Skip to main content

Linux

12819 CVEs vendor

Monthly

CVE-2026-46270 HIGH PATCH This Week

Use-after-free in the Linux kernel's rt9455 power supply driver allows local attackers to trigger memory corruption or system crashes via a race condition during driver probe or removal. The flaw stems from incorrect ordering of devm_-managed resource allocation, where the IRQ handler can fire against a freed or uninitialized power_supply handle. EPSS is very low (0.02%, 7th percentile) and no public exploit is identified at time of analysis, but the CVSS score of 8.4 reflects high impact on confidentiality, integrity, and availability for systems shipping the rt9455 Richtek battery charger driver.

Denial Of Service Linux Memory Corruption Use After Free Red Hat +1
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-46269 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's Canaan K230 pinctrl driver causes a local denial of service during device tree parsing. Specifically, k230_pinctrl_parse_functions() dereferences info->pctl_dev->dev before info->pctl_dev is initialized, triggering a kernel panic on systems using the K230 SoC. A low-privileged local attacker on affected hardware can crash the kernel, fully denying system availability. No public exploit code exists and EPSS of 0.02% (5th percentile) indicates minimal exploitation probability; however, the straightforward trigger condition and kernel-crash impact warrant prompt patching on K230-based deployments.

Denial Of Service Null Pointer Dereference Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46268 MEDIUM PATCH This Month

Inverted debug assertion in the Linux kernel PCI/P2PDMA subsystem triggers a spurious kernel warning in p2pmem_alloc_mmap() when CONFIG_DEBUG_VM is enabled, resulting in high availability impact on affected systems. The root cause is a stale VM_WARN_ON_ONCE_PAGE condition that was not updated after commit b7e282378773 changed the initial page refcount from one to zero, causing the assertion to fire on every valid P2PDMA allocation. Authenticated local users with access to P2PDMA-capable hardware can exploit this on debug-compiled kernels to cause denial of service; no public exploit exists and EPSS is 0.02% (4th percentile), reflecting negligible real-world exploitation likelihood.

Denial Of Service Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46267 HIGH PATCH This Week

Use-after-free in the Linux kernel NFC HCI SHDLC subsystem allows local low-privileged attackers to corrupt memory and potentially escalate privileges by triggering teardown races against active timers and queued work items. The flaw exists because llc_shdlc_deinit() purges SHDLC skb queues and frees the llc_shdlc structure while timers and the sm_work state-machine handler may still execute concurrently. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the high-impact CVSS (7.8) reflects full CIA compromise on successful exploitation.

Information Disclosure Use After Free Memory Corruption Linux Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46266 CRITICAL PATCH Act Now

Remote manipulation of the Linux kernel's IPv4 routing cache is possible through RAW sockets bound to IPPROTO_RAW (protocol 255), where a malicious incoming ICMP packet whose inner header advertises protocol 255 will be matched to the socket and trigger FNHE (Forwarding Next Hop Exception) cache changes. The flaw affects Linux systems where a process has opened a RAW socket on protocol 255, and remote attackers can use crafted ICMP fragmentation-needed messages to influence routing decisions. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but the CVSS 9.1 reflects high integrity and availability impact via unauthenticated network reachability.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-46265 HIGH PATCH This Week

Denial-of-service condition in the Linux kernel's HNS RoCE (RDMA over Converged Ethernet) driver affects systems using HiSilicon RDMA hardware alongside SUNRPC/NFS-over-RDMA workloads. The hns_roce_irq_workq workqueue lacks the WQ_MEM_RECLAIM flag while being flushed during QP (Queue Pair) destruction from a memory-reclaim context, triggering a kernel warning and potential stall during RDMA transport reset. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-46264 HIGH PATCH This Week

Local privilege escalation potential exists in the Linux kernel's Intel Xe DRM driver (drm/xe/pf) due to a sysfs initialization ordering bug in SR-IOV Physical Function setup, where a failed devm_add_action_or_reset() call invokes kobject_put() on an uninitialized kobject, triggering refcount underflow and use-after-free conditions. The flaw affects Linux kernel 6.19 prior to the 6.19.4 stable patch and has been resolved upstream; no public exploit identified at time of analysis and EPSS rates exploitation probability at only 0.02%.

Information Disclosure Linux Use After Free Memory Corruption Red Hat +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-46263 HIGH PATCH This Week

Out-of-bounds array access in the Linux kernel's AMD GPU display driver (drm/amd/display) allows local privileged users to trigger memory corruption via the dcn35_stream_encoder_create() function when eng_id equals ENGINE_ID_DIGF (value 5) or is negative, indexing past the 5-element stream_enc_regs[] array. The flaw stems from a faulty boundary check using <= instead of <, and no public exploit has been identified at time of analysis with an EPSS score of 0.02% (5th percentile) indicating very low exploitation probability.

Amd Buffer Overflow Linux Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46262 MEDIUM PATCH This Month

Deadlock in the Linux kernel's ASoC fsl_xcvr audio driver causes a hung task and denial of service on NXP i.MX hardware. The defect was introduced by a prior patch (commit f51424872760) that erroneously added a read lock acquisition on controls_rwsem inside fsl_xcvr_mode_put(), unaware that the caller snd_ctl_elem_write() already holds the write lock on that same semaphore for the duration of the put operation. A local user with low privileges who triggers an ALSA control write on an affected system can induce an unresolvable deadlock. No public exploit exists and EPSS is 0.02%, reflecting very low real-world exploitation probability.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46261 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's SPI WPCM FIU driver allows a local low-privileged attacker to crash the kernel via a denial-of-service condition. The wpcm_fiu_probe() function passes the return value of platform_get_resource_byname() directly to resource_size() without validating against NULL, meaning if the named resource is absent the kernel dereferences a NULL pointer and panics. No public exploit exists and no active exploitation is confirmed; EPSS of 0.02% (5th percentile) reflects the narrow, hardware-specific attack surface.

Denial Of Service Null Pointer Dereference Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46260 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's IPv6 routing subsystem (fib6_add_rt2node) allows a local user with network configuration privileges to trigger memory corruption when adding routes that use the RTA_NH_ID nexthop attribute. The flaw was discovered by syzkaller and confirmed via KASAN slab-out-of-bounds reports. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the bug is in mainline kernel code paths reachable through netlink and is fixed across multiple stable trees.

Debian Buffer Overflow Linux Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46259 HIGH PATCH This Week

Use-after-free in the Linux kernel's procfs subsystem allows a local low-privileged attacker to potentially trigger memory corruption when reading /proc/[pid]/stat due to missing RCU protection around task->real_parent access in do_task_stat(). The race condition occurs when a parent task is released concurrently with another process reading its stat file, leading to a UAF dereference. No public exploit identified at time of analysis, and EPSS scoring is very low (0.02%, 7th percentile), indicating limited expected exploitation activity.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46258 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's GPIO character device subsystem (gpio/cdev) allows a local, low-privileged user to crash the kernel via a denial-of-service. In linehandle_create(), the macro retain_and_null_ptr(lh) sets lh to NULL, but a subsequent debug printout immediately dereferences that same pointer - triggering a kernel panic. No public exploit has been identified at time of analysis, and EPSS indicates very low exploitation probability at 0.02% (5th percentile), consistent with a local-access-only DoS with no code execution or data exposure component.

Denial Of Service Null Pointer Dereference Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46257 MEDIUM PATCH This Month

Local denial-of-service via kernel Oops in the Linux kernel SP804 timer driver on ARM32 platforms when read_current_timer() dereferences an uninitialized sched_clkevt pointer. Affected systems are those where sp804_clocksource_and_sched_clock_init is invoked without use_sched_clock=1, yet sp804_register_delay_timer is still called unconditionally - creating the conditions for a NULL/uninitialized pointer access in sp804_read(). EPSS is 0.02% (5th percentile), no KEV listing exists, and no public exploit has been identified, placing this as low operational priority outside specialized ARM32 embedded deployments.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46256 MEDIUM PATCH This Month

Denial-of-service via recursion deadlock in the Linux kernel's NFS LOCALIO subsystem when direct memory reclaim occurs on systems using loopback NFS mounts. The LOCALIO optimization - which bypasses network I/O when NFS client and server share the same host - fails to restrict its page cache allocations to GFP_NOFS context, allowing the kernel memory allocator to re-enter NFS via nfs_writepages during reclaim (path: NFS LOCALIO → XFS → NFS), producing a deadlock and kernel hang. No public exploit exists and EPSS stands at 0.02% (4th percentile), consistent with a kernel subsystem defect that requires a specific local configuration rather than a broadly exploitable condition. Vendor-released patches are available across stable kernel branches.

Buffer Overflow Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46255 MEDIUM PATCH This Month

Double-disable of managed clocks in the Linux kernel's fsl-edma (Freescale/NXP eDMA) DMA engine driver triggers kernel WARN_ON warnings during driver removal, causing an availability impact on affected systems. The bug originates from commit a9903de3aa16731846bf924342eca44bdabe9be6, where clocks allocated via devm_clk_get_enabled() - which automatically handles teardown - are also manually disabled in fsl_edma_remove(), resulting in a 'already disabled/unprepared' warning for each clock. No public exploit has been identified at time of analysis, and EPSS is 0.02% (5th percentile), reflecting the low likelihood of targeted exploitation of this kernel quality defect.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46254 MEDIUM PATCH This Month

Unaligned memory access in the Linux Kernel's AppArmor DFA table parser causes a denial of service on strict-alignment architectures. AppArmor's deterministic finite automaton (DFA) policy tables, which can originate from either kernel or userspace via apparmor_parser, lack guaranteed 8-byte alignment; on architectures that fault or warn on unaligned access (confirmed via SPARC call trace in the description), loading AppArmor profiles triggers a kernel WARNING at security/apparmor/match.c:316 and fails profile loading. No public exploit exists and no KEV listing is present; EPSS is 0.02% (5th percentile), consistent with a low-severity, architecture-specific, local-only issue.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46253 HIGH PATCH This Week

Heap buffer overflow in the Linux kernel's pstore/ram subsystem (persistent_ram_save_old function) allows local attackers with low privileges to trigger out-of-bounds writes and reads when the ramoops buffer size grows across boot cycles. The flaw affects Linux kernel versions from 3.5 onward and carries a CVSS 7.8 (High) rating, though exploitation requires a highly improbable chain of conditions across reboots. No public exploit identified at time of analysis, and EPSS is very low at 0.03%.

Buffer Overflow Linux Memory Corruption Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46252 MEDIUM PATCH This Month

Improper locking in the Linux kernel regulator subsystem's `regulator_resolve_supply()` error path allows a local low-privileged attacker to trigger a kernel crash or denial of service. The error path invokes `_regulator_put()` without holding the required `regulator_list_mutex`, producing a lockdep warning and exposing an unguarded concurrent access window when clearing the `rdev` supply pointer. No public exploit has been identified at time of analysis, and with an EPSS of 0.02% (5th percentile), real-world exploitation probability is very low.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46251 HIGH PATCH This Week

Linked-list corruption in the Linux kernel's btrfs filesystem allows a local user with btrfs write access to trigger memory corruption and a transaction abort when EXTENT_TREE_V2 incompat flag is enabled. The flaw stems from the block group tree being added twice to the switch_commits list, corrupting prev/next pointers and ultimately leading to filesystem inconsistency. No public exploit identified at time of analysis and EPSS probability is low at 0.02%, but the CVSS 8.4 reflects high local impact on confidentiality, integrity, and availability.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-46250 HIGH PATCH This Week

Denial of service in the Linux kernel's MIPS architecture support affects builds compiled with LLVM/Clang versions 18 through 21, where the compiler incorrectly restores the $gp global register variable in the relocate_kernel() epilogue. The result is that __current_thread_info points to the unrelocated kernel address space, causing an immediate NULL-pointer dereference in init_idle during early boot and a panic before userspace ever starts. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the issue is a boot-time crash rather than a remotely triggerable flaw.

Denial Of Service Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-46249 MEDIUM PATCH This Month

Kernel crash in the Linux octeontx2-af driver exposes Marvell OcteonTX2 systems to a denial-of-service condition triggered by kexec reboots when both AF and PF drivers are loaded as modules. Because kexec does not power-cycle hardware, the RVUM block revision register retains its pre-reboot value; the PF driver misinterprets this stale register value as confirmation that AF initialization is complete and proceeds to access hardware state that has not yet been reinitialized in the new kernel, producing a kernel panic. No public exploit exists and EPSS is 0.02% (7th percentile), confirming this is a niche reliability defect in a specific hardware/driver configuration rather than an adversarially weaponizable flaw.

Denial Of Service Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46248 MEDIUM PATCH This Month

Stale link mapping in the ath12k Wi-Fi 7 driver causes a kernel WARN_ON condition when MLO (Multi-Link Operation) connection preparation fails mid-initialization, leaving ahvif->links_map in an inconsistent state. Systems running the Linux kernel with Qualcomm ath12k hardware (e.g., QCN9274) are affected across stable branches through 6.18.13, 6.19.3, and pre-7.0 releases. A local low-privileged user capable of triggering repeated MLO authentication failures can induce kernel warning conditions, resulting in high availability impact with no public exploit identified at time of analysis.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46247 MEDIUM PATCH This Month

Kernel crash (denial of service) affects Qualcomm GFX3D GPU clock management on ARM64 Linux systems running vulnerable kernel versions. A regression introduced by commit d228ece36345 ('clk: divider: remove round_rate() in favor of determine_rate()') left the best_parent_hw field unpopulated in parent_req during GFX3D clock rate determination, causing a NULL dereference crash triggered by normal GPU devfreq monitoring. A local low-privileged user on a Qualcomm MSM/Snapdragon device can induce this crash through GPU frequency scaling activity. No public exploit exists and EPSS is 0.02%, consistent with a narrow hardware-specific bug rather than broadly exploitable vulnerability.

Denial Of Service Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46246 HIGH PATCH This Week

Use-after-free in the Linux kernel's pm8916_lbc power supply driver allows a local attacker to potentially trigger memory corruption or kernel crashes during device removal. The flaw stems from incorrect ordering of devm_-managed resources: the extcon handle is freed before the IRQ is unregistered, leaving a window where the IRQ handler invokes extcon_set_state_sync() on freed memory. No public exploit identified at time of analysis, and EPSS rates exploitation probability at 0.02% (5th percentile), reflecting low real-world attacker interest in this driver-specific race.

Denial Of Service Use After Free Memory Corruption Linux Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46245 MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's AMD GPU display driver (drm/amd/display) crashes the kernel during Hot Plug Detection (HPD) initialization on systems with AMD GPUs. The amdgpu_dm_hpd_init() function assigns dc_link from a connector but then unconditionally dereferences it at line 940 of amdgpu_dm_irq.c without first confirming it is non-NULL - connectors lacking a valid dc_link trigger a kernel NULL dereference. Exploitation requires local, low-privileged access to a system with an affected AMD GPU; no public exploit has been identified at time of analysis and EPSS probability is 0.02% (5th percentile), indicating very limited real-world exploitation pressure.

Denial Of Service Null Pointer Dereference Amd Linux Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71314 MEDIUM PATCH This Month

Denial of service in the Linux kernel's DRM Panthor GPU driver allows a local authenticated user to trigger an unrecoverable system hang via a blocked GPU memory subsystem. Specifically, when `panthor_gpu_flush_caches()` times out due to a blocked memory subsystem - a condition inducible through buggy GPU jobs submitted by user-mode drivers (UMD) - the driver previously had no recovery path, causing indefinite waits and system unavailability. The fix introduces timeout-aware reset scheduling and immediate -EIO short-circuiting for queued flush operations after a failure, but until patched, the condition is exploitable by any local user with access to the GPU device. No public exploit code exists and EPSS is extremely low (0.02%), consistent with a niche hardware-specific local DoS.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71313 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's PCI endpoint NTB driver allows an authenticated local attacker to crash the kernel (denial of service) by triggering a memory allocation failure during driver initialization. The missing NULL check after `alloc_workqueue()` in `epf_ntb_epc_init()` causes a subsequent `queue_work()` call to dereference a NULL pointer, resulting in a kernel panic. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects the narrow hardware-specific attack surface; this is not confirmed actively exploited (CISA KEV absent).

Denial Of Service Null Pointer Dereference Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46244 CRITICAL PATCH Act Now

Firewall bypass in the Linux kernel's netfilter nft_inner module (versions 6.2 and later) allows remote attackers to forge transport headers in tunneled IPv6 packets due to a desynchronization between the computed inner transport header offset and the parsed L4 protocol. The flaw enables crafted IPv6 packets carrying extension headers to evade nftables inner-payload matching rules, with no public exploit identified at time of analysis and an EPSS score of 0.02% indicating negligible observed exploitation activity.

Authentication Bypass Linux Memory Corruption
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-46243 HIGH PATCH This Week

Local privilege escalation in the Linux kernel's SMB/CIFS client allows unprivileged userspace processes to forge cifs.spnego keys via add_key(2) or request_key(2), supplying attacker-controlled pid, uid, creduid, and upcall_target fields that cifs.upcall trusts as kernel-originated. Successful exploitation enables impersonation of CIFS credential negotiation, leading to high confidentiality, integrity, and availability impact on systems mounting SMB shares. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Linux Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46242 HIGH PATCH This Week

Local privilege escalation in the Linux kernel eventpoll (epoll) subsystem stems from a use-after-free in ep_remove() where file->f_ep is cleared but the file pointer continues to be used inside the f_lock critical section, allowing a concurrent __fput() to free the underlying struct eventpoll and struct file. Successful exploitation yields an attacker-controllable kmem_cache_free() against the wrong slab cache, enabling memory corruption that can lead to high-integrity, high-confidentiality, and high-availability impact (CVSS 7.8). EPSS is very low (0.02%), no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure Linux Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-47337 LOW PATCH Monitor

NULL pointer dereference in Ubuntu Linux kernel SAUCE patches (versions 6.8, 6.17, and 7.0) allows an unprivileged local user to trigger a kernel oops, resulting in a denial of service. The flaw resides specifically in Ubuntu's out-of-tree SAUCE patches for AF_INET/AF_INET6 socket mediation - mainline Linux kernel builds are unaffected. No active exploitation is confirmed (not in CISA KEV), no public exploit has been identified at time of analysis, and the CVSS score of 3.3 (Low) accurately reflects the constrained impact: local access only, no confidentiality or integrity loss, and limited availability degradation.

Linux Ubuntu Null Pointer Dereference Denial Of Service
NVD VulDB
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-47335 MEDIUM PATCH This Month

Kernel panic via NULL pointer dereference in Ubuntu Linux 6.8's AppArmor notification handler allows a locally authenticated, unprivileged user to crash the system. The flaw resides in Ubuntu-specific SAUCE patches - out-of-tree modifications maintained by Canonical - meaning the vulnerable code path does not exist in upstream mainline kernels. With a CVSS score of 5.5 and an availability-only impact, the practical consequence is a local denial-of-service: any low-privilege user with shell access can force a kernel panic. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis.

Linux Ubuntu Null Pointer Dereference Denial Of Service
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-47334 MEDIUM PATCH This Month

Kernel availability loss in Ubuntu Linux 6.8, 6.17, and 7.0 can be triggered by any unprivileged local user via a defect in Ubuntu-specific AppArmor SAUCE patches, where notification handling code incorrectly sleeps while holding a spinlock. Violating this kernel locking invariant results in kernel panic or deadlock, causing a full system crash or hang. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low-complexity, low-privilege trigger conditions make it a realistic denial-of-service risk on any multi-user Ubuntu system running the affected kernel versions.

Linux Ubuntu Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-47327 LOW PATCH Monitor

NULL pointer dereference in Ubuntu Linux kernel versions 6.8, 6.17, and 7.0 allows a local unprivileged user to crash the kernel via the AppArmor notification handling path. The flaw exists exclusively in Ubuntu-specific SAUCE patches layered on top of the upstream Linux kernel, meaning only Ubuntu kernels carrying these versions are affected - not upstream Linux or other distributions. No public exploit code or active exploitation has been identified at time of analysis; the impact is limited to a kernel oops (availability loss, CVSS A:L), with no confidentiality or integrity impact.

Linux Ubuntu Null Pointer Dereference Denial Of Service
NVD VulDB
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-46241 HIGH PATCH This Week

Use-after-free in the Linux kernel SPI controller driver for Freescale MPC52xx (spi-mpc52xx) occurs when controller registration fails and the previously requested interrupts are not properly disabled or released, leaving dangling interrupt handlers tied to freed memory. Local users with the ability to load or interact with this SPI driver on affected systems could potentially trigger memory corruption or information disclosure. EPSS is 0.02% and there is no public exploit identified at time of analysis, but the issue is rated CVSS 7.8 due to high impact on confidentiality, integrity, and availability.

Linux Use After Free Memory Corruption Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46240 HIGH PATCH This Week

Local privilege escalation potential via use-after-free in Linux Kernel iris media driver affects kernels 6.18.16-6.18.31, 6.19.6-6.19.x, and 7.0 series prior to the fix commits. The flaw resides in iris_release_internal_buffers(), where session_release_buf() may free a buffer that the caller subsequently dereferences, a regression introduced by commit 1dabf00ee206. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but local low-privileged attackers on systems with the Qualcomm iris video accelerator driver could potentially leverage the freed-memory access.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46239 MEDIUM PATCH This Month

Runtime PM reference count leak in the Linux kernel's OmniVision OV5647 camera sensor driver (media/i2c/ov5647) causes availability loss for systems equipped with this camera hardware. The s_ctrl function's handling of three V4L2 controls - AUTOGAIN, EXPOSURE_AUTO, and ANALOGUE_GAIN - returns early without invoking pm_runtime_put(), allowing unpaired runtime PM get/put calls to accumulate. A local user with access to the camera device node can trigger this imbalance repeatedly, exhausting the PM reference count and preventing the device from entering low-power states, ultimately making it unavailable. No public exploit has been identified; EPSS is 0.02% (5th percentile) and this vulnerability does not appear in CISA KEV.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46238 HIGH PATCH This Week

Use-after-free risk in the Linux kernel's batman-adv BAT IV mesh routing implementation allows adjacent network attackers to potentially corrupt memory or disclose information by triggering stale originator pointer dereferences. The flaw affects neigh_node structures that cached an auxiliary originator pointer not owned by the neighbor state, which could dangle after purge handling. No public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.02%, but the CVSS 8.8 rating reflects high impact across confidentiality, integrity, and availability if triggered.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-46237 HIGH PATCH This Week

Local privilege-escalation-adjacent denial of service and potential memory corruption in the Linux kernel's AMD GPU VCN3 (Video Core Next 3) driver allows a local low-privileged user with GPU access to trigger an integer overflow in the message bound check of the drm/amdgpu/vcn3 subsystem. The flaw was identified by AMD's SDL review and patched upstream, and per CVSS it yields high confidentiality and availability impact without integrity impact. Exploitation status: no public exploit identified at time of analysis, and EPSS is very low at 0.02%.

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46236 MEDIUM PATCH This Month

Availability impact in the Linux kernel's xbox_remote media/rc driver allows a local, low-privileged user with access to the affected device to crash the kernel via a DMA coherency violation. The IO buffer used for USB transfers is embedded directly within the device structure, which violates DMA coherency rules and can trigger memory corruption leading to kernel panic. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% reflects minimal observed exploitation activity. Vendor-released patches are available across multiple stable kernel branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46235 MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's saa7164 media driver can crash the kernel when ioremap() fails during PCI device initialization. Systems with SAA7164-based PCIe capture cards (e.g., Phillips/NXP SAA7164) running unpatched kernel versions from 2.6.32 through stable branches prior to 6.6.140, 6.12.90, 6.18.32, and 7.0.9 are affected. A local, low-privileged attacker who can trigger driver initialization under memory pressure conditions may cause a kernel oops or panic, resulting in denial of service. No public exploit exists and EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation probability at this time.

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46234 HIGH PATCH This Week

Local privilege escalation in the Linux kernel's vsock (virtio sockets) subsystem stems from inverted buffer-size clamping logic in vsock_update_buffer_size(), allowing a local user to grow vsk->buffer_size beyond the configured vsk->buffer_max_size and violate intended socket memory boundaries. Affected branches include stable trees prior to 6.6.140, 6.12.90, 6.18.32, 7.0.9, and 7.1-rc1; no public exploit identified at time of analysis and EPSS is 0.02% (5th percentile).

Linux Memory Corruption Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46233 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's batman-adv Bridge Loop Avoidance (BLA) subsystem enables local denial of service via kernel panic. The race condition exists in batadv_bla_purge_claims(), which traverses the claim hash list under rcu_read_lock() without accounting for concurrent claim releases - when batadv_claim_release() NULLs the backbone_gw pointer mid-traversal, a subsequent call to batadv_bla_claim_get_backbone_gw() on the partially-freed claim triggers a NULL dereference. Exploitation requires local low-privilege access on systems actively running batman-adv with BLA enabled; no active exploitation is confirmed and EPSS stands at 0.02% (5th percentile).

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46232 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's HID PlayStation driver (dualshock4_parse_report) allows an adjacent attacker with a malicious or spoofed DualShock 4 controller to read up to ~2 KiB beyond the touch_reports array and have portions of that data emitted through evdev. The flaw stems from the driver trusting the device-supplied num_touch_reports field without bounds checking, enabling potential kernel memory disclosure and denial of service. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, but an upstream fix is available.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-46231 MEDIUM PATCH This Month

Reference counting failure in the Linux kernel's batman-adv Bridge Loop Avoidance (BLA) subsystem allows a local low-privileged user to cause a slow kernel memory leak and eventual denial of service. Specifically, batadv_bla_add_claim() omits the required batadv_backbone_gw_put() call on the error path when a claim hash insertion fails, preventing the backbone_gw object's reference count from ever reaching zero. The vulnerability has been present since at least kernel 4.7 and is patched across multiple stable branches; no public exploit exists and EPSS is extremely low at 0.02% (5th percentile), placing this firmly in the low-urgency tier except for environments actively running batman-adv with BLA.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46230 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's AMD GPU VCN3 (Video Core Next, generation 3) decoder message parser allows a local low-privileged user to read kernel memory beyond the buffer object boundary and potentially trigger denial of service. The flaw was resolved by adding bounds checks against the end of the buffer object whenever the dec msg is accessed. EPSS is very low (0.02%, 6th percentile) and no public exploit has been identified at time of analysis.

Linux Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46229 MEDIUM PATCH This Month

Stale VRAM exposure in the Linux kernel's amdkfd driver (drm/amdkfd) allows local authenticated users to observe prior occupants' GPU memory contents and crash multi-GPU compute workloads. The KFD allocation path omitted the AMDGPU_GEM_CREATE_VRAM_CLEARED flag - present in every other userspace GEM allocation path - leaving freshly allocated VRAM buffers populated with data from previous processes. The primary documented availability impact is deterministic crashes in RCCL peer-to-peer transport when stale values corrupt the ptrExchange, head, and tail protocol fields; a secondary information-disclosure risk exists because stale page-table remnants are observable by unprivileged compute kernels. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile).

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46228 MEDIUM PATCH This Month

Memory leak in the Linux kernel's spi: ch341 USB-to-SPI driver allows a local user to degrade system availability by triggering driver unbind without physical device disconnection. The defect lies in incorrect devres (device-managed resource) lifetime scoping - resources are anchored to the parent USB device rather than the USB interface, so they are not released when the driver unbinds during events such as probe deferral or runtime configuration changes. No public exploit has been identified at time of analysis, and an EPSS score of 0.02% (4th percentile) indicates negligible exploitation probability in the near term.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46227 HIGH PATCH This Week

Local privilege escalation in the Linux kernel SCTP subsystem allows unprivileged users to trigger a use-after-free or type confusion in the SCTP_SENDALL code path. The flaw stems from a stale iterator cursor in sctp_sendmsg() that survives across a dropped socket lock, and the type-confusion variant yields a controlled indirect call via outqueue.sched->init_sid. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the vendor description explicitly notes both bugs are reachable from CapEff=0.

Linux Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46226 MEDIUM PATCH This Month

Improper driver teardown ordering in the Linux kernel's Freescale (FSL) SPI controller driver allows a local low-privileged user to trigger a denial-of-service condition during driver unbind. The SPI controller is not deregistered before underlying resources such as DMA are released, creating a window where the controller may reference freed memory. No public exploit has been identified at time of analysis, and EPSS sits at 0.02% (5th percentile), reflecting low real-world exploitation probability.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46225 MEDIUM PATCH This Month

Improper resource deregistration ordering in the Linux kernel's spi/rspi (Renesas SPI controller) driver causes a local denial-of-service condition during driver unbind. The rspi driver releases DMA resources before deregistering the SPI controller, creating a window where in-flight controller operations can reference freed memory, resulting in a kernel crash or panic. With CVSS availability impact rated High and EPSS at 0.02% (5th percentile), this is a low-probability but locally exploitable stability issue affecting systems with Renesas SPI hardware. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46224 MEDIUM PATCH This Month

Memory leak in the Linux kernel's drm/xe Intel Xe GPU driver allows a local, low-privileged user to exhaust kernel memory by repeatedly triggering DMA buffer import failures, leading to denial of service. The bug resides in xe_dma_buf_init_obj(), where a pre-allocated buffer object (bo) is not freed when drm_gpuvm_resv_object_alloc() fails, due to ambiguous ownership semantics between the caller and callee on error paths. No public exploit exists and EPSS probability is extremely low at 0.02% (4th percentile), placing this in the maintenance-priority category rather than urgent remediation for most environments.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46223 MEDIUM PATCH This Month

An A-A (same-task) deadlock in the Linux kernel cgroup rmdir path (versions 7.0 through 7.1-rc2 and 6.19.x) can permanently hang the entire system, requiring a hard reboot. When a process acting as both a PID namespace zombie reaper (e.g., systemd/PID 1) and the cgroup rmdir(2) caller encounters dying tasks still linked to cgroup csets, the kernel blocks the reaper indefinitely in TASK_UNINTERRUPTIBLE, creating a circular dependency from which the system cannot recover. No public exploit has been identified at time of analysis, EPSS exploitation probability is extremely low (0.02%), and no CISA KEV listing exists - consistent with the scenario's narrow, operationally specific triggering conditions.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46222 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's Rockchip RKCIF (Camera Interface) media driver crashes the kernel when a local user enables streaming on a video device with no connected subdevice. Affected systems are Rockchip SoC-based platforms running Linux kernel versions from the introduction of the rkcif driver up through 6.19. A low-privileged local attacker can trigger a kernel panic - full denial of service - via the standard V4L2 VIDIOC_STREAMON ioctl. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS of 0.02% (5th percentile) reflects the narrow hardware-specific attack surface.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46221 MEDIUM PATCH This Month

Memory leak in the Linux kernel's EDAC/versalnet driver allows a local low-privileged user to gradually exhaust kernel heap memory, rated CVSS 5.5 with high availability impact. The flaw exists in init_one_mc() where a kzalloc()-allocated device name string becomes permanently unreachable after device_register() copies and nullifies the pointer, preventing any subsequent free on device removal. No public exploit identified at time of analysis; EPSS at 0.02% (4th percentile) confirms this is a low-exploitation-probability defect rather than an actively targeted vulnerability.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46220 MEDIUM PATCH This Month

Kernel panic via reachable assertion in the Linux kernel's AMDGPU SDMA v4 driver allows a local low-privileged user to crash the system by submitting crafted GPU command buffers. The sdma_v4_0_ring_emit_fence() function contains BUG_ON() assertions verifying dword-alignment of fence writeback addresses; these assertions are reachable through the DRM_IOCTL_AMDGPU_CS ioctl from unprivileged userspace, causing a fatal panic in a kernel scheduler worker thread. No public exploit or active exploitation has been identified at time of analysis, and EPSS at 0.02% reflects low exploitation likelihood, but the impact on shared GPU compute systems warrants prompt patching.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46219 HIGH PATCH This Week

Use-after-free in the Linux kernel's MPC52xx SPI driver (spi-mpc52xx) can be triggered when the driver is unbound, because the interrupt-scheduled state machine work is not cancelled after interrupts are disabled. Local users with the ability to unbind the driver could potentially corrupt kernel memory, with confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.

Use After Free Linux Information Disclosure Memory Corruption Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46218 HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's amdgpu (AMD GPU) driver allows local users with low privileges to trigger denial of service or read sensitive kernel memory by interacting with the uvd/vce/vcn IB (indirect buffer) handling paths. The flaw stems from missing bounds checks in ib_get_value and ib_set_value when accessing the IB at predefined offsets, compounded by a signed-integer index that could overflow. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%.

Linux RCE
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46217 MEDIUM PATCH This Month

Integer overflow in the AMDGPU VCN4 (Video Core Next 4) multimedia driver within the Linux kernel allows a local low-privileged user to cause a kernel denial of service. The bounds check on incoming messages to the VCN4 encoder/decoder engine contains an overflow-vulnerable condition, meaning a crafted message can bypass intended size validation. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at the 5th percentile, indicating very low real-world exploitation likelihood currently.

Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46216 MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's Intel Xe DRM HDCP GSC subsystem allows a local, low-privileged user to crash the kernel when media GT is disabled via configfs. The function `intel_hdcp_gsc_check_status()` evaluates `&gt->uc.gsc` without first verifying that `media_gt` is non-NULL, producing a kernel pagefault on systems where media GT has been explicitly disabled through the configfs interface. Exploitation yields a denial of service (kernel panic) with no confidentiality or integrity impact; no public exploit identified at time of analysis, and EPSS probability is 0.02% (5th percentile), indicating very low exploitation likelihood in the wild.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46215 HIGH PATCH This Week

Use-after-free in the Linux kernel's DRM (Direct Rendering Manager) GEM handle subsystem allows a local authenticated attacker to trigger memory corruption via a race condition in the change_handle ioctl. The flaw stems from a window where a single GEM object briefly held two IDR entries, letting a concurrent gem_close call dereference a dangling handle. No public exploit identified at time of analysis and EPSS exploitation probability is low (0.02%), but the CVSS 7.8 reflects full confidentiality, integrity, and availability impact on affected systems.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46214 MEDIUM PATCH This Month

Denial-of-service via accept queue counter leak in the Linux kernel's vsock/virtio subsystem allows an authenticated local attacker to permanently exhaust a listener socket's backlog, causing it to reject all new connections. The flaw exists from kernel 5.5 onward in virtio_transport_recv_listen(), where sk_acceptq_added() is called before vsock_assign_transport() validation; failed transport assignments never call the paired sk_acceptq_removed(), permanently inflating sk_ack_backlog. No public exploit exists and EPSS is at the 5th percentile, but the impact in multi-tenant virtualized environments relying on vsock communication is a complete denial of vsock listener service.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46213 HIGH PATCH This Week

Use-after-free in the Linux kernel's appletb-kbd HID driver allows local low-privileged users on Apple Touch Bar-equipped MacBooks to potentially trigger memory corruption during driver tear-down. The flaw stems from incorrect ordering of timer cleanup and device reference release in the inactivity-timer cleanup path, leaving two race windows where a softirq can dereference freed backlight_device memory. EPSS is very low (0.02%) and no public exploit identified at time of analysis; impact is limited to systems running the appletb-kbd driver, primarily Apple MacBook Pro hardware with Touch Bars.

Information Disclosure Use After Free Apple Microsoft Memory Corruption +3
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46212 HIGH PATCH This Week

Use-after-free in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh networking module's bridge loop avoidance (BLA) subsystem allows adjacent attackers on the same Layer-2 segment to potentially trigger memory corruption when claim entries are deleted. The flaw, with a CVSS of 8.8 (AV:A/AC:L/PR:N/UI:N), exists in batadv_bla_del_backbone_claims() where a claim reference may be released before its final use, enabling exploitation by anyone able to inject mesh traffic. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but upstream fixes have been released across multiple stable kernel branches.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-46211 MEDIUM PATCH This Month

NULL pointer dereference and silent error suppression in the Linux kernel's Qualcomm MSM DRM/GEM subsystem allows a low-privileged local user to crash the kernel (denial of service) via a crafted GEM_INFO ioctl call. The msm_ioctl_gem_info_get_metadata() function unconditionally returns 0 on error and fails to check kmemdup() for a NULL return, enabling a dereference in the subsequent copy_to_user() call. No public exploit has been identified at time of analysis and EPSS is 0.02% (5th percentile), reflecting minimal real-world exploitation pressure despite the confirmed availability of upstream patch commits.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46210 HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's iris media driver allows local users with low privileges to trigger a use-after-free condition via concurrent access during Macro Blocks Per Frame (MBPF) checks. The flaw affects Linux kernel 6.18 and stems from improper lock ordering where fmt_src and fmt_dst structures are freed under inst->lock while the instance remains in the core list traversed under core->lock. EPSS is very low at 0.02% (5th percentile) and no public exploit identified at time of analysis, but the high CVSS score reflects severe local impact.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46209 HIGH PATCH This Week

Local privilege escalation potential exists in the Linux kernel's DRM/GEM framebuffer subsystem (drm_gem_fb_init_with_funcs) where inconsistent plane dimension calculations between integer division and DIV_ROUND_UP cause a size-check bypass. A local low-privileged user able to invoke the framebuffer ioctl with specific pixel formats (e.g., NV12) and crafted dimensions can trigger an out-of-bounds GPU memory access on the chroma plane, leading to memory corruption with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS is very low (0.02%), suggesting limited near-term exploitation risk despite the 7.8 CVSS.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46208 HIGH PATCH This Week

Use-after-free / race condition in the Linux kernel's batman-adv mesh networking module allows a local low-privileged attacker to trigger memory corruption by exploiting unsynchronized tp_meter sessions during mesh interface teardown. The flaw stems from batadv_mesh_free() not draining active tp_meter sessions before shutdown, letting sender threads or late-arriving packets operate on a destroyed mesh instance. No public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.02%.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46207 MEDIUM PATCH This Month

Uninitialized socket buffer data exposure in the Linux kernel's vsock/virtio transport layer (6.7 and later) corrupts vsockmon tap monitoring output when non-linear skbs are in use. The `virtio_transport_copy_nonlinear_skb()` function constructs an `iov_iter` without setting `iov_iter.count`, causing zero-length copies that leave skb payloads uninitialized on the monitor interface - potentially exposing stale kernel memory to vsockmon consumers. Patched stable releases 6.12.90, 6.18.32, and 7.0.9 are available; no public exploit exists and EPSS stands at 0.02% (5th percentile), placing real-world exploitation risk very low but warranting attention in environments actively using vsockmon debugging.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46206 HIGH PATCH This Week

Local privilege escalation risk in the Linux kernel's batman-adv mesh networking module allows authenticated local users to trigger memory corruption by initiating new tp_meter throughput measurement sessions during mesh teardown. The flaw exists because the tp_meter subsystem failed to reject new sender/receiver sessions after mesh_state transitioned out of BATADV_MESH_ACTIVE, creating a race condition during module shutdown. No public exploit identified at time of analysis, and EPSS exploitation probability is extremely low at 0.02%.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46205 HIGH PATCH This Week

Local privilege escalation risk in the Linux kernel's atomisp staging media driver allows authenticated low-privileged users to potentially abuse private IOCTLs that were not adequately validated. The upstream fix disables all private IOCTLs in the atomisp driver by returning early when the command is non-zero. EPSS is very low at 0.02% (5th percentile) and no public exploit identified at time of analysis, indicating limited real-world exploitation interest.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46204 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's AMD GPU VCN4 (Video Core Next) driver allows a local user with GPU access to trigger memory disclosure or denial of service by submitting a crafted indirect buffer (IB) to the amdgpu DRM subsystem. The flaw stems from missing bounds checks while parsing IBs in the drm/amdgpu/vcn4 code path, and no public exploit identified at time of analysis. EPSS exploitation probability is very low (0.02%) and the issue is not listed in CISA KEV.

Linux Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46203 HIGH PATCH This Week

Unclocked register access in the Linux kernel's Cadence Quadspi SPI controller driver (spi-cadence-quadspi) occurs during driver unbind, affecting kernel versions through 7.0.x and 7.1-rc1. A local low-privileged user able to trigger driver unbind can cause high-impact confidentiality loss and denial of service on systems using affected SPI hardware. There is no public exploit identified at time of analysis and EPSS rates exploitation probability at just 0.02%.

Information Disclosure Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46202 MEDIUM PATCH This Month

Kernel crash (denial of service) in the Linux kernel's hid-appletb-kbd driver results from calling a mutex-acquiring function from softirq and IRQ atomic contexts on Apple Touch Bar MacBooks running Linux. Authenticated local attackers with low privileges can trigger a kernel BUG by inducing Touch Bar inactivity or generating HID events that exercise the broken brightness-reset path, crashing the system. No public exploit has been identified and EPSS is 0.02% (4th percentile), reflecting the niche hardware requirement; patches are available in kernel versions 6.18.32, 7.0.9, and 7.1-rc4.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46201 HIGH PATCH This Week

Local privilege-context resource leak in the Linux kernel's Intel Xe DRM driver allows a local user with GPU access to exhaust dma-buf attachments by repeatedly triggering the failure path in xe_gem_prime_import(). The flaw, addressed across multiple stable trees (6.12.90, 7.0.9, 6.18.32, 7.1-rc2), causes a dma-buf attachment to remain attached when xe_dma_buf_init_obj() fails, producing a kernel-side memory and reference leak. EPSS is 0.02% and the issue is not on the CISA KEV list; no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46200 MEDIUM PATCH This Month

Denial-of-service via improper resource teardown ordering in the Linux kernel's MPC52xx SPI controller driver (spi/mpc52xx) affects systems running PowerPC-based embedded hardware. During driver unbind, the SPI controller was deregistered after - rather than before - disabling underlying resources such as interrupts and GPIOs, creating a window where the kernel could access freed or disabled resources and trigger a system crash. No public exploit has been identified at time of analysis, and with an EPSS of 0.02% (5th percentile), real-world exploitation is assessed as very low probability.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46199 HIGH PATCH This Week

Out-of-bounds read in the AMD GPU VCN4 (Video Core Next, 4th generation) decoder message parser of the Linux kernel allows a local low-privileged user to read kernel memory beyond the decoder message buffer object, potentially leading to information disclosure and denial of service. The flaw exists in the drm/amdgpu/vcn4 driver where bounds against the end of the buffer object (BO) were not validated when parsing decoder messages. No public exploit identified at time of analysis and EPSS scores the exploitation probability at just 0.02% (6th percentile), but a vendor patch is available across multiple stable branches.

Linux Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46198 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's batman-adv (B.A.T.M.A.N. advanced) mesh networking module stems from an integer overflow on the s16 buff_pos variable in batadv_iv_ogm_send_to_if, where the size check is performed using int while the position counter uses s16. Adjacent-network attackers on a batman-adv mesh can trigger the overflow by sending crafted OGM (Originator Message) aggregation packets, potentially leaking kernel memory or causing denial of service. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, but the issue carries a CVSS of 8.8 due to high impact on confidentiality, integrity, and availability across adjacent networks.

Linux Buffer Overflow Integer Overflow
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-46197 HIGH PATCH This Week

Local privilege escalation via out-of-bounds buffer access in the Linux kernel's AMD KFD (Kernel Fusion Driver) SVM ioctl interface allows authenticated local users to corrupt kernel memory by supplying an attacker-controlled nattr attribute count that exceeds the buffer size. The flaw affects systems running AMD GPUs with the amdkfd driver and has been resolved upstream across multiple stable branches. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, but the high CIA impact warrants prompt patching on AMD GPU compute workstations and HPC nodes.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46196 MEDIUM PATCH This Month

Persistent availability degradation in the Linux kernel tracepoint subsystem results from an unbalanced regfunc()/unregfunc() pair when tracepoint_add_func() fails mid-registration. When func_add() returns an error (such as -ENOMEM) after regfunc() has already executed, ext->unregfunc() is never called, leaving side effects permanently in place - for syscall tracepoints, this sticks sys_tracepoint_refcount at a non-zero value and keeps SYSCALL_TRACEPOINT set on every running task, imposing unnecessary syscall trace entry/exit overhead on all processes until reboot. No public exploit identified at time of analysis and EPSS is 0.02% (5th percentile), indicating this is a low-probability exploitation target, though it is a confirmed kernel-quality bug with patches issued across multiple stable branches.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46195 CRITICAL PATCH Act Now

Memory corruption in the Linux kernel SMB client (cifs) allows a malicious SMB server to trigger out-of-bounds reads and potential dereferences in the DACL parsing path on 32-bit builds. The flaw resides in parse_sec_desc(), build_sec_desc(), and id_mode_to_cifs_acl(), where a server-supplied dacloffset value near U32_MAX can wrap around and bypass pointer-based bounds checks during chmod/chown operations against SMB shares. EPSS is very low at 0.02% and there is no public exploit identified at time of analysis, but the issue is a confirmed kernel bug with upstream fixes already merged.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-46194 MEDIUM PATCH This Month

Kernel panic via race condition in the f2fs filesystem extent node management affects Linux kernel across multiple stable branches. When f2fs_destroy_extent_node() is invoked from f2fs_drop_inode() with I_SYNC set, a concurrent kworker writeback thread can insert new extent nodes into the same extent tree between lock releases, causing node_cnt to become non-zero upon loop exit and triggering f2fs_bug_on() - a deliberate kernel assertion failure resulting in a system crash. A secondary gap leaves EX_BLOCK_AGE extent tree updates completely unprotected by the FI_NO_EXTENT flag check, compounding the race surface. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile), indicating low exploitation probability in the near term.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-46193 MEDIUM PATCH This Month

The xfrm AH (Authentication Header) subsystem in the Linux kernel miscalculates ICV buffer offsets during asynchronous callback processing when Extended Sequence Numbers (ESN) are enabled, resulting in 100% packet loss on affected IPsec AH tunnels. Systems running AH with ESN and an async HMAC implementation (confirmed in developer-provided UML repro with forced-async hmac(sha1)) on both IPv4 and IPv6 paths are affected across multiple stable kernel branches going back to the commit introducing ESN async support. No public exploit exists and EPSS sits at 0.02% (5th percentile), reflecting a correctness defect with no exploitation interest rather than a broad attack surface; patch versions are confirmed across six stable branches.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46192 MEDIUM PATCH This Month

Denial of service in the Linux kernel's Microchip Core QSPI driver corrupts SPI transfers on systems using this controller. The spi-microchip-core-qspi driver incorrectly attempts to transmit garbage data during emulated read-only dual/quad SPI operations - a protocol violation, since QSPI lacks a dedicated MOSI line and the core hardware is expected to generate read clock cycles autonomously. The result is a bricked (permanently failed) SPI transfer, causing availability loss for any kernel component or userspace process depending on that SPI bus. No public exploit exists and EPSS probability is 0.02%, consistent with a hardware-specific, locally-triggered driver defect.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46191 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's framebuffer console (fbcon) subsystem allows a local low-privileged attacker to access kernel memory beyond the font buffer when console rotation is enabled and font reallocation fails. The flaw resides in fbcon_rotate_font() which retains the undersized old buffer after a failed reallocation, so printing characters with high-enough codes overflows the font buffer during putcs operations. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%), but the issue is patched across multiple stable kernel branches.

Linux Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46190 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's SPI-NOR flash debugfs interface (spi_nor_params_show) allows local authenticated users with debugfs access to trigger memory disclosure or denial of service on 64-bit systems. The flaw stems from sizeof() being used on a pointer array instead of ARRAY_SIZE(), inflating the bounds-check length by 8x. No public exploit identified at time of analysis and EPSS rates exploitation likelihood at 0.02%.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46189 HIGH PATCH This Week

Double-free memory corruption in the Linux kernel's vmw_pvrdma (VMware Paravirtual RDMA) driver allows local authenticated users to corrupt kernel memory and potentially escalate privileges. The flaw occurs in the pvrdma_alloc_ucontext() error path where pvrdma_uar_free() is invoked twice - once explicitly and again via pvrdma_dealloc_ucontext(). No public exploit identified at time of analysis, and EPSS (0.02%) indicates very low near-term exploitation probability.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46188 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's octeon_ep_vf driver crashes the kernel when napi_build_skb() fails during memory allocation in the receive path. Systems running kernels from the introduction of the octeon_ep_vf driver (commit 1cd3b407977c) through multiple stable branches are affected where Marvell Octeon EP VF network adapters are in use. A local, low-privileged attacker who can induce memory pressure while network traffic flows through an Octeon EP VF interface can trigger a kernel panic, resulting in full system unavailability. No public exploit code exists, EPSS is 0.02% (5th percentile), and this vulnerability has not been added to CISA KEV.

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46187 MEDIUM PATCH This Month

Use-after-free in the Linux kernel's RSI (Redpine Signals) WiFi driver allows a local low-privileged attacker to crash the kernel by exploiting a race condition between kthread self-exit and external stop operations. When `kthread_complete_and_exit` races ahead of `kthread_stop`, the already-freed task struct is dereferenced, causing a kernel denial of service. No public exploit has been identified and EPSS sits at 0.02% (5th percentile), reflecting very low real-world exploitation probability; the vulnerability is not listed in CISA KEV.

Race Condition Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Use-after-free in the Linux kernel's rt9455 power supply driver allows local attackers to trigger memory corruption or system crashes via a race condition during driver probe or removal. The flaw stems from incorrect ordering of devm_-managed resource allocation, where the IRQ handler can fire against a freed or uninitialized power_supply handle. EPSS is very low (0.02%, 7th percentile) and no public exploit is identified at time of analysis, but the CVSS score of 8.4 reflects high impact on confidentiality, integrity, and availability for systems shipping the rt9455 Richtek battery charger driver.

Denial Of Service Linux Memory Corruption +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's Canaan K230 pinctrl driver causes a local denial of service during device tree parsing. Specifically, k230_pinctrl_parse_functions() dereferences info->pctl_dev->dev before info->pctl_dev is initialized, triggering a kernel panic on systems using the K230 SoC. A low-privileged local attacker on affected hardware can crash the kernel, fully denying system availability. No public exploit code exists and EPSS of 0.02% (5th percentile) indicates minimal exploitation probability; however, the straightforward trigger condition and kernel-crash impact warrant prompt patching on K230-based deployments.

Denial Of Service Null Pointer Dereference Linux +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Inverted debug assertion in the Linux kernel PCI/P2PDMA subsystem triggers a spurious kernel warning in p2pmem_alloc_mmap() when CONFIG_DEBUG_VM is enabled, resulting in high availability impact on affected systems. The root cause is a stale VM_WARN_ON_ONCE_PAGE condition that was not updated after commit b7e282378773 changed the initial page refcount from one to zero, causing the assertion to fire on every valid P2PDMA allocation. Authenticated local users with access to P2PDMA-capable hardware can exploit this on debug-compiled kernels to cause denial of service; no public exploit exists and EPSS is 0.02% (4th percentile), reflecting negligible real-world exploitation likelihood.

Denial Of Service Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel NFC HCI SHDLC subsystem allows local low-privileged attackers to corrupt memory and potentially escalate privileges by triggering teardown races against active timers and queued work items. The flaw exists because llc_shdlc_deinit() purges SHDLC skb queues and frees the llc_shdlc structure while timers and the sm_work state-machine handler may still execute concurrently. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the high-impact CVSS (7.8) reflects full CIA compromise on successful exploitation.

Information Disclosure Use After Free Memory Corruption +3
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Remote manipulation of the Linux kernel's IPv4 routing cache is possible through RAW sockets bound to IPPROTO_RAW (protocol 255), where a malicious incoming ICMP packet whose inner header advertises protocol 255 will be matched to the socket and trigger FNHE (Forwarding Next Hop Exception) cache changes. The flaw affects Linux systems where a process has opened a RAW socket on protocol 255, and remote attackers can use crafted ICMP fragmentation-needed messages to influence routing decisions. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but the CVSS 9.1 reflects high integrity and availability impact via unauthenticated network reachability.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial-of-service condition in the Linux kernel's HNS RoCE (RDMA over Converged Ethernet) driver affects systems using HiSilicon RDMA hardware alongside SUNRPC/NFS-over-RDMA workloads. The hns_roce_irq_workq workqueue lacks the WQ_MEM_RECLAIM flag while being flushed during QP (Queue Pair) destruction from a memory-reclaim context, triggering a kernel warning and potential stall during RDMA transport reset. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Local privilege escalation potential exists in the Linux kernel's Intel Xe DRM driver (drm/xe/pf) due to a sysfs initialization ordering bug in SR-IOV Physical Function setup, where a failed devm_add_action_or_reset() call invokes kobject_put() on an uninitialized kobject, triggering refcount underflow and use-after-free conditions. The flaw affects Linux kernel 6.19 prior to the 6.19.4 stable patch and has been resolved upstream; no public exploit identified at time of analysis and EPSS rates exploitation probability at only 0.02%.

Information Disclosure Linux Use After Free +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds array access in the Linux kernel's AMD GPU display driver (drm/amd/display) allows local privileged users to trigger memory corruption via the dcn35_stream_encoder_create() function when eng_id equals ENGINE_ID_DIGF (value 5) or is negative, indexing past the 5-element stream_enc_regs[] array. The flaw stems from a faulty boundary check using <= instead of <, and no public exploit has been identified at time of analysis with an EPSS score of 0.02% (5th percentile) indicating very low exploitation probability.

Amd Buffer Overflow Linux +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Deadlock in the Linux kernel's ASoC fsl_xcvr audio driver causes a hung task and denial of service on NXP i.MX hardware. The defect was introduced by a prior patch (commit f51424872760) that erroneously added a read lock acquisition on controls_rwsem inside fsl_xcvr_mode_put(), unaware that the caller snd_ctl_elem_write() already holds the write lock on that same semaphore for the duration of the put operation. A local user with low privileges who triggers an ALSA control write on an affected system can induce an unresolvable deadlock. No public exploit exists and EPSS is 0.02%, reflecting very low real-world exploitation probability.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's SPI WPCM FIU driver allows a local low-privileged attacker to crash the kernel via a denial-of-service condition. The wpcm_fiu_probe() function passes the return value of platform_get_resource_byname() directly to resource_size() without validating against NULL, meaning if the named resource is absent the kernel dereferences a NULL pointer and panics. No public exploit exists and no active exploitation is confirmed; EPSS of 0.02% (5th percentile) reflects the narrow, hardware-specific attack surface.

Denial Of Service Null Pointer Dereference Linux +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's IPv6 routing subsystem (fib6_add_rt2node) allows a local user with network configuration privileges to trigger memory corruption when adding routes that use the RTA_NH_ID nexthop attribute. The flaw was discovered by syzkaller and confirmed via KASAN slab-out-of-bounds reports. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the bug is in mainline kernel code paths reachable through netlink and is fixed across multiple stable trees.

Debian Buffer Overflow Linux +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's procfs subsystem allows a local low-privileged attacker to potentially trigger memory corruption when reading /proc/[pid]/stat due to missing RCU protection around task->real_parent access in do_task_stat(). The race condition occurs when a parent task is released concurrently with another process reading its stat file, leading to a UAF dereference. No public exploit identified at time of analysis, and EPSS scoring is very low (0.02%, 7th percentile), indicating limited expected exploitation activity.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's GPIO character device subsystem (gpio/cdev) allows a local, low-privileged user to crash the kernel via a denial-of-service. In linehandle_create(), the macro retain_and_null_ptr(lh) sets lh to NULL, but a subsequent debug printout immediately dereferences that same pointer - triggering a kernel panic. No public exploit has been identified at time of analysis, and EPSS indicates very low exploitation probability at 0.02% (5th percentile), consistent with a local-access-only DoS with no code execution or data exposure component.

Denial Of Service Null Pointer Dereference Linux +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local denial-of-service via kernel Oops in the Linux kernel SP804 timer driver on ARM32 platforms when read_current_timer() dereferences an uninitialized sched_clkevt pointer. Affected systems are those where sp804_clocksource_and_sched_clock_init is invoked without use_sched_clock=1, yet sp804_register_delay_timer is still called unconditionally - creating the conditions for a NULL/uninitialized pointer access in sp804_read(). EPSS is 0.02% (5th percentile), no KEV listing exists, and no public exploit has been identified, placing this as low operational priority outside specialized ARM32 embedded deployments.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial-of-service via recursion deadlock in the Linux kernel's NFS LOCALIO subsystem when direct memory reclaim occurs on systems using loopback NFS mounts. The LOCALIO optimization - which bypasses network I/O when NFS client and server share the same host - fails to restrict its page cache allocations to GFP_NOFS context, allowing the kernel memory allocator to re-enter NFS via nfs_writepages during reclaim (path: NFS LOCALIO → XFS → NFS), producing a deadlock and kernel hang. No public exploit exists and EPSS stands at 0.02% (4th percentile), consistent with a kernel subsystem defect that requires a specific local configuration rather than a broadly exploitable condition. Vendor-released patches are available across stable kernel branches.

Buffer Overflow Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Double-disable of managed clocks in the Linux kernel's fsl-edma (Freescale/NXP eDMA) DMA engine driver triggers kernel WARN_ON warnings during driver removal, causing an availability impact on affected systems. The bug originates from commit a9903de3aa16731846bf924342eca44bdabe9be6, where clocks allocated via devm_clk_get_enabled() - which automatically handles teardown - are also manually disabled in fsl_edma_remove(), resulting in a 'already disabled/unprepared' warning for each clock. No public exploit has been identified at time of analysis, and EPSS is 0.02% (5th percentile), reflecting the low likelihood of targeted exploitation of this kernel quality defect.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Unaligned memory access in the Linux Kernel's AppArmor DFA table parser causes a denial of service on strict-alignment architectures. AppArmor's deterministic finite automaton (DFA) policy tables, which can originate from either kernel or userspace via apparmor_parser, lack guaranteed 8-byte alignment; on architectures that fault or warn on unaligned access (confirmed via SPARC call trace in the description), loading AppArmor profiles triggers a kernel WARNING at security/apparmor/match.c:316 and fails profile loading. No public exploit exists and no KEV listing is present; EPSS is 0.02% (5th percentile), consistent with a low-severity, architecture-specific, local-only issue.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Heap buffer overflow in the Linux kernel's pstore/ram subsystem (persistent_ram_save_old function) allows local attackers with low privileges to trigger out-of-bounds writes and reads when the ramoops buffer size grows across boot cycles. The flaw affects Linux kernel versions from 3.5 onward and carries a CVSS 7.8 (High) rating, though exploitation requires a highly improbable chain of conditions across reboots. No public exploit identified at time of analysis, and EPSS is very low at 0.03%.

Buffer Overflow Linux Memory Corruption +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Improper locking in the Linux kernel regulator subsystem's `regulator_resolve_supply()` error path allows a local low-privileged attacker to trigger a kernel crash or denial of service. The error path invokes `_regulator_put()` without holding the required `regulator_list_mutex`, producing a lockdep warning and exposing an unguarded concurrent access window when clearing the `rdev` supply pointer. No public exploit has been identified at time of analysis, and with an EPSS of 0.02% (5th percentile), real-world exploitation probability is very low.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Linked-list corruption in the Linux kernel's btrfs filesystem allows a local user with btrfs write access to trigger memory corruption and a transaction abort when EXTENT_TREE_V2 incompat flag is enabled. The flaw stems from the block group tree being added twice to the switch_commits list, corrupting prev/next pointers and ultimately leading to filesystem inconsistency. No public exploit identified at time of analysis and EPSS probability is low at 0.02%, but the CVSS 8.4 reflects high local impact on confidentiality, integrity, and availability.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Denial of service in the Linux kernel's MIPS architecture support affects builds compiled with LLVM/Clang versions 18 through 21, where the compiler incorrectly restores the $gp global register variable in the relocate_kernel() epilogue. The result is that __current_thread_info points to the unrelocated kernel address space, causing an immediate NULL-pointer dereference in init_idle during early boot and a panic before userspace ever starts. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the issue is a boot-time crash rather than a remotely triggerable flaw.

Denial Of Service Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel crash in the Linux octeontx2-af driver exposes Marvell OcteonTX2 systems to a denial-of-service condition triggered by kexec reboots when both AF and PF drivers are loaded as modules. Because kexec does not power-cycle hardware, the RVUM block revision register retains its pre-reboot value; the PF driver misinterprets this stale register value as confirmation that AF initialization is complete and proceeds to access hardware state that has not yet been reinitialized in the new kernel, producing a kernel panic. No public exploit exists and EPSS is 0.02% (7th percentile), confirming this is a niche reliability defect in a specific hardware/driver configuration rather than an adversarially weaponizable flaw.

Denial Of Service Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stale link mapping in the ath12k Wi-Fi 7 driver causes a kernel WARN_ON condition when MLO (Multi-Link Operation) connection preparation fails mid-initialization, leaving ahvif->links_map in an inconsistent state. Systems running the Linux kernel with Qualcomm ath12k hardware (e.g., QCN9274) are affected across stable branches through 6.18.13, 6.19.3, and pre-7.0 releases. A local low-privileged user capable of triggering repeated MLO authentication failures can induce kernel warning conditions, resulting in high availability impact with no public exploit identified at time of analysis.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel crash (denial of service) affects Qualcomm GFX3D GPU clock management on ARM64 Linux systems running vulnerable kernel versions. A regression introduced by commit d228ece36345 ('clk: divider: remove round_rate() in favor of determine_rate()') left the best_parent_hw field unpopulated in parent_req during GFX3D clock rate determination, causing a NULL dereference crash triggered by normal GPU devfreq monitoring. A local low-privileged user on a Qualcomm MSM/Snapdragon device can induce this crash through GPU frequency scaling activity. No public exploit exists and EPSS is 0.02%, consistent with a narrow hardware-specific bug rather than broadly exploitable vulnerability.

Denial Of Service Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's pm8916_lbc power supply driver allows a local attacker to potentially trigger memory corruption or kernel crashes during device removal. The flaw stems from incorrect ordering of devm_-managed resources: the extcon handle is freed before the IRQ is unregistered, leaving a window where the IRQ handler invokes extcon_set_state_sync() on freed memory. No public exploit identified at time of analysis, and EPSS rates exploitation probability at 0.02% (5th percentile), reflecting low real-world attacker interest in this driver-specific race.

Denial Of Service Use After Free Memory Corruption +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's AMD GPU display driver (drm/amd/display) crashes the kernel during Hot Plug Detection (HPD) initialization on systems with AMD GPUs. The amdgpu_dm_hpd_init() function assigns dc_link from a connector but then unconditionally dereferences it at line 940 of amdgpu_dm_irq.c without first confirming it is non-NULL - connectors lacking a valid dc_link trigger a kernel NULL dereference. Exploitation requires local, low-privileged access to a system with an affected AMD GPU; no public exploit has been identified at time of analysis and EPSS probability is 0.02% (5th percentile), indicating very limited real-world exploitation pressure.

Denial Of Service Null Pointer Dereference Amd +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in the Linux kernel's DRM Panthor GPU driver allows a local authenticated user to trigger an unrecoverable system hang via a blocked GPU memory subsystem. Specifically, when `panthor_gpu_flush_caches()` times out due to a blocked memory subsystem - a condition inducible through buggy GPU jobs submitted by user-mode drivers (UMD) - the driver previously had no recovery path, causing indefinite waits and system unavailability. The fix introduces timeout-aware reset scheduling and immediate -EIO short-circuiting for queued flush operations after a failure, but until patched, the condition is exploitable by any local user with access to the GPU device. No public exploit code exists and EPSS is extremely low (0.02%), consistent with a niche hardware-specific local DoS.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's PCI endpoint NTB driver allows an authenticated local attacker to crash the kernel (denial of service) by triggering a memory allocation failure during driver initialization. The missing NULL check after `alloc_workqueue()` in `epf_ntb_epc_init()` causes a subsequent `queue_work()` call to dereference a NULL pointer, resulting in a kernel panic. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects the narrow hardware-specific attack surface; this is not confirmed actively exploited (CISA KEV absent).

Denial Of Service Null Pointer Dereference Linux +2
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Firewall bypass in the Linux kernel's netfilter nft_inner module (versions 6.2 and later) allows remote attackers to forge transport headers in tunneled IPv6 packets due to a desynchronization between the computed inner transport header offset and the parsed L4 protocol. The flaw enables crafted IPv6 packets carrying extension headers to evade nftables inner-payload matching rules, with no public exploit identified at time of analysis and an EPSS score of 0.02% indicating negligible observed exploitation activity.

Authentication Bypass Linux Memory Corruption
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local privilege escalation in the Linux kernel's SMB/CIFS client allows unprivileged userspace processes to forge cifs.spnego keys via add_key(2) or request_key(2), supplying attacker-controlled pid, uid, creduid, and upcall_target fields that cifs.upcall trusts as kernel-originated. Successful exploitation enables impersonation of CIFS credential negotiation, leading to high confidentiality, integrity, and availability impact on systems mounting SMB shares. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Linux Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Linux kernel eventpoll (epoll) subsystem stems from a use-after-free in ep_remove() where file->f_ep is cleared but the file pointer continues to be used inside the f_lock critical section, allowing a concurrent __fput() to free the underlying struct eventpoll and struct file. Successful exploitation yields an attacker-controllable kmem_cache_free() against the wrong slab cache, enabling memory corruption that can lead to high-integrity, high-confidentiality, and high-availability impact (CVSS 7.8). EPSS is very low (0.02%), no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure Linux Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 3.3
LOW PATCH Monitor

NULL pointer dereference in Ubuntu Linux kernel SAUCE patches (versions 6.8, 6.17, and 7.0) allows an unprivileged local user to trigger a kernel oops, resulting in a denial of service. The flaw resides specifically in Ubuntu's out-of-tree SAUCE patches for AF_INET/AF_INET6 socket mediation - mainline Linux kernel builds are unaffected. No active exploitation is confirmed (not in CISA KEV), no public exploit has been identified at time of analysis, and the CVSS score of 3.3 (Low) accurately reflects the constrained impact: local access only, no confidentiality or integrity loss, and limited availability degradation.

Linux Ubuntu Null Pointer Dereference +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel panic via NULL pointer dereference in Ubuntu Linux 6.8's AppArmor notification handler allows a locally authenticated, unprivileged user to crash the system. The flaw resides in Ubuntu-specific SAUCE patches - out-of-tree modifications maintained by Canonical - meaning the vulnerable code path does not exist in upstream mainline kernels. With a CVSS score of 5.5 and an availability-only impact, the practical consequence is a local denial-of-service: any low-privilege user with shell access can force a kernel panic. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis.

Linux Ubuntu Null Pointer Dereference +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel availability loss in Ubuntu Linux 6.8, 6.17, and 7.0 can be triggered by any unprivileged local user via a defect in Ubuntu-specific AppArmor SAUCE patches, where notification handling code incorrectly sleeps while holding a spinlock. Violating this kernel locking invariant results in kernel panic or deadlock, causing a full system crash or hang. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low-complexity, low-privilege trigger conditions make it a realistic denial-of-service risk on any multi-user Ubuntu system running the affected kernel versions.

Linux Ubuntu Information Disclosure
NVD VulDB
EPSS 0% CVSS 3.3
LOW PATCH Monitor

NULL pointer dereference in Ubuntu Linux kernel versions 6.8, 6.17, and 7.0 allows a local unprivileged user to crash the kernel via the AppArmor notification handling path. The flaw exists exclusively in Ubuntu-specific SAUCE patches layered on top of the upstream Linux kernel, meaning only Ubuntu kernels carrying these versions are affected - not upstream Linux or other distributions. No public exploit code or active exploitation has been identified at time of analysis; the impact is limited to a kernel oops (availability loss, CVSS A:L), with no confidentiality or integrity impact.

Linux Ubuntu Null Pointer Dereference +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel SPI controller driver for Freescale MPC52xx (spi-mpc52xx) occurs when controller registration fails and the previously requested interrupts are not properly disabled or released, leaving dangling interrupt handlers tied to freed memory. Local users with the ability to load or interact with this SPI driver on affected systems could potentially trigger memory corruption or information disclosure. EPSS is 0.02% and there is no public exploit identified at time of analysis, but the issue is rated CVSS 7.8 due to high impact on confidentiality, integrity, and availability.

Linux Use After Free Memory Corruption +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation potential via use-after-free in Linux Kernel iris media driver affects kernels 6.18.16-6.18.31, 6.19.6-6.19.x, and 7.0 series prior to the fix commits. The flaw resides in iris_release_internal_buffers(), where session_release_buf() may free a buffer that the caller subsequently dereferences, a regression introduced by commit 1dabf00ee206. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but local low-privileged attackers on systems with the Qualcomm iris video accelerator driver could potentially leverage the freed-memory access.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Runtime PM reference count leak in the Linux kernel's OmniVision OV5647 camera sensor driver (media/i2c/ov5647) causes availability loss for systems equipped with this camera hardware. The s_ctrl function's handling of three V4L2 controls - AUTOGAIN, EXPOSURE_AUTO, and ANALOGUE_GAIN - returns early without invoking pm_runtime_put(), allowing unpaired runtime PM get/put calls to accumulate. A local user with access to the camera device node can trigger this imbalance repeatedly, exhausting the PM reference count and preventing the device from entering low-power states, ultimately making it unavailable. No public exploit has been identified; EPSS is 0.02% (5th percentile) and this vulnerability does not appear in CISA KEV.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free risk in the Linux kernel's batman-adv BAT IV mesh routing implementation allows adjacent network attackers to potentially corrupt memory or disclose information by triggering stale originator pointer dereferences. The flaw affects neigh_node structures that cached an auxiliary originator pointer not owned by the neighbor state, which could dangle after purge handling. No public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.02%, but the CVSS 8.8 rating reflects high impact across confidentiality, integrity, and availability if triggered.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local privilege-escalation-adjacent denial of service and potential memory corruption in the Linux kernel's AMD GPU VCN3 (Video Core Next 3) driver allows a local low-privileged user with GPU access to trigger an integer overflow in the message bound check of the drm/amdgpu/vcn3 subsystem. The flaw was identified by AMD's SDL review and patched upstream, and per CVSS it yields high confidentiality and availability impact without integrity impact. Exploitation status: no public exploit identified at time of analysis, and EPSS is very low at 0.02%.

Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Availability impact in the Linux kernel's xbox_remote media/rc driver allows a local, low-privileged user with access to the affected device to crash the kernel via a DMA coherency violation. The IO buffer used for USB transfers is embedded directly within the device structure, which violates DMA coherency rules and can trigger memory corruption leading to kernel panic. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% reflects minimal observed exploitation activity. Vendor-released patches are available across multiple stable kernel branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's saa7164 media driver can crash the kernel when ioremap() fails during PCI device initialization. Systems with SAA7164-based PCIe capture cards (e.g., Phillips/NXP SAA7164) running unpatched kernel versions from 2.6.32 through stable branches prior to 6.6.140, 6.12.90, 6.18.32, and 7.0.9 are affected. A local, low-privileged attacker who can trigger driver initialization under memory pressure conditions may cause a kernel oops or panic, resulting in denial of service. No public exploit exists and EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation probability at this time.

Denial Of Service Linux Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Linux kernel's vsock (virtio sockets) subsystem stems from inverted buffer-size clamping logic in vsock_update_buffer_size(), allowing a local user to grow vsk->buffer_size beyond the configured vsk->buffer_max_size and violate intended socket memory boundaries. Affected branches include stable trees prior to 6.6.140, 6.12.90, 6.18.32, 7.0.9, and 7.1-rc1; no public exploit identified at time of analysis and EPSS is 0.02% (5th percentile).

Linux Memory Corruption Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's batman-adv Bridge Loop Avoidance (BLA) subsystem enables local denial of service via kernel panic. The race condition exists in batadv_bla_purge_claims(), which traverses the claim hash list under rcu_read_lock() without accounting for concurrent claim releases - when batadv_claim_release() NULLs the backbone_gw pointer mid-traversal, a subsequent call to batadv_bla_claim_get_backbone_gw() on the partially-freed claim triggers a NULL dereference. Exploitation requires local low-privilege access on systems actively running batman-adv with BLA enabled; no active exploitation is confirmed and EPSS stands at 0.02% (5th percentile).

Denial Of Service Linux Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's HID PlayStation driver (dualshock4_parse_report) allows an adjacent attacker with a malicious or spoofed DualShock 4 controller to read up to ~2 KiB beyond the touch_reports array and have portions of that data emitted through evdev. The flaw stems from the driver trusting the device-supplied num_touch_reports field without bounds checking, enabling potential kernel memory disclosure and denial of service. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, but an upstream fix is available.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Reference counting failure in the Linux kernel's batman-adv Bridge Loop Avoidance (BLA) subsystem allows a local low-privileged user to cause a slow kernel memory leak and eventual denial of service. Specifically, batadv_bla_add_claim() omits the required batadv_backbone_gw_put() call on the error path when a claim hash insertion fails, preventing the backbone_gw object's reference count from ever reaching zero. The vulnerability has been present since at least kernel 4.7 and is patched across multiple stable branches; no public exploit exists and EPSS is extremely low at 0.02% (5th percentile), placing this firmly in the low-urgency tier except for environments actively running batman-adv with BLA.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's AMD GPU VCN3 (Video Core Next, generation 3) decoder message parser allows a local low-privileged user to read kernel memory beyond the buffer object boundary and potentially trigger denial of service. The flaw was resolved by adding bounds checks against the end of the buffer object whenever the dec msg is accessed. EPSS is very low (0.02%, 6th percentile) and no public exploit has been identified at time of analysis.

Linux Information Disclosure Buffer Overflow
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stale VRAM exposure in the Linux kernel's amdkfd driver (drm/amdkfd) allows local authenticated users to observe prior occupants' GPU memory contents and crash multi-GPU compute workloads. The KFD allocation path omitted the AMDGPU_GEM_CREATE_VRAM_CLEARED flag - present in every other userspace GEM allocation path - leaving freshly allocated VRAM buffers populated with data from previous processes. The primary documented availability impact is deterministic crashes in RCCL peer-to-peer transport when stale values corrupt the ptrExchange, head, and tail protocol fields; a secondary information-disclosure risk exists because stale page-table remnants are observable by unprivileged compute kernels. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile).

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's spi: ch341 USB-to-SPI driver allows a local user to degrade system availability by triggering driver unbind without physical device disconnection. The defect lies in incorrect devres (device-managed resource) lifetime scoping - resources are anchored to the parent USB device rather than the USB interface, so they are not released when the driver unbinds during events such as probe deferral or runtime configuration changes. No public exploit has been identified at time of analysis, and an EPSS score of 0.02% (4th percentile) indicates negligible exploitation probability in the near term.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Linux kernel SCTP subsystem allows unprivileged users to trigger a use-after-free or type confusion in the SCTP_SENDALL code path. The flaw stems from a stale iterator cursor in sctp_sendmsg() that survives across a dropped socket lock, and the type-confusion variant yields a controlled indirect call via outqueue.sched->init_sid. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the vendor description explicitly notes both bugs are reachable from CapEff=0.

Linux Information Disclosure Use After Free +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Improper driver teardown ordering in the Linux kernel's Freescale (FSL) SPI controller driver allows a local low-privileged user to trigger a denial-of-service condition during driver unbind. The SPI controller is not deregistered before underlying resources such as DMA are released, creating a window where the controller may reference freed memory. No public exploit has been identified at time of analysis, and EPSS sits at 0.02% (5th percentile), reflecting low real-world exploitation probability.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Improper resource deregistration ordering in the Linux kernel's spi/rspi (Renesas SPI controller) driver causes a local denial-of-service condition during driver unbind. The rspi driver releases DMA resources before deregistering the SPI controller, creating a window where in-flight controller operations can reference freed memory, resulting in a kernel crash or panic. With CVSS availability impact rated High and EPSS at 0.02% (5th percentile), this is a low-probability but locally exploitable stability issue affecting systems with Renesas SPI hardware. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's drm/xe Intel Xe GPU driver allows a local, low-privileged user to exhaust kernel memory by repeatedly triggering DMA buffer import failures, leading to denial of service. The bug resides in xe_dma_buf_init_obj(), where a pre-allocated buffer object (bo) is not freed when drm_gpuvm_resv_object_alloc() fails, due to ambiguous ownership semantics between the caller and callee on error paths. No public exploit exists and EPSS probability is extremely low at 0.02% (4th percentile), placing this in the maintenance-priority category rather than urgent remediation for most environments.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

An A-A (same-task) deadlock in the Linux kernel cgroup rmdir path (versions 7.0 through 7.1-rc2 and 6.19.x) can permanently hang the entire system, requiring a hard reboot. When a process acting as both a PID namespace zombie reaper (e.g., systemd/PID 1) and the cgroup rmdir(2) caller encounters dying tasks still linked to cgroup csets, the kernel blocks the reaper indefinitely in TASK_UNINTERRUPTIBLE, creating a circular dependency from which the system cannot recover. No public exploit has been identified at time of analysis, EPSS exploitation probability is extremely low (0.02%), and no CISA KEV listing exists - consistent with the scenario's narrow, operationally specific triggering conditions.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's Rockchip RKCIF (Camera Interface) media driver crashes the kernel when a local user enables streaming on a video device with no connected subdevice. Affected systems are Rockchip SoC-based platforms running Linux kernel versions from the introduction of the rkcif driver up through 6.19. A low-privileged local attacker can trigger a kernel panic - full denial of service - via the standard V4L2 VIDIOC_STREAMON ioctl. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS of 0.02% (5th percentile) reflects the narrow hardware-specific attack surface.

Linux Null Pointer Dereference Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's EDAC/versalnet driver allows a local low-privileged user to gradually exhaust kernel heap memory, rated CVSS 5.5 with high availability impact. The flaw exists in init_one_mc() where a kzalloc()-allocated device name string becomes permanently unreachable after device_register() copies and nullifies the pointer, preventing any subsequent free on device removal. No public exploit identified at time of analysis; EPSS at 0.02% (4th percentile) confirms this is a low-exploitation-probability defect rather than an actively targeted vulnerability.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel panic via reachable assertion in the Linux kernel's AMDGPU SDMA v4 driver allows a local low-privileged user to crash the system by submitting crafted GPU command buffers. The sdma_v4_0_ring_emit_fence() function contains BUG_ON() assertions verifying dword-alignment of fence writeback addresses; these assertions are reachable through the DRM_IOCTL_AMDGPU_CS ioctl from unprivileged userspace, causing a fatal panic in a kernel scheduler worker thread. No public exploit or active exploitation has been identified at time of analysis, and EPSS at 0.02% reflects low exploitation likelihood, but the impact on shared GPU compute systems warrants prompt patching.

Linux Denial Of Service Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's MPC52xx SPI driver (spi-mpc52xx) can be triggered when the driver is unbound, because the interrupt-scheduled state machine work is not cancelled after interrupts are disabled. Local users with the ability to unbind the driver could potentially corrupt kernel memory, with confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.

Use After Free Linux Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's amdgpu (AMD GPU) driver allows local users with low privileges to trigger denial of service or read sensitive kernel memory by interacting with the uvd/vce/vcn IB (indirect buffer) handling paths. The flaw stems from missing bounds checks in ib_get_value and ib_set_value when accessing the IB at predefined offsets, compounded by a signed-integer index that could overflow. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%.

Linux RCE
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Integer overflow in the AMDGPU VCN4 (Video Core Next 4) multimedia driver within the Linux kernel allows a local low-privileged user to cause a kernel denial of service. The bounds check on incoming messages to the VCN4 encoder/decoder engine contains an overflow-vulnerable condition, meaning a crafted message can bypass intended size validation. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at the 5th percentile, indicating very low real-world exploitation likelihood currently.

Linux Buffer Overflow Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's Intel Xe DRM HDCP GSC subsystem allows a local, low-privileged user to crash the kernel when media GT is disabled via configfs. The function `intel_hdcp_gsc_check_status()` evaluates `&gt->uc.gsc` without first verifying that `media_gt` is non-NULL, producing a kernel pagefault on systems where media GT has been explicitly disabled through the configfs interface. Exploitation yields a denial of service (kernel panic) with no confidentiality or integrity impact; no public exploit identified at time of analysis, and EPSS probability is 0.02% (5th percentile), indicating very low exploitation likelihood in the wild.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's DRM (Direct Rendering Manager) GEM handle subsystem allows a local authenticated attacker to trigger memory corruption via a race condition in the change_handle ioctl. The flaw stems from a window where a single GEM object briefly held two IDR entries, letting a concurrent gem_close call dereference a dangling handle. No public exploit identified at time of analysis and EPSS exploitation probability is low (0.02%), but the CVSS 7.8 reflects full confidentiality, integrity, and availability impact on affected systems.

Linux Information Disclosure Memory Corruption +1
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial-of-service via accept queue counter leak in the Linux kernel's vsock/virtio subsystem allows an authenticated local attacker to permanently exhaust a listener socket's backlog, causing it to reject all new connections. The flaw exists from kernel 5.5 onward in virtio_transport_recv_listen(), where sk_acceptq_added() is called before vsock_assign_transport() validation; failed transport assignments never call the paired sk_acceptq_removed(), permanently inflating sk_ack_backlog. No public exploit exists and EPSS is at the 5th percentile, but the impact in multi-tenant virtualized environments relying on vsock communication is a complete denial of vsock listener service.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's appletb-kbd HID driver allows local low-privileged users on Apple Touch Bar-equipped MacBooks to potentially trigger memory corruption during driver tear-down. The flaw stems from incorrect ordering of timer cleanup and device reference release in the inactivity-timer cleanup path, leaving two race windows where a softirq can dereference freed backlight_device memory. EPSS is very low (0.02%) and no public exploit identified at time of analysis; impact is limited to systems running the appletb-kbd driver, primarily Apple MacBook Pro hardware with Touch Bars.

Information Disclosure Use After Free Apple +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh networking module's bridge loop avoidance (BLA) subsystem allows adjacent attackers on the same Layer-2 segment to potentially trigger memory corruption when claim entries are deleted. The flaw, with a CVSS of 8.8 (AV:A/AC:L/PR:N/UI:N), exists in batadv_bla_del_backbone_claims() where a claim reference may be released before its final use, enabling exploitation by anyone able to inject mesh traffic. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but upstream fixes have been released across multiple stable kernel branches.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference and silent error suppression in the Linux kernel's Qualcomm MSM DRM/GEM subsystem allows a low-privileged local user to crash the kernel (denial of service) via a crafted GEM_INFO ioctl call. The msm_ioctl_gem_info_get_metadata() function unconditionally returns 0 on error and fails to check kmemdup() for a NULL return, enabling a dereference in the subsequent copy_to_user() call. No public exploit has been identified at time of analysis and EPSS is 0.02% (5th percentile), reflecting minimal real-world exploitation pressure despite the confirmed availability of upstream patch commits.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's iris media driver allows local users with low privileges to trigger a use-after-free condition via concurrent access during Macro Blocks Per Frame (MBPF) checks. The flaw affects Linux kernel 6.18 and stems from improper lock ordering where fmt_src and fmt_dst structures are freed under inst->lock while the instance remains in the core list traversed under core->lock. EPSS is very low at 0.02% (5th percentile) and no public exploit identified at time of analysis, but the high CVSS score reflects severe local impact.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation potential exists in the Linux kernel's DRM/GEM framebuffer subsystem (drm_gem_fb_init_with_funcs) where inconsistent plane dimension calculations between integer division and DIV_ROUND_UP cause a size-check bypass. A local low-privileged user able to invoke the framebuffer ioctl with specific pixel formats (e.g., NV12) and crafted dimensions can trigger an out-of-bounds GPU memory access on the chroma plane, leading to memory corruption with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS is very low (0.02%), suggesting limited near-term exploitation risk despite the 7.8 CVSS.

Linux Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free / race condition in the Linux kernel's batman-adv mesh networking module allows a local low-privileged attacker to trigger memory corruption by exploiting unsynchronized tp_meter sessions during mesh interface teardown. The flaw stems from batadv_mesh_free() not draining active tp_meter sessions before shutdown, letting sender threads or late-arriving packets operate on a destroyed mesh instance. No public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.02%.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Uninitialized socket buffer data exposure in the Linux kernel's vsock/virtio transport layer (6.7 and later) corrupts vsockmon tap monitoring output when non-linear skbs are in use. The `virtio_transport_copy_nonlinear_skb()` function constructs an `iov_iter` without setting `iov_iter.count`, causing zero-length copies that leave skb payloads uninitialized on the monitor interface - potentially exposing stale kernel memory to vsockmon consumers. Patched stable releases 6.12.90, 6.18.32, and 7.0.9 are available; no public exploit exists and EPSS stands at 0.02% (5th percentile), placing real-world exploitation risk very low but warranting attention in environments actively using vsockmon debugging.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation risk in the Linux kernel's batman-adv mesh networking module allows authenticated local users to trigger memory corruption by initiating new tp_meter throughput measurement sessions during mesh teardown. The flaw exists because the tp_meter subsystem failed to reject new sender/receiver sessions after mesh_state transitioned out of BATADV_MESH_ACTIVE, creating a race condition during module shutdown. No public exploit identified at time of analysis, and EPSS exploitation probability is extremely low at 0.02%.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation risk in the Linux kernel's atomisp staging media driver allows authenticated low-privileged users to potentially abuse private IOCTLs that were not adequately validated. The upstream fix disables all private IOCTLs in the atomisp driver by returning early when the command is non-zero. EPSS is very low at 0.02% (5th percentile) and no public exploit identified at time of analysis, indicating limited real-world exploitation interest.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's AMD GPU VCN4 (Video Core Next) driver allows a local user with GPU access to trigger memory disclosure or denial of service by submitting a crafted indirect buffer (IB) to the amdgpu DRM subsystem. The flaw stems from missing bounds checks while parsing IBs in the drm/amdgpu/vcn4 code path, and no public exploit identified at time of analysis. EPSS exploitation probability is very low (0.02%) and the issue is not listed in CISA KEV.

Linux Information Disclosure Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Unclocked register access in the Linux kernel's Cadence Quadspi SPI controller driver (spi-cadence-quadspi) occurs during driver unbind, affecting kernel versions through 7.0.x and 7.1-rc1. A local low-privileged user able to trigger driver unbind can cause high-impact confidentiality loss and denial of service on systems using affected SPI hardware. There is no public exploit identified at time of analysis and EPSS rates exploitation probability at just 0.02%.

Information Disclosure Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel crash (denial of service) in the Linux kernel's hid-appletb-kbd driver results from calling a mutex-acquiring function from softirq and IRQ atomic contexts on Apple Touch Bar MacBooks running Linux. Authenticated local attackers with low privileges can trigger a kernel BUG by inducing Touch Bar inactivity or generating HID events that exercise the broken brightness-reset path, crashing the system. No public exploit has been identified and EPSS is 0.02% (4th percentile), reflecting the niche hardware requirement; patches are available in kernel versions 6.18.32, 7.0.9, and 7.1-rc4.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-context resource leak in the Linux kernel's Intel Xe DRM driver allows a local user with GPU access to exhaust dma-buf attachments by repeatedly triggering the failure path in xe_gem_prime_import(). The flaw, addressed across multiple stable trees (6.12.90, 7.0.9, 6.18.32, 7.1-rc2), causes a dma-buf attachment to remain attached when xe_dma_buf_init_obj() fails, producing a kernel-side memory and reference leak. EPSS is 0.02% and the issue is not on the CISA KEV list; no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial-of-service via improper resource teardown ordering in the Linux kernel's MPC52xx SPI controller driver (spi/mpc52xx) affects systems running PowerPC-based embedded hardware. During driver unbind, the SPI controller was deregistered after - rather than before - disabling underlying resources such as interrupts and GPIOs, creating a window where the kernel could access freed or disabled resources and trigger a system crash. No public exploit has been identified at time of analysis, and with an EPSS of 0.02% (5th percentile), real-world exploitation is assessed as very low probability.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the AMD GPU VCN4 (Video Core Next, 4th generation) decoder message parser of the Linux kernel allows a local low-privileged user to read kernel memory beyond the decoder message buffer object, potentially leading to information disclosure and denial of service. The flaw exists in the drm/amdgpu/vcn4 driver where bounds against the end of the buffer object (BO) were not validated when parsing decoder messages. No public exploit identified at time of analysis and EPSS scores the exploitation probability at just 0.02% (6th percentile), but a vendor patch is available across multiple stable branches.

Linux Information Disclosure Buffer Overflow
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's batman-adv (B.A.T.M.A.N. advanced) mesh networking module stems from an integer overflow on the s16 buff_pos variable in batadv_iv_ogm_send_to_if, where the size check is performed using int while the position counter uses s16. Adjacent-network attackers on a batman-adv mesh can trigger the overflow by sending crafted OGM (Originator Message) aggregation packets, potentially leaking kernel memory or causing denial of service. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, but the issue carries a CVSS of 8.8 due to high impact on confidentiality, integrity, and availability across adjacent networks.

Linux Buffer Overflow Integer Overflow
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation via out-of-bounds buffer access in the Linux kernel's AMD KFD (Kernel Fusion Driver) SVM ioctl interface allows authenticated local users to corrupt kernel memory by supplying an attacker-controlled nattr attribute count that exceeds the buffer size. The flaw affects systems running AMD GPUs with the amdkfd driver and has been resolved upstream across multiple stable branches. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, but the high CIA impact warrants prompt patching on AMD GPU compute workstations and HPC nodes.

Linux Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Persistent availability degradation in the Linux kernel tracepoint subsystem results from an unbalanced regfunc()/unregfunc() pair when tracepoint_add_func() fails mid-registration. When func_add() returns an error (such as -ENOMEM) after regfunc() has already executed, ext->unregfunc() is never called, leaving side effects permanently in place - for syscall tracepoints, this sticks sys_tracepoint_refcount at a non-zero value and keeps SYSCALL_TRACEPOINT set on every running task, imposing unnecessary syscall trace entry/exit overhead on all processes until reboot. No public exploit identified at time of analysis and EPSS is 0.02% (5th percentile), indicating this is a low-probability exploitation target, though it is a confirmed kernel-quality bug with patches issued across multiple stable branches.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Memory corruption in the Linux kernel SMB client (cifs) allows a malicious SMB server to trigger out-of-bounds reads and potential dereferences in the DACL parsing path on 32-bit builds. The flaw resides in parse_sec_desc(), build_sec_desc(), and id_mode_to_cifs_acl(), where a server-supplied dacloffset value near U32_MAX can wrap around and bypass pointer-based bounds checks during chmod/chown operations against SMB shares. EPSS is very low at 0.02% and there is no public exploit identified at time of analysis, but the issue is a confirmed kernel bug with upstream fixes already merged.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Kernel panic via race condition in the f2fs filesystem extent node management affects Linux kernel across multiple stable branches. When f2fs_destroy_extent_node() is invoked from f2fs_drop_inode() with I_SYNC set, a concurrent kworker writeback thread can insert new extent nodes into the same extent tree between lock releases, causing node_cnt to become non-zero upon loop exit and triggering f2fs_bug_on() - a deliberate kernel assertion failure resulting in a system crash. A secondary gap leaves EX_BLOCK_AGE extent tree updates completely unprotected by the FI_NO_EXTENT flag check, compounding the race surface. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile), indicating low exploitation probability in the near term.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The xfrm AH (Authentication Header) subsystem in the Linux kernel miscalculates ICV buffer offsets during asynchronous callback processing when Extended Sequence Numbers (ESN) are enabled, resulting in 100% packet loss on affected IPsec AH tunnels. Systems running AH with ESN and an async HMAC implementation (confirmed in developer-provided UML repro with forced-async hmac(sha1)) on both IPv4 and IPv6 paths are affected across multiple stable kernel branches going back to the commit introducing ESN async support. No public exploit exists and EPSS sits at 0.02% (5th percentile), reflecting a correctness defect with no exploitation interest rather than a broad attack surface; patch versions are confirmed across six stable branches.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in the Linux kernel's Microchip Core QSPI driver corrupts SPI transfers on systems using this controller. The spi-microchip-core-qspi driver incorrectly attempts to transmit garbage data during emulated read-only dual/quad SPI operations - a protocol violation, since QSPI lacks a dedicated MOSI line and the core hardware is expected to generate read clock cycles autonomously. The result is a bricked (permanently failed) SPI transfer, causing availability loss for any kernel component or userspace process depending on that SPI bus. No public exploit exists and EPSS probability is 0.02%, consistent with a hardware-specific, locally-triggered driver defect.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's framebuffer console (fbcon) subsystem allows a local low-privileged attacker to access kernel memory beyond the font buffer when console rotation is enabled and font reallocation fails. The flaw resides in fbcon_rotate_font() which retains the undersized old buffer after a failed reallocation, so printing characters with high-enough codes overflows the font buffer during putcs operations. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%), but the issue is patched across multiple stable kernel branches.

Linux Information Disclosure Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's SPI-NOR flash debugfs interface (spi_nor_params_show) allows local authenticated users with debugfs access to trigger memory disclosure or denial of service on 64-bit systems. The flaw stems from sizeof() being used on a pointer array instead of ARRAY_SIZE(), inflating the bounds-check length by 8x. No public exploit identified at time of analysis and EPSS rates exploitation likelihood at 0.02%.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Double-free memory corruption in the Linux kernel's vmw_pvrdma (VMware Paravirtual RDMA) driver allows local authenticated users to corrupt kernel memory and potentially escalate privileges. The flaw occurs in the pvrdma_alloc_ucontext() error path where pvrdma_uar_free() is invoked twice - once explicitly and again via pvrdma_dealloc_ucontext(). No public exploit identified at time of analysis, and EPSS (0.02%) indicates very low near-term exploitation probability.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's octeon_ep_vf driver crashes the kernel when napi_build_skb() fails during memory allocation in the receive path. Systems running kernels from the introduction of the octeon_ep_vf driver (commit 1cd3b407977c) through multiple stable branches are affected where Marvell Octeon EP VF network adapters are in use. A local, low-privileged attacker who can induce memory pressure while network traffic flows through an Octeon EP VF interface can trigger a kernel panic, resulting in full system unavailability. No public exploit code exists, EPSS is 0.02% (5th percentile), and this vulnerability has not been added to CISA KEV.

Denial Of Service Linux Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Use-after-free in the Linux kernel's RSI (Redpine Signals) WiFi driver allows a local low-privileged attacker to crash the kernel by exploiting a race condition between kthread self-exit and external stop operations. When `kthread_complete_and_exit` races ahead of `kthread_stop`, the already-freed task struct is dereferenced, causing a kernel denial of service. No public exploit has been identified and EPSS sits at 0.02% (5th percentile), reflecting very low real-world exploitation probability; the vulnerability is not listed in CISA KEV.

Race Condition Linux Information Disclosure +2
NVD VulDB
Prev Page 7 of 143 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy