Linux
Monthly
Interrupt storm in Linux kernel dpaa2-switch driver occurs when a bounds check rejects an out-of-bounds if_id in the IRQ handler but fails to clear the interrupt status, causing repeated spurious interrupts. This denial-of-service condition affects the NXP DPAA2 Ethernet switch driver on systems running vulnerable Linux kernel versions. An attacker with the ability to trigger malformed frames or hardware state transitions could exhaust CPU resources through interrupt flooding.
Memory leak in Linux kernel DRM/XE configfs device release allows information disclosure through unfreed ctx_restore_mid_bb allocation. The xe_config_device_release() function fails to deallocate ctx_restore_mid_bb[0].cs memory that was previously allocated by wa_bb_store(), leaving sensitive kernel memory accessible when the configfs device is removed. Affected Linux kernel versions containing the vulnerable DRM/XE driver require patching to prevent potential information leakage.
Mutex lock-unlock mismatch in the Linux kernel's wlcore Wi-Fi driver allows potential information disclosure or system instability through improper synchronization. The vulnerability occurs when wl->mutex is unlocked without being locked first, detected by the Clang thread-safety analyzer. This affects all Linux kernel versions with the wlcore Wi-Fi driver. No active exploitation has been identified, but the bug creates a race condition that could be leveraged to access shared kernel state.
Linux kernel RDS TCP subsystem resolves circular locking dependency in rds_tcp_tune() function where socket lock contention with fs_reclaim memory allocation creates deadlock potential. The vulnerability affects all Linux kernel versions with the vulnerable code path in net/rds/tcp.c; the fix relocates sk_net_refcnt_upgrade() outside the socket lock critical section to eliminate the circular lock dependency without compromising synchronization semantics.
Memory leak in Linux kernel DRM/XE register save-restore (reg_sr) module fails to free allocated memory when xa_store() operation fails, potentially allowing local information disclosure or denial of service through repeated trigger of the error path. The vulnerability affects all Linux kernel versions containing the affected drm/xe/reg_sr code prior to the fix commits referenced. No CVSS score or exploit data provided; patch commits are available in upstream Linux repository.
Unblinded BPF immediate values in PROBE_MEM32 stores bypass constant hardening in the Linux kernel BPF JIT compiler when bpf_jit_harden >= 1, allowing user-controlled 32-bit immediates to leak into native code. The vulnerability affects Linux kernel versions where convert_ctx_accesses() rewrites arena pointer stores to BPF_ST|BPF_PROBE_MEM32 before constant blinding runs, but bpf_jit_blind_insn() only handles BPF_ST|BPF_MEM instructions. No public exploit code or active exploitation has been ide
Memory sealing (mseal) in the Linux kernel incorrectly tracks virtual memory area (VMA) boundaries during merge operations, causing curr_end to become stale and resulting in incorrect iteration state. This flaw in mm/mseal.c affects Linux kernel versions where the mseal feature is present, allowing local attackers to potentially bypass memory sealing protections or trigger information disclosure by manipulating VMA merge behavior during seal operations.
Use-after-free vulnerability in Linux kernel futex handling allows local attackers to read freed memory via race condition between futex_key_to_node_opt() and vma_replace_policy(). When mbind() concurrently replaces virtual memory area policies, __futex_key_to_node() may dereference a freed mempolicy structure, enabling information disclosure of kernel memory. The vulnerability requires local access and precise timing but poses memory safety risk in multi-threaded applications using futex operations alongside memory policy changes.
Linux kernel TLS subsystem leaks socket buffers (skbs) when asynchronous AEAD decryption operations fail during batch processing, allowing local attackers to exhaust kernel memory and potentially cause denial of service. The vulnerability exists in tls_decrypt_async_wait() and related functions that manage the async_hold queue, which pins encrypted input buffers for AEAD engine references; improper cleanup in failure paths leaves these buffers allocated indefinitely. This is a kernel memory leak affecting TLS decryption in the kernel's cryptographic stack, confirmed by multiple upstream patches across stable branches.
Use-after-free in Linux kernel clsact qdisc initialization and destruction rollback allows local denial of service or potential information disclosure when qdisc replacement fails midway during tcf_block_get_ext() operations. The vulnerability stems from asymmetric initialization and cleanup paths where egress_entry references from a previous clsact instance remain valid during failure scenarios, leading to double-free or use-after-free conditions. Affected Linux kernel versions across all distributions that include the clsact traffic control qdisc require patching.
Use-after-free in Linux kernel netfilter BPF hook memory management allows local attackers to read sensitive kernel memory via concurrent nfnetlink_hooks dumping operations. The vulnerability arises from premature memory release in hook structures before RCU readers complete their access, enabling information disclosure through netlink interface. No active exploitation confirmed, but the KASAN report demonstrates reliable reproducer availability.
Use-after-free in Linux kernel AppArmor allows local authenticated users to achieve high confidentiality, integrity, and availability impact through a race condition between inode eviction and filesystem callbacks. The vulnerability stems from premature reference release of i_private data before inode cleanup completes. Patch available from kernel.org stable branches affecting Linux 4.13+ with Ubuntu marking priority=high across 729 releases. EPSS score of 0.02% suggests limited observed exploitation attempts despite widespread kernel deployment.
Use-after-free in Linux kernel AppArmor allows local authenticated attackers to achieve high-impact code execution, privilege escalation, or denial of service via race condition on rawdata inode dereference. Affects kernel 4.13+ including current LTS branches. Patches available for 6.6.130, 6.12.77, 6.18.18, 6.19.8, and 7.0-rc4. EPSS score is low (0.02%) with no public exploit identified at time of analysis, but Ubuntu rated this priority=high affecting 729 releases.
AppArmor differential encoding verification in the Linux kernel contains logic errors that permit infinite loops to be created through abuse of the verification chain mechanism. Two distinct bugs in the verification routine-conflation of checked states with currently-checked states, and incorrect loop iterator comparison-allow malformed differential encoding chains to bypass security checks. This enables potential information disclosure or policy circumvention on systems relying on AppArmor mandatory access control. The vulnerability affects Linux kernel versions prior to fixes applied across multiple stable branches via kernel commits.
Double-free memory corruption in Linux kernel's AppArmor profile replacement allows local authenticated users to trigger kernel crashes or potentially execute arbitrary code with kernel privileges. The flaw affects Linux kernel versions from 5.5 onwards, with vendor patches available across multiple stable branches (6.6.130, 6.12.77, 6.18.18, 6.19.8, 7.0-rc4). EPSS exploitation probability is low (0.02%, 5th percentile) and no public exploit identified at time of analysis, though Ubuntu rates this medium priority with patches deployed across 729 releases.
Out-of-bounds read and write in Linux kernel AppArmor DFA verification allows local authenticated users to cause memory corruption and potential privilege escalation. Affects Linux kernel 4.17+ through 6.12.x, actively patched in stable branches 6.6.130, 6.12.77, 6.18.18, and 6.19.8. The vulnerability occurs during AppArmor policy loading when malformed DFA structures bypass bounds checking in verify_dfa(). EPSS score of 0.02% suggests low exploitation probability in the wild; no public exploit code or CISA KEV listing identified. Ubuntu rates this medium priority with patches released via USN-8152-1.
Out-of-bounds memory read in Linux kernel AppArmor DFA matching affects kernel versions since 4.17 due to macro side-effect bug. The match_char() macro evaluates its character parameter multiple times when called with *str++, causing the pointer to advance past buffer boundaries during differential encoding chain traversal. Ubuntu has released patches (USN-8152-1) with fixes available in kernels 6.6.130, 6.12.77, 6.18.18, 6.19.8, and 7.0-rc4. EPSS score of 0.02% (5th percentile) indicates very low exploitation probability, and no public exploit or CISA KEV listing exists. CVSS 7.8 reflects local high-privilege impact, but real-world risk is limited to authenticated local users who can trigger AppArmor path permission checks.
Linux kernel AppArmor policy namespace implementation allows arbitrary nesting and creation of policy namespaces without enforcing depth limits, enabling local attackers to exhaust system resources through unbounded namespace proliferation. The vulnerability affects AppArmor in the Linux kernel across multiple stable branches. This is a denial-of-service vulnerability requiring local access, with fixes available across stable kernel versions.
Stack exhaustion in AppArmor profile removal allows local denial of service by crafting deeply nested profiles that trigger recursive kernel stack consumption. The Linux kernel's AppArmor security module can be crashed by a local user with permission to load profiles via the apparmor_parser tool and trigger removal through sysfs, causing kernel stack overflow. The fix replaces recursive profile removal with an iterative approach to prevent stack exhaustion.
Memory leak in Linux kernel AppArmor module verify_header function causes namespace string allocation leaks during multiple profile unpacking and breaks namespace consistency checking. The vulnerable code incorrectly resets the namespace pointer to NULL on every function call, discarding previously allocated namespace strings and preventing proper namespace comparison across profile iterations. This affects Linux kernel versions with the vulnerable AppArmor implementation prior to upstream fixes applied across stable branches.
Linux kernel KVM x86/mmu module improperly validates shadow page table entries (SPTEs) in indirect MMUs, allowing host userspace writes to bypass KVM's write-tracking detection and corrupt shadow paging state. The vulnerability affects KVM implementations on x86 systems with nested or indirect MMU configurations where writes originating outside KVM's scope (e.g., from host userspace via memory access) are not detected, potentially leading to memory corruption or VM escape. No CVSS score, EPSS data, or KEV status is available; this appears to be an internal kernel consistency issue addressed via upstream patch rather than a directly exploitable security boundary.
Linux kernel KVM x86/MMU incorrectly installs emulated MMIO shadow page table entries (SPTEs) without first zapping existing shadow-present SPTEs when host userspace modifies guest page tables outside KVM's scope, causing kernel warnings and potential memory consistency issues. The vulnerability affects KVM on x86 systems running vulnerable kernel versions and can be triggered by a local attacker with ability to manipulate guest memory or run guest VMs, though the practical impact beyond kernel instability remains limited.
Deadlock in Linux kernel rust_binder driver occurs when BC_DEAD_BINDER_DONE is invoked on a non-looper thread while the proc lock is held, preventing push_work_if_looper() from safely acquiring the proc lock for work queue delivery. The vulnerability affects the Rust implementation of Android's Binder IPC mechanism and can cause kernel deadlock, potentially resulting in denial of service to affected processes or the entire system depending on thread scheduling.
Memory leak in Linux kernel nf_tables nft_dynset module allows local denial of service through failed stateful expression cloning during dynamic set operations. When the second stateful expression clone fails under GFP_ATOMIC memory allocation, the first expression is not properly released, accumulating percpu memory allocations that exhaust kernel memory. This affects all Linux kernel versions until patched, with exploitation requiring local system access to trigger the nf_tables dynamic set evaluation code path.
Incus versions prior to 6.23.0 allow local authenticated attackers to manipulate temporary screenshot files via predictable /tmp paths and symlink attacks, potentially truncating and altering permissions of arbitrary files on systems with disabled symlink protection (rare), leading to denial of service or local privilege escalation. The vulnerability requires local access and authenticated user privileges but is particularly dangerous on systems without kernel-level symlink protections enabled. An exploit proof-of-concept exists, and the vendor has released patched version 6.23.0 to address the issue.
Linux kernel ICMP tag validation routines fail to check for NULL protocol handler pointers before dereferencing them, causing kernel panics in softirq context when processing fragmentation-needed errors with unregistered protocol numbers and ip_no_pmtu_disc hardened mode enabled. The vulnerability affects multiple Linux kernel versions across stable branches (6.1, 6.6, 6.12, 6.18, 6.19, and 7.0-rc5), with an EPSS score of 0.02% (7th percentile) indicating low real-world exploitation probability. No public exploit code or active exploitation has been confirmed; the fix requires adding a NULL pointer check in icmp_tag_validation() before accessing icmp_strict_tag_validation.
Linux kernel nfnetlink_osf module fails to validate TCP option lengths in OS fingerprint definitions, allowing null pointer dereference and out-of-bounds memory reads when processing packets with malformed or missing TCP options. The vulnerability affects Linux kernel versions across multiple stable branches (6.1.x through 6.19.x and 7.0-rc5), with EPSS score of 0.02% indicating low practical exploitation probability despite the memory safety issue. No public exploit code or active exploitation has been reported.
Linux kernel mac80211 mesh networking crashes on NULL pointer dereference when processing Channel Switch Announcement (CSA) action frames lacking Mesh Configuration IE, allowing adjacent WiFi attackers to trigger kernel panic (DoS) via crafted frames. Affects multiple stable kernel versions (6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0-rc5 and earlier); EPSS exploitation probability is 0.02% (low), no public exploit identified, and upstream fixes are available across all affected release branches.
crun versions 1.19 through 1.26 misparse the `-u` (--user) option during container execution, causing a numeric UID value of 1 to be incorrectly interpreted as UID 0 (root) instead, resulting in privilege escalation where containerized processes execute with root privileges instead of the intended unprivileged user. The vulnerability affects the containers/crun OCI runtime container (cpe:2.3:a:containers:crun:*:*:*:*:*:*:*:*) and has been patched in version 1.27. No public exploit code or active exploitation has been identified, though the EPSS score of 0.01% (percentile 2%) indicates minimal real-world exploitation likelihood despite the privilege escalation tag.
Buffer overflow in Linux kernel Bluetooth L2CAP subsystem allows adjacent network attackers to achieve code execution with high integrity and confidentiality impact. The flaw occurs when the kernel incorrectly accepts multiple L2CAP_ECRED_CONN_REQ commands with the same identifier, violating Bluetooth Core Specification requirements. This causes allocation beyond the L2CAP_ECRED_MAX_CID limit (5 channels) in l2cap_ecred_rsp_defer, triggering memory corruption. Affects Linux kernel 5.7+ through multiple stable branches. Vendor patches available for 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, and 7.0-rc5. EPSS score of 0.02% suggests low likelihood of mass exploitation, no public POC or active exploitation confirmed at time of analysis.
A race condition exists in the Linux kernel's AF_UNIX socket implementation where the garbage collector (GC) can incorrectly purge receive queues of alive sockets when MSG_PEEK operations occur concurrently with socket closure. The vulnerability affects all Linux kernel versions and allows local attackers with socket access to cause information disclosure or denial of service by triggering the race condition between MSG_PEEK, socket closure, and GC execution. A proof-of-concept demonstrating the issue has been publicly reported by Igor Ushakov, and patches are available in the stable kernel tree.
A race condition exists in the Linux kernel's bridge CFM (Connectivity Fault Management) peer MEP (Maintenance End Point) deletion code where a delayed work queue can be rescheduled between the cancellation check and memory freeing, leading to use-after-free on freed memory. This affects all Linux kernel versions with the vulnerable bridge CFM implementation. An attacker with local access to trigger peer MEP deletion while CFM frame reception occurs could cause a kernel use-after-free condition potentially leading to information disclosure or denial of service.
A use-after-free vulnerability exists in the Linux kernel's netfilter nf_tables flowtable implementation during error handling in the hook registration path. When hook registration fails (due to reaching maximum hook limits or hardware offload setup failures), the flowtable is not properly synchronized with RCU grace periods before being released, allowing concurrent packet processing or control plane operations (nfnetlink_hook) to access freed memory. This vulnerability affects all Linux kernel versions with the vulnerable nf_tables code and was discovered via KASAN reports during hook dumping operations; while not currently listed in known exploited vulnerabilities (KEV) databases, the use-after-free nature presents a real risk for denial of service or information disclosure in environments utilizing netfilter flowtables.
Local privilege escalation in Linux kernel netfilter subsystem (xt_CT module) allows authenticated attackers with low privileges to achieve arbitrary code execution, information disclosure, and denial of service. The vulnerability stems from improper handling of packets enqueued in nfqueue when connection tracking templates are removed, creating use-after-free conditions on helper modules or timeout policies. Patches released across stable branches 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, and mainline 7.0-rc5. EPSS score of 0.02% (7th percentile) indicates low probability of mass exploitation despite 7.8 CVSS severity, with no KEV listing or public POC identified.
A buffer overflow vulnerability exists in the Linux kernel's dma_map_sg tracepoint that can be triggered when tracing large scatter-gather lists, particularly with devices like virtio-gpu that create large DRM buffers exceeding 1000 entries. The vulnerability affects all Linux kernel versions prior to the fix and can cause perf buffer overflow warnings and potential kernel instability when dynamic array allocations exceed PERF_MAX_TRACE_SIZE (8192 bytes). While this is a kernel-level issue requiring local access to trigger tracing functionality, it poses a denial-of-service risk and memory safety concern for systems using performance tracing on workloads with large scatter-gather operations.
A memory leak vulnerability exists in the Linux kernel's ice driver in the ice_set_ringparam() function, where dynamically allocated tx_rings and xdp_rings are not properly freed when subsequent rx_rings allocation or setup fails. This affects all Linux kernel versions with the vulnerable ice driver code path, and while memory leaks typically enable denial of service through resource exhaustion rather than direct code execution, the impact depends on exploitation frequency and system memory constraints. No active exploitation or proof-of-concept has been publicly disclosed; the vulnerability was discovered through static analysis and code review rather than in-the-wild detection.
A metadata validation vulnerability in the Linux kernel's Squashfs filesystem implementation allows out-of-bounds memory access when processing corrupted or malicious filesystem images. Specifically, a negative metadata block offset derived from a corrupted index lookup table is passed to squashfs_copy_data without bounds checking, causing a general protection fault. Any Linux system mounting an untrusted Squashfs image is affected, potentially enabling denial of service or information disclosure attacks, though no active exploitation in the wild is currently documented.
A double-put vulnerability exists in the Linux kernel's pinctrl cirrus cs42l43 driver probe function, where devm_add_action_or_reset() already invokes cleanup on failure but the code explicitly calls put again, causing a double-free condition. This affects Linux kernel versions across multiple stable branches where the cs42l43 pinctrl driver is compiled. The vulnerability could lead to kernel memory corruption and potential denial of service or information disclosure when the driver probe path encounters failure conditions.
A buffer management vulnerability exists in the Linux kernel's Google Virtual Ethernet (GVE) driver within the gve_tx_clean_pending_packets() function when operating in DQ-QPL (Descriptor Queue with Queue Pair Lists) mode. The function incorrectly interprets buffer IDs as DMA addresses and attempts to unmap memory using the wrong cleanup path, causing out-of-bounds array access and potential memory corruption. This affects Linux kernel versions across multiple stable branches and can be triggered during network device reset operations, potentially leading to kernel crashes or memory safety violations.
A memory management vulnerability in the Linux kernel's netfilter nf_tables subsystem can be triggered through fault injection during set flush operations, causing a kernel warning splat when memory allocation fails under GFP_KERNEL conditions. This vulnerability affects Linux kernel versions across distributions and is exploitable by local attackers with network namespace capabilities, potentially leading to kernel warnings and denial of service through memory exhaustion attacks. While no CVSS score or active exploitation in the wild has been reported, the vulnerability was discovered through syzbot fuzzing with fault injection, indicating it requires specific conditions to trigger but represents a real kernel stability issue that has been patched.
A kernel stack memory leak exists in the Linux kernel's RDMA/ionic driver within the ionic_create_cq() function, where uninitialized stack memory is copied to userspace via the ionic_cq_resp structure. An unprivileged local attacker with access to RDMA/ionic devices can trigger this vulnerability to leak up to 11 bytes of sensitive kernel stack data, potentially revealing kernel addresses, cryptographic material, or other sensitive information useful for further exploitation. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, and no public proof-of-concept has been disclosed; however, patches are available across multiple stable kernel branches.
This vulnerability affects the Linux kernel's ARM64 BPF JIT compiler, where insufficient alignment requirements (4 bytes instead of 8 bytes) for the JIT buffer cause the bpf_plt structure's u64 target field to be misaligned. This misalignment creates two critical issues: UBSAN generates warnings for undefined behavior, and more dangerously, concurrent updates to the target field via WRITE_ONCE() in bpf_arch_text_poke() can result in torn 64-bit reads on ARM64 systems, causing the JIT to jump to corrupted addresses. Linux kernel versions using ARM64 BPF JIT are affected, and while there is no public exploit code available, this represents a memory corruption vulnerability that could lead to privilege escalation or denial of service. Multiple stable kernel patches are available addressing this issue.
This vulnerability affects multiple Linux kernel HID (Human Interface Device) drivers that lack proper validation checks when processing raw event callbacks from unclaimed HID devices. An attacker could connect a malicious or broken HID device to trigger a NULL pointer dereference in affected drivers, causing a kernel crash and denial of service. The vulnerability was identified as a gap in security hardening following a similar fix applied to the appleir driver, and patches are available across multiple stable kernel branches.
A NULL pointer dereference vulnerability exists in the Linux kernel's bridge networking module when IPv6 is disabled via the 'ipv6.disable=1' boot parameter. When Neighbor Discovery (ND) suppression is enabled on a bridge, an ICMPv6 packet reaching the bridge causes the kernel to dereference a NULL pointer in the nd_tbl structure, resulting in a kernel panic and denial of service. This affects all Linux kernel versions with this code path, and while no CVSS score or EPSS data is currently available, the vulnerability is readily triggered through network packet receipt on systems with specific boot configurations.
A reference counting vulnerability in the Linux kernel's tracing subsystem causes a WARN_ON to trigger when a process forks and both parent and child processes exit, particularly when the application calls madvise(MADV_DOFORK) to enable VMA copy-on-fork behavior. The vulnerability affects all Linux kernel versions with the vulnerable tracing_buffers_mmap code and allows local attackers to cause a kernel warning that may lead to denial of service or information disclosure through the kernel warning itself. While not currently listed in KEV or known to be actively exploited, the vulnerability has been patched in stable kernel branches as indicated by four separate commit references.
A divide-by-zero vulnerability exists in the Linux kernel's ETS (Enhanced Transmission Selection) qdisc offload implementation that can crash the kernel when processing malformed traffic scheduling configurations. The vulnerability affects all Linux kernel versions with the ETS scheduler module enabled, and a local privileged user (or attacker with CAP_NET_ADMIN capability) can trigger a kernel panic by crafting specific netlink messages via the tc (traffic control) utility. While no public exploit code has been confirmed in the wild, the condition is easily reproducible and results in immediate kernel crash, making this a high-priority local denial-of-service vector.
A buffer overflow vulnerability exists in the Linux kernel's IFE (Intermediate Functional Element) traffic control action module where metadata list replacement incorrectly appends new metadata instead of replacing old entries, causing unbounded metadata accumulation. This affects all Linux kernel versions with the vulnerable IFE scheduling code (cpe:2.3:a:linux:linux). An attacker with the ability to modify traffic control rules can trigger an out-of-bounds write via the ife_tlv_meta_encode function, potentially achieving kernel memory corruption and denial of service. The vulnerability is not listed as actively exploited in public KEV databases, but patches are available across multiple stable kernel branches.
A memory buffer management vulnerability exists in the Linux kernel's ice network driver XDP (eXpress Data Path) implementation, specifically in how it calculates fragment buffer sizes for receive queues. The vulnerability affects Linux kernel versions with the vulnerable ice driver code path and can be triggered through XDP operations that attempt to grow multi-buffer packet tails, potentially causing kernel panics or denial of service. An attacker with the ability to load and execute XDP programs can exploit this by crafting specific packet sizes and offset values to trigger the panic condition, as demonstrated by the XSK_UMEM__MAX_FRAME_SIZE test case, though real-world exploitation requires local access to load XDP programs.
A resource management vulnerability exists in the Linux kernel's nvmet-fcloop NVMe-FC loopback driver where the lsrsp (LS response) callback is invoked without proper validation of the remote port state, potentially leading to use-after-free or double-free conditions. This affects Linux kernel implementations using nvmet-fcloop for NVMe-FC transport emulation across all versions prior to the patch commits (f30b95159a53e72529a9ca1667f11cd1970240a7, 31d3817bcd9e192b30abe3cf4b68f69d48864dd2, dd677d0598387ea623820ab2bd0e029c377445a3). An attacker with local kernel-level access or ability to trigger abnormal nvmet-fcloop state transitions could potentially cause information disclosure or denial of service through memory corruption.
A vulnerability in the Linux kernel's Transparent Huge Pages (THP) subsystem incorrectly enables THP for files on anonymous inodes (such as guest_memfd and secretmem), which were not designed to support large folios. This can trigger kernel crashes via memory copy operations on unmapped memory in secretmem, or WARN_ON conditions in guest_memfd fault handlers. The vulnerability affects Linux kernel versions across multiple stable branches and requires a kernel patch to remediate; while not known to be actively exploited in the wild, the condition can be triggered locally by unprivileged users through madvise() syscalls.
This vulnerability is a preemption context violation in the Linux kernel's block I/O tracing subsystem where tracing_record_cmdline() unsafely uses __this_cpu_read() and __this_cpu_write() operations from preemptible context. The Linux kernel in versions supporting blktrace (affected via CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) is vulnerable, allowing potential information disclosure or denial of service when block tracing is enabled and block I/O operations occur from user-space processes. This is not actively exploited in the wild (no KEV status), but the vulnerability has functional proof of concept through blktests/blktrace/002, making it a moderate priority for kernel maintainers and distributions shipping PREEMPT(full) configurations.
The Linux kernel's Realtek WiFi driver (rsi) incorrectly defaults to returning -EOPNOTSUPP error code in the rsi_mac80211_config function, which triggers a WARN_ON condition in ieee80211_hw_conf_init and deviates from expected driver behavior. This affects Linux kernel versions across multiple stable branches where the rsi WiFi driver is compiled and loaded. While not actively exploited in the wild, the issue causes kernel warnings and improper driver initialization that could degrade WiFi functionality or stability on affected systems.
Local privilege escalation and denial of service in Linux kernel NFC rawsock implementation (versions 3.1 through 6.19.6, patched in 6.1.167, 6.6.130, 6.12.77, 6.18.17, 6.19.7, 7.0-rc3) allows authenticated local users to trigger use-after-free conditions via race between socket teardown and asynchronous NFC data transmission. CVSS 7.8 HIGH with local attack vector requiring low privileges. EPSS score 0.02% (6th percentile) indicates minimal real-world exploitation probability. Vendor patches available across all stable kernel branches since early 2026.
A Linux kernel scheduler vulnerability in SCHED_DEADLINE task handling causes bandwidth accounting corruption when a deadline task holding a priority-inheritance mutex is changed to a lower priority class via sched_setscheduler(). The vulnerability affects Linux kernel implementations (all versions with SCHED_DEADLINE support) and can be triggered by local unprivileged users running specific workloads like stress-ng, potentially leading to kernel warnings, task accounting underflow, and denial of service. No active exploitation in the wild is currently documented, but the vulnerability is fixed in stable kernel branches as evidenced by the provided commit references.
A credential disclosure vulnerability exists in the Linux kernel's Dell WMI System Management (dell-wmi-sysman) module where the set_new_password() function performs hex dumps of memory buffers containing plaintext password data, including both current and new passwords. This affects all Linux kernel versions with the vulnerable dell-wmi-sysman driver, allowing local attackers with access to kernel logs or debug output to extract sensitive authentication credentials. While no CVSS score, EPSS probability, or active KEV status is currently assigned, the patch availability across six stable kernel branches indicates the vulnerability has been formally addressed by the Linux kernel maintainers.
A race condition in the Linux kernel's i801 I2C driver causes a kernel NULL pointer dereference and panic during boot when multiple udev threads concurrently access the ACPI I/O handler region. The vulnerability affects Linux kernel versions running the i2c_i801 driver on systems with Intel i801 chipsets. An attacker with local access or the ability to trigger concurrent device enumeration during boot can crash the system, resulting in denial of service.
This vulnerability is an AB-BA deadlock in the Linux kernel's PHY (Physical Layer) LED trigger subsystem that occurs when both LEDS_TRIGGER_NETDEV and LED_TRIGGER_PHY are enabled simultaneously. The deadlock arises because PHY LED triggers are registered during the phy_attach phase while holding the RTNL lock, then attempting to acquire the triggers_list_lock, while the netdev LED trigger code does the reverse—holding triggers_list_lock and attempting to acquire RTNL. This deadlock affects all Linux kernel versions with the affected PHY and LED trigger subsystems enabled (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), and while not directly exploitable for privilege escalation, it can be triggered to cause a system hang or denial of service by users with network configuration privileges or via userspace LED sysfs writes.
A use-of-uninitialized-variable vulnerability exists in the Linux kernel's radiotap parser that can lead to information disclosure when processing radiotap frames with undefined fields. The vulnerability affects all Linux kernel versions using the radiotap namespace parser (cpe:2.3:a:linux:linux) and occurs when undefined radiotap field 18 is present, causing the iterator->_next_ns_data variable to be compared against an uninitialized value. While no CVSS score or EPSS data is currently available and there is no indication of active exploitation, the vulnerability has been patched across multiple kernel branches as evidenced by six distinct commit fixes.
A NULL pointer dereference vulnerability exists in the Linux kernel's DRM client subsystem within the drm_client_modeset_probe function. When memory allocation for the 'modes' variable fails via kcalloc, the error handling path incorrectly attempts to destroy a NULL pointer, leading to a kernel panic or denial of service. This affects all Linux kernel versions containing this vulnerable code path in the DRM display driver subsystem.
The Linux kernel kalmia USB driver fails to validate that connected USB devices have the required endpoints before binding to them, allowing a malicious or malformed USB device to trigger a kernel crash during endpoint access. This denial-of-service vulnerability affects all Linux kernel versions running the kalmia driver (net/usb/kalmia.c) and requires physical USB device connection or local control of USB device enumeration. While no CVSS score or EPSS probability is formally assigned, the vulnerability has been patched across multiple stable kernel branches, indicating recognition of the issue's severity.
The Linux kernel's ksmbd (SMB server implementation) component uses the non-constant-time memcmp() function to compare Message Authentication Codes (MACs) instead of the cryptographically-secure crypto_memneq() function, enabling timing-based attacks to leak authentication credentials. All Linux kernel versions with ksmbd are affected, allowing attackers to potentially forge authentication by measuring response time differences during MAC validation. While no public exploit code is confirmed, multiple stable kernel branches have received patches addressing this vulnerability, indicating kernel maintainers treated this as a legitimate information disclosure risk.
An out-of-bounds (OOB) memory access vulnerability exists in the Linux kernel's MediaTek MT7925 WiFi driver in the mt7925_mac_write_txwi_80211() function, which fails to validate frame length before accessing management frame fields. This vulnerability affects systems running Linux kernel versions with the vulnerable MT7925 driver code and could allow an attacker with local access or the ability to craft malicious wireless frames to read or write out-of-bounds memory, potentially leading to information disclosure or denial of service. While no CVSS score, EPSS data, or active exploitation reports are currently documented, the vulnerability has been patched across multiple stable Linux kernel branches as indicated by four distinct commit references.
A locking initialization vulnerability exists in the Linux kernel's CAN BCM (Broadcast Manager) socket implementation where the bcm_tx_lock spinlock is not properly initialized in the RX setup path, creating a race condition when RX_RTR_FRAME flag processing attempts to transmit frames. This affects all Linux kernel versions with the vulnerable CAN BCM code, and while no public exploit is known, the vulnerability could lead to kernel memory corruption or denial of service if the uninitialized lock is accessed during concurrent RTR frame handling.
This vulnerability is a race condition in the Linux kernel's PCI Designware endpoint driver where MSI-X interrupt writes to the host can complete after the corresponding Address Translation Unit (ATU) entry is unmapped, potentially corrupting host memory or triggering IOMMU errors. The vulnerability affects all Linux kernel versions with the vulnerable code path in the PCI DWC endpoint implementation (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), specifically impacting systems using PCI endpoint devices with MSI-X interrupt support such as NVMe-PCI endpoint function drivers. An attacker with the ability to trigger high-frequency MSI-X interrupts from a malicious endpoint device could exploit this race condition to cause denial of service through IOMMU faults or potentially corrupt host memory.
This vulnerability is a resource leak in the Linux kernel's NVMe driver where the admin queue is not properly released during controller reset operations. Systems running affected Linux kernel versions are vulnerable to denial of service through memory exhaustion when NVMe controllers reset repeatedly. While no active exploitation in the wild has been reported and CVSS/EPSS scores are not yet published, the issue affects all Linux distributions and is resolved through kernel patching with fixes available across multiple stable branches.
A stack-out-of-bounds write vulnerability exists in the Linux kernel's BPF devmap implementation where the get_upper_ifindexes() function iterates over upper network devices without properly validating buffer bounds. An attacker with the ability to create multiple virtual network devices (e.g., more than 8 macvlans) and trigger XDP packet processing with BPF_F_BROADCAST and BPF_F_EXCLUDE_INGRESS flags can write beyond allocated stack memory, potentially causing denial of service or arbitrary code execution. The vulnerability affects all Linux kernel versions using the vulnerable devmap code path and has been patched across multiple stable kernel branches, indicating recognition as a real security concern requiring immediate updates.
A use-of-uninitialized-variable vulnerability exists in the Linux kernel's AMD GPU (drm/amdgpu) driver, specifically in the slot reset error handling path. When device recovery fails after a slot reset is called, the code branches to error handling logic that references an uninitialized hive pointer and accesses an uninitialized list, potentially leading to information disclosure or system instability. This affects Linux kernel versions across multiple stable branches, with patches available in the referenced commits.
A deadlock vulnerability exists in the Linux kernel's mcp251x CAN bus driver where the mcp251x_open() function calls free_irq() while holding the mpc_lock mutex during error handling, causing the function to deadlock if an interrupt occurs simultaneously. This affects all Linux kernel versions with the vulnerable mcp251x driver code, and while not actively exploited in the wild (no KEV status indicates no in-the-wild exploitation), it represents a local denial of service condition where a user with appropriate device access can trigger driver initialization failures that hang the system.
A logic error in the Linux kernel's DRBD (Distributed Replicated Block Device) subsystem causes drbd_al_begin_io_nonblock() to fail silently when activity log extent acquisition fails due to spinlock contention, leading to loss of mutual exclusivity guarantees between resync and application I/O operations. This vulnerability affects all Linux kernel versions with the affected DRBD code and can result in kernel crashes via BUG_ON() assertions when activity log references are incorrectly released, as well as potential data consistency issues during active resync operations when concurrent application I/O proceeds without proper exclusivity enforcement.
This vulnerability is a race condition in the Linux kernel's libata subsystem where pending work is not properly canceled after clearing a deferred queue command (deferred_qc), leading to a WARN_ON() condition when the stale work eventually executes. The vulnerability affects all Linux kernel versions with the vulnerable libata code path, impacting systems using ATA/SATA disk controllers. An attacker with local access could trigger this condition through specific command sequences involving NCQ and non-NCQ commands, causing kernel warnings and potential system instability, though direct privilege escalation is not demonstrated.
This vulnerability is a speculative execution safety flaw in the Linux kernel's x86 FRED (Flexible Return and Event Delivery) interrupt handling code where array_index_nospec() is incorrectly positioned, allowing speculative memory predictions to leak sensitive information through side-channel attacks. The vulnerability affects all Linux kernel versions with FRED support (primarily x86-64 systems with newer Intel/AMD processors). An attacker with local access could potentially infer sensitive kernel memory values through timing or covert channel attacks exploiting the unsafe speculation window.
A null pointer dereference vulnerability exists in the Linux kernel's ice network driver that crashes the system during ethtool offline loopback tests. The vulnerability affects Linux kernel versions running the ice driver (Intel Ethernet Controller driver), and an attacker with local access and CAP_NET_ADMIN privileges can trigger a kernel panic (denial of service) by executing ethtool loopback self-tests. No active exploitation or public POC has been reported; patches are available in stable kernel releases.
A memory management vulnerability in the Linux kernel's EFI boot services implementation causes a leak of approximately 140MB of RAM on systems with CONFIG_DEFERRED_STRUCT_PAGE_INIT enabled, particularly affecting resource-constrained EC2 instances with 512MB total RAM. The vulnerability occurs when efi_free_boot_services() attempts to free EFI boot services memory before the kernel's deferred memory map initialization is complete, resulting in freed pages being skipped and never returned to the memory pool. This is a kernel-level memory exhaustion issue affecting all Linux distributions, though impact is most severe on systems with minimal RAM; no active exploitation or proof-of-concept has been identified as this is a resource leak rather than a code execution vector.
Use-after-free in Linux kernel's netfilter nft_set_pipapo enables local privilege escalation to kernel-level access (confidentiality/integrity/availability compromise). Affects Linux kernel 5.6+ through multiple stable branches (6.1.x, 6.6.x, 6.12.x, 6.18.x, 6.19.x). Vendor patches available across all affected kernel series. EPSS score of 0.03% (9th percentile) indicates low automated exploitation likelihood, consistent with local-access requirement and lack of public exploit code at time of analysis.
A resource management vulnerability exists in the Linux kernel's DRM/XE (Intel Graphics Execution Manager) queue initialization code where the finalization function is not called when execution queue creation fails, leaving the queue registered in the GuC (GPU Unified Compute) list and potentially causing invalid memory references. This affects all Linux kernel versions containing the vulnerable DRM/XE driver code. The vulnerability could lead to memory corruption or system instability when an exec queue creation failure occurs, though exploitation would require local kernel code execution capability or ability to trigger queue creation failures.
A NULL pointer dereference vulnerability exists in the Linux kernel's HID pidff (PID force feedback) driver due to incomplete clearing of conditional effect bits from the ffbit field. This affects all Linux kernel versions using the vulnerable pidff driver code. An attacker with local access to a system with a connected force feedback HID device could trigger a kernel panic, causing a denial of service. No CVSS score, EPSS score, or active KEV status is currently available, but three stable kernel commits addressing this issue have been merged, indicating the vulnerability has been formally patched.
A race condition exists in the Linux kernel's CXL (Compute Express Link) subsystem where the nvdimm_bus object can be invalidated while orphaned nvdimm objects attempt to reprobe, leading to a NULL pointer dereference in kobject_get() during device registration. This affects Linux kernels with CXL support enabled, allowing a local attacker or system administrator to trigger a kernel panic (denial of service) through module unload/reload sequences or specific timing during CXL ACPI probe operations. No active exploitation in the wild has been reported, but the vulnerability is easily reproducible via the cxl-translate.sh unit test with minimal timing manipulation.
A use-after-free vulnerability exists in the Linux kernel's CAN USB f81604 driver where URBs submitted in the read bulk callback are not properly anchored before submission, potentially allowing them to be leaked if usb_kill_anchored_urbs() is invoked. This affects all Linux kernel versions with the vulnerable f81604 driver code. An attacker with local access or control over a malicious USB CAN adapter could potentially trigger memory corruption or information disclosure by causing URB leaks during driver cleanup or device disconnection.
A memory access protection bypass vulnerability exists in the Linux kernel's ARM64 ioremap_prot() function where user-space page protection attributes are improperly propagated to kernel-space I/O remapping, bypassing Privileged Access Never (PAN) protections and enabling information disclosure. This affects all Linux kernel versions on ARM64 systems with PAN enabled. An attacker with local access can trigger memory access faults and potentially read sensitive kernel memory through operations like accessing /proc/[pid]/environ on vulnerable systems.
A memory protection vulnerability exists in the Linux kernel's ARM64 Guarded Control Stack (GCS) implementation when FEAT_LPA2 (52-bit virtual addressing) is enabled. The vulnerability occurs because GCS page table entries incorrectly use the PTE_SHARED bits (0b11) in positions that are repurposed for high-order address bits when LPA2 is active, causing page table corruption and kernel panics during GCS memory operations. This affects all Linux kernel versions with GCS support on ARM64 systems with LPA2 enabled, and while no active exploitation or public POC has been reported, the vulnerability causes immediate kernel crashes when GCS is enabled on affected hardware configurations.
A use-after-free vulnerability exists in the Linux kernel's crypto subsystem (CCP driver) within the sev_tsm_init_locked() function error path, where a pr_err() statement dereferences freed memory to access structure fields t->tio_en and t->tio_init_done after kfree(t) has been executed. This vulnerability can lead to information disclosure by reading freed memory contents. The issue affects Linux kernel versions across distributions using the affected CCP crypto driver code and was identified by the Smatch static analyzer.
A memory corruption vulnerability exists in the Linux kernel's XDP (eXpress Data Path) subsystem where negative tailroom calculations are incorrectly reported as large unsigned integers, allowing buffer overflows during tail growth operations. This affects Linux kernel versions across multiple stable branches when certain Ethernet drivers (notably ixgbevf) report incorrect DMA write sizes, leading to heap corruption, segmentation faults, and general protection faults as demonstrated in the xskxceiver test utility. The vulnerability has no CVSS score assigned and shows no active KEV exploitation status, but represents a critical memory safety issue affecting systems using XDP with affected Ethernet drivers.
A race condition exists in the Linux kernel's eBPF CPU map implementation on PREEMPT_RT systems, where concurrent access to per-CPU packet queues can cause memory corruption and kernel crashes. This vulnerability affects Linux kernel versions across multiple branches and can be triggered by tasks running on the same CPU, potentially allowing local denial of service or information disclosure. A proof-of-concept has been made available via syzkaller, and patches have been released through the official Linux kernel stable repositories.
A null pointer dereference vulnerability exists in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) that can cause a kernel crash when userspace attempts to destroy a hardware context that has been automatically suspended. The vulnerability affects all Linux kernel versions with the vulnerable amdxdna driver code path; an unprivileged local user with access to the driver's ioctl interface can trigger a denial of service by issuing a destroy context command on a suspended context, causing the kernel to crash when accessing a NULL mailbox channel pointer. No CVSS score, EPSS data, or KEV status is currently available, but the vulnerability is classified as a denial of service with straightforward triggering conditions.
Use-after-free in Linux kernel network traffic control subsystem allows local authenticated attackers to execute arbitrary code with high privileges when changing network queue pair configurations on lockless qdiscs (virtio-net confirmed affected). Race condition between qdisc_reset_all_tx_gt() and dequeue operations causes memory to be freed while still in use. Vendor-released patches available for stable kernel branches 6.1.167, 6.6.130, 6.12.77, 6.18.17, 6.19.7, and mainline 7.0-rc3. EPSS exploitation probability is low (0.02%, 7th percentile) and no active exploitation confirmed at time of analysis, though a reliable reproducer exists using iperf3 and ethtool queue manipulation.
A memory leak vulnerability exists in the Linux kernel's NFC NCI subsystem where the nci_transceive() function fails to free socket buffer (skb) objects on three early error paths (-EPROTO, -EINVAL, -EBUSY), causing kernel memory exhaustion over time. The vulnerability affects all Linux kernel versions with the vulnerable code in the NFC NCI driver, impacting any system with NFC capabilities that processes malformed or resource-constrained NCI transactions. While not directly exploitable for code execution, attackers can trigger memory exhaustion leading to denial of service by sending specially crafted NFC messages that trigger the error paths, and the vulnerability has been confirmed in kernel self-tests via kmemleak detection.
This vulnerability allows userspace applications to trivially trigger kernel warning backtraces in the AMD GPU (amdgpu) driver's user queue (userq) implementation by passing intentionally small num_fences values or exploiting legitimate growth between successive ioctl calls. While not a traditional security vulnerability enabling code execution or data theft, it constitutes an information disclosure issue through kernel log pollution and denial-of-service potential via warning spam. The Linux kernel across all versions utilizing the affected amdgpu userq code path is impacted, though the actual attack surface is limited to systems with AMD GPUs and unprivileged users with access to the amdgpu device interface.
A memory leak vulnerability exists in the Linux kernel's pinctrl subsystem within the pinconf_generic_parse_dt_config() function. When the parse_dt_cfg() function fails, the code returns directly without executing cleanup logic, causing the cfg buffer to be leaked. This affects all Linux kernel versions containing the vulnerable pinctrl-generic code, and while the vulnerability itself does not enable direct code execution, it can lead to denial of service through memory exhaustion over time as the kernel gradually loses available memory.
Use-after-free in Linux kernel cfg80211 WiFi subsystem allows local authenticated users with low privileges to achieve high impact on confidentiality, integrity, and availability through rfkill work-queue exploitation. The vulnerability affects Linux kernel versions 2.6.31 through 6.19-rc2, with patches released for stable branches 6.1.167, 6.6.130, 6.12.77, 6.18.17, 6.19.7, and 7.0-rc2. EPSS score of 0.02% (7th percentile) indicates very low probability of mass exploitation. No CISA KEV listing or public exploit identified at time of analysis, though the issue was discovered via syzkaller fuzzing, demonstrating automated exploit development potential.
A kernel stack memory leak exists in the Linux kernel's RDMA/irdma driver within the irdma_create_user_ah() function, where 4 bytes of uninitialized kernel stack memory are leaked to user space through the rsvd (reserved) field of the irdma_create_ah_resp structure. This information disclosure vulnerability affects all Linux kernel versions with the vulnerable irdma driver code, allowing any unprivileged user with access to RDMA operations to read sensitive kernel stack data. While no CVSS score or EPSS metric is currently available, the vulnerability is classified as Information Disclosure and has been patched across multiple stable kernel branches, indicating upstream recognition and remediation.
Interrupt storm in Linux kernel dpaa2-switch driver occurs when a bounds check rejects an out-of-bounds if_id in the IRQ handler but fails to clear the interrupt status, causing repeated spurious interrupts. This denial-of-service condition affects the NXP DPAA2 Ethernet switch driver on systems running vulnerable Linux kernel versions. An attacker with the ability to trigger malformed frames or hardware state transitions could exhaust CPU resources through interrupt flooding.
Memory leak in Linux kernel DRM/XE configfs device release allows information disclosure through unfreed ctx_restore_mid_bb allocation. The xe_config_device_release() function fails to deallocate ctx_restore_mid_bb[0].cs memory that was previously allocated by wa_bb_store(), leaving sensitive kernel memory accessible when the configfs device is removed. Affected Linux kernel versions containing the vulnerable DRM/XE driver require patching to prevent potential information leakage.
Mutex lock-unlock mismatch in the Linux kernel's wlcore Wi-Fi driver allows potential information disclosure or system instability through improper synchronization. The vulnerability occurs when wl->mutex is unlocked without being locked first, detected by the Clang thread-safety analyzer. This affects all Linux kernel versions with the wlcore Wi-Fi driver. No active exploitation has been identified, but the bug creates a race condition that could be leveraged to access shared kernel state.
Linux kernel RDS TCP subsystem resolves circular locking dependency in rds_tcp_tune() function where socket lock contention with fs_reclaim memory allocation creates deadlock potential. The vulnerability affects all Linux kernel versions with the vulnerable code path in net/rds/tcp.c; the fix relocates sk_net_refcnt_upgrade() outside the socket lock critical section to eliminate the circular lock dependency without compromising synchronization semantics.
Memory leak in Linux kernel DRM/XE register save-restore (reg_sr) module fails to free allocated memory when xa_store() operation fails, potentially allowing local information disclosure or denial of service through repeated trigger of the error path. The vulnerability affects all Linux kernel versions containing the affected drm/xe/reg_sr code prior to the fix commits referenced. No CVSS score or exploit data provided; patch commits are available in upstream Linux repository.
Unblinded BPF immediate values in PROBE_MEM32 stores bypass constant hardening in the Linux kernel BPF JIT compiler when bpf_jit_harden >= 1, allowing user-controlled 32-bit immediates to leak into native code. The vulnerability affects Linux kernel versions where convert_ctx_accesses() rewrites arena pointer stores to BPF_ST|BPF_PROBE_MEM32 before constant blinding runs, but bpf_jit_blind_insn() only handles BPF_ST|BPF_MEM instructions. No public exploit code or active exploitation has been ide
Memory sealing (mseal) in the Linux kernel incorrectly tracks virtual memory area (VMA) boundaries during merge operations, causing curr_end to become stale and resulting in incorrect iteration state. This flaw in mm/mseal.c affects Linux kernel versions where the mseal feature is present, allowing local attackers to potentially bypass memory sealing protections or trigger information disclosure by manipulating VMA merge behavior during seal operations.
Use-after-free vulnerability in Linux kernel futex handling allows local attackers to read freed memory via race condition between futex_key_to_node_opt() and vma_replace_policy(). When mbind() concurrently replaces virtual memory area policies, __futex_key_to_node() may dereference a freed mempolicy structure, enabling information disclosure of kernel memory. The vulnerability requires local access and precise timing but poses memory safety risk in multi-threaded applications using futex operations alongside memory policy changes.
Linux kernel TLS subsystem leaks socket buffers (skbs) when asynchronous AEAD decryption operations fail during batch processing, allowing local attackers to exhaust kernel memory and potentially cause denial of service. The vulnerability exists in tls_decrypt_async_wait() and related functions that manage the async_hold queue, which pins encrypted input buffers for AEAD engine references; improper cleanup in failure paths leaves these buffers allocated indefinitely. This is a kernel memory leak affecting TLS decryption in the kernel's cryptographic stack, confirmed by multiple upstream patches across stable branches.
Use-after-free in Linux kernel clsact qdisc initialization and destruction rollback allows local denial of service or potential information disclosure when qdisc replacement fails midway during tcf_block_get_ext() operations. The vulnerability stems from asymmetric initialization and cleanup paths where egress_entry references from a previous clsact instance remain valid during failure scenarios, leading to double-free or use-after-free conditions. Affected Linux kernel versions across all distributions that include the clsact traffic control qdisc require patching.
Use-after-free in Linux kernel netfilter BPF hook memory management allows local attackers to read sensitive kernel memory via concurrent nfnetlink_hooks dumping operations. The vulnerability arises from premature memory release in hook structures before RCU readers complete their access, enabling information disclosure through netlink interface. No active exploitation confirmed, but the KASAN report demonstrates reliable reproducer availability.
Use-after-free in Linux kernel AppArmor allows local authenticated users to achieve high confidentiality, integrity, and availability impact through a race condition between inode eviction and filesystem callbacks. The vulnerability stems from premature reference release of i_private data before inode cleanup completes. Patch available from kernel.org stable branches affecting Linux 4.13+ with Ubuntu marking priority=high across 729 releases. EPSS score of 0.02% suggests limited observed exploitation attempts despite widespread kernel deployment.
Use-after-free in Linux kernel AppArmor allows local authenticated attackers to achieve high-impact code execution, privilege escalation, or denial of service via race condition on rawdata inode dereference. Affects kernel 4.13+ including current LTS branches. Patches available for 6.6.130, 6.12.77, 6.18.18, 6.19.8, and 7.0-rc4. EPSS score is low (0.02%) with no public exploit identified at time of analysis, but Ubuntu rated this priority=high affecting 729 releases.
AppArmor differential encoding verification in the Linux kernel contains logic errors that permit infinite loops to be created through abuse of the verification chain mechanism. Two distinct bugs in the verification routine-conflation of checked states with currently-checked states, and incorrect loop iterator comparison-allow malformed differential encoding chains to bypass security checks. This enables potential information disclosure or policy circumvention on systems relying on AppArmor mandatory access control. The vulnerability affects Linux kernel versions prior to fixes applied across multiple stable branches via kernel commits.
Double-free memory corruption in Linux kernel's AppArmor profile replacement allows local authenticated users to trigger kernel crashes or potentially execute arbitrary code with kernel privileges. The flaw affects Linux kernel versions from 5.5 onwards, with vendor patches available across multiple stable branches (6.6.130, 6.12.77, 6.18.18, 6.19.8, 7.0-rc4). EPSS exploitation probability is low (0.02%, 5th percentile) and no public exploit identified at time of analysis, though Ubuntu rates this medium priority with patches deployed across 729 releases.
Out-of-bounds read and write in Linux kernel AppArmor DFA verification allows local authenticated users to cause memory corruption and potential privilege escalation. Affects Linux kernel 4.17+ through 6.12.x, actively patched in stable branches 6.6.130, 6.12.77, 6.18.18, and 6.19.8. The vulnerability occurs during AppArmor policy loading when malformed DFA structures bypass bounds checking in verify_dfa(). EPSS score of 0.02% suggests low exploitation probability in the wild; no public exploit code or CISA KEV listing identified. Ubuntu rates this medium priority with patches released via USN-8152-1.
Out-of-bounds memory read in Linux kernel AppArmor DFA matching affects kernel versions since 4.17 due to macro side-effect bug. The match_char() macro evaluates its character parameter multiple times when called with *str++, causing the pointer to advance past buffer boundaries during differential encoding chain traversal. Ubuntu has released patches (USN-8152-1) with fixes available in kernels 6.6.130, 6.12.77, 6.18.18, 6.19.8, and 7.0-rc4. EPSS score of 0.02% (5th percentile) indicates very low exploitation probability, and no public exploit or CISA KEV listing exists. CVSS 7.8 reflects local high-privilege impact, but real-world risk is limited to authenticated local users who can trigger AppArmor path permission checks.
Linux kernel AppArmor policy namespace implementation allows arbitrary nesting and creation of policy namespaces without enforcing depth limits, enabling local attackers to exhaust system resources through unbounded namespace proliferation. The vulnerability affects AppArmor in the Linux kernel across multiple stable branches. This is a denial-of-service vulnerability requiring local access, with fixes available across stable kernel versions.
Stack exhaustion in AppArmor profile removal allows local denial of service by crafting deeply nested profiles that trigger recursive kernel stack consumption. The Linux kernel's AppArmor security module can be crashed by a local user with permission to load profiles via the apparmor_parser tool and trigger removal through sysfs, causing kernel stack overflow. The fix replaces recursive profile removal with an iterative approach to prevent stack exhaustion.
Memory leak in Linux kernel AppArmor module verify_header function causes namespace string allocation leaks during multiple profile unpacking and breaks namespace consistency checking. The vulnerable code incorrectly resets the namespace pointer to NULL on every function call, discarding previously allocated namespace strings and preventing proper namespace comparison across profile iterations. This affects Linux kernel versions with the vulnerable AppArmor implementation prior to upstream fixes applied across stable branches.
Linux kernel KVM x86/mmu module improperly validates shadow page table entries (SPTEs) in indirect MMUs, allowing host userspace writes to bypass KVM's write-tracking detection and corrupt shadow paging state. The vulnerability affects KVM implementations on x86 systems with nested or indirect MMU configurations where writes originating outside KVM's scope (e.g., from host userspace via memory access) are not detected, potentially leading to memory corruption or VM escape. No CVSS score, EPSS data, or KEV status is available; this appears to be an internal kernel consistency issue addressed via upstream patch rather than a directly exploitable security boundary.
Linux kernel KVM x86/MMU incorrectly installs emulated MMIO shadow page table entries (SPTEs) without first zapping existing shadow-present SPTEs when host userspace modifies guest page tables outside KVM's scope, causing kernel warnings and potential memory consistency issues. The vulnerability affects KVM on x86 systems running vulnerable kernel versions and can be triggered by a local attacker with ability to manipulate guest memory or run guest VMs, though the practical impact beyond kernel instability remains limited.
Deadlock in Linux kernel rust_binder driver occurs when BC_DEAD_BINDER_DONE is invoked on a non-looper thread while the proc lock is held, preventing push_work_if_looper() from safely acquiring the proc lock for work queue delivery. The vulnerability affects the Rust implementation of Android's Binder IPC mechanism and can cause kernel deadlock, potentially resulting in denial of service to affected processes or the entire system depending on thread scheduling.
Memory leak in Linux kernel nf_tables nft_dynset module allows local denial of service through failed stateful expression cloning during dynamic set operations. When the second stateful expression clone fails under GFP_ATOMIC memory allocation, the first expression is not properly released, accumulating percpu memory allocations that exhaust kernel memory. This affects all Linux kernel versions until patched, with exploitation requiring local system access to trigger the nf_tables dynamic set evaluation code path.
Incus versions prior to 6.23.0 allow local authenticated attackers to manipulate temporary screenshot files via predictable /tmp paths and symlink attacks, potentially truncating and altering permissions of arbitrary files on systems with disabled symlink protection (rare), leading to denial of service or local privilege escalation. The vulnerability requires local access and authenticated user privileges but is particularly dangerous on systems without kernel-level symlink protections enabled. An exploit proof-of-concept exists, and the vendor has released patched version 6.23.0 to address the issue.
Linux kernel ICMP tag validation routines fail to check for NULL protocol handler pointers before dereferencing them, causing kernel panics in softirq context when processing fragmentation-needed errors with unregistered protocol numbers and ip_no_pmtu_disc hardened mode enabled. The vulnerability affects multiple Linux kernel versions across stable branches (6.1, 6.6, 6.12, 6.18, 6.19, and 7.0-rc5), with an EPSS score of 0.02% (7th percentile) indicating low real-world exploitation probability. No public exploit code or active exploitation has been confirmed; the fix requires adding a NULL pointer check in icmp_tag_validation() before accessing icmp_strict_tag_validation.
Linux kernel nfnetlink_osf module fails to validate TCP option lengths in OS fingerprint definitions, allowing null pointer dereference and out-of-bounds memory reads when processing packets with malformed or missing TCP options. The vulnerability affects Linux kernel versions across multiple stable branches (6.1.x through 6.19.x and 7.0-rc5), with EPSS score of 0.02% indicating low practical exploitation probability despite the memory safety issue. No public exploit code or active exploitation has been reported.
Linux kernel mac80211 mesh networking crashes on NULL pointer dereference when processing Channel Switch Announcement (CSA) action frames lacking Mesh Configuration IE, allowing adjacent WiFi attackers to trigger kernel panic (DoS) via crafted frames. Affects multiple stable kernel versions (6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0-rc5 and earlier); EPSS exploitation probability is 0.02% (low), no public exploit identified, and upstream fixes are available across all affected release branches.
crun versions 1.19 through 1.26 misparse the `-u` (--user) option during container execution, causing a numeric UID value of 1 to be incorrectly interpreted as UID 0 (root) instead, resulting in privilege escalation where containerized processes execute with root privileges instead of the intended unprivileged user. The vulnerability affects the containers/crun OCI runtime container (cpe:2.3:a:containers:crun:*:*:*:*:*:*:*:*) and has been patched in version 1.27. No public exploit code or active exploitation has been identified, though the EPSS score of 0.01% (percentile 2%) indicates minimal real-world exploitation likelihood despite the privilege escalation tag.
Buffer overflow in Linux kernel Bluetooth L2CAP subsystem allows adjacent network attackers to achieve code execution with high integrity and confidentiality impact. The flaw occurs when the kernel incorrectly accepts multiple L2CAP_ECRED_CONN_REQ commands with the same identifier, violating Bluetooth Core Specification requirements. This causes allocation beyond the L2CAP_ECRED_MAX_CID limit (5 channels) in l2cap_ecred_rsp_defer, triggering memory corruption. Affects Linux kernel 5.7+ through multiple stable branches. Vendor patches available for 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, and 7.0-rc5. EPSS score of 0.02% suggests low likelihood of mass exploitation, no public POC or active exploitation confirmed at time of analysis.
A race condition exists in the Linux kernel's AF_UNIX socket implementation where the garbage collector (GC) can incorrectly purge receive queues of alive sockets when MSG_PEEK operations occur concurrently with socket closure. The vulnerability affects all Linux kernel versions and allows local attackers with socket access to cause information disclosure or denial of service by triggering the race condition between MSG_PEEK, socket closure, and GC execution. A proof-of-concept demonstrating the issue has been publicly reported by Igor Ushakov, and patches are available in the stable kernel tree.
A race condition exists in the Linux kernel's bridge CFM (Connectivity Fault Management) peer MEP (Maintenance End Point) deletion code where a delayed work queue can be rescheduled between the cancellation check and memory freeing, leading to use-after-free on freed memory. This affects all Linux kernel versions with the vulnerable bridge CFM implementation. An attacker with local access to trigger peer MEP deletion while CFM frame reception occurs could cause a kernel use-after-free condition potentially leading to information disclosure or denial of service.
A use-after-free vulnerability exists in the Linux kernel's netfilter nf_tables flowtable implementation during error handling in the hook registration path. When hook registration fails (due to reaching maximum hook limits or hardware offload setup failures), the flowtable is not properly synchronized with RCU grace periods before being released, allowing concurrent packet processing or control plane operations (nfnetlink_hook) to access freed memory. This vulnerability affects all Linux kernel versions with the vulnerable nf_tables code and was discovered via KASAN reports during hook dumping operations; while not currently listed in known exploited vulnerabilities (KEV) databases, the use-after-free nature presents a real risk for denial of service or information disclosure in environments utilizing netfilter flowtables.
Local privilege escalation in Linux kernel netfilter subsystem (xt_CT module) allows authenticated attackers with low privileges to achieve arbitrary code execution, information disclosure, and denial of service. The vulnerability stems from improper handling of packets enqueued in nfqueue when connection tracking templates are removed, creating use-after-free conditions on helper modules or timeout policies. Patches released across stable branches 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, and mainline 7.0-rc5. EPSS score of 0.02% (7th percentile) indicates low probability of mass exploitation despite 7.8 CVSS severity, with no KEV listing or public POC identified.
A buffer overflow vulnerability exists in the Linux kernel's dma_map_sg tracepoint that can be triggered when tracing large scatter-gather lists, particularly with devices like virtio-gpu that create large DRM buffers exceeding 1000 entries. The vulnerability affects all Linux kernel versions prior to the fix and can cause perf buffer overflow warnings and potential kernel instability when dynamic array allocations exceed PERF_MAX_TRACE_SIZE (8192 bytes). While this is a kernel-level issue requiring local access to trigger tracing functionality, it poses a denial-of-service risk and memory safety concern for systems using performance tracing on workloads with large scatter-gather operations.
A memory leak vulnerability exists in the Linux kernel's ice driver in the ice_set_ringparam() function, where dynamically allocated tx_rings and xdp_rings are not properly freed when subsequent rx_rings allocation or setup fails. This affects all Linux kernel versions with the vulnerable ice driver code path, and while memory leaks typically enable denial of service through resource exhaustion rather than direct code execution, the impact depends on exploitation frequency and system memory constraints. No active exploitation or proof-of-concept has been publicly disclosed; the vulnerability was discovered through static analysis and code review rather than in-the-wild detection.
A metadata validation vulnerability in the Linux kernel's Squashfs filesystem implementation allows out-of-bounds memory access when processing corrupted or malicious filesystem images. Specifically, a negative metadata block offset derived from a corrupted index lookup table is passed to squashfs_copy_data without bounds checking, causing a general protection fault. Any Linux system mounting an untrusted Squashfs image is affected, potentially enabling denial of service or information disclosure attacks, though no active exploitation in the wild is currently documented.
A double-put vulnerability exists in the Linux kernel's pinctrl cirrus cs42l43 driver probe function, where devm_add_action_or_reset() already invokes cleanup on failure but the code explicitly calls put again, causing a double-free condition. This affects Linux kernel versions across multiple stable branches where the cs42l43 pinctrl driver is compiled. The vulnerability could lead to kernel memory corruption and potential denial of service or information disclosure when the driver probe path encounters failure conditions.
A buffer management vulnerability exists in the Linux kernel's Google Virtual Ethernet (GVE) driver within the gve_tx_clean_pending_packets() function when operating in DQ-QPL (Descriptor Queue with Queue Pair Lists) mode. The function incorrectly interprets buffer IDs as DMA addresses and attempts to unmap memory using the wrong cleanup path, causing out-of-bounds array access and potential memory corruption. This affects Linux kernel versions across multiple stable branches and can be triggered during network device reset operations, potentially leading to kernel crashes or memory safety violations.
A memory management vulnerability in the Linux kernel's netfilter nf_tables subsystem can be triggered through fault injection during set flush operations, causing a kernel warning splat when memory allocation fails under GFP_KERNEL conditions. This vulnerability affects Linux kernel versions across distributions and is exploitable by local attackers with network namespace capabilities, potentially leading to kernel warnings and denial of service through memory exhaustion attacks. While no CVSS score or active exploitation in the wild has been reported, the vulnerability was discovered through syzbot fuzzing with fault injection, indicating it requires specific conditions to trigger but represents a real kernel stability issue that has been patched.
A kernel stack memory leak exists in the Linux kernel's RDMA/ionic driver within the ionic_create_cq() function, where uninitialized stack memory is copied to userspace via the ionic_cq_resp structure. An unprivileged local attacker with access to RDMA/ionic devices can trigger this vulnerability to leak up to 11 bytes of sensitive kernel stack data, potentially revealing kernel addresses, cryptographic material, or other sensitive information useful for further exploitation. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, and no public proof-of-concept has been disclosed; however, patches are available across multiple stable kernel branches.
This vulnerability affects the Linux kernel's ARM64 BPF JIT compiler, where insufficient alignment requirements (4 bytes instead of 8 bytes) for the JIT buffer cause the bpf_plt structure's u64 target field to be misaligned. This misalignment creates two critical issues: UBSAN generates warnings for undefined behavior, and more dangerously, concurrent updates to the target field via WRITE_ONCE() in bpf_arch_text_poke() can result in torn 64-bit reads on ARM64 systems, causing the JIT to jump to corrupted addresses. Linux kernel versions using ARM64 BPF JIT are affected, and while there is no public exploit code available, this represents a memory corruption vulnerability that could lead to privilege escalation or denial of service. Multiple stable kernel patches are available addressing this issue.
This vulnerability affects multiple Linux kernel HID (Human Interface Device) drivers that lack proper validation checks when processing raw event callbacks from unclaimed HID devices. An attacker could connect a malicious or broken HID device to trigger a NULL pointer dereference in affected drivers, causing a kernel crash and denial of service. The vulnerability was identified as a gap in security hardening following a similar fix applied to the appleir driver, and patches are available across multiple stable kernel branches.
A NULL pointer dereference vulnerability exists in the Linux kernel's bridge networking module when IPv6 is disabled via the 'ipv6.disable=1' boot parameter. When Neighbor Discovery (ND) suppression is enabled on a bridge, an ICMPv6 packet reaching the bridge causes the kernel to dereference a NULL pointer in the nd_tbl structure, resulting in a kernel panic and denial of service. This affects all Linux kernel versions with this code path, and while no CVSS score or EPSS data is currently available, the vulnerability is readily triggered through network packet receipt on systems with specific boot configurations.
A reference counting vulnerability in the Linux kernel's tracing subsystem causes a WARN_ON to trigger when a process forks and both parent and child processes exit, particularly when the application calls madvise(MADV_DOFORK) to enable VMA copy-on-fork behavior. The vulnerability affects all Linux kernel versions with the vulnerable tracing_buffers_mmap code and allows local attackers to cause a kernel warning that may lead to denial of service or information disclosure through the kernel warning itself. While not currently listed in KEV or known to be actively exploited, the vulnerability has been patched in stable kernel branches as indicated by four separate commit references.
A divide-by-zero vulnerability exists in the Linux kernel's ETS (Enhanced Transmission Selection) qdisc offload implementation that can crash the kernel when processing malformed traffic scheduling configurations. The vulnerability affects all Linux kernel versions with the ETS scheduler module enabled, and a local privileged user (or attacker with CAP_NET_ADMIN capability) can trigger a kernel panic by crafting specific netlink messages via the tc (traffic control) utility. While no public exploit code has been confirmed in the wild, the condition is easily reproducible and results in immediate kernel crash, making this a high-priority local denial-of-service vector.
A buffer overflow vulnerability exists in the Linux kernel's IFE (Intermediate Functional Element) traffic control action module where metadata list replacement incorrectly appends new metadata instead of replacing old entries, causing unbounded metadata accumulation. This affects all Linux kernel versions with the vulnerable IFE scheduling code (cpe:2.3:a:linux:linux). An attacker with the ability to modify traffic control rules can trigger an out-of-bounds write via the ife_tlv_meta_encode function, potentially achieving kernel memory corruption and denial of service. The vulnerability is not listed as actively exploited in public KEV databases, but patches are available across multiple stable kernel branches.
A memory buffer management vulnerability exists in the Linux kernel's ice network driver XDP (eXpress Data Path) implementation, specifically in how it calculates fragment buffer sizes for receive queues. The vulnerability affects Linux kernel versions with the vulnerable ice driver code path and can be triggered through XDP operations that attempt to grow multi-buffer packet tails, potentially causing kernel panics or denial of service. An attacker with the ability to load and execute XDP programs can exploit this by crafting specific packet sizes and offset values to trigger the panic condition, as demonstrated by the XSK_UMEM__MAX_FRAME_SIZE test case, though real-world exploitation requires local access to load XDP programs.
A resource management vulnerability exists in the Linux kernel's nvmet-fcloop NVMe-FC loopback driver where the lsrsp (LS response) callback is invoked without proper validation of the remote port state, potentially leading to use-after-free or double-free conditions. This affects Linux kernel implementations using nvmet-fcloop for NVMe-FC transport emulation across all versions prior to the patch commits (f30b95159a53e72529a9ca1667f11cd1970240a7, 31d3817bcd9e192b30abe3cf4b68f69d48864dd2, dd677d0598387ea623820ab2bd0e029c377445a3). An attacker with local kernel-level access or ability to trigger abnormal nvmet-fcloop state transitions could potentially cause information disclosure or denial of service through memory corruption.
A vulnerability in the Linux kernel's Transparent Huge Pages (THP) subsystem incorrectly enables THP for files on anonymous inodes (such as guest_memfd and secretmem), which were not designed to support large folios. This can trigger kernel crashes via memory copy operations on unmapped memory in secretmem, or WARN_ON conditions in guest_memfd fault handlers. The vulnerability affects Linux kernel versions across multiple stable branches and requires a kernel patch to remediate; while not known to be actively exploited in the wild, the condition can be triggered locally by unprivileged users through madvise() syscalls.
This vulnerability is a preemption context violation in the Linux kernel's block I/O tracing subsystem where tracing_record_cmdline() unsafely uses __this_cpu_read() and __this_cpu_write() operations from preemptible context. The Linux kernel in versions supporting blktrace (affected via CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) is vulnerable, allowing potential information disclosure or denial of service when block tracing is enabled and block I/O operations occur from user-space processes. This is not actively exploited in the wild (no KEV status), but the vulnerability has functional proof of concept through blktests/blktrace/002, making it a moderate priority for kernel maintainers and distributions shipping PREEMPT(full) configurations.
The Linux kernel's Realtek WiFi driver (rsi) incorrectly defaults to returning -EOPNOTSUPP error code in the rsi_mac80211_config function, which triggers a WARN_ON condition in ieee80211_hw_conf_init and deviates from expected driver behavior. This affects Linux kernel versions across multiple stable branches where the rsi WiFi driver is compiled and loaded. While not actively exploited in the wild, the issue causes kernel warnings and improper driver initialization that could degrade WiFi functionality or stability on affected systems.
Local privilege escalation and denial of service in Linux kernel NFC rawsock implementation (versions 3.1 through 6.19.6, patched in 6.1.167, 6.6.130, 6.12.77, 6.18.17, 6.19.7, 7.0-rc3) allows authenticated local users to trigger use-after-free conditions via race between socket teardown and asynchronous NFC data transmission. CVSS 7.8 HIGH with local attack vector requiring low privileges. EPSS score 0.02% (6th percentile) indicates minimal real-world exploitation probability. Vendor patches available across all stable kernel branches since early 2026.
A Linux kernel scheduler vulnerability in SCHED_DEADLINE task handling causes bandwidth accounting corruption when a deadline task holding a priority-inheritance mutex is changed to a lower priority class via sched_setscheduler(). The vulnerability affects Linux kernel implementations (all versions with SCHED_DEADLINE support) and can be triggered by local unprivileged users running specific workloads like stress-ng, potentially leading to kernel warnings, task accounting underflow, and denial of service. No active exploitation in the wild is currently documented, but the vulnerability is fixed in stable kernel branches as evidenced by the provided commit references.
A credential disclosure vulnerability exists in the Linux kernel's Dell WMI System Management (dell-wmi-sysman) module where the set_new_password() function performs hex dumps of memory buffers containing plaintext password data, including both current and new passwords. This affects all Linux kernel versions with the vulnerable dell-wmi-sysman driver, allowing local attackers with access to kernel logs or debug output to extract sensitive authentication credentials. While no CVSS score, EPSS probability, or active KEV status is currently assigned, the patch availability across six stable kernel branches indicates the vulnerability has been formally addressed by the Linux kernel maintainers.
A race condition in the Linux kernel's i801 I2C driver causes a kernel NULL pointer dereference and panic during boot when multiple udev threads concurrently access the ACPI I/O handler region. The vulnerability affects Linux kernel versions running the i2c_i801 driver on systems with Intel i801 chipsets. An attacker with local access or the ability to trigger concurrent device enumeration during boot can crash the system, resulting in denial of service.
This vulnerability is an AB-BA deadlock in the Linux kernel's PHY (Physical Layer) LED trigger subsystem that occurs when both LEDS_TRIGGER_NETDEV and LED_TRIGGER_PHY are enabled simultaneously. The deadlock arises because PHY LED triggers are registered during the phy_attach phase while holding the RTNL lock, then attempting to acquire the triggers_list_lock, while the netdev LED trigger code does the reverse—holding triggers_list_lock and attempting to acquire RTNL. This deadlock affects all Linux kernel versions with the affected PHY and LED trigger subsystems enabled (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), and while not directly exploitable for privilege escalation, it can be triggered to cause a system hang or denial of service by users with network configuration privileges or via userspace LED sysfs writes.
A use-of-uninitialized-variable vulnerability exists in the Linux kernel's radiotap parser that can lead to information disclosure when processing radiotap frames with undefined fields. The vulnerability affects all Linux kernel versions using the radiotap namespace parser (cpe:2.3:a:linux:linux) and occurs when undefined radiotap field 18 is present, causing the iterator->_next_ns_data variable to be compared against an uninitialized value. While no CVSS score or EPSS data is currently available and there is no indication of active exploitation, the vulnerability has been patched across multiple kernel branches as evidenced by six distinct commit fixes.
A NULL pointer dereference vulnerability exists in the Linux kernel's DRM client subsystem within the drm_client_modeset_probe function. When memory allocation for the 'modes' variable fails via kcalloc, the error handling path incorrectly attempts to destroy a NULL pointer, leading to a kernel panic or denial of service. This affects all Linux kernel versions containing this vulnerable code path in the DRM display driver subsystem.
The Linux kernel kalmia USB driver fails to validate that connected USB devices have the required endpoints before binding to them, allowing a malicious or malformed USB device to trigger a kernel crash during endpoint access. This denial-of-service vulnerability affects all Linux kernel versions running the kalmia driver (net/usb/kalmia.c) and requires physical USB device connection or local control of USB device enumeration. While no CVSS score or EPSS probability is formally assigned, the vulnerability has been patched across multiple stable kernel branches, indicating recognition of the issue's severity.
The Linux kernel's ksmbd (SMB server implementation) component uses the non-constant-time memcmp() function to compare Message Authentication Codes (MACs) instead of the cryptographically-secure crypto_memneq() function, enabling timing-based attacks to leak authentication credentials. All Linux kernel versions with ksmbd are affected, allowing attackers to potentially forge authentication by measuring response time differences during MAC validation. While no public exploit code is confirmed, multiple stable kernel branches have received patches addressing this vulnerability, indicating kernel maintainers treated this as a legitimate information disclosure risk.
An out-of-bounds (OOB) memory access vulnerability exists in the Linux kernel's MediaTek MT7925 WiFi driver in the mt7925_mac_write_txwi_80211() function, which fails to validate frame length before accessing management frame fields. This vulnerability affects systems running Linux kernel versions with the vulnerable MT7925 driver code and could allow an attacker with local access or the ability to craft malicious wireless frames to read or write out-of-bounds memory, potentially leading to information disclosure or denial of service. While no CVSS score, EPSS data, or active exploitation reports are currently documented, the vulnerability has been patched across multiple stable Linux kernel branches as indicated by four distinct commit references.
A locking initialization vulnerability exists in the Linux kernel's CAN BCM (Broadcast Manager) socket implementation where the bcm_tx_lock spinlock is not properly initialized in the RX setup path, creating a race condition when RX_RTR_FRAME flag processing attempts to transmit frames. This affects all Linux kernel versions with the vulnerable CAN BCM code, and while no public exploit is known, the vulnerability could lead to kernel memory corruption or denial of service if the uninitialized lock is accessed during concurrent RTR frame handling.
This vulnerability is a race condition in the Linux kernel's PCI Designware endpoint driver where MSI-X interrupt writes to the host can complete after the corresponding Address Translation Unit (ATU) entry is unmapped, potentially corrupting host memory or triggering IOMMU errors. The vulnerability affects all Linux kernel versions with the vulnerable code path in the PCI DWC endpoint implementation (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), specifically impacting systems using PCI endpoint devices with MSI-X interrupt support such as NVMe-PCI endpoint function drivers. An attacker with the ability to trigger high-frequency MSI-X interrupts from a malicious endpoint device could exploit this race condition to cause denial of service through IOMMU faults or potentially corrupt host memory.
This vulnerability is a resource leak in the Linux kernel's NVMe driver where the admin queue is not properly released during controller reset operations. Systems running affected Linux kernel versions are vulnerable to denial of service through memory exhaustion when NVMe controllers reset repeatedly. While no active exploitation in the wild has been reported and CVSS/EPSS scores are not yet published, the issue affects all Linux distributions and is resolved through kernel patching with fixes available across multiple stable branches.
A stack-out-of-bounds write vulnerability exists in the Linux kernel's BPF devmap implementation where the get_upper_ifindexes() function iterates over upper network devices without properly validating buffer bounds. An attacker with the ability to create multiple virtual network devices (e.g., more than 8 macvlans) and trigger XDP packet processing with BPF_F_BROADCAST and BPF_F_EXCLUDE_INGRESS flags can write beyond allocated stack memory, potentially causing denial of service or arbitrary code execution. The vulnerability affects all Linux kernel versions using the vulnerable devmap code path and has been patched across multiple stable kernel branches, indicating recognition as a real security concern requiring immediate updates.
A use-of-uninitialized-variable vulnerability exists in the Linux kernel's AMD GPU (drm/amdgpu) driver, specifically in the slot reset error handling path. When device recovery fails after a slot reset is called, the code branches to error handling logic that references an uninitialized hive pointer and accesses an uninitialized list, potentially leading to information disclosure or system instability. This affects Linux kernel versions across multiple stable branches, with patches available in the referenced commits.
A deadlock vulnerability exists in the Linux kernel's mcp251x CAN bus driver where the mcp251x_open() function calls free_irq() while holding the mpc_lock mutex during error handling, causing the function to deadlock if an interrupt occurs simultaneously. This affects all Linux kernel versions with the vulnerable mcp251x driver code, and while not actively exploited in the wild (no KEV status indicates no in-the-wild exploitation), it represents a local denial of service condition where a user with appropriate device access can trigger driver initialization failures that hang the system.
A logic error in the Linux kernel's DRBD (Distributed Replicated Block Device) subsystem causes drbd_al_begin_io_nonblock() to fail silently when activity log extent acquisition fails due to spinlock contention, leading to loss of mutual exclusivity guarantees between resync and application I/O operations. This vulnerability affects all Linux kernel versions with the affected DRBD code and can result in kernel crashes via BUG_ON() assertions when activity log references are incorrectly released, as well as potential data consistency issues during active resync operations when concurrent application I/O proceeds without proper exclusivity enforcement.
This vulnerability is a race condition in the Linux kernel's libata subsystem where pending work is not properly canceled after clearing a deferred queue command (deferred_qc), leading to a WARN_ON() condition when the stale work eventually executes. The vulnerability affects all Linux kernel versions with the vulnerable libata code path, impacting systems using ATA/SATA disk controllers. An attacker with local access could trigger this condition through specific command sequences involving NCQ and non-NCQ commands, causing kernel warnings and potential system instability, though direct privilege escalation is not demonstrated.
This vulnerability is a speculative execution safety flaw in the Linux kernel's x86 FRED (Flexible Return and Event Delivery) interrupt handling code where array_index_nospec() is incorrectly positioned, allowing speculative memory predictions to leak sensitive information through side-channel attacks. The vulnerability affects all Linux kernel versions with FRED support (primarily x86-64 systems with newer Intel/AMD processors). An attacker with local access could potentially infer sensitive kernel memory values through timing or covert channel attacks exploiting the unsafe speculation window.
A null pointer dereference vulnerability exists in the Linux kernel's ice network driver that crashes the system during ethtool offline loopback tests. The vulnerability affects Linux kernel versions running the ice driver (Intel Ethernet Controller driver), and an attacker with local access and CAP_NET_ADMIN privileges can trigger a kernel panic (denial of service) by executing ethtool loopback self-tests. No active exploitation or public POC has been reported; patches are available in stable kernel releases.
A memory management vulnerability in the Linux kernel's EFI boot services implementation causes a leak of approximately 140MB of RAM on systems with CONFIG_DEFERRED_STRUCT_PAGE_INIT enabled, particularly affecting resource-constrained EC2 instances with 512MB total RAM. The vulnerability occurs when efi_free_boot_services() attempts to free EFI boot services memory before the kernel's deferred memory map initialization is complete, resulting in freed pages being skipped and never returned to the memory pool. This is a kernel-level memory exhaustion issue affecting all Linux distributions, though impact is most severe on systems with minimal RAM; no active exploitation or proof-of-concept has been identified as this is a resource leak rather than a code execution vector.
Use-after-free in Linux kernel's netfilter nft_set_pipapo enables local privilege escalation to kernel-level access (confidentiality/integrity/availability compromise). Affects Linux kernel 5.6+ through multiple stable branches (6.1.x, 6.6.x, 6.12.x, 6.18.x, 6.19.x). Vendor patches available across all affected kernel series. EPSS score of 0.03% (9th percentile) indicates low automated exploitation likelihood, consistent with local-access requirement and lack of public exploit code at time of analysis.
A resource management vulnerability exists in the Linux kernel's DRM/XE (Intel Graphics Execution Manager) queue initialization code where the finalization function is not called when execution queue creation fails, leaving the queue registered in the GuC (GPU Unified Compute) list and potentially causing invalid memory references. This affects all Linux kernel versions containing the vulnerable DRM/XE driver code. The vulnerability could lead to memory corruption or system instability when an exec queue creation failure occurs, though exploitation would require local kernel code execution capability or ability to trigger queue creation failures.
A NULL pointer dereference vulnerability exists in the Linux kernel's HID pidff (PID force feedback) driver due to incomplete clearing of conditional effect bits from the ffbit field. This affects all Linux kernel versions using the vulnerable pidff driver code. An attacker with local access to a system with a connected force feedback HID device could trigger a kernel panic, causing a denial of service. No CVSS score, EPSS score, or active KEV status is currently available, but three stable kernel commits addressing this issue have been merged, indicating the vulnerability has been formally patched.
A race condition exists in the Linux kernel's CXL (Compute Express Link) subsystem where the nvdimm_bus object can be invalidated while orphaned nvdimm objects attempt to reprobe, leading to a NULL pointer dereference in kobject_get() during device registration. This affects Linux kernels with CXL support enabled, allowing a local attacker or system administrator to trigger a kernel panic (denial of service) through module unload/reload sequences or specific timing during CXL ACPI probe operations. No active exploitation in the wild has been reported, but the vulnerability is easily reproducible via the cxl-translate.sh unit test with minimal timing manipulation.
A use-after-free vulnerability exists in the Linux kernel's CAN USB f81604 driver where URBs submitted in the read bulk callback are not properly anchored before submission, potentially allowing them to be leaked if usb_kill_anchored_urbs() is invoked. This affects all Linux kernel versions with the vulnerable f81604 driver code. An attacker with local access or control over a malicious USB CAN adapter could potentially trigger memory corruption or information disclosure by causing URB leaks during driver cleanup or device disconnection.
A memory access protection bypass vulnerability exists in the Linux kernel's ARM64 ioremap_prot() function where user-space page protection attributes are improperly propagated to kernel-space I/O remapping, bypassing Privileged Access Never (PAN) protections and enabling information disclosure. This affects all Linux kernel versions on ARM64 systems with PAN enabled. An attacker with local access can trigger memory access faults and potentially read sensitive kernel memory through operations like accessing /proc/[pid]/environ on vulnerable systems.
A memory protection vulnerability exists in the Linux kernel's ARM64 Guarded Control Stack (GCS) implementation when FEAT_LPA2 (52-bit virtual addressing) is enabled. The vulnerability occurs because GCS page table entries incorrectly use the PTE_SHARED bits (0b11) in positions that are repurposed for high-order address bits when LPA2 is active, causing page table corruption and kernel panics during GCS memory operations. This affects all Linux kernel versions with GCS support on ARM64 systems with LPA2 enabled, and while no active exploitation or public POC has been reported, the vulnerability causes immediate kernel crashes when GCS is enabled on affected hardware configurations.
A use-after-free vulnerability exists in the Linux kernel's crypto subsystem (CCP driver) within the sev_tsm_init_locked() function error path, where a pr_err() statement dereferences freed memory to access structure fields t->tio_en and t->tio_init_done after kfree(t) has been executed. This vulnerability can lead to information disclosure by reading freed memory contents. The issue affects Linux kernel versions across distributions using the affected CCP crypto driver code and was identified by the Smatch static analyzer.
A memory corruption vulnerability exists in the Linux kernel's XDP (eXpress Data Path) subsystem where negative tailroom calculations are incorrectly reported as large unsigned integers, allowing buffer overflows during tail growth operations. This affects Linux kernel versions across multiple stable branches when certain Ethernet drivers (notably ixgbevf) report incorrect DMA write sizes, leading to heap corruption, segmentation faults, and general protection faults as demonstrated in the xskxceiver test utility. The vulnerability has no CVSS score assigned and shows no active KEV exploitation status, but represents a critical memory safety issue affecting systems using XDP with affected Ethernet drivers.
A race condition exists in the Linux kernel's eBPF CPU map implementation on PREEMPT_RT systems, where concurrent access to per-CPU packet queues can cause memory corruption and kernel crashes. This vulnerability affects Linux kernel versions across multiple branches and can be triggered by tasks running on the same CPU, potentially allowing local denial of service or information disclosure. A proof-of-concept has been made available via syzkaller, and patches have been released through the official Linux kernel stable repositories.
A null pointer dereference vulnerability exists in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) that can cause a kernel crash when userspace attempts to destroy a hardware context that has been automatically suspended. The vulnerability affects all Linux kernel versions with the vulnerable amdxdna driver code path; an unprivileged local user with access to the driver's ioctl interface can trigger a denial of service by issuing a destroy context command on a suspended context, causing the kernel to crash when accessing a NULL mailbox channel pointer. No CVSS score, EPSS data, or KEV status is currently available, but the vulnerability is classified as a denial of service with straightforward triggering conditions.
Use-after-free in Linux kernel network traffic control subsystem allows local authenticated attackers to execute arbitrary code with high privileges when changing network queue pair configurations on lockless qdiscs (virtio-net confirmed affected). Race condition between qdisc_reset_all_tx_gt() and dequeue operations causes memory to be freed while still in use. Vendor-released patches available for stable kernel branches 6.1.167, 6.6.130, 6.12.77, 6.18.17, 6.19.7, and mainline 7.0-rc3. EPSS exploitation probability is low (0.02%, 7th percentile) and no active exploitation confirmed at time of analysis, though a reliable reproducer exists using iperf3 and ethtool queue manipulation.
A memory leak vulnerability exists in the Linux kernel's NFC NCI subsystem where the nci_transceive() function fails to free socket buffer (skb) objects on three early error paths (-EPROTO, -EINVAL, -EBUSY), causing kernel memory exhaustion over time. The vulnerability affects all Linux kernel versions with the vulnerable code in the NFC NCI driver, impacting any system with NFC capabilities that processes malformed or resource-constrained NCI transactions. While not directly exploitable for code execution, attackers can trigger memory exhaustion leading to denial of service by sending specially crafted NFC messages that trigger the error paths, and the vulnerability has been confirmed in kernel self-tests via kmemleak detection.
This vulnerability allows userspace applications to trivially trigger kernel warning backtraces in the AMD GPU (amdgpu) driver's user queue (userq) implementation by passing intentionally small num_fences values or exploiting legitimate growth between successive ioctl calls. While not a traditional security vulnerability enabling code execution or data theft, it constitutes an information disclosure issue through kernel log pollution and denial-of-service potential via warning spam. The Linux kernel across all versions utilizing the affected amdgpu userq code path is impacted, though the actual attack surface is limited to systems with AMD GPUs and unprivileged users with access to the amdgpu device interface.
A memory leak vulnerability exists in the Linux kernel's pinctrl subsystem within the pinconf_generic_parse_dt_config() function. When the parse_dt_cfg() function fails, the code returns directly without executing cleanup logic, causing the cfg buffer to be leaked. This affects all Linux kernel versions containing the vulnerable pinctrl-generic code, and while the vulnerability itself does not enable direct code execution, it can lead to denial of service through memory exhaustion over time as the kernel gradually loses available memory.
Use-after-free in Linux kernel cfg80211 WiFi subsystem allows local authenticated users with low privileges to achieve high impact on confidentiality, integrity, and availability through rfkill work-queue exploitation. The vulnerability affects Linux kernel versions 2.6.31 through 6.19-rc2, with patches released for stable branches 6.1.167, 6.6.130, 6.12.77, 6.18.17, 6.19.7, and 7.0-rc2. EPSS score of 0.02% (7th percentile) indicates very low probability of mass exploitation. No CISA KEV listing or public exploit identified at time of analysis, though the issue was discovered via syzkaller fuzzing, demonstrating automated exploit development potential.
A kernel stack memory leak exists in the Linux kernel's RDMA/irdma driver within the irdma_create_user_ah() function, where 4 bytes of uninitialized kernel stack memory are leaked to user space through the rsvd (reserved) field of the irdma_create_ah_resp structure. This information disclosure vulnerability affects all Linux kernel versions with the vulnerable irdma driver code, allowing any unprivileged user with access to RDMA operations to read sensitive kernel stack data. While no CVSS score or EPSS metric is currently available, the vulnerability is classified as Information Disclosure and has been patched across multiple stable kernel branches, indicating upstream recognition and remediation.