Linux
Monthly
A buffer handling vulnerability exists in the Linux kernel's CAN USB f81604 driver where improperly sized interrupt URB (USB Request Block) messages are not validated before processing, potentially leading to information disclosure or memory corruption. All Linux kernel versions with the affected CAN f81604 USB driver are impacted. An attacker with physical access to a malicious USB device or local system access could trigger abnormal URB message handling to leak kernel memory or cause denial of service. This vulnerability is not currently listed as actively exploited in known vulnerability databases, and no public proof-of-concept has been widely circulated, though patches are available across multiple kernel stable branches.
A validation bypass vulnerability exists in the Linux kernel's netfilter nft_set_rbtree module that fails to properly validate overlapping open intervals in packet filtering rule sets. This affects all Linux distributions running vulnerable kernel versions, allowing local or remote attackers with network configuration privileges to bypass firewall rules through malformed interval specifications. The vulnerability is classified as an information disclosure issue and has been patched upstream, though no active exploitation in the wild has been documented.
A NULL pointer dereference vulnerability exists in the Linux kernel's intel_pstate CPU frequency scaling driver that crashes the system when turbo boost is disabled on systems with CPU count limitations. This affects Linux kernel versions across multiple releases where the system is booted with 'nosmt' or 'maxcpus' kernel parameters and a user or administrator attempts to disable turbo via sysfs. An unprivileged local attacker with write access to /sys/devices/system/cpu/intel_pstate/no_turbo can trigger a kernel panic, resulting in denial of service. The vulnerability has been patched and fixes are available across multiple stable kernel branches.
A resource management vulnerability in the Linux kernel UDP implementation causes improper handling of socket state during disconnect operations. When a UDP socket is bound to a wildcard address, connected to a remote peer, and then disconnected, the kernel fails to properly remove the socket from the 4-tuple hash table, leaving stale entries that can lead to information disclosure or denial of service conditions. All Linux kernel versions using the affected UDP code path are impacted, with patches available through the Linux kernel stable tree.
A memory leak vulnerability exists in the Linux kernel's NFC (Near Field Communication) NCI subsystem where pending data exchange operations are not properly completed when a device is closed, causing socket references to be held indefinitely. This affects all Linux kernel versions with the vulnerable NFC NCI code path. An attacker with local access to NFC functionality could trigger repeated device close operations to exhaust memory resources, leading to denial of service. While no CVSS score or EPSS data is currently available, the issue is being actively addressed through kernel patches as evidenced by multiple commit references.
A null pointer dereference vulnerability exists in the Linux kernel's libie firmware logging module where the libie_fwlog_deinit() function attempts to unroll firmware logging structures even when logging was never properly initialized, causing kernel panics during driver unload. This affects the ixgbe driver and potentially other devices using the libie_fwlog module across multiple Linux kernel versions. An unprivileged local attacker with module unload capabilities can trigger a denial of service by unloading the affected driver, as demonstrated through rmmod operations in recovery mode.
A NULL pointer dereference vulnerability exists in the Linux kernel's AMD XDena accelerator driver (accel/amdxdna) where the mgmt_chann variable may be set to NULL if firmware returns an unexpected error during management message transmission, subsequently causing a kernel crash when aie2_hw_stop() attempts to access it. This affects Linux kernel versions across the amdxdna subsystem and can be exploited by local attackers with physical access or through malicious firmware to trigger a denial of service condition. Two stable kernel patches are available that introduce proper NULL checks and a dedicated helper function to safely destroy mgmt_chann.
A buffer over-read vulnerability exists in the Linux kernel's CXL mailbox command handler where the cxl_payload_from_user_allowed() function casts and dereferences user-supplied payload data without first validating its size. An unprivileged local attacker can send a raw mailbox command with an undersized payload (e.g., 1 byte instead of the expected 16 bytes for CXL_MBOX_OP_CLEAR_LOG) to trigger a kernel memory read past the allocated buffer, causing a KASAN splat and potential denial of service. While not yet listed in the KEV catalog or with public EPSS/CVSS scoring, patch commits are available in the Linux stable kernel repositories, indicating the vulnerability has been resolved upstream.
This vulnerability is a memory leak in the Linux kernel's AF_XDP socket implementation where buffers fail to be properly returned to the free list due to improper list node reinitialization. The vulnerability affects all Linux kernel versions with the AF_XDP subsystem enabled, potentially allowing local attackers or unprivileged users to exhaust kernel memory over time. While not actively exploited in the wild according to available intelligence, the vulnerability has clear patches available in stable kernel branches and represents a real denial-of-service risk for systems relying on XDP functionality.
An out-of-bounds (OOB) memory access vulnerability exists in the Linux kernel's MediaTek MT7996 WiFi driver (mt76) within the mt7996_mac_write_txwi_80211() function. The vulnerability occurs when the function accesses management frame fields without first validating the frame length, potentially allowing information disclosure or denial of service on systems using affected MT7996 hardware. Multiple stable kernel patches are available across several kernel versions, indicating the issue has been actively remediated in the upstream Linux project.
A resource leak vulnerability exists in the Linux kernel's ETAS ES58X USB CAN driver where URBs (USB Request Blocks) submitted in the read bulk callback are not properly anchored before submission, potentially causing memory leaks when usb_kill_anchored_urbs() is invoked. This affects all Linux kernel versions running the etas_es58x driver. An attacker with local access to trigger device disconnection or system shutdown could cause kernel memory exhaustion through repeated URB leaks, leading to denial of service or information disclosure of kernel memory contents.
The Apple Silicon SMC hwmon driver (macsmc-hwmon) in the Linux kernel contains critical memory safety bugs in sensor population and float conversion logic. Specifically, voltage sensors are incorrectly registered to the temperature sensor array, and float-to-32-bit conversion has flawed exponent handling, potentially leading to out-of-bounds memory access, data corruption, or incorrect fan control on affected Apple Silicon systems. The vulnerability affects Linux kernel versions with the macsmc-hwmon driver and has been patched; no active exploitation or POC is currently known, but the nature of the bugs suggests high real-world risk for systems relying on thermal management.
A use-after-free and list corruption vulnerability exists in the Linux kernel's IPMI (Intelligent Platform Management Interface) subsystem when the SMI sender returns an error. The vulnerability affects all Linux kernel versions with the vulnerable IPMI code path, allowing local attackers or processes with IPMI access to trigger denial of service conditions through list corruption and NULL pointer dereferences. The vulnerability is not currently listed in CISA's KEV catalog, and no CVSS or EPSS scores have been published; however, the technical nature indicates high reliability for exploitation by local actors with kernel interface access.
A logic error in the Linux kernel's MPTCP (MultiPath TCP) path management subsystem fails to properly track endpoint usage state when an endpoint is configured with both 'signal' and 'subflow' flags and subsequently removed. This causes a kernel warning and potential state inconsistency in the MPTCP connection management code. The vulnerability affects Linux kernel versions and is triggered through netlink socket manipulation by unprivileged users, potentially leading to denial of service or unexpected kernel behavior.
A lifecycle management vulnerability in the Linux kernel's USB NCM (Network Control Model) gadget function causes the network device to outlive its parent gadget device, resulting in NULL pointer dereferences and dangling sysfs symlinks when the USB gadget is disconnected. This affects all Linux kernel versions with the vulnerable USB gadget NCM implementation, and an attacker with local access to trigger USB gadget bind/unbind cycles can cause a kernel panic (denial of service). No CVSS vector, EPSS score, or active KEV status is available, but patches are confirmed available in the Linux stable tree.
A use-after-free (UAF) vulnerability exists in the Linux kernel's BPF subsystem within the bpf_trampoline_link_cgroup_shim function, where a race condition allows a process to reference memory after it has been freed. An attacker with CAP_BPF or CAP_PERFMON capabilities can trigger this vulnerability to cause a kernel crash (denial of service). A proof-of-concept has been demonstrated by the reporter, showing the bug can be reliably reproduced; the vulnerability is not listed on the CISA KEV catalog but affects all Linux kernel versions until patched.
A descriptor validation bypass in the Linux kernel's ALSA USB audio subsystem allows malicious USB devices to provide truncated UAC3 (USB Audio Class 3) header descriptors that escape validation checks, potentially causing out-of-bounds memory reads. The vulnerability stems from an incorrect protocol version constant (UAC_VERSION_2 instead of UAC_VERSION_3) in the validator table, causing validation logic to never execute for actual UAC3 devices. Affected are all Linux kernel versions containing the vulnerable code path; while CVSS and EPSS scores are not provided, this is a local privilege escalation / denial of service vector requiring physical USB device access or local code execution capability to exploit.
A logic error in the Linux kernel's drm/vmwgfx driver causes the vmw_translate_ptr functions to return success when pointer lookups actually fail, because the error handling was not updated when the underlying lookup function's return mechanism changed from returning a pointer to returning an error code with pointer as an out parameter. This allows uninitialized pointer dereferences and out-of-bounds memory access when the functions incorrectly report success, potentially enabling information disclosure or privilege escalation via the VMware graphics driver.
A memory alignment fault vulnerability exists in the Linux kernel's IPv4 multipath routing hash seed implementation that causes kernel panics on ARM64 systems when compiled with Clang and Link Time Optimization (LTO) enabled. The vulnerability affects all Linux kernel versions with the vulnerable code path in net/ipv4/route.c, specifically impacting ARM64 architectures where strict alignment requirements for Load-Acquire instructions are enforced. An attacker with local access or ability to trigger multipath hash operations could cause a denial of service by crashing the kernel, though no active exploitation has been reported in the wild.
An out-of-bounds (OOB) memory access vulnerability exists in the Linux kernel's mt76 WiFi driver, specifically in the mt76_connac2_mac_write_txwi_80211() function which fails to validate frame length before accessing management frame fields. This affects all Linux kernel versions containing the vulnerable mt76 driver code and could allow an attacker to read sensitive kernel memory or trigger a denial of service through a specially crafted WiFi management frame. The vulnerability has been patched across multiple stable kernel branches with fixes available since the issue was identified.
A device node reference leak exists in the Linux kernel's bq257xx regulator driver within the bq257xx_reg_dt_parse_gpio() function. When the function fails to retrieve a subchild device node, it returns prematurely without properly releasing the reference via of_node_put(child), causing a memory leak. This affects all Linux kernel versions containing this vulnerable code path in the bq257xx regulator driver, and while not directly exploitable for code execution, the memory leak can be triggered repeatedly to degrade system stability and availability.
A preempt count leak exists in the Linux kernel's i40e network driver within the napi poll tracepoint implementation, where get_cpu() is called without a corresponding put_cpu() to restore the preempt count. This affects all Linux kernel versions containing the vulnerable i40e driver code and can cause kernel accounting errors and potential system instability when the tracepoint is enabled. The vulnerability has no known active exploitation or public proof-of-concept code, and while not formally scored with CVSS, it represents a moderate kernel reliability issue that has persisted undetected for over three years.
The Linux kernel's kaweth USB driver fails to validate that probed USB devices have the expected number and types of endpoints before binding to them, allowing a malicious or malformed USB device to cause a kernel crash when the driver blindly accesses non-existent endpoints. This denial-of-service vulnerability affects Linux kernel versions across multiple stable branches and can be triggered by any user with the ability to connect a crafted USB device to a system running the vulnerable kernel. While CVSS and EPSS scores are not available, the vulnerability represents a straightforward crash vector with no reported active exploitation but patches are available across multiple kernel versions.
A lockdep-detected invalid wait context vulnerability exists in the Linux kernel's performance event scheduling subsystem, specifically in the ctx_sched_in() function when handling pinned events. The vulnerability affects all Linux kernel versions (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) and arises when the kernel attempts to acquire a wait-queue lock while already holding a perf-context lock, violating lock ordering rules and potentially causing system hangs or crashes. This is a kernel-level synchronization bug that can be triggered by unprivileged users with access to perf event tracing capabilities, though active exploitation in the wild has not been documented.
A logic error in the Linux kernel's bonding driver allows an unprivileged user to change the xmit_hash_policy parameter to an incompatible value (vlan+srcmac) while an XDP program is loaded, creating an inconsistent state where the kernel cannot safely unload the XDP program during device shutdown. This triggers a kernel warning and potential instability when the bond interface is destroyed. The vulnerability affects Linux kernel versions across multiple stable branches and requires local access to trigger.
A NULL pointer dereference vulnerability exists in the Linux kernel's event tracing subsystem, specifically in the trigger_data_free() function which fails to validate NULL pointers before dereferencing the data->cmd_ops field. This affects all Linux kernel versions where the vulnerable tracing code is present, and can be exploited by local attackers with appropriate privileges to cause a denial of service through kernel panic. The vulnerability was discovered through automated code review rather than active exploitation in the wild, and patches have been committed to stable kernel branches.
A warning trace vulnerability exists in the Linux kernel's pinctrl equilibrium driver where the eqbr_irq_mask_ack() callback function incorrectly calls both eqbr_irq_mask() and eqbr_irq_ack(), causing gpiochip_disable_irq() to be invoked twice and generating spurious kernel warnings on every GPIO during driver load. All Linux kernel versions with the affected equilibrium pinctrl driver are impacted, though this is primarily a kernel stability and logging issue rather than a security vulnerability. The issue has been resolved in multiple stable kernel branches as evidenced by the five stable commit hashes referenced, indicating patches are available.
A buffer overflow vulnerability exists in the Linux kernel's EMS USB CAN driver (ems_usb) in the ems_usb_read_bulk_callback() function, where the driver fails to properly validate USB message lengths before parsing and copying data. An attacker with the ability to supply a malicious USB device or intercept USB communications could trigger a buffer overflow by providing specially crafted messages that exceed the expected message boundaries, potentially leading to kernel memory corruption, denial of service, or privilege escalation. No CVSS score, EPSS risk rating, or active exploitation data (KEV status) is currently available, though multiple stable kernel branches have received patches indicating vendor awareness of the issue's severity.
A use-after-free vulnerability exists in the Linux kernel's pm8001 SCSI driver where the pm8001_queue_command() function incorrectly returns -ENODEV after already freeing a SAS task, causing the upper-layer libsas driver to attempt a second free operation. This affects all Linux kernel versions with the vulnerable pm8001 driver code, and while not remotely exploitable by default, it can lead to kernel memory corruption and denial of service on systems using PM8001-compatible SCSI controllers. No CVSS score, EPSS data, or active KEV status is currently available, but multiple stable kernel patches have been released across multiple branches.
Out-of-bounds memory access in the Linux kernel's accel/rocket DRM driver allows local authenticated users to trigger denial of service and potential information disclosure during probe failure paths. The flaw stems from improper error unwinding in rocket_probe() when rocket_core_init() fails (notably on EPROBE_DEFER), leaving stale counter state that subsequent code dereferences out of bounds. No public exploit identified at time of analysis, and EPSS scores exploitation likelihood at 0.02% (4th percentile), consistent with a hardware-driver-specific issue requiring local access.
A NULL pointer dereference vulnerability exists in the Linux kernel's IPv6 routing code within the ip6_rt_get_dev_rcu() function, triggered when a slave device is being un-slaved from a Virtual Routing and Forwarding (VRF) context. The vulnerability affects all Linux kernel versions with the affected code path and can be exploited to cause a kernel panic and denial of service. This issue was introduced by commit 4832c30d5458 which removed the fallback to loopback device handling, and multiple stable kernel branches have received patches to restore the NULL pointer check and fallback logic.
The Linux kernel CIFS client contains an information disclosure vulnerability where debug logging in the cifs_set_cifscreds() function exposes plaintext usernames and passwords in kernel logs when debug logging is enabled. This affects all versions of the Linux kernel with CIFS client support, allowing any local user or administrator with access to kernel logs to recover plaintext SMB credentials. While no CVSS score, EPSS data, or KEV status is publicly available, the severity is elevated due to the direct exposure of authentication credentials in commonly-accessible debug logs.
This vulnerability is a data-race condition in the Linux kernel where socket callback pointers (sk->sk_data_ready and sk->sk_write_space) are being modified concurrently by skmsg and other kernel layers without proper synchronization, potentially leading to information disclosure. All Linux kernel versions are affected across all architectures and distributions (CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), with the issue impacting UDP, TCP, and AF_UNIX socket implementations. An attacker with local access could potentially exploit this race condition to read sensitive data or cause memory corruption by triggering concurrent modifications to these critical function pointers.
The Linux kernel contains a memory allocation failure vulnerability in the ASoC SDCA (Serial Data Center Audio) subsystem where the find_sdca_entity_iot() function allocates memory for an Entity name but fails to validate whether the allocation succeeded. An attacker with local access could trigger memory allocation failure conditions to cause an information disclosure or denial of service, depending on how the unvalidated null pointer is subsequently used. No CVSS score, EPSS data, or KEV status is currently available for this vulnerability.
A kernel panic vulnerability exists in Linux IPv6 nexthop handling where standalone IPv6 nexthop objects created with loopback devices are misclassified as reject routes, causing the nhc_pcpu_rth_output field to remain unallocated. When an IPv4 route subsequently references this nexthop, a NULL pointer dereference in __mkroute_output() triggers a kernel panic, resulting in denial of service. All Linux kernel versions with IPv6 nexthop support are affected, and the vulnerability is remotely triggerable by unprivileged users with network configuration capabilities.
This vulnerability is a memory leak in the Linux kernel's Bluetooth subsystem where Socket Buffers (SKBs) queued into the sk_error_queue for TX timestamping are not properly purged during socket destruction, allowing sensitive timestamp data to persist in kernel memory. The vulnerability affects all Linux kernel versions that support Bluetooth with SO_TIMESTAMPING enabled (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*). An attacker with local access could potentially read leaked kernel memory contents including timestamp information that should have been cleaned up, or trigger the leak by unexpectedly removing the Bluetooth controller while timestamped packets remain queued.
A denial-of-service vulnerability exists in the Linux kernel's ucan (CAN-over-USB) driver where malformed USB messages with a zero-length field cause an infinite loop in the ucan_read_bulk_callback() function, hanging the entire system. An attacker with physical access to a USB port can connect a malicious or compromised CAN device to trigger this condition, rendering the affected system unresponsive. While no CVSS or EPSS scores are available, the vulnerability is confirmed as patched across multiple stable kernel branches with six commits addressing the issue.
A credential reference leak exists in the Linux kernel's nfsd (NFS daemon) subsystem, specifically in the nfsd_nl_threads_set_doit() function which handles netlink-based thread configuration. The vulnerability affects all Linux kernel versions containing the vulnerable nfsd code path, allowing local users with netlink access to trigger memory leaks of credential structures through repeated invocations of the affected function. While not directly exploitable for privilege escalation or data theft, the memory leak can lead to denial of service through resource exhaustion and enables information disclosure via leaked kernel memory structures.
A reference count leak in the Linux kernel's SCSI core subsystem causes the tagset_refcnt reference counter to fail to decrement properly, resulting in resource exhaustion and system hangs during SCSI host teardown. This affects all Linux kernel versions with the vulnerable code path, particularly impacting iSCSI configurations where the leak manifests as indefinite blocking in scsi_remove_host() calls. While not actively exploited in the wild (no KEV status), this is a denial-of-service vulnerability that can be triggered by any user with the ability to manage SCSI sessions or trigger host removal operations.
A deadlock vulnerability exists in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) that occurs when an application issues a query IOCTL while the device is undergoing auto-suspend. The vulnerability affects all Linux distributions shipping the vulnerable kernel code. An attacker with local access to the system can trigger this deadlock by issuing query IOCTLs concurrently with power management events, causing a complete hang of the AMD XDNA accelerator subsystem and denial of service to legitimate applications. This vulnerability is not listed in the CISA KEV catalog and no public exploit code has been identified, but the fix has been integrated into the stable Linux kernel.
This vulnerability is a race condition in the Linux kernel's BPF devmap subsystem that occurs on PREEMPT_RT kernels, where per-CPU bulk queue structures can be accessed concurrently by multiple preemptible tasks on the same CPU. An attacker or unprivileged local process can trigger use-after-free, double-free, or memory corruption conditions by crafting specific XDP (eXpress Data Path) redirect operations that cause concurrent access to shared queue structures, potentially leading to kernel crashes, information disclosure, or privilege escalation. The vulnerability affects all Linux kernel versions with the vulnerable devmap code path and has been patched upstream, though CVSS and EPSS scores are not yet assigned and no public exploit or KEV status is currently documented.
A NULL pointer dereference vulnerability exists in the Linux kernel's VXLAN implementation when IPv6 is disabled via the 'ipv6.disable=1' boot parameter. When an IPv6 packet is injected into a VXLAN interface, the route_shortcircuit() function attempts to call neigh_lookup() on an uninitialized nd_tbl (neighbor discovery table), causing a kernel panic and denial of service. This affects all Linux distributions shipping vulnerable kernel versions, and while no CVSS score or EPSS data is provided, the presence of six stable kernel commits and reproducible crash conditions indicates high practical impact.
A recursive locking vulnerability exists in the Linux kernel's target core configfs implementation where the target_core_item_dbroot_store() function attempts to open a file using filp_open() while already holding a semaphore (frag_sem) acquired in flush_write_buffer(), creating a deadlock condition when the same configfs file is accessed. This affects all Linux kernel versions with the vulnerable target subsystem code, and while no CVSS score or EPSS data is publicly available, the vulnerability has been resolved across multiple stable kernel branches with patch commits available in the kernel git repository, suggesting active acknowledgment of the issue as a legitimate kernel bug requiring remediation.
This vulnerability involves improper resource cleanup in the Linux kernel's NFC PN533 USB driver, where a reference count on the USB interface is not properly released when a device is disconnected. Affected systems include all Linux kernel versions with the vulnerable PN533 driver code, impacting any system using NFC devices based on the PN533 chipset. While this is a resource management issue rather than a direct memory corruption vulnerability, it can lead to information disclosure or denial of service through USB interface resource exhaustion over repeated device attach/detach cycles. The vulnerability has been resolved in the Linux kernel with multiple backported patches available across stable branches.
The pegasus USB network driver in the Linux kernel fails to validate that connected USB devices have the proper number and types of endpoints before binding to them, allowing a malicious USB device to trigger a kernel crash through null pointer dereference or out-of-bounds memory access. This denial-of-service vulnerability affects Linux kernel versions across multiple stable branches, as evidenced by patches applied to at least six different kernel maintenance branches. An attacker with physical access to a target system or the ability to inject a crafted USB device into the network could crash the kernel without authentication or elevated privileges, though no public exploit code or active exploitation in the wild has been reported.
This vulnerability is a resource leak in the Linux kernel's InfiniBand mthca driver within the mthca_create_srq() function, where the mthca_unmap_user_db() cleanup call is missing on the error path. A user with local access can trigger this leak by causing the mthca_create_srq() system call to fail, resulting in persistent kernel memory not being freed, which could lead to denial of service through memory exhaustion. While no CVSS score, EPSS value, or KEV status is documented, the issue affects all Linux kernel versions using the mthca driver and has been patched across multiple stable kernel branches as evidenced by six linked commit fixes.
An out-of-bounds memory write vulnerability exists in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) where a memset() operation clears a command header before validating sufficient space is available in the command slot, potentially leading to memory corruption. The vulnerability affects Linux kernel versions across multiple releases where the amdxdna driver is present and enabled. An attacker with local access and appropriate capabilities to interact with the amdxdna device could trigger this memory corruption to achieve denial of service or potentially escalate privileges.
A race condition in the SiFive PLIC (Platform Level Interrupt Controller) interrupt handling code can cause interrupts to become frozen when interrupt affinity is modified while an interrupt is being processed. The vulnerability affects Linux kernel implementations using the SiFive PLIC irqchip driver, potentially causing system hangs or device unresponsiveness on RISC-V systems. While not actively exploited in the wild, the issue is easily reproducible through concurrent affinity changes and high interrupt load, making it a practical denial-of-service concern for affected systems.
A null pointer dereference vulnerability exists in the Linux kernel's ATM LANE module (lec_arp_clear_vccs function) where multiple ARP entries can share the same virtual circuit connection (VCC). When a VCC is closed, the kernel iterates through ARP entries and clears associated VCC pointers; if multiple entries share the same VCC, the first iteration frees the vpriv structure and sets it to NULL, causing subsequent iterations to crash when attempting to dereference the now-NULL pointer. A local attacker can trigger this denial of service condition through crafted ATM socket operations, as demonstrated by existing syzkaller reproducers.
A null-pointer dereference vulnerability exists in the Linux kernel's DRBD (Distributed Replicated Block Device) subsystem when handling local read errors. When a READ_COMPLETED_WITH_ERROR event occurs in drbd_request_endio(), a NULL peer_device pointer is passed to the __req_mod() function, which then unconditionally dereferences it in drbd_set_out_of_sync(), causing a kernel panic or system crash. This affects all Linux kernel versions with the vulnerable DRBD code, and while not actively exploited in the wild, it can be triggered by a local user or administrator through normal disk I/O error conditions, resulting in denial of service.
This vulnerability exists in the Linux kernel's MediaTek Ethernet driver (mtk_eth_soc) where an eBPF program pointer is not properly reset to its previous state if the mtk_xdp_setup() function encounters an error during the mtk_open routine. This resource management flaw can lead to incorrect reference counting of eBPF programs, potentially causing use-after-free or memory leak conditions. All Linux kernel versions with the affected MediaTek Ethernet driver (cpe:2.3:a:linux:linux) are impacted, and the vulnerability has been patched across multiple stable kernel branches as evidenced by six commit references spanning different kernel versions.
A PM runtime reference leak exists in the Linux kernel's fp9931 regulator driver hwmon interface, where the pm_runtime_put_autosuspend() function fails to be called when regmap_read() encounters an error, causing the power management reference count to become unbalanced. This affects all Linux kernel versions with the vulnerable fp9931 driver code. While not directly exploitable for code execution, the reference leak can lead to device power management failures, potential denial of service through resource exhaustion, or unexpected device behavior in systems using the FP9931 regulator hardware.
An uninitialized variable vulnerability exists in the Linux kernel's SMB2 client implementation within the smb2_unlink() function, where failure of SMB2_open_init() or SMB2_close_init() operations (such as during reconnection) leaves iovs structures uninitialized. If subsequent cleanup functions like SMB2_open_free(), SMB2_close_free(), or smb2_set_related() attempt to operate on these uninitialized structures, the kernel will oops (crash), resulting in a denial of service condition affecting all Linux distributions and versions using affected kernel code.
Use-after-free in the Linux kernel's libertas wireless driver (lbs_free_adapter()) allows local privileged users to corrupt memory when a timer callback races with adapter teardown. The flaw stems from using non-synchronous timer_delete() instead of timer_delete_sync() on command_timer and tx_lockup_timer, leaving callbacks free to dereference freed driver_lock, cur_cmd, and dev fields. EPSS is very low (0.02%, 7th percentile) and there is no public exploit identified at time of analysis, but the bug has existed since the driver's introduction and on stable trees through 6.18.x.
A size calculation overflow vulnerability exists in the Linux kernel's accel/amdxdna driver that can result in undersized buffer allocations and potential memory corruption. The vulnerability affects Linux kernel versions across multiple branches where the AMD XDNA accelerator driver is compiled. An attacker with local access could exploit this to trigger memory corruption, potentially leading to denial of service or privilege escalation, though exploitation complexity and attack surface requirements remain moderate.
A NULL pointer dereference vulnerability exists in the Linux kernel's mac80211 mesh networking subsystem (CVE-2026-23279), specifically in the mesh_rx_csa_frame() function which fails to validate the presence of the Mesh Channel Switch Parameters IE before dereferencing it. A remote attacker with an established mesh peer link can trigger a kernel panic by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame that includes matching Mesh ID and configuration elements but omits the required Channel Switch Parameters IE. This vulnerability affects all Linux kernel versions since v3.13 (January 2014) and requires no special authentication beyond the default open mesh peering, making it a trivial denial-of-service vector against systems with mesh networking enabled.
Xen privcmd driver in Linux kernel allows root processes in unprivileged guest VMs to bypass secure boot protections by issuing arbitrary hypercalls that modify kernel memory. This Xen Security Advisory (XSA-482) affects Linux kernels running as Xen domU guests with secure boot enabled. The vulnerability is addressed in kernel patches 6.1.167, 6.6.130, 6.12.78, 6.18.20, and 6.19.10. EPSS score of 0.03% (9th percentile) indicates low probability of widespread exploitation. No active exploitation confirmed at time of analysis; POC status unknown.
A resource management flaw in the Linux kernel's netfilter nf_tables subsystem fails to properly iterate over all pending catchall elements during transaction processing, leading to incomplete cleanup when a map holding catchall elements is destroyed. This affects Linux kernel versions across multiple stable branches and can result in memory corruption, information disclosure, or denial of service when crafted netfilter rule transactions are processed. The vulnerability is not known to be actively exploited in the wild, but the presence of multiple stable branch patches and specific affected kernel versions indicates kernel maintainers have treated this as a material flaw requiring coordinated remediation.
A NULL pointer dereference vulnerability exists in the Linux kernel's TEQL (Trivial Ethernet Queue Limiting) network scheduler when transmitting through tunnel slave devices, particularly gretap tunnels. The vulnerability occurs because teql_master_xmit() fails to update skb->dev to the slave device before transmission, causing tunnel xmit functions to reference unallocated per-CPU statistics on the TEQL master device. This allows a local or networked attacker to trigger a kernel page fault and crash the system, resulting in a denial of service. No CVSS score, EPSS risk score, or KEV active exploitation status is currently published, but patch commits are available in Linux kernel stable branches (6.18.19, 6.19.9, and 7.0-rc4).
A stack overflow vulnerability exists in the Linux kernel's tunnel transmission functions (iptunnel_xmit and ip6tunnel_xmit) due to missing recursion limits when GRE tap interfaces operate as slaves in bonded devices with broadcast mode enabled. This allows local attackers or legitimate multicast/broadcast traffic to trigger infinite recursion between bond_xmit_broadcast() and tunnel transmission functions, causing kernel stack exhaustion and denial of service. The vulnerability affects multiple Linux kernel versions and has been resolved with the addition of IP_TUNNEL_RECURSION_LIMIT (4) to prevent excessive stack consumption during nested tunnel packet encapsulation.
A race condition exists in the Linux kernel's io_uring subsystem where task work flags can be manipulated on stale ring memory during concurrent ring resize operations when DEFER_TASKRUN or SETUP_TASKRUN modes are enabled. This vulnerability affects Linux kernel versions including 6.13, 6.18.19, 6.19.9, and 7.0-rc4, and could allow an attacker with local code execution capabilities to cause information disclosure or kernel memory corruption. The vulnerability has been patched across multiple stable kernel versions as evidenced by available git commits, though no active KEV status or EPSS score has been published.
Linux kernel netfilter xt_IDLETIMER subsystem crashes when revision 0 rules reuse ALARM-type timer labels created by revision 1, triggering mod_timer() on an uninitialized timer_list. Affects Linux kernel 5.7+ through 6.19.x series. Local authenticated attackers with CAP_NET_ADMIN (PR:L) can cause kernel panic on systems with panic_on_warn=1, achieving high-severity local denial of service or potential privilege escalation via kernel memory corruption. EPSS score is very low (0.02%, 4th percentile) indicating minimal observed exploitation likelihood. No public exploit code identified at time of analysis.
A use-after-free race condition exists in the Linux kernel's macvlan driver within the macvlan_common_newlink() error handling path. When a macvlan device creation fails after the network device becomes visible to the RCU (Read-Copy-Update) subsystem, the caller's subsequent free_netdev(dev) can race with ongoing packet forwarding operations, causing kernel memory corruption and potential information disclosure. This vulnerability affects Linux kernel versions 5.10 through 6.19 and later, and while no public exploit exists, the issue is reproducible via crafted netlink commands that trigger concurrent device creation and packet transmission.
A use-after-free vulnerability exists in the Linux kernel's netfilter nf_tables subsystem where a set element can be published and removed without waiting for RCU grace period completion, allowing concurrent RCU readers to access freed memory. This affects all Linux kernel versions across multiple stable branches (4.10 and later) as indicated by the CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*. An attacker with local access to manipulate netfilter rules could trigger information disclosure or denial of service by exploiting the race condition during batch insertion of elements into a full netfilter set.
A race condition exists in the Linux kernel's perf subsystem where __perf_event_overflow() can execute with only preemption disabled (rather than IRQs disabled) on software events, creating a window for concurrent execution with perf_event_exit_event() and related cleanup functions. This race condition allows the overflow handler to access kernel structures (such as BPF programs) that are being freed concurrently, potentially leading to use-after-free conditions, memory corruption, or privilege escalation. The vulnerability affects multiple stable Linux kernel versions and has patches available across multiple kernel branches (6.12.77, 6.19.7, 7.0-rc2, and others as indicated by the git commit references).
Use-after-free in Linux kernel traffic control (net/sched) occurs when act_ct action returns TC_ACT_CONSUMED while a packet is held by the defragmentation engine, allowing local authenticated attackers with low privileges to achieve code execution, denial of service, or information disclosure. Affects Linux kernel 6.8 through 6.12.x and 6.18.x series. Vendor patches available across multiple stable branches (commits 524ce8b4, 380ad8b7, 9deda0fc, 11cb63b0). EPSS score of 0.02% (4th percentile) indicates very low observed exploitation likelihood despite 7.8 CVSS rating. No active exploitation confirmed; not listed in CISA KEV.
Out-of-bounds read in Linux kernel's AppArmor subsystem allows local authenticated attackers to disclose kernel memory and potentially crash the system via maliciously crafted security policies. Affects Linux kernels from 3.4 onwards with patches released for stable branches 6.12.77, 6.18.18, 6.19.8, and 7.0-rc4. No active exploitation confirmed (not in CISA KEV), EPSS probability low at 0.02%, but Ubuntu rates priority as medium with patches deployed across 729 releases. Requires local access with low privileges (PR:L) and ability to load AppArmor policies.
Local privilege escalation in Linux kernel AppArmor allows low-privilege users to manipulate security policy via confused deputy attack. Attackers pass file descriptors for apparmorfs interfaces to privileged processes, enabling full policy management capabilities including disabling confinement and bypassing user namespace restrictions. Publicly available exploit code exists. EPSS score 0.01% suggests low widespread exploitation probability. Patches released for kernel 6.12.77, 6.18.18, 6.19.8, and 7.0-rc4 with multiple distribution advisories available.
This vulnerability is a race condition in the Linux kernel's F2FS file system that causes flag inconsistency between concurrent atomic commit and checkpoint write operations. The issue affects all Linux kernel versions with F2FS support (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), allowing information disclosure through incorrect inode state recovery after sudden power-off (SPO) scenarios. An attacker with local file system access during atomic write operations could trigger the race condition, leading to potential data inconsistency and information leakage when the system recovers.
A divide-by-zero vulnerability exists in the Linux kernel's rivafb framebuffer driver in the nv3_arb() function, which can be triggered by unprivileged userspace applications via the FBIOPUT_VSCREENINFO ioctl call on /dev/fb* devices. An attacker can crash the kernel by crafting a malicious or misconfigured PCI device that exposes a bogus PRAMDAC MCLK PLL configuration, causing the state->mclk_khz divisor to become zero. This is a Denial of Service vulnerability affecting the Linux kernel across multiple stable versions, with patches available in the kernel git repository.
A vulnerability in the Linux kernel's f2fs (Flash-Friendly File System) implementation fails to validate node footer integrity during asynchronous read and write I/O operations, allowing corrupted node page data to trigger a kernel BUG and cause denial of service. This affects all Linux kernel versions using f2fs, particularly those processing untrusted or fuzzed filesystem images. An attacker with the ability to craft a malicious f2fs filesystem image can trigger a kernel panic when the corrupted node page is written back, resulting in system unavailability.
A logic error in the Linux kernel's AMD GPU driver causes system crashes when two AMD GPUs are present and only one supports ASPM (Active State Power Management). The vulnerability stems from a commit that was erroneously reapplied after being removed in a prior refactoring, leading to incorrect ASPM state evaluation across multiple devices. Systems running affected Linux kernel versions with heterogeneous AMD GPU configurations (mixed ASPM support) will experience denial of service through kernel crashes.
This vulnerability is a memory leak in the Linux kernel's io_uring subsystem, specifically within the zero-copy receive (zcrx) implementation where a page array fails to be deallocated during scatter-gather initialization failures. The vulnerability affects all Linux kernel versions with the vulnerable io_uring/zcrx code path, allowing local attackers with the ability to trigger failed scatter-gather operations to exhaust kernel memory and cause denial of service. No active exploitation has been reported, but this is a kernel memory management issue with straightforward local triggering conditions.
A memory corruption vulnerability exists in the Linux kernel's Google Virtual Ethernet (gve) driver where dynamic queue count changes cause misalignment between the driver's stats region and the NIC's offset calculations. When queue counts increase, the NIC can write past the allocated stats region boundary causing heap corruption; when decreased, stats data becomes misaligned. This affects Linux kernel versions across multiple stable branches (as evidenced by patches in 5.10, 5.15, 6.1, 6.6, 6.7, 6.8, and 6.9 series). The vulnerability is not currently listed as actively exploited in KEV, but represents a critical reliability and security issue for systems using Google Cloud Platform infrastructure with the affected gve driver.
This vulnerability is a resource leak in the Linux kernel's NVMe/FC (NVMe over Fibre Channel) driver where the admin tag set and associated block I/O queue resources fail to be released if controller initialization encounters errors after the admin queue is allocated. The affected product is the Linux kernel across all versions that include the vulnerable nvme-fc code path. An attacker or malicious process could trigger repeated failed NVMe/FC controller initialization attempts to exhaust kernel memory through cumulative tag set leaks, potentially leading to denial of service. This is not actively exploited in the wild (not listed in CISA KEV), but patches are available across multiple kernel branches.
A memory leak vulnerability exists in the Linux kernel's regmap maple tree caching implementation where allocated memory is not freed when the mas_store_gfp() function fails during a write operation. This affects all Linux kernel versions containing the vulnerable regcache_maple_write() function, potentially allowing local attackers to exhaust kernel memory through repeated cache write failures. While no CVSS score or EPSS data is currently available, the vulnerability has been assigned CVE-2026-23260 and multiple stable kernel patches are available, indicating this is a recognized and actively addressed issue.
A memory management vulnerability exists in the Linux kernel's io_uring subsystem where allocated iovec buffers may fail to be properly freed when a read/write request cannot be recycled back to the rw_cache. This affects all Linux kernel versions with the vulnerable io_uring/rw code path, potentially allowing local attackers to trigger memory leaks that degrade system performance or enable denial of service conditions. The vulnerability has been patched in the Linux kernel stable trees as evidenced by the provided commit references.
A memory leak vulnerability exists in the Linux kernel's Liquidio network driver within the setup_nic_devices() function where the netdev pointer is not initialized in the oct->props[i].netdev structure before calling queue setup functions. If netif_set_real_num_rx_queues() or netif_set_real_num_tx_queues() fail, the allocated netdev memory is not freed because the cleanup function liquidio_destroy_nic_device() cannot locate it via the NULL pointer. This affects all Linux kernel versions with the Liquidio driver and allows for memory exhaustion through repeated device initialization failures.
A memory leak vulnerability exists in the Linux kernel's liquidio network driver within the setup_nic_devices() function, where an off-by-one error in the cleanup loop causes failure to deallocate the last successfully allocated device during error handling. The vulnerability affects Linux kernel versions across multiple stable branches (as evidenced by patches in 4.9, 4.14, 4.19, 5.4, 5.10, 5.15, and 5.16 stable trees per the kernel.org references). While this is a local denial-of-service vector through memory exhaustion rather than a direct code execution path, it could be leveraged by unprivileged users to degrade system stability over time.
This vulnerability is an off-by-one error in the Linux kernel's liquidio driver that causes a memory leak during virtual function (VF) setup failure cleanup. The vulnerability affects the Linux kernel across all versions where the liquidio net driver is compiled, as identified through the affected CPE (cpe:2.3:a:linux:linux). While this is a memory leak rather than a direct code execution vulnerability, it can be exploited to exhaust kernel memory resources, leading to denial of service.
A race condition vulnerability exists in the Linux kernel's /proc/net/ptype implementation where concurrent readers and writers violate RCU (Read-Copy-Update) synchronization rules, allowing information disclosure through unsafe access to device pointers. The vulnerability affects all Linux kernel versions with the vulnerable ptype_seq_show() and ptype_seq_next() functions. An attacker with local access can trigger RCU stalls, kernel panics, or read uninitialized kernel memory by racing concurrent packet type structure modifications against /proc/net/ptype reads, potentially leaking sensitive kernel data or causing denial of service.
A vulnerability in the Linux kernel's Generic Receive Offload (GRO) implementation for UDP traffic causes incorrect network offset calculations when processing encapsulated packets. The flaw affects all Linux kernel versions where the GRO subsystem handles UDP encapsulation, as specified in the CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*. When hardware NICs, the tun driver, or veth setups inject packets with the encapsulation flag set, the udp4_gro_complete() function incorrectly computes the outer UDP header pseudo checksum using the inner network offset, leading to checksum validation failures that can disrupt packet processing and potentially cause denial of service or packet drops. No active exploitation has been reported in the wild, and no public proof-of-concept code is known to exist, though the vulnerability is triggered through normal network operations involving UDP-encapsulated traffic.
This vulnerability is a missing exception fixup handler in the LoongArch architecture's BPF JIT compiler that fails to properly recover from memory access exceptions (ADEM) triggered by BPF_PROBE_MEM* instructions. The Linux kernel on LoongArch systems (CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) is affected, potentially allowing information disclosure or denial of service when BPF programs attempt to safely probe memory locations. This is not actively exploited (no KEV status), but patches are available across multiple stable kernel branches.
A resource management vulnerability exists in the Linux kernel's Btrfs filesystem implementation where qgroup data reservations are incorrectly freed when an inline extent creation fails due to -ENOSPC (no space available). This causes the kernel to prematurely release qgroup quota accounting for data that will actually be used when the operation falls back to the normal copy-on-write path, potentially leading to qgroup quota inconsistencies and information disclosure about quota state. All Linux distributions using Btrfs with qgroup quota tracking enabled are affected. While no CVSS score or EPSS risk score has been assigned, the vulnerability has stable patches available in the Linux kernel repository.
A resource leak vulnerability exists in the Linux kernel's btrfs filesystem implementation where reserved qgroup data fails to be freed in error paths during inline extent insertion operations. This affects all Linux versions with vulnerable btrfs code, and allows local attackers with filesystem write access to exhaust kernel memory resources through repeated failed inline extent insertions, potentially causing denial of service. No active exploitation in the wild has been reported, but kernel memory exhaustion vulnerabilities are routinely targeted by local privilege escalation chains.
Linux kernel DVB digital video recorder driver allows local authenticated users to trigger use-after-free conditions via stale waitqueue entries, potentially achieving privilege escalation to root or causing kernel crashes. The vulnerability stems from improper waitqueue reinitialization when reopening DVR devices, orphaning existing epoll/io_uring poll entries. Affects Linux kernel versions from 2.6.17 through 6.19.6, with patches available in 6.12.77, 6.18.17, 6.19.7, and 7.0-rc2. EPSS score of 0.02% (4th percentile) indicates low observed exploitation activity, though CVSS 7.8 reflects high impact if local access is obtained.
A memory allocation failure vulnerability exists in the Linux kernel's XFS filesystem checking code where the xchk_xfile_*_descr macros call kasprintf with formatted strings that can exceed safe allocation limits, leading to potential denial of service or information disclosure. This affects Linux kernel versions 6.6 through 6.14 and later releases including 6.18.16, 6.19.6, and 7.0-rc1, with the vulnerability discoverable through syzbot fuzzing by researcher Jiaming Zhang. While no active exploitation has been confirmed, the issue represents a path to failure in a core filesystem validation component that could be triggered by malicious or malformed filesystem structures.
This vulnerability in the Linux kernel's XFS filesystem code involves improper pointer validation in xfarray and xfblob destructor functions, where the destructors can be called with invalid (dangling) pointers if the pointer is not properly nulled after deallocation. The vulnerability affects Linux kernel versions 6.9 through 6.10 and later patch versions, potentially allowing information disclosure or system instability. While no CVSS score or exploitation data is publicly available, the fix was backported across multiple kernel versions (6.12.75, 6.18.16, 6.19.6, 7.0-rc1) indicating recognition of the issue's significance across the kernel maintenance community.
A null pointer dereference vulnerability exists in the XFS filesystem checker (xchk_scrub_create_subord) in the Linux kernel, where the function returns a mangled ENOMEM error instead of NULL, and callers fail to properly validate the return value. This affects Linux kernel versions 6.2 through 6.10 and later stable branches, potentially allowing a local attacker with filesystem access to trigger a denial of service condition through unhandled memory allocation failures during XFS filesystem integrity checks.
A null pointer dereference vulnerability exists in the Linux kernel's XFS filesystem repair code when revalidating B-tree structures during fsck operations. The vulnerability affects Linux kernel versions across multiple release branches (6.8, 6.12.75, 6.18.16, 6.19.6, and 7.0-rc1) when the xfs_scrub utility attempts to repair both the free space B-tree (bnobt) and count B-tree (cntbt) simultaneously. An authenticated attacker with fsck/scrub privileges can trigger a kernel crash (denial of service) by injecting corruption markers via XFS_IOC_ERROR_INJECTION ioctl, causing the kernel to crash when the second B-tree revalidation is attempted after the first one fails and nullifies a required cursor.
A buffer handling vulnerability exists in the Linux kernel's CAN USB f81604 driver where improperly sized interrupt URB (USB Request Block) messages are not validated before processing, potentially leading to information disclosure or memory corruption. All Linux kernel versions with the affected CAN f81604 USB driver are impacted. An attacker with physical access to a malicious USB device or local system access could trigger abnormal URB message handling to leak kernel memory or cause denial of service. This vulnerability is not currently listed as actively exploited in known vulnerability databases, and no public proof-of-concept has been widely circulated, though patches are available across multiple kernel stable branches.
A validation bypass vulnerability exists in the Linux kernel's netfilter nft_set_rbtree module that fails to properly validate overlapping open intervals in packet filtering rule sets. This affects all Linux distributions running vulnerable kernel versions, allowing local or remote attackers with network configuration privileges to bypass firewall rules through malformed interval specifications. The vulnerability is classified as an information disclosure issue and has been patched upstream, though no active exploitation in the wild has been documented.
A NULL pointer dereference vulnerability exists in the Linux kernel's intel_pstate CPU frequency scaling driver that crashes the system when turbo boost is disabled on systems with CPU count limitations. This affects Linux kernel versions across multiple releases where the system is booted with 'nosmt' or 'maxcpus' kernel parameters and a user or administrator attempts to disable turbo via sysfs. An unprivileged local attacker with write access to /sys/devices/system/cpu/intel_pstate/no_turbo can trigger a kernel panic, resulting in denial of service. The vulnerability has been patched and fixes are available across multiple stable kernel branches.
A resource management vulnerability in the Linux kernel UDP implementation causes improper handling of socket state during disconnect operations. When a UDP socket is bound to a wildcard address, connected to a remote peer, and then disconnected, the kernel fails to properly remove the socket from the 4-tuple hash table, leaving stale entries that can lead to information disclosure or denial of service conditions. All Linux kernel versions using the affected UDP code path are impacted, with patches available through the Linux kernel stable tree.
A memory leak vulnerability exists in the Linux kernel's NFC (Near Field Communication) NCI subsystem where pending data exchange operations are not properly completed when a device is closed, causing socket references to be held indefinitely. This affects all Linux kernel versions with the vulnerable NFC NCI code path. An attacker with local access to NFC functionality could trigger repeated device close operations to exhaust memory resources, leading to denial of service. While no CVSS score or EPSS data is currently available, the issue is being actively addressed through kernel patches as evidenced by multiple commit references.
A null pointer dereference vulnerability exists in the Linux kernel's libie firmware logging module where the libie_fwlog_deinit() function attempts to unroll firmware logging structures even when logging was never properly initialized, causing kernel panics during driver unload. This affects the ixgbe driver and potentially other devices using the libie_fwlog module across multiple Linux kernel versions. An unprivileged local attacker with module unload capabilities can trigger a denial of service by unloading the affected driver, as demonstrated through rmmod operations in recovery mode.
A NULL pointer dereference vulnerability exists in the Linux kernel's AMD XDena accelerator driver (accel/amdxdna) where the mgmt_chann variable may be set to NULL if firmware returns an unexpected error during management message transmission, subsequently causing a kernel crash when aie2_hw_stop() attempts to access it. This affects Linux kernel versions across the amdxdna subsystem and can be exploited by local attackers with physical access or through malicious firmware to trigger a denial of service condition. Two stable kernel patches are available that introduce proper NULL checks and a dedicated helper function to safely destroy mgmt_chann.
A buffer over-read vulnerability exists in the Linux kernel's CXL mailbox command handler where the cxl_payload_from_user_allowed() function casts and dereferences user-supplied payload data without first validating its size. An unprivileged local attacker can send a raw mailbox command with an undersized payload (e.g., 1 byte instead of the expected 16 bytes for CXL_MBOX_OP_CLEAR_LOG) to trigger a kernel memory read past the allocated buffer, causing a KASAN splat and potential denial of service. While not yet listed in the KEV catalog or with public EPSS/CVSS scoring, patch commits are available in the Linux stable kernel repositories, indicating the vulnerability has been resolved upstream.
This vulnerability is a memory leak in the Linux kernel's AF_XDP socket implementation where buffers fail to be properly returned to the free list due to improper list node reinitialization. The vulnerability affects all Linux kernel versions with the AF_XDP subsystem enabled, potentially allowing local attackers or unprivileged users to exhaust kernel memory over time. While not actively exploited in the wild according to available intelligence, the vulnerability has clear patches available in stable kernel branches and represents a real denial-of-service risk for systems relying on XDP functionality.
An out-of-bounds (OOB) memory access vulnerability exists in the Linux kernel's MediaTek MT7996 WiFi driver (mt76) within the mt7996_mac_write_txwi_80211() function. The vulnerability occurs when the function accesses management frame fields without first validating the frame length, potentially allowing information disclosure or denial of service on systems using affected MT7996 hardware. Multiple stable kernel patches are available across several kernel versions, indicating the issue has been actively remediated in the upstream Linux project.
A resource leak vulnerability exists in the Linux kernel's ETAS ES58X USB CAN driver where URBs (USB Request Blocks) submitted in the read bulk callback are not properly anchored before submission, potentially causing memory leaks when usb_kill_anchored_urbs() is invoked. This affects all Linux kernel versions running the etas_es58x driver. An attacker with local access to trigger device disconnection or system shutdown could cause kernel memory exhaustion through repeated URB leaks, leading to denial of service or information disclosure of kernel memory contents.
The Apple Silicon SMC hwmon driver (macsmc-hwmon) in the Linux kernel contains critical memory safety bugs in sensor population and float conversion logic. Specifically, voltage sensors are incorrectly registered to the temperature sensor array, and float-to-32-bit conversion has flawed exponent handling, potentially leading to out-of-bounds memory access, data corruption, or incorrect fan control on affected Apple Silicon systems. The vulnerability affects Linux kernel versions with the macsmc-hwmon driver and has been patched; no active exploitation or POC is currently known, but the nature of the bugs suggests high real-world risk for systems relying on thermal management.
A use-after-free and list corruption vulnerability exists in the Linux kernel's IPMI (Intelligent Platform Management Interface) subsystem when the SMI sender returns an error. The vulnerability affects all Linux kernel versions with the vulnerable IPMI code path, allowing local attackers or processes with IPMI access to trigger denial of service conditions through list corruption and NULL pointer dereferences. The vulnerability is not currently listed in CISA's KEV catalog, and no CVSS or EPSS scores have been published; however, the technical nature indicates high reliability for exploitation by local actors with kernel interface access.
A logic error in the Linux kernel's MPTCP (MultiPath TCP) path management subsystem fails to properly track endpoint usage state when an endpoint is configured with both 'signal' and 'subflow' flags and subsequently removed. This causes a kernel warning and potential state inconsistency in the MPTCP connection management code. The vulnerability affects Linux kernel versions and is triggered through netlink socket manipulation by unprivileged users, potentially leading to denial of service or unexpected kernel behavior.
A lifecycle management vulnerability in the Linux kernel's USB NCM (Network Control Model) gadget function causes the network device to outlive its parent gadget device, resulting in NULL pointer dereferences and dangling sysfs symlinks when the USB gadget is disconnected. This affects all Linux kernel versions with the vulnerable USB gadget NCM implementation, and an attacker with local access to trigger USB gadget bind/unbind cycles can cause a kernel panic (denial of service). No CVSS vector, EPSS score, or active KEV status is available, but patches are confirmed available in the Linux stable tree.
A use-after-free (UAF) vulnerability exists in the Linux kernel's BPF subsystem within the bpf_trampoline_link_cgroup_shim function, where a race condition allows a process to reference memory after it has been freed. An attacker with CAP_BPF or CAP_PERFMON capabilities can trigger this vulnerability to cause a kernel crash (denial of service). A proof-of-concept has been demonstrated by the reporter, showing the bug can be reliably reproduced; the vulnerability is not listed on the CISA KEV catalog but affects all Linux kernel versions until patched.
A descriptor validation bypass in the Linux kernel's ALSA USB audio subsystem allows malicious USB devices to provide truncated UAC3 (USB Audio Class 3) header descriptors that escape validation checks, potentially causing out-of-bounds memory reads. The vulnerability stems from an incorrect protocol version constant (UAC_VERSION_2 instead of UAC_VERSION_3) in the validator table, causing validation logic to never execute for actual UAC3 devices. Affected are all Linux kernel versions containing the vulnerable code path; while CVSS and EPSS scores are not provided, this is a local privilege escalation / denial of service vector requiring physical USB device access or local code execution capability to exploit.
A logic error in the Linux kernel's drm/vmwgfx driver causes the vmw_translate_ptr functions to return success when pointer lookups actually fail, because the error handling was not updated when the underlying lookup function's return mechanism changed from returning a pointer to returning an error code with pointer as an out parameter. This allows uninitialized pointer dereferences and out-of-bounds memory access when the functions incorrectly report success, potentially enabling information disclosure or privilege escalation via the VMware graphics driver.
A memory alignment fault vulnerability exists in the Linux kernel's IPv4 multipath routing hash seed implementation that causes kernel panics on ARM64 systems when compiled with Clang and Link Time Optimization (LTO) enabled. The vulnerability affects all Linux kernel versions with the vulnerable code path in net/ipv4/route.c, specifically impacting ARM64 architectures where strict alignment requirements for Load-Acquire instructions are enforced. An attacker with local access or ability to trigger multipath hash operations could cause a denial of service by crashing the kernel, though no active exploitation has been reported in the wild.
An out-of-bounds (OOB) memory access vulnerability exists in the Linux kernel's mt76 WiFi driver, specifically in the mt76_connac2_mac_write_txwi_80211() function which fails to validate frame length before accessing management frame fields. This affects all Linux kernel versions containing the vulnerable mt76 driver code and could allow an attacker to read sensitive kernel memory or trigger a denial of service through a specially crafted WiFi management frame. The vulnerability has been patched across multiple stable kernel branches with fixes available since the issue was identified.
A device node reference leak exists in the Linux kernel's bq257xx regulator driver within the bq257xx_reg_dt_parse_gpio() function. When the function fails to retrieve a subchild device node, it returns prematurely without properly releasing the reference via of_node_put(child), causing a memory leak. This affects all Linux kernel versions containing this vulnerable code path in the bq257xx regulator driver, and while not directly exploitable for code execution, the memory leak can be triggered repeatedly to degrade system stability and availability.
A preempt count leak exists in the Linux kernel's i40e network driver within the napi poll tracepoint implementation, where get_cpu() is called without a corresponding put_cpu() to restore the preempt count. This affects all Linux kernel versions containing the vulnerable i40e driver code and can cause kernel accounting errors and potential system instability when the tracepoint is enabled. The vulnerability has no known active exploitation or public proof-of-concept code, and while not formally scored with CVSS, it represents a moderate kernel reliability issue that has persisted undetected for over three years.
The Linux kernel's kaweth USB driver fails to validate that probed USB devices have the expected number and types of endpoints before binding to them, allowing a malicious or malformed USB device to cause a kernel crash when the driver blindly accesses non-existent endpoints. This denial-of-service vulnerability affects Linux kernel versions across multiple stable branches and can be triggered by any user with the ability to connect a crafted USB device to a system running the vulnerable kernel. While CVSS and EPSS scores are not available, the vulnerability represents a straightforward crash vector with no reported active exploitation but patches are available across multiple kernel versions.
A lockdep-detected invalid wait context vulnerability exists in the Linux kernel's performance event scheduling subsystem, specifically in the ctx_sched_in() function when handling pinned events. The vulnerability affects all Linux kernel versions (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) and arises when the kernel attempts to acquire a wait-queue lock while already holding a perf-context lock, violating lock ordering rules and potentially causing system hangs or crashes. This is a kernel-level synchronization bug that can be triggered by unprivileged users with access to perf event tracing capabilities, though active exploitation in the wild has not been documented.
A logic error in the Linux kernel's bonding driver allows an unprivileged user to change the xmit_hash_policy parameter to an incompatible value (vlan+srcmac) while an XDP program is loaded, creating an inconsistent state where the kernel cannot safely unload the XDP program during device shutdown. This triggers a kernel warning and potential instability when the bond interface is destroyed. The vulnerability affects Linux kernel versions across multiple stable branches and requires local access to trigger.
A NULL pointer dereference vulnerability exists in the Linux kernel's event tracing subsystem, specifically in the trigger_data_free() function which fails to validate NULL pointers before dereferencing the data->cmd_ops field. This affects all Linux kernel versions where the vulnerable tracing code is present, and can be exploited by local attackers with appropriate privileges to cause a denial of service through kernel panic. The vulnerability was discovered through automated code review rather than active exploitation in the wild, and patches have been committed to stable kernel branches.
A warning trace vulnerability exists in the Linux kernel's pinctrl equilibrium driver where the eqbr_irq_mask_ack() callback function incorrectly calls both eqbr_irq_mask() and eqbr_irq_ack(), causing gpiochip_disable_irq() to be invoked twice and generating spurious kernel warnings on every GPIO during driver load. All Linux kernel versions with the affected equilibrium pinctrl driver are impacted, though this is primarily a kernel stability and logging issue rather than a security vulnerability. The issue has been resolved in multiple stable kernel branches as evidenced by the five stable commit hashes referenced, indicating patches are available.
A buffer overflow vulnerability exists in the Linux kernel's EMS USB CAN driver (ems_usb) in the ems_usb_read_bulk_callback() function, where the driver fails to properly validate USB message lengths before parsing and copying data. An attacker with the ability to supply a malicious USB device or intercept USB communications could trigger a buffer overflow by providing specially crafted messages that exceed the expected message boundaries, potentially leading to kernel memory corruption, denial of service, or privilege escalation. No CVSS score, EPSS risk rating, or active exploitation data (KEV status) is currently available, though multiple stable kernel branches have received patches indicating vendor awareness of the issue's severity.
A use-after-free vulnerability exists in the Linux kernel's pm8001 SCSI driver where the pm8001_queue_command() function incorrectly returns -ENODEV after already freeing a SAS task, causing the upper-layer libsas driver to attempt a second free operation. This affects all Linux kernel versions with the vulnerable pm8001 driver code, and while not remotely exploitable by default, it can lead to kernel memory corruption and denial of service on systems using PM8001-compatible SCSI controllers. No CVSS score, EPSS data, or active KEV status is currently available, but multiple stable kernel patches have been released across multiple branches.
Out-of-bounds memory access in the Linux kernel's accel/rocket DRM driver allows local authenticated users to trigger denial of service and potential information disclosure during probe failure paths. The flaw stems from improper error unwinding in rocket_probe() when rocket_core_init() fails (notably on EPROBE_DEFER), leaving stale counter state that subsequent code dereferences out of bounds. No public exploit identified at time of analysis, and EPSS scores exploitation likelihood at 0.02% (4th percentile), consistent with a hardware-driver-specific issue requiring local access.
A NULL pointer dereference vulnerability exists in the Linux kernel's IPv6 routing code within the ip6_rt_get_dev_rcu() function, triggered when a slave device is being un-slaved from a Virtual Routing and Forwarding (VRF) context. The vulnerability affects all Linux kernel versions with the affected code path and can be exploited to cause a kernel panic and denial of service. This issue was introduced by commit 4832c30d5458 which removed the fallback to loopback device handling, and multiple stable kernel branches have received patches to restore the NULL pointer check and fallback logic.
The Linux kernel CIFS client contains an information disclosure vulnerability where debug logging in the cifs_set_cifscreds() function exposes plaintext usernames and passwords in kernel logs when debug logging is enabled. This affects all versions of the Linux kernel with CIFS client support, allowing any local user or administrator with access to kernel logs to recover plaintext SMB credentials. While no CVSS score, EPSS data, or KEV status is publicly available, the severity is elevated due to the direct exposure of authentication credentials in commonly-accessible debug logs.
This vulnerability is a data-race condition in the Linux kernel where socket callback pointers (sk->sk_data_ready and sk->sk_write_space) are being modified concurrently by skmsg and other kernel layers without proper synchronization, potentially leading to information disclosure. All Linux kernel versions are affected across all architectures and distributions (CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), with the issue impacting UDP, TCP, and AF_UNIX socket implementations. An attacker with local access could potentially exploit this race condition to read sensitive data or cause memory corruption by triggering concurrent modifications to these critical function pointers.
The Linux kernel contains a memory allocation failure vulnerability in the ASoC SDCA (Serial Data Center Audio) subsystem where the find_sdca_entity_iot() function allocates memory for an Entity name but fails to validate whether the allocation succeeded. An attacker with local access could trigger memory allocation failure conditions to cause an information disclosure or denial of service, depending on how the unvalidated null pointer is subsequently used. No CVSS score, EPSS data, or KEV status is currently available for this vulnerability.
A kernel panic vulnerability exists in Linux IPv6 nexthop handling where standalone IPv6 nexthop objects created with loopback devices are misclassified as reject routes, causing the nhc_pcpu_rth_output field to remain unallocated. When an IPv4 route subsequently references this nexthop, a NULL pointer dereference in __mkroute_output() triggers a kernel panic, resulting in denial of service. All Linux kernel versions with IPv6 nexthop support are affected, and the vulnerability is remotely triggerable by unprivileged users with network configuration capabilities.
This vulnerability is a memory leak in the Linux kernel's Bluetooth subsystem where Socket Buffers (SKBs) queued into the sk_error_queue for TX timestamping are not properly purged during socket destruction, allowing sensitive timestamp data to persist in kernel memory. The vulnerability affects all Linux kernel versions that support Bluetooth with SO_TIMESTAMPING enabled (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*). An attacker with local access could potentially read leaked kernel memory contents including timestamp information that should have been cleaned up, or trigger the leak by unexpectedly removing the Bluetooth controller while timestamped packets remain queued.
A denial-of-service vulnerability exists in the Linux kernel's ucan (CAN-over-USB) driver where malformed USB messages with a zero-length field cause an infinite loop in the ucan_read_bulk_callback() function, hanging the entire system. An attacker with physical access to a USB port can connect a malicious or compromised CAN device to trigger this condition, rendering the affected system unresponsive. While no CVSS or EPSS scores are available, the vulnerability is confirmed as patched across multiple stable kernel branches with six commits addressing the issue.
A credential reference leak exists in the Linux kernel's nfsd (NFS daemon) subsystem, specifically in the nfsd_nl_threads_set_doit() function which handles netlink-based thread configuration. The vulnerability affects all Linux kernel versions containing the vulnerable nfsd code path, allowing local users with netlink access to trigger memory leaks of credential structures through repeated invocations of the affected function. While not directly exploitable for privilege escalation or data theft, the memory leak can lead to denial of service through resource exhaustion and enables information disclosure via leaked kernel memory structures.
A reference count leak in the Linux kernel's SCSI core subsystem causes the tagset_refcnt reference counter to fail to decrement properly, resulting in resource exhaustion and system hangs during SCSI host teardown. This affects all Linux kernel versions with the vulnerable code path, particularly impacting iSCSI configurations where the leak manifests as indefinite blocking in scsi_remove_host() calls. While not actively exploited in the wild (no KEV status), this is a denial-of-service vulnerability that can be triggered by any user with the ability to manage SCSI sessions or trigger host removal operations.
A deadlock vulnerability exists in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) that occurs when an application issues a query IOCTL while the device is undergoing auto-suspend. The vulnerability affects all Linux distributions shipping the vulnerable kernel code. An attacker with local access to the system can trigger this deadlock by issuing query IOCTLs concurrently with power management events, causing a complete hang of the AMD XDNA accelerator subsystem and denial of service to legitimate applications. This vulnerability is not listed in the CISA KEV catalog and no public exploit code has been identified, but the fix has been integrated into the stable Linux kernel.
This vulnerability is a race condition in the Linux kernel's BPF devmap subsystem that occurs on PREEMPT_RT kernels, where per-CPU bulk queue structures can be accessed concurrently by multiple preemptible tasks on the same CPU. An attacker or unprivileged local process can trigger use-after-free, double-free, or memory corruption conditions by crafting specific XDP (eXpress Data Path) redirect operations that cause concurrent access to shared queue structures, potentially leading to kernel crashes, information disclosure, or privilege escalation. The vulnerability affects all Linux kernel versions with the vulnerable devmap code path and has been patched upstream, though CVSS and EPSS scores are not yet assigned and no public exploit or KEV status is currently documented.
A NULL pointer dereference vulnerability exists in the Linux kernel's VXLAN implementation when IPv6 is disabled via the 'ipv6.disable=1' boot parameter. When an IPv6 packet is injected into a VXLAN interface, the route_shortcircuit() function attempts to call neigh_lookup() on an uninitialized nd_tbl (neighbor discovery table), causing a kernel panic and denial of service. This affects all Linux distributions shipping vulnerable kernel versions, and while no CVSS score or EPSS data is provided, the presence of six stable kernel commits and reproducible crash conditions indicates high practical impact.
A recursive locking vulnerability exists in the Linux kernel's target core configfs implementation where the target_core_item_dbroot_store() function attempts to open a file using filp_open() while already holding a semaphore (frag_sem) acquired in flush_write_buffer(), creating a deadlock condition when the same configfs file is accessed. This affects all Linux kernel versions with the vulnerable target subsystem code, and while no CVSS score or EPSS data is publicly available, the vulnerability has been resolved across multiple stable kernel branches with patch commits available in the kernel git repository, suggesting active acknowledgment of the issue as a legitimate kernel bug requiring remediation.
This vulnerability involves improper resource cleanup in the Linux kernel's NFC PN533 USB driver, where a reference count on the USB interface is not properly released when a device is disconnected. Affected systems include all Linux kernel versions with the vulnerable PN533 driver code, impacting any system using NFC devices based on the PN533 chipset. While this is a resource management issue rather than a direct memory corruption vulnerability, it can lead to information disclosure or denial of service through USB interface resource exhaustion over repeated device attach/detach cycles. The vulnerability has been resolved in the Linux kernel with multiple backported patches available across stable branches.
The pegasus USB network driver in the Linux kernel fails to validate that connected USB devices have the proper number and types of endpoints before binding to them, allowing a malicious USB device to trigger a kernel crash through null pointer dereference or out-of-bounds memory access. This denial-of-service vulnerability affects Linux kernel versions across multiple stable branches, as evidenced by patches applied to at least six different kernel maintenance branches. An attacker with physical access to a target system or the ability to inject a crafted USB device into the network could crash the kernel without authentication or elevated privileges, though no public exploit code or active exploitation in the wild has been reported.
This vulnerability is a resource leak in the Linux kernel's InfiniBand mthca driver within the mthca_create_srq() function, where the mthca_unmap_user_db() cleanup call is missing on the error path. A user with local access can trigger this leak by causing the mthca_create_srq() system call to fail, resulting in persistent kernel memory not being freed, which could lead to denial of service through memory exhaustion. While no CVSS score, EPSS value, or KEV status is documented, the issue affects all Linux kernel versions using the mthca driver and has been patched across multiple stable kernel branches as evidenced by six linked commit fixes.
An out-of-bounds memory write vulnerability exists in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) where a memset() operation clears a command header before validating sufficient space is available in the command slot, potentially leading to memory corruption. The vulnerability affects Linux kernel versions across multiple releases where the amdxdna driver is present and enabled. An attacker with local access and appropriate capabilities to interact with the amdxdna device could trigger this memory corruption to achieve denial of service or potentially escalate privileges.
A race condition in the SiFive PLIC (Platform Level Interrupt Controller) interrupt handling code can cause interrupts to become frozen when interrupt affinity is modified while an interrupt is being processed. The vulnerability affects Linux kernel implementations using the SiFive PLIC irqchip driver, potentially causing system hangs or device unresponsiveness on RISC-V systems. While not actively exploited in the wild, the issue is easily reproducible through concurrent affinity changes and high interrupt load, making it a practical denial-of-service concern for affected systems.
A null pointer dereference vulnerability exists in the Linux kernel's ATM LANE module (lec_arp_clear_vccs function) where multiple ARP entries can share the same virtual circuit connection (VCC). When a VCC is closed, the kernel iterates through ARP entries and clears associated VCC pointers; if multiple entries share the same VCC, the first iteration frees the vpriv structure and sets it to NULL, causing subsequent iterations to crash when attempting to dereference the now-NULL pointer. A local attacker can trigger this denial of service condition through crafted ATM socket operations, as demonstrated by existing syzkaller reproducers.
A null-pointer dereference vulnerability exists in the Linux kernel's DRBD (Distributed Replicated Block Device) subsystem when handling local read errors. When a READ_COMPLETED_WITH_ERROR event occurs in drbd_request_endio(), a NULL peer_device pointer is passed to the __req_mod() function, which then unconditionally dereferences it in drbd_set_out_of_sync(), causing a kernel panic or system crash. This affects all Linux kernel versions with the vulnerable DRBD code, and while not actively exploited in the wild, it can be triggered by a local user or administrator through normal disk I/O error conditions, resulting in denial of service.
This vulnerability exists in the Linux kernel's MediaTek Ethernet driver (mtk_eth_soc) where an eBPF program pointer is not properly reset to its previous state if the mtk_xdp_setup() function encounters an error during the mtk_open routine. This resource management flaw can lead to incorrect reference counting of eBPF programs, potentially causing use-after-free or memory leak conditions. All Linux kernel versions with the affected MediaTek Ethernet driver (cpe:2.3:a:linux:linux) are impacted, and the vulnerability has been patched across multiple stable kernel branches as evidenced by six commit references spanning different kernel versions.
A PM runtime reference leak exists in the Linux kernel's fp9931 regulator driver hwmon interface, where the pm_runtime_put_autosuspend() function fails to be called when regmap_read() encounters an error, causing the power management reference count to become unbalanced. This affects all Linux kernel versions with the vulnerable fp9931 driver code. While not directly exploitable for code execution, the reference leak can lead to device power management failures, potential denial of service through resource exhaustion, or unexpected device behavior in systems using the FP9931 regulator hardware.
An uninitialized variable vulnerability exists in the Linux kernel's SMB2 client implementation within the smb2_unlink() function, where failure of SMB2_open_init() or SMB2_close_init() operations (such as during reconnection) leaves iovs structures uninitialized. If subsequent cleanup functions like SMB2_open_free(), SMB2_close_free(), or smb2_set_related() attempt to operate on these uninitialized structures, the kernel will oops (crash), resulting in a denial of service condition affecting all Linux distributions and versions using affected kernel code.
Use-after-free in the Linux kernel's libertas wireless driver (lbs_free_adapter()) allows local privileged users to corrupt memory when a timer callback races with adapter teardown. The flaw stems from using non-synchronous timer_delete() instead of timer_delete_sync() on command_timer and tx_lockup_timer, leaving callbacks free to dereference freed driver_lock, cur_cmd, and dev fields. EPSS is very low (0.02%, 7th percentile) and there is no public exploit identified at time of analysis, but the bug has existed since the driver's introduction and on stable trees through 6.18.x.
A size calculation overflow vulnerability exists in the Linux kernel's accel/amdxdna driver that can result in undersized buffer allocations and potential memory corruption. The vulnerability affects Linux kernel versions across multiple branches where the AMD XDNA accelerator driver is compiled. An attacker with local access could exploit this to trigger memory corruption, potentially leading to denial of service or privilege escalation, though exploitation complexity and attack surface requirements remain moderate.
A NULL pointer dereference vulnerability exists in the Linux kernel's mac80211 mesh networking subsystem (CVE-2026-23279), specifically in the mesh_rx_csa_frame() function which fails to validate the presence of the Mesh Channel Switch Parameters IE before dereferencing it. A remote attacker with an established mesh peer link can trigger a kernel panic by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame that includes matching Mesh ID and configuration elements but omits the required Channel Switch Parameters IE. This vulnerability affects all Linux kernel versions since v3.13 (January 2014) and requires no special authentication beyond the default open mesh peering, making it a trivial denial-of-service vector against systems with mesh networking enabled.
Xen privcmd driver in Linux kernel allows root processes in unprivileged guest VMs to bypass secure boot protections by issuing arbitrary hypercalls that modify kernel memory. This Xen Security Advisory (XSA-482) affects Linux kernels running as Xen domU guests with secure boot enabled. The vulnerability is addressed in kernel patches 6.1.167, 6.6.130, 6.12.78, 6.18.20, and 6.19.10. EPSS score of 0.03% (9th percentile) indicates low probability of widespread exploitation. No active exploitation confirmed at time of analysis; POC status unknown.
A resource management flaw in the Linux kernel's netfilter nf_tables subsystem fails to properly iterate over all pending catchall elements during transaction processing, leading to incomplete cleanup when a map holding catchall elements is destroyed. This affects Linux kernel versions across multiple stable branches and can result in memory corruption, information disclosure, or denial of service when crafted netfilter rule transactions are processed. The vulnerability is not known to be actively exploited in the wild, but the presence of multiple stable branch patches and specific affected kernel versions indicates kernel maintainers have treated this as a material flaw requiring coordinated remediation.
A NULL pointer dereference vulnerability exists in the Linux kernel's TEQL (Trivial Ethernet Queue Limiting) network scheduler when transmitting through tunnel slave devices, particularly gretap tunnels. The vulnerability occurs because teql_master_xmit() fails to update skb->dev to the slave device before transmission, causing tunnel xmit functions to reference unallocated per-CPU statistics on the TEQL master device. This allows a local or networked attacker to trigger a kernel page fault and crash the system, resulting in a denial of service. No CVSS score, EPSS risk score, or KEV active exploitation status is currently published, but patch commits are available in Linux kernel stable branches (6.18.19, 6.19.9, and 7.0-rc4).
A stack overflow vulnerability exists in the Linux kernel's tunnel transmission functions (iptunnel_xmit and ip6tunnel_xmit) due to missing recursion limits when GRE tap interfaces operate as slaves in bonded devices with broadcast mode enabled. This allows local attackers or legitimate multicast/broadcast traffic to trigger infinite recursion between bond_xmit_broadcast() and tunnel transmission functions, causing kernel stack exhaustion and denial of service. The vulnerability affects multiple Linux kernel versions and has been resolved with the addition of IP_TUNNEL_RECURSION_LIMIT (4) to prevent excessive stack consumption during nested tunnel packet encapsulation.
A race condition exists in the Linux kernel's io_uring subsystem where task work flags can be manipulated on stale ring memory during concurrent ring resize operations when DEFER_TASKRUN or SETUP_TASKRUN modes are enabled. This vulnerability affects Linux kernel versions including 6.13, 6.18.19, 6.19.9, and 7.0-rc4, and could allow an attacker with local code execution capabilities to cause information disclosure or kernel memory corruption. The vulnerability has been patched across multiple stable kernel versions as evidenced by available git commits, though no active KEV status or EPSS score has been published.
Linux kernel netfilter xt_IDLETIMER subsystem crashes when revision 0 rules reuse ALARM-type timer labels created by revision 1, triggering mod_timer() on an uninitialized timer_list. Affects Linux kernel 5.7+ through 6.19.x series. Local authenticated attackers with CAP_NET_ADMIN (PR:L) can cause kernel panic on systems with panic_on_warn=1, achieving high-severity local denial of service or potential privilege escalation via kernel memory corruption. EPSS score is very low (0.02%, 4th percentile) indicating minimal observed exploitation likelihood. No public exploit code identified at time of analysis.
A use-after-free race condition exists in the Linux kernel's macvlan driver within the macvlan_common_newlink() error handling path. When a macvlan device creation fails after the network device becomes visible to the RCU (Read-Copy-Update) subsystem, the caller's subsequent free_netdev(dev) can race with ongoing packet forwarding operations, causing kernel memory corruption and potential information disclosure. This vulnerability affects Linux kernel versions 5.10 through 6.19 and later, and while no public exploit exists, the issue is reproducible via crafted netlink commands that trigger concurrent device creation and packet transmission.
A use-after-free vulnerability exists in the Linux kernel's netfilter nf_tables subsystem where a set element can be published and removed without waiting for RCU grace period completion, allowing concurrent RCU readers to access freed memory. This affects all Linux kernel versions across multiple stable branches (4.10 and later) as indicated by the CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*. An attacker with local access to manipulate netfilter rules could trigger information disclosure or denial of service by exploiting the race condition during batch insertion of elements into a full netfilter set.
A race condition exists in the Linux kernel's perf subsystem where __perf_event_overflow() can execute with only preemption disabled (rather than IRQs disabled) on software events, creating a window for concurrent execution with perf_event_exit_event() and related cleanup functions. This race condition allows the overflow handler to access kernel structures (such as BPF programs) that are being freed concurrently, potentially leading to use-after-free conditions, memory corruption, or privilege escalation. The vulnerability affects multiple stable Linux kernel versions and has patches available across multiple kernel branches (6.12.77, 6.19.7, 7.0-rc2, and others as indicated by the git commit references).
Use-after-free in Linux kernel traffic control (net/sched) occurs when act_ct action returns TC_ACT_CONSUMED while a packet is held by the defragmentation engine, allowing local authenticated attackers with low privileges to achieve code execution, denial of service, or information disclosure. Affects Linux kernel 6.8 through 6.12.x and 6.18.x series. Vendor patches available across multiple stable branches (commits 524ce8b4, 380ad8b7, 9deda0fc, 11cb63b0). EPSS score of 0.02% (4th percentile) indicates very low observed exploitation likelihood despite 7.8 CVSS rating. No active exploitation confirmed; not listed in CISA KEV.
Out-of-bounds read in Linux kernel's AppArmor subsystem allows local authenticated attackers to disclose kernel memory and potentially crash the system via maliciously crafted security policies. Affects Linux kernels from 3.4 onwards with patches released for stable branches 6.12.77, 6.18.18, 6.19.8, and 7.0-rc4. No active exploitation confirmed (not in CISA KEV), EPSS probability low at 0.02%, but Ubuntu rates priority as medium with patches deployed across 729 releases. Requires local access with low privileges (PR:L) and ability to load AppArmor policies.
Local privilege escalation in Linux kernel AppArmor allows low-privilege users to manipulate security policy via confused deputy attack. Attackers pass file descriptors for apparmorfs interfaces to privileged processes, enabling full policy management capabilities including disabling confinement and bypassing user namespace restrictions. Publicly available exploit code exists. EPSS score 0.01% suggests low widespread exploitation probability. Patches released for kernel 6.12.77, 6.18.18, 6.19.8, and 7.0-rc4 with multiple distribution advisories available.
This vulnerability is a race condition in the Linux kernel's F2FS file system that causes flag inconsistency between concurrent atomic commit and checkpoint write operations. The issue affects all Linux kernel versions with F2FS support (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), allowing information disclosure through incorrect inode state recovery after sudden power-off (SPO) scenarios. An attacker with local file system access during atomic write operations could trigger the race condition, leading to potential data inconsistency and information leakage when the system recovers.
A divide-by-zero vulnerability exists in the Linux kernel's rivafb framebuffer driver in the nv3_arb() function, which can be triggered by unprivileged userspace applications via the FBIOPUT_VSCREENINFO ioctl call on /dev/fb* devices. An attacker can crash the kernel by crafting a malicious or misconfigured PCI device that exposes a bogus PRAMDAC MCLK PLL configuration, causing the state->mclk_khz divisor to become zero. This is a Denial of Service vulnerability affecting the Linux kernel across multiple stable versions, with patches available in the kernel git repository.
A vulnerability in the Linux kernel's f2fs (Flash-Friendly File System) implementation fails to validate node footer integrity during asynchronous read and write I/O operations, allowing corrupted node page data to trigger a kernel BUG and cause denial of service. This affects all Linux kernel versions using f2fs, particularly those processing untrusted or fuzzed filesystem images. An attacker with the ability to craft a malicious f2fs filesystem image can trigger a kernel panic when the corrupted node page is written back, resulting in system unavailability.
A logic error in the Linux kernel's AMD GPU driver causes system crashes when two AMD GPUs are present and only one supports ASPM (Active State Power Management). The vulnerability stems from a commit that was erroneously reapplied after being removed in a prior refactoring, leading to incorrect ASPM state evaluation across multiple devices. Systems running affected Linux kernel versions with heterogeneous AMD GPU configurations (mixed ASPM support) will experience denial of service through kernel crashes.
This vulnerability is a memory leak in the Linux kernel's io_uring subsystem, specifically within the zero-copy receive (zcrx) implementation where a page array fails to be deallocated during scatter-gather initialization failures. The vulnerability affects all Linux kernel versions with the vulnerable io_uring/zcrx code path, allowing local attackers with the ability to trigger failed scatter-gather operations to exhaust kernel memory and cause denial of service. No active exploitation has been reported, but this is a kernel memory management issue with straightforward local triggering conditions.
A memory corruption vulnerability exists in the Linux kernel's Google Virtual Ethernet (gve) driver where dynamic queue count changes cause misalignment between the driver's stats region and the NIC's offset calculations. When queue counts increase, the NIC can write past the allocated stats region boundary causing heap corruption; when decreased, stats data becomes misaligned. This affects Linux kernel versions across multiple stable branches (as evidenced by patches in 5.10, 5.15, 6.1, 6.6, 6.7, 6.8, and 6.9 series). The vulnerability is not currently listed as actively exploited in KEV, but represents a critical reliability and security issue for systems using Google Cloud Platform infrastructure with the affected gve driver.
This vulnerability is a resource leak in the Linux kernel's NVMe/FC (NVMe over Fibre Channel) driver where the admin tag set and associated block I/O queue resources fail to be released if controller initialization encounters errors after the admin queue is allocated. The affected product is the Linux kernel across all versions that include the vulnerable nvme-fc code path. An attacker or malicious process could trigger repeated failed NVMe/FC controller initialization attempts to exhaust kernel memory through cumulative tag set leaks, potentially leading to denial of service. This is not actively exploited in the wild (not listed in CISA KEV), but patches are available across multiple kernel branches.
A memory leak vulnerability exists in the Linux kernel's regmap maple tree caching implementation where allocated memory is not freed when the mas_store_gfp() function fails during a write operation. This affects all Linux kernel versions containing the vulnerable regcache_maple_write() function, potentially allowing local attackers to exhaust kernel memory through repeated cache write failures. While no CVSS score or EPSS data is currently available, the vulnerability has been assigned CVE-2026-23260 and multiple stable kernel patches are available, indicating this is a recognized and actively addressed issue.
A memory management vulnerability exists in the Linux kernel's io_uring subsystem where allocated iovec buffers may fail to be properly freed when a read/write request cannot be recycled back to the rw_cache. This affects all Linux kernel versions with the vulnerable io_uring/rw code path, potentially allowing local attackers to trigger memory leaks that degrade system performance or enable denial of service conditions. The vulnerability has been patched in the Linux kernel stable trees as evidenced by the provided commit references.
A memory leak vulnerability exists in the Linux kernel's Liquidio network driver within the setup_nic_devices() function where the netdev pointer is not initialized in the oct->props[i].netdev structure before calling queue setup functions. If netif_set_real_num_rx_queues() or netif_set_real_num_tx_queues() fail, the allocated netdev memory is not freed because the cleanup function liquidio_destroy_nic_device() cannot locate it via the NULL pointer. This affects all Linux kernel versions with the Liquidio driver and allows for memory exhaustion through repeated device initialization failures.
A memory leak vulnerability exists in the Linux kernel's liquidio network driver within the setup_nic_devices() function, where an off-by-one error in the cleanup loop causes failure to deallocate the last successfully allocated device during error handling. The vulnerability affects Linux kernel versions across multiple stable branches (as evidenced by patches in 4.9, 4.14, 4.19, 5.4, 5.10, 5.15, and 5.16 stable trees per the kernel.org references). While this is a local denial-of-service vector through memory exhaustion rather than a direct code execution path, it could be leveraged by unprivileged users to degrade system stability over time.
This vulnerability is an off-by-one error in the Linux kernel's liquidio driver that causes a memory leak during virtual function (VF) setup failure cleanup. The vulnerability affects the Linux kernel across all versions where the liquidio net driver is compiled, as identified through the affected CPE (cpe:2.3:a:linux:linux). While this is a memory leak rather than a direct code execution vulnerability, it can be exploited to exhaust kernel memory resources, leading to denial of service.
A race condition vulnerability exists in the Linux kernel's /proc/net/ptype implementation where concurrent readers and writers violate RCU (Read-Copy-Update) synchronization rules, allowing information disclosure through unsafe access to device pointers. The vulnerability affects all Linux kernel versions with the vulnerable ptype_seq_show() and ptype_seq_next() functions. An attacker with local access can trigger RCU stalls, kernel panics, or read uninitialized kernel memory by racing concurrent packet type structure modifications against /proc/net/ptype reads, potentially leaking sensitive kernel data or causing denial of service.
A vulnerability in the Linux kernel's Generic Receive Offload (GRO) implementation for UDP traffic causes incorrect network offset calculations when processing encapsulated packets. The flaw affects all Linux kernel versions where the GRO subsystem handles UDP encapsulation, as specified in the CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*. When hardware NICs, the tun driver, or veth setups inject packets with the encapsulation flag set, the udp4_gro_complete() function incorrectly computes the outer UDP header pseudo checksum using the inner network offset, leading to checksum validation failures that can disrupt packet processing and potentially cause denial of service or packet drops. No active exploitation has been reported in the wild, and no public proof-of-concept code is known to exist, though the vulnerability is triggered through normal network operations involving UDP-encapsulated traffic.
This vulnerability is a missing exception fixup handler in the LoongArch architecture's BPF JIT compiler that fails to properly recover from memory access exceptions (ADEM) triggered by BPF_PROBE_MEM* instructions. The Linux kernel on LoongArch systems (CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) is affected, potentially allowing information disclosure or denial of service when BPF programs attempt to safely probe memory locations. This is not actively exploited (no KEV status), but patches are available across multiple stable kernel branches.
A resource management vulnerability exists in the Linux kernel's Btrfs filesystem implementation where qgroup data reservations are incorrectly freed when an inline extent creation fails due to -ENOSPC (no space available). This causes the kernel to prematurely release qgroup quota accounting for data that will actually be used when the operation falls back to the normal copy-on-write path, potentially leading to qgroup quota inconsistencies and information disclosure about quota state. All Linux distributions using Btrfs with qgroup quota tracking enabled are affected. While no CVSS score or EPSS risk score has been assigned, the vulnerability has stable patches available in the Linux kernel repository.
A resource leak vulnerability exists in the Linux kernel's btrfs filesystem implementation where reserved qgroup data fails to be freed in error paths during inline extent insertion operations. This affects all Linux versions with vulnerable btrfs code, and allows local attackers with filesystem write access to exhaust kernel memory resources through repeated failed inline extent insertions, potentially causing denial of service. No active exploitation in the wild has been reported, but kernel memory exhaustion vulnerabilities are routinely targeted by local privilege escalation chains.
Linux kernel DVB digital video recorder driver allows local authenticated users to trigger use-after-free conditions via stale waitqueue entries, potentially achieving privilege escalation to root or causing kernel crashes. The vulnerability stems from improper waitqueue reinitialization when reopening DVR devices, orphaning existing epoll/io_uring poll entries. Affects Linux kernel versions from 2.6.17 through 6.19.6, with patches available in 6.12.77, 6.18.17, 6.19.7, and 7.0-rc2. EPSS score of 0.02% (4th percentile) indicates low observed exploitation activity, though CVSS 7.8 reflects high impact if local access is obtained.
A memory allocation failure vulnerability exists in the Linux kernel's XFS filesystem checking code where the xchk_xfile_*_descr macros call kasprintf with formatted strings that can exceed safe allocation limits, leading to potential denial of service or information disclosure. This affects Linux kernel versions 6.6 through 6.14 and later releases including 6.18.16, 6.19.6, and 7.0-rc1, with the vulnerability discoverable through syzbot fuzzing by researcher Jiaming Zhang. While no active exploitation has been confirmed, the issue represents a path to failure in a core filesystem validation component that could be triggered by malicious or malformed filesystem structures.
This vulnerability in the Linux kernel's XFS filesystem code involves improper pointer validation in xfarray and xfblob destructor functions, where the destructors can be called with invalid (dangling) pointers if the pointer is not properly nulled after deallocation. The vulnerability affects Linux kernel versions 6.9 through 6.10 and later patch versions, potentially allowing information disclosure or system instability. While no CVSS score or exploitation data is publicly available, the fix was backported across multiple kernel versions (6.12.75, 6.18.16, 6.19.6, 7.0-rc1) indicating recognition of the issue's significance across the kernel maintenance community.
A null pointer dereference vulnerability exists in the XFS filesystem checker (xchk_scrub_create_subord) in the Linux kernel, where the function returns a mangled ENOMEM error instead of NULL, and callers fail to properly validate the return value. This affects Linux kernel versions 6.2 through 6.10 and later stable branches, potentially allowing a local attacker with filesystem access to trigger a denial of service condition through unhandled memory allocation failures during XFS filesystem integrity checks.
A null pointer dereference vulnerability exists in the Linux kernel's XFS filesystem repair code when revalidating B-tree structures during fsck operations. The vulnerability affects Linux kernel versions across multiple release branches (6.8, 6.12.75, 6.18.16, 6.19.6, and 7.0-rc1) when the xfs_scrub utility attempts to repair both the free space B-tree (bnobt) and count B-tree (cntbt) simultaneously. An authenticated attacker with fsck/scrub privileges can trigger a kernel crash (denial of service) by injecting corruption markers via XFS_IOC_ERROR_INJECTION ioctl, causing the kernel to crash when the second B-tree revalidation is attempted after the first one fails and nullifies a required cursor.