Information Disclosure
Monthly
Race condition in the Linux kernel's ublk (userspace block device) subsystem allows a local low-privileged attacker to crash the kernel by concurrently modifying io_uring submission queue entries during kernel processing. The ublksrv_ctrl_cmd struct resides in userspace-mapped shared memory, and unguarded normal loads let a racing userspace thread corrupt the kernel's view of the command, triggering a denial-of-service condition. No public exploit exists and EPSS is 0.02%, but fixed kernel versions 6.19.4 and 7.0 are confirmed available.
Invalid leaf access in the btrfs quota subsystem of the Linux kernel allows a local low-privileged user to crash the system by triggering a denial-of-service condition in `btrfs_quota_enable()`. When `btrfs_search_slot_for_read()` returns 1 - signaling end-of-tree with no valid key found - the function fails to exit its loop and proceeds to dereference the now-invalid path pointer, causing a kernel panic. Patched versions are confirmed across multiple stable series (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, 7.0); no public exploit or CISA KEV listing exists at time of analysis.
Indefinite kernel hang in the Linux mlx5_ib RDMA driver causes denial of service during device unload when a firmware reset occurs in LAG (Link Aggregation Group) mode. The race condition leaves UMR (User Memory Registration) deregistration operations blocked forever - posted on the master NIC but awaiting completions from a slave that is already dead - deadlocking the teardown sequence and requiring a hard reboot. No public exploit has been identified, EPSS sits at 0.02% (5th percentile), and impact is confined to systems with Mellanox/NVIDIA mlx5 hardware explicitly configured in bonded LAG mode with active RDMA workloads.
Use-after-free and double-free conditions in the Linux kernel's SMB client (smb2_open_file) can be triggered when SMB2_open() retry paths fail to zero out err_iov and err_buftype buffers, leading to memory corruption. The flaw affects multiple stable kernel branches (6.1, 6.6, 6.12, 6.18) and is fixed in upstream patches; no public exploit identified at time of analysis and EPSS is very low (0.02%) despite the 9.8 CVSS score.
Uncontrolled BPF program signature size in the Linux kernel allows a low-privileged local user to force the kernel into expensive memory allocation paths (kmalloc_large or vmalloc) by supplying an arbitrarily large signature size value to the BPF_PROG_LOAD operation. Affected kernel versions prior to 6.18.14, 6.19.4, and 7.0 are vulnerable to local denial-of-service through kernel memory exhaustion. No public exploit has been identified at time of analysis and no active exploitation is confirmed (not in CISA KEV), with an EPSS score of 0.02% (4th percentile) indicating very low automated exploitation probability.
Kernel crash (denial of service) in the Linux kernel BPF subsystem affects local low-privileged users due to a double-offset bug in the instruction array map. The `map_direct_value_addr()` function incorrectly adds the caller-supplied offset to the returned address, then `resolve_pseudo_ldimm64()` adds it a second time, resulting in an incorrect memory address that can trigger a kernel fault. No public exploit exists and the EPSS score is 0.02% (5th percentile), indicating very low opportunistic exploitation risk, but the availability impact is rated High per CVSS.
Memory exhaustion in the Linux kernel's SUNRPC GSS authentication subsystem (net/sunrpc/auth_gss/auth_gss.c) allows a local low-privileged user to leak kernel memory by repeatedly triggering a specific error path where kstrdup_const() fails during gss_alloc_msg() processing, preventing gss_auth structures from ever being freed. The defect was introduced by commit 5940d1cf9f42, which added kref_get(&gss_auth->kref) without the corresponding kref_put() on the err_put_pipe_version error path when service_name is non-NULL. With EPSS at 0.02% (7th percentile), no CISA KEV listing, and no public exploit, this is a low-urgency memory management defect primarily relevant to systems running NFS with Kerberos/RPCSEC_GSS authentication.
Out-of-bounds memory access in the Linux kernel ublk (userspace block device) subsystem allows a local low-privilege user to crash the kernel by submitting an io_uring control command without the IO_URING_F_SQE128 flag set. The root cause is that ublk_ctrl_cmd_dump() unconditionally accesses the extended cmd field of a Submission Queue Entry before ublk_ctrl_uring_cmd() validates that the SQE is 128 bytes in size, reading beyond the 64-byte standard SQE boundary. No public exploit is identified at time of analysis, and the EPSS score of 0.02% at the 7th percentile signals very low exploitation probability.
Kernel panic via reference count corruption in the Linux kernel's HFS+ filesystem driver (hfsplus) allows a local attacker with low privileges to crash the system. The function hfs_bnode_create() returns an already-hashed B-tree node without incrementing its reference count when it unexpectedly encounters a node that should not yet exist - a condition triggered by filesystem corruption or a logic error in hfs_bmap_alloc(). When hfs_bnode_put() later decrements the reference count to zero and attempts cleanup, the kernel triggers a fatal BUG_ON(!atomic_read(&node->refcnt)) assertion at bnode.c:676, causing an immediate kernel panic. No public exploit exists and EPSS is 0.02% (7th percentile), consistent with the local-only attack vector and niche trigger conditions, but the availability impact is total for affected systems.
Denial of service in the Linux kernel's RCU (Read-Copy-Update) subsystem allows a local condition to trigger an infinite recursion deadloop in rcu_read_unlock_special() when ftrace is enabled, leading to kernel hang or crash. The flaw stems from a missing recursion-protection flag when raise_softirq_irqoff() is invoked from the RCU unlock path, causing repeated re-entry through the softirq/trace stack. No public exploit identified at time of analysis and EPSS rates exploitation probability at 0.02%.
High-impact integrity and availability flaw in the Linux kernel's md-llbitmap (multi-device log-based bitmap) subsystem allows a local low-privileged attacker to render RAID bitmap page control structures permanently unusable. When llbitmap_suspend_timeout() times out, percpu_ref is left in a killed state and never resurrected, breaking subsequent md daemon operations on that page. EPSS is very low (0.02%, 4th percentile) and no public exploit is identified at time of analysis, but vendor-released patches are available in 6.18.14 and 6.19.4.
Memory leak in Linux kernel's fbdev au1200fb framebuffer driver causes resource exhaustion when the probe function encounters IRQ allocation failure. The vulnerability exists in au1200fb_drv_probe() within the au1200fb driver: when platform_get_irq() returns an error, the function returns immediately without releasing previously allocated memory, leading to kernel heap exhaustion over time. Local attackers or repeated probe failures (e.g., via hotplug events on affected MIPS-based Alchemy hardware) can deplete kernel memory, resulting in denial of service. No public exploit has been identified at time of analysis, and EPSS at 0.02% (7th percentile) confirms negligible exploitation interest.
IO deadloop in Linux kernel's md/raid5 subsystem causes complete availability loss on systems running degraded RAID5 arrays with llbitmap enabled. When llbitmap bit state is 'unwritten', the missing synchronization check in need_this_block() diverges from the check present in handle_stripe_dirtying(), trapping handle_stripe() in an infinite loop that never makes progress - effectively hanging all IO on the affected array. No public exploit is identified at time of analysis, and EPSS at 0.02% (4th percentile) reflects very low real-world exploitation probability, consistent with the narrow deployment conditions required.
Missing MTU validation in the Linux kernel fbnic Ethernet driver allows a local low-privileged user to trigger a denial of service by increasing the interface MTU after an XDP program is already attached. Increasing the MTU beyond the HDS (Header Data Split) threshold causes the fbnic hardware to fragment packets across multiple buffers; since single-buffer XDP programs cannot process multi-fragment frames, the driver silently drops them - breaking new TCP streams and discarding oversized non-TCP traffic. No public exploit exists and EPSS is 0.02% (4th percentile), placing this firmly in the low-priority tier despite its High availability rating; patches are confirmed available in Linux 6.18.14, 6.19.4, and 7.0.
Local privilege escalation in the Linux kernel's BPF subsystem stems from incorrect refcounting in check_pseudo_btf_id() that can leave a BTF (BPF Type Format) object with a zero refcount while still in use, creating a use-after-free condition. Affected kernels (around 6.14 through pre-patch 6.18.14/6.19.4) allow a local low-privileged user capable of loading BPF programs to corrupt kernel memory, with no public exploit identified at time of analysis and EPSS scoring exploitation likelihood at only 0.02%.
Memory leak in the Linux kernel's StarFive AES crypto driver allows a local low-privileged user on affected StarFive JH7110 RISC-V hardware to exhaust kernel memory and cause a denial of service. The flaw resides in starfive_aes_aead_do_one_req(), where kzalloc()-allocated memory for rctx->adata is not freed on two distinct error paths - failures in sg_copy_to_buffer() or starfive_aes_hw_init() - resulting in unreleased heap memory each time an AEAD operation fails. No public exploit exists and EPSS is extremely low at 0.02%, consistent with a hardware-specific, analysis-discovered defect rather than an actively targeted weakness.
Use-after-free race condition in the Linux kernel hwrng (hardware random number generator) core subsystem allows a local attacker with low privileges to crash the kernel, causing a denial of service. The race occurs when hwrng_register() and hwrng_unregister() execute concurrently, leaving the hwrng_fill pointer dirty and enabling kthread_stop() to be invoked on an already-freed task_struct - confirmed in the virtrng_remove call path, making virtualized Linux environments a primary real-world attack surface. No public exploit code exists and no active exploitation (KEV) has been confirmed; the EPSS score of 0.02% reflects minimal opportunistic exploitation activity.
Memory exhaustion in the Linux kernel's ext4 filesystem driver allows a local low-privilege user to gradually degrade system availability by repeatedly triggering a kernel memory leak in ext4_ext_shift_extents(). The flaw, present since approximately kernel 3.15, causes path structures allocated by ext4_find_extent() to go unreleased when a NULL extent is encountered during fallocate shift operations. With no CISA KEV listing, an EPSS of 0.02%, and no public exploit code identified, this is a low-urgency but genuine patch priority for long-lived ext4 systems with unprivileged local users.
Memory exhaustion in the Linux kernel's drm/amdgpu driver allows a local low-privileged user on AMD GPU-equipped systems to degrade host availability by repeatedly triggering an error path in amdgpu_acpi_enumerate_xcc() that leaks kernel heap memory. The root cause is a missing free of the xcc_info structure when amdgpu_acpi_dev_init() returns -ENOMEM, identified through static analysis and code review rather than active exploitation. With EPSS at 0.02% (5th percentile) and no CISA KEV listing, this is a low-priority maintenance fix for most environments, most relevant to long-running AMD GPU compute workloads where repeated enumeration failures could accumulate leaked memory.
Race condition in the Linux kernel's Intel VT-d IOMMU driver allows a local low-privileged attacker to trigger inconsistent PASID table state during domain replacement, potentially producing spurious IOMMU faults and unpredictable DMA behavior with cross-scope impact. The flaw stems from non-atomic updates to 512-bit PASID entries while the Present bit is set, and no public exploit identified at time of analysis despite a high CVSS score driven by the scope-changed local attack surface.
Race condition in the Intel VT-d IOMMU driver of the Linux kernel allows a window where hardware can fetch a 'torn' context entry while the Present bit is still set, leading to unpredictable IOMMU behavior or spurious DMA faults on affected systems. The flaw stems from non-atomic teardown of 128-bit context entries via multiple 64-bit writes and is addressed by aligning with the VT-d specification's ownership handshake (Section 6.5.3.3); no public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%.
Kernel NULL pointer dereference in the Linux EROFS compressed filesystem driver allows a local user reading from an EROFS image to crash the system. The flaw lives in z_erofs_decompress_pcluster(), where compressed folios for ztailpacking pclusters are added to I/O chains before being validated; if inline-data reading fails (notably when a fatal signal interrupts read_mapping_folio()), decompression assumes the folios are valid and dereferences a NULL pointer. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%), and the issue is not in CISA KEV.
Filesystem data integrity issue in the Linux kernel ext4 module allows local low-privileged users to trigger bitmap inconsistencies through a race condition between page migration and ext4 buddy bitmap modification under mixed huge-page workloads. The flaw can produce false group descriptor mismatches and corruption of in-memory block allocation state, with high confidentiality, integrity, and availability impact per CVSS 7.8 (AV:L). No public exploit has been identified at time of analysis and EPSS is very low at 0.02%.
TPM locality leak in the Linux kernel's tpm_i2c_infineon driver allows a local user on an affected system to exhaust TPM localities and render the TPM device unavailable. The tpm_tis_i2c_send() function acquires a TPM locality at entry but fails to release it when get_burstcount() times out with -EBUSY, causing a resource leak on every such timeout. Patches are available across multiple stable kernel branches; no public exploit code or active exploitation (CISA KEV) has been identified, and EPSS is 0.02% at the 7th percentile.
Kernel crash (oops) in the stmmac GMAC4 Ethernet driver causes a denial of service when split header reception is enabled. The stmmac receive path incorrectly assumes that buf2 of the first DMA descriptor is always fully populated with payload, but the GMAC4 hardware does not guarantee this in all cases. When the assumption is violated, the driver miscalculates the length of buf2 in the second descriptor, resulting in an invalid virtual address dereference deep in the DMA cache-invalidation path, crashing the kernel. No public exploit has been identified at time of analysis, and EPSS is 0.02% (4th percentile), indicating negligible opportunistic exploitation interest.
Memory leak in the Linux kernel's NI USB GPIB driver allows a local low-privileged user to exhaust kernel memory by repeatedly triggering a failed initialization path. The flaw exists in ni_usb_init(), where a writes buffer is allocated but never freed when ni_usb_setup_init() returns failure, compounding the issue with an incorrect error code (-EFAULT instead of -EINVAL). No public exploit is identified at time of analysis, and EPSS sits at 0.02%, consistent with the niche hardware driver context and local-only attack surface.
Kernel panic in the Linux kernel's Inside Secure EIP-93 hardware crypto driver occurs during driver detach due to a loop iterator bug that causes the same hash algorithm to be unregistered multiple times. Systems equipped with Inside Secure EIP-93 cryptographic accelerator hardware and running unpatched kernels between the introducing commit (9739f5f93b78) and the fix commits are vulnerable. A local low-privileged user who can trigger driver detach - via module unload or device removal - can crash the kernel, resulting in a full system denial of service. No public exploit exists and EPSS is 0.02% (4th percentile), indicating negligible in-the-wild activity.
Heap buffer overflow read in the Linux kernel's NTFS3 filesystem driver allows local attackers to trigger out-of-bounds memory access by mounting or processing a maliciously crafted NTFS volume. The flaw resides in the DeleteIndexEntryRoot path of the do_action function, where an attacker-controlled entry size ('esize') bypasses bounds checks and causes memmove to operate on an unsigned-converted negative offset. EPSS scores exploitation probability at 0.03% (9th percentile) and no public exploit has been identified at time of analysis.
Btrfs transaction aborts in the Linux kernel allow local low-privileged users to crash the filesystem by triggering a logic defect in DUP chunk allocation that generates overlapping physical address ranges in the chunk map. Systems running btrfs with DUP metadata profiles - the default for single-device btrfs deployments - can encounter EEXIST (-17) errors in insert_dev_extents() during btrfs_create_pending_block_groups(), causing the transaction to abort and the filesystem to enter an error state. No public exploit or active exploitation (CISA KEV) has been identified; with an EPSS of 0.02% (4th percentile), this is a kernel reliability defect of operational concern to btrfs operators rather than a traditional attack vector.
Local privilege escalation potential in the Linux kernel BPF verifier (introduced in 6.11+ commit 98d7ca374ba4) arises from sync_linked_regs() failing to preserve register IDs when propagating bounds, breaking linked-register tracking and allowing crafted eBPF programs to bypass the verifier's range analysis. EPSS is very low (0.02%) and the issue is not in CISA KEV, but the BPF verifier is a historically high-value local attack surface, and upstream patches landed in 6.12.75, 6.18.14, and 6.19.4. No public exploit identified at time of analysis.
Uninitialized kernel memory leaks to local users via the MCTP netlink subsystem in the Linux kernel, where RTM_GETNEIGH responses return stale kernel data in the pad bytes of ndmsg structures across link, addr, and neigh response messages. Any local user with PR:L access to the MCTP netlink interface can extract arbitrary pad-byte contents from kernel memory allocations, potentially exposing pointers, partial stack data, or remnants of prior allocations that could assist in defeating kernel address space layout randomization (KASLR). Disclosed by Syed Faraz Abrar (Zellic) and Pumpkin (DEVCORE Research Team) via Trend Micro Zero Day Initiative; no public exploit code exists and EPSS sits at the 5th percentile (0.02%), indicating negligible active exploitation at time of analysis.
Use-after-free in the Linux kernel's OpenVPN data channel offload (ovpn) module allows a local attacker with low privileges to potentially trigger memory corruption when transmitting shared sk_buff packets through ovpn_net_xmit. The flaw stems from continued use of a stale skb pointer after skb_share_check frees the original buffer, affecting peer lookup, skb_dst_drop, and TX statistics paths. No public exploit identified at time of analysis, and the EPSS probability is very low (0.02%), suggesting the bug is more of a stability and memory-safety concern than an imminently weaponized vector.
Memory leak in the Linux kernel's chips-media wave5 VPU media driver allows a local low-privileged user to exhaust kernel memory, resulting in denial of service. The flaw exists in both the encoder and decoder open paths - wave5_vpu_open_enc() and wave5_vpu_open_dec() - where a VPU instance allocated via kzalloc() is not freed when the subsequent codec_info allocation fails. No public exploit exists and EPSS sits at 0.02% (5th percentile), reflecting the hardware-specific and local-only nature of this issue.
BPF map hash verification in the Linux kernel is vulnerable to a TOCTOU race condition that allows a local low-privileged attacker to bypass integrity checks enforced by trusted BPF loaders. Userspace can call BPF_OBJ_GET_INFO_BY_FD to prime the hash cache, then modify the map contents in the race window before freezing it, causing a trusted loader to verify the original (stale) hash against the silently-altered map. No active exploitation is confirmed (not in CISA KEV) and EPSS is 0.02%, but the attack's integrity impact appears understated by the published CVSS vector, which records A:H/I:N - inconsistent with a hash-bypass that enables modified code/data to be loaded as trusted.
Memory leak in the Linux kernel's Rust-language PWM subsystem allows a local low-privileged attacker to gradually exhaust kernel memory through repeated PWM chip initialization failures. The `pwmchip_alloc()` function allocates a device structure holding an initial reference that must be explicitly released via `pwmchip_put()` on error paths, but when `__pinned_init()` fails the reference is never dropped, leaking the `pwm_chip` allocation. EPSS stands at 0.02% (5th percentile) and the vulnerability is not listed in CISA KEV, indicating no known active exploitation; no public exploit code has been identified at time of analysis.
Reference leak in the Linux kernel's thermal/of subsystem allows a local low-privileged user to degrade system availability through repeated kernel resource exhaustion. The thermal_of_cm_lookup() function acquires a device_node reference via of_parse_phandle() but never releases it, causing reference counts to accumulate without bound on systems with Device Tree-based thermal configuration. No active exploitation is identified (EPSS 0.02%, 5th percentile; no CISA KEV listing), and this is a reliability and availability defect rather than a code-execution primitive; patched stable kernel versions are available across multiple maintained branches.
Improper lock release in the Linux kernel ksmbd subsystem (in-kernel SMB server) allows a local low-privileged user to trigger a deadlock by inducing error paths in `ksmbd_vfs_kern_path_locked` where `ksmbd_vfs_kern_path_end_removing()` is never called to balance the corresponding `ksmbd_vfs_kern_path_start_removing()`. Affected kernel versions span multiple stable branches from 5.15 through 6.17. No public exploit or active exploitation is known; EPSS stands at 0.02% (7th percentile), confirming low real-world exploitation probability.
Missing endpoint descriptor validation in the Linux kernel catc USB Ethernet driver allows a physically-present attacker with a crafted USB device to cause a kernel denial of service. The catc_probe() function submits URBs against hardcoded endpoint pipes (bulk on endpoint 1, interrupt on endpoint 2) without confirming that the connected device actually presents those endpoint types - a malformed device can exploit this assumption to trigger undefined behavior at the URB submission layer. No active exploitation has been confirmed (not listed in CISA KEV), and the EPSS score is extremely low at 0.02% (7th percentile), reflecting limited real-world exploitation likelihood.
Memory leak in the Linux kernel's RDMA/mlx5 subsystem allows a local low-privileged user to exhaust kernel memory by repeatedly triggering the error path in the GET_DATA_DIRECT_SYSFS_PATH uverbs handler. The flaw affects multiple stable kernel branches requiring mlx5-family InfiniBand/RDMA hardware, and was discovered through static analysis and code review rather than active exploitation. No public exploit exists and EPSS probability is 0.02% (5th percentile), indicating no public exploit or active exploitation at time of analysis.
Memory leak in the Linux kernel's MTD TP-Link SafeLoader partition parser allows a local low-privileged user to cause availability degradation on affected embedded systems. The `mtd_parser_tplink_safeloader_parse()` function omits freeing a temporary buffer `buf` on the error path when a subsequent `kmalloc()` for `parts[idx].name` fails inside the parsing loop. No public exploit exists and EPSS is negligible at 0.02% (5th percentile); this vulnerability was identified via static analysis and code review, not observed exploitation.
Local denial-of-condition in the Linux kernel ext4 filesystem driver allows an internal counter (s_dirtyclusters_counter) to be double-decremented to -1 along the block-allocation error path that triggers during filesystem shutdown, surfacing as a WARNING in ext4_put_super(). The flaw lives between ext4_mb_mark_diskspace_used() and ext4_mb_new_blocks(), where a metadata-write failure causes the dirty-clusters reservation to be released twice. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%, 7th percentile); despite the CWE-415 (double free) classification and a 7.8 CVSS, the observed effect is cluster-accounting corruption rather than demonstrated memory corruption.
Reference leak in the Linux kernel IPVS (IP Virtual Server) subsystem allows a local low-privileged user to trigger a race condition between the netdev notifier handler and destination cache update logic, potentially causing kernel resource exhaustion. When a network device is shutting down, the FIB routing subsystem may return a valid route after ip_vs_dst_event() finishes processing, allowing that route to be cached against a closing device and leaking a device reference until the IPVS destination is removed. This is a medium-severity availability issue with no public exploit identified at time of analysis and a very low EPSS score of 0.02% (5th percentile), indicating it is not currently a prioritized exploitation target.
Availability impact in the Linux kernel FAT filesystem driver allows a local low-privileged user to trigger a kernel WARN_ON by mounting and operating on a corrupted FAT image with incorrect directory link counts. Specifically, rmdir unconditionally decrements the parent inode's i_nlink without first verifying it is at least 3, allowing underflow to zero on malformed images. No public exploit has been identified and the EPSS probability is 0.02% (7th percentile), but the kernel WARN_ON can cause a system crash, making the real-world availability impact high on affected systems where users can mount FAT images.
Bridge multicast MDB entry counter underflow in the Linux kernel's `net/bridge/br_multicast.c` allows local attackers with low privileges to trigger a kernel WARN_ON - and a system panic on hosts configured with `panic_on_warn=1` - by manipulating VLAN snooping state on a bridge interface before flushing multicast group entries. Multiple stable kernel branches are affected across all architectures that include the bridge multicast subsystem. No public exploit identified at time of analysis, with an EPSS score of 0.02% (5th percentile) confirming low exploitation probability; patches are available across kernel stable series 6.12, 6.6, 6.18, 6.19, and 7.0.
Ext4 filesystem extent-splitting logic in the Linux kernel incorrectly caches extents mid-operation, leaving stale hole entries in the in-memory extent status tree (ESTree). When a Direct I/O write partially covers a pre-allocated unwritten extent, ext4_split_extent_at() can insert an incorrect hole entry that persists uncorrected, causing space accounting errors when subsequent delayed buffer writes target the same region. No active exploitation has been confirmed (not in CISA KEV), and the EPSS score of 0.02% (7th percentile) reflects negligible real-world exploitation likelihood; this is primarily a kernel correctness and filesystem availability defect rather than a targeted attack surface.
Use-after-free condition in the Linux kernel's RDMA Soft RoCE (rxe) driver allows local privileged users to trigger memory corruption through a race between the QP retransmit_timer handler and rxe_destroy_qp. The flaw stems from the Queue Pair reference count dropping to zero while a timer callback is still executing, producing refcount underflow warnings and potential kernel memory corruption. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Local privilege escalation potential in the Linux kernel's MediaTek clock gate driver stems from incorrect use of __initconst annotations on mtk_gate structures that are accessed at runtime, not just during initialization. After kernel init completes, the memory backing these structs is freed, so any runtime access reads freed memory - affecting Linux 6.18 prior to stable releases 6.18.14 and 6.19.4. CVSS rates this 7.8 (High) with local attack vector; EPSS is 0.02% and no public exploit identified at time of analysis.
Memory leak in the Linux kernel's AMD XDnA accelerator driver (accel/amdxdna) allows a local low-privileged user to degrade system availability by exhausting kernel memory. The amdxdna_ubuf_map() function fails to release previously allocated scatter-gather (sg) and internal sg table memory when error paths are taken during sg_alloc_table_from_pages or dma_map_sgtable operations. No active exploitation is confirmed (absent from CISA KEV), EPSS stands at 0.02% (4th percentile), and impact is strictly limited to availability - no confidentiality or integrity exposure exists.
Deadlock in the Linux kernel mlx5e Mellanox/NVIDIA Ethernet driver allows a low-privileged local attacker to hang the system by triggering network health reporter recovery paths that acquire locks in the wrong order. Specifically, work handlers acquire the netdev instance lock before invoking devlink_health_report, which then attempts to acquire the devlink lock - reversing the mandated devlink → rtnl → netdev ordering and producing an ABBA deadlock. The vulnerability affects systems equipped with Mellanox/NVIDIA ConnectX NICs; no public exploit exists and EPSS sits at 0.02% (4th percentile), consistent with a kernel-internal locking race rather than an externally triggerable flaw.
Race condition in the Linux kernel's XFRM ICMP route lookup path causes a kernel WARN_ON that can crash affected systems. Within `icmp_route_lookup()`, a TOCTOU window between a locality check and a subsequent `ip_route_input()` call allows a concurrently executing `ip addr add` to return a LOCAL route whose `dst.output` is set to `ip_rt_bug()` - a debugging stub that fires `WARN_ON` when invoked during ICMP error transmission. Exploitation requires local access, active XFRM/IPsec policy, and precise race-window timing; no active exploitation is confirmed and EPSS sits at 0.02%, though a public reproducer exists that requires kernel modification to reliably trigger.
Recursive mutex deadlock in the Linux kernel's PowerPC Enhanced Error Handling (EEH) subsystem causes denial of service on IBM POWER systems running affected kernel versions. Commit 1010b4c012b0 inadvertently repositioned pci_lock_rescan_remove() calls so that eeh_handle_normal_event() holds the lock before invoking eeh_pe_bus_get(), which internally attempts to acquire the same mutex, producing a confirmed lockdep-detected deadlock that crashes the EEH daemon and disables PCI error recovery. No public exploit has been identified and the EPSS score of 0.02% (7th percentile) reflects the narrow hardware-specific attack surface; real-world impact is a reliability and availability concern for IBM POWER server operators rather than a traditional security attack vector.
Information disclosure in the Linux kernel BPF subsystem allows a local low-privileged user with BPF program load access to leak kernel memory contents. Incorrect memory-access flags on several ARG_PTR_TO_MEM helper prototypes (notably bpf_get_stack_proto_raw_tp) cause the verifier to wrongly assume helper-written buffers are unchanged, optimizing away subsequent reads and producing stale or uninitialized data that can expose kernel memory. There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and it is not in CISA KEV.
Circular lock dependency in the Linux kernel's netfilter nf_tables subsystem causes kernel deadlock or hang when nft reset, ipset list, and iptables-nft with '-m set' rules execute concurrently, resulting in a local denial of service. The root cause is improper use of commit_mutex in the reset path, which - when interleaved with nfnl_subsys_ipset and nlk_cb_mutex acquisitions - creates a deadlock cycle. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.02% (5th percentile) reflects the low real-world exploitation probability for this class of locking defect.
Memory exhaustion vulnerability in the Linux kernel's CAAM DPAA2 crypto driver allows gradual resource depletion on systems with NXP DPAA2 hardware through unreleased per-CPU net_device allocations during failed probe retries. The regression was introduced when commit 0e1a4d427f58 converted embedded net_device structs to dynamically allocated pointers but omitted cleanup in the dpaa2_dpseci_free() error path - meaning every deferred probe retry triggered by a temporarily unavailable DPIO subsystem silently leaks netdev memory. No public exploit exists and EPSS probability is 0.02% (5th percentile), consistent with the hardware-specific, non-user-controlled nature of the defect.
Availability impact via stale extent cache corruption in the Linux kernel's ext4 filesystem driver allows a local low-privileged user to trigger a kernel denial-of-service condition. When an ext4 extent-splitting operation fails mid-execution, stale entries are left in the extent status tree, which can cause subsequent filesystem operations to crash the kernel. No public exploit exists and EPSS probability sits at 0.02% (7th percentile), reflecting this as a stability bug rather than a targeted attack vector. Vendor-released patches are available across all active stable branches.
Kernel memory corruption in the Linux iWARP Connection Manager (RDMA/iwcm) subsystem can crash systems running RDMA workloads on iWARP-capable hardware such as Intel E830 adapters. The bug, introduced by commit e1168f0 ('RDMA/iwcm: Simplify cm_event_handler()'), causes workqueue list corruption when iwcm_work items from a free list are reused while still queued, triggering a kernel BUG and panic. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 5th percentile), despite a CVSS base score of 9.8.
Counter value underrun in the Linux kernel's netfilter nft_counter subsystem allows a local unprivileged user to corrupt nftables packet and byte counter data through a race condition in concurrent dump-and-reset operations. Two parallel resets can each read the same counter totals and both subtract them, causing the counters to underrun - potentially wrapping unsigned values to astronomically large figures and producing incorrect firewall accounting. No public exploit exists and EPSS is 0.02% (5th percentile), consistent with a low-priority correctness defect rather than a targeted security attack vector.
Linux Kernel quota subsystem livelocks the system when quotactl_block() and freeze_super() execute concurrently on non-preemptible kernels, causing 100% CPU consumption and an indefinite hang of the filesystem freeze process. The root cause is a missing scheduling point in quotactl_block()'s retry loop: on kernels with preemption disabled, the spinning loop never yields the CPU, starving synchronize_rcu() of the RCU quiescent state it needs to advance, which in turn blocks freeze_super() from completing. Affected are Linux kernel versions from commit 576215cffdefc1f0ceebffd87abb390926e6b037 onward, on systems using quota-enabled filesystems; no public exploit or active exploitation has been identified at time of analysis.
Race condition in Linux kernel Intel VT-d IOMMU driver (iommu/vt-d) allows torn reads of Scalable Mode PASID table entries during teardown, producing unpredictable behavior or spurious faults on systems with Intel VT-d enabled. The flaw stems from zeroing the entire 64-byte PASID entry while the Present bit is still set, violating the VT-d spec's invalidation guidance. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but a vendor patch is available across multiple stable branches.
Out-of-bounds read in the Linux kernel's AppArmor subsystem allows a local, low-privileged attacker to leak adjacent kernel memory and potentially crash the system when AppArmor parses a policy table built from possibly unaligned, userspace-supplied source data. The flaw stems from unaligned memory accesses during table creation in the policy loader and carries high confidentiality and availability impact. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.02%, 5th percentile), consistent with a hard-to-reach local-only kernel hardening fix rather than a mass-exploitation target.
Stale unwritten extent retention in the Linux kernel ext4 filesystem's in-memory extent status cache allows a local low-privileged user to trigger filesystem state inconsistency with high availability impact. The flaw manifests in ext4_split_extent() when a PARTIAL_VALID1 zeroout operation succeeds but the subsequent split at the first boundary fails due to temporary memory pressure, leaving the extent status tree out of sync with on-disk extent data. Patched stable releases are available; no public exploit or CISA KEV listing has been identified at time of analysis, and EPSS exploitation probability sits at 0.02% (5th percentile).
Local privilege-holder denial of service (and potential kernel memory corruption) in the Linux kernel's HiSilicon hns3 network driver allows a user with CAP_NET_ADMIN to trigger a double-free of the tx_spare backup buffer. The flaw lives in hns3_set_ringparam(), where a temporary ring copy is made for rollback but the original ring's tx_spare pointer is left dangling; if a subsequent allocation in hns3_init_all_ring() fails, the error path frees the stale pointer twice (CWE-415). EPSS is negligible (0.02%, 7th percentile) and there is no public exploit identified at time of analysis, but a vendor-released patch is available across multiple stable trees.
Guest-to-host denial of service in the Linux kernel's xen-netback driver allows a malicious or buggy Xen guest to crash the hypervisor host by writing "0" to the xenbus key multi-queue-num-queues. The connect() function validates only the upper bound of requested_num_queues, permitting a zero value to reach vzalloc(array_size(0, ...)), which triggers WARN_ON_ONCE in __vmalloc_node_range(); on hosts with panic_on_warn=1 this escalates to a full kernel panic. No public exploit exists and EPSS is 0.02% (7th percentile), consistent with a narrow Xen-specific attack surface, but the guest-controlled code path is trivial to trigger and vendor patches have been backported across seven stable kernel series, confirming the impact is real.
Divide-by-zero kernel panic (Oops) in the Linux kernel MPTCP subsystem's `mptcp_rcvbuf_grow()` function can be triggered by a local authenticated user under a rare but specific race condition involving concurrent out-of-order packet arrival and receive buffer initialization. The vulnerability also causes a secondary effect where the MPTCP receive buffer slowly drifts toward the `tcp_rmem[2]` maximum, degrading system performance on MPTCP-heavy workloads. No public exploit identified at time of analysis; EPSS is 0.02% (4th percentile), consistent with its local-only, race-dependent nature.
Memory leak in the Linux kernel's md/raid1 subsystem allows a local attacker with access to RAID configuration interfaces to gradually exhaust kernel memory by repeatedly triggering the faulty error path in raid1_run(). Affected kernel versions span multiple stable branches prior to 6.12.75, 6.18.14, 6.19.4, and 7.0. No public exploit identified at time of analysis; EPSS at 0.02% (5th percentile) and confirmed discovery via static analysis rather than active exploitation signals minimal real-world risk. Vendor-released patches are available across all affected stable branches.
Memory leak in the Linux kernel's af_unix subsystem allows a local low-privileged user to exhaust kernel memory by repeatedly triggering a failure path in unix_stream_connect(). When prepare_peercred() fails after unix_create1() has already allocated a new socket object (newsk), the error path omits the required unix_release_sock() call, leaving kernel memory permanently unreleased. No public exploit has been identified at time of analysis; EPSS at 0.02% (4th percentile) reflects negligible widespread exploitation likelihood, consistent with the local-only attack vector.
BPF verifier rejection in the Linux kernel's XDP subsystem forces valid BPF programs to fail load-time verification when they pass pointers from BPF_F_RDONLY_PROG maps to the bpf_xdp_store_bytes helper. The root cause is an incorrect argument type annotation - the helper's third argument (source buffer) is declared as ARG_PTR_TO_UNINIT_MEM, which carries the MEM_WRITE flag, causing the verifier to demand write permission on memory that the helper only reads. Separately, this same mistype permits the helper to read from uninitialized memory (CWE-908). No public exploit is identified at time of analysis, and EPSS sits at 0.02%, but kernel patches across all active stable branches have been issued.
Integer underflow in the Linux kernel's AppArmor subsystem (`aa_get_buffer()`) allows a local low-privileged user to cause per-CPU buffer starvation and system-wide denial of service. The `cache->hold` unsigned counter wraps to UINT_MAX when decremented below zero, permanently preventing `aa_put_buffer()` from recycling buffers back to the global pool and forcing repeated `kmalloc(aa_g_path_max)` heap allocations that starve other CPUs. No public exploit exists and EPSS is 0.02% (5th percentile); this is not in CISA KEV, but patches are available across multiple stable kernel branches.
Resource leak in the Linux kernel's sca3000 IIO accelerometer driver (sca3000_probe()) allows a local low-privileged user on affected hardware to cause IRQ resource exhaustion by repeatedly triggering the error path where iio_device_register() fails without releasing the IRQ registered via request_threaded_irq(). Affected are Linux kernel versions from approximately 4.10 through multiple stable branches, all of which now have upstream fix commits. No public exploit exists and EPSS stands at 0.02% (7th percentile), indicating this is a robustness/maintenance fix rather than an actively targeted vulnerability.
Memory exhaustion via the MediaTek SVS (Smart Voltage Scaling) debugfs interface in the Linux kernel allows a local attacker with low privileges to leak kernel memory on MediaTek SoC-based systems. The root cause is that `svs_enable_debug_write()` allocates a buffer via `memdup_user_nul()` to copy user-supplied input, but fails to free it when the subsequent `kstrtoint()` call rejects non-integer input - a classic CWE-401 missing-release flaw. No public exploit has been identified and EPSS is 0.02% (7th percentile), making this a low-urgency, patch-when-convenient issue for the narrow device population running affected MediaTek SoC kernels.
PCI/P2PDMA subsystem in the Linux kernel hangs indefinitely on PCI device removal due to a missing percpu_ref_put() call on the error exit path of p2pmem_alloc_mmap(). Low-privileged local users on systems with P2PDMA-capable PCI hardware can trigger a vm_insert_page() failure that leaks a per-CPU pgmap reference, causing memunmap_pages() to stall forever when the PCI device is later removed. No public exploit has been identified and EPSS is at the 5th percentile; this is not in CISA KEV.
Regulator resource leak in the Linux kernel MFD Arizona WM5102 audio codec driver causes availability degradation on affected hardware when the write sequencer error path is triggered. The `wm5102_clear_write_sequencer()` helper returns early on error without jumping to the `err_reset` cleanup label, leaving kernel voltage regulators enabled and leaking resources across repeated invocations. Exploitation requires local low-privilege access on systems with WM5102 hardware; EPSS is 0.02% (7th percentile) and no active exploitation has been identified, placing real-world priority firmly in the low tier.
Denial-of-service via kernel crash in the Linux kernel's netfilter nft_set_rbtree subsystem, exploitable by a local user with nftables manipulation capability. The flaw lies in the partial overlap detection logic for anonymous sets: an optimization that omits end elements for adjacent intervals also inadvertently suppresses overlap checks on start elements, allowing two intervals sharing the same start point (e.g., A-B and A-C where C < B) to be inserted simultaneously, corrupting the red-black tree and triggering a kernel panic. No public exploit code has been identified at time of analysis, and the EPSS score of 0.02% (7th percentile) reflects low real-world exploitation probability, though the vulnerability is present across many long-term stable kernel branches.
Memory exhaustion denial-of-service in the Linux kernel smartpqi SCSI driver allows a local user to degrade system availability through kernel memory leak accumulation. The vulnerability exists in pqi_report_phys_luns(), which fails to release the rpl_list buffer on two distinct error paths - unsupported data format detection and rpl_16byte_wwid_list allocation failure - both of which bypass cleanup logic. No public exploit exists and EPSS sits at 0.02% (7th percentile), but systems running Microsemi/PMC-Sierra SmartPQI RAID controllers on unpatched kernels are at risk of gradual availability degradation.
Resource leak in the Linux kernel's st33zp24 TPM driver allows a low-privileged local user to exhaust TPM localities and deny TPM service on systems equipped with STMicroelectronics ST33ZP24 hardware. When get_burstcount() returns -EBUSY on timeout, st33zp24_send() exits without releasing the previously acquired TPM locality, creating a cumulative leak that can render all subsequent TPM operations unavailable. No public exploit code exists and EPSS probability is 0.02% (7th percentile), but systems relying on the ST33ZP24 for measured boot or disk-encryption attestation face meaningful operational risk if exploited.
Memory leaks in the Linux kernel's SUNRPC auth_gss subsystem allow a local low-privilege attacker to gradually exhaust kernel heap memory on systems using NFS with Kerberos (RPCSEC_GSS) authentication. The gssx_dec_ctx(), gssx_dec_status(), and gssx_dec_name() XDR decoding functions fail to release previously allocated kernel buffers when a partial decode sequence errors out mid-function, leaving unreferenced kmemdup() allocations on the heap. No public exploit exists and EPSS is 0.02%, but no public exploit identified at time of analysis; repeated triggering of the vulnerable paths could degrade availability on RPCSEC_GSS-enabled servers.
Reference count leak in the Linux kernel's pinctrl-single driver (`pcs_add_gpio_func()`) allows a local low-privileged user to cause kernel memory exhaustion and denial of service on affected embedded/SoC platforms. The `of_parse_phandle_with_args()` Device Tree API increments a refcount on the returned device_node pointer, but the iterating loop never calls `of_node_put()` to release it - accumulating leaked references on every GPIO phandle processed. No public exploit exists and EPSS is 0.02%, placing this firmly in the low-urgency patch category; exploitation requires specific hardware and driver configuration not present on typical x86 servers.
Local privilege-bounded use-after-free in the Linux kernel's CAIF serial line discipline (caif_serial / CONFIG_CAIF_TTY) lets a local attacker corrupt kernel memory by racing ldisc_close() against packet transmission. ldisc_close() drops the tty reference via tty_kref_put() while the CAIF network device is still live, so a concurrent caif_xmit()/handle_tx() can dereference the freed tty (ser->tty) and call tty->ops->write() on dangling memory, confirmed by a KASAN slab-use-after-free report. A reproducer is published, but no public weaponized exploit and no active exploitation are recorded; EPSS is 0.02% (7th percentile), consistent with a niche driver and a tight race window.
Uninitialized stack memory exposure in the Linux kernel's MCTP-over-I2C (mctp-i2c) driver affects systems using i2c-aspeed or i2c-npcm7xx bus drivers, particularly server/BMC hardware with Aspeed and Nuvoton chipsets. When a read is performed against an mctp-i2c device instance, the event handler fails to initialize the 'val' byte before returning it to the caller, exposing whatever residual value sits on the kernel stack at that moment. No public exploit has been identified at time of analysis, and with an EPSS of 0.03% (10th percentile), real-world exploitation pressure is currently negligible; however, kernel stack data leakage is a meaningful information disclosure primitive on affected hardware.
Memory leak in the Linux kernel's DesignWare i3c master driver (`drivers/i3c/master/dw-i3c-master.c`) allows a local low-privileged user on systems equipped with DesignWare i3c hardware to cause gradual kernel memory exhaustion by repeatedly triggering the failure path in `dw_i3c_master_i2c_xfers()`, where `dw_i3c_master_alloc_xfer()` allocates a transfer structure that is never freed when `pm_runtime_resume_and_get()` returns an error. No public exploit identified at time of analysis; EPSS of 0.02% (5th percentile) and the static-analysis discovery method both confirm this is a low-immediacy, low-exploitation-probability issue. Vendor-released patches are available across multiple stable kernel branches.
Race condition in the Linux kernel's Intel VT-d IOMMU driver allows non-coherent IOMMU hardware to read uninitialized memory from a freshly allocated PASID table because the PASID directory entry is published before the CPU cache flush completes. With CVSS 7.8 (AV:L/AC:H/PR:L) and EPSS at 0.02% (7th percentile), no public exploit identified at time of analysis, and the issue requires local privileges plus precise timing against non-coherent IOMMU hardware. The fix is included across multiple stable kernel branches.
Local privilege escalation potential in the Linux kernel's GFS2 (Global File System 2) filesystem stems from a slab-use-after-free in qd_put() that corrupts the quota data LRU list during filesystem shutdown. Local authenticated users with access to a GFS2 mount could trigger the shrinker path (gfs2_qd_shrink_scan) to dereference freed objects, with EPSS at 0.02% indicating no public exploit identified at time of analysis. The flaw was introduced by commit a475c5dd16e5 which began freeing quota data synchronously without removing entries from the LRU list first.
Denial of service in the Linux kernel netfilter nf_conncount subsystem allows remote attackers to trigger erroneous connection limit enforcement by establishing more than 8 new tracked connections per jiffy, causing the garbage collector to fall behind and the connection list to wrongly hit its cap. The flaw affects systems using nft_connlimit, xt_connlimit, or OVS connection limit features, with availability impact only (CVSS 7.5, AV:N/AC:L/PR:N/UI:N/A:H). EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the issue is reproducible with common HTTP load tools such as slowhttptest.
Stale data exposure and filesystem data corruption in the Linux kernel's ext4 extent-splitting subsystem affects all major stable branches prior to 6.6.130, 6.12.75, 6.18.14, 6.19.4, and 7.0. When ext4_split_extent_at() encounters a transient ENOSPC condition while splitting a large unwritten extent at its first boundary, the error path incorrectly zeroes out and marks the entire extent as written - leaving stale disk content from adjacent regions readable in areas that should remain unwritten or zero-filled. No public exploit identified at time of analysis; EPSS at 0.02% (5th percentile) reflects the narrow, local-only, condition-dependent trigger path that makes automated or widespread exploitation highly unlikely.
Out-of-bounds kernel heap read in the Linux kernel's RDMA/uverbs subsystem allows local low-privileged users with access to InfiniBand/RDMA device nodes to leak kernel memory or trigger a denial-of-service WARNING by submitting a crafted ib_uverbs_post_send command with an undersized or oversized wqe_size value. EPSS is very low (0.02%, 7th percentile) and there is no public exploit identified at time of analysis, but the bug is fixed upstream across multiple stable trees, so patched versions should be deployed where RDMA is exposed to untrusted local users.
Non-NCQ command starvation in the Linux kernel's libata-scsi layer can cause complete denial of service for certain disk I/O operations on systems using multi-queue ATA host adapters. On affected hardware, when a target storage device is under sustained NCQ (Native Command Queuing) traffic, the SCSI layer's SCSI_MLQUEUE_XXX_BUSY requeue mechanism provides no forward-progress guarantees for non-NCQ commands - other CPU cores can continuously inject new NCQ commands from separate submission queues, indefinitely deferring the non-NCQ command. No public exploit has been identified at time of analysis and EPSS probability is very low (0.02%, 5th percentile), but the bug can manifest naturally under heavy I/O workloads without deliberate exploitation.
Kernel panic in the Linux inside-secure/eip93 hardware crypto driver occurs when the driver teardown routine unconditionally unregisters all cryptographic algorithms, including those never registered because the underlying EIP93 silicon does not implement them. Platforms with partial EIP93 silicon support - where only a subset of algorithms are burned into hardware - trigger the panic during module removal or system shutdown. No public exploit exists and EPSS sits at the 4th percentile (0.02%), indicating this is primarily a stability defect with negligible exploitation interest rather than a targeted attack surface.
Local privilege escalation and kernel memory corruption in the Linux kernel's RDMA Soft RoCE (rxe) driver stems from a double-free in rxe_srq_from_init() when copy_to_user() fails after the queue pointer has already been assigned to srq->rq.queue. A local user with permission to create Shared Receive Queues over RDMA can trigger the error path to cause the same memory to be freed twice via rxe_srq_cleanup(), enabling kernel heap corruption with potential for privilege escalation. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 7th percentile).
Denial of service in the Linux kernel's EFI unaccepted-memory handling allows a boot-time kernel panic on confidential-computing guests, affecting kernels from 6.6 through the 6.19/7.0 development line. The reserve_unaccepted() routine miscalculates the memblock reservation size when the unaccepted memory table is not page-aligned, leaving the table's tail unreserved so it can be overwritten or rendered inaccessible, triggering a panic in accept_memory(). It is observed on Intel TDX VMs with larger memory sizes (e.g. >64GB); there is no public exploit identified at time of analysis and EPSS is negligible (0.02%).
Incorrect offset handling in the Linux kernel IPVS subsystem causes IPv6 protocol checksum validation to fail when extension headers precede the transport header, disrupting availability on systems acting as IPv6 load balancers. Affected across a broad kernel version range from 2.6.28 onward, with fixes confirmed in stable releases 6.19.4 and mainline 7.0. No public exploit code exists and no active exploitation has been identified; EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation pressure.
Race condition in the Linux kernel's ublk (userspace block device) subsystem allows a local low-privileged attacker to crash the kernel by concurrently modifying io_uring submission queue entries during kernel processing. The ublksrv_ctrl_cmd struct resides in userspace-mapped shared memory, and unguarded normal loads let a racing userspace thread corrupt the kernel's view of the command, triggering a denial-of-service condition. No public exploit exists and EPSS is 0.02%, but fixed kernel versions 6.19.4 and 7.0 are confirmed available.
Invalid leaf access in the btrfs quota subsystem of the Linux kernel allows a local low-privileged user to crash the system by triggering a denial-of-service condition in `btrfs_quota_enable()`. When `btrfs_search_slot_for_read()` returns 1 - signaling end-of-tree with no valid key found - the function fails to exit its loop and proceeds to dereference the now-invalid path pointer, causing a kernel panic. Patched versions are confirmed across multiple stable series (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, 7.0); no public exploit or CISA KEV listing exists at time of analysis.
Indefinite kernel hang in the Linux mlx5_ib RDMA driver causes denial of service during device unload when a firmware reset occurs in LAG (Link Aggregation Group) mode. The race condition leaves UMR (User Memory Registration) deregistration operations blocked forever - posted on the master NIC but awaiting completions from a slave that is already dead - deadlocking the teardown sequence and requiring a hard reboot. No public exploit has been identified, EPSS sits at 0.02% (5th percentile), and impact is confined to systems with Mellanox/NVIDIA mlx5 hardware explicitly configured in bonded LAG mode with active RDMA workloads.
Use-after-free and double-free conditions in the Linux kernel's SMB client (smb2_open_file) can be triggered when SMB2_open() retry paths fail to zero out err_iov and err_buftype buffers, leading to memory corruption. The flaw affects multiple stable kernel branches (6.1, 6.6, 6.12, 6.18) and is fixed in upstream patches; no public exploit identified at time of analysis and EPSS is very low (0.02%) despite the 9.8 CVSS score.
Uncontrolled BPF program signature size in the Linux kernel allows a low-privileged local user to force the kernel into expensive memory allocation paths (kmalloc_large or vmalloc) by supplying an arbitrarily large signature size value to the BPF_PROG_LOAD operation. Affected kernel versions prior to 6.18.14, 6.19.4, and 7.0 are vulnerable to local denial-of-service through kernel memory exhaustion. No public exploit has been identified at time of analysis and no active exploitation is confirmed (not in CISA KEV), with an EPSS score of 0.02% (4th percentile) indicating very low automated exploitation probability.
Kernel crash (denial of service) in the Linux kernel BPF subsystem affects local low-privileged users due to a double-offset bug in the instruction array map. The `map_direct_value_addr()` function incorrectly adds the caller-supplied offset to the returned address, then `resolve_pseudo_ldimm64()` adds it a second time, resulting in an incorrect memory address that can trigger a kernel fault. No public exploit exists and the EPSS score is 0.02% (5th percentile), indicating very low opportunistic exploitation risk, but the availability impact is rated High per CVSS.
Memory exhaustion in the Linux kernel's SUNRPC GSS authentication subsystem (net/sunrpc/auth_gss/auth_gss.c) allows a local low-privileged user to leak kernel memory by repeatedly triggering a specific error path where kstrdup_const() fails during gss_alloc_msg() processing, preventing gss_auth structures from ever being freed. The defect was introduced by commit 5940d1cf9f42, which added kref_get(&gss_auth->kref) without the corresponding kref_put() on the err_put_pipe_version error path when service_name is non-NULL. With EPSS at 0.02% (7th percentile), no CISA KEV listing, and no public exploit, this is a low-urgency memory management defect primarily relevant to systems running NFS with Kerberos/RPCSEC_GSS authentication.
Out-of-bounds memory access in the Linux kernel ublk (userspace block device) subsystem allows a local low-privilege user to crash the kernel by submitting an io_uring control command without the IO_URING_F_SQE128 flag set. The root cause is that ublk_ctrl_cmd_dump() unconditionally accesses the extended cmd field of a Submission Queue Entry before ublk_ctrl_uring_cmd() validates that the SQE is 128 bytes in size, reading beyond the 64-byte standard SQE boundary. No public exploit is identified at time of analysis, and the EPSS score of 0.02% at the 7th percentile signals very low exploitation probability.
Kernel panic via reference count corruption in the Linux kernel's HFS+ filesystem driver (hfsplus) allows a local attacker with low privileges to crash the system. The function hfs_bnode_create() returns an already-hashed B-tree node without incrementing its reference count when it unexpectedly encounters a node that should not yet exist - a condition triggered by filesystem corruption or a logic error in hfs_bmap_alloc(). When hfs_bnode_put() later decrements the reference count to zero and attempts cleanup, the kernel triggers a fatal BUG_ON(!atomic_read(&node->refcnt)) assertion at bnode.c:676, causing an immediate kernel panic. No public exploit exists and EPSS is 0.02% (7th percentile), consistent with the local-only attack vector and niche trigger conditions, but the availability impact is total for affected systems.
Denial of service in the Linux kernel's RCU (Read-Copy-Update) subsystem allows a local condition to trigger an infinite recursion deadloop in rcu_read_unlock_special() when ftrace is enabled, leading to kernel hang or crash. The flaw stems from a missing recursion-protection flag when raise_softirq_irqoff() is invoked from the RCU unlock path, causing repeated re-entry through the softirq/trace stack. No public exploit identified at time of analysis and EPSS rates exploitation probability at 0.02%.
High-impact integrity and availability flaw in the Linux kernel's md-llbitmap (multi-device log-based bitmap) subsystem allows a local low-privileged attacker to render RAID bitmap page control structures permanently unusable. When llbitmap_suspend_timeout() times out, percpu_ref is left in a killed state and never resurrected, breaking subsequent md daemon operations on that page. EPSS is very low (0.02%, 4th percentile) and no public exploit is identified at time of analysis, but vendor-released patches are available in 6.18.14 and 6.19.4.
Memory leak in Linux kernel's fbdev au1200fb framebuffer driver causes resource exhaustion when the probe function encounters IRQ allocation failure. The vulnerability exists in au1200fb_drv_probe() within the au1200fb driver: when platform_get_irq() returns an error, the function returns immediately without releasing previously allocated memory, leading to kernel heap exhaustion over time. Local attackers or repeated probe failures (e.g., via hotplug events on affected MIPS-based Alchemy hardware) can deplete kernel memory, resulting in denial of service. No public exploit has been identified at time of analysis, and EPSS at 0.02% (7th percentile) confirms negligible exploitation interest.
IO deadloop in Linux kernel's md/raid5 subsystem causes complete availability loss on systems running degraded RAID5 arrays with llbitmap enabled. When llbitmap bit state is 'unwritten', the missing synchronization check in need_this_block() diverges from the check present in handle_stripe_dirtying(), trapping handle_stripe() in an infinite loop that never makes progress - effectively hanging all IO on the affected array. No public exploit is identified at time of analysis, and EPSS at 0.02% (4th percentile) reflects very low real-world exploitation probability, consistent with the narrow deployment conditions required.
Missing MTU validation in the Linux kernel fbnic Ethernet driver allows a local low-privileged user to trigger a denial of service by increasing the interface MTU after an XDP program is already attached. Increasing the MTU beyond the HDS (Header Data Split) threshold causes the fbnic hardware to fragment packets across multiple buffers; since single-buffer XDP programs cannot process multi-fragment frames, the driver silently drops them - breaking new TCP streams and discarding oversized non-TCP traffic. No public exploit exists and EPSS is 0.02% (4th percentile), placing this firmly in the low-priority tier despite its High availability rating; patches are confirmed available in Linux 6.18.14, 6.19.4, and 7.0.
Local privilege escalation in the Linux kernel's BPF subsystem stems from incorrect refcounting in check_pseudo_btf_id() that can leave a BTF (BPF Type Format) object with a zero refcount while still in use, creating a use-after-free condition. Affected kernels (around 6.14 through pre-patch 6.18.14/6.19.4) allow a local low-privileged user capable of loading BPF programs to corrupt kernel memory, with no public exploit identified at time of analysis and EPSS scoring exploitation likelihood at only 0.02%.
Memory leak in the Linux kernel's StarFive AES crypto driver allows a local low-privileged user on affected StarFive JH7110 RISC-V hardware to exhaust kernel memory and cause a denial of service. The flaw resides in starfive_aes_aead_do_one_req(), where kzalloc()-allocated memory for rctx->adata is not freed on two distinct error paths - failures in sg_copy_to_buffer() or starfive_aes_hw_init() - resulting in unreleased heap memory each time an AEAD operation fails. No public exploit exists and EPSS is extremely low at 0.02%, consistent with a hardware-specific, analysis-discovered defect rather than an actively targeted weakness.
Use-after-free race condition in the Linux kernel hwrng (hardware random number generator) core subsystem allows a local attacker with low privileges to crash the kernel, causing a denial of service. The race occurs when hwrng_register() and hwrng_unregister() execute concurrently, leaving the hwrng_fill pointer dirty and enabling kthread_stop() to be invoked on an already-freed task_struct - confirmed in the virtrng_remove call path, making virtualized Linux environments a primary real-world attack surface. No public exploit code exists and no active exploitation (KEV) has been confirmed; the EPSS score of 0.02% reflects minimal opportunistic exploitation activity.
Memory exhaustion in the Linux kernel's ext4 filesystem driver allows a local low-privilege user to gradually degrade system availability by repeatedly triggering a kernel memory leak in ext4_ext_shift_extents(). The flaw, present since approximately kernel 3.15, causes path structures allocated by ext4_find_extent() to go unreleased when a NULL extent is encountered during fallocate shift operations. With no CISA KEV listing, an EPSS of 0.02%, and no public exploit code identified, this is a low-urgency but genuine patch priority for long-lived ext4 systems with unprivileged local users.
Memory exhaustion in the Linux kernel's drm/amdgpu driver allows a local low-privileged user on AMD GPU-equipped systems to degrade host availability by repeatedly triggering an error path in amdgpu_acpi_enumerate_xcc() that leaks kernel heap memory. The root cause is a missing free of the xcc_info structure when amdgpu_acpi_dev_init() returns -ENOMEM, identified through static analysis and code review rather than active exploitation. With EPSS at 0.02% (5th percentile) and no CISA KEV listing, this is a low-priority maintenance fix for most environments, most relevant to long-running AMD GPU compute workloads where repeated enumeration failures could accumulate leaked memory.
Race condition in the Linux kernel's Intel VT-d IOMMU driver allows a local low-privileged attacker to trigger inconsistent PASID table state during domain replacement, potentially producing spurious IOMMU faults and unpredictable DMA behavior with cross-scope impact. The flaw stems from non-atomic updates to 512-bit PASID entries while the Present bit is set, and no public exploit identified at time of analysis despite a high CVSS score driven by the scope-changed local attack surface.
Race condition in the Intel VT-d IOMMU driver of the Linux kernel allows a window where hardware can fetch a 'torn' context entry while the Present bit is still set, leading to unpredictable IOMMU behavior or spurious DMA faults on affected systems. The flaw stems from non-atomic teardown of 128-bit context entries via multiple 64-bit writes and is addressed by aligning with the VT-d specification's ownership handshake (Section 6.5.3.3); no public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%.
Kernel NULL pointer dereference in the Linux EROFS compressed filesystem driver allows a local user reading from an EROFS image to crash the system. The flaw lives in z_erofs_decompress_pcluster(), where compressed folios for ztailpacking pclusters are added to I/O chains before being validated; if inline-data reading fails (notably when a fatal signal interrupts read_mapping_folio()), decompression assumes the folios are valid and dereferences a NULL pointer. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%), and the issue is not in CISA KEV.
Filesystem data integrity issue in the Linux kernel ext4 module allows local low-privileged users to trigger bitmap inconsistencies through a race condition between page migration and ext4 buddy bitmap modification under mixed huge-page workloads. The flaw can produce false group descriptor mismatches and corruption of in-memory block allocation state, with high confidentiality, integrity, and availability impact per CVSS 7.8 (AV:L). No public exploit has been identified at time of analysis and EPSS is very low at 0.02%.
TPM locality leak in the Linux kernel's tpm_i2c_infineon driver allows a local user on an affected system to exhaust TPM localities and render the TPM device unavailable. The tpm_tis_i2c_send() function acquires a TPM locality at entry but fails to release it when get_burstcount() times out with -EBUSY, causing a resource leak on every such timeout. Patches are available across multiple stable kernel branches; no public exploit code or active exploitation (CISA KEV) has been identified, and EPSS is 0.02% at the 7th percentile.
Kernel crash (oops) in the stmmac GMAC4 Ethernet driver causes a denial of service when split header reception is enabled. The stmmac receive path incorrectly assumes that buf2 of the first DMA descriptor is always fully populated with payload, but the GMAC4 hardware does not guarantee this in all cases. When the assumption is violated, the driver miscalculates the length of buf2 in the second descriptor, resulting in an invalid virtual address dereference deep in the DMA cache-invalidation path, crashing the kernel. No public exploit has been identified at time of analysis, and EPSS is 0.02% (4th percentile), indicating negligible opportunistic exploitation interest.
Memory leak in the Linux kernel's NI USB GPIB driver allows a local low-privileged user to exhaust kernel memory by repeatedly triggering a failed initialization path. The flaw exists in ni_usb_init(), where a writes buffer is allocated but never freed when ni_usb_setup_init() returns failure, compounding the issue with an incorrect error code (-EFAULT instead of -EINVAL). No public exploit is identified at time of analysis, and EPSS sits at 0.02%, consistent with the niche hardware driver context and local-only attack surface.
Kernel panic in the Linux kernel's Inside Secure EIP-93 hardware crypto driver occurs during driver detach due to a loop iterator bug that causes the same hash algorithm to be unregistered multiple times. Systems equipped with Inside Secure EIP-93 cryptographic accelerator hardware and running unpatched kernels between the introducing commit (9739f5f93b78) and the fix commits are vulnerable. A local low-privileged user who can trigger driver detach - via module unload or device removal - can crash the kernel, resulting in a full system denial of service. No public exploit exists and EPSS is 0.02% (4th percentile), indicating negligible in-the-wild activity.
Heap buffer overflow read in the Linux kernel's NTFS3 filesystem driver allows local attackers to trigger out-of-bounds memory access by mounting or processing a maliciously crafted NTFS volume. The flaw resides in the DeleteIndexEntryRoot path of the do_action function, where an attacker-controlled entry size ('esize') bypasses bounds checks and causes memmove to operate on an unsigned-converted negative offset. EPSS scores exploitation probability at 0.03% (9th percentile) and no public exploit has been identified at time of analysis.
Btrfs transaction aborts in the Linux kernel allow local low-privileged users to crash the filesystem by triggering a logic defect in DUP chunk allocation that generates overlapping physical address ranges in the chunk map. Systems running btrfs with DUP metadata profiles - the default for single-device btrfs deployments - can encounter EEXIST (-17) errors in insert_dev_extents() during btrfs_create_pending_block_groups(), causing the transaction to abort and the filesystem to enter an error state. No public exploit or active exploitation (CISA KEV) has been identified; with an EPSS of 0.02% (4th percentile), this is a kernel reliability defect of operational concern to btrfs operators rather than a traditional attack vector.
Local privilege escalation potential in the Linux kernel BPF verifier (introduced in 6.11+ commit 98d7ca374ba4) arises from sync_linked_regs() failing to preserve register IDs when propagating bounds, breaking linked-register tracking and allowing crafted eBPF programs to bypass the verifier's range analysis. EPSS is very low (0.02%) and the issue is not in CISA KEV, but the BPF verifier is a historically high-value local attack surface, and upstream patches landed in 6.12.75, 6.18.14, and 6.19.4. No public exploit identified at time of analysis.
Uninitialized kernel memory leaks to local users via the MCTP netlink subsystem in the Linux kernel, where RTM_GETNEIGH responses return stale kernel data in the pad bytes of ndmsg structures across link, addr, and neigh response messages. Any local user with PR:L access to the MCTP netlink interface can extract arbitrary pad-byte contents from kernel memory allocations, potentially exposing pointers, partial stack data, or remnants of prior allocations that could assist in defeating kernel address space layout randomization (KASLR). Disclosed by Syed Faraz Abrar (Zellic) and Pumpkin (DEVCORE Research Team) via Trend Micro Zero Day Initiative; no public exploit code exists and EPSS sits at the 5th percentile (0.02%), indicating negligible active exploitation at time of analysis.
Use-after-free in the Linux kernel's OpenVPN data channel offload (ovpn) module allows a local attacker with low privileges to potentially trigger memory corruption when transmitting shared sk_buff packets through ovpn_net_xmit. The flaw stems from continued use of a stale skb pointer after skb_share_check frees the original buffer, affecting peer lookup, skb_dst_drop, and TX statistics paths. No public exploit identified at time of analysis, and the EPSS probability is very low (0.02%), suggesting the bug is more of a stability and memory-safety concern than an imminently weaponized vector.
Memory leak in the Linux kernel's chips-media wave5 VPU media driver allows a local low-privileged user to exhaust kernel memory, resulting in denial of service. The flaw exists in both the encoder and decoder open paths - wave5_vpu_open_enc() and wave5_vpu_open_dec() - where a VPU instance allocated via kzalloc() is not freed when the subsequent codec_info allocation fails. No public exploit exists and EPSS sits at 0.02% (5th percentile), reflecting the hardware-specific and local-only nature of this issue.
BPF map hash verification in the Linux kernel is vulnerable to a TOCTOU race condition that allows a local low-privileged attacker to bypass integrity checks enforced by trusted BPF loaders. Userspace can call BPF_OBJ_GET_INFO_BY_FD to prime the hash cache, then modify the map contents in the race window before freezing it, causing a trusted loader to verify the original (stale) hash against the silently-altered map. No active exploitation is confirmed (not in CISA KEV) and EPSS is 0.02%, but the attack's integrity impact appears understated by the published CVSS vector, which records A:H/I:N - inconsistent with a hash-bypass that enables modified code/data to be loaded as trusted.
Memory leak in the Linux kernel's Rust-language PWM subsystem allows a local low-privileged attacker to gradually exhaust kernel memory through repeated PWM chip initialization failures. The `pwmchip_alloc()` function allocates a device structure holding an initial reference that must be explicitly released via `pwmchip_put()` on error paths, but when `__pinned_init()` fails the reference is never dropped, leaking the `pwm_chip` allocation. EPSS stands at 0.02% (5th percentile) and the vulnerability is not listed in CISA KEV, indicating no known active exploitation; no public exploit code has been identified at time of analysis.
Reference leak in the Linux kernel's thermal/of subsystem allows a local low-privileged user to degrade system availability through repeated kernel resource exhaustion. The thermal_of_cm_lookup() function acquires a device_node reference via of_parse_phandle() but never releases it, causing reference counts to accumulate without bound on systems with Device Tree-based thermal configuration. No active exploitation is identified (EPSS 0.02%, 5th percentile; no CISA KEV listing), and this is a reliability and availability defect rather than a code-execution primitive; patched stable kernel versions are available across multiple maintained branches.
Improper lock release in the Linux kernel ksmbd subsystem (in-kernel SMB server) allows a local low-privileged user to trigger a deadlock by inducing error paths in `ksmbd_vfs_kern_path_locked` where `ksmbd_vfs_kern_path_end_removing()` is never called to balance the corresponding `ksmbd_vfs_kern_path_start_removing()`. Affected kernel versions span multiple stable branches from 5.15 through 6.17. No public exploit or active exploitation is known; EPSS stands at 0.02% (7th percentile), confirming low real-world exploitation probability.
Missing endpoint descriptor validation in the Linux kernel catc USB Ethernet driver allows a physically-present attacker with a crafted USB device to cause a kernel denial of service. The catc_probe() function submits URBs against hardcoded endpoint pipes (bulk on endpoint 1, interrupt on endpoint 2) without confirming that the connected device actually presents those endpoint types - a malformed device can exploit this assumption to trigger undefined behavior at the URB submission layer. No active exploitation has been confirmed (not listed in CISA KEV), and the EPSS score is extremely low at 0.02% (7th percentile), reflecting limited real-world exploitation likelihood.
Memory leak in the Linux kernel's RDMA/mlx5 subsystem allows a local low-privileged user to exhaust kernel memory by repeatedly triggering the error path in the GET_DATA_DIRECT_SYSFS_PATH uverbs handler. The flaw affects multiple stable kernel branches requiring mlx5-family InfiniBand/RDMA hardware, and was discovered through static analysis and code review rather than active exploitation. No public exploit exists and EPSS probability is 0.02% (5th percentile), indicating no public exploit or active exploitation at time of analysis.
Memory leak in the Linux kernel's MTD TP-Link SafeLoader partition parser allows a local low-privileged user to cause availability degradation on affected embedded systems. The `mtd_parser_tplink_safeloader_parse()` function omits freeing a temporary buffer `buf` on the error path when a subsequent `kmalloc()` for `parts[idx].name` fails inside the parsing loop. No public exploit exists and EPSS is negligible at 0.02% (5th percentile); this vulnerability was identified via static analysis and code review, not observed exploitation.
Local denial-of-condition in the Linux kernel ext4 filesystem driver allows an internal counter (s_dirtyclusters_counter) to be double-decremented to -1 along the block-allocation error path that triggers during filesystem shutdown, surfacing as a WARNING in ext4_put_super(). The flaw lives between ext4_mb_mark_diskspace_used() and ext4_mb_new_blocks(), where a metadata-write failure causes the dirty-clusters reservation to be released twice. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%, 7th percentile); despite the CWE-415 (double free) classification and a 7.8 CVSS, the observed effect is cluster-accounting corruption rather than demonstrated memory corruption.
Reference leak in the Linux kernel IPVS (IP Virtual Server) subsystem allows a local low-privileged user to trigger a race condition between the netdev notifier handler and destination cache update logic, potentially causing kernel resource exhaustion. When a network device is shutting down, the FIB routing subsystem may return a valid route after ip_vs_dst_event() finishes processing, allowing that route to be cached against a closing device and leaking a device reference until the IPVS destination is removed. This is a medium-severity availability issue with no public exploit identified at time of analysis and a very low EPSS score of 0.02% (5th percentile), indicating it is not currently a prioritized exploitation target.
Availability impact in the Linux kernel FAT filesystem driver allows a local low-privileged user to trigger a kernel WARN_ON by mounting and operating on a corrupted FAT image with incorrect directory link counts. Specifically, rmdir unconditionally decrements the parent inode's i_nlink without first verifying it is at least 3, allowing underflow to zero on malformed images. No public exploit has been identified and the EPSS probability is 0.02% (7th percentile), but the kernel WARN_ON can cause a system crash, making the real-world availability impact high on affected systems where users can mount FAT images.
Bridge multicast MDB entry counter underflow in the Linux kernel's `net/bridge/br_multicast.c` allows local attackers with low privileges to trigger a kernel WARN_ON - and a system panic on hosts configured with `panic_on_warn=1` - by manipulating VLAN snooping state on a bridge interface before flushing multicast group entries. Multiple stable kernel branches are affected across all architectures that include the bridge multicast subsystem. No public exploit identified at time of analysis, with an EPSS score of 0.02% (5th percentile) confirming low exploitation probability; patches are available across kernel stable series 6.12, 6.6, 6.18, 6.19, and 7.0.
Ext4 filesystem extent-splitting logic in the Linux kernel incorrectly caches extents mid-operation, leaving stale hole entries in the in-memory extent status tree (ESTree). When a Direct I/O write partially covers a pre-allocated unwritten extent, ext4_split_extent_at() can insert an incorrect hole entry that persists uncorrected, causing space accounting errors when subsequent delayed buffer writes target the same region. No active exploitation has been confirmed (not in CISA KEV), and the EPSS score of 0.02% (7th percentile) reflects negligible real-world exploitation likelihood; this is primarily a kernel correctness and filesystem availability defect rather than a targeted attack surface.
Use-after-free condition in the Linux kernel's RDMA Soft RoCE (rxe) driver allows local privileged users to trigger memory corruption through a race between the QP retransmit_timer handler and rxe_destroy_qp. The flaw stems from the Queue Pair reference count dropping to zero while a timer callback is still executing, producing refcount underflow warnings and potential kernel memory corruption. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Local privilege escalation potential in the Linux kernel's MediaTek clock gate driver stems from incorrect use of __initconst annotations on mtk_gate structures that are accessed at runtime, not just during initialization. After kernel init completes, the memory backing these structs is freed, so any runtime access reads freed memory - affecting Linux 6.18 prior to stable releases 6.18.14 and 6.19.4. CVSS rates this 7.8 (High) with local attack vector; EPSS is 0.02% and no public exploit identified at time of analysis.
Memory leak in the Linux kernel's AMD XDnA accelerator driver (accel/amdxdna) allows a local low-privileged user to degrade system availability by exhausting kernel memory. The amdxdna_ubuf_map() function fails to release previously allocated scatter-gather (sg) and internal sg table memory when error paths are taken during sg_alloc_table_from_pages or dma_map_sgtable operations. No active exploitation is confirmed (absent from CISA KEV), EPSS stands at 0.02% (4th percentile), and impact is strictly limited to availability - no confidentiality or integrity exposure exists.
Deadlock in the Linux kernel mlx5e Mellanox/NVIDIA Ethernet driver allows a low-privileged local attacker to hang the system by triggering network health reporter recovery paths that acquire locks in the wrong order. Specifically, work handlers acquire the netdev instance lock before invoking devlink_health_report, which then attempts to acquire the devlink lock - reversing the mandated devlink → rtnl → netdev ordering and producing an ABBA deadlock. The vulnerability affects systems equipped with Mellanox/NVIDIA ConnectX NICs; no public exploit exists and EPSS sits at 0.02% (4th percentile), consistent with a kernel-internal locking race rather than an externally triggerable flaw.
Race condition in the Linux kernel's XFRM ICMP route lookup path causes a kernel WARN_ON that can crash affected systems. Within `icmp_route_lookup()`, a TOCTOU window between a locality check and a subsequent `ip_route_input()` call allows a concurrently executing `ip addr add` to return a LOCAL route whose `dst.output` is set to `ip_rt_bug()` - a debugging stub that fires `WARN_ON` when invoked during ICMP error transmission. Exploitation requires local access, active XFRM/IPsec policy, and precise race-window timing; no active exploitation is confirmed and EPSS sits at 0.02%, though a public reproducer exists that requires kernel modification to reliably trigger.
Recursive mutex deadlock in the Linux kernel's PowerPC Enhanced Error Handling (EEH) subsystem causes denial of service on IBM POWER systems running affected kernel versions. Commit 1010b4c012b0 inadvertently repositioned pci_lock_rescan_remove() calls so that eeh_handle_normal_event() holds the lock before invoking eeh_pe_bus_get(), which internally attempts to acquire the same mutex, producing a confirmed lockdep-detected deadlock that crashes the EEH daemon and disables PCI error recovery. No public exploit has been identified and the EPSS score of 0.02% (7th percentile) reflects the narrow hardware-specific attack surface; real-world impact is a reliability and availability concern for IBM POWER server operators rather than a traditional security attack vector.
Information disclosure in the Linux kernel BPF subsystem allows a local low-privileged user with BPF program load access to leak kernel memory contents. Incorrect memory-access flags on several ARG_PTR_TO_MEM helper prototypes (notably bpf_get_stack_proto_raw_tp) cause the verifier to wrongly assume helper-written buffers are unchanged, optimizing away subsequent reads and producing stale or uninitialized data that can expose kernel memory. There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and it is not in CISA KEV.
Circular lock dependency in the Linux kernel's netfilter nf_tables subsystem causes kernel deadlock or hang when nft reset, ipset list, and iptables-nft with '-m set' rules execute concurrently, resulting in a local denial of service. The root cause is improper use of commit_mutex in the reset path, which - when interleaved with nfnl_subsys_ipset and nlk_cb_mutex acquisitions - creates a deadlock cycle. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.02% (5th percentile) reflects the low real-world exploitation probability for this class of locking defect.
Memory exhaustion vulnerability in the Linux kernel's CAAM DPAA2 crypto driver allows gradual resource depletion on systems with NXP DPAA2 hardware through unreleased per-CPU net_device allocations during failed probe retries. The regression was introduced when commit 0e1a4d427f58 converted embedded net_device structs to dynamically allocated pointers but omitted cleanup in the dpaa2_dpseci_free() error path - meaning every deferred probe retry triggered by a temporarily unavailable DPIO subsystem silently leaks netdev memory. No public exploit exists and EPSS probability is 0.02% (5th percentile), consistent with the hardware-specific, non-user-controlled nature of the defect.
Availability impact via stale extent cache corruption in the Linux kernel's ext4 filesystem driver allows a local low-privileged user to trigger a kernel denial-of-service condition. When an ext4 extent-splitting operation fails mid-execution, stale entries are left in the extent status tree, which can cause subsequent filesystem operations to crash the kernel. No public exploit exists and EPSS probability sits at 0.02% (7th percentile), reflecting this as a stability bug rather than a targeted attack vector. Vendor-released patches are available across all active stable branches.
Kernel memory corruption in the Linux iWARP Connection Manager (RDMA/iwcm) subsystem can crash systems running RDMA workloads on iWARP-capable hardware such as Intel E830 adapters. The bug, introduced by commit e1168f0 ('RDMA/iwcm: Simplify cm_event_handler()'), causes workqueue list corruption when iwcm_work items from a free list are reused while still queued, triggering a kernel BUG and panic. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 5th percentile), despite a CVSS base score of 9.8.
Counter value underrun in the Linux kernel's netfilter nft_counter subsystem allows a local unprivileged user to corrupt nftables packet and byte counter data through a race condition in concurrent dump-and-reset operations. Two parallel resets can each read the same counter totals and both subtract them, causing the counters to underrun - potentially wrapping unsigned values to astronomically large figures and producing incorrect firewall accounting. No public exploit exists and EPSS is 0.02% (5th percentile), consistent with a low-priority correctness defect rather than a targeted security attack vector.
Linux Kernel quota subsystem livelocks the system when quotactl_block() and freeze_super() execute concurrently on non-preemptible kernels, causing 100% CPU consumption and an indefinite hang of the filesystem freeze process. The root cause is a missing scheduling point in quotactl_block()'s retry loop: on kernels with preemption disabled, the spinning loop never yields the CPU, starving synchronize_rcu() of the RCU quiescent state it needs to advance, which in turn blocks freeze_super() from completing. Affected are Linux kernel versions from commit 576215cffdefc1f0ceebffd87abb390926e6b037 onward, on systems using quota-enabled filesystems; no public exploit or active exploitation has been identified at time of analysis.
Race condition in Linux kernel Intel VT-d IOMMU driver (iommu/vt-d) allows torn reads of Scalable Mode PASID table entries during teardown, producing unpredictable behavior or spurious faults on systems with Intel VT-d enabled. The flaw stems from zeroing the entire 64-byte PASID entry while the Present bit is still set, violating the VT-d spec's invalidation guidance. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but a vendor patch is available across multiple stable branches.
Out-of-bounds read in the Linux kernel's AppArmor subsystem allows a local, low-privileged attacker to leak adjacent kernel memory and potentially crash the system when AppArmor parses a policy table built from possibly unaligned, userspace-supplied source data. The flaw stems from unaligned memory accesses during table creation in the policy loader and carries high confidentiality and availability impact. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.02%, 5th percentile), consistent with a hard-to-reach local-only kernel hardening fix rather than a mass-exploitation target.
Stale unwritten extent retention in the Linux kernel ext4 filesystem's in-memory extent status cache allows a local low-privileged user to trigger filesystem state inconsistency with high availability impact. The flaw manifests in ext4_split_extent() when a PARTIAL_VALID1 zeroout operation succeeds but the subsequent split at the first boundary fails due to temporary memory pressure, leaving the extent status tree out of sync with on-disk extent data. Patched stable releases are available; no public exploit or CISA KEV listing has been identified at time of analysis, and EPSS exploitation probability sits at 0.02% (5th percentile).
Local privilege-holder denial of service (and potential kernel memory corruption) in the Linux kernel's HiSilicon hns3 network driver allows a user with CAP_NET_ADMIN to trigger a double-free of the tx_spare backup buffer. The flaw lives in hns3_set_ringparam(), where a temporary ring copy is made for rollback but the original ring's tx_spare pointer is left dangling; if a subsequent allocation in hns3_init_all_ring() fails, the error path frees the stale pointer twice (CWE-415). EPSS is negligible (0.02%, 7th percentile) and there is no public exploit identified at time of analysis, but a vendor-released patch is available across multiple stable trees.
Guest-to-host denial of service in the Linux kernel's xen-netback driver allows a malicious or buggy Xen guest to crash the hypervisor host by writing "0" to the xenbus key multi-queue-num-queues. The connect() function validates only the upper bound of requested_num_queues, permitting a zero value to reach vzalloc(array_size(0, ...)), which triggers WARN_ON_ONCE in __vmalloc_node_range(); on hosts with panic_on_warn=1 this escalates to a full kernel panic. No public exploit exists and EPSS is 0.02% (7th percentile), consistent with a narrow Xen-specific attack surface, but the guest-controlled code path is trivial to trigger and vendor patches have been backported across seven stable kernel series, confirming the impact is real.
Divide-by-zero kernel panic (Oops) in the Linux kernel MPTCP subsystem's `mptcp_rcvbuf_grow()` function can be triggered by a local authenticated user under a rare but specific race condition involving concurrent out-of-order packet arrival and receive buffer initialization. The vulnerability also causes a secondary effect where the MPTCP receive buffer slowly drifts toward the `tcp_rmem[2]` maximum, degrading system performance on MPTCP-heavy workloads. No public exploit identified at time of analysis; EPSS is 0.02% (4th percentile), consistent with its local-only, race-dependent nature.
Memory leak in the Linux kernel's md/raid1 subsystem allows a local attacker with access to RAID configuration interfaces to gradually exhaust kernel memory by repeatedly triggering the faulty error path in raid1_run(). Affected kernel versions span multiple stable branches prior to 6.12.75, 6.18.14, 6.19.4, and 7.0. No public exploit identified at time of analysis; EPSS at 0.02% (5th percentile) and confirmed discovery via static analysis rather than active exploitation signals minimal real-world risk. Vendor-released patches are available across all affected stable branches.
Memory leak in the Linux kernel's af_unix subsystem allows a local low-privileged user to exhaust kernel memory by repeatedly triggering a failure path in unix_stream_connect(). When prepare_peercred() fails after unix_create1() has already allocated a new socket object (newsk), the error path omits the required unix_release_sock() call, leaving kernel memory permanently unreleased. No public exploit has been identified at time of analysis; EPSS at 0.02% (4th percentile) reflects negligible widespread exploitation likelihood, consistent with the local-only attack vector.
BPF verifier rejection in the Linux kernel's XDP subsystem forces valid BPF programs to fail load-time verification when they pass pointers from BPF_F_RDONLY_PROG maps to the bpf_xdp_store_bytes helper. The root cause is an incorrect argument type annotation - the helper's third argument (source buffer) is declared as ARG_PTR_TO_UNINIT_MEM, which carries the MEM_WRITE flag, causing the verifier to demand write permission on memory that the helper only reads. Separately, this same mistype permits the helper to read from uninitialized memory (CWE-908). No public exploit is identified at time of analysis, and EPSS sits at 0.02%, but kernel patches across all active stable branches have been issued.
Integer underflow in the Linux kernel's AppArmor subsystem (`aa_get_buffer()`) allows a local low-privileged user to cause per-CPU buffer starvation and system-wide denial of service. The `cache->hold` unsigned counter wraps to UINT_MAX when decremented below zero, permanently preventing `aa_put_buffer()` from recycling buffers back to the global pool and forcing repeated `kmalloc(aa_g_path_max)` heap allocations that starve other CPUs. No public exploit exists and EPSS is 0.02% (5th percentile); this is not in CISA KEV, but patches are available across multiple stable kernel branches.
Resource leak in the Linux kernel's sca3000 IIO accelerometer driver (sca3000_probe()) allows a local low-privileged user on affected hardware to cause IRQ resource exhaustion by repeatedly triggering the error path where iio_device_register() fails without releasing the IRQ registered via request_threaded_irq(). Affected are Linux kernel versions from approximately 4.10 through multiple stable branches, all of which now have upstream fix commits. No public exploit exists and EPSS stands at 0.02% (7th percentile), indicating this is a robustness/maintenance fix rather than an actively targeted vulnerability.
Memory exhaustion via the MediaTek SVS (Smart Voltage Scaling) debugfs interface in the Linux kernel allows a local attacker with low privileges to leak kernel memory on MediaTek SoC-based systems. The root cause is that `svs_enable_debug_write()` allocates a buffer via `memdup_user_nul()` to copy user-supplied input, but fails to free it when the subsequent `kstrtoint()` call rejects non-integer input - a classic CWE-401 missing-release flaw. No public exploit has been identified and EPSS is 0.02% (7th percentile), making this a low-urgency, patch-when-convenient issue for the narrow device population running affected MediaTek SoC kernels.
PCI/P2PDMA subsystem in the Linux kernel hangs indefinitely on PCI device removal due to a missing percpu_ref_put() call on the error exit path of p2pmem_alloc_mmap(). Low-privileged local users on systems with P2PDMA-capable PCI hardware can trigger a vm_insert_page() failure that leaks a per-CPU pgmap reference, causing memunmap_pages() to stall forever when the PCI device is later removed. No public exploit has been identified and EPSS is at the 5th percentile; this is not in CISA KEV.
Regulator resource leak in the Linux kernel MFD Arizona WM5102 audio codec driver causes availability degradation on affected hardware when the write sequencer error path is triggered. The `wm5102_clear_write_sequencer()` helper returns early on error without jumping to the `err_reset` cleanup label, leaving kernel voltage regulators enabled and leaking resources across repeated invocations. Exploitation requires local low-privilege access on systems with WM5102 hardware; EPSS is 0.02% (7th percentile) and no active exploitation has been identified, placing real-world priority firmly in the low tier.
Denial-of-service via kernel crash in the Linux kernel's netfilter nft_set_rbtree subsystem, exploitable by a local user with nftables manipulation capability. The flaw lies in the partial overlap detection logic for anonymous sets: an optimization that omits end elements for adjacent intervals also inadvertently suppresses overlap checks on start elements, allowing two intervals sharing the same start point (e.g., A-B and A-C where C < B) to be inserted simultaneously, corrupting the red-black tree and triggering a kernel panic. No public exploit code has been identified at time of analysis, and the EPSS score of 0.02% (7th percentile) reflects low real-world exploitation probability, though the vulnerability is present across many long-term stable kernel branches.
Memory exhaustion denial-of-service in the Linux kernel smartpqi SCSI driver allows a local user to degrade system availability through kernel memory leak accumulation. The vulnerability exists in pqi_report_phys_luns(), which fails to release the rpl_list buffer on two distinct error paths - unsupported data format detection and rpl_16byte_wwid_list allocation failure - both of which bypass cleanup logic. No public exploit exists and EPSS sits at 0.02% (7th percentile), but systems running Microsemi/PMC-Sierra SmartPQI RAID controllers on unpatched kernels are at risk of gradual availability degradation.
Resource leak in the Linux kernel's st33zp24 TPM driver allows a low-privileged local user to exhaust TPM localities and deny TPM service on systems equipped with STMicroelectronics ST33ZP24 hardware. When get_burstcount() returns -EBUSY on timeout, st33zp24_send() exits without releasing the previously acquired TPM locality, creating a cumulative leak that can render all subsequent TPM operations unavailable. No public exploit code exists and EPSS probability is 0.02% (7th percentile), but systems relying on the ST33ZP24 for measured boot or disk-encryption attestation face meaningful operational risk if exploited.
Memory leaks in the Linux kernel's SUNRPC auth_gss subsystem allow a local low-privilege attacker to gradually exhaust kernel heap memory on systems using NFS with Kerberos (RPCSEC_GSS) authentication. The gssx_dec_ctx(), gssx_dec_status(), and gssx_dec_name() XDR decoding functions fail to release previously allocated kernel buffers when a partial decode sequence errors out mid-function, leaving unreferenced kmemdup() allocations on the heap. No public exploit exists and EPSS is 0.02%, but no public exploit identified at time of analysis; repeated triggering of the vulnerable paths could degrade availability on RPCSEC_GSS-enabled servers.
Reference count leak in the Linux kernel's pinctrl-single driver (`pcs_add_gpio_func()`) allows a local low-privileged user to cause kernel memory exhaustion and denial of service on affected embedded/SoC platforms. The `of_parse_phandle_with_args()` Device Tree API increments a refcount on the returned device_node pointer, but the iterating loop never calls `of_node_put()` to release it - accumulating leaked references on every GPIO phandle processed. No public exploit exists and EPSS is 0.02%, placing this firmly in the low-urgency patch category; exploitation requires specific hardware and driver configuration not present on typical x86 servers.
Local privilege-bounded use-after-free in the Linux kernel's CAIF serial line discipline (caif_serial / CONFIG_CAIF_TTY) lets a local attacker corrupt kernel memory by racing ldisc_close() against packet transmission. ldisc_close() drops the tty reference via tty_kref_put() while the CAIF network device is still live, so a concurrent caif_xmit()/handle_tx() can dereference the freed tty (ser->tty) and call tty->ops->write() on dangling memory, confirmed by a KASAN slab-use-after-free report. A reproducer is published, but no public weaponized exploit and no active exploitation are recorded; EPSS is 0.02% (7th percentile), consistent with a niche driver and a tight race window.
Uninitialized stack memory exposure in the Linux kernel's MCTP-over-I2C (mctp-i2c) driver affects systems using i2c-aspeed or i2c-npcm7xx bus drivers, particularly server/BMC hardware with Aspeed and Nuvoton chipsets. When a read is performed against an mctp-i2c device instance, the event handler fails to initialize the 'val' byte before returning it to the caller, exposing whatever residual value sits on the kernel stack at that moment. No public exploit has been identified at time of analysis, and with an EPSS of 0.03% (10th percentile), real-world exploitation pressure is currently negligible; however, kernel stack data leakage is a meaningful information disclosure primitive on affected hardware.
Memory leak in the Linux kernel's DesignWare i3c master driver (`drivers/i3c/master/dw-i3c-master.c`) allows a local low-privileged user on systems equipped with DesignWare i3c hardware to cause gradual kernel memory exhaustion by repeatedly triggering the failure path in `dw_i3c_master_i2c_xfers()`, where `dw_i3c_master_alloc_xfer()` allocates a transfer structure that is never freed when `pm_runtime_resume_and_get()` returns an error. No public exploit identified at time of analysis; EPSS of 0.02% (5th percentile) and the static-analysis discovery method both confirm this is a low-immediacy, low-exploitation-probability issue. Vendor-released patches are available across multiple stable kernel branches.
Race condition in the Linux kernel's Intel VT-d IOMMU driver allows non-coherent IOMMU hardware to read uninitialized memory from a freshly allocated PASID table because the PASID directory entry is published before the CPU cache flush completes. With CVSS 7.8 (AV:L/AC:H/PR:L) and EPSS at 0.02% (7th percentile), no public exploit identified at time of analysis, and the issue requires local privileges plus precise timing against non-coherent IOMMU hardware. The fix is included across multiple stable kernel branches.
Local privilege escalation potential in the Linux kernel's GFS2 (Global File System 2) filesystem stems from a slab-use-after-free in qd_put() that corrupts the quota data LRU list during filesystem shutdown. Local authenticated users with access to a GFS2 mount could trigger the shrinker path (gfs2_qd_shrink_scan) to dereference freed objects, with EPSS at 0.02% indicating no public exploit identified at time of analysis. The flaw was introduced by commit a475c5dd16e5 which began freeing quota data synchronously without removing entries from the LRU list first.
Denial of service in the Linux kernel netfilter nf_conncount subsystem allows remote attackers to trigger erroneous connection limit enforcement by establishing more than 8 new tracked connections per jiffy, causing the garbage collector to fall behind and the connection list to wrongly hit its cap. The flaw affects systems using nft_connlimit, xt_connlimit, or OVS connection limit features, with availability impact only (CVSS 7.5, AV:N/AC:L/PR:N/UI:N/A:H). EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the issue is reproducible with common HTTP load tools such as slowhttptest.
Stale data exposure and filesystem data corruption in the Linux kernel's ext4 extent-splitting subsystem affects all major stable branches prior to 6.6.130, 6.12.75, 6.18.14, 6.19.4, and 7.0. When ext4_split_extent_at() encounters a transient ENOSPC condition while splitting a large unwritten extent at its first boundary, the error path incorrectly zeroes out and marks the entire extent as written - leaving stale disk content from adjacent regions readable in areas that should remain unwritten or zero-filled. No public exploit identified at time of analysis; EPSS at 0.02% (5th percentile) reflects the narrow, local-only, condition-dependent trigger path that makes automated or widespread exploitation highly unlikely.
Out-of-bounds kernel heap read in the Linux kernel's RDMA/uverbs subsystem allows local low-privileged users with access to InfiniBand/RDMA device nodes to leak kernel memory or trigger a denial-of-service WARNING by submitting a crafted ib_uverbs_post_send command with an undersized or oversized wqe_size value. EPSS is very low (0.02%, 7th percentile) and there is no public exploit identified at time of analysis, but the bug is fixed upstream across multiple stable trees, so patched versions should be deployed where RDMA is exposed to untrusted local users.
Non-NCQ command starvation in the Linux kernel's libata-scsi layer can cause complete denial of service for certain disk I/O operations on systems using multi-queue ATA host adapters. On affected hardware, when a target storage device is under sustained NCQ (Native Command Queuing) traffic, the SCSI layer's SCSI_MLQUEUE_XXX_BUSY requeue mechanism provides no forward-progress guarantees for non-NCQ commands - other CPU cores can continuously inject new NCQ commands from separate submission queues, indefinitely deferring the non-NCQ command. No public exploit has been identified at time of analysis and EPSS probability is very low (0.02%, 5th percentile), but the bug can manifest naturally under heavy I/O workloads without deliberate exploitation.
Kernel panic in the Linux inside-secure/eip93 hardware crypto driver occurs when the driver teardown routine unconditionally unregisters all cryptographic algorithms, including those never registered because the underlying EIP93 silicon does not implement them. Platforms with partial EIP93 silicon support - where only a subset of algorithms are burned into hardware - trigger the panic during module removal or system shutdown. No public exploit exists and EPSS sits at the 4th percentile (0.02%), indicating this is primarily a stability defect with negligible exploitation interest rather than a targeted attack surface.
Local privilege escalation and kernel memory corruption in the Linux kernel's RDMA Soft RoCE (rxe) driver stems from a double-free in rxe_srq_from_init() when copy_to_user() fails after the queue pointer has already been assigned to srq->rq.queue. A local user with permission to create Shared Receive Queues over RDMA can trigger the error path to cause the same memory to be freed twice via rxe_srq_cleanup(), enabling kernel heap corruption with potential for privilege escalation. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 7th percentile).
Denial of service in the Linux kernel's EFI unaccepted-memory handling allows a boot-time kernel panic on confidential-computing guests, affecting kernels from 6.6 through the 6.19/7.0 development line. The reserve_unaccepted() routine miscalculates the memblock reservation size when the unaccepted memory table is not page-aligned, leaving the table's tail unreserved so it can be overwritten or rendered inaccessible, triggering a panic in accept_memory(). It is observed on Intel TDX VMs with larger memory sizes (e.g. >64GB); there is no public exploit identified at time of analysis and EPSS is negligible (0.02%).
Incorrect offset handling in the Linux kernel IPVS subsystem causes IPv6 protocol checksum validation to fail when extension headers precede the transport header, disrupting availability on systems acting as IPv6 load balancers. Affected across a broad kernel version range from 2.6.28 onward, with fixes confirmed in stable releases 6.19.4 and mainline 7.0. No public exploit code exists and no active exploitation has been identified; EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation pressure.