Red Hat
Monthly
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.0). Public exploit code available.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. Public exploit code available.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 4.7). Public exploit code available.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 4.7). Public exploit code available.
containerd is an open-source container runtime. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. This Memory Leak vulnerability could allow attackers to exhaust available memory leading to denial of service.
A flaw was found in Red Hat Single Sign-On. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Out of bounds memory access in V8 in Google Chrome prior to 141.0.7390.122 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Use after free in Safe Browsing in Google Chrome prior to 141.0.7390.107 allowed a remote attacker who had compromised the renderer process to potentially perform out of bounds memory access via a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Use after free in Storage in Google Chrome prior to 141.0.7390.65 allowed a remote attacker to execute arbitrary code via a crafted video file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Heap buffer overflow in Sync in Google Chrome prior to 141.0.7390.65 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Off by one error in V8 in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Out of bounds read in Media in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Side-channel information leakage in Tab in Google Chrome prior to 141.0.7390.54 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Inappropriate implementation in Media in Google Chrome prior to 141.0.7390.54 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Side-channel information leakage in Storage in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Heap buffer overflow in Video in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Heap buffer overflow in WebGPU in Google Chrome prior to 141.0.7390.54 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A flaw was found in the 3scale Developer Portal. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. Public exploit code available.
A flaw was found in Rubygem MQTT. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity.
containerd is an open-source container runtime. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity.
MARIN3R is a lightweight, CRD based envoy control plane for kubernetes. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A use-after-free issue was addressed with improved memory management. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.
An issue was discovered in libarchive bsdtar before version 3.8.1 in function apply_substitution in file tar/subst.c when processing crafted -s substitution rules. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A denial of service vulnerability exists in the lasso_node_init_from_message_with_format functionality of Entr'ouvert Lasso 2.5.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A denial of service vulnerability exists in the g_assert_not_reached functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A denial of service vulnerability exists in the lasso_provider_verify_saml_signature functionality of Entr'ouvert Lasso 2.5.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A flaw was found in Red Hat Satellite (Foreman component). Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable. No vendor patch available.
The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.
Redis is an open source, in-memory database that persists on disk. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity.
The issue was addressed with improved checks. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
This issue was addressed through improved state management. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
This issue was addressed with improved checks. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
This issue was addressed with improved checks This issue is fixed in tvOS 26.1, watchOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, Safari 26.1, visionOS 26.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A use-after-free issue was addressed with improved memory management. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A use-after-free issue was addressed with improved memory management. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The issue was addressed with improved memory handling. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
This issue was addressed through improved state management. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A buffer overflow was addressed with improved bounds checking. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
This issue was addressed through improved state management. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The issue was addressed with improved memory handling. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Multiple issues were addressed by disabling array allocation sinking. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The issue was addressed with improved memory handling. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The issue was addressed with improved handling of caches. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
React Native Metro Development Server binds to external interfaces by default and contains an OS command injection endpoint, allowing unauthenticated network attackers to execute arbitrary code.
Use-after-free in X.Org X server and Xwayland during Present extension notification processing allows local authenticated users to achieve arbitrary code execution or denial of service. The flaw affects core display server components across multiple Linux distributions, with Red Hat confirming patches through 15 security advisories (RHSA-2025:19432 through RHSA-2025:22055). CVSS 7.3 reflects high integrity and availability impact with low confidentiality impact. No active exploitation confirmed (not in CISA KEV). EPSS data not provided, but the local attack vector and authentication requirement reduce remote exploitation risk despite the severity of potential impact.
A flaw was found in Red Hat Openshift AI Service. The TrustyAI component is granting all service accounts and users on a cluster permissions to get, list, watch any pod in any namespace on the cluster. TrustyAI is creating a role `trustyai-service-operator-lmeval-user-role` and a CRB `trustyai-service-operator-default-lmeval-user-rolebinding` which is being applied to `system:authenticated` making it so that every single user or service account can get a list of pods running in any namespace on the cluster Additionally users can access all `persistentvolumeclaims` and `lmevaljobs`
Denial of service in Apache Tomcat occurs when multipart upload errors leave temporary disk files uncleaned, allowing attackers to exhaust disk space faster than garbage collection reclaims it. Affected versions 8.5.0-8.5.100 (EOL), 9.0.0-M1-9.0.109, 10.1.0-M1-10.1.46, and 11.0.0-M1-11.0.11 require authenticated access (PR:L) and high attack complexity, making real-world exploitation limited despite the medium CVSS score.
ANSI escape sequence injection in Apache Tomcat log messages enables console manipulation and social engineering attacks against administrators on Windows systems. Attackers can craft malicious URLs that inject escape sequences into Tomcat logs, potentially manipulating console output and clipboard contents to trick administrators into executing attacker-controlled commands. This affects Tomcat 9.0.40-9.0.108, 10.1.0-M1-10.1.44, and 11.0.0-M1-11.0.10, with highest risk when Tomcat runs in ANSI-capable Windows consoles. Despite the 9.6 CVSS score, real-world risk is lower as exploitation requires user interaction (administrator viewing logs in console), scope change indicating console compromise beyond Tomcat process, and specific Windows deployment configuration. No active exploitation confirmed (not in CISA KEV), and EPSS data not available at time of analysis.
Path traversal in Apache Tomcat versions 9.x through 11.x allows authenticated attackers to bypass security constraints protecting /WEB-INF/ and /META-INF/ directories when URL rewriting rules manipulate query parameters. Successful exploitation combined with enabled PUT requests enables remote code execution through malicious file upload. Apache Security Team confirms publicly available exploit code exists. The vulnerability stems from a regression in the fix for bug 60013, where URL normalization occurs before decoding, creating an exploitable window in specific rewrite configurations.
Unauthorized data access in Oracle Java SE JAXP component allows remote unauthenticated attackers to exfiltrate sensitive information from multiple Java platforms including Oracle Java SE (8u461 through 25), GraalVM for JDK (17.0.16, 21.0.8), and GraalVM Enterprise Edition (21.3.15). Exploitation requires no authentication, low complexity, and can occur through web services supplying malicious data to JAXP APIs or via sandboxed Java Web Start/applet deployments loading untrusted code. Oracle released patches in October 2025 Critical Patch Update with EPSS data unavailable at time of analysis. CVSS 7.5 reflects pure confidentiality impact with network attack vector.
Improper access control in Oracle Java SE, GraalVM for JDK, and GraalVM Enterprise Edition allows unauthenticated remote attackers to create, delete, or modify critical data when APIs in the Security component are exposed via web services or similar mechanisms. The vulnerability affects Java 8u461 through 25 and carries a CVSS 5.9 with high integrity impact, though exploitation is difficult (AC:H) and no public exploit or active KEV status has been confirmed.
Remote code execution in Mozilla Firefox 143 and Thunderbird 143 allows unauthenticated network attackers to execute arbitrary code via memory corruption. The vulnerability stems from a memory safety bug (CWE-119 buffer overflow) exploitable without user interaction. CVSS score of 9.8 reflects critical severity with network-based attack vector, low complexity, and no privileges required. Vendor-released patches are available in Firefox 144 and Thunderbird 144. No public exploit identified at time of analysis, though Mozilla's assessment indicates the memory corruption is presumed exploitable with sufficient effort.
Use-after-free memory corruption in Mozilla Thunderbird 143+ and Firefox allows remote code execution via malicious web extensions exploiting the native messaging API on Windows. CVSS 9.8 (critical) with network-based attack vector requiring no user interaction or authentication. Patched in Firefox 144 and Thunderbird 144. No public exploit identified at time of analysis, but CVSS metrics indicate high exploitability (AV:N/AC:L/PR:N/UI:N) with complete impact to confidentiality, integrity, and availability.
Memory corruption in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird ESR 140.3 enables remote arbitrary code execution when users interact with malicious content. Exploitation requires user interaction (opening crafted web content or email), but no authentication is needed. Mozilla issued patches in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird ESR 140.4. With CVSS 8.8 and EPSS data unavailable, the vulnerability represents critical risk to unpatched installations. No public exploit identified at time of analysis, though Mozilla's acknowledgment of memory corruption evidence suggests exploitation is technically feasible.
Memory corruption vulnerabilities in Mozilla Firefox and Thunderbird allow remote code execution when users interact with malicious web content. Affects Firefox ESR 115.28 and below, Firefox ESR 140.3 and below, Firefox 143 and below, Thunderbird 143 and below, and Thunderbird ESR 140.3 and below. Mozilla confirmed memory safety bugs with evidence of memory corruption presumed exploitable for arbitrary code execution. Vendor-released patches available: Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4. CVSS 8.8 severity driven by network attack vector with low complexity requiring only user interaction, no authentication required. No public exploit identified at time of analysis, though multiple internal bug reports suggest coordinated fix effort.
Command injection via Firefox/Thunderbird 'Copy as cURL' feature on Windows allows remote attackers to execute arbitrary commands when users copy network requests as cURL commands and paste them into terminals. Affects Firefox <144, Firefox ESR <140.4, Thunderbird <144, and Thunderbird <140.4 exclusively on Windows platforms. No public exploit identified at time of analysis, but attack vector requires only user interaction (CVSS PR:N/UI:R) with no privileges needed.
Firefox and Thunderbird allow cross-site scripting (XSS) attacks when a malicious page uses the type attribute of an OBJECT tag to override default browser behavior for resources served without a content-type header. An attacker can craft a malicious webpage that exploits this flaw to execute arbitrary JavaScript in the context of a vulnerable site that unsafely omits content-type headers, affecting Firefox versions before 144, Firefox ESR before 140.4, Thunderbird before 144, and Thunderbird ESR before 140.4. No public exploit code or active exploitation has been identified at time of analysis.
Modify read-only JavaScript Object properties in Firefox and Thunderbird via crafted web content, allowing attackers to bypass property immutability protections and alter application state. Affects Firefox versions below 144, Firefox ESR below 115.29 and 140.4, Thunderbird below 144 and 140.4. Requires user interaction (malicious website visit) but no authentication. CVSS 6.5 reflects high integrity impact with user-interaction requirement; no evidence of active exploitation or public exploit code at time of analysis.
Information disclosure in Mozilla Firefox and Thunderbird allows unauthenticated remote attackers to extract privileged browser process memory via malicious IPC messages from a compromised web content process. Affects Firefox <144, Firefox ESR <115.29 and <140.4, and Thunderbird <144 and <140.4. CVSS 9.8 indicates network-exploitable with no auth required, though actual exploitation requires first compromising a web content process. Vendor-released patches available (Firefox 144, Firefox ESR 115.29/140.4, Thunderbird 144/140.4). No public exploit identified at time of analysis; EPSS data not provided.
Out-of-bounds memory corruption in Mozilla Firefox and Thunderbird allows unauthenticated remote attackers to achieve code execution via malicious WebGL texture operations. A compromised web content process can exploit manipulated WebGL textures to trigger out-of-bounds reads and writes in privileged browser processes, potentially leading to full system compromise. Affects Firefox <144, Firefox ESR <115.29 and <140.4, and Thunderbird <144 and <140.4. Vendor-released patches available across all affected product lines. CVSS 9.8 reflects network-accessible, no-authentication-required attack with high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the specific Bugzilla reference (1989127) indicates detailed technical analysis exists.
Remote code execution in Mozilla Firefox (all versions prior to 144, ESR prior to 140.4) and Thunderbird (all versions prior to 144, ESR prior to 140.4) allows unauthenticated remote attackers to execute arbitrary code, disclose sensitive information, or cause denial of service through a use-after-free vulnerability in MediaTrackGraphImpl::GetInstance(). With a critical CVSS score of 9.8 and no authentication required, this memory corruption flaw represents a severe security risk. No public exploit identified at time of analysis, though EPSS data not available to assess exploitation probability.
A privilege escalation vulnerability exists in the integration between Active Directory and the System Security Services Daemon (SSSD) on Linux systems, where an attacker with permissions to modify AD attributes can impersonate privileged users by exploiting a fallback mechanism in the Kerberos authentication plugin. The vulnerability affects domain-joined Linux hosts running SSSD in default configurations and allows attackers to gain unauthorized access with high privileges. With a low EPSS score of 0.05% and no KEV listing, this appears to be a theoretical risk requiring existing AD permissions rather than an actively exploited vulnerability.
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: call disconnect callback before deleting conn In hci_cs_disconnect, we do hci_conn_del even if disconnection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.
In the Linux kernel, the following vulnerability has been resolved: fs: dlm: fix use after free in midcomms commit While working on processing dlm message in softirq context I experienced the. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.
In the Linux kernel, the following vulnerability has been resolved: blk-mq: use quiesced elevator switch when reinitializing queues The hctx's run_work may be racing with the elevator switch when. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.
A null pointer dereference vulnerability exists in the Linux kernel's AMD display driver (drm/amd/display) within the dm_resume() function, where the aconnector->dc_link pointer is dereferenced without proper null checks. An unprivileged local attacker with user-level access can trigger a kernel panic and cause a denial of service by inducing a display resume operation. While the CVSS score is moderate (5.5) and EPSS exploitation probability is very low (0.01%), this vulnerability is straightforward to trigger given local access and affects all Linux kernel versions with the vulnerable AMD display driver code.
A logic error in the Linux kernel's device mapper thin pool module causes infinite loops and system hangs when metadata commits fail. The vulnerability affects Linux kernel systems with dm-thin storage pools; when a commit fails during btree metadata operations, the pmd->root pointer is not properly restored to the last valid transaction state, causing subsequent read operations to traverse a corrupted btree structure. An unprivileged local attacker with access to the system can trigger this denial of service condition, resulting in kernel softlockups and system hangs. While no public exploit code is widely distributed, the vulnerability is straightforward to trigger through storage I/O operations on affected systems.
A null pointer dereference vulnerability exists in the Linux kernel's WiFi mac80211 MLME (MAC Layer Management Entity) implementation that crashes the kernel during WiFi association tracing when an AP connection without link 0 fails. The vulnerability affects all Linux kernel versions with the vulnerable code path in the mac80211 wireless driver subsystem, allowing a local authenticated attacker to trigger a denial of service condition. The EPSS score of 0.01% indicates this is rarely exploited in practice, though patches are publicly available from kernel.org.
A resource leak vulnerability exists in the Linux kernel's mpt3sas SCSI transport driver where the sas_rphy_add() function can fail without properly freeing allocated resources, leading to a NULL pointer dereference and kernel crash during device removal. This affects Linux kernel implementations across multiple versions that use the mpt3sas driver for SAS (Serial Attached SCSI) HBA management. An unprivileged local attacker with sufficient privileges to trigger transport port operations can cause a denial of service by inducing a kernel panic, though the low EPSS score of 0.01% suggests exploitation is not practically demonstrated in the wild.
An information leak vulnerability exists in the Linux kernel's TIPC (Transparent Inter-Process Communication) subsystem within the tipc_topsrv_kern_subscr() function. The vulnerability occurs due to incomplete initialization of the sub.usr_handle field, leaving four bytes uninitialized when setsockopt() is called with SOL_TIPC options, allowing kernel memory contents to be leaked to user space. This affects Linux kernel versions including 6.1-rc1 and potentially others; while the EPSS score is extremely low at 0.01% percentile, the vulnerability requires local access and low privileges to trigger, making it a lower-priority but real information disclosure issue that has been patched by multiple vendors.
A null pointer dereference vulnerability exists in the Linux kernel's block layer (blk-mq) memory allocation path that can be triggered by a local, low-privileged user to cause a denial of service. The vulnerability affects Linux kernel versions including 6.1-rc1 and potentially other versions where a failed memory allocation during block queue tag initialization leaves a dangling pointer that is later dereferenced during cleanup. While the EPSS score is low (0.02%, percentile 4%), the vulnerability is straightforward to trigger under memory pressure conditions, requires only local access with minimal privileges, and has vendor patches available.
A memory leak vulnerability exists in the Linux kernel's test_firmware module initialization function (test_firmware_init) where allocated memory for test_fw_config->name is not properly freed when misc_register() fails. This affects all versions of the Linux kernel with the test_firmware module compiled, allowing local authenticated attackers to exhaust kernel memory and cause a denial of service. The vulnerability has a patch available from the Linux kernel maintainers, with an EPSS score of 0.01% indicating very low real-world exploitation probability despite the moderate CVSS score.
A memory leakage and potential segmentation fault vulnerability exists in the Linux kernel's AMD KFD (Kernel Fusion Driver) GPU memory management subsystem, specifically in the _gpuvm_import_dmabuf() function. The vulnerability affects Linux kernel versions across multiple branches and can be exploited by local users with low privilege levels to cause denial of service through memory corruption. Patches are available from the Linux kernel stable branches, and while the EPSS score is very low (0.01%, percentile 3%), the vulnerability has moderate CVSS severity (5.5) due to its ability to cause system availability impact.
A null pointer dereference vulnerability exists in the Linux kernel's AMD GPU (amdgpu) driver in the amdgpu_bo_validate_size() function. When validating buffer object sizes for non-exclusive memory domains, the function fails to verify that the TTM (Translation Table Maps) domain manager exists before dereferencing it, leading to a kernel oops and denial of service. Local attackers with unprivileged user privileges can trigger this vulnerability to crash the system. While patches are available from the vendor, the EPSS score of 0.01% and very low exploitation probability suggest this is a low-priority issue in practice despite the denial-of-service impact.
A memory corruption vulnerability exists in the Linux kernel's MSM display port driver that occurs when more than eight display bridges are connected, allowing local attackers with low privileges to corrupt kernel memory beyond a fixed-size array. The vulnerability affects Linux kernel versions up to 6.1-rc2 and requires local access to exploit, with no known active exploitation in the wild (not in KEV) and a very low EPSS score of 0.02% indicating minimal real-world exploitation likelihood.
A resource leak vulnerability exists in the Linux kernel's FSL PAMU (Freescale Peripheral Access Management Unit) IOMMU driver where the fsl_pamu_probe() function fails to release IRQ and memory resources when the create_csd() function returns an error, allowing a local privileged attacker to cause a denial of service through resource exhaustion. The vulnerability affects multiple Linux kernel versions across stable branches and has an EPSS score of 0.01% (percentile 2%), indicating low real-world exploitation probability despite the moderate CVSS 5.5 score. Patches are available from the Linux kernel maintainers across multiple stable branches.
A null pointer dereference vulnerability exists in the Linux kernel's MediaTek IOMMU driver where the platform_get_resource() function may return a NULL pointer without proper validation, leading to a crash when resource_size() attempts to dereference it. This affects all versions of the Linux kernel with the vulnerable MediaTek IOMMU code. A local attacker with low privileges can trigger a denial of service by causing a kernel panic, though the vulnerability is unlikely to be actively exploited in the wild given the low EPSS score of 0.01%.
A memory leak vulnerability exists in the Linux kernel's Rockchip clock driver (rockchip_clk_register_pll function) where allocated memory from kmemdup() is not freed when clk_register() fails, potentially causing denial of service through memory exhaustion. All versions of the Linux kernel with Rockchip clock support are affected. An attacker with local privileges can trigger repeated clock registration failures to exhaust system memory and crash the system, with an EPSS score of 0.01% indicating very low real-world exploitation probability despite the moderate CVSS score of 5.5.
A memory leak vulnerability exists in the Linux kernel's mxm-wmi (MXM WMI) platform driver where the ACPI buffer returned by wmi_evaluate_method() is not properly freed after invocation, leading to kernel memory exhaustion and potential denial of service. The vulnerability affects all versions of the Linux kernel with the mxm-wmi driver enabled, particularly systems with NVIDIA/AMD discrete GPU switching support. A local attacker with standard user privileges can repeatedly trigger the affected code path to exhaust kernel memory and crash the system, though the extremely low EPSS score (0.01th percentile) suggests exploitation is not actively observed in the wild.
This is a reference counting memory leak in the Linux kernel's radeon graphics driver, specifically in the radeon_atrm_get_bios() function where a PCI device pointer obtained via pci_get_class() is not properly released when loop conditions cause early exit. An authenticated local attacker with low privileges can trigger this vulnerability to cause a denial of service through kernel memory exhaustion, as unreleased PCI device objects accumulate in kernel memory. While no public exploit code exists (EPSS 0.01% indicates minimal real-world exploitation probability), the vulnerability affects all Linux kernel versions running the radeon driver and patches are available across multiple stable kernel series.
This vulnerability in the Linux kernel's NILFS2 filesystem causes a kernel panic when the system is booted with panic_on_warn enabled and checkpoint metadata corruption is detected. A local attacker with standard user privileges can trigger this denial of service by crafting malicious NILFS2 filesystem images or corrupting checkpoint metadata on disk, causing the kernel to panic and crash the system. The vulnerability affects multiple Linux kernel versions across several stable branches, with patches available from the vendor, but EPSS exploitation probability remains very low at 0.01 percentile, indicating this is not actively exploited in the wild.
A race condition vulnerability exists in the Linux kernel's parisc architecture-specific firmware call pdc_iodc_print() that allows local attackers to cause buffer overflows and potentially execute arbitrary code. The vulnerability affects Linux kernel versions from 2.6.25 through versions before the patched releases, requiring local access with low privileges to exploit. With an EPSS score of only 0.01%, this vulnerability has very low exploitation likelihood in the wild despite its high CVSS score of 7.8.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.0). Public exploit code available.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. Public exploit code available.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 4.7). Public exploit code available.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 4.7). Public exploit code available.
containerd is an open-source container runtime. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. This Memory Leak vulnerability could allow attackers to exhaust available memory leading to denial of service.
A flaw was found in Red Hat Single Sign-On. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Out of bounds memory access in V8 in Google Chrome prior to 141.0.7390.122 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Use after free in Safe Browsing in Google Chrome prior to 141.0.7390.107 allowed a remote attacker who had compromised the renderer process to potentially perform out of bounds memory access via a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Use after free in Storage in Google Chrome prior to 141.0.7390.65 allowed a remote attacker to execute arbitrary code via a crafted video file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Heap buffer overflow in Sync in Google Chrome prior to 141.0.7390.65 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Off by one error in V8 in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Out of bounds read in Media in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Side-channel information leakage in Tab in Google Chrome prior to 141.0.7390.54 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Inappropriate implementation in Media in Google Chrome prior to 141.0.7390.54 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Side-channel information leakage in Storage in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Heap buffer overflow in Video in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Heap buffer overflow in WebGPU in Google Chrome prior to 141.0.7390.54 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A flaw was found in the 3scale Developer Portal. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. Public exploit code available.
A flaw was found in Rubygem MQTT. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity.
containerd is an open-source container runtime. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity.
MARIN3R is a lightweight, CRD based envoy control plane for kubernetes. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A use-after-free issue was addressed with improved memory management. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.
An issue was discovered in libarchive bsdtar before version 3.8.1 in function apply_substitution in file tar/subst.c when processing crafted -s substitution rules. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A denial of service vulnerability exists in the lasso_node_init_from_message_with_format functionality of Entr'ouvert Lasso 2.5.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A denial of service vulnerability exists in the g_assert_not_reached functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A denial of service vulnerability exists in the lasso_provider_verify_saml_signature functionality of Entr'ouvert Lasso 2.5.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A flaw was found in Red Hat Satellite (Foreman component). Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable. No vendor patch available.
The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.
Redis is an open source, in-memory database that persists on disk. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity.
The issue was addressed with improved checks. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
This issue was addressed through improved state management. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
This issue was addressed with improved checks. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
This issue was addressed with improved checks This issue is fixed in tvOS 26.1, watchOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, Safari 26.1, visionOS 26.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A use-after-free issue was addressed with improved memory management. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A use-after-free issue was addressed with improved memory management. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The issue was addressed with improved memory handling. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
This issue was addressed through improved state management. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A buffer overflow was addressed with improved bounds checking. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
This issue was addressed through improved state management. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The issue was addressed with improved memory handling. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Multiple issues were addressed by disabling array allocation sinking. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The issue was addressed with improved memory handling. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The issue was addressed with improved handling of caches. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
React Native Metro Development Server binds to external interfaces by default and contains an OS command injection endpoint, allowing unauthenticated network attackers to execute arbitrary code.
Use-after-free in X.Org X server and Xwayland during Present extension notification processing allows local authenticated users to achieve arbitrary code execution or denial of service. The flaw affects core display server components across multiple Linux distributions, with Red Hat confirming patches through 15 security advisories (RHSA-2025:19432 through RHSA-2025:22055). CVSS 7.3 reflects high integrity and availability impact with low confidentiality impact. No active exploitation confirmed (not in CISA KEV). EPSS data not provided, but the local attack vector and authentication requirement reduce remote exploitation risk despite the severity of potential impact.
A flaw was found in Red Hat Openshift AI Service. The TrustyAI component is granting all service accounts and users on a cluster permissions to get, list, watch any pod in any namespace on the cluster. TrustyAI is creating a role `trustyai-service-operator-lmeval-user-role` and a CRB `trustyai-service-operator-default-lmeval-user-rolebinding` which is being applied to `system:authenticated` making it so that every single user or service account can get a list of pods running in any namespace on the cluster Additionally users can access all `persistentvolumeclaims` and `lmevaljobs`
Denial of service in Apache Tomcat occurs when multipart upload errors leave temporary disk files uncleaned, allowing attackers to exhaust disk space faster than garbage collection reclaims it. Affected versions 8.5.0-8.5.100 (EOL), 9.0.0-M1-9.0.109, 10.1.0-M1-10.1.46, and 11.0.0-M1-11.0.11 require authenticated access (PR:L) and high attack complexity, making real-world exploitation limited despite the medium CVSS score.
ANSI escape sequence injection in Apache Tomcat log messages enables console manipulation and social engineering attacks against administrators on Windows systems. Attackers can craft malicious URLs that inject escape sequences into Tomcat logs, potentially manipulating console output and clipboard contents to trick administrators into executing attacker-controlled commands. This affects Tomcat 9.0.40-9.0.108, 10.1.0-M1-10.1.44, and 11.0.0-M1-11.0.10, with highest risk when Tomcat runs in ANSI-capable Windows consoles. Despite the 9.6 CVSS score, real-world risk is lower as exploitation requires user interaction (administrator viewing logs in console), scope change indicating console compromise beyond Tomcat process, and specific Windows deployment configuration. No active exploitation confirmed (not in CISA KEV), and EPSS data not available at time of analysis.
Path traversal in Apache Tomcat versions 9.x through 11.x allows authenticated attackers to bypass security constraints protecting /WEB-INF/ and /META-INF/ directories when URL rewriting rules manipulate query parameters. Successful exploitation combined with enabled PUT requests enables remote code execution through malicious file upload. Apache Security Team confirms publicly available exploit code exists. The vulnerability stems from a regression in the fix for bug 60013, where URL normalization occurs before decoding, creating an exploitable window in specific rewrite configurations.
Unauthorized data access in Oracle Java SE JAXP component allows remote unauthenticated attackers to exfiltrate sensitive information from multiple Java platforms including Oracle Java SE (8u461 through 25), GraalVM for JDK (17.0.16, 21.0.8), and GraalVM Enterprise Edition (21.3.15). Exploitation requires no authentication, low complexity, and can occur through web services supplying malicious data to JAXP APIs or via sandboxed Java Web Start/applet deployments loading untrusted code. Oracle released patches in October 2025 Critical Patch Update with EPSS data unavailable at time of analysis. CVSS 7.5 reflects pure confidentiality impact with network attack vector.
Improper access control in Oracle Java SE, GraalVM for JDK, and GraalVM Enterprise Edition allows unauthenticated remote attackers to create, delete, or modify critical data when APIs in the Security component are exposed via web services or similar mechanisms. The vulnerability affects Java 8u461 through 25 and carries a CVSS 5.9 with high integrity impact, though exploitation is difficult (AC:H) and no public exploit or active KEV status has been confirmed.
Remote code execution in Mozilla Firefox 143 and Thunderbird 143 allows unauthenticated network attackers to execute arbitrary code via memory corruption. The vulnerability stems from a memory safety bug (CWE-119 buffer overflow) exploitable without user interaction. CVSS score of 9.8 reflects critical severity with network-based attack vector, low complexity, and no privileges required. Vendor-released patches are available in Firefox 144 and Thunderbird 144. No public exploit identified at time of analysis, though Mozilla's assessment indicates the memory corruption is presumed exploitable with sufficient effort.
Use-after-free memory corruption in Mozilla Thunderbird 143+ and Firefox allows remote code execution via malicious web extensions exploiting the native messaging API on Windows. CVSS 9.8 (critical) with network-based attack vector requiring no user interaction or authentication. Patched in Firefox 144 and Thunderbird 144. No public exploit identified at time of analysis, but CVSS metrics indicate high exploitability (AV:N/AC:L/PR:N/UI:N) with complete impact to confidentiality, integrity, and availability.
Memory corruption in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird ESR 140.3 enables remote arbitrary code execution when users interact with malicious content. Exploitation requires user interaction (opening crafted web content or email), but no authentication is needed. Mozilla issued patches in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird ESR 140.4. With CVSS 8.8 and EPSS data unavailable, the vulnerability represents critical risk to unpatched installations. No public exploit identified at time of analysis, though Mozilla's acknowledgment of memory corruption evidence suggests exploitation is technically feasible.
Memory corruption vulnerabilities in Mozilla Firefox and Thunderbird allow remote code execution when users interact with malicious web content. Affects Firefox ESR 115.28 and below, Firefox ESR 140.3 and below, Firefox 143 and below, Thunderbird 143 and below, and Thunderbird ESR 140.3 and below. Mozilla confirmed memory safety bugs with evidence of memory corruption presumed exploitable for arbitrary code execution. Vendor-released patches available: Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4. CVSS 8.8 severity driven by network attack vector with low complexity requiring only user interaction, no authentication required. No public exploit identified at time of analysis, though multiple internal bug reports suggest coordinated fix effort.
Command injection via Firefox/Thunderbird 'Copy as cURL' feature on Windows allows remote attackers to execute arbitrary commands when users copy network requests as cURL commands and paste them into terminals. Affects Firefox <144, Firefox ESR <140.4, Thunderbird <144, and Thunderbird <140.4 exclusively on Windows platforms. No public exploit identified at time of analysis, but attack vector requires only user interaction (CVSS PR:N/UI:R) with no privileges needed.
Firefox and Thunderbird allow cross-site scripting (XSS) attacks when a malicious page uses the type attribute of an OBJECT tag to override default browser behavior for resources served without a content-type header. An attacker can craft a malicious webpage that exploits this flaw to execute arbitrary JavaScript in the context of a vulnerable site that unsafely omits content-type headers, affecting Firefox versions before 144, Firefox ESR before 140.4, Thunderbird before 144, and Thunderbird ESR before 140.4. No public exploit code or active exploitation has been identified at time of analysis.
Modify read-only JavaScript Object properties in Firefox and Thunderbird via crafted web content, allowing attackers to bypass property immutability protections and alter application state. Affects Firefox versions below 144, Firefox ESR below 115.29 and 140.4, Thunderbird below 144 and 140.4. Requires user interaction (malicious website visit) but no authentication. CVSS 6.5 reflects high integrity impact with user-interaction requirement; no evidence of active exploitation or public exploit code at time of analysis.
Information disclosure in Mozilla Firefox and Thunderbird allows unauthenticated remote attackers to extract privileged browser process memory via malicious IPC messages from a compromised web content process. Affects Firefox <144, Firefox ESR <115.29 and <140.4, and Thunderbird <144 and <140.4. CVSS 9.8 indicates network-exploitable with no auth required, though actual exploitation requires first compromising a web content process. Vendor-released patches available (Firefox 144, Firefox ESR 115.29/140.4, Thunderbird 144/140.4). No public exploit identified at time of analysis; EPSS data not provided.
Out-of-bounds memory corruption in Mozilla Firefox and Thunderbird allows unauthenticated remote attackers to achieve code execution via malicious WebGL texture operations. A compromised web content process can exploit manipulated WebGL textures to trigger out-of-bounds reads and writes in privileged browser processes, potentially leading to full system compromise. Affects Firefox <144, Firefox ESR <115.29 and <140.4, and Thunderbird <144 and <140.4. Vendor-released patches available across all affected product lines. CVSS 9.8 reflects network-accessible, no-authentication-required attack with high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the specific Bugzilla reference (1989127) indicates detailed technical analysis exists.
Remote code execution in Mozilla Firefox (all versions prior to 144, ESR prior to 140.4) and Thunderbird (all versions prior to 144, ESR prior to 140.4) allows unauthenticated remote attackers to execute arbitrary code, disclose sensitive information, or cause denial of service through a use-after-free vulnerability in MediaTrackGraphImpl::GetInstance(). With a critical CVSS score of 9.8 and no authentication required, this memory corruption flaw represents a severe security risk. No public exploit identified at time of analysis, though EPSS data not available to assess exploitation probability.
A privilege escalation vulnerability exists in the integration between Active Directory and the System Security Services Daemon (SSSD) on Linux systems, where an attacker with permissions to modify AD attributes can impersonate privileged users by exploiting a fallback mechanism in the Kerberos authentication plugin. The vulnerability affects domain-joined Linux hosts running SSSD in default configurations and allows attackers to gain unauthorized access with high privileges. With a low EPSS score of 0.05% and no KEV listing, this appears to be a theoretical risk requiring existing AD permissions rather than an actively exploited vulnerability.
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: call disconnect callback before deleting conn In hci_cs_disconnect, we do hci_conn_del even if disconnection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.
In the Linux kernel, the following vulnerability has been resolved: fs: dlm: fix use after free in midcomms commit While working on processing dlm message in softirq context I experienced the. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.
In the Linux kernel, the following vulnerability has been resolved: blk-mq: use quiesced elevator switch when reinitializing queues The hctx's run_work may be racing with the elevator switch when. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.
A null pointer dereference vulnerability exists in the Linux kernel's AMD display driver (drm/amd/display) within the dm_resume() function, where the aconnector->dc_link pointer is dereferenced without proper null checks. An unprivileged local attacker with user-level access can trigger a kernel panic and cause a denial of service by inducing a display resume operation. While the CVSS score is moderate (5.5) and EPSS exploitation probability is very low (0.01%), this vulnerability is straightforward to trigger given local access and affects all Linux kernel versions with the vulnerable AMD display driver code.
A logic error in the Linux kernel's device mapper thin pool module causes infinite loops and system hangs when metadata commits fail. The vulnerability affects Linux kernel systems with dm-thin storage pools; when a commit fails during btree metadata operations, the pmd->root pointer is not properly restored to the last valid transaction state, causing subsequent read operations to traverse a corrupted btree structure. An unprivileged local attacker with access to the system can trigger this denial of service condition, resulting in kernel softlockups and system hangs. While no public exploit code is widely distributed, the vulnerability is straightforward to trigger through storage I/O operations on affected systems.
A null pointer dereference vulnerability exists in the Linux kernel's WiFi mac80211 MLME (MAC Layer Management Entity) implementation that crashes the kernel during WiFi association tracing when an AP connection without link 0 fails. The vulnerability affects all Linux kernel versions with the vulnerable code path in the mac80211 wireless driver subsystem, allowing a local authenticated attacker to trigger a denial of service condition. The EPSS score of 0.01% indicates this is rarely exploited in practice, though patches are publicly available from kernel.org.
A resource leak vulnerability exists in the Linux kernel's mpt3sas SCSI transport driver where the sas_rphy_add() function can fail without properly freeing allocated resources, leading to a NULL pointer dereference and kernel crash during device removal. This affects Linux kernel implementations across multiple versions that use the mpt3sas driver for SAS (Serial Attached SCSI) HBA management. An unprivileged local attacker with sufficient privileges to trigger transport port operations can cause a denial of service by inducing a kernel panic, though the low EPSS score of 0.01% suggests exploitation is not practically demonstrated in the wild.
An information leak vulnerability exists in the Linux kernel's TIPC (Transparent Inter-Process Communication) subsystem within the tipc_topsrv_kern_subscr() function. The vulnerability occurs due to incomplete initialization of the sub.usr_handle field, leaving four bytes uninitialized when setsockopt() is called with SOL_TIPC options, allowing kernel memory contents to be leaked to user space. This affects Linux kernel versions including 6.1-rc1 and potentially others; while the EPSS score is extremely low at 0.01% percentile, the vulnerability requires local access and low privileges to trigger, making it a lower-priority but real information disclosure issue that has been patched by multiple vendors.
A null pointer dereference vulnerability exists in the Linux kernel's block layer (blk-mq) memory allocation path that can be triggered by a local, low-privileged user to cause a denial of service. The vulnerability affects Linux kernel versions including 6.1-rc1 and potentially other versions where a failed memory allocation during block queue tag initialization leaves a dangling pointer that is later dereferenced during cleanup. While the EPSS score is low (0.02%, percentile 4%), the vulnerability is straightforward to trigger under memory pressure conditions, requires only local access with minimal privileges, and has vendor patches available.
A memory leak vulnerability exists in the Linux kernel's test_firmware module initialization function (test_firmware_init) where allocated memory for test_fw_config->name is not properly freed when misc_register() fails. This affects all versions of the Linux kernel with the test_firmware module compiled, allowing local authenticated attackers to exhaust kernel memory and cause a denial of service. The vulnerability has a patch available from the Linux kernel maintainers, with an EPSS score of 0.01% indicating very low real-world exploitation probability despite the moderate CVSS score.
A memory leakage and potential segmentation fault vulnerability exists in the Linux kernel's AMD KFD (Kernel Fusion Driver) GPU memory management subsystem, specifically in the _gpuvm_import_dmabuf() function. The vulnerability affects Linux kernel versions across multiple branches and can be exploited by local users with low privilege levels to cause denial of service through memory corruption. Patches are available from the Linux kernel stable branches, and while the EPSS score is very low (0.01%, percentile 3%), the vulnerability has moderate CVSS severity (5.5) due to its ability to cause system availability impact.
A null pointer dereference vulnerability exists in the Linux kernel's AMD GPU (amdgpu) driver in the amdgpu_bo_validate_size() function. When validating buffer object sizes for non-exclusive memory domains, the function fails to verify that the TTM (Translation Table Maps) domain manager exists before dereferencing it, leading to a kernel oops and denial of service. Local attackers with unprivileged user privileges can trigger this vulnerability to crash the system. While patches are available from the vendor, the EPSS score of 0.01% and very low exploitation probability suggest this is a low-priority issue in practice despite the denial-of-service impact.
A memory corruption vulnerability exists in the Linux kernel's MSM display port driver that occurs when more than eight display bridges are connected, allowing local attackers with low privileges to corrupt kernel memory beyond a fixed-size array. The vulnerability affects Linux kernel versions up to 6.1-rc2 and requires local access to exploit, with no known active exploitation in the wild (not in KEV) and a very low EPSS score of 0.02% indicating minimal real-world exploitation likelihood.
A resource leak vulnerability exists in the Linux kernel's FSL PAMU (Freescale Peripheral Access Management Unit) IOMMU driver where the fsl_pamu_probe() function fails to release IRQ and memory resources when the create_csd() function returns an error, allowing a local privileged attacker to cause a denial of service through resource exhaustion. The vulnerability affects multiple Linux kernel versions across stable branches and has an EPSS score of 0.01% (percentile 2%), indicating low real-world exploitation probability despite the moderate CVSS 5.5 score. Patches are available from the Linux kernel maintainers across multiple stable branches.
A null pointer dereference vulnerability exists in the Linux kernel's MediaTek IOMMU driver where the platform_get_resource() function may return a NULL pointer without proper validation, leading to a crash when resource_size() attempts to dereference it. This affects all versions of the Linux kernel with the vulnerable MediaTek IOMMU code. A local attacker with low privileges can trigger a denial of service by causing a kernel panic, though the vulnerability is unlikely to be actively exploited in the wild given the low EPSS score of 0.01%.
A memory leak vulnerability exists in the Linux kernel's Rockchip clock driver (rockchip_clk_register_pll function) where allocated memory from kmemdup() is not freed when clk_register() fails, potentially causing denial of service through memory exhaustion. All versions of the Linux kernel with Rockchip clock support are affected. An attacker with local privileges can trigger repeated clock registration failures to exhaust system memory and crash the system, with an EPSS score of 0.01% indicating very low real-world exploitation probability despite the moderate CVSS score of 5.5.
A memory leak vulnerability exists in the Linux kernel's mxm-wmi (MXM WMI) platform driver where the ACPI buffer returned by wmi_evaluate_method() is not properly freed after invocation, leading to kernel memory exhaustion and potential denial of service. The vulnerability affects all versions of the Linux kernel with the mxm-wmi driver enabled, particularly systems with NVIDIA/AMD discrete GPU switching support. A local attacker with standard user privileges can repeatedly trigger the affected code path to exhaust kernel memory and crash the system, though the extremely low EPSS score (0.01th percentile) suggests exploitation is not actively observed in the wild.
This is a reference counting memory leak in the Linux kernel's radeon graphics driver, specifically in the radeon_atrm_get_bios() function where a PCI device pointer obtained via pci_get_class() is not properly released when loop conditions cause early exit. An authenticated local attacker with low privileges can trigger this vulnerability to cause a denial of service through kernel memory exhaustion, as unreleased PCI device objects accumulate in kernel memory. While no public exploit code exists (EPSS 0.01% indicates minimal real-world exploitation probability), the vulnerability affects all Linux kernel versions running the radeon driver and patches are available across multiple stable kernel series.
This vulnerability in the Linux kernel's NILFS2 filesystem causes a kernel panic when the system is booted with panic_on_warn enabled and checkpoint metadata corruption is detected. A local attacker with standard user privileges can trigger this denial of service by crafting malicious NILFS2 filesystem images or corrupting checkpoint metadata on disk, causing the kernel to panic and crash the system. The vulnerability affects multiple Linux kernel versions across several stable branches, with patches available from the vendor, but EPSS exploitation probability remains very low at 0.01 percentile, indicating this is not actively exploited in the wild.
A race condition vulnerability exists in the Linux kernel's parisc architecture-specific firmware call pdc_iodc_print() that allows local attackers to cause buffer overflows and potentially execute arbitrary code. The vulnerability affects Linux kernel versions from 2.6.25 through versions before the patched releases, requiring local access with low privileges to exploit. With an EPSS score of only 0.01%, this vulnerability has very low exploitation likelihood in the wild despite its high CVSS score of 7.8.