Skip to main content

Linux

12819 CVEs vendor

Monthly

CVE-2026-43264 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: fbdev: of: display_timing: fix refcount leak in of_get_display_timings() of_parse_phandle() returns a device_node with refcount incremented, which is stored in 'entry' and then copied to 'native_mode'. When the error paths at lines 184 or 192 jump to 'entryfail', native_mode's refcount is not decremented, causing a refcount leak. Fix this by changing the goto target from 'entryfail' to 'timingfail', which properly calls of_node_put(native_mode) before cleanup.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43263 HIGH PATCH This Week

A race condition in the Linux kernel's chips-media wave5 video decoder driver allows local authenticated users to trigger a NULL pointer dereference during concurrent instance creation/destruction, potentially leading to high confidentiality, integrity, and availability impact. The vulnerability affects kernel versions from commit 9707a6254a8a onwards until patched in 6.18.16, 6.19.6, and 7.0. Fixed via interrupt handler refactoring with proper locking. EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, and no public exploit code or CISA KEV listing exists, suggesting limited real-world exploitation despite the high CVSS 7.8 score.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43262 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: gfs2: fiemap page fault fix In gfs2_fiemap(), we are calling iomap_fiemap() while holding the inode glock. This can lead to recursive glock taking if the fiemap buffer is memory mapped to the same inode and accessing it triggers a page fault. Fix by disabling page faults for iomap_fiemap() and faulting in the buffer by hand if necessary. Fixes xfstest generic/742.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43261 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: arm64: Add support for TSV110 Spectre-BHB mitigation The TSV110 processor is vulnerable to the Spectre-BHB (Branch History Buffer) attack, which can be exploited to leak information through branch prediction side channels. This commit adds the MIDR of TSV110 to the list for software mitigation.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43260 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix RSS context delete logic We need to free the corresponding RSS context VNIC in FW everytime an RSS context is deleted in driver. Commit 667ac333dbb7 added a check to delete the VNIC in FW only when netif_running() is true to help delete RSS contexts with interface down. Having that condition will make the driver leak VNICs in FW whenever close() happens with active RSS contexts. On the subsequent open(), as part of RSS context restoration, we will end up trying to create extra VNICs for which we did not make any reservation. FW can fail this request, thereby making us lose active RSS contexts. Suppose an RSS context is deleted already and we try to process a delete request again, then the HWRM functions will check for validity of the request and they simply return if the resource is already freed. So, even for delete-when-down cases, netif_running() check is not necessary. Remove the netif_running() condition check when deleting an RSS context.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43259 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: phy: fsl-imx8mq-usb: set platform driver data Add missing platform_set_drvdata() as the data will be used in remove().

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43258 HIGH PATCH This Week

Local privilege escalation and memory corruption in Linux kernel on Alpha architecture allows authenticated users to execute arbitrary code, corrupt heap memory, or crash systems via insufficient TLB shootdown during memory compaction. The vulnerability affects Alpha systems exclusively and manifests as SIGSEGV crashes, glibc allocator corruption, and compiler failures. EPSS score of 0.02% indicates low likelihood of widespread exploitation, though vendor patches are available across multiple stable kernel branches. Attack requires local authenticated access with low complexity (CVSS AV:L/AC:L/PR:L), limiting remote exploitation scenarios.

Linux Buffer Overflow Memory Corruption Red Hat Suse
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43257 MEDIUM PATCH This Month

Denial of service in Linux kernel media cx88 driver allows local authenticated attackers to exhaust system resources by triggering a missing DMA unmapping in the snd_cx88_hw_params() error path. The vulnerability causes resource leaks when audio hardware parameter initialization fails, potentially rendering the audio subsystem unavailable. CVSS 5.5 reflects local attack vector with low complexity; EPSS 0.02% indicates minimal real-world exploitation probability despite vendor-released patches across multiple kernel versions.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43256 HIGH PATCH This Week

Out-of-bounds memory access in Linux kernel Qualcomm Camera Subsystem (camss) allows local authenticated users to achieve arbitrary code execution, data corruption, or denial of service. The vfe_isr() function iterates beyond the bounds of the vfe->line[] array (size 4) using a loop count of 7, enabling access to memory at offsets +4, +5, and +6. Vendor patches available across multiple stable branches (6.1.167, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score 0.02% (7th percentile) indicates low observed exploitation probability; no active exploitation confirmed (not in CISA KEV).

Buffer Overflow Linux Information Disclosure Red Hat Suse
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43255 MEDIUM PATCH This Month

A use-after-free condition in the libertas USB wireless driver allows local attackers with user privileges to cause a denial of service by triggering a kernel warning and potential crash through rapid firmware loading or repeated usb_tx_block() calls while a USB request is still active. The vulnerability stems from insufficient synchronization of USB URB submissions, enabling concurrent requests on the same URB without enforcing completion of prior transmissions.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43254 HIGH PATCH This Week

A denial-of-service vulnerability in the Linux kernel's OpenVPN TCP stream processing (ovpn_tcp_recv) allows remote unauthenticated attackers to cause packet drops and potential system unavailability through header offset overflow and misaligned protocol headers when handling coalesced TCP packets. The vulnerability affects Linux kernel versions containing commit 11851cbd60ea (OpenVPN driver) through 6.19.6, 6.18.16, and 7.0, with patches available in stable branches. EPSS score of 0.02% (4th percentile) suggests low observed exploitation probability despite the network-accessible attack vector and high availability impact (CVSS 7.5).

RCE Linux Integer Overflow Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43253 HIGH PATCH This Week

AMD IOMMU completion wait operations in the Linux kernel can trigger soft lockups under high load when strict mode is enabled (iommu.strict=1). The vulnerability stems from busy-waiting inside a spinlock with interrupts disabled, causing kernel responsiveness issues and potential denial of service on systems with AMD IOMMU hardware. Patches are available across multiple kernel stable branches (6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score is low (0.02%, 5th percentile) with no confirmed active exploitation or public POC identified at time of analysis.

Amd Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43252 MEDIUM PATCH This Month

Denial of service via kernel warning in MPTCP path manager occurs when combining endpoint removal with fullmesh and flag-setting operations through netlink in the Linux kernel. A local attacker with low privileges can trigger a WARNING in net/mptcp/pm_kernel.c:1074 by sending a crafted sequence of netlink commands, causing the system to emit a kernel warning and potentially become unstable. No known public exploit code exists, but the low CVSS (5.5) and minimal EPSS (0.03%) indicate this is a local DoS with limited real-world impact.

Information Disclosure Ubuntu Debian Linux Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43251 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: HID: prodikeys: Check presence of pm->input_ep82 Fake USB devices can send their own report descriptors for which the input_mapping() hook does not get called. In this case, pm->input_ep82 stays NULL, which leads to a crash later. This does not happen with the real device, but can be provoked by imposing as one.

Denial Of Service Null Pointer Dereference Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43250 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke() The ChipIdea UDC driver can encounter "not page aligned sg buffer" errors when a USB device is reconnected after being disconnected during an active transfer. This occurs because _ep_nuke() returns requests to the gadget layer without properly unmapping DMA buffers or cleaning up scatter-gather bounce buffers. Root cause: When a disconnect happens during a multi-segment DMA transfer, the request's num_mapped_sgs field and sgt.sgl pointer remain set with stale values. The request is returned to the gadget driver with status -ESHUTDOWN but still has active DMA state. If the gadget driver reuses this request on reconnect without reinitializing it, the stale DMA state causes _hardware_enqueue() to skip DMA mapping (seeing non-zero num_mapped_sgs) and attempt to use freed/invalid DMA addresses, leading to alignment errors and potential memory corruption. The normal completion path via _hardware_dequeue() properly calls usb_gadget_unmap_request_by_dev() and sglist_do_debounce() before returning the request. The _ep_nuke() path must do the same cleanup to ensure requests are returned in a clean, reusable state. Fix: Add DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror the cleanup sequence in _hardware_dequeue(): - Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set - Call sglist_do_debounce() with copy=false if bounce buffer exists This ensures that when requests are returned due to endpoint shutdown, they don't retain stale DMA mappings. The 'false' parameter to sglist_do_debounce() prevents copying data back (appropriate for shutdown path where transfer was aborted).

Memory Corruption Buffer Overflow Linux Red Hat Suse
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43249 HIGH PATCH This Week

Double-free memory corruption in Linux kernel's Xen 9P filesystem driver (9p/xen) allows adjacent network attackers to crash the kernel or potentially execute arbitrary code. The xenwatch thread racing with back-end state changes triggers use-after-free during teardown of xen_9pfs_front_free(), causing general protection faults. Vendor patches available for mainline 7.0 and stable branches 6.19.6, 6.18.16, and 6.12.75. EPSS score of 0.02% (5th percentile) suggests low exploitation probability in the wild; no public exploit or CISA KEV listing at time of analysis.

Canonical Denial Of Service Linux Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-43248 HIGH PATCH This Week

Out-of-bounds write in Linux kernel vhost_vdpa subsystem allows local authenticated users to achieve arbitrary kernel memory corruption via ASID group assignment. Affects Linux kernel versions 5.19 through 6.19.x, with vendor patches available for stable branches 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. Exploitation requires local access with low privileges but no user interaction (CVSS:3.1/AV:L/AC:L/PR:L/UI:N). EPSS score of 0.02% (5th percentile) indicates low predicted exploitation probability, and no public exploit code or active exploitation confirmed at time of analysis.

Linux Buffer Overflow Memory Corruption Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43247 MEDIUM PATCH This Month

Kernel panic via SError interrupt in Linux kernel media driver (chips-media wave5) when device enters autosuspend during video decoding operations. Local authenticated attackers can trigger a denial of service by queuing buffers to the wave5 video decoder while autosuspend timeout occurs, causing the CPU to access suspended hardware and generate an unrecoverable asynchronous SError, crashing the system. No privilege escalation or code execution; impact limited to availability.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43246 MEDIUM PATCH This Month

Memory leak in the tw9906 media driver's probe function allows local authenticated attackers to cause denial of service through memory exhaustion. The vulnerability occurs in tw9906_probe() when an error path fails to free memory allocated by v4l2_ctrl_handler_init() and v4l2_ctrl_new_std(), potentially leading to kernel memory depletion on repeated device probe attempts. Vendor-released patches are available across multiple stable kernel branches.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43245 HIGH PATCH This Week

Kernel panic or denial of service occurs in the NTFS filesystem driver when d_compare() operations block on memory allocation. Linux kernel versions from mainline commit 1da177e4c3f4 through 6.18.x, 6.19.x, and early 7.0 are affected. The vulnerability stems from improper use of __getname() within the d_compare() function which can block, violating kernel locking requirements and causing system instability under memory pressure. EPSS score of 0.02% (4th percentile) indicates low observed exploitation likelihood. Vendor patches available for versions 6.18.16, 6.19.6, and 7.0.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43244 MEDIUM PATCH This Month

Denial of service in Linux kernel KCM (kernel connection multiplexer) subsystem when processing messages with zero-fragment skbs in frag_list after partial sendmsg failures. A local authenticated attacker can trigger a kernel warning and potentially crash the system by sending a malformed message that fails during data copy, leaving an empty skb in the fragment list. The vulnerability requires local access and low-level socket manipulation, affecting systems running vulnerable Linux kernel versions prior to patching.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43243 MEDIUM PATCH This Month

A denial of service vulnerability in the Linux kernel's AMD display driver (drm/amd/display) allows local authenticated users to crash the system by accessing link encoder functionality on DisplayPort over USB-C (DPIA) links without proper signal type validation. The vulnerability affects kernel versions before the patches released in stable branches 6.12.75, 6.18.16, 6.19.6, and 7.0. No public exploit code has been identified, and real-world exploitation probability is very low (EPSS 0.02%), suggesting this is primarily an edge-case denial of service affecting specific hardware configurations with DPIA displays.

Denial Of Service Amd Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43242 MEDIUM PATCH This Month

Memory leak in the Linux kernel's TI K3 SoC info driver (soc/ti/k3-socinfo) fails to release an allocated mmio regmap, causing denial of service through resource exhaustion on probe failures and driver unbind. Local attackers with low privileges can trigger probe deferral or driver unbind to exhaust kernel memory, affecting systems running vulnerable Linux kernel versions. The vulnerability has a low EPSS score (0.02%) but enables practical local DoS against systems where low-privilege users can control driver lifecycle.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43241 HIGH PATCH This Week

Out-of-bounds array access in the Linux kernel's NTB Switchtec hardware driver allows authenticated local users with low privileges to read sensitive kernel memory or trigger denial of service. The vulnerability affects the mw_sizes array when NTB (Non-Transparent Bridge) configurations set memory window LUTs to MAX_MWS, enabling access beyond array boundaries. Exploitation probability is low (EPSS 0.02%, 7th percentile) with no confirmed active exploitation or public POC. Vendor patches are available across all affected stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0).

Information Disclosure Buffer Overflow Linux Red Hat Suse
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43240 MEDIUM PATCH This Month

Linux kernel x86 architecture fails to validate IMA measurement list memory bounds during kexec boot with restricted memory parameters, causing kernel panic when the carried-over IMA buffer falls outside truncated RAM. Authenticated local users with kexec privileges can trigger a denial of service. The fix adds a sanity check to validate the previous kernel's IMA kexec buffer against actual memory bounds before restoration, aligning x86 behavior with other architectures.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43239 HIGH PATCH This Week

Race condition in Linux kernel SMB client allows concurrent query interface work items to corrupt network interface state. Affects mainline Linux kernel and stable branches 6.6.x through 7.0. Exploitation requires user interaction (likely mounting/accessing SMB shares) but enables remote attackers to achieve high confidentiality, integrity, and availability impacts. Vendor patches available across multiple stable kernel branches (6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS exploitation probability extremely low (0.02%, 5th percentile), no active exploitation confirmed, POC status unknown.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-43238 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash() Commit 38a6f0865796 ("net: sched: support hash selecting tx queue") added SKBEDIT_F_TXQ_SKBHASH support. The inclusive range size is computed as: mapping_mod = queue_mapping_max - queue_mapping + 1; The range size can be 65536 when the requested range covers all possible u16 queue IDs (e.g. queue_mapping=0 and queue_mapping_max=U16_MAX). That value cannot be represented in a u16 and previously wrapped to 0, so tcf_skbedit_hash() could trigger a divide-by-zero: queue_mapping += skb_get_hash(skb) % params->mapping_mod; Compute mapping_mod in a wider type and reject ranges larger than U16_MAX to prevent params->mapping_mod from becoming 0 and avoid the crash.

Denial Of Service Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43237 HIGH PATCH This Week

Use-after-free and reference count underflow in the Linux kernel's amdgpu DRM driver allows local authenticated users with low privileges to cause kernel panic, denial of service, and potentially execute arbitrary code with kernel privileges. The vulnerability affects amdgpu_gem_va_ioctl handling of GPU timeline fences where stale or freed fences are used due to premature fence selection and improper reference management. Patch available in kernel versions 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit or active exploitation has been identified.

Denial Of Service Linux Use After Free Memory Corruption Red Hat +1
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43236 HIGH PATCH This Week

Use-after-free in Linux kernel's Atmel HLCDC DRM driver allows local authenticated users to execute arbitrary code, escalate privileges, or cause denial of service. The atmel_hlcdc_plane_atomic_duplicate_state() function incorrectly copies plane state without properly duplicating the drm_plane_state structure, leaving a stale commit pointer that triggers use-after-free during subsequent drm_atomic_commit() calls. Vulnerability surfaces when reopening the device node while another DRM client remains attached. EPSS score is low (0.02%) and no active exploitation confirmed at time of analysis, but local privilege escalation potential and vendor-released patches across multiple stable kernel branches indicate genuine risk for systems using Atmel HLCDC display hardware.

Information Disclosure Linux Use After Free Memory Corruption Red Hat +1
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43235 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: iris: Add missing platform data entries for SM8750 Two platform-data fields for SM8750 were missed: - get_vpu_buffer_size = iris_vpu33_buf_size Without this, the driver fails to allocate the required internal buffers, leading to basic decode/encode failures during session bring-up. - max_core_mbps = ((7680 * 4320) / 256) * 60 Without this capability exposed, capability checks are incomplete and v4l2-compliance for encoder fails.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43234 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: team: avoid NETDEV_CHANGEMTU event when unregistering slave syzbot is reporting unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 3 ref_tracker: netdev@ffff88807dcf8618 has 1/2 users at __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline] netdev_hold include/linux/netdevice.h:4429 [inline] inetdev_init+0x201/0x4e0 net/ipv4/devinet.c:286 inetdev_event+0x251/0x1610 net/ipv4/devinet.c:1600 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_mtu net/core/dev.c:2318 [inline] netif_set_mtu_ext+0x5aa/0x800 net/core/dev.c:9886 netif_set_mtu+0xd7/0x1b0 net/core/dev.c:9907 dev_set_mtu+0x126/0x260 net/core/dev_api.c:248 team_port_del+0xb07/0xcb0 drivers/net/team/team_core.c:1333 team_del_slave drivers/net/team/team_core.c:1936 [inline] team_device_event+0x207/0x5b0 drivers/net/team/team_core.c:2929 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2281 [inline] call_netdevice_notifiers net/core/dev.c:2295 [inline] __dev_change_net_namespace+0xcb7/0x2050 net/core/dev.c:12592 do_setlink+0x2ce/0x4590 net/core/rtnetlink.c:3060 rtnl_changelink net/core/rtnetlink.c:3776 [inline] __rtnl_newlink net/core/rtnetlink.c:3935 [inline] rtnl_newlink+0x15a9/0x1be0 net/core/rtnetlink.c:4072 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894 problem. Ido Schimmel found steps to reproduce ip link add name team1 type team ip link add name dummy1 mtu 1499 master team1 type dummy ip netns add ns1 ip link set dev dummy1 netns ns1 ip -n ns1 link del dev dummy1 and also found that the same issue was fixed in the bond driver in commit f51048c3e07b ("bonding: avoid NETDEV_CHANGEMTU event when unregistering slave"). Let's do similar thing for the team driver, with commit ad7c7b2172c3 ("net: hold netdev instance lock during sysfs operations") and commit 303a8487a657 ("net: s/__dev_set_mtu/__netif_set_mtu/") also applied.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43233 HIGH PATCH This Week

Heap buffer overflow in Linux kernel's nf_conntrack_h323 netfilter module allows remote unauthenticated attackers to trigger 1-2 byte out-of-bounds read via crafted Q.931 SETUP messages to port 1720. The vulnerability affects firewalls with H.323 connection tracking active and can cause information disclosure or denial of service. EPSS score of 0.02% suggests low exploitation probability despite network-accessible attack vector. Patches available across all maintained stable branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0).

Buffer Overflow Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-43232 HIGH PATCH This Week

Use-after-free in Linux kernel farsync driver allows remote code execution when FarSync T-series WAN cards are detached while tasklets remain active. The vulnerability occurs when fst_tx_task or fst_int_task continue executing after fst_card_info is freed in fst_remove_one(), causing the kernel to access deallocated memory. Despite the CVSS 8.8 score with network vector, the EPSS score is extremely low (0.02%, 7th percentile), suggesting minimal real-world exploitation likelihood. No active exploitation confirmed (not in CISA KEV). Patches available across multiple stable kernel versions (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0).

Information Disclosure Linux Memory Corruption Use After Free Red Hat +1
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-43231 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: radio-keene: fix memory leak in error path Fix a memory leak in usb_keene_probe(). The v4l2 control handler is initialized and controls are added, but if v4l2_device_register() or video_register_device() fails afterward, the handler was never freed, leaking memory. Add v4l2_ctrl_handler_free() call in the err_v4l2 error path to ensure the control handler is properly freed for all error paths after it is initialized.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43230 HIGH PATCH This Week

Denial of service in Linux kernel RDS networking module allows remote unauthenticated attackers to cause persistent network reconnection failures through improper bit flag handling. The vulnerability affects the Reliable Datagram Sockets (RDS) protocol implementation where canceling a reconnect worker without clearing the reconnect-pending bit causes a permanent stuck state, preventing legitimate network reconnections. Vendor patches available across multiple stable kernel versions (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS exploitation probability is very low (0.02%, 7th percentile), and no public exploit or active exploitation confirmed at time of analysis.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43229 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix device cleanup order to prevent kernel panic Move video device unregistration to the beginning of the remove function to ensure all video operations are stopped before cleaning up the worker thread and disabling PM runtime. This prevents hardware register access after the device has been powered down. In polling mode, the hrtimer periodically triggers wave5_vpu_timer_callback() which queues work to the kthread worker. The worker executes wave5_vpu_irq_work_fn() which reads hardware registers via wave5_vdi_read_register(). The original cleanup order disabled PM runtime and powered down hardware before unregistering video devices. When autosuspend triggers and powers off the hardware, the video devices are still registered and the worker thread can still be triggered by the hrtimer, causing it to attempt reading registers from powered-off hardware. This results in a bus error (synchronous external abort) and kernel panic. This causes random kernel panics during encoding operations: Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP Modules linked in: wave5 rpmsg_ctrl rpmsg_char ... CPU: 0 UID: 0 PID: 1520 Comm: vpu_irq_thread Tainted: G M W pc : wave5_vdi_read_register+0x10/0x38 [wave5] lr : wave5_vpu_irq_work_fn+0x28/0x60 [wave5] Call trace: wave5_vdi_read_register+0x10/0x38 [wave5] kthread_worker_fn+0xd8/0x238 kthread+0x104/0x120 ret_from_fork+0x10/0x20 Code: aa1e03e9 d503201f f9416800 8b214000 (b9400000) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: synchronous external abort: Fatal exception

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43228 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: hfs: Replace BUG_ON with error handling for CNID count checks In a06ec283e125 next_id, folder_count, and file_count in the super block info were expanded to 64 bits, and BUG_ONs were added to detect overflow. This triggered an error reported by syzbot: if the MDB is corrupted, the BUG_ON is triggered. This patch replaces this mechanism with proper error handling and resolves the syzbot reported bug. Singed-off-by: Jori Koolstra <jkoolstra@xs4all.nl>

Buffer Overflow Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43227 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: clocksource/drivers/sh_tmu: Always leave device running after probe The TMU device can be used as both a clocksource and a clockevent provider. The driver tries to be smart and power itself on and off, as well as enabling and disabling its clock when it's not in operation. This behavior is slightly altered if the TMU is used as an early platform device in which case the device is left powered on after probe, but the clock is still enabled and disabled at runtime. This has worked for a long time, but recent improvements in PREEMPT_RT and PROVE_LOCKING have highlighted an issue. As the TMU registers itself as a clockevent provider, clockevents_register_device(), it needs to use raw spinlocks internally as this is the context of which the clockevent framework interacts with the TMU driver. However in the context of holding a raw spinlock the TMU driver can't really manage its power state or clock with calls to pm_runtime_*() and clk_*() as these calls end up in other platform drivers using regular spinlocks to control power and clocks. This mix of spinlock contexts trips a lockdep warning. ============================= [ BUG: Invalid wait context ] 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 Not tainted ----------------------------- swapper/0/0 is trying to lock: ffff000008c9e180 (&dev->power.lock){-...}-{3:3}, at: __pm_runtime_resume+0x38/0x88 other info that might help us debug this: context-{5:5} 1 lock held by swapper/0/0: ccree e6601000.crypto: ARM CryptoCell 630P Driver: HW version 0xAF400001/0xDCC63000, Driver version 5.0 #0: ffff8000817ec298 ccree e6601000.crypto: ARM ccree device initialized (tick_broadcast_lock){-...}-{2:2}, at: __tick_broadcast_oneshot_control+0xa4/0x3a8 stack backtrace: CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 PREEMPT Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT) Call trace: show_stack+0x14/0x1c (C) dump_stack_lvl+0x6c/0x90 dump_stack+0x14/0x1c __lock_acquire+0x904/0x1584 lock_acquire+0x220/0x34c _raw_spin_lock_irqsave+0x58/0x80 __pm_runtime_resume+0x38/0x88 sh_tmu_clock_event_set_oneshot+0x84/0xd4 clockevents_switch_state+0xfc/0x13c tick_broadcast_set_event+0x30/0xa4 __tick_broadcast_oneshot_control+0x1e0/0x3a8 tick_broadcast_oneshot_control+0x30/0x40 cpuidle_enter_state+0x40c/0x680 cpuidle_enter+0x30/0x40 do_idle+0x1f4/0x280 cpu_startup_entry+0x34/0x40 kernel_init+0x0/0x130 do_one_initcall+0x0/0x230 __primary_switched+0x88/0x90 For non-PREEMPT_RT builds this is not really an issue, but for PREEMPT_RT builds where normal spinlocks can sleep this might be an issue. Be cautious and always leave the power and clock running after probe.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43226 HIGH PATCH This Week

Denial of service in Linux kernel's RDS/TCP networking subsystem allows remote unauthenticated attackers to trigger connection state machine deadlock, causing persistent service unavailability. The vulnerability stems from improper state transition handling in RDS_CONN_ERROR conditions introduced by multipath changes, where connections can bypass normal shutdown procedures and become permanently stuck with queued shutdown workers. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and EPSS probability of 0.02%, this represents a moderate-severity issue affecting network-facing systems using RDS protocol. Patches available across multiple stable kernel versions (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0).

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43225 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix memory leak on failure path cfg80211_inform_bss_frame() may return NULL on failure. In that case, the allocated buffer 'buf' is not freed and the function returns early, leading to potential memory leak. Fix this by ensuring that 'buf' is freed on both success and failure paths.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43224 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix sgtable leak on mapping failures In an unlikely case when io_populate_area_dma() fails, which could only happen on a PAGE_POOL_32BIT_ARCH_WITH_64BIT_DMA machine, io_zcrx_map_area() will have an initialised and not freed table. It was supposed to be cleaned up in the error path, but !is_mapped prevents that.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43223 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: pvrusb2: fix URB leak in pvr2_send_request_ex When pvr2_send_request_ex() submits a write URB successfully but fails to submit the read URB (e.g. returns -ENOMEM), it returns immediately without waiting for the write URB to complete. Since the driver reuses the same URB structure, a subsequent call to pvr2_send_request_ex() attempts to submit the still-active write URB, triggering a 'URB submitted while active' warning in usb_submit_urb(). Fix this by ensuring the write URB is unlinked and waited upon if the read URB submission fails.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43222 HIGH PATCH This Week

A memory corruption vulnerability in the Linux kernel's Verisilicon AV1 media driver allows local authenticated attackers to write tile info data beyond allocated buffer boundaries, potentially achieving arbitrary code execution with kernel privileges. The vulnerability affects kernel versions from 6.5 onwards where commit 727a400686a2 introduced the flaw. Patches are available across multiple stable kernel branches (6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, with no public exploit identified at time of analysis and no CISA KEV listing.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43221 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ipmi: ipmb: initialise event handler read bytes IPMB doesn't use i2c reads, but the handler needs to set a value. Otherwise an i2c read will return an uninitialised value from the bus driver.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43220 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: iommu/amd: serialize sequence allocation under concurrent TLB invalidations With concurrent TLB invalidations, completion wait randomly gets timed out because cmd_sem_val was incremented outside the IOMMU spinlock, allowing CMD_COMPL_WAIT commands to be queued out of sequence and breaking the ordering assumption in wait_on_sem(). Move the cmd_sem_val increment under iommu->lock so completion sequence allocation is serialized with command queuing. And remove the unnecessary return.

Amd Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43219 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: net: cpsw_new: Fix potential unregister of netdev that has not been registered yet If an error occurs during register_netdev() for the first MAC in cpsw_register_ports(), even though cpsw->slaves[0].ndev is set to NULL, cpsw->slaves[1].ndev would remain unchanged. This could later cause cpsw_unregister_ports() to attempt unregistering the second MAC. To address this, add a check for ndev->reg_state before calling unregister_netdev(). With this change, setting cpsw->slaves[i].ndev to NULL becomes unnecessary and can be removed accordingly.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43218 MEDIUM PATCH This Month

Memory leak in Linux kernel tw9903 media driver probe function allows local authenticated attackers to cause denial of service through repeated device initialization failures. The v4l2_ctrl_handler_init() and v4l2_ctrl_new_std() allocations are not freed in one error path of tw9903_probe(), enabling exhaustion of kernel memory. CVSS 5.5 (local, low complexity, requires low privileges). EPSS score of 0.02% indicates minimal exploitation probability.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43217 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: iris: gen2: Add sanity check for session stop In iris_kill_session, inst->state is set to IRIS_INST_ERROR and session_close is executed, which will kfree(inst_hfi_gen2->packet). If stop_streaming is called afterward, it will cause a crash. Add a NULL check for inst_hfi_gen2->packet before sendling STOP packet to firmware to fix that.

Denial Of Service Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43216 MEDIUM PATCH This Month

Denial of service in the Linux kernel's net subsystem via deadlock in skb_may_tx_timestamp() when socket timestamp completion occurs in interrupt context while sk_callback_lock is write-locked, affecting local attackers with user privileges on systems with network drivers that complete TX timestamps from dedicated interrupt handlers.

Denial Of Service Null Pointer Dereference Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43215 HIGH PATCH This Week

A race condition in the Linux kernel CIFS (Common Internet File System) implementation allows attackers to exploit improper locking of tcon (tree connection) fields, potentially achieving high confidentiality, integrity, and availability impact. The vulnerability stems from legacy use of cifs_tcp_ses_lock instead of the more granular tc_lock for protecting tcon structure fields, creating synchronization gaps that could be exploited through crafted SMB operations requiring user interaction. Vendor patches are available across multiple stable kernel branches (6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0), with EPSS indicating low exploitation probability (0.02%, 5th percentile) and no confirmed active exploitation at time of analysis.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-43214 HIGH PATCH This Week

Local privilege escalation in Linux Kernel KVM x86 allows authenticated users with low privileges to potentially achieve arbitrary code execution, information disclosure, or denial of service by exploiting a missing SRCU read-side lock when reading PDPTR registers via the KVM_GET_SREGS2 ioctl. The vulnerability triggers a lockdep warning and unsafe memory slot access in __get_sregs2(), affecting Linux kernel versions from 5.14 onward. Vendor patches available across multiple stable branches (6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6). EPSS score of 0.02% (7th percentile) suggests low exploitation probability in the wild, with no public exploit code or CISA KEV listing confirmed at time of analysis.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43213 HIGH PATCH This Week

Null pointer dereference in Linux kernel Realtek rtw89 WiFi PCI driver allows adjacent network attackers to trigger kernel crashes via malformed TX release reports with abnormal sequence numbers. The vulnerability causes out-of-bounds array access in wd_ring->pages when hardware reports invalid sequence numbers during wireless transmission operations. Vendor-released patches are available for kernel versions 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (4th percentile) indicates minimal observed exploitation activity, though the CVSS vector (AV:A/AC:H/PR:N/UI:N) shows adjacent network access with high attack complexity enables complete system compromise without authentication.

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43212 HIGH PATCH This Week

LoongArch architecture's cpumask_of_node() function in the Linux kernel mishandles NUMA_NO_NODE (-1) as a node index, potentially enabling local authenticated users to achieve high confidentiality, integrity, and availability impacts (CVSS 7.8). Patches available across multiple stable kernel branches (6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) address the improper input validation. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. No public exploit identified at time of analysis.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43211 HIGH PATCH This Week

A double-unlock bug in the Linux kernel PCI subsystem allows local authenticated users to trigger lock corruption, leading to privilege escalation, information disclosure, or denial of service. The flaw exists in pci_slot_trylock() where improper error handling after commit a4e772898f8b unlocks a bridge device lock that was never acquired, causing either lock state corruption or unlocking another thread's lock. With CVSS 7.8 (AV:L/AC:L/PR:L) and EPSS of 0.02% (7th percentile), this is a local vulnerability with low exploitation complexity requiring authenticated access. Vendor patches are available across all active kernel stable branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). No public exploit code or active exploitation confirmed at time of analysis.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43210 MEDIUM PATCH This Month

Local denial of service in Linux kernel ring-buffer tracing code allows authenticated local users to crash the system by triggering invalid memory access through malformed event length fields. The vulnerability exists in rb_read_data_buffer(), which validates possibly corrupted ring buffers at boot but fails to verify event lengths are within acceptable ranges before calculating buffer offsets. EPSS exploitation probability is very low at 0.02%, and no public exploit code or active exploitation has been identified.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43209 MEDIUM PATCH This Month

Denial of service in Linux kernel minix filesystem implementation allows local authenticated users to crash the system via crafted minix superblock structures due to missing validation of s_log_zone_size and other superblock fields in the minix_check_superblock() function.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43208 CRITICAL PATCH Act Now

Out-of-bounds memory access in Linux kernel RPS (Receive Packet Steering) subsystem allows remote unauthenticated attackers to trigger kernel crashes or potentially achieve code execution with SYSTEM privileges. The flaw stems from incorrect assumptions about RPS hash table sizing across receive queues, introduced in commit 48aa30443e52. Exploitation requires no authentication (CVSS AV:N/PR:N) but EPSS probability remains low at 0.02% (4th percentile), suggesting limited real-world targeting. Patches available for stable kernel branches 6.18.16, 6.19.6, and 7.0.

Linux Buffer Overflow Memory Corruption Red Hat Suse
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43207 HIGH PATCH This Week

Resource management flaws in the Linux kernel MediaTek MDP driver allow local authenticated attackers with low privileges to trigger memory corruption via improper error handling during device probe initialization, potentially escalating to kernel code execution. Multiple stable kernel branches (5.10.x through 7.0) are affected, with vendor patches released across all maintained versions. No active exploitation confirmed (EPSS 0.02%, not in CISA KEV), though the local attack vector and low complexity suggest straightforward exploitation once local access is achieved.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43206 HIGH PATCH This Week

Out-of-bounds kernel memory write in Linux kernel's AMD KFD (Kernel Fusion Driver) allows local authenticated attackers with low privileges to escalate to root privileges. The kfd_event_page_set() function performs unchecked memset operations of fixed size (KFD_SIGNAL_EVENT_LIMIT * 8 bytes) regardless of user-supplied buffer size, enabling unprivileged userspace processes to corrupt kernel memory. Patches are available across multiple stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability despite high CVSS severity, likely due to the local attack vector and requirement for systems with AMD GPU hardware running the amdkfd driver.

Buffer Overflow Linux Memory Corruption Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43205 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: validate num_ifs to prevent out-of-bounds write The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports num_ifs >= 64, the loop can write past the array bounds. Add a bound check for num_ifs in dpaa2_switch_init(). dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all ports match the flood filter, the loop fills all 64 slots and the control interface write overflows by one entry. The check uses >= because num_ifs == DPSW_MAX_IF is also functionally broken. build_if_id_bitmap() silently drops any ID >= 64: if (id[i] < DPSW_MAX_IF) bmap[id[i] / 64] |= ...

Memory Corruption Buffer Overflow Linux Red Hat Suse
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43204 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: q6asm: drop DSP responses for closed data streams 'Commit a354f030dbce ("ASoC: qcom: q6asm: handle the responses after closing")' attempted to ignore DSP responses arriving after a stream had been closed. However, those responses were still handled, causing lockups. Fix this by unconditionally dropping all DSP responses associated with closed data streams.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43203 HIGH PATCH This Week

Use-after-free in Linux kernel fore200e ATM driver allows local attackers to achieve high-severity impacts during PCA-200E or SBA-200E adapter removal. When the device is detached, tx_tasklet or rx_tasklet may still be running and access already-freed memory in fore200e_tx_tasklet() or fore200e_rx_tasklet(), potentially leading to code execution, information disclosure, or denial of service. Patches available across stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. Not listed in CISA KEV. Identified through static analysis, suggesting no active in-the-wild exploitation at time of disclosure.

Information Disclosure Linux Use After Free Memory Corruption Red Hat +1
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43202 MEDIUM PATCH This Month

Memory leak in Linux kernel fbdev vt8500lcdfb driver allows local authenticated users to cause denial of service via unfreed DMA-allocated buffer on error path. The vulnerability exists in the framebuffer initialization code where dma_alloc_coherent() allocation for fbi->fb.screen_buffer is not properly freed if an error occurs during probe, leading to memory exhaustion on repeated device initialization attempts. Local privilege required; no remote or unauthenticated attack vector.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43201 MEDIUM PATCH This Month

Denial of service in Linux kernel APEI/GHES ARM processor error handling allows local authenticated attackers to trigger kernel oops by crafting malformed ARM Processor Error records with incomplete or oversized section data, causing out-of-bounds memory dereference. CVSS 5.5 (local, low complexity, authenticated, availability impact only) with EPSS 0.02% indicates low real-world exploitation probability despite public patch availability.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43200 MEDIUM PATCH This Month

Denial of service in Linux kernel PCI endpoint configfs interface allows local attackers with low privileges to crash the kernel via swapped parameters in pci_primary_epc_epf_unlink() and pci_secondary_epc_epf_unlink() functions. When executing the unlink command in configfs, incorrect parameter ordering causes invalid memory access and kernel panic. CVSS 5.5 (local, low complexity, low privilege) with EPSS 0.02% suggests limited real-world exploitation despite confirmed availability of patches across multiple kernel branches.

Denial Of Service Amd Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43199 HIGH PATCH This Week

Linux kernel's mlx5e driver allows local denial of service via kernel crash when IPsec event handling triggers illegal sleeping operations in atomic context. The mlx5e_ipsec_handle_event workqueue calls mlx5_query_mac_address() which invokes hardware command execution requiring sleep, causing a 'scheduling while atomic' bug that crashes the kernel. Affected versions include mainline 6.2+ and stable branches 6.12.x through 7.0. Patches available across all supported branches (6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% indicates minimal exploitation probability; no active exploitation or public POC identified. CVSS 7.5 AV:N rating appears inconsistent with description indicating local kernel-level triggering conditions.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43198 CRITICAL PATCH Act Now

Race condition in Linux kernel TCP/IPv6 stack allows remote unauthenticated attackers to trigger use-after-free conditions during IPv6-mapped IPv4 socket creation, potentially achieving arbitrary code execution or denial of service. The flaw occurs in tcp_v6_syn_recv_sock() where child socket visibility in the TCP hash table races with incomplete IPv6 structure initialization, causing other CPUs to access invalid memory via newinet->pinet6 pointing to listener data. Vendor patches available for kernel versions 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability despite critical CVSS 9.8 rating, suggesting this requires specific IPv6-mapped IPv4 configuration and precise timing to exploit.

Information Disclosure Linux Race Condition
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43197 CRITICAL PATCH Act Now

Out-of-bounds memory reads in Linux kernel netconsole subsystem allow information disclosure and system crashes via unterminated console messages. The vulnerability affects Linux kernel 6.6+ including 6.18.x and 6.19.x branches, triggered by netconsole's failure to validate message buffer boundaries when converting to NBCON console infrastructure. Vendor patches available for 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% suggests minimal real-world exploitation despite CVSS 9.1 rating. No public exploit identified at time of analysis.

Buffer Overflow Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-43196 HIGH PATCH This Week

Double-free memory corruption in Linux kernel PRUSS (Programmable Real-Time Unit Subsystem) driver allows local authenticated attackers with low privileges to achieve high-impact code execution, information disclosure, or denial of service. The vulnerability exists in pruss_clk_mux_setup() where devm_add_action_or_reset() indirectly calls pruss_of_free_clk_provider() on error path, then erroneously calls of_node_put(clk_mux_np) again afterward. Vendor patches available across stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating; no KEV listing or public POC identified at time of analysis.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43195 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate user queue size constraints Add validation to ensure user queue sizes meet hardware requirements: - Size must be a power of two for efficient ring buffer wrapping - Size must be at least AMDGPU_GPU_PAGE_SIZE to prevent undersized allocations This prevents invalid configurations that could lead to GPU faults or unexpected behavior.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43194 HIGH PATCH This Week

TCP connections through veth interfaces with XDP programs can enter a permanent deadlock state where sender and receiver sequence numbers desynchronize, causing all traffic to stall indefinitely. The vulnerability stems from improper error code handling in GSO (Generic Segmentation Offload) frame transmission when individual segments within a GSO super-frame fail - TCP interprets partial segment loss as complete frame loss, advancing receiver state without sender acknowledgment. Affects Linux kernel versions from 3.18 through 6.19.x with patches available across multiple stable branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation (KEV) or public exploit code has been identified at time of analysis.

Authentication Bypass Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43193 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: nfsd: fix nfs4_file refcount leak in nfsd_get_dir_deleg() Claude pointed out that there is a nfs4_file refcount leak in nfsd_get_dir_deleg(). Ensure that the reference to "fp" is released before returning.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43192 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: dm mpath: Add missing dm_put_device when failing to get scsi dh name When commit fd81bc5cca8f ("scsi: device_handler: Return error pointer in scsi_dh_attached_handler_name()") added code to fail parsing the path if scsi_dh_attached_handler_name() failed with -ENOMEM, it didn't clean up the reference to the path device that had just been taken. Fix this, and steamline the error paths of parse_path() a little.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43191 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Adjust PHY FSM transition to TX_EN-to-PLL_ON for TMDS on DCN35 [Why] A backport of the change made for DCN401 that addresses an issue where we turn off the PHY PLL when disabling TMDS output, which causes the OTG to remain stuck. The OTG being stuck can lead to a hang in the DCHVM's ability to ACK invalidations when it thinks the HUBP is still on but it's not receiving global sync. The transition to PLL_ON needs to be atomic as there's no guarantee that the thread isn't pre-empted or is able to complete before the IOMMU watchdog times out. [How] Backport the implementation from dcn401 back to dcn35. There's a functional difference in when the eDP output is disabled in dcn401 code so we don't want to utilize it directly.

Amd Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43190 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's netfilter xt_tcpmss module allows remote unauthenticated attackers to leak memory contents and potentially cause system crashes via malformed TCP options. The xt_tcpmss TCP option parser fails to validate remaining option length before reading optlen values, triggering memory access beyond buffer boundaries when processing crafted packets. EPSS exploitation probability is low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but the network attack vector (AV:N) and lack of authentication requirements (PR:N) make this exploitable against any system using netfilter with TCP MSS clamping enabled.

Buffer Overflow Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-43189 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: v4l2-async: Fix error handling on steps after finding a match Once an async connection is found to be matching with an fwnode, a sub-device may be registered (in case it wasn't already), its bound operation is called, ancillary links are created, the async connection is added to the sub-device's list of connections and removed from the global waiting connection list. Further on, the sub-device's possible own notifier is searched for possible additional matches. Fix these specific issues: - If v4l2_async_match_notify() failed before the sub-notifier handling, the async connection was unbound and its entry removed from the sub-device's async connection list. The latter part was also done in v4l2_async_match_notify(). - The async connection's sd field was only set after creating ancillary links in v4l2_async_match_notify(). It was however dereferenced in v4l2_async_unbind_subdev_one(), which was called on error path of v4l2_async_match_notify() failure.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43188 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ceph: do not propagate page array emplacement errors as batch errors When fscrypt is enabled, move_dirty_folio_in_page_array() may fail because it needs to allocate bounce buffers to store the encrypted versions of each folio. Each folio beyond the first allocates its bounce buffer with GFP_NOWAIT. Failures are common (and expected) under this allocation mode; they should flush (not abort) the batch. However, ceph_process_folio_batch() uses the same `rc` variable for its own return code and for capturing the return codes of its routine calls; failing to reset `rc` back to 0 results in the error being propagated out to the main writeback loop, which cannot actually tolerate any errors here: once `ceph_wbc.pages` is allocated, it must be passed to ceph_submit_write() to be freed. If it survives until the next iteration (e.g. due to the goto being followed), ceph_allocate_page_array()'s BUG_ON() will oops the worker. Note that this failure mode is currently masked due to another bug (addressed next in this series) that prevents multiple encrypted folios from being selected for the same write. For now, just reset `rc` when redirtying the folio to prevent errors in move_dirty_folio_in_page_array() from propagating. Note that move_dirty_folio_in_page_array() is careful never to return errors on the first folio, so there is no need to check for that. After this change, ceph_process_folio_batch() no longer returns errors; its only remaining failure indicator is `locked_pages == 0`, which the caller already handles correctly.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43187 HIGH PATCH This Week

Data loss and memory corruption in Linux kernel XFS filesystem implementation allows authenticated users with ability to set extended attributes to corrupt xattr leaf blocks and overwrite entries array. The vulnerability stems from improper freemap management when xattr entries array expands, leaving zero-length freemap entries with nonzero base values that can overlap with legitimate freemap entries. Subsequent setxattr operations can allocate namevalue entries on top of the entries array, leading to filesystem data loss. EPSS score of 0.02% suggests low widespread exploitation probability, and no active exploitation is confirmed (not in CISA KEV). Patches are vendor-released for stable kernel versions 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0.

Information Disclosure Linux Integer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-43186 CRITICAL PATCH Act Now

Heap buffer overflow in Linux kernel's IPv6 IOAM (In-situ Operations, Administration, and Maintenance) packet processing allows remote unauthenticated attackers to corrupt kernel memory and trigger system crashes. Attackers send crafted IPv6 packets with inconsistent IOAM trace headers (nodelen=0 with type bits set), causing __ioam6_fill_trace_data() to write ~100 bytes beyond allocated memory into skb_shared_info structures. Despite CVSS 9.8 critical rating, EPSS exploitation probability is low (0.05%, 16th percentile) and no active exploitation or public POC has been identified. Vendor patches available across multiple stable kernel branches (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0).

Buffer Overflow Linux Memory Corruption Red Hat Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-43185 CRITICAL PATCH Act Now

Heap buffer overflow in Linux kernel ksmbd SMB Direct negotiation allows remote unauthenticated attackers to achieve arbitrary code execution. The vulnerability stems from a signedness bug where a malicious SMB Direct client sends a crafted preferred_send_size value (0x80000000) that bypasses minimum size validation, then follows with an oversized message (>1420 bytes) triggering heap corruption. With CVSS 9.8 critical severity and network-accessible attack vector requiring no authentication, this represents a severe pre-auth remote code execution risk. EPSS score of 0.02% suggests limited observed exploitation activity. Vendor patches available across multiple stable kernel branches.

Buffer Overflow Linux Red Hat Suse
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43184 HIGH PATCH This Week

Information disclosure in Linux kernel's RNBD (RDMA Network Block Device) server component allows remote unauthenticated attackers to read uninitialized kernel memory through response buffers. The rnbd-srv module fails to zero response message buffers before transmission, leaking residual kernel data to network clients, particularly during protocol version mismatches. With CVSS 7.5 (High) and confirmed vendor patches across multiple stable branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0), this represents a classic uninitialized memory vulnerability. EPSS exploitation probability is low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but the network attack vector and lack of authentication requirements warrant prioritization for systems running RNBD server functionality.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43183 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: cx25821: Fix a resource leak in cx25821_dev_setup() Add release_mem_region() if ioremap() fails to release the memory region obtained by cx25821_get_resources().

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43182 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: ccs: Avoid possible division by zero Calculating maximum M for scaler configuration involves dividing by MIN_X_OUTPUT_SIZE limit register's value. Albeit the value is presumably non-zero, the driver was missing the check it in fact was. Fix this.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43181 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: gpio: sysfs: fix chip removal with GPIOs exported over sysfs Currently if we export a GPIO over sysfs and unbind the parent GPIO controller, the exported attribute will remain under /sys/class/gpio because once we remove the parent device, we can no longer associate the descriptor with it in gpiod_unexport() and never drop the final reference. Rework the teardown code: provide an unlocked variant of gpiod_unexport() and remove all exported GPIOs with the sysfs_lock taken before unregistering the parent device itself. This is done to prevent any new exports happening before we unregister the device completely.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43180 HIGH PATCH This Week

Double URB submission in Linux kernel kaweth USB network driver allows local attackers with low privileges to trigger high severity impacts including potential denial of service, information disclosure, or code execution. The flaw occurs when kaweth_set_rx_mode() prematurely re-enables the TX queue via netif_wake_queue() before an in-flight USB transfer completes, enabling kaweth_start_xmit() to submit the same URB twice - a condition explicitly warned against by the USB subsystem. Patches are available across all supported kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). Despite CVSS 7.8 High severity, EPSS score is only 0.02% (7th percentile), indicating low observed exploitation probability. No public exploit or CISA KEV listing identified at time of analysis.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43179 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: erofs: fix incorrect early exits for invalid metabox-enabled images Crafted EROFS images with metadata compression enabled can trigger incorrect early returns, leading to folio reference leaks. However, this does not cause system crashes or other severe issues.

Denial Of Service Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43178 HIGH PATCH This Week

Double memory management structure free (mmput) in Linux kernel procfs allows local authenticated attackers with low privileges to cause high-impact memory corruption, potentially leading to privilege escalation, information disclosure, or denial of service. The flaw triggers when userspace provides an incorrectly sized buffer to the PROCMAP_QUERY interface, causing the kernel to call mmput() twice on the same mm_struct after recent code refactoring moved cleanup logic. Patch available from kernel.org stable trees for versions 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates very low probability of exploitation in the wild, consistent with the local attack vector requiring authenticated access and specific API interaction. No CISA KEV listing or public exploit identified at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43177 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: ipu6: Fix RPM reference leak in probe error paths Several error paths in ipu6_pci_probe() were jumping directly to out_ipu6_bus_del_devices without releasing the runtime PM reference. Add pm_runtime_put_sync() before cleaning up other resources.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43176 HIGH PATCH This Week

Improper validation in the rtw89 PCI WiFi driver allows adjacent network attackers to trigger kernel crashes via malformed TX release reports on RTL8922DE wireless chipsets. The vulnerability stems from insufficient content validation of release reports before use, which can cause kernel panics when malformed SKB (socket buffer) release reports are processed. EPSS score of 0.02% and absence from CISA KEV suggest limited real-world exploitation, though the 8.8 CVSS reflects the potential for complete system compromise via adjacent network access without authentication. Patches available across multiple stable kernel branches (6.18.16, 6.19.6, 7.0).

Denial Of Service Linux Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-43175 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: clk: rs9: Reserve 8 struct clk_hw slots for for 9FGV0841 The 9FGV0841 has 8 outputs and registers 8 struct clk_hw, make sure there are 8 slots for those newly registered clk_hw pointers, else there is going to be out of bounds write when pointers 4..7 are set into struct rs9_driver_data .clk_dif[4..7] field. Since there are other structure members past this struct clk_hw pointer array, writing to .clk_dif[4..7] fields corrupts both the struct rs9_driver_data content and data around it, sometimes without crashing the kernel. However, the kernel does surely crash when the driver is unbound or during suspend. Fix this, increase the struct clk_hw pointer array size to the maximum output count of 9FGV0841, which is the biggest chip that is supported by this driver.

Denial Of Service Buffer Overflow Null Pointer Dereference Linux Red Hat +1
NVD
CVSS 3.1
5.5
EPSS
0.0%
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: fbdev: of: display_timing: fix refcount leak in of_get_display_timings() of_parse_phandle() returns a device_node with refcount incremented, which is stored in 'entry' and then copied to 'native_mode'. When the error paths at lines 184 or 192 jump to 'entryfail', native_mode's refcount is not decremented, causing a refcount leak. Fix this by changing the goto target from 'entryfail' to 'timingfail', which properly calls of_node_put(native_mode) before cleanup.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A race condition in the Linux kernel's chips-media wave5 video decoder driver allows local authenticated users to trigger a NULL pointer dereference during concurrent instance creation/destruction, potentially leading to high confidentiality, integrity, and availability impact. The vulnerability affects kernel versions from commit 9707a6254a8a onwards until patched in 6.18.16, 6.19.6, and 7.0. Fixed via interrupt handler refactoring with proper locking. EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, and no public exploit code or CISA KEV listing exists, suggesting limited real-world exploitation despite the high CVSS 7.8 score.

Linux Null Pointer Dereference Denial Of Service +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: gfs2: fiemap page fault fix In gfs2_fiemap(), we are calling iomap_fiemap() while holding the inode glock. This can lead to recursive glock taking if the fiemap buffer is memory mapped to the same inode and accessing it triggers a page fault. Fix by disabling page faults for iomap_fiemap() and faulting in the buffer by hand if necessary. Fixes xfstest generic/742.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: arm64: Add support for TSV110 Spectre-BHB mitigation The TSV110 processor is vulnerable to the Spectre-BHB (Branch History Buffer) attack, which can be exploited to leak information through branch prediction side channels. This commit adds the MIDR of TSV110 to the list for software mitigation.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix RSS context delete logic We need to free the corresponding RSS context VNIC in FW everytime an RSS context is deleted in driver. Commit 667ac333dbb7 added a check to delete the VNIC in FW only when netif_running() is true to help delete RSS contexts with interface down. Having that condition will make the driver leak VNICs in FW whenever close() happens with active RSS contexts. On the subsequent open(), as part of RSS context restoration, we will end up trying to create extra VNICs for which we did not make any reservation. FW can fail this request, thereby making us lose active RSS contexts. Suppose an RSS context is deleted already and we try to process a delete request again, then the HWRM functions will check for validity of the request and they simply return if the resource is already freed. So, even for delete-when-down cases, netif_running() check is not necessary. Remove the netif_running() condition check when deleting an RSS context.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: phy: fsl-imx8mq-usb: set platform driver data Add missing platform_set_drvdata() as the data will be used in remove().

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and memory corruption in Linux kernel on Alpha architecture allows authenticated users to execute arbitrary code, corrupt heap memory, or crash systems via insufficient TLB shootdown during memory compaction. The vulnerability affects Alpha systems exclusively and manifests as SIGSEGV crashes, glibc allocator corruption, and compiler failures. EPSS score of 0.02% indicates low likelihood of widespread exploitation, though vendor patches are available across multiple stable kernel branches. Attack requires local authenticated access with low complexity (CVSS AV:L/AC:L/PR:L), limiting remote exploitation scenarios.

Linux Buffer Overflow Memory Corruption +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Linux kernel media cx88 driver allows local authenticated attackers to exhaust system resources by triggering a missing DMA unmapping in the snd_cx88_hw_params() error path. The vulnerability causes resource leaks when audio hardware parameter initialization fails, potentially rendering the audio subsystem unavailable. CVSS 5.5 reflects local attack vector with low complexity; EPSS 0.02% indicates minimal real-world exploitation probability despite vendor-released patches across multiple kernel versions.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds memory access in Linux kernel Qualcomm Camera Subsystem (camss) allows local authenticated users to achieve arbitrary code execution, data corruption, or denial of service. The vfe_isr() function iterates beyond the bounds of the vfe->line[] array (size 4) using a loop count of 7, enabling access to memory at offsets +4, +5, and +6. Vendor patches available across multiple stable branches (6.1.167, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score 0.02% (7th percentile) indicates low observed exploitation probability; no active exploitation confirmed (not in CISA KEV).

Buffer Overflow Linux Information Disclosure +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A use-after-free condition in the libertas USB wireless driver allows local attackers with user privileges to cause a denial of service by triggering a kernel warning and potential crash through rapid firmware loading or repeated usb_tx_block() calls while a USB request is still active. The vulnerability stems from insufficient synchronization of USB URB submissions, enabling concurrent requests on the same URB without enforcing completion of prior transmissions.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A denial-of-service vulnerability in the Linux kernel's OpenVPN TCP stream processing (ovpn_tcp_recv) allows remote unauthenticated attackers to cause packet drops and potential system unavailability through header offset overflow and misaligned protocol headers when handling coalesced TCP packets. The vulnerability affects Linux kernel versions containing commit 11851cbd60ea (OpenVPN driver) through 6.19.6, 6.18.16, and 7.0, with patches available in stable branches. EPSS score of 0.02% (4th percentile) suggests low observed exploitation probability despite the network-accessible attack vector and high availability impact (CVSS 7.5).

RCE Linux Integer Overflow +2
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

AMD IOMMU completion wait operations in the Linux kernel can trigger soft lockups under high load when strict mode is enabled (iommu.strict=1). The vulnerability stems from busy-waiting inside a spinlock with interrupts disabled, causing kernel responsiveness issues and potential denial of service on systems with AMD IOMMU hardware. Patches are available across multiple kernel stable branches (6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score is low (0.02%, 5th percentile) with no confirmed active exploitation or public POC identified at time of analysis.

Amd Information Disclosure Linux +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service via kernel warning in MPTCP path manager occurs when combining endpoint removal with fullmesh and flag-setting operations through netlink in the Linux kernel. A local attacker with low privileges can trigger a WARNING in net/mptcp/pm_kernel.c:1074 by sending a crafted sequence of netlink commands, causing the system to emit a kernel warning and potentially become unstable. No known public exploit code exists, but the low CVSS (5.5) and minimal EPSS (0.03%) indicate this is a local DoS with limited real-world impact.

Information Disclosure Ubuntu Debian +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: HID: prodikeys: Check presence of pm->input_ep82 Fake USB devices can send their own report descriptors for which the input_mapping() hook does not get called. In this case, pm->input_ep82 stays NULL, which leads to a crash later. This does not happen with the real device, but can be provoked by imposing as one.

Denial Of Service Null Pointer Dereference Linux +2
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke() The ChipIdea UDC driver can encounter "not page aligned sg buffer" errors when a USB device is reconnected after being disconnected during an active transfer. This occurs because _ep_nuke() returns requests to the gadget layer without properly unmapping DMA buffers or cleaning up scatter-gather bounce buffers. Root cause: When a disconnect happens during a multi-segment DMA transfer, the request's num_mapped_sgs field and sgt.sgl pointer remain set with stale values. The request is returned to the gadget driver with status -ESHUTDOWN but still has active DMA state. If the gadget driver reuses this request on reconnect without reinitializing it, the stale DMA state causes _hardware_enqueue() to skip DMA mapping (seeing non-zero num_mapped_sgs) and attempt to use freed/invalid DMA addresses, leading to alignment errors and potential memory corruption. The normal completion path via _hardware_dequeue() properly calls usb_gadget_unmap_request_by_dev() and sglist_do_debounce() before returning the request. The _ep_nuke() path must do the same cleanup to ensure requests are returned in a clean, reusable state. Fix: Add DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror the cleanup sequence in _hardware_dequeue(): - Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set - Call sglist_do_debounce() with copy=false if bounce buffer exists This ensures that when requests are returned due to endpoint shutdown, they don't retain stale DMA mappings. The 'false' parameter to sglist_do_debounce() prevents copying data back (appropriate for shutdown path where transfer was aborted).

Memory Corruption Buffer Overflow Linux +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Double-free memory corruption in Linux kernel's Xen 9P filesystem driver (9p/xen) allows adjacent network attackers to crash the kernel or potentially execute arbitrary code. The xenwatch thread racing with back-end state changes triggers use-after-free during teardown of xen_9pfs_front_free(), causing general protection faults. Vendor patches available for mainline 7.0 and stable branches 6.19.6, 6.18.16, and 6.12.75. EPSS score of 0.02% (5th percentile) suggests low exploitation probability in the wild; no public exploit or CISA KEV listing at time of analysis.

Canonical Denial Of Service Linux +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds write in Linux kernel vhost_vdpa subsystem allows local authenticated users to achieve arbitrary kernel memory corruption via ASID group assignment. Affects Linux kernel versions 5.19 through 6.19.x, with vendor patches available for stable branches 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. Exploitation requires local access with low privileges but no user interaction (CVSS:3.1/AV:L/AC:L/PR:L/UI:N). EPSS score of 0.02% (5th percentile) indicates low predicted exploitation probability, and no public exploit code or active exploitation confirmed at time of analysis.

Linux Buffer Overflow Memory Corruption +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel panic via SError interrupt in Linux kernel media driver (chips-media wave5) when device enters autosuspend during video decoding operations. Local authenticated attackers can trigger a denial of service by queuing buffers to the wave5 video decoder while autosuspend timeout occurs, causing the CPU to access suspended hardware and generate an unrecoverable asynchronous SError, crashing the system. No privilege escalation or code execution; impact limited to availability.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the tw9906 media driver's probe function allows local authenticated attackers to cause denial of service through memory exhaustion. The vulnerability occurs in tw9906_probe() when an error path fails to free memory allocated by v4l2_ctrl_handler_init() and v4l2_ctrl_new_std(), potentially leading to kernel memory depletion on repeated device probe attempts. Vendor-released patches are available across multiple stable kernel branches.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Kernel panic or denial of service occurs in the NTFS filesystem driver when d_compare() operations block on memory allocation. Linux kernel versions from mainline commit 1da177e4c3f4 through 6.18.x, 6.19.x, and early 7.0 are affected. The vulnerability stems from improper use of __getname() within the d_compare() function which can block, violating kernel locking requirements and causing system instability under memory pressure. EPSS score of 0.02% (4th percentile) indicates low observed exploitation likelihood. Vendor patches available for versions 6.18.16, 6.19.6, and 7.0.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Linux kernel KCM (kernel connection multiplexer) subsystem when processing messages with zero-fragment skbs in frag_list after partial sendmsg failures. A local authenticated attacker can trigger a kernel warning and potentially crash the system by sending a malformed message that fails during data copy, leaving an empty skb in the fragment list. The vulnerability requires local access and low-level socket manipulation, affecting systems running vulnerable Linux kernel versions prior to patching.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A denial of service vulnerability in the Linux kernel's AMD display driver (drm/amd/display) allows local authenticated users to crash the system by accessing link encoder functionality on DisplayPort over USB-C (DPIA) links without proper signal type validation. The vulnerability affects kernel versions before the patches released in stable branches 6.12.75, 6.18.16, 6.19.6, and 7.0. No public exploit code has been identified, and real-world exploitation probability is very low (EPSS 0.02%), suggesting this is primarily an edge-case denial of service affecting specific hardware configurations with DPIA displays.

Denial Of Service Amd Linux +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's TI K3 SoC info driver (soc/ti/k3-socinfo) fails to release an allocated mmio regmap, causing denial of service through resource exhaustion on probe failures and driver unbind. Local attackers with low privileges can trigger probe deferral or driver unbind to exhaust kernel memory, affecting systems running vulnerable Linux kernel versions. The vulnerability has a low EPSS score (0.02%) but enables practical local DoS against systems where low-privilege users can control driver lifecycle.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds array access in the Linux kernel's NTB Switchtec hardware driver allows authenticated local users with low privileges to read sensitive kernel memory or trigger denial of service. The vulnerability affects the mw_sizes array when NTB (Non-Transparent Bridge) configurations set memory window LUTs to MAX_MWS, enabling access beyond array boundaries. Exploitation probability is low (EPSS 0.02%, 7th percentile) with no confirmed active exploitation or public POC. Vendor patches are available across all affected stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0).

Information Disclosure Buffer Overflow Linux +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Linux kernel x86 architecture fails to validate IMA measurement list memory bounds during kexec boot with restricted memory parameters, causing kernel panic when the carried-over IMA buffer falls outside truncated RAM. Authenticated local users with kexec privileges can trigger a denial of service. The fix adds a sanity check to validate the previous kernel's IMA kexec buffer against actual memory bounds before restoration, aligning x86 behavior with other architectures.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Race condition in Linux kernel SMB client allows concurrent query interface work items to corrupt network interface state. Affects mainline Linux kernel and stable branches 6.6.x through 7.0. Exploitation requires user interaction (likely mounting/accessing SMB shares) but enables remote attackers to achieve high confidentiality, integrity, and availability impacts. Vendor patches available across multiple stable kernel branches (6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS exploitation probability extremely low (0.02%, 5th percentile), no active exploitation confirmed, POC status unknown.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash() Commit 38a6f0865796 ("net: sched: support hash selecting tx queue") added SKBEDIT_F_TXQ_SKBHASH support. The inclusive range size is computed as: mapping_mod = queue_mapping_max - queue_mapping + 1; The range size can be 65536 when the requested range covers all possible u16 queue IDs (e.g. queue_mapping=0 and queue_mapping_max=U16_MAX). That value cannot be represented in a u16 and previously wrapped to 0, so tcf_skbedit_hash() could trigger a divide-by-zero: queue_mapping += skb_get_hash(skb) % params->mapping_mod; Compute mapping_mod in a wider type and reject ranges larger than U16_MAX to prevent params->mapping_mod from becoming 0 and avoid the crash.

Denial Of Service Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free and reference count underflow in the Linux kernel's amdgpu DRM driver allows local authenticated users with low privileges to cause kernel panic, denial of service, and potentially execute arbitrary code with kernel privileges. The vulnerability affects amdgpu_gem_va_ioctl handling of GPU timeline fences where stale or freed fences are used due to premature fence selection and improper reference management. Patch available in kernel versions 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit or active exploitation has been identified.

Denial Of Service Linux Use After Free +3
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel's Atmel HLCDC DRM driver allows local authenticated users to execute arbitrary code, escalate privileges, or cause denial of service. The atmel_hlcdc_plane_atomic_duplicate_state() function incorrectly copies plane state without properly duplicating the drm_plane_state structure, leaving a stale commit pointer that triggers use-after-free during subsequent drm_atomic_commit() calls. Vulnerability surfaces when reopening the device node while another DRM client remains attached. EPSS score is low (0.02%) and no active exploitation confirmed at time of analysis, but local privilege escalation potential and vendor-released patches across multiple stable kernel branches indicate genuine risk for systems using Atmel HLCDC display hardware.

Information Disclosure Linux Use After Free +3
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: iris: Add missing platform data entries for SM8750 Two platform-data fields for SM8750 were missed: - get_vpu_buffer_size = iris_vpu33_buf_size Without this, the driver fails to allocate the required internal buffers, leading to basic decode/encode failures during session bring-up. - max_core_mbps = ((7680 * 4320) / 256) * 60 Without this capability exposed, capability checks are incomplete and v4l2-compliance for encoder fails.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: team: avoid NETDEV_CHANGEMTU event when unregistering slave syzbot is reporting unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 3 ref_tracker: netdev@ffff88807dcf8618 has 1/2 users at __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline] netdev_hold include/linux/netdevice.h:4429 [inline] inetdev_init+0x201/0x4e0 net/ipv4/devinet.c:286 inetdev_event+0x251/0x1610 net/ipv4/devinet.c:1600 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_mtu net/core/dev.c:2318 [inline] netif_set_mtu_ext+0x5aa/0x800 net/core/dev.c:9886 netif_set_mtu+0xd7/0x1b0 net/core/dev.c:9907 dev_set_mtu+0x126/0x260 net/core/dev_api.c:248 team_port_del+0xb07/0xcb0 drivers/net/team/team_core.c:1333 team_del_slave drivers/net/team/team_core.c:1936 [inline] team_device_event+0x207/0x5b0 drivers/net/team/team_core.c:2929 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2281 [inline] call_netdevice_notifiers net/core/dev.c:2295 [inline] __dev_change_net_namespace+0xcb7/0x2050 net/core/dev.c:12592 do_setlink+0x2ce/0x4590 net/core/rtnetlink.c:3060 rtnl_changelink net/core/rtnetlink.c:3776 [inline] __rtnl_newlink net/core/rtnetlink.c:3935 [inline] rtnl_newlink+0x15a9/0x1be0 net/core/rtnetlink.c:4072 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894 problem. Ido Schimmel found steps to reproduce ip link add name team1 type team ip link add name dummy1 mtu 1499 master team1 type dummy ip netns add ns1 ip link set dev dummy1 netns ns1 ip -n ns1 link del dev dummy1 and also found that the same issue was fixed in the bond driver in commit f51048c3e07b ("bonding: avoid NETDEV_CHANGEMTU event when unregistering slave"). Let's do similar thing for the team driver, with commit ad7c7b2172c3 ("net: hold netdev instance lock during sysfs operations") and commit 303a8487a657 ("net: s/__dev_set_mtu/__netif_set_mtu/") also applied.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Heap buffer overflow in Linux kernel's nf_conntrack_h323 netfilter module allows remote unauthenticated attackers to trigger 1-2 byte out-of-bounds read via crafted Q.931 SETUP messages to port 1720. The vulnerability affects firewalls with H.323 connection tracking active and can cause information disclosure or denial of service. EPSS score of 0.02% suggests low exploitation probability despite network-accessible attack vector. Patches available across all maintained stable branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0).

Buffer Overflow Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in Linux kernel farsync driver allows remote code execution when FarSync T-series WAN cards are detached while tasklets remain active. The vulnerability occurs when fst_tx_task or fst_int_task continue executing after fst_card_info is freed in fst_remove_one(), causing the kernel to access deallocated memory. Despite the CVSS 8.8 score with network vector, the EPSS score is extremely low (0.02%, 7th percentile), suggesting minimal real-world exploitation likelihood. No active exploitation confirmed (not in CISA KEV). Patches available across multiple stable kernel versions (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0).

Information Disclosure Linux Memory Corruption +3
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: radio-keene: fix memory leak in error path Fix a memory leak in usb_keene_probe(). The v4l2 control handler is initialized and controls are added, but if v4l2_device_register() or video_register_device() fails afterward, the handler was never freed, leaking memory. Add v4l2_ctrl_handler_free() call in the err_v4l2 error path to ensure the control handler is properly freed for all error paths after it is initialized.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Linux kernel RDS networking module allows remote unauthenticated attackers to cause persistent network reconnection failures through improper bit flag handling. The vulnerability affects the Reliable Datagram Sockets (RDS) protocol implementation where canceling a reconnect worker without clearing the reconnect-pending bit causes a permanent stuck state, preventing legitimate network reconnections. Vendor patches available across multiple stable kernel versions (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS exploitation probability is very low (0.02%, 7th percentile), and no public exploit or active exploitation confirmed at time of analysis.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix device cleanup order to prevent kernel panic Move video device unregistration to the beginning of the remove function to ensure all video operations are stopped before cleaning up the worker thread and disabling PM runtime. This prevents hardware register access after the device has been powered down. In polling mode, the hrtimer periodically triggers wave5_vpu_timer_callback() which queues work to the kthread worker. The worker executes wave5_vpu_irq_work_fn() which reads hardware registers via wave5_vdi_read_register(). The original cleanup order disabled PM runtime and powered down hardware before unregistering video devices. When autosuspend triggers and powers off the hardware, the video devices are still registered and the worker thread can still be triggered by the hrtimer, causing it to attempt reading registers from powered-off hardware. This results in a bus error (synchronous external abort) and kernel panic. This causes random kernel panics during encoding operations: Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP Modules linked in: wave5 rpmsg_ctrl rpmsg_char ... CPU: 0 UID: 0 PID: 1520 Comm: vpu_irq_thread Tainted: G M W pc : wave5_vdi_read_register+0x10/0x38 [wave5] lr : wave5_vpu_irq_work_fn+0x28/0x60 [wave5] Call trace: wave5_vdi_read_register+0x10/0x38 [wave5] kthread_worker_fn+0xd8/0x238 kthread+0x104/0x120 ret_from_fork+0x10/0x20 Code: aa1e03e9 d503201f f9416800 8b214000 (b9400000) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: synchronous external abort: Fatal exception

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: hfs: Replace BUG_ON with error handling for CNID count checks In a06ec283e125 next_id, folder_count, and file_count in the super block info were expanded to 64 bits, and BUG_ONs were added to detect overflow. This triggered an error reported by syzbot: if the MDB is corrupted, the BUG_ON is triggered. This patch replaces this mechanism with proper error handling and resolves the syzbot reported bug. Singed-off-by: Jori Koolstra <jkoolstra@xs4all.nl>

Buffer Overflow Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: clocksource/drivers/sh_tmu: Always leave device running after probe The TMU device can be used as both a clocksource and a clockevent provider. The driver tries to be smart and power itself on and off, as well as enabling and disabling its clock when it's not in operation. This behavior is slightly altered if the TMU is used as an early platform device in which case the device is left powered on after probe, but the clock is still enabled and disabled at runtime. This has worked for a long time, but recent improvements in PREEMPT_RT and PROVE_LOCKING have highlighted an issue. As the TMU registers itself as a clockevent provider, clockevents_register_device(), it needs to use raw spinlocks internally as this is the context of which the clockevent framework interacts with the TMU driver. However in the context of holding a raw spinlock the TMU driver can't really manage its power state or clock with calls to pm_runtime_*() and clk_*() as these calls end up in other platform drivers using regular spinlocks to control power and clocks. This mix of spinlock contexts trips a lockdep warning. ============================= [ BUG: Invalid wait context ] 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 Not tainted ----------------------------- swapper/0/0 is trying to lock: ffff000008c9e180 (&dev->power.lock){-...}-{3:3}, at: __pm_runtime_resume+0x38/0x88 other info that might help us debug this: context-{5:5} 1 lock held by swapper/0/0: ccree e6601000.crypto: ARM CryptoCell 630P Driver: HW version 0xAF400001/0xDCC63000, Driver version 5.0 #0: ffff8000817ec298 ccree e6601000.crypto: ARM ccree device initialized (tick_broadcast_lock){-...}-{2:2}, at: __tick_broadcast_oneshot_control+0xa4/0x3a8 stack backtrace: CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 PREEMPT Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT) Call trace: show_stack+0x14/0x1c (C) dump_stack_lvl+0x6c/0x90 dump_stack+0x14/0x1c __lock_acquire+0x904/0x1584 lock_acquire+0x220/0x34c _raw_spin_lock_irqsave+0x58/0x80 __pm_runtime_resume+0x38/0x88 sh_tmu_clock_event_set_oneshot+0x84/0xd4 clockevents_switch_state+0xfc/0x13c tick_broadcast_set_event+0x30/0xa4 __tick_broadcast_oneshot_control+0x1e0/0x3a8 tick_broadcast_oneshot_control+0x30/0x40 cpuidle_enter_state+0x40c/0x680 cpuidle_enter+0x30/0x40 do_idle+0x1f4/0x280 cpu_startup_entry+0x34/0x40 kernel_init+0x0/0x130 do_one_initcall+0x0/0x230 __primary_switched+0x88/0x90 For non-PREEMPT_RT builds this is not really an issue, but for PREEMPT_RT builds where normal spinlocks can sleep this might be an issue. Be cautious and always leave the power and clock running after probe.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Linux kernel's RDS/TCP networking subsystem allows remote unauthenticated attackers to trigger connection state machine deadlock, causing persistent service unavailability. The vulnerability stems from improper state transition handling in RDS_CONN_ERROR conditions introduced by multipath changes, where connections can bypass normal shutdown procedures and become permanently stuck with queued shutdown workers. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and EPSS probability of 0.02%, this represents a moderate-severity issue affecting network-facing systems using RDS protocol. Patches available across multiple stable kernel versions (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0).

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix memory leak on failure path cfg80211_inform_bss_frame() may return NULL on failure. In that case, the allocated buffer 'buf' is not freed and the function returns early, leading to potential memory leak. Fix this by ensuring that 'buf' is freed on both success and failure paths.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix sgtable leak on mapping failures In an unlikely case when io_populate_area_dma() fails, which could only happen on a PAGE_POOL_32BIT_ARCH_WITH_64BIT_DMA machine, io_zcrx_map_area() will have an initialised and not freed table. It was supposed to be cleaned up in the error path, but !is_mapped prevents that.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: pvrusb2: fix URB leak in pvr2_send_request_ex When pvr2_send_request_ex() submits a write URB successfully but fails to submit the read URB (e.g. returns -ENOMEM), it returns immediately without waiting for the write URB to complete. Since the driver reuses the same URB structure, a subsequent call to pvr2_send_request_ex() attempts to submit the still-active write URB, triggering a 'URB submitted while active' warning in usb_submit_urb(). Fix this by ensuring the write URB is unlinked and waited upon if the read URB submission fails.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A memory corruption vulnerability in the Linux kernel's Verisilicon AV1 media driver allows local authenticated attackers to write tile info data beyond allocated buffer boundaries, potentially achieving arbitrary code execution with kernel privileges. The vulnerability affects kernel versions from 6.5 onwards where commit 727a400686a2 introduced the flaw. Patches are available across multiple stable kernel branches (6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, with no public exploit identified at time of analysis and no CISA KEV listing.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ipmi: ipmb: initialise event handler read bytes IPMB doesn't use i2c reads, but the handler needs to set a value. Otherwise an i2c read will return an uninitialised value from the bus driver.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: iommu/amd: serialize sequence allocation under concurrent TLB invalidations With concurrent TLB invalidations, completion wait randomly gets timed out because cmd_sem_val was incremented outside the IOMMU spinlock, allowing CMD_COMPL_WAIT commands to be queued out of sequence and breaking the ordering assumption in wait_on_sem(). Move the cmd_sem_val increment under iommu->lock so completion sequence allocation is serialized with command queuing. And remove the unnecessary return.

Amd Information Disclosure Linux +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: net: cpsw_new: Fix potential unregister of netdev that has not been registered yet If an error occurs during register_netdev() for the first MAC in cpsw_register_ports(), even though cpsw->slaves[0].ndev is set to NULL, cpsw->slaves[1].ndev would remain unchanged. This could later cause cpsw_unregister_ports() to attempt unregistering the second MAC. To address this, add a check for ndev->reg_state before calling unregister_netdev(). With this change, setting cpsw->slaves[i].ndev to NULL becomes unnecessary and can be removed accordingly.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in Linux kernel tw9903 media driver probe function allows local authenticated attackers to cause denial of service through repeated device initialization failures. The v4l2_ctrl_handler_init() and v4l2_ctrl_new_std() allocations are not freed in one error path of tw9903_probe(), enabling exhaustion of kernel memory. CVSS 5.5 (local, low complexity, requires low privileges). EPSS score of 0.02% indicates minimal exploitation probability.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: iris: gen2: Add sanity check for session stop In iris_kill_session, inst->state is set to IRIS_INST_ERROR and session_close is executed, which will kfree(inst_hfi_gen2->packet). If stop_streaming is called afterward, it will cause a crash. Add a NULL check for inst_hfi_gen2->packet before sendling STOP packet to firmware to fix that.

Denial Of Service Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in the Linux kernel's net subsystem via deadlock in skb_may_tx_timestamp() when socket timestamp completion occurs in interrupt context while sk_callback_lock is write-locked, affecting local attackers with user privileges on systems with network drivers that complete TX timestamps from dedicated interrupt handlers.

Denial Of Service Null Pointer Dereference Linux
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A race condition in the Linux kernel CIFS (Common Internet File System) implementation allows attackers to exploit improper locking of tcon (tree connection) fields, potentially achieving high confidentiality, integrity, and availability impact. The vulnerability stems from legacy use of cifs_tcp_ses_lock instead of the more granular tc_lock for protecting tcon structure fields, creating synchronization gaps that could be exploited through crafted SMB operations requiring user interaction. Vendor patches are available across multiple stable kernel branches (6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0), with EPSS indicating low exploitation probability (0.02%, 5th percentile) and no confirmed active exploitation at time of analysis.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Linux Kernel KVM x86 allows authenticated users with low privileges to potentially achieve arbitrary code execution, information disclosure, or denial of service by exploiting a missing SRCU read-side lock when reading PDPTR registers via the KVM_GET_SREGS2 ioctl. The vulnerability triggers a lockdep warning and unsafe memory slot access in __get_sregs2(), affecting Linux kernel versions from 5.14 onward. Vendor patches available across multiple stable branches (6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6). EPSS score of 0.02% (7th percentile) suggests low exploitation probability in the wild, with no public exploit code or CISA KEV listing confirmed at time of analysis.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Null pointer dereference in Linux kernel Realtek rtw89 WiFi PCI driver allows adjacent network attackers to trigger kernel crashes via malformed TX release reports with abnormal sequence numbers. The vulnerability causes out-of-bounds array access in wd_ring->pages when hardware reports invalid sequence numbers during wireless transmission operations. Vendor-released patches are available for kernel versions 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (4th percentile) indicates minimal observed exploitation activity, though the CVSS vector (AV:A/AC:H/PR:N/UI:N) shows adjacent network access with high attack complexity enables complete system compromise without authentication.

Denial Of Service Linux Null Pointer Dereference +2
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

LoongArch architecture's cpumask_of_node() function in the Linux kernel mishandles NUMA_NO_NODE (-1) as a node index, potentially enabling local authenticated users to achieve high confidentiality, integrity, and availability impacts (CVSS 7.8). Patches available across multiple stable kernel branches (6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) address the improper input validation. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. No public exploit identified at time of analysis.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A double-unlock bug in the Linux kernel PCI subsystem allows local authenticated users to trigger lock corruption, leading to privilege escalation, information disclosure, or denial of service. The flaw exists in pci_slot_trylock() where improper error handling after commit a4e772898f8b unlocks a bridge device lock that was never acquired, causing either lock state corruption or unlocking another thread's lock. With CVSS 7.8 (AV:L/AC:L/PR:L) and EPSS of 0.02% (7th percentile), this is a local vulnerability with low exploitation complexity requiring authenticated access. Vendor patches are available across all active kernel stable branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). No public exploit code or active exploitation confirmed at time of analysis.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local denial of service in Linux kernel ring-buffer tracing code allows authenticated local users to crash the system by triggering invalid memory access through malformed event length fields. The vulnerability exists in rb_read_data_buffer(), which validates possibly corrupted ring buffers at boot but fails to verify event lengths are within acceptable ranges before calculating buffer offsets. EPSS exploitation probability is very low at 0.02%, and no public exploit code or active exploitation has been identified.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Linux kernel minix filesystem implementation allows local authenticated users to crash the system via crafted minix superblock structures due to missing validation of s_log_zone_size and other superblock fields in the minix_check_superblock() function.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Out-of-bounds memory access in Linux kernel RPS (Receive Packet Steering) subsystem allows remote unauthenticated attackers to trigger kernel crashes or potentially achieve code execution with SYSTEM privileges. The flaw stems from incorrect assumptions about RPS hash table sizing across receive queues, introduced in commit 48aa30443e52. Exploitation requires no authentication (CVSS AV:N/PR:N) but EPSS probability remains low at 0.02% (4th percentile), suggesting limited real-world targeting. Patches available for stable kernel branches 6.18.16, 6.19.6, and 7.0.

Linux Buffer Overflow Memory Corruption +2
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Resource management flaws in the Linux kernel MediaTek MDP driver allow local authenticated attackers with low privileges to trigger memory corruption via improper error handling during device probe initialization, potentially escalating to kernel code execution. Multiple stable kernel branches (5.10.x through 7.0) are affected, with vendor patches released across all maintained versions. No active exploitation confirmed (EPSS 0.02%, not in CISA KEV), though the local attack vector and low complexity suggest straightforward exploitation once local access is achieved.

Linux Null Pointer Dereference Denial Of Service +2
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds kernel memory write in Linux kernel's AMD KFD (Kernel Fusion Driver) allows local authenticated attackers with low privileges to escalate to root privileges. The kfd_event_page_set() function performs unchecked memset operations of fixed size (KFD_SIGNAL_EVENT_LIMIT * 8 bytes) regardless of user-supplied buffer size, enabling unprivileged userspace processes to corrupt kernel memory. Patches are available across multiple stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability despite high CVSS severity, likely due to the local attack vector and requirement for systems with AMD GPU hardware running the amdkfd driver.

Buffer Overflow Linux Memory Corruption +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: validate num_ifs to prevent out-of-bounds write The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports num_ifs >= 64, the loop can write past the array bounds. Add a bound check for num_ifs in dpaa2_switch_init(). dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all ports match the flood filter, the loop fills all 64 slots and the control interface write overflows by one entry. The check uses >= because num_ifs == DPSW_MAX_IF is also functionally broken. build_if_id_bitmap() silently drops any ID >= 64: if (id[i] < DPSW_MAX_IF) bmap[id[i] / 64] |= ...

Memory Corruption Buffer Overflow Linux +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: q6asm: drop DSP responses for closed data streams 'Commit a354f030dbce ("ASoC: qcom: q6asm: handle the responses after closing")' attempted to ignore DSP responses arriving after a stream had been closed. However, those responses were still handled, causing lockups. Fix this by unconditionally dropping all DSP responses associated with closed data streams.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Use-after-free in Linux kernel fore200e ATM driver allows local attackers to achieve high-severity impacts during PCA-200E or SBA-200E adapter removal. When the device is detached, tx_tasklet or rx_tasklet may still be running and access already-freed memory in fore200e_tx_tasklet() or fore200e_rx_tasklet(), potentially leading to code execution, information disclosure, or denial of service. Patches available across stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. Not listed in CISA KEV. Identified through static analysis, suggesting no active in-the-wild exploitation at time of disclosure.

Information Disclosure Linux Use After Free +3
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in Linux kernel fbdev vt8500lcdfb driver allows local authenticated users to cause denial of service via unfreed DMA-allocated buffer on error path. The vulnerability exists in the framebuffer initialization code where dma_alloc_coherent() allocation for fbi->fb.screen_buffer is not properly freed if an error occurs during probe, leading to memory exhaustion on repeated device initialization attempts. Local privilege required; no remote or unauthenticated attack vector.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Linux kernel APEI/GHES ARM processor error handling allows local authenticated attackers to trigger kernel oops by crafting malformed ARM Processor Error records with incomplete or oversized section data, causing out-of-bounds memory dereference. CVSS 5.5 (local, low complexity, authenticated, availability impact only) with EPSS 0.02% indicates low real-world exploitation probability despite public patch availability.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Linux kernel PCI endpoint configfs interface allows local attackers with low privileges to crash the kernel via swapped parameters in pci_primary_epc_epf_unlink() and pci_secondary_epc_epf_unlink() functions. When executing the unlink command in configfs, incorrect parameter ordering causes invalid memory access and kernel panic. CVSS 5.5 (local, low complexity, low privilege) with EPSS 0.02% suggests limited real-world exploitation despite confirmed availability of patches across multiple kernel branches.

Denial Of Service Amd Linux +2
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Linux kernel's mlx5e driver allows local denial of service via kernel crash when IPsec event handling triggers illegal sleeping operations in atomic context. The mlx5e_ipsec_handle_event workqueue calls mlx5_query_mac_address() which invokes hardware command execution requiring sleep, causing a 'scheduling while atomic' bug that crashes the kernel. Affected versions include mainline 6.2+ and stable branches 6.12.x through 7.0. Patches available across all supported branches (6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% indicates minimal exploitation probability; no active exploitation or public POC identified. CVSS 7.5 AV:N rating appears inconsistent with description indicating local kernel-level triggering conditions.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Race condition in Linux kernel TCP/IPv6 stack allows remote unauthenticated attackers to trigger use-after-free conditions during IPv6-mapped IPv4 socket creation, potentially achieving arbitrary code execution or denial of service. The flaw occurs in tcp_v6_syn_recv_sock() where child socket visibility in the TCP hash table races with incomplete IPv6 structure initialization, causing other CPUs to access invalid memory via newinet->pinet6 pointing to listener data. Vendor patches available for kernel versions 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability despite critical CVSS 9.8 rating, suggesting this requires specific IPv6-mapped IPv4 configuration and precise timing to exploit.

Information Disclosure Linux Race Condition
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds memory reads in Linux kernel netconsole subsystem allow information disclosure and system crashes via unterminated console messages. The vulnerability affects Linux kernel 6.6+ including 6.18.x and 6.19.x branches, triggered by netconsole's failure to validate message buffer boundaries when converting to NBCON console infrastructure. Vendor patches available for 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% suggests minimal real-world exploitation despite CVSS 9.1 rating. No public exploit identified at time of analysis.

Buffer Overflow Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Double-free memory corruption in Linux kernel PRUSS (Programmable Real-Time Unit Subsystem) driver allows local authenticated attackers with low privileges to achieve high-impact code execution, information disclosure, or denial of service. The vulnerability exists in pruss_clk_mux_setup() where devm_add_action_or_reset() indirectly calls pruss_of_free_clk_provider() on error path, then erroneously calls of_node_put(clk_mux_np) again afterward. Vendor patches available across stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating; no KEV listing or public POC identified at time of analysis.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate user queue size constraints Add validation to ensure user queue sizes meet hardware requirements: - Size must be a power of two for efficient ring buffer wrapping - Size must be at least AMDGPU_GPU_PAGE_SIZE to prevent undersized allocations This prevents invalid configurations that could lead to GPU faults or unexpected behavior.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

TCP connections through veth interfaces with XDP programs can enter a permanent deadlock state where sender and receiver sequence numbers desynchronize, causing all traffic to stall indefinitely. The vulnerability stems from improper error code handling in GSO (Generic Segmentation Offload) frame transmission when individual segments within a GSO super-frame fail - TCP interprets partial segment loss as complete frame loss, advancing receiver state without sender acknowledgment. Affects Linux kernel versions from 3.18 through 6.19.x with patches available across multiple stable branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation (KEV) or public exploit code has been identified at time of analysis.

Authentication Bypass Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: nfsd: fix nfs4_file refcount leak in nfsd_get_dir_deleg() Claude pointed out that there is a nfs4_file refcount leak in nfsd_get_dir_deleg(). Ensure that the reference to "fp" is released before returning.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: dm mpath: Add missing dm_put_device when failing to get scsi dh name When commit fd81bc5cca8f ("scsi: device_handler: Return error pointer in scsi_dh_attached_handler_name()") added code to fail parsing the path if scsi_dh_attached_handler_name() failed with -ENOMEM, it didn't clean up the reference to the path device that had just been taken. Fix this, and steamline the error paths of parse_path() a little.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Adjust PHY FSM transition to TX_EN-to-PLL_ON for TMDS on DCN35 [Why] A backport of the change made for DCN401 that addresses an issue where we turn off the PHY PLL when disabling TMDS output, which causes the OTG to remain stuck. The OTG being stuck can lead to a hang in the DCHVM's ability to ACK invalidations when it thinks the HUBP is still on but it's not receiving global sync. The transition to PLL_ON needs to be atomic as there's no guarantee that the thread isn't pre-empted or is able to complete before the IOMMU watchdog times out. [How] Backport the implementation from dcn401 back to dcn35. There's a functional difference in when the eDP output is disabled in dcn401 code so we don't want to utilize it directly.

Amd Information Disclosure Linux +2
NVD
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's netfilter xt_tcpmss module allows remote unauthenticated attackers to leak memory contents and potentially cause system crashes via malformed TCP options. The xt_tcpmss TCP option parser fails to validate remaining option length before reading optlen values, triggering memory access beyond buffer boundaries when processing crafted packets. EPSS exploitation probability is low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but the network attack vector (AV:N) and lack of authentication requirements (PR:N) make this exploitable against any system using netfilter with TCP MSS clamping enabled.

Buffer Overflow Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: v4l2-async: Fix error handling on steps after finding a match Once an async connection is found to be matching with an fwnode, a sub-device may be registered (in case it wasn't already), its bound operation is called, ancillary links are created, the async connection is added to the sub-device's list of connections and removed from the global waiting connection list. Further on, the sub-device's possible own notifier is searched for possible additional matches. Fix these specific issues: - If v4l2_async_match_notify() failed before the sub-notifier handling, the async connection was unbound and its entry removed from the sub-device's async connection list. The latter part was also done in v4l2_async_match_notify(). - The async connection's sd field was only set after creating ancillary links in v4l2_async_match_notify(). It was however dereferenced in v4l2_async_unbind_subdev_one(), which was called on error path of v4l2_async_match_notify() failure.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ceph: do not propagate page array emplacement errors as batch errors When fscrypt is enabled, move_dirty_folio_in_page_array() may fail because it needs to allocate bounce buffers to store the encrypted versions of each folio. Each folio beyond the first allocates its bounce buffer with GFP_NOWAIT. Failures are common (and expected) under this allocation mode; they should flush (not abort) the batch. However, ceph_process_folio_batch() uses the same `rc` variable for its own return code and for capturing the return codes of its routine calls; failing to reset `rc` back to 0 results in the error being propagated out to the main writeback loop, which cannot actually tolerate any errors here: once `ceph_wbc.pages` is allocated, it must be passed to ceph_submit_write() to be freed. If it survives until the next iteration (e.g. due to the goto being followed), ceph_allocate_page_array()'s BUG_ON() will oops the worker. Note that this failure mode is currently masked due to another bug (addressed next in this series) that prevents multiple encrypted folios from being selected for the same write. For now, just reset `rc` when redirtying the folio to prevent errors in move_dirty_folio_in_page_array() from propagating. Note that move_dirty_folio_in_page_array() is careful never to return errors on the first folio, so there is no need to check for that. After this change, ceph_process_folio_batch() no longer returns errors; its only remaining failure indicator is `locked_pages == 0`, which the caller already handles correctly.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Data loss and memory corruption in Linux kernel XFS filesystem implementation allows authenticated users with ability to set extended attributes to corrupt xattr leaf blocks and overwrite entries array. The vulnerability stems from improper freemap management when xattr entries array expands, leaving zero-length freemap entries with nonzero base values that can overlap with legitimate freemap entries. Subsequent setxattr operations can allocate namevalue entries on top of the entries array, leading to filesystem data loss. EPSS score of 0.02% suggests low widespread exploitation probability, and no active exploitation is confirmed (not in CISA KEV). Patches are vendor-released for stable kernel versions 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0.

Information Disclosure Linux Integer Overflow +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Heap buffer overflow in Linux kernel's IPv6 IOAM (In-situ Operations, Administration, and Maintenance) packet processing allows remote unauthenticated attackers to corrupt kernel memory and trigger system crashes. Attackers send crafted IPv6 packets with inconsistent IOAM trace headers (nodelen=0 with type bits set), causing __ioam6_fill_trace_data() to write ~100 bytes beyond allocated memory into skb_shared_info structures. Despite CVSS 9.8 critical rating, EPSS exploitation probability is low (0.05%, 16th percentile) and no active exploitation or public POC has been identified. Vendor patches available across multiple stable kernel branches (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0).

Buffer Overflow Linux Memory Corruption +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Heap buffer overflow in Linux kernel ksmbd SMB Direct negotiation allows remote unauthenticated attackers to achieve arbitrary code execution. The vulnerability stems from a signedness bug where a malicious SMB Direct client sends a crafted preferred_send_size value (0x80000000) that bypasses minimum size validation, then follows with an oversized message (>1420 bytes) triggering heap corruption. With CVSS 9.8 critical severity and network-accessible attack vector requiring no authentication, this represents a severe pre-auth remote code execution risk. EPSS score of 0.02% suggests limited observed exploitation activity. Vendor patches available across multiple stable kernel branches.

Buffer Overflow Linux Red Hat +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Information disclosure in Linux kernel's RNBD (RDMA Network Block Device) server component allows remote unauthenticated attackers to read uninitialized kernel memory through response buffers. The rnbd-srv module fails to zero response message buffers before transmission, leaking residual kernel data to network clients, particularly during protocol version mismatches. With CVSS 7.5 (High) and confirmed vendor patches across multiple stable branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0), this represents a classic uninitialized memory vulnerability. EPSS exploitation probability is low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but the network attack vector and lack of authentication requirements warrant prioritization for systems running RNBD server functionality.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: cx25821: Fix a resource leak in cx25821_dev_setup() Add release_mem_region() if ioremap() fails to release the memory region obtained by cx25821_get_resources().

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: ccs: Avoid possible division by zero Calculating maximum M for scaler configuration involves dividing by MIN_X_OUTPUT_SIZE limit register's value. Albeit the value is presumably non-zero, the driver was missing the check it in fact was. Fix this.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: gpio: sysfs: fix chip removal with GPIOs exported over sysfs Currently if we export a GPIO over sysfs and unbind the parent GPIO controller, the exported attribute will remain under /sys/class/gpio because once we remove the parent device, we can no longer associate the descriptor with it in gpiod_unexport() and never drop the final reference. Rework the teardown code: provide an unlocked variant of gpiod_unexport() and remove all exported GPIOs with the sysfs_lock taken before unregistering the parent device itself. This is done to prevent any new exports happening before we unregister the device completely.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Double URB submission in Linux kernel kaweth USB network driver allows local attackers with low privileges to trigger high severity impacts including potential denial of service, information disclosure, or code execution. The flaw occurs when kaweth_set_rx_mode() prematurely re-enables the TX queue via netif_wake_queue() before an in-flight USB transfer completes, enabling kaweth_start_xmit() to submit the same URB twice - a condition explicitly warned against by the USB subsystem. Patches are available across all supported kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). Despite CVSS 7.8 High severity, EPSS score is only 0.02% (7th percentile), indicating low observed exploitation probability. No public exploit or CISA KEV listing identified at time of analysis.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: erofs: fix incorrect early exits for invalid metabox-enabled images Crafted EROFS images with metadata compression enabled can trigger incorrect early returns, leading to folio reference leaks. However, this does not cause system crashes or other severe issues.

Denial Of Service Linux Red Hat +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Double memory management structure free (mmput) in Linux kernel procfs allows local authenticated attackers with low privileges to cause high-impact memory corruption, potentially leading to privilege escalation, information disclosure, or denial of service. The flaw triggers when userspace provides an incorrectly sized buffer to the PROCMAP_QUERY interface, causing the kernel to call mmput() twice on the same mm_struct after recent code refactoring moved cleanup logic. Patch available from kernel.org stable trees for versions 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates very low probability of exploitation in the wild, consistent with the local attack vector requiring authenticated access and specific API interaction. No CISA KEV listing or public exploit identified at time of analysis.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: ipu6: Fix RPM reference leak in probe error paths Several error paths in ipu6_pci_probe() were jumping directly to out_ipu6_bus_del_devices without releasing the runtime PM reference. Add pm_runtime_put_sync() before cleaning up other resources.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Improper validation in the rtw89 PCI WiFi driver allows adjacent network attackers to trigger kernel crashes via malformed TX release reports on RTL8922DE wireless chipsets. The vulnerability stems from insufficient content validation of release reports before use, which can cause kernel panics when malformed SKB (socket buffer) release reports are processed. EPSS score of 0.02% and absence from CISA KEV suggest limited real-world exploitation, though the 8.8 CVSS reflects the potential for complete system compromise via adjacent network access without authentication. Patches available across multiple stable kernel branches (6.18.16, 6.19.6, 7.0).

Denial Of Service Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: clk: rs9: Reserve 8 struct clk_hw slots for for 9FGV0841 The 9FGV0841 has 8 outputs and registers 8 struct clk_hw, make sure there are 8 slots for those newly registered clk_hw pointers, else there is going to be out of bounds write when pointers 4..7 are set into struct rs9_driver_data .clk_dif[4..7] field. Since there are other structure members past this struct clk_hw pointer array, writing to .clk_dif[4..7] fields corrupts both the struct rs9_driver_data content and data around it, sometimes without crashing the kernel. However, the kernel does surely crash when the driver is unbound or during suspend. Fix this, increase the struct clk_hw pointer array size to the maximum output count of 9FGV0841, which is the biggest chip that is supported by this driver.

Denial Of Service Buffer Overflow Null Pointer Dereference +3
NVD
Prev Page 15 of 143 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy