Skip to main content

Information Disclosure

66681 CVEs technique

Monthly

CVE-2026-46095 MEDIUM PATCH This Month

Race condition in the Linux kernel's md/md-llbitmap subsystem can cause availability loss on systems using software RAID with bitmap tracking. The barrier raise in llbitmap_start_write() and llbitmap_start_discard() occurs after the state machine transition is initiated, creating a window where concurrent state changes proceed without synchronization - potentially crashing the RAID subsystem or rendering an md array unavailable. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (4th percentile) reflects negligible automated exploitation risk. Patches are available across multiple stable kernel branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46094 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's ext4 filesystem driver allows a local attacker to read up to 3 bytes beyond a valid extended-attribute (xattr) region, potentially leaking adjacent kernel memory or crashing the system. The flaw lives in check_xattrs(), where a loose bounds check on the next xattr entry lets IS_LAST_ENTRY() perform a 4-byte read that overruns the buffer when parsing a crafted or corrupted ext4 xattr block. It is not in CISA KEV and no public exploit identified at time of analysis; EPSS is negligible at 0.02% (5th percentile), consistent with a low-impact local memory-safety bug that has already been patched upstream.

Linux Buffer Overflow Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46093 HIGH PATCH This Week

Concurrent execution race in the Linux kernel's mm/vmalloc subsystem allows a local low-privileged attacker to trigger memory corruption or leaks by exercising the vmap_node shrinker simultaneously with lazy vmap purge operations. The flaw stems from unserialized invocation of decay_va_pool_node() between __purge_vmap_area_lazy() and the shrinker path. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the issue is patched upstream in the stable tree.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46091 MEDIUM PATCH This Month

Denial of service in the Linux kernel's igorplugusb infrared remote control driver allows a local low-privileged user to crash the kernel on systems where a compatible USB IR receiver is connected and the host controller performs DMA on control requests. The igorplugusb driver failed to allocate the USB control request structure separately, violating DMA coherency requirements enforced by certain host controllers - an object allocated on the kernel stack or embedded in a larger structure is not guaranteed to be DMA-safe. No public exploit code exists, and EPSS of 0.02% confirms negligible exploitation interest. Vendor-released patches are available across multiple stable branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46090 HIGH PATCH This Week

Local privilege escalation potential via use-after-free in the Linux kernel's ALSA aloop (snd-aloop) driver allows authenticated local users to trigger memory corruption by racing PCM stream close against a peer format-change stop. The flaw stems from snd_pcm_stop() running after cable->lock is dropped, leaving a stale peer substream pointer that can be freed by a concurrent close. Upstream fixes are merged into stable trees (6.12.88, 6.18.27, 7.0.4, 7.1-rc2); no public exploit identified at time of analysis and EPSS is very low at 0.02%.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46089 MEDIUM PATCH This Month

The zram compressed-RAM block device driver in the Linux kernel hangs processes indefinitely when partial discard requests are submitted on systems where the discard granularity is smaller than the system page size (e.g., 4K discards on ARM64 systems with 64K pages). The driver correctly identifies partial discards as unsupported and returns early, but omits calling bio_endio(), leaving submit_bio_wait() blocked forever. Exploitation requires local access to a zram device with low privileges; no public exploit exists and EPSS is 0.02%, consistent with a niche local denial-of-service. Patches are available across multiple stable kernel branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46088 MEDIUM PATCH This Month

Kernel panic via exhausted buffer in the ALSA control subsystem affects Linux kernel builds compiled with CONFIG_FORTIFY_SOURCE and Clang, allowing a local low-privileged user to crash the system. The function snd_ctl_elem_init_enum_names() fails to guard against a zero buf_len before invoking strnlen(), and Clang's fortified strnlen fires a BRK exception when it cannot determine the object size of the advanced pointer p inside the loop - panicking the kernel before the intended error-path return. Discovered through kernel fuzz testing on Xiaomi Smartphone hardware; no public exploit and no KEV listing; EPSS is 0.02%.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46087 MEDIUM PATCH This Month

Memory leak in the Linux kernel's DAMON statistics subsystem (mm/damon/stat) causes kernel memory exhaustion when damon_start() fails during damon_stat_start(). The allocated DAMON context is never freed on the failure path, and the stale global pointer is overwritten on each subsequent enable attempt, making prior allocations permanently unreachable. Exploitation requires local access with low privileges, yields high availability impact (A:H) via progressive kernel memory exhaustion, and no public exploit or active exploitation has been identified at time of analysis.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46085 HIGH PATCH This Week

Remote denial-of-service in the Linux kernel rxrpc subsystem (rxkad authentication) allows unauthenticated network attackers to crash vulnerable hosts by sending packets with misaligned crypto length fields. The flaw stems from improper handling of decryption errors and a remotely-triggerable WARN_ON_ONCE() in the rxkad packet processing path. EPSS scoring is very low (0.02%) and no public exploit identified at time of analysis, but the CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) rating reflects the unauthenticated remote availability impact.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-46084 HIGH PATCH This Week

Use-after-free in the Linux kernel's RDMA mana_ib driver (Microsoft Azure Network Adapter) lets a local user trigger stale firmware RX steering after destroying an RSS QP, so incoming completions land on reused CQ IDs and corrupt kernel state. It affects Linux deployments on Azure VMs using MANA with RDMA/DPDK; an attacker who can create and destroy RSS QPs (e.g., via a DPDK application exit while a peer keeps transmitting) can drive completions onto TX CQs and crash or corrupt the driver. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%, 5th percentile), indicating low real-world exploitation likelihood.

Memory Corruption Linux Use After Free Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46083 MEDIUM PATCH This Month

Resource leak in the Linux kernel SPI subsystem allows a local low-privileged attacker to exhaust kernel resources and cause denial of service. The flaw affects multiple stable kernel branches (5.4.x through 7.x) and occurs when spi_setup() fails during SPI device registration, leaving resources allocated by setup() unreleased because the controller cleanup() callback is never invoked on the error path. No public exploit exists and EPSS sits at 0.02% (5th percentile), indicating very low real-world exploitation probability; this is a stability fix appropriate for routine patching rather than emergency response.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46078 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's EROFS filesystem driver allows a local attacker to crash the system or potentially leak kernel memory by mounting a crafted EROFS image. The flaw stems from missing validation of the trailing dirent nameoff field, which can underflow during strnlen() and cause reads beyond the directory block. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a vendor patch is available across multiple stable kernel branches.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46077 MEDIUM PATCH This Month

Incorrect DMA synchronization direction in the Linux kernel's atmel-tdes crypto driver exposes systems running on non-coherent cache architectures to stale cache data reads. The atmel-tdes driver incorrectly calls dma_sync_single_for_device() instead of dma_sync_single_for_cpu() before the CPU consumes DMA output, causing cache invalidation to be skipped on non-coherent platforms (typically ARM-based Atmel/Microchip SoCs). This means the CPU may read stale cached data rather than actual DES/3DES operation output, producing incorrect cryptographic results and potential information exposure from prior cache contents. No public exploit exists and EPSS is 0.02%, but hardware-platform specificity limits real-world reach significantly.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46076 HIGH PATCH This Week

Privilege escalation and denial of service in the Linux kernel's nested SVM (nSVM) virtualization subsystem allows an L2 guest to issue VMMCALL hypercalls as if it were L1 when nested_svm_l2_tlb_flush_enabled() is true, L1 does not intercept VMMCALL, and the hypercall is not a supported Hyper-V call. The fix forces KVM to synthesize a #UD exception in this scenario, matching architectural behavior; no public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.9
EPSS
0.0%
CVE-2026-46075 HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's atmel-sha204a crypto driver allows an attacker who can remove or unbind the device to trigger a use-after-free during the driver teardown path. The flaw stems from failing to unregister the hwrng and flush the Atmel I2C workqueue before teardown, letting a queued ->read() callback execute against freed state, and an early return that also leaks the hwrng.priv allocation. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, so this is a defense-in-depth hardening fix rather than an urgent emergency.

Memory Corruption Linux Use After Free Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46074 MEDIUM PATCH This Month

Memory leak and potential use-after-free in the Linux kernel's spi-ch341 USB driver expose systems to local denial-of-service when CH341 device probe failures occur without proper resource cleanup. Kernels from the commit introducing the spi-ch341 driver (8846739f52afa07e63395c80227dc544f54bd7b1) through the respective stable-branch fix commits across the 6.11 through 7.0 lineages are affected. Repeated probe failures accumulate leaked kernel memory that can exhaust system resources; no active exploitation is identified (EPSS 0.02%, no CISA KEV listing), placing this firmly in the maintenance-priority rather than incident-response category.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46073 MEDIUM PATCH This Month

Linux kernel's hwmon powerz USB power meter driver fails to cancel an in-flight USB Request Block (URB) when a process is interrupted by a signal mid-read, resulting in reads from an unfilled DMA transfer buffer that can cause denial of service and potentially expose stale kernel buffer contents. Affected since commit 4381a36abdf1c5c0323c1c51f869dc000115eb20 and patched in stable releases 6.12.86, 7.0.4, and 6.18.27. No public exploit exists and EPSS is 0.02% (5th percentile), reflecting both the niche hardware dependency and strictly local attack surface; this issue is not listed in CISA KEV.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46072 MEDIUM PATCH This Month

Out-of-bounds heap read in the Linux kernel ntfs3 driver's run_unpack() function allows a local user to crash the kernel by mounting a crafted NTFS image. The flaw affects multiple stable kernel branches from 5.15 onward, where run list parsing in MFT attributes consumes up to 15 bytes beyond the valid buffer boundary without checking remaining buffer size. No public exploit code exists and EPSS sits at 0.02% (5th percentile), but the local denial-of-service impact is A:H and patches are available across all affected stable branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46071 MEDIUM PATCH This Month

KVM nested SVM (AMD virtualization) in the Linux kernel incorrectly marks VMCB_LBR dirty in the guest's vmcb12 during nested VM exit processing, triggering architecturally undefined behavior that results in hypervisor availability loss. Affected are Linux kernels from 5.19 through versions preceding the stable-branch patches at 6.18.27 and 7.0.4. A low-privileged local attacker operating within a nested virtual machine on an AMD SVM-capable host can exploit this to crash or destabilize the host KVM layer. No public exploit and no CISA KEV listing exist; EPSS sits at 0.02% (4th percentile), confirming negligible opportunistic exploitation probability.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46069 HIGH PATCH This Week

Use-after-free in the Linux kernel's mwifiex Wi-Fi driver (Marvell) occurs during adapter teardown: mwifiex_adapter_cleanup() calls the non-synchronous timer_delete() on the wakeup_timer, so a still-running wakeup_timer_fn callback can dereference adapter fields (hw_status, if_ops.card_reset) after mwifiex_free_adapter() frees them along the card-removal path. A local attacker who can trigger device removal while the timer fires could corrupt freed kernel memory, enabling privilege escalation or denial of service. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%, 5th percentile), and the fix (timer_delete_sync()) is merged into stable releases.

Memory Corruption Linux Use After Free Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46067 HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's DAMON (Data Access MONitor) subsystem allows a local user with access to the DAMON sysfs interface to read out-of-bounds kernel memory or crash the system. The flaw exists because mm/damon/core failed to validate the user-supplied node ID (damos_quota_goal->nid) before using it in NODE_DATA() for the node_memcg_used_bp and node_memcg_free_bp quota goal metrics. The kernel description includes a working reproduction using the user-space 'damo' tool, but no public weaponized exploit and no active exploitation (CISA KEV) have been reported; EPSS is negligible at 0.02%.

Linux Buffer Overflow Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46065 HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel fbdev deferred I/O subsystem allows local low-privileged users to trigger undefined behavior when a framebuffer device is hot-unplugged while user space retains an active memory mapping. The flaw stems from improper lifetime management between struct fb_info and deferred I/O state, leading to use-after-free conditions with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46064 HIGH PATCH This Week

Out-of-bounds heap read in the Linux kernel's ibmasm driver (the IBM Advanced System Management service-processor interface) lets a local privileged user leak adjacent kernel heap memory. The ibmasm_send_i2o_message() function trusts user-controlled command_size and data_size header fields to size a memcpy_toio() without validating them against the real allocation, so a small buffer with inflated header values forces a read of up to ~65 KB past the allocation, which is then forwarded to the service processor over MMIO. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis.

Linux Buffer Overflow Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46063 MEDIUM PATCH This Month

Deadlock in the Linux kernel's x86 Control-flow Enforcement Technology (CET) shadow stack implementation can be triggered by a local unprivileged user during signal return, causing a kernel hang and denial of service. The flaw exists in x86 SMP kernels with PER_VMA_LOCK configured where X86_USER_SHADOW_STACK is enabled: holding the mmap read lock while reading the shadow stack signal frame during sigreturn allows a recursive lock acquisition attempt that deadlocks when a concurrent mmap writer is waiting on another CPU. No public exploit has been identified at time of analysis and EPSS exploitation probability is extremely low at 0.02% (5th percentile), but the availability impact is high on affected systems with shadow stack enabled.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46061 MEDIUM PATCH This Month

Deadlock in the Linux kernel jbd2 journal subsystem can hang filesystems and render systems unresponsive when filesystem blocksize is smaller than the system pagesize. Introduced by commit f76d4c28a46a, the flaw breaks the required folio-then-buffer lock ordering in jbd2_journal_cancel_revoke(), causing an ABBA deadlock between concurrent filesystem journal operations and block device writeback. No public exploit is identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with a race-condition kernel bug requiring a non-default configuration that is unlikely to be deliberately weaponized.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46060 MEDIUM PATCH This Month

IRQ handler cleanup failure in the Linux kernel Intel QAT (Quick Assist Technology) crypto driver for 6xxx-series devices causes kernel resource leaks and availability impact when device probe partially fails. The flaw manifests during adf_dev_up() failure: because pcim_enable_device() registers pcim_msi_release() as a devres action that runs in LIFO order, MSI-X vectors are torn down while IRQ handlers such as 'qat0-bundle0' are still attached, producing remove_proc_entry() warnings and leaking procfs entries. No public exploit has been identified at time of analysis, and EPSS at 0.02% (4th percentile) confirms negligible exploitation interest; impact is limited to systems that physically host Intel QAT 6xxx accelerator cards.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46057 LOW PATCH Monitor

Landlock LSM's credential transfer hook in the Linux kernel silently drops the LOG_SUBDOMAINS_OFF audit-muting flag across fork() boundaries, breaking the documented sandboxing pattern where a parent process suppresses subdomain audit logs before spawning sandboxed children. Affected kernels from commit ead9079f75696 onward across the 6.15, 6.18, and 7.x stable branches allow child processes to emit unexpected Landlock audit records the operator explicitly intended to suppress. No public exploit identified at time of analysis; EPSS is 0.02% (4th percentile), and this is a logic correctness defect rather than a privilege-escalation or data-exfiltration path.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-46056 HIGH PATCH This Week

Use-after-free in the Linux kernel Bluetooth subsystem (hci_event) allows an adjacent attacker within Bluetooth range to potentially achieve memory corruption against vulnerable hosts during SSP pairing. The flaw stems from missing hdev locking in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), where an hci_conn structure can be freed concurrently while still in use. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%).

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-46054 HIGH PATCH This Week

Local privilege-bounded information disclosure and integrity compromise in the Linux kernel's SELinux module affects overlayfs mounts where mmap() and mprotect() operations bypass the intended dual-credential access checks. A local authenticated user with access to an overlayfs top-level (user) file can map or change protections on backing files without the mounter's credentials being properly evaluated, undermining the SELinux overlayfs security model. EPSS is very low (0.02%, 5th percentile) and no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46053 HIGH PATCH This Week

Local privilege escalation risk in the Linux kernel's RDS (Reliable Datagram Sockets) subsystem stems from a double-free condition in __rds_rdma_map() when a put_user() copy of the MR cookie fails after get_mr() has transferred sg/pages ownership to the transport. A local authenticated attacker triggering this race or fault path could cause memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis and EPSS is low at 0.02%, but a vendor-released patch is available across multiple stable branches.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46052 HIGH PATCH This Week

Denial of service in the Linux kernel Ceph client allows local users with access to a Ceph-mounted filesystem to trigger d_hash list corruption and RCU stalls by inducing path lookups against reused cached negative dentries. The flaw stems from fs/ceph/dir.c calling d_add(dentry, NULL) on already-hashed negative dentries, creating self-loops in the hlist_bl bucket that cause __d_lookup() to spin indefinitely. EPSS is 0.02% (5th percentile) and no public exploit identified at time of analysis, but the bug has been reproduced organically in production (RCU stall on a Dell PowerEdge R7615 running 6.18.17).

Linux Amd Information Disclosure Dell
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-46049 MEDIUM PATCH This Month

Infinite loop denial-of-service in the Linux kernel ALSA ctxfi audio driver allows a local low-privileged user to hang the kernel by triggering S/PDIF passthrough playback at 32000 Hz on Creative Sound Blaster X-Fi hardware. The root cause is an uninitialized `pll_rate` field that causes a resource-calculation loop to never exit, consuming CPU indefinitely and degrading or halting system availability. No public exploit exists and the EPSS score of 0.02% (5th percentile) confirms negligible real-world exploitation pressure; the vulnerability is not listed in CISA KEV.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46048 MEDIUM PATCH This Month

USB device reference count leak in the Linux kernel ALSA CAIAQ driver allows a local attacker with access to USB hardware to trigger kernel memory exhaustion. The flaw exists because usb_get_dev() is called in create_card() but its matching usb_put_dev() is only installed as a destructor late in init_card(), leaving it unreachable on all intermediate failure paths. Syzbot has reproduced the issue using a malformed UAC3 USB audio device, and patches are available across all affected stable kernel branches. No public exploit has been identified at time of analysis, and EPSS is negligible at 0.02%.

Microsoft Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46047 HIGH PATCH This Week

Use-after-free in the Linux kernel's QRTR (Qualcomm IPC Router) name service driver remove path allows local low-privileged users to corrupt memory and potentially escalate privileges. The flaw occurs because qrtr_ns_data_ready() can queue work to a workqueue that has already been destroyed during driver teardown, dereferencing freed memory. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the fix has landed across multiple stable kernel trees.

Linux Use After Free Memory Corruption Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46046 MEDIUM PATCH This Month

Missing brelse() in the ext4 filesystem's ext4_xattr_inode_dec_ref_all() function causes a buffer head refcount leak that can degrade system availability on affected Linux kernel versions. Introduced by commit c8e008b60492 (

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46044 MEDIUM PATCH This Month

Resource leak in the Linux kernel IPMI SSIF driver leaves an orphaned kernel thread running when driver initialization fails mid-sequence. Systems with SSIF-capable IPMI hardware (BMC connected via SMBus/I2C) running unpatched kernels are affected across multiple stable branches. If initialization errors occur after the ssif kthread is spawned but before the IPMI core starts the interface, the thread is never stopped, degrading system availability over time. No public exploit exists and EPSS is 0.02% (4th percentile), making this a routine patch-cycle item rather than an emergency; fixes are confirmed in stable kernel releases 6.18.27 and 7.0.4.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46043 CRITICAL PATCH Act Now

Remote denial of service and potential memory corruption in the Linux kernel's RDMA Software RoCE (rxe) driver allows network attackers to send malformed RDMA packets that bypass length validation in rxe_rcv(). Affected systems with the rxe module loaded and reachable on the network can experience integer underflow in payload_size() due to an attacker-controlled BTH pad field, leading to negative values being passed to downstream receive-path handlers. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the CVSS 9.1 rating reflects the unauthenticated network attack surface where rxe is exposed.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-46042 MEDIUM PATCH This Month

Two kernel heap memory leaks in Linux kernel's weighted interleave NUMA memory policy subsystem allow a local low-privilege user to exhaust kernel memory and cause denial of service. The `weighted_interleave_auto_store()` function in `mm/mempolicy.c` fails to free `new_wi_state` on an early-return path and fails to free the old state object when overwritten via `rcu_assign_pointer()` when processing 'true' writes, because `old_wi_state` is only fetched inside the wrong conditional branch. The second leak is trivially automatable - any authorized sysfs writer can loop-write '1' indefinitely to drive the system into OOM - though no public exploit exists and EPSS sits at a negligible 0.02%.

Linux Information Disclosure IBM Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46041 MEDIUM PATCH This Month

Denial-of-service via kernel panic in the Linux kernel's greybus gb-beagleplay driver allows a local low-privileged user to crash the system by triggering an illegal sleep-in-atomic-context condition. The greybus HDLC TX path calls usleep_range() inside hdlc_append() while the tx_producer_lock spinlock is held, violating the fundamental Linux kernel rule that sleeping is forbidden in atomic context and triggering a 'BUG: scheduling while atomic' kernel oops. No public exploit has been identified at time of analysis, and EPSS at 0.02% (5th percentile) reflects the hardware-specific and local-access-only nature of this flaw. The input tag 'Information Disclosure' appears to be a misclassification - the actual impact is exclusively availability (kernel crash), consistent with the CVSS vector's A:H/C:N/I:N ratings.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46040 MEDIUM PATCH This Month

Resource accounting exhaustion in the Linux kernel's inotify subsystem allows a local low-privileged user to permanently leak watch counts by repeatedly triggering a failure path in inotify_new_watch() that increments the per-namespace watch counter without a corresponding decrement. Over time this exhausts the max_user_watches limit, causing all subsequent inotify watch creation within the namespace to fail with -ENOSPC even when no watches are genuinely active, constituting a local denial-of-service against inotify-dependent applications. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects very low real-world exploitation probability with no CISA KEV listing.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46038 MEDIUM PATCH This Month

Memory exhaustion in the Linux Kernel's QRTR (Qualcomm IPC Router) nameserver subsystem exposes local, low-privileged users to a denial-of-service condition. The `ctrl_cmd_bye()` function, triggered when a QRTR node sends a BYE shutdown packet, fails to remove the node from the Xarray structure or release the associated memory - resulting in a persistent kernel memory leak (CWE-401). Affected systems are Linux kernels from 5.7 through multiple stable branches, with fixes backported to 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. No active exploitation is confirmed (not in CISA KEV), and EPSS sits at 0.02% (5th percentile), indicating minimal real-world threat at this time.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46037 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's IPv4 ICMP handling allows remote attackers to trigger denial of service and potential information disclosure by sending crafted ICMP Extended Echo Reply packets. The flaw stems from the kernel consulting the icmp_pointers[] array with reply types (ICMP_EXT_ECHOREPLY) that fall outside its bounded range (NR_ICMP_TYPES). No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but the network attack vector and high availability impact make patching a priority for exposed Linux hosts.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-46036 HIGH PATCH This Week

Local privilege escalation in the Linux kernel's vfio/cdx (Composable DMA-capable eXtension) driver allows a process with access to a VFIO device file descriptor to trigger a use-after-free of the cdx_irqs array via concurrent VFIO_DEVICE_SET_IRQS ioctls. The race in vfio_cdx_set_msi_trigger() can be exploited by a local low-privileged attacker for memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis and EPSS is very low (0.02%, 5th percentile).

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46035 MEDIUM PATCH This Month

Lock re-entrancy corruption in the Linux kernel's mm/page_alloc subsystem affects uniprocessor (UP/!CONFIG_SMP) builds, allowing freelist corruption that crashes the kernel. On UP kernels, spin_trylock() is a compile-time no-op that unconditionally succeeds; when alloc_frozen_pages_nolock() is invoked from NMI context, it re-enters rmqueue() and acquires the zone lock already held by the interrupted context, corrupting the page allocator's freelists. No public exploit exists and EPSS sits at the 4th percentile (0.02%), consistent with the narrow scope: only non-default UP kernel builds on specific kernel versions are affected, making this a targeted stability concern for embedded or legacy uniprocessor deployments rather than a broad production threat.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46033 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's crypto authencesn AEAD wrapper allows a local user with AF_ALG access to trigger memory disclosure and possible denial of service by instantiating an authencesn transform built on an ahash whose digest size is 1-3 bytes (for example cbcmac(cipher_null)). The flaw stems from crypto_authenc_esn_create() failing to validate the inner digest size, letting an invalid default authsize bypass the existing setauthsize() check. No public exploit identified at time of analysis and EPSS probability is negligible (0.02%), but the upstream fix is shipping across multiple stable trees.

Linux Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46031 HIGH PATCH This Week

Denial of service in the Linux kernel ks8851 Ethernet driver allows a deadlock condition when handling concurrent IRQ and TX softirq processing on systems using the Micrel KS8851 MAC/PHY chip. The flaw manifests when the IRQ handler executes netdev_alloc_skb_ip_align() with bottom-halves enabled, triggering pending softirq processing that re-enters the driver's xmit path and attempts to re-acquire an already-held spinlock. EPSS scores this at 0.02% (5th percentile) and no public exploit identified at time of analysis, consistent with a local hardware-dependent stability bug rather than a remotely weaponizable vulnerability.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-46030 MEDIUM PATCH This Month

Memory leak in the Linux kernel's EDAC/versalnet driver (mc_probe()) results in unreleased device_node references, enabling local low-privileged users to cause kernel memory exhaustion and availability degradation on AMD/Xilinx Versal SoC systems. The root cause is a missing of_node_put() call on all exit paths of mc_probe(), with the fix applied across stable branches including 6.18.27 and 7.0.4. No public exploit or CISA KEV listing exists, and EPSS sits at 0.02% (4th percentile), reflecting minimal active exploitation risk.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46029 HIGH PATCH This Week

Slab allocator corruption in the Linux kernel's mm/slab subsystem allows local low-privileged users on uniprocessor (UP, !CONFIG_SMP) builds to potentially corrupt kernel memory state when kmalloc_nolock() is invoked from NMI context. The flaw stems from spin_trylock() being a no-op on UP kernels, allowing re-entry into the slab allocator while n->list_lock is already held by the interrupted context. EPSS is very low (0.02%) and no public exploit has been identified at time of analysis, though an upstream patch is available.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-46028 MEDIUM PATCH This Month

Race condition in the Linux kernel's AF_ALG AEAD AIO interface allows a local low-privileged user to trigger a denial of service by exploiting shared socket-wide IV buffer state across concurrent asynchronous AEAD requests. The algif_aead subsystem fails to snapshot the Initialization Vector into per-request storage before dispatching async operations, meaning any concurrent socket activity that updates the shared IV can corrupt an in-flight request before it completes. No public exploit has been identified and EPSS is extremely low at 0.02% (7th percentile); vendor-released patches are available across all supported stable kernel branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46027 HIGH PATCH This Week

Denial-of-service in the Linux kernel's SMC (Shared Memory Communications) networking subsystem allows remote attackers to crash the kernel by sending a CLC decline message during the early stage of an SMC handshake before the connection is associated with a link group. The flaw, tracked as EUVD-2026-32408, stems from smc_clc_wait_msg() accessing link-group sync state that does not yet exist at that point in the handshake. No public exploit identified at time of analysis and EPSS probability is very low (0.02%, 5th percentile), but the network attack vector and high availability impact warrant patching on systems that use SMC.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-46026 MEDIUM PATCH This Month

Uncontrolled resource consumption in the Linux kernel's QRTR (Qualcomm IPC Router) nameserver module allows a local authenticated user to exhaust nameserver resources by flooding it with unbounded NEW_LOOKUP messages over a single socket. The affected subsystem (net/qrtr/ns) restricted lookups to local clients but imposed no count limit, enabling a sustained denial-of-service against QRTR-dependent inter-process communication on Qualcomm SoC platforms. No public exploit has been identified and EPSS stands at 0.02% (5th percentile), placing this firmly in the low real-world priority tier despite its High availability impact rating.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46025 MEDIUM PATCH This Month

Deadlock and memory leak in the Linux kernel DAMON subsystem arise from a race condition between damon_call() request registration and kdamond_fn() thread exit, affecting systems using the Data Access MONitor (DAMON) API. A local low-privileged process can trigger the race at precisely the moment a kdamond thread is terminating - causing the calling thread to wait indefinitely for a handler that has already exited, resulting in a kernel-level availability denial. No active exploitation is confirmed (EPSS 0.02%, not in CISA KEV), and the high attack complexity required to win the race significantly constrains real-world risk.

Race Condition Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-46022 HIGH PATCH This Week

Out-of-bounds MMIO read in the Linux kernel's ibmasm (IBM Advanced System Management) misc driver allows a compromised IBM service processor to read 8 bytes from unintended device registers or trigger a machine check exception (system crash) by writing an out-of-range queue reader/writer index before asserting an interrupt. The flaw resides in ibmasm_handle_mouse_interrupt() where raw readl() values are passed unchecked to get_queue_entry(), and is fixed by bounds-checking both indices against REMOTE_QUEUE_SIZE (60). No public exploit identified at time of analysis, and EPSS probability is negligible at 0.02%.

Linux Information Disclosure Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46021 MEDIUM PATCH This Month

Two related memory-management defects in the Linux kernel thermal zone governor subsystem expose local low-privileged users to system availability loss. The first is a memory leak (CWE-401) in the registration error path of thermal_zone_device_register_with_trips(), which fails to remove an attached governor when registration fails mid-way. The second, and more critically impactful, is a race condition in thermal_zone_device_unregister(), which calls thermal_set_governor() without first acquiring the thermal zone lock - permitting a concurrent sysfs-based governor update to produce a use-after-free, which can trigger a kernel panic. No public exploit code exists and EPSS is 0.02% (5th percentile); vendor-released patches are available across multiple stable kernel branches including 6.6.140, 6.12.86, 6.18.27, and 7.0.4.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46020 HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's DAMON (Data Access MONitor) subsystem allows privileged local users to crash the kernel by supplying arbitrary node IDs to damos_quota_goal via DAMON_SYSFS. Affecting Linux 6.16 and fixed in 6.18.27, 7.0.4, and 7.1-rc1, the flaw stems from missing validation before si_meminfo_node()/NODE_DATA() lookups and is reproducible with the upstream 'damo' user-space tool. No public exploit identified at time of analysis and EPSS is very low at 0.02%.

Denial Of Service Linux Information Disclosure Buffer Overflow Red Hat +1
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46019 MEDIUM PATCH This Month

The atmel-aes crypto driver in the Linux kernel leaks 3 pages of kernel memory per cleanup cycle due to a mismatch between allocation and deallocation functions: atmel_aes_buff_init() allocates 4 contiguous pages via __get_free_pages() with ATMEL_AES_BUFFER_ORDER, but atmel_aes_buff_cleanup() frees only a single page via free_page() instead of the correct free_pages(). Systems running on Atmel/Microchip ARM SoC hardware with this driver loaded are vulnerable to gradual kernel memory exhaustion leading to denial of service. No public exploit code exists and no active exploitation has been confirmed; the EPSS score of 0.02% (5th percentile) reflects the extremely narrow hardware-specific attack surface, and vendor-released patches are available across multiple stable kernel branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46018 MEDIUM PATCH This Month

Availability degradation in the Linux kernel ALSA USB audio subsystem allows a local attacker with a crafted UAC2 USB audio device to trigger an unbounded parsing loop that holds register_mutex while repeatedly flooding the kernel log with error messages. Affected systems running snd-usb-audio on multiple stable kernel branches from 3.x through 7.0 are exposed to denial-of-service via mutex contention during USB device probe. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (6th percentile) reflects minimal threat actor interest; no CISA KEV listing exists.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46017 MEDIUM PATCH This Month

Race condition in the Linux kernel memory management subsystem during large-folio migration can cause kernel availability disruption on SMP/NUMA systems. The flaw in migrate_folio_move() causes a destination folio to become visible to concurrent rmap-removal paths before being requeued onto the deferred split queue, triggering a kernel WARN in deferred_split_folio() or silently losing a folio from split_queue when the shrinker races the migration lock. With no public exploit, no CISA KEV listing, and an EPSS of 0.02%, this is a low real-world risk issue primarily relevant to HPC, virtualization, and database workloads with heavy NUMA migration activity.

Nvidia Race Condition Linux Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-46015 HIGH PATCH This Week

Race condition and missed wake-up in the Linux kernel TCP listener migration path (SO_REUSEPORT) allows local low-privileged attackers to cause hangs and potentially exploit a use-after-free on listener sockets. Affects kernels from 5.14 up to versions fixed in 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. No public exploit identified at time of analysis, and EPSS is very low (0.02%).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46014 MEDIUM PATCH This Month

Broken LBR MSR save/restore in the Linux kernel KVM/SVM subsystem allows a low-privileged local attacker to cause high-impact availability failures in virtualized environments running on AMD SVM hardware. MSR_IA32_DEBUGCTLMSR and Last Branch Record (LBR) MSRs are not enumerated by KVM_GET_MSR_INDEX_LIST and cannot be set via KVM_SET_MSRS, meaning VM state is not correctly preserved across save/restore or live migration cycles, particularly when L2 guests are running. No public exploit has been identified at time of analysis, and EPSS of 0.02% indicates very low exploitation probability, but the flaw affects a foundational hypervisor state management path on production AMD virtualization infrastructure.

Linux Information Disclosure Intel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46013 MEDIUM PATCH This Month

Incorrect physical address conversion in the Linux kernel's mm/memfd_luo subsystem can crash the kernel when the put_folios error-cleanup path executes during memfd Live Update Object (LUO) operations. The cleanup passes a raw Page Frame Number (PFN) where kho_restore_folio() requires a phys_addr_t, and a missing sparse-hole guard (pfn==0) risks misprocessing file holes. No public exploit identified at time of analysis; EPSS of 0.02% (5th percentile) and absence from CISA KEV confirm very low real-world exploitation probability, with impact confined to local denial of service on systems running the experimental KHO/LUO subsystem.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46011 HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's MediaTek JPEG (mtk-jpeg) media driver allows a local user with access to the device to trigger a use-after-free condition. The flaw occurs in mtk_jpeg_release() which frees the context structure without first cancelling pending workqueue items, creating a race window during device close where the worker thread accesses freed memory. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%, but the bug is fixed across multiple stable trees.

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46010 HIGH PATCH This Week

Memory exhaustion handling flaw in the Linux kernel's rxrpc/rxgk subsystem allows network-adjacent attackers to potentially trigger unsafe code paths when rxgk_decrypt_skb() returns -ENOMEM during RxGSS-Kerberos token extraction. Affected kernels include the 6.17 series and specific commits in 6.16.9 onward, fixed in upstream commits and stable backports targeting 6.18.27 and 7.1-rc1. No public exploit identified at time of analysis, and EPSS is very low (0.02%) despite the 8.1 CVSS score.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-46009 MEDIUM PATCH This Month

Duplicate resource teardown in the Linux kernel's PCI endpoint NTB (Non-Transparent Bridge) driver causes a kernel oops when link state transitions fail or complete, enabling a local low-privileged user to crash the kernel. The `epf_ntb_epc_destroy()` helper performs teardown that its callers also execute, resulting in a double-free-class condition. No public exploit code exists and no active exploitation has been confirmed (not in CISA KEV); the EPSS score of 0.02% at the 5th percentile reflects extremely low observed exploitation probability.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46008 MEDIUM PATCH This Month

Deadlock in Linux kernel DAMON (Data Access Monitor) subsystem allows a local low-privileged user or kernel code path to cause an indefinite thread hang in the mm/damon/core module via a race condition between damos_walk() request registration and kdamond_fn() exit sequencing. Systems running Linux kernels from commit bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61 through the patch commits are affected, with availability as the sole impact (CVSS C:N/I:N/A:H). No public exploit identified at time of analysis, and EPSS probability is 0.02% (5th percentile), indicating negligible real-world exploitation interest.

Race Condition Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-46007 MEDIUM PATCH This Month

Cache coherency violation in the Linux kernel hwmon powerz driver allows a local low-privileged user to crash the kernel on architectures where DMA buffer cacheline aliasing with adjacent kernel structures (here, a mutex) produces undefined behavior. Affected systems must have the powerz USB hardware monitor driver loaded and the specific hardware attached. No public exploit code exists and EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation activity; nonetheless the kernel availability impact (system crash) is concrete once triggered on a vulnerable architecture.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46005 MEDIUM PATCH This Month

Resource leak in the Linux kernel's XFS subsystem fails to release a DAX (Direct Access) device reference in the error path of xfs_alloc_buftarg(), leaving a dangling reference that prevents proper cleanup of persistent memory devices. Systems running XFS on DAX-capable persistent memory hardware are affected, spanning multiple stable kernel branches prior to the fix commits documented in EUVD-2026-32302. No public exploit identified at time of analysis, and an EPSS score of 0.02% (5th percentile) confirms negligible exploitation interest; patches are confirmed available across Linux 6.6.x, 6.12.x, 6.18.x, 7.0.x, and 7.1-rc1.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46004 HIGH PATCH This Week

Use-after-free in the Linux kernel ALSA caiaq USB audio driver allows local code execution when the device probe path encounters an error during setup_card(). The setup_card() function previously ignored failures from snd_card_register() and continued executing, leaving freed card structures accessible to subsequent initialization calls such as snd_usb_caiaq_control_init(). No public exploit identified at time of analysis, and EPSS is low at 0.02% (5th percentile), consistent with the local attack vector and narrow hardware-driver scope.

Linux Use After Free Memory Corruption Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46003 MEDIUM PATCH This Month

Memory exhaustion in the Linux kernel QRTR nameserver allows a local low-privileged attacker to crash the system by registering an unbounded number of QRTR nodes, consuming all available kernel heap memory. Affected kernels span from the commit introducing the QRTR nameserver without node limits (approximately Linux 5.7, commit 0c2204a4ad710d95d348ea006f14ba926e842ffd) through to patched stable releases 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. With an EPSS of 0.02% (5th percentile), no CISA KEV listing, and no public exploit identified at time of analysis, current exploitation risk is low - however, teams managing Qualcomm SoC-based embedded or mobile Linux deployments should treat this as a targeted patch priority given the trivial attack complexity (AC:L) once local access is obtained.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46002 MEDIUM PATCH This Month

The ext2 filesystem driver in the Linux kernel allows a local user to trigger kernel WARN_ON panics by mounting a crafted ext2 image containing an inode with zero link count (i_nlink=0), non-zero mode, and zero deletion timestamp - a combination that bypasses the incomplete corruption check in ext2_iget() and reaches drop_nlink() in an invalid state. Discovered by the Linux Verification Center using Syzkaller fuzzing, the flaw affects Linux kernel versions from 2.6.12 through multiple stable branches and results in denial of service via kernel instability. No public exploit exists and no KEV listing; EPSS is negligible at 0.02%, consistent with the local access requirement and specialized image-crafting prerequisite.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46000 MEDIUM PATCH This Month

The rxrpc connection-level packet handler in the Linux kernel modifies RESPONSE packet data in-place within a potentially shared sk_buff, exposing decrypted rxrpc authentication material to co-attached packet sniffers and risking kernel instability when a cloned buffer is written without unsharing. Systems running the rxrpc subsystem (primarily AFS clients and servers) from kernel 2.6.22 onward through the affected stable branches are vulnerable. No public exploit exists and EPSS sits at 0.02% (5th percentile) with no CISA KEV listing, indicating minimal real-world exploitation pressure; patches are confirmed across stable branches 6.6.140, 6.12.88, 7.0.4, 6.18.27, and 7.1-rc1.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45999 HIGH PATCH This Week

Local denial of service and potential information disclosure in the Linux kernel's EROFS filesystem affects versions from 5.13 through pre-patch releases, where a crafted EROFS image triggers an unsigned integer underflow in z_erofs_lz4_handle_overlap(). When a malicious image is mounted and a file is read, the LZ4 inplace decompression path wraps the 'outpages - inpages' calculation to a huge value and reads past the decompressed_pages array. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but a reproducible proof-of-concept image is embedded in the upstream commit message.

Linux Information Disclosure Integer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-45998 HIGH PATCH This Week

Use-after-free in the Linux kernel's rxrpc (AF_RXRPC) networking subsystem allows local attackers with low privileges to trigger memory corruption when skb_unshare() fails during packet input handling. Affected Linux kernel versions from 6.2 up to the fixed releases can be exploited to cause a NULL-pointer oops and potentially escalate privileges or crash the system. No public exploit identified at time of analysis; EPSS is very low (0.02%) and the issue is not present in CISA KEV.

Linux Use After Free Memory Corruption Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45997 MEDIUM PATCH This Month

Reference count leak in the Linux kernel SCSI disk driver (drivers/scsi/sd.c) allows a local low-privileged user to cause kernel resource exhaustion and system crash. In sd_probe(), when device_add(&sdkp->disk_dev) fails, the cleanup path correctly invokes put_device() triggering scsi_disk_release() to free the scsi_disk structure, but omits the corresponding put_disk(gd) call - leaving the gendisk object with an unreleased reference. This asymmetry with the device_add_disk() error path means repeated probe failures accumulate reference leaks that can exhaust kernel memory and deny service. No public exploit has been identified and EPSS probability is 0.02% (5th percentile), consistent with a stability fix rather than an attacker-targeted flaw.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45996 HIGH PATCH This Week

Use-after-free in the Linux kernel's i.MX SPI driver (spi-imx) can be triggered when the driver is unbound, allowing a local privileged user to corrupt kernel memory and potentially escalate to full kernel code execution. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a kernel-level UAF with high CIA impact warrants prompt patching on affected i.MX-based systems.

Linux Use After Free Memory Corruption Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45995 HIGH PATCH This Week

Use-after-free in the Linux kernel's io_uring zero-copy receive (zcrx) subsystem allows local low-privileged attackers to corrupt memory and potentially escalate privileges. The flaw stems from io_free_rbuf_ring() accessing a struct user_struct after io_zcrx_ifq_free() has already released the reference, creating a UAF window. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but the bug class (UAF in io_uring) has historically been weaponized for LPE.

Linux Use After Free Memory Corruption Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45994 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's ibmasm driver allows a local low-privileged user with write access to the ibmasm command character device to leak kernel heap memory to the IBM Advanced System Management service processor and potentially destabilize the host. The flaw resides in command_file_write(), which trusts attacker-controlled command_size/data_size header fields after allocating a buffer of arbitrary count, enabling get_dot_command_size() to return a value larger than the allocation. EPSS is 0.02% and no public exploit is identified at time of analysis; the issue is not on CISA KEV.

Linux Information Disclosure Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-45993 MEDIUM PATCH This Month

Speculative execution bounds bypass on LoongArch allows a local unprivileged user to trigger out-of-bounds speculative reads against the kernel syscall dispatch table, potentially leaking kernel memory via cache side-channels. Affected are Linux kernel stable branches prior to 6.6.140, 6.12.86, 6.18.27, and 7.0.4 running on LoongArch architecture. No public exploit code has been identified at time of analysis, and EPSS at 0.02% reflects very low observed exploitation probability; patches are available across all affected stable series.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45992 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path The previous fix for handling the error from setup_card() missed that an internal URB cdev->ep1_in_urb might have been already submitted beforehand. In the normal case, this URB gets killed at the disconnection, but in the error path, we didn't do it, hence there can be a potential leak. Fix it in the error path for setup_card(), too.

Information Disclosure Linux
NVD VulDB
EPSS
0.0%
CVE-2026-45989 HIGH PATCH This Week

Use-after-free in the Linux kernel's Open Firmware (OF) device tree unittest driver (testdrv_probe) allows local low-privileged attackers to corrupt memory and potentially escalate privileges. The flaw stems from an erroneous of_node_put() call that releases a device_node reference owned by the device model, which can then be dereferenced later in of_platform_default_populate(). EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a vendor patch is available.

Linux Use After Free Memory Corruption Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45988 CRITICAL PATCH Act Now

Improper handling of failed RESPONSE packet decryption in the Linux kernel's rxrpc subsystem can leave packets in a partially decrypted state when requeued for retry after a temporary processing failure. The flaw affects multiple Linux kernel branches and was resolved upstream by discarding such packets and relying on the CHALLENGE/RESPONSE re-handshake. No public exploit identified at time of analysis, and EPSS scoring (0.02%, 5th percentile) indicates very low real-world exploitation probability despite the high CVSS rating.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-45987 MEDIUM PATCH This Month

Interrupt shadow state desynchronization in the Linux kernel KVM nSVM subsystem can hang L2 nested virtual machines on AMD-V hosts when VM state is restored in a specific ioctl ordering. Systems using KVM nested virtualization (kvm_amd with nested=1) are affected when a live migration or checkpoint-restore operation calls KVM_SET_VCPU_EVENTS before KVM_SET_NESTED_STATE, causing the interrupt shadow to be written into vmcb01 (L1 context) instead of vmcb02 (L2 context). No public exploit has been identified and EPSS is 0.02% (5th percentile), placing this squarely as a correctness and operational availability issue for nested virtualization deployments rather than a broadly exploitable security threat.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45986 MEDIUM PATCH This Month

Memory exhaustion in the Linux kernel's ccree (ARM CryptoCell) driver allows a local low-privileged user to cause a denial of service by repeatedly triggering an error path in cc_mac_digest() that fails to release mapped memory. The vulnerability exists because cc_unmap_result() is not called when cc_map_hash_request_final() returns an error, causing each failed MAC digest operation to leak kernel memory. No active exploitation is confirmed; EPSS is 0.02% at the 5th percentile, consistent with a low-severity, hardware-specific kernel maintenance fix. The 'Information Disclosure' tag in the source data is inconsistent with the CVSS vector (C:N) and description - impact is availability-only.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45985 MEDIUM PATCH This Month

Stale data exposure in the Linux kernel's ext4 filesystem affects systems using the dioread_nolock mount option, triggered by a flag-handling logic error in the extent-splitting code path during Direct I/O operations. When `EXT4_GET_BLOCKS_CONVERT` is incorrectly passed during a pre-I/O split of an unwritten extent, a simultaneous `-ENOSPC` failure in `ext4_split_extent_at()` causes the entire on-disk extent to be prematurely converted to written state while the in-memory extent status tree retains an inconsistent unwritten marker for the second half; if the DIO write subsequently fails, a future read of that region exposes stale pre-zero data. No public exploit has been identified at time of analysis, EPSS is 0.02% (7th percentile), and there is no CISA KEV listing, indicating no confirmed active exploitation.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45984 HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel's GFS2 filesystem stems from a use-after-free in the inline data write path of gfs2_iomap_begin(), where the inode buffer head is released before iomap->inline_data is consumed by iomap_write_end_inline(). Local users with the ability to write to a GFS2-backed filesystem can trigger memory corruption via a freed page that kswapd has since reclaimed. No public exploit identified at time of analysis, EPSS probability is very low (0.02%), and the issue is not listed in CISA KEV, but vendor patches across multiple stable trees are available.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45983 MEDIUM PATCH This Month

NFSv4 server slot exhaustion in the Linux kernel nfsd subsystem causes persistent denial of service for NFS clients when idmap upcall delays occur during compound argument decoding. Specifically, when a SETATTR or similar compound operation triggers an idmap lookup upcall that exceeds the allowed time limit, cache_check() sets RQ_USEDEFERRAL and drops the request before nfs4svc_encode_compoundres() can execute - meaning the NFSD4_SLOT_INUSE session slot flag is never cleared. All subsequent client requests on that session slot fail with NFSERR_JUKEBOX indefinitely. No public exploit has been identified and EPSS is 0.02% (7th percentile), indicating no active exploitation pressure; this is a logic flaw with confirmed upstream patches across all major stable branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45979 MEDIUM PATCH This Month

Improper mutex cleanup in the Linux kernel's amdgpu DRM driver allows a local low-privileged user to cause a GPU subsystem denial-of-service on systems equipped with AMD GPU hardware. When kmalloc fails under low memory conditions inside amdgpu_cs_parser_bos, the error path previously returned without releasing the held mutex, leaving it permanently locked and stalling GPU command submission for all users. No public exploit exists and the vulnerability is not listed in CISA KEV; with an EPSS of 0.02% (5th percentile), real-world exploitation risk is low.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45977 MEDIUM PATCH This Month

Use-after-free race condition in the Linux kernel's fbnic (Facebook NIC) driver can be triggered by a local attacker to crash the system. The fw_log firmware log buffer is freed during device teardown before the mailbox IRQ is disabled, allowing a concurrent MSIX interrupt handler to dereference a freed or NULL pointer. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.02% (4th percentile) reflects very low real-world exploitation probability; the primary risk is a denial of service to systems hosting fbnic NICs.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45976 MEDIUM PATCH This Month

Memory leak in the Linux kernel's amdgpu DRM driver allows a local low-privileged user to gradually exhaust kernel memory on systems equipped with AMD GPUs. The flaw exists in amdgpu_ras_init(), where a failed call to amdgpu_nbio_ras_sw_init() causes the function to return an error without freeing the previously allocated 'con' context structure, bypassing the existing release_con cleanup label. No public exploit exists and EPSS is 0.02% (5th percentile), classifying this as a low-priority maintenance fix with no confirmed active exploitation.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45975 MEDIUM This Month

Race condition in the Linux kernel's ublk (userspace block device) subsystem allows a local low-privileged attacker to crash the kernel by concurrently modifying io_uring submission queue entries during kernel processing. The ublksrv_ctrl_cmd struct resides in userspace-mapped shared memory, and unguarded normal loads let a racing userspace thread corrupt the kernel's view of the command, triggering a denial-of-service condition. No public exploit exists and EPSS is 0.02%, but fixed kernel versions 6.19.4 and 7.0 are confirmed available.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Race condition in the Linux kernel's md/md-llbitmap subsystem can cause availability loss on systems using software RAID with bitmap tracking. The barrier raise in llbitmap_start_write() and llbitmap_start_discard() occurs after the state machine transition is initiated, creating a window where concurrent state changes proceed without synchronization - potentially crashing the RAID subsystem or rendering an md array unavailable. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (4th percentile) reflects negligible automated exploitation risk. Patches are available across multiple stable kernel branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's ext4 filesystem driver allows a local attacker to read up to 3 bytes beyond a valid extended-attribute (xattr) region, potentially leaking adjacent kernel memory or crashing the system. The flaw lives in check_xattrs(), where a loose bounds check on the next xattr entry lets IS_LAST_ENTRY() perform a 4-byte read that overruns the buffer when parsing a crafted or corrupted ext4 xattr block. It is not in CISA KEV and no public exploit identified at time of analysis; EPSS is negligible at 0.02% (5th percentile), consistent with a low-impact local memory-safety bug that has already been patched upstream.

Linux Buffer Overflow Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Concurrent execution race in the Linux kernel's mm/vmalloc subsystem allows a local low-privileged attacker to trigger memory corruption or leaks by exercising the vmap_node shrinker simultaneously with lazy vmap purge operations. The flaw stems from unserialized invocation of decay_va_pool_node() between __purge_vmap_area_lazy() and the shrinker path. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the issue is patched upstream in the stable tree.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in the Linux kernel's igorplugusb infrared remote control driver allows a local low-privileged user to crash the kernel on systems where a compatible USB IR receiver is connected and the host controller performs DMA on control requests. The igorplugusb driver failed to allocate the USB control request structure separately, violating DMA coherency requirements enforced by certain host controllers - an object allocated on the kernel stack or embedded in a larger structure is not guaranteed to be DMA-safe. No public exploit code exists, and EPSS of 0.02% confirms negligible exploitation interest. Vendor-released patches are available across multiple stable branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation potential via use-after-free in the Linux kernel's ALSA aloop (snd-aloop) driver allows authenticated local users to trigger memory corruption by racing PCM stream close against a peer format-change stop. The flaw stems from snd_pcm_stop() running after cable->lock is dropped, leaving a stale peer substream pointer that can be freed by a concurrent close. Upstream fixes are merged into stable trees (6.12.88, 6.18.27, 7.0.4, 7.1-rc2); no public exploit identified at time of analysis and EPSS is very low at 0.02%.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The zram compressed-RAM block device driver in the Linux kernel hangs processes indefinitely when partial discard requests are submitted on systems where the discard granularity is smaller than the system page size (e.g., 4K discards on ARM64 systems with 64K pages). The driver correctly identifies partial discards as unsupported and returns early, but omits calling bio_endio(), leaving submit_bio_wait() blocked forever. Exploitation requires local access to a zram device with low privileges; no public exploit exists and EPSS is 0.02%, consistent with a niche local denial-of-service. Patches are available across multiple stable kernel branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel panic via exhausted buffer in the ALSA control subsystem affects Linux kernel builds compiled with CONFIG_FORTIFY_SOURCE and Clang, allowing a local low-privileged user to crash the system. The function snd_ctl_elem_init_enum_names() fails to guard against a zero buf_len before invoking strnlen(), and Clang's fortified strnlen fires a BRK exception when it cannot determine the object size of the advanced pointer p inside the loop - panicking the kernel before the intended error-path return. Discovered through kernel fuzz testing on Xiaomi Smartphone hardware; no public exploit and no KEV listing; EPSS is 0.02%.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's DAMON statistics subsystem (mm/damon/stat) causes kernel memory exhaustion when damon_start() fails during damon_stat_start(). The allocated DAMON context is never freed on the failure path, and the stale global pointer is overwritten on each subsequent enable attempt, making prior allocations permanently unreachable. Exploitation requires local access with low privileges, yields high availability impact (A:H) via progressive kernel memory exhaustion, and no public exploit or active exploitation has been identified at time of analysis.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial-of-service in the Linux kernel rxrpc subsystem (rxkad authentication) allows unauthenticated network attackers to crash vulnerable hosts by sending packets with misaligned crypto length fields. The flaw stems from improper handling of decryption errors and a remotely-triggerable WARN_ON_ONCE() in the rxkad packet processing path. EPSS scoring is very low (0.02%) and no public exploit identified at time of analysis, but the CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) rating reflects the unauthenticated remote availability impact.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's RDMA mana_ib driver (Microsoft Azure Network Adapter) lets a local user trigger stale firmware RX steering after destroying an RSS QP, so incoming completions land on reused CQ IDs and corrupt kernel state. It affects Linux deployments on Azure VMs using MANA with RDMA/DPDK; an attacker who can create and destroy RSS QPs (e.g., via a DPDK application exit while a peer keeps transmitting) can drive completions onto TX CQs and crash or corrupt the driver. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%, 5th percentile), indicating low real-world exploitation likelihood.

Memory Corruption Linux Use After Free +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource leak in the Linux kernel SPI subsystem allows a local low-privileged attacker to exhaust kernel resources and cause denial of service. The flaw affects multiple stable kernel branches (5.4.x through 7.x) and occurs when spi_setup() fails during SPI device registration, leaving resources allocated by setup() unreleased because the controller cleanup() callback is never invoked on the error path. No public exploit exists and EPSS sits at 0.02% (5th percentile), indicating very low real-world exploitation probability; this is a stability fix appropriate for routine patching rather than emergency response.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's EROFS filesystem driver allows a local attacker to crash the system or potentially leak kernel memory by mounting a crafted EROFS image. The flaw stems from missing validation of the trailing dirent nameoff field, which can underflow during strnlen() and cause reads beyond the directory block. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a vendor patch is available across multiple stable kernel branches.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Incorrect DMA synchronization direction in the Linux kernel's atmel-tdes crypto driver exposes systems running on non-coherent cache architectures to stale cache data reads. The atmel-tdes driver incorrectly calls dma_sync_single_for_device() instead of dma_sync_single_for_cpu() before the CPU consumes DMA output, causing cache invalidation to be skipped on non-coherent platforms (typically ARM-based Atmel/Microchip SoCs). This means the CPU may read stale cached data rather than actual DES/3DES operation output, producing incorrect cryptographic results and potential information exposure from prior cache contents. No public exploit exists and EPSS is 0.02%, but hardware-platform specificity limits real-world reach significantly.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.9
HIGH PATCH This Week

Privilege escalation and denial of service in the Linux kernel's nested SVM (nSVM) virtualization subsystem allows an L2 guest to issue VMMCALL hypercalls as if it were L1 when nested_svm_l2_tlb_flush_enabled() is true, L1 does not intercept VMMCALL, and the hypercall is not a supported Hyper-V call. The fix forces KVM to synthesize a #UD exception in this scenario, matching architectural behavior; no public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%).

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's atmel-sha204a crypto driver allows an attacker who can remove or unbind the device to trigger a use-after-free during the driver teardown path. The flaw stems from failing to unregister the hwrng and flush the Atmel I2C workqueue before teardown, letting a queued ->read() callback execute against freed state, and an early return that also leaks the hwrng.priv allocation. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, so this is a defense-in-depth hardening fix rather than an urgent emergency.

Memory Corruption Linux Use After Free +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak and potential use-after-free in the Linux kernel's spi-ch341 USB driver expose systems to local denial-of-service when CH341 device probe failures occur without proper resource cleanup. Kernels from the commit introducing the spi-ch341 driver (8846739f52afa07e63395c80227dc544f54bd7b1) through the respective stable-branch fix commits across the 6.11 through 7.0 lineages are affected. Repeated probe failures accumulate leaked kernel memory that can exhaust system resources; no active exploitation is identified (EPSS 0.02%, no CISA KEV listing), placing this firmly in the maintenance-priority rather than incident-response category.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Linux kernel's hwmon powerz USB power meter driver fails to cancel an in-flight USB Request Block (URB) when a process is interrupted by a signal mid-read, resulting in reads from an unfilled DMA transfer buffer that can cause denial of service and potentially expose stale kernel buffer contents. Affected since commit 4381a36abdf1c5c0323c1c51f869dc000115eb20 and patched in stable releases 6.12.86, 7.0.4, and 6.18.27. No public exploit exists and EPSS is 0.02% (5th percentile), reflecting both the niche hardware dependency and strictly local attack surface; this issue is not listed in CISA KEV.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Out-of-bounds heap read in the Linux kernel ntfs3 driver's run_unpack() function allows a local user to crash the kernel by mounting a crafted NTFS image. The flaw affects multiple stable kernel branches from 5.15 onward, where run list parsing in MFT attributes consumes up to 15 bytes beyond the valid buffer boundary without checking remaining buffer size. No public exploit code exists and EPSS sits at 0.02% (5th percentile), but the local denial-of-service impact is A:H and patches are available across all affected stable branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

KVM nested SVM (AMD virtualization) in the Linux kernel incorrectly marks VMCB_LBR dirty in the guest's vmcb12 during nested VM exit processing, triggering architecturally undefined behavior that results in hypervisor availability loss. Affected are Linux kernels from 5.19 through versions preceding the stable-branch patches at 6.18.27 and 7.0.4. A low-privileged local attacker operating within a nested virtual machine on an AMD SVM-capable host can exploit this to crash or destabilize the host KVM layer. No public exploit and no CISA KEV listing exist; EPSS sits at 0.02% (4th percentile), confirming negligible opportunistic exploitation probability.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's mwifiex Wi-Fi driver (Marvell) occurs during adapter teardown: mwifiex_adapter_cleanup() calls the non-synchronous timer_delete() on the wakeup_timer, so a still-running wakeup_timer_fn callback can dereference adapter fields (hw_status, if_ops.card_reset) after mwifiex_free_adapter() frees them along the card-removal path. A local attacker who can trigger device removal while the timer fires could corrupt freed kernel memory, enabling privilege escalation or denial of service. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%, 5th percentile), and the fix (timer_delete_sync()) is merged into stable releases.

Memory Corruption Linux Use After Free +3
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's DAMON (Data Access MONitor) subsystem allows a local user with access to the DAMON sysfs interface to read out-of-bounds kernel memory or crash the system. The flaw exists because mm/damon/core failed to validate the user-supplied node ID (damos_quota_goal->nid) before using it in NODE_DATA() for the node_memcg_used_bp and node_memcg_free_bp quota goal metrics. The kernel description includes a working reproduction using the user-space 'damo' tool, but no public weaponized exploit and no active exploitation (CISA KEV) have been reported; EPSS is negligible at 0.02%.

Linux Buffer Overflow Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel fbdev deferred I/O subsystem allows local low-privileged users to trigger undefined behavior when a framebuffer device is hot-unplugged while user space retains an active memory mapping. The flaw stems from improper lifetime management between struct fb_info and deferred I/O state, leading to use-after-free conditions with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%).

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds heap read in the Linux kernel's ibmasm driver (the IBM Advanced System Management service-processor interface) lets a local privileged user leak adjacent kernel heap memory. The ibmasm_send_i2o_message() function trusts user-controlled command_size and data_size header fields to size a memcpy_toio() without validating them against the real allocation, so a small buffer with inflated header values forces a read of up to ~65 KB past the allocation, which is then forwarded to the service processor over MMIO. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis.

Linux Buffer Overflow Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Deadlock in the Linux kernel's x86 Control-flow Enforcement Technology (CET) shadow stack implementation can be triggered by a local unprivileged user during signal return, causing a kernel hang and denial of service. The flaw exists in x86 SMP kernels with PER_VMA_LOCK configured where X86_USER_SHADOW_STACK is enabled: holding the mmap read lock while reading the shadow stack signal frame during sigreturn allows a recursive lock acquisition attempt that deadlocks when a concurrent mmap writer is waiting on another CPU. No public exploit has been identified at time of analysis and EPSS exploitation probability is extremely low at 0.02% (5th percentile), but the availability impact is high on affected systems with shadow stack enabled.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Deadlock in the Linux kernel jbd2 journal subsystem can hang filesystems and render systems unresponsive when filesystem blocksize is smaller than the system pagesize. Introduced by commit f76d4c28a46a, the flaw breaks the required folio-then-buffer lock ordering in jbd2_journal_cancel_revoke(), causing an ABBA deadlock between concurrent filesystem journal operations and block device writeback. No public exploit is identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with a race-condition kernel bug requiring a non-default configuration that is unlikely to be deliberately weaponized.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

IRQ handler cleanup failure in the Linux kernel Intel QAT (Quick Assist Technology) crypto driver for 6xxx-series devices causes kernel resource leaks and availability impact when device probe partially fails. The flaw manifests during adf_dev_up() failure: because pcim_enable_device() registers pcim_msi_release() as a devres action that runs in LIFO order, MSI-X vectors are torn down while IRQ handlers such as 'qat0-bundle0' are still attached, producing remove_proc_entry() warnings and leaking procfs entries. No public exploit has been identified at time of analysis, and EPSS at 0.02% (4th percentile) confirms negligible exploitation interest; impact is limited to systems that physically host Intel QAT 6xxx accelerator cards.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Landlock LSM's credential transfer hook in the Linux kernel silently drops the LOG_SUBDOMAINS_OFF audit-muting flag across fork() boundaries, breaking the documented sandboxing pattern where a parent process suppresses subdomain audit logs before spawning sandboxed children. Affected kernels from commit ead9079f75696 onward across the 6.15, 6.18, and 7.x stable branches allow child processes to emit unexpected Landlock audit records the operator explicitly intended to suppress. No public exploit identified at time of analysis; EPSS is 0.02% (4th percentile), and this is a logic correctness defect rather than a privilege-escalation or data-exfiltration path.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in the Linux kernel Bluetooth subsystem (hci_event) allows an adjacent attacker within Bluetooth range to potentially achieve memory corruption against vulnerable hosts during SSP pairing. The flaw stems from missing hdev locking in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), where an hci_conn structure can be freed concurrently while still in use. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%).

Linux Information Disclosure Use After Free +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local privilege-bounded information disclosure and integrity compromise in the Linux kernel's SELinux module affects overlayfs mounts where mmap() and mprotect() operations bypass the intended dual-credential access checks. A local authenticated user with access to an overlayfs top-level (user) file can map or change protections on backing files without the mounter's credentials being properly evaluated, undermining the SELinux overlayfs security model. EPSS is very low (0.02%, 5th percentile) and no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation risk in the Linux kernel's RDS (Reliable Datagram Sockets) subsystem stems from a double-free condition in __rds_rdma_map() when a put_user() copy of the MR cookie fails after get_mr() has transferred sg/pages ownership to the transport. A local authenticated attacker triggering this race or fault path could cause memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis and EPSS is low at 0.02%, but a vendor-released patch is available across multiple stable branches.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel Ceph client allows local users with access to a Ceph-mounted filesystem to trigger d_hash list corruption and RCU stalls by inducing path lookups against reused cached negative dentries. The flaw stems from fs/ceph/dir.c calling d_add(dentry, NULL) on already-hashed negative dentries, creating self-loops in the hlist_bl bucket that cause __d_lookup() to spin indefinitely. EPSS is 0.02% (5th percentile) and no public exploit identified at time of analysis, but the bug has been reproduced organically in production (RCU stall on a Dell PowerEdge R7615 running 6.18.17).

Linux Amd Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Infinite loop denial-of-service in the Linux kernel ALSA ctxfi audio driver allows a local low-privileged user to hang the kernel by triggering S/PDIF passthrough playback at 32000 Hz on Creative Sound Blaster X-Fi hardware. The root cause is an uninitialized `pll_rate` field that causes a resource-calculation loop to never exit, consuming CPU indefinitely and degrading or halting system availability. No public exploit exists and the EPSS score of 0.02% (5th percentile) confirms negligible real-world exploitation pressure; the vulnerability is not listed in CISA KEV.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

USB device reference count leak in the Linux kernel ALSA CAIAQ driver allows a local attacker with access to USB hardware to trigger kernel memory exhaustion. The flaw exists because usb_get_dev() is called in create_card() but its matching usb_put_dev() is only installed as a destructor late in init_card(), leaving it unreachable on all intermediate failure paths. Syzbot has reproduced the issue using a malformed UAC3 USB audio device, and patches are available across all affected stable kernel branches. No public exploit has been identified at time of analysis, and EPSS is negligible at 0.02%.

Microsoft Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's QRTR (Qualcomm IPC Router) name service driver remove path allows local low-privileged users to corrupt memory and potentially escalate privileges. The flaw occurs because qrtr_ns_data_ready() can queue work to a workqueue that has already been destroyed during driver teardown, dereferencing freed memory. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the fix has landed across multiple stable kernel trees.

Linux Use After Free Memory Corruption +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Missing brelse() in the ext4 filesystem's ext4_xattr_inode_dec_ref_all() function causes a buffer head refcount leak that can degrade system availability on affected Linux kernel versions. Introduced by commit c8e008b60492 (

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource leak in the Linux kernel IPMI SSIF driver leaves an orphaned kernel thread running when driver initialization fails mid-sequence. Systems with SSIF-capable IPMI hardware (BMC connected via SMBus/I2C) running unpatched kernels are affected across multiple stable branches. If initialization errors occur after the ssif kthread is spawned but before the IPMI core starts the interface, the thread is never stopped, degrading system availability over time. No public exploit exists and EPSS is 0.02% (4th percentile), making this a routine patch-cycle item rather than an emergency; fixes are confirmed in stable kernel releases 6.18.27 and 7.0.4.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Remote denial of service and potential memory corruption in the Linux kernel's RDMA Software RoCE (rxe) driver allows network attackers to send malformed RDMA packets that bypass length validation in rxe_rcv(). Affected systems with the rxe module loaded and reachable on the network can experience integer underflow in payload_size() due to an attacker-controlled BTH pad field, leading to negative values being passed to downstream receive-path handlers. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the CVSS 9.1 rating reflects the unauthenticated network attack surface where rxe is exposed.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Two kernel heap memory leaks in Linux kernel's weighted interleave NUMA memory policy subsystem allow a local low-privilege user to exhaust kernel memory and cause denial of service. The `weighted_interleave_auto_store()` function in `mm/mempolicy.c` fails to free `new_wi_state` on an early-return path and fails to free the old state object when overwritten via `rcu_assign_pointer()` when processing 'true' writes, because `old_wi_state` is only fetched inside the wrong conditional branch. The second leak is trivially automatable - any authorized sysfs writer can loop-write '1' indefinitely to drive the system into OOM - though no public exploit exists and EPSS sits at a negligible 0.02%.

Linux Information Disclosure IBM +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial-of-service via kernel panic in the Linux kernel's greybus gb-beagleplay driver allows a local low-privileged user to crash the system by triggering an illegal sleep-in-atomic-context condition. The greybus HDLC TX path calls usleep_range() inside hdlc_append() while the tx_producer_lock spinlock is held, violating the fundamental Linux kernel rule that sleeping is forbidden in atomic context and triggering a 'BUG: scheduling while atomic' kernel oops. No public exploit has been identified at time of analysis, and EPSS at 0.02% (5th percentile) reflects the hardware-specific and local-access-only nature of this flaw. The input tag 'Information Disclosure' appears to be a misclassification - the actual impact is exclusively availability (kernel crash), consistent with the CVSS vector's A:H/C:N/I:N ratings.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource accounting exhaustion in the Linux kernel's inotify subsystem allows a local low-privileged user to permanently leak watch counts by repeatedly triggering a failure path in inotify_new_watch() that increments the per-namespace watch counter without a corresponding decrement. Over time this exhausts the max_user_watches limit, causing all subsequent inotify watch creation within the namespace to fail with -ENOSPC even when no watches are genuinely active, constituting a local denial-of-service against inotify-dependent applications. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects very low real-world exploitation probability with no CISA KEV listing.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory exhaustion in the Linux Kernel's QRTR (Qualcomm IPC Router) nameserver subsystem exposes local, low-privileged users to a denial-of-service condition. The `ctrl_cmd_bye()` function, triggered when a QRTR node sends a BYE shutdown packet, fails to remove the node from the Xarray structure or release the associated memory - resulting in a persistent kernel memory leak (CWE-401). Affected systems are Linux kernels from 5.7 through multiple stable branches, with fixes backported to 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. No active exploitation is confirmed (not in CISA KEV), and EPSS sits at 0.02% (5th percentile), indicating minimal real-world threat at this time.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's IPv4 ICMP handling allows remote attackers to trigger denial of service and potential information disclosure by sending crafted ICMP Extended Echo Reply packets. The flaw stems from the kernel consulting the icmp_pointers[] array with reply types (ICMP_EXT_ECHOREPLY) that fall outside its bounded range (NR_ICMP_TYPES). No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but the network attack vector and high availability impact make patching a priority for exposed Linux hosts.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Linux kernel's vfio/cdx (Composable DMA-capable eXtension) driver allows a process with access to a VFIO device file descriptor to trigger a use-after-free of the cdx_irqs array via concurrent VFIO_DEVICE_SET_IRQS ioctls. The race in vfio_cdx_set_msi_trigger() can be exploited by a local low-privileged attacker for memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis and EPSS is very low (0.02%, 5th percentile).

Linux Information Disclosure Use After Free +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Lock re-entrancy corruption in the Linux kernel's mm/page_alloc subsystem affects uniprocessor (UP/!CONFIG_SMP) builds, allowing freelist corruption that crashes the kernel. On UP kernels, spin_trylock() is a compile-time no-op that unconditionally succeeds; when alloc_frozen_pages_nolock() is invoked from NMI context, it re-enters rmqueue() and acquires the zone lock already held by the interrupted context, corrupting the page allocator's freelists. No public exploit exists and EPSS sits at the 4th percentile (0.02%), consistent with the narrow scope: only non-default UP kernel builds on specific kernel versions are affected, making this a targeted stability concern for embedded or legacy uniprocessor deployments rather than a broad production threat.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's crypto authencesn AEAD wrapper allows a local user with AF_ALG access to trigger memory disclosure and possible denial of service by instantiating an authencesn transform built on an ahash whose digest size is 1-3 bytes (for example cbcmac(cipher_null)). The flaw stems from crypto_authenc_esn_create() failing to validate the inner digest size, letting an invalid default authsize bypass the existing setauthsize() check. No public exploit identified at time of analysis and EPSS probability is negligible (0.02%), but the upstream fix is shipping across multiple stable trees.

Linux Information Disclosure Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel ks8851 Ethernet driver allows a deadlock condition when handling concurrent IRQ and TX softirq processing on systems using the Micrel KS8851 MAC/PHY chip. The flaw manifests when the IRQ handler executes netdev_alloc_skb_ip_align() with bottom-halves enabled, triggering pending softirq processing that re-enters the driver's xmit path and attempts to re-acquire an already-held spinlock. EPSS scores this at 0.02% (5th percentile) and no public exploit identified at time of analysis, consistent with a local hardware-dependent stability bug rather than a remotely weaponizable vulnerability.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's EDAC/versalnet driver (mc_probe()) results in unreleased device_node references, enabling local low-privileged users to cause kernel memory exhaustion and availability degradation on AMD/Xilinx Versal SoC systems. The root cause is a missing of_node_put() call on all exit paths of mc_probe(), with the fix applied across stable branches including 6.18.27 and 7.0.4. No public exploit or CISA KEV listing exists, and EPSS sits at 0.02% (4th percentile), reflecting minimal active exploitation risk.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Slab allocator corruption in the Linux kernel's mm/slab subsystem allows local low-privileged users on uniprocessor (UP, !CONFIG_SMP) builds to potentially corrupt kernel memory state when kmalloc_nolock() is invoked from NMI context. The flaw stems from spin_trylock() being a no-op on UP kernels, allowing re-entry into the slab allocator while n->list_lock is already held by the interrupted context. EPSS is very low (0.02%) and no public exploit has been identified at time of analysis, though an upstream patch is available.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Race condition in the Linux kernel's AF_ALG AEAD AIO interface allows a local low-privileged user to trigger a denial of service by exploiting shared socket-wide IV buffer state across concurrent asynchronous AEAD requests. The algif_aead subsystem fails to snapshot the Initialization Vector into per-request storage before dispatching async operations, meaning any concurrent socket activity that updates the shared IV can corrupt an in-flight request before it completes. No public exploit has been identified and EPSS is extremely low at 0.02% (7th percentile); vendor-released patches are available across all supported stable kernel branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial-of-service in the Linux kernel's SMC (Shared Memory Communications) networking subsystem allows remote attackers to crash the kernel by sending a CLC decline message during the early stage of an SMC handshake before the connection is associated with a link group. The flaw, tracked as EUVD-2026-32408, stems from smc_clc_wait_msg() accessing link-group sync state that does not yet exist at that point in the handshake. No public exploit identified at time of analysis and EPSS probability is very low (0.02%, 5th percentile), but the network attack vector and high availability impact warrant patching on systems that use SMC.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Uncontrolled resource consumption in the Linux kernel's QRTR (Qualcomm IPC Router) nameserver module allows a local authenticated user to exhaust nameserver resources by flooding it with unbounded NEW_LOOKUP messages over a single socket. The affected subsystem (net/qrtr/ns) restricted lookups to local clients but imposed no count limit, enabling a sustained denial-of-service against QRTR-dependent inter-process communication on Qualcomm SoC platforms. No public exploit has been identified and EPSS stands at 0.02% (5th percentile), placing this firmly in the low real-world priority tier despite its High availability impact rating.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Deadlock and memory leak in the Linux kernel DAMON subsystem arise from a race condition between damon_call() request registration and kdamond_fn() thread exit, affecting systems using the Data Access MONitor (DAMON) API. A local low-privileged process can trigger the race at precisely the moment a kdamond thread is terminating - causing the calling thread to wait indefinitely for a handler that has already exited, resulting in a kernel-level availability denial. No active exploitation is confirmed (EPSS 0.02%, not in CISA KEV), and the high attack complexity required to win the race significantly constrains real-world risk.

Race Condition Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds MMIO read in the Linux kernel's ibmasm (IBM Advanced System Management) misc driver allows a compromised IBM service processor to read 8 bytes from unintended device registers or trigger a machine check exception (system crash) by writing an out-of-range queue reader/writer index before asserting an interrupt. The flaw resides in ibmasm_handle_mouse_interrupt() where raw readl() values are passed unchecked to get_queue_entry(), and is fixed by bounds-checking both indices against REMOTE_QUEUE_SIZE (60). No public exploit identified at time of analysis, and EPSS probability is negligible at 0.02%.

Linux Information Disclosure Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Two related memory-management defects in the Linux kernel thermal zone governor subsystem expose local low-privileged users to system availability loss. The first is a memory leak (CWE-401) in the registration error path of thermal_zone_device_register_with_trips(), which fails to remove an attached governor when registration fails mid-way. The second, and more critically impactful, is a race condition in thermal_zone_device_unregister(), which calls thermal_set_governor() without first acquiring the thermal zone lock - permitting a concurrent sysfs-based governor update to produce a use-after-free, which can trigger a kernel panic. No public exploit code exists and EPSS is 0.02% (5th percentile); vendor-released patches are available across multiple stable kernel branches including 6.6.140, 6.12.86, 6.18.27, and 7.0.4.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's DAMON (Data Access MONitor) subsystem allows privileged local users to crash the kernel by supplying arbitrary node IDs to damos_quota_goal via DAMON_SYSFS. Affecting Linux 6.16 and fixed in 6.18.27, 7.0.4, and 7.1-rc1, the flaw stems from missing validation before si_meminfo_node()/NODE_DATA() lookups and is reproducible with the upstream 'damo' user-space tool. No public exploit identified at time of analysis and EPSS is very low at 0.02%.

Denial Of Service Linux Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The atmel-aes crypto driver in the Linux kernel leaks 3 pages of kernel memory per cleanup cycle due to a mismatch between allocation and deallocation functions: atmel_aes_buff_init() allocates 4 contiguous pages via __get_free_pages() with ATMEL_AES_BUFFER_ORDER, but atmel_aes_buff_cleanup() frees only a single page via free_page() instead of the correct free_pages(). Systems running on Atmel/Microchip ARM SoC hardware with this driver loaded are vulnerable to gradual kernel memory exhaustion leading to denial of service. No public exploit code exists and no active exploitation has been confirmed; the EPSS score of 0.02% (5th percentile) reflects the extremely narrow hardware-specific attack surface, and vendor-released patches are available across multiple stable kernel branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Availability degradation in the Linux kernel ALSA USB audio subsystem allows a local attacker with a crafted UAC2 USB audio device to trigger an unbounded parsing loop that holds register_mutex while repeatedly flooding the kernel log with error messages. Affected systems running snd-usb-audio on multiple stable kernel branches from 3.x through 7.0 are exposed to denial-of-service via mutex contention during USB device probe. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (6th percentile) reflects minimal threat actor interest; no CISA KEV listing exists.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Race condition in the Linux kernel memory management subsystem during large-folio migration can cause kernel availability disruption on SMP/NUMA systems. The flaw in migrate_folio_move() causes a destination folio to become visible to concurrent rmap-removal paths before being requeued onto the deferred split queue, triggering a kernel WARN in deferred_split_folio() or silently losing a folio from split_queue when the shrinker races the migration lock. With no public exploit, no CISA KEV listing, and an EPSS of 0.02%, this is a low real-world risk issue primarily relevant to HPC, virtualization, and database workloads with heavy NUMA migration activity.

Nvidia Race Condition Linux +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Race condition and missed wake-up in the Linux kernel TCP listener migration path (SO_REUSEPORT) allows local low-privileged attackers to cause hangs and potentially exploit a use-after-free on listener sockets. Affects kernels from 5.14 up to versions fixed in 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. No public exploit identified at time of analysis, and EPSS is very low (0.02%).

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Broken LBR MSR save/restore in the Linux kernel KVM/SVM subsystem allows a low-privileged local attacker to cause high-impact availability failures in virtualized environments running on AMD SVM hardware. MSR_IA32_DEBUGCTLMSR and Last Branch Record (LBR) MSRs are not enumerated by KVM_GET_MSR_INDEX_LIST and cannot be set via KVM_SET_MSRS, meaning VM state is not correctly preserved across save/restore or live migration cycles, particularly when L2 guests are running. No public exploit has been identified at time of analysis, and EPSS of 0.02% indicates very low exploitation probability, but the flaw affects a foundational hypervisor state management path on production AMD virtualization infrastructure.

Linux Information Disclosure Intel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Incorrect physical address conversion in the Linux kernel's mm/memfd_luo subsystem can crash the kernel when the put_folios error-cleanup path executes during memfd Live Update Object (LUO) operations. The cleanup passes a raw Page Frame Number (PFN) where kho_restore_folio() requires a phys_addr_t, and a missing sparse-hole guard (pfn==0) risks misprocessing file holes. No public exploit identified at time of analysis; EPSS of 0.02% (5th percentile) and absence from CISA KEV confirm very low real-world exploitation probability, with impact confined to local denial of service on systems running the experimental KHO/LUO subsystem.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's MediaTek JPEG (mtk-jpeg) media driver allows a local user with access to the device to trigger a use-after-free condition. The flaw occurs in mtk_jpeg_release() which frees the context structure without first cancelling pending workqueue items, creating a race window during device close where the worker thread accesses freed memory. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%, but the bug is fixed across multiple stable trees.

Linux Information Disclosure Use After Free +1
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Memory exhaustion handling flaw in the Linux kernel's rxrpc/rxgk subsystem allows network-adjacent attackers to potentially trigger unsafe code paths when rxgk_decrypt_skb() returns -ENOMEM during RxGSS-Kerberos token extraction. Affected kernels include the 6.17 series and specific commits in 6.16.9 onward, fixed in upstream commits and stable backports targeting 6.18.27 and 7.1-rc1. No public exploit identified at time of analysis, and EPSS is very low (0.02%) despite the 8.1 CVSS score.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Duplicate resource teardown in the Linux kernel's PCI endpoint NTB (Non-Transparent Bridge) driver causes a kernel oops when link state transitions fail or complete, enabling a local low-privileged user to crash the kernel. The `epf_ntb_epc_destroy()` helper performs teardown that its callers also execute, resulting in a double-free-class condition. No public exploit code exists and no active exploitation has been confirmed (not in CISA KEV); the EPSS score of 0.02% at the 5th percentile reflects extremely low observed exploitation probability.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Deadlock in Linux kernel DAMON (Data Access Monitor) subsystem allows a local low-privileged user or kernel code path to cause an indefinite thread hang in the mm/damon/core module via a race condition between damos_walk() request registration and kdamond_fn() exit sequencing. Systems running Linux kernels from commit bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61 through the patch commits are affected, with availability as the sole impact (CVSS C:N/I:N/A:H). No public exploit identified at time of analysis, and EPSS probability is 0.02% (5th percentile), indicating negligible real-world exploitation interest.

Race Condition Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Cache coherency violation in the Linux kernel hwmon powerz driver allows a local low-privileged user to crash the kernel on architectures where DMA buffer cacheline aliasing with adjacent kernel structures (here, a mutex) produces undefined behavior. Affected systems must have the powerz USB hardware monitor driver loaded and the specific hardware attached. No public exploit code exists and EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation activity; nonetheless the kernel availability impact (system crash) is concrete once triggered on a vulnerable architecture.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource leak in the Linux kernel's XFS subsystem fails to release a DAX (Direct Access) device reference in the error path of xfs_alloc_buftarg(), leaving a dangling reference that prevents proper cleanup of persistent memory devices. Systems running XFS on DAX-capable persistent memory hardware are affected, spanning multiple stable kernel branches prior to the fix commits documented in EUVD-2026-32302. No public exploit identified at time of analysis, and an EPSS score of 0.02% (5th percentile) confirms negligible exploitation interest; patches are confirmed available across Linux 6.6.x, 6.12.x, 6.18.x, 7.0.x, and 7.1-rc1.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel ALSA caiaq USB audio driver allows local code execution when the device probe path encounters an error during setup_card(). The setup_card() function previously ignored failures from snd_card_register() and continued executing, leaving freed card structures accessible to subsequent initialization calls such as snd_usb_caiaq_control_init(). No public exploit identified at time of analysis, and EPSS is low at 0.02% (5th percentile), consistent with the local attack vector and narrow hardware-driver scope.

Linux Use After Free Memory Corruption +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory exhaustion in the Linux kernel QRTR nameserver allows a local low-privileged attacker to crash the system by registering an unbounded number of QRTR nodes, consuming all available kernel heap memory. Affected kernels span from the commit introducing the QRTR nameserver without node limits (approximately Linux 5.7, commit 0c2204a4ad710d95d348ea006f14ba926e842ffd) through to patched stable releases 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. With an EPSS of 0.02% (5th percentile), no CISA KEV listing, and no public exploit identified at time of analysis, current exploitation risk is low - however, teams managing Qualcomm SoC-based embedded or mobile Linux deployments should treat this as a targeted patch priority given the trivial attack complexity (AC:L) once local access is obtained.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The ext2 filesystem driver in the Linux kernel allows a local user to trigger kernel WARN_ON panics by mounting a crafted ext2 image containing an inode with zero link count (i_nlink=0), non-zero mode, and zero deletion timestamp - a combination that bypasses the incomplete corruption check in ext2_iget() and reaches drop_nlink() in an invalid state. Discovered by the Linux Verification Center using Syzkaller fuzzing, the flaw affects Linux kernel versions from 2.6.12 through multiple stable branches and results in denial of service via kernel instability. No public exploit exists and no KEV listing; EPSS is negligible at 0.02%, consistent with the local access requirement and specialized image-crafting prerequisite.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The rxrpc connection-level packet handler in the Linux kernel modifies RESPONSE packet data in-place within a potentially shared sk_buff, exposing decrypted rxrpc authentication material to co-attached packet sniffers and risking kernel instability when a cloned buffer is written without unsharing. Systems running the rxrpc subsystem (primarily AFS clients and servers) from kernel 2.6.22 onward through the affected stable branches are vulnerable. No public exploit exists and EPSS sits at 0.02% (5th percentile) with no CISA KEV listing, indicating minimal real-world exploitation pressure; patches are confirmed across stable branches 6.6.140, 6.12.88, 7.0.4, 6.18.27, and 7.1-rc1.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local denial of service and potential information disclosure in the Linux kernel's EROFS filesystem affects versions from 5.13 through pre-patch releases, where a crafted EROFS image triggers an unsigned integer underflow in z_erofs_lz4_handle_overlap(). When a malicious image is mounted and a file is read, the LZ4 inplace decompression path wraps the 'outpages - inpages' calculation to a huge value and reads past the decompressed_pages array. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but a reproducible proof-of-concept image is embedded in the upstream commit message.

Linux Information Disclosure Integer Overflow
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's rxrpc (AF_RXRPC) networking subsystem allows local attackers with low privileges to trigger memory corruption when skb_unshare() fails during packet input handling. Affected Linux kernel versions from 6.2 up to the fixed releases can be exploited to cause a NULL-pointer oops and potentially escalate privileges or crash the system. No public exploit identified at time of analysis; EPSS is very low (0.02%) and the issue is not present in CISA KEV.

Linux Use After Free Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Reference count leak in the Linux kernel SCSI disk driver (drivers/scsi/sd.c) allows a local low-privileged user to cause kernel resource exhaustion and system crash. In sd_probe(), when device_add(&sdkp->disk_dev) fails, the cleanup path correctly invokes put_device() triggering scsi_disk_release() to free the scsi_disk structure, but omits the corresponding put_disk(gd) call - leaving the gendisk object with an unreleased reference. This asymmetry with the device_add_disk() error path means repeated probe failures accumulate reference leaks that can exhaust kernel memory and deny service. No public exploit has been identified and EPSS probability is 0.02% (5th percentile), consistent with a stability fix rather than an attacker-targeted flaw.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's i.MX SPI driver (spi-imx) can be triggered when the driver is unbound, allowing a local privileged user to corrupt kernel memory and potentially escalate to full kernel code execution. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a kernel-level UAF with high CIA impact warrants prompt patching on affected i.MX-based systems.

Linux Use After Free Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's io_uring zero-copy receive (zcrx) subsystem allows local low-privileged attackers to corrupt memory and potentially escalate privileges. The flaw stems from io_free_rbuf_ring() accessing a struct user_struct after io_zcrx_ifq_free() has already released the reference, creating a UAF window. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but the bug class (UAF in io_uring) has historically been weaponized for LPE.

Linux Use After Free Memory Corruption +3
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's ibmasm driver allows a local low-privileged user with write access to the ibmasm command character device to leak kernel heap memory to the IBM Advanced System Management service processor and potentially destabilize the host. The flaw resides in command_file_write(), which trusts attacker-controlled command_size/data_size header fields after allocating a buffer of arbitrary count, enabling get_dot_command_size() to return a value larger than the allocation. EPSS is 0.02% and no public exploit is identified at time of analysis; the issue is not on CISA KEV.

Linux Information Disclosure Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Speculative execution bounds bypass on LoongArch allows a local unprivileged user to trigger out-of-bounds speculative reads against the kernel syscall dispatch table, potentially leaking kernel memory via cache side-channels. Affected are Linux kernel stable branches prior to 6.6.140, 6.12.86, 6.18.27, and 7.0.4 running on LoongArch architecture. No public exploit code has been identified at time of analysis, and EPSS at 0.02% reflects very low observed exploitation probability; patches are available across all affected stable series.

Linux Information Disclosure
NVD VulDB
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path The previous fix for handling the error from setup_card() missed that an internal URB cdev->ep1_in_urb might have been already submitted beforehand. In the normal case, this URB gets killed at the disconnection, but in the error path, we didn't do it, hence there can be a potential leak. Fix it in the error path for setup_card(), too.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's Open Firmware (OF) device tree unittest driver (testdrv_probe) allows local low-privileged attackers to corrupt memory and potentially escalate privileges. The flaw stems from an erroneous of_node_put() call that releases a device_node reference owned by the device model, which can then be dereferenced later in of_platform_default_populate(). EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a vendor patch is available.

Linux Use After Free Memory Corruption +3
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Improper handling of failed RESPONSE packet decryption in the Linux kernel's rxrpc subsystem can leave packets in a partially decrypted state when requeued for retry after a temporary processing failure. The flaw affects multiple Linux kernel branches and was resolved upstream by discarding such packets and relying on the CHALLENGE/RESPONSE re-handshake. No public exploit identified at time of analysis, and EPSS scoring (0.02%, 5th percentile) indicates very low real-world exploitation probability despite the high CVSS rating.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Interrupt shadow state desynchronization in the Linux kernel KVM nSVM subsystem can hang L2 nested virtual machines on AMD-V hosts when VM state is restored in a specific ioctl ordering. Systems using KVM nested virtualization (kvm_amd with nested=1) are affected when a live migration or checkpoint-restore operation calls KVM_SET_VCPU_EVENTS before KVM_SET_NESTED_STATE, causing the interrupt shadow to be written into vmcb01 (L1 context) instead of vmcb02 (L2 context). No public exploit has been identified and EPSS is 0.02% (5th percentile), placing this squarely as a correctness and operational availability issue for nested virtualization deployments rather than a broadly exploitable security threat.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory exhaustion in the Linux kernel's ccree (ARM CryptoCell) driver allows a local low-privileged user to cause a denial of service by repeatedly triggering an error path in cc_mac_digest() that fails to release mapped memory. The vulnerability exists because cc_unmap_result() is not called when cc_map_hash_request_final() returns an error, causing each failed MAC digest operation to leak kernel memory. No active exploitation is confirmed; EPSS is 0.02% at the 5th percentile, consistent with a low-severity, hardware-specific kernel maintenance fix. The 'Information Disclosure' tag in the source data is inconsistent with the CVSS vector (C:N) and description - impact is availability-only.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stale data exposure in the Linux kernel's ext4 filesystem affects systems using the dioread_nolock mount option, triggered by a flag-handling logic error in the extent-splitting code path during Direct I/O operations. When `EXT4_GET_BLOCKS_CONVERT` is incorrectly passed during a pre-I/O split of an unwritten extent, a simultaneous `-ENOSPC` failure in `ext4_split_extent_at()` causes the entire on-disk extent to be prematurely converted to written state while the in-memory extent status tree retains an inconsistent unwritten marker for the second half; if the DIO write subsequently fails, a future read of that region exposes stale pre-zero data. No public exploit has been identified at time of analysis, EPSS is 0.02% (7th percentile), and there is no CISA KEV listing, indicating no confirmed active exploitation.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel's GFS2 filesystem stems from a use-after-free in the inline data write path of gfs2_iomap_begin(), where the inode buffer head is released before iomap->inline_data is consumed by iomap_write_end_inline(). Local users with the ability to write to a GFS2-backed filesystem can trigger memory corruption via a freed page that kswapd has since reclaimed. No public exploit identified at time of analysis, EPSS probability is very low (0.02%), and the issue is not listed in CISA KEV, but vendor patches across multiple stable trees are available.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NFSv4 server slot exhaustion in the Linux kernel nfsd subsystem causes persistent denial of service for NFS clients when idmap upcall delays occur during compound argument decoding. Specifically, when a SETATTR or similar compound operation triggers an idmap lookup upcall that exceeds the allowed time limit, cache_check() sets RQ_USEDEFERRAL and drops the request before nfs4svc_encode_compoundres() can execute - meaning the NFSD4_SLOT_INUSE session slot flag is never cleared. All subsequent client requests on that session slot fail with NFSERR_JUKEBOX indefinitely. No public exploit has been identified and EPSS is 0.02% (7th percentile), indicating no active exploitation pressure; this is a logic flaw with confirmed upstream patches across all major stable branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Improper mutex cleanup in the Linux kernel's amdgpu DRM driver allows a local low-privileged user to cause a GPU subsystem denial-of-service on systems equipped with AMD GPU hardware. When kmalloc fails under low memory conditions inside amdgpu_cs_parser_bos, the error path previously returned without releasing the held mutex, leaving it permanently locked and stalling GPU command submission for all users. No public exploit exists and the vulnerability is not listed in CISA KEV; with an EPSS of 0.02% (5th percentile), real-world exploitation risk is low.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Use-after-free race condition in the Linux kernel's fbnic (Facebook NIC) driver can be triggered by a local attacker to crash the system. The fw_log firmware log buffer is freed during device teardown before the mailbox IRQ is disabled, allowing a concurrent MSIX interrupt handler to dereference a freed or NULL pointer. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.02% (4th percentile) reflects very low real-world exploitation probability; the primary risk is a denial of service to systems hosting fbnic NICs.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's amdgpu DRM driver allows a local low-privileged user to gradually exhaust kernel memory on systems equipped with AMD GPUs. The flaw exists in amdgpu_ras_init(), where a failed call to amdgpu_nbio_ras_sw_init() causes the function to return an error without freeing the previously allocated 'con' context structure, bypassing the existing release_con cleanup label. No public exploit exists and EPSS is 0.02% (5th percentile), classifying this as a low-priority maintenance fix with no confirmed active exploitation.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Race condition in the Linux kernel's ublk (userspace block device) subsystem allows a local low-privileged attacker to crash the kernel by concurrently modifying io_uring submission queue entries during kernel processing. The ublksrv_ctrl_cmd struct resides in userspace-mapped shared memory, and unguarded normal loads let a racing userspace thread corrupt the kernel's view of the command, triggering a denial-of-service condition. No public exploit exists and EPSS is 0.02%, but fixed kernel versions 6.19.4 and 7.0 are confirmed available.

Linux Information Disclosure Red Hat +1
NVD VulDB
Prev Page 41 of 741 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy