Skip to main content

Denial Of Service

36564 CVEs technique

Monthly

CVE-2026-23473 PATCH Awaiting Data

Linux kernel io_uring/poll multishot recv can hang indefinitely when a socket shutdown occurs concurrently with data reception, due to a race condition where accumulated poll wakeups are drained without consuming the persistent HUP event. The vulnerability affects all Linux kernel versions with io_uring poll support and requires a fix to explicitly check for HUP conditions and re-loop when multiple poll activations are pending.

Linux Linux Kernel Denial Of Service
NVD VulDB
EPSS
0.0%
CVE-2026-23472 MEDIUM PATCH This Month

Infinite loop in Linux kernel serial core driver handle_tx() affects systems using uninitialized PORT_UNKNOWN serial ports, where uart_write_room() and uart_write() behave inconsistently regarding null transmit buffers, causing denial of service through system hangs. The vulnerability impacts caif_serial and other drivers that rely on tty_write_room() to determine write capacity. Patch available in upstream kernel commits; no CVSS score assigned due to kernel-specific nature and relatively limited exposure scope.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23469 MEDIUM PATCH This Month

Linux kernel drm/imagination driver crashes when the GPU runtime PM suspend callback executes concurrently with an IRQ handler attempting to access GPU registers, causing kernel panics with SError interrupts on ARM64 platforms. The vulnerability affects the imagination GPU driver across Linux kernel versions and is triggered when power management suspend operations race with interrupt handling without proper synchronization. The fix adds synchronize_irq() calls to ensure IRQ handlers complete before GPU suspension and removes problematic runtime PM resume calls from the IRQ handler that could cause deadlocks.

Linux Denial Of Service Race Condition
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-23468 MEDIUM PATCH This Month

Denial of service in Linux kernel amdgpu driver allows local attackers to exhaust system memory by passing an arbitrarily large BO (buffer object) list entry count via userspace, bypassing existing overflow checks but causing excessive allocation and processing delays; fixed by enforcing a 128k entry limit per BO list.

Linux Denial Of Service
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23467 MEDIUM PATCH This Month

NULL pointer dereference in Linux kernel DRM i915 GPU driver allows local denial of service during system probe when DMC firmware initialization has not yet completed but hardware has DC6 power state enabled. The vulnerability occurs in intel_dmc_update_dc6_allowed_count() when called from gen9_set_dc_state() during intel_power_domains_init_hw(), which executes before DMC initialization, causing kernel oops if DC6 is unexpectedly enabled by BIOS firmware. No public exploit code identified; this is a kernel crash vulnerability requiring local system access triggered by atypical BIOS behavior.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23460 MEDIUM PATCH This Month

NULL pointer dereference in Linux kernel ROSE socket implementation allows local denial of service when rose_connect() is called twice during an active connection attempt. The vulnerability occurs because rose_connect() fails to validate TCP_SYN_SENT state, permitting rose->neighbour to be overwritten with NULL, which later causes a kernel crash when rose_transmit_link() dereferences the NULL pointer during socket closure. No active exploitation reported; fix available in upstream kernel commits.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23454 HIGH PATCH This Week

Use-after-free in Linux kernel MANA hardware channel teardown (net/mana driver) allows concurrent interrupt handlers to dereference freed memory in mana_hwc_destroy_channel(), potentially causing NULL pointer dereference or memory corruption. The vulnerability stems from improper teardown ordering where hwc->caller_ctx is freed before CQ/EQ IRQ handlers are fully synchronized, affecting all Linux kernel versions with the MANA driver. Fixes are available across stable kernel branches via upstream commit reordering.

Linux Use After Free Denial Of Service Memory Corruption
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-23451 HIGH PATCH This Week

Infinite loop in Linux kernel bonding device header parsing allows local denial of service when two bonding devices are stacked. The bond_header_parse() function can recurse indefinitely because skb->dev always points to the top of the device hierarchy. The fix adds a bounded recursion parameter to the header_ops parse() method to ensure the leaf parse method is called and prevent endless loops. This vulnerability affects all Linux kernel versions with the vulnerable bonding code and requires local access to trigger.

Linux Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-23450 CRITICAL PATCH Act Now

NULL dereference and use-after-free in the Linux kernel's SMC (Shared Memory Communications) socket implementation occur when smc_tcp_syn_recv_sock() races with socket close operations, allowing a local attacker to trigger a kernel panic via concurrent manipulation of TCP SYN handling and SMC listen socket closure. The vulnerability affects the Linux kernel across multiple versions via the net/smc subsystem and is addressed through RCU-protected access and refcount validation rather than lock-based serialization.

Linux Denial Of Service Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-23449 HIGH PATCH This Week

Double-free memory corruption in the Linux kernel's TEQL (Trivial Link Equalizer) qdisc implementation allows local attackers to cause kernel crashes via denial of service. The vulnerability occurs when qdisc_reset is called without proper synchronization on lockless Qdisc root configurations, creating a race condition that results in use-after-free and double-free conditions in packet buffer management. This affects all Linux kernel versions with the vulnerable TEQL code path and requires local access to trigger via specially crafted packet scheduling operations.

Linux Denial Of Service
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23443 MEDIUM PATCH This Month

Use-after-free vulnerability in Linux kernel ACPI processor errata handling allows local attackers to cause denial of service or potentially execute code via device pointer dereference after reference dropping in acpi_processor_errata_piix4(). The vulnerability affects multiple Linux kernel versions and was introduced in a previous fix attempt (commit f132e089fe89); it has been resolved across stable kernel branches with no active public exploitation identified.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23442 MEDIUM PATCH This Month

NULL pointer dereference in Linux kernel IPv6 SRv6 path processing allows local denial of service when __in6_dev_get() returns NULL due to missing IPv6 configuration or device unregistration. The vulnerability affects seg6_hmac_validate_skb() and ipv6_srh_rcv() functions which lacked NULL checks on the returned idev pointer, enabling a local attacker to crash the kernel by triggering these code paths on misconfigured or unregistering network devices.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23439 MEDIUM PATCH This Month

Linux kernel NULL pointer dereference in UDP tunnel socket creation when IPv6 is disabled causes denial of service. When CONFIG_IPV6=n, the udp_sock_create6() function incorrectly returns success (0) without creating a socket, leading callers such as fou_create() to dereference an uninitialized pointer. The vulnerability is triggered via netlink socket operations and requires privileged user access; no public exploit code or active exploitation has been identified at time of analysis.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23438 MEDIUM PATCH This Month

Denial of service in Linux kernel mvpp2 network driver occurs when MTU changes or other operations trigger buffer pool switching on Marvell hardware lacking CM3 SRAM support, causing NULL pointer dereference in flow control register access. Affects systems running vulnerable kernel versions on Marvell Armada platforms where the CM3 SRAM device tree entry is absent; no authentication required. Upstream fix available via stable kernel commits.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23435 MEDIUM PATCH This Month

Linux kernel NULL pointer dereference in the x86 PMU NMI handler on AMD EPYC systems causes denial of service when perf event unthrottling races with PMU rescheduling. The vulnerability stems from commit 7e772a93eb61 moving event pointer initialization later in x86_pmu_enable(), allowing the unthrottle path to set active_mask bits without populating the corresponding events[] array entries, leading to NULL pointer dereference when subsequent PMC overflow interrupts fire. No public exploit code identified at time of analysis; patch fixes are available in upstream Linux kernel stable branches.

Linux Null Pointer Dereference Denial Of Service Amd Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23433 MEDIUM PATCH This Month

Null pointer dereference in Linux kernel arm_mpam memory bandwidth monitoring causes kernel oops when an MSC supporting bandwidth monitoring transitions offline and back online. The mpam_restore_mbwu_state() function fails to initialize a value buffer before passing it to __ris_msmon_read() via IPI, triggering a crash in the bandwidth counter restoration routine. This affects ARM systems with MPAM (Memory Partitioning and Monitoring) support and results in denial of service through system instability when memory controllers are toggled.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23429 HIGH PATCH This Week

Linux kernel crashes in iommu_sva_unbind_device() when accessing a freed mm structure after iommu_domain_free() deallocates domain->mm->iommu_mm, causing denial of service on systems using IOMMU Shared Virtual Addressing (SVA). The fix reorders code to access the structure before the domain is freed. No CVSS score, EPSS, or KEV status available; no public exploit code identified.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-35549 MEDIUM PATCH This Month

Denial of service in MariaDB Server through large packet crashes when the caching_sha2_password authentication plugin is enabled and accounts use it, due to unbounded stack allocation in sha256_crypt_r. Authenticated remote attackers can crash the server by sending a crafted large authentication packet. MariaDB versions before 11.4.10, 11.5.0 through 11.8.5, and 12.0.0 through 12.2.1 are affected. No public exploit code or confirmed active exploitation reported at time of analysis.

Denial Of Service MariaDB
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-35036 Go HIGH PATCH GHSA This Week

Unauthenticated server-side request forgery in Ech0's link preview endpoint allows remote attackers to force the application server to perform HTTP/HTTPS requests to arbitrary internal and external targets. The /api/website/title route requires no authentication, performs no URL validation, follows redirects by default, and disables TLS certificate verification (InsecureSkipVerify: true). Attackers can probe internal networks, access cloud metadata services (169.254.169.254), and trigger denial-

SSRF Denial Of Service Apple Docker Microsoft +1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-34986 Go HIGH POC PATCH GHSA This Week

Denial of service via panic in go-jose library (versions prior to v4.1.4 and v3.0.5) occurs when decrypting malformed JSON Web Encryption (JWE) objects that specify a key wrapping algorithm (e.g., RSA-OAEP-KW, ECDH-ES+A128KW) but contain an empty encrypted_key field. The panic is triggered during slice allocation in cipher.KeyUnwrap() when processing ciphertext under 16 bytes, causing immediate application termination. No public exploit identified at time of analysis, though EPSS score of 0.0004

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-26477 MEDIUM This Month

Denial of service in Dokuwiki version 2025-05-14b 'Librarian' release allows remote attackers to crash or disable the application through improper input handling in the media_upload_xhr() function within media.php. The vulnerability requires network access to the media upload endpoint but does not require authentication. No public exploit code, CVSS scoring, or active exploitation has been confirmed at the time of analysis.

Denial Of Service PHP
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2022-4986 HIGH PATCH This Week

Hirschmann EagleSDV contains a denial-of-service vulnerability that causes the device to crash during session establishment when using TLS 1.0 or TLS 1.1. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Eaglesdv Firmware
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-34829 Ruby HIGH PATCH GHSA This Week

Unbounded disk consumption in Rack's multipart parser allows remote denial of service when HTTP requests lack Content-Length headers. Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 fail to enforce size limits on multipart/form-data uploads sent via chunked transfer encoding, enabling unauthenticated attackers to exhaust disk space by streaming arbitrarily large file uploads. CVSS 7.5 (High) reflects the network-accessible, low-complexity attack requiring no privileges. No public exploit identified at time of analysis, though the attack technique is well-understood.

Denial Of Service File Upload Rack
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-34826 Ruby MEDIUM PATCH GHSA This Month

Denial of service in Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 allows unauthenticated remote attackers to consume disproportionate CPU, memory, I/O, and bandwidth by supplying many small overlapping byte ranges in HTTP Range headers, bypassing the existing CVE-2024-26141 fix that only validates total byte coverage. The vulnerability affects Rack's file-serving paths that process multipart byte range responses, enabling attackers to degrade service availability with minimal request complexity.

Denial Of Service Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-34230 Ruby MEDIUM PATCH GHSA This Month

Denial of service in Rack::Utils.select_best_encoding allows unauthenticated remote attackers to consume disproportionate CPU resources via a crafted Accept-Encoding header containing multiple wildcard entries, affecting Rack versions prior to 2.2.23, 3.1.21, and 3.2.6. The vulnerability exploits quadratic time complexity in the encoding selection algorithm used by Rack::Deflater middleware, enabling a single HTTP request to trigger sustained CPU exhaustion and application unavailability.

Denial Of Service Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-34827 Ruby HIGH PATCH GHSA This Week

Denial of service via algorithmic complexity in Rack multipart parser allows unauthenticated remote attackers to exhaust CPU resources by sending specially crafted multipart/form-data requests with backslash-heavy escaped parameter values. Affects Rack 3.0.0.beta1-3.1.20 and 3.2.0-3.2.5, a critical Ruby web server interface used across Rails and Sinatra applications. CVSS 7.5 (High) with network-accessible attack vector and low complexity. Vendor-released patches available in versions 3.1.21 and 3.2.6. No public exploit identified at time of analysis, though EPSS data not provided to assess probability of exploitation.

Denial Of Service Rack
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-58136 HIGH This Week

Denial of service in Apache Traffic Server 9.0.0-9.2.12 and 10.0.0-10.1.1 caused by improper handling of POST requests that triggers a server crash under specific conditions. The vulnerability affects all instances of the affected versions and requires no authentication or special privileges to exploit. Vendor-released patches are available in versions 9.2.13 and 10.1.2.

Apache Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31935 HIGH PATCH This Week

Memory exhaustion in Suricata network IDS/IPS via HTTP/2 CONTINUATION frame flooding allows remote unauthenticated attackers to trigger denial of service, typically forcing operating system termination of the Suricata process. Affects all versions prior to 7.0.15 and 8.0.4. EPSS data not available, but CVSS 7.5 (High) reflects network-accessible attack with low complexity requiring no privileges. No public exploit identified at time of analysis, though the attack technique (HTTP/2 frame flooding) is well-documented in protocol security research.

Denial Of Service Red Hat
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31931 HIGH PATCH This Week

NULL pointer dereference in Suricata 8.0.0 through 8.0.3 causes denial of service when processing malformed TLS traffic with the 'tls.alpn' rule keyword. Remote unauthenticated attackers can crash the IDS/IPS engine by sending specially crafted network packets, completely disabling network security monitoring. EPSS data not available, but the low attack complexity (AC:L) and network vector (AV:N) combined with high availability impact (A:H) indicate significant operational risk for organizations relying on Suricata for traffic inspection. No evidence of active exploitation (no CISA KEV listing) or public exploit code identified at time of analysis.

Denial Of Service Null Pointer Dereference Red Hat
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30867 MEDIUM PATCH GHSA This Month

CocoaMQTT library versions prior to 2.2.2 allow remote denial of service when parsing malformed MQTT packets from a broker, causing immediate application crashes on iOS, macOS, and tvOS devices. An attacker or compromised MQTT broker can publish a 4-byte malformed payload with the RETAIN flag to persist it indefinitely, ensuring every vulnerable client that subscribes receives the crash-inducing packet, effectively bricking the application until manual intervention on the broker. The vulnerability requires an authenticated user context (PR:L in CVSS vector) but impacts application availability with high severity; patch version 2.2.2 is available.

Apple Denial Of Service
NVD GitHub VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-4634 Maven HIGH PATCH GHSA This Week

Denial of Service in Red Hat Build of Keycloak allows unauthenticated remote attackers to exhaust server resources by submitting specially crafted POST requests with excessively long scope parameters to the OpenID Connect token endpoint. No public exploit identified at time of analysis, but CVSS 7.5 (High) with network attack vector and low complexity indicates straightforward exploitation. Authentication requirements: unauthenticated (CVSS PR:N). The vulnerability stems from improper resource management (CWE-1050), enabling attackers to cause prolonged processing times and service disruption without any authentication or user interaction.

Denial Of Service Red Hat Build Of Keycloak
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-32145 HIGH PATCH GHSA This Week

Denial of service in gleam-wisp wisp 0.2.0 through 2.2.1 allows unauthenticated remote attackers to exhaust server memory or disk by sending arbitrarily large multipart form submissions that bypass configured size limits. The multipart_body and multipart_headers parsing functions fail to properly decrement resource quotas for chunks lacking multipart boundaries, enabling attackers to accumulate unbounded data in a single HTTP request. Patch available as of version 2.2.2.

Denial Of Service Wisp
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-5316 LOW POC PATCH Monitor

Resource exhaustion in Nothings stb library versions up to 1.22 allows unauthenticated remote attackers to cause denial of service through the setup_free function in stb_vorbis.c when processing malformed audio data. The vulnerability has publicly available exploit code and a low CVSS score of 4.3 reflecting limited impact, but represents a real availability risk in applications embedding this widely-used header-only graphics and audio library.

Denial Of Service Stb
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-34939 PyPI MEDIUM PATCH GHSA This Month

Denial of service in PraisonAI's MCPToolIndex.search_tools() allows authenticated remote attackers to block the Python thread for hundreds of seconds via a crafted regular expression causing catastrophic backtracking. The vulnerable function compiles caller-supplied query strings directly as regex patterns without validation, timeout, or exception handling. A single malicious request can sustain complete service outage, and the MCP server HTTP transport runs without authentication by default, significantly lowering the practical barrier to exploitation despite the CVSS requiring PR:L.

Python Denial Of Service
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-66487 LOW PATCH Monitor

IBM Aspera Shares 1.9.9 through 1.11.0 lacks proper rate limiting on authenticated user email submissions, allowing high-privilege users to trigger email flooding or denial of service conditions. The vulnerability requires authentication at the admin or high-privilege level and results in service availability degradation rather than data compromise. EPSS exploitation probability is low (2.7 CVSS, high privilege requirement), and no public exploit code or active exploitation has been identified at time of analysis.

IBM Denial Of Service
NVD
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-34761 Go MEDIUM PATCH GHSA This Month

Ella Core panics and crashes when processing malformed NGAP handover failure messages from a gNodeB, causing a denial of service for all connected mobile subscribers. An authenticated attacker with high privileges on the radio network can force a gNodeB to send crafted NGAP handover failure messages that trigger a null pointer dereference in Ella Core's handover handler, terminating the core network process. No public exploit code or active exploitation has been identified.

Denial Of Service Null Pointer Dereference
NVD GitHub
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-34752 npm HIGH PATCH GHSA This Week

Haraka email server crashes when processing emails with `__proto__` as a header name, enabling remote unauthenticated denial of service. Attackers can send a specially crafted email via SMTP to crash worker processes, disrupting email delivery. In single-process deployments, the entire server becomes unavailable; in cluster mode, all active sessions are terminated. No public exploit identified at time of analysis beyond the published proof-of-concept code, though exploitation requires only basic SMTP access.

Denial Of Service Python
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-5313 LOW PATCH Monitor

Denial of service vulnerability in Nothings stb image library (stb_image.h) affecting GIF decoder function stbi__gif_load_next allows remote attackers to trigger application crashes through specially crafted GIF files. The vulnerability impacts stb versions up to 2.30, requires user interaction to open a malicious GIF, and has publicly available exploit code with no vendor patch available despite early disclosure.

Denial Of Service Stb
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-34517 PyPI LOW PATCH GHSA Monitor

Aiohttp prior to version 3.13.4 allocates entire multipart form fields into memory before validating against the client_max_size limit, enabling unauthenticated remote attackers to cause denial of service through memory exhaustion. The vulnerability affects all versions before 3.13.4 and carries a low CVSS score (2.7) reflecting limited availability impact, with no public exploit code or active exploitation confirmed at time of analysis.

Python Denial Of Service
NVD GitHub VulDB
CVSS 4.0
2.7
EPSS
0.0%
CVE-2026-34516 PyPI MEDIUM PATCH GHSA This Month

Memory exhaustion vulnerability in AIOHTTP prior to version 3.13.4 allows unauthenticated remote attackers to trigger denial of service via specially crafted HTTP responses containing excessive multipart headers. The vulnerability exploits insufficient memory limits during multipart header parsing, causing the server or client to consume more memory than intended. CVSS 6.6 (medium-high availability impact) with no public exploit code identified at time of analysis.

Python Denial Of Service Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.6
EPSS
0.0%
CVE-2026-34513 PyPI LOW PATCH GHSA Monitor

Unbounded DNS cache in AIOHTTP prior to version 3.13.4 allows remote attackers to cause denial of service through excessive memory consumption. An attacker can trigger repeated DNS lookups with unique hostnames to grow the in-memory cache without bounds, eventually exhausting available system memory. AIOHTTP 3.13.4 and later include a patch that implements cache limits. This is a network-accessible vulnerability requiring no authentication or user interaction, but exploitation requires deliberate attack traffic and does not result in data compromise or system takeover.

Python Denial Of Service
NVD GitHub VulDB
CVSS 4.0
2.7
EPSS
0.0%
CVE-2026-29782 PHP HIGH PATCH GHSA This Week

Remote code execution in OpenSTAManager v2.10.1 and earlier allows authenticated attackers to achieve unauthenticated RCE via chained exploitation of arbitrary SQL injection (GHSA-2fr7-cc4f-wh98) and insecure PHP deserialization in the oauth2.php endpoint. The unauthenticated oauth2.php file calls unserialize() on attacker-controlled database content without class restrictions, enabling gadget chain exploitation (Laravel/RCE22) to execute arbitrary system commands as www-data. Attack requires in

PHP Deserialization Docker Denial Of Service Google +2
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-28805 PHP HIGH PATCH GHSA This Week

Time-based blind SQL injection in OpenSTAManager ≤2.10.1 allows authenticated users to extract complete database contents including credentials, financial records, and PII through multiple AJAX select handlers. The vulnerability affects three core modules (preventivi, ordini, contratti) where the `options[stato]` GET parameter is concatenated directly into SQL WHERE clauses without validation. Exploitation requires only low-privilege authentication (CVSS PR:L) and has been confirmed with working

PHP SQLi Denial Of Service Information Disclosure XSS
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-22815 PyPI MEDIUM PATCH GHSA This Month

Memory exhaustion in aiohttp's header and trailer handling allows remote attackers to cause denial of service by sending attacker-controlled HTTP requests or responses with uncapped header/trailer values. The vulnerability affects aiohttp Python library across affected versions, enabling attackers to exhaust application memory without authentication. A mitigation is available via reverse proxy configuration, and upstream patch has been released.

Denial Of Service Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-35092 HIGH PATCH This Week

Remote denial of service via integer overflow in Corosync cluster engine affects Red Hat Enterprise Linux 7-10 and OpenShift Container Platform 4. Unauthenticated attackers can send crafted UDP packets to crash Corosync services running in totemudp/totemudpu mode (CVSS 7.5, AV:N/PR:N). EPSS data not provided; no public exploit identified at time of analysis. Impacts high-availability cluster deployments where Corosync provides quorum and messaging services.

Denial Of Service Integer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-35091 HIGH PATCH This Week

Out-of-bounds read in Corosync allows unauthenticated remote attackers to crash cluster nodes and potentially leak memory via malformed UDP packets. Affects default totemudp/totemudpu configurations across Red Hat Enterprise Linux 7/8/9/10 and OpenShift Container Platform 4. CVSS 8.2 (High) with network attack vector, low complexity, and no authentication required. EPSS and exploitation status data not available; no public exploit identified at time of analysis. Impacts high-availability clustering infrastructure commonly used in enterprise production environments.

Denial Of Service Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +2
NVD VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-23410 HIGH PATCH This Week

Use-after-free in Linux kernel AppArmor allows local authenticated attackers to achieve high-impact code execution, privilege escalation, or denial of service via race condition on rawdata inode dereference. Affects kernel 4.13+ including current LTS branches. Patches available for 6.6.130, 6.12.77, 6.18.18, 6.19.8, and 7.0-rc4. EPSS score is low (0.02%) with no public exploit identified at time of analysis, but Ubuntu rated this priority=high affecting 729 releases.

Linux Denial Of Service Race Condition
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23409 MEDIUM PATCH This Month

AppArmor differential encoding verification in the Linux kernel contains logic errors that permit infinite loops to be created through abuse of the verification chain mechanism. Two distinct bugs in the verification routine-conflation of checked states with currently-checked states, and incorrect loop iterator comparison-allow malformed differential encoding chains to bypass security checks. This enables potential information disclosure or policy circumvention on systems relying on AppArmor mandatory access control. The vulnerability affects Linux kernel versions prior to fixes applied across multiple stable branches via kernel commits.

Linux Denial Of Service Red Hat
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23404 MEDIUM PATCH This Month

Stack exhaustion in AppArmor profile removal allows local denial of service by crafting deeply nested profiles that trigger recursive kernel stack consumption. The Linux kernel's AppArmor security module can be crashed by a local user with permission to load profiles via the apparmor_parser tool and trigger removal through sysfs, causing kernel stack overflow. The fix replaces recursive profile removal with an iterative approach to prevent stack exhaustion.

Linux Denial Of Service Red Hat
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-5290 CRITICAL PATCH Act Now

Use-after-free in Chrome's compositing engine allows remote attackers who have compromised the renderer process to escape the sandbox via crafted HTML pages in Google Chrome prior to version 146.0.7680.178. This high-severity vulnerability requires prior renderer compromise but enables privilege escalation from the sandboxed renderer to system-level access, making it a critical sandbox bypass vector. Vendor-released patch addresses the issue in Chrome 146.0.7680.178 and later.

Google Use After Free Denial Of Service Memory Corruption Debian +2
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-5289 CRITICAL PATCH Act Now

Use-after-free in Google Chrome's Navigation component prior to version 146.0.7680.178 enables sandbox escape for attackers who have already compromised the renderer process, allowing them to potentially execute arbitrary code with elevated privileges via a malicious HTML page. Chromium rates this as high severity; patch availability confirmed from vendor.

Google Use After Free Denial Of Service Memory Corruption Debian +2
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-5288 CRITICAL PATCH Act Now

Use-after-free in Chrome's WebView on Android prior to version 146.0.7680.178 allows a remote attacker with a compromised renderer process to escape the sandbox via crafted HTML, potentially leading to arbitrary code execution outside the browser's security boundary. This vulnerability requires prior renderer compromise but eliminates a critical containment layer, classified as High severity by Chromium.

Google Use After Free Denial Of Service Memory Corruption Debian +2
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-5287 HIGH PATCH This Week

Remote code execution in Google Chrome prior to version 146.0.7680.178 allows attackers to execute arbitrary code within the Chrome sandbox via a specially crafted PDF file. The vulnerability exists in Chrome's PDF handling component and is caused by a use-after-free memory corruption flaw. Patch availability has been confirmed via vendor release, and the Chromium security team has classified this as High severity.

Google Use After Free RCE Memory Corruption Denial Of Service +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5273 MEDIUM PATCH This Month

Remote code execution in Google Chrome's CSS engine prior to version 146.0.7680.178 allows unauthenticated remote attackers to execute arbitrary code within the Chrome sandbox via a crafted HTML page. The vulnerability stems from a use-after-free memory error in CSS processing, classified as high severity by the Chromium security team. Vendor-released patch available in Chrome 146.0.7680.178 and later.

Google Use After Free RCE Memory Corruption Denial Of Service +1
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-5286 HIGH PATCH This Week

Remote code execution in Google Chrome prior to version 146.0.7680.178 via use-after-free vulnerability in the Dawn graphics library allows unauthenticated remote attackers to execute arbitrary code through a crafted HTML page. The vulnerability affects all Chrome versions below the patched release and carries high severity per Chromium's assessment.

Google Use After Free RCE Memory Corruption Denial Of Service +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5285 HIGH PATCH This Week

Remote code execution in Google Chrome prior to version 146.0.7680.178 via use-after-free vulnerability in WebGL allows unauthenticated remote attackers to execute arbitrary code within the browser sandbox by delivering a crafted HTML page. The vulnerability is marked as High severity by Chromium security and a vendor-released patch is available.

Google Use After Free RCE Memory Corruption Denial Of Service +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5284 HIGH PATCH This Week

Remote code execution in Google Chrome prior to 146.0.7680.178 via use-after-free vulnerability in Dawn graphics subsystem allows an attacker who has already compromised the renderer process to execute arbitrary code through a crafted HTML page. This vulnerability requires prior renderer compromise but presents significant risk in multi-process exploitation chains; vendor has released patched version 146.0.7680.178 to address the issue.

Google Use After Free RCE Memory Corruption Denial Of Service +4
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-5281 HIGH POC KEV PATCH THREAT NEWS Act Now

Remote code execution in Google Chrome prior to version 146.0.7680.178 via a use-after-free vulnerability in the Dawn graphics component allows attackers who have already compromised the renderer process to execute arbitrary code through a crafted HTML page. The vulnerability requires prior renderer compromise but results in full code execution with high severity per Chromium's security classification.

Google Use After Free RCE Memory Corruption Denial Of Service +1
NVD VulDB GitHub
CVSS 3.1
8.8
EPSS
0.0%
Threat
4.8
CVE-2026-5280 HIGH PATCH This Week

Remote code execution in Google Chrome prior to 146.0.7680.178 allows unauthenticated remote attackers to execute arbitrary code within the Chrome sandbox via a crafted HTML page exploiting a use-after-free vulnerability in the WebCodecs component. The vulnerability affects all versions before the patched release and has been addressed by Google with a vendor-released patch; no public exploit code or active exploitation has been confirmed at the time of analysis.

Google Use After Free RCE Memory Corruption Denial Of Service +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5278 HIGH PATCH This Week

Remote code execution in Google Chrome on Android via use-after-free vulnerability in Web MIDI allows unauthenticated remote attackers to execute arbitrary code through a crafted HTML page. The vulnerability affects Chrome versions prior to 146.0.7680.178 and carries high severity per Chromium's security classification. A vendor-released patch is available.

Google Use After Free RCE Memory Corruption Denial Of Service +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-3776 MEDIUM This Month

Denial of service in Foxit PDF Editor and Foxit PDF Reader allows local attackers to crash the application by opening a crafted PDF containing a stamp annotation with missing appearance (AP) data. The vulnerability stems from insufficient validation before dereferencing annotation objects, triggering a null pointer exception. No public exploit code has been identified, and patch availability has not been confirmed from available advisory data.

Denial Of Service Null Pointer Dereference Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-3778 MEDIUM This Month

Foxit PDF Editor and PDF Reader are vulnerable to denial of service via uncontrolled recursion in maliciously crafted PDF documents containing cyclic object references in pages and annotations. When such documents are processed by APIs performing deep object traversal (such as SOAP handlers), the applications exhaust stack memory and crash. The vulnerability requires only local access and no user interaction beyond opening a malicious PDF, making it a practical attack vector for local denial of service.

Denial Of Service Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34593 HIGH PATCH GHSA This Week

BEAM VM atom table exhaustion in Ash Framework's Module type allows remote denial-of-service against Elixir applications. The ash package (all versions prior to v3.22.0) unconditionally creates Erlang atoms from user-supplied strings in Ash.Type.Module.cast_input/2 before validation, enabling attackers to crash the entire VM by submitting ~1 million unique 'Elixir.*' strings to any API endpoint with :module-typed attributes. Vendor patch released in commit 7031103 (v3.22.0). No public exploit identified at time of analysis, though the advisory provides detailed proof-of-concept code demonstrating trivial exploitation via repeated API requests.

Denial Of Service
NVD GitHub
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-34874 HIGH PATCH This Week

NULL pointer dereference in Mbed TLS distinguished name (X.509) parsing allows remote attackers to trigger a denial of service by writing to address 0, affecting Mbed TLS versions 3.6.5 and earlier, and 4.0.0. The vulnerability is reachable during X.509 certificate processing and does not require authentication. No public exploit code or active exploitation has been confirmed at the time of analysis.

Null Pointer Dereference Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-31027 CRITICAL Act Now

Buffer overflow in TOTOlink A3600R v5.9c.4959 setAppEasyWizardConfig interface allows remote code execution or denial of service via unvalidated rootSsid parameter in /lib/cste_modules/app.so. The vulnerability affects a Wi-Fi router's configuration endpoint and enables unauthenticated attackers to trigger memory corruption with potential for arbitrary code execution. No CVSS vector or patch status was available at time of analysis.

Buffer Overflow RCE Denial Of Service
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-34541 MEDIUM This Month

Denial of service in iccDEV prior to version 2.3.1.6 allows local attackers to crash the iccApplyNamedCmm tool by supplying a malformed ICC color profile that triggers a null-pointer dereference in the CIccCombinedConnectionConditions constructor. The vulnerability requires local file system access to provide the crafted profile and causes application termination with no code execution or data corruption, affecting users processing untrusted ICC profiles through the -PCC flag.

Null Pointer Dereference Denial Of Service Iccdev
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34536 MEDIUM This Month

Stack overflow in iccDEV's SIccCalcOp::ArgsUsed() function allows local attackers to trigger a denial of service by supplying a crafted ICC color profile to iccApplyProfiles. The vulnerability affects iccDEV versions prior to 2.3.1.6 and requires no authentication or user interaction; exploitation manifests as application crash during calculator argument computation. No public exploit code or active exploitation has been identified at time of analysis.

Denial Of Service Iccdev
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34552 MEDIUM This Month

Null pointer dereference in iccDEV versions prior to 2.3.1.6 causes denial of service when processing ICC color management profiles with malformed lookup table (LUT) structures. The vulnerability exists in IccTagLut.cpp where CIccApplyCLUT member access occurs without null validation, allowing local attackers to crash applications that parse untrusted color profiles. No public exploit code or active exploitation has been confirmed at time of analysis.

Null Pointer Dereference Denial Of Service Iccdev
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34551 MEDIUM This Month

Denial of service via null-pointer dereference in iccDEV prior to version 2.3.1.6 allows local attackers to crash the application by processing a crafted ICC color profile embedded in a TIFF file. The vulnerability exists in the CIccTagLut16::Write() function and requires local file system access but no authentication or user interaction. No public exploit code or active exploitation has been confirmed; the issue is considered moderate severity due to denial-of-service impact only (no code execution or data compromise).

Null Pointer Dereference Denial Of Service Iccdev
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34404 npm MEDIUM PATCH GHSA This Month

Nuxt OG Image versions prior to 6.2.5 are vulnerable to denial of service through unbounded image dimension parameters in the /_og/d/ endpoint. Attackers can specify arbitrarily large width and height values, causing the image-generation component to consume excessive CPU and memory resources, resulting in application unavailability. No authentication is required to exploit this vulnerability.

Denial Of Service Og Image
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-24165 HIGH This Week

Deserialization of untrusted data in NVIDIA BioNeMo Framework enables local attackers to execute arbitrary code, cause denial of service, disclose sensitive information, or tamper with data when users open malicious files. CVSS 7.8 (High) reflects local attack vector requiring user interaction. EPSS data not available; no public exploit identified at time of analysis. Affects NVIDIA BioNeMo Framework, a platform for AI-driven drug discovery and biomolecular research.

Deserialization RCE Denial Of Service Information Disclosure Nvidia
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-24164 HIGH NEWS This Week

Insecure deserialization in NVIDIA BioNeMo Framework enables remote code execution when attackers can induce users to process malicious serialized data. This vulnerability (CWE-502) affects the BioNeMo Framework with network-reachable attack surface (AV:N) and low complexity (AC:L), requiring only user interaction (UI:R) but no authentication (PR:N). The CVSS 8.8 rating reflects critical impacts across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the deserialization vulnerability class is well-understood and commonly exploited. EPSS data not available for this CVE.

Deserialization RCE Denial Of Service Information Disclosure Nvidia
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-24154 HIGH This Week

Command injection in NVIDIA Jetson Linux initrd allows physical attackers to execute arbitrary code with elevated privileges across Jetson Xavier, Orin, and Thor series devices. An attacker with physical access can inject malicious command-line arguments during boot without authentication (CVSS:3.1/AV:P/AC:L/PR:N), leading to complete system compromise including root-level code execution, denial of service, and data exfiltration. EPSS data not available; no public exploit identified at time of analysis, though the low attack complexity (AC:L) and physical-only requirement (AV:P) suggest exploitation is straightforward for adversaries with device access.

Command Injection RCE Denial Of Service Information Disclosure Nvidia
NVD VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-24148 HIGH NEWS This Week

NVIDIA Jetson system initialization flaw allows authenticated remote attackers to exploit insecure default machine IDs, enabling cross-device information disclosure of encrypted data and tampering. Affects JetPack on Xavier and Orin series devices. CVSS 8.3 (High) with network attack vector and low complexity. EPSS data not available; no confirmed active exploitation (CISA KEV status not present). The vulnerability enables attackers with low-level privileges to compromise multiple devices sharing identical default machine identifiers, undermining cryptographic protections and system integrity across the device fleet.

Information Disclosure Denial Of Service Nvidia
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-27854 MEDIUM PATCH This Month

DNSdist instances using custom Lua code can be crashed via denial of service when the DNSQuestion:getEDNSOptions method accesses a modified DNS packet, triggering a use-after-free condition. This affects DNSdist across all versions and requires network access to send crafted DNS queries, but the attack demands specific Lua code patterns and high attack complexity; no public exploit or active exploitation has been confirmed, and the real-world impact is limited to environments where custom Lua DNS query handlers reference EDNS options.

Use After Free Denial Of Service Memory Corruption Dnsdist
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-27853 MEDIUM PATCH This Month

DNSdist fails to validate packet size bounds when rewriting DNS questions or responses via Lua methods (DNSQuestion:changeName, DNSResponse:changeName), allowing unauthenticated remote attackers to craft DNS responses that trigger out-of-bounds writes and exceed the 65535-byte DNS packet size limit, resulting in denial of service via crash. CVSS 5.9 (high availability impact); no public exploit code identified at time of analysis.

Buffer Overflow Denial Of Service Memory Corruption Dnsdist
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24030 MEDIUM PATCH This Month

Memory exhaustion in DNSdist allows remote, unauthenticated attackers to trigger denial of service by crafting malicious DNS over QUIC or DNS over HTTP/3 payloads that force excessive memory allocation. The attack causes the QUIC connection to close abnormally, and in systems with limited memory reserves, can force out-of-memory conditions that terminate the DNSdist process entirely.

Denial Of Service Dnsdist
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24028 MEDIUM PATCH This Month

Out-of-bounds read in PowerDNS dnsdist allows unauthenticated remote attackers to trigger denial of service or potential information disclosure by sending a crafted DNS response packet when custom Lua code uses the newDNSPacketOverlay function to parse packets. CVSS 5.3 indicates moderate severity with network-accessible attack surface and no privilege or user interaction required.

Denial Of Service Information Disclosure Buffer Overflow Dnsdist
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-5201 HIGH PATCH This Week

Heap-based buffer overflow in gdk-pixbuf's JPEG image loader enables remote denial of service through malformed JPEG images without user interaction. The vulnerability triggers during automated image processing operations like thumbnail generation across Red Hat Enterprise Linux 6 through 10, allowing unauthenticated network attackers to crash applications that process JPEG images. EPSS score of 0.09% (25th percentile) suggests low observed exploitation activity, consistent with SSVC assessment showing no active exploitation despite the vulnerability being fully automatable.

Heap Overflow Denial Of Service Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-33995 MEDIUM PATCH This Month

FreeRDP prior to version 3.24.2 contains a double-free vulnerability in Kerberos authentication handling that crashes FreeRDP clients during NLA connection teardown following failed authentication attempts on systems with Kerberos configured. The vulnerability affects all versions before 3.24.2 across multiple Linux distributions (Debian, Ubuntu) and requires network access but no authentication credentials, presenting a denial-of-service vector against RDP clients in enterprise environments using Kerberos or Kerberos U2U authentication. No public exploit code has been identified, and the impact is limited to availability (denial of service) rather than confidentiality or integrity.

Denial Of Service Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-33952 MEDIUM PATCH This Month

FreeRDP clients before version 3.24.2 crash with SIGABRT when connecting through a malicious RDP Gateway due to an unvalidated auth_length field triggering a WINPR_ASSERT() failure in rts_read_auth_verifier_no_checks(). This pre-authentication denial of service affects all FreeRDP clients using RPC-over-HTTP gateway transport, regardless of user authentication status. The vulnerability has been patched in version 3.24.2.

Denial Of Service Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.1%
CVE-2026-33977 MEDIUM PATCH This Month

Denial of service in FreeRDP prior to version 3.24.2 allows remote attackers to crash the client via a malicious RDP server sending IMA ADPCM audio data with an invalid step index value (≥89). The unvalidated network-supplied index causes an out-of-bounds access into an 89-entry lookup table, triggering a WINPR_ASSERT() failure and process abort. This affects all FreeRDP clients with audio redirection enabled (the default configuration), requiring user interaction to establish an RDP connection but no authentication. No public exploit code identified at time of analysis.

Denial Of Service Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-32696 LOW PATCH Monitor

Remote denial of service in NanoMQ MQTT Broker 0.24.6 allows unauthenticated remote attackers to crash the broker by connecting without credentials when HTTP authentication is enabled with username/password placeholders, triggering a null pointer dereference in the auth_http.c module. The vulnerability requires high attack complexity (user interaction via specific MQTT CONNECT configuration) but results in broker unavailability. Vendor-released patch version 0.24.7 addresses the issue.

Null Pointer Dereference Denial Of Service Nanomq
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-21710 HIGH PATCH This Week

Uncaught TypeError in Node.js HTTP server crashes applications when clients send specially crafted `__proto__` headers and code accesses `req.headersDistinct`. The exception occurs synchronously in a property getter, bypassing standard error handling mechanisms and causing immediate service disruption. Affects Node.js versions 20.x, 22.x, 24.x, and 25.x with CVSS 7.5 (High). EPSS data not available; no public exploit identified at time of analysis, though exploitation requires only sending a malformed HTTP header with no authentication (CVSS:3.0/AV:N/AC:L/PR:N/UI:N).

Node.js Denial Of Service Node
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-34165 Go MEDIUM PATCH GHSA This Month

Maliciously crafted `.idx` files in go-git v5 cause asymmetric memory consumption leading to Denial of Service through integer overflow vulnerabilities. Exploitation requires local write access to the `.git` directory, limiting attack surface to scenarios where an attacker has already compromised repository access or can inject files into a shared repository. No public exploit code or active exploitation has been confirmed; however, the low CVSS complexity and requirement for only low-privilege local access make this a moderate operational concern for development environments and CI/CD systems that process untrusted repositories.

Denial Of Service Integer Overflow Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-4046 HIGH PATCH This Week

Remote denial of service in GNU C Library (glibc) 2.43 and earlier allows unauthenticated remote attackers to crash applications via malformed input during character set conversion from IBM1390 or IBM1399 encodings. The vulnerability triggers an assertion failure in the iconv() function with high attack reliability (CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Proof-of-concept code exists and CISA SSVC assessment confirms the issue is automatable with partial technical impact, making this a practical denial-of-service vector for any networked application processing untrusted character encoding conversions.

Denial Of Service Glibc
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33029 Go MEDIUM PATCH GHSA This Month

Authenticated denial of service in nginx-ui 2.3.3 and earlier allows any user with settings access to submit a negative integer for the logrotate.interval parameter, triggering an infinite loop in the backend that exhausts CPU resources and renders the web interface unresponsive. Vendor-released patch available in v2.3.4. No public exploit code identified beyond proof-of-concept documentation; not confirmed as actively exploited.

Nginx Denial Of Service Docker Suse
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-33028 Go HIGH PATCH GHSA This Week

Race condition in nginx-ui web interface allows remote authenticated attackers to corrupt the primary configuration file (app.ini) through concurrent API requests, resulting in persistent denial of service and potential remote code execution. The vulnerability affects nginx-ui versions prior to 2.3.4 deployed in production environments including Docker containers. Concurrent POST requests to /api/settings trigger unsynchronized file writes that interleave at the OS level, corrupting configuration sections and creating cross-contamination between INI fields. In non-deterministic scenarios, user-controlled input can overwrite shell command fields (ReloadCmd, RestartCmd), enabling arbitrary command execution during nginx reload operations. Public exploit code demonstrates the attack path using standard HTTP testing tools. No CISA KEV listing or EPSS data available at time of analysis, but proof-of-concept with detailed reproduction steps exists in the GitHub security advisory.

Race Condition Denial Of Service RCE Nginx Docker +2
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-33027 Go MEDIUM PATCH GHSA This Month

Authenticated users in nginx-ui v2.3.3 and earlier can delete the entire `/etc/nginx` configuration directory via path traversal using double-encoded sequences (..%252F), causing immediate Nginx service failure and denial of service. The vulnerability exploits improper URL canonicalization combined with unsafe recursive deletion logic that resolves malicious paths to the base configuration directory instead of rejecting them.

Nginx Path Traversal Denial Of Service Docker Suse
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-5170 MEDIUM PATCH This Month

Denial of service in MongoDB Server allows authenticated users with limited cluster privileges to crash a mongod process during replica set to sharded cluster promotion, causing potential primary failure. Affects MongoDB 8.2 before 8.2.2, 8.0.18+, and 7.0.31+. No public exploit code or active exploitation confirmed; CVSS 5.3 reflects the narrow attack window and authentication requirement.

Denial Of Service Mongodb Server
NVD
CVSS 4.0
6.0
EPSS
0.0%
EPSS 0%
PATCH Awaiting Data

Linux kernel io_uring/poll multishot recv can hang indefinitely when a socket shutdown occurs concurrently with data reception, due to a race condition where accumulated poll wakeups are drained without consuming the persistent HUP event. The vulnerability affects all Linux kernel versions with io_uring poll support and requires a fix to explicitly check for HUP conditions and re-loop when multiple poll activations are pending.

Linux Linux Kernel Denial Of Service
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Infinite loop in Linux kernel serial core driver handle_tx() affects systems using uninitialized PORT_UNKNOWN serial ports, where uart_write_room() and uart_write() behave inconsistently regarding null transmit buffers, causing denial of service through system hangs. The vulnerability impacts caif_serial and other drivers that rely on tty_write_room() to determine write capacity. Patch available in upstream kernel commits; no CVSS score assigned due to kernel-specific nature and relatively limited exposure scope.

Linux Denial Of Service Red Hat +1
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Linux kernel drm/imagination driver crashes when the GPU runtime PM suspend callback executes concurrently with an IRQ handler attempting to access GPU registers, causing kernel panics with SError interrupts on ARM64 platforms. The vulnerability affects the imagination GPU driver across Linux kernel versions and is triggered when power management suspend operations race with interrupt handling without proper synchronization. The fix adds synchronize_irq() calls to ensure IRQ handlers complete before GPU suspension and removes problematic runtime PM resume calls from the IRQ handler that could cause deadlocks.

Linux Denial Of Service Race Condition
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Linux kernel amdgpu driver allows local attackers to exhaust system memory by passing an arbitrarily large BO (buffer object) list entry count via userspace, bypassing existing overflow checks but causing excessive allocation and processing delays; fixed by enforcing a 128k entry limit per BO list.

Linux Denial Of Service
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in Linux kernel DRM i915 GPU driver allows local denial of service during system probe when DMC firmware initialization has not yet completed but hardware has DC6 power state enabled. The vulnerability occurs in intel_dmc_update_dc6_allowed_count() when called from gen9_set_dc_state() during intel_power_domains_init_hw(), which executes before DMC initialization, causing kernel oops if DC6 is unexpectedly enabled by BIOS firmware. No public exploit code identified; this is a kernel crash vulnerability requiring local system access triggered by atypical BIOS behavior.

Linux Null Pointer Dereference Denial Of Service +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in Linux kernel ROSE socket implementation allows local denial of service when rose_connect() is called twice during an active connection attempt. The vulnerability occurs because rose_connect() fails to validate TCP_SYN_SENT state, permitting rose->neighbour to be overwritten with NULL, which later causes a kernel crash when rose_transmit_link() dereferences the NULL pointer during socket closure. No active exploitation reported; fix available in upstream kernel commits.

Linux Null Pointer Dereference Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Use-after-free in Linux kernel MANA hardware channel teardown (net/mana driver) allows concurrent interrupt handlers to dereference freed memory in mana_hwc_destroy_channel(), potentially causing NULL pointer dereference or memory corruption. The vulnerability stems from improper teardown ordering where hwc->caller_ctx is freed before CQ/EQ IRQ handlers are fully synchronized, affecting all Linux kernel versions with the MANA driver. Fixes are available across stable kernel branches via upstream commit reordering.

Linux Use After Free Denial Of Service +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Infinite loop in Linux kernel bonding device header parsing allows local denial of service when two bonding devices are stacked. The bond_header_parse() function can recurse indefinitely because skb->dev always points to the top of the device hierarchy. The fix adds a bounded recursion parameter to the header_ops parse() method to ensure the leaf parse method is called and prevent endless loops. This vulnerability affects all Linux kernel versions with the vulnerable bonding code and requires local access to trigger.

Linux Denial Of Service
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

NULL dereference and use-after-free in the Linux kernel's SMC (Shared Memory Communications) socket implementation occur when smc_tcp_syn_recv_sock() races with socket close operations, allowing a local attacker to trigger a kernel panic via concurrent manipulation of TCP SYN handling and SMC listen socket closure. The vulnerability affects the Linux kernel across multiple versions via the net/smc subsystem and is addressed through RCU-protected access and refcount validation rather than lock-based serialization.

Linux Denial Of Service Use After Free +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Double-free memory corruption in the Linux kernel's TEQL (Trivial Link Equalizer) qdisc implementation allows local attackers to cause kernel crashes via denial of service. The vulnerability occurs when qdisc_reset is called without proper synchronization on lockless Qdisc root configurations, creating a race condition that results in use-after-free and double-free conditions in packet buffer management. This affects all Linux kernel versions with the vulnerable TEQL code path and requires local access to trigger via specially crafted packet scheduling operations.

Linux Denial Of Service
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Use-after-free vulnerability in Linux kernel ACPI processor errata handling allows local attackers to cause denial of service or potentially execute code via device pointer dereference after reference dropping in acpi_processor_errata_piix4(). The vulnerability affects multiple Linux kernel versions and was introduced in a previous fix attempt (commit f132e089fe89); it has been resolved across stable kernel branches with no active public exploitation identified.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in Linux kernel IPv6 SRv6 path processing allows local denial of service when __in6_dev_get() returns NULL due to missing IPv6 configuration or device unregistration. The vulnerability affects seg6_hmac_validate_skb() and ipv6_srh_rcv() functions which lacked NULL checks on the returned idev pointer, enabling a local attacker to crash the kernel by triggering these code paths on misconfigured or unregistering network devices.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Linux kernel NULL pointer dereference in UDP tunnel socket creation when IPv6 is disabled causes denial of service. When CONFIG_IPV6=n, the udp_sock_create6() function incorrectly returns success (0) without creating a socket, leading callers such as fou_create() to dereference an uninitialized pointer. The vulnerability is triggered via netlink socket operations and requires privileged user access; no public exploit code or active exploitation has been identified at time of analysis.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Linux kernel mvpp2 network driver occurs when MTU changes or other operations trigger buffer pool switching on Marvell hardware lacking CM3 SRAM support, causing NULL pointer dereference in flow control register access. Affects systems running vulnerable kernel versions on Marvell Armada platforms where the CM3 SRAM device tree entry is absent; no authentication required. Upstream fix available via stable kernel commits.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Linux kernel NULL pointer dereference in the x86 PMU NMI handler on AMD EPYC systems causes denial of service when perf event unthrottling races with PMU rescheduling. The vulnerability stems from commit 7e772a93eb61 moving event pointer initialization later in x86_pmu_enable(), allowing the unthrottle path to set active_mask bits without populating the corresponding events[] array entries, leading to NULL pointer dereference when subsequent PMC overflow interrupts fire. No public exploit code identified at time of analysis; patch fixes are available in upstream Linux kernel stable branches.

Linux Null Pointer Dereference Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in Linux kernel arm_mpam memory bandwidth monitoring causes kernel oops when an MSC supporting bandwidth monitoring transitions offline and back online. The mpam_restore_mbwu_state() function fails to initialize a value buffer before passing it to __ris_msmon_read() via IPI, triggering a crash in the bandwidth counter restoration routine. This affects ARM systems with MPAM (Memory Partitioning and Monitoring) support and results in denial of service through system instability when memory controllers are toggled.

Linux Null Pointer Dereference Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Linux kernel crashes in iommu_sva_unbind_device() when accessing a freed mm structure after iommu_domain_free() deallocates domain->mm->iommu_mm, causing denial of service on systems using IOMMU Shared Virtual Addressing (SVA). The fix reorders code to access the structure before the domain is freed. No CVSS score, EPSS, or KEV status available; no public exploit code identified.

Linux Denial Of Service Red Hat +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Denial of service in MariaDB Server through large packet crashes when the caching_sha2_password authentication plugin is enabled and accounts use it, due to unbounded stack allocation in sha256_crypt_r. Authenticated remote attackers can crash the server by sending a crafted large authentication packet. MariaDB versions before 11.4.10, 11.5.0 through 11.8.5, and 12.0.0 through 12.2.1 are affected. No public exploit code or confirmed active exploitation reported at time of analysis.

Denial Of Service MariaDB
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated server-side request forgery in Ech0's link preview endpoint allows remote attackers to force the application server to perform HTTP/HTTPS requests to arbitrary internal and external targets. The /api/website/title route requires no authentication, performs no URL validation, follows redirects by default, and disables TLS certificate verification (InsecureSkipVerify: true). Attackers can probe internal networks, access cloud metadata services (169.254.169.254), and trigger denial-

SSRF Denial Of Service Apple +3
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Denial of service via panic in go-jose library (versions prior to v4.1.4 and v3.0.5) occurs when decrypting malformed JSON Web Encryption (JWE) objects that specify a key wrapping algorithm (e.g., RSA-OAEP-KW, ECDH-ES+A128KW) but contain an empty encrypted_key field. The panic is triggered during slice allocation in cipher.KeyUnwrap() when processing ciphertext under 16 bytes, causing immediate application termination. No public exploit identified at time of analysis, though EPSS score of 0.0004

Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Denial of service in Dokuwiki version 2025-05-14b 'Librarian' release allows remote attackers to crash or disable the application through improper input handling in the media_upload_xhr() function within media.php. The vulnerability requires network access to the media upload endpoint but does not require authentication. No public exploit code, CVSS scoring, or active exploitation has been confirmed at the time of analysis.

Denial Of Service PHP
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Hirschmann EagleSDV contains a denial-of-service vulnerability that causes the device to crash during session establishment when using TLS 1.0 or TLS 1.1. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Eaglesdv Firmware
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unbounded disk consumption in Rack's multipart parser allows remote denial of service when HTTP requests lack Content-Length headers. Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 fail to enforce size limits on multipart/form-data uploads sent via chunked transfer encoding, enabling unauthenticated attackers to exhaust disk space by streaming arbitrarily large file uploads. CVSS 7.5 (High) reflects the network-accessible, low-complexity attack requiring no privileges. No public exploit identified at time of analysis, though the attack technique is well-understood.

Denial Of Service File Upload Rack
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Denial of service in Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 allows unauthenticated remote attackers to consume disproportionate CPU, memory, I/O, and bandwidth by supplying many small overlapping byte ranges in HTTP Range headers, bypassing the existing CVE-2024-26141 fix that only validates total byte coverage. The vulnerability affects Rack's file-serving paths that process multipart byte range responses, enabling attackers to degrade service availability with minimal request complexity.

Denial Of Service Red Hat Suse
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Denial of service in Rack::Utils.select_best_encoding allows unauthenticated remote attackers to consume disproportionate CPU resources via a crafted Accept-Encoding header containing multiple wildcard entries, affecting Rack versions prior to 2.2.23, 3.1.21, and 3.2.6. The vulnerability exploits quadratic time complexity in the encoding selection algorithm used by Rack::Deflater middleware, enabling a single HTTP request to trigger sustained CPU exhaustion and application unavailability.

Denial Of Service Red Hat Suse
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service via algorithmic complexity in Rack multipart parser allows unauthenticated remote attackers to exhaust CPU resources by sending specially crafted multipart/form-data requests with backslash-heavy escaped parameter values. Affects Rack 3.0.0.beta1-3.1.20 and 3.2.0-3.2.5, a critical Ruby web server interface used across Rails and Sinatra applications. CVSS 7.5 (High) with network-accessible attack vector and low complexity. Vendor-released patches available in versions 3.1.21 and 3.2.6. No public exploit identified at time of analysis, though EPSS data not provided to assess probability of exploitation.

Denial Of Service Rack
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in Apache Traffic Server 9.0.0-9.2.12 and 10.0.0-10.1.1 caused by improper handling of POST requests that triggers a server crash under specific conditions. The vulnerability affects all instances of the affected versions and requires no authentication or special privileges to exploit. Vendor-released patches are available in versions 9.2.13 and 10.1.2.

Apache Denial Of Service
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Memory exhaustion in Suricata network IDS/IPS via HTTP/2 CONTINUATION frame flooding allows remote unauthenticated attackers to trigger denial of service, typically forcing operating system termination of the Suricata process. Affects all versions prior to 7.0.15 and 8.0.4. EPSS data not available, but CVSS 7.5 (High) reflects network-accessible attack with low complexity requiring no privileges. No public exploit identified at time of analysis, though the attack technique (HTTP/2 frame flooding) is well-documented in protocol security research.

Denial Of Service Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

NULL pointer dereference in Suricata 8.0.0 through 8.0.3 causes denial of service when processing malformed TLS traffic with the 'tls.alpn' rule keyword. Remote unauthenticated attackers can crash the IDS/IPS engine by sending specially crafted network packets, completely disabling network security monitoring. EPSS data not available, but the low attack complexity (AC:L) and network vector (AV:N) combined with high availability impact (A:H) indicate significant operational risk for organizations relying on Suricata for traffic inspection. No evidence of active exploitation (no CISA KEV listing) or public exploit code identified at time of analysis.

Denial Of Service Null Pointer Dereference Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

CocoaMQTT library versions prior to 2.2.2 allow remote denial of service when parsing malformed MQTT packets from a broker, causing immediate application crashes on iOS, macOS, and tvOS devices. An attacker or compromised MQTT broker can publish a 4-byte malformed payload with the RETAIN flag to persist it indefinitely, ensuring every vulnerable client that subscribes receives the crash-inducing packet, effectively bricking the application until manual intervention on the broker. The vulnerability requires an authenticated user context (PR:L in CVSS vector) but impacts application availability with high severity; patch version 2.2.2 is available.

Apple Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of Service in Red Hat Build of Keycloak allows unauthenticated remote attackers to exhaust server resources by submitting specially crafted POST requests with excessively long scope parameters to the OpenID Connect token endpoint. No public exploit identified at time of analysis, but CVSS 7.5 (High) with network attack vector and low complexity indicates straightforward exploitation. Authentication requirements: unauthenticated (CVSS PR:N). The vulnerability stems from improper resource management (CWE-1050), enabling attackers to cause prolonged processing times and service disruption without any authentication or user interaction.

Denial Of Service Red Hat Build Of Keycloak
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in gleam-wisp wisp 0.2.0 through 2.2.1 allows unauthenticated remote attackers to exhaust server memory or disk by sending arbitrarily large multipart form submissions that bypass configured size limits. The multipart_body and multipart_headers parsing functions fail to properly decrement resource quotas for chunks lacking multipart boundaries, enabling attackers to accumulate unbounded data in a single HTTP request. Patch available as of version 2.2.2.

Denial Of Service Wisp
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Resource exhaustion in Nothings stb library versions up to 1.22 allows unauthenticated remote attackers to cause denial of service through the setup_free function in stb_vorbis.c when processing malformed audio data. The vulnerability has publicly available exploit code and a low CVSS score of 4.3 reflecting limited impact, but represents a real availability risk in applications embedding this widely-used header-only graphics and audio library.

Denial Of Service Stb
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Denial of service in PraisonAI's MCPToolIndex.search_tools() allows authenticated remote attackers to block the Python thread for hundreds of seconds via a crafted regular expression causing catastrophic backtracking. The vulnerable function compiles caller-supplied query strings directly as regex patterns without validation, timeout, or exception handling. A single malicious request can sustain complete service outage, and the MCP server HTTP transport runs without authentication by default, significantly lowering the practical barrier to exploitation despite the CVSS requiring PR:L.

Python Denial Of Service
NVD GitHub
EPSS 0% CVSS 2.7
LOW PATCH Monitor

IBM Aspera Shares 1.9.9 through 1.11.0 lacks proper rate limiting on authenticated user email submissions, allowing high-privilege users to trigger email flooding or denial of service conditions. The vulnerability requires authentication at the admin or high-privilege level and results in service availability degradation rather than data compromise. EPSS exploitation probability is low (2.7 CVSS, high privilege requirement), and no public exploit code or active exploitation has been identified at time of analysis.

IBM Denial Of Service
NVD
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Ella Core panics and crashes when processing malformed NGAP handover failure messages from a gNodeB, causing a denial of service for all connected mobile subscribers. An authenticated attacker with high privileges on the radio network can force a gNodeB to send crafted NGAP handover failure messages that trigger a null pointer dereference in Ella Core's handover handler, terminating the core network process. No public exploit code or active exploitation has been identified.

Denial Of Service Null Pointer Dereference
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Haraka email server crashes when processing emails with `__proto__` as a header name, enabling remote unauthenticated denial of service. Attackers can send a specially crafted email via SMTP to crash worker processes, disrupting email delivery. In single-process deployments, the entire server becomes unavailable; in cluster mode, all active sessions are terminated. No public exploit identified at time of analysis beyond the published proof-of-concept code, though exploitation requires only basic SMTP access.

Denial Of Service Python
NVD GitHub
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Denial of service vulnerability in Nothings stb image library (stb_image.h) affecting GIF decoder function stbi__gif_load_next allows remote attackers to trigger application crashes through specially crafted GIF files. The vulnerability impacts stb versions up to 2.30, requires user interaction to open a malicious GIF, and has publicly available exploit code with no vendor patch available despite early disclosure.

Denial Of Service Stb
NVD VulDB
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Aiohttp prior to version 3.13.4 allocates entire multipart form fields into memory before validating against the client_max_size limit, enabling unauthenticated remote attackers to cause denial of service through memory exhaustion. The vulnerability affects all versions before 3.13.4 and carries a low CVSS score (2.7) reflecting limited availability impact, with no public exploit code or active exploitation confirmed at time of analysis.

Python Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

Memory exhaustion vulnerability in AIOHTTP prior to version 3.13.4 allows unauthenticated remote attackers to trigger denial of service via specially crafted HTTP responses containing excessive multipart headers. The vulnerability exploits insufficient memory limits during multipart header parsing, causing the server or client to consume more memory than intended. CVSS 6.6 (medium-high availability impact) with no public exploit code identified at time of analysis.

Python Denial Of Service Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Unbounded DNS cache in AIOHTTP prior to version 3.13.4 allows remote attackers to cause denial of service through excessive memory consumption. An attacker can trigger repeated DNS lookups with unique hostnames to grow the in-memory cache without bounds, eventually exhausting available system memory. AIOHTTP 3.13.4 and later include a patch that implements cache limits. This is a network-accessible vulnerability requiring no authentication or user interaction, but exploitation requires deliberate attack traffic and does not result in data compromise or system takeover.

Python Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Remote code execution in OpenSTAManager v2.10.1 and earlier allows authenticated attackers to achieve unauthenticated RCE via chained exploitation of arbitrary SQL injection (GHSA-2fr7-cc4f-wh98) and insecure PHP deserialization in the oauth2.php endpoint. The unauthenticated oauth2.php file calls unserialize() on attacker-controlled database content without class restrictions, enabling gadget chain exploitation (Laravel/RCE22) to execute arbitrary system commands as www-data. Attack requires in

PHP Deserialization Docker +4
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Time-based blind SQL injection in OpenSTAManager ≤2.10.1 allows authenticated users to extract complete database contents including credentials, financial records, and PII through multiple AJAX select handlers. The vulnerability affects three core modules (preventivi, ordini, contratti) where the `options[stato]` GET parameter is concatenated directly into SQL WHERE clauses without validation. Exploitation requires only low-privilege authentication (CVSS PR:L) and has been confirmed with working

PHP SQLi Denial Of Service +2
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Memory exhaustion in aiohttp's header and trailer handling allows remote attackers to cause denial of service by sending attacker-controlled HTTP requests or responses with uncapped header/trailer values. The vulnerability affects aiohttp Python library across affected versions, enabling attackers to exhaust application memory without authentication. A mitigation is available via reverse proxy configuration, and upstream patch has been released.

Denial Of Service Red Hat Suse
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial of service via integer overflow in Corosync cluster engine affects Red Hat Enterprise Linux 7-10 and OpenShift Container Platform 4. Unauthenticated attackers can send crafted UDP packets to crash Corosync services running in totemudp/totemudpu mode (CVSS 7.5, AV:N/PR:N). EPSS data not provided; no public exploit identified at time of analysis. Impacts high-availability cluster deployments where Corosync provides quorum and messaging services.

Denial Of Service Integer Overflow Red Hat Enterprise Linux 10 +4
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Out-of-bounds read in Corosync allows unauthenticated remote attackers to crash cluster nodes and potentially leak memory via malformed UDP packets. Affects default totemudp/totemudpu configurations across Red Hat Enterprise Linux 7/8/9/10 and OpenShift Container Platform 4. CVSS 8.2 (High) with network attack vector, low complexity, and no authentication required. EPSS and exploitation status data not available; no public exploit identified at time of analysis. Impacts high-availability clustering infrastructure commonly used in enterprise production environments.

Denial Of Service Buffer Overflow Red Hat Enterprise Linux 10 +4
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel AppArmor allows local authenticated attackers to achieve high-impact code execution, privilege escalation, or denial of service via race condition on rawdata inode dereference. Affects kernel 4.13+ including current LTS branches. Patches available for 6.6.130, 6.12.77, 6.18.18, 6.19.8, and 7.0-rc4. EPSS score is low (0.02%) with no public exploit identified at time of analysis, but Ubuntu rated this priority=high affecting 729 releases.

Linux Denial Of Service Race Condition
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

AppArmor differential encoding verification in the Linux kernel contains logic errors that permit infinite loops to be created through abuse of the verification chain mechanism. Two distinct bugs in the verification routine-conflation of checked states with currently-checked states, and incorrect loop iterator comparison-allow malformed differential encoding chains to bypass security checks. This enables potential information disclosure or policy circumvention on systems relying on AppArmor mandatory access control. The vulnerability affects Linux kernel versions prior to fixes applied across multiple stable branches via kernel commits.

Linux Denial Of Service Red Hat
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stack exhaustion in AppArmor profile removal allows local denial of service by crafting deeply nested profiles that trigger recursive kernel stack consumption. The Linux kernel's AppArmor security module can be crashed by a local user with permission to load profiles via the apparmor_parser tool and trigger removal through sysfs, causing kernel stack overflow. The fix replaces recursive profile removal with an iterative approach to prevent stack exhaustion.

Linux Denial Of Service Red Hat
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Use-after-free in Chrome's compositing engine allows remote attackers who have compromised the renderer process to escape the sandbox via crafted HTML pages in Google Chrome prior to version 146.0.7680.178. This high-severity vulnerability requires prior renderer compromise but enables privilege escalation from the sandboxed renderer to system-level access, making it a critical sandbox bypass vector. Vendor-released patch addresses the issue in Chrome 146.0.7680.178 and later.

Google Use After Free Denial Of Service +4
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Use-after-free in Google Chrome's Navigation component prior to version 146.0.7680.178 enables sandbox escape for attackers who have already compromised the renderer process, allowing them to potentially execute arbitrary code with elevated privileges via a malicious HTML page. Chromium rates this as high severity; patch availability confirmed from vendor.

Google Use After Free Denial Of Service +4
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Use-after-free in Chrome's WebView on Android prior to version 146.0.7680.178 allows a remote attacker with a compromised renderer process to escape the sandbox via crafted HTML, potentially leading to arbitrary code execution outside the browser's security boundary. This vulnerability requires prior renderer compromise but eliminates a critical containment layer, classified as High severity by Chromium.

Google Use After Free Denial Of Service +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome prior to version 146.0.7680.178 allows attackers to execute arbitrary code within the Chrome sandbox via a specially crafted PDF file. The vulnerability exists in Chrome's PDF handling component and is caused by a use-after-free memory corruption flaw. Patch availability has been confirmed via vendor release, and the Chromium security team has classified this as High severity.

Google Use After Free RCE +3
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Remote code execution in Google Chrome's CSS engine prior to version 146.0.7680.178 allows unauthenticated remote attackers to execute arbitrary code within the Chrome sandbox via a crafted HTML page. The vulnerability stems from a use-after-free memory error in CSS processing, classified as high severity by the Chromium security team. Vendor-released patch available in Chrome 146.0.7680.178 and later.

Google Use After Free RCE +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome prior to version 146.0.7680.178 via use-after-free vulnerability in the Dawn graphics library allows unauthenticated remote attackers to execute arbitrary code through a crafted HTML page. The vulnerability affects all Chrome versions below the patched release and carries high severity per Chromium's assessment.

Google Use After Free RCE +6
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome prior to version 146.0.7680.178 via use-after-free vulnerability in WebGL allows unauthenticated remote attackers to execute arbitrary code within the browser sandbox by delivering a crafted HTML page. The vulnerability is marked as High severity by Chromium security and a vendor-released patch is available.

Google Use After Free RCE +3
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Google Chrome prior to 146.0.7680.178 via use-after-free vulnerability in Dawn graphics subsystem allows an attacker who has already compromised the renderer process to execute arbitrary code through a crafted HTML page. This vulnerability requires prior renderer compromise but presents significant risk in multi-process exploitation chains; vendor has released patched version 146.0.7680.178 to address the issue.

Google Use After Free RCE +6
NVD VulDB
EPSS 0% 4.8 CVSS 8.8
HIGH POC KEV PATCH THREAT Act Now

Remote code execution in Google Chrome prior to version 146.0.7680.178 via a use-after-free vulnerability in the Dawn graphics component allows attackers who have already compromised the renderer process to execute arbitrary code through a crafted HTML page. The vulnerability requires prior renderer compromise but results in full code execution with high severity per Chromium's security classification.

Google Use After Free RCE +3
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome prior to 146.0.7680.178 allows unauthenticated remote attackers to execute arbitrary code within the Chrome sandbox via a crafted HTML page exploiting a use-after-free vulnerability in the WebCodecs component. The vulnerability affects all versions before the patched release and has been addressed by Google with a vendor-released patch; no public exploit code or active exploitation has been confirmed at the time of analysis.

Google Use After Free RCE +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome on Android via use-after-free vulnerability in Web MIDI allows unauthenticated remote attackers to execute arbitrary code through a crafted HTML page. The vulnerability affects Chrome versions prior to 146.0.7680.178 and carries high severity per Chromium's security classification. A vendor-released patch is available.

Google Use After Free RCE +6
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Denial of service in Foxit PDF Editor and Foxit PDF Reader allows local attackers to crash the application by opening a crafted PDF containing a stamp annotation with missing appearance (AP) data. The vulnerability stems from insufficient validation before dereferencing annotation objects, triggering a null pointer exception. No public exploit code has been identified, and patch availability has not been confirmed from available advisory data.

Denial Of Service Null Pointer Dereference Foxit Pdf Editor +1
NVD VulDB
EPSS 0% CVSS 6.2
MEDIUM This Month

Foxit PDF Editor and PDF Reader are vulnerable to denial of service via uncontrolled recursion in maliciously crafted PDF documents containing cyclic object references in pages and annotations. When such documents are processed by APIs performing deep object traversal (such as SOAP handlers), the applications exhaust stack memory and crash. The vulnerability requires only local access and no user interaction beyond opening a malicious PDF, making it a practical attack vector for local denial of service.

Denial Of Service Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

BEAM VM atom table exhaustion in Ash Framework's Module type allows remote denial-of-service against Elixir applications. The ash package (all versions prior to v3.22.0) unconditionally creates Erlang atoms from user-supplied strings in Ash.Type.Module.cast_input/2 before validation, enabling attackers to crash the entire VM by submitting ~1 million unique 'Elixir.*' strings to any API endpoint with :module-typed attributes. Vendor patch released in commit 7031103 (v3.22.0). No public exploit identified at time of analysis, though the advisory provides detailed proof-of-concept code demonstrating trivial exploitation via repeated API requests.

Denial Of Service
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

NULL pointer dereference in Mbed TLS distinguished name (X.509) parsing allows remote attackers to trigger a denial of service by writing to address 0, affecting Mbed TLS versions 3.6.5 and earlier, and 4.0.0. The vulnerability is reachable during X.509 certificate processing and does not require authentication. No public exploit code or active exploitation has been confirmed at the time of analysis.

Null Pointer Dereference Denial Of Service
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Buffer overflow in TOTOlink A3600R v5.9c.4959 setAppEasyWizardConfig interface allows remote code execution or denial of service via unvalidated rootSsid parameter in /lib/cste_modules/app.so. The vulnerability affects a Wi-Fi router's configuration endpoint and enables unauthenticated attackers to trigger memory corruption with potential for arbitrary code execution. No CVSS vector or patch status was available at time of analysis.

Buffer Overflow RCE Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 6.2
MEDIUM This Month

Denial of service in iccDEV prior to version 2.3.1.6 allows local attackers to crash the iccApplyNamedCmm tool by supplying a malformed ICC color profile that triggers a null-pointer dereference in the CIccCombinedConnectionConditions constructor. The vulnerability requires local file system access to provide the crafted profile and causes application termination with no code execution or data corruption, affecting users processing untrusted ICC profiles through the -PCC flag.

Null Pointer Dereference Denial Of Service Iccdev
NVD GitHub
EPSS 0% CVSS 6.2
MEDIUM This Month

Stack overflow in iccDEV's SIccCalcOp::ArgsUsed() function allows local attackers to trigger a denial of service by supplying a crafted ICC color profile to iccApplyProfiles. The vulnerability affects iccDEV versions prior to 2.3.1.6 and requires no authentication or user interaction; exploitation manifests as application crash during calculator argument computation. No public exploit code or active exploitation has been identified at time of analysis.

Denial Of Service Iccdev
NVD GitHub
EPSS 0% CVSS 6.2
MEDIUM This Month

Null pointer dereference in iccDEV versions prior to 2.3.1.6 causes denial of service when processing ICC color management profiles with malformed lookup table (LUT) structures. The vulnerability exists in IccTagLut.cpp where CIccApplyCLUT member access occurs without null validation, allowing local attackers to crash applications that parse untrusted color profiles. No public exploit code or active exploitation has been confirmed at time of analysis.

Null Pointer Dereference Denial Of Service Iccdev
NVD GitHub
EPSS 0% CVSS 6.2
MEDIUM This Month

Denial of service via null-pointer dereference in iccDEV prior to version 2.3.1.6 allows local attackers to crash the application by processing a crafted ICC color profile embedded in a TIFF file. The vulnerability exists in the CIccTagLut16::Write() function and requires local file system access but no authentication or user interaction. No public exploit code or active exploitation has been confirmed; the issue is considered moderate severity due to denial-of-service impact only (no code execution or data compromise).

Null Pointer Dereference Denial Of Service Iccdev
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Nuxt OG Image versions prior to 6.2.5 are vulnerable to denial of service through unbounded image dimension parameters in the /_og/d/ endpoint. Attackers can specify arbitrarily large width and height values, causing the image-generation component to consume excessive CPU and memory resources, resulting in application unavailability. No authentication is required to exploit this vulnerability.

Denial Of Service Og Image
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Deserialization of untrusted data in NVIDIA BioNeMo Framework enables local attackers to execute arbitrary code, cause denial of service, disclose sensitive information, or tamper with data when users open malicious files. CVSS 7.8 (High) reflects local attack vector requiring user interaction. EPSS data not available; no public exploit identified at time of analysis. Affects NVIDIA BioNeMo Framework, a platform for AI-driven drug discovery and biomolecular research.

Deserialization RCE Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Insecure deserialization in NVIDIA BioNeMo Framework enables remote code execution when attackers can induce users to process malicious serialized data. This vulnerability (CWE-502) affects the BioNeMo Framework with network-reachable attack surface (AV:N) and low complexity (AC:L), requiring only user interaction (UI:R) but no authentication (PR:N). The CVSS 8.8 rating reflects critical impacts across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the deserialization vulnerability class is well-understood and commonly exploited. EPSS data not available for this CVE.

Deserialization RCE Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 7.6
HIGH This Week

Command injection in NVIDIA Jetson Linux initrd allows physical attackers to execute arbitrary code with elevated privileges across Jetson Xavier, Orin, and Thor series devices. An attacker with physical access can inject malicious command-line arguments during boot without authentication (CVSS:3.1/AV:P/AC:L/PR:N), leading to complete system compromise including root-level code execution, denial of service, and data exfiltration. EPSS data not available; no public exploit identified at time of analysis, though the low attack complexity (AC:L) and physical-only requirement (AV:P) suggest exploitation is straightforward for adversaries with device access.

Command Injection RCE Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 8.3
HIGH This Week

NVIDIA Jetson system initialization flaw allows authenticated remote attackers to exploit insecure default machine IDs, enabling cross-device information disclosure of encrypted data and tampering. Affects JetPack on Xavier and Orin series devices. CVSS 8.3 (High) with network attack vector and low complexity. EPSS data not available; no confirmed active exploitation (CISA KEV status not present). The vulnerability enables attackers with low-level privileges to compromise multiple devices sharing identical default machine identifiers, undermining cryptographic protections and system integrity across the device fleet.

Information Disclosure Denial Of Service Nvidia
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

DNSdist instances using custom Lua code can be crashed via denial of service when the DNSQuestion:getEDNSOptions method accesses a modified DNS packet, triggering a use-after-free condition. This affects DNSdist across all versions and requires network access to send crafted DNS queries, but the attack demands specific Lua code patterns and high attack complexity; no public exploit or active exploitation has been confirmed, and the real-world impact is limited to environments where custom Lua DNS query handlers reference EDNS options.

Use After Free Denial Of Service Memory Corruption +1
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

DNSdist fails to validate packet size bounds when rewriting DNS questions or responses via Lua methods (DNSQuestion:changeName, DNSResponse:changeName), allowing unauthenticated remote attackers to craft DNS responses that trigger out-of-bounds writes and exceed the 65535-byte DNS packet size limit, resulting in denial of service via crash. CVSS 5.9 (high availability impact); no public exploit code identified at time of analysis.

Buffer Overflow Denial Of Service Memory Corruption +1
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Memory exhaustion in DNSdist allows remote, unauthenticated attackers to trigger denial of service by crafting malicious DNS over QUIC or DNS over HTTP/3 payloads that force excessive memory allocation. The attack causes the QUIC connection to close abnormally, and in systems with limited memory reserves, can force out-of-memory conditions that terminate the DNSdist process entirely.

Denial Of Service Dnsdist
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Out-of-bounds read in PowerDNS dnsdist allows unauthenticated remote attackers to trigger denial of service or potential information disclosure by sending a crafted DNS response packet when custom Lua code uses the newDNSPacketOverlay function to parse packets. CVSS 5.3 indicates moderate severity with network-accessible attack surface and no privilege or user interaction required.

Denial Of Service Information Disclosure Buffer Overflow +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Heap-based buffer overflow in gdk-pixbuf's JPEG image loader enables remote denial of service through malformed JPEG images without user interaction. The vulnerability triggers during automated image processing operations like thumbnail generation across Red Hat Enterprise Linux 6 through 10, allowing unauthenticated network attackers to crash applications that process JPEG images. EPSS score of 0.09% (25th percentile) suggests low observed exploitation activity, consistent with SSVC assessment showing no active exploitation despite the vulnerability being fully automatable.

Heap Overflow Denial Of Service Buffer Overflow +5
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

FreeRDP prior to version 3.24.2 contains a double-free vulnerability in Kerberos authentication handling that crashes FreeRDP clients during NLA connection teardown following failed authentication attempts on systems with Kerberos configured. The vulnerability affects all versions before 3.24.2 across multiple Linux distributions (Debian, Ubuntu) and requires network access but no authentication credentials, presenting a denial-of-service vector against RDP clients in enterprise environments using Kerberos or Kerberos U2U authentication. No public exploit code has been identified, and the impact is limited to availability (denial of service) rather than confidentiality or integrity.

Denial Of Service Red Hat Suse
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

FreeRDP clients before version 3.24.2 crash with SIGABRT when connecting through a malicious RDP Gateway due to an unvalidated auth_length field triggering a WINPR_ASSERT() failure in rts_read_auth_verifier_no_checks(). This pre-authentication denial of service affects all FreeRDP clients using RPC-over-HTTP gateway transport, regardless of user authentication status. The vulnerability has been patched in version 3.24.2.

Denial Of Service Red Hat Suse
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Denial of service in FreeRDP prior to version 3.24.2 allows remote attackers to crash the client via a malicious RDP server sending IMA ADPCM audio data with an invalid step index value (≥89). The unvalidated network-supplied index causes an out-of-bounds access into an 89-entry lookup table, triggering a WINPR_ASSERT() failure and process abort. This affects all FreeRDP clients with audio redirection enabled (the default configuration), requiring user interaction to establish an RDP connection but no authentication. No public exploit code identified at time of analysis.

Denial Of Service Red Hat Suse
NVD GitHub VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Remote denial of service in NanoMQ MQTT Broker 0.24.6 allows unauthenticated remote attackers to crash the broker by connecting without credentials when HTTP authentication is enabled with username/password placeholders, triggering a null pointer dereference in the auth_http.c module. The vulnerability requires high attack complexity (user interaction via specific MQTT CONNECT configuration) but results in broker unavailability. Vendor-released patch version 0.24.7 addresses the issue.

Null Pointer Dereference Denial Of Service Nanomq
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Uncaught TypeError in Node.js HTTP server crashes applications when clients send specially crafted `__proto__` headers and code accesses `req.headersDistinct`. The exception occurs synchronously in a property getter, bypassing standard error handling mechanisms and causing immediate service disruption. Affects Node.js versions 20.x, 22.x, 24.x, and 25.x with CVSS 7.5 (High). EPSS data not available; no public exploit identified at time of analysis, though exploitation requires only sending a malformed HTTP header with no authentication (CVSS:3.0/AV:N/AC:L/PR:N/UI:N).

Node.js Denial Of Service Node
NVD VulDB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Maliciously crafted `.idx` files in go-git v5 cause asymmetric memory consumption leading to Denial of Service through integer overflow vulnerabilities. Exploitation requires local write access to the `.git` directory, limiting attack surface to scenarios where an attacker has already compromised repository access or can inject files into a shared repository. No public exploit code or active exploitation has been confirmed; however, the low CVSS complexity and requirement for only low-privilege local access make this a moderate operational concern for development environments and CI/CD systems that process untrusted repositories.

Denial Of Service Integer Overflow Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial of service in GNU C Library (glibc) 2.43 and earlier allows unauthenticated remote attackers to crash applications via malformed input during character set conversion from IBM1390 or IBM1399 encodings. The vulnerability triggers an assertion failure in the iconv() function with high attack reliability (CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Proof-of-concept code exists and CISA SSVC assessment confirms the issue is automatable with partial technical impact, making this a practical denial-of-service vector for any networked application processing untrusted character encoding conversions.

Denial Of Service Glibc
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Authenticated denial of service in nginx-ui 2.3.3 and earlier allows any user with settings access to submit a negative integer for the logrotate.interval parameter, triggering an infinite loop in the backend that exhausts CPU resources and renders the web interface unresponsive. Vendor-released patch available in v2.3.4. No public exploit code identified beyond proof-of-concept documentation; not confirmed as actively exploited.

Nginx Denial Of Service Docker +1
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Race condition in nginx-ui web interface allows remote authenticated attackers to corrupt the primary configuration file (app.ini) through concurrent API requests, resulting in persistent denial of service and potential remote code execution. The vulnerability affects nginx-ui versions prior to 2.3.4 deployed in production environments including Docker containers. Concurrent POST requests to /api/settings trigger unsynchronized file writes that interleave at the OS level, corrupting configuration sections and creating cross-contamination between INI fields. In non-deterministic scenarios, user-controlled input can overwrite shell command fields (ReloadCmd, RestartCmd), enabling arbitrary command execution during nginx reload operations. Public exploit code demonstrates the attack path using standard HTTP testing tools. No CISA KEV listing or EPSS data available at time of analysis, but proof-of-concept with detailed reproduction steps exists in the GitHub security advisory.

Race Condition Denial Of Service RCE +4
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Authenticated users in nginx-ui v2.3.3 and earlier can delete the entire `/etc/nginx` configuration directory via path traversal using double-encoded sequences (..%252F), causing immediate Nginx service failure and denial of service. The vulnerability exploits improper URL canonicalization combined with unsafe recursive deletion logic that resolves malicious paths to the base configuration directory instead of rejecting them.

Nginx Path Traversal Denial Of Service +2
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Denial of service in MongoDB Server allows authenticated users with limited cluster privileges to crash a mongod process during replica set to sharded cluster promotion, causing potential primary failure. Affects MongoDB 8.2 before 8.2.2, 8.0.18+, and 7.0.31+. No public exploit code or active exploitation confirmed; CVSS 5.3 reflects the narrow attack window and authentication requirement.

Denial Of Service Mongodb Server
NVD
Prev Page 40 of 407 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy