Red Hat
Monthly
Reachable assertion in the Linux kernel network subsystem allows a local low-privileged user to trigger a WARN_ON_ONCE by constructing a sufficiently long forward path through IPIP tunnels, resulting in a kernel warning and high availability impact. The root cause (CWE-617) is an assertion in the forward path array access code that became reachable after IPIP tunnel support was introduced, expanding the possible depth of forward paths beyond the implicit assumption encoded in the warning. No public exploit code exists and EPSS is extremely low (0.02%, 7th percentile), but the kernel-level denial-of-service impact on local multi-tenant or containerized systems warrants patching.
OCSP responder certificate validity bypass in Erlang OTP's public_key library allows forged OCSP responses-signed with the private key of an expired responder certificate-to be accepted as valid, defeating TLS certificate revocation checks. Affected deployments include TLS clients using OCSP stapling via the ssl application, and any application calling public_key:pkix_ocsp_validate/5 directly for server-side client certificate validation. An attacker who has obtained the private key of an expired CA-designated OCSP responder can present a revoked TLS certificate alongside a forged OCSP response and achieve authentication bypass. No public exploit code exists and CISA KEV does not list this vulnerability; SSVC rates exploitation as none at time of analysis.
Memory leak in the Linux kernel NTFS3 driver's ntfs_fill_super() function allows a local user with mount privileges to gradually exhaust kernel memory by repeatedly mounting NTFS filesystems. The ntfs_mount_options structure (32 bytes per mount) is permanently leaked because fc->fs_private is nulled before ntfs_fs_free() can release it, confirmed by kmemleak tooling. No active exploitation has been identified - EPSS is 0.02% (5th percentile) and this vulnerability is absent from CISA KEV - making it a maintenance-class fix rather than an urgent security priority, though the availability impact is rated High by CVSS.
Uninitialized memory use in the Linux kernel's NTFS3 filesystem driver (fs/ntfs3) causes a kernel crash when a local, low-privileged user triggers NTFS compression writes under specific folio allocation conditions. The flaw was surfaced by KMSAN (Kernel Memory Sanitizer) in longest_match_std(), called from ntfs_compress_write(), when newly allocated folios are neither marked uptodate nor initialized before use. No public exploit or active exploitation has been identified; EPSS stands at 0.02% (5th percentile), confirming negligible automated attack activity at time of analysis.
Deadlock in the Linux kernel's NTFS3 compressed-file read path (fs/ntfs3) causes indefinite task hang and local denial of service when concurrent readers contend over compressed NTFS frames. The inode mutex (ni_lock) and VFS page locks are acquired in inverted order across two concurrent tasks - a classic ABBA deadlock first surfaced by Syzbot. Versions prior to 6.19.4 (stable) and 7.0 (mainline) are affected; no public exploit or active exploitation has been identified, and the EPSS score of 0.02% (5th percentile) reflects the narrow, configuration-specific conditions required.
NULL pointer dereference in the Linux kernel's accel/amdxdna driver (AMD AI accelerator/NPU subsystem) allows a local low-privileged user to trigger a kernel crash and denial of service. The flaw arises during error-path execution in aie2_create_context(): when mailbox channel creation fails, the channel pointer remains NULL, yet aie_destroy_context() is unconditionally called assuming it is non-NULL. No public exploit code exists and EPSS probability is 0.02%, indicating very low exploitation activity. Vendor-released patches are available in Linux 6.19.4 and the 7.0 series.
NULL pointer dereference in the Linux kernel's drm/panthor subsystem causes a kernel panic and denial of service during GPU firmware unplug operations. The `panthor_fw_unplug()` function incorrectly attempted MCU halt and wait procedures even when firmware was never loaded or fully initialized, dereferencing a NULL pointer in that code path. Systems running a Panthor-based ARM Mali GPU (using the Panthor DRM driver) are affected across kernel versions from the introduction of the driver up to the fixed stable commits; no public exploit exists and EPSS is at the 5th percentile, indicating negligible opportunistic exploitation probability.
Out-of-bounds stack read in the Linux kernel's IMA (Integrity Measurement Architecture) subsystem, in ima_appraise_measurement() reached via is_bprm_creds_for_exec(), affecting kernels from the 6.14 series up to the fixed stable commits. A misuse of container_of() on a *file pointer computes an invalid stack offset, letting a local execution path read one byte past a stack frame object (flagged by KASAN), which can disclose adjacent stack data or crash the task. EPSS is very low (0.02%, 5th percentile), the CVE is not on CISA KEV, and there is no public exploit identified at time of analysis; the issue is patched upstream.
The drm/display/dp_mst subsystem in the Linux kernel crashes with a UBSAN shift-out-of-bounds error when a DP 2.1 monitor disconnects while delayed_destroy_work is still in flight, producing a kernel denial-of-service on affected systems. Systems running unpatched kernel versions across the 6.1.x, 6.6.x, 6.12.x, 6.18.x, and 6.19.x stable branches with DisplayPort Multi-Stream Transport (MST) capable hardware are vulnerable. No public exploit or active exploitation has been identified; patches are available across all affected stable branches with specific fix commits traceable to git.kernel.org.
Networking denial of service in the Linux kernel's Smack LSM disrupts IPv4 connectivity for all processes carrying non-ambient Smack labels when a previously-used CIPSO DOI value is cycled through /smack/doi. The kernel's smk_cipso_doi function retains decommissioned DOI definitions in netlabel's CIPSO configuration, causing re-add operations to fail with EEXIST (-17); this prevents the default IPv4 domain mapping from being re-established, silently severing label-based network traffic. No public exploit code is identified and EPSS sits at 0.02% (7th percentile), reflecting the very narrow deployment surface - only systems with Smack as the active LSM and CIPSO networking configured are affected.
Race condition in the Linux kernel's accel/amdxdna driver allows a local low-privileged user to cause device availability impact on systems equipped with AMD XDna AI accelerator hardware. The flaw in the rpm_on flag check permits command submissions to the accelerator during a narrow autosuspend transition window before the device has fully resumed, producing undefined hardware behavior or driver crashes. No public exploit exists and EPSS is at the 6th percentile (0.02%), indicating negligible real-world exploitation probability; no active exploitation is confirmed.
NULL pointer dereference in the Linux kernel bareudp driver crashes the kernel when Open vSwitch triggers `bareudp_fill_metadata_dst()` against a down IPv6 bareudp tunnel device. The socket pointer (`bareudp->sock`) is NULL between `bareudp_stop()` and `bareudp_open()`, and the IPv6 path passes it unsafely to `udp_tunnel6_dst_lookup()` at `sock->sk` offset 0x18. A local attacker with low privileges and access to OVS netlink commands can force a kernel panic, causing a denial of service. No public exploit code exists and no active exploitation has been identified; EPSS at 0.02% (5th percentile) confirms negligible observed exploitation.
Kernel NULL pointer dereference in the Linux TAPRIO traffic scheduler allows a local user with namespace-scoped CAP_NET_ADMIN to trigger a kernel panic. On systems with unprivileged user namespaces enabled - the default on Ubuntu, Fedora, Debian, and most container-oriented distributions - any unprivileged local user can acquire namespace-scoped CAP_NET_ADMIN simply by creating a new network namespace, reducing the effective privilege bar to an ordinary user account. Patched stable releases exist (6.6.141, 6.12.91, 7.0.10, 6.18.33, 7.1-rc2), no active exploitation has been confirmed by CISA KEV, and EPSS is 0.02% (5th percentile), but the straightforward attack sequence and wide Linux footprint make this a priority patch on multi-tenant or container-hosting systems.
Incorrect ARP payload parsing in the Linux kernel's netfilter arptables subsystem causes filtering rules to evaluate against garbage data on systems with IEEE1394 (FireWire) network interfaces. The arp_packet_match() function and arpt_mangle both assume a standard dual-hardware-address ARP layout, but IPv4-over-IEEE1394 per RFC 2734 omits the target hardware address field - the same discrepancy the rest of the kernel ARP stack already handles correctly. The result is that arptables rules on FireWire interfaces silently malfunction: legitimate traffic may be dropped and traffic that should be blocked may be passed, with arpt_mangle additionally writing to wrong offsets and corrupting packets. No public exploit has been identified and EPSS is 0.02% (6th percentile), consistent with the extremely niche attack surface.
Null pointer dereference in the Linux kernel SLIP header compression (slhc) subsystem crashes the kernel when a VJ-compressed frame is received on a PPP instance configured with zero receive slots. An unprivileged local user who can create a user namespace can invoke the PPPIOCSMAXCID ioctl with a crafted argument (0xffff0000) that exploits a signed-integer arithmetic shift to supply rslots=0 to slhc_init(), leaving comp->rstate NULL; any subsequent inbound VJ frame targeting slot 0 then dereferences that NULL pointer in softirq context, producing a kernel panic. No public exploit has been identified at time of analysis, and EPSS probability is negligible at 0.02%, but the attack path is fully reachable from unprivileged user namespaces, making the practical privilege bar lower than the PR:L label implies on systems where user namespaces are enabled.
Divide-by-zero in the Linux kernel netfilter OSF module (nfnetlink_osf) allows a local user with CAP_NET_ADMIN to crash the kernel. By injecting a crafted OS fingerprint with a zero window scale value (wss.val=0) via nfnetlink, the attacker causes nf_osf_match_one() to execute an unguarded modulo operation when any subsequent matching TCP SYN packet is processed, resulting in a kernel panic and system-wide denial of service. No active exploitation is confirmed; EPSS sits at 0.02% (5th percentile), reflecting very low probability of widespread automated exploitation.
Kernel panic in the Linux kernel's Open vSwitch (openvswitch) subsystem allows a low-privileged local user to crash the host kernel on Ubuntu-default and similar configurations. The vport netlink reply handler pre-allocates a fixed-size buffer but lacks an upper-bound check on the upcall PID array size, causing nla_put() to return -EMSGSIZE and BUG_ON(err < 0) to fire in ovs_vport_cmd_set(), triggering a kernel panic. On systems with unprivileged user namespaces enabled (Ubuntu default), any local user can reach this path via unshare -Urn without requiring elevated privileges. No public exploit has been identified at time of analysis, and EPSS at 0.02% reflects low current exploitation probability.
Local denial of service in the Linux kernel's BPF CO-RE relocation parser allows a process holding CAP_BPF to deterministically crash the system by loading a BPF program with a negative CO-RE accessor index. The flaw stems from bpf_core_parse_spec() in the libbpf relocation core accepting negative values from sscanf("%d") that bypass upper-bound checks due to integer promotion, ultimately driving an out-of-bounds read past the BTF members array. EPSS is negligible (0.01%) and there is no public exploit identified at time of analysis; a kernel oops backtrace is published in the changelog but it serves as a crash reproducer rather than a weaponized exploit.
Incorrect end-of-list detection in the Linux kernel's BPF cgroup storage map subsystem allows a local low-privileged user with BPF syscall access to trigger a kernel crash (denial of service) via the `cgroup_storage_get_next_key()` function. The function uses `list_next_entry()`, which never returns NULL but wraps to the list head on the last element, causing the kernel to read `storage->key` from a bogus pointer aliasing internal map fields and copy the result to userspace - a condition that can provoke a kernel oops or panic. No public exploit exists and EPSS is 0.02% (5th percentile), consistent with the local-only attack surface and absence of CISA KEV listing.
Local privilege-escalation-class memory corruption in the Linux kernel's BPF arena subsystem (introduced around 6.9) allows a process holding BPF capabilities to trigger a use-after-free. When a BPF arena VMA is inherited across fork(), arena_vm_open() bumps the mmap refcount but never registers the child VMA in arena->vma_list, leaving vml->vma pointing at the parent VMA; after the parent munmaps, a child call to bpf_arena_free_pages() dereferences the dangling pointer in zap_pages(). No public exploit or active exploitation is identified (EPSS 0.02%, 5th percentile), and vendor patches are available.
Denial of service in the zipdetails CLI tool bundled with Perl's IO::Compress versions 2.207 through 2.219 causes the script to abort with status 255 when parsing a ZIP archive containing an Info-ZIP Unix Extra Field (tag 0x7875) that declares an 8-byte UID or GID size. The bug is a typo in the source (calling unpackValueQ instead of unpackValue_Q), and no public exploit is identified at time of analysis; library callers of IO::Compress/IO::Uncompress are unaffected. EPSS is negligible (0.02%) and impact is limited to crashing the inspection tool, not the consuming application.
Denial of service in the Perl module IO::Uncompress::Unzip before version 2.220 allows remote attackers to cause CPU exhaustion by supplying a crafted ZIP archive that triggers a per-byte read loop in the fastForward() routine. No public exploit identified at time of analysis, and EPSS rates exploitation probability at 0.02%, but any application that accepts untrusted ZIP files and extracts a named entry through this module is exposed to availability impact.
Uncaught exception in IO::Uncompress::Unzip before version 2.215 for Perl causes application-level denial of service when parsing ZIP files containing malformed DOS date fields. The `_dosToUnixTime()` function calls `Time::Local::timelocal()` without an `eval` guard, so a ZIP header encoding an out-of-range month, day, or hour causes `timelocal()` to `die`, propagating the exception to the caller rather than returning `undef` with a populated `$UnzipError` as callers expect. Any Perl application that processes untrusted ZIP files locally is affected; no public exploit has been identified at time of analysis, and EPSS exploitation probability is negligible at 0.02%.
Denial of service in OpenStack Swift's s3api middleware allows an authenticated S3 API user to permanently hang proxy-server workers by sending a truncated aws-chunked PUT request body. Versions 2.36.0 through 2.36.1 and 2.37.0 through 2.37.1 are affected; the defect was introduced in 2.36.0 and fixed in 2.36.2 and 2.37.2. There is no public exploit identified at time of analysis, and EPSS is very low (0.04%, 12th percentile), but the high availability impact and low attack complexity make this a credible operational threat to S3-compatible Swift deployments.
Arbitrary package installation leading to code execution affects the yeoman-environment npm library (the runtime behind the Yeoman/`yo` scaffolding CLI) in versions >= 2.9.0 and < 6.0.1. The vulnerable `installLocalGenerators()` method silently calls `repository.install()` on caller-supplied package names without any user confirmation, so a downstream CLI that passes attacker-controlled project configuration into this path will install and execute attacker-chosen packages during bootstrap. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; CVSS is 8.6 (high) but exploitation is contingent on how consumers feed configuration into the library.
Null pointer dereference in the Linux kernel's Bluetooth L2CAP socket layer crashes the kernel when `l2cap_sock_get_sndtimeo_cb()` is invoked with a NULL socket context, resulting in a local denial-of-service (kernel panic). The flaw stems from an oversight where sibling callbacks `l2cap_sock_resume_cb()` and `l2cap_sock_ready_cb()` already carry the required NULL guard, but `l2cap_sock_get_sndtimeo_cb()` does not. With EPSS at 0.02% (5th percentile), no public exploit identified, and no CISA KEV listing, real-world exploitation risk is low - but the vulnerability has persisted since Linux 3.13 and affects every major stable branch until patched versions were released.
Null pointer dereference in the Linux kernel's Bluetooth L2CAP socket layer crashes the kernel when `l2cap_sock_new_connection_cb()` is invoked without the NULL guard present in sibling callbacks. Local unprivileged users on systems with Bluetooth enabled can trigger a kernel oops or panic, resulting in a denial of service. No public exploit or CISA KEV listing exists; EPSS probability is near zero at 0.02% (5th percentile), indicating minimal active exploitation interest at time of analysis.
NULL pointer dereference in the Linux kernel Bluetooth L2CAP subsystem causes a local denial-of-service via kernel panic when `l2cap_sock_state_change_cb()` is invoked with a NULL socket pointer. A local low-privileged user with access to the Bluetooth socket API can trigger a system crash by exercising the L2CAP state change callback path that lacked the NULL guard already applied to sibling callbacks `l2cap_sock_resume_cb()` and `l2cap_sock_ready_cb()`. No active exploitation is confirmed (not in CISA KEV) and EPSS stands at 0.02% (5th percentile), indicating minimal real-world adversarial interest at time of analysis.
Denial of service in vllm 0.19.0's OpenAI-compatible serving path allows remote unauthenticated attackers to exhaust scheduler resources by submitting requests with unbounded logprob counts. The root cause, confirmed by PR diff analysis, is the absence of any per-batch logprob budget in the v1 scheduler: requests specifying logprobs=-1 (full vocabulary) multiplied across parallel sequences (n) generate massive compute and memory overhead with no cap, blocking or crashing the inference server. Publicly available exploit code exists (GitHub issue #37343); no confirmed active exploitation at time of analysis.
Arbitrary file modification in the Perl Archive::Tar module before version 3.08 allows a malicious tar archive to create hardlinks pointing outside the extraction directory. Any application or service that extracts attacker-supplied tarballs is affected: because extraction chmods the shared inode of a hardlink, an attacker can alter permissions of sensitive files outside the intended target path. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; it is not listed in CISA KEV.
Heap buffer over-read in ImageMagick's distributed pixel cache server affects all Magick.NET NuGet package variants prior to version 14.12.0. An attacker with the ability to connect to a running `magick -distribute-cache` service can trigger an out-of-bounds read (CWE-125) in the server process, resulting in high-severity confidentiality impact (memory disclosure) and availability impact (potential crash). No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 5.7 reflects meaningful mitigating constraints: high attack complexity and high privileges required per the vector.
Information disclosure in Magick.NET's distributed pixel cache server exposes sensitive pixel data due to the absence of a challenge-response authentication model on the cache service. All Magick.NET NuGet packages (Q16, Q16-HDRI, and OpenMP variants across AnyCPU, x64, x86, arm64 architectures) prior to version 14.12.0 are affected. A highly privileged local attacker meeting the high-complexity conditions of this vulnerability could read pixel cache contents belonging to other processes, leaking potentially sensitive image data. No public exploit code and no CISA KEV listing have been identified at time of analysis.
File descriptor hijacking in ImageMagick's distributed pixel cache server (magick -distribute-cache) exposes sensitive data via a race condition exploitable by a privileged local attacker. Affected are all Magick.NET NuGet packages across Q16, Q16-HDRI, OpenMP, and ARM64 variants prior to version 14.12.0. Successful exploitation yields high-confidentiality impact - an attacker can read file descriptors belonging to the server process - though no public exploit code exists and this is not currently listed in the CISA KEV catalog.
Heap buffer over-write in ImageMagick's distributed pixel cache server (`magick -distribute-cache`) allows an attacker who can connect to the service to corrupt the server process's heap memory, resulting in a high-severity denial-of-service condition. All Magick.NET NuGet package variants (Q16, HDRI, OpenMP, across arm64/x64/x86/AnyCPU architectures) prior to version 14.12.0 are confirmed affected. No public exploit has been identified at time of analysis and the vulnerability does not appear in CISA KEV; however, a notable discrepancy exists between the CVSS attack vector (AV:L, local) and the description's implication of service-level connectivity, which warrants independent verification before fully trusting the low CVSS score.
Panic-induced denial of service in the golang.org/x/crypto/ssh/agent package allows remote unauthenticated attackers to crash processes by submitting specially crafted SSH agent protocol messages containing malformed wire-format bytes that are unsafely cast into an ed25519.PrivateKey without sufficient validation. All versions of golang.org/x/crypto/ssh/agent prior to 0.52.0 are affected. No public exploit exists at time of analysis (EPSS 0.02%), though the SSVC framework flags the attack as automatable, and a vendor patch is available.
Null pointer dereference in the Linux kernel's RED qdisc (sch_red) allows a local user with low privileges to trigger a kernel panic and system crash when a specific nested qdisc hierarchy is configured. The flaw occurs in net/sched/sch_red.c when RED calls its child qdisc's dequeue() directly after a peek() has already cached the packet in QFQ's gso_skb buffer, causing QFQ's dequeue path to dereference a null pointer. No public exploit has been identified at time of analysis, and EPSS is 0.02% (7th percentile), reflecting very low real-world exploitation probability.
Heap corruption in Google Chrome's GPU component prior to version 148.0.7778.179 allows remote attackers to exploit an out-of-bounds read via a crafted HTML page, potentially leading to arbitrary code execution or information disclosure within the renderer context. The flaw carries a CVSS 8.8 (High) rating due to network reachability and high impact across confidentiality, integrity, and availability, though exploitation requires user interaction (visiting a malicious page). There is no public exploit identified at time of analysis, and CISA SSVC marks exploitation status as 'none', suggesting opportunistic rather than active targeting.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 stems from a use-after-free flaw in the WebRTC component, enabling a remote attacker to run arbitrary code when a victim visits a crafted HTML page. Chromium rates the severity as High and the CVSS 3.1 score is 8.8, but exploitation requires user interaction (UI:R); no public exploit identified at time of analysis.
Heap buffer overflow in the WebRTC component of Google Chrome before 148.0.7778.179 allows remote attackers to execute arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. The flaw was reported by Chrome's internal security team, has a patched stable channel build available, and carries a CVSS 8.8 score with no public exploit identified at time of analysis. SSVC currently rates exploitation as 'none' but technical impact as 'total', reflecting full compromise of the affected process if triggered.
Remote code execution in Google Chrome on Windows prior to 148.0.7778.179 stems from a use-after-free flaw in the XR (WebXR) component, enabling a remote attacker to run arbitrary code in the renderer process by enticing a user to visit a crafted HTML page. Chromium rates the issue High severity and CVSS scores it 8.8; no public exploit identified at time of analysis and SSVC reports exploitation status as none. A vendor patch is available via the Stable Channel update referenced in the Chrome Releases advisory.
Sandbox escape in Google Chrome (Linux and ChromeOS) prior to 148.0.7778.179 allows a remote attacker who has already compromised the renderer process to break out via a crafted video file processed by the GFX component. The flaw is a type confusion (CWE-843) rated High severity by Chromium, with no public exploit identified at time of analysis and SSVC indicating exploitation has not been observed. It requires user interaction and chained exploitation of a prior renderer compromise, which raises the bar despite the High CVSS of 7.5.
ServiceWorker policy enforcement failure in Google Chrome prior to version 148.0.7778.179 enables unauthenticated remote attackers to leak cross-origin data by luring a victim to a crafted HTML page. The vulnerability stems from Chrome's ServiceWorker layer failing to adequately enforce isolation boundaries (CWE-693), allowing a malicious origin to read data it should not have access to under the same-origin policy. No public exploit identified at time of analysis, and the CVSS score of 4.3 reflects limited confidentiality impact; however, the zero-privilege, network-accessible attack vector means any Chrome user browsing a malicious page could be affected.
Same-origin policy bypass in Google Chrome's Service Worker subsystem (all versions prior to 148.0.7778.179) allows remote unauthenticated attackers to read cross-origin data by luring a victim to a crafted HTML page. The flaw originates from insufficient policy enforcement (CWE-693) within the Service Worker layer, enabling unauthorized access to confidential data across origins. No public exploit code has been identified and no active exploitation is confirmed; Google has shipped a fix in stable channel version 148.0.7778.179.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 stems from a use-after-free condition in the QUIC networking stack, allowing remote attackers to execute arbitrary code within the browser sandbox via malicious network traffic. Exploitation requires user interaction (visiting a malicious site or processing attacker-controlled QUIC traffic), and no public exploit has been identified at time of analysis. Chromium rates this as High severity, and a vendor patch is available.
Out-of-bounds memory read in the GPU component of Google Chrome on macOS exposes process memory to remote attackers via a crafted HTML page. Affected versions are all Chrome releases prior to 148.0.7778.179 on Mac; Windows and Linux are not identified as affected. No public exploit or active exploitation has been identified at time of analysis, and SSVC confirms exploitation status as none with non-automatable attack delivery.
Remote code execution in Google Chrome on Windows prior to version 148.0.7778.179 stems from a use-after-free condition in the GPU component, enabling a remote attacker to run arbitrary code within the renderer sandbox after the victim loads a crafted HTML page. Google has rated the issue High severity and shipped a fix; no public exploit identified at time of analysis and SSVC indicates exploitation status 'none' despite total technical impact.
UI spoofing in Google Chrome on Windows (prior to 148.0.7778.179) enables a remote attacker who has already achieved renderer process compromise to deceive end users through a crafted HTML page, exploiting CWE-451 (UI Misrepresentation of Critical Information). Affected users on Windows running any Chrome version below 148.0.7778.179 are exposed to potential phishing or credential-harvesting scenarios dressed up as legitimate browser UI. No public exploit code or CISA KEV listing exists at time of analysis, but the Chromium team assigned a Critical internal severity - a meaningful contrast with the NVD CVSS score of 4.2 - suggesting the spoofing potential carries downstream risk beyond what the base score reflects.
Remote code execution in Google Chrome on Linux before 148.0.7778.179 stems from a use-after-free flaw in the WebRTC component, allowing a remote attacker who lures a victim to a crafted HTML page to execute arbitrary code in the renderer process. Chromium rates the severity as Critical and a vendor patch is available, though there is no public exploit identified at time of analysis and SSVC indicates no observed exploitation. The CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability with required user interaction (visiting a page).
Resource exhaustion in ISC BIND 9's resolver state machine allows remote unauthenticated attackers to trigger an unbounded resend loop by sending crafted DNS queries that activate bad-server retry conditions, degrading resolver availability. Multiple active release branches are affected across standard and Subscription Edition builds spanning versions 9.18.36 through 9.21.21. No public exploit has been identified and the vulnerability is not listed in CISA KEV; however, the fully network-accessible, zero-authentication attack vector makes every exposed BIND 9 resolver a potential target.
Amplified resource exhaustion in ISC BIND 9 resolvers enables remote unauthenticated attackers to cause disproportionate resource consumption by directing a victim resolver to query a specially crafted authoritative DNS zone. All major BIND 9 resolver branches are affected, spanning versions 9.11.x through 9.21.x including BIND 9 Supported (S1) variants, representing a broad deployment footprint across enterprise and ISP resolver infrastructure. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; ISC has released patched versions.
Heap use-after-free in Unbound's RPZ (Response Policy Zone) subsystem crashes the DNS resolver under a specific race condition affecting multi-threaded deployments. Versions 1.14.0 through 1.25.0 are affected when an RPZ zone with 'rpz-nsip' or 'rpz-nsdname' triggers is served via XFR (zone transfer) and a simultaneous read occurs in another thread. The crash is remotely triggerable by timing a DNS query against an in-progress XFR, but requires multiple co-occurring non-default conditions; no public exploit exists and no active exploitation has been confirmed.
DNS cache poisoning in NLnet Labs Unbound 1.25.0 and earlier allows an adjacent-network attacker to inject malicious resource records into the resolver's cache by exploiting insufficient validation of authority-section RRSets. By attaching forged non-NS RRSets (such as MX records) with accompanying address records in spoofed or fragmented DNS replies, an attacker can trick Unbound into caching poisoned entries when the authority RRSet carries sufficient trust as in-zone delegation data. Publicly available proof-of-concept exploit code exists (CVSS 4.0 E:P); this is a complement fix to CVE-2025-11411, meaning systems that patched the prior vulnerability but have not upgraded to 1.25.1 remain exposed.
Unbound DNS resolver up to and including version 1.25.0 exposes a denial-of-service condition in its DNSSEC validation stack, specifically in the negative cache code path used to look up DS records. An adversary who controls a DNSSEC-signed zone can craft NSEC3 records with high-but-permissible iteration counts for child delegations, causing any vulnerable Unbound instance that queries those records to perform unbounded SHA-1 hash computations while holding a global negative cache lock - blocking all other threads that need cache access. No public exploit code exists and this is not listed in the CISA KEV catalog at time of analysis, but coordinated query floods against the vulnerable code path could escalate a single-instance slowdown into a full denial of service.
Heap out-of-bounds read in Unbound's DNSCrypt packet handling allows a remote unauthenticated attacker to potentially crash the resolver with a single malformed query, causing denial of service. Affected are all Unbound installations from version 1.6.2 through 1.25.0 that were compiled with the optional '--enable-dnscrypt' flag. The crash is probabilistic rather than guaranteed - whether the out-of-bounds read escalates to a heap overflow depends entirely on the memory allocator behavior and heap layout at runtime; absent a crash, Unbound's own packet validation will discard the offending query. No public exploit exists and no active exploitation has been identified at time of analysis.
Timing side-channel in memcached versions prior to 1.6.42 allows remote attackers to recover SASL authentication credentials by measuring response times during password comparison. The flaw stems from the use of the non-constant-time memcmp() function within sasl_server_userdb_checkpass, enabling byte-by-byte inference of stored passwords. No public exploit identified at time of analysis, but the upstream fix has been published.
Heap memory disclosure in strukturag libheif versions 1.21.2 and prior exposes up to 12,288+ bytes of uninitialized heap content - potentially containing auth tokens, database results, or other users' image data - when decoding crafted HEIF or AVIF grid images under the library's default settings. The decode path silently suppresses tile failures while returning heif_error_Ok, so calling applications receive heap garbage as valid pixel values with no error indication. Server-side image pipelines that ingest user-uploaded HEIF/AVIF and re-encode the output (e.g., as PNG or JPEG thumbnails for CDNs or social platforms) are at highest cross-user exposure risk; no public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Infinite CPU loop denial-of-service in libheif 1.21.2 and below allows a remote unauthenticated attacker to permanently exhaust a victim application's CPU by delivering a crafted 800-byte HEIF sequence file. The vulnerability triggers during file parsing in Box_stts::get_sample_duration() before any image decoding occurs, meaning any application that opens user-supplied HEIF files is exposed at the moment of file open. No KEV listing and no public exploit have been identified at time of analysis, but the low attack complexity and high availability impact make this a meaningful risk for deployments that process untrusted HEIF content. Vendor-released patch version 1.22.0 resolves the issue.
Denial of service in libheif versions 1.21.2 and below allows a remote attacker to crash any application linked against the library by supplying a crafted HEIF sequence file. The crash is deterministic - the malformed file passes parsing without error, then triggers a guaranteed SEGV on the first frame access due to an unsigned integer underflow that maps all media samples to an empty chunk. No public exploit has been identified at time of analysis, and this is not listed in the CISA KEV catalog; vendor-released patch is available in version 1.22.0.
Privilege escalation in Mozilla Firefox's WebRTC Audio/Video component allows remote attackers to elevate privileges within the browser context when a user is lured into interacting with a malicious page. The flaw carries a CVSS 8.8 with required user interaction and was addressed in Firefox 151; no public exploit identified at time of analysis and EPSS exploitation probability sits at 0.03% (8th percentile).
Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 151.
Privilege escalation in Mozilla Firefox's Security component allows remote attackers to elevate privileges within the browser when a victim interacts with attacker-controlled content, affecting Firefox versions prior to 151 and Firefox ESR prior to 140.11. With CVSS 8.8 (high) and user interaction required, exploitation is plausible via malicious web content, though EPSS sits at just 0.04% (12th percentile) and no public exploit identified at time of analysis. SSVC rates exploitation as 'none' but flags the issue as automatable with partial technical impact, suggesting concerning scalability if a working exploit emerges.
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151.
Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Information disclosure in Mozilla Firefox's WebGPU graphics component allows remote attackers to access sensitive in-memory data from browser sessions via crafted web content rendered through the WebGPU API. The flaw affects Firefox versions prior to 151 and has been addressed by Mozilla in advisories MFSA2026-46 and MFSA2026-50. There is no public exploit identified at time of analysis, and EPSS scoring (0.02%, 4th percentile) indicates very low likelihood of near-term mass exploitation.
Information disclosure in Mozilla Firefox versions prior to 151 affects the IP Protection component, allowing remote unauthenticated attackers to obtain sensitive information over the network without user interaction. The flaw carries a CVSS score of 7.5 driven entirely by confidentiality impact (C:H/I:N/A:N), and while no public exploit is identified at time of analysis, the very low EPSS score of 0.02% (4th percentile) suggests minimal active exploitation interest. Mozilla addressed the issue in Firefox 151 via security advisories MFSA2026-46 and MFSA2026-50.
Information disclosure in Mozilla Firefox prior to version 151 allows remote attackers to leak sensitive data through a flaw in the DOM: Security component, exploitable without authentication or user interaction. The CVSS 7.5 rating reflects high confidentiality impact via network vector, though EPSS scoring at 0.02% (4th percentile) indicates very low predicted exploitation probability and no public exploit identified at time of analysis.
Spoofing issue in the Popup Blocker component. This vulnerability was fixed in Firefox 151.
Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151.
Mitigation bypass in Mozilla Firefox's DOM: Security component allows remote attackers to circumvent built-in browser security protections when a user visits a maliciously crafted web page. The flaw affects Firefox versions prior to 151 and Firefox ESR prior to 140.11, with CVSS 8.1 reflecting high confidentiality and integrity impact contingent on user interaction. EPSS scoring is very low (0.02%, 5th percentile) and no public exploit identified at time of analysis, but the CWE-693 protection-mechanism-failure classification means defensive layers users rely on may not function as intended.
Spoofing via the Form Autofill component in Mozilla Firefox allows a network-based attacker to achieve high integrity impact against users who interact with attacker-controlled content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) confirms no authentication is required from the attacker side, but a victim must interact with malicious content for the attack to succeed. No public exploit code has been identified at time of analysis, and EPSS sits at 0.02% (5th percentile), indicating very low observed exploitation probability; the vulnerability is not listed in the CISA KEV catalog.
Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151.
Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Privilege escalation in the Enterprise Policies component of Mozilla Firefox affects versions prior to Firefox 151 and Firefox ESR 140.11, allowing remote attackers who can convince a user to interact with crafted content to elevate privileges within the browser. No public exploit identified at time of analysis, and EPSS scoring places exploitation probability at just 0.03% (9th percentile). The vulnerability requires user interaction per the CVSS vector, which somewhat constrains real-world weaponization despite the high 8.8 CVSS score.
Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Privilege escalation in Mozilla Firefox's DOM Workers component allows remote attackers to elevate privileges within the browser when a victim interacts with a malicious web page. Affects Firefox versions prior to 151 and Firefox ESR prior to 140.11, with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and EPSS rates exploitation probability at only 0.03% (9th percentile).
Incorrect boundary conditions, integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.
Privilege escalation in Mozilla Firefox via the Application Update component allows remote attackers to gain elevated privileges when a user interacts with malicious content, fixed in Firefox 151. The flaw carries a CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:N/UI:R) and is categorized under CWE-269 (Improper Privilege Management). There is no public exploit identified at time of analysis, and EPSS estimates only a 0.03% probability of exploitation in the next 30 days.
Spoofing issue in the Toolbar component in Firefox for Android. This vulnerability was fixed in Firefox 151.
Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Integer underflow in the Linux kernel's MPI crypto library function `mpi_read_raw_from_sgl()` allows a local low-privileged user to trigger an infinite kernel loop via the `KEYCTL_PKEY_ENCRYPT` syscall, causing a system-wide denial of service with soft lockup splats. The flaw was latent since commit `2d4d1eea540b` but became exploitable only after commit `63ba4d67594a` changed how asymmetric key operations construct scatterlists, allowing `out_len > in_len` with a zero-filled buffer to satisfy the underflow condition. No active exploitation is confirmed (EPSS 0.02%, not in CISA KEV), but the attack path is fully described in the upstream commit message, making independent reproduction straightforward.
Memory exhaustion in the Linux kernel's QRTR (Qualcomm IPC Router) namespace subsystem allows a local low-privileged attacker to crash the system by flooding NEW_SERVER registration messages without triggering any bound check. Affected systems are those running kernels between the introducing commit (0c2204a4ad710d95d348ea006f14ba926e842ffd) and the fix commits across stable branches. No public exploit code has been identified and EPSS sits at the 5th percentile, indicating minimal observed exploitation activity.
Heap buffer over-write of a single byte in Magick.NET's JP2 encoder allows local attackers to cause availability impact (crash/denial of service) by supplying a crafted JP2 image processed with certain options. All Magick.NET NuGet package variants prior to version 14.13.1 are affected across multiple architectures (AnyCPU, x64, x86, arm64) and quantum depth configurations (Q16, Q16-HDRI). No public exploit has been identified at time of analysis, and a vendor-released patch exists at version 14.13.1.
Stack overflow in the Magick.NET fx expression evaluator affects all Q16 and HDRI NuGet package variants prior to version 14.13.1. The root cause is a missing recursion depth check in the fx operation: a crafted argument can drive the evaluator into uncontrolled recursion, exhausting the call stack and crashing the host process. Impact is limited to availability (denial of service); no confidentiality or integrity exposure is present, and no public exploit or CISA KEV listing exists at time of analysis.
Heap buffer over-write in Magick.NET's MIFF encoder triggers an out-of-bounds write when LZMA compression is active, due to a missing buffer size check (CWE-131). All Magick.NET NuGet package variants prior to version 14.13.1 are affected across multiple architectures (AnyCPU, x64, x86, arm64) and depth configurations (Q16, Q16-HDRI, OpenMP). An attacker who can deliver a crafted MIFF file for local processing can crash the consuming application, resulting in a complete availability impact. No public exploit code or CISA KEV listing exists at time of analysis, limiting real-world severity despite the heap write primitive.
Out-of-bounds heap over-read in Magick.NET's polynomial distortion operation exposes limited heap memory and can trigger a crash when processing a specially crafted image with specific distortion arguments. Affected are all Magick.NET NuGet package variants (Q16, Q16-HDRI, across AnyCPU, arm64, x64, x86, and OpenMP builds) prior to version 14.13.1. The CVSS vector scores this as a local, low-complexity issue with low confidentiality and availability impact; no public exploit code exists and it is not listed in the CISA KEV catalog at time of analysis.
Race condition in Docker's `docker cp` mount setup allows a process running inside a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem as root. Affected packages include github.com/docker/docker <= 28.5.2 and github.com/moby/moby <= 28.5.2, with a patch only confirmed for the moby/moby v2 branch at 2.0.0-beta.14. The CVSS vector reflects a scope-changed (S:C), high-availability-impact flaw requiring low privileges and high complexity; no public exploit or CISA KEV listing has been identified at time of analysis, but the attack is realistic when operators use `docker cp` against containers running untrusted workloads with volume mounts.
Out-of-bounds single-byte read in Magick.NET's meta encoder affects all Q16 and Q16-HDRI NuGet package variants prior to version 14.13.1. An off-by-one indexing error in the meta encoder allows a remote unauthenticated attacker to read one byte beyond the allocated buffer boundary during metadata processing, resulting in limited memory disclosure. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; however, the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the flaw is network-reachable without authentication or user interaction, making any application that processes attacker-supplied images or metadata a viable target.
Reachable assertion in the Linux kernel network subsystem allows a local low-privileged user to trigger a WARN_ON_ONCE by constructing a sufficiently long forward path through IPIP tunnels, resulting in a kernel warning and high availability impact. The root cause (CWE-617) is an assertion in the forward path array access code that became reachable after IPIP tunnel support was introduced, expanding the possible depth of forward paths beyond the implicit assumption encoded in the warning. No public exploit code exists and EPSS is extremely low (0.02%, 7th percentile), but the kernel-level denial-of-service impact on local multi-tenant or containerized systems warrants patching.
OCSP responder certificate validity bypass in Erlang OTP's public_key library allows forged OCSP responses-signed with the private key of an expired responder certificate-to be accepted as valid, defeating TLS certificate revocation checks. Affected deployments include TLS clients using OCSP stapling via the ssl application, and any application calling public_key:pkix_ocsp_validate/5 directly for server-side client certificate validation. An attacker who has obtained the private key of an expired CA-designated OCSP responder can present a revoked TLS certificate alongside a forged OCSP response and achieve authentication bypass. No public exploit code exists and CISA KEV does not list this vulnerability; SSVC rates exploitation as none at time of analysis.
Memory leak in the Linux kernel NTFS3 driver's ntfs_fill_super() function allows a local user with mount privileges to gradually exhaust kernel memory by repeatedly mounting NTFS filesystems. The ntfs_mount_options structure (32 bytes per mount) is permanently leaked because fc->fs_private is nulled before ntfs_fs_free() can release it, confirmed by kmemleak tooling. No active exploitation has been identified - EPSS is 0.02% (5th percentile) and this vulnerability is absent from CISA KEV - making it a maintenance-class fix rather than an urgent security priority, though the availability impact is rated High by CVSS.
Uninitialized memory use in the Linux kernel's NTFS3 filesystem driver (fs/ntfs3) causes a kernel crash when a local, low-privileged user triggers NTFS compression writes under specific folio allocation conditions. The flaw was surfaced by KMSAN (Kernel Memory Sanitizer) in longest_match_std(), called from ntfs_compress_write(), when newly allocated folios are neither marked uptodate nor initialized before use. No public exploit or active exploitation has been identified; EPSS stands at 0.02% (5th percentile), confirming negligible automated attack activity at time of analysis.
Deadlock in the Linux kernel's NTFS3 compressed-file read path (fs/ntfs3) causes indefinite task hang and local denial of service when concurrent readers contend over compressed NTFS frames. The inode mutex (ni_lock) and VFS page locks are acquired in inverted order across two concurrent tasks - a classic ABBA deadlock first surfaced by Syzbot. Versions prior to 6.19.4 (stable) and 7.0 (mainline) are affected; no public exploit or active exploitation has been identified, and the EPSS score of 0.02% (5th percentile) reflects the narrow, configuration-specific conditions required.
NULL pointer dereference in the Linux kernel's accel/amdxdna driver (AMD AI accelerator/NPU subsystem) allows a local low-privileged user to trigger a kernel crash and denial of service. The flaw arises during error-path execution in aie2_create_context(): when mailbox channel creation fails, the channel pointer remains NULL, yet aie_destroy_context() is unconditionally called assuming it is non-NULL. No public exploit code exists and EPSS probability is 0.02%, indicating very low exploitation activity. Vendor-released patches are available in Linux 6.19.4 and the 7.0 series.
NULL pointer dereference in the Linux kernel's drm/panthor subsystem causes a kernel panic and denial of service during GPU firmware unplug operations. The `panthor_fw_unplug()` function incorrectly attempted MCU halt and wait procedures even when firmware was never loaded or fully initialized, dereferencing a NULL pointer in that code path. Systems running a Panthor-based ARM Mali GPU (using the Panthor DRM driver) are affected across kernel versions from the introduction of the driver up to the fixed stable commits; no public exploit exists and EPSS is at the 5th percentile, indicating negligible opportunistic exploitation probability.
Out-of-bounds stack read in the Linux kernel's IMA (Integrity Measurement Architecture) subsystem, in ima_appraise_measurement() reached via is_bprm_creds_for_exec(), affecting kernels from the 6.14 series up to the fixed stable commits. A misuse of container_of() on a *file pointer computes an invalid stack offset, letting a local execution path read one byte past a stack frame object (flagged by KASAN), which can disclose adjacent stack data or crash the task. EPSS is very low (0.02%, 5th percentile), the CVE is not on CISA KEV, and there is no public exploit identified at time of analysis; the issue is patched upstream.
The drm/display/dp_mst subsystem in the Linux kernel crashes with a UBSAN shift-out-of-bounds error when a DP 2.1 monitor disconnects while delayed_destroy_work is still in flight, producing a kernel denial-of-service on affected systems. Systems running unpatched kernel versions across the 6.1.x, 6.6.x, 6.12.x, 6.18.x, and 6.19.x stable branches with DisplayPort Multi-Stream Transport (MST) capable hardware are vulnerable. No public exploit or active exploitation has been identified; patches are available across all affected stable branches with specific fix commits traceable to git.kernel.org.
Networking denial of service in the Linux kernel's Smack LSM disrupts IPv4 connectivity for all processes carrying non-ambient Smack labels when a previously-used CIPSO DOI value is cycled through /smack/doi. The kernel's smk_cipso_doi function retains decommissioned DOI definitions in netlabel's CIPSO configuration, causing re-add operations to fail with EEXIST (-17); this prevents the default IPv4 domain mapping from being re-established, silently severing label-based network traffic. No public exploit code is identified and EPSS sits at 0.02% (7th percentile), reflecting the very narrow deployment surface - only systems with Smack as the active LSM and CIPSO networking configured are affected.
Race condition in the Linux kernel's accel/amdxdna driver allows a local low-privileged user to cause device availability impact on systems equipped with AMD XDna AI accelerator hardware. The flaw in the rpm_on flag check permits command submissions to the accelerator during a narrow autosuspend transition window before the device has fully resumed, producing undefined hardware behavior or driver crashes. No public exploit exists and EPSS is at the 6th percentile (0.02%), indicating negligible real-world exploitation probability; no active exploitation is confirmed.
NULL pointer dereference in the Linux kernel bareudp driver crashes the kernel when Open vSwitch triggers `bareudp_fill_metadata_dst()` against a down IPv6 bareudp tunnel device. The socket pointer (`bareudp->sock`) is NULL between `bareudp_stop()` and `bareudp_open()`, and the IPv6 path passes it unsafely to `udp_tunnel6_dst_lookup()` at `sock->sk` offset 0x18. A local attacker with low privileges and access to OVS netlink commands can force a kernel panic, causing a denial of service. No public exploit code exists and no active exploitation has been identified; EPSS at 0.02% (5th percentile) confirms negligible observed exploitation.
Kernel NULL pointer dereference in the Linux TAPRIO traffic scheduler allows a local user with namespace-scoped CAP_NET_ADMIN to trigger a kernel panic. On systems with unprivileged user namespaces enabled - the default on Ubuntu, Fedora, Debian, and most container-oriented distributions - any unprivileged local user can acquire namespace-scoped CAP_NET_ADMIN simply by creating a new network namespace, reducing the effective privilege bar to an ordinary user account. Patched stable releases exist (6.6.141, 6.12.91, 7.0.10, 6.18.33, 7.1-rc2), no active exploitation has been confirmed by CISA KEV, and EPSS is 0.02% (5th percentile), but the straightforward attack sequence and wide Linux footprint make this a priority patch on multi-tenant or container-hosting systems.
Incorrect ARP payload parsing in the Linux kernel's netfilter arptables subsystem causes filtering rules to evaluate against garbage data on systems with IEEE1394 (FireWire) network interfaces. The arp_packet_match() function and arpt_mangle both assume a standard dual-hardware-address ARP layout, but IPv4-over-IEEE1394 per RFC 2734 omits the target hardware address field - the same discrepancy the rest of the kernel ARP stack already handles correctly. The result is that arptables rules on FireWire interfaces silently malfunction: legitimate traffic may be dropped and traffic that should be blocked may be passed, with arpt_mangle additionally writing to wrong offsets and corrupting packets. No public exploit has been identified and EPSS is 0.02% (6th percentile), consistent with the extremely niche attack surface.
Null pointer dereference in the Linux kernel SLIP header compression (slhc) subsystem crashes the kernel when a VJ-compressed frame is received on a PPP instance configured with zero receive slots. An unprivileged local user who can create a user namespace can invoke the PPPIOCSMAXCID ioctl with a crafted argument (0xffff0000) that exploits a signed-integer arithmetic shift to supply rslots=0 to slhc_init(), leaving comp->rstate NULL; any subsequent inbound VJ frame targeting slot 0 then dereferences that NULL pointer in softirq context, producing a kernel panic. No public exploit has been identified at time of analysis, and EPSS probability is negligible at 0.02%, but the attack path is fully reachable from unprivileged user namespaces, making the practical privilege bar lower than the PR:L label implies on systems where user namespaces are enabled.
Divide-by-zero in the Linux kernel netfilter OSF module (nfnetlink_osf) allows a local user with CAP_NET_ADMIN to crash the kernel. By injecting a crafted OS fingerprint with a zero window scale value (wss.val=0) via nfnetlink, the attacker causes nf_osf_match_one() to execute an unguarded modulo operation when any subsequent matching TCP SYN packet is processed, resulting in a kernel panic and system-wide denial of service. No active exploitation is confirmed; EPSS sits at 0.02% (5th percentile), reflecting very low probability of widespread automated exploitation.
Kernel panic in the Linux kernel's Open vSwitch (openvswitch) subsystem allows a low-privileged local user to crash the host kernel on Ubuntu-default and similar configurations. The vport netlink reply handler pre-allocates a fixed-size buffer but lacks an upper-bound check on the upcall PID array size, causing nla_put() to return -EMSGSIZE and BUG_ON(err < 0) to fire in ovs_vport_cmd_set(), triggering a kernel panic. On systems with unprivileged user namespaces enabled (Ubuntu default), any local user can reach this path via unshare -Urn without requiring elevated privileges. No public exploit has been identified at time of analysis, and EPSS at 0.02% reflects low current exploitation probability.
Local denial of service in the Linux kernel's BPF CO-RE relocation parser allows a process holding CAP_BPF to deterministically crash the system by loading a BPF program with a negative CO-RE accessor index. The flaw stems from bpf_core_parse_spec() in the libbpf relocation core accepting negative values from sscanf("%d") that bypass upper-bound checks due to integer promotion, ultimately driving an out-of-bounds read past the BTF members array. EPSS is negligible (0.01%) and there is no public exploit identified at time of analysis; a kernel oops backtrace is published in the changelog but it serves as a crash reproducer rather than a weaponized exploit.
Incorrect end-of-list detection in the Linux kernel's BPF cgroup storage map subsystem allows a local low-privileged user with BPF syscall access to trigger a kernel crash (denial of service) via the `cgroup_storage_get_next_key()` function. The function uses `list_next_entry()`, which never returns NULL but wraps to the list head on the last element, causing the kernel to read `storage->key` from a bogus pointer aliasing internal map fields and copy the result to userspace - a condition that can provoke a kernel oops or panic. No public exploit exists and EPSS is 0.02% (5th percentile), consistent with the local-only attack surface and absence of CISA KEV listing.
Local privilege-escalation-class memory corruption in the Linux kernel's BPF arena subsystem (introduced around 6.9) allows a process holding BPF capabilities to trigger a use-after-free. When a BPF arena VMA is inherited across fork(), arena_vm_open() bumps the mmap refcount but never registers the child VMA in arena->vma_list, leaving vml->vma pointing at the parent VMA; after the parent munmaps, a child call to bpf_arena_free_pages() dereferences the dangling pointer in zap_pages(). No public exploit or active exploitation is identified (EPSS 0.02%, 5th percentile), and vendor patches are available.
Denial of service in the zipdetails CLI tool bundled with Perl's IO::Compress versions 2.207 through 2.219 causes the script to abort with status 255 when parsing a ZIP archive containing an Info-ZIP Unix Extra Field (tag 0x7875) that declares an 8-byte UID or GID size. The bug is a typo in the source (calling unpackValueQ instead of unpackValue_Q), and no public exploit is identified at time of analysis; library callers of IO::Compress/IO::Uncompress are unaffected. EPSS is negligible (0.02%) and impact is limited to crashing the inspection tool, not the consuming application.
Denial of service in the Perl module IO::Uncompress::Unzip before version 2.220 allows remote attackers to cause CPU exhaustion by supplying a crafted ZIP archive that triggers a per-byte read loop in the fastForward() routine. No public exploit identified at time of analysis, and EPSS rates exploitation probability at 0.02%, but any application that accepts untrusted ZIP files and extracts a named entry through this module is exposed to availability impact.
Uncaught exception in IO::Uncompress::Unzip before version 2.215 for Perl causes application-level denial of service when parsing ZIP files containing malformed DOS date fields. The `_dosToUnixTime()` function calls `Time::Local::timelocal()` without an `eval` guard, so a ZIP header encoding an out-of-range month, day, or hour causes `timelocal()` to `die`, propagating the exception to the caller rather than returning `undef` with a populated `$UnzipError` as callers expect. Any Perl application that processes untrusted ZIP files locally is affected; no public exploit has been identified at time of analysis, and EPSS exploitation probability is negligible at 0.02%.
Denial of service in OpenStack Swift's s3api middleware allows an authenticated S3 API user to permanently hang proxy-server workers by sending a truncated aws-chunked PUT request body. Versions 2.36.0 through 2.36.1 and 2.37.0 through 2.37.1 are affected; the defect was introduced in 2.36.0 and fixed in 2.36.2 and 2.37.2. There is no public exploit identified at time of analysis, and EPSS is very low (0.04%, 12th percentile), but the high availability impact and low attack complexity make this a credible operational threat to S3-compatible Swift deployments.
Arbitrary package installation leading to code execution affects the yeoman-environment npm library (the runtime behind the Yeoman/`yo` scaffolding CLI) in versions >= 2.9.0 and < 6.0.1. The vulnerable `installLocalGenerators()` method silently calls `repository.install()` on caller-supplied package names without any user confirmation, so a downstream CLI that passes attacker-controlled project configuration into this path will install and execute attacker-chosen packages during bootstrap. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; CVSS is 8.6 (high) but exploitation is contingent on how consumers feed configuration into the library.
Null pointer dereference in the Linux kernel's Bluetooth L2CAP socket layer crashes the kernel when `l2cap_sock_get_sndtimeo_cb()` is invoked with a NULL socket context, resulting in a local denial-of-service (kernel panic). The flaw stems from an oversight where sibling callbacks `l2cap_sock_resume_cb()` and `l2cap_sock_ready_cb()` already carry the required NULL guard, but `l2cap_sock_get_sndtimeo_cb()` does not. With EPSS at 0.02% (5th percentile), no public exploit identified, and no CISA KEV listing, real-world exploitation risk is low - but the vulnerability has persisted since Linux 3.13 and affects every major stable branch until patched versions were released.
Null pointer dereference in the Linux kernel's Bluetooth L2CAP socket layer crashes the kernel when `l2cap_sock_new_connection_cb()` is invoked without the NULL guard present in sibling callbacks. Local unprivileged users on systems with Bluetooth enabled can trigger a kernel oops or panic, resulting in a denial of service. No public exploit or CISA KEV listing exists; EPSS probability is near zero at 0.02% (5th percentile), indicating minimal active exploitation interest at time of analysis.
NULL pointer dereference in the Linux kernel Bluetooth L2CAP subsystem causes a local denial-of-service via kernel panic when `l2cap_sock_state_change_cb()` is invoked with a NULL socket pointer. A local low-privileged user with access to the Bluetooth socket API can trigger a system crash by exercising the L2CAP state change callback path that lacked the NULL guard already applied to sibling callbacks `l2cap_sock_resume_cb()` and `l2cap_sock_ready_cb()`. No active exploitation is confirmed (not in CISA KEV) and EPSS stands at 0.02% (5th percentile), indicating minimal real-world adversarial interest at time of analysis.
Denial of service in vllm 0.19.0's OpenAI-compatible serving path allows remote unauthenticated attackers to exhaust scheduler resources by submitting requests with unbounded logprob counts. The root cause, confirmed by PR diff analysis, is the absence of any per-batch logprob budget in the v1 scheduler: requests specifying logprobs=-1 (full vocabulary) multiplied across parallel sequences (n) generate massive compute and memory overhead with no cap, blocking or crashing the inference server. Publicly available exploit code exists (GitHub issue #37343); no confirmed active exploitation at time of analysis.
Arbitrary file modification in the Perl Archive::Tar module before version 3.08 allows a malicious tar archive to create hardlinks pointing outside the extraction directory. Any application or service that extracts attacker-supplied tarballs is affected: because extraction chmods the shared inode of a hardlink, an attacker can alter permissions of sensitive files outside the intended target path. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; it is not listed in CISA KEV.
Heap buffer over-read in ImageMagick's distributed pixel cache server affects all Magick.NET NuGet package variants prior to version 14.12.0. An attacker with the ability to connect to a running `magick -distribute-cache` service can trigger an out-of-bounds read (CWE-125) in the server process, resulting in high-severity confidentiality impact (memory disclosure) and availability impact (potential crash). No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 5.7 reflects meaningful mitigating constraints: high attack complexity and high privileges required per the vector.
Information disclosure in Magick.NET's distributed pixel cache server exposes sensitive pixel data due to the absence of a challenge-response authentication model on the cache service. All Magick.NET NuGet packages (Q16, Q16-HDRI, and OpenMP variants across AnyCPU, x64, x86, arm64 architectures) prior to version 14.12.0 are affected. A highly privileged local attacker meeting the high-complexity conditions of this vulnerability could read pixel cache contents belonging to other processes, leaking potentially sensitive image data. No public exploit code and no CISA KEV listing have been identified at time of analysis.
File descriptor hijacking in ImageMagick's distributed pixel cache server (magick -distribute-cache) exposes sensitive data via a race condition exploitable by a privileged local attacker. Affected are all Magick.NET NuGet packages across Q16, Q16-HDRI, OpenMP, and ARM64 variants prior to version 14.12.0. Successful exploitation yields high-confidentiality impact - an attacker can read file descriptors belonging to the server process - though no public exploit code exists and this is not currently listed in the CISA KEV catalog.
Heap buffer over-write in ImageMagick's distributed pixel cache server (`magick -distribute-cache`) allows an attacker who can connect to the service to corrupt the server process's heap memory, resulting in a high-severity denial-of-service condition. All Magick.NET NuGet package variants (Q16, HDRI, OpenMP, across arm64/x64/x86/AnyCPU architectures) prior to version 14.12.0 are confirmed affected. No public exploit has been identified at time of analysis and the vulnerability does not appear in CISA KEV; however, a notable discrepancy exists between the CVSS attack vector (AV:L, local) and the description's implication of service-level connectivity, which warrants independent verification before fully trusting the low CVSS score.
Panic-induced denial of service in the golang.org/x/crypto/ssh/agent package allows remote unauthenticated attackers to crash processes by submitting specially crafted SSH agent protocol messages containing malformed wire-format bytes that are unsafely cast into an ed25519.PrivateKey without sufficient validation. All versions of golang.org/x/crypto/ssh/agent prior to 0.52.0 are affected. No public exploit exists at time of analysis (EPSS 0.02%), though the SSVC framework flags the attack as automatable, and a vendor patch is available.
Null pointer dereference in the Linux kernel's RED qdisc (sch_red) allows a local user with low privileges to trigger a kernel panic and system crash when a specific nested qdisc hierarchy is configured. The flaw occurs in net/sched/sch_red.c when RED calls its child qdisc's dequeue() directly after a peek() has already cached the packet in QFQ's gso_skb buffer, causing QFQ's dequeue path to dereference a null pointer. No public exploit has been identified at time of analysis, and EPSS is 0.02% (7th percentile), reflecting very low real-world exploitation probability.
Heap corruption in Google Chrome's GPU component prior to version 148.0.7778.179 allows remote attackers to exploit an out-of-bounds read via a crafted HTML page, potentially leading to arbitrary code execution or information disclosure within the renderer context. The flaw carries a CVSS 8.8 (High) rating due to network reachability and high impact across confidentiality, integrity, and availability, though exploitation requires user interaction (visiting a malicious page). There is no public exploit identified at time of analysis, and CISA SSVC marks exploitation status as 'none', suggesting opportunistic rather than active targeting.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 stems from a use-after-free flaw in the WebRTC component, enabling a remote attacker to run arbitrary code when a victim visits a crafted HTML page. Chromium rates the severity as High and the CVSS 3.1 score is 8.8, but exploitation requires user interaction (UI:R); no public exploit identified at time of analysis.
Heap buffer overflow in the WebRTC component of Google Chrome before 148.0.7778.179 allows remote attackers to execute arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. The flaw was reported by Chrome's internal security team, has a patched stable channel build available, and carries a CVSS 8.8 score with no public exploit identified at time of analysis. SSVC currently rates exploitation as 'none' but technical impact as 'total', reflecting full compromise of the affected process if triggered.
Remote code execution in Google Chrome on Windows prior to 148.0.7778.179 stems from a use-after-free flaw in the XR (WebXR) component, enabling a remote attacker to run arbitrary code in the renderer process by enticing a user to visit a crafted HTML page. Chromium rates the issue High severity and CVSS scores it 8.8; no public exploit identified at time of analysis and SSVC reports exploitation status as none. A vendor patch is available via the Stable Channel update referenced in the Chrome Releases advisory.
Sandbox escape in Google Chrome (Linux and ChromeOS) prior to 148.0.7778.179 allows a remote attacker who has already compromised the renderer process to break out via a crafted video file processed by the GFX component. The flaw is a type confusion (CWE-843) rated High severity by Chromium, with no public exploit identified at time of analysis and SSVC indicating exploitation has not been observed. It requires user interaction and chained exploitation of a prior renderer compromise, which raises the bar despite the High CVSS of 7.5.
ServiceWorker policy enforcement failure in Google Chrome prior to version 148.0.7778.179 enables unauthenticated remote attackers to leak cross-origin data by luring a victim to a crafted HTML page. The vulnerability stems from Chrome's ServiceWorker layer failing to adequately enforce isolation boundaries (CWE-693), allowing a malicious origin to read data it should not have access to under the same-origin policy. No public exploit identified at time of analysis, and the CVSS score of 4.3 reflects limited confidentiality impact; however, the zero-privilege, network-accessible attack vector means any Chrome user browsing a malicious page could be affected.
Same-origin policy bypass in Google Chrome's Service Worker subsystem (all versions prior to 148.0.7778.179) allows remote unauthenticated attackers to read cross-origin data by luring a victim to a crafted HTML page. The flaw originates from insufficient policy enforcement (CWE-693) within the Service Worker layer, enabling unauthorized access to confidential data across origins. No public exploit code has been identified and no active exploitation is confirmed; Google has shipped a fix in stable channel version 148.0.7778.179.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 stems from a use-after-free condition in the QUIC networking stack, allowing remote attackers to execute arbitrary code within the browser sandbox via malicious network traffic. Exploitation requires user interaction (visiting a malicious site or processing attacker-controlled QUIC traffic), and no public exploit has been identified at time of analysis. Chromium rates this as High severity, and a vendor patch is available.
Out-of-bounds memory read in the GPU component of Google Chrome on macOS exposes process memory to remote attackers via a crafted HTML page. Affected versions are all Chrome releases prior to 148.0.7778.179 on Mac; Windows and Linux are not identified as affected. No public exploit or active exploitation has been identified at time of analysis, and SSVC confirms exploitation status as none with non-automatable attack delivery.
Remote code execution in Google Chrome on Windows prior to version 148.0.7778.179 stems from a use-after-free condition in the GPU component, enabling a remote attacker to run arbitrary code within the renderer sandbox after the victim loads a crafted HTML page. Google has rated the issue High severity and shipped a fix; no public exploit identified at time of analysis and SSVC indicates exploitation status 'none' despite total technical impact.
UI spoofing in Google Chrome on Windows (prior to 148.0.7778.179) enables a remote attacker who has already achieved renderer process compromise to deceive end users through a crafted HTML page, exploiting CWE-451 (UI Misrepresentation of Critical Information). Affected users on Windows running any Chrome version below 148.0.7778.179 are exposed to potential phishing or credential-harvesting scenarios dressed up as legitimate browser UI. No public exploit code or CISA KEV listing exists at time of analysis, but the Chromium team assigned a Critical internal severity - a meaningful contrast with the NVD CVSS score of 4.2 - suggesting the spoofing potential carries downstream risk beyond what the base score reflects.
Remote code execution in Google Chrome on Linux before 148.0.7778.179 stems from a use-after-free flaw in the WebRTC component, allowing a remote attacker who lures a victim to a crafted HTML page to execute arbitrary code in the renderer process. Chromium rates the severity as Critical and a vendor patch is available, though there is no public exploit identified at time of analysis and SSVC indicates no observed exploitation. The CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability with required user interaction (visiting a page).
Resource exhaustion in ISC BIND 9's resolver state machine allows remote unauthenticated attackers to trigger an unbounded resend loop by sending crafted DNS queries that activate bad-server retry conditions, degrading resolver availability. Multiple active release branches are affected across standard and Subscription Edition builds spanning versions 9.18.36 through 9.21.21. No public exploit has been identified and the vulnerability is not listed in CISA KEV; however, the fully network-accessible, zero-authentication attack vector makes every exposed BIND 9 resolver a potential target.
Amplified resource exhaustion in ISC BIND 9 resolvers enables remote unauthenticated attackers to cause disproportionate resource consumption by directing a victim resolver to query a specially crafted authoritative DNS zone. All major BIND 9 resolver branches are affected, spanning versions 9.11.x through 9.21.x including BIND 9 Supported (S1) variants, representing a broad deployment footprint across enterprise and ISP resolver infrastructure. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; ISC has released patched versions.
Heap use-after-free in Unbound's RPZ (Response Policy Zone) subsystem crashes the DNS resolver under a specific race condition affecting multi-threaded deployments. Versions 1.14.0 through 1.25.0 are affected when an RPZ zone with 'rpz-nsip' or 'rpz-nsdname' triggers is served via XFR (zone transfer) and a simultaneous read occurs in another thread. The crash is remotely triggerable by timing a DNS query against an in-progress XFR, but requires multiple co-occurring non-default conditions; no public exploit exists and no active exploitation has been confirmed.
DNS cache poisoning in NLnet Labs Unbound 1.25.0 and earlier allows an adjacent-network attacker to inject malicious resource records into the resolver's cache by exploiting insufficient validation of authority-section RRSets. By attaching forged non-NS RRSets (such as MX records) with accompanying address records in spoofed or fragmented DNS replies, an attacker can trick Unbound into caching poisoned entries when the authority RRSet carries sufficient trust as in-zone delegation data. Publicly available proof-of-concept exploit code exists (CVSS 4.0 E:P); this is a complement fix to CVE-2025-11411, meaning systems that patched the prior vulnerability but have not upgraded to 1.25.1 remain exposed.
Unbound DNS resolver up to and including version 1.25.0 exposes a denial-of-service condition in its DNSSEC validation stack, specifically in the negative cache code path used to look up DS records. An adversary who controls a DNSSEC-signed zone can craft NSEC3 records with high-but-permissible iteration counts for child delegations, causing any vulnerable Unbound instance that queries those records to perform unbounded SHA-1 hash computations while holding a global negative cache lock - blocking all other threads that need cache access. No public exploit code exists and this is not listed in the CISA KEV catalog at time of analysis, but coordinated query floods against the vulnerable code path could escalate a single-instance slowdown into a full denial of service.
Heap out-of-bounds read in Unbound's DNSCrypt packet handling allows a remote unauthenticated attacker to potentially crash the resolver with a single malformed query, causing denial of service. Affected are all Unbound installations from version 1.6.2 through 1.25.0 that were compiled with the optional '--enable-dnscrypt' flag. The crash is probabilistic rather than guaranteed - whether the out-of-bounds read escalates to a heap overflow depends entirely on the memory allocator behavior and heap layout at runtime; absent a crash, Unbound's own packet validation will discard the offending query. No public exploit exists and no active exploitation has been identified at time of analysis.
Timing side-channel in memcached versions prior to 1.6.42 allows remote attackers to recover SASL authentication credentials by measuring response times during password comparison. The flaw stems from the use of the non-constant-time memcmp() function within sasl_server_userdb_checkpass, enabling byte-by-byte inference of stored passwords. No public exploit identified at time of analysis, but the upstream fix has been published.
Heap memory disclosure in strukturag libheif versions 1.21.2 and prior exposes up to 12,288+ bytes of uninitialized heap content - potentially containing auth tokens, database results, or other users' image data - when decoding crafted HEIF or AVIF grid images under the library's default settings. The decode path silently suppresses tile failures while returning heif_error_Ok, so calling applications receive heap garbage as valid pixel values with no error indication. Server-side image pipelines that ingest user-uploaded HEIF/AVIF and re-encode the output (e.g., as PNG or JPEG thumbnails for CDNs or social platforms) are at highest cross-user exposure risk; no public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Infinite CPU loop denial-of-service in libheif 1.21.2 and below allows a remote unauthenticated attacker to permanently exhaust a victim application's CPU by delivering a crafted 800-byte HEIF sequence file. The vulnerability triggers during file parsing in Box_stts::get_sample_duration() before any image decoding occurs, meaning any application that opens user-supplied HEIF files is exposed at the moment of file open. No KEV listing and no public exploit have been identified at time of analysis, but the low attack complexity and high availability impact make this a meaningful risk for deployments that process untrusted HEIF content. Vendor-released patch version 1.22.0 resolves the issue.
Denial of service in libheif versions 1.21.2 and below allows a remote attacker to crash any application linked against the library by supplying a crafted HEIF sequence file. The crash is deterministic - the malformed file passes parsing without error, then triggers a guaranteed SEGV on the first frame access due to an unsigned integer underflow that maps all media samples to an empty chunk. No public exploit has been identified at time of analysis, and this is not listed in the CISA KEV catalog; vendor-released patch is available in version 1.22.0.
Privilege escalation in Mozilla Firefox's WebRTC Audio/Video component allows remote attackers to elevate privileges within the browser context when a user is lured into interacting with a malicious page. The flaw carries a CVSS 8.8 with required user interaction and was addressed in Firefox 151; no public exploit identified at time of analysis and EPSS exploitation probability sits at 0.03% (8th percentile).
Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 151.
Privilege escalation in Mozilla Firefox's Security component allows remote attackers to elevate privileges within the browser when a victim interacts with attacker-controlled content, affecting Firefox versions prior to 151 and Firefox ESR prior to 140.11. With CVSS 8.8 (high) and user interaction required, exploitation is plausible via malicious web content, though EPSS sits at just 0.04% (12th percentile) and no public exploit identified at time of analysis. SSVC rates exploitation as 'none' but flags the issue as automatable with partial technical impact, suggesting concerning scalability if a working exploit emerges.
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151.
Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Information disclosure in Mozilla Firefox's WebGPU graphics component allows remote attackers to access sensitive in-memory data from browser sessions via crafted web content rendered through the WebGPU API. The flaw affects Firefox versions prior to 151 and has been addressed by Mozilla in advisories MFSA2026-46 and MFSA2026-50. There is no public exploit identified at time of analysis, and EPSS scoring (0.02%, 4th percentile) indicates very low likelihood of near-term mass exploitation.
Information disclosure in Mozilla Firefox versions prior to 151 affects the IP Protection component, allowing remote unauthenticated attackers to obtain sensitive information over the network without user interaction. The flaw carries a CVSS score of 7.5 driven entirely by confidentiality impact (C:H/I:N/A:N), and while no public exploit is identified at time of analysis, the very low EPSS score of 0.02% (4th percentile) suggests minimal active exploitation interest. Mozilla addressed the issue in Firefox 151 via security advisories MFSA2026-46 and MFSA2026-50.
Information disclosure in Mozilla Firefox prior to version 151 allows remote attackers to leak sensitive data through a flaw in the DOM: Security component, exploitable without authentication or user interaction. The CVSS 7.5 rating reflects high confidentiality impact via network vector, though EPSS scoring at 0.02% (4th percentile) indicates very low predicted exploitation probability and no public exploit identified at time of analysis.
Spoofing issue in the Popup Blocker component. This vulnerability was fixed in Firefox 151.
Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151.
Mitigation bypass in Mozilla Firefox's DOM: Security component allows remote attackers to circumvent built-in browser security protections when a user visits a maliciously crafted web page. The flaw affects Firefox versions prior to 151 and Firefox ESR prior to 140.11, with CVSS 8.1 reflecting high confidentiality and integrity impact contingent on user interaction. EPSS scoring is very low (0.02%, 5th percentile) and no public exploit identified at time of analysis, but the CWE-693 protection-mechanism-failure classification means defensive layers users rely on may not function as intended.
Spoofing via the Form Autofill component in Mozilla Firefox allows a network-based attacker to achieve high integrity impact against users who interact with attacker-controlled content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) confirms no authentication is required from the attacker side, but a victim must interact with malicious content for the attack to succeed. No public exploit code has been identified at time of analysis, and EPSS sits at 0.02% (5th percentile), indicating very low observed exploitation probability; the vulnerability is not listed in the CISA KEV catalog.
Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151.
Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Privilege escalation in the Enterprise Policies component of Mozilla Firefox affects versions prior to Firefox 151 and Firefox ESR 140.11, allowing remote attackers who can convince a user to interact with crafted content to elevate privileges within the browser. No public exploit identified at time of analysis, and EPSS scoring places exploitation probability at just 0.03% (9th percentile). The vulnerability requires user interaction per the CVSS vector, which somewhat constrains real-world weaponization despite the high 8.8 CVSS score.
Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Privilege escalation in Mozilla Firefox's DOM Workers component allows remote attackers to elevate privileges within the browser when a victim interacts with a malicious web page. Affects Firefox versions prior to 151 and Firefox ESR prior to 140.11, with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and EPSS rates exploitation probability at only 0.03% (9th percentile).
Incorrect boundary conditions, integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.
Privilege escalation in Mozilla Firefox via the Application Update component allows remote attackers to gain elevated privileges when a user interacts with malicious content, fixed in Firefox 151. The flaw carries a CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:N/UI:R) and is categorized under CWE-269 (Improper Privilege Management). There is no public exploit identified at time of analysis, and EPSS estimates only a 0.03% probability of exploitation in the next 30 days.
Spoofing issue in the Toolbar component in Firefox for Android. This vulnerability was fixed in Firefox 151.
Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Integer underflow in the Linux kernel's MPI crypto library function `mpi_read_raw_from_sgl()` allows a local low-privileged user to trigger an infinite kernel loop via the `KEYCTL_PKEY_ENCRYPT` syscall, causing a system-wide denial of service with soft lockup splats. The flaw was latent since commit `2d4d1eea540b` but became exploitable only after commit `63ba4d67594a` changed how asymmetric key operations construct scatterlists, allowing `out_len > in_len` with a zero-filled buffer to satisfy the underflow condition. No active exploitation is confirmed (EPSS 0.02%, not in CISA KEV), but the attack path is fully described in the upstream commit message, making independent reproduction straightforward.
Memory exhaustion in the Linux kernel's QRTR (Qualcomm IPC Router) namespace subsystem allows a local low-privileged attacker to crash the system by flooding NEW_SERVER registration messages without triggering any bound check. Affected systems are those running kernels between the introducing commit (0c2204a4ad710d95d348ea006f14ba926e842ffd) and the fix commits across stable branches. No public exploit code has been identified and EPSS sits at the 5th percentile, indicating minimal observed exploitation activity.
Heap buffer over-write of a single byte in Magick.NET's JP2 encoder allows local attackers to cause availability impact (crash/denial of service) by supplying a crafted JP2 image processed with certain options. All Magick.NET NuGet package variants prior to version 14.13.1 are affected across multiple architectures (AnyCPU, x64, x86, arm64) and quantum depth configurations (Q16, Q16-HDRI). No public exploit has been identified at time of analysis, and a vendor-released patch exists at version 14.13.1.
Stack overflow in the Magick.NET fx expression evaluator affects all Q16 and HDRI NuGet package variants prior to version 14.13.1. The root cause is a missing recursion depth check in the fx operation: a crafted argument can drive the evaluator into uncontrolled recursion, exhausting the call stack and crashing the host process. Impact is limited to availability (denial of service); no confidentiality or integrity exposure is present, and no public exploit or CISA KEV listing exists at time of analysis.
Heap buffer over-write in Magick.NET's MIFF encoder triggers an out-of-bounds write when LZMA compression is active, due to a missing buffer size check (CWE-131). All Magick.NET NuGet package variants prior to version 14.13.1 are affected across multiple architectures (AnyCPU, x64, x86, arm64) and depth configurations (Q16, Q16-HDRI, OpenMP). An attacker who can deliver a crafted MIFF file for local processing can crash the consuming application, resulting in a complete availability impact. No public exploit code or CISA KEV listing exists at time of analysis, limiting real-world severity despite the heap write primitive.
Out-of-bounds heap over-read in Magick.NET's polynomial distortion operation exposes limited heap memory and can trigger a crash when processing a specially crafted image with specific distortion arguments. Affected are all Magick.NET NuGet package variants (Q16, Q16-HDRI, across AnyCPU, arm64, x64, x86, and OpenMP builds) prior to version 14.13.1. The CVSS vector scores this as a local, low-complexity issue with low confidentiality and availability impact; no public exploit code exists and it is not listed in the CISA KEV catalog at time of analysis.
Race condition in Docker's `docker cp` mount setup allows a process running inside a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem as root. Affected packages include github.com/docker/docker <= 28.5.2 and github.com/moby/moby <= 28.5.2, with a patch only confirmed for the moby/moby v2 branch at 2.0.0-beta.14. The CVSS vector reflects a scope-changed (S:C), high-availability-impact flaw requiring low privileges and high complexity; no public exploit or CISA KEV listing has been identified at time of analysis, but the attack is realistic when operators use `docker cp` against containers running untrusted workloads with volume mounts.
Out-of-bounds single-byte read in Magick.NET's meta encoder affects all Q16 and Q16-HDRI NuGet package variants prior to version 14.13.1. An off-by-one indexing error in the meta encoder allows a remote unauthenticated attacker to read one byte beyond the allocated buffer boundary during metadata processing, resulting in limited memory disclosure. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; however, the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the flaw is network-reachable without authentication or user interaction, making any application that processes attacker-supplied images or metadata a viable target.