Skip to main content

Linux

12819 CVEs vendor

Monthly

CVE-2026-43334 HIGH PATCH This Week

Authentication downgrade in Linux kernel Bluetooth SMP allows adjacent network attackers to bypass MITM protection during pairing. When a Bluetooth responder requires BT_SECURITY_HIGH, the SMP implementation incorrectly builds pairing responses before enforcing local MITM requirements, allowing initiators to force weaker 'Just Confirm' authentication even when policy mandates stronger methods. EPSS score of 0.02% indicates low predicted exploitation probability, and no active exploitation or public POC has been identified. Patches available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).

Information Disclosure Linux Red Hat
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-43333 MEDIUM PATCH This Month

Kernel NULL pointer dereference in Linux kernel's BPF verifier allows local authenticated users to trigger a denial of service. The vulnerability stems from improper handling of nullable PTR_TO_BUF pointers in check_mem_access(), where map iterator callbacks can dereference NULL ctx->key or ctx->value pointers without validation, causing a kernel crash. Affects Linux kernel versions 5.17 through 7.0-rc4, with patches available across stable branches (5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates very low probability of exploitation in the wild, and no evidence of public exploit code or active exploitation exists. Local access with low privileges required makes this a targeted risk rather than widespread threat.

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43332 HIGH PATCH This Week

Use-after-free in Linux kernel thermal subsystem allows local authenticated attackers with low privileges to achieve high confidentiality, integrity, and availability impact through race condition during thermal zone device registration failure. The flaw occurs when thermal_zone_device_register_with_trips() fails after registration but before properly cleaning up - if userspace holds a kobject reference, the thermal zone structure can be freed prematurely while still in use. Vendor patches available across stable branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating, suggesting limited real-world attacker interest in this local race condition.

Information Disclosure Linux Red Hat
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43331 MEDIUM PATCH This Month

Kernel crash loop in x86_64 Linux when kexec is executed on a kernel built with both CONFIG_KCOV and CONFIG_KEXEC enabled. The load_segments() function invalidates the GS base register that KCOV relies on for per-cpu data access; any subsequently instrumented C function call (e.g. native_gdt_invalidate()) triggers an endless crash loop resulting in a kernel panic and complete system unavailability. No public exploit exists and EPSS is 0.02% (4th percentile), consistent with the highly constrained triggering environment - this primarily affects kernel developers and syzkaller-based fuzzing infrastructure rather than general-purpose production systems.

Denial Of Service Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43330 HIGH PATCH This Week

Buffer overflow in the Linux kernel's CAAM crypto driver allows local authenticated attackers to corrupt memory and potentially execute arbitrary code with elevated privileges. The vulnerability occurs when HMAC keys exceeding the algorithm's block size are processed - the driver allocates DMA-aligned memory but uses kmemdup() to copy only the actual key length, then reads beyond the source buffer boundary during hashing. EPSS score of 0.02% (5th percentile) indicates low predicted exploitation likelihood. Patches are available across multiple stable kernel branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) via upstream commits, with fixes applied since kernel 6.3 introduced the vulnerable code.

Buffer Overflow Linux Memory Corruption Red Hat
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43329 HIGH PATCH This Week

Buffer overflow in Linux kernel netfilter flowtable hardware offload allows local authenticated users to achieve high confidentiality, integrity, and availability impact via IPv6 flowtable configurations. The vulnerability stems from an off-by-one error where IPv6 setups require 17 actions but the hardcoded limit was 16, enabling memory corruption when complex IPv6 flows with SNAT, DNAT, VLAN manipulation, and tunneling are offloaded to hardware. EPSS exploitation probability is low (0.02%, 7th percentile), and vendor patches are available across multiple stable kernel branches (5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). No public exploit code or CISA KEV listing identified at time of analysis.

Linux Denial Of Service
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43328 HIGH PATCH This Week

Double-free condition in the Linux kernel's cpufreq governor subsystem affects multiple stable branches and can lead to memory corruption when an error path in cpufreq_dbs_governor_init() is triggered. The flaw stems from redundant cleanup logic that calls gov->exit() and kfree(dbs_data) twice after a kobject_init_and_add() failure, and no public exploit identified at time of analysis. EPSS exploitation probability is very low (0.02%, 7th percentile), consistent with a local memory-safety bug requiring privileged access rather than a remote attack surface.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43327 MEDIUM PATCH This Month

Race condition in Linux kernel's dummy-hcd USB gadget driver causes kernel crash and denial of service when USB reset occurs simultaneously with driver unbind. Syzbot testing triggered NULL pointer dereference in usb_gadget_udc_reset() due to improper spinlock handling in stop_activity() that allowed dum->driver to be cleared prematurely. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) suggests very low observed exploitation probability. Not listed in CISA KEV, indicating no confirmed active exploitation.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43326 MEDIUM PATCH This Month

A deadlock vulnerability in the Linux kernel's sched_ext (extensible scheduler) subsystem allows local authenticated users to trigger a denial of service by creating cyclic wait dependencies between CPUs. The flaw exists in the SCX_KICK_WAIT mechanism where busy-waiting in hardirq context prevents rescheduling and kick_sync advancement, causing multi-CPU deadlocks when wait cycles form. Patch available from mainline kernel (commit c3a7903f65cf for mainline, 415cb193bb97 for stable 6.12+). EPSS score of 0.02% suggests minimal real-world exploitation activity. No public exploit code or active exploitation confirmed at time of analysis.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43325 MEDIUM PATCH This Month

A firmware crash in Linux kernel's iwlwifi driver (versions 6.9 through 7.0-rc7) occurs when the AX201 Wi-Fi adapter incorrectly receives a 6GHz-related command (MCC_ALLOWED_AP_TYPE_CMD) despite lacking 6E support. This triggers a local denial of service (CVSS 5.5, AV:L) requiring low privileges. Vendor patches are available across stable branches (6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (4th percentile) indicates minimal real-world exploitation risk, with no active exploitation or public POC identified. Priority for systems using Intel AX201 adapters where local users could trigger system instability.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43324 HIGH PATCH This Week

Race condition in the Linux kernel's dummy-hcd USB driver allows local authenticated users to trigger use-after-free conditions during gadget driver unbinding, potentially enabling privilege escalation, information disclosure, or denial of service. The flaw stems from incorrect ordering of interrupt synchronization - emulated synchronize_irq() runs before interrupt-disable, allowing callbacks to execute after the gadget driver is unbound. Patched versions include 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% (7th percentile) indicates very low probability of exploitation in the wild, with no confirmed active exploitation or public POC identified at time of analysis.

Information Disclosure Linux Red Hat
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43323 MEDIUM PATCH This Month

Local denial of service in Linux kernel scheduler (6.12.78-6.19.12) allows low-privileged users to trigger system-wide instability via stress-ng-yield workloads. The flaw stems from incomplete vruntime tracking in commit b3d99f43c72b, where yield()-heavy tasks can leapfrog past tick updates and cause overflow conditions. EPSS exploitation probability is negligible (0.02%, 5th percentile), and vendor patches are available across all affected stable branches. No active exploitation or public POC identified at time of analysis.

Buffer Overflow Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43322 HIGH PATCH This Week

Use-after-free (UAF) in Linux kernel Bluetooth subsystem allows adjacent network attackers to trigger memory corruption via malformed LE Read Features Complete responses. The vulnerability occurs when hci_conn is freed before le_read_features_complete callback executes but after hci_le_read_remote_features_sync initiates, causing atomic operations on freed memory during hci_conn_drop. Active exploitation status not confirmed (no CISA KEV listing). EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. Upstream patches committed to stable kernel branches 6.19.12+ and 7.0+.

Information Disclosure Google Linux Use After Free Memory Corruption +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-43321 HIGH PATCH This Week

Improper register liveness tracking in the Linux kernel eBPF verifier allows local authenticated users to potentially achieve information disclosure, privilege escalation, or denial of service through crafted BPF programs. The vulnerability stems from the compute_insn_live_regs() function failing to mark registers as used during indirect jump ('gotox rX') instructions, enabling attackers with BPF program loading privileges to manipulate register state tracking. With EPSS exploitation probability at 0.02% (5th percentile) and no evidence of active exploitation or public POC, this represents a theoretical risk primarily for systems where unprivileged users can load BPF programs. Vendor patches are available for kernel versions 6.18.16, 6.19.6, and 7.0.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43320 MEDIUM PATCH This Month

A null pointer dereference in the AMD Display Core driver's DSC (Display Stream Compression) handling for eDP panels causes local system crashes on Linux kernel 6.12 through 7.0-rc5. The vulnerability stems from missing function hook validation before use, allowing local authenticated users with low privileges to trigger a high-severity denial-of-service condition. Patches available across kernel 6.12.75, 6.18.16, 6.19.6, and 7.0 stable branches. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation activity, and no KEV listing or public POC identified at time of analysis.

Amd Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43319 MEDIUM PATCH This Month

Local denial-of-service deadlock in Linux kernel spidev driver allows authenticated users with low privileges to freeze the SPI subsystem via concurrent write() and ioctl() calls. The AB-BA lock inversion between spi_lock and buf_lock is reproducible with simple multithreaded userspace programs accessing the same spidev file descriptor. Patch available across stable kernel branches (6.12.75, 6.18.16, 6.19.6, 7.0) with extremely low EPSS score (0.02%, 5th percentile) indicating minimal real-world exploitation likelihood. No active exploitation or public POC identified at time of analysis.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43318 MEDIUM PATCH This Month

Race condition in Linux kernel AMDGPU driver allows local attackers with low privileges to trigger denial of service through GPU page faults during DMA buffer operations. The vulnerability affects multi-GPU systems where shared buffer objects are accessed across different GPUs, particularly impacting AMD Radeon graphics driver stability. Patch available from upstream kernel maintainers for versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit code or active exploitation has been identified.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43317 MEDIUM PATCH This Month

Resource leak in Linux kernel MOST (Media Oriented Systems Transport) core driver allows local authenticated users to trigger denial of service through repeated interface registration failures. The vulnerability stems from incomplete error handling in the driver's registration path, where resources allocated for MOST interfaces are not properly released when early registration failures occur. While CVSS rates this 5.5 with local access and low attack complexity, the EPSS score of 0.02% (5th percentile) indicates minimal real-world exploitation likelihood. Vendor patches are available across multiple kernel stable branches (6.12.75, 6.18.16, 6.19.6, 7.0).

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43316 MEDIUM PATCH This Month

An out-of-bounds shift operation in the Linux kernel's solo6x10 media driver causes a local denial of service. Affects Linux kernel versions from the initial commit through 7.0-rc3, with patches available in stable versions 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. The flaw, triggered by improper chip_id bounds checking, causes Clang's undefined behavior sanitizer to instrument code that can lead to system instability when exploited by low-privileged local users. EPSS exploitation probability is 0.02% (7th percentile), indicating minimal widespread threat. Vendor-released patches address the issue by adding explicit bounds validation and using unsigned shift operations.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71302 MEDIUM PATCH This Month

Race condition in drm/panthor GPU driver violates dma-fence safe access rules, allowing local authenticated users to cause denial of service via timeline name retrieval racing with queue freeing. CVSS 5.5 (local, low complexity) with EPSS 0.02% indicating minimal real-world exploitation likelihood despite active kernel-level flaw.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71301 MEDIUM PATCH This Month

Denial of service in Linux kernel DRM GEM shmem helper functions allows local privileged attackers to trigger CPU warnings and system instability via improper reservation lock handling around vmap/vunmap operations. The vulnerability affects Linux 6.16 and multiple stable branches (6.18, 6.19, 7.0) and is resolved in patched versions; exploitation requires local access with limited privileges and produces availability impact through kernel warnings rather than remote compromise.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71300 MEDIUM PATCH This Month

Memory access violations occur in Linux kernel on Xilinx ZynqMP systems when OP-TEE device tree nodes are manually defined, preventing U-Boot's OP-TEE injection logic from properly inserting reserved-memory nodes. This affects Linux kernel versions 6.9 through 7.0 on ARM64 ZynqMP platforms, allowing local authenticated users to cause denial of service through runtime memory access faults. Vendor-released patches are available across multiple stable branches (6.12.75, 6.18.16, 6.19.6, 7.0).

Code Injection Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43315 MEDIUM PATCH This Month

Local users with low privileges can trigger a denial of service in Linux kernel KVM (Kernel-based Virtual Machine) by manipulating nested virtualization state on AMD SVM systems. The vulnerability allows unprivileged users to cause a kernel warning and potential system instability by modifying CPUID after loading CR3 register state in nested SVM configurations. With CVSS 5.5 (AV:L/AC:L/PR:L) and low EPSS (0.02%), this represents a localized availability risk rather than a critical remote threat. Vendor patches are available across multiple kernel versions (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0).

Authentication Bypass Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43314 MEDIUM PATCH This Month

Local attackers with low privileges can cause indefinite system hangs in Linux kernel device-mapper (dm) subsystem by injecting io-timeout-fail errors, triggering CWE-772 resource leaks where I/O requests are never completed. Affects longstanding kernel code from 5.10.x through mainline 6.19.x; vendor-patched versions available (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates low real-world exploitation probability. No active exploitation confirmed (not in CISA KEV), no public POC identified at time of analysis.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43313 MEDIUM PATCH This Month

NULL pointer dereference in Linux kernel ACPI processor module allows local authenticated attackers to crash the system. The flaw occurs in acpi_processor_errata_piix4() when device lookup logic overwrites a valid pointer with NULL, triggering a crash when accessed by dev_dbg(). Vendor-released patches are available across multiple stable kernel branches (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS exploitation probability is very low (0.02%, 7th percentile), and no public exploit or active exploitation has been identified. The vulnerability requires local access with low privileges (CVSS AV:L/PR:L), making it a lower priority than network-exposed flaws despite the high availability impact.

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43312 MEDIUM PATCH This Month

A use-after-free in the OmniVision OV5647 camera sensor driver (media: i2c: ov5647) can trigger a kernel crash. The ov5647_init_controls() function dereferences an uninitialized subdev pointer via v4l2_get_subdevdata() when error conditions occur during probe. This affects Linux kernel versions from 5.12 through multiple stable branches including 5.15.x, 6.1.x, 6.6.x, 6.12.x, 6.18.x, and 6.19.x prior to patches. Vendor patches available across all affected stable trees. EPSS exploitation probability is very low (0.02%, 7th percentile) with no public exploit identified at time of analysis.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43311 MEDIUM PATCH This Month

Linux kernel's Tegra PMC driver can trigger kernel warnings and potential denial of service during system resume by calling generic_handle_irq() from non-interrupt context. Affects Tegra186 and later platforms running Linux kernel versions prior to 6.19.6 and 7.0. CVSS 5.5 indicates local low-complexity exploitation requiring authenticated access. EPSS score of 0.02% (5th percentile) suggests minimal observed exploitation activity. Vendor patches available via stable kernel tree commits.

Nvidia Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43310 MEDIUM PATCH This Month

Hardware-level denial of service in Linux kernel verisilicon media driver on i.MX8MQ platform allows local authenticated users to trigger VPU bus errors and system hangs through simultaneous H.264/HEVC decoding. Affects kernel versions 5.14 through pre-6.19.6 and pre-7.0. Patches available via stable kernel commits 286d629d1064 and e0203ddf9af7. EPSS score of 0.02% indicates minimal observed exploitation, and CVSS 5.5 reflects local scope with low complexity. No public exploit code identified, and not listed in CISA KEV.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43309 MEDIUM PATCH This Month

System hang during RAID array teardown affects Linux kernel's dm-raid target when metadata devices are suspended before removal. The vulnerability triggers when stopping dm-raid managed arrays, causing md_stop() to indefinitely block while attempting to flush write-intent bitmaps to already-suspended metadata devices. With EPSS exploitation probability at 0.02% (4th percentile) and vendor patches available for kernel versions 6.18.16, 6.19.6, and 7.0, this represents a local denial-of-service risk requiring low privileges but poses minimal risk in most environments due to the specific dm-raid configuration prerequisite.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43308 MEDIUM PATCH This Month

Denial of service vulnerability in Linux kernel btrfs filesystem allows local authenticated users to trigger a kernel panic via unexpected delayed reference types. The vulnerability stems from improper error handling in run_one_delayed_ref() that invokes BUG() instead of gracefully returning an error. Patched in Linux 6.19.6 and 7.0 with proper error logging. EPSS exploitation probability is very low (0.02%, 5th percentile) with no public exploit or active exploitation reported, indicating minimal real-world risk despite the high availability impact in the CVSS score.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43307 HIGH PATCH This Week

Buffer over-read in the Linux kernel's adxl380 IIO accelerometer driver allows local authenticated users to read arbitrary kernel memory. The FIFO interrupt handler incorrectly calculates batch sizes when multiple channels are enabled, reading more entries than exist in the FIFO buffer. CVSS rates this 7.8 (High) with local access requiring low-privileged credentials. EPSS exploitation probability is minimal (0.02%, 5th percentile), indicating low real-world risk. Patches available in stable kernel versions 6.12.75, 6.18.16, 6.19.6, and 7.0.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43306 MEDIUM PATCH This Month

Local denial-of-service in Linux kernel BPF crypto subsystem allows authenticated attackers to crash the system via CFI policy violations. The vulnerability stems from a type mismatch in BPF's crypto destructor function when Control Flow Integrity (CONFIG_CFI) is enabled, causing kernel panics during object cleanup operations. Patches available across kernel versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low likelihood of mass exploitation. No KEV listing or public exploits identified at time of analysis.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43305 MEDIUM PATCH This Month

Denial of service via system hang in Linux kernel's AMD display driver occurs when the DMUB hardware lock evaluation mismatches between lock acquisition and release in the HWSS fast path, affecting ASIC variants without FAMS support. Local authenticated attackers can trigger this condition through display operations, causing a hang with high availability impact. Patch available in stable releases 6.19.6 and 7.0; EPSS score of 0.02% indicates low real-world exploitation probability despite KEV status.

Amd Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43304 CRITICAL PATCH Act Now

Improper key length validation in the Linux kernel's libceph authentication subsystem allows remote unauthenticated attackers to trigger memory corruption during Ceph authentication key decoding. This affects systems using Ceph distributed storage clusters, with EPSS probability 0.02% (percentile 7%), indicating low immediate exploitation likelihood. Patches available across all supported kernel branches (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) with commits linked in multiple stable trees, suggesting coordinated vendor response. No public exploit code or CISA KEV listing identified at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43303 HIGH PATCH This Week

Use-after-free in Linux kernel swap subsystem allows local authenticated users to achieve high-severity code execution, integrity violations, or denial of service. The vulnerability stems from multiple kernel subsystems (SLUB, shmem, TTM) failing to clear page->private fields before freeing memory, causing stale pointers to persist when pages are reallocated and split. The swap code then dereferences these uninitialized LIST_POISON values during swapoff operations, triggering KASAN-detected wild memory access. Patches available across kernel versions 6.18.16, 6.19.6, and 7.0, with EPSS score of 0.02% indicating low observed exploitation probability despite CVSS 7.8 rating.

Denial Of Service Linux Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43302 MEDIUM PATCH This Month

Linux kernel DMA API debug warnings in V3D rendering driver cause denial of service when CONFIG_DMA_API_DEBUG is enabled and V3D segment sizes exceed the default 64K maximum. The vulnerability affects systems using V3D graphics rendering (particularly Raspberry Pi 5) with debug DMA API enabled, allowing local authenticated users to trigger kernel warnings and potential system instability by creating V3D buffer objects larger than the device's claimed DMA segment size limit.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43301 MEDIUM PATCH This Month

A reference count underflow in the Linux kernel's chips-media wave5 video codec driver causes a runtime PM usage count to decrement below zero during module removal, triggering a kernel warning and potentially causing denial of service when the driver is unloaded. The vulnerability affects unprivileged local users on systems with the wave5 codec driver enabled, and occurs when the device has already been suspended via autosuspend before the remove path executes pm_runtime_put_sync(). EPSS score of 0.02% indicates low exploitation probability despite the denial-of-service capability.

Integer Overflow Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43300 MEDIUM PATCH This Month

Null-pointer dereference in the Linux kernel DRM panel driver (jdi_panel_dsi_remove function) allows local authenticated attackers to cause a denial of service by triggering device removal when the jdi structure is NULL. The vulnerability exists because the function checks for NULL but fails to return early, allowing subsequent code to dereference the NULL pointer. CVSS score is 5.5 (local attack vector, low complexity); EPSS indicates low exploitation probability (0.02%, 5th percentile), and no public exploit code or active exploitation has been confirmed.

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43299 MEDIUM PATCH This Month

Linux kernel btrfs filesystem crashes with kernel BUG when read-repair operations execute after filesystem transitions to read-only state during critical ENOSPC errors. Affects btrfs users experiencing metadata space exhaustion, causing denial of service through kernel panic in the bio repair path. Local attackers with low privileges can trigger this condition in specific filesystem states. EPSS score of 0.02% and no KEV listing indicate low probability of widespread exploitation. Vendor-released patches available in kernel versions 6.19.6 and 7.0.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43298 MEDIUM PATCH This Month

Denial of service in Linux kernel drm/amdgpu driver (VCNv2.5) affects virtual function (VF) GPU environments running kernel versions prior to 6.18.16, 6.19.6, and 7.0. During module unload or system deinitialization, VF configurations trigger a kernel warning and potential crash when attempting to release an uninitialized VCN poison interrupt handler. EPSS exploitation probability is very low (0.02%, 4th percentile) with no public exploit or active exploitation (not in CISA KEV). Vendor patches available across multiple stable kernel branches via upstream commits.

Amd Red Hat Information Disclosure Ubuntu Linux +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43297 MEDIUM PATCH This Month

Local denial-of-service in Linux kernel's Rockchip RGA media driver allows authenticated users with low privileges to crash the system through NULL pointer dereference. The vulnerability affects kernel versions 6.8+ containing the Rockchip RGA driver, where rga_buf_init() fails to validate ERR_PTR returns from rga_get_frame() before dereferencing frame size. Vendor patches available across stable branches (6.12.75, 6.18.16, 6.19.6). EPSS score 0.02% (5th percentile) indicates minimal real-world exploitation likelihood, consistent with local-only attack vector requiring authenticated access.

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43296 HIGH PATCH This Week

Denial of service in Linux kernel octeontx2-af network driver allows remote unauthenticated attackers to trigger system stalls and deadlocks via network traffic that exploits hardware errata in Marvell OcteonTX2 NIX SQ manager. The vulnerability affects Linux kernel versions from mainline through multiple stable branches, with vendor patches released for 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. EPSS exploitation probability is low at 0.02% (7th percentile), and no public exploit or active exploitation is confirmed at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43295 MEDIUM PATCH This Month

Denial of service in Linux kernel RapidIO subsystem occurs when idtab allocation fails during rio_scan_alloc_net(), causing the function to incorrectly invoke rio_free_net() instead of kfree() on unregistered memory, leaving a dangling pointer in mport->net that can be dereferenced later to trigger a crash. Authenticated local attackers with low privilege can trigger this condition on systems with RapidIO support enabled, resulting in kernel panic and service unavailability. EPSS probability is low (0.02%) despite moderate CVSS, indicating limited real-world exploitability; no public exploit code or active KEV exploitation confirmed.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43294 MEDIUM PATCH This Month

Kernel panic occurs in the Renesas RZ/G2L MIPI DSI driver during system reboot when display panels attempt to send DSI commands in their unprepare callback, due to incorrect sequencing of driver shutdown. The vulnerability affects Linux kernel versions from commit 56de5e305d4b onwards on ARM64 systems running RZ/G2L platforms with specific panel types, allowing local users with standard privileges to trigger a denial of service by initiating a reboot.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43293 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix kthread worker destruction in polling mode Fix the cleanup order in polling mode (irq < 0) to prevent kernel warnings during module removal. Cancel the hrtimer before destroying the kthread worker to ensure work queues are empty. In polling mode, the driver uses hrtimer to periodically trigger wave5_vpu_timer_callback() which queues work via kthread_queue_work(). The kthread_destroy_worker() function validates that both work queues are empty with WARN_ON(!list_empty(&worker->work_list)) and WARN_ON(!list_empty(&worker->delayed_work_list)). The original code called kthread_destroy_worker() before hrtimer_cancel(), creating a race condition where the timer could fire during worker destruction and queue new work, triggering the WARN_ON. This causes the following warning on every module unload in polling mode: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 1034 at kernel/kthread.c:1430 kthread_destroy_worker+0x84/0x98 Modules linked in: wave5(-) rpmsg_ctrl rpmsg_char ... Call trace: kthread_destroy_worker+0x84/0x98 wave5_vpu_remove+0xc8/0xe0 [wave5] platform_remove+0x30/0x58 ... ---[ end trace 0000000000000000 ]---

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43292 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node When CONFIG_PAGE_OWNER is enabled, freeing KASAN shadow pages during vmalloc cleanup triggers expensive stack unwinding that acquires RCU read locks. Processing a large purge_list without rescheduling can cause the task to hold CPU for extended periods (10+ seconds), leading to RCU stalls and potential OOM conditions. The issue manifests in purge_vmap_node() -> kasan_release_vmalloc_node() where iterating through hundreds or thousands of vmap_area entries and freeing their associated shadow pages causes: rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P6229/1:b..l ... task:kworker/0:17 state:R running task stack:28840 pid:6229 ... kasan_release_vmalloc_node+0x1ba/0xad0 mm/vmalloc.c:2299 purge_vmap_node+0x1ba/0xad0 mm/vmalloc.c:2299 Each call to kasan_release_vmalloc() can free many pages, and with page_owner tracking, each free triggers save_stack() which performs stack unwinding under RCU read lock. Without yielding, this creates an unbounded RCU critical section. Add periodic cond_resched() calls within the loop to allow: - RCU grace periods to complete - Other tasks to run - Scheduler to preempt when needed The fix uses need_resched() for immediate response under load, with a batch count of 32 as a guaranteed upper bound to prevent worst-case stalls even under light load.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43291 HIGH PATCH This Week

Improper packet data validation in Linux kernel NCI NFC subsystem breaks communication with NFC chips and creates potential for information disclosure. The vulnerability affects adjacent network attackers (AV:A) who can exploit variable-length packet handling without authentication (PR:N) to achieve high confidentiality impact, low integrity impact, and high availability impact. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability despite CVSS 8.3 severity. Vendor patches available across multiple kernel versions (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) with upstream fixes committed to stable branches.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-43290 HIGH PATCH This Week

A buffer management flaw in the Linux kernel's uvcvideo (USB Video Class) driver allows local authenticated attackers to trigger memory corruption via improper buffer handling when streaming initialization fails. The vulnerability manifests when xHCI controller failures cause uvc_pm_get() errors during start_streaming(), leaving queued video buffers unreturned and potentially causing system instability or privilege escalation. Patches are available from kernel maintainers for versions 6.18.16, 6.19.6, and 7.0+, with upstream fixes committed. EPSS score of 0.02% suggests minimal observed exploitation attempts, and no KEV listing indicates this is not currently exploited in the wild despite the high CVSS 7.8 score.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43289 MEDIUM PATCH This Month

Local denial of service in Linux kernel's kexec subsystem allows authenticated attackers to trigger kernel warning and system instability. The kexec_load_purgatory() function incorrectly derives the purgatory entry point when multiple executable sections have overlapping sh_addr values, causing a WARN condition that disrupts kexec operations. With CVSS 5.5 (AV:L/AC:L/PR:L/UI:N) and EPSS at 0.02%, this represents low real-world exploitation risk. Patches available across multiple stable kernel versions including 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, and 6.19.6.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43288 MEDIUM PATCH This Month

Local privilege escalation in Linux kernel ext4 filesystem causes kernel panic during mount operations when DOUBLE_CHECK is enabled. Affects multiple stable kernel versions from 6.6.128 through 7.0. The initialization race condition allows local authenticated users to trigger a denial of service by mounting specially crafted ext4 filesystems with corrupted block bitmaps. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability. Vendor patches available across all affected stable branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43287 MEDIUM PATCH This Month

Local users with low privileges can trigger unbounded kernel memory consumption in the Linux kernel's DRM subsystem via DRM_IOCTL_MODE_CREATEPROPBLOB, bypassing memory cgroup accounting and causing system-wide denial of service. The vulnerability affects all Linux kernel versions from 2.6.12-rc2 (commit 1da177e4) through 6.19.x until patched in 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. EPSS score is low (0.02%) and no active exploitation is documented; however, the attack requires only local access and low privileges (CVSS AV:L/AC:L/PR:L), making it easily exploitable by unprivileged users on multi-tenant systems.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43286 MEDIUM PATCH This Month

Memory accounting errors in Linux kernel hugetlb subsystem cause subpool reservation counters to incorrectly increment on failed global allocations, eventually rendering hugetlb subpools permanently unusable. The vulnerability affects Linux kernels from 6.15 onward where commit a833a693a490 introduced the flaw. When a process requests hugepages that require both subpool and global pool resources, failed global allocations leave the subpool's used_hpages counter elevated despite no actual page consumption, progressively exhausting the subpool's apparent capacity until all future allocations fail. Patches available for kernels 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% and lack of KEV listing indicate low exploitation probability, though local authenticated attackers can trigger the condition to cause denial of service against hugetlb-dependent workloads.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43285 MEDIUM PATCH This Month

Denial of service via NMI-unsafe seqcount access in Linux kernel memory slab allocator allows local privileged attackers to trigger kernel deadlock when get_from_any_partial() is called in NMI context. The vulnerability stems from unsafe access to current->mems_allowed_seq (a spinlock-based seqcount) without NMI-safety guarantees, causing lockdep warnings and potential system hang. EPSS exploitation probability is low at 0.02%, and no active exploitation has been confirmed.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71299 MEDIUM PATCH This Month

A denial of service vulnerability in the Linux kernel's Cadence QSPI driver causes duplicate clock disables during device probe error handling when flash device tree descriptions are missing or malformed. An unprivileged local user can trigger this vulnerability by providing broken device tree configuration for attached SPI flash devices, resulting in kernel warnings and potential system instability.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71298 MEDIUM PATCH This Month

Denial of service via missing reservation lock in drm/tests shmem allows local authenticated users to trigger a kernel warning and crash the DRM graphics subsystem. The vulnerability exists in DRM test code that calls drm_gem_shmem_madvise_locked() without properly acquiring the GEM object's reservation lock, causing CPU warnings and potential system instability on affected kernel versions.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71297 MEDIUM PATCH This Month

Kernel denial of service in rtw88 WiFi driver 8822b chipset allows local authenticated users to trigger a kernel WARNING and potential system instability by setting antenna configuration while the wireless chip is powered off, causing unexpected values when RF registers are read during power-down state.

Lenovo Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71296 MEDIUM PATCH This Month

Denial of service in Linux kernel DRM GEM shmem helper when drm_gem_shmem_purge_locked() is called without properly holding the GEM object's reservation lock, affecting local authenticated users. The vulnerability causes a kernel warning and denial of service condition in the direct rendering manager's shared memory handling code. CVSS 5.5 with low EPSS (0.02%) indicates limited real-world exploitation despite availability of patch. Affected Linux versions prior to kernels with commits cdf8bbbd9017adcfb91ad9a902198d4b507719a9, 8baeee2c1c0cdb3a8eac3b8f38156cce6ee1a69f, and 3f41307d589c2f25d556d47b165df808124cd0c4.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43284 HIGH POC PATCH CISA NEWS Act Now

Use-after-free in Linux kernel ESP (IPsec) allows local authenticated attackers to decrypt shared memory fragments improperly, potentially exposing encrypted network traffic or causing memory corruption. Affects kernel versions 6.5+ where MSG_SPLICE_PAGES can attach pipe pages directly to UDP socket buffers. The IPv4/IPv6 datagram paths fail to mark spliced pages as shared, causing ESP input decryption to modify memory not privately owned by the packet buffer. Public exploit code exists (POC available on GitHub), EPSS score is low (0.01%) indicating limited widespread exploitation risk, and vendor patches are available across affected stable kernel branches (6.6.138, 6.12.87, 6.18.28, 7.0.5).

Information Disclosure Use After Free Memory Corruption Linux
NVD GitHub VulDB Exploit-DB
CVSS 3.1
8.8
EPSS
0.0%
Threat
5.3
CVE-2026-23557 MEDIUM PATCH This Month

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/04/28. ck_archive() doesn't check for Windows absolute paths in ZIPs (Alan Coopersmith <alan.coopersmith@...cle.com>) Xen Security Advisory 483 v2 (CVE-2026-23556) - oxenstored keeps quota related use counts across domain destruction (Xen.org security team <security@....org>) Xen Security Advisory 484 v2 (CVE-2026-23557) - Xenstored DoS via XS_RESET_WATCHES command (Xen.org security team <security@....org>) Xen Security Advisory 485 v2 (CVE-2026-31786) - Linux kernel out of bounds read via Xen-related sysfs file (Xen.org security team <security@....org>) Xen Security Advisory 486 v2 (CVE-2026-23558) - grant table

Microsoft Buffer Overflow Linux Suse
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23558 HIGH PATCH This Week

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/04/28. dvisory 484 v2 (CVE-2026-23557) - Xenstored DoS via XS_RESET_WATCHES command (Xen.org security team <security@....org>) Xen Security Advisory 485 v2 (CVE-2026-31786) - Linux kernel out of bounds read via Xen-related sysfs file (Xen.org security team <security@....org>) Xen Security Advisory 486 v2 (CVE-2026-23558) - grant table v2 race in status page mapping (Xen.org security team <security@....org>) Xen Security Advisory 487 v2 (CVE-2026-31787) - Linux kernel double free in Xen privcmd driver (Xen.org security team <security@....org>) Coordinated Disclosure in the LLM Age (Jeremy Stanley <fungi@...goth.org

Buffer Overflow Linux Race Condition Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-71295 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: fs/buffer: add alert in try_to_free_buffers() for folios without buffers try_to_free_buffers() can be called on folios with no buffers attached when filemap_release_folio() is invoked on a folio belonging to a mapping with AS_RELEASE_ALWAYS set but no release_folio operation defined. In such cases, folio_needs_release() returns true because of the AS_RELEASE_ALWAYS flag, but the folio has no private buffer data. This causes try_to_free_buffers() to call drop_buffers() on a folio with no buffers, leading to a null pointer dereference. Adding a check in try_to_free_buffers() to return early if the folio has no buffers attached, with WARN_ON_ONCE() to alert about the misconfiguration. This provides defensive hardening.

Denial Of Service Null Pointer Dereference Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71294 MEDIUM PATCH This Month

Null pointer dereference in the AMD GPU (amdgpu) DRM subsystem can cause denial of service when the SDMA block is disabled and buffer_funcs initialization is skipped, allowing local authenticated users to crash the kernel via uninitialized function pointer access.

Denial Of Service Null Pointer Dereference Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71293 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's amdgpu RAS (Reliability, Availability, and Serviceability) driver crashes the kernel when a local user reads the sysfs badpages interface on a system whose AMD GPU EEPROM contains only invalid address entries. The driver skips RAS data allocation under this condition, and the subsequent read of `amdgpu_ras_sysfs_badpages_read` dereferences the uninitialized pointer, producing a kernel panic and complete denial of service. No public exploit exists and no active exploitation has been identified; EPSS is 0.02% (4th percentile), reflecting very low real-world risk.

Denial Of Service Null Pointer Dereference Ubuntu Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71292 MEDIUM PATCH This Month

Integer wraparound in the Linux kernel JFS (Journaled File System) `jfs_rename` function can be triggered by a local low-privileged user to cause a kernel warning and denial of service. When a directory's hard link count (nlink) is already at its maximum value (-1 as an unsigned overflow scenario), performing an in-place rename of a child subdirectory increments nlink and then decrements it, wrapping the counter to zero and triggering a `drop_nlink` kernel warning. The vulnerability affects a wide range of stable kernel branches from 5.10 through 6.19; no public exploit code exists and CISA has not listed this in KEV, making active exploitation unlikely but not impossible in multi-tenant or container environments where JFS-mounted filesystems are accessible to low-privilege users.

Buffer Overflow Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71291 MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's bcm_vk misc driver allows a local authenticated attacker to crash the kernel, resulting in a denial of service. The bcm_vk_read() function checks whether the 'entry' pointer is NULL but fails to prevent subsequent dereferences of that pointer when rc is set to -EMSGSIZE, leading to a kernel panic. No public exploit exists and the vulnerability is not listed in CISA KEV; however, vendor-released patches are available across multiple stable kernel branches, and Red Hat and SUSE have tagged this for attention in their ecosystems.

Denial Of Service Null Pointer Dereference Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71290 MEDIUM PATCH This Month

Memory exhaustion denial-of-service in the Linux kernel's ti_fpc202 misc driver allows a local low-privileged user to degrade system availability through a memory leak introduced in the probe function. The root cause is improper release of device tree child node references during driver initialization when iterating over nodes, classified as CWE-401 (Missing Release of Memory after Effective Lifetime). No active exploitation is confirmed - no public exploit identified at time of analysis - and the extremely low EPSS score of 0.02% (4th percentile) reflects the niche hardware dependency and local-only attack surface.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71289 MEDIUM PATCH This Month

Silent error suppression in the Linux kernel's NTFS3 filesystem driver allows a local authenticated user to trigger inode inconsistency by causing attr_set_size() to fail during file truncation. Affected systems running NTFS3-mounted volumes may experience filesystem corruption or denial of service without any visible error signal to the kernel. No active exploitation has been identified (EPSS 0.02%, not in CISA KEV), and vendor-released patches are available in Linux 7.0 and 6.19.6.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71288 MEDIUM PATCH This Month

Resource leak in the Linux kernel's mtk-smi (MediaTek System Memory Interface) driver allows a local, low-privileged attacker on MediaTek SoC-based systems to cause a denial of service by exhausting kernel device references. The driver fails to call put_device() on the SMI device reference obtained during common probe when late probe failure (e.g., -EPROBE_DEFER) or driver unbind occurs, leaving dangling references that accumulate over repeated cycles. No public exploit identified at time of analysis and EPSS at 0.02% (7th percentile) indicates very low exploitation probability; patches are available across multiple stable branches.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71287 MEDIUM PATCH This Month

Device reference leak in the Linux kernel's MediaTek SMI (mtk-smi) memory driver can cause resource exhaustion and denial of service on affected MediaTek SoC-based systems. The flaw exists in the larb (Local Arbiter) probe path, where a reference acquired during SMI device lookup is never released when late probe failure occurs (e.g., probe deferral) or when the driver is unbound - leaving the kernel device struct's reference count permanently inflated. With EPSS at 0.02% (7th percentile), no KEV listing, and no public exploit identified at time of analysis, real-world exploitation risk is very low and narrowly scoped to hardware running MediaTek SoCs.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71286 MEDIUM PATCH This Month

Memory allocation underflow in the Linux kernel ASoC SOF (Sound Open Firmware) ipc4-topology module allows local authenticated users to trigger a denial of service via bytes control handling that fails to account for the full data structure size. The vulnerability affects kernel versions prior to specific stable releases (6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0) where the allocation size calculation omits the sof_ipc4_control_data structure, potentially causing memory exhaustion or kernel crash when processing audio topology configuration.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71285 MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel QRTR (Qualcomm IPC Router) driver via MHI auto_queue feature causes denial of service on Qualcomm X1E80100 CRD machines during boot. The vulnerability occurs when the MHI stack invokes the DL (downlink) callback before the QRTR client driver is fully probed, accessing uninitialized driver structures. A local privileged attacker can trigger kernel panic by exploiting the race condition between MHI buffer auto-queuing and driver initialization, affecting systems relying on QRTR over MHI transport.

Denial Of Service Null Pointer Dereference Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43283 HIGH PATCH This Week

Improper DMA buffer unmapping in the Linux kernel ec_bhf Ethernet driver allows local authenticated attackers with low privileges to trigger memory corruption, potentially achieving arbitrary code execution, information disclosure, or denial of service with container escape capability (scope change). The vulnerability exists in error path handling where dma_free_coherent() receives the wrong DMA handle parameter (alloc_len instead of alloc_phys), causing incorrect buffer unmapping. Patches available across multiple stable kernel versions (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates very low probability of exploitation in the wild, and no public exploit identified at time of analysis.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-43282 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: RDMA/ionic: Fix potential NULL pointer dereference in ionic_query_port The function ionic_query_port() calls ib_device_get_netdev() without checking the return value which could lead to NULL pointer dereference, Fix it by checking the return value and return -ENODEV if the 'ndev' is NULL.

Denial Of Service Null Pointer Dereference Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43281 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate() Although it is guided that `#mbox-cells` must be at least 1, there are many instances of `#mbox-cells = <0>;` in the device tree. If that is the case and the corresponding mailbox controller does not provide `fw_xlate` and of_xlate` function pointers, `fw_mbox_index_xlate()` will be used by default and out-of-bounds accesses could occur due to lack of bounds check in that function.

Information Disclosure Buffer Overflow Linux
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43280 HIGH PATCH This Week

Local authenticated attackers can trigger an out-of-bounds kernel memory read in Linux kernel's xe graphics driver (6.18-6.19.x) via malicious pat_index values in the madvise IOCTL. This allows information disclosure from kernel memory and potential denial of service through kernel crashes. The vulnerability exists because madvise_args_are_sane() fails to validate pat_index bounds before passing it to xe_pat_index_get_coh_mode(), which performs unsafe array access into xe->pat.table. Vendor patches available for kernels 6.18.16+ and 6.19.6+ implement bounds checking with array_index_nospec() to prevent both direct exploitation and Spectre-based side-channel attacks. EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis.

Buffer Overflow Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43279 HIGH PATCH This Week

Out-of-bounds buffer writes in Linux kernel ALSA USB audio subsystem allow local authenticated attackers to crash the kernel or potentially achieve privilege escalation. The flaw occurs during implicit feedback mode playback when stream configurations mismatch between capture and playback, causing the prepare_silent_urb() function to write beyond allocated buffer boundaries. Affects all Linux kernel versions from initial commit 1da177e4c3f4 through multiple stable branches; vendor patches available for 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploits or active exploitation confirmed.

Linux Memory Corruption Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43278 HIGH PATCH This Week

Double-free memory corruption in Linux kernel device-mapper subsystem allows local authenticated users to trigger use-after-free conditions, potentially leading to privilege escalation or denial of service. The vulnerability manifests when using request-based DM targets (e.g., dm-multipath) over NVMe devices, where cloned request bios are freed twice due to stale bio pointers in clone requests. Vendor patches available across multiple stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% indicates low predicted exploitation probability; no active exploitation confirmed at time of analysis.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43277 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: APEI/GHES: ensure that won't go past CPER allocated record The logic at ghes_new() prevents allocating too large records, by checking if they're bigger than GHES_ESTATUS_MAX_SIZE (currently, 64KB). Yet, the allocation is done with the actual number of pages from the CPER bios table location, which can be smaller. Yet, a bad firmware could send data with a different size, which might be bigger than the allocated memory, causing an OOPS: Unable to handle kernel paging request at virtual address fff00000f9b40000 Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x07: level 3 translation fault Data abort info: ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 52-bit VAs, pgdp=000000008ba16000 [fff00000f9b40000] pgd=180000013ffff403, p4d=180000013fffe403, pud=180000013f85b403, pmd=180000013f68d403, pte=0000000000000000 Internal error: Oops: 0000000096000007 [#1] SMP Modules linked in: CPU: 0 UID: 0 PID: 303 Comm: kworker/0:1 Not tainted 6.19.0-rc1-00002-gda407d200220 #34 PREEMPT Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02/2022 Workqueue: kacpi_notify acpi_os_execute_deferred pstate: 214020c5 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : hex_dump_to_buffer+0x30c/0x4a0 lr : hex_dump_to_buffer+0x328/0x4a0 sp : ffff800080e13880 x29: ffff800080e13880 x28: ffffac9aba86f6a8 x27: 0000000000000083 x26: fff00000f9b3fffc x25: 0000000000000004 x24: 0000000000000004 x23: ffff800080e13905 x22: 0000000000000010 x21: 0000000000000083 x20: 0000000000000001 x19: 0000000000000008 x18: 0000000000000010 x17: 0000000000000001 x16: 00000007c7f20fec x15: 0000000000000020 x14: 0000000000000008 x13: 0000000000081020 x12: 0000000000000008 x11: ffff800080e13905 x10: ffff800080e13988 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000001 x6 : 0000000000000020 x5 : 0000000000000030 x4 : 00000000fffffffe x3 : 0000000000000000 x2 : ffffac9aba78c1c8 x1 : ffffac9aba76d0a8 x0 : 0000000000000008 Call trace: hex_dump_to_buffer+0x30c/0x4a0 (P) print_hex_dump+0xac/0x170 cper_estatus_print_section+0x90c/0x968 cper_estatus_print+0xf0/0x158 __ghes_print_estatus+0xa0/0x148 ghes_proc+0x1bc/0x220 ghes_notify_hed+0x5c/0xb8 notifier_call_chain+0x78/0x148 blocking_notifier_call_chain+0x4c/0x80 acpi_hed_notify+0x28/0x40 acpi_ev_notify_dispatch+0x50/0x80 acpi_os_execute_deferred+0x24/0x48 process_one_work+0x15c/0x3b0 worker_thread+0x2d0/0x400 kthread+0x148/0x228 ret_from_fork+0x10/0x20 Code: 6b14033f 540001ad a94707e2 f100029f (b8747b44) ---[ end trace 0000000000000000 ]--- Prevent that by taking the actual allocated are into account when checking for CPER length. [ rjw: Subject tweaks ]

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43276 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix double destroy_workqueue on service rescan PCI path While testing corner cases in the driver, a use-after-free crash was found on the service rescan PCI path. When mana_serv_reset() calls mana_gd_suspend(), mana_gd_cleanup() destroys gc->service_wq. If the subsequent mana_gd_resume() fails with -ETIMEDOUT or -EPROTO, the code falls through to mana_serv_rescan() which triggers pci_stop_and_remove_bus_device(). This invokes the PCI .remove callback (mana_gd_remove), which calls mana_gd_cleanup() a second time, attempting to destroy the already- freed workqueue. Fix this by NULL-checking gc->service_wq in mana_gd_cleanup() and setting it to NULL after destruction. Call stack of issue for reference: [Sat Feb 21 18:53:48 2026] Call Trace: [Sat Feb 21 18:53:48 2026] <TASK> [Sat Feb 21 18:53:48 2026] mana_gd_cleanup+0x33/0x70 [mana] [Sat Feb 21 18:53:48 2026] mana_gd_remove+0x3a/0xc0 [mana] [Sat Feb 21 18:53:48 2026] pci_device_remove+0x41/0xb0 [Sat Feb 21 18:53:48 2026] device_remove+0x46/0x70 [Sat Feb 21 18:53:48 2026] device_release_driver_internal+0x1e3/0x250 [Sat Feb 21 18:53:48 2026] device_release_driver+0x12/0x20 [Sat Feb 21 18:53:48 2026] pci_stop_bus_device+0x6a/0x90 [Sat Feb 21 18:53:48 2026] pci_stop_and_remove_bus_device+0x13/0x30 [Sat Feb 21 18:53:48 2026] mana_do_service+0x180/0x290 [mana] [Sat Feb 21 18:53:48 2026] mana_serv_func+0x24/0x50 [mana] [Sat Feb 21 18:53:48 2026] process_one_work+0x190/0x3d0 [Sat Feb 21 18:53:48 2026] worker_thread+0x16e/0x2e0 [Sat Feb 21 18:53:48 2026] kthread+0xf7/0x130 [Sat Feb 21 18:53:48 2026] ? __pfx_worker_thread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ret_from_fork+0x269/0x350 [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ret_from_fork_asm+0x1a/0x30 [Sat Feb 21 18:53:48 2026] </TASK>

Denial Of Service Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43275 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Flush exception handling work when RPM level is zero Ensure that the exception event handling work is explicitly flushed during suspend when the runtime power management level is set to UFS_PM_LVL_0. When the RPM level is zero, the device power mode and link state both remain active. Previously, the UFS core driver bypassed flushing exception event handling jobs in this configuration. This created a race condition where the driver could attempt to access the host controller to handle an exception after the system had already entered a deep power-down state, resulting in a system crash. Explicitly flush this work and disable auto BKOPs before the suspend callback proceeds. This guarantees that pending exception tasks complete and prevents illegal hardware access during the power-down sequence.

Denial Of Service Race Condition Linux Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-43274 HIGH PATCH This Week

Out-of-bounds memory access in Linux kernel's Microchip IPC mailbox driver allows local attackers to achieve arbitrary code execution with high integrity and confidentiality impact. The mchp-ipc-sbi driver incorrectly indexes a dynamically allocated cluster configuration array using non-contiguous hardware thread IDs (hartid) instead of sequential CPU IDs, causing reads/writes beyond array bounds on systems where hartid values exceed the number of online CPUs. Vendor patches available for stable kernel series 6.18.16, 6.19.6, and mainline 7.0. EPSS score of 0.02% suggests low probability of mass exploitation despite high CVSS severity, with no active exploitation confirmed at time of analysis.

Buffer Overflow Linux Information Disclosure Red Hat Suse
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-43273 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ceph: supply snapshot context in ceph_zero_partial_object() The ceph_zero_partial_object function was missing proper snapshot context for its OSD write operations, which could lead to data inconsistencies in snapshots. Reproducer: ../src/vstart.sh --new -x --localhost --bluestore ./bin/ceph auth caps client.fs_a mds 'allow rwps fsname=a' mon 'allow r fsname=a' osd 'allow rw tag cephfs data=a' mount -t ceph fs_a@.a=/ /mnt/mycephfs/ -o conf=./ceph.conf dd if=/dev/urandom of=/mnt/mycephfs/foo bs=64K count=1 mkdir /mnt/mycephfs/.snap/snap1 md5sum /mnt/mycephfs/.snap/snap1/foo fallocate -p -o 0 -l 4096 /mnt/mycephfs/foo echo 3 > /proc/sys/vm/drop/caches md5sum /mnt/mycephfs/.snap/snap1/foo # get different md5sum!!

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43272 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix possible dereference of uninitialized pointer There is a pointer head_page in rb_meta_validate_events() which is not initialized at the beginning of a function. This pointer can be dereferenced if there is a failure during reader page validation. In this case the control is passed to "invalid" label where the pointer is dereferenced in a loop. To fix the issue initialize orig_head and head_page before calling rb_validate_buffer. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Denial Of Service Null Pointer Dereference Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43271 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: md-cluster: fix NULL pointer dereference in process_metadata_update The function process_metadata_update() blindly dereferences the 'thread' pointer (acquired via rcu_dereference_protected) within the wait_event() macro. While the code comment states "daemon thread must exist", there is a valid race condition window during the MD array startup sequence (md_run): 1. bitmap_load() is called, which invokes md_cluster_ops->join(). 2. join() starts the "cluster_recv" thread (recv_daemon). 3. At this point, recv_daemon is active and processing messages. 4. However, mddev->thread (the main MD thread) is not initialized until later in md_run(). If a METADATA_UPDATED message is received from a remote node during this specific window, process_metadata_update() will be called while mddev->thread is still NULL, leading to a kernel panic. To fix this, we must validate the 'thread' pointer. If it is NULL, we release the held lock (no_new_dev_lockres) and return early, safely ignoring the update request as the array is not yet fully ready to process it.

Denial Of Service Null Pointer Dereference Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43270 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove() In mtk_mdp_probe(), vpu_get_plat_device() increases the reference count of the returned platform device. Add platform_device_put() to prevent reference leak.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43269 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback After several commits, the slab memory increases. Some drm_crtc_commit objects are not freed. The atomic_destroy_state callback only put the framebuffer. Use the __drm_atomic_helper_plane_destroy_state() function to put all the objects that are no longer needed. It has been seen after hours of usage of a graphics application or using kmemleak: unreferenced object 0xc63a6580 (size 64): comm "egt_basic", pid 171, jiffies 4294940784 hex dump (first 32 bytes): 40 50 34 c5 01 00 00 00 ff ff ff ff 8c 65 3a c6 @P4..........e:. 8c 65 3a c6 ff ff ff ff 98 65 3a c6 98 65 3a c6 .e:......e:..e:. backtrace (crc c25aa925): kmemleak_alloc+0x34/0x3c __kmalloc_cache_noprof+0x150/0x1a4 drm_atomic_helper_setup_commit+0x1e8/0x7bc drm_atomic_helper_commit+0x3c/0x15c drm_atomic_commit+0xc0/0xf4 drm_atomic_helper_set_config+0x84/0xb8 drm_mode_setcrtc+0x32c/0x810 drm_ioctl+0x20c/0x488 sys_ioctl+0x14c/0xc20 ret_fast_syscall+0x0/0x54

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43268 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: hfsplus: pretend special inodes as regular files Since commit af153bb63a33 ("vfs: catch invalid modes in may_open()") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/ S_IFIFO/S_IFSOCK type, use S_IFREG for special inodes.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43267 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix potential zero beacon interval in beacon tracking During fuzz testing, it was discovered that bss_conf->beacon_int might be zero, which could result in a division by zero error in subsequent calculations. Set a default value of 100 TU if the interval is zero to ensure stability.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43266 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: EFI/CPER: don't go past the ARM processor CPER record buffer There's a logic inside GHES/CPER to detect if the section_length is too small, but it doesn't detect if it is too big. Currently, if the firmware receives an ARM processor CPER record stating that a section length is big, kernel will blindly trust section_length, producing a very long dump. For instance, a 67 bytes record with ERR_INFO_NUM set 46198 and section length set to 854918320 would dump a lot of data going a way past the firmware memory-mapped area. Fix it by adding a logic to prevent it to go past the buffer if ERR_INFO_NUM is too big, making it report instead: [Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1 [Hardware Error]: event severity: recoverable [Hardware Error]: Error 0, type: recoverable [Hardware Error]: section_type: ARM processor error [Hardware Error]: MIDR: 0xff304b2f8476870a [Hardware Error]: section length: 854918320, CPER size: 67 [Hardware Error]: section length is too big [Hardware Error]: firmware-generated error record is incorrect [Hardware Error]: ERR_INFO_NUM is 46198 [ rjw: Subject and changelog tweaks ]

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43265 MEDIUM PATCH This Month

Denial of service in Linux kernel KVM x86 nested virtualization allows local privileged attackers to crash virtual machines by manipulating vCPU state through userspace MP_STATE and injected event stuffing. When a vCPU is awakened from a blocking state in L2 (nested guest mode) with an already-injected event, the kernel generates spurious KVM_EXIT_UNKNOWN exits that typically terminate the VM. The vulnerability stems from insufficient validation of impossible vCPU states that userspace can artificially create, despite architectural safeguards that should prevent injected events during blocking. CVSS 5.5 (local, low complexity, high availability impact); EPSS 0.02% indicates minimal widespread exploitation likelihood.

Code Injection Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authentication downgrade in Linux kernel Bluetooth SMP allows adjacent network attackers to bypass MITM protection during pairing. When a Bluetooth responder requires BT_SECURITY_HIGH, the SMP implementation incorrectly builds pairing responses before enforcing local MITM requirements, allowing initiators to force weaker 'Just Confirm' authentication even when policy mandates stronger methods. EPSS score of 0.02% indicates low predicted exploitation probability, and no active exploitation or public POC has been identified. Patches available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).

Information Disclosure Linux Red Hat
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel NULL pointer dereference in Linux kernel's BPF verifier allows local authenticated users to trigger a denial of service. The vulnerability stems from improper handling of nullable PTR_TO_BUF pointers in check_mem_access(), where map iterator callbacks can dereference NULL ctx->key or ctx->value pointers without validation, causing a kernel crash. Affects Linux kernel versions 5.17 through 7.0-rc4, with patches available across stable branches (5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates very low probability of exploitation in the wild, and no evidence of public exploit code or active exploitation exists. Local access with low privileges required makes this a targeted risk rather than widespread threat.

Denial Of Service Linux Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel thermal subsystem allows local authenticated attackers with low privileges to achieve high confidentiality, integrity, and availability impact through race condition during thermal zone device registration failure. The flaw occurs when thermal_zone_device_register_with_trips() fails after registration but before properly cleaning up - if userspace holds a kobject reference, the thermal zone structure can be freed prematurely while still in use. Vendor patches available across stable branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating, suggesting limited real-world attacker interest in this local race condition.

Information Disclosure Linux Red Hat
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel crash loop in x86_64 Linux when kexec is executed on a kernel built with both CONFIG_KCOV and CONFIG_KEXEC enabled. The load_segments() function invalidates the GS base register that KCOV relies on for per-cpu data access; any subsequently instrumented C function call (e.g. native_gdt_invalidate()) triggers an endless crash loop resulting in a kernel panic and complete system unavailability. No public exploit exists and EPSS is 0.02% (4th percentile), consistent with the highly constrained triggering environment - this primarily affects kernel developers and syzkaller-based fuzzing infrastructure rather than general-purpose production systems.

Denial Of Service Linux
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Buffer overflow in the Linux kernel's CAAM crypto driver allows local authenticated attackers to corrupt memory and potentially execute arbitrary code with elevated privileges. The vulnerability occurs when HMAC keys exceeding the algorithm's block size are processed - the driver allocates DMA-aligned memory but uses kmemdup() to copy only the actual key length, then reads beyond the source buffer boundary during hashing. EPSS score of 0.02% (5th percentile) indicates low predicted exploitation likelihood. Patches are available across multiple stable kernel branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) via upstream commits, with fixes applied since kernel 6.3 introduced the vulnerable code.

Buffer Overflow Linux Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Buffer overflow in Linux kernel netfilter flowtable hardware offload allows local authenticated users to achieve high confidentiality, integrity, and availability impact via IPv6 flowtable configurations. The vulnerability stems from an off-by-one error where IPv6 setups require 17 actions but the hardcoded limit was 16, enabling memory corruption when complex IPv6 flows with SNAT, DNAT, VLAN manipulation, and tunneling are offloaded to hardware. EPSS exploitation probability is low (0.02%, 7th percentile), and vendor patches are available across multiple stable kernel branches (5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). No public exploit code or CISA KEV listing identified at time of analysis.

Linux Denial Of Service
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Double-free condition in the Linux kernel's cpufreq governor subsystem affects multiple stable branches and can lead to memory corruption when an error path in cpufreq_dbs_governor_init() is triggered. The flaw stems from redundant cleanup logic that calls gov->exit() and kfree(dbs_data) twice after a kobject_init_and_add() failure, and no public exploit identified at time of analysis. EPSS exploitation probability is very low (0.02%, 7th percentile), consistent with a local memory-safety bug requiring privileged access rather than a remote attack surface.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Race condition in Linux kernel's dummy-hcd USB gadget driver causes kernel crash and denial of service when USB reset occurs simultaneously with driver unbind. Syzbot testing triggered NULL pointer dereference in usb_gadget_udc_reset() due to improper spinlock handling in stop_activity() that allowed dum->driver to be cleared prematurely. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) suggests very low observed exploitation probability. Not listed in CISA KEV, indicating no confirmed active exploitation.

Linux Denial Of Service Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A deadlock vulnerability in the Linux kernel's sched_ext (extensible scheduler) subsystem allows local authenticated users to trigger a denial of service by creating cyclic wait dependencies between CPUs. The flaw exists in the SCX_KICK_WAIT mechanism where busy-waiting in hardirq context prevents rescheduling and kick_sync advancement, causing multi-CPU deadlocks when wait cycles form. Patch available from mainline kernel (commit c3a7903f65cf for mainline, 415cb193bb97 for stable 6.12+). EPSS score of 0.02% suggests minimal real-world exploitation activity. No public exploit code or active exploitation confirmed at time of analysis.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A firmware crash in Linux kernel's iwlwifi driver (versions 6.9 through 7.0-rc7) occurs when the AX201 Wi-Fi adapter incorrectly receives a 6GHz-related command (MCC_ALLOWED_AP_TYPE_CMD) despite lacking 6E support. This triggers a local denial of service (CVSS 5.5, AV:L) requiring low privileges. Vendor patches are available across stable branches (6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (4th percentile) indicates minimal real-world exploitation risk, with no active exploitation or public POC identified. Priority for systems using Intel AX201 adapters where local users could trigger system instability.

Linux Denial Of Service Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Race condition in the Linux kernel's dummy-hcd USB driver allows local authenticated users to trigger use-after-free conditions during gadget driver unbinding, potentially enabling privilege escalation, information disclosure, or denial of service. The flaw stems from incorrect ordering of interrupt synchronization - emulated synchronize_irq() runs before interrupt-disable, allowing callbacks to execute after the gadget driver is unbound. Patched versions include 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% (7th percentile) indicates very low probability of exploitation in the wild, with no confirmed active exploitation or public POC identified at time of analysis.

Information Disclosure Linux Red Hat
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local denial of service in Linux kernel scheduler (6.12.78-6.19.12) allows low-privileged users to trigger system-wide instability via stress-ng-yield workloads. The flaw stems from incomplete vruntime tracking in commit b3d99f43c72b, where yield()-heavy tasks can leapfrog past tick updates and cause overflow conditions. EPSS exploitation probability is negligible (0.02%, 5th percentile), and vendor patches are available across all affected stable branches. No active exploitation or public POC identified at time of analysis.

Buffer Overflow Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free (UAF) in Linux kernel Bluetooth subsystem allows adjacent network attackers to trigger memory corruption via malformed LE Read Features Complete responses. The vulnerability occurs when hci_conn is freed before le_read_features_complete callback executes but after hci_le_read_remote_features_sync initiates, causing atomic operations on freed memory during hci_conn_drop. Active exploitation status not confirmed (no CISA KEV listing). EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. Upstream patches committed to stable kernel branches 6.19.12+ and 7.0+.

Information Disclosure Google Linux +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Improper register liveness tracking in the Linux kernel eBPF verifier allows local authenticated users to potentially achieve information disclosure, privilege escalation, or denial of service through crafted BPF programs. The vulnerability stems from the compute_insn_live_regs() function failing to mark registers as used during indirect jump ('gotox rX') instructions, enabling attackers with BPF program loading privileges to manipulate register state tracking. With EPSS exploitation probability at 0.02% (5th percentile) and no evidence of active exploitation or public POC, this represents a theoretical risk primarily for systems where unprivileged users can load BPF programs. Vendor patches are available for kernel versions 6.18.16, 6.19.6, and 7.0.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A null pointer dereference in the AMD Display Core driver's DSC (Display Stream Compression) handling for eDP panels causes local system crashes on Linux kernel 6.12 through 7.0-rc5. The vulnerability stems from missing function hook validation before use, allowing local authenticated users with low privileges to trigger a high-severity denial-of-service condition. Patches available across kernel 6.12.75, 6.18.16, 6.19.6, and 7.0 stable branches. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation activity, and no KEV listing or public POC identified at time of analysis.

Amd Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local denial-of-service deadlock in Linux kernel spidev driver allows authenticated users with low privileges to freeze the SPI subsystem via concurrent write() and ioctl() calls. The AB-BA lock inversion between spi_lock and buf_lock is reproducible with simple multithreaded userspace programs accessing the same spidev file descriptor. Patch available across stable kernel branches (6.12.75, 6.18.16, 6.19.6, 7.0) with extremely low EPSS score (0.02%, 5th percentile) indicating minimal real-world exploitation likelihood. No active exploitation or public POC identified at time of analysis.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Race condition in Linux kernel AMDGPU driver allows local attackers with low privileges to trigger denial of service through GPU page faults during DMA buffer operations. The vulnerability affects multi-GPU systems where shared buffer objects are accessed across different GPUs, particularly impacting AMD Radeon graphics driver stability. Patch available from upstream kernel maintainers for versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit code or active exploitation has been identified.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource leak in Linux kernel MOST (Media Oriented Systems Transport) core driver allows local authenticated users to trigger denial of service through repeated interface registration failures. The vulnerability stems from incomplete error handling in the driver's registration path, where resources allocated for MOST interfaces are not properly released when early registration failures occur. While CVSS rates this 5.5 with local access and low attack complexity, the EPSS score of 0.02% (5th percentile) indicates minimal real-world exploitation likelihood. Vendor patches are available across multiple kernel stable branches (6.12.75, 6.18.16, 6.19.6, 7.0).

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

An out-of-bounds shift operation in the Linux kernel's solo6x10 media driver causes a local denial of service. Affects Linux kernel versions from the initial commit through 7.0-rc3, with patches available in stable versions 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. The flaw, triggered by improper chip_id bounds checking, causes Clang's undefined behavior sanitizer to instrument code that can lead to system instability when exploited by low-privileged local users. EPSS exploitation probability is 0.02% (7th percentile), indicating minimal widespread threat. Vendor-released patches address the issue by adding explicit bounds validation and using unsigned shift operations.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Race condition in drm/panthor GPU driver violates dma-fence safe access rules, allowing local authenticated users to cause denial of service via timeline name retrieval racing with queue freeing. CVSS 5.5 (local, low complexity) with EPSS 0.02% indicating minimal real-world exploitation likelihood despite active kernel-level flaw.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Linux kernel DRM GEM shmem helper functions allows local privileged attackers to trigger CPU warnings and system instability via improper reservation lock handling around vmap/vunmap operations. The vulnerability affects Linux 6.16 and multiple stable branches (6.18, 6.19, 7.0) and is resolved in patched versions; exploitation requires local access with limited privileges and produces availability impact through kernel warnings rather than remote compromise.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory access violations occur in Linux kernel on Xilinx ZynqMP systems when OP-TEE device tree nodes are manually defined, preventing U-Boot's OP-TEE injection logic from properly inserting reserved-memory nodes. This affects Linux kernel versions 6.9 through 7.0 on ARM64 ZynqMP platforms, allowing local authenticated users to cause denial of service through runtime memory access faults. Vendor-released patches are available across multiple stable branches (6.12.75, 6.18.16, 6.19.6, 7.0).

Code Injection Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local users with low privileges can trigger a denial of service in Linux kernel KVM (Kernel-based Virtual Machine) by manipulating nested virtualization state on AMD SVM systems. The vulnerability allows unprivileged users to cause a kernel warning and potential system instability by modifying CPUID after loading CR3 register state in nested SVM configurations. With CVSS 5.5 (AV:L/AC:L/PR:L) and low EPSS (0.02%), this represents a localized availability risk rather than a critical remote threat. Vendor patches are available across multiple kernel versions (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0).

Authentication Bypass Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local attackers with low privileges can cause indefinite system hangs in Linux kernel device-mapper (dm) subsystem by injecting io-timeout-fail errors, triggering CWE-772 resource leaks where I/O requests are never completed. Affects longstanding kernel code from 5.10.x through mainline 6.19.x; vendor-patched versions available (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates low real-world exploitation probability. No active exploitation confirmed (not in CISA KEV), no public POC identified at time of analysis.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in Linux kernel ACPI processor module allows local authenticated attackers to crash the system. The flaw occurs in acpi_processor_errata_piix4() when device lookup logic overwrites a valid pointer with NULL, triggering a crash when accessed by dev_dbg(). Vendor-released patches are available across multiple stable kernel branches (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS exploitation probability is very low (0.02%, 7th percentile), and no public exploit or active exploitation has been identified. The vulnerability requires local access with low privileges (CVSS AV:L/PR:L), making it a lower priority than network-exposed flaws despite the high availability impact.

Denial Of Service Linux Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A use-after-free in the OmniVision OV5647 camera sensor driver (media: i2c: ov5647) can trigger a kernel crash. The ov5647_init_controls() function dereferences an uninitialized subdev pointer via v4l2_get_subdevdata() when error conditions occur during probe. This affects Linux kernel versions from 5.12 through multiple stable branches including 5.15.x, 6.1.x, 6.6.x, 6.12.x, 6.18.x, and 6.19.x prior to patches. Vendor patches available across all affected stable trees. EPSS exploitation probability is very low (0.02%, 7th percentile) with no public exploit identified at time of analysis.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Linux kernel's Tegra PMC driver can trigger kernel warnings and potential denial of service during system resume by calling generic_handle_irq() from non-interrupt context. Affects Tegra186 and later platforms running Linux kernel versions prior to 6.19.6 and 7.0. CVSS 5.5 indicates local low-complexity exploitation requiring authenticated access. EPSS score of 0.02% (5th percentile) suggests minimal observed exploitation activity. Vendor patches available via stable kernel tree commits.

Nvidia Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Hardware-level denial of service in Linux kernel verisilicon media driver on i.MX8MQ platform allows local authenticated users to trigger VPU bus errors and system hangs through simultaneous H.264/HEVC decoding. Affects kernel versions 5.14 through pre-6.19.6 and pre-7.0. Patches available via stable kernel commits 286d629d1064 and e0203ddf9af7. EPSS score of 0.02% indicates minimal observed exploitation, and CVSS 5.5 reflects local scope with low complexity. No public exploit code identified, and not listed in CISA KEV.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

System hang during RAID array teardown affects Linux kernel's dm-raid target when metadata devices are suspended before removal. The vulnerability triggers when stopping dm-raid managed arrays, causing md_stop() to indefinitely block while attempting to flush write-intent bitmaps to already-suspended metadata devices. With EPSS exploitation probability at 0.02% (4th percentile) and vendor patches available for kernel versions 6.18.16, 6.19.6, and 7.0, this represents a local denial-of-service risk requiring low privileges but poses minimal risk in most environments due to the specific dm-raid configuration prerequisite.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service vulnerability in Linux kernel btrfs filesystem allows local authenticated users to trigger a kernel panic via unexpected delayed reference types. The vulnerability stems from improper error handling in run_one_delayed_ref() that invokes BUG() instead of gracefully returning an error. Patched in Linux 6.19.6 and 7.0 with proper error logging. EPSS exploitation probability is very low (0.02%, 5th percentile) with no public exploit or active exploitation reported, indicating minimal real-world risk despite the high availability impact in the CVSS score.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Buffer over-read in the Linux kernel's adxl380 IIO accelerometer driver allows local authenticated users to read arbitrary kernel memory. The FIFO interrupt handler incorrectly calculates batch sizes when multiple channels are enabled, reading more entries than exist in the FIFO buffer. CVSS rates this 7.8 (High) with local access requiring low-privileged credentials. EPSS exploitation probability is minimal (0.02%, 5th percentile), indicating low real-world risk. Patches available in stable kernel versions 6.12.75, 6.18.16, 6.19.6, and 7.0.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local denial-of-service in Linux kernel BPF crypto subsystem allows authenticated attackers to crash the system via CFI policy violations. The vulnerability stems from a type mismatch in BPF's crypto destructor function when Control Flow Integrity (CONFIG_CFI) is enabled, causing kernel panics during object cleanup operations. Patches available across kernel versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low likelihood of mass exploitation. No KEV listing or public exploits identified at time of analysis.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service via system hang in Linux kernel's AMD display driver occurs when the DMUB hardware lock evaluation mismatches between lock acquisition and release in the HWSS fast path, affecting ASIC variants without FAMS support. Local authenticated attackers can trigger this condition through display operations, causing a hang with high availability impact. Patch available in stable releases 6.19.6 and 7.0; EPSS score of 0.02% indicates low real-world exploitation probability despite KEV status.

Amd Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Improper key length validation in the Linux kernel's libceph authentication subsystem allows remote unauthenticated attackers to trigger memory corruption during Ceph authentication key decoding. This affects systems using Ceph distributed storage clusters, with EPSS probability 0.02% (percentile 7%), indicating low immediate exploitation likelihood. Patches available across all supported kernel branches (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) with commits linked in multiple stable trees, suggesting coordinated vendor response. No public exploit code or CISA KEV listing identified at time of analysis.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel swap subsystem allows local authenticated users to achieve high-severity code execution, integrity violations, or denial of service. The vulnerability stems from multiple kernel subsystems (SLUB, shmem, TTM) failing to clear page->private fields before freeing memory, causing stale pointers to persist when pages are reallocated and split. The swap code then dereferences these uninitialized LIST_POISON values during swapoff operations, triggering KASAN-detected wild memory access. Patches available across kernel versions 6.18.16, 6.19.6, and 7.0, with EPSS score of 0.02% indicating low observed exploitation probability despite CVSS 7.8 rating.

Denial Of Service Linux Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Linux kernel DMA API debug warnings in V3D rendering driver cause denial of service when CONFIG_DMA_API_DEBUG is enabled and V3D segment sizes exceed the default 64K maximum. The vulnerability affects systems using V3D graphics rendering (particularly Raspberry Pi 5) with debug DMA API enabled, allowing local authenticated users to trigger kernel warnings and potential system instability by creating V3D buffer objects larger than the device's claimed DMA segment size limit.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A reference count underflow in the Linux kernel's chips-media wave5 video codec driver causes a runtime PM usage count to decrement below zero during module removal, triggering a kernel warning and potentially causing denial of service when the driver is unloaded. The vulnerability affects unprivileged local users on systems with the wave5 codec driver enabled, and occurs when the device has already been suspended via autosuspend before the remove path executes pm_runtime_put_sync(). EPSS score of 0.02% indicates low exploitation probability despite the denial-of-service capability.

Integer Overflow Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null-pointer dereference in the Linux kernel DRM panel driver (jdi_panel_dsi_remove function) allows local authenticated attackers to cause a denial of service by triggering device removal when the jdi structure is NULL. The vulnerability exists because the function checks for NULL but fails to return early, allowing subsequent code to dereference the NULL pointer. CVSS score is 5.5 (local attack vector, low complexity); EPSS indicates low exploitation probability (0.02%, 5th percentile), and no public exploit code or active exploitation has been confirmed.

Denial Of Service Linux Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Linux kernel btrfs filesystem crashes with kernel BUG when read-repair operations execute after filesystem transitions to read-only state during critical ENOSPC errors. Affects btrfs users experiencing metadata space exhaustion, causing denial of service through kernel panic in the bio repair path. Local attackers with low privileges can trigger this condition in specific filesystem states. EPSS score of 0.02% and no KEV listing indicate low probability of widespread exploitation. Vendor-released patches available in kernel versions 6.19.6 and 7.0.

Linux Denial Of Service Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Linux kernel drm/amdgpu driver (VCNv2.5) affects virtual function (VF) GPU environments running kernel versions prior to 6.18.16, 6.19.6, and 7.0. During module unload or system deinitialization, VF configurations trigger a kernel warning and potential crash when attempting to release an uninitialized VCN poison interrupt handler. EPSS exploitation probability is very low (0.02%, 4th percentile) with no public exploit or active exploitation (not in CISA KEV). Vendor patches available across multiple stable kernel branches via upstream commits.

Amd Red Hat Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local denial-of-service in Linux kernel's Rockchip RGA media driver allows authenticated users with low privileges to crash the system through NULL pointer dereference. The vulnerability affects kernel versions 6.8+ containing the Rockchip RGA driver, where rga_buf_init() fails to validate ERR_PTR returns from rga_get_frame() before dereferencing frame size. Vendor patches available across stable branches (6.12.75, 6.18.16, 6.19.6). EPSS score 0.02% (5th percentile) indicates minimal real-world exploitation likelihood, consistent with local-only attack vector requiring authenticated access.

Denial Of Service Linux Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Linux kernel octeontx2-af network driver allows remote unauthenticated attackers to trigger system stalls and deadlocks via network traffic that exploits hardware errata in Marvell OcteonTX2 NIX SQ manager. The vulnerability affects Linux kernel versions from mainline through multiple stable branches, with vendor patches released for 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. EPSS exploitation probability is low at 0.02% (7th percentile), and no public exploit or active exploitation is confirmed at time of analysis.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Linux kernel RapidIO subsystem occurs when idtab allocation fails during rio_scan_alloc_net(), causing the function to incorrectly invoke rio_free_net() instead of kfree() on unregistered memory, leaving a dangling pointer in mport->net that can be dereferenced later to trigger a crash. Authenticated local attackers with low privilege can trigger this condition on systems with RapidIO support enabled, resulting in kernel panic and service unavailability. EPSS probability is low (0.02%) despite moderate CVSS, indicating limited real-world exploitability; no public exploit code or active KEV exploitation confirmed.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel panic occurs in the Renesas RZ/G2L MIPI DSI driver during system reboot when display panels attempt to send DSI commands in their unprepare callback, due to incorrect sequencing of driver shutdown. The vulnerability affects Linux kernel versions from commit 56de5e305d4b onwards on ARM64 systems running RZ/G2L platforms with specific panel types, allowing local users with standard privileges to trigger a denial of service by initiating a reboot.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix kthread worker destruction in polling mode Fix the cleanup order in polling mode (irq < 0) to prevent kernel warnings during module removal. Cancel the hrtimer before destroying the kthread worker to ensure work queues are empty. In polling mode, the driver uses hrtimer to periodically trigger wave5_vpu_timer_callback() which queues work via kthread_queue_work(). The kthread_destroy_worker() function validates that both work queues are empty with WARN_ON(!list_empty(&worker->work_list)) and WARN_ON(!list_empty(&worker->delayed_work_list)). The original code called kthread_destroy_worker() before hrtimer_cancel(), creating a race condition where the timer could fire during worker destruction and queue new work, triggering the WARN_ON. This causes the following warning on every module unload in polling mode: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 1034 at kernel/kthread.c:1430 kthread_destroy_worker+0x84/0x98 Modules linked in: wave5(-) rpmsg_ctrl rpmsg_char ... Call trace: kthread_destroy_worker+0x84/0x98 wave5_vpu_remove+0xc8/0xe0 [wave5] platform_remove+0x30/0x58 ... ---[ end trace 0000000000000000 ]---

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node When CONFIG_PAGE_OWNER is enabled, freeing KASAN shadow pages during vmalloc cleanup triggers expensive stack unwinding that acquires RCU read locks. Processing a large purge_list without rescheduling can cause the task to hold CPU for extended periods (10+ seconds), leading to RCU stalls and potential OOM conditions. The issue manifests in purge_vmap_node() -> kasan_release_vmalloc_node() where iterating through hundreds or thousands of vmap_area entries and freeing their associated shadow pages causes: rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P6229/1:b..l ... task:kworker/0:17 state:R running task stack:28840 pid:6229 ... kasan_release_vmalloc_node+0x1ba/0xad0 mm/vmalloc.c:2299 purge_vmap_node+0x1ba/0xad0 mm/vmalloc.c:2299 Each call to kasan_release_vmalloc() can free many pages, and with page_owner tracking, each free triggers save_stack() which performs stack unwinding under RCU read lock. Without yielding, this creates an unbounded RCU critical section. Add periodic cond_resched() calls within the loop to allow: - RCU grace periods to complete - Other tasks to run - Scheduler to preempt when needed The fix uses need_resched() for immediate response under load, with a batch count of 32 as a guaranteed upper bound to prevent worst-case stalls even under light load.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Improper packet data validation in Linux kernel NCI NFC subsystem breaks communication with NFC chips and creates potential for information disclosure. The vulnerability affects adjacent network attackers (AV:A) who can exploit variable-length packet handling without authentication (PR:N) to achieve high confidentiality impact, low integrity impact, and high availability impact. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability despite CVSS 8.3 severity. Vendor patches available across multiple kernel versions (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) with upstream fixes committed to stable branches.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A buffer management flaw in the Linux kernel's uvcvideo (USB Video Class) driver allows local authenticated attackers to trigger memory corruption via improper buffer handling when streaming initialization fails. The vulnerability manifests when xHCI controller failures cause uvc_pm_get() errors during start_streaming(), leaving queued video buffers unreturned and potentially causing system instability or privilege escalation. Patches are available from kernel maintainers for versions 6.18.16, 6.19.6, and 7.0+, with upstream fixes committed. EPSS score of 0.02% suggests minimal observed exploitation attempts, and no KEV listing indicates this is not currently exploited in the wild despite the high CVSS 7.8 score.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local denial of service in Linux kernel's kexec subsystem allows authenticated attackers to trigger kernel warning and system instability. The kexec_load_purgatory() function incorrectly derives the purgatory entry point when multiple executable sections have overlapping sh_addr values, causing a WARN condition that disrupts kexec operations. With CVSS 5.5 (AV:L/AC:L/PR:L/UI:N) and EPSS at 0.02%, this represents low real-world exploitation risk. Patches available across multiple stable kernel versions including 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, and 6.19.6.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local privilege escalation in Linux kernel ext4 filesystem causes kernel panic during mount operations when DOUBLE_CHECK is enabled. Affects multiple stable kernel versions from 6.6.128 through 7.0. The initialization race condition allows local authenticated users to trigger a denial of service by mounting specially crafted ext4 filesystems with corrupted block bitmaps. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability. Vendor patches available across all affected stable branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local users with low privileges can trigger unbounded kernel memory consumption in the Linux kernel's DRM subsystem via DRM_IOCTL_MODE_CREATEPROPBLOB, bypassing memory cgroup accounting and causing system-wide denial of service. The vulnerability affects all Linux kernel versions from 2.6.12-rc2 (commit 1da177e4) through 6.19.x until patched in 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. EPSS score is low (0.02%) and no active exploitation is documented; however, the attack requires only local access and low privileges (CVSS AV:L/AC:L/PR:L), making it easily exploitable by unprivileged users on multi-tenant systems.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory accounting errors in Linux kernel hugetlb subsystem cause subpool reservation counters to incorrectly increment on failed global allocations, eventually rendering hugetlb subpools permanently unusable. The vulnerability affects Linux kernels from 6.15 onward where commit a833a693a490 introduced the flaw. When a process requests hugepages that require both subpool and global pool resources, failed global allocations leave the subpool's used_hpages counter elevated despite no actual page consumption, progressively exhausting the subpool's apparent capacity until all future allocations fail. Patches available for kernels 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% and lack of KEV listing indicate low exploitation probability, though local authenticated attackers can trigger the condition to cause denial of service against hugetlb-dependent workloads.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service via NMI-unsafe seqcount access in Linux kernel memory slab allocator allows local privileged attackers to trigger kernel deadlock when get_from_any_partial() is called in NMI context. The vulnerability stems from unsafe access to current->mems_allowed_seq (a spinlock-based seqcount) without NMI-safety guarantees, causing lockdep warnings and potential system hang. EPSS exploitation probability is low at 0.02%, and no active exploitation has been confirmed.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A denial of service vulnerability in the Linux kernel's Cadence QSPI driver causes duplicate clock disables during device probe error handling when flash device tree descriptions are missing or malformed. An unprivileged local user can trigger this vulnerability by providing broken device tree configuration for attached SPI flash devices, resulting in kernel warnings and potential system instability.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service via missing reservation lock in drm/tests shmem allows local authenticated users to trigger a kernel warning and crash the DRM graphics subsystem. The vulnerability exists in DRM test code that calls drm_gem_shmem_madvise_locked() without properly acquiring the GEM object's reservation lock, causing CPU warnings and potential system instability on affected kernel versions.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel denial of service in rtw88 WiFi driver 8822b chipset allows local authenticated users to trigger a kernel WARNING and potential system instability by setting antenna configuration while the wireless chip is powered off, causing unexpected values when RF registers are read during power-down state.

Lenovo Information Disclosure Linux +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Linux kernel DRM GEM shmem helper when drm_gem_shmem_purge_locked() is called without properly holding the GEM object's reservation lock, affecting local authenticated users. The vulnerability causes a kernel warning and denial of service condition in the direct rendering manager's shared memory handling code. CVSS 5.5 with low EPSS (0.02%) indicates limited real-world exploitation despite availability of patch. Affected Linux versions prior to kernels with commits cdf8bbbd9017adcfb91ad9a902198d4b507719a9, 8baeee2c1c0cdb3a8eac3b8f38156cce6ee1a69f, and 3f41307d589c2f25d556d47b165df808124cd0c4.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% 5.3 CVSS 8.8
HIGH POC PATCH Act Now

Use-after-free in Linux kernel ESP (IPsec) allows local authenticated attackers to decrypt shared memory fragments improperly, potentially exposing encrypted network traffic or causing memory corruption. Affects kernel versions 6.5+ where MSG_SPLICE_PAGES can attach pipe pages directly to UDP socket buffers. The IPv4/IPv6 datagram paths fail to mark spliced pages as shared, causing ESP input decryption to modify memory not privately owned by the packet buffer. Public exploit code exists (POC available on GitHub), EPSS score is low (0.01%) indicating limited widespread exploitation risk, and vendor patches are available across affected stable kernel branches (6.6.138, 6.12.87, 6.18.28, 7.0.5).

Information Disclosure Use After Free Memory Corruption +1
NVD GitHub VulDB Exploit-DB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/04/28. ck_archive() doesn't check for Windows absolute paths in ZIPs (Alan Coopersmith <alan.coopersmith@...cle.com>) Xen Security Advisory 483 v2 (CVE-2026-23556) - oxenstored keeps quota related use counts across domain destruction (Xen.org security team <security@....org>) Xen Security Advisory 484 v2 (CVE-2026-23557) - Xenstored DoS via XS_RESET_WATCHES command (Xen.org security team <security@....org>) Xen Security Advisory 485 v2 (CVE-2026-31786) - Linux kernel out of bounds read via Xen-related sysfs file (Xen.org security team <security@....org>) Xen Security Advisory 486 v2 (CVE-2026-23558) - grant table

Microsoft Buffer Overflow Linux +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/04/28. dvisory 484 v2 (CVE-2026-23557) - Xenstored DoS via XS_RESET_WATCHES command (Xen.org security team <security@....org>) Xen Security Advisory 485 v2 (CVE-2026-31786) - Linux kernel out of bounds read via Xen-related sysfs file (Xen.org security team <security@....org>) Xen Security Advisory 486 v2 (CVE-2026-23558) - grant table v2 race in status page mapping (Xen.org security team <security@....org>) Xen Security Advisory 487 v2 (CVE-2026-31787) - Linux kernel double free in Xen privcmd driver (Xen.org security team <security@....org>) Coordinated Disclosure in the LLM Age (Jeremy Stanley <fungi@...goth.org

Buffer Overflow Linux Race Condition +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: fs/buffer: add alert in try_to_free_buffers() for folios without buffers try_to_free_buffers() can be called on folios with no buffers attached when filemap_release_folio() is invoked on a folio belonging to a mapping with AS_RELEASE_ALWAYS set but no release_folio operation defined. In such cases, folio_needs_release() returns true because of the AS_RELEASE_ALWAYS flag, but the folio has no private buffer data. This causes try_to_free_buffers() to call drop_buffers() on a folio with no buffers, leading to a null pointer dereference. Adding a check in try_to_free_buffers() to return early if the folio has no buffers attached, with WARN_ON_ONCE() to alert about the misconfiguration. This provides defensive hardening.

Denial Of Service Null Pointer Dereference Linux +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in the AMD GPU (amdgpu) DRM subsystem can cause denial of service when the SDMA block is disabled and buffer_funcs initialization is skipped, allowing local authenticated users to crash the kernel via uninitialized function pointer access.

Denial Of Service Null Pointer Dereference Linux +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's amdgpu RAS (Reliability, Availability, and Serviceability) driver crashes the kernel when a local user reads the sysfs badpages interface on a system whose AMD GPU EEPROM contains only invalid address entries. The driver skips RAS data allocation under this condition, and the subsequent read of `amdgpu_ras_sysfs_badpages_read` dereferences the uninitialized pointer, producing a kernel panic and complete denial of service. No public exploit exists and no active exploitation has been identified; EPSS is 0.02% (4th percentile), reflecting very low real-world risk.

Denial Of Service Null Pointer Dereference Ubuntu +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Integer wraparound in the Linux kernel JFS (Journaled File System) `jfs_rename` function can be triggered by a local low-privileged user to cause a kernel warning and denial of service. When a directory's hard link count (nlink) is already at its maximum value (-1 as an unsigned overflow scenario), performing an in-place rename of a child subdirectory increments nlink and then decrements it, wrapping the counter to zero and triggering a `drop_nlink` kernel warning. The vulnerability affects a wide range of stable kernel branches from 5.10 through 6.19; no public exploit code exists and CISA has not listed this in KEV, making active exploitation unlikely but not impossible in multi-tenant or container environments where JFS-mounted filesystems are accessible to low-privilege users.

Buffer Overflow Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's bcm_vk misc driver allows a local authenticated attacker to crash the kernel, resulting in a denial of service. The bcm_vk_read() function checks whether the 'entry' pointer is NULL but fails to prevent subsequent dereferences of that pointer when rc is set to -EMSGSIZE, leading to a kernel panic. No public exploit exists and the vulnerability is not listed in CISA KEV; however, vendor-released patches are available across multiple stable kernel branches, and Red Hat and SUSE have tagged this for attention in their ecosystems.

Denial Of Service Null Pointer Dereference Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory exhaustion denial-of-service in the Linux kernel's ti_fpc202 misc driver allows a local low-privileged user to degrade system availability through a memory leak introduced in the probe function. The root cause is improper release of device tree child node references during driver initialization when iterating over nodes, classified as CWE-401 (Missing Release of Memory after Effective Lifetime). No active exploitation is confirmed - no public exploit identified at time of analysis - and the extremely low EPSS score of 0.02% (4th percentile) reflects the niche hardware dependency and local-only attack surface.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Silent error suppression in the Linux kernel's NTFS3 filesystem driver allows a local authenticated user to trigger inode inconsistency by causing attr_set_size() to fail during file truncation. Affected systems running NTFS3-mounted volumes may experience filesystem corruption or denial of service without any visible error signal to the kernel. No active exploitation has been identified (EPSS 0.02%, not in CISA KEV), and vendor-released patches are available in Linux 7.0 and 6.19.6.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource leak in the Linux kernel's mtk-smi (MediaTek System Memory Interface) driver allows a local, low-privileged attacker on MediaTek SoC-based systems to cause a denial of service by exhausting kernel device references. The driver fails to call put_device() on the SMI device reference obtained during common probe when late probe failure (e.g., -EPROBE_DEFER) or driver unbind occurs, leaving dangling references that accumulate over repeated cycles. No public exploit identified at time of analysis and EPSS at 0.02% (7th percentile) indicates very low exploitation probability; patches are available across multiple stable branches.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Device reference leak in the Linux kernel's MediaTek SMI (mtk-smi) memory driver can cause resource exhaustion and denial of service on affected MediaTek SoC-based systems. The flaw exists in the larb (Local Arbiter) probe path, where a reference acquired during SMI device lookup is never released when late probe failure occurs (e.g., probe deferral) or when the driver is unbound - leaving the kernel device struct's reference count permanently inflated. With EPSS at 0.02% (7th percentile), no KEV listing, and no public exploit identified at time of analysis, real-world exploitation risk is very low and narrowly scoped to hardware running MediaTek SoCs.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory allocation underflow in the Linux kernel ASoC SOF (Sound Open Firmware) ipc4-topology module allows local authenticated users to trigger a denial of service via bytes control handling that fails to account for the full data structure size. The vulnerability affects kernel versions prior to specific stable releases (6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0) where the allocation size calculation omits the sof_ipc4_control_data structure, potentially causing memory exhaustion or kernel crash when processing audio topology configuration.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel QRTR (Qualcomm IPC Router) driver via MHI auto_queue feature causes denial of service on Qualcomm X1E80100 CRD machines during boot. The vulnerability occurs when the MHI stack invokes the DL (downlink) callback before the QRTR client driver is fully probed, accessing uninitialized driver structures. A local privileged attacker can trigger kernel panic by exploiting the race condition between MHI buffer auto-queuing and driver initialization, affecting systems relying on QRTR over MHI transport.

Denial Of Service Null Pointer Dereference Linux +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Improper DMA buffer unmapping in the Linux kernel ec_bhf Ethernet driver allows local authenticated attackers with low privileges to trigger memory corruption, potentially achieving arbitrary code execution, information disclosure, or denial of service with container escape capability (scope change). The vulnerability exists in error path handling where dma_free_coherent() receives the wrong DMA handle parameter (alloc_len instead of alloc_phys), causing incorrect buffer unmapping. Patches available across multiple stable kernel versions (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates very low probability of exploitation in the wild, and no public exploit identified at time of analysis.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: RDMA/ionic: Fix potential NULL pointer dereference in ionic_query_port The function ionic_query_port() calls ib_device_get_netdev() without checking the return value which could lead to NULL pointer dereference, Fix it by checking the return value and return -ENODEV if the 'ndev' is NULL.

Denial Of Service Null Pointer Dereference Linux +2
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate() Although it is guided that `#mbox-cells` must be at least 1, there are many instances of `#mbox-cells = <0>;` in the device tree. If that is the case and the corresponding mailbox controller does not provide `fw_xlate` and of_xlate` function pointers, `fw_mbox_index_xlate()` will be used by default and out-of-bounds accesses could occur due to lack of bounds check in that function.

Information Disclosure Buffer Overflow Linux
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local authenticated attackers can trigger an out-of-bounds kernel memory read in Linux kernel's xe graphics driver (6.18-6.19.x) via malicious pat_index values in the madvise IOCTL. This allows information disclosure from kernel memory and potential denial of service through kernel crashes. The vulnerability exists because madvise_args_are_sane() fails to validate pat_index bounds before passing it to xe_pat_index_get_coh_mode(), which performs unsafe array access into xe->pat.table. Vendor patches available for kernels 6.18.16+ and 6.19.6+ implement bounds checking with array_index_nospec() to prevent both direct exploitation and Spectre-based side-channel attacks. EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis.

Buffer Overflow Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds buffer writes in Linux kernel ALSA USB audio subsystem allow local authenticated attackers to crash the kernel or potentially achieve privilege escalation. The flaw occurs during implicit feedback mode playback when stream configurations mismatch between capture and playback, causing the prepare_silent_urb() function to write beyond allocated buffer boundaries. Affects all Linux kernel versions from initial commit 1da177e4c3f4 through multiple stable branches; vendor patches available for 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploits or active exploitation confirmed.

Linux Memory Corruption Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Double-free memory corruption in Linux kernel device-mapper subsystem allows local authenticated users to trigger use-after-free conditions, potentially leading to privilege escalation or denial of service. The vulnerability manifests when using request-based DM targets (e.g., dm-multipath) over NVMe devices, where cloned request bios are freed twice due to stale bio pointers in clone requests. Vendor patches available across multiple stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% indicates low predicted exploitation probability; no active exploitation confirmed at time of analysis.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: APEI/GHES: ensure that won't go past CPER allocated record The logic at ghes_new() prevents allocating too large records, by checking if they're bigger than GHES_ESTATUS_MAX_SIZE (currently, 64KB). Yet, the allocation is done with the actual number of pages from the CPER bios table location, which can be smaller. Yet, a bad firmware could send data with a different size, which might be bigger than the allocated memory, causing an OOPS: Unable to handle kernel paging request at virtual address fff00000f9b40000 Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x07: level 3 translation fault Data abort info: ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 52-bit VAs, pgdp=000000008ba16000 [fff00000f9b40000] pgd=180000013ffff403, p4d=180000013fffe403, pud=180000013f85b403, pmd=180000013f68d403, pte=0000000000000000 Internal error: Oops: 0000000096000007 [#1] SMP Modules linked in: CPU: 0 UID: 0 PID: 303 Comm: kworker/0:1 Not tainted 6.19.0-rc1-00002-gda407d200220 #34 PREEMPT Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02/2022 Workqueue: kacpi_notify acpi_os_execute_deferred pstate: 214020c5 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : hex_dump_to_buffer+0x30c/0x4a0 lr : hex_dump_to_buffer+0x328/0x4a0 sp : ffff800080e13880 x29: ffff800080e13880 x28: ffffac9aba86f6a8 x27: 0000000000000083 x26: fff00000f9b3fffc x25: 0000000000000004 x24: 0000000000000004 x23: ffff800080e13905 x22: 0000000000000010 x21: 0000000000000083 x20: 0000000000000001 x19: 0000000000000008 x18: 0000000000000010 x17: 0000000000000001 x16: 00000007c7f20fec x15: 0000000000000020 x14: 0000000000000008 x13: 0000000000081020 x12: 0000000000000008 x11: ffff800080e13905 x10: ffff800080e13988 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000001 x6 : 0000000000000020 x5 : 0000000000000030 x4 : 00000000fffffffe x3 : 0000000000000000 x2 : ffffac9aba78c1c8 x1 : ffffac9aba76d0a8 x0 : 0000000000000008 Call trace: hex_dump_to_buffer+0x30c/0x4a0 (P) print_hex_dump+0xac/0x170 cper_estatus_print_section+0x90c/0x968 cper_estatus_print+0xf0/0x158 __ghes_print_estatus+0xa0/0x148 ghes_proc+0x1bc/0x220 ghes_notify_hed+0x5c/0xb8 notifier_call_chain+0x78/0x148 blocking_notifier_call_chain+0x4c/0x80 acpi_hed_notify+0x28/0x40 acpi_ev_notify_dispatch+0x50/0x80 acpi_os_execute_deferred+0x24/0x48 process_one_work+0x15c/0x3b0 worker_thread+0x2d0/0x400 kthread+0x148/0x228 ret_from_fork+0x10/0x20 Code: 6b14033f 540001ad a94707e2 f100029f (b8747b44) ---[ end trace 0000000000000000 ]--- Prevent that by taking the actual allocated are into account when checking for CPER length. [ rjw: Subject tweaks ]

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix double destroy_workqueue on service rescan PCI path While testing corner cases in the driver, a use-after-free crash was found on the service rescan PCI path. When mana_serv_reset() calls mana_gd_suspend(), mana_gd_cleanup() destroys gc->service_wq. If the subsequent mana_gd_resume() fails with -ETIMEDOUT or -EPROTO, the code falls through to mana_serv_rescan() which triggers pci_stop_and_remove_bus_device(). This invokes the PCI .remove callback (mana_gd_remove), which calls mana_gd_cleanup() a second time, attempting to destroy the already- freed workqueue. Fix this by NULL-checking gc->service_wq in mana_gd_cleanup() and setting it to NULL after destruction. Call stack of issue for reference: [Sat Feb 21 18:53:48 2026] Call Trace: [Sat Feb 21 18:53:48 2026] <TASK> [Sat Feb 21 18:53:48 2026] mana_gd_cleanup+0x33/0x70 [mana] [Sat Feb 21 18:53:48 2026] mana_gd_remove+0x3a/0xc0 [mana] [Sat Feb 21 18:53:48 2026] pci_device_remove+0x41/0xb0 [Sat Feb 21 18:53:48 2026] device_remove+0x46/0x70 [Sat Feb 21 18:53:48 2026] device_release_driver_internal+0x1e3/0x250 [Sat Feb 21 18:53:48 2026] device_release_driver+0x12/0x20 [Sat Feb 21 18:53:48 2026] pci_stop_bus_device+0x6a/0x90 [Sat Feb 21 18:53:48 2026] pci_stop_and_remove_bus_device+0x13/0x30 [Sat Feb 21 18:53:48 2026] mana_do_service+0x180/0x290 [mana] [Sat Feb 21 18:53:48 2026] mana_serv_func+0x24/0x50 [mana] [Sat Feb 21 18:53:48 2026] process_one_work+0x190/0x3d0 [Sat Feb 21 18:53:48 2026] worker_thread+0x16e/0x2e0 [Sat Feb 21 18:53:48 2026] kthread+0xf7/0x130 [Sat Feb 21 18:53:48 2026] ? __pfx_worker_thread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ret_from_fork+0x269/0x350 [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ret_from_fork_asm+0x1a/0x30 [Sat Feb 21 18:53:48 2026] </TASK>

Denial Of Service Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Flush exception handling work when RPM level is zero Ensure that the exception event handling work is explicitly flushed during suspend when the runtime power management level is set to UFS_PM_LVL_0. When the RPM level is zero, the device power mode and link state both remain active. Previously, the UFS core driver bypassed flushing exception event handling jobs in this configuration. This created a race condition where the driver could attempt to access the host controller to handle an exception after the system had already entered a deep power-down state, resulting in a system crash. Explicitly flush this work and disable auto BKOPs before the suspend callback proceeds. This guarantees that pending exception tasks complete and prevents illegal hardware access during the power-down sequence.

Denial Of Service Race Condition Linux +2
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Out-of-bounds memory access in Linux kernel's Microchip IPC mailbox driver allows local attackers to achieve arbitrary code execution with high integrity and confidentiality impact. The mchp-ipc-sbi driver incorrectly indexes a dynamically allocated cluster configuration array using non-contiguous hardware thread IDs (hartid) instead of sequential CPU IDs, causing reads/writes beyond array bounds on systems where hartid values exceed the number of online CPUs. Vendor patches available for stable kernel series 6.18.16, 6.19.6, and mainline 7.0. EPSS score of 0.02% suggests low probability of mass exploitation despite high CVSS severity, with no active exploitation confirmed at time of analysis.

Buffer Overflow Linux Information Disclosure +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ceph: supply snapshot context in ceph_zero_partial_object() The ceph_zero_partial_object function was missing proper snapshot context for its OSD write operations, which could lead to data inconsistencies in snapshots. Reproducer: ../src/vstart.sh --new -x --localhost --bluestore ./bin/ceph auth caps client.fs_a mds 'allow rwps fsname=a' mon 'allow r fsname=a' osd 'allow rw tag cephfs data=a' mount -t ceph fs_a@.a=/ /mnt/mycephfs/ -o conf=./ceph.conf dd if=/dev/urandom of=/mnt/mycephfs/foo bs=64K count=1 mkdir /mnt/mycephfs/.snap/snap1 md5sum /mnt/mycephfs/.snap/snap1/foo fallocate -p -o 0 -l 4096 /mnt/mycephfs/foo echo 3 > /proc/sys/vm/drop/caches md5sum /mnt/mycephfs/.snap/snap1/foo # get different md5sum!!

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix possible dereference of uninitialized pointer There is a pointer head_page in rb_meta_validate_events() which is not initialized at the beginning of a function. This pointer can be dereferenced if there is a failure during reader page validation. In this case the control is passed to "invalid" label where the pointer is dereferenced in a loop. To fix the issue initialize orig_head and head_page before calling rb_validate_buffer. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Denial Of Service Null Pointer Dereference Linux +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: md-cluster: fix NULL pointer dereference in process_metadata_update The function process_metadata_update() blindly dereferences the 'thread' pointer (acquired via rcu_dereference_protected) within the wait_event() macro. While the code comment states "daemon thread must exist", there is a valid race condition window during the MD array startup sequence (md_run): 1. bitmap_load() is called, which invokes md_cluster_ops->join(). 2. join() starts the "cluster_recv" thread (recv_daemon). 3. At this point, recv_daemon is active and processing messages. 4. However, mddev->thread (the main MD thread) is not initialized until later in md_run(). If a METADATA_UPDATED message is received from a remote node during this specific window, process_metadata_update() will be called while mddev->thread is still NULL, leading to a kernel panic. To fix this, we must validate the 'thread' pointer. If it is NULL, we release the held lock (no_new_dev_lockres) and return early, safely ignoring the update request as the array is not yet fully ready to process it.

Denial Of Service Null Pointer Dereference Linux +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove() In mtk_mdp_probe(), vpu_get_plat_device() increases the reference count of the returned platform device. Add platform_device_put() to prevent reference leak.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback After several commits, the slab memory increases. Some drm_crtc_commit objects are not freed. The atomic_destroy_state callback only put the framebuffer. Use the __drm_atomic_helper_plane_destroy_state() function to put all the objects that are no longer needed. It has been seen after hours of usage of a graphics application or using kmemleak: unreferenced object 0xc63a6580 (size 64): comm "egt_basic", pid 171, jiffies 4294940784 hex dump (first 32 bytes): 40 50 34 c5 01 00 00 00 ff ff ff ff 8c 65 3a c6 @P4..........e:. 8c 65 3a c6 ff ff ff ff 98 65 3a c6 98 65 3a c6 .e:......e:..e:. backtrace (crc c25aa925): kmemleak_alloc+0x34/0x3c __kmalloc_cache_noprof+0x150/0x1a4 drm_atomic_helper_setup_commit+0x1e8/0x7bc drm_atomic_helper_commit+0x3c/0x15c drm_atomic_commit+0xc0/0xf4 drm_atomic_helper_set_config+0x84/0xb8 drm_mode_setcrtc+0x32c/0x810 drm_ioctl+0x20c/0x488 sys_ioctl+0x14c/0xc20 ret_fast_syscall+0x0/0x54

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: hfsplus: pretend special inodes as regular files Since commit af153bb63a33 ("vfs: catch invalid modes in may_open()") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/ S_IFIFO/S_IFSOCK type, use S_IFREG for special inodes.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix potential zero beacon interval in beacon tracking During fuzz testing, it was discovered that bss_conf->beacon_int might be zero, which could result in a division by zero error in subsequent calculations. Set a default value of 100 TU if the interval is zero to ensure stability.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: EFI/CPER: don't go past the ARM processor CPER record buffer There's a logic inside GHES/CPER to detect if the section_length is too small, but it doesn't detect if it is too big. Currently, if the firmware receives an ARM processor CPER record stating that a section length is big, kernel will blindly trust section_length, producing a very long dump. For instance, a 67 bytes record with ERR_INFO_NUM set 46198 and section length set to 854918320 would dump a lot of data going a way past the firmware memory-mapped area. Fix it by adding a logic to prevent it to go past the buffer if ERR_INFO_NUM is too big, making it report instead: [Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1 [Hardware Error]: event severity: recoverable [Hardware Error]: Error 0, type: recoverable [Hardware Error]: section_type: ARM processor error [Hardware Error]: MIDR: 0xff304b2f8476870a [Hardware Error]: section length: 854918320, CPER size: 67 [Hardware Error]: section length is too big [Hardware Error]: firmware-generated error record is incorrect [Hardware Error]: ERR_INFO_NUM is 46198 [ rjw: Subject and changelog tweaks ]

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Linux kernel KVM x86 nested virtualization allows local privileged attackers to crash virtual machines by manipulating vCPU state through userspace MP_STATE and injected event stuffing. When a vCPU is awakened from a blocking state in L2 (nested guest mode) with an already-injected event, the kernel generates spurious KVM_EXIT_UNKNOWN exits that typically terminate the VM. The vulnerability stems from insufficient validation of impossible vCPU states that userspace can artificially create, despite architectural safeguards that should prevent injected events during blocking. CVSS 5.5 (local, low complexity, high availability impact); EPSS 0.02% indicates minimal widespread exploitation likelihood.

Code Injection Linux Red Hat +1
NVD VulDB
Prev Page 14 of 143 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy