Skip to main content

Information Disclosure

66671 CVEs technique

Monthly

CVE-2026-53026 HIGH PATCH This Week

Denial of service in the Linux kernel's NFSD (in-kernel NFSv4 server) arises from an nfs4_file reference-count leak in nfsd4_add_rdaccess_to_wrdeleg, where __nfs4_file_get_access is wrongly called even when another thread has already taken READ access on the file. The leaked fi_access count keeps the backing nfsd_file pinned, so stopping the nfs-server service triggers a kernel BUG in kmem_cache_destroy() because nfsd_file objects remain on cache shutdown. The flaw affects systems running the in-kernel NFS server (fixed in 6.18.33, 7.0.10, and 7.1); there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.17%).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-53025 HIGH PATCH This Week

Use-after-free in the Linux kernel's greybus 'raw' driver (drivers/staging/greybus/raw.c) allows a local user holding an open character-device handle to trigger memory corruption when the underlying raw bundle is disconnected and the application later closes the cdev. The flaw stems from the gb_raw structure (which embeds the cdev) being freed in the disconnect callback while a userspace reference remains, causing cdev_put to operate on freed memory and a refcount underflow/panic, especially with CONFIG_INIT_ON_FREE_DEFAULT_ON=y. No public exploit identified at time of analysis, and EPSS is low (0.16%, 6th percentile), consistent with a local, niche-driver issue.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53023 MEDIUM PATCH This Month

Missing NUL termination in the Linux kernel's ntfs3 filesystem driver allows a local attacker with filesystem mount privileges to trigger an out-of-bounds memory read, crashing the kernel. The defect in ntfs_fill_super() leaves sbi->volume.label unterminated when a UTF-16 volume label converts to a UTF-8 string that exactly fills the fixed buffer, causing ntfs3_label_show() to read past the buffer boundary via a %s format specifier. No public exploit has been identified at time of analysis and EPSS sits at 0.17% (7th percentile), indicating very low current exploitation interest despite the High availability impact in CVSS.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53022 MEDIUM PATCH This Month

Unbounded string concatenation in the Linux kernel's Dell WMI BIOS interface driver (dell-wmi-sysman) allows a local low-privileged attacker on Dell hardware to crash the kernel. The populate_enum_data() function bounds each individual firmware-provided string but applies no remaining-space check during cumulative strcat() calls into fixed 512-byte struct members, enabling a buffer overflow that results in complete system availability loss. With an EPSS of 0.17% (7th percentile), no public exploit code, and no CISA KEV listing, this is a low-likelihood but straightforward local denial-of-service on Dell platforms running unpatched kernel versions.

Dell Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53020 HIGH PATCH This Week

Local privilege escalation or memory disclosure is possible in the User Mode Linux (UML/'um') architecture of the Linux kernel (affected around 6.19, fixed in 7.0.10 and 7.1) due to a TLB-sync race condition where the page table is traversed and modified without holding the page table lock. Concurrent threads in the same process can corrupt page table state, with CVSS 7.8 (local, low-privilege) and a high-impact triad; there is no public exploit identified at time of analysis and EPSS is low at 0.15% (5th percentile), consistent with a hard-to-trigger local race rather than a mass-exploited flaw.

Linux Information Disclosure Race Condition
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53019 MEDIUM PATCH This Month

Kernel panic in the SpaceMIT clock controller driver (`clk-spacemit-ccu`) can be triggered during CPU frequency scaling on systems running SpaceMIT RISC-V hardware. The root cause is an inverted boolean condition in `ccu_mix_trigger_fc()` that causes the frequency change trigger to be skipped at the wrong time and fired at the wrong time, crashing the kernel under normal cpufreq governor activity. Exploitation requires only local low-privilege access, but is practically limited to the narrow hardware footprint of SpaceMIT K1-based boards; no public exploit or CISA KEV listing exists, and EPSS is 0.17% (6th percentile).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53018 MEDIUM PATCH This Month

Kernel panic in the Linux f2fs garbage collector allows a local low-privileged user to crash the system by triggering a VM_BUG_ON_FOLIO assertion when GC attempts to re-read a page already marked uptodate after multiple block relocations. The affected subsystem is f2fs (Flash-Friendly File System); systems using ext4, XFS, or other filesystems are not impacted. EPSS is extremely low (0.17%, 6th percentile) and no active exploitation has been identified, making this a stability/DoS concern primarily relevant to mobile, embedded, and flash-storage Linux deployments.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53017 MEDIUM PATCH This Month

Data loss in the Linux kernel's f2fs (Flash-Friendly File System) driver exposes files created and synced before any checkpoint has been written to permanent loss on sudden power off. The race condition between fsync on newly created files and concurrent checkpoint operations causes f2fs_need_inode_block_update() to misread prematurely set nat_entry flags (IS_CHECKPOINTED and HAS_LAST_FSYNC), leading fsync to skip the inode block flush it actually requires. No public exploit identified at time of analysis; the EPSS score of 0.16% at the 6th percentile reflects the narrow triggering conditions and local-only attack surface.

Checkpoint Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53016 HIGH PATCH This Week

Out-of-bounds write in the Linux kernel's AMD Cryptographic Coprocessor (ccp) driver allows a local low-privileged user to overrun a caller-supplied IV buffer by 8 bytes when issuing rfc3686(ctr(aes)) requests through the AF_ALG socket interface. The ccp_aes_complete() handler unconditionally copies AES_BLOCK_SIZE (16 bytes) back into the IV buffer, but RFC3686 skciphers expose only an 8-byte IV, corrupting adjacent memory. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and the EPSS probability is low (0.18%, 7th percentile).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53015 MEDIUM PATCH This Month

Integer truncation in the Linux kernel's EROFS filesystem driver on 32-bit platforms causes logical cluster number (LCN) calculations to overflow at the 4 GiB boundary, resulting in incorrect block addressing and potential kernel-level availability impact. Affected systems are those running 32-bit Linux kernels (where `unsigned long` is 32 bits wide) with EROFS filesystems mounted. No public exploit exists and no active exploitation has been confirmed; EPSS stands at a very low 0.17% (6th percentile), consistent with the niche attack surface of 32-bit deployments.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53014 MEDIUM PATCH This Month

Kernel panic via skb headroom exhaustion in the Linux kernel's Traffic Control (TC) act_mirred subsystem affects systems using block-cast packet redirection across mixed device types. The root cause is a copy-paste error in tcf_blockcast_redir() where dev_is_mac_header_xmit() is queried against the next device in the iteration (dev) rather than the device currently being transmitted to (dev_prev), causing tcf_mirred_to_dev() to make wrong MAC header push/pull decisions for intermediate devices. In the worst case, skb_push_rcsum is called with an incorrect mac_len, exhausting socket buffer headroom and triggering a kernel panic. No public exploit code has been identified and EPSS is 0.17% at the 6th percentile, consistent with low real-world exploitation interest.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53013 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF macvlan_get_size() does not account for IFLA_MACVLAN_BC_CUTOFF, but macvlan_fill_info() conditionally includes it when port->bc_cutoff != 1. This causes nla_put_s32() to fail with -EMSGSIZE when the netlink skb runs out of space, triggering a WARN_ON in rtnetlink and preventing the interface from being dumped. The bug can be reproduced with: ip link add macvlan0 link eth0 type macvlan mode bridge ip link set macvlan0 type macvlan bc_cutoff 0 ip -d link show macvlan0 # fails with -EMSGSIZE The bc_cutoff feature was added in commit 954d1fa1ac93 ("macvlan: Add netlink attribute for broadcast cutoff"), which added the nla_put_s32() call in macvlan_fill_info() but missed adding the corresponding nla_total_size(4) in macvlan_get_size(). A follow-up commit 55cef78c244d ("macvlan: add forgotten nla_policy for IFLA_MACVLAN_BC_CUTOFF") fixed the missing nla_policy entry but still did not fix the size calculation.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53011 HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's taprio traffic scheduler (net/sched) arises from a use-after-free in advance_sched() during an admin-to-oper schedule switch, affecting kernels from 5.2 through the fixed releases. After switch_schedules() queues the old oper schedule for RCU freeing, the 'next' pointer still references a freed entry that is then written to and published via rcu_assign_pointer(), letting a local user with network-configuration capability corrupt kernel memory for potential code execution. No public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile), consistent with a complex local-only TSN feature rather than mass exploitation.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53010 CRITICAL PATCH Act Now

Use-after-free in the Linux kernel's ksmbd in-kernel SMB3 server occurs during durable handle reconnect, where smb2_open prematurely drops the durable file reference via ksmbd_put_durable_fd(fp); a subsequent error path or scavenger access then dereferences freed fp fields (e.g., fp->create_time). Affecting Linux ksmbd across multiple stable branches and fixed in releases such as 6.6.32, 6.18.33, 7.0.10, and 7.1, the flaw is rated CVSS 9.8 but carries a low EPSS of 0.17% (6th percentile); it is not in CISA KEV and no public exploit identified at time of analysis. An attacker with SMB access can trigger memory corruption potentially leading to information disclosure, denial of service, or code execution in kernel context.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53006 CRITICAL PATCH Act Now

Use-after-free in the Linux kernel's IPv6 ICMPv6 receive path (icmpv6_rcv()) allows stale pointers to freed socket buffer memory to be dereferenced after a pskb_pull() call relocates skb->head. The affected code cached the source and destination addresses (saddr/daddr) before the pull, and these stale references were only consumed by net_dbg_ratelimited() in the slow path, limiting practical impact. The flaw is fixed upstream across all maintained stable trees; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53005 HIGH PATCH This Week

Local use-after-free in the Linux kernel's AF_UNIX subsystem occurs when SOCKMAP (BPF socket map) redirects skbs carrying inflight file descriptors, hiding them from the AF_UNIX garbage collector and breaking the Tarjan-based GC's assumption that unix_edge.successor stays alive — producing a slab use-after-free in unix_del_edges() plus inflight-socket leaks and incorrect fdinfo accounting. Affected are kernels supporting SOCKMAP/sk_psock redirect (roughly 5.15 through pre-fix 7.x trees); a local attacker who can set up SOCKMAP redirection and pass SCM_RIGHTS descriptors can corrupt kernel memory toward privilege escalation or denial of service. There is no public exploit identified at time of analysis, EPSS is low (0.16%, 6th percentile), and it is not in CISA KEV.

Linux Information Disclosure Debian Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53003 HIGH PATCH This Week

Denial of service in the Linux kernel's PPPoE/PPP driver allows a malicious or broken peer to crash affected hosts by sending PPP frames with a compressed (1-byte) Protocol Field. Because pppd never negotiates Protocol Field Compression for PPPoE yet ppp_input() still accepted compressed frames, the payload is shifted one byte, producing a 4-byte misaligned network header that can raise unaligned-access exceptions on architectures that do not tolerate them. There is no public exploit identified at time of analysis; EPSS is low (0.18%, 7th percentile) and the issue is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-53001 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: netfilter: xtables: restrict several matches to inet family This is a partial revert of: commit ab4f21e6fb1c ("netfilter: xtables: use NFPROTO_UNSPEC in more extensions") to allow ipv4 and ipv6 only. - xt_mac - xt_owner - xt_physdev These extensions are not used by ebtables in userspace. Moreover, xt_realm is only for ipv4, since dst->tclassid is ipv4 specific.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53000 HIGH PATCH This Week

Local privilege escalation / memory corruption in the Linux kernel's netfilter NAT subsystem (introduced in v5.14) arises because nf_nat_register_fn() freed nf_hook_ops structures immediately rather than deferring the release via RCU. Because the v5.14-era nfnetlink_hook feature lets userspace dump active netfilter hooks by peeking into the ops blob, a concurrent dump racing the NAT (un)register error path can access ops memory after it is freed. No public exploit has been identified at time of analysis and EPSS is low (0.17%), but the high-impact CVSS vector reflects a use-after-free class flaw in a core kernel subsystem.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52999 CRITICAL PATCH Act Now

Out-of-bounds read in the Linux kernel's netfilter nfnetlink_osf (passive OS fingerprinting) module occurs when the shared nf_osf_hdr_ctx->optp pointer is not reset after a fingerprint fully matches during TCP option parsing. Affecting systems that use the osf match with NF_OSF_LOGLEVEL_ALL enabled, the flaw causes subsequent fingerprint checks to parse beyond the end of the TCP options buffer, reading garbage data and producing incorrect or missing match logs. Although carrying a 9.1 CVSS, this is a functional/correctness bug in a niche feature; there is no public exploit identified at time of analysis and EPSS is low (0.18%, 7th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-52996 MEDIUM PATCH This Month

Resource exhaustion in the Linux kernel ksmbd SMB server allows a low-privileged authenticated SMB client to leak kernel file descriptor references by sending repeated SMB2 CREATE requests with a DURABLE_HANDLE_REQUEST_V2 context that produces a CreateGuid hit but a ClientGUID mismatch. Each such request increments the refcount on a ksmbd_file via ksmbd_fp_get() in ksmbd_lookup_fd_cguid() but the mismatch code path never calls the matching release, causing global_ft entries to be pinned indefinitely. Over time this defeats the durable file scavenger and causes long-lived kernel resource leaks that can degrade or deny availability. No public exploit has been identified at time of analysis and EPSS is 0.19% (9th percentile), indicating low opportunistic exploitation probability.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52995 MEDIUM PATCH This Month

Stack memory disclosure in the Linux kernel RDS/IB subsystem exposes up to 26 bytes of uninitialized kernel stack contents - including kernel text and data pointers - to local unprivileged users via the getsockopt(SOL_RDS, RDS_INFO_IB_CONNECTIONS) interface. The leak enables KASLR bypass on systems where the kernel was built without CONFIG_INIT_STACK_ALL_ZERO=y, making this a useful primitive for chaining into privilege escalation. No public exploit code and no CISA KEV listing exist at time of analysis; EPSS is very low at 0.18% (7th percentile), but the CVE description itself supplies a complete, step-by-step reproduction recipe that reduces practical exploitation complexity to near-trivial for any local user with AF_RDS socket access.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52994 MEDIUM PATCH This Month

Improper RLIMIT_MEMLOCK accounting in the Linux kernel's vsock/virtio MSG_ZEROCOPY path allows a local low-privileged user to bypass per-process pinned-page limits, enabling unbounded kernel memory pinning that can drive the system toward memory exhaustion. The flaw is confined to the virtio vsock transport and is not remotely exploitable. No public exploit has been identified and EPSS sits at 0.17% (7th percentile), reflecting low exploitation interest; however, a vendor-confirmed fix is available in stable releases.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52993 CRITICAL PATCH Act Now

Memory corruption in the Linux kernel's TIPC (Transparent Inter-Process Communication) protocol stack allows remote attackers to trigger a double-free in tipc_buf_append() during message reassembly, where tipc_msg_validate() may reallocate and free the working skb while the error path frees a now-stale pointer. Affected systems are those running a vulnerable kernel (introduced around 4.15-era code, present across 5.10-7.0 branches) with the TIPC subsystem in use; successful exploitation can crash the kernel and, depending on heap conditions, potentially lead to privilege escalation. There is no public exploit identified at time of analysis, EPSS risk is low (0.18%, 7th percentile), and it is not listed in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-52991 HIGH PATCH This Week

Local privilege-escalation-capable memory corruption in the Linux kernel's PSI (Pressure Stall Information) subsystem allows a local user with write access to cgroup pressure files to trigger a use-after-free or NULL-pointer dereference. The flaw stems from a race between pressure_write() and cgroup file release/rmdir on the kernfs_open_file->priv pointer, confirmed via a KASAN slab-use-after-free report in pressure_write+0xa4/0x210. No public exploit identified at time of analysis, and EPSS is low (0.19%, 8th percentile), indicating no observed mass exploitation.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52990 MEDIUM PATCH This Month

Resource leak in the Linux kernel fsnotify subsystem causes hung tasks and local denial of service via a race condition in fsnotify_recalc_mask(). A local low-privilege user can trigger concurrent mark addition and removal on a filesystem connector object, causing an inode pointer returned by __fsnotify_recalc_mask() to be silently discarded rather than released via fsnotify_drop_object() - permanently blocking the umount path as fsnotify_sb_delete() waits indefinitely on the leaked reference. No public exploit exists and EPSS is at the 7th percentile, indicating negligible opportunistic exploitation risk.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52988 HIGH PATCH This Week

Kernel-memory disclosure and denial of service in the Linux kernel's netfilter nf_tables subsystem arises from unsafe RCU list traversal: a netlink dump can walk a basechain/flowtable hook list concurrently with a ruleset update, racing on partially-published hooks. The fix publishes new hooks via splice_list_rcu() during the commit phase so RCU readers see a consistent list. EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis; the issue is a local race condition affecting privileged ruleset operations rather than a remotely reachable flaw.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-52987 HIGH PATCH This Week

Local privilege escalation and kernel memory corruption is possible in the Linux kernel's AMD GPU driver (amdgpu) via a double drm_exec_fini() in the user-queue validation path. When amdgpu_userq_vm_validate() runs with new_addition set, a failure in amdgpu_ttm_tt_get_user_pages() routes execution to a cleanup label that finalizes the already-freed drm_exec object a second time, corrupting kernel state. No public exploit identified at time of analysis, and EPSS rates exploitation probability at only 0.16% (6th percentile), consistent with a hard-to-trigger local bug rather than a mass-exploited flaw.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52985 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: netdevsim: zero initialize struct iphdr in dummy sk_buff Syzbot reports a KMSAN uninit-value originating from nsim_dev_trap_skb_build, with the allocation also being performed in the same function. Fix this by calling skb_put_zero instead of skb_put to guarantee zero initialization of the whole IP header.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52984 MEDIUM PATCH This Month

Unbounded queue growth in the Linux kernel's netem (Network Emulator) traffic control subsystem allows a local low-privileged user to exhaust kernel memory and trigger a denial of service. The flaw exists because netem_enqueue() enforces queue depth limits using only q->t_len (packets in the internal tfifo), while packets placed into sch->q via the reorder path (__qdisc_enqueue_head) are silently excluded from that count, allowing total queue occupancy to grow beyond sch->limit without bound. No public exploit has been identified and the EPSS score of 0.18% (8th percentile) places this in the lowest exploitation-probability tier; however, the vulnerability affects a wide range of active stable kernel branches and patched versions are available.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52983 HIGH PATCH This Week

Denial-of-service (TX queue stall) in the Linux kernel's Airoha QDMA Ethernet driver affects systems running on Airoha/MediaTek SoCs where airoha_dev_xmit() accounts inflight packets only across AIROHA_NUM_TX_RING queues while the NAPI completion path settles all netdev TX queues, corrupting Byte Queue Limits (BQL) state. The mismatch can wedge transmit queues and degrade or halt network throughput on the device. EPSS is 0.17% (7th percentile) and there is no public exploit identified at time of analysis; an upstream stable fix exists.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52982 CRITICAL PATCH Act Now

Use-after-free in the Linux kernel rtl8150 USB-to-Ethernet driver (drivers/net/usb/rtl8150.c) lets the transmit path read freed socket-buffer memory: rtl8150_start_xmit() reads skb->len for TX byte accounting after usb_submit_urb(), but the URB completion handler write_bulk_callback() can free the skb on another CPU first, producing a slab-use-after-free read flagged by KASAN/syzbot. Affected systems are those using an RTL8150-based USB Ethernet adapter; the practical impact is a stale/garbage stat read or a potential crash from freed-memory access rather than reliable info disclosure. There is no public exploit identified at time of analysis (not in CISA KEV, EPSS 0.18%/8th percentile), and the issue was found and fixed via upstream syzbot fuzzing.

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-52981 HIGH PATCH This Week

Memory exhaustion in the Linux kernel networking stack stems from a socket buffer (SKB) leak in neigh_xmit(): when the function is called against an uninitialized neighbour table - for example NEIGH_ND_TABLE while IPv6 is disabled - it returns -EAFNOSUPPORT and bypasses its out_kfree_skb path, leaking the packet buffer because callers (originally MPLS) rely on neigh_xmit() to take ownership of the skb. Repeated triggering slowly exhausts kernel memory, leading to denial of service (CVSS 7.5, A:H). There is no public exploit identified at time of analysis, and EPSS is low (0.19%, 9th percentile); the upstream fix makes neigh_xmit() assume full ownership and free the skb on every path.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52979 MEDIUM This Month

Race condition in the Linux kernel PSP network subsystem allows a local low-privileged attacker to crash the kernel through a TOCTOU flaw in device association creation. In `psp_assoc_device_get_locked()`, a device reference acquired under RCU becomes stale before the protecting lock is taken if `psp_dev_unregister()` completes concurrently, leaving the kernel operating on freed or invalid device state. No public exploit has been identified and EPSS stands at 0.17% (6th percentile), reflecting minimal active exploitation risk despite the well-characterized code-level race condition.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52978 MEDIUM This Month

In the Linux kernel, the following vulnerability has been resolved: net: psp: require admin permission for dev-set and key-rotate The dev-set and key-rotate netlink operations modify shared device state (PSP version configuration and cryptographic key material, respectively) but do not require CAP_NET_ADMIN. The only access control is psp_dev_check_access() which merely verifies netns membership.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52977 MEDIUM PATCH This Month

Livelock in the Linux kernel's futex requeue-PI subsystem can hang a system when a signal or timeout interrupts a FUTEX_WAIT_REQUEUE_PI operation concurrently with an active FUTEX_CQ_REQUEUE_PI requeue. The race causes a waiting thread (Task A) to block indefinitely on a hash-bucket lock while a requeue thread (Task B) busy-loops retrying the same operation, consuming all available CPU - worst-case on uniprocessor systems where Task A cannot be scheduled at all. No public exploit is identified and EPSS is 0.17% (7th percentile), but the deterministic nature of the livelock on UP or real-time-scheduled hardware makes this a genuine denial-of-service risk; patches are available across six Linux stable branches.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52976 HIGH PATCH This Week

Local privilege escalation in the Linux kernel's drm/xe Intel GPU driver arises from two error-handling defects in xe_exec_queue_create_ioctl() that leave a freed exec queue linked into either the VM's preempt-fence compute list or the hardware engine group list, producing a dangling pointer and a use-after-free. A local user with access to the DRM device on systems running the affected Intel Xe driver (introduced around 6.12) can trigger the faulty cleanup paths to corrupt kernel memory, with potential for code execution at kernel privilege. There is no public exploit identified at time of analysis and EPSS is low (0.18%, 7th percentile); the issue is fixed upstream and in stable releases.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52975 HIGH PATCH This Week

Concurrent access to an unprotected pointer in the Linux kernel's 802.3ad (LACP) bonding driver allows a local user to trigger a data race between the AD state-machine worker and the rtnetlink read path that fetches active aggregator info. Discovered by syzbot/KCSAN, the torn read of the `port->aggregator` pointer can disclose kernel memory state or destabilize the bonding driver on systems configured with LACP NIC teaming. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.18%, 7th percentile).

Linux Information Disclosure Google
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52974 HIGH PATCH This Week

Memory exhaustion (denial of service) in the Linux kernel's TLS device-offload receive path, where a failure during hardware offload setup leaks the strparser anchor socket buffer (skb) and never frees it. Affecting kernels from the introduction of the custom strparser (commit 84c61fe1a75b) onward, repeated triggering of the offload setup-failure path slowly drains kernel memory; CVSS rates availability impact High (7.5) but EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis. The regression was introduced by the kTLS-specific strparser rewrite and does not affect kernels using the standard strparser.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52973 HIGH PATCH This Week

Local privilege escalation in the Linux kernel futex subsystem stems from a slab use-after-free in futex_hash_put, triggered when a process shares its mm via CLONE_VM without CLONE_THREAD. The flawed need_futex_hash_allocate_default() check broke the non-concurrency assumption for per-CPU mm->futex_ref allocation, letting a stale +1 bias land on a percpu counter the mm no longer references. Carries CVSS 7.8 (high) with full C/I/A impact; no public exploit identified at time of analysis and EPSS is low (0.17%).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52971 HIGH PATCH This Week

Use-after-free in the Linux kernel's Amazon ENA (Elastic Network Adapter) PTP Hardware Clock (PHC) get_timestamp path lets a local low-privileged user trigger a NULL/dangling pointer dereference via a race between timestamp reads and clock teardown. The driver checked phc->active and cached the resp pointer from ena_dev->phc.virt_addr before taking the spinlock, so a concurrent ena_com_phc_destroy() could free the DMA memory and NULL virt_addr mid-operation. With a CVSS of 7.8 (high) but EPSS of only 0.17% (7th percentile), this is a memory-safety race with no public exploit identified at time of analysis; it is fixed upstream and patched in stable releases.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52970 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: fix missing expect put in obj eval nft_ct_expect_obj_eval() allocates an expectation and may call nf_ct_expect_related(), but never drops its local reference. Add nf_ct_expect_put(exp) before return to balance allocation.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52968 HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's KVM s390 PCI adapter-interrupt-forwarding (AIF) code allows a low-privileged local actor on IBM Z (s390x) hosts to read and corrupt kernel memory. The flaw stems from double-scaled pointer arithmetic when indexing the GAIT table in kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and aen_host_forward(), triggered when an adapter interrupt source (aisb) index reaches 32 or higher under ZPCI_NR_DEVICES=512. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.18%, 8th percentile).

Buffer Overflow Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-52967 HIGH PATCH This Week

Out-of-bounds read and denial-of-service in the Linux kernel SMB/CIFS client (cifs.ko) affects systems mounting SMB shares on 32-bit architectures. When parsing a malicious SMB2 error response, the symlink_data() routine mishandles a hostile ErrorDataLength value, causing either an infinite loop or a read past the buffer that can hang the client or leak adjacent kernel memory. There is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile), but the bug is reachable by any malicious or compromised SMB server a vulnerable client connects to.

Linux Denial Of Service Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-52966 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: drm: Replace old pointer to new idr Commit 5e28b7b94408 introduced a logical error by failing to replace the newly generated IDR pointer to old id's pointer at the correct location within the "change handle" logic; this resulted in the issue reported by syzbot [1]. Specifically, the new IDR object pointer is intended to replace the original id's pointer during the normal execution flow. Additionally, an unnecessary conditional check for the ret exit path has been removed. [1] !RB_EMPTY_ROOT(&prime_fpriv->dmabufs) WARNING: drivers/gpu/drm/drm_prime.c:224 at drm_prime_destroy_file_private+0x48/0x60 drivers/gpu/drm/drm_prime.c:224, CPU#0: syz.0.17/5833 Call Trace: drm_file_free.part.0+0x7e6/0xcc0 drivers/gpu/drm/drm_file.c:269 drm_file_free drivers/gpu/drm/drm_file.c:237 [inline] drm_close_helper.isra.0+0x186/0x200 drivers/gpu/drm/drm_file.c:290 drm_release+0x1ab/0x360 drivers/gpu/drm/drm_file.c:438

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52964 MEDIUM PATCH This Month

Out-of-bounds descriptor read in the Linux kernel ALSA USB MIDI 2.0 subsystem allows a physically proximate or low-privileged local attacker to crash the kernel by presenting a malformed USB audio device with crafted MIDI 2.0 endpoint descriptors. The USB MIDI 2.0 endpoint parser validates bLength against bNumGrpTrmBlock but omits validation against remaining bytes in the endpoint-extra scan, allowing baAssoGrpTrmBlkID[] reads to advance past the descriptor buffer boundary. No public exploit is identified; EPSS stands at 0.18% (7th percentile), consistent with narrow, hardware-dependent attack surface and no active exploitation.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52963 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Bound MIDI endpoint descriptor scans snd_usbmidi_get_ms_info() validates the internal MIDIStreaming endpoint descriptor size before using baAssocJackID[], but the descriptor walker can still return a class-specific endpoint descriptor whose bLength exceeds the remaining bytes in the endpoint-extra scan. That leaves later flexible-array reads bounded by bLength, but not by the remaining bytes in the endpoint-extra scan. Stop walking when bLength is zero or extends past the remaining endpoint-extra scan.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52960 HIGH PATCH This Week

Denial of service in the Linux kernel's CephFS (ceph) client allows local users with an active CephFS mount to leak kernel memory by triggering the dirty-page writeback path. The flaw stems from a missing reference release on folios that the writeback batch holds but removes as unsuitable, gradually pinning pages and exhausting kernel memory (CVSS 7.5, availability-only). No public exploit identified at time of analysis; EPSS is low at 0.16% (6th percentile), and it is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52959 HIGH PATCH This Week

Page allocator corruption in the Linux kernel's AMD SEV-SNP guest driver (virt/sev-guest) affects confidential-computing guests running kernels from 6.14 onward. When a guest issues an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST), an untrusted host can return SNP_GUEST_VMM_ERR_INVALID_LEN with a length that does not match the original allocation; the cleanup path then frees pages using a host-controlled page order, corrupting the guest's page allocator. CVSS is 7.8 (local, high C/I/A), but EPSS is just 0.11% (2nd percentile), and there is no public exploit identified at time of analysis and no CISA KEV listing.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-52958 CRITICAL PATCH Act Now

Out-of-bounds memory access in the Linux kernel's libceph client (osdmap_decode) lets a malicious or compromised Ceph monitor/OSD send a corrupted OSD map whose max_osd field exceeds the actual message length, reading past the allocated buffer. The flaw affects kernels using the in-kernel Ceph client (RBD/CephFS) and is fixed across multiple stable branches. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile), consistent with a memory-safety bug requiring a hostile Ceph endpoint rather than broad internet exposure.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-52956 HIGH PATCH This Week

Denial of service in the Linux kernel's libceph (Ceph client) component allows a malicious or compromised Ceph peer to crash a connecting host during the CephX authentication handshake. The flaw lives in __ceph_x_decrypt(), which reads a ceph_x_encrypt_header (notably hdr->magic) from a decrypted buffer without first verifying the buffer is large enough - a FRAME_TAG_AUTH_REPLY_MORE frame carrying a ciphertext_len of 8 or fewer bytes triggers an out-of-bounds memory access. CVSS is 7.5 (availability-only); EPSS is low at 0.16% (6th percentile), there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52953 HIGH PATCH This Week

Local denial of service in the Linux kernel's Intel VT-d (iommu/vt-d) driver lets a privileged user crash the host by terminating a QEMU/VFIO guest, triggering a general-protection-fault oops. The flaw lives in domain_remove_dev_pasid(), which dereferences the global static blocked domain - a dummy iommu_domain with no backing dmar_domain - during PASID teardown on device reset. No public exploit is identified at time of analysis; EPSS is low (0.17%, 7th percentile) and it is not in CISA KEV.

Linux Canonical Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-52952 HIGH PATCH This Week

Use-after-free in the Linux kernel's IOMMU subsystem allows a local low-privileged actor with device-management access to corrupt kernel memory by racing a domain re-attach against an in-progress PCI device reset. The flaw lies in __iommu_group_set_domain_internal(), where the group->recovery_cnt fence wrongly rejected mandatory detach/teardown callers (IOMMU_SET_DOMAIN_MUST_SUCCEED), so group->domain could be freed while still referenced, and pci_dev_reset_iommu_done() could then re-attach the dangling pointer. EPSS is low at 0.16% (6th percentile) and there is no public exploit identified at time of analysis, but the high CVSS (8.8) reflects full kernel-memory confidentiality, integrity, and availability impact.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-52950 HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's Intel Xe DRM graphics driver (drm/xe) arises from a use-after-free in the dma-buf import path, where an error-handling retry loop operates on a buffer object (bo) that has already been freed. Affecting kernel 6.18 series before the 6.18.33 stable fix, a local low-privileged user with access to the Xe DRM device can trigger the freed-object access to corrupt kernel memory or leak data. There is no public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile), consistent with a local-only, driver-specific bug rather than mass-exploited remote flaw.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52949 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Fix ttm_bo_shrink() infinite LRU walk on backup failure Apply the same fix as b2ed01e7ad ("drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure") to the ttm_bo_shrink() path. Move del_bulk_move from before the backup to after success only, using ttm_resource_del_bulk_move_unevictable() since the resource is now unevictable once fully backed up.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52947 HIGH PATCH This Week

Local privilege escalation and memory corruption is possible in the Linux kernel's QRTR (Qualcomm IPC Router) networking subsystem (net/qrtr/af_qrtr.c), where qrtr_port_remove() decrements a socket's reference count via __sock_put() before erasing the port from the qrtr_ports XArray and before the RCU grace period elapses, violating the RCU update ordering. A concurrent RCU reader (qrtr_reset_ports() or qrtr_port_lookup()) can retrieve the socket and call sock_hold() on an object whose refcount has already reached zero, producing refcount saturation and a use-after-free. The issue was reproduced by syzkaller fuzzing; it carries a CVSS of 7.8 (AV:L), EPSS is low at 0.18% (8th percentile), it is not on CISA KEV, and no public exploit identified at time of analysis.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-57302 MEDIUM This Month

Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

Jenkins Information Disclosure Jenkins Fitnesse Plugin
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57289 MEDIUM This Month

Jenkins Bitbucket Push and Pull Request Plugin versions 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for all outbound Bearer token authenticated requests to configured Bitbucket Server endpoints, creating a man-in-the-middle exposure. Any attacker positioned to intercept network traffic on the path between the Jenkins controller and the Bitbucket Server can capture the Bearer token and subsequently authenticate directly to the Bitbucket Server API. No public exploit is identified at time of analysis, and SSVC rates exploitation as none with partial technical impact; however, the token capture risk is non-trivial for deployments routing Jenkins traffic over untrusted or shared network segments.

Jenkins Information Disclosure Jenkins Bitbucket Push And Pull Request Plugin
NVD VulDB
CVSS 3.1
4.8
EPSS
0.1%
CVE-2026-57287 MEDIUM This Month

Jenkins Job Configuration History Plugin version 1356.ve360da_6c523a_ and earlier exposes encrypted secret values to any Jenkins user holding Extended Read permission by failing to apply Jenkins' standard secret redaction when rendering historical job and agent configurations. Encrypted credential values that Jenkins would normally mask are displayed in full within the plugin's history view, potentially enabling offline analysis of those values. No public exploit or active exploitation has been identified; SSVC rates this as non-automatable with partial technical impact.

Jenkins Information Disclosure Jenkins Job Configuration History Plugin
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-57284 MEDIUM This Month

Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps.

Jenkins Information Disclosure Jenkins Pipeline
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57281 HIGH This Week

Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.

Jenkins Information Disclosure Jenkins Script Security Plugin
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-56370 NuGet MEDIUM PATCH This Month

Out-of-bounds read in ImageMagick's ConnectedComponentsImage() function allows local attackers to trigger access violations by supplying malformed connected-components artifact definitions via the CLI, leading to denial of service or potential arbitrary code execution. All ImageMagick releases before 7.1.2-19 are affected, as are Magick.NET NuGet packages before 14.12.0. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the RCE and information-disclosure tags warrant attention in environments that process untrusted image inputs through automated pipelines.

Denial Of Service RCE Buffer Overflow Information Disclosure Imagemagick +2
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-56337 MEDIUM PATCH This Month

Unauthenticated app enumeration in Capgo before 12.128.2 allows remote attackers to determine whether specific app_ids exist across all tenants by querying the exposed exist_app_v2 RPC endpoint without credentials. The root cause is a PostgreSQL SECURITY DEFINER function that executes with elevated owner privileges, bypassing row-level security policies and enabling cross-tenant information disclosure via the PostgREST API at POST /rest/v1/rpc/exist_app_v2. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code is identified at time of analysis, though the attack requires no authentication and trivial HTTP tooling.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56272 npm MEDIUM PATCH This Month

Flowise versions up to and including 3.0.12 hash passwords using bcrypt with a default cost factor of 5 rounds - yielding only 32 iterations versus the OWASP-recommended minimum of 1,024 at 10 rounds - making stored password hashes approximately 30 times faster to crack with modern GPU hardware. All deployments where the PASSWORD_SALT_HASH_ROUNDS environment variable has not been manually overridden to 10 or higher are affected, which represents the majority of real-world installs since defaults predominate. In a database breach scenario, an attacker who obtains the hash table can leverage GPU-accelerated tools to recover plaintext passwords at roughly 300,000 attempts per second versus ~10,000 at the recommended work factor; no public exploit identified at time of analysis.

Information Disclosure Flowise
NVD GitHub
CVSS 4.0
5.6
EPSS
0.1%
CVE-2026-56256 HIGH PATCH This Week

Two-factor authentication bypass in Capgo before 12.128.2 allows an authenticated admin who has not completed 2FA enrollment to perform privileged organization management actions by replaying or modifying captured API requests. The flaw stems from 2FA being enforced exclusively in the frontend UI while the backend ORG management endpoints accept requests without verifying 2FA completion. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56244 HIGH PATCH This Week

Webhook signing secret disclosure in Capgo prior to 12.128.2 allows authenticated holders of non-admin API keys to read the webhook signing secret directly from the Supabase REST-exposed webhooks table because row-level security policies are too permissive. Once obtained, the secret lets the attacker forge valid X-Capgo-Signature headers and submit spoofed webhook events to any configured receiver, undermining webhook authenticity and integrity. No public exploit identified at time of analysis.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-52944 MEDIUM PATCH This Month

Unauthorized file attribute modification in the Linux kernel's ksmbd SMB server allows authenticated SMB clients to invoke FSCTL_SET_SPARSE and alter a file's sparse xattr without required permissions, bypassing both share-level and per-handle access controls. Two distinct authorization gaps exist: clients on read-only shares can issue the control code because fsctl_set_sparse() omits the KSMBD_TREE_CONN_FLAG_WRITABLE check that other FSCTL write operations enforce, and clients on writable shares with insufficient handle rights (lacking FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES) can modify the attribute because per-handle checks are entirely absent. No active exploitation is confirmed - the vulnerability is absent from CISA KEV and carries an EPSS of 0.22% (12th percentile) - but the exposure surface is any network-reachable ksmbd deployment serving untrusted SMB clients.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52942 HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel netfilter netdev logger (nf_log_syslog) lets a local low-privileged attacker leak adjacent slab memory into the kernel log and potentially crash the system. The flaw is in dump_mac_header(), whose fallback path tests skb->mac_header != skb->network_header but omits skb_mac_header_was_set(); an unset MAC header (value 0xffff) passes the check and causes a read ~64 KiB past the skb buffer. Fixed in stable kernels (e.g., 6.18.36, 6.12.94, 6.6.143, 6.1.176, 5.15.210, 7.0.13/7.1); no public exploit identified at time of analysis and EPSS is low at 0.17%.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-52940 MEDIUM PATCH This Month

Kernel stack memory disclosure in the Linux TUN driver exposes 14 bytes of uninitialized stack data to unprivileged local users on every read of a non-tunnel packet. The flaw affects Linux systems where a local user can open a TUN device and issue the TUNSETVNETHDRSZ ioctl to set the vnet header size to 24 bytes. No public exploit or active exploitation has been identified; EPSS is 0.15% (5th percentile), consistent with a local-only information disclosure requiring deliberate TUN device configuration.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52937 MEDIUM PATCH This Month

Stack information disclosure in the Linux kernel's tap/macvtap driver exposes 8 bytes of uninitialized kernel stack contents to local users via the SIOCGIFHWADDR ioctl, leaking kernel .text and direct-map pointers that defeat KASLR. The affected code path in tap_ioctl() copies a 16-byte sockaddr_storage to userspace while netif_get_mac_address() initializes only 8 bytes (sa_family plus 6-byte Ethernet address), leaving the trailing 8 bytes unread. No public exploit is identified at time of analysis and EPSS sits at 0.15% (5th percentile), but KASLR bypass primitives of this type are routinely chained with local privilege-escalation exploits to gain kernel code-execution. NOTE: The provided CVSS vector (C:N/I:N/A:H) appears to misclassify this vulnerability - confidentiality is the impacted property, not availability; the assessed vector below corrects this.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52936 MEDIUM PATCH This Month

CPU stall vulnerability in the Linux kernel jitterentropy subsystem allows local low-privileged users to trigger prolonged non-preemptible spinlock holds by spawning concurrent entropy requests through jent_kcapi_random(), which holds a spinlock across expensive SHA3 conditioning and jitter collection. Systems running kernel versions from approximately 4.2 through pre-fix stable branches face entropy starvation and CPU busy-wait degradation under parallel getrandom() load. No public exploit identified at time of analysis; EPSS is 0.16% at the 5th percentile and no CISA KEV listing applies, making this a low-urgency, operator-pace patch for most deployments.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52934 HIGH PATCH This Week

Kernel heap memory corruption affects the batman-adv (B.A.T.M.A.N. Advanced) mesh routing subsystem of the Linux kernel, where a u16 accumulator in batadv_tvlv_container_list_size() can wrap around when the total size of registered TVLV containers exceeds 65535 bytes, leading to an undersized allocation and a subsequent out-of-bounds memcpy write in batadv_tvlv_container_ogm_append(). An attacker positioned on the mesh able to drive TVLV container accumulation past U16_MAX can corrupt adjacent kernel memory, risking denial of service or potential code execution. This is no public exploit identified at time of analysis, EPSS exploitation probability is low (0.16%), and it is not listed in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-52932 HIGH PATCH This Week

Memory leak in the Linux kernel's xfrm IPComp (IP Payload Compression) code allows resource exhaustion because the destination scatter-gather page list is not freed when an asynchronous compression (acomp) operation fails. Affecting Linux 6.15 through the fixed stable releases, the flaw lets repeated compression errors progressively consume kernel memory, with CVSS scoring only availability impact (A:H). There is no public exploit identified at time of analysis and EPSS is low at 0.15%.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52931 CRITICAL PATCH Act Now

Use of uninitialized sender variables in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh networking module allows a malicious mesh peer to trigger undefined behavior on a node acting as a tp_meter receiver. When such a node receives a crafted ACK packet, batadv_tp_recv_ack() and batadv_tp_stop() execute sender-only code paths that read tp_vars members never initialized for the receiver role, potentially leaking memory contents or crashing the kernel. No public exploit identified at time of analysis; EPSS probability is low (0.17%, 6th percentile) and the issue is not in CISA KEV, but a vendor patch is available across multiple stable trees.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-52930 MEDIUM PATCH This Month

Race condition in the Linux kernel's System V IPC shared memory subsystem allows a local low-privileged attacker to crash the kernel. The `shm_destroy_orphaned()` cleanup path evaluates whether an orphaned segment is safe to destroy by checking `shm_nattch` without holding `shm_perm.lock`, while the attach/detach paths update that counter independently of `shm_ids(ns).rwsem`, creating a window where a still-attached segment is erroneously destroyed. The EPSS score is 0.17% (6th percentile) and no KEV listing or public exploit exists, placing this firmly in the routine-patching tier rather than emergency response.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52928 MEDIUM PATCH This Month

Availability disruption in the Linux kernel's AF_UNIX socket subsystem allows a local low-privileged user to trigger an unhandled code path by issuing a SIOCATMARK ioctl on non-stream (SOCK_DGRAM or SOCK_SEQPACKET) AF_UNIX sockets, which the kernel incorrectly permits to proceed into receive-queue inspection logic intended only for SOCK_STREAM. The flaw stems from a logic inconsistency: while SOCK_DGRAM and SOCK_SEQPACKET already reject MSG_OOB in sendmsg()/recvmsg(), the SIOCATMARK ioctl handler lacked the corresponding guard, creating an exploitable divergence. No public exploit or CISA KEV listing exists; EPSS at 0.16% (5th percentile) reflects a very low real-world exploitation probability.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52927 HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel ebtables 32-bit compat layer (compat_mtw_from_user) lets a local low-privileged user holding CAP_NET_ADMIN trigger KASAN-detected OOB reads by supplying an undersized match_size/target_size for an extension whose ->compat_from_user() callback assumes it can read compatsize bytes. It affects Linux from 2.6.34 through builds before the fix and is resolved upstream across all maintained stable branches; no public exploit is identified at time of analysis and EPSS is low (0.16%, 6th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52926 MEDIUM PATCH This Month

Stale gateway pointer in the Linux kernel's batman-adv mesh networking subsystem causes availability failures during mesh teardown and recreation. The batman-adv gateway cleanup function `batadv_gw_node_free()` frees gateway list entries without clearing `bat_priv->gw.curr_gw`, leaving a dangling reference that persists across cleanup and breaks subsequent mesh recreation attempts. No public exploit exists and EPSS sits at 0.16% (6th percentile), indicating negligible opportunistic exploitation interest at time of analysis.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52923 HIGH PATCH This Week

Local privilege escalation and information disclosure in the Linux kernel's SysV IPC subsystem stems from an unbounded ID allocation in ipc_idr_alloc() along the checkpoint/restore (CRIU) path, where a user-supplied next_id can spill past the valid ipc_mni range. Because removal truncates the index via ipcid_to_idx(), a high-index object can be freed while its real IDR slot dangles, so a subsequent /proc/sysvipc/shm walk dereferences freed memory - a use-after-free. No public exploit identified at time of analysis; EPSS is low at 0.17% (6th percentile) and the issue is not on CISA KEV.

Linux Information Disclosure Checkpoint
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52920 HIGH PATCH This Week

Incorrect strict-mode policy matching in the Linux kernel's netfilter xt_policy module causes multi-element inbound IPsec policy rules to be evaluated in the wrong order, so packets can be matched against the wrong transform descriptor. On systems that filter inbound traffic with iptables/nftables 'policy' matches in strict mode using multiple policy elements, this can let traffic that should be rejected satisfy the rule (or legitimate IPsec traffic fail it), undermining the intended firewall/IPsec enforcement. There is no public exploit identified at time of analysis and EPSS is low (0.16%, 6th percentile); the issue has been resolved upstream with stable patches available.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-52919 HIGH PATCH This Week

Local privilege escalation via use-after-free in the Linux kernel's batman-adv (B.A.T.M.A.N. advanced) mesh networking module allows a local low-privileged user to crash or potentially gain code execution by triggering a tp_meter counter underflow during interface shutdown. Concurrent shutdown paths (timeout, user cancel, normal finish) each decrement the 'sending' atomic counter, underflowing it to -1, which traps the sender kthread in an infinite loop and produces a use-after-free when the mesh interface is removed while the zombie thread still runs. No public exploit identified at time of analysis, and EPSS is low at 0.16%; a vendor patch is available across multiple stable trees.

Linux Information Disclosure Integer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52918 HIGH PATCH This Week

Use-after-free in the Linux kernel Bluetooth subsystem allows a crafted sequence of socket polling and connection teardown to dereference a freed sock structure, because bt_sock_poll() walks the per-socket accept queue without synchronization while a concurrent child teardown unlinks the same socket and drops its last reference. The flaw has existed since the original Bluetooth import and affects effectively all kernel versions until the fixed stable releases; EPSS is low (0.18%, 7th percentile) and there is no public exploit identified at time of analysis. Successful exploitation of the freed-object access can corrupt kernel memory, enabling denial of service and potentially privilege escalation.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-52917 HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel's SCTP sock_diag subsystem allows a local attacker to disclose adjacent kernel memory and potentially crash the system by racing a diag dump against association teardown. The exact sock_diag lookup (dump_one path) can hold a transport reference, block on lock_sock(), and resume after sctp_association_free() has reaped the association and freed its bind-address list, causing inet_diag_msg_sctpasoc_fill() to dereference an emptied bind-address list as a valid sctp_sockaddr_entry. CVSS is 7.1 (local, high confidentiality and availability impact); EPSS is low (0.18%, 7th percentile), there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-52916 MEDIUM PATCH This Month

Stack exhaustion in the Linux kernel batman-adv mesh networking subsystem allows an attacker on the same batman-adv mesh to crash the kernel by sending matryoshka-nested BATADV_UNICAST_FRAG packets. The reassembled payload's packet type is not validated before re-processing, enabling unbounded recursion in batadv_batman_skb_recv() that exhausts kernel stack and causes a hard system crash. No active exploitation is recorded in CISA KEV and EPSS sits at 0.18% (7th percentile), making this a targeted DoS risk limited to environments running batman-adv mesh networking.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-9710 HIGH POC PATCH This Week

Sensitive information disclosure in the premium Cornerstone page builder (bundled with the X theme) versions 3.0.0 through 7.8.7 allows any authenticated WordPress user to extract raw password hashes and other private user metadata. The CSS-preview request handler fails to enforce capability checks while exposing its required nonce on every wp-admin page, and publicly available exploit code exists per WPScan, though no active exploitation has been reported.

WordPress Information Disclosure Cornerstone
NVD WPScan VulDB
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-9709 HIGH POC PATCH This Week

Authenticated information disclosure in the premium Cornerstone page builder (bundled with the X WordPress theme) before version 7.8.9 allows any logged-in user to enumerate other users' metadata via an unprotected REST API route. Disclosed data includes roles, session token previews, and stored billing/shipping fields, enabling account targeting and potential session abuse. Publicly available exploit code exists per WPScan, though there is no public exploit identified as actively used in the wild and the issue is not listed in CISA KEV.

WordPress Information Disclosure Cornerstone
NVD WPScan VulDB
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-10753 LOW POC PATCH Monitor

Insufficient REST API authorization in the Site Kit by Google WordPress plugin before version 1.176.0 permits users with dashboard sharing access - such as those granted the Editor role - to write to a site-wide settings endpoint that should be restricted to administrators. The integrity impact is confined to plugin-level configuration, but the flaw is significant because dashboard sharing is commonly granted to non-admin contributors on multi-author sites. A publicly available proof-of-concept exists per WPScan; exploitation probability remains very low (EPSS 0.13%, 3rd percentile) and the vulnerability is not listed in the CISA KEV catalog.

WordPress Information Disclosure Google Site Kit By Google
NVD WPScan VulDB
CVSS 3.1
2.7
EPSS
0.1%
CVE-2026-10735 HIGH POC PATCH This Week

Multiple Shapedsmart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 Pro smart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 were distributed with malicious code through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage payload that exfiltrates credentials and other sensitive data and grants full control of affected sites.

Information Disclosure WordPress Smart Post Show Pro Real Testimonials Pro Product Slider For Woocommerce Pro
NVD WPScan VulDB GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-9178 HIGH This Week

Information disclosure in the WP Forms Connector WordPress plugin (versions through 1.8) allows unauthenticated remote attackers to retrieve any user's password hash and email address via the wp/v3/user/list/<id> REST route. The endpoint's permission_callback is hard-coded to __return_true and the bespoke auth check verifies only that the Username header maps to an administrator (typically 'admin') without ever calling wp_check_password() to validate the supplied Password header. No public exploit identified at time of analysis, but the trivial nature of the bypass and the exposure of user_pass hashes make this a credible account-takeover vector.

Information Disclosure Authentication Bypass WordPress Wp Forms Connector
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-9612 MEDIUM This Month

Unauthenticated mass PII harvesting is possible on any WordPress site running the WhatsOrder - Instant Checkout for WooCommerce plugin (all versions through 1.0.1) because the plugin writes customer invoice HTML files to a publicly accessible directory with no access restrictions. The `yapacdev_generate_order_pdf` function deposits invoices under `wp-content/uploads/whatsorder_invoices/` without generating an `.htaccess` deny rule or `index.php` guard, and because WooCommerce uses predictable sequential order IDs, any remote attacker can enumerate and download every customer invoice with no authentication. Exposed data includes full name, email, phone number, billing address, itemized order contents with pricing, applied coupon codes, shipping method, and order total. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure PHP WordPress Whatsorder Instant Checkout For Woocommerce
NVD
CVSS 3.1
5.3
EPSS
0.3%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel's NFSD (in-kernel NFSv4 server) arises from an nfs4_file reference-count leak in nfsd4_add_rdaccess_to_wrdeleg, where __nfs4_file_get_access is wrongly called even when another thread has already taken READ access on the file. The leaked fi_access count keeps the backing nfsd_file pinned, so stopping the nfs-server service triggers a kernel BUG in kmem_cache_destroy() because nfsd_file objects remain on cache shutdown. The flaw affects systems running the in-kernel NFS server (fixed in 6.18.33, 7.0.10, and 7.1); there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.17%).

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's greybus 'raw' driver (drivers/staging/greybus/raw.c) allows a local user holding an open character-device handle to trigger memory corruption when the underlying raw bundle is disconnected and the application later closes the cdev. The flaw stems from the gb_raw structure (which embeds the cdev) being freed in the disconnect callback while a userspace reference remains, causing cdev_put to operate on freed memory and a refcount underflow/panic, especially with CONFIG_INIT_ON_FREE_DEFAULT_ON=y. No public exploit identified at time of analysis, and EPSS is low (0.16%, 6th percentile), consistent with a local, niche-driver issue.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Missing NUL termination in the Linux kernel's ntfs3 filesystem driver allows a local attacker with filesystem mount privileges to trigger an out-of-bounds memory read, crashing the kernel. The defect in ntfs_fill_super() leaves sbi->volume.label unterminated when a UTF-16 volume label converts to a UTF-8 string that exactly fills the fixed buffer, causing ntfs3_label_show() to read past the buffer boundary via a %s format specifier. No public exploit has been identified at time of analysis and EPSS sits at 0.17% (7th percentile), indicating very low current exploitation interest despite the High availability impact in CVSS.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Unbounded string concatenation in the Linux kernel's Dell WMI BIOS interface driver (dell-wmi-sysman) allows a local low-privileged attacker on Dell hardware to crash the kernel. The populate_enum_data() function bounds each individual firmware-provided string but applies no remaining-space check during cumulative strcat() calls into fixed 512-byte struct members, enabling a buffer overflow that results in complete system availability loss. With an EPSS of 0.17% (7th percentile), no public exploit code, and no CISA KEV listing, this is a low-likelihood but straightforward local denial-of-service on Dell platforms running unpatched kernel versions.

Dell Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation or memory disclosure is possible in the User Mode Linux (UML/'um') architecture of the Linux kernel (affected around 6.19, fixed in 7.0.10 and 7.1) due to a TLB-sync race condition where the page table is traversed and modified without holding the page table lock. Concurrent threads in the same process can corrupt page table state, with CVSS 7.8 (local, low-privilege) and a high-impact triad; there is no public exploit identified at time of analysis and EPSS is low at 0.15% (5th percentile), consistent with a hard-to-trigger local race rather than a mass-exploited flaw.

Linux Information Disclosure Race Condition
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel panic in the SpaceMIT clock controller driver (`clk-spacemit-ccu`) can be triggered during CPU frequency scaling on systems running SpaceMIT RISC-V hardware. The root cause is an inverted boolean condition in `ccu_mix_trigger_fc()` that causes the frequency change trigger to be skipped at the wrong time and fired at the wrong time, crashing the kernel under normal cpufreq governor activity. Exploitation requires only local low-privilege access, but is practically limited to the narrow hardware footprint of SpaceMIT K1-based boards; no public exploit or CISA KEV listing exists, and EPSS is 0.17% (6th percentile).

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel panic in the Linux f2fs garbage collector allows a local low-privileged user to crash the system by triggering a VM_BUG_ON_FOLIO assertion when GC attempts to re-read a page already marked uptodate after multiple block relocations. The affected subsystem is f2fs (Flash-Friendly File System); systems using ext4, XFS, or other filesystems are not impacted. EPSS is extremely low (0.17%, 6th percentile) and no active exploitation has been identified, making this a stability/DoS concern primarily relevant to mobile, embedded, and flash-storage Linux deployments.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Data loss in the Linux kernel's f2fs (Flash-Friendly File System) driver exposes files created and synced before any checkpoint has been written to permanent loss on sudden power off. The race condition between fsync on newly created files and concurrent checkpoint operations causes f2fs_need_inode_block_update() to misread prematurely set nat_entry flags (IS_CHECKPOINTED and HAS_LAST_FSYNC), leading fsync to skip the inode block flush it actually requires. No public exploit identified at time of analysis; the EPSS score of 0.16% at the 6th percentile reflects the narrow triggering conditions and local-only attack surface.

Checkpoint Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds write in the Linux kernel's AMD Cryptographic Coprocessor (ccp) driver allows a local low-privileged user to overrun a caller-supplied IV buffer by 8 bytes when issuing rfc3686(ctr(aes)) requests through the AF_ALG socket interface. The ccp_aes_complete() handler unconditionally copies AES_BLOCK_SIZE (16 bytes) back into the IV buffer, but RFC3686 skciphers expose only an 8-byte IV, corrupting adjacent memory. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and the EPSS probability is low (0.18%, 7th percentile).

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Integer truncation in the Linux kernel's EROFS filesystem driver on 32-bit platforms causes logical cluster number (LCN) calculations to overflow at the 4 GiB boundary, resulting in incorrect block addressing and potential kernel-level availability impact. Affected systems are those running 32-bit Linux kernels (where `unsigned long` is 32 bits wide) with EROFS filesystems mounted. No public exploit exists and no active exploitation has been confirmed; EPSS stands at a very low 0.17% (6th percentile), consistent with the niche attack surface of 32-bit deployments.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel panic via skb headroom exhaustion in the Linux kernel's Traffic Control (TC) act_mirred subsystem affects systems using block-cast packet redirection across mixed device types. The root cause is a copy-paste error in tcf_blockcast_redir() where dev_is_mac_header_xmit() is queried against the next device in the iteration (dev) rather than the device currently being transmitted to (dev_prev), causing tcf_mirred_to_dev() to make wrong MAC header push/pull decisions for intermediate devices. In the worst case, skb_push_rcsum is called with an incorrect mac_len, exhausting socket buffer headroom and triggering a kernel panic. No public exploit code has been identified and EPSS is 0.17% at the 6th percentile, consistent with low real-world exploitation interest.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF macvlan_get_size() does not account for IFLA_MACVLAN_BC_CUTOFF, but macvlan_fill_info() conditionally includes it when port->bc_cutoff != 1. This causes nla_put_s32() to fail with -EMSGSIZE when the netlink skb runs out of space, triggering a WARN_ON in rtnetlink and preventing the interface from being dumped. The bug can be reproduced with: ip link add macvlan0 link eth0 type macvlan mode bridge ip link set macvlan0 type macvlan bc_cutoff 0 ip -d link show macvlan0 # fails with -EMSGSIZE The bc_cutoff feature was added in commit 954d1fa1ac93 ("macvlan: Add netlink attribute for broadcast cutoff"), which added the nla_put_s32() call in macvlan_fill_info() but missed adding the corresponding nla_total_size(4) in macvlan_get_size(). A follow-up commit 55cef78c244d ("macvlan: add forgotten nla_policy for IFLA_MACVLAN_BC_CUTOFF") fixed the missing nla_policy entry but still did not fix the size calculation.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's taprio traffic scheduler (net/sched) arises from a use-after-free in advance_sched() during an admin-to-oper schedule switch, affecting kernels from 5.2 through the fixed releases. After switch_schedules() queues the old oper schedule for RCU freeing, the 'next' pointer still references a freed entry that is then written to and published via rcu_assign_pointer(), letting a local user with network-configuration capability corrupt kernel memory for potential code execution. No public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile), consistent with a complex local-only TSN feature rather than mass exploitation.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use-after-free in the Linux kernel's ksmbd in-kernel SMB3 server occurs during durable handle reconnect, where smb2_open prematurely drops the durable file reference via ksmbd_put_durable_fd(fp); a subsequent error path or scavenger access then dereferences freed fp fields (e.g., fp->create_time). Affecting Linux ksmbd across multiple stable branches and fixed in releases such as 6.6.32, 6.18.33, 7.0.10, and 7.1, the flaw is rated CVSS 9.8 but carries a low EPSS of 0.17% (6th percentile); it is not in CISA KEV and no public exploit identified at time of analysis. An attacker with SMB access can trigger memory corruption potentially leading to information disclosure, denial of service, or code execution in kernel context.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use-after-free in the Linux kernel's IPv6 ICMPv6 receive path (icmpv6_rcv()) allows stale pointers to freed socket buffer memory to be dereferenced after a pskb_pull() call relocates skb->head. The affected code cached the source and destination addresses (saddr/daddr) before the pull, and these stale references were only consumed by net_dbg_ratelimited() in the slow path, limiting practical impact. The flaw is fixed upstream across all maintained stable trees; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile).

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local use-after-free in the Linux kernel's AF_UNIX subsystem occurs when SOCKMAP (BPF socket map) redirects skbs carrying inflight file descriptors, hiding them from the AF_UNIX garbage collector and breaking the Tarjan-based GC's assumption that unix_edge.successor stays alive — producing a slab use-after-free in unix_del_edges() plus inflight-socket leaks and incorrect fdinfo accounting. Affected are kernels supporting SOCKMAP/sk_psock redirect (roughly 5.15 through pre-fix 7.x trees); a local attacker who can set up SOCKMAP redirection and pass SCM_RIGHTS descriptors can corrupt kernel memory toward privilege escalation or denial of service. There is no public exploit identified at time of analysis, EPSS is low (0.16%, 6th percentile), and it is not in CISA KEV.

Linux Information Disclosure Debian +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel's PPPoE/PPP driver allows a malicious or broken peer to crash affected hosts by sending PPP frames with a compressed (1-byte) Protocol Field. Because pppd never negotiates Protocol Field Compression for PPPoE yet ppp_input() still accepted compressed frames, the payload is shifted one byte, producing a 4-byte misaligned network header that can raise unaligned-access exceptions on architectures that do not tolerate them. There is no public exploit identified at time of analysis; EPSS is low (0.18%, 7th percentile) and the issue is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: netfilter: xtables: restrict several matches to inet family This is a partial revert of: commit ab4f21e6fb1c ("netfilter: xtables: use NFPROTO_UNSPEC in more extensions") to allow ipv4 and ipv6 only. - xt_mac - xt_owner - xt_physdev These extensions are not used by ebtables in userspace. Moreover, xt_realm is only for ipv4, since dst->tclassid is ipv4 specific.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation / memory corruption in the Linux kernel's netfilter NAT subsystem (introduced in v5.14) arises because nf_nat_register_fn() freed nf_hook_ops structures immediately rather than deferring the release via RCU. Because the v5.14-era nfnetlink_hook feature lets userspace dump active netfilter hooks by peeking into the ops blob, a concurrent dump racing the NAT (un)register error path can access ops memory after it is freed. No public exploit has been identified at time of analysis and EPSS is low (0.17%), but the high-impact CVSS vector reflects a use-after-free class flaw in a core kernel subsystem.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds read in the Linux kernel's netfilter nfnetlink_osf (passive OS fingerprinting) module occurs when the shared nf_osf_hdr_ctx->optp pointer is not reset after a fingerprint fully matches during TCP option parsing. Affecting systems that use the osf match with NF_OSF_LOGLEVEL_ALL enabled, the flaw causes subsequent fingerprint checks to parse beyond the end of the TCP options buffer, reading garbage data and producing incorrect or missing match logs. Although carrying a 9.1 CVSS, this is a functional/correctness bug in a niche feature; there is no public exploit identified at time of analysis and EPSS is low (0.18%, 7th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource exhaustion in the Linux kernel ksmbd SMB server allows a low-privileged authenticated SMB client to leak kernel file descriptor references by sending repeated SMB2 CREATE requests with a DURABLE_HANDLE_REQUEST_V2 context that produces a CreateGuid hit but a ClientGUID mismatch. Each such request increments the refcount on a ksmbd_file via ksmbd_fp_get() in ksmbd_lookup_fd_cguid() but the mismatch code path never calls the matching release, causing global_ft entries to be pinned indefinitely. Over time this defeats the durable file scavenger and causes long-lived kernel resource leaks that can degrade or deny availability. No public exploit has been identified at time of analysis and EPSS is 0.19% (9th percentile), indicating low opportunistic exploitation probability.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stack memory disclosure in the Linux kernel RDS/IB subsystem exposes up to 26 bytes of uninitialized kernel stack contents - including kernel text and data pointers - to local unprivileged users via the getsockopt(SOL_RDS, RDS_INFO_IB_CONNECTIONS) interface. The leak enables KASLR bypass on systems where the kernel was built without CONFIG_INIT_STACK_ALL_ZERO=y, making this a useful primitive for chaining into privilege escalation. No public exploit code and no CISA KEV listing exist at time of analysis; EPSS is very low at 0.18% (7th percentile), but the CVE description itself supplies a complete, step-by-step reproduction recipe that reduces practical exploitation complexity to near-trivial for any local user with AF_RDS socket access.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Improper RLIMIT_MEMLOCK accounting in the Linux kernel's vsock/virtio MSG_ZEROCOPY path allows a local low-privileged user to bypass per-process pinned-page limits, enabling unbounded kernel memory pinning that can drive the system toward memory exhaustion. The flaw is confined to the virtio vsock transport and is not remotely exploitable. No public exploit has been identified and EPSS sits at 0.17% (7th percentile), reflecting low exploitation interest; however, a vendor-confirmed fix is available in stable releases.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Memory corruption in the Linux kernel's TIPC (Transparent Inter-Process Communication) protocol stack allows remote attackers to trigger a double-free in tipc_buf_append() during message reassembly, where tipc_msg_validate() may reallocate and free the working skb while the error path frees a now-stale pointer. Affected systems are those running a vulnerable kernel (introduced around 4.15-era code, present across 5.10-7.0 branches) with the TIPC subsystem in use; successful exploitation can crash the kernel and, depending on heap conditions, potentially lead to privilege escalation. There is no public exploit identified at time of analysis, EPSS risk is low (0.18%, 7th percentile), and it is not listed in CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-escalation-capable memory corruption in the Linux kernel's PSI (Pressure Stall Information) subsystem allows a local user with write access to cgroup pressure files to trigger a use-after-free or NULL-pointer dereference. The flaw stems from a race between pressure_write() and cgroup file release/rmdir on the kernfs_open_file->priv pointer, confirmed via a KASAN slab-use-after-free report in pressure_write+0xa4/0x210. No public exploit identified at time of analysis, and EPSS is low (0.19%, 8th percentile), indicating no observed mass exploitation.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource leak in the Linux kernel fsnotify subsystem causes hung tasks and local denial of service via a race condition in fsnotify_recalc_mask(). A local low-privilege user can trigger concurrent mark addition and removal on a filesystem connector object, causing an inode pointer returned by __fsnotify_recalc_mask() to be silently discarded rather than released via fsnotify_drop_object() - permanently blocking the umount path as fsnotify_sb_delete() waits indefinitely on the leaked reference. No public exploit exists and EPSS is at the 7th percentile, indicating negligible opportunistic exploitation risk.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Kernel-memory disclosure and denial of service in the Linux kernel's netfilter nf_tables subsystem arises from unsafe RCU list traversal: a netlink dump can walk a basechain/flowtable hook list concurrently with a ruleset update, racing on partially-published hooks. The fix publishes new hooks via splice_list_rcu() during the commit phase so RCU readers see a consistent list. EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis; the issue is a local race condition affecting privileged ruleset operations rather than a remotely reachable flaw.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and kernel memory corruption is possible in the Linux kernel's AMD GPU driver (amdgpu) via a double drm_exec_fini() in the user-queue validation path. When amdgpu_userq_vm_validate() runs with new_addition set, a failure in amdgpu_ttm_tt_get_user_pages() routes execution to a cleanup label that finalizes the already-freed drm_exec object a second time, corrupting kernel state. No public exploit identified at time of analysis, and EPSS rates exploitation probability at only 0.16% (6th percentile), consistent with a hard-to-trigger local bug rather than a mass-exploited flaw.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: netdevsim: zero initialize struct iphdr in dummy sk_buff Syzbot reports a KMSAN uninit-value originating from nsim_dev_trap_skb_build, with the allocation also being performed in the same function. Fix this by calling skb_put_zero instead of skb_put to guarantee zero initialization of the whole IP header.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Unbounded queue growth in the Linux kernel's netem (Network Emulator) traffic control subsystem allows a local low-privileged user to exhaust kernel memory and trigger a denial of service. The flaw exists because netem_enqueue() enforces queue depth limits using only q->t_len (packets in the internal tfifo), while packets placed into sch->q via the reorder path (__qdisc_enqueue_head) are silently excluded from that count, allowing total queue occupancy to grow beyond sch->limit without bound. No public exploit has been identified and the EPSS score of 0.18% (8th percentile) places this in the lowest exploitation-probability tier; however, the vulnerability affects a wide range of active stable kernel branches and patched versions are available.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial-of-service (TX queue stall) in the Linux kernel's Airoha QDMA Ethernet driver affects systems running on Airoha/MediaTek SoCs where airoha_dev_xmit() accounts inflight packets only across AIROHA_NUM_TX_RING queues while the NAPI completion path settles all netdev TX queues, corrupting Byte Queue Limits (BQL) state. The mismatch can wedge transmit queues and degrade or halt network throughput on the device. EPSS is 0.17% (7th percentile) and there is no public exploit identified at time of analysis; an upstream stable fix exists.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use-after-free in the Linux kernel rtl8150 USB-to-Ethernet driver (drivers/net/usb/rtl8150.c) lets the transmit path read freed socket-buffer memory: rtl8150_start_xmit() reads skb->len for TX byte accounting after usb_submit_urb(), but the URB completion handler write_bulk_callback() can free the skb on another CPU first, producing a slab-use-after-free read flagged by KASAN/syzbot. Affected systems are those using an RTL8150-based USB Ethernet adapter; the practical impact is a stale/garbage stat read or a potential crash from freed-memory access rather than reliable info disclosure. There is no public exploit identified at time of analysis (not in CISA KEV, EPSS 0.18%/8th percentile), and the issue was found and fixed via upstream syzbot fuzzing.

Linux Information Disclosure Use After Free +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Memory exhaustion in the Linux kernel networking stack stems from a socket buffer (SKB) leak in neigh_xmit(): when the function is called against an uninitialized neighbour table - for example NEIGH_ND_TABLE while IPv6 is disabled - it returns -EAFNOSUPPORT and bypasses its out_kfree_skb path, leaking the packet buffer because callers (originally MPLS) rely on neigh_xmit() to take ownership of the skb. Repeated triggering slowly exhausts kernel memory, leading to denial of service (CVSS 7.5, A:H). There is no public exploit identified at time of analysis, and EPSS is low (0.19%, 9th percentile); the upstream fix makes neigh_xmit() assume full ownership and free the skb on every path.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Race condition in the Linux kernel PSP network subsystem allows a local low-privileged attacker to crash the kernel through a TOCTOU flaw in device association creation. In `psp_assoc_device_get_locked()`, a device reference acquired under RCU becomes stale before the protecting lock is taken if `psp_dev_unregister()` completes concurrently, leaving the kernel operating on freed or invalid device state. No public exploit has been identified and EPSS stands at 0.17% (6th percentile), reflecting minimal active exploitation risk despite the well-characterized code-level race condition.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

In the Linux kernel, the following vulnerability has been resolved: net: psp: require admin permission for dev-set and key-rotate The dev-set and key-rotate netlink operations modify shared device state (PSP version configuration and cryptographic key material, respectively) but do not require CAP_NET_ADMIN. The only access control is psp_dev_check_access() which merely verifies netns membership.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Livelock in the Linux kernel's futex requeue-PI subsystem can hang a system when a signal or timeout interrupts a FUTEX_WAIT_REQUEUE_PI operation concurrently with an active FUTEX_CQ_REQUEUE_PI requeue. The race causes a waiting thread (Task A) to block indefinitely on a hash-bucket lock while a requeue thread (Task B) busy-loops retrying the same operation, consuming all available CPU - worst-case on uniprocessor systems where Task A cannot be scheduled at all. No public exploit is identified and EPSS is 0.17% (7th percentile), but the deterministic nature of the livelock on UP or real-time-scheduled hardware makes this a genuine denial-of-service risk; patches are available across six Linux stable branches.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Linux kernel's drm/xe Intel GPU driver arises from two error-handling defects in xe_exec_queue_create_ioctl() that leave a freed exec queue linked into either the VM's preempt-fence compute list or the hardware engine group list, producing a dangling pointer and a use-after-free. A local user with access to the DRM device on systems running the affected Intel Xe driver (introduced around 6.12) can trigger the faulty cleanup paths to corrupt kernel memory, with potential for code execution at kernel privilege. There is no public exploit identified at time of analysis and EPSS is low (0.18%, 7th percentile); the issue is fixed upstream and in stable releases.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Concurrent access to an unprotected pointer in the Linux kernel's 802.3ad (LACP) bonding driver allows a local user to trigger a data race between the AD state-machine worker and the rtnetlink read path that fetches active aggregator info. Discovered by syzbot/KCSAN, the torn read of the `port->aggregator` pointer can disclose kernel memory state or destabilize the bonding driver on systems configured with LACP NIC teaming. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.18%, 7th percentile).

Linux Information Disclosure Google
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Memory exhaustion (denial of service) in the Linux kernel's TLS device-offload receive path, where a failure during hardware offload setup leaks the strparser anchor socket buffer (skb) and never frees it. Affecting kernels from the introduction of the custom strparser (commit 84c61fe1a75b) onward, repeated triggering of the offload setup-failure path slowly drains kernel memory; CVSS rates availability impact High (7.5) but EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis. The regression was introduced by the kTLS-specific strparser rewrite and does not affect kernels using the standard strparser.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Linux kernel futex subsystem stems from a slab use-after-free in futex_hash_put, triggered when a process shares its mm via CLONE_VM without CLONE_THREAD. The flawed need_futex_hash_allocate_default() check broke the non-concurrency assumption for per-CPU mm->futex_ref allocation, letting a stale +1 bias land on a percpu counter the mm no longer references. Carries CVSS 7.8 (high) with full C/I/A impact; no public exploit identified at time of analysis and EPSS is low (0.17%).

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's Amazon ENA (Elastic Network Adapter) PTP Hardware Clock (PHC) get_timestamp path lets a local low-privileged user trigger a NULL/dangling pointer dereference via a race between timestamp reads and clock teardown. The driver checked phc->active and cached the resp pointer from ena_dev->phc.virt_addr before taking the spinlock, so a concurrent ena_com_phc_destroy() could free the DMA memory and NULL virt_addr mid-operation. With a CVSS of 7.8 (high) but EPSS of only 0.17% (7th percentile), this is a memory-safety race with no public exploit identified at time of analysis; it is fixed upstream and patched in stable releases.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: fix missing expect put in obj eval nft_ct_expect_obj_eval() allocates an expectation and may call nf_ct_expect_related(), but never drops its local reference. Add nf_ct_expect_put(exp) before return to balance allocation.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's KVM s390 PCI adapter-interrupt-forwarding (AIF) code allows a low-privileged local actor on IBM Z (s390x) hosts to read and corrupt kernel memory. The flaw stems from double-scaled pointer arithmetic when indexing the GAIT table in kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and aen_host_forward(), triggered when an adapter interrupt source (aisb) index reaches 32 or higher under ZPCI_NR_DEVICES=512. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.18%, 8th percentile).

Buffer Overflow Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Out-of-bounds read and denial-of-service in the Linux kernel SMB/CIFS client (cifs.ko) affects systems mounting SMB shares on 32-bit architectures. When parsing a malicious SMB2 error response, the symlink_data() routine mishandles a hostile ErrorDataLength value, causing either an infinite loop or a read past the buffer that can hang the client or leak adjacent kernel memory. There is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile), but the bug is reachable by any malicious or compromised SMB server a vulnerable client connects to.

Linux Denial Of Service Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: drm: Replace old pointer to new idr Commit 5e28b7b94408 introduced a logical error by failing to replace the newly generated IDR pointer to old id's pointer at the correct location within the "change handle" logic; this resulted in the issue reported by syzbot [1]. Specifically, the new IDR object pointer is intended to replace the original id's pointer during the normal execution flow. Additionally, an unnecessary conditional check for the ret exit path has been removed. [1] !RB_EMPTY_ROOT(&prime_fpriv->dmabufs) WARNING: drivers/gpu/drm/drm_prime.c:224 at drm_prime_destroy_file_private+0x48/0x60 drivers/gpu/drm/drm_prime.c:224, CPU#0: syz.0.17/5833 Call Trace: drm_file_free.part.0+0x7e6/0xcc0 drivers/gpu/drm/drm_file.c:269 drm_file_free drivers/gpu/drm/drm_file.c:237 [inline] drm_close_helper.isra.0+0x186/0x200 drivers/gpu/drm/drm_file.c:290 drm_release+0x1ab/0x360 drivers/gpu/drm/drm_file.c:438

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Out-of-bounds descriptor read in the Linux kernel ALSA USB MIDI 2.0 subsystem allows a physically proximate or low-privileged local attacker to crash the kernel by presenting a malformed USB audio device with crafted MIDI 2.0 endpoint descriptors. The USB MIDI 2.0 endpoint parser validates bLength against bNumGrpTrmBlock but omits validation against remaining bytes in the endpoint-extra scan, allowing baAssoGrpTrmBlkID[] reads to advance past the descriptor buffer boundary. No public exploit is identified; EPSS stands at 0.18% (7th percentile), consistent with narrow, hardware-dependent attack surface and no active exploitation.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Bound MIDI endpoint descriptor scans snd_usbmidi_get_ms_info() validates the internal MIDIStreaming endpoint descriptor size before using baAssocJackID[], but the descriptor walker can still return a class-specific endpoint descriptor whose bLength exceeds the remaining bytes in the endpoint-extra scan. That leaves later flexible-array reads bounded by bLength, but not by the remaining bytes in the endpoint-extra scan. Stop walking when bLength is zero or extends past the remaining endpoint-extra scan.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel's CephFS (ceph) client allows local users with an active CephFS mount to leak kernel memory by triggering the dirty-page writeback path. The flaw stems from a missing reference release on folios that the writeback batch holds but removes as unsuitable, gradually pinning pages and exhausting kernel memory (CVSS 7.5, availability-only). No public exploit identified at time of analysis; EPSS is low at 0.16% (6th percentile), and it is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Page allocator corruption in the Linux kernel's AMD SEV-SNP guest driver (virt/sev-guest) affects confidential-computing guests running kernels from 6.14 onward. When a guest issues an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST), an untrusted host can return SNP_GUEST_VMM_ERR_INVALID_LEN with a length that does not match the original allocation; the cleanup path then frees pages using a host-controlled page order, corrupting the guest's page allocator. CVSS is 7.8 (local, high C/I/A), but EPSS is just 0.11% (2nd percentile), and there is no public exploit identified at time of analysis and no CISA KEV listing.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds memory access in the Linux kernel's libceph client (osdmap_decode) lets a malicious or compromised Ceph monitor/OSD send a corrupted OSD map whose max_osd field exceeds the actual message length, reading past the allocated buffer. The flaw affects kernels using the in-kernel Ceph client (RBD/CephFS) and is fixed across multiple stable branches. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile), consistent with a memory-safety bug requiring a hostile Ceph endpoint rather than broad internet exposure.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel's libceph (Ceph client) component allows a malicious or compromised Ceph peer to crash a connecting host during the CephX authentication handshake. The flaw lives in __ceph_x_decrypt(), which reads a ceph_x_encrypt_header (notably hdr->magic) from a decrypted buffer without first verifying the buffer is large enough - a FRAME_TAG_AUTH_REPLY_MORE frame carrying a ciphertext_len of 8 or fewer bytes triggers an out-of-bounds memory access. CVSS is 7.5 (availability-only); EPSS is low at 0.16% (6th percentile), there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local denial of service in the Linux kernel's Intel VT-d (iommu/vt-d) driver lets a privileged user crash the host by terminating a QEMU/VFIO guest, triggering a general-protection-fault oops. The flaw lives in domain_remove_dev_pasid(), which dereferences the global static blocked domain - a dummy iommu_domain with no backing dmar_domain - during PASID teardown on device reset. No public exploit is identified at time of analysis; EPSS is low (0.17%, 7th percentile) and it is not in CISA KEV.

Linux Canonical Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's IOMMU subsystem allows a local low-privileged actor with device-management access to corrupt kernel memory by racing a domain re-attach against an in-progress PCI device reset. The flaw lies in __iommu_group_set_domain_internal(), where the group->recovery_cnt fence wrongly rejected mandatory detach/teardown callers (IOMMU_SET_DOMAIN_MUST_SUCCEED), so group->domain could be freed while still referenced, and pci_dev_reset_iommu_done() could then re-attach the dangling pointer. EPSS is low at 0.16% (6th percentile) and there is no public exploit identified at time of analysis, but the high CVSS (8.8) reflects full kernel-memory confidentiality, integrity, and availability impact.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's Intel Xe DRM graphics driver (drm/xe) arises from a use-after-free in the dma-buf import path, where an error-handling retry loop operates on a buffer object (bo) that has already been freed. Affecting kernel 6.18 series before the 6.18.33 stable fix, a local low-privileged user with access to the Xe DRM device can trigger the freed-object access to corrupt kernel memory or leak data. There is no public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile), consistent with a local-only, driver-specific bug rather than mass-exploited remote flaw.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Fix ttm_bo_shrink() infinite LRU walk on backup failure Apply the same fix as b2ed01e7ad ("drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure") to the ttm_bo_shrink() path. Move del_bulk_move from before the backup to after success only, using ttm_resource_del_bulk_move_unevictable() since the resource is now unevictable once fully backed up.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and memory corruption is possible in the Linux kernel's QRTR (Qualcomm IPC Router) networking subsystem (net/qrtr/af_qrtr.c), where qrtr_port_remove() decrements a socket's reference count via __sock_put() before erasing the port from the qrtr_ports XArray and before the RCU grace period elapses, violating the RCU update ordering. A concurrent RCU reader (qrtr_reset_ports() or qrtr_port_lookup()) can retrieve the socket and call sock_hold() on an object whose refcount has already reached zero, producing refcount saturation and a use-after-free. The issue was reproduced by syzkaller fuzzing; it carries a CVSS of 7.8 (AV:L), EPSS is low at 0.18% (8th percentile), it is not on CISA KEV, and no public exploit identified at time of analysis.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

Jenkins Information Disclosure Jenkins Fitnesse Plugin
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Jenkins Bitbucket Push and Pull Request Plugin versions 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for all outbound Bearer token authenticated requests to configured Bitbucket Server endpoints, creating a man-in-the-middle exposure. Any attacker positioned to intercept network traffic on the path between the Jenkins controller and the Bitbucket Server can capture the Bearer token and subsequently authenticate directly to the Bitbucket Server API. No public exploit is identified at time of analysis, and SSVC rates exploitation as none with partial technical impact; however, the token capture risk is non-trivial for deployments routing Jenkins traffic over untrusted or shared network segments.

Jenkins Information Disclosure Jenkins Bitbucket Push And Pull Request Plugin
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Jenkins Job Configuration History Plugin version 1356.ve360da_6c523a_ and earlier exposes encrypted secret values to any Jenkins user holding Extended Read permission by failing to apply Jenkins' standard secret redaction when rendering historical job and agent configurations. Encrypted credential values that Jenkins would normally mask are displayed in full within the plugin's history view, potentially enabling offline analysis of those values. No public exploit or active exploitation has been identified; SSVC rates this as non-automatable with partial technical impact.

Jenkins Information Disclosure Jenkins Job Configuration History Plugin
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps.

Jenkins Information Disclosure Jenkins Pipeline
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.

Jenkins Information Disclosure Jenkins Script Security Plugin
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Out-of-bounds read in ImageMagick's ConnectedComponentsImage() function allows local attackers to trigger access violations by supplying malformed connected-components artifact definitions via the CLI, leading to denial of service or potential arbitrary code execution. All ImageMagick releases before 7.1.2-19 are affected, as are Magick.NET NuGet packages before 14.12.0. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the RCE and information-disclosure tags warrant attention in environments that process untrusted image inputs through automated pipelines.

Denial Of Service RCE Buffer Overflow +4
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated app enumeration in Capgo before 12.128.2 allows remote attackers to determine whether specific app_ids exist across all tenants by querying the exposed exist_app_v2 RPC endpoint without credentials. The root cause is a PostgreSQL SECURITY DEFINER function that executes with elevated owner privileges, bypassing row-level security policies and enabling cross-tenant information disclosure via the PostgREST API at POST /rest/v1/rpc/exist_app_v2. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code is identified at time of analysis, though the attack requires no authentication and trivial HTTP tooling.

Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 5.6
MEDIUM PATCH This Month

Flowise versions up to and including 3.0.12 hash passwords using bcrypt with a default cost factor of 5 rounds - yielding only 32 iterations versus the OWASP-recommended minimum of 1,024 at 10 rounds - making stored password hashes approximately 30 times faster to crack with modern GPU hardware. All deployments where the PASSWORD_SALT_HASH_ROUNDS environment variable has not been manually overridden to 10 or higher are affected, which represents the majority of real-world installs since defaults predominate. In a database breach scenario, an attacker who obtains the hash table can leverage GPU-accelerated tools to recover plaintext passwords at roughly 300,000 attempts per second versus ~10,000 at the recommended work factor; no public exploit identified at time of analysis.

Information Disclosure Flowise
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Two-factor authentication bypass in Capgo before 12.128.2 allows an authenticated admin who has not completed 2FA enrollment to perform privileged organization management actions by replaying or modifying captured API requests. The flaw stems from 2FA being enforced exclusively in the frontend UI while the backend ORG management endpoints accept requests without verifying 2FA completion. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Webhook signing secret disclosure in Capgo prior to 12.128.2 allows authenticated holders of non-admin API keys to read the webhook signing secret directly from the Supabase REST-exposed webhooks table because row-level security policies are too permissive. Once obtained, the secret lets the attacker forge valid X-Capgo-Signature headers and submit spoofed webhook events to any configured receiver, undermining webhook authenticity and integrity. No public exploit identified at time of analysis.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Unauthorized file attribute modification in the Linux kernel's ksmbd SMB server allows authenticated SMB clients to invoke FSCTL_SET_SPARSE and alter a file's sparse xattr without required permissions, bypassing both share-level and per-handle access controls. Two distinct authorization gaps exist: clients on read-only shares can issue the control code because fsctl_set_sparse() omits the KSMBD_TREE_CONN_FLAG_WRITABLE check that other FSCTL write operations enforce, and clients on writable shares with insufficient handle rights (lacking FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES) can modify the attribute because per-handle checks are entirely absent. No active exploitation is confirmed - the vulnerability is absent from CISA KEV and carries an EPSS of 0.22% (12th percentile) - but the exposure surface is any network-reachable ksmbd deployment serving untrusted SMB clients.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel netfilter netdev logger (nf_log_syslog) lets a local low-privileged attacker leak adjacent slab memory into the kernel log and potentially crash the system. The flaw is in dump_mac_header(), whose fallback path tests skb->mac_header != skb->network_header but omits skb_mac_header_was_set(); an unset MAC header (value 0xffff) passes the check and causes a read ~64 KiB past the skb buffer. Fixed in stable kernels (e.g., 6.18.36, 6.12.94, 6.6.143, 6.1.176, 5.15.210, 7.0.13/7.1); no public exploit identified at time of analysis and EPSS is low at 0.17%.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel stack memory disclosure in the Linux TUN driver exposes 14 bytes of uninitialized stack data to unprivileged local users on every read of a non-tunnel packet. The flaw affects Linux systems where a local user can open a TUN device and issue the TUNSETVNETHDRSZ ioctl to set the vnet header size to 24 bytes. No public exploit or active exploitation has been identified; EPSS is 0.15% (5th percentile), consistent with a local-only information disclosure requiring deliberate TUN device configuration.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stack information disclosure in the Linux kernel's tap/macvtap driver exposes 8 bytes of uninitialized kernel stack contents to local users via the SIOCGIFHWADDR ioctl, leaking kernel .text and direct-map pointers that defeat KASLR. The affected code path in tap_ioctl() copies a 16-byte sockaddr_storage to userspace while netif_get_mac_address() initializes only 8 bytes (sa_family plus 6-byte Ethernet address), leaving the trailing 8 bytes unread. No public exploit is identified at time of analysis and EPSS sits at 0.15% (5th percentile), but KASLR bypass primitives of this type are routinely chained with local privilege-escalation exploits to gain kernel code-execution. NOTE: The provided CVSS vector (C:N/I:N/A:H) appears to misclassify this vulnerability - confidentiality is the impacted property, not availability; the assessed vector below corrects this.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

CPU stall vulnerability in the Linux kernel jitterentropy subsystem allows local low-privileged users to trigger prolonged non-preemptible spinlock holds by spawning concurrent entropy requests through jent_kcapi_random(), which holds a spinlock across expensive SHA3 conditioning and jitter collection. Systems running kernel versions from approximately 4.2 through pre-fix stable branches face entropy starvation and CPU busy-wait degradation under parallel getrandom() load. No public exploit identified at time of analysis; EPSS is 0.16% at the 5th percentile and no CISA KEV listing applies, making this a low-urgency, operator-pace patch for most deployments.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Kernel heap memory corruption affects the batman-adv (B.A.T.M.A.N. Advanced) mesh routing subsystem of the Linux kernel, where a u16 accumulator in batadv_tvlv_container_list_size() can wrap around when the total size of registered TVLV containers exceeds 65535 bytes, leading to an undersized allocation and a subsequent out-of-bounds memcpy write in batadv_tvlv_container_ogm_append(). An attacker positioned on the mesh able to drive TVLV container accumulation past U16_MAX can corrupt adjacent kernel memory, risking denial of service or potential code execution. This is no public exploit identified at time of analysis, EPSS exploitation probability is low (0.16%), and it is not listed in CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Memory leak in the Linux kernel's xfrm IPComp (IP Payload Compression) code allows resource exhaustion because the destination scatter-gather page list is not freed when an asynchronous compression (acomp) operation fails. Affecting Linux 6.15 through the fixed stable releases, the flaw lets repeated compression errors progressively consume kernel memory, with CVSS scoring only availability impact (A:H). There is no public exploit identified at time of analysis and EPSS is low at 0.15%.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use of uninitialized sender variables in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh networking module allows a malicious mesh peer to trigger undefined behavior on a node acting as a tp_meter receiver. When such a node receives a crafted ACK packet, batadv_tp_recv_ack() and batadv_tp_stop() execute sender-only code paths that read tp_vars members never initialized for the receiver role, potentially leaking memory contents or crashing the kernel. No public exploit identified at time of analysis; EPSS probability is low (0.17%, 6th percentile) and the issue is not in CISA KEV, but a vendor patch is available across multiple stable trees.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Race condition in the Linux kernel's System V IPC shared memory subsystem allows a local low-privileged attacker to crash the kernel. The `shm_destroy_orphaned()` cleanup path evaluates whether an orphaned segment is safe to destroy by checking `shm_nattch` without holding `shm_perm.lock`, while the attach/detach paths update that counter independently of `shm_ids(ns).rwsem`, creating a window where a still-attached segment is erroneously destroyed. The EPSS score is 0.17% (6th percentile) and no KEV listing or public exploit exists, placing this firmly in the routine-patching tier rather than emergency response.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Availability disruption in the Linux kernel's AF_UNIX socket subsystem allows a local low-privileged user to trigger an unhandled code path by issuing a SIOCATMARK ioctl on non-stream (SOCK_DGRAM or SOCK_SEQPACKET) AF_UNIX sockets, which the kernel incorrectly permits to proceed into receive-queue inspection logic intended only for SOCK_STREAM. The flaw stems from a logic inconsistency: while SOCK_DGRAM and SOCK_SEQPACKET already reject MSG_OOB in sendmsg()/recvmsg(), the SIOCATMARK ioctl handler lacked the corresponding guard, creating an exploitable divergence. No public exploit or CISA KEV listing exists; EPSS at 0.16% (5th percentile) reflects a very low real-world exploitation probability.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel ebtables 32-bit compat layer (compat_mtw_from_user) lets a local low-privileged user holding CAP_NET_ADMIN trigger KASAN-detected OOB reads by supplying an undersized match_size/target_size for an extension whose ->compat_from_user() callback assumes it can read compatsize bytes. It affects Linux from 2.6.34 through builds before the fix and is resolved upstream across all maintained stable branches; no public exploit is identified at time of analysis and EPSS is low (0.16%, 6th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stale gateway pointer in the Linux kernel's batman-adv mesh networking subsystem causes availability failures during mesh teardown and recreation. The batman-adv gateway cleanup function `batadv_gw_node_free()` frees gateway list entries without clearing `bat_priv->gw.curr_gw`, leaving a dangling reference that persists across cleanup and breaks subsequent mesh recreation attempts. No public exploit exists and EPSS sits at 0.16% (6th percentile), indicating negligible opportunistic exploitation interest at time of analysis.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and information disclosure in the Linux kernel's SysV IPC subsystem stems from an unbounded ID allocation in ipc_idr_alloc() along the checkpoint/restore (CRIU) path, where a user-supplied next_id can spill past the valid ipc_mni range. Because removal truncates the index via ipcid_to_idx(), a high-index object can be freed while its real IDR slot dangles, so a subsequent /proc/sysvipc/shm walk dereferences freed memory - a use-after-free. No public exploit identified at time of analysis; EPSS is low at 0.17% (6th percentile) and the issue is not on CISA KEV.

Linux Information Disclosure Checkpoint
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Incorrect strict-mode policy matching in the Linux kernel's netfilter xt_policy module causes multi-element inbound IPsec policy rules to be evaluated in the wrong order, so packets can be matched against the wrong transform descriptor. On systems that filter inbound traffic with iptables/nftables 'policy' matches in strict mode using multiple policy elements, this can let traffic that should be rejected satisfy the rule (or legitimate IPsec traffic fail it), undermining the intended firewall/IPsec enforcement. There is no public exploit identified at time of analysis and EPSS is low (0.16%, 6th percentile); the issue has been resolved upstream with stable patches available.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation via use-after-free in the Linux kernel's batman-adv (B.A.T.M.A.N. advanced) mesh networking module allows a local low-privileged user to crash or potentially gain code execution by triggering a tp_meter counter underflow during interface shutdown. Concurrent shutdown paths (timeout, user cancel, normal finish) each decrement the 'sending' atomic counter, underflowing it to -1, which traps the sender kthread in an infinite loop and produces a use-after-free when the mesh interface is removed while the zombie thread still runs. No public exploit identified at time of analysis, and EPSS is low at 0.16%; a vendor patch is available across multiple stable trees.

Linux Information Disclosure Integer Overflow
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in the Linux kernel Bluetooth subsystem allows a crafted sequence of socket polling and connection teardown to dereference a freed sock structure, because bt_sock_poll() walks the per-socket accept queue without synchronization while a concurrent child teardown unlinks the same socket and drops its last reference. The flaw has existed since the original Bluetooth import and affects effectively all kernel versions until the fixed stable releases; EPSS is low (0.18%, 7th percentile) and there is no public exploit identified at time of analysis. Successful exploitation of the freed-object access can corrupt kernel memory, enabling denial of service and potentially privilege escalation.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel's SCTP sock_diag subsystem allows a local attacker to disclose adjacent kernel memory and potentially crash the system by racing a diag dump against association teardown. The exact sock_diag lookup (dump_one path) can hold a transport reference, block on lock_sock(), and resume after sctp_association_free() has reaped the association and freed its bind-address list, causing inet_diag_msg_sctpasoc_fill() to dereference an emptied bind-address list as a valid sctp_sockaddr_entry. CVSS is 7.1 (local, high confidentiality and availability impact); EPSS is low (0.18%, 7th percentile), there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stack exhaustion in the Linux kernel batman-adv mesh networking subsystem allows an attacker on the same batman-adv mesh to crash the kernel by sending matryoshka-nested BATADV_UNICAST_FRAG packets. The reassembled payload's packet type is not validated before re-processing, enabling unbounded recursion in batadv_batman_skb_recv() that exhausts kernel stack and causes a hard system crash. No active exploitation is recorded in CISA KEV and EPSS sits at 0.18% (7th percentile), making this a targeted DoS risk limited to environments running batman-adv mesh networking.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.7
HIGH POC PATCH This Week

Sensitive information disclosure in the premium Cornerstone page builder (bundled with the X theme) versions 3.0.0 through 7.8.7 allows any authenticated WordPress user to extract raw password hashes and other private user metadata. The CSS-preview request handler fails to enforce capability checks while exposing its required nonce on every wp-admin page, and publicly available exploit code exists per WPScan, though no active exploitation has been reported.

WordPress Information Disclosure Cornerstone
NVD WPScan VulDB
EPSS 0% CVSS 7.7
HIGH POC PATCH This Week

Authenticated information disclosure in the premium Cornerstone page builder (bundled with the X WordPress theme) before version 7.8.9 allows any logged-in user to enumerate other users' metadata via an unprotected REST API route. Disclosed data includes roles, session token previews, and stored billing/shipping fields, enabling account targeting and potential session abuse. Publicly available exploit code exists per WPScan, though there is no public exploit identified as actively used in the wild and the issue is not listed in CISA KEV.

WordPress Information Disclosure Cornerstone
NVD WPScan VulDB
EPSS 0% CVSS 2.7
LOW POC PATCH Monitor

Insufficient REST API authorization in the Site Kit by Google WordPress plugin before version 1.176.0 permits users with dashboard sharing access - such as those granted the Editor role - to write to a site-wide settings endpoint that should be restricted to administrators. The integrity impact is confined to plugin-level configuration, but the flaw is significant because dashboard sharing is commonly granted to non-admin contributors on multi-author sites. A publicly available proof-of-concept exists per WPScan; exploitation probability remains very low (EPSS 0.13%, 3rd percentile) and the vulnerability is not listed in the CISA KEV catalog.

WordPress Information Disclosure Google +1
NVD WPScan VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Multiple Shapedsmart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 Pro smart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 were distributed with malicious code through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage payload that exfiltrates credentials and other sensitive data and grants full control of affected sites.

Information Disclosure WordPress Smart Post Show Pro +2
NVD WPScan VulDB GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Information disclosure in the WP Forms Connector WordPress plugin (versions through 1.8) allows unauthenticated remote attackers to retrieve any user's password hash and email address via the wp/v3/user/list/<id> REST route. The endpoint's permission_callback is hard-coded to __return_true and the bespoke auth check verifies only that the Username header maps to an administrator (typically 'admin') without ever calling wp_check_password() to validate the supplied Password header. No public exploit identified at time of analysis, but the trivial nature of the bypass and the exposure of user_pass hashes make this a credible account-takeover vector.

Information Disclosure Authentication Bypass WordPress +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated mass PII harvesting is possible on any WordPress site running the WhatsOrder - Instant Checkout for WooCommerce plugin (all versions through 1.0.1) because the plugin writes customer invoice HTML files to a publicly accessible directory with no access restrictions. The `yapacdev_generate_order_pdf` function deposits invoices under `wp-content/uploads/whatsorder_invoices/` without generating an `.htaccess` deny rule or `index.php` guard, and because WooCommerce uses predictable sequential order IDs, any remote attacker can enumerate and download every customer invoice with no authentication. Exposed data includes full name, email, phone number, billing address, itemized order contents with pricing, applied coupon codes, shipping method, and order total. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure PHP WordPress +1
NVD
Prev Page 21 of 741 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy