Skip to main content

Linux

12819 CVEs vendor

Monthly

In the Linux kernel, the following vulnerability has been resolved: xen/events: Return -EEXIST for bound VIRQs Change find_virq() to return -EEXIST when a VIRQ is bound to a different CPU than the.

Linux Information Disclosure Linux Kernel
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: xsk: Harden userspace-supplied xdp_desc validation Turned out certain clearly invalid values passed in xdp_desc from userspace can.

Linux Buffer Overflow Linux Kernel
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU in ip6_output() Use RCU in ip6_output() in order to use dst_dev_rcu() to prevent possible UAF. No vendor patch available.

Linux Information Disclosure Linux Kernel
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: EDAC/i10nm: Skip DIMM enumeration on a disabled memory controller When loading the i10nm_edac driver on some Intel Granite Rapids. No vendor patch available.

Intel Linux Buffer Overflow Linux Kernel
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe() The drv->sram_reg pointer could be set to.

Linux Information Disclosure Linux Kernel
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: debugfs: Fix legacy mode page table dump logic In legacy mode, SSPTPTR is ignored if TT is not 00b or 01b.

Linux Information Disclosure Canonical Linux Kernel
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping When an invalid value is passed via quirk option, currently bytcr_rt5640.

Intel Linux Information Disclosure Linux Kernel
NVD
EPSS
0.1%

In the Linux kernel, the following vulnerability has been resolved: mm: hugetlb: avoid soft lockup when mprotect to large memory area When calling mprotect() to a large hugetlb memory area in our.

Linux Information Disclosure Linux Kernel
NVD
EPSS
0.1%

In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix bootup splat with separate_gpu_drm modparam The drm_gem_for_each_gpuvm_bo() call from lookup_vma() accesses. No vendor patch available.

Linux Qualcomm Information Disclosure Linux Kernel
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: No support of struct argument in trampoline programs The current implementation does not support struct argument. No vendor patch available.

Linux Information Disclosure Linux Kernel
NVD
EPSS
0.0%
CVE-2025-40150 Monitor

Linux kernel F2FS filesystem implementation contains a race condition between garbage collection and block allocation that causes segment type inconsistencies, leading to filesystem shutdown. The vulnerability affects systems using F2FS with pinned files during concurrent fallocate and writepage operations. While the EPSS score is low at 0.03%, this is a kernel-level denial of service affecting data availability on affected systems.

Linux Linux Kernel Denial Of Service Race Condition
NVD
EPSS
0.0%
CVE-2025-40149 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock(). Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Memory Corruption Linux Information Disclosure Use After Free
NVD
CVSS 3.1
7.8
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL pointer checks in dc_stream cursor attribute functions The function dc_stream_set_cursor_attributes(). No vendor patch available.

Denial Of Service Linux Amd Linux Kernel
NVD
EPSS
0.0%
CVE-2025-40147 Monitor

Linux kernel block I/O throttling subsystem crashes with a NULL pointer dereference when I/O operations are submitted during early initialization before throttle policy is fully activated, causing denial of service on affected systems. The vulnerability affects the block layer's throttle policy initialization sequence and is triggered sporadically on cold boots when blk_should_throtl() accesses uninitialized throttle group state. With an EPSS score of 0.03% (10th percentile) and no public exploit identified, this is a low-probability but high-impact local crash condition requiring a kernel patch to fully resolve.

Linux Linux Kernel Null Pointer Dereference Denial Of Service Race Condition
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix potential deadlock while nr_requests grown Allocate and free sched_tags while queue is freezed can deadlock[1], this is. No vendor patch available.

Linux Information Disclosure IBM Linux Kernel
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: PCI/pwrctrl: Fix double cleanup on devm_add_action_or_reset() failure When devm_add_action_or_reset() fails, it calls the passed. No vendor patch available.

Linux Information Disclosure Linux Kernel
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: bpf: dont report verifier bug for missing bpf_scc_visit on speculative path Syzbot generated a program that triggers a. No vendor patch available.

Linux Information Disclosure Linux Kernel
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on PREEMPT_RT snd_pcm_group_lock_irq() acquires a spinlock_t and. No vendor patch available.

Linux Information Disclosure Linux Kernel
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix possible UAF on iso_conn_free This attempt to fix similar issue to sco_conn_free where if the conn->sk is not.

Linux Information Disclosure Linux Kernel
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb.

Linux Information Disclosure Linux Kernel
NVD
EPSS
0.1%

In the Linux kernel, the following vulnerability has been resolved: smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set(). No vendor patch available.

Linux Information Disclosure Linux Kernel
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid NULL pointer dereference in f2fs_check_quota_consistency() syzbot reported a f2fs bug as below: Oops: gen[. No vendor patch available.

Denial Of Service Linux Canonical Linux Kernel
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to truncate first page in error path of f2fs_truncate() syzbot reports a bug as below: loop0: detected capacity change.

Linux Information Disclosure Linux Kernel
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/qm - request reserved interrupt for virtual function The device interrupt vector 3 is an error interrupt for. No vendor patch available.

Linux Information Disclosure Linux Kernel
NVD
EPSS
0.0%
CVE-2025-40135 Monitor

Linux kernel IPv6 packet transmission uses unsafe device reference handling in ip6_xmit() function, creating a use-after-free (UAF) vulnerability where the destination device pointer may be accessed after being freed. This affects all Linux kernel versions prior to patched stable releases, potentially allowing local or remote attackers to trigger memory corruption and information disclosure via crafted IPv6 traffic or network configuration changes. No active exploitation has been confirmed, and the EPSS score of 0.03% (10th percentile) indicates low real-world exploitation probability despite the underlying memory safety issue.

Linux Linux Kernel Use After Free
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: dm: fix NULL pointer dereference in __dm_suspend() There is a race condition between dm device suspend and table load that can lead.

Denial Of Service Linux Linux Kernel
NVD
EPSS
0.1%

In the Linux kernel, the following vulnerability has been resolved: mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable(). No vendor patch available.

Linux Information Disclosure Linux Kernel
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback In create_sdw_dailink() check that sof_end->codec_info->add_sidecar. No vendor patch available.

Intel Linux Information Disclosure Linux Kernel
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu() In ath12k_dp_mon_rx_deliver_msdu(), peer lookup fails because. No vendor patch available.

Linux Authentication Bypass Linux Kernel
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix data race in CPU latency PM QoS request handling The cpu_latency_qos_add/remove/update_request interfaces lack. No vendor patch available.

Linux Information Disclosure Linux Kernel
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix null pointer dereference on zero-length checksum In xdr_stream_decode_opaque_auth(), zero-length checksum.len causes.

Denial Of Service Linux Linux Kernel
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: hwrng: ks-sa - fix division by zero in ks_sa_rng_init Fix division by zero in ks_sa_rng_init caused by missing clock pointer.

Linux Information Disclosure Linux Kernel
NVD
EPSS
0.1%

In the Linux kernel, the following vulnerability has been resolved: sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC The referenced commit introduced exception handlers.

Linux Information Disclosure Linux Kernel
NVD
EPSS
0.1%

In the Linux kernel, the following vulnerability has been resolved: blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx In __blk_mq_update_nr_hw_queues() the return value.

Linux Information Disclosure Linux Kernel
NVD
EPSS
0.1%

In the Linux kernel, the following vulnerability has been resolved: sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III Anthony Yznaga tracked down that a BUG_ON in ext4.

Linux Information Disclosure Linux Kernel
NVD
EPSS
0.1%

In the Linux kernel, the following vulnerability has been resolved: bpf: Enforce expected_attach_type for tailcall compatibility Yinhao et al.

Denial Of Service Linux Linux Kernel
NVD
EPSS
0.1%

In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error When running perf_fuzzer on PTL, sometimes the below "unchecked MSR access. No vendor patch available.

Intel Linux Information Disclosure Linux Kernel
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping When an invalid value is passed via quirk option, currently bytcr_rt5640.

Intel Linux Information Disclosure Linux Kernel
NVD
EPSS
0.1%

In the Linux kernel, the following vulnerability has been resolved: net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock Prevent USB runtime PM (autosuspend) for AX88772* in bind.

Linux Information Disclosure Linux Kernel
NVD
EPSS
0.1%
CVE-2025-40119 Monitor

In the Linux kernel, the following vulnerability has been resolved: ext4: fix potential null deref in ext4_mb_init() In ext4_mb_init(), ext4_mb_avg_fragment_size_destroy() may be called when sbi->s_mb_avg_fragment_size remains uninitialized (e.g., if groupinfo slab cache allocation fails). Since ext4_mb_avg_fragment_size_destroy() lacks null pointer checking, this leads to a null pointer dereference. ================================================================== EXT4-fs: no memory for groupinfo slab cache BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: Oops: 0002 [#1] SMP PTI CPU:2 UID: 0 PID: 87 Comm:mount Not tainted 6.17.0-rc2 #1134 PREEMPT(none) RIP: 0010:_raw_spin_lock_irqsave+0x1b/0x40 Call Trace: <TASK> xa_destroy+0x61/0x130 ext4_mb_init+0x483/0x540 __ext4_fill_super+0x116d/0x17b0 ext4_fill_super+0xd3/0x280 get_tree_bdev_flags+0x132/0x1d0 vfs_get_tree+0x29/0xd0 do_new_mount+0x197/0x300 __x64_sys_mount+0x116/0x150 do_syscall_64+0x50/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e ================================================================== Therefore, add necessary null check to ext4_mb_avg_fragment_size_destroy() to prevent this issue. The same fix is also applied to ext4_mb_largest_free_orders_destroy().

Linux Denial Of Service Linux Kernel
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod Since commit f7b705c238d1 ("scsi: pm80xx: Set phy_attached to zero when.

Linux Buffer Overflow Linux Kernel
NVD
EPSS
0.1%

In the Linux kernel, the following vulnerability has been resolved: misc: pci_endpoint_test: Fix array underflow in pci_endpoint_test_ioctl() Commit eefb83790a0d ("misc: pci_endpoint_test: Add. No vendor patch available.

Linux Information Disclosure Linux Kernel
NVD VulDB
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup The kthread_run() function returns error pointers so the.

Linux Information Disclosure Linux Kernel
NVD VulDB
EPSS
0.1%

In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() During mpt3sas_transport_port_remove(), messages were logged.

Dell Linux Denial Of Service Canonical Linux Kernel
NVD VulDB
EPSS
0.1%

In the Linux kernel, the following vulnerability has been resolved: remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E The ADSP firmware on X1E has separate firmware binaries for the main firmware. No vendor patch available.

Denial Of Service Linux Linux Kernel
NVD VulDB
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara The referenced commit introduced exception handlers on.

Denial Of Service Linux Linux Kernel
NVD VulDB
EPSS
0.1%

In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix Use-after-free in validation Nodes stored in the validation duplicates hashtable come from an arena allocator that.

Linux Information Disclosure Linux Kernel
NVD VulDB
EPSS
0.1%

In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix a null-ptr access in the cursor snooper Check that the resource which is converted to a surface exists before.

Linux Information Disclosure Linux Kernel
NVD VulDB
EPSS
0.1%

In the Linux kernel, the following vulnerability has been resolved: crypto: rng - Ensure set_ent is always present Ensure that set_ent is always set since only drbg provides it.

Linux Information Disclosure Linux Kernel
NVD
EPSS
0.1%

In the Linux kernel, the following vulnerability has been resolved: serial: qcom-geni: Fix blocked task Revert commit 1afa70632c39 ("serial: qcom-geni: Enable PM runtime for serial driver") and its. No vendor patch available.

Linux Qualcomm Information Disclosure Linux Kernel
NVD
EPSS
0.0%

In the Linux kernel, the following vulnerability has been resolved: can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled This issue is similar to the.

Denial Of Service Linux Linux Kernel
NVD
EPSS
0.1%
CVE-2025-40105 Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: vfs: Don't leak disconnected dentries on umount When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitely relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are "leaked". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous "Busy inodes after unmount" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well.

Linux Information Disclosure
NVD
EPSS
0.2%
CVE-2025-40103 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix refcount leak for cifs_sb_tlink Fix three refcount inconsistency issues related to `cifs_sb_tlink`. Comments for `cifs_sb_tlink` state that `cifs_put_tlink()` needs to be called after successful calls to `cifs_sb_tlink()`. Three calls fail to update refcount accordingly, leading to possible resource leaks.

Linux Information Disclosure
NVD
EPSS
0.1%
CVE-2025-40080 Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: nbd: restrict sockets to TCP and UDP Recently, syzbot started to abuse NBD with all kinds of sockets. Commit cf1b2326b734 ("nbd: verify socket is supported during setup") made sure the socket supported a shutdown() method. Explicitely accept TCP and UNIX stream sockets.

Linux Information Disclosure
NVD
EPSS
0.2%
CVE-2025-40078 Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: bpf: Explicitly check accesses to bpf_sock_addr Syzkaller found a kernel warning on the following sock_addr program: 0: r0 = 0 1: r2 = *(u32 *)(r1 +60) 2: exit which triggers: verifier bug: error during ctx access conversion (0) This is happening because offset 60 in bpf_sock_addr corresponds to an implicit padding of 4 bytes, right after msg_src_ip4. Access to this padding isn't rejected in sock_addr_is_valid_access and it thus later fails to convert the access. This patch fixes it by explicitly checking the various fields of bpf_sock_addr in sock_addr_is_valid_access. I checked the other ctx structures and is_valid_access functions and didn't find any other similar cases. Other cases of (properly handled) padding are covered in new tests in a subsequent patch.

Linux Information Disclosure
NVD
EPSS
0.2%
CVE-2025-40070 Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: pps: fix warning in pps_register_cdev when register device fail Similar to previous commit 2a934fdb01db ("media: v4l2-dev: fix error handling in __video_register_device()"), the release hook should be set before device_register(). Otherwise, when device_register() return error and put_device() try to callback the release function, the below warning may happen. ------------[ cut here ]------------ WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567 Modules linked in: CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567 Call Trace: <TASK> kobject_cleanup+0x136/0x410 lib/kobject.c:689 kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0xe9/0x130 lib/kobject.c:737 put_device+0x24/0x30 drivers/base/core.c:3797 pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402 pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108 pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57 tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432 tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563 tiocsetd drivers/tty/tty_io.c:2429 [inline] tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:598 [inline] __se_sys_ioctl fs/ioctl.c:584 [inline] __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> Before commit c79a39dc8d06 ("pps: Fix a use-after-free"), pps_register_cdev() call device_create() to create pps->dev, which will init dev->release to device_create_release(). Now the comment is outdated, just remove it. Thanks for the reminder from Calvin Owens, 'kfree_pps' should be removed in pps_register_source() to avoid a double free in the failure case.

Linux Information Disclosure
NVD
EPSS
0.2%
CVE-2025-40022 Monitor

In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Fix incorrect boolean values in af_alg_ctx Commit 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg") changed some fields from bool to 1-bit bitfields of type u32. However, some assignments to these fields, specifically 'more' and 'merge', assign values greater than 1. These relied on C's implicit conversion to bool, such that zero becomes false and nonzero becomes true. With a 1-bit bitfields of type u32 instead, mod 2 of the value is taken instead, resulting in 0 being assigned in some cases when 1 was intended. Fix this by restoring the bool type.

Information Disclosure Linux
NVD
EPSS
0.1%
CVE-2025-40016 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID Per UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero unique ID. ``` Each Unit and Terminal within the video function is assigned a unique identification number, the Unit ID (UID) or Terminal ID (TID), contained in the bUnitID or bTerminalID field of the descriptor. The value 0x00 is reserved for undefined ID, ``` If we add a new entity with id 0 or a duplicated ID, it will be marked as UVC_INVALID_ENTITY_ID. In a previous attempt commit 3dd075fe8ebb ("media: uvcvideo: Require entities to have a non-zero unique ID"), we ignored all the invalid units, this broke a lot of non-compatible cameras. Hopefully we are more lucky this time. This also prevents some syzkaller reproducers from triggering warnings due to a chain of entities referring to themselves. In one particular case, an Output Unit is connected to an Input Unit, both with the same ID of 1. But when looking up for the source ID of the Output Unit, that same entity is found instead of the input entity, which leads to such warnings. In another case, a backward chain was considered finished as the source ID was 0. Later on, that entity was found, but its pads were not valid. Here is a sample stack trace for one of those cases. [ 20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 20.830206] usb 1-1: Using ep0 maxpacket: 8 [ 20.833501] usb 1-1: config 0 descriptor?? [ 21.038518] usb 1-1: string descriptor 0 read error: -71 [ 21.038893] usb 1-1: Found UVC 0.00 device <unnamed> (2833:0201) [ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized! [ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized! [ 21.042218] ------------[ cut here ]------------ [ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0 [ 21.043195] Modules linked in: [ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444 [ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 [ 21.044639] Workqueue: usb_hub_wq hub_event [ 21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0 [ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 <0f> 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00 [ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246 [ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1 [ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290 [ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000 [ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003 [ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000 [ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000 [ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0 [ 21.051136] PKRU: 55555554 [ 21.051331] Call Trace: [ 21.051480] <TASK> [ 21.051611] ? __warn+0xc4/0x210 [ 21.051861] ? media_create_pad_link+0x2c4/0x2e0 [ 21.052252] ? report_bug+0x11b/0x1a0 [ 21.052540] ? trace_hardirqs_on+0x31/0x40 [ 21.052901] ? handle_bug+0x3d/0x70 [ 21.053197] ? exc_invalid_op+0x1a/0x50 [ 21.053511] ? asm_exc_invalid_op+0x1a/0x20 [ 21.053924] ? media_create_pad_link+0x91/0x2e0 [ 21.054364] ? media_create_pad_link+0x2c4/0x2e0 [ 21.054834] ? media_create_pad_link+0x91/0x2e0 [ 21.055131] ? _raw_spin_unlock+0x1e/0x40 [ 21.055441] ? __v4l2_device_register_subdev+0x202/0x210 [ 21.055837] uvc_mc_register_entities+0x358/0x400 [ 21.056144] uvc_register_chains+0x1 ---truncated---

Linux Information Disclosure
NVD
EPSS
0.0%
CVE-2025-40005 MEDIUM PATCH This Month

Kernel crash in Linux kernel Cadence QSPI driver (cadence-quadspi) allows authenticated local attackers with moderate privileges to cause denial of service by unbinding the driver during active indirect read or write operations. The vulnerability affects Linux kernel versions including 6.17-rc1 through rc4 and potentially earlier versions; exploitation requires root access to force device removal, but the EPSS score of 0.01% indicates minimal real-world exploitation probability despite the availability of upstream fixes in stable kernel branches.

Denial Of Service Linux
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-39997 Monitor

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal") patched a UAF issue caused by the error timer. However, because the error timer kill added in this patch occurs after the endpoint delete, a race condition to UAF still occurs, albeit rarely. Additionally, since kill-cleanup for urb is also missing, freed memory can be accessed in interrupt context related to urb, which can cause UAF. Therefore, to prevent this, error timer and urb must be killed before freeing the heap memory.

Linux Information Disclosure
NVD
EPSS
0.0%
CVE-2025-39981 Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix possible UAFs This attemps to fix possible UAFs caused by struct mgmt_pending being freed while still being processed like in the following trace, in order to fix mgmt_pending_valid is introduce and use to check if the mgmt_pending hasn't been removed from the pending list, on the complete callbacks it is used to check and in addtion remove the cmd from the list while holding mgmt_pending_lock to avoid TOCTOU problems since if the cmd is left on the list it can still be accessed and freed. BUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223 Read of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55 CPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223 hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x711/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 12210: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269 mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296 __add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247 add_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364 hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719 hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:729 sock_write_iter+0x258/0x330 net/socket.c:1133 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 12221: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2381 [inline] slab_free mm/slub.c:4648 [inline] kfree+0x18e/0x440 mm/slub.c:4847 mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline] mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257 __mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444 hci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290 hci_dev_do_close net/bluetooth/hci_core.c:501 [inline] hci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526 sock_do_ioctl+0xd9/0x300 net/socket.c:1192 sock_ioctl+0x576/0x790 net/socket.c:1313 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf ---truncated---

Linux Information Disclosure
NVD
EPSS
0.0%
CVE-2025-39980 Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: nexthop: Forbid FDB status change while nexthop is in a group The kernel forbids the creation of non-FDB nexthop groups with FDB nexthops: # ip nexthop add id 1 via 192.0.2.1 fdb # ip nexthop add id 2 group 1 Error: Non FDB nexthop group cannot have fdb nexthops. And vice versa: # ip nexthop add id 3 via 192.0.2.2 dev dummy1 # ip nexthop add id 4 group 3 fdb Error: FDB nexthop group can only have fdb nexthops. However, as long as no routes are pointing to a non-FDB nexthop group, the kernel allows changing the type of a nexthop from FDB to non-FDB and vice versa: # ip nexthop add id 5 via 192.0.2.2 dev dummy1 # ip nexthop add id 6 group 5 # ip nexthop replace id 5 via 192.0.2.2 fdb # echo $? 0 This configuration is invalid and can result in a NPD [1] since FDB nexthops are not associated with a nexthop device: # ip route add 198.51.100.1/32 nhid 6 # ping 198.51.100.1 Fix by preventing nexthop FDB status change while the nexthop is in a group: # ip nexthop add id 7 via 192.0.2.2 dev dummy1 # ip nexthop add id 8 group 7 # ip nexthop replace id 7 via 192.0.2.2 fdb Error: Cannot change nexthop FDB status while in a group. [1] BUG: kernel NULL pointer dereference, address: 00000000000003c0 [...] Oops: Oops: 0000 [#1] SMP CPU: 6 UID: 0 PID: 367 Comm: ping Not tainted 6.17.0-rc6-virtme-gb65678cacc03 #1 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014 RIP: 0010:fib_lookup_good_nhc+0x1e/0x80 [...] Call Trace: <TASK> fib_table_lookup+0x541/0x650 ip_route_output_key_hash_rcu+0x2ea/0x970 ip_route_output_key_hash+0x55/0x80 __ip4_datagram_connect+0x250/0x330 udp_connect+0x2b/0x60 __sys_connect+0x9c/0xd0 __x64_sys_connect+0x18/0x20 do_syscall_64+0xa4/0x2a0 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Denial Of Service Linux
NVD VulDB
EPSS
0.2%
CVE-2025-39978 Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: Fix potential use after free in otx2_tc_add_flow() This code calls kfree_rcu(new_node, rcu) and then dereferences "new_node" and then dereferences it on the next line. Two lines later, we take a mutex so I don't think this is an RCU safe region. Re-order it to do the dereferences before queuing up the free.

Denial Of Service Linux
NVD
EPSS
0.2%
CVE-2025-39977 Monitor

In the Linux kernel, the following vulnerability has been resolved: futex: Prevent use-after-free during requeue-PI syzbot managed to trigger the following race: T1 T2 futex_wait_requeue_pi() futex_do_wait() schedule() futex_requeue() futex_proxy_trylock_atomic() futex_requeue_pi_prepare() requeue_pi_wake_futex() futex_requeue_pi_complete() /* preempt */ * timeout/ signal wakes T1 * futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED futex_hash_put() // back to userland, on stack futex_q is garbage /* back */ wake_up_state(q->task, TASK_NORMAL); In this scenario futex_wait_requeue_pi() is able to leave without using futex_q::lock_ptr for synchronization. This can be prevented by reading futex_q::task before updating the futex_q::requeue_state. A reference on the task_struct is not needed because requeue_pi_wake_futex() is invoked with a spinlock_t held which implies a RCU read section. Even if T1 terminates immediately after, the task_struct will remain valid during T2's wake_up_state(). A READ_ONCE on futex_q::task before futex_requeue_pi_complete() is enough because it ensures that the variable is read before the state is updated. Read futex_q::task before updating the requeue state, use it for the following wakeup.

Information Disclosure Linux
NVD
EPSS
0.0%
CVE-2025-39964 LOW PATCH Monitor

Concurrent write access to AF_ALG cryptographic sockets in the Linux kernel corrupts internal socket state and interleaves cryptographic data in an unpredictable manner, undermining the integrity and availability of kernel crypto operations for local users. The flaw spans multiple stable kernel branches up to and including 6.17-rc4, with six upstream patch commits available. No public exploit or active exploitation has been identified; the Siemens SSA-019113 advisory confirms downstream impact on industrial and embedded Linux-based products.

Linux Information Disclosure
NVD
CVSS 3.1
3.3
EPSS
0.2%
CVE-2025-11561 HIGH PATCH This Week

A privilege escalation vulnerability exists in the integration between Active Directory and the System Security Services Daemon (SSSD) on Linux systems, where an attacker with permissions to modify AD attributes can impersonate privileged users by exploiting a fallback mechanism in the Kerberos authentication plugin. The vulnerability affects domain-joined Linux hosts running SSSD in default configurations and allows attackers to gain unauthorized access with high privileges. With a low EPSS score of 0.05% and no KEV listing, this appears to be a theoretical risk requiring existing AD permissions rather than an actively exploited vulnerability.

Authentication Bypass Privilege Escalation Linux Red Hat Suse
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-39955 HIGH PATCH This Week

A local privilege-boundary/state-handling flaw in the Linux kernel's TCP stack lets an unprivileged user leave a stale TCP Fast Open request socket (fastopen_rsk) attached to a socket after tcp_disconnect(), which the retransmit timer later dereferences. By abusing accept() → connect(AF_UNSPEC) → connect() on a server-side TFO socket before the 3-way handshake completes, an attacker drives the socket into TCP_ESTABLISHED while retaining fastopen_rsk, triggering a kernel WARNING in tcp_retransmit_timer() and a failed retransmission. There is no public exploit identified at time of analysis, and the issue is not in CISA KEV; it was found by syzbot and resolved upstream by calling reqsk_fastopen_remove() in tcp_disconnect().

Debian Linux Information Disclosure
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2023-53673 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: call disconnect callback before deleting conn In hci_cs_disconnect, we do hci_conn_del even if disconnection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Denial Of Service Linux Memory Corruption Linux Kernel +2
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2023-53629 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: fs: dlm: fix use after free in midcomms commit While working on processing dlm message in softirq context I experienced the. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Linux Red Hat Use After Free Memory Corruption Denial Of Service +2
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2022-50552 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: blk-mq: use quiesced elevator switch when reinitializing queues The hctx's run_work may be racing with the elevator switch when. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Denial Of Service Memory Corruption Linux Linux Kernel +2
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2022-50535 MEDIUM PATCH This Month

A null pointer dereference vulnerability exists in the Linux kernel's AMD display driver (drm/amd/display) within the dm_resume() function, where the aconnector->dc_link pointer is dereferenced without proper null checks. An unprivileged local attacker with user-level access can trigger a kernel panic and cause a denial of service by inducing a display resume operation. While the CVSS score is moderate (5.5) and EPSS exploitation probability is very low (0.01%), this vulnerability is straightforward to trigger given local access and affects all Linux kernel versions with the vulnerable AMD display driver code.

Linux Denial Of Service Null Pointer Dereference Linux Kernel Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2022-50534 MEDIUM PATCH This Month

A logic error in the Linux kernel's device mapper thin pool module causes infinite loops and system hangs when metadata commits fail. The vulnerability affects Linux kernel systems with dm-thin storage pools; when a commit fails during btree metadata operations, the pmd->root pointer is not properly restored to the last valid transaction state, causing subsequent read operations to traverse a corrupted btree structure. An unprivileged local attacker with access to the system can trigger this denial of service condition, resulting in kernel softlockups and system hangs. While no public exploit code is widely distributed, the vulnerability is straightforward to trigger through storage I/O operations on affected systems.

Linux Denial Of Service Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2022-50533 MEDIUM PATCH This Month

A null pointer dereference vulnerability exists in the Linux kernel's WiFi mac80211 MLME (MAC Layer Management Entity) implementation that crashes the kernel during WiFi association tracing when an AP connection without link 0 fails. The vulnerability affects all Linux kernel versions with the vulnerable code path in the mac80211 wireless driver subsystem, allowing a local authenticated attacker to trigger a denial of service condition. The EPSS score of 0.01% indicates this is rarely exploited in practice, though patches are publicly available from kernel.org.

Linux Denial Of Service Null Pointer Dereference Linux Kernel Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2022-50532 MEDIUM PATCH This Month

A resource leak vulnerability exists in the Linux kernel's mpt3sas SCSI transport driver where the sas_rphy_add() function can fail without properly freeing allocated resources, leading to a NULL pointer dereference and kernel crash during device removal. This affects Linux kernel implementations across multiple versions that use the mpt3sas driver for SAS (Serial Attached SCSI) HBA management. An unprivileged local attacker with sufficient privileges to trigger transport port operations can cause a denial of service by inducing a kernel panic, though the low EPSS score of 0.01% suggests exploitation is not practically demonstrated in the wild.

Linux Denial Of Service Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2022-50531 MEDIUM PATCH This Month

An information leak vulnerability exists in the Linux kernel's TIPC (Transparent Inter-Process Communication) subsystem within the tipc_topsrv_kern_subscr() function. The vulnerability occurs due to incomplete initialization of the sub.usr_handle field, leaving four bytes uninitialized when setsockopt() is called with SOL_TIPC options, allowing kernel memory contents to be leaked to user space. This affects Linux kernel versions including 6.1-rc1 and potentially others; while the EPSS score is extremely low at 0.01% percentile, the vulnerability requires local access and low privileges to trigger, making it a lower-priority but real information disclosure issue that has been patched by multiple vendors.

Linux Information Disclosure Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2022-50530 MEDIUM PATCH This Month

A null pointer dereference vulnerability exists in the Linux kernel's block layer (blk-mq) memory allocation path that can be triggered by a local, low-privileged user to cause a denial of service. The vulnerability affects Linux kernel versions including 6.1-rc1 and potentially other versions where a failed memory allocation during block queue tag initialization leaves a dangling pointer that is later dereferenced during cleanup. While the EPSS score is low (0.02%, percentile 4%), the vulnerability is straightforward to trigger under memory pressure conditions, requires only local access with minimal privileges, and has vendor patches available.

Linux Null Pointer Dereference Denial Of Service Linux Kernel Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2022-50529 MEDIUM PATCH This Month

A memory leak vulnerability exists in the Linux kernel's test_firmware module initialization function (test_firmware_init) where allocated memory for test_fw_config->name is not properly freed when misc_register() fails. This affects all versions of the Linux kernel with the test_firmware module compiled, allowing local authenticated attackers to exhaust kernel memory and cause a denial of service. The vulnerability has a patch available from the Linux kernel maintainers, with an EPSS score of 0.01% indicating very low real-world exploitation probability despite the moderate CVSS score.

Linux Information Disclosure Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2022-50528 MEDIUM PATCH This Month

A memory leakage and potential segmentation fault vulnerability exists in the Linux kernel's AMD KFD (Kernel Fusion Driver) GPU memory management subsystem, specifically in the _gpuvm_import_dmabuf() function. The vulnerability affects Linux kernel versions across multiple branches and can be exploited by local users with low privilege levels to cause denial of service through memory corruption. Patches are available from the Linux kernel stable branches, and while the EPSS score is very low (0.01%, percentile 3%), the vulnerability has moderate CVSS severity (5.5) due to its ability to cause system availability impact.

Linux Denial Of Service Memory Corruption Linux Kernel Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2022-50527 MEDIUM PATCH This Month

A null pointer dereference vulnerability exists in the Linux kernel's AMD GPU (amdgpu) driver in the amdgpu_bo_validate_size() function. When validating buffer object sizes for non-exclusive memory domains, the function fails to verify that the TTM (Translation Table Maps) domain manager exists before dereferencing it, leading to a kernel oops and denial of service. Local attackers with unprivileged user privileges can trigger this vulnerability to crash the system. While patches are available from the vendor, the EPSS score of 0.01% and very low exploitation probability suggest this is a low-priority issue in practice despite the denial-of-service impact.

Linux Denial Of Service Null Pointer Dereference Linux Kernel Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2022-50526 HIGH PATCH This Week

A memory corruption vulnerability exists in the Linux kernel's MSM display port driver that occurs when more than eight display bridges are connected, allowing local attackers with low privileges to corrupt kernel memory beyond a fixed-size array. The vulnerability affects Linux kernel versions up to 6.1-rc2 and requires local access to exploit, with no known active exploitation in the wild (not in KEV) and a very low EPSS score of 0.02% indicating minimal real-world exploitation likelihood.

Memory Corruption Linux Buffer Overflow Denial Of Service Linux Kernel +2
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2022-50525 MEDIUM PATCH This Month

A resource leak vulnerability exists in the Linux kernel's FSL PAMU (Freescale Peripheral Access Management Unit) IOMMU driver where the fsl_pamu_probe() function fails to release IRQ and memory resources when the create_csd() function returns an error, allowing a local privileged attacker to cause a denial of service through resource exhaustion. The vulnerability affects multiple Linux kernel versions across stable branches and has an EPSS score of 0.01% (percentile 2%), indicating low real-world exploitation probability despite the moderate CVSS 5.5 score. Patches are available from the Linux kernel maintainers across multiple stable branches.

Linux Denial Of Service Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2022-50524 MEDIUM PATCH This Month

A null pointer dereference vulnerability exists in the Linux kernel's MediaTek IOMMU driver where the platform_get_resource() function may return a NULL pointer without proper validation, leading to a crash when resource_size() attempts to dereference it. This affects all versions of the Linux kernel with the vulnerable MediaTek IOMMU code. A local attacker with low privileges can trigger a denial of service by causing a kernel panic, though the vulnerability is unlikely to be actively exploited in the wild given the low EPSS score of 0.01%.

Linux Null Pointer Dereference Denial Of Service Linux Kernel Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2022-50523 MEDIUM PATCH This Month

A memory leak vulnerability exists in the Linux kernel's Rockchip clock driver (rockchip_clk_register_pll function) where allocated memory from kmemdup() is not freed when clk_register() fails, potentially causing denial of service through memory exhaustion. All versions of the Linux kernel with Rockchip clock support are affected. An attacker with local privileges can trigger repeated clock registration failures to exhaust system memory and crash the system, with an EPSS score of 0.01% indicating very low real-world exploitation probability despite the moderate CVSS score of 5.5.

Linux Memory Corruption Denial Of Service Linux Kernel Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2022-50522 LOW PATCH Monitor

CVE-2022-50522 is a security vulnerability (CVSS 3.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Linux Information Disclosure Linux Kernel
NVD VulDB
CVSS 3.1
3.3
EPSS
0.0%
CVE-2022-50521 MEDIUM PATCH This Month

A memory leak vulnerability exists in the Linux kernel's mxm-wmi (MXM WMI) platform driver where the ACPI buffer returned by wmi_evaluate_method() is not properly freed after invocation, leading to kernel memory exhaustion and potential denial of service. The vulnerability affects all versions of the Linux kernel with the mxm-wmi driver enabled, particularly systems with NVIDIA/AMD discrete GPU switching support. A local attacker with standard user privileges can repeatedly trigger the affected code path to exhaust kernel memory and crash the system, though the extremely low EPSS score (0.01th percentile) suggests exploitation is not actively observed in the wild.

Linux Denial Of Service Memory Corruption Linux Kernel Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2022-50520 MEDIUM PATCH This Month

This is a reference counting memory leak in the Linux kernel's radeon graphics driver, specifically in the radeon_atrm_get_bios() function where a PCI device pointer obtained via pci_get_class() is not properly released when loop conditions cause early exit. An authenticated local attacker with low privileges can trigger this vulnerability to cause a denial of service through kernel memory exhaustion, as unreleased PCI device objects accumulate in kernel memory. While no public exploit code exists (EPSS 0.01% indicates minimal real-world exploitation probability), the vulnerability affects all Linux kernel versions running the radeon driver and patches are available across multiple stable kernel series.

Linux Memory Corruption Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2022-50519 MEDIUM PATCH This Month

This vulnerability in the Linux kernel's NILFS2 filesystem causes a kernel panic when the system is booted with panic_on_warn enabled and checkpoint metadata corruption is detected. A local attacker with standard user privileges can trigger this denial of service by crafting malicious NILFS2 filesystem images or corrupting checkpoint metadata on disk, causing the kernel to panic and crash the system. The vulnerability affects multiple Linux kernel versions across several stable branches, with patches available from the vendor, but EPSS exploitation probability remains very low at 0.01 percentile, indicating this is not actively exploited in the wild.

Linux Denial Of Service Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2022-50518 HIGH PATCH This Week

A race condition vulnerability exists in the Linux kernel's parisc architecture-specific firmware call pdc_iodc_print() that allows local attackers to cause buffer overflows and potentially execute arbitrary code. The vulnerability affects Linux kernel versions from 2.6.25 through versions before the patched releases, requiring local access with low privileges to exploit. With an EPSS score of only 0.01%, this vulnerability has very low exploitation likelihood in the wild despite its high CVSS score of 7.8.

Linux Buffer Overflow Race Condition Linux Kernel Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2022-50517 MEDIUM PATCH This Month

A memory corruption vulnerability in the Linux kernel's huge page (THP) split handling causes a soft lockup and denial of service when page->private is incorrectly clobbered during transparent huge page operations. The vulnerability affects Linux kernel versions 5.19 through 6.1-rc1, and while it requires local privilege access to trigger via madvise syscalls, it can reliably cause system hangs under stress conditions such as memory pressure or aggressive swapping scenarios. The EPSS score of 0.02% and lack of widespread active exploitation indicate low real-world risk, though the availability of patches makes remediation straightforward.

Linux Denial Of Service Memory Corruption Use After Free Linux Kernel +2
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2022-50516 MEDIUM PATCH This Month

A denial of service vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Linux Denial Of Service Null Pointer Dereference Linux Kernel Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: xen/events: Return -EEXIST for bound VIRQs Change find_virq() to return -EEXIST when a VIRQ is bound to a different CPU than the.

Linux Information Disclosure Linux Kernel
NVD
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: xsk: Harden userspace-supplied xdp_desc validation Turned out certain clearly invalid values passed in xdp_desc from userspace can.

Linux Buffer Overflow Linux Kernel
NVD
EPSS 0%

In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU in ip6_output() Use RCU in ip6_output() in order to use dst_dev_rcu() to prevent possible UAF. No vendor patch available.

Linux Information Disclosure Linux Kernel
NVD
EPSS 0%

In the Linux kernel, the following vulnerability has been resolved: EDAC/i10nm: Skip DIMM enumeration on a disabled memory controller When loading the i10nm_edac driver on some Intel Granite Rapids. No vendor patch available.

Intel Linux Buffer Overflow +1
NVD
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe() The drv->sram_reg pointer could be set to.

Linux Information Disclosure Linux Kernel
NVD
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: debugfs: Fix legacy mode page table dump logic In legacy mode, SSPTPTR is ignored if TT is not 00b or 01b.

Linux Information Disclosure Canonical +1
NVD
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping When an invalid value is passed via quirk option, currently bytcr_rt5640.

Intel Linux Information Disclosure +1
NVD
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: mm: hugetlb: avoid soft lockup when mprotect to large memory area When calling mprotect() to a large hugetlb memory area in our.

Linux Information Disclosure Linux Kernel
NVD
EPSS 0%

In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix bootup splat with separate_gpu_drm modparam The drm_gem_for_each_gpuvm_bo() call from lookup_vma() accesses. No vendor patch available.

Linux Qualcomm Information Disclosure +1
NVD
EPSS 0%

In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: No support of struct argument in trampoline programs The current implementation does not support struct argument. No vendor patch available.

Linux Information Disclosure Linux Kernel
NVD
EPSS 0%
Monitor

Linux kernel F2FS filesystem implementation contains a race condition between garbage collection and block allocation that causes segment type inconsistencies, leading to filesystem shutdown. The vulnerability affects systems using F2FS with pinned files during concurrent fallocate and writepage operations. While the EPSS score is low at 0.03%, this is a kernel-level denial of service affecting data availability on affected systems.

Linux Linux Kernel Denial Of Service +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock(). Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Memory Corruption Linux Information Disclosure +1
NVD
EPSS 0%

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL pointer checks in dc_stream cursor attribute functions The function dc_stream_set_cursor_attributes(). No vendor patch available.

Denial Of Service Linux Amd +1
NVD
EPSS 0%
Monitor

Linux kernel block I/O throttling subsystem crashes with a NULL pointer dereference when I/O operations are submitted during early initialization before throttle policy is fully activated, causing denial of service on affected systems. The vulnerability affects the block layer's throttle policy initialization sequence and is triggered sporadically on cold boots when blk_should_throtl() accesses uninitialized throttle group state. With an EPSS score of 0.03% (10th percentile) and no public exploit identified, this is a low-probability but high-impact local crash condition requiring a kernel patch to fully resolve.

Linux Linux Kernel Null Pointer Dereference +2
NVD
EPSS 0%

In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix potential deadlock while nr_requests grown Allocate and free sched_tags while queue is freezed can deadlock[1], this is. No vendor patch available.

Linux Information Disclosure IBM +1
NVD
EPSS 0%

In the Linux kernel, the following vulnerability has been resolved: PCI/pwrctrl: Fix double cleanup on devm_add_action_or_reset() failure When devm_add_action_or_reset() fails, it calls the passed. No vendor patch available.

Linux Information Disclosure Linux Kernel
NVD
EPSS 0%

In the Linux kernel, the following vulnerability has been resolved: bpf: dont report verifier bug for missing bpf_scc_visit on speculative path Syzbot generated a program that triggers a. No vendor patch available.

Linux Information Disclosure Linux Kernel
NVD
EPSS 0%

In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on PREEMPT_RT snd_pcm_group_lock_irq() acquires a spinlock_t and. No vendor patch available.

Linux Information Disclosure Linux Kernel
NVD
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix possible UAF on iso_conn_free This attempt to fix similar issue to sco_conn_free where if the conn->sk is not.

Linux Information Disclosure Linux Kernel
NVD
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb.

Linux Information Disclosure Linux Kernel
NVD
EPSS 0%

In the Linux kernel, the following vulnerability has been resolved: smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set(). No vendor patch available.

Linux Information Disclosure Linux Kernel
NVD
EPSS 0%

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid NULL pointer dereference in f2fs_check_quota_consistency() syzbot reported a f2fs bug as below: Oops: gen[. No vendor patch available.

Denial Of Service Linux Canonical +1
NVD
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to truncate first page in error path of f2fs_truncate() syzbot reports a bug as below: loop0: detected capacity change.

Linux Information Disclosure Linux Kernel
NVD
EPSS 0%

In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/qm - request reserved interrupt for virtual function The device interrupt vector 3 is an error interrupt for. No vendor patch available.

Linux Information Disclosure Linux Kernel
NVD
EPSS 0%
Monitor

Linux kernel IPv6 packet transmission uses unsafe device reference handling in ip6_xmit() function, creating a use-after-free (UAF) vulnerability where the destination device pointer may be accessed after being freed. This affects all Linux kernel versions prior to patched stable releases, potentially allowing local or remote attackers to trigger memory corruption and information disclosure via crafted IPv6 traffic or network configuration changes. No active exploitation has been confirmed, and the EPSS score of 0.03% (10th percentile) indicates low real-world exploitation probability despite the underlying memory safety issue.

Linux Linux Kernel Use After Free
NVD
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: dm: fix NULL pointer dereference in __dm_suspend() There is a race condition between dm device suspend and table load that can lead.

Denial Of Service Linux Linux Kernel
NVD
EPSS 0%

In the Linux kernel, the following vulnerability has been resolved: mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable(). No vendor patch available.

Linux Information Disclosure Linux Kernel
NVD
EPSS 0%

In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback In create_sdw_dailink() check that sof_end->codec_info->add_sidecar. No vendor patch available.

Intel Linux Information Disclosure +1
NVD
EPSS 0%

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu() In ath12k_dp_mon_rx_deliver_msdu(), peer lookup fails because. No vendor patch available.

Linux Authentication Bypass Linux Kernel
NVD
EPSS 0%

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix data race in CPU latency PM QoS request handling The cpu_latency_qos_add/remove/update_request interfaces lack. No vendor patch available.

Linux Information Disclosure Linux Kernel
NVD
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix null pointer dereference on zero-length checksum In xdr_stream_decode_opaque_auth(), zero-length checksum.len causes.

Denial Of Service Linux Linux Kernel
NVD
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: hwrng: ks-sa - fix division by zero in ks_sa_rng_init Fix division by zero in ks_sa_rng_init caused by missing clock pointer.

Linux Information Disclosure Linux Kernel
NVD
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC The referenced commit introduced exception handlers.

Linux Information Disclosure Linux Kernel
NVD
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx In __blk_mq_update_nr_hw_queues() the return value.

Linux Information Disclosure Linux Kernel
NVD
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III Anthony Yznaga tracked down that a BUG_ON in ext4.

Linux Information Disclosure Linux Kernel
NVD
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: bpf: Enforce expected_attach_type for tailcall compatibility Yinhao et al.

Denial Of Service Linux Linux Kernel
NVD
EPSS 0%

In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error When running perf_fuzzer on PTL, sometimes the below "unchecked MSR access. No vendor patch available.

Intel Linux Information Disclosure +1
NVD
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping When an invalid value is passed via quirk option, currently bytcr_rt5640.

Intel Linux Information Disclosure +1
NVD
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock Prevent USB runtime PM (autosuspend) for AX88772* in bind.

Linux Information Disclosure Linux Kernel
NVD
EPSS 0%
Monitor

In the Linux kernel, the following vulnerability has been resolved: ext4: fix potential null deref in ext4_mb_init() In ext4_mb_init(), ext4_mb_avg_fragment_size_destroy() may be called when sbi->s_mb_avg_fragment_size remains uninitialized (e.g., if groupinfo slab cache allocation fails). Since ext4_mb_avg_fragment_size_destroy() lacks null pointer checking, this leads to a null pointer dereference. ================================================================== EXT4-fs: no memory for groupinfo slab cache BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: Oops: 0002 [#1] SMP PTI CPU:2 UID: 0 PID: 87 Comm:mount Not tainted 6.17.0-rc2 #1134 PREEMPT(none) RIP: 0010:_raw_spin_lock_irqsave+0x1b/0x40 Call Trace: <TASK> xa_destroy+0x61/0x130 ext4_mb_init+0x483/0x540 __ext4_fill_super+0x116d/0x17b0 ext4_fill_super+0xd3/0x280 get_tree_bdev_flags+0x132/0x1d0 vfs_get_tree+0x29/0xd0 do_new_mount+0x197/0x300 __x64_sys_mount+0x116/0x150 do_syscall_64+0x50/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e ================================================================== Therefore, add necessary null check to ext4_mb_avg_fragment_size_destroy() to prevent this issue. The same fix is also applied to ext4_mb_largest_free_orders_destroy().

Linux Denial Of Service Linux Kernel
NVD
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod Since commit f7b705c238d1 ("scsi: pm80xx: Set phy_attached to zero when.

Linux Buffer Overflow Linux Kernel
NVD
EPSS 0%

In the Linux kernel, the following vulnerability has been resolved: misc: pci_endpoint_test: Fix array underflow in pci_endpoint_test_ioctl() Commit eefb83790a0d ("misc: pci_endpoint_test: Add. No vendor patch available.

Linux Information Disclosure Linux Kernel
NVD VulDB
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup The kthread_run() function returns error pointers so the.

Linux Information Disclosure Linux Kernel
NVD VulDB
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() During mpt3sas_transport_port_remove(), messages were logged.

Dell Linux Denial Of Service +2
NVD VulDB
EPSS 0%

In the Linux kernel, the following vulnerability has been resolved: remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E The ADSP firmware on X1E has separate firmware binaries for the main firmware. No vendor patch available.

Denial Of Service Linux Linux Kernel
NVD VulDB
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara The referenced commit introduced exception handlers on.

Denial Of Service Linux Linux Kernel
NVD VulDB
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix Use-after-free in validation Nodes stored in the validation duplicates hashtable come from an arena allocator that.

Linux Information Disclosure Linux Kernel
NVD VulDB
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix a null-ptr access in the cursor snooper Check that the resource which is converted to a surface exists before.

Linux Information Disclosure Linux Kernel
NVD VulDB
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: crypto: rng - Ensure set_ent is always present Ensure that set_ent is always set since only drbg provides it.

Linux Information Disclosure Linux Kernel
NVD
EPSS 0%

In the Linux kernel, the following vulnerability has been resolved: serial: qcom-geni: Fix blocked task Revert commit 1afa70632c39 ("serial: qcom-geni: Enable PM runtime for serial driver") and its. No vendor patch available.

Linux Qualcomm Information Disclosure +1
NVD
EPSS 0%
PATCH

In the Linux kernel, the following vulnerability has been resolved: can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled This issue is similar to the.

Denial Of Service Linux Linux Kernel
NVD
EPSS 0%
Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: vfs: Don't leak disconnected dentries on umount When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitely relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are "leaked". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous "Busy inodes after unmount" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well.

Linux Information Disclosure
NVD
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix refcount leak for cifs_sb_tlink Fix three refcount inconsistency issues related to `cifs_sb_tlink`. Comments for `cifs_sb_tlink` state that `cifs_put_tlink()` needs to be called after successful calls to `cifs_sb_tlink()`. Three calls fail to update refcount accordingly, leading to possible resource leaks.

Linux Information Disclosure
NVD
EPSS 0%
Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: nbd: restrict sockets to TCP and UDP Recently, syzbot started to abuse NBD with all kinds of sockets. Commit cf1b2326b734 ("nbd: verify socket is supported during setup") made sure the socket supported a shutdown() method. Explicitely accept TCP and UNIX stream sockets.

Linux Information Disclosure
NVD
EPSS 0%
Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: bpf: Explicitly check accesses to bpf_sock_addr Syzkaller found a kernel warning on the following sock_addr program: 0: r0 = 0 1: r2 = *(u32 *)(r1 +60) 2: exit which triggers: verifier bug: error during ctx access conversion (0) This is happening because offset 60 in bpf_sock_addr corresponds to an implicit padding of 4 bytes, right after msg_src_ip4. Access to this padding isn't rejected in sock_addr_is_valid_access and it thus later fails to convert the access. This patch fixes it by explicitly checking the various fields of bpf_sock_addr in sock_addr_is_valid_access. I checked the other ctx structures and is_valid_access functions and didn't find any other similar cases. Other cases of (properly handled) padding are covered in new tests in a subsequent patch.

Linux Information Disclosure
NVD
EPSS 0%
Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: pps: fix warning in pps_register_cdev when register device fail Similar to previous commit 2a934fdb01db ("media: v4l2-dev: fix error handling in __video_register_device()"), the release hook should be set before device_register(). Otherwise, when device_register() return error and put_device() try to callback the release function, the below warning may happen. ------------[ cut here ]------------ WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567 Modules linked in: CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567 Call Trace: <TASK> kobject_cleanup+0x136/0x410 lib/kobject.c:689 kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0xe9/0x130 lib/kobject.c:737 put_device+0x24/0x30 drivers/base/core.c:3797 pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402 pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108 pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57 tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432 tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563 tiocsetd drivers/tty/tty_io.c:2429 [inline] tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:598 [inline] __se_sys_ioctl fs/ioctl.c:584 [inline] __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> Before commit c79a39dc8d06 ("pps: Fix a use-after-free"), pps_register_cdev() call device_create() to create pps->dev, which will init dev->release to device_create_release(). Now the comment is outdated, just remove it. Thanks for the reminder from Calvin Owens, 'kfree_pps' should be removed in pps_register_source() to avoid a double free in the failure case.

Linux Information Disclosure
NVD
EPSS 0%
Monitor

In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Fix incorrect boolean values in af_alg_ctx Commit 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg") changed some fields from bool to 1-bit bitfields of type u32. However, some assignments to these fields, specifically 'more' and 'merge', assign values greater than 1. These relied on C's implicit conversion to bool, such that zero becomes false and nonzero becomes true. With a 1-bit bitfields of type u32 instead, mod 2 of the value is taken instead, resulting in 0 being assigned in some cases when 1 was intended. Fix this by restoring the bool type.

Information Disclosure Linux
NVD
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID Per UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero unique ID. ``` Each Unit and Terminal within the video function is assigned a unique identification number, the Unit ID (UID) or Terminal ID (TID), contained in the bUnitID or bTerminalID field of the descriptor. The value 0x00 is reserved for undefined ID, ``` If we add a new entity with id 0 or a duplicated ID, it will be marked as UVC_INVALID_ENTITY_ID. In a previous attempt commit 3dd075fe8ebb ("media: uvcvideo: Require entities to have a non-zero unique ID"), we ignored all the invalid units, this broke a lot of non-compatible cameras. Hopefully we are more lucky this time. This also prevents some syzkaller reproducers from triggering warnings due to a chain of entities referring to themselves. In one particular case, an Output Unit is connected to an Input Unit, both with the same ID of 1. But when looking up for the source ID of the Output Unit, that same entity is found instead of the input entity, which leads to such warnings. In another case, a backward chain was considered finished as the source ID was 0. Later on, that entity was found, but its pads were not valid. Here is a sample stack trace for one of those cases. [ 20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 20.830206] usb 1-1: Using ep0 maxpacket: 8 [ 20.833501] usb 1-1: config 0 descriptor?? [ 21.038518] usb 1-1: string descriptor 0 read error: -71 [ 21.038893] usb 1-1: Found UVC 0.00 device <unnamed> (2833:0201) [ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized! [ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized! [ 21.042218] ------------[ cut here ]------------ [ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0 [ 21.043195] Modules linked in: [ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444 [ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 [ 21.044639] Workqueue: usb_hub_wq hub_event [ 21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0 [ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 <0f> 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00 [ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246 [ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1 [ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290 [ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000 [ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003 [ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000 [ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000 [ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0 [ 21.051136] PKRU: 55555554 [ 21.051331] Call Trace: [ 21.051480] <TASK> [ 21.051611] ? __warn+0xc4/0x210 [ 21.051861] ? media_create_pad_link+0x2c4/0x2e0 [ 21.052252] ? report_bug+0x11b/0x1a0 [ 21.052540] ? trace_hardirqs_on+0x31/0x40 [ 21.052901] ? handle_bug+0x3d/0x70 [ 21.053197] ? exc_invalid_op+0x1a/0x50 [ 21.053511] ? asm_exc_invalid_op+0x1a/0x20 [ 21.053924] ? media_create_pad_link+0x91/0x2e0 [ 21.054364] ? media_create_pad_link+0x2c4/0x2e0 [ 21.054834] ? media_create_pad_link+0x91/0x2e0 [ 21.055131] ? _raw_spin_unlock+0x1e/0x40 [ 21.055441] ? __v4l2_device_register_subdev+0x202/0x210 [ 21.055837] uvc_mc_register_entities+0x358/0x400 [ 21.056144] uvc_register_chains+0x1 ---truncated---

Linux Information Disclosure
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel crash in Linux kernel Cadence QSPI driver (cadence-quadspi) allows authenticated local attackers with moderate privileges to cause denial of service by unbinding the driver during active indirect read or write operations. The vulnerability affects Linux kernel versions including 6.17-rc1 through rc4 and potentially earlier versions; exploitation requires root access to force device removal, but the EPSS score of 0.01% indicates minimal real-world exploitation probability despite the availability of upstream fixes in stable kernel branches.

Denial Of Service Linux
NVD
EPSS 0%
Monitor

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal") patched a UAF issue caused by the error timer. However, because the error timer kill added in this patch occurs after the endpoint delete, a race condition to UAF still occurs, albeit rarely. Additionally, since kill-cleanup for urb is also missing, freed memory can be accessed in interrupt context related to urb, which can cause UAF. Therefore, to prevent this, error timer and urb must be killed before freeing the heap memory.

Linux Information Disclosure
NVD
EPSS 0%
Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix possible UAFs This attemps to fix possible UAFs caused by struct mgmt_pending being freed while still being processed like in the following trace, in order to fix mgmt_pending_valid is introduce and use to check if the mgmt_pending hasn't been removed from the pending list, on the complete callbacks it is used to check and in addtion remove the cmd from the list while holding mgmt_pending_lock to avoid TOCTOU problems since if the cmd is left on the list it can still be accessed and freed. BUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223 Read of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55 CPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223 hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x711/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 12210: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269 mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296 __add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247 add_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364 hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719 hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:729 sock_write_iter+0x258/0x330 net/socket.c:1133 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 12221: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2381 [inline] slab_free mm/slub.c:4648 [inline] kfree+0x18e/0x440 mm/slub.c:4847 mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline] mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257 __mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444 hci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290 hci_dev_do_close net/bluetooth/hci_core.c:501 [inline] hci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526 sock_do_ioctl+0xd9/0x300 net/socket.c:1192 sock_ioctl+0x576/0x790 net/socket.c:1313 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf ---truncated---

Linux Information Disclosure
NVD
EPSS 0%
Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: nexthop: Forbid FDB status change while nexthop is in a group The kernel forbids the creation of non-FDB nexthop groups with FDB nexthops: # ip nexthop add id 1 via 192.0.2.1 fdb # ip nexthop add id 2 group 1 Error: Non FDB nexthop group cannot have fdb nexthops. And vice versa: # ip nexthop add id 3 via 192.0.2.2 dev dummy1 # ip nexthop add id 4 group 3 fdb Error: FDB nexthop group can only have fdb nexthops. However, as long as no routes are pointing to a non-FDB nexthop group, the kernel allows changing the type of a nexthop from FDB to non-FDB and vice versa: # ip nexthop add id 5 via 192.0.2.2 dev dummy1 # ip nexthop add id 6 group 5 # ip nexthop replace id 5 via 192.0.2.2 fdb # echo $? 0 This configuration is invalid and can result in a NPD [1] since FDB nexthops are not associated with a nexthop device: # ip route add 198.51.100.1/32 nhid 6 # ping 198.51.100.1 Fix by preventing nexthop FDB status change while the nexthop is in a group: # ip nexthop add id 7 via 192.0.2.2 dev dummy1 # ip nexthop add id 8 group 7 # ip nexthop replace id 7 via 192.0.2.2 fdb Error: Cannot change nexthop FDB status while in a group. [1] BUG: kernel NULL pointer dereference, address: 00000000000003c0 [...] Oops: Oops: 0000 [#1] SMP CPU: 6 UID: 0 PID: 367 Comm: ping Not tainted 6.17.0-rc6-virtme-gb65678cacc03 #1 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014 RIP: 0010:fib_lookup_good_nhc+0x1e/0x80 [...] Call Trace: <TASK> fib_table_lookup+0x541/0x650 ip_route_output_key_hash_rcu+0x2ea/0x970 ip_route_output_key_hash+0x55/0x80 __ip4_datagram_connect+0x250/0x330 udp_connect+0x2b/0x60 __sys_connect+0x9c/0xd0 __x64_sys_connect+0x18/0x20 do_syscall_64+0xa4/0x2a0 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Denial Of Service Linux
NVD VulDB
EPSS 0%
Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: Fix potential use after free in otx2_tc_add_flow() This code calls kfree_rcu(new_node, rcu) and then dereferences "new_node" and then dereferences it on the next line. Two lines later, we take a mutex so I don't think this is an RCU safe region. Re-order it to do the dereferences before queuing up the free.

Denial Of Service Linux
NVD
EPSS 0%
Monitor

In the Linux kernel, the following vulnerability has been resolved: futex: Prevent use-after-free during requeue-PI syzbot managed to trigger the following race: T1 T2 futex_wait_requeue_pi() futex_do_wait() schedule() futex_requeue() futex_proxy_trylock_atomic() futex_requeue_pi_prepare() requeue_pi_wake_futex() futex_requeue_pi_complete() /* preempt */ * timeout/ signal wakes T1 * futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED futex_hash_put() // back to userland, on stack futex_q is garbage /* back */ wake_up_state(q->task, TASK_NORMAL); In this scenario futex_wait_requeue_pi() is able to leave without using futex_q::lock_ptr for synchronization. This can be prevented by reading futex_q::task before updating the futex_q::requeue_state. A reference on the task_struct is not needed because requeue_pi_wake_futex() is invoked with a spinlock_t held which implies a RCU read section. Even if T1 terminates immediately after, the task_struct will remain valid during T2's wake_up_state(). A READ_ONCE on futex_q::task before futex_requeue_pi_complete() is enough because it ensures that the variable is read before the state is updated. Read futex_q::task before updating the requeue state, use it for the following wakeup.

Information Disclosure Linux
NVD
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Concurrent write access to AF_ALG cryptographic sockets in the Linux kernel corrupts internal socket state and interleaves cryptographic data in an unpredictable manner, undermining the integrity and availability of kernel crypto operations for local users. The flaw spans multiple stable kernel branches up to and including 6.17-rc4, with six upstream patch commits available. No public exploit or active exploitation has been identified; the Siemens SSA-019113 advisory confirms downstream impact on industrial and embedded Linux-based products.

Linux Information Disclosure
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A privilege escalation vulnerability exists in the integration between Active Directory and the System Security Services Daemon (SSSD) on Linux systems, where an attacker with permissions to modify AD attributes can impersonate privileged users by exploiting a fallback mechanism in the Kerberos authentication plugin. The vulnerability affects domain-joined Linux hosts running SSSD in default configurations and allows attackers to gain unauthorized access with high privileges. With a low EPSS score of 0.05% and no KEV listing, this appears to be a theoretical risk requiring existing AD permissions rather than an actively exploited vulnerability.

Authentication Bypass Privilege Escalation Linux +2
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A local privilege-boundary/state-handling flaw in the Linux kernel's TCP stack lets an unprivileged user leave a stale TCP Fast Open request socket (fastopen_rsk) attached to a socket after tcp_disconnect(), which the retransmit timer later dereferences. By abusing accept() → connect(AF_UNSPEC) → connect() on a server-side TFO socket before the 3-way handshake completes, an attacker drives the socket into TCP_ESTABLISHED while retaining fastopen_rsk, triggering a kernel WARNING in tcp_retransmit_timer() and a failed retransmission. There is no public exploit identified at time of analysis, and the issue is not in CISA KEV; it was found by syzbot and resolved upstream by calling reqsk_fastopen_remove() in tcp_disconnect().

Debian Linux Information Disclosure
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: call disconnect callback before deleting conn In hci_cs_disconnect, we do hci_conn_del even if disconnection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Denial Of Service Linux +4
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: fs: dlm: fix use after free in midcomms commit While working on processing dlm message in softirq context I experienced the. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Linux Red Hat Use After Free +4
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: blk-mq: use quiesced elevator switch when reinitializing queues The hctx's run_work may be racing with the elevator switch when. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Denial Of Service Memory Corruption +4
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A null pointer dereference vulnerability exists in the Linux kernel's AMD display driver (drm/amd/display) within the dm_resume() function, where the aconnector->dc_link pointer is dereferenced without proper null checks. An unprivileged local attacker with user-level access can trigger a kernel panic and cause a denial of service by inducing a display resume operation. While the CVSS score is moderate (5.5) and EPSS exploitation probability is very low (0.01%), this vulnerability is straightforward to trigger given local access and affects all Linux kernel versions with the vulnerable AMD display driver code.

Linux Denial Of Service Null Pointer Dereference +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A logic error in the Linux kernel's device mapper thin pool module causes infinite loops and system hangs when metadata commits fail. The vulnerability affects Linux kernel systems with dm-thin storage pools; when a commit fails during btree metadata operations, the pmd->root pointer is not properly restored to the last valid transaction state, causing subsequent read operations to traverse a corrupted btree structure. An unprivileged local attacker with access to the system can trigger this denial of service condition, resulting in kernel softlockups and system hangs. While no public exploit code is widely distributed, the vulnerability is straightforward to trigger through storage I/O operations on affected systems.

Linux Denial Of Service Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A null pointer dereference vulnerability exists in the Linux kernel's WiFi mac80211 MLME (MAC Layer Management Entity) implementation that crashes the kernel during WiFi association tracing when an AP connection without link 0 fails. The vulnerability affects all Linux kernel versions with the vulnerable code path in the mac80211 wireless driver subsystem, allowing a local authenticated attacker to trigger a denial of service condition. The EPSS score of 0.01% indicates this is rarely exploited in practice, though patches are publicly available from kernel.org.

Linux Denial Of Service Null Pointer Dereference +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A resource leak vulnerability exists in the Linux kernel's mpt3sas SCSI transport driver where the sas_rphy_add() function can fail without properly freeing allocated resources, leading to a NULL pointer dereference and kernel crash during device removal. This affects Linux kernel implementations across multiple versions that use the mpt3sas driver for SAS (Serial Attached SCSI) HBA management. An unprivileged local attacker with sufficient privileges to trigger transport port operations can cause a denial of service by inducing a kernel panic, though the low EPSS score of 0.01% suggests exploitation is not practically demonstrated in the wild.

Linux Denial Of Service Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

An information leak vulnerability exists in the Linux kernel's TIPC (Transparent Inter-Process Communication) subsystem within the tipc_topsrv_kern_subscr() function. The vulnerability occurs due to incomplete initialization of the sub.usr_handle field, leaving four bytes uninitialized when setsockopt() is called with SOL_TIPC options, allowing kernel memory contents to be leaked to user space. This affects Linux kernel versions including 6.1-rc1 and potentially others; while the EPSS score is extremely low at 0.01% percentile, the vulnerability requires local access and low privileges to trigger, making it a lower-priority but real information disclosure issue that has been patched by multiple vendors.

Linux Information Disclosure Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A null pointer dereference vulnerability exists in the Linux kernel's block layer (blk-mq) memory allocation path that can be triggered by a local, low-privileged user to cause a denial of service. The vulnerability affects Linux kernel versions including 6.1-rc1 and potentially other versions where a failed memory allocation during block queue tag initialization leaves a dangling pointer that is later dereferenced during cleanup. While the EPSS score is low (0.02%, percentile 4%), the vulnerability is straightforward to trigger under memory pressure conditions, requires only local access with minimal privileges, and has vendor patches available.

Linux Null Pointer Dereference Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A memory leak vulnerability exists in the Linux kernel's test_firmware module initialization function (test_firmware_init) where allocated memory for test_fw_config->name is not properly freed when misc_register() fails. This affects all versions of the Linux kernel with the test_firmware module compiled, allowing local authenticated attackers to exhaust kernel memory and cause a denial of service. The vulnerability has a patch available from the Linux kernel maintainers, with an EPSS score of 0.01% indicating very low real-world exploitation probability despite the moderate CVSS score.

Linux Information Disclosure Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A memory leakage and potential segmentation fault vulnerability exists in the Linux kernel's AMD KFD (Kernel Fusion Driver) GPU memory management subsystem, specifically in the _gpuvm_import_dmabuf() function. The vulnerability affects Linux kernel versions across multiple branches and can be exploited by local users with low privilege levels to cause denial of service through memory corruption. Patches are available from the Linux kernel stable branches, and while the EPSS score is very low (0.01%, percentile 3%), the vulnerability has moderate CVSS severity (5.5) due to its ability to cause system availability impact.

Linux Denial Of Service Memory Corruption +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A null pointer dereference vulnerability exists in the Linux kernel's AMD GPU (amdgpu) driver in the amdgpu_bo_validate_size() function. When validating buffer object sizes for non-exclusive memory domains, the function fails to verify that the TTM (Translation Table Maps) domain manager exists before dereferencing it, leading to a kernel oops and denial of service. Local attackers with unprivileged user privileges can trigger this vulnerability to crash the system. While patches are available from the vendor, the EPSS score of 0.01% and very low exploitation probability suggest this is a low-priority issue in practice despite the denial-of-service impact.

Linux Denial Of Service Null Pointer Dereference +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A memory corruption vulnerability exists in the Linux kernel's MSM display port driver that occurs when more than eight display bridges are connected, allowing local attackers with low privileges to corrupt kernel memory beyond a fixed-size array. The vulnerability affects Linux kernel versions up to 6.1-rc2 and requires local access to exploit, with no known active exploitation in the wild (not in KEV) and a very low EPSS score of 0.02% indicating minimal real-world exploitation likelihood.

Memory Corruption Linux Buffer Overflow +4
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A resource leak vulnerability exists in the Linux kernel's FSL PAMU (Freescale Peripheral Access Management Unit) IOMMU driver where the fsl_pamu_probe() function fails to release IRQ and memory resources when the create_csd() function returns an error, allowing a local privileged attacker to cause a denial of service through resource exhaustion. The vulnerability affects multiple Linux kernel versions across stable branches and has an EPSS score of 0.01% (percentile 2%), indicating low real-world exploitation probability despite the moderate CVSS 5.5 score. Patches are available from the Linux kernel maintainers across multiple stable branches.

Linux Denial Of Service Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A null pointer dereference vulnerability exists in the Linux kernel's MediaTek IOMMU driver where the platform_get_resource() function may return a NULL pointer without proper validation, leading to a crash when resource_size() attempts to dereference it. This affects all versions of the Linux kernel with the vulnerable MediaTek IOMMU code. A local attacker with low privileges can trigger a denial of service by causing a kernel panic, though the vulnerability is unlikely to be actively exploited in the wild given the low EPSS score of 0.01%.

Linux Null Pointer Dereference Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A memory leak vulnerability exists in the Linux kernel's Rockchip clock driver (rockchip_clk_register_pll function) where allocated memory from kmemdup() is not freed when clk_register() fails, potentially causing denial of service through memory exhaustion. All versions of the Linux kernel with Rockchip clock support are affected. An attacker with local privileges can trigger repeated clock registration failures to exhaust system memory and crash the system, with an EPSS score of 0.01% indicating very low real-world exploitation probability despite the moderate CVSS score of 5.5.

Linux Memory Corruption Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 3.3
LOW PATCH Monitor

CVE-2022-50522 is a security vulnerability (CVSS 3.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Linux Information Disclosure Linux Kernel
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A memory leak vulnerability exists in the Linux kernel's mxm-wmi (MXM WMI) platform driver where the ACPI buffer returned by wmi_evaluate_method() is not properly freed after invocation, leading to kernel memory exhaustion and potential denial of service. The vulnerability affects all versions of the Linux kernel with the mxm-wmi driver enabled, particularly systems with NVIDIA/AMD discrete GPU switching support. A local attacker with standard user privileges can repeatedly trigger the affected code path to exhaust kernel memory and crash the system, though the extremely low EPSS score (0.01th percentile) suggests exploitation is not actively observed in the wild.

Linux Denial Of Service Memory Corruption +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

This is a reference counting memory leak in the Linux kernel's radeon graphics driver, specifically in the radeon_atrm_get_bios() function where a PCI device pointer obtained via pci_get_class() is not properly released when loop conditions cause early exit. An authenticated local attacker with low privileges can trigger this vulnerability to cause a denial of service through kernel memory exhaustion, as unreleased PCI device objects accumulate in kernel memory. While no public exploit code exists (EPSS 0.01% indicates minimal real-world exploitation probability), the vulnerability affects all Linux kernel versions running the radeon driver and patches are available across multiple stable kernel series.

Linux Memory Corruption Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

This vulnerability in the Linux kernel's NILFS2 filesystem causes a kernel panic when the system is booted with panic_on_warn enabled and checkpoint metadata corruption is detected. A local attacker with standard user privileges can trigger this denial of service by crafting malicious NILFS2 filesystem images or corrupting checkpoint metadata on disk, causing the kernel to panic and crash the system. The vulnerability affects multiple Linux kernel versions across several stable branches, with patches available from the vendor, but EPSS exploitation probability remains very low at 0.01 percentile, indicating this is not actively exploited in the wild.

Linux Denial Of Service Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A race condition vulnerability exists in the Linux kernel's parisc architecture-specific firmware call pdc_iodc_print() that allows local attackers to cause buffer overflows and potentially execute arbitrary code. The vulnerability affects Linux kernel versions from 2.6.25 through versions before the patched releases, requiring local access with low privileges to exploit. With an EPSS score of only 0.01%, this vulnerability has very low exploitation likelihood in the wild despite its high CVSS score of 7.8.

Linux Buffer Overflow Race Condition +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A memory corruption vulnerability in the Linux kernel's huge page (THP) split handling causes a soft lockup and denial of service when page->private is incorrectly clobbered during transparent huge page operations. The vulnerability affects Linux kernel versions 5.19 through 6.1-rc1, and while it requires local privilege access to trigger via madvise syscalls, it can reliably cause system hangs under stress conditions such as memory pressure or aggressive swapping scenarios. The EPSS score of 0.02% and lack of widespread active exploitation indicate low real-world risk, though the availability of patches makes remediation straightforward.

Linux Denial Of Service Memory Corruption +4
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A denial of service vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Linux Denial Of Service Null Pointer Dereference +3
NVD VulDB
Prev Page 35 of 143 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy