Skip to main content

Linux

12817 CVEs vendor

Monthly

CVE-2026-53284 HIGH PATCH This Week

Improper error handling in the btrfs filesystem's transaction commit path (btrfs_write_and_wait_transaction) lets a failed metadata writeout leave dirty extent buffers uncleaned, forcing the filesystem read-only and triggering kernel warnings at unmount. The flaw affects Linux kernels prior to 6.18.33, 7.0.10, and 7.1 and is an availability/data-integrity issue on btrfs volumes, with no confidentiality impact despite an 'Information Disclosure' tag in the source data. There is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.17%, 6th percentile).

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-53283 MEDIUM PATCH This Month

Boot-time kernel crash in Linux 6.16+ on AMD IOMMU-equipped systems causes a General Protection Fault when a PCI device whose Bus:Device.Function address is absent from the ACPI IVRS table is encountered during IOMMU initialization. The root cause is a missing bounds check in __rlookup_amd_iommu() that was latent until commit e874c666b15b changed the rlookup_table allocation from a zeroed page-order block (which returned NULL on overrun) to a tight kvcalloc(), causing adjacent slab contents to be dereferenced as a valid struct amd_iommu pointer. The result is a non-recoverable GPF at boot time, confirmed in production on Google Compute Engine ct6e VMs; no public exploit code and no CISA KEV listing exist at time of analysis.

Google Linux Amd Canonical Denial Of Service +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53282 MEDIUM PATCH This Month

Stack access fault in the x86/kexec purgatory handoff crashes non-kjump kexec operations on affected Linux kernel versions, resulting in a local denial of service. A prior regression removed a 'gratuitous' stack push in the non-kjump path; however, the purgatory code shipped by kexec-tools still reads above its stack top expecting that return address, triggering a memory fault that aborts the kexec reboot or crashes the system. No public exploit exists and EPSS sits at the 6th percentile, placing this firmly in the reliability-regression category rather than an adversarial attack surface.

Linux Denial Of Service
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53281 HIGH PATCH This Week

Local privilege escalation or denial of service in the Linux kernel's Intel VT-d IOMMU driver (iommu/vt-d) arises from incomplete handling of a missing dev_pasid entry during PASID teardown; an authenticated low-privileged actor able to drive IOMMU/PASID detach operations can trigger a NULL pointer dereference or unbalanced refcount that may decay into a use-after-free. This completes an earlier partial fix (commit 60f030f7418d) and is tagged as Denial of Service. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low at 0.17% (6th percentile).

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53280 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel IOMMU subsystem crashes affected systems during PCI device reset when a default domain allocation has previously failed. Local users with low-privilege access on Linux kernel versions in the 7.0 branch (prior to 7.0.10) and before 7.1 can trigger a kernel panic through the `pci_dev_reset_iommu_done()` function, resulting in a denial of service. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.15% (5th percentile) reflects the low real-world exploitation likelihood given the edge-case hardware precondition and local-only attack vector.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53279 MEDIUM PATCH This Month

Indefinite kernel hang in the Linux kernel's drm/gma500 Oaktrail LVDS display initialization code can be triggered locally on systems with Intel GMA 500/Oaktrail graphics hardware, causing a denial of service requiring a hard reboot. The defect lies in error handling that incorrectly attempts to deregister an I2C adapter obtained via i2c_get_adapter() - which only increments a reference count - rather than restricting cleanup to adapters the driver itself allocated. No public exploit code exists and EPSS is 0.17% (7th percentile), consistent with a niche, largely retired hardware platform.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53278 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel arm_mpam subsystem allows a local low-privileged attacker to crash the kernel by triggering a specific cleanup code path before initialization completes. The flaw exists in __destroy_component_cfg(), which unconditionally dereferences the embedded 'garbage' structure to free the configuration array even when mpam_disable() is called before __allocate_component_cfg() has ever run. No public exploit code exists and the EPSS score of 0.15% (5th percentile) confirms negligible real-world exploitation activity; vendor-supplied patches are available via upstream stable commits.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53277 HIGH PATCH This Week

Local privilege escalation / host compromise risk in the Linux kernel arm64 KVM subsystem arises because __kvm_at_s12() (AT instruction emulation) and __kvm_find_s1_desc_level() invoke the stage-1/nested stage-2 page-table walkers walk_s1() and kvm_walk_nested_s2() without holding kvm->srcu, which those walkers require to guard against concurrent memslot changes. A malicious or compromised guest on an affected arm64 host can race memslot updates against these walks, with CVSS scoring confidentiality, integrity and availability all High under a changed scope (host impact). It is patched in stable trees, EPSS is low (0.17%), and there is no public exploit identified at time of analysis.

Code Injection Linux
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53276 HIGH This Week

Local privilege escalation potential via a use-after-free in the Linux kernel's Bluetooth ISO (Isochronous) subsystem affects kernels through 6.19 and related stable trees. In iso_sock_rebind_bc(), the code caches the hci_conn pointer (bis) and then drops the socket lock to acquire hci_dev_lock; a concurrent close() during this unlocked window can destroy the connection and free the bis structure, so the subsequent hci_dev_lock(bis->hdev) dereferences freed memory. There is no public exploit identified at time of analysis and EPSS is low (0.15%, 5th percentile), but a kernel UAF reachable by a local user warrants timely patching.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53275 HIGH PATCH This Week

Use-after-free in the Linux kernel's IPv6 multicast (MLD) query processing path allows an adjacent-network attacker to corrupt or read freed kernel slab memory by sending a crafted MLD query. The flaw stems from a stale pointer to the multicast group address being dereferenced in __mld_query_work() after pskb_may_pull() reallocated the skb header, confirmed by a KASAN slab-use-after-free report. Carries an 8.8 CVSS (adjacent vector); no public exploit identified at time of analysis and EPSS is low at 0.17% (6th percentile).

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53274 MEDIUM PATCH This Month

Sleep-inside-lock in the Linux kernel's SMC networking subsystem (`__smc_setsockopt()`) allows a local low-privilege user to hold the socket lock indefinitely, exhausting kernel worker threads and triggering the hung task watchdog - producing a local denial of service. Affected systems must have the `net/smc` module loaded and a user-space mechanism (userfaultfd or FUSE) available to stall the in-kernel copy operation. No public exploit has been identified at time of analysis, and EPSS at 0.18% (8th percentile) reflects very low mass-exploitation probability; however, the technique is well-understood in kernel security research.

Linux Denial Of Service
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53273 HIGH PATCH This Week

Local privilege escalation or kernel memory corruption in the Linux kernel's OP-TEE (Trusted Execution Environment) driver arises from a use-after-free in the supplicant request path on ARM TrustZone systems. After commit 70b0d6b0a199 made the client wait killable, a client task can exit and kfree() its request while its ID still lives in supp->idr, so a later supplicant lookup dereferences freed memory. CVSS 7.8 (local, low privilege) with EPSS at 0.17% (7th percentile); no public exploit identified at time of analysis and not listed in CISA KEV.

Linux Denial Of Service Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53272 HIGH PATCH This Week

Use-after-free in the Linux kernel's EROFS filesystem lets a local attacker who can trigger a decompression I/O race during unmount corrupt kernel memory. When z_erofs_decompress_kickoff() queues asynchronous decompression work, a concurrent unmount can free the superblock info (sbi) before the kworker accesses sbi->sync_decompress, producing a CWE-416 use-after-free with high confidentiality, integrity and availability impact (CVSS 7.8). EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis; the flaw is not on CISA KEV.

Memory Corruption Linux Use After Free Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53271 MEDIUM PATCH This Month

NULL pointer dereference in the ksmbd (in-kernel SMB server) subsystem of the Linux kernel causes a remotely triggerable kernel oops, resulting in denial of service. The race condition in smb2_oplock_break_noti() and smb2_lease_break_noti() allows an authenticated SMB client to crash the kernel by racing an SMB2 LOGOFF against an oplock/lease break notification - setting opinfo->conn to NULL in the window after ci->m_lock is dropped, then dereferencing it in ksmbd_conn_r_count_inc(). No public exploit identified at time of analysis; EPSS is very low at 0.16% (6th percentile), and CISA KEV listing is absent.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53270 HIGH PATCH This Week

Use-after-free in the Linux kernel's IPVS (IP Virtual Server) load balancer allows a local privileged user to corrupt kernel memory by editing a virtual service's scheduler. ip_vs_edit_service() cleared svc->scheduler only after the old scheduler module had already initiated RCU callbacks, so in-flight packets could dereference svc->sched_data after it was freed at the end of the RCU grace period. The flaw carries CVSS 7.8 with high confidentiality, integrity, and availability impact; EPSS is low (0.17%, 7th percentile) and there is no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53269 MEDIUM PATCH This Month

Denial-of-service via race condition in the Linux kernel's netfilter synproxy subsystem allows a local low-privileged user to crash the system by triggering concurrent netfilter hook registration. The synproxy infrastructure registers hooks on-demand when iptables targets or nftables expressions are added; without serialization, concurrent additions race on the reference count control blocks, corrupting kernel state. No public exploit exists and EPSS is 7th percentile (0.17%), but any Linux system running a kernel from 5.3 onward with the ability for unprivileged users to manipulate netfilter rules is technically exposed.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53268 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's netfilter IRC connection-tracking helper (nf_conntrack_irc) lets remote attackers leak adjacent kernel memory or crash the host when the parser fails to bail out after matching a DCC command string. The CVSS 3.1 vector (AV:N/PR:N) describes unauthenticated remote reachability with low confidentiality impact and high availability impact, but exploitation is gated on the legacy IRC conntrack helper being loaded and assigned to traffic - a non-default condition on most modern systems. There is no public exploit identified at time of analysis, EPSS is low (0.17%, 7th percentile), and the issue is not on CISA KEV.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-53267 HIGH PATCH This Week

Stack-based out-of-bounds write in the Linux kernel netfilter nf_tables conntrack (nft_ct) module lets a local actor with rule-loading capability corrupt the kernel stack, enabling privilege escalation or denial of service. When an nftables ruleset attaches a per-CPU template conntrack (e.g. via 'ct zone set') and a subsequent 'ct original/reply' load expression runs on the same packet, nft_ct_get_eval() mistakes the zeroed template ct for a real conntrack and performs a 16-byte memcpy bounded by an untrusted field, overflowing struct nft_regs on the kernel stack. No public exploit identified at time of analysis, though a historic syzkaller report demonstrates the crash; EPSS risk is low (0.16%, 6th percentile).

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53266 HIGH PATCH This Week

Out-of-bounds/illegitimate write in the Linux kernel's bridge netfilter ebtables SNAT target (ebt_snat) lets the optional ARP sender-hardware-address rewrite copy a MAC address into a non-linear skb fragment that is still backed by a splice-imported file page, corrupting memory the kernel should not write to. The flaw affects systems using the bridge ebtables SNAT target with ARP rewrite enabled; the fix makes the ARP SHA range writable via skb_ensure_writable() before skb_store_bits() runs. There is no public exploit identified at time of analysis and EPSS is low (0.17%), but CVSS is rated 8.8 with a scope change reflecting the cross-context write.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53265 HIGH PATCH This Week

Local privilege-escalation/memory-corruption in the Linux kernel device-mapper dm-cache 'smq' policy allows a low-privileged local user to trigger a check-then-act race in smq_invalidate_mapping(). The e->allocated predicate was evaluated outside mq->lock, so two concurrent cache-block invalidators can both see an entry as allocated and free it twice, corrupting the SMQ queues/hash table and tripping the allocation assertion in free_entry(). No public exploit is identified at time of analysis and EPSS exploitation probability is low (0.17%, 7th percentile); the issue is not listed in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53264 HIGH PATCH This Week

Local privilege-bearing users can trigger a use-after-free in the Linux kernel's net/sched action subsystem (act_api) by racing concurrent NEWTFILTER and DELFILTER operations, where an action object can be kfree()'d immediately on one CPU while another CPU still holds an RCU-protected reference and calls refcount_inc_not_zero() on freed memory. Affecting the tc action lifecycle, exploitation can corrupt kernel memory and lead to local privilege escalation or denial of service (kernel panic). This issue has no public exploit identified at time of analysis and carries a low EPSS exploitation probability (0.17%, 7th percentile).

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53263 MEDIUM PATCH This Month

Kernel stack memory disclosure and multicast address corruption in the Linux kernel's 6lowpan IPHC subsystem affects all deployments running the vulnerable code path from commit 5609c185f24d onward. A local unprivileged user on a system with an active 6lowpan interface can trigger `lowpan_iphc_mcast_ctx_addr_compress()` to transmit uninitialized kernel stack bytes over the 6lowpan link layer while also corrupting the RIID field in compressed multicast addresses, breaking multicast connectivity. No public exploit identified at time of analysis; EPSS is 0.17% (7th percentile), and this is not listed in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53262 HIGH PATCH This Week

Local privilege escalation via use-after-free in the Linux kernel's L2TP PPP (pppol2tp) subsystem allows a low-privileged local user holding a pppol2tp socket to corrupt freed kernel memory. The flaw is a race in pppol2tp_ioctl(), where sk_user_data was dereferenced without reference counting; an attacker stalls the ioctl mid-copy (e.g. via a userfaultfd page-fault sleep) while concurrently closing the socket, freeing the l2tp_session and leaving a dangling pointer. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.16%, 6th percentile).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53261 MEDIUM PATCH This Month

Memory leak in the Linux kernel devlink subsystem allows a local low-privileged user to trigger resource exhaustion by inducing a Sub-Function (SF) probe failure, leaving a nested devlink relation unreleased. The flaw occurs because devlink_free() does not clear devlink->rel when an instance fails probe before reaching devl_register(), bypassing the normal cleanup path in devl_unregister(). No public exploit has been identified and EPSS is 0.16% (6th percentile), consistent with a low-real-world-risk kernel memory management defect; patch is available across multiple stable branches.

Linux Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53260 CRITICAL Act Now

Denial of service and potential memory corruption in the Linux kernel TCP stack arises from a refcount underflow / use-after-free in reqsk_queue_hash_req(), affecting kernels built with PREEMPT_RT (real-time preemption). On affected systems a request socket (reqsk) can lose both its ehash and timer reference counts when reqsk_queue_hash_req() is preempted between mod_timer() and refcount_set(), letting reqsk_timer_handler() drop the object twice and trigger a use-after-free flagged by refcount_warn_saturate. The fix was reported via syzbot fuzzing; there is no public weaponized exploit identified at time of analysis and the EPSS score is very low (0.15%, 5th percentile), and despite the NVD 9.8 score real-world exploitability is constrained to PREEMPT_RT kernels and a narrow timing window.

Linux Information Disclosure Google Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53259 HIGH PATCH This Week

Memory corruption via a use-after-free in the Linux kernel's IPv6 anycast subsystem allows a local attacker to read freed slab memory and potentially corrupt kernel state. The flaw lives in __ipv6_dev_ac_inc()/ipv6_add_acaddr_hash(), where an ifacaddr6 (aca) object is published into the global inet6_acaddr_lst[] hash outside idev->lock, opening a race with device teardown (ipv6_ac_destroy_dev) that frees the object while it is still linked in the RCU-walked hash. EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis, but the vendor has shipped a fix.

Linux Information Disclosure Google Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53258 MEDIUM This Month

Memory leak in the Linux kernel wifi cfg80211 subsystem allows a local low-privileged user to cause gradual kernel memory exhaustion by repeatedly triggering failed 6 GHz split scans. The leaked object is a 512-byte allocation in rdev->int_scan_req that escapes the cleanup path in ___cfg80211_scan_done() because rdev->scan_req is NULL at freeing time, causing an early return. No public exploit has been identified; EPSS of 0.16% (6th percentile) reflects very low real-world exploitation probability, and this vulnerability is not listed in CISA KEV.

Linux Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53257 MEDIUM PATCH This Month

Kernel crash in Linux cfg80211 WiFi subsystem occurs when EHT (Wi-Fi 7 / 802.11be) capability elements are present without matching EHT operation elements, triggering a null pointer dereference in mac80211 and causing a denial of service. Systems running affected kernel versions with Wi-Fi 7 hardware are at risk of a local-privilege kernel panic with no confidentiality or integrity impact. EPSS is extremely low at 0.15% (5th percentile) and no public exploit has been identified; this is not listed in CISA KEV.

Linux Denial Of Service
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53256 HIGH PATCH This Week

Use-after-free in the Linux kernel's Bluetooth RFCOMM subsystem allows an attacker within Bluetooth range to corrupt kernel memory by racing an incoming RFCOMM connection against the close of a listener socket. The flaw lives in rfcomm_connect_ind(), which uses a listener socket returned by rfcomm_get_sock_by_channel() after the protecting list lock is dropped and without taking a reference, so a concurrent rfcomm_sock_release() can free the parent socket before it is locked and a child is enqueued. KASAN confirmed a slab-use-after-free in lock_sock_nested(); EPSS is low (0.17%, 7th percentile), there is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
8.0
EPSS
0.2%
CVE-2026-53255 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel Bluetooth management (MGMT) interface lets a local user with Bluetooth privileges trigger a one-byte read past the advertising-data buffer by submitting a malformed MGMT_OP_ADD_ADVERTISING request. The flaw lives in tlv_data_is_valid(), which inspects the type octet at data[i+1] before confirming the current TLV element fits in the buffer; KASAN flags it as a vmalloc-out-of-bounds read. No public exploit identified at time of analysis and EPSS risk is low (0.17%), consistent with a local-only kernel memory-safety bug rather than a remotely weaponizable one.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53254 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's Bluetooth RFCOMM stack allows a malicious paired or in-range remote device to leak adjacent kernel memory or crash the host by sending truncated MCC (Multiplexer Control Channel) frames. The RFCOMM MCC handlers cast skb->data to protocol structs without first checking skb->len, so short frames cause reads past the buffer; impact is confidentiality and availability loss (CVSS 8.1). There is no public exploit identified at time of analysis and EPSS estimates exploitation probability at just 0.18%.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-53253 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's Bluetooth BNEP (Bluetooth Network Encapsulation Protocol) subsystem allows an adjacent attacker to crash the kernel by sending a malformed short BNEP frame over an established PAN connection. The flaw in bnep_rx_frame()/bnep_rx_control() in net/bluetooth/bnep/core.c reads the packet-type, control-opcode, and setup UUID-size bytes before confirming they are present, producing a KASAN-confirmed slab-out-of-bounds read past a 1-byte kmalloc-8 allocation. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.18%, 8th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53252 MEDIUM PATCH This Month

Percpu memory leak in the Linux kernel Bluetooth subsystem allows a local low-privileged user to exhaust kernel memory by repeatedly triggering early failures in Bluetooth HCI UART device initialization. Affected kernels spanning stable branches from 5.10 through 6.16-rc4 fail to invoke cleanup_srcu_struct() when hci_register_dev() never completes, causing the SRCU struct allocated early in hci_alloc_dev() to persist indefinitely. No public exploit code has been identified at time of analysis, and EPSS at 0.19% (9th percentile) reflects negligible exploitation interest; however the availability impact is rated High by NVD given the potential for kernel memory exhaustion.

Linux Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53251 MEDIUM PATCH This Month

Reference leak in the Linux kernel Bluetooth ISO subsystem allows a local low-privileged user to exhaust kernel resources and cause a denial of service. The `iso_conn_big_sync` function acquires an `hci_dev` reference via `hci_dev_hold()` through `hci_get_route()` but never releases it, violating the borrow contract. No active exploitation has been confirmed and EPSS is very low at 0.18% (7th percentile), but the affected surface - the BLE Audio Broadcast Isochronous Group (BIG) synchronization path - is present on any Linux system with a Bluetooth controller.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53250 HIGH PATCH This Week

Out-of-bounds kernel memory access in the Linux kernel's AF_XDP (xsk) transmit path allows a local low-privileged process to bypass bounds checking on TX checksum metadata. Because csum_start/csum_offset live in a userspace-mapped UMEM buffer, a malicious application could race to overwrite them between the validation read and the assignment read in xsk_skb_metadata(), defeating the bounds check during checksum computation. No public exploit identified at time of analysis; EPSS is low (0.18%, 8th percentile), consistent with a local-only kernel race rather than a mass-exploited remote bug.

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53249 MEDIUM PATCH This Month

Unprivileged local users on Linux systems running unpatched kernels can set IPOPT_SSRR (Strict Source and Record Route) and IPOPT_LSRR (Loose Source and Record Route) IPv4 options without the CAP_NET_RAW capability, enabling them to force outbound packets through attacker-controlled network nodes and leak TCP Initial Sequence Numbers (ISN) along with other protocol metadata. Affected systems span Linux kernel versions from 2.6.12 through multiple stable branches prior to their respective patch releases. No public exploit has been identified at time of analysis, and EPSS remains at 0.18% (8th percentile), indicating low automated exploitation risk.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53248 HIGH PATCH This Week

Use-after-free in the Linux kernel's Airoha (airoha_eth) network driver allows memory corruption when metadata dst objects are torn down while still referenced by in-flight receive skbs. The airoha_metadata_dst_free() routine called metadata_dst_free()/kfree() directly, bypassing the RCU grace period required by the noref dst pointers set via skb_dst_set_noref() in the RX path, so RCU readers could dereference freed memory. No public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile); the issue is patched in current stable kernels.

Authentication Bypass Linux Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53247 CRITICAL PATCH Act Now

Memory corruption (use-after-free) in the Linux kernel's MediaTek mtk_eth_soc Ethernet driver allows the metadata destination object to be freed via kfree() during driver teardown while the RX path may still hold a non-refcounted (noref) pointer to it from a live skb. Affects systems running the mtk_eth_soc driver (MediaTek SoC networking, common in routers/embedded devices) across multiple kernel branches; the fix routes the free through dst_release() so the RCU grace period is honored. No public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and it is not in CISA KEV - despite the input's nominal CVSS of 9.8.

Authentication Bypass Linux Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53246 CRITICAL PATCH Act Now

Out-of-bounds memory access in the Linux kernel's SCTP stack lets a remote peer corrupt kernel memory by sending a COOKIE_ECHO chunk whose embedded cached INIT chunk advertises an inflated length, which sctp_unpack_cookie() failed to validate against the remaining COOKIE_ECHO buffer before sctp_process_init() walked its parameters. Any host running an SCTP listening server (kernels from 2.6.12 up to the fixed stable releases) is affected, with the kernel-assigned CVSS rating it 9.8/network-unauthenticated, though EPSS is low (0.17%, 7th percentile) and there is no public exploit identified at time of analysis. Impact ranges from out-of-bounds reads to potential heap corruption during STATE_COOKIE handling and kmemdup() copies.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53245 MEDIUM PATCH This Month

Three distinct logic errors in the Linux kernel's MRP (Multiple Registration Protocol) PDU parser `mrp_pdu_parse_vecattr()` allow an attacker to corrupt kernel MRP applicant state and PDU parsing offsets, resulting in denial of service. Affected systems must have the `mrp` kernel module loaded with an active IEEE 802.1ak bridge interface. No public exploit exists and EPSS is 0.18% (8th percentile), reflecting low active targeting, though patches across multiple stable branches are available and should be applied routinely.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53244 HIGH This Week

Denial of service in the Linux kernel's NFSD server affects systems that export filesystems implementing the VFS ->atomic_create operation. A mismatch between the dentry_create() error-handling contract and the newer start_creating()/end_creating() locking pattern means that when ->atomic_create returns an error, nfsd4_create_file() passes an error pointer to end_creating() and never unlocks the parent directory inode, leaving the lock permanently held. This is no public exploit identified at time of analysis, EPSS is low (0.16%, 6th percentile), and it is not in CISA KEV, but the held lock can stall NFS service for all clients.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-53243 MEDIUM PATCH This Month

Uninitialized stack variable use in the Linux kernel's rseq (restartable sequences) subsystem exposes systems to kernel information leak and denial-of-service. The flaw in `rseq_exit_user_update()` arises from a C standard evaluation-order ambiguity in struct initialization, detected by syzbot's KMSAN (Kernel Memory Sanitizer) as a kernel-infoleak. Affected are Linux 7.0.10 through 7.0.12 and 7.1 release candidates rc3-rc6; exploitation requires local low-privilege access, no public exploit exists, and EPSS is very low at 0.16%.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53242 HIGH PATCH This Week

Kernel panic (denial of service) in the Linux kernel ALSA PCM subsystem occurs when snd_pcm_drain() is called on linked (grouped) audio streams that are concurrently unlinked, corrupting wait queue lists and ultimately dereferencing a NULL function pointer. The flaw stems from init_waitqueue_entry/add_wait_queue not clearing list pointers combined with a conditional remove_wait_queue that is skipped after a concurrent UNLINK, leaving an orphaned wait entry that gets added to two queues at once. It is a local-privilege issue requiring access to ALSA PCM devices; no public exploit has been identified at time of analysis and the EPSS score is very low (0.18%).

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53241 MEDIUM PATCH This Month

Stack overread in the Linux kernel ALSA MIDI sequencer dummy client (snd_seq_dummy) allows a local low-privileged user to crash the kernel or potentially leak kernel stack contents by sending a crafted Universal MIDI Packet (UMP) event. The dummy port copies incoming events into a legacy-sized stack temporary, but when the UMP flag remains set the delivery path calls snd_seq_event_packet_size() and copies a larger UMP-sized packet from that undersized allocation, reading past the stack buffer end. No public exploit has been identified and EPSS is 0.18% (7th percentile), placing this firmly in routine-patch rather than emergency-response territory.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53240 HIGH PATCH This Week

Use-after-free in the Linux kernel's XFRM IP-TFS (IPsec Traffic Flow Confidentiality, RFC 9347) inbound reassembly path lets a race between __input_process_payload() and a concurrent iptfs_reassem_cont()/drop_timer handler operate on a freed sk_buff in skbuff_head_cache, causing memory corruption. The flaw affects kernels from 6.14 (where IP-TFS was introduced) running an IPsec SA in IP-TFS mode, and is fixed in stable releases including 6.18.36, 7.0.13 and 7.1. There is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.17%, 7th percentile).

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53239 HIGH PATCH This Week

Local privilege escalation via use-after-free in the Linux kernel's XFRM (IPsec) policy subsystem allows a local low-privileged attacker to corrupt kernel memory by racing XFRM_MSG_DELPOLICY and XFRM_MSG_NEWSPDINFO netlink operations. In xfrm_policy_bysel_ctx(), the inexact policy bin was pruned after dropping xfrm_policy_lock, leaving a window where a concurrent xfrm_hash_rebuild() could kfree_rcu() the same bin, leading to a use-after-free. No public exploit identified at time of analysis; EPSS probability is low (0.18%) and it is not listed in CISA KEV.

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53238 MEDIUM PATCH This Month

Out-of-bounds read in the Linux kernel netlabel subsystem allows a local low-privileged attacker to crash the kernel by submitting a crafted Generic Netlink request with a valid IPv4/IPv6 address attribute paired with a shorter-than-expected mask attribute. The netlbl_unlabel_addrinfo_get() function relied solely on the address attribute length to determine address family, then unconditionally read the mask attribute as a full struct in_addr (4 bytes) or struct in6_addr (16 bytes) without independently validating the mask length. No public exploit or active exploitation has been identified (EPSS 0.18%, 8th percentile); patches are available across all maintained stable branches.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53237 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's Marvell EBU GPIO driver (gpio/mvebu) causes a kernel oops and system crash during suspend/resume operations on Marvell Armada ARM platforms. The flaw affects all stable kernel branches from 4.12 onward where mvebu_pwm_suspend() and mvebu_pwm_resume() are unconditionally invoked for every GPIO bank, including those where mvchip->mvpwm is NULL due to absent PWM hardware. A local authenticated user with sufficient privileges to trigger system suspend can crash the kernel with no recovery, resulting in full availability loss. No public exploit exists and EPSS is 0.18% (7th percentile), reflecting a niche hardware dependency that sharply limits real-world exposure.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53236 MEDIUM PATCH This Month

TCP socket side-channel information disclosure in the Linux kernel allows unprivileged local users to attach classic BPF (cBPF) filters via SO_ATTACH_FILTER to TCP sockets and observe TCP sequence and acknowledgment numbers, potentially enabling session inference or TCP injection assistance. The vulnerability exists because no capability check was enforced before this patch, which now restricts SO_ATTACH_FILTER on TCP sockets to processes holding CAP_NET_ADMIN. No public exploit identified at time of analysis; EPSS stands at 0.18% (8th percentile), and patched releases are available across multiple stable kernel branches including 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, and 7.1.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53235 HIGH PATCH This Week

Remote denial-of-service in the Linux kernel networking stack (GRO path) lets attackers crash a host by triggering a reachable kernel BUG_ON() panic. The flaw lives in skb_gro_receive_list(), which calls skb_pull() without a preceding pskb_may_pull() guard; when frames arrive via napi_gro_frags() with all data in page fragments (skb_headlen == 0) and a non-zero GRO offset, the pull makes skb->len drop below skb->data_len and hits BUG_ON(skb->len < skb->data_len). It affects kernels from 6.10 up to the fixed stable releases, carries CVSS 7.5 (availability-only), has a low EPSS of 0.18% (7th percentile), is not in CISA KEV, and has no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-53234 HIGH This Week

Use-after-free in the Linux kernel's IBM EMAC Ethernet driver (drivers/net/ethernet/ibm/emac) lets in-flight packet processing touch hardware resources that have already been freed during device removal, because devm_register_netdev() deferred unregister_netdev() until after emac_remove() tore down the hardware. A local attacker who can trigger driver unbind/hot-removal while the interface handles traffic can corrupt kernel memory, potentially escalating to code execution or crashing the system. This is a fixed regression window on IBM PowerPC EMAC hardware; no public exploit identified at time of analysis and EPSS risk is low (0.18%, 7th percentile).

Memory Corruption Authentication Bypass Linux Use After Free IBM
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53233 HIGH PATCH This Week

Local memory corruption (double-free) in the Linux kernel netdev generic-netlink interface affects the device-memory RX binding path (netdev_nl_bind_rx_doit) in kernels 7.1-rc1 through 7.1-rc7 and backport-affected stable branches. Because genlmsg_reply() unconditionally consumes the reply skb, the buggy error path then calls nlmsg_free() on that same buffer, freeing it a second time; a local user able to reach the BIND_RX netlink command and force a reply failure can trigger the flaw. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile), consistent with a hard-to-reach error path rather than easy exploitation.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53232 HIGH PATCH This Week

Use of a dangling pointer in the Linux kernel's phylib/SFP networking subsystem occurs when PHY probing fails but sfp_bus_del_upstream() is never called, leaving the sfp-bus 'upstream' field pointing at freed/torn-down state that can be dereferenced during a later SFP hot-plug event. Affected systems are Linux hosts and appliances using PHY drivers with SFP cage support across kernels from 5.5 up to the fix in commit 48774e87. There is no public exploit identified at time of analysis, the EPSS score is very low (0.16%, 5th percentile), and the issue is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53231 MEDIUM PATCH This Month

Deadlock in the Linux kernel PHY networking subsystem (net/phy) allows a local low-privileged user to freeze the networking stack on systems using the generic PHY driver (genphy) with SFP cage hardware. When genphy triggers PHY probing - which occurs while holding the RTNL lock - it erroneously calls sfp_bus_add_upstream(), which itself attempts to acquire RTNL, producing a self-deadlock confirmed by reproduction. No public exploit exists and EPSS is 0.16% (6th percentile), reflecting that exploitation requires an uncommon hardware and driver combination.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53230 HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux mlx5_core driver's mlx5_query_nic_vport_mac_list() function allows a slab-out-of-bounds access when querying a VF vport whose configured MAC-list maximum exceeds the PF's log_max_current_uc/mc_list capability. The driver sizes its firmware command buffer using the PF capabilities rather than the vport's own HCA caps, so an oversized firmware response overflows the buffer during eswitch vport-change handling. This affects systems running NVIDIA/Mellanox ConnectX (mlx5) NICs in SR-IOV/switchdev mode; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 7th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
8.7
EPSS
0.2%
CVE-2026-53229 HIGH PATCH This Week

Resource exhaustion (DMA mapping and xdp_frame leak) in the Linux kernel's mlx5e driver affects systems using AF_XDP (XSK) zero-copy sockets on NVIDIA/Mellanox ConnectX NICs. In the XSK path of mlx5e_xmit_xdp_buff(), an XDP_TX transmit failure (e.g. a full XDP send queue) returns without unmapping the DMA address or freeing the converted xdp_frame, slowly leaking kernel memory and DMA mappings until availability degrades. No public exploit identified at time of analysis; EPSS is low (0.18%, 7th percentile) and the issue is not in CISA KEV, so real-world risk is gradual leakage under heavy XSK workloads rather than direct remote compromise.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-53228 CRITICAL PATCH Act Now

Use-after-free read in the Linux kernel's IPv6 SIT (IPv6-in-IPv4) tunnel transmit path lets a stale inner-IPv6-header pointer be dereferenced after GSO offload processing relocates the skb head, exposing freed kernel memory or crashing the host. The flaw affects systems running SIT tunnels in ipip6_tunnel_xmit(), where iptunnel_handle_offloads() may call pskb_expand_head() and move the buffer while the code keeps reading the old iph6 pointer. There is no public exploit identified at time of analysis; EPSS is low (0.18%, 8th percentile) and the issue is not in CISA KEV. The vendor-tagged impact is Information Disclosure, which is materially narrower than the assigned CVSS 9.8.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53227 MEDIUM PATCH This Month

Invalid pointer free in the Linux kernel's Open vSwitch (OVS) subsystem allows a local low-privileged user to crash the kernel, resulting in denial of service. The net/openvswitch reply skb cleanup code incorrectly assumes allocation always occurs before mutex acquisition; when allocation fails after locking, an ERR_PTR is passed to kfree_skb(), triggering a kernel panic on any host with OVS active. No public exploit has been identified and EPSS is 0.20% (10th percentile), but the crash is likely deterministic once the code path is reached on a vulnerable kernel.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53226 MEDIUM PATCH This Month

Resource leak and use-after-free in the Linux kernel's gpio-rockchip driver can crash the kernel on systems using Rockchip GPIO hardware. The driver's remove path fails to call irq_domain_remove_generic_chips(), leaving allocated generic chip structures unreleased and dangling on the global gc_list. After driver unbind or module removal, IRQ subsystem suspend, resume, or shutdown callbacks may subsequently dereference the freed memory, producing a use-after-free condition and kernel panic. No public exploit exists and EPSS sits at the 7th percentile, indicating very low real-world exploitation probability; however, the availability of upstream fix commits makes patching straightforward.

Linux Denial Of Service
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53225 CRITICAL PATCH Act Now

Out-of-bounds uninitialized-memory read in the Linux kernel SCTP stack lets an unauthenticated network peer trigger the receive path to read up to 16 bytes past a truncated ASCONF address parameter. The flaw lives in __sctp_rcv_asconf_lookup() in net/sctp/input.c, which validates only the ADDIP and parameter headers before calling af->from_addr_param(), trusting the parameter's declared length without bounding the full address against the chunk. No public exploit is identified at time of analysis, and EPSS exploitation probability is low at 0.18% (8th percentile); the issue is already patched upstream and classed as information disclosure.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-53224 CRITICAL PATCH Act Now

Out-of-bounds memory reads in the Linux kernel SCTP stack allow remote attackers to trigger information disclosure and kernel crashes by sending a malformed COOKIE_ECHO chunk. The flaw lives in sctp_unpack_cookie(), which fails to verify that an embedded INIT chunk is large enough for a complete INIT header and does not fully validate raw_addr_list_len, so sctp_process_init() and the address parser read past the cookie payload. EPSS is low (0.21%) and there is no public exploit identified at time of analysis, but the network-reachable, unauthenticated nature (CVSS 9.1) makes it a meaningful patch priority for any host with SCTP in use.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-53223 HIGH PATCH This Week

Local heap disclosure and kernel crash in the Linux kernel networking stack arises because skb_is_err_queue() misidentifies AF_PACKET outgoing-tap skbs as error-queue skbs, letting AF_PACKET control-buffer state be misread as sock_exterr_skb::opt_stats. When timestamping and SO_RXQ_OVFL are enabled, an odd packet-drop counter makes the timestamp cmsg path emit SCM_TIMESTAMPING_OPT_STATS over non-linear skbs, reading past the linear head to leak adjacent kernel heap or trip hardened usercopy (BUG/panic). CVSS is 7.1 (C:H/A:H, local, low-priv); EPSS is low at 0.18% (8th percentile), and there is no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53222 MEDIUM PATCH This Month

Use-after-free in the Linux kernel ptp_ocp driver crashes the kernel during device removal on systems equipped with Open Compute Platform PTP hardware. The teardown function ptp_ocp_detach() frees pin resources before calling ptp_clock_unregister(), which then accesses those freed resources via ptp_disable_all_events(), introduced by commit a60fc3294a37. EPSS is 0.15% (5th percentile) and this vulnerability is not listed in CISA KEV, indicating no public exploitation and very low real-world risk outside specialized environments.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53221 CRITICAL PATCH Act Now

Incorrect tunnel matching in the Linux kernel's IPv6 Virtual Tunnel Interface (vti6) lets the vti6_tnl_lookup() fallback path select the wrong tunnel when an exact match fails, because the wildcard-search loops omitted checks that a candidate tunnel actually holds a wildcard local or remote address. On hosts configured with multiple vti6 tunnels sharing the ip6n->tnls_r_l hash table, hash collisions can cause inbound IPv6/IPsec packets to be associated with an unintended tunnel, enabling traffic misdirection and information disclosure. There is no public exploit identified at time of analysis, EPSS probability is low (0.18%), and the issue is not in CISA KEV; the upstream fix is available across multiple stable kernel branches.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53220 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel netfilter bridge redirect target crashes the kernel when a bridge port is removed or reassigned between an initial NFQUEUE hook invocation and packet reinject. The affected function ebt_redirect_tg() in the ebtables bridge filtering subsystem calls br_port_get_rcu() without guarding against a NULL return, and the additional complexity noted in the fix is that a mere NULL check would still be insufficient - userspace can move the device into a macvlan while the packet is queued, requiring the packet to be dropped entirely. This flaw has existed since commit f350a0a87374418635689471606454abc7beaa3a (kernel 2.6.36), making it a long-standing latent bug. No public exploit identified at time of analysis; EPSS at 0.18% (7th percentile) signals negligible automated exploitation risk.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53219 MEDIUM PATCH This Month

Netfilter x_tables in the Linux kernel leaks raw percpu counter pointer addresses to userspace on SMP systems via a crafted fault-window attack against the get-entries path. A local user with netfilter access can engineer a userspace buffer that triggers a page fault after the kernel copies the internal percpu allocation pointer (pcnt) but before the sanitized counter snapshot overwrites it, causing the syscall to return -EFAULT while leaving the raw kernel virtual address exposed in the caller's buffer. No public exploit is identified at time of analysis and EPSS sits at 0.18% (8th percentile), but the leaked percpu address functions as a KASLR bypass primitive chainable with a second vulnerability to achieve privilege escalation.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53218 MEDIUM PATCH This Month

Register tracking corruption in the Linux kernel's netfilter nft_exthdr subsystem allows a local low-privileged attacker with nftables configuration rights to trigger reads of uninitialized stack data from nft_regs, resulting in kernel instability or denial of service. The flaw affects any kernel version since the introduction of commit c078ca3b0c5b through the respective unpatched stable branches. EPSS is 0.18% (8th percentile) and this vulnerability is not listed in CISA KEV, indicating low exploitation activity; however, the ubiquity of Linux deployments means patching across stable LTS branches is warranted.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53217 HIGH PATCH This Week

Information disclosure and frame corruption in the Linux kernel's Marvell mvpp2 network driver allows stale cache contents to be read into received packets on non-coherent DMA systems. Because the driver synced the RX buffer starting at the raw DMA address rather than at the hardware packet offset (MVPP2_SKB_HEADROOM), it synchronized unused headroom and missed an equal number of bytes at the packet tail, leaving the CPU to read stale cache lines for the end of each frame. EPSS is low (0.18%), there is no public exploit identified at time of analysis, and the issue is bounded to specific Marvell Armada-class hardware rather than general-purpose servers.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.6
EPSS
0.2%
CVE-2026-53216 CRITICAL PATCH Act Now

Memory corruption in the Linux kernel's Marvell mvpp2 (PPv2) Ethernet driver allows the XDP fast-path to write past the real packet buffer on hardware using short BM pools. The driver hard-codes PAGE_SIZE as the XDP frame size even when short-pool buffers are smaller, so bpf_xdp_adjust_tail() can legitimately grow a frame beyond its actual allocation, corrupting adjacent memory or later tripping skb tailroom checks. EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis; despite the auto-assigned 9.8 CVSS, realistic exploitation is constrained to systems running an XDP program on affected Marvell hardware.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53215 CRITICAL PATCH Act Now

Memory corruption in the Linux kernel's Marvell mvpp2 (PPv2) Ethernet driver arises from an incorrect RX buffer-recycling order: when mvpp2_rx_refill() fails after the current buffer has already been handed to XDP or attached to an skb, the driver still returns that buffer to the hardware Buffer Manager (BM) pool, allowing the NIC to DMA into memory the RX ring no longer owns. Systems running Marvell Armada SoCs with the mvpp2 driver and XDP or skb RX processing are affected; the fix reorders the refill to complete before the buffer is handed off. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and the CVE is not listed in CISA KEV despite the inflated 9.8 NVD score.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53214 MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's IPv6 address configuration subsystem crashes the kernel when cleanup_prefix_route() receives the fib6_null_entry sentinel from addrconf_get_prefix_route() and attempts to access its NULL fib6_table pointer without validation. An authenticated local user holding CAP_NET_ADMIN can trigger this by sending a crafted IPv6 DELADDR netlink message, causing a general protection fault and system-wide denial of service. No public exploit or CISA KEV listing exists; EPSS is 0.17% (6th percentile), consistent with a privilege-gated local DoS affecting an extremely widely deployed target.

Linux Canonical Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53213 MEDIUM PATCH This Month

Memory leak in the Linux kernel's drm/vc4 (Broadcom VideoCore IV DRM) driver allows a local low-privileged user to gradually exhaust kernel memory under allocation-failure conditions. The flaw arises because the return value of krealloc() is assigned directly back to the original pointer without a NULL check - if krealloc() fails and returns NULL, the reference to the previously allocated buffer is silently overwritten, permanently leaking that memory. No public exploit code is identified at time of analysis, and EPSS probability is extremely low at 0.18% (8th percentile), consistent with the local-only, condition-dependent nature of the bug.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53212 HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel netfilter nf_tables tunnel module (nft_tunnel) stems from a use-after-free triggered when a tunnel object is destroyed while packets still hold a reference to its metadata_dst. The flawed nft_tunnel_obj_destroy() path calls metadata_dst_free(), which kfree()s the structure while ignoring the dst_entry refcount, so packets queued in a qdisc (e.g. netem) later call dst_release() on freed memory. CVSS is 7.8 (high) with CVSS:3.1 vector AV:L/PR:L; EPSS is low at 0.18% (7th percentile), it is not in CISA KEV, and no public exploit identified at time of analysis.

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53211 MEDIUM PATCH This Month

Kernel stack information disclosure in the Linux kernel's netfilter nft_meta_bridge subsystem leaks 2 bytes of uninitialized stack data to userspace via the IIFHWADDR register. A local attacker with CAP_NET_ADMIN privileges can craft an nftables bridge rule that reads the full 8-byte register span after a memcpy writes only 6 bytes, exposing stale nft_do_chain() stack content. No public exploit exists and EPSS is 0.17%; however, on hardened systems kernel stack leaks can assist KASLR bypass when chained with other primitives.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53210 MEDIUM PATCH This Month

Memory leak in the Linux kernel TEE subsystem's register_shm_helper() function allows a local low-privileged user to exhaust kernel memory and degrade system availability. Triggering the leak requires calling the TEE_IOC_SHM_REGISTER ioctl with a length of zero, causing the function to allocate shared memory and then skip its deallocation when iov_iter_npages() returns 0. No public exploit has been identified at time of analysis, and EPSS sits at the 7th percentile, indicating very low real-world exploitation probability.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53209 HIGH PATCH This Week

Memory corruption in the Linux kernel Bluetooth subsystem (hci_sync) allows a local privileged user to overrun a temporary buffer when the Broadcast Announcement service data is prepended to an already-maximum-sized extended advertising payload. The flaw affects systems using Bluetooth LE Audio / Broadcast Audio Profile advertising; the upstream fix rejects the oversized combination before copying, preserving the existing advertising data. No public exploit identified at time of analysis, and the EPSS probability is very low (0.18%, 8th percentile), indicating no current evidence of widespread exploitation interest.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53208 MEDIUM PATCH This Month

Bluetooth L2CAP in the Linux kernel fails to enforce the signaling MTU (MTUsig = 48 bytes) in l2cap_sig_channel(), enabling a nearby BR/EDR peer to send a single oversized fixed-channel signaling packet packed with many ECHO_REQ commands before pairing and force a proportional burst of ECHO_RSP frames. In a confirmed test, one 681-byte CID 0x0001 packet containing 168 ECHO_REQ commands caused the target to emit 168 responses over approximately 220 ms - roughly a 250× frame amplification - constituting a traffic-amplification denial-of-service. No active exploitation has been identified at time of analysis; vendor-released patches are available across multiple stable kernel branches.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53207 MEDIUM PATCH This Month

Recursive spinlock AA deadlock in the Linux kernel's hugetlb memory-failure subsystem allows a local user to hang or panic the kernel by racing two concurrent madvise(MADV_HWPOISON) calls against a concurrent unmap on the same hugetlb folio. The flaw exists because get_huge_page_for_hwpoison() held hugetlb_lock while calling folio_put(), which - when concurrent unmap had already dropped the page-table reference - triggered free_huge_folio() to re-acquire the non-recursive lock, causing an irrecoverable deadlock. No confirmed active exploitation exists (not in CISA KEV), and EPSS sits at 0.18% (8th percentile), indicating negligible real-world exploitation probability at this time.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53206 MEDIUM PATCH This Month

Missing bounds validation in the Linux kernel's accel/ivpu Intel VPU accelerator driver allows a local low-privileged user on an affected Intel VPU-equipped system to trigger kernel memory allocation errors or a denial of service by supplying a malformed firmware image header specifying improperly aligned or undersized runtime memory. Affected versions include Linux 6.19 and 7.1-rc1 through rc6; fixed commits are available for both the 7.0.x stable series and the 7.1 branch. No public exploit identified at time of analysis; EPSS is 0.16% (6th percentile), and no CISA KEV listing exists, reflecting minimal real-world exploitation interest.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53205 HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's accel/ivpu driver (Intel NPU/VPU accelerator) occurs because firmware-supplied read and write indices for the firmware log buffer were used without bounds validation, allowing invalid offsets to drive out-of-bounds buffer reads. Affecting Intel Core Ultra-class systems running affected 6.12.x through 6.18.x and 7.x kernels, a local low-privileged actor able to influence the device's firmware log indices can disclose kernel memory or crash the host. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.18%, 7th percentile).

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53204 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's Intel Stratix10 RSU (Remote System Update) firmware driver causes a kernel panic when SMC call timeouts occur during probe initialization. Affected kernels through 7.1-rc7 and 7.0.13 expose a race condition where timeout-driven error paths in stratix10_rsu_probe() free the service channel - setting chan->scl to NULL - but fail to return early, allowing subsequent service kthreads to dereference the now-NULL pointer in their receive callbacks. The vulnerability is a local denial-of-service with no public exploit identified at time of analysis, and EPSS places exploitation probability at only 0.15%.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53203 HIGH PATCH This Week

Local privilege-context memory corruption in the Linux kernel's accel/ivpu (Intel NPU/VPU accelerator) driver allows a low-privileged user with access to the device to trigger a buffer overflow through the metric stream MS get_info ioctl. When the NPU firmware reports an info size larger than the allocated kernel buffer, the driver performs an oversized copy, corrupting kernel memory and potentially leaking sensitive data or crashing the system. No public exploit identified at time of analysis; EPSS probability is low (0.19%) and the issue is not in CISA KEV.

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53202 HIGH PATCH This Week

Local memory corruption in the Linux kernel's Intel VPU accelerator driver (accel/ivpu) lets attacker-influenced firmware data overflow a stack buffer during IPC message receive. The defect is a signed-int truncation of the firmware-supplied data_size in min_t(int, ...), so values >= 0x80000000 turn negative, bypass the size clamp, and drive an oversized memcpy. Rated CVSS 7.8 (AV:L) with a low EPSS of 0.19% (9th percentile); no public exploit identified at time of analysis and it is not in CISA KEV.

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53201 HIGH This Week

Local privilege/memory-integrity exposure in the Linux kernel's drm/xe Intel GPU driver stems from a missed TLB invalidation: a previously merged optimization that skipped GuC scheduler suspend toggling when an exec queue was idle has been reverted because it bypassed the context switch that flushes TLB entries for invalidated userptr VMAs. On Intel Xe GPUs running in long-running (LR)/preempt-fence VM mode, this leaves stale TLB mappings to invalidated user pointers, producing page faults and stale-memory access during userptr invalidation. There is no public exploit identified at time of analysis and EPSS is low (0.17%, 7th percentile); the fix is the revert commit itself, restoring unconditional schedule toggling on suspend.

Authentication Bypass Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53200 HIGH PATCH This Week

Execute-permission bypass in the Linux kernel's KVM arm64 nested-virtualization (NV) code allows a nested guest to receive unintended execute permissions on stage-2 mappings when the host CPU lacks FEAT_XNX. The root cause is a misuse of FIELD_PREP() on the XN[0] mask after XN had already been shifted out of its bitfield position, which unconditionally grants execute rights instead of conditionally clearing them. There is no public exploit identified at time of analysis, EPSS is low (0.16%, 6th percentile), and the issue is not in CISA KEV, but the assigned CVSS of 8.8 reflects the hypervisor scope-change and potential for a guest to bypass non-executable memory enforcement.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53199 HIGH PATCH This Week

Denial of service in the Linux kernel's Hyper-V netvsc network driver (hv_netvsc) allows a system crash when transmitting packets whose skb fragments reference high memory. On 32-bit x86 builds with CONFIG_HIGHMEM=y, netvsc_copy_to_send_buf() calls phys_to_virt() on fragment PFNs that may live above the LOWMEM boundary, producing an address outside the kernel direct map; the following memcpy() faults fatally on the transmit softirq path. No public exploit has been identified, the EPSS probability is low (0.18%), and the issue is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-53198 HIGH PATCH This Week

Use-after-free in the Linux kernel's in-kernel SMB server (ksmbd) lets an authenticated SMB client corrupt kernel slab memory by sending a second SMB2_CANCEL for the same AsyncId of a blocking byte-range lock. The first cancel frees the struct file_lock but takes an early-exit that never unlinks the async work or clears its cancel callback, leaving a live cancel_fn pointing at freed memory in the file_lock_cache (size 192) slab; a racing second cancel re-runs smb2_remove_blocked_lock() on the dangling pointer. The flaw was reproduced on mainline with KASAN by an authenticated client, EPSS is low (0.18%), and there is no public exploit identified at time of analysis.

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53197 MEDIUM PATCH This Month

ABBA deadlock in the Linux kernel xfrm iptfs subsystem causes availability loss on SMP systems when iptfs state is destroyed while its timer callbacks are concurrently executing on another CPU. The vulnerability affects the IP Traffic Flow Secrecy (IPTFS) implementation within the kernel's xfrm IPsec framework, specifically during iptfs_destroy_state() - a function that acquires spinlocks before calling hrtimer_cancel(), creating a circular dependency with softirq timer callbacks that attempt to re-acquire those same locks. No public exploit code has been identified and EPSS is 0.17% (7th percentile), indicating this is a low-probability exploitation target; the impact is a kernel deadlock causing a system hang (DoS) with no confidentiality or integrity impact.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53196 MEDIUM PATCH This Month

Heap buffer overflow in the Linux kernel's io_ti USB serial driver (get_manuf_info()) lets a malicious USB device overflow a 10-byte kmalloc buffer by up to ~16 KB when attached to a host using this driver. The driver trusts the EEPROM-supplied descriptor Size field (validated only against TI_MAX_I2C_SIZE, not the destination buffer), enabling kernel memory corruption with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis; EPSS is low (0.20%, 10th percentile) and the issue is not in CISA KEV.

Memory Corruption Linux Buffer Overflow
NVD VulDB
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-53195 HIGH PATCH This Week

Kernel-level heap buffer overflow (out-of-bounds write) in the Linux kernel's io_ti USB-serial driver (used by Digi Edgeport TI-based USB serial adapters) allows a local low-privileged attacker or a malicious/crafted firmware image to corrupt kernel heap memory. The flaw lives in build_i2c_fw_hdr(), which copies an attacker-influenced 16-bit Length field (up to 65535) from the firmware image into a fixed-size buffer without validating it fits the remaining space after the ti_i2c_firmware_rec header. There is no public exploit identified at time of analysis, EPSS is low (0.20%, 10th percentile), and it is not on the CISA KEV list, so exploitation is theoretical rather than observed.

Memory Corruption Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Improper error handling in the btrfs filesystem's transaction commit path (btrfs_write_and_wait_transaction) lets a failed metadata writeout leave dirty extent buffers uncleaned, forcing the filesystem read-only and triggering kernel warnings at unmount. The flaw affects Linux kernels prior to 6.18.33, 7.0.10, and 7.1 and is an availability/data-integrity issue on btrfs volumes, with no confidentiality impact despite an 'Information Disclosure' tag in the source data. There is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.17%, 6th percentile).

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Boot-time kernel crash in Linux 6.16+ on AMD IOMMU-equipped systems causes a General Protection Fault when a PCI device whose Bus:Device.Function address is absent from the ACPI IVRS table is encountered during IOMMU initialization. The root cause is a missing bounds check in __rlookup_amd_iommu() that was latent until commit e874c666b15b changed the rlookup_table allocation from a zeroed page-order block (which returned NULL on overrun) to a tight kvcalloc(), causing adjacent slab contents to be dereferenced as a valid struct amd_iommu pointer. The result is a non-recoverable GPF at boot time, confirmed in production on Google Compute Engine ct6e VMs; no public exploit code and no CISA KEV listing exist at time of analysis.

Google Linux Amd +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stack access fault in the x86/kexec purgatory handoff crashes non-kjump kexec operations on affected Linux kernel versions, resulting in a local denial of service. A prior regression removed a 'gratuitous' stack push in the non-kjump path; however, the purgatory code shipped by kexec-tools still reads above its stack top expecting that return address, triggering a memory fault that aborts the kexec reboot or crashes the system. No public exploit exists and EPSS sits at the 6th percentile, placing this firmly in the reliability-regression category rather than an adversarial attack surface.

Linux Denial Of Service
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Local privilege escalation or denial of service in the Linux kernel's Intel VT-d IOMMU driver (iommu/vt-d) arises from incomplete handling of a missing dev_pasid entry during PASID teardown; an authenticated low-privileged actor able to drive IOMMU/PASID detach operations can trigger a NULL pointer dereference or unbalanced refcount that may decay into a use-after-free. This completes an earlier partial fix (commit 60f030f7418d) and is tagged as Denial of Service. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low at 0.17% (6th percentile).

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel IOMMU subsystem crashes affected systems during PCI device reset when a default domain allocation has previously failed. Local users with low-privilege access on Linux kernel versions in the 7.0 branch (prior to 7.0.10) and before 7.1 can trigger a kernel panic through the `pci_dev_reset_iommu_done()` function, resulting in a denial of service. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.15% (5th percentile) reflects the low real-world exploitation likelihood given the edge-case hardware precondition and local-only attack vector.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Indefinite kernel hang in the Linux kernel's drm/gma500 Oaktrail LVDS display initialization code can be triggered locally on systems with Intel GMA 500/Oaktrail graphics hardware, causing a denial of service requiring a hard reboot. The defect lies in error handling that incorrectly attempts to deregister an I2C adapter obtained via i2c_get_adapter() - which only increments a reference count - rather than restricting cleanup to adapters the driver itself allocated. No public exploit code exists and EPSS is 0.17% (7th percentile), consistent with a niche, largely retired hardware platform.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel arm_mpam subsystem allows a local low-privileged attacker to crash the kernel by triggering a specific cleanup code path before initialization completes. The flaw exists in __destroy_component_cfg(), which unconditionally dereferences the embedded 'garbage' structure to free the configuration array even when mpam_disable() is called before __allocate_component_cfg() has ever run. No public exploit code exists and the EPSS score of 0.15% (5th percentile) confirms negligible real-world exploitation activity; vendor-supplied patches are available via upstream stable commits.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Local privilege escalation / host compromise risk in the Linux kernel arm64 KVM subsystem arises because __kvm_at_s12() (AT instruction emulation) and __kvm_find_s1_desc_level() invoke the stage-1/nested stage-2 page-table walkers walk_s1() and kvm_walk_nested_s2() without holding kvm->srcu, which those walkers require to guard against concurrent memslot changes. A malicious or compromised guest on an affected arm64 host can race memslot updates against these walks, with CVSS scoring confidentiality, integrity and availability all High under a changed scope (host impact). It is patched in stable trees, EPSS is low (0.17%), and there is no public exploit identified at time of analysis.

Code Injection Linux
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation potential via a use-after-free in the Linux kernel's Bluetooth ISO (Isochronous) subsystem affects kernels through 6.19 and related stable trees. In iso_sock_rebind_bc(), the code caches the hci_conn pointer (bis) and then drops the socket lock to acquire hci_dev_lock; a concurrent close() during this unlocked window can destroy the connection and free the bis structure, so the subsequent hci_dev_lock(bis->hdev) dereferences freed memory. There is no public exploit identified at time of analysis and EPSS is low (0.15%, 5th percentile), but a kernel UAF reachable by a local user warrants timely patching.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's IPv6 multicast (MLD) query processing path allows an adjacent-network attacker to corrupt or read freed kernel slab memory by sending a crafted MLD query. The flaw stems from a stale pointer to the multicast group address being dereferenced in __mld_query_work() after pskb_may_pull() reallocated the skb header, confirmed by a KASAN slab-use-after-free report. Carries an 8.8 CVSS (adjacent vector); no public exploit identified at time of analysis and EPSS is low at 0.17% (6th percentile).

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Sleep-inside-lock in the Linux kernel's SMC networking subsystem (`__smc_setsockopt()`) allows a local low-privilege user to hold the socket lock indefinitely, exhausting kernel worker threads and triggering the hung task watchdog - producing a local denial of service. Affected systems must have the `net/smc` module loaded and a user-space mechanism (userfaultfd or FUSE) available to stall the in-kernel copy operation. No public exploit has been identified at time of analysis, and EPSS at 0.18% (8th percentile) reflects very low mass-exploitation probability; however, the technique is well-understood in kernel security research.

Linux Denial Of Service
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation or kernel memory corruption in the Linux kernel's OP-TEE (Trusted Execution Environment) driver arises from a use-after-free in the supplicant request path on ARM TrustZone systems. After commit 70b0d6b0a199 made the client wait killable, a client task can exit and kfree() its request while its ID still lives in supp->idr, so a later supplicant lookup dereferences freed memory. CVSS 7.8 (local, low privilege) with EPSS at 0.17% (7th percentile); no public exploit identified at time of analysis and not listed in CISA KEV.

Linux Denial Of Service Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's EROFS filesystem lets a local attacker who can trigger a decompression I/O race during unmount corrupt kernel memory. When z_erofs_decompress_kickoff() queues asynchronous decompression work, a concurrent unmount can free the superblock info (sbi) before the kworker accesses sbi->sync_decompress, producing a CWE-416 use-after-free with high confidentiality, integrity and availability impact (CVSS 7.8). EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis; the flaw is not on CISA KEV.

Memory Corruption Linux Use After Free +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the ksmbd (in-kernel SMB server) subsystem of the Linux kernel causes a remotely triggerable kernel oops, resulting in denial of service. The race condition in smb2_oplock_break_noti() and smb2_lease_break_noti() allows an authenticated SMB client to crash the kernel by racing an SMB2 LOGOFF against an oplock/lease break notification - setting opinfo->conn to NULL in the window after ci->m_lock is dropped, then dereferencing it in ksmbd_conn_r_count_inc(). No public exploit identified at time of analysis; EPSS is very low at 0.16% (6th percentile), and CISA KEV listing is absent.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's IPVS (IP Virtual Server) load balancer allows a local privileged user to corrupt kernel memory by editing a virtual service's scheduler. ip_vs_edit_service() cleared svc->scheduler only after the old scheduler module had already initiated RCU callbacks, so in-flight packets could dereference svc->sched_data after it was freed at the end of the RCU grace period. The flaw carries CVSS 7.8 with high confidentiality, integrity, and availability impact; EPSS is low (0.17%, 7th percentile) and there is no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial-of-service via race condition in the Linux kernel's netfilter synproxy subsystem allows a local low-privileged user to crash the system by triggering concurrent netfilter hook registration. The synproxy infrastructure registers hooks on-demand when iptables targets or nftables expressions are added; without serialization, concurrent additions race on the reference count control blocks, corrupting kernel state. No public exploit exists and EPSS is 7th percentile (0.17%), but any Linux system running a kernel from 5.3 onward with the ability for unprivileged users to manipulate netfilter rules is technically exposed.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's netfilter IRC connection-tracking helper (nf_conntrack_irc) lets remote attackers leak adjacent kernel memory or crash the host when the parser fails to bail out after matching a DCC command string. The CVSS 3.1 vector (AV:N/PR:N) describes unauthenticated remote reachability with low confidentiality impact and high availability impact, but exploitation is gated on the legacy IRC conntrack helper being loaded and assigned to traffic - a non-default condition on most modern systems. There is no public exploit identified at time of analysis, EPSS is low (0.17%, 7th percentile), and the issue is not on CISA KEV.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Stack-based out-of-bounds write in the Linux kernel netfilter nf_tables conntrack (nft_ct) module lets a local actor with rule-loading capability corrupt the kernel stack, enabling privilege escalation or denial of service. When an nftables ruleset attaches a per-CPU template conntrack (e.g. via 'ct zone set') and a subsequent 'ct original/reply' load expression runs on the same packet, nft_ct_get_eval() mistakes the zeroed template ct for a real conntrack and performs a 16-byte memcpy bounded by an untrusted field, overflowing struct nft_regs on the kernel stack. No public exploit identified at time of analysis, though a historic syzkaller report demonstrates the crash; EPSS risk is low (0.16%, 6th percentile).

Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Out-of-bounds/illegitimate write in the Linux kernel's bridge netfilter ebtables SNAT target (ebt_snat) lets the optional ARP sender-hardware-address rewrite copy a MAC address into a non-linear skb fragment that is still backed by a splice-imported file page, corrupting memory the kernel should not write to. The flaw affects systems using the bridge ebtables SNAT target with ARP rewrite enabled; the fix makes the ARP SHA range writable via skb_ensure_writable() before skb_store_bits() runs. There is no public exploit identified at time of analysis and EPSS is low (0.17%), but CVSS is rated 8.8 with a scope change reflecting the cross-context write.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-escalation/memory-corruption in the Linux kernel device-mapper dm-cache 'smq' policy allows a low-privileged local user to trigger a check-then-act race in smq_invalidate_mapping(). The e->allocated predicate was evaluated outside mq->lock, so two concurrent cache-block invalidators can both see an entry as allocated and free it twice, corrupting the SMQ queues/hash table and tripping the allocation assertion in free_entry(). No public exploit is identified at time of analysis and EPSS exploitation probability is low (0.17%, 7th percentile); the issue is not listed in CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-bearing users can trigger a use-after-free in the Linux kernel's net/sched action subsystem (act_api) by racing concurrent NEWTFILTER and DELFILTER operations, where an action object can be kfree()'d immediately on one CPU while another CPU still holds an RCU-protected reference and calls refcount_inc_not_zero() on freed memory. Affecting the tc action lifecycle, exploitation can corrupt kernel memory and lead to local privilege escalation or denial of service (kernel panic). This issue has no public exploit identified at time of analysis and carries a low EPSS exploitation probability (0.17%, 7th percentile).

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel stack memory disclosure and multicast address corruption in the Linux kernel's 6lowpan IPHC subsystem affects all deployments running the vulnerable code path from commit 5609c185f24d onward. A local unprivileged user on a system with an active 6lowpan interface can trigger `lowpan_iphc_mcast_ctx_addr_compress()` to transmit uninitialized kernel stack bytes over the 6lowpan link layer while also corrupting the RIID field in compressed multicast addresses, breaking multicast connectivity. No public exploit identified at time of analysis; EPSS is 0.17% (7th percentile), and this is not listed in CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation via use-after-free in the Linux kernel's L2TP PPP (pppol2tp) subsystem allows a low-privileged local user holding a pppol2tp socket to corrupt freed kernel memory. The flaw is a race in pppol2tp_ioctl(), where sk_user_data was dereferenced without reference counting; an attacker stalls the ioctl mid-copy (e.g. via a userfaultfd page-fault sleep) while concurrently closing the socket, freeing the l2tp_session and leaving a dangling pointer. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.16%, 6th percentile).

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel devlink subsystem allows a local low-privileged user to trigger resource exhaustion by inducing a Sub-Function (SF) probe failure, leaving a nested devlink relation unreleased. The flaw occurs because devlink_free() does not clear devlink->rel when an instance fails probe before reaching devl_register(), bypassing the normal cleanup path in devl_unregister(). No public exploit has been identified and EPSS is 0.16% (6th percentile), consistent with a low-real-world-risk kernel memory management defect; patch is available across multiple stable branches.

Linux Information Disclosure
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Denial of service and potential memory corruption in the Linux kernel TCP stack arises from a refcount underflow / use-after-free in reqsk_queue_hash_req(), affecting kernels built with PREEMPT_RT (real-time preemption). On affected systems a request socket (reqsk) can lose both its ehash and timer reference counts when reqsk_queue_hash_req() is preempted between mod_timer() and refcount_set(), letting reqsk_timer_handler() drop the object twice and trigger a use-after-free flagged by refcount_warn_saturate. The fix was reported via syzbot fuzzing; there is no public weaponized exploit identified at time of analysis and the EPSS score is very low (0.15%, 5th percentile), and despite the NVD 9.8 score real-world exploitability is constrained to PREEMPT_RT kernels and a narrow timing window.

Linux Information Disclosure Google +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Memory corruption via a use-after-free in the Linux kernel's IPv6 anycast subsystem allows a local attacker to read freed slab memory and potentially corrupt kernel state. The flaw lives in __ipv6_dev_ac_inc()/ipv6_add_acaddr_hash(), where an ifacaddr6 (aca) object is published into the global inet6_acaddr_lst[] hash outside idev->lock, opening a race with device teardown (ipv6_ac_destroy_dev) that frees the object while it is still linked in the RCU-walked hash. EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis, but the vendor has shipped a fix.

Linux Information Disclosure Google +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Memory leak in the Linux kernel wifi cfg80211 subsystem allows a local low-privileged user to cause gradual kernel memory exhaustion by repeatedly triggering failed 6 GHz split scans. The leaked object is a 512-byte allocation in rdev->int_scan_req that escapes the cleanup path in ___cfg80211_scan_done() because rdev->scan_req is NULL at freeing time, causing an early return. No public exploit has been identified; EPSS of 0.16% (6th percentile) reflects very low real-world exploitation probability, and this vulnerability is not listed in CISA KEV.

Linux Information Disclosure
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel crash in Linux cfg80211 WiFi subsystem occurs when EHT (Wi-Fi 7 / 802.11be) capability elements are present without matching EHT operation elements, triggering a null pointer dereference in mac80211 and causing a denial of service. Systems running affected kernel versions with Wi-Fi 7 hardware are at risk of a local-privilege kernel panic with no confidentiality or integrity impact. EPSS is extremely low at 0.15% (5th percentile) and no public exploit has been identified; this is not listed in CISA KEV.

Linux Denial Of Service
NVD
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Use-after-free in the Linux kernel's Bluetooth RFCOMM subsystem allows an attacker within Bluetooth range to corrupt kernel memory by racing an incoming RFCOMM connection against the close of a listener socket. The flaw lives in rfcomm_connect_ind(), which uses a listener socket returned by rfcomm_get_sock_by_channel() after the protecting list lock is dropped and without taking a reference, so a concurrent rfcomm_sock_release() can free the parent socket before it is locked and a child is enqueued. KASAN confirmed a slab-use-after-free in lock_sock_nested(); EPSS is low (0.17%, 7th percentile), there is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel Bluetooth management (MGMT) interface lets a local user with Bluetooth privileges trigger a one-byte read past the advertising-data buffer by submitting a malformed MGMT_OP_ADD_ADVERTISING request. The flaw lives in tlv_data_is_valid(), which inspects the type octet at data[i+1] before confirming the current TLV element fits in the buffer; KASAN flags it as a vmalloc-out-of-bounds read. No public exploit identified at time of analysis and EPSS risk is low (0.17%), consistent with a local-only kernel memory-safety bug rather than a remotely weaponizable one.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's Bluetooth RFCOMM stack allows a malicious paired or in-range remote device to leak adjacent kernel memory or crash the host by sending truncated MCC (Multiplexer Control Channel) frames. The RFCOMM MCC handlers cast skb->data to protocol structs without first checking skb->len, so short frames cause reads past the buffer; impact is confidentiality and availability loss (CVSS 8.1). There is no public exploit identified at time of analysis and EPSS estimates exploitation probability at just 0.18%.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's Bluetooth BNEP (Bluetooth Network Encapsulation Protocol) subsystem allows an adjacent attacker to crash the kernel by sending a malformed short BNEP frame over an established PAN connection. The flaw in bnep_rx_frame()/bnep_rx_control() in net/bluetooth/bnep/core.c reads the packet-type, control-opcode, and setup UUID-size bytes before confirming they are present, producing a KASAN-confirmed slab-out-of-bounds read past a 1-byte kmalloc-8 allocation. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.18%, 8th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Percpu memory leak in the Linux kernel Bluetooth subsystem allows a local low-privileged user to exhaust kernel memory by repeatedly triggering early failures in Bluetooth HCI UART device initialization. Affected kernels spanning stable branches from 5.10 through 6.16-rc4 fail to invoke cleanup_srcu_struct() when hci_register_dev() never completes, causing the SRCU struct allocated early in hci_alloc_dev() to persist indefinitely. No public exploit code has been identified at time of analysis, and EPSS at 0.19% (9th percentile) reflects negligible exploitation interest; however the availability impact is rated High by NVD given the potential for kernel memory exhaustion.

Linux Information Disclosure
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Reference leak in the Linux kernel Bluetooth ISO subsystem allows a local low-privileged user to exhaust kernel resources and cause a denial of service. The `iso_conn_big_sync` function acquires an `hci_dev` reference via `hci_dev_hold()` through `hci_get_route()` but never releases it, violating the borrow contract. No active exploitation has been confirmed and EPSS is very low at 0.18% (7th percentile), but the affected surface - the BLE Audio Broadcast Isochronous Group (BIG) synchronization path - is present on any Linux system with a Bluetooth controller.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds kernel memory access in the Linux kernel's AF_XDP (xsk) transmit path allows a local low-privileged process to bypass bounds checking on TX checksum metadata. Because csum_start/csum_offset live in a userspace-mapped UMEM buffer, a malicious application could race to overwrite them between the validation read and the assignment read in xsk_skb_metadata(), defeating the bounds check during checksum computation. No public exploit identified at time of analysis; EPSS is low (0.18%, 8th percentile), consistent with a local-only kernel race rather than a mass-exploited remote bug.

Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Unprivileged local users on Linux systems running unpatched kernels can set IPOPT_SSRR (Strict Source and Record Route) and IPOPT_LSRR (Loose Source and Record Route) IPv4 options without the CAP_NET_RAW capability, enabling them to force outbound packets through attacker-controlled network nodes and leak TCP Initial Sequence Numbers (ISN) along with other protocol metadata. Affected systems span Linux kernel versions from 2.6.12 through multiple stable branches prior to their respective patch releases. No public exploit has been identified at time of analysis, and EPSS remains at 0.18% (8th percentile), indicating low automated exploitation risk.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's Airoha (airoha_eth) network driver allows memory corruption when metadata dst objects are torn down while still referenced by in-flight receive skbs. The airoha_metadata_dst_free() routine called metadata_dst_free()/kfree() directly, bypassing the RCU grace period required by the noref dst pointers set via skb_dst_set_noref() in the RX path, so RCU readers could dereference freed memory. No public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile); the issue is patched in current stable kernels.

Authentication Bypass Linux Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Memory corruption (use-after-free) in the Linux kernel's MediaTek mtk_eth_soc Ethernet driver allows the metadata destination object to be freed via kfree() during driver teardown while the RX path may still hold a non-refcounted (noref) pointer to it from a live skb. Affects systems running the mtk_eth_soc driver (MediaTek SoC networking, common in routers/embedded devices) across multiple kernel branches; the fix routes the free through dst_release() so the RCU grace period is honored. No public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and it is not in CISA KEV - despite the input's nominal CVSS of 9.8.

Authentication Bypass Linux Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Out-of-bounds memory access in the Linux kernel's SCTP stack lets a remote peer corrupt kernel memory by sending a COOKIE_ECHO chunk whose embedded cached INIT chunk advertises an inflated length, which sctp_unpack_cookie() failed to validate against the remaining COOKIE_ECHO buffer before sctp_process_init() walked its parameters. Any host running an SCTP listening server (kernels from 2.6.12 up to the fixed stable releases) is affected, with the kernel-assigned CVSS rating it 9.8/network-unauthenticated, though EPSS is low (0.17%, 7th percentile) and there is no public exploit identified at time of analysis. Impact ranges from out-of-bounds reads to potential heap corruption during STATE_COOKIE handling and kmemdup() copies.

Linux Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Three distinct logic errors in the Linux kernel's MRP (Multiple Registration Protocol) PDU parser `mrp_pdu_parse_vecattr()` allow an attacker to corrupt kernel MRP applicant state and PDU parsing offsets, resulting in denial of service. Affected systems must have the `mrp` kernel module loaded with an active IEEE 802.1ak bridge interface. No public exploit exists and EPSS is 0.18% (8th percentile), reflecting low active targeting, though patches across multiple stable branches are available and should be applied routinely.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in the Linux kernel's NFSD server affects systems that export filesystems implementing the VFS ->atomic_create operation. A mismatch between the dentry_create() error-handling contract and the newer start_creating()/end_creating() locking pattern means that when ->atomic_create returns an error, nfsd4_create_file() passes an error pointer to end_creating() and never unlocks the parent directory inode, leaving the lock permanently held. This is no public exploit identified at time of analysis, EPSS is low (0.16%, 6th percentile), and it is not in CISA KEV, but the held lock can stall NFS service for all clients.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Uninitialized stack variable use in the Linux kernel's rseq (restartable sequences) subsystem exposes systems to kernel information leak and denial-of-service. The flaw in `rseq_exit_user_update()` arises from a C standard evaluation-order ambiguity in struct initialization, detected by syzbot's KMSAN (Kernel Memory Sanitizer) as a kernel-infoleak. Affected are Linux 7.0.10 through 7.0.12 and 7.1 release candidates rc3-rc6; exploitation requires local low-privilege access, no public exploit exists, and EPSS is very low at 0.16%.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Kernel panic (denial of service) in the Linux kernel ALSA PCM subsystem occurs when snd_pcm_drain() is called on linked (grouped) audio streams that are concurrently unlinked, corrupting wait queue lists and ultimately dereferencing a NULL function pointer. The flaw stems from init_waitqueue_entry/add_wait_queue not clearing list pointers combined with a conditional remove_wait_queue that is skipped after a concurrent UNLINK, leaving an orphaned wait entry that gets added to two queues at once. It is a local-privilege issue requiring access to ALSA PCM devices; no public exploit has been identified at time of analysis and the EPSS score is very low (0.18%).

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stack overread in the Linux kernel ALSA MIDI sequencer dummy client (snd_seq_dummy) allows a local low-privileged user to crash the kernel or potentially leak kernel stack contents by sending a crafted Universal MIDI Packet (UMP) event. The dummy port copies incoming events into a legacy-sized stack temporary, but when the UMP flag remains set the delivery path calls snd_seq_event_packet_size() and copies a larger UMP-sized packet from that undersized allocation, reading past the stack buffer end. No public exploit has been identified and EPSS is 0.18% (7th percentile), placing this firmly in routine-patch rather than emergency-response territory.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's XFRM IP-TFS (IPsec Traffic Flow Confidentiality, RFC 9347) inbound reassembly path lets a race between __input_process_payload() and a concurrent iptfs_reassem_cont()/drop_timer handler operate on a freed sk_buff in skbuff_head_cache, causing memory corruption. The flaw affects kernels from 6.14 (where IP-TFS was introduced) running an IPsec SA in IP-TFS mode, and is fixed in stable releases including 6.18.36, 7.0.13 and 7.1. There is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.17%, 7th percentile).

Linux Information Disclosure Use After Free +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation via use-after-free in the Linux kernel's XFRM (IPsec) policy subsystem allows a local low-privileged attacker to corrupt kernel memory by racing XFRM_MSG_DELPOLICY and XFRM_MSG_NEWSPDINFO netlink operations. In xfrm_policy_bysel_ctx(), the inexact policy bin was pruned after dropping xfrm_policy_lock, leaving a window where a concurrent xfrm_hash_rebuild() could kfree_rcu() the same bin, leading to a use-after-free. No public exploit identified at time of analysis; EPSS probability is low (0.18%) and it is not listed in CISA KEV.

Linux Information Disclosure Use After Free +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Out-of-bounds read in the Linux kernel netlabel subsystem allows a local low-privileged attacker to crash the kernel by submitting a crafted Generic Netlink request with a valid IPv4/IPv6 address attribute paired with a shorter-than-expected mask attribute. The netlbl_unlabel_addrinfo_get() function relied solely on the address attribute length to determine address family, then unconditionally read the mask attribute as a full struct in_addr (4 bytes) or struct in6_addr (16 bytes) without independently validating the mask length. No public exploit or active exploitation has been identified (EPSS 0.18%, 8th percentile); patches are available across all maintained stable branches.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's Marvell EBU GPIO driver (gpio/mvebu) causes a kernel oops and system crash during suspend/resume operations on Marvell Armada ARM platforms. The flaw affects all stable kernel branches from 4.12 onward where mvebu_pwm_suspend() and mvebu_pwm_resume() are unconditionally invoked for every GPIO bank, including those where mvchip->mvpwm is NULL due to absent PWM hardware. A local authenticated user with sufficient privileges to trigger system suspend can crash the kernel with no recovery, resulting in full availability loss. No public exploit exists and EPSS is 0.18% (7th percentile), reflecting a niche hardware dependency that sharply limits real-world exposure.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

TCP socket side-channel information disclosure in the Linux kernel allows unprivileged local users to attach classic BPF (cBPF) filters via SO_ATTACH_FILTER to TCP sockets and observe TCP sequence and acknowledgment numbers, potentially enabling session inference or TCP injection assistance. The vulnerability exists because no capability check was enforced before this patch, which now restricts SO_ATTACH_FILTER on TCP sockets to processes holding CAP_NET_ADMIN. No public exploit identified at time of analysis; EPSS stands at 0.18% (8th percentile), and patched releases are available across multiple stable kernel branches including 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, and 7.1.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial-of-service in the Linux kernel networking stack (GRO path) lets attackers crash a host by triggering a reachable kernel BUG_ON() panic. The flaw lives in skb_gro_receive_list(), which calls skb_pull() without a preceding pskb_may_pull() guard; when frames arrive via napi_gro_frags() with all data in page fragments (skb_headlen == 0) and a non-zero GRO offset, the pull makes skb->len drop below skb->data_len and hits BUG_ON(skb->len < skb->data_len). It affects kernels from 6.10 up to the fixed stable releases, carries CVSS 7.5 (availability-only), has a low EPSS of 0.18% (7th percentile), is not in CISA KEV, and has no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Use-after-free in the Linux kernel's IBM EMAC Ethernet driver (drivers/net/ethernet/ibm/emac) lets in-flight packet processing touch hardware resources that have already been freed during device removal, because devm_register_netdev() deferred unregister_netdev() until after emac_remove() tore down the hardware. A local attacker who can trigger driver unbind/hot-removal while the interface handles traffic can corrupt kernel memory, potentially escalating to code execution or crashing the system. This is a fixed regression window on IBM PowerPC EMAC hardware; no public exploit identified at time of analysis and EPSS risk is low (0.18%, 7th percentile).

Memory Corruption Authentication Bypass Linux +2
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local memory corruption (double-free) in the Linux kernel netdev generic-netlink interface affects the device-memory RX binding path (netdev_nl_bind_rx_doit) in kernels 7.1-rc1 through 7.1-rc7 and backport-affected stable branches. Because genlmsg_reply() unconditionally consumes the reply skb, the buggy error path then calls nlmsg_free() on that same buffer, freeing it a second time; a local user able to reach the BIND_RX netlink command and force a reply failure can trigger the flaw. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile), consistent with a hard-to-reach error path rather than easy exploitation.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use of a dangling pointer in the Linux kernel's phylib/SFP networking subsystem occurs when PHY probing fails but sfp_bus_del_upstream() is never called, leaving the sfp-bus 'upstream' field pointing at freed/torn-down state that can be dereferenced during a later SFP hot-plug event. Affected systems are Linux hosts and appliances using PHY drivers with SFP cage support across kernels from 5.5 up to the fix in commit 48774e87. There is no public exploit identified at time of analysis, the EPSS score is very low (0.16%, 5th percentile), and the issue is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Deadlock in the Linux kernel PHY networking subsystem (net/phy) allows a local low-privileged user to freeze the networking stack on systems using the generic PHY driver (genphy) with SFP cage hardware. When genphy triggers PHY probing - which occurs while holding the RTNL lock - it erroneously calls sfp_bus_add_upstream(), which itself attempts to acquire RTNL, producing a self-deadlock confirmed by reproduction. No public exploit exists and EPSS is 0.16% (6th percentile), reflecting that exploitation requires an uncommon hardware and driver combination.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux mlx5_core driver's mlx5_query_nic_vport_mac_list() function allows a slab-out-of-bounds access when querying a VF vport whose configured MAC-list maximum exceeds the PF's log_max_current_uc/mc_list capability. The driver sizes its firmware command buffer using the PF capabilities rather than the vport's own HCA caps, so an oversized firmware response overflows the buffer during eswitch vport-change handling. This affects systems running NVIDIA/Mellanox ConnectX (mlx5) NICs in SR-IOV/switchdev mode; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 7th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Resource exhaustion (DMA mapping and xdp_frame leak) in the Linux kernel's mlx5e driver affects systems using AF_XDP (XSK) zero-copy sockets on NVIDIA/Mellanox ConnectX NICs. In the XSK path of mlx5e_xmit_xdp_buff(), an XDP_TX transmit failure (e.g. a full XDP send queue) returns without unmapping the DMA address or freeing the converted xdp_frame, slowly leaking kernel memory and DMA mappings until availability degrades. No public exploit identified at time of analysis; EPSS is low (0.18%, 7th percentile) and the issue is not in CISA KEV, so real-world risk is gradual leakage under heavy XSK workloads rather than direct remote compromise.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use-after-free read in the Linux kernel's IPv6 SIT (IPv6-in-IPv4) tunnel transmit path lets a stale inner-IPv6-header pointer be dereferenced after GSO offload processing relocates the skb head, exposing freed kernel memory or crashing the host. The flaw affects systems running SIT tunnels in ipip6_tunnel_xmit(), where iptunnel_handle_offloads() may call pskb_expand_head() and move the buffer while the code keeps reading the old iph6 pointer. There is no public exploit identified at time of analysis; EPSS is low (0.18%, 8th percentile) and the issue is not in CISA KEV. The vendor-tagged impact is Information Disclosure, which is materially narrower than the assigned CVSS 9.8.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Invalid pointer free in the Linux kernel's Open vSwitch (OVS) subsystem allows a local low-privileged user to crash the kernel, resulting in denial of service. The net/openvswitch reply skb cleanup code incorrectly assumes allocation always occurs before mutex acquisition; when allocation fails after locking, an ERR_PTR is passed to kfree_skb(), triggering a kernel panic on any host with OVS active. No public exploit has been identified and EPSS is 0.20% (10th percentile), but the crash is likely deterministic once the code path is reached on a vulnerable kernel.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource leak and use-after-free in the Linux kernel's gpio-rockchip driver can crash the kernel on systems using Rockchip GPIO hardware. The driver's remove path fails to call irq_domain_remove_generic_chips(), leaving allocated generic chip structures unreleased and dangling on the global gc_list. After driver unbind or module removal, IRQ subsystem suspend, resume, or shutdown callbacks may subsequently dereference the freed memory, producing a use-after-free condition and kernel panic. No public exploit exists and EPSS sits at the 7th percentile, indicating very low real-world exploitation probability; however, the availability of upstream fix commits makes patching straightforward.

Linux Denial Of Service
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds uninitialized-memory read in the Linux kernel SCTP stack lets an unauthenticated network peer trigger the receive path to read up to 16 bytes past a truncated ASCONF address parameter. The flaw lives in __sctp_rcv_asconf_lookup() in net/sctp/input.c, which validates only the ADDIP and parameter headers before calling af->from_addr_param(), trusting the parameter's declared length without bounding the full address against the chunk. No public exploit is identified at time of analysis, and EPSS exploitation probability is low at 0.18% (8th percentile); the issue is already patched upstream and classed as information disclosure.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds memory reads in the Linux kernel SCTP stack allow remote attackers to trigger information disclosure and kernel crashes by sending a malformed COOKIE_ECHO chunk. The flaw lives in sctp_unpack_cookie(), which fails to verify that an embedded INIT chunk is large enough for a complete INIT header and does not fully validate raw_addr_list_len, so sctp_process_init() and the address parser read past the cookie payload. EPSS is low (0.21%) and there is no public exploit identified at time of analysis, but the network-reachable, unauthenticated nature (CVSS 9.1) makes it a meaningful patch priority for any host with SCTP in use.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local heap disclosure and kernel crash in the Linux kernel networking stack arises because skb_is_err_queue() misidentifies AF_PACKET outgoing-tap skbs as error-queue skbs, letting AF_PACKET control-buffer state be misread as sock_exterr_skb::opt_stats. When timestamping and SO_RXQ_OVFL are enabled, an odd packet-drop counter makes the timestamp cmsg path emit SCM_TIMESTAMPING_OPT_STATS over non-linear skbs, reading past the linear head to leak adjacent kernel heap or trip hardened usercopy (BUG/panic). CVSS is 7.1 (C:H/A:H, local, low-priv); EPSS is low at 0.18% (8th percentile), and there is no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Use-after-free in the Linux kernel ptp_ocp driver crashes the kernel during device removal on systems equipped with Open Compute Platform PTP hardware. The teardown function ptp_ocp_detach() frees pin resources before calling ptp_clock_unregister(), which then accesses those freed resources via ptp_disable_all_events(), introduced by commit a60fc3294a37. EPSS is 0.15% (5th percentile) and this vulnerability is not listed in CISA KEV, indicating no public exploitation and very low real-world risk outside specialized environments.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Incorrect tunnel matching in the Linux kernel's IPv6 Virtual Tunnel Interface (vti6) lets the vti6_tnl_lookup() fallback path select the wrong tunnel when an exact match fails, because the wildcard-search loops omitted checks that a candidate tunnel actually holds a wildcard local or remote address. On hosts configured with multiple vti6 tunnels sharing the ip6n->tnls_r_l hash table, hash collisions can cause inbound IPv6/IPsec packets to be associated with an unintended tunnel, enabling traffic misdirection and information disclosure. There is no public exploit identified at time of analysis, EPSS probability is low (0.18%), and the issue is not in CISA KEV; the upstream fix is available across multiple stable kernel branches.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel netfilter bridge redirect target crashes the kernel when a bridge port is removed or reassigned between an initial NFQUEUE hook invocation and packet reinject. The affected function ebt_redirect_tg() in the ebtables bridge filtering subsystem calls br_port_get_rcu() without guarding against a NULL return, and the additional complexity noted in the fix is that a mere NULL check would still be insufficient - userspace can move the device into a macvlan while the packet is queued, requiring the packet to be dropped entirely. This flaw has existed since commit f350a0a87374418635689471606454abc7beaa3a (kernel 2.6.36), making it a long-standing latent bug. No public exploit identified at time of analysis; EPSS at 0.18% (7th percentile) signals negligible automated exploitation risk.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Netfilter x_tables in the Linux kernel leaks raw percpu counter pointer addresses to userspace on SMP systems via a crafted fault-window attack against the get-entries path. A local user with netfilter access can engineer a userspace buffer that triggers a page fault after the kernel copies the internal percpu allocation pointer (pcnt) but before the sanitized counter snapshot overwrites it, causing the syscall to return -EFAULT while leaving the raw kernel virtual address exposed in the caller's buffer. No public exploit is identified at time of analysis and EPSS sits at 0.18% (8th percentile), but the leaked percpu address functions as a KASLR bypass primitive chainable with a second vulnerability to achieve privilege escalation.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Register tracking corruption in the Linux kernel's netfilter nft_exthdr subsystem allows a local low-privileged attacker with nftables configuration rights to trigger reads of uninitialized stack data from nft_regs, resulting in kernel instability or denial of service. The flaw affects any kernel version since the introduction of commit c078ca3b0c5b through the respective unpatched stable branches. EPSS is 0.18% (8th percentile) and this vulnerability is not listed in CISA KEV, indicating low exploitation activity; however, the ubiquity of Linux deployments means patching across stable LTS branches is warranted.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Information disclosure and frame corruption in the Linux kernel's Marvell mvpp2 network driver allows stale cache contents to be read into received packets on non-coherent DMA systems. Because the driver synced the RX buffer starting at the raw DMA address rather than at the hardware packet offset (MVPP2_SKB_HEADROOM), it synchronized unused headroom and missed an equal number of bytes at the packet tail, leaving the CPU to read stale cache lines for the end of each frame. EPSS is low (0.18%), there is no public exploit identified at time of analysis, and the issue is bounded to specific Marvell Armada-class hardware rather than general-purpose servers.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Memory corruption in the Linux kernel's Marvell mvpp2 (PPv2) Ethernet driver allows the XDP fast-path to write past the real packet buffer on hardware using short BM pools. The driver hard-codes PAGE_SIZE as the XDP frame size even when short-pool buffers are smaller, so bpf_xdp_adjust_tail() can legitimately grow a frame beyond its actual allocation, corrupting adjacent memory or later tripping skb tailroom checks. EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis; despite the auto-assigned 9.8 CVSS, realistic exploitation is constrained to systems running an XDP program on affected Marvell hardware.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Memory corruption in the Linux kernel's Marvell mvpp2 (PPv2) Ethernet driver arises from an incorrect RX buffer-recycling order: when mvpp2_rx_refill() fails after the current buffer has already been handed to XDP or attached to an skb, the driver still returns that buffer to the hardware Buffer Manager (BM) pool, allowing the NIC to DMA into memory the RX ring no longer owns. Systems running Marvell Armada SoCs with the mvpp2 driver and XDP or skb RX processing are affected; the fix reorders the refill to complete before the buffer is handed off. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and the CVE is not listed in CISA KEV despite the inflated 9.8 NVD score.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's IPv6 address configuration subsystem crashes the kernel when cleanup_prefix_route() receives the fib6_null_entry sentinel from addrconf_get_prefix_route() and attempts to access its NULL fib6_table pointer without validation. An authenticated local user holding CAP_NET_ADMIN can trigger this by sending a crafted IPv6 DELADDR netlink message, causing a general protection fault and system-wide denial of service. No public exploit or CISA KEV listing exists; EPSS is 0.17% (6th percentile), consistent with a privilege-gated local DoS affecting an extremely widely deployed target.

Linux Canonical Denial Of Service +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's drm/vc4 (Broadcom VideoCore IV DRM) driver allows a local low-privileged user to gradually exhaust kernel memory under allocation-failure conditions. The flaw arises because the return value of krealloc() is assigned directly back to the original pointer without a NULL check - if krealloc() fails and returns NULL, the reference to the previously allocated buffer is silently overwritten, permanently leaking that memory. No public exploit code is identified at time of analysis, and EPSS probability is extremely low at 0.18% (8th percentile), consistent with the local-only, condition-dependent nature of the bug.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel netfilter nf_tables tunnel module (nft_tunnel) stems from a use-after-free triggered when a tunnel object is destroyed while packets still hold a reference to its metadata_dst. The flawed nft_tunnel_obj_destroy() path calls metadata_dst_free(), which kfree()s the structure while ignoring the dst_entry refcount, so packets queued in a qdisc (e.g. netem) later call dst_release() on freed memory. CVSS is 7.8 (high) with CVSS:3.1 vector AV:L/PR:L; EPSS is low at 0.18% (7th percentile), it is not in CISA KEV, and no public exploit identified at time of analysis.

Linux Information Disclosure Use After Free +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel stack information disclosure in the Linux kernel's netfilter nft_meta_bridge subsystem leaks 2 bytes of uninitialized stack data to userspace via the IIFHWADDR register. A local attacker with CAP_NET_ADMIN privileges can craft an nftables bridge rule that reads the full 8-byte register span after a memcpy writes only 6 bytes, exposing stale nft_do_chain() stack content. No public exploit exists and EPSS is 0.17%; however, on hardened systems kernel stack leaks can assist KASLR bypass when chained with other primitives.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel TEE subsystem's register_shm_helper() function allows a local low-privileged user to exhaust kernel memory and degrade system availability. Triggering the leak requires calling the TEE_IOC_SHM_REGISTER ioctl with a length of zero, causing the function to allocate shared memory and then skip its deallocation when iov_iter_npages() returns 0. No public exploit has been identified at time of analysis, and EPSS sits at the 7th percentile, indicating very low real-world exploitation probability.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Memory corruption in the Linux kernel Bluetooth subsystem (hci_sync) allows a local privileged user to overrun a temporary buffer when the Broadcast Announcement service data is prepended to an already-maximum-sized extended advertising payload. The flaw affects systems using Bluetooth LE Audio / Broadcast Audio Profile advertising; the upstream fix rejects the oversized combination before copying, preserving the existing advertising data. No public exploit identified at time of analysis, and the EPSS probability is very low (0.18%, 8th percentile), indicating no current evidence of widespread exploitation interest.

Linux Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Bluetooth L2CAP in the Linux kernel fails to enforce the signaling MTU (MTUsig = 48 bytes) in l2cap_sig_channel(), enabling a nearby BR/EDR peer to send a single oversized fixed-channel signaling packet packed with many ECHO_REQ commands before pairing and force a proportional burst of ECHO_RSP frames. In a confirmed test, one 681-byte CID 0x0001 packet containing 168 ECHO_REQ commands caused the target to emit 168 responses over approximately 220 ms - roughly a 250× frame amplification - constituting a traffic-amplification denial-of-service. No active exploitation has been identified at time of analysis; vendor-released patches are available across multiple stable kernel branches.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Recursive spinlock AA deadlock in the Linux kernel's hugetlb memory-failure subsystem allows a local user to hang or panic the kernel by racing two concurrent madvise(MADV_HWPOISON) calls against a concurrent unmap on the same hugetlb folio. The flaw exists because get_huge_page_for_hwpoison() held hugetlb_lock while calling folio_put(), which - when concurrent unmap had already dropped the page-table reference - triggered free_huge_folio() to re-acquire the non-recursive lock, causing an irrecoverable deadlock. No confirmed active exploitation exists (not in CISA KEV), and EPSS sits at 0.18% (8th percentile), indicating negligible real-world exploitation probability at this time.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Missing bounds validation in the Linux kernel's accel/ivpu Intel VPU accelerator driver allows a local low-privileged user on an affected Intel VPU-equipped system to trigger kernel memory allocation errors or a denial of service by supplying a malformed firmware image header specifying improperly aligned or undersized runtime memory. Affected versions include Linux 6.19 and 7.1-rc1 through rc6; fixed commits are available for both the 7.0.x stable series and the 7.1 branch. No public exploit identified at time of analysis; EPSS is 0.16% (6th percentile), and no CISA KEV listing exists, reflecting minimal real-world exploitation interest.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's accel/ivpu driver (Intel NPU/VPU accelerator) occurs because firmware-supplied read and write indices for the firmware log buffer were used without bounds validation, allowing invalid offsets to drive out-of-bounds buffer reads. Affecting Intel Core Ultra-class systems running affected 6.12.x through 6.18.x and 7.x kernels, a local low-privileged actor able to influence the device's firmware log indices can disclose kernel memory or crash the host. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.18%, 7th percentile).

Linux Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's Intel Stratix10 RSU (Remote System Update) firmware driver causes a kernel panic when SMC call timeouts occur during probe initialization. Affected kernels through 7.1-rc7 and 7.0.13 expose a race condition where timeout-driven error paths in stratix10_rsu_probe() free the service channel - setting chan->scl to NULL - but fail to return early, allowing subsequent service kthreads to dereference the now-NULL pointer in their receive callbacks. The vulnerability is a local denial-of-service with no public exploit identified at time of analysis, and EPSS places exploitation probability at only 0.15%.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local privilege-context memory corruption in the Linux kernel's accel/ivpu (Intel NPU/VPU accelerator) driver allows a low-privileged user with access to the device to trigger a buffer overflow through the metric stream MS get_info ioctl. When the NPU firmware reports an info size larger than the allocated kernel buffer, the driver performs an oversized copy, corrupting kernel memory and potentially leaking sensitive data or crashing the system. No public exploit identified at time of analysis; EPSS probability is low (0.19%) and the issue is not in CISA KEV.

Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local memory corruption in the Linux kernel's Intel VPU accelerator driver (accel/ivpu) lets attacker-influenced firmware data overflow a stack buffer during IPC message receive. The defect is a signed-int truncation of the firmware-supplied data_size in min_t(int, ...), so values >= 0x80000000 turn negative, bypass the size clamp, and drive an oversized memcpy. Rated CVSS 7.8 (AV:L) with a low EPSS of 0.19% (9th percentile); no public exploit identified at time of analysis and it is not in CISA KEV.

Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege/memory-integrity exposure in the Linux kernel's drm/xe Intel GPU driver stems from a missed TLB invalidation: a previously merged optimization that skipped GuC scheduler suspend toggling when an exec queue was idle has been reverted because it bypassed the context switch that flushes TLB entries for invalidated userptr VMAs. On Intel Xe GPUs running in long-running (LR)/preempt-fence VM mode, this leaves stale TLB mappings to invalidated user pointers, producing page faults and stale-memory access during userptr invalidation. There is no public exploit identified at time of analysis and EPSS is low (0.17%, 7th percentile); the fix is the revert commit itself, restoring unconditional schedule toggling on suspend.

Authentication Bypass Linux
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Execute-permission bypass in the Linux kernel's KVM arm64 nested-virtualization (NV) code allows a nested guest to receive unintended execute permissions on stage-2 mappings when the host CPU lacks FEAT_XNX. The root cause is a misuse of FIELD_PREP() on the XN[0] mask after XN had already been shifted out of its bitfield position, which unconditionally grants execute rights instead of conditionally clearing them. There is no public exploit identified at time of analysis, EPSS is low (0.16%, 6th percentile), and the issue is not in CISA KEV, but the assigned CVSS of 8.8 reflects the hypervisor scope-change and potential for a guest to bypass non-executable memory enforcement.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel's Hyper-V netvsc network driver (hv_netvsc) allows a system crash when transmitting packets whose skb fragments reference high memory. On 32-bit x86 builds with CONFIG_HIGHMEM=y, netvsc_copy_to_send_buf() calls phys_to_virt() on fragment PFNs that may live above the LOWMEM boundary, producing an address outside the kernel direct map; the following memcpy() faults fatally on the transmit softirq path. No public exploit has been identified, the EPSS probability is low (0.18%), and the issue is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's in-kernel SMB server (ksmbd) lets an authenticated SMB client corrupt kernel slab memory by sending a second SMB2_CANCEL for the same AsyncId of a blocking byte-range lock. The first cancel frees the struct file_lock but takes an early-exit that never unlinks the async work or clears its cancel callback, leaving a live cancel_fn pointing at freed memory in the file_lock_cache (size 192) slab; a racing second cancel re-runs smb2_remove_blocked_lock() on the dangling pointer. The flaw was reproduced on mainline with KASAN by an authenticated client, EPSS is low (0.18%), and there is no public exploit identified at time of analysis.

Linux Information Disclosure Use After Free +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

ABBA deadlock in the Linux kernel xfrm iptfs subsystem causes availability loss on SMP systems when iptfs state is destroyed while its timer callbacks are concurrently executing on another CPU. The vulnerability affects the IP Traffic Flow Secrecy (IPTFS) implementation within the kernel's xfrm IPsec framework, specifically during iptfs_destroy_state() - a function that acquires spinlocks before calling hrtimer_cancel(), creating a circular dependency with softirq timer callbacks that attempt to re-acquire those same locks. No public exploit code has been identified and EPSS is 0.17% (7th percentile), indicating this is a low-probability exploitation target; the impact is a kernel deadlock causing a system hang (DoS) with no confidentiality or integrity impact.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Heap buffer overflow in the Linux kernel's io_ti USB serial driver (get_manuf_info()) lets a malicious USB device overflow a 10-byte kmalloc buffer by up to ~16 KB when attached to a host using this driver. The driver trusts the EEPROM-supplied descriptor Size field (validated only against TI_MAX_I2C_SIZE, not the destination buffer), enabling kernel memory corruption with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis; EPSS is low (0.20%, 10th percentile) and the issue is not in CISA KEV.

Memory Corruption Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Kernel-level heap buffer overflow (out-of-bounds write) in the Linux kernel's io_ti USB-serial driver (used by Digi Edgeport TI-based USB serial adapters) allows a local low-privileged attacker or a malicious/crafted firmware image to corrupt kernel heap memory. The flaw lives in build_i2c_fw_hdr(), which copies an attacker-influenced 16-bit Length field (up to 65535) from the firmware image into a fixed-size buffer without validating it fits the remaining space after the ti_i2c_firmware_rec header. There is no public exploit identified at time of analysis, EPSS is low (0.20%, 10th percentile), and it is not on the CISA KEV list, so exploitation is theoretical rather than observed.

Memory Corruption Linux Buffer Overflow
NVD VulDB
Prev Page 2 of 143 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy