Skip to main content

Linux

12819 CVEs vendor

Monthly

CVE-2026-43424 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's USB gadget f_tcm (USB Target Controller Module) driver allows an authenticated local attacker with USB host access to trigger a kernel panic by sending Bulk-Only Transport (BOT) commands during a race window where the ConfigFS-managed nexus pointer is uninitialized or torn down. Affected systems are those acting as USB gadgets - primarily embedded devices and single-board computers - running kernel versions from commit c52661d60f636d17e26ad834457db333bd1df494 onward without the applied fix. No public exploit exists and the vulnerability is absent from CISA KEV; EPSS of 0.02% (7th percentile) confirms negligible observed exploitation activity.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43423 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: Fix atomic context locking issue The ncm_set_alt function was holding a mutex to protect against races with configfs, which invokes the might-sleep function inside an atomic context. Remove the struct net_device pointer from the f_ncm_opts structure to eliminate the contention. The connection state is now managed by a new boolean flag to preserve the use-after-free fix from commit 6334b8e4553c ("usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error"). BUG: sleeping function called from invalid context Call Trace: dump_stack_lvl+0x83/0xc0 dump_stack+0x14/0x16 __might_resched+0x389/0x4c0 __might_sleep+0x8e/0x100 ... __mutex_lock+0x6f/0x1740 ... ncm_set_alt+0x209/0xa40 set_config+0x6b6/0xb40 composite_setup+0x734/0x2b40 ...

Information Disclosure Linux
NVD VulDB
EPSS
0.0%
CVE-2026-43422 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: usb: legacy: ncm: Fix NPE in gncm_bind Commit 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle with bind/unbind") deferred the allocation of the net_device. This change leads to a NULL pointer dereference in the legacy NCM driver as it attempts to access the net_device before it's fully instantiated. Store the provided qmult, host_addr, and dev_addr into the struct ncm_opts->net_opts during gncm_bind(). These values will be properly applied to the net_device when it is allocated and configured later in the binding process by the NCM function driver.

Denial Of Service Linux
NVD VulDB
EPSS
0.0%
CVE-2026-43421 MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel USB NCM gadget subsystem (f_ncm) causes kernel crashes during USB device disconnection cycles. The vulnerability stems from a net_device lifecycle management flaw where the network device outlives its parent gadget device, leaving dangling sysfs links that trigger null pointer dereferences. Systems acting as USB NCM gadgets - common in embedded Linux, postmarketOS, and USB tethering scenarios - are exposed to local denial-of-service conditions upon USB reconnection. No public exploit exists and EPSS stands at 0.02%, indicating very low exploitation probability; however, the bug can be triggered by any low-privileged local user on an affected configuration.

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43420 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: ceph: fix i_nlink underrun during async unlink During async unlink, we drop the `i_nlink` counter before we receive the completion (that will eventually update the `i_nlink`) because "we assume that the unlink will succeed". That is not a bad idea, but it races against deletions by other clients (or against the completion of our own unlink) and can lead to an underrun which emits a WARNING like this one: WARNING: CPU: 85 PID: 25093 at fs/inode.c:407 drop_nlink+0x50/0x68 Modules linked in: CPU: 85 UID: 3221252029 PID: 25093 Comm: php-cgi8.1 Not tainted 6.14.11-cm4all1-ampere #655 Hardware name: Supermicro ARS-110M-NR/R12SPD-A, BIOS 1.1b 10/17/2023 pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drop_nlink+0x50/0x68 lr : ceph_unlink+0x6c4/0x720 sp : ffff80012173bc90 x29: ffff80012173bc90 x28: ffff086d0a45aaf8 x27: ffff0871d0eb5680 x26: ffff087f2a64a718 x25: 0000020000000180 x24: 0000000061c88647 x23: 0000000000000002 x22: ffff07ff9236d800 x21: 0000000000001203 x20: ffff07ff9237b000 x19: ffff088b8296afc0 x18: 00000000f3c93365 x17: 0000000000070000 x16: ffff08faffcbdfe8 x15: ffff08faffcbdfec x14: 0000000000000000 x13: 45445f65645f3037 x12: 34385f6369706f74 x11: 0000a2653104bb20 x10: ffffd85f26d73290 x9 : ffffd85f25664f94 x8 : 00000000000000c0 x7 : 0000000000000000 x6 : 0000000000000002 x5 : 0000000000000081 x4 : 0000000000000481 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff08727d3f91e8 Call trace: drop_nlink+0x50/0x68 (P) vfs_unlink+0xb0/0x2e8 do_unlinkat+0x204/0x288 __arm64_sys_unlinkat+0x3c/0x80 invoke_syscall.constprop.0+0x54/0xe8 do_el0_svc+0xa4/0xc8 el0_svc+0x18/0x58 el0t_64_sync_handler+0x104/0x130 el0t_64_sync+0x154/0x158 In ceph_unlink(), a call to ceph_mdsc_submit_request() submits the CEPH_MDS_OP_UNLINK to the MDS, but does not wait for completion. Meanwhile, between this call and the following drop_nlink() call, a worker thread may process a CEPH_CAP_OP_IMPORT, CEPH_CAP_OP_GRANT or just a CEPH_MSG_CLIENT_REPLY (the latter of which could be our own completion). These will lead to a set_nlink() call, updating the `i_nlink` counter to the value received from the MDS. If that new `i_nlink` value happens to be zero, it is illegal to decrement it further. But that is exactly what ceph_unlink() will do then. The WARNING can be reproduced this way: 1. Force async unlink; only the async code path is affected. Having no real clue about Ceph internals, I was unable to find out why the MDS wouldn't give me the "Fxr" capabilities, so I patched get_caps_for_async_unlink() to always succeed. (Note that the WARNING dump above was found on an unpatched kernel, without this kludge - this is not a theoretical bug.) 2. Add a sleep call after ceph_mdsc_submit_request() so the unlink completion gets handled by a worker thread before drop_nlink() is called. This guarantees that the `i_nlink` is already zero before drop_nlink() runs. The solution is to skip the counter decrement when it is already zero, but doing so without a lock is still racy (TOCTOU). Since ceph_fill_inode() and handle_cap_grant() both hold the `ceph_inode_info.i_ceph_lock` spinlock while set_nlink() runs, this seems like the proper lock to protect the `i_nlink` updates. I found prior art in NFS and SMB (using `inode.i_lock`) and AFS (using `afs_vnode.cb_lock`). All three have the zero check as well.

Information Disclosure Linux
NVD VulDB
EPSS
0.0%
CVE-2026-43419 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: ceph: fix memory leaks in ceph_mdsc_build_path() Add __putname() calls to error code paths that did not free the "path" pointer obtained by __getname(). If ownership of this pointer is not passed to the caller via path_info.path, the function must free it before returning.

Information Disclosure Linux
NVD VulDB
EPSS
0.0%
CVE-2026-43418 Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: sched/mmcid: Prevent CID stalls due to concurrent forks A newly forked task is accounted as MMCID user before the task is visible in the process' thread list and the global task list. This creates the following problem: CPU1 CPU2 fork() sched_mm_cid_fork(tnew1) tnew1->mm.mm_cid_users++; tnew1->mm_cid.cid = getcid() -> preemption fork() sched_mm_cid_fork(tnew2) tnew2->mm.mm_cid_users++; // Reaches the per CPU threshold mm_cid_fixup_tasks_to_cpus() for_each_other(current, p) .... As tnew1 is not visible yet, this fails to fix up the already allocated CID of tnew1. As a consequence a subsequent schedule in might fail to acquire a (transitional) CID and the machine stalls. Move the invocation of sched_mm_cid_fork() after the new task becomes visible in the thread and the task list to prevent this. This also makes it symmetrical vs. exit() where the task is removed as CID user before the task is removed from the thread and task lists.

Information Disclosure Linux
NVD
EPSS
0.0%
CVE-2026-43417 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: sched/mmcid: Handle vfork()/CLONE_VM correctly Matthieu and Jiri reported stalls where a task endlessly loops in mm_get_cid() when scheduling in. It turned out that the logic which handles vfork()'ed tasks is broken. It is invoked when the number of tasks associated to a process is smaller than the number of MMCID users. It then walks the task list to find the vfork()'ed task, but accounts all the already processed tasks as well. If that double processing brings the number of to be handled tasks to 0, the walk stops and the vfork()'ed task's CID is not fixed up. As a consequence a subsequent schedule in fails to acquire a (transitional) CID and the machine stalls. Cure this by removing the accounting condition and make the fixup always walk the full task list if it could not find the exact number of users in the process' thread list.

Information Disclosure Linux
NVD
EPSS
0.0%
CVE-2026-43416 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's PowerPC perf subsystem crashes the kernel when user callchain collection is attempted after a thread's mm structure has been released. Local authenticated users with BPF execution privileges on PowerPC systems can trigger a kernel panic by running profiling tools such as bcc-tools' profile.py at the moment of thread exit, resulting in a full system denial of service. No public exploit has been identified at time of analysis and EPSS is 0.02% (4th percentile), reflecting low widespread exploitation probability; however, the bug is confirmed by kernel maintainers with a full panic trace and patches are available in stable kernel releases.

Denial Of Service Null Pointer Dereference Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43415 MEDIUM PATCH This Month

Kernel panic triggered by a race condition in the UFS Host Controller Driver (ufshcd) during system suspend affects Linux systems using Universal Flash Storage hardware where UFSHCD_CAP_CLK_GATING is not supported. The flaw allows a local low-privileged user - or automated power management - to crash the kernel by triggering a suspend sequence while ufshcd_rtc_work() is concurrently executing, producing an ARM64 asynchronous SError interrupt that halts the system. No public exploit code exists and no active exploitation has been identified; with an EPSS of 0.02% this is a low-probability but confirmed-availability-destroying defect patched across multiple stable kernel branches.

Information Disclosure Linux Race Condition Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-43414 CRITICAL PATCH Act Now

Double-free vulnerability in Linux kernel's qla2xxx SCSI driver allows remote code execution or denial of service through malformed Fibre Channel ELS commands. The qla24xx_els_dcmd_iocb() function incorrectly frees fcport structures twice during error handling - once via kref_put() calling qla2x00_els_dcmd_sp_free(), then again explicitly afterward. Despite the CVSS:3.1/AV:N score of 9.8, the network vector appears to reflect the driver's network-facing nature (Fibre Channel over IP or similar) rather than internet-accessible exploitation. EPSS score of 0.02% (5th percentile) indicates extremely low observed exploitation probability. Patches available across multiple stable kernel branches (6.9+, 6.19.9+, 7.0+) per upstream commits.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43413 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's hisi_sas SCSI driver crashes systems when a local user triggers a host scan via sysfs. Authenticated local users with low privileges can write to the sysfs scan interface, causing kernel oops due to a channel iteration bug introduced in commit 37c4e72b0651 - the driver supports only one channel (channel 0) but its max_channel is set to 1, causing sas_user_scan() to attempt scanning channel 1 where no valid SAS device structure exists. The result is a denial-of-service via kernel NULL pointer dereference at sas_find_dev_by_rphy(). No public exploit or CISA KEV listing has been identified; EPSS is 0.02% (5th percentile), consistent with low-likelihood opportunistic exploitation.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43412 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's ASoC QCOM QDSP6 subsystem crashes systems built on Qualcomm SA8775P and SC8280XP SoCs during ADSP protection-domain restart cycles. The crash occurs because the q6apm-audio .remove callback prematurely deletes Runtime Descriptions (RTDs) containing q6apm DAI components during ASoC teardown, leaving those components still linked to the sound card and triggering a kernel oops on the subsequent rebind. Impact is limited to availability (kernel panic/denial of service); no public exploit has been identified at time of analysis, and EPSS at 0.02% reflects very low widespread exploitation probability.

Qualcomm Linux Null Pointer Dereference Denial Of Service Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43411 MEDIUM PATCH This Month

Divide-by-zero in the Linux kernel's TIPC (Transparent Inter-Process Communication) subsystem allows a local low-privileged user to trigger a kernel oops/panic via a crafted setsockopt call. An attacker with local access sets conn_timeout to a value in the range [0, 3] on a TIPC socket, then initiates a connection that receives TIPC_ERR_OVERLOAD, causing integer division by zero in tipc_sk_filter_connect() and crashing the kernel. No public exploit has been identified at time of analysis and EPSS is 0.02%, but the low-complexity, low-privilege local trigger makes this a practical local denial-of-service in shared or container environments.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43410 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's stratix10-rsu firmware driver triggers a kernel panic (denial of service) on Intel/Altera SoCFPGA Stratix 10 systems running kernel 6.19.x when RSU is disabled in the First Stage Boot Loader. A local authenticated user can cause a full system crash by triggering the svc_normal_to_secure_thread kernel thread, which dereferences an already-freed service channel pointer. No public exploit identified at time of analysis; EPSS score of 0.02% at the 5th percentile reflects the narrow hardware-specific exposure.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43409 MEDIUM PATCH This Month

Kernel crash (page fault) in the Linux kernel's kprobes subsystem allows a local authenticated user to trigger a system denial-of-service by removing a module containing kprobe probes after ftrace has been killed due to prior errors. The affected code path in kprobes_module_callback does not check the kprobe_ftrace_disabled flag set by ftrace_kill(), causing invalid memory access traceable via KASAN at address fffffbfff805000d. No active exploitation has been confirmed; EPSS is 0.02% (5th percentile), reflecting the niche preconditions required.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43408 HIGH PATCH This Week

Memory corruption in the Linux kernel's Ceph filesystem client allows local authenticated users to trigger kernel crashes and potentially escalate privileges. The vulnerability stems from missing zero-initialization of ceph_path_info structures before passing them to ceph_mdsc_build_path(), causing subsequent ceph_mdsc_free_path_info() calls to attempt freeing uninitialized or corrupted memory pointers. Multiple code paths in ceph_open() and related functions are affected, introduced by commit 15f519e9f883. Patches are available for kernel versions 6.12.78, 6.18.19, 6.19.9, and 7.0. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation, with no public exploit code or CISA KEV listing at time of analysis.

Denial Of Service Linux Null Pointer Dereference
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43407 CRITICAL PATCH Act Now

Integer overflow in Linux kernel's libceph authentication handler enables remote memory corruption and potential system crash against unpatched systems. A malicious Ceph monitor can send a specially crafted CEPH_MSG_AUTH_REPLY message with payload_len exceeding INT_MAX, causing ceph_handle_auth_reply() to underflow a pointer and trigger out-of-bounds memory access. This allows remote unauthenticated attackers to potentially read sensitive kernel memory (high confidentiality impact) or crash the kernel (high availability impact) on systems using Ceph storage. CVSS 9.1 (Critical) reflects network attack vector with no authentication or user interaction required. EPSS score of 0.02% (7th percentile) suggests low observed exploitation likelihood. Vendor patches available for all affected kernel series (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0), but no active exploitation confirmed via CISA KEV.

Buffer Overflow Debian Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-43406 CRITICAL PATCH Act Now

Out-of-bounds memory reads in Linux kernel's libceph messaging layer allow remote unauthenticated attackers to disclose kernel memory or trigger denial-of-service via malformed Ceph protocol frames. The vulnerability exists in process_message_header() when message frames are corrupted to make the control segment length smaller than the message header size, bypassing length validation. Vendor patches available for stable kernel versions 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% and no KEV listing suggest limited real-world exploitation observed despite network-accessible attack vector and unauthenticated access. Critical CVSS score of 9.1 reflects worst-case impact (high confidentiality and availability risk) if Ceph storage networking is exposed.

Buffer Overflow Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-43405 HIGH PATCH This Week

Integer signedness vulnerability in Linux kernel's Ceph networking library (libceph) allows remote attackers to trigger denial of service via crafted monitor map messages. The flaw enables bypassing memory allocation limits by exploiting signed/unsigned integer confusion in ceph_monmap_decode(), causing excessive memory allocation attempts that crash the system. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and 0.02% EPSS score, this represents a network-reachable DoS vector against systems using Ceph storage, though low exploitation probability suggests limited attacker interest. Patches available across all maintained kernel branches (5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43404 MEDIUM PATCH This Month

Livelock and CPU starvation in the Linux kernel memory management subsystem allows a local authenticated user to hang the system by triggering an unbounded spin loop in hmm_range_fault(). The root cause is in do_swap_page(), where failure to acquire folio_trylock() on a device-private folio causes the kernel to spin indefinitely while a competing process holding the lock is blocked waiting for work items on the same CPU - work items that are starved by the spinner. This vulnerability requires a highly specific combination of HMM device-private memory migration conditions and is confirmed reproduced by the Intel GPU test suite. No public exploit exists and no active exploitation is identified at time of analysis.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43403 HIGH PATCH This Week

Namespace iteration ioctl permission bypass in Linux kernel allows local privileged users to enumerate namespaces of other privileged services, potentially leaking cross-service information. Affects kernel 6.12 through 6.19.x with patches available in 6.12.78, 6.18.20, 6.19.9, and mainline 7.0. The vulnerability has low EPSS (0.02%, 5th percentile) indicating minimal observed exploitation activity. Vendor patches deployed across stable kernel branches address the issue by enforcing stricter namespace visibility policies via the may_see_all_namespaces() helper.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-43402 CRITICAL PATCH Act Now

Use-after-free in Linux kernel kthread subsystem enables memory corruption leading to arbitrary code execution or denial of service. The vulnerability arises when kernel threads exit via make_task_dead() instead of kthread_exit(), bypassing affinity_node cleanup. This causes dangling pointers in the global kthread_affinity_list that corrupt freed memory reused by the SLAB allocator, specifically overwriting RCU callback function pointers in struct pid objects. CVSS rates this 9.8 critical, though the network attack vector appears misclassified since kernel thread manipulation requires local code execution. EPSS score of 0.02% (4th percentile) indicates low predicted exploitation likelihood despite severity. Vendor patches available for Linux 6.18.19, 6.19.9, and 7.0 via upstream commits.

Denial Of Service Linux Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43401 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's intel_pstate cpufreq driver crashes systems booted with the 'nosmt' parameter when CPU QoS requests are processed for SMT sibling threads. On 'nosmt'-booted systems, all_cpu_data[cpu] is NULL for disabled SMT siblings; update_cpu_qos_request() dereferences cpudata->pstate.turbo_freq before validating the policy pointer, producing a kernel panic and local denial of service. EPSS at 0.02% (4th percentile) reflects very low exploitation probability, no public exploit code has been identified, and no CISA KEV listing exists at time of analysis.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43400 MEDIUM PATCH This Month

Out-of-memory exploitation in the Linux kernel's amdgpu DRM subsystem allows a local, low-privileged user to crash the system by supplying unchecked huge values to the amdgpu_userq_signal_ioctl interface. The missing upper-bound validation on user inputs enables resource exhaustion that can destabilize or deny service on any Linux system equipped with a supported AMD GPU. No public exploit code exists and no active exploitation has been confirmed (no CISA KEV listing), with an EPSS of 0.02% placing this firmly in the low-priority tier for most environments outside high-assurance or shared multi-user GPU workloads.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43399 MEDIUM PATCH This Month

Reference leak in the Linux kernel's amdgpu userqueue subsystem allows a local low-privileged user to exhaust kernel resources by repeatedly triggering an early-abort code path in amdgpu_userq_wait_ioctl. When the ioctl aborts because the caller-supplied output array is too small, the kernel omits required reference drops on syncobj and timeline fence objects, preventing those objects from ever being freed. No active exploitation is confirmed (not in CISA KEV), and EPSS sits at 0.02% (4th percentile), signaling negligible real-world exploitation activity.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43398 MEDIUM PATCH This Month

Out-of-memory exploitation in the Linux kernel's amdgpu DRM driver allows a local low-privileged user to crash or destabilize a system by supplying oversized input values to the amdgpu_userq_wait_ioctl interface. Systems running affected kernel versions with AMD GPU hardware are vulnerable to availability loss. No public exploit code has been identified at time of analysis, and an EPSS score of 0.02% (4th percentile) reflects very low real-world exploitation probability; this is not confirmed actively exploited (not in CISA KEV).

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43397 MEDIUM PATCH This Month

Memory leak in the Linux kernel's samsung-dsim DRM bridge driver allows a local low-privileged user to exhaust kernel memory by repeatedly triggering error paths in samsung_dsim_host_attach() where drm_bridge_remove() is never called after a failed samsung_dsim_register_te_irq() or host attach operation. Affected systems must be running Samsung MIPI DSI display hardware with the samsung-dsim module loaded. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) combined with absence from CISA KEV confirms this is a low-exploitation-likelihood maintenance fix rather than an active threat.

Information Disclosure Samsung Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43396 MEDIUM PATCH This Month

Memory leak in the Linux kernel's drm/xe (Intel Xe GPU) sync subsystem allows a local low-privileged user to cause a denial of service by exhausting kernel memory. The flaw exists in the drm/xe/sync error-handling path: when dma_fence_chain_alloc() fails, the user fence reference is not properly released (CWE-401), leaving allocated memory permanently inaccessible to the allocator. No active exploitation has been identified (EPSS 0.02%, 4th percentile, not in CISA KEV), and patches have been backported to stable kernel branches including 6.18.20 and 6.19.9.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43395 MEDIUM PATCH This Month

Incomplete cleanup in the Linux kernel's DRM/Xe GPU driver allows a local low-privileged user to leak kernel object references (syncobj, fence, chain fence, or user fence) by triggering error paths in xe_sync_entry_parse(), resulting in kernel memory exhaustion and local denial of service. Affected kernels include those shipping the Intel Xe GPU driver from the introducing commit (dd08ebf6c352) up to the fix commits landed in stable series 6.12, 6.18, 6.19, and 7.0. No public exploit code exists and no active exploitation has been reported; EPSS probability sits at 0.02% (5th percentile), reflecting extremely low real-world exploitation interest.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43394 MEDIUM PATCH This Month

Credential reference leak in the Linux kernel's NFS server daemon (nfsd) subsystem allows a local low-privileged user to cause a denial of service through kernel memory exhaustion. The vulnerable function nfsd_nl_listener_set_doit() calls get_current_cred() without a matching put_cred(), leaking one credential reference on each invocation. No active exploitation has been identified (EPSS 0.02%, 5th percentile; not listed in CISA KEV), and patches are available across multiple stable kernel branches.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43393 MEDIUM PATCH This Month

Memory leak in the Linux kernel btrfs filesystem driver allows a local low-privileged user to cause kernel memory exhaustion leading to denial of service. The defect resides in btrfs_map_block(), which fails to release a chunk map object when btrfs_chunk_map_num_copies() triggers an early return with -EINVAL, leaving the allocation dangling. No public exploit code has been identified at time of analysis, and EPSS sits at the 5th percentile (0.02%), reflecting a low practical exploitation probability consistent with the local-only attack vector.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43392 MEDIUM PATCH This Month

System-hang denial-of-service in the Linux kernel's sched_ext (SCX) extensible scheduler subsystem allows a local low-privileged attacker to indefinitely starve the scx_enable() thread by saturating fair-class workloads, causing the system to hang. Affected are kernel versions containing the SCX subsystem from the introduction commit 8c2090c504e998c8f34ec870bae71dafcc96a6e0 through multiple stable branches including 6.12.x before 6.12.78 and 6.18.x/6.19.x series. EPSS exploitation probability is 0.02% (5th percentile) with no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Linux
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43391 HIGH PATCH This Week

Insufficient permission checks in Linux kernel nsfs (namespace filesystem) allow low-privileged local users to access other processes' namespaces, potentially escalating privileges across namespace boundaries and leaking sensitive information between isolated services. The vulnerability affects kernel versions before 6.19.9 and 7.0, with patches available in stable branches d2324a9317f0 and 1797ee11451f. EPSS score of 0.02% (5th percentile) indicates low current exploitation probability, and no active exploitation or public POC has been identified in CISA KEV or public sources. The CVSS 8.8 (High) rating reflects scope change (S:C) indicating privilege escalation across security boundaries - a critical concern for containerized environments where namespace isolation is foundational to multi-tenant security.

Information Disclosure Linux
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-43390 MEDIUM PATCH This Month

Insufficient permission enforcement in the Linux kernel's nstree subsystem allows a local privileged service to enumerate namespace trees belonging to other co-located privileged services, breaking the isolation model that Linux namespaces are designed to enforce. Affected systems include those running Linux kernel versions prior to the fix commits in the 6.19.x stable series and the 7.0 upstream branch, with downstream impact confirmed by Red Hat and SUSE. No public exploit has been identified at time of analysis, and EPSS is 0.02% (5th percentile), making this a low-urgency but architecturally significant issue for multi-tenant and containerized deployments.

Information Disclosure Linux
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43389 MEDIUM PATCH This Month

The memfd_luo (memory file descriptor Live Update Operations) subsystem in the Linux kernel silently discards user data by incorrectly tracking folio dirty state across live kernel updates. Folios that are clean at preserve() time but subsequently written to are serialized as clean, causing the successor kernel to treat them as reclaimable under memory pressure - permanently destroying user data stored in those memory regions. This affects systems using the memfd LUO live kernel update feature, with fixes confirmed in Linux 6.19.9 and 7.0. No public exploit exists and EPSS is 0.02%, reflecting the niche deployment conditions required.

Information Disclosure Linux
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43388 HIGH PATCH This Week

Use-after-free condition in the Linux kernel's DAMON (Data Access MONitor) subsystem affects systems running kernel version 6.14 and related stable branches prior to the patched commits. A local low-privileged user can trigger a dangling pointer to a stack-allocated walk_control structure when damos_walk() is invoked against an inactive DAMON context, with no public exploit identified at time of analysis and an EPSS probability of just 0.02%.

Information Disclosure Use After Free Memory Corruption Linux
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43387 MEDIUM PATCH This Month

Out-of-bounds read in the Linux kernel's staging rtl8723bs WiFi driver allows a local low-privileged attacker to crash the system via improper length validation in the rtw_get_ie_ex() information element parser. The flaw mirrors a previously patched issue in the sibling rtw_get_ie() parser (commit 154828bf9559) - the fix was not consistently applied to rtw_get_ie_ex(). With a CVSS score of 5.5, local access requirement, and EPSS of 0.02% (7th percentile), this is a low-urgency availability issue with no public exploit and no KEV listing. Patches have been released across all major active stable kernel branches.

Buffer Overflow Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43386 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's rtl8723bs staging Wi-Fi driver allows a local authenticated attacker to read memory beyond the WMM IE buffer and potentially crash the kernel. The flaw resides in rtw_restruct_wmm_ie(), which accesses in_ie[i+5] before validating that the index is within in_len. EPSS is 0.02% (7th percentile) and no public exploit identified at time of analysis, but a vendor-released patch is available across multiple stable branches.

Information Disclosure Buffer Overflow Linux
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43385 HIGH PATCH This Week

RCU tasks grace period stalls cause denial of service in Linux kernel's threaded NAPI busypoll implementation (6.19+). When threaded busypoll is enabled on network interfaces, the napi_threaded_poll_loop function resets its quiescent state tracking (last_qs) on every invocation, preventing rcu_softirq_qs_periodic from reporting grace period completion. This triggers kernel stalls lasting hundreds of seconds (400,000+ jiffies observed), causing tools like bpftrace to hang indefinitely and impacting system stability. Vendor patches available for 6.19.9 and 7.0. EPSS score of 0.02% suggests very low active exploitation likelihood, consistent with this being a kernel-internal RCU mechanism issue affecting specific network polling configurations rather than a remotely triggerable network attack surface.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43384 CRITICAL PATCH Act Now

Timing attacks can compromise TCP Authentication Option (TCP-AO) message authentication codes in Linux kernel 6.7+ due to non-constant-time MAC comparison. Remote unauthenticated attackers on the network path can exploit timing differences during MAC validation to extract authentication secrets, defeating TCP-AO's connection authentication mechanism. Exploitation probability is low (EPSS 0.02%, 5th percentile) with no confirmed active exploitation, but vendor patches are available for affected stable branches including 6.12.78, 6.18.19, 6.19.9, and mainline 7.0.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43383 CRITICAL PATCH Act Now

Timing attacks against TCP MD5 authentication in Linux kernel allow remote attackers to forge connection signatures through MAC comparison oracle. The vulnerability exists because MAC (Message Authentication Code) comparisons in the TCP-MD5 implementation are not constant-time, enabling attackers to extract authentication secrets through timing side-channels. All Linux kernel versions from 2.6.20 through 6.19.9 are affected. Patches are available across all actively maintained stable branches (5.10, 6.1, 6.6, 6.12, 6.18, 6.19, 7.0). EPSS score of 0.02% suggests low automated exploitation probability, though the network-accessible attack vector and authentication bypass capability represent significant risk for systems using TCP MD5 signatures (RFC 2385).

Information Disclosure Linux
NVD VulDB
CVSS 3.1
9.4
EPSS
0.0%
CVE-2026-43382 MEDIUM PATCH This Month

Deadlock in the Linux kernel's batman-adv ELP metric worker allows a local low-privileged user to trigger a kernel hang and cause a denial of service. The flaw exists in batadv_v_elp_get_throughput() where a previous fix using rtnl_trylock() for the ethtool path failed to cover the cfg80211 interface path, which still called batadv_get_real_netdev() - itself internally invoking rtnl_lock(). When batadv_v_elp_iface_disable() cancels the work queue via cancel_delayed_work_sync() while the RTNL lock is already held, this double-lock acquisition produces a deadlock. No public exploit identified at time of analysis, and EPSS of 0.02% confirms very low real-world exploitation probability.

Information Disclosure Linux
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43381 MEDIUM PATCH This Month

Kernel crash (local denial of service) in the Linux nouveau NVIDIA GPU driver allows a local authenticated user to trigger a kernel WARNING and system instability by accessing the DisplayPort AUX channel (/dev/drm_dp_*) while the GPU is in runtime-suspended state. The driver fails to check device power state before invoking the GSP (GPU System Processor) firmware communication path, causing an unhandled condition in r535_gsp_msgq_wait. No public exploit exists and the EPSS score is 0.02% (7th percentile), but the vulnerability is notable in environments where fwupd or similar firmware tools interact with DP AUX interfaces on systems using the nouveau driver with runtime power management enabled.

Denial Of Service Lenovo Linux
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43380 HIGH PATCH This Week

Stack buffer overflow in the Linux kernel's pmbus/q54sj108a2 hwmon driver allows local privileged users to corrupt kernel stack memory by reading from a specific debugfs entry. The flaw stems from a misuse of bin2hex() that writes 64 bytes of hex-encoded output into a 34-byte stack buffer, overflowing it by 30 bytes; no public exploit identified at time of analysis and EPSS exploitation probability is negligible at 0.03% (9th percentile).

Information Disclosure Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43379 CRITICAL PATCH Act Now

Use-after-free in Linux kernel ksmbd allows remote unauthenticated attackers to potentially execute arbitrary code, disclose sensitive information, or cause denial of service. The vulnerability stems from improper RCU lock handling in smb_lazy_parent_lease_break_close() where opinfo pointer is dereferenced after RCU read unlock, creating a race condition. Patches available across multiple kernel versions (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). Despite critical CVSS 9.8 score, EPSS exploitation probability is low (0.02%, 5th percentile) and no active exploitation or public POC identified at time of analysis.

Information Disclosure Linux Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43378 CRITICAL PATCH Act Now

Use-after-free in the Linux kernel's ksmbd SMB server (smb2_open()) allows remote attackers to potentially trigger memory corruption when accessing an opinfo pointer dereferenced after rcu_read_unlock(). The flaw is fixed in upstream stable releases (6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0); no public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.

Memory Corruption Information Disclosure Linux Use After Free Red Hat +1
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43377 HIGH PATCH This Week

Linux kernel's ksmbd server exposes SMB3 session, signing, encryption, and decryption keys in debug logs when KSMBD_DEBUG_AUTH is enabled. Authenticated network attackers with access to system logs can retrieve these cryptographic keys to compromise SMB3 session confidentiality and integrity. EPSS probability is very low (0.01%, 3rd percentile) and no active exploitation is documented. Vendor patches available across multiple stable kernel branches (6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.9, 7.0).

Information Disclosure Linux
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-43376 CRITICAL PATCH Act Now

Use-after-free in Linux kernel ksmbd allows remote unauthenticated attackers to execute arbitrary code, escalate privileges, or cause denial of service by racing oplock_info access during concurrent RCU read operations. The vulnerability stems from immediate kfree() without RCU grace period, enabling opinfo_get() to call atomic_inc_not_zero() on freed memory. CVSS 9.8 reflects network exploitability without authentication, though EPSS score of 0.02% (5th percentile) suggests minimal observed exploitation attempts. Vendor patches available across multiple kernel versions (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0) with fixes referenced in five upstream commits. Not listed in CISA KEV; no public exploit code identified at time of analysis.

Information Disclosure Linux Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43375 MEDIUM PATCH This Month

Linux kernel MCTP driver leaks USB device references when probe fails, allowing local authenticated attackers to trigger denial of service through resource exhaustion. The flaw affects kernels from 6.15 through 6.19.9 and has been patched in versions 6.18.19, 6.19.9, and 7.0. EPSS score of 0.02% indicates minimal active exploitation risk, and no public exploit code has been identified at time of analysis.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43374 HIGH PATCH This Week

Use-after-free in Linux kernel nexthop routing code allows local authenticated attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability occurs when removing a nexthop from a routing group, where percpu statistics memory is freed before the RCU grace period completes, allowing concurrent readers to access freed memory. Vendor patches available for stable kernel branches 6.12.78, 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV). CVSS 7.8 reflects local attack vector requiring authenticated access.

Information Disclosure Linux Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43373 HIGH PATCH This Week

Memory exhaustion in Linux kernel NCSI protocol handler allows remote denial of service through resource depletion. The Network Controller Sideband Interface (NCSI) receive and Asynchronous Event Notification (AEN) handlers fail to free socket buffers (skbs) in error paths, enabling network attackers to exhaust kernel memory by sending malformed NCSI packets or triggering device resolution failures. CVSS 7.5 (High severity) reflects unauthenticated network exploitation, though low EPSS score (0.02%, 7th percentile) suggests minimal observed exploitation. Vendor patches available across all active kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43372 MEDIUM PATCH This Month

Resource leak in Linux kernel's Microchip DSA PTP driver allows local authenticated users with low privileges to cause denial of service through high availability impact. The ksz_ptp_irq_setup() function fails to dispose of newly created IRQ mappings when request_threaded_irq() fails during PTP message IRQ setup, leading to resource exhaustion. Vendor patches available across multiple stable kernel branches (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS score of 0.02% (5th percentile) indicates very low probability of exploitation in the wild, and no public exploit identified at time of analysis.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43371 MEDIUM PATCH This Month

Memory leak and denial-of-service in the Linux kernel macb network driver (used in AMD ZynqMP platforms) allows local authenticated users to cause prolonged network disruption and system resource exhaustion. The flaw manifests during suspend/resume cycles when the transmit ring pointer resets incorrectly, silently dropping queued packets without releasing their memory, and causing the driver to become stuck waiting for already-transmitted packets. Real-world impact observed in NFS rootfs recovery delays. EPSS score of 0.02% (7th percentile) indicates low exploitation likelihood. Vendor patches available across multiple stable kernel branches (6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.9).

Amd Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43370 HIGH PATCH This Week

Use-after-free race condition in Linux kernel amdgpu driver allows local authenticated users to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The flaw occurs when parent and child processes sharing a drm_file both attempt to acquire the same virtual memory context after fork(), due to non-atomic vm->process_info assignment. Patches released across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS score of 0.02% (7th percentile) indicates very low predicted exploitation probability despite CVSS 7.8 severity, and no active exploitation or public POC identified.

Information Disclosure Linux Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43369 MEDIUM PATCH This Month

A NULL pointer dereference in Linux kernel AMD GPU driver cleanup code causes local denial of service when GPU initialization fails on systems with unsupported AMD hardware blocks. Local authenticated users with low privileges can trigger kernel crashes during device teardown sequences. The vulnerability affects multiple stable kernel versions (6.18.16-6.18.19, 6.19.6-6.19.9) with patches available from upstream. EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, and no active exploitation or public exploits are confirmed. Real-world impact is limited to systems with specific AMD GPU hardware experiencing initialization failures, making this primarily a reliability issue rather than a direct security threat.

Amd Denial Of Service Linux Null Pointer Dereference Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43368 HIGH PATCH This Week

Integer overflow in Linux kernel's i915 graphics driver corrupts memory mapping for DRM/GEM shmem objects larger than 4GB, causing kernel warnings, potential crashes, and incorrect memory access when Intel graphics hardware processes large buffer objects. The vulnerability manifests when scatterlist length fields overflow during folio page allocation, leading to premature termination of backing page iteration. Patch available across multiple stable kernel branches (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0) per upstream commits. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.

Intel Buffer Overflow Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43367 MEDIUM PATCH This Month

Null pointer dereference in Linux kernel's AMD DRM driver causes system crash during device cleanup on unsupported hardware. The flaw (CWE-476) affects multiple 6.18.x and 6.19.x kernel versions, allowing local authenticated users to trigger denial of service through AMD GPU driver initialization or cleanup operations. Patches available via kernel stable tree commits with EPSS score of 0.02% indicating minimal exploitation likelihood. No active exploitation or public POC identified at time of analysis.

Amd Denial Of Service Linux Null Pointer Dereference Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43366 HIGH PATCH This Week

Local privilege escalation in Linux kernel io_uring subsystem allows authenticated attackers with low privileges to achieve high confidentiality, integrity, and availability impact through improper buffer list type validation during recycling operations. The vulnerability stems from a race condition where buffer lists can be upgraded from legacy to ring-provided type between acquisition and recycling when requests are forced through io-wq, potentially leading to type confusion and memory corruption. Patches available across multiple kernel versions (6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0) with upstream commits confirmed. EPSS score is very low (0.02%, 7th percentile) indicating minimal observed exploitation probability despite high CVSS 7.8 rating. No KEV listing or public exploit identified at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43365 HIGH PATCH This Week

Log corruption in Linux kernel XFS filesystem leads to mount failures and potential data integrity loss when superblock lacks log stripe unit configuration. Systems with 4k physical sector disks are vulnerable to torn writes and CRC failures that prevent filesystem mounting. Vendor-released patches available across multiple stable kernel branches (5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS score of 0.02% suggests low exploitation probability. No active exploitation confirmed (not in CISA KEV). CVSS 8.2 reflects network vector but description indicates local filesystem operation - attack vector discrepancy requires verification.

Microsoft Information Disclosure Linux
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-43364 MEDIUM PATCH This Month

NULL pointer dereference in Linux kernel's ublk driver allows local authenticated users to crash the system by sending UBLK_CMD_UPDATE_SIZE to a device before it starts or after it stops. The vulnerability exists in ublk_ctrl_set_size() which unconditionally dereferences ub->ub_disk without validating the device state, triggering a kernel panic and causing a denial of service. Patches are available from the Linux kernel maintainers for versions 6.18.20, 6.19.9, and 7.0. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability, consistent with the local-only attack vector and absence from CISA KEV.

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43363 MEDIUM PATCH This Month

System hangs on Linux kernel resume from s2ram when firmware re-enables x2apic mode that kernel disabled during boot. Affects x86 systems with APIC hardware where kernel disabled x2apic (due to missing IRQ remapping support or other reasons) but ACPI-compliant firmware restores x2apic to initial boot state per spec. Kernel continues using xapic interface while hardware operates in x2apic mode, causing denial of service through system freezes. CVSS 5.5 (local low-complexity authenticated attack, high availability impact). EPSS 0.02% (7th percentile) indicates low observed exploitation probability. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0 mainline). No KEV listing or public exploit identified at time of analysis.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43362 HIGH PATCH This Week

In-place encryption in the Linux kernel's SMB client corrupts write payloads during retry attempts, potentially causing data integrity loss and denial of service when SMB connections experience transient failures. The flaw affects SMB3 encrypted writes where the encryption process modifies the original buffer in place; on replayable errors (like network interruptions), retries re-send already-encrypted data as if it were plaintext, resulting in double-encryption and corrupted writes. This particularly impacts special file operations (SFU mknod, MF symlinks) and sync writes on pre-6.10 kernels. Patches are available across multiple stable kernel branches (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS score is very low (0.01%), indicating minimal observed exploitation likelihood, and no active exploitation or public POC is documented.

Linux Memory Corruption Buffer Overflow
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-43361 MEDIUM PATCH This Month

Filesystem denial-of-service in the Linux kernel's btrfs subsystem allows a local low-privileged user to force a mounted btrfs filesystem into read-only mode by repeatedly snapshotting a received subvolume until the BTRFS_UUID_KEY_RECEIVED_SUBVOL B-tree leaf overflows its maximum item size, triggering a transaction abort in create_pending_snapshot(). Critically, the operations involved - snapshot, send, receive, and set_received_subvol - require only inode_owner_or_capable() rather than CAP_SYS_ADMIN, meaning unprivileged users owning subvolumes can mount this attack. No public exploit identified at time of analysis beyond the detailed reproducer script embedded in the advisory itself; EPSS at 0.02% (7th percentile) reflects low widespread automated exploitation probability, though multi-tenant environments face elevated practical risk.

Buffer Overflow Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43360 MEDIUM PATCH This Month

Btrfs filesystem transaction abort in the Linux kernel allows a local low-privileged user to force any btrfs-mounted volume into read-only mode by deliberately creating files whose names produce identical crc32c hash values. When enough hash-colliding filenames are created in a single directory, the dir item leaf node fills beyond its size limit, triggering a kernel transaction abort that renders the entire btrfs volume inaccessible for all users. A detailed reproducer script including a curated list of crc32c-colliding filenames is embedded directly in the CVE description, making exploitation trivially repeatable; however, the EPSS score of 0.02% (7th percentile) and absence from CISA KEV indicate no confirmed widespread exploitation at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43359 MEDIUM PATCH This Month

Denial of service via transaction abort in Linux kernel btrfs subsystem when a non-privileged subvolume owner repeatedly calls the set received ioctl with identical UUID values, causing filesystem to transition to read-only mode. The vulnerability exploits insufficient pre-flight validation that allows metadata updates to commence before detecting item overflow conditions, requiring only local access and subvolume ownership rather than root privileges. EPSS score of 0.02% indicates low exploitation probability despite CVSS 5.5 severity, suggesting practical exploitation barriers despite low privilege requirements.

Integer Overflow Buffer Overflow Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43358 MEDIUM PATCH This Month

RCU locking imbalance in Linux kernel btrfs filesystem code causes local denial of service. The try_release_subpage_extent_buffer() function in btrfs can exit an error path without properly releasing an RCU read lock, creating a locking inconsistency that leads to system instability. Affects Linux kernel versions 6.17 through pre-7.0, with patches available in stable branches 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% (4th percentile) indicates minimal observed exploitation activity. The flaw was detected through static analysis using Clang's thread-safety analyzer rather than field exploitation, suggesting lower immediate real-world risk despite the high-availability CVSS impact rating.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43357 MEDIUM PATCH This Month

Local denial of service in Linux kernel's MPU3050 gyroscope driver allows authenticated users with low privileges to crash the system by triggering power management failures. The mpu3050-core driver fails to validate pm_runtime_get_sync() return values, enabling hardware access when device resume fails and causing improper reference counting that leads to kernel instability. EPSS score of 0.02% indicates minimal active exploitation likelihood, and patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43356 MEDIUM PATCH This Month

A NULL pointer dereference in the Linux kernel's adis_init() function causes kernel crashes when initializing ADIS IMU drivers (adis16480, adis16490, adis16545). The function attempts to dereference adis->ops without first verifying it is non-NULL, triggering denial of service on affected systems during device probe. Exploitation requires local access with low privileges (CVSS AV:L/AC:L/PR:L). EPSS score of 0.02% (4th percentile) indicates minimal real-world exploitation likelihood. Vendor patches available across multiple stable kernel versions (6.19.9, 6.18.19, 7.0).

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43355 MEDIUM PATCH This Month

Local attackers with low-level privileges can trigger a denial of service in Linux kernel versions 4.7 through 7.0 by exploiting a power management reference leak in the bh1780 ambient light sensor driver. The vulnerability causes system resource exhaustion through improper PM runtime reference counting in the IIO subsystem's error handling path. Vendor patches are available across multiple stable kernel branches (5.10.253, 6.1.167, 6.6.130, 6.18.19, 6.19.9, 7.0), with EPSS probability of 0.02% indicating low observed exploitation likelihood and no active exploitation confirmed.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43354 MEDIUM PATCH This Month

Local denial of service in the Linux kernel's HX9023S proximity sensor driver (iio subsystem) allows authenticated users with low privileges to crash the system via division by zero when setting sampling frequency with an unspecified value. Patch available from kernel.org stable trees for versions 6.12.78, 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation activity. No public exploit code or active exploitation (not in CISA KEV) confirmed at time of analysis.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43353 HIGH PATCH This Week

Race condition in Linux kernel I3C HCI DMA dequeue handler allows local authenticated attackers with low privileges to trigger memory corruption leading to privilege escalation, denial of service, or information disclosure. The vulnerability affects kernel versions from 5.11 onwards where the mipi-i3c-hci driver is enabled. EPSS probability is low (0.02%, 4th percentile) and no active exploitation or public POC is identified at time of analysis. Vendor patches available for stable kernel branches 6.18.19, 6.19.9, and 7.0.

Information Disclosure Linux Race Condition
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43352 HIGH PATCH This Week

Flawed DMA ring abort handling in the Linux kernel's MIPI I3C Host Controller Interface driver allows local authenticated attackers with low privileges to cause high-severity impacts including information disclosure, integrity violations, and denial of service. The vulnerability stems from improper abort sequence logic that disrupts controller state by unintentionally clearing hardware enable bits and resetting ring pointers. Vendor patches are available for kernel versions 6.18.19, 6.19.9, and 7.0. EPSS score of 0.02% (4th percentile) indicates low probability of mass exploitation, and no active exploitation or public POC has been identified at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43351 MEDIUM PATCH This Month

Denial of service in Linux kernel KVM/arm64 vGIC subsystem allows local authenticated users with low privileges to crash the hypervisor via use-after-free during virtual interrupt controller teardown. CVSS rates this 5.5 (medium severity, local vector), but EPSS exploitation probability is very low at 0.02% (4th percentile). Patches available across multiple stable kernel versions (6.18.19, 6.19.9, 7.0). No active exploitation confirmed per CISA KEV, and the local-only attack vector with specific KVM/ARM64 deployment requirements limits real-world impact to environments running ARM64 virtualization workloads.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43350 HIGH PATCH This Week

Out-of-bounds read in Linux kernel SMB client allows malicious SMB servers to disclose kernel memory and potentially crash systems via crafted NFS mode SIDs in ACL responses. Affects Linux kernel 5.4+ with SMB client enabled. Vendor patches released for stable branches 6.6.136, 6.12.84, 6.18.25, 7.0.2, and mainline 7.1-rc1. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation confirmed (not in CISA KEV). Attack requires user interaction (mounting malicious SMB share), reducing practical risk for environments with controlled server connections.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-43349 MEDIUM PATCH This Month

Use of uninitialized memory in Linux kernel f2fs filesystem node footer validation causes local denial of service. Linux kernel versions 7.0 through 7.1-rc1 with f2fs support allow local authenticated users to trigger a kernel crash by mounting a maliciously crafted f2fs filesystem image. The vulnerability occurs when f2fs_sanity_check_node_footer() accesses uninitialized folio data after a failed disk read operation during filesystem mount, as reported by syzbot. EPSS score of 0.02% (4th percentile) indicates minimal real-world exploitation likelihood. Vendor patches available for stable kernel branches 6.18.25, 7.0.2, and 7.1-rc1.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43348 MEDIUM PATCH This Month

The Linux kernel mshv_vtl driver permits local denial-of-service via memory registration failure when VTL0 memory ranges are sufficiently aligned (35+ trailing zeros in physical address). An unclamped vmemmap_shift calculation can exceed MAX_FOLIO_ORDER, causing memremap_pages() to reject the operation and potentially destabilize virtualization infrastructure. CVSS 5.5 indicates local authenticated exploitation with low complexity. EPSS 0.02% suggests minimal real-world targeting. Vendor patches available for kernel 7.0.2 and 7.1-rc1 address both the shift clamping and error propagation issues.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43347 HIGH PATCH This Week

Memory corruption in Linux kernel on Qualcomm Monaco-based ARM64 platforms causes kernel crashes through synchronous external aborts when accessing hypervisor-owned memory incorrectly marked as conventional RAM. The firmware's EFI memory map only reserves 288 KiB of a 512 KiB Gunyah hypervisor metadata region (0x91a80000-0x91afffff), leaving 224 KiB exploitable for triggering fatal aborts. Patches available for stable branches 6.18.24, 6.19.14, and 7.0 series. EPSS exploitation probability is very low (0.02%, 4th percentile) with no known active exploitation or public POC, indicating limited real-world threat despite CVSS 7.5 rating.

Qualcomm Denial Of Service Linux
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43346 MEDIUM PATCH This Month

Local denial of service in Linux kernel PTP (Precision Time Protocol) driver for Intel Ethernet (ice) allows authenticated users with low privileges to crash the system when PF passthrough is configured without the controlling PF. The vulnerability is caused by improper null pointer handling (CWE-617) when ice_ptp_setup_pf() attempts to access an uninitialized PTP controlling PF in VFIO passthrough configurations. Affects Linux kernel 6.13 through 7.0-rc7. EPSS probability is very low (0.02%, 4th percentile) and no active exploitation has been reported. Patches are available in stable branches 6.18.24, 6.19.14, and mainline 7.0.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43345 HIGH PATCH This Week

Linux Kernel versions 6.4 and later containing IPA v5.0+ hardware support experience complete data path failure and indefinite system hangs during suspend or shutdown operations due to a register field misprogramming bug. The event ring index field was incorrectly referenced using an outdated identifier (ERINDEX instead of CH_ERINDEX) in the CH_C_CNTXT_1 register definition, preventing GSI channels from signaling transfer completions. This causes gsi_channel_trans_quiesce() to block indefinitely in wait_for_completion(), resulting in runtime suspend, system suspend, and remoteproc stop operations hanging forever. Patches are available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% indicates very low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV). The CVSS vector indicates network-accessible attack surface, though the actual impact is limited to devices with IPA v5.0+ hardware.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43344 MEDIUM PATCH This Month

Die ID initialization and lookup bugs in the Linux kernel's Intel uncore performance monitoring subsystem (perf/x86/intel/uncore) can cause a reachable assertion trigger or silent loss of PMON unit visibility on Intel Sapphire Rapids (SPR) and Emerald Rapids (EMR) server hardware. Authenticated local users on affected systems may crash the kernel via the WARN_ON_ONCE reachable assertion (CWE-617) or, when NUMA is disabled on a NUMA-capable platform, cause all uncore PMON units to be silently dropped from the RB tree - rendering hardware performance monitoring inoperative. No public exploit exists and EPSS is 0.02%, indicating no active exploitation pressure at time of analysis.

Intel Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43343 MEDIUM PATCH This Month

Unbalanced reference counting in the Linux kernel USB gadget CDC Subset Ethernet driver (f_subset) causes a resource leak that denies availability of USB gadget reconfiguration. A local authenticated user can trigger the condition by allocating and freeing the geth USB gadget function, leaving the reference count permanently elevated due to a missing decrement in geth_free(). The practical impact is a denial-of-service against the configfs interface for USB gadget management - subsequent attempts to unlink and re-configure the USB function fail silently. No public exploit is identified and EPSS exploitation probability is negligible at 0.02% (7th percentile).

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43342 MEDIUM PATCH This Month

Race condition in the Linux kernel's USB RNDIS gadget function driver (f_rndis) allows a local low-privileged attacker to crash the kernel by concurrently manipulating class/subclass/protocol configfs attributes without mutex protection. Identified during code inspection - not observed in active exploitation - this vulnerability affects multiple stable kernel branches from 4.14 through 7.0-rc3, with patches released across all maintained stable series. With an EPSS of 0.02% (7th percentile), no public exploit, and no CISA KEV listing, real-world risk is low but meaningful on embedded or IoT devices using Linux as a USB RNDIS peripheral.

Information Disclosure Race Condition Linux Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-43341 CRITICAL PATCH Act Now

Integer overflow in Linux kernel's IPv6 IOAM (In-situ Operations, Administration, and Maintenance) trace functionality allows remote unauthenticated attackers to trigger buffer overflow conditions. A crafted IOAM trace packet with specific schema configurations causes an 8-bit integer wraparound that bypasses buffer boundary checks, enabling memory corruption with potential for arbitrary code execution at kernel privilege level. CVSS scored 9.8 (Critical) with network attack vector, though EPSS score of 0.02% (7th percentile) suggests minimal observed exploitation activity. Patches available across multiple stable kernel versions (5.15, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) via upstream commits, indicating vendor-prioritized remediation without confirmed active exploitation.

Authentication Bypass Linux
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43340 MEDIUM PATCH This Month

Local denial of service in Linux kernel COMEDI subsystem allows authenticated users to trigger inconsistent lock states when reattaching low-level drivers to legacy COMEDI devices. Exploitation probability is low (EPSS 2%, percentile 7%) with no public exploit identified at time of analysis. Vendor-released patches available across all stable kernel branches from 5.10.253 through 7.0. Affects systems configured with non-zero comedi_num_legacy_minors parameter and requires local authenticated access to COMEDI device nodes.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43339 HIGH PATCH This Week

Local privilege escalation in Linux kernel IPv6 address configuration subsystem enables authenticated local users to gain high-level system access through a use-after-free (UaF) condition in addrconf_permanent_addr(). Patch available across all maintained stable kernel series (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) with fixes backported from commit f1705ec197e7. EPSS score of 0.02% suggests minimal active exploitation likelihood, no KEV listing or public POC identified at time of analysis.

Information Disclosure Linux Use After Free Memory Corruption Red Hat
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43338 MEDIUM PATCH This Month

Transaction abort and denial of service in Linux kernel btrfs qgroup ioctls occurs when quota group operations fail to reserve transaction space for metadata updates and delayed references, resulting in -ENOSPC errors under filesystem pressure. Affected versions include mainline kernel through 6.19.x and stable branches 6.12.x and 6.18.x, with patches available in 6.12.81, 6.18.22, 6.19.12, and 7.0. Local authenticated users can trigger filesystem unavailability through qgroup operations. EPSS exploitation probability is low (0.02%), no active exploitation confirmed, and this represents a stability issue rather than a direct security compromise, though availability impact is high per CVSS 5.5 score.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43337 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's AMD display driver (DRM subsystem) allows local authenticated users to crash the system via dcn401_init_hw() function. Affects kernel 6.12 through 7.0-rc6, specifically the DCN 4.01 hardware sequencer in amdgpu driver. Vendor patches available for stable branches (6.18.22, 6.19.12, 7.0). EPSS exploitation probability is very low (0.02%, 4th percentile), indicating minimal real-world threat despite moderate CVSS score. Not listed in CISA KEV, and no public exploit code identified at time of analysis.

Amd Denial Of Service Linux Null Pointer Dereference Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43336 HIGH PATCH This Week

ChaCha cipher implementation in the Linux kernel leaks cryptographic key material through an improperly zeroized stack variable. The ChaCha permutation function leaves 'permuted_state' on the stack after execution, which can be used to reverse-compute the original encryption key since ChaCha's permutation is mathematically invertible. This information disclosure affects kernel cryptographic operations including the RNG (random number generator). EPSS score of 0.02% indicates very low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV). Patches are available across all maintained kernel versions from 5.10.253 through 6.19.12.

Information Disclosure Linux Red Hat
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43335 MEDIUM PATCH This Month

Null pointer dereference in Linux kernel's Qualcomm SM8450 interconnect driver causes local denial of service during device probe. The vulnerability affects Linux kernel 6.19.x through 7.0-rc6 on Qualcomm SM8450 platforms when the interconnect driver initializes. Upstream patches are available (commits 77d22bf3fc5d and dbbd550d7c8d). EPSS score of 0.02% indicates very low observed exploitation probability, and no active exploitation or public POC has been identified. Real-world risk is limited to local authenticated users on affected Qualcomm SoC platforms during driver initialization.

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's USB gadget f_tcm (USB Target Controller Module) driver allows an authenticated local attacker with USB host access to trigger a kernel panic by sending Bulk-Only Transport (BOT) commands during a race window where the ConfigFS-managed nexus pointer is uninitialized or torn down. Affected systems are those acting as USB gadgets - primarily embedded devices and single-board computers - running kernel versions from commit c52661d60f636d17e26ad834457db333bd1df494 onward without the applied fix. No public exploit exists and the vulnerability is absent from CISA KEV; EPSS of 0.02% (7th percentile) confirms negligible observed exploitation activity.

Linux Null Pointer Dereference Denial Of Service +2
NVD VulDB
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: Fix atomic context locking issue The ncm_set_alt function was holding a mutex to protect against races with configfs, which invokes the might-sleep function inside an atomic context. Remove the struct net_device pointer from the f_ncm_opts structure to eliminate the contention. The connection state is now managed by a new boolean flag to preserve the use-after-free fix from commit 6334b8e4553c ("usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error"). BUG: sleeping function called from invalid context Call Trace: dump_stack_lvl+0x83/0xc0 dump_stack+0x14/0x16 __might_resched+0x389/0x4c0 __might_sleep+0x8e/0x100 ... __mutex_lock+0x6f/0x1740 ... ncm_set_alt+0x209/0xa40 set_config+0x6b6/0xb40 composite_setup+0x734/0x2b40 ...

Information Disclosure Linux
NVD VulDB
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: usb: legacy: ncm: Fix NPE in gncm_bind Commit 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle with bind/unbind") deferred the allocation of the net_device. This change leads to a NULL pointer dereference in the legacy NCM driver as it attempts to access the net_device before it's fully instantiated. Store the provided qmult, host_addr, and dev_addr into the struct ncm_opts->net_opts during gncm_bind(). These values will be properly applied to the net_device when it is allocated and configured later in the binding process by the NCM function driver.

Denial Of Service Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel USB NCM gadget subsystem (f_ncm) causes kernel crashes during USB device disconnection cycles. The vulnerability stems from a net_device lifecycle management flaw where the network device outlives its parent gadget device, leaving dangling sysfs links that trigger null pointer dereferences. Systems acting as USB NCM gadgets - common in embedded Linux, postmarketOS, and USB tethering scenarios - are exposed to local denial-of-service conditions upon USB reconnection. No public exploit exists and EPSS stands at 0.02%, indicating very low exploitation probability; however, the bug can be triggered by any low-privileged local user on an affected configuration.

Denial Of Service Linux Null Pointer Dereference +2
NVD VulDB
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: ceph: fix i_nlink underrun during async unlink During async unlink, we drop the `i_nlink` counter before we receive the completion (that will eventually update the `i_nlink`) because "we assume that the unlink will succeed". That is not a bad idea, but it races against deletions by other clients (or against the completion of our own unlink) and can lead to an underrun which emits a WARNING like this one: WARNING: CPU: 85 PID: 25093 at fs/inode.c:407 drop_nlink+0x50/0x68 Modules linked in: CPU: 85 UID: 3221252029 PID: 25093 Comm: php-cgi8.1 Not tainted 6.14.11-cm4all1-ampere #655 Hardware name: Supermicro ARS-110M-NR/R12SPD-A, BIOS 1.1b 10/17/2023 pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drop_nlink+0x50/0x68 lr : ceph_unlink+0x6c4/0x720 sp : ffff80012173bc90 x29: ffff80012173bc90 x28: ffff086d0a45aaf8 x27: ffff0871d0eb5680 x26: ffff087f2a64a718 x25: 0000020000000180 x24: 0000000061c88647 x23: 0000000000000002 x22: ffff07ff9236d800 x21: 0000000000001203 x20: ffff07ff9237b000 x19: ffff088b8296afc0 x18: 00000000f3c93365 x17: 0000000000070000 x16: ffff08faffcbdfe8 x15: ffff08faffcbdfec x14: 0000000000000000 x13: 45445f65645f3037 x12: 34385f6369706f74 x11: 0000a2653104bb20 x10: ffffd85f26d73290 x9 : ffffd85f25664f94 x8 : 00000000000000c0 x7 : 0000000000000000 x6 : 0000000000000002 x5 : 0000000000000081 x4 : 0000000000000481 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff08727d3f91e8 Call trace: drop_nlink+0x50/0x68 (P) vfs_unlink+0xb0/0x2e8 do_unlinkat+0x204/0x288 __arm64_sys_unlinkat+0x3c/0x80 invoke_syscall.constprop.0+0x54/0xe8 do_el0_svc+0xa4/0xc8 el0_svc+0x18/0x58 el0t_64_sync_handler+0x104/0x130 el0t_64_sync+0x154/0x158 In ceph_unlink(), a call to ceph_mdsc_submit_request() submits the CEPH_MDS_OP_UNLINK to the MDS, but does not wait for completion. Meanwhile, between this call and the following drop_nlink() call, a worker thread may process a CEPH_CAP_OP_IMPORT, CEPH_CAP_OP_GRANT or just a CEPH_MSG_CLIENT_REPLY (the latter of which could be our own completion). These will lead to a set_nlink() call, updating the `i_nlink` counter to the value received from the MDS. If that new `i_nlink` value happens to be zero, it is illegal to decrement it further. But that is exactly what ceph_unlink() will do then. The WARNING can be reproduced this way: 1. Force async unlink; only the async code path is affected. Having no real clue about Ceph internals, I was unable to find out why the MDS wouldn't give me the "Fxr" capabilities, so I patched get_caps_for_async_unlink() to always succeed. (Note that the WARNING dump above was found on an unpatched kernel, without this kludge - this is not a theoretical bug.) 2. Add a sleep call after ceph_mdsc_submit_request() so the unlink completion gets handled by a worker thread before drop_nlink() is called. This guarantees that the `i_nlink` is already zero before drop_nlink() runs. The solution is to skip the counter decrement when it is already zero, but doing so without a lock is still racy (TOCTOU). Since ceph_fill_inode() and handle_cap_grant() both hold the `ceph_inode_info.i_ceph_lock` spinlock while set_nlink() runs, this seems like the proper lock to protect the `i_nlink` updates. I found prior art in NFS and SMB (using `inode.i_lock`) and AFS (using `afs_vnode.cb_lock`). All three have the zero check as well.

Information Disclosure Linux
NVD VulDB
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: ceph: fix memory leaks in ceph_mdsc_build_path() Add __putname() calls to error code paths that did not free the "path" pointer obtained by __getname(). If ownership of this pointer is not passed to the caller via path_info.path, the function must free it before returning.

Information Disclosure Linux
NVD VulDB
EPSS 0%
Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: sched/mmcid: Prevent CID stalls due to concurrent forks A newly forked task is accounted as MMCID user before the task is visible in the process' thread list and the global task list. This creates the following problem: CPU1 CPU2 fork() sched_mm_cid_fork(tnew1) tnew1->mm.mm_cid_users++; tnew1->mm_cid.cid = getcid() -> preemption fork() sched_mm_cid_fork(tnew2) tnew2->mm.mm_cid_users++; // Reaches the per CPU threshold mm_cid_fixup_tasks_to_cpus() for_each_other(current, p) .... As tnew1 is not visible yet, this fails to fix up the already allocated CID of tnew1. As a consequence a subsequent schedule in might fail to acquire a (transitional) CID and the machine stalls. Move the invocation of sched_mm_cid_fork() after the new task becomes visible in the thread and the task list to prevent this. This also makes it symmetrical vs. exit() where the task is removed as CID user before the task is removed from the thread and task lists.

Information Disclosure Linux
NVD
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: sched/mmcid: Handle vfork()/CLONE_VM correctly Matthieu and Jiri reported stalls where a task endlessly loops in mm_get_cid() when scheduling in. It turned out that the logic which handles vfork()'ed tasks is broken. It is invoked when the number of tasks associated to a process is smaller than the number of MMCID users. It then walks the task list to find the vfork()'ed task, but accounts all the already processed tasks as well. If that double processing brings the number of to be handled tasks to 0, the walk stops and the vfork()'ed task's CID is not fixed up. As a consequence a subsequent schedule in fails to acquire a (transitional) CID and the machine stalls. Cure this by removing the accounting condition and make the fixup always walk the full task list if it could not find the exact number of users in the process' thread list.

Information Disclosure Linux
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's PowerPC perf subsystem crashes the kernel when user callchain collection is attempted after a thread's mm structure has been released. Local authenticated users with BPF execution privileges on PowerPC systems can trigger a kernel panic by running profiling tools such as bcc-tools' profile.py at the moment of thread exit, resulting in a full system denial of service. No public exploit has been identified at time of analysis and EPSS is 0.02% (4th percentile), reflecting low widespread exploitation probability; however, the bug is confirmed by kernel maintainers with a full panic trace and patches are available in stable kernel releases.

Denial Of Service Null Pointer Dereference Linux
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Kernel panic triggered by a race condition in the UFS Host Controller Driver (ufshcd) during system suspend affects Linux systems using Universal Flash Storage hardware where UFSHCD_CAP_CLK_GATING is not supported. The flaw allows a local low-privileged user - or automated power management - to crash the kernel by triggering a suspend sequence while ufshcd_rtc_work() is concurrently executing, producing an ARM64 asynchronous SError interrupt that halts the system. No public exploit code exists and no active exploitation has been identified; with an EPSS of 0.02% this is a low-probability but confirmed-availability-destroying defect patched across multiple stable kernel branches.

Information Disclosure Linux Race Condition +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Double-free vulnerability in Linux kernel's qla2xxx SCSI driver allows remote code execution or denial of service through malformed Fibre Channel ELS commands. The qla24xx_els_dcmd_iocb() function incorrectly frees fcport structures twice during error handling - once via kref_put() calling qla2x00_els_dcmd_sp_free(), then again explicitly afterward. Despite the CVSS:3.1/AV:N score of 9.8, the network vector appears to reflect the driver's network-facing nature (Fibre Channel over IP or similar) rather than internet-accessible exploitation. EPSS score of 0.02% (5th percentile) indicates extremely low observed exploitation probability. Patches available across multiple stable kernel branches (6.9+, 6.19.9+, 7.0+) per upstream commits.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's hisi_sas SCSI driver crashes systems when a local user triggers a host scan via sysfs. Authenticated local users with low privileges can write to the sysfs scan interface, causing kernel oops due to a channel iteration bug introduced in commit 37c4e72b0651 - the driver supports only one channel (channel 0) but its max_channel is set to 1, causing sas_user_scan() to attempt scanning channel 1 where no valid SAS device structure exists. The result is a denial-of-service via kernel NULL pointer dereference at sas_find_dev_by_rphy(). No public exploit or CISA KEV listing has been identified; EPSS is 0.02% (5th percentile), consistent with low-likelihood opportunistic exploitation.

Linux Null Pointer Dereference Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's ASoC QCOM QDSP6 subsystem crashes systems built on Qualcomm SA8775P and SC8280XP SoCs during ADSP protection-domain restart cycles. The crash occurs because the q6apm-audio .remove callback prematurely deletes Runtime Descriptions (RTDs) containing q6apm DAI components during ASoC teardown, leaving those components still linked to the sound card and triggering a kernel oops on the subsequent rebind. Impact is limited to availability (kernel panic/denial of service); no public exploit has been identified at time of analysis, and EPSS at 0.02% reflects very low widespread exploitation probability.

Qualcomm Linux Null Pointer Dereference +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Divide-by-zero in the Linux kernel's TIPC (Transparent Inter-Process Communication) subsystem allows a local low-privileged user to trigger a kernel oops/panic via a crafted setsockopt call. An attacker with local access sets conn_timeout to a value in the range [0, 3] on a TIPC socket, then initiates a connection that receives TIPC_ERR_OVERLOAD, causing integer division by zero in tipc_sk_filter_connect() and crashing the kernel. No public exploit has been identified at time of analysis and EPSS is 0.02%, but the low-complexity, low-privilege local trigger makes this a practical local denial-of-service in shared or container environments.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's stratix10-rsu firmware driver triggers a kernel panic (denial of service) on Intel/Altera SoCFPGA Stratix 10 systems running kernel 6.19.x when RSU is disabled in the First Stage Boot Loader. A local authenticated user can cause a full system crash by triggering the svc_normal_to_secure_thread kernel thread, which dereferences an already-freed service channel pointer. No public exploit identified at time of analysis; EPSS score of 0.02% at the 5th percentile reflects the narrow hardware-specific exposure.

Linux Null Pointer Dereference Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel crash (page fault) in the Linux kernel's kprobes subsystem allows a local authenticated user to trigger a system denial-of-service by removing a module containing kprobe probes after ftrace has been killed due to prior errors. The affected code path in kprobes_module_callback does not check the kprobe_ftrace_disabled flag set by ftrace_kill(), causing invalid memory access traceable via KASAN at address fffffbfff805000d. No active exploitation has been confirmed; EPSS is 0.02% (5th percentile), reflecting the niche preconditions required.

Linux Null Pointer Dereference Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Memory corruption in the Linux kernel's Ceph filesystem client allows local authenticated users to trigger kernel crashes and potentially escalate privileges. The vulnerability stems from missing zero-initialization of ceph_path_info structures before passing them to ceph_mdsc_build_path(), causing subsequent ceph_mdsc_free_path_info() calls to attempt freeing uninitialized or corrupted memory pointers. Multiple code paths in ceph_open() and related functions are affected, introduced by commit 15f519e9f883. Patches are available for kernel versions 6.12.78, 6.18.19, 6.19.9, and 7.0. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation, with no public exploit code or CISA KEV listing at time of analysis.

Denial Of Service Linux Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Integer overflow in Linux kernel's libceph authentication handler enables remote memory corruption and potential system crash against unpatched systems. A malicious Ceph monitor can send a specially crafted CEPH_MSG_AUTH_REPLY message with payload_len exceeding INT_MAX, causing ceph_handle_auth_reply() to underflow a pointer and trigger out-of-bounds memory access. This allows remote unauthenticated attackers to potentially read sensitive kernel memory (high confidentiality impact) or crash the kernel (high availability impact) on systems using Ceph storage. CVSS 9.1 (Critical) reflects network attack vector with no authentication or user interaction required. EPSS score of 0.02% (7th percentile) suggests low observed exploitation likelihood. Vendor patches available for all affected kernel series (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0), but no active exploitation confirmed via CISA KEV.

Buffer Overflow Debian Linux +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds memory reads in Linux kernel's libceph messaging layer allow remote unauthenticated attackers to disclose kernel memory or trigger denial-of-service via malformed Ceph protocol frames. The vulnerability exists in process_message_header() when message frames are corrupted to make the control segment length smaller than the message header size, bypassing length validation. Vendor patches available for stable kernel versions 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% and no KEV listing suggest limited real-world exploitation observed despite network-accessible attack vector and unauthenticated access. Critical CVSS score of 9.1 reflects worst-case impact (high confidentiality and availability risk) if Ceph storage networking is exposed.

Buffer Overflow Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Integer signedness vulnerability in Linux kernel's Ceph networking library (libceph) allows remote attackers to trigger denial of service via crafted monitor map messages. The flaw enables bypassing memory allocation limits by exploiting signed/unsigned integer confusion in ceph_monmap_decode(), causing excessive memory allocation attempts that crash the system. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and 0.02% EPSS score, this represents a network-reachable DoS vector against systems using Ceph storage, though low exploitation probability suggests limited attacker interest. Patches available across all maintained kernel branches (5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Livelock and CPU starvation in the Linux kernel memory management subsystem allows a local authenticated user to hang the system by triggering an unbounded spin loop in hmm_range_fault(). The root cause is in do_swap_page(), where failure to acquire folio_trylock() on a device-private folio causes the kernel to spin indefinitely while a competing process holding the lock is blocked waiting for work items on the same CPU - work items that are starved by the spinner. This vulnerability requires a highly specific combination of HMM device-private memory migration conditions and is confirmed reproduced by the Intel GPU test suite. No public exploit exists and no active exploitation is identified at time of analysis.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Namespace iteration ioctl permission bypass in Linux kernel allows local privileged users to enumerate namespaces of other privileged services, potentially leaking cross-service information. Affects kernel 6.12 through 6.19.x with patches available in 6.12.78, 6.18.20, 6.19.9, and mainline 7.0. The vulnerability has low EPSS (0.02%, 5th percentile) indicating minimal observed exploitation activity. Vendor patches deployed across stable kernel branches address the issue by enforcing stricter namespace visibility policies via the may_see_all_namespaces() helper.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use-after-free in Linux kernel kthread subsystem enables memory corruption leading to arbitrary code execution or denial of service. The vulnerability arises when kernel threads exit via make_task_dead() instead of kthread_exit(), bypassing affinity_node cleanup. This causes dangling pointers in the global kthread_affinity_list that corrupt freed memory reused by the SLAB allocator, specifically overwriting RCU callback function pointers in struct pid objects. CVSS rates this 9.8 critical, though the network attack vector appears misclassified since kernel thread manipulation requires local code execution. EPSS score of 0.02% (4th percentile) indicates low predicted exploitation likelihood despite severity. Vendor patches available for Linux 6.18.19, 6.19.9, and 7.0 via upstream commits.

Denial Of Service Linux Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's intel_pstate cpufreq driver crashes systems booted with the 'nosmt' parameter when CPU QoS requests are processed for SMT sibling threads. On 'nosmt'-booted systems, all_cpu_data[cpu] is NULL for disabled SMT siblings; update_cpu_qos_request() dereferences cpudata->pstate.turbo_freq before validating the policy pointer, producing a kernel panic and local denial of service. EPSS at 0.02% (4th percentile) reflects very low exploitation probability, no public exploit code has been identified, and no CISA KEV listing exists at time of analysis.

Linux Null Pointer Dereference Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Out-of-memory exploitation in the Linux kernel's amdgpu DRM subsystem allows a local, low-privileged user to crash the system by supplying unchecked huge values to the amdgpu_userq_signal_ioctl interface. The missing upper-bound validation on user inputs enables resource exhaustion that can destabilize or deny service on any Linux system equipped with a supported AMD GPU. No public exploit code exists and no active exploitation has been confirmed (no CISA KEV listing), with an EPSS of 0.02% placing this firmly in the low-priority tier for most environments outside high-assurance or shared multi-user GPU workloads.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Reference leak in the Linux kernel's amdgpu userqueue subsystem allows a local low-privileged user to exhaust kernel resources by repeatedly triggering an early-abort code path in amdgpu_userq_wait_ioctl. When the ioctl aborts because the caller-supplied output array is too small, the kernel omits required reference drops on syncobj and timeline fence objects, preventing those objects from ever being freed. No active exploitation is confirmed (not in CISA KEV), and EPSS sits at 0.02% (4th percentile), signaling negligible real-world exploitation activity.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Out-of-memory exploitation in the Linux kernel's amdgpu DRM driver allows a local low-privileged user to crash or destabilize a system by supplying oversized input values to the amdgpu_userq_wait_ioctl interface. Systems running affected kernel versions with AMD GPU hardware are vulnerable to availability loss. No public exploit code has been identified at time of analysis, and an EPSS score of 0.02% (4th percentile) reflects very low real-world exploitation probability; this is not confirmed actively exploited (not in CISA KEV).

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's samsung-dsim DRM bridge driver allows a local low-privileged user to exhaust kernel memory by repeatedly triggering error paths in samsung_dsim_host_attach() where drm_bridge_remove() is never called after a failed samsung_dsim_register_te_irq() or host attach operation. Affected systems must be running Samsung MIPI DSI display hardware with the samsung-dsim module loaded. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) combined with absence from CISA KEV confirms this is a low-exploitation-likelihood maintenance fix rather than an active threat.

Information Disclosure Samsung Linux +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's drm/xe (Intel Xe GPU) sync subsystem allows a local low-privileged user to cause a denial of service by exhausting kernel memory. The flaw exists in the drm/xe/sync error-handling path: when dma_fence_chain_alloc() fails, the user fence reference is not properly released (CWE-401), leaving allocated memory permanently inaccessible to the allocator. No active exploitation has been identified (EPSS 0.02%, 4th percentile, not in CISA KEV), and patches have been backported to stable kernel branches including 6.18.20 and 6.19.9.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Incomplete cleanup in the Linux kernel's DRM/Xe GPU driver allows a local low-privileged user to leak kernel object references (syncobj, fence, chain fence, or user fence) by triggering error paths in xe_sync_entry_parse(), resulting in kernel memory exhaustion and local denial of service. Affected kernels include those shipping the Intel Xe GPU driver from the introducing commit (dd08ebf6c352) up to the fix commits landed in stable series 6.12, 6.18, 6.19, and 7.0. No public exploit code exists and no active exploitation has been reported; EPSS probability sits at 0.02% (5th percentile), reflecting extremely low real-world exploitation interest.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Credential reference leak in the Linux kernel's NFS server daemon (nfsd) subsystem allows a local low-privileged user to cause a denial of service through kernel memory exhaustion. The vulnerable function nfsd_nl_listener_set_doit() calls get_current_cred() without a matching put_cred(), leaking one credential reference on each invocation. No active exploitation has been identified (EPSS 0.02%, 5th percentile; not listed in CISA KEV), and patches are available across multiple stable kernel branches.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel btrfs filesystem driver allows a local low-privileged user to cause kernel memory exhaustion leading to denial of service. The defect resides in btrfs_map_block(), which fails to release a chunk map object when btrfs_chunk_map_num_copies() triggers an early return with -EINVAL, leaving the allocation dangling. No public exploit code has been identified at time of analysis, and EPSS sits at the 5th percentile (0.02%), reflecting a low practical exploitation probability consistent with the local-only attack vector.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

System-hang denial-of-service in the Linux kernel's sched_ext (SCX) extensible scheduler subsystem allows a local low-privileged attacker to indefinitely starve the scx_enable() thread by saturating fair-class workloads, causing the system to hang. Affected are kernel versions containing the SCX subsystem from the introduction commit 8c2090c504e998c8f34ec870bae71dafcc96a6e0 through multiple stable branches including 6.12.x before 6.12.78 and 6.18.x/6.19.x series. EPSS exploitation probability is 0.02% (5th percentile) with no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Linux
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Insufficient permission checks in Linux kernel nsfs (namespace filesystem) allow low-privileged local users to access other processes' namespaces, potentially escalating privileges across namespace boundaries and leaking sensitive information between isolated services. The vulnerability affects kernel versions before 6.19.9 and 7.0, with patches available in stable branches d2324a9317f0 and 1797ee11451f. EPSS score of 0.02% (5th percentile) indicates low current exploitation probability, and no active exploitation or public POC has been identified in CISA KEV or public sources. The CVSS 8.8 (High) rating reflects scope change (S:C) indicating privilege escalation across security boundaries - a critical concern for containerized environments where namespace isolation is foundational to multi-tenant security.

Information Disclosure Linux
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Insufficient permission enforcement in the Linux kernel's nstree subsystem allows a local privileged service to enumerate namespace trees belonging to other co-located privileged services, breaking the isolation model that Linux namespaces are designed to enforce. Affected systems include those running Linux kernel versions prior to the fix commits in the 6.19.x stable series and the 7.0 upstream branch, with downstream impact confirmed by Red Hat and SUSE. No public exploit has been identified at time of analysis, and EPSS is 0.02% (5th percentile), making this a low-urgency but architecturally significant issue for multi-tenant and containerized deployments.

Information Disclosure Linux
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The memfd_luo (memory file descriptor Live Update Operations) subsystem in the Linux kernel silently discards user data by incorrectly tracking folio dirty state across live kernel updates. Folios that are clean at preserve() time but subsequently written to are serialized as clean, causing the successor kernel to treat them as reclaimable under memory pressure - permanently destroying user data stored in those memory regions. This affects systems using the memfd LUO live kernel update feature, with fixes confirmed in Linux 6.19.9 and 7.0. No public exploit exists and EPSS is 0.02%, reflecting the niche deployment conditions required.

Information Disclosure Linux
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free condition in the Linux kernel's DAMON (Data Access MONitor) subsystem affects systems running kernel version 6.14 and related stable branches prior to the patched commits. A local low-privileged user can trigger a dangling pointer to a stack-allocated walk_control structure when damos_walk() is invoked against an inactive DAMON context, with no public exploit identified at time of analysis and an EPSS probability of just 0.02%.

Information Disclosure Use After Free Memory Corruption +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Out-of-bounds read in the Linux kernel's staging rtl8723bs WiFi driver allows a local low-privileged attacker to crash the system via improper length validation in the rtw_get_ie_ex() information element parser. The flaw mirrors a previously patched issue in the sibling rtw_get_ie() parser (commit 154828bf9559) - the fix was not consistently applied to rtw_get_ie_ex(). With a CVSS score of 5.5, local access requirement, and EPSS of 0.02% (7th percentile), this is a low-urgency availability issue with no public exploit and no KEV listing. Patches have been released across all major active stable kernel branches.

Buffer Overflow Linux
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's rtl8723bs staging Wi-Fi driver allows a local authenticated attacker to read memory beyond the WMM IE buffer and potentially crash the kernel. The flaw resides in rtw_restruct_wmm_ie(), which accesses in_ie[i+5] before validating that the index is within in_len. EPSS is 0.02% (7th percentile) and no public exploit identified at time of analysis, but a vendor-released patch is available across multiple stable branches.

Information Disclosure Buffer Overflow Linux
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

RCU tasks grace period stalls cause denial of service in Linux kernel's threaded NAPI busypoll implementation (6.19+). When threaded busypoll is enabled on network interfaces, the napi_threaded_poll_loop function resets its quiescent state tracking (last_qs) on every invocation, preventing rcu_softirq_qs_periodic from reporting grace period completion. This triggers kernel stalls lasting hundreds of seconds (400,000+ jiffies observed), causing tools like bpftrace to hang indefinitely and impacting system stability. Vendor patches available for 6.19.9 and 7.0. EPSS score of 0.02% suggests very low active exploitation likelihood, consistent with this being a kernel-internal RCU mechanism issue affecting specific network polling configurations rather than a remotely triggerable network attack surface.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Timing attacks can compromise TCP Authentication Option (TCP-AO) message authentication codes in Linux kernel 6.7+ due to non-constant-time MAC comparison. Remote unauthenticated attackers on the network path can exploit timing differences during MAC validation to extract authentication secrets, defeating TCP-AO's connection authentication mechanism. Exploitation probability is low (EPSS 0.02%, 5th percentile) with no confirmed active exploitation, but vendor patches are available for affected stable branches including 6.12.78, 6.18.19, 6.19.9, and mainline 7.0.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Timing attacks against TCP MD5 authentication in Linux kernel allow remote attackers to forge connection signatures through MAC comparison oracle. The vulnerability exists because MAC (Message Authentication Code) comparisons in the TCP-MD5 implementation are not constant-time, enabling attackers to extract authentication secrets through timing side-channels. All Linux kernel versions from 2.6.20 through 6.19.9 are affected. Patches are available across all actively maintained stable branches (5.10, 6.1, 6.6, 6.12, 6.18, 6.19, 7.0). EPSS score of 0.02% suggests low automated exploitation probability, though the network-accessible attack vector and authentication bypass capability represent significant risk for systems using TCP MD5 signatures (RFC 2385).

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Deadlock in the Linux kernel's batman-adv ELP metric worker allows a local low-privileged user to trigger a kernel hang and cause a denial of service. The flaw exists in batadv_v_elp_get_throughput() where a previous fix using rtnl_trylock() for the ethtool path failed to cover the cfg80211 interface path, which still called batadv_get_real_netdev() - itself internally invoking rtnl_lock(). When batadv_v_elp_iface_disable() cancels the work queue via cancel_delayed_work_sync() while the RTNL lock is already held, this double-lock acquisition produces a deadlock. No public exploit identified at time of analysis, and EPSS of 0.02% confirms very low real-world exploitation probability.

Information Disclosure Linux
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel crash (local denial of service) in the Linux nouveau NVIDIA GPU driver allows a local authenticated user to trigger a kernel WARNING and system instability by accessing the DisplayPort AUX channel (/dev/drm_dp_*) while the GPU is in runtime-suspended state. The driver fails to check device power state before invoking the GSP (GPU System Processor) firmware communication path, causing an unhandled condition in r535_gsp_msgq_wait. No public exploit exists and the EPSS score is 0.02% (7th percentile), but the vulnerability is notable in environments where fwupd or similar firmware tools interact with DP AUX interfaces on systems using the nouveau driver with runtime power management enabled.

Denial Of Service Lenovo Linux
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Stack buffer overflow in the Linux kernel's pmbus/q54sj108a2 hwmon driver allows local privileged users to corrupt kernel stack memory by reading from a specific debugfs entry. The flaw stems from a misuse of bin2hex() that writes 64 bytes of hex-encoded output into a 34-byte stack buffer, overflowing it by 30 bytes; no public exploit identified at time of analysis and EPSS exploitation probability is negligible at 0.03% (9th percentile).

Information Disclosure Linux Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use-after-free in Linux kernel ksmbd allows remote unauthenticated attackers to potentially execute arbitrary code, disclose sensitive information, or cause denial of service. The vulnerability stems from improper RCU lock handling in smb_lazy_parent_lease_break_close() where opinfo pointer is dereferenced after RCU read unlock, creating a race condition. Patches available across multiple kernel versions (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). Despite critical CVSS 9.8 score, EPSS exploitation probability is low (0.02%, 5th percentile) and no active exploitation or public POC identified at time of analysis.

Information Disclosure Linux Use After Free +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use-after-free in the Linux kernel's ksmbd SMB server (smb2_open()) allows remote attackers to potentially trigger memory corruption when accessing an opinfo pointer dereferenced after rcu_read_unlock(). The flaw is fixed in upstream stable releases (6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0); no public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.

Memory Corruption Information Disclosure Linux +3
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Linux kernel's ksmbd server exposes SMB3 session, signing, encryption, and decryption keys in debug logs when KSMBD_DEBUG_AUTH is enabled. Authenticated network attackers with access to system logs can retrieve these cryptographic keys to compromise SMB3 session confidentiality and integrity. EPSS probability is very low (0.01%, 3rd percentile) and no active exploitation is documented. Vendor patches available across multiple stable kernel branches (6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.9, 7.0).

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use-after-free in Linux kernel ksmbd allows remote unauthenticated attackers to execute arbitrary code, escalate privileges, or cause denial of service by racing oplock_info access during concurrent RCU read operations. The vulnerability stems from immediate kfree() without RCU grace period, enabling opinfo_get() to call atomic_inc_not_zero() on freed memory. CVSS 9.8 reflects network exploitability without authentication, though EPSS score of 0.02% (5th percentile) suggests minimal observed exploitation attempts. Vendor patches available across multiple kernel versions (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0) with fixes referenced in five upstream commits. Not listed in CISA KEV; no public exploit code identified at time of analysis.

Information Disclosure Linux Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Linux kernel MCTP driver leaks USB device references when probe fails, allowing local authenticated attackers to trigger denial of service through resource exhaustion. The flaw affects kernels from 6.15 through 6.19.9 and has been patched in versions 6.18.19, 6.19.9, and 7.0. EPSS score of 0.02% indicates minimal active exploitation risk, and no public exploit code has been identified at time of analysis.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel nexthop routing code allows local authenticated attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability occurs when removing a nexthop from a routing group, where percpu statistics memory is freed before the RCU grace period completes, allowing concurrent readers to access freed memory. Vendor patches available for stable kernel branches 6.12.78, 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV). CVSS 7.8 reflects local attack vector requiring authenticated access.

Information Disclosure Linux Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Memory exhaustion in Linux kernel NCSI protocol handler allows remote denial of service through resource depletion. The Network Controller Sideband Interface (NCSI) receive and Asynchronous Event Notification (AEN) handlers fail to free socket buffers (skbs) in error paths, enabling network attackers to exhaust kernel memory by sending malformed NCSI packets or triggering device resolution failures. CVSS 7.5 (High severity) reflects unauthenticated network exploitation, though low EPSS score (0.02%, 7th percentile) suggests minimal observed exploitation. Vendor patches available across all active kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource leak in Linux kernel's Microchip DSA PTP driver allows local authenticated users with low privileges to cause denial of service through high availability impact. The ksz_ptp_irq_setup() function fails to dispose of newly created IRQ mappings when request_threaded_irq() fails during PTP message IRQ setup, leading to resource exhaustion. Vendor patches available across multiple stable kernel branches (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS score of 0.02% (5th percentile) indicates very low probability of exploitation in the wild, and no public exploit identified at time of analysis.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak and denial-of-service in the Linux kernel macb network driver (used in AMD ZynqMP platforms) allows local authenticated users to cause prolonged network disruption and system resource exhaustion. The flaw manifests during suspend/resume cycles when the transmit ring pointer resets incorrectly, silently dropping queued packets without releasing their memory, and causing the driver to become stuck waiting for already-transmitted packets. Real-world impact observed in NFS rootfs recovery delays. EPSS score of 0.02% (7th percentile) indicates low exploitation likelihood. Vendor patches available across multiple stable kernel branches (6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.9).

Amd Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free race condition in Linux kernel amdgpu driver allows local authenticated users to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The flaw occurs when parent and child processes sharing a drm_file both attempt to acquire the same virtual memory context after fork(), due to non-atomic vm->process_info assignment. Patches released across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS score of 0.02% (7th percentile) indicates very low predicted exploitation probability despite CVSS 7.8 severity, and no active exploitation or public POC identified.

Information Disclosure Linux Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A NULL pointer dereference in Linux kernel AMD GPU driver cleanup code causes local denial of service when GPU initialization fails on systems with unsupported AMD hardware blocks. Local authenticated users with low privileges can trigger kernel crashes during device teardown sequences. The vulnerability affects multiple stable kernel versions (6.18.16-6.18.19, 6.19.6-6.19.9) with patches available from upstream. EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, and no active exploitation or public exploits are confirmed. Real-world impact is limited to systems with specific AMD GPU hardware experiencing initialization failures, making this primarily a reliability issue rather than a direct security threat.

Amd Denial Of Service Linux +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Integer overflow in Linux kernel's i915 graphics driver corrupts memory mapping for DRM/GEM shmem objects larger than 4GB, causing kernel warnings, potential crashes, and incorrect memory access when Intel graphics hardware processes large buffer objects. The vulnerability manifests when scatterlist length fields overflow during folio page allocation, leading to premature termination of backing page iteration. Patch available across multiple stable kernel branches (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0) per upstream commits. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.

Intel Buffer Overflow Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in Linux kernel's AMD DRM driver causes system crash during device cleanup on unsupported hardware. The flaw (CWE-476) affects multiple 6.18.x and 6.19.x kernel versions, allowing local authenticated users to trigger denial of service through AMD GPU driver initialization or cleanup operations. Patches available via kernel stable tree commits with EPSS score of 0.02% indicating minimal exploitation likelihood. No active exploitation or public POC identified at time of analysis.

Amd Denial Of Service Linux +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Linux kernel io_uring subsystem allows authenticated attackers with low privileges to achieve high confidentiality, integrity, and availability impact through improper buffer list type validation during recycling operations. The vulnerability stems from a race condition where buffer lists can be upgraded from legacy to ring-provided type between acquisition and recycling when requests are forced through io-wq, potentially leading to type confusion and memory corruption. Patches available across multiple kernel versions (6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0) with upstream commits confirmed. EPSS score is very low (0.02%, 7th percentile) indicating minimal observed exploitation probability despite high CVSS 7.8 rating. No KEV listing or public exploit identified at time of analysis.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Log corruption in Linux kernel XFS filesystem leads to mount failures and potential data integrity loss when superblock lacks log stripe unit configuration. Systems with 4k physical sector disks are vulnerable to torn writes and CRC failures that prevent filesystem mounting. Vendor-released patches available across multiple stable kernel branches (5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS score of 0.02% suggests low exploitation probability. No active exploitation confirmed (not in CISA KEV). CVSS 8.2 reflects network vector but description indicates local filesystem operation - attack vector discrepancy requires verification.

Microsoft Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in Linux kernel's ublk driver allows local authenticated users to crash the system by sending UBLK_CMD_UPDATE_SIZE to a device before it starts or after it stops. The vulnerability exists in ublk_ctrl_set_size() which unconditionally dereferences ub->ub_disk without validating the device state, triggering a kernel panic and causing a denial of service. Patches are available from the Linux kernel maintainers for versions 6.18.20, 6.19.9, and 7.0. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability, consistent with the local-only attack vector and absence from CISA KEV.

Denial Of Service Linux Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

System hangs on Linux kernel resume from s2ram when firmware re-enables x2apic mode that kernel disabled during boot. Affects x86 systems with APIC hardware where kernel disabled x2apic (due to missing IRQ remapping support or other reasons) but ACPI-compliant firmware restores x2apic to initial boot state per spec. Kernel continues using xapic interface while hardware operates in x2apic mode, causing denial of service through system freezes. CVSS 5.5 (local low-complexity authenticated attack, high availability impact). EPSS 0.02% (7th percentile) indicates low observed exploitation probability. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0 mainline). No KEV listing or public exploit identified at time of analysis.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

In-place encryption in the Linux kernel's SMB client corrupts write payloads during retry attempts, potentially causing data integrity loss and denial of service when SMB connections experience transient failures. The flaw affects SMB3 encrypted writes where the encryption process modifies the original buffer in place; on replayable errors (like network interruptions), retries re-send already-encrypted data as if it were plaintext, resulting in double-encryption and corrupted writes. This particularly impacts special file operations (SFU mknod, MF symlinks) and sync writes on pre-6.10 kernels. Patches are available across multiple stable kernel branches (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS score is very low (0.01%), indicating minimal observed exploitation likelihood, and no active exploitation or public POC is documented.

Linux Memory Corruption Buffer Overflow
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Filesystem denial-of-service in the Linux kernel's btrfs subsystem allows a local low-privileged user to force a mounted btrfs filesystem into read-only mode by repeatedly snapshotting a received subvolume until the BTRFS_UUID_KEY_RECEIVED_SUBVOL B-tree leaf overflows its maximum item size, triggering a transaction abort in create_pending_snapshot(). Critically, the operations involved - snapshot, send, receive, and set_received_subvol - require only inode_owner_or_capable() rather than CAP_SYS_ADMIN, meaning unprivileged users owning subvolumes can mount this attack. No public exploit identified at time of analysis beyond the detailed reproducer script embedded in the advisory itself; EPSS at 0.02% (7th percentile) reflects low widespread automated exploitation probability, though multi-tenant environments face elevated practical risk.

Buffer Overflow Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Btrfs filesystem transaction abort in the Linux kernel allows a local low-privileged user to force any btrfs-mounted volume into read-only mode by deliberately creating files whose names produce identical crc32c hash values. When enough hash-colliding filenames are created in a single directory, the dir item leaf node fills beyond its size limit, triggering a kernel transaction abort that renders the entire btrfs volume inaccessible for all users. A detailed reproducer script including a curated list of crc32c-colliding filenames is embedded directly in the CVE description, making exploitation trivially repeatable; however, the EPSS score of 0.02% (7th percentile) and absence from CISA KEV indicate no confirmed widespread exploitation at time of analysis.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service via transaction abort in Linux kernel btrfs subsystem when a non-privileged subvolume owner repeatedly calls the set received ioctl with identical UUID values, causing filesystem to transition to read-only mode. The vulnerability exploits insufficient pre-flight validation that allows metadata updates to commence before detecting item overflow conditions, requiring only local access and subvolume ownership rather than root privileges. EPSS score of 0.02% indicates low exploitation probability despite CVSS 5.5 severity, suggesting practical exploitation barriers despite low privilege requirements.

Integer Overflow Buffer Overflow Linux +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

RCU locking imbalance in Linux kernel btrfs filesystem code causes local denial of service. The try_release_subpage_extent_buffer() function in btrfs can exit an error path without properly releasing an RCU read lock, creating a locking inconsistency that leads to system instability. Affects Linux kernel versions 6.17 through pre-7.0, with patches available in stable branches 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% (4th percentile) indicates minimal observed exploitation activity. The flaw was detected through static analysis using Clang's thread-safety analyzer rather than field exploitation, suggesting lower immediate real-world risk despite the high-availability CVSS impact rating.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local denial of service in Linux kernel's MPU3050 gyroscope driver allows authenticated users with low privileges to crash the system by triggering power management failures. The mpu3050-core driver fails to validate pm_runtime_get_sync() return values, enabling hardware access when device resume fails and causing improper reference counting that leads to kernel instability. EPSS score of 0.02% indicates minimal active exploitation likelihood, and patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A NULL pointer dereference in the Linux kernel's adis_init() function causes kernel crashes when initializing ADIS IMU drivers (adis16480, adis16490, adis16545). The function attempts to dereference adis->ops without first verifying it is non-NULL, triggering denial of service on affected systems during device probe. Exploitation requires local access with low privileges (CVSS AV:L/AC:L/PR:L). EPSS score of 0.02% (4th percentile) indicates minimal real-world exploitation likelihood. Vendor patches available across multiple stable kernel versions (6.19.9, 6.18.19, 7.0).

Denial Of Service Linux Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local attackers with low-level privileges can trigger a denial of service in Linux kernel versions 4.7 through 7.0 by exploiting a power management reference leak in the bh1780 ambient light sensor driver. The vulnerability causes system resource exhaustion through improper PM runtime reference counting in the IIO subsystem's error handling path. Vendor patches are available across multiple stable kernel branches (5.10.253, 6.1.167, 6.6.130, 6.18.19, 6.19.9, 7.0), with EPSS probability of 0.02% indicating low observed exploitation likelihood and no active exploitation confirmed.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local denial of service in the Linux kernel's HX9023S proximity sensor driver (iio subsystem) allows authenticated users with low privileges to crash the system via division by zero when setting sampling frequency with an unspecified value. Patch available from kernel.org stable trees for versions 6.12.78, 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation activity. No public exploit code or active exploitation (not in CISA KEV) confirmed at time of analysis.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Race condition in Linux kernel I3C HCI DMA dequeue handler allows local authenticated attackers with low privileges to trigger memory corruption leading to privilege escalation, denial of service, or information disclosure. The vulnerability affects kernel versions from 5.11 onwards where the mipi-i3c-hci driver is enabled. EPSS probability is low (0.02%, 4th percentile) and no active exploitation or public POC is identified at time of analysis. Vendor patches available for stable kernel branches 6.18.19, 6.19.9, and 7.0.

Information Disclosure Linux Race Condition
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Flawed DMA ring abort handling in the Linux kernel's MIPI I3C Host Controller Interface driver allows local authenticated attackers with low privileges to cause high-severity impacts including information disclosure, integrity violations, and denial of service. The vulnerability stems from improper abort sequence logic that disrupts controller state by unintentionally clearing hardware enable bits and resetting ring pointers. Vendor patches are available for kernel versions 6.18.19, 6.19.9, and 7.0. EPSS score of 0.02% (4th percentile) indicates low probability of mass exploitation, and no active exploitation or public POC has been identified at time of analysis.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Linux kernel KVM/arm64 vGIC subsystem allows local authenticated users with low privileges to crash the hypervisor via use-after-free during virtual interrupt controller teardown. CVSS rates this 5.5 (medium severity, local vector), but EPSS exploitation probability is very low at 0.02% (4th percentile). Patches available across multiple stable kernel versions (6.18.19, 6.19.9, 7.0). No active exploitation confirmed per CISA KEV, and the local-only attack vector with specific KVM/ARM64 deployment requirements limits real-world impact to environments running ARM64 virtualization workloads.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Out-of-bounds read in Linux kernel SMB client allows malicious SMB servers to disclose kernel memory and potentially crash systems via crafted NFS mode SIDs in ACL responses. Affects Linux kernel 5.4+ with SMB client enabled. Vendor patches released for stable branches 6.6.136, 6.12.84, 6.18.25, 7.0.2, and mainline 7.1-rc1. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation confirmed (not in CISA KEV). Attack requires user interaction (mounting malicious SMB share), reducing practical risk for environments with controlled server connections.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Use of uninitialized memory in Linux kernel f2fs filesystem node footer validation causes local denial of service. Linux kernel versions 7.0 through 7.1-rc1 with f2fs support allow local authenticated users to trigger a kernel crash by mounting a maliciously crafted f2fs filesystem image. The vulnerability occurs when f2fs_sanity_check_node_footer() accesses uninitialized folio data after a failed disk read operation during filesystem mount, as reported by syzbot. EPSS score of 0.02% (4th percentile) indicates minimal real-world exploitation likelihood. Vendor patches available for stable kernel branches 6.18.25, 7.0.2, and 7.1-rc1.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The Linux kernel mshv_vtl driver permits local denial-of-service via memory registration failure when VTL0 memory ranges are sufficiently aligned (35+ trailing zeros in physical address). An unclamped vmemmap_shift calculation can exceed MAX_FOLIO_ORDER, causing memremap_pages() to reject the operation and potentially destabilize virtualization infrastructure. CVSS 5.5 indicates local authenticated exploitation with low complexity. EPSS 0.02% suggests minimal real-world targeting. Vendor patches available for kernel 7.0.2 and 7.1-rc1 address both the shift clamping and error propagation issues.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Memory corruption in Linux kernel on Qualcomm Monaco-based ARM64 platforms causes kernel crashes through synchronous external aborts when accessing hypervisor-owned memory incorrectly marked as conventional RAM. The firmware's EFI memory map only reserves 288 KiB of a 512 KiB Gunyah hypervisor metadata region (0x91a80000-0x91afffff), leaving 224 KiB exploitable for triggering fatal aborts. Patches available for stable branches 6.18.24, 6.19.14, and 7.0 series. EPSS exploitation probability is very low (0.02%, 4th percentile) with no known active exploitation or public POC, indicating limited real-world threat despite CVSS 7.5 rating.

Qualcomm Denial Of Service Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local denial of service in Linux kernel PTP (Precision Time Protocol) driver for Intel Ethernet (ice) allows authenticated users with low privileges to crash the system when PF passthrough is configured without the controlling PF. The vulnerability is caused by improper null pointer handling (CWE-617) when ice_ptp_setup_pf() attempts to access an uninitialized PTP controlling PF in VFIO passthrough configurations. Affects Linux kernel 6.13 through 7.0-rc7. EPSS probability is very low (0.02%, 4th percentile) and no active exploitation has been reported. Patches are available in stable branches 6.18.24, 6.19.14, and mainline 7.0.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Linux Kernel versions 6.4 and later containing IPA v5.0+ hardware support experience complete data path failure and indefinite system hangs during suspend or shutdown operations due to a register field misprogramming bug. The event ring index field was incorrectly referenced using an outdated identifier (ERINDEX instead of CH_ERINDEX) in the CH_C_CNTXT_1 register definition, preventing GSI channels from signaling transfer completions. This causes gsi_channel_trans_quiesce() to block indefinitely in wait_for_completion(), resulting in runtime suspend, system suspend, and remoteproc stop operations hanging forever. Patches are available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% indicates very low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV). The CVSS vector indicates network-accessible attack surface, though the actual impact is limited to devices with IPA v5.0+ hardware.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Die ID initialization and lookup bugs in the Linux kernel's Intel uncore performance monitoring subsystem (perf/x86/intel/uncore) can cause a reachable assertion trigger or silent loss of PMON unit visibility on Intel Sapphire Rapids (SPR) and Emerald Rapids (EMR) server hardware. Authenticated local users on affected systems may crash the kernel via the WARN_ON_ONCE reachable assertion (CWE-617) or, when NUMA is disabled on a NUMA-capable platform, cause all uncore PMON units to be silently dropped from the RB tree - rendering hardware performance monitoring inoperative. No public exploit exists and EPSS is 0.02%, indicating no active exploitation pressure at time of analysis.

Intel Information Disclosure Linux +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Unbalanced reference counting in the Linux kernel USB gadget CDC Subset Ethernet driver (f_subset) causes a resource leak that denies availability of USB gadget reconfiguration. A local authenticated user can trigger the condition by allocating and freeing the geth USB gadget function, leaving the reference count permanently elevated due to a missing decrement in geth_free(). The practical impact is a denial-of-service against the configfs interface for USB gadget management - subsequent attempts to unlink and re-configure the USB function fail silently. No public exploit is identified and EPSS exploitation probability is negligible at 0.02% (7th percentile).

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Race condition in the Linux kernel's USB RNDIS gadget function driver (f_rndis) allows a local low-privileged attacker to crash the kernel by concurrently manipulating class/subclass/protocol configfs attributes without mutex protection. Identified during code inspection - not observed in active exploitation - this vulnerability affects multiple stable kernel branches from 4.14 through 7.0-rc3, with patches released across all maintained stable series. With an EPSS of 0.02% (7th percentile), no public exploit, and no CISA KEV listing, real-world risk is low but meaningful on embedded or IoT devices using Linux as a USB RNDIS peripheral.

Information Disclosure Race Condition Linux +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Integer overflow in Linux kernel's IPv6 IOAM (In-situ Operations, Administration, and Maintenance) trace functionality allows remote unauthenticated attackers to trigger buffer overflow conditions. A crafted IOAM trace packet with specific schema configurations causes an 8-bit integer wraparound that bypasses buffer boundary checks, enabling memory corruption with potential for arbitrary code execution at kernel privilege level. CVSS scored 9.8 (Critical) with network attack vector, though EPSS score of 0.02% (7th percentile) suggests minimal observed exploitation activity. Patches available across multiple stable kernel versions (5.15, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) via upstream commits, indicating vendor-prioritized remediation without confirmed active exploitation.

Authentication Bypass Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local denial of service in Linux kernel COMEDI subsystem allows authenticated users to trigger inconsistent lock states when reattaching low-level drivers to legacy COMEDI devices. Exploitation probability is low (EPSS 2%, percentile 7%) with no public exploit identified at time of analysis. Vendor-released patches available across all stable kernel branches from 5.10.253 through 7.0. Affects systems configured with non-zero comedi_num_legacy_minors parameter and requires local authenticated access to COMEDI device nodes.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Linux kernel IPv6 address configuration subsystem enables authenticated local users to gain high-level system access through a use-after-free (UaF) condition in addrconf_permanent_addr(). Patch available across all maintained stable kernel series (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) with fixes backported from commit f1705ec197e7. EPSS score of 0.02% suggests minimal active exploitation likelihood, no KEV listing or public POC identified at time of analysis.

Information Disclosure Linux Use After Free +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Transaction abort and denial of service in Linux kernel btrfs qgroup ioctls occurs when quota group operations fail to reserve transaction space for metadata updates and delayed references, resulting in -ENOSPC errors under filesystem pressure. Affected versions include mainline kernel through 6.19.x and stable branches 6.12.x and 6.18.x, with patches available in 6.12.81, 6.18.22, 6.19.12, and 7.0. Local authenticated users can trigger filesystem unavailability through qgroup operations. EPSS exploitation probability is low (0.02%), no active exploitation confirmed, and this represents a stability issue rather than a direct security compromise, though availability impact is high per CVSS 5.5 score.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's AMD display driver (DRM subsystem) allows local authenticated users to crash the system via dcn401_init_hw() function. Affects kernel 6.12 through 7.0-rc6, specifically the DCN 4.01 hardware sequencer in amdgpu driver. Vendor patches available for stable branches (6.18.22, 6.19.12, 7.0). EPSS exploitation probability is very low (0.02%, 4th percentile), indicating minimal real-world threat despite moderate CVSS score. Not listed in CISA KEV, and no public exploit code identified at time of analysis.

Amd Denial Of Service Linux +3
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

ChaCha cipher implementation in the Linux kernel leaks cryptographic key material through an improperly zeroized stack variable. The ChaCha permutation function leaves 'permuted_state' on the stack after execution, which can be used to reverse-compute the original encryption key since ChaCha's permutation is mathematically invertible. This information disclosure affects kernel cryptographic operations including the RNG (random number generator). EPSS score of 0.02% indicates very low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV). Patches are available across all maintained kernel versions from 5.10.253 through 6.19.12.

Information Disclosure Linux Red Hat
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in Linux kernel's Qualcomm SM8450 interconnect driver causes local denial of service during device probe. The vulnerability affects Linux kernel 6.19.x through 7.0-rc6 on Qualcomm SM8450 platforms when the interconnect driver initializes. Upstream patches are available (commits 77d22bf3fc5d and dbbd550d7c8d). EPSS score of 0.02% indicates very low observed exploitation probability, and no active exploitation or public POC has been identified. Real-world risk is limited to local authenticated users on affected Qualcomm SoC platforms during driver initialization.

Denial Of Service Linux Null Pointer Dereference +2
NVD VulDB
Prev Page 13 of 143 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy