Linux
Monthly
Stale gateway pointer in the Linux kernel's batman-adv mesh networking subsystem causes availability failures during mesh teardown and recreation. The batman-adv gateway cleanup function `batadv_gw_node_free()` frees gateway list entries without clearing `bat_priv->gw.curr_gw`, leaving a dangling reference that persists across cleanup and breaks subsequent mesh recreation attempts. No public exploit exists and EPSS sits at 0.16% (6th percentile), indicating negligible opportunistic exploitation interest at time of analysis.
NULL pointer dereference in the Linux kernel VRF (Virtual Routing and Forwarding) subsystem allows a local low-privileged user to crash the kernel via a race condition between RCU readers and VRF port removal operations, resulting in a complete denial of service on affected systems. Systems using VRF network segmentation are at risk specifically when VRF port membership is dynamically modified concurrent with socket bind() operations. EPSS is 0.16% (6th percentile) and the vulnerability is not listed in CISA KEV; no public exploit code has been identified, but patched kernel versions are available across all active stable branches.
Use-after-free in the Linux kernel SCTP stack (net/sctp) allows a remote peer to crash the kernel by forcing an association to roll back from COOKIE_ECHOED to COOKIE_WAIT via a Stale Cookie ERROR. When sctp_stream_update() rebuilds the stream table during this rollback it leaves the scheduler's cached stream->out_curr pointer referencing freed memory, so the next scheduler dequeue (FCFS/RR/PRIO) dereferences a dangling sctp_stream_out entry. The flaw is tagged as Denial of Service, carries an NVD CVSS of 9.8, but has a low EPSS of 0.17% (6th percentile); no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation and information disclosure in the Linux kernel's SysV IPC subsystem stems from an unbounded ID allocation in ipc_idr_alloc() along the checkpoint/restore (CRIU) path, where a user-supplied next_id can spill past the valid ipc_mni range. Because removal truncates the index via ipcid_to_idx(), a high-index object can be freed while its real IDR slot dangles, so a subsequent /proc/sysvipc/shm walk dereferences freed memory - a use-after-free. No public exploit identified at time of analysis; EPSS is low at 0.17% (6th percentile) and the issue is not on CISA KEV.
Denial of service in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh routing subsystem allows a crash via NULL pointer dereference in the Distributed ARP Table (DAT) forwarding path. The function batadv_dat_forward_data() fails to check the return value of pskb_copy_for_clone() before passing the cloned skb to batadv_send_skb_prepare_unicast_4addr(), so a failed allocation while forwarding to a DHT candidate triggers a kernel oops. Affects systems running batman-adv mesh networking; this is a memory-pressure-dependent crash with no public exploit identified at time of analysis (EPSS 0.17%, 6th percentile), and it is not listed in CISA KEV.
Denial of service in the Linux kernel netfilter ipset subsystem allows a local low-privileged user to disrupt availability by triggering an iterator overrun in hash:ip,mark, hash:ip,port, hash:ip,port,ip, or hash:ip,port,net set types during IPv4 range iteration. The 32-bit loop iterator is not properly bounded, allowing it to advance past the last address in the requested range; subsequent retry passes then resume from an unintended position, corrupting traversal state. No public exploit is identified at time of analysis, and the EPSS score of 0.16% (6th percentile) confirms very low exploitation probability, making this a routine patching priority rather than an emergency response.
Incorrect strict-mode policy matching in the Linux kernel's netfilter xt_policy module causes multi-element inbound IPsec policy rules to be evaluated in the wrong order, so packets can be matched against the wrong transform descriptor. On systems that filter inbound traffic with iptables/nftables 'policy' matches in strict mode using multiple policy elements, this can let traffic that should be rejected satisfy the rule (or legitimate IPsec traffic fail it), undermining the intended firewall/IPsec enforcement. There is no public exploit identified at time of analysis and EPSS is low (0.16%, 6th percentile); the issue has been resolved upstream with stable patches available.
Local privilege escalation via use-after-free in the Linux kernel's batman-adv (B.A.T.M.A.N. advanced) mesh networking module allows a local low-privileged user to crash or potentially gain code execution by triggering a tp_meter counter underflow during interface shutdown. Concurrent shutdown paths (timeout, user cancel, normal finish) each decrement the 'sending' atomic counter, underflowing it to -1, which traps the sender kthread in an infinite loop and produces a use-after-free when the mesh interface is removed while the zombie thread still runs. No public exploit identified at time of analysis, and EPSS is low at 0.16%; a vendor patch is available across multiple stable trees.
Use-after-free in the Linux kernel Bluetooth subsystem allows a crafted sequence of socket polling and connection teardown to dereference a freed sock structure, because bt_sock_poll() walks the per-socket accept queue without synchronization while a concurrent child teardown unlinks the same socket and drops its last reference. The flaw has existed since the original Bluetooth import and affects effectively all kernel versions until the fixed stable releases; EPSS is low (0.18%, 7th percentile) and there is no public exploit identified at time of analysis. Successful exploitation of the freed-object access can corrupt kernel memory, enabling denial of service and potentially privilege escalation.
Out-of-bounds kernel memory read in the Linux kernel's SCTP sock_diag subsystem allows a local attacker to disclose adjacent kernel memory and potentially crash the system by racing a diag dump against association teardown. The exact sock_diag lookup (dump_one path) can hold a transport reference, block on lock_sock(), and resume after sctp_association_free() has reaped the association and freed its bind-address list, causing inet_diag_msg_sctpasoc_fill() to dereference an emptied bind-address list as a valid sctp_sockaddr_entry. CVSS is 7.1 (local, high confidentiality and availability impact); EPSS is low (0.18%, 7th percentile), there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Stack exhaustion in the Linux kernel batman-adv mesh networking subsystem allows an attacker on the same batman-adv mesh to crash the kernel by sending matryoshka-nested BATADV_UNICAST_FRAG packets. The reassembled payload's packet type is not validated before re-processing, enabling unbounded recursion in batadv_batman_skb_recv() that exhausts kernel stack and causes a hard system crash. No active exploitation is recorded in CISA KEV and EPSS sits at 0.18% (7th percentile), making this a targeted DoS risk limited to environments running batman-adv mesh networking.
Local denial of service and potential information disclosure in the Linux kernel's IPv6 netfilter Hop-by-Hop options match (ip6t_hbh) stems from an off-by-one out-of-bounds array access. A local user able to install xtables rules can supply an oversized optsnr value that the hbh_mt6_check() setup path fails to validate, reading/writing past the fixed 16-entry opts[] array (confirmed via a UBSAN array-index-out-of-bounds report at index 16). There is no public exploit identified at time of analysis and EPSS risk is low (0.18%), but a vendor fix has shipped across multiple stable kernel branches.
Denial of service in the Linux kernel's batman-adv mesh networking module arises from faulty length accounting during fragment reassembly, where the accumulated payload length can be truncated during updates, letting malformed fragment chains bypass validation and drive reassembly with inconsistent length state. The flaw affects systems running the B.A.T.M.A.N. Advanced (batman-adv) module across many stable kernel series and results in a local denial of service per the upstream description. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 7th percentile), and the NVD CVSS of 9.8 conflicts with the upstream 'local denial of service' characterization.
NULL pointer dereference in the Linux kernel's batman-adv OGMv2 subsystem allows a local low-privilege user to crash the kernel by racing interface teardown against OGM dispatch. When a batman-adv hard interface is disabled and its mesh_iface pointer is set to NULL, the batadv_v_ogm_queue_on_if() function continues to call netdev_priv() on that NULL pointer, triggering a kernel panic. No public exploit exists and EPSS is 0.18% (7th percentile), making this low operational priority except on systems actively running batman-adv mesh networking.
Use-after-free in the Linux kernel's netfilter NFQUEUE subsystem affects bridge LOCAL_IN packet handling, where br_pass_frame_up() rewrites skb->dev to the bridge master before queuing without holding a reference on that device. A local attacker who can influence queued bridge traffic and trigger bridge teardown (NETDEV_DOWN) can cause the kernel to re-enter the receive path with a freed bridge master device, yielding a use-after-free with high confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.19%, 9th percentile).
Authenticated arbitrary file write in Gogs (self-hosted Git service) versions below 0.14.3 on Linux/macOS lets a user with repository write access escape the working tree and overwrite any file the gogs UID can touch, escalating to remote code execution. The flaw stems from `UploadRepoFiles` validating symlinks only on the leaf path while sibling functions correctly walk every component; combined with a crafted multipart filename containing a literal backslash, the write is redirected through a previously committed directory symlink to targets like `~git/.ssh/authorized_keys` or `<repo>.git/hooks/post-receive`. No CISA KEV listing and no EPSS provided, but a detailed, tested proof-of-concept is published in the vendor advisory, so publicly available exploit code exists.
Improper session authorization in the Linux kernel's in-kernel SMB3 server (ksmbd) lets an authenticated SMB client reach sessions it never bound to. Because the connection-wide conn->binding flag stays set after a binding SESSION_SETUP, the global lookup in ksmbd_session_lookup_all() would resolve any session by ID, allowing a low-privileged remote user to access another user's session (Information Disclosure tagged). No public exploit identified at time of analysis; EPSS is low (0.18%, 7th percentile) and it is not in CISA KEV.
Local privilege escalation / memory corruption in the Linux kernel's SO_REUSEPORT BPF handling allows a local user to trigger a use-after-free (vmalloc out-of-bounds read) by replacing a classic BPF (cBPF) reuseport program via setsockopt() while another thread routes UDP traffic through the same reuseport group. Because the cBPF program is freed immediately by sk_reuseport_prog_free() without waiting for an RCU grace period, in-flight readers in reuseport_select_sock() dereference freed memory; the fix defers freeing until after one RCU grace period. No public exploit identified at time of analysis and EPSS probability is low (0.17%), but the bug is confirmed and fixed upstream.
Improper network-namespace isolation in the Linux kernel's IPv6 VTI (ip6_vti) tunnel driver allows the per-netns fallback device (ip6_vti0) to be relocated into another network namespace, because vti6_init_net() omits the netns_immutable flag that sibling tunnel drivers (ip6_tunnel, sit, ip6_gre, ip_tunnel) all set. A local user holding CAP_NET_ADMIN in a namespace can move this fallback device, breaking the isolation guarantee the kernel enforces for other fallback tunnels and potentially destabilizing networking state. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.15%, 5th percentile).
Improper access-control re-validation in the Linux kernel's RDMA/InfiniBand subsystem (the ib_uverbs memory-region re-registration path) allows a local user with RDMA device access to obtain unintended read-write access to memory that was only pinned as read-only. When IB_MR_REREG_ACCESS upgrades a memory region from RO to RW, the underlying umem was not re-evaluated to confirm it is properly pinned for writing, enabling potential memory corruption or disclosure across RDMA-capable drivers. EPSS is low (0.17%, 6th percentile) and there is no public exploit identified at time of analysis; the issue is fixed upstream in multiple stable trees.
Local privilege escalation potential in the Linux kernel's net/sched traffic-control subsystem arises from a partial copy-on-write (COW) miss in the pedit action (tcf_pedit_act), where skb_ensure_writable() is sized using tcfp_off_max_hint before the per-key loop and fails to account for the runtime header offset added by typed keys, leaving part of the write region un-COW'd and causing page cache corruption. A local low-privileged attacker able to install tc pedit rules (CAP_NET_ADMIN, obtainable in user namespaces on many distros) can corrupt shared page-cache memory, with CVSS 7.8 reflecting high confidentiality, integrity, and availability impact. Publicly available exploit code exists, though EPSS is low at 0.14% (4th percentile) and the issue is not on CISA KEV.
Out-of-bounds array access in the Linux kernel's Rockchip RKCIF camera interface driver (drivers/media/platform/rockchip/rkcif) allows a local low-privileged user to trigger memory corruption by reading one element past the end of internal arrays due to off-by-one comparison errors. Affects mainline Linux through 6.19 and is fixed in 7.0.4 and 7.1-rc1; no public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%, 5th percentile).
Privilege escalation via UID confusion in the Linux kernel's 9p filesystem client allows local users mounting 9P2000.L shares with non-default access modes to be silently demoted to the INVALID_UID (nobody/65534) for all fid lookups, breaking root's ability to chown or perform privileged file operations over the mount. Introduced by commit 1f3e4142c0eb during the conversion of 9p to the new mount API, the bug causes v9fs_apply_options() to OR user-supplied access flags onto the default V9FS_ACCESS_CLIENT instead of replacing them. EPSS is 0.02% and the issue is not on CISA KEV; no public exploit identified at time of analysis.
Denial-of-service in the Linux kernel's DAMON (Data Access MONitor) subsystem allows a local low-privileged user to crash the kernel by supplying a non-power-of-two `min_region_sz` value through the DAMON sysfs interface and invoking `damon_start()`. The flaw is an incomplete remediation: commit c80f46ac228b fixed the same class of bug for the `damon_commit_ctx()` code path but left `damon_start()` - reachable via DAMON sysfs - without the `is_power_of_2()` guard. No public exploit exists and EPSS sits at 0.02% (4th percentile), indicating negligible real-world exploitation probability; no CISA KEV listing has been issued.
Memory leak in the Linux kernel's drm/nouveau subsystem exposes systems with NVIDIA GPUs using the open-source nouveau driver to local denial of service. When aperture_remove_conflicting_pci_devices() fails during PCI device probe, the error path bypasses the fail_nvkm cleanup label, permanently leaking both the nvkm_device wrapper and the pci_enable_device() reference taken inside nvkm_device_pci_new(). No public exploit exists and EPSS sits at the 5th percentile (0.02%), confirming negligible exploitation probability; however, patched stable releases are available across multiple kernel branches.
Buffer overflow in the Linux kernel's greybus gb-beagleplay driver allows an adjacent attacker with control over the cc1352 bootloader serial data stream to overflow the fixed rx_buffer used to stage bootloader packets. The cc1352_bootloader_rx() handler appends serdev chunks without validating they fit in remaining buffer space, enabling memory corruption with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Use-after-free and VFS invariant violations in the Linux kernel SMC subsystem (5.17 through pre-6.19.4) allow local privileged users to trigger memory corruption and system instability via the TCP ULP-to-SMC conversion path. The upstream maintainers fully reverted the underlying commit d7cd421da9da rather than attempting an in-place fix, citing fundamental design flaws; no public exploit identified at time of analysis and EPSS sits at 0.02% (5th percentile).
Improper end-of-filesystem boundary handling in the Linux kernel EROFS driver for file-backed mounts causes a denial-of-service condition when I/O requests exceed the filesystem image boundary. Affected kernels spanning multiple stable branches fail to zero-fill out-of-bounds I/O regions as expected (analogous to loopback device behavior), producing undefined kernel behavior that results in availability loss. No public exploit has been identified and EPSS is 0.02% (5th percentile), indicating negligible opportunistic exploitation probability; patches are confirmed available across stable branches 6.12.x, 6.18.x, 6.19.x, and 7.0.
Local privilege/availability impact in the Linux kernel AppArmor subsystem stems from incomplete rlimit handling for POSIX CPU timers, where setting an rlimit through AppArmor policy did not propagate to the POSIX CPU timer machinery. A local low-privileged user operating under an AppArmor-confined profile can leverage the inconsistent limit enforcement to disrupt CPU-time accounting and cause high-impact availability effects on the system. No public exploit identified at time of analysis, and EPSS rates likelihood of exploitation at only 0.02% (7th percentile).
Race condition in the Linux kernel device-mapper (dm) subsystem allows a local privileged user to trigger memory corruption or use-after-free conditions by exploiting a TOCTOU flaw in dm_blk_report_zones, which calls dm_suspended_md without holding required locks. The flaw affects multiple stable kernel branches including 6.12.x, 6.15.x, 6.16, and 6.18.x prior to fixed releases. No public exploit identified at time of analysis, and EPSS scores exploitation probability at 0.02% (5th percentile).
Uninitialized stack memory disclosure in the Linux kernel's iio pressure sensor driver (mprls0025pa) for the Honeywell MPRLS0025PA SPI pressure sensor stems from a spi_transfer struct that was not zeroed before use. Local users on systems with the vulnerable driver loaded may trigger undefined SPI transfer behavior and potentially leak kernel stack contents. There is no public exploit identified at time of analysis, and EPSS rates exploitation likelihood at 0.02% (5th percentile).
Memory corruption in the Linux kernel's RDMA Soft-RoCE (rxe) driver allows incorrect iova-to-virtual-address translation when Memory Region (MR) page sizes differ from the system PAGE_SIZE, leading to access of wrong memory pages during RDMA operations. The flaw affects kernels from 6.3 through pre-6.18.14 / pre-6.19.4 / pre-7.0 patched releases, and a related kernel panic was previously reported by Yi Zhang. EPSS is 0.02% (4th percentile) and no public exploit identified at time of analysis, but a patch is available from upstream.
Local privilege escalation potential exists in the Linux kernel's netfilter nf_tables subsystem where netlink hook unregistration functions failed to use RCU-safe list removal while concurrent dumpers walked the same list. Affected paths are nft_netdev_unregister_hooks and __nft_unregister_flowtable_net_hooks, which previously used non-RCU list_del semantics and could race with readers, leading to memory corruption or use-after-free conditions on systems exposing nftables. No public exploit identified at time of analysis, and EPSS rates real-world exploitation likelihood at 0.02%.
Use-after-free in the Linux kernel's Generic Receive Offload (GRO) networking path allows local attackers to corrupt kernel memory and potentially achieve privilege escalation or denial of service. The flaw stems from skb_gro_receive() merging fragment lists between socket buffers without honoring the SKBFL_MANAGED_FRAG_REFS zero-copy flag, leaving page refcounts inconsistent. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02% (5th percentile).
Memory leak in the Linux kernel's TUN driver (tun_xdp_one) allows a local attacker to exhaust host memory by repeatedly triggering build_skb() allocation failures, leaking one page-frag chunk per failed batch entry. The flaw affects the vhost_net XDP fast-path used by virtual machines and containers; with no public exploit identified at time of analysis and an EPSS score of 0.02% (5th percentile), real-world weaponization risk is low, but sustained leakage on busy virtualization hosts could degrade availability.
Local denial-of-service in the Linux kernel's tun/vhost-net subsystem allows an unprivileged process with access to /dev/net/tun and /dev/vhost-net to leak page-frag chunks on every short frame (length minus virtio-net header below ETH_HLEN) submitted to tun_xdp_one(), eventually exhausting host memory and triggering an OOM panic. The flaw is a missing put_page() on the -EINVAL error path that tun_sendmsg() then masks by reporting success to vhost_tx_batch(). EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug is upstream-confirmed with patches in stable trees.
Denial-of-service via memory exhaustion in the Linux kernel's tap/vhost_net XDP path allows adjacent network attackers to leak kernel page-frag memory by sending malformed frames over a tap device. The bug in tap_get_user_xdp() fails to free pages allocated by vhost_net_build_xdp() on the error paths for undersized frames (<ETH_HLEN) and build_skb() allocation failures, with each rejected frame in a batch leaking one page-frag chunk. EPSS is 0.02% and no public exploit identified at time of analysis; not listed in CISA KEV.
Local privilege escalation in the Linux kernel's net/sched act_ct traffic control action stems from a use-after-free in tcf_ct_flow_table_get(), where rhashtable_lookup_fast() releases the RCU read lock before refcount_inc_not_zero() can pin the returned ct_ft object. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but Trend Micro ZDI provided detailed root-cause analysis and stable-tree patches are merged across 5.10 through 6.18 lines. Successful exploitation grants attacker-controlled kernel memory access enabling privilege escalation to root.
Lock resource leak in Linux kernel hugetlbfs subsystem enables local denial of service against systems using huge page memory mappings. Introduced by a faulty commit (ea52cb24cd3f) that incorrectly handled VMA lock allocation during the mmap_prepare stage, the defect allows a failed post-mmap_prepare allocation to leave a VMA lock unreleased, leaking kernel resources. This CVE documents the corrective revert; systems running affected kernel versions (around 6.19 through pre-7.0.12 and pre-7.1-rc6) with hugetlbfs in use are exposed to potential availability impact. No public exploit code exists and EPSS probability is 0.02% (5th percentile), indicating very low real-world exploitation activity.
Use-after-free in the Linux kernel KVM subsystem on arm64 allows a local attacker with the ability to manipulate nested virtualization state to dereference a freed nested_mmus array, with potential scope-crossing impact from guest to host kernel memory. Triggered by a race between kvm_vcpu_init_nested() reallocating the array under config_lock and MMU notifier walkers (kvm_unmap_gfn_range) traversing it under mmu_lock. EPSS is 0.02% and no public exploit identified at time of analysis; not listed in CISA KEV.
Use-after-free in the KVM arm64 vGIC-ITS translation cache allows a malicious guest to corrupt host kernel memory by triggering concurrent cache invalidations that double-drop a single reference. The flaw affects Linux 6.10 and later until the stable backports, has no public exploit identified at time of analysis, and EPSS rates real-world exploitation probability as very low (0.02%, 5th percentile) despite the CVSS 9.3 rating.
Stale kernel memory disclosure in the Linux kernel's io_uring IORING_OP_WAITID operation allows a local low-privileged user to read arbitrary bytes from reused io_kiocb command storage via the userspace siginfo output buffer. The io_uring prep path for waitid requests fails to zero-initialize the io_waitid::info result field, meaning that when a wait completes without a child event the kernel copies whatever bytes happen to occupy that slab slot into the caller's siginfo_t. No public exploit has been identified at time of analysis; EPSS at 0.02% (5th percentile) reflects low current exploitation probability.
File descriptor exhaustion in Netty's Unix domain socket native transport allows a local peer to leak two file descriptors per crafted SCM_RIGHTS message into the receiving process, with neither FD ever closed. Affected are applications explicitly configured with DomainSocketReadMode.FILE_DESCRIPTORS on Epoll or KQueue DomainSocketChannel - a non-default opt-in setting. Sustained message flooding by a local socket peer can exhaust the Netty process's file descriptor table, ultimately causing denial of service. No public exploit identified at time of analysis and not listed in CISA KEV; CVSS scores this at 4.0 (Low) reflecting the local-only attack surface and low availability impact.
Infinite loop denial-of-service in the Linux kernel's drm/v3d GPU driver allows a local low-privileged user to permanently peg a CPU core by submitting a crafted self-referential ioctl extension structure. The vulnerability exists in v3d_get_extensions(), which traverses a userspace-controlled linked list without bounding chain length; when both in_sync_count and out_sync_count are zero, the duplicate-extension guard silently passes on every iteration, trapping the kernel thread indefinitely. No public exploit or active exploitation has been identified at time of analysis; EPSS stands at 0.02%, consistent with the local-access-only attack surface.
Error pointer dereference in the Linux kernel's Intel IPU6 media driver crashes the kernel during a failed probe, resulting in local denial of service. The flaw resides in `ipu6_pci_probe()` at `drivers/media/pci/intel/ipu6/ipu6.c:690`, where `isp->psys` holds an ERR_PTR value rather than NULL in a specific error path, causing it to be dereferenced during cleanup rather than handled safely. No public exploit exists and EPSS sits at 0.02% (5th percentile), reflecting negligible real-world exploitation interest.
Kernel warning (WARN_ON) triggerable in the Linux videobuf2 DMA scatter-gather subsystem on Apple Silicon systems allows a low-privileged local user to destabilize video capture pipelines by performing mmap() on an imported DMA-buf. The vb2_dma_sg_mmap function fails to set VM_DONTEXPAND and VM_DONTDUMP VMA flags - protections that vb2_dma_contig correctly applies - causing drm_gem_mmap_obj() to hit its assertion guard. No public exploit has been identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with the narrow hardware-specific trigger surface.
Local privilege escalation in the Linux kernel's AMD GPU userqueue (drm/amdgpu/userq) driver allows a low-privileged local user to exploit a race condition between queue creation and wptr_obj unmapping, resulting in access to stale wptr mappings and potential substitution of a buffer object at the same address. The flaw affects AMD GPU userqueue handling and could enable memory corruption with high impact to confidentiality, integrity, and availability. No public exploit has been identified at time of analysis, and EPSS rates exploitation probability at just 0.02%.
NULL pointer dereference in the Linux kernel's Renesas VSP1 media driver crashes the kernel during module unload on Generation 4 Renesas SoC hardware. The defect exists because the cleanup path unconditionally invokes vsp1_drm_cleanup() rather than vsp1_vspx_cleanup() for gen 4 IP versions, while the initialization path correctly checks the IP version - an asymmetry introduced when gen 4 support was added. With an EPSS of 0.02% (4th percentile), no KEV listing, and no public exploit code, real-world exploitation risk is very low and confined to niche embedded and automotive platforms; vendor-released patches are available in stable kernel branches.
Information disclosure in the Linux kernel's Intel Xe DRM graphics driver (drm/xe) allows a local user to read stale data from previously freed memory pages belonging to other processes. The xe_vm_madvise_ioctl() handler failed to reject PAT indices set to XE_COH_NONE (non-coherent) coherency mode on CPU-cached buffer objects, letting a GPU bypass dirty CPU caches and read sensitive content directly from DRAM before the kernel's page-clearing writeback completes. There is no public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%, consistent with a local, race-dependent leak rather than a widely weaponized flaw.
Local privilege escalation and memory corruption in the Linux kernel's MediaTek power-domain (pmdomain) driver stems from a use-after-free in scpsys_get_bus_protection_legacy(), where a device node is released via of_node_put() before the error path dereferences it in dev_err_probe(). Affecting kernels using the MediaTek SCPSYS legacy bus-protection code path (typically ARM/ARM64 MediaTek SoC platforms), a local low-privileged attacker able to influence the probe error path could corrupt freed kernel memory, with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.02%, 4th percentile).
Out-of-bounds array write in the Linux kernel's ath5k wireless driver allows a stray write of a -1 sentinel value into adjacent struct memory when ts_final_idx reaches 3 on Atheros 5212 chipsets. The kernel maintainers and the original reporter explicitly describe the impact as negligible, as the only field overwritten is info->status.ack_signal, with no public exploit identified at time of analysis and an EPSS score of 0.02% (7th percentile).
Denial of service in the Linux kernel flow dissector allows remote attackers to trigger an unaligned access exception by sending crafted PPPoE Protocol Field Compression (PFC) frames to an Ethernet interface on alignment-sensitive architectures such as MIPS. The flaw affects kernels from 6.0 onward where Receive Packet Steering (RPS) or similar features invoke the flow dissector on incoming frames, and no PPPoE session needs to be active on the targeted interface. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the vendor has released patched kernel versions.
NULL pointer dereference in the rtl8723bs staging WiFi driver crashes the Linux kernel when memory allocation fails in rtw_cbuf_alloc(). Systems running Linux 7.0 with an RTL8723BS chipset and the staging driver loaded are affected; a local low-privileged user can trigger a kernel panic resulting in denial of service. No public exploit exists and EPSS at 0.02% (5th percentile) reflects negligible real-world exploitation probability.
Denial of service in the Linux kernel's NVMe-over-TCP target (nvmet_tcp) module allows remote initiators to trigger a recursive nvmet-wq workqueue flush during controller teardown, producing a lockdep-flagged deadlock condition in nvmet_ctrl_free(). The flaw affects systems exposing NVMe-TCP targets where controller release work and async_event_work are both queued on the same nvmet workqueue. EPSS is 0.02% (7th percentile) and there is no public exploit identified at time of analysis; vendor patches have been issued across multiple stable branches.
Out-of-bounds disk read in the Linux kernel ISO 9660 filesystem (isofs) Rock Ridge handler allows narrow information disclosure when a crafted ISO image is mounted. The rock_continue() function trusted the CE continuation extent block number from the on-disk Rock Ridge record and passed it to sb_bread() without bounds checking against the volume size, so a malicious ISO can cause the kernel to read blocks belonging to an adjacent filesystem on the same block device and surface their contents through readlink() on SL sub-records. EPSS is 0.02%, no public exploit identified at time of analysis, and the issue is not on CISA KEV.
Local denial-of-service in the Linux kernel's SELinux subsystem allows any low-privileged local process to monopolize the `/sys/fs/selinux/policy` file descriptor, blocking all other processes from reading the active kernel policy. The root cause is a `policy_opened` flag that enforced a single-open restriction on the SELinux policy pseudofile - originally intended to prevent inconsistent reads or unbounded kernel memory allocation, but which also created a trivial resource-starvation primitive. No active exploitation has been identified (not in CISA KEV), and the EPSS score of 0.02% places this in the 5th percentile for exploitation likelihood.
Local privilege escalation and memory corruption in the Linux kernel's topcliff-pch (pch_spi) SPI master driver arises from a use-after-free triggered when the driver is unbound, because DMA buffers are released before the driver's transfer queue is flushed. An attacker with the ability to unbind the device can cause the freed DMA buffers to be accessed by in-flight SPI transfers, yielding CWE-416 memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis, and the EPSS probability is negligible (0.02%), consistent with an obscure, hardware-specific driver rather than a broadly exploitable flaw.
Local denial of service in the Linux kernel hfsplus filesystem driver occurs when hfsplus_fill_super() fails to release tree->tree_lock on an error path during HFS+ mount, causing a 'held lock freed' warning and potential lockdep-detected kernel instability. The flaw affects systems with CONFIG_HFSPLUS_FS enabled and is triggered when hfsplus_cat_build_key() returns an error during superblock initialization. No public exploit identified at time of analysis, and EPSS is very low (0.02%).
Deadlock vulnerability in the Linux kernel's pseries/papr-hvpipe subsystem allows a local low-privileged attacker on IBM pSeries Power Architecture systems to cause a kernel deadlock by triggering a race between the ioctl or release handler and a hardware interrupt firing on the same CPU. Exploitation is architecture-specific, requiring IBM PAPR hardware with the hvpipe driver loaded, and results in an availability-only denial-of-service. No public exploit exists and EPSS probability stands at 0.02%, consistent with a narrow attack surface; vendor-released patches are confirmed available for Linux 7.0.7, 7.1-rc3, and the 6.18 stable branch.
Improper interrupt registration in the Linux kernel's libwx network driver causes a kernel WARNING when VF (Virtual Function) misc interrupts are initialized, resulting in high availability impact on affected systems. The libwx driver incorrectly calls request_threaded_irq() with a primary handler, a NULL threaded handler, and the IRQF_ONESHOT flag - an invalid combination flagged as a WARNING by the kernel interrupt management subsystem since commit aef30c8d569c. Exploitation requires local access with low privileges on a system equipped with a Wangxun VF NIC using the libwx driver; no public exploit code exists and EPSS is negligible at 0.02%.
NULL pointer dereference in the Linux kernel's s3c64xx SPI driver triggers a kernel crash on driver unbind, allowing a local low-privileged attacker to cause a denial of service. The flaw affects systems equipped with Samsung S3C64xx-series SoC hardware running unpatched kernel versions from 6.0 onward. No public exploit code exists and EPSS probability sits at 0.02%, but the crash is deterministic once the driver unbind sequence is triggered on vulnerable hardware. No active exploitation (CISA KEV) has been identified.
KVM/x86 on Linux exposes a race condition in interrupt request register (IRR) scanning that causes incorrect reporting of the highest pending interrupt in nested virtualization scenarios. Specifically, when PID.ON is set by a sender vCPU after the target vCPU has already harvested and cleared the PIR, a second call to vmx_sync_pir_to_irr() observes an empty PIR and returns max_irr=-1 without scanning the IRR, producing a spurious kernel WARNING in vmx_check_nested_events() and a wasted L2 VM-Enter/VM-Exit cycle. The interrupt itself is not lost - it resides in the IRR from the first sync - but the incorrect max_irr triggers the assertion. No public exploit exists and EPSS is 0.02%, consistent with the highly localized, timing-dependent nature of this defect.
Out-of-bounds kernel memory write in the Linux kernel device-mapper ioctl subsystem (dm-ioctl) affects the retrieve_status function, where an unchecked align_ptr() call on the output pointer can advance it past the end of the caller-supplied buffer, causing a wrapped-around 'remaining' length calculation and subsequent overflow writes. Exploitation requires local privileges to issue device-mapper ioctls (root/CAP_SYS_ADMIN), and there is no public exploit identified at time of analysis; EPSS is negligible at 0.03% (9th percentile). The upstream maintainers explicitly note the flaw has no practical security impact because only root can trigger it and standard libraries (libdevmapper, devicemapper-rs) use 8-byte-aligned buffers that never overshoot.
Out-of-bounds memory access in the Linux kernel's Microchip PolarFire SoC clock conditioning circuit driver (clk-mpfs-ccc) occurs during registration of the final clock outputs, because the driver's hws array is sized only for two PLLs and their four dividers while the defined clock IDs also enumerate two unsupported DLLs and their outputs. On affected Microchip PolarFire SoC hardware this leads to reads past the allocated array (flagged by UBSAN), enabling information disclosure or a kernel crash. There is no public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%).
Missing resource cleanup in the Linux kernel's generic power domain (genpd) subsystem causes runtime PM to remain enabled for virtual devices after detach, leading to a NULL pointer dereference in genpd_runtime_suspend() and local denial of service. The flaw affects systems where drivers use genpd_dev_pm_attach_by_id() - predominantly ARM and SoC-based platforms - since the balancing pm_runtime_disable() call is absent from genpd_dev_pm_detach(). No public exploit exists and EPSS at 0.02% (5th percentile) confirms negligible exploitation probability; this is not listed in CISA KEV.
Sensitive HMAC key material is exposed through kernel debug logging in the Linux kernel's CAAM (Cryptographic Acceleration and Assurance Module) crypto driver. On systems with CONFIG_DYNAMIC_DEBUG enabled and debug output activated for the caam module at runtime, calls to hash_digest_key() emit raw HMAC key bytes via hex dump into the kernel log, allowing any local attacker with debug log read access to extract cryptographic secrets. No public exploit code has been identified and EPSS probability is 0.02%, though the confidentiality impact is severe if exploitation conditions are met. The provided CVSS vector (C:N/A:H) appears to misclassify this as an availability issue rather than a confidentiality issue - see confidence notes.
Linux kernel x86 EFI runtime service fault handling panics instead of recovering gracefully on systems with buggy EFI firmware, following the FPU softirq changes introduced in commit d02198550423. When kernel_fpu_begin() began using local_bh_disable() in place of preempt_disable(), SOFTIRQ_OFFSET is set in preempt_count for the duration of EFI runtime service calls, causing in_interrupt() to return true in normal task context - which causes efi_crash_gracefully_on_page_fault() to bail unconditionally, escalating to panic(). On hardware where EFI firmware (e.g., GetTime()) accesses unmapped memory, this produces an unrecoverable system freeze. No public exploit identified at time of analysis; EPSS is 0.02%, confirming no observed exploitation activity.
Incorrect length calculation in the Linux kernel's lib/scatterlist extract_kvec_to_sg helper can produce scatterlist entries that cross page boundaries, leading to memory corruption or out-of-bounds access in kernel code paths that build scatterlists from kvecs (originally introduced in v6.3, moved to lib/scatterlist.c in v6.5). The flaw is patched upstream across the 6.6, 6.12, 6.18 and 7.0/7.1 stable trees, with no public exploit identified at time of analysis and a very low EPSS probability of 0.02%.
Use-after-free in the Linux kernel's Open Firmware (OF) device-tree unit test code (of_unittest_changeset) allows reads of freed memory when the unit test path executes. The flaw lives in selftest code (drivers/of/unittest.c) reachable only when CONFIG_OF_UNITTEST is built in and the test runs, making real-world impact narrow. EPSS is 0.02% (5th percentile) and there is no public exploit identified at time of analysis; the bug has been fixed upstream and backported to stable trees.
Missing RTNL lock acquisition in the txgbe network driver causes a kernel assertion warning during module removal on systems with Wangxun copper NICs with external PHY. When `rmmod txgbe` is executed, `phylink_disconnect_phy()` fires an `ASSERT_RTNL()` check at `drivers/net/phy/phylink.c:2351` because the driver's remove path neglects to hold the RTNL mutex, producing a kernel WARNING and degrading system availability. No public exploit exists and EPSS is 0.02% (5th percentile); this is a stability regression rather than a remotely exploitable flaw, affecting a narrow hardware-specific code path.
Array out-of-bounds read in the Linux kernel's Qualcomm Light Pulse Generator (qcom-lpg) LED driver allows a local low-privileged user to crash the kernel via denial of service on affected Qualcomm SoC-based systems. The flaw stems from using FIELD_GET() to extract a 3-bit register value (range 0-7) as an index into an array with only 5 elements, enabling reads beyond array bounds and subsequent hardware misconfiguration or kernel panic. No public exploit has been identified and EPSS stands at the 5th percentile, placing this firmly in lower-priority triage despite the technically High availability impact per CVSS.
Local memory corruption in the Linux kernel's mtd/docg3 M-Systems DiskOnChip driver occurs when docg3_release() dereferences a docg3 pointer already freed by doc_release_device() (kfree at line 1881), a CWE-416 use-after-free reachable during device teardown. Only systems that load the docg3 driver for DiskOnChip G3 flash hardware are affected. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%, 7th percentile), and the issue is not in CISA KEV; it has been fixed upstream across multiple stable branches.
NULL pointer dereference in the Linux kernel's HugeTLB early boot parameter parser causes a system crash before the OS fully initializes. Specifically, `hugetlb_add_param()` in `mm/hugetlb` dereferences a NULL pointer via `strlen()` when `hugepages`, `hugepagesz`, or `default_hugepagesz` kernel command line parameters are supplied without a '=' separator, producing a boot-time kernel panic. The impact is a complete denial of service - the system fails to boot until the malformed parameter is corrected. No public exploit or CISA KEV listing exists; EPSS stands at 0.02% (5th percentile), reflecting very low observed exploitation activity. Patches are available in Linux 6.18.27, 7.0.4, and 7.1-rc1, with Ubuntu distributing fixes via USN-8489-1 and USN-8488-1.
Sensitive cryptographic material-HMAC session keys, nonces, and passphrase data held in struct tpm2_auth-is left in freed slab memory when a TPM device is released via tpm_dev_release() in Linux kernels from 6.10 onward, because that code path uses kfree() rather than kfree_sensitive(). Every other tear-down path in the same TPM driver (tpm2_end_auth_session() and tpm_buf_check_hmac_response()) already calls kfree_sensitive(), making this an isolated inconsistency. No public exploit exists and EPSS is 0.02% (5th percentile), but in high-assurance environments where TPM-backed key confidentiality is mandatory the residual key material is a meaningful exposure until overwritten by subsequent allocations.
NULL pointer dereference in the Linux kernel's admv1013 IIO frequency driver crashes the kernel when device_property_read_string() fails during device initialization, leaving a garbage pointer subsequently passed to strcmp(). A local low-privileged user on a system with ADMV1013 microwave upconverter hardware can reliably trigger a kernel panic, resulting in a complete denial of service. No public exploit exists and EPSS sits at 0.02% (5th percentile), but vendor-released patches are available across multiple stable kernel branches including 6.12.86 and 7.0.4.
Out-of-bounds write in the Linux kernel's vmalloc subsystem (vrealloc_node_align()) lets a local low-privileged actor trigger heap memory corruption when a vmalloc-backed object is shrunk while also forcing reallocation for NUMA-node or alignment reasons. Introduced by commit 4c5d3365882d in the 6.18 development series and carried into stable trees, the flaw causes the code to memcpy the old (larger) size into a smaller new buffer. There is no public exploit identified at time of analysis and EPSS is very low (0.02%), reflecting a subsystem-internal bug rather than a broadly reachable network attack surface.
Use-after-free in the Linux kernel's HMM (Heterogeneous Memory Management) test driver (lib/test_hmm) allows local users to trigger a kernel panic and potentially escalate privileges when device private pages are faulted in after the dmirror file descriptor is closed. The flaw was discovered during arm64 selftest runs where a SIGABRT coredump walked stale VMAs and dereferenced a dangling zone_device_data pointer. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the bug is fixed upstream across multiple stable trees.
Improper handling of allocation-profiling codetags in the Linux kernel's mm/alloc_tag subsystem causes an 'alloc_tag was not set' WARNING when pages allocated before page_ext initialization are later freed, because their codetag reference was never set. This affects local systems running kernels built with the debug option CONFIG_MEM_ALLOC_PROFILING_DEBUG and with mem_profiling_compressed disabled, and is triggered by ordinary boot-time activity (e.g. KASAN quarantine reclaim freeing early-allocated pages). It is classified under CWE-415 (double free) but the observed effect is a kernel warning splat; there is no public exploit identified at time of analysis and EPSS is negligible (0.02%).
NULL pointer dereference in the Linux kernel's drm/imagination (PowerVR GPU) driver crashes the kernel when a local user writes to the ftrace mask debugfs entry. Affected kernels range from the introduction of the drm/imagination driver at commit a331631496a0af9a6f4e7e1860983afd8b1bb013 through Linux 7.0, with fixes landed in 7.0.4 and 7.1-rc2. An attacker with local access and write permission to the debugfs interface can trigger a kernel Oops, resulting in a full system crash and denial of service. No public exploit exists and EPSS is 0.02%, consistent with the narrow hardware scope (Imagination Technologies PowerVR GPUs) and local-only attack surface.
Use-after-free in the Linux kernel's mm/zone_device subsystem allows local attackers with low privileges to corrupt memory or escalate privileges by exploiting a race where a device folio is accessed after the driver's ->folio_free() callback has already reallocated it with a potentially different order. The flaw affects systems using ZONE_DEVICE memory (typically with DAX, HMM, or GPU/accelerator drivers exposing device-backed folios) and carries a 7.8 CVSS with low EPSS (0.02%, 5th percentile), indicating high theoretical impact but no public exploit identified at time of analysis.
Kernel panic in the Linux amdgpu DRM driver exposes systems running RDNA4 hardware (e.g., AMD RX 9070 XT) to a denial-of-service condition during driver initialization, but only when the kernel is compiled with CONFIG_DRM_DEBUG_MM enabled. The RDNA4 architecture (GFX 12) removed the GDS, GWS, and OA on-chip memory resources entirely; however, amdgpu_ttm_init() unconditionally invokes amdgpu_ttm_init_on_chip() for these resources regardless of size, ultimately calling drm_mm_init(mm, 0, 0), which triggers DRM_MM_BUG_ON and crashes the kernel at modprobe time. No public exploit exists and EPSS sits at 0.02% (7th percentile), consistent with a hardware-specific, debug-config-dependent crash rather than a remotely triggerable attack surface.
Use-After-Free and race conditions in the Linux kernel's Bluetooth hci_uart driver (drivers/bluetooth/hci_uart.c) enable a local low-privileged user to corrupt kernel heap memory, potentially escalating to root. The flaw stems from improper lifecycle management of the hci_uart struct and its associated workqueues: when a TTY hangup interrupts Bluetooth UART initialization before HCI_UART_PROTO_READY is set, teardown skips workqueue cancellation, leaving deferred work items to dereference freed memory. Three compounding sub-issues - a tx_skb double-free, a vendor callback UAF via premature hci_free_dev(), and proto_lock races during error paths - are all resolved in patched stable releases. No public exploit is known and EPSS at 0.02% (7th percentile) signals low near-term exploitation probability despite the CVSS 7.8 rating.
Local privilege escalation via use-after-free in the Linux kernel io_uring io-wq worker subsystem allows an unprivileged local user to corrupt kernel memory and potentially execute arbitrary code in kernel context. The flaw lives in io_wq_remove_pending(), where a missing io_wq_is_hashed() check on the predecessor work item lets a non-hashed io_kiocb be recorded in wq->hash_tail[0]; after that request is freed back to req_cachep, the stale pointer is dereferenced on the next hashed bucket-0 enqueue. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug is reachable from any process that can issue io_uring syscalls.
Denial-of-service in the Linux kernel's DRM VKMS (Virtual Kernel Mode Setting) subsystem arises from an improperly managed custom hrtimer used for vblank timing, replaced in the fix by DRM's standard vblank timer implementation. Local users with low-privileged access to the VKMS device can trigger a kernel availability failure - likely a crash or hang - due to the divergent timer lifecycle in struct vkms_output. EPSS is negligible at 0.02% and no active exploitation is confirmed; this is a low-urgency kernel hardening fix affecting development and CI-focused deployments.
Type confusion in OP-TEE OS versions 4.3.0 through 4.10.x allows a highly privileged local attacker operating in the normal world to crash the Trusted Execution Environment by submitting a malformed FFA_MEM_SHARE request, resulting in denial of service of all secure services hosted in the TEE. Exploitation is gated behind a non-default build configuration requiring both CFG_CORE_SEL1_SPMC=y and CFG_SECURE_PARTITION=y, substantially narrowing the affected population to deployments using OP-TEE as an S-EL1 Secure Partition Manager Core. No public exploit code has been identified and the vulnerability is absent from the CISA KEV catalog; the CVSS score of 4.4 (Medium) reflects these real-world constraints accurately.
Private ECDH key recovery in OP-TEE prior to version 4.11.0 is achievable by a local attacker who can invoke TEE_DeriveKey with approximately 30-40 crafted public key values lying off the target elliptic curve. Because the implementation omits point validation - failing to verify that (X, Y) satisfies Y^2 ≡ X^3 + aX + b mod P for the specified curve - each malformed call leaks a residue d mod r, where d is the private key and r is the order of the attacker-chosen invalid curve. Accumulated residues allow full private key reconstruction via the Chinese Remainder Theorem. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the underlying invalid curve attack technique is well-documented in cryptographic literature and reproducible by any skilled attacker with local access.
Use-after-free race condition in OP-TEE OS versions 3.16.0 through 4.10.x enables local low-privileged attackers to corrupt memory within the secure world when OP-TEE is built as an FF-A Secure Partition Manager Core (SPMC) for S-EL0 Secure Partitions. The flaw stems from missing lock acquisition in sp_mem_remove() during shared-memory teardown, allowing concurrent threads to dereference freed sp_mem_map_region or sp_mem_receiver objects. No public exploit identified at time of analysis, but successful exploitation yields high confidentiality, integrity, and availability impact inside the Trusted Execution Environment.
Remote denial of service in the Linux kernel ibmveth driver on IBM Power systems allows attackers to freeze physical network adapters by transmitting GSO packets with an MSS below 224 bytes, halting all traffic until manual reset. The flaw affects multiple stable kernel branches and is fixed upstream, with no public exploit identified at time of analysis and an EPSS score of 0.02% (7th percentile) reflecting low expected exploitation volume despite the high CVSS of 8.6.
Race condition in the Linux kernel's CoreSight TMC-ETR (Trace Memory Controller, Embedded Trace Router) driver triggers a kernel WARN_ON() when sysfs and perf hardware tracing modes are enabled concurrently, resulting in a denial-of-service condition against the tracing subsystem. The sysfs enable path is split across two separate spinlock-protected critical sections, creating a window where perf mode can initialize drvdata->etr_buf between the sysfs buffer allocation and hardware enablement steps - causing tmc_etr_enable_hw() to encounter an already-initialized pointer and fire WARN_ON(). No public exploit exists and EPSS is 0.02% (4th percentile), indicating near-zero real-world exploitation probability; patched kernel versions 6.18.14, 6.19.4, and 7.0 are available.
Denial of service in the Linux kernel ath12k Wi-Fi driver affects systems using Qualcomm WCN7850 chipsets with multi-link operation (MLO) connections. When Wake-on-WLAN (WoW) offloads are configured on both primary and secondary links during a multi-link connection, the WCN7850 firmware crashes, disrupting wireless connectivity. EPSS exploitation probability is very low (0.02%, 4th percentile) and no public exploit identified at time of analysis, suggesting this is primarily a stability/reliability fix rather than a security priority.
Stale gateway pointer in the Linux kernel's batman-adv mesh networking subsystem causes availability failures during mesh teardown and recreation. The batman-adv gateway cleanup function `batadv_gw_node_free()` frees gateway list entries without clearing `bat_priv->gw.curr_gw`, leaving a dangling reference that persists across cleanup and breaks subsequent mesh recreation attempts. No public exploit exists and EPSS sits at 0.16% (6th percentile), indicating negligible opportunistic exploitation interest at time of analysis.
NULL pointer dereference in the Linux kernel VRF (Virtual Routing and Forwarding) subsystem allows a local low-privileged user to crash the kernel via a race condition between RCU readers and VRF port removal operations, resulting in a complete denial of service on affected systems. Systems using VRF network segmentation are at risk specifically when VRF port membership is dynamically modified concurrent with socket bind() operations. EPSS is 0.16% (6th percentile) and the vulnerability is not listed in CISA KEV; no public exploit code has been identified, but patched kernel versions are available across all active stable branches.
Use-after-free in the Linux kernel SCTP stack (net/sctp) allows a remote peer to crash the kernel by forcing an association to roll back from COOKIE_ECHOED to COOKIE_WAIT via a Stale Cookie ERROR. When sctp_stream_update() rebuilds the stream table during this rollback it leaves the scheduler's cached stream->out_curr pointer referencing freed memory, so the next scheduler dequeue (FCFS/RR/PRIO) dereferences a dangling sctp_stream_out entry. The flaw is tagged as Denial of Service, carries an NVD CVSS of 9.8, but has a low EPSS of 0.17% (6th percentile); no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation and information disclosure in the Linux kernel's SysV IPC subsystem stems from an unbounded ID allocation in ipc_idr_alloc() along the checkpoint/restore (CRIU) path, where a user-supplied next_id can spill past the valid ipc_mni range. Because removal truncates the index via ipcid_to_idx(), a high-index object can be freed while its real IDR slot dangles, so a subsequent /proc/sysvipc/shm walk dereferences freed memory - a use-after-free. No public exploit identified at time of analysis; EPSS is low at 0.17% (6th percentile) and the issue is not on CISA KEV.
Denial of service in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh routing subsystem allows a crash via NULL pointer dereference in the Distributed ARP Table (DAT) forwarding path. The function batadv_dat_forward_data() fails to check the return value of pskb_copy_for_clone() before passing the cloned skb to batadv_send_skb_prepare_unicast_4addr(), so a failed allocation while forwarding to a DHT candidate triggers a kernel oops. Affects systems running batman-adv mesh networking; this is a memory-pressure-dependent crash with no public exploit identified at time of analysis (EPSS 0.17%, 6th percentile), and it is not listed in CISA KEV.
Denial of service in the Linux kernel netfilter ipset subsystem allows a local low-privileged user to disrupt availability by triggering an iterator overrun in hash:ip,mark, hash:ip,port, hash:ip,port,ip, or hash:ip,port,net set types during IPv4 range iteration. The 32-bit loop iterator is not properly bounded, allowing it to advance past the last address in the requested range; subsequent retry passes then resume from an unintended position, corrupting traversal state. No public exploit is identified at time of analysis, and the EPSS score of 0.16% (6th percentile) confirms very low exploitation probability, making this a routine patching priority rather than an emergency response.
Incorrect strict-mode policy matching in the Linux kernel's netfilter xt_policy module causes multi-element inbound IPsec policy rules to be evaluated in the wrong order, so packets can be matched against the wrong transform descriptor. On systems that filter inbound traffic with iptables/nftables 'policy' matches in strict mode using multiple policy elements, this can let traffic that should be rejected satisfy the rule (or legitimate IPsec traffic fail it), undermining the intended firewall/IPsec enforcement. There is no public exploit identified at time of analysis and EPSS is low (0.16%, 6th percentile); the issue has been resolved upstream with stable patches available.
Local privilege escalation via use-after-free in the Linux kernel's batman-adv (B.A.T.M.A.N. advanced) mesh networking module allows a local low-privileged user to crash or potentially gain code execution by triggering a tp_meter counter underflow during interface shutdown. Concurrent shutdown paths (timeout, user cancel, normal finish) each decrement the 'sending' atomic counter, underflowing it to -1, which traps the sender kthread in an infinite loop and produces a use-after-free when the mesh interface is removed while the zombie thread still runs. No public exploit identified at time of analysis, and EPSS is low at 0.16%; a vendor patch is available across multiple stable trees.
Use-after-free in the Linux kernel Bluetooth subsystem allows a crafted sequence of socket polling and connection teardown to dereference a freed sock structure, because bt_sock_poll() walks the per-socket accept queue without synchronization while a concurrent child teardown unlinks the same socket and drops its last reference. The flaw has existed since the original Bluetooth import and affects effectively all kernel versions until the fixed stable releases; EPSS is low (0.18%, 7th percentile) and there is no public exploit identified at time of analysis. Successful exploitation of the freed-object access can corrupt kernel memory, enabling denial of service and potentially privilege escalation.
Out-of-bounds kernel memory read in the Linux kernel's SCTP sock_diag subsystem allows a local attacker to disclose adjacent kernel memory and potentially crash the system by racing a diag dump against association teardown. The exact sock_diag lookup (dump_one path) can hold a transport reference, block on lock_sock(), and resume after sctp_association_free() has reaped the association and freed its bind-address list, causing inet_diag_msg_sctpasoc_fill() to dereference an emptied bind-address list as a valid sctp_sockaddr_entry. CVSS is 7.1 (local, high confidentiality and availability impact); EPSS is low (0.18%, 7th percentile), there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Stack exhaustion in the Linux kernel batman-adv mesh networking subsystem allows an attacker on the same batman-adv mesh to crash the kernel by sending matryoshka-nested BATADV_UNICAST_FRAG packets. The reassembled payload's packet type is not validated before re-processing, enabling unbounded recursion in batadv_batman_skb_recv() that exhausts kernel stack and causes a hard system crash. No active exploitation is recorded in CISA KEV and EPSS sits at 0.18% (7th percentile), making this a targeted DoS risk limited to environments running batman-adv mesh networking.
Local denial of service and potential information disclosure in the Linux kernel's IPv6 netfilter Hop-by-Hop options match (ip6t_hbh) stems from an off-by-one out-of-bounds array access. A local user able to install xtables rules can supply an oversized optsnr value that the hbh_mt6_check() setup path fails to validate, reading/writing past the fixed 16-entry opts[] array (confirmed via a UBSAN array-index-out-of-bounds report at index 16). There is no public exploit identified at time of analysis and EPSS risk is low (0.18%), but a vendor fix has shipped across multiple stable kernel branches.
Denial of service in the Linux kernel's batman-adv mesh networking module arises from faulty length accounting during fragment reassembly, where the accumulated payload length can be truncated during updates, letting malformed fragment chains bypass validation and drive reassembly with inconsistent length state. The flaw affects systems running the B.A.T.M.A.N. Advanced (batman-adv) module across many stable kernel series and results in a local denial of service per the upstream description. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 7th percentile), and the NVD CVSS of 9.8 conflicts with the upstream 'local denial of service' characterization.
NULL pointer dereference in the Linux kernel's batman-adv OGMv2 subsystem allows a local low-privilege user to crash the kernel by racing interface teardown against OGM dispatch. When a batman-adv hard interface is disabled and its mesh_iface pointer is set to NULL, the batadv_v_ogm_queue_on_if() function continues to call netdev_priv() on that NULL pointer, triggering a kernel panic. No public exploit exists and EPSS is 0.18% (7th percentile), making this low operational priority except on systems actively running batman-adv mesh networking.
Use-after-free in the Linux kernel's netfilter NFQUEUE subsystem affects bridge LOCAL_IN packet handling, where br_pass_frame_up() rewrites skb->dev to the bridge master before queuing without holding a reference on that device. A local attacker who can influence queued bridge traffic and trigger bridge teardown (NETDEV_DOWN) can cause the kernel to re-enter the receive path with a freed bridge master device, yielding a use-after-free with high confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.19%, 9th percentile).
Authenticated arbitrary file write in Gogs (self-hosted Git service) versions below 0.14.3 on Linux/macOS lets a user with repository write access escape the working tree and overwrite any file the gogs UID can touch, escalating to remote code execution. The flaw stems from `UploadRepoFiles` validating symlinks only on the leaf path while sibling functions correctly walk every component; combined with a crafted multipart filename containing a literal backslash, the write is redirected through a previously committed directory symlink to targets like `~git/.ssh/authorized_keys` or `<repo>.git/hooks/post-receive`. No CISA KEV listing and no EPSS provided, but a detailed, tested proof-of-concept is published in the vendor advisory, so publicly available exploit code exists.
Improper session authorization in the Linux kernel's in-kernel SMB3 server (ksmbd) lets an authenticated SMB client reach sessions it never bound to. Because the connection-wide conn->binding flag stays set after a binding SESSION_SETUP, the global lookup in ksmbd_session_lookup_all() would resolve any session by ID, allowing a low-privileged remote user to access another user's session (Information Disclosure tagged). No public exploit identified at time of analysis; EPSS is low (0.18%, 7th percentile) and it is not in CISA KEV.
Local privilege escalation / memory corruption in the Linux kernel's SO_REUSEPORT BPF handling allows a local user to trigger a use-after-free (vmalloc out-of-bounds read) by replacing a classic BPF (cBPF) reuseport program via setsockopt() while another thread routes UDP traffic through the same reuseport group. Because the cBPF program is freed immediately by sk_reuseport_prog_free() without waiting for an RCU grace period, in-flight readers in reuseport_select_sock() dereference freed memory; the fix defers freeing until after one RCU grace period. No public exploit identified at time of analysis and EPSS probability is low (0.17%), but the bug is confirmed and fixed upstream.
Improper network-namespace isolation in the Linux kernel's IPv6 VTI (ip6_vti) tunnel driver allows the per-netns fallback device (ip6_vti0) to be relocated into another network namespace, because vti6_init_net() omits the netns_immutable flag that sibling tunnel drivers (ip6_tunnel, sit, ip6_gre, ip_tunnel) all set. A local user holding CAP_NET_ADMIN in a namespace can move this fallback device, breaking the isolation guarantee the kernel enforces for other fallback tunnels and potentially destabilizing networking state. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.15%, 5th percentile).
Improper access-control re-validation in the Linux kernel's RDMA/InfiniBand subsystem (the ib_uverbs memory-region re-registration path) allows a local user with RDMA device access to obtain unintended read-write access to memory that was only pinned as read-only. When IB_MR_REREG_ACCESS upgrades a memory region from RO to RW, the underlying umem was not re-evaluated to confirm it is properly pinned for writing, enabling potential memory corruption or disclosure across RDMA-capable drivers. EPSS is low (0.17%, 6th percentile) and there is no public exploit identified at time of analysis; the issue is fixed upstream in multiple stable trees.
Local privilege escalation potential in the Linux kernel's net/sched traffic-control subsystem arises from a partial copy-on-write (COW) miss in the pedit action (tcf_pedit_act), where skb_ensure_writable() is sized using tcfp_off_max_hint before the per-key loop and fails to account for the runtime header offset added by typed keys, leaving part of the write region un-COW'd and causing page cache corruption. A local low-privileged attacker able to install tc pedit rules (CAP_NET_ADMIN, obtainable in user namespaces on many distros) can corrupt shared page-cache memory, with CVSS 7.8 reflecting high confidentiality, integrity, and availability impact. Publicly available exploit code exists, though EPSS is low at 0.14% (4th percentile) and the issue is not on CISA KEV.
Out-of-bounds array access in the Linux kernel's Rockchip RKCIF camera interface driver (drivers/media/platform/rockchip/rkcif) allows a local low-privileged user to trigger memory corruption by reading one element past the end of internal arrays due to off-by-one comparison errors. Affects mainline Linux through 6.19 and is fixed in 7.0.4 and 7.1-rc1; no public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%, 5th percentile).
Privilege escalation via UID confusion in the Linux kernel's 9p filesystem client allows local users mounting 9P2000.L shares with non-default access modes to be silently demoted to the INVALID_UID (nobody/65534) for all fid lookups, breaking root's ability to chown or perform privileged file operations over the mount. Introduced by commit 1f3e4142c0eb during the conversion of 9p to the new mount API, the bug causes v9fs_apply_options() to OR user-supplied access flags onto the default V9FS_ACCESS_CLIENT instead of replacing them. EPSS is 0.02% and the issue is not on CISA KEV; no public exploit identified at time of analysis.
Denial-of-service in the Linux kernel's DAMON (Data Access MONitor) subsystem allows a local low-privileged user to crash the kernel by supplying a non-power-of-two `min_region_sz` value through the DAMON sysfs interface and invoking `damon_start()`. The flaw is an incomplete remediation: commit c80f46ac228b fixed the same class of bug for the `damon_commit_ctx()` code path but left `damon_start()` - reachable via DAMON sysfs - without the `is_power_of_2()` guard. No public exploit exists and EPSS sits at 0.02% (4th percentile), indicating negligible real-world exploitation probability; no CISA KEV listing has been issued.
Memory leak in the Linux kernel's drm/nouveau subsystem exposes systems with NVIDIA GPUs using the open-source nouveau driver to local denial of service. When aperture_remove_conflicting_pci_devices() fails during PCI device probe, the error path bypasses the fail_nvkm cleanup label, permanently leaking both the nvkm_device wrapper and the pci_enable_device() reference taken inside nvkm_device_pci_new(). No public exploit exists and EPSS sits at the 5th percentile (0.02%), confirming negligible exploitation probability; however, patched stable releases are available across multiple kernel branches.
Buffer overflow in the Linux kernel's greybus gb-beagleplay driver allows an adjacent attacker with control over the cc1352 bootloader serial data stream to overflow the fixed rx_buffer used to stage bootloader packets. The cc1352_bootloader_rx() handler appends serdev chunks without validating they fit in remaining buffer space, enabling memory corruption with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Use-after-free and VFS invariant violations in the Linux kernel SMC subsystem (5.17 through pre-6.19.4) allow local privileged users to trigger memory corruption and system instability via the TCP ULP-to-SMC conversion path. The upstream maintainers fully reverted the underlying commit d7cd421da9da rather than attempting an in-place fix, citing fundamental design flaws; no public exploit identified at time of analysis and EPSS sits at 0.02% (5th percentile).
Improper end-of-filesystem boundary handling in the Linux kernel EROFS driver for file-backed mounts causes a denial-of-service condition when I/O requests exceed the filesystem image boundary. Affected kernels spanning multiple stable branches fail to zero-fill out-of-bounds I/O regions as expected (analogous to loopback device behavior), producing undefined kernel behavior that results in availability loss. No public exploit has been identified and EPSS is 0.02% (5th percentile), indicating negligible opportunistic exploitation probability; patches are confirmed available across stable branches 6.12.x, 6.18.x, 6.19.x, and 7.0.
Local privilege/availability impact in the Linux kernel AppArmor subsystem stems from incomplete rlimit handling for POSIX CPU timers, where setting an rlimit through AppArmor policy did not propagate to the POSIX CPU timer machinery. A local low-privileged user operating under an AppArmor-confined profile can leverage the inconsistent limit enforcement to disrupt CPU-time accounting and cause high-impact availability effects on the system. No public exploit identified at time of analysis, and EPSS rates likelihood of exploitation at only 0.02% (7th percentile).
Race condition in the Linux kernel device-mapper (dm) subsystem allows a local privileged user to trigger memory corruption or use-after-free conditions by exploiting a TOCTOU flaw in dm_blk_report_zones, which calls dm_suspended_md without holding required locks. The flaw affects multiple stable kernel branches including 6.12.x, 6.15.x, 6.16, and 6.18.x prior to fixed releases. No public exploit identified at time of analysis, and EPSS scores exploitation probability at 0.02% (5th percentile).
Uninitialized stack memory disclosure in the Linux kernel's iio pressure sensor driver (mprls0025pa) for the Honeywell MPRLS0025PA SPI pressure sensor stems from a spi_transfer struct that was not zeroed before use. Local users on systems with the vulnerable driver loaded may trigger undefined SPI transfer behavior and potentially leak kernel stack contents. There is no public exploit identified at time of analysis, and EPSS rates exploitation likelihood at 0.02% (5th percentile).
Memory corruption in the Linux kernel's RDMA Soft-RoCE (rxe) driver allows incorrect iova-to-virtual-address translation when Memory Region (MR) page sizes differ from the system PAGE_SIZE, leading to access of wrong memory pages during RDMA operations. The flaw affects kernels from 6.3 through pre-6.18.14 / pre-6.19.4 / pre-7.0 patched releases, and a related kernel panic was previously reported by Yi Zhang. EPSS is 0.02% (4th percentile) and no public exploit identified at time of analysis, but a patch is available from upstream.
Local privilege escalation potential exists in the Linux kernel's netfilter nf_tables subsystem where netlink hook unregistration functions failed to use RCU-safe list removal while concurrent dumpers walked the same list. Affected paths are nft_netdev_unregister_hooks and __nft_unregister_flowtable_net_hooks, which previously used non-RCU list_del semantics and could race with readers, leading to memory corruption or use-after-free conditions on systems exposing nftables. No public exploit identified at time of analysis, and EPSS rates real-world exploitation likelihood at 0.02%.
Use-after-free in the Linux kernel's Generic Receive Offload (GRO) networking path allows local attackers to corrupt kernel memory and potentially achieve privilege escalation or denial of service. The flaw stems from skb_gro_receive() merging fragment lists between socket buffers without honoring the SKBFL_MANAGED_FRAG_REFS zero-copy flag, leaving page refcounts inconsistent. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02% (5th percentile).
Memory leak in the Linux kernel's TUN driver (tun_xdp_one) allows a local attacker to exhaust host memory by repeatedly triggering build_skb() allocation failures, leaking one page-frag chunk per failed batch entry. The flaw affects the vhost_net XDP fast-path used by virtual machines and containers; with no public exploit identified at time of analysis and an EPSS score of 0.02% (5th percentile), real-world weaponization risk is low, but sustained leakage on busy virtualization hosts could degrade availability.
Local denial-of-service in the Linux kernel's tun/vhost-net subsystem allows an unprivileged process with access to /dev/net/tun and /dev/vhost-net to leak page-frag chunks on every short frame (length minus virtio-net header below ETH_HLEN) submitted to tun_xdp_one(), eventually exhausting host memory and triggering an OOM panic. The flaw is a missing put_page() on the -EINVAL error path that tun_sendmsg() then masks by reporting success to vhost_tx_batch(). EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug is upstream-confirmed with patches in stable trees.
Denial-of-service via memory exhaustion in the Linux kernel's tap/vhost_net XDP path allows adjacent network attackers to leak kernel page-frag memory by sending malformed frames over a tap device. The bug in tap_get_user_xdp() fails to free pages allocated by vhost_net_build_xdp() on the error paths for undersized frames (<ETH_HLEN) and build_skb() allocation failures, with each rejected frame in a batch leaking one page-frag chunk. EPSS is 0.02% and no public exploit identified at time of analysis; not listed in CISA KEV.
Local privilege escalation in the Linux kernel's net/sched act_ct traffic control action stems from a use-after-free in tcf_ct_flow_table_get(), where rhashtable_lookup_fast() releases the RCU read lock before refcount_inc_not_zero() can pin the returned ct_ft object. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but Trend Micro ZDI provided detailed root-cause analysis and stable-tree patches are merged across 5.10 through 6.18 lines. Successful exploitation grants attacker-controlled kernel memory access enabling privilege escalation to root.
Lock resource leak in Linux kernel hugetlbfs subsystem enables local denial of service against systems using huge page memory mappings. Introduced by a faulty commit (ea52cb24cd3f) that incorrectly handled VMA lock allocation during the mmap_prepare stage, the defect allows a failed post-mmap_prepare allocation to leave a VMA lock unreleased, leaking kernel resources. This CVE documents the corrective revert; systems running affected kernel versions (around 6.19 through pre-7.0.12 and pre-7.1-rc6) with hugetlbfs in use are exposed to potential availability impact. No public exploit code exists and EPSS probability is 0.02% (5th percentile), indicating very low real-world exploitation activity.
Use-after-free in the Linux kernel KVM subsystem on arm64 allows a local attacker with the ability to manipulate nested virtualization state to dereference a freed nested_mmus array, with potential scope-crossing impact from guest to host kernel memory. Triggered by a race between kvm_vcpu_init_nested() reallocating the array under config_lock and MMU notifier walkers (kvm_unmap_gfn_range) traversing it under mmu_lock. EPSS is 0.02% and no public exploit identified at time of analysis; not listed in CISA KEV.
Use-after-free in the KVM arm64 vGIC-ITS translation cache allows a malicious guest to corrupt host kernel memory by triggering concurrent cache invalidations that double-drop a single reference. The flaw affects Linux 6.10 and later until the stable backports, has no public exploit identified at time of analysis, and EPSS rates real-world exploitation probability as very low (0.02%, 5th percentile) despite the CVSS 9.3 rating.
Stale kernel memory disclosure in the Linux kernel's io_uring IORING_OP_WAITID operation allows a local low-privileged user to read arbitrary bytes from reused io_kiocb command storage via the userspace siginfo output buffer. The io_uring prep path for waitid requests fails to zero-initialize the io_waitid::info result field, meaning that when a wait completes without a child event the kernel copies whatever bytes happen to occupy that slab slot into the caller's siginfo_t. No public exploit has been identified at time of analysis; EPSS at 0.02% (5th percentile) reflects low current exploitation probability.
File descriptor exhaustion in Netty's Unix domain socket native transport allows a local peer to leak two file descriptors per crafted SCM_RIGHTS message into the receiving process, with neither FD ever closed. Affected are applications explicitly configured with DomainSocketReadMode.FILE_DESCRIPTORS on Epoll or KQueue DomainSocketChannel - a non-default opt-in setting. Sustained message flooding by a local socket peer can exhaust the Netty process's file descriptor table, ultimately causing denial of service. No public exploit identified at time of analysis and not listed in CISA KEV; CVSS scores this at 4.0 (Low) reflecting the local-only attack surface and low availability impact.
Infinite loop denial-of-service in the Linux kernel's drm/v3d GPU driver allows a local low-privileged user to permanently peg a CPU core by submitting a crafted self-referential ioctl extension structure. The vulnerability exists in v3d_get_extensions(), which traverses a userspace-controlled linked list without bounding chain length; when both in_sync_count and out_sync_count are zero, the duplicate-extension guard silently passes on every iteration, trapping the kernel thread indefinitely. No public exploit or active exploitation has been identified at time of analysis; EPSS stands at 0.02%, consistent with the local-access-only attack surface.
Error pointer dereference in the Linux kernel's Intel IPU6 media driver crashes the kernel during a failed probe, resulting in local denial of service. The flaw resides in `ipu6_pci_probe()` at `drivers/media/pci/intel/ipu6/ipu6.c:690`, where `isp->psys` holds an ERR_PTR value rather than NULL in a specific error path, causing it to be dereferenced during cleanup rather than handled safely. No public exploit exists and EPSS sits at 0.02% (5th percentile), reflecting negligible real-world exploitation interest.
Kernel warning (WARN_ON) triggerable in the Linux videobuf2 DMA scatter-gather subsystem on Apple Silicon systems allows a low-privileged local user to destabilize video capture pipelines by performing mmap() on an imported DMA-buf. The vb2_dma_sg_mmap function fails to set VM_DONTEXPAND and VM_DONTDUMP VMA flags - protections that vb2_dma_contig correctly applies - causing drm_gem_mmap_obj() to hit its assertion guard. No public exploit has been identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with the narrow hardware-specific trigger surface.
Local privilege escalation in the Linux kernel's AMD GPU userqueue (drm/amdgpu/userq) driver allows a low-privileged local user to exploit a race condition between queue creation and wptr_obj unmapping, resulting in access to stale wptr mappings and potential substitution of a buffer object at the same address. The flaw affects AMD GPU userqueue handling and could enable memory corruption with high impact to confidentiality, integrity, and availability. No public exploit has been identified at time of analysis, and EPSS rates exploitation probability at just 0.02%.
NULL pointer dereference in the Linux kernel's Renesas VSP1 media driver crashes the kernel during module unload on Generation 4 Renesas SoC hardware. The defect exists because the cleanup path unconditionally invokes vsp1_drm_cleanup() rather than vsp1_vspx_cleanup() for gen 4 IP versions, while the initialization path correctly checks the IP version - an asymmetry introduced when gen 4 support was added. With an EPSS of 0.02% (4th percentile), no KEV listing, and no public exploit code, real-world exploitation risk is very low and confined to niche embedded and automotive platforms; vendor-released patches are available in stable kernel branches.
Information disclosure in the Linux kernel's Intel Xe DRM graphics driver (drm/xe) allows a local user to read stale data from previously freed memory pages belonging to other processes. The xe_vm_madvise_ioctl() handler failed to reject PAT indices set to XE_COH_NONE (non-coherent) coherency mode on CPU-cached buffer objects, letting a GPU bypass dirty CPU caches and read sensitive content directly from DRAM before the kernel's page-clearing writeback completes. There is no public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%, consistent with a local, race-dependent leak rather than a widely weaponized flaw.
Local privilege escalation and memory corruption in the Linux kernel's MediaTek power-domain (pmdomain) driver stems from a use-after-free in scpsys_get_bus_protection_legacy(), where a device node is released via of_node_put() before the error path dereferences it in dev_err_probe(). Affecting kernels using the MediaTek SCPSYS legacy bus-protection code path (typically ARM/ARM64 MediaTek SoC platforms), a local low-privileged attacker able to influence the probe error path could corrupt freed kernel memory, with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.02%, 4th percentile).
Out-of-bounds array write in the Linux kernel's ath5k wireless driver allows a stray write of a -1 sentinel value into adjacent struct memory when ts_final_idx reaches 3 on Atheros 5212 chipsets. The kernel maintainers and the original reporter explicitly describe the impact as negligible, as the only field overwritten is info->status.ack_signal, with no public exploit identified at time of analysis and an EPSS score of 0.02% (7th percentile).
Denial of service in the Linux kernel flow dissector allows remote attackers to trigger an unaligned access exception by sending crafted PPPoE Protocol Field Compression (PFC) frames to an Ethernet interface on alignment-sensitive architectures such as MIPS. The flaw affects kernels from 6.0 onward where Receive Packet Steering (RPS) or similar features invoke the flow dissector on incoming frames, and no PPPoE session needs to be active on the targeted interface. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the vendor has released patched kernel versions.
NULL pointer dereference in the rtl8723bs staging WiFi driver crashes the Linux kernel when memory allocation fails in rtw_cbuf_alloc(). Systems running Linux 7.0 with an RTL8723BS chipset and the staging driver loaded are affected; a local low-privileged user can trigger a kernel panic resulting in denial of service. No public exploit exists and EPSS at 0.02% (5th percentile) reflects negligible real-world exploitation probability.
Denial of service in the Linux kernel's NVMe-over-TCP target (nvmet_tcp) module allows remote initiators to trigger a recursive nvmet-wq workqueue flush during controller teardown, producing a lockdep-flagged deadlock condition in nvmet_ctrl_free(). The flaw affects systems exposing NVMe-TCP targets where controller release work and async_event_work are both queued on the same nvmet workqueue. EPSS is 0.02% (7th percentile) and there is no public exploit identified at time of analysis; vendor patches have been issued across multiple stable branches.
Out-of-bounds disk read in the Linux kernel ISO 9660 filesystem (isofs) Rock Ridge handler allows narrow information disclosure when a crafted ISO image is mounted. The rock_continue() function trusted the CE continuation extent block number from the on-disk Rock Ridge record and passed it to sb_bread() without bounds checking against the volume size, so a malicious ISO can cause the kernel to read blocks belonging to an adjacent filesystem on the same block device and surface their contents through readlink() on SL sub-records. EPSS is 0.02%, no public exploit identified at time of analysis, and the issue is not on CISA KEV.
Local denial-of-service in the Linux kernel's SELinux subsystem allows any low-privileged local process to monopolize the `/sys/fs/selinux/policy` file descriptor, blocking all other processes from reading the active kernel policy. The root cause is a `policy_opened` flag that enforced a single-open restriction on the SELinux policy pseudofile - originally intended to prevent inconsistent reads or unbounded kernel memory allocation, but which also created a trivial resource-starvation primitive. No active exploitation has been identified (not in CISA KEV), and the EPSS score of 0.02% places this in the 5th percentile for exploitation likelihood.
Local privilege escalation and memory corruption in the Linux kernel's topcliff-pch (pch_spi) SPI master driver arises from a use-after-free triggered when the driver is unbound, because DMA buffers are released before the driver's transfer queue is flushed. An attacker with the ability to unbind the device can cause the freed DMA buffers to be accessed by in-flight SPI transfers, yielding CWE-416 memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis, and the EPSS probability is negligible (0.02%), consistent with an obscure, hardware-specific driver rather than a broadly exploitable flaw.
Local denial of service in the Linux kernel hfsplus filesystem driver occurs when hfsplus_fill_super() fails to release tree->tree_lock on an error path during HFS+ mount, causing a 'held lock freed' warning and potential lockdep-detected kernel instability. The flaw affects systems with CONFIG_HFSPLUS_FS enabled and is triggered when hfsplus_cat_build_key() returns an error during superblock initialization. No public exploit identified at time of analysis, and EPSS is very low (0.02%).
Deadlock vulnerability in the Linux kernel's pseries/papr-hvpipe subsystem allows a local low-privileged attacker on IBM pSeries Power Architecture systems to cause a kernel deadlock by triggering a race between the ioctl or release handler and a hardware interrupt firing on the same CPU. Exploitation is architecture-specific, requiring IBM PAPR hardware with the hvpipe driver loaded, and results in an availability-only denial-of-service. No public exploit exists and EPSS probability stands at 0.02%, consistent with a narrow attack surface; vendor-released patches are confirmed available for Linux 7.0.7, 7.1-rc3, and the 6.18 stable branch.
Improper interrupt registration in the Linux kernel's libwx network driver causes a kernel WARNING when VF (Virtual Function) misc interrupts are initialized, resulting in high availability impact on affected systems. The libwx driver incorrectly calls request_threaded_irq() with a primary handler, a NULL threaded handler, and the IRQF_ONESHOT flag - an invalid combination flagged as a WARNING by the kernel interrupt management subsystem since commit aef30c8d569c. Exploitation requires local access with low privileges on a system equipped with a Wangxun VF NIC using the libwx driver; no public exploit code exists and EPSS is negligible at 0.02%.
NULL pointer dereference in the Linux kernel's s3c64xx SPI driver triggers a kernel crash on driver unbind, allowing a local low-privileged attacker to cause a denial of service. The flaw affects systems equipped with Samsung S3C64xx-series SoC hardware running unpatched kernel versions from 6.0 onward. No public exploit code exists and EPSS probability sits at 0.02%, but the crash is deterministic once the driver unbind sequence is triggered on vulnerable hardware. No active exploitation (CISA KEV) has been identified.
KVM/x86 on Linux exposes a race condition in interrupt request register (IRR) scanning that causes incorrect reporting of the highest pending interrupt in nested virtualization scenarios. Specifically, when PID.ON is set by a sender vCPU after the target vCPU has already harvested and cleared the PIR, a second call to vmx_sync_pir_to_irr() observes an empty PIR and returns max_irr=-1 without scanning the IRR, producing a spurious kernel WARNING in vmx_check_nested_events() and a wasted L2 VM-Enter/VM-Exit cycle. The interrupt itself is not lost - it resides in the IRR from the first sync - but the incorrect max_irr triggers the assertion. No public exploit exists and EPSS is 0.02%, consistent with the highly localized, timing-dependent nature of this defect.
Out-of-bounds kernel memory write in the Linux kernel device-mapper ioctl subsystem (dm-ioctl) affects the retrieve_status function, where an unchecked align_ptr() call on the output pointer can advance it past the end of the caller-supplied buffer, causing a wrapped-around 'remaining' length calculation and subsequent overflow writes. Exploitation requires local privileges to issue device-mapper ioctls (root/CAP_SYS_ADMIN), and there is no public exploit identified at time of analysis; EPSS is negligible at 0.03% (9th percentile). The upstream maintainers explicitly note the flaw has no practical security impact because only root can trigger it and standard libraries (libdevmapper, devicemapper-rs) use 8-byte-aligned buffers that never overshoot.
Out-of-bounds memory access in the Linux kernel's Microchip PolarFire SoC clock conditioning circuit driver (clk-mpfs-ccc) occurs during registration of the final clock outputs, because the driver's hws array is sized only for two PLLs and their four dividers while the defined clock IDs also enumerate two unsupported DLLs and their outputs. On affected Microchip PolarFire SoC hardware this leads to reads past the allocated array (flagged by UBSAN), enabling information disclosure or a kernel crash. There is no public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%).
Missing resource cleanup in the Linux kernel's generic power domain (genpd) subsystem causes runtime PM to remain enabled for virtual devices after detach, leading to a NULL pointer dereference in genpd_runtime_suspend() and local denial of service. The flaw affects systems where drivers use genpd_dev_pm_attach_by_id() - predominantly ARM and SoC-based platforms - since the balancing pm_runtime_disable() call is absent from genpd_dev_pm_detach(). No public exploit exists and EPSS at 0.02% (5th percentile) confirms negligible exploitation probability; this is not listed in CISA KEV.
Sensitive HMAC key material is exposed through kernel debug logging in the Linux kernel's CAAM (Cryptographic Acceleration and Assurance Module) crypto driver. On systems with CONFIG_DYNAMIC_DEBUG enabled and debug output activated for the caam module at runtime, calls to hash_digest_key() emit raw HMAC key bytes via hex dump into the kernel log, allowing any local attacker with debug log read access to extract cryptographic secrets. No public exploit code has been identified and EPSS probability is 0.02%, though the confidentiality impact is severe if exploitation conditions are met. The provided CVSS vector (C:N/A:H) appears to misclassify this as an availability issue rather than a confidentiality issue - see confidence notes.
Linux kernel x86 EFI runtime service fault handling panics instead of recovering gracefully on systems with buggy EFI firmware, following the FPU softirq changes introduced in commit d02198550423. When kernel_fpu_begin() began using local_bh_disable() in place of preempt_disable(), SOFTIRQ_OFFSET is set in preempt_count for the duration of EFI runtime service calls, causing in_interrupt() to return true in normal task context - which causes efi_crash_gracefully_on_page_fault() to bail unconditionally, escalating to panic(). On hardware where EFI firmware (e.g., GetTime()) accesses unmapped memory, this produces an unrecoverable system freeze. No public exploit identified at time of analysis; EPSS is 0.02%, confirming no observed exploitation activity.
Incorrect length calculation in the Linux kernel's lib/scatterlist extract_kvec_to_sg helper can produce scatterlist entries that cross page boundaries, leading to memory corruption or out-of-bounds access in kernel code paths that build scatterlists from kvecs (originally introduced in v6.3, moved to lib/scatterlist.c in v6.5). The flaw is patched upstream across the 6.6, 6.12, 6.18 and 7.0/7.1 stable trees, with no public exploit identified at time of analysis and a very low EPSS probability of 0.02%.
Use-after-free in the Linux kernel's Open Firmware (OF) device-tree unit test code (of_unittest_changeset) allows reads of freed memory when the unit test path executes. The flaw lives in selftest code (drivers/of/unittest.c) reachable only when CONFIG_OF_UNITTEST is built in and the test runs, making real-world impact narrow. EPSS is 0.02% (5th percentile) and there is no public exploit identified at time of analysis; the bug has been fixed upstream and backported to stable trees.
Missing RTNL lock acquisition in the txgbe network driver causes a kernel assertion warning during module removal on systems with Wangxun copper NICs with external PHY. When `rmmod txgbe` is executed, `phylink_disconnect_phy()` fires an `ASSERT_RTNL()` check at `drivers/net/phy/phylink.c:2351` because the driver's remove path neglects to hold the RTNL mutex, producing a kernel WARNING and degrading system availability. No public exploit exists and EPSS is 0.02% (5th percentile); this is a stability regression rather than a remotely exploitable flaw, affecting a narrow hardware-specific code path.
Array out-of-bounds read in the Linux kernel's Qualcomm Light Pulse Generator (qcom-lpg) LED driver allows a local low-privileged user to crash the kernel via denial of service on affected Qualcomm SoC-based systems. The flaw stems from using FIELD_GET() to extract a 3-bit register value (range 0-7) as an index into an array with only 5 elements, enabling reads beyond array bounds and subsequent hardware misconfiguration or kernel panic. No public exploit has been identified and EPSS stands at the 5th percentile, placing this firmly in lower-priority triage despite the technically High availability impact per CVSS.
Local memory corruption in the Linux kernel's mtd/docg3 M-Systems DiskOnChip driver occurs when docg3_release() dereferences a docg3 pointer already freed by doc_release_device() (kfree at line 1881), a CWE-416 use-after-free reachable during device teardown. Only systems that load the docg3 driver for DiskOnChip G3 flash hardware are affected. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%, 7th percentile), and the issue is not in CISA KEV; it has been fixed upstream across multiple stable branches.
NULL pointer dereference in the Linux kernel's HugeTLB early boot parameter parser causes a system crash before the OS fully initializes. Specifically, `hugetlb_add_param()` in `mm/hugetlb` dereferences a NULL pointer via `strlen()` when `hugepages`, `hugepagesz`, or `default_hugepagesz` kernel command line parameters are supplied without a '=' separator, producing a boot-time kernel panic. The impact is a complete denial of service - the system fails to boot until the malformed parameter is corrected. No public exploit or CISA KEV listing exists; EPSS stands at 0.02% (5th percentile), reflecting very low observed exploitation activity. Patches are available in Linux 6.18.27, 7.0.4, and 7.1-rc1, with Ubuntu distributing fixes via USN-8489-1 and USN-8488-1.
Sensitive cryptographic material-HMAC session keys, nonces, and passphrase data held in struct tpm2_auth-is left in freed slab memory when a TPM device is released via tpm_dev_release() in Linux kernels from 6.10 onward, because that code path uses kfree() rather than kfree_sensitive(). Every other tear-down path in the same TPM driver (tpm2_end_auth_session() and tpm_buf_check_hmac_response()) already calls kfree_sensitive(), making this an isolated inconsistency. No public exploit exists and EPSS is 0.02% (5th percentile), but in high-assurance environments where TPM-backed key confidentiality is mandatory the residual key material is a meaningful exposure until overwritten by subsequent allocations.
NULL pointer dereference in the Linux kernel's admv1013 IIO frequency driver crashes the kernel when device_property_read_string() fails during device initialization, leaving a garbage pointer subsequently passed to strcmp(). A local low-privileged user on a system with ADMV1013 microwave upconverter hardware can reliably trigger a kernel panic, resulting in a complete denial of service. No public exploit exists and EPSS sits at 0.02% (5th percentile), but vendor-released patches are available across multiple stable kernel branches including 6.12.86 and 7.0.4.
Out-of-bounds write in the Linux kernel's vmalloc subsystem (vrealloc_node_align()) lets a local low-privileged actor trigger heap memory corruption when a vmalloc-backed object is shrunk while also forcing reallocation for NUMA-node or alignment reasons. Introduced by commit 4c5d3365882d in the 6.18 development series and carried into stable trees, the flaw causes the code to memcpy the old (larger) size into a smaller new buffer. There is no public exploit identified at time of analysis and EPSS is very low (0.02%), reflecting a subsystem-internal bug rather than a broadly reachable network attack surface.
Use-after-free in the Linux kernel's HMM (Heterogeneous Memory Management) test driver (lib/test_hmm) allows local users to trigger a kernel panic and potentially escalate privileges when device private pages are faulted in after the dmirror file descriptor is closed. The flaw was discovered during arm64 selftest runs where a SIGABRT coredump walked stale VMAs and dereferenced a dangling zone_device_data pointer. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the bug is fixed upstream across multiple stable trees.
Improper handling of allocation-profiling codetags in the Linux kernel's mm/alloc_tag subsystem causes an 'alloc_tag was not set' WARNING when pages allocated before page_ext initialization are later freed, because their codetag reference was never set. This affects local systems running kernels built with the debug option CONFIG_MEM_ALLOC_PROFILING_DEBUG and with mem_profiling_compressed disabled, and is triggered by ordinary boot-time activity (e.g. KASAN quarantine reclaim freeing early-allocated pages). It is classified under CWE-415 (double free) but the observed effect is a kernel warning splat; there is no public exploit identified at time of analysis and EPSS is negligible (0.02%).
NULL pointer dereference in the Linux kernel's drm/imagination (PowerVR GPU) driver crashes the kernel when a local user writes to the ftrace mask debugfs entry. Affected kernels range from the introduction of the drm/imagination driver at commit a331631496a0af9a6f4e7e1860983afd8b1bb013 through Linux 7.0, with fixes landed in 7.0.4 and 7.1-rc2. An attacker with local access and write permission to the debugfs interface can trigger a kernel Oops, resulting in a full system crash and denial of service. No public exploit exists and EPSS is 0.02%, consistent with the narrow hardware scope (Imagination Technologies PowerVR GPUs) and local-only attack surface.
Use-after-free in the Linux kernel's mm/zone_device subsystem allows local attackers with low privileges to corrupt memory or escalate privileges by exploiting a race where a device folio is accessed after the driver's ->folio_free() callback has already reallocated it with a potentially different order. The flaw affects systems using ZONE_DEVICE memory (typically with DAX, HMM, or GPU/accelerator drivers exposing device-backed folios) and carries a 7.8 CVSS with low EPSS (0.02%, 5th percentile), indicating high theoretical impact but no public exploit identified at time of analysis.
Kernel panic in the Linux amdgpu DRM driver exposes systems running RDNA4 hardware (e.g., AMD RX 9070 XT) to a denial-of-service condition during driver initialization, but only when the kernel is compiled with CONFIG_DRM_DEBUG_MM enabled. The RDNA4 architecture (GFX 12) removed the GDS, GWS, and OA on-chip memory resources entirely; however, amdgpu_ttm_init() unconditionally invokes amdgpu_ttm_init_on_chip() for these resources regardless of size, ultimately calling drm_mm_init(mm, 0, 0), which triggers DRM_MM_BUG_ON and crashes the kernel at modprobe time. No public exploit exists and EPSS sits at 0.02% (7th percentile), consistent with a hardware-specific, debug-config-dependent crash rather than a remotely triggerable attack surface.
Use-After-Free and race conditions in the Linux kernel's Bluetooth hci_uart driver (drivers/bluetooth/hci_uart.c) enable a local low-privileged user to corrupt kernel heap memory, potentially escalating to root. The flaw stems from improper lifecycle management of the hci_uart struct and its associated workqueues: when a TTY hangup interrupts Bluetooth UART initialization before HCI_UART_PROTO_READY is set, teardown skips workqueue cancellation, leaving deferred work items to dereference freed memory. Three compounding sub-issues - a tx_skb double-free, a vendor callback UAF via premature hci_free_dev(), and proto_lock races during error paths - are all resolved in patched stable releases. No public exploit is known and EPSS at 0.02% (7th percentile) signals low near-term exploitation probability despite the CVSS 7.8 rating.
Local privilege escalation via use-after-free in the Linux kernel io_uring io-wq worker subsystem allows an unprivileged local user to corrupt kernel memory and potentially execute arbitrary code in kernel context. The flaw lives in io_wq_remove_pending(), where a missing io_wq_is_hashed() check on the predecessor work item lets a non-hashed io_kiocb be recorded in wq->hash_tail[0]; after that request is freed back to req_cachep, the stale pointer is dereferenced on the next hashed bucket-0 enqueue. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug is reachable from any process that can issue io_uring syscalls.
Denial-of-service in the Linux kernel's DRM VKMS (Virtual Kernel Mode Setting) subsystem arises from an improperly managed custom hrtimer used for vblank timing, replaced in the fix by DRM's standard vblank timer implementation. Local users with low-privileged access to the VKMS device can trigger a kernel availability failure - likely a crash or hang - due to the divergent timer lifecycle in struct vkms_output. EPSS is negligible at 0.02% and no active exploitation is confirmed; this is a low-urgency kernel hardening fix affecting development and CI-focused deployments.
Type confusion in OP-TEE OS versions 4.3.0 through 4.10.x allows a highly privileged local attacker operating in the normal world to crash the Trusted Execution Environment by submitting a malformed FFA_MEM_SHARE request, resulting in denial of service of all secure services hosted in the TEE. Exploitation is gated behind a non-default build configuration requiring both CFG_CORE_SEL1_SPMC=y and CFG_SECURE_PARTITION=y, substantially narrowing the affected population to deployments using OP-TEE as an S-EL1 Secure Partition Manager Core. No public exploit code has been identified and the vulnerability is absent from the CISA KEV catalog; the CVSS score of 4.4 (Medium) reflects these real-world constraints accurately.
Private ECDH key recovery in OP-TEE prior to version 4.11.0 is achievable by a local attacker who can invoke TEE_DeriveKey with approximately 30-40 crafted public key values lying off the target elliptic curve. Because the implementation omits point validation - failing to verify that (X, Y) satisfies Y^2 ≡ X^3 + aX + b mod P for the specified curve - each malformed call leaks a residue d mod r, where d is the private key and r is the order of the attacker-chosen invalid curve. Accumulated residues allow full private key reconstruction via the Chinese Remainder Theorem. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the underlying invalid curve attack technique is well-documented in cryptographic literature and reproducible by any skilled attacker with local access.
Use-after-free race condition in OP-TEE OS versions 3.16.0 through 4.10.x enables local low-privileged attackers to corrupt memory within the secure world when OP-TEE is built as an FF-A Secure Partition Manager Core (SPMC) for S-EL0 Secure Partitions. The flaw stems from missing lock acquisition in sp_mem_remove() during shared-memory teardown, allowing concurrent threads to dereference freed sp_mem_map_region or sp_mem_receiver objects. No public exploit identified at time of analysis, but successful exploitation yields high confidentiality, integrity, and availability impact inside the Trusted Execution Environment.
Remote denial of service in the Linux kernel ibmveth driver on IBM Power systems allows attackers to freeze physical network adapters by transmitting GSO packets with an MSS below 224 bytes, halting all traffic until manual reset. The flaw affects multiple stable kernel branches and is fixed upstream, with no public exploit identified at time of analysis and an EPSS score of 0.02% (7th percentile) reflecting low expected exploitation volume despite the high CVSS of 8.6.
Race condition in the Linux kernel's CoreSight TMC-ETR (Trace Memory Controller, Embedded Trace Router) driver triggers a kernel WARN_ON() when sysfs and perf hardware tracing modes are enabled concurrently, resulting in a denial-of-service condition against the tracing subsystem. The sysfs enable path is split across two separate spinlock-protected critical sections, creating a window where perf mode can initialize drvdata->etr_buf between the sysfs buffer allocation and hardware enablement steps - causing tmc_etr_enable_hw() to encounter an already-initialized pointer and fire WARN_ON(). No public exploit exists and EPSS is 0.02% (4th percentile), indicating near-zero real-world exploitation probability; patched kernel versions 6.18.14, 6.19.4, and 7.0 are available.
Denial of service in the Linux kernel ath12k Wi-Fi driver affects systems using Qualcomm WCN7850 chipsets with multi-link operation (MLO) connections. When Wake-on-WLAN (WoW) offloads are configured on both primary and secondary links during a multi-link connection, the WCN7850 firmware crashes, disrupting wireless connectivity. EPSS exploitation probability is very low (0.02%, 4th percentile) and no public exploit identified at time of analysis, suggesting this is primarily a stability/reliability fix rather than a security priority.