Red Hat
Monthly
Denial-of-service in the Linux kernel's ksmbd SMB server component stems from improper handling of volume identifiers in FS_OBJECT_ID_INFORMATION responses. Affected kernels fail to correctly use the superblock UUID (sb->s_uuid) as the volume identifier, and lack a safe fallback (via vfs_statfs()) for filesystems that do not expose a UUID - creating conditions for a kernel availability impact when a local low-privileged user interacts with an affected SMB share. EPSS is 0.01% (1st percentile) and no active exploitation is confirmed in CISA KEV; no public exploit code has been identified at time of analysis.
Denial of service in Avahi prior to version 0.9-rc4 allows local unprivileged users to crash avahi-daemon by sending a D-Bus method call with conflicting publish flags. The vulnerability requires local access and low privileges but causes immediate service unavailability. No public exploit code or active exploitation has been confirmed; however, the attack is trivial to execute given the low complexity barrier.
Unauthenticated remote code execution in OpenPrinting CUPS 2.4.16 and earlier allows attackers to send print jobs to shared PostScript queues without authentication, exploit a newline injection vulnerability in page-border parameter handling, and execute arbitrary binaries as the lp user by chaining a follow-up raw print job. CISA KEV status and active exploitation confirmation not provided; no publicly available patches identified at publication.
Heap-based buffer overflow in OpenPrinting CUPS scheduler versions 2.4.16 and prior allows unauthenticated remote attackers to trigger a denial of service condition by crafting malicious job attributes that overflow buffers during filter option string construction. With a CVSS score of 5.3 and network accessibility, this vulnerability impacts availability on exposed CUPS instances; no public exploit code or vendor patch has been released as of publication.
Path traversal in OpenPrinting CUPS RSS notifier (versions 2.4.16 and prior) allows unauthenticated remote IPP clients to write arbitrary files outside the intended CacheDir/rss directory via a crafted notify-recipient-uri parameter. By exploiting default group-writable permissions on CacheDir, attackers can overwrite critical state files such as job.cache, causing the CUPS scheduler to fail parsing job queues and resulting in loss of previously queued print jobs. No public exploit code or vendor patch is currently available, though the vulnerability is demonstrated with proof-of-concept exploitation.
Local privilege escalation in OpenPrinting CUPS 2.4.16 and prior allows unprivileged users to bypass authentication and create arbitrary file overwrites as root by coercing cupsd into issuing reusable Authorization tokens and leveraging printer-sharing policies to persist file:// URIs that bypass FileDevice restrictions. A proof-of-concept demonstrates root command execution via sudoers file modification, and the vulnerability is confirmed by the presence of public exploit code.
Denial of service in rust-rpm-sequoia allows local attackers to crash RPM signature verification by submitting specially crafted RPM files that trigger unhandled errors in OpenPGP parsing, preventing legitimate package management operations. CVSS 4.0 (low severity), local attack vector, non-authenticating. No public exploit code or active exploitation confirmed.
Linux kernel sunrpc subsystem fails to properly release cache_request objects when file descriptors are closed mid-read, resulting in memory leaks and potential information disclosure through stale cache entries. The vulnerability affects all Linux kernel versions with the affected sunrpc cache implementation, and requires no special privileges or network access to trigger since it occurs during normal file descriptor closure in the kernel's user-space cache management interface.
Use-after-free in the Linux kernel's nvdimm/bus subsystem allows local privileged users to potentially trigger memory corruption when device_add() fails during nd_async_device_register() asynchronous initialization. The flaw stems from the parent device reference being dropped before the parent pointer is accessed on allocation failure paths. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Out-of-bounds read and write in the Broadcom bnxt_en network driver of the Linux kernel allows a malicious or compromised NIC to corrupt kernel heap memory or crash the system. The flaw resides in the DBG_BUF_PRODUCER async event handler, which uses a firmware-supplied 16-bit 'type' field as an unchecked index into the bp->bs_trace[] array. No public exploit identified at time of analysis and EPSS rates exploitation probability at just 0.02%, but the impact on confidentiality and availability is high where the trust boundary between NIC firmware and kernel is relevant.
Null pointer dereference in Linux kernel mac80211 IEEE 802.11 wireless subsystem crashes AP_VLAN stations during channel bandwidth change operations. The ieee80211_chan_bw_change() function incorrectly accesses link data on VLAN interfaces (such as 4-address WDS clients) where the link structure is uninitialized, leading to kernel panic when dereferencing a NULL channel pointer. Any system with AP_VLAN wireless configurations and active channel state announcement (CSA) operations is vulnerable to local denial of service.
Linux kernel xe (Intel GPU) driver leaks dynamically allocated virtual memory area (VMA) structures when argument validation fails in the xe_vm_madvise_ioctl handler, allowing local attackers to exhaust kernel memory and trigger denial of service. The vulnerability has been patched upstream in stable kernel branches with proper cleanup path addition.
Infinite loop in Linux kernel serial core driver handle_tx() affects systems using uninitialized PORT_UNKNOWN serial ports, where uart_write_room() and uart_write() behave inconsistently regarding null transmit buffers, causing denial of service through system hangs. The vulnerability impacts caif_serial and other drivers that rely on tty_write_room() to determine write capacity. Patch available in upstream kernel commits; no CVSS score assigned due to kernel-specific nature and relatively limited exposure scope.
Linux kernel drm/imagination driver deadlock in soft reset sequence allows local denial of service when the soft reset handler calls disable_irq() from within a threaded IRQ handler context, creating a self-deadlock condition. The fix replaces disable_irq() with disable_irq_nosync() to prevent the handler from waiting on itself. Affected systems running vulnerable kernel versions with imagination GPU drivers can experience system hangs during GPU reset operations; no public exploit code identified at time of analysis.
NULL pointer dereference in Linux kernel DRM i915 GPU driver allows local denial of service during system probe when DMC firmware initialization has not yet completed but hardware has DC6 power state enabled. The vulnerability occurs in intel_dmc_update_dc6_allowed_count() when called from gen9_set_dc_state() during intel_power_domains_init_hw(), which executes before DMC initialization, causing kernel oops if DC6 is unexpectedly enabled by BIOS firmware. No public exploit code identified; this is a kernel crash vulnerability requiring local system access triggered by atypical BIOS behavior.
Linux kernel btrfs filesystem fails to log new directory dentries when the parent directory of a conflicting inode is logged, causing new files and subdirectories to become inaccessible after power failure or system crash. The vulnerability affects all Linux kernel versions with btrfs; an attacker or system malfunction can trigger data loss through specific filesystem operation sequences involving deleted and recreated inodes with naming conflicts.
Memory leak in Linux kernel Microchip MPFS system controller driver (mpfs_sys_controller_probe) allows local attackers to exhaust kernel memory by repeatedly triggering the MTD device lookup failure path, eventually causing denial of service through memory exhaustion.
NULL pointer dereference in Linux kernel ROSE socket implementation allows local denial of service when rose_connect() is called twice during an active connection attempt. The vulnerability occurs because rose_connect() fails to validate TCP_SYN_SENT state, permitting rose->neighbour to be overwritten with NULL, which later causes a kernel crash when rose_transmit_link() dereferences the NULL pointer during socket closure. No active exploitation reported; fix available in upstream kernel commits.
Out-of-bounds read in the Linux kernel's cdc_ncm USB networking driver allows a local attacker with a malicious or compromised USB CDC NCM device to read kernel memory beyond the skb buffer. The flaw lives in cdc_ncm_rx_verify_ndp16(), where the NDP16 nframes bounds check omits the ndpoffset value, letting DPE array iteration in cdc_ncm_rx_fixup() walk past the legitimate buffer when wNdpIndex points near the end of the NTB. No public exploit identified at time of analysis and EPSS exploitation probability is 0.02% (5th percentile), but a patch is available from upstream Linux maintainers.
Buffer overflow in Linux kernel cdc_ncm driver allows out-of-bounds memory reads when processing malformed USB CDC NCM (Network Control Model) packets with NDP32 (Normal Data Packet) headers positioned near the end of the network transfer buffer. The vulnerability exists in cdc_ncm_rx_verify_ndp32() where bounds checking fails to account for the ndpoffset value when validating the DPE (Data Packet Element) array size, potentially enabling local denial-of-service or information disclosure on systems with affected USB CDC NCM network devices. No active exploitation or public proof-of-concept identified at time of analysis.
Kernel page fault in Intel IGC network driver XDP TX timestamp handling allows local denial of service when an XDP application requesting TX timestamping shuts down while the interface link remains active. The vulnerability stems from stale xsk_meta pointers left in memory after TX ring shutdown, causing the IRQ handler to dereference invalid kernel addresses and trigger a kernel panic. This affects Linux kernel versions in the igc driver and requires no special privileges or network access, only the ability to run XDP programs on an affected system.
Use-after-free vulnerability in Linux kernel ACPI processor errata handling allows local attackers to cause denial of service or potentially execute code via device pointer dereference after reference dropping in acpi_processor_errata_piix4(). The vulnerability affects multiple Linux kernel versions and was introduced in a previous fix attempt (commit f132e089fe89); it has been resolved across stable kernel branches with no active public exploitation identified.
Race condition in Linux kernel net/mlx5e IPSec offload driver allows concurrent access to a shared DMA-mapped ASO context, potentially causing information disclosure or incorrect IPSec processing results. The vulnerability affects systems using Mellanox MLX5 network adapters with IPSec offload functionality. An attacker with local access to initiate multiple IPSec operations in rapid succession can trigger the race condition, corrupting the shared context and causing subsequent operations to read invalid data, compromising confidentiality and integrity of IPSec-protected traffic.
Linux kernel net/mlx5e driver suffers a race condition during IPSec ESN (Extended Sequence Number) update handling that causes incorrect ESN high-order bit increments, leading to anti-replay failures and IPSec traffic halts. The vulnerability affects systems using Mellanox ConnectX adapters with IPSec full offload mode enabled. Attackers with local network access or the ability to trigger IPSec traffic patterns could exploit this to disrupt encrypted communications, though no public exploit code or active exploitation has been reported.
Linux kernel net shaper module fails to validate netdev liveness during hierarchy read operations, allowing information disclosure through use-after-free conditions when a network device is unregistered while RCU-protected read operations are in progress. The vulnerability affects the netlink operation callbacks in the shaper subsystem, where references acquired during pre-callbacks are not validated before later lock/RCU acquisitions, creating a race condition that can expose kernel memory or cause denial of service. No public exploit code has been identified at time of analysis, and the issue requires local access to trigger netlink operations.
Linux kernel net shaper subsystem susceptible to race condition during hierarchy creation allows unauthenticated local attackers to leak kernel memory or trigger use-after-free conditions. The vulnerability arises when a netdev is unregistered between reference acquisition during Netlink operation preparation and subsequent lock acquisition, permitting hierarchy allocation after flush operations have completed. Fixed via upstream commits that consolidate locking to pre-callback phase, preventing concurrent write races with flush operations.
Linux kernel NULL pointer dereference in the x86 PMU NMI handler on AMD EPYC systems causes denial of service when perf event unthrottling races with PMU rescheduling. The vulnerability stems from commit 7e772a93eb61 moving event pointer initialization later in x86_pmu_enable(), allowing the unthrottle path to set active_mask bits without populating the corresponding events[] array entries, leading to NULL pointer dereference when subsequent PMC overflow interrupts fire. No public exploit code identified at time of analysis; patch fixes are available in upstream Linux kernel stable branches.
Null pointer dereference in Linux kernel arm_mpam memory bandwidth monitoring causes kernel oops when an MSC supporting bandwidth monitoring transitions offline and back online. The mpam_restore_mbwu_state() function fails to initialize a value buffer before passing it to __ris_msmon_read() via IPI, triggering a crash in the bandwidth counter restoration routine. This affects ARM systems with MPAM (Memory Partitioning and Monitoring) support and results in denial of service through system instability when memory controllers are toggled.
A use-after-free vulnerability in the Linux kernel's mshv (Microsoft Hyper-V) driver allows local attackers to trigger a kernel panic by unmapping user memory after a failed mshv_map_user_memory() call. The error path incorrectly calls vfree() without unregistering the associated MMU notifier, leaving a dangling reference that fires when userspace performs subsequent memory operations. This is a memory safety issue affecting the Hyper-V virtualization subsystem in the Linux kernel.
Memory leak in the Linux kernel's Amlogic SPI controller driver (aml_spisg_probe) fails to release SPI controller resources in multiple error paths during probe, allowing local attackers to exhaust kernel memory through repeated driver load/unload cycles or failed probe attempts. The vulnerability has been resolved in the upstream kernel by converting to device-managed SPI allocation functions.
Memory leak in Linux kernel drm/vmwgfx driver caused by overwriting KMS surface dirty tracker without proper cleanup. The vulnerability affects the VMware graphics driver subsystem in the kernel, allowing local attackers to trigger memory exhaustion through repeated surface operations. No CVSS score, EPSS data, or KEV status available; fix commits exist in upstream stable kernel branches.
Linux kernel crashes in iommu_sva_unbind_device() when accessing a freed mm structure after iommu_domain_free() deallocates domain->mm->iommu_mm, causing denial of service on systems using IOMMU Shared Virtual Addressing (SVA). The fix reorders code to access the structure before the domain is freed. No CVSS score, EPSS, or KEV status available; no public exploit code identified.
Use-after-free in Linux kernel ksmbd SMB server allows local or remote attackers to read freed memory and potentially achieve denial of service or code execution via compound SMB2 requests that reuse a tree connection after it has been disconnected and its associated share_conf structure freed. The vulnerability exists because smb2_get_ksmbd_tcon() bypasses state validation checks when reusing connections in compound requests, enabling subsequent commands to dereference already-freed share_conf pointers. No CVE severity metrics are available, but KASAN confirms memory corruption is triggered in smb2_write operations during tree disconnect sequences.
Use-after-free in Linux kernel's ksmbd SMB server allows remote attackers to crash the kernel or potentially execute code via malicious SMB2 DURABLE_REQ_V2 replay operations. The vulnerability occurs when parse_durable_handle_context() unconditionally reassigns file handle connection pointers during replay operations, causing stale pointer dereferences when the reassigned connection is subsequently freed. A KASAN report confirms the use-after-free in spin_lock operations during file descriptor closure, triggered during SMB2 connection handling in the ksmbd-io workqueue. No public exploit code or active exploitation has been confirmed at time of analysis.
Linux kernel drm/logicvc driver fails to release a device node reference in logicvc_drm_config_parse(), causing a reference leak that can exhaust kernel memory resources over time. The vulnerability affects all Linux kernel versions with the logicvc DRM driver enabled; it requires local access to trigger repeated calls to the vulnerable code path. This is a low-severity resource exhaustion issue resolved via kernel patch implementing automatic cleanup attributes.
Linux kernel KVM ARM64 fails to properly initialize ID registers for non-protected pKVM guests, causing feature detection checks to incorrectly return zero and preventing proper save/restore of system registers like TCR2_EL1 during world switches, potentially leading to state corruption. The vulnerability affects the hypervisor's ability to detect CPU features in non-protected virtual machines despite the initialization flag being incorrectly set. This is a kernel-level logic error that impacts system register handling in ARM64 virtualization.
Linux kernel accel/amdxdna driver fails to validate command buffer payload count, allowing out-of-bounds reads in AMD XDNA accelerator command processing. The vulnerability affects the accel/amdxdna subsystem across unspecified Linux kernel versions and permits information disclosure through unvalidated payload size interpretation. No active exploitation, public proof-of-concept, or CVSS data currently available.
Linux kernel btrfs subsystem fails to free allocated pages in btrfs_uring_read_extent() when error conditions occur before asynchronous I/O completion, leading to memory leaks. The vulnerability affects all Linux kernel versions with the vulnerable btrfs implementation; while tagged as Information Disclosure, the primary impact is denial of service through memory exhaustion rather than data exposure. No public exploit code or active exploitation has been identified; this is a defensive fix addressing a code path that may never execute under normal conditions but represents a resource management defect.
Memory leak in Linux kernel DRM/XE configfs device release allows information disclosure through unfreed ctx_restore_mid_bb allocation. The xe_config_device_release() function fails to deallocate ctx_restore_mid_bb[0].cs memory that was previously allocated by wa_bb_store(), leaving sensitive kernel memory accessible when the configfs device is removed. Affected Linux kernel versions containing the vulnerable DRM/XE driver require patching to prevent potential information leakage.
Mutex lock-unlock mismatch in the Linux kernel's wlcore Wi-Fi driver allows potential information disclosure or system instability through improper synchronization. The vulnerability occurs when wl->mutex is unlocked without being locked first, detected by the Clang thread-safety analyzer. This affects all Linux kernel versions with the wlcore Wi-Fi driver. No active exploitation has been identified, but the bug creates a race condition that could be leveraged to access shared kernel state.
Linux kernel RDS TCP subsystem resolves circular locking dependency in rds_tcp_tune() function where socket lock contention with fs_reclaim memory allocation creates deadlock potential. The vulnerability affects all Linux kernel versions with the vulnerable code path in net/rds/tcp.c; the fix relocates sk_net_refcnt_upgrade() outside the socket lock critical section to eliminate the circular lock dependency without compromising synchronization semantics.
Memory leak in Linux kernel DRM/XE register save-restore (reg_sr) module fails to free allocated memory when xa_store() operation fails, potentially allowing local information disclosure or denial of service through repeated trigger of the error path. The vulnerability affects all Linux kernel versions containing the affected drm/xe/reg_sr code prior to the fix commits referenced. No CVSS score or exploit data provided; patch commits are available in upstream Linux repository.
HTTP response header injection in Electron allows remote attackers to inject malicious headers via crafted input reflected in response headers when custom protocol handlers or webRequest.onHeadersReceived are used. An attacker can manipulate cookies, content security policy, or cross-origin access controls in affected applications. This affects Electron 41.x before 41.0.3, 40.x before 40.8.3, 39.x before 39.8.3, and 38.x before 38.8.6; no public exploit code is documented at time of analysis.
Cookie attribute injection in Tornado web framework versions before 6.5.5 allows unauthenticated remote attackers to manipulate cookie security attributes through crafted characters in domain, path, and samesite parameters of RequestHandler.set_cookie. With CVSS 7.2 and EPSS data unavailable, this represents a moderate integrity and confidentiality risk for web applications using affected Tornado versions. No public exploit identified at time of analysis, though the vulnerability mechanism is straightforward for exploitation.
HTTP response desynchronization in Rack web server framework versions prior to 2.2.23, 3.1.21, and 3.2.6 allows remote attackers to cause Content-Length header mismatches by requesting non-existent paths with percent-encoded UTF-8 characters. The vulnerability stems from Rack::Files#fail using String#size instead of String#bytesize when setting Content-Length, causing declared header values to be smaller than actual bytes transmitted, potentially leading to response framing errors and information disclosure in deployments sensitive to Content-Length validation. No public exploit code or confirmed active exploitation identified at time of analysis.
Rack::Sendfile in versions prior to 2.2.23, 3.1.21, and 3.2.6 allows remote attackers to inject regex metacharacters into X-Accel-Mapping request headers, enabling unescaped interpolation that manipulates the X-Accel-Redirect response header and causes nginx to serve unintended files from internal locations. No public exploit code or active exploitation has been confirmed; patch versions are available from the vendor.
Denial of service in Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 allows unauthenticated remote attackers to consume disproportionate CPU, memory, I/O, and bandwidth by supplying many small overlapping byte ranges in HTTP Range headers, bypassing the existing CVE-2024-26141 fix that only validates total byte coverage. The vulnerability affects Rack's file-serving paths that process multipart byte range responses, enabling attackers to degrade service availability with minimal request complexity.
Rack::Static fails to apply security-relevant response headers to URL-encoded variants of static file paths, allowing attackers to bypass header-based security controls by requesting percent-encoded forms of protected resources. This affects Rack versions prior to 2.2.23, 3.1.21, and 3.2.6, and is particularly dangerous in deployments relying on Rack::Static to enforce Content-Security-Policy, X-Frame-Options, or similar protective headers on static content. No public exploit code or active exploitation has been confirmed at time of analysis.
Rack web server interface versions prior to 2.2.23, 3.1.21, and 3.2.6 fail to properly escape regex metacharacters when constructing directory path filtering expressions, causing the Rack::Directory component to expose full filesystem paths in HTML directory listings. An unauthenticated remote attacker can retrieve sensitive path information by requesting directory listings when the configured root path contains regex special characters such as +, *, or ., achieving low-confidentiality impact with CVSS 5.3. No public exploit code or active exploitation has been confirmed at time of analysis.
Denial of service in Rack::Utils.select_best_encoding allows unauthenticated remote attackers to consume disproportionate CPU resources via a crafted Accept-Encoding header containing multiple wildcard entries, affecting Rack versions prior to 2.2.23, 3.1.21, and 3.2.6. The vulnerability exploits quadratic time complexity in the encoding selection algorithm used by Rack::Deflater middleware, enabling a single HTTP request to trigger sustained CPU exhaustion and application unavailability.
Host header validation bypass in Rack 3.0.0.beta1-3.1.20 and 3.2.0-3.2.5 allows unauthenticated remote attackers to poison Host headers by injecting RFC-noncompliant characters (/, ?, #, @) that pass the AUTHORITY regex but are accepted by req.host, req.url, and req.base_url. Applications relying on naive prefix or suffix matching for host validation, link generation, or origin checks can be bypassed, enabling host header poisoning attacks. No public exploit code or active exploitation has been confirmed at the time of analysis.
OpenSSH before version 10.3 mishandles the authorized_keys principals option when a principals list is combined with a Certificate Authority that uses certain comma character patterns, allowing authenticated local or remote users to disclose sensitive authorization information or manipulate authentication decisions. This vulnerability affects all OpenSSH versions prior to 10.3p1 and requires authenticated access (PR:L) with non-trivial attack complexity (AC:H), resulting in partial confidentiality and integrity impact. No public exploit code or active exploitation has been identified at time of analysis.
Network denial-of-service in Suricata prior to 7.0.15 allows remote unauthenticated attackers to degrade intrusion detection performance via inefficient DCERPC buffering. The flaw enables attackers to bypass or impair network security monitoring by exhausting system resources through malformed DCERPC traffic, effectively blinding detection capabilities. No public exploit identified at time of analysis, though EPSS score and exploitation likelihood were not provided in available data.
Memory exhaustion in Suricata network IDS/IPS via HTTP/2 CONTINUATION frame flooding allows remote unauthenticated attackers to trigger denial of service, typically forcing operating system termination of the Suricata process. Affects all versions prior to 7.0.15 and 8.0.4. EPSS data not available, but CVSS 7.5 (High) reflects network-accessible attack with low complexity requiring no privileges. No public exploit identified at time of analysis, though the attack technique (HTTP/2 frame flooding) is well-documented in protocol security research.
Denial of service in Suricata 8.0.0 through 8.0.3 allows unauthenticated remote attackers to degrade performance via specially crafted SMTP traffic containing MIME-encoded messages with URLs. The quadratic complexity vulnerability (CWE-407) triggers excessive processing when the IDS/IPS engine searches for URLs in malformed messages. EPSS data not provided, but exploitation probability appears low given no public exploit identified at time of analysis and the requirement for sustained malicious SMTP traffic to achieve impact.
Network-accessible resource exhaustion in Suricata IDS allows remote attackers to degrade detection performance via specially crafted traffic. Affects versions prior to 7.0.15 and 8.0.4 (CVSS 7.5 HIGH). Attack requires no authentication (PR:N) and low complexity (AC:L), enabling trivial performance degradation that could blind security monitoring. EPSS data not available, but no public exploit identified at time of analysis. Vendor patches released for both affected branches (7.0.15, 8.0.4).
Performance degradation in Suricata IDS/IPS engine allows remote unauthenticated attackers to cause denial of service through inefficient Kerberos 5 buffering. Affects versions prior to 7.0.15 and 8.0.4. CVSS 7.5 with high availability impact. No public exploit identified at time of analysis, EPSS data not provided. Vendor-released patches available in versions 7.0.15 and 8.0.4.
NULL pointer dereference in Suricata 8.0.0 through 8.0.3 causes denial of service when processing malformed TLS traffic with the 'tls.alpn' rule keyword. Remote unauthenticated attackers can crash the IDS/IPS engine by sending specially crafted network packets, completely disabling network security monitoring. EPSS data not available, but the low attack complexity (AC:L) and network vector (AV:N) combined with high availability impact (A:H) indicate significant operational risk for organizations relying on Suricata for traffic inspection. No evidence of active exploitation (no CISA KEV listing) or public exploit code identified at time of analysis.
Keycloak's SingleUseObjectProvider lacks proper type and namespace isolation, allowing unauthenticated remote attackers with user interaction to delete arbitrary single-use entries and replay consumed action tokens such as password reset links, leading to account compromise. The vulnerability requires user interaction (UI:R) and high attack complexity (AC:H), resulting in a CVSS score of 5.3. No public exploit code or active exploitation has been confirmed at time of analysis.
Unblinded BPF immediate values in PROBE_MEM32 stores bypass constant hardening in the Linux kernel BPF JIT compiler when bpf_jit_harden >= 1, allowing user-controlled 32-bit immediates to leak into native code. The vulnerability affects Linux kernel versions where convert_ctx_accesses() rewrites arena pointer stores to BPF_ST|BPF_PROBE_MEM32 before constant blinding runs, but bpf_jit_blind_insn() only handles BPF_ST|BPF_MEM instructions. No public exploit code or active exploitation has been ide
Memory sealing (mseal) in the Linux kernel incorrectly tracks virtual memory area (VMA) boundaries during merge operations, causing curr_end to become stale and resulting in incorrect iteration state. This flaw in mm/mseal.c affects Linux kernel versions where the mseal feature is present, allowing local attackers to potentially bypass memory sealing protections or trigger information disclosure by manipulating VMA merge behavior during seal operations.
Use-after-free vulnerability in Linux kernel futex handling allows local attackers to read freed memory via race condition between futex_key_to_node_opt() and vma_replace_policy(). When mbind() concurrently replaces virtual memory area policies, __futex_key_to_node() may dereference a freed mempolicy structure, enabling information disclosure of kernel memory. The vulnerability requires local access and precise timing but poses memory safety risk in multi-threaded applications using futex operations alongside memory policy changes.
Linux kernel TLS subsystem leaks socket buffers (skbs) when asynchronous AEAD decryption operations fail during batch processing, allowing local attackers to exhaust kernel memory and potentially cause denial of service. The vulnerability exists in tls_decrypt_async_wait() and related functions that manage the async_hold queue, which pins encrypted input buffers for AEAD engine references; improper cleanup in failure paths leaves these buffers allocated indefinitely. This is a kernel memory leak affecting TLS decryption in the kernel's cryptographic stack, confirmed by multiple upstream patches across stable branches.
Use-after-free in Linux kernel clsact qdisc initialization and destruction rollback allows local denial of service or potential information disclosure when qdisc replacement fails midway during tcf_block_get_ext() operations. The vulnerability stems from asymmetric initialization and cleanup paths where egress_entry references from a previous clsact instance remain valid during failure scenarios, leading to double-free or use-after-free conditions. Affected Linux kernel versions across all distributions that include the clsact traffic control qdisc require patching.
Use-after-free in Linux kernel netfilter BPF hook memory management allows local attackers to read sensitive kernel memory via concurrent nfnetlink_hooks dumping operations. The vulnerability arises from premature memory release in hook structures before RCU readers complete their access, enabling information disclosure through netlink interface. No active exploitation confirmed, but the KASAN report demonstrates reliable reproducer availability.
Path traversal in Poetry's wheel installer (versions prior to 2.3.3) allows malicious Python packages to write arbitrary files outside the installation directory during package installation. Attackers can craft wheel files containing ../ directory traversal sequences that bypass containment checks, enabling file overwrite with Poetry process privileges. This directly threatens CI/CD pipelines and developer workstations installing untrusted packages from PyPI or private repositories. No active exploitation confirmed at time of analysis, but a functional proof-of-concept is publicly documented in the GitHub advisory.
Heap memory disclosure in OpenEXR 3.4.0 through 3.4.7 allows remote attackers to extract sensitive information through decoded pixel data when processing malicious EXR image files. The vulnerability requires no authentication (PR:N) or user interaction (UI:N), triggering automatically during file parsing under default configurations. With CVSS 8.7 and high confidentiality impact (VC:H), this represents significant risk for applications processing untrusted EXR files. No public exploit identified at time of analysis, though the low attack complexity (AC:L) suggests straightforward exploitation once attack methods are documented.
Out-of-bounds heap write in OpenEXR 3.4.0-3.4.7 allows local attackers to crash applications or corrupt memory when processing malicious B44/B44A compressed EXR files. Attack requires user interaction to open a crafted image file. Patched in version 3.4.8. CVSS 8.4 (High) reflects local attack vector with no privileges required but mandatory user action. No confirmed active exploitation or public POC identified at time of analysis, though proof-of-concept development is feasible given the detailed GitHub advisory and commit.
AIOHTTP prior to version 3.13.4 allows multiple Host headers in HTTP requests, enabling information disclosure through header injection attacks. An unauthenticated remote attacker can exploit this by crafting malicious requests with duplicate Host headers to potentially bypass security controls or extract sensitive information from affected applications. The vulnerability has been patched in version 3.13.4, and no public exploit code or active exploitation has been identified at the time of analysis.
Memory exhaustion vulnerability in AIOHTTP prior to version 3.13.4 allows unauthenticated remote attackers to trigger denial of service via specially crafted HTTP responses containing excessive multipart headers. The vulnerability exploits insufficient memory limits during multipart header parsing, causing the server or client to consume more memory than intended. CVSS 6.6 (medium-high availability impact) with no public exploit code identified at time of analysis.
AIOHTTP static resource handler on Windows exposes NTLMv2 remote path information to unauthenticated remote attackers, allowing information disclosure with high confidentiality impact. Versions prior to 3.13.4 are affected. The vulnerability has been patched and no active exploitation has been confirmed at this time.
Memory exhaustion in aiohttp's header and trailer handling allows remote attackers to cause denial of service by sending attacker-controlled HTTP requests or responses with uncapped header/trailer values. The vulnerability affects aiohttp Python library across affected versions, enabling attackers to exhaust application memory without authentication. A mitigation is available via reverse proxy configuration, and upstream patch has been released.
ONNX versions prior to 1.21.0 allow local attackers to read arbitrary files by exploiting a hardlink-based path traversal vulnerability in onnx.load(). The vulnerability bypasses existing symlink protections because hardlinks appear as regular files to filesystem checks. An attacker with local file system access can craft a malicious ONNX model file using hardlinks to access sensitive data outside the intended directory, requiring user interaction to load the crafted model. No public exploit code has been identified; EPSS score of 4.7 indicates low exploitation probability despite moderate CVSS impact.
Arbitrary attribute injection in ONNX Python library (versions prior to 1.21.0) allows unauthenticated remote attackers to manipulate internal object properties by embedding malicious metadata in ONNX model files, resulting in potential information disclosure, data integrity violations, and high availability impact (CVSS 8.6). The vulnerability stems from unchecked use of Python's setattr() with externally-controlled keys during ExternalDataInfo deserialization. No public exploit code or CISA KEV listing identified at time of analysis, but proof-of-concept development is trivial given the straightforward nature of Python attribute manipulation. EPSS data not provided, but the unauthenticated network-accessible attack vector and low complexity suggest material risk for organizations processing untrusted ONNX models.
AppArmor differential encoding verification in the Linux kernel contains logic errors that permit infinite loops to be created through abuse of the verification chain mechanism. Two distinct bugs in the verification routine-conflation of checked states with currently-checked states, and incorrect loop iterator comparison-allow malformed differential encoding chains to bypass security checks. This enables potential information disclosure or policy circumvention on systems relying on AppArmor mandatory access control. The vulnerability affects Linux kernel versions prior to fixes applied across multiple stable branches via kernel commits.
Linux kernel AppArmor policy namespace implementation allows arbitrary nesting and creation of policy namespaces without enforcing depth limits, enabling local attackers to exhaust system resources through unbounded namespace proliferation. The vulnerability affects AppArmor in the Linux kernel across multiple stable branches. This is a denial-of-service vulnerability requiring local access, with fixes available across stable kernel versions.
Stack exhaustion in AppArmor profile removal allows local denial of service by crafting deeply nested profiles that trigger recursive kernel stack consumption. The Linux kernel's AppArmor security module can be crashed by a local user with permission to load profiles via the apparmor_parser tool and trigger removal through sysfs, causing kernel stack overflow. The fix replaces recursive profile removal with an iterative approach to prevent stack exhaustion.
Memory leak in Linux kernel AppArmor module verify_header function causes namespace string allocation leaks during multiple profile unpacking and breaks namespace consistency checking. The vulnerable code incorrectly resets the namespace pointer to NULL on every function call, discarding previously allocated namespace strings and preventing proper namespace comparison across profile iterations. This affects Linux kernel versions with the vulnerable AppArmor implementation prior to upstream fixes applied across stable branches.
Linux kernel KVM x86/mmu module improperly validates shadow page table entries (SPTEs) in indirect MMUs, allowing host userspace writes to bypass KVM's write-tracking detection and corrupt shadow paging state. The vulnerability affects KVM implementations on x86 systems with nested or indirect MMU configurations where writes originating outside KVM's scope (e.g., from host userspace via memory access) are not detected, potentially leading to memory corruption or VM escape. No CVSS score, EPSS data, or KEV status is available; this appears to be an internal kernel consistency issue addressed via upstream patch rather than a directly exploitable security boundary.
Information disclosure in Google Chrome's WebGL implementation prior to version 146.0.7680.178 allows remote attackers to extract potentially sensitive data from process memory by serving a crafted HTML page. The vulnerability affects all Chrome versions before the patched release and requires only user interaction (visiting a malicious webpage) to trigger memory disclosure via WebGL rendering.
Remote code execution in Google Chrome prior to version 146.0.7680.178 via use-after-free vulnerability in the Dawn graphics library allows unauthenticated remote attackers to execute arbitrary code through a crafted HTML page. The vulnerability affects all Chrome versions below the patched release and carries high severity per Chromium's assessment.
Remote code execution in Google Chrome prior to 146.0.7680.178 via use-after-free vulnerability in Dawn graphics subsystem allows an attacker who has already compromised the renderer process to execute arbitrary code through a crafted HTML page. This vulnerability requires prior renderer compromise but presents significant risk in multi-process exploitation chains; vendor has released patched version 146.0.7680.178 to address the issue.
Information disclosure in ANGLE (graphics abstraction layer) within Google Chrome prior to version 146.0.7680.178 enables remote attackers to leak cross-origin data through crafted HTML pages. The vulnerability affects all Chrome versions before the patched release and requires only network access and user interaction (visiting a malicious page), posing a moderate real-world risk to users who may inadvertently access attacker-controlled content.
Out-of-bounds read in WebCodecs functionality in Google Chrome prior to version 146.0.7680.178 allows remote attackers to read arbitrary memory contents via a crafted HTML page. The vulnerability affects all Chrome versions before the patched release and requires only user interaction (visiting a malicious webpage) to trigger. No public exploit code or active exploitation has been confirmed at time of analysis.
Remote code execution in Google Chrome on Android via use-after-free vulnerability in Web MIDI allows unauthenticated remote attackers to execute arbitrary code through a crafted HTML page. The vulnerability affects Chrome versions prior to 146.0.7680.178 and carries high severity per Chromium's security classification. A vendor-released patch is available.
Integer overflow in ANGLE (Google's OpenGL abstraction layer) in Chrome on Windows before version 146.0.7680.178 enables out-of-bounds memory writes if the renderer process is compromised, allowing an attacker to execute arbitrary code with renderer privileges. The vulnerability requires prior renderer process compromise, limiting the immediate attack surface but representing a critical post-compromise escalation vector. Chromium severity is rated High; patch availability confirms vendor remediation.
Information disclosure in Google Chrome's WebUSB implementation prior to version 146.0.7680.178 allows remote attackers to extract sensitive data from process memory by delivering a crafted HTML page, exploiting insufficient policy enforcement in the WebUSB API. The vulnerability affects all Chrome versions before 146.0.7680.178 across all platforms. No public exploit code or active exploitation has been confirmed at the time of this analysis.
Remote code execution in ANGLE (Almost Native Graphics Layer Engine) within Google Chrome on macOS prior to version 146.0.7680.178 allows unauthenticated remote attackers to execute arbitrary code by crafting a malicious HTML page that triggers a heap buffer overflow. This vulnerability affects all Chrome versions below the patched release and poses an immediate risk to macOS users who visit compromised or malicious websites.
Integer overflow in Google Chrome's Codecs component prior to version 146.0.7680.178 enables remote code execution and arbitrary memory read/write operations when a user visits a malicious HTML page. The vulnerability affects all versions before the patch release and requires no user interaction beyond visiting a crafted webpage. Chromium security team classified this as High severity; no public exploit code or active exploitation has been confirmed at the time of analysis.
Finite-field Diffie-Hellman (FFDH) in Mbed TLS 3.5.x, 3.6.0 through 3.6.5, and TF-PSA-Crypto 1.0 lacks contributory behavior due to improper validation of peer-supplied parameters, allowing an attacker to restrict the shared secret to a small set of predictable values. While the vulnerability does not directly impact TLS (which does not depend on contributory behavior), it poses a significant risk to protocols that do rely on this property, including those where an active network attacker or malicious peer can exploit the weakness. No CVSS score or public exploit code has been assigned at the time of analysis.
Denial-of-service in the Linux kernel's ksmbd SMB server component stems from improper handling of volume identifiers in FS_OBJECT_ID_INFORMATION responses. Affected kernels fail to correctly use the superblock UUID (sb->s_uuid) as the volume identifier, and lack a safe fallback (via vfs_statfs()) for filesystems that do not expose a UUID - creating conditions for a kernel availability impact when a local low-privileged user interacts with an affected SMB share. EPSS is 0.01% (1st percentile) and no active exploitation is confirmed in CISA KEV; no public exploit code has been identified at time of analysis.
Denial of service in Avahi prior to version 0.9-rc4 allows local unprivileged users to crash avahi-daemon by sending a D-Bus method call with conflicting publish flags. The vulnerability requires local access and low privileges but causes immediate service unavailability. No public exploit code or active exploitation has been confirmed; however, the attack is trivial to execute given the low complexity barrier.
Unauthenticated remote code execution in OpenPrinting CUPS 2.4.16 and earlier allows attackers to send print jobs to shared PostScript queues without authentication, exploit a newline injection vulnerability in page-border parameter handling, and execute arbitrary binaries as the lp user by chaining a follow-up raw print job. CISA KEV status and active exploitation confirmation not provided; no publicly available patches identified at publication.
Heap-based buffer overflow in OpenPrinting CUPS scheduler versions 2.4.16 and prior allows unauthenticated remote attackers to trigger a denial of service condition by crafting malicious job attributes that overflow buffers during filter option string construction. With a CVSS score of 5.3 and network accessibility, this vulnerability impacts availability on exposed CUPS instances; no public exploit code or vendor patch has been released as of publication.
Path traversal in OpenPrinting CUPS RSS notifier (versions 2.4.16 and prior) allows unauthenticated remote IPP clients to write arbitrary files outside the intended CacheDir/rss directory via a crafted notify-recipient-uri parameter. By exploiting default group-writable permissions on CacheDir, attackers can overwrite critical state files such as job.cache, causing the CUPS scheduler to fail parsing job queues and resulting in loss of previously queued print jobs. No public exploit code or vendor patch is currently available, though the vulnerability is demonstrated with proof-of-concept exploitation.
Local privilege escalation in OpenPrinting CUPS 2.4.16 and prior allows unprivileged users to bypass authentication and create arbitrary file overwrites as root by coercing cupsd into issuing reusable Authorization tokens and leveraging printer-sharing policies to persist file:// URIs that bypass FileDevice restrictions. A proof-of-concept demonstrates root command execution via sudoers file modification, and the vulnerability is confirmed by the presence of public exploit code.
Denial of service in rust-rpm-sequoia allows local attackers to crash RPM signature verification by submitting specially crafted RPM files that trigger unhandled errors in OpenPGP parsing, preventing legitimate package management operations. CVSS 4.0 (low severity), local attack vector, non-authenticating. No public exploit code or active exploitation confirmed.
Linux kernel sunrpc subsystem fails to properly release cache_request objects when file descriptors are closed mid-read, resulting in memory leaks and potential information disclosure through stale cache entries. The vulnerability affects all Linux kernel versions with the affected sunrpc cache implementation, and requires no special privileges or network access to trigger since it occurs during normal file descriptor closure in the kernel's user-space cache management interface.
Use-after-free in the Linux kernel's nvdimm/bus subsystem allows local privileged users to potentially trigger memory corruption when device_add() fails during nd_async_device_register() asynchronous initialization. The flaw stems from the parent device reference being dropped before the parent pointer is accessed on allocation failure paths. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Out-of-bounds read and write in the Broadcom bnxt_en network driver of the Linux kernel allows a malicious or compromised NIC to corrupt kernel heap memory or crash the system. The flaw resides in the DBG_BUF_PRODUCER async event handler, which uses a firmware-supplied 16-bit 'type' field as an unchecked index into the bp->bs_trace[] array. No public exploit identified at time of analysis and EPSS rates exploitation probability at just 0.02%, but the impact on confidentiality and availability is high where the trust boundary between NIC firmware and kernel is relevant.
Null pointer dereference in Linux kernel mac80211 IEEE 802.11 wireless subsystem crashes AP_VLAN stations during channel bandwidth change operations. The ieee80211_chan_bw_change() function incorrectly accesses link data on VLAN interfaces (such as 4-address WDS clients) where the link structure is uninitialized, leading to kernel panic when dereferencing a NULL channel pointer. Any system with AP_VLAN wireless configurations and active channel state announcement (CSA) operations is vulnerable to local denial of service.
Linux kernel xe (Intel GPU) driver leaks dynamically allocated virtual memory area (VMA) structures when argument validation fails in the xe_vm_madvise_ioctl handler, allowing local attackers to exhaust kernel memory and trigger denial of service. The vulnerability has been patched upstream in stable kernel branches with proper cleanup path addition.
Infinite loop in Linux kernel serial core driver handle_tx() affects systems using uninitialized PORT_UNKNOWN serial ports, where uart_write_room() and uart_write() behave inconsistently regarding null transmit buffers, causing denial of service through system hangs. The vulnerability impacts caif_serial and other drivers that rely on tty_write_room() to determine write capacity. Patch available in upstream kernel commits; no CVSS score assigned due to kernel-specific nature and relatively limited exposure scope.
Linux kernel drm/imagination driver deadlock in soft reset sequence allows local denial of service when the soft reset handler calls disable_irq() from within a threaded IRQ handler context, creating a self-deadlock condition. The fix replaces disable_irq() with disable_irq_nosync() to prevent the handler from waiting on itself. Affected systems running vulnerable kernel versions with imagination GPU drivers can experience system hangs during GPU reset operations; no public exploit code identified at time of analysis.
NULL pointer dereference in Linux kernel DRM i915 GPU driver allows local denial of service during system probe when DMC firmware initialization has not yet completed but hardware has DC6 power state enabled. The vulnerability occurs in intel_dmc_update_dc6_allowed_count() when called from gen9_set_dc_state() during intel_power_domains_init_hw(), which executes before DMC initialization, causing kernel oops if DC6 is unexpectedly enabled by BIOS firmware. No public exploit code identified; this is a kernel crash vulnerability requiring local system access triggered by atypical BIOS behavior.
Linux kernel btrfs filesystem fails to log new directory dentries when the parent directory of a conflicting inode is logged, causing new files and subdirectories to become inaccessible after power failure or system crash. The vulnerability affects all Linux kernel versions with btrfs; an attacker or system malfunction can trigger data loss through specific filesystem operation sequences involving deleted and recreated inodes with naming conflicts.
Memory leak in Linux kernel Microchip MPFS system controller driver (mpfs_sys_controller_probe) allows local attackers to exhaust kernel memory by repeatedly triggering the MTD device lookup failure path, eventually causing denial of service through memory exhaustion.
NULL pointer dereference in Linux kernel ROSE socket implementation allows local denial of service when rose_connect() is called twice during an active connection attempt. The vulnerability occurs because rose_connect() fails to validate TCP_SYN_SENT state, permitting rose->neighbour to be overwritten with NULL, which later causes a kernel crash when rose_transmit_link() dereferences the NULL pointer during socket closure. No active exploitation reported; fix available in upstream kernel commits.
Out-of-bounds read in the Linux kernel's cdc_ncm USB networking driver allows a local attacker with a malicious or compromised USB CDC NCM device to read kernel memory beyond the skb buffer. The flaw lives in cdc_ncm_rx_verify_ndp16(), where the NDP16 nframes bounds check omits the ndpoffset value, letting DPE array iteration in cdc_ncm_rx_fixup() walk past the legitimate buffer when wNdpIndex points near the end of the NTB. No public exploit identified at time of analysis and EPSS exploitation probability is 0.02% (5th percentile), but a patch is available from upstream Linux maintainers.
Buffer overflow in Linux kernel cdc_ncm driver allows out-of-bounds memory reads when processing malformed USB CDC NCM (Network Control Model) packets with NDP32 (Normal Data Packet) headers positioned near the end of the network transfer buffer. The vulnerability exists in cdc_ncm_rx_verify_ndp32() where bounds checking fails to account for the ndpoffset value when validating the DPE (Data Packet Element) array size, potentially enabling local denial-of-service or information disclosure on systems with affected USB CDC NCM network devices. No active exploitation or public proof-of-concept identified at time of analysis.
Kernel page fault in Intel IGC network driver XDP TX timestamp handling allows local denial of service when an XDP application requesting TX timestamping shuts down while the interface link remains active. The vulnerability stems from stale xsk_meta pointers left in memory after TX ring shutdown, causing the IRQ handler to dereference invalid kernel addresses and trigger a kernel panic. This affects Linux kernel versions in the igc driver and requires no special privileges or network access, only the ability to run XDP programs on an affected system.
Use-after-free vulnerability in Linux kernel ACPI processor errata handling allows local attackers to cause denial of service or potentially execute code via device pointer dereference after reference dropping in acpi_processor_errata_piix4(). The vulnerability affects multiple Linux kernel versions and was introduced in a previous fix attempt (commit f132e089fe89); it has been resolved across stable kernel branches with no active public exploitation identified.
Race condition in Linux kernel net/mlx5e IPSec offload driver allows concurrent access to a shared DMA-mapped ASO context, potentially causing information disclosure or incorrect IPSec processing results. The vulnerability affects systems using Mellanox MLX5 network adapters with IPSec offload functionality. An attacker with local access to initiate multiple IPSec operations in rapid succession can trigger the race condition, corrupting the shared context and causing subsequent operations to read invalid data, compromising confidentiality and integrity of IPSec-protected traffic.
Linux kernel net/mlx5e driver suffers a race condition during IPSec ESN (Extended Sequence Number) update handling that causes incorrect ESN high-order bit increments, leading to anti-replay failures and IPSec traffic halts. The vulnerability affects systems using Mellanox ConnectX adapters with IPSec full offload mode enabled. Attackers with local network access or the ability to trigger IPSec traffic patterns could exploit this to disrupt encrypted communications, though no public exploit code or active exploitation has been reported.
Linux kernel net shaper module fails to validate netdev liveness during hierarchy read operations, allowing information disclosure through use-after-free conditions when a network device is unregistered while RCU-protected read operations are in progress. The vulnerability affects the netlink operation callbacks in the shaper subsystem, where references acquired during pre-callbacks are not validated before later lock/RCU acquisitions, creating a race condition that can expose kernel memory or cause denial of service. No public exploit code has been identified at time of analysis, and the issue requires local access to trigger netlink operations.
Linux kernel net shaper subsystem susceptible to race condition during hierarchy creation allows unauthenticated local attackers to leak kernel memory or trigger use-after-free conditions. The vulnerability arises when a netdev is unregistered between reference acquisition during Netlink operation preparation and subsequent lock acquisition, permitting hierarchy allocation after flush operations have completed. Fixed via upstream commits that consolidate locking to pre-callback phase, preventing concurrent write races with flush operations.
Linux kernel NULL pointer dereference in the x86 PMU NMI handler on AMD EPYC systems causes denial of service when perf event unthrottling races with PMU rescheduling. The vulnerability stems from commit 7e772a93eb61 moving event pointer initialization later in x86_pmu_enable(), allowing the unthrottle path to set active_mask bits without populating the corresponding events[] array entries, leading to NULL pointer dereference when subsequent PMC overflow interrupts fire. No public exploit code identified at time of analysis; patch fixes are available in upstream Linux kernel stable branches.
Null pointer dereference in Linux kernel arm_mpam memory bandwidth monitoring causes kernel oops when an MSC supporting bandwidth monitoring transitions offline and back online. The mpam_restore_mbwu_state() function fails to initialize a value buffer before passing it to __ris_msmon_read() via IPI, triggering a crash in the bandwidth counter restoration routine. This affects ARM systems with MPAM (Memory Partitioning and Monitoring) support and results in denial of service through system instability when memory controllers are toggled.
A use-after-free vulnerability in the Linux kernel's mshv (Microsoft Hyper-V) driver allows local attackers to trigger a kernel panic by unmapping user memory after a failed mshv_map_user_memory() call. The error path incorrectly calls vfree() without unregistering the associated MMU notifier, leaving a dangling reference that fires when userspace performs subsequent memory operations. This is a memory safety issue affecting the Hyper-V virtualization subsystem in the Linux kernel.
Memory leak in the Linux kernel's Amlogic SPI controller driver (aml_spisg_probe) fails to release SPI controller resources in multiple error paths during probe, allowing local attackers to exhaust kernel memory through repeated driver load/unload cycles or failed probe attempts. The vulnerability has been resolved in the upstream kernel by converting to device-managed SPI allocation functions.
Memory leak in Linux kernel drm/vmwgfx driver caused by overwriting KMS surface dirty tracker without proper cleanup. The vulnerability affects the VMware graphics driver subsystem in the kernel, allowing local attackers to trigger memory exhaustion through repeated surface operations. No CVSS score, EPSS data, or KEV status available; fix commits exist in upstream stable kernel branches.
Linux kernel crashes in iommu_sva_unbind_device() when accessing a freed mm structure after iommu_domain_free() deallocates domain->mm->iommu_mm, causing denial of service on systems using IOMMU Shared Virtual Addressing (SVA). The fix reorders code to access the structure before the domain is freed. No CVSS score, EPSS, or KEV status available; no public exploit code identified.
Use-after-free in Linux kernel ksmbd SMB server allows local or remote attackers to read freed memory and potentially achieve denial of service or code execution via compound SMB2 requests that reuse a tree connection after it has been disconnected and its associated share_conf structure freed. The vulnerability exists because smb2_get_ksmbd_tcon() bypasses state validation checks when reusing connections in compound requests, enabling subsequent commands to dereference already-freed share_conf pointers. No CVE severity metrics are available, but KASAN confirms memory corruption is triggered in smb2_write operations during tree disconnect sequences.
Use-after-free in Linux kernel's ksmbd SMB server allows remote attackers to crash the kernel or potentially execute code via malicious SMB2 DURABLE_REQ_V2 replay operations. The vulnerability occurs when parse_durable_handle_context() unconditionally reassigns file handle connection pointers during replay operations, causing stale pointer dereferences when the reassigned connection is subsequently freed. A KASAN report confirms the use-after-free in spin_lock operations during file descriptor closure, triggered during SMB2 connection handling in the ksmbd-io workqueue. No public exploit code or active exploitation has been confirmed at time of analysis.
Linux kernel drm/logicvc driver fails to release a device node reference in logicvc_drm_config_parse(), causing a reference leak that can exhaust kernel memory resources over time. The vulnerability affects all Linux kernel versions with the logicvc DRM driver enabled; it requires local access to trigger repeated calls to the vulnerable code path. This is a low-severity resource exhaustion issue resolved via kernel patch implementing automatic cleanup attributes.
Linux kernel KVM ARM64 fails to properly initialize ID registers for non-protected pKVM guests, causing feature detection checks to incorrectly return zero and preventing proper save/restore of system registers like TCR2_EL1 during world switches, potentially leading to state corruption. The vulnerability affects the hypervisor's ability to detect CPU features in non-protected virtual machines despite the initialization flag being incorrectly set. This is a kernel-level logic error that impacts system register handling in ARM64 virtualization.
Linux kernel accel/amdxdna driver fails to validate command buffer payload count, allowing out-of-bounds reads in AMD XDNA accelerator command processing. The vulnerability affects the accel/amdxdna subsystem across unspecified Linux kernel versions and permits information disclosure through unvalidated payload size interpretation. No active exploitation, public proof-of-concept, or CVSS data currently available.
Linux kernel btrfs subsystem fails to free allocated pages in btrfs_uring_read_extent() when error conditions occur before asynchronous I/O completion, leading to memory leaks. The vulnerability affects all Linux kernel versions with the vulnerable btrfs implementation; while tagged as Information Disclosure, the primary impact is denial of service through memory exhaustion rather than data exposure. No public exploit code or active exploitation has been identified; this is a defensive fix addressing a code path that may never execute under normal conditions but represents a resource management defect.
Memory leak in Linux kernel DRM/XE configfs device release allows information disclosure through unfreed ctx_restore_mid_bb allocation. The xe_config_device_release() function fails to deallocate ctx_restore_mid_bb[0].cs memory that was previously allocated by wa_bb_store(), leaving sensitive kernel memory accessible when the configfs device is removed. Affected Linux kernel versions containing the vulnerable DRM/XE driver require patching to prevent potential information leakage.
Mutex lock-unlock mismatch in the Linux kernel's wlcore Wi-Fi driver allows potential information disclosure or system instability through improper synchronization. The vulnerability occurs when wl->mutex is unlocked without being locked first, detected by the Clang thread-safety analyzer. This affects all Linux kernel versions with the wlcore Wi-Fi driver. No active exploitation has been identified, but the bug creates a race condition that could be leveraged to access shared kernel state.
Linux kernel RDS TCP subsystem resolves circular locking dependency in rds_tcp_tune() function where socket lock contention with fs_reclaim memory allocation creates deadlock potential. The vulnerability affects all Linux kernel versions with the vulnerable code path in net/rds/tcp.c; the fix relocates sk_net_refcnt_upgrade() outside the socket lock critical section to eliminate the circular lock dependency without compromising synchronization semantics.
Memory leak in Linux kernel DRM/XE register save-restore (reg_sr) module fails to free allocated memory when xa_store() operation fails, potentially allowing local information disclosure or denial of service through repeated trigger of the error path. The vulnerability affects all Linux kernel versions containing the affected drm/xe/reg_sr code prior to the fix commits referenced. No CVSS score or exploit data provided; patch commits are available in upstream Linux repository.
HTTP response header injection in Electron allows remote attackers to inject malicious headers via crafted input reflected in response headers when custom protocol handlers or webRequest.onHeadersReceived are used. An attacker can manipulate cookies, content security policy, or cross-origin access controls in affected applications. This affects Electron 41.x before 41.0.3, 40.x before 40.8.3, 39.x before 39.8.3, and 38.x before 38.8.6; no public exploit code is documented at time of analysis.
Cookie attribute injection in Tornado web framework versions before 6.5.5 allows unauthenticated remote attackers to manipulate cookie security attributes through crafted characters in domain, path, and samesite parameters of RequestHandler.set_cookie. With CVSS 7.2 and EPSS data unavailable, this represents a moderate integrity and confidentiality risk for web applications using affected Tornado versions. No public exploit identified at time of analysis, though the vulnerability mechanism is straightforward for exploitation.
HTTP response desynchronization in Rack web server framework versions prior to 2.2.23, 3.1.21, and 3.2.6 allows remote attackers to cause Content-Length header mismatches by requesting non-existent paths with percent-encoded UTF-8 characters. The vulnerability stems from Rack::Files#fail using String#size instead of String#bytesize when setting Content-Length, causing declared header values to be smaller than actual bytes transmitted, potentially leading to response framing errors and information disclosure in deployments sensitive to Content-Length validation. No public exploit code or confirmed active exploitation identified at time of analysis.
Rack::Sendfile in versions prior to 2.2.23, 3.1.21, and 3.2.6 allows remote attackers to inject regex metacharacters into X-Accel-Mapping request headers, enabling unescaped interpolation that manipulates the X-Accel-Redirect response header and causes nginx to serve unintended files from internal locations. No public exploit code or active exploitation has been confirmed; patch versions are available from the vendor.
Denial of service in Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 allows unauthenticated remote attackers to consume disproportionate CPU, memory, I/O, and bandwidth by supplying many small overlapping byte ranges in HTTP Range headers, bypassing the existing CVE-2024-26141 fix that only validates total byte coverage. The vulnerability affects Rack's file-serving paths that process multipart byte range responses, enabling attackers to degrade service availability with minimal request complexity.
Rack::Static fails to apply security-relevant response headers to URL-encoded variants of static file paths, allowing attackers to bypass header-based security controls by requesting percent-encoded forms of protected resources. This affects Rack versions prior to 2.2.23, 3.1.21, and 3.2.6, and is particularly dangerous in deployments relying on Rack::Static to enforce Content-Security-Policy, X-Frame-Options, or similar protective headers on static content. No public exploit code or active exploitation has been confirmed at time of analysis.
Rack web server interface versions prior to 2.2.23, 3.1.21, and 3.2.6 fail to properly escape regex metacharacters when constructing directory path filtering expressions, causing the Rack::Directory component to expose full filesystem paths in HTML directory listings. An unauthenticated remote attacker can retrieve sensitive path information by requesting directory listings when the configured root path contains regex special characters such as +, *, or ., achieving low-confidentiality impact with CVSS 5.3. No public exploit code or active exploitation has been confirmed at time of analysis.
Denial of service in Rack::Utils.select_best_encoding allows unauthenticated remote attackers to consume disproportionate CPU resources via a crafted Accept-Encoding header containing multiple wildcard entries, affecting Rack versions prior to 2.2.23, 3.1.21, and 3.2.6. The vulnerability exploits quadratic time complexity in the encoding selection algorithm used by Rack::Deflater middleware, enabling a single HTTP request to trigger sustained CPU exhaustion and application unavailability.
Host header validation bypass in Rack 3.0.0.beta1-3.1.20 and 3.2.0-3.2.5 allows unauthenticated remote attackers to poison Host headers by injecting RFC-noncompliant characters (/, ?, #, @) that pass the AUTHORITY regex but are accepted by req.host, req.url, and req.base_url. Applications relying on naive prefix or suffix matching for host validation, link generation, or origin checks can be bypassed, enabling host header poisoning attacks. No public exploit code or active exploitation has been confirmed at the time of analysis.
OpenSSH before version 10.3 mishandles the authorized_keys principals option when a principals list is combined with a Certificate Authority that uses certain comma character patterns, allowing authenticated local or remote users to disclose sensitive authorization information or manipulate authentication decisions. This vulnerability affects all OpenSSH versions prior to 10.3p1 and requires authenticated access (PR:L) with non-trivial attack complexity (AC:H), resulting in partial confidentiality and integrity impact. No public exploit code or active exploitation has been identified at time of analysis.
Network denial-of-service in Suricata prior to 7.0.15 allows remote unauthenticated attackers to degrade intrusion detection performance via inefficient DCERPC buffering. The flaw enables attackers to bypass or impair network security monitoring by exhausting system resources through malformed DCERPC traffic, effectively blinding detection capabilities. No public exploit identified at time of analysis, though EPSS score and exploitation likelihood were not provided in available data.
Memory exhaustion in Suricata network IDS/IPS via HTTP/2 CONTINUATION frame flooding allows remote unauthenticated attackers to trigger denial of service, typically forcing operating system termination of the Suricata process. Affects all versions prior to 7.0.15 and 8.0.4. EPSS data not available, but CVSS 7.5 (High) reflects network-accessible attack with low complexity requiring no privileges. No public exploit identified at time of analysis, though the attack technique (HTTP/2 frame flooding) is well-documented in protocol security research.
Denial of service in Suricata 8.0.0 through 8.0.3 allows unauthenticated remote attackers to degrade performance via specially crafted SMTP traffic containing MIME-encoded messages with URLs. The quadratic complexity vulnerability (CWE-407) triggers excessive processing when the IDS/IPS engine searches for URLs in malformed messages. EPSS data not provided, but exploitation probability appears low given no public exploit identified at time of analysis and the requirement for sustained malicious SMTP traffic to achieve impact.
Network-accessible resource exhaustion in Suricata IDS allows remote attackers to degrade detection performance via specially crafted traffic. Affects versions prior to 7.0.15 and 8.0.4 (CVSS 7.5 HIGH). Attack requires no authentication (PR:N) and low complexity (AC:L), enabling trivial performance degradation that could blind security monitoring. EPSS data not available, but no public exploit identified at time of analysis. Vendor patches released for both affected branches (7.0.15, 8.0.4).
Performance degradation in Suricata IDS/IPS engine allows remote unauthenticated attackers to cause denial of service through inefficient Kerberos 5 buffering. Affects versions prior to 7.0.15 and 8.0.4. CVSS 7.5 with high availability impact. No public exploit identified at time of analysis, EPSS data not provided. Vendor-released patches available in versions 7.0.15 and 8.0.4.
NULL pointer dereference in Suricata 8.0.0 through 8.0.3 causes denial of service when processing malformed TLS traffic with the 'tls.alpn' rule keyword. Remote unauthenticated attackers can crash the IDS/IPS engine by sending specially crafted network packets, completely disabling network security monitoring. EPSS data not available, but the low attack complexity (AC:L) and network vector (AV:N) combined with high availability impact (A:H) indicate significant operational risk for organizations relying on Suricata for traffic inspection. No evidence of active exploitation (no CISA KEV listing) or public exploit code identified at time of analysis.
Keycloak's SingleUseObjectProvider lacks proper type and namespace isolation, allowing unauthenticated remote attackers with user interaction to delete arbitrary single-use entries and replay consumed action tokens such as password reset links, leading to account compromise. The vulnerability requires user interaction (UI:R) and high attack complexity (AC:H), resulting in a CVSS score of 5.3. No public exploit code or active exploitation has been confirmed at time of analysis.
Unblinded BPF immediate values in PROBE_MEM32 stores bypass constant hardening in the Linux kernel BPF JIT compiler when bpf_jit_harden >= 1, allowing user-controlled 32-bit immediates to leak into native code. The vulnerability affects Linux kernel versions where convert_ctx_accesses() rewrites arena pointer stores to BPF_ST|BPF_PROBE_MEM32 before constant blinding runs, but bpf_jit_blind_insn() only handles BPF_ST|BPF_MEM instructions. No public exploit code or active exploitation has been ide
Memory sealing (mseal) in the Linux kernel incorrectly tracks virtual memory area (VMA) boundaries during merge operations, causing curr_end to become stale and resulting in incorrect iteration state. This flaw in mm/mseal.c affects Linux kernel versions where the mseal feature is present, allowing local attackers to potentially bypass memory sealing protections or trigger information disclosure by manipulating VMA merge behavior during seal operations.
Use-after-free vulnerability in Linux kernel futex handling allows local attackers to read freed memory via race condition between futex_key_to_node_opt() and vma_replace_policy(). When mbind() concurrently replaces virtual memory area policies, __futex_key_to_node() may dereference a freed mempolicy structure, enabling information disclosure of kernel memory. The vulnerability requires local access and precise timing but poses memory safety risk in multi-threaded applications using futex operations alongside memory policy changes.
Linux kernel TLS subsystem leaks socket buffers (skbs) when asynchronous AEAD decryption operations fail during batch processing, allowing local attackers to exhaust kernel memory and potentially cause denial of service. The vulnerability exists in tls_decrypt_async_wait() and related functions that manage the async_hold queue, which pins encrypted input buffers for AEAD engine references; improper cleanup in failure paths leaves these buffers allocated indefinitely. This is a kernel memory leak affecting TLS decryption in the kernel's cryptographic stack, confirmed by multiple upstream patches across stable branches.
Use-after-free in Linux kernel clsact qdisc initialization and destruction rollback allows local denial of service or potential information disclosure when qdisc replacement fails midway during tcf_block_get_ext() operations. The vulnerability stems from asymmetric initialization and cleanup paths where egress_entry references from a previous clsact instance remain valid during failure scenarios, leading to double-free or use-after-free conditions. Affected Linux kernel versions across all distributions that include the clsact traffic control qdisc require patching.
Use-after-free in Linux kernel netfilter BPF hook memory management allows local attackers to read sensitive kernel memory via concurrent nfnetlink_hooks dumping operations. The vulnerability arises from premature memory release in hook structures before RCU readers complete their access, enabling information disclosure through netlink interface. No active exploitation confirmed, but the KASAN report demonstrates reliable reproducer availability.
Path traversal in Poetry's wheel installer (versions prior to 2.3.3) allows malicious Python packages to write arbitrary files outside the installation directory during package installation. Attackers can craft wheel files containing ../ directory traversal sequences that bypass containment checks, enabling file overwrite with Poetry process privileges. This directly threatens CI/CD pipelines and developer workstations installing untrusted packages from PyPI or private repositories. No active exploitation confirmed at time of analysis, but a functional proof-of-concept is publicly documented in the GitHub advisory.
Heap memory disclosure in OpenEXR 3.4.0 through 3.4.7 allows remote attackers to extract sensitive information through decoded pixel data when processing malicious EXR image files. The vulnerability requires no authentication (PR:N) or user interaction (UI:N), triggering automatically during file parsing under default configurations. With CVSS 8.7 and high confidentiality impact (VC:H), this represents significant risk for applications processing untrusted EXR files. No public exploit identified at time of analysis, though the low attack complexity (AC:L) suggests straightforward exploitation once attack methods are documented.
Out-of-bounds heap write in OpenEXR 3.4.0-3.4.7 allows local attackers to crash applications or corrupt memory when processing malicious B44/B44A compressed EXR files. Attack requires user interaction to open a crafted image file. Patched in version 3.4.8. CVSS 8.4 (High) reflects local attack vector with no privileges required but mandatory user action. No confirmed active exploitation or public POC identified at time of analysis, though proof-of-concept development is feasible given the detailed GitHub advisory and commit.
AIOHTTP prior to version 3.13.4 allows multiple Host headers in HTTP requests, enabling information disclosure through header injection attacks. An unauthenticated remote attacker can exploit this by crafting malicious requests with duplicate Host headers to potentially bypass security controls or extract sensitive information from affected applications. The vulnerability has been patched in version 3.13.4, and no public exploit code or active exploitation has been identified at the time of analysis.
Memory exhaustion vulnerability in AIOHTTP prior to version 3.13.4 allows unauthenticated remote attackers to trigger denial of service via specially crafted HTTP responses containing excessive multipart headers. The vulnerability exploits insufficient memory limits during multipart header parsing, causing the server or client to consume more memory than intended. CVSS 6.6 (medium-high availability impact) with no public exploit code identified at time of analysis.
AIOHTTP static resource handler on Windows exposes NTLMv2 remote path information to unauthenticated remote attackers, allowing information disclosure with high confidentiality impact. Versions prior to 3.13.4 are affected. The vulnerability has been patched and no active exploitation has been confirmed at this time.
Memory exhaustion in aiohttp's header and trailer handling allows remote attackers to cause denial of service by sending attacker-controlled HTTP requests or responses with uncapped header/trailer values. The vulnerability affects aiohttp Python library across affected versions, enabling attackers to exhaust application memory without authentication. A mitigation is available via reverse proxy configuration, and upstream patch has been released.
ONNX versions prior to 1.21.0 allow local attackers to read arbitrary files by exploiting a hardlink-based path traversal vulnerability in onnx.load(). The vulnerability bypasses existing symlink protections because hardlinks appear as regular files to filesystem checks. An attacker with local file system access can craft a malicious ONNX model file using hardlinks to access sensitive data outside the intended directory, requiring user interaction to load the crafted model. No public exploit code has been identified; EPSS score of 4.7 indicates low exploitation probability despite moderate CVSS impact.
Arbitrary attribute injection in ONNX Python library (versions prior to 1.21.0) allows unauthenticated remote attackers to manipulate internal object properties by embedding malicious metadata in ONNX model files, resulting in potential information disclosure, data integrity violations, and high availability impact (CVSS 8.6). The vulnerability stems from unchecked use of Python's setattr() with externally-controlled keys during ExternalDataInfo deserialization. No public exploit code or CISA KEV listing identified at time of analysis, but proof-of-concept development is trivial given the straightforward nature of Python attribute manipulation. EPSS data not provided, but the unauthenticated network-accessible attack vector and low complexity suggest material risk for organizations processing untrusted ONNX models.
AppArmor differential encoding verification in the Linux kernel contains logic errors that permit infinite loops to be created through abuse of the verification chain mechanism. Two distinct bugs in the verification routine-conflation of checked states with currently-checked states, and incorrect loop iterator comparison-allow malformed differential encoding chains to bypass security checks. This enables potential information disclosure or policy circumvention on systems relying on AppArmor mandatory access control. The vulnerability affects Linux kernel versions prior to fixes applied across multiple stable branches via kernel commits.
Linux kernel AppArmor policy namespace implementation allows arbitrary nesting and creation of policy namespaces without enforcing depth limits, enabling local attackers to exhaust system resources through unbounded namespace proliferation. The vulnerability affects AppArmor in the Linux kernel across multiple stable branches. This is a denial-of-service vulnerability requiring local access, with fixes available across stable kernel versions.
Stack exhaustion in AppArmor profile removal allows local denial of service by crafting deeply nested profiles that trigger recursive kernel stack consumption. The Linux kernel's AppArmor security module can be crashed by a local user with permission to load profiles via the apparmor_parser tool and trigger removal through sysfs, causing kernel stack overflow. The fix replaces recursive profile removal with an iterative approach to prevent stack exhaustion.
Memory leak in Linux kernel AppArmor module verify_header function causes namespace string allocation leaks during multiple profile unpacking and breaks namespace consistency checking. The vulnerable code incorrectly resets the namespace pointer to NULL on every function call, discarding previously allocated namespace strings and preventing proper namespace comparison across profile iterations. This affects Linux kernel versions with the vulnerable AppArmor implementation prior to upstream fixes applied across stable branches.
Linux kernel KVM x86/mmu module improperly validates shadow page table entries (SPTEs) in indirect MMUs, allowing host userspace writes to bypass KVM's write-tracking detection and corrupt shadow paging state. The vulnerability affects KVM implementations on x86 systems with nested or indirect MMU configurations where writes originating outside KVM's scope (e.g., from host userspace via memory access) are not detected, potentially leading to memory corruption or VM escape. No CVSS score, EPSS data, or KEV status is available; this appears to be an internal kernel consistency issue addressed via upstream patch rather than a directly exploitable security boundary.
Information disclosure in Google Chrome's WebGL implementation prior to version 146.0.7680.178 allows remote attackers to extract potentially sensitive data from process memory by serving a crafted HTML page. The vulnerability affects all Chrome versions before the patched release and requires only user interaction (visiting a malicious webpage) to trigger memory disclosure via WebGL rendering.
Remote code execution in Google Chrome prior to version 146.0.7680.178 via use-after-free vulnerability in the Dawn graphics library allows unauthenticated remote attackers to execute arbitrary code through a crafted HTML page. The vulnerability affects all Chrome versions below the patched release and carries high severity per Chromium's assessment.
Remote code execution in Google Chrome prior to 146.0.7680.178 via use-after-free vulnerability in Dawn graphics subsystem allows an attacker who has already compromised the renderer process to execute arbitrary code through a crafted HTML page. This vulnerability requires prior renderer compromise but presents significant risk in multi-process exploitation chains; vendor has released patched version 146.0.7680.178 to address the issue.
Information disclosure in ANGLE (graphics abstraction layer) within Google Chrome prior to version 146.0.7680.178 enables remote attackers to leak cross-origin data through crafted HTML pages. The vulnerability affects all Chrome versions before the patched release and requires only network access and user interaction (visiting a malicious page), posing a moderate real-world risk to users who may inadvertently access attacker-controlled content.
Out-of-bounds read in WebCodecs functionality in Google Chrome prior to version 146.0.7680.178 allows remote attackers to read arbitrary memory contents via a crafted HTML page. The vulnerability affects all Chrome versions before the patched release and requires only user interaction (visiting a malicious webpage) to trigger. No public exploit code or active exploitation has been confirmed at time of analysis.
Remote code execution in Google Chrome on Android via use-after-free vulnerability in Web MIDI allows unauthenticated remote attackers to execute arbitrary code through a crafted HTML page. The vulnerability affects Chrome versions prior to 146.0.7680.178 and carries high severity per Chromium's security classification. A vendor-released patch is available.
Integer overflow in ANGLE (Google's OpenGL abstraction layer) in Chrome on Windows before version 146.0.7680.178 enables out-of-bounds memory writes if the renderer process is compromised, allowing an attacker to execute arbitrary code with renderer privileges. The vulnerability requires prior renderer process compromise, limiting the immediate attack surface but representing a critical post-compromise escalation vector. Chromium severity is rated High; patch availability confirms vendor remediation.
Information disclosure in Google Chrome's WebUSB implementation prior to version 146.0.7680.178 allows remote attackers to extract sensitive data from process memory by delivering a crafted HTML page, exploiting insufficient policy enforcement in the WebUSB API. The vulnerability affects all Chrome versions before 146.0.7680.178 across all platforms. No public exploit code or active exploitation has been confirmed at the time of this analysis.
Remote code execution in ANGLE (Almost Native Graphics Layer Engine) within Google Chrome on macOS prior to version 146.0.7680.178 allows unauthenticated remote attackers to execute arbitrary code by crafting a malicious HTML page that triggers a heap buffer overflow. This vulnerability affects all Chrome versions below the patched release and poses an immediate risk to macOS users who visit compromised or malicious websites.
Integer overflow in Google Chrome's Codecs component prior to version 146.0.7680.178 enables remote code execution and arbitrary memory read/write operations when a user visits a malicious HTML page. The vulnerability affects all versions before the patch release and requires no user interaction beyond visiting a crafted webpage. Chromium security team classified this as High severity; no public exploit code or active exploitation has been confirmed at the time of analysis.
Finite-field Diffie-Hellman (FFDH) in Mbed TLS 3.5.x, 3.6.0 through 3.6.5, and TF-PSA-Crypto 1.0 lacks contributory behavior due to improper validation of peer-supplied parameters, allowing an attacker to restrict the shared secret to a small set of predictable values. While the vulnerability does not directly impact TLS (which does not depend on contributory behavior), it poses a significant risk to protocols that do rely on this property, including those where an active network attacker or malicious peer can exploit the weakness. No CVSS score or public exploit code has been assigned at the time of analysis.