Linux
Monthly
Use-after-free in the Linux kernel's edt-ft5x06 capacitive touchscreen driver (CWE-416) lets a local actor with access to the driver's per-client debugfs interface read or corrupt freed kernel memory during device teardown. The regression was introduced by commit 68743c500c6e, which removed manual debugfs cleanup and left a window where debugfs files referencing tsdata->raw_buffer remained accessible after the buffer was freed. No public exploit identified at time of analysis; EPSS is very low (0.02%, 4th percentile) and it is not in CISA KEV, but a vendor (stable-tree) patch is available.
Memory leak in the Linux kernel's TPM2 session subsystem allows a local low-privileged user to exhaust kernel memory over time via repeated invocations of the vulnerable tpm2_read_public() function. The function allocates a kernel buffer via tpm_buf_init() but fails to call tpm_buf_destroy() on both its success path and its error path triggered by an unrecognized hash algorithm, leaking a page allocation each time. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% at the 4th percentile reflects very low real-world exploitation probability.
Race condition in the Linux kernel's md/md-llbitmap subsystem can cause availability loss on systems using software RAID with bitmap tracking. The barrier raise in llbitmap_start_write() and llbitmap_start_discard() occurs after the state machine transition is initiated, creating a window where concurrent state changes proceed without synchronization - potentially crashing the RAID subsystem or rendering an md array unavailable. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (4th percentile) reflects negligible automated exploitation risk. Patches are available across multiple stable kernel branches.
Out-of-bounds read in the Linux kernel's ext4 filesystem driver allows a local attacker to read up to 3 bytes beyond a valid extended-attribute (xattr) region, potentially leaking adjacent kernel memory or crashing the system. The flaw lives in check_xattrs(), where a loose bounds check on the next xattr entry lets IS_LAST_ENTRY() perform a 4-byte read that overruns the buffer when parsing a crafted or corrupted ext4 xattr block. It is not in CISA KEV and no public exploit identified at time of analysis; EPSS is negligible at 0.02% (5th percentile), consistent with a low-impact local memory-safety bug that has already been patched upstream.
Concurrent execution race in the Linux kernel's mm/vmalloc subsystem allows a local low-privileged attacker to trigger memory corruption or leaks by exercising the vmap_node shrinker simultaneously with lazy vmap purge operations. The flaw stems from unserialized invocation of decay_va_pool_node() between __purge_vmap_area_lazy() and the shrinker path. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the issue is patched upstream in the stable tree.
Null pointer dereference in the Linux kernel rtw88 PCIe WiFi driver for the Realtek 8821CE adapter crashes the kernel during driver probing when the card is installed directly on a root PCI bus without an upstream PCI-to-PCI bridge. The defect was discovered via Svace static analysis by the Linux Verification Center - not through active exploitation - and no public exploit has been identified at time of analysis. EPSS of 0.02% (5th percentile) reflects the highly hardware-specific triggering condition, though the crash is deterministic when that condition is met.
Denial of service in the Linux kernel's igorplugusb infrared remote control driver allows a local low-privileged user to crash the kernel on systems where a compatible USB IR receiver is connected and the host controller performs DMA on control requests. The igorplugusb driver failed to allocate the USB control request structure separately, violating DMA coherency requirements enforced by certain host controllers - an object allocated on the kernel stack or embedded in a larger structure is not guaranteed to be DMA-safe. No public exploit code exists, and EPSS of 0.02% confirms negligible exploitation interest. Vendor-released patches are available across multiple stable branches.
Local privilege escalation potential via use-after-free in the Linux kernel's ALSA aloop (snd-aloop) driver allows authenticated local users to trigger memory corruption by racing PCM stream close against a peer format-change stop. The flaw stems from snd_pcm_stop() running after cable->lock is dropped, leaving a stale peer substream pointer that can be freed by a concurrent close. Upstream fixes are merged into stable trees (6.12.88, 6.18.27, 7.0.4, 7.1-rc2); no public exploit identified at time of analysis and EPSS is very low at 0.02%.
The zram compressed-RAM block device driver in the Linux kernel hangs processes indefinitely when partial discard requests are submitted on systems where the discard granularity is smaller than the system page size (e.g., 4K discards on ARM64 systems with 64K pages). The driver correctly identifies partial discards as unsupported and returns early, but omits calling bio_endio(), leaving submit_bio_wait() blocked forever. Exploitation requires local access to a zram device with low privileges; no public exploit exists and EPSS is 0.02%, consistent with a niche local denial-of-service. Patches are available across multiple stable kernel branches.
Kernel panic via exhausted buffer in the ALSA control subsystem affects Linux kernel builds compiled with CONFIG_FORTIFY_SOURCE and Clang, allowing a local low-privileged user to crash the system. The function snd_ctl_elem_init_enum_names() fails to guard against a zero buf_len before invoking strnlen(), and Clang's fortified strnlen fires a BRK exception when it cannot determine the object size of the advanced pointer p inside the loop - panicking the kernel before the intended error-path return. Discovered through kernel fuzz testing on Xiaomi Smartphone hardware; no public exploit and no KEV listing; EPSS is 0.02%.
Memory leak in the Linux kernel's DAMON statistics subsystem (mm/damon/stat) causes kernel memory exhaustion when damon_start() fails during damon_stat_start(). The allocated DAMON context is never freed on the failure path, and the stale global pointer is overwritten on each subsequent enable attempt, making prior allocations permanently unreachable. Exploitation requires local access with low privileges, yields high availability impact (A:H) via progressive kernel memory exhaustion, and no public exploit or active exploitation has been identified at time of analysis.
NULL pointer dereference in the Linux kernel bridge subsystem's FDB (Forwarding Database) RCU readers allows a local low-privileged user to crash the kernel via a sysfs read race. The vulnerability in `br_fdb_fillbuf()` - reached through the `brforward_read()` sysfs path - loads `f->dst` multiple times without synchronization, enabling a concurrent `fdb_delete_local()` call to nullify the pointer between the NULL check and the subsequent `port_no` dereference. No active exploitation has been identified (EPSS 0.02%, not in CISA KEV), but vendor patch commits are available across all active stable kernel branches.
Remote denial-of-service in the Linux kernel rxrpc subsystem (rxkad authentication) allows unauthenticated network attackers to crash vulnerable hosts by sending packets with misaligned crypto length fields. The flaw stems from improper handling of decryption errors and a remotely-triggerable WARN_ON_ONCE() in the rxkad packet processing path. EPSS scoring is very low (0.02%) and no public exploit identified at time of analysis, but the CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) rating reflects the unauthenticated remote availability impact.
Use-after-free in the Linux kernel's RDMA mana_ib driver (Microsoft Azure Network Adapter) lets a local user trigger stale firmware RX steering after destroying an RSS QP, so incoming completions land on reused CQ IDs and corrupt kernel state. It affects Linux deployments on Azure VMs using MANA with RDMA/DPDK; an attacker who can create and destroy RSS QPs (e.g., via a DPDK application exit while a peer keeps transmitting) can drive completions onto TX CQs and crash or corrupt the driver. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%, 5th percentile), indicating low real-world exploitation likelihood.
Resource leak in the Linux kernel SPI subsystem allows a local low-privileged attacker to exhaust kernel resources and cause denial of service. The flaw affects multiple stable kernel branches (5.4.x through 7.x) and occurs when spi_setup() fails during SPI device registration, leaving resources allocated by setup() unreleased because the controller cleanup() callback is never invoked on the error path. No public exploit exists and EPSS sits at 0.02% (5th percentile), indicating very low real-world exploitation probability; this is a stability fix appropriate for routine patching rather than emergency response.
KVM SVM subsystem in the Linux Kernel incorrectly handles the INVLPGA instruction when EFER.SVME=0, failing to inject the required #UD (Undefined Opcode) exception into the guest VM. Systems running AMD hardware virtualization (AMD-V/SVM) under KVM are affected from kernel 2.6.32 through multiple stable branches, with the flaw enabling a low-privileged guest user to trigger a high-severity availability impact. No public exploit exists and EPSS stands at 0.02% (5th percentile), indicating very low current exploitation probability; however, the kernel maintainers tagged this for stable backports across six separate stable branches, reflecting broad deployment surface.
Local privilege escalation via memory corruption in Linux Kernel crypto subsystem (acomp) affects systems using asynchronous hardware compression accelerators such as Intel QAT. The flaw stems from acomp_save_req() storing the wrong pointer (&req->chain instead of req itself) in req->base.data, causing the completion callback acomp_reqchain_done() to dereference fields at incorrect offsets. No public exploit identified at time of analysis, and EPSS is very low at 0.02%, but the high CVSS (7.8) reflects potential for memory corruption with high confidentiality, integrity, and availability impact.
Credit exhaustion in the OCFS2 DIO completion path of the Linux kernel can cause the JBD2 journaling layer to exceed its maximum transaction credit limit, resulting in kernel warnings and a high-availability denial-of-service condition. Systems running the Linux kernel with the OCFS2 cluster filesystem configured for direct I/O workloads across multiple stable branches (6.6.x, 6.12.x, 6.18.x, 7.0.x) are affected. A local attacker with low privileges and write access to an OCFS2 volume can trigger complex extent tree merges that request more than 5449 JBD2 credits, destabilizing the filesystem journal. No public exploit is identified at time of analysis, and EPSS sits at the 5th percentile, reflecting very low real-world exploitation probability.
Null-pointer dereference in the Linux kernel's RBD (RADOS Block Device) subsystem crashes the kernel when device_add_disk() fails after device_add() has already succeeded. Systems running Linux kernel with Ceph RBD support enabled are affected across multiple stable branches from the introduction of commit 27c97abc30e2 through the patched releases. A local attacker with sufficient privileges to map RBD images via the sysfs interface can trigger this error path to cause a kernel panic and system-wide denial of service. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.02% at the 5th percentile signals negligible weaponization probability.
Out-of-bounds read in the Linux kernel's EROFS filesystem driver allows a local attacker to crash the system or potentially leak kernel memory by mounting a crafted EROFS image. The flaw stems from missing validation of the trailing dirent nameoff field, which can underflow during strnlen() and cause reads beyond the directory block. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a vendor patch is available across multiple stable kernel branches.
Incorrect DMA synchronization direction in the Linux kernel's atmel-tdes crypto driver exposes systems running on non-coherent cache architectures to stale cache data reads. The atmel-tdes driver incorrectly calls dma_sync_single_for_device() instead of dma_sync_single_for_cpu() before the CPU consumes DMA output, causing cache invalidation to be skipped on non-coherent platforms (typically ARM-based Atmel/Microchip SoCs). This means the CPU may read stale cached data rather than actual DES/3DES operation output, producing incorrect cryptographic results and potential information exposure from prior cache contents. No public exploit exists and EPSS is 0.02%, but hardware-platform specificity limits real-world reach significantly.
Privilege escalation and denial of service in the Linux kernel's nested SVM (nSVM) virtualization subsystem allows an L2 guest to issue VMMCALL hypercalls as if it were L1 when nested_svm_l2_tlb_flush_enabled() is true, L1 does not intercept VMMCALL, and the hypercall is not a supported Hyper-V call. The fix forces KVM to synthesize a #UD exception in this scenario, matching architectural behavior; no public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%).
Local privilege escalation and memory corruption in the Linux kernel's atmel-sha204a crypto driver allows an attacker who can remove or unbind the device to trigger a use-after-free during the driver teardown path. The flaw stems from failing to unregister the hwrng and flush the Atmel I2C workqueue before teardown, letting a queued ->read() callback execute against freed state, and an early return that also leaks the hwrng.priv allocation. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, so this is a defense-in-depth hardening fix rather than an urgent emergency.
Memory leak and potential use-after-free in the Linux kernel's spi-ch341 USB driver expose systems to local denial-of-service when CH341 device probe failures occur without proper resource cleanup. Kernels from the commit introducing the spi-ch341 driver (8846739f52afa07e63395c80227dc544f54bd7b1) through the respective stable-branch fix commits across the 6.11 through 7.0 lineages are affected. Repeated probe failures accumulate leaked kernel memory that can exhaust system resources; no active exploitation is identified (EPSS 0.02%, no CISA KEV listing), placing this firmly in the maintenance-priority rather than incident-response category.
Linux kernel's hwmon powerz USB power meter driver fails to cancel an in-flight USB Request Block (URB) when a process is interrupted by a signal mid-read, resulting in reads from an unfilled DMA transfer buffer that can cause denial of service and potentially expose stale kernel buffer contents. Affected since commit 4381a36abdf1c5c0323c1c51f869dc000115eb20 and patched in stable releases 6.12.86, 7.0.4, and 6.18.27. No public exploit exists and EPSS is 0.02% (5th percentile), reflecting both the niche hardware dependency and strictly local attack surface; this issue is not listed in CISA KEV.
Out-of-bounds heap read in the Linux kernel ntfs3 driver's run_unpack() function allows a local user to crash the kernel by mounting a crafted NTFS image. The flaw affects multiple stable kernel branches from 5.15 onward, where run list parsing in MFT attributes consumes up to 15 bytes beyond the valid buffer boundary without checking remaining buffer size. No public exploit code exists and EPSS sits at 0.02% (5th percentile), but the local denial-of-service impact is A:H and patches are available across all affected stable branches.
KVM nested SVM (AMD virtualization) in the Linux kernel incorrectly marks VMCB_LBR dirty in the guest's vmcb12 during nested VM exit processing, triggering architecturally undefined behavior that results in hypervisor availability loss. Affected are Linux kernels from 5.19 through versions preceding the stable-branch patches at 6.18.27 and 7.0.4. A low-privileged local attacker operating within a nested virtual machine on an AMD SVM-capable host can exploit this to crash or destabilize the host KVM layer. No public exploit and no CISA KEV listing exist; EPSS sits at 0.02% (4th percentile), confirming negligible opportunistic exploitation probability.
Out-of-bounds read in the Linux kernel md/raid5 journal recovery path allows a local privileged user supplying a corrupted MD RAID5 journal device to trigger memory disclosure or kernel crashes during journal replay. The flaw exists in r5c_recovery_analyze_meta_block() and r5l_recovery_verify_data_checksum_for_mb(), which trusted on-disk payload size fields without validating them against the metadata block's remaining space. No public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.02% (5th percentile).
Use-after-free in the Linux kernel's mwifiex Wi-Fi driver (Marvell) occurs during adapter teardown: mwifiex_adapter_cleanup() calls the non-synchronous timer_delete() on the wakeup_timer, so a still-running wakeup_timer_fn callback can dereference adapter fields (hw_status, if_ops.card_reset) after mwifiex_free_adapter() frees them along the card-removal path. A local attacker who can trigger device removal while the timer fires could corrupt freed kernel memory, enabling privilege escalation or denial of service. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%, 5th percentile), and the fix (timer_delete_sync()) is merged into stable releases.
Improper memory deallocation in the Linux kernel's NX-842 hardware compression crypto driver (nx842_crypto_alloc_ctx/free_ctx) causes bounce buffers allocated as order-2 (4 pages) to be released with single-page free_page() calls, leaking three of every four pages. The flaw is local-only with no public exploit identified at time of analysis, and EPSS (0.02%, 5th percentile) reflects negligible mass-exploitation interest. Note that the NVD CVSS (7.8, C:H/I:H/A:H) appears overstated for what the upstream commit explicitly describes as a memory leak rather than corruption.
Out-of-bounds memory access in the Linux kernel's DAMON (Data Access MONitor) subsystem allows a local user with access to the DAMON sysfs interface to read out-of-bounds kernel memory or crash the system. The flaw exists because mm/damon/core failed to validate the user-supplied node ID (damos_quota_goal->nid) before using it in NODE_DATA() for the node_memcg_used_bp and node_memcg_free_bp quota goal metrics. The kernel description includes a working reproduction using the user-space 'damo' tool, but no public weaponized exploit and no active exploitation (CISA KEV) have been reported; EPSS is negligible at 0.02%.
Kernel panic in the Linux Ceph filesystem client affects systems running fscrypt-encrypted CephFS on kernel versions 6.18.16-6.18.29, 6.19.6, and 7.0.x prior to 7.0.4. An off-by-one error (CWE-193) in `ceph_wbc->num_ops` during encrypted writeback causes a hard BUG_ON assertion in `ceph_submit_write()`, crashing the kernel when a bounce buffer allocation fails under memory pressure. No public exploit exists and EPSS is 0.02% (4th percentile), but the CVE description contains a precise reproduction recipe, making reliable local triggering straightforward for anyone with write access to an affected encrypted mount.
Local privilege escalation and memory corruption in the Linux kernel fbdev deferred I/O subsystem allows local low-privileged users to trigger undefined behavior when a framebuffer device is hot-unplugged while user space retains an active memory mapping. The flaw stems from improper lifetime management between struct fb_info and deferred I/O state, leading to use-after-free conditions with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%).
Out-of-bounds heap read in the Linux kernel's ibmasm driver (the IBM Advanced System Management service-processor interface) lets a local privileged user leak adjacent kernel heap memory. The ibmasm_send_i2o_message() function trusts user-controlled command_size and data_size header fields to size a memcpy_toio() without validating them against the real allocation, so a small buffer with inflated header values forces a read of up to ~65 KB past the allocation, which is then forwarded to the service processor over MMIO. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis.
Deadlock in the Linux kernel's x86 Control-flow Enforcement Technology (CET) shadow stack implementation can be triggered by a local unprivileged user during signal return, causing a kernel hang and denial of service. The flaw exists in x86 SMP kernels with PER_VMA_LOCK configured where X86_USER_SHADOW_STACK is enabled: holding the mmap read lock while reading the shadow stack signal frame during sigreturn allows a recursive lock acquisition attempt that deadlocks when a concurrent mmap writer is waiting on another CPU. No public exploit has been identified at time of analysis and EPSS exploitation probability is extremely low at 0.02% (5th percentile), but the availability impact is high on affected systems with shadow stack enabled.
Integer overflow in the Linux kernel's ntfs3 filesystem driver allows local attackers to bypass volume boundary validation when mounting or accessing a crafted NTFS volume, leading to memory corruption with high confidentiality, integrity, and availability impact. The flaw resides in run_unpack() where the check `lcn + len > sbi->used.bitmap.nbits` performs raw addition that wraps for large values, sidestepping the bounds check. No public exploit identified at time of analysis and EPSS is very low (0.02%), but CVSS 7.8 with required user interaction reflects realistic local privilege-escalation potential when untrusted NTFS media is processed.
Deadlock in the Linux kernel jbd2 journal subsystem can hang filesystems and render systems unresponsive when filesystem blocksize is smaller than the system pagesize. Introduced by commit f76d4c28a46a, the flaw breaks the required folio-then-buffer lock ordering in jbd2_journal_cancel_revoke(), causing an ABBA deadlock between concurrent filesystem journal operations and block device writeback. No public exploit is identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with a race-condition kernel bug requiring a non-default configuration that is unlikely to be deliberately weaponized.
IRQ handler cleanup failure in the Linux kernel Intel QAT (Quick Assist Technology) crypto driver for 6xxx-series devices causes kernel resource leaks and availability impact when device probe partially fails. The flaw manifests during adf_dev_up() failure: because pcim_enable_device() registers pcim_msi_release() as a devres action that runs in LIFO order, MSI-X vectors are torn down while IRQ handlers such as 'qat0-bundle0' are still attached, producing remove_proc_entry() warnings and leaking procfs entries. No public exploit has been identified at time of analysis, and EPSS at 0.02% (4th percentile) confirms negligible exploitation interest; impact is limited to systems that physically host Intel QAT 6xxx accelerator cards.
Incorrect NextRIP state management in the Linux kernel's KVM nested SVM (nSVM) subsystem causes a denial-of-service condition affecting nested AMD virtualization environments from kernel 5.8 onward. After the first L2 VMRUN completes and NextRIP is updated by the CPU or KVM, a subsequent save/restore cycle incorrectly substitutes the stale current RIP in vmcb02, corrupting virtual machine control block state and crashing the nested guest or KVM subsystem. No active exploitation has been identified (not in CISA KEV, EPSS 0.02% at 4th percentile), and the vulnerability is strictly limited to AMD hosts with nested virtualization configured using NRIPS-disabled L1 guests with injected soft interrupts.
Use-after-free in the Linux kernel's amphion VPU media driver allows local privileged users to trigger a kernel panic and potential memory corruption due to a race condition between v4l2_m2m_ctx_release() and v4l2_m2m_try_run(). The flaw affects systems using the amphion video encode/decode driver (introduced in 5.18) and has been resolved upstream by removing reliance on the m2m framework's job scheduling. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the local high-impact CVSS of 7.8 makes it relevant for multi-tenant or hardened kernel deployments.
Landlock LSM's credential transfer hook in the Linux kernel silently drops the LOG_SUBDOMAINS_OFF audit-muting flag across fork() boundaries, breaking the documented sandboxing pattern where a parent process suppresses subdomain audit logs before spawning sandboxed children. Affected kernels from commit ead9079f75696 onward across the 6.15, 6.18, and 7.x stable branches allow child processes to emit unexpected Landlock audit records the operator explicitly intended to suppress. No public exploit identified at time of analysis; EPSS is 0.02% (4th percentile), and this is a logic correctness defect rather than a privilege-escalation or data-exfiltration path.
Use-after-free in the Linux kernel Bluetooth subsystem (hci_event) allows an adjacent attacker within Bluetooth range to potentially achieve memory corruption against vulnerable hosts during SSP pairing. The flaw stems from missing hdev locking in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), where an hci_conn structure can be freed concurrently while still in use. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%).
Out-of-bounds read in the Linux kernel's AppArmor LSM subsystem (security/apparmor/match.c) allows a local low-privileged user to trigger a KASAN slab-out-of-bounds read via the mount() syscall on kernels 7.0 through 7.0.3 and 7.1-rc1. The flaw stems from a missing string terminator that causes aa_dfa_match() to read past the end of an 8KB kmalloc buffer when processing mount path strings, resulting in potential information disclosure and system instability (denial of service). No public exploit identified at time of analysis, and EPSS probability is negligible at 0.02%.
Local privilege-bounded information disclosure and integrity compromise in the Linux kernel's SELinux module affects overlayfs mounts where mmap() and mprotect() operations bypass the intended dual-credential access checks. A local authenticated user with access to an overlayfs top-level (user) file can map or change protections on backing files without the mounter's credentials being properly evaluated, undermining the SELinux overlayfs security model. EPSS is very low (0.02%, 5th percentile) and no public exploit identified at time of analysis.
Local privilege escalation risk in the Linux kernel's RDS (Reliable Datagram Sockets) subsystem stems from a double-free condition in __rds_rdma_map() when a put_user() copy of the MR cookie fails after get_mr() has transferred sg/pages ownership to the transport. A local authenticated attacker triggering this race or fault path could cause memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis and EPSS is low at 0.02%, but a vendor-released patch is available across multiple stable branches.
Denial of service in the Linux kernel Ceph client allows local users with access to a Ceph-mounted filesystem to trigger d_hash list corruption and RCU stalls by inducing path lookups against reused cached negative dentries. The flaw stems from fs/ceph/dir.c calling d_add(dentry, NULL) on already-hashed negative dentries, creating self-loops in the hlist_bl bucket that cause __d_lookup() to spin indefinitely. EPSS is 0.02% (5th percentile) and no public exploit identified at time of analysis, but the bug has been reproduced organically in production (RCU stall on a Dell PowerEdge R7615 running 6.18.17).
Soft lockup in the Linux kernel's md/raid5 subsystem allows a local low-privileged user to trigger an infinite loop in the raid5d kernel thread, causing a kernel soft lockup and system-wide denial of service on hosts running RAID5 arrays. The fault lies in retry_aligned_read() using the wrong stripe release path when encountering overlapping stripes, permanently starving handle_stripe() of the work item needed to resolve the overlap. No public exploit has been identified and EPSS at 0.02% (5th percentile) confirms negligible exploitation probability; however, multiple active stable kernel branches from 3.12 onward are affected and vendor-released patches are confirmed across five fix versions.
Deadlock in the Linux kernel md/raid10 subsystem causes a permanent denial-of-service when NOWAIT IO requests coincide with an array check (resync) operation. The md resync thread becomes permanently stuck because the nr_pending atomic counter underflows to a large negative value, preventing it from ever reaching the zero threshold needed to proceed. Systems running RAID-10 arrays where applications use O_NOWAIT IO (e.g., filesystem writeback paths via ext4) are affected. No public exploit code exists and EPSS is 0.02%, indicating low exploitation probability, but the bug is deterministically reproducible by any local user with IO access to the affected array.
Infinite loop denial-of-service in the Linux kernel ALSA ctxfi audio driver allows a local low-privileged user to hang the kernel by triggering S/PDIF passthrough playback at 32000 Hz on Creative Sound Blaster X-Fi hardware. The root cause is an uninitialized `pll_rate` field that causes a resource-calculation loop to never exit, consuming CPU indefinitely and degrading or halting system availability. No public exploit exists and the EPSS score of 0.02% (5th percentile) confirms negligible real-world exploitation pressure; the vulnerability is not listed in CISA KEV.
USB device reference count leak in the Linux kernel ALSA CAIAQ driver allows a local attacker with access to USB hardware to trigger kernel memory exhaustion. The flaw exists because usb_get_dev() is called in create_card() but its matching usb_put_dev() is only installed as a destructor late in init_card(), leaving it unreachable on all intermediate failure paths. Syzbot has reproduced the issue using a malformed UAC3 USB audio device, and patches are available across all affected stable kernel branches. No public exploit has been identified at time of analysis, and EPSS is negligible at 0.02%.
Use-after-free in the Linux kernel's QRTR (Qualcomm IPC Router) name service driver remove path allows local low-privileged users to corrupt memory and potentially escalate privileges. The flaw occurs because qrtr_ns_data_ready() can queue work to a workqueue that has already been destroyed during driver teardown, dereferencing freed memory. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the fix has landed across multiple stable kernel trees.
Missing brelse() in the ext4 filesystem's ext4_xattr_inode_dec_ref_all() function causes a buffer head refcount leak that can degrade system availability on affected Linux kernel versions. Introduced by commit c8e008b60492 (
Data corruption in the Linux kernel md-llbitmap RAID subsystem allows stale bitmap pages to be read from spare disks during rebuild. The md-llbitmap code iterated rdevs checking only raid_disk assignment and the Faulty flag, omitting the In_sync flag, so bitmap data could be sourced from a not-yet-synchronized spare. No public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%), but the bug can silently corrupt arrays during normal operation or recovery.
Resource leak in the Linux kernel IPMI SSIF driver leaves an orphaned kernel thread running when driver initialization fails mid-sequence. Systems with SSIF-capable IPMI hardware (BMC connected via SMBus/I2C) running unpatched kernels are affected across multiple stable branches. If initialization errors occur after the ssif kthread is spawned but before the IPMI core starts the interface, the thread is never stopped, degrading system availability over time. No public exploit exists and EPSS is 0.02% (4th percentile), making this a routine patch-cycle item rather than an emergency; fixes are confirmed in stable kernel releases 6.18.27 and 7.0.4.
Remote denial of service and potential memory corruption in the Linux kernel's RDMA Software RoCE (rxe) driver allows network attackers to send malformed RDMA packets that bypass length validation in rxe_rcv(). Affected systems with the rxe module loaded and reachable on the network can experience integer underflow in payload_size() due to an attacker-controlled BTH pad field, leading to negative values being passed to downstream receive-path handlers. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the CVSS 9.1 rating reflects the unauthenticated network attack surface where rxe is exposed.
Two kernel heap memory leaks in Linux kernel's weighted interleave NUMA memory policy subsystem allow a local low-privilege user to exhaust kernel memory and cause denial of service. The `weighted_interleave_auto_store()` function in `mm/mempolicy.c` fails to free `new_wi_state` on an early-return path and fails to free the old state object when overwritten via `rcu_assign_pointer()` when processing 'true' writes, because `old_wi_state` is only fetched inside the wrong conditional branch. The second leak is trivially automatable - any authorized sysfs writer can loop-write '1' indefinitely to drive the system into OOM - though no public exploit exists and EPSS sits at a negligible 0.02%.
Denial-of-service via kernel panic in the Linux kernel's greybus gb-beagleplay driver allows a local low-privileged user to crash the system by triggering an illegal sleep-in-atomic-context condition. The greybus HDLC TX path calls usleep_range() inside hdlc_append() while the tx_producer_lock spinlock is held, violating the fundamental Linux kernel rule that sleeping is forbidden in atomic context and triggering a 'BUG: scheduling while atomic' kernel oops. No public exploit has been identified at time of analysis, and EPSS at 0.02% (5th percentile) reflects the hardware-specific and local-access-only nature of this flaw. The input tag 'Information Disclosure' appears to be a misclassification - the actual impact is exclusively availability (kernel crash), consistent with the CVSS vector's A:H/C:N/I:N ratings.
Resource accounting exhaustion in the Linux kernel's inotify subsystem allows a local low-privileged user to permanently leak watch counts by repeatedly triggering a failure path in inotify_new_watch() that increments the per-namespace watch counter without a corresponding decrement. Over time this exhausts the max_user_watches limit, causing all subsequent inotify watch creation within the namespace to fail with -ENOSPC even when no watches are genuinely active, constituting a local denial-of-service against inotify-dependent applications. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects very low real-world exploitation probability with no CISA KEV listing.
Integer overflow in the Linux kernel's rxgk (RxRPC GSS Kerberos) token extraction routine allows remote attackers to potentially trigger memory corruption via length-check bypass in rxgk_extract_token(). The flaw affects Linux kernel versions in the 6.16.9-to-6.17 range and was fixed by changing the validation to round down available data instead of rounding up the tested value. No public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.02%.
Memory exhaustion in the Linux Kernel's QRTR (Qualcomm IPC Router) nameserver subsystem exposes local, low-privileged users to a denial-of-service condition. The `ctrl_cmd_bye()` function, triggered when a QRTR node sends a BYE shutdown packet, fails to remove the node from the Xarray structure or release the associated memory - resulting in a persistent kernel memory leak (CWE-401). Affected systems are Linux kernels from 5.7 through multiple stable branches, with fixes backported to 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. No active exploitation is confirmed (not in CISA KEV), and EPSS sits at 0.02% (5th percentile), indicating minimal real-world threat at this time.
Out-of-bounds read in the Linux kernel's IPv4 ICMP handling allows remote attackers to trigger denial of service and potential information disclosure by sending crafted ICMP Extended Echo Reply packets. The flaw stems from the kernel consulting the icmp_pointers[] array with reply types (ICMP_EXT_ECHOREPLY) that fall outside its bounded range (NR_ICMP_TYPES). No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but the network attack vector and high availability impact make patching a priority for exposed Linux hosts.
Local privilege escalation in the Linux kernel's vfio/cdx (Composable DMA-capable eXtension) driver allows a process with access to a VFIO device file descriptor to trigger a use-after-free of the cdx_irqs array via concurrent VFIO_DEVICE_SET_IRQS ioctls. The race in vfio_cdx_set_msi_trigger() can be exploited by a local low-privileged attacker for memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis and EPSS is very low (0.02%, 5th percentile).
Lock re-entrancy corruption in the Linux kernel's mm/page_alloc subsystem affects uniprocessor (UP/!CONFIG_SMP) builds, allowing freelist corruption that crashes the kernel. On UP kernels, spin_trylock() is a compile-time no-op that unconditionally succeeds; when alloc_frozen_pages_nolock() is invoked from NMI context, it re-enters rmqueue() and acquires the zone lock already held by the interrupted context, corrupting the page allocator's freelists. No public exploit exists and EPSS sits at the 4th percentile (0.02%), consistent with the narrow scope: only non-default UP kernel builds on specific kernel versions are affected, making this a targeted stability concern for embedded or legacy uniprocessor deployments rather than a broad production threat.
NULL pointer dereference in the Linux kernel vfio/cdx subsystem allows a local low-privileged user with access to a CDX VFIO device to crash the kernel by issuing an out-of-order ioctl sequence. Specifically, calling VFIO_DEVICE_SET_IRQS with DATA_BOOL or DATA_NONE flags before ever initializing MSI interrupts via the EVENTFD path dereferences an unallocated cdx_irqs pointer, producing a kernel panic and denial-of-service. No public exploit code exists and EPSS is 0.02%, but vendor-released patches are confirmed available across all affected stable branches.
Out-of-bounds read in the Linux kernel's crypto authencesn AEAD wrapper allows a local user with AF_ALG access to trigger memory disclosure and possible denial of service by instantiating an authencesn transform built on an ahash whose digest size is 1-3 bytes (for example cbcmac(cipher_null)). The flaw stems from crypto_authenc_esn_create() failing to validate the inner digest size, letting an invalid default authsize bypass the existing setauthsize() check. No public exploit identified at time of analysis and EPSS probability is negligible (0.02%), but the upstream fix is shipping across multiple stable trees.
Nested SVM virtualization in the Linux kernel KVM subsystem can leave the host hypervisor (L1) running with corrupted page-table state when CR3 restoration fails during a nested #VMEXIT. The root function nested_svm_vmexit() returns an error code that most callers silently ignore, meaning the host continues executing against corrupt address-space mappings rather than triggering the shutdown behavior mandated by the AMD Architecture Programmer's Manual. The fix injects a triple fault - mirroring real hardware behavior - and continues cleanup to avoid leaving vCPU state partially torn down. No public exploit exists and EPSS is 0.02%, but the availability impact is high for any host running nested AMD virtualization.
Denial of service in the Linux kernel ks8851 Ethernet driver allows a deadlock condition when handling concurrent IRQ and TX softirq processing on systems using the Micrel KS8851 MAC/PHY chip. The flaw manifests when the IRQ handler executes netdev_alloc_skb_ip_align() with bottom-halves enabled, triggering pending softirq processing that re-enters the driver's xmit path and attempts to re-acquire an already-held spinlock. EPSS scores this at 0.02% (5th percentile) and no public exploit identified at time of analysis, consistent with a local hardware-dependent stability bug rather than a remotely weaponizable vulnerability.
Memory leak in the Linux kernel's EDAC/versalnet driver (mc_probe()) results in unreleased device_node references, enabling local low-privileged users to cause kernel memory exhaustion and availability degradation on AMD/Xilinx Versal SoC systems. The root cause is a missing of_node_put() call on all exit paths of mc_probe(), with the fix applied across stable branches including 6.18.27 and 7.0.4. No public exploit or CISA KEV listing exists, and EPSS sits at 0.02% (4th percentile), reflecting minimal active exploitation risk.
Slab allocator corruption in the Linux kernel's mm/slab subsystem allows local low-privileged users on uniprocessor (UP, !CONFIG_SMP) builds to potentially corrupt kernel memory state when kmalloc_nolock() is invoked from NMI context. The flaw stems from spin_trylock() being a no-op on UP kernels, allowing re-entry into the slab allocator while n->list_lock is already held by the interrupted context. EPSS is very low (0.02%) and no public exploit has been identified at time of analysis, though an upstream patch is available.
Race condition in the Linux kernel's AF_ALG AEAD AIO interface allows a local low-privileged user to trigger a denial of service by exploiting shared socket-wide IV buffer state across concurrent asynchronous AEAD requests. The algif_aead subsystem fails to snapshot the Initialization Vector into per-request storage before dispatching async operations, meaning any concurrent socket activity that updates the shared IV can corrupt an in-flight request before it completes. No public exploit has been identified and EPSS is extremely low at 0.02% (7th percentile); vendor-released patches are available across all supported stable kernel branches.
Denial-of-service in the Linux kernel's SMC (Shared Memory Communications) networking subsystem allows remote attackers to crash the kernel by sending a CLC decline message during the early stage of an SMC handshake before the connection is associated with a link group. The flaw, tracked as EUVD-2026-32408, stems from smc_clc_wait_msg() accessing link-group sync state that does not yet exist at that point in the handshake. No public exploit identified at time of analysis and EPSS probability is very low (0.02%, 5th percentile), but the network attack vector and high availability impact warrant patching on systems that use SMC.
Uncontrolled resource consumption in the Linux kernel's QRTR (Qualcomm IPC Router) nameserver module allows a local authenticated user to exhaust nameserver resources by flooding it with unbounded NEW_LOOKUP messages over a single socket. The affected subsystem (net/qrtr/ns) restricted lookups to local clients but imposed no count limit, enabling a sustained denial-of-service against QRTR-dependent inter-process communication on Qualcomm SoC platforms. No public exploit has been identified and EPSS stands at 0.02% (5th percentile), placing this firmly in the low real-world priority tier despite its High availability impact rating.
Deadlock and memory leak in the Linux kernel DAMON subsystem arise from a race condition between damon_call() request registration and kdamond_fn() thread exit, affecting systems using the Data Access MONitor (DAMON) API. A local low-privileged process can trigger the race at precisely the moment a kdamond thread is terminating - causing the calling thread to wait indefinitely for a handler that has already exited, resulting in a kernel-level availability denial. No active exploitation is confirmed (EPSS 0.02%, not in CISA KEV), and the high attack complexity required to win the race significantly constrains real-world risk.
Denial of service in the Linux kernel's libceph subsystem allows remote attackers to crash the kernel via a malformed CEPH_MSG_AUTH_REPLY message containing zero values for both protocol and result fields. The flaw resides in ceph_handle_auth_reply() where a missing validation causes ac->ops to be set to NULL before being dereferenced. No public exploit identified at time of analysis, and EPSS is extremely low (0.02%), but the network attack vector with no authentication and high availability impact warrants prompt patching on Ceph-enabled systems.
Integer overflow in the Linux kernel's device mapper mirror (dm-mirror) subsystem allows a local attacker with device mapper configuration privileges to crash the kernel via a denial-of-service condition. The flaw resides in create_dirty_log() where an unchecked unsigned addition of 2 + param_count wraps around to a small value when param_count approaches UINT_MAX, bypassing an argc bounds check and triggering out-of-bounds reads in dm_dirty_log_create(). No public exploit code exists and EPSS is exceptionally low at 0.02% (5th percentile); this CVE has not been added to the CISA KEV catalog, indicating no confirmed active exploitation at time of analysis.
Out-of-bounds MMIO read in the Linux kernel's ibmasm (IBM Advanced System Management) misc driver allows a compromised IBM service processor to read 8 bytes from unintended device registers or trigger a machine check exception (system crash) by writing an out-of-range queue reader/writer index before asserting an interrupt. The flaw resides in ibmasm_handle_mouse_interrupt() where raw readl() values are passed unchecked to get_queue_entry(), and is fixed by bounds-checking both indices against REMOTE_QUEUE_SIZE (60). No public exploit identified at time of analysis, and EPSS probability is negligible at 0.02%.
Two related memory-management defects in the Linux kernel thermal zone governor subsystem expose local low-privileged users to system availability loss. The first is a memory leak (CWE-401) in the registration error path of thermal_zone_device_register_with_trips(), which fails to remove an attached governor when registration fails mid-way. The second, and more critically impactful, is a race condition in thermal_zone_device_unregister(), which calls thermal_set_governor() without first acquiring the thermal zone lock - permitting a concurrent sysfs-based governor update to produce a use-after-free, which can trigger a kernel panic. No public exploit code exists and EPSS is 0.02% (5th percentile); vendor-released patches are available across multiple stable kernel branches including 6.6.140, 6.12.86, 6.18.27, and 7.0.4.
Out-of-bounds memory access in the Linux kernel's DAMON (Data Access MONitor) subsystem allows privileged local users to crash the kernel by supplying arbitrary node IDs to damos_quota_goal via DAMON_SYSFS. Affecting Linux 6.16 and fixed in 6.18.27, 7.0.4, and 7.1-rc1, the flaw stems from missing validation before si_meminfo_node()/NODE_DATA() lookups and is reproducible with the upstream 'damo' user-space tool. No public exploit identified at time of analysis and EPSS is very low at 0.02%.
The atmel-aes crypto driver in the Linux kernel leaks 3 pages of kernel memory per cleanup cycle due to a mismatch between allocation and deallocation functions: atmel_aes_buff_init() allocates 4 contiguous pages via __get_free_pages() with ATMEL_AES_BUFFER_ORDER, but atmel_aes_buff_cleanup() frees only a single page via free_page() instead of the correct free_pages(). Systems running on Atmel/Microchip ARM SoC hardware with this driver loaded are vulnerable to gradual kernel memory exhaustion leading to denial of service. No public exploit code exists and no active exploitation has been confirmed; the EPSS score of 0.02% (5th percentile) reflects the extremely narrow hardware-specific attack surface, and vendor-released patches are available across multiple stable kernel branches.
Availability degradation in the Linux kernel ALSA USB audio subsystem allows a local attacker with a crafted UAC2 USB audio device to trigger an unbounded parsing loop that holds register_mutex while repeatedly flooding the kernel log with error messages. Affected systems running snd-usb-audio on multiple stable kernel branches from 3.x through 7.0 are exposed to denial-of-service via mutex contention during USB device probe. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (6th percentile) reflects minimal threat actor interest; no CISA KEV listing exists.
Race condition in the Linux kernel memory management subsystem during large-folio migration can cause kernel availability disruption on SMP/NUMA systems. The flaw in migrate_folio_move() causes a destination folio to become visible to concurrent rmap-removal paths before being requeued onto the deferred split queue, triggering a kernel WARN in deferred_split_folio() or silently losing a folio from split_queue when the shrinker races the migration lock. With no public exploit, no CISA KEV listing, and an EPSS of 0.02%, this is a low real-world risk issue primarily relevant to HPC, virtualization, and database workloads with heavy NUMA migration activity.
NULL pointer dereference in the Linux kernel's Xilinx remoteproc (xlnx) IPI receive callback enables a local low-privileged user to crash the kernel on Xilinx SoC-based systems. The receive callback unconditionally accesses buffer information without first validating whether the message pointer is NULL, which occurs when IPI is operating in non-buffered mode. No public exploit exists and no active exploitation is confirmed; with EPSS at 0.02% (5th percentile), real-world risk is very low and hardware-specific.
Race condition and missed wake-up in the Linux kernel TCP listener migration path (SO_REUSEPORT) allows local low-privileged attackers to cause hangs and potentially exploit a use-after-free on listener sockets. Affects kernels from 5.14 up to versions fixed in 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. No public exploit identified at time of analysis, and EPSS is very low (0.02%).
Broken LBR MSR save/restore in the Linux kernel KVM/SVM subsystem allows a low-privileged local attacker to cause high-impact availability failures in virtualized environments running on AMD SVM hardware. MSR_IA32_DEBUGCTLMSR and Last Branch Record (LBR) MSRs are not enumerated by KVM_GET_MSR_INDEX_LIST and cannot be set via KVM_SET_MSRS, meaning VM state is not correctly preserved across save/restore or live migration cycles, particularly when L2 guests are running. No public exploit has been identified at time of analysis, and EPSS of 0.02% indicates very low exploitation probability, but the flaw affects a foundational hypervisor state management path on production AMD virtualization infrastructure.
Incorrect physical address conversion in the Linux kernel's mm/memfd_luo subsystem can crash the kernel when the put_folios error-cleanup path executes during memfd Live Update Object (LUO) operations. The cleanup passes a raw Page Frame Number (PFN) where kho_restore_folio() requires a phys_addr_t, and a missing sparse-hole guard (pfn==0) risks misprocessing file holes. No public exploit identified at time of analysis; EPSS of 0.02% (5th percentile) and absence from CISA KEV confirm very low real-world exploitation probability, with impact confined to local denial of service on systems running the experimental KHO/LUO subsystem.
Memory exhaustion denial-of-service in the Linux kernel's rxkad Kerberos authentication layer allows a local low-privilege attacker to leak kernel memory by repeatedly triggering error paths in rxkad_verify_response(). The vulnerability affects kernels from approximately 5.11 through all unpatched stable series prior to 6.6.140, 6.12.86, 6.18.27, and 7.0.4. No public exploit exists and EPSS sits at 0.02% (5th percentile), indicating minimal real-world exploitation likelihood; however, systems running AFS workloads with rxrpc active warrant patching at next maintenance.
Local privilege escalation and memory corruption in the Linux kernel's MediaTek JPEG (mtk-jpeg) media driver allows a local user with access to the device to trigger a use-after-free condition. The flaw occurs in mtk_jpeg_release() which frees the context structure without first cancelling pending workqueue items, creating a race window during device close where the worker thread accesses freed memory. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%, but the bug is fixed across multiple stable trees.
Memory exhaustion handling flaw in the Linux kernel's rxrpc/rxgk subsystem allows network-adjacent attackers to potentially trigger unsafe code paths when rxgk_decrypt_skb() returns -ENOMEM during RxGSS-Kerberos token extraction. Affected kernels include the 6.17 series and specific commits in 6.16.9 onward, fixed in upstream commits and stable backports targeting 6.18.27 and 7.1-rc1. No public exploit identified at time of analysis, and EPSS is very low (0.02%) despite the 8.1 CVSS score.
Duplicate resource teardown in the Linux kernel's PCI endpoint NTB (Non-Transparent Bridge) driver causes a kernel oops when link state transitions fail or complete, enabling a local low-privileged user to crash the kernel. The `epf_ntb_epc_destroy()` helper performs teardown that its callers also execute, resulting in a double-free-class condition. No public exploit code exists and no active exploitation has been confirmed (not in CISA KEV); the EPSS score of 0.02% at the 5th percentile reflects extremely low observed exploitation probability.
Deadlock in Linux kernel DAMON (Data Access Monitor) subsystem allows a local low-privileged user or kernel code path to cause an indefinite thread hang in the mm/damon/core module via a race condition between damos_walk() request registration and kdamond_fn() exit sequencing. Systems running Linux kernels from commit bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61 through the patch commits are affected, with availability as the sole impact (CVSS C:N/I:N/A:H). No public exploit identified at time of analysis, and EPSS probability is 0.02% (5th percentile), indicating negligible real-world exploitation interest.
Use-after-free in the Linux kernel's edt-ft5x06 capacitive touchscreen driver (CWE-416) lets a local actor with access to the driver's per-client debugfs interface read or corrupt freed kernel memory during device teardown. The regression was introduced by commit 68743c500c6e, which removed manual debugfs cleanup and left a window where debugfs files referencing tsdata->raw_buffer remained accessible after the buffer was freed. No public exploit identified at time of analysis; EPSS is very low (0.02%, 4th percentile) and it is not in CISA KEV, but a vendor (stable-tree) patch is available.
Memory leak in the Linux kernel's TPM2 session subsystem allows a local low-privileged user to exhaust kernel memory over time via repeated invocations of the vulnerable tpm2_read_public() function. The function allocates a kernel buffer via tpm_buf_init() but fails to call tpm_buf_destroy() on both its success path and its error path triggered by an unrecognized hash algorithm, leaking a page allocation each time. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% at the 4th percentile reflects very low real-world exploitation probability.
Race condition in the Linux kernel's md/md-llbitmap subsystem can cause availability loss on systems using software RAID with bitmap tracking. The barrier raise in llbitmap_start_write() and llbitmap_start_discard() occurs after the state machine transition is initiated, creating a window where concurrent state changes proceed without synchronization - potentially crashing the RAID subsystem or rendering an md array unavailable. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (4th percentile) reflects negligible automated exploitation risk. Patches are available across multiple stable kernel branches.
Out-of-bounds read in the Linux kernel's ext4 filesystem driver allows a local attacker to read up to 3 bytes beyond a valid extended-attribute (xattr) region, potentially leaking adjacent kernel memory or crashing the system. The flaw lives in check_xattrs(), where a loose bounds check on the next xattr entry lets IS_LAST_ENTRY() perform a 4-byte read that overruns the buffer when parsing a crafted or corrupted ext4 xattr block. It is not in CISA KEV and no public exploit identified at time of analysis; EPSS is negligible at 0.02% (5th percentile), consistent with a low-impact local memory-safety bug that has already been patched upstream.
Concurrent execution race in the Linux kernel's mm/vmalloc subsystem allows a local low-privileged attacker to trigger memory corruption or leaks by exercising the vmap_node shrinker simultaneously with lazy vmap purge operations. The flaw stems from unserialized invocation of decay_va_pool_node() between __purge_vmap_area_lazy() and the shrinker path. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the issue is patched upstream in the stable tree.
Null pointer dereference in the Linux kernel rtw88 PCIe WiFi driver for the Realtek 8821CE adapter crashes the kernel during driver probing when the card is installed directly on a root PCI bus without an upstream PCI-to-PCI bridge. The defect was discovered via Svace static analysis by the Linux Verification Center - not through active exploitation - and no public exploit has been identified at time of analysis. EPSS of 0.02% (5th percentile) reflects the highly hardware-specific triggering condition, though the crash is deterministic when that condition is met.
Denial of service in the Linux kernel's igorplugusb infrared remote control driver allows a local low-privileged user to crash the kernel on systems where a compatible USB IR receiver is connected and the host controller performs DMA on control requests. The igorplugusb driver failed to allocate the USB control request structure separately, violating DMA coherency requirements enforced by certain host controllers - an object allocated on the kernel stack or embedded in a larger structure is not guaranteed to be DMA-safe. No public exploit code exists, and EPSS of 0.02% confirms negligible exploitation interest. Vendor-released patches are available across multiple stable branches.
Local privilege escalation potential via use-after-free in the Linux kernel's ALSA aloop (snd-aloop) driver allows authenticated local users to trigger memory corruption by racing PCM stream close against a peer format-change stop. The flaw stems from snd_pcm_stop() running after cable->lock is dropped, leaving a stale peer substream pointer that can be freed by a concurrent close. Upstream fixes are merged into stable trees (6.12.88, 6.18.27, 7.0.4, 7.1-rc2); no public exploit identified at time of analysis and EPSS is very low at 0.02%.
The zram compressed-RAM block device driver in the Linux kernel hangs processes indefinitely when partial discard requests are submitted on systems where the discard granularity is smaller than the system page size (e.g., 4K discards on ARM64 systems with 64K pages). The driver correctly identifies partial discards as unsupported and returns early, but omits calling bio_endio(), leaving submit_bio_wait() blocked forever. Exploitation requires local access to a zram device with low privileges; no public exploit exists and EPSS is 0.02%, consistent with a niche local denial-of-service. Patches are available across multiple stable kernel branches.
Kernel panic via exhausted buffer in the ALSA control subsystem affects Linux kernel builds compiled with CONFIG_FORTIFY_SOURCE and Clang, allowing a local low-privileged user to crash the system. The function snd_ctl_elem_init_enum_names() fails to guard against a zero buf_len before invoking strnlen(), and Clang's fortified strnlen fires a BRK exception when it cannot determine the object size of the advanced pointer p inside the loop - panicking the kernel before the intended error-path return. Discovered through kernel fuzz testing on Xiaomi Smartphone hardware; no public exploit and no KEV listing; EPSS is 0.02%.
Memory leak in the Linux kernel's DAMON statistics subsystem (mm/damon/stat) causes kernel memory exhaustion when damon_start() fails during damon_stat_start(). The allocated DAMON context is never freed on the failure path, and the stale global pointer is overwritten on each subsequent enable attempt, making prior allocations permanently unreachable. Exploitation requires local access with low privileges, yields high availability impact (A:H) via progressive kernel memory exhaustion, and no public exploit or active exploitation has been identified at time of analysis.
NULL pointer dereference in the Linux kernel bridge subsystem's FDB (Forwarding Database) RCU readers allows a local low-privileged user to crash the kernel via a sysfs read race. The vulnerability in `br_fdb_fillbuf()` - reached through the `brforward_read()` sysfs path - loads `f->dst` multiple times without synchronization, enabling a concurrent `fdb_delete_local()` call to nullify the pointer between the NULL check and the subsequent `port_no` dereference. No active exploitation has been identified (EPSS 0.02%, not in CISA KEV), but vendor patch commits are available across all active stable kernel branches.
Remote denial-of-service in the Linux kernel rxrpc subsystem (rxkad authentication) allows unauthenticated network attackers to crash vulnerable hosts by sending packets with misaligned crypto length fields. The flaw stems from improper handling of decryption errors and a remotely-triggerable WARN_ON_ONCE() in the rxkad packet processing path. EPSS scoring is very low (0.02%) and no public exploit identified at time of analysis, but the CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) rating reflects the unauthenticated remote availability impact.
Use-after-free in the Linux kernel's RDMA mana_ib driver (Microsoft Azure Network Adapter) lets a local user trigger stale firmware RX steering after destroying an RSS QP, so incoming completions land on reused CQ IDs and corrupt kernel state. It affects Linux deployments on Azure VMs using MANA with RDMA/DPDK; an attacker who can create and destroy RSS QPs (e.g., via a DPDK application exit while a peer keeps transmitting) can drive completions onto TX CQs and crash or corrupt the driver. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%, 5th percentile), indicating low real-world exploitation likelihood.
Resource leak in the Linux kernel SPI subsystem allows a local low-privileged attacker to exhaust kernel resources and cause denial of service. The flaw affects multiple stable kernel branches (5.4.x through 7.x) and occurs when spi_setup() fails during SPI device registration, leaving resources allocated by setup() unreleased because the controller cleanup() callback is never invoked on the error path. No public exploit exists and EPSS sits at 0.02% (5th percentile), indicating very low real-world exploitation probability; this is a stability fix appropriate for routine patching rather than emergency response.
KVM SVM subsystem in the Linux Kernel incorrectly handles the INVLPGA instruction when EFER.SVME=0, failing to inject the required #UD (Undefined Opcode) exception into the guest VM. Systems running AMD hardware virtualization (AMD-V/SVM) under KVM are affected from kernel 2.6.32 through multiple stable branches, with the flaw enabling a low-privileged guest user to trigger a high-severity availability impact. No public exploit exists and EPSS stands at 0.02% (5th percentile), indicating very low current exploitation probability; however, the kernel maintainers tagged this for stable backports across six separate stable branches, reflecting broad deployment surface.
Local privilege escalation via memory corruption in Linux Kernel crypto subsystem (acomp) affects systems using asynchronous hardware compression accelerators such as Intel QAT. The flaw stems from acomp_save_req() storing the wrong pointer (&req->chain instead of req itself) in req->base.data, causing the completion callback acomp_reqchain_done() to dereference fields at incorrect offsets. No public exploit identified at time of analysis, and EPSS is very low at 0.02%, but the high CVSS (7.8) reflects potential for memory corruption with high confidentiality, integrity, and availability impact.
Credit exhaustion in the OCFS2 DIO completion path of the Linux kernel can cause the JBD2 journaling layer to exceed its maximum transaction credit limit, resulting in kernel warnings and a high-availability denial-of-service condition. Systems running the Linux kernel with the OCFS2 cluster filesystem configured for direct I/O workloads across multiple stable branches (6.6.x, 6.12.x, 6.18.x, 7.0.x) are affected. A local attacker with low privileges and write access to an OCFS2 volume can trigger complex extent tree merges that request more than 5449 JBD2 credits, destabilizing the filesystem journal. No public exploit is identified at time of analysis, and EPSS sits at the 5th percentile, reflecting very low real-world exploitation probability.
Null-pointer dereference in the Linux kernel's RBD (RADOS Block Device) subsystem crashes the kernel when device_add_disk() fails after device_add() has already succeeded. Systems running Linux kernel with Ceph RBD support enabled are affected across multiple stable branches from the introduction of commit 27c97abc30e2 through the patched releases. A local attacker with sufficient privileges to map RBD images via the sysfs interface can trigger this error path to cause a kernel panic and system-wide denial of service. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.02% at the 5th percentile signals negligible weaponization probability.
Out-of-bounds read in the Linux kernel's EROFS filesystem driver allows a local attacker to crash the system or potentially leak kernel memory by mounting a crafted EROFS image. The flaw stems from missing validation of the trailing dirent nameoff field, which can underflow during strnlen() and cause reads beyond the directory block. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a vendor patch is available across multiple stable kernel branches.
Incorrect DMA synchronization direction in the Linux kernel's atmel-tdes crypto driver exposes systems running on non-coherent cache architectures to stale cache data reads. The atmel-tdes driver incorrectly calls dma_sync_single_for_device() instead of dma_sync_single_for_cpu() before the CPU consumes DMA output, causing cache invalidation to be skipped on non-coherent platforms (typically ARM-based Atmel/Microchip SoCs). This means the CPU may read stale cached data rather than actual DES/3DES operation output, producing incorrect cryptographic results and potential information exposure from prior cache contents. No public exploit exists and EPSS is 0.02%, but hardware-platform specificity limits real-world reach significantly.
Privilege escalation and denial of service in the Linux kernel's nested SVM (nSVM) virtualization subsystem allows an L2 guest to issue VMMCALL hypercalls as if it were L1 when nested_svm_l2_tlb_flush_enabled() is true, L1 does not intercept VMMCALL, and the hypercall is not a supported Hyper-V call. The fix forces KVM to synthesize a #UD exception in this scenario, matching architectural behavior; no public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%).
Local privilege escalation and memory corruption in the Linux kernel's atmel-sha204a crypto driver allows an attacker who can remove or unbind the device to trigger a use-after-free during the driver teardown path. The flaw stems from failing to unregister the hwrng and flush the Atmel I2C workqueue before teardown, letting a queued ->read() callback execute against freed state, and an early return that also leaks the hwrng.priv allocation. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, so this is a defense-in-depth hardening fix rather than an urgent emergency.
Memory leak and potential use-after-free in the Linux kernel's spi-ch341 USB driver expose systems to local denial-of-service when CH341 device probe failures occur without proper resource cleanup. Kernels from the commit introducing the spi-ch341 driver (8846739f52afa07e63395c80227dc544f54bd7b1) through the respective stable-branch fix commits across the 6.11 through 7.0 lineages are affected. Repeated probe failures accumulate leaked kernel memory that can exhaust system resources; no active exploitation is identified (EPSS 0.02%, no CISA KEV listing), placing this firmly in the maintenance-priority rather than incident-response category.
Linux kernel's hwmon powerz USB power meter driver fails to cancel an in-flight USB Request Block (URB) when a process is interrupted by a signal mid-read, resulting in reads from an unfilled DMA transfer buffer that can cause denial of service and potentially expose stale kernel buffer contents. Affected since commit 4381a36abdf1c5c0323c1c51f869dc000115eb20 and patched in stable releases 6.12.86, 7.0.4, and 6.18.27. No public exploit exists and EPSS is 0.02% (5th percentile), reflecting both the niche hardware dependency and strictly local attack surface; this issue is not listed in CISA KEV.
Out-of-bounds heap read in the Linux kernel ntfs3 driver's run_unpack() function allows a local user to crash the kernel by mounting a crafted NTFS image. The flaw affects multiple stable kernel branches from 5.15 onward, where run list parsing in MFT attributes consumes up to 15 bytes beyond the valid buffer boundary without checking remaining buffer size. No public exploit code exists and EPSS sits at 0.02% (5th percentile), but the local denial-of-service impact is A:H and patches are available across all affected stable branches.
KVM nested SVM (AMD virtualization) in the Linux kernel incorrectly marks VMCB_LBR dirty in the guest's vmcb12 during nested VM exit processing, triggering architecturally undefined behavior that results in hypervisor availability loss. Affected are Linux kernels from 5.19 through versions preceding the stable-branch patches at 6.18.27 and 7.0.4. A low-privileged local attacker operating within a nested virtual machine on an AMD SVM-capable host can exploit this to crash or destabilize the host KVM layer. No public exploit and no CISA KEV listing exist; EPSS sits at 0.02% (4th percentile), confirming negligible opportunistic exploitation probability.
Out-of-bounds read in the Linux kernel md/raid5 journal recovery path allows a local privileged user supplying a corrupted MD RAID5 journal device to trigger memory disclosure or kernel crashes during journal replay. The flaw exists in r5c_recovery_analyze_meta_block() and r5l_recovery_verify_data_checksum_for_mb(), which trusted on-disk payload size fields without validating them against the metadata block's remaining space. No public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.02% (5th percentile).
Use-after-free in the Linux kernel's mwifiex Wi-Fi driver (Marvell) occurs during adapter teardown: mwifiex_adapter_cleanup() calls the non-synchronous timer_delete() on the wakeup_timer, so a still-running wakeup_timer_fn callback can dereference adapter fields (hw_status, if_ops.card_reset) after mwifiex_free_adapter() frees them along the card-removal path. A local attacker who can trigger device removal while the timer fires could corrupt freed kernel memory, enabling privilege escalation or denial of service. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%, 5th percentile), and the fix (timer_delete_sync()) is merged into stable releases.
Improper memory deallocation in the Linux kernel's NX-842 hardware compression crypto driver (nx842_crypto_alloc_ctx/free_ctx) causes bounce buffers allocated as order-2 (4 pages) to be released with single-page free_page() calls, leaking three of every four pages. The flaw is local-only with no public exploit identified at time of analysis, and EPSS (0.02%, 5th percentile) reflects negligible mass-exploitation interest. Note that the NVD CVSS (7.8, C:H/I:H/A:H) appears overstated for what the upstream commit explicitly describes as a memory leak rather than corruption.
Out-of-bounds memory access in the Linux kernel's DAMON (Data Access MONitor) subsystem allows a local user with access to the DAMON sysfs interface to read out-of-bounds kernel memory or crash the system. The flaw exists because mm/damon/core failed to validate the user-supplied node ID (damos_quota_goal->nid) before using it in NODE_DATA() for the node_memcg_used_bp and node_memcg_free_bp quota goal metrics. The kernel description includes a working reproduction using the user-space 'damo' tool, but no public weaponized exploit and no active exploitation (CISA KEV) have been reported; EPSS is negligible at 0.02%.
Kernel panic in the Linux Ceph filesystem client affects systems running fscrypt-encrypted CephFS on kernel versions 6.18.16-6.18.29, 6.19.6, and 7.0.x prior to 7.0.4. An off-by-one error (CWE-193) in `ceph_wbc->num_ops` during encrypted writeback causes a hard BUG_ON assertion in `ceph_submit_write()`, crashing the kernel when a bounce buffer allocation fails under memory pressure. No public exploit exists and EPSS is 0.02% (4th percentile), but the CVE description contains a precise reproduction recipe, making reliable local triggering straightforward for anyone with write access to an affected encrypted mount.
Local privilege escalation and memory corruption in the Linux kernel fbdev deferred I/O subsystem allows local low-privileged users to trigger undefined behavior when a framebuffer device is hot-unplugged while user space retains an active memory mapping. The flaw stems from improper lifetime management between struct fb_info and deferred I/O state, leading to use-after-free conditions with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%).
Out-of-bounds heap read in the Linux kernel's ibmasm driver (the IBM Advanced System Management service-processor interface) lets a local privileged user leak adjacent kernel heap memory. The ibmasm_send_i2o_message() function trusts user-controlled command_size and data_size header fields to size a memcpy_toio() without validating them against the real allocation, so a small buffer with inflated header values forces a read of up to ~65 KB past the allocation, which is then forwarded to the service processor over MMIO. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis.
Deadlock in the Linux kernel's x86 Control-flow Enforcement Technology (CET) shadow stack implementation can be triggered by a local unprivileged user during signal return, causing a kernel hang and denial of service. The flaw exists in x86 SMP kernels with PER_VMA_LOCK configured where X86_USER_SHADOW_STACK is enabled: holding the mmap read lock while reading the shadow stack signal frame during sigreturn allows a recursive lock acquisition attempt that deadlocks when a concurrent mmap writer is waiting on another CPU. No public exploit has been identified at time of analysis and EPSS exploitation probability is extremely low at 0.02% (5th percentile), but the availability impact is high on affected systems with shadow stack enabled.
Integer overflow in the Linux kernel's ntfs3 filesystem driver allows local attackers to bypass volume boundary validation when mounting or accessing a crafted NTFS volume, leading to memory corruption with high confidentiality, integrity, and availability impact. The flaw resides in run_unpack() where the check `lcn + len > sbi->used.bitmap.nbits` performs raw addition that wraps for large values, sidestepping the bounds check. No public exploit identified at time of analysis and EPSS is very low (0.02%), but CVSS 7.8 with required user interaction reflects realistic local privilege-escalation potential when untrusted NTFS media is processed.
Deadlock in the Linux kernel jbd2 journal subsystem can hang filesystems and render systems unresponsive when filesystem blocksize is smaller than the system pagesize. Introduced by commit f76d4c28a46a, the flaw breaks the required folio-then-buffer lock ordering in jbd2_journal_cancel_revoke(), causing an ABBA deadlock between concurrent filesystem journal operations and block device writeback. No public exploit is identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with a race-condition kernel bug requiring a non-default configuration that is unlikely to be deliberately weaponized.
IRQ handler cleanup failure in the Linux kernel Intel QAT (Quick Assist Technology) crypto driver for 6xxx-series devices causes kernel resource leaks and availability impact when device probe partially fails. The flaw manifests during adf_dev_up() failure: because pcim_enable_device() registers pcim_msi_release() as a devres action that runs in LIFO order, MSI-X vectors are torn down while IRQ handlers such as 'qat0-bundle0' are still attached, producing remove_proc_entry() warnings and leaking procfs entries. No public exploit has been identified at time of analysis, and EPSS at 0.02% (4th percentile) confirms negligible exploitation interest; impact is limited to systems that physically host Intel QAT 6xxx accelerator cards.
Incorrect NextRIP state management in the Linux kernel's KVM nested SVM (nSVM) subsystem causes a denial-of-service condition affecting nested AMD virtualization environments from kernel 5.8 onward. After the first L2 VMRUN completes and NextRIP is updated by the CPU or KVM, a subsequent save/restore cycle incorrectly substitutes the stale current RIP in vmcb02, corrupting virtual machine control block state and crashing the nested guest or KVM subsystem. No active exploitation has been identified (not in CISA KEV, EPSS 0.02% at 4th percentile), and the vulnerability is strictly limited to AMD hosts with nested virtualization configured using NRIPS-disabled L1 guests with injected soft interrupts.
Use-after-free in the Linux kernel's amphion VPU media driver allows local privileged users to trigger a kernel panic and potential memory corruption due to a race condition between v4l2_m2m_ctx_release() and v4l2_m2m_try_run(). The flaw affects systems using the amphion video encode/decode driver (introduced in 5.18) and has been resolved upstream by removing reliance on the m2m framework's job scheduling. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the local high-impact CVSS of 7.8 makes it relevant for multi-tenant or hardened kernel deployments.
Landlock LSM's credential transfer hook in the Linux kernel silently drops the LOG_SUBDOMAINS_OFF audit-muting flag across fork() boundaries, breaking the documented sandboxing pattern where a parent process suppresses subdomain audit logs before spawning sandboxed children. Affected kernels from commit ead9079f75696 onward across the 6.15, 6.18, and 7.x stable branches allow child processes to emit unexpected Landlock audit records the operator explicitly intended to suppress. No public exploit identified at time of analysis; EPSS is 0.02% (4th percentile), and this is a logic correctness defect rather than a privilege-escalation or data-exfiltration path.
Use-after-free in the Linux kernel Bluetooth subsystem (hci_event) allows an adjacent attacker within Bluetooth range to potentially achieve memory corruption against vulnerable hosts during SSP pairing. The flaw stems from missing hdev locking in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), where an hci_conn structure can be freed concurrently while still in use. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%).
Out-of-bounds read in the Linux kernel's AppArmor LSM subsystem (security/apparmor/match.c) allows a local low-privileged user to trigger a KASAN slab-out-of-bounds read via the mount() syscall on kernels 7.0 through 7.0.3 and 7.1-rc1. The flaw stems from a missing string terminator that causes aa_dfa_match() to read past the end of an 8KB kmalloc buffer when processing mount path strings, resulting in potential information disclosure and system instability (denial of service). No public exploit identified at time of analysis, and EPSS probability is negligible at 0.02%.
Local privilege-bounded information disclosure and integrity compromise in the Linux kernel's SELinux module affects overlayfs mounts where mmap() and mprotect() operations bypass the intended dual-credential access checks. A local authenticated user with access to an overlayfs top-level (user) file can map or change protections on backing files without the mounter's credentials being properly evaluated, undermining the SELinux overlayfs security model. EPSS is very low (0.02%, 5th percentile) and no public exploit identified at time of analysis.
Local privilege escalation risk in the Linux kernel's RDS (Reliable Datagram Sockets) subsystem stems from a double-free condition in __rds_rdma_map() when a put_user() copy of the MR cookie fails after get_mr() has transferred sg/pages ownership to the transport. A local authenticated attacker triggering this race or fault path could cause memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis and EPSS is low at 0.02%, but a vendor-released patch is available across multiple stable branches.
Denial of service in the Linux kernel Ceph client allows local users with access to a Ceph-mounted filesystem to trigger d_hash list corruption and RCU stalls by inducing path lookups against reused cached negative dentries. The flaw stems from fs/ceph/dir.c calling d_add(dentry, NULL) on already-hashed negative dentries, creating self-loops in the hlist_bl bucket that cause __d_lookup() to spin indefinitely. EPSS is 0.02% (5th percentile) and no public exploit identified at time of analysis, but the bug has been reproduced organically in production (RCU stall on a Dell PowerEdge R7615 running 6.18.17).
Soft lockup in the Linux kernel's md/raid5 subsystem allows a local low-privileged user to trigger an infinite loop in the raid5d kernel thread, causing a kernel soft lockup and system-wide denial of service on hosts running RAID5 arrays. The fault lies in retry_aligned_read() using the wrong stripe release path when encountering overlapping stripes, permanently starving handle_stripe() of the work item needed to resolve the overlap. No public exploit has been identified and EPSS at 0.02% (5th percentile) confirms negligible exploitation probability; however, multiple active stable kernel branches from 3.12 onward are affected and vendor-released patches are confirmed across five fix versions.
Deadlock in the Linux kernel md/raid10 subsystem causes a permanent denial-of-service when NOWAIT IO requests coincide with an array check (resync) operation. The md resync thread becomes permanently stuck because the nr_pending atomic counter underflows to a large negative value, preventing it from ever reaching the zero threshold needed to proceed. Systems running RAID-10 arrays where applications use O_NOWAIT IO (e.g., filesystem writeback paths via ext4) are affected. No public exploit code exists and EPSS is 0.02%, indicating low exploitation probability, but the bug is deterministically reproducible by any local user with IO access to the affected array.
Infinite loop denial-of-service in the Linux kernel ALSA ctxfi audio driver allows a local low-privileged user to hang the kernel by triggering S/PDIF passthrough playback at 32000 Hz on Creative Sound Blaster X-Fi hardware. The root cause is an uninitialized `pll_rate` field that causes a resource-calculation loop to never exit, consuming CPU indefinitely and degrading or halting system availability. No public exploit exists and the EPSS score of 0.02% (5th percentile) confirms negligible real-world exploitation pressure; the vulnerability is not listed in CISA KEV.
USB device reference count leak in the Linux kernel ALSA CAIAQ driver allows a local attacker with access to USB hardware to trigger kernel memory exhaustion. The flaw exists because usb_get_dev() is called in create_card() but its matching usb_put_dev() is only installed as a destructor late in init_card(), leaving it unreachable on all intermediate failure paths. Syzbot has reproduced the issue using a malformed UAC3 USB audio device, and patches are available across all affected stable kernel branches. No public exploit has been identified at time of analysis, and EPSS is negligible at 0.02%.
Use-after-free in the Linux kernel's QRTR (Qualcomm IPC Router) name service driver remove path allows local low-privileged users to corrupt memory and potentially escalate privileges. The flaw occurs because qrtr_ns_data_ready() can queue work to a workqueue that has already been destroyed during driver teardown, dereferencing freed memory. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the fix has landed across multiple stable kernel trees.
Missing brelse() in the ext4 filesystem's ext4_xattr_inode_dec_ref_all() function causes a buffer head refcount leak that can degrade system availability on affected Linux kernel versions. Introduced by commit c8e008b60492 (
Data corruption in the Linux kernel md-llbitmap RAID subsystem allows stale bitmap pages to be read from spare disks during rebuild. The md-llbitmap code iterated rdevs checking only raid_disk assignment and the Faulty flag, omitting the In_sync flag, so bitmap data could be sourced from a not-yet-synchronized spare. No public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%), but the bug can silently corrupt arrays during normal operation or recovery.
Resource leak in the Linux kernel IPMI SSIF driver leaves an orphaned kernel thread running when driver initialization fails mid-sequence. Systems with SSIF-capable IPMI hardware (BMC connected via SMBus/I2C) running unpatched kernels are affected across multiple stable branches. If initialization errors occur after the ssif kthread is spawned but before the IPMI core starts the interface, the thread is never stopped, degrading system availability over time. No public exploit exists and EPSS is 0.02% (4th percentile), making this a routine patch-cycle item rather than an emergency; fixes are confirmed in stable kernel releases 6.18.27 and 7.0.4.
Remote denial of service and potential memory corruption in the Linux kernel's RDMA Software RoCE (rxe) driver allows network attackers to send malformed RDMA packets that bypass length validation in rxe_rcv(). Affected systems with the rxe module loaded and reachable on the network can experience integer underflow in payload_size() due to an attacker-controlled BTH pad field, leading to negative values being passed to downstream receive-path handlers. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the CVSS 9.1 rating reflects the unauthenticated network attack surface where rxe is exposed.
Two kernel heap memory leaks in Linux kernel's weighted interleave NUMA memory policy subsystem allow a local low-privilege user to exhaust kernel memory and cause denial of service. The `weighted_interleave_auto_store()` function in `mm/mempolicy.c` fails to free `new_wi_state` on an early-return path and fails to free the old state object when overwritten via `rcu_assign_pointer()` when processing 'true' writes, because `old_wi_state` is only fetched inside the wrong conditional branch. The second leak is trivially automatable - any authorized sysfs writer can loop-write '1' indefinitely to drive the system into OOM - though no public exploit exists and EPSS sits at a negligible 0.02%.
Denial-of-service via kernel panic in the Linux kernel's greybus gb-beagleplay driver allows a local low-privileged user to crash the system by triggering an illegal sleep-in-atomic-context condition. The greybus HDLC TX path calls usleep_range() inside hdlc_append() while the tx_producer_lock spinlock is held, violating the fundamental Linux kernel rule that sleeping is forbidden in atomic context and triggering a 'BUG: scheduling while atomic' kernel oops. No public exploit has been identified at time of analysis, and EPSS at 0.02% (5th percentile) reflects the hardware-specific and local-access-only nature of this flaw. The input tag 'Information Disclosure' appears to be a misclassification - the actual impact is exclusively availability (kernel crash), consistent with the CVSS vector's A:H/C:N/I:N ratings.
Resource accounting exhaustion in the Linux kernel's inotify subsystem allows a local low-privileged user to permanently leak watch counts by repeatedly triggering a failure path in inotify_new_watch() that increments the per-namespace watch counter without a corresponding decrement. Over time this exhausts the max_user_watches limit, causing all subsequent inotify watch creation within the namespace to fail with -ENOSPC even when no watches are genuinely active, constituting a local denial-of-service against inotify-dependent applications. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects very low real-world exploitation probability with no CISA KEV listing.
Integer overflow in the Linux kernel's rxgk (RxRPC GSS Kerberos) token extraction routine allows remote attackers to potentially trigger memory corruption via length-check bypass in rxgk_extract_token(). The flaw affects Linux kernel versions in the 6.16.9-to-6.17 range and was fixed by changing the validation to round down available data instead of rounding up the tested value. No public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.02%.
Memory exhaustion in the Linux Kernel's QRTR (Qualcomm IPC Router) nameserver subsystem exposes local, low-privileged users to a denial-of-service condition. The `ctrl_cmd_bye()` function, triggered when a QRTR node sends a BYE shutdown packet, fails to remove the node from the Xarray structure or release the associated memory - resulting in a persistent kernel memory leak (CWE-401). Affected systems are Linux kernels from 5.7 through multiple stable branches, with fixes backported to 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. No active exploitation is confirmed (not in CISA KEV), and EPSS sits at 0.02% (5th percentile), indicating minimal real-world threat at this time.
Out-of-bounds read in the Linux kernel's IPv4 ICMP handling allows remote attackers to trigger denial of service and potential information disclosure by sending crafted ICMP Extended Echo Reply packets. The flaw stems from the kernel consulting the icmp_pointers[] array with reply types (ICMP_EXT_ECHOREPLY) that fall outside its bounded range (NR_ICMP_TYPES). No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but the network attack vector and high availability impact make patching a priority for exposed Linux hosts.
Local privilege escalation in the Linux kernel's vfio/cdx (Composable DMA-capable eXtension) driver allows a process with access to a VFIO device file descriptor to trigger a use-after-free of the cdx_irqs array via concurrent VFIO_DEVICE_SET_IRQS ioctls. The race in vfio_cdx_set_msi_trigger() can be exploited by a local low-privileged attacker for memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis and EPSS is very low (0.02%, 5th percentile).
Lock re-entrancy corruption in the Linux kernel's mm/page_alloc subsystem affects uniprocessor (UP/!CONFIG_SMP) builds, allowing freelist corruption that crashes the kernel. On UP kernels, spin_trylock() is a compile-time no-op that unconditionally succeeds; when alloc_frozen_pages_nolock() is invoked from NMI context, it re-enters rmqueue() and acquires the zone lock already held by the interrupted context, corrupting the page allocator's freelists. No public exploit exists and EPSS sits at the 4th percentile (0.02%), consistent with the narrow scope: only non-default UP kernel builds on specific kernel versions are affected, making this a targeted stability concern for embedded or legacy uniprocessor deployments rather than a broad production threat.
NULL pointer dereference in the Linux kernel vfio/cdx subsystem allows a local low-privileged user with access to a CDX VFIO device to crash the kernel by issuing an out-of-order ioctl sequence. Specifically, calling VFIO_DEVICE_SET_IRQS with DATA_BOOL or DATA_NONE flags before ever initializing MSI interrupts via the EVENTFD path dereferences an unallocated cdx_irqs pointer, producing a kernel panic and denial-of-service. No public exploit code exists and EPSS is 0.02%, but vendor-released patches are confirmed available across all affected stable branches.
Out-of-bounds read in the Linux kernel's crypto authencesn AEAD wrapper allows a local user with AF_ALG access to trigger memory disclosure and possible denial of service by instantiating an authencesn transform built on an ahash whose digest size is 1-3 bytes (for example cbcmac(cipher_null)). The flaw stems from crypto_authenc_esn_create() failing to validate the inner digest size, letting an invalid default authsize bypass the existing setauthsize() check. No public exploit identified at time of analysis and EPSS probability is negligible (0.02%), but the upstream fix is shipping across multiple stable trees.
Nested SVM virtualization in the Linux kernel KVM subsystem can leave the host hypervisor (L1) running with corrupted page-table state when CR3 restoration fails during a nested #VMEXIT. The root function nested_svm_vmexit() returns an error code that most callers silently ignore, meaning the host continues executing against corrupt address-space mappings rather than triggering the shutdown behavior mandated by the AMD Architecture Programmer's Manual. The fix injects a triple fault - mirroring real hardware behavior - and continues cleanup to avoid leaving vCPU state partially torn down. No public exploit exists and EPSS is 0.02%, but the availability impact is high for any host running nested AMD virtualization.
Denial of service in the Linux kernel ks8851 Ethernet driver allows a deadlock condition when handling concurrent IRQ and TX softirq processing on systems using the Micrel KS8851 MAC/PHY chip. The flaw manifests when the IRQ handler executes netdev_alloc_skb_ip_align() with bottom-halves enabled, triggering pending softirq processing that re-enters the driver's xmit path and attempts to re-acquire an already-held spinlock. EPSS scores this at 0.02% (5th percentile) and no public exploit identified at time of analysis, consistent with a local hardware-dependent stability bug rather than a remotely weaponizable vulnerability.
Memory leak in the Linux kernel's EDAC/versalnet driver (mc_probe()) results in unreleased device_node references, enabling local low-privileged users to cause kernel memory exhaustion and availability degradation on AMD/Xilinx Versal SoC systems. The root cause is a missing of_node_put() call on all exit paths of mc_probe(), with the fix applied across stable branches including 6.18.27 and 7.0.4. No public exploit or CISA KEV listing exists, and EPSS sits at 0.02% (4th percentile), reflecting minimal active exploitation risk.
Slab allocator corruption in the Linux kernel's mm/slab subsystem allows local low-privileged users on uniprocessor (UP, !CONFIG_SMP) builds to potentially corrupt kernel memory state when kmalloc_nolock() is invoked from NMI context. The flaw stems from spin_trylock() being a no-op on UP kernels, allowing re-entry into the slab allocator while n->list_lock is already held by the interrupted context. EPSS is very low (0.02%) and no public exploit has been identified at time of analysis, though an upstream patch is available.
Race condition in the Linux kernel's AF_ALG AEAD AIO interface allows a local low-privileged user to trigger a denial of service by exploiting shared socket-wide IV buffer state across concurrent asynchronous AEAD requests. The algif_aead subsystem fails to snapshot the Initialization Vector into per-request storage before dispatching async operations, meaning any concurrent socket activity that updates the shared IV can corrupt an in-flight request before it completes. No public exploit has been identified and EPSS is extremely low at 0.02% (7th percentile); vendor-released patches are available across all supported stable kernel branches.
Denial-of-service in the Linux kernel's SMC (Shared Memory Communications) networking subsystem allows remote attackers to crash the kernel by sending a CLC decline message during the early stage of an SMC handshake before the connection is associated with a link group. The flaw, tracked as EUVD-2026-32408, stems from smc_clc_wait_msg() accessing link-group sync state that does not yet exist at that point in the handshake. No public exploit identified at time of analysis and EPSS probability is very low (0.02%, 5th percentile), but the network attack vector and high availability impact warrant patching on systems that use SMC.
Uncontrolled resource consumption in the Linux kernel's QRTR (Qualcomm IPC Router) nameserver module allows a local authenticated user to exhaust nameserver resources by flooding it with unbounded NEW_LOOKUP messages over a single socket. The affected subsystem (net/qrtr/ns) restricted lookups to local clients but imposed no count limit, enabling a sustained denial-of-service against QRTR-dependent inter-process communication on Qualcomm SoC platforms. No public exploit has been identified and EPSS stands at 0.02% (5th percentile), placing this firmly in the low real-world priority tier despite its High availability impact rating.
Deadlock and memory leak in the Linux kernel DAMON subsystem arise from a race condition between damon_call() request registration and kdamond_fn() thread exit, affecting systems using the Data Access MONitor (DAMON) API. A local low-privileged process can trigger the race at precisely the moment a kdamond thread is terminating - causing the calling thread to wait indefinitely for a handler that has already exited, resulting in a kernel-level availability denial. No active exploitation is confirmed (EPSS 0.02%, not in CISA KEV), and the high attack complexity required to win the race significantly constrains real-world risk.
Denial of service in the Linux kernel's libceph subsystem allows remote attackers to crash the kernel via a malformed CEPH_MSG_AUTH_REPLY message containing zero values for both protocol and result fields. The flaw resides in ceph_handle_auth_reply() where a missing validation causes ac->ops to be set to NULL before being dereferenced. No public exploit identified at time of analysis, and EPSS is extremely low (0.02%), but the network attack vector with no authentication and high availability impact warrants prompt patching on Ceph-enabled systems.
Integer overflow in the Linux kernel's device mapper mirror (dm-mirror) subsystem allows a local attacker with device mapper configuration privileges to crash the kernel via a denial-of-service condition. The flaw resides in create_dirty_log() where an unchecked unsigned addition of 2 + param_count wraps around to a small value when param_count approaches UINT_MAX, bypassing an argc bounds check and triggering out-of-bounds reads in dm_dirty_log_create(). No public exploit code exists and EPSS is exceptionally low at 0.02% (5th percentile); this CVE has not been added to the CISA KEV catalog, indicating no confirmed active exploitation at time of analysis.
Out-of-bounds MMIO read in the Linux kernel's ibmasm (IBM Advanced System Management) misc driver allows a compromised IBM service processor to read 8 bytes from unintended device registers or trigger a machine check exception (system crash) by writing an out-of-range queue reader/writer index before asserting an interrupt. The flaw resides in ibmasm_handle_mouse_interrupt() where raw readl() values are passed unchecked to get_queue_entry(), and is fixed by bounds-checking both indices against REMOTE_QUEUE_SIZE (60). No public exploit identified at time of analysis, and EPSS probability is negligible at 0.02%.
Two related memory-management defects in the Linux kernel thermal zone governor subsystem expose local low-privileged users to system availability loss. The first is a memory leak (CWE-401) in the registration error path of thermal_zone_device_register_with_trips(), which fails to remove an attached governor when registration fails mid-way. The second, and more critically impactful, is a race condition in thermal_zone_device_unregister(), which calls thermal_set_governor() without first acquiring the thermal zone lock - permitting a concurrent sysfs-based governor update to produce a use-after-free, which can trigger a kernel panic. No public exploit code exists and EPSS is 0.02% (5th percentile); vendor-released patches are available across multiple stable kernel branches including 6.6.140, 6.12.86, 6.18.27, and 7.0.4.
Out-of-bounds memory access in the Linux kernel's DAMON (Data Access MONitor) subsystem allows privileged local users to crash the kernel by supplying arbitrary node IDs to damos_quota_goal via DAMON_SYSFS. Affecting Linux 6.16 and fixed in 6.18.27, 7.0.4, and 7.1-rc1, the flaw stems from missing validation before si_meminfo_node()/NODE_DATA() lookups and is reproducible with the upstream 'damo' user-space tool. No public exploit identified at time of analysis and EPSS is very low at 0.02%.
The atmel-aes crypto driver in the Linux kernel leaks 3 pages of kernel memory per cleanup cycle due to a mismatch between allocation and deallocation functions: atmel_aes_buff_init() allocates 4 contiguous pages via __get_free_pages() with ATMEL_AES_BUFFER_ORDER, but atmel_aes_buff_cleanup() frees only a single page via free_page() instead of the correct free_pages(). Systems running on Atmel/Microchip ARM SoC hardware with this driver loaded are vulnerable to gradual kernel memory exhaustion leading to denial of service. No public exploit code exists and no active exploitation has been confirmed; the EPSS score of 0.02% (5th percentile) reflects the extremely narrow hardware-specific attack surface, and vendor-released patches are available across multiple stable kernel branches.
Availability degradation in the Linux kernel ALSA USB audio subsystem allows a local attacker with a crafted UAC2 USB audio device to trigger an unbounded parsing loop that holds register_mutex while repeatedly flooding the kernel log with error messages. Affected systems running snd-usb-audio on multiple stable kernel branches from 3.x through 7.0 are exposed to denial-of-service via mutex contention during USB device probe. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (6th percentile) reflects minimal threat actor interest; no CISA KEV listing exists.
Race condition in the Linux kernel memory management subsystem during large-folio migration can cause kernel availability disruption on SMP/NUMA systems. The flaw in migrate_folio_move() causes a destination folio to become visible to concurrent rmap-removal paths before being requeued onto the deferred split queue, triggering a kernel WARN in deferred_split_folio() or silently losing a folio from split_queue when the shrinker races the migration lock. With no public exploit, no CISA KEV listing, and an EPSS of 0.02%, this is a low real-world risk issue primarily relevant to HPC, virtualization, and database workloads with heavy NUMA migration activity.
NULL pointer dereference in the Linux kernel's Xilinx remoteproc (xlnx) IPI receive callback enables a local low-privileged user to crash the kernel on Xilinx SoC-based systems. The receive callback unconditionally accesses buffer information without first validating whether the message pointer is NULL, which occurs when IPI is operating in non-buffered mode. No public exploit exists and no active exploitation is confirmed; with EPSS at 0.02% (5th percentile), real-world risk is very low and hardware-specific.
Race condition and missed wake-up in the Linux kernel TCP listener migration path (SO_REUSEPORT) allows local low-privileged attackers to cause hangs and potentially exploit a use-after-free on listener sockets. Affects kernels from 5.14 up to versions fixed in 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. No public exploit identified at time of analysis, and EPSS is very low (0.02%).
Broken LBR MSR save/restore in the Linux kernel KVM/SVM subsystem allows a low-privileged local attacker to cause high-impact availability failures in virtualized environments running on AMD SVM hardware. MSR_IA32_DEBUGCTLMSR and Last Branch Record (LBR) MSRs are not enumerated by KVM_GET_MSR_INDEX_LIST and cannot be set via KVM_SET_MSRS, meaning VM state is not correctly preserved across save/restore or live migration cycles, particularly when L2 guests are running. No public exploit has been identified at time of analysis, and EPSS of 0.02% indicates very low exploitation probability, but the flaw affects a foundational hypervisor state management path on production AMD virtualization infrastructure.
Incorrect physical address conversion in the Linux kernel's mm/memfd_luo subsystem can crash the kernel when the put_folios error-cleanup path executes during memfd Live Update Object (LUO) operations. The cleanup passes a raw Page Frame Number (PFN) where kho_restore_folio() requires a phys_addr_t, and a missing sparse-hole guard (pfn==0) risks misprocessing file holes. No public exploit identified at time of analysis; EPSS of 0.02% (5th percentile) and absence from CISA KEV confirm very low real-world exploitation probability, with impact confined to local denial of service on systems running the experimental KHO/LUO subsystem.
Memory exhaustion denial-of-service in the Linux kernel's rxkad Kerberos authentication layer allows a local low-privilege attacker to leak kernel memory by repeatedly triggering error paths in rxkad_verify_response(). The vulnerability affects kernels from approximately 5.11 through all unpatched stable series prior to 6.6.140, 6.12.86, 6.18.27, and 7.0.4. No public exploit exists and EPSS sits at 0.02% (5th percentile), indicating minimal real-world exploitation likelihood; however, systems running AFS workloads with rxrpc active warrant patching at next maintenance.
Local privilege escalation and memory corruption in the Linux kernel's MediaTek JPEG (mtk-jpeg) media driver allows a local user with access to the device to trigger a use-after-free condition. The flaw occurs in mtk_jpeg_release() which frees the context structure without first cancelling pending workqueue items, creating a race window during device close where the worker thread accesses freed memory. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%, but the bug is fixed across multiple stable trees.
Memory exhaustion handling flaw in the Linux kernel's rxrpc/rxgk subsystem allows network-adjacent attackers to potentially trigger unsafe code paths when rxgk_decrypt_skb() returns -ENOMEM during RxGSS-Kerberos token extraction. Affected kernels include the 6.17 series and specific commits in 6.16.9 onward, fixed in upstream commits and stable backports targeting 6.18.27 and 7.1-rc1. No public exploit identified at time of analysis, and EPSS is very low (0.02%) despite the 8.1 CVSS score.
Duplicate resource teardown in the Linux kernel's PCI endpoint NTB (Non-Transparent Bridge) driver causes a kernel oops when link state transitions fail or complete, enabling a local low-privileged user to crash the kernel. The `epf_ntb_epc_destroy()` helper performs teardown that its callers also execute, resulting in a double-free-class condition. No public exploit code exists and no active exploitation has been confirmed (not in CISA KEV); the EPSS score of 0.02% at the 5th percentile reflects extremely low observed exploitation probability.
Deadlock in Linux kernel DAMON (Data Access Monitor) subsystem allows a local low-privileged user or kernel code path to cause an indefinite thread hang in the mm/damon/core module via a race condition between damos_walk() request registration and kdamond_fn() exit sequencing. Systems running Linux kernels from commit bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61 through the patch commits are affected, with availability as the sole impact (CVSS C:N/I:N/A:H). No public exploit identified at time of analysis, and EPSS probability is 0.02% (5th percentile), indicating negligible real-world exploitation interest.