Linux
Monthly
Incorrect permission assignment in the NVIDIA Display Driver kernel module on Windows and Linux allows a highly privileged local user to corrupt critical resource permissions, leading to denial of service and potentially data tampering. Affected product lines span GeForce (limited to Maxwell, Volta, and Pascal architectures on some branches), RTX/Quadro/NVS, Tesla, and Guest (vGPU) drivers across multiple version branches. No public exploit exists and no active exploitation has been identified; SSVC assessment rates exploitation as none and impact as partial, consistent with the moderate CVSS score of 4.4.
Local privilege escalation in NVIDIA Display Driver for Linux (GeForce, RTX/Quadro/NVS, Tesla, and vGPU guest drivers) allows an authenticated local user to abuse improper permission handling in a kernel mode layer handler, enabling code execution, privilege elevation, and data tampering. CVSS 7.8 reflects high impact across confidentiality, integrity, and availability, but the attack vector is local and authenticated. No public exploit identified at time of analysis and EPSS is 0.01%, but SSVC marks technical impact as total.
Local privilege escalation in NVIDIA Display Driver for Windows and Linux allows authenticated low-privilege users to improperly access GPU resources via a kernel mode layer flaw, potentially leading to code execution, privilege escalation, information disclosure, data tampering, and denial of service. The issue affects GeForce, RTX/Quadro/NVS, and Tesla product lines across multiple driver branches and carries a CVSS 7.8 (High) score. No public exploit identified at time of analysis, and EPSS probability is very low (0.01%), but the breadth of affected hardware and total technical impact warrant prompt patching.
Race condition exploitation in NVIDIA Display Driver's Linux kernel module allows a local authenticated user to cause denial of service by manipulating compiler or processor memory instruction ordering. Affected product lines span GeForce, RTX/Quadro/NVS, Tesla, and vGPU Guest Driver across multiple driver branches up to the March 2026 release. No active exploitation has been confirmed - this is not listed in CISA KEV, EPSS is 0.01% (1st percentile), and SSVC assessment classifies exploitation status as none - placing this firmly in a patch-and-monitor category rather than emergency response.
Null pointer dereference in the Linux kernel's Bluetooth L2CAP socket layer crashes the kernel when `l2cap_sock_get_sndtimeo_cb()` is invoked with a NULL socket context, resulting in a local denial-of-service (kernel panic). The flaw stems from an oversight where sibling callbacks `l2cap_sock_resume_cb()` and `l2cap_sock_ready_cb()` already carry the required NULL guard, but `l2cap_sock_get_sndtimeo_cb()` does not. With EPSS at 0.02% (5th percentile), no public exploit identified, and no CISA KEV listing, real-world exploitation risk is low - but the vulnerability has persisted since Linux 3.13 and affects every major stable branch until patched versions were released.
Null pointer dereference in the Linux kernel's Bluetooth L2CAP socket layer crashes the kernel when `l2cap_sock_new_connection_cb()` is invoked without the NULL guard present in sibling callbacks. Local unprivileged users on systems with Bluetooth enabled can trigger a kernel oops or panic, resulting in a denial of service. No public exploit or CISA KEV listing exists; EPSS probability is near zero at 0.02% (5th percentile), indicating minimal active exploitation interest at time of analysis.
NULL pointer dereference in the Linux kernel Bluetooth L2CAP subsystem causes a local denial-of-service via kernel panic when `l2cap_sock_state_change_cb()` is invoked with a NULL socket pointer. A local low-privileged user with access to the Bluetooth socket API can trigger a system crash by exercising the L2CAP state change callback path that lacked the NULL guard already applied to sibling callbacks `l2cap_sock_resume_cb()` and `l2cap_sock_ready_cb()`. No active exploitation is confirmed (not in CISA KEV) and EPSS stands at 0.02% (5th percentile), indicating minimal real-world adversarial interest at time of analysis.
Memory corruption and potential information disclosure in the Linux kernel networking stack (skbuff) occurs because skb_try_coalesce() fails to propagate the SKBFL_SHARED_FRAG marker when transferring paged fragments between socket buffers. The flaw breaks an invariant relied upon by IPsec ESP input processing, which may then decrypt data in-place over page-cache-backed fragments belonging to other contexts. No public exploit identified at time of analysis, EPSS sits at 0.02%, and the issue is patched across multiple stable trees.
Local privilege escalation risk in the Linux kernel's RDS (Reliable Datagram Sockets) subsystem stems from an error in zerocopy send cleanup logic where an early-failed send can have its pinned user pages mishandled. The flaw affects multiple kernel branches from 4.17 onward and is fixed across stable trees (6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3). No public exploit identified at time of analysis, and EPSS is very low (0.02%).
Out-of-bounds heap write in the Linux kernel's IPv6 RPL Source Routing Header (SRH) processing path allows local attackers with raw IPv6 socket access to corrupt memory beyond the skb buffer. The flaw in ipv6_rpl_srh_rcv() occurs when a recompressed SRH grows larger than the received one and consumes unchecked headroom, causing skb_mac_header_rebuild() to wrap a u16 offset and trigger a ~64KiB out-of-bounds memmove. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug is reachable from unprivileged userspace via a single crafted AF_INET6/SOCK_RAW packet over loopback per the reporter's KASAN reproduction.
Local privilege escalation and potential memory corruption in the Linux kernel's rtmutex (real-time mutex) subsystem stems from remove_waiter() incorrectly operating on the current task instead of waiter::task during proxy-lock rollback in futex_requeue() paths. Exploitation can leave a dangling pi_blocked_on pointer primed for a use-after-free, with CVSS 7.8 (AV:L/AC:L/PR:L/UI:N) reflecting local low-privileged access. EPSS is 0.02% (7th percentile) and no public exploit identified at time of analysis, but the UAF primitive is a known building block for kernel privilege escalation.
Local privilege-level data corruption in the Linux kernel's accel/ivpu driver (Intel VPU accelerator) allows authenticated local users to trigger incorrect device access and memory corruption by re-exporting imported GEM (Graphics Execution Manager) buffer objects via the DMA-BUF prime interface. The flaw stems from the missing validation that allowed buffer flag settings to be lost on re-export, and while CVSS rates it 7.8 High due to local high-impact effects, EPSS is only 0.02% and no public exploit identified at time of analysis.
Use-after-free in the Linux kernel's udlfb (DisplayLink USB framebuffer) driver allows a local user with access to the framebuffer device to retain read/write access to freed kernel memory pages after a USB disconnect or framebuffer reallocation. The dlfb_ops_mmap() function maps vmalloc-backed framebuffer pages to userspace without installing vm_ops callbacks, so the kernel cannot track active mappings and vfree() is called on pages still referenced by user PTEs. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the issue is not listed in CISA KEV.
Null pointer dereference in the Linux kernel's RED qdisc (sch_red) allows a local user with low privileges to trigger a kernel panic and system crash when a specific nested qdisc hierarchy is configured. The flaw occurs in net/sched/sch_red.c when RED calls its child qdisc's dequeue() directly after a peek() has already cached the packet in QFQ's gso_skb buffer, causing QFQ's dequeue path to dereference a null pointer. No public exploit has been identified at time of analysis, and EPSS is 0.02% (7th percentile), reflecting very low real-world exploitation probability.
Slab-out-of-bounds read in the Linux kernel's t7xx WWAN driver allows a malicious or compromised MediaTek modem to leak up to 262140 bytes of kernel memory by sending a crafted port enumeration message with an inflated port_count field. The flaw affects systems using the t7xx driver (e.g., laptops with MediaTek 5G M.2 modems such as the FM350-GL) and has no public exploit identified at time of analysis, with an EPSS score of 0.02% indicating very low predicted exploitation activity.
Local privilege escalation potential in the Linux kernel's RDS (Reliable Datagram Sockets) subsystem stems from a double-free condition triggered when zerocopy page pinning fails during sendmsg() operations. The flaw, introduced in Linux 4.17, allows local authenticated users to corrupt kernel memory by exploiting an error path in rds_message_zcopy_from_user() that fails to reset op_nents, causing rds_message_purge() to free pages that were already released. Publicly available exploit code exists, though EPSS scoring is very low (0.02%) and the issue is not listed in CISA KEV.
Improper handling of MAY_BACKLOG requests in the Linux kernel's pcrypt (parallel crypto) module can cause incorrect processing of EBUSY return codes and EINPROGRESS notifications, potentially leading to instability or undefined behavior in cryptographic operations. The issue affects Linux kernel versions dating back to 2.6.34 and has been resolved upstream across multiple stable branches including 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. There is no public exploit identified at time of analysis and EPSS scoring (0.02%, 5th percentile) suggests very low real-world exploitation likelihood despite the CVSS 9.8 rating.
Integer underflow in the Linux kernel's MPI crypto library function `mpi_read_raw_from_sgl()` allows a local low-privileged user to trigger an infinite kernel loop via the `KEYCTL_PKEY_ENCRYPT` syscall, causing a system-wide denial of service with soft lockup splats. The flaw was latent since commit `2d4d1eea540b` but became exploitable only after commit `63ba4d67594a` changed how asymmetric key operations construct scatterlists, allowing `out_len > in_len` with a zero-filled buffer to satisfy the underflow condition. No active exploitation is confirmed (EPSS 0.02%, not in CISA KEV), but the attack path is fully described in the upstream commit message, making independent reproduction straightforward.
Memory exhaustion in the Linux kernel's QRTR (Qualcomm IPC Router) namespace subsystem allows a local low-privileged attacker to crash the system by flooding NEW_SERVER registration messages without triggering any bound check. Affected systems are those running kernels between the introducing commit (0c2204a4ad710d95d348ea006f14ba926e842ffd) and the fix commits across stable branches. No public exploit code has been identified and EPSS sits at the 5th percentile, indicating minimal observed exploitation activity.
Local privilege escalation in the Linux kernel ptrace subsystem allows authenticated users to bypass the traditional capability-dropping security model when accessing kernel thread details via PTRACE_MODE_READ_FSCREDS checks. The flaw stems from get_dumpable() logic returning misleading values for tasks without an associated memory map (mm), enabling uid-0 processes that have dropped capabilities to still read sensitive kernel thread information. Publicly available exploit code exists (referenced in OSS-security and a GitHub PoC against ssh-keysign), though EPSS scoring (0.02%) indicates low likelihood of widespread exploitation.
Out-of-bounds read and buffer overflow in the Linux kernel's ksmbd SMB server allows authenticated remote attackers to corrupt memory or read past allocated buffers by sending a malformed inheritable ACE with an inflated num_subauth value. The flaw resides in smb_inherit_dacl() and smb_set_ace(), where the variable-length SID is not bounds-checked during DACL inheritance, enabling heap corruption with potential for remote code execution against any SMB server using ksmbd. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the vendor patch is available across multiple stable branches.
State management failure in the Linux kernel liveupdate subsystem allows a local low-privileged user to trigger a use-after-free or double-free condition by retrying a failed LIVEUPDATE_SESSION_RETRIEVE_FD ioctl, resulting in kernel crash or WARN and full availability loss. The luo_file struct's retrieve status is never recorded on failure, leaving the kernel's serialization state machine inconsistent; a retry re-enters retrieve logic against partially freed data structures such as kho folio mappings. No public exploit exists and EPSS is 0.02%, placing this firmly in low-priority territory absent active use of the liveupdate feature.
Interrupt storm vulnerability in the Linux kernel xHCI USB host controller driver allows a local user to cause a complete system availability loss by triggering a Host Controller Error (HCE) via UAS storage device hotplug events. Affected kernel versions prior to 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0 fail to invoke xhci_halt() when HCE is detected in xhci_irq(), leaving the interrupt uncleared and the controller running - resulting in a continuous interrupt storm. No public exploit has been identified and EPSS is 0.02% (5th percentile), consistent with the hardware-interaction-dependent trigger, but availability impact is high on affected hosts where USB ports are physically accessible.
Random system freeze vulnerability in the Linux kernel's libata-core subsystem affects any Linux host physically equipped with a Seagate ST1000DM010-2EP102 BarraCuda hard drive, where the kernel's default enablement of SATA Link Power Management (LPM) causes the drive to fail its wake sequence and hang the system irrecoverably. The ST1000DM010-2EP102 belongs to the same BarraCuda family as the ST2000DM008-2FR102, for which an LPM quirk already exists in libata - the fix extends that quirk to cover this model. No active exploitation has been identified (absent from CISA KEV), and EPSS at 0.02% reflects negligible adversarial interest, consistent with this being a hardware compatibility defect rather than a traditional security flaw.
Infinite fault loop in the Linux kernel's arm64 contiguous PTE (contpte) subsystem exposes systems using SMMU or CPU configurations without hardware dirty-bit management support to a local denial of service. The defect in `contpte_ptep_set_access_flags()` causes a gathered AF/dirty-bit view across contiguous sub-PTEs to produce false no-ops, leaving individual target sub-PTEs in a stale hardware state that triggers perpetual page faults on non-FEAT_HAFDBS-aware walkers such as SMMMUs without HTTU or CPUs with HA/HD disabled in CD.TCR. No confirmed active exploitation exists; EPSS is 0.02% at the 5th percentile, consistent with the hardware-specific, local-only attack surface.
Spurious WARN_ON assertions in the Linux kernel's nouveau/gsp ACPI probe routines trigger frequently during normal NVIDIA GPU initialization, creating an availability risk on affected systems. On kernels configured with panic_on_warn=1, each triggered WARN_ON escalates to a full kernel panic, while on default configurations it produces excessive kernel log noise that degrades observability. Affected kernel versions range from the introduction of commit 176fdcbddfd2 through stable branches fixed in 6.18.19, 6.19.9, and 7.0; no active exploitation is identified (EPSS 0.02%, not in CISA KEV).
Concurrent bitfield RMW (Read-Modify-Write) corruption in the Linux kernel MMC core subsystem allows a local authenticated user to trigger spurious WARN_ON panics or system instability on MMC-enabled devices. The root cause is that host->claimed and retune control flags shared a single bitfield word; under concurrent access from __mmc_claim_host() and mmc_mq_queue_rq(), non-atomic RMW operations allow one thread's write to silently overwrite bits modified by another, corrupting MMC host state. No public exploit has been identified at time of analysis, and EPSS sits at 0.02% (7th percentile), reflecting the narrow, race-window-dependent trigger and low attacker leverage on commodity systems.
CR8 write interception mismanagement in KVM's AMD SVM implementation crashes Windows guests on AMD hypervisors with AVIC enabled. When KVM emulates INIT→WFS sequences while AVIC is temporarily deactivated, the CR8 write intercept flag is not cleared upon AVIC reactivation, leaving it permanently enabled. In isolation this is a performance regression, but combined with the TPR synchronization flaw addressed by commit d02e48830e3f, the divergence between hardware-visible and guest-visible TPR values becomes fatal to Windows guests. No public exploit identified at time of analysis; EPSS is 0.02% (7th percentile) and no CISA KEV listing exists.
A race condition in the Linux kernel's sched_ext BPF scheduler subsystem allows a local low-privileged user to permanently hang the system when sched_ext is actively loaded. Between scx_claim_exit() atomically marking error exit and the subsequent kick of the helper kthread, a preemption window exists where the BPF scheduler - now with error handling disabled - may fail to reschedule the calling task, leaving the helper work permanently unqueued. The result is bypass mode never activating, task dispatching halting, and a complete system wedge. No public exploit has been identified and EPSS sits at 0.02% (5th percentile), but the availability impact is total for affected systems running a custom BPF scheduler.
Double-free condition in the Linux kernel's net-shapers subsystem allows local low-privileged attackers to corrupt kernel memory via the generic netlink interface. The flaw occurs because net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit() incorrectly call nlmsg_free() on a reply skb that was already consumed by genlmsg_reply(), enabling potential privilege escalation. No public exploit identified at time of analysis and EPSS scoring places exploitation probability at only 0.02%.
Null pointer dereference in the Linux kernel's AMD ASoC ACP3x audio driver (acp3x-rt5682-max9836) allows a local low-privileged user on affected hardware to crash the kernel. The flaw originates in acp3x_5682_init(), which failed to validate the return value of clk_get() before passing it to rt5682_clk_enable(), meaning an error pointer could be dereferenced directly. No public exploit identified at time of analysis and the EPSS score of 0.02% (7th percentile) reflects extremely low exploitation interest; this vulnerability is not listed in the CISA KEV catalog.
Kernel availability disruption in the Linux lan78xx USB-to-Ethernet driver allows a local user with low privileges to trigger a kernel WARN in __netif_napi_del_locked() by disconnecting an affected USB Ethernet adapter. The root cause is a redundant netif_napi_del() call in the driver's disconnect path while NAPI processing is still active, conflicting with the teardown that unregister_netdev() performs automatically. No public exploit exists and EPSS is 0.02% (4th percentile), indicating very low real-world exploitation interest; this is primarily a stability and denial-of-service concern on embedded and desktop Linux systems using the SMSC/Microchip LAN78xx adapter family.
NULL pointer dereference in the Linux kernel's RT1011 ASoC codec driver allows a local, low-privileged user to crash the kernel on systems equipped with Realtek RT1011 smart speaker amplifier hardware. The flaw in rt1011_recv_spk_mode_put() uses an incorrect helper to retrieve the DAPM (Dynamic Audio Power Management) context from a kcontrol object, yielding a NULL pointer that is subsequently dereferenced, triggering a kernel oops or panic. No public exploit is identified and EPSS of 0.02% (5th percentile) reflects negligible real-world exploitation probability, though vendor-confirmed patches are available in Linux 6.19.9 and 7.0.
System hang via Machine Check Error (MCE) in the Linux kernel's Intel i915 DRM driver affects ICL (Ice Lake) generation GPU hardware when VRR timing registers are written before TRANS_DDI_FUNC_CTL is enabled, violating Intel BSpec 22243. Local low-privilege users on ICL systems - particularly those with external displays connected through USB-C docks experiencing link training failure - can trigger an unrecoverable system hang. No public exploit exists and EPSS is 0.02%, consistent with the hardware-specific, condition-dependent nature of the bug; no active exploitation is confirmed.
Local privilege escalation potential exists in the Linux kernel's IIO chemical sensor subsystem, specifically the sps30_i2c driver, where an incorrect sizeof() calculation in sps30_i2c_read_meas() uses sizeof(size_t) instead of sizeof(*meas), creating a buffer size mismatch. Affecting Linux kernel versions from 5.14 onward, the flaw could lead to memory corruption or out-of-bounds access when handling measurement data from Sensirion SPS30 particulate matter sensors over I2C. EPSS is very low at 0.02% and there is no public exploit identified at time of analysis, but a CVSS of 7.8 reflects high local impact on confidentiality, integrity, and availability.
Local privilege escalation in Linux kernel XFRM ESP-in-TCP subsystem (Fragnesia vulnerability) allows authenticated local attackers to overwrite kernel memory structures by exploiting arbitrary byte writes into the kernel page cache of read-only files. CVSS score of 7.8 reflects high impact across confidentiality, integrity, and availability. Low attack complexity (AC:L) and no user interaction requirement (UI:N) make this exploitable by any local user with basic privileges. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis, but the specific vulnerability name 'Fragnesia' suggests coordinated disclosure with security research community.
Linux ksmbd contains a remote memory corruption vulnerability in the ACL inheritance path that allows remote clients with directory creation permissions to trigger a heap out-of-bounds read and subsequent heap corruption by setting a crafted DACL with a malformed SID containing an inflated num_subauth field. Attackers can exploit this vulnerability by creating a directory, setting the malicious DACL via SMB2_SET_INFO, and creating child entries to cause kernel instability, denial of service, or potentially achieve privilege escalation to kernel code execution.
Use after free for some Linux kernel driver for the Intel(R) Ethernet 800 series before version 2.3.14 within Ring 0: Kernel may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts.
Buffer overflow in Linux kernel rxrpc subsystem allows local authenticated attackers to achieve arbitrary code execution with kernel privileges. The vulnerability stems from improper handling of shared fragment memory in DATA and RESPONSE packet processing, where the kernel fails to unshare externally-owned page fragments before in-place decryption operations. This creates a buffer overflow condition (CWE-787) exploitable by local users with low privileges. Patches are available for kernel versions 6.18.29, 7.0.6, and 7.1-rc3. EPSS and KEV status not provided in available data.
Denial-of-service via kernel lock-up in the Linux kernel's Hyper-V storage controller driver (hv_storvsc) affects guests running PREEMPT_RT-enabled kernels on Microsoft Hyper-V. The storvsc_queuecommand function disables preemption and then acquires an RT spinlock inside hv_ringbuffer_write; under PREEMPT_RT semantics, RT spinlocks are sleepable, making this a fatal locking-discipline violation that triggers the 'scheduling while atomic' BUG splat and subsequent system lock-up. No public exploit and no public exploit identified at time of analysis, with EPSS at 0.02% (7th percentile) reflecting the niche configuration dependency.
Denial of service via uninitialized kernel memory in the Linux kernel's FUSE filesystem handler allows a local low-privileged user to crash the kernel by invoking the file_getattr syscall against a FUSE-mounted file. Affected are Linux kernel versions from the initial git history through stable branches predating the 6.18.19, 6.19.9, and 7.0 patch releases. No public exploit is identified at time of analysis, and EPSS sits at 0.02% (4th percentile), reflecting very low observed exploitation probability with no CISA KEV listing.
Local denial-of-service in the Linux kernel's mpi3mr SCSI driver causes a system crash via NULL pointer dereference during resource cleanup. An authenticated local user on a system using MPI3-based storage controllers can trigger a kernel panic by inducing the error path where queue creation fails: the driver frees reply or request queue memory but subsequently attempts to memset the now-freed (NULL) pointer, crashing the system. No public exploit exists and EPSS sits at 0.02% (7th percentile), indicating low real-world exploitation probability at time of analysis.
Improper error-path state management in the Linux kernel's unshare(2) syscall leaves calling processes with dangling filesystem root and working-directory pointers after partial namespace creation failure. When a local low-privileged process calls unshare() with both CLONE_NEWNS and CLONE_NEWCGROUP on an unshared fs_struct (users==1), a successful copy_mnt_ns() updates current->fs->root and current->fs->pwd into the new mount namespace before a subsequent copy_cgroup_ns() failure triggers cleanup - dissolving the mount tree while leaving those pointers referencing now-detached mounts. The calling process is stranded in a broken filesystem state, producing high availability impact (CVSS A:H) confined entirely to the calling process. No public exploit has been identified, EPSS is 0.02% (7th percentile), and this is not in CISA KEV, reflecting low real-world exploitation interest despite the bug existing since unshare(2) was first introduced.
NULL pointer dereference in the Linux kernel's UFS host controller driver crashes the kernel when ufshcd_mcq_req_to_hwq() returns NULL during MCQ command completion, allowing an authenticated local user on affected hardware to trigger a denial of service. The vulnerability is confined to the SCSI UFS subsystem's ufshcd_add_command_trace() function and impacts systems with UFS storage operating in Multi-Circular Queue mode - primarily ARM64 embedded and mobile platforms using MediaTek UFS controllers. No public exploit has been identified at time of analysis, and EPSS at 0.02% (5th percentile) reflects the highly constrained attack surface.
Kernel oops in the Linux NFSv3 client's create path exposes systems to local denial of service when concurrent directory and file creation races produce a directory alias via d_splice_alias. The affected code in nfs3_proc_create silently discards the alias without returning an error, leaving the original dentry in a negative (unresolved) state; a subsequent call from nfs_atomic_open_v23/finish_open passes this negative dentry to do_dentry_open, triggering the oops. No public exploit identified at time of analysis, and EPSS at 0.02% (5th percentile) signals very low probability of exploitation in the wild.
Denial of service in Linux kernel's xprtrdma subsystem causes system hang when memory allocation fails during RDMA receive buffer posting. Affects NFS over RDMA (RoCE/InfiniBand) deployments running kernel versions 5.13 through 6.19.8, 6.18.18 and earlier, 6.12.77 and earlier, 6.6.129 and earlier, 6.1.166 and earlier, and 5.15.202 and earlier. Systems under high memory pressure can trigger hung tasks in the xprtiod workqueue, requiring reboot to recover. EPSS score of 0.02% suggests low widespread exploitation likelihood. Vendor patches available across all affected stable kernel branches.
Deadlock in the Linux kernel's mlx5 network driver eswitch subsystem allows a local low-privileged user to cause a complete system hang (denial of service) on hosts equipped with Mellanox/NVIDIA ConnectX NICs operating in SR-IOV eswitch mode. The deadlock arises from a lock-ordering inversion: the eswitch work queue acquires the devlink lock while processing VF change events, and concurrently the eswitch mode-set path holds the devlink lock and calls flush_workqueue, producing a circular wait. No public exploit code exists and no active exploitation has been identified at time of analysis; EPSS probability is 0.02%, reflecting the narrow, hardware-specific attack surface.
Kernel denial-of-service in the mlx5_core driver (Mellanox/NVIDIA ConnectX) occurs when a privileged local user switches the eswitch to switchdev mode on hardware that does not support IPsec offload. The driver unconditionally invokes IPsec resource cleanup via mlx5e_ipsec_disable_events regardless of hardware capability, dereferencing a null or uninitialized pointer at offset 0xa0 and triggering a kernel page fault that crashes the system. No public exploit identified at time of analysis; EPSS of 0.02% (5th percentile) and no CISA KEV listing indicate negligible real-world exploitation activity.
DMA memory corruption in Linux kernel mlx5e driver allows denial-of-service and potential data integrity violations when recovering from TX error completion queue entries. The vulnerability affects mlx5 Ethernet driver users from kernel 4.17 onwards, causing desynchronization between DMA FIFO producer/consumer counters during error recovery, leading to unmapping of stale DMA addresses and IOMMU warnings. Exploitation probability is low (EPSS 0.02%, 7th percentile) with no public exploit identified at time of analysis. Vendor-released patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).
Reference counting flaw in mlx5e network driver causes kernel memory corruption when XDP multi-buffer programs modify packet layouts via bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). Affects Linux kernel versions 6.18.x through 6.19.9, with vendor patches available for 6.18.19, 6.19.9, and 7.0. The vulnerability triggers negative page pool reference counts leading to memory management errors, discovered by the drivers/net/xdp.py selftest. While CVSS scores this 9.8 Critical with network vector, the technical context suggests local impact requiring specific XDP program execution. EPSS exploitation probability is low (0.02%, 4th percentile) with no evidence of active exploitation or public POC at time of analysis.
Memory corruption in Linux kernel's mlx5 network driver causes denial of service when XDP multi-buffer programs modify packet layout. The flaw specifically affects the mlx5e receive queue fragment tracking logic: when XDP programs call bpf_xdp_pull_data() or bpf_xdp_adjust_tail() to modify buffer layout, the driver fails to properly count dropped fragments, leading to negative page pool reference counts, kernel warnings, and potential system instability. Exploitation requires sending crafted network packets to systems using mlx5 NICs with XDP multi-buffer programs loaded. EPSS score of 0.02% indicates low exploitation probability. Vendor patches available for kernel versions 6.18.19, 6.19.9, and 7.0.
Null pointer dereference in the Linux kernel's rxrpc and AFS subsystems allows a local authenticated attacker to trigger a kernel denial of service. The rxrpc_kernel_lookup_peer() function can return either NULL or an error pointer on failure, but its AFS callers only tested for NULL - leaving unchecked error pointer values that, when dereferenced, cause a kernel panic. No public exploit has been identified and EPSS probability sits at 0.02%, indicating low observed exploitation interest; however, the availability impact is rated High by CVSS due to the potential for full system crash.
DMA mapping resource leaks in the Linux kernel's spacemit Ethernet MAC driver (emac_tx_mem_map function) allow remote attackers to trigger denial of service through network traffic that causes mapping errors, progressively exhausting kernel memory resources. The vulnerability affects Linux kernel versions 6.18.x through 6.19.9, with vendor patches available for stable branches 6.18.19, 6.19.9, and 7.0. EPSS exploitation probability is very low (0.02%, 4th percentile), and no public exploit or active exploitation has been identified at time of analysis.
Memory corruption in Linux kernel's Amlogic SPI Flash Controller A4 driver allows local authenticated attackers with low privileges to escalate privileges, corrupt memory, or cause denial of service through improper DMA mapping error handling. The vulnerability stems from three distinct bugs in aml_sfc_dma_buffer_setup() that can trigger double-unmapping and incorrect DMA synchronization. EPSS score of 0.02% (4th percentile) indicates low exploitation likelihood in the wild. Vendor patches are available for affected kernel versions 6.18.x and 6.19.x, with fixes backported to stable branches.
Local privilege escalation potential in the Linux kernel's Rockchip Serial Flash Controller (SFC) SPI driver arises from a double-free in the remove() callback path, where the driver calls spi_unregister_controller() manually despite already using the devm-managed registration helper. The flaw affects systems using the rockchip-sfc driver and is not currently in CISA KEV, with no public exploit identified at time of analysis and a very low EPSS score (0.02%, 4th percentile), but CVSS 7.8 reflects high local impact if triggered.
Use-after-free in Linux kernel ASoC (ALSA System on Chip) subsystem allows local authenticated users with open audio streams to trigger memory corruption during sound card unbind operations. The flaw occurs when PCM stream closure schedules delayed DAPM (Dynamic Audio Power Management) work after widgets are freed, enabling potential privilege escalation or denial of service. EPSS score of 0.02% indicates low observed exploitation probability. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). No CISA KEV listing or public POC identified at time of analysis.
Local privilege escalation in the Linux kernel's CAIF serial driver allows attackers with local access to trigger a use-after-free condition in pty_write_room() via the caif_serial line discipline. The flaw stems from missing reference counting on tty->link, enabling memory corruption that can lead to arbitrary kernel code execution with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, with an EPSS score of 0.02% (7th percentile) indicating low likelihood of widespread exploitation.
Memory leak in the Linux kernel's MCTP I2C driver receive path allows a local authenticated attacker to progressively exhaust kernel slab memory, resulting in denial of service. The flaw exists in all kernel versions from 5.18 (when the MCTP I2C driver was introduced at commit f5b8abf9fc3dacd7529d363e26fe8230935d65f8) through multiple stable branches now addressed by patches in 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0. No public exploit identified at time of analysis; the EPSS score of 0.02% (7th percentile) confirms very low exploitation probability, consistent with the niche deployment context of MCTP I2C interfaces.
Type confusion in the Linux kernel bonding driver allows local authenticated users to trigger kernel crashes and potentially escalate privileges when non-Ethernet devices (such as GRE tunnels) are enslaved to a bond interface. The vulnerability stems from bond_setup_by_slave() blindly copying header_ops from slave devices without accounting for device-specific private data structures, causing netdev_priv() in functions like ipgre_header() to access incorrect memory layouts. Vendor patches are available for kernel versions 6.12.78, 6.18.19, 6.19.9, and 7.0. EPSS exploitation probability is low (0.02%, 5th percentile) with no public exploit identified at time of analysis.
Race condition in the Linux kernel MCTP route subsystem allows a local, low-privileged attacker to cause a device reference count leak leading to availability impact. The mctp_flow_prepare_output() function in the MCTP (Management Component Transport Protocol) networking stack fails to hold key->lock around the key->dev check-and-set sequence, enabling two concurrent threads to each acquire a device reference while only the final one is tracked for release - gradually exhausting kernel resources. No public exploit exists and EPSS is 0.02% (7th percentile), indicating very low exploitation probability; patch-confirmed fixes are available across multiple stable kernel branches.
Privilege escalation in Linux kernel netfilter subsystem allows local authenticated users to achieve high-impact compromise via duplicate netdev hook registration. The vulnerability affects kernel versions 6.16 through early 7.0 releases, with vendor patches available for stable branches 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% (4th percentile) suggests low observed exploitation likelihood despite CVSS 7.8 severity. No active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis.
Stack out-of-bounds read in the Linux kernel's netfilter nft_set_pipapo subsystem allows local low-privileged attackers to read 4 bytes past the end of a stack-allocated rulemap array via pipapo_drop(). The flaw was confirmed by KASAN and affects kernels from 5.6 onward until the fixed stable releases. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 7th percentile), but the CVSS 7.1 score reflects the potential for kernel memory disclosure and availability impact.
Out-of-bounds read in Linux kernel netfilter x_tables module allows remote attackers to disclose kernel memory and potentially cause denial of service. The xt_tcpudp and xt_dccp option walkers fail to validate boundaries when processing the last byte of TCP/UDP/DCCP options, triggering a 1-byte buffer over-read. CVSS 8.2 with network attack vector and no authentication required indicates high exploitability, though EPSS score of 0.02% (7th percentile) suggests minimal observed exploitation attempts. Patches available across all active kernel stable branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). No CISA KEV listing or public exploit code identified at time of analysis.
Repeated memory exhaustion in the Linux kernel's netfilter nfnetlink_queue subsystem allows a local low-privileged attacker to trigger a denial of service by leaking kernel memory on every crafted PF_BRIDGE verdict. The defect in nfqnl_recv_verdict() causes the nf_queue_entry, its sk_buff, and all held net_device and struct net reference counts to never be released when nfqa_parse_bridge() returns an error due to malformed VLAN netlink attributes. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (7th percentile) reflects the constrained local attack path and low exploitation probability.
Out-of-bounds read in the Linux kernel's netfilter nfnetlink_cthelper subsystem allows a local attacker with CAP_NET_ADMIN to trigger an 8-byte OOB read in nfnl_cthelper_dump_table() by racing helper deletion against a netlink dump operation. The flaw stems from a misplaced 'goto restart' that bypasses the for-loop bounds check when cb->args[0] equals nf_ct_helper_hsize, as detected by KASAN. EPSS is 0.02% and no public exploit identified at time of analysis, though a detailed reproducer call trace exists in the commit message.
Out-of-bounds read in the Linux kernel's NVMe PCI driver (nvme_dbbuf_set) allows a local attacker to trigger a slab-out-of-bounds memory access during NVMe controller reset, potentially leading to denial of service or information disclosure. The flaw stems from an incorrect loop bound that iterates past dev->online_queues, reading from kmalloc-2k slab memory belonging to adjacent allocations. No public exploit identified at time of analysis, and the EPSS score of 0.02% reflects a low probability of opportunistic exploitation.
Race condition in the Linux kernel nvme-pci driver's nvme_poll_irqdisable() function causes an unbalanced IRQ enable/disable pair that crashes the kernel with a warning. Affected kernels from 5.7 through multiple stable branches are vulnerable when running PCIe NVMe storage with MSI-X interrupts: a concurrent NVMe device reset can change the IRQ vector between the disable_irq() and enable_irq() calls, making the kernel operate on different IRQ numbers. No public exploit identified at time of analysis and EPSS of 0.02% confirm this is a reliability/stability concern patched in kernel stable releases 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0.
Use-after-free in the Linux kernel iavf driver allows local authenticated users to execute arbitrary code, escalate privileges, or crash the system. The vulnerability affects Intel Ethernet Adaptive Virtual Function (iavf) driver's PTP implementation where a worker thread continues accessing freed memory during network adapter reset or disable operations. Patch available from kernel.org upstream commits across multiple stable branches (6.18.19, 6.19.9, 7.0+). EPSS score of 0.02% (4th percentile) indicates low observed exploitation likelihood, and no CISA KEV listing confirms this remains a theoretical risk requiring local access with low privileges.
Deadlock in the Linux kernel's AMD XDna accelerator driver (accel/amdxdna) causes a local denial-of-service by hanging the runtime power management subsystem. An authenticated local user who triggers job execution on the AMD XDna accelerator while the system simultaneously attempts a runtime suspend can lock the kernel indefinitely. No active exploitation is confirmed and no public exploit code has been identified at time of analysis; the EPSS score of 0.02% (5th percentile) corroborates low exploitation probability.
DMA mapping resource leak in Linux kernel e1000 and e1000e Intel Ethernet drivers results in local denial-of-service conditions via memory exhaustion. The flaw originates from an off-by-one error in the TX buffer error-cleanup path (dma_error), introduced by commit c1fa347f20f1 which fixed an infinite loop but simultaneously decremented the unmap counter prematurely - causing exactly one DMA mapping to leak per failed multi-buffer TX operation. No public exploit has been identified and no active exploitation is confirmed (not in CISA KEV); EPSS of 0.02% (7th percentile) reflects extremely low weaponization probability.
Denial of service in the Linux kernel's drm/amdkfd (AMD GPU Kernel Fusion Driver) subsystem allows a local authenticated user to crash the kernel via a NULL pointer dereference. The flaw originates in the error handling path of the queue update routine, where a buffer object (bo) is not unreserved upon failure, leaving the subsystem in an inconsistent state that triggers a null dereference. No active exploitation is known; EPSS is 0.02% (5th percentile), and the impact is limited strictly to availability - confidentiality and integrity are unaffected.
Null pointer dereference in the Linux kernel's ASoC AMD ACP machine-common driver can be triggered by a local authenticated user to crash the kernel, resulting in a denial of service. The functions acp_card_rt5682_init() and acp_card_rt5682s_init() in sound/soc/amd/acp/acp-mach-common.c fail to validate the return value of clk_get(), allowing an invalid error pointer to be dereferenced by downstream clock core functions. No public exploit code exists and no active exploitation has been confirmed; EPSS probability stands at 0.02% (5th percentile), reflecting very low real-world exploitation likelihood.
Local unprivileged users can trigger out-of-bounds memory reads in Linux kernel's io_uring subsystem (versions 6.19+) via crafted SQE array mappings when IORING_SETUP_SQE_MIXED is enabled without NO_SQARRAY. By manipulating sq_array indices to point to the last physical SQE slot and submitting 128-byte operations, attackers cause a 64-byte buffer over-read during memcpy operations, potentially leaking sensitive kernel memory. Vendor patches available for affected 6.19.x branches. EPSS score of 0.02% indicates very low observed exploitation probability; no CISA KEV listing or public exploit identified at time of analysis.
Null pointer dereference in Linux kernel bonding driver crashes systems running with IPv6 disabled (ipv6.disable=1) when IPv6 Neighbor Solicitation packets arrive on bonded interfaces with ARP/NS validation enabled. Affects Linux kernel versions 5.18+ up to 6.19.9/7.0, with vendor patches available across stable branches (6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS exploitation probability is very low (0.02%, 7th percentile) and no active exploitation or public POC has been identified, but the high CVSS 7.5 reflects trivial remote triggering (AV:N/AC:L/PR:N) for denial-of-service in affected configurations.
Local privilege escalation potential in the Linux kernel's Microsoft Azure Network Adapter (mana) driver allows a low-privileged local user to trigger a use-after-free via a double destroy_workqueue() call on the gc->service_wq pointer when mana_gd_setup() fails. The flaw, fixed in the 6.18.x and 6.19.x stable trees, has no public exploit identified at time of analysis and an EPSS of 0.02% (4th percentile), but carries a CVSS of 7.8 due to high confidentiality, integrity, and availability impact within the kernel.
Race condition in the Linux kernel cgroup subsystem's task iterator exposes local low-privileged users to a denial-of-service condition when task migration and cgroup iteration execute concurrently. The cgroup infrastructure fails to advance active css_task_iters before a task is unlinked from cset->tasks during migration, allowing iterators to reference the wrong linked list and silently skip tasks - or in worst-case scenarios, cause css_task_iter_advance() to crash or loop infinitely on the destination css_set. No public exploit identified at time of analysis; EPSS of 0.02% at the 7th percentile reflects extremely low observed exploitation probability and aligns with the narrow race window required.
Reference count underflow in Linux kernel sched_ext subsystem enables local privilege escalation to execute arbitrary code with kernel privileges. The flaw affects kernel versions 6.12 through 6.19.x (prior to patched releases 6.12.78, 6.18.19, 6.19.9, 7.0), scoring CVSS 7.8 with local attack vector requiring low privileges. Vendor patches available via stable kernel updates. EPSS exploitation probability is low (0.02%, 5th percentile) with no public exploit code or active exploitation confirmed at time of analysis, though the Use-After-Free primitive could enable kernel memory corruption attacks.
Use-after-free in Linux kernel ALSA PCM subsystem allows local authenticated users to corrupt memory and potentially execute arbitrary code with kernel privileges. The vulnerability occurs in snd_pcm_drain() when a linked stream's runtime structure is freed via concurrent close() while still being dereferenced, enabling information disclosure, system crashes, or privilege escalation. With EPSS at 0.02% (7th percentile) and CVSS 7.8, this represents elevated theoretical risk but shows no evidence of active exploitation or public POC at time of analysis. Vendor patches are available across multiple stable kernel branches (5.10.253, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).
NULL pointer dereference in the Linux kernel's ALSA USB-audio Scarlett2 mixer quirk allows a local low-privileged user to crash the kernel (denial of service) by presenting a malformed USB descriptor with zero endpoints. Affected systems running unpatched kernels from the initial commit onward through stable branches 6.1.x, 6.6.x, 6.12.x, 6.18.x, and 6.19.x are exposed whenever the USB-audio driver enumerates a crafted or emulated Scarlett2-type device. No active exploitation is confirmed (not in CISA KEV) and no public exploit identified at time of analysis; the EPSS score of 0.03% (8th percentile) confirms very low real-world exploitation probability.
In the Linux kernel, the following vulnerability has been resolved: rust_binder: fix oneway spam detection The spam detection logic in TreeRange was executed before the current request was inserted into the tree. So the new request was not being factored in the spam calculation. Fix this by moving the logic after the new range has been inserted. Also, the detection logic for ArrayRange was missing altogether which meant large spamming transactions could get away without being detected. Fix this by implementing an equivalent low_oneway_space() in ArrayRange. Note that I looked into centralizing this logic in RangeAllocator but iterating through 'state' and 'size' got a bit too complicated (for me) and I abandoned this effort.
Local privilege escalation in Linux kernel's Rust Binder allows authenticated users to write to normally read-only binder pages, potentially leading to memory corruption and arbitrary code execution. The vulnerability stems from improper VMA (Virtual Memory Area) ownership validation during page installation - if a VMA is closed and replaced at the same address, Rust Binder may install pages into the wrong VMA, converting read-only pages to writable. Affects Linux kernel 6.18+ with Rust Binder enabled. EPSS score of 0.02% suggests low observed exploitation probability. Vendor patches available (6.18.19, 6.19.9, 7.0) via kernel.org stable tree commits.
Time-of-check-to-time-of-use (TOCTOU) race condition in Linux kernel's rust_binder implementation allows local authenticated attackers with low privileges to escalate privileges. The flaw exists in transaction offset array handling where values copied to a target process's read-only VMA are read back without protection against concurrent modification. If an attacker can write to their own supposedly read-only VMA through a separate vulnerability, they can modify offsets between write and read operations, causing the kernel to misinterpret transaction data and potentially enabling privilege escalation into the sending process. Patch available in kernel versions 6.18.19, 6.19.9, and 7.0. EPSS score of 0.02% suggests limited real-world exploitation likelihood despite CVSS 7.8 severity.
Memory leak in the Linux kernel xHCI USB host controller driver's xhci_disable_slot() function causes kernel memory exhaustion under error conditions, leading to denial of service. Affected kernels span multiple stable branches from the introduction commit through versions before 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0. A local low-privileged user who can trigger USB xHCI slot disable error paths - requiring specific hardware fault conditions - could accumulate kernel memory leaks over time, ultimately causing system instability. No public exploit identified at time of analysis; EPSS is 0.03% (9th percentile), reflecting negligible real-world exploitation likelihood.
NULL pointer dereference in the Linux kernel's xhci USB host controller debugfs interface allows a local low-privileged user to crash the kernel (denial of service) by reading portli debugfs files. The flaw surfaces when xhci's max_ports count exceeds the number of ports covered by Supported Protocol capabilities - producing NULL rhub pointers - which the portli read handler dereferences without checking. No public exploit has been identified and EPSS is 0.02% (5th percentile), indicating negligible broad exploitation interest; the vulnerability is not listed in CISA KEV.
Race condition in the Linux kernel's yurex USB driver probe function allows a local low-privileged attacker to cause a denial of service by triggering a timing window between URB submission and bbu member initialization. Affected are all kernel versions from the initial commit through the stable branch fix points (patched in 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0). No public exploit exists and the issue is not listed in CISA KEV; EPSS of 0.02% (7th percentile) reflects negligible widespread exploitation probability.
Indefinite kernel thread hang in the Linux kernel usbtmc (USB Test and Measurement Class) driver allows a local authenticated user to cause a denial of service by supplying an arbitrarily large timeout value via ioctl. The driver previously passed user-controlled timeout values directly to usb_bulk_msg(), which uses unkillable waits, meaning the kernel thread could never be interrupted or killed once blocked. No public exploit or active exploitation has been identified at time of analysis, and EPSS probability is negligible at 0.02%, but the straightforward local trigger path makes this a meaningful availability risk on systems with USBTMC devices.
Unbounded uninterruptible USB synchronous timeout in the Linux kernel's usbcore subsystem allows a local low-privilege user to permanently hang a kernel task with no signal-based kill path. The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs accept arbitrary timeout values and use TASK_UNINTERRUPTIBLE waits, meaning a task blocked on a misbehaving or absent USB device cannot be terminated by SIGKILL - only physical device removal can unblock it. CVSS 5.5 (AV:L/PR:L/A:H), EPSS at 0.02% (7th percentile), no KEV listing, and no public exploit code at time of analysis collectively indicate low active exploitation risk, though the denial-of-service primitive is straightforward once local access is established.
Out-of-bounds read in the Linux kernel's USB CDC-WDM (Communication Device Class - Wireless Device Management) driver allows a local low-privileged attacker to disclose uninitialized kernel memory and potentially crash the host through a memory-ordering race between desc->length updates and a memmove() in the read path. The flaw stems from compiler reordering or CPU out-of-order execution that can cause wdm_read() to observe an updated length before the corresponding data is fully copied, leading copy_to_user() to operate on uninitialized memory. EPSS is very low (0.02%, 7th percentile), there is no public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Use-after-free in the Linux kernel's Renesas USB host (renesas_usbhs) driver allows a local low-privileged attacker to potentially corrupt memory or escalate privileges during device removal. The flaw stems from the interrupt handler remaining registered while driver resources, including the pipe array, are freed in usbhs_remove(), creating a race window where the ISR can dereference freed memory. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but the kernel-level memory corruption impact (CVSS 7.8) makes it a meaningful local risk on affected Renesas USB hardware.
Denial of service in the Linux kernel mdc800 USB imaging driver allows a local low-privileged user to crash the kernel by triggering a URB double-submission race condition. The mdc800_device_read() function submits a USB Request Block (URB) but fails to cancel it on timeout, leaving it active; a subsequent read() resubmits the same in-flight URB, triggering a kernel WARN in usb_submit_urb() that can destabilize the system. No public exploit exists and no active exploitation has been identified - EPSS is 0.02% (7th percentile), reflecting the hardware-specific, local-access-only nature of this flaw.
Incorrect permission assignment in the NVIDIA Display Driver kernel module on Windows and Linux allows a highly privileged local user to corrupt critical resource permissions, leading to denial of service and potentially data tampering. Affected product lines span GeForce (limited to Maxwell, Volta, and Pascal architectures on some branches), RTX/Quadro/NVS, Tesla, and Guest (vGPU) drivers across multiple version branches. No public exploit exists and no active exploitation has been identified; SSVC assessment rates exploitation as none and impact as partial, consistent with the moderate CVSS score of 4.4.
Local privilege escalation in NVIDIA Display Driver for Linux (GeForce, RTX/Quadro/NVS, Tesla, and vGPU guest drivers) allows an authenticated local user to abuse improper permission handling in a kernel mode layer handler, enabling code execution, privilege elevation, and data tampering. CVSS 7.8 reflects high impact across confidentiality, integrity, and availability, but the attack vector is local and authenticated. No public exploit identified at time of analysis and EPSS is 0.01%, but SSVC marks technical impact as total.
Local privilege escalation in NVIDIA Display Driver for Windows and Linux allows authenticated low-privilege users to improperly access GPU resources via a kernel mode layer flaw, potentially leading to code execution, privilege escalation, information disclosure, data tampering, and denial of service. The issue affects GeForce, RTX/Quadro/NVS, and Tesla product lines across multiple driver branches and carries a CVSS 7.8 (High) score. No public exploit identified at time of analysis, and EPSS probability is very low (0.01%), but the breadth of affected hardware and total technical impact warrant prompt patching.
Race condition exploitation in NVIDIA Display Driver's Linux kernel module allows a local authenticated user to cause denial of service by manipulating compiler or processor memory instruction ordering. Affected product lines span GeForce, RTX/Quadro/NVS, Tesla, and vGPU Guest Driver across multiple driver branches up to the March 2026 release. No active exploitation has been confirmed - this is not listed in CISA KEV, EPSS is 0.01% (1st percentile), and SSVC assessment classifies exploitation status as none - placing this firmly in a patch-and-monitor category rather than emergency response.
Null pointer dereference in the Linux kernel's Bluetooth L2CAP socket layer crashes the kernel when `l2cap_sock_get_sndtimeo_cb()` is invoked with a NULL socket context, resulting in a local denial-of-service (kernel panic). The flaw stems from an oversight where sibling callbacks `l2cap_sock_resume_cb()` and `l2cap_sock_ready_cb()` already carry the required NULL guard, but `l2cap_sock_get_sndtimeo_cb()` does not. With EPSS at 0.02% (5th percentile), no public exploit identified, and no CISA KEV listing, real-world exploitation risk is low - but the vulnerability has persisted since Linux 3.13 and affects every major stable branch until patched versions were released.
Null pointer dereference in the Linux kernel's Bluetooth L2CAP socket layer crashes the kernel when `l2cap_sock_new_connection_cb()` is invoked without the NULL guard present in sibling callbacks. Local unprivileged users on systems with Bluetooth enabled can trigger a kernel oops or panic, resulting in a denial of service. No public exploit or CISA KEV listing exists; EPSS probability is near zero at 0.02% (5th percentile), indicating minimal active exploitation interest at time of analysis.
NULL pointer dereference in the Linux kernel Bluetooth L2CAP subsystem causes a local denial-of-service via kernel panic when `l2cap_sock_state_change_cb()` is invoked with a NULL socket pointer. A local low-privileged user with access to the Bluetooth socket API can trigger a system crash by exercising the L2CAP state change callback path that lacked the NULL guard already applied to sibling callbacks `l2cap_sock_resume_cb()` and `l2cap_sock_ready_cb()`. No active exploitation is confirmed (not in CISA KEV) and EPSS stands at 0.02% (5th percentile), indicating minimal real-world adversarial interest at time of analysis.
Memory corruption and potential information disclosure in the Linux kernel networking stack (skbuff) occurs because skb_try_coalesce() fails to propagate the SKBFL_SHARED_FRAG marker when transferring paged fragments between socket buffers. The flaw breaks an invariant relied upon by IPsec ESP input processing, which may then decrypt data in-place over page-cache-backed fragments belonging to other contexts. No public exploit identified at time of analysis, EPSS sits at 0.02%, and the issue is patched across multiple stable trees.
Local privilege escalation risk in the Linux kernel's RDS (Reliable Datagram Sockets) subsystem stems from an error in zerocopy send cleanup logic where an early-failed send can have its pinned user pages mishandled. The flaw affects multiple kernel branches from 4.17 onward and is fixed across stable trees (6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3). No public exploit identified at time of analysis, and EPSS is very low (0.02%).
Out-of-bounds heap write in the Linux kernel's IPv6 RPL Source Routing Header (SRH) processing path allows local attackers with raw IPv6 socket access to corrupt memory beyond the skb buffer. The flaw in ipv6_rpl_srh_rcv() occurs when a recompressed SRH grows larger than the received one and consumes unchecked headroom, causing skb_mac_header_rebuild() to wrap a u16 offset and trigger a ~64KiB out-of-bounds memmove. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug is reachable from unprivileged userspace via a single crafted AF_INET6/SOCK_RAW packet over loopback per the reporter's KASAN reproduction.
Local privilege escalation and potential memory corruption in the Linux kernel's rtmutex (real-time mutex) subsystem stems from remove_waiter() incorrectly operating on the current task instead of waiter::task during proxy-lock rollback in futex_requeue() paths. Exploitation can leave a dangling pi_blocked_on pointer primed for a use-after-free, with CVSS 7.8 (AV:L/AC:L/PR:L/UI:N) reflecting local low-privileged access. EPSS is 0.02% (7th percentile) and no public exploit identified at time of analysis, but the UAF primitive is a known building block for kernel privilege escalation.
Local privilege-level data corruption in the Linux kernel's accel/ivpu driver (Intel VPU accelerator) allows authenticated local users to trigger incorrect device access and memory corruption by re-exporting imported GEM (Graphics Execution Manager) buffer objects via the DMA-BUF prime interface. The flaw stems from the missing validation that allowed buffer flag settings to be lost on re-export, and while CVSS rates it 7.8 High due to local high-impact effects, EPSS is only 0.02% and no public exploit identified at time of analysis.
Use-after-free in the Linux kernel's udlfb (DisplayLink USB framebuffer) driver allows a local user with access to the framebuffer device to retain read/write access to freed kernel memory pages after a USB disconnect or framebuffer reallocation. The dlfb_ops_mmap() function maps vmalloc-backed framebuffer pages to userspace without installing vm_ops callbacks, so the kernel cannot track active mappings and vfree() is called on pages still referenced by user PTEs. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the issue is not listed in CISA KEV.
Null pointer dereference in the Linux kernel's RED qdisc (sch_red) allows a local user with low privileges to trigger a kernel panic and system crash when a specific nested qdisc hierarchy is configured. The flaw occurs in net/sched/sch_red.c when RED calls its child qdisc's dequeue() directly after a peek() has already cached the packet in QFQ's gso_skb buffer, causing QFQ's dequeue path to dereference a null pointer. No public exploit has been identified at time of analysis, and EPSS is 0.02% (7th percentile), reflecting very low real-world exploitation probability.
Slab-out-of-bounds read in the Linux kernel's t7xx WWAN driver allows a malicious or compromised MediaTek modem to leak up to 262140 bytes of kernel memory by sending a crafted port enumeration message with an inflated port_count field. The flaw affects systems using the t7xx driver (e.g., laptops with MediaTek 5G M.2 modems such as the FM350-GL) and has no public exploit identified at time of analysis, with an EPSS score of 0.02% indicating very low predicted exploitation activity.
Local privilege escalation potential in the Linux kernel's RDS (Reliable Datagram Sockets) subsystem stems from a double-free condition triggered when zerocopy page pinning fails during sendmsg() operations. The flaw, introduced in Linux 4.17, allows local authenticated users to corrupt kernel memory by exploiting an error path in rds_message_zcopy_from_user() that fails to reset op_nents, causing rds_message_purge() to free pages that were already released. Publicly available exploit code exists, though EPSS scoring is very low (0.02%) and the issue is not listed in CISA KEV.
Improper handling of MAY_BACKLOG requests in the Linux kernel's pcrypt (parallel crypto) module can cause incorrect processing of EBUSY return codes and EINPROGRESS notifications, potentially leading to instability or undefined behavior in cryptographic operations. The issue affects Linux kernel versions dating back to 2.6.34 and has been resolved upstream across multiple stable branches including 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. There is no public exploit identified at time of analysis and EPSS scoring (0.02%, 5th percentile) suggests very low real-world exploitation likelihood despite the CVSS 9.8 rating.
Integer underflow in the Linux kernel's MPI crypto library function `mpi_read_raw_from_sgl()` allows a local low-privileged user to trigger an infinite kernel loop via the `KEYCTL_PKEY_ENCRYPT` syscall, causing a system-wide denial of service with soft lockup splats. The flaw was latent since commit `2d4d1eea540b` but became exploitable only after commit `63ba4d67594a` changed how asymmetric key operations construct scatterlists, allowing `out_len > in_len` with a zero-filled buffer to satisfy the underflow condition. No active exploitation is confirmed (EPSS 0.02%, not in CISA KEV), but the attack path is fully described in the upstream commit message, making independent reproduction straightforward.
Memory exhaustion in the Linux kernel's QRTR (Qualcomm IPC Router) namespace subsystem allows a local low-privileged attacker to crash the system by flooding NEW_SERVER registration messages without triggering any bound check. Affected systems are those running kernels between the introducing commit (0c2204a4ad710d95d348ea006f14ba926e842ffd) and the fix commits across stable branches. No public exploit code has been identified and EPSS sits at the 5th percentile, indicating minimal observed exploitation activity.
Local privilege escalation in the Linux kernel ptrace subsystem allows authenticated users to bypass the traditional capability-dropping security model when accessing kernel thread details via PTRACE_MODE_READ_FSCREDS checks. The flaw stems from get_dumpable() logic returning misleading values for tasks without an associated memory map (mm), enabling uid-0 processes that have dropped capabilities to still read sensitive kernel thread information. Publicly available exploit code exists (referenced in OSS-security and a GitHub PoC against ssh-keysign), though EPSS scoring (0.02%) indicates low likelihood of widespread exploitation.
Out-of-bounds read and buffer overflow in the Linux kernel's ksmbd SMB server allows authenticated remote attackers to corrupt memory or read past allocated buffers by sending a malformed inheritable ACE with an inflated num_subauth value. The flaw resides in smb_inherit_dacl() and smb_set_ace(), where the variable-length SID is not bounds-checked during DACL inheritance, enabling heap corruption with potential for remote code execution against any SMB server using ksmbd. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the vendor patch is available across multiple stable branches.
State management failure in the Linux kernel liveupdate subsystem allows a local low-privileged user to trigger a use-after-free or double-free condition by retrying a failed LIVEUPDATE_SESSION_RETRIEVE_FD ioctl, resulting in kernel crash or WARN and full availability loss. The luo_file struct's retrieve status is never recorded on failure, leaving the kernel's serialization state machine inconsistent; a retry re-enters retrieve logic against partially freed data structures such as kho folio mappings. No public exploit exists and EPSS is 0.02%, placing this firmly in low-priority territory absent active use of the liveupdate feature.
Interrupt storm vulnerability in the Linux kernel xHCI USB host controller driver allows a local user to cause a complete system availability loss by triggering a Host Controller Error (HCE) via UAS storage device hotplug events. Affected kernel versions prior to 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0 fail to invoke xhci_halt() when HCE is detected in xhci_irq(), leaving the interrupt uncleared and the controller running - resulting in a continuous interrupt storm. No public exploit has been identified and EPSS is 0.02% (5th percentile), consistent with the hardware-interaction-dependent trigger, but availability impact is high on affected hosts where USB ports are physically accessible.
Random system freeze vulnerability in the Linux kernel's libata-core subsystem affects any Linux host physically equipped with a Seagate ST1000DM010-2EP102 BarraCuda hard drive, where the kernel's default enablement of SATA Link Power Management (LPM) causes the drive to fail its wake sequence and hang the system irrecoverably. The ST1000DM010-2EP102 belongs to the same BarraCuda family as the ST2000DM008-2FR102, for which an LPM quirk already exists in libata - the fix extends that quirk to cover this model. No active exploitation has been identified (absent from CISA KEV), and EPSS at 0.02% reflects negligible adversarial interest, consistent with this being a hardware compatibility defect rather than a traditional security flaw.
Infinite fault loop in the Linux kernel's arm64 contiguous PTE (contpte) subsystem exposes systems using SMMU or CPU configurations without hardware dirty-bit management support to a local denial of service. The defect in `contpte_ptep_set_access_flags()` causes a gathered AF/dirty-bit view across contiguous sub-PTEs to produce false no-ops, leaving individual target sub-PTEs in a stale hardware state that triggers perpetual page faults on non-FEAT_HAFDBS-aware walkers such as SMMMUs without HTTU or CPUs with HA/HD disabled in CD.TCR. No confirmed active exploitation exists; EPSS is 0.02% at the 5th percentile, consistent with the hardware-specific, local-only attack surface.
Spurious WARN_ON assertions in the Linux kernel's nouveau/gsp ACPI probe routines trigger frequently during normal NVIDIA GPU initialization, creating an availability risk on affected systems. On kernels configured with panic_on_warn=1, each triggered WARN_ON escalates to a full kernel panic, while on default configurations it produces excessive kernel log noise that degrades observability. Affected kernel versions range from the introduction of commit 176fdcbddfd2 through stable branches fixed in 6.18.19, 6.19.9, and 7.0; no active exploitation is identified (EPSS 0.02%, not in CISA KEV).
Concurrent bitfield RMW (Read-Modify-Write) corruption in the Linux kernel MMC core subsystem allows a local authenticated user to trigger spurious WARN_ON panics or system instability on MMC-enabled devices. The root cause is that host->claimed and retune control flags shared a single bitfield word; under concurrent access from __mmc_claim_host() and mmc_mq_queue_rq(), non-atomic RMW operations allow one thread's write to silently overwrite bits modified by another, corrupting MMC host state. No public exploit has been identified at time of analysis, and EPSS sits at 0.02% (7th percentile), reflecting the narrow, race-window-dependent trigger and low attacker leverage on commodity systems.
CR8 write interception mismanagement in KVM's AMD SVM implementation crashes Windows guests on AMD hypervisors with AVIC enabled. When KVM emulates INIT→WFS sequences while AVIC is temporarily deactivated, the CR8 write intercept flag is not cleared upon AVIC reactivation, leaving it permanently enabled. In isolation this is a performance regression, but combined with the TPR synchronization flaw addressed by commit d02e48830e3f, the divergence between hardware-visible and guest-visible TPR values becomes fatal to Windows guests. No public exploit identified at time of analysis; EPSS is 0.02% (7th percentile) and no CISA KEV listing exists.
A race condition in the Linux kernel's sched_ext BPF scheduler subsystem allows a local low-privileged user to permanently hang the system when sched_ext is actively loaded. Between scx_claim_exit() atomically marking error exit and the subsequent kick of the helper kthread, a preemption window exists where the BPF scheduler - now with error handling disabled - may fail to reschedule the calling task, leaving the helper work permanently unqueued. The result is bypass mode never activating, task dispatching halting, and a complete system wedge. No public exploit has been identified and EPSS sits at 0.02% (5th percentile), but the availability impact is total for affected systems running a custom BPF scheduler.
Double-free condition in the Linux kernel's net-shapers subsystem allows local low-privileged attackers to corrupt kernel memory via the generic netlink interface. The flaw occurs because net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit() incorrectly call nlmsg_free() on a reply skb that was already consumed by genlmsg_reply(), enabling potential privilege escalation. No public exploit identified at time of analysis and EPSS scoring places exploitation probability at only 0.02%.
Null pointer dereference in the Linux kernel's AMD ASoC ACP3x audio driver (acp3x-rt5682-max9836) allows a local low-privileged user on affected hardware to crash the kernel. The flaw originates in acp3x_5682_init(), which failed to validate the return value of clk_get() before passing it to rt5682_clk_enable(), meaning an error pointer could be dereferenced directly. No public exploit identified at time of analysis and the EPSS score of 0.02% (7th percentile) reflects extremely low exploitation interest; this vulnerability is not listed in the CISA KEV catalog.
Kernel availability disruption in the Linux lan78xx USB-to-Ethernet driver allows a local user with low privileges to trigger a kernel WARN in __netif_napi_del_locked() by disconnecting an affected USB Ethernet adapter. The root cause is a redundant netif_napi_del() call in the driver's disconnect path while NAPI processing is still active, conflicting with the teardown that unregister_netdev() performs automatically. No public exploit exists and EPSS is 0.02% (4th percentile), indicating very low real-world exploitation interest; this is primarily a stability and denial-of-service concern on embedded and desktop Linux systems using the SMSC/Microchip LAN78xx adapter family.
NULL pointer dereference in the Linux kernel's RT1011 ASoC codec driver allows a local, low-privileged user to crash the kernel on systems equipped with Realtek RT1011 smart speaker amplifier hardware. The flaw in rt1011_recv_spk_mode_put() uses an incorrect helper to retrieve the DAPM (Dynamic Audio Power Management) context from a kcontrol object, yielding a NULL pointer that is subsequently dereferenced, triggering a kernel oops or panic. No public exploit is identified and EPSS of 0.02% (5th percentile) reflects negligible real-world exploitation probability, though vendor-confirmed patches are available in Linux 6.19.9 and 7.0.
System hang via Machine Check Error (MCE) in the Linux kernel's Intel i915 DRM driver affects ICL (Ice Lake) generation GPU hardware when VRR timing registers are written before TRANS_DDI_FUNC_CTL is enabled, violating Intel BSpec 22243. Local low-privilege users on ICL systems - particularly those with external displays connected through USB-C docks experiencing link training failure - can trigger an unrecoverable system hang. No public exploit exists and EPSS is 0.02%, consistent with the hardware-specific, condition-dependent nature of the bug; no active exploitation is confirmed.
Local privilege escalation potential exists in the Linux kernel's IIO chemical sensor subsystem, specifically the sps30_i2c driver, where an incorrect sizeof() calculation in sps30_i2c_read_meas() uses sizeof(size_t) instead of sizeof(*meas), creating a buffer size mismatch. Affecting Linux kernel versions from 5.14 onward, the flaw could lead to memory corruption or out-of-bounds access when handling measurement data from Sensirion SPS30 particulate matter sensors over I2C. EPSS is very low at 0.02% and there is no public exploit identified at time of analysis, but a CVSS of 7.8 reflects high local impact on confidentiality, integrity, and availability.
Local privilege escalation in Linux kernel XFRM ESP-in-TCP subsystem (Fragnesia vulnerability) allows authenticated local attackers to overwrite kernel memory structures by exploiting arbitrary byte writes into the kernel page cache of read-only files. CVSS score of 7.8 reflects high impact across confidentiality, integrity, and availability. Low attack complexity (AC:L) and no user interaction requirement (UI:N) make this exploitable by any local user with basic privileges. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis, but the specific vulnerability name 'Fragnesia' suggests coordinated disclosure with security research community.
Linux ksmbd contains a remote memory corruption vulnerability in the ACL inheritance path that allows remote clients with directory creation permissions to trigger a heap out-of-bounds read and subsequent heap corruption by setting a crafted DACL with a malformed SID containing an inflated num_subauth field. Attackers can exploit this vulnerability by creating a directory, setting the malicious DACL via SMB2_SET_INFO, and creating child entries to cause kernel instability, denial of service, or potentially achieve privilege escalation to kernel code execution.
Use after free for some Linux kernel driver for the Intel(R) Ethernet 800 series before version 2.3.14 within Ring 0: Kernel may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts.
Buffer overflow in Linux kernel rxrpc subsystem allows local authenticated attackers to achieve arbitrary code execution with kernel privileges. The vulnerability stems from improper handling of shared fragment memory in DATA and RESPONSE packet processing, where the kernel fails to unshare externally-owned page fragments before in-place decryption operations. This creates a buffer overflow condition (CWE-787) exploitable by local users with low privileges. Patches are available for kernel versions 6.18.29, 7.0.6, and 7.1-rc3. EPSS and KEV status not provided in available data.
Denial-of-service via kernel lock-up in the Linux kernel's Hyper-V storage controller driver (hv_storvsc) affects guests running PREEMPT_RT-enabled kernels on Microsoft Hyper-V. The storvsc_queuecommand function disables preemption and then acquires an RT spinlock inside hv_ringbuffer_write; under PREEMPT_RT semantics, RT spinlocks are sleepable, making this a fatal locking-discipline violation that triggers the 'scheduling while atomic' BUG splat and subsequent system lock-up. No public exploit and no public exploit identified at time of analysis, with EPSS at 0.02% (7th percentile) reflecting the niche configuration dependency.
Denial of service via uninitialized kernel memory in the Linux kernel's FUSE filesystem handler allows a local low-privileged user to crash the kernel by invoking the file_getattr syscall against a FUSE-mounted file. Affected are Linux kernel versions from the initial git history through stable branches predating the 6.18.19, 6.19.9, and 7.0 patch releases. No public exploit is identified at time of analysis, and EPSS sits at 0.02% (4th percentile), reflecting very low observed exploitation probability with no CISA KEV listing.
Local denial-of-service in the Linux kernel's mpi3mr SCSI driver causes a system crash via NULL pointer dereference during resource cleanup. An authenticated local user on a system using MPI3-based storage controllers can trigger a kernel panic by inducing the error path where queue creation fails: the driver frees reply or request queue memory but subsequently attempts to memset the now-freed (NULL) pointer, crashing the system. No public exploit exists and EPSS sits at 0.02% (7th percentile), indicating low real-world exploitation probability at time of analysis.
Improper error-path state management in the Linux kernel's unshare(2) syscall leaves calling processes with dangling filesystem root and working-directory pointers after partial namespace creation failure. When a local low-privileged process calls unshare() with both CLONE_NEWNS and CLONE_NEWCGROUP on an unshared fs_struct (users==1), a successful copy_mnt_ns() updates current->fs->root and current->fs->pwd into the new mount namespace before a subsequent copy_cgroup_ns() failure triggers cleanup - dissolving the mount tree while leaving those pointers referencing now-detached mounts. The calling process is stranded in a broken filesystem state, producing high availability impact (CVSS A:H) confined entirely to the calling process. No public exploit has been identified, EPSS is 0.02% (7th percentile), and this is not in CISA KEV, reflecting low real-world exploitation interest despite the bug existing since unshare(2) was first introduced.
NULL pointer dereference in the Linux kernel's UFS host controller driver crashes the kernel when ufshcd_mcq_req_to_hwq() returns NULL during MCQ command completion, allowing an authenticated local user on affected hardware to trigger a denial of service. The vulnerability is confined to the SCSI UFS subsystem's ufshcd_add_command_trace() function and impacts systems with UFS storage operating in Multi-Circular Queue mode - primarily ARM64 embedded and mobile platforms using MediaTek UFS controllers. No public exploit has been identified at time of analysis, and EPSS at 0.02% (5th percentile) reflects the highly constrained attack surface.
Kernel oops in the Linux NFSv3 client's create path exposes systems to local denial of service when concurrent directory and file creation races produce a directory alias via d_splice_alias. The affected code in nfs3_proc_create silently discards the alias without returning an error, leaving the original dentry in a negative (unresolved) state; a subsequent call from nfs_atomic_open_v23/finish_open passes this negative dentry to do_dentry_open, triggering the oops. No public exploit identified at time of analysis, and EPSS at 0.02% (5th percentile) signals very low probability of exploitation in the wild.
Denial of service in Linux kernel's xprtrdma subsystem causes system hang when memory allocation fails during RDMA receive buffer posting. Affects NFS over RDMA (RoCE/InfiniBand) deployments running kernel versions 5.13 through 6.19.8, 6.18.18 and earlier, 6.12.77 and earlier, 6.6.129 and earlier, 6.1.166 and earlier, and 5.15.202 and earlier. Systems under high memory pressure can trigger hung tasks in the xprtiod workqueue, requiring reboot to recover. EPSS score of 0.02% suggests low widespread exploitation likelihood. Vendor patches available across all affected stable kernel branches.
Deadlock in the Linux kernel's mlx5 network driver eswitch subsystem allows a local low-privileged user to cause a complete system hang (denial of service) on hosts equipped with Mellanox/NVIDIA ConnectX NICs operating in SR-IOV eswitch mode. The deadlock arises from a lock-ordering inversion: the eswitch work queue acquires the devlink lock while processing VF change events, and concurrently the eswitch mode-set path holds the devlink lock and calls flush_workqueue, producing a circular wait. No public exploit code exists and no active exploitation has been identified at time of analysis; EPSS probability is 0.02%, reflecting the narrow, hardware-specific attack surface.
Kernel denial-of-service in the mlx5_core driver (Mellanox/NVIDIA ConnectX) occurs when a privileged local user switches the eswitch to switchdev mode on hardware that does not support IPsec offload. The driver unconditionally invokes IPsec resource cleanup via mlx5e_ipsec_disable_events regardless of hardware capability, dereferencing a null or uninitialized pointer at offset 0xa0 and triggering a kernel page fault that crashes the system. No public exploit identified at time of analysis; EPSS of 0.02% (5th percentile) and no CISA KEV listing indicate negligible real-world exploitation activity.
DMA memory corruption in Linux kernel mlx5e driver allows denial-of-service and potential data integrity violations when recovering from TX error completion queue entries. The vulnerability affects mlx5 Ethernet driver users from kernel 4.17 onwards, causing desynchronization between DMA FIFO producer/consumer counters during error recovery, leading to unmapping of stale DMA addresses and IOMMU warnings. Exploitation probability is low (EPSS 0.02%, 7th percentile) with no public exploit identified at time of analysis. Vendor-released patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).
Reference counting flaw in mlx5e network driver causes kernel memory corruption when XDP multi-buffer programs modify packet layouts via bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). Affects Linux kernel versions 6.18.x through 6.19.9, with vendor patches available for 6.18.19, 6.19.9, and 7.0. The vulnerability triggers negative page pool reference counts leading to memory management errors, discovered by the drivers/net/xdp.py selftest. While CVSS scores this 9.8 Critical with network vector, the technical context suggests local impact requiring specific XDP program execution. EPSS exploitation probability is low (0.02%, 4th percentile) with no evidence of active exploitation or public POC at time of analysis.
Memory corruption in Linux kernel's mlx5 network driver causes denial of service when XDP multi-buffer programs modify packet layout. The flaw specifically affects the mlx5e receive queue fragment tracking logic: when XDP programs call bpf_xdp_pull_data() or bpf_xdp_adjust_tail() to modify buffer layout, the driver fails to properly count dropped fragments, leading to negative page pool reference counts, kernel warnings, and potential system instability. Exploitation requires sending crafted network packets to systems using mlx5 NICs with XDP multi-buffer programs loaded. EPSS score of 0.02% indicates low exploitation probability. Vendor patches available for kernel versions 6.18.19, 6.19.9, and 7.0.
Null pointer dereference in the Linux kernel's rxrpc and AFS subsystems allows a local authenticated attacker to trigger a kernel denial of service. The rxrpc_kernel_lookup_peer() function can return either NULL or an error pointer on failure, but its AFS callers only tested for NULL - leaving unchecked error pointer values that, when dereferenced, cause a kernel panic. No public exploit has been identified and EPSS probability sits at 0.02%, indicating low observed exploitation interest; however, the availability impact is rated High by CVSS due to the potential for full system crash.
DMA mapping resource leaks in the Linux kernel's spacemit Ethernet MAC driver (emac_tx_mem_map function) allow remote attackers to trigger denial of service through network traffic that causes mapping errors, progressively exhausting kernel memory resources. The vulnerability affects Linux kernel versions 6.18.x through 6.19.9, with vendor patches available for stable branches 6.18.19, 6.19.9, and 7.0. EPSS exploitation probability is very low (0.02%, 4th percentile), and no public exploit or active exploitation has been identified at time of analysis.
Memory corruption in Linux kernel's Amlogic SPI Flash Controller A4 driver allows local authenticated attackers with low privileges to escalate privileges, corrupt memory, or cause denial of service through improper DMA mapping error handling. The vulnerability stems from three distinct bugs in aml_sfc_dma_buffer_setup() that can trigger double-unmapping and incorrect DMA synchronization. EPSS score of 0.02% (4th percentile) indicates low exploitation likelihood in the wild. Vendor patches are available for affected kernel versions 6.18.x and 6.19.x, with fixes backported to stable branches.
Local privilege escalation potential in the Linux kernel's Rockchip Serial Flash Controller (SFC) SPI driver arises from a double-free in the remove() callback path, where the driver calls spi_unregister_controller() manually despite already using the devm-managed registration helper. The flaw affects systems using the rockchip-sfc driver and is not currently in CISA KEV, with no public exploit identified at time of analysis and a very low EPSS score (0.02%, 4th percentile), but CVSS 7.8 reflects high local impact if triggered.
Use-after-free in Linux kernel ASoC (ALSA System on Chip) subsystem allows local authenticated users with open audio streams to trigger memory corruption during sound card unbind operations. The flaw occurs when PCM stream closure schedules delayed DAPM (Dynamic Audio Power Management) work after widgets are freed, enabling potential privilege escalation or denial of service. EPSS score of 0.02% indicates low observed exploitation probability. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). No CISA KEV listing or public POC identified at time of analysis.
Local privilege escalation in the Linux kernel's CAIF serial driver allows attackers with local access to trigger a use-after-free condition in pty_write_room() via the caif_serial line discipline. The flaw stems from missing reference counting on tty->link, enabling memory corruption that can lead to arbitrary kernel code execution with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, with an EPSS score of 0.02% (7th percentile) indicating low likelihood of widespread exploitation.
Memory leak in the Linux kernel's MCTP I2C driver receive path allows a local authenticated attacker to progressively exhaust kernel slab memory, resulting in denial of service. The flaw exists in all kernel versions from 5.18 (when the MCTP I2C driver was introduced at commit f5b8abf9fc3dacd7529d363e26fe8230935d65f8) through multiple stable branches now addressed by patches in 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0. No public exploit identified at time of analysis; the EPSS score of 0.02% (7th percentile) confirms very low exploitation probability, consistent with the niche deployment context of MCTP I2C interfaces.
Type confusion in the Linux kernel bonding driver allows local authenticated users to trigger kernel crashes and potentially escalate privileges when non-Ethernet devices (such as GRE tunnels) are enslaved to a bond interface. The vulnerability stems from bond_setup_by_slave() blindly copying header_ops from slave devices without accounting for device-specific private data structures, causing netdev_priv() in functions like ipgre_header() to access incorrect memory layouts. Vendor patches are available for kernel versions 6.12.78, 6.18.19, 6.19.9, and 7.0. EPSS exploitation probability is low (0.02%, 5th percentile) with no public exploit identified at time of analysis.
Race condition in the Linux kernel MCTP route subsystem allows a local, low-privileged attacker to cause a device reference count leak leading to availability impact. The mctp_flow_prepare_output() function in the MCTP (Management Component Transport Protocol) networking stack fails to hold key->lock around the key->dev check-and-set sequence, enabling two concurrent threads to each acquire a device reference while only the final one is tracked for release - gradually exhausting kernel resources. No public exploit exists and EPSS is 0.02% (7th percentile), indicating very low exploitation probability; patch-confirmed fixes are available across multiple stable kernel branches.
Privilege escalation in Linux kernel netfilter subsystem allows local authenticated users to achieve high-impact compromise via duplicate netdev hook registration. The vulnerability affects kernel versions 6.16 through early 7.0 releases, with vendor patches available for stable branches 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% (4th percentile) suggests low observed exploitation likelihood despite CVSS 7.8 severity. No active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis.
Stack out-of-bounds read in the Linux kernel's netfilter nft_set_pipapo subsystem allows local low-privileged attackers to read 4 bytes past the end of a stack-allocated rulemap array via pipapo_drop(). The flaw was confirmed by KASAN and affects kernels from 5.6 onward until the fixed stable releases. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 7th percentile), but the CVSS 7.1 score reflects the potential for kernel memory disclosure and availability impact.
Out-of-bounds read in Linux kernel netfilter x_tables module allows remote attackers to disclose kernel memory and potentially cause denial of service. The xt_tcpudp and xt_dccp option walkers fail to validate boundaries when processing the last byte of TCP/UDP/DCCP options, triggering a 1-byte buffer over-read. CVSS 8.2 with network attack vector and no authentication required indicates high exploitability, though EPSS score of 0.02% (7th percentile) suggests minimal observed exploitation attempts. Patches available across all active kernel stable branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). No CISA KEV listing or public exploit code identified at time of analysis.
Repeated memory exhaustion in the Linux kernel's netfilter nfnetlink_queue subsystem allows a local low-privileged attacker to trigger a denial of service by leaking kernel memory on every crafted PF_BRIDGE verdict. The defect in nfqnl_recv_verdict() causes the nf_queue_entry, its sk_buff, and all held net_device and struct net reference counts to never be released when nfqa_parse_bridge() returns an error due to malformed VLAN netlink attributes. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (7th percentile) reflects the constrained local attack path and low exploitation probability.
Out-of-bounds read in the Linux kernel's netfilter nfnetlink_cthelper subsystem allows a local attacker with CAP_NET_ADMIN to trigger an 8-byte OOB read in nfnl_cthelper_dump_table() by racing helper deletion against a netlink dump operation. The flaw stems from a misplaced 'goto restart' that bypasses the for-loop bounds check when cb->args[0] equals nf_ct_helper_hsize, as detected by KASAN. EPSS is 0.02% and no public exploit identified at time of analysis, though a detailed reproducer call trace exists in the commit message.
Out-of-bounds read in the Linux kernel's NVMe PCI driver (nvme_dbbuf_set) allows a local attacker to trigger a slab-out-of-bounds memory access during NVMe controller reset, potentially leading to denial of service or information disclosure. The flaw stems from an incorrect loop bound that iterates past dev->online_queues, reading from kmalloc-2k slab memory belonging to adjacent allocations. No public exploit identified at time of analysis, and the EPSS score of 0.02% reflects a low probability of opportunistic exploitation.
Race condition in the Linux kernel nvme-pci driver's nvme_poll_irqdisable() function causes an unbalanced IRQ enable/disable pair that crashes the kernel with a warning. Affected kernels from 5.7 through multiple stable branches are vulnerable when running PCIe NVMe storage with MSI-X interrupts: a concurrent NVMe device reset can change the IRQ vector between the disable_irq() and enable_irq() calls, making the kernel operate on different IRQ numbers. No public exploit identified at time of analysis and EPSS of 0.02% confirm this is a reliability/stability concern patched in kernel stable releases 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0.
Use-after-free in the Linux kernel iavf driver allows local authenticated users to execute arbitrary code, escalate privileges, or crash the system. The vulnerability affects Intel Ethernet Adaptive Virtual Function (iavf) driver's PTP implementation where a worker thread continues accessing freed memory during network adapter reset or disable operations. Patch available from kernel.org upstream commits across multiple stable branches (6.18.19, 6.19.9, 7.0+). EPSS score of 0.02% (4th percentile) indicates low observed exploitation likelihood, and no CISA KEV listing confirms this remains a theoretical risk requiring local access with low privileges.
Deadlock in the Linux kernel's AMD XDna accelerator driver (accel/amdxdna) causes a local denial-of-service by hanging the runtime power management subsystem. An authenticated local user who triggers job execution on the AMD XDna accelerator while the system simultaneously attempts a runtime suspend can lock the kernel indefinitely. No active exploitation is confirmed and no public exploit code has been identified at time of analysis; the EPSS score of 0.02% (5th percentile) corroborates low exploitation probability.
DMA mapping resource leak in Linux kernel e1000 and e1000e Intel Ethernet drivers results in local denial-of-service conditions via memory exhaustion. The flaw originates from an off-by-one error in the TX buffer error-cleanup path (dma_error), introduced by commit c1fa347f20f1 which fixed an infinite loop but simultaneously decremented the unmap counter prematurely - causing exactly one DMA mapping to leak per failed multi-buffer TX operation. No public exploit has been identified and no active exploitation is confirmed (not in CISA KEV); EPSS of 0.02% (7th percentile) reflects extremely low weaponization probability.
Denial of service in the Linux kernel's drm/amdkfd (AMD GPU Kernel Fusion Driver) subsystem allows a local authenticated user to crash the kernel via a NULL pointer dereference. The flaw originates in the error handling path of the queue update routine, where a buffer object (bo) is not unreserved upon failure, leaving the subsystem in an inconsistent state that triggers a null dereference. No active exploitation is known; EPSS is 0.02% (5th percentile), and the impact is limited strictly to availability - confidentiality and integrity are unaffected.
Null pointer dereference in the Linux kernel's ASoC AMD ACP machine-common driver can be triggered by a local authenticated user to crash the kernel, resulting in a denial of service. The functions acp_card_rt5682_init() and acp_card_rt5682s_init() in sound/soc/amd/acp/acp-mach-common.c fail to validate the return value of clk_get(), allowing an invalid error pointer to be dereferenced by downstream clock core functions. No public exploit code exists and no active exploitation has been confirmed; EPSS probability stands at 0.02% (5th percentile), reflecting very low real-world exploitation likelihood.
Local unprivileged users can trigger out-of-bounds memory reads in Linux kernel's io_uring subsystem (versions 6.19+) via crafted SQE array mappings when IORING_SETUP_SQE_MIXED is enabled without NO_SQARRAY. By manipulating sq_array indices to point to the last physical SQE slot and submitting 128-byte operations, attackers cause a 64-byte buffer over-read during memcpy operations, potentially leaking sensitive kernel memory. Vendor patches available for affected 6.19.x branches. EPSS score of 0.02% indicates very low observed exploitation probability; no CISA KEV listing or public exploit identified at time of analysis.
Null pointer dereference in Linux kernel bonding driver crashes systems running with IPv6 disabled (ipv6.disable=1) when IPv6 Neighbor Solicitation packets arrive on bonded interfaces with ARP/NS validation enabled. Affects Linux kernel versions 5.18+ up to 6.19.9/7.0, with vendor patches available across stable branches (6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS exploitation probability is very low (0.02%, 7th percentile) and no active exploitation or public POC has been identified, but the high CVSS 7.5 reflects trivial remote triggering (AV:N/AC:L/PR:N) for denial-of-service in affected configurations.
Local privilege escalation potential in the Linux kernel's Microsoft Azure Network Adapter (mana) driver allows a low-privileged local user to trigger a use-after-free via a double destroy_workqueue() call on the gc->service_wq pointer when mana_gd_setup() fails. The flaw, fixed in the 6.18.x and 6.19.x stable trees, has no public exploit identified at time of analysis and an EPSS of 0.02% (4th percentile), but carries a CVSS of 7.8 due to high confidentiality, integrity, and availability impact within the kernel.
Race condition in the Linux kernel cgroup subsystem's task iterator exposes local low-privileged users to a denial-of-service condition when task migration and cgroup iteration execute concurrently. The cgroup infrastructure fails to advance active css_task_iters before a task is unlinked from cset->tasks during migration, allowing iterators to reference the wrong linked list and silently skip tasks - or in worst-case scenarios, cause css_task_iter_advance() to crash or loop infinitely on the destination css_set. No public exploit identified at time of analysis; EPSS of 0.02% at the 7th percentile reflects extremely low observed exploitation probability and aligns with the narrow race window required.
Reference count underflow in Linux kernel sched_ext subsystem enables local privilege escalation to execute arbitrary code with kernel privileges. The flaw affects kernel versions 6.12 through 6.19.x (prior to patched releases 6.12.78, 6.18.19, 6.19.9, 7.0), scoring CVSS 7.8 with local attack vector requiring low privileges. Vendor patches available via stable kernel updates. EPSS exploitation probability is low (0.02%, 5th percentile) with no public exploit code or active exploitation confirmed at time of analysis, though the Use-After-Free primitive could enable kernel memory corruption attacks.
Use-after-free in Linux kernel ALSA PCM subsystem allows local authenticated users to corrupt memory and potentially execute arbitrary code with kernel privileges. The vulnerability occurs in snd_pcm_drain() when a linked stream's runtime structure is freed via concurrent close() while still being dereferenced, enabling information disclosure, system crashes, or privilege escalation. With EPSS at 0.02% (7th percentile) and CVSS 7.8, this represents elevated theoretical risk but shows no evidence of active exploitation or public POC at time of analysis. Vendor patches are available across multiple stable kernel branches (5.10.253, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).
NULL pointer dereference in the Linux kernel's ALSA USB-audio Scarlett2 mixer quirk allows a local low-privileged user to crash the kernel (denial of service) by presenting a malformed USB descriptor with zero endpoints. Affected systems running unpatched kernels from the initial commit onward through stable branches 6.1.x, 6.6.x, 6.12.x, 6.18.x, and 6.19.x are exposed whenever the USB-audio driver enumerates a crafted or emulated Scarlett2-type device. No active exploitation is confirmed (not in CISA KEV) and no public exploit identified at time of analysis; the EPSS score of 0.03% (8th percentile) confirms very low real-world exploitation probability.
In the Linux kernel, the following vulnerability has been resolved: rust_binder: fix oneway spam detection The spam detection logic in TreeRange was executed before the current request was inserted into the tree. So the new request was not being factored in the spam calculation. Fix this by moving the logic after the new range has been inserted. Also, the detection logic for ArrayRange was missing altogether which meant large spamming transactions could get away without being detected. Fix this by implementing an equivalent low_oneway_space() in ArrayRange. Note that I looked into centralizing this logic in RangeAllocator but iterating through 'state' and 'size' got a bit too complicated (for me) and I abandoned this effort.
Local privilege escalation in Linux kernel's Rust Binder allows authenticated users to write to normally read-only binder pages, potentially leading to memory corruption and arbitrary code execution. The vulnerability stems from improper VMA (Virtual Memory Area) ownership validation during page installation - if a VMA is closed and replaced at the same address, Rust Binder may install pages into the wrong VMA, converting read-only pages to writable. Affects Linux kernel 6.18+ with Rust Binder enabled. EPSS score of 0.02% suggests low observed exploitation probability. Vendor patches available (6.18.19, 6.19.9, 7.0) via kernel.org stable tree commits.
Time-of-check-to-time-of-use (TOCTOU) race condition in Linux kernel's rust_binder implementation allows local authenticated attackers with low privileges to escalate privileges. The flaw exists in transaction offset array handling where values copied to a target process's read-only VMA are read back without protection against concurrent modification. If an attacker can write to their own supposedly read-only VMA through a separate vulnerability, they can modify offsets between write and read operations, causing the kernel to misinterpret transaction data and potentially enabling privilege escalation into the sending process. Patch available in kernel versions 6.18.19, 6.19.9, and 7.0. EPSS score of 0.02% suggests limited real-world exploitation likelihood despite CVSS 7.8 severity.
Memory leak in the Linux kernel xHCI USB host controller driver's xhci_disable_slot() function causes kernel memory exhaustion under error conditions, leading to denial of service. Affected kernels span multiple stable branches from the introduction commit through versions before 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0. A local low-privileged user who can trigger USB xHCI slot disable error paths - requiring specific hardware fault conditions - could accumulate kernel memory leaks over time, ultimately causing system instability. No public exploit identified at time of analysis; EPSS is 0.03% (9th percentile), reflecting negligible real-world exploitation likelihood.
NULL pointer dereference in the Linux kernel's xhci USB host controller debugfs interface allows a local low-privileged user to crash the kernel (denial of service) by reading portli debugfs files. The flaw surfaces when xhci's max_ports count exceeds the number of ports covered by Supported Protocol capabilities - producing NULL rhub pointers - which the portli read handler dereferences without checking. No public exploit has been identified and EPSS is 0.02% (5th percentile), indicating negligible broad exploitation interest; the vulnerability is not listed in CISA KEV.
Race condition in the Linux kernel's yurex USB driver probe function allows a local low-privileged attacker to cause a denial of service by triggering a timing window between URB submission and bbu member initialization. Affected are all kernel versions from the initial commit through the stable branch fix points (patched in 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0). No public exploit exists and the issue is not listed in CISA KEV; EPSS of 0.02% (7th percentile) reflects negligible widespread exploitation probability.
Indefinite kernel thread hang in the Linux kernel usbtmc (USB Test and Measurement Class) driver allows a local authenticated user to cause a denial of service by supplying an arbitrarily large timeout value via ioctl. The driver previously passed user-controlled timeout values directly to usb_bulk_msg(), which uses unkillable waits, meaning the kernel thread could never be interrupted or killed once blocked. No public exploit or active exploitation has been identified at time of analysis, and EPSS probability is negligible at 0.02%, but the straightforward local trigger path makes this a meaningful availability risk on systems with USBTMC devices.
Unbounded uninterruptible USB synchronous timeout in the Linux kernel's usbcore subsystem allows a local low-privilege user to permanently hang a kernel task with no signal-based kill path. The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs accept arbitrary timeout values and use TASK_UNINTERRUPTIBLE waits, meaning a task blocked on a misbehaving or absent USB device cannot be terminated by SIGKILL - only physical device removal can unblock it. CVSS 5.5 (AV:L/PR:L/A:H), EPSS at 0.02% (7th percentile), no KEV listing, and no public exploit code at time of analysis collectively indicate low active exploitation risk, though the denial-of-service primitive is straightforward once local access is established.
Out-of-bounds read in the Linux kernel's USB CDC-WDM (Communication Device Class - Wireless Device Management) driver allows a local low-privileged attacker to disclose uninitialized kernel memory and potentially crash the host through a memory-ordering race between desc->length updates and a memmove() in the read path. The flaw stems from compiler reordering or CPU out-of-order execution that can cause wdm_read() to observe an updated length before the corresponding data is fully copied, leading copy_to_user() to operate on uninitialized memory. EPSS is very low (0.02%, 7th percentile), there is no public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Use-after-free in the Linux kernel's Renesas USB host (renesas_usbhs) driver allows a local low-privileged attacker to potentially corrupt memory or escalate privileges during device removal. The flaw stems from the interrupt handler remaining registered while driver resources, including the pipe array, are freed in usbhs_remove(), creating a race window where the ISR can dereference freed memory. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but the kernel-level memory corruption impact (CVSS 7.8) makes it a meaningful local risk on affected Renesas USB hardware.
Denial of service in the Linux kernel mdc800 USB imaging driver allows a local low-privileged user to crash the kernel by triggering a URB double-submission race condition. The mdc800_device_read() function submits a USB Request Block (URB) but fails to cancel it on timeout, leaving it active; a subsequent read() resubmits the same in-flight URB, triggering a kernel WARN in usb_submit_urb() that can destabilize the system. No public exploit exists and no active exploitation has been identified - EPSS is 0.02% (7th percentile), reflecting the hardware-specific, local-access-only nature of this flaw.