Information Disclosure
Monthly
Incorrect caching of AppArmor notification responses in Ubuntu Linux kernel versions 6.8, 7.17, and 7.0 stems from an uninitialized variable (CWE-457) in Ubuntu-specific AppArmor SAUCE patch code. An unprivileged local user can trigger this bug to corrupt the AppArmor notification response cache, producing a low-severity integrity impact. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; the CVSS score of 3.3 (Low) reflects its constrained local-only, limited-impact nature.
Ubuntu Linux kernel SAUCE patches (versions 6.8, 6.17, and 7.0) improperly validate the size of the name field in AppArmor notification responses, allowing a local low-privileged user to trigger handling of crafted responses with potential limited integrity impact. The vulnerability carries a CVSS score of 3.3 (Low) with a local attack vector, restricted to integrity effects only and no confidentiality or availability consequences. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV.
Privilege escalation in Capsule (the Kubernetes multi-tenancy operator) allows authenticated tenant owners to create cluster-scoped resources - including ClusterRole and ValidatingWebhookConfiguration - by embedding them in TenantResource RawItems, bypassing tenant isolation enforced by the platform. The Capsule Controller's default cluster-admin ClusterRoleBinding means it creates whatever resource it is instructed to process, and its attempt to namespace-scope the resource via obj.SetNamespace() is silently ignored by the Kubernetes API for cluster-scoped kinds. A working proof-of-concept is publicly documented in the GHSA advisory; no CISA KEV listing has been issued at time of analysis.
Namespace hijacking in Capsule (Kubernetes multi-tenancy operator) prior to v0.13.0 allows an authenticated tenant administrator to reassign any namespace to their own tenant by patching it through the namespace/status or namespace/finalize subresource APIs, which bypass Capsule's ValidatingWebhookConfiguration enforcement entirely. The webhook intercepts direct namespace modifications but omits these subresource paths, leaving a gap that an attacker with explicitly delegated RBAC permissions can exploit with a single PATCH request. A complete, working proof-of-concept is publicly available in the GitHub Security Advisory GHSA-2ww6-hf35-mfjm; no CISA KEV listing was identified, indicating no confirmed widespread active exploitation at time of analysis.
Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthenticated attackers to continue using stolen or revoked JWTs indefinitely via the OAuth token exchange endpoint. The GetTokenExchangeToken() function validates JWT signatures but never checks the Token table for revocation status, breaking a core security guarantee of the identity provider. EPSS exploitation probability is currently very low (0.02%, 5th percentile) and no public exploit is identified, though the 9.8 CVSS reflects the high impact on authentication boundaries.
Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by supplying unverified email claims from upstream identity providers. The getExistUserByBindingRule function matches users solely by email address without validating the email_verified claim, enabling cross-IdP account compromise. No public exploit identified at time of analysis, and EPSS rates exploitation probability at 0.02% (5th percentile), but the CVSS 9.1 reflects the severe identity-layer impact.
Credential exposure in Tigera Calico's Azure IPAM integration causes ServiceAccount tokens, client keys, and certificate authority data to be written in plaintext to a node-local log file on every pod scheduling and termination event. Affected deployments include Calico, Calico Enterprise, and Calico Cloud when the Azure IPAM plugin is in use with token-based Kubernetes authentication. Any low-privileged principal able to read /var/log/calico/cni/cni.log on an affected node can extract these credentials and leverage them for cluster-wide Calico networking administration. No public exploit code has been identified at time of analysis and CISA KEV listing is absent, but the sensitive nature of the exposed material - full Kubernetes auth credentials - makes this a meaningful lateral movement and privilege escalation risk within affected Azure-hosted Kubernetes clusters.
Credential disclosure in Tigera Calico's calicoctl CLI exposes cluster-access secrets through verbose logging output. When operators run calicoctl with --log-level=info or --log-level=debug, the tool serializes its entire connection-configuration struct (including bearer tokens, etcd passwords, and inline PEM client certificates/keys) to stderr in a single log line, making them harvestable by anyone with access to CI logs, terminal recordings, or support transcripts. The issue is patched upstream but no public exploit is identified at time of analysis; default panic-level logging means standard deployments are not exposed.
Calico's install-cni init container leaks live Kubernetes ServiceAccount bearer tokens into pod logs when Canal/Flannel-Calico deployments use the __SERVICEACCOUNT_TOKEN__ placeholder, making the credential readable by any authenticated user with pods/log permission in the calico-node namespace. The exposed token carries patch privileges on pods/status, creating a lateral movement path via annotation-based attacks against cluster workloads. This is a confirmed regression of TTA-2018-001 reported by Tigera; no public exploit has been identified at time of analysis, though upstream patches are available via GitHub.
Credential brute-forcing against TP-Link Archer C64 v1 routers is possible via an undocumented debug SSH service that shares credentials with the web admin interface but enforces no authentication rate-limiting. Adjacent attackers (same Wi-Fi or LAN segment) can iterate password guesses without lockout to recover the administrator password and take full control of the router. No public exploit identified at time of analysis; CVSS 4.0 base score is 8.7 (High) and a vendor patch is available.
IP restriction bypass in Hono's ip-restriction middleware (hono/ip-restriction) prior to version 4.12.21 allows unauthenticated remote attackers to circumvent configured deny and allow rules by submitting non-canonical IPv6 representations of restricted addresses. String equality comparison applied after only partial normalization means that compressed, explicit-zero, or hex-notation IPv4-mapped IPv6 forms of a listed address silently fail to match the normalized rule entry, causing enforcement to be skipped entirely. No public exploit has been identified at time of analysis, but the bypass requires only trivial reformatting of a standard IPv6 address, making it practically low-effort for any attacker aware of the flaw.
HTTP response header injection in Hono's cookie serialize() function allows unauthenticated remote attackers to inject arbitrary Set-Cookie attributes when an application passes user-controlled input into the sameSite or priority cookie options. All Hono releases prior to 4.12.21 are affected across every supported JavaScript runtime. No public exploit code exists at time of analysis, and the vulnerability is not listed in CISA KEV, though the low attack complexity and network-accessible vector make it exploitable wherever the affected code path is reachable by user-supplied data.
Path prefix stripping in Hono's app.mount() API exposes mounted sub-applications to incorrect routing due to a raw-vs-decoded URL path inconsistency, potentially allowing unauthenticated remote attackers to reach unintended endpoints and disclose protected information. All Hono versions prior to 4.12.21 are affected across every supported JavaScript runtime. No public exploit or CISA KEV listing exists at time of analysis; however, the CVSS vector AV:N/AC:L/PR:N/UI:N and the 'Information Disclosure / Request Smuggling' classification make this a meaningful priority for any deployment that relies on mount-prefix path logic for access segregation.
Unconstrained outbound JWKS requests in PyJWT's PyJWKClient.get_signing_key() allow unauthenticated remote attackers to amplify HTTP traffic toward a downstream JWKS endpoint by submitting JWTs carrying arbitrary, unrecognized kid values. All PyJWT versions prior to 2.13.0 are affected when the PyJWKClient class is used for signature verification. The availability impact is low (CVSS A:L) and exploitation success is gated on the upstream JWKS provider exhibiting rate limiting or transient failures; no public exploit code exists and this CVE does not appear in CISA KEV.
Denial-of-service via algorithmic complexity in pypdf before 6.12.0 allows an attacker who can supply a crafted PDF file to cause excessive processing time during cross-reference stream parsing. The vulnerability is triggered by crafting a PDF with /W [0 0 0] field values in a cross-reference stream combined with a large /Size value, which causes the library to perform unbounded iteration over zero-byte entries. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, any application that processes untrusted PDF input using pypdf is exposed.
Untrusted search path in Espressif's shared-github-dangerjs GitHub Action prior to 1.0.1 allows a fork pull request, when processed by a pull_request_target workflow, to substitute attacker-controlled binaries and Node.js modules for the action's own code. Exploitation yields code execution inside the action container with access to repository secrets and write-scoped GITHUB_TOKEN, with no public exploit identified at time of analysis.
Unauthenticated account takeover in phpMyFAQ before 4.1.3 allows remote attackers to forcibly reset any user's password by sending a PUT request to the /api/index.php/user/password/update endpoint with a valid username and email pair. The endpoint also leaks valid credentials through response code differentials (200 vs 409), enabling username/email enumeration before the reset. No public exploit identified at time of analysis, though a detailed PoC is published in the GHSA advisory.
Roundcube Webmail's HTML sanitizer fails to block loopback, localhost, RFC1918, link-local, and ULA addresses when rendering HTML email, even when the user has disabled remote content loading. An unauthenticated remote attacker (PR:N per CVSS) can send a crafted HTML email that - upon the victim previewing it - causes their browser to issue HTTP requests to internal or private-network services, enabling blind probing or interaction with local infrastructure. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis, though the changed scope (S:C in CVSS) reflects that impact extends to resources beyond Roundcube itself.
Weak default credential generation in the D-Link DWR-X1820 router exposes administrative access to adjacent-network attackers who can derive the device password from its IMEI number. All devices running firmware prior to 1.00B16CP are affected when users have not changed the factory-set password - a common real-world condition for consumer-grade routers. An attacker with knowledge of the IMEI-to-password derivation algorithm and physical or logical access to the IMEI (e.g., from the device label) can authenticate to the router admin interface without prior credentials. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Use-after-free in the Linux kernel SPI controller driver for Freescale MPC52xx (spi-mpc52xx) occurs when controller registration fails and the previously requested interrupts are not properly disabled or released, leaving dangling interrupt handlers tied to freed memory. Local users with the ability to load or interact with this SPI driver on affected systems could potentially trigger memory corruption or information disclosure. EPSS is 0.02% and there is no public exploit identified at time of analysis, but the issue is rated CVSS 7.8 due to high impact on confidentiality, integrity, and availability.
Local privilege escalation potential via use-after-free in Linux Kernel iris media driver affects kernels 6.18.16-6.18.31, 6.19.6-6.19.x, and 7.0 series prior to the fix commits. The flaw resides in iris_release_internal_buffers(), where session_release_buf() may free a buffer that the caller subsequently dereferences, a regression introduced by commit 1dabf00ee206. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but local low-privileged attackers on systems with the Qualcomm iris video accelerator driver could potentially leverage the freed-memory access.
Runtime PM reference count leak in the Linux kernel's OmniVision OV5647 camera sensor driver (media/i2c/ov5647) causes availability loss for systems equipped with this camera hardware. The s_ctrl function's handling of three V4L2 controls - AUTOGAIN, EXPOSURE_AUTO, and ANALOGUE_GAIN - returns early without invoking pm_runtime_put(), allowing unpaired runtime PM get/put calls to accumulate. A local user with access to the camera device node can trigger this imbalance repeatedly, exhausting the PM reference count and preventing the device from entering low-power states, ultimately making it unavailable. No public exploit has been identified; EPSS is 0.02% (5th percentile) and this vulnerability does not appear in CISA KEV.
Use-after-free risk in the Linux kernel's batman-adv BAT IV mesh routing implementation allows adjacent network attackers to potentially corrupt memory or disclose information by triggering stale originator pointer dereferences. The flaw affects neigh_node structures that cached an auxiliary originator pointer not owned by the neighbor state, which could dangle after purge handling. No public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.02%, but the CVSS 8.8 rating reflects high impact across confidentiality, integrity, and availability if triggered.
Availability impact in the Linux kernel's xbox_remote media/rc driver allows a local, low-privileged user with access to the affected device to crash the kernel via a DMA coherency violation. The IO buffer used for USB transfers is embedded directly within the device structure, which violates DMA coherency rules and can trigger memory corruption leading to kernel panic. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% reflects minimal observed exploitation activity. Vendor-released patches are available across multiple stable kernel branches.
Out-of-bounds read in the Linux kernel's HID PlayStation driver (dualshock4_parse_report) allows an adjacent attacker with a malicious or spoofed DualShock 4 controller to read up to ~2 KiB beyond the touch_reports array and have portions of that data emitted through evdev. The flaw stems from the driver trusting the device-supplied num_touch_reports field without bounds checking, enabling potential kernel memory disclosure and denial of service. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, but an upstream fix is available.
Reference counting failure in the Linux kernel's batman-adv Bridge Loop Avoidance (BLA) subsystem allows a local low-privileged user to cause a slow kernel memory leak and eventual denial of service. Specifically, batadv_bla_add_claim() omits the required batadv_backbone_gw_put() call on the error path when a claim hash insertion fails, preventing the backbone_gw object's reference count from ever reaching zero. The vulnerability has been present since at least kernel 4.7 and is patched across multiple stable branches; no public exploit exists and EPSS is extremely low at 0.02% (5th percentile), placing this firmly in the low-urgency tier except for environments actively running batman-adv with BLA.
Out-of-bounds read in the Linux kernel's AMD GPU VCN3 (Video Core Next, generation 3) decoder message parser allows a local low-privileged user to read kernel memory beyond the buffer object boundary and potentially trigger denial of service. The flaw was resolved by adding bounds checks against the end of the buffer object whenever the dec msg is accessed. EPSS is very low (0.02%, 6th percentile) and no public exploit has been identified at time of analysis.
Stale VRAM exposure in the Linux kernel's amdkfd driver (drm/amdkfd) allows local authenticated users to observe prior occupants' GPU memory contents and crash multi-GPU compute workloads. The KFD allocation path omitted the AMDGPU_GEM_CREATE_VRAM_CLEARED flag - present in every other userspace GEM allocation path - leaving freshly allocated VRAM buffers populated with data from previous processes. The primary documented availability impact is deterministic crashes in RCCL peer-to-peer transport when stale values corrupt the ptrExchange, head, and tail protocol fields; a secondary information-disclosure risk exists because stale page-table remnants are observable by unprivileged compute kernels. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile).
Memory leak in the Linux kernel's spi: ch341 USB-to-SPI driver allows a local user to degrade system availability by triggering driver unbind without physical device disconnection. The defect lies in incorrect devres (device-managed resource) lifetime scoping - resources are anchored to the parent USB device rather than the USB interface, so they are not released when the driver unbinds during events such as probe deferral or runtime configuration changes. No public exploit has been identified at time of analysis, and an EPSS score of 0.02% (4th percentile) indicates negligible exploitation probability in the near term.
Local privilege escalation in the Linux kernel SCTP subsystem allows unprivileged users to trigger a use-after-free or type confusion in the SCTP_SENDALL code path. The flaw stems from a stale iterator cursor in sctp_sendmsg() that survives across a dropped socket lock, and the type-confusion variant yields a controlled indirect call via outqueue.sched->init_sid. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the vendor description explicitly notes both bugs are reachable from CapEff=0.
Improper driver teardown ordering in the Linux kernel's Freescale (FSL) SPI controller driver allows a local low-privileged user to trigger a denial-of-service condition during driver unbind. The SPI controller is not deregistered before underlying resources such as DMA are released, creating a window where the controller may reference freed memory. No public exploit has been identified at time of analysis, and EPSS sits at 0.02% (5th percentile), reflecting low real-world exploitation probability.
Improper resource deregistration ordering in the Linux kernel's spi/rspi (Renesas SPI controller) driver causes a local denial-of-service condition during driver unbind. The rspi driver releases DMA resources before deregistering the SPI controller, creating a window where in-flight controller operations can reference freed memory, resulting in a kernel crash or panic. With CVSS availability impact rated High and EPSS at 0.02% (5th percentile), this is a low-probability but locally exploitable stability issue affecting systems with Renesas SPI hardware. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Memory leak in the Linux kernel's drm/xe Intel Xe GPU driver allows a local, low-privileged user to exhaust kernel memory by repeatedly triggering DMA buffer import failures, leading to denial of service. The bug resides in xe_dma_buf_init_obj(), where a pre-allocated buffer object (bo) is not freed when drm_gpuvm_resv_object_alloc() fails, due to ambiguous ownership semantics between the caller and callee on error paths. No public exploit exists and EPSS probability is extremely low at 0.02% (4th percentile), placing this in the maintenance-priority category rather than urgent remediation for most environments.
An A-A (same-task) deadlock in the Linux kernel cgroup rmdir path (versions 7.0 through 7.1-rc2 and 6.19.x) can permanently hang the entire system, requiring a hard reboot. When a process acting as both a PID namespace zombie reaper (e.g., systemd/PID 1) and the cgroup rmdir(2) caller encounters dying tasks still linked to cgroup csets, the kernel blocks the reaper indefinitely in TASK_UNINTERRUPTIBLE, creating a circular dependency from which the system cannot recover. No public exploit has been identified at time of analysis, EPSS exploitation probability is extremely low (0.02%), and no CISA KEV listing exists - consistent with the scenario's narrow, operationally specific triggering conditions.
Memory leak in the Linux kernel's EDAC/versalnet driver allows a local low-privileged user to gradually exhaust kernel heap memory, rated CVSS 5.5 with high availability impact. The flaw exists in init_one_mc() where a kzalloc()-allocated device name string becomes permanently unreachable after device_register() copies and nullifies the pointer, preventing any subsequent free on device removal. No public exploit identified at time of analysis; EPSS at 0.02% (4th percentile) confirms this is a low-exploitation-probability defect rather than an actively targeted vulnerability.
Use-after-free in the Linux kernel's MPC52xx SPI driver (spi-mpc52xx) can be triggered when the driver is unbound, because the interrupt-scheduled state machine work is not cancelled after interrupts are disabled. Local users with the ability to unbind the driver could potentially corrupt kernel memory, with confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Use-after-free in the Linux kernel's DRM (Direct Rendering Manager) GEM handle subsystem allows a local authenticated attacker to trigger memory corruption via a race condition in the change_handle ioctl. The flaw stems from a window where a single GEM object briefly held two IDR entries, letting a concurrent gem_close call dereference a dangling handle. No public exploit identified at time of analysis and EPSS exploitation probability is low (0.02%), but the CVSS 7.8 reflects full confidentiality, integrity, and availability impact on affected systems.
Denial-of-service via accept queue counter leak in the Linux kernel's vsock/virtio subsystem allows an authenticated local attacker to permanently exhaust a listener socket's backlog, causing it to reject all new connections. The flaw exists from kernel 5.5 onward in virtio_transport_recv_listen(), where sk_acceptq_added() is called before vsock_assign_transport() validation; failed transport assignments never call the paired sk_acceptq_removed(), permanently inflating sk_ack_backlog. No public exploit exists and EPSS is at the 5th percentile, but the impact in multi-tenant virtualized environments relying on vsock communication is a complete denial of vsock listener service.
Use-after-free in the Linux kernel's appletb-kbd HID driver allows local low-privileged users on Apple Touch Bar-equipped MacBooks to potentially trigger memory corruption during driver tear-down. The flaw stems from incorrect ordering of timer cleanup and device reference release in the inactivity-timer cleanup path, leaving two race windows where a softirq can dereference freed backlight_device memory. EPSS is very low (0.02%) and no public exploit identified at time of analysis; impact is limited to systems running the appletb-kbd driver, primarily Apple MacBook Pro hardware with Touch Bars.
Use-after-free in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh networking module's bridge loop avoidance (BLA) subsystem allows adjacent attackers on the same Layer-2 segment to potentially trigger memory corruption when claim entries are deleted. The flaw, with a CVSS of 8.8 (AV:A/AC:L/PR:N/UI:N), exists in batadv_bla_del_backbone_claims() where a claim reference may be released before its final use, enabling exploitation by anyone able to inject mesh traffic. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but upstream fixes have been released across multiple stable kernel branches.
Local privilege escalation and memory corruption in the Linux kernel's iris media driver allows local users with low privileges to trigger a use-after-free condition via concurrent access during Macro Blocks Per Frame (MBPF) checks. The flaw affects Linux kernel 6.18 and stems from improper lock ordering where fmt_src and fmt_dst structures are freed under inst->lock while the instance remains in the core list traversed under core->lock. EPSS is very low at 0.02% (5th percentile) and no public exploit identified at time of analysis, but the high CVSS score reflects severe local impact.
Use-after-free / race condition in the Linux kernel's batman-adv mesh networking module allows a local low-privileged attacker to trigger memory corruption by exploiting unsynchronized tp_meter sessions during mesh interface teardown. The flaw stems from batadv_mesh_free() not draining active tp_meter sessions before shutdown, letting sender threads or late-arriving packets operate on a destroyed mesh instance. No public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.02%.
Uninitialized socket buffer data exposure in the Linux kernel's vsock/virtio transport layer (6.7 and later) corrupts vsockmon tap monitoring output when non-linear skbs are in use. The `virtio_transport_copy_nonlinear_skb()` function constructs an `iov_iter` without setting `iov_iter.count`, causing zero-length copies that leave skb payloads uninitialized on the monitor interface - potentially exposing stale kernel memory to vsockmon consumers. Patched stable releases 6.12.90, 6.18.32, and 7.0.9 are available; no public exploit exists and EPSS stands at 0.02% (5th percentile), placing real-world exploitation risk very low but warranting attention in environments actively using vsockmon debugging.
Local privilege escalation risk in the Linux kernel's batman-adv mesh networking module allows authenticated local users to trigger memory corruption by initiating new tp_meter throughput measurement sessions during mesh teardown. The flaw exists because the tp_meter subsystem failed to reject new sender/receiver sessions after mesh_state transitioned out of BATADV_MESH_ACTIVE, creating a race condition during module shutdown. No public exploit identified at time of analysis, and EPSS exploitation probability is extremely low at 0.02%.
Local privilege escalation risk in the Linux kernel's atomisp staging media driver allows authenticated low-privileged users to potentially abuse private IOCTLs that were not adequately validated. The upstream fix disables all private IOCTLs in the atomisp driver by returning early when the command is non-zero. EPSS is very low at 0.02% (5th percentile) and no public exploit identified at time of analysis, indicating limited real-world exploitation interest.
Out-of-bounds read in the Linux kernel's AMD GPU VCN4 (Video Core Next) driver allows a local user with GPU access to trigger memory disclosure or denial of service by submitting a crafted indirect buffer (IB) to the amdgpu DRM subsystem. The flaw stems from missing bounds checks while parsing IBs in the drm/amdgpu/vcn4 code path, and no public exploit identified at time of analysis. EPSS exploitation probability is very low (0.02%) and the issue is not listed in CISA KEV.
Unclocked register access in the Linux kernel's Cadence Quadspi SPI controller driver (spi-cadence-quadspi) occurs during driver unbind, affecting kernel versions through 7.0.x and 7.1-rc1. A local low-privileged user able to trigger driver unbind can cause high-impact confidentiality loss and denial of service on systems using affected SPI hardware. There is no public exploit identified at time of analysis and EPSS rates exploitation probability at just 0.02%.
Kernel crash (denial of service) in the Linux kernel's hid-appletb-kbd driver results from calling a mutex-acquiring function from softirq and IRQ atomic contexts on Apple Touch Bar MacBooks running Linux. Authenticated local attackers with low privileges can trigger a kernel BUG by inducing Touch Bar inactivity or generating HID events that exercise the broken brightness-reset path, crashing the system. No public exploit has been identified and EPSS is 0.02% (4th percentile), reflecting the niche hardware requirement; patches are available in kernel versions 6.18.32, 7.0.9, and 7.1-rc4.
Local privilege-context resource leak in the Linux kernel's Intel Xe DRM driver allows a local user with GPU access to exhaust dma-buf attachments by repeatedly triggering the failure path in xe_gem_prime_import(). The flaw, addressed across multiple stable trees (6.12.90, 7.0.9, 6.18.32, 7.1-rc2), causes a dma-buf attachment to remain attached when xe_dma_buf_init_obj() fails, producing a kernel-side memory and reference leak. EPSS is 0.02% and the issue is not on the CISA KEV list; no public exploit identified at time of analysis.
Denial-of-service via improper resource teardown ordering in the Linux kernel's MPC52xx SPI controller driver (spi/mpc52xx) affects systems running PowerPC-based embedded hardware. During driver unbind, the SPI controller was deregistered after - rather than before - disabling underlying resources such as interrupts and GPIOs, creating a window where the kernel could access freed or disabled resources and trigger a system crash. No public exploit has been identified at time of analysis, and with an EPSS of 0.02% (5th percentile), real-world exploitation is assessed as very low probability.
Out-of-bounds read in the AMD GPU VCN4 (Video Core Next, 4th generation) decoder message parser of the Linux kernel allows a local low-privileged user to read kernel memory beyond the decoder message buffer object, potentially leading to information disclosure and denial of service. The flaw exists in the drm/amdgpu/vcn4 driver where bounds against the end of the buffer object (BO) were not validated when parsing decoder messages. No public exploit identified at time of analysis and EPSS scores the exploitation probability at just 0.02% (6th percentile), but a vendor patch is available across multiple stable branches.
Persistent availability degradation in the Linux kernel tracepoint subsystem results from an unbalanced regfunc()/unregfunc() pair when tracepoint_add_func() fails mid-registration. When func_add() returns an error (such as -ENOMEM) after regfunc() has already executed, ext->unregfunc() is never called, leaving side effects permanently in place - for syscall tracepoints, this sticks sys_tracepoint_refcount at a non-zero value and keeps SYSCALL_TRACEPOINT set on every running task, imposing unnecessary syscall trace entry/exit overhead on all processes until reboot. No public exploit identified at time of analysis and EPSS is 0.02% (5th percentile), indicating this is a low-probability exploitation target, though it is a confirmed kernel-quality bug with patches issued across multiple stable branches.
Kernel panic via race condition in the f2fs filesystem extent node management affects Linux kernel across multiple stable branches. When f2fs_destroy_extent_node() is invoked from f2fs_drop_inode() with I_SYNC set, a concurrent kworker writeback thread can insert new extent nodes into the same extent tree between lock releases, causing node_cnt to become non-zero upon loop exit and triggering f2fs_bug_on() - a deliberate kernel assertion failure resulting in a system crash. A secondary gap leaves EX_BLOCK_AGE extent tree updates completely unprotected by the FI_NO_EXTENT flag check, compounding the race surface. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile), indicating low exploitation probability in the near term.
The xfrm AH (Authentication Header) subsystem in the Linux kernel miscalculates ICV buffer offsets during asynchronous callback processing when Extended Sequence Numbers (ESN) are enabled, resulting in 100% packet loss on affected IPsec AH tunnels. Systems running AH with ESN and an async HMAC implementation (confirmed in developer-provided UML repro with forced-async hmac(sha1)) on both IPv4 and IPv6 paths are affected across multiple stable kernel branches going back to the commit introducing ESN async support. No public exploit exists and EPSS sits at 0.02% (5th percentile), reflecting a correctness defect with no exploitation interest rather than a broad attack surface; patch versions are confirmed across six stable branches.
Denial of service in the Linux kernel's Microchip Core QSPI driver corrupts SPI transfers on systems using this controller. The spi-microchip-core-qspi driver incorrectly attempts to transmit garbage data during emulated read-only dual/quad SPI operations - a protocol violation, since QSPI lacks a dedicated MOSI line and the core hardware is expected to generate read clock cycles autonomously. The result is a bricked (permanently failed) SPI transfer, causing availability loss for any kernel component or userspace process depending on that SPI bus. No public exploit exists and EPSS probability is 0.02%, consistent with a hardware-specific, locally-triggered driver defect.
Out-of-bounds read in the Linux kernel's framebuffer console (fbcon) subsystem allows a local low-privileged attacker to access kernel memory beyond the font buffer when console rotation is enabled and font reallocation fails. The flaw resides in fbcon_rotate_font() which retains the undersized old buffer after a failed reallocation, so printing characters with high-enough codes overflows the font buffer during putcs operations. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%), but the issue is patched across multiple stable kernel branches.
Out-of-bounds read in the Linux kernel's SPI-NOR flash debugfs interface (spi_nor_params_show) allows local authenticated users with debugfs access to trigger memory disclosure or denial of service on 64-bit systems. The flaw stems from sizeof() being used on a pointer array instead of ARRAY_SIZE(), inflating the bounds-check length by 8x. No public exploit identified at time of analysis and EPSS rates exploitation likelihood at 0.02%.
Double-free memory corruption in the Linux kernel's vmw_pvrdma (VMware Paravirtual RDMA) driver allows local authenticated users to corrupt kernel memory and potentially escalate privileges. The flaw occurs in the pvrdma_alloc_ucontext() error path where pvrdma_uar_free() is invoked twice - once explicitly and again via pvrdma_dealloc_ucontext(). No public exploit identified at time of analysis, and EPSS (0.02%) indicates very low near-term exploitation probability.
Use-after-free in the Linux kernel's RSI (Redpine Signals) WiFi driver allows a local low-privileged attacker to crash the kernel by exploiting a race condition between kthread self-exit and external stop operations. When `kthread_complete_and_exit` races ahead of `kthread_stop`, the already-freed task struct is dereferenced, causing a kernel denial of service. No public exploit has been identified and EPSS sits at 0.02% (5th percentile), reflecting very low real-world exploitation probability; the vulnerability is not listed in CISA KEV.
Uninitialized memory read in Linux kernel's Bluetooth virtio_bt driver allows a malicious or compromised virtio backend to trigger kernel DoS and potential information disclosure against guest VMs. The driver's virtbt_rx_handle() function fails to validate that received RX socket buffers contain sufficient bytes to cover the fixed HCI header for the declared packet type before forwarding to hci_recv_frame(). A backend-supplied one-byte completion with type HCI_ACLDATA_PKT causes the ACL classification path in hci_dev_classify_pkt_type() to dereference hci_acl_hdr(skb)->handle on an empty buffer when the HCI device holds an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with a kernel subsystem bug requiring privileged backend access in a virtualized environment.
Out-of-bounds read in the Linux kernel's SMB client (smb/client) symlink handling allows a malicious or compromised SMB server to trigger memory disclosure or denial-of-service against Linux clients that mount SMB shares. The flaw resides in symlink_data() where smb2_check_message() does not validate response length before fields beyond the 64-byte SMB2 header are accessed. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, though upstream kernel fixes have already been merged across multiple stable branches.
Use-after-free in the Linux kernel's DAMON (Data Access MONitor) sysfs-schemes interface allows local users with sysfs access to read freed memory by racing concurrent reads and writes of the quota goal 'path' file across separate file descriptors. EPSS is 0.02% and no public exploit identified at time of analysis, but the CVSS 7.8 reflects full CIA impact if a local attacker can win the race.
Kernel stack memory disclosure in the Linux kernel's pseries/papr-hvpipe driver exposes up to 43 bytes of uninitialized stack data to unprivileged local users on IBM Power (pseries) systems. The `struct papr_hvpipe_hdr` reserved padding fields (`reserved[3]` and `reserved2[40]`) are never zeroed before `copy_to_user()` copies the full structure to userspace, allowing a local attacker to harvest stale kernel stack contents - potentially including ASLR offsets or residual cryptographic material. No public exploit exists and no CISA KEV listing applies; EPSS at 0.02% (4th percentile) reflects low exploitation probability consistent with the narrow pseries-only deployment scope. Vendor-released patches are confirmed in stable branches 6.18.30, 7.0.7, and 7.1-rc3.
Local privilege escalation risk in the Linux kernel's brcmfmac Broadcom FullMAC Wi-Fi driver stems from a use-after-free in the watchdog kthread teardown path, where the watchdog task can exit between send_sig() and kthread_stop(), leaving stale memory accessible. Successful exploitation by a local low-privileged attacker who can trigger driver teardown could yield kernel memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis and EPSS is very low (0.02%), suggesting limited near-term exploitation interest.
Divide-by-zero in the Linux kernel ASoC SOF compressed audio subsystem allows a low-privileged local user to crash the kernel by querying stream pointer position before stream parameters are configured. Affected are Linux kernel stable branches 6.6 through 7.0 (pre-patch), all running on hardware with SOF audio drivers loaded. No active exploitation has been confirmed - EPSS sits at 0.02% (5th percentile) and the vulnerability is absent from CISA KEV - making this a medium-severity availability risk relevant primarily to multi-user desktop and embedded audio platforms.
Resource leak in the Linux kernel's RDMA/mlx4 InfiniBand driver allows local authenticated users to trigger kernel memory exhaustion when mlx4_ib_create_srq() fails, because mlx4_srq_alloc() is not properly undone via mlx4_srq_free() during error unwind. CVSS 7.8 (AV:L/AC:L/PR:L) reflects local privileged access required, and EPSS is very low at 0.02% (5th percentile), with no public exploit identified at time of analysis. The fix has been merged upstream and backported across multiple stable trees, indicating broad downstream exposure on systems using Mellanox ConnectX HCAs.
Denial of service in the Linux kernel IPMI driver allows a malicious or buggy BMC (Baseboard Management Controller) to indefinitely stall the driver by never signaling completion on event/message fetches or by keeping the attention (attn) bit asserted. The CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/C:N/I:N/A:H) score reflects pure availability impact, and the issue has existed since the IPMI driver's inception; no public exploit identified at time of analysis and EPSS is 0.02% (5th percentile), indicating very low exploitation likelihood.
Use-after-free and double-free condition in the Linux kernel RDMA/mlx5 driver allows local privileged users to corrupt kernel memory through error path mishandling in mlx5_ib_dev_res_srq_init(). The flaw stems from incorrect fall-through logic when ib_create_srq() fails for the second Shared Receive Queue (s1), leaving freed s0 pointers and ERR_PTR values assigned to device resource fields. No public exploit identified at time of analysis, with EPSS scoring this at just 0.02% probability of exploitation.
Filesystem inconsistency in the Linux kernel's F2FS implementation allows local authenticated users to trigger fsck misinterpretation of node block migration as fsync-written data, resulting in filesystem integrity issues following a sudden power-off (SPO). Affecting Linux kernel versions through 7.0.7 and 7.1-rc1 (with backports to 6.18.30), the flaw stems from Foreground Garbage Collection (FGGC) failing to clear dentry and fsync marks during node block migration. No public exploit identified at time of analysis, and EPSS is very low at 0.02% (4th percentile).
Local privilege escalation and information disclosure in the Linux kernel on AMD Zen2 CPUs allows low-privileged users to trigger instruction corruption via improper isolation of shared resources in the op cache. Affecting kernels prior to 5.10.256, 5.15.207, 6.1.173, 6.6.139, 6.12.88, 6.18.30, and 7.0.7, the flaw carries a CVSS 8.8 due to scope change (S:C) impacting confidentiality, integrity, and availability beyond the original security boundary. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but the architectural nature of the bug (CPU op cache sharing) makes it relevant for multi-tenant and virtualization workloads.
Resource exhaustion via dst entry reference leak in the Linux kernel's IPv6 IPsec (xfrm6) receive path allows a local attacker with low privileges to cause a denial of service by exhausting kernel memory. The flaw exists in xfrm6_rcv_encap(), which calls ip6_route_input_lookup() returning a referenced dst entry even for error routes, but fails to release that reference before dropping the packet when dst->error is set. Repeated packets hitting this code path therefore accumulate unreleased dst references, ultimately crashing the system. No public exploit exists and this vulnerability is not in the CISA KEV list; EPSS exploitation probability is extremely low at 0.02% (5th percentile).
Memory leak in the Linux kernel's RISC-V KVM vector context allocation allows a local low-privileged attacker to exhaust kernel memory, causing denial of service on RISC-V hypervisor hosts. The flaw exists in kvm_riscv_vcpu_alloc_vector_context() where a failed second kzalloc call (host_context.vector.datap) returns an error without freeing the first allocation (guest_context.vector.datap), accumulating unreleased kernel memory across repeated vCPU creation attempts. No public exploit exists and no active exploitation is confirmed; EPSS at 0.02% (4th percentile) reflects the narrow RISC-V KVM deployment surface.
The MPTCP (Multipath TCP) path manager in the Linux kernel mishandles socket reference counting during ADD_ADDR retransmission timer callbacks, resulting in a local denial-of-service. When the retransmit timer fires and holds the last reference to a socket, calling __sock_put() instead of sock_put() leaks the socket; and if sock_put() is used without first marking the timer done, the resulting sk_free() call invokes sk_stop_timer_sync() on the same in-flight timer, causing the kernel to wait indefinitely. No public exploit has been identified at time of analysis; EPSS is 0.02% (4th percentile), and the vulnerability is not listed in CISA KEV.
Scheduling-while-atomic kernel panic in the Linux kernel MPTCP subsystem allows a local low-privileged user to crash the host by setting timestamp socket options on an MPTCP socket. The defect stems from invoking sleepable helpers - sock_set_timestamp() and sock_set_timestamping() - inside the atomic context established by lock_sock_fast(), violating the kernel's non-sleeping constraint for spinlock holders. No public exploit code has been identified and EPSS sits at 0.02% (5th percentile), indicating negligible real-world exploitation probability at this time. Note: the 'Information Disclosure' tag applied by some sources appears incorrect - the actual impact is limited to availability (kernel panic/crash) with no confidentiality or integrity consequence per the CVSS vector.
Uninitialized heap memory in the Linux kernel's usblp USB printer driver leaks a stale kernel byte to userspace through the LPGETSTATUS ioctl when a malicious or non-compliant USB printer returns zero bytes to a one-byte status request. Affected branches span kernel versions from 2.6.12 through 6.18.x, 7.0.x, and 7.1-rc3, with fixes available in stable releases 6.6.140, 6.12.88, 6.18.30, and 7.0.7. No public exploit exists and EPSS stands at 0.02% (5th percentile); exploitation requires local access, a cooperating malicious USB device, and access to the printer device node - substantially narrowing real-world risk despite the breadth of affected kernel versions.
Use-after-free in the Linux kernel mac80211 wireless subsystem allows attackers on the adjacent wireless network to corrupt kernel memory by triggering radar detection cancellation paths that free a channel context still being iterated. No public exploit identified at time of analysis, and EPSS exploitation probability is 0.02% (5th percentile), but the high CVSS reflects severe potential impact on confidentiality, integrity, and availability if exploited. A vendor-released patch is available in stable kernel updates including 6.12.88, 6.18.30, and 7.0.7.
OpenVSwitch tunnel port removal in the Linux kernel triggers a self-deadlock that permanently hangs the kernel's RTNL lock, causing a denial of service requiring system reboot. The flaw affects systems across multiple stable kernel branches (6.6.x, 6.12.x, 6.18.x, 7.0.x) where OVS tunnel vports (VXLAN, GRE, GENEVE) are actively managed. Patched versions are available across all affected stable branches; no public exploit identified at time of analysis, and the EPSS score of 0.02% (5th percentile) indicates negligible observed exploitation probability.
Memory corruption in the Linux kernel's btrfs filesystem can be triggered when create_space_info_sub_group() encounters a kobject initialization failure, causing the sub_group structure to be freed twice. The double-free occurs because btrfs_sysfs_add_space_info_type() already releases the memory via kobject_put() in its error path, after which the caller frees it again. EPSS scores this at 0.02% (5th percentile) and there is no public exploit identified at time of analysis, but a vendor-released patch is available.
Double-free memory corruption in the Linux kernel's Intel ice (E810) network driver occurs in the ice_sf_eth_activate() error path when auxiliary_device_add() fails, causing sf_dev to be freed twice. Affecting Linux kernel versions starting at 6.12 through pre-patch builds, a local privileged user triggering the failure path can corrupt kernel heap state, with no public exploit identified at time of analysis and a very low EPSS score of 0.02%.
Divide-by-zero in the Linux kernel's md/raid10 subsystem allows a local authenticated user to crash the kernel by supplying a zero far_copies value when configuring a RAID10 array with the 'improved' far set layout. The affected function setup_geo() performs the division geo->far_set_size = disks / fc without first validating that fc is non-zero, triggering a kernel oops or panic and producing a high availability impact. EPSS is 0.02% (5th percentile) and this CVE is not listed in CISA KEV, consistent with the local-only, configuration-specific attack vector and no public exploit identified at time of analysis.
Filesystem availability loss in the Linux kernel's btrfs subsystem can render a mounted volume unrecoverable after a power failure under specific directory removal conditions. The btrfs directory removal path fails to update the inode's `last_unlink_trans` field, causing a stale transaction ID to persist. When a process holds an open file descriptor to the removed directory and subsequently calls fsync, the incomplete journal entry survives to disk; upon next mount, log replay fails with -EIO and a 'corrupt leaf: invalid nlink' critical error, leaving the filesystem unmountable. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects negligible opportunistic exploitation interest, consistent with a logic-flaw data-integrity bug rather than a memory-corruption primitive.
Kernel heap memory disclosure in the Linux btrfs subsystem allows a low-privileged local user to read uninitialized kmalloc heap bytes from kernel memory via a TOCTOU race in the btrfs_ioctl_space_info() code path. Affected systems are those running btrfs filesystems on kernel versions dating back to 2.6.34; the race window opens when groups_sem is released between the slot-counting and buffer-filling passes of the ioctl, and concurrent block group removal shrinks the actual entry count below the allocated buffer size, causing copy_to_user() to copy trailing uninitialized heap data into userspace. No public exploit has been identified at time of analysis and EPSS exploitation probability is extremely low (0.02%), but patched stable releases are available.
Socket reference count leak in the Linux kernel MPTCP path manager allows a local low-privilege attacker to cause kernel resource exhaustion and denial of service by repeatedly triggering ADD_ADDR retransmission events. Affected versions span from Linux 5.10 through 7.1-rc2, with patches confirmed available in stable releases 6.18.30, 7.0.7, and 7.1-rc3. No public exploit has been identified and EPSS probability is negligible at 0.02%, placing this firmly in routine maintenance priority rather than emergency response.
Local privilege escalation risk in the Linux kernel's ALSA PCM OSS emulation layer stems from an unprotected concurrent access to the runtime.oss.trigger bit field, allowing racing writes to corrupt adjacent bit fields and destabilize sound device state. The flaw affects Linux kernel versions prior to 6.12.88, 6.18.30, and 7.0.7, and was discovered through fuzzing; no public exploit identified at time of analysis, and EPSS scoring (0.02%) indicates negligible probability of opportunistic exploitation.
Kernel panic (ADE - Address Error for Memory access) in the LoongArch-specific PCI fixup function loongson_gpu_fixup_dma_hang() crashes systems that boot with a discrete Loongson GPU whose PCI device ID does not match any handled case in the switch statement. The missing default case causes readl() to be called with a garbage MMIO address derived from uninitialized register state, resulting in a hard kernel panic at boot time (PID 1, swapper/0) and rendering the system unavailable. No public exploit identified at time of analysis, and EPSS is 0.02% (5th percentile), consistent with a hardware-specific local DoS requiring no attacker interaction.
Out-of-bounds heap read in the Linux kernel's SMB client (smb/client) allows a malicious or compromised SMB server to leak adjacent kernel heap memory to a connected Linux client. The flaw lives in smb2_compound_op() where check_wsl_eas() fails to validate that OutputBufferLength fits within iov_len before a memcpy, so a truncated response with an oversized OutputBufferLength and an early-terminated EA list triggers the read past the rsp_iov allocation. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but upstream patches have been merged across multiple stable branches.
Local privilege escalation potential exists in the Linux kernel's sched_ext (SCX) subsystem where a use-after-free condition in cgroup setter operations can be triggered when a BPF scheduler is swapped concurrently with cgroup weight, idle, or bandwidth updates. The flaw affects kernel 6.18 and related stable branches and stems from reading scx_root outside the scx_cgroup_ops_rwsem, allowing a stale pointer to be dereferenced after the previous scheduler is freed via RCU. EPSS is very low (0.02%) and no public exploit is identified at time of analysis.
Memory exhaustion in the Linux kernel's 8021q VLAN subsystem allows a local user with low privileges to cause denial-of-service by repeatedly manipulating VLAN egress QoS priority mappings. The function `vlan_dev_set_egress_priority()` retains cleared priority entries as unreachable tombstones in the kernel hash table across set/clear cycles, accumulating until device teardown and leaking kernel memory. No public exploit exists and EPSS is 0.02% at the 5th percentile, indicating negligible real-world exploitation interest; however, the High availability impact in CVSS reflects potential OOM-triggered system instability on affected hosts.
Concurrency flaw in the Linux kernel's mac80211 WiFi subsystem (versions from 6.4 onward) can cause misrouted or dropped 802.11 frames on adjacent-network attacks. The bug stems from a stray `static` qualifier on the per-invocation `rx_result` in `ieee80211_invoke_fast_rx()`, which is documented as parallel-RX safe but in practice shares a single result variable across concurrent callers. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the CVSS rating of 8.8 reflects strong CIA impact under adjacent-network conditions.
Heap memory disclosure in the Linux kernel usblp USB printer driver allows a local attacker with a malicious USB printer to expose up to 1021 bytes of uninitialized kmalloc heap to userspace. The driver's usblp_cache_device_id_string() blindly trusts a device-supplied 2-byte big-endian length prefix in the IEEE 1284 GET_DEVICE_ID response, leaking stale kernel heap contents via the ieee1284_id sysfs attribute and the IOCNR_GET_DEVICE_ID ioctl. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile) and the vulnerability is not listed in CISA KEV, but vendor patches are confirmed across multiple stable kernel branches.
Incorrect caching of AppArmor notification responses in Ubuntu Linux kernel versions 6.8, 7.17, and 7.0 stems from an uninitialized variable (CWE-457) in Ubuntu-specific AppArmor SAUCE patch code. An unprivileged local user can trigger this bug to corrupt the AppArmor notification response cache, producing a low-severity integrity impact. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; the CVSS score of 3.3 (Low) reflects its constrained local-only, limited-impact nature.
Ubuntu Linux kernel SAUCE patches (versions 6.8, 6.17, and 7.0) improperly validate the size of the name field in AppArmor notification responses, allowing a local low-privileged user to trigger handling of crafted responses with potential limited integrity impact. The vulnerability carries a CVSS score of 3.3 (Low) with a local attack vector, restricted to integrity effects only and no confidentiality or availability consequences. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV.
Privilege escalation in Capsule (the Kubernetes multi-tenancy operator) allows authenticated tenant owners to create cluster-scoped resources - including ClusterRole and ValidatingWebhookConfiguration - by embedding them in TenantResource RawItems, bypassing tenant isolation enforced by the platform. The Capsule Controller's default cluster-admin ClusterRoleBinding means it creates whatever resource it is instructed to process, and its attempt to namespace-scope the resource via obj.SetNamespace() is silently ignored by the Kubernetes API for cluster-scoped kinds. A working proof-of-concept is publicly documented in the GHSA advisory; no CISA KEV listing has been issued at time of analysis.
Namespace hijacking in Capsule (Kubernetes multi-tenancy operator) prior to v0.13.0 allows an authenticated tenant administrator to reassign any namespace to their own tenant by patching it through the namespace/status or namespace/finalize subresource APIs, which bypass Capsule's ValidatingWebhookConfiguration enforcement entirely. The webhook intercepts direct namespace modifications but omits these subresource paths, leaving a gap that an attacker with explicitly delegated RBAC permissions can exploit with a single PATCH request. A complete, working proof-of-concept is publicly available in the GitHub Security Advisory GHSA-2ww6-hf35-mfjm; no CISA KEV listing was identified, indicating no confirmed widespread active exploitation at time of analysis.
Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthenticated attackers to continue using stolen or revoked JWTs indefinitely via the OAuth token exchange endpoint. The GetTokenExchangeToken() function validates JWT signatures but never checks the Token table for revocation status, breaking a core security guarantee of the identity provider. EPSS exploitation probability is currently very low (0.02%, 5th percentile) and no public exploit is identified, though the 9.8 CVSS reflects the high impact on authentication boundaries.
Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by supplying unverified email claims from upstream identity providers. The getExistUserByBindingRule function matches users solely by email address without validating the email_verified claim, enabling cross-IdP account compromise. No public exploit identified at time of analysis, and EPSS rates exploitation probability at 0.02% (5th percentile), but the CVSS 9.1 reflects the severe identity-layer impact.
Credential exposure in Tigera Calico's Azure IPAM integration causes ServiceAccount tokens, client keys, and certificate authority data to be written in plaintext to a node-local log file on every pod scheduling and termination event. Affected deployments include Calico, Calico Enterprise, and Calico Cloud when the Azure IPAM plugin is in use with token-based Kubernetes authentication. Any low-privileged principal able to read /var/log/calico/cni/cni.log on an affected node can extract these credentials and leverage them for cluster-wide Calico networking administration. No public exploit code has been identified at time of analysis and CISA KEV listing is absent, but the sensitive nature of the exposed material - full Kubernetes auth credentials - makes this a meaningful lateral movement and privilege escalation risk within affected Azure-hosted Kubernetes clusters.
Credential disclosure in Tigera Calico's calicoctl CLI exposes cluster-access secrets through verbose logging output. When operators run calicoctl with --log-level=info or --log-level=debug, the tool serializes its entire connection-configuration struct (including bearer tokens, etcd passwords, and inline PEM client certificates/keys) to stderr in a single log line, making them harvestable by anyone with access to CI logs, terminal recordings, or support transcripts. The issue is patched upstream but no public exploit is identified at time of analysis; default panic-level logging means standard deployments are not exposed.
Calico's install-cni init container leaks live Kubernetes ServiceAccount bearer tokens into pod logs when Canal/Flannel-Calico deployments use the __SERVICEACCOUNT_TOKEN__ placeholder, making the credential readable by any authenticated user with pods/log permission in the calico-node namespace. The exposed token carries patch privileges on pods/status, creating a lateral movement path via annotation-based attacks against cluster workloads. This is a confirmed regression of TTA-2018-001 reported by Tigera; no public exploit has been identified at time of analysis, though upstream patches are available via GitHub.
Credential brute-forcing against TP-Link Archer C64 v1 routers is possible via an undocumented debug SSH service that shares credentials with the web admin interface but enforces no authentication rate-limiting. Adjacent attackers (same Wi-Fi or LAN segment) can iterate password guesses without lockout to recover the administrator password and take full control of the router. No public exploit identified at time of analysis; CVSS 4.0 base score is 8.7 (High) and a vendor patch is available.
IP restriction bypass in Hono's ip-restriction middleware (hono/ip-restriction) prior to version 4.12.21 allows unauthenticated remote attackers to circumvent configured deny and allow rules by submitting non-canonical IPv6 representations of restricted addresses. String equality comparison applied after only partial normalization means that compressed, explicit-zero, or hex-notation IPv4-mapped IPv6 forms of a listed address silently fail to match the normalized rule entry, causing enforcement to be skipped entirely. No public exploit has been identified at time of analysis, but the bypass requires only trivial reformatting of a standard IPv6 address, making it practically low-effort for any attacker aware of the flaw.
HTTP response header injection in Hono's cookie serialize() function allows unauthenticated remote attackers to inject arbitrary Set-Cookie attributes when an application passes user-controlled input into the sameSite or priority cookie options. All Hono releases prior to 4.12.21 are affected across every supported JavaScript runtime. No public exploit code exists at time of analysis, and the vulnerability is not listed in CISA KEV, though the low attack complexity and network-accessible vector make it exploitable wherever the affected code path is reachable by user-supplied data.
Path prefix stripping in Hono's app.mount() API exposes mounted sub-applications to incorrect routing due to a raw-vs-decoded URL path inconsistency, potentially allowing unauthenticated remote attackers to reach unintended endpoints and disclose protected information. All Hono versions prior to 4.12.21 are affected across every supported JavaScript runtime. No public exploit or CISA KEV listing exists at time of analysis; however, the CVSS vector AV:N/AC:L/PR:N/UI:N and the 'Information Disclosure / Request Smuggling' classification make this a meaningful priority for any deployment that relies on mount-prefix path logic for access segregation.
Unconstrained outbound JWKS requests in PyJWT's PyJWKClient.get_signing_key() allow unauthenticated remote attackers to amplify HTTP traffic toward a downstream JWKS endpoint by submitting JWTs carrying arbitrary, unrecognized kid values. All PyJWT versions prior to 2.13.0 are affected when the PyJWKClient class is used for signature verification. The availability impact is low (CVSS A:L) and exploitation success is gated on the upstream JWKS provider exhibiting rate limiting or transient failures; no public exploit code exists and this CVE does not appear in CISA KEV.
Denial-of-service via algorithmic complexity in pypdf before 6.12.0 allows an attacker who can supply a crafted PDF file to cause excessive processing time during cross-reference stream parsing. The vulnerability is triggered by crafting a PDF with /W [0 0 0] field values in a cross-reference stream combined with a large /Size value, which causes the library to perform unbounded iteration over zero-byte entries. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, any application that processes untrusted PDF input using pypdf is exposed.
Untrusted search path in Espressif's shared-github-dangerjs GitHub Action prior to 1.0.1 allows a fork pull request, when processed by a pull_request_target workflow, to substitute attacker-controlled binaries and Node.js modules for the action's own code. Exploitation yields code execution inside the action container with access to repository secrets and write-scoped GITHUB_TOKEN, with no public exploit identified at time of analysis.
Unauthenticated account takeover in phpMyFAQ before 4.1.3 allows remote attackers to forcibly reset any user's password by sending a PUT request to the /api/index.php/user/password/update endpoint with a valid username and email pair. The endpoint also leaks valid credentials through response code differentials (200 vs 409), enabling username/email enumeration before the reset. No public exploit identified at time of analysis, though a detailed PoC is published in the GHSA advisory.
Roundcube Webmail's HTML sanitizer fails to block loopback, localhost, RFC1918, link-local, and ULA addresses when rendering HTML email, even when the user has disabled remote content loading. An unauthenticated remote attacker (PR:N per CVSS) can send a crafted HTML email that - upon the victim previewing it - causes their browser to issue HTTP requests to internal or private-network services, enabling blind probing or interaction with local infrastructure. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis, though the changed scope (S:C in CVSS) reflects that impact extends to resources beyond Roundcube itself.
Weak default credential generation in the D-Link DWR-X1820 router exposes administrative access to adjacent-network attackers who can derive the device password from its IMEI number. All devices running firmware prior to 1.00B16CP are affected when users have not changed the factory-set password - a common real-world condition for consumer-grade routers. An attacker with knowledge of the IMEI-to-password derivation algorithm and physical or logical access to the IMEI (e.g., from the device label) can authenticate to the router admin interface without prior credentials. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Use-after-free in the Linux kernel SPI controller driver for Freescale MPC52xx (spi-mpc52xx) occurs when controller registration fails and the previously requested interrupts are not properly disabled or released, leaving dangling interrupt handlers tied to freed memory. Local users with the ability to load or interact with this SPI driver on affected systems could potentially trigger memory corruption or information disclosure. EPSS is 0.02% and there is no public exploit identified at time of analysis, but the issue is rated CVSS 7.8 due to high impact on confidentiality, integrity, and availability.
Local privilege escalation potential via use-after-free in Linux Kernel iris media driver affects kernels 6.18.16-6.18.31, 6.19.6-6.19.x, and 7.0 series prior to the fix commits. The flaw resides in iris_release_internal_buffers(), where session_release_buf() may free a buffer that the caller subsequently dereferences, a regression introduced by commit 1dabf00ee206. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but local low-privileged attackers on systems with the Qualcomm iris video accelerator driver could potentially leverage the freed-memory access.
Runtime PM reference count leak in the Linux kernel's OmniVision OV5647 camera sensor driver (media/i2c/ov5647) causes availability loss for systems equipped with this camera hardware. The s_ctrl function's handling of three V4L2 controls - AUTOGAIN, EXPOSURE_AUTO, and ANALOGUE_GAIN - returns early without invoking pm_runtime_put(), allowing unpaired runtime PM get/put calls to accumulate. A local user with access to the camera device node can trigger this imbalance repeatedly, exhausting the PM reference count and preventing the device from entering low-power states, ultimately making it unavailable. No public exploit has been identified; EPSS is 0.02% (5th percentile) and this vulnerability does not appear in CISA KEV.
Use-after-free risk in the Linux kernel's batman-adv BAT IV mesh routing implementation allows adjacent network attackers to potentially corrupt memory or disclose information by triggering stale originator pointer dereferences. The flaw affects neigh_node structures that cached an auxiliary originator pointer not owned by the neighbor state, which could dangle after purge handling. No public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.02%, but the CVSS 8.8 rating reflects high impact across confidentiality, integrity, and availability if triggered.
Availability impact in the Linux kernel's xbox_remote media/rc driver allows a local, low-privileged user with access to the affected device to crash the kernel via a DMA coherency violation. The IO buffer used for USB transfers is embedded directly within the device structure, which violates DMA coherency rules and can trigger memory corruption leading to kernel panic. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% reflects minimal observed exploitation activity. Vendor-released patches are available across multiple stable kernel branches.
Out-of-bounds read in the Linux kernel's HID PlayStation driver (dualshock4_parse_report) allows an adjacent attacker with a malicious or spoofed DualShock 4 controller to read up to ~2 KiB beyond the touch_reports array and have portions of that data emitted through evdev. The flaw stems from the driver trusting the device-supplied num_touch_reports field without bounds checking, enabling potential kernel memory disclosure and denial of service. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, but an upstream fix is available.
Reference counting failure in the Linux kernel's batman-adv Bridge Loop Avoidance (BLA) subsystem allows a local low-privileged user to cause a slow kernel memory leak and eventual denial of service. Specifically, batadv_bla_add_claim() omits the required batadv_backbone_gw_put() call on the error path when a claim hash insertion fails, preventing the backbone_gw object's reference count from ever reaching zero. The vulnerability has been present since at least kernel 4.7 and is patched across multiple stable branches; no public exploit exists and EPSS is extremely low at 0.02% (5th percentile), placing this firmly in the low-urgency tier except for environments actively running batman-adv with BLA.
Out-of-bounds read in the Linux kernel's AMD GPU VCN3 (Video Core Next, generation 3) decoder message parser allows a local low-privileged user to read kernel memory beyond the buffer object boundary and potentially trigger denial of service. The flaw was resolved by adding bounds checks against the end of the buffer object whenever the dec msg is accessed. EPSS is very low (0.02%, 6th percentile) and no public exploit has been identified at time of analysis.
Stale VRAM exposure in the Linux kernel's amdkfd driver (drm/amdkfd) allows local authenticated users to observe prior occupants' GPU memory contents and crash multi-GPU compute workloads. The KFD allocation path omitted the AMDGPU_GEM_CREATE_VRAM_CLEARED flag - present in every other userspace GEM allocation path - leaving freshly allocated VRAM buffers populated with data from previous processes. The primary documented availability impact is deterministic crashes in RCCL peer-to-peer transport when stale values corrupt the ptrExchange, head, and tail protocol fields; a secondary information-disclosure risk exists because stale page-table remnants are observable by unprivileged compute kernels. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile).
Memory leak in the Linux kernel's spi: ch341 USB-to-SPI driver allows a local user to degrade system availability by triggering driver unbind without physical device disconnection. The defect lies in incorrect devres (device-managed resource) lifetime scoping - resources are anchored to the parent USB device rather than the USB interface, so they are not released when the driver unbinds during events such as probe deferral or runtime configuration changes. No public exploit has been identified at time of analysis, and an EPSS score of 0.02% (4th percentile) indicates negligible exploitation probability in the near term.
Local privilege escalation in the Linux kernel SCTP subsystem allows unprivileged users to trigger a use-after-free or type confusion in the SCTP_SENDALL code path. The flaw stems from a stale iterator cursor in sctp_sendmsg() that survives across a dropped socket lock, and the type-confusion variant yields a controlled indirect call via outqueue.sched->init_sid. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the vendor description explicitly notes both bugs are reachable from CapEff=0.
Improper driver teardown ordering in the Linux kernel's Freescale (FSL) SPI controller driver allows a local low-privileged user to trigger a denial-of-service condition during driver unbind. The SPI controller is not deregistered before underlying resources such as DMA are released, creating a window where the controller may reference freed memory. No public exploit has been identified at time of analysis, and EPSS sits at 0.02% (5th percentile), reflecting low real-world exploitation probability.
Improper resource deregistration ordering in the Linux kernel's spi/rspi (Renesas SPI controller) driver causes a local denial-of-service condition during driver unbind. The rspi driver releases DMA resources before deregistering the SPI controller, creating a window where in-flight controller operations can reference freed memory, resulting in a kernel crash or panic. With CVSS availability impact rated High and EPSS at 0.02% (5th percentile), this is a low-probability but locally exploitable stability issue affecting systems with Renesas SPI hardware. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Memory leak in the Linux kernel's drm/xe Intel Xe GPU driver allows a local, low-privileged user to exhaust kernel memory by repeatedly triggering DMA buffer import failures, leading to denial of service. The bug resides in xe_dma_buf_init_obj(), where a pre-allocated buffer object (bo) is not freed when drm_gpuvm_resv_object_alloc() fails, due to ambiguous ownership semantics between the caller and callee on error paths. No public exploit exists and EPSS probability is extremely low at 0.02% (4th percentile), placing this in the maintenance-priority category rather than urgent remediation for most environments.
An A-A (same-task) deadlock in the Linux kernel cgroup rmdir path (versions 7.0 through 7.1-rc2 and 6.19.x) can permanently hang the entire system, requiring a hard reboot. When a process acting as both a PID namespace zombie reaper (e.g., systemd/PID 1) and the cgroup rmdir(2) caller encounters dying tasks still linked to cgroup csets, the kernel blocks the reaper indefinitely in TASK_UNINTERRUPTIBLE, creating a circular dependency from which the system cannot recover. No public exploit has been identified at time of analysis, EPSS exploitation probability is extremely low (0.02%), and no CISA KEV listing exists - consistent with the scenario's narrow, operationally specific triggering conditions.
Memory leak in the Linux kernel's EDAC/versalnet driver allows a local low-privileged user to gradually exhaust kernel heap memory, rated CVSS 5.5 with high availability impact. The flaw exists in init_one_mc() where a kzalloc()-allocated device name string becomes permanently unreachable after device_register() copies and nullifies the pointer, preventing any subsequent free on device removal. No public exploit identified at time of analysis; EPSS at 0.02% (4th percentile) confirms this is a low-exploitation-probability defect rather than an actively targeted vulnerability.
Use-after-free in the Linux kernel's MPC52xx SPI driver (spi-mpc52xx) can be triggered when the driver is unbound, because the interrupt-scheduled state machine work is not cancelled after interrupts are disabled. Local users with the ability to unbind the driver could potentially corrupt kernel memory, with confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Use-after-free in the Linux kernel's DRM (Direct Rendering Manager) GEM handle subsystem allows a local authenticated attacker to trigger memory corruption via a race condition in the change_handle ioctl. The flaw stems from a window where a single GEM object briefly held two IDR entries, letting a concurrent gem_close call dereference a dangling handle. No public exploit identified at time of analysis and EPSS exploitation probability is low (0.02%), but the CVSS 7.8 reflects full confidentiality, integrity, and availability impact on affected systems.
Denial-of-service via accept queue counter leak in the Linux kernel's vsock/virtio subsystem allows an authenticated local attacker to permanently exhaust a listener socket's backlog, causing it to reject all new connections. The flaw exists from kernel 5.5 onward in virtio_transport_recv_listen(), where sk_acceptq_added() is called before vsock_assign_transport() validation; failed transport assignments never call the paired sk_acceptq_removed(), permanently inflating sk_ack_backlog. No public exploit exists and EPSS is at the 5th percentile, but the impact in multi-tenant virtualized environments relying on vsock communication is a complete denial of vsock listener service.
Use-after-free in the Linux kernel's appletb-kbd HID driver allows local low-privileged users on Apple Touch Bar-equipped MacBooks to potentially trigger memory corruption during driver tear-down. The flaw stems from incorrect ordering of timer cleanup and device reference release in the inactivity-timer cleanup path, leaving two race windows where a softirq can dereference freed backlight_device memory. EPSS is very low (0.02%) and no public exploit identified at time of analysis; impact is limited to systems running the appletb-kbd driver, primarily Apple MacBook Pro hardware with Touch Bars.
Use-after-free in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh networking module's bridge loop avoidance (BLA) subsystem allows adjacent attackers on the same Layer-2 segment to potentially trigger memory corruption when claim entries are deleted. The flaw, with a CVSS of 8.8 (AV:A/AC:L/PR:N/UI:N), exists in batadv_bla_del_backbone_claims() where a claim reference may be released before its final use, enabling exploitation by anyone able to inject mesh traffic. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but upstream fixes have been released across multiple stable kernel branches.
Local privilege escalation and memory corruption in the Linux kernel's iris media driver allows local users with low privileges to trigger a use-after-free condition via concurrent access during Macro Blocks Per Frame (MBPF) checks. The flaw affects Linux kernel 6.18 and stems from improper lock ordering where fmt_src and fmt_dst structures are freed under inst->lock while the instance remains in the core list traversed under core->lock. EPSS is very low at 0.02% (5th percentile) and no public exploit identified at time of analysis, but the high CVSS score reflects severe local impact.
Use-after-free / race condition in the Linux kernel's batman-adv mesh networking module allows a local low-privileged attacker to trigger memory corruption by exploiting unsynchronized tp_meter sessions during mesh interface teardown. The flaw stems from batadv_mesh_free() not draining active tp_meter sessions before shutdown, letting sender threads or late-arriving packets operate on a destroyed mesh instance. No public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.02%.
Uninitialized socket buffer data exposure in the Linux kernel's vsock/virtio transport layer (6.7 and later) corrupts vsockmon tap monitoring output when non-linear skbs are in use. The `virtio_transport_copy_nonlinear_skb()` function constructs an `iov_iter` without setting `iov_iter.count`, causing zero-length copies that leave skb payloads uninitialized on the monitor interface - potentially exposing stale kernel memory to vsockmon consumers. Patched stable releases 6.12.90, 6.18.32, and 7.0.9 are available; no public exploit exists and EPSS stands at 0.02% (5th percentile), placing real-world exploitation risk very low but warranting attention in environments actively using vsockmon debugging.
Local privilege escalation risk in the Linux kernel's batman-adv mesh networking module allows authenticated local users to trigger memory corruption by initiating new tp_meter throughput measurement sessions during mesh teardown. The flaw exists because the tp_meter subsystem failed to reject new sender/receiver sessions after mesh_state transitioned out of BATADV_MESH_ACTIVE, creating a race condition during module shutdown. No public exploit identified at time of analysis, and EPSS exploitation probability is extremely low at 0.02%.
Local privilege escalation risk in the Linux kernel's atomisp staging media driver allows authenticated low-privileged users to potentially abuse private IOCTLs that were not adequately validated. The upstream fix disables all private IOCTLs in the atomisp driver by returning early when the command is non-zero. EPSS is very low at 0.02% (5th percentile) and no public exploit identified at time of analysis, indicating limited real-world exploitation interest.
Out-of-bounds read in the Linux kernel's AMD GPU VCN4 (Video Core Next) driver allows a local user with GPU access to trigger memory disclosure or denial of service by submitting a crafted indirect buffer (IB) to the amdgpu DRM subsystem. The flaw stems from missing bounds checks while parsing IBs in the drm/amdgpu/vcn4 code path, and no public exploit identified at time of analysis. EPSS exploitation probability is very low (0.02%) and the issue is not listed in CISA KEV.
Unclocked register access in the Linux kernel's Cadence Quadspi SPI controller driver (spi-cadence-quadspi) occurs during driver unbind, affecting kernel versions through 7.0.x and 7.1-rc1. A local low-privileged user able to trigger driver unbind can cause high-impact confidentiality loss and denial of service on systems using affected SPI hardware. There is no public exploit identified at time of analysis and EPSS rates exploitation probability at just 0.02%.
Kernel crash (denial of service) in the Linux kernel's hid-appletb-kbd driver results from calling a mutex-acquiring function from softirq and IRQ atomic contexts on Apple Touch Bar MacBooks running Linux. Authenticated local attackers with low privileges can trigger a kernel BUG by inducing Touch Bar inactivity or generating HID events that exercise the broken brightness-reset path, crashing the system. No public exploit has been identified and EPSS is 0.02% (4th percentile), reflecting the niche hardware requirement; patches are available in kernel versions 6.18.32, 7.0.9, and 7.1-rc4.
Local privilege-context resource leak in the Linux kernel's Intel Xe DRM driver allows a local user with GPU access to exhaust dma-buf attachments by repeatedly triggering the failure path in xe_gem_prime_import(). The flaw, addressed across multiple stable trees (6.12.90, 7.0.9, 6.18.32, 7.1-rc2), causes a dma-buf attachment to remain attached when xe_dma_buf_init_obj() fails, producing a kernel-side memory and reference leak. EPSS is 0.02% and the issue is not on the CISA KEV list; no public exploit identified at time of analysis.
Denial-of-service via improper resource teardown ordering in the Linux kernel's MPC52xx SPI controller driver (spi/mpc52xx) affects systems running PowerPC-based embedded hardware. During driver unbind, the SPI controller was deregistered after - rather than before - disabling underlying resources such as interrupts and GPIOs, creating a window where the kernel could access freed or disabled resources and trigger a system crash. No public exploit has been identified at time of analysis, and with an EPSS of 0.02% (5th percentile), real-world exploitation is assessed as very low probability.
Out-of-bounds read in the AMD GPU VCN4 (Video Core Next, 4th generation) decoder message parser of the Linux kernel allows a local low-privileged user to read kernel memory beyond the decoder message buffer object, potentially leading to information disclosure and denial of service. The flaw exists in the drm/amdgpu/vcn4 driver where bounds against the end of the buffer object (BO) were not validated when parsing decoder messages. No public exploit identified at time of analysis and EPSS scores the exploitation probability at just 0.02% (6th percentile), but a vendor patch is available across multiple stable branches.
Persistent availability degradation in the Linux kernel tracepoint subsystem results from an unbalanced regfunc()/unregfunc() pair when tracepoint_add_func() fails mid-registration. When func_add() returns an error (such as -ENOMEM) after regfunc() has already executed, ext->unregfunc() is never called, leaving side effects permanently in place - for syscall tracepoints, this sticks sys_tracepoint_refcount at a non-zero value and keeps SYSCALL_TRACEPOINT set on every running task, imposing unnecessary syscall trace entry/exit overhead on all processes until reboot. No public exploit identified at time of analysis and EPSS is 0.02% (5th percentile), indicating this is a low-probability exploitation target, though it is a confirmed kernel-quality bug with patches issued across multiple stable branches.
Kernel panic via race condition in the f2fs filesystem extent node management affects Linux kernel across multiple stable branches. When f2fs_destroy_extent_node() is invoked from f2fs_drop_inode() with I_SYNC set, a concurrent kworker writeback thread can insert new extent nodes into the same extent tree between lock releases, causing node_cnt to become non-zero upon loop exit and triggering f2fs_bug_on() - a deliberate kernel assertion failure resulting in a system crash. A secondary gap leaves EX_BLOCK_AGE extent tree updates completely unprotected by the FI_NO_EXTENT flag check, compounding the race surface. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile), indicating low exploitation probability in the near term.
The xfrm AH (Authentication Header) subsystem in the Linux kernel miscalculates ICV buffer offsets during asynchronous callback processing when Extended Sequence Numbers (ESN) are enabled, resulting in 100% packet loss on affected IPsec AH tunnels. Systems running AH with ESN and an async HMAC implementation (confirmed in developer-provided UML repro with forced-async hmac(sha1)) on both IPv4 and IPv6 paths are affected across multiple stable kernel branches going back to the commit introducing ESN async support. No public exploit exists and EPSS sits at 0.02% (5th percentile), reflecting a correctness defect with no exploitation interest rather than a broad attack surface; patch versions are confirmed across six stable branches.
Denial of service in the Linux kernel's Microchip Core QSPI driver corrupts SPI transfers on systems using this controller. The spi-microchip-core-qspi driver incorrectly attempts to transmit garbage data during emulated read-only dual/quad SPI operations - a protocol violation, since QSPI lacks a dedicated MOSI line and the core hardware is expected to generate read clock cycles autonomously. The result is a bricked (permanently failed) SPI transfer, causing availability loss for any kernel component or userspace process depending on that SPI bus. No public exploit exists and EPSS probability is 0.02%, consistent with a hardware-specific, locally-triggered driver defect.
Out-of-bounds read in the Linux kernel's framebuffer console (fbcon) subsystem allows a local low-privileged attacker to access kernel memory beyond the font buffer when console rotation is enabled and font reallocation fails. The flaw resides in fbcon_rotate_font() which retains the undersized old buffer after a failed reallocation, so printing characters with high-enough codes overflows the font buffer during putcs operations. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%), but the issue is patched across multiple stable kernel branches.
Out-of-bounds read in the Linux kernel's SPI-NOR flash debugfs interface (spi_nor_params_show) allows local authenticated users with debugfs access to trigger memory disclosure or denial of service on 64-bit systems. The flaw stems from sizeof() being used on a pointer array instead of ARRAY_SIZE(), inflating the bounds-check length by 8x. No public exploit identified at time of analysis and EPSS rates exploitation likelihood at 0.02%.
Double-free memory corruption in the Linux kernel's vmw_pvrdma (VMware Paravirtual RDMA) driver allows local authenticated users to corrupt kernel memory and potentially escalate privileges. The flaw occurs in the pvrdma_alloc_ucontext() error path where pvrdma_uar_free() is invoked twice - once explicitly and again via pvrdma_dealloc_ucontext(). No public exploit identified at time of analysis, and EPSS (0.02%) indicates very low near-term exploitation probability.
Use-after-free in the Linux kernel's RSI (Redpine Signals) WiFi driver allows a local low-privileged attacker to crash the kernel by exploiting a race condition between kthread self-exit and external stop operations. When `kthread_complete_and_exit` races ahead of `kthread_stop`, the already-freed task struct is dereferenced, causing a kernel denial of service. No public exploit has been identified and EPSS sits at 0.02% (5th percentile), reflecting very low real-world exploitation probability; the vulnerability is not listed in CISA KEV.
Uninitialized memory read in Linux kernel's Bluetooth virtio_bt driver allows a malicious or compromised virtio backend to trigger kernel DoS and potential information disclosure against guest VMs. The driver's virtbt_rx_handle() function fails to validate that received RX socket buffers contain sufficient bytes to cover the fixed HCI header for the declared packet type before forwarding to hci_recv_frame(). A backend-supplied one-byte completion with type HCI_ACLDATA_PKT causes the ACL classification path in hci_dev_classify_pkt_type() to dereference hci_acl_hdr(skb)->handle on an empty buffer when the HCI device holds an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with a kernel subsystem bug requiring privileged backend access in a virtualized environment.
Out-of-bounds read in the Linux kernel's SMB client (smb/client) symlink handling allows a malicious or compromised SMB server to trigger memory disclosure or denial-of-service against Linux clients that mount SMB shares. The flaw resides in symlink_data() where smb2_check_message() does not validate response length before fields beyond the 64-byte SMB2 header are accessed. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, though upstream kernel fixes have already been merged across multiple stable branches.
Use-after-free in the Linux kernel's DAMON (Data Access MONitor) sysfs-schemes interface allows local users with sysfs access to read freed memory by racing concurrent reads and writes of the quota goal 'path' file across separate file descriptors. EPSS is 0.02% and no public exploit identified at time of analysis, but the CVSS 7.8 reflects full CIA impact if a local attacker can win the race.
Kernel stack memory disclosure in the Linux kernel's pseries/papr-hvpipe driver exposes up to 43 bytes of uninitialized stack data to unprivileged local users on IBM Power (pseries) systems. The `struct papr_hvpipe_hdr` reserved padding fields (`reserved[3]` and `reserved2[40]`) are never zeroed before `copy_to_user()` copies the full structure to userspace, allowing a local attacker to harvest stale kernel stack contents - potentially including ASLR offsets or residual cryptographic material. No public exploit exists and no CISA KEV listing applies; EPSS at 0.02% (4th percentile) reflects low exploitation probability consistent with the narrow pseries-only deployment scope. Vendor-released patches are confirmed in stable branches 6.18.30, 7.0.7, and 7.1-rc3.
Local privilege escalation risk in the Linux kernel's brcmfmac Broadcom FullMAC Wi-Fi driver stems from a use-after-free in the watchdog kthread teardown path, where the watchdog task can exit between send_sig() and kthread_stop(), leaving stale memory accessible. Successful exploitation by a local low-privileged attacker who can trigger driver teardown could yield kernel memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis and EPSS is very low (0.02%), suggesting limited near-term exploitation interest.
Divide-by-zero in the Linux kernel ASoC SOF compressed audio subsystem allows a low-privileged local user to crash the kernel by querying stream pointer position before stream parameters are configured. Affected are Linux kernel stable branches 6.6 through 7.0 (pre-patch), all running on hardware with SOF audio drivers loaded. No active exploitation has been confirmed - EPSS sits at 0.02% (5th percentile) and the vulnerability is absent from CISA KEV - making this a medium-severity availability risk relevant primarily to multi-user desktop and embedded audio platforms.
Resource leak in the Linux kernel's RDMA/mlx4 InfiniBand driver allows local authenticated users to trigger kernel memory exhaustion when mlx4_ib_create_srq() fails, because mlx4_srq_alloc() is not properly undone via mlx4_srq_free() during error unwind. CVSS 7.8 (AV:L/AC:L/PR:L) reflects local privileged access required, and EPSS is very low at 0.02% (5th percentile), with no public exploit identified at time of analysis. The fix has been merged upstream and backported across multiple stable trees, indicating broad downstream exposure on systems using Mellanox ConnectX HCAs.
Denial of service in the Linux kernel IPMI driver allows a malicious or buggy BMC (Baseboard Management Controller) to indefinitely stall the driver by never signaling completion on event/message fetches or by keeping the attention (attn) bit asserted. The CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/C:N/I:N/A:H) score reflects pure availability impact, and the issue has existed since the IPMI driver's inception; no public exploit identified at time of analysis and EPSS is 0.02% (5th percentile), indicating very low exploitation likelihood.
Use-after-free and double-free condition in the Linux kernel RDMA/mlx5 driver allows local privileged users to corrupt kernel memory through error path mishandling in mlx5_ib_dev_res_srq_init(). The flaw stems from incorrect fall-through logic when ib_create_srq() fails for the second Shared Receive Queue (s1), leaving freed s0 pointers and ERR_PTR values assigned to device resource fields. No public exploit identified at time of analysis, with EPSS scoring this at just 0.02% probability of exploitation.
Filesystem inconsistency in the Linux kernel's F2FS implementation allows local authenticated users to trigger fsck misinterpretation of node block migration as fsync-written data, resulting in filesystem integrity issues following a sudden power-off (SPO). Affecting Linux kernel versions through 7.0.7 and 7.1-rc1 (with backports to 6.18.30), the flaw stems from Foreground Garbage Collection (FGGC) failing to clear dentry and fsync marks during node block migration. No public exploit identified at time of analysis, and EPSS is very low at 0.02% (4th percentile).
Local privilege escalation and information disclosure in the Linux kernel on AMD Zen2 CPUs allows low-privileged users to trigger instruction corruption via improper isolation of shared resources in the op cache. Affecting kernels prior to 5.10.256, 5.15.207, 6.1.173, 6.6.139, 6.12.88, 6.18.30, and 7.0.7, the flaw carries a CVSS 8.8 due to scope change (S:C) impacting confidentiality, integrity, and availability beyond the original security boundary. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but the architectural nature of the bug (CPU op cache sharing) makes it relevant for multi-tenant and virtualization workloads.
Resource exhaustion via dst entry reference leak in the Linux kernel's IPv6 IPsec (xfrm6) receive path allows a local attacker with low privileges to cause a denial of service by exhausting kernel memory. The flaw exists in xfrm6_rcv_encap(), which calls ip6_route_input_lookup() returning a referenced dst entry even for error routes, but fails to release that reference before dropping the packet when dst->error is set. Repeated packets hitting this code path therefore accumulate unreleased dst references, ultimately crashing the system. No public exploit exists and this vulnerability is not in the CISA KEV list; EPSS exploitation probability is extremely low at 0.02% (5th percentile).
Memory leak in the Linux kernel's RISC-V KVM vector context allocation allows a local low-privileged attacker to exhaust kernel memory, causing denial of service on RISC-V hypervisor hosts. The flaw exists in kvm_riscv_vcpu_alloc_vector_context() where a failed second kzalloc call (host_context.vector.datap) returns an error without freeing the first allocation (guest_context.vector.datap), accumulating unreleased kernel memory across repeated vCPU creation attempts. No public exploit exists and no active exploitation is confirmed; EPSS at 0.02% (4th percentile) reflects the narrow RISC-V KVM deployment surface.
The MPTCP (Multipath TCP) path manager in the Linux kernel mishandles socket reference counting during ADD_ADDR retransmission timer callbacks, resulting in a local denial-of-service. When the retransmit timer fires and holds the last reference to a socket, calling __sock_put() instead of sock_put() leaks the socket; and if sock_put() is used without first marking the timer done, the resulting sk_free() call invokes sk_stop_timer_sync() on the same in-flight timer, causing the kernel to wait indefinitely. No public exploit has been identified at time of analysis; EPSS is 0.02% (4th percentile), and the vulnerability is not listed in CISA KEV.
Scheduling-while-atomic kernel panic in the Linux kernel MPTCP subsystem allows a local low-privileged user to crash the host by setting timestamp socket options on an MPTCP socket. The defect stems from invoking sleepable helpers - sock_set_timestamp() and sock_set_timestamping() - inside the atomic context established by lock_sock_fast(), violating the kernel's non-sleeping constraint for spinlock holders. No public exploit code has been identified and EPSS sits at 0.02% (5th percentile), indicating negligible real-world exploitation probability at this time. Note: the 'Information Disclosure' tag applied by some sources appears incorrect - the actual impact is limited to availability (kernel panic/crash) with no confidentiality or integrity consequence per the CVSS vector.
Uninitialized heap memory in the Linux kernel's usblp USB printer driver leaks a stale kernel byte to userspace through the LPGETSTATUS ioctl when a malicious or non-compliant USB printer returns zero bytes to a one-byte status request. Affected branches span kernel versions from 2.6.12 through 6.18.x, 7.0.x, and 7.1-rc3, with fixes available in stable releases 6.6.140, 6.12.88, 6.18.30, and 7.0.7. No public exploit exists and EPSS stands at 0.02% (5th percentile); exploitation requires local access, a cooperating malicious USB device, and access to the printer device node - substantially narrowing real-world risk despite the breadth of affected kernel versions.
Use-after-free in the Linux kernel mac80211 wireless subsystem allows attackers on the adjacent wireless network to corrupt kernel memory by triggering radar detection cancellation paths that free a channel context still being iterated. No public exploit identified at time of analysis, and EPSS exploitation probability is 0.02% (5th percentile), but the high CVSS reflects severe potential impact on confidentiality, integrity, and availability if exploited. A vendor-released patch is available in stable kernel updates including 6.12.88, 6.18.30, and 7.0.7.
OpenVSwitch tunnel port removal in the Linux kernel triggers a self-deadlock that permanently hangs the kernel's RTNL lock, causing a denial of service requiring system reboot. The flaw affects systems across multiple stable kernel branches (6.6.x, 6.12.x, 6.18.x, 7.0.x) where OVS tunnel vports (VXLAN, GRE, GENEVE) are actively managed. Patched versions are available across all affected stable branches; no public exploit identified at time of analysis, and the EPSS score of 0.02% (5th percentile) indicates negligible observed exploitation probability.
Memory corruption in the Linux kernel's btrfs filesystem can be triggered when create_space_info_sub_group() encounters a kobject initialization failure, causing the sub_group structure to be freed twice. The double-free occurs because btrfs_sysfs_add_space_info_type() already releases the memory via kobject_put() in its error path, after which the caller frees it again. EPSS scores this at 0.02% (5th percentile) and there is no public exploit identified at time of analysis, but a vendor-released patch is available.
Double-free memory corruption in the Linux kernel's Intel ice (E810) network driver occurs in the ice_sf_eth_activate() error path when auxiliary_device_add() fails, causing sf_dev to be freed twice. Affecting Linux kernel versions starting at 6.12 through pre-patch builds, a local privileged user triggering the failure path can corrupt kernel heap state, with no public exploit identified at time of analysis and a very low EPSS score of 0.02%.
Divide-by-zero in the Linux kernel's md/raid10 subsystem allows a local authenticated user to crash the kernel by supplying a zero far_copies value when configuring a RAID10 array with the 'improved' far set layout. The affected function setup_geo() performs the division geo->far_set_size = disks / fc without first validating that fc is non-zero, triggering a kernel oops or panic and producing a high availability impact. EPSS is 0.02% (5th percentile) and this CVE is not listed in CISA KEV, consistent with the local-only, configuration-specific attack vector and no public exploit identified at time of analysis.
Filesystem availability loss in the Linux kernel's btrfs subsystem can render a mounted volume unrecoverable after a power failure under specific directory removal conditions. The btrfs directory removal path fails to update the inode's `last_unlink_trans` field, causing a stale transaction ID to persist. When a process holds an open file descriptor to the removed directory and subsequently calls fsync, the incomplete journal entry survives to disk; upon next mount, log replay fails with -EIO and a 'corrupt leaf: invalid nlink' critical error, leaving the filesystem unmountable. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects negligible opportunistic exploitation interest, consistent with a logic-flaw data-integrity bug rather than a memory-corruption primitive.
Kernel heap memory disclosure in the Linux btrfs subsystem allows a low-privileged local user to read uninitialized kmalloc heap bytes from kernel memory via a TOCTOU race in the btrfs_ioctl_space_info() code path. Affected systems are those running btrfs filesystems on kernel versions dating back to 2.6.34; the race window opens when groups_sem is released between the slot-counting and buffer-filling passes of the ioctl, and concurrent block group removal shrinks the actual entry count below the allocated buffer size, causing copy_to_user() to copy trailing uninitialized heap data into userspace. No public exploit has been identified at time of analysis and EPSS exploitation probability is extremely low (0.02%), but patched stable releases are available.
Socket reference count leak in the Linux kernel MPTCP path manager allows a local low-privilege attacker to cause kernel resource exhaustion and denial of service by repeatedly triggering ADD_ADDR retransmission events. Affected versions span from Linux 5.10 through 7.1-rc2, with patches confirmed available in stable releases 6.18.30, 7.0.7, and 7.1-rc3. No public exploit has been identified and EPSS probability is negligible at 0.02%, placing this firmly in routine maintenance priority rather than emergency response.
Local privilege escalation risk in the Linux kernel's ALSA PCM OSS emulation layer stems from an unprotected concurrent access to the runtime.oss.trigger bit field, allowing racing writes to corrupt adjacent bit fields and destabilize sound device state. The flaw affects Linux kernel versions prior to 6.12.88, 6.18.30, and 7.0.7, and was discovered through fuzzing; no public exploit identified at time of analysis, and EPSS scoring (0.02%) indicates negligible probability of opportunistic exploitation.
Kernel panic (ADE - Address Error for Memory access) in the LoongArch-specific PCI fixup function loongson_gpu_fixup_dma_hang() crashes systems that boot with a discrete Loongson GPU whose PCI device ID does not match any handled case in the switch statement. The missing default case causes readl() to be called with a garbage MMIO address derived from uninitialized register state, resulting in a hard kernel panic at boot time (PID 1, swapper/0) and rendering the system unavailable. No public exploit identified at time of analysis, and EPSS is 0.02% (5th percentile), consistent with a hardware-specific local DoS requiring no attacker interaction.
Out-of-bounds heap read in the Linux kernel's SMB client (smb/client) allows a malicious or compromised SMB server to leak adjacent kernel heap memory to a connected Linux client. The flaw lives in smb2_compound_op() where check_wsl_eas() fails to validate that OutputBufferLength fits within iov_len before a memcpy, so a truncated response with an oversized OutputBufferLength and an early-terminated EA list triggers the read past the rsp_iov allocation. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but upstream patches have been merged across multiple stable branches.
Local privilege escalation potential exists in the Linux kernel's sched_ext (SCX) subsystem where a use-after-free condition in cgroup setter operations can be triggered when a BPF scheduler is swapped concurrently with cgroup weight, idle, or bandwidth updates. The flaw affects kernel 6.18 and related stable branches and stems from reading scx_root outside the scx_cgroup_ops_rwsem, allowing a stale pointer to be dereferenced after the previous scheduler is freed via RCU. EPSS is very low (0.02%) and no public exploit is identified at time of analysis.
Memory exhaustion in the Linux kernel's 8021q VLAN subsystem allows a local user with low privileges to cause denial-of-service by repeatedly manipulating VLAN egress QoS priority mappings. The function `vlan_dev_set_egress_priority()` retains cleared priority entries as unreachable tombstones in the kernel hash table across set/clear cycles, accumulating until device teardown and leaking kernel memory. No public exploit exists and EPSS is 0.02% at the 5th percentile, indicating negligible real-world exploitation interest; however, the High availability impact in CVSS reflects potential OOM-triggered system instability on affected hosts.
Concurrency flaw in the Linux kernel's mac80211 WiFi subsystem (versions from 6.4 onward) can cause misrouted or dropped 802.11 frames on adjacent-network attacks. The bug stems from a stray `static` qualifier on the per-invocation `rx_result` in `ieee80211_invoke_fast_rx()`, which is documented as parallel-RX safe but in practice shares a single result variable across concurrent callers. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the CVSS rating of 8.8 reflects strong CIA impact under adjacent-network conditions.
Heap memory disclosure in the Linux kernel usblp USB printer driver allows a local attacker with a malicious USB printer to expose up to 1021 bytes of uninitialized kmalloc heap to userspace. The driver's usblp_cache_device_id_string() blindly trusts a device-supplied 2-byte big-endian length prefix in the IEEE 1284 GET_DEVICE_ID response, leaking stale kernel heap contents via the ieee1284_id sysfs attribute and the IOCNR_GET_DEVICE_ID ioctl. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile) and the vulnerability is not listed in CISA KEV, but vendor patches are confirmed across multiple stable kernel branches.