Skip to main content

Linux

12819 CVEs vendor

Monthly

CVE-2026-43088 MEDIUM PATCH This Month

Linux kernel PF_KEY IPSEC key management exports leak uninitialized kernel memory via SADB_ACQUIRE, SADB_X_NAT_T_NEW_MAPPING, and SADB_X_MIGRATE messages, allowing local authenticated users to disclose sensitive kernel memory. EPSS score of 0.02% (percentile 5%) indicates minimal real-world exploitation despite patch availability. The 4-byte information leak per message could enable ASLR bypass and kernel address disclosure attacks.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43087 MEDIUM PATCH This Month

Kernel crash in the Linux pinctrl mcp23s08 driver triggers a NULL pointer dereference during device probe when an MCP23S08/MCP23008 GPIO expander retains non-zero interrupt-on-change state across a warm reboot. The crash occurs because the driver's IRQ handler fires against pins whose nested IRQ handlers have not yet been registered, causing an unhandled kernel oops and system denial of service. Exploitation is local and device-specific; no public exploit identified at time of analysis, and EPSS remains at 0.02% (5th percentile) consistent with no observed in-the-wild triggering.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43086 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel IPVS subsystem causes a kernel panic during IPVS service creation failure cleanup, resulting in a full host denial of service. Affected kernels from 6.2 onward contain a logic error in ip_vs_add_service() where a successful scheduler bind sets the local sched variable to NULL; if ip_vs_start_estimator() subsequently fails, the error path calls ip_vs_unbind_scheduler() with that NULL pointer, dereferencing offset 0x30 and triggering a general protection fault. Exploitation requires local authenticated access with CAP_NET_ADMIN privileges; no public exploit is identified and EPSS is 0.02%, indicating very low exploitation probability.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43085 MEDIUM PATCH This Month

Kernel heap memory disclosure in Linux netfilter's nfnetlink_log subsystem exposes four bytes of stale kernel memory to unprivileged local userspace processes when NFLOG batch mode is active. The flaw exists in __nfulnl_send(), which appends an NLMSG_DONE terminator using nlmsg_put() - a helper that zero-pads alignment bytes but does not initialize the nfgenmsg payload itself - resulting in uninitialized kernel heap data transmitted to any userspace NFLOG consumer. No public exploit code exists and no active exploitation has been confirmed; however, CVSS vector AV:L/AC:L/PR:L signals that low-privileged local users can reliably trigger the leak without any special conditions beyond NFLOG batching being in use.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43084 HIGH PATCH This Week

Local privilege escalation in Linux kernel netfilter nfnetlink_queue allows authenticated users with low privileges to execute arbitrary code with high integrity and availability impact via race condition in shared hash table. The vulnerability stems from a use-after-free condition when multiple queues share a global hash table, enabling parallel CPU operations to access freed nf_queue_entry structures. EPSS score is low (0.02%, 5th percentile) indicating minimal observed exploitation activity. Vendor patches available across multiple stable kernel branches (6.12.83, 6.18.24, 6.19.14) with upstream commits confirmed.

Denial Of Service Linux Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43083 CRITICAL PATCH Act Now

Out-of-bounds memory access in Linux kernel IOAM6 networking code allows remote unauthenticated attackers to read sensitive kernel memory or crash systems via crafted IPv6 packets with IOAM trace options. The vulnerability triggers when RX queue indices from ingress devices exceed TX queue counts on egress devices, causing array boundary violations in network qdisc operations. Additionally, a missing spinlock enables race conditions in queue statistics access from concurrent softirq and process contexts. EPSS probability is very low (0.02%, 4th percentile) with no evidence of active exploitation. Vendor patches available across multiple stable kernel branches.

Buffer Overflow Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-43082 MEDIUM PATCH This Month

Denial-of-service via off-by-one allocation in the Linux kernel txgbe network driver allows a local low-privileged user to crash the kernel on systems hosting Wangxun 10GbE NICs. The driver allocates property_entry struct lists without reserving the mandatory null-terminator sentinel slot, meaning kernel subsystems iterating over the list read beyond allocated memory bounds. No active exploitation has been identified and EPSS is extremely low (0.02%, 5th percentile), but patches are available across multiple stable kernel branches including 6.6.136, 6.12.83, 6.18.24, 6.19.14, and 7.0.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43081 MEDIUM PATCH This Month

Incorrect GENERIC_CMD register field masks in the Linux kernel's IPA (IP Accelerator) network driver for IPA v5.0+ hardware trigger a kernel WARN when a 'stop' command is sent to the MPSS (Modem Processor SubSystem) remoteproc while IPA is active. This availability-only vulnerability (CVSS C:N/I:N/A:H) affects authenticated local users on systems with Qualcomm IPA v5.0+ silicon. No public exploit exists and no KEV listing is present; with an EPSS of 0.02% this is a low-urgency stability fix rather than an active threat.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43080 MEDIUM PATCH This Month

Integer overflow in the Linux kernel's l2tp subsystem allows a local low-privileged attacker to cause a denial of service by sending oversized packets through a PPPoL2TP socket with UDP encapsulation. In l2tp_xmit_core() (net/l2tp/l2tp_core.c:1293), the UDP length field - constrained to 16 bits - is assigned a packet length value without any bounds check, silently truncating values exceeding 65535 bytes and producing malformed UDP frames on the wire or triggering a kernel WARN. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but a syzbot reproducer is publicly documented in the upstream patch discussion.

Linux Debian Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43079 MEDIUM PATCH This Month

Out-of-bounds array write in the Linux kernel's Intel uncore PMU driver (`perf/x86/intel/uncore`) causes denial of service on affected Intel multi-die x86 systems. The driver fails to skip discovery table parsing for dies whose CPUs are all offline at boot, allowing the assignment `pmu->boxes[die] = box` in `uncore_pci_pmu_register()` to overflow the boxes array, triggering a kernel WARN or potential memory corruption. Exploitation requires local low-privilege access under a specific hardware and boot configuration; no public exploit exists and EPSS is 0.02%, indicating negligible real-world exploitation likelihood.

Linux Intel Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43078 HIGH PATCH This Week

Memory corruption in the Linux kernel's AF_ALG crypto subsystem allows local authenticated users to execute arbitrary code or cause denial of service through a page reassignment overflow in af_alg_pull_tsgl. The vulnerability affects multiple stable kernel branches (4.14 through 7.0) and has been patched across all maintained versions. With CVSS 7.8 and low attack complexity (AC:L), this presents a realistic privilege escalation path for local attackers, though EPSS exploitation probability remains low at 0.02% and no public exploit or KEV listing exists at time of analysis.

Buffer Overflow Linux Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43077 MEDIUM PATCH This Month

Local denial-of-service in the Linux kernel's AEAD crypto socket interface (`algif_aead`) allows a low-privileged local user to crash the kernel by submitting a decryption request where the minimum receive buffer size check fails to account for the authentication tag length. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) confirms this is a locally exploitable, high-availability-impact issue with no confidentiality or integrity risk. Patches have been released across multiple Linux LTS stable branches (5.10.254, 5.15.204, 6.1.170, 6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0) and Ubuntu has issued multiple USN advisories (USN-8277-1 through USN-8281-1). No public exploit code has been identified and EPSS is 0.02%, indicating no public exploitation activity.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43076 HIGH PATCH This Week

Use-after-free in Linux kernel's OCFS2 filesystem allows local attackers with user interaction to achieve arbitrary code execution, privilege escalation, or denial of service via crafted filesystem images. Affects kernels since initial OCFS2 implementation (2.6.16+) through 6.19.13. Vendor patches available across all supported stable branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) suggests low probability of mass exploitation, though CVSS 7.8 reflects high impact if triggered. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.

Information Disclosure Linux Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43075 HIGH PATCH This Week

Out-of-bounds write in Linux kernel's ocfs2 filesystem driver allows local attackers with low privileges to achieve arbitrary code execution or system crash via a corrupted ocfs2 filesystem image. Exploitation occurs during copy_file_range operations when the malicious id_count field in the inode block exceeds physical inline data capacity, causing a buffer overflow past the inode block buffer. Vendor patches are available across multiple stable kernel versions (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS exploitation probability is low (0.02%, 5th percentile), and no active exploitation or public POC is currently identified.

Buffer Overflow Linux Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43074 HIGH PATCH This Week

Use-after-free in Linux kernel eventpoll subsystem allows local authenticated attackers with low privileges to achieve high-impact compromise including arbitrary code execution, privilege escalation, or system crash. The vulnerability stems from premature deallocation of the eventpoll structure while still in use by concurrent threads, creating a race condition exploitable on systems running affected kernel versions 6.4 through 6.19.x and 6.6.x through 6.12.x. Vendor patches available across all affected stable branches with EPSS indicating low widespread exploitation probability (0.02%, 5th percentile), though local access requirements limit attack surface to already-authenticated users or containerized environments.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43073 MEDIUM PATCH This Month

Misuse of the `__copy_user_nocache()` function in the Linux kernel's x86-64 subsystem - specifically within NTB driver code and several other drivers - causes STAC/CLAC (SMAP-disabling) instructions to execute during kernel-to-kernel memory copies where no user-space access is actually performed. This incorrect usage defeats the Supervisor Mode Access Prevention (SMAP) protection temporarily and, critically, attaches user-space exception handling semantics to pure kernel copies; if a machine check exception or memory fault occurs during this window, the kernel may not handle it gracefully, resulting in a kernel panic. The CVSS availability-high rating (A:H) reflects this crash potential for any local authenticated user able to trigger the affected driver paths. No public exploit has been identified at time of analysis, and EPSS probability is negligible at 0.02%.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43072 MEDIUM PATCH This Month

Unchecked return value in the drm/vc4 DRM driver allows a local low-privileged user to cause a kernel crash and denial of service on systems equipped with Broadcom VideoCore 4 GPU hardware. The driver's initialization path passes the return value of platform_get_irq_byname() - which returns a negative errno on failure - directly into devm_request_threaded_irq() without validation, causing undefined kernel behavior when IRQ resource lookup fails. No public exploit exists and EPSS is 0.02% (7th percentile), but unpatched systems running the vc4 module (primarily Raspberry Pi devices) remain susceptible to local DoS via kernel crash.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43071 CRITICAL PATCH Act Now

Out-of-bounds read in Linux Kernel dentry hashtable can crash the system when dhash_entries boot parameter is set to 1. The vulnerability triggers during directory cache lookups when the hash shift calculation results in access to unallocated memory regions, causing kernel page faults. Affects Linux Kernel versions from initial commit (1da177e4c3f4) through multiple stable branches. Patches available for 6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0.1, and 7.1-rc1. EPSS probability of 0.02% (7th percentile) indicates very low likelihood of exploitation in the wild, and no public exploit code or CISA KEV listing exists, suggesting this remains a theoretical edge-case issue requiring specific kernel boot configuration.

Information Disclosure Linux Buffer Overflow
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-43070 HIGH PATCH This Week

eBPF verifier in Linux kernel allows local privilege escalation through incorrect register ID handling during byte-swap operations. When BPF_END instruction performs byte swapping, the verifier fails to reset scalar register IDs, causing it to incorrectly propagate bounds checks between linked registers. This validation bypass allows authenticated local attackers with BPF program loading privileges to craft malicious eBPF programs that pass verification but achieve out-of-bounds memory access at runtime, potentially escalating to kernel-level code execution. Vendor patches available for affected 6.18.x and 6.19.x branches with EPSS score of 0.02% indicating low observed exploitation probability.

Buffer Overflow Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43069 MEDIUM PATCH This Month

Resource leak in the Linux kernel's Bluetooth hci_ll driver allows a local authenticated user to cause kernel memory exhaustion by repeatedly triggering an error path in download_firmware() where firmware objects allocated by request_firmware() are never released when their content is invalid. Systems equipped with Texas Instruments Bluetooth hardware (using the hci_ll driver) are affected across numerous stable kernel branches dating back to Linux 4.12. No public exploit exists and EPSS is 0.02% (7th percentile), classifying this as a low-urgency maintenance fix; patches are available across all actively maintained stable branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43068 MEDIUM PATCH This Month

Repeated data loss occurs on Linux kernel systems using ext4 filesystems due to the `ext4_mb_find_by_goal()` function failing to skip corrupted block groups during block allocation. Affected kernels from commit 163a203ddb36 through multiple stable branches will continuously attempt to allocate blocks from a group flagged `EXT4_MB_GRP_BBITMAP_CORRUPT`, producing kernel error messages stating 'This should not happen!! Data will be lost' and causing permanent inode data loss. No public exploit has been identified and EPSS is 0.02%, but the availability impact is rated High; this is a resilience defect in ext4 error-handling that requires local access and pre-existing filesystem corruption to manifest.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43067 CRITICAL PATCH Act Now

Linux kernel ext4 filesystem improperly handles block group wraparound in ext4_mb_scan_groups(), allowing allocation of blocks beyond 32-bit limits for indirect-mapped files when stream allocation selects unsupported groups. While CVSS assigns network vector (9.8), this is a local kernel memory corruption issue requiring local filesystem access. EPSS score of 0.02% (7th percentile) indicates low real-world exploitation probability. Patches available across multiple stable kernel branches (6.1.168, 6.6.134, 6.12.80, 6.18.21, 6.19.11). No active exploitation confirmed (not in CISA KEV), no public POC identified at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43066 MEDIUM PATCH This Month

Buffer-head reference leak in Linux kernel ext4 fast-commit replay (ext4_fc_replay_inode()) allows local authenticated users to exhaust kernel memory, resulting in denial of service. Four distinct error paths in the function skip the mandatory brelse() call on iloc.bh, and the function previously masked all errors by always returning 0. No public exploit identified at time of analysis; EPSS at 0.02% (7th percentile) reflects very low real-world exploitation probability and no CISA KEV listing corroborates the absence of observed active exploitation.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43065 MEDIUM PATCH This Month

Availability impact in the Linux kernel's ext4 filesystem subsystem arises from improperly managed discard workqueue lifecycle during remount and unmount operations. When a filesystem mounted with `-o discard` is remounted with `-o nodiscard` and then immediately unmounted, pending `s_discard_work` workqueue items are neither cancelled nor flushed before superblock teardown, potentially causing the work callback to reference freed memory and crash the kernel. Patch commits are confirmed across multiple stable branches; EPSS is 0.02% (7th percentile) and no KEV listing or public exploit exists, indicating negligible real-world exploitation risk outside of automated fuzzer (syzkaller) scenarios.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43064 MEDIUM PATCH This Month

Resource leak in the Linux kernel dmaengine idxd subsystem allows a local low-privileged user to cause availability impact on systems equipped with Intel DSA (Data Streaming Accelerator) or IAA (Intel Analytics Accelerator) hardware. The .release() callback for the associated workqueue fails to free the workqueue when the device object is destroyed, meaning repeated allocation and deallocation cycles progressively exhaust kernel workqueue resources. No public exploit identified at time of analysis, and an EPSS score of 0.02% (7th percentile) confirms negligible real-world exploitation probability; however, patched stable kernel releases are available and should be applied on affected hardware platforms.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43063 HIGH PATCH This Week

Use-after-free in XFS filesystem recovery code allows local attackers with user interaction to achieve high-severity impacts including potential code execution, data corruption, or denial of service. The vulnerability stems from incorrect error handling in xfs_attri_recover_work() where the code attempts to release an inode pointer that was never successfully allocated, causing a dereference of uninitialized memory. Patches are available across multiple kernel versions (6.12.80, 6.18.21, 6.19.11, 7.0), and EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability with no public exploit identified at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43062 HIGH PATCH This Week

Type confusion in Linux kernel's Bluetooth L2CAP Enhanced Credit-Based Reconfiguration Response handler allows adjacent network attackers to trigger integrity violations and potential denial of service. The vulnerability affects kernel versions from 5.7 onwards (commit 15f02b910562) and has vendor patches available across stable branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0). EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability, with no active exploitation confirmed by CISA KEV at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43061 MEDIUM PATCH This Month

TX deadlock in the Linux kernel's 8250 serial UART driver permanently blocks DMA transmissions when a DMA transaction is terminated without its completion callback executing. Specifically, `dmaengine_terminate_async` does not guarantee that `__dma_tx_complete` runs, leaving `dma->tx_running` permanently set and preventing any subsequent TX DMA scheduling. This availability-only denial-of-service (CVSS A:H) requires local low-privileged access and only manifests on systems with 8250 UART hardware operating in DMA mode; no public exploit exists and no KEV listing is present.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43060 HIGH PATCH This Week

Use-after-free in Linux kernel's netfilter nft_ct subsystem allows local authenticated attackers with low privileges to achieve code execution, privilege escalation, or denial of service. The vulnerability stems from stale references to conntrack zone templates, timeout policies, and helper objects in packets queued to nfqueue when these objects are removed. Exploitation probability is low (EPSS 0.02%, 7th percentile) with no active exploitation confirmed at time of analysis. Vendor-released patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0).

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43059 PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") introduced mgmt_pending_valid(), which not only validates the pending command but also unlinks it from the pending list if it is valid. This change in semantics requires updates to several completion handlers to avoid list corruption and memory safety issues. This patch addresses two left-over issues from the aforementioned rework: 1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove() is replaced with mgmt_pending_free() in the success path. Since mgmt_pending_valid() already unlinks the command at the beginning of the function, calling mgmt_pending_remove() leads to a double list_del() and subsequent list corruption/kernel panic. 2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error path is removed. Since the current command is already unlinked by mgmt_pending_valid(), this foreach loop would incorrectly target other pending mesh commands, potentially freeing them while they are still being processed concurrently (leading to UAFs). The redundant mgmt_cmd_status() is also simplified to use cmd->opcode directly.

Information Disclosure Linux
NVD VulDB
EPSS
0.0%
CVE-2026-43058 MEDIUM PATCH This Month

Local denial-of-service in the Linux kernel's vidtv virtual DVB media driver allows an authenticated local user to crash the kernel via a NULL pointer dereference triggered by uninitialized struct fields in vidtv_ts_null_write_into() and vidtv_ts_pcr_write_into(). Affected kernel versions span from commit f90cf6079bf6 across multiple stable branches through Linux 5.10, with fixes backported to 6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0.1, and 7.1-rc1. No public exploit identified at time of analysis, EPSS is 0.02% (7th percentile), and this CVE is not listed in the CISA KEV catalog, reflecting its low real-world exploitation likelihood.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31719 HIGH PATCH This Week

Integrity verification bypass in Linux kernel crypto subsystem's Kerberos 5 encryption module allows remote unauthenticated attackers to bypass cryptographic hash checks when asynchronous decryption completes. The vulnerability stems from incorrect callback chaining that skips krb5enc_dispatch_decrypt_hash() verification entirely during async operations. Exploitation likelihood is low (EPSS 2%, percentile 4%) despite high CVSS severity, though EUVD classifies this as an authentication bypass affecting Linux 6.15+ with patches available for stable branches 6.18.25, 7.0.2, and mainline 7.1-rc1.

Red Hat Suse Authentication Bypass Linux
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31718 CRITICAL PATCH NEWS Act Now

Use-after-free in Linux kernel ksmbd (SMB server) during durable file handle scavenging allows memory corruption and potential remote code execution. When a durable SMB2 file handle survives session disconnect, the cleanup path dereferences a freed connection object via NULL fp->conn pointer during lock cleanup, causing a slab use-after-free. Exploitation probability is extremely low (EPSS 0.02%, 5th percentile) with no active exploitation confirmed. Vendor patches available across multiple stable kernel branches (6.12.84, 6.18.25, 7.0.2, 7.1-rc1) address the asymmetric cleanup by properly managing byte-range lock lifetimes during durable handle reconnection.

Use After Free Memory Corruption Information Disclosure Linux
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31717 HIGH PATCH This Week

Authentication bypass in Linux kernel's ksmbd SMB server allows any authenticated SMB user to hijack orphaned durable file handles by predicting persistent IDs, enabling unauthorized file access with the original owner's privileges. The flaw violates MS-SMB2 requirements for SecurityContext validation during durable handle reconnection. Vendor patches are available across multiple stable kernel branches (6.18.25, 7.0.2, 7.1-rc1). EPSS exploitation probability is low at 0.02% (4th percentile), and no active exploitation or public POC has been identified. CVSS 8.8 reflects high impact but requires low-privilege authentication.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-31716 HIGH PATCH This Week

Integer underflow in Linux kernel NTFS3 driver during journal replay allows local attackers to trigger massive out-of-bounds memory copies into a 4KB buffer when processing corrupted filesystems. The check_file_record() function fails to validate rec->used field before using it in memmove() length calculations across DeleteAttribute, CreateAttribute, and change_attr_size handlers, enabling slab-out-of-bounds writes. No public exploit identified at time of analysis. EPSS score of 0.02% (5th percentile) indicates low exploitation probability. Vendor-released patches available across kernel versions 6.6.136, 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1.

Memory Corruption Buffer Overflow Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31715 HIGH PATCH This Week

Use-after-free in Linux kernel F2FS filesystem allows local authenticated attackers to trigger kernel panic or potentially achieve code execution. The vulnerability (CWE-416) occurs during concurrent write callback and unmount operations when f2fs_write_end_io() decrements page count before checking node inode validity, leading to NULL pointer dereference. Discovered via xfstests generic/107 and syzbot fuzzing. EPSS exploitation probability is low (0.02%, 4th percentile), no active exploitation confirmed. Vendor patches available across stable kernel branches 6.18.25, 7.0.2, and 7.1-rc1.

Information Disclosure Use After Free Memory Corruption Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31714 MEDIUM PATCH This Month

Memory leak in f2fs_rename() function allows local authenticated attackers to cause denial of service through repeated file rename operations. The vulnerability exists in the f2fs filesystem implementation when handling SELinux label initialization during whiteout file creation, due to a missing f2fs_free_filename() call introduced in commit 40b2d55e0452. Vendor patches are available for Linux 6.6.136, 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1.

Red Hat Suse Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31713 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: fuse: abort on fatal signal during sync init When sync init is used and the server exits for some reason (error, crash) while processing FUSE_INIT, the filesystem creation will hang. The reason is that while all other threads will exit, the mounting thread (or process) will keep the device fd open, which will prevent an abort from happening. This is a regression from the async mount case, where the mount was done first, and the FUSE_INIT processing afterwards, in which case there's no such recursive syscall keeping the fd open.

Red Hat Suse Denial Of Service Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31712 HIGH PATCH This Week

Out-of-bounds read in Linux kernel ksmbd allows authenticated SMB clients to trigger memory corruption by crafting malicious DACL ACEs with undersized headers. Attackers with permission to set ACLs on files can cause kernel KASAN reports and state corruption when subsequent CREATE operations walk the stored DACL via smb_check_perm_dacl(). Vendor patches available for kernel versions 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1. EPSS score of 0.02% (5th percentile) indicates low likelihood of mass exploitation despite network attack vector, consistent with the requirement for authenticated access and specific file permission prerequisites.

Linux Memory Corruption Buffer Overflow
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-31711 HIGH PATCH This Week

Resource exhaustion in Linux kernel ksmbd server allows remote unauthenticated attackers to permanently deny SMB service by consuming connection slots through forced allocation failures. The vulnerability leaks active_num_conn counter values when alloc_transport() fails during TCP connection setup on port 445, permanently consuming slots from the max_connections pool until module reload. Attackers can accelerate exhaustion by holding open connections with large RFC1002 lengths (up to 16MB) to trigger memory pressure. EPSS score of 0.11% suggests low observed exploitation probability, and no public exploit or CISA KEV listing exists. Vendor patches available for kernel versions 6.6.136, 6.12.84, 7.0.2, and 7.1-rc1.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-31710 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix dir separator in SMB1 UNIX mounts When calling cifs_mount_get_tcon() with SMB1 UNIX mounts, @cifs_sb->mnt_cifs_flags needs to be read or updated only after calling reset_cifs_unix_caps(), otherwise it might end up with missing CIFS_MOUNT_POSIXACL and CIFS_MOUNT_POSIX_PATHS bits. This fixes the wrong dir separator used in paths caused by the missing CIFS_MOUNT_POSIX_PATHS bit in cifs_sb_info::mnt_cifs_flags.

Red Hat Suse Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31709 HIGH PATCH This Week

Remote unauthenticated attackers can trigger out-of-bounds memory access in the Linux kernel SMB client's DACL parsing code by sending a malicious SMB response with a truncated DACL structure. The vulnerability exists in build_sec_desc() and id_mode_to_cifs_acl() functions which insufficiently validate server-supplied ACL data before rewriting it during chmod/chown operations, allowing ACE traversal beyond validated memory bounds. CVSS 8.8 indicates high severity with network vector requiring user interaction. EPSS score of 0.02% (5th percentile) suggests low observed exploitation probability in the wild, and no active exploitation is confirmed (not in CISA KEV). Vendor patch available targeting Linux kernel 7.0.2 and 7.1-rc1.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-31708 HIGH PATCH This Week

A malicious SMB server can trigger out-of-bounds heap memory disclosure in Linux kernel SMB client (CIFS) through crafted QUERY_INFO responses. Vulnerable Linux kernel versions 5.1 through 6.12.84 do not validate server-reported OutputBufferLength against actual response size before copying data to userspace, allowing a rogue SMB server to expose adjacent kernel heap contents. Patches available across stable kernel branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1). EPSS score of 0.02% indicates low exploitation probability; no active exploitation confirmed. Attack requires user interaction to mount malicious SMB share.

Information Disclosure Buffer Overflow Linux
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-31707 HIGH PATCH This Week

Integer overflow in Linux kernel's ksmbd (SMB server) allows local authenticated attackers to bypass size validation and trigger memory corruption via crafted daemon responses. The vulnerability affects three IPC message handlers that fail to detect arithmetic overflow when computing expected message sizes from attacker-controlled fields (payload_sz, ngroups), enabling out-of-bounds memcpy operations. Vendor patches available for affected 5.15+ kernels. EPSS score 0.02% (5th percentile) indicates low observed exploitation probability. No CISA KEV listing or public exploit identified at time of analysis.

Red Hat Suse Memory Corruption Buffer Overflow Linux
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-31706 HIGH PATCH This Week

Buffer overflow in Linux kernel's ksmbd SMB server allows authenticated remote attackers to trigger ~8 MB heap allocation from manipulated NTACL xattr values, potentially leading to memory exhaustion, information disclosure via uninitialized heap memory, or code execution. Exploitation requires low-privilege SMB authentication plus ability to corrupt backing filesystem metadata (offline xattr tampering or race condition). EPSS score of 0.02% indicates minimal observed exploitation activity. Vendor patches available across multiple stable kernel branches (6.12.84, 6.18.25, 7.0.2, 7.1-rc1).

Red Hat Suse Buffer Overflow Linux
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-31705 CRITICAL PATCH NEWS Act Now

Out-of-bounds write in Linux kernel's ksmbd SMB server allows memory corruption when processing extended attributes (EA) in QUERY_INFO responses. The smb2_get_ea() function performs 4-byte alignment padding without checking remaining buffer space, causing 1-3 bytes to write past allocation boundaries when EA values exactly fill the response buffer. This occurs in compound SMB2 requests where shared response buffers are tightly constrained. EPSS score of 0.02% suggests minimal observed exploitation activity, though the CVSS 9.8 critical rating reflects the theoretical network-accessible, unauthenticated attack surface. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.84, 7.0.2, 7.1-rc1). Not listed in CISA KEV. This represents the third instance of the same vulnerability pattern in ksmbd QUERY_INFO handlers, following fixes in commits beef2634f81f and fda9522ed6af.

Memory Corruption Buffer Overflow Linux
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31704 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ksmbd: use check_add_overflow() to prevent u16 DACL size overflow set_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes in u16 variables. When a file has many POSIX ACL entries, the accumulated size can wrap past 65535, causing the pointer arithmetic (char *)pndace + *size to land within already-written ACEs. Subsequent writes then overwrite earlier entries, and pndacl->size gets a truncated value. Use check_add_overflow() at each accumulation point to detect the wrap before it corrupts the buffer, consistent with existing check_mul_overflow() usage elsewhere in smbacl.c.

Buffer Overflow Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31703 HIGH PATCH This Week

Use-after-free condition in Linux kernel writeback subsystem allows local authenticated attackers to potentially execute arbitrary code, escalate privileges, or trigger kernel crashes. The vulnerability affects Linux kernel versions 6.18.x through 7.1-rc1 and arises from improper synchronization between work queue processing and memory deallocation in inode_switch_wbs_work_fn(). Vendor patches are available across stable kernel branches (6.18.25, 7.0.2, 7.1-rc1) with low EPSS score (0.02%) indicating minimal observed exploitation activity, though the CVSS 7.8 score reflects significant impact if successfully exploited by authenticated local users.

Denial Of Service Linux Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31702 HIGH PATCH This Week

Use-after-free in Linux kernel f2fs compressed writeback allows local authenticated users to trigger memory corruption, potentially executing arbitrary code or causing system crashes. Affects f2fs-compressed filesystems in Linux kernel 5.6 through 7.1-rc2, with patches available in 6.6.136, 6.12.84, 7.0.2, and 7.1-rc1. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite CVSS 7.8 rating. This mirrors CVE-2026-23234's race condition pattern but in the compression code path that was missed by the earlier fix. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.

Information Disclosure Use After Free Memory Corruption Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31701 MEDIUM PATCH This Month

Use-after-free vulnerability in the ALSA caiaq USB audio driver allows local authenticated attackers to cause denial of service by triggering asynchronous card free callbacks after USB device disconnection. The vulnerability stems from missing reference counting on the parent USB device pointer, combined with an inappropriate usb_reset_device() call in the card teardown path. EPSS exploitation probability is minimal (0.02%), and no public exploit code or active exploitation has been identified.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31700 HIGH PATCH This Week

Time-of-check-time-of-use (TOCTOU) race condition in Linux kernel's TPACKET transmission path allows local authenticated attackers with low privileges to bypass vnet_hdr validation checks and potentially achieve privilege escalation, code execution, or system compromise. The vulnerability affects packet socket implementations when PACKET_VNET_HDR is enabled, where concurrent userspace threads can modify mmap'd ring buffer data between kernel validation and use. Vendor-released patches are available for stable kernel branches (6.6.136, 6.12.84, 7.0.2, 7.1-rc1). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV), though the high CVSS 7.8 reflects significant local impact potential.

Race Condition Authentication Bypass Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31699 HIGH PATCH This Week

Buffer overflow in Linux kernel's AMD CCP (Cryptographic Coprocessor) driver leaks kernel memory to userspace when retrieving PEK CSR (Platform Endorsement Key Certificate Signing Request). Affecting Linux kernel 4.16+ through 7.0.x, the vulnerability allows local authenticated users to read arbitrary kernel memory due to improper error handling when firmware returns invalid buffer length requirements. Patches available across stable branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1). EPSS score of 0.02% indicates minimal observed exploitation probability, though the CVSS 7.1 reflects significant confidentiality impact. No CISA KEV listing or public exploit identified at time of analysis.

Memory Corruption Buffer Overflow Google Linux
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-31698 HIGH PATCH This Week

Information disclosure in Linux kernel's AMD Cryptographic Coprocessor (CCP) driver allows local authenticated attackers to leak kernel memory to userspace via out-of-bounds read. When retrieving PDH certificates through SEV ioctl, the driver incorrectly copies data to userspace even after firmware command failures, potentially reading 2084+ bytes beyond allocated buffer boundaries. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation probability. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1) per upstream commits.

Memory Corruption Buffer Overflow Google Linux
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-31697 HIGH PATCH This Week

Buffer overflow in Linux kernel CCP SEV driver allows local authenticated users to leak kernel memory to userspace. When the PSP firmware command to retrieve SEV CPU ID fails due to insufficient buffer size, the driver attempts to copy data beyond the allocated kernel buffer boundary, exposing up to 64 bytes of kernel memory. Exploitation requires local access with low privileges (CVSS PR:L) to invoke the SEV ioctl interface. EPSS score is very low (0.02%, 5th percentile) indicating minimal real-world exploitation observed. No public exploit identified at time of analysis, though the KASAN stack trace in the CVE description provides a clear exploitation path. Patches available across multiple stable kernel branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1).

Memory Corruption Buffer Overflow Google Linux
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-31696 HIGH PATCH This Week

Buffer overflow in Linux kernel rxrpc subsystem allows local authenticated users to trigger memory corruption via malformed key payloads. The non-XDR parsing path in rxrpc_preparse() fails to validate ticket length against AFSTOKEN_RK_TIX_MAX, enabling unprivileged users to supply oversized tickets that cause WARN_ON() triggers and potential memory corruption when keys are read. Vendor patches available for kernel versions 6.6.136, 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1. EPSS score of 0.02% indicates low observed exploitation probability, with no public exploit identified at time of analysis.

Memory Corruption Buffer Overflow Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31695 HIGH PATCH This Week

Use-after-free in Linux kernel virt_wifi driver allows local authenticated users to trigger memory corruption during ethtool operations on virtual WiFi devices being unregistered. The vulnerability stems from improper device parent reference handling via SET_NETDEV_DEV, where ethnl_ops_begin() calls pm_runtime_get_sync() on already-freed memory when a virt_wifi device unregisters concurrently with ethtool operations. Patches are available across multiple stable kernel branches (5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploit identified at time of analysis, though CVSS 7.8 reflects potential for complete system compromise if successfully triggered.

Red Hat Suse Memory Corruption Use After Free Information Disclosure +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31694 HIGH PATCH This Week

A malicious FUSE server can trigger a 24-byte buffer overflow in the Linux kernel's FUSE directory cache implementation on 4 KiB page systems. The fuse_add_dirent_to_cache() function fails to validate that directory entries fit within PAGE_SIZE before copying them to page cache, allowing a server-controlled namelen value of 4095 to produce a 4120-byte serialized record that overflows into adjacent kernel memory. This enables local attackers with FUSE mount privileges to achieve high-severity impacts including arbitrary kernel memory corruption. EPSS exploitation probability is notably low (0.02%, 5th percentile) despite the 7.8 CVSS score, and no public exploit has been identified. Patches are available across multiple stable kernel versions (6.6.136, 6.12.84, 7.0.2, 7.1-rc1, 6.18.25).

Buffer Overflow Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43057 HIGH PATCH This Week

A denial-of-service vulnerability in the Linux kernel's IPv6 checksum GSO fallback logic allows remote unauthenticated attackers to trigger system instability via specially crafted tunneled IPv6 packets with extension headers. The flaw affects network packet processing when NETIF_F_IPV6_CSUM offload is enabled, causing incorrect handling of tunneled traffic that requires software checksumming. EPSS score is low (0.02%, 7th percentile), indicating minimal observed exploitation activity. Vendor-released patches are available across multiple kernel version branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0), confirmed by upstream Linux kernel commits. No public exploit identified at time of analysis, though CVSS vector indicates straightforward network-based exploitation (AV:N/AC:L/PR:N/UI:N).

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43056 HIGH PATCH This Week

Use-after-free in Linux kernel's MANA network driver allows local authenticated attackers to corrupt memory and potentially execute code with kernel privileges. The flaw occurs when auxiliary_device_add() fails in add_adev(), triggering cleanup that frees memory still referenced by subsequent error-handling code. Patches available across stable kernel branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. No CISA KEV listing or public exploit identified at time of analysis.

Information Disclosure Linux Use After Free Memory Corruption Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43055 HIGH PATCH This Week

Uninitialized memory in the Linux kernel SCSI target subsystem (target_core_file) causes write operations to fail unpredictably when bogus ki_write_stream values trigger block device validation checks. Affected versions span Linux kernel 6.16 through development branches, with stable patches released for 6.18.22, 6.19.12, and 7.0. While CVSS scores this as 7.5 High with network vector (AV:N), the description indicates a local kernel subsystem issue affecting SCSI target configurations, suggesting a vector/impact mismatch. EPSS probability is very low (0.02%, 4th percentile) with no evidence of active exploitation or public POC, indicating minimal real-world targeting despite the high CVSS score.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43054 MEDIUM PATCH This Month

tcm_loop target reset handler fails to drain in-flight SCSI commands, violating SCSI error handling contract and causing LUN reference leaks that deadlock configfs LUN unlink operations. Local users with appropriate privileges can trigger denial of service by initiating reset sequences while SCSI commands are in flight, leaving the kernel in an unkillable D-state waiting for LUN reference counts to clear. This is a local denial of service affecting the SCSI target core's tcm_loop loopback driver across multiple kernel versions.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43053 MEDIUM PATCH This Month

XFS filesystem crashes during log recovery when inodes with node-format extended attributes are inactivated following an untimely log shutdown, due to stale metadata block references in the attribute B-tree. Unprivileged local attackers with write access to XFS filesystems can trigger this denial-of-service condition by inducing log shutdown during extended attribute cleanup, causing the filesystem to unmount and require repair. The vulnerability affects Linux kernel versions prior to 6.19.12 and later stable branches.

Denial Of Service Linux Red Hat Suse
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-43052 HIGH PATCH This Week

Logic error in Linux kernel mac80211 TDLS handling allows local authenticated users to modify wireless channel context and HT protection settings by invoking NL80211_TDLS_ENABLE_LINK on non-TDLS stations. Missing validation causes the kernel to apply TDLS-specific operations to regular Wi-Fi stations, potentially disrupting wireless connectivity and creating integrity/availability impacts. Vendor patches available for kernel 6.12.81, 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low probability of exploitation despite CVSS 7.1 rating. No evidence of active exploitation or public POC identified at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43051 HIGH PATCH This Week

An out-of-bounds read vulnerability in the Linux kernel's Wacom HID driver (wacom_intuos_bt_irq function) allows adjacent network attackers to cause information disclosure or denial of service through maliciously crafted short Bluetooth HID reports. The vulnerability affects the Bluetooth interface of Wacom Intuos tablets, where report types 0x03 and 0x04 are processed without validating minimum lengths (22 and 32 bytes respectively), enabling memory reads beyond buffer boundaries. Patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) with no active exploitation confirmed (EPSS 0.02%, not in CISA KEV).

Buffer Overflow Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-43050 HIGH PATCH This Week

Race condition in Linux kernel ATM LEC driver allows local attackers with low privileges to trigger use-after-free memory corruption in sock_def_readable(), potentially achieving arbitrary code execution, privilege escalation, or denial of service. The flaw affects systems using ATM (Asynchronous Transfer Mode) LAN Emulation Client functionality, present since Linux kernel version 2.4 (commit 1da177e4c3f4). EPSS score of 0.02% (7th percentile) suggests low probability of mass exploitation. Vendor patches available across all maintained stable branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). Not listed in CISA KEV; no public exploit code identified at time of analysis.

Authentication Bypass Use After Free Memory Corruption Linux Red Hat +1
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-43049 HIGH PATCH This Week

Use-after-free in Linux kernel HID subsystem allows local attackers with low privileges to achieve arbitrary code execution, privilege escalation, or denial of service when force feedback initialization fails on Logitech G920 racing wheels. The vulnerability occurs when userspace continues accessing freed memory structures (sysfs and /dev/input) after initialization errors. Vendor patches available across multiple stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates very low probability of mass exploitation, consistent with hardware-specific local attack surface requiring physical device presence.

Information Disclosure Use After Free Memory Corruption Linux Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43048 HIGH PATCH This Week

Adjacent network attackers can achieve high-severity code execution, information disclosure, or denial of service in the Linux kernel HID (Human Interface Device) subsystem by exploiting a bounds-checking flaw in hid_report_raw_event(). A bogus memset() operation intended to zero unused buffer space instead creates out-of-bounds read/write conditions when processing malformed HID input reports from adjacent devices (USB, Bluetooth). Vendor patches available for stable branches 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% suggests minimal observed exploitation, but the unauthenticated adjacent-network attack vector with low complexity makes this exploitable in environments with untrusted HID peripherals.

Information Disclosure Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-43047 HIGH PATCH This Week

Out-of-bounds memory writes in Linux kernel HID multitouch driver allow local authenticated users to achieve code execution or crash systems via malicious USB/HID devices. The vulnerability exists in the HID multitouch report parsing logic where mismatched report IDs in feature requests can confuse the HID core. Vendor-released patches are available across multiple kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score is low (0.02%, 7th percentile), indicating minimal observed exploitation attempts. No public exploit code identified at time of analysis.

Linux Memory Corruption Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43046 MEDIUM PATCH This Month

Kernel denial of service via crafted btrfs metadata allowing local attackers to trigger an unguarded BUG_ON() condition during relocation recovery at mount time. The vulnerability arises when a root item on disk contains a non-zero drop_progress with zero drop_level, an invalid state that should not exist but lacks validation on read. CVSS 5.5 reflects local attack vector and availability impact; EPSS 0.02% indicates minimal real-world exploitation likelihood.

Checkpoint Ubuntu Debian Linux Information Disclosure +2
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43045 MEDIUM PATCH This Month

Memory corruption and page reference leaks in the Linux kernel mshv (Microsoft Hyper-V) module occur when pin_user_pages_fast() returns a partial pin count, which the current code incorrectly treats as success. A local authenticated attacker with privileges can trigger this vulnerability to corrupt memory or cause denial of service on systems using the mshv module, particularly in Hyper-V guest environments.

Buffer Overflow Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43044 HIGH PATCH This Week

Memory corruption in the Linux kernel CAAM (Cryptographic Acceleration and Assurance Module) crypto driver allows local authenticated users to corrupt kernel memory and potentially escalate privileges. The vulnerability occurs when HMAC keys longer than the hash block size are processed - the driver allocates a DMA-aligned buffer size but fails to use it, causing the hashed key to overwrite adjacent memory. Vendor patches are available for stable kernel versions 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43043 MEDIUM PATCH This Month

Denial of service in the Linux kernel AF_ALG crypto interface allows local authenticated attackers to trigger a NULL pointer dereference and kernel panic by sending sequential sendmsg() calls that cause scatter-gather list chain operations to fail to properly unmark SGL boundaries. The vulnerability occurs when AF_ALG allocates chained SGL structures without clearing end markers on previous entries, causing the crypto scatterwalk to encounter premature termination and dereference NULL pointers. CVSS 5.5 (AV:L/AC:L/PR:L) reflects local-only attack requirement with low complexity; EPSS 0.02% (7th percentile) indicates minimal real-world exploitation risk despite kernel panic severity.

Denial Of Service Null Pointer Dereference Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43042 HIGH PATCH This Week

Race condition in Linux kernel MPLS subsystem allows local authenticated users to trigger out-of-bounds memory access via concurrent label table resizing. The vulnerability affects RCU-protected codepaths (mpls_forward, mpls_dump_routes) that can obtain inconsistent snapshots of platform_labels array metadata during resize operations, potentially leading to information disclosure or denial of service. Vendor patch available addressing the issue through seqcount-based synchronization. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability, and no active exploitation or public POC identified.

Information Disclosure Linux Buffer Overflow Red Hat Suse
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43041 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak __radix_tree_create() allocates and links intermediate nodes into the tree one by one. If a subsequent allocation fails, the already-linked nodes remain in the tree with no corresponding leaf entry. These orphaned internal nodes are never reclaimed because radix_tree_for_each_slot() only visits slots containing leaf values. The radix_tree API is deprecated in favor of xarray. As suggested by Matthew Wilcox, migrate qrtr_tx_flow from radix_tree to xarray instead of fixing the radix_tree itself [1]. xarray properly handles cleanup of internal nodes - xa_destroy() frees all internal xarray nodes when the qrtr_node is released, preventing the leak. [1] https://lore.kernel.org/all/20260225071623.41275-1-jiayuan.chen@linux.dev/T/

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43040 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak When processing Router Advertisements with user options the kernel builds an RTM_NEWNDUSEROPT netlink message. The nduseroptmsg struct has three padding fields that are never zeroed and can leak kernel data The fix is simple, just zeroes the padding fields.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43039 CRITICAL PATCH Act Now

Remote code execution and information disclosure in Linux Kernel's TI ICSSG PRU Ethernet driver allows unauthenticated network attackers to leak kernel heap memory to userspace and potentially corrupt page_pool state. The zero-copy RX dispatch path fails to copy received packet data into newly allocated skbs, instead forwarding uninitialized heap memory up the network stack. Vendor patches available for kernel 6.19.12 and 7.0. EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity despite critical CVSS 9.8 rating and network attack vector.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43038 CRITICAL PATCH Act Now

Memory corruption in Linux kernel IPv6 ICMP error handling allows remote unauthenticated attackers to potentially achieve code execution or information disclosure. The vulnerability arises from incomplete control block (CB) sanitization when converting IPv4 ICMP errors to ICMPv6, enabling forged CIPSO options in outer IPv4 packets to manipulate inner IPv6 packet parsing. This can trigger out-of-bounds memory access extending into skb_shared_info structures. Despite CVSS 9.8 critical rating, EPSS exploitation probability is extremely low (0.02%, 7th percentile), no public exploit code exists, and CISA has not listed this as actively exploited. Patches are available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).

Information Disclosure Linux Memory Corruption
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43037 CRITICAL PATCH Act Now

A stack-based buffer overflow in the Linux kernel's IPv6-to-IPv4 tunneling (ip6_tunnel) code allows remote unauthenticated attackers to achieve arbitrary code execution. The vulnerability occurs when ip4ip6_err() passes a cloned skb with IPv6-formatted control buffer data to icmp_send(), which misinterprets it as IPv4 control buffer data. This type confusion causes __ip_options_echo() to read attacker-controlled packet data as a length value and copy up to that many bytes into a fixed 40-byte stack buffer, enabling remote exploitation with no prerequisites. EPSS score of 0.02% suggests limited exploitation probability despite critical CVSS 9.8 rating. Vendor-released patches are available across all maintained kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0).

Linux Memory Corruption Buffer Overflow
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43036 MEDIUM PATCH This Month

Linux kernel GSO feature check reads uninitialized IPv4 header data when processing packets from PF_PACKET paths, causing kernel memory disclosure or denial of service. The vulnerability affects multiple kernel versions before 6.12.81, 6.19.12, and 7.0, and requires local user access to trigger via raw packet injection.

Code Injection Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43035 MEDIUM PATCH This Month

Information disclosure in the Linux kernel's traffic control (tc) scheduler allows local users with low privileges to read uninitialized kernel heap memory through the tc_chain_fill_node() function, which fails to zero-initialize the tcm_info field in netlink messages before transmission to userspace. The vulnerability affects multiple stable kernel series and has a vendor-released patch available across all affected versions.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43034 MEDIUM PATCH This Month

A local denial of service vulnerability in the Linux kernel bnxt_en driver allows authenticated local users to crash the system by triggering an out-of-bounds array access during backing store capability queries. The vulnerability stems from incorrect use of firmware-provided type values to index fixed metadata arrays, rather than using the known loop iteration index. Exploitation requires local access and user-level privileges (PR:L), and no active exploitation has been reported.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43033 HIGH PATCH This Week

Memory corruption in Linux kernel's crypto authencesn subsystem allows local authenticated attackers to disclose sensitive kernel memory, modify data integrity, or cause denial of service through improper handling of sequence bits during out-of-place decryption operations. The vulnerability affects Linux kernel versions from 4.3 through multiple stable branches (5.10.x, 5.15.x, 6.1.x, 6.6.x, 6.12.x, 6.18.x, 6.19.x) with patches available across all affected branches. EPSS exploitation probability is low (0.02%, 7th percentile) and no active exploitation or public POC has been identified.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43032 MEDIUM PATCH This Month

Denial of service in the Linux kernel NFC PN533 UART driver allows local authenticated attackers to exhaust memory by sending malformed NFC frames without valid headers, causing unbounded socket buffer growth until kernel crash. Affects Linux 5.5 through 7.0 with patches available across all maintained stable branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0); EPSS exploitation probability is minimal at 0.02%, but local privilege is required.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43031 HIGH PATCH This Week

Linux kernel axienet driver can permanently stall network transmit queues due to incorrect Byte Queue Limits (BQL) accounting when scatter-gather TX packets span multiple NAPI polls. When a multi-buffer-descriptor packet completes across different polling cycles, only partial byte counts are credited to BQL, causing the subsystem to incorrectly believe bytes remain in-flight indefinitely and halting transmission. Vendor patches available for stable branches (6.18.22, 6.19.12, 7.0). EPSS exploitation probability is 2% (4th percentile), no active exploitation confirmed, indicating low real-world targeting despite the 7.5 CVSS score.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43030 HIGH PATCH This Week

A logic error in the Linux kernel's BPF verifier regsafe() function allows local attackers with low privileges to exploit improper state exploration for packet pointer ranges, potentially leading to high confidentiality, integrity, and availability impacts. The vulnerability affects multiple stable kernel branches from 5.10 through 6.19, with vendor patches available across all affected versions. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43029 HIGH PATCH This Week

Denial of service via soft lockup in Linux kernel MPTCP (Multipath TCP) receive function allows remote unauthenticated attackers to lock up a CPU core indefinitely when applications use MSG_PEEK with MSG_WAITALL flags. The vulnerability stems from improper handling of peeked socket buffers that remain in the receive queue, causing sk_wait_data() to never actually wait and spinning in an infinite loop. EPSS score is low (0.02%, 4th percentile) indicating minimal observed exploitation probability. Vendor patches available for kernel versions 6.18.x and 6.19.x series.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43028 HIGH PATCH This Week

Local privilege escalation and information disclosure in Linux kernel netfilter x_tables subsystem allows authenticated local users to leak memory contents or crash the system due to improper null-termination validation of string names passed to c-string functions. CVSS 7.1 (High/Confidentiality, High/Availability impact) but low real-world priority: EPSS 0.02% (7th percentile) indicates minimal observed exploitation likelihood. Patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). No active exploitation confirmed, no POC identified, requires local authenticated access with low privileges.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43027 HIGH PATCH This Week

Use-after-free in Linux kernel netfilter subsystem allows local authenticated attackers to corrupt memory and potentially execute arbitrary code with kernel privileges. The vulnerability occurs when unregistering connection tracking helpers - expectations referencing the helper survive cleanup and later dereference the freed helper object during expectation dumps or new connection establishment. Vendor-released patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% indicates low observed exploitation probability; no active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.

Information Disclosure Use After Free Memory Corruption Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43026 MEDIUM PATCH This Month

Information disclosure in the Linux kernel netfilter ctnetlink module allows local authenticated users to read stale NAT configuration data from kernel memory via a crafted netlink message. When ctnetlink_alloc_expect() allocates connection tracking expectations without initializing NAT fields, uninitialized memory containing sensitive data from previous slab allocations is exposed to userspace during expectation dumps. This requires local access and low-privileged authentication (PR:L) but carries a high availability impact due to potential memory disclosure vectors.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43025 HIGH PATCH This Week

A buffer overflow in the Linux kernel netfilter ctnetlink subsystem allows authenticated local attackers to read arbitrary kernel memory. The vulnerability arises when userspace provides a helper name for a new expectation that differs from the master conntrack helper, causing the kernel to read 4 bytes beyond the expectation boundary. Vendor-released patches are available across multiple stable kernel branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). Despite a CVSS base score of 7.3, the EPSS score is exceptionally low (0.02%, 7th percentile), indicating minimal observed exploitation attempts, and the vulnerability is not listed in CISA KEV, suggesting no confirmed active exploitation.

Buffer Overflow Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Linux kernel PF_KEY IPSEC key management exports leak uninitialized kernel memory via SADB_ACQUIRE, SADB_X_NAT_T_NEW_MAPPING, and SADB_X_MIGRATE messages, allowing local authenticated users to disclose sensitive kernel memory. EPSS score of 0.02% (percentile 5%) indicates minimal real-world exploitation despite patch availability. The 4-byte information leak per message could enable ASLR bypass and kernel address disclosure attacks.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel crash in the Linux pinctrl mcp23s08 driver triggers a NULL pointer dereference during device probe when an MCP23S08/MCP23008 GPIO expander retains non-zero interrupt-on-change state across a warm reboot. The crash occurs because the driver's IRQ handler fires against pins whose nested IRQ handlers have not yet been registered, causing an unhandled kernel oops and system denial of service. Exploitation is local and device-specific; no public exploit identified at time of analysis, and EPSS remains at 0.02% (5th percentile) consistent with no observed in-the-wild triggering.

Linux Denial Of Service Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel IPVS subsystem causes a kernel panic during IPVS service creation failure cleanup, resulting in a full host denial of service. Affected kernels from 6.2 onward contain a logic error in ip_vs_add_service() where a successful scheduler bind sets the local sched variable to NULL; if ip_vs_start_estimator() subsequently fails, the error path calls ip_vs_unbind_scheduler() with that NULL pointer, dereferencing offset 0x30 and triggering a general protection fault. Exploitation requires local authenticated access with CAP_NET_ADMIN privileges; no public exploit is identified and EPSS is 0.02%, indicating very low exploitation probability.

Linux Null Pointer Dereference Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel heap memory disclosure in Linux netfilter's nfnetlink_log subsystem exposes four bytes of stale kernel memory to unprivileged local userspace processes when NFLOG batch mode is active. The flaw exists in __nfulnl_send(), which appends an NLMSG_DONE terminator using nlmsg_put() - a helper that zero-pads alignment bytes but does not initialize the nfgenmsg payload itself - resulting in uninitialized kernel heap data transmitted to any userspace NFLOG consumer. No public exploit code exists and no active exploitation has been confirmed; however, CVSS vector AV:L/AC:L/PR:L signals that low-privileged local users can reliably trigger the leak without any special conditions beyond NFLOG batching being in use.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Linux kernel netfilter nfnetlink_queue allows authenticated users with low privileges to execute arbitrary code with high integrity and availability impact via race condition in shared hash table. The vulnerability stems from a use-after-free condition when multiple queues share a global hash table, enabling parallel CPU operations to access freed nf_queue_entry structures. EPSS score is low (0.02%, 5th percentile) indicating minimal observed exploitation activity. Vendor patches available across multiple stable kernel branches (6.12.83, 6.18.24, 6.19.14) with upstream commits confirmed.

Denial Of Service Linux Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds memory access in Linux kernel IOAM6 networking code allows remote unauthenticated attackers to read sensitive kernel memory or crash systems via crafted IPv6 packets with IOAM trace options. The vulnerability triggers when RX queue indices from ingress devices exceed TX queue counts on egress devices, causing array boundary violations in network qdisc operations. Additionally, a missing spinlock enables race conditions in queue statistics access from concurrent softirq and process contexts. EPSS probability is very low (0.02%, 4th percentile) with no evidence of active exploitation. Vendor patches available across multiple stable kernel branches.

Buffer Overflow Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial-of-service via off-by-one allocation in the Linux kernel txgbe network driver allows a local low-privileged user to crash the kernel on systems hosting Wangxun 10GbE NICs. The driver allocates property_entry struct lists without reserving the mandatory null-terminator sentinel slot, meaning kernel subsystems iterating over the list read beyond allocated memory bounds. No active exploitation has been identified and EPSS is extremely low (0.02%, 5th percentile), but patches are available across multiple stable kernel branches including 6.6.136, 6.12.83, 6.18.24, 6.19.14, and 7.0.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Incorrect GENERIC_CMD register field masks in the Linux kernel's IPA (IP Accelerator) network driver for IPA v5.0+ hardware trigger a kernel WARN when a 'stop' command is sent to the MPSS (Modem Processor SubSystem) remoteproc while IPA is active. This availability-only vulnerability (CVSS C:N/I:N/A:H) affects authenticated local users on systems with Qualcomm IPA v5.0+ silicon. No public exploit exists and no KEV listing is present; with an EPSS of 0.02% this is a low-urgency stability fix rather than an active threat.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Integer overflow in the Linux kernel's l2tp subsystem allows a local low-privileged attacker to cause a denial of service by sending oversized packets through a PPPoL2TP socket with UDP encapsulation. In l2tp_xmit_core() (net/l2tp/l2tp_core.c:1293), the UDP length field - constrained to 16 bits - is assigned a packet length value without any bounds check, silently truncating values exceeding 65535 bytes and producing malformed UDP frames on the wire or triggering a kernel WARN. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but a syzbot reproducer is publicly documented in the upstream patch discussion.

Linux Debian Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Out-of-bounds array write in the Linux kernel's Intel uncore PMU driver (`perf/x86/intel/uncore`) causes denial of service on affected Intel multi-die x86 systems. The driver fails to skip discovery table parsing for dies whose CPUs are all offline at boot, allowing the assignment `pmu->boxes[die] = box` in `uncore_pci_pmu_register()` to overflow the boxes array, triggering a kernel WARN or potential memory corruption. Exploitation requires local low-privilege access under a specific hardware and boot configuration; no public exploit exists and EPSS is 0.02%, indicating negligible real-world exploitation likelihood.

Linux Intel Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Memory corruption in the Linux kernel's AF_ALG crypto subsystem allows local authenticated users to execute arbitrary code or cause denial of service through a page reassignment overflow in af_alg_pull_tsgl. The vulnerability affects multiple stable kernel branches (4.14 through 7.0) and has been patched across all maintained versions. With CVSS 7.8 and low attack complexity (AC:L), this presents a realistic privilege escalation path for local attackers, though EPSS exploitation probability remains low at 0.02% and no public exploit or KEV listing exists at time of analysis.

Buffer Overflow Linux Memory Corruption
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local denial-of-service in the Linux kernel's AEAD crypto socket interface (`algif_aead`) allows a low-privileged local user to crash the kernel by submitting a decryption request where the minimum receive buffer size check fails to account for the authentication tag length. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) confirms this is a locally exploitable, high-availability-impact issue with no confidentiality or integrity risk. Patches have been released across multiple Linux LTS stable branches (5.10.254, 5.15.204, 6.1.170, 6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0) and Ubuntu has issued multiple USN advisories (USN-8277-1 through USN-8281-1). No public exploit code has been identified and EPSS is 0.02%, indicating no public exploitation activity.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel's OCFS2 filesystem allows local attackers with user interaction to achieve arbitrary code execution, privilege escalation, or denial of service via crafted filesystem images. Affects kernels since initial OCFS2 implementation (2.6.16+) through 6.19.13. Vendor patches available across all supported stable branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) suggests low probability of mass exploitation, though CVSS 7.8 reflects high impact if triggered. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.

Information Disclosure Linux Use After Free +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds write in Linux kernel's ocfs2 filesystem driver allows local attackers with low privileges to achieve arbitrary code execution or system crash via a corrupted ocfs2 filesystem image. Exploitation occurs during copy_file_range operations when the malicious id_count field in the inode block exceeds physical inline data capacity, causing a buffer overflow past the inode block buffer. Vendor patches are available across multiple stable kernel versions (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS exploitation probability is low (0.02%, 5th percentile), and no active exploitation or public POC is currently identified.

Buffer Overflow Linux Memory Corruption
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel eventpoll subsystem allows local authenticated attackers with low privileges to achieve high-impact compromise including arbitrary code execution, privilege escalation, or system crash. The vulnerability stems from premature deallocation of the eventpoll structure while still in use by concurrent threads, creating a race condition exploitable on systems running affected kernel versions 6.4 through 6.19.x and 6.6.x through 6.12.x. Vendor patches available across all affected stable branches with EPSS indicating low widespread exploitation probability (0.02%, 5th percentile), though local access requirements limit attack surface to already-authenticated users or containerized environments.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Misuse of the `__copy_user_nocache()` function in the Linux kernel's x86-64 subsystem - specifically within NTB driver code and several other drivers - causes STAC/CLAC (SMAP-disabling) instructions to execute during kernel-to-kernel memory copies where no user-space access is actually performed. This incorrect usage defeats the Supervisor Mode Access Prevention (SMAP) protection temporarily and, critically, attaches user-space exception handling semantics to pure kernel copies; if a machine check exception or memory fault occurs during this window, the kernel may not handle it gracefully, resulting in a kernel panic. The CVSS availability-high rating (A:H) reflects this crash potential for any local authenticated user able to trigger the affected driver paths. No public exploit has been identified at time of analysis, and EPSS probability is negligible at 0.02%.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Unchecked return value in the drm/vc4 DRM driver allows a local low-privileged user to cause a kernel crash and denial of service on systems equipped with Broadcom VideoCore 4 GPU hardware. The driver's initialization path passes the return value of platform_get_irq_byname() - which returns a negative errno on failure - directly into devm_request_threaded_irq() without validation, causing undefined kernel behavior when IRQ resource lookup fails. No public exploit exists and EPSS is 0.02% (7th percentile), but unpatched systems running the vc4 module (primarily Raspberry Pi devices) remain susceptible to local DoS via kernel crash.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds read in Linux Kernel dentry hashtable can crash the system when dhash_entries boot parameter is set to 1. The vulnerability triggers during directory cache lookups when the hash shift calculation results in access to unallocated memory regions, causing kernel page faults. Affects Linux Kernel versions from initial commit (1da177e4c3f4) through multiple stable branches. Patches available for 6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0.1, and 7.1-rc1. EPSS probability of 0.02% (7th percentile) indicates very low likelihood of exploitation in the wild, and no public exploit code or CISA KEV listing exists, suggesting this remains a theoretical edge-case issue requiring specific kernel boot configuration.

Information Disclosure Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

eBPF verifier in Linux kernel allows local privilege escalation through incorrect register ID handling during byte-swap operations. When BPF_END instruction performs byte swapping, the verifier fails to reset scalar register IDs, causing it to incorrectly propagate bounds checks between linked registers. This validation bypass allows authenticated local attackers with BPF program loading privileges to craft malicious eBPF programs that pass verification but achieve out-of-bounds memory access at runtime, potentially escalating to kernel-level code execution. Vendor patches available for affected 6.18.x and 6.19.x branches with EPSS score of 0.02% indicating low observed exploitation probability.

Buffer Overflow Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource leak in the Linux kernel's Bluetooth hci_ll driver allows a local authenticated user to cause kernel memory exhaustion by repeatedly triggering an error path in download_firmware() where firmware objects allocated by request_firmware() are never released when their content is invalid. Systems equipped with Texas Instruments Bluetooth hardware (using the hci_ll driver) are affected across numerous stable kernel branches dating back to Linux 4.12. No public exploit exists and EPSS is 0.02% (7th percentile), classifying this as a low-urgency maintenance fix; patches are available across all actively maintained stable branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Repeated data loss occurs on Linux kernel systems using ext4 filesystems due to the `ext4_mb_find_by_goal()` function failing to skip corrupted block groups during block allocation. Affected kernels from commit 163a203ddb36 through multiple stable branches will continuously attempt to allocate blocks from a group flagged `EXT4_MB_GRP_BBITMAP_CORRUPT`, producing kernel error messages stating 'This should not happen!! Data will be lost' and causing permanent inode data loss. No public exploit has been identified and EPSS is 0.02%, but the availability impact is rated High; this is a resilience defect in ext4 error-handling that requires local access and pre-existing filesystem corruption to manifest.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Linux kernel ext4 filesystem improperly handles block group wraparound in ext4_mb_scan_groups(), allowing allocation of blocks beyond 32-bit limits for indirect-mapped files when stream allocation selects unsupported groups. While CVSS assigns network vector (9.8), this is a local kernel memory corruption issue requiring local filesystem access. EPSS score of 0.02% (7th percentile) indicates low real-world exploitation probability. Patches available across multiple stable kernel branches (6.1.168, 6.6.134, 6.12.80, 6.18.21, 6.19.11). No active exploitation confirmed (not in CISA KEV), no public POC identified at time of analysis.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Buffer-head reference leak in Linux kernel ext4 fast-commit replay (ext4_fc_replay_inode()) allows local authenticated users to exhaust kernel memory, resulting in denial of service. Four distinct error paths in the function skip the mandatory brelse() call on iloc.bh, and the function previously masked all errors by always returning 0. No public exploit identified at time of analysis; EPSS at 0.02% (7th percentile) reflects very low real-world exploitation probability and no CISA KEV listing corroborates the absence of observed active exploitation.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Availability impact in the Linux kernel's ext4 filesystem subsystem arises from improperly managed discard workqueue lifecycle during remount and unmount operations. When a filesystem mounted with `-o discard` is remounted with `-o nodiscard` and then immediately unmounted, pending `s_discard_work` workqueue items are neither cancelled nor flushed before superblock teardown, potentially causing the work callback to reference freed memory and crash the kernel. Patch commits are confirmed across multiple stable branches; EPSS is 0.02% (7th percentile) and no KEV listing or public exploit exists, indicating negligible real-world exploitation risk outside of automated fuzzer (syzkaller) scenarios.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource leak in the Linux kernel dmaengine idxd subsystem allows a local low-privileged user to cause availability impact on systems equipped with Intel DSA (Data Streaming Accelerator) or IAA (Intel Analytics Accelerator) hardware. The .release() callback for the associated workqueue fails to free the workqueue when the device object is destroyed, meaning repeated allocation and deallocation cycles progressively exhaust kernel workqueue resources. No public exploit identified at time of analysis, and an EPSS score of 0.02% (7th percentile) confirms negligible real-world exploitation probability; however, patched stable kernel releases are available and should be applied on affected hardware platforms.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in XFS filesystem recovery code allows local attackers with user interaction to achieve high-severity impacts including potential code execution, data corruption, or denial of service. The vulnerability stems from incorrect error handling in xfs_attri_recover_work() where the code attempts to release an inode pointer that was never successfully allocated, causing a dereference of uninitialized memory. Patches are available across multiple kernel versions (6.12.80, 6.18.21, 6.19.11, 7.0), and EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability with no public exploit identified at time of analysis.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Type confusion in Linux kernel's Bluetooth L2CAP Enhanced Credit-Based Reconfiguration Response handler allows adjacent network attackers to trigger integrity violations and potential denial of service. The vulnerability affects kernel versions from 5.7 onwards (commit 15f02b910562) and has vendor patches available across stable branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0). EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability, with no active exploitation confirmed by CISA KEV at time of analysis.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

TX deadlock in the Linux kernel's 8250 serial UART driver permanently blocks DMA transmissions when a DMA transaction is terminated without its completion callback executing. Specifically, `dmaengine_terminate_async` does not guarantee that `__dma_tx_complete` runs, leaving `dma->tx_running` permanently set and preventing any subsequent TX DMA scheduling. This availability-only denial-of-service (CVSS A:H) requires local low-privileged access and only manifests on systems with 8250 UART hardware operating in DMA mode; no public exploit exists and no KEV listing is present.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel's netfilter nft_ct subsystem allows local authenticated attackers with low privileges to achieve code execution, privilege escalation, or denial of service. The vulnerability stems from stale references to conntrack zone templates, timeout policies, and helper objects in packets queued to nfqueue when these objects are removed. Exploitation probability is low (EPSS 0.02%, 7th percentile) with no active exploitation confirmed at time of analysis. Vendor-released patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0).

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") introduced mgmt_pending_valid(), which not only validates the pending command but also unlinks it from the pending list if it is valid. This change in semantics requires updates to several completion handlers to avoid list corruption and memory safety issues. This patch addresses two left-over issues from the aforementioned rework: 1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove() is replaced with mgmt_pending_free() in the success path. Since mgmt_pending_valid() already unlinks the command at the beginning of the function, calling mgmt_pending_remove() leads to a double list_del() and subsequent list corruption/kernel panic. 2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error path is removed. Since the current command is already unlinked by mgmt_pending_valid(), this foreach loop would incorrectly target other pending mesh commands, potentially freeing them while they are still being processed concurrently (leading to UAFs). The redundant mgmt_cmd_status() is also simplified to use cmd->opcode directly.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local denial-of-service in the Linux kernel's vidtv virtual DVB media driver allows an authenticated local user to crash the kernel via a NULL pointer dereference triggered by uninitialized struct fields in vidtv_ts_null_write_into() and vidtv_ts_pcr_write_into(). Affected kernel versions span from commit f90cf6079bf6 across multiple stable branches through Linux 5.10, with fixes backported to 6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0.1, and 7.1-rc1. No public exploit identified at time of analysis, EPSS is 0.02% (7th percentile), and this CVE is not listed in the CISA KEV catalog, reflecting its low real-world exploitation likelihood.

Linux Null Pointer Dereference Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Integrity verification bypass in Linux kernel crypto subsystem's Kerberos 5 encryption module allows remote unauthenticated attackers to bypass cryptographic hash checks when asynchronous decryption completes. The vulnerability stems from incorrect callback chaining that skips krb5enc_dispatch_decrypt_hash() verification entirely during async operations. Exploitation likelihood is low (EPSS 2%, percentile 4%) despite high CVSS severity, though EUVD classifies this as an authentication bypass affecting Linux 6.15+ with patches available for stable branches 6.18.25, 7.0.2, and mainline 7.1-rc1.

Red Hat Suse Authentication Bypass +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use-after-free in Linux kernel ksmbd (SMB server) during durable file handle scavenging allows memory corruption and potential remote code execution. When a durable SMB2 file handle survives session disconnect, the cleanup path dereferences a freed connection object via NULL fp->conn pointer during lock cleanup, causing a slab use-after-free. Exploitation probability is extremely low (EPSS 0.02%, 5th percentile) with no active exploitation confirmed. Vendor patches available across multiple stable kernel branches (6.12.84, 6.18.25, 7.0.2, 7.1-rc1) address the asymmetric cleanup by properly managing byte-range lock lifetimes during durable handle reconnection.

Use After Free Memory Corruption Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authentication bypass in Linux kernel's ksmbd SMB server allows any authenticated SMB user to hijack orphaned durable file handles by predicting persistent IDs, enabling unauthorized file access with the original owner's privileges. The flaw violates MS-SMB2 requirements for SecurityContext validation during durable handle reconnection. Vendor patches are available across multiple stable kernel branches (6.18.25, 7.0.2, 7.1-rc1). EPSS exploitation probability is low at 0.02% (4th percentile), and no active exploitation or public POC has been identified. CVSS 8.8 reflects high impact but requires low-privilege authentication.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Integer underflow in Linux kernel NTFS3 driver during journal replay allows local attackers to trigger massive out-of-bounds memory copies into a 4KB buffer when processing corrupted filesystems. The check_file_record() function fails to validate rec->used field before using it in memmove() length calculations across DeleteAttribute, CreateAttribute, and change_attr_size handlers, enabling slab-out-of-bounds writes. No public exploit identified at time of analysis. EPSS score of 0.02% (5th percentile) indicates low exploitation probability. Vendor-released patches available across kernel versions 6.6.136, 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1.

Memory Corruption Buffer Overflow Linux
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel F2FS filesystem allows local authenticated attackers to trigger kernel panic or potentially achieve code execution. The vulnerability (CWE-416) occurs during concurrent write callback and unmount operations when f2fs_write_end_io() decrements page count before checking node inode validity, leading to NULL pointer dereference. Discovered via xfstests generic/107 and syzbot fuzzing. EPSS exploitation probability is low (0.02%, 4th percentile), no active exploitation confirmed. Vendor patches available across stable kernel branches 6.18.25, 7.0.2, and 7.1-rc1.

Information Disclosure Use After Free Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in f2fs_rename() function allows local authenticated attackers to cause denial of service through repeated file rename operations. The vulnerability exists in the f2fs filesystem implementation when handling SELinux label initialization during whiteout file creation, due to a missing f2fs_free_filename() call introduced in commit 40b2d55e0452. Vendor patches are available for Linux 6.6.136, 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1.

Red Hat Suse Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: fuse: abort on fatal signal during sync init When sync init is used and the server exits for some reason (error, crash) while processing FUSE_INIT, the filesystem creation will hang. The reason is that while all other threads will exit, the mounting thread (or process) will keep the device fd open, which will prevent an abort from happening. This is a regression from the async mount case, where the mount was done first, and the FUSE_INIT processing afterwards, in which case there's no such recursive syscall keeping the fd open.

Red Hat Suse Denial Of Service +1
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Out-of-bounds read in Linux kernel ksmbd allows authenticated SMB clients to trigger memory corruption by crafting malicious DACL ACEs with undersized headers. Attackers with permission to set ACLs on files can cause kernel KASAN reports and state corruption when subsequent CREATE operations walk the stored DACL via smb_check_perm_dacl(). Vendor patches available for kernel versions 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1. EPSS score of 0.02% (5th percentile) indicates low likelihood of mass exploitation despite network attack vector, consistent with the requirement for authenticated access and specific file permission prerequisites.

Linux Memory Corruption Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Resource exhaustion in Linux kernel ksmbd server allows remote unauthenticated attackers to permanently deny SMB service by consuming connection slots through forced allocation failures. The vulnerability leaks active_num_conn counter values when alloc_transport() fails during TCP connection setup on port 445, permanently consuming slots from the max_connections pool until module reload. Attackers can accelerate exhaustion by holding open connections with large RFC1002 lengths (up to 16MB) to trigger memory pressure. EPSS score of 0.11% suggests low observed exploitation probability, and no public exploit or CISA KEV listing exists. Vendor patches available for kernel versions 6.6.136, 6.12.84, 7.0.2, and 7.1-rc1.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix dir separator in SMB1 UNIX mounts When calling cifs_mount_get_tcon() with SMB1 UNIX mounts, @cifs_sb->mnt_cifs_flags needs to be read or updated only after calling reset_cifs_unix_caps(), otherwise it might end up with missing CIFS_MOUNT_POSIXACL and CIFS_MOUNT_POSIX_PATHS bits. This fixes the wrong dir separator used in paths caused by the missing CIFS_MOUNT_POSIX_PATHS bit in cifs_sb_info::mnt_cifs_flags.

Red Hat Suse Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote unauthenticated attackers can trigger out-of-bounds memory access in the Linux kernel SMB client's DACL parsing code by sending a malicious SMB response with a truncated DACL structure. The vulnerability exists in build_sec_desc() and id_mode_to_cifs_acl() functions which insufficiently validate server-supplied ACL data before rewriting it during chmod/chown operations, allowing ACE traversal beyond validated memory bounds. CVSS 8.8 indicates high severity with network vector requiring user interaction. EPSS score of 0.02% (5th percentile) suggests low observed exploitation probability in the wild, and no active exploitation is confirmed (not in CISA KEV). Vendor patch available targeting Linux kernel 7.0.2 and 7.1-rc1.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A malicious SMB server can trigger out-of-bounds heap memory disclosure in Linux kernel SMB client (CIFS) through crafted QUERY_INFO responses. Vulnerable Linux kernel versions 5.1 through 6.12.84 do not validate server-reported OutputBufferLength against actual response size before copying data to userspace, allowing a rogue SMB server to expose adjacent kernel heap contents. Patches available across stable kernel branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1). EPSS score of 0.02% indicates low exploitation probability; no active exploitation confirmed. Attack requires user interaction to mount malicious SMB share.

Information Disclosure Buffer Overflow Linux
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Integer overflow in Linux kernel's ksmbd (SMB server) allows local authenticated attackers to bypass size validation and trigger memory corruption via crafted daemon responses. The vulnerability affects three IPC message handlers that fail to detect arithmetic overflow when computing expected message sizes from attacker-controlled fields (payload_sz, ngroups), enabling out-of-bounds memcpy operations. Vendor patches available for affected 5.15+ kernels. EPSS score 0.02% (5th percentile) indicates low observed exploitation probability. No CISA KEV listing or public exploit identified at time of analysis.

Red Hat Suse Memory Corruption +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Buffer overflow in Linux kernel's ksmbd SMB server allows authenticated remote attackers to trigger ~8 MB heap allocation from manipulated NTACL xattr values, potentially leading to memory exhaustion, information disclosure via uninitialized heap memory, or code execution. Exploitation requires low-privilege SMB authentication plus ability to corrupt backing filesystem metadata (offline xattr tampering or race condition). EPSS score of 0.02% indicates minimal observed exploitation activity. Vendor patches available across multiple stable kernel branches (6.12.84, 6.18.25, 7.0.2, 7.1-rc1).

Red Hat Suse Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Out-of-bounds write in Linux kernel's ksmbd SMB server allows memory corruption when processing extended attributes (EA) in QUERY_INFO responses. The smb2_get_ea() function performs 4-byte alignment padding without checking remaining buffer space, causing 1-3 bytes to write past allocation boundaries when EA values exactly fill the response buffer. This occurs in compound SMB2 requests where shared response buffers are tightly constrained. EPSS score of 0.02% suggests minimal observed exploitation activity, though the CVSS 9.8 critical rating reflects the theoretical network-accessible, unauthenticated attack surface. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.84, 7.0.2, 7.1-rc1). Not listed in CISA KEV. This represents the third instance of the same vulnerability pattern in ksmbd QUERY_INFO handlers, following fixes in commits beef2634f81f and fda9522ed6af.

Memory Corruption Buffer Overflow Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ksmbd: use check_add_overflow() to prevent u16 DACL size overflow set_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes in u16 variables. When a file has many POSIX ACL entries, the accumulated size can wrap past 65535, causing the pointer arithmetic (char *)pndace + *size to land within already-written ACEs. Subsequent writes then overwrite earlier entries, and pndacl->size gets a truncated value. Use check_add_overflow() at each accumulation point to detect the wrap before it corrupts the buffer, consistent with existing check_mul_overflow() usage elsewhere in smbacl.c.

Buffer Overflow Linux
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free condition in Linux kernel writeback subsystem allows local authenticated attackers to potentially execute arbitrary code, escalate privileges, or trigger kernel crashes. The vulnerability affects Linux kernel versions 6.18.x through 7.1-rc1 and arises from improper synchronization between work queue processing and memory deallocation in inode_switch_wbs_work_fn(). Vendor patches are available across stable kernel branches (6.18.25, 7.0.2, 7.1-rc1) with low EPSS score (0.02%) indicating minimal observed exploitation activity, though the CVSS 7.8 score reflects significant impact if successfully exploited by authenticated local users.

Denial Of Service Linux Use After Free +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel f2fs compressed writeback allows local authenticated users to trigger memory corruption, potentially executing arbitrary code or causing system crashes. Affects f2fs-compressed filesystems in Linux kernel 5.6 through 7.1-rc2, with patches available in 6.6.136, 6.12.84, 7.0.2, and 7.1-rc1. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite CVSS 7.8 rating. This mirrors CVE-2026-23234's race condition pattern but in the compression code path that was missed by the earlier fix. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.

Information Disclosure Use After Free Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Use-after-free vulnerability in the ALSA caiaq USB audio driver allows local authenticated attackers to cause denial of service by triggering asynchronous card free callbacks after USB device disconnection. The vulnerability stems from missing reference counting on the parent USB device pointer, combined with an inappropriate usb_reset_device() call in the card teardown path. EPSS exploitation probability is minimal (0.02%), and no public exploit code or active exploitation has been identified.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Time-of-check-time-of-use (TOCTOU) race condition in Linux kernel's TPACKET transmission path allows local authenticated attackers with low privileges to bypass vnet_hdr validation checks and potentially achieve privilege escalation, code execution, or system compromise. The vulnerability affects packet socket implementations when PACKET_VNET_HDR is enabled, where concurrent userspace threads can modify mmap'd ring buffer data between kernel validation and use. Vendor-released patches are available for stable kernel branches (6.6.136, 6.12.84, 7.0.2, 7.1-rc1). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV), though the high CVSS 7.8 reflects significant local impact potential.

Race Condition Authentication Bypass Linux
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Buffer overflow in Linux kernel's AMD CCP (Cryptographic Coprocessor) driver leaks kernel memory to userspace when retrieving PEK CSR (Platform Endorsement Key Certificate Signing Request). Affecting Linux kernel 4.16+ through 7.0.x, the vulnerability allows local authenticated users to read arbitrary kernel memory due to improper error handling when firmware returns invalid buffer length requirements. Patches available across stable branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1). EPSS score of 0.02% indicates minimal observed exploitation probability, though the CVSS 7.1 reflects significant confidentiality impact. No CISA KEV listing or public exploit identified at time of analysis.

Memory Corruption Buffer Overflow Google +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Information disclosure in Linux kernel's AMD Cryptographic Coprocessor (CCP) driver allows local authenticated attackers to leak kernel memory to userspace via out-of-bounds read. When retrieving PDH certificates through SEV ioctl, the driver incorrectly copies data to userspace even after firmware command failures, potentially reading 2084+ bytes beyond allocated buffer boundaries. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation probability. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1) per upstream commits.

Memory Corruption Buffer Overflow Google +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Buffer overflow in Linux kernel CCP SEV driver allows local authenticated users to leak kernel memory to userspace. When the PSP firmware command to retrieve SEV CPU ID fails due to insufficient buffer size, the driver attempts to copy data beyond the allocated kernel buffer boundary, exposing up to 64 bytes of kernel memory. Exploitation requires local access with low privileges (CVSS PR:L) to invoke the SEV ioctl interface. EPSS score is very low (0.02%, 5th percentile) indicating minimal real-world exploitation observed. No public exploit identified at time of analysis, though the KASAN stack trace in the CVE description provides a clear exploitation path. Patches available across multiple stable kernel branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1).

Memory Corruption Buffer Overflow Google +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Buffer overflow in Linux kernel rxrpc subsystem allows local authenticated users to trigger memory corruption via malformed key payloads. The non-XDR parsing path in rxrpc_preparse() fails to validate ticket length against AFSTOKEN_RK_TIX_MAX, enabling unprivileged users to supply oversized tickets that cause WARN_ON() triggers and potential memory corruption when keys are read. Vendor patches available for kernel versions 6.6.136, 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1. EPSS score of 0.02% indicates low observed exploitation probability, with no public exploit identified at time of analysis.

Memory Corruption Buffer Overflow Linux
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel virt_wifi driver allows local authenticated users to trigger memory corruption during ethtool operations on virtual WiFi devices being unregistered. The vulnerability stems from improper device parent reference handling via SET_NETDEV_DEV, where ethnl_ops_begin() calls pm_runtime_get_sync() on already-freed memory when a virt_wifi device unregisters concurrently with ethtool operations. Patches are available across multiple stable kernel branches (5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploit identified at time of analysis, though CVSS 7.8 reflects potential for complete system compromise if successfully triggered.

Red Hat Suse Memory Corruption +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A malicious FUSE server can trigger a 24-byte buffer overflow in the Linux kernel's FUSE directory cache implementation on 4 KiB page systems. The fuse_add_dirent_to_cache() function fails to validate that directory entries fit within PAGE_SIZE before copying them to page cache, allowing a server-controlled namelen value of 4095 to produce a 4120-byte serialized record that overflows into adjacent kernel memory. This enables local attackers with FUSE mount privileges to achieve high-severity impacts including arbitrary kernel memory corruption. EPSS exploitation probability is notably low (0.02%, 5th percentile) despite the 7.8 CVSS score, and no public exploit has been identified. Patches are available across multiple stable kernel versions (6.6.136, 6.12.84, 7.0.2, 7.1-rc1, 6.18.25).

Buffer Overflow Linux
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A denial-of-service vulnerability in the Linux kernel's IPv6 checksum GSO fallback logic allows remote unauthenticated attackers to trigger system instability via specially crafted tunneled IPv6 packets with extension headers. The flaw affects network packet processing when NETIF_F_IPV6_CSUM offload is enabled, causing incorrect handling of tunneled traffic that requires software checksumming. EPSS score is low (0.02%, 7th percentile), indicating minimal observed exploitation activity. Vendor-released patches are available across multiple kernel version branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0), confirmed by upstream Linux kernel commits. No public exploit identified at time of analysis, though CVSS vector indicates straightforward network-based exploitation (AV:N/AC:L/PR:N/UI:N).

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel's MANA network driver allows local authenticated attackers to corrupt memory and potentially execute code with kernel privileges. The flaw occurs when auxiliary_device_add() fails in add_adev(), triggering cleanup that frees memory still referenced by subsequent error-handling code. Patches available across stable kernel branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. No CISA KEV listing or public exploit identified at time of analysis.

Information Disclosure Linux Use After Free +3
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Uninitialized memory in the Linux kernel SCSI target subsystem (target_core_file) causes write operations to fail unpredictably when bogus ki_write_stream values trigger block device validation checks. Affected versions span Linux kernel 6.16 through development branches, with stable patches released for 6.18.22, 6.19.12, and 7.0. While CVSS scores this as 7.5 High with network vector (AV:N), the description indicates a local kernel subsystem issue affecting SCSI target configurations, suggesting a vector/impact mismatch. EPSS probability is very low (0.02%, 4th percentile) with no evidence of active exploitation or public POC, indicating minimal real-world targeting despite the high CVSS score.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

tcm_loop target reset handler fails to drain in-flight SCSI commands, violating SCSI error handling contract and causing LUN reference leaks that deadlock configfs LUN unlink operations. Local users with appropriate privileges can trigger denial of service by initiating reset sequences while SCSI commands are in flight, leaving the kernel in an unkillable D-state waiting for LUN reference counts to clear. This is a local denial of service affecting the SCSI target core's tcm_loop loopback driver across multiple kernel versions.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

XFS filesystem crashes during log recovery when inodes with node-format extended attributes are inactivated following an untimely log shutdown, due to stale metadata block references in the attribute B-tree. Unprivileged local attackers with write access to XFS filesystems can trigger this denial-of-service condition by inducing log shutdown during extended attribute cleanup, causing the filesystem to unmount and require repair. The vulnerability affects Linux kernel versions prior to 6.19.12 and later stable branches.

Denial Of Service Linux Red Hat +1
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Logic error in Linux kernel mac80211 TDLS handling allows local authenticated users to modify wireless channel context and HT protection settings by invoking NL80211_TDLS_ENABLE_LINK on non-TDLS stations. Missing validation causes the kernel to apply TDLS-specific operations to regular Wi-Fi stations, potentially disrupting wireless connectivity and creating integrity/availability impacts. Vendor patches available for kernel 6.12.81, 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low probability of exploitation despite CVSS 7.1 rating. No evidence of active exploitation or public POC identified at time of analysis.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

An out-of-bounds read vulnerability in the Linux kernel's Wacom HID driver (wacom_intuos_bt_irq function) allows adjacent network attackers to cause information disclosure or denial of service through maliciously crafted short Bluetooth HID reports. The vulnerability affects the Bluetooth interface of Wacom Intuos tablets, where report types 0x03 and 0x04 are processed without validating minimum lengths (22 and 32 bytes respectively), enabling memory reads beyond buffer boundaries. Patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) with no active exploitation confirmed (EPSS 0.02%, not in CISA KEV).

Buffer Overflow Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Race condition in Linux kernel ATM LEC driver allows local attackers with low privileges to trigger use-after-free memory corruption in sock_def_readable(), potentially achieving arbitrary code execution, privilege escalation, or denial of service. The flaw affects systems using ATM (Asynchronous Transfer Mode) LAN Emulation Client functionality, present since Linux kernel version 2.4 (commit 1da177e4c3f4). EPSS score of 0.02% (7th percentile) suggests low probability of mass exploitation. Vendor patches available across all maintained stable branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). Not listed in CISA KEV; no public exploit code identified at time of analysis.

Authentication Bypass Use After Free Memory Corruption +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel HID subsystem allows local attackers with low privileges to achieve arbitrary code execution, privilege escalation, or denial of service when force feedback initialization fails on Logitech G920 racing wheels. The vulnerability occurs when userspace continues accessing freed memory structures (sysfs and /dev/input) after initialization errors. Vendor patches available across multiple stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates very low probability of mass exploitation, consistent with hardware-specific local attack surface requiring physical device presence.

Information Disclosure Use After Free Memory Corruption +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Adjacent network attackers can achieve high-severity code execution, information disclosure, or denial of service in the Linux kernel HID (Human Interface Device) subsystem by exploiting a bounds-checking flaw in hid_report_raw_event(). A bogus memset() operation intended to zero unused buffer space instead creates out-of-bounds read/write conditions when processing malformed HID input reports from adjacent devices (USB, Bluetooth). Vendor patches available for stable branches 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% suggests minimal observed exploitation, but the unauthenticated adjacent-network attack vector with low complexity makes this exploitable in environments with untrusted HID peripherals.

Information Disclosure Linux Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds memory writes in Linux kernel HID multitouch driver allow local authenticated users to achieve code execution or crash systems via malicious USB/HID devices. The vulnerability exists in the HID multitouch report parsing logic where mismatched report IDs in feature requests can confuse the HID core. Vendor-released patches are available across multiple kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score is low (0.02%, 7th percentile), indicating minimal observed exploitation attempts. No public exploit code identified at time of analysis.

Linux Memory Corruption Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel denial of service via crafted btrfs metadata allowing local attackers to trigger an unguarded BUG_ON() condition during relocation recovery at mount time. The vulnerability arises when a root item on disk contains a non-zero drop_progress with zero drop_level, an invalid state that should not exist but lacks validation on read. CVSS 5.5 reflects local attack vector and availability impact; EPSS 0.02% indicates minimal real-world exploitation likelihood.

Checkpoint Ubuntu Debian +4
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory corruption and page reference leaks in the Linux kernel mshv (Microsoft Hyper-V) module occur when pin_user_pages_fast() returns a partial pin count, which the current code incorrectly treats as success. A local authenticated attacker with privileges can trigger this vulnerability to corrupt memory or cause denial of service on systems using the mshv module, particularly in Hyper-V guest environments.

Buffer Overflow Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Memory corruption in the Linux kernel CAAM (Cryptographic Acceleration and Assurance Module) crypto driver allows local authenticated users to corrupt kernel memory and potentially escalate privileges. The vulnerability occurs when HMAC keys longer than the hash block size are processed - the driver allocates a DMA-aligned buffer size but fails to use it, causing the hashed key to overwrite adjacent memory. Vendor patches are available for stable kernel versions 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in the Linux kernel AF_ALG crypto interface allows local authenticated attackers to trigger a NULL pointer dereference and kernel panic by sending sequential sendmsg() calls that cause scatter-gather list chain operations to fail to properly unmark SGL boundaries. The vulnerability occurs when AF_ALG allocates chained SGL structures without clearing end markers on previous entries, causing the crypto scatterwalk to encounter premature termination and dereference NULL pointers. CVSS 5.5 (AV:L/AC:L/PR:L) reflects local-only attack requirement with low complexity; EPSS 0.02% (7th percentile) indicates minimal real-world exploitation risk despite kernel panic severity.

Denial Of Service Null Pointer Dereference Linux +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Race condition in Linux kernel MPLS subsystem allows local authenticated users to trigger out-of-bounds memory access via concurrent label table resizing. The vulnerability affects RCU-protected codepaths (mpls_forward, mpls_dump_routes) that can obtain inconsistent snapshots of platform_labels array metadata during resize operations, potentially leading to information disclosure or denial of service. Vendor patch available addressing the issue through seqcount-based synchronization. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability, and no active exploitation or public POC identified.

Information Disclosure Linux Buffer Overflow +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak __radix_tree_create() allocates and links intermediate nodes into the tree one by one. If a subsequent allocation fails, the already-linked nodes remain in the tree with no corresponding leaf entry. These orphaned internal nodes are never reclaimed because radix_tree_for_each_slot() only visits slots containing leaf values. The radix_tree API is deprecated in favor of xarray. As suggested by Matthew Wilcox, migrate qrtr_tx_flow from radix_tree to xarray instead of fixing the radix_tree itself [1]. xarray properly handles cleanup of internal nodes - xa_destroy() frees all internal xarray nodes when the qrtr_node is released, preventing the leak. [1] https://lore.kernel.org/all/20260225071623.41275-1-jiayuan.chen@linux.dev/T/

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak When processing Router Advertisements with user options the kernel builds an RTM_NEWNDUSEROPT netlink message. The nduseroptmsg struct has three padding fields that are never zeroed and can leak kernel data The fix is simple, just zeroes the padding fields.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution and information disclosure in Linux Kernel's TI ICSSG PRU Ethernet driver allows unauthenticated network attackers to leak kernel heap memory to userspace and potentially corrupt page_pool state. The zero-copy RX dispatch path fails to copy received packet data into newly allocated skbs, instead forwarding uninitialized heap memory up the network stack. Vendor patches available for kernel 6.19.12 and 7.0. EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity despite critical CVSS 9.8 rating and network attack vector.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Memory corruption in Linux kernel IPv6 ICMP error handling allows remote unauthenticated attackers to potentially achieve code execution or information disclosure. The vulnerability arises from incomplete control block (CB) sanitization when converting IPv4 ICMP errors to ICMPv6, enabling forged CIPSO options in outer IPv4 packets to manipulate inner IPv6 packet parsing. This can trigger out-of-bounds memory access extending into skb_shared_info structures. Despite CVSS 9.8 critical rating, EPSS exploitation probability is extremely low (0.02%, 7th percentile), no public exploit code exists, and CISA has not listed this as actively exploited. Patches are available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).

Information Disclosure Linux Memory Corruption
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

A stack-based buffer overflow in the Linux kernel's IPv6-to-IPv4 tunneling (ip6_tunnel) code allows remote unauthenticated attackers to achieve arbitrary code execution. The vulnerability occurs when ip4ip6_err() passes a cloned skb with IPv6-formatted control buffer data to icmp_send(), which misinterprets it as IPv4 control buffer data. This type confusion causes __ip_options_echo() to read attacker-controlled packet data as a length value and copy up to that many bytes into a fixed 40-byte stack buffer, enabling remote exploitation with no prerequisites. EPSS score of 0.02% suggests limited exploitation probability despite critical CVSS 9.8 rating. Vendor-released patches are available across all maintained kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0).

Linux Memory Corruption Buffer Overflow
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Linux kernel GSO feature check reads uninitialized IPv4 header data when processing packets from PF_PACKET paths, causing kernel memory disclosure or denial of service. The vulnerability affects multiple kernel versions before 6.12.81, 6.19.12, and 7.0, and requires local user access to trigger via raw packet injection.

Code Injection Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Information disclosure in the Linux kernel's traffic control (tc) scheduler allows local users with low privileges to read uninitialized kernel heap memory through the tc_chain_fill_node() function, which fails to zero-initialize the tcm_info field in netlink messages before transmission to userspace. The vulnerability affects multiple stable kernel series and has a vendor-released patch available across all affected versions.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A local denial of service vulnerability in the Linux kernel bnxt_en driver allows authenticated local users to crash the system by triggering an out-of-bounds array access during backing store capability queries. The vulnerability stems from incorrect use of firmware-provided type values to index fixed metadata arrays, rather than using the known loop iteration index. Exploitation requires local access and user-level privileges (PR:L), and no active exploitation has been reported.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Memory corruption in Linux kernel's crypto authencesn subsystem allows local authenticated attackers to disclose sensitive kernel memory, modify data integrity, or cause denial of service through improper handling of sequence bits during out-of-place decryption operations. The vulnerability affects Linux kernel versions from 4.3 through multiple stable branches (5.10.x, 5.15.x, 6.1.x, 6.6.x, 6.12.x, 6.18.x, 6.19.x) with patches available across all affected branches. EPSS exploitation probability is low (0.02%, 7th percentile) and no active exploitation or public POC has been identified.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in the Linux kernel NFC PN533 UART driver allows local authenticated attackers to exhaust memory by sending malformed NFC frames without valid headers, causing unbounded socket buffer growth until kernel crash. Affects Linux 5.5 through 7.0 with patches available across all maintained stable branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0); EPSS exploitation probability is minimal at 0.02%, but local privilege is required.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Linux kernel axienet driver can permanently stall network transmit queues due to incorrect Byte Queue Limits (BQL) accounting when scatter-gather TX packets span multiple NAPI polls. When a multi-buffer-descriptor packet completes across different polling cycles, only partial byte counts are credited to BQL, causing the subsystem to incorrectly believe bytes remain in-flight indefinitely and halting transmission. Vendor patches available for stable branches (6.18.22, 6.19.12, 7.0). EPSS exploitation probability is 2% (4th percentile), no active exploitation confirmed, indicating low real-world targeting despite the 7.5 CVSS score.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A logic error in the Linux kernel's BPF verifier regsafe() function allows local attackers with low privileges to exploit improper state exploration for packet pointer ranges, potentially leading to high confidentiality, integrity, and availability impacts. The vulnerability affects multiple stable kernel branches from 5.10 through 6.19, with vendor patches available across all affected versions. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service via soft lockup in Linux kernel MPTCP (Multipath TCP) receive function allows remote unauthenticated attackers to lock up a CPU core indefinitely when applications use MSG_PEEK with MSG_WAITALL flags. The vulnerability stems from improper handling of peeked socket buffers that remain in the receive queue, causing sk_wait_data() to never actually wait and spinning in an infinite loop. EPSS score is low (0.02%, 4th percentile) indicating minimal observed exploitation probability. Vendor patches available for kernel versions 6.18.x and 6.19.x series.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local privilege escalation and information disclosure in Linux kernel netfilter x_tables subsystem allows authenticated local users to leak memory contents or crash the system due to improper null-termination validation of string names passed to c-string functions. CVSS 7.1 (High/Confidentiality, High/Availability impact) but low real-world priority: EPSS 0.02% (7th percentile) indicates minimal observed exploitation likelihood. Patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). No active exploitation confirmed, no POC identified, requires local authenticated access with low privileges.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel netfilter subsystem allows local authenticated attackers to corrupt memory and potentially execute arbitrary code with kernel privileges. The vulnerability occurs when unregistering connection tracking helpers - expectations referencing the helper survive cleanup and later dereference the freed helper object during expectation dumps or new connection establishment. Vendor-released patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% indicates low observed exploitation probability; no active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.

Information Disclosure Use After Free Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Information disclosure in the Linux kernel netfilter ctnetlink module allows local authenticated users to read stale NAT configuration data from kernel memory via a crafted netlink message. When ctnetlink_alloc_expect() allocates connection tracking expectations without initializing NAT fields, uninitialized memory containing sensitive data from previous slab allocations is exposed to userspace during expectation dumps. This requires local access and low-privileged authentication (PR:L) but carries a high availability impact due to potential memory disclosure vectors.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

A buffer overflow in the Linux kernel netfilter ctnetlink subsystem allows authenticated local attackers to read arbitrary kernel memory. The vulnerability arises when userspace provides a helper name for a new expectation that differs from the master conntrack helper, causing the kernel to read 4 bytes beyond the expectation boundary. Vendor-released patches are available across multiple stable kernel branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). Despite a CVSS base score of 7.3, the EPSS score is exceptionally low (0.02%, 7th percentile), indicating minimal observed exploitation attempts, and the vulnerability is not listed in CISA KEV, suggesting no confirmed active exploitation.

Buffer Overflow Linux Information Disclosure
NVD VulDB
Prev Page 17 of 143 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy