Linux
Monthly
In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix post open error handling Closing a queue doesn't guarantee that all associated page pools are terminated right away, let the refcounting do the work instead of releasing the zcrx ctx directly.
In the Linux kernel, the following vulnerability has been resolved: net: ethernet: xscale: Check for PTP support properly In ixp4xx_get_ts_info() ixp46x_ptp_find() is called unconditionally despite this feature only existing on ixp46x, leading to the following splat from tcpdump: root@OpenWrt:~# tcpdump -vv -X -i eth0 (...) Unable to handle kernel NULL pointer dereference at virtual address 00000238 when read (...) Call trace: ptp_clock_index from ixp46x_ptp_find+0x1c/0x38 ixp46x_ptp_find from ixp4xx_get_ts_info+0x4c/0x64 ixp4xx_get_ts_info from __ethtool_get_ts_info+0x90/0x108 __ethtool_get_ts_info from __dev_ethtool+0xa00/0x2648 __dev_ethtool from dev_ethtool+0x160/0x234 dev_ethtool from dev_ioctl+0x2cc/0x460 dev_ioctl from sock_ioctl+0x1ec/0x524 sock_ioctl from sys_ioctl+0x51c/0xa94 sys_ioctl from ret_fast_syscall+0x0/0x44 (...) Segmentation fault Check for ixp46x in ixp46x_ptp_find() before trying to set up PTP to avoid this. To avoid altering the returned error code from ixp4xx_hwtstamp_set() which before this patch was -EOPNOTSUPP, we return -EOPNOTSUPP from ixp4xx_hwtstamp_set() if ixp46x_ptp_find() fails no matter the error code. The helper function ixp46x_ptp_find() helper returns -ENODEV.
Array bounds overflow in Linux kernel iwlwifi driver for Intel 22000 series wireless chipsets allows adjacent network attackers to achieve arbitrary memory corruption leading to code execution, privilege escalation, or denial of service. The vulnerability stems from insufficient validation of firmware-reported LMAC (Lower MAC) counts in SMEM parsing code, where malicious or corrupted firmware reporting three LMACs (exceeding the hardware-supported two) triggers out-of-bounds array access in fwrt->smem_cfg.lmac[2]. Patches available for kernel 6.18.16, 6.19.6, and mainline 7.0. EPSS exploitation probability is low (0.02%, 5th percentile) with no public exploits or CISA KEV listing, but CVSS 8.8 reflects high impact if exploited through compromised WiFi firmware or adjacent network position.
Integer underflow in the Linux kernel's EFI/CPER firmware error logging function (cper_print_fw_err) allows local authenticated attackers to trigger denial of service via memory dump of unmapped regions, disclose kernel memory contents, or cause system crash when processing malformed EFI firmware error records with invalid offsets. The vulnerability stems from insufficient validation of error record length before subtracting an offset, causing integer wraparound that permits dumping of arbitrary kernel memory regions.
Kernel panic occurs in Linux kernel USB gadget driver (dwc3) when vbus_draw function executes PMIC power-supply APIs from atomic context, causing sleep operations in non-sleepable context. The vulnerability affects Linux kernel versions prior to 5.13 and various stable series (6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) and is resolved by deferring vbus_draw operations to workqueue context. Local authenticated users with privilege level PR:L can trigger denial of service by invoking affected USB gadget functionality, with EPSS exploitation probability at 0.02% percentile indicating extremely low practical risk despite moderate CVSS severity.
Denial of service via kernel panic in the DRM buddy allocator when rounded allocation sizes exceed available memory. Local authenticated attackers can trigger a BUG_ON() crash by requesting contiguous or large-aligned GPU memory allocations that, after power-of-two or block-size rounding, exceed the total VRAM size. Example: a 9GB contiguous allocation request on 10GB VRAM rounds to 16GB, causing immediate kernel panic. No authentication bypass or privilege escalation; requires local access and appropriate user permissions to invoke DRM allocator.
Denial of service via incomplete xattr cleanup in the Linux kernel OCFS2 filesystem causes memory corruption when processing reflinked files with extended attributes. A local user with standard privileges can trigger this vulnerability through crafted xattr operations, resulting in system crashes or data integrity issues. The flaw affects Linux kernel versions from 2.6.32 through multiple recent releases (5.10, 5.15, 6.1, 6.6, 6.12, 6.18, 6.19), with vendor-released patches available for supported stable branches.
Resource leak in Linux kernel xfrm (IPsec) subsystem allows local authenticated users to exhaust kernel memory and trigger denial of service by preventing proper cleanup of IPsec hardware offload device references during network device unregistration. The vulnerability affects XFRM state management when IPsec hardware offloading is configured, particularly when the hardware offload capability (NETIF_F_HW_ESP) is disabled after state creation but before device removal.
Out-of-bounds read in Linux kernel EROFS filesystem allows local attackers with user interaction to read kernel memory and cause denial of service via crafted compressed images. The vulnerability stems from incorrect classification of unaligned plain extents, triggering OOB access in z_erofs_transform_plain(). Vendor patches are available across multiple stable kernel branches (6.15, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, with no active exploitation confirmed at time of analysis.
Resource leak in the Linux kernel's hwmon nct7363 hardware monitor driver allows a local, low-privileged user to cause a denial-of-service condition through repeated reference exhaustion. The vulnerability resides in nct7363_present_pwm_fanin, which calls of_parse_phandle_with_args() but never releases the acquired device node reference via of_node_put(), violating the kernel's reference-counting contract for device tree nodes. Exploitation requires physical or local authenticated access to a system equipped with NCT7363 hardware and the driver loaded; no public exploit exists and no active exploitation is confirmed (EPSS: 0.02%, 4th percentile).
Null pointer dereference in Linux kernel UDP-Lite implementation crashes systems when udp_lib_init_sock() fails during socket initialization. Affects mainline 6.18+ through 6.19.5 and stable 7.0. Remote unauthenticated attackers can trigger denial of service by sending crafted UDP-Lite packets that exploit unhandled initialization errors in udplite_sk_init() and udplitev6_sk_init(), causing NULL pointer access in __udp_enqueue_schedule_skb(). Vendor patches available for 6.18.16, 6.19.6, and 7.0 stable trees. EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation is confirmed at time of analysis.
Use-after-free in the Linux kernel's md/bitmap subsystem triggers a General Protection Fault (GPF) in write_page() during MD array resize operations, resulting in a kernel crash and denial of service. Affected are systems using Software RAID (md) with bitmap support across a wide range of stable kernel series from 3.5 through 7.0, with patches backported to 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, and 6.19.6. No public exploit code exists and the EPSS score of 0.02% (7th percentile) indicates very low exploitation probability; however, Red Hat has issued a formal advisory (RHSA-2026:19568), confirming vendor acknowledgment.
Memory leak in the Linux kernel's tegra-video media driver causes local denial-of-service on NVIDIA Tegra-based systems. The `__tegra_channel_try_format()` function fails to free a V4L2 subdev state object on two error paths after `v4l2_subdev_call()` fails, leaking kernel memory on each invocation. A local authenticated attacker with access to a Tegra video capture device can repeatedly trigger the error paths to exhaust kernel memory, degrading or crashing the system. No public exploit exists and EPSS is 0.02% (7th percentile), consistent with a niche, hardware-specific availability issue.
Hard-lock denial of service in the Linux kernel's Intel VT-d IOMMU subsystem affects systems running PCIe passthrough configurations (QEMU, DPDK) without scalable mode enabled. When a PCIe endpoint's link drops - through surprise removal, link fault, or process termination - the kernel enters an indefinite wait inside qi_submit_sync() attempting an ATS invalidation that the disconnected device can never acknowledge. The existing partial fix (commit 4fc82cd907ac) guards this path only when Intel IOMMU scalable mode is active, leaving non-scalable-mode deployments unprotected. No public exploit identified at time of analysis and EPSS is 0.02%, but the impact is a complete host freeze with no recovery path short of power cycling.
NULL pointer dereferences in the Linux kernel's Apple SMC (System Management Controller) MFD driver expose Apple-hardware systems to local denial-of-service. The struct apple_smc mutex was never initialized in apple_smc_probe(), causing occasional crashes when sub-device probe() functions call apple_smc_read() and attempt to acquire the uninitialized lock. Only local, low-privileged users on Apple hardware running an affected kernel can trigger this condition. No public exploit code exists and no active exploitation has been reported; EPSS sits at 0.02% (4th percentile), consistent with a narrow hardware-specific attack surface.
Null pointer dereference in the Linux kernel's rtl8723bs staging Wi-Fi driver allows a locally authenticated user to crash the kernel, resulting in a denial of service. The `pwlan` variable in `find_network()` is not validated for NULL before being passed to `rtw_free_network_nolock()`, which then dereferences it unconditionally. The flaw has been present since Linux 4.12 and is patched across all active stable branches; no public exploit exists and EPSS sits at 0.02%, confirming negligible exploitation activity.
Memory corruption in Linux kernel XFS filesystem allows authenticated users with write access to trigger kernel assertion failures and system shutdowns via crafted extended attribute operations. The vulnerability stems from incorrect freemap adjustment logic when adding xattrs to leaf blocks, causing the entries array and free space tracking to claim overlapping memory regions. This results in firstused pointer corruption where the name area starts below the end of the entries array. Vendor-released patches are available across multiple stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). Low EPSS score (0.02%, 7th percentile) and no CISA KEV listing indicate no widespread exploitation observed, though the high CVSS 8.8 reflects severe impact on availability and potential for data corruption in XFS filesystems.
Memory leak in the Linux kernel's octeontx2-af CGX driver causes kernel resource exhaustion on systems using Marvell OcteonTX2 network hardware. The rx_fc_pfvf_bmap and tx_fc_pfvf_bmap bitmaps allocated during cgx_lmac_init() are never freed in cgx_lmac_exit(), meaning each unbind/rebind cycle of the driver leaks 16 bytes of kernel memory, detectable via kmemleak. No public exploit is identified at time of analysis, and with an EPSS of 0.02% (7th percentile), real-world exploitation risk is negligible; this is a correctness and stability issue rather than an active security threat.
Denial-of-service in the Linux kernel's pegasus USB-to-Ethernet driver allows a local attacker to crash the kernel by connecting a crafted USB device with mismatched endpoint transfer types. The driver's probe function fills URBs using hardcoded endpoint pipes (bulk RX on ep1, bulk TX on ep2, interrupt on ep3) without first verifying the endpoint descriptors presented by the attached device, leaving it susceptible to assertion failure when types do not match expectations. No active exploitation has been confirmed (not in CISA KEV), and the EPSS score of 0.02% reflects the niche local-access-only attack surface; patches have been released across all major stable kernel branches.
Memory leak in the Linux kernel's MMIO mux driver (mux/mmio subsystem) causes kernel memory exhaustion under local access conditions. The mmio regmap allocated during device probe is never released on probe failure paths or driver unbind, resulting in cumulative memory loss that can degrade availability. No active exploitation is confirmed (not in CISA KEV), and EPSS at 0.02% (4th percentile) reflects minimal real-world exploitation interest, consistent with the local-only attack vector and narrow hardware dependency.
Folio reference leaks in the Linux kernel EROFS filesystem driver allow a local low-privileged user to cause gradual memory resource exhaustion by presenting crafted EROFS images with valid but specially structured volume labels. Affected kernel versions span multiple stable branches including the 6.18 and 6.19 series, as confirmed by ENISA EUVD-2026-27717 and upstream kernel commit data. No public exploit has been identified at time of analysis, and the vulnerability description explicitly limits impact to reference leaks without system crashes, which aligns with the low EPSS score of 0.02% (4th percentile).
A use-after-free flaw in the Linux kernel XFS filesystem's xfs_attr_leaf_hasname() function allows local authenticated attackers to potentially execute arbitrary code with kernel privileges or cause denial of service. The function's problematic calling convention can return a pointer to an already-released buffer when xfs_attr3_leaf_lookup_int fails with specific error codes, creating a memory safety issue. Despite a CVSS score of 7.8, EPSS indicates only 0.02% probability of exploitation (5th percentile), suggesting low real-world targeting. Vendor patches are available across multiple stable kernel versions (6.12.75, 6.18.16, 6.19.6, 7.0), and the fix has been committed upstream.
NULL pointer dereference in the Linux kernel's hid-pl driver (Pantherlord/GreenAsia USB game controllers) allows a local low-privileged user to crash the kernel by triggering force feedback on an improperly initialized device. The root cause is unhandled probe errors during driver initialization that leave NULL pointers in place of valid data structures, which are later dereferenced when force feedback is first invoked. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.02% at the 7th percentile reflects negligible real-world exploitation probability.
Local denial-of-service in the Linux kernel's iris media driver (Qualcomm video codec) results from a regression introduced by commit ad699fa78b59241c9d71a8cafb51525f3dab04d4, now reverted. When a media session enters IRIS_INST_ERROR state and userspace subsequently calls stop_streaming for cleanup, the erroneous check skipped the handler entirely - preventing videobuf2 (vb2) buffer returns and leaving firmware in an inconsistent, non-recoverable state. Affected are systems running the iris V4L2 driver on Qualcomm hardware; no public exploit identified at time of analysis and EPSS is 0.02% (percentile 4%), indicating minimal real-world exploitation activity.
Buffer overflow in Linux kernel's ARM CMN performance monitoring driver allows local attackers with low privileges to execute arbitrary code and gain elevated access. The perf/arm-cmn driver fails to validate hardware configuration parameters against assumed maximum sizes, enabling memory corruption through crafted CMN device configurations. While EPSS indicates low exploitation probability (0.02%), patches are available across all maintained kernel branches (6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) per vendor advisories. The local attack vector and requirement for low-privileged user access limit remote exploitation scenarios.
Incorrect DMA buffer cleanup in the Linux kernel's fsl_ucc_hdlc WAN driver (used on Freescale/NXP QorIQ embedded platforms) causes a double-free of coherent DMA memory, resulting in a kernel panic and system crash. The driver allocates rx_buffer and tx_buffer as a single contiguous DMA region in uhdlc_init() but mistakenly calls dma_free_coherent() twice - once per buffer pointer - in uhdlc_memclean(), corrupting the DMA allocator state. Any authenticated local user or kernel path that triggers interface teardown on affected hardware can cause a complete availability loss. No public exploit identified at time of analysis, and EPSS at 0.02% (7th percentile) reflects near-zero opportunistic exploitation probability given the narrow hardware scope.
NULL pointer dereference in the Linux kernel's powerpc/smp subsystem allows a local authenticated user to crash the kernel, causing a denial of service on PowerPC-based systems. The `parse_thread_groups()` function passes the return value of `kcalloc()` directly to `of_property_read_u32_array()` without validating it for NULL, meaning a failed memory allocation - possible under memory pressure - leads to a kernel panic or oops. No public exploit code exists and this vulnerability is not in CISA KEV; with an EPSS of 0.02% (7th percentile) and architecture-specific scope limited to PowerPC, real-world exploitation risk is low but relevant to IBM POWER server deployments running Red Hat or SUSE Linux.
Deadlock in the Linux Kernel PCI/IOV SR-IOV subsystem allows a local low-privileged user to trigger a kernel hang via a recursive mutex acquisition, resulting in a complete denial of service on the affected host. The root cause is commit 05703271c3cd, which added pci_rescan_remove_lock around SR-IOV enable/disable operations without accounting for the re-entrant path where sriov_del_vfs() is invoked from within pci_stop_and_remove_bus_device_locked(), which already holds the same lock. No public exploit has been identified at time of analysis, and EPSS probability is negligible at 0.02%, consistent with the local-only attack vector.
Denial of service in the Linux kernel's iris media driver results from improper error-path handling during internal buffer allocation. When DMA allocation via dma_alloc_attrs() fails, a partially initialized buffer that was prematurely added to the internal buffers->list remains in that list, leading to inconsistent kernel state and potential resource leaks or NULL-pointer dereferences on subsequent access. Affected systems running Linux 6.15 through pre-patch versions of 6.18 and 6.19 with the iris media subsystem active are at risk; no public exploit has been identified and EPSS is 0.02%, indicating low exploitation probability at time of analysis.
Kernel crash in the Linux remoteproc imx_rproc subsystem (NXP i.MX platform) allows a local authenticated attacker to trigger a denial of service by loading firmware that lacks a resource table. The root cause is imx_rproc_elf_find_loaded_rsc_table() returning a stale non-NULL priv->rsc_table pointer even when rproc->table_ptr is NULL, causing the remoteproc core to dereference what it incorrectly treats as a valid loaded resource table. No public exploit has been identified at time of analysis, and EPSS at 0.02% (7th percentile) reflects the narrow hardware-specific attack surface.
Kernel oops (crash) in the Linux kernel brcmfmac SDIO Wi-Fi driver allows a local low-privileged user to cause a denial-of-service by triggering a probe failure on Broadcom SDIO Wi-Fi hardware. The root cause is a double-assignment of sdiodev->bus across brcmf_sdio_probe() and brcmf_sdiod_probe(), leaving an invalid (non-NULL, error-valued) pointer that brcmf_sdio_remove() later dereferences during cleanup. No public exploit has been identified, EPSS is at the 4th percentile, and this is not listed in CISA KEV; risk is primarily a kernel stability concern in specific hardware configurations.
Missing mutex locking around the `mfd_of_node_list` linked list in the Linux kernel's Multi-Function Device (MFD) core subsystem allows a local low-privileged attacker to trigger a race condition, resulting in a kernel crash and denial of service. The vulnerability spans multiple stable kernel branches from the introducing commit 466a62d7642f through patched releases in 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. No public exploit exists and the EPSS score of 0.02% (7th percentile) reflects negligible community exploitation interest; this is not listed in CISA KEV.
Memory exhaustion in the Linux kernel's iris gen1 media driver allows a local low-privileged user to progressively consume kernel memory until session close, causing a denial of service. The iris driver fails to destroy internal firmware-managed buffers upon receiving the firmware release response, with the leak compounding across video resolution changes as each change allocates new buffers without reclaiming the prior set. No public exploit exists and EPSS sits at the 4th percentile, indicating negligible opportunistic exploitation risk; impact is limited to availability on systems with iris-compatible media hardware.
Local denial-of-service and potential memory corruption in the Linux kernel's ntb_hw_switchtec driver allows a low-privileged local user to trigger undefined behavior via a shift-out-of-bounds condition when the Non-Transparent Bridge (NTB) is configured with zero Memory Window LUTs. The flaw stems from rounddown_pow_of_two being invoked on a zero value, and although no public exploit is identified at time of analysis, the upstream fix is available across multiple stable kernel branches. EPSS is very low at 0.02%, consistent with the local attack vector and narrow hardware-dependent trigger.
NULL pointer dereference in the Linux kernel's HID magicmouse driver allows a local attacker with low privileges to crash the kernel by connecting a crafted USB device that impersonates an Apple Magic Mouse. When a fake USB device provides a custom report descriptor, the input_mapping() hook is never called, leaving msc->input as NULL; subsequent access in input_configured() causes a kernel panic and complete availability loss. No public exploit exists and EPSS is negligible at 0.02% (7th percentile), but the impact is a full system denial of service when exploitation conditions are met.
Uninitialized memory use in Linux Kernel's xfrm6_get_saddr() function allows remote attackers to trigger information disclosure and system instability via crafted IPv6 traffic. The vulnerability affects multiple Long-Term Support (LTS) branches from 2.6.19 through 6.19.6, with vendor-released patches available for 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% indicates low observed exploitation probability despite the network-accessible attack vector and lack of required authentication. Not listed in CISA KEV, and no public exploit code identified at time of analysis.
In the Linux kernel, the following vulnerability has been resolved: reset: gpio: suppress bind attributes in sysfs This is a special device that's created dynamically and is supposed to stay in memory forever. We also currently don't have a devlink between it and the actual reset consumer. Suppress sysfs bind attributes so that user-space can't unbind the device because - as of now - it will cause a use-after-free splat from any user that puts the reset control handle.
In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda: Fix NULL pointer dereference If there's a mismatch between the DAI links in the machine driver and the topology, it is possible that the playback/capture widget is not set, especially in the case of loopback capture for echo reference where we use the dummy DAI link. Return the error when the widget is not set to avoid a null pointer dereference like below when the topology is broken. RIP: 0010:hda_dai_get_ops.isra.0+0x14/0xa0 [snd_sof_intel_hda_common]
In the Linux kernel, the following vulnerability has been resolved: HID: logitech-hidpp: Check maxfield in hidpp_get_report_length() Do not crash when a report has no fields. Fake USB gadgets can send their own HID report descriptors and can define report structures without valid fields. This can be used to crash the kernel over USB.
In the Linux kernel, the following vulnerability has been resolved: media: cx23885: Add missing unmap in snd_cx23885_hw_params() In error path, add cx23885_alsa_dma_unmap() to release the resource acquired by cx23885_alsa_dma_map().
Bluetooth L2CAP implementation in Linux kernel fails to validate encryption key size when processing LE Credit Flow Control connection requests, allowing adjacent network attackers to establish L2CAP connections with insufficient cryptographic strength. This affects kernel versions from 3.14 through 6.19.5, with patches released in stable branches 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, and 6.19.6. EPSS score of 0.01% suggests minimal exploitation likelihood despite the adjacent network attack vector and no authentication requirement. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.
Nested AMD SVM virtualization in Linux kernel KVM incorrectly handles VMLOAD/VMSAVE emulation, allowing local privileged attackers in L2 guests to read and write L1 guest state, potentially escalating privileges or causing denial of service. This affects kernels since commit cc3ed80ae69f (v5.13+) and has been patched in stable releases 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. With 7.9 CVSS (HIGH severity) but only 0.02% EPSS, this is a lower-probability threat requiring local authenticated access to nested virtualization environments. No public exploit or active exploitation (KEV) identified at time of analysis.
Denial of service in Linux kernel dm-verity subsystem allows local authenticated users to crash the system by triggering dm_bufio_client_create() failure in verity_fec_ctr(), which incorrectly passes an error pointer to dm_bufio_client_destroy(). The vulnerability requires local access and authenticated privileges but no user interaction, affecting dm-verity configurations with forward error correction enabled.
Null pointer dereference in the Linux kernel AMD power management (drm/amd/pm) subsystem causes denial of service when SMU (System Management Unit) is disabled during RAS (Reliability, Availability, and Serviceability) initialization. Local authenticated attackers with low privileges can trigger this crash on affected systems, resulting in kernel panic and system unavailability. EPSS exploitation probability is very low (0.02%), indicating this requires specific configuration and local access.
Hard-lockup in Linux kernel IOMMU/VT-d subsystem when flushing device IOTLB during PCIe link-down events affects systems using scalable mode with PASID support. Local authenticated attackers can trigger denial of service by causing PCIe device disconnection followed by resource cleanup operations, such as releasing VFIO group file descriptors, which deadlock the system while attempting ATS invalidation on inaccessible devices. Patch available across multiple stable kernel series.
Linux kernel page fault in ima_restore_measurement_list() when the second-stage kernel is booted via kexec with memory-limiting command lines such as 'mem=<size>' allows local authenticated users to cause a denial of service by triggering an out-of-bounds memory access. The vulnerability occurs on x86_64 architectures when the IMA measurement buffer from the previous kernel falls outside the addressable RAM of the new kernel, resulting in a kernel panic during early IMA restoration.
Double-free vulnerability in Linux kernel RDMA subsystem allows local authenticated attackers to trigger high-severity memory corruption. The flaw in ib_umem_dmabuf_get_pinned_with_dma_device() causes dma_buf_unpin() to be called twice on error paths - once immediately on failure and again during cleanup - enabling potential privilege escalation, system crashes, or information disclosure. Patches available for kernels 6.1.165+, 6.6.128+, 6.12.75+, 6.18.16+, 6.19.6+, and 7.0+. EPSS score of 0.02% indicates low widespread exploitation probability, with no active exploitation or public POCs identified at time of analysis.
A circular locking dependency in the Linux kernel's ntfs3 filesystem driver allows local authenticated attackers with low privileges to cause a denial of service (system hang or crash) by triggering simultaneous operations that deadlock between the MFT run lock and bitmap read-write lock. The vulnerability affects kernel versions prior to 6.18.16, 6.19.6, and 7.0, and requires local access with user-level privileges to exploit.
Use-after-free in Linux kernel ALSA OSS mixer allows authenticated local attackers with low privileges to achieve arbitrary code execution, privilege escalation, or denial of service. The vulnerability stems from insufficient card disconnection checks when OSS mixer layer calls kcontrol operations individually, creating a race condition window where pending calls continue after device removal. Upstream patches available across kernel versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation probability, and no KEV listing or public exploit identified at time of analysis.
Remote unauthenticated attackers can cause critical out-of-bounds writes in the Linux kernel's Distributed Lock Manager (DLM) subsystem by sending malformed network messages with unvalidated length parameters to dlm_dump_rsb_name(). When the length exceeds DLM_RESNAME_MAXLEN, dlm_search_rsb_tree() writes beyond allocated buffers, enabling arbitrary code execution, denial of service, or information disclosure. Patches available for kernel versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS exploitation probability is very low (0.02%, 5th percentile), and no public exploit or active exploitation has been identified at time of analysis, despite the critical CVSS 9.8 score.
Denial of service via null pointer dereference in Linux kernel's pstore persistent storage subsystem occurs when the vmap() function fails but the persistent_ram_vmap() function incorrectly returns success if a non-zero offset is present, allowing subsequent buffer access to dereference invalid memory and cause system crashes. Affects Linux kernel versions prior to 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. No public exploit identified at time of analysis, but vendor-released patches are available across multiple stable branches.
In the Linux kernel, the following vulnerability has been resolved: fbcon: check return value of con2fb_acquire_newinfo() If fbcon_open() fails when called from con2fb_acquire_newinfo() then info->fbcon_par pointer remains NULL which is later dereferenced. Add check for return value of the function con2fb_acquire_newinfo() to avoid it. Found by Linux Verification Center (linuxtesting.org) with SVACE.
In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: Update cpuidle driver check in __acpi_processor_start() Commit 7a8c994cbb2d ("ACPI: processor: idle: Optimize ACPI idle driver registration") moved the ACPI idle driver registration to acpi_processor_driver_init() and acpi_processor_power_init() does not register an idle driver any more. Accordingly, the cpuidle driver check in __acpi_processor_start() needs to be updated to avoid calling acpi_processor_power_init() without a cpuidle driver, in which case the registration of the cpuidle device in that function would lead to a NULL pointer dereference in __cpuidle_register_device().
In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix user_ref race between scrub and refill paths The io_zcrx_put_niov_uref() function uses a non-atomic check-then-decrement pattern (atomic_read followed by separate atomic_dec) to manipulate user_refs. This is serialized against other callers by rq_lock, but io_zcrx_scrub() modifies the same counter with atomic_xchg() WITHOUT holding rq_lock. On SMP systems, the following race exists: CPU0 (refill, holds rq_lock) CPU1 (scrub, no rq_lock) put_niov_uref: atomic_read(uref) - 1 // window opens atomic_xchg(uref, 0) - 1 return_niov_freelist(niov) [PUSH #1] // window closes atomic_dec(uref) - wraps to -1 returns true return_niov(niov) return_niov_freelist(niov) [PUSH #2: DOUBLE-FREE] The same niov is pushed to the freelist twice, causing free_count to exceed nr_iovs. Subsequent freelist pushes then perform an out-of-bounds write (a u32 value) past the kvmalloc'd freelist array into the adjacent slab object. Fix this by replacing the non-atomic read-then-dec in io_zcrx_put_niov_uref() with an atomic_try_cmpxchg loop that atomically tests and decrements user_refs. This makes the operation safe against concurrent atomic_xchg from scrub without requiring scrub to acquire rq_lock. [pavel: removed a warning and a comment]
Use-after-free vulnerability in the Linux kernel rpmsg subsystem allows local attackers with low privileges to cause denial of service by exploiting a race condition between driver_override_show() and driver_override_store() functions. The show function reads the driver_override string without holding the device_lock while the store function modifies and frees it under lock, creating a window for memory corruption. The vulnerability requires local access and non-default timing conditions (AC:H), limiting real-world exploitation probability to 0.02% per EPSS scoring.
Memory leak in rtw88 WiFi driver allows local authenticated attackers to cause denial of service via supported band allocation failure. The rtw_set_supported_band() function in the rtl8821ce WiFi driver failed to free allocated memory in error paths during hardware registration, enabling a local privilege escalation attack that exhausts kernel memory. EPSS exploitation probability is very low (0.02%), indicating this is a hardening fix rather than a critical vulnerability.
Resource leak in Linux kernel's most_register_interface() function allows local attackers with low privileges to cause denial of service through memory exhaustion. The vulnerability occurs when most_register_interface() fails during early initialization stages, returning error codes without properly releasing allocated device resources via put_device(). Patch versions 6.12.75, 6.18.16, 6.19.6, and 7.0 address this issue.
Memory leak in hfsplus filesystem driver causes denial of service when superblock setup fails during mount operations. The vulnerability affects Linux kernels when hfsplus is mounted and the setup_bdev_super() function fails after superblock allocation but before hfsplus_fill_super() completes, leaving filesystem-specific data unfreed. Local authenticated users can trigger this condition to exhaust kernel memory and crash the system.
Double-free memory corruption in Linux kernel RDMA/irdma driver allows local authenticated users to cause denial of service or potentially escalate privileges. The vulnerability occurs during memory region re-registration (rereg_user_mr) when IB_MR_REREG_TRANS flag is set: if umem allocation succeeds but subsequent steps fail, the umem is freed without nulling the pointer, leading to double-free when userspace calls ibv_dereg_mr. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates very low probability of exploitation in the wild, with no active exploitation confirmed (not in CISA KEV).
Data race conditions in the Linux kernel Bluetooth subsystem allow local authenticated attackers to cause denial of service by triggering concurrent access to hdev->req_status without proper synchronization. The vulnerability exists in the HCI synchronous command processing path where __hci_cmd_sync_sk() and multiple other functions access the same variable across different workqueues without holding locks, potentially causing memory corruption or system hangs.
Data corruption in Linux kernel btrfs filesystem log replay allows local authenticated attackers to cause files to retain incorrect sizes after crash recovery. When a file is truncated to zero bytes, fssynced, and then a hardlink is created, the file incorrectly retains its pre-truncation size after a power failure and log replay, resulting in data integrity violation with availability impact.
A kernel crash occurs in Linux btrfs filesystem tracepoint code when OverlayFS is layered on top of btrfs. The btrfs_sync_file() event handler incorrectly dereferences dentry->d_sb, which resolves to the overlay superblock instead of the underlying btrfs superblock, causing a kernel panic during fsid assignment. This affects Linux kernel versions from initial git commit (1da177e4c3f4) through multiple stable branches until patched releases 6.6.136, 6.12.83, 6.18.24, 6.19.14, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. Vendor patches are available across all affected stable kernel branches.
Use-after-free in Linux kernel netfilter ctnetlink allows local authenticated attackers with low privileges to achieve code execution, privilege escalation, or denial of service. The vulnerability stems from insufficient protection when accessing master conntrack objects through expectations - holding a reference on the expectation alone does not prevent the master conntrack from being freed, creating a window where exp->master points to freed memory. Patched in stable kernel versions 6.18.24, 6.19.14, and mainline 7.0. EPSS score of 0.02% (4th percentile) indicates low probability of widespread exploitation, and no public exploit or CISA KEV listing exists at time of analysis, suggesting this remains a lower-priority item despite the 7.8 CVSS score.
Denial of service in Linux kernel tiny SRCU (Synchronize-RCU) subsystem allows local authenticated attackers to trigger a system hang or crash by invoking call_srcu() while holding scheduler locks, causing a circular lock dependency and potential deadlock. The vulnerability affects kernel versions before 6.19.14 and 7.0, with EPSS score of 0.02% indicating low real-world exploitation probability despite moderate CVSS severity.
A logic error in Linux kernel netfilter's AVX2-accelerated nft_set_pipapo matching allows incorrect element matching when flushing and reloading sets with composite keys (e.g., 'ipv4 . port'). The AVX2 code path prematurely returns non-matching entries during multi-field lookups, causing false collision reports when reinserting elements after a set flush. This affects netfilter firewall rule processing on systems with AVX2 CPU support. With CVSS 9.4 (AV:N/AC:L/PR:N/UI:N), the vector suggests critical network-accessible impact, though the description indicates this is a firewall rule management bug rather than a direct remote exploitation path. EPSS score of 0.02% (5th percentile) and no KEV listing suggest low real-world exploitation likelihood. Patches available across stable kernel branches 6.6.136, 6.12.83, 6.18.24, 6.19.14, and 7.0.
Out-of-bounds array indexing in Linux kernel's wl1251 wireless driver allows adjacent network attackers to achieve high-impact memory corruption without authentication. The wl1251_tx_packet_cb() function uses untrusted firmware completion IDs directly to index a fixed 16-entry tx_frames array without bounds validation, enabling attackers on the same wireless network segment to read/write arbitrary kernel memory. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation or public POC identified. However, CVSS 8.8 reflects genuine risk for systems with wl1251 hardware on untrusted networks.
Out-of-bounds read in Linux kernel CIFS client allows network attackers to achieve high-severity impacts including potential code execution, information disclosure, or denial of service when users access maliciously crafted SMB shares. The vulnerability resides in cifs_sanitize_prepath() which improperly handles empty strings or delimiter-only paths, triggering memory access violations confirmed via AddressSanitizer testing. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates low predicted exploitation probability despite high CVSS 8.8, and no active exploitation or public POC identified at time of analysis.
Race condition in Linux kernel HID roccat driver enables local privilege escalation through use-after-free memory corruption. Local authenticated attackers can exploit concurrent access to device reader lists during roccat_report_event() operations, achieving arbitrary code execution with high integrity impact (CVSS 7.8). Vendor-released patches available across multiple kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite moderate severity, suggesting limited weaponization in current threat landscape.
Adjacent network attackers can achieve remote code execution, information disclosure, or denial of service against Linux systems using Broadcom FullMAC wireless drivers by sending malicious WiFi interface events with out-of-bounds bsscfg indices. The brcmfmac driver's firmware event handler fails to validate array indices before accessing the driver's interface list, enabling memory corruption attacks. Vendor patches are available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS exploitation probability is low (0.02%, 5th percentile) and no active exploitation or public POC is identified at time of analysis, but the adjacent network attack vector and high impact warrant priority patching for systems with Broadcom WiFi hardware.
Linux kernel shadow stack implementation fails to check for errors from mmap_read_lock_killable() in shstk_pop_sigframe(), allowing a local authenticated attacker to trigger a denial of service by causing the function to proceed with a failed lock acquisition. The vulnerability affects multiple stable kernel versions prior to patched releases 6.18.24, 6.19.14, and 7.0, with EPSS exploitation probability of 0.02% suggesting low real-world exploit likelihood despite the availability of a vendor patch.
A denial of service vulnerability in the Linux kernel's Qualcomm PD mapper service registry causes system crashes due to mismatched string element length validation in servreg_loc_pfr_req_ei. When a process daemon crashes and triggers a service registry location request, the QMI decoder rejects the reason field because its declared maximum length (65 bytes) is smaller than the actual field size (81 bytes), causing a decoding error and system halt. This affects all Linux kernel versions prior to the patch, triggered by local processes with standard user privileges.
Denial of service in Linux kernel xfrm (IPsec transform) subsystem allows local authenticated attackers to trigger a kernel panic via improper netlink message size calculation when handling XFRM_MSG_GETAE requests for states with interface ID set. The xfrm_aevent_msgsize() function fails to account for XFRMA_IF_ID attribute space, causing build_aevent() to exceed buffer bounds and hit a BUG_ON assertion, resulting in kernel crash. EPSS exploitation probability is very low at 0.02% despite the local attack vector, suggesting limited real-world impact.
A reference counting error in Linux kernel's cachefiles subsystem allows local authenticated users to trigger memory corruption and potentially escalate privileges. The vulnerability stems from cachefiles_cull() passing a dentry with insufficient reference count to cachefiles_bury_object(), causing a use-after-free condition. With CVSS 7.8 (high severity) but only 0.02% EPSS exploitation probability (5th percentile), this represents a kernel memory safety issue requiring local access with low attack complexity. Patches available in stable kernel versions 6.19.14 and 7.0.
Memory leak in the Linux kernel's Direct Rendering Manager (DRM) vc4 driver allows local authenticated attackers to exhaust kernel memory and trigger a denial of service condition. The vulnerability stems from a missing kfree() call in vc4_free_hang_state() that fails to release a separately allocated BO (buffer object) array, enabling persistent memory exhaustion through repeated hang state operations.
Memory leak in the Linux kernel's vc4 DRM driver allows local authenticated attackers to cause denial of service via memory exhaustion in hang state error handling. The vc4_save_hang_state() function fails to free allocated kernel_state memory on early return paths, enabling a local user with limited privileges to trigger repeated memory leaks and degrade system availability.
Denial of service in Linux kernel lapbether driver allows local authenticated attackers to crash the system by triggering a device type change that violates the ARPHRD_ETHER requirement when transmitting data. The vulnerability exists in the lapbeth_data_transmit() function which assumes the underlying device type remains Ethernet; a local user with low privileges can manipulate the bonding driver to change the device type, causing the kernel to reach an unhandled state and crash. EPSS score of 0.02% indicates low real-world exploitation probability despite the vulnerability being patched across multiple kernel versions.
Memory leak in the Airoha QDMA RX packet processing function allows local authenticated attackers to cause a denial of service through resource exhaustion. The vulnerability occurs when page pool fragments fail to properly return to the pool during error handling in airoha_qdma_rx_process(), allowing an attacker with local access and low privileges to exhaust kernel memory and crash the system. EPSS exploitation probability is extremely low at 0.02%, reflecting the local-only attack vector and privilege requirement.
NULL pointer dereferences in Linux kernel's IPv6 IOAM (In-situ Operations, Administration, and Maintenance) trace data handling cause denial of service when network packets trigger the vulnerable code path. Affects Linux kernel 5.15 through 6.19.14 and mainline branches. Despite CVSS 7.5 High severity with network vector and no authentication, EPSS exploitation probability is very low (0.02%, 4th percentile), and no active exploitation or public POC is identified at time of analysis. Vendor patches available via stable kernel commits.
Null pointer dereference in Linux kernel bridge VLAN filtering code allows local authenticated attackers to trigger a denial of service via a crafted RTM_NEWLINK netlink message with BR_BOOLOPT_FDB_LOCAL_VLAN_0 flag when CONFIG_BRIDGE_VLAN_FILTERING is disabled. The vulnerability occurs because br_fdb_delete_locals_per_vlan_port() and br_fdb_insert_locals_per_vlan_port() dereference a NULL vlan group pointer without validation, causing a kernel panic. No public exploit code identified at time of analysis.
Null pointer dereference in Linux kernel ICMP probe handling crashes systems when IPv6 module is configured but not loaded. The icmp_build_probe() function fails to validate ERR_PTR(-EAFNOSUPPORT) from ipv6_stub->ipv6_dev_find(), passing the error pointer directly to dev_hold() and triggering immediate kernel panic. EPSS probability is low (0.02%, 5th percentile) and no active exploitation confirmed, but CVSS 7.5 High severity reflects trivial remote unauthenticated denial-of-service against vulnerable kernel configurations. Patches available across stable branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0) with upstream commit identifiers confirmed.
Denial of service via NULL pointer dereference in the NFC s3fwrn5 driver's UART receive handler allows local authenticated attackers to crash the system. The vulnerability exists in s3fwrn82_uart_read() which consumes bytes from the serial device before allocating a fresh receive buffer; if memory allocation fails after bytes are already consumed, the function incorrectly reports success while leaving the receive buffer NULL, causing a NULL dereference on the next skb_put_u8() call. This affects Linux kernel versions 5.11 and later, with patches available for stable branches 6.6.136, 6.12.83, 6.18.24, 6.19.14, and 7.0.
Double-free vulnerability in the Linux kernel PCI Hyper-V driver allows local authenticated users to trigger kernel memory corruption and potentially escalate privileges. The flaw occurs in hv_pci_probe() error handling where ida_free() is called twice on the same domain number, leading to memory allocator corruption. Patches released in kernel 6.19.14 and 7.0 fix the issue by removing the redundant ida_free call. EPSS score of 0.02% indicates low exploitation probability in the wild, and no public exploit or KEV listing identified at time of analysis.
Infinite vCPU fault loop in the Linux kernel's mshv (Microsoft Hypervisor) subsystem allows a local guest VM process to permanently spin a host vCPU thread, exhausting host CPU resources. The flaw exists in mshv_handle_gpa_intercept(), which unconditionally attempts page remaps on all movable-memory faults regardless of access permission - when a guest writes to a read-only Guest Physical Address region, the remap succeeds but the region retains its read-only designation, causing an immediate re-fault in a tight loop. Affected kernel versions run from commit b9a66cd5ccbb9fade15d0e427e19470d8ad35b75 through the fix commits; patched releases 6.19.14 and 7.0 are available. No public exploit has been identified and EPSS is 0.01%, consistent with the local, hypervisor-specific attack surface.
Linux kernel ASoC SDCA subsystem crashes on sound card teardown due to IRQ lifecycle mismanagement, causing a local denial of service. IRQ handlers registered via devm_request_threaded_irq() during component probe retain stale references to freed card and kcontrol structures after the sound card is torn down, resulting in null or dangling pointer dereferences and kernel panic. Exploitation requires local low-privilege access and SDCA-capable audio hardware; no public exploit exists and EPSS is extremely low at 0.02% (5th percentile).
NULL pointer dereference in the Linux kernel ixgbevf driver crashes Hyper-V guest VMs during device probe, causing a kernel panic and complete denial of service. The regression was introduced when commit a7075f501bd3 added a .negotiate_features callback to ixgbe_mac_operations and populated it for the standard ops table (ixgbevf_mac_ops) but omitted it from the Hyper-V-specific table (ixgbevf_hv_mac_ops), leaving that pointer NULL on Hyper-V guests. Any Linux system running on Microsoft Hyper-V with an Intel ixgbevf virtual NIC is subject to an automatic kernel crash at module load or boot; no public exploit has been identified at time of analysis and EPSS is 0.02%, reflecting a narrow but reliable impact on the specific deployment combination.
Insufficient memory validation in Linux kernel's XSK (AF_XDP socket) UMEM registration allows local authenticated users to corrupt kernel memory structures, potentially leading to privilege escalation or system crashes. The xdp_umem_reg() function fails to validate adequate headroom space for minimum-sized Ethernet frames and skb_shared_info structures in multi-buffer scenarios, enabling memory corruption when XSK frames are processed. Vendor patches are available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% indicates very low probability of mass exploitation, with no active exploitation or public POC identified.
The AF_XDP socket subsystem (xsk) in the Linux kernel fails to validate that a network device's MTU fits within the usable UMEM frame space at bind time, allowing a local low-privileged user to trigger a kernel denial of service. Usable frame space - chunk size minus headroom and tailroom - can fall below a standard 1500-byte MTU when 2k chunks are used, a gap that became exploitable once tailroom subtraction was introduced. The kernel also omits validation of hardware zero-copy capabilities via net_device::xdp_zc_max_segs. No public exploit has been identified and EPSS is 0.02% (5th percentile), indicating low immediate exploitation risk.
Use-after-free in Linux kernel's XFRM subsystem allows local authenticated users to gain elevated privileges through a race condition during network namespace teardown. The xfrm_policy_fini() function frees policy hash tables without waiting for concurrent RCU readers, enabling attackers with low-level privileges to exploit the timing window between policy deletion and memory deallocation. EPSS score is very low (0.02%, 5th percentile) and no public exploit identified at time of analysis, but CVSS 7.8 reflects high impact if successfully exploited. Vendor-released patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, mainline 7.0).
Reference count leak in the Linux kernel's xfrm IPsec subsystem allows a local low-privileged attacker to exhaust kernel memory, resulting in denial of service. The defect resides in xfrm_migrate_policy_find(), where xfrm_pol_hold_rcu() is called twice - once implicitly by the lookup path (which already returns a held reference) and once redundantly - creating a refcount imbalance that prevents memory reclamation. Discovered by the Linux Verification Center using Syzkaller fuzzing; no public exploit identified at time of analysis, and EPSS is very low at 0.02% (5th percentile), indicating minimal observed exploitation activity.
Uninitialized kernel memory is leaked to userspace through the xfrm_user subsystem's build_mapping() function in the Linux Kernel, where a one-byte compiler padding hole in struct xfrm_usersa_id after the proto field is never zeroed before the structure is copied across the kernel/userspace boundary. Authenticated local users with access to XFRM netlink interfaces can read this stale padding byte, potentially extracting kernel stack or heap fragments usable as an information disclosure primitive. No public exploit exists and EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation probability at this time.
In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix post open error handling Closing a queue doesn't guarantee that all associated page pools are terminated right away, let the refcounting do the work instead of releasing the zcrx ctx directly.
In the Linux kernel, the following vulnerability has been resolved: net: ethernet: xscale: Check for PTP support properly In ixp4xx_get_ts_info() ixp46x_ptp_find() is called unconditionally despite this feature only existing on ixp46x, leading to the following splat from tcpdump: root@OpenWrt:~# tcpdump -vv -X -i eth0 (...) Unable to handle kernel NULL pointer dereference at virtual address 00000238 when read (...) Call trace: ptp_clock_index from ixp46x_ptp_find+0x1c/0x38 ixp46x_ptp_find from ixp4xx_get_ts_info+0x4c/0x64 ixp4xx_get_ts_info from __ethtool_get_ts_info+0x90/0x108 __ethtool_get_ts_info from __dev_ethtool+0xa00/0x2648 __dev_ethtool from dev_ethtool+0x160/0x234 dev_ethtool from dev_ioctl+0x2cc/0x460 dev_ioctl from sock_ioctl+0x1ec/0x524 sock_ioctl from sys_ioctl+0x51c/0xa94 sys_ioctl from ret_fast_syscall+0x0/0x44 (...) Segmentation fault Check for ixp46x in ixp46x_ptp_find() before trying to set up PTP to avoid this. To avoid altering the returned error code from ixp4xx_hwtstamp_set() which before this patch was -EOPNOTSUPP, we return -EOPNOTSUPP from ixp4xx_hwtstamp_set() if ixp46x_ptp_find() fails no matter the error code. The helper function ixp46x_ptp_find() helper returns -ENODEV.
Array bounds overflow in Linux kernel iwlwifi driver for Intel 22000 series wireless chipsets allows adjacent network attackers to achieve arbitrary memory corruption leading to code execution, privilege escalation, or denial of service. The vulnerability stems from insufficient validation of firmware-reported LMAC (Lower MAC) counts in SMEM parsing code, where malicious or corrupted firmware reporting three LMACs (exceeding the hardware-supported two) triggers out-of-bounds array access in fwrt->smem_cfg.lmac[2]. Patches available for kernel 6.18.16, 6.19.6, and mainline 7.0. EPSS exploitation probability is low (0.02%, 5th percentile) with no public exploits or CISA KEV listing, but CVSS 8.8 reflects high impact if exploited through compromised WiFi firmware or adjacent network position.
Integer underflow in the Linux kernel's EFI/CPER firmware error logging function (cper_print_fw_err) allows local authenticated attackers to trigger denial of service via memory dump of unmapped regions, disclose kernel memory contents, or cause system crash when processing malformed EFI firmware error records with invalid offsets. The vulnerability stems from insufficient validation of error record length before subtracting an offset, causing integer wraparound that permits dumping of arbitrary kernel memory regions.
Kernel panic occurs in Linux kernel USB gadget driver (dwc3) when vbus_draw function executes PMIC power-supply APIs from atomic context, causing sleep operations in non-sleepable context. The vulnerability affects Linux kernel versions prior to 5.13 and various stable series (6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) and is resolved by deferring vbus_draw operations to workqueue context. Local authenticated users with privilege level PR:L can trigger denial of service by invoking affected USB gadget functionality, with EPSS exploitation probability at 0.02% percentile indicating extremely low practical risk despite moderate CVSS severity.
Denial of service via kernel panic in the DRM buddy allocator when rounded allocation sizes exceed available memory. Local authenticated attackers can trigger a BUG_ON() crash by requesting contiguous or large-aligned GPU memory allocations that, after power-of-two or block-size rounding, exceed the total VRAM size. Example: a 9GB contiguous allocation request on 10GB VRAM rounds to 16GB, causing immediate kernel panic. No authentication bypass or privilege escalation; requires local access and appropriate user permissions to invoke DRM allocator.
Denial of service via incomplete xattr cleanup in the Linux kernel OCFS2 filesystem causes memory corruption when processing reflinked files with extended attributes. A local user with standard privileges can trigger this vulnerability through crafted xattr operations, resulting in system crashes or data integrity issues. The flaw affects Linux kernel versions from 2.6.32 through multiple recent releases (5.10, 5.15, 6.1, 6.6, 6.12, 6.18, 6.19), with vendor-released patches available for supported stable branches.
Resource leak in Linux kernel xfrm (IPsec) subsystem allows local authenticated users to exhaust kernel memory and trigger denial of service by preventing proper cleanup of IPsec hardware offload device references during network device unregistration. The vulnerability affects XFRM state management when IPsec hardware offloading is configured, particularly when the hardware offload capability (NETIF_F_HW_ESP) is disabled after state creation but before device removal.
Out-of-bounds read in Linux kernel EROFS filesystem allows local attackers with user interaction to read kernel memory and cause denial of service via crafted compressed images. The vulnerability stems from incorrect classification of unaligned plain extents, triggering OOB access in z_erofs_transform_plain(). Vendor patches are available across multiple stable kernel branches (6.15, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, with no active exploitation confirmed at time of analysis.
Resource leak in the Linux kernel's hwmon nct7363 hardware monitor driver allows a local, low-privileged user to cause a denial-of-service condition through repeated reference exhaustion. The vulnerability resides in nct7363_present_pwm_fanin, which calls of_parse_phandle_with_args() but never releases the acquired device node reference via of_node_put(), violating the kernel's reference-counting contract for device tree nodes. Exploitation requires physical or local authenticated access to a system equipped with NCT7363 hardware and the driver loaded; no public exploit exists and no active exploitation is confirmed (EPSS: 0.02%, 4th percentile).
Null pointer dereference in Linux kernel UDP-Lite implementation crashes systems when udp_lib_init_sock() fails during socket initialization. Affects mainline 6.18+ through 6.19.5 and stable 7.0. Remote unauthenticated attackers can trigger denial of service by sending crafted UDP-Lite packets that exploit unhandled initialization errors in udplite_sk_init() and udplitev6_sk_init(), causing NULL pointer access in __udp_enqueue_schedule_skb(). Vendor patches available for 6.18.16, 6.19.6, and 7.0 stable trees. EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation is confirmed at time of analysis.
Use-after-free in the Linux kernel's md/bitmap subsystem triggers a General Protection Fault (GPF) in write_page() during MD array resize operations, resulting in a kernel crash and denial of service. Affected are systems using Software RAID (md) with bitmap support across a wide range of stable kernel series from 3.5 through 7.0, with patches backported to 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, and 6.19.6. No public exploit code exists and the EPSS score of 0.02% (7th percentile) indicates very low exploitation probability; however, Red Hat has issued a formal advisory (RHSA-2026:19568), confirming vendor acknowledgment.
Memory leak in the Linux kernel's tegra-video media driver causes local denial-of-service on NVIDIA Tegra-based systems. The `__tegra_channel_try_format()` function fails to free a V4L2 subdev state object on two error paths after `v4l2_subdev_call()` fails, leaking kernel memory on each invocation. A local authenticated attacker with access to a Tegra video capture device can repeatedly trigger the error paths to exhaust kernel memory, degrading or crashing the system. No public exploit exists and EPSS is 0.02% (7th percentile), consistent with a niche, hardware-specific availability issue.
Hard-lock denial of service in the Linux kernel's Intel VT-d IOMMU subsystem affects systems running PCIe passthrough configurations (QEMU, DPDK) without scalable mode enabled. When a PCIe endpoint's link drops - through surprise removal, link fault, or process termination - the kernel enters an indefinite wait inside qi_submit_sync() attempting an ATS invalidation that the disconnected device can never acknowledge. The existing partial fix (commit 4fc82cd907ac) guards this path only when Intel IOMMU scalable mode is active, leaving non-scalable-mode deployments unprotected. No public exploit identified at time of analysis and EPSS is 0.02%, but the impact is a complete host freeze with no recovery path short of power cycling.
NULL pointer dereferences in the Linux kernel's Apple SMC (System Management Controller) MFD driver expose Apple-hardware systems to local denial-of-service. The struct apple_smc mutex was never initialized in apple_smc_probe(), causing occasional crashes when sub-device probe() functions call apple_smc_read() and attempt to acquire the uninitialized lock. Only local, low-privileged users on Apple hardware running an affected kernel can trigger this condition. No public exploit code exists and no active exploitation has been reported; EPSS sits at 0.02% (4th percentile), consistent with a narrow hardware-specific attack surface.
Null pointer dereference in the Linux kernel's rtl8723bs staging Wi-Fi driver allows a locally authenticated user to crash the kernel, resulting in a denial of service. The `pwlan` variable in `find_network()` is not validated for NULL before being passed to `rtw_free_network_nolock()`, which then dereferences it unconditionally. The flaw has been present since Linux 4.12 and is patched across all active stable branches; no public exploit exists and EPSS sits at 0.02%, confirming negligible exploitation activity.
Memory corruption in Linux kernel XFS filesystem allows authenticated users with write access to trigger kernel assertion failures and system shutdowns via crafted extended attribute operations. The vulnerability stems from incorrect freemap adjustment logic when adding xattrs to leaf blocks, causing the entries array and free space tracking to claim overlapping memory regions. This results in firstused pointer corruption where the name area starts below the end of the entries array. Vendor-released patches are available across multiple stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). Low EPSS score (0.02%, 7th percentile) and no CISA KEV listing indicate no widespread exploitation observed, though the high CVSS 8.8 reflects severe impact on availability and potential for data corruption in XFS filesystems.
Memory leak in the Linux kernel's octeontx2-af CGX driver causes kernel resource exhaustion on systems using Marvell OcteonTX2 network hardware. The rx_fc_pfvf_bmap and tx_fc_pfvf_bmap bitmaps allocated during cgx_lmac_init() are never freed in cgx_lmac_exit(), meaning each unbind/rebind cycle of the driver leaks 16 bytes of kernel memory, detectable via kmemleak. No public exploit is identified at time of analysis, and with an EPSS of 0.02% (7th percentile), real-world exploitation risk is negligible; this is a correctness and stability issue rather than an active security threat.
Denial-of-service in the Linux kernel's pegasus USB-to-Ethernet driver allows a local attacker to crash the kernel by connecting a crafted USB device with mismatched endpoint transfer types. The driver's probe function fills URBs using hardcoded endpoint pipes (bulk RX on ep1, bulk TX on ep2, interrupt on ep3) without first verifying the endpoint descriptors presented by the attached device, leaving it susceptible to assertion failure when types do not match expectations. No active exploitation has been confirmed (not in CISA KEV), and the EPSS score of 0.02% reflects the niche local-access-only attack surface; patches have been released across all major stable kernel branches.
Memory leak in the Linux kernel's MMIO mux driver (mux/mmio subsystem) causes kernel memory exhaustion under local access conditions. The mmio regmap allocated during device probe is never released on probe failure paths or driver unbind, resulting in cumulative memory loss that can degrade availability. No active exploitation is confirmed (not in CISA KEV), and EPSS at 0.02% (4th percentile) reflects minimal real-world exploitation interest, consistent with the local-only attack vector and narrow hardware dependency.
Folio reference leaks in the Linux kernel EROFS filesystem driver allow a local low-privileged user to cause gradual memory resource exhaustion by presenting crafted EROFS images with valid but specially structured volume labels. Affected kernel versions span multiple stable branches including the 6.18 and 6.19 series, as confirmed by ENISA EUVD-2026-27717 and upstream kernel commit data. No public exploit has been identified at time of analysis, and the vulnerability description explicitly limits impact to reference leaks without system crashes, which aligns with the low EPSS score of 0.02% (4th percentile).
A use-after-free flaw in the Linux kernel XFS filesystem's xfs_attr_leaf_hasname() function allows local authenticated attackers to potentially execute arbitrary code with kernel privileges or cause denial of service. The function's problematic calling convention can return a pointer to an already-released buffer when xfs_attr3_leaf_lookup_int fails with specific error codes, creating a memory safety issue. Despite a CVSS score of 7.8, EPSS indicates only 0.02% probability of exploitation (5th percentile), suggesting low real-world targeting. Vendor patches are available across multiple stable kernel versions (6.12.75, 6.18.16, 6.19.6, 7.0), and the fix has been committed upstream.
NULL pointer dereference in the Linux kernel's hid-pl driver (Pantherlord/GreenAsia USB game controllers) allows a local low-privileged user to crash the kernel by triggering force feedback on an improperly initialized device. The root cause is unhandled probe errors during driver initialization that leave NULL pointers in place of valid data structures, which are later dereferenced when force feedback is first invoked. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.02% at the 7th percentile reflects negligible real-world exploitation probability.
Local denial-of-service in the Linux kernel's iris media driver (Qualcomm video codec) results from a regression introduced by commit ad699fa78b59241c9d71a8cafb51525f3dab04d4, now reverted. When a media session enters IRIS_INST_ERROR state and userspace subsequently calls stop_streaming for cleanup, the erroneous check skipped the handler entirely - preventing videobuf2 (vb2) buffer returns and leaving firmware in an inconsistent, non-recoverable state. Affected are systems running the iris V4L2 driver on Qualcomm hardware; no public exploit identified at time of analysis and EPSS is 0.02% (percentile 4%), indicating minimal real-world exploitation activity.
Buffer overflow in Linux kernel's ARM CMN performance monitoring driver allows local attackers with low privileges to execute arbitrary code and gain elevated access. The perf/arm-cmn driver fails to validate hardware configuration parameters against assumed maximum sizes, enabling memory corruption through crafted CMN device configurations. While EPSS indicates low exploitation probability (0.02%), patches are available across all maintained kernel branches (6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) per vendor advisories. The local attack vector and requirement for low-privileged user access limit remote exploitation scenarios.
Incorrect DMA buffer cleanup in the Linux kernel's fsl_ucc_hdlc WAN driver (used on Freescale/NXP QorIQ embedded platforms) causes a double-free of coherent DMA memory, resulting in a kernel panic and system crash. The driver allocates rx_buffer and tx_buffer as a single contiguous DMA region in uhdlc_init() but mistakenly calls dma_free_coherent() twice - once per buffer pointer - in uhdlc_memclean(), corrupting the DMA allocator state. Any authenticated local user or kernel path that triggers interface teardown on affected hardware can cause a complete availability loss. No public exploit identified at time of analysis, and EPSS at 0.02% (7th percentile) reflects near-zero opportunistic exploitation probability given the narrow hardware scope.
NULL pointer dereference in the Linux kernel's powerpc/smp subsystem allows a local authenticated user to crash the kernel, causing a denial of service on PowerPC-based systems. The `parse_thread_groups()` function passes the return value of `kcalloc()` directly to `of_property_read_u32_array()` without validating it for NULL, meaning a failed memory allocation - possible under memory pressure - leads to a kernel panic or oops. No public exploit code exists and this vulnerability is not in CISA KEV; with an EPSS of 0.02% (7th percentile) and architecture-specific scope limited to PowerPC, real-world exploitation risk is low but relevant to IBM POWER server deployments running Red Hat or SUSE Linux.
Deadlock in the Linux Kernel PCI/IOV SR-IOV subsystem allows a local low-privileged user to trigger a kernel hang via a recursive mutex acquisition, resulting in a complete denial of service on the affected host. The root cause is commit 05703271c3cd, which added pci_rescan_remove_lock around SR-IOV enable/disable operations without accounting for the re-entrant path where sriov_del_vfs() is invoked from within pci_stop_and_remove_bus_device_locked(), which already holds the same lock. No public exploit has been identified at time of analysis, and EPSS probability is negligible at 0.02%, consistent with the local-only attack vector.
Denial of service in the Linux kernel's iris media driver results from improper error-path handling during internal buffer allocation. When DMA allocation via dma_alloc_attrs() fails, a partially initialized buffer that was prematurely added to the internal buffers->list remains in that list, leading to inconsistent kernel state and potential resource leaks or NULL-pointer dereferences on subsequent access. Affected systems running Linux 6.15 through pre-patch versions of 6.18 and 6.19 with the iris media subsystem active are at risk; no public exploit has been identified and EPSS is 0.02%, indicating low exploitation probability at time of analysis.
Kernel crash in the Linux remoteproc imx_rproc subsystem (NXP i.MX platform) allows a local authenticated attacker to trigger a denial of service by loading firmware that lacks a resource table. The root cause is imx_rproc_elf_find_loaded_rsc_table() returning a stale non-NULL priv->rsc_table pointer even when rproc->table_ptr is NULL, causing the remoteproc core to dereference what it incorrectly treats as a valid loaded resource table. No public exploit has been identified at time of analysis, and EPSS at 0.02% (7th percentile) reflects the narrow hardware-specific attack surface.
Kernel oops (crash) in the Linux kernel brcmfmac SDIO Wi-Fi driver allows a local low-privileged user to cause a denial-of-service by triggering a probe failure on Broadcom SDIO Wi-Fi hardware. The root cause is a double-assignment of sdiodev->bus across brcmf_sdio_probe() and brcmf_sdiod_probe(), leaving an invalid (non-NULL, error-valued) pointer that brcmf_sdio_remove() later dereferences during cleanup. No public exploit has been identified, EPSS is at the 4th percentile, and this is not listed in CISA KEV; risk is primarily a kernel stability concern in specific hardware configurations.
Missing mutex locking around the `mfd_of_node_list` linked list in the Linux kernel's Multi-Function Device (MFD) core subsystem allows a local low-privileged attacker to trigger a race condition, resulting in a kernel crash and denial of service. The vulnerability spans multiple stable kernel branches from the introducing commit 466a62d7642f through patched releases in 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. No public exploit exists and the EPSS score of 0.02% (7th percentile) reflects negligible community exploitation interest; this is not listed in CISA KEV.
Memory exhaustion in the Linux kernel's iris gen1 media driver allows a local low-privileged user to progressively consume kernel memory until session close, causing a denial of service. The iris driver fails to destroy internal firmware-managed buffers upon receiving the firmware release response, with the leak compounding across video resolution changes as each change allocates new buffers without reclaiming the prior set. No public exploit exists and EPSS sits at the 4th percentile, indicating negligible opportunistic exploitation risk; impact is limited to availability on systems with iris-compatible media hardware.
Local denial-of-service and potential memory corruption in the Linux kernel's ntb_hw_switchtec driver allows a low-privileged local user to trigger undefined behavior via a shift-out-of-bounds condition when the Non-Transparent Bridge (NTB) is configured with zero Memory Window LUTs. The flaw stems from rounddown_pow_of_two being invoked on a zero value, and although no public exploit is identified at time of analysis, the upstream fix is available across multiple stable kernel branches. EPSS is very low at 0.02%, consistent with the local attack vector and narrow hardware-dependent trigger.
NULL pointer dereference in the Linux kernel's HID magicmouse driver allows a local attacker with low privileges to crash the kernel by connecting a crafted USB device that impersonates an Apple Magic Mouse. When a fake USB device provides a custom report descriptor, the input_mapping() hook is never called, leaving msc->input as NULL; subsequent access in input_configured() causes a kernel panic and complete availability loss. No public exploit exists and EPSS is negligible at 0.02% (7th percentile), but the impact is a full system denial of service when exploitation conditions are met.
Uninitialized memory use in Linux Kernel's xfrm6_get_saddr() function allows remote attackers to trigger information disclosure and system instability via crafted IPv6 traffic. The vulnerability affects multiple Long-Term Support (LTS) branches from 2.6.19 through 6.19.6, with vendor-released patches available for 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% indicates low observed exploitation probability despite the network-accessible attack vector and lack of required authentication. Not listed in CISA KEV, and no public exploit code identified at time of analysis.
In the Linux kernel, the following vulnerability has been resolved: reset: gpio: suppress bind attributes in sysfs This is a special device that's created dynamically and is supposed to stay in memory forever. We also currently don't have a devlink between it and the actual reset consumer. Suppress sysfs bind attributes so that user-space can't unbind the device because - as of now - it will cause a use-after-free splat from any user that puts the reset control handle.
In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda: Fix NULL pointer dereference If there's a mismatch between the DAI links in the machine driver and the topology, it is possible that the playback/capture widget is not set, especially in the case of loopback capture for echo reference where we use the dummy DAI link. Return the error when the widget is not set to avoid a null pointer dereference like below when the topology is broken. RIP: 0010:hda_dai_get_ops.isra.0+0x14/0xa0 [snd_sof_intel_hda_common]
In the Linux kernel, the following vulnerability has been resolved: HID: logitech-hidpp: Check maxfield in hidpp_get_report_length() Do not crash when a report has no fields. Fake USB gadgets can send their own HID report descriptors and can define report structures without valid fields. This can be used to crash the kernel over USB.
In the Linux kernel, the following vulnerability has been resolved: media: cx23885: Add missing unmap in snd_cx23885_hw_params() In error path, add cx23885_alsa_dma_unmap() to release the resource acquired by cx23885_alsa_dma_map().
Bluetooth L2CAP implementation in Linux kernel fails to validate encryption key size when processing LE Credit Flow Control connection requests, allowing adjacent network attackers to establish L2CAP connections with insufficient cryptographic strength. This affects kernel versions from 3.14 through 6.19.5, with patches released in stable branches 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, and 6.19.6. EPSS score of 0.01% suggests minimal exploitation likelihood despite the adjacent network attack vector and no authentication requirement. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.
Nested AMD SVM virtualization in Linux kernel KVM incorrectly handles VMLOAD/VMSAVE emulation, allowing local privileged attackers in L2 guests to read and write L1 guest state, potentially escalating privileges or causing denial of service. This affects kernels since commit cc3ed80ae69f (v5.13+) and has been patched in stable releases 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. With 7.9 CVSS (HIGH severity) but only 0.02% EPSS, this is a lower-probability threat requiring local authenticated access to nested virtualization environments. No public exploit or active exploitation (KEV) identified at time of analysis.
Denial of service in Linux kernel dm-verity subsystem allows local authenticated users to crash the system by triggering dm_bufio_client_create() failure in verity_fec_ctr(), which incorrectly passes an error pointer to dm_bufio_client_destroy(). The vulnerability requires local access and authenticated privileges but no user interaction, affecting dm-verity configurations with forward error correction enabled.
Null pointer dereference in the Linux kernel AMD power management (drm/amd/pm) subsystem causes denial of service when SMU (System Management Unit) is disabled during RAS (Reliability, Availability, and Serviceability) initialization. Local authenticated attackers with low privileges can trigger this crash on affected systems, resulting in kernel panic and system unavailability. EPSS exploitation probability is very low (0.02%), indicating this requires specific configuration and local access.
Hard-lockup in Linux kernel IOMMU/VT-d subsystem when flushing device IOTLB during PCIe link-down events affects systems using scalable mode with PASID support. Local authenticated attackers can trigger denial of service by causing PCIe device disconnection followed by resource cleanup operations, such as releasing VFIO group file descriptors, which deadlock the system while attempting ATS invalidation on inaccessible devices. Patch available across multiple stable kernel series.
Linux kernel page fault in ima_restore_measurement_list() when the second-stage kernel is booted via kexec with memory-limiting command lines such as 'mem=<size>' allows local authenticated users to cause a denial of service by triggering an out-of-bounds memory access. The vulnerability occurs on x86_64 architectures when the IMA measurement buffer from the previous kernel falls outside the addressable RAM of the new kernel, resulting in a kernel panic during early IMA restoration.
Double-free vulnerability in Linux kernel RDMA subsystem allows local authenticated attackers to trigger high-severity memory corruption. The flaw in ib_umem_dmabuf_get_pinned_with_dma_device() causes dma_buf_unpin() to be called twice on error paths - once immediately on failure and again during cleanup - enabling potential privilege escalation, system crashes, or information disclosure. Patches available for kernels 6.1.165+, 6.6.128+, 6.12.75+, 6.18.16+, 6.19.6+, and 7.0+. EPSS score of 0.02% indicates low widespread exploitation probability, with no active exploitation or public POCs identified at time of analysis.
A circular locking dependency in the Linux kernel's ntfs3 filesystem driver allows local authenticated attackers with low privileges to cause a denial of service (system hang or crash) by triggering simultaneous operations that deadlock between the MFT run lock and bitmap read-write lock. The vulnerability affects kernel versions prior to 6.18.16, 6.19.6, and 7.0, and requires local access with user-level privileges to exploit.
Use-after-free in Linux kernel ALSA OSS mixer allows authenticated local attackers with low privileges to achieve arbitrary code execution, privilege escalation, or denial of service. The vulnerability stems from insufficient card disconnection checks when OSS mixer layer calls kcontrol operations individually, creating a race condition window where pending calls continue after device removal. Upstream patches available across kernel versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation probability, and no KEV listing or public exploit identified at time of analysis.
Remote unauthenticated attackers can cause critical out-of-bounds writes in the Linux kernel's Distributed Lock Manager (DLM) subsystem by sending malformed network messages with unvalidated length parameters to dlm_dump_rsb_name(). When the length exceeds DLM_RESNAME_MAXLEN, dlm_search_rsb_tree() writes beyond allocated buffers, enabling arbitrary code execution, denial of service, or information disclosure. Patches available for kernel versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS exploitation probability is very low (0.02%, 5th percentile), and no public exploit or active exploitation has been identified at time of analysis, despite the critical CVSS 9.8 score.
Denial of service via null pointer dereference in Linux kernel's pstore persistent storage subsystem occurs when the vmap() function fails but the persistent_ram_vmap() function incorrectly returns success if a non-zero offset is present, allowing subsequent buffer access to dereference invalid memory and cause system crashes. Affects Linux kernel versions prior to 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. No public exploit identified at time of analysis, but vendor-released patches are available across multiple stable branches.
In the Linux kernel, the following vulnerability has been resolved: fbcon: check return value of con2fb_acquire_newinfo() If fbcon_open() fails when called from con2fb_acquire_newinfo() then info->fbcon_par pointer remains NULL which is later dereferenced. Add check for return value of the function con2fb_acquire_newinfo() to avoid it. Found by Linux Verification Center (linuxtesting.org) with SVACE.
In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: Update cpuidle driver check in __acpi_processor_start() Commit 7a8c994cbb2d ("ACPI: processor: idle: Optimize ACPI idle driver registration") moved the ACPI idle driver registration to acpi_processor_driver_init() and acpi_processor_power_init() does not register an idle driver any more. Accordingly, the cpuidle driver check in __acpi_processor_start() needs to be updated to avoid calling acpi_processor_power_init() without a cpuidle driver, in which case the registration of the cpuidle device in that function would lead to a NULL pointer dereference in __cpuidle_register_device().
In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix user_ref race between scrub and refill paths The io_zcrx_put_niov_uref() function uses a non-atomic check-then-decrement pattern (atomic_read followed by separate atomic_dec) to manipulate user_refs. This is serialized against other callers by rq_lock, but io_zcrx_scrub() modifies the same counter with atomic_xchg() WITHOUT holding rq_lock. On SMP systems, the following race exists: CPU0 (refill, holds rq_lock) CPU1 (scrub, no rq_lock) put_niov_uref: atomic_read(uref) - 1 // window opens atomic_xchg(uref, 0) - 1 return_niov_freelist(niov) [PUSH #1] // window closes atomic_dec(uref) - wraps to -1 returns true return_niov(niov) return_niov_freelist(niov) [PUSH #2: DOUBLE-FREE] The same niov is pushed to the freelist twice, causing free_count to exceed nr_iovs. Subsequent freelist pushes then perform an out-of-bounds write (a u32 value) past the kvmalloc'd freelist array into the adjacent slab object. Fix this by replacing the non-atomic read-then-dec in io_zcrx_put_niov_uref() with an atomic_try_cmpxchg loop that atomically tests and decrements user_refs. This makes the operation safe against concurrent atomic_xchg from scrub without requiring scrub to acquire rq_lock. [pavel: removed a warning and a comment]
Use-after-free vulnerability in the Linux kernel rpmsg subsystem allows local attackers with low privileges to cause denial of service by exploiting a race condition between driver_override_show() and driver_override_store() functions. The show function reads the driver_override string without holding the device_lock while the store function modifies and frees it under lock, creating a window for memory corruption. The vulnerability requires local access and non-default timing conditions (AC:H), limiting real-world exploitation probability to 0.02% per EPSS scoring.
Memory leak in rtw88 WiFi driver allows local authenticated attackers to cause denial of service via supported band allocation failure. The rtw_set_supported_band() function in the rtl8821ce WiFi driver failed to free allocated memory in error paths during hardware registration, enabling a local privilege escalation attack that exhausts kernel memory. EPSS exploitation probability is very low (0.02%), indicating this is a hardening fix rather than a critical vulnerability.
Resource leak in Linux kernel's most_register_interface() function allows local attackers with low privileges to cause denial of service through memory exhaustion. The vulnerability occurs when most_register_interface() fails during early initialization stages, returning error codes without properly releasing allocated device resources via put_device(). Patch versions 6.12.75, 6.18.16, 6.19.6, and 7.0 address this issue.
Memory leak in hfsplus filesystem driver causes denial of service when superblock setup fails during mount operations. The vulnerability affects Linux kernels when hfsplus is mounted and the setup_bdev_super() function fails after superblock allocation but before hfsplus_fill_super() completes, leaving filesystem-specific data unfreed. Local authenticated users can trigger this condition to exhaust kernel memory and crash the system.
Double-free memory corruption in Linux kernel RDMA/irdma driver allows local authenticated users to cause denial of service or potentially escalate privileges. The vulnerability occurs during memory region re-registration (rereg_user_mr) when IB_MR_REREG_TRANS flag is set: if umem allocation succeeds but subsequent steps fail, the umem is freed without nulling the pointer, leading to double-free when userspace calls ibv_dereg_mr. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates very low probability of exploitation in the wild, with no active exploitation confirmed (not in CISA KEV).
Data race conditions in the Linux kernel Bluetooth subsystem allow local authenticated attackers to cause denial of service by triggering concurrent access to hdev->req_status without proper synchronization. The vulnerability exists in the HCI synchronous command processing path where __hci_cmd_sync_sk() and multiple other functions access the same variable across different workqueues without holding locks, potentially causing memory corruption or system hangs.
Data corruption in Linux kernel btrfs filesystem log replay allows local authenticated attackers to cause files to retain incorrect sizes after crash recovery. When a file is truncated to zero bytes, fssynced, and then a hardlink is created, the file incorrectly retains its pre-truncation size after a power failure and log replay, resulting in data integrity violation with availability impact.
A kernel crash occurs in Linux btrfs filesystem tracepoint code when OverlayFS is layered on top of btrfs. The btrfs_sync_file() event handler incorrectly dereferences dentry->d_sb, which resolves to the overlay superblock instead of the underlying btrfs superblock, causing a kernel panic during fsid assignment. This affects Linux kernel versions from initial git commit (1da177e4c3f4) through multiple stable branches until patched releases 6.6.136, 6.12.83, 6.18.24, 6.19.14, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. Vendor patches are available across all affected stable kernel branches.
Use-after-free in Linux kernel netfilter ctnetlink allows local authenticated attackers with low privileges to achieve code execution, privilege escalation, or denial of service. The vulnerability stems from insufficient protection when accessing master conntrack objects through expectations - holding a reference on the expectation alone does not prevent the master conntrack from being freed, creating a window where exp->master points to freed memory. Patched in stable kernel versions 6.18.24, 6.19.14, and mainline 7.0. EPSS score of 0.02% (4th percentile) indicates low probability of widespread exploitation, and no public exploit or CISA KEV listing exists at time of analysis, suggesting this remains a lower-priority item despite the 7.8 CVSS score.
Denial of service in Linux kernel tiny SRCU (Synchronize-RCU) subsystem allows local authenticated attackers to trigger a system hang or crash by invoking call_srcu() while holding scheduler locks, causing a circular lock dependency and potential deadlock. The vulnerability affects kernel versions before 6.19.14 and 7.0, with EPSS score of 0.02% indicating low real-world exploitation probability despite moderate CVSS severity.
A logic error in Linux kernel netfilter's AVX2-accelerated nft_set_pipapo matching allows incorrect element matching when flushing and reloading sets with composite keys (e.g., 'ipv4 . port'). The AVX2 code path prematurely returns non-matching entries during multi-field lookups, causing false collision reports when reinserting elements after a set flush. This affects netfilter firewall rule processing on systems with AVX2 CPU support. With CVSS 9.4 (AV:N/AC:L/PR:N/UI:N), the vector suggests critical network-accessible impact, though the description indicates this is a firewall rule management bug rather than a direct remote exploitation path. EPSS score of 0.02% (5th percentile) and no KEV listing suggest low real-world exploitation likelihood. Patches available across stable kernel branches 6.6.136, 6.12.83, 6.18.24, 6.19.14, and 7.0.
Out-of-bounds array indexing in Linux kernel's wl1251 wireless driver allows adjacent network attackers to achieve high-impact memory corruption without authentication. The wl1251_tx_packet_cb() function uses untrusted firmware completion IDs directly to index a fixed 16-entry tx_frames array without bounds validation, enabling attackers on the same wireless network segment to read/write arbitrary kernel memory. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation or public POC identified. However, CVSS 8.8 reflects genuine risk for systems with wl1251 hardware on untrusted networks.
Out-of-bounds read in Linux kernel CIFS client allows network attackers to achieve high-severity impacts including potential code execution, information disclosure, or denial of service when users access maliciously crafted SMB shares. The vulnerability resides in cifs_sanitize_prepath() which improperly handles empty strings or delimiter-only paths, triggering memory access violations confirmed via AddressSanitizer testing. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates low predicted exploitation probability despite high CVSS 8.8, and no active exploitation or public POC identified at time of analysis.
Race condition in Linux kernel HID roccat driver enables local privilege escalation through use-after-free memory corruption. Local authenticated attackers can exploit concurrent access to device reader lists during roccat_report_event() operations, achieving arbitrary code execution with high integrity impact (CVSS 7.8). Vendor-released patches available across multiple kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite moderate severity, suggesting limited weaponization in current threat landscape.
Adjacent network attackers can achieve remote code execution, information disclosure, or denial of service against Linux systems using Broadcom FullMAC wireless drivers by sending malicious WiFi interface events with out-of-bounds bsscfg indices. The brcmfmac driver's firmware event handler fails to validate array indices before accessing the driver's interface list, enabling memory corruption attacks. Vendor patches are available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS exploitation probability is low (0.02%, 5th percentile) and no active exploitation or public POC is identified at time of analysis, but the adjacent network attack vector and high impact warrant priority patching for systems with Broadcom WiFi hardware.
Linux kernel shadow stack implementation fails to check for errors from mmap_read_lock_killable() in shstk_pop_sigframe(), allowing a local authenticated attacker to trigger a denial of service by causing the function to proceed with a failed lock acquisition. The vulnerability affects multiple stable kernel versions prior to patched releases 6.18.24, 6.19.14, and 7.0, with EPSS exploitation probability of 0.02% suggesting low real-world exploit likelihood despite the availability of a vendor patch.
A denial of service vulnerability in the Linux kernel's Qualcomm PD mapper service registry causes system crashes due to mismatched string element length validation in servreg_loc_pfr_req_ei. When a process daemon crashes and triggers a service registry location request, the QMI decoder rejects the reason field because its declared maximum length (65 bytes) is smaller than the actual field size (81 bytes), causing a decoding error and system halt. This affects all Linux kernel versions prior to the patch, triggered by local processes with standard user privileges.
Denial of service in Linux kernel xfrm (IPsec transform) subsystem allows local authenticated attackers to trigger a kernel panic via improper netlink message size calculation when handling XFRM_MSG_GETAE requests for states with interface ID set. The xfrm_aevent_msgsize() function fails to account for XFRMA_IF_ID attribute space, causing build_aevent() to exceed buffer bounds and hit a BUG_ON assertion, resulting in kernel crash. EPSS exploitation probability is very low at 0.02% despite the local attack vector, suggesting limited real-world impact.
A reference counting error in Linux kernel's cachefiles subsystem allows local authenticated users to trigger memory corruption and potentially escalate privileges. The vulnerability stems from cachefiles_cull() passing a dentry with insufficient reference count to cachefiles_bury_object(), causing a use-after-free condition. With CVSS 7.8 (high severity) but only 0.02% EPSS exploitation probability (5th percentile), this represents a kernel memory safety issue requiring local access with low attack complexity. Patches available in stable kernel versions 6.19.14 and 7.0.
Memory leak in the Linux kernel's Direct Rendering Manager (DRM) vc4 driver allows local authenticated attackers to exhaust kernel memory and trigger a denial of service condition. The vulnerability stems from a missing kfree() call in vc4_free_hang_state() that fails to release a separately allocated BO (buffer object) array, enabling persistent memory exhaustion through repeated hang state operations.
Memory leak in the Linux kernel's vc4 DRM driver allows local authenticated attackers to cause denial of service via memory exhaustion in hang state error handling. The vc4_save_hang_state() function fails to free allocated kernel_state memory on early return paths, enabling a local user with limited privileges to trigger repeated memory leaks and degrade system availability.
Denial of service in Linux kernel lapbether driver allows local authenticated attackers to crash the system by triggering a device type change that violates the ARPHRD_ETHER requirement when transmitting data. The vulnerability exists in the lapbeth_data_transmit() function which assumes the underlying device type remains Ethernet; a local user with low privileges can manipulate the bonding driver to change the device type, causing the kernel to reach an unhandled state and crash. EPSS score of 0.02% indicates low real-world exploitation probability despite the vulnerability being patched across multiple kernel versions.
Memory leak in the Airoha QDMA RX packet processing function allows local authenticated attackers to cause a denial of service through resource exhaustion. The vulnerability occurs when page pool fragments fail to properly return to the pool during error handling in airoha_qdma_rx_process(), allowing an attacker with local access and low privileges to exhaust kernel memory and crash the system. EPSS exploitation probability is extremely low at 0.02%, reflecting the local-only attack vector and privilege requirement.
NULL pointer dereferences in Linux kernel's IPv6 IOAM (In-situ Operations, Administration, and Maintenance) trace data handling cause denial of service when network packets trigger the vulnerable code path. Affects Linux kernel 5.15 through 6.19.14 and mainline branches. Despite CVSS 7.5 High severity with network vector and no authentication, EPSS exploitation probability is very low (0.02%, 4th percentile), and no active exploitation or public POC is identified at time of analysis. Vendor patches available via stable kernel commits.
Null pointer dereference in Linux kernel bridge VLAN filtering code allows local authenticated attackers to trigger a denial of service via a crafted RTM_NEWLINK netlink message with BR_BOOLOPT_FDB_LOCAL_VLAN_0 flag when CONFIG_BRIDGE_VLAN_FILTERING is disabled. The vulnerability occurs because br_fdb_delete_locals_per_vlan_port() and br_fdb_insert_locals_per_vlan_port() dereference a NULL vlan group pointer without validation, causing a kernel panic. No public exploit code identified at time of analysis.
Null pointer dereference in Linux kernel ICMP probe handling crashes systems when IPv6 module is configured but not loaded. The icmp_build_probe() function fails to validate ERR_PTR(-EAFNOSUPPORT) from ipv6_stub->ipv6_dev_find(), passing the error pointer directly to dev_hold() and triggering immediate kernel panic. EPSS probability is low (0.02%, 5th percentile) and no active exploitation confirmed, but CVSS 7.5 High severity reflects trivial remote unauthenticated denial-of-service against vulnerable kernel configurations. Patches available across stable branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0) with upstream commit identifiers confirmed.
Denial of service via NULL pointer dereference in the NFC s3fwrn5 driver's UART receive handler allows local authenticated attackers to crash the system. The vulnerability exists in s3fwrn82_uart_read() which consumes bytes from the serial device before allocating a fresh receive buffer; if memory allocation fails after bytes are already consumed, the function incorrectly reports success while leaving the receive buffer NULL, causing a NULL dereference on the next skb_put_u8() call. This affects Linux kernel versions 5.11 and later, with patches available for stable branches 6.6.136, 6.12.83, 6.18.24, 6.19.14, and 7.0.
Double-free vulnerability in the Linux kernel PCI Hyper-V driver allows local authenticated users to trigger kernel memory corruption and potentially escalate privileges. The flaw occurs in hv_pci_probe() error handling where ida_free() is called twice on the same domain number, leading to memory allocator corruption. Patches released in kernel 6.19.14 and 7.0 fix the issue by removing the redundant ida_free call. EPSS score of 0.02% indicates low exploitation probability in the wild, and no public exploit or KEV listing identified at time of analysis.
Infinite vCPU fault loop in the Linux kernel's mshv (Microsoft Hypervisor) subsystem allows a local guest VM process to permanently spin a host vCPU thread, exhausting host CPU resources. The flaw exists in mshv_handle_gpa_intercept(), which unconditionally attempts page remaps on all movable-memory faults regardless of access permission - when a guest writes to a read-only Guest Physical Address region, the remap succeeds but the region retains its read-only designation, causing an immediate re-fault in a tight loop. Affected kernel versions run from commit b9a66cd5ccbb9fade15d0e427e19470d8ad35b75 through the fix commits; patched releases 6.19.14 and 7.0 are available. No public exploit has been identified and EPSS is 0.01%, consistent with the local, hypervisor-specific attack surface.
Linux kernel ASoC SDCA subsystem crashes on sound card teardown due to IRQ lifecycle mismanagement, causing a local denial of service. IRQ handlers registered via devm_request_threaded_irq() during component probe retain stale references to freed card and kcontrol structures after the sound card is torn down, resulting in null or dangling pointer dereferences and kernel panic. Exploitation requires local low-privilege access and SDCA-capable audio hardware; no public exploit exists and EPSS is extremely low at 0.02% (5th percentile).
NULL pointer dereference in the Linux kernel ixgbevf driver crashes Hyper-V guest VMs during device probe, causing a kernel panic and complete denial of service. The regression was introduced when commit a7075f501bd3 added a .negotiate_features callback to ixgbe_mac_operations and populated it for the standard ops table (ixgbevf_mac_ops) but omitted it from the Hyper-V-specific table (ixgbevf_hv_mac_ops), leaving that pointer NULL on Hyper-V guests. Any Linux system running on Microsoft Hyper-V with an Intel ixgbevf virtual NIC is subject to an automatic kernel crash at module load or boot; no public exploit has been identified at time of analysis and EPSS is 0.02%, reflecting a narrow but reliable impact on the specific deployment combination.
Insufficient memory validation in Linux kernel's XSK (AF_XDP socket) UMEM registration allows local authenticated users to corrupt kernel memory structures, potentially leading to privilege escalation or system crashes. The xdp_umem_reg() function fails to validate adequate headroom space for minimum-sized Ethernet frames and skb_shared_info structures in multi-buffer scenarios, enabling memory corruption when XSK frames are processed. Vendor patches are available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% indicates very low probability of mass exploitation, with no active exploitation or public POC identified.
The AF_XDP socket subsystem (xsk) in the Linux kernel fails to validate that a network device's MTU fits within the usable UMEM frame space at bind time, allowing a local low-privileged user to trigger a kernel denial of service. Usable frame space - chunk size minus headroom and tailroom - can fall below a standard 1500-byte MTU when 2k chunks are used, a gap that became exploitable once tailroom subtraction was introduced. The kernel also omits validation of hardware zero-copy capabilities via net_device::xdp_zc_max_segs. No public exploit has been identified and EPSS is 0.02% (5th percentile), indicating low immediate exploitation risk.
Use-after-free in Linux kernel's XFRM subsystem allows local authenticated users to gain elevated privileges through a race condition during network namespace teardown. The xfrm_policy_fini() function frees policy hash tables without waiting for concurrent RCU readers, enabling attackers with low-level privileges to exploit the timing window between policy deletion and memory deallocation. EPSS score is very low (0.02%, 5th percentile) and no public exploit identified at time of analysis, but CVSS 7.8 reflects high impact if successfully exploited. Vendor-released patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, mainline 7.0).
Reference count leak in the Linux kernel's xfrm IPsec subsystem allows a local low-privileged attacker to exhaust kernel memory, resulting in denial of service. The defect resides in xfrm_migrate_policy_find(), where xfrm_pol_hold_rcu() is called twice - once implicitly by the lookup path (which already returns a held reference) and once redundantly - creating a refcount imbalance that prevents memory reclamation. Discovered by the Linux Verification Center using Syzkaller fuzzing; no public exploit identified at time of analysis, and EPSS is very low at 0.02% (5th percentile), indicating minimal observed exploitation activity.
Uninitialized kernel memory is leaked to userspace through the xfrm_user subsystem's build_mapping() function in the Linux Kernel, where a one-byte compiler padding hole in struct xfrm_usersa_id after the proto field is never zeroed before the structure is copied across the kernel/userspace boundary. Authenticated local users with access to XFRM netlink interfaces can read this stale padding byte, potentially extracting kernel stack or heap fragments usable as an information disclosure primitive. No public exploit exists and EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation probability at this time.