Skip to main content

Linux

12819 CVEs vendor

Monthly

CVE-2026-46186 MEDIUM PATCH This Month

Uninitialized memory read in Linux kernel's Bluetooth virtio_bt driver allows a malicious or compromised virtio backend to trigger kernel DoS and potential information disclosure against guest VMs. The driver's virtbt_rx_handle() function fails to validate that received RX socket buffers contain sufficient bytes to cover the fixed HCI header for the declared packet type before forwarding to hci_recv_frame(). A backend-supplied one-byte completion with type HCI_ACLDATA_PKT causes the ACL classification path in hci_dev_classify_pkt_type() to dereference hci_acl_hdr(skb)->handle on an empty buffer when the HCI device holds an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with a kernel subsystem bug requiring privileged backend access in a virtualized environment.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46185 CRITICAL PATCH Act Now

Out-of-bounds read in the Linux kernel's SMB client (smb/client) symlink handling allows a malicious or compromised SMB server to trigger memory disclosure or denial-of-service against Linux clients that mount SMB shares. The flaw resides in symlink_data() where smb2_check_message() does not validate response length before fields beyond the 64-byte SMB2 header are accessed. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, though upstream kernel fixes have already been merged across multiple stable branches.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-46184 MEDIUM PATCH This Month

Division by zero in the Linux kernel's ua101 USB audio driver allows a local attacker to crash the kernel by presenting a crafted USB device with a malformed audio class descriptor. The ua101 driver's `detect_usb_format()` function fails to validate the `bNrChannels` field before use, so a device reporting `bNrChannels = 0` causes `frame_bytes` to become zero, which is subsequently used as a divisor in both `playback_urb_complete()` and `capture_urb_complete()` URB handlers, triggering a fatal kernel panic. No public exploit has been identified and EPSS is 0.02% (5th percentile), but the vulnerability affects multiple supported stable branches and patches are available across all of them.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46183 HIGH PATCH This Week

Use-after-free in the Linux kernel's DAMON (Data Access MONitor) sysfs-schemes interface allows local users with sysfs access to read freed memory by racing concurrent reads and writes of the quota goal 'path' file across separate file descriptors. EPSS is 0.02% and no public exploit identified at time of analysis, but the CVSS 7.8 reflects full CIA impact if a local attacker can win the race.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46182 MEDIUM PATCH This Month

Kernel stack memory disclosure in the Linux kernel's pseries/papr-hvpipe driver exposes up to 43 bytes of uninitialized stack data to unprivileged local users on IBM Power (pseries) systems. The `struct papr_hvpipe_hdr` reserved padding fields (`reserved[3]` and `reserved2[40]`) are never zeroed before `copy_to_user()` copies the full structure to userspace, allowing a local attacker to harvest stale kernel stack contents - potentially including ASLR offsets or residual cryptographic material. No public exploit exists and no CISA KEV listing applies; EPSS at 0.02% (4th percentile) reflects low exploitation probability consistent with the narrow pseries-only deployment scope. Vendor-released patches are confirmed in stable branches 6.18.30, 7.0.7, and 7.1-rc3.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46181 HIGH PATCH This Week

Local privilege escalation or denial-of-service in the Linux kernel's RDMA/mlx4 InfiniBand driver stems from improper RCU synchronization in mlx4_srq_event(), where the mlx4_srq structure is never freed via RCU and can be accessed before initialization completes. Local low-privileged users on systems using Mellanox ConnectX (mlx4) RDMA hardware can trigger a race condition leading to memory corruption or kernel crash, with CVSS 7.8 reflecting high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and EPSS scores this at just 0.02%, indicating minimal real-world exploitation likelihood.

Linux Denial Of Service
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46180 HIGH PATCH This Week

Local privilege escalation risk in the Linux kernel's brcmfmac Broadcom FullMAC Wi-Fi driver stems from a use-after-free in the watchdog kthread teardown path, where the watchdog task can exit between send_sig() and kthread_stop(), leaving stale memory accessible. Successful exploitation by a local low-privileged attacker who can trigger driver teardown could yield kernel memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis and EPSS is very low (0.02%), suggesting limited near-term exploitation interest.

Linux Use After Free Memory Corruption Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46179 MEDIUM PATCH This Month

Divide-by-zero in the Linux kernel ASoC SOF compressed audio subsystem allows a low-privileged local user to crash the kernel by querying stream pointer position before stream parameters are configured. Affected are Linux kernel stable branches 6.6 through 7.0 (pre-patch), all running on hardware with SOF audio drivers loaded. No active exploitation has been confirmed - EPSS sits at 0.02% (5th percentile) and the vulnerability is absent from CISA KEV - making this a medium-severity availability risk relevant primarily to multi-user desktop and embedded audio platforms.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46178 HIGH PATCH This Week

Resource leak in the Linux kernel's RDMA/mlx4 InfiniBand driver allows local authenticated users to trigger kernel memory exhaustion when mlx4_ib_create_srq() fails, because mlx4_srq_alloc() is not properly undone via mlx4_srq_free() during error unwind. CVSS 7.8 (AV:L/AC:L/PR:L) reflects local privileged access required, and EPSS is very low at 0.02% (5th percentile), with no public exploit identified at time of analysis. The fix has been merged upstream and backported across multiple stable trees, indicating broad downstream exposure on systems using Mellanox ConnectX HCAs.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46177 HIGH PATCH This Week

Denial of service in the Linux kernel IPMI driver allows a malicious or buggy BMC (Baseboard Management Controller) to indefinitely stall the driver by never signaling completion on event/message fetches or by keeping the attention (attn) bit asserted. The CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/C:N/I:N/A:H) score reflects pure availability impact, and the issue has existed since the IPMI driver's inception; no public exploit identified at time of analysis and EPSS is 0.02% (5th percentile), indicating very low exploitation likelihood.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-46176 HIGH PATCH This Week

Use-after-free and double-free condition in the Linux kernel RDMA/mlx5 driver allows local privileged users to corrupt kernel memory through error path mishandling in mlx5_ib_dev_res_srq_init(). The flaw stems from incorrect fall-through logic when ib_create_srq() fails for the second Shared Receive Queue (s1), leaving freed s0 pointers and ERR_PTR values assigned to device resource fields. No public exploit identified at time of analysis, with EPSS scoring this at just 0.02% probability of exploitation.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46175 HIGH PATCH This Week

Filesystem inconsistency in the Linux kernel's F2FS implementation allows local authenticated users to trigger fsck misinterpretation of node block migration as fsync-written data, resulting in filesystem integrity issues following a sudden power-off (SPO). Affecting Linux kernel versions through 7.0.7 and 7.1-rc1 (with backports to 6.18.30), the flaw stems from Foreground Garbage Collection (FGGC) failing to clear dentry and fsync marks during node block migration. No public exploit identified at time of analysis, and EPSS is very low at 0.02% (4th percentile).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46174 HIGH PATCH This Week

Local privilege escalation and information disclosure in the Linux kernel on AMD Zen2 CPUs allows low-privileged users to trigger instruction corruption via improper isolation of shared resources in the op cache. Affecting kernels prior to 5.10.256, 5.15.207, 6.1.173, 6.6.139, 6.12.88, 6.18.30, and 7.0.7, the flaw carries a CVSS 8.8 due to scope change (S:C) impacting confidentiality, integrity, and availability beyond the original security boundary. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but the architectural nature of the bug (CPU op cache sharing) makes it relevant for multi-tenant and virtualization workloads.

Linux Amd Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-46173 HIGH PATCH This Week

Memory corruption in the Linux kernel scheduler exit path allows local low-privileged users to trigger use-after-free or double-free of task stacks when an exiting task oopses, per CVE-2026-46173. The flaw stems from make_task_dead() invoking do_task_dead() with preemption enabled, violating the scheduler's requirement that __schedule() run with preemption disabled, which can leave two tasks running on the same stack. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46172 MEDIUM PATCH This Month

Resource exhaustion via dst entry reference leak in the Linux kernel's IPv6 IPsec (xfrm6) receive path allows a local attacker with low privileges to cause a denial of service by exhausting kernel memory. The flaw exists in xfrm6_rcv_encap(), which calls ip6_route_input_lookup() returning a referenced dst entry even for error routes, but fails to release that reference before dropping the packet when dst->error is set. Repeated packets hitting this code path therefore accumulate unreleased dst references, ultimately crashing the system. No public exploit exists and this vulnerability is not in the CISA KEV list; EPSS exploitation probability is extremely low at 0.02% (5th percentile).

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46171 MEDIUM PATCH This Month

Memory leak in the Linux kernel's RISC-V KVM vector context allocation allows a local low-privileged attacker to exhaust kernel memory, causing denial of service on RISC-V hypervisor hosts. The flaw exists in kvm_riscv_vcpu_alloc_vector_context() where a failed second kzalloc call (host_context.vector.datap) returns an error without freeing the first allocation (guest_context.vector.datap), accumulating unreleased kernel memory across repeated vCPU creation attempts. No public exploit exists and no active exploitation is confirmed; EPSS at 0.02% (4th percentile) reflects the narrow RISC-V KVM deployment surface.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46170 MEDIUM PATCH This Month

The MPTCP (Multipath TCP) path manager in the Linux kernel mishandles socket reference counting during ADD_ADDR retransmission timer callbacks, resulting in a local denial-of-service. When the retransmit timer fires and holds the last reference to a socket, calling __sock_put() instead of sock_put() leaks the socket; and if sock_put() is used without first marking the timer done, the resulting sk_free() call invokes sk_stop_timer_sync() on the same in-flight timer, causing the kernel to wait indefinitely. No public exploit has been identified at time of analysis; EPSS is 0.02% (4th percentile), and the vulnerability is not listed in CISA KEV.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46169 MEDIUM PATCH This Month

Uninitialized memory use in the Linux kernel HFS+ filesystem driver (hfsplus) can crash the kernel when a local user mounts a crafted, corrupted HFS+ image. The flaw in hfs_brec_read() allows a partial catalog record read - as few as 26 bytes into a 520-byte structure - leaving the nodeName field uninitialized; this data then propagates through hfsplus_cat_build_key_uni() into hfsplus_strcasecmp(), where it is used as array indices in case_fold(), triggering a kernel denial of service. No public exploit is identified at time of analysis and EPSS is very low at 0.02% (5th percentile); this is not listed in CISA KEV.

Linux Authentication Bypass
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46168 MEDIUM PATCH This Month

Scheduling-while-atomic kernel panic in the Linux kernel MPTCP subsystem allows a local low-privileged user to crash the host by setting timestamp socket options on an MPTCP socket. The defect stems from invoking sleepable helpers - sock_set_timestamp() and sock_set_timestamping() - inside the atomic context established by lock_sock_fast(), violating the kernel's non-sleeping constraint for spinlock holders. No public exploit code has been identified and EPSS sits at 0.02% (5th percentile), indicating negligible real-world exploitation probability at this time. Note: the 'Information Disclosure' tag applied by some sources appears incorrect - the actual impact is limited to availability (kernel panic/crash) with no confidentiality or integrity consequence per the CVSS vector.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46167 MEDIUM PATCH This Month

Uninitialized heap memory in the Linux kernel's usblp USB printer driver leaks a stale kernel byte to userspace through the LPGETSTATUS ioctl when a malicious or non-compliant USB printer returns zero bytes to a one-byte status request. Affected branches span kernel versions from 2.6.12 through 6.18.x, 7.0.x, and 7.1-rc3, with fixes available in stable releases 6.6.140, 6.12.88, 6.18.30, and 7.0.7. No public exploit exists and EPSS stands at 0.02% (5th percentile); exploitation requires local access, a cooperating malicious USB device, and access to the printer device node - substantially narrowing real-world risk despite the breadth of affected kernel versions.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46166 HIGH PATCH This Week

Use-after-free in the Linux kernel mac80211 wireless subsystem allows attackers on the adjacent wireless network to corrupt kernel memory by triggering radar detection cancellation paths that free a channel context still being iterated. No public exploit identified at time of analysis, and EPSS exploitation probability is 0.02% (5th percentile), but the high CVSS reflects severe potential impact on confidentiality, integrity, and availability if exploited. A vendor-released patch is available in stable kernel updates including 6.12.88, 6.18.30, and 7.0.7.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-46165 MEDIUM PATCH This Month

OpenVSwitch tunnel port removal in the Linux kernel triggers a self-deadlock that permanently hangs the kernel's RTNL lock, causing a denial of service requiring system reboot. The flaw affects systems across multiple stable kernel branches (6.6.x, 6.12.x, 6.18.x, 7.0.x) where OVS tunnel vports (VXLAN, GRE, GENEVE) are actively managed. Patched versions are available across all affected stable branches; no public exploit identified at time of analysis, and the EPSS score of 0.02% (5th percentile) indicates negligible observed exploitation probability.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46164 HIGH PATCH This Week

Memory corruption in the Linux kernel's btrfs filesystem can be triggered when create_space_info_sub_group() encounters a kobject initialization failure, causing the sub_group structure to be freed twice. The double-free occurs because btrfs_sysfs_add_space_info_type() already releases the memory via kobject_put() in its error path, after which the caller frees it again. EPSS scores this at 0.02% (5th percentile) and there is no public exploit identified at time of analysis, but a vendor-released patch is available.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-46163 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's b43legacy wireless driver allows a local attacker with low privileges to read beyond the dev->key[] array when firmware reports a key index exceeding dev->max_nr_keys. The existing B43legacy_WARN_ON check was non-enforcing in production builds, permitting memory disclosure during RX packet handling on systems with vulnerable Broadcom legacy WiFi chipsets. No public exploit identified at time of analysis, and EPSS is very low (0.02%), suggesting limited near-term mass exploitation despite a high CVSS of 7.8.

Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46162 HIGH PATCH This Week

Double-free memory corruption in the Linux kernel's Intel ice (E810) network driver occurs in the ice_sf_eth_activate() error path when auxiliary_device_add() fails, causing sf_dev to be freed twice. Affecting Linux kernel versions starting at 6.12 through pre-patch builds, a local privileged user triggering the failure path can corrupt kernel heap state, with no public exploit identified at time of analysis and a very low EPSS score of 0.02%.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46161 MEDIUM PATCH This Month

Divide-by-zero in the Linux kernel's md/raid10 subsystem allows a local authenticated user to crash the kernel by supplying a zero far_copies value when configuring a RAID10 array with the 'improved' far set layout. The affected function setup_geo() performs the division geo->far_set_size = disks / fc without first validating that fc is non-zero, triggering a kernel oops or panic and producing a high availability impact. EPSS is 0.02% (5th percentile) and this CVE is not listed in CISA KEV, consistent with the local-only, configuration-specific attack vector and no public exploit identified at time of analysis.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46160 MEDIUM PATCH This Month

Filesystem availability loss in the Linux kernel's btrfs subsystem can render a mounted volume unrecoverable after a power failure under specific directory removal conditions. The btrfs directory removal path fails to update the inode's `last_unlink_trans` field, causing a stale transaction ID to persist. When a process holds an open file descriptor to the removed directory and subsequently calls fsync, the incomplete journal entry survives to disk; upon next mount, log replay fails with -EIO and a 'corrupt leaf: invalid nlink' critical error, leaving the filesystem unmountable. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects negligible opportunistic exploitation interest, consistent with a logic-flaw data-integrity bug rather than a memory-corruption primitive.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46159 MEDIUM PATCH This Month

Kernel heap memory disclosure in the Linux btrfs subsystem allows a low-privileged local user to read uninitialized kmalloc heap bytes from kernel memory via a TOCTOU race in the btrfs_ioctl_space_info() code path. Affected systems are those running btrfs filesystems on kernel versions dating back to 2.6.34; the race window opens when groups_sem is released between the slot-counting and buffer-filling passes of the ioctl, and concurrent block group removal shrinks the actual entry count below the allocated buffer size, causing copy_to_user() to copy trailing uninitialized heap data into userspace. No public exploit has been identified at time of analysis and EPSS exploitation probability is extremely low (0.02%), but patched stable releases are available.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-46158 MEDIUM PATCH This Month

Socket reference count leak in the Linux kernel MPTCP path manager allows a local low-privilege attacker to cause kernel resource exhaustion and denial of service by repeatedly triggering ADD_ADDR retransmission events. Affected versions span from Linux 5.10 through 7.1-rc2, with patches confirmed available in stable releases 6.18.30, 7.0.7, and 7.1-rc3. No public exploit has been identified and EPSS probability is negligible at 0.02%, placing this firmly in routine maintenance priority rather than emergency response.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46157 HIGH PATCH This Week

Local privilege escalation risk in the Linux kernel's ALSA PCM OSS emulation layer stems from an unprotected concurrent access to the runtime.oss.trigger bit field, allowing racing writes to corrupt adjacent bit fields and destabilize sound device state. The flaw affects Linux kernel versions prior to 6.12.88, 6.18.30, and 7.0.7, and was discovered through fuzzing; no public exploit identified at time of analysis, and EPSS scoring (0.02%) indicates negligible probability of opportunistic exploitation.

Linux Information Disclosure Race Condition
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46156 MEDIUM PATCH This Month

Kernel panic (ADE - Address Error for Memory access) in the LoongArch-specific PCI fixup function loongson_gpu_fixup_dma_hang() crashes systems that boot with a discrete Loongson GPU whose PCI device ID does not match any handled case in the switch statement. The missing default case causes readl() to be called with a garbage MMIO address derived from uninitialized register state, resulting in a hard kernel panic at boot time (PID 1, swapper/0) and rendering the system unavailable. No public exploit identified at time of analysis, and EPSS is 0.02% (5th percentile), consistent with a hardware-specific local DoS requiring no attacker interaction.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46155 CRITICAL PATCH Act Now

Out-of-bounds heap read in the Linux kernel's SMB client (smb/client) allows a malicious or compromised SMB server to leak adjacent kernel heap memory to a connected Linux client. The flaw lives in smb2_compound_op() where check_wsl_eas() fails to validate that OutputBufferLength fits within iov_len before a memcpy, so a truncated response with an oversized OutputBufferLength and an early-terminated EA list triggers the read past the rsp_iov allocation. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but upstream patches have been merged across multiple stable branches.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-46154 HIGH PATCH This Week

Local privilege escalation potential exists in the Linux kernel's sched_ext (SCX) subsystem where a use-after-free condition in cgroup setter operations can be triggered when a BPF scheduler is swapped concurrently with cgroup weight, idle, or bandwidth updates. The flaw affects kernel 6.18 and related stable branches and stems from reading scx_root outside the scx_cgroup_ops_rwsem, allowing a stale pointer to be dereferenced after the previous scheduler is freed via RCU. EPSS is very low (0.02%) and no public exploit is identified at time of analysis.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-46153 MEDIUM PATCH This Month

Memory exhaustion in the Linux kernel's 8021q VLAN subsystem allows a local user with low privileges to cause denial-of-service by repeatedly manipulating VLAN egress QoS priority mappings. The function `vlan_dev_set_egress_priority()` retains cleared priority entries as unreachable tombstones in the kernel hash table across set/clear cycles, accumulating until device teardown and leaking kernel memory. No public exploit exists and EPSS is 0.02% at the 5th percentile, indicating negligible real-world exploitation interest; however, the High availability impact in CVSS reflects potential OOM-triggered system instability on affected hosts.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46152 HIGH PATCH This Week

Concurrency flaw in the Linux kernel's mac80211 WiFi subsystem (versions from 6.4 onward) can cause misrouted or dropped 802.11 frames on adjacent-network attacks. The bug stems from a stray `static` qualifier on the per-invocation `rx_result` in `ieee80211_invoke_fast_rx()`, which is documented as parallel-RX safe but in practice shares a single result variable across concurrent callers. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the CVSS rating of 8.8 reflects strong CIA impact under adjacent-network conditions.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-46151 MEDIUM PATCH This Month

Heap memory disclosure in the Linux kernel usblp USB printer driver allows a local attacker with a malicious USB printer to expose up to 1021 bytes of uninitialized kmalloc heap to userspace. The driver's usblp_cache_device_id_string() blindly trusts a device-supplied 2-byte big-endian length prefix in the IEEE 1284 GET_DEVICE_ID response, leaking stale kernel heap contents via the ieee1284_id sysfs attribute and the IOCNR_GET_DEVICE_ID ioctl. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile) and the vulnerability is not listed in CISA KEV, but vendor patches are confirmed across multiple stable kernel branches.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46150 HIGH PATCH This Week

Permission check bypass in the Linux kernel's fanotify subsystem allows local low-privileged users to circumvent access control decisions enforced by fanotify-based security tools. The flaw stems from fsnotify_get_mark_safe() incorrectly returning false for marks on unrelated groups, causing the permission event evaluation to be skipped entirely. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%, but the impact on systems relying on fanotify for access control (antivirus, EDR, HSM) is significant.

Linux Authentication Bypass
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46149 HIGH PATCH This Week

Out-of-bounds stack read in the Linux kernel SCSI target subsystem's configfs interface allows a local privileged user to trigger a kernel panic or leak adjacent stack memory by reading the tg_pt_gp members sysfs attribute when a long iSCSI IQN fabric WWN (up to 223 bytes) is configured. The flaw stems from misusing the snprintf() return value (which reports intended length, not bytes written) as a memcpy() source length. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 5th percentile).

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46148 MEDIUM PATCH This Month

Incorrect hardware chip-select management in the Linux kernel spi/microchip-core-qspi driver causes the built-in hardware CS line to assert spuriously during SPI transactions directed at GPIO-managed chip selects on multi-device coreQSPI controllers. Systems using Microchip coreQSPI IP hardware with two or more attached SPI devices - where at least one device uses the built-in hardware CS - are subject to unintended bus assertion that can crash or disrupt SPI-dependent peripherals, producing a high-availability impact. No public exploit exists and EPSS stands at 0.02% (4th percentile), consistent with the narrow embedded-hardware topology required for manifestation; the vulnerability is not in CISA KEV.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46147 MEDIUM PATCH This Month

Two distinct bugs in the Linux kernel's pKVM (protected KVM) arm64 vCPU initialization path allow a local low-privileged user to cause persistent resource pin leaks and observe partially initialized memory objects. The pin leak (Bug 1) occurs when an error path in __pkvm_init_vcpu() jumps to cleanup without releasing hyp_pin_shared_mem() references on host vCPU and SVE state pages, permanently exhausting pin references and ultimately degrading or crashing the hypervisor subsystem. A separate memory ordering flaw (Bug 2) uses a bare store to publish the vCPU pointer into hyp_vm->vcpus[], allowing a concurrent pkvm_load_hyp_vcpu() caller to read a partially initialized vCPU object. No active exploitation has been identified and EPSS is 0.02%, consistent with a kernel subsystem bug affecting a specialized configuration rather than a broadly targeted attack surface.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46146 MEDIUM PATCH This Month

Denial of service in the Linux kernel ALSA USB audio subsystem allows a local attacker to hang a CPU core indefinitely by presenting a malformed USB audio class v3 channel map descriptor. The affected function `convert_chmap_v3()` uses the descriptor field `cs_desc->wLength` as a loop increment without validating it, so a zero-length descriptor causes an unescapable infinite loop that saturates a CPU core until the process is killed or the system rebooted. No active exploitation has been confirmed - the vulnerability is absent from CISA KEV, and the EPSS score of 0.02% at the 5th percentile indicates negligible current attacker interest.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46145 HIGH PATCH This Week

Local privilege escalation in the Linux kernel's RDMA/mana driver allows an authenticated low-privileged user to corrupt kernel memory by supplying an oversized rx_hash_key_len via the uAPI structure, which is passed unchecked to memcpy. The flaw affects kernels using the Microsoft Azure Network Adapter (MANA) RDMA driver and can lead to heap/stack overflow within kernel space, enabling potential code execution or system compromise. No public exploit identified at time of analysis, and EPSS is very low at 0.02% (5th percentile), indicating limited exploitation interest so far.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46144 MEDIUM PATCH This Month

Resource leak in the Linux kernel's RDMA/mana driver allows a local low-privileged user to exhaust kernel resources via a missing cleanup in the error unwind path of mana_ib_create_qp_rss(). The Microsoft Azure Network Adapter (MANA) InfiniBand subsystem fails to release mana_ib_cfg_vport_steering() allocations when QP RSS creation fails mid-flight, while the normal destroy path handles cleanup correctly - leaving the error path mismatched. No public exploit is identified and EPSS sits at 0.02% (5th percentile), reflecting very low real-world exploitation probability, though patches are confirmed available across multiple stable kernel branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46143 MEDIUM PATCH This Month

Memory leak in the Linux kernel's Qualcomm ASoC q6apm-lpass-dai audio driver allows a local low-privileged user to exhaust kernel memory by repeatedly invoking the ALSA prepare callback, which opens multiple APM graphs on the playback path without corresponding release. Affected systems are limited to those running Qualcomm LPASS audio hardware across several Linux stable branches (6.6.x, 6.9.x, 6.10, 6.12.x). No public exploit exists and EPSS at 0.02% (5th percentile) reflects negligible real-world exploitation interest; the practical impact is local denial of service on Qualcomm SoC-equipped devices.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46142 MEDIUM PATCH This Month

System hang vulnerability in the Linux kernel's libwx (WangXun) network driver affects systems using SR-IOV Virtual Functions. During VF initialization, the driver attempts to read register WX_CFG_PORT_ST, which is restricted to Physical Functions only; this illegal register access causes the system to hang, resulting in a complete denial of service. No public exploit exists and EPSS is 0.02%, but any system running a WangXun NIC with SR-IOV enabled and attaching a VF is directly exposed.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46141 MEDIUM PATCH This Month

Memory leak in the Linux kernel's powerpc XIVE interrupt subsystem causes progressive kernel heap exhaustion on IBM POWER9+ systems when MSI-X vectors are allocated and then freed for PCI devices such as NVMe controllers. The regression was introduced by commit cc0cc23babc9 which refactored the XIVE/child interrupt controller relationship: xive_irq_free_data() subsequently used the wrong domain lookup path, causing every allocated struct xive_irq_data (64 bytes) to be orphaned on irqdomain teardown. No public exploit is identified and EPSS stands at 0.02% (4th percentile), consistent with the narrow hardware-specific scope and local-only access requirement.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46140 HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel's MediaTek Bluetooth driver (btmtk) lets a short or malformed WMT firmware event response trigger reads past the SKB tailroom in btmtk_usb_hci_wmt_sync(), potentially leaking adjacent kernel memory or crashing the host. The flaw affects systems using MediaTek USB Bluetooth controllers (MT76xx family) on kernels around 6.11 through release candidates of 7.1, scoring CVSS 7.1 with high confidentiality and availability impact. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%), but a vendor fix is available across multiple stable branches.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46139 MEDIUM PATCH This Month

The Linux kernel SMB client transmits uninitialized kernel heap data in the reserved Sbz2 field of Windows ACL security descriptors to remote Samba servers, causing chmod operations on SMB-mounted filesystems to fail with EINVAL. This regression was introduced by commit 62e7dd0a39c2d, which split a struct field but left a newly created 2-byte reserved field unpopulated due to use of kmalloc() instead of kzalloc(). No public exploit exists (EPSS 0.02%, no KEV listing); the practical impact is an operational disruption of file permission management on Samba-backed mounts, with a secondary minor information disclosure of heap contents to the remote server.

Linux Microsoft Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46138 HIGH PATCH This Week

Out-of-bounds heap read and infinite loop in the Linux kernel Bluetooth HCI event handler (hci_le_create_big_complete_evt) allows an adjacent attacker to trigger denial of service on systems with Bluetooth LE Isochronous (BIG) connections. The flaw arises when a malicious or malformed controller returns an LE_Create_BIG_Complete event with fewer bis_handle entries than expected, causing the kernel to read past the flex array and spin indefinitely while holding hci_dev_lock. No public exploit identified at time of analysis, and EPSS probability is very low (0.02%), but the issue is patched across multiple stable trees.

Linux Denial Of Service Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-46137 CRITICAL PATCH Act Now

Race condition in the Linux kernel's MPTCP (Multipath TCP) path manager subsystem affects the mptcp_pm_add_timer() ADD_ADDR retransmission helper, where the timer callback runs in softirq context without holding the socket lock via bh_lock_sock(). The data race could lead to inconsistent socket state when concurrent operations touch the same MPTCP socket. Despite a CVSS of 9.8, EPSS is only 0.02% (5th percentile) and no public exploit identified at time of analysis; the tag 'Information Disclosure' suggests realistic impact is far below the headline score.

Linux Information Disclosure Race Condition
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-46136 HIGH PATCH This Week

Denial-of-service in the Linux kernel mt76/mt7921 MediaTek Wi-Fi driver lets a buffer-length (buf_len) underflow occur while iterating the CLC (country location configuration) power table, producing a near-infinite loop or an invalid power setting that crashes driver initialization. Systems running affected kernels with MediaTek MT7921 Wi-Fi hardware are impacted; classified CWE-787 (out-of-bounds write) with a vendor-assigned CVSS of 7.8 (local, AV:L). No public exploit identified at time of analysis and EPSS is very low (0.02%), consistent with a reliability/DoS defect rather than a readily weaponizable memory-corruption primitive.

Memory Corruption Linux Denial Of Service Buffer Overflow Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46135 CRITICAL PATCH Act Now

Race condition in the Linux kernel's NVMe/TCP target (nvmet-tcp) subsystem allows a remote NVMe/TCP host to trigger a double kref_put() on a queue object by sending an Initialization Connection Request (ICReq) and immediately closing the connection. The flaw, fixed in stable releases 6.12.88, 6.18.30, and 7.0.7 (mainline 7.1-rc2), stems from nvmet_tcp_handle_icreq() updating queue->state without serializing against concurrent target-side queue teardown, defeating the DISCONNECTING-state guard and enabling a use-after-free condition. No public exploit identified at time of analysis and EPSS is very low (0.02%), indicating limited real-world exploitation interest despite the headline 9.8 CVSS.

Linux Information Disclosure Race Condition
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-46134 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's cros_ec_typec driver crashes the kernel when a Thunderbolt alternate mode operation is processed on affected ChromeOS devices. The flaw originates in cros_typec_register_thunderbolt(), which allocates the adata structure but omits mutex_init(&adata->lock); when cros_typec_altmode_work() later acquires that uninitialized mutex, the kernel dereferences a NULL or garbage pointer and panics. No public exploit code exists and EPSS of 0.02% (4th percentile) reflects the narrow hardware prerequisite and strictly local-only attack surface; the vulnerability is not listed in CISA KEV.

Linux Denial Of Service Google Null Pointer Dereference Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46133 HIGH PATCH This Week

Remote denial-of-service in the Linux kernel's Soft RoCE (RDMA/rxe) driver allows unauthenticated attackers to crash the kernel by sending a single crafted 48-byte UDP packet to port 4791 with an undefined BTH opcode. The flaw triggers an out-of-bounds read in rxe_icrc_hdr() via crc32_le() due to zero-initialized rxe_opcode[] entries causing arithmetic underflow, panicking the host with no public exploit identified at time of analysis though EPSS is very low at 0.03%.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-46132 MEDIUM PATCH This Month

Kernel stack information leak in Linux rtnetlink's rtnl_fill_vfinfo() exposes up to 26 bytes of uninitialized kernel stack memory to any unprivileged local user on systems with SR-IOV NICs. The flaw exists because struct ifla_vf_broadcast (32 bytes) is declared on the stack without zeroing, only the first 6 bytes are filled via memcpy on Ethernet devices, and the full struct is transmitted to userspace via RTM_GETLINK responses. No public exploit is identified at time of analysis and EPSS is 0.02% (5th percentile), but the attack is trivially repeatable without any special privileges, making it a practical KASLR bypass primitive or sensitive-data harvesting tool on multi-tenant or shared-access Linux systems.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46131 MEDIUM PATCH This Month

Availability impact in Linux Kernel KVM's x86 nested virtualization subsystem allows a low-privileged user operating within an L2 (nested) guest to trigger a host kernel denial-of-service via incorrect hypercall handling. The root cause is an incorrect guard condition in slow-flush hypercall paths: KVM checks `is_guest_mode(vcpu)` before calling `translate_nested_gpa()`, but that translation function is only valid when the L2 guest is running with nested EPT/NPT actually enabled - not merely when guest mode is active. No public exploit has been identified at time of analysis, and EPSS exploitation probability is 0.02% (5th percentile). Vendor-released patches are available across multiple stable branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46130 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's dm-verity-fec (forward error correction) subsystem allows kernel memory disclosure or a crash when decoding Reed-Solomon parity data. The flaw affects the device-mapper verity FEC code where fec_decode_bufs() wrongly assumes parity bytes of the first RS codeword never span a parity-block boundary; with certain non-default fec_roots values combined with low-memory buffer-allocation failures, the decoder reads past the end of the parity block buffer. Tracked as CWE-125, it carries a 7.1 CVSS (local, low complexity per NVD) but a negligible EPSS of 0.02%, and there is no public exploit identified at time of analysis.

Linux Buffer Overflow Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46129 HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel's btrfs filesystem stems from a double-free in create_space_info() when kobject_init_and_add() fails during sysfs registration. The flaw affects multiple stable Linux branches (6.6.x, 6.12.x, 6.18.x prior to the fixed releases) and could allow a local attacker with low privileges to corrupt kernel memory; no public exploit identified at time of analysis and EPSS is very low (0.02%).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46128 MEDIUM PATCH This Month

Denial-of-service in the Linux kernel IPMI subsystem allows a system crash when the BMC (Baseboard Management Controller) returns a malformed empty event message buffer instead of a proper error code. The kernel's IPMI driver defers response size validation to later processing stages rather than checking immediately upon receipt, causing it to process invalid data from certain non-compliant BMC firmware. No public exploit exists and EPSS is 0.02% (5th percentile); the trigger is hardware-driven misbehavior rather than deliberate attacker input, but the availability impact is high (kernel panic). Patched kernel versions are available across multiple stable branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46127 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's RDMA/ocrdma driver crashes systems running Emulex OneConnect RDMA adapters. The flaw exists in `ocrdma_copy_pd_uresp()`, where error-path code dereferences `pd->uctx` before it is initialized, producing a kernel panic and complete system unavailability when triggered. No public exploit code has been identified and EPSS sits at 0.02% (5th percentile), reflecting very low exploitation probability at this time; however, the local low-privilege vector means any unprivileged user on an affected system with ocrdma hardware present could trigger the crash.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46126 MEDIUM PATCH This Month

Improper error-path cleanup in the RDMA/mana driver's `mana_ib_create_qp_rss()` function allows a local low-privileged user on Azure VMs with Microsoft MANA NICs to crash the kernel. Two logic bugs in the WQ table unwind - a redundant `i--` that skips a cleanup iteration, and a missed `mana_destroy_wq_obj()` call when `mana_ib_install_cq_cb()` fails - leave kernel objects in a dangling state, producing a high-availability (DoS) impact. No public exploit exists and EPSS is at the 5th percentile; this vulnerability is not in CISA KEV.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46125 HIGH PATCH This Week

Use-after-free/double-free in the Linux kernel's mac80211 wireless subsystem affects systems with Multi-Link Operation (MLO) Wi-Fi connections when debugfs is enabled. The flaw occurs when connection preparation fails for MLO connections and the interface is reset to non-MLD without removing the associated station, corrupting debugfs state. EPSS probability is 0.02% (5th percentile) and no public exploit identified at time of analysis, but the CVSS 8.8 score reflects high impact on adjacent-network reachable systems.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-46124 HIGH PATCH This Week

Information disclosure in the Linux kernel isofs filesystem allows authenticated NFS peers to read arbitrary in-range blocks from the backing device by submitting crafted NFS file handles to isofs_export_iget(). The flaw resides in isofs_fh_to_dentry() and isofs_fh_to_parent(), which previously only rejected block==0 before passing the attacker-controlled block number to sb_bread(), exposing unrelated adjacent-partition data as iso_inode_info fields returned to NFS clients. No public exploit identified at time of analysis, EPSS is 0.02% (5th percentile), and this is reported as hardening adjacent to the prior CVE-2025-37780 fix.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-46123 HIGH PATCH This Week

Out-of-bounds read and information disclosure in the Linux kernel's virtio_bt (virtio Bluetooth) driver allows a malicious or buggy virtio backend to leak uninitialized kernel heap memory into received Bluetooth skbs. The virtbt_rx_work() function trusted the device-reported length from virtqueue_get_buf() without clamping it to the 1000-byte buffer actually exposed via sg_init_one(), so a hostile backend can report lengths between 1001 and skb_tailroom() - or 0 - causing skb_put() to expose untouched heap bytes or virtbt_rx_handle() to read an uninitialized pkt_type. No public exploit identified at time of analysis and EPSS is 0.02% (5th percentile), but a vendor patch is available.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-46122 HIGH PATCH This Week

Out-of-bounds memory read in the Linux kernel's b43 Broadcom wireless driver allows leakage of adjacent kernel memory when the device firmware supplies a key index that exceeds the 58-entry dev->key[] array in b43_rx(). The pre-patch guard (B43_WARN_ON) is a no-op in production kernels, so the invalid index was used to index the array unchecked. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%); the fix enforces the bounds check and drops the offending frame.

Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46121 HIGH PATCH This Week

Use-after-free in the Linux kernel's DAMON sysfs interface (mm/damon/sysfs-schemes) lets a local actor with access to the 'memcg_path' file race a read against a concurrent write that frees the underlying buffer, accessing freed kernel memory. The flaw affects DAMON-enabled builds across the 6.6.96, 6.12.36, 6.15.5 and 6.16-rc lines, and is fixed by serializing both direct reads and writes under damon_sysfs_lock. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; it is not in CISA KEV.

Memory Corruption Linux Use After Free Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46120 HIGH PATCH This Week

Local privilege escalation and kernel memory corruption in the Linux kernel's IPv6 GRE (ip6_gre) subsystem stem from ip6erspan_changelink() using dev_net(dev) instead of the cached t->net after IFLA_NET_NS_FD migration, causing a tunnel to be re-inserted into the wrong per-netns hash. When the original network namespace is later destroyed, the stale entry triggers a slab-use-after-free (flagged by KASAN) and a kernel BUG at LIST_POISON1, reachable from an unprivileged user namespace. No public exploit identified at time of analysis, though the bug is trivially reachable via unshare and EPSS exploitation probability is low (0.02%).

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46119 CRITICAL PATCH Act Now

Information disclosure and denial of service in the Linux kernel's libceph subsystem allows remote Ceph servers (or attackers able to spoof/MITM unauthenticated Ceph traffic) to trigger a slab-out-of-bounds read by sending a crafted CEPH_MSG_AUTH_REPLY message with a positive result value. The flaw causes the kernel client to send memory contents past the allocated front-segment buffer back over the wire, potentially leaking adjacent kernel heap data and destabilizing the host. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the CVSS of 9.1 reflects the network-reachable, no-privileges-required nature of the bug in affected Ceph client deployments.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-46118 MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's pseries/papr-hvpipe subsystem crashes IBM POWER/pSeries hosts via a local ioctl call. The flaw was introduced by commit 6d3789d347a7, which refactored papr_hvpipe_dev_create_handle() to use FD_PREPARE() but left src_info accessible after retain_and_null_ptr() nulled it, causing a write to address 0x0 when the pointer is subsequently used in the global list insertion path. Exploitation requires local low-privileged access on pSeries hardware; no public exploit exists and EPSS is 0.02%, indicating negligible opportunistic exploitation risk.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46117 HIGH PATCH This Week

Local privilege escalation and kernel memory corruption in the Linux kernel's RDMA/mana driver allows authenticated local users to trigger a user-reachable WARN_ON() and subsequently corrupt kernel memory by specifying Work Queues that share the same Completion Queue through the uAPI of mana_ib_create_qp_rss(). The flaw affects Linux 6.8 through versions before the patched 6.12.91, 6.18.30, 7.0.7, and 7.1-rc3 releases. No public exploit identified at time of analysis, and EPSS scoring is low at 0.02%.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46116 HIGH PATCH This Week

Use-after-free in the Linux kernel's xfrm (IPsec) state management subsystem allows local attackers with low privileges to trigger memory corruption via concurrent xfrm_state lifecycle operations. The flaw resides in __xfrm_state_delete() where value-based predicates on x->km.seq and x->id.spi can race with xfrm_alloc_spi() outside of xfrm_state_lock, leading to slab-use-after-free writes through LIST_POISON pointers on the byseq/byspi/bydst/bysrc hash chains. No public exploit identified at time of analysis, and EPSS is very low at 0.02% (5th percentile), but a vendor patch is available.

Linux Denial Of Service Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46115 CRITICAL PATCH Act Now

Incorrect bvec coalescing in the Linux kernel's block layer (biovec_phys_mergeable) can merge physically contiguous bio_vec segments that belong to different zone-device dev_pagemaps, corrupting the ability to recover the correct pgmap via page_pgmap() for the merged segment. The flaw affects systems using zone device memory registered in multiple chunks (e.g., DAX/persistent memory or GPU/accelerator memory backends) and was fixed upstream; no public exploit is identified at time of analysis and EPSS exploitation probability is very low (0.02%, 5th percentile).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-46114 HIGH PATCH This Week

Remote information disclosure in the Linux kernel's RDMA Soft-RoCE (rxe) driver allows unauthenticated network attackers to leak adjacent kernel skb head-buffer memory by sending zero-length ATOMIC_WRITE RDMA packets. The flaw, tracked as CVE-2026-46114 and affecting kernels from 6.2 onward, lets a remote initiator extract 4 bytes of kernel tailroom per probe - including kernel strings and partial direct-map pointer words - into an attacker-controlled memory region. No public exploit identified at time of analysis and EPSS is low (0.05%, 17th percentile), but the vendor (kernel.org) has released stable patches across multiple branches.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-46113 HIGH POC PATCH This Week

Use-after-free in the Linux kernel's KVM x86 shadow MMU allows a malicious guest VM to corrupt host memory and potentially escalate privileges on the hypervisor. The flaw occurs when a guest modifies its page tables between VM entries, causing KVM to install rmap entries outside the expected GFN range of a direct-mapped shadow page; subsequent rmap walks (e.g., during dirty logging or MMU notifier invalidations from MADV_DONTNEED) then dereference a freed kvm_mmu_page. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug has existed since the earliest KVM versions and is now patched upstream.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-46112 HIGH PATCH This Week

Local privilege escalation risk in the Linux kernel's RDMA/hns driver stems from an unlocked call to hns_roce_qp_remove() in the error unwind path of hns_roce_qp_remove_common(). Low-privileged local users on systems with HiSilicon RoCE (hns) RDMA hardware could trigger the error flow to corrupt kernel memory, with EPSS at 0.02% indicating no known exploitation, and no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46111 HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel Bluetooth subsystem (hci_conn) stems from a use-after-free in create_big_sync() when a Broadcast Isochronous Group (BIG) creation races against connection teardown. A local low-privileged attacker on a system with active Bluetooth LE Audio operations could trigger the freed hci_conn dereference through hci_connect_cfm()/hci_conn_del(), enabling memory corruption with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 5th percentile), reflecting limited weaponization despite the CVSS 7.8 rating.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46110 HIGH PATCH This Week

Denial of service in the Linux kernel's stmmac Ethernet driver allows remote attackers to trigger a NULL pointer dereference and kernel panic on systems using STMicroelectronics MAC network controllers under sustained memory pressure. The flaw stems from incomplete handling of the DMA RX descriptor ring lifecycle, where stmmac_rx() cannot distinguish 'full' from 'dirty' descriptors when stmmac_rx_refill() fails to allocate replacement buffers. EPSS rates exploitation probability at only 0.02% (5th percentile), and no public exploit identified at time of analysis.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-46109 MEDIUM PATCH This Month

Memory leak in the Linux kernel USB ULPI subsystem allows a local low-privilege attacker to gradually exhaust kernel memory by repeatedly triggering registration failures in the ulpi_register() function. A prior fix for a double-free (commit 01af542392b5) removed the kfree(ulpi) call on the device_register() failure path but inadvertently left the allocation unreleased when ulpi_of_register() or ulpi_read_id() fail before device_register() is ever reached. No public exploit exists and EPSS is 0.02%, indicating minimal real-world exploitation pressure; however, patched kernel stable releases are available across all supported branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46108 MEDIUM PATCH This Month

Denial of service in the Linux kernel's IPMI SI (System Interface) driver results from improper state machine recovery when message allocation fails, leaving the driver stuck in a non-normal state and rendering the IPMI subsystem non-functional. Locally authenticated users with low privileges on affected systems with an active ipmi_si module can trigger this condition, typically under memory-pressure scenarios. No public exploit has been identified at time of analysis; EPSS at 0.02% (5th percentile) confirms negligible exploitation interest, and patches are available across multiple stable kernel branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46107 HIGH PATCH This Week

Local privilege escalation or denial-of-service in the Linux kernel's dm-thin (device-mapper thin provisioning) target stems from a metadata reference-count underflow in rebalance_children(). Local users with access to thin-provisioned device-mapper volumes can trigger 'unable to decrement block' errors that corrupt metadata accounting on shared btree nodes, with no public exploit identified at time of analysis and a very low EPSS score (0.02%, 5th percentile) indicating limited exploitation interest despite the high CVSS of 7.8.

Linux Information Disclosure Integer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46106 MEDIUM PATCH This Month

Three concurrent race conditions in the Linux kernel's eventfs subsystem (tracefs) can be triggered during remount operations, leading to kernel denial-of-service via LIST_POISON1 pointer dereference or use-after-free. Systems running affected kernel versions with tracefs mounted are vulnerable when a local user with sufficient privilege simultaneously remounts the filesystem while kprobe events are being added or removed. No public exploit code has been identified at time of analysis, and EPSS at 0.02% (5th percentile) indicates very low observed exploitation probability.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46105 HIGH PATCH This Week

Local denial of service in the Linux kernel's mpt3sas SCSI driver allows a privileged local user to trigger a kernel oops by issuing oversized NVMe I/O operations against drives behind Broadcom/LSI MPT3 SAS HBAs. The flaw stems from a size mismatch between firmware-reported MDTS values and the driver's fixed 4K PRP list buffer, and no public exploit identified at time of analysis. EPSS is very low (0.02%, 4th percentile), consistent with a kernel reliability bug requiring local privileged access rather than a remote attack surface.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46104 MEDIUM PATCH This Month

SELinux socket permission helpers in the Linux kernel misread security blob data in stacked LSM configurations, causing kernel crashes or incorrect AVC (Access Vector Cache) decisions. Specifically, sock_has_perm() and nlmsg_sock_has_extended_perms() dereference sk->sk_security directly under the assumption that the SELinux blob always sits at offset zero, which fails when another LSM allocates socket blob storage ahead of SELinux in a stacked configuration. No public exploit has been identified at time of analysis, EPSS is 0.02%, and patches are available for Linux 6.18.30 and 7.0.7.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-47243 Go PATCH GHSA Awaiting Data

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/05/21. he.org>) Linux kernel: Dirty Frag variants — fix merged into netdev (Hyunwoo Kim <imv4bel@...il.com>) Re: Linux kernel: Dirty Frag variants — fix merged into netdev (Solar Designer <solar@...nwall.com>) Re: Linux kernel: Dirty Frag variants — fix merged into netdev (Hyunwoo Kim <imv4bel@...il.com>) CVE-2026-47243: Kata Containers runtime-rs 3.30: virtiofsd symlink escape (Aurelien Bombo <aurelien.bombo@...rosoft.com>) CVE-2026-46473: Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand (Robert Rothenberg <rrwo@...nsec.org>) Re: On the issue of MIME handlers that execute arbitrary code (e.

Linux RCE
NVD
EPSS
0.1%
CVE-2026-46103 MEDIUM PATCH This Month

Memory leak in the Linux kernel's CAN UCAN USB driver allows a local low-privileged user to exhaust kernel memory by repeatedly triggering driver unbind cycles without physical device disconnection. The flaw (CWE-401) exists because devres-managed buffers are incorrectly scoped to the parent USB device rather than the USB interface, so they are never released during software-initiated unbind events such as probe deferral or configuration changes. No public exploit code exists and EPSS sits at 0.02% (5th percentile), indicating near-zero real-world exploitation probability despite the CVSS Availability: High rating.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46102 HIGH PATCH This Week

Remote denial of service in the Linux kernel's stream parser (strparser) subsystem allows attackers to exhaust memory by repeatedly triggering message assembly timeouts that fail to release partially assembled skb buffers. The flaw resides in strp_abort_strp(), which leaks strp->skb_head on abort, and affects kernels from at least 4.9 through the 6.x and 7.x release lines until the fix introduced in 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. No public exploit identified at time of analysis, and EPSS (0.02%, 5th percentile) reflects low predicted exploitation in the next 30 days despite the CVSS 7.5 rating.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-46101 MEDIUM PATCH This Month

Undefined behavior in the Linux kernel's nftables bitwise expression handler allows a local attacker with low privileges to crash the kernel. The nft_bitwise subsystem failed to reject zero-value shift operands during rule initialization; a zero shift causes the carry propagation formula (BITS_PER_TYPE(u32) - shift = 32 - 0 = 32) to perform a 32-bit shift of a 32-bit type, which is undefined behavior in C and can result in a kernel panic. No public exploit is identified at time of analysis, and EPSS at 0.02% (5th percentile) indicates very low automated exploitation activity, consistent with the local-only attack vector requiring nftables configuration privileges.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46100 HIGH PATCH This Week

Local privilege-impacting memory corruption in the Linux kernel's AFS filesystem can be triggered by an authenticated local user mapping AFS files, leading to a refcount leak that can cause kernel resource exhaustion or use-after-free conditions affecting confidentiality, integrity, and availability. The flaw stems from an incorrect conversion of AFS's mmap handler to the new .mmap_prepare() interface (commit 9d5403b1036c), which leaks reference counts when a VMA merge or allocation failure occurs after the prepare call. No public exploit identified at time of analysis and EPSS rates exploitation likelihood at just 0.02%.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46099 HIGH PATCH This Week

Use-after-free in the Linux kernel's IPv6 SR (seg6) and RPL lightweight tunnel input paths can be triggered on PREEMPT_RT builds when a higher-priority task races ksoftirqd during a concurrent FIB lookup on a shared nexthop. The flaw causes dst_cache_set_ip6() to call dst_hold() on a freed per-CPU route, producing a kernel warning or memory corruption that an attacker on the network could leverage for denial of service or potential code execution. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-46098 MEDIUM PATCH This Month

Use-after-free in the Linux kernel CAIF networking subsystem allows a local low-privileged user to crash the kernel via a double invocation of caif_free_client(). The CAIF socket layer in caif_connect() can tear down a client on remote shutdown, freeing the service object via adap_layer->dn but leaving that pointer stale; when the socket is later destroyed, caif_sock_destructor() dereferences the already-freed pointer, triggering a NULL pointer dereference (CWE-476) and kernel oops. No public exploit exists and EPSS sits at 0.02% (5th percentile), but vendor-released patches are available across multiple stable kernel branches.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Uninitialized memory read in Linux kernel's Bluetooth virtio_bt driver allows a malicious or compromised virtio backend to trigger kernel DoS and potential information disclosure against guest VMs. The driver's virtbt_rx_handle() function fails to validate that received RX socket buffers contain sufficient bytes to cover the fixed HCI header for the declared packet type before forwarding to hci_recv_frame(). A backend-supplied one-byte completion with type HCI_ACLDATA_PKT causes the ACL classification path in hci_dev_classify_pkt_type() to dereference hci_acl_hdr(skb)->handle on an empty buffer when the HCI device holds an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with a kernel subsystem bug requiring privileged backend access in a virtualized environment.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds read in the Linux kernel's SMB client (smb/client) symlink handling allows a malicious or compromised SMB server to trigger memory disclosure or denial-of-service against Linux clients that mount SMB shares. The flaw resides in symlink_data() where smb2_check_message() does not validate response length before fields beyond the 64-byte SMB2 header are accessed. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, though upstream kernel fixes have already been merged across multiple stable branches.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Division by zero in the Linux kernel's ua101 USB audio driver allows a local attacker to crash the kernel by presenting a crafted USB device with a malformed audio class descriptor. The ua101 driver's `detect_usb_format()` function fails to validate the `bNrChannels` field before use, so a device reporting `bNrChannels = 0` causes `frame_bytes` to become zero, which is subsequently used as a divisor in both `playback_urb_complete()` and `capture_urb_complete()` URB handlers, triggering a fatal kernel panic. No public exploit has been identified and EPSS is 0.02% (5th percentile), but the vulnerability affects multiple supported stable branches and patches are available across all of them.

Linux Denial Of Service Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's DAMON (Data Access MONitor) sysfs-schemes interface allows local users with sysfs access to read freed memory by racing concurrent reads and writes of the quota goal 'path' file across separate file descriptors. EPSS is 0.02% and no public exploit identified at time of analysis, but the CVSS 7.8 reflects full CIA impact if a local attacker can win the race.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel stack memory disclosure in the Linux kernel's pseries/papr-hvpipe driver exposes up to 43 bytes of uninitialized stack data to unprivileged local users on IBM Power (pseries) systems. The `struct papr_hvpipe_hdr` reserved padding fields (`reserved[3]` and `reserved2[40]`) are never zeroed before `copy_to_user()` copies the full structure to userspace, allowing a local attacker to harvest stale kernel stack contents - potentially including ASLR offsets or residual cryptographic material. No public exploit exists and no CISA KEV listing applies; EPSS at 0.02% (4th percentile) reflects low exploitation probability consistent with the narrow pseries-only deployment scope. Vendor-released patches are confirmed in stable branches 6.18.30, 7.0.7, and 7.1-rc3.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation or denial-of-service in the Linux kernel's RDMA/mlx4 InfiniBand driver stems from improper RCU synchronization in mlx4_srq_event(), where the mlx4_srq structure is never freed via RCU and can be accessed before initialization completes. Local low-privileged users on systems using Mellanox ConnectX (mlx4) RDMA hardware can trigger a race condition leading to memory corruption or kernel crash, with CVSS 7.8 reflecting high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and EPSS scores this at just 0.02%, indicating minimal real-world exploitation likelihood.

Linux Denial Of Service
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation risk in the Linux kernel's brcmfmac Broadcom FullMAC Wi-Fi driver stems from a use-after-free in the watchdog kthread teardown path, where the watchdog task can exit between send_sig() and kthread_stop(), leaving stale memory accessible. Successful exploitation by a local low-privileged attacker who can trigger driver teardown could yield kernel memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis and EPSS is very low (0.02%), suggesting limited near-term exploitation interest.

Linux Use After Free Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Divide-by-zero in the Linux kernel ASoC SOF compressed audio subsystem allows a low-privileged local user to crash the kernel by querying stream pointer position before stream parameters are configured. Affected are Linux kernel stable branches 6.6 through 7.0 (pre-patch), all running on hardware with SOF audio drivers loaded. No active exploitation has been confirmed - EPSS sits at 0.02% (5th percentile) and the vulnerability is absent from CISA KEV - making this a medium-severity availability risk relevant primarily to multi-user desktop and embedded audio platforms.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Resource leak in the Linux kernel's RDMA/mlx4 InfiniBand driver allows local authenticated users to trigger kernel memory exhaustion when mlx4_ib_create_srq() fails, because mlx4_srq_alloc() is not properly undone via mlx4_srq_free() during error unwind. CVSS 7.8 (AV:L/AC:L/PR:L) reflects local privileged access required, and EPSS is very low at 0.02% (5th percentile), with no public exploit identified at time of analysis. The fix has been merged upstream and backported across multiple stable trees, indicating broad downstream exposure on systems using Mellanox ConnectX HCAs.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel IPMI driver allows a malicious or buggy BMC (Baseboard Management Controller) to indefinitely stall the driver by never signaling completion on event/message fetches or by keeping the attention (attn) bit asserted. The CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/C:N/I:N/A:H) score reflects pure availability impact, and the issue has existed since the IPMI driver's inception; no public exploit identified at time of analysis and EPSS is 0.02% (5th percentile), indicating very low exploitation likelihood.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free and double-free condition in the Linux kernel RDMA/mlx5 driver allows local privileged users to corrupt kernel memory through error path mishandling in mlx5_ib_dev_res_srq_init(). The flaw stems from incorrect fall-through logic when ib_create_srq() fails for the second Shared Receive Queue (s1), leaving freed s0 pointers and ERR_PTR values assigned to device resource fields. No public exploit identified at time of analysis, with EPSS scoring this at just 0.02% probability of exploitation.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Filesystem inconsistency in the Linux kernel's F2FS implementation allows local authenticated users to trigger fsck misinterpretation of node block migration as fsync-written data, resulting in filesystem integrity issues following a sudden power-off (SPO). Affecting Linux kernel versions through 7.0.7 and 7.1-rc1 (with backports to 6.18.30), the flaw stems from Foreground Garbage Collection (FGGC) failing to clear dentry and fsync marks during node block migration. No public exploit identified at time of analysis, and EPSS is very low at 0.02% (4th percentile).

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Local privilege escalation and information disclosure in the Linux kernel on AMD Zen2 CPUs allows low-privileged users to trigger instruction corruption via improper isolation of shared resources in the op cache. Affecting kernels prior to 5.10.256, 5.15.207, 6.1.173, 6.6.139, 6.12.88, 6.18.30, and 7.0.7, the flaw carries a CVSS 8.8 due to scope change (S:C) impacting confidentiality, integrity, and availability beyond the original security boundary. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but the architectural nature of the bug (CPU op cache sharing) makes it relevant for multi-tenant and virtualization workloads.

Linux Amd Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Memory corruption in the Linux kernel scheduler exit path allows local low-privileged users to trigger use-after-free or double-free of task stacks when an exiting task oopses, per CVE-2026-46173. The flaw stems from make_task_dead() invoking do_task_dead() with preemption enabled, violating the scheduler's requirement that __schedule() run with preemption disabled, which can leave two tasks running on the same stack. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%.

Linux Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource exhaustion via dst entry reference leak in the Linux kernel's IPv6 IPsec (xfrm6) receive path allows a local attacker with low privileges to cause a denial of service by exhausting kernel memory. The flaw exists in xfrm6_rcv_encap(), which calls ip6_route_input_lookup() returning a referenced dst entry even for error routes, but fails to release that reference before dropping the packet when dst->error is set. Repeated packets hitting this code path therefore accumulate unreleased dst references, ultimately crashing the system. No public exploit exists and this vulnerability is not in the CISA KEV list; EPSS exploitation probability is extremely low at 0.02% (5th percentile).

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's RISC-V KVM vector context allocation allows a local low-privileged attacker to exhaust kernel memory, causing denial of service on RISC-V hypervisor hosts. The flaw exists in kvm_riscv_vcpu_alloc_vector_context() where a failed second kzalloc call (host_context.vector.datap) returns an error without freeing the first allocation (guest_context.vector.datap), accumulating unreleased kernel memory across repeated vCPU creation attempts. No public exploit exists and no active exploitation is confirmed; EPSS at 0.02% (4th percentile) reflects the narrow RISC-V KVM deployment surface.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The MPTCP (Multipath TCP) path manager in the Linux kernel mishandles socket reference counting during ADD_ADDR retransmission timer callbacks, resulting in a local denial-of-service. When the retransmit timer fires and holds the last reference to a socket, calling __sock_put() instead of sock_put() leaks the socket; and if sock_put() is used without first marking the timer done, the resulting sk_free() call invokes sk_stop_timer_sync() on the same in-flight timer, causing the kernel to wait indefinitely. No public exploit has been identified at time of analysis; EPSS is 0.02% (4th percentile), and the vulnerability is not listed in CISA KEV.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Uninitialized memory use in the Linux kernel HFS+ filesystem driver (hfsplus) can crash the kernel when a local user mounts a crafted, corrupted HFS+ image. The flaw in hfs_brec_read() allows a partial catalog record read - as few as 26 bytes into a 520-byte structure - leaving the nodeName field uninitialized; this data then propagates through hfsplus_cat_build_key_uni() into hfsplus_strcasecmp(), where it is used as array indices in case_fold(), triggering a kernel denial of service. No public exploit is identified at time of analysis and EPSS is very low at 0.02% (5th percentile); this is not listed in CISA KEV.

Linux Authentication Bypass
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Scheduling-while-atomic kernel panic in the Linux kernel MPTCP subsystem allows a local low-privileged user to crash the host by setting timestamp socket options on an MPTCP socket. The defect stems from invoking sleepable helpers - sock_set_timestamp() and sock_set_timestamping() - inside the atomic context established by lock_sock_fast(), violating the kernel's non-sleeping constraint for spinlock holders. No public exploit code has been identified and EPSS sits at 0.02% (5th percentile), indicating negligible real-world exploitation probability at this time. Note: the 'Information Disclosure' tag applied by some sources appears incorrect - the actual impact is limited to availability (kernel panic/crash) with no confidentiality or integrity consequence per the CVSS vector.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Uninitialized heap memory in the Linux kernel's usblp USB printer driver leaks a stale kernel byte to userspace through the LPGETSTATUS ioctl when a malicious or non-compliant USB printer returns zero bytes to a one-byte status request. Affected branches span kernel versions from 2.6.12 through 6.18.x, 7.0.x, and 7.1-rc3, with fixes available in stable releases 6.6.140, 6.12.88, 6.18.30, and 7.0.7. No public exploit exists and EPSS stands at 0.02% (5th percentile); exploitation requires local access, a cooperating malicious USB device, and access to the printer device node - substantially narrowing real-world risk despite the breadth of affected kernel versions.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in the Linux kernel mac80211 wireless subsystem allows attackers on the adjacent wireless network to corrupt kernel memory by triggering radar detection cancellation paths that free a channel context still being iterated. No public exploit identified at time of analysis, and EPSS exploitation probability is 0.02% (5th percentile), but the high CVSS reflects severe potential impact on confidentiality, integrity, and availability if exploited. A vendor-released patch is available in stable kernel updates including 6.12.88, 6.18.30, and 7.0.7.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

OpenVSwitch tunnel port removal in the Linux kernel triggers a self-deadlock that permanently hangs the kernel's RTNL lock, causing a denial of service requiring system reboot. The flaw affects systems across multiple stable kernel branches (6.6.x, 6.12.x, 6.18.x, 7.0.x) where OVS tunnel vports (VXLAN, GRE, GENEVE) are actively managed. Patched versions are available across all affected stable branches; no public exploit identified at time of analysis, and the EPSS score of 0.02% (5th percentile) indicates negligible observed exploitation probability.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Memory corruption in the Linux kernel's btrfs filesystem can be triggered when create_space_info_sub_group() encounters a kobject initialization failure, causing the sub_group structure to be freed twice. The double-free occurs because btrfs_sysfs_add_space_info_type() already releases the memory via kobject_put() in its error path, after which the caller frees it again. EPSS scores this at 0.02% (5th percentile) and there is no public exploit identified at time of analysis, but a vendor-released patch is available.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's b43legacy wireless driver allows a local attacker with low privileges to read beyond the dev->key[] array when firmware reports a key index exceeding dev->max_nr_keys. The existing B43legacy_WARN_ON check was non-enforcing in production builds, permitting memory disclosure during RX packet handling on systems with vulnerable Broadcom legacy WiFi chipsets. No public exploit identified at time of analysis, and EPSS is very low (0.02%), suggesting limited near-term mass exploitation despite a high CVSS of 7.8.

Linux Buffer Overflow Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Double-free memory corruption in the Linux kernel's Intel ice (E810) network driver occurs in the ice_sf_eth_activate() error path when auxiliary_device_add() fails, causing sf_dev to be freed twice. Affecting Linux kernel versions starting at 6.12 through pre-patch builds, a local privileged user triggering the failure path can corrupt kernel heap state, with no public exploit identified at time of analysis and a very low EPSS score of 0.02%.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Divide-by-zero in the Linux kernel's md/raid10 subsystem allows a local authenticated user to crash the kernel by supplying a zero far_copies value when configuring a RAID10 array with the 'improved' far set layout. The affected function setup_geo() performs the division geo->far_set_size = disks / fc without first validating that fc is non-zero, triggering a kernel oops or panic and producing a high availability impact. EPSS is 0.02% (5th percentile) and this CVE is not listed in CISA KEV, consistent with the local-only, configuration-specific attack vector and no public exploit identified at time of analysis.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Filesystem availability loss in the Linux kernel's btrfs subsystem can render a mounted volume unrecoverable after a power failure under specific directory removal conditions. The btrfs directory removal path fails to update the inode's `last_unlink_trans` field, causing a stale transaction ID to persist. When a process holds an open file descriptor to the removed directory and subsequently calls fsync, the incomplete journal entry survives to disk; upon next mount, log replay fails with -EIO and a 'corrupt leaf: invalid nlink' critical error, leaving the filesystem unmountable. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects negligible opportunistic exploitation interest, consistent with a logic-flaw data-integrity bug rather than a memory-corruption primitive.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Kernel heap memory disclosure in the Linux btrfs subsystem allows a low-privileged local user to read uninitialized kmalloc heap bytes from kernel memory via a TOCTOU race in the btrfs_ioctl_space_info() code path. Affected systems are those running btrfs filesystems on kernel versions dating back to 2.6.34; the race window opens when groups_sem is released between the slot-counting and buffer-filling passes of the ioctl, and concurrent block group removal shrinks the actual entry count below the allocated buffer size, causing copy_to_user() to copy trailing uninitialized heap data into userspace. No public exploit has been identified at time of analysis and EPSS exploitation probability is extremely low (0.02%), but patched stable releases are available.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Socket reference count leak in the Linux kernel MPTCP path manager allows a local low-privilege attacker to cause kernel resource exhaustion and denial of service by repeatedly triggering ADD_ADDR retransmission events. Affected versions span from Linux 5.10 through 7.1-rc2, with patches confirmed available in stable releases 6.18.30, 7.0.7, and 7.1-rc3. No public exploit has been identified and EPSS probability is negligible at 0.02%, placing this firmly in routine maintenance priority rather than emergency response.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation risk in the Linux kernel's ALSA PCM OSS emulation layer stems from an unprotected concurrent access to the runtime.oss.trigger bit field, allowing racing writes to corrupt adjacent bit fields and destabilize sound device state. The flaw affects Linux kernel versions prior to 6.12.88, 6.18.30, and 7.0.7, and was discovered through fuzzing; no public exploit identified at time of analysis, and EPSS scoring (0.02%) indicates negligible probability of opportunistic exploitation.

Linux Information Disclosure Race Condition
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel panic (ADE - Address Error for Memory access) in the LoongArch-specific PCI fixup function loongson_gpu_fixup_dma_hang() crashes systems that boot with a discrete Loongson GPU whose PCI device ID does not match any handled case in the switch statement. The missing default case causes readl() to be called with a garbage MMIO address derived from uninitialized register state, resulting in a hard kernel panic at boot time (PID 1, swapper/0) and rendering the system unavailable. No public exploit identified at time of analysis, and EPSS is 0.02% (5th percentile), consistent with a hardware-specific local DoS requiring no attacker interaction.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds heap read in the Linux kernel's SMB client (smb/client) allows a malicious or compromised SMB server to leak adjacent kernel heap memory to a connected Linux client. The flaw lives in smb2_compound_op() where check_wsl_eas() fails to validate that OutputBufferLength fits within iov_len before a memcpy, so a truncated response with an oversized OutputBufferLength and an early-terminated EA list triggers the read past the rsp_iov allocation. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but upstream patches have been merged across multiple stable branches.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Local privilege escalation potential exists in the Linux kernel's sched_ext (SCX) subsystem where a use-after-free condition in cgroup setter operations can be triggered when a BPF scheduler is swapped concurrently with cgroup weight, idle, or bandwidth updates. The flaw affects kernel 6.18 and related stable branches and stems from reading scx_root outside the scx_cgroup_ops_rwsem, allowing a stale pointer to be dereferenced after the previous scheduler is freed via RCU. EPSS is very low (0.02%) and no public exploit is identified at time of analysis.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory exhaustion in the Linux kernel's 8021q VLAN subsystem allows a local user with low privileges to cause denial-of-service by repeatedly manipulating VLAN egress QoS priority mappings. The function `vlan_dev_set_egress_priority()` retains cleared priority entries as unreachable tombstones in the kernel hash table across set/clear cycles, accumulating until device teardown and leaking kernel memory. No public exploit exists and EPSS is 0.02% at the 5th percentile, indicating negligible real-world exploitation interest; however, the High availability impact in CVSS reflects potential OOM-triggered system instability on affected hosts.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Concurrency flaw in the Linux kernel's mac80211 WiFi subsystem (versions from 6.4 onward) can cause misrouted or dropped 802.11 frames on adjacent-network attacks. The bug stems from a stray `static` qualifier on the per-invocation `rx_result` in `ieee80211_invoke_fast_rx()`, which is documented as parallel-RX safe but in practice shares a single result variable across concurrent callers. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the CVSS rating of 8.8 reflects strong CIA impact under adjacent-network conditions.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Heap memory disclosure in the Linux kernel usblp USB printer driver allows a local attacker with a malicious USB printer to expose up to 1021 bytes of uninitialized kmalloc heap to userspace. The driver's usblp_cache_device_id_string() blindly trusts a device-supplied 2-byte big-endian length prefix in the IEEE 1284 GET_DEVICE_ID response, leaking stale kernel heap contents via the ieee1284_id sysfs attribute and the IOCNR_GET_DEVICE_ID ioctl. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile) and the vulnerability is not listed in CISA KEV, but vendor patches are confirmed across multiple stable kernel branches.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Permission check bypass in the Linux kernel's fanotify subsystem allows local low-privileged users to circumvent access control decisions enforced by fanotify-based security tools. The flaw stems from fsnotify_get_mark_safe() incorrectly returning false for marks on unrelated groups, causing the permission event evaluation to be skipped entirely. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%, but the impact on systems relying on fanotify for access control (antivirus, EDR, HSM) is significant.

Linux Authentication Bypass
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds stack read in the Linux kernel SCSI target subsystem's configfs interface allows a local privileged user to trigger a kernel panic or leak adjacent stack memory by reading the tg_pt_gp members sysfs attribute when a long iSCSI IQN fabric WWN (up to 223 bytes) is configured. The flaw stems from misusing the snprintf() return value (which reports intended length, not bytes written) as a memcpy() source length. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 5th percentile).

Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Incorrect hardware chip-select management in the Linux kernel spi/microchip-core-qspi driver causes the built-in hardware CS line to assert spuriously during SPI transactions directed at GPIO-managed chip selects on multi-device coreQSPI controllers. Systems using Microchip coreQSPI IP hardware with two or more attached SPI devices - where at least one device uses the built-in hardware CS - are subject to unintended bus assertion that can crash or disrupt SPI-dependent peripherals, producing a high-availability impact. No public exploit exists and EPSS stands at 0.02% (4th percentile), consistent with the narrow embedded-hardware topology required for manifestation; the vulnerability is not in CISA KEV.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Two distinct bugs in the Linux kernel's pKVM (protected KVM) arm64 vCPU initialization path allow a local low-privileged user to cause persistent resource pin leaks and observe partially initialized memory objects. The pin leak (Bug 1) occurs when an error path in __pkvm_init_vcpu() jumps to cleanup without releasing hyp_pin_shared_mem() references on host vCPU and SVE state pages, permanently exhausting pin references and ultimately degrading or crashing the hypervisor subsystem. A separate memory ordering flaw (Bug 2) uses a bare store to publish the vCPU pointer into hyp_vm->vcpus[], allowing a concurrent pkvm_load_hyp_vcpu() caller to read a partially initialized vCPU object. No active exploitation has been identified and EPSS is 0.02%, consistent with a kernel subsystem bug affecting a specialized configuration rather than a broadly targeted attack surface.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in the Linux kernel ALSA USB audio subsystem allows a local attacker to hang a CPU core indefinitely by presenting a malformed USB audio class v3 channel map descriptor. The affected function `convert_chmap_v3()` uses the descriptor field `cs_desc->wLength` as a loop increment without validating it, so a zero-length descriptor causes an unescapable infinite loop that saturates a CPU core until the process is killed or the system rebooted. No active exploitation has been confirmed - the vulnerability is absent from CISA KEV, and the EPSS score of 0.02% at the 5th percentile indicates negligible current attacker interest.

Linux Denial Of Service Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Linux kernel's RDMA/mana driver allows an authenticated low-privileged user to corrupt kernel memory by supplying an oversized rx_hash_key_len via the uAPI structure, which is passed unchecked to memcpy. The flaw affects kernels using the Microsoft Azure Network Adapter (MANA) RDMA driver and can lead to heap/stack overflow within kernel space, enabling potential code execution or system compromise. No public exploit identified at time of analysis, and EPSS is very low at 0.02% (5th percentile), indicating limited exploitation interest so far.

Linux Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource leak in the Linux kernel's RDMA/mana driver allows a local low-privileged user to exhaust kernel resources via a missing cleanup in the error unwind path of mana_ib_create_qp_rss(). The Microsoft Azure Network Adapter (MANA) InfiniBand subsystem fails to release mana_ib_cfg_vport_steering() allocations when QP RSS creation fails mid-flight, while the normal destroy path handles cleanup correctly - leaving the error path mismatched. No public exploit is identified and EPSS sits at 0.02% (5th percentile), reflecting very low real-world exploitation probability, though patches are confirmed available across multiple stable kernel branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's Qualcomm ASoC q6apm-lpass-dai audio driver allows a local low-privileged user to exhaust kernel memory by repeatedly invoking the ALSA prepare callback, which opens multiple APM graphs on the playback path without corresponding release. Affected systems are limited to those running Qualcomm LPASS audio hardware across several Linux stable branches (6.6.x, 6.9.x, 6.10, 6.12.x). No public exploit exists and EPSS at 0.02% (5th percentile) reflects negligible real-world exploitation interest; the practical impact is local denial of service on Qualcomm SoC-equipped devices.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

System hang vulnerability in the Linux kernel's libwx (WangXun) network driver affects systems using SR-IOV Virtual Functions. During VF initialization, the driver attempts to read register WX_CFG_PORT_ST, which is restricted to Physical Functions only; this illegal register access causes the system to hang, resulting in a complete denial of service. No public exploit exists and EPSS is 0.02%, but any system running a WangXun NIC with SR-IOV enabled and attaching a VF is directly exposed.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's powerpc XIVE interrupt subsystem causes progressive kernel heap exhaustion on IBM POWER9+ systems when MSI-X vectors are allocated and then freed for PCI devices such as NVMe controllers. The regression was introduced by commit cc0cc23babc9 which refactored the XIVE/child interrupt controller relationship: xive_irq_free_data() subsequently used the wrong domain lookup path, causing every allocated struct xive_irq_data (64 bytes) to be orphaned on irqdomain teardown. No public exploit is identified and EPSS stands at 0.02% (4th percentile), consistent with the narrow hardware-specific scope and local-only access requirement.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel's MediaTek Bluetooth driver (btmtk) lets a short or malformed WMT firmware event response trigger reads past the SKB tailroom in btmtk_usb_hci_wmt_sync(), potentially leaking adjacent kernel memory or crashing the host. The flaw affects systems using MediaTek USB Bluetooth controllers (MT76xx family) on kernels around 6.11 through release candidates of 7.1, scoring CVSS 7.1 with high confidentiality and availability impact. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%), but a vendor fix is available across multiple stable branches.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The Linux kernel SMB client transmits uninitialized kernel heap data in the reserved Sbz2 field of Windows ACL security descriptors to remote Samba servers, causing chmod operations on SMB-mounted filesystems to fail with EINVAL. This regression was introduced by commit 62e7dd0a39c2d, which split a struct field but left a newly created 2-byte reserved field unpopulated due to use of kmalloc() instead of kzalloc(). No public exploit exists (EPSS 0.02%, no KEV listing); the practical impact is an operational disruption of file permission management on Samba-backed mounts, with a secondary minor information disclosure of heap contents to the remote server.

Linux Microsoft Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Out-of-bounds heap read and infinite loop in the Linux kernel Bluetooth HCI event handler (hci_le_create_big_complete_evt) allows an adjacent attacker to trigger denial of service on systems with Bluetooth LE Isochronous (BIG) connections. The flaw arises when a malicious or malformed controller returns an LE_Create_BIG_Complete event with fewer bis_handle entries than expected, causing the kernel to read past the flex array and spin indefinitely while holding hci_dev_lock. No public exploit identified at time of analysis, and EPSS probability is very low (0.02%), but the issue is patched across multiple stable trees.

Linux Denial Of Service Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Race condition in the Linux kernel's MPTCP (Multipath TCP) path manager subsystem affects the mptcp_pm_add_timer() ADD_ADDR retransmission helper, where the timer callback runs in softirq context without holding the socket lock via bh_lock_sock(). The data race could lead to inconsistent socket state when concurrent operations touch the same MPTCP socket. Despite a CVSS of 9.8, EPSS is only 0.02% (5th percentile) and no public exploit identified at time of analysis; the tag 'Information Disclosure' suggests realistic impact is far below the headline score.

Linux Information Disclosure Race Condition
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Denial-of-service in the Linux kernel mt76/mt7921 MediaTek Wi-Fi driver lets a buffer-length (buf_len) underflow occur while iterating the CLC (country location configuration) power table, producing a near-infinite loop or an invalid power setting that crashes driver initialization. Systems running affected kernels with MediaTek MT7921 Wi-Fi hardware are impacted; classified CWE-787 (out-of-bounds write) with a vendor-assigned CVSS of 7.8 (local, AV:L). No public exploit identified at time of analysis and EPSS is very low (0.02%), consistent with a reliability/DoS defect rather than a readily weaponizable memory-corruption primitive.

Memory Corruption Linux Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Race condition in the Linux kernel's NVMe/TCP target (nvmet-tcp) subsystem allows a remote NVMe/TCP host to trigger a double kref_put() on a queue object by sending an Initialization Connection Request (ICReq) and immediately closing the connection. The flaw, fixed in stable releases 6.12.88, 6.18.30, and 7.0.7 (mainline 7.1-rc2), stems from nvmet_tcp_handle_icreq() updating queue->state without serializing against concurrent target-side queue teardown, defeating the DISCONNECTING-state guard and enabling a use-after-free condition. No public exploit identified at time of analysis and EPSS is very low (0.02%), indicating limited real-world exploitation interest despite the headline 9.8 CVSS.

Linux Information Disclosure Race Condition
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's cros_ec_typec driver crashes the kernel when a Thunderbolt alternate mode operation is processed on affected ChromeOS devices. The flaw originates in cros_typec_register_thunderbolt(), which allocates the adata structure but omits mutex_init(&adata->lock); when cros_typec_altmode_work() later acquires that uninitialized mutex, the kernel dereferences a NULL or garbage pointer and panics. No public exploit code exists and EPSS of 0.02% (4th percentile) reflects the narrow hardware prerequisite and strictly local-only attack surface; the vulnerability is not listed in CISA KEV.

Linux Denial Of Service Google +3
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial-of-service in the Linux kernel's Soft RoCE (RDMA/rxe) driver allows unauthenticated attackers to crash the kernel by sending a single crafted 48-byte UDP packet to port 4791 with an undefined BTH opcode. The flaw triggers an out-of-bounds read in rxe_icrc_hdr() via crc32_le() due to zero-initialized rxe_opcode[] entries causing arithmetic underflow, panicking the host with no public exploit identified at time of analysis though EPSS is very low at 0.03%.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel stack information leak in Linux rtnetlink's rtnl_fill_vfinfo() exposes up to 26 bytes of uninitialized kernel stack memory to any unprivileged local user on systems with SR-IOV NICs. The flaw exists because struct ifla_vf_broadcast (32 bytes) is declared on the stack without zeroing, only the first 6 bytes are filled via memcpy on Ethernet devices, and the full struct is transmitted to userspace via RTM_GETLINK responses. No public exploit is identified at time of analysis and EPSS is 0.02% (5th percentile), but the attack is trivially repeatable without any special privileges, making it a practical KASLR bypass primitive or sensitive-data harvesting tool on multi-tenant or shared-access Linux systems.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Availability impact in Linux Kernel KVM's x86 nested virtualization subsystem allows a low-privileged user operating within an L2 (nested) guest to trigger a host kernel denial-of-service via incorrect hypercall handling. The root cause is an incorrect guard condition in slow-flush hypercall paths: KVM checks `is_guest_mode(vcpu)` before calling `translate_nested_gpa()`, but that translation function is only valid when the L2 guest is running with nested EPT/NPT actually enabled - not merely when guest mode is active. No public exploit has been identified at time of analysis, and EPSS exploitation probability is 0.02% (5th percentile). Vendor-released patches are available across multiple stable branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's dm-verity-fec (forward error correction) subsystem allows kernel memory disclosure or a crash when decoding Reed-Solomon parity data. The flaw affects the device-mapper verity FEC code where fec_decode_bufs() wrongly assumes parity bytes of the first RS codeword never span a parity-block boundary; with certain non-default fec_roots values combined with low-memory buffer-allocation failures, the decoder reads past the end of the parity block buffer. Tracked as CWE-125, it carries a 7.1 CVSS (local, low complexity per NVD) but a negligible EPSS of 0.02%, and there is no public exploit identified at time of analysis.

Linux Buffer Overflow Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel's btrfs filesystem stems from a double-free in create_space_info() when kobject_init_and_add() fails during sysfs registration. The flaw affects multiple stable Linux branches (6.6.x, 6.12.x, 6.18.x prior to the fixed releases) and could allow a local attacker with low privileges to corrupt kernel memory; no public exploit identified at time of analysis and EPSS is very low (0.02%).

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial-of-service in the Linux kernel IPMI subsystem allows a system crash when the BMC (Baseboard Management Controller) returns a malformed empty event message buffer instead of a proper error code. The kernel's IPMI driver defers response size validation to later processing stages rather than checking immediately upon receipt, causing it to process invalid data from certain non-compliant BMC firmware. No public exploit exists and EPSS is 0.02% (5th percentile); the trigger is hardware-driven misbehavior rather than deliberate attacker input, but the availability impact is high (kernel panic). Patched kernel versions are available across multiple stable branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's RDMA/ocrdma driver crashes systems running Emulex OneConnect RDMA adapters. The flaw exists in `ocrdma_copy_pd_uresp()`, where error-path code dereferences `pd->uctx` before it is initialized, producing a kernel panic and complete system unavailability when triggered. No public exploit code has been identified and EPSS sits at 0.02% (5th percentile), reflecting very low exploitation probability at this time; however, the local low-privilege vector means any unprivileged user on an affected system with ocrdma hardware present could trigger the crash.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Improper error-path cleanup in the RDMA/mana driver's `mana_ib_create_qp_rss()` function allows a local low-privileged user on Azure VMs with Microsoft MANA NICs to crash the kernel. Two logic bugs in the WQ table unwind - a redundant `i--` that skips a cleanup iteration, and a missed `mana_destroy_wq_obj()` call when `mana_ib_install_cq_cb()` fails - leave kernel objects in a dangling state, producing a high-availability (DoS) impact. No public exploit exists and EPSS is at the 5th percentile; this vulnerability is not in CISA KEV.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free/double-free in the Linux kernel's mac80211 wireless subsystem affects systems with Multi-Link Operation (MLO) Wi-Fi connections when debugfs is enabled. The flaw occurs when connection preparation fails for MLO connections and the interface is reset to non-MLD without removing the associated station, corrupting debugfs state. EPSS probability is 0.02% (5th percentile) and no public exploit identified at time of analysis, but the CVSS 8.8 score reflects high impact on adjacent-network reachable systems.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Information disclosure in the Linux kernel isofs filesystem allows authenticated NFS peers to read arbitrary in-range blocks from the backing device by submitting crafted NFS file handles to isofs_export_iget(). The flaw resides in isofs_fh_to_dentry() and isofs_fh_to_parent(), which previously only rejected block==0 before passing the attacker-controlled block number to sb_bread(), exposing unrelated adjacent-partition data as iso_inode_info fields returned to NFS clients. No public exploit identified at time of analysis, EPSS is 0.02% (5th percentile), and this is reported as hardening adjacent to the prior CVE-2025-37780 fix.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Out-of-bounds read and information disclosure in the Linux kernel's virtio_bt (virtio Bluetooth) driver allows a malicious or buggy virtio backend to leak uninitialized kernel heap memory into received Bluetooth skbs. The virtbt_rx_work() function trusted the device-reported length from virtqueue_get_buf() without clamping it to the 1000-byte buffer actually exposed via sg_init_one(), so a hostile backend can report lengths between 1001 and skb_tailroom() - or 0 - causing skb_put() to expose untouched heap bytes or virtbt_rx_handle() to read an uninitialized pkt_type. No public exploit identified at time of analysis and EPSS is 0.02% (5th percentile), but a vendor patch is available.

Linux Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds memory read in the Linux kernel's b43 Broadcom wireless driver allows leakage of adjacent kernel memory when the device firmware supplies a key index that exceeds the 58-entry dev->key[] array in b43_rx(). The pre-patch guard (B43_WARN_ON) is a no-op in production kernels, so the invalid index was used to index the array unchecked. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%); the fix enforces the bounds check and drops the offending frame.

Linux Buffer Overflow Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's DAMON sysfs interface (mm/damon/sysfs-schemes) lets a local actor with access to the 'memcg_path' file race a read against a concurrent write that frees the underlying buffer, accessing freed kernel memory. The flaw affects DAMON-enabled builds across the 6.6.96, 6.12.36, 6.15.5 and 6.16-rc lines, and is fixed by serializing both direct reads and writes under damon_sysfs_lock. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; it is not in CISA KEV.

Memory Corruption Linux Use After Free +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and kernel memory corruption in the Linux kernel's IPv6 GRE (ip6_gre) subsystem stem from ip6erspan_changelink() using dev_net(dev) instead of the cached t->net after IFLA_NET_NS_FD migration, causing a tunnel to be re-inserted into the wrong per-netns hash. When the original network namespace is later destroyed, the stale entry triggers a slab-use-after-free (flagged by KASAN) and a kernel BUG at LIST_POISON1, reachable from an unprivileged user namespace. No public exploit identified at time of analysis, though the bug is trivially reachable via unshare and EPSS exploitation probability is low (0.02%).

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Information disclosure and denial of service in the Linux kernel's libceph subsystem allows remote Ceph servers (or attackers able to spoof/MITM unauthenticated Ceph traffic) to trigger a slab-out-of-bounds read by sending a crafted CEPH_MSG_AUTH_REPLY message with a positive result value. The flaw causes the kernel client to send memory contents past the allocated front-segment buffer back over the wire, potentially leaking adjacent kernel heap data and destabilizing the host. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the CVSS of 9.1 reflects the network-reachable, no-privileges-required nature of the bug in affected Ceph client deployments.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's pseries/papr-hvpipe subsystem crashes IBM POWER/pSeries hosts via a local ioctl call. The flaw was introduced by commit 6d3789d347a7, which refactored papr_hvpipe_dev_create_handle() to use FD_PREPARE() but left src_info accessible after retain_and_null_ptr() nulled it, causing a write to address 0x0 when the pointer is subsequently used in the global list insertion path. Exploitation requires local low-privileged access on pSeries hardware; no public exploit exists and EPSS is 0.02%, indicating negligible opportunistic exploitation risk.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and kernel memory corruption in the Linux kernel's RDMA/mana driver allows authenticated local users to trigger a user-reachable WARN_ON() and subsequently corrupt kernel memory by specifying Work Queues that share the same Completion Queue through the uAPI of mana_ib_create_qp_rss(). The flaw affects Linux 6.8 through versions before the patched 6.12.91, 6.18.30, 7.0.7, and 7.1-rc3 releases. No public exploit identified at time of analysis, and EPSS scoring is low at 0.02%.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's xfrm (IPsec) state management subsystem allows local attackers with low privileges to trigger memory corruption via concurrent xfrm_state lifecycle operations. The flaw resides in __xfrm_state_delete() where value-based predicates on x->km.seq and x->id.spi can race with xfrm_alloc_spi() outside of xfrm_state_lock, leading to slab-use-after-free writes through LIST_POISON pointers on the byseq/byspi/bydst/bysrc hash chains. No public exploit identified at time of analysis, and EPSS is very low at 0.02% (5th percentile), but a vendor patch is available.

Linux Denial Of Service Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Incorrect bvec coalescing in the Linux kernel's block layer (biovec_phys_mergeable) can merge physically contiguous bio_vec segments that belong to different zone-device dev_pagemaps, corrupting the ability to recover the correct pgmap via page_pgmap() for the merged segment. The flaw affects systems using zone device memory registered in multiple chunks (e.g., DAX/persistent memory or GPU/accelerator memory backends) and was fixed upstream; no public exploit is identified at time of analysis and EPSS exploitation probability is very low (0.02%, 5th percentile).

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote information disclosure in the Linux kernel's RDMA Soft-RoCE (rxe) driver allows unauthenticated network attackers to leak adjacent kernel skb head-buffer memory by sending zero-length ATOMIC_WRITE RDMA packets. The flaw, tracked as CVE-2026-46114 and affecting kernels from 6.2 onward, lets a remote initiator extract 4 bytes of kernel tailroom per probe - including kernel strings and partial direct-map pointer words - into an attacker-controlled memory region. No public exploit identified at time of analysis and EPSS is low (0.05%, 17th percentile), but the vendor (kernel.org) has released stable patches across multiple branches.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Use-after-free in the Linux kernel's KVM x86 shadow MMU allows a malicious guest VM to corrupt host memory and potentially escalate privileges on the hypervisor. The flaw occurs when a guest modifies its page tables between VM entries, causing KVM to install rmap entries outside the expected GFN range of a direct-mapped shadow page; subsequent rmap walks (e.g., during dirty logging or MMU notifier invalidations from MADV_DONTNEED) then dereference a freed kvm_mmu_page. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug has existed since the earliest KVM versions and is now patched upstream.

Linux Information Disclosure Memory Corruption +1
NVD VulDB GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation risk in the Linux kernel's RDMA/hns driver stems from an unlocked call to hns_roce_qp_remove() in the error unwind path of hns_roce_qp_remove_common(). Low-privileged local users on systems with HiSilicon RoCE (hns) RDMA hardware could trigger the error flow to corrupt kernel memory, with EPSS at 0.02% indicating no known exploitation, and no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel Bluetooth subsystem (hci_conn) stems from a use-after-free in create_big_sync() when a Broadcast Isochronous Group (BIG) creation races against connection teardown. A local low-privileged attacker on a system with active Bluetooth LE Audio operations could trigger the freed hci_conn dereference through hci_connect_cfm()/hci_conn_del(), enabling memory corruption with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 5th percentile), reflecting limited weaponization despite the CVSS 7.8 rating.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel's stmmac Ethernet driver allows remote attackers to trigger a NULL pointer dereference and kernel panic on systems using STMicroelectronics MAC network controllers under sustained memory pressure. The flaw stems from incomplete handling of the DMA RX descriptor ring lifecycle, where stmmac_rx() cannot distinguish 'full' from 'dirty' descriptors when stmmac_rx_refill() fails to allocate replacement buffers. EPSS rates exploitation probability at only 0.02% (5th percentile), and no public exploit identified at time of analysis.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel USB ULPI subsystem allows a local low-privilege attacker to gradually exhaust kernel memory by repeatedly triggering registration failures in the ulpi_register() function. A prior fix for a double-free (commit 01af542392b5) removed the kfree(ulpi) call on the device_register() failure path but inadvertently left the allocation unreleased when ulpi_of_register() or ulpi_read_id() fail before device_register() is ever reached. No public exploit exists and EPSS is 0.02%, indicating minimal real-world exploitation pressure; however, patched kernel stable releases are available across all supported branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in the Linux kernel's IPMI SI (System Interface) driver results from improper state machine recovery when message allocation fails, leaving the driver stuck in a non-normal state and rendering the IPMI subsystem non-functional. Locally authenticated users with low privileges on affected systems with an active ipmi_si module can trigger this condition, typically under memory-pressure scenarios. No public exploit has been identified at time of analysis; EPSS at 0.02% (5th percentile) confirms negligible exploitation interest, and patches are available across multiple stable kernel branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation or denial-of-service in the Linux kernel's dm-thin (device-mapper thin provisioning) target stems from a metadata reference-count underflow in rebalance_children(). Local users with access to thin-provisioned device-mapper volumes can trigger 'unable to decrement block' errors that corrupt metadata accounting on shared btree nodes, with no public exploit identified at time of analysis and a very low EPSS score (0.02%, 5th percentile) indicating limited exploitation interest despite the high CVSS of 7.8.

Linux Information Disclosure Integer Overflow
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Three concurrent race conditions in the Linux kernel's eventfs subsystem (tracefs) can be triggered during remount operations, leading to kernel denial-of-service via LIST_POISON1 pointer dereference or use-after-free. Systems running affected kernel versions with tracefs mounted are vulnerable when a local user with sufficient privilege simultaneously remounts the filesystem while kprobe events are being added or removed. No public exploit code has been identified at time of analysis, and EPSS at 0.02% (5th percentile) indicates very low observed exploitation probability.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local denial of service in the Linux kernel's mpt3sas SCSI driver allows a privileged local user to trigger a kernel oops by issuing oversized NVMe I/O operations against drives behind Broadcom/LSI MPT3 SAS HBAs. The flaw stems from a size mismatch between firmware-reported MDTS values and the driver's fixed 4K PRP list buffer, and no public exploit identified at time of analysis. EPSS is very low (0.02%, 4th percentile), consistent with a kernel reliability bug requiring local privileged access rather than a remote attack surface.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

SELinux socket permission helpers in the Linux kernel misread security blob data in stacked LSM configurations, causing kernel crashes or incorrect AVC (Access Vector Cache) decisions. Specifically, sock_has_perm() and nlmsg_sock_has_extended_perms() dereference sk->sk_security directly under the assumption that the SELinux blob always sits at offset zero, which fails when another LSM allocates socket blob storage ahead of SELinux in a stacked configuration. No public exploit has been identified at time of analysis, EPSS is 0.02%, and patches are available for Linux 6.18.30 and 7.0.7.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0%
PATCH Awaiting Data

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/05/21. he.org>) Linux kernel: Dirty Frag variants — fix merged into netdev (Hyunwoo Kim <imv4bel@...il.com>) Re: Linux kernel: Dirty Frag variants — fix merged into netdev (Solar Designer <solar@...nwall.com>) Re: Linux kernel: Dirty Frag variants — fix merged into netdev (Hyunwoo Kim <imv4bel@...il.com>) CVE-2026-47243: Kata Containers runtime-rs 3.30: virtiofsd symlink escape (Aurelien Bombo <aurelien.bombo@...rosoft.com>) CVE-2026-46473: Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand (Robert Rothenberg <rrwo@...nsec.org>) Re: On the issue of MIME handlers that execute arbitrary code (e.

Linux RCE
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's CAN UCAN USB driver allows a local low-privileged user to exhaust kernel memory by repeatedly triggering driver unbind cycles without physical device disconnection. The flaw (CWE-401) exists because devres-managed buffers are incorrectly scoped to the parent USB device rather than the USB interface, so they are never released during software-initiated unbind events such as probe deferral or configuration changes. No public exploit code exists and EPSS sits at 0.02% (5th percentile), indicating near-zero real-world exploitation probability despite the CVSS Availability: High rating.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial of service in the Linux kernel's stream parser (strparser) subsystem allows attackers to exhaust memory by repeatedly triggering message assembly timeouts that fail to release partially assembled skb buffers. The flaw resides in strp_abort_strp(), which leaks strp->skb_head on abort, and affects kernels from at least 4.9 through the 6.x and 7.x release lines until the fix introduced in 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. No public exploit identified at time of analysis, and EPSS (0.02%, 5th percentile) reflects low predicted exploitation in the next 30 days despite the CVSS 7.5 rating.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Undefined behavior in the Linux kernel's nftables bitwise expression handler allows a local attacker with low privileges to crash the kernel. The nft_bitwise subsystem failed to reject zero-value shift operands during rule initialization; a zero shift causes the carry propagation formula (BITS_PER_TYPE(u32) - shift = 32 - 0 = 32) to perform a 32-bit shift of a 32-bit type, which is undefined behavior in C and can result in a kernel panic. No public exploit is identified at time of analysis, and EPSS at 0.02% (5th percentile) indicates very low automated exploitation activity, consistent with the local-only attack vector requiring nftables configuration privileges.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-impacting memory corruption in the Linux kernel's AFS filesystem can be triggered by an authenticated local user mapping AFS files, leading to a refcount leak that can cause kernel resource exhaustion or use-after-free conditions affecting confidentiality, integrity, and availability. The flaw stems from an incorrect conversion of AFS's mmap handler to the new .mmap_prepare() interface (commit 9d5403b1036c), which leaks reference counts when a VMA merge or allocation failure occurs after the prepare call. No public exploit identified at time of analysis and EPSS rates exploitation likelihood at just 0.02%.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Use-after-free in the Linux kernel's IPv6 SR (seg6) and RPL lightweight tunnel input paths can be triggered on PREEMPT_RT builds when a higher-priority task races ksoftirqd during a concurrent FIB lookup on a shared nexthop. The flaw causes dst_cache_set_ip6() to call dst_hold() on a freed per-CPU route, producing a kernel warning or memory corruption that an attacker on the network could leverage for denial of service or potential code execution. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Use-after-free in the Linux kernel CAIF networking subsystem allows a local low-privileged user to crash the kernel via a double invocation of caif_free_client(). The CAIF socket layer in caif_connect() can tear down a client on remote shutdown, freeing the service object via adap_layer->dn but leaving that pointer stale; when the socket is later destroyed, caif_sock_destructor() dereferences the already-freed pointer, triggering a NULL pointer dereference (CWE-476) and kernel oops. No public exploit exists and EPSS sits at 0.02% (5th percentile), but vendor-released patches are available across multiple stable kernel branches.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
Prev Page 8 of 143 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy