Skip to main content

Linux

12819 CVEs vendor

Monthly

CVE-2026-45917 MEDIUM PATCH This Month

Reference leak in the Linux kernel IPVS (IP Virtual Server) subsystem allows a local low-privileged user to trigger a race condition between the netdev notifier handler and destination cache update logic, potentially causing kernel resource exhaustion. When a network device is shutting down, the FIB routing subsystem may return a valid route after ip_vs_dst_event() finishes processing, allowing that route to be cached against a closing device and leaking a device reference until the IPVS destination is removed. This is a medium-severity availability issue with no public exploit identified at time of analysis and a very low EPSS score of 0.02% (5th percentile), indicating it is not currently a prioritized exploitation target.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45916 HIGH PATCH This Week

Local privilege-relevant memory corruption in the Linux kernel's sbs-battery power supply driver (drivers/power/supply/sbs-battery) stems from a use-after-free in power_supply_changed(). Because the driver requested its IRQ via devm_ before allocating/registering the power_supply handle, devm teardown frees the handle in reverse order while the interrupt is still live, so an SMBus battery interrupt firing during device removal (or before registration during probe) invokes power_supply_changed() on a freed or uninitialized pointer, typically crashing the system or silently corrupting memory. EPSS is negligible (0.02%, 7th percentile), no public exploit is identified, and it is not on CISA KEV; the fix is upstream-committed and shipped in multiple stable releases.

Memory Corruption Linux Denial Of Service Use After Free Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45915 MEDIUM PATCH This Month

Availability impact in the Linux kernel FAT filesystem driver allows a local low-privileged user to trigger a kernel WARN_ON by mounting and operating on a corrupted FAT image with incorrect directory link counts. Specifically, rmdir unconditionally decrements the parent inode's i_nlink without first verifying it is at least 3, allowing underflow to zero on malformed images. No public exploit has been identified and the EPSS probability is 0.02% (7th percentile), but the kernel WARN_ON can cause a system crash, making the real-world availability impact high on affected systems where users can mount FAT images.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45914 HIGH PATCH This Week

Local memory corruption affects the Linux kernel's hwmon ibmpex driver, where commit 6946c726c3f4 - intended to fix a use-after-free in the high/low sysfs store handlers - instead introduced a new race condition by setting driver data to NULL before removing sensor attributes. The remediation is a revert of that flawed commit across the 6.1, 6.6, 6.12, 6.18, and 6.19 stable trees. With EPSS at 0.02% (7th percentile), no public exploit identified at time of analysis, and no CISA KEV listing, real-world risk is minimal given the obscure IBM PowerExecutive sensor hardware the driver targets.

Memory Corruption Linux Denial Of Service Use After Free Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45913 MEDIUM PATCH This Month

Bridge multicast MDB entry counter underflow in the Linux kernel's `net/bridge/br_multicast.c` allows local attackers with low privileges to trigger a kernel WARN_ON - and a system panic on hosts configured with `panic_on_warn=1` - by manipulating VLAN snooping state on a bridge interface before flushing multicast group entries. Multiple stable kernel branches are affected across all architectures that include the bridge multicast subsystem. No public exploit identified at time of analysis, with an EPSS score of 0.02% (5th percentile) confirming low exploitation probability; patches are available across kernel stable series 6.12, 6.6, 6.18, 6.19, and 7.0.

Linux Information Disclosure Google Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45912 MEDIUM PATCH This Month

Ext4 filesystem extent-splitting logic in the Linux kernel incorrectly caches extents mid-operation, leaving stale hole entries in the in-memory extent status tree (ESTree). When a Direct I/O write partially covers a pre-allocated unwritten extent, ext4_split_extent_at() can insert an incorrect hole entry that persists uncorrected, causing space accounting errors when subsequent delayed buffer writes target the same region. No active exploitation has been confirmed (not in CISA KEV), and the EPSS score of 0.02% (7th percentile) reflects negligible real-world exploitation likelihood; this is primarily a kernel correctness and filesystem availability defect rather than a targeted attack surface.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45911 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's cdns3 USB dual-role driver crashes the kernel when a USB OTG role switch to host mode occurs during a system resume from suspend. The host role's resume() operation calls usb_hcd_is_primary_hcd() on an xhci-hcd device whose probe has been deferred by the driver model, yielding a dereference at virtual address 0x208 and a kernel oops. Impact is limited to denial of service (system crash); no privilege escalation or data disclosure is possible. No active exploitation is confirmed (CISA KEV absent, EPSS 0.02%), and the vulnerability is practically relevant only on hardware platforms featuring the Cadence USB3 cdns3 controller.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45910 HIGH PATCH This Week

Use-after-free condition in the Linux kernel's RDMA Soft RoCE (rxe) driver allows local privileged users to trigger memory corruption through a race between the QP retransmit_timer handler and rxe_destroy_qp. The flaw stems from the Queue Pair reference count dropping to zero while a timer callback is still executing, producing refcount underflow warnings and potential kernel memory corruption. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.

Linux Information Disclosure Race Condition
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45909 HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel's MediaTek clock gate driver stems from incorrect use of __initconst annotations on mtk_gate structures that are accessed at runtime, not just during initialization. After kernel init completes, the memory backing these structs is freed, so any runtime access reads freed memory - affecting Linux 6.18 prior to stable releases 6.18.14 and 6.19.4. CVSS rates this 7.8 (High) with local attack vector; EPSS is 0.02% and no public exploit identified at time of analysis.

Mediatek Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45908 MEDIUM PATCH This Month

Memory leak in the Linux kernel's AMD XDnA accelerator driver (accel/amdxdna) allows a local low-privileged user to degrade system availability by exhausting kernel memory. The amdxdna_ubuf_map() function fails to release previously allocated scatter-gather (sg) and internal sg table memory when error paths are taken during sg_alloc_table_from_pages or dma_map_sgtable operations. No active exploitation is confirmed (absent from CISA KEV), EPSS stands at 0.02% (4th percentile), and impact is strictly limited to availability - no confidentiality or integrity exposure exists.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45907 MEDIUM PATCH This Month

Deadlock in the Linux kernel mlx5e Mellanox/NVIDIA Ethernet driver allows a low-privileged local attacker to hang the system by triggering network health reporter recovery paths that acquire locks in the wrong order. Specifically, work handlers acquire the netdev instance lock before invoking devlink_health_report, which then attempts to acquire the devlink lock - reversing the mandated devlink → rtnl → netdev ordering and producing an ABBA deadlock. The vulnerability affects systems equipped with Mellanox/NVIDIA ConnectX NICs; no public exploit exists and EPSS sits at 0.02% (4th percentile), consistent with a kernel-internal locking race rather than an externally triggerable flaw.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45906 HIGH PATCH This Week

Use-after-free in the Linux kernel's pf1550 power-supply driver (drivers/power/supply/pf1550) lets a queued hardware interrupt invoke power_supply_changed() on an already-freed power_supply handle during module/device removal, and can also dereference an uninitialized handle during probe. The flaw stems from devm-managed resource ordering: the IRQ was requested before the power_supply was registered, so devm teardown frees the power_supply first. Impact is typically a kernel crash or silent memory corruption. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis.

Memory Corruption Linux Denial Of Service Use After Free Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45905 MEDIUM PATCH This Month

Race condition in the Linux kernel's XFRM ICMP route lookup path causes a kernel WARN_ON that can crash affected systems. Within `icmp_route_lookup()`, a TOCTOU window between a locality check and a subsequent `ip_route_input()` call allows a concurrently executing `ip addr add` to return a LOCAL route whose `dst.output` is set to `ip_rt_bug()` - a debugging stub that fires `WARN_ON` when invoked during ICMP error transmission. Exploitation requires local access, active XFRM/IPsec policy, and precise race-window timing; no active exploitation is confirmed and EPSS sits at 0.02%, though a public reproducer exists that requires kernel modification to reliably trigger.

Linux Race Condition Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-45904 MEDIUM PATCH This Month

Recursive mutex deadlock in the Linux kernel's PowerPC Enhanced Error Handling (EEH) subsystem causes denial of service on IBM POWER systems running affected kernel versions. Commit 1010b4c012b0 inadvertently repositioned pci_lock_rescan_remove() calls so that eeh_handle_normal_event() holds the lock before invoking eeh_pe_bus_get(), which internally attempts to acquire the same mutex, producing a confirmed lockdep-detected deadlock that crashes the EEH daemon and disables PCI error recovery. No public exploit has been identified and the EPSS score of 0.02% (7th percentile) reflects the narrow hardware-specific attack surface; real-world impact is a reliability and availability concern for IBM POWER server operators rather than a traditional security attack vector.

Linux IBM Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45903 HIGH PATCH This Week

Information disclosure in the Linux kernel BPF subsystem allows a local low-privileged user with BPF program load access to leak kernel memory contents. Incorrect memory-access flags on several ARG_PTR_TO_MEM helper prototypes (notably bpf_get_stack_proto_raw_tp) cause the verifier to wrongly assume helper-written buffers are unchanged, optimizing away subsequent reads and producing stale or uninitialized data that can expose kernel memory. There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and it is not in CISA KEV.

Linux Buffer Overflow Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-45902 HIGH PATCH This Week

Local privilege-level use-after-free in the Linux kernel's bq256xx battery charger driver (power: supply: bq256xx) allows memory corruption when a charger IRQ fires during device probe or removal, calling power_supply_changed() against a freed or uninitialized power_supply handle. The flaw stems from devm_ resources being released in reverse order, so the IRQ outlives the power_supply registration; triggering it typically crashes the system or silently corrupts kernel memory. No public exploit is identified at time of analysis and EPSS exploitation probability is negligible (0.02%, 7th percentile), with no CISA KEV listing.

Memory Corruption Linux Denial Of Service Use After Free Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45901 MEDIUM PATCH This Month

Circular lock dependency in the Linux kernel's netfilter nf_tables subsystem causes kernel deadlock or hang when nft reset, ipset list, and iptables-nft with '-m set' rules execute concurrently, resulting in a local denial of service. The root cause is improper use of commit_mutex in the reset path, which - when interleaved with nfnl_subsys_ipset and nlk_cb_mutex acquisitions - creates a deadlock cycle. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.02% (5th percentile) reflects the low real-world exploitation probability for this class of locking defect.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45900 MEDIUM PATCH This Month

Memory exhaustion vulnerability in the Linux kernel's CAAM DPAA2 crypto driver allows gradual resource depletion on systems with NXP DPAA2 hardware through unreleased per-CPU net_device allocations during failed probe retries. The regression was introduced when commit 0e1a4d427f58 converted embedded net_device structs to dynamically allocated pointers but omitted cleanup in the dpaa2_dpseci_free() error path - meaning every deferred probe retry triggered by a temporarily unavailable DPIO subsystem silently leaks netdev memory. No public exploit exists and EPSS probability is 0.02% (5th percentile), consistent with the hardware-specific, non-user-controlled nature of the defect.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45899 MEDIUM PATCH This Month

Availability impact via stale extent cache corruption in the Linux kernel's ext4 filesystem driver allows a local low-privileged user to trigger a kernel denial-of-service condition. When an ext4 extent-splitting operation fails mid-execution, stale entries are left in the extent status tree, which can cause subsequent filesystem operations to crash the kernel. No public exploit exists and EPSS probability sits at 0.02% (7th percentile), reflecting this as a stability bug rather than a targeted attack vector. Vendor-released patches are available across all active stable branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45898 CRITICAL PATCH Act Now

Kernel memory corruption in the Linux iWARP Connection Manager (RDMA/iwcm) subsystem can crash systems running RDMA workloads on iWARP-capable hardware such as Intel E830 adapters. The bug, introduced by commit e1168f0 ('RDMA/iwcm: Simplify cm_event_handler()'), causes workqueue list corruption when iwcm_work items from a free list are reused while still queued, triggering a kernel BUG and panic. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 5th percentile), despite a CVSS base score of 9.8.

Debian Ubuntu Information Disclosure Intel Linux
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-45897 MEDIUM PATCH This Month

Counter value underrun in the Linux kernel's netfilter nft_counter subsystem allows a local unprivileged user to corrupt nftables packet and byte counter data through a race condition in concurrent dump-and-reset operations. Two parallel resets can each read the same counter totals and both subtract them, causing the counters to underrun - potentially wrapping unsigned values to astronomically large figures and producing incorrect firewall accounting. No public exploit exists and EPSS is 0.02% (5th percentile), consistent with a low-priority correctness defect rather than a targeted security attack vector.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45896 HIGH PATCH This Week

Out-of-bounds array access in the Linux kernel's Intel Discrete Graphics MTD driver (mtd_intel_dg.c) lets a local actor trigger kernel memory corruption when the driver enumerates NVM regions before nregions is initialized. The flaw, caught by UBSAN as an array-index-out-of-bounds at line 750, affects systems running kernel 6.17 through the pre-patch 6.18/6.19 series with Intel discrete graphics hardware. No public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.02%, 4th percentile).

Linux Buffer Overflow Intel Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45895 MEDIUM PATCH This Month

Linux Kernel quota subsystem livelocks the system when quotactl_block() and freeze_super() execute concurrently on non-preemptible kernels, causing 100% CPU consumption and an indefinite hang of the filesystem freeze process. The root cause is a missing scheduling point in quotactl_block()'s retry loop: on kernels with preemption disabled, the spinning loop never yields the CPU, starving synchronize_rcu() of the RCU quiescent state it needs to advance, which in turn blocks freeze_super() from completing. Affected are Linux kernel versions from commit 576215cffdefc1f0ceebffd87abb390926e6b037 onward, on systems using quota-enabled filesystems; no public exploit or active exploitation has been identified at time of analysis.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45894 HIGH PATCH This Week

Race condition in Linux kernel Intel VT-d IOMMU driver (iommu/vt-d) allows torn reads of Scalable Mode PASID table entries during teardown, producing unpredictable behavior or spurious faults on systems with Intel VT-d enabled. The flaw stems from zeroing the entire 64-byte PASID entry while the Present bit is still set, violating the VT-d spec's invalidation guidance. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but a vendor patch is available across multiple stable branches.

Linux Information Disclosure Intel
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45893 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's AppArmor subsystem allows a local, low-privileged attacker to leak adjacent kernel memory and potentially crash the system when AppArmor parses a policy table built from possibly unaligned, userspace-supplied source data. The flaw stems from unaligned memory accesses during table creation in the policy loader and carries high confidentiality and availability impact. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.02%, 5th percentile), consistent with a hard-to-reach local-only kernel hardening fix rather than a mass-exploitation target.

Linux Buffer Overflow Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-45892 MEDIUM PATCH This Month

Stale unwritten extent retention in the Linux kernel ext4 filesystem's in-memory extent status cache allows a local low-privileged user to trigger filesystem state inconsistency with high availability impact. The flaw manifests in ext4_split_extent() when a PARTIAL_VALID1 zeroout operation succeeds but the subsequent split at the first boundary fails due to temporary memory pressure, leaving the extent status tree out of sync with on-disk extent data. Patched stable releases are available; no public exploit or CISA KEV listing has been identified at time of analysis, and EPSS exploitation probability sits at 0.02% (5th percentile).

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45891 HIGH PATCH This Week

Local privilege-holder denial of service (and potential kernel memory corruption) in the Linux kernel's HiSilicon hns3 network driver allows a user with CAP_NET_ADMIN to trigger a double-free of the tx_spare backup buffer. The flaw lives in hns3_set_ringparam(), where a temporary ring copy is made for rollback but the original ring's tx_spare pointer is left dangling; if a subsequent allocation in hns3_init_all_ring() fails, the error path frees the stale pointer twice (CWE-415). EPSS is negligible (0.02%, 7th percentile) and there is no public exploit identified at time of analysis, but a vendor-released patch is available across multiple stable trees.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45890 MEDIUM PATCH This Month

Guest-to-host denial of service in the Linux kernel's xen-netback driver allows a malicious or buggy Xen guest to crash the hypervisor host by writing "0" to the xenbus key multi-queue-num-queues. The connect() function validates only the upper bound of requested_num_queues, permitting a zero value to reach vzalloc(array_size(0, ...)), which triggers WARN_ON_ONCE in __vmalloc_node_range(); on hosts with panic_on_warn=1 this escalates to a full kernel panic. No public exploit exists and EPSS is 0.02% (7th percentile), consistent with a narrow Xen-specific attack surface, but the guest-controlled code path is trivial to trigger and vendor patches have been backported across seven stable kernel series, confirming the impact is real.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45889 MEDIUM PATCH This Month

Divide-by-zero kernel panic (Oops) in the Linux kernel MPTCP subsystem's `mptcp_rcvbuf_grow()` function can be triggered by a local authenticated user under a rare but specific race condition involving concurrent out-of-order packet arrival and receive buffer initialization. The vulnerability also causes a secondary effect where the MPTCP receive buffer slowly drifts toward the `tcp_rmem[2]` maximum, degrading system performance on MPTCP-heavy workloads. No public exploit identified at time of analysis; EPSS is 0.02% (4th percentile), consistent with its local-only, race-dependent nature.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45888 MEDIUM PATCH This Month

Memory leak in the Linux kernel's md/raid1 subsystem allows a local attacker with access to RAID configuration interfaces to gradually exhaust kernel memory by repeatedly triggering the faulty error path in raid1_run(). Affected kernel versions span multiple stable branches prior to 6.12.75, 6.18.14, 6.19.4, and 7.0. No public exploit identified at time of analysis; EPSS at 0.02% (5th percentile) and confirmed discovery via static analysis rather than active exploitation signals minimal real-world risk. Vendor-released patches are available across all affected stable branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45887 MEDIUM PATCH This Month

Memory leak in the Linux kernel's af_unix subsystem allows a local low-privileged user to exhaust kernel memory by repeatedly triggering a failure path in unix_stream_connect(). When prepare_peercred() fails after unix_create1() has already allocated a new socket object (newsk), the error path omits the required unix_release_sock() call, leaving kernel memory permanently unreleased. No public exploit has been identified at time of analysis; EPSS at 0.02% (4th percentile) reflects negligible widespread exploitation likelihood, consistent with the local-only attack vector.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45886 MEDIUM PATCH This Month

BPF verifier rejection in the Linux kernel's XDP subsystem forces valid BPF programs to fail load-time verification when they pass pointers from BPF_F_RDONLY_PROG maps to the bpf_xdp_store_bytes helper. The root cause is an incorrect argument type annotation - the helper's third argument (source buffer) is declared as ARG_PTR_TO_UNINIT_MEM, which carries the MEM_WRITE flag, causing the verifier to demand write permission on memory that the helper only reads. Separately, this same mistype permits the helper to read from uninitialized memory (CWE-908). No public exploit is identified at time of analysis, and EPSS sits at 0.02%, but kernel patches across all active stable branches have been issued.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45885 HIGH PATCH This Week

Local privilege-impacting memory corruption in the Linux kernel's cpcap-battery power supply driver allows a use-after-free in power_supply_changed() triggered during device probe or removal. The driver requested its IRQ via devm_ before registering the power_supply handle, so on teardown the handle is freed while the interrupt handler can still fire, dereferencing freed memory and typically crashing the system or silently corrupting memory. EPSS is negligible (0.02%, 7th percentile) and there is no public exploit identified at time of analysis; the issue is confined to Motorola CPCAP PMIC hardware (e.g. Droid 4) rather than general-purpose servers.

Memory Corruption Linux Denial Of Service Use After Free Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45884 MEDIUM PATCH This Month

Integer underflow in the Linux kernel's AppArmor subsystem (`aa_get_buffer()`) allows a local low-privileged user to cause per-CPU buffer starvation and system-wide denial of service. The `cache->hold` unsigned counter wraps to UINT_MAX when decremented below zero, permanently preventing `aa_put_buffer()` from recycling buffers back to the global pool and forcing repeated `kmalloc(aa_g_path_max)` heap allocations that starve other CPUs. No public exploit exists and EPSS is 0.02% (5th percentile); this is not in CISA KEV, but patches are available across multiple stable kernel branches.

Integer Overflow Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45883 MEDIUM PATCH This Month

Resource leak in the Linux kernel's sca3000 IIO accelerometer driver (sca3000_probe()) allows a local low-privileged user on affected hardware to cause IRQ resource exhaustion by repeatedly triggering the error path where iio_device_register() fails without releasing the IRQ registered via request_threaded_irq(). Affected are Linux kernel versions from approximately 4.10 through multiple stable branches, all of which now have upstream fix commits. No public exploit exists and EPSS stands at 0.02% (7th percentile), indicating this is a robustness/maintenance fix rather than an actively targeted vulnerability.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45882 HIGH PATCH This Week

Use-after-free in the Linux kernel's pm8916_bms_vm power-supply driver (for Qualcomm PM8916 battery monitoring on certain Snapdragon SoCs) lets a freed power_supply handle be dereferenced when an IRQ fires during device removal or probe, corrupting kernel memory or crashing the system. The flaw stems from devm-managed IRQ registration occurring before the power_supply handle was registered, so devm's reverse-order teardown frees the handle while the interrupt is still live. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; impact is realistically a local denial of service on the narrow set of devices using this driver.

Memory Corruption Linux Denial Of Service Use After Free Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45881 MEDIUM PATCH This Month

Memory exhaustion via the MediaTek SVS (Smart Voltage Scaling) debugfs interface in the Linux kernel allows a local attacker with low privileges to leak kernel memory on MediaTek SoC-based systems. The root cause is that `svs_enable_debug_write()` allocates a buffer via `memdup_user_nul()` to copy user-supplied input, but fails to free it when the subsequent `kstrtoint()` call rejects non-integer input - a classic CWE-401 missing-release flaw. No public exploit has been identified and EPSS is 0.02% (7th percentile), making this a low-urgency, patch-when-convenient issue for the narrow device population running affected MediaTek SoC kernels.

Linux Mediatek Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45880 MEDIUM PATCH This Month

PCI/P2PDMA subsystem in the Linux kernel hangs indefinitely on PCI device removal due to a missing percpu_ref_put() call on the error exit path of p2pmem_alloc_mmap(). Low-privileged local users on systems with P2PDMA-capable PCI hardware can trigger a vm_insert_page() failure that leaks a per-CPU pgmap reference, causing memunmap_pages() to stall forever when the PCI device is later removed. No public exploit has been identified and EPSS is at the 5th percentile; this is not in CISA KEV.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45879 HIGH PATCH This Week

Local privilege-level use-after-free in the Linux kernel's bq25980 battery charger power-supply driver (drivers/power/supply/bq25980.c) allows a triggered IRQ to call power_supply_changed() on a freed or uninitialized power_supply handle, typically crashing the system or corrupting memory. The flaw stems from devm-managed IRQ registration ordering relative to power_supply registration, creating a race during driver probe and removal. EPSS is negligible (0.02%, 7th percentile), there is no public exploit identified at time of analysis, and it is not on CISA KEV; the fix is committed upstream and shipped in multiple stable kernels.

Memory Corruption Linux Denial Of Service Use After Free Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45878 HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel's AMD KFD (Kernel Fusion Driver) debug subsystem allows a local user with GPU access to trigger a buffer overflow in the watch_points array via a crafted watch_id value. The flaw stems from signed/unsigned integer mishandling in kfd_dbg_trap_clear_dev_address_watch(), where userspace-supplied watch_id values exceeding INT_MAX cause undefined bit shifts and out-of-bounds memory access. No public exploit identified at time of analysis, and EPSS scores exploitation probability at only 0.02%.

Linux Amd Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45877 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's Intel ISH HID subsystem (`intel_ishtp` module) causes a kernel panic and local denial of service during warm reset operations. The `ishtp_bus_remove_all_clients()` function dereferences `cl->device->reference_count` without a NULL guard, which is reachable when a firmware reset interrupts ISH client enumeration mid-flight. No public exploit or active exploitation (CISA KEV) exists; EPSS probability is 0.02% at the 5th percentile, consistent with a timing-dependent, hardware-specific kernel crash path.

Linux Denial Of Service Intel Null Pointer Dereference Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45876 MEDIUM PATCH This Month

Error handling failure in the Linux kernel's arm64 Guarded Control Stack (GCS) subsystem allows a local low-privileged user on ARMv9 hardware to trigger a kernel denial of service by exploiting an incorrect NULL check in arch_set_shadow_stack_status(). Because alloc_gcs() propagates do_mmap() failures as error-encoded pointers rather than NULL, the existing guard is bypassed and the kernel proceeds to use an invalid GCS address, risking a kernel panic. No public exploit exists and EPSS sits at the 4th percentile, but the vulnerability is confirmed patched in Linux 6.18.14, 6.19.4, and 7.0.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45875 MEDIUM PATCH This Month

Regulator resource leak in the Linux kernel MFD Arizona WM5102 audio codec driver causes availability degradation on affected hardware when the write sequencer error path is triggered. The `wm5102_clear_write_sequencer()` helper returns early on error without jumping to the `err_reset` cleanup label, leaving kernel voltage regulators enabled and leaking resources across repeated invocations. Exploitation requires local low-privilege access on systems with WM5102 hardware; EPSS is 0.02% (7th percentile) and no active exploitation has been identified, placing real-world priority firmly in the low tier.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45874 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's NXP i.MX8QM HSIO PHY driver crashes the kernel on affected embedded hardware. The flaw exists in `imx_hsio_configure_clk_pad()`, which unconditionally dereferences `refclk_pad` even when the `fsl,refclk-pad-mode` devicetree property is absent, setting the pointer to NULL during probe. A local low-privileged user on NXP i.MX8QM-based systems with vulnerable kernel versions can trigger a kernel panic, causing a full denial-of-service. No public exploit or active exploitation (CISA KEV) has been identified; EPSS of 0.02% at the 5th percentile confirms negligible exploitation probability.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45873 MEDIUM PATCH This Month

Denial-of-service via kernel crash in the Linux kernel's netfilter nft_set_rbtree subsystem, exploitable by a local user with nftables manipulation capability. The flaw lies in the partial overlap detection logic for anonymous sets: an optimization that omits end elements for adjacent intervals also inadvertently suppresses overlap checks on start elements, allowing two intervals sharing the same start point (e.g., A-B and A-C where C < B) to be inserted simultaneously, corrupting the red-black tree and triggering a kernel panic. No public exploit code has been identified at time of analysis, and the EPSS score of 0.02% (7th percentile) reflects low real-world exploitation probability, though the vulnerability is present across many long-term stable kernel branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45872 MEDIUM PATCH This Month

Memory exhaustion denial-of-service in the Linux kernel smartpqi SCSI driver allows a local user to degrade system availability through kernel memory leak accumulation. The vulnerability exists in pqi_report_phys_luns(), which fails to release the rpl_list buffer on two distinct error paths - unsupported data format detection and rpl_16byte_wwid_list allocation failure - both of which bypass cleanup logic. No public exploit exists and EPSS sits at 0.02% (7th percentile), but systems running Microsemi/PMC-Sierra SmartPQI RAID controllers on unpatched kernels are at risk of gradual availability degradation.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45871 MEDIUM PATCH This Month

Resource leak in the Linux kernel's st33zp24 TPM driver allows a low-privileged local user to exhaust TPM localities and deny TPM service on systems equipped with STMicroelectronics ST33ZP24 hardware. When get_burstcount() returns -EBUSY on timeout, st33zp24_send() exits without releasing the previously acquired TPM locality, creating a cumulative leak that can render all subsequent TPM operations unavailable. No public exploit code exists and EPSS probability is 0.02% (7th percentile), but systems relying on the ST33ZP24 for measured boot or disk-encryption attestation face meaningful operational risk if exploited.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45870 MEDIUM PATCH This Month

Memory leaks in the Linux kernel's SUNRPC auth_gss subsystem allow a local low-privilege attacker to gradually exhaust kernel heap memory on systems using NFS with Kerberos (RPCSEC_GSS) authentication. The gssx_dec_ctx(), gssx_dec_status(), and gssx_dec_name() XDR decoding functions fail to release previously allocated kernel buffers when a partial decode sequence errors out mid-function, leaving unreferenced kmemdup() allocations on the heap. No public exploit exists and EPSS is 0.02%, but no public exploit identified at time of analysis; repeated triggering of the vulnerable paths could degrade availability on RPCSEC_GSS-enabled servers.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45869 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's wm97xx battery power supply driver crashes the kernel when a hardware interrupt fires during a narrow initialization race window. Systems running Linux kernel versions from 2.6.32 through various stable branches (pre-patch releases in 5.10, 5.15, 6.1, 6.6, 6.12, 6.18, 6.19, and 7.0 series) with wm97xx-equipped hardware are affected. A local attacker - or natural hardware interrupt timing - can trigger a kernel panic (denial of service) during driver probe; no public exploit has been identified and EPSS sits at the 7th percentile, reflecting the narrow hardware footprint.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45868 MEDIUM PATCH This Month

Reference count leak in the Linux kernel's pinctrl-single driver (`pcs_add_gpio_func()`) allows a local low-privileged user to cause kernel memory exhaustion and denial of service on affected embedded/SoC platforms. The `of_parse_phandle_with_args()` Device Tree API increments a refcount on the returned device_node pointer, but the iterating loop never calls `of_node_put()` to release it - accumulating leaked references on every GPIO phandle processed. No public exploit exists and EPSS is 0.02%, placing this firmly in the low-urgency patch category; exploitation requires specific hardware and driver configuration not present on typical x86 servers.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45867 HIGH PATCH This Week

Local privilege escalation potential via a use-after-free in the Linux kernel's act8945a power supply driver, where the ACT8945A PMIC IRQ is requested before the power_supply handle is registered (and torn down after it during removal), letting an interrupt invoke power_supply_changed() on a freed or uninitialized handle. Affected systems run vulnerable Linux kernel builds (pre-6.6.128, pre-6.12.75, pre-6.1.165, pre-5.15.202, pre-5.10.252, and others) with the act8945a driver bound to real Atmel/Microchip SAMA5-class hardware. There is no public exploit identified at time of analysis; EPSS is very low (0.02%, 7th percentile) and the flaw is not in CISA KEV.

Memory Corruption Linux Denial Of Service Use After Free Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45866 HIGH PATCH This Week

Local privilege-bounded use-after-free in the Linux kernel's CAIF serial line discipline (caif_serial / CONFIG_CAIF_TTY) lets a local attacker corrupt kernel memory by racing ldisc_close() against packet transmission. ldisc_close() drops the tty reference via tty_kref_put() while the CAIF network device is still live, so a concurrent caif_xmit()/handle_tx() can dereference the freed tty (ser->tty) and call tty->ops->write() on dangling memory, confirmed by a KASAN slab-use-after-free report. A reproducer is published, but no public weaponized exploit and no active exploitation are recorded; EPSS is 0.02% (7th percentile), consistent with a niche driver and a tight race window.

Memory Corruption Linux Use After Free Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45865 MEDIUM PATCH This Month

Uninitialized stack memory exposure in the Linux kernel's MCTP-over-I2C (mctp-i2c) driver affects systems using i2c-aspeed or i2c-npcm7xx bus drivers, particularly server/BMC hardware with Aspeed and Nuvoton chipsets. When a read is performed against an mctp-i2c device instance, the event handler fails to initialize the 'val' byte before returning it to the caller, exposing whatever residual value sits on the kernel stack at that moment. No public exploit has been identified at time of analysis, and with an EPSS of 0.03% (10th percentile), real-world exploitation pressure is currently negligible; however, kernel stack data leakage is a meaningful information disclosure primitive on affected hardware.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45864 MEDIUM PATCH This Month

Infinite loop denial of service in the Linux kernel's ntfs3 filesystem driver allows a local low-privileged user to hang the kernel's I/O subsystem by triggering a non-terminating loop in the file write path. The flaw in `ntfs_file_write_iter` (fs/ntfs3/file.c:1284) occurs when iterating over the valid data range [valid:pos) during a write operation - if the `valid` pointer fails to advance (returning the same value), the loop condition is never satisfied and the inode lock is held indefinitely, causing a full write-path hang. No active exploitation has been identified (absent from CISA KEV) and EPSS of 0.02% at the 7th percentile confirms negligible observed exploitation activity; a patch is available across all affected stable branches.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45863 MEDIUM PATCH This Month

Memory leak in the Linux kernel's DesignWare i3c master driver (`drivers/i3c/master/dw-i3c-master.c`) allows a local low-privileged user on systems equipped with DesignWare i3c hardware to cause gradual kernel memory exhaustion by repeatedly triggering the failure path in `dw_i3c_master_i2c_xfers()`, where `dw_i3c_master_alloc_xfer()` allocates a transfer structure that is never freed when `pm_runtime_resume_and_get()` returns an error. No public exploit identified at time of analysis; EPSS of 0.02% (5th percentile) and the static-analysis discovery method both confirm this is a low-immediacy, low-exploitation-probability issue. Vendor-released patches are available across multiple stable kernel branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45862 HIGH PATCH This Week

Race condition in the Linux kernel's Intel VT-d IOMMU driver allows non-coherent IOMMU hardware to read uninitialized memory from a freshly allocated PASID table because the PASID directory entry is published before the CPU cache flush completes. With CVSS 7.8 (AV:L/AC:H/PR:L) and EPSS at 0.02% (7th percentile), no public exploit identified at time of analysis, and the issue requires local privileges plus precise timing against non-coherent IOMMU hardware. The fix is included across multiple stable kernel branches.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45861 HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel's GFS2 (Global File System 2) filesystem stems from a slab-use-after-free in qd_put() that corrupts the quota data LRU list during filesystem shutdown. Local authenticated users with access to a GFS2 mount could trigger the shrinker path (gfs2_qd_shrink_scan) to dereference freed objects, with EPSS at 0.02% indicating no public exploit identified at time of analysis. The flaw was introduced by commit a475c5dd16e5 which began freeing quota data synchronously without removing entries from the LRU list first.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45860 HIGH PATCH This Week

Denial of service in the Linux kernel netfilter nf_conncount subsystem allows remote attackers to trigger erroneous connection limit enforcement by establishing more than 8 new tracked connections per jiffy, causing the garbage collector to fall behind and the connection list to wrongly hit its cap. The flaw affects systems using nft_connlimit, xt_connlimit, or OVS connection limit features, with availability impact only (CVSS 7.5, AV:N/AC:L/PR:N/UI:N/A:H). EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the issue is reproducible with common HTTP load tools such as slowhttptest.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-45859 HIGH PATCH This Week

Denial of service in the Linux kernel's netfilter nfnetlink_queue subsystem allows remote attackers to cause packet drops affecting availability when nfqueue is used without the NFQA_CFG_F_GSO capability flag. The flaw is a regression where the shared-unconfirmed conntrack check was performed after skb_gso_segment(), causing GSO UDP packets associated with unconfirmed nf_conn entries to be dropped instead of queued. EPSS is very low (0.02%) with no public exploit identified at time of analysis and no CISA KEV listing, indicating low real-world urgency despite the CVSS 7.5 availability score.

Linux Code Injection
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-45858 MEDIUM PATCH This Month

Stale data exposure and filesystem data corruption in the Linux kernel's ext4 extent-splitting subsystem affects all major stable branches prior to 6.6.130, 6.12.75, 6.18.14, 6.19.4, and 7.0. When ext4_split_extent_at() encounters a transient ENOSPC condition while splitting a large unwritten extent at its first boundary, the error path incorrectly zeroes out and marks the entire extent as written - leaving stale disk content from adjacent regions readable in areas that should remain unwritten or zero-filled. No public exploit identified at time of analysis; EPSS at 0.02% (5th percentile) reflects the narrow, local-only, condition-dependent trigger path that makes automated or widespread exploitation highly unlikely.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45857 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's csiostor SCSI driver (Chelsio T5 iSCSI storage controller) causes a local denial-of-service via kernel panic. The flaw resides in the error exit path: when the pointer rn is NULL, the CSIO_INC_STATS macro still dereferences it, triggering a kernel crash. Exploitation requires local low-privilege access on a system equipped with Chelsio csiostor hardware; no active exploitation is confirmed (not in CISA KEV) and EPSS sits at 0.02% (7th percentile), indicating minimal real-world exploitation pressure.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45856 HIGH PATCH This Week

Out-of-bounds kernel heap read in the Linux kernel's RDMA/uverbs subsystem allows local low-privileged users with access to InfiniBand/RDMA device nodes to leak kernel memory or trigger a denial-of-service WARNING by submitting a crafted ib_uverbs_post_send command with an undersized or oversized wqe_size value. EPSS is very low (0.02%, 7th percentile) and there is no public exploit identified at time of analysis, but the bug is fixed upstream across multiple stable trees, so patched versions should be deployed where RDMA is exposed to untrusted local users.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-45855 MEDIUM PATCH This Month

Non-NCQ command starvation in the Linux kernel's libata-scsi layer can cause complete denial of service for certain disk I/O operations on systems using multi-queue ATA host adapters. On affected hardware, when a target storage device is under sustained NCQ (Native Command Queuing) traffic, the SCSI layer's SCSI_MLQUEUE_XXX_BUSY requeue mechanism provides no forward-progress guarantees for non-NCQ commands - other CPU cores can continuously inject new NCQ commands from separate submission queues, indefinitely deferring the non-NCQ command. No public exploit has been identified at time of analysis and EPSS probability is very low (0.02%, 5th percentile), but the bug can manifest naturally under heavy I/O workloads without deliberate exploitation.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45854 MEDIUM PATCH This Month

Kernel panic in the Linux inside-secure/eip93 hardware crypto driver occurs when the driver teardown routine unconditionally unregisters all cryptographic algorithms, including those never registered because the underlying EIP93 silicon does not implement them. Platforms with partial EIP93 silicon support - where only a subset of algorithms are burned into hardware - trigger the panic during module removal or system shutdown. No public exploit exists and EPSS sits at the 4th percentile (0.02%), indicating this is primarily a stability defect with negligible exploitation interest rather than a targeted attack surface.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45853 HIGH PATCH This Week

Memory corruption in the Linux kernel's AMD GPU driver (amdgpu) arises because amdgpu_gmc_get_nps_memranges() releases buffers allocated by amdgpu_discovery_get_nps_info() with kfree() even though that memory may have been allocated via kvcalloc()/vmalloc(), corrupting the kernel allocator state. The flaw affects systems running AMD GPUs on kernels prior to the fixed stable releases (6.12.75, 6.18.14, 6.19.4, and 7.0). There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and the issue was found via static analysis and code review rather than in-the-wild exploitation.

Memory Corruption Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45852 HIGH PATCH This Week

Local privilege escalation and kernel memory corruption in the Linux kernel's RDMA Soft RoCE (rxe) driver stems from a double-free in rxe_srq_from_init() when copy_to_user() fails after the queue pointer has already been assigned to srq->rq.queue. A local user with permission to create Shared Receive Queues over RDMA can trigger the error path to cause the same memory to be freed twice via rxe_srq_cleanup(), enabling kernel heap corruption with potential for privilege escalation. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 7th percentile).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45851 HIGH PATCH This Week

Denial of service in the Linux kernel's EFI unaccepted-memory handling allows a boot-time kernel panic on confidential-computing guests, affecting kernels from 6.6 through the 6.19/7.0 development line. The reserve_unaccepted() routine miscalculates the memblock reservation size when the unaccepted memory table is not page-aligned, leaving the table's tail unreserved so it can be overwritten or rendered inaccessible, triggering a panic in accept_memory(). It is observed on Intel TDX VMs with larger memory sizes (e.g. >64GB); there is no public exploit identified at time of analysis and EPSS is negligible (0.02%).

Linux Intel Buffer Overflow Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-45850 MEDIUM PATCH This Month

Incorrect offset handling in the Linux kernel IPVS subsystem causes IPv6 protocol checksum validation to fail when extension headers precede the transport header, disrupting availability on systems acting as IPv6 load balancers. Affected across a broad kernel version range from 2.6.28 onward, with fixes confirmed in stable releases 6.19.4 and mainline 7.0. No public exploit code exists and no active exploitation has been identified; EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation pressure.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45849 MEDIUM PATCH This Month

Improper locking in the Linux kernel's Microsemi Ocelot network switch driver (`net/mscc/ocelot`) allows a local low-privileged user on hardware running Ocelot switch chips to trigger a race condition in `ocelot_port_xmit_inj()`, potentially causing a kernel panic or system crash. Affected stable branches span 6.1.107-6.1.164, 6.6.48-6.6.127, and 6.10.7 through 6.11 release candidates, with patches confirmed in 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, and 7.0. No public exploit identified at time of analysis; EPSS at 0.02% (7th percentile) reflects extremely low exploitation probability, consistent with the hardware-specific trigger requirement and local-only attack vector.

Code Injection Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45848 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's AppArmor LSM function `aa_sock_file_perm` allows a local authenticated user to crash the kernel (oops) during socket setup or teardown. The flaw affects the fallback mediation path for AF_UNIX sockets and all other socket families when AppArmor is in enforcing mode, because neither `sock` nor `sock->sk` are validated for NULL before dereferencing. Impact is limited to availability (system crash); no confidentiality or integrity loss is possible. No public exploit is identified at time of analysis, and EPSS at 0.02% (7th percentile) indicates negligible exploitation probability.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45847 MEDIUM PATCH This Month

Reachable assertion in the Linux kernel network subsystem allows a local low-privileged user to trigger a WARN_ON_ONCE by constructing a sufficiently long forward path through IPIP tunnels, resulting in a kernel warning and high availability impact. The root cause (CWE-617) is an assertion in the forward path array access code that became reachable after IPIP tunnel support was introduced, expanding the possible depth of forward paths beyond the implicit assumption encoded in the warning. No public exploit code exists and EPSS is extremely low (0.02%, 7th percentile), but the kernel-level denial-of-service impact on local multi-tenant or containerized systems warrants patching.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71312 MEDIUM This Month

Memory leak in the Linux kernel NTFS3 driver's ntfs_fill_super() function allows a local user with mount privileges to gradually exhaust kernel memory by repeatedly mounting NTFS filesystems. The ntfs_mount_options structure (32 bytes per mount) is permanently leaked because fc->fs_private is nulled before ntfs_fs_free() can release it, confirmed by kmemleak tooling. No active exploitation has been identified - EPSS is 0.02% (5th percentile) and this vulnerability is absent from CISA KEV - making it a maintenance-class fix rather than an urgent security priority, though the availability impact is rated High by CVSS.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71311 MEDIUM PATCH This Month

Uninitialized memory use in the Linux kernel's NTFS3 filesystem driver (fs/ntfs3) causes a kernel crash when a local, low-privileged user triggers NTFS compression writes under specific folio allocation conditions. The flaw was surfaced by KMSAN (Kernel Memory Sanitizer) in longest_match_std(), called from ntfs_compress_write(), when newly allocated folios are neither marked uptodate nor initialized before use. No public exploit or active exploitation has been identified; EPSS stands at 0.02% (5th percentile), confirming negligible automated attack activity at time of analysis.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71309 MEDIUM This Month

Deadlock in the Linux kernel's NTFS3 compressed-file read path (fs/ntfs3) causes indefinite task hang and local denial of service when concurrent readers contend over compressed NTFS frames. The inode mutex (ni_lock) and VFS page locks are acquired in inverted order across two concurrent tasks - a classic ABBA deadlock first surfaced by Syzbot. Versions prior to 6.19.4 (stable) and 7.0 (mainline) are affected; no public exploit or active exploitation has been identified, and the EPSS score of 0.02% (5th percentile) reflects the narrow, configuration-specific conditions required.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71308 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's accel/amdxdna driver (AMD AI accelerator/NPU subsystem) allows a local low-privileged user to trigger a kernel crash and denial of service. The flaw arises during error-path execution in aie2_create_context(): when mailbox channel creation fails, the channel pointer remains NULL, yet aie_destroy_context() is unconditionally called assuming it is non-NULL. No public exploit code exists and EPSS probability is 0.02%, indicating very low exploitation activity. Vendor-released patches are available in Linux 6.19.4 and the 7.0 series.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71307 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's drm/panthor subsystem causes a kernel panic and denial of service during GPU firmware unplug operations. The `panthor_fw_unplug()` function incorrectly attempted MCU halt and wait procedures even when firmware was never loaded or fully initialized, dereferencing a NULL pointer in that code path. Systems running a Panthor-based ARM Mali GPU (using the Panthor DRM driver) are affected across kernel versions from the introduction of the driver up to the fixed stable commits; no public exploit exists and EPSS is at the 5th percentile, indicating negligible opportunistic exploitation probability.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71306 HIGH PATCH This Week

Out-of-bounds stack read in the Linux kernel's IMA (Integrity Measurement Architecture) subsystem, in ima_appraise_measurement() reached via is_bprm_creds_for_exec(), affecting kernels from the 6.14 series up to the fixed stable commits. A misuse of container_of() on a *file pointer computes an invalid stack offset, letting a local execution path read one byte past a stack frame object (flagged by KASAN), which can disclose adjacent stack data or crash the task. EPSS is very low (0.02%, 5th percentile), the CVE is not on CISA KEV, and there is no public exploit identified at time of analysis; the issue is patched upstream.

Linux Buffer Overflow Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-71305 MEDIUM PATCH This Month

The drm/display/dp_mst subsystem in the Linux kernel crashes with a UBSAN shift-out-of-bounds error when a DP 2.1 monitor disconnects while delayed_destroy_work is still in flight, producing a kernel denial-of-service on affected systems. Systems running unpatched kernel versions across the 6.1.x, 6.6.x, 6.12.x, 6.18.x, and 6.19.x stable branches with DisplayPort Multi-Stream Transport (MST) capable hardware are vulnerable. No public exploit or active exploitation has been identified; patches are available across all affected stable branches with specific fix commits traceable to git.kernel.org.

Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71304 MEDIUM PATCH This Month

Networking denial of service in the Linux kernel's Smack LSM disrupts IPv4 connectivity for all processes carrying non-ambient Smack labels when a previously-used CIPSO DOI value is cycled through /smack/doi. The kernel's smk_cipso_doi function retains decommissioned DOI definitions in netlabel's CIPSO configuration, causing re-add operations to fail with EEXIST (-17); this prevents the default IPv4 domain mapping from being re-established, silently severing label-based network traffic. No public exploit code is identified and EPSS sits at 0.02% (7th percentile), reflecting the very narrow deployment surface - only systems with Smack as the active LSM and CIPSO networking configured are affected.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71303 MEDIUM PATCH This Month

Race condition in the Linux kernel's accel/amdxdna driver allows a local low-privileged user to cause device availability impact on systems equipped with AMD XDna AI accelerator hardware. The flaw in the rpm_on flag check permits command submissions to the accelerator during a narrow autosuspend transition window before the device has fully resumed, producing undefined hardware behavior or driver crashes. No public exploit exists and EPSS is at the 6th percentile (0.02%), indicating negligible real-world exploitation probability; no active exploitation is confirmed.

Linux Race Condition Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-45846 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel bareudp driver crashes the kernel when Open vSwitch triggers `bareudp_fill_metadata_dst()` against a down IPv6 bareudp tunnel device. The socket pointer (`bareudp->sock`) is NULL between `bareudp_stop()` and `bareudp_open()`, and the IPv6 path passes it unsafely to `udp_tunnel6_dst_lookup()` at `sock->sk` offset 0x18. A local attacker with low privileges and access to OVS netlink commands can force a kernel panic, causing a denial of service. No public exploit code exists and no active exploitation has been identified; EPSS at 0.02% (5th percentile) confirms negligible observed exploitation.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45845 MEDIUM PATCH This Month

Kernel NULL pointer dereference in the Linux TAPRIO traffic scheduler allows a local user with namespace-scoped CAP_NET_ADMIN to trigger a kernel panic. On systems with unprivileged user namespaces enabled - the default on Ubuntu, Fedora, Debian, and most container-oriented distributions - any unprivileged local user can acquire namespace-scoped CAP_NET_ADMIN simply by creating a new network namespace, reducing the effective privilege bar to an ordinary user account. Patched stable releases exist (6.6.141, 6.12.91, 7.0.10, 6.18.33, 7.1-rc2), no active exploitation has been confirmed by CISA KEV, and EPSS is 0.02% (5th percentile), but the straightforward attack sequence and wide Linux footprint make this a priority patch on multi-tenant or container-hosting systems.

Linux Canonical Denial Of Service Null Pointer Dereference Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45844 MEDIUM PATCH This Month

Incorrect ARP payload parsing in the Linux kernel's netfilter arptables subsystem causes filtering rules to evaluate against garbage data on systems with IEEE1394 (FireWire) network interfaces. The arp_packet_match() function and arpt_mangle both assume a standard dual-hardware-address ARP layout, but IPv4-over-IEEE1394 per RFC 2734 omits the target hardware address field - the same discrepancy the rest of the kernel ARP stack already handles correctly. The result is that arptables rules on FireWire interfaces silently malfunction: legitimate traffic may be dropped and traffic that should be blocked may be passed, with arpt_mangle additionally writing to wrong offsets and corrupting packets. No public exploit has been identified and EPSS is 0.02% (6th percentile), consistent with the extremely niche attack surface.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45843 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel SLIP driver's VJ-compressed TCP header decoder (slhc_uncompress) allows a crafted short compressed frame to leak adjacent memory contents into the cached cstate and into subsequently reconstructed packets. The flaw affects systems using SLIP with Van Jacobson TCP/IP header compression; no public exploit has been identified at time of analysis and EPSS rates exploitation probability at 0.02%. The bug stems from missing bounds checks in decode() and pull16(), where the existing -1 error checks were dead code due to a 0xffff mask.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-45842 MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel SLIP header compression (slhc) subsystem crashes the kernel when a VJ-compressed frame is received on a PPP instance configured with zero receive slots. An unprivileged local user who can create a user namespace can invoke the PPPIOCSMAXCID ioctl with a crafted argument (0xffff0000) that exploits a signed-integer arithmetic shift to supply rslots=0 to slhc_init(), leaving comp->rstate NULL; any subsequent inbound VJ frame targeting slot 0 then dereferences that NULL pointer in softirq context, producing a kernel panic. No public exploit has been identified at time of analysis, and EPSS probability is negligible at 0.02%, but the attack path is fully reachable from unprivileged user namespaces, making the practical privilege bar lower than the PR:L label implies on systems where user namespaces are enabled.

Linux Canonical Denial Of Service Null Pointer Dereference Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45841 MEDIUM PATCH This Month

Divide-by-zero in the Linux kernel netfilter OSF module (nfnetlink_osf) allows a local user with CAP_NET_ADMIN to crash the kernel. By injecting a crafted OS fingerprint with a zero window scale value (wss.val=0) via nfnetlink, the attacker causes nf_osf_match_one() to execute an unguarded modulo operation when any subsequent matching TCP SYN packet is processed, resulting in a kernel panic and system-wide denial of service. No active exploitation is confirmed; EPSS sits at 0.02% (5th percentile), reflecting very low probability of widespread automated exploitation.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45840 MEDIUM PATCH This Month

Kernel panic in the Linux kernel's Open vSwitch (openvswitch) subsystem allows a low-privileged local user to crash the host kernel on Ubuntu-default and similar configurations. The vport netlink reply handler pre-allocates a fixed-size buffer but lacks an upper-bound check on the upcall PID array size, causing nla_put() to return -EMSGSIZE and BUG_ON(err < 0) to fire in ovs_vport_cmd_set(), triggering a kernel panic. On systems with unprivileged user namespaces enabled (Ubuntu default), any local user can reach this path via unshare -Urn without requiring elevated privileges. No public exploit has been identified at time of analysis, and EPSS at 0.02% reflects low current exploitation probability.

Linux Ubuntu Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45839 HIGH PATCH This Week

Local denial of service in the Linux kernel's BPF CO-RE relocation parser allows a process holding CAP_BPF to deterministically crash the system by loading a BPF program with a negative CO-RE accessor index. The flaw stems from bpf_core_parse_spec() in the libbpf relocation core accepting negative values from sscanf("%d") that bypass upper-bound checks due to integer promotion, ultimately driving an out-of-bounds read past the BTF members array. EPSS is negligible (0.01%) and there is no public exploit identified at time of analysis; a kernel oops backtrace is published in the changelog but it serves as a crash reproducer rather than a weaponized exploit.

Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45838 MEDIUM PATCH This Month

Incorrect end-of-list detection in the Linux kernel's BPF cgroup storage map subsystem allows a local low-privileged user with BPF syscall access to trigger a kernel crash (denial of service) via the `cgroup_storage_get_next_key()` function. The function uses `list_next_entry()`, which never returns NULL but wraps to the list head on the last element, causing the kernel to read `storage->key` from a bogus pointer aliasing internal map fields and copy the result to userspace - a condition that can provoke a kernel oops or panic. No public exploit exists and EPSS is 0.02% (5th percentile), consistent with the local-only attack surface and absence of CISA KEV listing.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45837 HIGH PATCH This Week

Local privilege-escalation-class memory corruption in the Linux kernel's BPF arena subsystem (introduced around 6.9) allows a process holding BPF capabilities to trigger a use-after-free. When a BPF arena VMA is inherited across fork(), arena_vm_open() bumps the mmap refcount but never registers the child VMA in arena->vma_list, leaving vml->vma pointing at the parent VMA; after the parent munmaps, a child call to bpf_arena_free_pages() dereferences the dangling pointer in zap_pages(). No public exploit or active exploitation is identified (EPSS 0.02%, 5th percentile), and vendor patches are available.

Memory Corruption Linux Use After Free Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Reference leak in the Linux kernel IPVS (IP Virtual Server) subsystem allows a local low-privileged user to trigger a race condition between the netdev notifier handler and destination cache update logic, potentially causing kernel resource exhaustion. When a network device is shutting down, the FIB routing subsystem may return a valid route after ip_vs_dst_event() finishes processing, allowing that route to be cached against a closing device and leaking a device reference until the IPVS destination is removed. This is a medium-severity availability issue with no public exploit identified at time of analysis and a very low EPSS score of 0.02% (5th percentile), indicating it is not currently a prioritized exploitation target.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-relevant memory corruption in the Linux kernel's sbs-battery power supply driver (drivers/power/supply/sbs-battery) stems from a use-after-free in power_supply_changed(). Because the driver requested its IRQ via devm_ before allocating/registering the power_supply handle, devm teardown frees the handle in reverse order while the interrupt is still live, so an SMBus battery interrupt firing during device removal (or before registration during probe) invokes power_supply_changed() on a freed or uninitialized pointer, typically crashing the system or silently corrupting memory. EPSS is negligible (0.02%, 7th percentile), no public exploit is identified, and it is not on CISA KEV; the fix is upstream-committed and shipped in multiple stable releases.

Memory Corruption Linux Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Availability impact in the Linux kernel FAT filesystem driver allows a local low-privileged user to trigger a kernel WARN_ON by mounting and operating on a corrupted FAT image with incorrect directory link counts. Specifically, rmdir unconditionally decrements the parent inode's i_nlink without first verifying it is at least 3, allowing underflow to zero on malformed images. No public exploit has been identified and the EPSS probability is 0.02% (7th percentile), but the kernel WARN_ON can cause a system crash, making the real-world availability impact high on affected systems where users can mount FAT images.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local memory corruption affects the Linux kernel's hwmon ibmpex driver, where commit 6946c726c3f4 - intended to fix a use-after-free in the high/low sysfs store handlers - instead introduced a new race condition by setting driver data to NULL before removing sensor attributes. The remediation is a revert of that flawed commit across the 6.1, 6.6, 6.12, 6.18, and 6.19 stable trees. With EPSS at 0.02% (7th percentile), no public exploit identified at time of analysis, and no CISA KEV listing, real-world risk is minimal given the obscure IBM PowerExecutive sensor hardware the driver targets.

Memory Corruption Linux Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Bridge multicast MDB entry counter underflow in the Linux kernel's `net/bridge/br_multicast.c` allows local attackers with low privileges to trigger a kernel WARN_ON - and a system panic on hosts configured with `panic_on_warn=1` - by manipulating VLAN snooping state on a bridge interface before flushing multicast group entries. Multiple stable kernel branches are affected across all architectures that include the bridge multicast subsystem. No public exploit identified at time of analysis, with an EPSS score of 0.02% (5th percentile) confirming low exploitation probability; patches are available across kernel stable series 6.12, 6.6, 6.18, 6.19, and 7.0.

Linux Information Disclosure Google +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Ext4 filesystem extent-splitting logic in the Linux kernel incorrectly caches extents mid-operation, leaving stale hole entries in the in-memory extent status tree (ESTree). When a Direct I/O write partially covers a pre-allocated unwritten extent, ext4_split_extent_at() can insert an incorrect hole entry that persists uncorrected, causing space accounting errors when subsequent delayed buffer writes target the same region. No active exploitation has been confirmed (not in CISA KEV), and the EPSS score of 0.02% (7th percentile) reflects negligible real-world exploitation likelihood; this is primarily a kernel correctness and filesystem availability defect rather than a targeted attack surface.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's cdns3 USB dual-role driver crashes the kernel when a USB OTG role switch to host mode occurs during a system resume from suspend. The host role's resume() operation calls usb_hcd_is_primary_hcd() on an xhci-hcd device whose probe has been deferred by the driver model, yielding a dereference at virtual address 0x208 and a kernel oops. Impact is limited to denial of service (system crash); no privilege escalation or data disclosure is possible. No active exploitation is confirmed (CISA KEV absent, EPSS 0.02%), and the vulnerability is practically relevant only on hardware platforms featuring the Cadence USB3 cdns3 controller.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free condition in the Linux kernel's RDMA Soft RoCE (rxe) driver allows local privileged users to trigger memory corruption through a race between the QP retransmit_timer handler and rxe_destroy_qp. The flaw stems from the Queue Pair reference count dropping to zero while a timer callback is still executing, producing refcount underflow warnings and potential kernel memory corruption. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.

Linux Information Disclosure Race Condition
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel's MediaTek clock gate driver stems from incorrect use of __initconst annotations on mtk_gate structures that are accessed at runtime, not just during initialization. After kernel init completes, the memory backing these structs is freed, so any runtime access reads freed memory - affecting Linux 6.18 prior to stable releases 6.18.14 and 6.19.4. CVSS rates this 7.8 (High) with local attack vector; EPSS is 0.02% and no public exploit identified at time of analysis.

Mediatek Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's AMD XDnA accelerator driver (accel/amdxdna) allows a local low-privileged user to degrade system availability by exhausting kernel memory. The amdxdna_ubuf_map() function fails to release previously allocated scatter-gather (sg) and internal sg table memory when error paths are taken during sg_alloc_table_from_pages or dma_map_sgtable operations. No active exploitation is confirmed (absent from CISA KEV), EPSS stands at 0.02% (4th percentile), and impact is strictly limited to availability - no confidentiality or integrity exposure exists.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Deadlock in the Linux kernel mlx5e Mellanox/NVIDIA Ethernet driver allows a low-privileged local attacker to hang the system by triggering network health reporter recovery paths that acquire locks in the wrong order. Specifically, work handlers acquire the netdev instance lock before invoking devlink_health_report, which then attempts to acquire the devlink lock - reversing the mandated devlink → rtnl → netdev ordering and producing an ABBA deadlock. The vulnerability affects systems equipped with Mellanox/NVIDIA ConnectX NICs; no public exploit exists and EPSS sits at 0.02% (4th percentile), consistent with a kernel-internal locking race rather than an externally triggerable flaw.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's pf1550 power-supply driver (drivers/power/supply/pf1550) lets a queued hardware interrupt invoke power_supply_changed() on an already-freed power_supply handle during module/device removal, and can also dereference an uninitialized handle during probe. The flaw stems from devm-managed resource ordering: the IRQ was requested before the power_supply was registered, so devm teardown frees the power_supply first. Impact is typically a kernel crash or silent memory corruption. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis.

Memory Corruption Linux Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Race condition in the Linux kernel's XFRM ICMP route lookup path causes a kernel WARN_ON that can crash affected systems. Within `icmp_route_lookup()`, a TOCTOU window between a locality check and a subsequent `ip_route_input()` call allows a concurrently executing `ip addr add` to return a LOCAL route whose `dst.output` is set to `ip_rt_bug()` - a debugging stub that fires `WARN_ON` when invoked during ICMP error transmission. Exploitation requires local access, active XFRM/IPsec policy, and precise race-window timing; no active exploitation is confirmed and EPSS sits at 0.02%, though a public reproducer exists that requires kernel modification to reliably trigger.

Linux Race Condition Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Recursive mutex deadlock in the Linux kernel's PowerPC Enhanced Error Handling (EEH) subsystem causes denial of service on IBM POWER systems running affected kernel versions. Commit 1010b4c012b0 inadvertently repositioned pci_lock_rescan_remove() calls so that eeh_handle_normal_event() holds the lock before invoking eeh_pe_bus_get(), which internally attempts to acquire the same mutex, producing a confirmed lockdep-detected deadlock that crashes the EEH daemon and disables PCI error recovery. No public exploit has been identified and the EPSS score of 0.02% (7th percentile) reflects the narrow hardware-specific attack surface; real-world impact is a reliability and availability concern for IBM POWER server operators rather than a traditional security attack vector.

Linux IBM Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Information disclosure in the Linux kernel BPF subsystem allows a local low-privileged user with BPF program load access to leak kernel memory contents. Incorrect memory-access flags on several ARG_PTR_TO_MEM helper prototypes (notably bpf_get_stack_proto_raw_tp) cause the verifier to wrongly assume helper-written buffers are unchanged, optimizing away subsequent reads and producing stale or uninitialized data that can expose kernel memory. There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and it is not in CISA KEV.

Linux Buffer Overflow Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-level use-after-free in the Linux kernel's bq256xx battery charger driver (power: supply: bq256xx) allows memory corruption when a charger IRQ fires during device probe or removal, calling power_supply_changed() against a freed or uninitialized power_supply handle. The flaw stems from devm_ resources being released in reverse order, so the IRQ outlives the power_supply registration; triggering it typically crashes the system or silently corrupts kernel memory. No public exploit is identified at time of analysis and EPSS exploitation probability is negligible (0.02%, 7th percentile), with no CISA KEV listing.

Memory Corruption Linux Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Circular lock dependency in the Linux kernel's netfilter nf_tables subsystem causes kernel deadlock or hang when nft reset, ipset list, and iptables-nft with '-m set' rules execute concurrently, resulting in a local denial of service. The root cause is improper use of commit_mutex in the reset path, which - when interleaved with nfnl_subsys_ipset and nlk_cb_mutex acquisitions - creates a deadlock cycle. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.02% (5th percentile) reflects the low real-world exploitation probability for this class of locking defect.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory exhaustion vulnerability in the Linux kernel's CAAM DPAA2 crypto driver allows gradual resource depletion on systems with NXP DPAA2 hardware through unreleased per-CPU net_device allocations during failed probe retries. The regression was introduced when commit 0e1a4d427f58 converted embedded net_device structs to dynamically allocated pointers but omitted cleanup in the dpaa2_dpseci_free() error path - meaning every deferred probe retry triggered by a temporarily unavailable DPIO subsystem silently leaks netdev memory. No public exploit exists and EPSS probability is 0.02% (5th percentile), consistent with the hardware-specific, non-user-controlled nature of the defect.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Availability impact via stale extent cache corruption in the Linux kernel's ext4 filesystem driver allows a local low-privileged user to trigger a kernel denial-of-service condition. When an ext4 extent-splitting operation fails mid-execution, stale entries are left in the extent status tree, which can cause subsequent filesystem operations to crash the kernel. No public exploit exists and EPSS probability sits at 0.02% (7th percentile), reflecting this as a stability bug rather than a targeted attack vector. Vendor-released patches are available across all active stable branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Kernel memory corruption in the Linux iWARP Connection Manager (RDMA/iwcm) subsystem can crash systems running RDMA workloads on iWARP-capable hardware such as Intel E830 adapters. The bug, introduced by commit e1168f0 ('RDMA/iwcm: Simplify cm_event_handler()'), causes workqueue list corruption when iwcm_work items from a free list are reused while still queued, triggering a kernel BUG and panic. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 5th percentile), despite a CVSS base score of 9.8.

Debian Ubuntu Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Counter value underrun in the Linux kernel's netfilter nft_counter subsystem allows a local unprivileged user to corrupt nftables packet and byte counter data through a race condition in concurrent dump-and-reset operations. Two parallel resets can each read the same counter totals and both subtract them, causing the counters to underrun - potentially wrapping unsigned values to astronomically large figures and producing incorrect firewall accounting. No public exploit exists and EPSS is 0.02% (5th percentile), consistent with a low-priority correctness defect rather than a targeted security attack vector.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds array access in the Linux kernel's Intel Discrete Graphics MTD driver (mtd_intel_dg.c) lets a local actor trigger kernel memory corruption when the driver enumerates NVM regions before nregions is initialized. The flaw, caught by UBSAN as an array-index-out-of-bounds at line 750, affects systems running kernel 6.17 through the pre-patch 6.18/6.19 series with Intel discrete graphics hardware. No public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.02%, 4th percentile).

Linux Buffer Overflow Intel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Linux Kernel quota subsystem livelocks the system when quotactl_block() and freeze_super() execute concurrently on non-preemptible kernels, causing 100% CPU consumption and an indefinite hang of the filesystem freeze process. The root cause is a missing scheduling point in quotactl_block()'s retry loop: on kernels with preemption disabled, the spinning loop never yields the CPU, starving synchronize_rcu() of the RCU quiescent state it needs to advance, which in turn blocks freeze_super() from completing. Affected are Linux kernel versions from commit 576215cffdefc1f0ceebffd87abb390926e6b037 onward, on systems using quota-enabled filesystems; no public exploit or active exploitation has been identified at time of analysis.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Race condition in Linux kernel Intel VT-d IOMMU driver (iommu/vt-d) allows torn reads of Scalable Mode PASID table entries during teardown, producing unpredictable behavior or spurious faults on systems with Intel VT-d enabled. The flaw stems from zeroing the entire 64-byte PASID entry while the Present bit is still set, violating the VT-d spec's invalidation guidance. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but a vendor patch is available across multiple stable branches.

Linux Information Disclosure Intel
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's AppArmor subsystem allows a local, low-privileged attacker to leak adjacent kernel memory and potentially crash the system when AppArmor parses a policy table built from possibly unaligned, userspace-supplied source data. The flaw stems from unaligned memory accesses during table creation in the policy loader and carries high confidentiality and availability impact. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.02%, 5th percentile), consistent with a hard-to-reach local-only kernel hardening fix rather than a mass-exploitation target.

Linux Buffer Overflow Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stale unwritten extent retention in the Linux kernel ext4 filesystem's in-memory extent status cache allows a local low-privileged user to trigger filesystem state inconsistency with high availability impact. The flaw manifests in ext4_split_extent() when a PARTIAL_VALID1 zeroout operation succeeds but the subsequent split at the first boundary fails due to temporary memory pressure, leaving the extent status tree out of sync with on-disk extent data. Patched stable releases are available; no public exploit or CISA KEV listing has been identified at time of analysis, and EPSS exploitation probability sits at 0.02% (5th percentile).

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-holder denial of service (and potential kernel memory corruption) in the Linux kernel's HiSilicon hns3 network driver allows a user with CAP_NET_ADMIN to trigger a double-free of the tx_spare backup buffer. The flaw lives in hns3_set_ringparam(), where a temporary ring copy is made for rollback but the original ring's tx_spare pointer is left dangling; if a subsequent allocation in hns3_init_all_ring() fails, the error path frees the stale pointer twice (CWE-415). EPSS is negligible (0.02%, 7th percentile) and there is no public exploit identified at time of analysis, but a vendor-released patch is available across multiple stable trees.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Guest-to-host denial of service in the Linux kernel's xen-netback driver allows a malicious or buggy Xen guest to crash the hypervisor host by writing "0" to the xenbus key multi-queue-num-queues. The connect() function validates only the upper bound of requested_num_queues, permitting a zero value to reach vzalloc(array_size(0, ...)), which triggers WARN_ON_ONCE in __vmalloc_node_range(); on hosts with panic_on_warn=1 this escalates to a full kernel panic. No public exploit exists and EPSS is 0.02% (7th percentile), consistent with a narrow Xen-specific attack surface, but the guest-controlled code path is trivial to trigger and vendor patches have been backported across seven stable kernel series, confirming the impact is real.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Divide-by-zero kernel panic (Oops) in the Linux kernel MPTCP subsystem's `mptcp_rcvbuf_grow()` function can be triggered by a local authenticated user under a rare but specific race condition involving concurrent out-of-order packet arrival and receive buffer initialization. The vulnerability also causes a secondary effect where the MPTCP receive buffer slowly drifts toward the `tcp_rmem[2]` maximum, degrading system performance on MPTCP-heavy workloads. No public exploit identified at time of analysis; EPSS is 0.02% (4th percentile), consistent with its local-only, race-dependent nature.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's md/raid1 subsystem allows a local attacker with access to RAID configuration interfaces to gradually exhaust kernel memory by repeatedly triggering the faulty error path in raid1_run(). Affected kernel versions span multiple stable branches prior to 6.12.75, 6.18.14, 6.19.4, and 7.0. No public exploit identified at time of analysis; EPSS at 0.02% (5th percentile) and confirmed discovery via static analysis rather than active exploitation signals minimal real-world risk. Vendor-released patches are available across all affected stable branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's af_unix subsystem allows a local low-privileged user to exhaust kernel memory by repeatedly triggering a failure path in unix_stream_connect(). When prepare_peercred() fails after unix_create1() has already allocated a new socket object (newsk), the error path omits the required unix_release_sock() call, leaving kernel memory permanently unreleased. No public exploit has been identified at time of analysis; EPSS at 0.02% (4th percentile) reflects negligible widespread exploitation likelihood, consistent with the local-only attack vector.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

BPF verifier rejection in the Linux kernel's XDP subsystem forces valid BPF programs to fail load-time verification when they pass pointers from BPF_F_RDONLY_PROG maps to the bpf_xdp_store_bytes helper. The root cause is an incorrect argument type annotation - the helper's third argument (source buffer) is declared as ARG_PTR_TO_UNINIT_MEM, which carries the MEM_WRITE flag, causing the verifier to demand write permission on memory that the helper only reads. Separately, this same mistype permits the helper to read from uninitialized memory (CWE-908). No public exploit is identified at time of analysis, and EPSS sits at 0.02%, but kernel patches across all active stable branches have been issued.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-impacting memory corruption in the Linux kernel's cpcap-battery power supply driver allows a use-after-free in power_supply_changed() triggered during device probe or removal. The driver requested its IRQ via devm_ before registering the power_supply handle, so on teardown the handle is freed while the interrupt handler can still fire, dereferencing freed memory and typically crashing the system or silently corrupting memory. EPSS is negligible (0.02%, 7th percentile) and there is no public exploit identified at time of analysis; the issue is confined to Motorola CPCAP PMIC hardware (e.g. Droid 4) rather than general-purpose servers.

Memory Corruption Linux Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Integer underflow in the Linux kernel's AppArmor subsystem (`aa_get_buffer()`) allows a local low-privileged user to cause per-CPU buffer starvation and system-wide denial of service. The `cache->hold` unsigned counter wraps to UINT_MAX when decremented below zero, permanently preventing `aa_put_buffer()` from recycling buffers back to the global pool and forcing repeated `kmalloc(aa_g_path_max)` heap allocations that starve other CPUs. No public exploit exists and EPSS is 0.02% (5th percentile); this is not in CISA KEV, but patches are available across multiple stable kernel branches.

Integer Overflow Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource leak in the Linux kernel's sca3000 IIO accelerometer driver (sca3000_probe()) allows a local low-privileged user on affected hardware to cause IRQ resource exhaustion by repeatedly triggering the error path where iio_device_register() fails without releasing the IRQ registered via request_threaded_irq(). Affected are Linux kernel versions from approximately 4.10 through multiple stable branches, all of which now have upstream fix commits. No public exploit exists and EPSS stands at 0.02% (7th percentile), indicating this is a robustness/maintenance fix rather than an actively targeted vulnerability.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's pm8916_bms_vm power-supply driver (for Qualcomm PM8916 battery monitoring on certain Snapdragon SoCs) lets a freed power_supply handle be dereferenced when an IRQ fires during device removal or probe, corrupting kernel memory or crashing the system. The flaw stems from devm-managed IRQ registration occurring before the power_supply handle was registered, so devm's reverse-order teardown frees the handle while the interrupt is still live. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; impact is realistically a local denial of service on the narrow set of devices using this driver.

Memory Corruption Linux Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory exhaustion via the MediaTek SVS (Smart Voltage Scaling) debugfs interface in the Linux kernel allows a local attacker with low privileges to leak kernel memory on MediaTek SoC-based systems. The root cause is that `svs_enable_debug_write()` allocates a buffer via `memdup_user_nul()` to copy user-supplied input, but fails to free it when the subsequent `kstrtoint()` call rejects non-integer input - a classic CWE-401 missing-release flaw. No public exploit has been identified and EPSS is 0.02% (7th percentile), making this a low-urgency, patch-when-convenient issue for the narrow device population running affected MediaTek SoC kernels.

Linux Mediatek Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

PCI/P2PDMA subsystem in the Linux kernel hangs indefinitely on PCI device removal due to a missing percpu_ref_put() call on the error exit path of p2pmem_alloc_mmap(). Low-privileged local users on systems with P2PDMA-capable PCI hardware can trigger a vm_insert_page() failure that leaks a per-CPU pgmap reference, causing memunmap_pages() to stall forever when the PCI device is later removed. No public exploit has been identified and EPSS is at the 5th percentile; this is not in CISA KEV.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-level use-after-free in the Linux kernel's bq25980 battery charger power-supply driver (drivers/power/supply/bq25980.c) allows a triggered IRQ to call power_supply_changed() on a freed or uninitialized power_supply handle, typically crashing the system or corrupting memory. The flaw stems from devm-managed IRQ registration ordering relative to power_supply registration, creating a race during driver probe and removal. EPSS is negligible (0.02%, 7th percentile), there is no public exploit identified at time of analysis, and it is not on CISA KEV; the fix is committed upstream and shipped in multiple stable kernels.

Memory Corruption Linux Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel's AMD KFD (Kernel Fusion Driver) debug subsystem allows a local user with GPU access to trigger a buffer overflow in the watch_points array via a crafted watch_id value. The flaw stems from signed/unsigned integer mishandling in kfd_dbg_trap_clear_dev_address_watch(), where userspace-supplied watch_id values exceeding INT_MAX cause undefined bit shifts and out-of-bounds memory access. No public exploit identified at time of analysis, and EPSS scores exploitation probability at only 0.02%.

Linux Amd Buffer Overflow
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's Intel ISH HID subsystem (`intel_ishtp` module) causes a kernel panic and local denial of service during warm reset operations. The `ishtp_bus_remove_all_clients()` function dereferences `cl->device->reference_count` without a NULL guard, which is reachable when a firmware reset interrupts ISH client enumeration mid-flight. No public exploit or active exploitation (CISA KEV) exists; EPSS probability is 0.02% at the 5th percentile, consistent with a timing-dependent, hardware-specific kernel crash path.

Linux Denial Of Service Intel +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Error handling failure in the Linux kernel's arm64 Guarded Control Stack (GCS) subsystem allows a local low-privileged user on ARMv9 hardware to trigger a kernel denial of service by exploiting an incorrect NULL check in arch_set_shadow_stack_status(). Because alloc_gcs() propagates do_mmap() failures as error-encoded pointers rather than NULL, the existing guard is bypassed and the kernel proceeds to use an invalid GCS address, risking a kernel panic. No public exploit exists and EPSS sits at the 4th percentile, but the vulnerability is confirmed patched in Linux 6.18.14, 6.19.4, and 7.0.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Regulator resource leak in the Linux kernel MFD Arizona WM5102 audio codec driver causes availability degradation on affected hardware when the write sequencer error path is triggered. The `wm5102_clear_write_sequencer()` helper returns early on error without jumping to the `err_reset` cleanup label, leaving kernel voltage regulators enabled and leaking resources across repeated invocations. Exploitation requires local low-privilege access on systems with WM5102 hardware; EPSS is 0.02% (7th percentile) and no active exploitation has been identified, placing real-world priority firmly in the low tier.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's NXP i.MX8QM HSIO PHY driver crashes the kernel on affected embedded hardware. The flaw exists in `imx_hsio_configure_clk_pad()`, which unconditionally dereferences `refclk_pad` even when the `fsl,refclk-pad-mode` devicetree property is absent, setting the pointer to NULL during probe. A local low-privileged user on NXP i.MX8QM-based systems with vulnerable kernel versions can trigger a kernel panic, causing a full denial-of-service. No public exploit or active exploitation (CISA KEV) has been identified; EPSS of 0.02% at the 5th percentile confirms negligible exploitation probability.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial-of-service via kernel crash in the Linux kernel's netfilter nft_set_rbtree subsystem, exploitable by a local user with nftables manipulation capability. The flaw lies in the partial overlap detection logic for anonymous sets: an optimization that omits end elements for adjacent intervals also inadvertently suppresses overlap checks on start elements, allowing two intervals sharing the same start point (e.g., A-B and A-C where C < B) to be inserted simultaneously, corrupting the red-black tree and triggering a kernel panic. No public exploit code has been identified at time of analysis, and the EPSS score of 0.02% (7th percentile) reflects low real-world exploitation probability, though the vulnerability is present across many long-term stable kernel branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory exhaustion denial-of-service in the Linux kernel smartpqi SCSI driver allows a local user to degrade system availability through kernel memory leak accumulation. The vulnerability exists in pqi_report_phys_luns(), which fails to release the rpl_list buffer on two distinct error paths - unsupported data format detection and rpl_16byte_wwid_list allocation failure - both of which bypass cleanup logic. No public exploit exists and EPSS sits at 0.02% (7th percentile), but systems running Microsemi/PMC-Sierra SmartPQI RAID controllers on unpatched kernels are at risk of gradual availability degradation.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource leak in the Linux kernel's st33zp24 TPM driver allows a low-privileged local user to exhaust TPM localities and deny TPM service on systems equipped with STMicroelectronics ST33ZP24 hardware. When get_burstcount() returns -EBUSY on timeout, st33zp24_send() exits without releasing the previously acquired TPM locality, creating a cumulative leak that can render all subsequent TPM operations unavailable. No public exploit code exists and EPSS probability is 0.02% (7th percentile), but systems relying on the ST33ZP24 for measured boot or disk-encryption attestation face meaningful operational risk if exploited.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leaks in the Linux kernel's SUNRPC auth_gss subsystem allow a local low-privilege attacker to gradually exhaust kernel heap memory on systems using NFS with Kerberos (RPCSEC_GSS) authentication. The gssx_dec_ctx(), gssx_dec_status(), and gssx_dec_name() XDR decoding functions fail to release previously allocated kernel buffers when a partial decode sequence errors out mid-function, leaving unreferenced kmemdup() allocations on the heap. No public exploit exists and EPSS is 0.02%, but no public exploit identified at time of analysis; repeated triggering of the vulnerable paths could degrade availability on RPCSEC_GSS-enabled servers.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's wm97xx battery power supply driver crashes the kernel when a hardware interrupt fires during a narrow initialization race window. Systems running Linux kernel versions from 2.6.32 through various stable branches (pre-patch releases in 5.10, 5.15, 6.1, 6.6, 6.12, 6.18, 6.19, and 7.0 series) with wm97xx-equipped hardware are affected. A local attacker - or natural hardware interrupt timing - can trigger a kernel panic (denial of service) during driver probe; no public exploit has been identified and EPSS sits at the 7th percentile, reflecting the narrow hardware footprint.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Reference count leak in the Linux kernel's pinctrl-single driver (`pcs_add_gpio_func()`) allows a local low-privileged user to cause kernel memory exhaustion and denial of service on affected embedded/SoC platforms. The `of_parse_phandle_with_args()` Device Tree API increments a refcount on the returned device_node pointer, but the iterating loop never calls `of_node_put()` to release it - accumulating leaked references on every GPIO phandle processed. No public exploit exists and EPSS is 0.02%, placing this firmly in the low-urgency patch category; exploitation requires specific hardware and driver configuration not present on typical x86 servers.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation potential via a use-after-free in the Linux kernel's act8945a power supply driver, where the ACT8945A PMIC IRQ is requested before the power_supply handle is registered (and torn down after it during removal), letting an interrupt invoke power_supply_changed() on a freed or uninitialized handle. Affected systems run vulnerable Linux kernel builds (pre-6.6.128, pre-6.12.75, pre-6.1.165, pre-5.15.202, pre-5.10.252, and others) with the act8945a driver bound to real Atmel/Microchip SAMA5-class hardware. There is no public exploit identified at time of analysis; EPSS is very low (0.02%, 7th percentile) and the flaw is not in CISA KEV.

Memory Corruption Linux Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-bounded use-after-free in the Linux kernel's CAIF serial line discipline (caif_serial / CONFIG_CAIF_TTY) lets a local attacker corrupt kernel memory by racing ldisc_close() against packet transmission. ldisc_close() drops the tty reference via tty_kref_put() while the CAIF network device is still live, so a concurrent caif_xmit()/handle_tx() can dereference the freed tty (ser->tty) and call tty->ops->write() on dangling memory, confirmed by a KASAN slab-use-after-free report. A reproducer is published, but no public weaponized exploit and no active exploitation are recorded; EPSS is 0.02% (7th percentile), consistent with a niche driver and a tight race window.

Memory Corruption Linux Use After Free +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Uninitialized stack memory exposure in the Linux kernel's MCTP-over-I2C (mctp-i2c) driver affects systems using i2c-aspeed or i2c-npcm7xx bus drivers, particularly server/BMC hardware with Aspeed and Nuvoton chipsets. When a read is performed against an mctp-i2c device instance, the event handler fails to initialize the 'val' byte before returning it to the caller, exposing whatever residual value sits on the kernel stack at that moment. No public exploit has been identified at time of analysis, and with an EPSS of 0.03% (10th percentile), real-world exploitation pressure is currently negligible; however, kernel stack data leakage is a meaningful information disclosure primitive on affected hardware.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Infinite loop denial of service in the Linux kernel's ntfs3 filesystem driver allows a local low-privileged user to hang the kernel's I/O subsystem by triggering a non-terminating loop in the file write path. The flaw in `ntfs_file_write_iter` (fs/ntfs3/file.c:1284) occurs when iterating over the valid data range [valid:pos) during a write operation - if the `valid` pointer fails to advance (returning the same value), the loop condition is never satisfied and the inode lock is held indefinitely, causing a full write-path hang. No active exploitation has been identified (absent from CISA KEV) and EPSS of 0.02% at the 7th percentile confirms negligible observed exploitation activity; a patch is available across all affected stable branches.

Linux Denial Of Service Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's DesignWare i3c master driver (`drivers/i3c/master/dw-i3c-master.c`) allows a local low-privileged user on systems equipped with DesignWare i3c hardware to cause gradual kernel memory exhaustion by repeatedly triggering the failure path in `dw_i3c_master_i2c_xfers()`, where `dw_i3c_master_alloc_xfer()` allocates a transfer structure that is never freed when `pm_runtime_resume_and_get()` returns an error. No public exploit identified at time of analysis; EPSS of 0.02% (5th percentile) and the static-analysis discovery method both confirm this is a low-immediacy, low-exploitation-probability issue. Vendor-released patches are available across multiple stable kernel branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Race condition in the Linux kernel's Intel VT-d IOMMU driver allows non-coherent IOMMU hardware to read uninitialized memory from a freshly allocated PASID table because the PASID directory entry is published before the CPU cache flush completes. With CVSS 7.8 (AV:L/AC:H/PR:L) and EPSS at 0.02% (7th percentile), no public exploit identified at time of analysis, and the issue requires local privileges plus precise timing against non-coherent IOMMU hardware. The fix is included across multiple stable kernel branches.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel's GFS2 (Global File System 2) filesystem stems from a slab-use-after-free in qd_put() that corrupts the quota data LRU list during filesystem shutdown. Local authenticated users with access to a GFS2 mount could trigger the shrinker path (gfs2_qd_shrink_scan) to dereference freed objects, with EPSS at 0.02% indicating no public exploit identified at time of analysis. The flaw was introduced by commit a475c5dd16e5 which began freeing quota data synchronously without removing entries from the LRU list first.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel netfilter nf_conncount subsystem allows remote attackers to trigger erroneous connection limit enforcement by establishing more than 8 new tracked connections per jiffy, causing the garbage collector to fall behind and the connection list to wrongly hit its cap. The flaw affects systems using nft_connlimit, xt_connlimit, or OVS connection limit features, with availability impact only (CVSS 7.5, AV:N/AC:L/PR:N/UI:N/A:H). EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the issue is reproducible with common HTTP load tools such as slowhttptest.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel's netfilter nfnetlink_queue subsystem allows remote attackers to cause packet drops affecting availability when nfqueue is used without the NFQA_CFG_F_GSO capability flag. The flaw is a regression where the shared-unconfirmed conntrack check was performed after skb_gso_segment(), causing GSO UDP packets associated with unconfirmed nf_conn entries to be dropped instead of queued. EPSS is very low (0.02%) with no public exploit identified at time of analysis and no CISA KEV listing, indicating low real-world urgency despite the CVSS 7.5 availability score.

Linux Code Injection
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stale data exposure and filesystem data corruption in the Linux kernel's ext4 extent-splitting subsystem affects all major stable branches prior to 6.6.130, 6.12.75, 6.18.14, 6.19.4, and 7.0. When ext4_split_extent_at() encounters a transient ENOSPC condition while splitting a large unwritten extent at its first boundary, the error path incorrectly zeroes out and marks the entire extent as written - leaving stale disk content from adjacent regions readable in areas that should remain unwritten or zero-filled. No public exploit identified at time of analysis; EPSS at 0.02% (5th percentile) reflects the narrow, local-only, condition-dependent trigger path that makes automated or widespread exploitation highly unlikely.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's csiostor SCSI driver (Chelsio T5 iSCSI storage controller) causes a local denial-of-service via kernel panic. The flaw resides in the error exit path: when the pointer rn is NULL, the CSIO_INC_STATS macro still dereferences it, triggering a kernel crash. Exploitation requires local low-privilege access on a system equipped with Chelsio csiostor hardware; no active exploitation is confirmed (not in CISA KEV) and EPSS sits at 0.02% (7th percentile), indicating minimal real-world exploitation pressure.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds kernel heap read in the Linux kernel's RDMA/uverbs subsystem allows local low-privileged users with access to InfiniBand/RDMA device nodes to leak kernel memory or trigger a denial-of-service WARNING by submitting a crafted ib_uverbs_post_send command with an undersized or oversized wqe_size value. EPSS is very low (0.02%, 7th percentile) and there is no public exploit identified at time of analysis, but the bug is fixed upstream across multiple stable trees, so patched versions should be deployed where RDMA is exposed to untrusted local users.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Non-NCQ command starvation in the Linux kernel's libata-scsi layer can cause complete denial of service for certain disk I/O operations on systems using multi-queue ATA host adapters. On affected hardware, when a target storage device is under sustained NCQ (Native Command Queuing) traffic, the SCSI layer's SCSI_MLQUEUE_XXX_BUSY requeue mechanism provides no forward-progress guarantees for non-NCQ commands - other CPU cores can continuously inject new NCQ commands from separate submission queues, indefinitely deferring the non-NCQ command. No public exploit has been identified at time of analysis and EPSS probability is very low (0.02%, 5th percentile), but the bug can manifest naturally under heavy I/O workloads without deliberate exploitation.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel panic in the Linux inside-secure/eip93 hardware crypto driver occurs when the driver teardown routine unconditionally unregisters all cryptographic algorithms, including those never registered because the underlying EIP93 silicon does not implement them. Platforms with partial EIP93 silicon support - where only a subset of algorithms are burned into hardware - trigger the panic during module removal or system shutdown. No public exploit exists and EPSS sits at the 4th percentile (0.02%), indicating this is primarily a stability defect with negligible exploitation interest rather than a targeted attack surface.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Memory corruption in the Linux kernel's AMD GPU driver (amdgpu) arises because amdgpu_gmc_get_nps_memranges() releases buffers allocated by amdgpu_discovery_get_nps_info() with kfree() even though that memory may have been allocated via kvcalloc()/vmalloc(), corrupting the kernel allocator state. The flaw affects systems running AMD GPUs on kernels prior to the fixed stable releases (6.12.75, 6.18.14, 6.19.4, and 7.0). There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and the issue was found via static analysis and code review rather than in-the-wild exploitation.

Memory Corruption Linux Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and kernel memory corruption in the Linux kernel's RDMA Soft RoCE (rxe) driver stems from a double-free in rxe_srq_from_init() when copy_to_user() fails after the queue pointer has already been assigned to srq->rq.queue. A local user with permission to create Shared Receive Queues over RDMA can trigger the error path to cause the same memory to be freed twice via rxe_srq_cleanup(), enabling kernel heap corruption with potential for privilege escalation. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 7th percentile).

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial of service in the Linux kernel's EFI unaccepted-memory handling allows a boot-time kernel panic on confidential-computing guests, affecting kernels from 6.6 through the 6.19/7.0 development line. The reserve_unaccepted() routine miscalculates the memblock reservation size when the unaccepted memory table is not page-aligned, leaving the table's tail unreserved so it can be overwritten or rendered inaccessible, triggering a panic in accept_memory(). It is observed on Intel TDX VMs with larger memory sizes (e.g. >64GB); there is no public exploit identified at time of analysis and EPSS is negligible (0.02%).

Linux Intel Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Incorrect offset handling in the Linux kernel IPVS subsystem causes IPv6 protocol checksum validation to fail when extension headers precede the transport header, disrupting availability on systems acting as IPv6 load balancers. Affected across a broad kernel version range from 2.6.28 onward, with fixes confirmed in stable releases 6.19.4 and mainline 7.0. No public exploit code exists and no active exploitation has been identified; EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation pressure.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Improper locking in the Linux kernel's Microsemi Ocelot network switch driver (`net/mscc/ocelot`) allows a local low-privileged user on hardware running Ocelot switch chips to trigger a race condition in `ocelot_port_xmit_inj()`, potentially causing a kernel panic or system crash. Affected stable branches span 6.1.107-6.1.164, 6.6.48-6.6.127, and 6.10.7 through 6.11 release candidates, with patches confirmed in 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, and 7.0. No public exploit identified at time of analysis; EPSS at 0.02% (7th percentile) reflects extremely low exploitation probability, consistent with the hardware-specific trigger requirement and local-only attack vector.

Code Injection Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's AppArmor LSM function `aa_sock_file_perm` allows a local authenticated user to crash the kernel (oops) during socket setup or teardown. The flaw affects the fallback mediation path for AF_UNIX sockets and all other socket families when AppArmor is in enforcing mode, because neither `sock` nor `sock->sk` are validated for NULL before dereferencing. Impact is limited to availability (system crash); no confidentiality or integrity loss is possible. No public exploit is identified at time of analysis, and EPSS at 0.02% (7th percentile) indicates negligible exploitation probability.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Reachable assertion in the Linux kernel network subsystem allows a local low-privileged user to trigger a WARN_ON_ONCE by constructing a sufficiently long forward path through IPIP tunnels, resulting in a kernel warning and high availability impact. The root cause (CWE-617) is an assertion in the forward path array access code that became reachable after IPIP tunnel support was introduced, expanding the possible depth of forward paths beyond the implicit assumption encoded in the warning. No public exploit code exists and EPSS is extremely low (0.02%, 7th percentile), but the kernel-level denial-of-service impact on local multi-tenant or containerized systems warrants patching.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Memory leak in the Linux kernel NTFS3 driver's ntfs_fill_super() function allows a local user with mount privileges to gradually exhaust kernel memory by repeatedly mounting NTFS filesystems. The ntfs_mount_options structure (32 bytes per mount) is permanently leaked because fc->fs_private is nulled before ntfs_fs_free() can release it, confirmed by kmemleak tooling. No active exploitation has been identified - EPSS is 0.02% (5th percentile) and this vulnerability is absent from CISA KEV - making it a maintenance-class fix rather than an urgent security priority, though the availability impact is rated High by CVSS.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Uninitialized memory use in the Linux kernel's NTFS3 filesystem driver (fs/ntfs3) causes a kernel crash when a local, low-privileged user triggers NTFS compression writes under specific folio allocation conditions. The flaw was surfaced by KMSAN (Kernel Memory Sanitizer) in longest_match_std(), called from ntfs_compress_write(), when newly allocated folios are neither marked uptodate nor initialized before use. No public exploit or active exploitation has been identified; EPSS stands at 0.02% (5th percentile), confirming negligible automated attack activity at time of analysis.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Deadlock in the Linux kernel's NTFS3 compressed-file read path (fs/ntfs3) causes indefinite task hang and local denial of service when concurrent readers contend over compressed NTFS frames. The inode mutex (ni_lock) and VFS page locks are acquired in inverted order across two concurrent tasks - a classic ABBA deadlock first surfaced by Syzbot. Versions prior to 6.19.4 (stable) and 7.0 (mainline) are affected; no public exploit or active exploitation has been identified, and the EPSS score of 0.02% (5th percentile) reflects the narrow, configuration-specific conditions required.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's accel/amdxdna driver (AMD AI accelerator/NPU subsystem) allows a local low-privileged user to trigger a kernel crash and denial of service. The flaw arises during error-path execution in aie2_create_context(): when mailbox channel creation fails, the channel pointer remains NULL, yet aie_destroy_context() is unconditionally called assuming it is non-NULL. No public exploit code exists and EPSS probability is 0.02%, indicating very low exploitation activity. Vendor-released patches are available in Linux 6.19.4 and the 7.0 series.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's drm/panthor subsystem causes a kernel panic and denial of service during GPU firmware unplug operations. The `panthor_fw_unplug()` function incorrectly attempted MCU halt and wait procedures even when firmware was never loaded or fully initialized, dereferencing a NULL pointer in that code path. Systems running a Panthor-based ARM Mali GPU (using the Panthor DRM driver) are affected across kernel versions from the introduction of the driver up to the fixed stable commits; no public exploit exists and EPSS is at the 5th percentile, indicating negligible opportunistic exploitation probability.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds stack read in the Linux kernel's IMA (Integrity Measurement Architecture) subsystem, in ima_appraise_measurement() reached via is_bprm_creds_for_exec(), affecting kernels from the 6.14 series up to the fixed stable commits. A misuse of container_of() on a *file pointer computes an invalid stack offset, letting a local execution path read one byte past a stack frame object (flagged by KASAN), which can disclose adjacent stack data or crash the task. EPSS is very low (0.02%, 5th percentile), the CVE is not on CISA KEV, and there is no public exploit identified at time of analysis; the issue is patched upstream.

Linux Buffer Overflow Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The drm/display/dp_mst subsystem in the Linux kernel crashes with a UBSAN shift-out-of-bounds error when a DP 2.1 monitor disconnects while delayed_destroy_work is still in flight, producing a kernel denial-of-service on affected systems. Systems running unpatched kernel versions across the 6.1.x, 6.6.x, 6.12.x, 6.18.x, and 6.19.x stable branches with DisplayPort Multi-Stream Transport (MST) capable hardware are vulnerable. No public exploit or active exploitation has been identified; patches are available across all affected stable branches with specific fix commits traceable to git.kernel.org.

Linux Buffer Overflow Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Networking denial of service in the Linux kernel's Smack LSM disrupts IPv4 connectivity for all processes carrying non-ambient Smack labels when a previously-used CIPSO DOI value is cycled through /smack/doi. The kernel's smk_cipso_doi function retains decommissioned DOI definitions in netlabel's CIPSO configuration, causing re-add operations to fail with EEXIST (-17); this prevents the default IPv4 domain mapping from being re-established, silently severing label-based network traffic. No public exploit code is identified and EPSS sits at 0.02% (7th percentile), reflecting the very narrow deployment surface - only systems with Smack as the active LSM and CIPSO networking configured are affected.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Race condition in the Linux kernel's accel/amdxdna driver allows a local low-privileged user to cause device availability impact on systems equipped with AMD XDna AI accelerator hardware. The flaw in the rpm_on flag check permits command submissions to the accelerator during a narrow autosuspend transition window before the device has fully resumed, producing undefined hardware behavior or driver crashes. No public exploit exists and EPSS is at the 6th percentile (0.02%), indicating negligible real-world exploitation probability; no active exploitation is confirmed.

Linux Race Condition Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel bareudp driver crashes the kernel when Open vSwitch triggers `bareudp_fill_metadata_dst()` against a down IPv6 bareudp tunnel device. The socket pointer (`bareudp->sock`) is NULL between `bareudp_stop()` and `bareudp_open()`, and the IPv6 path passes it unsafely to `udp_tunnel6_dst_lookup()` at `sock->sk` offset 0x18. A local attacker with low privileges and access to OVS netlink commands can force a kernel panic, causing a denial of service. No public exploit code exists and no active exploitation has been identified; EPSS at 0.02% (5th percentile) confirms negligible observed exploitation.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel NULL pointer dereference in the Linux TAPRIO traffic scheduler allows a local user with namespace-scoped CAP_NET_ADMIN to trigger a kernel panic. On systems with unprivileged user namespaces enabled - the default on Ubuntu, Fedora, Debian, and most container-oriented distributions - any unprivileged local user can acquire namespace-scoped CAP_NET_ADMIN simply by creating a new network namespace, reducing the effective privilege bar to an ordinary user account. Patched stable releases exist (6.6.141, 6.12.91, 7.0.10, 6.18.33, 7.1-rc2), no active exploitation has been confirmed by CISA KEV, and EPSS is 0.02% (5th percentile), but the straightforward attack sequence and wide Linux footprint make this a priority patch on multi-tenant or container-hosting systems.

Linux Canonical Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Incorrect ARP payload parsing in the Linux kernel's netfilter arptables subsystem causes filtering rules to evaluate against garbage data on systems with IEEE1394 (FireWire) network interfaces. The arp_packet_match() function and arpt_mangle both assume a standard dual-hardware-address ARP layout, but IPv4-over-IEEE1394 per RFC 2734 omits the target hardware address field - the same discrepancy the rest of the kernel ARP stack already handles correctly. The result is that arptables rules on FireWire interfaces silently malfunction: legitimate traffic may be dropped and traffic that should be blocked may be passed, with arpt_mangle additionally writing to wrong offsets and corrupting packets. No public exploit has been identified and EPSS is 0.02% (6th percentile), consistent with the extremely niche attack surface.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel SLIP driver's VJ-compressed TCP header decoder (slhc_uncompress) allows a crafted short compressed frame to leak adjacent memory contents into the cached cstate and into subsequently reconstructed packets. The flaw affects systems using SLIP with Van Jacobson TCP/IP header compression; no public exploit has been identified at time of analysis and EPSS rates exploitation probability at 0.02%. The bug stems from missing bounds checks in decode() and pull16(), where the existing -1 error checks were dead code due to a 0xffff mask.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel SLIP header compression (slhc) subsystem crashes the kernel when a VJ-compressed frame is received on a PPP instance configured with zero receive slots. An unprivileged local user who can create a user namespace can invoke the PPPIOCSMAXCID ioctl with a crafted argument (0xffff0000) that exploits a signed-integer arithmetic shift to supply rslots=0 to slhc_init(), leaving comp->rstate NULL; any subsequent inbound VJ frame targeting slot 0 then dereferences that NULL pointer in softirq context, producing a kernel panic. No public exploit has been identified at time of analysis, and EPSS probability is negligible at 0.02%, but the attack path is fully reachable from unprivileged user namespaces, making the practical privilege bar lower than the PR:L label implies on systems where user namespaces are enabled.

Linux Canonical Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Divide-by-zero in the Linux kernel netfilter OSF module (nfnetlink_osf) allows a local user with CAP_NET_ADMIN to crash the kernel. By injecting a crafted OS fingerprint with a zero window scale value (wss.val=0) via nfnetlink, the attacker causes nf_osf_match_one() to execute an unguarded modulo operation when any subsequent matching TCP SYN packet is processed, resulting in a kernel panic and system-wide denial of service. No active exploitation is confirmed; EPSS sits at 0.02% (5th percentile), reflecting very low probability of widespread automated exploitation.

Linux Denial Of Service Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel panic in the Linux kernel's Open vSwitch (openvswitch) subsystem allows a low-privileged local user to crash the host kernel on Ubuntu-default and similar configurations. The vport netlink reply handler pre-allocates a fixed-size buffer but lacks an upper-bound check on the upcall PID array size, causing nla_put() to return -EMSGSIZE and BUG_ON(err < 0) to fire in ovs_vport_cmd_set(), triggering a kernel panic. On systems with unprivileged user namespaces enabled (Ubuntu default), any local user can reach this path via unshare -Urn without requiring elevated privileges. No public exploit has been identified at time of analysis, and EPSS at 0.02% reflects low current exploitation probability.

Linux Ubuntu Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local denial of service in the Linux kernel's BPF CO-RE relocation parser allows a process holding CAP_BPF to deterministically crash the system by loading a BPF program with a negative CO-RE accessor index. The flaw stems from bpf_core_parse_spec() in the libbpf relocation core accepting negative values from sscanf("%d") that bypass upper-bound checks due to integer promotion, ultimately driving an out-of-bounds read past the BTF members array. EPSS is negligible (0.01%) and there is no public exploit identified at time of analysis; a kernel oops backtrace is published in the changelog but it serves as a crash reproducer rather than a weaponized exploit.

Linux Buffer Overflow Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Incorrect end-of-list detection in the Linux kernel's BPF cgroup storage map subsystem allows a local low-privileged user with BPF syscall access to trigger a kernel crash (denial of service) via the `cgroup_storage_get_next_key()` function. The function uses `list_next_entry()`, which never returns NULL but wraps to the list head on the last element, causing the kernel to read `storage->key` from a bogus pointer aliasing internal map fields and copy the result to userspace - a condition that can provoke a kernel oops or panic. No public exploit exists and EPSS is 0.02% (5th percentile), consistent with the local-only attack surface and absence of CISA KEV listing.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-escalation-class memory corruption in the Linux kernel's BPF arena subsystem (introduced around 6.9) allows a process holding BPF capabilities to trigger a use-after-free. When a BPF arena VMA is inherited across fork(), arena_vm_open() bumps the mmap refcount but never registers the child VMA in arena->vma_list, leaving vml->vma pointing at the parent VMA; after the parent munmaps, a child call to bpf_arena_free_pages() dereferences the dangling pointer in zap_pages(). No public exploit or active exploitation is identified (EPSS 0.02%, 5th percentile), and vendor patches are available.

Memory Corruption Linux Use After Free +3
NVD VulDB
Prev Page 11 of 143 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy