Linux

Race condition in Linux kernel AppArmor subsystem allows use-after-free of i_private data when filesystem callback functions access inode structures after reference counting errors. The vulnerability occurs because AppArmor releases references to private data after removing filesystem entries, but inodes can persist beyond that point and trigger filesystem callbacks that access freed memory. This affects AppArmor security policy enforcement and could lead to information disclosure or denial of service through carefully timed filesystem operations. No active exploitation has been confirmed, and the issue is addressed through upstream kernel fixes.

Use-after-free in Linux kernel AppArmor subsystem allows local attackers to cause denial of service or potentially execute code by racing the opening of rawdata profile files against profile removal, triggering access to freed memory in the aa_loaddata structure. The vulnerability exploits an unrefcounted rawdata inode design where concurrent VFS and profile destruction operations create a window for dangling pointer dereference during seq_rawdata_open(). No public exploit code or active exploitation has been identified; the fix involves implementing a double refcount scheme to properly manage rawdata lifecycle.

AppArmor differential encoding verification in the Linux kernel contains logic errors that permit infinite loops to be created through abuse of the verification chain mechanism. Two distinct bugs in the verification routine-conflation of checked states with currently-checked states, and incorrect loop iterator comparison-allow malformed differential encoding chains to bypass security checks. This enables potential information disclosure or policy circumvention on systems relying on AppArmor mandatory access control. The vulnerability affects Linux kernel versions prior to fixes applied across multiple stable branches via kernel commits.

Double free vulnerability in Linux kernel AppArmor subsystem allows local attackers to cause denial of service or information disclosure by triggering memory corruption during namespace profile replacement. The flaw occurs in aa_replace_profiles() when ns_name is transferred from ent->ns_name without nulling the source pointer, resulting in the same memory region being freed twice. This is a memory corruption issue with kernel-level impact affecting all Linux distributions running vulnerable kernel versions.

Out-of-bounds read and write in Linux kernel AppArmor verify_dfa() function allows local attackers to trigger memory corruption via malformed DFA profiles with invalid DEFAULT_TABLE entries. The vulnerability exists because bounds validation is skipped during differential encoding chain traversal, permitting an attacker with CAP_MAC_ADMIN or write access to /sys/kernel/security/apparmor/policy to craft a malicious policy that causes slab-out-of-bounds access. No public exploit code or active exploitation has been identified; patch is available in upstream kernel.

Out-of-bounds read in Linux kernel AppArmor DFA matching allows local attackers to cause memory corruption via malformed input to apparmor_file_open, triggered when the match_char() macro's character parameter is evaluated multiple times during differential encoding chain traversal, causing pointer advancement past buffer boundaries. The vulnerability manifests as a slab-out-of-bounds read detected by KASAN during file open operations and affects all Linux distributions shipping the vulnerable kernel code. No active exploitation in the wild has been confirmed, but the memory corruption vector creates denial-of-service and potential privilege escalation risk for local attackers.

Linux kernel AppArmor policy namespace implementation allows arbitrary nesting and creation of policy namespaces without enforcing depth limits, enabling local attackers to exhaust system resources through unbounded namespace proliferation. The vulnerability affects AppArmor in the Linux kernel across multiple stable branches. This is a denial-of-service vulnerability requiring local access, with fixes available across stable kernel versions.

Stack exhaustion in AppArmor profile removal allows local denial of service by crafting deeply nested profiles that trigger recursive kernel stack consumption. The Linux kernel's AppArmor security module can be crashed by a local user with permission to load profiles via the apparmor_parser tool and trigger removal through sysfs, causing kernel stack overflow. The fix replaces recursive profile removal with an iterative approach to prevent stack exhaustion.

Memory leak in Linux kernel AppArmor module verify_header function causes namespace string allocation leaks during multiple profile unpacking and breaks namespace consistency checking. The vulnerable code incorrectly resets the namespace pointer to NULL on every function call, discarding previously allocated namespace strings and preventing proper namespace comparison across profile iterations. This affects Linux kernel versions with the vulnerable AppArmor implementation prior to upstream fixes applied across stable branches.

Linux kernel KVM x86/mmu module improperly validates shadow page table entries (SPTEs) in indirect MMUs, allowing host userspace writes to bypass KVM's write-tracking detection and corrupt shadow paging state. The vulnerability affects KVM implementations on x86 systems with nested or indirect MMU configurations where writes originating outside KVM's scope (e.g., from host userspace via memory access) are not detected, potentially leading to memory corruption or VM escape. No CVSS score, EPSS data, or KEV status is available; this appears to be an internal kernel consistency issue addressed via upstream patch rather than a directly exploitable security boundary.

Linux kernel KVM x86/MMU incorrectly installs emulated MMIO shadow page table entries (SPTEs) without first zapping existing shadow-present SPTEs when host userspace modifies guest page tables outside KVM's scope, causing kernel warnings and potential memory consistency issues. The vulnerability affects KVM on x86 systems running vulnerable kernel versions and can be triggered by a local attacker with ability to manipulate guest memory or run guest VMs, though the practical impact beyond kernel instability remains limited.

Deadlock in Linux kernel rust_binder driver occurs when BC_DEAD_BINDER_DONE is invoked on a non-looper thread while the proc lock is held, preventing push_work_if_looper() from safely acquiring the proc lock for work queue delivery. The vulnerability affects the Rust implementation of Android's Binder IPC mechanism and can cause kernel deadlock, potentially resulting in denial of service to affected processes or the entire system depending on thread scheduling.

Memory leak in Linux kernel nf_tables nft_dynset module allows local denial of service through failed stateful expression cloning during dynamic set operations. When the second stateful expression clone fails under GFP_ATOMIC memory allocation, the first expression is not properly released, accumulating percpu memory allocations that exhaust kernel memory. This affects all Linux kernel versions until patched, with exploitation requiring local system access to trigger the nf_tables dynamic set evaluation code path.

Incus versions prior to 6.23.0 allow local authenticated attackers to manipulate temporary screenshot files via predictable /tmp paths and symlink attacks, potentially truncating and altering permissions of arbitrary files on systems with disabled symlink protection (rare), leading to denial of service or local privilege escalation. The vulnerability requires local access and authenticated user privileges but is particularly dangerous on systems without kernel-level symlink protections enabled. An exploit proof-of-concept exists, and the vendor has released patched version 6.23.0 to address the issue.

Linux kernel ICMP tag validation routines fail to check for NULL protocol handler pointers before dereferencing them, causing kernel panics in softirq context when processing fragmentation-needed errors with unregistered protocol numbers and ip_no_pmtu_disc hardened mode enabled. The vulnerability affects multiple Linux kernel versions across stable branches (6.1, 6.6, 6.12, 6.18, 6.19, and 7.0-rc5), with an EPSS score of 0.02% (7th percentile) indicating low real-world exploitation probability. No public exploit code or active exploitation has been confirmed; the fix requires adding a NULL pointer check in icmp_tag_validation() before accessing icmp_strict_tag_validation.

Linux kernel nfnetlink_osf module fails to validate TCP option lengths in OS fingerprint definitions, allowing null pointer dereference and out-of-bounds memory reads when processing packets with malformed or missing TCP options. The vulnerability affects Linux kernel versions across multiple stable branches (6.1.x through 6.19.x and 7.0-rc5), with EPSS score of 0.02% indicating low practical exploitation probability despite the memory safety issue. No public exploit code or active exploitation has been reported.

Linux kernel mac80211 mesh networking crashes on NULL pointer dereference when processing Channel Switch Announcement (CSA) action frames lacking Mesh Configuration IE, allowing adjacent WiFi attackers to trigger kernel panic (DoS) via crafted frames. Affects multiple stable kernel versions (6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0-rc5 and earlier); EPSS exploitation probability is 0.02% (low), no public exploit identified, and upstream fixes are available across all affected release branches.

crun versions 1.19 through 1.26 misparse the `-u` (--user) option during container execution, causing a numeric UID value of 1 to be incorrectly interpreted as UID 0 (root) instead, resulting in privilege escalation where containerized processes execute with root privileges instead of the intended unprivileged user. The vulnerability affects the containers/crun OCI runtime container (cpe:2.3:a:containers:crun:*:*:*:*:*:*:*:*) and has been patched in version 1.27. No public exploit code or active exploitation has been identified, though the EPSS score of 0.01% (percentile 2%) indicates minimal real-world exploitation likelihood despite the privilege escalation tag.

A buffer overflow vulnerability exists in the Linux kernel's Bluetooth L2CAP implementation where the code fails to properly validate command identifiers when accepting L2CAP_ECRED_CONN_REQ requests, allowing multiple pending requests with identical identifiers to exceed the L2CAP_ECRED_MAX_CID limit of 5 channels and trigger a buffer overflow. All Linux kernel versions containing the vulnerable L2CAP Bluetooth code are affected. An attacker with local Bluetooth access or remote capability could trigger this vulnerability to cause a kernel crash or potentially execute arbitrary code with kernel privileges, though exploitation requires interaction with the Bluetooth subsystem.

A race condition exists in the Linux kernel's AF_UNIX socket implementation where the garbage collector (GC) can incorrectly purge receive queues of alive sockets when MSG_PEEK operations occur concurrently with socket closure. The vulnerability affects all Linux kernel versions and allows local attackers with socket access to cause information disclosure or denial of service by triggering the race condition between MSG_PEEK, socket closure, and GC execution. A proof-of-concept demonstrating the issue has been publicly reported by Igor Ushakov, and patches are available in the stable kernel tree.

A race condition exists in the Linux kernel's bridge CFM (Connectivity Fault Management) peer MEP (Maintenance End Point) deletion code where a delayed work queue can be rescheduled between the cancellation check and memory freeing, leading to use-after-free on freed memory. This affects all Linux kernel versions with the vulnerable bridge CFM implementation. An attacker with local access to trigger peer MEP deletion while CFM frame reception occurs could cause a kernel use-after-free condition potentially leading to information disclosure or denial of service.

A use-after-free vulnerability exists in the Linux kernel's netfilter nf_tables flowtable implementation during error handling in the hook registration path. When hook registration fails (due to reaching maximum hook limits or hardware offload setup failures), the flowtable is not properly synchronized with RCU grace periods before being released, allowing concurrent packet processing or control plane operations (nfnetlink_hook) to access freed memory. This vulnerability affects all Linux kernel versions with the vulnerable nf_tables code and was discovered via KASAN reports during hook dumping operations; while not currently listed in known exploited vulnerabilities (KEV) databases, the use-after-free nature presents a real risk for denial of service or information disclosure in environments utilizing netfilter flowtables.

A use-after-free vulnerability exists in the Linux kernel's netfilter xt_CT module where pending enqueued packets maintain references to template objects that can be freed when helper modules are removed or timeout policies are deleted via nfnetlink_cttimeout. An attacker with the ability to unload kernel modules or manipulate netfilter timeout policies could trigger a kernel crash or information disclosure by causing the kernel to access freed memory when processing queued packets. While no CVSS score, EPSS probability, or KEV status has been assigned, the availability of six distinct kernel patch commits across stable branches indicates active remediation and acknowledgment of the vulnerability as a real kernel stability issue.

A memory leak vulnerability exists in the Linux kernel's ice driver in the ice_set_ringparam() function, where dynamically allocated tx_rings and xdp_rings are not properly freed when subsequent rx_rings allocation or setup fails. This affects all Linux kernel versions with the vulnerable ice driver code path, and while memory leaks typically enable denial of service through resource exhaustion rather than direct code execution, the impact depends on exploitation frequency and system memory constraints. No active exploitation or proof-of-concept has been publicly disclosed; the vulnerability was discovered through static analysis and code review rather than in-the-wild detection.

A metadata validation vulnerability in the Linux kernel's Squashfs filesystem implementation allows out-of-bounds memory access when processing corrupted or malicious filesystem images. Specifically, a negative metadata block offset derived from a corrupted index lookup table is passed to squashfs_copy_data without bounds checking, causing a general protection fault. Any Linux system mounting an untrusted Squashfs image is affected, potentially enabling denial of service or information disclosure attacks, though no active exploitation in the wild is currently documented.

A double-put vulnerability exists in the Linux kernel's pinctrl cirrus cs42l43 driver probe function, where devm_add_action_or_reset() already invokes cleanup on failure but the code explicitly calls put again, causing a double-free condition. This affects Linux kernel versions across multiple stable branches where the cs42l43 pinctrl driver is compiled. The vulnerability could lead to kernel memory corruption and potential denial of service or information disclosure when the driver probe path encounters failure conditions.

A buffer management vulnerability exists in the Linux kernel's Google Virtual Ethernet (GVE) driver within the gve_tx_clean_pending_packets() function when operating in DQ-QPL (Descriptor Queue with Queue Pair Lists) mode. The function incorrectly interprets buffer IDs as DMA addresses and attempts to unmap memory using the wrong cleanup path, causing out-of-bounds array access and potential memory corruption. This affects Linux kernel versions across multiple stable branches and can be triggered during network device reset operations, potentially leading to kernel crashes or memory safety violations.

A memory management vulnerability in the Linux kernel's netfilter nf_tables subsystem can be triggered through fault injection during set flush operations, causing a kernel warning splat when memory allocation fails under GFP_KERNEL conditions. This vulnerability affects Linux kernel versions across distributions and is exploitable by local attackers with network namespace capabilities, potentially leading to kernel warnings and denial of service through memory exhaustion attacks. While no CVSS score or active exploitation in the wild has been reported, the vulnerability was discovered through syzbot fuzzing with fault injection, indicating it requires specific conditions to trigger but represents a real kernel stability issue that has been patched.

A kernel stack memory leak exists in the Linux kernel's RDMA/ionic driver within the ionic_create_cq() function, where uninitialized stack memory is copied to userspace via the ionic_cq_resp structure. An unprivileged local attacker with access to RDMA/ionic devices can trigger this vulnerability to leak up to 11 bytes of sensitive kernel stack data, potentially revealing kernel addresses, cryptographic material, or other sensitive information useful for further exploitation. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, and no public proof-of-concept has been disclosed; however, patches are available across multiple stable kernel branches.

This vulnerability affects the Linux kernel's ARM64 BPF JIT compiler, where insufficient alignment requirements (4 bytes instead of 8 bytes) for the JIT buffer cause the bpf_plt structure's u64 target field to be misaligned. This misalignment creates two critical issues: UBSAN generates warnings for undefined behavior, and more dangerously, concurrent updates to the target field via WRITE_ONCE() in bpf_arch_text_poke() can result in torn 64-bit reads on ARM64 systems, causing the JIT to jump to corrupted addresses. Linux kernel versions using ARM64 BPF JIT are affected, and while there is no public exploit code available, this represents a memory corruption vulnerability that could lead to privilege escalation or denial of service. Multiple stable kernel patches are available addressing this issue.

This vulnerability affects multiple Linux kernel HID (Human Interface Device) drivers that lack proper validation checks when processing raw event callbacks from unclaimed HID devices. An attacker could connect a malicious or broken HID device to trigger a NULL pointer dereference in affected drivers, causing a kernel crash and denial of service. The vulnerability was identified as a gap in security hardening following a similar fix applied to the appleir driver, and patches are available across multiple stable kernel branches.

A NULL pointer dereference vulnerability exists in the Linux kernel's bridge networking module when IPv6 is disabled via the 'ipv6.disable=1' boot parameter. When Neighbor Discovery (ND) suppression is enabled on a bridge, an ICMPv6 packet reaching the bridge causes the kernel to dereference a NULL pointer in the nd_tbl structure, resulting in a kernel panic and denial of service. This affects all Linux kernel versions with this code path, and while no CVSS score or EPSS data is currently available, the vulnerability is readily triggered through network packet receipt on systems with specific boot configurations.

A reference counting vulnerability in the Linux kernel's tracing subsystem causes a WARN_ON to trigger when a process forks and both parent and child processes exit, particularly when the application calls madvise(MADV_DOFORK) to enable VMA copy-on-fork behavior. The vulnerability affects all Linux kernel versions with the vulnerable tracing_buffers_mmap code and allows local attackers to cause a kernel warning that may lead to denial of service or information disclosure through the kernel warning itself. While not currently listed in KEV or known to be actively exploited, the vulnerability has been patched in stable kernel branches as indicated by four separate commit references.

A divide-by-zero vulnerability exists in the Linux kernel's ETS (Enhanced Transmission Selection) qdisc offload implementation that can crash the kernel when processing malformed traffic scheduling configurations. The vulnerability affects all Linux kernel versions with the ETS scheduler module enabled, and a local privileged user (or attacker with CAP_NET_ADMIN capability) can trigger a kernel panic by crafting specific netlink messages via the tc (traffic control) utility. While no public exploit code has been confirmed in the wild, the condition is easily reproducible and results in immediate kernel crash, making this a high-priority local denial-of-service vector.

A buffer overflow vulnerability exists in the Linux kernel's IFE (Intermediate Functional Element) traffic control action module where metadata list replacement incorrectly appends new metadata instead of replacing old entries, causing unbounded metadata accumulation. This affects all Linux kernel versions with the vulnerable IFE scheduling code (cpe:2.3:a:linux:linux). An attacker with the ability to modify traffic control rules can trigger an out-of-bounds write via the ife_tlv_meta_encode function, potentially achieving kernel memory corruption and denial of service. The vulnerability is not listed as actively exploited in public KEV databases, but patches are available across multiple stable kernel branches.

A memory buffer management vulnerability exists in the Linux kernel's ice network driver XDP (eXpress Data Path) implementation, specifically in how it calculates fragment buffer sizes for receive queues. The vulnerability affects Linux kernel versions with the vulnerable ice driver code path and can be triggered through XDP operations that attempt to grow multi-buffer packet tails, potentially causing kernel panics or denial of service. An attacker with the ability to load and execute XDP programs can exploit this by crafting specific packet sizes and offset values to trigger the panic condition, as demonstrated by the XSK_UMEM__MAX_FRAME_SIZE test case, though real-world exploitation requires local access to load XDP programs.

A resource management vulnerability exists in the Linux kernel's nvmet-fcloop NVMe-FC loopback driver where the lsrsp (LS response) callback is invoked without proper validation of the remote port state, potentially leading to use-after-free or double-free conditions. This affects Linux kernel implementations using nvmet-fcloop for NVMe-FC transport emulation across all versions prior to the patch commits (f30b95159a53e72529a9ca1667f11cd1970240a7, 31d3817bcd9e192b30abe3cf4b68f69d48864dd2, dd677d0598387ea623820ab2bd0e029c377445a3). An attacker with local kernel-level access or ability to trigger abnormal nvmet-fcloop state transitions could potentially cause information disclosure or denial of service through memory corruption.

A vulnerability in the Linux kernel's Transparent Huge Pages (THP) subsystem incorrectly enables THP for files on anonymous inodes (such as guest_memfd and secretmem), which were not designed to support large folios. This can trigger kernel crashes via memory copy operations on unmapped memory in secretmem, or WARN_ON conditions in guest_memfd fault handlers. The vulnerability affects Linux kernel versions across multiple stable branches and requires a kernel patch to remediate; while not known to be actively exploited in the wild, the condition can be triggered locally by unprivileged users through madvise() syscalls.

This vulnerability is a preemption context violation in the Linux kernel's block I/O tracing subsystem where tracing_record_cmdline() unsafely uses __this_cpu_read() and __this_cpu_write() operations from preemptible context. The Linux kernel in versions supporting blktrace (affected via CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) is vulnerable, allowing potential information disclosure or denial of service when block tracing is enabled and block I/O operations occur from user-space processes. This is not actively exploited in the wild (no KEV status), but the vulnerability has functional proof of concept through blktests/blktrace/002, making it a moderate priority for kernel maintainers and distributions shipping PREEMPT(full) configurations.

The Linux kernel's Realtek WiFi driver (rsi) incorrectly defaults to returning -EOPNOTSUPP error code in the rsi_mac80211_config function, which triggers a WARN_ON condition in ieee80211_hw_conf_init and deviates from expected driver behavior. This affects Linux kernel versions across multiple stable branches where the rsi WiFi driver is compiled and loaded. While not actively exploited in the wild, the issue causes kernel warnings and improper driver initialization that could degrade WiFi functionality or stability on affected systems.

A race condition exists in the Linux kernel's NFC rawsock implementation where the tx_work function can execute concurrently with socket teardown, leading to use-after-free vulnerabilities when accessing NCI device structures. This affects all Linux kernel versions with the vulnerable NFC rawsock code path, particularly impacting systems where processes are forcefully terminated (e.g., via SIGKILL). An attacker with local access to trigger socket teardown race conditions could cause kernel memory corruption, information disclosure, or denial of service.

A Linux kernel scheduler vulnerability in SCHED_DEADLINE task handling causes bandwidth accounting corruption when a deadline task holding a priority-inheritance mutex is changed to a lower priority class via sched_setscheduler(). The vulnerability affects Linux kernel implementations (all versions with SCHED_DEADLINE support) and can be triggered by local unprivileged users running specific workloads like stress-ng, potentially leading to kernel warnings, task accounting underflow, and denial of service. No active exploitation in the wild is currently documented, but the vulnerability is fixed in stable kernel branches as evidenced by the provided commit references.

A credential disclosure vulnerability exists in the Linux kernel's Dell WMI System Management (dell-wmi-sysman) module where the set_new_password() function performs hex dumps of memory buffers containing plaintext password data, including both current and new passwords. This affects all Linux kernel versions with the vulnerable dell-wmi-sysman driver, allowing local attackers with access to kernel logs or debug output to extract sensitive authentication credentials. While no CVSS score, EPSS probability, or active KEV status is currently assigned, the patch availability across six stable kernel branches indicates the vulnerability has been formally addressed by the Linux kernel maintainers.

A race condition in the Linux kernel's i801 I2C driver causes a kernel NULL pointer dereference and panic during boot when multiple udev threads concurrently access the ACPI I/O handler region. The vulnerability affects Linux kernel versions running the i2c_i801 driver on systems with Intel i801 chipsets. An attacker with local access or the ability to trigger concurrent device enumeration during boot can crash the system, resulting in denial of service.

This vulnerability is an AB-BA deadlock in the Linux kernel's PHY (Physical Layer) LED trigger subsystem that occurs when both LEDS_TRIGGER_NETDEV and LED_TRIGGER_PHY are enabled simultaneously. The deadlock arises because PHY LED triggers are registered during the phy_attach phase while holding the RTNL lock, then attempting to acquire the triggers_list_lock, while the netdev LED trigger code does the reverse-holding triggers_list_lock and attempting to acquire RTNL. This deadlock affects all Linux kernel versions with the affected PHY and LED trigger subsystems enabled (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), and while not directly exploitable for privilege escalation, it can be triggered to cause a system hang or denial of service by users with network configuration privileges or via userspace LED sysfs writes.

A use-of-uninitialized-variable vulnerability exists in the Linux kernel's radiotap parser that can lead to information disclosure when processing radiotap frames with undefined fields. The vulnerability affects all Linux kernel versions using the radiotap namespace parser (cpe:2.3:a:linux:linux) and occurs when undefined radiotap field 18 is present, causing the iterator->_next_ns_data variable to be compared against an uninitialized value. While no CVSS score or EPSS data is currently available and there is no indication of active exploitation, the vulnerability has been patched across multiple kernel branches as evidenced by six distinct commit fixes.

The Linux kernel kalmia USB driver fails to validate that connected USB devices have the required endpoints before binding to them, allowing a malicious or malformed USB device to trigger a kernel crash during endpoint access. This denial-of-service vulnerability affects all Linux kernel versions running the kalmia driver (net/usb/kalmia.c) and requires physical USB device connection or local control of USB device enumeration. While no CVSS score or EPSS probability is formally assigned, the vulnerability has been patched across multiple stable kernel branches, indicating recognition of the issue's severity.

The Linux kernel's ksmbd (SMB server implementation) component uses the non-constant-time memcmp() function to compare Message Authentication Codes (MACs) instead of the cryptographically-secure crypto_memneq() function, enabling timing-based attacks to leak authentication credentials. All Linux kernel versions with ksmbd are affected, allowing attackers to potentially forge authentication by measuring response time differences during MAC validation. While no public exploit code is confirmed, multiple stable kernel branches have received patches addressing this vulnerability, indicating kernel maintainers treated this as a legitimate information disclosure risk.

A locking initialization vulnerability exists in the Linux kernel's CAN BCM (Broadcast Manager) socket implementation where the bcm_tx_lock spinlock is not properly initialized in the RX setup path, creating a race condition when RX_RTR_FRAME flag processing attempts to transmit frames. This affects all Linux kernel versions with the vulnerable CAN BCM code, and while no public exploit is known, the vulnerability could lead to kernel memory corruption or denial of service if the uninitialized lock is accessed during concurrent RTR frame handling.

This vulnerability is a race condition in the Linux kernel's PCI Designware endpoint driver where MSI-X interrupt writes to the host can complete after the corresponding Address Translation Unit (ATU) entry is unmapped, potentially corrupting host memory or triggering IOMMU errors. The vulnerability affects all Linux kernel versions with the vulnerable code path in the PCI DWC endpoint implementation (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), specifically impacting systems using PCI endpoint devices with MSI-X interrupt support such as NVMe-PCI endpoint function drivers. An attacker with the ability to trigger high-frequency MSI-X interrupts from a malicious endpoint device could exploit this race condition to cause denial of service through IOMMU faults or potentially corrupt host memory.

This vulnerability is a resource leak in the Linux kernel's NVMe driver where the admin queue is not properly released during controller reset operations. Systems running affected Linux kernel versions are vulnerable to denial of service through memory exhaustion when NVMe controllers reset repeatedly. While no active exploitation in the wild has been reported and CVSS/EPSS scores are not yet published, the issue affects all Linux distributions and is resolved through kernel patching with fixes available across multiple stable branches.

A stack-out-of-bounds write vulnerability exists in the Linux kernel's BPF devmap implementation where the get_upper_ifindexes() function iterates over upper network devices without properly validating buffer bounds. An attacker with the ability to create multiple virtual network devices (e.g., more than 8 macvlans) and trigger XDP packet processing with BPF_F_BROADCAST and BPF_F_EXCLUDE_INGRESS flags can write beyond allocated stack memory, potentially causing denial of service or arbitrary code execution. The vulnerability affects all Linux kernel versions using the vulnerable devmap code path and has been patched across multiple stable kernel branches, indicating recognition as a real security concern requiring immediate updates.

A use-of-uninitialized-variable vulnerability exists in the Linux kernel's AMD GPU (drm/amdgpu) driver, specifically in the slot reset error handling path. When device recovery fails after a slot reset is called, the code branches to error handling logic that references an uninitialized hive pointer and accesses an uninitialized list, potentially leading to information disclosure or system instability. This affects Linux kernel versions across multiple stable branches, with patches available in the referenced commits.

A deadlock vulnerability exists in the Linux kernel's mcp251x CAN bus driver where the mcp251x_open() function calls free_irq() while holding the mpc_lock mutex during error handling, causing the function to deadlock if an interrupt occurs simultaneously. This affects all Linux kernel versions with the vulnerable mcp251x driver code, and while not actively exploited in the wild (no KEV status indicates no in-the-wild exploitation), it represents a local denial of service condition where a user with appropriate device access can trigger driver initialization failures that hang the system.

This vulnerability is a race condition in the Linux kernel's libata subsystem where pending work is not properly canceled after clearing a deferred queue command (deferred_qc), leading to a WARN_ON() condition when the stale work eventually executes. The vulnerability affects all Linux kernel versions with the vulnerable libata code path, impacting systems using ATA/SATA disk controllers. An attacker with local access could trigger this condition through specific command sequences involving NCQ and non-NCQ commands, causing kernel warnings and potential system instability, though direct privilege escalation is not demonstrated.

This vulnerability is a speculative execution safety flaw in the Linux kernel's x86 FRED (Flexible Return and Event Delivery) interrupt handling code where array_index_nospec() is incorrectly positioned, allowing speculative memory predictions to leak sensitive information through side-channel attacks. The vulnerability affects all Linux kernel versions with FRED support (primarily x86-64 systems with newer Intel/AMD processors). An attacker with local access could potentially infer sensitive kernel memory values through timing or covert channel attacks exploiting the unsafe speculation window.

A null pointer dereference vulnerability exists in the Linux kernel's ice network driver that crashes the system during ethtool offline loopback tests. The vulnerability affects Linux kernel versions running the ice driver (Intel Ethernet Controller driver), and an attacker with local access and CAP_NET_ADMIN privileges can trigger a kernel panic (denial of service) by executing ethtool loopback self-tests. No active exploitation or public POC has been reported; patches are available in stable kernel releases.

A memory management vulnerability in the Linux kernel's EFI boot services implementation causes a leak of approximately 140MB of RAM on systems with CONFIG_DEFERRED_STRUCT_PAGE_INIT enabled, particularly affecting resource-constrained EC2 instances with 512MB total RAM. The vulnerability occurs when efi_free_boot_services() attempts to free EFI boot services memory before the kernel's deferred memory map initialization is complete, resulting in freed pages being skipped and never returned to the memory pool. This is a kernel-level memory exhaustion issue affecting all Linux distributions, though impact is most severe on systems with minimal RAM; no active exploitation or proof-of-concept has been identified as this is a resource leak rather than a code execution vector.

A use-after-free vulnerability exists in the Linux kernel's netfilter nft_set_pipapo (Pipelined Packet Processing) set type garbage collection mechanism. The vulnerability allows local attackers to trigger denial of service through soft lockup warnings and RCU stall reports by creating a large number of expired elements that trigger prolonged, non-preemptible garbage collection operations. The affected product is the Linux kernel across all versions, with patches available in the stable series via multiple commit references.

A resource management vulnerability exists in the Linux kernel's DRM/XE (Intel Graphics Execution Manager) queue initialization code where the finalization function is not called when execution queue creation fails, leaving the queue registered in the GuC (GPU Unified Compute) list and potentially causing invalid memory references. This affects all Linux kernel versions containing the vulnerable DRM/XE driver code. The vulnerability could lead to memory corruption or system instability when an exec queue creation failure occurs, though exploitation would require local kernel code execution capability or ability to trigger queue creation failures.

A NULL pointer dereference vulnerability exists in the Linux kernel's HID pidff (PID force feedback) driver due to incomplete clearing of conditional effect bits from the ffbit field. This affects all Linux kernel versions using the vulnerable pidff driver code. An attacker with local access to a system with a connected force feedback HID device could trigger a kernel panic, causing a denial of service. No CVSS score, EPSS score, or active KEV status is currently available, but three stable kernel commits addressing this issue have been merged, indicating the vulnerability has been formally patched.

A race condition exists in the Linux kernel's CXL (Compute Express Link) subsystem where the nvdimm_bus object can be invalidated while orphaned nvdimm objects attempt to reprobe, leading to a NULL pointer dereference in kobject_get() during device registration. This affects Linux kernels with CXL support enabled, allowing a local attacker or system administrator to trigger a kernel panic (denial of service) through module unload/reload sequences or specific timing during CXL ACPI probe operations. No active exploitation in the wild has been reported, but the vulnerability is easily reproducible via the cxl-translate.sh unit test with minimal timing manipulation.

A memory access protection bypass vulnerability exists in the Linux kernel's ARM64 ioremap_prot() function where user-space page protection attributes are improperly propagated to kernel-space I/O remapping, bypassing Privileged Access Never (PAN) protections and enabling information disclosure. This affects all Linux kernel versions on ARM64 systems with PAN enabled. An attacker with local access can trigger memory access faults and potentially read sensitive kernel memory through operations like accessing /proc/[pid]/environ on vulnerable systems.

A memory protection vulnerability exists in the Linux kernel's ARM64 Guarded Control Stack (GCS) implementation when FEAT_LPA2 (52-bit virtual addressing) is enabled. The vulnerability occurs because GCS page table entries incorrectly use the PTE_SHARED bits (0b11) in positions that are repurposed for high-order address bits when LPA2 is active, causing page table corruption and kernel panics during GCS memory operations. This affects all Linux kernel versions with GCS support on ARM64 systems with LPA2 enabled, and while no active exploitation or public POC has been reported, the vulnerability causes immediate kernel crashes when GCS is enabled on affected hardware configurations.

A memory corruption vulnerability exists in the Linux kernel's XDP (eXpress Data Path) subsystem where negative tailroom calculations are incorrectly reported as large unsigned integers, allowing buffer overflows during tail growth operations. This affects Linux kernel versions across multiple stable branches when certain Ethernet drivers (notably ixgbevf) report incorrect DMA write sizes, leading to heap corruption, segmentation faults, and general protection faults as demonstrated in the xskxceiver test utility. The vulnerability has no CVSS score assigned and shows no active KEV exploitation status, but represents a critical memory safety issue affecting systems using XDP with affected Ethernet drivers.

A race condition exists in the Linux kernel's eBPF CPU map implementation on PREEMPT_RT systems, where concurrent access to per-CPU packet queues can cause memory corruption and kernel crashes. This vulnerability affects Linux kernel versions across multiple branches and can be triggered by tasks running on the same CPU, potentially allowing local denial of service or information disclosure. A proof-of-concept has been made available via syzkaller, and patches have been released through the official Linux kernel stable repositories.

A use-after-free (UAF) vulnerability exists in the Linux kernel's network queue discipline (qdisc) subsystem when shrinking the number of transmit queues on network interfaces. The vulnerability occurs because qdisc_reset_all_tx_gt() can reset and free skb buffers concurrently with the lockless dequeue path (qdisc_run_begin/end), allowing freed memory to be accessed during packet dequeuing. All Linux kernels with lockless qdisc support are affected, and the vulnerability has been demonstrated via a practical reproduction case involving virtio-net devices under heavy traffic while changing queue pair counts. Multiple stable kernel patches are available addressing the issue.

A memory leak vulnerability exists in the Linux kernel's NFC NCI subsystem where the nci_transceive() function fails to free socket buffer (skb) objects on three early error paths (-EPROTO, -EINVAL, -EBUSY), causing kernel memory exhaustion over time. The vulnerability affects all Linux kernel versions with the vulnerable code in the NFC NCI driver, impacting any system with NFC capabilities that processes malformed or resource-constrained NCI transactions. While not directly exploitable for code execution, attackers can trigger memory exhaustion leading to denial of service by sending specially crafted NFC messages that trigger the error paths, and the vulnerability has been confirmed in kernel self-tests via kmemleak detection.

This vulnerability allows userspace applications to trivially trigger kernel warning backtraces in the AMD GPU (amdgpu) driver's user queue (userq) implementation by passing intentionally small num_fences values or exploiting legitimate growth between successive ioctl calls. While not a traditional security vulnerability enabling code execution or data theft, it constitutes an information disclosure issue through kernel log pollution and denial-of-service potential via warning spam. The Linux kernel across all versions utilizing the affected amdgpu userq code path is impacted, though the actual attack surface is limited to systems with AMD GPUs and unprivileged users with access to the amdgpu device interface.

A memory leak vulnerability exists in the Linux kernel's pinctrl subsystem within the pinconf_generic_parse_dt_config() function. When the parse_dt_cfg() function fails, the code returns directly without executing cleanup logic, causing the cfg buffer to be leaked. This affects all Linux kernel versions containing the vulnerable pinctrl-generic code, and while the vulnerability itself does not enable direct code execution, it can lead to denial of service through memory exhaustion over time as the kernel gradually loses available memory.

A use-after-free vulnerability exists in the Linux kernel's cfg80211 WiFi subsystem where the rfkill_block work queue is not properly cancelled during wireless device (wiphy) unregistration, allowing a worker thread to access freed memory. This affects all Linux kernel versions in the cfg80211 module (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), and while no CVSS score or EPSS data is available, the vulnerability can trigger a kernel crash or information disclosure when a WiFi device is removed while rfkill operations are pending.

A buffer handling vulnerability exists in the Linux kernel's CAN USB f81604 driver where improperly sized interrupt URB (USB Request Block) messages are not validated before processing, potentially leading to information disclosure or memory corruption. All Linux kernel versions with the affected CAN f81604 USB driver are impacted. An attacker with physical access to a malicious USB device or local system access could trigger abnormal URB message handling to leak kernel memory or cause denial of service. This vulnerability is not currently listed as actively exploited in known vulnerability databases, and no public proof-of-concept has been widely circulated, though patches are available across multiple kernel stable branches.

A validation bypass vulnerability exists in the Linux kernel's netfilter nft_set_rbtree module that fails to properly validate overlapping open intervals in packet filtering rule sets. This affects all Linux distributions running vulnerable kernel versions, allowing local or remote attackers with network configuration privileges to bypass firewall rules through malformed interval specifications. The vulnerability is classified as an information disclosure issue and has been patched upstream, though no active exploitation in the wild has been documented.

A NULL pointer dereference vulnerability exists in the Linux kernel's intel_pstate CPU frequency scaling driver that crashes the system when turbo boost is disabled on systems with CPU count limitations. This affects Linux kernel versions across multiple releases where the system is booted with 'nosmt' or 'maxcpus' kernel parameters and a user or administrator attempts to disable turbo via sysfs. An unprivileged local attacker with write access to /sys/devices/system/cpu/intel_pstate/no_turbo can trigger a kernel panic, resulting in denial of service. The vulnerability has been patched and fixes are available across multiple stable kernel branches.

A resource management vulnerability in the Linux kernel UDP implementation causes improper handling of socket state during disconnect operations. When a UDP socket is bound to a wildcard address, connected to a remote peer, and then disconnected, the kernel fails to properly remove the socket from the 4-tuple hash table, leaving stale entries that can lead to information disclosure or denial of service conditions. All Linux kernel versions using the affected UDP code path are impacted, with patches available through the Linux kernel stable tree.

A memory leak vulnerability exists in the Linux kernel's NFC (Near Field Communication) NCI subsystem where pending data exchange operations are not properly completed when a device is closed, causing socket references to be held indefinitely. This affects all Linux kernel versions with the vulnerable NFC NCI code path. An attacker with local access to NFC functionality could trigger repeated device close operations to exhaust memory resources, leading to denial of service. While no CVSS score or EPSS data is currently available, the issue is being actively addressed through kernel patches as evidenced by multiple commit references.

A null pointer dereference vulnerability exists in the Linux kernel's libie firmware logging module where the libie_fwlog_deinit() function attempts to unroll firmware logging structures even when logging was never properly initialized, causing kernel panics during driver unload. This affects the ixgbe driver and potentially other devices using the libie_fwlog module across multiple Linux kernel versions. An unprivileged local attacker with module unload capabilities can trigger a denial of service by unloading the affected driver, as demonstrated through rmmod operations in recovery mode.

A buffer over-read vulnerability exists in the Linux kernel's CXL mailbox command handler where the cxl_payload_from_user_allowed() function casts and dereferences user-supplied payload data without first validating its size. An unprivileged local attacker can send a raw mailbox command with an undersized payload (e.g., 1 byte instead of the expected 16 bytes for CXL_MBOX_OP_CLEAR_LOG) to trigger a kernel memory read past the allocated buffer, causing a KASAN splat and potential denial of service. While not yet listed in the KEV catalog or with public EPSS/CVSS scoring, patch commits are available in the Linux stable kernel repositories, indicating the vulnerability has been resolved upstream.

A resource leak vulnerability exists in the Linux kernel's ETAS ES58X USB CAN driver where URBs (USB Request Blocks) submitted in the read bulk callback are not properly anchored before submission, potentially causing memory leaks when usb_kill_anchored_urbs() is invoked. This affects all Linux kernel versions running the etas_es58x driver. An attacker with local access to trigger device disconnection or system shutdown could cause kernel memory exhaustion through repeated URB leaks, leading to denial of service or information disclosure of kernel memory contents.

The Apple Silicon SMC hwmon driver (macsmc-hwmon) in the Linux kernel contains critical memory safety bugs in sensor population and float conversion logic. Specifically, voltage sensors are incorrectly registered to the temperature sensor array, and float-to-32-bit conversion has flawed exponent handling, potentially leading to out-of-bounds memory access, data corruption, or incorrect fan control on affected Apple Silicon systems. The vulnerability affects Linux kernel versions with the macsmc-hwmon driver and has been patched; no active exploitation or POC is currently known, but the nature of the bugs suggests high real-world risk for systems relying on thermal management.

A use-after-free and list corruption vulnerability exists in the Linux kernel's IPMI (Intelligent Platform Management Interface) subsystem when the SMI sender returns an error. The vulnerability affects all Linux kernel versions with the vulnerable IPMI code path, allowing local attackers or processes with IPMI access to trigger denial of service conditions through list corruption and NULL pointer dereferences. The vulnerability is not currently listed in CISA's KEV catalog, and no CVSS or EPSS scores have been published; however, the technical nature indicates high reliability for exploitation by local actors with kernel interface access.

A logic error in the Linux kernel's MPTCP (MultiPath TCP) path management subsystem fails to properly track endpoint usage state when an endpoint is configured with both 'signal' and 'subflow' flags and subsequently removed. This causes a kernel warning and potential state inconsistency in the MPTCP connection management code. The vulnerability affects Linux kernel versions and is triggered through netlink socket manipulation by unprivileged users, potentially leading to denial of service or unexpected kernel behavior.

A lifecycle management vulnerability in the Linux kernel's USB NCM (Network Control Model) gadget function causes the network device to outlive its parent gadget device, resulting in NULL pointer dereferences and dangling sysfs symlinks when the USB gadget is disconnected. This affects all Linux kernel versions with the vulnerable USB gadget NCM implementation, and an attacker with local access to trigger USB gadget bind/unbind cycles can cause a kernel panic (denial of service). No CVSS vector, EPSS score, or active KEV status is available, but patches are confirmed available in the Linux stable tree.

A use-after-free (UAF) vulnerability exists in the Linux kernel's BPF subsystem within the bpf_trampoline_link_cgroup_shim function, where a race condition allows a process to reference memory after it has been freed. An attacker with CAP_BPF or CAP_PERFMON capabilities can trigger this vulnerability to cause a kernel crash (denial of service). A proof-of-concept has been demonstrated by the reporter, showing the bug can be reliably reproduced; the vulnerability is not listed on the CISA KEV catalog but affects all Linux kernel versions until patched.

A logic error in the Linux kernel's drm/vmwgfx driver causes the vmw_translate_ptr functions to return success when pointer lookups actually fail, because the error handling was not updated when the underlying lookup function's return mechanism changed from returning a pointer to returning an error code with pointer as an out parameter. This allows uninitialized pointer dereferences and out-of-bounds memory access when the functions incorrectly report success, potentially enabling information disclosure or privilege escalation via the VMware graphics driver.

A memory alignment fault vulnerability exists in the Linux kernel's IPv4 multipath routing hash seed implementation that causes kernel panics on ARM64 systems when compiled with Clang and Link Time Optimization (LTO) enabled. The vulnerability affects all Linux kernel versions with the vulnerable code path in net/ipv4/route.c, specifically impacting ARM64 architectures where strict alignment requirements for Load-Acquire instructions are enforced. An attacker with local access or ability to trigger multipath hash operations could cause a denial of service by crashing the kernel, though no active exploitation has been reported in the wild.

A device node reference leak exists in the Linux kernel's bq257xx regulator driver within the bq257xx_reg_dt_parse_gpio() function. When the function fails to retrieve a subchild device node, it returns prematurely without properly releasing the reference via of_node_put(child), causing a memory leak. This affects all Linux kernel versions containing this vulnerable code path in the bq257xx regulator driver, and while not directly exploitable for code execution, the memory leak can be triggered repeatedly to degrade system stability and availability.

A preempt count leak exists in the Linux kernel's i40e network driver within the napi poll tracepoint implementation, where get_cpu() is called without a corresponding put_cpu() to restore the preempt count. This affects all Linux kernel versions containing the vulnerable i40e driver code and can cause kernel accounting errors and potential system instability when the tracepoint is enabled. The vulnerability has no known active exploitation or public proof-of-concept code, and while not formally scored with CVSS, it represents a moderate kernel reliability issue that has persisted undetected for over three years.

The Linux kernel's kaweth USB driver fails to validate that probed USB devices have the expected number and types of endpoints before binding to them, allowing a malicious or malformed USB device to cause a kernel crash when the driver blindly accesses non-existent endpoints. This denial-of-service vulnerability affects Linux kernel versions across multiple stable branches and can be triggered by any user with the ability to connect a crafted USB device to a system running the vulnerable kernel. While CVSS and EPSS scores are not available, the vulnerability represents a straightforward crash vector with no reported active exploitation but patches are available across multiple kernel versions.

A lockdep-detected invalid wait context vulnerability exists in the Linux kernel's performance event scheduling subsystem, specifically in the ctx_sched_in() function when handling pinned events. The vulnerability affects all Linux kernel versions (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) and arises when the kernel attempts to acquire a wait-queue lock while already holding a perf-context lock, violating lock ordering rules and potentially causing system hangs or crashes. This is a kernel-level synchronization bug that can be triggered by unprivileged users with access to perf event tracing capabilities, though active exploitation in the wild has not been documented.