Skip to main content

Linux

12819 CVEs vendor

Monthly

CVE-2026-53016 HIGH PATCH This Week

Out-of-bounds write in the Linux kernel's AMD Cryptographic Coprocessor (ccp) driver allows a local low-privileged user to overrun a caller-supplied IV buffer by 8 bytes when issuing rfc3686(ctr(aes)) requests through the AF_ALG socket interface. The ccp_aes_complete() handler unconditionally copies AES_BLOCK_SIZE (16 bytes) back into the IV buffer, but RFC3686 skciphers expose only an 8-byte IV, corrupting adjacent memory. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and the EPSS probability is low (0.18%, 7th percentile).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53015 MEDIUM PATCH This Month

Integer truncation in the Linux kernel's EROFS filesystem driver on 32-bit platforms causes logical cluster number (LCN) calculations to overflow at the 4 GiB boundary, resulting in incorrect block addressing and potential kernel-level availability impact. Affected systems are those running 32-bit Linux kernels (where `unsigned long` is 32 bits wide) with EROFS filesystems mounted. No public exploit exists and no active exploitation has been confirmed; EPSS stands at a very low 0.17% (6th percentile), consistent with the niche attack surface of 32-bit deployments.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53014 MEDIUM PATCH This Month

Kernel panic via skb headroom exhaustion in the Linux kernel's Traffic Control (TC) act_mirred subsystem affects systems using block-cast packet redirection across mixed device types. The root cause is a copy-paste error in tcf_blockcast_redir() where dev_is_mac_header_xmit() is queried against the next device in the iteration (dev) rather than the device currently being transmitted to (dev_prev), causing tcf_mirred_to_dev() to make wrong MAC header push/pull decisions for intermediate devices. In the worst case, skb_push_rcsum is called with an incorrect mac_len, exhausting socket buffer headroom and triggering a kernel panic. No public exploit code has been identified and EPSS is 0.17% at the 6th percentile, consistent with low real-world exploitation interest.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53013 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF macvlan_get_size() does not account for IFLA_MACVLAN_BC_CUTOFF, but macvlan_fill_info() conditionally includes it when port->bc_cutoff != 1. This causes nla_put_s32() to fail with -EMSGSIZE when the netlink skb runs out of space, triggering a WARN_ON in rtnetlink and preventing the interface from being dumped. The bug can be reproduced with: ip link add macvlan0 link eth0 type macvlan mode bridge ip link set macvlan0 type macvlan bc_cutoff 0 ip -d link show macvlan0 # fails with -EMSGSIZE The bc_cutoff feature was added in commit 954d1fa1ac93 ("macvlan: Add netlink attribute for broadcast cutoff"), which added the nla_put_s32() call in macvlan_fill_info() but missed adding the corresponding nla_total_size(4) in macvlan_get_size(). A follow-up commit 55cef78c244d ("macvlan: add forgotten nla_policy for IFLA_MACVLAN_BC_CUTOFF") fixed the missing nla_policy entry but still did not fix the size calculation.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53012 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: nexthop: fix IPv6 route referencing IPv4 nexthop syzbot reported a panic [1] [2]. When an IPv6 nexthop is replaced with an IPv4 nexthop, the has_v4 flag of all groups containing this nexthop is not updated. This is because nh_group_v4_update is only called when replacing AF_INET to AF_INET6, but the reverse direction (AF_INET6 to AF_INET) is missed. This allows a stale has_v4=false to bypass fib6_check_nexthop, causing IPv6 routes to be attached to groups that effectively contain only AF_INET members. Subsequent route lookups then call nexthop_fib6_nh() which returns NULL for the AF_INET member, leading to a NULL pointer dereference. Fix by calling nh_group_v4_update whenever the family changes, not just AF_INET to AF_INET6. Reproducer: ip -6 nexthop add id 1 blackhole ip nexthop add id 100 group 1 ip nexthop replace id 1 blackhole ip -6 route add 2001:db8::/64 nhid 100 ping -6 2001:db8::1 [1] https://syzkaller.appspot.com/bug?id=e17283eb2f8dcf3dd9b47fe6f67a95f71faadad0 [2] https://syzkaller.appspot.com/bug?id=8699b6ae54c9f35837d925686208402949e12ef3

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53011 HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's taprio traffic scheduler (net/sched) arises from a use-after-free in advance_sched() during an admin-to-oper schedule switch, affecting kernels from 5.2 through the fixed releases. After switch_schedules() queues the old oper schedule for RCU freeing, the 'next' pointer still references a freed entry that is then written to and published via rcu_assign_pointer(), letting a local user with network-configuration capability corrupt kernel memory for potential code execution. No public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile), consistent with a complex local-only TSN feature rather than mass exploitation.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53010 CRITICAL PATCH Act Now

Use-after-free in the Linux kernel's ksmbd in-kernel SMB3 server occurs during durable handle reconnect, where smb2_open prematurely drops the durable file reference via ksmbd_put_durable_fd(fp); a subsequent error path or scavenger access then dereferences freed fp fields (e.g., fp->create_time). Affecting Linux ksmbd across multiple stable branches and fixed in releases such as 6.6.32, 6.18.33, 7.0.10, and 7.1, the flaw is rated CVSS 9.8 but carries a low EPSS of 0.17% (6th percentile); it is not in CISA KEV and no public exploit identified at time of analysis. An attacker with SMB access can trigger memory corruption potentially leading to information disclosure, denial of service, or code execution in kernel context.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53009 HIGH PATCH This Week

Local privilege-impacting memory corruption in the Linux kernel's Intel ice network driver allows a double-free of a transmit buffer's skb when the TX offload paths fail. When ice_tso() or ice_tx_csum() return an error, ice_xmit_frame_ring() frees the skb but leaves the 'first' tx_buf still marked ICE_TX_BUF_SKB, so a later ice_clean_tx_ring() during interface teardown frees the same skb a second time. Carries a CVSS 3.1 base of 7.8 (AV:L/PR:L), but with a low EPSS of 0.15% (5th percentile), no KEV listing, and no public exploit identified at time of analysis.

Code Injection Linux Intel
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53008 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel ICE (Intel Ethernet Controller) driver allows a local low-privileged attacker to trigger a kernel panic via a race condition during TX timestamp ring teardown. The flaw exists in systems using Intel ICE-series NICs with TX timestamping configured, where concurrent execution of ice_free_tx_tstamp_ring() and ice_tx_map() across CPU cores can cause CPU B to dereference a pointer that CPU A has already set to NULL. No public exploit or active exploitation has been identified; EPSS is 0.15% (5th percentile), consistent with its local, timing-dependent nature.

Denial Of Service Race Condition Linux
NVD VulDB
CVSS 3.1
4.7
EPSS
0.2%
CVE-2026-53007 MEDIUM This Month

In the Linux kernel, the following vulnerability has been resolved: ice: fix potential NULL pointer deref in error path of ice_set_ringparam() ice_set_ringparam nullifies tstamp_ring of temporary tx_rings, without clearing ICE_TX_RING_FLAGS_TXTIME bit. When ICE_TX_RING_FLAGS_TXTIME is set and the subsequent ice_setup_tx_ring() call fails, a NULL pointer dereference could happen in the unwinding sequence: ice_clean_tx_ring() -> ice_is_txtime_cfg() == true (ICE_TX_RING_FLAGS_TXTIME is set) -> ice_free_tx_tstamp_ring() -> ice_free_tstamp_ring() -> tstamp_ring->desc (NULL deref) Clear ICE_TX_RING_FLAGS_TXTIME bit to avoid the potential issue. Note that this potential issue is found by manual code review. Compile test only since unfortunately I don't have E830 devices.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53006 CRITICAL PATCH Act Now

Use-after-free in the Linux kernel's IPv6 ICMPv6 receive path (icmpv6_rcv()) allows stale pointers to freed socket buffer memory to be dereferenced after a pskb_pull() call relocates skb->head. The affected code cached the source and destination addresses (saddr/daddr) before the pull, and these stale references were only consumed by net_dbg_ratelimited() in the slow path, limiting practical impact. The flaw is fixed upstream across all maintained stable trees; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53005 HIGH PATCH This Week

Local use-after-free in the Linux kernel's AF_UNIX subsystem occurs when SOCKMAP (BPF socket map) redirects skbs carrying inflight file descriptors, hiding them from the AF_UNIX garbage collector and breaking the Tarjan-based GC's assumption that unix_edge.successor stays alive — producing a slab use-after-free in unix_del_edges() plus inflight-socket leaks and incorrect fdinfo accounting. Affected are kernels supporting SOCKMAP/sk_psock redirect (roughly 5.15 through pre-fix 7.x trees); a local attacker who can set up SOCKMAP redirection and pass SCM_RIGHTS descriptors can corrupt kernel memory toward privilege escalation or denial of service. There is no public exploit identified at time of analysis, EPSS is low (0.16%, 6th percentile), and it is not in CISA KEV.

Linux Information Disclosure Debian Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53004 HIGH PATCH This Week

Out-of-bounds write in the Linux kernel SCTP stack (sctp_getsockopt_peer_auth_chunks) lets a local unprivileged process trigger an 8-byte overrun past its own supplied getsockopt buffer, silently corrupting adjacent data in the caller's userspace address space. The bug is a size-check that omits the 8-byte sizeof(struct sctp_authchunks) header, so a buffer sized exactly to num_chunks passes validation but copy_to_user still writes the struct header. There is no public exploit identified at time of analysis (not in CISA KEV; EPSS 0.18%), though the kernel changelog cites a working reproducer on v7.0-13-generic, and a vendor patch is available.

Buffer Overflow Memory Corruption Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53003 HIGH PATCH This Week

Denial of service in the Linux kernel's PPPoE/PPP driver allows a malicious or broken peer to crash affected hosts by sending PPP frames with a compressed (1-byte) Protocol Field. Because pppd never negotiates Protocol Field Compression for PPPoE yet ppp_input() still accepted compressed frames, the payload is shifted one byte, producing a 4-byte misaligned network header that can raise unaligned-access exceptions on architectures that do not tolerate them. There is no public exploit identified at time of analysis; EPSS is low (0.18%, 7th percentile) and the issue is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-53002 CRITICAL PATCH Act Now

Stack out-of-bounds write in the Linux kernel's netfilter connection-tracking SIP application-layer gateway (ALG) allows remote attackers to corrupt kernel stack memory by sending crafted SIP/SDP traffic through a NAT device. The flaw lives in mangle_content_len(), reached via nf_nat_sdp_session → process_sdp when rewriting the SDP Content-Length during SIP INVITE handling, where an unbounded sprintf() overflowed an undersized stack buffer (caught by KASAN). There is no public exploit identified at time of analysis and EPSS is low (0.18%), so despite the NVD 9.8 rating the practical risk is gated by whether the SIP conntrack/NAT helper is in use.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53001 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: netfilter: xtables: restrict several matches to inet family This is a partial revert of: commit ab4f21e6fb1c ("netfilter: xtables: use NFPROTO_UNSPEC in more extensions") to allow ipv4 and ipv6 only. - xt_mac - xt_owner - xt_physdev These extensions are not used by ebtables in userspace. Moreover, xt_realm is only for ipv4, since dst->tclassid is ipv4 specific.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53000 HIGH PATCH This Week

Local privilege escalation / memory corruption in the Linux kernel's netfilter NAT subsystem (introduced in v5.14) arises because nf_nat_register_fn() freed nf_hook_ops structures immediately rather than deferring the release via RCU. Because the v5.14-era nfnetlink_hook feature lets userspace dump active netfilter hooks by peeking into the ops blob, a concurrent dump racing the NAT (un)register error path can access ops memory after it is freed. No public exploit has been identified at time of analysis and EPSS is low (0.17%), but the high-impact CVSS vector reflects a use-after-free class flaw in a core kernel subsystem.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52999 CRITICAL PATCH Act Now

Out-of-bounds read in the Linux kernel's netfilter nfnetlink_osf (passive OS fingerprinting) module occurs when the shared nf_osf_hdr_ctx->optp pointer is not reset after a fingerprint fully matches during TCP option parsing. Affecting systems that use the osf match with NF_OSF_LOGLEVEL_ALL enabled, the flaw causes subsequent fingerprint checks to parse beyond the end of the TCP options buffer, reading garbage data and producing incorrect or missing match logs. Although carrying a 9.1 CVSS, this is a functional/correctness bug in a niche feature; there is no public exploit identified at time of analysis and EPSS is low (0.18%, 7th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-52998 HIGH PATCH This Week

Kernel panic (denial of service) in the Linux kernel netfilter nfnetlink_osf module occurs because nf_osf_ttl() dereferences skb->dev during its TTL check without validating the device pointer, allowing a crafted packet to trigger a NULL pointer dereference on hosts using the OS-fingerprint (osf) match. The flaw affects systems with nftables/iptables rulesets that employ the osf TTL check, and is rated availability-only impact (CVSS 7.5, AV:N/A:H). There is no public exploit identified at time of analysis, EPSS is low (0.18%, 7th percentile), and it is not in CISA KEV; the fix has been merged across multiple stable trees.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52997 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's sch_dualpi2 queuing discipline (net/sched) allows a local attacker with low privileges to crash the kernel, causing a denial of service. The flaw exists in dualpi2_change(), which enforces updated queue limits after a qdisc reconfiguration: when traffic is exclusively queued in the L-queue and the C-queue is empty, the function unconditionally dereferences the NULL skb returned by the C-queue dequeue path, triggering a kernel panic. No public exploit code has been identified and EPSS sits at 0.17% (7th percentile), consistent with a locally-triggered, configuration-dependent kernel bug.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52996 MEDIUM PATCH This Month

Resource exhaustion in the Linux kernel ksmbd SMB server allows a low-privileged authenticated SMB client to leak kernel file descriptor references by sending repeated SMB2 CREATE requests with a DURABLE_HANDLE_REQUEST_V2 context that produces a CreateGuid hit but a ClientGUID mismatch. Each such request increments the refcount on a ksmbd_file via ksmbd_fp_get() in ksmbd_lookup_fd_cguid() but the mismatch code path never calls the matching release, causing global_ft entries to be pinned indefinitely. Over time this defeats the durable file scavenger and causes long-lived kernel resource leaks that can degrade or deny availability. No public exploit has been identified at time of analysis and EPSS is 0.19% (9th percentile), indicating low opportunistic exploitation probability.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52995 MEDIUM PATCH This Month

Stack memory disclosure in the Linux kernel RDS/IB subsystem exposes up to 26 bytes of uninitialized kernel stack contents - including kernel text and data pointers - to local unprivileged users via the getsockopt(SOL_RDS, RDS_INFO_IB_CONNECTIONS) interface. The leak enables KASLR bypass on systems where the kernel was built without CONFIG_INIT_STACK_ALL_ZERO=y, making this a useful primitive for chaining into privilege escalation. No public exploit code and no CISA KEV listing exist at time of analysis; EPSS is very low at 0.18% (7th percentile), but the CVE description itself supplies a complete, step-by-step reproduction recipe that reduces practical exploitation complexity to near-trivial for any local user with AF_RDS socket access.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52994 MEDIUM PATCH This Month

Improper RLIMIT_MEMLOCK accounting in the Linux kernel's vsock/virtio MSG_ZEROCOPY path allows a local low-privileged user to bypass per-process pinned-page limits, enabling unbounded kernel memory pinning that can drive the system toward memory exhaustion. The flaw is confined to the virtio vsock transport and is not remotely exploitable. No public exploit has been identified and EPSS sits at 0.17% (7th percentile), reflecting low exploitation interest; however, a vendor-confirmed fix is available in stable releases.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52993 CRITICAL PATCH Act Now

Memory corruption in the Linux kernel's TIPC (Transparent Inter-Process Communication) protocol stack allows remote attackers to trigger a double-free in tipc_buf_append() during message reassembly, where tipc_msg_validate() may reallocate and free the working skb while the error path frees a now-stale pointer. Affected systems are those running a vulnerable kernel (introduced around 4.15-era code, present across 5.10-7.0 branches) with the TIPC subsystem in use; successful exploitation can crash the kernel and, depending on heap conditions, potentially lead to privilege escalation. There is no public exploit identified at time of analysis, EPSS risk is low (0.18%, 7th percentile), and it is not listed in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-52992 HIGH PATCH This Week

Out-of-bounds heap write in the Linux kernel's ADFS (Acorn Disc Filing System) driver allows a local attacker to corrupt kernel memory by mounting a crafted new-format ADFS disc image whose disc record declares a zone count of zero. adfs_read_map() forwards nzones==0 to kmalloc_array(0, ...), which returns ZERO_SIZE_PTR, and adfs_map_layout() then writes to dm[-1], an out-of-bounds write before the allocated buffer. The flaw was found by syzkaller; there is no public exploit identified at time of analysis and EPSS scores it at just 0.18% (8th percentile).

Buffer Overflow Memory Corruption Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52991 HIGH PATCH This Week

Local privilege-escalation-capable memory corruption in the Linux kernel's PSI (Pressure Stall Information) subsystem allows a local user with write access to cgroup pressure files to trigger a use-after-free or NULL-pointer dereference. The flaw stems from a race between pressure_write() and cgroup file release/rmdir on the kernfs_open_file->priv pointer, confirmed via a KASAN slab-use-after-free report in pressure_write+0xa4/0x210. No public exploit identified at time of analysis, and EPSS is low (0.19%, 8th percentile), indicating no observed mass exploitation.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52990 MEDIUM PATCH This Month

Resource leak in the Linux kernel fsnotify subsystem causes hung tasks and local denial of service via a race condition in fsnotify_recalc_mask(). A local low-privilege user can trigger concurrent mark addition and removal on a filesystem connector object, causing an inode pointer returned by __fsnotify_recalc_mask() to be silently discarded rather than released via fsnotify_drop_object() - permanently blocking the umount path as fsnotify_sb_delete() waits indefinitely on the leaked reference. No public exploit exists and EPSS is at the 7th percentile, indicating negligible opportunistic exploitation risk.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52989 CRITICAL PATCH Act Now

Memory-safety flaw in the Linux kernel's NVMe-over-TCP target driver (nvmet-tcp) lets a connected initiator drive the kernel into reading received network data through an uninitialized iov_iter. Because nvmet_tcp_build_pdu_iovec() reported out-of-bounds PDU length/offset only via a fatal-error side effect while returning void, callers such as nvmet_tcp_handle_h2c_data_pdu() continued and advanced the receive state machine over an uninitialized cmd->recv_msg.msg_iter, leading to memory corruption or denial of service. NVD rates this 9.8 (CVSS:3.1 AV:N/AC:L/PR:N/UI:N), but EPSS is low (0.17%, 7th percentile) and there is no public exploit identified at time of analysis; it is not in CISA KEV.

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-52988 HIGH PATCH This Week

Kernel-memory disclosure and denial of service in the Linux kernel's netfilter nf_tables subsystem arises from unsafe RCU list traversal: a netlink dump can walk a basechain/flowtable hook list concurrently with a ruleset update, racing on partially-published hooks. The fix publishes new hooks via splice_list_rcu() during the commit phase so RCU readers see a consistent list. EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis; the issue is a local race condition affecting privileged ruleset operations rather than a remotely reachable flaw.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-52987 HIGH PATCH This Week

Local privilege escalation and kernel memory corruption is possible in the Linux kernel's AMD GPU driver (amdgpu) via a double drm_exec_fini() in the user-queue validation path. When amdgpu_userq_vm_validate() runs with new_addition set, a failure in amdgpu_ttm_tt_get_user_pages() routes execution to a cleanup label that finalizes the already-freed drm_exec object a second time, corrupting kernel state. No public exploit identified at time of analysis, and EPSS rates exploitation probability at only 0.16% (6th percentile), consistent with a hard-to-trigger local bug rather than a mass-exploited flaw.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52986 CRITICAL PATCH Act Now

Out-of-bounds memory access in the Linux kernel's netfilter SIP connection-tracking helper (nf_conntrack_sip) stems from parsing port numbers in non-NUL-terminated socket-buffer data with simple_strtoul() and dereferencing pointers after sip_parse_addr() without bounds checks. Remote attackers sending crafted SIP messages through a host where the SIP conntrack/NAT helper is active could read past the packet buffer, risking information disclosure or instability (tagged Information Disclosure). Despite a CVSS of 9.8, EPSS is only 0.18% (8th percentile) and no public exploit is identified at time of analysis; a vendor fix is available across multiple stable trees.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-52985 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: netdevsim: zero initialize struct iphdr in dummy sk_buff Syzbot reports a KMSAN uninit-value originating from nsim_dev_trap_skb_build, with the allocation also being performed in the same function. Fix this by calling skb_put_zero instead of skb_put to guarantee zero initialization of the whole IP header.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52984 MEDIUM PATCH This Month

Unbounded queue growth in the Linux kernel's netem (Network Emulator) traffic control subsystem allows a local low-privileged user to exhaust kernel memory and trigger a denial of service. The flaw exists because netem_enqueue() enforces queue depth limits using only q->t_len (packets in the internal tfifo), while packets placed into sch->q via the reorder path (__qdisc_enqueue_head) are silently excluded from that count, allowing total queue occupancy to grow beyond sch->limit without bound. No public exploit has been identified and the EPSS score of 0.18% (8th percentile) places this in the lowest exploitation-probability tier; however, the vulnerability affects a wide range of active stable kernel branches and patched versions are available.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52983 HIGH PATCH This Week

Denial-of-service (TX queue stall) in the Linux kernel's Airoha QDMA Ethernet driver affects systems running on Airoha/MediaTek SoCs where airoha_dev_xmit() accounts inflight packets only across AIROHA_NUM_TX_RING queues while the NAPI completion path settles all netdev TX queues, corrupting Byte Queue Limits (BQL) state. The mismatch can wedge transmit queues and degrade or halt network throughput on the device. EPSS is 0.17% (7th percentile) and there is no public exploit identified at time of analysis; an upstream stable fix exists.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52982 CRITICAL PATCH Act Now

Use-after-free in the Linux kernel rtl8150 USB-to-Ethernet driver (drivers/net/usb/rtl8150.c) lets the transmit path read freed socket-buffer memory: rtl8150_start_xmit() reads skb->len for TX byte accounting after usb_submit_urb(), but the URB completion handler write_bulk_callback() can free the skb on another CPU first, producing a slab-use-after-free read flagged by KASAN/syzbot. Affected systems are those using an RTL8150-based USB Ethernet adapter; the practical impact is a stale/garbage stat read or a potential crash from freed-memory access rather than reliable info disclosure. There is no public exploit identified at time of analysis (not in CISA KEV, EPSS 0.18%/8th percentile), and the issue was found and fixed via upstream syzbot fuzzing.

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-52981 HIGH PATCH This Week

Memory exhaustion in the Linux kernel networking stack stems from a socket buffer (SKB) leak in neigh_xmit(): when the function is called against an uninitialized neighbour table - for example NEIGH_ND_TABLE while IPv6 is disabled - it returns -EAFNOSUPPORT and bypasses its out_kfree_skb path, leaking the packet buffer because callers (originally MPLS) rely on neigh_xmit() to take ownership of the skb. Repeated triggering slowly exhausts kernel memory, leading to denial of service (CVSS 7.5, A:H). There is no public exploit identified at time of analysis, and EPSS is low (0.19%, 9th percentile); the upstream fix makes neigh_xmit() assume full ownership and free the skb on every path.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52980 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: sched/fair: Clear rel_deadline when initializing forked entities A yield-triggered crash can happen when a newly forked sched_entity enters the fair class with se->rel_deadline unexpectedly set. The failing sequence is: 1. A task is forked while se->rel_deadline is still set. 2. __sched_fork() initializes vruntime, vlag and other sched_entity state, but does not clear rel_deadline. 3. On the first enqueue, enqueue_entity() calls place_entity(). 4. Because se->rel_deadline is set, place_entity() treats se->deadline as a relative deadline and converts it to an absolute deadline by adding the current vruntime. 5. However, the forked entity's deadline is not a valid inherited relative deadline for this new scheduling instance, so the conversion produces an abnormally large deadline. 6. If the task later calls sched_yield(), yield_task_fair() advances se->vruntime to se->deadline. 7. The inflated vruntime is then used by the following enqueue path, where the vruntime-derived key can overflow when multiplied by the entity weight. 8. This corrupts cfs_rq->sum_w_vruntime, breaks EEVDF eligibility calculation, and can eventually make all entities appear ineligible. pick_next_entity() may then return NULL unexpectedly, leading to a later NULL dereference. A captured trace shows the effect clearly. Before yield, the entity's vruntime was around: 9834017729983308 After yield_task_fair() executed: se->vruntime = se->deadline the vruntime jumped to: 19668035460670230 and the deadline was later advanced further to: 19668035463470230 This shows that the deadline had already become abnormally large before yield_task_fair() copied it into vruntime. rel_deadline is only meaningful when se->deadline really carries a relative deadline that still needs to be placed against vruntime. A freshly forked sched_entity should not inherit or retain this state. Clear se->rel_deadline in __sched_fork(), together with the other sched_entity runtime state, so that the first enqueue does not interpret the new entity's deadline as a stale relative deadline.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52979 MEDIUM This Month

Race condition in the Linux kernel PSP network subsystem allows a local low-privileged attacker to crash the kernel through a TOCTOU flaw in device association creation. In `psp_assoc_device_get_locked()`, a device reference acquired under RCU becomes stale before the protecting lock is taken if `psp_dev_unregister()` completes concurrently, leaving the kernel operating on freed or invalid device state. No public exploit has been identified and EPSS stands at 0.17% (6th percentile), reflecting minimal active exploitation risk despite the well-characterized code-level race condition.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52978 MEDIUM This Month

In the Linux kernel, the following vulnerability has been resolved: net: psp: require admin permission for dev-set and key-rotate The dev-set and key-rotate netlink operations modify shared device state (PSP version configuration and cryptographic key material, respectively) but do not require CAP_NET_ADMIN. The only access control is psp_dev_check_access() which merely verifies netns membership.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52977 MEDIUM PATCH This Month

Livelock in the Linux kernel's futex requeue-PI subsystem can hang a system when a signal or timeout interrupts a FUTEX_WAIT_REQUEUE_PI operation concurrently with an active FUTEX_CQ_REQUEUE_PI requeue. The race causes a waiting thread (Task A) to block indefinitely on a hash-bucket lock while a requeue thread (Task B) busy-loops retrying the same operation, consuming all available CPU - worst-case on uniprocessor systems where Task A cannot be scheduled at all. No public exploit is identified and EPSS is 0.17% (7th percentile), but the deterministic nature of the livelock on UP or real-time-scheduled hardware makes this a genuine denial-of-service risk; patches are available across six Linux stable branches.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52976 HIGH PATCH This Week

Local privilege escalation in the Linux kernel's drm/xe Intel GPU driver arises from two error-handling defects in xe_exec_queue_create_ioctl() that leave a freed exec queue linked into either the VM's preempt-fence compute list or the hardware engine group list, producing a dangling pointer and a use-after-free. A local user with access to the DRM device on systems running the affected Intel Xe driver (introduced around 6.12) can trigger the faulty cleanup paths to corrupt kernel memory, with potential for code execution at kernel privilege. There is no public exploit identified at time of analysis and EPSS is low (0.18%, 7th percentile); the issue is fixed upstream and in stable releases.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52975 HIGH PATCH This Week

Concurrent access to an unprotected pointer in the Linux kernel's 802.3ad (LACP) bonding driver allows a local user to trigger a data race between the AD state-machine worker and the rtnetlink read path that fetches active aggregator info. Discovered by syzbot/KCSAN, the torn read of the `port->aggregator` pointer can disclose kernel memory state or destabilize the bonding driver on systems configured with LACP NIC teaming. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.18%, 7th percentile).

Linux Information Disclosure Google
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52974 HIGH PATCH This Week

Memory exhaustion (denial of service) in the Linux kernel's TLS device-offload receive path, where a failure during hardware offload setup leaks the strparser anchor socket buffer (skb) and never frees it. Affecting kernels from the introduction of the custom strparser (commit 84c61fe1a75b) onward, repeated triggering of the offload setup-failure path slowly drains kernel memory; CVSS rates availability impact High (7.5) but EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis. The regression was introduced by the kTLS-specific strparser rewrite and does not affect kernels using the standard strparser.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52973 HIGH PATCH This Week

Local privilege escalation in the Linux kernel futex subsystem stems from a slab use-after-free in futex_hash_put, triggered when a process shares its mm via CLONE_VM without CLONE_THREAD. The flawed need_futex_hash_allocate_default() check broke the non-concurrency assumption for per-CPU mm->futex_ref allocation, letting a stale +1 bias land on a percpu counter the mm no longer references. Carries CVSS 7.8 (high) with full C/I/A impact; no public exploit identified at time of analysis and EPSS is low (0.17%).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52972 MEDIUM PATCH This Month

Integer overflow in the Linux kernel's AF_ALG socket interface (crypto/af_alg.c) lets a local user supply an oversized AEAD associated-data length that wraps during TX buffer size arithmetic, corrupting size checks; the fix caps AD length to 0x80000000. Carrying CVSS 7.0 (AV:L/AC:H/PR:L), it affects any kernel exposing the algif AEAD interface and threatens confidentiality, integrity, and availability through resulting memory corruption. There is no public exploit identified at time of analysis, and EPSS is low at 0.18% (8th percentile), consistent with a local-only, high-complexity issue.

Integer Overflow Linux Buffer Overflow
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52971 HIGH PATCH This Week

Use-after-free in the Linux kernel's Amazon ENA (Elastic Network Adapter) PTP Hardware Clock (PHC) get_timestamp path lets a local low-privileged user trigger a NULL/dangling pointer dereference via a race between timestamp reads and clock teardown. The driver checked phc->active and cached the resp pointer from ena_dev->phc.virt_addr before taking the spinlock, so a concurrent ena_com_phc_destroy() could free the DMA memory and NULL virt_addr mid-operation. With a CVSS of 7.8 (high) but EPSS of only 0.17% (7th percentile), this is a memory-safety race with no public exploit identified at time of analysis; it is fixed upstream and patched in stable releases.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52970 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: fix missing expect put in obj eval nft_ct_expect_obj_eval() allocates an expectation and may call nf_ct_expect_related(), but never drops its local reference. Add nf_ct_expect_put(exp) before return to balance allocation.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52969 HIGH PATCH This Week

Local privilege-relevant memory corruption in the Linux kernel's KVM subsystem (kvm_reset_dirty_gfn) lets any process holding /dev/kvm bypass a dirty-ring bounds check via a u64 integer overflow, driving a near-U64_MAX guest frame number into gfn_to_rmap() for an out-of-bounds kvm_rmap_head load and a conditional write-flag clear. Affected are kernels from 5.11 through the 7.x line running VMs on the shadow-paging (legacy/rmap) MMU path. This is a local (AV:L), low-privilege (PR:L) issue rated CVSS 7.8; there is no public exploit identified at time of analysis, EPSS is low at 0.19% (9th percentile), and it is not on CISA KEV.

Integer Overflow Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52968 HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's KVM s390 PCI adapter-interrupt-forwarding (AIF) code allows a low-privileged local actor on IBM Z (s390x) hosts to read and corrupt kernel memory. The flaw stems from double-scaled pointer arithmetic when indexing the GAIT table in kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and aen_host_forward(), triggered when an adapter interrupt source (aisb) index reaches 32 or higher under ZPCI_NR_DEVICES=512. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.18%, 8th percentile).

Buffer Overflow Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-52967 HIGH PATCH This Week

Out-of-bounds read and denial-of-service in the Linux kernel SMB/CIFS client (cifs.ko) affects systems mounting SMB shares on 32-bit architectures. When parsing a malicious SMB2 error response, the symlink_data() routine mishandles a hostile ErrorDataLength value, causing either an infinite loop or a read past the buffer that can hang the client or leak adjacent kernel memory. There is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile), but the bug is reachable by any malicious or compromised SMB server a vulnerable client connects to.

Linux Denial Of Service Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-52966 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: drm: Replace old pointer to new idr Commit 5e28b7b94408 introduced a logical error by failing to replace the newly generated IDR pointer to old id's pointer at the correct location within the "change handle" logic; this resulted in the issue reported by syzbot [1]. Specifically, the new IDR object pointer is intended to replace the original id's pointer during the normal execution flow. Additionally, an unnecessary conditional check for the ret exit path has been removed. [1] !RB_EMPTY_ROOT(&prime_fpriv->dmabufs) WARNING: drivers/gpu/drm/drm_prime.c:224 at drm_prime_destroy_file_private+0x48/0x60 drivers/gpu/drm/drm_prime.c:224, CPU#0: syz.0.17/5833 Call Trace: drm_file_free.part.0+0x7e6/0xcc0 drivers/gpu/drm/drm_file.c:269 drm_file_free drivers/gpu/drm/drm_file.c:237 [inline] drm_close_helper.isra.0+0x186/0x200 drivers/gpu/drm/drm_file.c:290 drm_release+0x1ab/0x360 drivers/gpu/drm/drm_file.c:438

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52965 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure When ttm_tt_swapout() fails, the current code calls ttm_resource_add_bulk_move() followed by ttm_resource_move_to_lru_tail() to restore the resource's bulk_move membership. However, ttm_resource_move_to_lru_tail() places the resource at the tail of the LRU list which, relative to the walk cursor's hitch node (placed immediately after the resource when it was yielded), puts the resource *in front of the* the hitch. The next list_for_each_entry_continue() from the hitch finds the same resource again, causing an infinite loop. Fix by deferring del_bulk_move to the success path only. On the success path, TTM_TT_FLAG_SWAPPED has just been set by ttm_tt_swapout() but the resource is still tracked in the bulk_move range, so ttm_resource_del_bulk_move()'s !ttm_resource_unevictable() guard would incorrectly skip the removal. Introduce ttm_resource_del_bulk_move_unevictable() which bypasses that guard.

Denial Of Service Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52964 MEDIUM PATCH This Month

Out-of-bounds descriptor read in the Linux kernel ALSA USB MIDI 2.0 subsystem allows a physically proximate or low-privileged local attacker to crash the kernel by presenting a malformed USB audio device with crafted MIDI 2.0 endpoint descriptors. The USB MIDI 2.0 endpoint parser validates bLength against bNumGrpTrmBlock but omits validation against remaining bytes in the endpoint-extra scan, allowing baAssoGrpTrmBlkID[] reads to advance past the descriptor buffer boundary. No public exploit is identified; EPSS stands at 0.18% (7th percentile), consistent with narrow, hardware-dependent attack surface and no active exploitation.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52963 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Bound MIDI endpoint descriptor scans snd_usbmidi_get_ms_info() validates the internal MIDIStreaming endpoint descriptor size before using baAssocJackID[], but the descriptor walker can still return a class-specific endpoint descriptor whose bLength exceeds the remaining bytes in the endpoint-extra scan. That leaves later flexible-array reads bounded by bLength, but not by the remaining bytes in the endpoint-extra scan. Stop walking when bLength is zero or extends past the remaining endpoint-extra scan.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52962 HIGH PATCH This Week

Memory leak in the Linux kernel's Ceph client (CephFS) allows a local, low-privileged user to exhaust kernel buffer memory by repeatedly triggering the retry path in __ceph_setxattr(), where the old_blob holding ci->i_xattrs.prealloc_blob is never released via ceph_buffer_put(). The flaw affects systems mounting CephFS and is addressed by an upstream stable fix; there is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.18%). Note: the CWE-787 (out-of-bounds write) classification and 'Buffer Overflow' tag conflict with the description, which describes a resource/buffer leak rather than memory corruption.

Buffer Overflow Memory Corruption Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52961 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size The generic/642 test-case can reproduce the kernel crash: [40243.605254] ------------[ cut here ]------------ [40243.605956] kernel BUG at fs/ceph/xattr.c:918! [40243.607142] Oops: invalid opcode: 0000 [#1] SMP PTI [40243.608067] CPU: 7 UID: 0 PID: 498762 Comm: kworker/7:1 Not tainted 7.0.0-rc7+ #3 PREEMPT(full) [40243.609700] Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [40243.611820] Workqueue: ceph-msgr ceph_con_workfn [40243.612715] RIP: 0010:__ceph_build_xattrs_blob+0x1b8/0x1e0 [40243.613731] Code: 0f 84 82 fe ff ff e9 cf 8e 56 ff 48 8d 65 e8 31 c0 5b 41 5c 41 5d 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 c3 cc cc cc cc <0f> 0b 4c 8b 62 08 41 8b 85 24 07 00 00 49 83 c4 04 41 89 44 24 fc [40243.616888] RSP: 0018:ffffcc80c4d4b688 EFLAGS: 00010287 [40243.617773] RAX: 0000000000010026 RBX: 0000000000000001 RCX: 0000000000000000 [40243.618928] RDX: ffff8a773798dee0 RSI: 0000000000000000 RDI: 0000000000000000 [40243.620158] RBP: ffffcc80c4d4b6a0 R08: 0000000000000000 R09: 0000000000000000 [40243.621573] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8a75f3b58000 [40243.622907] R13: ffff8a75f3b58000 R14: 0000000000000080 R15: 000000000000bffd [40243.624054] FS: 0000000000000000(0000) GS:ffff8a787d1b4000(0000) knlGS:0000000000000000 [40243.625331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [40243.626269] CR2: 000072f390b623c0 CR3: 000000011c02a003 CR4: 0000000000372ef0 [40243.627408] Call Trace: [40243.627839] <TASK> [40243.628188] __prep_cap+0x3fd/0x4a0 [40243.628789] ? do_raw_spin_unlock+0x4e/0xe0 [40243.629474] ceph_check_caps+0x46a/0xc80 [40243.630094] ? __lock_acquire+0x4a2/0x2650 [40243.630773] ? find_held_lock+0x31/0x90 [40243.631347] ? handle_cap_grant+0x79f/0x1060 [40243.632068] ? lock_release+0xd9/0x300 [40243.632696] ? __mutex_unlock_slowpath+0x3e/0x340 [40243.633429] ? lock_release+0xd9/0x300 [40243.634052] handle_cap_grant+0xcf6/0x1060 [40243.634745] ceph_handle_caps+0x122b/0x2110 [40243.635415] mds_dispatch+0x5bd/0x2160 [40243.636034] ? ceph_con_process_message+0x65/0x190 [40243.636828] ? lock_release+0xd9/0x300 [40243.637431] ceph_con_process_message+0x7a/0x190 [40243.638184] ? kfree+0x311/0x4f0 [40243.638749] ? kfree+0x311/0x4f0 [40243.639268] process_message+0x16/0x1a0 [40243.639915] ? sg_free_table+0x39/0x90 [40243.640572] ceph_con_v2_try_read+0xf58/0x2120 [40243.641255] ? lock_acquire+0xc8/0x300 [40243.641863] ceph_con_workfn+0x151/0x820 [40243.642493] process_one_work+0x22f/0x630 [40243.643093] ? process_one_work+0x254/0x630 [40243.643770] worker_thread+0x1e2/0x400 [40243.644332] ? __pfx_worker_thread+0x10/0x10 [40243.645020] kthread+0x109/0x140 [40243.645560] ? __pfx_kthread+0x10/0x10 [40243.646125] ret_from_fork+0x3f8/0x480 [40243.646752] ? __pfx_kthread+0x10/0x10 [40243.647316] ? __pfx_kthread+0x10/0x10 [40243.647919] ret_from_fork_asm+0x1a/0x30 [40243.648556] </TASK> [40243.648902] Modules linked in: overlay hctr2 libpolyval chacha libchacha adiantum libnh libpoly1305 essiv intel_rapl_msr intel_rapl_common intel_uncore_frequency_common skx_edac_common nfit kvm_intel kvm irqbypass joydev ghash_clmulni_intel aesni_intel rapl input_leds mac_hid psmouse vga16fb serio_raw vgastate floppy i2c_piix4 pata_acpi bochs qemu_fw_cfg i2c_smbus sch_fq_codel rbd dm_crypt msr parport_pc ppdev lp parport efi_pstore [40243.654766] ---[ end trace 0000000000000000 ]--- Commit d93231a6bc8a ("ceph: prevent a client from exceeding the MDS maximum xattr size") moved the required_blob_size computation to before the __build_xattrs() call, introducing a race. __build_xattrs() releases and reacquires i_ceph_lock during execution. In that window, handle_cap_grant() may update i_xattrs.blob with a newer MDS-provided blob and bump i_xattrs.version. When __bui ---truncated---

Debian Ubuntu Denial Of Service Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52960 HIGH PATCH This Week

Denial of service in the Linux kernel's CephFS (ceph) client allows local users with an active CephFS mount to leak kernel memory by triggering the dirty-page writeback path. The flaw stems from a missing reference release on folios that the writeback batch holds but removes as unsuitable, gradually pinning pages and exhausting kernel memory (CVSS 7.5, availability-only). No public exploit identified at time of analysis; EPSS is low at 0.16% (6th percentile), and it is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52959 HIGH PATCH This Week

Page allocator corruption in the Linux kernel's AMD SEV-SNP guest driver (virt/sev-guest) affects confidential-computing guests running kernels from 6.14 onward. When a guest issues an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST), an untrusted host can return SNP_GUEST_VMM_ERR_INVALID_LEN with a length that does not match the original allocation; the cleanup path then frees pages using a host-controlled page order, corrupting the guest's page allocator. CVSS is 7.8 (local, high C/I/A), but EPSS is just 0.11% (2nd percentile), and there is no public exploit identified at time of analysis and no CISA KEV listing.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-52958 CRITICAL PATCH Act Now

Out-of-bounds memory access in the Linux kernel's libceph client (osdmap_decode) lets a malicious or compromised Ceph monitor/OSD send a corrupted OSD map whose max_osd field exceeds the actual message length, reading past the allocated buffer. The flaw affects kernels using the in-kernel Ceph client (RBD/CephFS) and is fixed across multiple stable branches. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile), consistent with a memory-safety bug requiring a hostile Ceph endpoint rather than broad internet exposure.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-52957 HIGH PATCH This Week

Denial of service in the Linux kernel's libceph client allows a malicious or corrupted Ceph cluster to crash the kernel via a null pointer dereference in decode_choose_args(). When processing a CEPH_MSG_OSD_MAP message, a crafted CRUSH map containing choose_args with a bucket_index that points to a NULL (unallocated) bucket triggers the crash, because the code validated only that the index stayed within max_buckets, not that the target bucket was non-NULL. There is no public exploit identified at time of analysis, EPSS exploitation probability is low (0.18%, 8th percentile), and the issue is patched upstream.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52956 HIGH PATCH This Week

Denial of service in the Linux kernel's libceph (Ceph client) component allows a malicious or compromised Ceph peer to crash a connecting host during the CephX authentication handshake. The flaw lives in __ceph_x_decrypt(), which reads a ceph_x_encrypt_header (notably hdr->magic) from a decrypted buffer without first verifying the buffer is large enough - a FRAME_TAG_AUTH_REPLY_MORE frame carrying a ciphertext_len of 8 or fewer bytes triggers an out-of-bounds memory access. CVSS is 7.5 (availability-only); EPSS is low at 0.16% (6th percentile), there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52955 CRITICAL PATCH Act Now

Out-of-bounds memory access in the Linux kernel's libceph CRUSH map decoder (crush_decode()) lets a malicious or compromised Ceph cluster corrupt kernel memory on a connecting client. A crafted CEPH_MSG_OSD_MAP message whose bucket carries mismatched algorithm fields (alg vs b->alg) causes memory to be allocated for one bucket type but processed and later freed as another, leading to OOB access during decode and again during crush map destruction. Despite a 9.8 CVSS, there is no public exploit identified at time of analysis and EPSS is low (0.18%, 8th percentile); the realistic attack surface is limited to hosts mounting/connecting to attacker-controlled Ceph (RBD/CephFS) infrastructure.

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-52954 HIGH PATCH This Week

Denial of service in the Linux kernel's libceph (Ceph client) subsystem allows a malicious or compromised Ceph monitor/OSD to crash a connected client by sending a crafted CEPH_MSG_OSD_MAP whose embedded CRUSH map carries two choose_args maps sharing the same choose_args_index. The duplicate index trips an assertion in insert_choose_arg_map() during decode_choose_args(), triggering a kernel BUG and panic. CVSS is 7.5 (availability-only); there is no public exploit identified at time of analysis and EPSS is low at 0.18% (8th percentile).

Linux Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52953 HIGH PATCH This Week

Local denial of service in the Linux kernel's Intel VT-d (iommu/vt-d) driver lets a privileged user crash the host by terminating a QEMU/VFIO guest, triggering a general-protection-fault oops. The flaw lives in domain_remove_dev_pasid(), which dereferences the global static blocked domain - a dummy iommu_domain with no backing dmar_domain - during PASID teardown on device reset. No public exploit is identified at time of analysis; EPSS is low (0.17%, 7th percentile) and it is not in CISA KEV.

Linux Canonical Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-52952 HIGH PATCH This Week

Use-after-free in the Linux kernel's IOMMU subsystem allows a local low-privileged actor with device-management access to corrupt kernel memory by racing a domain re-attach against an in-progress PCI device reset. The flaw lies in __iommu_group_set_domain_internal(), where the group->recovery_cnt fence wrongly rejected mandatory detach/teardown callers (IOMMU_SET_DOMAIN_MUST_SUCCEED), so group->domain could be freed while still referenced, and pci_dev_reset_iommu_done() could then re-attach the dangling pointer. EPSS is low at 0.16% (6th percentile) and there is no public exploit identified at time of analysis, but the high CVSS (8.8) reflects full kernel-memory confidentiality, integrity, and availability impact.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-52951 HIGH PATCH This Week

Local denial of service in the Linux kernel's Intel Xe DRM driver (drm/xe/dma-buf) arises from use-after-free and NULL pointer dereference race conditions in the dma-buf import path, affecting kernels from 6.8 through the fixes in 6.12.91, 6.18.33, 7.0.10 and 7.1. When a buffer object is shared from another GPU driver such as amdgpu, the exporter can invoke the Xe invalidate_mappings hook against a partially initialized or already-freed bo, crashing the system; two customers reported NULL ptr derefs in evict_flags. This is tagged Denial of Service, has no public exploit identified at time of analysis, and carries a low EPSS of 0.18% (7th percentile).

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52950 HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's Intel Xe DRM graphics driver (drm/xe) arises from a use-after-free in the dma-buf import path, where an error-handling retry loop operates on a buffer object (bo) that has already been freed. Affecting kernel 6.18 series before the 6.18.33 stable fix, a local low-privileged user with access to the Xe DRM device can trigger the freed-object access to corrupt kernel memory or leak data. There is no public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile), consistent with a local-only, driver-specific bug rather than mass-exploited remote flaw.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52949 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Fix ttm_bo_shrink() infinite LRU walk on backup failure Apply the same fix as b2ed01e7ad ("drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure") to the ttm_bo_shrink() path. Move del_bulk_move from before the backup to after success only, using ttm_resource_del_bulk_move_unevictable() since the resource is now unevictable once fully backed up.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52948 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong timeout value` warning was observed, accompanied by SMBus controller state machine corruption. The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of 10 ms. The user argument is checked against INT_MAX, but it is subsequently multiplied by 10 before being passed to msecs_to_jiffies(). A malicious user can pass a large value (e.g., 429496729) that passes the `arg > INT_MAX` check but overflows when multiplied by 10. This results in a truncated 32-bit unsigned value that bypasses the internal `(int)m < 0` check in `msecs_to_jiffies()`. The truncated value is then assigned to `client->adapter->timeout` (a signed 32-bit int), which is reinterpreted as a negative number. When passed to wait_for_completion_timeout(), this negative value undergoes sign extension to a 64-bit unsigned long, triggering the `schedule_timeout` warning and causing premature returns. This leaves the SMBus state machine in an unrecoverable state, constituting a local Denial of Service (DoS). Fix this by bounding the user argument to `INT_MAX / 10`. [wsa: move the comment as well]

Denial Of Service Linux Integer Overflow
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52947 HIGH PATCH This Week

Local privilege escalation and memory corruption is possible in the Linux kernel's QRTR (Qualcomm IPC Router) networking subsystem (net/qrtr/af_qrtr.c), where qrtr_port_remove() decrements a socket's reference count via __sock_put() before erasing the port from the qrtr_ports XArray and before the RCU grace period elapses, violating the RCU update ordering. A concurrent RCU reader (qrtr_reset_ports() or qrtr_port_lookup()) can retrieve the socket and call sock_hold() on an object whose refcount has already reached zero, producing refcount saturation and a use-after-free. The issue was reproduced by syzkaller fuzzing; it carries a CVSS of 7.8 (AV:L), EPSS is low at 0.18% (8th percentile), it is not on CISA KEV, and no public exploit identified at time of analysis.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52946 HIGH PATCH This Week

Remote denial of service in the Linux kernel arises from a SOFTIRQ-safe to SOFTIRQ-unsafe lock-ordering deadlock in the fasync signaling path (fs/fcntl), where send_sigio() and send_sigurg() take read_lock(&tasklist_lock) from softirq context while traversing a process group (PIDTYPE_PGID). When this collides with a writer spinning on tasklist_lock during fork()/exit(), the CPU can deadlock and hang. The flaw is reachable remotely via TCP URG packets (send_sigurg through NET_RX_SOFTIRQ), affects multiple stable branches, and is fixed by switching the traversal to RCU. There is no public exploit identified at time of analysis and EPSS is low (0.18%).

Code Injection Linux
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52945 HIGH PATCH This Week

Denial of service in the Linux kernel's WireGuard module causes the receive/decryption path to permanently stall for an individual peer under heavy network load. Affected stable trees (notably 6.12.34 through 6.12.73, with the same defect originating in 5.15/6.1 where threaded NAPI became default) can have inbound traffic to a specific WireGuard peer halt completely once the per-peer rx_queue fills its 1024-packet backlog and wg_packet_rx_poll is never rescheduled. The condition was reported by multiple production Cilium/Kubernetes operators; there is no public exploit identified at time of analysis and EPSS is very low (0.10%, 1st percentile).

Linux Kubernetes Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-52944 MEDIUM PATCH This Month

Unauthorized file attribute modification in the Linux kernel's ksmbd SMB server allows authenticated SMB clients to invoke FSCTL_SET_SPARSE and alter a file's sparse xattr without required permissions, bypassing both share-level and per-handle access controls. Two distinct authorization gaps exist: clients on read-only shares can issue the control code because fsctl_set_sparse() omits the KSMBD_TREE_CONN_FLAG_WRITABLE check that other FSCTL write operations enforce, and clients on writable shares with insufficient handle rights (lacking FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES) can modify the attribute because per-handle checks are entirely absent. No active exploitation is confirmed - the vulnerability is absent from CISA KEV and carries an EPSS of 0.22% (12th percentile) - but the exposure surface is any network-reachable ksmbd deployment serving untrusted SMB clients.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52943 HIGH PATCH This Week

Local privilege escalation in the Linux kernel networking stack (skbuff/MSG_ZEROCOPY path) allows an unprivileged local user to gain full root via a use-after-free on ubuf_info_msgzc. The pskb_carve_inside_header() and pskb_carve_inside_nonlinear() helpers memcpy the skb_shared_info (including the zerocopy destructor_arg/uarg pointer) into a new buffer without calling net_zcopy_get(), so the uarg refcount is decremented more times than it was incremented, freeing the ubuf_info while live TX skbs still reference it. A working proof-of-concept exists that achieves reliable root escalation on a default kernel configuration; the issue is not listed in CISA KEV and EPSS probability is low (0.21%, 11th percentile).

Privilege Escalation Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52942 HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel netfilter netdev logger (nf_log_syslog) lets a local low-privileged attacker leak adjacent slab memory into the kernel log and potentially crash the system. The flaw is in dump_mac_header(), whose fallback path tests skb->mac_header != skb->network_header but omits skb_mac_header_was_set(); an unset MAC header (value 0xffff) passes the check and causes a read ~64 KiB past the skb buffer. Fixed in stable kernels (e.g., 6.18.36, 6.12.94, 6.6.143, 6.1.176, 5.15.210, 7.0.13/7.1); no public exploit identified at time of analysis and EPSS is low at 0.17%.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-52941 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel SMC subsystem's smc_msg_event tracepoint crashes the kernel when SMC-D socket traffic is processed while the tracepoint is active. Affected kernels from commit aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84 across multiple stable branches dereference conn->lnk unconditionally in the tracepoint, though this pointer is only valid for SMC-R connections and is NULL for SMC-D. While activating the tracepoint requires root, the crash itself can be triggered by any unprivileged user via AF_SMC socket operations on SMC-D capable systems (s390 natively, or x86 with loopback ISM loaded). No public exploit or active exploitation confirmed; EPSS sits at 0.16%.

Linux Canonical Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52940 MEDIUM PATCH This Month

Kernel stack memory disclosure in the Linux TUN driver exposes 14 bytes of uninitialized stack data to unprivileged local users on every read of a non-tunnel packet. The flaw affects Linux systems where a local user can open a TUN device and issue the TUNSETVNETHDRSZ ioctl to set the vnet header size to 24 bytes. No public exploit or active exploitation has been identified; EPSS is 0.15% (5th percentile), consistent with a local-only information disclosure requiring deliberate TUN device configuration.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52939 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel RDS/InfiniBand subsystem allows an unprivileged local user to trigger a kernel panic by sending an atomic cmsg over an active RDS/IB connection. The completion handler rds_ib_send_unmap_op() lacks switch cases for masked atomic opcodes (IB_WR_MASKED_ATOMIC_CMP_AND_SWP, IB_WR_MASKED_ATOMIC_FETCH_AND_ADD), returning rm=NULL while the send operation remains flagged, leading to a fatal NULL dereference at rm->m_final_op in softirq context. No public exploit has been identified and EPSS is 0.16% (6th percentile), but the crash is deterministic and reproducible on any system with mlx4/mlx5 InfiniBand hardware running an unpatched kernel with active RDS/IB connections.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52938 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's BPF socket storage subsystem (net/core/bpf_sk_storage.c) allows a local low-privileged user to crash the kernel. The race condition between bpf_selem_unlink_nofail() - which nulls smap before removing the element from the hlist - and concurrent RCU readers in bpf_sk_storage_clone() and bpf_sk_storage_diag_put_all() can be triggered during TCP SYN handling (socket cloning path), producing a kernel panic. No public exploit identified at time of analysis; EPSS of 0.14% (4th percentile) confirms negligible observed exploitation probability.

Linux Canonical Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-52937 MEDIUM PATCH This Month

Stack information disclosure in the Linux kernel's tap/macvtap driver exposes 8 bytes of uninitialized kernel stack contents to local users via the SIOCGIFHWADDR ioctl, leaking kernel .text and direct-map pointers that defeat KASLR. The affected code path in tap_ioctl() copies a 16-byte sockaddr_storage to userspace while netif_get_mac_address() initializes only 8 bytes (sa_family plus 6-byte Ethernet address), leaving the trailing 8 bytes unread. No public exploit is identified at time of analysis and EPSS sits at 0.15% (5th percentile), but KASLR bypass primitives of this type are routinely chained with local privilege-escalation exploits to gain kernel code-execution. NOTE: The provided CVSS vector (C:N/I:N/A:H) appears to misclassify this vulnerability - confidentiality is the impacted property, not availability; the assessed vector below corrects this.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52936 MEDIUM PATCH This Month

CPU stall vulnerability in the Linux kernel jitterentropy subsystem allows local low-privileged users to trigger prolonged non-preemptible spinlock holds by spawning concurrent entropy requests through jent_kcapi_random(), which holds a spinlock across expensive SHA3 conditioning and jitter collection. Systems running kernel versions from approximately 4.2 through pre-fix stable branches face entropy starvation and CPU busy-wait degradation under parallel getrandom() load. No public exploit identified at time of analysis; EPSS is 0.16% at the 5th percentile and no CISA KEV listing applies, making this a low-urgency, operator-pace patch for most deployments.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52935 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's xfrm espintcp (ESP-in-TCP IPsec encapsulation) send path allows a local user with a socket using espintcp to corrupt the one-message-at-a-time transmit state, leading to memory disclosure or a crash. The flaw stems from espintcp_sendmsg() reinitializing emsg->skmsg and reusing ctx->partial while a previous partial send is still in flight, attaching a stale offset to a fresh sk_msg. No public exploit is identified at time of analysis and EPSS is low (0.16%, 6th percentile), reflecting a niche, configuration-dependent attack surface rather than broad exploitability.

Linux Memory Corruption Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52934 HIGH PATCH This Week

Kernel heap memory corruption affects the batman-adv (B.A.T.M.A.N. Advanced) mesh routing subsystem of the Linux kernel, where a u16 accumulator in batadv_tvlv_container_list_size() can wrap around when the total size of registered TVLV containers exceeds 65535 bytes, leading to an undersized allocation and a subsequent out-of-bounds memcpy write in batadv_tvlv_container_ogm_append(). An attacker positioned on the mesh able to drive TVLV container accumulation past U16_MAX can corrupt adjacent kernel memory, risking denial of service or potential code execution. This is no public exploit identified at time of analysis, EPSS exploitation probability is low (0.16%), and it is not listed in CISA KEV.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-52933 HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel's io_uring poll subsystem arises from a signed-comparison flaw in io_poll_get_ownership(), where atomic_read() returns a signed int and the IO_POLL_CANCEL_FLAG (BIT(31)) makes poll_refs negative, so the '>= IO_POLL_REF_BIAS' slowpath check is never taken. Affecting kernels from the 5.15/6.x stable series through pre-patch 7.x, a local user with io_uring access can drive poll-reference accounting into an incorrect state during request cancellation, with CVSS 7.8 (AV:L) rating high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and EPSS is low (0.16%, 6th percentile), but a vendor patch is available across stable branches.

Linux Denial Of Service
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52932 HIGH PATCH This Week

Memory leak in the Linux kernel's xfrm IPComp (IP Payload Compression) code allows resource exhaustion because the destination scatter-gather page list is not freed when an asynchronous compression (acomp) operation fails. Affecting Linux 6.15 through the fixed stable releases, the flaw lets repeated compression errors progressively consume kernel memory, with CVSS scoring only availability impact (A:H). There is no public exploit identified at time of analysis and EPSS is low at 0.15%.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52931 CRITICAL PATCH Act Now

Use of uninitialized sender variables in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh networking module allows a malicious mesh peer to trigger undefined behavior on a node acting as a tp_meter receiver. When such a node receives a crafted ACK packet, batadv_tp_recv_ack() and batadv_tp_stop() execute sender-only code paths that read tp_vars members never initialized for the receiver role, potentially leaking memory contents or crashing the kernel. No public exploit identified at time of analysis; EPSS probability is low (0.17%, 6th percentile) and the issue is not in CISA KEV, but a vendor patch is available across multiple stable trees.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-52930 MEDIUM PATCH This Month

Race condition in the Linux kernel's System V IPC shared memory subsystem allows a local low-privileged attacker to crash the kernel. The `shm_destroy_orphaned()` cleanup path evaluates whether an orphaned segment is safe to destroy by checking `shm_nattch` without holding `shm_perm.lock`, while the attach/detach paths update that counter independently of `shm_ids(ns).rwsem`, creating a window where a still-attached segment is erroneously destroyed. The EPSS score is 0.17% (6th percentile) and no KEV listing or public exploit exists, placing this firmly in the routine-patching tier rather than emergency response.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52929 HIGH PATCH This Week

Remote denial-of-service in the Linux kernel SCTP stack arises from incomplete rollback when an ADD_OUT_STREAMS (add outgoing streams) reconfiguration request is denied; the kernel shrinks queued chunks and lowers outcnt but leaves stale stream metadata behind, so a later stream re-add reuses a freed/stale 'ext' object and triggers a NULL-pointer dereference in the scheduler get path. Any remote SCTP peer that can negotiate stream reconfiguration on an established association can crash the host, with no authentication or user interaction required per the CVSS vector (AV:N/AC:L/PR:N/UI:N, A:H). There is no public exploit identified at time of analysis and EPSS is low (0.16%), indicating no observed weaponization.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52928 MEDIUM PATCH This Month

Availability disruption in the Linux kernel's AF_UNIX socket subsystem allows a local low-privileged user to trigger an unhandled code path by issuing a SIOCATMARK ioctl on non-stream (SOCK_DGRAM or SOCK_SEQPACKET) AF_UNIX sockets, which the kernel incorrectly permits to proceed into receive-queue inspection logic intended only for SOCK_STREAM. The flaw stems from a logic inconsistency: while SOCK_DGRAM and SOCK_SEQPACKET already reject MSG_OOB in sendmsg()/recvmsg(), the SIOCATMARK ioctl handler lacked the corresponding guard, creating an exploitable divergence. No public exploit or CISA KEV listing exists; EPSS at 0.16% (5th percentile) reflects a very low real-world exploitation probability.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52927 HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel ebtables 32-bit compat layer (compat_mtw_from_user) lets a local low-privileged user holding CAP_NET_ADMIN trigger KASAN-detected OOB reads by supplying an undersized match_size/target_size for an extension whose ->compat_from_user() callback assumes it can read compatsize bytes. It affects Linux from 2.6.34 through builds before the fix and is resolved upstream across all maintained stable branches; no public exploit is identified at time of analysis and EPSS is low (0.16%, 6th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds write in the Linux kernel's AMD Cryptographic Coprocessor (ccp) driver allows a local low-privileged user to overrun a caller-supplied IV buffer by 8 bytes when issuing rfc3686(ctr(aes)) requests through the AF_ALG socket interface. The ccp_aes_complete() handler unconditionally copies AES_BLOCK_SIZE (16 bytes) back into the IV buffer, but RFC3686 skciphers expose only an 8-byte IV, corrupting adjacent memory. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and the EPSS probability is low (0.18%, 7th percentile).

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Integer truncation in the Linux kernel's EROFS filesystem driver on 32-bit platforms causes logical cluster number (LCN) calculations to overflow at the 4 GiB boundary, resulting in incorrect block addressing and potential kernel-level availability impact. Affected systems are those running 32-bit Linux kernels (where `unsigned long` is 32 bits wide) with EROFS filesystems mounted. No public exploit exists and no active exploitation has been confirmed; EPSS stands at a very low 0.17% (6th percentile), consistent with the niche attack surface of 32-bit deployments.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel panic via skb headroom exhaustion in the Linux kernel's Traffic Control (TC) act_mirred subsystem affects systems using block-cast packet redirection across mixed device types. The root cause is a copy-paste error in tcf_blockcast_redir() where dev_is_mac_header_xmit() is queried against the next device in the iteration (dev) rather than the device currently being transmitted to (dev_prev), causing tcf_mirred_to_dev() to make wrong MAC header push/pull decisions for intermediate devices. In the worst case, skb_push_rcsum is called with an incorrect mac_len, exhausting socket buffer headroom and triggering a kernel panic. No public exploit code has been identified and EPSS is 0.17% at the 6th percentile, consistent with low real-world exploitation interest.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF macvlan_get_size() does not account for IFLA_MACVLAN_BC_CUTOFF, but macvlan_fill_info() conditionally includes it when port->bc_cutoff != 1. This causes nla_put_s32() to fail with -EMSGSIZE when the netlink skb runs out of space, triggering a WARN_ON in rtnetlink and preventing the interface from being dumped. The bug can be reproduced with: ip link add macvlan0 link eth0 type macvlan mode bridge ip link set macvlan0 type macvlan bc_cutoff 0 ip -d link show macvlan0 # fails with -EMSGSIZE The bc_cutoff feature was added in commit 954d1fa1ac93 ("macvlan: Add netlink attribute for broadcast cutoff"), which added the nla_put_s32() call in macvlan_fill_info() but missed adding the corresponding nla_total_size(4) in macvlan_get_size(). A follow-up commit 55cef78c244d ("macvlan: add forgotten nla_policy for IFLA_MACVLAN_BC_CUTOFF") fixed the missing nla_policy entry but still did not fix the size calculation.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: nexthop: fix IPv6 route referencing IPv4 nexthop syzbot reported a panic [1] [2]. When an IPv6 nexthop is replaced with an IPv4 nexthop, the has_v4 flag of all groups containing this nexthop is not updated. This is because nh_group_v4_update is only called when replacing AF_INET to AF_INET6, but the reverse direction (AF_INET6 to AF_INET) is missed. This allows a stale has_v4=false to bypass fib6_check_nexthop, causing IPv6 routes to be attached to groups that effectively contain only AF_INET members. Subsequent route lookups then call nexthop_fib6_nh() which returns NULL for the AF_INET member, leading to a NULL pointer dereference. Fix by calling nh_group_v4_update whenever the family changes, not just AF_INET to AF_INET6. Reproducer: ip -6 nexthop add id 1 blackhole ip nexthop add id 100 group 1 ip nexthop replace id 1 blackhole ip -6 route add 2001:db8::/64 nhid 100 ping -6 2001:db8::1 [1] https://syzkaller.appspot.com/bug?id=e17283eb2f8dcf3dd9b47fe6f67a95f71faadad0 [2] https://syzkaller.appspot.com/bug?id=8699b6ae54c9f35837d925686208402949e12ef3

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's taprio traffic scheduler (net/sched) arises from a use-after-free in advance_sched() during an admin-to-oper schedule switch, affecting kernels from 5.2 through the fixed releases. After switch_schedules() queues the old oper schedule for RCU freeing, the 'next' pointer still references a freed entry that is then written to and published via rcu_assign_pointer(), letting a local user with network-configuration capability corrupt kernel memory for potential code execution. No public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile), consistent with a complex local-only TSN feature rather than mass exploitation.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use-after-free in the Linux kernel's ksmbd in-kernel SMB3 server occurs during durable handle reconnect, where smb2_open prematurely drops the durable file reference via ksmbd_put_durable_fd(fp); a subsequent error path or scavenger access then dereferences freed fp fields (e.g., fp->create_time). Affecting Linux ksmbd across multiple stable branches and fixed in releases such as 6.6.32, 6.18.33, 7.0.10, and 7.1, the flaw is rated CVSS 9.8 but carries a low EPSS of 0.17% (6th percentile); it is not in CISA KEV and no public exploit identified at time of analysis. An attacker with SMB access can trigger memory corruption potentially leading to information disclosure, denial of service, or code execution in kernel context.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-impacting memory corruption in the Linux kernel's Intel ice network driver allows a double-free of a transmit buffer's skb when the TX offload paths fail. When ice_tso() or ice_tx_csum() return an error, ice_xmit_frame_ring() frees the skb but leaves the 'first' tx_buf still marked ICE_TX_BUF_SKB, so a later ice_clean_tx_ring() during interface teardown frees the same skb a second time. Carries a CVSS 3.1 base of 7.8 (AV:L/PR:L), but with a low EPSS of 0.15% (5th percentile), no KEV listing, and no public exploit identified at time of analysis.

Code Injection Linux Intel
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel ICE (Intel Ethernet Controller) driver allows a local low-privileged attacker to trigger a kernel panic via a race condition during TX timestamp ring teardown. The flaw exists in systems using Intel ICE-series NICs with TX timestamping configured, where concurrent execution of ice_free_tx_tstamp_ring() and ice_tx_map() across CPU cores can cause CPU B to dereference a pointer that CPU A has already set to NULL. No public exploit or active exploitation has been identified; EPSS is 0.15% (5th percentile), consistent with its local, timing-dependent nature.

Denial Of Service Race Condition Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

In the Linux kernel, the following vulnerability has been resolved: ice: fix potential NULL pointer deref in error path of ice_set_ringparam() ice_set_ringparam nullifies tstamp_ring of temporary tx_rings, without clearing ICE_TX_RING_FLAGS_TXTIME bit. When ICE_TX_RING_FLAGS_TXTIME is set and the subsequent ice_setup_tx_ring() call fails, a NULL pointer dereference could happen in the unwinding sequence: ice_clean_tx_ring() -> ice_is_txtime_cfg() == true (ICE_TX_RING_FLAGS_TXTIME is set) -> ice_free_tx_tstamp_ring() -> ice_free_tstamp_ring() -> tstamp_ring->desc (NULL deref) Clear ICE_TX_RING_FLAGS_TXTIME bit to avoid the potential issue. Note that this potential issue is found by manual code review. Compile test only since unfortunately I don't have E830 devices.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use-after-free in the Linux kernel's IPv6 ICMPv6 receive path (icmpv6_rcv()) allows stale pointers to freed socket buffer memory to be dereferenced after a pskb_pull() call relocates skb->head. The affected code cached the source and destination addresses (saddr/daddr) before the pull, and these stale references were only consumed by net_dbg_ratelimited() in the slow path, limiting practical impact. The flaw is fixed upstream across all maintained stable trees; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile).

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local use-after-free in the Linux kernel's AF_UNIX subsystem occurs when SOCKMAP (BPF socket map) redirects skbs carrying inflight file descriptors, hiding them from the AF_UNIX garbage collector and breaking the Tarjan-based GC's assumption that unix_edge.successor stays alive — producing a slab use-after-free in unix_del_edges() plus inflight-socket leaks and incorrect fdinfo accounting. Affected are kernels supporting SOCKMAP/sk_psock redirect (roughly 5.15 through pre-fix 7.x trees); a local attacker who can set up SOCKMAP redirection and pass SCM_RIGHTS descriptors can corrupt kernel memory toward privilege escalation or denial of service. There is no public exploit identified at time of analysis, EPSS is low (0.16%, 6th percentile), and it is not in CISA KEV.

Linux Information Disclosure Debian +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds write in the Linux kernel SCTP stack (sctp_getsockopt_peer_auth_chunks) lets a local unprivileged process trigger an 8-byte overrun past its own supplied getsockopt buffer, silently corrupting adjacent data in the caller's userspace address space. The bug is a size-check that omits the 8-byte sizeof(struct sctp_authchunks) header, so a buffer sized exactly to num_chunks passes validation but copy_to_user still writes the struct header. There is no public exploit identified at time of analysis (not in CISA KEV; EPSS 0.18%), though the kernel changelog cites a working reproducer on v7.0-13-generic, and a vendor patch is available.

Buffer Overflow Memory Corruption Linux
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel's PPPoE/PPP driver allows a malicious or broken peer to crash affected hosts by sending PPP frames with a compressed (1-byte) Protocol Field. Because pppd never negotiates Protocol Field Compression for PPPoE yet ppp_input() still accepted compressed frames, the payload is shifted one byte, producing a 4-byte misaligned network header that can raise unaligned-access exceptions on architectures that do not tolerate them. There is no public exploit identified at time of analysis; EPSS is low (0.18%, 7th percentile) and the issue is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Stack out-of-bounds write in the Linux kernel's netfilter connection-tracking SIP application-layer gateway (ALG) allows remote attackers to corrupt kernel stack memory by sending crafted SIP/SDP traffic through a NAT device. The flaw lives in mangle_content_len(), reached via nf_nat_sdp_session → process_sdp when rewriting the SDP Content-Length during SIP INVITE handling, where an unbounded sprintf() overflowed an undersized stack buffer (caught by KASAN). There is no public exploit identified at time of analysis and EPSS is low (0.18%), so despite the NVD 9.8 rating the practical risk is gated by whether the SIP conntrack/NAT helper is in use.

Linux Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: netfilter: xtables: restrict several matches to inet family This is a partial revert of: commit ab4f21e6fb1c ("netfilter: xtables: use NFPROTO_UNSPEC in more extensions") to allow ipv4 and ipv6 only. - xt_mac - xt_owner - xt_physdev These extensions are not used by ebtables in userspace. Moreover, xt_realm is only for ipv4, since dst->tclassid is ipv4 specific.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation / memory corruption in the Linux kernel's netfilter NAT subsystem (introduced in v5.14) arises because nf_nat_register_fn() freed nf_hook_ops structures immediately rather than deferring the release via RCU. Because the v5.14-era nfnetlink_hook feature lets userspace dump active netfilter hooks by peeking into the ops blob, a concurrent dump racing the NAT (un)register error path can access ops memory after it is freed. No public exploit has been identified at time of analysis and EPSS is low (0.17%), but the high-impact CVSS vector reflects a use-after-free class flaw in a core kernel subsystem.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds read in the Linux kernel's netfilter nfnetlink_osf (passive OS fingerprinting) module occurs when the shared nf_osf_hdr_ctx->optp pointer is not reset after a fingerprint fully matches during TCP option parsing. Affecting systems that use the osf match with NF_OSF_LOGLEVEL_ALL enabled, the flaw causes subsequent fingerprint checks to parse beyond the end of the TCP options buffer, reading garbage data and producing incorrect or missing match logs. Although carrying a 9.1 CVSS, this is a functional/correctness bug in a niche feature; there is no public exploit identified at time of analysis and EPSS is low (0.18%, 7th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Kernel panic (denial of service) in the Linux kernel netfilter nfnetlink_osf module occurs because nf_osf_ttl() dereferences skb->dev during its TTL check without validating the device pointer, allowing a crafted packet to trigger a NULL pointer dereference on hosts using the OS-fingerprint (osf) match. The flaw affects systems with nftables/iptables rulesets that employ the osf TTL check, and is rated availability-only impact (CVSS 7.5, AV:N/A:H). There is no public exploit identified at time of analysis, EPSS is low (0.18%, 7th percentile), and it is not in CISA KEV; the fix has been merged across multiple stable trees.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's sch_dualpi2 queuing discipline (net/sched) allows a local attacker with low privileges to crash the kernel, causing a denial of service. The flaw exists in dualpi2_change(), which enforces updated queue limits after a qdisc reconfiguration: when traffic is exclusively queued in the L-queue and the C-queue is empty, the function unconditionally dereferences the NULL skb returned by the C-queue dequeue path, triggering a kernel panic. No public exploit code has been identified and EPSS sits at 0.17% (7th percentile), consistent with a locally-triggered, configuration-dependent kernel bug.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource exhaustion in the Linux kernel ksmbd SMB server allows a low-privileged authenticated SMB client to leak kernel file descriptor references by sending repeated SMB2 CREATE requests with a DURABLE_HANDLE_REQUEST_V2 context that produces a CreateGuid hit but a ClientGUID mismatch. Each such request increments the refcount on a ksmbd_file via ksmbd_fp_get() in ksmbd_lookup_fd_cguid() but the mismatch code path never calls the matching release, causing global_ft entries to be pinned indefinitely. Over time this defeats the durable file scavenger and causes long-lived kernel resource leaks that can degrade or deny availability. No public exploit has been identified at time of analysis and EPSS is 0.19% (9th percentile), indicating low opportunistic exploitation probability.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stack memory disclosure in the Linux kernel RDS/IB subsystem exposes up to 26 bytes of uninitialized kernel stack contents - including kernel text and data pointers - to local unprivileged users via the getsockopt(SOL_RDS, RDS_INFO_IB_CONNECTIONS) interface. The leak enables KASLR bypass on systems where the kernel was built without CONFIG_INIT_STACK_ALL_ZERO=y, making this a useful primitive for chaining into privilege escalation. No public exploit code and no CISA KEV listing exist at time of analysis; EPSS is very low at 0.18% (7th percentile), but the CVE description itself supplies a complete, step-by-step reproduction recipe that reduces practical exploitation complexity to near-trivial for any local user with AF_RDS socket access.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Improper RLIMIT_MEMLOCK accounting in the Linux kernel's vsock/virtio MSG_ZEROCOPY path allows a local low-privileged user to bypass per-process pinned-page limits, enabling unbounded kernel memory pinning that can drive the system toward memory exhaustion. The flaw is confined to the virtio vsock transport and is not remotely exploitable. No public exploit has been identified and EPSS sits at 0.17% (7th percentile), reflecting low exploitation interest; however, a vendor-confirmed fix is available in stable releases.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Memory corruption in the Linux kernel's TIPC (Transparent Inter-Process Communication) protocol stack allows remote attackers to trigger a double-free in tipc_buf_append() during message reassembly, where tipc_msg_validate() may reallocate and free the working skb while the error path frees a now-stale pointer. Affected systems are those running a vulnerable kernel (introduced around 4.15-era code, present across 5.10-7.0 branches) with the TIPC subsystem in use; successful exploitation can crash the kernel and, depending on heap conditions, potentially lead to privilege escalation. There is no public exploit identified at time of analysis, EPSS risk is low (0.18%, 7th percentile), and it is not listed in CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds heap write in the Linux kernel's ADFS (Acorn Disc Filing System) driver allows a local attacker to corrupt kernel memory by mounting a crafted new-format ADFS disc image whose disc record declares a zone count of zero. adfs_read_map() forwards nzones==0 to kmalloc_array(0, ...), which returns ZERO_SIZE_PTR, and adfs_map_layout() then writes to dm[-1], an out-of-bounds write before the allocated buffer. The flaw was found by syzkaller; there is no public exploit identified at time of analysis and EPSS scores it at just 0.18% (8th percentile).

Buffer Overflow Memory Corruption Linux
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-escalation-capable memory corruption in the Linux kernel's PSI (Pressure Stall Information) subsystem allows a local user with write access to cgroup pressure files to trigger a use-after-free or NULL-pointer dereference. The flaw stems from a race between pressure_write() and cgroup file release/rmdir on the kernfs_open_file->priv pointer, confirmed via a KASAN slab-use-after-free report in pressure_write+0xa4/0x210. No public exploit identified at time of analysis, and EPSS is low (0.19%, 8th percentile), indicating no observed mass exploitation.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource leak in the Linux kernel fsnotify subsystem causes hung tasks and local denial of service via a race condition in fsnotify_recalc_mask(). A local low-privilege user can trigger concurrent mark addition and removal on a filesystem connector object, causing an inode pointer returned by __fsnotify_recalc_mask() to be silently discarded rather than released via fsnotify_drop_object() - permanently blocking the umount path as fsnotify_sb_delete() waits indefinitely on the leaked reference. No public exploit exists and EPSS is at the 7th percentile, indicating negligible opportunistic exploitation risk.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Memory-safety flaw in the Linux kernel's NVMe-over-TCP target driver (nvmet-tcp) lets a connected initiator drive the kernel into reading received network data through an uninitialized iov_iter. Because nvmet_tcp_build_pdu_iovec() reported out-of-bounds PDU length/offset only via a fatal-error side effect while returning void, callers such as nvmet_tcp_handle_h2c_data_pdu() continued and advanced the receive state machine over an uninitialized cmd->recv_msg.msg_iter, leading to memory corruption or denial of service. NVD rates this 9.8 (CVSS:3.1 AV:N/AC:L/PR:N/UI:N), but EPSS is low (0.17%, 7th percentile) and there is no public exploit identified at time of analysis; it is not in CISA KEV.

Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Kernel-memory disclosure and denial of service in the Linux kernel's netfilter nf_tables subsystem arises from unsafe RCU list traversal: a netlink dump can walk a basechain/flowtable hook list concurrently with a ruleset update, racing on partially-published hooks. The fix publishes new hooks via splice_list_rcu() during the commit phase so RCU readers see a consistent list. EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis; the issue is a local race condition affecting privileged ruleset operations rather than a remotely reachable flaw.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and kernel memory corruption is possible in the Linux kernel's AMD GPU driver (amdgpu) via a double drm_exec_fini() in the user-queue validation path. When amdgpu_userq_vm_validate() runs with new_addition set, a failure in amdgpu_ttm_tt_get_user_pages() routes execution to a cleanup label that finalizes the already-freed drm_exec object a second time, corrupting kernel state. No public exploit identified at time of analysis, and EPSS rates exploitation probability at only 0.16% (6th percentile), consistent with a hard-to-trigger local bug rather than a mass-exploited flaw.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Out-of-bounds memory access in the Linux kernel's netfilter SIP connection-tracking helper (nf_conntrack_sip) stems from parsing port numbers in non-NUL-terminated socket-buffer data with simple_strtoul() and dereferencing pointers after sip_parse_addr() without bounds checks. Remote attackers sending crafted SIP messages through a host where the SIP conntrack/NAT helper is active could read past the packet buffer, risking information disclosure or instability (tagged Information Disclosure). Despite a CVSS of 9.8, EPSS is only 0.18% (8th percentile) and no public exploit is identified at time of analysis; a vendor fix is available across multiple stable trees.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: netdevsim: zero initialize struct iphdr in dummy sk_buff Syzbot reports a KMSAN uninit-value originating from nsim_dev_trap_skb_build, with the allocation also being performed in the same function. Fix this by calling skb_put_zero instead of skb_put to guarantee zero initialization of the whole IP header.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Unbounded queue growth in the Linux kernel's netem (Network Emulator) traffic control subsystem allows a local low-privileged user to exhaust kernel memory and trigger a denial of service. The flaw exists because netem_enqueue() enforces queue depth limits using only q->t_len (packets in the internal tfifo), while packets placed into sch->q via the reorder path (__qdisc_enqueue_head) are silently excluded from that count, allowing total queue occupancy to grow beyond sch->limit without bound. No public exploit has been identified and the EPSS score of 0.18% (8th percentile) places this in the lowest exploitation-probability tier; however, the vulnerability affects a wide range of active stable kernel branches and patched versions are available.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial-of-service (TX queue stall) in the Linux kernel's Airoha QDMA Ethernet driver affects systems running on Airoha/MediaTek SoCs where airoha_dev_xmit() accounts inflight packets only across AIROHA_NUM_TX_RING queues while the NAPI completion path settles all netdev TX queues, corrupting Byte Queue Limits (BQL) state. The mismatch can wedge transmit queues and degrade or halt network throughput on the device. EPSS is 0.17% (7th percentile) and there is no public exploit identified at time of analysis; an upstream stable fix exists.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use-after-free in the Linux kernel rtl8150 USB-to-Ethernet driver (drivers/net/usb/rtl8150.c) lets the transmit path read freed socket-buffer memory: rtl8150_start_xmit() reads skb->len for TX byte accounting after usb_submit_urb(), but the URB completion handler write_bulk_callback() can free the skb on another CPU first, producing a slab-use-after-free read flagged by KASAN/syzbot. Affected systems are those using an RTL8150-based USB Ethernet adapter; the practical impact is a stale/garbage stat read or a potential crash from freed-memory access rather than reliable info disclosure. There is no public exploit identified at time of analysis (not in CISA KEV, EPSS 0.18%/8th percentile), and the issue was found and fixed via upstream syzbot fuzzing.

Linux Information Disclosure Use After Free +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Memory exhaustion in the Linux kernel networking stack stems from a socket buffer (SKB) leak in neigh_xmit(): when the function is called against an uninitialized neighbour table - for example NEIGH_ND_TABLE while IPv6 is disabled - it returns -EAFNOSUPPORT and bypasses its out_kfree_skb path, leaking the packet buffer because callers (originally MPLS) rely on neigh_xmit() to take ownership of the skb. Repeated triggering slowly exhausts kernel memory, leading to denial of service (CVSS 7.5, A:H). There is no public exploit identified at time of analysis, and EPSS is low (0.19%, 9th percentile); the upstream fix makes neigh_xmit() assume full ownership and free the skb on every path.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: sched/fair: Clear rel_deadline when initializing forked entities A yield-triggered crash can happen when a newly forked sched_entity enters the fair class with se->rel_deadline unexpectedly set. The failing sequence is: 1. A task is forked while se->rel_deadline is still set. 2. __sched_fork() initializes vruntime, vlag and other sched_entity state, but does not clear rel_deadline. 3. On the first enqueue, enqueue_entity() calls place_entity(). 4. Because se->rel_deadline is set, place_entity() treats se->deadline as a relative deadline and converts it to an absolute deadline by adding the current vruntime. 5. However, the forked entity's deadline is not a valid inherited relative deadline for this new scheduling instance, so the conversion produces an abnormally large deadline. 6. If the task later calls sched_yield(), yield_task_fair() advances se->vruntime to se->deadline. 7. The inflated vruntime is then used by the following enqueue path, where the vruntime-derived key can overflow when multiplied by the entity weight. 8. This corrupts cfs_rq->sum_w_vruntime, breaks EEVDF eligibility calculation, and can eventually make all entities appear ineligible. pick_next_entity() may then return NULL unexpectedly, leading to a later NULL dereference. A captured trace shows the effect clearly. Before yield, the entity's vruntime was around: 9834017729983308 After yield_task_fair() executed: se->vruntime = se->deadline the vruntime jumped to: 19668035460670230 and the deadline was later advanced further to: 19668035463470230 This shows that the deadline had already become abnormally large before yield_task_fair() copied it into vruntime. rel_deadline is only meaningful when se->deadline really carries a relative deadline that still needs to be placed against vruntime. A freshly forked sched_entity should not inherit or retain this state. Clear se->rel_deadline in __sched_fork(), together with the other sched_entity runtime state, so that the first enqueue does not interpret the new entity's deadline as a stale relative deadline.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Race condition in the Linux kernel PSP network subsystem allows a local low-privileged attacker to crash the kernel through a TOCTOU flaw in device association creation. In `psp_assoc_device_get_locked()`, a device reference acquired under RCU becomes stale before the protecting lock is taken if `psp_dev_unregister()` completes concurrently, leaving the kernel operating on freed or invalid device state. No public exploit has been identified and EPSS stands at 0.17% (6th percentile), reflecting minimal active exploitation risk despite the well-characterized code-level race condition.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

In the Linux kernel, the following vulnerability has been resolved: net: psp: require admin permission for dev-set and key-rotate The dev-set and key-rotate netlink operations modify shared device state (PSP version configuration and cryptographic key material, respectively) but do not require CAP_NET_ADMIN. The only access control is psp_dev_check_access() which merely verifies netns membership.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Livelock in the Linux kernel's futex requeue-PI subsystem can hang a system when a signal or timeout interrupts a FUTEX_WAIT_REQUEUE_PI operation concurrently with an active FUTEX_CQ_REQUEUE_PI requeue. The race causes a waiting thread (Task A) to block indefinitely on a hash-bucket lock while a requeue thread (Task B) busy-loops retrying the same operation, consuming all available CPU - worst-case on uniprocessor systems where Task A cannot be scheduled at all. No public exploit is identified and EPSS is 0.17% (7th percentile), but the deterministic nature of the livelock on UP or real-time-scheduled hardware makes this a genuine denial-of-service risk; patches are available across six Linux stable branches.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Linux kernel's drm/xe Intel GPU driver arises from two error-handling defects in xe_exec_queue_create_ioctl() that leave a freed exec queue linked into either the VM's preempt-fence compute list or the hardware engine group list, producing a dangling pointer and a use-after-free. A local user with access to the DRM device on systems running the affected Intel Xe driver (introduced around 6.12) can trigger the faulty cleanup paths to corrupt kernel memory, with potential for code execution at kernel privilege. There is no public exploit identified at time of analysis and EPSS is low (0.18%, 7th percentile); the issue is fixed upstream and in stable releases.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Concurrent access to an unprotected pointer in the Linux kernel's 802.3ad (LACP) bonding driver allows a local user to trigger a data race between the AD state-machine worker and the rtnetlink read path that fetches active aggregator info. Discovered by syzbot/KCSAN, the torn read of the `port->aggregator` pointer can disclose kernel memory state or destabilize the bonding driver on systems configured with LACP NIC teaming. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.18%, 7th percentile).

Linux Information Disclosure Google
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Memory exhaustion (denial of service) in the Linux kernel's TLS device-offload receive path, where a failure during hardware offload setup leaks the strparser anchor socket buffer (skb) and never frees it. Affecting kernels from the introduction of the custom strparser (commit 84c61fe1a75b) onward, repeated triggering of the offload setup-failure path slowly drains kernel memory; CVSS rates availability impact High (7.5) but EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis. The regression was introduced by the kTLS-specific strparser rewrite and does not affect kernels using the standard strparser.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Linux kernel futex subsystem stems from a slab use-after-free in futex_hash_put, triggered when a process shares its mm via CLONE_VM without CLONE_THREAD. The flawed need_futex_hash_allocate_default() check broke the non-concurrency assumption for per-CPU mm->futex_ref allocation, letting a stale +1 bias land on a percpu counter the mm no longer references. Carries CVSS 7.8 (high) with full C/I/A impact; no public exploit identified at time of analysis and EPSS is low (0.17%).

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Integer overflow in the Linux kernel's AF_ALG socket interface (crypto/af_alg.c) lets a local user supply an oversized AEAD associated-data length that wraps during TX buffer size arithmetic, corrupting size checks; the fix caps AD length to 0x80000000. Carrying CVSS 7.0 (AV:L/AC:H/PR:L), it affects any kernel exposing the algif AEAD interface and threatens confidentiality, integrity, and availability through resulting memory corruption. There is no public exploit identified at time of analysis, and EPSS is low at 0.18% (8th percentile), consistent with a local-only, high-complexity issue.

Integer Overflow Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's Amazon ENA (Elastic Network Adapter) PTP Hardware Clock (PHC) get_timestamp path lets a local low-privileged user trigger a NULL/dangling pointer dereference via a race between timestamp reads and clock teardown. The driver checked phc->active and cached the resp pointer from ena_dev->phc.virt_addr before taking the spinlock, so a concurrent ena_com_phc_destroy() could free the DMA memory and NULL virt_addr mid-operation. With a CVSS of 7.8 (high) but EPSS of only 0.17% (7th percentile), this is a memory-safety race with no public exploit identified at time of analysis; it is fixed upstream and patched in stable releases.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: fix missing expect put in obj eval nft_ct_expect_obj_eval() allocates an expectation and may call nf_ct_expect_related(), but never drops its local reference. Add nf_ct_expect_put(exp) before return to balance allocation.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-relevant memory corruption in the Linux kernel's KVM subsystem (kvm_reset_dirty_gfn) lets any process holding /dev/kvm bypass a dirty-ring bounds check via a u64 integer overflow, driving a near-U64_MAX guest frame number into gfn_to_rmap() for an out-of-bounds kvm_rmap_head load and a conditional write-flag clear. Affected are kernels from 5.11 through the 7.x line running VMs on the shadow-paging (legacy/rmap) MMU path. This is a local (AV:L), low-privilege (PR:L) issue rated CVSS 7.8; there is no public exploit identified at time of analysis, EPSS is low at 0.19% (9th percentile), and it is not on CISA KEV.

Integer Overflow Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's KVM s390 PCI adapter-interrupt-forwarding (AIF) code allows a low-privileged local actor on IBM Z (s390x) hosts to read and corrupt kernel memory. The flaw stems from double-scaled pointer arithmetic when indexing the GAIT table in kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and aen_host_forward(), triggered when an adapter interrupt source (aisb) index reaches 32 or higher under ZPCI_NR_DEVICES=512. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.18%, 8th percentile).

Buffer Overflow Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Out-of-bounds read and denial-of-service in the Linux kernel SMB/CIFS client (cifs.ko) affects systems mounting SMB shares on 32-bit architectures. When parsing a malicious SMB2 error response, the symlink_data() routine mishandles a hostile ErrorDataLength value, causing either an infinite loop or a read past the buffer that can hang the client or leak adjacent kernel memory. There is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile), but the bug is reachable by any malicious or compromised SMB server a vulnerable client connects to.

Linux Denial Of Service Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: drm: Replace old pointer to new idr Commit 5e28b7b94408 introduced a logical error by failing to replace the newly generated IDR pointer to old id's pointer at the correct location within the "change handle" logic; this resulted in the issue reported by syzbot [1]. Specifically, the new IDR object pointer is intended to replace the original id's pointer during the normal execution flow. Additionally, an unnecessary conditional check for the ret exit path has been removed. [1] !RB_EMPTY_ROOT(&prime_fpriv->dmabufs) WARNING: drivers/gpu/drm/drm_prime.c:224 at drm_prime_destroy_file_private+0x48/0x60 drivers/gpu/drm/drm_prime.c:224, CPU#0: syz.0.17/5833 Call Trace: drm_file_free.part.0+0x7e6/0xcc0 drivers/gpu/drm/drm_file.c:269 drm_file_free drivers/gpu/drm/drm_file.c:237 [inline] drm_close_helper.isra.0+0x186/0x200 drivers/gpu/drm/drm_file.c:290 drm_release+0x1ab/0x360 drivers/gpu/drm/drm_file.c:438

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure When ttm_tt_swapout() fails, the current code calls ttm_resource_add_bulk_move() followed by ttm_resource_move_to_lru_tail() to restore the resource's bulk_move membership. However, ttm_resource_move_to_lru_tail() places the resource at the tail of the LRU list which, relative to the walk cursor's hitch node (placed immediately after the resource when it was yielded), puts the resource *in front of the* the hitch. The next list_for_each_entry_continue() from the hitch finds the same resource again, causing an infinite loop. Fix by deferring del_bulk_move to the success path only. On the success path, TTM_TT_FLAG_SWAPPED has just been set by ttm_tt_swapout() but the resource is still tracked in the bulk_move range, so ttm_resource_del_bulk_move()'s !ttm_resource_unevictable() guard would incorrectly skip the removal. Introduce ttm_resource_del_bulk_move_unevictable() which bypasses that guard.

Denial Of Service Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Out-of-bounds descriptor read in the Linux kernel ALSA USB MIDI 2.0 subsystem allows a physically proximate or low-privileged local attacker to crash the kernel by presenting a malformed USB audio device with crafted MIDI 2.0 endpoint descriptors. The USB MIDI 2.0 endpoint parser validates bLength against bNumGrpTrmBlock but omits validation against remaining bytes in the endpoint-extra scan, allowing baAssoGrpTrmBlkID[] reads to advance past the descriptor buffer boundary. No public exploit is identified; EPSS stands at 0.18% (7th percentile), consistent with narrow, hardware-dependent attack surface and no active exploitation.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Bound MIDI endpoint descriptor scans snd_usbmidi_get_ms_info() validates the internal MIDIStreaming endpoint descriptor size before using baAssocJackID[], but the descriptor walker can still return a class-specific endpoint descriptor whose bLength exceeds the remaining bytes in the endpoint-extra scan. That leaves later flexible-array reads bounded by bLength, but not by the remaining bytes in the endpoint-extra scan. Stop walking when bLength is zero or extends past the remaining endpoint-extra scan.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Memory leak in the Linux kernel's Ceph client (CephFS) allows a local, low-privileged user to exhaust kernel buffer memory by repeatedly triggering the retry path in __ceph_setxattr(), where the old_blob holding ci->i_xattrs.prealloc_blob is never released via ceph_buffer_put(). The flaw affects systems mounting CephFS and is addressed by an upstream stable fix; there is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.18%). Note: the CWE-787 (out-of-bounds write) classification and 'Buffer Overflow' tag conflict with the description, which describes a resource/buffer leak rather than memory corruption.

Buffer Overflow Memory Corruption Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size The generic/642 test-case can reproduce the kernel crash: [40243.605254] ------------[ cut here ]------------ [40243.605956] kernel BUG at fs/ceph/xattr.c:918! [40243.607142] Oops: invalid opcode: 0000 [#1] SMP PTI [40243.608067] CPU: 7 UID: 0 PID: 498762 Comm: kworker/7:1 Not tainted 7.0.0-rc7+ #3 PREEMPT(full) [40243.609700] Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [40243.611820] Workqueue: ceph-msgr ceph_con_workfn [40243.612715] RIP: 0010:__ceph_build_xattrs_blob+0x1b8/0x1e0 [40243.613731] Code: 0f 84 82 fe ff ff e9 cf 8e 56 ff 48 8d 65 e8 31 c0 5b 41 5c 41 5d 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 c3 cc cc cc cc <0f> 0b 4c 8b 62 08 41 8b 85 24 07 00 00 49 83 c4 04 41 89 44 24 fc [40243.616888] RSP: 0018:ffffcc80c4d4b688 EFLAGS: 00010287 [40243.617773] RAX: 0000000000010026 RBX: 0000000000000001 RCX: 0000000000000000 [40243.618928] RDX: ffff8a773798dee0 RSI: 0000000000000000 RDI: 0000000000000000 [40243.620158] RBP: ffffcc80c4d4b6a0 R08: 0000000000000000 R09: 0000000000000000 [40243.621573] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8a75f3b58000 [40243.622907] R13: ffff8a75f3b58000 R14: 0000000000000080 R15: 000000000000bffd [40243.624054] FS: 0000000000000000(0000) GS:ffff8a787d1b4000(0000) knlGS:0000000000000000 [40243.625331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [40243.626269] CR2: 000072f390b623c0 CR3: 000000011c02a003 CR4: 0000000000372ef0 [40243.627408] Call Trace: [40243.627839] <TASK> [40243.628188] __prep_cap+0x3fd/0x4a0 [40243.628789] ? do_raw_spin_unlock+0x4e/0xe0 [40243.629474] ceph_check_caps+0x46a/0xc80 [40243.630094] ? __lock_acquire+0x4a2/0x2650 [40243.630773] ? find_held_lock+0x31/0x90 [40243.631347] ? handle_cap_grant+0x79f/0x1060 [40243.632068] ? lock_release+0xd9/0x300 [40243.632696] ? __mutex_unlock_slowpath+0x3e/0x340 [40243.633429] ? lock_release+0xd9/0x300 [40243.634052] handle_cap_grant+0xcf6/0x1060 [40243.634745] ceph_handle_caps+0x122b/0x2110 [40243.635415] mds_dispatch+0x5bd/0x2160 [40243.636034] ? ceph_con_process_message+0x65/0x190 [40243.636828] ? lock_release+0xd9/0x300 [40243.637431] ceph_con_process_message+0x7a/0x190 [40243.638184] ? kfree+0x311/0x4f0 [40243.638749] ? kfree+0x311/0x4f0 [40243.639268] process_message+0x16/0x1a0 [40243.639915] ? sg_free_table+0x39/0x90 [40243.640572] ceph_con_v2_try_read+0xf58/0x2120 [40243.641255] ? lock_acquire+0xc8/0x300 [40243.641863] ceph_con_workfn+0x151/0x820 [40243.642493] process_one_work+0x22f/0x630 [40243.643093] ? process_one_work+0x254/0x630 [40243.643770] worker_thread+0x1e2/0x400 [40243.644332] ? __pfx_worker_thread+0x10/0x10 [40243.645020] kthread+0x109/0x140 [40243.645560] ? __pfx_kthread+0x10/0x10 [40243.646125] ret_from_fork+0x3f8/0x480 [40243.646752] ? __pfx_kthread+0x10/0x10 [40243.647316] ? __pfx_kthread+0x10/0x10 [40243.647919] ret_from_fork_asm+0x1a/0x30 [40243.648556] </TASK> [40243.648902] Modules linked in: overlay hctr2 libpolyval chacha libchacha adiantum libnh libpoly1305 essiv intel_rapl_msr intel_rapl_common intel_uncore_frequency_common skx_edac_common nfit kvm_intel kvm irqbypass joydev ghash_clmulni_intel aesni_intel rapl input_leds mac_hid psmouse vga16fb serio_raw vgastate floppy i2c_piix4 pata_acpi bochs qemu_fw_cfg i2c_smbus sch_fq_codel rbd dm_crypt msr parport_pc ppdev lp parport efi_pstore [40243.654766] ---[ end trace 0000000000000000 ]--- Commit d93231a6bc8a ("ceph: prevent a client from exceeding the MDS maximum xattr size") moved the required_blob_size computation to before the __build_xattrs() call, introducing a race. __build_xattrs() releases and reacquires i_ceph_lock during execution. In that window, handle_cap_grant() may update i_xattrs.blob with a newer MDS-provided blob and bump i_xattrs.version. When __bui ---truncated---

Debian Ubuntu Denial Of Service +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel's CephFS (ceph) client allows local users with an active CephFS mount to leak kernel memory by triggering the dirty-page writeback path. The flaw stems from a missing reference release on folios that the writeback batch holds but removes as unsuitable, gradually pinning pages and exhausting kernel memory (CVSS 7.5, availability-only). No public exploit identified at time of analysis; EPSS is low at 0.16% (6th percentile), and it is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Page allocator corruption in the Linux kernel's AMD SEV-SNP guest driver (virt/sev-guest) affects confidential-computing guests running kernels from 6.14 onward. When a guest issues an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST), an untrusted host can return SNP_GUEST_VMM_ERR_INVALID_LEN with a length that does not match the original allocation; the cleanup path then frees pages using a host-controlled page order, corrupting the guest's page allocator. CVSS is 7.8 (local, high C/I/A), but EPSS is just 0.11% (2nd percentile), and there is no public exploit identified at time of analysis and no CISA KEV listing.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds memory access in the Linux kernel's libceph client (osdmap_decode) lets a malicious or compromised Ceph monitor/OSD send a corrupted OSD map whose max_osd field exceeds the actual message length, reading past the allocated buffer. The flaw affects kernels using the in-kernel Ceph client (RBD/CephFS) and is fixed across multiple stable branches. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile), consistent with a memory-safety bug requiring a hostile Ceph endpoint rather than broad internet exposure.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel's libceph client allows a malicious or corrupted Ceph cluster to crash the kernel via a null pointer dereference in decode_choose_args(). When processing a CEPH_MSG_OSD_MAP message, a crafted CRUSH map containing choose_args with a bucket_index that points to a NULL (unallocated) bucket triggers the crash, because the code validated only that the index stayed within max_buckets, not that the target bucket was non-NULL. There is no public exploit identified at time of analysis, EPSS exploitation probability is low (0.18%, 8th percentile), and the issue is patched upstream.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel's libceph (Ceph client) component allows a malicious or compromised Ceph peer to crash a connecting host during the CephX authentication handshake. The flaw lives in __ceph_x_decrypt(), which reads a ceph_x_encrypt_header (notably hdr->magic) from a decrypted buffer without first verifying the buffer is large enough - a FRAME_TAG_AUTH_REPLY_MORE frame carrying a ciphertext_len of 8 or fewer bytes triggers an out-of-bounds memory access. CVSS is 7.5 (availability-only); EPSS is low at 0.16% (6th percentile), there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Out-of-bounds memory access in the Linux kernel's libceph CRUSH map decoder (crush_decode()) lets a malicious or compromised Ceph cluster corrupt kernel memory on a connecting client. A crafted CEPH_MSG_OSD_MAP message whose bucket carries mismatched algorithm fields (alg vs b->alg) causes memory to be allocated for one bucket type but processed and later freed as another, leading to OOB access during decode and again during crush map destruction. Despite a 9.8 CVSS, there is no public exploit identified at time of analysis and EPSS is low (0.18%, 8th percentile); the realistic attack surface is limited to hosts mounting/connecting to attacker-controlled Ceph (RBD/CephFS) infrastructure.

Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel's libceph (Ceph client) subsystem allows a malicious or compromised Ceph monitor/OSD to crash a connected client by sending a crafted CEPH_MSG_OSD_MAP whose embedded CRUSH map carries two choose_args maps sharing the same choose_args_index. The duplicate index trips an assertion in insert_choose_arg_map() during decode_choose_args(), triggering a kernel BUG and panic. CVSS is 7.5 (availability-only); there is no public exploit identified at time of analysis and EPSS is low at 0.18% (8th percentile).

Linux Denial Of Service
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local denial of service in the Linux kernel's Intel VT-d (iommu/vt-d) driver lets a privileged user crash the host by terminating a QEMU/VFIO guest, triggering a general-protection-fault oops. The flaw lives in domain_remove_dev_pasid(), which dereferences the global static blocked domain - a dummy iommu_domain with no backing dmar_domain - during PASID teardown on device reset. No public exploit is identified at time of analysis; EPSS is low (0.17%, 7th percentile) and it is not in CISA KEV.

Linux Canonical Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's IOMMU subsystem allows a local low-privileged actor with device-management access to corrupt kernel memory by racing a domain re-attach against an in-progress PCI device reset. The flaw lies in __iommu_group_set_domain_internal(), where the group->recovery_cnt fence wrongly rejected mandatory detach/teardown callers (IOMMU_SET_DOMAIN_MUST_SUCCEED), so group->domain could be freed while still referenced, and pci_dev_reset_iommu_done() could then re-attach the dangling pointer. EPSS is low at 0.16% (6th percentile) and there is no public exploit identified at time of analysis, but the high CVSS (8.8) reflects full kernel-memory confidentiality, integrity, and availability impact.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local denial of service in the Linux kernel's Intel Xe DRM driver (drm/xe/dma-buf) arises from use-after-free and NULL pointer dereference race conditions in the dma-buf import path, affecting kernels from 6.8 through the fixes in 6.12.91, 6.18.33, 7.0.10 and 7.1. When a buffer object is shared from another GPU driver such as amdgpu, the exporter can invoke the Xe invalidate_mappings hook against a partially initialized or already-freed bo, crashing the system; two customers reported NULL ptr derefs in evict_flags. This is tagged Denial of Service, has no public exploit identified at time of analysis, and carries a low EPSS of 0.18% (7th percentile).

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's Intel Xe DRM graphics driver (drm/xe) arises from a use-after-free in the dma-buf import path, where an error-handling retry loop operates on a buffer object (bo) that has already been freed. Affecting kernel 6.18 series before the 6.18.33 stable fix, a local low-privileged user with access to the Xe DRM device can trigger the freed-object access to corrupt kernel memory or leak data. There is no public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile), consistent with a local-only, driver-specific bug rather than mass-exploited remote flaw.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Fix ttm_bo_shrink() infinite LRU walk on backup failure Apply the same fix as b2ed01e7ad ("drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure") to the ttm_bo_shrink() path. Move del_bulk_move from before the backup to after success only, using ttm_resource_del_bulk_move_unevictable() since the resource is now unevictable once fully backed up.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong timeout value` warning was observed, accompanied by SMBus controller state machine corruption. The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of 10 ms. The user argument is checked against INT_MAX, but it is subsequently multiplied by 10 before being passed to msecs_to_jiffies(). A malicious user can pass a large value (e.g., 429496729) that passes the `arg > INT_MAX` check but overflows when multiplied by 10. This results in a truncated 32-bit unsigned value that bypasses the internal `(int)m < 0` check in `msecs_to_jiffies()`. The truncated value is then assigned to `client->adapter->timeout` (a signed 32-bit int), which is reinterpreted as a negative number. When passed to wait_for_completion_timeout(), this negative value undergoes sign extension to a 64-bit unsigned long, triggering the `schedule_timeout` warning and causing premature returns. This leaves the SMBus state machine in an unrecoverable state, constituting a local Denial of Service (DoS). Fix this by bounding the user argument to `INT_MAX / 10`. [wsa: move the comment as well]

Denial Of Service Linux Integer Overflow
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and memory corruption is possible in the Linux kernel's QRTR (Qualcomm IPC Router) networking subsystem (net/qrtr/af_qrtr.c), where qrtr_port_remove() decrements a socket's reference count via __sock_put() before erasing the port from the qrtr_ports XArray and before the RCU grace period elapses, violating the RCU update ordering. A concurrent RCU reader (qrtr_reset_ports() or qrtr_port_lookup()) can retrieve the socket and call sock_hold() on an object whose refcount has already reached zero, producing refcount saturation and a use-after-free. The issue was reproduced by syzkaller fuzzing; it carries a CVSS of 7.8 (AV:L), EPSS is low at 0.18% (8th percentile), it is not on CISA KEV, and no public exploit identified at time of analysis.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial of service in the Linux kernel arises from a SOFTIRQ-safe to SOFTIRQ-unsafe lock-ordering deadlock in the fasync signaling path (fs/fcntl), where send_sigio() and send_sigurg() take read_lock(&tasklist_lock) from softirq context while traversing a process group (PIDTYPE_PGID). When this collides with a writer spinning on tasklist_lock during fork()/exit(), the CPU can deadlock and hang. The flaw is reachable remotely via TCP URG packets (send_sigurg through NET_RX_SOFTIRQ), affects multiple stable branches, and is fixed by switching the traversal to RCU. There is no public exploit identified at time of analysis and EPSS is low (0.18%).

Code Injection Linux
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel's WireGuard module causes the receive/decryption path to permanently stall for an individual peer under heavy network load. Affected stable trees (notably 6.12.34 through 6.12.73, with the same defect originating in 5.15/6.1 where threaded NAPI became default) can have inbound traffic to a specific WireGuard peer halt completely once the per-peer rx_queue fills its 1024-packet backlog and wg_packet_rx_poll is never rescheduled. The condition was reported by multiple production Cilium/Kubernetes operators; there is no public exploit identified at time of analysis and EPSS is very low (0.10%, 1st percentile).

Linux Kubernetes Denial Of Service
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Unauthorized file attribute modification in the Linux kernel's ksmbd SMB server allows authenticated SMB clients to invoke FSCTL_SET_SPARSE and alter a file's sparse xattr without required permissions, bypassing both share-level and per-handle access controls. Two distinct authorization gaps exist: clients on read-only shares can issue the control code because fsctl_set_sparse() omits the KSMBD_TREE_CONN_FLAG_WRITABLE check that other FSCTL write operations enforce, and clients on writable shares with insufficient handle rights (lacking FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES) can modify the attribute because per-handle checks are entirely absent. No active exploitation is confirmed - the vulnerability is absent from CISA KEV and carries an EPSS of 0.22% (12th percentile) - but the exposure surface is any network-reachable ksmbd deployment serving untrusted SMB clients.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Linux kernel networking stack (skbuff/MSG_ZEROCOPY path) allows an unprivileged local user to gain full root via a use-after-free on ubuf_info_msgzc. The pskb_carve_inside_header() and pskb_carve_inside_nonlinear() helpers memcpy the skb_shared_info (including the zerocopy destructor_arg/uarg pointer) into a new buffer without calling net_zcopy_get(), so the uarg refcount is decremented more times than it was incremented, freeing the ubuf_info while live TX skbs still reference it. A working proof-of-concept exists that achieves reliable root escalation on a default kernel configuration; the issue is not listed in CISA KEV and EPSS probability is low (0.21%, 11th percentile).

Privilege Escalation Linux
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel netfilter netdev logger (nf_log_syslog) lets a local low-privileged attacker leak adjacent slab memory into the kernel log and potentially crash the system. The flaw is in dump_mac_header(), whose fallback path tests skb->mac_header != skb->network_header but omits skb_mac_header_was_set(); an unset MAC header (value 0xffff) passes the check and causes a read ~64 KiB past the skb buffer. Fixed in stable kernels (e.g., 6.18.36, 6.12.94, 6.6.143, 6.1.176, 5.15.210, 7.0.13/7.1); no public exploit identified at time of analysis and EPSS is low at 0.17%.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel SMC subsystem's smc_msg_event tracepoint crashes the kernel when SMC-D socket traffic is processed while the tracepoint is active. Affected kernels from commit aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84 across multiple stable branches dereference conn->lnk unconditionally in the tracepoint, though this pointer is only valid for SMC-R connections and is NULL for SMC-D. While activating the tracepoint requires root, the crash itself can be triggered by any unprivileged user via AF_SMC socket operations on SMC-D capable systems (s390 natively, or x86 with loopback ISM loaded). No public exploit or active exploitation confirmed; EPSS sits at 0.16%.

Linux Canonical Denial Of Service +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel stack memory disclosure in the Linux TUN driver exposes 14 bytes of uninitialized stack data to unprivileged local users on every read of a non-tunnel packet. The flaw affects Linux systems where a local user can open a TUN device and issue the TUNSETVNETHDRSZ ioctl to set the vnet header size to 24 bytes. No public exploit or active exploitation has been identified; EPSS is 0.15% (5th percentile), consistent with a local-only information disclosure requiring deliberate TUN device configuration.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel RDS/InfiniBand subsystem allows an unprivileged local user to trigger a kernel panic by sending an atomic cmsg over an active RDS/IB connection. The completion handler rds_ib_send_unmap_op() lacks switch cases for masked atomic opcodes (IB_WR_MASKED_ATOMIC_CMP_AND_SWP, IB_WR_MASKED_ATOMIC_FETCH_AND_ADD), returning rm=NULL while the send operation remains flagged, leading to a fatal NULL dereference at rm->m_final_op in softirq context. No public exploit has been identified and EPSS is 0.16% (6th percentile), but the crash is deterministic and reproducible on any system with mlx4/mlx5 InfiniBand hardware running an unpatched kernel with active RDS/IB connections.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's BPF socket storage subsystem (net/core/bpf_sk_storage.c) allows a local low-privileged user to crash the kernel. The race condition between bpf_selem_unlink_nofail() - which nulls smap before removing the element from the hlist - and concurrent RCU readers in bpf_sk_storage_clone() and bpf_sk_storage_diag_put_all() can be triggered during TCP SYN handling (socket cloning path), producing a kernel panic. No public exploit identified at time of analysis; EPSS of 0.14% (4th percentile) confirms negligible observed exploitation probability.

Linux Canonical Denial Of Service +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stack information disclosure in the Linux kernel's tap/macvtap driver exposes 8 bytes of uninitialized kernel stack contents to local users via the SIOCGIFHWADDR ioctl, leaking kernel .text and direct-map pointers that defeat KASLR. The affected code path in tap_ioctl() copies a 16-byte sockaddr_storage to userspace while netif_get_mac_address() initializes only 8 bytes (sa_family plus 6-byte Ethernet address), leaving the trailing 8 bytes unread. No public exploit is identified at time of analysis and EPSS sits at 0.15% (5th percentile), but KASLR bypass primitives of this type are routinely chained with local privilege-escalation exploits to gain kernel code-execution. NOTE: The provided CVSS vector (C:N/I:N/A:H) appears to misclassify this vulnerability - confidentiality is the impacted property, not availability; the assessed vector below corrects this.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

CPU stall vulnerability in the Linux kernel jitterentropy subsystem allows local low-privileged users to trigger prolonged non-preemptible spinlock holds by spawning concurrent entropy requests through jent_kcapi_random(), which holds a spinlock across expensive SHA3 conditioning and jitter collection. Systems running kernel versions from approximately 4.2 through pre-fix stable branches face entropy starvation and CPU busy-wait degradation under parallel getrandom() load. No public exploit identified at time of analysis; EPSS is 0.16% at the 5th percentile and no CISA KEV listing applies, making this a low-urgency, operator-pace patch for most deployments.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's xfrm espintcp (ESP-in-TCP IPsec encapsulation) send path allows a local user with a socket using espintcp to corrupt the one-message-at-a-time transmit state, leading to memory disclosure or a crash. The flaw stems from espintcp_sendmsg() reinitializing emsg->skmsg and reusing ctx->partial while a previous partial send is still in flight, attaching a stale offset to a fresh sk_msg. No public exploit is identified at time of analysis and EPSS is low (0.16%, 6th percentile), reflecting a niche, configuration-dependent attack surface rather than broad exploitability.

Linux Memory Corruption Buffer Overflow
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Kernel heap memory corruption affects the batman-adv (B.A.T.M.A.N. Advanced) mesh routing subsystem of the Linux kernel, where a u16 accumulator in batadv_tvlv_container_list_size() can wrap around when the total size of registered TVLV containers exceeds 65535 bytes, leading to an undersized allocation and a subsequent out-of-bounds memcpy write in batadv_tvlv_container_ogm_append(). An attacker positioned on the mesh able to drive TVLV container accumulation past U16_MAX can corrupt adjacent kernel memory, risking denial of service or potential code execution. This is no public exploit identified at time of analysis, EPSS exploitation probability is low (0.16%), and it is not listed in CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel's io_uring poll subsystem arises from a signed-comparison flaw in io_poll_get_ownership(), where atomic_read() returns a signed int and the IO_POLL_CANCEL_FLAG (BIT(31)) makes poll_refs negative, so the '>= IO_POLL_REF_BIAS' slowpath check is never taken. Affecting kernels from the 5.15/6.x stable series through pre-patch 7.x, a local user with io_uring access can drive poll-reference accounting into an incorrect state during request cancellation, with CVSS 7.8 (AV:L) rating high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and EPSS is low (0.16%, 6th percentile), but a vendor patch is available across stable branches.

Linux Denial Of Service
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Memory leak in the Linux kernel's xfrm IPComp (IP Payload Compression) code allows resource exhaustion because the destination scatter-gather page list is not freed when an asynchronous compression (acomp) operation fails. Affecting Linux 6.15 through the fixed stable releases, the flaw lets repeated compression errors progressively consume kernel memory, with CVSS scoring only availability impact (A:H). There is no public exploit identified at time of analysis and EPSS is low at 0.15%.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use of uninitialized sender variables in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh networking module allows a malicious mesh peer to trigger undefined behavior on a node acting as a tp_meter receiver. When such a node receives a crafted ACK packet, batadv_tp_recv_ack() and batadv_tp_stop() execute sender-only code paths that read tp_vars members never initialized for the receiver role, potentially leaking memory contents or crashing the kernel. No public exploit identified at time of analysis; EPSS probability is low (0.17%, 6th percentile) and the issue is not in CISA KEV, but a vendor patch is available across multiple stable trees.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Race condition in the Linux kernel's System V IPC shared memory subsystem allows a local low-privileged attacker to crash the kernel. The `shm_destroy_orphaned()` cleanup path evaluates whether an orphaned segment is safe to destroy by checking `shm_nattch` without holding `shm_perm.lock`, while the attach/detach paths update that counter independently of `shm_ids(ns).rwsem`, creating a window where a still-attached segment is erroneously destroyed. The EPSS score is 0.17% (6th percentile) and no KEV listing or public exploit exists, placing this firmly in the routine-patching tier rather than emergency response.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial-of-service in the Linux kernel SCTP stack arises from incomplete rollback when an ADD_OUT_STREAMS (add outgoing streams) reconfiguration request is denied; the kernel shrinks queued chunks and lowers outcnt but leaves stale stream metadata behind, so a later stream re-add reuses a freed/stale 'ext' object and triggers a NULL-pointer dereference in the scheduler get path. Any remote SCTP peer that can negotiate stream reconfiguration on an established association can crash the host, with no authentication or user interaction required per the CVSS vector (AV:N/AC:L/PR:N/UI:N, A:H). There is no public exploit identified at time of analysis and EPSS is low (0.16%), indicating no observed weaponization.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Availability disruption in the Linux kernel's AF_UNIX socket subsystem allows a local low-privileged user to trigger an unhandled code path by issuing a SIOCATMARK ioctl on non-stream (SOCK_DGRAM or SOCK_SEQPACKET) AF_UNIX sockets, which the kernel incorrectly permits to proceed into receive-queue inspection logic intended only for SOCK_STREAM. The flaw stems from a logic inconsistency: while SOCK_DGRAM and SOCK_SEQPACKET already reject MSG_OOB in sendmsg()/recvmsg(), the SIOCATMARK ioctl handler lacked the corresponding guard, creating an exploitable divergence. No public exploit or CISA KEV listing exists; EPSS at 0.16% (5th percentile) reflects a very low real-world exploitation probability.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel ebtables 32-bit compat layer (compat_mtw_from_user) lets a local low-privileged user holding CAP_NET_ADMIN trigger KASAN-detected OOB reads by supplying an undersized match_size/target_size for an extension whose ->compat_from_user() callback assumes it can read compatsize bytes. It affects Linux from 2.6.34 through builds before the fix and is resolved upstream across all maintained stable branches; no public exploit is identified at time of analysis and EPSS is low (0.16%, 6th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
Prev Page 5 of 143 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy