Red Hat
Monthly
Out-of-memory exploitation in the Linux kernel's amdgpu DRM subsystem allows a local, low-privileged user to crash the system by supplying unchecked huge values to the amdgpu_userq_signal_ioctl interface. The missing upper-bound validation on user inputs enables resource exhaustion that can destabilize or deny service on any Linux system equipped with a supported AMD GPU. No public exploit code exists and no active exploitation has been confirmed (no CISA KEV listing), with an EPSS of 0.02% placing this firmly in the low-priority tier for most environments outside high-assurance or shared multi-user GPU workloads.
Reference leak in the Linux kernel's amdgpu userqueue subsystem allows a local low-privileged user to exhaust kernel resources by repeatedly triggering an early-abort code path in amdgpu_userq_wait_ioctl. When the ioctl aborts because the caller-supplied output array is too small, the kernel omits required reference drops on syncobj and timeline fence objects, preventing those objects from ever being freed. No active exploitation is confirmed (not in CISA KEV), and EPSS sits at 0.02% (4th percentile), signaling negligible real-world exploitation activity.
Out-of-memory exploitation in the Linux kernel's amdgpu DRM driver allows a local low-privileged user to crash or destabilize a system by supplying oversized input values to the amdgpu_userq_wait_ioctl interface. Systems running affected kernel versions with AMD GPU hardware are vulnerable to availability loss. No public exploit code has been identified at time of analysis, and an EPSS score of 0.02% (4th percentile) reflects very low real-world exploitation probability; this is not confirmed actively exploited (not in CISA KEV).
Memory leak in the Linux kernel's samsung-dsim DRM bridge driver allows a local low-privileged user to exhaust kernel memory by repeatedly triggering error paths in samsung_dsim_host_attach() where drm_bridge_remove() is never called after a failed samsung_dsim_register_te_irq() or host attach operation. Affected systems must be running Samsung MIPI DSI display hardware with the samsung-dsim module loaded. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) combined with absence from CISA KEV confirms this is a low-exploitation-likelihood maintenance fix rather than an active threat.
Memory leak in the Linux kernel's drm/xe (Intel Xe GPU) sync subsystem allows a local low-privileged user to cause a denial of service by exhausting kernel memory. The flaw exists in the drm/xe/sync error-handling path: when dma_fence_chain_alloc() fails, the user fence reference is not properly released (CWE-401), leaving allocated memory permanently inaccessible to the allocator. No active exploitation has been identified (EPSS 0.02%, 4th percentile, not in CISA KEV), and patches have been backported to stable kernel branches including 6.18.20 and 6.19.9.
Incomplete cleanup in the Linux kernel's DRM/Xe GPU driver allows a local low-privileged user to leak kernel object references (syncobj, fence, chain fence, or user fence) by triggering error paths in xe_sync_entry_parse(), resulting in kernel memory exhaustion and local denial of service. Affected kernels include those shipping the Intel Xe GPU driver from the introducing commit (dd08ebf6c352) up to the fix commits landed in stable series 6.12, 6.18, 6.19, and 7.0. No public exploit code exists and no active exploitation has been reported; EPSS probability sits at 0.02% (5th percentile), reflecting extremely low real-world exploitation interest.
Stack buffer overflow in the Linux kernel's pmbus/q54sj108a2 hwmon driver allows local privileged users to corrupt kernel stack memory by reading from a specific debugfs entry. The flaw stems from a misuse of bin2hex() that writes 64 bytes of hex-encoded output into a 34-byte stack buffer, overflowing it by 30 bytes; no public exploit identified at time of analysis and EPSS exploitation probability is negligible at 0.03% (9th percentile).
Use-after-free in the Linux kernel's ksmbd SMB server (smb2_open()) allows remote attackers to potentially trigger memory corruption when accessing an opinfo pointer dereferenced after rcu_read_unlock(). The flaw is fixed in upstream stable releases (6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0); no public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Linux kernel MCTP driver leaks USB device references when probe fails, allowing local authenticated attackers to trigger denial of service through resource exhaustion. The flaw affects kernels from 6.15 through 6.19.9 and has been patched in versions 6.18.19, 6.19.9, and 7.0. EPSS score of 0.02% indicates minimal active exploitation risk, and no public exploit code has been identified at time of analysis.
Resource leak in Linux kernel's Microchip DSA PTP driver allows local authenticated users with low privileges to cause denial of service through high availability impact. The ksz_ptp_irq_setup() function fails to dispose of newly created IRQ mappings when request_threaded_irq() fails during PTP message IRQ setup, leading to resource exhaustion. Vendor patches available across multiple stable kernel branches (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS score of 0.02% (5th percentile) indicates very low probability of exploitation in the wild, and no public exploit identified at time of analysis.
Memory leak and denial-of-service in the Linux kernel macb network driver (used in AMD ZynqMP platforms) allows local authenticated users to cause prolonged network disruption and system resource exhaustion. The flaw manifests during suspend/resume cycles when the transmit ring pointer resets incorrectly, silently dropping queued packets without releasing their memory, and causing the driver to become stuck waiting for already-transmitted packets. Real-world impact observed in NFS rootfs recovery delays. EPSS score of 0.02% (7th percentile) indicates low exploitation likelihood. Vendor patches available across multiple stable kernel branches (6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.9).
A NULL pointer dereference in Linux kernel AMD GPU driver cleanup code causes local denial of service when GPU initialization fails on systems with unsupported AMD hardware blocks. Local authenticated users with low privileges can trigger kernel crashes during device teardown sequences. The vulnerability affects multiple stable kernel versions (6.18.16-6.18.19, 6.19.6-6.19.9) with patches available from upstream. EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, and no active exploitation or public exploits are confirmed. Real-world impact is limited to systems with specific AMD GPU hardware experiencing initialization failures, making this primarily a reliability issue rather than a direct security threat.
Null pointer dereference in Linux kernel's AMD DRM driver causes system crash during device cleanup on unsupported hardware. The flaw (CWE-476) affects multiple 6.18.x and 6.19.x kernel versions, allowing local authenticated users to trigger denial of service through AMD GPU driver initialization or cleanup operations. Patches available via kernel stable tree commits with EPSS score of 0.02% indicating minimal exploitation likelihood. No active exploitation or public POC identified at time of analysis.
NULL pointer dereference in Linux kernel's ublk driver allows local authenticated users to crash the system by sending UBLK_CMD_UPDATE_SIZE to a device before it starts or after it stops. The vulnerability exists in ublk_ctrl_set_size() which unconditionally dereferences ub->ub_disk without validating the device state, triggering a kernel panic and causing a denial of service. Patches are available from the Linux kernel maintainers for versions 6.18.20, 6.19.9, and 7.0. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability, consistent with the local-only attack vector and absence from CISA KEV.
System hangs on Linux kernel resume from s2ram when firmware re-enables x2apic mode that kernel disabled during boot. Affects x86 systems with APIC hardware where kernel disabled x2apic (due to missing IRQ remapping support or other reasons) but ACPI-compliant firmware restores x2apic to initial boot state per spec. Kernel continues using xapic interface while hardware operates in x2apic mode, causing denial of service through system freezes. CVSS 5.5 (local low-complexity authenticated attack, high availability impact). EPSS 0.02% (7th percentile) indicates low observed exploitation probability. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0 mainline). No KEV listing or public exploit identified at time of analysis.
Denial of service via transaction abort in Linux kernel btrfs subsystem when a non-privileged subvolume owner repeatedly calls the set received ioctl with identical UUID values, causing filesystem to transition to read-only mode. The vulnerability exploits insufficient pre-flight validation that allows metadata updates to commence before detecting item overflow conditions, requiring only local access and subvolume ownership rather than root privileges. EPSS score of 0.02% indicates low exploitation probability despite CVSS 5.5 severity, suggesting practical exploitation barriers despite low privilege requirements.
RCU locking imbalance in Linux kernel btrfs filesystem code causes local denial of service. The try_release_subpage_extent_buffer() function in btrfs can exit an error path without properly releasing an RCU read lock, creating a locking inconsistency that leads to system instability. Affects Linux kernel versions 6.17 through pre-7.0, with patches available in stable branches 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% (4th percentile) indicates minimal observed exploitation activity. The flaw was detected through static analysis using Clang's thread-safety analyzer rather than field exploitation, suggesting lower immediate real-world risk despite the high-availability CVSS impact rating.
Local denial of service in Linux kernel's MPU3050 gyroscope driver allows authenticated users with low privileges to crash the system by triggering power management failures. The mpu3050-core driver fails to validate pm_runtime_get_sync() return values, enabling hardware access when device resume fails and causing improper reference counting that leads to kernel instability. EPSS score of 0.02% indicates minimal active exploitation likelihood, and patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).
A NULL pointer dereference in the Linux kernel's adis_init() function causes kernel crashes when initializing ADIS IMU drivers (adis16480, adis16490, adis16545). The function attempts to dereference adis->ops without first verifying it is non-NULL, triggering denial of service on affected systems during device probe. Exploitation requires local access with low privileges (CVSS AV:L/AC:L/PR:L). EPSS score of 0.02% (4th percentile) indicates minimal real-world exploitation likelihood. Vendor patches available across multiple stable kernel versions (6.19.9, 6.18.19, 7.0).
Local denial of service in the Linux kernel's HX9023S proximity sensor driver (iio subsystem) allows authenticated users with low privileges to crash the system via division by zero when setting sampling frequency with an unspecified value. Patch available from kernel.org stable trees for versions 6.12.78, 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation activity. No public exploit code or active exploitation (not in CISA KEV) confirmed at time of analysis.
Denial of service in Linux kernel KVM/arm64 vGIC subsystem allows local authenticated users with low privileges to crash the hypervisor via use-after-free during virtual interrupt controller teardown. CVSS rates this 5.5 (medium severity, local vector), but EPSS exploitation probability is very low at 0.02% (4th percentile). Patches available across multiple stable kernel versions (6.18.19, 6.19.9, 7.0). No active exploitation confirmed per CISA KEV, and the local-only attack vector with specific KVM/ARM64 deployment requirements limits real-world impact to environments running ARM64 virtualization workloads.
Use of uninitialized memory in Linux kernel f2fs filesystem node footer validation causes local denial of service. Linux kernel versions 7.0 through 7.1-rc1 with f2fs support allow local authenticated users to trigger a kernel crash by mounting a maliciously crafted f2fs filesystem image. The vulnerability occurs when f2fs_sanity_check_node_footer() accesses uninitialized folio data after a failed disk read operation during filesystem mount, as reported by syzbot. EPSS score of 0.02% (4th percentile) indicates minimal real-world exploitation likelihood. Vendor patches available for stable kernel branches 6.18.25, 7.0.2, and 7.1-rc1.
The Linux kernel mshv_vtl driver permits local denial-of-service via memory registration failure when VTL0 memory ranges are sufficiently aligned (35+ trailing zeros in physical address). An unclamped vmemmap_shift calculation can exceed MAX_FOLIO_ORDER, causing memremap_pages() to reject the operation and potentially destabilize virtualization infrastructure. CVSS 5.5 indicates local authenticated exploitation with low complexity. EPSS 0.02% suggests minimal real-world targeting. Vendor patches available for kernel 7.0.2 and 7.1-rc1 address both the shift clamping and error propagation issues.
Local denial of service in Linux kernel PTP (Precision Time Protocol) driver for Intel Ethernet (ice) allows authenticated users with low privileges to crash the system when PF passthrough is configured without the controlling PF. The vulnerability is caused by improper null pointer handling (CWE-617) when ice_ptp_setup_pf() attempts to access an uninitialized PTP controlling PF in VFIO passthrough configurations. Affects Linux kernel 6.13 through 7.0-rc7. EPSS probability is very low (0.02%, 4th percentile) and no active exploitation has been reported. Patches are available in stable branches 6.18.24, 6.19.14, and mainline 7.0.
Die ID initialization and lookup bugs in the Linux kernel's Intel uncore performance monitoring subsystem (perf/x86/intel/uncore) can cause a reachable assertion trigger or silent loss of PMON unit visibility on Intel Sapphire Rapids (SPR) and Emerald Rapids (EMR) server hardware. Authenticated local users on affected systems may crash the kernel via the WARN_ON_ONCE reachable assertion (CWE-617) or, when NUMA is disabled on a NUMA-capable platform, cause all uncore PMON units to be silently dropped from the RB tree - rendering hardware performance monitoring inoperative. No public exploit exists and EPSS is 0.02%, indicating no active exploitation pressure at time of analysis.
Unbalanced reference counting in the Linux kernel USB gadget CDC Subset Ethernet driver (f_subset) causes a resource leak that denies availability of USB gadget reconfiguration. A local authenticated user can trigger the condition by allocating and freeing the geth USB gadget function, leaving the reference count permanently elevated due to a missing decrement in geth_free(). The practical impact is a denial-of-service against the configfs interface for USB gadget management - subsequent attempts to unlink and re-configure the USB function fail silently. No public exploit is identified and EPSS exploitation probability is negligible at 0.02% (7th percentile).
Race condition in the Linux kernel's USB RNDIS gadget function driver (f_rndis) allows a local low-privileged attacker to crash the kernel by concurrently manipulating class/subclass/protocol configfs attributes without mutex protection. Identified during code inspection - not observed in active exploitation - this vulnerability affects multiple stable kernel branches from 4.14 through 7.0-rc3, with patches released across all maintained stable series. With an EPSS of 0.02% (7th percentile), no public exploit, and no CISA KEV listing, real-world risk is low but meaningful on embedded or IoT devices using Linux as a USB RNDIS peripheral.
Local denial of service in Linux kernel COMEDI subsystem allows authenticated users to trigger inconsistent lock states when reattaching low-level drivers to legacy COMEDI devices. Exploitation probability is low (EPSS 2%, percentile 7%) with no public exploit identified at time of analysis. Vendor-released patches available across all stable kernel branches from 5.10.253 through 7.0. Affects systems configured with non-zero comedi_num_legacy_minors parameter and requires local authenticated access to COMEDI device nodes.
Local privilege escalation in Linux kernel IPv6 address configuration subsystem enables authenticated local users to gain high-level system access through a use-after-free (UaF) condition in addrconf_permanent_addr(). Patch available across all maintained stable kernel series (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) with fixes backported from commit f1705ec197e7. EPSS score of 0.02% suggests minimal active exploitation likelihood, no KEV listing or public POC identified at time of analysis.
Transaction abort and denial of service in Linux kernel btrfs qgroup ioctls occurs when quota group operations fail to reserve transaction space for metadata updates and delayed references, resulting in -ENOSPC errors under filesystem pressure. Affected versions include mainline kernel through 6.19.x and stable branches 6.12.x and 6.18.x, with patches available in 6.12.81, 6.18.22, 6.19.12, and 7.0. Local authenticated users can trigger filesystem unavailability through qgroup operations. EPSS exploitation probability is low (0.02%), no active exploitation confirmed, and this represents a stability issue rather than a direct security compromise, though availability impact is high per CVSS 5.5 score.
NULL pointer dereference in the Linux kernel's AMD display driver (DRM subsystem) allows local authenticated users to crash the system via dcn401_init_hw() function. Affects kernel 6.12 through 7.0-rc6, specifically the DCN 4.01 hardware sequencer in amdgpu driver. Vendor patches available for stable branches (6.18.22, 6.19.12, 7.0). EPSS exploitation probability is very low (0.02%, 4th percentile), indicating minimal real-world threat despite moderate CVSS score. Not listed in CISA KEV, and no public exploit code identified at time of analysis.
ChaCha cipher implementation in the Linux kernel leaks cryptographic key material through an improperly zeroized stack variable. The ChaCha permutation function leaves 'permuted_state' on the stack after execution, which can be used to reverse-compute the original encryption key since ChaCha's permutation is mathematically invertible. This information disclosure affects kernel cryptographic operations including the RNG (random number generator). EPSS score of 0.02% indicates very low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV). Patches are available across all maintained kernel versions from 5.10.253 through 6.19.12.
Null pointer dereference in Linux kernel's Qualcomm SM8450 interconnect driver causes local denial of service during device probe. The vulnerability affects Linux kernel 6.19.x through 7.0-rc6 on Qualcomm SM8450 platforms when the interconnect driver initializes. Upstream patches are available (commits 77d22bf3fc5d and dbbd550d7c8d). EPSS score of 0.02% indicates very low observed exploitation probability, and no active exploitation or public POC has been identified. Real-world risk is limited to local authenticated users on affected Qualcomm SoC platforms during driver initialization.
Authentication downgrade in Linux kernel Bluetooth SMP allows adjacent network attackers to bypass MITM protection during pairing. When a Bluetooth responder requires BT_SECURITY_HIGH, the SMP implementation incorrectly builds pairing responses before enforcing local MITM requirements, allowing initiators to force weaker 'Just Confirm' authentication even when policy mandates stronger methods. EPSS score of 0.02% indicates low predicted exploitation probability, and no active exploitation or public POC has been identified. Patches available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Kernel NULL pointer dereference in Linux kernel's BPF verifier allows local authenticated users to trigger a denial of service. The vulnerability stems from improper handling of nullable PTR_TO_BUF pointers in check_mem_access(), where map iterator callbacks can dereference NULL ctx->key or ctx->value pointers without validation, causing a kernel crash. Affects Linux kernel versions 5.17 through 7.0-rc4, with patches available across stable branches (5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates very low probability of exploitation in the wild, and no evidence of public exploit code or active exploitation exists. Local access with low privileges required makes this a targeted risk rather than widespread threat.
Use-after-free in Linux kernel thermal subsystem allows local authenticated attackers with low privileges to achieve high confidentiality, integrity, and availability impact through race condition during thermal zone device registration failure. The flaw occurs when thermal_zone_device_register_with_trips() fails after registration but before properly cleaning up - if userspace holds a kobject reference, the thermal zone structure can be freed prematurely while still in use. Vendor patches available across stable branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating, suggesting limited real-world attacker interest in this local race condition.
Buffer overflow in the Linux kernel's CAAM crypto driver allows local authenticated attackers to corrupt memory and potentially execute arbitrary code with elevated privileges. The vulnerability occurs when HMAC keys exceeding the algorithm's block size are processed - the driver allocates DMA-aligned memory but uses kmemdup() to copy only the actual key length, then reads beyond the source buffer boundary during hashing. EPSS score of 0.02% (5th percentile) indicates low predicted exploitation likelihood. Patches are available across multiple stable kernel branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) via upstream commits, with fixes applied since kernel 6.3 introduced the vulnerable code.
Race condition in Linux kernel's dummy-hcd USB gadget driver causes kernel crash and denial of service when USB reset occurs simultaneously with driver unbind. Syzbot testing triggered NULL pointer dereference in usb_gadget_udc_reset() due to improper spinlock handling in stop_activity() that allowed dum->driver to be cleared prematurely. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) suggests very low observed exploitation probability. Not listed in CISA KEV, indicating no confirmed active exploitation.
A deadlock vulnerability in the Linux kernel's sched_ext (extensible scheduler) subsystem allows local authenticated users to trigger a denial of service by creating cyclic wait dependencies between CPUs. The flaw exists in the SCX_KICK_WAIT mechanism where busy-waiting in hardirq context prevents rescheduling and kick_sync advancement, causing multi-CPU deadlocks when wait cycles form. Patch available from mainline kernel (commit c3a7903f65cf for mainline, 415cb193bb97 for stable 6.12+). EPSS score of 0.02% suggests minimal real-world exploitation activity. No public exploit code or active exploitation confirmed at time of analysis.
A firmware crash in Linux kernel's iwlwifi driver (versions 6.9 through 7.0-rc7) occurs when the AX201 Wi-Fi adapter incorrectly receives a 6GHz-related command (MCC_ALLOWED_AP_TYPE_CMD) despite lacking 6E support. This triggers a local denial of service (CVSS 5.5, AV:L) requiring low privileges. Vendor patches are available across stable branches (6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (4th percentile) indicates minimal real-world exploitation risk, with no active exploitation or public POC identified. Priority for systems using Intel AX201 adapters where local users could trigger system instability.
Race condition in the Linux kernel's dummy-hcd USB driver allows local authenticated users to trigger use-after-free conditions during gadget driver unbinding, potentially enabling privilege escalation, information disclosure, or denial of service. The flaw stems from incorrect ordering of interrupt synchronization - emulated synchronize_irq() runs before interrupt-disable, allowing callbacks to execute after the gadget driver is unbound. Patched versions include 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% (7th percentile) indicates very low probability of exploitation in the wild, with no confirmed active exploitation or public POC identified at time of analysis.
Local denial of service in Linux kernel scheduler (6.12.78-6.19.12) allows low-privileged users to trigger system-wide instability via stress-ng-yield workloads. The flaw stems from incomplete vruntime tracking in commit b3d99f43c72b, where yield()-heavy tasks can leapfrog past tick updates and cause overflow conditions. EPSS exploitation probability is negligible (0.02%, 5th percentile), and vendor patches are available across all affected stable branches. No active exploitation or public POC identified at time of analysis.
Use-after-free (UAF) in Linux kernel Bluetooth subsystem allows adjacent network attackers to trigger memory corruption via malformed LE Read Features Complete responses. The vulnerability occurs when hci_conn is freed before le_read_features_complete callback executes but after hci_le_read_remote_features_sync initiates, causing atomic operations on freed memory during hci_conn_drop. Active exploitation status not confirmed (no CISA KEV listing). EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. Upstream patches committed to stable kernel branches 6.19.12+ and 7.0+.
A null pointer dereference in the AMD Display Core driver's DSC (Display Stream Compression) handling for eDP panels causes local system crashes on Linux kernel 6.12 through 7.0-rc5. The vulnerability stems from missing function hook validation before use, allowing local authenticated users with low privileges to trigger a high-severity denial-of-service condition. Patches available across kernel 6.12.75, 6.18.16, 6.19.6, and 7.0 stable branches. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation activity, and no KEV listing or public POC identified at time of analysis.
Race condition in Linux kernel AMDGPU driver allows local attackers with low privileges to trigger denial of service through GPU page faults during DMA buffer operations. The vulnerability affects multi-GPU systems where shared buffer objects are accessed across different GPUs, particularly impacting AMD Radeon graphics driver stability. Patch available from upstream kernel maintainers for versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit code or active exploitation has been identified.
Resource leak in Linux kernel MOST (Media Oriented Systems Transport) core driver allows local authenticated users to trigger denial of service through repeated interface registration failures. The vulnerability stems from incomplete error handling in the driver's registration path, where resources allocated for MOST interfaces are not properly released when early registration failures occur. While CVSS rates this 5.5 with local access and low attack complexity, the EPSS score of 0.02% (5th percentile) indicates minimal real-world exploitation likelihood. Vendor patches are available across multiple kernel stable branches (6.12.75, 6.18.16, 6.19.6, 7.0).
An out-of-bounds shift operation in the Linux kernel's solo6x10 media driver causes a local denial of service. Affects Linux kernel versions from the initial commit through 7.0-rc3, with patches available in stable versions 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. The flaw, triggered by improper chip_id bounds checking, causes Clang's undefined behavior sanitizer to instrument code that can lead to system instability when exploited by low-privileged local users. EPSS exploitation probability is 0.02% (7th percentile), indicating minimal widespread threat. Vendor-released patches address the issue by adding explicit bounds validation and using unsigned shift operations.
go-git versions prior to 5.18.0 and 6.0.0-alpha.2 leak HTTP authentication credentials when following cross-host redirects during smart-HTTP clone and fetch operations. Remote unauthenticated attackers controlling a redirect target can capture credentials intended for the original repository host. User interaction (initiating a clone/fetch to a malicious or compromised server) is required. Vendor-released patches are available in v5.18.0 and v6.0.0-alpha.2.
Race condition in drm/panthor GPU driver violates dma-fence safe access rules, allowing local authenticated users to cause denial of service via timeline name retrieval racing with queue freeing. CVSS 5.5 (local, low complexity) with EPSS 0.02% indicating minimal real-world exploitation likelihood despite active kernel-level flaw.
Denial of service in Linux kernel DRM GEM shmem helper functions allows local privileged attackers to trigger CPU warnings and system instability via improper reservation lock handling around vmap/vunmap operations. The vulnerability affects Linux 6.16 and multiple stable branches (6.18, 6.19, 7.0) and is resolved in patched versions; exploitation requires local access with limited privileges and produces availability impact through kernel warnings rather than remote compromise.
Memory access violations occur in Linux kernel on Xilinx ZynqMP systems when OP-TEE device tree nodes are manually defined, preventing U-Boot's OP-TEE injection logic from properly inserting reserved-memory nodes. This affects Linux kernel versions 6.9 through 7.0 on ARM64 ZynqMP platforms, allowing local authenticated users to cause denial of service through runtime memory access faults. Vendor-released patches are available across multiple stable branches (6.12.75, 6.18.16, 6.19.6, 7.0).
Path traversal vulnerability in YARD prior to version 0.9.42 allows remote attackers to access arbitrary files on a server running yard server with unsanitized HTTP requests when using the --docroot flag. The vulnerability affects the documentation serving functionality and has been patched in version 0.9.42. No public exploit code or active exploitation has been identified at the time of analysis.
Local users with low privileges can trigger a denial of service in Linux kernel KVM (Kernel-based Virtual Machine) by manipulating nested virtualization state on AMD SVM systems. The vulnerability allows unprivileged users to cause a kernel warning and potential system instability by modifying CPUID after loading CR3 register state in nested SVM configurations. With CVSS 5.5 (AV:L/AC:L/PR:L) and low EPSS (0.02%), this represents a localized availability risk rather than a critical remote threat. Vendor patches are available across multiple kernel versions (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0).
Local attackers with low privileges can cause indefinite system hangs in Linux kernel device-mapper (dm) subsystem by injecting io-timeout-fail errors, triggering CWE-772 resource leaks where I/O requests are never completed. Affects longstanding kernel code from 5.10.x through mainline 6.19.x; vendor-patched versions available (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates low real-world exploitation probability. No active exploitation confirmed (not in CISA KEV), no public POC identified at time of analysis.
NULL pointer dereference in Linux kernel ACPI processor module allows local authenticated attackers to crash the system. The flaw occurs in acpi_processor_errata_piix4() when device lookup logic overwrites a valid pointer with NULL, triggering a crash when accessed by dev_dbg(). Vendor-released patches are available across multiple stable kernel branches (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS exploitation probability is very low (0.02%, 7th percentile), and no public exploit or active exploitation has been identified. The vulnerability requires local access with low privileges (CVSS AV:L/PR:L), making it a lower priority than network-exposed flaws despite the high availability impact.
A use-after-free in the OmniVision OV5647 camera sensor driver (media: i2c: ov5647) can trigger a kernel crash. The ov5647_init_controls() function dereferences an uninitialized subdev pointer via v4l2_get_subdevdata() when error conditions occur during probe. This affects Linux kernel versions from 5.12 through multiple stable branches including 5.15.x, 6.1.x, 6.6.x, 6.12.x, 6.18.x, and 6.19.x prior to patches. Vendor patches available across all affected stable trees. EPSS exploitation probability is very low (0.02%, 7th percentile) with no public exploit identified at time of analysis.
Hardware-level denial of service in Linux kernel verisilicon media driver on i.MX8MQ platform allows local authenticated users to trigger VPU bus errors and system hangs through simultaneous H.264/HEVC decoding. Affects kernel versions 5.14 through pre-6.19.6 and pre-7.0. Patches available via stable kernel commits 286d629d1064 and e0203ddf9af7. EPSS score of 0.02% indicates minimal observed exploitation, and CVSS 5.5 reflects local scope with low complexity. No public exploit code identified, and not listed in CISA KEV.
System hang during RAID array teardown affects Linux kernel's dm-raid target when metadata devices are suspended before removal. The vulnerability triggers when stopping dm-raid managed arrays, causing md_stop() to indefinitely block while attempting to flush write-intent bitmaps to already-suspended metadata devices. With EPSS exploitation probability at 0.02% (4th percentile) and vendor patches available for kernel versions 6.18.16, 6.19.6, and 7.0, this represents a local denial-of-service risk requiring low privileges but poses minimal risk in most environments due to the specific dm-raid configuration prerequisite.
Denial of service vulnerability in Linux kernel btrfs filesystem allows local authenticated users to trigger a kernel panic via unexpected delayed reference types. The vulnerability stems from improper error handling in run_one_delayed_ref() that invokes BUG() instead of gracefully returning an error. Patched in Linux 6.19.6 and 7.0 with proper error logging. EPSS exploitation probability is very low (0.02%, 5th percentile) with no public exploit or active exploitation reported, indicating minimal real-world risk despite the high availability impact in the CVSS score.
Local denial-of-service in Linux kernel BPF crypto subsystem allows authenticated attackers to crash the system via CFI policy violations. The vulnerability stems from a type mismatch in BPF's crypto destructor function when Control Flow Integrity (CONFIG_CFI) is enabled, causing kernel panics during object cleanup operations. Patches available across kernel versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low likelihood of mass exploitation. No KEV listing or public exploits identified at time of analysis.
Denial of service via system hang in Linux kernel's AMD display driver occurs when the DMUB hardware lock evaluation mismatches between lock acquisition and release in the HWSS fast path, affecting ASIC variants without FAMS support. Local authenticated attackers can trigger this condition through display operations, causing a hang with high availability impact. Patch available in stable releases 6.19.6 and 7.0; EPSS score of 0.02% indicates low real-world exploitation probability despite KEV status.
Linux kernel DMA API debug warnings in V3D rendering driver cause denial of service when CONFIG_DMA_API_DEBUG is enabled and V3D segment sizes exceed the default 64K maximum. The vulnerability affects systems using V3D graphics rendering (particularly Raspberry Pi 5) with debug DMA API enabled, allowing local authenticated users to trigger kernel warnings and potential system instability by creating V3D buffer objects larger than the device's claimed DMA segment size limit.
A reference count underflow in the Linux kernel's chips-media wave5 video codec driver causes a runtime PM usage count to decrement below zero during module removal, triggering a kernel warning and potentially causing denial of service when the driver is unloaded. The vulnerability affects unprivileged local users on systems with the wave5 codec driver enabled, and occurs when the device has already been suspended via autosuspend before the remove path executes pm_runtime_put_sync(). EPSS score of 0.02% indicates low exploitation probability despite the denial-of-service capability.
Null-pointer dereference in the Linux kernel DRM panel driver (jdi_panel_dsi_remove function) allows local authenticated attackers to cause a denial of service by triggering device removal when the jdi structure is NULL. The vulnerability exists because the function checks for NULL but fails to return early, allowing subsequent code to dereference the NULL pointer. CVSS score is 5.5 (local attack vector, low complexity); EPSS indicates low exploitation probability (0.02%, 5th percentile), and no public exploit code or active exploitation has been confirmed.
Linux kernel btrfs filesystem crashes with kernel BUG when read-repair operations execute after filesystem transitions to read-only state during critical ENOSPC errors. Affects btrfs users experiencing metadata space exhaustion, causing denial of service through kernel panic in the bio repair path. Local attackers with low privileges can trigger this condition in specific filesystem states. EPSS score of 0.02% and no KEV listing indicate low probability of widespread exploitation. Vendor-released patches available in kernel versions 6.19.6 and 7.0.
Denial of service in Linux kernel drm/amdgpu driver (VCNv2.5) affects virtual function (VF) GPU environments running kernel versions prior to 6.18.16, 6.19.6, and 7.0. During module unload or system deinitialization, VF configurations trigger a kernel warning and potential crash when attempting to release an uninitialized VCN poison interrupt handler. EPSS exploitation probability is very low (0.02%, 4th percentile) with no public exploit or active exploitation (not in CISA KEV). Vendor patches available across multiple stable kernel branches via upstream commits.
Local denial-of-service in Linux kernel's Rockchip RGA media driver allows authenticated users with low privileges to crash the system through NULL pointer dereference. The vulnerability affects kernel versions 6.8+ containing the Rockchip RGA driver, where rga_buf_init() fails to validate ERR_PTR returns from rga_get_frame() before dereferencing frame size. Vendor patches available across stable branches (6.12.75, 6.18.16, 6.19.6). EPSS score 0.02% (5th percentile) indicates minimal real-world exploitation likelihood, consistent with local-only attack vector requiring authenticated access.
Denial of service in Linux kernel RapidIO subsystem occurs when idtab allocation fails during rio_scan_alloc_net(), causing the function to incorrectly invoke rio_free_net() instead of kfree() on unregistered memory, leaving a dangling pointer in mport->net that can be dereferenced later to trigger a crash. Authenticated local attackers with low privilege can trigger this condition on systems with RapidIO support enabled, resulting in kernel panic and service unavailability. EPSS probability is low (0.02%) despite moderate CVSS, indicating limited real-world exploitability; no public exploit code or active KEV exploitation confirmed.
Kernel panic occurs in the Renesas RZ/G2L MIPI DSI driver during system reboot when display panels attempt to send DSI commands in their unprepare callback, due to incorrect sequencing of driver shutdown. The vulnerability affects Linux kernel versions from commit 56de5e305d4b onwards on ARM64 systems running RZ/G2L platforms with specific panel types, allowing local users with standard privileges to trigger a denial of service by initiating a reboot.
In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix kthread worker destruction in polling mode Fix the cleanup order in polling mode (irq < 0) to prevent kernel warnings during module removal. Cancel the hrtimer before destroying the kthread worker to ensure work queues are empty. In polling mode, the driver uses hrtimer to periodically trigger wave5_vpu_timer_callback() which queues work via kthread_queue_work(). The kthread_destroy_worker() function validates that both work queues are empty with WARN_ON(!list_empty(&worker->work_list)) and WARN_ON(!list_empty(&worker->delayed_work_list)). The original code called kthread_destroy_worker() before hrtimer_cancel(), creating a race condition where the timer could fire during worker destruction and queue new work, triggering the WARN_ON. This causes the following warning on every module unload in polling mode: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 1034 at kernel/kthread.c:1430 kthread_destroy_worker+0x84/0x98 Modules linked in: wave5(-) rpmsg_ctrl rpmsg_char ... Call trace: kthread_destroy_worker+0x84/0x98 wave5_vpu_remove+0xc8/0xe0 [wave5] platform_remove+0x30/0x58 ... ---[ end trace 0000000000000000 ]---
In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node When CONFIG_PAGE_OWNER is enabled, freeing KASAN shadow pages during vmalloc cleanup triggers expensive stack unwinding that acquires RCU read locks. Processing a large purge_list without rescheduling can cause the task to hold CPU for extended periods (10+ seconds), leading to RCU stalls and potential OOM conditions. The issue manifests in purge_vmap_node() -> kasan_release_vmalloc_node() where iterating through hundreds or thousands of vmap_area entries and freeing their associated shadow pages causes: rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P6229/1:b..l ... task:kworker/0:17 state:R running task stack:28840 pid:6229 ... kasan_release_vmalloc_node+0x1ba/0xad0 mm/vmalloc.c:2299 purge_vmap_node+0x1ba/0xad0 mm/vmalloc.c:2299 Each call to kasan_release_vmalloc() can free many pages, and with page_owner tracking, each free triggers save_stack() which performs stack unwinding under RCU read lock. Without yielding, this creates an unbounded RCU critical section. Add periodic cond_resched() calls within the loop to allow: - RCU grace periods to complete - Other tasks to run - Scheduler to preempt when needed The fix uses need_resched() for immediate response under load, with a batch count of 32 as a guaranteed upper bound to prevent worst-case stalls even under light load.
Local denial of service in Linux kernel's kexec subsystem allows authenticated attackers to trigger kernel warning and system instability. The kexec_load_purgatory() function incorrectly derives the purgatory entry point when multiple executable sections have overlapping sh_addr values, causing a WARN condition that disrupts kexec operations. With CVSS 5.5 (AV:L/AC:L/PR:L/UI:N) and EPSS at 0.02%, this represents low real-world exploitation risk. Patches available across multiple stable kernel versions including 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, and 6.19.6.
Local privilege escalation in Linux kernel ext4 filesystem causes kernel panic during mount operations when DOUBLE_CHECK is enabled. Affects multiple stable kernel versions from 6.6.128 through 7.0. The initialization race condition allows local authenticated users to trigger a denial of service by mounting specially crafted ext4 filesystems with corrupted block bitmaps. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability. Vendor patches available across all affected stable branches.
Local users with low privileges can trigger unbounded kernel memory consumption in the Linux kernel's DRM subsystem via DRM_IOCTL_MODE_CREATEPROPBLOB, bypassing memory cgroup accounting and causing system-wide denial of service. The vulnerability affects all Linux kernel versions from 2.6.12-rc2 (commit 1da177e4) through 6.19.x until patched in 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. EPSS score is low (0.02%) and no active exploitation is documented; however, the attack requires only local access and low privileges (CVSS AV:L/AC:L/PR:L), making it easily exploitable by unprivileged users on multi-tenant systems.
Memory accounting errors in Linux kernel hugetlb subsystem cause subpool reservation counters to incorrectly increment on failed global allocations, eventually rendering hugetlb subpools permanently unusable. The vulnerability affects Linux kernels from 6.15 onward where commit a833a693a490 introduced the flaw. When a process requests hugepages that require both subpool and global pool resources, failed global allocations leave the subpool's used_hpages counter elevated despite no actual page consumption, progressively exhausting the subpool's apparent capacity until all future allocations fail. Patches available for kernels 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% and lack of KEV listing indicate low exploitation probability, though local authenticated attackers can trigger the condition to cause denial of service against hugetlb-dependent workloads.
Denial of service via NMI-unsafe seqcount access in Linux kernel memory slab allocator allows local privileged attackers to trigger kernel deadlock when get_from_any_partial() is called in NMI context. The vulnerability stems from unsafe access to current->mems_allowed_seq (a spinlock-based seqcount) without NMI-safety guarantees, causing lockdep warnings and potential system hang. EPSS exploitation probability is low at 0.02%, and no active exploitation has been confirmed.
A denial of service vulnerability in the Linux kernel's Cadence QSPI driver causes duplicate clock disables during device probe error handling when flash device tree descriptions are missing or malformed. An unprivileged local user can trigger this vulnerability by providing broken device tree configuration for attached SPI flash devices, resulting in kernel warnings and potential system instability.
Denial of service via missing reservation lock in drm/tests shmem allows local authenticated users to trigger a kernel warning and crash the DRM graphics subsystem. The vulnerability exists in DRM test code that calls drm_gem_shmem_madvise_locked() without properly acquiring the GEM object's reservation lock, causing CPU warnings and potential system instability on affected kernel versions.
Kernel denial of service in rtw88 WiFi driver 8822b chipset allows local authenticated users to trigger a kernel WARNING and potential system instability by setting antenna configuration while the wireless chip is powered off, causing unexpected values when RF registers are read during power-down state.
Denial of service in Linux kernel DRM GEM shmem helper when drm_gem_shmem_purge_locked() is called without properly holding the GEM object's reservation lock, affecting local authenticated users. The vulnerability causes a kernel warning and denial of service condition in the direct rendering manager's shared memory handling code. CVSS 5.5 with low EPSS (0.02%) indicates limited real-world exploitation despite availability of patch. Affected Linux versions prior to kernels with commits cdf8bbbd9017adcfb91ad9a902198d4b507719a9, 8baeee2c1c0cdb3a8eac3b8f38156cce6ee1a69f, and 3f41307d589c2f25d556d47b165df808124cd0c4.
Apache::Session versions through 1.94 for Perl re-creates deleted sessions. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
curl versions 7.14.0 through 8.19.0 leak netrc credentials when reusing proxy connections, allowing authenticated local attackers to obtain sensitive authentication data via connection pooling that ignores credential requirements. CVSS 5.3 reflects high confidentiality impact but requires low-privilege authentication and high attack complexity; EPSS 0.02% indicates minimal real-world exploitation probability despite broad version coverage. No public exploit code identified at time of analysis.
OCSP stapling validation bypass in curl 8.17.0-8.19.0 allows remote attackers to obtain sensitive certificate validation information when curl uses Apple SecTrust for TLS connections, potentially enabling man-in-the-middle attacks by bypassing server certificate revocation checks.
Cross-proxy Digest authentication state leak in curl allows remote attackers to obtain sensitive authentication credentials when curl is used with proxy authentication across multiple proxy hops. The vulnerability affects curl versions from 7.12.0 through 8.19.0 due to improper handling of Digest authentication state between proxies, enabling credential disclosure with network-level access and no authentication requirements. EPSS score of 0.03% suggests low real-world exploitation probability despite the information disclosure impact.
Cross-site scripting (XSS) vulnerability in Go's html/template library allows attackers to bypass URL escaping in meta tag content attributes by inserting ASCII whitespaces around the equals sign, enabling injection of malicious scripts into web applications. Affects Go 1.25.x before 1.25.10 and 1.26.x before 1.26.3. This is a regression from CVE-2026-27142 where the fix was incomplete, and exploitation requires user interaction (UI:R) but operates across security boundaries (S:C).
Go's html/template library incorrectly escapes data passed into <script> tags when the tag contains an empty or whitespace-only 'type' attribute, allowing a trusted template author to inadvertently expose sensitive information to client-side scripts. Affects html/template versions prior to 1.26.3 and 1.25.10. CVSS 6.1 with user interaction required; EPSS 0.01% indicates minimal real-world exploitation likelihood despite moderate base score.
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.
Cross-site scripting (XSS) vulnerability in PHP 8.2.x (prior to 8.2.31) allows network-based attackers to inject malicious scripts that execute in victim browsers, compromising session tokens and potentially escalating to account takeover. Vendor-released patch (PHP 8.2.31) addresses this along with seven additional CVEs in a coordinated security release. CVSS 7.3 HIGH with user interaction required; exploitation status classified as POC-available per CVSS 4.0 vector (E:P), though public exploit code not independently verified at time of analysis.
A buffer over-read vulnerability in PHP 8.2 prior to version 8.2.31 allows remote attackers to disclose sensitive information through a network vector with high attack complexity and partial attack time requirements. The vulnerability (CWE-125) affects information availability and system availability, with CVSS 6.3 indicating moderate risk. Vendor-released patch available in PHP 8.2.31.
Use-after-free memory corruption in PHP 8.2 prior to version 8.2.31 allows remote attackers to cause information disclosure or denial of service via network requests with low attack complexity. The vulnerability is addressed in PHP 8.2.31, released as a security update bundling fixes for eight CVEs including CVE-2026-7261. Patch availability is confirmed from the PHP development team.
Out-of-memory exploitation in the Linux kernel's amdgpu DRM subsystem allows a local, low-privileged user to crash the system by supplying unchecked huge values to the amdgpu_userq_signal_ioctl interface. The missing upper-bound validation on user inputs enables resource exhaustion that can destabilize or deny service on any Linux system equipped with a supported AMD GPU. No public exploit code exists and no active exploitation has been confirmed (no CISA KEV listing), with an EPSS of 0.02% placing this firmly in the low-priority tier for most environments outside high-assurance or shared multi-user GPU workloads.
Reference leak in the Linux kernel's amdgpu userqueue subsystem allows a local low-privileged user to exhaust kernel resources by repeatedly triggering an early-abort code path in amdgpu_userq_wait_ioctl. When the ioctl aborts because the caller-supplied output array is too small, the kernel omits required reference drops on syncobj and timeline fence objects, preventing those objects from ever being freed. No active exploitation is confirmed (not in CISA KEV), and EPSS sits at 0.02% (4th percentile), signaling negligible real-world exploitation activity.
Out-of-memory exploitation in the Linux kernel's amdgpu DRM driver allows a local low-privileged user to crash or destabilize a system by supplying oversized input values to the amdgpu_userq_wait_ioctl interface. Systems running affected kernel versions with AMD GPU hardware are vulnerable to availability loss. No public exploit code has been identified at time of analysis, and an EPSS score of 0.02% (4th percentile) reflects very low real-world exploitation probability; this is not confirmed actively exploited (not in CISA KEV).
Memory leak in the Linux kernel's samsung-dsim DRM bridge driver allows a local low-privileged user to exhaust kernel memory by repeatedly triggering error paths in samsung_dsim_host_attach() where drm_bridge_remove() is never called after a failed samsung_dsim_register_te_irq() or host attach operation. Affected systems must be running Samsung MIPI DSI display hardware with the samsung-dsim module loaded. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) combined with absence from CISA KEV confirms this is a low-exploitation-likelihood maintenance fix rather than an active threat.
Memory leak in the Linux kernel's drm/xe (Intel Xe GPU) sync subsystem allows a local low-privileged user to cause a denial of service by exhausting kernel memory. The flaw exists in the drm/xe/sync error-handling path: when dma_fence_chain_alloc() fails, the user fence reference is not properly released (CWE-401), leaving allocated memory permanently inaccessible to the allocator. No active exploitation has been identified (EPSS 0.02%, 4th percentile, not in CISA KEV), and patches have been backported to stable kernel branches including 6.18.20 and 6.19.9.
Incomplete cleanup in the Linux kernel's DRM/Xe GPU driver allows a local low-privileged user to leak kernel object references (syncobj, fence, chain fence, or user fence) by triggering error paths in xe_sync_entry_parse(), resulting in kernel memory exhaustion and local denial of service. Affected kernels include those shipping the Intel Xe GPU driver from the introducing commit (dd08ebf6c352) up to the fix commits landed in stable series 6.12, 6.18, 6.19, and 7.0. No public exploit code exists and no active exploitation has been reported; EPSS probability sits at 0.02% (5th percentile), reflecting extremely low real-world exploitation interest.
Stack buffer overflow in the Linux kernel's pmbus/q54sj108a2 hwmon driver allows local privileged users to corrupt kernel stack memory by reading from a specific debugfs entry. The flaw stems from a misuse of bin2hex() that writes 64 bytes of hex-encoded output into a 34-byte stack buffer, overflowing it by 30 bytes; no public exploit identified at time of analysis and EPSS exploitation probability is negligible at 0.03% (9th percentile).
Use-after-free in the Linux kernel's ksmbd SMB server (smb2_open()) allows remote attackers to potentially trigger memory corruption when accessing an opinfo pointer dereferenced after rcu_read_unlock(). The flaw is fixed in upstream stable releases (6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0); no public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Linux kernel MCTP driver leaks USB device references when probe fails, allowing local authenticated attackers to trigger denial of service through resource exhaustion. The flaw affects kernels from 6.15 through 6.19.9 and has been patched in versions 6.18.19, 6.19.9, and 7.0. EPSS score of 0.02% indicates minimal active exploitation risk, and no public exploit code has been identified at time of analysis.
Resource leak in Linux kernel's Microchip DSA PTP driver allows local authenticated users with low privileges to cause denial of service through high availability impact. The ksz_ptp_irq_setup() function fails to dispose of newly created IRQ mappings when request_threaded_irq() fails during PTP message IRQ setup, leading to resource exhaustion. Vendor patches available across multiple stable kernel branches (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS score of 0.02% (5th percentile) indicates very low probability of exploitation in the wild, and no public exploit identified at time of analysis.
Memory leak and denial-of-service in the Linux kernel macb network driver (used in AMD ZynqMP platforms) allows local authenticated users to cause prolonged network disruption and system resource exhaustion. The flaw manifests during suspend/resume cycles when the transmit ring pointer resets incorrectly, silently dropping queued packets without releasing their memory, and causing the driver to become stuck waiting for already-transmitted packets. Real-world impact observed in NFS rootfs recovery delays. EPSS score of 0.02% (7th percentile) indicates low exploitation likelihood. Vendor patches available across multiple stable kernel branches (6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.9).
A NULL pointer dereference in Linux kernel AMD GPU driver cleanup code causes local denial of service when GPU initialization fails on systems with unsupported AMD hardware blocks. Local authenticated users with low privileges can trigger kernel crashes during device teardown sequences. The vulnerability affects multiple stable kernel versions (6.18.16-6.18.19, 6.19.6-6.19.9) with patches available from upstream. EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, and no active exploitation or public exploits are confirmed. Real-world impact is limited to systems with specific AMD GPU hardware experiencing initialization failures, making this primarily a reliability issue rather than a direct security threat.
Null pointer dereference in Linux kernel's AMD DRM driver causes system crash during device cleanup on unsupported hardware. The flaw (CWE-476) affects multiple 6.18.x and 6.19.x kernel versions, allowing local authenticated users to trigger denial of service through AMD GPU driver initialization or cleanup operations. Patches available via kernel stable tree commits with EPSS score of 0.02% indicating minimal exploitation likelihood. No active exploitation or public POC identified at time of analysis.
NULL pointer dereference in Linux kernel's ublk driver allows local authenticated users to crash the system by sending UBLK_CMD_UPDATE_SIZE to a device before it starts or after it stops. The vulnerability exists in ublk_ctrl_set_size() which unconditionally dereferences ub->ub_disk without validating the device state, triggering a kernel panic and causing a denial of service. Patches are available from the Linux kernel maintainers for versions 6.18.20, 6.19.9, and 7.0. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability, consistent with the local-only attack vector and absence from CISA KEV.
System hangs on Linux kernel resume from s2ram when firmware re-enables x2apic mode that kernel disabled during boot. Affects x86 systems with APIC hardware where kernel disabled x2apic (due to missing IRQ remapping support or other reasons) but ACPI-compliant firmware restores x2apic to initial boot state per spec. Kernel continues using xapic interface while hardware operates in x2apic mode, causing denial of service through system freezes. CVSS 5.5 (local low-complexity authenticated attack, high availability impact). EPSS 0.02% (7th percentile) indicates low observed exploitation probability. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0 mainline). No KEV listing or public exploit identified at time of analysis.
Denial of service via transaction abort in Linux kernel btrfs subsystem when a non-privileged subvolume owner repeatedly calls the set received ioctl with identical UUID values, causing filesystem to transition to read-only mode. The vulnerability exploits insufficient pre-flight validation that allows metadata updates to commence before detecting item overflow conditions, requiring only local access and subvolume ownership rather than root privileges. EPSS score of 0.02% indicates low exploitation probability despite CVSS 5.5 severity, suggesting practical exploitation barriers despite low privilege requirements.
RCU locking imbalance in Linux kernel btrfs filesystem code causes local denial of service. The try_release_subpage_extent_buffer() function in btrfs can exit an error path without properly releasing an RCU read lock, creating a locking inconsistency that leads to system instability. Affects Linux kernel versions 6.17 through pre-7.0, with patches available in stable branches 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% (4th percentile) indicates minimal observed exploitation activity. The flaw was detected through static analysis using Clang's thread-safety analyzer rather than field exploitation, suggesting lower immediate real-world risk despite the high-availability CVSS impact rating.
Local denial of service in Linux kernel's MPU3050 gyroscope driver allows authenticated users with low privileges to crash the system by triggering power management failures. The mpu3050-core driver fails to validate pm_runtime_get_sync() return values, enabling hardware access when device resume fails and causing improper reference counting that leads to kernel instability. EPSS score of 0.02% indicates minimal active exploitation likelihood, and patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).
A NULL pointer dereference in the Linux kernel's adis_init() function causes kernel crashes when initializing ADIS IMU drivers (adis16480, adis16490, adis16545). The function attempts to dereference adis->ops without first verifying it is non-NULL, triggering denial of service on affected systems during device probe. Exploitation requires local access with low privileges (CVSS AV:L/AC:L/PR:L). EPSS score of 0.02% (4th percentile) indicates minimal real-world exploitation likelihood. Vendor patches available across multiple stable kernel versions (6.19.9, 6.18.19, 7.0).
Local denial of service in the Linux kernel's HX9023S proximity sensor driver (iio subsystem) allows authenticated users with low privileges to crash the system via division by zero when setting sampling frequency with an unspecified value. Patch available from kernel.org stable trees for versions 6.12.78, 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation activity. No public exploit code or active exploitation (not in CISA KEV) confirmed at time of analysis.
Denial of service in Linux kernel KVM/arm64 vGIC subsystem allows local authenticated users with low privileges to crash the hypervisor via use-after-free during virtual interrupt controller teardown. CVSS rates this 5.5 (medium severity, local vector), but EPSS exploitation probability is very low at 0.02% (4th percentile). Patches available across multiple stable kernel versions (6.18.19, 6.19.9, 7.0). No active exploitation confirmed per CISA KEV, and the local-only attack vector with specific KVM/ARM64 deployment requirements limits real-world impact to environments running ARM64 virtualization workloads.
Use of uninitialized memory in Linux kernel f2fs filesystem node footer validation causes local denial of service. Linux kernel versions 7.0 through 7.1-rc1 with f2fs support allow local authenticated users to trigger a kernel crash by mounting a maliciously crafted f2fs filesystem image. The vulnerability occurs when f2fs_sanity_check_node_footer() accesses uninitialized folio data after a failed disk read operation during filesystem mount, as reported by syzbot. EPSS score of 0.02% (4th percentile) indicates minimal real-world exploitation likelihood. Vendor patches available for stable kernel branches 6.18.25, 7.0.2, and 7.1-rc1.
The Linux kernel mshv_vtl driver permits local denial-of-service via memory registration failure when VTL0 memory ranges are sufficiently aligned (35+ trailing zeros in physical address). An unclamped vmemmap_shift calculation can exceed MAX_FOLIO_ORDER, causing memremap_pages() to reject the operation and potentially destabilize virtualization infrastructure. CVSS 5.5 indicates local authenticated exploitation with low complexity. EPSS 0.02% suggests minimal real-world targeting. Vendor patches available for kernel 7.0.2 and 7.1-rc1 address both the shift clamping and error propagation issues.
Local denial of service in Linux kernel PTP (Precision Time Protocol) driver for Intel Ethernet (ice) allows authenticated users with low privileges to crash the system when PF passthrough is configured without the controlling PF. The vulnerability is caused by improper null pointer handling (CWE-617) when ice_ptp_setup_pf() attempts to access an uninitialized PTP controlling PF in VFIO passthrough configurations. Affects Linux kernel 6.13 through 7.0-rc7. EPSS probability is very low (0.02%, 4th percentile) and no active exploitation has been reported. Patches are available in stable branches 6.18.24, 6.19.14, and mainline 7.0.
Die ID initialization and lookup bugs in the Linux kernel's Intel uncore performance monitoring subsystem (perf/x86/intel/uncore) can cause a reachable assertion trigger or silent loss of PMON unit visibility on Intel Sapphire Rapids (SPR) and Emerald Rapids (EMR) server hardware. Authenticated local users on affected systems may crash the kernel via the WARN_ON_ONCE reachable assertion (CWE-617) or, when NUMA is disabled on a NUMA-capable platform, cause all uncore PMON units to be silently dropped from the RB tree - rendering hardware performance monitoring inoperative. No public exploit exists and EPSS is 0.02%, indicating no active exploitation pressure at time of analysis.
Unbalanced reference counting in the Linux kernel USB gadget CDC Subset Ethernet driver (f_subset) causes a resource leak that denies availability of USB gadget reconfiguration. A local authenticated user can trigger the condition by allocating and freeing the geth USB gadget function, leaving the reference count permanently elevated due to a missing decrement in geth_free(). The practical impact is a denial-of-service against the configfs interface for USB gadget management - subsequent attempts to unlink and re-configure the USB function fail silently. No public exploit is identified and EPSS exploitation probability is negligible at 0.02% (7th percentile).
Race condition in the Linux kernel's USB RNDIS gadget function driver (f_rndis) allows a local low-privileged attacker to crash the kernel by concurrently manipulating class/subclass/protocol configfs attributes without mutex protection. Identified during code inspection - not observed in active exploitation - this vulnerability affects multiple stable kernel branches from 4.14 through 7.0-rc3, with patches released across all maintained stable series. With an EPSS of 0.02% (7th percentile), no public exploit, and no CISA KEV listing, real-world risk is low but meaningful on embedded or IoT devices using Linux as a USB RNDIS peripheral.
Local denial of service in Linux kernel COMEDI subsystem allows authenticated users to trigger inconsistent lock states when reattaching low-level drivers to legacy COMEDI devices. Exploitation probability is low (EPSS 2%, percentile 7%) with no public exploit identified at time of analysis. Vendor-released patches available across all stable kernel branches from 5.10.253 through 7.0. Affects systems configured with non-zero comedi_num_legacy_minors parameter and requires local authenticated access to COMEDI device nodes.
Local privilege escalation in Linux kernel IPv6 address configuration subsystem enables authenticated local users to gain high-level system access through a use-after-free (UaF) condition in addrconf_permanent_addr(). Patch available across all maintained stable kernel series (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) with fixes backported from commit f1705ec197e7. EPSS score of 0.02% suggests minimal active exploitation likelihood, no KEV listing or public POC identified at time of analysis.
Transaction abort and denial of service in Linux kernel btrfs qgroup ioctls occurs when quota group operations fail to reserve transaction space for metadata updates and delayed references, resulting in -ENOSPC errors under filesystem pressure. Affected versions include mainline kernel through 6.19.x and stable branches 6.12.x and 6.18.x, with patches available in 6.12.81, 6.18.22, 6.19.12, and 7.0. Local authenticated users can trigger filesystem unavailability through qgroup operations. EPSS exploitation probability is low (0.02%), no active exploitation confirmed, and this represents a stability issue rather than a direct security compromise, though availability impact is high per CVSS 5.5 score.
NULL pointer dereference in the Linux kernel's AMD display driver (DRM subsystem) allows local authenticated users to crash the system via dcn401_init_hw() function. Affects kernel 6.12 through 7.0-rc6, specifically the DCN 4.01 hardware sequencer in amdgpu driver. Vendor patches available for stable branches (6.18.22, 6.19.12, 7.0). EPSS exploitation probability is very low (0.02%, 4th percentile), indicating minimal real-world threat despite moderate CVSS score. Not listed in CISA KEV, and no public exploit code identified at time of analysis.
ChaCha cipher implementation in the Linux kernel leaks cryptographic key material through an improperly zeroized stack variable. The ChaCha permutation function leaves 'permuted_state' on the stack after execution, which can be used to reverse-compute the original encryption key since ChaCha's permutation is mathematically invertible. This information disclosure affects kernel cryptographic operations including the RNG (random number generator). EPSS score of 0.02% indicates very low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV). Patches are available across all maintained kernel versions from 5.10.253 through 6.19.12.
Null pointer dereference in Linux kernel's Qualcomm SM8450 interconnect driver causes local denial of service during device probe. The vulnerability affects Linux kernel 6.19.x through 7.0-rc6 on Qualcomm SM8450 platforms when the interconnect driver initializes. Upstream patches are available (commits 77d22bf3fc5d and dbbd550d7c8d). EPSS score of 0.02% indicates very low observed exploitation probability, and no active exploitation or public POC has been identified. Real-world risk is limited to local authenticated users on affected Qualcomm SoC platforms during driver initialization.
Authentication downgrade in Linux kernel Bluetooth SMP allows adjacent network attackers to bypass MITM protection during pairing. When a Bluetooth responder requires BT_SECURITY_HIGH, the SMP implementation incorrectly builds pairing responses before enforcing local MITM requirements, allowing initiators to force weaker 'Just Confirm' authentication even when policy mandates stronger methods. EPSS score of 0.02% indicates low predicted exploitation probability, and no active exploitation or public POC has been identified. Patches available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Kernel NULL pointer dereference in Linux kernel's BPF verifier allows local authenticated users to trigger a denial of service. The vulnerability stems from improper handling of nullable PTR_TO_BUF pointers in check_mem_access(), where map iterator callbacks can dereference NULL ctx->key or ctx->value pointers without validation, causing a kernel crash. Affects Linux kernel versions 5.17 through 7.0-rc4, with patches available across stable branches (5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates very low probability of exploitation in the wild, and no evidence of public exploit code or active exploitation exists. Local access with low privileges required makes this a targeted risk rather than widespread threat.
Use-after-free in Linux kernel thermal subsystem allows local authenticated attackers with low privileges to achieve high confidentiality, integrity, and availability impact through race condition during thermal zone device registration failure. The flaw occurs when thermal_zone_device_register_with_trips() fails after registration but before properly cleaning up - if userspace holds a kobject reference, the thermal zone structure can be freed prematurely while still in use. Vendor patches available across stable branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating, suggesting limited real-world attacker interest in this local race condition.
Buffer overflow in the Linux kernel's CAAM crypto driver allows local authenticated attackers to corrupt memory and potentially execute arbitrary code with elevated privileges. The vulnerability occurs when HMAC keys exceeding the algorithm's block size are processed - the driver allocates DMA-aligned memory but uses kmemdup() to copy only the actual key length, then reads beyond the source buffer boundary during hashing. EPSS score of 0.02% (5th percentile) indicates low predicted exploitation likelihood. Patches are available across multiple stable kernel branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) via upstream commits, with fixes applied since kernel 6.3 introduced the vulnerable code.
Race condition in Linux kernel's dummy-hcd USB gadget driver causes kernel crash and denial of service when USB reset occurs simultaneously with driver unbind. Syzbot testing triggered NULL pointer dereference in usb_gadget_udc_reset() due to improper spinlock handling in stop_activity() that allowed dum->driver to be cleared prematurely. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) suggests very low observed exploitation probability. Not listed in CISA KEV, indicating no confirmed active exploitation.
A deadlock vulnerability in the Linux kernel's sched_ext (extensible scheduler) subsystem allows local authenticated users to trigger a denial of service by creating cyclic wait dependencies between CPUs. The flaw exists in the SCX_KICK_WAIT mechanism where busy-waiting in hardirq context prevents rescheduling and kick_sync advancement, causing multi-CPU deadlocks when wait cycles form. Patch available from mainline kernel (commit c3a7903f65cf for mainline, 415cb193bb97 for stable 6.12+). EPSS score of 0.02% suggests minimal real-world exploitation activity. No public exploit code or active exploitation confirmed at time of analysis.
A firmware crash in Linux kernel's iwlwifi driver (versions 6.9 through 7.0-rc7) occurs when the AX201 Wi-Fi adapter incorrectly receives a 6GHz-related command (MCC_ALLOWED_AP_TYPE_CMD) despite lacking 6E support. This triggers a local denial of service (CVSS 5.5, AV:L) requiring low privileges. Vendor patches are available across stable branches (6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (4th percentile) indicates minimal real-world exploitation risk, with no active exploitation or public POC identified. Priority for systems using Intel AX201 adapters where local users could trigger system instability.
Race condition in the Linux kernel's dummy-hcd USB driver allows local authenticated users to trigger use-after-free conditions during gadget driver unbinding, potentially enabling privilege escalation, information disclosure, or denial of service. The flaw stems from incorrect ordering of interrupt synchronization - emulated synchronize_irq() runs before interrupt-disable, allowing callbacks to execute after the gadget driver is unbound. Patched versions include 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% (7th percentile) indicates very low probability of exploitation in the wild, with no confirmed active exploitation or public POC identified at time of analysis.
Local denial of service in Linux kernel scheduler (6.12.78-6.19.12) allows low-privileged users to trigger system-wide instability via stress-ng-yield workloads. The flaw stems from incomplete vruntime tracking in commit b3d99f43c72b, where yield()-heavy tasks can leapfrog past tick updates and cause overflow conditions. EPSS exploitation probability is negligible (0.02%, 5th percentile), and vendor patches are available across all affected stable branches. No active exploitation or public POC identified at time of analysis.
Use-after-free (UAF) in Linux kernel Bluetooth subsystem allows adjacent network attackers to trigger memory corruption via malformed LE Read Features Complete responses. The vulnerability occurs when hci_conn is freed before le_read_features_complete callback executes but after hci_le_read_remote_features_sync initiates, causing atomic operations on freed memory during hci_conn_drop. Active exploitation status not confirmed (no CISA KEV listing). EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. Upstream patches committed to stable kernel branches 6.19.12+ and 7.0+.
A null pointer dereference in the AMD Display Core driver's DSC (Display Stream Compression) handling for eDP panels causes local system crashes on Linux kernel 6.12 through 7.0-rc5. The vulnerability stems from missing function hook validation before use, allowing local authenticated users with low privileges to trigger a high-severity denial-of-service condition. Patches available across kernel 6.12.75, 6.18.16, 6.19.6, and 7.0 stable branches. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation activity, and no KEV listing or public POC identified at time of analysis.
Race condition in Linux kernel AMDGPU driver allows local attackers with low privileges to trigger denial of service through GPU page faults during DMA buffer operations. The vulnerability affects multi-GPU systems where shared buffer objects are accessed across different GPUs, particularly impacting AMD Radeon graphics driver stability. Patch available from upstream kernel maintainers for versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit code or active exploitation has been identified.
Resource leak in Linux kernel MOST (Media Oriented Systems Transport) core driver allows local authenticated users to trigger denial of service through repeated interface registration failures. The vulnerability stems from incomplete error handling in the driver's registration path, where resources allocated for MOST interfaces are not properly released when early registration failures occur. While CVSS rates this 5.5 with local access and low attack complexity, the EPSS score of 0.02% (5th percentile) indicates minimal real-world exploitation likelihood. Vendor patches are available across multiple kernel stable branches (6.12.75, 6.18.16, 6.19.6, 7.0).
An out-of-bounds shift operation in the Linux kernel's solo6x10 media driver causes a local denial of service. Affects Linux kernel versions from the initial commit through 7.0-rc3, with patches available in stable versions 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. The flaw, triggered by improper chip_id bounds checking, causes Clang's undefined behavior sanitizer to instrument code that can lead to system instability when exploited by low-privileged local users. EPSS exploitation probability is 0.02% (7th percentile), indicating minimal widespread threat. Vendor-released patches address the issue by adding explicit bounds validation and using unsigned shift operations.
go-git versions prior to 5.18.0 and 6.0.0-alpha.2 leak HTTP authentication credentials when following cross-host redirects during smart-HTTP clone and fetch operations. Remote unauthenticated attackers controlling a redirect target can capture credentials intended for the original repository host. User interaction (initiating a clone/fetch to a malicious or compromised server) is required. Vendor-released patches are available in v5.18.0 and v6.0.0-alpha.2.
Race condition in drm/panthor GPU driver violates dma-fence safe access rules, allowing local authenticated users to cause denial of service via timeline name retrieval racing with queue freeing. CVSS 5.5 (local, low complexity) with EPSS 0.02% indicating minimal real-world exploitation likelihood despite active kernel-level flaw.
Denial of service in Linux kernel DRM GEM shmem helper functions allows local privileged attackers to trigger CPU warnings and system instability via improper reservation lock handling around vmap/vunmap operations. The vulnerability affects Linux 6.16 and multiple stable branches (6.18, 6.19, 7.0) and is resolved in patched versions; exploitation requires local access with limited privileges and produces availability impact through kernel warnings rather than remote compromise.
Memory access violations occur in Linux kernel on Xilinx ZynqMP systems when OP-TEE device tree nodes are manually defined, preventing U-Boot's OP-TEE injection logic from properly inserting reserved-memory nodes. This affects Linux kernel versions 6.9 through 7.0 on ARM64 ZynqMP platforms, allowing local authenticated users to cause denial of service through runtime memory access faults. Vendor-released patches are available across multiple stable branches (6.12.75, 6.18.16, 6.19.6, 7.0).
Path traversal vulnerability in YARD prior to version 0.9.42 allows remote attackers to access arbitrary files on a server running yard server with unsanitized HTTP requests when using the --docroot flag. The vulnerability affects the documentation serving functionality and has been patched in version 0.9.42. No public exploit code or active exploitation has been identified at the time of analysis.
Local users with low privileges can trigger a denial of service in Linux kernel KVM (Kernel-based Virtual Machine) by manipulating nested virtualization state on AMD SVM systems. The vulnerability allows unprivileged users to cause a kernel warning and potential system instability by modifying CPUID after loading CR3 register state in nested SVM configurations. With CVSS 5.5 (AV:L/AC:L/PR:L) and low EPSS (0.02%), this represents a localized availability risk rather than a critical remote threat. Vendor patches are available across multiple kernel versions (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0).
Local attackers with low privileges can cause indefinite system hangs in Linux kernel device-mapper (dm) subsystem by injecting io-timeout-fail errors, triggering CWE-772 resource leaks where I/O requests are never completed. Affects longstanding kernel code from 5.10.x through mainline 6.19.x; vendor-patched versions available (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates low real-world exploitation probability. No active exploitation confirmed (not in CISA KEV), no public POC identified at time of analysis.
NULL pointer dereference in Linux kernel ACPI processor module allows local authenticated attackers to crash the system. The flaw occurs in acpi_processor_errata_piix4() when device lookup logic overwrites a valid pointer with NULL, triggering a crash when accessed by dev_dbg(). Vendor-released patches are available across multiple stable kernel branches (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS exploitation probability is very low (0.02%, 7th percentile), and no public exploit or active exploitation has been identified. The vulnerability requires local access with low privileges (CVSS AV:L/PR:L), making it a lower priority than network-exposed flaws despite the high availability impact.
A use-after-free in the OmniVision OV5647 camera sensor driver (media: i2c: ov5647) can trigger a kernel crash. The ov5647_init_controls() function dereferences an uninitialized subdev pointer via v4l2_get_subdevdata() when error conditions occur during probe. This affects Linux kernel versions from 5.12 through multiple stable branches including 5.15.x, 6.1.x, 6.6.x, 6.12.x, 6.18.x, and 6.19.x prior to patches. Vendor patches available across all affected stable trees. EPSS exploitation probability is very low (0.02%, 7th percentile) with no public exploit identified at time of analysis.
Hardware-level denial of service in Linux kernel verisilicon media driver on i.MX8MQ platform allows local authenticated users to trigger VPU bus errors and system hangs through simultaneous H.264/HEVC decoding. Affects kernel versions 5.14 through pre-6.19.6 and pre-7.0. Patches available via stable kernel commits 286d629d1064 and e0203ddf9af7. EPSS score of 0.02% indicates minimal observed exploitation, and CVSS 5.5 reflects local scope with low complexity. No public exploit code identified, and not listed in CISA KEV.
System hang during RAID array teardown affects Linux kernel's dm-raid target when metadata devices are suspended before removal. The vulnerability triggers when stopping dm-raid managed arrays, causing md_stop() to indefinitely block while attempting to flush write-intent bitmaps to already-suspended metadata devices. With EPSS exploitation probability at 0.02% (4th percentile) and vendor patches available for kernel versions 6.18.16, 6.19.6, and 7.0, this represents a local denial-of-service risk requiring low privileges but poses minimal risk in most environments due to the specific dm-raid configuration prerequisite.
Denial of service vulnerability in Linux kernel btrfs filesystem allows local authenticated users to trigger a kernel panic via unexpected delayed reference types. The vulnerability stems from improper error handling in run_one_delayed_ref() that invokes BUG() instead of gracefully returning an error. Patched in Linux 6.19.6 and 7.0 with proper error logging. EPSS exploitation probability is very low (0.02%, 5th percentile) with no public exploit or active exploitation reported, indicating minimal real-world risk despite the high availability impact in the CVSS score.
Local denial-of-service in Linux kernel BPF crypto subsystem allows authenticated attackers to crash the system via CFI policy violations. The vulnerability stems from a type mismatch in BPF's crypto destructor function when Control Flow Integrity (CONFIG_CFI) is enabled, causing kernel panics during object cleanup operations. Patches available across kernel versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low likelihood of mass exploitation. No KEV listing or public exploits identified at time of analysis.
Denial of service via system hang in Linux kernel's AMD display driver occurs when the DMUB hardware lock evaluation mismatches between lock acquisition and release in the HWSS fast path, affecting ASIC variants without FAMS support. Local authenticated attackers can trigger this condition through display operations, causing a hang with high availability impact. Patch available in stable releases 6.19.6 and 7.0; EPSS score of 0.02% indicates low real-world exploitation probability despite KEV status.
Linux kernel DMA API debug warnings in V3D rendering driver cause denial of service when CONFIG_DMA_API_DEBUG is enabled and V3D segment sizes exceed the default 64K maximum. The vulnerability affects systems using V3D graphics rendering (particularly Raspberry Pi 5) with debug DMA API enabled, allowing local authenticated users to trigger kernel warnings and potential system instability by creating V3D buffer objects larger than the device's claimed DMA segment size limit.
A reference count underflow in the Linux kernel's chips-media wave5 video codec driver causes a runtime PM usage count to decrement below zero during module removal, triggering a kernel warning and potentially causing denial of service when the driver is unloaded. The vulnerability affects unprivileged local users on systems with the wave5 codec driver enabled, and occurs when the device has already been suspended via autosuspend before the remove path executes pm_runtime_put_sync(). EPSS score of 0.02% indicates low exploitation probability despite the denial-of-service capability.
Null-pointer dereference in the Linux kernel DRM panel driver (jdi_panel_dsi_remove function) allows local authenticated attackers to cause a denial of service by triggering device removal when the jdi structure is NULL. The vulnerability exists because the function checks for NULL but fails to return early, allowing subsequent code to dereference the NULL pointer. CVSS score is 5.5 (local attack vector, low complexity); EPSS indicates low exploitation probability (0.02%, 5th percentile), and no public exploit code or active exploitation has been confirmed.
Linux kernel btrfs filesystem crashes with kernel BUG when read-repair operations execute after filesystem transitions to read-only state during critical ENOSPC errors. Affects btrfs users experiencing metadata space exhaustion, causing denial of service through kernel panic in the bio repair path. Local attackers with low privileges can trigger this condition in specific filesystem states. EPSS score of 0.02% and no KEV listing indicate low probability of widespread exploitation. Vendor-released patches available in kernel versions 6.19.6 and 7.0.
Denial of service in Linux kernel drm/amdgpu driver (VCNv2.5) affects virtual function (VF) GPU environments running kernel versions prior to 6.18.16, 6.19.6, and 7.0. During module unload or system deinitialization, VF configurations trigger a kernel warning and potential crash when attempting to release an uninitialized VCN poison interrupt handler. EPSS exploitation probability is very low (0.02%, 4th percentile) with no public exploit or active exploitation (not in CISA KEV). Vendor patches available across multiple stable kernel branches via upstream commits.
Local denial-of-service in Linux kernel's Rockchip RGA media driver allows authenticated users with low privileges to crash the system through NULL pointer dereference. The vulnerability affects kernel versions 6.8+ containing the Rockchip RGA driver, where rga_buf_init() fails to validate ERR_PTR returns from rga_get_frame() before dereferencing frame size. Vendor patches available across stable branches (6.12.75, 6.18.16, 6.19.6). EPSS score 0.02% (5th percentile) indicates minimal real-world exploitation likelihood, consistent with local-only attack vector requiring authenticated access.
Denial of service in Linux kernel RapidIO subsystem occurs when idtab allocation fails during rio_scan_alloc_net(), causing the function to incorrectly invoke rio_free_net() instead of kfree() on unregistered memory, leaving a dangling pointer in mport->net that can be dereferenced later to trigger a crash. Authenticated local attackers with low privilege can trigger this condition on systems with RapidIO support enabled, resulting in kernel panic and service unavailability. EPSS probability is low (0.02%) despite moderate CVSS, indicating limited real-world exploitability; no public exploit code or active KEV exploitation confirmed.
Kernel panic occurs in the Renesas RZ/G2L MIPI DSI driver during system reboot when display panels attempt to send DSI commands in their unprepare callback, due to incorrect sequencing of driver shutdown. The vulnerability affects Linux kernel versions from commit 56de5e305d4b onwards on ARM64 systems running RZ/G2L platforms with specific panel types, allowing local users with standard privileges to trigger a denial of service by initiating a reboot.
In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix kthread worker destruction in polling mode Fix the cleanup order in polling mode (irq < 0) to prevent kernel warnings during module removal. Cancel the hrtimer before destroying the kthread worker to ensure work queues are empty. In polling mode, the driver uses hrtimer to periodically trigger wave5_vpu_timer_callback() which queues work via kthread_queue_work(). The kthread_destroy_worker() function validates that both work queues are empty with WARN_ON(!list_empty(&worker->work_list)) and WARN_ON(!list_empty(&worker->delayed_work_list)). The original code called kthread_destroy_worker() before hrtimer_cancel(), creating a race condition where the timer could fire during worker destruction and queue new work, triggering the WARN_ON. This causes the following warning on every module unload in polling mode: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 1034 at kernel/kthread.c:1430 kthread_destroy_worker+0x84/0x98 Modules linked in: wave5(-) rpmsg_ctrl rpmsg_char ... Call trace: kthread_destroy_worker+0x84/0x98 wave5_vpu_remove+0xc8/0xe0 [wave5] platform_remove+0x30/0x58 ... ---[ end trace 0000000000000000 ]---
In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node When CONFIG_PAGE_OWNER is enabled, freeing KASAN shadow pages during vmalloc cleanup triggers expensive stack unwinding that acquires RCU read locks. Processing a large purge_list without rescheduling can cause the task to hold CPU for extended periods (10+ seconds), leading to RCU stalls and potential OOM conditions. The issue manifests in purge_vmap_node() -> kasan_release_vmalloc_node() where iterating through hundreds or thousands of vmap_area entries and freeing their associated shadow pages causes: rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P6229/1:b..l ... task:kworker/0:17 state:R running task stack:28840 pid:6229 ... kasan_release_vmalloc_node+0x1ba/0xad0 mm/vmalloc.c:2299 purge_vmap_node+0x1ba/0xad0 mm/vmalloc.c:2299 Each call to kasan_release_vmalloc() can free many pages, and with page_owner tracking, each free triggers save_stack() which performs stack unwinding under RCU read lock. Without yielding, this creates an unbounded RCU critical section. Add periodic cond_resched() calls within the loop to allow: - RCU grace periods to complete - Other tasks to run - Scheduler to preempt when needed The fix uses need_resched() for immediate response under load, with a batch count of 32 as a guaranteed upper bound to prevent worst-case stalls even under light load.
Local denial of service in Linux kernel's kexec subsystem allows authenticated attackers to trigger kernel warning and system instability. The kexec_load_purgatory() function incorrectly derives the purgatory entry point when multiple executable sections have overlapping sh_addr values, causing a WARN condition that disrupts kexec operations. With CVSS 5.5 (AV:L/AC:L/PR:L/UI:N) and EPSS at 0.02%, this represents low real-world exploitation risk. Patches available across multiple stable kernel versions including 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, and 6.19.6.
Local privilege escalation in Linux kernel ext4 filesystem causes kernel panic during mount operations when DOUBLE_CHECK is enabled. Affects multiple stable kernel versions from 6.6.128 through 7.0. The initialization race condition allows local authenticated users to trigger a denial of service by mounting specially crafted ext4 filesystems with corrupted block bitmaps. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability. Vendor patches available across all affected stable branches.
Local users with low privileges can trigger unbounded kernel memory consumption in the Linux kernel's DRM subsystem via DRM_IOCTL_MODE_CREATEPROPBLOB, bypassing memory cgroup accounting and causing system-wide denial of service. The vulnerability affects all Linux kernel versions from 2.6.12-rc2 (commit 1da177e4) through 6.19.x until patched in 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. EPSS score is low (0.02%) and no active exploitation is documented; however, the attack requires only local access and low privileges (CVSS AV:L/AC:L/PR:L), making it easily exploitable by unprivileged users on multi-tenant systems.
Memory accounting errors in Linux kernel hugetlb subsystem cause subpool reservation counters to incorrectly increment on failed global allocations, eventually rendering hugetlb subpools permanently unusable. The vulnerability affects Linux kernels from 6.15 onward where commit a833a693a490 introduced the flaw. When a process requests hugepages that require both subpool and global pool resources, failed global allocations leave the subpool's used_hpages counter elevated despite no actual page consumption, progressively exhausting the subpool's apparent capacity until all future allocations fail. Patches available for kernels 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% and lack of KEV listing indicate low exploitation probability, though local authenticated attackers can trigger the condition to cause denial of service against hugetlb-dependent workloads.
Denial of service via NMI-unsafe seqcount access in Linux kernel memory slab allocator allows local privileged attackers to trigger kernel deadlock when get_from_any_partial() is called in NMI context. The vulnerability stems from unsafe access to current->mems_allowed_seq (a spinlock-based seqcount) without NMI-safety guarantees, causing lockdep warnings and potential system hang. EPSS exploitation probability is low at 0.02%, and no active exploitation has been confirmed.
A denial of service vulnerability in the Linux kernel's Cadence QSPI driver causes duplicate clock disables during device probe error handling when flash device tree descriptions are missing or malformed. An unprivileged local user can trigger this vulnerability by providing broken device tree configuration for attached SPI flash devices, resulting in kernel warnings and potential system instability.
Denial of service via missing reservation lock in drm/tests shmem allows local authenticated users to trigger a kernel warning and crash the DRM graphics subsystem. The vulnerability exists in DRM test code that calls drm_gem_shmem_madvise_locked() without properly acquiring the GEM object's reservation lock, causing CPU warnings and potential system instability on affected kernel versions.
Kernel denial of service in rtw88 WiFi driver 8822b chipset allows local authenticated users to trigger a kernel WARNING and potential system instability by setting antenna configuration while the wireless chip is powered off, causing unexpected values when RF registers are read during power-down state.
Denial of service in Linux kernel DRM GEM shmem helper when drm_gem_shmem_purge_locked() is called without properly holding the GEM object's reservation lock, affecting local authenticated users. The vulnerability causes a kernel warning and denial of service condition in the direct rendering manager's shared memory handling code. CVSS 5.5 with low EPSS (0.02%) indicates limited real-world exploitation despite availability of patch. Affected Linux versions prior to kernels with commits cdf8bbbd9017adcfb91ad9a902198d4b507719a9, 8baeee2c1c0cdb3a8eac3b8f38156cce6ee1a69f, and 3f41307d589c2f25d556d47b165df808124cd0c4.
Apache::Session versions through 1.94 for Perl re-creates deleted sessions. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
curl versions 7.14.0 through 8.19.0 leak netrc credentials when reusing proxy connections, allowing authenticated local attackers to obtain sensitive authentication data via connection pooling that ignores credential requirements. CVSS 5.3 reflects high confidentiality impact but requires low-privilege authentication and high attack complexity; EPSS 0.02% indicates minimal real-world exploitation probability despite broad version coverage. No public exploit code identified at time of analysis.
OCSP stapling validation bypass in curl 8.17.0-8.19.0 allows remote attackers to obtain sensitive certificate validation information when curl uses Apple SecTrust for TLS connections, potentially enabling man-in-the-middle attacks by bypassing server certificate revocation checks.
Cross-proxy Digest authentication state leak in curl allows remote attackers to obtain sensitive authentication credentials when curl is used with proxy authentication across multiple proxy hops. The vulnerability affects curl versions from 7.12.0 through 8.19.0 due to improper handling of Digest authentication state between proxies, enabling credential disclosure with network-level access and no authentication requirements. EPSS score of 0.03% suggests low real-world exploitation probability despite the information disclosure impact.
Cross-site scripting (XSS) vulnerability in Go's html/template library allows attackers to bypass URL escaping in meta tag content attributes by inserting ASCII whitespaces around the equals sign, enabling injection of malicious scripts into web applications. Affects Go 1.25.x before 1.25.10 and 1.26.x before 1.26.3. This is a regression from CVE-2026-27142 where the fix was incomplete, and exploitation requires user interaction (UI:R) but operates across security boundaries (S:C).
Go's html/template library incorrectly escapes data passed into <script> tags when the tag contains an empty or whitespace-only 'type' attribute, allowing a trusted template author to inadvertently expose sensitive information to client-side scripts. Affects html/template versions prior to 1.26.3 and 1.25.10. CVSS 6.1 with user interaction required; EPSS 0.01% indicates minimal real-world exploitation likelihood despite moderate base score.
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.
Cross-site scripting (XSS) vulnerability in PHP 8.2.x (prior to 8.2.31) allows network-based attackers to inject malicious scripts that execute in victim browsers, compromising session tokens and potentially escalating to account takeover. Vendor-released patch (PHP 8.2.31) addresses this along with seven additional CVEs in a coordinated security release. CVSS 7.3 HIGH with user interaction required; exploitation status classified as POC-available per CVSS 4.0 vector (E:P), though public exploit code not independently verified at time of analysis.
A buffer over-read vulnerability in PHP 8.2 prior to version 8.2.31 allows remote attackers to disclose sensitive information through a network vector with high attack complexity and partial attack time requirements. The vulnerability (CWE-125) affects information availability and system availability, with CVSS 6.3 indicating moderate risk. Vendor-released patch available in PHP 8.2.31.
Use-after-free memory corruption in PHP 8.2 prior to version 8.2.31 allows remote attackers to cause information disclosure or denial of service via network requests with low attack complexity. The vulnerability is addressed in PHP 8.2.31, released as a security update bundling fixes for eight CVEs including CVE-2026-7261. Patch availability is confirmed from the PHP development team.