Skip to main content

Denial Of Service

36497 CVEs technique

Monthly

CVE-2026-48824 Go MEDIUM PATCH GHSA This Month

{id}/release` still call `json.NewDecoder(r.Body)` with no body-size cap, allowing a remote unauthenticated attacker to drive process RSS from ~8 MB baseline to ~450 MB with a single 16 MB request (~28× amplification), with no memory recovery between requests. A working proof-of-concept with exact reproduction steps is published in the advisory; no KEV status confirmed at time of analysis.

Denial Of Service Docker
NVD GitHub
CVSS 3.1
5.3
CVE-2026-44937 Go HIGH PATCH GHSA This Week

Unauthenticated webhook request forgery in Rancher Fleet (GitOps controller for Kubernetes) lets remote attackers manipulate GitRepo processing when the webhook endpoint is configured without a shared secret. Because the repository URL and path received from webhooks are used unsanitized as a regex replacement (CWE-345), an attacker who does not know the configured repository can force continuous re-cloning to exhaust management-cluster resources (DoS), and - if they have read access to the target Git repo and know its path - can downgrade running workloads to any historical revision. No public exploit is identified at time of analysis and it is not listed in CISA KEV; SUSE/Rancher has released fixed versions.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.2%
CVE-2026-50521 HIGH PATCH Exploit Unlikely This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw that lets an authorized attacker run arbitrary code over a network within the browser process. Microsoft has shipped an official fix and rates it CVSS 8.3; the exploit-maturity metric is Unproven (E:U), meaning no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is high to confidentiality and integrity with partial availability loss, making it a meaningful but not emergency patch priority for Edge-based endpoints.

Memory Corruption Google Microsoft Denial Of Service Use After Free +1
NVD
CVSS 3.1
8.3
EPSS
0.8%
CVE-2026-54908 MEDIUM PATCH This Month

Remote denial of service in pion/dtls (Go's DTLS implementation) versions prior to 3.1.4 allows an unauthenticated network attacker to crash any application built on this library by sending a crafted ECDHE_PSK ServerKeyExchange message during the DTLS handshake. The CWE-125 out-of-bounds read triggers a Go runtime panic, immediately terminating the host process. No public exploit code has been identified and this vulnerability is not listed in CISA KEV; a vendor-released patch exists in version 3.1.4.

Denial Of Service Buffer Overflow Information Disclosure Dtls
NVD GitHub
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-55595 MEDIUM PATCH This Month

Uncontrolled resource consumption in ImageMagick (all versions prior to 6.9.13-51 and 7.1.2-26) allows a denial-of-service condition by supplying invalid arguments to the connected-components processing option, which causes an infinite loop that exhausts CPU resources indefinitely. The vulnerability requires local access, user interaction, and high attack complexity, confining realistic risk to environments where untrusted input can influence ImageMagick invocations - such as automated image-processing pipelines or web applications that expose connected-components functionality. Vendor-released patches exist for both the 6.x and 7.x branches; no public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis.

Denial Of Service Imagemagick
NVD GitHub
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-55594 MEDIUM PATCH This Month

Stack overflow in ImageMagick's MVG decoder prior to versions 6.9.13-51 and 7.1.2-26 allows remote unauthenticated attackers to crash image-processing services by submitting a crafted MVG image file. The root cause is a missing depth check in the MVG decoder (CWE-400), enabling unbounded recursion that exhausts stack memory. No active exploitation has been confirmed and no public exploit code has been identified at time of analysis, but the zero-friction attack surface - any application accepting image uploads with unpatched ImageMagick - makes patching a practical priority.

Denial Of Service Imagemagick
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-56151 MEDIUM This Month

Fleet policy management in Kibana is vulnerable to denial of service through insufficient validation of user-supplied policy inputs. An authenticated Kibana user with Fleet write access can submit a specially crafted Fleet policy input that bypasses server-side validation, rendering Fleet agent management, server operations, and policy configuration unavailable. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, the low authentication bar (any valid low-privilege account) and network accessibility make it a meaningful operational risk for organizations relying on Elastic Agent deployments.

Elastic Denial Of Service Kibana
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-56150 HIGH This Week

Denial of service in Elastic Fleet Server (versions 8.0.0-8.19.10 and 9.0.0-9.2.4) allows remote attackers to exhaust memory by sending a specially crafted request to an upload endpoint, driving excessive allocation until the server becomes unresponsive. The flaw is a resource-throttling failure (CWE-770) with availability-only impact and no confidentiality or integrity loss. No public exploit identified at time of analysis; EPSS is low (0.30%, 22nd percentile) and CISA SSVC records no observed exploitation.

Denial Of Service Fleet Server
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-56149 MEDIUM This Month

Elasticsearch's machine learning API contains an unbounded resource allocation flaw that allows an authenticated user with elevated privileges to crash an affected node by submitting a specially crafted ML request over the network. The absence of throttling or quota enforcement on ML request memory consumption (CWE-770) means the node's JVM heap can be exhausted, rendering it unavailable without any confidentiality or integrity exposure. No public exploit code has been identified at the time of analysis, and this vulnerability does not appear in the CISA KEV catalog.

Elastic Denial Of Service Elasticsearch
NVD VulDB
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-56148 MEDIUM This Month

Denial of service in Elasticsearch allows any authenticated user to crash an affected cluster node by submitting a specially crafted query that triggers uncontrolled recursion during query processing. Excessive resource consumption during request handling can render the targeted node unavailable, disrupting search and indexing operations for all dependent applications. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the low privilege requirement makes it accessible to any user with query access.

Elastic Denial Of Service Elasticsearch
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-49087 MEDIUM This Month

Denial of service in Kibana allows any authenticated user with low-privilege access to exhaust server resources via a specially crafted bulk deletion request, potentially rendering the Kibana interface completely unavailable. Affected are Kibana deployments prior to versions 8.19.15 and 9.3.4 across both the 8.x and 9.x release branches. The vulnerability requires no special configuration to be present and no user interaction beyond submitting the malicious request, making it reliably triggerable by any valid Kibana account holder. No public exploit or CISA KEV listing identified at time of analysis.

Elastic Denial Of Service Kibana
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-20216 HIGH PATCH This Week

Denial of service in ClamAV's InstallShield file format parser allows a remote, unauthenticated attacker (per CVSS PR:N) to crash the scanning engine and temporarily exhaust system resources by submitting a specially crafted InstallShield file for scanning. The flaw stems from improper handling of temporary resources during file scanning (CWE-770), impacting availability only (C:N/I:N/A:H) with no code execution or data exposure. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network attack vector and low complexity make it easy to trigger anywhere ClamAV automatically scans attacker-supplied files.

Denial Of Service Secure Endpoint Clamav Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-49090 MEDIUM This Month

Sustained CPU exhaustion in Elasticsearch allows an authenticated low-privilege user to render an affected node unresponsive by submitting a specially crafted bulk request to the _bulk API endpoint. The root cause is CWE-400 (Uncontrolled Resource Consumption), whereby the bulk request processing path fails to bound CPU allocation per request, aligning with CAPEC-130 (Excessive Allocation). No public exploit identified at time of analysis, and no KEV listing exists; however, the low attack complexity and standard network accessibility of the bulk API make this a credible insider or compromised-credential threat in production environments.

Elastic Denial Of Service Elasticsearch
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54399 HIGH This Week

Denial of service in Apache HttpComponents Core (HttpCore) 5.0-alpha through 5.4.2 and the 5.5 beta line up to 5.5-beta1 allows a remote unauthenticated attacker to exhaust server memory by sending HTTP/1.1 messages containing an excessive number of headers or excessively long headers. The HTTP/1.1 message parser accumulates this header data without enforcing sane bounds, letting a single crafted request drive availability loss (CVSS 7.5, A:H only). There is no public exploit identified at time of analysis, and CISA's SSVC assessment rates exploitation as 'none' with only partial technical impact.

Denial Of Service Apache Httpcomponents Core
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-54428 HIGH This Week

Memory exhaustion denial-of-service in Apache HttpComponents Core's HTTP/2 HPACK decoder allows remote attackers to crash Java services by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement is processed. The root cause is a timing gap in the connection handshake: the server's configured maximum header list size limit is not enforced until after the SETTINGS ACK exchange completes, leaving a window during which an attacker can flood the decoder with arbitrarily large compressed header data. Affected artifacts are org.apache.httpcomponents.core5:httpcore5-h2 versions 5.4.2 and earlier and 5.5-beta1 and earlier. No public exploit or CISA KEV listing has been identified at time of analysis.

Denial Of Service Apache Httpcomponents Core
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-24270 CRITICAL Act Now

Authentication bypass in NVIDIA AIStore, a scalable distributed object-storage framework for AI/ML data pipelines, lets a remote attacker circumvent access controls (CWE-290) and reach protected functionality without valid credentials. Because the flaw yields full confidentiality, integrity, and availability impact (CVSS 9.8), successful exploitation can enable information disclosure of stored datasets, tampering with training data, privilege escalation, and denial of service. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass Nvidia Denial Of Service Information Disclosure Aistore Framework
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2026-24266 HIGH This Week

Denial of service in NVIDIA Triton Inference Server for Linux (versions through 26.03) allows a remote attacker to crash the service by triggering a use-after-free (CWE-416) condition, per the NVIDIA product-security advisory. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/A:H) indicates network-reachable, unauthenticated exploitation with high availability impact but no confidentiality or integrity effect. No public exploit identified at time of analysis, and CISA SSVC rates exploitation status as 'none' with an EPSS of 0.54% (41st percentile), consistent with no observed activity.

Memory Corruption Nvidia Denial Of Service Use After Free Triton Inference Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-24264 HIGH This Week

Denial of service in NVIDIA Triton Inference Server for Linux allows remote unauthenticated attackers to exhaust server resources by submitting highly compressed (data-amplification / decompression-bomb) input that the server improperly handles during decompression. The flaw (CWE-409) affects the Linux distribution of Triton and carries a CVSS 7.5 (availability-only impact); there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is limited to availability - no confidentiality or integrity loss.

Nvidia Denial Of Service Triton Inference Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2026-14330 MEDIUM PATCH This Month

Stack exhaustion via multiple unbounded alloca() calls in the PulseAudio protocol server on Red Hat Enterprise Linux 8, 9, and 10 allows a local low-privileged attacker to crash the audio daemon, resulting in denial of service. The root cause (CWE-770) is the absence of size validation on attacker-controlled protocol parameters before passing them to alloca(), a stack-based allocator with no OS-enforced ceiling. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9 Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-14324 MEDIUM PATCH This Month

Denial-of-service via NULL pointer dereference in PipeWire's RAOP (Remote Audio Output Protocol) module affects Red Hat Enterprise Linux 8, 9, and 10. The RAOP module fails to enforce an upper bound on Content-Length values in incoming requests and does not validate the return value of pw_array_add(); when a sufficiently large Content-Length triggers an allocation failure, the unchecked NULL return causes a crash of the PipeWire daemon, resulting in complete loss of audio services. No special authentication is required from the adjacent network, and no public exploit or CISA KEV listing has been identified at time of analysis.

Denial Of Service Null Pointer Dereference Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9 +2
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-2891 HIGH PATCH This Week

Denial of service in HP Poly Voice IP endpoints (CCX, Trio C60, and Edge E series) allows an attacker operating or impersonating a SIP server to render affected devices inoperable by returning malformed data during SIP signaling. The flaw is an uncontrolled-resource-consumption / improper-input-handling issue (CWE-400) that crashes or hangs the phone, disrupting voice service. HP has published advisory hpsbpy04096 and is releasing firmware updates; no public exploit is identified at time of analysis and the issue is not listed in CISA KEV.

HP Denial Of Service Ccx Trio C60 Edge E
NVD VulDB
CVSS 4.0
8.2
EPSS
0.3%
CVE-2026-23537 CRITICAL PATCH Act Now

Arbitrary file write in the Feast Feature Server's `/save-document` endpoint lets an unauthenticated remote attacker write attacker-controlled JSON to the host filesystem, bypassing the endpoint's path restrictions to overwrite application configuration or startup scripts. Because no credentials are required (CVSS 9.1, PR:N), any network-reachable attacker can corrupt system integrity, cause denial of service through disk exhaustion, or potentially achieve remote code execution. This flaw also ships in Red Hat OpenShift AI (RHOAI), which bundles Feast; there is no public exploit identified at time of analysis and it is not in CISA KEV.

Authentication Bypass Denial Of Service RCE Feast Feature Server Red Hat Openshift Ai Rhoai
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.6%
CVE-2026-6684 MEDIUM This Month

Unbounded mount-time loop in FatFs prior to R0.16 allows physical attackers to cause a denial of service by presenting a crafted GPT disk image with an arbitrarily large GPTH_PtNum partition count field. The flaw is present only in builds where the FF_LBA64 = 1 compile-time flag is set, enabling 64-bit LBA and GPT scanning support. A public proof-of-concept is available from runZero; no confirmed active exploitation (CISA KEV) has been observed, and SSVC categorizes technical impact as partial, limited to availability.

Denial Of Service Fatfs
NVD GitHub
CVSS 3.1
4.6
EPSS
0.2%
CVE-2026-53348 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: ASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions sdca_dev_unregister_functions() iterates over all SDCA function descriptors and calls sdca_dev_unregister() on each func_dev without checking for NULL. When a function registration has failed partway through, or the device cleanup races with probe deferral, func_dev entries may be NULL, leading to a kernel oops: BUG: kernel NULL pointer dereference, address: 0000000000000040 RIP: 0010:device_del+0x1e/0x3e0 Call Trace: sdca_dev_unregister_functions+0x37/0x60 [snd_soc_sdca] release_nodes+0x35/0xb0 devres_release_all+0x90/0x100 device_unbind_cleanup+0xe/0x80 device_release_driver_internal+0x1c1/0x200 bus_remove_device+0xc6/0x130 device_del+0x161/0x3e0 device_unregister+0x17/0x60 sdw_delete_slave+0xb6/0xd0 [soundwire_bus] sdw_bus_master_delete+0x1e/0x50 [soundwire_bus] ... sof_probe_work+0x19/0x30 [snd_sof] This was observed on a Lenovo ThinkPad X1 Carbon G14 (Panther Lake) with the SOF audio driver probe failing due to missing Panther Lake firmware, causing the subsequent cleanup of SoundWire devices to trigger the crash. Fix this with three changes: 1) Add a NULL guard in sdca_dev_unregister() so that callers do not need to pre-validate the pointer (defense in depth). 2) In sdca_dev_unregister_functions(), skip NULL func_dev entries and clear func_dev to NULL after unregistration, making the function idempotent and safe against double-invocation. 3) In sdca_dev_register_functions(), roll back all previously registered functions when a later one fails, so the function array is never left in a partially-populated state.

Linux Lenovo Denial Of Service
NVD VulDB
EPSS
0.1%
CVE-2026-53347 PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: drm/virtio: Fix driver removal with disabled KMS DRM atomic and modesetting aren't initialized if virtio-gpu driver built with disabled KMS, leading to access of uninitialized data on driver removal/unbinding and crashing kernel. Fix it by skipping shutting down atomic core with unavailable KMS.

Linux Denial Of Service
NVD VulDB
EPSS
0.2%
CVE-2026-53346 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: rust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES Due to a rustc bug [1] the -Cforce-unwind-tables=y flag only emits the uwtable annotation for functions, but not for the module. This means that compiler-generated functions such as 'asan.module_ctor' do not receive the uwtable annotation. When CONFIG_UNWIND_PATCH_PAC_INTO_SCS is enabled, this leads to boot failures because the dwarf information emitted for the kasan constructors is wrong, which causes the SCS boot patching code to patch the constructor in an illegal manner. Specifically, the paciasp instruction is patched, but the autiasp instruction is not. This mismatch leads to a crash when the constructor is called during boot. ================================================================== BUG: KASAN: global-out-of-bounds in do_basic_setup+0x4c/0x90 Read of size 8 at addr ffffffe3cc7eb488 by task swapper/0/1 Specifically the faulting instruction is the (*fn)() to invoke the constructor in do_ctors() of the init/main.c file. Once the fix lands in rustc, this flag can be made conditional on the rustc version. Note that passing the flag on a rustc with the fix present has no effect. [ The fix [1] has landed for Rust 1.98.0 (expected release on 2026-08-20). Thus add a version check as discussed. - Miguel ] [ Adjusted link and comment. - Miguel ]

Linux Denial Of Service
NVD VulDB
EPSS
0.2%
CVE-2026-53344 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: pinctrl: mcp23s08: Initialize mcp->dev and mcp->addr before regmap init Regmap initialization triggers regcache_maple_populate() which attempts SPI read to populate cache. SPI read requires mcp->dev and mcp->addr to be set, without them, NULL pointer dereference occurs during probe. Move initialization before mcp23s08_spi_regmap_init() call.

Linux Denial Of Service
NVD VulDB
EPSS
0.1%
CVE-2026-53343 PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow Commit 44e9a3bb76e5 ("ARM: 9430/1: entry: Do a dummy read from VMAP shadow") added a dummy read from the KASAN VMAP stack shadow in __switch_to(). The read uses ldr, but the KASAN shadow address is byte-granular and is not guaranteed to be word aligned. ARMv5 faults unaligned word loads. With CONFIG_KASAN_VMALLOC and CONFIG_VMAP_STACK enabled, ARM926/VersatilePB crashes in __switch_to() with an alignment exception before reaching init. Use ldrb for the dummy shadow access. The code only needs to fault in the shadow mapping if the stack shadow is missing, so a byte load is sufficient and matches the granularity of KASAN shadow memory.

Linux Denial Of Service
NVD VulDB
EPSS
0.2%
CVE-2026-53341 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh() may_decode_fh() accesses mount::mnt_ns without holding any locks; that means the mount can concurrently be unmounted, and the mnt_namespace can concurrently be freed after an RCU grace period. This race can happens as follows, assuming that the mount point was created by open_tree(..., OPEN_TREE_CLONE): thread 1 thread 2 RCU __do_sys_open_by_handle_at do_handle_open handle_to_path may_decode_fh is_mounted [mount::mnt_ns access] [mount::mnt_ns access] __do_sys_close fput_close_sync __fput dissolve_on_fput umount_tree class_namespace_excl_destructor namespace_unlock free_mnt_ns mnt_ns_tree_remove call_rcu(mnt_ns_release_rcu) mnt_ns_release_rcu mnt_ns_release kfree [mnt_namespace::user_ns access] **UAF** Fix it by taking rcu_read_lock() around the mount::mnt_ns access, like in __prepend_path(). Additionally, document the semantics of mount::mnt_ns, and use WRITE_ONCE() for writers that can race with lockless readers. This bug is unreachable unless one of the following is set: - CONFIG_PREEMPTION - CONFIG_RCU_STRICT_GRACE_PERIOD because it requires an RCU grace period to happen during a syscall without an explicit preemption. This doesn't seem to have interesting security impact; worst-case, it could leak the result of an integer comparison to userspace (from the level check in cap_capable()), cause an endless loop, or crash the kernel by dereferencing an invalid address.

Linux Denial Of Service
NVD VulDB
EPSS
0.2%
CVE-2026-53340 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: i2c: imx: fix clock and pinctrl state inconsistency in runtime PM In i2c_imx_runtime_suspend(), the clock is disabled before switching the pinctrl state to sleep. If pinctrl_pm_select_sleep_state() fails, the runtime suspend is aborted but the clock remains disabled, causing a system crash when the hardware is subsequently accessed. Fix this by switching the pinctrl state before disabling the clock so that a pinctrl failure leaves the clock enabled and the hardware accessible. In i2c_imx_runtime_resume(), restore the pinctrl state back to sleep if clk_enable() fails to keep the consistent.

Linux Denial Of Service
NVD VulDB
EPSS
0.2%
CVE-2026-53339 PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: i2c: qcom-cci: Fix NULL pointer dereference in cci_remove() On all modern platforms Qualcomm CCI controller provides two I2C masters, and on particular boards only one I2C master may be initialized, and in such cases the device unbinding or driver removal causes a NULL pointer dereference, because cci_halt() is called for all two I2C masters, but a completion is initialized only for the single enabled master: % rmmod i2c-qcom-cci Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 <snip> Call trace: __wait_for_common+0x194/0x1a8 (P) wait_for_completion_timeout+0x20/0x2c cci_remove+0xc4/0x138 [i2c_qcom_cci] platform_remove+0x20/0x30 device_remove+0x4c/0x80 device_release_driver_internal+0x1c8/0x224 driver_detach+0x50/0x98 bus_remove_driver+0x6c/0xbc driver_unregister+0x30/0x60 platform_driver_unregister+0x14/0x20 qcom_cci_driver_exit+0x18/0x1008 [i2c_qcom_cci] ....

Linux Denial Of Service Qualcomm
NVD VulDB
EPSS
0.2%
CVE-2026-53338 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: net: airoha: Add NULL check for of_reserved_mem_lookup() in airoha_qdma_init_hfwd_queues() of_reserved_mem_lookup() may return NULL if the reserved memory region referenced by the "memory-region" phandle is not found in the reserved memory table (e.g. due to a misconfigured DTS or a removed memory-region node). The current code dereferences the returned pointer without checking for NULL, leading to a kernel NULL pointer dereference at the following lines: dma_addr = rmem->base; // line 1156 num_desc = div_u64(rmem->size, buf_size); // line 1160 Add a NULL check after of_reserved_mem_lookup() and return -ENODEV if the lookup fails, which is consistent with the existing error handling for of_parse_phandle() failure in the same code block.

Linux Denial Of Service
NVD VulDB
EPSS
0.2%
CVE-2026-53337 PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix NULL pointer dereference in bond_do_ioctl() In bond_do_ioctl(), slave_dev is obtained via __dev_get_by_name() which can return NULL if the requested interface name does not exist. However, the subsequent slave_dbg() call is placed before the NULL check: slave_dev = __dev_get_by_name(net, ifr->ifr_slave); slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev); //here if (!slave_dev) return -ENODEV; The slave_dbg() macro expands to netdev_dbg(bond_dev, "(slave %s): " fmt, (slave_dev)->name, ...) which unconditionally dereferences slave_dev->name before the NULL check is performed. This results in a NULL pointer dereference kernel oops when a user calls bonding ioctl (e.g. SIOCBONDENSLAVE, SIOCBONDRELEASE, etc.) with a non-existent slave interface name. This is reachable from userspace via the bonding ioctl interface with CAP_NET_ADMIN capability, making it a potential local denial-of-service vector. Fix by moving the slave_dbg() call after the NULL check.

Linux Denial Of Service
NVD VulDB
EPSS
0.2%
CVE-2026-53904 MEDIUM This Month

Account denial-of-service in MyComplianceOffice MCO 25.3.3.1 enables a remote attacker to permanently lock a targeted user out of their account by repeatedly triggering password resets. MCO's reset mechanism invalidates all previously set passwords and temporary credentials on every reset cycle, and imposes no rate limit on how frequently resets can be initiated - so once an attacker supplies the victim's email and a valid security question answer, they can sustain the lockout indefinitely. No public exploit has been identified at time of analysis, and active exploitation is not confirmed, but the attack is conceptually simple and requires no authentication beyond the security question hurdle.

Denial Of Service Mco
NVD
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-14181 HIGH PATCH This Week

Denial of service in @fastify/middie 9.1.0 through 9.3.2 lets remote unauthenticated attackers crash the Node.js process by sending request paths with malformed percent-encoded sequences. The standalone engine's URL normalization step fails to catch a synchronous decoder exception, terminating the process and taking down all connected clients until manual restart. Only applications that invoke middie.run directly on the standalone engine API are affected; there is no public exploit identified at time of analysis, and no EPSS or KEV data was provided.

Node.js Denial Of Service Fastify Middie
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-14258 MEDIUM This Month

Denial of service in dhcpcd's IPv6 Neighbor Discovery Router Advertisement parser allows an adjacent unauthenticated attacker to exhaust CPU resources on any host running dhcpcd with IPv6 enabled. The flaw (CWE-835 - infinite loop) arises because a zero-length Neighbor Discovery option passes initial storage validation but is later reparsed without sufficient bounds enforcement, causing the parser to loop indefinitely without advancing. No active exploitation is confirmed (not in CISA KEV), but the adjacent-network attack vector and zero-privilege requirement make this actionable on shared Layer-2 environments such as enterprise Wi-Fi, cloud VLANs, and data-center segments.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-7831 HIGH This Week

Denial of service in the UltraVNC viewer (vncviewer) through 1.8.2.2 arises from an off-by-one stack buffer overflow in the RFB ServerInit message handler, where a malicious VNC server advertising a desktop name of exactly 2024 bytes forces ReadString to write a NUL terminator at _dn[2024], one byte past a 2024-byte stack buffer. A rogue or compromised server can crash victims who connect to it (reliable process termination on /GS-hardened builds) and potentially corrupt adjacent stack data on canary-less release builds. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; exploitation requires the victim to initiate a connection to the attacker-controlled server.

Denial Of Service Buffer Overflow Ultravnc
NVD GitHub
CVSS 3.1
7.6
EPSS
0.4%
CVE-2026-44041 MEDIUM This Month

Out-of-bounds read in UltraVNC through version 1.8.2.2 allows network-authenticated attackers to potentially crash the VNC server process or leak adjacent memory content via the vncWc2Mb() wide-string conversion helper in rfb/dh.cpp at line 204. The flaw is triggered when wcslen() is called on a caller-supplied WCHAR pointer without a preceding bounds check, enabling memory over-reads if the buffer lacks proper NUL termination. No public exploit code or active exploitation has been identified at time of analysis; the vendor's CVSS 4.3 (Medium) rating reflects the constrained and largely denial-of-service-oriented impact.

Denial Of Service Buffer Overflow Information Disclosure Ultravnc
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-20461 MEDIUM This Month

Out-of-bounds write in MediaTek modem firmware allows a network-adjacent attacker controlling a rogue cellular base station to remotely crash affected User Equipment (UE), resulting in denial of service. Thirty-three distinct MediaTek chipsets - spanning flagship mobile SoCs (MT6991, MT6989, MT6985) to tablet and IoT chipsets (MT8795T, MT8893) - contain the vulnerable modem component identified under Patch IDs MOLY01267281 and MOLY01318201. No public exploit code has been identified at time of analysis, and the attack is non-trivial due to the requirement for attacker-controlled cellular infrastructure, but the sheer deployment scale of affected chipsets across Android devices makes the aggregate exposure significant.

Memory Corruption Denial Of Service Buffer Overflow Mediatek Chipset
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-20459 MEDIUM This Month

Remote denial-of-service in MediaTek modem firmware across 80+ chipset families allows an attacker operating a rogue cellular base station to crash affected devices by sending malformed input the modem fails to validate. The vulnerability (CWE-288) requires no privileges on the target device and no user interaction - a device that autonomously connects to the attacker's false base station is sufficient. No public exploit code has been identified at time of analysis, and SSVC classifies exploitation status as none, though the widespread chipset deployment across Android handsets and IoT hardware makes the affected attack surface extremely broad.

Denial Of Service Mediatek Chipset
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-20457 MEDIUM This Month

Remote denial of service in the MediaTek Modem firmware component affects approximately 60 chipset models via a null pointer dereference triggered when a target device connects to a rogue cellular base station. An attacker controlling a fake eNodeB or gNodeB can transmit crafted modem protocol messages that cause improper input validation to fail, crashing the modem and stripping affected devices of cellular connectivity. No public exploit has been identified at time of analysis, and CISA SSVC rates current exploitation status as none, indicating this remains a theoretical but technically feasible threat for well-resourced actors.

Denial Of Service Null Pointer Dereference Mediatek Chipset
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57962 MEDIUM This Month

A malicious LDAP server, which a Thunderbird user is configured to query for address-book autocomplete, can stash arbitrarily large amounts of attacker-supplied data into the Thunderbird LDAP client until it crashes due to memory exhaustion. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.

Mozilla Thunderbird Denial Of Service
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-36910 MEDIUM This Month

An access violation in the BaseSplitterFile::Read function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Denial Of Service N A Buffer Overflow
NVD GitHub
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-36911 MEDIUM This Month

A division-by-zero vulnerability in the CStreamSwitcherOutputPin::DecideBufferSize function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Denial Of Service N A
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-36912 HIGH This Week

Denial of service in Aleksoid1978 MPC-BE (Media Player Classic - Black Edition) prior to commit 4341cb3 lets an attacker crash the player by supplying a crafted MP4 file that triggers a NULL pointer dereference in the bundled Bento4 AP4_AtomSampleTable::GetSample() routine. A proof-of-concept is referenced (SSVC exploitation: poc), but there is no public exploit identified as weaponized and it is not in CISA KEV; impact is limited to availability with no code execution, data disclosure, or integrity loss. EPSS is low at 0.15% (5th percentile), consistent with a crash-only bug that requires a victim to open a malicious file.

Denial Of Service Null Pointer Dereference N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-36909 MEDIUM This Month

A NULL pointer dereference in the AP4_TkhdAtom::GetTrackId() function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Denial Of Service N A Null Pointer Dereference
NVD GitHub
CVSS 3.1
6.2
EPSS
0.2%
CVE-2026-52198 HIGH This Week

Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_425994 component

Denial Of Service Buffer Overflow
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52193 HIGH This Week

Denial of service in the UTT nv518G gateway/router (firmware nv518GV3v3.2.7-210919-161313) allows a remote attacker to crash the device by triggering a buffer overflow in the gohead/sub_447CAC web-server routine. Publicly available exploit code exists (referenced GitHub CVEreport analysis) but it is not listed in CISA KEV; EPSS is low at 0.22% (13th percentile), indicating no observed widespread exploitation. Note a data conflict: the description and tags describe a DoS, yet the supplied CVSS vector encodes a confidentiality impact (C:H/A:N) rather than availability.

Denial Of Service Buffer Overflow
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-14149 HIGH PATCH This Week

Use after free in Audio in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14121 CRITICAL PATCH Act Now

Remote code execution in Google Chrome's Chromoting (Chrome Remote Desktop) component on Linux, fixed in 150.0.7871.47, lets a remote attacker corrupt memory via crafted network traffic and potentially run arbitrary code. The flaw is a CWE-416 use-after-free reported by Google's internal Chrome security team; there is no public exploit identified at time of analysis and it is not in CISA KEV. Note a signal conflict: NVD scores this 9.8 (Critical) while Chromium itself rated the security severity 'Low', and EPSS is only 0.20% (10th percentile).

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-14113 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome for Windows before 150.0.7871.47 lets an attacker who has already compromised the renderer process abuse a use-after-free in the Updater component via a crafted HTML page to break out of the browser sandbox. It is a second-stage bug that Chromium rated only Low severity despite the CVSS 9.6 score, with no public exploit identified at time of analysis and a low EPSS probability of 0.18% (8th percentile). Google has shipped a fixed Stable-channel build.

Memory Corruption Google Microsoft Denial Of Service Use After Free +1
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14111 HIGH PATCH This Week

Use after free in WebProtect in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Low)

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-14108 HIGH PATCH This Week

Use after free in PDFium in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14107 HIGH PATCH This Week

Remote code execution in Google Chrome desktop before 150.0.7871.47 stems from a use-after-free in the Scheduling component, letting a remote attacker run arbitrary code within the renderer sandbox when a victim opens a crafted HTML page. There is no public exploit identified at time of analysis and the vulnerability is not in CISA KEV; EPSS is low at 0.21% (12th percentile). Google rates the Chromium security severity as Low despite the NVD CVSS of 8.8, reflecting that code execution is confined to the sandbox rather than the host.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14103 MEDIUM PATCH This Month

Use-after-free in Chrome's SSL handling on ChromeOS exposes process memory contents to remote attackers who can serve a crafted HTML page. Only ChromeOS builds of Chrome prior to 150.0.7871.47 are affected - this is not a cross-platform flaw. SSVC rates exploitation status as none and technical impact as partial, and Chromium's own severity classification is Low, making this a routine patch-cycle priority rather than an emergency response item despite the CVSS 6.5 score.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14102 HIGH PATCH This Week

Heap corruption via use-after-free in Google Chrome's Passwords component affects all desktop builds prior to 150.0.7871.47, letting a remote attacker who lures a victim to a crafted HTML page potentially achieve memory corruption and code execution in the renderer. The CVSS 3.1 vector (8.8) requires user interaction (visiting the page) but no privileges or authentication. No public exploit identified at time of analysis, and the low EPSS score (0.17%, 7th percentile) plus Chromium's own 'Low' severity rating suggest limited real-world exploitation likelihood despite the high CVSS.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14099 HIGH PATCH This Week

Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)

Memory Corruption Google Apple Denial Of Service Use After Free +1
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14094 HIGH PATCH This Week

Use after free in Installer in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Low)

Memory Corruption Google Microsoft Denial Of Service Use After Free +2
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-14093 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Cast component (versions prior to 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page, exploiting a use-after-free (CWE-416) memory-corruption bug. Google's Chromium team rated the security severity as Low, and while NVD assigns a 9.6 CVSS reflecting full sandbox-escape impact, exploitation is gated behind a pre-existing renderer compromise. No public exploit was identified at time of analysis, EPSS is very low at 0.17% (7th percentile), and there is no CISA KEV listing.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14091 HIGH PATCH This Week

Use after free in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14067 HIGH PATCH This Week

Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)

Memory Corruption Google Apple Denial Of Service Use After Free +2
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-14064 HIGH PATCH This Week

Use after free in PageInfo in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-14048 MEDIUM PATCH This Month

Use-after-free in Chrome's Chromecast component exposes process memory to attackers on the same local network segment via a malicious peripheral, affecting all Chrome versions prior to 150.0.7871.47. The vulnerability carries a CVSS 3.1 score of 6.5 with high confidentiality impact (C:H), meaning successful exploitation leaks potentially sensitive data from the Chrome process heap. No public exploit or CISA KEV listing is identified at time of analysis, and Google has released a patch in the stable channel.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-14044 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 150.0.7871.47) lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) and is second-stage: it is not directly exploitable from the open web without a prior renderer compromise. No public exploit has been identified at time of analysis, and its EPSS exploitation probability is low (0.17%, 7th percentile); notably, Google rated the Chromium security severity as Low despite the NVD CVSS of 9.6.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14043 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's GetUserMedia (media capture) implementation before version 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) reported by Google's own security team; despite an NVD CVSS of 9.6, Chromium rates its severity Low, and there is no public exploit identified at time of analysis with an EPSS of only 0.17% (7th percentile).

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14040 HIGH PATCH This Week

Heap corruption in Google Chrome's BrowserTag component affects all desktop builds prior to 150.0.7871.47, where a use-after-free (CWE-416) can be triggered by a crafted Chrome extension. An attacker who convinces a victim to install a malicious extension can potentially exploit the freed-memory condition to corrupt the heap and execute code. No public exploit identified at time of analysis, and EPSS is low (0.12%, 2nd percentile), consistent with the Chromium team's own 'Low' severity rating despite the NVD CVSS of 8.8.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-14032 HIGH PATCH This Week

Use after free in Bluetooth in Google Chrome on Mac prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Low)

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-14027 HIGH PATCH This Week

Use-after-free in Google Chrome's SignIn component (versions prior to 150.0.7871.47) allows a remote attacker to trigger heap corruption and potentially achieve code execution after luring a victim to a crafted HTML page and performing specific UI gestures. No public exploit was identified at time of analysis, and with an EPSS of 0.17% (7th percentile) and Chromium-rated 'Low' severity, near-term mass exploitation appears unlikely despite the high 8.8 CVSS. The flaw is patched in the current stable channel and is not listed in CISA KEV.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14025 HIGH PATCH This Week

Heap corruption in Google Chrome's Views UI framework on macOS (versions before 150.0.7871.47) lets a remote attacker who lures a victim to a crafted HTML page and coaxes them into specific UI gestures trigger a use-after-free, potentially achieving code execution in the renderer. Google rates the Chromium severity as Low, but the NVD CVSS is 8.8 (High), and no public exploit has been identified at time of analysis. EPSS is low at 0.21% (11th percentile), and the flaw is not in CISA KEV.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14024 HIGH PATCH This Week

Use-after-free in Google Chrome's Ozone component on Linux prior to 150.0.7871.47 lets a remote attacker trigger heap corruption after luring a user to a crafted HTML page and inducing specific UI gestures. Rated CVSS 8.8 with high confidentiality, integrity and availability impact, it is patched in the stable channel but requires user interaction (UI:R). No public exploit is identified at time of analysis and EPSS exploitation probability is low (0.21%, 11th percentile), and Google classifies the Chromium severity as Medium.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14018 HIGH PATCH This Week

Local privilege escalation in Google Chrome's Updater component on Windows (versions prior to 150.0.7871.47) allows a local attacker to escalate to OS-level privileges via a malicious file that triggers a use-after-free condition. Google rates the Chromium security severity as Medium, though the CVSS base score is 7.8 (High) because the Updater runs with elevated (SYSTEM) privileges. There is no public exploit identified at time of analysis and EPSS is very low (0.11%, 1st percentile), indicating negligible observed exploitation activity.

Memory Corruption Google Microsoft Denial Of Service Use After Free +2
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-14006 HIGH PATCH This Week

Use after free in Navigation in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14005 HIGH PATCH This Week

Use after free in Omnibox in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13965 HIGH PATCH This Week

Use after free in Oilpan in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13918 HIGH PATCH This Week

Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption Google Apple Denial Of Service Use After Free +1
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13915 HIGH PATCH This Week

Heap corruption in Google Chrome for iOS before 150.0.7871.47 lets a remote attacker who lures a user through specific in-page UI gestures on a crafted HTML page trigger a use-after-free (CWE-416), potentially leading to arbitrary code execution in the renderer. Rated Medium by the Chromium security team but scored CVSS 8.8 due to full confidentiality/integrity/availability impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. EPSS is low at 0.21% (11th percentile), consistent with a freshly patched browser bug that has no known weaponization.

Memory Corruption Google Apple Denial Of Service Use After Free +1
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13899 HIGH PATCH This Week

Use after free in HTML in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13898 HIGH PATCH This Week

Sandboxed remote code execution in Google Chrome's Cast Receiver component affects all desktop builds prior to 150.0.7871.47, where a use-after-free (CWE-416) can be triggered by luring a victim to a crafted HTML page. Google rates the Chromium severity as Medium because the resulting code execution is confined to the browser sandbox, though NVD scores it CVSS 8.8; there is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.27% (18th percentile).

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13888 HIGH PATCH This Week

Use-after-free in the Extensions component of Google Chrome before 150.0.7871.47 lets a remote attacker execute arbitrary code within the renderer sandbox when a victim opens a crafted HTML page. Chromium rated the security severity Medium, though the associated CVSS score is 8.8 (High) due to network vector and high impact; there is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.26%. Google has shipped a fixed Stable channel build.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13885 HIGH PATCH This Week

Sandboxed remote code execution in Google Chrome for Android before 150.0.7871.47, stemming from a use-after-free in the Skia graphics library, lets a remote attacker run arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. Google rated the Chromium security severity as Medium, and no public exploit has been identified at time of analysis; the EPSS score is low (0.26%, 17th percentile), and the bug is not on CISA KEV. Exploitation requires user interaction (visiting the malicious page) but no authentication.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13880 CRITICAL PATCH Act Now

Use after free in USB in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13879 MEDIUM PATCH This Month

Use-after-free in Google Chrome's Bluetooth subsystem (all versions prior to 150.0.7871.47) enables an unauthenticated attacker within Bluetooth radio range to leak sensitive data from Chrome's process memory by operating a malicious Bluetooth peripheral. The CVSS vector (AV:A/PR:N/UI:N/C:H) confirms no attacker-side authentication is required and impact is confidentiality-only, with no integrity or availability loss. No public exploit code has been identified at time of analysis and CISA has not listed this in KEV; the Chromium security team rated this Medium severity, consistent with the bounded adjacency-only attack vector.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-13878 CRITICAL PATCH Act Now

Use after free in Bluetooth in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13870 HIGH PATCH This Week

Sandboxed remote code execution in the WebView component of Google Chrome for Android before 150.0.7871.47 lets a remote attacker run arbitrary code within the renderer sandbox when a victim loads a crafted HTML page. Rated CVSS 8.8 (network vector, no privileges, requires user interaction), the flaw is a CWE-416 use-after-free, but code execution is confined to the sandbox and would require a separate escape to reach the host. No public exploit identified at time of analysis, and EPSS is low at 0.26% (17th percentile), indicating limited near-term mass-exploitation pressure despite the high base score.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13869 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Device component on Windows (versions prior to 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page, exploiting a use-after-free (CWE-416). Google rates the Chromium security severity as Medium, reflecting that it is a second-stage bug requiring prior renderer compromise, though the NVD CVSS of 9.6 is inflated by the sandbox scope change. There is no public exploit identified at time of analysis and EPSS is low (0.21%), indicating no current sign of widespread exploitation.

Memory Corruption Google Microsoft Denial Of Service Use After Free +1
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13861 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of the browser sandbox and reach the host via a crafted HTML page, exploiting a use-after-free (CWE-416) in the Core component. Google-assigned Chromium severity is Medium, though the NVD CVSS is 9.6 due to the cross-boundary scope change. No public exploit identified at time of analysis, and EPSS is low (0.21%, 11th percentile), indicating it is not yet a mass-exploitation target.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13855 HIGH PATCH This Week

Remote code execution in Google Chrome on Linux (versions prior to 150.0.7871.47) stems from a use-after-free in the Ozone platform layer, allowing a remote attacker who lures a victim into performing specific UI gestures on a crafted HTML page to execute arbitrary code in the browser context. Rated High by Chromium and CVSS 7.5, exploitation is gated by required user interaction and high attack complexity. There is no public exploit identified at time of analysis, and the EPSS probability is low at 0.26% (17th percentile).

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-13854 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on Linux (versions prior to 150.0.7871.47) stems from a use-after-free in Ozone, Chrome's platform abstraction layer for windowing and graphics. An attacker who has already compromised the renderer process can leverage a crafted HTML page to break out of the browser sandbox and gain code execution at the higher-privileged browser-process level. There is no public exploit identified at time of analysis, and the EPSS score is low (0.21%, 11th percentile), consistent with a second-stage bug that requires a prior renderer compromise rather than a directly weaponizable single-shot flaw.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13853 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome desktop before 150.0.7871.47 stems from a use-after-free in the Journeys (browsing history) component, allowing a remote attacker who has already compromised the renderer process to break out of the sandbox and gain broader code execution on the host via a crafted HTML page. Rated High severity by Chromium and CVSS 9.6, a fix is available from vendor; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.21%, 11th percentile). Exploitation is meaningful only as the second stage of a chain, since it presupposes prior renderer compromise.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13848 HIGH PATCH This Week

Remote code execution in Google Chrome desktop before 150.0.7871.47 stems from a use-after-free in the Forms component, letting a remote attacker who lures a victim to a crafted HTML page corrupt memory and execute arbitrary code within the browser's renderer sandbox. Chromium rates the flaw High severity, CVSS 8.8, requiring only that the user visit a malicious page; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.26%, 17th percentile). A vendor patch is available in the June 2026 Stable channel release.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVSS 5.3
MEDIUM PATCH This Month

{id}/release` still call `json.NewDecoder(r.Body)` with no body-size cap, allowing a remote unauthenticated attacker to drive process RSS from ~8 MB baseline to ~450 MB with a single 16 MB request (~28× amplification), with no memory recovery between requests. A working proof-of-concept with exact reproduction steps is published in the advisory; no KEV status confirmed at time of analysis.

Denial Of Service Docker
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Unauthenticated webhook request forgery in Rancher Fleet (GitOps controller for Kubernetes) lets remote attackers manipulate GitRepo processing when the webhook endpoint is configured without a shared secret. Because the repository URL and path received from webhooks are used unsanitized as a regex replacement (CWE-345), an attacker who does not know the configured repository can force continuous re-cloning to exhaust management-cluster resources (DoS), and - if they have read access to the target Git repo and know its path - can downgrade running workloads to any historical revision. No public exploit is identified at time of analysis and it is not listed in CISA KEV; SUSE/Rancher has released fixed versions.

Denial Of Service
NVD GitHub VulDB
EPSS 1% CVSS 8.3
HIGH PATCH Exploit Unlikely This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw that lets an authorized attacker run arbitrary code over a network within the browser process. Microsoft has shipped an official fix and rates it CVSS 8.3; the exploit-maturity metric is Unproven (E:U), meaning no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is high to confidentiality and integrity with partial availability loss, making it a meaningful but not emergency patch priority for Edge-based endpoints.

Memory Corruption Google Microsoft +3
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Remote denial of service in pion/dtls (Go's DTLS implementation) versions prior to 3.1.4 allows an unauthenticated network attacker to crash any application built on this library by sending a crafted ECDHE_PSK ServerKeyExchange message during the DTLS handshake. The CWE-125 out-of-bounds read triggers a Go runtime panic, immediately terminating the host process. No public exploit code has been identified and this vulnerability is not listed in CISA KEV; a vendor-released patch exists in version 3.1.4.

Denial Of Service Buffer Overflow Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Uncontrolled resource consumption in ImageMagick (all versions prior to 6.9.13-51 and 7.1.2-26) allows a denial-of-service condition by supplying invalid arguments to the connected-components processing option, which causes an infinite loop that exhausts CPU resources indefinitely. The vulnerability requires local access, user interaction, and high attack complexity, confining realistic risk to environments where untrusted input can influence ImageMagick invocations - such as automated image-processing pipelines or web applications that expose connected-components functionality. Vendor-released patches exist for both the 6.x and 7.x branches; no public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis.

Denial Of Service Imagemagick
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Stack overflow in ImageMagick's MVG decoder prior to versions 6.9.13-51 and 7.1.2-26 allows remote unauthenticated attackers to crash image-processing services by submitting a crafted MVG image file. The root cause is a missing depth check in the MVG decoder (CWE-400), enabling unbounded recursion that exhausts stack memory. No active exploitation has been confirmed and no public exploit code has been identified at time of analysis, but the zero-friction attack surface - any application accepting image uploads with unpatched ImageMagick - makes patching a practical priority.

Denial Of Service Imagemagick
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Fleet policy management in Kibana is vulnerable to denial of service through insufficient validation of user-supplied policy inputs. An authenticated Kibana user with Fleet write access can submit a specially crafted Fleet policy input that bypasses server-side validation, rendering Fleet agent management, server operations, and policy configuration unavailable. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, the low authentication bar (any valid low-privilege account) and network accessibility make it a meaningful operational risk for organizations relying on Elastic Agent deployments.

Elastic Denial Of Service Kibana
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in Elastic Fleet Server (versions 8.0.0-8.19.10 and 9.0.0-9.2.4) allows remote attackers to exhaust memory by sending a specially crafted request to an upload endpoint, driving excessive allocation until the server becomes unresponsive. The flaw is a resource-throttling failure (CWE-770) with availability-only impact and no confidentiality or integrity loss. No public exploit identified at time of analysis; EPSS is low (0.30%, 22nd percentile) and CISA SSVC records no observed exploitation.

Denial Of Service Fleet Server
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Elasticsearch's machine learning API contains an unbounded resource allocation flaw that allows an authenticated user with elevated privileges to crash an affected node by submitting a specially crafted ML request over the network. The absence of throttling or quota enforcement on ML request memory consumption (CWE-770) means the node's JVM heap can be exhausted, rendering it unavailable without any confidentiality or integrity exposure. No public exploit code has been identified at the time of analysis, and this vulnerability does not appear in the CISA KEV catalog.

Elastic Denial Of Service Elasticsearch
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Denial of service in Elasticsearch allows any authenticated user to crash an affected cluster node by submitting a specially crafted query that triggers uncontrolled recursion during query processing. Excessive resource consumption during request handling can render the targeted node unavailable, disrupting search and indexing operations for all dependent applications. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the low privilege requirement makes it accessible to any user with query access.

Elastic Denial Of Service Elasticsearch
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Denial of service in Kibana allows any authenticated user with low-privilege access to exhaust server resources via a specially crafted bulk deletion request, potentially rendering the Kibana interface completely unavailable. Affected are Kibana deployments prior to versions 8.19.15 and 9.3.4 across both the 8.x and 9.x release branches. The vulnerability requires no special configuration to be present and no user interaction beyond submitting the malicious request, making it reliably triggerable by any valid Kibana account holder. No public exploit or CISA KEV listing identified at time of analysis.

Elastic Denial Of Service Kibana
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in ClamAV's InstallShield file format parser allows a remote, unauthenticated attacker (per CVSS PR:N) to crash the scanning engine and temporarily exhaust system resources by submitting a specially crafted InstallShield file for scanning. The flaw stems from improper handling of temporary resources during file scanning (CWE-770), impacting availability only (C:N/I:N/A:H) with no code execution or data exposure. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network attack vector and low complexity make it easy to trigger anywhere ClamAV automatically scans attacker-supplied files.

Denial Of Service Secure Endpoint Clamav +2
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Sustained CPU exhaustion in Elasticsearch allows an authenticated low-privilege user to render an affected node unresponsive by submitting a specially crafted bulk request to the _bulk API endpoint. The root cause is CWE-400 (Uncontrolled Resource Consumption), whereby the bulk request processing path fails to bound CPU allocation per request, aligning with CAPEC-130 (Excessive Allocation). No public exploit identified at time of analysis, and no KEV listing exists; however, the low attack complexity and standard network accessibility of the bulk API make this a credible insider or compromised-credential threat in production environments.

Elastic Denial Of Service Elasticsearch
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in Apache HttpComponents Core (HttpCore) 5.0-alpha through 5.4.2 and the 5.5 beta line up to 5.5-beta1 allows a remote unauthenticated attacker to exhaust server memory by sending HTTP/1.1 messages containing an excessive number of headers or excessively long headers. The HTTP/1.1 message parser accumulates this header data without enforcing sane bounds, letting a single crafted request drive availability loss (CVSS 7.5, A:H only). There is no public exploit identified at time of analysis, and CISA's SSVC assessment rates exploitation as 'none' with only partial technical impact.

Denial Of Service Apache Httpcomponents Core
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Memory exhaustion denial-of-service in Apache HttpComponents Core's HTTP/2 HPACK decoder allows remote attackers to crash Java services by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement is processed. The root cause is a timing gap in the connection handshake: the server's configured maximum header list size limit is not enforced until after the SETTINGS ACK exchange completes, leaving a window during which an attacker can flood the decoder with arbitrarily large compressed header data. Affected artifacts are org.apache.httpcomponents.core5:httpcore5-h2 versions 5.4.2 and earlier and 5.5-beta1 and earlier. No public exploit or CISA KEV listing has been identified at time of analysis.

Denial Of Service Apache Httpcomponents Core
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Authentication bypass in NVIDIA AIStore, a scalable distributed object-storage framework for AI/ML data pipelines, lets a remote attacker circumvent access controls (CWE-290) and reach protected functionality without valid credentials. Because the flaw yields full confidentiality, integrity, and availability impact (CVSS 9.8), successful exploitation can enable information disclosure of stored datasets, tampering with training data, privilege escalation, and denial of service. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass Nvidia Denial Of Service +2
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

Denial of service in NVIDIA Triton Inference Server for Linux (versions through 26.03) allows a remote attacker to crash the service by triggering a use-after-free (CWE-416) condition, per the NVIDIA product-security advisory. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/A:H) indicates network-reachable, unauthenticated exploitation with high availability impact but no confidentiality or integrity effect. No public exploit identified at time of analysis, and CISA SSVC rates exploitation status as 'none' with an EPSS of 0.54% (41st percentile), consistent with no observed activity.

Memory Corruption Nvidia Denial Of Service +2
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

Denial of service in NVIDIA Triton Inference Server for Linux allows remote unauthenticated attackers to exhaust server resources by submitting highly compressed (data-amplification / decompression-bomb) input that the server improperly handles during decompression. The flaw (CWE-409) affects the Linux distribution of Triton and carries a CVSS 7.5 (availability-only impact); there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is limited to availability - no confidentiality or integrity loss.

Nvidia Denial Of Service Triton Inference Server
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stack exhaustion via multiple unbounded alloca() calls in the PulseAudio protocol server on Red Hat Enterprise Linux 8, 9, and 10 allows a local low-privileged attacker to crash the audio daemon, resulting in denial of service. The root cause (CWE-770) is the absence of size validation on attacker-controlled protocol parameters before passing them to alloca(), a stack-based allocator with no OS-enforced ceiling. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 8 +3
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Denial-of-service via NULL pointer dereference in PipeWire's RAOP (Remote Audio Output Protocol) module affects Red Hat Enterprise Linux 8, 9, and 10. The RAOP module fails to enforce an upper bound on Content-Length values in incoming requests and does not validate the return value of pw_array_add(); when a sufficiently large Content-Length triggers an allocation failure, the unchecked NULL return causes a crash of the PipeWire daemon, resulting in complete loss of audio services. No special authentication is required from the adjacent network, and no public exploit or CISA KEV listing has been identified at time of analysis.

Denial Of Service Null Pointer Dereference Red Hat Enterprise Linux 10 +4
NVD
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Denial of service in HP Poly Voice IP endpoints (CCX, Trio C60, and Edge E series) allows an attacker operating or impersonating a SIP server to render affected devices inoperable by returning malformed data during SIP signaling. The flaw is an uncontrolled-resource-consumption / improper-input-handling issue (CWE-400) that crashes or hangs the phone, disrupting voice service. HP has published advisory hpsbpy04096 and is releasing firmware updates; no public exploit is identified at time of analysis and the issue is not listed in CISA KEV.

HP Denial Of Service Ccx +2
NVD VulDB
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Arbitrary file write in the Feast Feature Server's `/save-document` endpoint lets an unauthenticated remote attacker write attacker-controlled JSON to the host filesystem, bypassing the endpoint's path restrictions to overwrite application configuration or startup scripts. Because no credentials are required (CVSS 9.1, PR:N), any network-reachable attacker can corrupt system integrity, cause denial of service through disk exhaustion, or potentially achieve remote code execution. This flaw also ships in Red Hat OpenShift AI (RHOAI), which bundles Feast; there is no public exploit identified at time of analysis and it is not in CISA KEV.

Authentication Bypass Denial Of Service RCE +2
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM This Month

Unbounded mount-time loop in FatFs prior to R0.16 allows physical attackers to cause a denial of service by presenting a crafted GPT disk image with an arbitrarily large GPTH_PtNum partition count field. The flaw is present only in builds where the FF_LBA64 = 1 compile-time flag is set, enabling 64-bit LBA and GPT scanning support. A public proof-of-concept is available from runZero; no confirmed active exploitation (CISA KEV) has been observed, and SSVC categorizes technical impact as partial, limited to availability.

Denial Of Service Fatfs
NVD GitHub
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: ASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions sdca_dev_unregister_functions() iterates over all SDCA function descriptors and calls sdca_dev_unregister() on each func_dev without checking for NULL. When a function registration has failed partway through, or the device cleanup races with probe deferral, func_dev entries may be NULL, leading to a kernel oops: BUG: kernel NULL pointer dereference, address: 0000000000000040 RIP: 0010:device_del+0x1e/0x3e0 Call Trace: sdca_dev_unregister_functions+0x37/0x60 [snd_soc_sdca] release_nodes+0x35/0xb0 devres_release_all+0x90/0x100 device_unbind_cleanup+0xe/0x80 device_release_driver_internal+0x1c1/0x200 bus_remove_device+0xc6/0x130 device_del+0x161/0x3e0 device_unregister+0x17/0x60 sdw_delete_slave+0xb6/0xd0 [soundwire_bus] sdw_bus_master_delete+0x1e/0x50 [soundwire_bus] ... sof_probe_work+0x19/0x30 [snd_sof] This was observed on a Lenovo ThinkPad X1 Carbon G14 (Panther Lake) with the SOF audio driver probe failing due to missing Panther Lake firmware, causing the subsequent cleanup of SoundWire devices to trigger the crash. Fix this with three changes: 1) Add a NULL guard in sdca_dev_unregister() so that callers do not need to pre-validate the pointer (defense in depth). 2) In sdca_dev_unregister_functions(), skip NULL func_dev entries and clear func_dev to NULL after unregistration, making the function idempotent and safe against double-invocation. 3) In sdca_dev_register_functions(), roll back all previously registered functions when a later one fails, so the function array is never left in a partially-populated state.

Linux Lenovo Denial Of Service
NVD VulDB
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: drm/virtio: Fix driver removal with disabled KMS DRM atomic and modesetting aren't initialized if virtio-gpu driver built with disabled KMS, leading to access of uninitialized data on driver removal/unbinding and crashing kernel. Fix it by skipping shutting down atomic core with unavailable KMS.

Linux Denial Of Service
NVD VulDB
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: rust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES Due to a rustc bug [1] the -Cforce-unwind-tables=y flag only emits the uwtable annotation for functions, but not for the module. This means that compiler-generated functions such as 'asan.module_ctor' do not receive the uwtable annotation. When CONFIG_UNWIND_PATCH_PAC_INTO_SCS is enabled, this leads to boot failures because the dwarf information emitted for the kasan constructors is wrong, which causes the SCS boot patching code to patch the constructor in an illegal manner. Specifically, the paciasp instruction is patched, but the autiasp instruction is not. This mismatch leads to a crash when the constructor is called during boot. ================================================================== BUG: KASAN: global-out-of-bounds in do_basic_setup+0x4c/0x90 Read of size 8 at addr ffffffe3cc7eb488 by task swapper/0/1 Specifically the faulting instruction is the (*fn)() to invoke the constructor in do_ctors() of the init/main.c file. Once the fix lands in rustc, this flag can be made conditional on the rustc version. Note that passing the flag on a rustc with the fix present has no effect. [ The fix [1] has landed for Rust 1.98.0 (expected release on 2026-08-20). Thus add a version check as discussed. - Miguel ] [ Adjusted link and comment. - Miguel ]

Linux Denial Of Service
NVD VulDB
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: pinctrl: mcp23s08: Initialize mcp->dev and mcp->addr before regmap init Regmap initialization triggers regcache_maple_populate() which attempts SPI read to populate cache. SPI read requires mcp->dev and mcp->addr to be set, without them, NULL pointer dereference occurs during probe. Move initialization before mcp23s08_spi_regmap_init() call.

Linux Denial Of Service
NVD VulDB
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow Commit 44e9a3bb76e5 ("ARM: 9430/1: entry: Do a dummy read from VMAP shadow") added a dummy read from the KASAN VMAP stack shadow in __switch_to(). The read uses ldr, but the KASAN shadow address is byte-granular and is not guaranteed to be word aligned. ARMv5 faults unaligned word loads. With CONFIG_KASAN_VMALLOC and CONFIG_VMAP_STACK enabled, ARM926/VersatilePB crashes in __switch_to() with an alignment exception before reaching init. Use ldrb for the dummy shadow access. The code only needs to fault in the shadow mapping if the stack shadow is missing, so a byte load is sufficient and matches the granularity of KASAN shadow memory.

Linux Denial Of Service
NVD VulDB
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh() may_decode_fh() accesses mount::mnt_ns without holding any locks; that means the mount can concurrently be unmounted, and the mnt_namespace can concurrently be freed after an RCU grace period. This race can happens as follows, assuming that the mount point was created by open_tree(..., OPEN_TREE_CLONE): thread 1 thread 2 RCU __do_sys_open_by_handle_at do_handle_open handle_to_path may_decode_fh is_mounted [mount::mnt_ns access] [mount::mnt_ns access] __do_sys_close fput_close_sync __fput dissolve_on_fput umount_tree class_namespace_excl_destructor namespace_unlock free_mnt_ns mnt_ns_tree_remove call_rcu(mnt_ns_release_rcu) mnt_ns_release_rcu mnt_ns_release kfree [mnt_namespace::user_ns access] **UAF** Fix it by taking rcu_read_lock() around the mount::mnt_ns access, like in __prepend_path(). Additionally, document the semantics of mount::mnt_ns, and use WRITE_ONCE() for writers that can race with lockless readers. This bug is unreachable unless one of the following is set: - CONFIG_PREEMPTION - CONFIG_RCU_STRICT_GRACE_PERIOD because it requires an RCU grace period to happen during a syscall without an explicit preemption. This doesn't seem to have interesting security impact; worst-case, it could leak the result of an integer comparison to userspace (from the level check in cap_capable()), cause an endless loop, or crash the kernel by dereferencing an invalid address.

Linux Denial Of Service
NVD VulDB
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: i2c: imx: fix clock and pinctrl state inconsistency in runtime PM In i2c_imx_runtime_suspend(), the clock is disabled before switching the pinctrl state to sleep. If pinctrl_pm_select_sleep_state() fails, the runtime suspend is aborted but the clock remains disabled, causing a system crash when the hardware is subsequently accessed. Fix this by switching the pinctrl state before disabling the clock so that a pinctrl failure leaves the clock enabled and the hardware accessible. In i2c_imx_runtime_resume(), restore the pinctrl state back to sleep if clk_enable() fails to keep the consistent.

Linux Denial Of Service
NVD VulDB
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: i2c: qcom-cci: Fix NULL pointer dereference in cci_remove() On all modern platforms Qualcomm CCI controller provides two I2C masters, and on particular boards only one I2C master may be initialized, and in such cases the device unbinding or driver removal causes a NULL pointer dereference, because cci_halt() is called for all two I2C masters, but a completion is initialized only for the single enabled master: % rmmod i2c-qcom-cci Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 <snip> Call trace: __wait_for_common+0x194/0x1a8 (P) wait_for_completion_timeout+0x20/0x2c cci_remove+0xc4/0x138 [i2c_qcom_cci] platform_remove+0x20/0x30 device_remove+0x4c/0x80 device_release_driver_internal+0x1c8/0x224 driver_detach+0x50/0x98 bus_remove_driver+0x6c/0xbc driver_unregister+0x30/0x60 platform_driver_unregister+0x14/0x20 qcom_cci_driver_exit+0x18/0x1008 [i2c_qcom_cci] ....

Linux Denial Of Service Qualcomm
NVD VulDB
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: net: airoha: Add NULL check for of_reserved_mem_lookup() in airoha_qdma_init_hfwd_queues() of_reserved_mem_lookup() may return NULL if the reserved memory region referenced by the "memory-region" phandle is not found in the reserved memory table (e.g. due to a misconfigured DTS or a removed memory-region node). The current code dereferences the returned pointer without checking for NULL, leading to a kernel NULL pointer dereference at the following lines: dma_addr = rmem->base; // line 1156 num_desc = div_u64(rmem->size, buf_size); // line 1160 Add a NULL check after of_reserved_mem_lookup() and return -ENODEV if the lookup fails, which is consistent with the existing error handling for of_parse_phandle() failure in the same code block.

Linux Denial Of Service
NVD VulDB
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix NULL pointer dereference in bond_do_ioctl() In bond_do_ioctl(), slave_dev is obtained via __dev_get_by_name() which can return NULL if the requested interface name does not exist. However, the subsequent slave_dbg() call is placed before the NULL check: slave_dev = __dev_get_by_name(net, ifr->ifr_slave); slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev); //here if (!slave_dev) return -ENODEV; The slave_dbg() macro expands to netdev_dbg(bond_dev, "(slave %s): " fmt, (slave_dev)->name, ...) which unconditionally dereferences slave_dev->name before the NULL check is performed. This results in a NULL pointer dereference kernel oops when a user calls bonding ioctl (e.g. SIOCBONDENSLAVE, SIOCBONDRELEASE, etc.) with a non-existent slave interface name. This is reachable from userspace via the bonding ioctl interface with CAP_NET_ADMIN capability, making it a potential local denial-of-service vector. Fix by moving the slave_dbg() call after the NULL check.

Linux Denial Of Service
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

Account denial-of-service in MyComplianceOffice MCO 25.3.3.1 enables a remote attacker to permanently lock a targeted user out of their account by repeatedly triggering password resets. MCO's reset mechanism invalidates all previously set passwords and temporary credentials on every reset cycle, and imposes no rate limit on how frequently resets can be initiated - so once an attacker supplies the victim's email and a valid security question answer, they can sustain the lockout indefinitely. No public exploit has been identified at time of analysis, and active exploitation is not confirmed, but the attack is conceptually simple and requires no authentication beyond the security question hurdle.

Denial Of Service Mco
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in @fastify/middie 9.1.0 through 9.3.2 lets remote unauthenticated attackers crash the Node.js process by sending request paths with malformed percent-encoded sequences. The standalone engine's URL normalization step fails to catch a synchronous decoder exception, terminating the process and taking down all connected clients until manual restart. Only applications that invoke middie.run directly on the standalone engine API are affected; there is no public exploit identified at time of analysis, and no EPSS or KEV data was provided.

Node.js Denial Of Service Fastify Middie
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Denial of service in dhcpcd's IPv6 Neighbor Discovery Router Advertisement parser allows an adjacent unauthenticated attacker to exhaust CPU resources on any host running dhcpcd with IPv6 enabled. The flaw (CWE-835 - infinite loop) arises because a zero-length Neighbor Discovery option passes initial storage validation but is later reparsed without sufficient bounds enforcement, causing the parser to loop indefinitely without advancing. No active exploitation is confirmed (not in CISA KEV), but the adjacent-network attack vector and zero-privilege requirement make this actionable on shared Layer-2 environments such as enterprise Wi-Fi, cloud VLANs, and data-center segments.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH This Week

Denial of service in the UltraVNC viewer (vncviewer) through 1.8.2.2 arises from an off-by-one stack buffer overflow in the RFB ServerInit message handler, where a malicious VNC server advertising a desktop name of exactly 2024 bytes forces ReadString to write a NUL terminator at _dn[2024], one byte past a 2024-byte stack buffer. A rogue or compromised server can crash victims who connect to it (reliable process termination on /GS-hardened builds) and potentially corrupt adjacent stack data on canary-less release builds. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; exploitation requires the victim to initiate a connection to the attacker-controlled server.

Denial Of Service Buffer Overflow Ultravnc
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Out-of-bounds read in UltraVNC through version 1.8.2.2 allows network-authenticated attackers to potentially crash the VNC server process or leak adjacent memory content via the vncWc2Mb() wide-string conversion helper in rfb/dh.cpp at line 204. The flaw is triggered when wcslen() is called on a caller-supplied WCHAR pointer without a preceding bounds check, enabling memory over-reads if the buffer lacks proper NUL termination. No public exploit code or active exploitation has been identified at time of analysis; the vendor's CVSS 4.3 (Medium) rating reflects the constrained and largely denial-of-service-oriented impact.

Denial Of Service Buffer Overflow Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Out-of-bounds write in MediaTek modem firmware allows a network-adjacent attacker controlling a rogue cellular base station to remotely crash affected User Equipment (UE), resulting in denial of service. Thirty-three distinct MediaTek chipsets - spanning flagship mobile SoCs (MT6991, MT6989, MT6985) to tablet and IoT chipsets (MT8795T, MT8893) - contain the vulnerable modem component identified under Patch IDs MOLY01267281 and MOLY01318201. No public exploit code has been identified at time of analysis, and the attack is non-trivial due to the requirement for attacker-controlled cellular infrastructure, but the sheer deployment scale of affected chipsets across Android devices makes the aggregate exposure significant.

Memory Corruption Denial Of Service Buffer Overflow +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Remote denial-of-service in MediaTek modem firmware across 80+ chipset families allows an attacker operating a rogue cellular base station to crash affected devices by sending malformed input the modem fails to validate. The vulnerability (CWE-288) requires no privileges on the target device and no user interaction - a device that autonomously connects to the attacker's false base station is sufficient. No public exploit code has been identified at time of analysis, and SSVC classifies exploitation status as none, though the widespread chipset deployment across Android handsets and IoT hardware makes the affected attack surface extremely broad.

Denial Of Service Mediatek Chipset
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Remote denial of service in the MediaTek Modem firmware component affects approximately 60 chipset models via a null pointer dereference triggered when a target device connects to a rogue cellular base station. An attacker controlling a fake eNodeB or gNodeB can transmit crafted modem protocol messages that cause improper input validation to fail, crashing the modem and stripping affected devices of cellular connectivity. No public exploit has been identified at time of analysis, and CISA SSVC rates current exploitation status as none, indicating this remains a theoretical but technically feasible threat for well-resourced actors.

Denial Of Service Null Pointer Dereference Mediatek Chipset
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

A malicious LDAP server, which a Thunderbird user is configured to query for address-book autocomplete, can stash arbitrarily large amounts of attacker-supplied data into the Thunderbird LDAP client until it crashes due to memory exhaustion. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.

Mozilla Thunderbird Denial Of Service
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

An access violation in the BaseSplitterFile::Read function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Denial Of Service N A Buffer Overflow
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

A division-by-zero vulnerability in the CStreamSwitcherOutputPin::DecideBufferSize function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Denial Of Service N A
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in Aleksoid1978 MPC-BE (Media Player Classic - Black Edition) prior to commit 4341cb3 lets an attacker crash the player by supplying a crafted MP4 file that triggers a NULL pointer dereference in the bundled Bento4 AP4_AtomSampleTable::GetSample() routine. A proof-of-concept is referenced (SSVC exploitation: poc), but there is no public exploit identified as weaponized and it is not in CISA KEV; impact is limited to availability with no code execution, data disclosure, or integrity loss. EPSS is low at 0.15% (5th percentile), consistent with a crash-only bug that requires a victim to open a malicious file.

Denial Of Service Null Pointer Dereference N A
NVD GitHub
EPSS 0% CVSS 6.2
MEDIUM This Month

A NULL pointer dereference in the AP4_TkhdAtom::GetTrackId() function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Denial Of Service N A Null Pointer Dereference
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_425994 component

Denial Of Service Buffer Overflow
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in the UTT nv518G gateway/router (firmware nv518GV3v3.2.7-210919-161313) allows a remote attacker to crash the device by triggering a buffer overflow in the gohead/sub_447CAC web-server routine. Publicly available exploit code exists (referenced GitHub CVEreport analysis) but it is not listed in CISA KEV; EPSS is low at 0.22% (13th percentile), indicating no observed widespread exploitation. Note a data conflict: the description and tags describe a DoS, yet the supplied CVSS vector encodes a confidentiality impact (C:H/A:N) rather than availability.

Denial Of Service Buffer Overflow
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Audio in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)

Memory Corruption Google Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in Google Chrome's Chromoting (Chrome Remote Desktop) component on Linux, fixed in 150.0.7871.47, lets a remote attacker corrupt memory via crafted network traffic and potentially run arbitrary code. The flaw is a CWE-416 use-after-free reported by Google's internal Chrome security team; there is no public exploit identified at time of analysis and it is not in CISA KEV. Note a signal conflict: NVD scores this 9.8 (Critical) while Chromium itself rated the security severity 'Low', and EPSS is only 0.20% (10th percentile).

Memory Corruption Google Denial Of Service +3
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome for Windows before 150.0.7871.47 lets an attacker who has already compromised the renderer process abuse a use-after-free in the Updater component via a crafted HTML page to break out of the browser sandbox. It is a second-stage bug that Chromium rated only Low severity despite the CVSS 9.6 score, with no public exploit identified at time of analysis and a low EPSS probability of 0.18% (8th percentile). Google has shipped a fixed Stable-channel build.

Memory Corruption Google Microsoft +3
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Use after free in WebProtect in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Low)

Memory Corruption Google Denial Of Service +3
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in PDFium in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)

Memory Corruption Google Denial Of Service +3
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome desktop before 150.0.7871.47 stems from a use-after-free in the Scheduling component, letting a remote attacker run arbitrary code within the renderer sandbox when a victim opens a crafted HTML page. There is no public exploit identified at time of analysis and the vulnerability is not in CISA KEV; EPSS is low at 0.21% (12th percentile). Google rates the Chromium security severity as Low despite the NVD CVSS of 8.8, reflecting that code execution is confined to the sandbox rather than the host.

Memory Corruption Google Denial Of Service +3
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Use-after-free in Chrome's SSL handling on ChromeOS exposes process memory contents to remote attackers who can serve a crafted HTML page. Only ChromeOS builds of Chrome prior to 150.0.7871.47 are affected - this is not a cross-platform flaw. SSVC rates exploitation status as none and technical impact as partial, and Chromium's own severity classification is Low, making this a routine patch-cycle priority rather than an emergency response item despite the CVSS 6.5 score.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption via use-after-free in Google Chrome's Passwords component affects all desktop builds prior to 150.0.7871.47, letting a remote attacker who lures a victim to a crafted HTML page potentially achieve memory corruption and code execution in the renderer. The CVSS 3.1 vector (8.8) requires user interaction (visiting the page) but no privileges or authentication. No public exploit identified at time of analysis, and the low EPSS score (0.17%, 7th percentile) plus Chromium's own 'Low' severity rating suggest limited real-world exploitation likelihood despite the high CVSS.

Memory Corruption Denial Of Service Use After Free +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)

Memory Corruption Google Apple +3
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use after free in Installer in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Low)

Memory Corruption Google Microsoft +4
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Cast component (versions prior to 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page, exploiting a use-after-free (CWE-416) memory-corruption bug. Google's Chromium team rated the security severity as Low, and while NVD assigns a 9.6 CVSS reflecting full sandbox-escape impact, exploitation is gated behind a pre-existing renderer compromise. No public exploit was identified at time of analysis, EPSS is very low at 0.17% (7th percentile), and there is no CISA KEV listing.

Memory Corruption Denial Of Service Use After Free +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)

Memory Corruption Google Denial Of Service +3
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)

Memory Corruption Google Apple +4
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Use after free in PageInfo in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)

Memory Corruption Google Denial Of Service +3
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Use-after-free in Chrome's Chromecast component exposes process memory to attackers on the same local network segment via a malicious peripheral, affecting all Chrome versions prior to 150.0.7871.47. The vulnerability carries a CVSS 3.1 score of 6.5 with high confidentiality impact (C:H), meaning successful exploitation leaks potentially sensitive data from the Chrome process heap. No public exploit or CISA KEV listing is identified at time of analysis, and Google has released a patch in the stable channel.

Memory Corruption Denial Of Service Use After Free +2
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 150.0.7871.47) lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) and is second-stage: it is not directly exploitable from the open web without a prior renderer compromise. No public exploit has been identified at time of analysis, and its EPSS exploitation probability is low (0.17%, 7th percentile); notably, Google rated the Chromium security severity as Low despite the NVD CVSS of 9.6.

Memory Corruption Denial Of Service Use After Free +2
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's GetUserMedia (media capture) implementation before version 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) reported by Google's own security team; despite an NVD CVSS of 9.6, Chromium rates its severity Low, and there is no public exploit identified at time of analysis with an EPSS of only 0.17% (7th percentile).

Memory Corruption Denial Of Service Use After Free +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption in Google Chrome's BrowserTag component affects all desktop builds prior to 150.0.7871.47, where a use-after-free (CWE-416) can be triggered by a crafted Chrome extension. An attacker who convinces a victim to install a malicious extension can potentially exploit the freed-memory condition to corrupt the heap and execute code. No public exploit identified at time of analysis, and EPSS is low (0.12%, 2nd percentile), consistent with the Chromium team's own 'Low' severity rating despite the NVD CVSS of 8.8.

Memory Corruption Denial Of Service Use After Free +2
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Use after free in Bluetooth in Google Chrome on Mac prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Low)

Memory Corruption Google Denial Of Service +3
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in Google Chrome's SignIn component (versions prior to 150.0.7871.47) allows a remote attacker to trigger heap corruption and potentially achieve code execution after luring a victim to a crafted HTML page and performing specific UI gestures. No public exploit was identified at time of analysis, and with an EPSS of 0.17% (7th percentile) and Chromium-rated 'Low' severity, near-term mass exploitation appears unlikely despite the high 8.8 CVSS. The flaw is patched in the current stable channel and is not listed in CISA KEV.

Memory Corruption Denial Of Service Use After Free +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption in Google Chrome's Views UI framework on macOS (versions before 150.0.7871.47) lets a remote attacker who lures a victim to a crafted HTML page and coaxes them into specific UI gestures trigger a use-after-free, potentially achieving code execution in the renderer. Google rates the Chromium severity as Low, but the NVD CVSS is 8.8 (High), and no public exploit has been identified at time of analysis. EPSS is low at 0.21% (11th percentile), and the flaw is not in CISA KEV.

Memory Corruption Denial Of Service Use After Free +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in Google Chrome's Ozone component on Linux prior to 150.0.7871.47 lets a remote attacker trigger heap corruption after luring a user to a crafted HTML page and inducing specific UI gestures. Rated CVSS 8.8 with high confidentiality, integrity and availability impact, it is patched in the stable channel but requires user interaction (UI:R). No public exploit is identified at time of analysis and EPSS exploitation probability is low (0.21%, 11th percentile), and Google classifies the Chromium severity as Medium.

Memory Corruption Denial Of Service Use After Free +2
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Google Chrome's Updater component on Windows (versions prior to 150.0.7871.47) allows a local attacker to escalate to OS-level privileges via a malicious file that triggers a use-after-free condition. Google rates the Chromium security severity as Medium, though the CVSS base score is 7.8 (High) because the Updater runs with elevated (SYSTEM) privileges. There is no public exploit identified at time of analysis and EPSS is very low (0.11%, 1st percentile), indicating negligible observed exploitation activity.

Memory Corruption Google Microsoft +4
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Navigation in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption Google Denial Of Service +3
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Omnibox in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption Denial Of Service Use After Free +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Oilpan in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption Google Denial Of Service +3
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption Google Apple +3
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption in Google Chrome for iOS before 150.0.7871.47 lets a remote attacker who lures a user through specific in-page UI gestures on a crafted HTML page trigger a use-after-free (CWE-416), potentially leading to arbitrary code execution in the renderer. Rated Medium by the Chromium security team but scored CVSS 8.8 due to full confidentiality/integrity/availability impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. EPSS is low at 0.21% (11th percentile), consistent with a freshly patched browser bug that has no known weaponization.

Memory Corruption Google Apple +3
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in HTML in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption Google Denial Of Service +3
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Sandboxed remote code execution in Google Chrome's Cast Receiver component affects all desktop builds prior to 150.0.7871.47, where a use-after-free (CWE-416) can be triggered by luring a victim to a crafted HTML page. Google rates the Chromium severity as Medium because the resulting code execution is confined to the browser sandbox, though NVD scores it CVSS 8.8; there is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.27% (18th percentile).

Memory Corruption Google Denial Of Service +3
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in the Extensions component of Google Chrome before 150.0.7871.47 lets a remote attacker execute arbitrary code within the renderer sandbox when a victim opens a crafted HTML page. Chromium rated the security severity Medium, though the associated CVSS score is 8.8 (High) due to network vector and high impact; there is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.26%. Google has shipped a fixed Stable channel build.

Memory Corruption Google Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Sandboxed remote code execution in Google Chrome for Android before 150.0.7871.47, stemming from a use-after-free in the Skia graphics library, lets a remote attacker run arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. Google rated the Chromium security severity as Medium, and no public exploit has been identified at time of analysis; the EPSS score is low (0.26%, 17th percentile), and the bug is not on CISA KEV. Exploitation requires user interaction (visiting the malicious page) but no authentication.

Memory Corruption Google Denial Of Service +3
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Use after free in USB in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption Denial Of Service Use After Free +2
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Use-after-free in Google Chrome's Bluetooth subsystem (all versions prior to 150.0.7871.47) enables an unauthenticated attacker within Bluetooth radio range to leak sensitive data from Chrome's process memory by operating a malicious Bluetooth peripheral. The CVSS vector (AV:A/PR:N/UI:N/C:H) confirms no attacker-side authentication is required and impact is confidentiality-only, with no integrity or availability loss. No public exploit code has been identified at time of analysis and CISA has not listed this in KEV; the Chromium security team rated this Medium severity, consistent with the bounded adjacency-only attack vector.

Memory Corruption Denial Of Service Use After Free +2
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Use after free in Bluetooth in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption Denial Of Service Use After Free +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Sandboxed remote code execution in the WebView component of Google Chrome for Android before 150.0.7871.47 lets a remote attacker run arbitrary code within the renderer sandbox when a victim loads a crafted HTML page. Rated CVSS 8.8 (network vector, no privileges, requires user interaction), the flaw is a CWE-416 use-after-free, but code execution is confined to the sandbox and would require a separate escape to reach the host. No public exploit identified at time of analysis, and EPSS is low at 0.26% (17th percentile), indicating limited near-term mass-exploitation pressure despite the high base score.

Memory Corruption Google Denial Of Service +3
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Device component on Windows (versions prior to 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page, exploiting a use-after-free (CWE-416). Google rates the Chromium security severity as Medium, reflecting that it is a second-stage bug requiring prior renderer compromise, though the NVD CVSS of 9.6 is inflated by the sandbox scope change. There is no public exploit identified at time of analysis and EPSS is low (0.21%), indicating no current sign of widespread exploitation.

Memory Corruption Google Microsoft +3
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of the browser sandbox and reach the host via a crafted HTML page, exploiting a use-after-free (CWE-416) in the Core component. Google-assigned Chromium severity is Medium, though the NVD CVSS is 9.6 due to the cross-boundary scope change. No public exploit identified at time of analysis, and EPSS is low (0.21%, 11th percentile), indicating it is not yet a mass-exploitation target.

Memory Corruption Denial Of Service Use After Free +2
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Google Chrome on Linux (versions prior to 150.0.7871.47) stems from a use-after-free in the Ozone platform layer, allowing a remote attacker who lures a victim into performing specific UI gestures on a crafted HTML page to execute arbitrary code in the browser context. Rated High by Chromium and CVSS 7.5, exploitation is gated by required user interaction and high attack complexity. There is no public exploit identified at time of analysis, and the EPSS probability is low at 0.26% (17th percentile).

Memory Corruption Google Denial Of Service +3
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on Linux (versions prior to 150.0.7871.47) stems from a use-after-free in Ozone, Chrome's platform abstraction layer for windowing and graphics. An attacker who has already compromised the renderer process can leverage a crafted HTML page to break out of the browser sandbox and gain code execution at the higher-privileged browser-process level. There is no public exploit identified at time of analysis, and the EPSS score is low (0.21%, 11th percentile), consistent with a second-stage bug that requires a prior renderer compromise rather than a directly weaponizable single-shot flaw.

Memory Corruption Denial Of Service Use After Free +2
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome desktop before 150.0.7871.47 stems from a use-after-free in the Journeys (browsing history) component, allowing a remote attacker who has already compromised the renderer process to break out of the sandbox and gain broader code execution on the host via a crafted HTML page. Rated High severity by Chromium and CVSS 9.6, a fix is available from vendor; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.21%, 11th percentile). Exploitation is meaningful only as the second stage of a chain, since it presupposes prior renderer compromise.

Memory Corruption Denial Of Service Use After Free +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome desktop before 150.0.7871.47 stems from a use-after-free in the Forms component, letting a remote attacker who lures a victim to a crafted HTML page corrupt memory and execute arbitrary code within the browser's renderer sandbox. Chromium rates the flaw High severity, CVSS 8.8, requiring only that the user visit a malicious page; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.26%, 17th percentile). A vendor patch is available in the June 2026 Stable channel release.

Memory Corruption Google Denial Of Service +3
NVD VulDB
Prev Page 7 of 406 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy