Memory Corruption
Monthly
Sandbox escape in Google Chrome's GPU process prior to version 148.0.7778.216 allows remote attackers who have already compromised the renderer process to break out of the Chromium sandbox via a crafted HTML page. The flaw is an out-of-bounds write (CWE-787) rated High by Chromium with CVSS 8.3, and while a vendor patch is available, no public exploit identified at time of analysis and EPSS is very low at 0.03%.
Remote code execution in Google Chrome's V8 JavaScript engine prior to 148.0.7778.216 allows attackers to execute arbitrary code inside the renderer sandbox when a victim visits a crafted HTML page. The flaw is an out-of-bounds write (CWE-787) rated High by Chromium and CVSS 8.8, requires user interaction to load attacker-controlled content, and no public exploit has been identified at time of analysis.
Sandbox escape in Google Chrome's WebGL component (versions prior to 148.0.7778.216) allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High severity by Chromium, requiring user interaction (visiting a page) and a prior renderer compromise, making it a second-stage exploit primitive. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.03%.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker to trigger an out-of-bounds write in the GPU process via a crafted HTML page, potentially breaking out of Chrome's renderer sandbox. The flaw carries a CVSS 9.6 due to scope change (S:C) and high impact across confidentiality, integrity, and availability, but requires user interaction (UI:R) such as visiting a malicious page. No public exploit identified at time of analysis, and EPSS is very low at 0.03% (11th percentile), suggesting limited near-term mass exploitation despite the severe potential impact.
Out-of-bounds write in the ANGLE graphics translation layer of Google Chrome before 148.0.7778.216 allows a remote attacker to trigger heap corruption by luring a user to a crafted HTML page, potentially leading to arbitrary code execution within the renderer process. Chromium rates the severity as High and CVSS scores it 8.8, but EPSS exploitation probability is currently very low (0.03%, 11th percentile) and no public exploit identified at time of analysis. The flaw was reported through Chrome's internal disclosure process and a fixed build is already available from the vendor.
Arbitrary code execution in Google Chrome on macOS prior to 148.0.7778.216 stems from a use-after-free condition in the Bluetooth component, exploitable through a malicious browser extension. Chromium rates the severity as High, and while CVSS scores it 8.1 with network attack vector, real-world exploitation requires the victim to install an attacker-controlled extension. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.01%.
Remote code execution in Google Chrome's WebRTC component (versions prior to 148.0.7778.216) allows a remote attacker to execute arbitrary code within the browser sandbox by enticing a victim to load a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High by Chromium's security team, and while no public exploit identified at time of analysis, the CVSS 8.8 score reflects the low-complexity network-based attack vector combined with the high impact across confidentiality, integrity, and availability. User interaction (visiting a malicious page) is required, but otherwise no authentication or privileges are needed.
Heap corruption in Google Chrome's SurfaceCapture component (versions prior to 148.0.7778.216) allows a remote attacker to potentially execute arbitrary code by luring a user to a crafted HTML page. The flaw is a use-after-free issue rated High severity by the Chromium project, with a CVSS score of 8.8 reflecting low complexity and no authentication, though user interaction is required. There is no public exploit identified at time of analysis and EPSS is very low (0.03%, 11th percentile), but the historical pattern of Chrome UAF bugs being weaponized makes patching urgent.
Heap corruption in Google Chrome's PDFium component before version 148.0.7778.216 lets a remote attacker trigger a use-after-free condition by serving a crafted PDF, opening the door to code execution within the renderer process. The flaw carries a CVSS 8.8 (High) rating and requires user interaction (UI:R) to open or render the malicious document. EPSS is currently very low (0.03%, 11th percentile) and no public exploit has been identified at time of analysis, though Chrome PDFium UAFs have a long history of weaponization in browser exploit chains.
Sandboxed arbitrary code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free condition in the PDF component that remote attackers can trigger by serving a crafted PDF file. The flaw carries a CVSS 8.8 rating reflecting network reach with required user interaction (opening or rendering a malicious PDF), and no public exploit identified at time of analysis though Google rates the underlying Chromium severity as High.
Remote code execution in Google Chrome on iOS prior to 148.0.7778.216 allows attackers to exploit a use-after-free memory corruption flaw when a victim is lured to a malicious HTML page and performs specific UI gestures. The issue carries a CVSS 7.5 (High) score with high attack complexity and required user interaction, and no public exploit has been identified at time of analysis.
Heap corruption in Google Chrome's TabStrip component before version 148.0.7778.216 allows remote attackers to potentially achieve code execution by serving a crafted HTML page and inducing the victim to perform specific UI gestures. Chromium rates the issue High severity, but EPSS places exploitation probability at just 0.03% (11th percentile) and no public exploit identified at time of analysis, reflecting the high attack complexity and required user interaction.
Remote code execution in Google Chrome's WebAudio component (versions prior to 148.0.7778.216) allows a remote attacker to execute arbitrary code inside the renderer sandbox via a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High severity by Chromium, with a CVSS score of 8.8 reflecting low attack complexity and no authentication required, though user interaction (visiting a page) is needed. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 enables remote attackers to break out of the renderer process sandbox by enticing a user to visit a crafted HTML page that triggers a use-after-free condition in the UI component. Chromium rates the severity as High, and a vendor patch is available; no public exploit identified at time of analysis and EPSS exploitation probability is currently very low (0.03%, 11th percentile).
Sandbox escape in Google Chrome on Windows before 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page leveraging a use-after-free in Core. The flaw is rated High by Chromium and carries CVSS 8.3, but EPSS is very low (0.03%) and no public exploit identified at time of analysis, so it is most relevant as the second stage of a multi-bug exploit chain rather than a standalone entry vector.
Sandbox escape in Google Chrome on macOS before 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page that triggers a use-after-free in the Views UI component. The flaw is rated High severity by Chromium and carries a CVSS 8.3 due to scope change, but EPSS is only 0.03% and there is no public exploit identified at time of analysis. Exploitation is realistic only as the second stage of a chained renderer compromise rather than a standalone drive-by attack.
Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in the browser's XML handling component, allowing a remote attacker to execute arbitrary code inside the renderer sandbox via a crafted HTML page. Chromium rates the severity as High with a CVSS 3.1 score of 8.8, and exploitation requires user interaction such as visiting a malicious site. No public exploit identified at time of analysis, but use-after-free flaws in Chrome's XML parsing have historically been chained with sandbox escapes for full system compromise.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free condition in the ANGLE graphics translation layer that lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. Google rates this High severity and a vendor patch is available, but EPSS scoring (0.03%, 11th percentile) is low and no public exploit identified at time of analysis, suggesting it has not yet been weaponized broadly.
Remote code execution in Google Chrome on Windows prior to version 148.0.7778.216 allows attackers to execute arbitrary code within the renderer sandbox by enticing a victim to visit a crafted HTML page that triggers a use-after-free condition in the Media component. Rated High severity by Chromium with a CVSS 8.8 score, the flaw requires user interaction (visiting a malicious page) but no authentication, and no public exploit identified at time of analysis.
Remote code execution in Google Chrome (ANGLE component) prior to version 148.0.7778.216 allows a remote attacker to execute arbitrary code inside the renderer sandbox via a crafted HTML page. The flaw is a use-after-free memory corruption issue (CWE-416) rated High severity by Chromium and CVSS 8.8, requiring only that a victim visit a malicious page. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Sandbox escape in Google Chrome on Windows versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a use-after-free flaw in the UI component, triggered by a crafted HTML page. Chromium rates this High severity and a vendor patch is available, though no public exploit has been identified at time of analysis and EPSS exploitation probability is very low (0.03%, 11th percentile).
Sandbox escape in Google Chrome on macOS prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the GPU/GFX sandbox via a crafted HTML page, leveraging a use-after-free condition. The flaw is rated High severity by Chromium (CVSS 8.3) and requires user interaction plus a chained renderer compromise; no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.03%).
Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in the Aura UI framework component. A remote attacker who lures a user to a malicious HTML page and convinces them to perform specific UI gestures can execute arbitrary code within the browser process. No public exploit identified at time of analysis, and the CVSS 7.5 score reflects high attack complexity combined with required user interaction.
Use-after-free in the Input component of Google Chrome prior to 148.0.7778.216 allows a remote attacker to trigger heap corruption when a victim is lured to a crafted HTML page and performs specific UI gestures. Chromium rates the severity High, and while no public exploit identified at time of analysis and EPSS is very low (0.03%, 11th percentile), the bug class historically yields renderer RCE when chained with a sandbox escape. A vendor patch is available in the stable channel update referenced by Google.
Sandbox escape in Google Chrome on Windows prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the renderer sandbox via a use-after-free in the ANGLE graphics layer. Exploitation requires user interaction (visiting a crafted HTML page) and a pre-existing renderer compromise, so it functions as the second stage of an exploit chain rather than a standalone RCE. No public exploit identified at time of analysis and EPSS is very low (0.03%), but Chrome rates the underlying flaw as High severity.
Sandbox escape in Google Chrome's GPU process prior to version 148.0.7778.216 lets a remote attacker who has already gained code execution inside the renderer process break out of Chrome's sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium and carries CVSS 8.3 (AV:N/AC:H/PR:N/UI:R/S:C). EPSS is very low (0.03%), and there is no public exploit identified at time of analysis, but the bug is part of a stable-channel security release shipped by Google.
Out-of-bounds memory write in Dawn, Chrome's WebGPU implementation, affects Google Chrome on macOS prior to version 148.0.7778.216. Remote unauthenticated attackers (per CVSS PR:N) can trigger the write via a crafted HTML page requiring only a single user interaction - visiting a malicious site. The CVSS-scored impact is constrained to low integrity (I:L), with no confidentiality or availability impact confirmed, suggesting the write primitive is limited or difficult to weaponize for full code execution without chaining additional exploits. No public exploit identified at time of analysis and EPSS at 0.03% (11th percentile) indicates very low exploitation probability.
Remote code execution in Google Chrome's ANGLE graphics layer prior to version 148.0.7778.216 allows attackers to run arbitrary code inside the browser sandbox when a victim visits a crafted HTML page. The flaw is a use-after-free memory corruption issue (CWE-416) reported internally by the Chrome team and rated High by Chromium; no public exploit identified at time of analysis, though Chrome UAF bugs in ANGLE are historically attractive targets and pair well with sandbox escapes.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 enables remote attackers, who have already compromised the renderer process, to break out of the browser sandbox via a use-after-free flaw in the ANGLE graphics translation layer. Exploitation requires user interaction (visiting a crafted HTML page) and a prior renderer compromise, making this a second-stage primitive in a chained attack. EPSS is low at 0.03% and there is no public exploit identified at time of analysis, though Google rates the underlying Chromium severity as High.
Heap corruption in Google Chrome's Skia graphics library affects all versions prior to 148.0.7778.216 and can be triggered by a remote attacker hosting a crafted HTML page. Successful exploitation requires user interaction (visiting the page) but yields high confidentiality, integrity, and availability impact within the renderer context. No public exploit is identified at time of analysis and EPSS is very low (0.03%), though Chromium rates the severity as High and a vendor patch is available.
Renderer-to-browser sandbox escape in Google Chrome on macOS prior to 148.0.7778.216 enables remote code execution via a use-after-free in the GPU process. An attacker who has already compromised the renderer can leverage a crafted HTML page to corrupt GPU process memory and execute arbitrary code outside the renderer sandbox. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but Chromium rates the underlying severity as High.
Out-of-bounds write in the ANGLE graphics translation layer in Google Chrome before 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to potentially escape the Chrome sandbox via a crafted HTML page. The flaw is rated High severity by Chromium and chained exploitation could lead to code execution outside the renderer sandbox, though no public exploit identified at time of analysis and EPSS estimates only a 0.03% near-term exploitation probability.
Sandbox escape in Google Chrome before 148.0.7778.216 enables a remote attacker who has already compromised the renderer process to break out of Chrome's sandbox through an out-of-bounds write in the GPU process triggered by a crafted HTML page. Google rates the Chromium security severity as High and a vendor patch is available, but no public exploit has been identified at time of analysis and EPSS exploitation probability is low at 0.03% (11th percentile).
Sandbox escape in Google Chrome on Windows prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page exploiting a use-after-free in the Accessibility component. Chromium rates the severity as High and a vendor patch is available, but no public exploit has been identified at time of analysis and EPSS exploitation probability remains very low at 0.03%.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free condition in the ANGLE graphics translation layer, triggered when a victim visits a crafted HTML page. Remote attackers can potentially break out of Chrome's renderer sandbox to gain broader access on the host system. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.03% (11th percentile), though the Chromium team rated severity as High.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page that triggers a use-after-free in the Accessibility component. Chromium rates the issue High severity and a vendor patch is available, though no public exploit identified at time of analysis and EPSS exploitation probability is currently low (0.03%, 11th percentile).
Sandbox escape and arbitrary code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in the ANGLE graphics translation layer. An attacker who has already compromised the renderer process can leverage a crafted HTML page to break memory safety and execute code in a higher-privileged context. No public exploit identified at time of analysis, though Chromium rates the underlying severity as High.
Sandbox escape in Google Chrome's ANGLE graphics layer prior to version 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of Chrome's sandbox via a crafted HTML page. Rated High severity by Chromium with a CVSS of 8.3, the issue is patched but no public exploit has been identified at time of analysis, and EPSS exploitation probability is low (0.03%, 11th percentile).
Sandbox escape in Google Chrome's ANGLE graphics layer prior to version 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High severity by Chromium with a CVSS score of 8.3, but EPSS exploitation probability is currently very low at 0.03% and no public exploit has been identified at time of analysis.
Remote code execution in Google Chrome prior to 148.0.7778.216 enables a remote attacker to execute arbitrary code within the renderer sandbox by luring a user to a crafted HTML page that triggers a use-after-free in the DOM implementation. The flaw carries a CVSS 8.8 (High) rating reflecting network reach with required user interaction, and Google has rated the Chromium severity as High; no public exploit is identified at the time of analysis and the issue is not listed in CISA KEV.
Remote code execution in Google Chrome's V8 JavaScript engine prior to version 148.0.7778.216 allows remote attackers to execute arbitrary code inside the renderer sandbox by luring a user to a crafted HTML page. The flaw is a CWE-787 out-of-bounds write in V8 carrying a CVSS 8.8 (High) with Chromium severity rated High; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of Chrome's sandbox via a use-after-free in the GPU process. Chrome rates the underlying memory corruption as High severity, and while no public exploit identified at time of analysis, the bug is part of a chained-exploit class historically weaponized against browsers. EPSS is very low (0.03%) reflecting the prerequisite of an already-compromised renderer rather than a direct one-shot RCE.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the Chromium sandbox via a crafted HTML page that triggers a use-after-free in the Skia graphics library. Google rated this Critical internally, though no public exploit identified at time of analysis and EPSS scores exploitation probability at just 0.03% (11th percentile). The flaw requires chaining with a separate renderer compromise, so it is a second-stage primitive rather than a single-shot RCE.
Sandbox escape in Google Chrome before 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted Chrome Extension exploiting a use-after-free in the Extensions component. Chromium rates the underlying flaw as Critical severity, though no public exploit has been identified at time of analysis and EPSS exploitation probability sits at 0.03% (11th percentile).
Sandbox escape in Google Chrome on Windows prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page targeting the XR (WebXR) component. The flaw is a use-after-free rated Critical by Chromium and CVSS 8.3 (AV:N/AC:H/PR:N/UI:R/S:C); no public exploit identified at time of analysis and EPSS is low at 0.03%, but the bug forms a key link in a multi-stage browser exploit chain.
Sandbox escape in Google Chrome for Android versions prior to 148.0.7778.216 enables a remote attacker who has already compromised the renderer process to break out of the sandbox via a use-after-free flaw in the WebView component. Chromium rates the severity as Critical, and a vendor patch is available; no public exploit identified at time of analysis and EPSS is very low (0.03%, 10th percentile), but the chained-exploit potential against mobile users makes prompt patching important.
Remote code execution in Google Chrome prior to 148.0.7778.216 allows attackers to exploit a use-after-free condition in the Proxy component via a malicious PAC (Proxy Auto-Config) script delivered through a crafted web page. Chromium rates this as Critical severity, and while no public exploit identified at time of analysis, the EPSS score of 0.04% reflects low predicted exploitation activity despite the high CVSS 8.8 rating. Successful exploitation requires user interaction (UI:R) such as visiting an attacker-controlled page that triggers the vulnerable PAC processing path.
Sandbox escape in Google Chrome on macOS prior to 148.0.7778.216 allows a remote attacker to break out of the renderer sandbox by enticing a user to visit a crafted HTML page that triggers a use-after-free in the Base component. Chromium rates the severity Critical and CVSS scores it 9.6, though no public exploit is identified at time of analysis and EPSS exploitation probability is currently very low (0.03%).
Remote code execution in Google Chrome on macOS prior to version 148.0.7778.216 allows attackers to exploit a use-after-free flaw in the Browser component via a malicious HTML page. Rated Critical by Chromium's security team with a CVSS of 8.8, exploitation requires user interaction (visiting a crafted page) but no authentication, and no public exploit identified at time of analysis. A vendor patch is available through the Chrome stable channel update.
Remote code execution in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker to execute arbitrary code via a crafted HTML page exploiting a use-after-free flaw in the Base component. Chromium classifies the severity as Critical, and Google has shipped a stable channel update; no public exploit has been identified at time of analysis. Exploitation requires user interaction (visiting a malicious page), which is the typical drive-by browser attack model.
Sandbox escape in Google Chrome on macOS versions prior to 148.0.7778.216 allows attackers to break out of the browser's renderer sandbox via a use-after-free flaw in the Bluetooth component. Exploitation requires convincing a user to install a malicious Chrome Extension, which then triggers the bug through crafted extension interactions. Chromium rates this Critical severity; no public exploit identified at time of analysis and EPSS remains low (0.01%) despite the high CVSS of 9.0.
Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from an out-of-bounds write in the ANGLE graphics translation layer, allowing a remote attacker to execute arbitrary code in the browser's renderer context after a victim visits a crafted HTML page. Chromium rates this severity Critical and CVSS scores it 8.8, with vendor patches released via the Stable channel update; no public exploit identified at time of analysis.
Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in ANGLE, the graphics abstraction layer that translates OpenGL ES calls to native GPU APIs. A remote attacker who lures a user into visiting a crafted HTML page can execute arbitrary code within the renderer sandbox, with Chromium rating the severity as Critical. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 enables a remote attacker who has already compromised the renderer process to break out of Chrome's sandbox via a use-after-free flaw in the ANGLE graphics translation layer. Exploitation requires user interaction with a crafted HTML page and is typically chained with a separate renderer-compromise bug. No public exploit identified at time of analysis, and EPSS is very low (0.03%), though Google rated the underlying issue Critical severity.
Sandbox escape in Google Chrome for Android prior to 148.0.7778.216 allows a remote attacker who lures a user to a crafted HTML page to break out of the renderer sandbox by exploiting a use-after-free condition in the WebGL component. Chromium rates the issue Critical and CVSS scores it 9.6 due to the scope change from compromised renderer to host, though EPSS is only 0.03% (10th percentile) and no public exploit identified at time of analysis.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker to exploit a use-after-free condition in the Dawn WebGPU implementation through a crafted HTML page, leading to potential escape from the browser's renderer sandbox. The flaw carries a CVSS 9.6 with scope change reflecting cross-boundary impact, and while no public exploit identified at time of analysis, Google's own classification of the underlying Chromium severity as Critical signals significant risk to end users. EPSS is currently low (0.03%, 11th percentile), suggesting no widespread exploitation has been observed yet despite the severity.
Remote code execution in Google Chrome desktop versions prior to 148.0.7778.216 allows a remote attacker to execute arbitrary code within the renderer sandbox by serving a crafted HTML page that triggers a use-after-free condition in the Network component. Google rates the underlying Chromium issue as Critical severity, and no public exploit identified at time of analysis, though the bug class and reachable attack surface make it a high-priority browser patch.
Sandbox escape in Google Chrome on Android prior to 148.0.7778.216 allows remote attackers to corrupt GPU process memory via a crafted HTML page, breaking out of the renderer sandbox boundary. Chromium rates this Critical severity with a CVSS of 9.6 due to scope change, though EPSS remains low at 0.03% and no public exploit identified at time of analysis.
Local privilege escalation in Ubuntu Linux 6.8 kernel stems from an AppArmor SAUCE patch that omits proper locking when modifying a linked list, enabling a race condition that can be exploited by an unprivileged local user. Successful exploitation leads to a use-after-free condition with theoretical arbitrary code execution in kernel context. No public exploit identified at time of analysis, and the issue is not present on the CISA KEV list.
Out-of-bounds write in bzip2's bzip2recover utility allows a local attacker to supply a specially crafted file that triggers an off-by-one error, corrupting a global buffer and crashing the process. Per the CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:N), the attack requires no privileges and no user interaction beyond the utility being invoked against a malicious file. Impact is strictly denial of service against the bzip2recover process - no confidentiality or integrity exposure - and the CVSS 4.0 score of 5.1 (Medium) reflects this constrained scope. No public exploit or active exploitation has been identified at time of analysis.
Use-after-free in the Linux kernel SPI controller driver for Freescale MPC52xx (spi-mpc52xx) occurs when controller registration fails and the previously requested interrupts are not properly disabled or released, leaving dangling interrupt handlers tied to freed memory. Local users with the ability to load or interact with this SPI driver on affected systems could potentially trigger memory corruption or information disclosure. EPSS is 0.02% and there is no public exploit identified at time of analysis, but the issue is rated CVSS 7.8 due to high impact on confidentiality, integrity, and availability.
Local privilege escalation potential via use-after-free in Linux Kernel iris media driver affects kernels 6.18.16-6.18.31, 6.19.6-6.19.x, and 7.0 series prior to the fix commits. The flaw resides in iris_release_internal_buffers(), where session_release_buf() may free a buffer that the caller subsequently dereferences, a regression introduced by commit 1dabf00ee206. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but local low-privileged attackers on systems with the Qualcomm iris video accelerator driver could potentially leverage the freed-memory access.
Local privilege escalation in the Linux kernel's vsock (virtio sockets) subsystem stems from inverted buffer-size clamping logic in vsock_update_buffer_size(), allowing a local user to grow vsk->buffer_size beyond the configured vsk->buffer_max_size and violate intended socket memory boundaries. Affected branches include stable trees prior to 6.6.140, 6.12.90, 6.18.32, 7.0.9, and 7.1-rc1; no public exploit identified at time of analysis and EPSS is 0.02% (5th percentile).
Local privilege escalation in the Linux kernel SCTP subsystem allows unprivileged users to trigger a use-after-free or type confusion in the SCTP_SENDALL code path. The flaw stems from a stale iterator cursor in sctp_sendmsg() that survives across a dropped socket lock, and the type-confusion variant yields a controlled indirect call via outqueue.sched->init_sid. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the vendor description explicitly notes both bugs are reachable from CapEff=0.
Use-after-free in the Linux kernel's MPC52xx SPI driver (spi-mpc52xx) can be triggered when the driver is unbound, because the interrupt-scheduled state machine work is not cancelled after interrupts are disabled. Local users with the ability to unbind the driver could potentially corrupt kernel memory, with confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Use-after-free in the Linux kernel's DRM (Direct Rendering Manager) GEM handle subsystem allows a local authenticated attacker to trigger memory corruption via a race condition in the change_handle ioctl. The flaw stems from a window where a single GEM object briefly held two IDR entries, letting a concurrent gem_close call dereference a dangling handle. No public exploit identified at time of analysis and EPSS exploitation probability is low (0.02%), but the CVSS 7.8 reflects full confidentiality, integrity, and availability impact on affected systems.
Use-after-free in the Linux kernel's appletb-kbd HID driver allows local low-privileged users on Apple Touch Bar-equipped MacBooks to potentially trigger memory corruption during driver tear-down. The flaw stems from incorrect ordering of timer cleanup and device reference release in the inactivity-timer cleanup path, leaving two race windows where a softirq can dereference freed backlight_device memory. EPSS is very low (0.02%) and no public exploit identified at time of analysis; impact is limited to systems running the appletb-kbd driver, primarily Apple MacBook Pro hardware with Touch Bars.
Use-after-free in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh networking module's bridge loop avoidance (BLA) subsystem allows adjacent attackers on the same Layer-2 segment to potentially trigger memory corruption when claim entries are deleted. The flaw, with a CVSS of 8.8 (AV:A/AC:L/PR:N/UI:N), exists in batadv_bla_del_backbone_claims() where a claim reference may be released before its final use, enabling exploitation by anyone able to inject mesh traffic. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but upstream fixes have been released across multiple stable kernel branches.
Local privilege escalation and memory corruption in the Linux kernel's iris media driver allows local users with low privileges to trigger a use-after-free condition via concurrent access during Macro Blocks Per Frame (MBPF) checks. The flaw affects Linux kernel 6.18 and stems from improper lock ordering where fmt_src and fmt_dst structures are freed under inst->lock while the instance remains in the core list traversed under core->lock. EPSS is very low at 0.02% (5th percentile) and no public exploit identified at time of analysis, but the high CVSS score reflects severe local impact.
Local privilege escalation potential exists in the Linux kernel's DRM/GEM framebuffer subsystem (drm_gem_fb_init_with_funcs) where inconsistent plane dimension calculations between integer division and DIV_ROUND_UP cause a size-check bypass. A local low-privileged user able to invoke the framebuffer ioctl with specific pixel formats (e.g., NV12) and crafted dimensions can trigger an out-of-bounds GPU memory access on the chroma plane, leading to memory corruption with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS is very low (0.02%), suggesting limited near-term exploitation risk despite the 7.8 CVSS.
Local privilege escalation via out-of-bounds buffer access in the Linux kernel's AMD KFD (Kernel Fusion Driver) SVM ioctl interface allows authenticated local users to corrupt kernel memory by supplying an attacker-controlled nattr attribute count that exceeds the buffer size. The flaw affects systems running AMD GPUs with the amdkfd driver and has been resolved upstream across multiple stable branches. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, but the high CIA impact warrants prompt patching on AMD GPU compute workstations and HPC nodes.
Local privilege escalation risk in the Linux kernel's brcmfmac Broadcom FullMAC Wi-Fi driver stems from a use-after-free in the watchdog kthread teardown path, where the watchdog task can exit between send_sig() and kthread_stop(), leaving stale memory accessible. Successful exploitation by a local low-privileged attacker who can trigger driver teardown could yield kernel memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis and EPSS is very low (0.02%), suggesting limited near-term exploitation interest.
Memory corruption in the Linux kernel scheduler exit path allows local low-privileged users to trigger use-after-free or double-free of task stacks when an exiting task oopses, per CVE-2026-46173. The flaw stems from make_task_dead() invoking do_task_dead() with preemption enabled, violating the scheduler's requirement that __schedule() run with preemption disabled, which can leave two tasks running on the same stack. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%.
Use-after-free in the Linux kernel mac80211 wireless subsystem allows attackers on the adjacent wireless network to corrupt kernel memory by triggering radar detection cancellation paths that free a channel context still being iterated. No public exploit identified at time of analysis, and EPSS exploitation probability is 0.02% (5th percentile), but the high CVSS reflects severe potential impact on confidentiality, integrity, and availability if exploited. A vendor-released patch is available in stable kernel updates including 6.12.88, 6.18.30, and 7.0.7.
Local privilege escalation potential exists in the Linux kernel's sched_ext (SCX) subsystem where a use-after-free condition in cgroup setter operations can be triggered when a BPF scheduler is swapped concurrently with cgroup weight, idle, or bandwidth updates. The flaw affects kernel 6.18 and related stable branches and stems from reading scx_root outside the scx_cgroup_ops_rwsem, allowing a stale pointer to be dereferenced after the previous scheduler is freed via RCU. EPSS is very low (0.02%) and no public exploit is identified at time of analysis.
Local privilege escalation in the Linux kernel's RDMA/mana driver allows an authenticated low-privileged user to corrupt kernel memory by supplying an oversized rx_hash_key_len via the uAPI structure, which is passed unchecked to memcpy. The flaw affects kernels using the Microsoft Azure Network Adapter (MANA) RDMA driver and can lead to heap/stack overflow within kernel space, enabling potential code execution or system compromise. No public exploit identified at time of analysis, and EPSS is very low at 0.02% (5th percentile), indicating limited exploitation interest so far.
Denial-of-service in the Linux kernel mt76/mt7921 MediaTek Wi-Fi driver lets a buffer-length (buf_len) underflow occur while iterating the CLC (country location configuration) power table, producing a near-infinite loop or an invalid power setting that crashes driver initialization. Systems running affected kernels with MediaTek MT7921 Wi-Fi hardware are impacted; classified CWE-787 (out-of-bounds write) with a vendor-assigned CVSS of 7.8 (local, AV:L). No public exploit identified at time of analysis and EPSS is very low (0.02%), consistent with a reliability/DoS defect rather than a readily weaponizable memory-corruption primitive.
Use-after-free/double-free in the Linux kernel's mac80211 wireless subsystem affects systems with Multi-Link Operation (MLO) Wi-Fi connections when debugfs is enabled. The flaw occurs when connection preparation fails for MLO connections and the interface is reset to non-MLD without removing the associated station, corrupting debugfs state. EPSS probability is 0.02% (5th percentile) and no public exploit identified at time of analysis, but the CVSS 8.8 score reflects high impact on adjacent-network reachable systems.
Out-of-bounds read and information disclosure in the Linux kernel's virtio_bt (virtio Bluetooth) driver allows a malicious or buggy virtio backend to leak uninitialized kernel heap memory into received Bluetooth skbs. The virtbt_rx_work() function trusted the device-reported length from virtqueue_get_buf() without clamping it to the 1000-byte buffer actually exposed via sg_init_one(), so a hostile backend can report lengths between 1001 and skb_tailroom() - or 0 - causing skb_put() to expose untouched heap bytes or virtbt_rx_handle() to read an uninitialized pkt_type. No public exploit identified at time of analysis and EPSS is 0.02% (5th percentile), but a vendor patch is available.
Use-after-free in the Linux kernel's DAMON sysfs interface (mm/damon/sysfs-schemes) lets a local actor with access to the 'memcg_path' file race a read against a concurrent write that frees the underlying buffer, accessing freed kernel memory. The flaw affects DAMON-enabled builds across the 6.6.96, 6.12.36, 6.15.5 and 6.16-rc lines, and is fixed by serializing both direct reads and writes under damon_sysfs_lock. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; it is not in CISA KEV.
Local privilege escalation and kernel memory corruption in the Linux kernel's IPv6 GRE (ip6_gre) subsystem stem from ip6erspan_changelink() using dev_net(dev) instead of the cached t->net after IFLA_NET_NS_FD migration, causing a tunnel to be re-inserted into the wrong per-netns hash. When the original network namespace is later destroyed, the stale entry triggers a slab-use-after-free (flagged by KASAN) and a kernel BUG at LIST_POISON1, reachable from an unprivileged user namespace. No public exploit identified at time of analysis, though the bug is trivially reachable via unshare and EPSS exploitation probability is low (0.02%).
Use-after-free in the Linux kernel's xfrm (IPsec) state management subsystem allows local attackers with low privileges to trigger memory corruption via concurrent xfrm_state lifecycle operations. The flaw resides in __xfrm_state_delete() where value-based predicates on x->km.seq and x->id.spi can race with xfrm_alloc_spi() outside of xfrm_state_lock, leading to slab-use-after-free writes through LIST_POISON pointers on the byseq/byspi/bydst/bysrc hash chains. No public exploit identified at time of analysis, and EPSS is very low at 0.02% (5th percentile), but a vendor patch is available.
Use-after-free in the Linux kernel's KVM x86 shadow MMU allows a malicious guest VM to corrupt host memory and potentially escalate privileges on the hypervisor. The flaw occurs when a guest modifies its page tables between VM entries, causing KVM to install rmap entries outside the expected GFN range of a direct-mapped shadow page; subsequent rmap walks (e.g., during dirty logging or MMU notifier invalidations from MADV_DONTNEED) then dereference a freed kvm_mmu_page. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug has existed since the earliest KVM versions and is now patched upstream.
Local privilege escalation potential in the Linux kernel Bluetooth subsystem (hci_conn) stems from a use-after-free in create_big_sync() when a Broadcast Isochronous Group (BIG) creation races against connection teardown. A local low-privileged attacker on a system with active Bluetooth LE Audio operations could trigger the freed hci_conn dereference through hci_connect_cfm()/hci_conn_del(), enabling memory corruption with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 5th percentile), reflecting limited weaponization despite the CVSS 7.8 rating.
Out-of-bounds write in Samsung's Escargot JavaScript engine allows attacker-supplied scripts to corrupt memory through the ArrayBuffer.prototype.transfer() built-in, with high confidentiality, integrity, and availability impact (CVSS 8.8). The flaw stems from a missing length-bounds check when transferring an ArrayBuffer to a new byte length, enabling writes past the allocated buffer that can lead to remote code execution if a victim runs the malicious script. No public exploit has been identified at time of analysis, and no EPSS or CISA KEV data was provided.
Out-of-bounds write in LibVNCClient (shipped in the LibVNCServer project, versions 0.9.15 and earlier) lets a malicious or compromised VNC server corrupt memory in any client that connects to it. The Tight encoding decoder's Gradient filter uses fixed 2048-pixel scratch buffers but never validates the server-supplied rectangle width, so a crafted FramebufferUpdate with a width above 2048 overruns those buffers, threatening confidentiality, integrity, and availability (CVSS 8.8). There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue is fixed by upstream commit 5b270544.
Use-after-free in the Linux kernel's edt-ft5x06 capacitive touchscreen driver (CWE-416) lets a local actor with access to the driver's per-client debugfs interface read or corrupt freed kernel memory during device teardown. The regression was introduced by commit 68743c500c6e, which removed manual debugfs cleanup and left a window where debugfs files referencing tsdata->raw_buffer remained accessible after the buffer was freed. No public exploit identified at time of analysis; EPSS is very low (0.02%, 4th percentile) and it is not in CISA KEV, but a vendor (stable-tree) patch is available.
Local privilege escalation potential via use-after-free in the Linux kernel's ALSA aloop (snd-aloop) driver allows authenticated local users to trigger memory corruption by racing PCM stream close against a peer format-change stop. The flaw stems from snd_pcm_stop() running after cable->lock is dropped, leaving a stale peer substream pointer that can be freed by a concurrent close. Upstream fixes are merged into stable trees (6.12.88, 6.18.27, 7.0.4, 7.1-rc2); no public exploit identified at time of analysis and EPSS is very low at 0.02%.
Use-after-free in the Linux kernel's RDMA mana_ib driver (Microsoft Azure Network Adapter) lets a local user trigger stale firmware RX steering after destroying an RSS QP, so incoming completions land on reused CQ IDs and corrupt kernel state. It affects Linux deployments on Azure VMs using MANA with RDMA/DPDK; an attacker who can create and destroy RSS QPs (e.g., via a DPDK application exit while a peer keeps transmitting) can drive completions onto TX CQs and crash or corrupt the driver. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%, 5th percentile), indicating low real-world exploitation likelihood.
Local privilege escalation via memory corruption in Linux Kernel crypto subsystem (acomp) affects systems using asynchronous hardware compression accelerators such as Intel QAT. The flaw stems from acomp_save_req() storing the wrong pointer (&req->chain instead of req itself) in req->base.data, causing the completion callback acomp_reqchain_done() to dereference fields at incorrect offsets. No public exploit identified at time of analysis, and EPSS is very low at 0.02%, but the high CVSS (7.8) reflects potential for memory corruption with high confidentiality, integrity, and availability impact.
Sandbox escape in Google Chrome's GPU process prior to version 148.0.7778.216 allows remote attackers who have already compromised the renderer process to break out of the Chromium sandbox via a crafted HTML page. The flaw is an out-of-bounds write (CWE-787) rated High by Chromium with CVSS 8.3, and while a vendor patch is available, no public exploit identified at time of analysis and EPSS is very low at 0.03%.
Remote code execution in Google Chrome's V8 JavaScript engine prior to 148.0.7778.216 allows attackers to execute arbitrary code inside the renderer sandbox when a victim visits a crafted HTML page. The flaw is an out-of-bounds write (CWE-787) rated High by Chromium and CVSS 8.8, requires user interaction to load attacker-controlled content, and no public exploit has been identified at time of analysis.
Sandbox escape in Google Chrome's WebGL component (versions prior to 148.0.7778.216) allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High severity by Chromium, requiring user interaction (visiting a page) and a prior renderer compromise, making it a second-stage exploit primitive. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.03%.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker to trigger an out-of-bounds write in the GPU process via a crafted HTML page, potentially breaking out of Chrome's renderer sandbox. The flaw carries a CVSS 9.6 due to scope change (S:C) and high impact across confidentiality, integrity, and availability, but requires user interaction (UI:R) such as visiting a malicious page. No public exploit identified at time of analysis, and EPSS is very low at 0.03% (11th percentile), suggesting limited near-term mass exploitation despite the severe potential impact.
Out-of-bounds write in the ANGLE graphics translation layer of Google Chrome before 148.0.7778.216 allows a remote attacker to trigger heap corruption by luring a user to a crafted HTML page, potentially leading to arbitrary code execution within the renderer process. Chromium rates the severity as High and CVSS scores it 8.8, but EPSS exploitation probability is currently very low (0.03%, 11th percentile) and no public exploit identified at time of analysis. The flaw was reported through Chrome's internal disclosure process and a fixed build is already available from the vendor.
Arbitrary code execution in Google Chrome on macOS prior to 148.0.7778.216 stems from a use-after-free condition in the Bluetooth component, exploitable through a malicious browser extension. Chromium rates the severity as High, and while CVSS scores it 8.1 with network attack vector, real-world exploitation requires the victim to install an attacker-controlled extension. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.01%.
Remote code execution in Google Chrome's WebRTC component (versions prior to 148.0.7778.216) allows a remote attacker to execute arbitrary code within the browser sandbox by enticing a victim to load a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High by Chromium's security team, and while no public exploit identified at time of analysis, the CVSS 8.8 score reflects the low-complexity network-based attack vector combined with the high impact across confidentiality, integrity, and availability. User interaction (visiting a malicious page) is required, but otherwise no authentication or privileges are needed.
Heap corruption in Google Chrome's SurfaceCapture component (versions prior to 148.0.7778.216) allows a remote attacker to potentially execute arbitrary code by luring a user to a crafted HTML page. The flaw is a use-after-free issue rated High severity by the Chromium project, with a CVSS score of 8.8 reflecting low complexity and no authentication, though user interaction is required. There is no public exploit identified at time of analysis and EPSS is very low (0.03%, 11th percentile), but the historical pattern of Chrome UAF bugs being weaponized makes patching urgent.
Heap corruption in Google Chrome's PDFium component before version 148.0.7778.216 lets a remote attacker trigger a use-after-free condition by serving a crafted PDF, opening the door to code execution within the renderer process. The flaw carries a CVSS 8.8 (High) rating and requires user interaction (UI:R) to open or render the malicious document. EPSS is currently very low (0.03%, 11th percentile) and no public exploit has been identified at time of analysis, though Chrome PDFium UAFs have a long history of weaponization in browser exploit chains.
Sandboxed arbitrary code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free condition in the PDF component that remote attackers can trigger by serving a crafted PDF file. The flaw carries a CVSS 8.8 rating reflecting network reach with required user interaction (opening or rendering a malicious PDF), and no public exploit identified at time of analysis though Google rates the underlying Chromium severity as High.
Remote code execution in Google Chrome on iOS prior to 148.0.7778.216 allows attackers to exploit a use-after-free memory corruption flaw when a victim is lured to a malicious HTML page and performs specific UI gestures. The issue carries a CVSS 7.5 (High) score with high attack complexity and required user interaction, and no public exploit has been identified at time of analysis.
Heap corruption in Google Chrome's TabStrip component before version 148.0.7778.216 allows remote attackers to potentially achieve code execution by serving a crafted HTML page and inducing the victim to perform specific UI gestures. Chromium rates the issue High severity, but EPSS places exploitation probability at just 0.03% (11th percentile) and no public exploit identified at time of analysis, reflecting the high attack complexity and required user interaction.
Remote code execution in Google Chrome's WebAudio component (versions prior to 148.0.7778.216) allows a remote attacker to execute arbitrary code inside the renderer sandbox via a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High severity by Chromium, with a CVSS score of 8.8 reflecting low attack complexity and no authentication required, though user interaction (visiting a page) is needed. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 enables remote attackers to break out of the renderer process sandbox by enticing a user to visit a crafted HTML page that triggers a use-after-free condition in the UI component. Chromium rates the severity as High, and a vendor patch is available; no public exploit identified at time of analysis and EPSS exploitation probability is currently very low (0.03%, 11th percentile).
Sandbox escape in Google Chrome on Windows before 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page leveraging a use-after-free in Core. The flaw is rated High by Chromium and carries CVSS 8.3, but EPSS is very low (0.03%) and no public exploit identified at time of analysis, so it is most relevant as the second stage of a multi-bug exploit chain rather than a standalone entry vector.
Sandbox escape in Google Chrome on macOS before 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page that triggers a use-after-free in the Views UI component. The flaw is rated High severity by Chromium and carries a CVSS 8.3 due to scope change, but EPSS is only 0.03% and there is no public exploit identified at time of analysis. Exploitation is realistic only as the second stage of a chained renderer compromise rather than a standalone drive-by attack.
Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in the browser's XML handling component, allowing a remote attacker to execute arbitrary code inside the renderer sandbox via a crafted HTML page. Chromium rates the severity as High with a CVSS 3.1 score of 8.8, and exploitation requires user interaction such as visiting a malicious site. No public exploit identified at time of analysis, but use-after-free flaws in Chrome's XML parsing have historically been chained with sandbox escapes for full system compromise.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free condition in the ANGLE graphics translation layer that lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. Google rates this High severity and a vendor patch is available, but EPSS scoring (0.03%, 11th percentile) is low and no public exploit identified at time of analysis, suggesting it has not yet been weaponized broadly.
Remote code execution in Google Chrome on Windows prior to version 148.0.7778.216 allows attackers to execute arbitrary code within the renderer sandbox by enticing a victim to visit a crafted HTML page that triggers a use-after-free condition in the Media component. Rated High severity by Chromium with a CVSS 8.8 score, the flaw requires user interaction (visiting a malicious page) but no authentication, and no public exploit identified at time of analysis.
Remote code execution in Google Chrome (ANGLE component) prior to version 148.0.7778.216 allows a remote attacker to execute arbitrary code inside the renderer sandbox via a crafted HTML page. The flaw is a use-after-free memory corruption issue (CWE-416) rated High severity by Chromium and CVSS 8.8, requiring only that a victim visit a malicious page. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Sandbox escape in Google Chrome on Windows versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a use-after-free flaw in the UI component, triggered by a crafted HTML page. Chromium rates this High severity and a vendor patch is available, though no public exploit has been identified at time of analysis and EPSS exploitation probability is very low (0.03%, 11th percentile).
Sandbox escape in Google Chrome on macOS prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the GPU/GFX sandbox via a crafted HTML page, leveraging a use-after-free condition. The flaw is rated High severity by Chromium (CVSS 8.3) and requires user interaction plus a chained renderer compromise; no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.03%).
Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in the Aura UI framework component. A remote attacker who lures a user to a malicious HTML page and convinces them to perform specific UI gestures can execute arbitrary code within the browser process. No public exploit identified at time of analysis, and the CVSS 7.5 score reflects high attack complexity combined with required user interaction.
Use-after-free in the Input component of Google Chrome prior to 148.0.7778.216 allows a remote attacker to trigger heap corruption when a victim is lured to a crafted HTML page and performs specific UI gestures. Chromium rates the severity High, and while no public exploit identified at time of analysis and EPSS is very low (0.03%, 11th percentile), the bug class historically yields renderer RCE when chained with a sandbox escape. A vendor patch is available in the stable channel update referenced by Google.
Sandbox escape in Google Chrome on Windows prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the renderer sandbox via a use-after-free in the ANGLE graphics layer. Exploitation requires user interaction (visiting a crafted HTML page) and a pre-existing renderer compromise, so it functions as the second stage of an exploit chain rather than a standalone RCE. No public exploit identified at time of analysis and EPSS is very low (0.03%), but Chrome rates the underlying flaw as High severity.
Sandbox escape in Google Chrome's GPU process prior to version 148.0.7778.216 lets a remote attacker who has already gained code execution inside the renderer process break out of Chrome's sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium and carries CVSS 8.3 (AV:N/AC:H/PR:N/UI:R/S:C). EPSS is very low (0.03%), and there is no public exploit identified at time of analysis, but the bug is part of a stable-channel security release shipped by Google.
Out-of-bounds memory write in Dawn, Chrome's WebGPU implementation, affects Google Chrome on macOS prior to version 148.0.7778.216. Remote unauthenticated attackers (per CVSS PR:N) can trigger the write via a crafted HTML page requiring only a single user interaction - visiting a malicious site. The CVSS-scored impact is constrained to low integrity (I:L), with no confidentiality or availability impact confirmed, suggesting the write primitive is limited or difficult to weaponize for full code execution without chaining additional exploits. No public exploit identified at time of analysis and EPSS at 0.03% (11th percentile) indicates very low exploitation probability.
Remote code execution in Google Chrome's ANGLE graphics layer prior to version 148.0.7778.216 allows attackers to run arbitrary code inside the browser sandbox when a victim visits a crafted HTML page. The flaw is a use-after-free memory corruption issue (CWE-416) reported internally by the Chrome team and rated High by Chromium; no public exploit identified at time of analysis, though Chrome UAF bugs in ANGLE are historically attractive targets and pair well with sandbox escapes.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 enables remote attackers, who have already compromised the renderer process, to break out of the browser sandbox via a use-after-free flaw in the ANGLE graphics translation layer. Exploitation requires user interaction (visiting a crafted HTML page) and a prior renderer compromise, making this a second-stage primitive in a chained attack. EPSS is low at 0.03% and there is no public exploit identified at time of analysis, though Google rates the underlying Chromium severity as High.
Heap corruption in Google Chrome's Skia graphics library affects all versions prior to 148.0.7778.216 and can be triggered by a remote attacker hosting a crafted HTML page. Successful exploitation requires user interaction (visiting the page) but yields high confidentiality, integrity, and availability impact within the renderer context. No public exploit is identified at time of analysis and EPSS is very low (0.03%), though Chromium rates the severity as High and a vendor patch is available.
Renderer-to-browser sandbox escape in Google Chrome on macOS prior to 148.0.7778.216 enables remote code execution via a use-after-free in the GPU process. An attacker who has already compromised the renderer can leverage a crafted HTML page to corrupt GPU process memory and execute arbitrary code outside the renderer sandbox. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but Chromium rates the underlying severity as High.
Out-of-bounds write in the ANGLE graphics translation layer in Google Chrome before 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to potentially escape the Chrome sandbox via a crafted HTML page. The flaw is rated High severity by Chromium and chained exploitation could lead to code execution outside the renderer sandbox, though no public exploit identified at time of analysis and EPSS estimates only a 0.03% near-term exploitation probability.
Sandbox escape in Google Chrome before 148.0.7778.216 enables a remote attacker who has already compromised the renderer process to break out of Chrome's sandbox through an out-of-bounds write in the GPU process triggered by a crafted HTML page. Google rates the Chromium security severity as High and a vendor patch is available, but no public exploit has been identified at time of analysis and EPSS exploitation probability is low at 0.03% (11th percentile).
Sandbox escape in Google Chrome on Windows prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page exploiting a use-after-free in the Accessibility component. Chromium rates the severity as High and a vendor patch is available, but no public exploit has been identified at time of analysis and EPSS exploitation probability remains very low at 0.03%.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free condition in the ANGLE graphics translation layer, triggered when a victim visits a crafted HTML page. Remote attackers can potentially break out of Chrome's renderer sandbox to gain broader access on the host system. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.03% (11th percentile), though the Chromium team rated severity as High.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page that triggers a use-after-free in the Accessibility component. Chromium rates the issue High severity and a vendor patch is available, though no public exploit identified at time of analysis and EPSS exploitation probability is currently low (0.03%, 11th percentile).
Sandbox escape and arbitrary code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in the ANGLE graphics translation layer. An attacker who has already compromised the renderer process can leverage a crafted HTML page to break memory safety and execute code in a higher-privileged context. No public exploit identified at time of analysis, though Chromium rates the underlying severity as High.
Sandbox escape in Google Chrome's ANGLE graphics layer prior to version 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of Chrome's sandbox via a crafted HTML page. Rated High severity by Chromium with a CVSS of 8.3, the issue is patched but no public exploit has been identified at time of analysis, and EPSS exploitation probability is low (0.03%, 11th percentile).
Sandbox escape in Google Chrome's ANGLE graphics layer prior to version 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High severity by Chromium with a CVSS score of 8.3, but EPSS exploitation probability is currently very low at 0.03% and no public exploit has been identified at time of analysis.
Remote code execution in Google Chrome prior to 148.0.7778.216 enables a remote attacker to execute arbitrary code within the renderer sandbox by luring a user to a crafted HTML page that triggers a use-after-free in the DOM implementation. The flaw carries a CVSS 8.8 (High) rating reflecting network reach with required user interaction, and Google has rated the Chromium severity as High; no public exploit is identified at the time of analysis and the issue is not listed in CISA KEV.
Remote code execution in Google Chrome's V8 JavaScript engine prior to version 148.0.7778.216 allows remote attackers to execute arbitrary code inside the renderer sandbox by luring a user to a crafted HTML page. The flaw is a CWE-787 out-of-bounds write in V8 carrying a CVSS 8.8 (High) with Chromium severity rated High; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of Chrome's sandbox via a use-after-free in the GPU process. Chrome rates the underlying memory corruption as High severity, and while no public exploit identified at time of analysis, the bug is part of a chained-exploit class historically weaponized against browsers. EPSS is very low (0.03%) reflecting the prerequisite of an already-compromised renderer rather than a direct one-shot RCE.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the Chromium sandbox via a crafted HTML page that triggers a use-after-free in the Skia graphics library. Google rated this Critical internally, though no public exploit identified at time of analysis and EPSS scores exploitation probability at just 0.03% (11th percentile). The flaw requires chaining with a separate renderer compromise, so it is a second-stage primitive rather than a single-shot RCE.
Sandbox escape in Google Chrome before 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted Chrome Extension exploiting a use-after-free in the Extensions component. Chromium rates the underlying flaw as Critical severity, though no public exploit has been identified at time of analysis and EPSS exploitation probability sits at 0.03% (11th percentile).
Sandbox escape in Google Chrome on Windows prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page targeting the XR (WebXR) component. The flaw is a use-after-free rated Critical by Chromium and CVSS 8.3 (AV:N/AC:H/PR:N/UI:R/S:C); no public exploit identified at time of analysis and EPSS is low at 0.03%, but the bug forms a key link in a multi-stage browser exploit chain.
Sandbox escape in Google Chrome for Android versions prior to 148.0.7778.216 enables a remote attacker who has already compromised the renderer process to break out of the sandbox via a use-after-free flaw in the WebView component. Chromium rates the severity as Critical, and a vendor patch is available; no public exploit identified at time of analysis and EPSS is very low (0.03%, 10th percentile), but the chained-exploit potential against mobile users makes prompt patching important.
Remote code execution in Google Chrome prior to 148.0.7778.216 allows attackers to exploit a use-after-free condition in the Proxy component via a malicious PAC (Proxy Auto-Config) script delivered through a crafted web page. Chromium rates this as Critical severity, and while no public exploit identified at time of analysis, the EPSS score of 0.04% reflects low predicted exploitation activity despite the high CVSS 8.8 rating. Successful exploitation requires user interaction (UI:R) such as visiting an attacker-controlled page that triggers the vulnerable PAC processing path.
Sandbox escape in Google Chrome on macOS prior to 148.0.7778.216 allows a remote attacker to break out of the renderer sandbox by enticing a user to visit a crafted HTML page that triggers a use-after-free in the Base component. Chromium rates the severity Critical and CVSS scores it 9.6, though no public exploit is identified at time of analysis and EPSS exploitation probability is currently very low (0.03%).
Remote code execution in Google Chrome on macOS prior to version 148.0.7778.216 allows attackers to exploit a use-after-free flaw in the Browser component via a malicious HTML page. Rated Critical by Chromium's security team with a CVSS of 8.8, exploitation requires user interaction (visiting a crafted page) but no authentication, and no public exploit identified at time of analysis. A vendor patch is available through the Chrome stable channel update.
Remote code execution in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker to execute arbitrary code via a crafted HTML page exploiting a use-after-free flaw in the Base component. Chromium classifies the severity as Critical, and Google has shipped a stable channel update; no public exploit has been identified at time of analysis. Exploitation requires user interaction (visiting a malicious page), which is the typical drive-by browser attack model.
Sandbox escape in Google Chrome on macOS versions prior to 148.0.7778.216 allows attackers to break out of the browser's renderer sandbox via a use-after-free flaw in the Bluetooth component. Exploitation requires convincing a user to install a malicious Chrome Extension, which then triggers the bug through crafted extension interactions. Chromium rates this Critical severity; no public exploit identified at time of analysis and EPSS remains low (0.01%) despite the high CVSS of 9.0.
Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from an out-of-bounds write in the ANGLE graphics translation layer, allowing a remote attacker to execute arbitrary code in the browser's renderer context after a victim visits a crafted HTML page. Chromium rates this severity Critical and CVSS scores it 8.8, with vendor patches released via the Stable channel update; no public exploit identified at time of analysis.
Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in ANGLE, the graphics abstraction layer that translates OpenGL ES calls to native GPU APIs. A remote attacker who lures a user into visiting a crafted HTML page can execute arbitrary code within the renderer sandbox, with Chromium rating the severity as Critical. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 enables a remote attacker who has already compromised the renderer process to break out of Chrome's sandbox via a use-after-free flaw in the ANGLE graphics translation layer. Exploitation requires user interaction with a crafted HTML page and is typically chained with a separate renderer-compromise bug. No public exploit identified at time of analysis, and EPSS is very low (0.03%), though Google rated the underlying issue Critical severity.
Sandbox escape in Google Chrome for Android prior to 148.0.7778.216 allows a remote attacker who lures a user to a crafted HTML page to break out of the renderer sandbox by exploiting a use-after-free condition in the WebGL component. Chromium rates the issue Critical and CVSS scores it 9.6 due to the scope change from compromised renderer to host, though EPSS is only 0.03% (10th percentile) and no public exploit identified at time of analysis.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker to exploit a use-after-free condition in the Dawn WebGPU implementation through a crafted HTML page, leading to potential escape from the browser's renderer sandbox. The flaw carries a CVSS 9.6 with scope change reflecting cross-boundary impact, and while no public exploit identified at time of analysis, Google's own classification of the underlying Chromium severity as Critical signals significant risk to end users. EPSS is currently low (0.03%, 11th percentile), suggesting no widespread exploitation has been observed yet despite the severity.
Remote code execution in Google Chrome desktop versions prior to 148.0.7778.216 allows a remote attacker to execute arbitrary code within the renderer sandbox by serving a crafted HTML page that triggers a use-after-free condition in the Network component. Google rates the underlying Chromium issue as Critical severity, and no public exploit identified at time of analysis, though the bug class and reachable attack surface make it a high-priority browser patch.
Sandbox escape in Google Chrome on Android prior to 148.0.7778.216 allows remote attackers to corrupt GPU process memory via a crafted HTML page, breaking out of the renderer sandbox boundary. Chromium rates this Critical severity with a CVSS of 9.6 due to scope change, though EPSS remains low at 0.03% and no public exploit identified at time of analysis.
Local privilege escalation in Ubuntu Linux 6.8 kernel stems from an AppArmor SAUCE patch that omits proper locking when modifying a linked list, enabling a race condition that can be exploited by an unprivileged local user. Successful exploitation leads to a use-after-free condition with theoretical arbitrary code execution in kernel context. No public exploit identified at time of analysis, and the issue is not present on the CISA KEV list.
Out-of-bounds write in bzip2's bzip2recover utility allows a local attacker to supply a specially crafted file that triggers an off-by-one error, corrupting a global buffer and crashing the process. Per the CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:N), the attack requires no privileges and no user interaction beyond the utility being invoked against a malicious file. Impact is strictly denial of service against the bzip2recover process - no confidentiality or integrity exposure - and the CVSS 4.0 score of 5.1 (Medium) reflects this constrained scope. No public exploit or active exploitation has been identified at time of analysis.
Use-after-free in the Linux kernel SPI controller driver for Freescale MPC52xx (spi-mpc52xx) occurs when controller registration fails and the previously requested interrupts are not properly disabled or released, leaving dangling interrupt handlers tied to freed memory. Local users with the ability to load or interact with this SPI driver on affected systems could potentially trigger memory corruption or information disclosure. EPSS is 0.02% and there is no public exploit identified at time of analysis, but the issue is rated CVSS 7.8 due to high impact on confidentiality, integrity, and availability.
Local privilege escalation potential via use-after-free in Linux Kernel iris media driver affects kernels 6.18.16-6.18.31, 6.19.6-6.19.x, and 7.0 series prior to the fix commits. The flaw resides in iris_release_internal_buffers(), where session_release_buf() may free a buffer that the caller subsequently dereferences, a regression introduced by commit 1dabf00ee206. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but local low-privileged attackers on systems with the Qualcomm iris video accelerator driver could potentially leverage the freed-memory access.
Local privilege escalation in the Linux kernel's vsock (virtio sockets) subsystem stems from inverted buffer-size clamping logic in vsock_update_buffer_size(), allowing a local user to grow vsk->buffer_size beyond the configured vsk->buffer_max_size and violate intended socket memory boundaries. Affected branches include stable trees prior to 6.6.140, 6.12.90, 6.18.32, 7.0.9, and 7.1-rc1; no public exploit identified at time of analysis and EPSS is 0.02% (5th percentile).
Local privilege escalation in the Linux kernel SCTP subsystem allows unprivileged users to trigger a use-after-free or type confusion in the SCTP_SENDALL code path. The flaw stems from a stale iterator cursor in sctp_sendmsg() that survives across a dropped socket lock, and the type-confusion variant yields a controlled indirect call via outqueue.sched->init_sid. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the vendor description explicitly notes both bugs are reachable from CapEff=0.
Use-after-free in the Linux kernel's MPC52xx SPI driver (spi-mpc52xx) can be triggered when the driver is unbound, because the interrupt-scheduled state machine work is not cancelled after interrupts are disabled. Local users with the ability to unbind the driver could potentially corrupt kernel memory, with confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Use-after-free in the Linux kernel's DRM (Direct Rendering Manager) GEM handle subsystem allows a local authenticated attacker to trigger memory corruption via a race condition in the change_handle ioctl. The flaw stems from a window where a single GEM object briefly held two IDR entries, letting a concurrent gem_close call dereference a dangling handle. No public exploit identified at time of analysis and EPSS exploitation probability is low (0.02%), but the CVSS 7.8 reflects full confidentiality, integrity, and availability impact on affected systems.
Use-after-free in the Linux kernel's appletb-kbd HID driver allows local low-privileged users on Apple Touch Bar-equipped MacBooks to potentially trigger memory corruption during driver tear-down. The flaw stems from incorrect ordering of timer cleanup and device reference release in the inactivity-timer cleanup path, leaving two race windows where a softirq can dereference freed backlight_device memory. EPSS is very low (0.02%) and no public exploit identified at time of analysis; impact is limited to systems running the appletb-kbd driver, primarily Apple MacBook Pro hardware with Touch Bars.
Use-after-free in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh networking module's bridge loop avoidance (BLA) subsystem allows adjacent attackers on the same Layer-2 segment to potentially trigger memory corruption when claim entries are deleted. The flaw, with a CVSS of 8.8 (AV:A/AC:L/PR:N/UI:N), exists in batadv_bla_del_backbone_claims() where a claim reference may be released before its final use, enabling exploitation by anyone able to inject mesh traffic. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but upstream fixes have been released across multiple stable kernel branches.
Local privilege escalation and memory corruption in the Linux kernel's iris media driver allows local users with low privileges to trigger a use-after-free condition via concurrent access during Macro Blocks Per Frame (MBPF) checks. The flaw affects Linux kernel 6.18 and stems from improper lock ordering where fmt_src and fmt_dst structures are freed under inst->lock while the instance remains in the core list traversed under core->lock. EPSS is very low at 0.02% (5th percentile) and no public exploit identified at time of analysis, but the high CVSS score reflects severe local impact.
Local privilege escalation potential exists in the Linux kernel's DRM/GEM framebuffer subsystem (drm_gem_fb_init_with_funcs) where inconsistent plane dimension calculations between integer division and DIV_ROUND_UP cause a size-check bypass. A local low-privileged user able to invoke the framebuffer ioctl with specific pixel formats (e.g., NV12) and crafted dimensions can trigger an out-of-bounds GPU memory access on the chroma plane, leading to memory corruption with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS is very low (0.02%), suggesting limited near-term exploitation risk despite the 7.8 CVSS.
Local privilege escalation via out-of-bounds buffer access in the Linux kernel's AMD KFD (Kernel Fusion Driver) SVM ioctl interface allows authenticated local users to corrupt kernel memory by supplying an attacker-controlled nattr attribute count that exceeds the buffer size. The flaw affects systems running AMD GPUs with the amdkfd driver and has been resolved upstream across multiple stable branches. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, but the high CIA impact warrants prompt patching on AMD GPU compute workstations and HPC nodes.
Local privilege escalation risk in the Linux kernel's brcmfmac Broadcom FullMAC Wi-Fi driver stems from a use-after-free in the watchdog kthread teardown path, where the watchdog task can exit between send_sig() and kthread_stop(), leaving stale memory accessible. Successful exploitation by a local low-privileged attacker who can trigger driver teardown could yield kernel memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis and EPSS is very low (0.02%), suggesting limited near-term exploitation interest.
Memory corruption in the Linux kernel scheduler exit path allows local low-privileged users to trigger use-after-free or double-free of task stacks when an exiting task oopses, per CVE-2026-46173. The flaw stems from make_task_dead() invoking do_task_dead() with preemption enabled, violating the scheduler's requirement that __schedule() run with preemption disabled, which can leave two tasks running on the same stack. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%.
Use-after-free in the Linux kernel mac80211 wireless subsystem allows attackers on the adjacent wireless network to corrupt kernel memory by triggering radar detection cancellation paths that free a channel context still being iterated. No public exploit identified at time of analysis, and EPSS exploitation probability is 0.02% (5th percentile), but the high CVSS reflects severe potential impact on confidentiality, integrity, and availability if exploited. A vendor-released patch is available in stable kernel updates including 6.12.88, 6.18.30, and 7.0.7.
Local privilege escalation potential exists in the Linux kernel's sched_ext (SCX) subsystem where a use-after-free condition in cgroup setter operations can be triggered when a BPF scheduler is swapped concurrently with cgroup weight, idle, or bandwidth updates. The flaw affects kernel 6.18 and related stable branches and stems from reading scx_root outside the scx_cgroup_ops_rwsem, allowing a stale pointer to be dereferenced after the previous scheduler is freed via RCU. EPSS is very low (0.02%) and no public exploit is identified at time of analysis.
Local privilege escalation in the Linux kernel's RDMA/mana driver allows an authenticated low-privileged user to corrupt kernel memory by supplying an oversized rx_hash_key_len via the uAPI structure, which is passed unchecked to memcpy. The flaw affects kernels using the Microsoft Azure Network Adapter (MANA) RDMA driver and can lead to heap/stack overflow within kernel space, enabling potential code execution or system compromise. No public exploit identified at time of analysis, and EPSS is very low at 0.02% (5th percentile), indicating limited exploitation interest so far.
Denial-of-service in the Linux kernel mt76/mt7921 MediaTek Wi-Fi driver lets a buffer-length (buf_len) underflow occur while iterating the CLC (country location configuration) power table, producing a near-infinite loop or an invalid power setting that crashes driver initialization. Systems running affected kernels with MediaTek MT7921 Wi-Fi hardware are impacted; classified CWE-787 (out-of-bounds write) with a vendor-assigned CVSS of 7.8 (local, AV:L). No public exploit identified at time of analysis and EPSS is very low (0.02%), consistent with a reliability/DoS defect rather than a readily weaponizable memory-corruption primitive.
Use-after-free/double-free in the Linux kernel's mac80211 wireless subsystem affects systems with Multi-Link Operation (MLO) Wi-Fi connections when debugfs is enabled. The flaw occurs when connection preparation fails for MLO connections and the interface is reset to non-MLD without removing the associated station, corrupting debugfs state. EPSS probability is 0.02% (5th percentile) and no public exploit identified at time of analysis, but the CVSS 8.8 score reflects high impact on adjacent-network reachable systems.
Out-of-bounds read and information disclosure in the Linux kernel's virtio_bt (virtio Bluetooth) driver allows a malicious or buggy virtio backend to leak uninitialized kernel heap memory into received Bluetooth skbs. The virtbt_rx_work() function trusted the device-reported length from virtqueue_get_buf() without clamping it to the 1000-byte buffer actually exposed via sg_init_one(), so a hostile backend can report lengths between 1001 and skb_tailroom() - or 0 - causing skb_put() to expose untouched heap bytes or virtbt_rx_handle() to read an uninitialized pkt_type. No public exploit identified at time of analysis and EPSS is 0.02% (5th percentile), but a vendor patch is available.
Use-after-free in the Linux kernel's DAMON sysfs interface (mm/damon/sysfs-schemes) lets a local actor with access to the 'memcg_path' file race a read against a concurrent write that frees the underlying buffer, accessing freed kernel memory. The flaw affects DAMON-enabled builds across the 6.6.96, 6.12.36, 6.15.5 and 6.16-rc lines, and is fixed by serializing both direct reads and writes under damon_sysfs_lock. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; it is not in CISA KEV.
Local privilege escalation and kernel memory corruption in the Linux kernel's IPv6 GRE (ip6_gre) subsystem stem from ip6erspan_changelink() using dev_net(dev) instead of the cached t->net after IFLA_NET_NS_FD migration, causing a tunnel to be re-inserted into the wrong per-netns hash. When the original network namespace is later destroyed, the stale entry triggers a slab-use-after-free (flagged by KASAN) and a kernel BUG at LIST_POISON1, reachable from an unprivileged user namespace. No public exploit identified at time of analysis, though the bug is trivially reachable via unshare and EPSS exploitation probability is low (0.02%).
Use-after-free in the Linux kernel's xfrm (IPsec) state management subsystem allows local attackers with low privileges to trigger memory corruption via concurrent xfrm_state lifecycle operations. The flaw resides in __xfrm_state_delete() where value-based predicates on x->km.seq and x->id.spi can race with xfrm_alloc_spi() outside of xfrm_state_lock, leading to slab-use-after-free writes through LIST_POISON pointers on the byseq/byspi/bydst/bysrc hash chains. No public exploit identified at time of analysis, and EPSS is very low at 0.02% (5th percentile), but a vendor patch is available.
Use-after-free in the Linux kernel's KVM x86 shadow MMU allows a malicious guest VM to corrupt host memory and potentially escalate privileges on the hypervisor. The flaw occurs when a guest modifies its page tables between VM entries, causing KVM to install rmap entries outside the expected GFN range of a direct-mapped shadow page; subsequent rmap walks (e.g., during dirty logging or MMU notifier invalidations from MADV_DONTNEED) then dereference a freed kvm_mmu_page. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug has existed since the earliest KVM versions and is now patched upstream.
Local privilege escalation potential in the Linux kernel Bluetooth subsystem (hci_conn) stems from a use-after-free in create_big_sync() when a Broadcast Isochronous Group (BIG) creation races against connection teardown. A local low-privileged attacker on a system with active Bluetooth LE Audio operations could trigger the freed hci_conn dereference through hci_connect_cfm()/hci_conn_del(), enabling memory corruption with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 5th percentile), reflecting limited weaponization despite the CVSS 7.8 rating.
Out-of-bounds write in Samsung's Escargot JavaScript engine allows attacker-supplied scripts to corrupt memory through the ArrayBuffer.prototype.transfer() built-in, with high confidentiality, integrity, and availability impact (CVSS 8.8). The flaw stems from a missing length-bounds check when transferring an ArrayBuffer to a new byte length, enabling writes past the allocated buffer that can lead to remote code execution if a victim runs the malicious script. No public exploit has been identified at time of analysis, and no EPSS or CISA KEV data was provided.
Out-of-bounds write in LibVNCClient (shipped in the LibVNCServer project, versions 0.9.15 and earlier) lets a malicious or compromised VNC server corrupt memory in any client that connects to it. The Tight encoding decoder's Gradient filter uses fixed 2048-pixel scratch buffers but never validates the server-supplied rectangle width, so a crafted FramebufferUpdate with a width above 2048 overruns those buffers, threatening confidentiality, integrity, and availability (CVSS 8.8). There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue is fixed by upstream commit 5b270544.
Use-after-free in the Linux kernel's edt-ft5x06 capacitive touchscreen driver (CWE-416) lets a local actor with access to the driver's per-client debugfs interface read or corrupt freed kernel memory during device teardown. The regression was introduced by commit 68743c500c6e, which removed manual debugfs cleanup and left a window where debugfs files referencing tsdata->raw_buffer remained accessible after the buffer was freed. No public exploit identified at time of analysis; EPSS is very low (0.02%, 4th percentile) and it is not in CISA KEV, but a vendor (stable-tree) patch is available.
Local privilege escalation potential via use-after-free in the Linux kernel's ALSA aloop (snd-aloop) driver allows authenticated local users to trigger memory corruption by racing PCM stream close against a peer format-change stop. The flaw stems from snd_pcm_stop() running after cable->lock is dropped, leaving a stale peer substream pointer that can be freed by a concurrent close. Upstream fixes are merged into stable trees (6.12.88, 6.18.27, 7.0.4, 7.1-rc2); no public exploit identified at time of analysis and EPSS is very low at 0.02%.
Use-after-free in the Linux kernel's RDMA mana_ib driver (Microsoft Azure Network Adapter) lets a local user trigger stale firmware RX steering after destroying an RSS QP, so incoming completions land on reused CQ IDs and corrupt kernel state. It affects Linux deployments on Azure VMs using MANA with RDMA/DPDK; an attacker who can create and destroy RSS QPs (e.g., via a DPDK application exit while a peer keeps transmitting) can drive completions onto TX CQs and crash or corrupt the driver. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%, 5th percentile), indicating low real-world exploitation likelihood.
Local privilege escalation via memory corruption in Linux Kernel crypto subsystem (acomp) affects systems using asynchronous hardware compression accelerators such as Intel QAT. The flaw stems from acomp_save_req() storing the wrong pointer (&req->chain instead of req itself) in req->base.data, causing the completion callback acomp_reqchain_done() to dereference fields at incorrect offsets. No public exploit identified at time of analysis, and EPSS is very low at 0.02%, but the high CVSS (7.8) reflects potential for memory corruption with high confidentiality, integrity, and availability impact.