Memory Corruption
Monthly
Parse Server versions prior to 8.6.70 and 9.7.0-alpha.18 allow authenticated users with find class-level permissions to bypass protectedFields restrictions on LiveQuery subscriptions by submitting array-like objects with numeric keys instead of proper arrays in $or, $and, or $nor operators. This enables information disclosure through a binary oracle attack that reveals whether protected fields match attacker-supplied values. The vulnerability requires prior authentication and find-level access but no user interaction, affecting all deployments of vulnerable Parse Server versions.
DNSdist instances using custom Lua code can be crashed via denial of service when the DNSQuestion:getEDNSOptions method accesses a modified DNS packet, triggering a use-after-free condition. This affects DNSdist across all versions and requires network access to send crafted DNS queries, but the attack demands specific Lua code patterns and high attack complexity; no public exploit or active exploitation has been confirmed, and the real-world impact is limited to environments where custom Lua DNS query handlers reference EDNS options.
DNSdist fails to validate packet size bounds when rewriting DNS questions or responses via Lua methods (DNSQuestion:changeName, DNSResponse:changeName), allowing unauthenticated remote attackers to craft DNS responses that trigger out-of-bounds writes and exceed the 65535-byte DNS packet size limit, resulting in denial of service via crash. CVSS 5.9 (high availability impact); no public exploit code identified at time of analysis.
Memory leak in Linux kernel nf_tables nft_dynset module allows local denial of service through failed stateful expression cloning during dynamic set operations. When the second stateful expression clone fails under GFP_ATOMIC memory allocation, the first expression is not properly released, accumulating percpu memory allocations that exhaust kernel memory. This affects all Linux kernel versions until patched, with exploitation requiring local system access to trigger the nf_tables dynamic set evaluation code path.
Arbitrary code execution in Adobe Substance3D Stager 3.1.7 and earlier allows local attackers to execute malicious code with user privileges through specially crafted files. Exploitation requires social engineering to trick users into opening weaponized Stager project files. No public exploit identified at time of analysis, though the use-after-free vulnerability class is well-understood and exploitable. CVSS 7.8 (High) reflects significant impact if exploited, though local attack vector and user interaction requirement reduce immediate risk compared to remotely exploitable flaws.
Grafana's OpenFeature feature toggle evaluation endpoint can be forced into an out-of-memory condition by submitting unbounded values, enabling remote denial-of-service attacks against the monitoring platform. The vulnerability is network-accessible, requires no authentication (CVSS AV:N/AC:L/PR:N), and has been assigned a CVSS score of 7.5 with high availability impact. No public exploit identified at time of analysis.
Use-after-free vulnerability in the Softing smartLink HW-DP or smartLink HW-PN webserver allows HTTP DoS. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable with no authentication required and low attack complexity. No vendor patch available.
MapServer versions 4.2 through 8.6.0 are vulnerable to a heap buffer overflow in the SLD (Styled Layer Descriptor) parser that allows remote, unauthenticated attackers to crash the MapServer process by sending a crafted SLD document containing more than 100 Threshold elements within a ColorMap/Categorize structure. The vulnerability is reachable via WMS GetMap requests using the SLD_BODY parameter, requiring no authentication or user interaction. Vendor-released patch: version 8.6.1 eliminates the issue; no public exploit code or active exploitation has been identified at time of analysis.
p11-kit remote token handling fails to validate NULL derive mechanism parameters in C_DeriveKey operations, allowing unauthenticated remote attackers to trigger NULL pointer dereferences and undefined memory access in the RPC client layer. This denial-of-service vulnerability affects Red Hat Enterprise Linux versions 6 through 10 and OpenShift Container Platform 4, with a CVSS score of 5.3 reflecting moderate availability impact. No public exploit identified at time of analysis.
X11 display interaction path contains an out-of-bounds write vulnerability that allows local attackers to crash affected applications through a single zero byte write. The medium-severity flaw (CVSS 4.0) requires no privileges or user interaction to trigger a denial of service condition. No patch is currently available for this vulnerability.
A security vulnerability exists in versions 1.2.1 (CVSS 7.5). This high-severity vulnerability requires prompt remediation.
EVerest charging software stack versions prior to 2026.02.0 contain a use-after-free vulnerability in the ISO15118_chargerImpl::handle_session_setup function that crashes the EVSE process when session setup commands are issued after ISO15118 initialization failure. Remote attackers with MQTT access can trigger this denial of service condition by sending a crafted session_setup command, causing the process to reference freed memory (v2g_ctx). A vendor-released patch is available in version 2026.02.0.
EVerest-Core prior to version 2026.02.0 contains an out-of-bounds write vulnerability in the ISO15118_chargerImpl::handle_update_energy_transfer_modes function, where variable-length MQTT command payloads are copied into a fixed-size 6-element array without bounds checking. When schema validation is disabled (the default), oversized payloads trigger memory corruption that can crash the EV charging service or corrupt adjacent EVSE (Electric Vehicle Supply Equipment) state, affecting the integrity and availability of EV charging infrastructure. No public exploit code has been identified at the time of analysis, but the vulnerability is patched in version 2026.02.0.
Out-of-bounds memory writes in EVerest charging software stack versions prior to 2026.02.0 allow local attackers to corrupt EVSE state or crash the charging process by sending oversized MQTT command payloads, which are not rejected when schema validation is disabled. The ISO15118_chargerImpl::handle_session_setup function copies variable-length payment_options lists into a fixed 2-element array without bounds checking, exposing a CWE-787 buffer overflow vulnerability with availability and integrity impact. No public exploit code has been identified at time of analysis.
EVerest charging software stack versions prior to 2026.02.0 contain a data race condition leading to use-after-free memory corruption, triggered by EV plug-in/unplug events and authorization flows (RFID, RemoteStart, OCPP). Unauthenticated physical attackers with high complexity can exploit this to leak sensitive information or cause denial of service on affected charging infrastructure. No public exploit identified at time of analysis.
Out-of-bounds write vulnerabilities in Siemens CPCI85 Central Processing/Communication and SICORE Base system (versions below V26.10) allow unauthenticated remote attackers to crash critical industrial control system services through maliciously crafted XML requests, resulting in denial-of-service conditions. CISA's SSVC framework marks this as automatable with partial technical impact, though no public exploit has been identified at time of analysis. The CVSS 4.0 score of 8.7 reflects high availability impact (VA:H) with network accessibility requiring no authentication (PR:N).
Squid versions prior to 7.5 contain a heap use-after-free vulnerability (CWE-416) in ICP (Internet Cache Protocol) traffic handling that enables remote attackers to reliably trigger denial of service against affected proxy services. The vulnerability affects any Squid deployment with ICP support explicitly enabled via non-zero icp_port configuration, and cannot be mitigated through access control rules alone. A patch is available in version 7.5, and the vulnerability has been confirmed across multiple Debian releases and SUSE distributions.
cryptodev-linux 1.14 and earlier suffer from a use-after-free vulnerability in the /dev/crypto device driver that enables local privilege escalation through reference count manipulation. Attackers with local access can exploit this memory corruption flaw to gain elevated privileges on affected systems. Public exploit code exists for this vulnerability.
A memory leak vulnerability exists in the Linux kernel's ice driver in the ice_set_ringparam() function, where dynamically allocated tx_rings and xdp_rings are not properly freed when subsequent rx_rings allocation or setup fails. This affects all Linux kernel versions with the vulnerable ice driver code path, and while memory leaks typically enable denial of service through resource exhaustion rather than direct code execution, the impact depends on exploitation frequency and system memory constraints. No active exploitation or proof-of-concept has been publicly disclosed; the vulnerability was discovered through static analysis and code review rather than in-the-wild detection.
A vulnerability in the Linux kernel's Transparent Huge Pages (THP) subsystem incorrectly enables THP for files on anonymous inodes (such as guest_memfd and secretmem), which were not designed to support large folios. This can trigger kernel crashes via memory copy operations on unmapped memory in secretmem, or WARN_ON conditions in guest_memfd fault handlers. The vulnerability affects Linux kernel versions across multiple stable branches and requires a kernel patch to remediate; while not known to be actively exploited in the wild, the condition can be triggered locally by unprivileged users through madvise() syscalls.
This vulnerability is a race condition in the Linux kernel's PCI Designware endpoint driver where MSI-X interrupt writes to the host can complete after the corresponding Address Translation Unit (ATU) entry is unmapped, potentially corrupting host memory or triggering IOMMU errors. The vulnerability affects all Linux kernel versions with the vulnerable code path in the PCI DWC endpoint implementation (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), specifically impacting systems using PCI endpoint devices with MSI-X interrupt support such as NVMe-PCI endpoint function drivers. An attacker with the ability to trigger high-frequency MSI-X interrupts from a malicious endpoint device could exploit this race condition to cause denial of service through IOMMU faults or potentially corrupt host memory.
A use-of-uninitialized-variable vulnerability exists in the Linux kernel's AMD GPU (drm/amdgpu) driver, specifically in the slot reset error handling path. When device recovery fails after a slot reset is called, the code branches to error handling logic that references an uninitialized hive pointer and accesses an uninitialized list, potentially leading to information disclosure or system instability. This affects Linux kernel versions across multiple stable branches, with patches available in the referenced commits.
A logic error in the Linux kernel's DRBD (Distributed Replicated Block Device) subsystem causes drbd_al_begin_io_nonblock() to fail silently when activity log extent acquisition fails due to spinlock contention, leading to loss of mutual exclusivity guarantees between resync and application I/O operations. This vulnerability affects all Linux kernel versions with the affected DRBD code and can result in kernel crashes via BUG_ON() assertions when activity log references are incorrectly released, as well as potential data consistency issues during active resync operations when concurrent application I/O proceeds without proper exclusivity enforcement.
This vulnerability is a speculative execution safety flaw in the Linux kernel's x86 FRED (Flexible Return and Event Delivery) interrupt handling code where array_index_nospec() is incorrectly positioned, allowing speculative memory predictions to leak sensitive information through side-channel attacks. The vulnerability affects all Linux kernel versions with FRED support (primarily x86-64 systems with newer Intel/AMD processors). An attacker with local access could potentially infer sensitive kernel memory values through timing or covert channel attacks exploiting the unsafe speculation window.
A memory management vulnerability in the Linux kernel's EFI boot services implementation causes a leak of approximately 140MB of RAM on systems with CONFIG_DEFERRED_STRUCT_PAGE_INIT enabled, particularly affecting resource-constrained EC2 instances with 512MB total RAM. The vulnerability occurs when efi_free_boot_services() attempts to free EFI boot services memory before the kernel's deferred memory map initialization is complete, resulting in freed pages being skipped and never returned to the memory pool. This is a kernel-level memory exhaustion issue affecting all Linux distributions, though impact is most severe on systems with minimal RAM; no active exploitation or proof-of-concept has been identified as this is a resource leak rather than a code execution vector.
A memory access protection bypass vulnerability exists in the Linux kernel's ARM64 ioremap_prot() function where user-space page protection attributes are improperly propagated to kernel-space I/O remapping, bypassing Privileged Access Never (PAN) protections and enabling information disclosure. This affects all Linux kernel versions on ARM64 systems with PAN enabled. An attacker with local access can trigger memory access faults and potentially read sensitive kernel memory through operations like accessing /proc/[pid]/environ on vulnerable systems.
A memory protection vulnerability exists in the Linux kernel's ARM64 Guarded Control Stack (GCS) implementation when FEAT_LPA2 (52-bit virtual addressing) is enabled. The vulnerability occurs because GCS page table entries incorrectly use the PTE_SHARED bits (0b11) in positions that are repurposed for high-order address bits when LPA2 is active, causing page table corruption and kernel panics during GCS memory operations. This affects all Linux kernel versions with GCS support on ARM64 systems with LPA2 enabled, and while no active exploitation or public POC has been reported, the vulnerability causes immediate kernel crashes when GCS is enabled on affected hardware configurations.
A memory corruption vulnerability exists in the Linux kernel's XDP (eXpress Data Path) subsystem where negative tailroom calculations are incorrectly reported as large unsigned integers, allowing buffer overflows during tail growth operations. This affects Linux kernel versions across multiple stable branches when certain Ethernet drivers (notably ixgbevf) report incorrect DMA write sizes, leading to heap corruption, segmentation faults, and general protection faults as demonstrated in the xskxceiver test utility. The vulnerability has no CVSS score assigned and shows no active KEV exploitation status, but represents a critical memory safety issue affecting systems using XDP with affected Ethernet drivers.
A memory leak vulnerability exists in the Linux kernel's NFC NCI subsystem where the nci_transceive() function fails to free socket buffer (skb) objects on three early error paths (-EPROTO, -EINVAL, -EBUSY), causing kernel memory exhaustion over time. The vulnerability affects all Linux kernel versions with the vulnerable code in the NFC NCI driver, impacting any system with NFC capabilities that processes malformed or resource-constrained NCI transactions. While not directly exploitable for code execution, attackers can trigger memory exhaustion leading to denial of service by sending specially crafted NFC messages that trigger the error paths, and the vulnerability has been confirmed in kernel self-tests via kmemleak detection.
A memory leak vulnerability exists in the Linux kernel's NFC (Near Field Communication) NCI subsystem where pending data exchange operations are not properly completed when a device is closed, causing socket references to be held indefinitely. This affects all Linux kernel versions with the vulnerable NFC NCI code path. An attacker with local access to NFC functionality could trigger repeated device close operations to exhaust memory resources, leading to denial of service. While no CVSS score or EPSS data is currently available, the issue is being actively addressed through kernel patches as evidenced by multiple commit references.
This vulnerability is a memory leak in the Linux kernel's AF_XDP socket implementation where buffers fail to be properly returned to the free list due to improper list node reinitialization. The vulnerability affects all Linux kernel versions with the AF_XDP subsystem enabled, potentially allowing local attackers or unprivileged users to exhaust kernel memory over time. While not actively exploited in the wild according to available intelligence, the vulnerability has clear patches available in stable kernel branches and represents a real denial-of-service risk for systems relying on XDP functionality.
The Apple Silicon SMC hwmon driver (macsmc-hwmon) in the Linux kernel contains critical memory safety bugs in sensor population and float conversion logic. Specifically, voltage sensors are incorrectly registered to the temperature sensor array, and float-to-32-bit conversion has flawed exponent handling, potentially leading to out-of-bounds memory access, data corruption, or incorrect fan control on affected Apple Silicon systems. The vulnerability affects Linux kernel versions with the macsmc-hwmon driver and has been patched; no active exploitation or POC is currently known, but the nature of the bugs suggests high real-world risk for systems relying on thermal management.
A use-after-free and list corruption vulnerability exists in the Linux kernel's IPMI (Intelligent Platform Management Interface) subsystem when the SMI sender returns an error. The vulnerability affects all Linux kernel versions with the vulnerable IPMI code path, allowing local attackers or processes with IPMI access to trigger denial of service conditions through list corruption and NULL pointer dereferences. The vulnerability is not currently listed in CISA's KEV catalog, and no CVSS or EPSS scores have been published; however, the technical nature indicates high reliability for exploitation by local actors with kernel interface access.
A memory alignment fault vulnerability exists in the Linux kernel's IPv4 multipath routing hash seed implementation that causes kernel panics on ARM64 systems when compiled with Clang and Link Time Optimization (LTO) enabled. The vulnerability affects all Linux kernel versions with the vulnerable code path in net/ipv4/route.c, specifically impacting ARM64 architectures where strict alignment requirements for Load-Acquire instructions are enforced. An attacker with local access or ability to trigger multipath hash operations could cause a denial of service by crashing the kernel, though no active exploitation has been reported in the wild.
A device node reference leak exists in the Linux kernel's bq257xx regulator driver within the bq257xx_reg_dt_parse_gpio() function. When the function fails to retrieve a subchild device node, it returns prematurely without properly releasing the reference via of_node_put(child), causing a memory leak. This affects all Linux kernel versions containing this vulnerable code path in the bq257xx regulator driver, and while not directly exploitable for code execution, the memory leak can be triggered repeatedly to degrade system stability and availability.
A memory safety vulnerability exists in the Linux kernel's accel/rocket driver where the error path in rocket_probe() fails to properly unwind resource allocations when rocket_core_init() fails, particularly during EPROBE_DEFER scenarios. This affects all Linux kernel versions containing the vulnerable accel/rocket driver code. An attacker with local access could trigger a probe failure condition to cause out-of-bounds memory accesses, potentially leading to denial of service or privilege escalation.
This vulnerability is a memory leak in the Linux kernel's Bluetooth subsystem where Socket Buffers (SKBs) queued into the sk_error_queue for TX timestamping are not properly purged during socket destruction, allowing sensitive timestamp data to persist in kernel memory. The vulnerability affects all Linux kernel versions that support Bluetooth with SO_TIMESTAMPING enabled (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*). An attacker with local access could potentially read leaked kernel memory contents including timestamp information that should have been cleaned up, or trigger the leak by unexpectedly removing the Bluetooth controller while timestamped packets remain queued.
A credential reference leak exists in the Linux kernel's nfsd (NFS daemon) subsystem, specifically in the nfsd_nl_threads_set_doit() function which handles netlink-based thread configuration. The vulnerability affects all Linux kernel versions containing the vulnerable nfsd code path, allowing local users with netlink access to trigger memory leaks of credential structures through repeated invocations of the affected function. While not directly exploitable for privilege escalation or data theft, the memory leak can lead to denial of service through resource exhaustion and enables information disclosure via leaked kernel memory structures.
A reference count leak in the Linux kernel's SCSI core subsystem causes the tagset_refcnt reference counter to fail to decrement properly, resulting in resource exhaustion and system hangs during SCSI host teardown. This affects all Linux kernel versions with the vulnerable code path, particularly impacting iSCSI configurations where the leak manifests as indefinite blocking in scsi_remove_host() calls. While not actively exploited in the wild (no KEV status), this is a denial-of-service vulnerability that can be triggered by any user with the ability to manage SCSI sessions or trigger host removal operations.
This vulnerability is a resource leak in the Linux kernel's InfiniBand mthca driver within the mthca_create_srq() function, where the mthca_unmap_user_db() cleanup call is missing on the error path. A user with local access can trigger this leak by causing the mthca_create_srq() system call to fail, resulting in persistent kernel memory not being freed, which could lead to denial of service through memory exhaustion. While no CVSS score, EPSS value, or KEV status is documented, the issue affects all Linux kernel versions using the mthca driver and has been patched across multiple stable kernel branches as evidenced by six linked commit fixes.
Improper bounds checking in Apple macOS (Sequoia 15.7.4 and earlier, Sonoma 14.8.4 and earlier, Tahoe 26.3 and earlier) permits a local attacker to write out-of-bounds memory through a malicious application, potentially allowing modification of protected filesystem areas. The vulnerability requires user interaction to execute the malicious app and affects the file system's integrity rather than confidentiality. No patch is currently available for this out-of-bounds write condition.
Apple's iOS, iPadOS, macOS, tvOS, and watchOS contain a use-after-free vulnerability that could allow a local attacker to corrupt kernel memory or cause unexpected system crashes. An installed application can trigger this memory corruption flaw through user interaction, potentially leading to denial of service or unauthorized kernel-level modifications. No patch is currently available for this vulnerability (CVSS 7.1).
Memory corruption in Apple Safari, iOS, iPadOS, macOS, and visionOS allows remote attackers to crash affected processes by delivering maliciously crafted web content to users. The vulnerability requires user interaction to view the malicious content and does not enable code execution or information disclosure. A patch is currently unavailable for this issue.
macOS systems running Sequoia 15.7.4 or earlier, Sonoma 14.8.4 or earlier, and Tahoe 26.3 or earlier contain a use-after-free vulnerability in SMB share handling that could allow an attacker to crash the operating system by mounting a specially crafted network share. The vulnerability requires user interaction to mount the malicious share and results in denial of service rather than code execution or data compromise. No patch is currently available for this vulnerability.
Type confusion in Apple's iOS, iPadOS, macOS, tvOS, visionOS, and watchOS allows local attackers to trigger unexpected application termination through memory corruption. The vulnerability affects multiple OS versions and currently lacks a publicly available patch. An attacker with local access can exploit this to cause denial of service by crashing targeted applications.
Apple's iOS, iPadOS, macOS, tvOS, visionOS, and watchOS contain a use-after-free vulnerability that could allow remote attackers to crash affected applications by processing maliciously crafted web content. The vulnerability stems from improper memory management and requires user interaction to exploit. No patch is currently available, leaving users vulnerable until official updates are released.
Denial of service in Apple iOS, iPadOS, and macOS due to a use-after-free memory corruption vulnerability allows local attackers to trigger unexpected system termination. The flaw affects multiple Apple platforms including iOS 18.x, macOS Sequoia, Sonoma, and Tahoe versions. No patch is currently available.
This vulnerability is a memory handling flaw in Apple's operating systems (iOS, iPadOS, macOS, tvOS, visionOS, and watchOS) that allows a malicious application to trigger unexpected system termination or corrupt kernel memory. The vulnerability affects all versions prior to the version 26.4 releases across Apple's entire ecosystem. An attacker can exploit this by crafting a malicious app that triggers improper memory handling, potentially leading to denial of service or privilege escalation through kernel memory corruption.
NVIDIA SNAP-4 Container contains a use-of-out-of-range pointer offset vulnerability in the VIRTIO-BLK component that allows a malicious guest VM to trigger memory corruption and denial of service. The vulnerability affects NVIDIA SNAP-4 Container across all versions as indicated by the CPE string. A successful exploit results in denial of service to the DPA (Data Processing Appliance) and impacts storage availability to other VMs, though no code execution or information disclosure is possible. There is no evidence of active exploitation in the wild (KEV status indicates none), and the CVSS score of 6.8 reflects moderate severity with high availability impact but limited exploitability due to requiring adjacent network access and user privileges.
Unauthenticated remote attackers can escape the Firefox sandbox through a use-after-free vulnerability in the Canvas2D graphics component, allowing arbitrary code execution on affected systems running Firefox versions prior to 149. The vulnerability requires no user interaction, impacts the entire system, and carries a critical CVSS score of 10.0. No patch is currently available for this actively exploitable flaw.
A use-after-free vulnerability in Firefox's Cocoa widget component allows remote code execution without user interaction or special privileges, affecting Firefox versions below 149 and ESR below 140.9. An attacker can exploit this memory corruption flaw over the network to achieve complete system compromise with high confidentiality, integrity, and availability impact. No patch is currently available.
Firefox versions prior to 149 contain a use-after-free vulnerability in the JavaScript engine that allows unauthenticated remote attackers to achieve arbitrary code execution with no user interaction required. The vulnerability affects all Firefox users and can be exploited over the network to gain complete control over an affected system. No patch is currently available.
A JIT (Just-In-Time) compilation miscompilation vulnerability exists in Firefox's JavaScript Engine that can lead to information disclosure. This affects Firefox versions below 149 and Firefox ESR versions below 140.9. An attacker can exploit this vulnerability through malicious JavaScript code to potentially disclose sensitive information from the browser's memory or process space.
Mozilla Firefox versions below 149 (and ESR versions below 140.9) contain a use-after-free vulnerability in the JavaScript Engine that enables unauthenticated remote attackers to achieve arbitrary code execution without user interaction. The memory corruption flaw allows complete compromise of affected systems through network-based attacks. No patch is currently available for this critical vulnerability.
A JIT miscompilation vulnerability exists in Firefox's JavaScript engine that can lead to information disclosure. This affects Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. An attacker can exploit this flaw through malicious JavaScript to extract sensitive information from the browser's memory, potentially compromising user data and system security.
Unauthenticated remote attackers can achieve arbitrary code execution through a use-after-free memory corruption vulnerability in Firefox's text and font rendering engine, affecting Firefox versions below 149, ESR below 115.34, and ESR below 140.9. The vulnerability requires no user interaction or special privileges and allows complete compromise of confidentiality, integrity, and availability. No patch is currently available.
Critical use-after-free in Mozilla Firefox's CSS parsing engine enables unauthenticated remote code execution with no user interaction required, affecting Firefox versions below 149, ESR below 115.34, and ESR below 140.9. An attacker can exploit this memory corruption vulnerability by crafting a malicious web page that triggers the vulnerability when rendered, achieving full system compromise. No patch is currently available.
Sandbox escape in Mozilla Firefox's Disability Access APIs component due to a use-after-free memory vulnerability allows unauthenticated remote attackers to execute arbitrary code with full system compromise. Firefox versions below 149 and Firefox ESR below 140.9 are affected, with no patch currently available. The vulnerability is exploitable over the network without user interaction, presenting critical risk to all affected users.
Memory corruption through out-of-bounds writes in Android-ImageMagick7 prior to version 7.1.2-11 enables local attackers to achieve arbitrary code execution with user interaction. The vulnerability affects Google's implementation of ImageMagick and carries a CVSS score of 7.8, indicating high severity with complete confidentiality, integrity, and availability impact. A patch is available for affected users.
Memory corruption through out-of-bounds write in Android-ImageMagick7 before version 7.1.2-10 enables remote code execution when a user processes a malicious image file. An attacker can exploit this vulnerability over the network without authentication to achieve complete system compromise including data theft, modification, and denial of service. A patch is available for affected Android devices running vulnerable versions of the ImageMagick library.
WujekFoliarz DualSenseY-v2 versions prior to 54 contain an out-of-bounds write vulnerability that allows local attackers with user interaction to achieve arbitrary code execution with full system compromise. The CVSS 7.8 rating reflects the high impact on confidentiality, integrity, and availability through memory corruption exploitation. A patch is available for affected users to mitigate this local privilege escalation risk.
A use-after-free (CWE-416) in No-Chicken Echo-Mate prior to version V250329 allows an attacker with high privileges to corrupt memory, potentially leading to information disclosure, integrity violations or denial of service. CVSS 6.4; a fix is available from the vendor via a GitHub pull request.
Use-after-free in Google Chrome's Federated Credential Management (FedCM) implementation prior to version 146.0.7680.165 enables a remote, unauthenticated attacker to execute arbitrary code inside the browser sandbox via a crafted HTML page. It affects Chrome on all supported platforms and requires only that the victim load the page. Fixed in Chrome 146.0.7680.165 and later.
Use-after-free in Google Chrome's WebGPU implementation prior to 146.0.7680.165 allows a remote, unauthenticated attacker to execute arbitrary code inside the Chrome sandbox via a crafted HTML page; no user interaction beyond viewing the page is needed. A patch is available for affected users.
Use-after-free in Dawn (the graphics component behind Chrome's WebGPU support) prior to version 146.0.7680.165 allows a remote attacker to escape the sandbox and execute arbitrary code when a user visits a crafted HTML page. Multiple platforms are affected, including Debian's packaged builds; only user interaction is required. A patch is available for this high-severity memory corruption flaw.
XnSoft NConvert version 7.230 contains a use-after-free triggered by processing a crafted TIFF file, which can lead to a crash, unauthorized memory access, information disclosure and potentially code execution. The issue is publicly documented, with proof-of-concept code on GitHub. An attacker exploits it by getting a malicious TIFF file processed by an NConvert user or by an automated conversion service built on NConvert.
Memory corruption in a GPU shader compiler, triggered by crafted switch statements in shader code, leads to out-of-bounds writes and allows remote code execution where the compiler runs with elevated privileges; multiple platforms are affected. Because the shader can be delivered through a web page, a successful exploit could yield system-level control of a vulnerable device. No patch is currently available for this critical vulnerability.
A remote code execution vulnerability in libde265 (CVSS 5.5). Remediation should follow standard vulnerability management procedures.
libfuse versions 3.18.0 through 3.18.1 contain a use-after-free in the io_uring code path: when io_uring initialization fails (for example because thread creation fails under cgroup or other resource limits), a dangling pointer is left in the session state and dereferenced during shutdown, letting a local attacker crash a FUSE filesystem process or potentially execute arbitrary code. Public exploit code exists, and no patch is currently available.
Heap-based buffer overflow in GPAC MP4Box's NHML XML parsing allows an attacker to corrupt memory, crash the application or potentially execute code by crafting an NHML file with specially formatted BitSequence elements. It affects systems that process untrusted multimedia files and remains unpatched as of this advisory; exploitation requires a user to open the malicious file.
Qwik, a performance-focused JavaScript framework, contains an array prototype pollution vulnerability in its FormData parsing logic in versions prior to 1.19.2. An attacker submits form field names that mix array-index and object-property keys (for example items.0 alongside items.toString or items.length) to inject properties into objects the application expects to be plain arrays, producing malformed array state, oversized lengths or request-handling failures (denial of service). CVSS 7.5 (High): network vector, no authentication or user interaction. Fixed in version 1.19.2.
tar-rs (Rust) versions 0.4.44 and below skip the PAX (POSIX.1-2001) size header whenever the base ustar header's size field is nonzero, so the library parses such archives differently from standard implementations such as Go's archive/tar, which honor the PAX size. An attacker can craft an archive that unpacks to different contents depending on the parser, enabling file-confusion attacks or information disclosure against any application that uses tar-rs on untrusted archives and expects results consistent with other tar parsers. CVSS 5.1 (moderate); the vector is network-reachable with low attack complexity.
PJSIP 2.16 and earlier contain a heap use-after-free in ICE session handling caused by a race between session destruction and callback execution, enabling memory corruption and potential code execution. It affects all systems using vulnerable PJSIP versions for multimedia communication; no patch is currently available. CVSS 8.1: remotely exploitable without authentication or user interaction.
Use-after-free in Google Chrome prior to version 146.0.7680.153 is reachable from a malicious browser extension: an attacker must convince a user to install the extension to trigger heap corruption and potentially achieve code execution. Affects Chrome builds, including the packages shipped by Ubuntu and Debian. A patch is available.
Type confusion in Google Chrome's V8 engine prior to version 146.0.7680.153 can be triggered by a malicious HTML page and leads to heap corruption; an unauthenticated remote attacker needs no privileges to exploit it for arbitrary code execution or a browser crash. Affects Chrome builds, including the Ubuntu and Debian packages; patches are available.
A use-after-free in Google Chrome's Digital Credentials API prior to version 146.0.7680.153 allows an attacker who already controls a compromised renderer process to escape the sandbox and potentially execute code via a crafted HTML page. It affects Chrome on multiple platforms, including the Ubuntu and Debian packages; user interaction is required, and impact is high across confidentiality, integrity and availability. Fixed in Chrome 146.0.7680.153 and later.
Use-after-free in the Network component of Google Chrome prior to version 146.0.7680.153 causes heap corruption when a user visits a malicious HTML page. An unauthenticated remote attacker can exploit it for arbitrary code execution with high integrity and confidentiality impact. A patch is available for Chrome, including the Ubuntu and Debian packages.
Out-of-bounds write in Google Chrome's V8 engine prior to version 146.0.7680.153 causes heap corruption when a user visits a malicious web page. An unauthenticated remote attacker can exploit it for arbitrary code execution with high integrity and confidentiality impact. A security patch is available for Chrome, including the Ubuntu and Debian packages.
Use-after-free in Google Chrome's Blink rendering engine prior to version 146.0.7680.153 causes heap corruption via a malicious HTML page and potentially enables remote code execution. An unauthenticated attacker needs only user interaction (visiting the page). A patch is available for Chrome, including the Ubuntu and Debian packages.
Use-after-free in Google Chrome's WebRTC implementation prior to version 146.0.7680.153 causes heap corruption and lets a remote attacker achieve arbitrary code execution through a malicious HTML page, requiring only user interaction. CVSS 8.8; affects Chrome, including the Ubuntu and Debian packages; a patch is available.
A second use-after-free in Google Chrome's WebRTC implementation prior to version 146.0.7680.153 also causes heap corruption and enables remote code execution when a user is lured to a malicious website. Only user interaction is required; Chrome on multiple platforms, including the Ubuntu and Debian packages, is affected. A patch is available for this high-severity flaw.
Use-after-free in the Base component of Google Chrome before version 146.0.7680.153 causes heap corruption and enables remote code execution through a malicious HTML page. The attack requires user interaction but no authentication and affects Chrome on multiple platforms, including Linux distributions. A patch is available for this critical-severity vulnerability.
Out-of-bounds read and write in Google Chrome's WebGL implementation prior to version 146.0.7680.153 allows a remote attacker to read and write memory via a crafted HTML page, potentially leading to information disclosure, code execution or full compromise. Multiple Debian releases are affected; ENISA EUVD ID EUVD-2026-13447; a vendor patch is available.
Out-of-bounds memory corruption in Google Chrome's WebGL implementation on Android prior to version 146.0.7680.153 lets a remote attacker escape the browser sandbox via a malicious HTML page, requiring only user interaction. This critical vulnerability affects Chrome on Android and could lead to complete device compromise. Fixed in Chrome 146.0.7680.153 and later.
Stack buffer overflow in the ECH (Encrypted Client Hello) implementation of wolfSSL 5.8.4 allows a malicious TLS server to crash a client or achieve code execution by sending a crafted ECH configuration. Only clients that have explicitly enabled ECH support (disabled by default) are affected; exploitation requires no authentication or user interaction beyond connecting to the attacker-controlled server.
CVE-2026-3503 is a security vulnerability (CVSS 4.3) that allows a physical attacker. Remediation should follow standard vulnerability management procedures.
Buffer overflows in wolfSSL's CRL parser cause heap and stack memory corruption when a crafted Certificate Revocation List is processed, with potential code execution. Only installations built with CRL support enabled that load CRLs from untrusted sources are affected. No patch is currently available.
HTSlib, a widely used bioinformatics library for reading and writing sequence alignment formats, contains a critical buffer overflow in its CRAM format decoder. The `cram_byte_array_len_decode()` function fails to validate that the unpacked data fits the output buffer; HTSlib versions prior to 1.23.1, 1.22.2 and 1.21.1 are affected. A crafted CRAM file, when opened by a user, triggers a heap or stack overflow with attacker-controlled bytes, potentially leading to arbitrary code execution, a crash or other memory corruption.
HTSlib contains a buffer overflow vulnerability in its CRAM format decoder affecting the VARINT and CONST encoding handlers, where incomplete context validation allows writes of up to eight bytes beyond heap allocation boundaries or into stack-allocated single-byte variables. This vulnerability affects HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1, and impacts any application using the library to process CRAM-formatted bioinformatics data files. An attacker can craft a malicious CRAM file to trigger heap or stack overflow conditions, potentially leading to denial of service, memory corruption, or arbitrary code execution when processed by a vulnerable application.
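The two HTSlib entries above share one root cause: a length taken from the CRAM stream is checked against the input but not against the destination buffer. The following toy decoder, added here as an example and not HTSlib's code, shows that pattern and its fix. The 1-byte length prefix, the sample record and all function names are constructed for this illustration (real CRAM encodes lengths as ITF8 integers); the vulnerable path is run against a 4-byte logical buffer that sits inside larger real storage so the overrun is observable without a crash.

```c
/* Added example (not HTSlib code): a toy length-prefixed byte-array decoder
 * in the style of a CRAM BYTE_ARRAY_LEN codec. The stream carries a length
 * field followed by that many bytes; a safe decoder checks the declared
 * length against BOTH the remaining input and the caller's output buffer.
 * The 1-byte length prefix and the sample stream are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} stream_t;

/* Read the 1-byte length prefix; -1 on end of stream. */
static int read_len(stream_t *s, size_t *out)
{
    if (s->pos >= s->len)
        return -1;
    *out = s->data[s->pos++];
    return 0;
}

/* Vulnerable: validates the length against the input only, then copies the
 * attacker-declared number of bytes into 'out' regardless of out_size. */
int decode_vuln(stream_t *s, uint8_t *out, size_t out_size)
{
    size_t n;
    (void)out_size;                          /* never consulted: the bug */
    if (read_len(s, &n) < 0)
        return -1;
    if (n > s->len - s->pos)
        return -1;                           /* truncated record */
    memcpy(out, s->data + s->pos, n);        /* writes past out when n > out_size */
    s->pos += n;
    return (int)n;
}

/* Hardened: the declared length must fit the destination as well as the input. */
int decode_fixed(stream_t *s, uint8_t *out, size_t out_size)
{
    size_t n;
    if (read_len(s, &n) < 0)
        return -1;
    if (n > out_size)
        return -2;                           /* would overflow the destination */
    if (n > s->len - s->pos)
        return -1;                           /* truncated record */
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return (int)n;
}

/* Constructed record: declares 8 bytes, but the logical destination is 4. */
static const uint8_t SAMPLE[] = { 0x08, 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H' };

/* Vulnerable decoder with a 4-byte logical buffer inside 16 bytes of real
 * storage. Returns how many bytes landed beyond the logical buffer. */
size_t overrun_bytes_vuln(void)
{
    uint8_t storage[16] = { 0 };
    stream_t s = { SAMPLE, sizeof SAMPLE, 0 };
    size_t spilled = 0, i;
    if (decode_vuln(&s, storage, 4) < 0)
        return 0;
    for (i = 4; i < sizeof storage; i++)
        if (storage[i] != 0)
            spilled++;
    return spilled;
}

/* Same record through the hardened decoder: returns its verdict, or -99 if
 * any byte of the buffer was touched despite the rejection. */
int verdict_fixed(void)
{
    uint8_t storage[16] = { 0 };
    stream_t s = { SAMPLE, sizeof SAMPLE, 0 };
    int rc = decode_fixed(&s, storage, 4);
    size_t i;
    for (i = 0; i < sizeof storage; i++)
        if (storage[i] != 0)
            return -99;
    return rc;
}

/* A well-formed record still decodes normally under the hardened path. */
int valid_record_fixed(void)
{
    static const uint8_t ok[] = { 0x03, 'x', 'y', 'z' };
    uint8_t out[4] = { 0 };
    stream_t s = { ok, sizeof ok, 0 };
    return decode_fixed(&s, out, sizeof out);
}

int main(void)
{
    printf("vulnerable decoder spilled %zu bytes past the buffer\n", overrun_bytes_vuln());
    printf("hardened decoder returned %d on the same record\n", verdict_fixed());
    printf("hardened decoder returned %d on a valid record\n", valid_record_fixed());
    return 0;
}
```

The check order in decode_fixed matters: comparing n against out_size before the memcpy is the fix, and comparing n against the remaining input with a subtraction (rather than s->pos + n, which can wrap) avoids a second integer-overflow bug while fixing the first.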
This vulnerability is a memory leak in the Linux kernel's io_uring subsystem, specifically within the zero-copy receive (zcrx) implementation where a page array fails to be deallocated during scatter-gather initialization failures. The vulnerability affects all Linux kernel versions with the vulnerable io_uring/zcrx code path, allowing local attackers with the ability to trigger failed scatter-gather operations to exhaust kernel memory and cause denial of service. No active exploitation has been reported, but this is a kernel memory management issue with straightforward local triggering conditions.
Use-after-free in Adobe Substance3D Stager 3.1.7 and earlier allows a local attacker to execute code with the user's privileges through a specially crafted file; exploitation requires social engineering to get the victim to open a weaponized Stager project. No public exploit identified at time of analysis, though the vulnerability class is well understood and exploitable. CVSS 7.8 (High) reflects significant impact if exploited; the local vector and user-interaction requirement make it less urgent than remotely exploitable flaws.
Grafana's OpenFeature feature-toggle evaluation endpoint can be driven into an out-of-memory condition by unbounded request values, enabling a remote, unauthenticated denial of service against the monitoring platform. CVSS 7.5 with vector AV:N/AC:L/PR:N and high availability impact. No public exploit identified at time of analysis.
A use-after-free in the web server of Softing smartLink HW-DP and smartLink HW-PN allows a remote, unauthenticated attacker to crash the service with crafted HTTP requests (denial of service). Rated medium (CVSS 6.5): network vector, low attack complexity, no authentication required. No vendor patch available.
MapServer versions 4.2 through 8.6.0 are vulnerable to a heap buffer overflow in the SLD (Styled Layer Descriptor) parser that allows remote, unauthenticated attackers to crash the MapServer process by sending a crafted SLD document containing more than 100 Threshold elements within a ColorMap/Categorize structure. The vulnerability is reachable via WMS GetMap requests using the SLD_BODY parameter, requiring no authentication or user interaction. Vendor-released patch: version 8.6.1 eliminates the issue; no public exploit code or active exploitation has been identified at time of analysis.
p11-kit remote token handling fails to validate NULL derive mechanism parameters in C_DeriveKey operations, allowing unauthenticated remote attackers to trigger NULL pointer dereferences and undefined memory access in the RPC client layer. This denial-of-service vulnerability affects Red Hat Enterprise Linux versions 6 through 10 and OpenShift Container Platform 4, with a CVSS score of 5.3 reflecting moderate availability impact. No public exploit identified at time of analysis.
An out-of-bounds write in an X11 display interaction path allows a local attacker to crash affected applications with a single zero-byte write. The medium-severity flaw (CVSS score 4.0) requires no privileges or user interaction and results in denial of service. No patch is currently available.
A security vulnerability in versions 1.2.1 (CVSS 7.5). High severity vulnerability requiring prompt remediation.
EVerest charging software stack versions prior to 2026.02.0 contain a use-after-free vulnerability in the ISO15118_chargerImpl::handle_session_setup function that crashes the EVSE process when session setup commands are issued after ISO15118 initialization failure. Remote attackers with MQTT access can trigger this denial of service condition by sending a crafted session_setup command, causing the process to reference freed memory (v2g_ctx). A vendor-released patch is available in version 2026.02.0.
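The EVerest session-setup entry above and the libfuse entry earlier describe the same shape of bug: an initialization step fails, the context it built is freed, but the pointer to it stays in the long-lived state and a later operation dereferences it. The toy service below is an added example, not EVerest or libfuse code; the service and context structures, the handler names and the failure-injection knob are constructed for the illustration. The vulnerable handler is shown but deliberately never called, since calling it would be the use-after-free; the demo only inspects whether the stale pointer survives.

```c
/* Added example (not EVerest or libfuse code): a toy service that allocates a
 * session context during initialisation. If a later init step fails, the
 * vulnerable version frees the context but leaves the pointer in the service
 * state; a later command then dereferences freed memory. The hardened version
 * publishes the pointer only on success and refuses commands without a live
 * context. All names and the failure knob are constructed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int state;
    char peer[16];
} ctx_t;

typedef struct {
    ctx_t *ctx;     /* session context, NULL when there is none */
    int ready;      /* 1 only after a fully successful init */
} service_t;

/* Stand-in for a second initialisation stage; 'fail' injects the failure. */
static int second_stage_init(int fail)
{
    return fail ? -1 : 0;
}

/* Vulnerable: on failure the context is freed but svc->ctx keeps pointing at it. */
int init_vuln(service_t *svc, int fail)
{
    svc->ctx = calloc(1, sizeof *svc->ctx);
    if (!svc->ctx)
        return -1;
    if (second_stage_init(fail) < 0) {
        free(svc->ctx);          /* BUG: pointer left dangling in svc */
        svc->ready = 0;
        return -1;
    }
    svc->ready = 1;
    return 0;
}

/* Hardened: build in a local, publish only on success, NULL on every failure. */
int init_fixed(service_t *svc, int fail)
{
    ctx_t *c = calloc(1, sizeof *c);
    if (!c)
        return -1;
    if (second_stage_init(fail) < 0) {
        free(c);
        svc->ctx = NULL;
        svc->ready = 0;
        return -1;
    }
    svc->ctx = c;
    svc->ready = 1;
    return 0;
}

/* Vulnerable handler: trusts that a context exists. After a failed
 * init_vuln() this writes into freed memory. Not called by the demo. */
int handle_session_setup_vuln(service_t *svc, const char *peer)
{
    strncpy(svc->ctx->peer, peer, sizeof svc->ctx->peer - 1);
    svc->ctx->state = 1;
    return 0;
}

/* Hardened handler: a command without a live context is an error, not a crash. */
int handle_session_setup_fixed(service_t *svc, const char *peer)
{
    if (!svc->ready || !svc->ctx)
        return -1;
    strncpy(svc->ctx->peer, peer, sizeof svc->ctx->peer - 1);
    svc->ctx->state = 1;
    return 0;
}

/* After a failed init, does the vulnerable service still hold a context
 * pointer? The pointer is compared, never dereferenced. Returns 1 if so. */
int dangling_after_failed_init_vuln(void)
{
    service_t svc = { NULL, 0 };
    init_vuln(&svc, 1);
    return svc.ctx != NULL;
}

/* The hardened service refuses the command after a failed init (-1)... */
int setup_after_failed_init_fixed(void)
{
    service_t svc = { NULL, 0 };
    init_fixed(&svc, 1);
    return handle_session_setup_fixed(&svc, "EV-0001");
}

/* ...and handles it normally after a successful one (0). */
int setup_after_good_init_fixed(void)
{
    service_t svc = { NULL, 0 };
    int rc;
    init_fixed(&svc, 0);
    rc = handle_session_setup_fixed(&svc, "EV-0001");
    free(svc.ctx);
    return rc;
}

int main(void)
{
    printf("vulnerable: stale ctx after failed init = %d\n", dangling_after_failed_init_vuln());
    printf("fixed: setup after failed init rc = %d\n", setup_after_failed_init_fixed());
    printf("fixed: setup after good init rc = %d\n", setup_after_good_init_fixed());
    return 0;
}
```

The two halves of the fix are independent and both worth having: never leaving a freed pointer reachable from long-lived state, and having every command handler check for a live context before touching it, so that a command arriving over MQTT (or a shutdown path, in the libfuse case) after a failed init is rejected rather than executed.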
EVerest-Core prior to version 2026.02.0 contains an out-of-bounds write in the ISO15118_chargerImpl::handle_update_energy_transfer_modes function, where a variable-length MQTT command payload is copied into a fixed-size 6-element array without bounds checking. Schema validation is disabled by default, so an oversized payload reaches the handler and corrupts memory, which can crash the EV charging service or corrupt adjacent EVSE (Electric Vehicle Supply Equipment) state, affecting the integrity and availability of charging infrastructure. No public exploit code identified at time of analysis; fixed in version 2026.02.0.
Out-of-bounds write in EVerest charging software stack versions prior to 2026.02.0 allows a local attacker to corrupt EVSE state or crash the charging process by sending an oversized MQTT command payload, which the default (disabled) schema validation does not reject. The ISO15118_chargerImpl::handle_session_setup function copies a variable-length payment_options list into a fixed 2-element array without bounds checking (CWE-787), with availability and integrity impact. No public exploit code identified at time of analysis.
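The MapServer SLD entry (more than 100 Threshold elements) and the two EVerest entries just above (6-element and 2-element arrays) are all the same defect: a parser appends every element it finds into a fixed-capacity array and never compares its running count with the capacity. The toy list parser below is an added example, not MapServer or EVerest code; the comma-separated input format, the 100-slot capacity, the generated list and the function names are constructed for the illustration. As in the CRAM example, the vulnerable parser is given a logical capacity inside larger real storage so the overrun is measurable rather than fatal.

```c
/* Added example (not MapServer or EVerest code): a toy parser that reads a
 * comma-separated list of numbers (think SLD Threshold elements or an MQTT
 * payload list) into a caller-supplied fixed-capacity array. The vulnerable
 * version never compares its element count with the capacity; the hardened
 * version rejects the input once one more element would not fit. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable: writes out[*n] for every token, ignoring 'cap'. */
int parse_list_vuln(const char *s, double *out, size_t cap, size_t *n)
{
    char *end;
    (void)cap;                               /* never checked: the bug */
    *n = 0;
    while (*s) {
        double v = strtod(s, &end);
        if (end == s)
            return -1;                       /* not a number */
        out[(*n)++] = v;                     /* index runs past cap on long input */
        s = (*end == ',') ? end + 1 : end;
    }
    return 0;
}

/* Hardened: refuse the whole input if the next element would exceed 'cap'. */
int parse_list_fixed(const char *s, double *out, size_t cap, size_t *n)
{
    char *end;
    *n = 0;
    while (*s) {
        double v = strtod(s, &end);
        if (end == s)
            return -1;
        if (*n >= cap)
            return -2;                       /* too many elements for the array */
        out[(*n)++] = v;
        s = (*end == ',') ? end + 1 : end;
    }
    return 0;
}

/* Build "1,2,...,count" into buf (constructed input for the demo). */
static void build_list(char *buf, size_t buflen, size_t count)
{
    size_t used = 0, i;
    buf[0] = '\0';
    for (i = 1; i <= count && used < buflen; i++)
        used += (size_t)snprintf(buf + used, buflen - used,
                                 i == 1 ? "%zu" : ",%zu", i);
}

#define CAPACITY 100   /* logical array size, e.g. a 100-entry threshold table */
#define BACKING  256   /* real storage so the overrun is observable, not fatal */

/* 101 elements into a 100-slot logical array via the vulnerable parser:
 * returns the number of slots written (101 means one slot past the end). */
size_t slots_written_vuln(void)
{
    char list[1024];
    double backing[BACKING];
    size_t n = 0;
    build_list(list, sizeof list, CAPACITY + 1);
    if (parse_list_vuln(list, backing, CAPACITY, &n) < 0)
        return 0;
    return n;
}

/* Same 101-element input through the hardened parser: its return code. */
int verdict_fixed_overflow(void)
{
    char list[1024];
    double backing[BACKING];
    size_t n = 0;
    build_list(list, sizeof list, CAPACITY + 1);
    return parse_list_fixed(list, backing, CAPACITY, &n);
}

/* Exactly CAPACITY elements still parse cleanly; returns the element count. */
size_t count_fixed_full(void)
{
    char list[1024];
    double backing[CAPACITY];
    size_t n = 0;
    build_list(list, sizeof list, CAPACITY);
    if (parse_list_fixed(list, backing, CAPACITY, &n) < 0)
        return 0;
    return n;
}

int main(void)
{
    printf("vulnerable parser wrote %zu slots into a %d-slot array\n",
           slots_written_vuln(), CAPACITY);
    printf("hardened parser returned %d on 101 elements\n", verdict_fixed_overflow());
    printf("hardened parser accepted %zu elements at capacity\n", count_fixed_full());
    return 0;
}
```

Rejecting the whole message, as parse_list_fixed does, is usually the right call for a control-plane input such as an MQTT command or an SLD body: silently truncating to the first N elements would hide a malformed or malicious message and leave the caller believing the full list was applied.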
EVerest charging software stack versions prior to 2026.02.0 contain a data race condition leading to use-after-free memory corruption, triggered by EV plug-in/unplug events and authorization flows (RFID, RemoteStart, OCPP). Unauthenticated physical attackers with high complexity can exploit this to leak sensitive information or cause denial of service on affected charging infrastructure. No public exploit identified at time of analysis.
Out-of-bounds write vulnerabilities in Siemens CPCI85 Central Processing/Communication and SICORE Base system (versions below V26.10) allow unauthenticated remote attackers to crash critical industrial control system services through maliciously crafted XML requests, resulting in denial-of-service conditions. CISA's SSVC framework marks this as automatable with partial technical impact, though no public exploit has been identified at time of analysis. The CVSS 4.0 score of 8.7 reflects high availability impact (VA:H) with network accessibility requiring no authentication (PR:N).
Squid versions prior to 7.5 contain a heap use-after-free vulnerability (CWE-416) in ICP (Internet Cache Protocol) traffic handling that enables remote attackers to reliably trigger denial of service against affected proxy services. The vulnerability affects any Squid deployment with ICP support explicitly enabled via non-zero icp_port configuration, and cannot be mitigated through access control rules alone. A patch is available in version 7.5, and the vulnerability has been confirmed across multiple Debian releases and SUSE distributions.
cryptodev-linux 1.14 and earlier suffer from a use-after-free vulnerability in the /dev/crypto device driver that enables local privilege escalation through reference count manipulation. Attackers with local access can exploit this memory corruption flaw to gain elevated privileges on affected systems. Public exploit code exists for this vulnerability.
A memory leak vulnerability exists in the Linux kernel's ice driver in the ice_set_ringparam() function, where dynamically allocated tx_rings and xdp_rings are not properly freed when subsequent rx_rings allocation or setup fails. This affects all Linux kernel versions with the vulnerable ice driver code path, and while memory leaks typically enable denial of service through resource exhaustion rather than direct code execution, the impact depends on exploitation frequency and system memory constraints. No active exploitation or proof-of-concept has been publicly disclosed; the vulnerability was discovered through static analysis and code review rather than in-the-wild detection.
A vulnerability in the Linux kernel's Transparent Huge Pages (THP) subsystem incorrectly enables THP for files on anonymous inodes (such as guest_memfd and secretmem), which were not designed to support large folios. This can trigger kernel crashes via memory copy operations on unmapped memory in secretmem, or WARN_ON conditions in guest_memfd fault handlers. The vulnerability affects Linux kernel versions across multiple stable branches and requires a kernel patch to remediate; while not known to be actively exploited in the wild, the condition can be triggered locally by unprivileged users through madvise() syscalls.
A race condition in the Linux kernel's PCI DesignWare endpoint driver allows MSI-X interrupt writes to the host to complete after the corresponding Address Translation Unit (ATU) entry has been unmapped, potentially corrupting host memory or triggering IOMMU errors. All kernel versions with the vulnerable PCI DWC endpoint code path are affected, specifically systems using PCI endpoint devices with MSI-X support such as NVMe-PCI endpoint function drivers. An attacker able to drive high-frequency MSI-X interrupts from a malicious endpoint device could exploit the race to cause denial of service through IOMMU faults or potentially corrupt host memory.
A use-of-uninitialized-variable vulnerability exists in the Linux kernel's AMD GPU (drm/amdgpu) driver, specifically in the slot reset error handling path. When device recovery fails after a slot reset is called, the code branches to error handling logic that references an uninitialized hive pointer and accesses an uninitialized list, potentially leading to information disclosure or system instability. This affects Linux kernel versions across multiple stable branches, with patches available in the referenced commits.
A logic error in the Linux kernel's DRBD (Distributed Replicated Block Device) subsystem causes drbd_al_begin_io_nonblock() to fail silently when activity log extent acquisition fails due to spinlock contention, leading to loss of mutual exclusivity guarantees between resync and application I/O operations. This vulnerability affects all Linux kernel versions with the affected DRBD code and can result in kernel crashes via BUG_ON() assertions when activity log references are incorrectly released, as well as potential data consistency issues during active resync operations when concurrent application I/O proceeds without proper exclusivity enforcement.
This vulnerability is a speculative execution safety flaw in the Linux kernel's x86 FRED (Flexible Return and Event Delivery) interrupt handling code where array_index_nospec() is incorrectly positioned, allowing speculative memory predictions to leak sensitive information through side-channel attacks. The vulnerability affects all Linux kernel versions with FRED support (primarily x86-64 systems with newer Intel/AMD processors). An attacker with local access could potentially infer sensitive kernel memory values through timing or covert channel attacks exploiting the unsafe speculation window.
A memory management vulnerability in the Linux kernel's EFI boot services implementation causes a leak of approximately 140MB of RAM on systems with CONFIG_DEFERRED_STRUCT_PAGE_INIT enabled, particularly affecting resource-constrained EC2 instances with 512MB total RAM. The vulnerability occurs when efi_free_boot_services() attempts to free EFI boot services memory before the kernel's deferred memory map initialization is complete, resulting in freed pages being skipped and never returned to the memory pool. This is a kernel-level memory exhaustion issue affecting all Linux distributions, though impact is most severe on systems with minimal RAM; no active exploitation or proof-of-concept has been identified as this is a resource leak rather than a code execution vector.
A memory access protection bypass vulnerability exists in the Linux kernel's ARM64 ioremap_prot() function where user-space page protection attributes are improperly propagated to kernel-space I/O remapping, bypassing Privileged Access Never (PAN) protections and enabling information disclosure. This affects all Linux kernel versions on ARM64 systems with PAN enabled. An attacker with local access can trigger memory access faults and potentially read sensitive kernel memory through operations like accessing /proc/[pid]/environ on vulnerable systems.
A memory protection vulnerability exists in the Linux kernel's ARM64 Guarded Control Stack (GCS) implementation when FEAT_LPA2 (52-bit virtual addressing) is enabled. The vulnerability occurs because GCS page table entries incorrectly use the PTE_SHARED bits (0b11) in positions that are repurposed for high-order address bits when LPA2 is active, causing page table corruption and kernel panics during GCS memory operations. This affects all Linux kernel versions with GCS support on ARM64 systems with LPA2 enabled, and while no active exploitation or public POC has been reported, the vulnerability causes immediate kernel crashes when GCS is enabled on affected hardware configurations.
A memory corruption vulnerability exists in the Linux kernel's XDP (eXpress Data Path) subsystem where negative tailroom calculations are incorrectly reported as large unsigned integers, allowing buffer overflows during tail growth operations. This affects Linux kernel versions across multiple stable branches when certain Ethernet drivers (notably ixgbevf) report incorrect DMA write sizes, leading to heap corruption, segmentation faults, and general protection faults as demonstrated in the xskxceiver test utility. The vulnerability has no CVSS score assigned and shows no active KEV exploitation status, but represents a critical memory safety issue affecting systems using XDP with affected Ethernet drivers.
A memory leak vulnerability exists in the Linux kernel's NFC NCI subsystem where the nci_transceive() function fails to free socket buffer (skb) objects on three early error paths (-EPROTO, -EINVAL, -EBUSY), causing kernel memory exhaustion over time. The vulnerability affects all Linux kernel versions with the vulnerable code in the NFC NCI driver, impacting any system with NFC capabilities that processes malformed or resource-constrained NCI transactions. While not directly exploitable for code execution, attackers can trigger memory exhaustion leading to denial of service by sending specially crafted NFC messages that trigger the error paths, and the vulnerability has been confirmed in kernel self-tests via kmemleak detection.
A memory leak vulnerability exists in the Linux kernel's NFC (Near Field Communication) NCI subsystem where pending data exchange operations are not properly completed when a device is closed, causing socket references to be held indefinitely. This affects all Linux kernel versions with the vulnerable NFC NCI code path. An attacker with local access to NFC functionality could trigger repeated device close operations to exhaust memory resources, leading to denial of service. While no CVSS score or EPSS data is currently available, the issue is being actively addressed through kernel patches as evidenced by multiple commit references.
This vulnerability is a memory leak in the Linux kernel's AF_XDP socket implementation where buffers fail to be properly returned to the free list due to improper list node reinitialization. The vulnerability affects all Linux kernel versions with the AF_XDP subsystem enabled, potentially allowing local attackers or unprivileged users to exhaust kernel memory over time. While not actively exploited in the wild according to available intelligence, the vulnerability has clear patches available in stable kernel branches and represents a real denial-of-service risk for systems relying on XDP functionality.
The Apple Silicon SMC hwmon driver (macsmc-hwmon) in the Linux kernel contains critical memory safety bugs in sensor population and float conversion logic. Specifically, voltage sensors are incorrectly registered to the temperature sensor array, and float-to-32-bit conversion has flawed exponent handling, potentially leading to out-of-bounds memory access, data corruption, or incorrect fan control on affected Apple Silicon systems. The vulnerability affects Linux kernel versions with the macsmc-hwmon driver and has been patched; no active exploitation or POC is currently known, but the nature of the bugs suggests high real-world risk for systems relying on thermal management.
A use-after-free and list corruption vulnerability exists in the Linux kernel's IPMI (Intelligent Platform Management Interface) subsystem when the SMI sender returns an error. All kernel versions with the vulnerable IPMI code path are affected; a local attacker or process with IPMI access can trigger denial of service through list corruption and NULL pointer dereferences. The issue is not listed in CISA's KEV catalog and no CVSS or EPSS scores have been published, but the trigger is reliably reachable by local actors with access to the IPMI kernel interface.
A memory alignment fault vulnerability exists in the Linux kernel's IPv4 multipath routing hash seed implementation that causes kernel panics on ARM64 systems when compiled with Clang and Link Time Optimization (LTO) enabled. The vulnerability affects all Linux kernel versions with the vulnerable code path in net/ipv4/route.c, specifically impacting ARM64 architectures where strict alignment requirements for Load-Acquire instructions are enforced. An attacker with local access or ability to trigger multipath hash operations could cause a denial of service by crashing the kernel, though no active exploitation has been reported in the wild.
A device node reference leak exists in the Linux kernel's bq257xx regulator driver within the bq257xx_reg_dt_parse_gpio() function. When the function fails to retrieve a subchild device node, it returns prematurely without properly releasing the reference via of_node_put(child), causing a memory leak. This affects all Linux kernel versions containing this vulnerable code path in the bq257xx regulator driver, and while not directly exploitable for code execution, the memory leak can be triggered repeatedly to degrade system stability and availability.
A memory safety vulnerability exists in the Linux kernel's accel/rocket driver where the error path in rocket_probe() fails to properly unwind resource allocations when rocket_core_init() fails, particularly during EPROBE_DEFER scenarios. This affects all Linux kernel versions containing the vulnerable accel/rocket driver code. An attacker with local access could trigger a probe failure condition to cause out-of-bounds memory accesses, potentially leading to denial of service or privilege escalation.
This vulnerability is a memory leak in the Linux kernel's Bluetooth subsystem where Socket Buffers (SKBs) queued into the sk_error_queue for TX timestamping are not properly purged during socket destruction, allowing sensitive timestamp data to persist in kernel memory. The vulnerability affects all Linux kernel versions that support Bluetooth with SO_TIMESTAMPING enabled (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*). An attacker with local access could potentially read leaked kernel memory contents including timestamp information that should have been cleaned up, or trigger the leak by unexpectedly removing the Bluetooth controller while timestamped packets remain queued.
A credential reference leak exists in the Linux kernel's nfsd (NFS daemon) subsystem, specifically in the nfsd_nl_threads_set_doit() function which handles netlink-based thread configuration. The vulnerability affects all Linux kernel versions containing the vulnerable nfsd code path, allowing local users with netlink access to trigger memory leaks of credential structures through repeated invocations of the affected function. While not directly exploitable for privilege escalation or data theft, the memory leak can lead to denial of service through resource exhaustion and enables information disclosure via leaked kernel memory structures.
A reference count leak in the Linux kernel's SCSI core subsystem causes the tagset_refcnt reference counter to fail to decrement properly, resulting in resource exhaustion and system hangs during SCSI host teardown. This affects all Linux kernel versions with the vulnerable code path, particularly impacting iSCSI configurations where the leak manifests as indefinite blocking in scsi_remove_host() calls. While not actively exploited in the wild (no KEV status), this is a denial-of-service vulnerability that can be triggered by any user with the ability to manage SCSI sessions or trigger host removal operations.
This vulnerability is a resource leak in the Linux kernel's InfiniBand mthca driver within the mthca_create_srq() function, where the mthca_unmap_user_db() cleanup call is missing on the error path. A user with local access can trigger this leak by causing the mthca_create_srq() system call to fail, resulting in persistent kernel memory not being freed, which could lead to denial of service through memory exhaustion. While no CVSS score, EPSS value, or KEV status is documented, the issue affects all Linux kernel versions using the mthca driver and has been patched across multiple stable kernel branches as evidenced by six linked commit fixes.
Improper bounds checking in Apple macOS (Sequoia 15.7.4 and earlier, Sonoma 14.8.4 and earlier, Tahoe 26.3 and earlier) permits a local attacker to write out-of-bounds memory through a malicious application, potentially allowing modification of protected filesystem areas. The vulnerability requires user interaction to execute the malicious app and affects the file system's integrity rather than confidentiality. No patch is currently available for this out-of-bounds write condition.
Apple's iOS, iPadOS, macOS, tvOS, and watchOS contain a use-after-free vulnerability that could allow a local attacker to corrupt kernel memory or cause unexpected system crashes. An installed application can trigger this memory corruption flaw through user interaction, potentially leading to denial of service or unauthorized kernel-level modifications. No patch is currently available for this vulnerability (CVSS 7.1).
Memory corruption in Apple Safari, iOS, iPadOS, macOS, and visionOS allows remote attackers to crash affected processes by delivering maliciously crafted web content to users. The vulnerability requires user interaction to view the malicious content and does not enable code execution or information disclosure. A patch is currently unavailable for this issue.
macOS systems running Sequoia 15.7.4 or earlier, Sonoma 14.8.4 or earlier, and Tahoe 26.3 or earlier contain a use-after-free vulnerability in SMB share handling that could allow an attacker to crash the operating system by mounting a specially crafted network share. The vulnerability requires user interaction to mount the malicious share and results in denial of service rather than code execution or data compromise. No patch is currently available for this vulnerability.
Type confusion in Apple's iOS, iPadOS, macOS, tvOS, visionOS, and watchOS allows local attackers to trigger unexpected application termination through memory corruption. The vulnerability affects multiple OS versions and currently lacks a publicly available patch. An attacker with local access can exploit this to cause denial of service by crashing targeted applications.
Apple's iOS, iPadOS, macOS, tvOS, visionOS, and watchOS contain a use-after-free vulnerability that could allow remote attackers to crash affected applications by processing maliciously crafted web content. The vulnerability stems from improper memory management and requires user interaction to exploit. No patch is currently available, leaving users vulnerable until official updates are released.
A use-after-free memory corruption vulnerability in Apple iOS, iPadOS, and macOS allows local attackers to trigger unexpected system termination, resulting in denial of service. The flaw affects multiple Apple platforms including iOS 18.x, macOS Sequoia, Sonoma, and Tahoe versions. No patch is currently available.
This vulnerability is a memory handling flaw in Apple's operating systems (iOS, iPadOS, macOS, tvOS, visionOS, and watchOS) that allows a malicious application to trigger unexpected system termination or corrupt kernel memory. The vulnerability affects all versions prior to the version 26.4 releases across Apple's entire ecosystem. An attacker can exploit this by crafting a malicious app that triggers improper memory handling, potentially leading to denial of service or privilege escalation through kernel memory corruption.
NVIDIA SNAP-4 Container contains a use-of-out-of-range pointer offset vulnerability in the VIRTIO-BLK component that allows a malicious guest VM to trigger memory corruption and denial of service. The vulnerability affects NVIDIA SNAP-4 Container across all versions as indicated by the CPE string. A successful exploit results in denial of service to the DPA (Data Processing Appliance) and impacts storage availability to other VMs, though no code execution or information disclosure is possible. There is no evidence of active exploitation in the wild (KEV status indicates none), and the CVSS score of 6.8 reflects moderate severity with high availability impact but limited exploitability due to requiring adjacent network access and user privileges.
Unauthenticated remote attackers can escape the Firefox sandbox through a use-after-free vulnerability in the Canvas2D graphics component, allowing arbitrary code execution on affected systems running Firefox versions prior to 149. The vulnerability requires no user interaction and impacts the entire system due to its critical severity and CVSS score of 10.0. No patch is currently available for this actively exploitable flaw.
A use-after-free vulnerability in Firefox's Cocoa widget component allows remote code execution without user interaction or special privileges, affecting Firefox versions below 149 and ESR below 140.9. An attacker can exploit this memory corruption flaw over the network to achieve complete system compromise with high confidentiality, integrity, and availability impact. No patch is currently available.
Firefox versions prior to 149 contain a use-after-free vulnerability in the JavaScript engine that allows unauthenticated remote attackers to achieve arbitrary code execution with no user interaction required. The vulnerability affects all Firefox users and can be exploited over the network to gain complete control over an affected system. No patch is currently available.
A JIT (Just-In-Time) compilation miscompilation vulnerability exists in Firefox's JavaScript Engine that can lead to information disclosure. This affects Firefox versions below 149 and Firefox ESR versions below 140.9. An attacker can exploit this vulnerability through malicious JavaScript code to potentially disclose sensitive information from the browser's memory or process space.
Mozilla Firefox versions below 149 (and ESR versions below 140.9) contain a use-after-free vulnerability in the JavaScript Engine that enables unauthenticated remote attackers to achieve arbitrary code execution without user interaction. The memory corruption flaw allows complete compromise of affected systems through network-based attacks. No patch is currently available for this critical vulnerability.
A JIT miscompilation vulnerability exists in Firefox's JavaScript engine that can lead to information disclosure. This affects Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. An attacker can exploit this flaw through malicious JavaScript to extract sensitive information from the browser's memory, potentially compromising user data and system security.
Unauthenticated remote attackers can achieve arbitrary code execution through a use-after-free memory corruption vulnerability in Firefox's text and font rendering engine, affecting Firefox versions below 149, ESR below 115.34, and ESR below 140.9. The vulnerability requires no user interaction or special privileges and allows complete compromise of confidentiality, integrity, and availability. No patch is currently available.
Critical use-after-free in Mozilla Firefox's CSS parsing engine enables unauthenticated remote code execution with no user interaction required, affecting Firefox versions below 149, ESR versions below 115.34, and ESR versions below 140.9. An attacker can exploit this memory corruption vulnerability by crafting a malicious web page that triggers the vulnerability when rendered, achieving full system compromise. No patch is currently available.
Sandbox escape in Mozilla Firefox's Disability Access APIs component due to a use-after-free memory vulnerability allows unauthenticated remote attackers to execute arbitrary code with full system compromise. Firefox versions below 149 and Firefox ESR below 140.9 are affected, with no patch currently available. The vulnerability is exploitable over the network without user interaction, presenting critical risk to all affected users.
Memory corruption through out-of-bounds writes in Android-ImageMagick7 prior to version 7.1.2-11 enables local attackers to achieve arbitrary code execution with user interaction. The vulnerability affects Google's implementation of ImageMagick and carries a CVSS score of 7.8, indicating high severity with complete confidentiality, integrity, and availability impact. A patch is available for affected users.
Memory corruption through out-of-bounds write in Android-ImageMagick7 before version 7.1.2-10 enables remote code execution when a user processes a malicious image file. An attacker can exploit this vulnerability over the network without authentication to achieve complete system compromise including data theft, modification, and denial of service. A patch is available for affected Android devices running vulnerable versions of the ImageMagick library.
WujekFoliarz DualSenseY-v2 versions prior to 54 contain an out-of-bounds write vulnerability that allows local attackers with user interaction to achieve arbitrary code execution with full system compromise. The CVSS 7.8 rating reflects the high impact on confidentiality, integrity, and availability through memory corruption exploitation. A patch is available for affected users to mitigate this local privilege escalation risk.
A Use After Free (UAF) vulnerability exists in No-Chicken Echo-Mate prior to version V250329, allowing an attacker with high privileges to cause memory corruption that may lead to information disclosure, data integrity violations, or denial of service. The vulnerability is classified as CWE-416 and carries a CVSS score of 6.4; a security patch is available from the vendor via GitHub pull request.
Remote code execution in Google Chrome's Federated Credential Management (FedCM) prior to version 146.0.7680.165 enables unauthenticated attackers to execute arbitrary code within the browser sandbox through a malicious HTML page. This use-after-free vulnerability in memory management affects Chrome on all supported platforms and requires only user interaction to trigger. A patch is available in Chrome 146.0.7680.165 and later.
Sandboxed code execution in Google Chrome's WebGPU implementation (prior to 146.0.7680.165) stems from a use-after-free memory vulnerability that can be triggered via malicious HTML pages. An unauthenticated remote attacker can exploit this to execute arbitrary code within the Chrome sandbox without user interaction beyond viewing a crafted webpage. A patch is available for affected users.
Sandbox escape in Google Chrome prior to version 146.0.7680.165 via a use-after-free vulnerability in the Dawn graphics component enables remote attackers to execute arbitrary code when users visit malicious HTML pages. The vulnerability affects multiple platforms including Debian systems and requires only user interaction to trigger, bypassing Chrome's sandbox isolation. A patch is available to remediate this high-severity memory corruption flaw.
XnSoft NConvert version 7.230 contains a Use-After-Free vulnerability triggered by processing specially crafted TIFF files, which can lead to information disclosure and potential code execution. The vulnerability affects NConvert image conversion software and has been publicly documented with proof-of-concept code available on GitHub. An attacker can exploit this by providing a malicious TIFF file to an NConvert user or service, potentially causing a crash or unauthorized memory access.
GPU shader compiler memory corruption via malicious shader code allows remote code execution when the compiler runs with elevated privileges, affecting multiple platforms through crafted switch statements that trigger out-of-bounds writes. An attacker can exploit this vulnerability by delivering specially-crafted GPU shader code through a web page, potentially gaining system-level control on vulnerable devices. No patch is currently available for this critical vulnerability.
A remote code execution vulnerability in libde265 (CVSS 5.5). Remediation should follow standard vulnerability management procedures.
libfuse versions 3.18.0 through 3.18.1 contain a use-after-free vulnerability in the io_uring subsystem that allows local attackers to crash FUSE filesystem processes or execute arbitrary code when thread creation fails under resource constraints. The flaw occurs when io_uring initialization fails (e.g., due to cgroup limits), leaving a dangling pointer in session state that is dereferenced during shutdown. Public exploit code exists for this vulnerability, and no patch is currently available.
Heap-based buffer overflow in GPAC MP4Box's XML parsing function allows local attackers to corrupt memory and potentially crash the application or achieve code execution by crafting malicious NHML files with specially formatted BitSequence elements. The vulnerability affects systems processing untrusted multimedia files and remains unpatched as of this advisory. Exploitation requires user interaction to open a malicious file.
Qwik, a performance-focused JavaScript framework, contains an array prototype pollution vulnerability in its FormData parsing logic that affects versions prior to 1.19.2. Attackers can submit specially crafted form field names using mixed array-index and object-property keys (e.g., items.0 alongside items.toString or items.length) to inject malicious properties into objects the application expects to be arrays, leading to denial of service through malformed array states, oversized lengths, or request handling failures. The vulnerability has a CVSS score of 7.5 (High severity) with network-based exploitation requiring no authentication or user interaction, and a patch is available in version 1.19.2.
The tar-rs Rust library versions 0.4.44 and below contain a logic flaw where PAX (POSIX.1-2001) size headers are conditionally skipped when the base tar header size is nonzero, causing the library to parse tar archives differently than other standard tar implementations like Go's archive/tar. This discrepancy allows an attacker to craft malicious tar archives that appear different when unpacked by tar-rs versus other parsers, potentially leading to information disclosure or file confusion attacks. The vulnerability affects any application using tar-rs to parse untrusted archives and expecting consistent behavior with other tar parsers, with a moderate CVSS score of 5.1 indicating low attack complexity and network accessibility.
PJSIP versions 2.16 and earlier contain a heap use-after-free vulnerability in ICE session handling caused by race conditions between session destruction and callback execution, enabling memory corruption and potential code execution. This flaw affects all systems using vulnerable PJSIP versions for multimedia communication and currently has no available patch. With a CVSS score of 8.1, the vulnerability is remotely exploitable without authentication or user interaction.
Heap memory corruption in Google Chrome prior to version 146.0.7680.153 can be triggered through malicious browser extensions, affecting Chrome users on Google, Ubuntu, and Debian systems. An attacker must convince a user to install a compromised extension to exploit this use-after-free vulnerability and potentially achieve code execution. A patch is available.
Heap memory corruption in Google Chrome's V8 engine (versions prior to 146.0.7680.153) stems from type confusion vulnerabilities that can be triggered through malicious HTML pages without user privileges. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution or crash the browser. The vulnerability affects Chrome, Ubuntu, and Debian systems, with patches now available.
A use-after-free vulnerability in Google Chrome's Digital Credentials API prior to version 146.0.7680.153 enables attackers with a compromised renderer process to escape the sandbox and potentially achieve code execution through a specially crafted HTML page. The vulnerability affects Chrome on multiple platforms including Ubuntu and Debian systems, requiring user interaction to trigger but presenting high impact across confidentiality, integrity, and availability. A patch is available in Chrome 146.0.7680.153 and later versions.
Heap memory corruption in Google Chrome versions prior to 146.0.7680.153 can be triggered through a use-after-free vulnerability in the Network component when a user visits a malicious HTML page. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution with high integrity and confidentiality impact. A patch is available for Chrome, Ubuntu, and Debian users.
Heap corruption in Google Chrome's V8 engine prior to version 146.0.7680.153 can be triggered through out-of-bounds memory writes when a user visits a malicious webpage. An unauthenticated remote attacker can exploit this vulnerability to achieve arbitrary code execution with high integrity and confidentiality impact. A security patch is available for affected users on Chrome, Ubuntu, and Debian systems.
Heap memory corruption in Google Chrome's Blink rendering engine prior to version 146.0.7680.153 can be triggered through a malicious HTML page, potentially enabling remote code execution. An unauthenticated attacker requires only user interaction to exploit this use-after-free vulnerability across network boundaries. A patch is available for affected Chrome, Ubuntu, and Debian users.
Heap corruption via use-after-free in Google Chrome's WebRTC implementation (versions prior to 146.0.7680.153) enables remote attackers to achieve arbitrary code execution through malicious HTML pages, requiring only user interaction. The vulnerability affects Chrome, Ubuntu, and Debian systems with a CVSS score of 8.8, though a patch is available.
Heap memory corruption in Google Chrome's WebRTC implementation prior to version 146.0.7680.153 enables remote attackers to execute arbitrary code by tricking users into visiting malicious websites. The use-after-free vulnerability requires only user interaction and affects Chrome on multiple platforms including Ubuntu and Debian systems. A patch is available to address this high-severity flaw.
Heap corruption in Google Chrome versions before 146.0.7680.153 results from a use-after-free vulnerability in the Base component, enabling remote attackers to execute arbitrary code through malicious HTML pages. The attack requires user interaction but no authentication, affecting Chrome on multiple platforms including Linux distributions. A patch is available to remediate this critical-severity vulnerability.
This is a critical out-of-bounds read and write vulnerability in the WebGL implementation of Google Chrome prior to version 146.0.7680.153. The vulnerability allows a remote attacker to perform arbitrary memory read and write operations by crafting a malicious HTML page, potentially leading to information disclosure, code execution, or complete system compromise. The vulnerability affects multiple Debian releases and has been assigned ENISA EUVD ID EUVD-2026-13447; a vendor patch is available.
Out-of-bounds memory corruption in Google Chrome's WebGL implementation on Android prior to version 146.0.7680.153 enables remote attackers to escape the browser sandbox by delivering a malicious HTML page, requiring only user interaction. This critical vulnerability affects Chrome users on Android devices and could lead to complete system compromise if successfully exploited. A patch is available in Chrome 146.0.7680.153 and later versions.
Stack buffer overflow in wolfSSL 5.8.4's ECH (Encrypted Client Hello) implementation allows remote attackers to crash TLS clients or achieve code execution by sending a maliciously crafted ECH configuration. The vulnerability affects clients that have explicitly enabled ECH support, which is disabled by default. An attacker controlling a TLS server can exploit this remotely without authentication or user interaction.
CVE-2026-3503 is a security vulnerability (CVSS 4.3) that allows a physical attacker. Remediation should follow standard vulnerability management procedures.
Buffer overflow vulnerabilities in wolfSSL's CRL parser enable heap and stack memory corruption when processing maliciously crafted Certificate Revocation Lists, allowing potential code execution on affected systems. This vulnerability only impacts installations with explicit CRL support enabled that load CRLs from untrusted sources. No patch is currently available.
HTSlib, a widely-used bioinformatics library for reading and writing sequence alignment formats, contains a critical buffer overflow vulnerability in its CRAM format decoder. The vulnerability exists in the `cram_byte_array_len_decode()` function which fails to validate that unpacked data matches the output buffer size, affecting HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1. An attacker can craft a malicious CRAM file that, when opened by a user, triggers either a heap or stack overflow with attacker-controlled bytes, potentially leading to arbitrary code execution, program crash, or memory corruption.
HTSlib contains a buffer overflow vulnerability in its CRAM format decoder affecting the VARINT and CONST encoding handlers, where incomplete context validation allows writes of up to eight bytes beyond heap allocation boundaries or into stack-allocated single-byte variables. This vulnerability affects HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1, and impacts any application using the library to process CRAM-formatted bioinformatics data files. An attacker can craft a malicious CRAM file to trigger heap or stack overflow conditions, potentially leading to denial of service, memory corruption, or arbitrary code execution when processed by a vulnerable application.
This vulnerability is a memory leak in the Linux kernel's io_uring subsystem, specifically within the zero-copy receive (zcrx) implementation where a page array fails to be deallocated during scatter-gather initialization failures. The vulnerability affects all Linux kernel versions with the vulnerable io_uring/zcrx code path, allowing local attackers with the ability to trigger failed scatter-gather operations to exhaust kernel memory and cause denial of service. No active exploitation has been reported, but this is a kernel memory management issue with straightforward local triggering conditions.