Red Hat
Monthly
Kernel panic via reference count corruption in the Linux kernel's HFS+ filesystem driver (hfsplus) allows a local attacker with low privileges to crash the system. The function hfs_bnode_create() returns an already-hashed B-tree node without incrementing its reference count when it unexpectedly encounters a node that should not yet exist - a condition triggered by filesystem corruption or a logic error in hfs_bmap_alloc(). When hfs_bnode_put() later decrements the reference count to zero and attempts cleanup, the kernel triggers a fatal BUG_ON(!atomic_read(&node->refcnt)) assertion at bnode.c:676, causing an immediate kernel panic. No public exploit exists and EPSS is 0.02% (7th percentile), consistent with the local-only attack vector and niche trigger conditions, but the availability impact is total for affected systems.
Denial of service in the Linux kernel's RCU (Read-Copy-Update) subsystem allows a local condition to trigger an infinite recursion deadloop in rcu_read_unlock_special() when ftrace is enabled, leading to kernel hang or crash. The flaw stems from a missing recursion-protection flag when raise_softirq_irqoff() is invoked from the RCU unlock path, causing repeated re-entry through the softirq/trace stack. No public exploit identified at time of analysis and EPSS rates exploitation probability at 0.02%.
Memory leak in Linux kernel's fbdev au1200fb framebuffer driver causes resource exhaustion when the probe function encounters IRQ allocation failure. The vulnerability exists in au1200fb_drv_probe() within the au1200fb driver: when platform_get_irq() returns an error, the function returns immediately without releasing previously allocated memory, leading to kernel heap exhaustion over time. Local attackers or repeated probe failures (e.g., via hotplug events on affected MIPS-based Alchemy hardware) can deplete kernel memory, resulting in denial of service. No public exploit has been identified at time of analysis, and EPSS at 0.02% (7th percentile) confirms negligible exploitation interest.
IO deadloop in Linux kernel's md/raid5 subsystem causes complete availability loss on systems running degraded RAID5 arrays with llbitmap enabled. When llbitmap bit state is 'unwritten', the missing synchronization check in need_this_block() diverges from the check present in handle_stripe_dirtying(), trapping handle_stripe() in an infinite loop that never makes progress - effectively hanging all IO on the affected array. No public exploit is identified at time of analysis, and EPSS at 0.02% (4th percentile) reflects very low real-world exploitation probability, consistent with the narrow deployment conditions required.
Missing MTU validation in the Linux kernel fbnic Ethernet driver allows a local low-privileged user to trigger a denial of service by increasing the interface MTU after an XDP program is already attached. Increasing the MTU beyond the HDS (Header Data Split) threshold causes the fbnic hardware to fragment packets across multiple buffers; since single-buffer XDP programs cannot process multi-fragment frames, the driver silently drops them - breaking new TCP streams and discarding oversized non-TCP traffic. No public exploit exists and EPSS is 0.02% (4th percentile), placing this firmly in the low-priority tier despite its High availability rating; patches are confirmed available in Linux 6.18.14, 6.19.4, and 7.0.
Memory leak in the Linux kernel's StarFive AES crypto driver allows a local low-privileged user on affected StarFive JH7110 RISC-V hardware to exhaust kernel memory and cause a denial of service. The flaw resides in starfive_aes_aead_do_one_req(), where kzalloc()-allocated memory for rctx->adata is not freed on two distinct error paths - failures in sg_copy_to_buffer() or starfive_aes_hw_init() - resulting in unreleased heap memory each time an AEAD operation fails. No public exploit exists and EPSS is extremely low at 0.02%, consistent with a hardware-specific, analysis-discovered defect rather than an actively targeted weakness.
Use-after-free race condition in the Linux kernel hwrng (hardware random number generator) core subsystem allows a local attacker with low privileges to crash the kernel, causing a denial of service. The race occurs when hwrng_register() and hwrng_unregister() execute concurrently, leaving the hwrng_fill pointer dirty and enabling kthread_stop() to be invoked on an already-freed task_struct - confirmed in the virtrng_remove call path, making virtualized Linux environments a primary real-world attack surface. No public exploit code exists and no active exploitation (KEV) has been confirmed; the EPSS score of 0.02% reflects minimal opportunistic exploitation activity.
Memory exhaustion in the Linux kernel's ext4 filesystem driver allows a local low-privilege user to gradually degrade system availability by repeatedly triggering a kernel memory leak in ext4_ext_shift_extents(). The flaw, present since approximately kernel 3.15, causes path structures allocated by ext4_find_extent() to go unreleased when a NULL extent is encountered during fallocate shift operations. With no CISA KEV listing, an EPSS of 0.02%, and no public exploit code identified, this is a low-urgency but genuine patch priority for long-lived ext4 systems with unprivileged local users.
Memory exhaustion in the Linux kernel's drm/amdgpu driver allows a local low-privileged user on AMD GPU-equipped systems to degrade host availability by repeatedly triggering an error path in amdgpu_acpi_enumerate_xcc() that leaks kernel heap memory. The root cause is a missing free of the xcc_info structure when amdgpu_acpi_dev_init() returns -ENOMEM, identified through static analysis and code review rather than active exploitation. With EPSS at 0.02% (5th percentile) and no CISA KEV listing, this is a low-priority maintenance fix for most environments, most relevant to long-running AMD GPU compute workloads where repeated enumeration failures could accumulate leaked memory.
Use-after-free in the Linux kernel's ab8500 power supply driver (drivers/power/supply/ab8500) can be triggered during device removal or probe due to incorrect ordering of devm_-managed resource allocation. The race allows an IRQ handler to invoke power_supply_changed() against a freed or uninitialized power_supply handle, typically resulting in a kernel crash or silent memory corruption. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the flaw is not on CISA KEV.
Kernel NULL pointer dereference in the Linux EROFS compressed filesystem driver allows a local user reading from an EROFS image to crash the system. The flaw lives in z_erofs_decompress_pcluster(), where compressed folios for ztailpacking pclusters are added to I/O chains before being validated; if inline-data reading fails (notably when a fatal signal interrupts read_mapping_folio()), decompression assumes the folios are valid and dereferences a NULL pointer. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%), and the issue is not in CISA KEV.
TPM locality leak in the Linux kernel's tpm_i2c_infineon driver allows a local user on an affected system to exhaust TPM localities and render the TPM device unavailable. The tpm_tis_i2c_send() function acquires a TPM locality at entry but fails to release it when get_burstcount() times out with -EBUSY, causing a resource leak on every such timeout. Patches are available across multiple stable kernel branches; no public exploit code or active exploitation (CISA KEV) has been identified, and EPSS is 0.02% at the 7th percentile.
Kernel crash (oops) in the stmmac GMAC4 Ethernet driver causes a denial of service when split header reception is enabled. The stmmac receive path incorrectly assumes that buf2 of the first DMA descriptor is always fully populated with payload, but the GMAC4 hardware does not guarantee this in all cases. When the assumption is violated, the driver miscalculates the length of buf2 in the second descriptor, resulting in an invalid virtual address dereference deep in the DMA cache-invalidation path, crashing the kernel. No public exploit has been identified at time of analysis, and EPSS is 0.02% (4th percentile), indicating negligible opportunistic exploitation interest.
Memory leak in the Linux kernel's NI USB GPIB driver allows a local low-privileged user to exhaust kernel memory by repeatedly triggering a failed initialization path. The flaw exists in ni_usb_init(), where a writes buffer is allocated but never freed when ni_usb_setup_init() returns failure, compounding the issue with an incorrect error code (-EFAULT instead of -EINVAL). No public exploit is identified at time of analysis, and EPSS sits at 0.02%, consistent with the niche hardware driver context and local-only attack surface.
Memory corruption in the Linux kernel's pm8916_lbc power-supply driver (Qualcomm PM8916 PMIC linear battery charger) stems from a use-after-free in power_supply_changed(), where devm-managed teardown ordering lets a charger interrupt fire against a freed or not-yet-initialized power_supply handle during driver probe or removal. Local attackers able to trigger device unbind/rebind or module load/unload can crash the system or silently corrupt kernel memory. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis; the issue is not in CISA KEV.
Kernel panic in the Linux kernel's Inside Secure EIP-93 hardware crypto driver occurs during driver detach due to a loop iterator bug that causes the same hash algorithm to be unregistered multiple times. Systems equipped with Inside Secure EIP-93 cryptographic accelerator hardware and running unpatched kernels between the introducing commit (9739f5f93b78) and the fix commits are vulnerable. A local low-privileged user who can trigger driver detach - via module unload or device removal - can crash the kernel, resulting in a full system denial of service. No public exploit exists and EPSS is 0.02% (4th percentile), indicating negligible in-the-wild activity.
Use-after-free in the Linux kernel's goldfish power-supply driver (drivers/power/supply/goldfish_battery) allows a local attacker to crash the system or corrupt kernel memory by racing device probe/removal against the battery IRQ handler. The driver requested its IRQ via devm_ before registering the power_supply handle, so on teardown the handle is freed while the still-live interrupt can fire and call power_supply_changed() on freed (or, during probe, uninitialized) memory. No public exploit identified at time of analysis; EPSS is negligible (0.02%) and the bug is not in CISA KEV.
Btrfs transaction aborts in the Linux kernel allow local low-privileged users to crash the filesystem by triggering a logic defect in DUP chunk allocation that generates overlapping physical address ranges in the chunk map. Systems running btrfs with DUP metadata profiles - the default for single-device btrfs deployments - can encounter EEXIST (-17) errors in insert_dev_extents() during btrfs_create_pending_block_groups(), causing the transaction to abort and the filesystem to enter an error state. No public exploit or active exploitation (CISA KEV) has been identified; with an EPSS of 0.02% (4th percentile), this is a kernel reliability defect of operational concern to btrfs operators rather than a traditional attack vector.
Uninitialized kernel memory leaks to local users via the MCTP netlink subsystem in the Linux kernel, where RTM_GETNEIGH responses return stale kernel data in the pad bytes of ndmsg structures across link, addr, and neigh response messages. Any local user with PR:L access to the MCTP netlink interface can extract arbitrary pad-byte contents from kernel memory allocations, potentially exposing pointers, partial stack data, or remnants of prior allocations that could assist in defeating kernel address space layout randomization (KASLR). Disclosed by Syed Faraz Abrar (Zellic) and Pumpkin (DEVCORE Research Team) via Trend Micro Zero Day Initiative; no public exploit code exists and EPSS sits at the 5th percentile (0.02%), indicating negligible active exploitation at time of analysis.
Memory leak in the Linux kernel's chips-media wave5 VPU media driver allows a local low-privileged user to exhaust kernel memory, resulting in denial of service. The flaw exists in both the encoder and decoder open paths - wave5_vpu_open_enc() and wave5_vpu_open_dec() - where a VPU instance allocated via kzalloc() is not freed when the subsequent codec_info allocation fails. No public exploit exists and EPSS sits at 0.02% (5th percentile), reflecting the hardware-specific and local-only nature of this issue.
BPF map hash verification in the Linux kernel is vulnerable to a TOCTOU race condition that allows a local low-privileged attacker to bypass integrity checks enforced by trusted BPF loaders. Userspace can call BPF_OBJ_GET_INFO_BY_FD to prime the hash cache, then modify the map contents in the race window before freezing it, causing a trusted loader to verify the original (stale) hash against the silently-altered map. No active exploitation is confirmed (not in CISA KEV) and EPSS is 0.02%, but the attack's integrity impact appears understated by the published CVSS vector, which records A:H/I:N - inconsistent with a hash-bypass that enables modified code/data to be loaded as trusted.
Memory leak in the Linux kernel's Rust-language PWM subsystem allows a local low-privileged attacker to gradually exhaust kernel memory through repeated PWM chip initialization failures. The `pwmchip_alloc()` function allocates a device structure holding an initial reference that must be explicitly released via `pwmchip_put()` on error paths, but when `__pinned_init()` fails the reference is never dropped, leaking the `pwm_chip` allocation. EPSS stands at 0.02% (5th percentile) and the vulnerability is not listed in CISA KEV, indicating no known active exploitation; no public exploit code has been identified at time of analysis.
Reference leak in the Linux kernel's thermal/of subsystem allows a local low-privileged user to degrade system availability through repeated kernel resource exhaustion. The thermal_of_cm_lookup() function acquires a device_node reference via of_parse_phandle() but never releases it, causing reference counts to accumulate without bound on systems with Device Tree-based thermal configuration. No active exploitation is identified (EPSS 0.02%, 5th percentile; no CISA KEV listing), and this is a reliability and availability defect rather than a code-execution primitive; patched stable kernel versions are available across multiple maintained branches.
Improper lock release in the Linux kernel ksmbd subsystem (in-kernel SMB server) allows a local low-privileged user to trigger a deadlock by inducing error paths in `ksmbd_vfs_kern_path_locked` where `ksmbd_vfs_kern_path_end_removing()` is never called to balance the corresponding `ksmbd_vfs_kern_path_start_removing()`. Affected kernel versions span multiple stable branches from 5.15 through 6.17. No public exploit or active exploitation is known; EPSS stands at 0.02% (7th percentile), confirming low real-world exploitation probability.
Missing endpoint descriptor validation in the Linux kernel catc USB Ethernet driver allows a physically-present attacker with a crafted USB device to cause a kernel denial of service. The catc_probe() function submits URBs against hardcoded endpoint pipes (bulk on endpoint 1, interrupt on endpoint 2) without confirming that the connected device actually presents those endpoint types - a malformed device can exploit this assumption to trigger undefined behavior at the URB submission layer. No active exploitation has been confirmed (not listed in CISA KEV), and the EPSS score is extremely low at 0.02% (7th percentile), reflecting limited real-world exploitation likelihood.
Memory leak in the Linux kernel's RDMA/mlx5 subsystem allows a local low-privileged user to exhaust kernel memory by repeatedly triggering the error path in the GET_DATA_DIRECT_SYSFS_PATH uverbs handler. The flaw affects multiple stable kernel branches requiring mlx5-family InfiniBand/RDMA hardware, and was discovered through static analysis and code review rather than active exploitation. No public exploit exists and EPSS probability is 0.02% (5th percentile), indicating no public exploit or active exploitation at time of analysis.
Memory leak in the Linux kernel's MTD TP-Link SafeLoader partition parser allows a local low-privileged user to cause availability degradation on affected embedded systems. The `mtd_parser_tplink_safeloader_parse()` function omits freeing a temporary buffer `buf` on the error path when a subsequent `kmalloc()` for `parts[idx].name` fails inside the parsing loop. No public exploit exists and EPSS is negligible at 0.02% (5th percentile); this vulnerability was identified via static analysis and code review, not observed exploitation.
Local denial-of-condition in the Linux kernel ext4 filesystem driver allows an internal counter (s_dirtyclusters_counter) to be double-decremented to -1 along the block-allocation error path that triggers during filesystem shutdown, surfacing as a WARNING in ext4_put_super(). The flaw lives between ext4_mb_mark_diskspace_used() and ext4_mb_new_blocks(), where a metadata-write failure causes the dirty-clusters reservation to be released twice. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%, 7th percentile); despite the CWE-415 (double free) classification and a 7.8 CVSS, the observed effect is cluster-accounting corruption rather than demonstrated memory corruption.
An infinite self-IPI loop in the Linux kernel's real-time scheduler `rto_next_cpu()` function causes a CPU hardlockup, resulting in a complete denial of service on affected multi-CPU systems. Systems with `HAVE_RT_PUSH_IPI` enabled are vulnerable when a specific concurrent mix of CPU-bound RT tasks, non-CPU-bound RT tasks, and kernel-stuck CFS tasks triggers a race condition between `rd->rto_loop` and `rd->rto_loop_next` during RT load balancing. No public exploit exists and this is not listed in CISA KEV; the EPSS score of 0.02% (7th percentile) confirms low real-world exploitation probability.
NULL pointer dereference in the Linux kernel's ovpn (in-kernel OpenVPN) TCP socket handling causes a local denial of service via kernel crash. The race condition - between keepalive-driven peer release and concurrent userspace socket closure via tcp_close() - allows a low-privileged local user to trigger a kernel crash when ovpn attempts to dereference a NULL sk->sk_socket pointer during socket detachment. No public exploit has been identified and EPSS stands at 0.02% (4th percentile), reflecting narrow real-world exploitability constrained by the specific configuration and timing required.
Reference leak in the Linux kernel IPVS (IP Virtual Server) subsystem allows a local low-privileged user to trigger a race condition between the netdev notifier handler and destination cache update logic, potentially causing kernel resource exhaustion. When a network device is shutting down, the FIB routing subsystem may return a valid route after ip_vs_dst_event() finishes processing, allowing that route to be cached against a closing device and leaking a device reference until the IPVS destination is removed. This is a medium-severity availability issue with no public exploit identified at time of analysis and a very low EPSS score of 0.02% (5th percentile), indicating it is not currently a prioritized exploitation target.
Local privilege-relevant memory corruption in the Linux kernel's sbs-battery power supply driver (drivers/power/supply/sbs-battery) stems from a use-after-free in power_supply_changed(). Because the driver requested its IRQ via devm_ before allocating/registering the power_supply handle, devm teardown frees the handle in reverse order while the interrupt is still live, so an SMBus battery interrupt firing during device removal (or before registration during probe) invokes power_supply_changed() on a freed or uninitialized pointer, typically crashing the system or silently corrupting memory. EPSS is negligible (0.02%, 7th percentile), no public exploit is identified, and it is not on CISA KEV; the fix is upstream-committed and shipped in multiple stable releases.
Availability impact in the Linux kernel FAT filesystem driver allows a local low-privileged user to trigger a kernel WARN_ON by mounting and operating on a corrupted FAT image with incorrect directory link counts. Specifically, rmdir unconditionally decrements the parent inode's i_nlink without first verifying it is at least 3, allowing underflow to zero on malformed images. No public exploit has been identified and the EPSS probability is 0.02% (7th percentile), but the kernel WARN_ON can cause a system crash, making the real-world availability impact high on affected systems where users can mount FAT images.
Local memory corruption affects the Linux kernel's hwmon ibmpex driver, where commit 6946c726c3f4 - intended to fix a use-after-free in the high/low sysfs store handlers - instead introduced a new race condition by setting driver data to NULL before removing sensor attributes. The remediation is a revert of that flawed commit across the 6.1, 6.6, 6.12, 6.18, and 6.19 stable trees. With EPSS at 0.02% (7th percentile), no public exploit identified at time of analysis, and no CISA KEV listing, real-world risk is minimal given the obscure IBM PowerExecutive sensor hardware the driver targets.
Bridge multicast MDB entry counter underflow in the Linux kernel's `net/bridge/br_multicast.c` allows local attackers with low privileges to trigger a kernel WARN_ON - and a system panic on hosts configured with `panic_on_warn=1` - by manipulating VLAN snooping state on a bridge interface before flushing multicast group entries. Multiple stable kernel branches are affected across all architectures that include the bridge multicast subsystem. No public exploit identified at time of analysis, with an EPSS score of 0.02% (5th percentile) confirming low exploitation probability; patches are available across kernel stable series 6.12, 6.6, 6.18, 6.19, and 7.0.
Ext4 filesystem extent-splitting logic in the Linux kernel incorrectly caches extents mid-operation, leaving stale hole entries in the in-memory extent status tree (ESTree). When a Direct I/O write partially covers a pre-allocated unwritten extent, ext4_split_extent_at() can insert an incorrect hole entry that persists uncorrected, causing space accounting errors when subsequent delayed buffer writes target the same region. No active exploitation has been confirmed (not in CISA KEV), and the EPSS score of 0.02% (7th percentile) reflects negligible real-world exploitation likelihood; this is primarily a kernel correctness and filesystem availability defect rather than a targeted attack surface.
NULL pointer dereference in the Linux kernel's cdns3 USB dual-role driver crashes the kernel when a USB OTG role switch to host mode occurs during a system resume from suspend. The host role's resume() operation calls usb_hcd_is_primary_hcd() on an xhci-hcd device whose probe has been deferred by the driver model, yielding a dereference at virtual address 0x208 and a kernel oops. Impact is limited to denial of service (system crash); no privilege escalation or data disclosure is possible. No active exploitation is confirmed (CISA KEV absent, EPSS 0.02%), and the vulnerability is practically relevant only on hardware platforms featuring the Cadence USB3 cdns3 controller.
Memory leak in the Linux kernel's AMD XDnA accelerator driver (accel/amdxdna) allows a local low-privileged user to degrade system availability by exhausting kernel memory. The amdxdna_ubuf_map() function fails to release previously allocated scatter-gather (sg) and internal sg table memory when error paths are taken during sg_alloc_table_from_pages or dma_map_sgtable operations. No active exploitation is confirmed (absent from CISA KEV), EPSS stands at 0.02% (4th percentile), and impact is strictly limited to availability - no confidentiality or integrity exposure exists.
Deadlock in the Linux kernel mlx5e Mellanox/NVIDIA Ethernet driver allows a low-privileged local attacker to hang the system by triggering network health reporter recovery paths that acquire locks in the wrong order. Specifically, work handlers acquire the netdev instance lock before invoking devlink_health_report, which then attempts to acquire the devlink lock - reversing the mandated devlink → rtnl → netdev ordering and producing an ABBA deadlock. The vulnerability affects systems equipped with Mellanox/NVIDIA ConnectX NICs; no public exploit exists and EPSS sits at 0.02% (4th percentile), consistent with a kernel-internal locking race rather than an externally triggerable flaw.
Use-after-free in the Linux kernel's pf1550 power-supply driver (drivers/power/supply/pf1550) lets a queued hardware interrupt invoke power_supply_changed() on an already-freed power_supply handle during module/device removal, and can also dereference an uninitialized handle during probe. The flaw stems from devm-managed resource ordering: the IRQ was requested before the power_supply was registered, so devm teardown frees the power_supply first. Impact is typically a kernel crash or silent memory corruption. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis.
Race condition in the Linux kernel's XFRM ICMP route lookup path causes a kernel WARN_ON that can crash affected systems. Within `icmp_route_lookup()`, a TOCTOU window between a locality check and a subsequent `ip_route_input()` call allows a concurrently executing `ip addr add` to return a LOCAL route whose `dst.output` is set to `ip_rt_bug()` - a debugging stub that fires `WARN_ON` when invoked during ICMP error transmission. Exploitation requires local access, active XFRM/IPsec policy, and precise race-window timing; no active exploitation is confirmed and EPSS sits at 0.02%, though a public reproducer exists that requires kernel modification to reliably trigger.
Recursive mutex deadlock in the Linux kernel's PowerPC Enhanced Error Handling (EEH) subsystem causes denial of service on IBM POWER systems running affected kernel versions. Commit 1010b4c012b0 inadvertently repositioned pci_lock_rescan_remove() calls so that eeh_handle_normal_event() holds the lock before invoking eeh_pe_bus_get(), which internally attempts to acquire the same mutex, producing a confirmed lockdep-detected deadlock that crashes the EEH daemon and disables PCI error recovery. No public exploit has been identified and the EPSS score of 0.02% (7th percentile) reflects the narrow hardware-specific attack surface; real-world impact is a reliability and availability concern for IBM POWER server operators rather than a traditional security attack vector.
Information disclosure in the Linux kernel BPF subsystem allows a local low-privileged user with BPF program load access to leak kernel memory contents. Incorrect memory-access flags on several ARG_PTR_TO_MEM helper prototypes (notably bpf_get_stack_proto_raw_tp) cause the verifier to wrongly assume helper-written buffers are unchanged, optimizing away subsequent reads and producing stale or uninitialized data that can expose kernel memory. There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and it is not in CISA KEV.
Local privilege-level use-after-free in the Linux kernel's bq256xx battery charger driver (power: supply: bq256xx) allows memory corruption when a charger IRQ fires during device probe or removal, calling power_supply_changed() against a freed or uninitialized power_supply handle. The flaw stems from devm_ resources being released in reverse order, so the IRQ outlives the power_supply registration; triggering it typically crashes the system or silently corrupts kernel memory. No public exploit is identified at time of analysis and EPSS exploitation probability is negligible (0.02%, 7th percentile), with no CISA KEV listing.
Circular lock dependency in the Linux kernel's netfilter nf_tables subsystem causes kernel deadlock or hang when nft reset, ipset list, and iptables-nft with '-m set' rules execute concurrently, resulting in a local denial of service. The root cause is improper use of commit_mutex in the reset path, which - when interleaved with nfnl_subsys_ipset and nlk_cb_mutex acquisitions - creates a deadlock cycle. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.02% (5th percentile) reflects the low real-world exploitation probability for this class of locking defect.
Memory exhaustion vulnerability in the Linux kernel's CAAM DPAA2 crypto driver allows gradual resource depletion on systems with NXP DPAA2 hardware through unreleased per-CPU net_device allocations during failed probe retries. The regression was introduced when commit 0e1a4d427f58 converted embedded net_device structs to dynamically allocated pointers but omitted cleanup in the dpaa2_dpseci_free() error path - meaning every deferred probe retry triggered by a temporarily unavailable DPIO subsystem silently leaks netdev memory. No public exploit exists and EPSS probability is 0.02% (5th percentile), consistent with the hardware-specific, non-user-controlled nature of the defect.
Availability impact via stale extent cache corruption in the Linux kernel's ext4 filesystem driver allows a local low-privileged user to trigger a kernel denial-of-service condition. When an ext4 extent-splitting operation fails mid-execution, stale entries are left in the extent status tree, which can cause subsequent filesystem operations to crash the kernel. No public exploit exists and EPSS probability sits at 0.02% (7th percentile), reflecting this as a stability bug rather than a targeted attack vector. Vendor-released patches are available across all active stable branches.
Counter value underrun in the Linux kernel's netfilter nft_counter subsystem allows a local unprivileged user to corrupt nftables packet and byte counter data through a race condition in concurrent dump-and-reset operations. Two parallel resets can each read the same counter totals and both subtract them, causing the counters to underrun - potentially wrapping unsigned values to astronomically large figures and producing incorrect firewall accounting. No public exploit exists and EPSS is 0.02% (5th percentile), consistent with a low-priority correctness defect rather than a targeted security attack vector.
Out-of-bounds array access in the Linux kernel's Intel Discrete Graphics MTD driver (mtd_intel_dg.c) lets a local actor trigger kernel memory corruption when the driver enumerates NVM regions before nregions is initialized. The flaw, caught by UBSAN as an array-index-out-of-bounds at line 750, affects systems running kernel 6.17 through the pre-patch 6.18/6.19 series with Intel discrete graphics hardware. No public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.02%, 4th percentile).
Linux Kernel quota subsystem livelocks the system when quotactl_block() and freeze_super() execute concurrently on non-preemptible kernels, causing 100% CPU consumption and an indefinite hang of the filesystem freeze process. The root cause is a missing scheduling point in quotactl_block()'s retry loop: on kernels with preemption disabled, the spinning loop never yields the CPU, starving synchronize_rcu() of the RCU quiescent state it needs to advance, which in turn blocks freeze_super() from completing. Affected are Linux kernel versions from commit 576215cffdefc1f0ceebffd87abb390926e6b037 onward, on systems using quota-enabled filesystems; no public exploit or active exploitation has been identified at time of analysis.
Out-of-bounds read in the Linux kernel's AppArmor subsystem allows a local, low-privileged attacker to leak adjacent kernel memory and potentially crash the system when AppArmor parses a policy table built from possibly unaligned, userspace-supplied source data. The flaw stems from unaligned memory accesses during table creation in the policy loader and carries high confidentiality and availability impact. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.02%, 5th percentile), consistent with a hard-to-reach local-only kernel hardening fix rather than a mass-exploitation target.
Stale unwritten extent retention in the Linux kernel ext4 filesystem's in-memory extent status cache allows a local low-privileged user to trigger filesystem state inconsistency with high availability impact. The flaw manifests in ext4_split_extent() when a PARTIAL_VALID1 zeroout operation succeeds but the subsequent split at the first boundary fails due to temporary memory pressure, leaving the extent status tree out of sync with on-disk extent data. Patched stable releases are available; no public exploit or CISA KEV listing has been identified at time of analysis, and EPSS exploitation probability sits at 0.02% (5th percentile).
Local privilege-holder denial of service (and potential kernel memory corruption) in the Linux kernel's HiSilicon hns3 network driver allows a user with CAP_NET_ADMIN to trigger a double-free of the tx_spare backup buffer. The flaw lives in hns3_set_ringparam(), where a temporary ring copy is made for rollback but the original ring's tx_spare pointer is left dangling; if a subsequent allocation in hns3_init_all_ring() fails, the error path frees the stale pointer twice (CWE-415). EPSS is negligible (0.02%, 7th percentile) and there is no public exploit identified at time of analysis, but a vendor-released patch is available across multiple stable trees.
Guest-to-host denial of service in the Linux kernel's xen-netback driver allows a malicious or buggy Xen guest to crash the hypervisor host by writing "0" to the xenbus key multi-queue-num-queues. The connect() function validates only the upper bound of requested_num_queues, permitting a zero value to reach vzalloc(array_size(0, ...)), which triggers WARN_ON_ONCE in __vmalloc_node_range(); on hosts with panic_on_warn=1 this escalates to a full kernel panic. No public exploit exists and EPSS is 0.02% (7th percentile), consistent with a narrow Xen-specific attack surface, but the guest-controlled code path is trivial to trigger and vendor patches have been backported across seven stable kernel series, confirming the impact is real.
Divide-by-zero kernel panic (Oops) in the Linux kernel MPTCP subsystem's `mptcp_rcvbuf_grow()` function can be triggered by a local authenticated user under a rare but specific race condition involving concurrent out-of-order packet arrival and receive buffer initialization. The vulnerability also causes a secondary effect where the MPTCP receive buffer slowly drifts toward the `tcp_rmem[2]` maximum, degrading system performance on MPTCP-heavy workloads. No public exploit identified at time of analysis; EPSS is 0.02% (4th percentile), consistent with its local-only, race-dependent nature.
Memory leak in the Linux kernel's md/raid1 subsystem allows a local attacker with access to RAID configuration interfaces to gradually exhaust kernel memory by repeatedly triggering the faulty error path in raid1_run(). Affected kernel versions span multiple stable branches prior to 6.12.75, 6.18.14, 6.19.4, and 7.0. No public exploit identified at time of analysis; EPSS at 0.02% (5th percentile) and confirmed discovery via static analysis rather than active exploitation signals minimal real-world risk. Vendor-released patches are available across all affected stable branches.
Memory leak in the Linux kernel's af_unix subsystem allows a local low-privileged user to exhaust kernel memory by repeatedly triggering a failure path in unix_stream_connect(). When prepare_peercred() fails after unix_create1() has already allocated a new socket object (newsk), the error path omits the required unix_release_sock() call, leaving kernel memory permanently unreleased. No public exploit has been identified at time of analysis; EPSS at 0.02% (4th percentile) reflects negligible widespread exploitation likelihood, consistent with the local-only attack vector.
BPF verifier rejection in the Linux kernel's XDP subsystem forces valid BPF programs to fail load-time verification when they pass pointers from BPF_F_RDONLY_PROG maps to the bpf_xdp_store_bytes helper. The root cause is an incorrect argument type annotation - the helper's third argument (source buffer) is declared as ARG_PTR_TO_UNINIT_MEM, which carries the MEM_WRITE flag, causing the verifier to demand write permission on memory that the helper only reads. Separately, this same mistype permits the helper to read from uninitialized memory (CWE-908). No public exploit is identified at time of analysis, and EPSS sits at 0.02%, but kernel patches across all active stable branches have been issued.
Local privilege-impacting memory corruption in the Linux kernel's cpcap-battery power supply driver allows a use-after-free in power_supply_changed() triggered during device probe or removal. The driver requested its IRQ via devm_ before registering the power_supply handle, so on teardown the handle is freed while the interrupt handler can still fire, dereferencing freed memory and typically crashing the system or silently corrupting memory. EPSS is negligible (0.02%, 7th percentile) and there is no public exploit identified at time of analysis; the issue is confined to Motorola CPCAP PMIC hardware (e.g. Droid 4) rather than general-purpose servers.
Integer underflow in the Linux kernel's AppArmor subsystem (`aa_get_buffer()`) allows a local low-privileged user to cause per-CPU buffer starvation and system-wide denial of service. The `cache->hold` unsigned counter wraps to UINT_MAX when decremented below zero, permanently preventing `aa_put_buffer()` from recycling buffers back to the global pool and forcing repeated `kmalloc(aa_g_path_max)` heap allocations that starve other CPUs. No public exploit exists and EPSS is 0.02% (5th percentile); this is not in CISA KEV, but patches are available across multiple stable kernel branches.
Resource leak in the Linux kernel's sca3000 IIO accelerometer driver (sca3000_probe()) allows a local low-privileged user on affected hardware to cause IRQ resource exhaustion by repeatedly triggering the error path where iio_device_register() fails without releasing the IRQ registered via request_threaded_irq(). Affected are Linux kernel versions from approximately 4.10 through multiple stable branches, all of which now have upstream fix commits. No public exploit exists and EPSS stands at 0.02% (7th percentile), indicating this is a robustness/maintenance fix rather than an actively targeted vulnerability.
Use-after-free in the Linux kernel's pm8916_bms_vm power-supply driver (for Qualcomm PM8916 battery monitoring on certain Snapdragon SoCs) lets a freed power_supply handle be dereferenced when an IRQ fires during device removal or probe, corrupting kernel memory or crashing the system. The flaw stems from devm-managed IRQ registration occurring before the power_supply handle was registered, so devm's reverse-order teardown frees the handle while the interrupt is still live. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; impact is realistically a local denial of service on the narrow set of devices using this driver.
Memory exhaustion via the MediaTek SVS (Smart Voltage Scaling) debugfs interface in the Linux kernel allows a local attacker with low privileges to leak kernel memory on MediaTek SoC-based systems. The root cause is that `svs_enable_debug_write()` allocates a buffer via `memdup_user_nul()` to copy user-supplied input, but fails to free it when the subsequent `kstrtoint()` call rejects non-integer input - a classic CWE-401 missing-release flaw. No public exploit has been identified and EPSS is 0.02% (7th percentile), making this a low-urgency, patch-when-convenient issue for the narrow device population running affected MediaTek SoC kernels.
PCI/P2PDMA subsystem in the Linux kernel hangs indefinitely on PCI device removal due to a missing percpu_ref_put() call on the error exit path of p2pmem_alloc_mmap(). Low-privileged local users on systems with P2PDMA-capable PCI hardware can trigger a vm_insert_page() failure that leaks a per-CPU pgmap reference, causing memunmap_pages() to stall forever when the PCI device is later removed. No public exploit has been identified and EPSS is at the 5th percentile; this is not in CISA KEV.
Local privilege-level use-after-free in the Linux kernel's bq25980 battery charger power-supply driver (drivers/power/supply/bq25980.c) allows a triggered IRQ to call power_supply_changed() on a freed or uninitialized power_supply handle, typically crashing the system or corrupting memory. The flaw stems from devm-managed IRQ registration ordering relative to power_supply registration, creating a race during driver probe and removal. EPSS is negligible (0.02%, 7th percentile), there is no public exploit identified at time of analysis, and it is not on CISA KEV; the fix is committed upstream and shipped in multiple stable kernels.
NULL pointer dereference in the Linux kernel's Intel ISH HID subsystem (`intel_ishtp` module) causes a kernel panic and local denial of service during warm reset operations. The `ishtp_bus_remove_all_clients()` function dereferences `cl->device->reference_count` without a NULL guard, which is reachable when a firmware reset interrupts ISH client enumeration mid-flight. No public exploit or active exploitation (CISA KEV) exists; EPSS probability is 0.02% at the 5th percentile, consistent with a timing-dependent, hardware-specific kernel crash path.
Error handling failure in the Linux kernel's arm64 Guarded Control Stack (GCS) subsystem allows a local low-privileged user on ARMv9 hardware to trigger a kernel denial of service by exploiting an incorrect NULL check in arch_set_shadow_stack_status(). Because alloc_gcs() propagates do_mmap() failures as error-encoded pointers rather than NULL, the existing guard is bypassed and the kernel proceeds to use an invalid GCS address, risking a kernel panic. No public exploit exists and EPSS sits at the 4th percentile, but the vulnerability is confirmed patched in Linux 6.18.14, 6.19.4, and 7.0.
Regulator resource leak in the Linux kernel MFD Arizona WM5102 audio codec driver causes availability degradation on affected hardware when the write sequencer error path is triggered. The `wm5102_clear_write_sequencer()` helper returns early on error without jumping to the `err_reset` cleanup label, leaving kernel voltage regulators enabled and leaking resources across repeated invocations. Exploitation requires local low-privilege access on systems with WM5102 hardware; EPSS is 0.02% (7th percentile) and no active exploitation has been identified, placing real-world priority firmly in the low tier.
NULL pointer dereference in the Linux kernel's NXP i.MX8QM HSIO PHY driver crashes the kernel on affected embedded hardware. The flaw exists in `imx_hsio_configure_clk_pad()`, which unconditionally dereferences `refclk_pad` even when the `fsl,refclk-pad-mode` devicetree property is absent, setting the pointer to NULL during probe. A local low-privileged user on NXP i.MX8QM-based systems with vulnerable kernel versions can trigger a kernel panic, causing a full denial-of-service. No public exploit or active exploitation (CISA KEV) has been identified; EPSS of 0.02% at the 5th percentile confirms negligible exploitation probability.
Denial-of-service via kernel crash in the Linux kernel's netfilter nft_set_rbtree subsystem, exploitable by a local user with nftables manipulation capability. The flaw lies in the partial overlap detection logic for anonymous sets: an optimization that omits end elements for adjacent intervals also inadvertently suppresses overlap checks on start elements, allowing two intervals sharing the same start point (e.g., A-B and A-C where C < B) to be inserted simultaneously, corrupting the red-black tree and triggering a kernel panic. No public exploit code has been identified at time of analysis, and the EPSS score of 0.02% (7th percentile) reflects low real-world exploitation probability, though the vulnerability is present across many long-term stable kernel branches.
Memory exhaustion denial-of-service in the Linux kernel smartpqi SCSI driver allows a local user to degrade system availability through kernel memory leak accumulation. The vulnerability exists in pqi_report_phys_luns(), which fails to release the rpl_list buffer on two distinct error paths - unsupported data format detection and rpl_16byte_wwid_list allocation failure - both of which bypass cleanup logic. No public exploit exists and EPSS sits at 0.02% (7th percentile), but systems running Microsemi/PMC-Sierra SmartPQI RAID controllers on unpatched kernels are at risk of gradual availability degradation.
Resource leak in the Linux kernel's st33zp24 TPM driver allows a low-privileged local user to exhaust TPM localities and deny TPM service on systems equipped with STMicroelectronics ST33ZP24 hardware. When get_burstcount() returns -EBUSY on timeout, st33zp24_send() exits without releasing the previously acquired TPM locality, creating a cumulative leak that can render all subsequent TPM operations unavailable. No public exploit code exists and EPSS probability is 0.02% (7th percentile), but systems relying on the ST33ZP24 for measured boot or disk-encryption attestation face meaningful operational risk if exploited.
Memory leaks in the Linux kernel's SUNRPC auth_gss subsystem allow a local low-privilege attacker to gradually exhaust kernel heap memory on systems using NFS with Kerberos (RPCSEC_GSS) authentication. The gssx_dec_ctx(), gssx_dec_status(), and gssx_dec_name() XDR decoding functions fail to release previously allocated kernel buffers when a partial decode sequence errors out mid-function, leaving unreferenced kmemdup() allocations on the heap. No public exploit exists and EPSS is 0.02%, but no public exploit identified at time of analysis; repeated triggering of the vulnerable paths could degrade availability on RPCSEC_GSS-enabled servers.
NULL pointer dereference in the Linux kernel's wm97xx battery power supply driver crashes the kernel when a hardware interrupt fires during a narrow initialization race window. Systems running Linux kernel versions from 2.6.32 through various stable branches (pre-patch releases in 5.10, 5.15, 6.1, 6.6, 6.12, 6.18, 6.19, and 7.0 series) with wm97xx-equipped hardware are affected. A local attacker - or natural hardware interrupt timing - can trigger a kernel panic (denial of service) during driver probe; no public exploit has been identified and EPSS sits at the 7th percentile, reflecting the narrow hardware footprint.
Reference count leak in the Linux kernel's pinctrl-single driver (`pcs_add_gpio_func()`) allows a local low-privileged user to cause kernel memory exhaustion and denial of service on affected embedded/SoC platforms. The `of_parse_phandle_with_args()` Device Tree API increments a refcount on the returned device_node pointer, but the iterating loop never calls `of_node_put()` to release it - accumulating leaked references on every GPIO phandle processed. No public exploit exists and EPSS is 0.02%, placing this firmly in the low-urgency patch category; exploitation requires specific hardware and driver configuration not present on typical x86 servers.
Local privilege escalation potential via a use-after-free in the Linux kernel's act8945a power supply driver, where the ACT8945A PMIC IRQ is requested before the power_supply handle is registered (and torn down after it during removal), letting an interrupt invoke power_supply_changed() on a freed or uninitialized handle. Affected systems run vulnerable Linux kernel builds (pre-6.6.128, pre-6.12.75, pre-6.1.165, pre-5.15.202, pre-5.10.252, and others) with the act8945a driver bound to real Atmel/Microchip SAMA5-class hardware. There is no public exploit identified at time of analysis; EPSS is very low (0.02%, 7th percentile) and the flaw is not in CISA KEV.
Local privilege-bounded use-after-free in the Linux kernel's CAIF serial line discipline (caif_serial / CONFIG_CAIF_TTY) lets a local attacker corrupt kernel memory by racing ldisc_close() against packet transmission. ldisc_close() drops the tty reference via tty_kref_put() while the CAIF network device is still live, so a concurrent caif_xmit()/handle_tx() can dereference the freed tty (ser->tty) and call tty->ops->write() on dangling memory, confirmed by a KASAN slab-use-after-free report. A reproducer is published, but no public weaponized exploit and no active exploitation are recorded; EPSS is 0.02% (7th percentile), consistent with a niche driver and a tight race window.
Uninitialized stack memory exposure in the Linux kernel's MCTP-over-I2C (mctp-i2c) driver affects systems using i2c-aspeed or i2c-npcm7xx bus drivers, particularly server/BMC hardware with Aspeed and Nuvoton chipsets. When a read is performed against an mctp-i2c device instance, the event handler fails to initialize the 'val' byte before returning it to the caller, exposing whatever residual value sits on the kernel stack at that moment. No public exploit has been identified at time of analysis, and with an EPSS of 0.03% (10th percentile), real-world exploitation pressure is currently negligible; however, kernel stack data leakage is a meaningful information disclosure primitive on affected hardware.
Infinite loop denial of service in the Linux kernel's ntfs3 filesystem driver allows a local low-privileged user to hang the kernel's I/O subsystem by triggering a non-terminating loop in the file write path. The flaw in `ntfs_file_write_iter` (fs/ntfs3/file.c:1284) occurs when iterating over the valid data range [valid:pos) during a write operation - if the `valid` pointer fails to advance (returning the same value), the loop condition is never satisfied and the inode lock is held indefinitely, causing a full write-path hang. No active exploitation has been identified (absent from CISA KEV) and EPSS of 0.02% at the 7th percentile confirms negligible observed exploitation activity; a patch is available across all affected stable branches.
Memory leak in the Linux kernel's DesignWare i3c master driver (`drivers/i3c/master/dw-i3c-master.c`) allows a local low-privileged user on systems equipped with DesignWare i3c hardware to cause gradual kernel memory exhaustion by repeatedly triggering the failure path in `dw_i3c_master_i2c_xfers()`, where `dw_i3c_master_alloc_xfer()` allocates a transfer structure that is never freed when `pm_runtime_resume_and_get()` returns an error. No public exploit identified at time of analysis; EPSS of 0.02% (5th percentile) and the static-analysis discovery method both confirm this is a low-immediacy, low-exploitation-probability issue. Vendor-released patches are available across multiple stable kernel branches.
Stale data exposure and filesystem data corruption in the Linux kernel's ext4 extent-splitting subsystem affects all major stable branches prior to 6.6.130, 6.12.75, 6.18.14, 6.19.4, and 7.0. When ext4_split_extent_at() encounters a transient ENOSPC condition while splitting a large unwritten extent at its first boundary, the error path incorrectly zeroes out and marks the entire extent as written - leaving stale disk content from adjacent regions readable in areas that should remain unwritten or zero-filled. No public exploit identified at time of analysis; EPSS at 0.02% (5th percentile) reflects the narrow, local-only, condition-dependent trigger path that makes automated or widespread exploitation highly unlikely.
NULL pointer dereference in the Linux kernel's csiostor SCSI driver (Chelsio T5 iSCSI storage controller) causes a local denial-of-service via kernel panic. The flaw resides in the error exit path: when the pointer rn is NULL, the CSIO_INC_STATS macro still dereferences it, triggering a kernel crash. Exploitation requires local low-privilege access on a system equipped with Chelsio csiostor hardware; no active exploitation is confirmed (not in CISA KEV) and EPSS sits at 0.02% (7th percentile), indicating minimal real-world exploitation pressure.
Non-NCQ command starvation in the Linux kernel's libata-scsi layer can cause complete denial of service for certain disk I/O operations on systems using multi-queue ATA host adapters. On affected hardware, when a target storage device is under sustained NCQ (Native Command Queuing) traffic, the SCSI layer's SCSI_MLQUEUE_XXX_BUSY requeue mechanism provides no forward-progress guarantees for non-NCQ commands - other CPU cores can continuously inject new NCQ commands from separate submission queues, indefinitely deferring the non-NCQ command. No public exploit has been identified at time of analysis and EPSS probability is very low (0.02%, 5th percentile), but the bug can manifest naturally under heavy I/O workloads without deliberate exploitation.
Kernel panic in the Linux inside-secure/eip93 hardware crypto driver occurs when the driver teardown routine unconditionally unregisters all cryptographic algorithms, including those never registered because the underlying EIP93 silicon does not implement them. Platforms with partial EIP93 silicon support - where only a subset of algorithms are burned into hardware - trigger the panic during module removal or system shutdown. No public exploit exists and EPSS sits at the 4th percentile (0.02%), indicating this is primarily a stability defect with negligible exploitation interest rather than a targeted attack surface.
Memory corruption in the Linux kernel's AMD GPU driver (amdgpu) arises because amdgpu_gmc_get_nps_memranges() releases buffers allocated by amdgpu_discovery_get_nps_info() with kfree() even though that memory may have been allocated via kvcalloc()/vmalloc(), corrupting the kernel allocator state. The flaw affects systems running AMD GPUs on kernels prior to the fixed stable releases (6.12.75, 6.18.14, 6.19.4, and 7.0). There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and the issue was found via static analysis and code review rather than in-the-wild exploitation.
Denial of service in the Linux kernel's EFI unaccepted-memory handling allows a boot-time kernel panic on confidential-computing guests, affecting kernels from 6.6 through the 6.19/7.0 development line. The reserve_unaccepted() routine miscalculates the memblock reservation size when the unaccepted memory table is not page-aligned, leaving the table's tail unreserved so it can be overwritten or rendered inaccessible, triggering a panic in accept_memory(). It is observed on Intel TDX VMs with larger memory sizes (e.g. >64GB); there is no public exploit identified at time of analysis and EPSS is negligible (0.02%).
Incorrect offset handling in the Linux kernel IPVS subsystem causes IPv6 protocol checksum validation to fail when extension headers precede the transport header, disrupting availability on systems acting as IPv6 load balancers. Affected across a broad kernel version range from 2.6.28 onward, with fixes confirmed in stable releases 6.19.4 and mainline 7.0. No public exploit code exists and no active exploitation has been identified; EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation pressure.
Improper locking in the Linux kernel's Microsemi Ocelot network switch driver (`net/mscc/ocelot`) allows a local low-privileged user on hardware running Ocelot switch chips to trigger a race condition in `ocelot_port_xmit_inj()`, potentially causing a kernel panic or system crash. Affected stable branches span 6.1.107-6.1.164, 6.6.48-6.6.127, and 6.10.7 through 6.11 release candidates, with patches confirmed in 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, and 7.0. No public exploit identified at time of analysis; EPSS at 0.02% (7th percentile) reflects extremely low exploitation probability, consistent with the hardware-specific trigger requirement and local-only attack vector.
NULL pointer dereference in the Linux kernel's AppArmor LSM function `aa_sock_file_perm` allows a local authenticated user to crash the kernel (oops) during socket setup or teardown. The flaw affects the fallback mediation path for AF_UNIX sockets and all other socket families when AppArmor is in enforcing mode, because neither `sock` nor `sock->sk` are validated for NULL before dereferencing. Impact is limited to availability (system crash); no confidentiality or integrity loss is possible. No public exploit is identified at time of analysis, and EPSS at 0.02% (7th percentile) indicates negligible exploitation probability.
Reachable assertion in the Linux kernel network subsystem allows a local low-privileged user to trigger a WARN_ON_ONCE by constructing a sufficiently long forward path through IPIP tunnels, resulting in a kernel warning and high availability impact. The root cause (CWE-617) is an assertion in the forward path array access code that became reachable after IPIP tunnel support was introduced, expanding the possible depth of forward paths beyond the implicit assumption encoded in the warning. No public exploit code exists and EPSS is extremely low (0.02%, 7th percentile), but the kernel-level denial-of-service impact on local multi-tenant or containerized systems warrants patching.
Kernel panic via reference count corruption in the Linux kernel's HFS+ filesystem driver (hfsplus) allows a local attacker with low privileges to crash the system. The function hfs_bnode_create() returns an already-hashed B-tree node without incrementing its reference count when it unexpectedly encounters a node that should not yet exist - a condition triggered by filesystem corruption or a logic error in hfs_bmap_alloc(). When hfs_bnode_put() later decrements the reference count to zero and attempts cleanup, the kernel triggers a fatal BUG_ON(!atomic_read(&node->refcnt)) assertion at bnode.c:676, causing an immediate kernel panic. No public exploit exists and EPSS is 0.02% (7th percentile), consistent with the local-only attack vector and niche trigger conditions, but the availability impact is total for affected systems.
Denial of service in the Linux kernel's RCU (Read-Copy-Update) subsystem allows a local condition to trigger an infinite recursion deadloop in rcu_read_unlock_special() when ftrace is enabled, leading to kernel hang or crash. The flaw stems from a missing recursion-protection flag when raise_softirq_irqoff() is invoked from the RCU unlock path, causing repeated re-entry through the softirq/trace stack. No public exploit identified at time of analysis and EPSS rates exploitation probability at 0.02%.
Memory leak in Linux kernel's fbdev au1200fb framebuffer driver causes resource exhaustion when the probe function encounters IRQ allocation failure. The vulnerability exists in au1200fb_drv_probe() within the au1200fb driver: when platform_get_irq() returns an error, the function returns immediately without releasing previously allocated memory, leading to kernel heap exhaustion over time. Local attackers or repeated probe failures (e.g., via hotplug events on affected MIPS-based Alchemy hardware) can deplete kernel memory, resulting in denial of service. No public exploit has been identified at time of analysis, and EPSS at 0.02% (7th percentile) confirms negligible exploitation interest.
IO deadloop in Linux kernel's md/raid5 subsystem causes complete availability loss on systems running degraded RAID5 arrays with llbitmap enabled. When llbitmap bit state is 'unwritten', the missing synchronization check in need_this_block() diverges from the check present in handle_stripe_dirtying(), trapping handle_stripe() in an infinite loop that never makes progress - effectively hanging all IO on the affected array. No public exploit is identified at time of analysis, and EPSS at 0.02% (4th percentile) reflects very low real-world exploitation probability, consistent with the narrow deployment conditions required.
Missing MTU validation in the Linux kernel fbnic Ethernet driver allows a local low-privileged user to trigger a denial of service by increasing the interface MTU after an XDP program is already attached. Increasing the MTU beyond the HDS (Header Data Split) threshold causes the fbnic hardware to fragment packets across multiple buffers; since single-buffer XDP programs cannot process multi-fragment frames, the driver silently drops them - breaking new TCP streams and discarding oversized non-TCP traffic. No public exploit exists and EPSS is 0.02% (4th percentile), placing this firmly in the low-priority tier despite its High availability rating; patches are confirmed available in Linux 6.18.14, 6.19.4, and 7.0.
Memory leak in the Linux kernel's StarFive AES crypto driver allows a local low-privileged user on affected StarFive JH7110 RISC-V hardware to exhaust kernel memory and cause a denial of service. The flaw resides in starfive_aes_aead_do_one_req(), where kzalloc()-allocated memory for rctx->adata is not freed on two distinct error paths - failures in sg_copy_to_buffer() or starfive_aes_hw_init() - resulting in unreleased heap memory each time an AEAD operation fails. No public exploit exists and EPSS is extremely low at 0.02%, consistent with a hardware-specific, analysis-discovered defect rather than an actively targeted weakness.
Use-after-free race condition in the Linux kernel hwrng (hardware random number generator) core subsystem allows a local attacker with low privileges to crash the kernel, causing a denial of service. The race occurs when hwrng_register() and hwrng_unregister() execute concurrently, leaving the hwrng_fill pointer dirty and enabling kthread_stop() to be invoked on an already-freed task_struct - confirmed in the virtrng_remove call path, making virtualized Linux environments a primary real-world attack surface. No public exploit code exists and no active exploitation (KEV) has been confirmed; the EPSS score of 0.02% reflects minimal opportunistic exploitation activity.
Memory exhaustion in the Linux kernel's ext4 filesystem driver allows a local low-privilege user to gradually degrade system availability by repeatedly triggering a kernel memory leak in ext4_ext_shift_extents(). The flaw, present since approximately kernel 3.15, causes path structures allocated by ext4_find_extent() to go unreleased when a NULL extent is encountered during fallocate shift operations. With no CISA KEV listing, an EPSS of 0.02%, and no public exploit code identified, this is a low-urgency but genuine patch priority for long-lived ext4 systems with unprivileged local users.
Memory exhaustion in the Linux kernel's drm/amdgpu driver allows a local low-privileged user on AMD GPU-equipped systems to degrade host availability by repeatedly triggering an error path in amdgpu_acpi_enumerate_xcc() that leaks kernel heap memory. The root cause is a missing free of the xcc_info structure when amdgpu_acpi_dev_init() returns -ENOMEM, identified through static analysis and code review rather than active exploitation. With EPSS at 0.02% (5th percentile) and no CISA KEV listing, this is a low-priority maintenance fix for most environments, most relevant to long-running AMD GPU compute workloads where repeated enumeration failures could accumulate leaked memory.
Use-after-free in the Linux kernel's ab8500 power supply driver (drivers/power/supply/ab8500) can be triggered during device removal or probe due to incorrect ordering of devm_-managed resource allocation. The race allows an IRQ handler to invoke power_supply_changed() against a freed or uninitialized power_supply handle, typically resulting in a kernel crash or silent memory corruption. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the flaw is not on CISA KEV.
Kernel NULL pointer dereference in the Linux EROFS compressed filesystem driver allows a local user reading from an EROFS image to crash the system. The flaw lives in z_erofs_decompress_pcluster(), where compressed folios for ztailpacking pclusters are added to I/O chains before being validated; if inline-data reading fails (notably when a fatal signal interrupts read_mapping_folio()), decompression assumes the folios are valid and dereferences a NULL pointer. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%), and the issue is not in CISA KEV.
TPM locality leak in the Linux kernel's tpm_i2c_infineon driver allows a local user on an affected system to exhaust TPM localities and render the TPM device unavailable. The tpm_tis_i2c_send() function acquires a TPM locality at entry but fails to release it when get_burstcount() times out with -EBUSY, causing a resource leak on every such timeout. Patches are available across multiple stable kernel branches; no public exploit code or active exploitation (CISA KEV) has been identified, and EPSS is 0.02% at the 7th percentile.
Kernel crash (oops) in the stmmac GMAC4 Ethernet driver causes a denial of service when split header reception is enabled. The stmmac receive path incorrectly assumes that buf2 of the first DMA descriptor is always fully populated with payload, but the GMAC4 hardware does not guarantee this in all cases. When the assumption is violated, the driver miscalculates the length of buf2 in the second descriptor, resulting in an invalid virtual address dereference deep in the DMA cache-invalidation path, crashing the kernel. No public exploit has been identified at time of analysis, and EPSS is 0.02% (4th percentile), indicating negligible opportunistic exploitation interest.
Memory leak in the Linux kernel's NI USB GPIB driver allows a local low-privileged user to exhaust kernel memory by repeatedly triggering a failed initialization path. The flaw exists in ni_usb_init(), where a writes buffer is allocated but never freed when ni_usb_setup_init() returns failure, compounding the issue with an incorrect error code (-EFAULT instead of -EINVAL). No public exploit is identified at time of analysis, and EPSS sits at 0.02%, consistent with the niche hardware driver context and local-only attack surface.
Memory corruption in the Linux kernel's pm8916_lbc power-supply driver (Qualcomm PM8916 PMIC linear battery charger) stems from a use-after-free in power_supply_changed(), where devm-managed teardown ordering lets a charger interrupt fire against a freed or not-yet-initialized power_supply handle during driver probe or removal. Local attackers able to trigger device unbind/rebind or module load/unload can crash the system or silently corrupt kernel memory. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis; the issue is not in CISA KEV.
Kernel panic in the Linux kernel's Inside Secure EIP-93 hardware crypto driver occurs during driver detach due to a loop iterator bug that causes the same hash algorithm to be unregistered multiple times. Systems equipped with Inside Secure EIP-93 cryptographic accelerator hardware and running unpatched kernels between the introducing commit (9739f5f93b78) and the fix commits are vulnerable. A local low-privileged user who can trigger driver detach - via module unload or device removal - can crash the kernel, resulting in a full system denial of service. No public exploit exists and EPSS is 0.02% (4th percentile), indicating negligible in-the-wild activity.
Use-after-free in the Linux kernel's goldfish power-supply driver (drivers/power/supply/goldfish_battery) allows a local attacker to crash the system or corrupt kernel memory by racing device probe/removal against the battery IRQ handler. The driver requested its IRQ via devm_ before registering the power_supply handle, so on teardown the handle is freed while the still-live interrupt can fire and call power_supply_changed() on freed (or, during probe, uninitialized) memory. No public exploit identified at time of analysis; EPSS is negligible (0.02%) and the bug is not in CISA KEV.
Btrfs transaction aborts in the Linux kernel allow local low-privileged users to crash the filesystem by triggering a logic defect in DUP chunk allocation that generates overlapping physical address ranges in the chunk map. Systems running btrfs with DUP metadata profiles - the default for single-device btrfs deployments - can encounter EEXIST (-17) errors in insert_dev_extents() during btrfs_create_pending_block_groups(), causing the transaction to abort and the filesystem to enter an error state. No public exploit or active exploitation (CISA KEV) has been identified; with an EPSS of 0.02% (4th percentile), this is a kernel reliability defect of operational concern to btrfs operators rather than a traditional attack vector.
Uninitialized kernel memory leaks to local users via the MCTP netlink subsystem in the Linux kernel, where RTM_GETNEIGH responses return stale kernel data in the pad bytes of ndmsg structures across link, addr, and neigh response messages. Any local user with PR:L access to the MCTP netlink interface can extract arbitrary pad-byte contents from kernel memory allocations, potentially exposing pointers, partial stack data, or remnants of prior allocations that could assist in defeating kernel address space layout randomization (KASLR). Disclosed by Syed Faraz Abrar (Zellic) and Pumpkin (DEVCORE Research Team) via Trend Micro Zero Day Initiative; no public exploit code exists and EPSS sits at the 5th percentile (0.02%), indicating negligible active exploitation at time of analysis.
Memory leak in the Linux kernel's chips-media wave5 VPU media driver allows a local low-privileged user to exhaust kernel memory, resulting in denial of service. The flaw exists in both the encoder and decoder open paths - wave5_vpu_open_enc() and wave5_vpu_open_dec() - where a VPU instance allocated via kzalloc() is not freed when the subsequent codec_info allocation fails. No public exploit exists and EPSS sits at 0.02% (5th percentile), reflecting the hardware-specific and local-only nature of this issue.
BPF map hash verification in the Linux kernel is vulnerable to a TOCTOU race condition that allows a local low-privileged attacker to bypass integrity checks enforced by trusted BPF loaders. Userspace can call BPF_OBJ_GET_INFO_BY_FD to prime the hash cache, then modify the map contents in the race window before freezing it, causing a trusted loader to verify the original (stale) hash against the silently-altered map. No active exploitation is confirmed (not in CISA KEV) and EPSS is 0.02%, but the attack's integrity impact appears understated by the published CVSS vector, which records A:H/I:N - inconsistent with a hash-bypass that enables modified code/data to be loaded as trusted.
Memory leak in the Linux kernel's Rust-language PWM subsystem allows a local low-privileged attacker to gradually exhaust kernel memory through repeated PWM chip initialization failures. The `pwmchip_alloc()` function allocates a device structure holding an initial reference that must be explicitly released via `pwmchip_put()` on error paths, but when `__pinned_init()` fails the reference is never dropped, leaking the `pwm_chip` allocation. EPSS stands at 0.02% (5th percentile) and the vulnerability is not listed in CISA KEV, indicating no known active exploitation; no public exploit code has been identified at time of analysis.
Reference leak in the Linux kernel's thermal/of subsystem allows a local low-privileged user to degrade system availability through repeated kernel resource exhaustion. The thermal_of_cm_lookup() function acquires a device_node reference via of_parse_phandle() but never releases it, causing reference counts to accumulate without bound on systems with Device Tree-based thermal configuration. No active exploitation is identified (EPSS 0.02%, 5th percentile; no CISA KEV listing), and this is a reliability and availability defect rather than a code-execution primitive; patched stable kernel versions are available across multiple maintained branches.
Improper lock release in the Linux kernel ksmbd subsystem (in-kernel SMB server) allows a local low-privileged user to trigger a deadlock by inducing error paths in `ksmbd_vfs_kern_path_locked` where `ksmbd_vfs_kern_path_end_removing()` is never called to balance the corresponding `ksmbd_vfs_kern_path_start_removing()`. Affected kernel versions span multiple stable branches from 5.15 through 6.17. No public exploit or active exploitation is known; EPSS stands at 0.02% (7th percentile), confirming low real-world exploitation probability.
Missing endpoint descriptor validation in the Linux kernel catc USB Ethernet driver allows a physically-present attacker with a crafted USB device to cause a kernel denial of service. The catc_probe() function submits URBs against hardcoded endpoint pipes (bulk on endpoint 1, interrupt on endpoint 2) without confirming that the connected device actually presents those endpoint types - a malformed device can exploit this assumption to trigger undefined behavior at the URB submission layer. No active exploitation has been confirmed (not listed in CISA KEV), and the EPSS score is extremely low at 0.02% (7th percentile), reflecting limited real-world exploitation likelihood.
Memory leak in the Linux kernel's RDMA/mlx5 subsystem allows a local low-privileged user to exhaust kernel memory by repeatedly triggering the error path in the GET_DATA_DIRECT_SYSFS_PATH uverbs handler. The flaw affects multiple stable kernel branches requiring mlx5-family InfiniBand/RDMA hardware, and was discovered through static analysis and code review rather than active exploitation. No public exploit exists and EPSS probability is 0.02% (5th percentile), indicating no public exploit or active exploitation at time of analysis.
Memory leak in the Linux kernel's MTD TP-Link SafeLoader partition parser allows a local low-privileged user to cause availability degradation on affected embedded systems. The `mtd_parser_tplink_safeloader_parse()` function omits freeing a temporary buffer `buf` on the error path when a subsequent `kmalloc()` for `parts[idx].name` fails inside the parsing loop. No public exploit exists and EPSS is negligible at 0.02% (5th percentile); this vulnerability was identified via static analysis and code review, not observed exploitation.
Local denial-of-condition in the Linux kernel ext4 filesystem driver allows an internal counter (s_dirtyclusters_counter) to be double-decremented to -1 along the block-allocation error path that triggers during filesystem shutdown, surfacing as a WARNING in ext4_put_super(). The flaw lives between ext4_mb_mark_diskspace_used() and ext4_mb_new_blocks(), where a metadata-write failure causes the dirty-clusters reservation to be released twice. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%, 7th percentile); despite the CWE-415 (double free) classification and a 7.8 CVSS, the observed effect is cluster-accounting corruption rather than demonstrated memory corruption.
An infinite self-IPI loop in the Linux kernel's real-time scheduler `rto_next_cpu()` function causes a CPU hardlockup, resulting in a complete denial of service on affected multi-CPU systems. Systems with `HAVE_RT_PUSH_IPI` enabled are vulnerable when a specific concurrent mix of CPU-bound RT tasks, non-CPU-bound RT tasks, and kernel-stuck CFS tasks triggers a race condition between `rd->rto_loop` and `rd->rto_loop_next` during RT load balancing. No public exploit exists and this is not listed in CISA KEV; the EPSS score of 0.02% (7th percentile) confirms low real-world exploitation probability.
NULL pointer dereference in the Linux kernel's ovpn (in-kernel OpenVPN) TCP socket handling causes a local denial of service via kernel crash. The race condition - between keepalive-driven peer release and concurrent userspace socket closure via tcp_close() - allows a low-privileged local user to trigger a kernel crash when ovpn attempts to dereference a NULL sk->sk_socket pointer during socket detachment. No public exploit has been identified and EPSS stands at 0.02% (4th percentile), reflecting narrow real-world exploitability constrained by the specific configuration and timing required.
Reference leak in the Linux kernel IPVS (IP Virtual Server) subsystem allows a local low-privileged user to trigger a race condition between the netdev notifier handler and destination cache update logic, potentially causing kernel resource exhaustion. When a network device is shutting down, the FIB routing subsystem may return a valid route after ip_vs_dst_event() finishes processing, allowing that route to be cached against a closing device and leaking a device reference until the IPVS destination is removed. This is a medium-severity availability issue with no public exploit identified at time of analysis and a very low EPSS score of 0.02% (5th percentile), indicating it is not currently a prioritized exploitation target.
Local privilege-relevant memory corruption in the Linux kernel's sbs-battery power supply driver (drivers/power/supply/sbs-battery) stems from a use-after-free in power_supply_changed(). Because the driver requested its IRQ via devm_ before allocating/registering the power_supply handle, devm teardown frees the handle in reverse order while the interrupt is still live, so an SMBus battery interrupt firing during device removal (or before registration during probe) invokes power_supply_changed() on a freed or uninitialized pointer, typically crashing the system or silently corrupting memory. EPSS is negligible (0.02%, 7th percentile), no public exploit is identified, and it is not on CISA KEV; the fix is upstream-committed and shipped in multiple stable releases.
Availability impact in the Linux kernel FAT filesystem driver allows a local low-privileged user to trigger a kernel WARN_ON by mounting and operating on a corrupted FAT image with incorrect directory link counts. Specifically, rmdir unconditionally decrements the parent inode's i_nlink without first verifying it is at least 3, allowing underflow to zero on malformed images. No public exploit has been identified and the EPSS probability is 0.02% (7th percentile), but the kernel WARN_ON can cause a system crash, making the real-world availability impact high on affected systems where users can mount FAT images.
Local memory corruption affects the Linux kernel's hwmon ibmpex driver, where commit 6946c726c3f4 - intended to fix a use-after-free in the high/low sysfs store handlers - instead introduced a new race condition by setting driver data to NULL before removing sensor attributes. The remediation is a revert of that flawed commit across the 6.1, 6.6, 6.12, 6.18, and 6.19 stable trees. With EPSS at 0.02% (7th percentile), no public exploit identified at time of analysis, and no CISA KEV listing, real-world risk is minimal given the obscure IBM PowerExecutive sensor hardware the driver targets.
Bridge multicast MDB entry counter underflow in the Linux kernel's `net/bridge/br_multicast.c` allows local attackers with low privileges to trigger a kernel WARN_ON - and a system panic on hosts configured with `panic_on_warn=1` - by manipulating VLAN snooping state on a bridge interface before flushing multicast group entries. Multiple stable kernel branches are affected across all architectures that include the bridge multicast subsystem. No public exploit identified at time of analysis, with an EPSS score of 0.02% (5th percentile) confirming low exploitation probability; patches are available across kernel stable series 6.12, 6.6, 6.18, 6.19, and 7.0.
Ext4 filesystem extent-splitting logic in the Linux kernel incorrectly caches extents mid-operation, leaving stale hole entries in the in-memory extent status tree (ESTree). When a Direct I/O write partially covers a pre-allocated unwritten extent, ext4_split_extent_at() can insert an incorrect hole entry that persists uncorrected, causing space accounting errors when subsequent delayed buffer writes target the same region. No active exploitation has been confirmed (not in CISA KEV), and the EPSS score of 0.02% (7th percentile) reflects negligible real-world exploitation likelihood; this is primarily a kernel correctness and filesystem availability defect rather than a targeted attack surface.
NULL pointer dereference in the Linux kernel's cdns3 USB dual-role driver crashes the kernel when a USB OTG role switch to host mode occurs during a system resume from suspend. The host role's resume() operation calls usb_hcd_is_primary_hcd() on an xhci-hcd device whose probe has been deferred by the driver model, yielding a dereference at virtual address 0x208 and a kernel oops. Impact is limited to denial of service (system crash); no privilege escalation or data disclosure is possible. No active exploitation is confirmed (CISA KEV absent, EPSS 0.02%), and the vulnerability is practically relevant only on hardware platforms featuring the Cadence USB3 cdns3 controller.
Memory leak in the Linux kernel's AMD XDnA accelerator driver (accel/amdxdna) allows a local low-privileged user to degrade system availability by exhausting kernel memory. The amdxdna_ubuf_map() function fails to release previously allocated scatter-gather (sg) and internal sg table memory when error paths are taken during sg_alloc_table_from_pages or dma_map_sgtable operations. No active exploitation is confirmed (absent from CISA KEV), EPSS stands at 0.02% (4th percentile), and impact is strictly limited to availability - no confidentiality or integrity exposure exists.
Deadlock in the Linux kernel mlx5e Mellanox/NVIDIA Ethernet driver allows a low-privileged local attacker to hang the system by triggering network health reporter recovery paths that acquire locks in the wrong order. Specifically, work handlers acquire the netdev instance lock before invoking devlink_health_report, which then attempts to acquire the devlink lock - reversing the mandated devlink → rtnl → netdev ordering and producing an ABBA deadlock. The vulnerability affects systems equipped with Mellanox/NVIDIA ConnectX NICs; no public exploit exists and EPSS sits at 0.02% (4th percentile), consistent with a kernel-internal locking race rather than an externally triggerable flaw.
Use-after-free in the Linux kernel's pf1550 power-supply driver (drivers/power/supply/pf1550) lets a queued hardware interrupt invoke power_supply_changed() on an already-freed power_supply handle during module/device removal, and can also dereference an uninitialized handle during probe. The flaw stems from devm-managed resource ordering: the IRQ was requested before the power_supply was registered, so devm teardown frees the power_supply first. Impact is typically a kernel crash or silent memory corruption. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis.
Race condition in the Linux kernel's XFRM ICMP route lookup path causes a kernel WARN_ON that can crash affected systems. Within `icmp_route_lookup()`, a TOCTOU window between a locality check and a subsequent `ip_route_input()` call allows a concurrently executing `ip addr add` to return a LOCAL route whose `dst.output` is set to `ip_rt_bug()` - a debugging stub that fires `WARN_ON` when invoked during ICMP error transmission. Exploitation requires local access, active XFRM/IPsec policy, and precise race-window timing; no active exploitation is confirmed and EPSS sits at 0.02%, though a public reproducer exists that requires kernel modification to reliably trigger.
Recursive mutex deadlock in the Linux kernel's PowerPC Enhanced Error Handling (EEH) subsystem causes denial of service on IBM POWER systems running affected kernel versions. Commit 1010b4c012b0 inadvertently repositioned pci_lock_rescan_remove() calls so that eeh_handle_normal_event() holds the lock before invoking eeh_pe_bus_get(), which internally attempts to acquire the same mutex, producing a confirmed lockdep-detected deadlock that crashes the EEH daemon and disables PCI error recovery. No public exploit has been identified and the EPSS score of 0.02% (7th percentile) reflects the narrow hardware-specific attack surface; real-world impact is a reliability and availability concern for IBM POWER server operators rather than a traditional security attack vector.
Information disclosure in the Linux kernel BPF subsystem allows a local low-privileged user with BPF program load access to leak kernel memory contents. Incorrect memory-access flags on several ARG_PTR_TO_MEM helper prototypes (notably bpf_get_stack_proto_raw_tp) cause the verifier to wrongly assume helper-written buffers are unchanged, optimizing away subsequent reads and producing stale or uninitialized data that can expose kernel memory. There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and it is not in CISA KEV.
Local privilege-level use-after-free in the Linux kernel's bq256xx battery charger driver (power: supply: bq256xx) allows memory corruption when a charger IRQ fires during device probe or removal, calling power_supply_changed() against a freed or uninitialized power_supply handle. The flaw stems from devm_ resources being released in reverse order, so the IRQ outlives the power_supply registration; triggering it typically crashes the system or silently corrupts kernel memory. No public exploit is identified at time of analysis and EPSS exploitation probability is negligible (0.02%, 7th percentile), with no CISA KEV listing.
Circular lock dependency in the Linux kernel's netfilter nf_tables subsystem causes kernel deadlock or hang when nft reset, ipset list, and iptables-nft with '-m set' rules execute concurrently, resulting in a local denial of service. The root cause is improper use of commit_mutex in the reset path, which - when interleaved with nfnl_subsys_ipset and nlk_cb_mutex acquisitions - creates a deadlock cycle. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.02% (5th percentile) reflects the low real-world exploitation probability for this class of locking defect.
Memory exhaustion vulnerability in the Linux kernel's CAAM DPAA2 crypto driver allows gradual resource depletion on systems with NXP DPAA2 hardware through unreleased per-CPU net_device allocations during failed probe retries. The regression was introduced when commit 0e1a4d427f58 converted embedded net_device structs to dynamically allocated pointers but omitted cleanup in the dpaa2_dpseci_free() error path - meaning every deferred probe retry triggered by a temporarily unavailable DPIO subsystem silently leaks netdev memory. No public exploit exists and EPSS probability is 0.02% (5th percentile), consistent with the hardware-specific, non-user-controlled nature of the defect.
Availability impact via stale extent cache corruption in the Linux kernel's ext4 filesystem driver allows a local low-privileged user to trigger a kernel denial-of-service condition. When an ext4 extent-splitting operation fails mid-execution, stale entries are left in the extent status tree, which can cause subsequent filesystem operations to crash the kernel. No public exploit exists and EPSS probability sits at 0.02% (7th percentile), reflecting this as a stability bug rather than a targeted attack vector. Vendor-released patches are available across all active stable branches.
Counter value underrun in the Linux kernel's netfilter nft_counter subsystem allows a local unprivileged user to corrupt nftables packet and byte counter data through a race condition in concurrent dump-and-reset operations. Two parallel resets can each read the same counter totals and both subtract them, causing the counters to underrun - potentially wrapping unsigned values to astronomically large figures and producing incorrect firewall accounting. No public exploit exists and EPSS is 0.02% (5th percentile), consistent with a low-priority correctness defect rather than a targeted security attack vector.
Out-of-bounds array access in the Linux kernel's Intel Discrete Graphics MTD driver (mtd_intel_dg.c) lets a local actor trigger kernel memory corruption when the driver enumerates NVM regions before nregions is initialized. The flaw, caught by UBSAN as an array-index-out-of-bounds at line 750, affects systems running kernel 6.17 through the pre-patch 6.18/6.19 series with Intel discrete graphics hardware. No public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.02%, 4th percentile).
Linux Kernel quota subsystem livelocks the system when quotactl_block() and freeze_super() execute concurrently on non-preemptible kernels, causing 100% CPU consumption and an indefinite hang of the filesystem freeze process. The root cause is a missing scheduling point in quotactl_block()'s retry loop: on kernels with preemption disabled, the spinning loop never yields the CPU, starving synchronize_rcu() of the RCU quiescent state it needs to advance, which in turn blocks freeze_super() from completing. Affected are Linux kernel versions from commit 576215cffdefc1f0ceebffd87abb390926e6b037 onward, on systems using quota-enabled filesystems; no public exploit or active exploitation has been identified at time of analysis.
Out-of-bounds read in the Linux kernel's AppArmor subsystem allows a local, low-privileged attacker to leak adjacent kernel memory and potentially crash the system when AppArmor parses a policy table built from possibly unaligned, userspace-supplied source data. The flaw stems from unaligned memory accesses during table creation in the policy loader and carries high confidentiality and availability impact. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.02%, 5th percentile), consistent with a hard-to-reach local-only kernel hardening fix rather than a mass-exploitation target.
Stale unwritten extent retention in the Linux kernel ext4 filesystem's in-memory extent status cache allows a local low-privileged user to trigger filesystem state inconsistency with high availability impact. The flaw manifests in ext4_split_extent() when a PARTIAL_VALID1 zeroout operation succeeds but the subsequent split at the first boundary fails due to temporary memory pressure, leaving the extent status tree out of sync with on-disk extent data. Patched stable releases are available; no public exploit or CISA KEV listing has been identified at time of analysis, and EPSS exploitation probability sits at 0.02% (5th percentile).
Local privilege-holder denial of service (and potential kernel memory corruption) in the Linux kernel's HiSilicon hns3 network driver allows a user with CAP_NET_ADMIN to trigger a double-free of the tx_spare backup buffer. The flaw lives in hns3_set_ringparam(), where a temporary ring copy is made for rollback but the original ring's tx_spare pointer is left dangling; if a subsequent allocation in hns3_init_all_ring() fails, the error path frees the stale pointer twice (CWE-415). EPSS is negligible (0.02%, 7th percentile) and there is no public exploit identified at time of analysis, but a vendor-released patch is available across multiple stable trees.
Guest-to-host denial of service in the Linux kernel's xen-netback driver allows a malicious or buggy Xen guest to crash the hypervisor host by writing "0" to the xenbus key multi-queue-num-queues. The connect() function validates only the upper bound of requested_num_queues, permitting a zero value to reach vzalloc(array_size(0, ...)), which triggers WARN_ON_ONCE in __vmalloc_node_range(); on hosts with panic_on_warn=1 this escalates to a full kernel panic. No public exploit exists and EPSS is 0.02% (7th percentile), consistent with a narrow Xen-specific attack surface, but the guest-controlled code path is trivial to trigger and vendor patches have been backported across seven stable kernel series, confirming the impact is real.
Divide-by-zero kernel panic (Oops) in the Linux kernel MPTCP subsystem's `mptcp_rcvbuf_grow()` function can be triggered by a local authenticated user under a rare but specific race condition involving concurrent out-of-order packet arrival and receive buffer initialization. The vulnerability also causes a secondary effect where the MPTCP receive buffer slowly drifts toward the `tcp_rmem[2]` maximum, degrading system performance on MPTCP-heavy workloads. No public exploit identified at time of analysis; EPSS is 0.02% (4th percentile), consistent with its local-only, race-dependent nature.
Memory leak in the Linux kernel's md/raid1 subsystem allows a local attacker with access to RAID configuration interfaces to gradually exhaust kernel memory by repeatedly triggering the faulty error path in raid1_run(). Affected kernel versions span multiple stable branches prior to 6.12.75, 6.18.14, 6.19.4, and 7.0. No public exploit identified at time of analysis; EPSS at 0.02% (5th percentile) and confirmed discovery via static analysis rather than active exploitation signals minimal real-world risk. Vendor-released patches are available across all affected stable branches.
Memory leak in the Linux kernel's af_unix subsystem allows a local low-privileged user to exhaust kernel memory by repeatedly triggering a failure path in unix_stream_connect(). When prepare_peercred() fails after unix_create1() has already allocated a new socket object (newsk), the error path omits the required unix_release_sock() call, leaving kernel memory permanently unreleased. No public exploit has been identified at time of analysis; EPSS at 0.02% (4th percentile) reflects negligible widespread exploitation likelihood, consistent with the local-only attack vector.
BPF verifier rejection in the Linux kernel's XDP subsystem forces valid BPF programs to fail load-time verification when they pass pointers from BPF_F_RDONLY_PROG maps to the bpf_xdp_store_bytes helper. The root cause is an incorrect argument type annotation - the helper's third argument (source buffer) is declared as ARG_PTR_TO_UNINIT_MEM, which carries the MEM_WRITE flag, causing the verifier to demand write permission on memory that the helper only reads. Separately, this same mistype permits the helper to read from uninitialized memory (CWE-908). No public exploit is identified at time of analysis, and EPSS sits at 0.02%, but kernel patches across all active stable branches have been issued.
Local privilege-impacting memory corruption in the Linux kernel's cpcap-battery power supply driver allows a use-after-free in power_supply_changed() triggered during device probe or removal. The driver requested its IRQ via devm_ before registering the power_supply handle, so on teardown the handle is freed while the interrupt handler can still fire, dereferencing freed memory and typically crashing the system or silently corrupting memory. EPSS is negligible (0.02%, 7th percentile) and there is no public exploit identified at time of analysis; the issue is confined to Motorola CPCAP PMIC hardware (e.g. Droid 4) rather than general-purpose servers.
Integer underflow in the Linux kernel's AppArmor subsystem (`aa_get_buffer()`) allows a local low-privileged user to cause per-CPU buffer starvation and system-wide denial of service. The `cache->hold` unsigned counter wraps to UINT_MAX when decremented below zero, permanently preventing `aa_put_buffer()` from recycling buffers back to the global pool and forcing repeated `kmalloc(aa_g_path_max)` heap allocations that starve other CPUs. No public exploit exists and EPSS is 0.02% (5th percentile); this is not in CISA KEV, but patches are available across multiple stable kernel branches.
Resource leak in the Linux kernel's sca3000 IIO accelerometer driver (sca3000_probe()) allows a local low-privileged user on affected hardware to cause IRQ resource exhaustion by repeatedly triggering the error path where iio_device_register() fails without releasing the IRQ registered via request_threaded_irq(). Affected are Linux kernel versions from approximately 4.10 through multiple stable branches, all of which now have upstream fix commits. No public exploit exists and EPSS stands at 0.02% (7th percentile), indicating this is a robustness/maintenance fix rather than an actively targeted vulnerability.
Use-after-free in the Linux kernel's pm8916_bms_vm power-supply driver (for Qualcomm PM8916 battery monitoring on certain Snapdragon SoCs) lets a freed power_supply handle be dereferenced when an IRQ fires during device removal or probe, corrupting kernel memory or crashing the system. The flaw stems from devm-managed IRQ registration occurring before the power_supply handle was registered, so devm's reverse-order teardown frees the handle while the interrupt is still live. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; impact is realistically a local denial of service on the narrow set of devices using this driver.
Memory exhaustion via the MediaTek SVS (Smart Voltage Scaling) debugfs interface in the Linux kernel allows a local attacker with low privileges to leak kernel memory on MediaTek SoC-based systems. The root cause is that `svs_enable_debug_write()` allocates a buffer via `memdup_user_nul()` to copy user-supplied input, but fails to free it when the subsequent `kstrtoint()` call rejects non-integer input - a classic CWE-401 missing-release flaw. No public exploit has been identified and EPSS is 0.02% (7th percentile), making this a low-urgency, patch-when-convenient issue for the narrow device population running affected MediaTek SoC kernels.
PCI/P2PDMA subsystem in the Linux kernel hangs indefinitely on PCI device removal due to a missing percpu_ref_put() call on the error exit path of p2pmem_alloc_mmap(). Low-privileged local users on systems with P2PDMA-capable PCI hardware can trigger a vm_insert_page() failure that leaks a per-CPU pgmap reference, causing memunmap_pages() to stall forever when the PCI device is later removed. No public exploit has been identified and EPSS is at the 5th percentile; this is not in CISA KEV.
Local privilege-level use-after-free in the Linux kernel's bq25980 battery charger power-supply driver (drivers/power/supply/bq25980.c) allows a triggered IRQ to call power_supply_changed() on a freed or uninitialized power_supply handle, typically crashing the system or corrupting memory. The flaw stems from devm-managed IRQ registration ordering relative to power_supply registration, creating a race during driver probe and removal. EPSS is negligible (0.02%, 7th percentile), there is no public exploit identified at time of analysis, and it is not on CISA KEV; the fix is committed upstream and shipped in multiple stable kernels.
NULL pointer dereference in the Linux kernel's Intel ISH HID subsystem (`intel_ishtp` module) causes a kernel panic and local denial of service during warm reset operations. The `ishtp_bus_remove_all_clients()` function dereferences `cl->device->reference_count` without a NULL guard, which is reachable when a firmware reset interrupts ISH client enumeration mid-flight. No public exploit or active exploitation (CISA KEV) exists; EPSS probability is 0.02% at the 5th percentile, consistent with a timing-dependent, hardware-specific kernel crash path.
Error handling failure in the Linux kernel's arm64 Guarded Control Stack (GCS) subsystem allows a local low-privileged user on ARMv9 hardware to trigger a kernel denial of service by exploiting an incorrect NULL check in arch_set_shadow_stack_status(). Because alloc_gcs() propagates do_mmap() failures as error-encoded pointers rather than NULL, the existing guard is bypassed and the kernel proceeds to use an invalid GCS address, risking a kernel panic. No public exploit exists and EPSS sits at the 4th percentile, but the vulnerability is confirmed patched in Linux 6.18.14, 6.19.4, and 7.0.
Regulator resource leak in the Linux kernel MFD Arizona WM5102 audio codec driver causes availability degradation on affected hardware when the write sequencer error path is triggered. The `wm5102_clear_write_sequencer()` helper returns early on error without jumping to the `err_reset` cleanup label, leaving kernel voltage regulators enabled and leaking resources across repeated invocations. Exploitation requires local low-privilege access on systems with WM5102 hardware; EPSS is 0.02% (7th percentile) and no active exploitation has been identified, placing real-world priority firmly in the low tier.
NULL pointer dereference in the Linux kernel's NXP i.MX8QM HSIO PHY driver crashes the kernel on affected embedded hardware. The flaw exists in `imx_hsio_configure_clk_pad()`, which unconditionally dereferences `refclk_pad` even when the `fsl,refclk-pad-mode` devicetree property is absent, setting the pointer to NULL during probe. A local low-privileged user on NXP i.MX8QM-based systems with vulnerable kernel versions can trigger a kernel panic, causing a full denial-of-service. No public exploit or active exploitation (CISA KEV) has been identified; EPSS of 0.02% at the 5th percentile confirms negligible exploitation probability.
Denial-of-service via kernel crash in the Linux kernel's netfilter nft_set_rbtree subsystem, exploitable by a local user with nftables manipulation capability. The flaw lies in the partial overlap detection logic for anonymous sets: an optimization that omits end elements for adjacent intervals also inadvertently suppresses overlap checks on start elements, allowing two intervals sharing the same start point (e.g., A-B and A-C where C < B) to be inserted simultaneously, corrupting the red-black tree and triggering a kernel panic. No public exploit code has been identified at time of analysis, and the EPSS score of 0.02% (7th percentile) reflects low real-world exploitation probability, though the vulnerability is present across many long-term stable kernel branches.
Memory exhaustion denial-of-service in the Linux kernel smartpqi SCSI driver allows a local user to degrade system availability through kernel memory leak accumulation. The vulnerability exists in pqi_report_phys_luns(), which fails to release the rpl_list buffer on two distinct error paths - unsupported data format detection and rpl_16byte_wwid_list allocation failure - both of which bypass cleanup logic. No public exploit exists and EPSS sits at 0.02% (7th percentile), but systems running Microsemi/PMC-Sierra SmartPQI RAID controllers on unpatched kernels are at risk of gradual availability degradation.
Resource leak in the Linux kernel's st33zp24 TPM driver allows a low-privileged local user to exhaust TPM localities and deny TPM service on systems equipped with STMicroelectronics ST33ZP24 hardware. When get_burstcount() returns -EBUSY on timeout, st33zp24_send() exits without releasing the previously acquired TPM locality, creating a cumulative leak that can render all subsequent TPM operations unavailable. No public exploit code exists and EPSS probability is 0.02% (7th percentile), but systems relying on the ST33ZP24 for measured boot or disk-encryption attestation face meaningful operational risk if exploited.
Memory leaks in the Linux kernel's SUNRPC auth_gss subsystem allow a local low-privilege attacker to gradually exhaust kernel heap memory on systems using NFS with Kerberos (RPCSEC_GSS) authentication. The gssx_dec_ctx(), gssx_dec_status(), and gssx_dec_name() XDR decoding functions fail to release previously allocated kernel buffers when a partial decode sequence errors out mid-function, leaving unreferenced kmemdup() allocations on the heap. No public exploit exists and EPSS is 0.02%, but no public exploit identified at time of analysis; repeated triggering of the vulnerable paths could degrade availability on RPCSEC_GSS-enabled servers.
NULL pointer dereference in the Linux kernel's wm97xx battery power supply driver crashes the kernel when a hardware interrupt fires during a narrow initialization race window. Systems running Linux kernel versions from 2.6.32 through various stable branches (pre-patch releases in 5.10, 5.15, 6.1, 6.6, 6.12, 6.18, 6.19, and 7.0 series) with wm97xx-equipped hardware are affected. A local attacker - or natural hardware interrupt timing - can trigger a kernel panic (denial of service) during driver probe; no public exploit has been identified and EPSS sits at the 7th percentile, reflecting the narrow hardware footprint.
Reference count leak in the Linux kernel's pinctrl-single driver (`pcs_add_gpio_func()`) allows a local low-privileged user to cause kernel memory exhaustion and denial of service on affected embedded/SoC platforms. The `of_parse_phandle_with_args()` Device Tree API increments a refcount on the returned device_node pointer, but the iterating loop never calls `of_node_put()` to release it - accumulating leaked references on every GPIO phandle processed. No public exploit exists and EPSS is 0.02%, placing this firmly in the low-urgency patch category; exploitation requires specific hardware and driver configuration not present on typical x86 servers.
Local privilege escalation potential via a use-after-free in the Linux kernel's act8945a power supply driver, where the ACT8945A PMIC IRQ is requested before the power_supply handle is registered (and torn down after it during removal), letting an interrupt invoke power_supply_changed() on a freed or uninitialized handle. Affected systems run vulnerable Linux kernel builds (pre-6.6.128, pre-6.12.75, pre-6.1.165, pre-5.15.202, pre-5.10.252, and others) with the act8945a driver bound to real Atmel/Microchip SAMA5-class hardware. There is no public exploit identified at time of analysis; EPSS is very low (0.02%, 7th percentile) and the flaw is not in CISA KEV.
Local privilege-bounded use-after-free in the Linux kernel's CAIF serial line discipline (caif_serial / CONFIG_CAIF_TTY) lets a local attacker corrupt kernel memory by racing ldisc_close() against packet transmission. ldisc_close() drops the tty reference via tty_kref_put() while the CAIF network device is still live, so a concurrent caif_xmit()/handle_tx() can dereference the freed tty (ser->tty) and call tty->ops->write() on dangling memory, confirmed by a KASAN slab-use-after-free report. A reproducer is published, but no public weaponized exploit and no active exploitation are recorded; EPSS is 0.02% (7th percentile), consistent with a niche driver and a tight race window.
Uninitialized stack memory exposure in the Linux kernel's MCTP-over-I2C (mctp-i2c) driver affects systems using i2c-aspeed or i2c-npcm7xx bus drivers, particularly server/BMC hardware with Aspeed and Nuvoton chipsets. When a read is performed against an mctp-i2c device instance, the event handler fails to initialize the 'val' byte before returning it to the caller, exposing whatever residual value sits on the kernel stack at that moment. No public exploit has been identified at time of analysis, and with an EPSS of 0.03% (10th percentile), real-world exploitation pressure is currently negligible; however, kernel stack data leakage is a meaningful information disclosure primitive on affected hardware.
Infinite loop denial of service in the Linux kernel's ntfs3 filesystem driver allows a local low-privileged user to hang the kernel's I/O subsystem by triggering a non-terminating loop in the file write path. The flaw in `ntfs_file_write_iter` (fs/ntfs3/file.c:1284) occurs when iterating over the valid data range [valid:pos) during a write operation - if the `valid` pointer fails to advance (returning the same value), the loop condition is never satisfied and the inode lock is held indefinitely, causing a full write-path hang. No active exploitation has been identified (absent from CISA KEV) and EPSS of 0.02% at the 7th percentile confirms negligible observed exploitation activity; a patch is available across all affected stable branches.
Memory leak in the Linux kernel's DesignWare i3c master driver (`drivers/i3c/master/dw-i3c-master.c`) allows a local low-privileged user on systems equipped with DesignWare i3c hardware to cause gradual kernel memory exhaustion by repeatedly triggering the failure path in `dw_i3c_master_i2c_xfers()`, where `dw_i3c_master_alloc_xfer()` allocates a transfer structure that is never freed when `pm_runtime_resume_and_get()` returns an error. No public exploit identified at time of analysis; EPSS of 0.02% (5th percentile) and the static-analysis discovery method both confirm this is a low-immediacy, low-exploitation-probability issue. Vendor-released patches are available across multiple stable kernel branches.
Stale data exposure and filesystem data corruption in the Linux kernel's ext4 extent-splitting subsystem affects all major stable branches prior to 6.6.130, 6.12.75, 6.18.14, 6.19.4, and 7.0. When ext4_split_extent_at() encounters a transient ENOSPC condition while splitting a large unwritten extent at its first boundary, the error path incorrectly zeroes out and marks the entire extent as written - leaving stale disk content from adjacent regions readable in areas that should remain unwritten or zero-filled. No public exploit identified at time of analysis; EPSS at 0.02% (5th percentile) reflects the narrow, local-only, condition-dependent trigger path that makes automated or widespread exploitation highly unlikely.
NULL pointer dereference in the Linux kernel's csiostor SCSI driver (Chelsio T5 iSCSI storage controller) causes a local denial-of-service via kernel panic. The flaw resides in the error exit path: when the pointer rn is NULL, the CSIO_INC_STATS macro still dereferences it, triggering a kernel crash. Exploitation requires local low-privilege access on a system equipped with Chelsio csiostor hardware; no active exploitation is confirmed (not in CISA KEV) and EPSS sits at 0.02% (7th percentile), indicating minimal real-world exploitation pressure.
Non-NCQ command starvation in the Linux kernel's libata-scsi layer can cause complete denial of service for certain disk I/O operations on systems using multi-queue ATA host adapters. On affected hardware, when a target storage device is under sustained NCQ (Native Command Queuing) traffic, the SCSI layer's SCSI_MLQUEUE_XXX_BUSY requeue mechanism provides no forward-progress guarantees for non-NCQ commands - other CPU cores can continuously inject new NCQ commands from separate submission queues, indefinitely deferring the non-NCQ command. No public exploit has been identified at time of analysis and EPSS probability is very low (0.02%, 5th percentile), but the bug can manifest naturally under heavy I/O workloads without deliberate exploitation.
Kernel panic in the Linux inside-secure/eip93 hardware crypto driver occurs when the driver teardown routine unconditionally unregisters all cryptographic algorithms, including those never registered because the underlying EIP93 silicon does not implement them. Platforms with partial EIP93 silicon support - where only a subset of algorithms are burned into hardware - trigger the panic during module removal or system shutdown. No public exploit exists and EPSS sits at the 4th percentile (0.02%), indicating this is primarily a stability defect with negligible exploitation interest rather than a targeted attack surface.
Memory corruption in the Linux kernel's AMD GPU driver (amdgpu) arises because amdgpu_gmc_get_nps_memranges() releases buffers allocated by amdgpu_discovery_get_nps_info() with kfree() even though that memory may have been allocated via kvcalloc()/vmalloc(), corrupting the kernel allocator state. The flaw affects systems running AMD GPUs on kernels prior to the fixed stable releases (6.12.75, 6.18.14, 6.19.4, and 7.0). There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and the issue was found via static analysis and code review rather than in-the-wild exploitation.
Denial of service in the Linux kernel's EFI unaccepted-memory handling allows a boot-time kernel panic on confidential-computing guests, affecting kernels from 6.6 through the 6.19/7.0 development line. The reserve_unaccepted() routine miscalculates the memblock reservation size when the unaccepted memory table is not page-aligned, leaving the table's tail unreserved so it can be overwritten or rendered inaccessible, triggering a panic in accept_memory(). It is observed on Intel TDX VMs with larger memory sizes (e.g. >64GB); there is no public exploit identified at time of analysis and EPSS is negligible (0.02%).
Incorrect offset handling in the Linux kernel IPVS subsystem causes IPv6 protocol checksum validation to fail when extension headers precede the transport header, disrupting availability on systems acting as IPv6 load balancers. Affected across a broad kernel version range from 2.6.28 onward, with fixes confirmed in stable releases 6.19.4 and mainline 7.0. No public exploit code exists and no active exploitation has been identified; EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation pressure.
Improper locking in the Linux kernel's Microsemi Ocelot network switch driver (`net/mscc/ocelot`) allows a local low-privileged user on hardware running Ocelot switch chips to trigger a race condition in `ocelot_port_xmit_inj()`, potentially causing a kernel panic or system crash. Affected stable branches span 6.1.107-6.1.164, 6.6.48-6.6.127, and 6.10.7 through 6.11 release candidates, with patches confirmed in 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, and 7.0. No public exploit identified at time of analysis; EPSS at 0.02% (7th percentile) reflects extremely low exploitation probability, consistent with the hardware-specific trigger requirement and local-only attack vector.
NULL pointer dereference in the Linux kernel's AppArmor LSM function `aa_sock_file_perm` allows a local authenticated user to crash the kernel (oops) during socket setup or teardown. The flaw affects the fallback mediation path for AF_UNIX sockets and all other socket families when AppArmor is in enforcing mode, because neither `sock` nor `sock->sk` are validated for NULL before dereferencing. Impact is limited to availability (system crash); no confidentiality or integrity loss is possible. No public exploit is identified at time of analysis, and EPSS at 0.02% (7th percentile) indicates negligible exploitation probability.
Reachable assertion in the Linux kernel network subsystem allows a local low-privileged user to trigger a WARN_ON_ONCE by constructing a sufficiently long forward path through IPIP tunnels, resulting in a kernel warning and high availability impact. The root cause (CWE-617) is an assertion in the forward path array access code that became reachable after IPIP tunnel support was introduced, expanding the possible depth of forward paths beyond the implicit assumption encoded in the warning. No public exploit code exists and EPSS is extremely low (0.02%, 7th percentile), but the kernel-level denial-of-service impact on local multi-tenant or containerized systems warrants patching.