMS stack allows unauthenticated network attackers to crash mobile devices through improper input validation. Affects 16 Unisoc chipset families (SC7731E through T8300) widely deployed in budget smartphones and IoT devices across global markets. No authentication, user interaction, or elevated privileges required for exploitation. EPSS data and KEV status not available; no public exploit identified at time of analysis.
Remote attackers can crash Unisoc chipset IMS (IP Multimedia Subsystem) implementations through network-accessible malformed input, causing complete denial of service with no authentication required. Affects 17 Unisoc chipset models (SC7731E, SC9832E, SC9863A, T-series T310 through T8300) used in mobile devices. CVSS 7.5 (High) reflects direct network exposure and ease of exploitation (AV:N/AC:L/PR:N), though impact is limited to availability. No public exploit code identified at time of analysis, and EPSS data not available for assessment.
Remote denial-of-service in ZTE home routers (H8102E, H168N, H167A, and 15 other models) allows unauthenticated network attackers to crash the web management interface via oversized HTTP POST request with application/x-www-form-urlencoded content, requiring physical device reboot to restore service. ZTE claims devices patched since March 2021, but operator firmware timelines vary. EPSS data not available; no active exploitation confirmed (not in CISA KEV). Publicly available exploit details exist via GitHub gist.
Remote denial of service in vLLM 0.6.1 through 0.19.x allows unauthenticated attackers to crash worker processes by sending text-only prompts containing special multimodal placeholder tokens (e.g., '<|vision_start|><|image_pad|><|vision_end|>') without corresponding image or video data. The vulnerability stems from unprotected array indexing in the input position computation layer when processing vision tokens, causing an IndexError that terminates the worker and degrades service availability. A single malicious request can trigger the fault.
ciguard SCA HTTP clients in osv.py and endoflife.py exhaust process memory by reading unbounded response bodies from OSV.dev and endoflife.date without enforcing a size cap. A hostile or compromised backend service, or a successful TLS MITM attack, could return multi-gigabyte responses causing denial of service via out-of-memory kill or system swap exhaustion in CI environments. No public exploit identified at time of analysis; vendor released patch in v0.8.2.
Unauthenticated path traversal in Grav CMS FormFlash component allows remote attackers to create arbitrary directories and write configuration files (index.yaml) with controlled content. Confirmed actively exploited (CISA KEV). The vulnerability affects all Grav v1.7.x installations with form-enabled pages (default in standard deployments). Attack complexity is low-requires only manipulating the __form-flash-id POST parameter with traversal sequences. Vendor-released patch available in v2.0.0-beta.2 (commit d904efc33) applies strict alphanumeric sanitization to session identifiers. EPSS exploitation probability data not available, but GitHub advisory confirms zero-day status prior to patch, with public proof-of-concept demonstrating directory creation in user/config/ paths leading to configuration injection and potential DoS via inode exhaustion.
Grav CMS Admin Panel allows authenticated users with only user-creation permissions to overwrite administrator accounts by submitting the admin's username when creating a new user. The flawed create-or-update logic replaces the existing super-admin account metadata with attacker-supplied low-privilege data, locking the legitimate administrator out and causing complete loss of management control. Vendor-released patch: fixed in 2.0.0-beta.2 (commit d904efc33). Publicly available exploit code exists (video PoC published by Grav maintainers). EPSS data not provided, but the low attack complexity and confirmed PoC make exploitation straightforward for any low-privileged user with create-user rights.
Denial of service attacks against PHP applications using phpseclib can be triggered by providing maliciously crafted ASN.1 encoded files containing oversized Object Identifiers. The vulnerability bypasses a previous CVE-2024-27355 mitigation, allowing OID amplification attacks that exhaust server resources when processing untrusted X.509 certificates, PKCS8 keys, or other ASN.1 structures. Vendor-released patches are available across all affected major versions (1.x, 2.x, 3.x). CVSS 7.5 indicates network-exploitable, unauthenticated denial of service with no public exploit identified at time of analysis.
Remote denial of service in Twisted's DNS name decompression (twisted.names module) allows unauthenticated attackers to freeze the single-threaded reactor by sending a crafted TCP DNS packet with deeply chained compression pointers and thousands of questions. Publicly available exploit code exists. Despite high CVSS score (7.5), real-world impact is limited to applications using the twisted.names DNS server-not the broader Twisted framework. Vendor-released patch available in version 26.4.0rc2.
GoBGP v4.4.0 crashes with SIGSEGV panic when an unauthenticated remote BGP peer sends malformed UPDATE messages with inconsistent attribute lengths. The nil pointer dereference in AdjRib.Update (adj.go:127) causes complete process termination and loss of BGP service. Publicly available exploit code exists (POC in GitHub advisory GHSA-p3w2-64xm-833j). Vendor-released patch available in v4.5.0. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects the trivial remote exploitation of critical network infrastructure with no mitigating factors.
Authorization bypass in LXC's setuid helper lxc-user-nic allows unprivileged users to delete OpenVSwitch-attached network interfaces belonging to other users. The vulnerability exists in the find_line() function's interface name comparison logic, which sets an authorization flag based on name match alone without re-verifying ownership, enabling a tenant to cause denial of service by disconnecting containers on shared infrastructure. This affects multi-tenant deployments using lxc-user-nic with OpenVSwitch bridges and is patched in LXC 7.0.0.
Local denial of service in Sandboxie 1.17.2 and earlier allows unprivileged processes inside Standard Sandbox configurations to crash the Windows kernel (BSOD) by sending malformed IOCTL requests to the SandboxieDriverApi kernel driver. Fixed in version 1.17.3 released by Sandboxie-Plus. Security Hardened Sandbox configurations are not affected. No active exploitation confirmed (not in CISA KEV), but the vulnerability is trivially exploitable by any process within an affected sandbox, enabling local attackers or malicious sandboxed applications to force immediate system-wide service disruption.
Vaultwarden versions 1.35.4 and earlier allow authenticated attackers to permanently disable WebAuthn two-factor authentication for user credentials by exploiting a logic flaw in the `validate_webauthn_login()` function that updates backup eligibility flags before validating the WebAuthn signature. An attacker with knowledge of a user's password can modify these persistent flags even when providing an invalid WebAuthn signature, causing signature verification to fail without rolling back the database changes, resulting in denial of service of the 2FA mechanism for affected credentials. The vulnerability has been patched in version 1.35.5.
Worker process crashes occur in ModSecurity (libmodsecurity3) when processing query string parameters containing single characters through the t:hexDecode transformation function. Remote unauthenticated attackers can trigger repeated segmentation faults to disrupt web application firewall protection, though service automatically recovers once the attack ceases. All libmodsecurity3 versions before 3.0.15 are affected across Apache, IIS, and Nginx deployments. OWASP confirmed the vulnerability via GitHub security advisory GHSA-qrjc-3jpc-3h2g and released patch version 3.0.15 addressing this buffer overflow (CWE-125: Out-of-bounds Read).
Unauthenticated remote denial-of-service in Phoenix Framework 1.7.0-1.7.21 and 1.8.0-1.8.5 allows attackers to crash Elixir BEAM nodes by sending multi-megabyte HTTP requests filled with newlines to the long-poll transport endpoint. A 1 MB payload of newline characters triggers allocation of approximately one million empty list elements, exhausting scheduler and memory resources. Session token required to trigger the vulnerability is obtainable via unauthenticated GET request, making exploitation trivial. Vendor-released patches (1.7.22, 1.8.6) enforce client-side batching limits. CVSS 8.7 (high availability impact) confirmed; no public exploit or CISA KEV listing identified at time of analysis.
Out-of-bounds read in X.Org X Server XKB modifier map handling allows local authenticated attackers to read sensitive memory or crash the server by sending malformed X11 requests. The vulnerability affects RHEL 6 through 10 and requires local access with user-level privileges; exploitation results in information disclosure or denial of service.
Out-of-bounds read in X.Org X server XKB geometry processing allows local or remote attackers with X11 server access to disclose sensitive memory contents or cause denial of service by crashing the server. The vulnerability exists in CheckSetGeom() and XkbAddGeomKeyAlias functions and requires low privileges but no user interaction. No public exploit code or active exploitation has been identified at time of analysis.
Uncontrolled resource consumption in Apache HTTP Server's mod_md module allows remote unauthenticated attackers to exhaust server resources via malformed OCSP response data, affecting versions 2.4.30 through 2.4.66. The vulnerability enables attackers to achieve confidentiality, integrity, and availability impacts with low complexity exploitation over the network. No active exploitation confirmed (not in CISA KEV), but the network-accessible attack surface and lack of authentication requirement make this a credible threat requiring prompt patching to version 2.4.67.
Remote attackers can crash OpenClaw 2026.4.9 by sending oversized WebSocket frames to the voice-call realtime webhook path, causing complete service unavailability. The vulnerability requires no authentication and affects deployments that expose the WebSocket endpoint externally. Vendor patch released in version 2026.4.10 with commit afadb7dae6738819ad9c7d2597ace0516957d20e. No active exploitation confirmed (not in CISA KEV), but public advisory with commit details provides exploitation blueprint.
Heap buffer overflow in GPAC's SVG attribute parser allows local attackers to cause denial of service by providing crafted SVG input that triggers out-of-bounds memory access in the svg_parse_strings() function. The vulnerability requires user interaction (opening a malicious SVG file) and operates with low complexity on local systems. While CVSS score is moderate (5.5) and EPSS probability is very low (0.02%), the issue affects the widely-used multimedia framework's SVG handling and has been confirmed fixed upstream.
Denial of Service vulnerability in Samsung Exynos chipsets (980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, W920, W930, W1000, and modems 5123, 5300, 5400) allows remote unauthenticated attackers to crash devices by sending malformed 5G NR NAS registration accept messages. The flaw affects the Mobility Management (MM) component's message parser, triggering resource exhaustion (CWE-770) that disrupts cellular connectivity. CVSS 7.5 (High) with network attack vector and no prerequisites, though EPSS indicates only 0.02% exploitation probability and no public exploits identified at time of analysis.
Denial of service in Open5GS up to version 2.7.7 affects the AMF 3GPP access endpoint handler (udm_nudm_uecm_handle_amf_registration_update function), allowing authenticated remote attackers to crash the UDM service via malformed registration update messages. Publicly available exploit code exists, and the vendor was notified early but has not released a patch as of the analysis date.
Denial of service in net-imap SCRAM-SHA1/SHA256 authentication allows a hostile IMAP server to freeze the entire Ruby VM by sending an arbitrarily large PBKDF2 iteration count, blocking all threads for several minutes due to the blocking nature of OpenSSL::KDF.pbkdf2_hmac and its retention of the Global VM Lock. Patched versions 0.4.24, 0.5.14, and 0.6.4 introduce a max_iterations parameter that users must explicitly configure to prevent exploitation.
net-imap ResponseReader exhibits quadratic time complexity O(n²) when parsing IMAP responses containing multiple string literals, allowing hostile IMAP servers to exhaust client CPU and block other threads via denial of service. A maliciously crafted response can consume 100-200ms per regex scan repeated hundreds of thousands of times per megabyte, holding the Global VM lock and starving concurrent threads despite staying within max_response_size limits. Vendor-released patches available in versions 0.4.24, 0.5.14, and 0.6.4.
Denial of service in Open5GS up to version 2.7.7 affects the udm_state_operational function in the smf-registrations endpoint, allowing authenticated remote attackers to manipulate the function and cause service unavailability. The vulnerability has publicly available exploit code and carries a low CVSS score of 2.1 due to required authentication and limited availability impact, though the project has not yet responded to early disclosure.
Network-accessible denial-of-service in HashiCorp Boundary workers allows unauthenticated remote attackers to block legitimate worker connections by manipulating TLS handshake timing during node enrollment. Attackers can connect to the worker authentication listener and intentionally delay or withhold client certificates, causing connection handlers to block and preventing legitimate workers from enrolling or routing traffic. Both Community Edition and Enterprise versions prior to 0.21.3, 0.20.3, and 0.19.5 are vulnerable. EPSS data not provided; no CISA KEV listing indicating limited observed exploitation. Vendor-confirmed vulnerability with patches released across three active release branches.
Apko crashes via denial-of-service when a repository JWKS endpoint returns a non-RSA key due to an unchecked type assertion in the DiscoverKeys function. The vulnerability affects any workflow initializing the APK database and requires user interaction to trigger (e.g., running apko with a malicious repository), with CVSS 6.5 reflecting the availability impact. No patch is currently available, though the issue is confirmed and acknowledged by the apko maintainers.
Authenticated attackers can escalate privileges to administrator in Pelican Web User Interface versions 7.21 through 7.24 by manipulating database records before legitimate admin users log in. This vulnerability was discovered by a Claude coding agent on April 2, 2026, and affects servers with Server.UIAdminUsers or Server.AdminGroups configured where designated admins have not previously authenticated. No public exploit code exists, and Pelican Command Line reports no confirmed exploitation in OSDF-managed services. Vendor patches are available across all affected minor release series (>=v7.21.5, >=v7.22.3, >=v7.23.3, >=v7.24.2), with fix commit 7f73b9c3e677 addressing CWE-863 (Incorrect Authorization).
Authorization bypass in Docker Distribution Registry allows remote clients to delete image tags via the DELETE /v2/<name>/manifests/<tag> endpoint even when the operator has explicitly configured storage.delete.enabled: false. The tag deletion code path in registry/handlers/manifests.go bypasses the deletion authorization check present in digest-based manifest deletion, enabling attackers with network access to cause denial of service by removing tags and disrupting supply chain integrity of registries intended to be immutable.
Denial of service in Open5GS up to version 2.7.7 affects the authentication-subscription endpoint handler, allowing authenticated remote attackers to manipulate the udm_nudr_dr_handle_subscription_authentication function and cause service unavailability. Public exploit code exists and the vulnerability has been reported to the project without a confirmed vendor response or patch release.
Pillow's PDF parser enters an infinite loop when processing maliciously crafted PDF files with circular Prev pointer references in trailer sections, causing 100% CPU consumption and application hang. All versions from 4.2.0 through 12.1.x are affected. The vulnerability is a denial-of-service condition affecting any application using Pillow to parse untrusted PDFs. Vendor-released patch: version 12.2.0.
Memory exhaustion crashes Argo Workflows server via unauthenticated multi-gigabyte webhook requests to the publicly accessible `/api/v1/events/` endpoint. The Webhook Interceptor's `io.ReadAll` call allocates unbounded memory before signature verification, enabling remote attackers to trigger out-of-memory (OOM) conditions without authentication or credentials. Vendor-released patches enforce a 2MB body size limit via `io.LimitReader`. Publicly available exploit code exists (conceptual proof-of-concept published in GitHub security advisory GHSA-jcc8-g2q4-9fxq). No active exploitation confirmed by CISA KEV at time of analysis, but the low attack complexity (CVSS AV:N/AC:L/PR:N) and public PoC create immediate risk for internet-exposed Argo Workflows deployments.
Denial of service via nil pointer dereference in Argo Workflows 4.0.0-4.0.4 affects SSO users with RBAC namespace delegation enabled when their identity claims match a namespace-level RBAC rule but not an SSO-namespace rule. The gatekeeper.go rbacAuthorization() function unconditionally dereferences a nil serviceAccount pointer when comparing rule precedence, causing an HTTP 500 panic on every API request from the affected user. Live-tested exploit confirmed on v4.0.4 with Dex OIDC provider; vendor patch released as v4.0.5.
Null pointer dereference in the Linux kernel's bcm_vk misc driver allows a local authenticated attacker to crash the kernel, resulting in a denial of service. The bcm_vk_read() function checks whether the 'entry' pointer is NULL but fails to prevent subsequent dereferences of that pointer when rc is set to -EMSGSIZE, leading to a kernel panic. No public exploit exists and the vulnerability is not listed in CISA KEV; however, vendor-released patches are available across multiple stable kernel branches, and Red Hat and SUSE have tagged this for attention in their ecosystems.
Null pointer dereference in the Linux kernel QRTR (Qualcomm IPC Router) driver via MHI auto_queue feature causes denial of service on Qualcomm X1E80100 CRD machines during boot. The vulnerability occurs when the MHI stack invokes the DL (downlink) callback before the QRTR client driver is fully probed, accessing uninitialized driver structures. A local privileged attacker can trigger kernel panic by exploiting the race condition between MHI buffer auto-queuing and driver initialization, affecting systems relying on QRTR over MHI transport.
In the Linux kernel, the following vulnerability has been resolved: RDMA/ionic: Fix potential NULL pointer dereference in ionic_query_port The function ionic_query_port() calls ib_device_get_netdev() without checking the return value which could lead to NULL pointer dereference, Fix it by checking the return value and return -ENODEV if the 'ndev' is NULL.
In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix double destroy_workqueue on service rescan PCI path While testing corner cases in the driver, a use-after-free crash was found on the service rescan PCI path. When mana_serv_reset() calls mana_gd_suspend(), mana_gd_cleanup() destroys gc->service_wq. If the subsequent mana_gd_resume() fails with -ETIMEDOUT or -EPROTO, the code falls through to mana_serv_rescan() which triggers pci_stop_and_remove_bus_device(). This invokes the PCI .remove callback (mana_gd_remove), which calls mana_gd_cleanup() a second time, attempting to destroy the already- freed workqueue. Fix this by NULL-checking gc->service_wq in mana_gd_cleanup() and setting it to NULL after destruction. Call stack of issue for reference: [Sat Feb 21 18:53:48 2026] Call Trace: [Sat Feb 21 18:53:48 2026] <TASK> [Sat Feb 21 18:53:48 2026] mana_gd_cleanup+0x33/0x70 [mana] [Sat Feb 21 18:53:48 2026] mana_gd_remove+0x3a/0xc0 [mana] [Sat Feb 21 18:53:48 2026] pci_device_remove+0x41/0xb0 [Sat Feb 21 18:53:48 2026] device_remove+0x46/0x70 [Sat Feb 21 18:53:48 2026] device_release_driver_internal+0x1e3/0x250 [Sat Feb 21 18:53:48 2026] device_release_driver+0x12/0x20 [Sat Feb 21 18:53:48 2026] pci_stop_bus_device+0x6a/0x90 [Sat Feb 21 18:53:48 2026] pci_stop_and_remove_bus_device+0x13/0x30 [Sat Feb 21 18:53:48 2026] mana_do_service+0x180/0x290 [mana] [Sat Feb 21 18:53:48 2026] mana_serv_func+0x24/0x50 [mana] [Sat Feb 21 18:53:48 2026] process_one_work+0x190/0x3d0 [Sat Feb 21 18:53:48 2026] worker_thread+0x16e/0x2e0 [Sat Feb 21 18:53:48 2026] kthread+0xf7/0x130 [Sat Feb 21 18:53:48 2026] ? __pfx_worker_thread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ret_from_fork+0x269/0x350 [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ret_from_fork_asm+0x1a/0x30 [Sat Feb 21 18:53:48 2026] </TASK>
In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Flush exception handling work when RPM level is zero Ensure that the exception event handling work is explicitly flushed during suspend when the runtime power management level is set to UFS_PM_LVL_0. When the RPM level is zero, the device power mode and link state both remain active. Previously, the UFS core driver bypassed flushing exception event handling jobs in this configuration. This created a race condition where the driver could attempt to access the host controller to handle an exception after the system had already entered a deep power-down state, resulting in a system crash. Explicitly flush this work and disable auto BKOPs before the suspend callback proceeds. This guarantees that pending exception tasks complete and prevents illegal hardware access during the power-down sequence.
In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix possible dereference of uninitialized pointer There is a pointer head_page in rb_meta_validate_events() which is not initialized at the beginning of a function. This pointer can be dereferenced if there is a failure during reader page validation. In this case the control is passed to "invalid" label where the pointer is dereferenced in a loop. To fix the issue initialize orig_head and head_page before calling rb_validate_buffer. Found by Linux Verification Center (linuxtesting.org) with SVACE.
In the Linux kernel, the following vulnerability has been resolved: md-cluster: fix NULL pointer dereference in process_metadata_update The function process_metadata_update() blindly dereferences the 'thread' pointer (acquired via rcu_dereference_protected) within the wait_event() macro. While the code comment states "daemon thread must exist", there is a valid race condition window during the MD array startup sequence (md_run): 1. bitmap_load() is called, which invokes md_cluster_ops->join(). 2. join() starts the "cluster_recv" thread (recv_daemon). 3. At this point, recv_daemon is active and processing messages. 4. However, mddev->thread (the main MD thread) is not initialized until later in md_run(). If a METADATA_UPDATED message is received from a remote node during this specific window, process_metadata_update() will be called while mddev->thread is still NULL, leading to a kernel panic. To fix this, we must validate the 'thread' pointer. If it is NULL, we release the held lock (no_new_dev_lockres) and return early, safely ignoring the update request as the array is not yet fully ready to process it.
A race condition in the Linux kernel's chips-media wave5 video decoder driver allows local authenticated users to trigger a NULL pointer dereference during concurrent instance creation/destruction, potentially leading to high confidentiality, integrity, and availability impact. The vulnerability affects kernel versions from commit 9707a6254a8a onwards until patched in 6.18.16, 6.19.6, and 7.0. Fixed via interrupt handler refactoring with proper locking. EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, and no public exploit code or CISA KEV listing exists, suggesting limited real-world exploitation despite the high CVSS 7.8 score.
In the Linux kernel, the following vulnerability has been resolved: HID: prodikeys: Check presence of pm->input_ep82 Fake USB devices can send their own report descriptors for which the input_mapping() hook does not get called. In this case, pm->input_ep82 stays NULL, which leads to a crash later. This does not happen with the real device, but can be provoked by imposing as one.
Double-free memory corruption in Linux kernel's Xen 9P filesystem driver (9p/xen) allows adjacent network attackers to crash the kernel or potentially execute arbitrary code. The xenwatch thread racing with back-end state changes triggers use-after-free during teardown of xen_9pfs_front_free(), causing general protection faults. Vendor patches available for mainline 7.0 and stable branches 6.19.6, 6.18.16, and 6.12.75. EPSS score of 0.02% (5th percentile) suggests low exploitation probability in the wild; no public exploit or CISA KEV listing at time of analysis.
A denial of service vulnerability in the Linux kernel's AMD display driver (drm/amd/display) allows local authenticated users to crash the system by accessing link encoder functionality on DisplayPort over USB-C (DPIA) links without proper signal type validation. The vulnerability affects kernel versions before the patches released in stable branches 6.12.75, 6.18.16, 6.19.6, and 7.0. No public exploit code has been identified, and real-world exploitation probability is very low (EPSS 0.02%), suggesting this is primarily an edge-case denial of service affecting specific hardware configurations with DPIA displays.
In the Linux kernel, the following vulnerability has been resolved: net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash() Commit 38a6f0865796 ("net: sched: support hash selecting tx queue") added SKBEDIT_F_TXQ_SKBHASH support. The inclusive range size is computed as: mapping_mod = queue_mapping_max - queue_mapping + 1; The range size can be 65536 when the requested range covers all possible u16 queue IDs (e.g. queue_mapping=0 and queue_mapping_max=U16_MAX). That value cannot be represented in a u16 and previously wrapped to 0, so tcf_skbedit_hash() could trigger a divide-by-zero: queue_mapping += skb_get_hash(skb) % params->mapping_mod; Compute mapping_mod in a wider type and reject ranges larger than U16_MAX to prevent params->mapping_mod from becoming 0 and avoid the crash.
Use-after-free and reference count underflow in the Linux kernel's amdgpu DRM driver allows local authenticated users with low privileges to cause kernel panic, denial of service, and potentially execute arbitrary code with kernel privileges. The vulnerability affects amdgpu_gem_va_ioctl handling of GPU timeline fences where stale or freed fences are used due to premature fence selection and improper reference management. Patch available in kernel versions 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit or active exploitation has been identified.
In the Linux kernel, the following vulnerability has been resolved: media: iris: gen2: Add sanity check for session stop In iris_kill_session, inst->state is set to IRIS_INST_ERROR and session_close is executed, which will kfree(inst_hfi_gen2->packet). If stop_streaming is called afterward, it will cause a crash. Add a NULL check for inst_hfi_gen2->packet before sendling STOP packet to firmware to fix that.
Denial of service in the Linux kernel's net subsystem via deadlock in skb_may_tx_timestamp() when socket timestamp completion occurs in interrupt context while sk_callback_lock is write-locked, affecting local attackers with user privileges on systems with network drivers that complete TX timestamps from dedicated interrupt handlers.
Null pointer dereference in Linux kernel Realtek rtw89 WiFi PCI driver allows adjacent network attackers to trigger kernel crashes via malformed TX release reports with abnormal sequence numbers. The vulnerability causes out-of-bounds array access in wd_ring->pages when hardware reports invalid sequence numbers during wireless transmission operations. Vendor-released patches are available for kernel versions 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (4th percentile) indicates minimal observed exploitation activity, though the CVSS vector (AV:A/AC:H/PR:N/UI:N) shows adjacent network access with high attack complexity enables complete system compromise without authentication.
Resource management flaws in the Linux kernel MediaTek MDP driver allow local authenticated attackers with low privileges to trigger memory corruption via improper error handling during device probe initialization, potentially escalating to kernel code execution. Multiple stable kernel branches (5.10.x through 7.0) are affected, with vendor patches released across all maintained versions. No active exploitation confirmed (EPSS 0.02%, not in CISA KEV), though the local attack vector and low complexity suggest straightforward exploitation once local access is achieved.
Denial of service in Linux kernel PCI endpoint configfs interface allows local attackers with low privileges to crash the kernel via swapped parameters in pci_primary_epc_epf_unlink() and pci_secondary_epc_epf_unlink() functions. When executing the unlink command in configfs, incorrect parameter ordering causes invalid memory access and kernel panic. CVSS 5.5 (local, low complexity, low privilege) with EPSS 0.02% suggests limited real-world exploitation despite confirmed availability of patches across multiple kernel branches.
In the Linux kernel, the following vulnerability has been resolved: erofs: fix incorrect early exits for invalid metabox-enabled images Crafted EROFS images with metadata compression enabled can trigger incorrect early returns, leading to folio reference leaks. However, this does not cause system crashes or other severe issues.
Improper validation in the rtw89 PCI WiFi driver allows adjacent network attackers to trigger kernel crashes via malformed TX release reports on RTL8922DE wireless chipsets. The vulnerability stems from insufficient content validation of release reports before use, which can cause kernel panics when malformed SKB (socket buffer) release reports are processed. EPSS score of 0.02% and absence from CISA KEV suggest limited real-world exploitation, though the 8.8 CVSS reflects the potential for complete system compromise via adjacent network access without authentication. Patches available across multiple stable kernel branches (6.18.16, 6.19.6, 7.0).
In the Linux kernel, the following vulnerability has been resolved: clk: rs9: Reserve 8 struct clk_hw slots for for 9FGV0841 The 9FGV0841 has 8 outputs and registers 8 struct clk_hw, make sure there are 8 slots for those newly registered clk_hw pointers, else there is going to be out of bounds write when pointers 4..7 are set into struct rs9_driver_data .clk_dif[4..7] field. Since there are other structure members past this struct clk_hw pointer array, writing to .clk_dif[4..7] fields corrupts both the struct rs9_driver_data content and data around it, sometimes without crashing the kernel. However, the kernel does surely crash when the driver is unbound or during suspend. Fix this, increase the struct clk_hw pointer array size to the maximum output count of 9FGV0841, which is the biggest chip that is supported by this driver.
In the Linux kernel, the following vulnerability has been resolved: net: ethernet: xscale: Check for PTP support properly In ixp4xx_get_ts_info() ixp46x_ptp_find() is called unconditionally despite this feature only existing on ixp46x, leading to the following splat from tcpdump: root@OpenWrt:~# tcpdump -vv -X -i eth0 (...) Unable to handle kernel NULL pointer dereference at virtual address 00000238 when read (...) Call trace: ptp_clock_index from ixp46x_ptp_find+0x1c/0x38 ixp46x_ptp_find from ixp4xx_get_ts_info+0x4c/0x64 ixp4xx_get_ts_info from __ethtool_get_ts_info+0x90/0x108 __ethtool_get_ts_info from __dev_ethtool+0xa00/0x2648 __dev_ethtool from dev_ethtool+0x160/0x234 dev_ethtool from dev_ioctl+0x2cc/0x460 dev_ioctl from sock_ioctl+0x1ec/0x524 sock_ioctl from sys_ioctl+0x51c/0xa94 sys_ioctl from ret_fast_syscall+0x0/0x44 (...) Segmentation fault Check for ixp46x in ixp46x_ptp_find() before trying to set up PTP to avoid this. To avoid altering the returned error code from ixp4xx_hwtstamp_set() which before this patch was -EOPNOTSUPP, we return -EOPNOTSUPP from ixp4xx_hwtstamp_set() if ixp46x_ptp_find() fails no matter the error code. The helper function ixp46x_ptp_find() helper returns -ENODEV.
Null pointer dereference in Linux kernel UDP-Lite implementation crashes systems when udp_lib_init_sock() fails during socket initialization. Affects mainline 6.18+ through 6.19.5 and stable 7.0. Remote unauthenticated attackers can trigger denial of service by sending crafted UDP-Lite packets that exploit unhandled initialization errors in udplite_sk_init() and udplitev6_sk_init(), causing NULL pointer access in __udp_enqueue_schedule_skb(). Vendor patches available for 6.18.16, 6.19.6, and 7.0 stable trees. EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation is confirmed at time of analysis.
Null pointer dereference in the Linux kernel's rtl8723bs staging Wi-Fi driver allows a locally authenticated user to crash the kernel, resulting in a denial of service. The `pwlan` variable in `find_network()` is not validated for NULL before being passed to `rtw_free_network_nolock()`, which then dereferences it unconditionally. The flaw has been present since Linux 4.12 and is patched across all active stable branches; no public exploit exists and EPSS sits at 0.02%, confirming negligible exploitation activity.
Denial-of-service in the Linux kernel's pegasus USB-to-Ethernet driver allows a local attacker to crash the kernel by connecting a crafted USB device with mismatched endpoint transfer types. The driver's probe function fills URBs using hardcoded endpoint pipes (bulk RX on ep1, bulk TX on ep2, interrupt on ep3) without first verifying the endpoint descriptors presented by the attached device, leaving it susceptible to assertion failure when types do not match expectations. No active exploitation has been confirmed (not in CISA KEV), and the EPSS score of 0.02% reflects the niche local-access-only attack surface; patches have been released across all major stable kernel branches.
Folio reference leaks in the Linux kernel EROFS filesystem driver allow a local low-privileged user to cause gradual memory resource exhaustion by presenting crafted EROFS images with valid but specially structured volume labels. Affected kernel versions span multiple stable branches including the 6.18 and 6.19 series, as confirmed by ENISA EUVD-2026-27717 and upstream kernel commit data. No public exploit has been identified at time of analysis, and the vulnerability description explicitly limits impact to reference leaks without system crashes, which aligns with the low EPSS score of 0.02% (4th percentile).
NULL pointer dereference in the Linux kernel's hid-pl driver (Pantherlord/GreenAsia USB game controllers) allows a local low-privileged user to crash the kernel by triggering force feedback on an improperly initialized device. The root cause is unhandled probe errors during driver initialization that leave NULL pointers in place of valid data structures, which are later dereferenced when force feedback is first invoked. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.02% at the 7th percentile reflects negligible real-world exploitation probability.
NULL pointer dereference in the Linux kernel's powerpc/smp subsystem allows a local authenticated user to crash the kernel, causing a denial of service on PowerPC-based systems. The `parse_thread_groups()` function passes the return value of `kcalloc()` directly to `of_property_read_u32_array()` without validating it for NULL, meaning a failed memory allocation - possible under memory pressure - leads to a kernel panic or oops. No public exploit code exists and this vulnerability is not in CISA KEV; with an EPSS of 0.02% (7th percentile) and architecture-specific scope limited to PowerPC, real-world exploitation risk is low but relevant to IBM POWER server deployments running Red Hat or SUSE Linux.
Kernel crash in the Linux remoteproc imx_rproc subsystem (NXP i.MX platform) allows a local authenticated attacker to trigger a denial of service by loading firmware that lacks a resource table. The root cause is imx_rproc_elf_find_loaded_rsc_table() returning a stale non-NULL priv->rsc_table pointer even when rproc->table_ptr is NULL, causing the remoteproc core to dereference what it incorrectly treats as a valid loaded resource table. No public exploit has been identified at time of analysis, and EPSS at 0.02% (7th percentile) reflects the narrow hardware-specific attack surface.
Kernel oops (crash) in the Linux kernel brcmfmac SDIO Wi-Fi driver allows a local low-privileged user to cause a denial-of-service by triggering a probe failure on Broadcom SDIO Wi-Fi hardware. The root cause is a double-assignment of sdiodev->bus across brcmf_sdio_probe() and brcmf_sdiod_probe(), leaving an invalid (non-NULL, error-valued) pointer that brcmf_sdio_remove() later dereferences during cleanup. No public exploit has been identified, EPSS is at the 4th percentile, and this is not listed in CISA KEV; risk is primarily a kernel stability concern in specific hardware configurations.
Missing mutex locking around the `mfd_of_node_list` linked list in the Linux kernel's Multi-Function Device (MFD) core subsystem allows a local low-privileged attacker to trigger a race condition, resulting in a kernel crash and denial of service. The vulnerability spans multiple stable kernel branches from the introducing commit 466a62d7642f through patched releases in 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. No public exploit exists and the EPSS score of 0.02% (7th percentile) reflects negligible community exploitation interest; this is not listed in CISA KEV.
NULL pointer dereference in the Linux kernel's HID magicmouse driver allows a local attacker with low privileges to crash the kernel by connecting a crafted USB device that impersonates an Apple Magic Mouse. When a fake USB device provides a custom report descriptor, the input_mapping() hook is never called, leaving msc->input as NULL; subsequent access in input_configured() causes a kernel panic and complete availability loss. No public exploit exists and EPSS is negligible at 0.02% (7th percentile), but the impact is a full system denial of service when exploitation conditions are met.
In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda: Fix NULL pointer dereference If there's a mismatch between the DAI links in the machine driver and the topology, it is possible that the playback/capture widget is not set, especially in the case of loopback capture for echo reference where we use the dummy DAI link. Return the error when the widget is not set to avoid a null pointer dereference like below when the topology is broken. RIP: 0010:hda_dai_get_ops.isra.0+0x14/0xa0 [snd_sof_intel_hda_common]
In the Linux kernel, the following vulnerability has been resolved: HID: logitech-hidpp: Check maxfield in hidpp_get_report_length() Do not crash when a report has no fields. Fake USB gadgets can send their own HID report descriptors and can define report structures without valid fields. This can be used to crash the kernel over USB.
Denial of service in Linux kernel dm-verity subsystem allows local authenticated users to crash the system by triggering dm_bufio_client_create() failure in verity_fec_ctr(), which incorrectly passes an error pointer to dm_bufio_client_destroy(). The vulnerability requires local access and authenticated privileges but no user interaction, affecting dm-verity configurations with forward error correction enabled.
Null pointer dereference in the Linux kernel AMD power management (drm/amd/pm) subsystem causes denial of service when SMU (System Management Unit) is disabled during RAS (Reliability, Availability, and Serviceability) initialization. Local authenticated attackers with low privileges can trigger this crash on affected systems, resulting in kernel panic and system unavailability. EPSS exploitation probability is very low (0.02%), indicating this requires specific configuration and local access.
Denial of service via null pointer dereference in Linux kernel's pstore persistent storage subsystem occurs when the vmap() function fails but the persistent_ram_vmap() function incorrectly returns success if a non-zero offset is present, allowing subsequent buffer access to dereference invalid memory and cause system crashes. Affects Linux kernel versions prior to 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. No public exploit identified at time of analysis, but vendor-released patches are available across multiple stable branches.
In the Linux kernel, the following vulnerability has been resolved: fbcon: check return value of con2fb_acquire_newinfo() If fbcon_open() fails when called from con2fb_acquire_newinfo() then info->fbcon_par pointer remains NULL which is later dereferenced. Add check for return value of the function con2fb_acquire_newinfo() to avoid it. Found by Linux Verification Center (linuxtesting.org) with SVACE.
In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: Update cpuidle driver check in __acpi_processor_start() Commit 7a8c994cbb2d ("ACPI: processor: idle: Optimize ACPI idle driver registration") moved the ACPI idle driver registration to acpi_processor_driver_init() and acpi_processor_power_init() does not register an idle driver any more. Accordingly, the cpuidle driver check in __acpi_processor_start() needs to be updated to avoid calling acpi_processor_power_init() without a cpuidle driver, in which case the registration of the cpuidle device in that function would lead to a NULL pointer dereference in __cpuidle_register_device().
A kernel crash occurs in Linux btrfs filesystem tracepoint code when OverlayFS is layered on top of btrfs. The btrfs_sync_file() event handler incorrectly dereferences dentry->d_sb, which resolves to the overlay superblock instead of the underlying btrfs superblock, causing a kernel panic during fsid assignment. This affects Linux kernel versions from initial git commit (1da177e4c3f4) through multiple stable branches until patched releases 6.6.136, 6.12.83, 6.18.24, 6.19.14, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. Vendor patches are available across all affected stable kernel branches.
Out-of-bounds array indexing in Linux kernel's wl1251 wireless driver allows adjacent network attackers to achieve high-impact memory corruption without authentication. The wl1251_tx_packet_cb() function uses untrusted firmware completion IDs directly to index a fixed 16-entry tx_frames array without bounds validation, enabling attackers on the same wireless network segment to read/write arbitrary kernel memory. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation or public POC identified. However, CVSS 8.8 reflects genuine risk for systems with wl1251 hardware on untrusted networks.
A denial of service vulnerability in the Linux kernel's Qualcomm PD mapper service registry causes system crashes due to mismatched string element length validation in servreg_loc_pfr_req_ei. When a process daemon crashes and triggers a service registry location request, the QMI decoder rejects the reason field because its declared maximum length (65 bytes) is smaller than the actual field size (81 bytes), causing a decoding error and system halt. This affects all Linux kernel versions prior to the patch, triggered by local processes with standard user privileges.
NULL pointer dereferences in Linux kernel's IPv6 IOAM (In-situ Operations, Administration, and Maintenance) trace data handling cause denial of service when network packets trigger the vulnerable code path. Affects Linux kernel 5.15 through 6.19.14 and mainline branches. Despite CVSS 7.5 High severity with network vector and no authentication, EPSS exploitation probability is very low (0.02%, 4th percentile), and no active exploitation or public POC is identified at time of analysis. Vendor patches available via stable kernel commits.
Null pointer dereference in Linux kernel bridge VLAN filtering code allows local authenticated attackers to trigger a denial of service via a crafted RTM_NEWLINK netlink message with BR_BOOLOPT_FDB_LOCAL_VLAN_0 flag when CONFIG_BRIDGE_VLAN_FILTERING is disabled. The vulnerability occurs because br_fdb_delete_locals_per_vlan_port() and br_fdb_insert_locals_per_vlan_port() dereference a NULL vlan group pointer without validation, causing a kernel panic. No public exploit code identified at time of analysis.
Null pointer dereference in Linux kernel ICMP probe handling crashes systems when IPv6 module is configured but not loaded. The icmp_build_probe() function fails to validate ERR_PTR(-EAFNOSUPPORT) from ipv6_stub->ipv6_dev_find(), passing the error pointer directly to dev_hold() and triggering immediate kernel panic. EPSS probability is low (0.02%, 5th percentile) and no active exploitation confirmed, but CVSS 7.5 High severity reflects trivial remote unauthenticated denial-of-service against vulnerable kernel configurations. Patches available across stable branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0) with upstream commit identifiers confirmed.
Infinite vCPU fault loop in the Linux kernel's mshv (Microsoft Hypervisor) subsystem allows a local guest VM process to permanently spin a host vCPU thread, exhausting host CPU resources. The flaw exists in mshv_handle_gpa_intercept(), which unconditionally attempts page remaps on all movable-memory faults regardless of access permission - when a guest writes to a read-only Guest Physical Address region, the remap succeeds but the region retains its read-only designation, causing an immediate re-fault in a tight loop. Affected kernel versions run from commit b9a66cd5ccbb9fade15d0e427e19470d8ad35b75 through the fix commits; patched releases 6.19.14 and 7.0 are available. No public exploit has been identified and EPSS is 0.01%, consistent with the local, hypervisor-specific attack surface.
Linux kernel ASoC SDCA subsystem crashes on sound card teardown due to IRQ lifecycle mismanagement, causing a local denial of service. IRQ handlers registered via devm_request_threaded_irq() during component probe retain stale references to freed card and kcontrol structures after the sound card is torn down, resulting in null or dangling pointer dereferences and kernel panic. Exploitation requires local low-privilege access and SDCA-capable audio hardware; no public exploit exists and EPSS is extremely low at 0.02% (5th percentile).
NULL pointer dereference in the Linux kernel ixgbevf driver crashes Hyper-V guest VMs during device probe, causing a kernel panic and complete denial of service. The regression was introduced when commit a7075f501bd3 added a .negotiate_features callback to ixgbe_mac_operations and populated it for the standard ops table (ixgbevf_mac_ops) but omitted it from the Hyper-V-specific table (ixgbevf_hv_mac_ops), leaving that pointer NULL on Hyper-V guests. Any Linux system running on Microsoft Hyper-V with an Intel ixgbevf virtual NIC is subject to an automatic kernel crash at module load or boot; no public exploit has been identified at time of analysis and EPSS is 0.02%, reflecting a narrow but reliable impact on the specific deployment combination.
Kernel crash in the Linux pinctrl mcp23s08 driver triggers a NULL pointer dereference during device probe when an MCP23S08/MCP23008 GPIO expander retains non-zero interrupt-on-change state across a warm reboot. The crash occurs because the driver's IRQ handler fires against pins whose nested IRQ handlers have not yet been registered, causing an unhandled kernel oops and system denial of service. Exploitation is local and device-specific; no public exploit identified at time of analysis, and EPSS remains at 0.02% (5th percentile) consistent with no observed in-the-wild triggering.
NULL pointer dereference in the Linux kernel IPVS subsystem causes a kernel panic during IPVS service creation failure cleanup, resulting in a full host denial of service. Affected kernels from 6.2 onward contain a logic error in ip_vs_add_service() where a successful scheduler bind sets the local sched variable to NULL; if ip_vs_start_estimator() subsequently fails, the error path calls ip_vs_unbind_scheduler() with that NULL pointer, dereferencing offset 0x30 and triggering a general protection fault. Exploitation requires local authenticated access with CAP_NET_ADMIN privileges; no public exploit is identified and EPSS is 0.02%, indicating very low exploitation probability.
Local privilege escalation in Linux kernel netfilter nfnetlink_queue allows authenticated users with low privileges to execute arbitrary code with high integrity and availability impact via race condition in shared hash table. The vulnerability stems from a use-after-free condition when multiple queues share a global hash table, enabling parallel CPU operations to access freed nf_queue_entry structures. EPSS score is low (0.02%, 5th percentile) indicating minimal observed exploitation activity. Vendor patches available across multiple stable kernel branches (6.12.83, 6.18.24, 6.19.14) with upstream commits confirmed.
Authenticated subscribers can create arbitrary database tables in WordPress installations running Ninja Tables plugin version 5.2.6 and earlier via missing authorization checks on the createFluentCartTable function. This allows low-privileged users to pollute the database and cause resource exhaustion without requiring administrative access, affecting any site where subscribers have plugin interaction permissions.
Off-by-one error in Velocidex Velociraptor before version 0.76.5 on Windows and Linux causes denial of service when parsing specially crafted .evtx files through the parse_evtx VQL plugin. Local attackers with user-level privileges can crash the Velociraptor process by uploading or providing malformed event log files, disrupting forensic investigations and incident response operations. The vulnerability requires user interaction (file upload/selection) but grants an attacker both integrity and availability impact despite the CVSS 4.4 (Medium) rating.
Remote denial of service in Unisoc T8100/T9100/T8200/T8300 chipset NR modem implementations allows unauthenticated network attackers to crash device cellular connectivity via malformed protocol input. The improper input validation in the 5G New Radio modem stack enables trivial remote service disruption requiring no user interaction or authentication. EPSS data not available; no evidence of active exploitation (not in CISA KEV). Affects mobile devices using these specific Unisoc chipset models in 5G NR mode.
Remote denial of service in Unisoc modem IMS implementation across 16 chipset families (SC7731E through T8300) allows unauthenticated network attackers to crash mobile device modem services via crafted IMS traffic. The improper input validation vulnerability (CVSS 7.5) enables high-impact availability attacks against millions of deployed Android smartphones and IoT devices using Unisoc chipsets. No public exploit identified at time of analysis, with EPSS data unavailable for this recently disclosed January 2025 vulnerability.
Remote denial of service in Unisoc modem IMS (IP Multimedia Subsystem) implementation allows unauthenticated network attackers to crash telephony services on affected chipsets through malformed input. Affects 16 Unisoc chipset models spanning SC and T series (SC7731E through T8300) used in budget and mid-range mobile devices. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects network accessibility and service disruption potential, though EPSS data unavailable for risk prioritization.
Remote denial of service in Unisoc modem IMS stack allows network attackers to crash affected devices through malformed input without authentication. Affects 16 Unisoc chipset families (SC7731E, SC9832E, SC9863A, T-series T310 through T8300) used in mobile devices. No authentication, user interaction, or special configuration required (CVSS AV:N/AC:L/PR:N/UI:N). No public exploit code or CISA KEV listing identified at time of analysis, though EPSS data unavailable for risk quantification.
Remote denial of service in Unisoc Modem IMS stack allows unauthenticated network attackers to crash mobile devices through improper input validation. Affects 16 Unisoc chipset families (SC7731E through T8300) widely deployed in budget smartphones and IoT devices across global markets. No authentication, user interaction, or elevated privileges required for exploitation. EPSS data and KEV status not available; no public exploit identified at time of analysis.
Remote attackers can crash Unisoc chipset IMS (IP Multimedia Subsystem) implementations through network-accessible malformed input, causing complete denial of service with no authentication required. Affects 17 Unisoc chipset models (SC7731E, SC9832E, SC9863A, T-series T310 through T8300) used in mobile devices. CVSS 7.5 (High) reflects direct network exposure and ease of exploitation (AV:N/AC:L/PR:N), though impact is limited to availability. No public exploit code identified at time of analysis, and EPSS data not available for assessment.
Remote denial-of-service in ZTE home routers (H8102E, H168N, H167A, and 15 other models) allows unauthenticated network attackers to crash the web management interface via oversized HTTP POST request with application/x-www-form-urlencoded content, requiring physical device reboot to restore service. ZTE claims devices patched since March 2021, but operator firmware timelines vary. EPSS data not available; no active exploitation confirmed (not in CISA KEV). Publicly available exploit details exist via GitHub gist.
Remote denial of service in vLLM 0.6.1 through 0.19.x allows unauthenticated attackers to crash worker processes by sending text-only prompts containing special multimodal placeholder tokens (e.g., '<|vision_start|><|image_pad|><|vision_end|>') without corresponding image or video data. The vulnerability stems from unprotected array indexing in the input position computation layer when processing vision tokens, causing an IndexError that terminates the worker and degrades service availability. A single malicious request can trigger the fault.
ciguard SCA HTTP clients in osv.py and endoflife.py exhaust process memory by reading unbounded response bodies from OSV.dev and endoflife.date without enforcing a size cap. A hostile or compromised backend service, or a successful TLS MITM attack, could return multi-gigabyte responses causing denial of service via out-of-memory kill or system swap exhaustion in CI environments. No public exploit identified at time of analysis; vendor released patch in v0.8.2.
Unauthenticated path traversal in Grav CMS FormFlash component allows remote attackers to create arbitrary directories and write configuration files (index.yaml) with controlled content. Confirmed actively exploited (CISA KEV). The vulnerability affects all Grav v1.7.x installations with form-enabled pages (default in standard deployments). Attack complexity is low-requires only manipulating the __form-flash-id POST parameter with traversal sequences. Vendor-released patch available in v2.0.0-beta.2 (commit d904efc33) applies strict alphanumeric sanitization to session identifiers. EPSS exploitation probability data not available, but GitHub advisory confirms zero-day status prior to patch, with public proof-of-concept demonstrating directory creation in user/config/ paths leading to configuration injection and potential DoS via inode exhaustion.
Grav CMS Admin Panel allows authenticated users with only user-creation permissions to overwrite administrator accounts by submitting the admin's username when creating a new user. The flawed create-or-update logic replaces the existing super-admin account metadata with attacker-supplied low-privilege data, locking the legitimate administrator out and causing complete loss of management control. Vendor-released patch: fixed in 2.0.0-beta.2 (commit d904efc33). Publicly available exploit code exists (video PoC published by Grav maintainers). EPSS data not provided, but the low attack complexity and confirmed PoC make exploitation straightforward for any low-privileged user with create-user rights.
Denial of service attacks against PHP applications using phpseclib can be triggered by providing maliciously crafted ASN.1 encoded files containing oversized Object Identifiers. The vulnerability bypasses a previous CVE-2024-27355 mitigation, allowing OID amplification attacks that exhaust server resources when processing untrusted X.509 certificates, PKCS8 keys, or other ASN.1 structures. Vendor-released patches are available across all affected major versions (1.x, 2.x, 3.x). CVSS 7.5 indicates network-exploitable, unauthenticated denial of service with no public exploit identified at time of analysis.
Remote denial of service in Twisted's DNS name decompression (twisted.names module) allows unauthenticated attackers to freeze the single-threaded reactor by sending a crafted TCP DNS packet with deeply chained compression pointers and thousands of questions. Publicly available exploit code exists. Despite high CVSS score (7.5), real-world impact is limited to applications using the twisted.names DNS server-not the broader Twisted framework. Vendor-released patch available in version 26.4.0rc2.
GoBGP v4.4.0 crashes with SIGSEGV panic when an unauthenticated remote BGP peer sends malformed UPDATE messages with inconsistent attribute lengths. The nil pointer dereference in AdjRib.Update (adj.go:127) causes complete process termination and loss of BGP service. Publicly available exploit code exists (POC in GitHub advisory GHSA-p3w2-64xm-833j). Vendor-released patch available in v4.5.0. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects the trivial remote exploitation of critical network infrastructure with no mitigating factors.
Authorization bypass in LXC's setuid helper lxc-user-nic allows unprivileged users to delete OpenVSwitch-attached network interfaces belonging to other users. The vulnerability exists in the find_line() function's interface name comparison logic, which sets an authorization flag based on name match alone without re-verifying ownership, enabling a tenant to cause denial of service by disconnecting containers on shared infrastructure. This affects multi-tenant deployments using lxc-user-nic with OpenVSwitch bridges and is patched in LXC 7.0.0.
Local denial of service in Sandboxie 1.17.2 and earlier allows unprivileged processes inside Standard Sandbox configurations to crash the Windows kernel (BSOD) by sending malformed IOCTL requests to the SandboxieDriverApi kernel driver. Fixed in version 1.17.3 released by Sandboxie-Plus. Security Hardened Sandbox configurations are not affected. No active exploitation confirmed (not in CISA KEV), but the vulnerability is trivially exploitable by any process within an affected sandbox, enabling local attackers or malicious sandboxed applications to force immediate system-wide service disruption.
Vaultwarden versions 1.35.4 and earlier allow authenticated attackers to permanently disable WebAuthn two-factor authentication for user credentials by exploiting a logic flaw in the `validate_webauthn_login()` function that updates backup eligibility flags before validating the WebAuthn signature. An attacker with knowledge of a user's password can modify these persistent flags even when providing an invalid WebAuthn signature, causing signature verification to fail without rolling back the database changes, resulting in denial of service of the 2FA mechanism for affected credentials. The vulnerability has been patched in version 1.35.5.
Worker process crashes occur in ModSecurity (libmodsecurity3) when processing query string parameters containing single characters through the t:hexDecode transformation function. Remote unauthenticated attackers can trigger repeated segmentation faults to disrupt web application firewall protection, though service automatically recovers once the attack ceases. All libmodsecurity3 versions before 3.0.15 are affected across Apache, IIS, and Nginx deployments. OWASP confirmed the vulnerability via GitHub security advisory GHSA-qrjc-3jpc-3h2g and released patch version 3.0.15 addressing this buffer overflow (CWE-125: Out-of-bounds Read).
Unauthenticated remote denial-of-service in Phoenix Framework 1.7.0-1.7.21 and 1.8.0-1.8.5 allows attackers to crash Elixir BEAM nodes by sending multi-megabyte HTTP requests filled with newlines to the long-poll transport endpoint. A 1 MB payload of newline characters triggers allocation of approximately one million empty list elements, exhausting scheduler and memory resources. Session token required to trigger the vulnerability is obtainable via unauthenticated GET request, making exploitation trivial. Vendor-released patches (1.7.22, 1.8.6) enforce client-side batching limits. CVSS 8.7 (high availability impact) confirmed; no public exploit or CISA KEV listing identified at time of analysis.
Out-of-bounds read in X.Org X Server XKB modifier map handling allows local authenticated attackers to read sensitive memory or crash the server by sending malformed X11 requests. The vulnerability affects RHEL 6 through 10 and requires local access with user-level privileges; exploitation results in information disclosure or denial of service.
Out-of-bounds read in X.Org X server XKB geometry processing allows local or remote attackers with X11 server access to disclose sensitive memory contents or cause denial of service by crashing the server. The vulnerability exists in CheckSetGeom() and XkbAddGeomKeyAlias functions and requires low privileges but no user interaction. No public exploit code or active exploitation has been identified at time of analysis.
Uncontrolled resource consumption in Apache HTTP Server's mod_md module allows remote unauthenticated attackers to exhaust server resources via malformed OCSP response data, affecting versions 2.4.30 through 2.4.66. The vulnerability enables attackers to achieve confidentiality, integrity, and availability impacts with low complexity exploitation over the network. No active exploitation confirmed (not in CISA KEV), but the network-accessible attack surface and lack of authentication requirement make this a credible threat requiring prompt patching to version 2.4.67.
Remote attackers can crash OpenClaw 2026.4.9 by sending oversized WebSocket frames to the voice-call realtime webhook path, causing complete service unavailability. The vulnerability requires no authentication and affects deployments that expose the WebSocket endpoint externally. Vendor patch released in version 2026.4.10 with commit afadb7dae6738819ad9c7d2597ace0516957d20e. No active exploitation confirmed (not in CISA KEV), but public advisory with commit details provides exploitation blueprint.
Heap buffer overflow in GPAC's SVG attribute parser allows local attackers to cause denial of service by providing crafted SVG input that triggers out-of-bounds memory access in the svg_parse_strings() function. The vulnerability requires user interaction (opening a malicious SVG file) and operates with low complexity on local systems. While CVSS score is moderate (5.5) and EPSS probability is very low (0.02%), the issue affects the widely-used multimedia framework's SVG handling and has been confirmed fixed upstream.
Denial of Service vulnerability in Samsung Exynos chipsets (980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, W920, W930, W1000, and modems 5123, 5300, 5400) allows remote unauthenticated attackers to crash devices by sending malformed 5G NR NAS registration accept messages. The flaw affects the Mobility Management (MM) component's message parser, triggering resource exhaustion (CWE-770) that disrupts cellular connectivity. CVSS 7.5 (High) with network attack vector and no prerequisites, though EPSS indicates only 0.02% exploitation probability and no public exploits identified at time of analysis.
Denial of service in Open5GS up to version 2.7.7 affects the AMF 3GPP access endpoint handler (udm_nudm_uecm_handle_amf_registration_update function), allowing authenticated remote attackers to crash the UDM service via malformed registration update messages. Publicly available exploit code exists, and the vendor was notified early but has not released a patch as of the analysis date.
Denial of service in net-imap SCRAM-SHA1/SHA256 authentication allows a hostile IMAP server to freeze the entire Ruby VM by sending an arbitrarily large PBKDF2 iteration count, blocking all threads for several minutes due to the blocking nature of OpenSSL::KDF.pbkdf2_hmac and its retention of the Global VM Lock. Patched versions 0.4.24, 0.5.14, and 0.6.4 introduce a max_iterations parameter that users must explicitly configure to prevent exploitation.
net-imap ResponseReader exhibits quadratic time complexity O(n²) when parsing IMAP responses containing multiple string literals, allowing hostile IMAP servers to exhaust client CPU and block other threads via denial of service. A maliciously crafted response can consume 100-200ms per regex scan repeated hundreds of thousands of times per megabyte, holding the Global VM lock and starving concurrent threads despite staying within max_response_size limits. Vendor-released patches available in versions 0.4.24, 0.5.14, and 0.6.4.
Denial of service in Open5GS up to version 2.7.7 affects the udm_state_operational function in the smf-registrations endpoint, allowing authenticated remote attackers to manipulate the function and cause service unavailability. The vulnerability has publicly available exploit code and carries a low CVSS score of 2.1 due to required authentication and limited availability impact, though the project has not yet responded to early disclosure.
Network-accessible denial-of-service in HashiCorp Boundary workers allows unauthenticated remote attackers to block legitimate worker connections by manipulating TLS handshake timing during node enrollment. Attackers can connect to the worker authentication listener and intentionally delay or withhold client certificates, causing connection handlers to block and preventing legitimate workers from enrolling or routing traffic. Both Community Edition and Enterprise versions prior to 0.21.3, 0.20.3, and 0.19.5 are vulnerable. EPSS data not provided; no CISA KEV listing indicating limited observed exploitation. Vendor-confirmed vulnerability with patches released across three active release branches.
Apko crashes via denial-of-service when a repository JWKS endpoint returns a non-RSA key due to an unchecked type assertion in the DiscoverKeys function. The vulnerability affects any workflow initializing the APK database and requires user interaction to trigger (e.g., running apko with a malicious repository), with CVSS 6.5 reflecting the availability impact. No patch is currently available, though the issue is confirmed and acknowledged by the apko maintainers.
Authenticated attackers can escalate privileges to administrator in Pelican Web User Interface versions 7.21 through 7.24 by manipulating database records before legitimate admin users log in. This vulnerability was discovered by a Claude coding agent on April 2, 2026, and affects servers with Server.UIAdminUsers or Server.AdminGroups configured where designated admins have not previously authenticated. No public exploit code exists, and Pelican Command Line reports no confirmed exploitation in OSDF-managed services. Vendor patches are available across all affected minor release series (>=v7.21.5, >=v7.22.3, >=v7.23.3, >=v7.24.2), with fix commit 7f73b9c3e677 addressing CWE-863 (Incorrect Authorization).
Authorization bypass in Docker Distribution Registry allows remote clients to delete image tags via the DELETE /v2/<name>/manifests/<tag> endpoint even when the operator has explicitly configured storage.delete.enabled: false. The tag deletion code path in registry/handlers/manifests.go bypasses the deletion authorization check present in digest-based manifest deletion, enabling attackers with network access to cause denial of service by removing tags and disrupting supply chain integrity of registries intended to be immutable.
Denial of service in Open5GS up to version 2.7.7 affects the authentication-subscription endpoint handler, allowing authenticated remote attackers to manipulate the udm_nudr_dr_handle_subscription_authentication function and cause service unavailability. Public exploit code exists and the vulnerability has been reported to the project without a confirmed vendor response or patch release.
Pillow's PDF parser enters an infinite loop when processing maliciously crafted PDF files with circular Prev pointer references in trailer sections, causing 100% CPU consumption and application hang. All versions from 4.2.0 through 12.1.x are affected. The vulnerability is a denial-of-service condition affecting any application using Pillow to parse untrusted PDFs. Vendor-released patch: version 12.2.0.
Memory exhaustion crashes Argo Workflows server via unauthenticated multi-gigabyte webhook requests to the publicly accessible `/api/v1/events/` endpoint. The Webhook Interceptor's `io.ReadAll` call allocates unbounded memory before signature verification, enabling remote attackers to trigger out-of-memory (OOM) conditions without authentication or credentials. Vendor-released patches enforce a 2MB body size limit via `io.LimitReader`. Publicly available exploit code exists (conceptual proof-of-concept published in GitHub security advisory GHSA-jcc8-g2q4-9fxq). No active exploitation confirmed by CISA KEV at time of analysis, but the low attack complexity (CVSS AV:N/AC:L/PR:N) and public PoC create immediate risk for internet-exposed Argo Workflows deployments.
Denial of service via nil pointer dereference in Argo Workflows 4.0.0-4.0.4 affects SSO users with RBAC namespace delegation enabled when their identity claims match a namespace-level RBAC rule but not an SSO-namespace rule. The gatekeeper.go rbacAuthorization() function unconditionally dereferences a nil serviceAccount pointer when comparing rule precedence, causing an HTTP 500 panic on every API request from the affected user. Live-tested exploit confirmed on v4.0.4 with Dex OIDC provider; vendor patch released as v4.0.5.