Red Hat
Monthly
Remote code execution in Google Chrome versions prior to 149.0.7827.53 allows an attacker on the same local network segment (adjacent network) to execute arbitrary code by sending malicious traffic to the browser's Cast component. The flaw stems from a use-after-free memory corruption issue in the Cast feature (used for media streaming to devices like Chromecast) and is rated High severity by Chromium with a CVSS score of 8.8. No public exploit identified at time of analysis, though a vendor patch has been released.
Sandbox escape in Google Chrome on macOS prior to 149.0.7827.53 lets a remote attacker who has already compromised the renderer process break out of the Chromium sandbox via a crafted HTML page that triggers an out-of-bounds write in Skia. Google rates the underlying Chromium issue High severity and a vendor patch is available, though no public exploit code has been identified at time of analysis.
Sandbox escape in Google Chrome's Chromecast component prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. Rated High severity by the Chromium project with a CVSS of 8.3, the flaw requires a prior renderer compromise and user interaction, and no public exploit identified at time of analysis. Successful exploitation gives attackers code execution outside the renderer's restricted context, dramatically expanding impact on the host.
Arbitrary code execution in Google Chrome for Android prior to 149.0.7827.53 stems from a use-after-free flaw in the WebAppInstalls component, triggered when a victim opens a malicious file. Although the CVSS vector lists a network attack vector with high impact across confidentiality, integrity, and availability, exploitation requires user interaction and no public exploit identified at time of analysis. EPSS probability is very low (0.01%) and SSVC indicates no observed exploitation, suggesting the immediate threat is limited despite the High severity rating from Chromium.
Same-origin policy bypass in Google Chrome's DevTools component prior to version 149.0.7827.53 allows remote attackers to violate browser security boundaries when victims perform specific UI gestures on attacker-controlled pages. The flaw stems from insufficient validation of untrusted input within DevTools and is rated High severity by Chromium with a CVSS of 8.8, though no public exploit identified at time of analysis and EPSS is very low at 0.02%.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 is possible via an integer overflow in the Dawn WebGPU implementation, allowing a remote attacker who has already compromised the renderer process to break out of the browser sandbox using a crafted HTML page. Google rates the Chromium severity as High and a vendor patch is available; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Sandbox escape in Google Chrome on macOS prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page abusing the WebShare component. The bug is rated High severity by Chromium and carries a CVSS 8.3 with scope change reflecting the sandbox boundary crossing, though no public exploit has been identified at time of analysis.
Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High severity by Chromium and CVSS 8.3, and while no public exploit is identified at time of analysis, sandbox escapes in ANGLE have historically been chained with renderer RCE bugs to achieve full system compromise.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a use-after-free flaw in the Viz compositor component. Exploitation requires a crafted HTML page and victim interaction, and Google has rated the underlying Chromium security severity as High. No public exploit has been identified at time of analysis, but this class of bug is historically chained with renderer RCE bugs to achieve full browser compromise.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page exploiting insufficient input validation in the Media component. Google rates the Chromium security severity as High, and no public exploit has been identified at time of analysis. Successful exploitation requires chaining with a separate renderer compromise plus user interaction, raising attack complexity but yielding full host-level impact if achieved.
Universal Cross-Site Scripting (UXSS) in Google Chrome's DevTools component allows an attacker who has already compromised the renderer process to inject arbitrary scripts or HTML across security origins via a crafted HTML page, bypassing the same-origin policy. Affected versions are all Chrome releases prior to 149.0.7827.53. No public exploit code exists and no active exploitation has been observed; this vulnerability functions as a second-stage capability within a broader attack chain requiring prior renderer compromise.
Sandbox escape in Google Chrome on iOS prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. The flaw is a use-after-free in the Core component rated High severity by Chromium, and no public exploit identified at time of analysis. Exploitation requires user interaction (visiting a malicious page) and chaining with a prior renderer compromise, raising the practical bar despite the 8.3 CVSS score.
Remote code execution in Google Chrome's ANGLE graphics layer on Windows prior to version 149.0.7827.53 allows attackers to execute arbitrary code inside the renderer sandbox when a victim visits a crafted HTML page. The flaw is a use-after-free (CWE-416) memory corruption issue rated High severity by Chromium, requires user interaction to trigger, and no public exploit has been identified at time of analysis.
Remote code execution in Google Chrome on Windows (versions prior to 149.0.7827.53) is possible through a use-after-free vulnerability in the ANGLE graphics translation layer, triggered when a victim visits a crafted HTML page. Successful exploitation yields arbitrary code execution constrained to the Chrome renderer sandbox, with Chromium rating the severity as High and CVSS scored at 8.8. There is no public exploit identified at time of analysis and CISA SSVC marks exploitation status as none, but the bug class (UAF in GPU translation) is historically a popular target for chained sandbox escapes.
Same-origin policy bypass in Google Chrome's Extensions component prior to version 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to perform unauthorized cross-origin actions via a crafted HTML page. The vulnerability stems from insufficient input validation (CWE-20) in the Extensions subsystem and carries a CVSS integrity impact of High with no confidentiality or availability loss. No active exploitation has been confirmed - EPSS sits at 0.02% (6th percentile), SSVC exploitation status is 'none', and the CVE is not listed in CISA KEV - but a vendor-released patch is available.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page abusing the Media component. Google rates the issue High severity and a vendor patch is available, though no public exploit has been identified at time of analysis.
Remote code execution in Google Chrome's V8 JavaScript engine prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code inside the renderer sandbox via a crafted HTML page. The flaw is a type confusion bug (CWE-843) rated High severity by Chromium with a CVSS 8.8 score; no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV. User interaction is required, as the victim must visit attacker-controlled or compromised content.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 enables a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a use-after-free flaw in the Dawn WebGPU implementation. Exploitation requires luring a victim to a crafted HTML page and chaining this bug with a prior renderer compromise, but the impact is full sandbox escape with high confidentiality, integrity, and availability consequences. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Out-of-bounds write in the ANGLE graphics layer of Google Chrome versions prior to 149.0.7827.53 enables remote attackers to trigger heap corruption and potentially execute arbitrary code by luring a victim to a crafted HTML page. Chromium rates the severity as High and CVSS 8.8 reflects the network attack vector with required user interaction. No public exploit identified at time of analysis, though the bug class (memory corruption in a browser-exposed component) is historically a prime target for weaponization.
Heap corruption in Google Chrome's WebAuthentication component prior to version 149.0.7827.53 allows remote attackers to potentially execute arbitrary code through a crafted HTML page combined with user interaction. The flaw is a use-after-free (CWE-416) rated High severity by Chromium and carries a CVSS 7.5 score, though exploitation requires specific UI gestures from the victim. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Sandbox escape in Google Chrome prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a use-after-free in the Network component, triggered by a crafted HTML page. Chromium rates the severity as High and a vendor patch is available; no public exploit identified at time of analysis.
Remote code execution in Google Chrome's V8 JavaScript engine prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the browser sandbox by luring a user to a crafted HTML page. Rated High severity by Chromium with a CVSS 8.8, the flaw requires user interaction (visiting a malicious site) but no authentication or privileges. No public exploit has been identified at the time of analysis, and the issue is not currently listed in CISA KEV.
Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the WebRTC component that lets a remote attacker run arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. Google rates the underlying Chromium issue as High severity, and no public exploit is identified at time of analysis, though publicly available patch metadata and Chromium bug tracker entries (issue 503422316) confirm the fix.
Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the Ozone graphics abstraction layer, rated Critical by Chromium's internal severity classification. Remote attackers can trigger arbitrary code execution within the browser's rendering context by enticing a victim to visit a crafted HTML page. There is no public exploit identified at time of analysis, and CISA SSVC scoring indicates no observed exploitation, though the technical impact is rated total.
Remote code execution in Google Chrome on macOS prior to version 149.0.7827.53 stems from a use-after-free condition in the Passwords component, allowing a remote attacker to execute arbitrary code if a victim is convinced to perform specific UI gestures on a crafted HTML page. Chromium rates the underlying severity as Critical, though CVSS scores it 7.5 due to high attack complexity and required user interaction. There is no public exploit identified at time of analysis and SSVC indicates exploitation status is none.
Remote heap corruption in Google Chrome on macOS prior to 149.0.7827.53 stems from a use-after-free in the Passwords component, letting a remote attacker who lures a user into specific UI interactions trigger memory corruption via a crafted HTML page. Chromium rates the underlying flaw Critical and a vendor patch is available, though no public exploit has been identified at time of analysis and active exploitation has not been confirmed by CISA KEV.
Heap corruption in Google Chrome's Ozone display layer on Linux versions prior to 149.0.7827.53 allows remote attackers to potentially achieve code execution by enticing a user to perform specific UI gestures on a crafted HTML page. Chromium rates the underlying issue as Critical severity, and no public exploit has been identified at time of analysis. The defect is a use-after-free (CWE-416) reachable from the renderer's interaction with the Linux display abstraction.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows remote attackers who have already compromised the renderer process to potentially break out of the sandbox via a stack buffer overflow in the GPU component triggered by a crafted HTML page. Chromium rates this as Critical severity, and while no public exploit has been identified at time of analysis, the vendor has released a patched stable channel build addressing the issue.
Sandbox escape in Google Chrome's GPU component prior to version 149.0.7827.53 allows remote attackers to break out of the renderer sandbox via a crafted HTML page when a user visits a malicious site. Google's Chromium team rated the underlying issue Critical severity, and while a patch is available, no public exploit identified at time of analysis and EPSS estimates exploitation probability at only 0.03%.
Remote code execution in Google Chrome for iOS prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code by enticing a user to visit a crafted HTML page. Chromium rates the underlying use-after-free as Critical severity, though SSVC currently shows no observed exploitation and no public exploit identified at time of analysis. The CVSS 8.8 rating reflects high impact across confidentiality, integrity, and availability, tempered by a required user interaction (visiting the malicious page).
Remote code execution in Google Chrome's Ozone display server layer affects all desktop versions prior to 149.0.7827.53, where a use-after-free memory corruption flaw can be triggered by a crafted HTML page. Chromium-internal severity is rated Critical and the CVSS 3.1 score of 8.8 reflects high impact across confidentiality, integrity, and availability, though exploitation requires user interaction (visiting an attacker-controlled page). No public exploit has been identified at time of analysis, and CISA SSVC currently lists Exploitation as 'none'.
Sandbox escape in Google Chrome on Linux prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page that triggers a use-after-free in the Printing component. Google rates the underlying Chromium issue as Critical severity, and no public exploit is identified at time of analysis. The CVSS 8.3 score reflects the chained nature of the attack and the scope change that results when sandbox boundaries are crossed.
Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the Chromoting (Chrome Remote Desktop) component, which Google rated Critical internally. A remote attacker can deliver malicious network traffic to a user with an active Chromoting session and execute arbitrary code in the browser context, though user interaction is required per the CVSS vector. No public exploit identified at time of analysis, and EPSS probability is very low (0.04%).
Sandbox escape in Google Chrome for Android versions prior to 149.0.7827.53 stems from an out-of-bounds write in the GPU process that a remote attacker can trigger via a crafted HTML page. Google rates the underlying Chromium issue as Critical severity, and while a vendor patch is available, no public exploit identified at time of analysis and EPSS sits at 0.03% (11th percentile). The CVSS scope-changed vector (S:C) reflects the impact of breaking out of Chrome's sandbox to affect the broader Android OS context.
Heap corruption in Google Chrome's GFX component on Linux prior to version 149.0.7827.53 allows remote attackers to potentially achieve code execution when a victim visits a crafted HTML page. Google rates the underlying Chromium issue as Critical severity, and a vendor patch is available; no public exploit identified at time of analysis.
Heap corruption in Google Chrome's Cast component prior to version 149.0.7827.53 allows adjacent-network attackers to trigger a use-after-free condition through crafted network traffic, potentially leading to arbitrary code execution within the renderer. Chromium rates the underlying severity as Critical, and no public exploit identified at time of analysis, though the AV:A vector means any attacker sharing the victim's LAN or Wi-Fi segment can attempt exploitation without authentication or user interaction.
Out-of-bounds read in the ANGLE graphics layer of Google Chrome before 149.0.7827.53 enables a remote attacker who has already compromised the renderer process to potentially escape the browser sandbox via a crafted HTML page. Chromium rates the underlying issue Critical severity, and while no public exploit has been identified at time of analysis, the bug is in a historically targeted attack surface (GPU/ANGLE) frequently abused in renderer-to-broker escape chains.
Remote code execution in Google Chrome's Cast Streaming component (versions prior to 149.0.7827.53) allows an attacker on the same local network segment to execute arbitrary code by sending malicious network traffic to a vulnerable browser. The flaw is rated Critical by the Chromium project and carries a CVSS 3.1 score of 8.8, with no public exploit identified at time of analysis.
Remote code execution in Google Chrome on macOS prior to 149.0.7827.53 stems from a use-after-free flaw in the Chromoting (Chrome Remote Desktop) component, allowing remote attackers to execute arbitrary code by delivering malicious network traffic. Google's Chromium team rates the underlying defect as Critical severity, and no public exploit has been identified at time of analysis, though the bug class historically attracts in-the-wild exploitation against browser users.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows remote attackers to exploit a use-after-free condition in the FileSystem component via a crafted HTML page, with user interaction required. Google has rated the underlying Chromium issue as Critical severity, and a vendor patch is available; no public exploit identified at time of analysis, though the high CVSS score (9.6) and scope-changed impact warrant rapid patching.
Remote code execution in Google Chrome for iOS versions prior to 149.0.7827.53 allows a remote attacker to execute arbitrary code by luring a victim to a crafted HTML page that triggers a use-after-free condition. The flaw is rated Critical by Chromium and carries a CVSS 8.8 score, and while no public exploit is identified at time of analysis, the user-interaction-only barrier (visiting a page) makes drive-by exploitation a realistic concern for unpatched iOS Chrome users.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 enables a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page targeting a use-after-free flaw in the Chromecast component. Google classifies the underlying issue as Critical severity, and no public exploit has been identified at time of analysis. The bug requires chaining with a separate renderer compromise, which lowers standalone exploitability but makes it valuable as the second stage of a full browser exploit chain.
Heap corruption in Google Chrome's ANGLE graphics translation layer prior to version 149.0.7827.53 allows remote attackers to potentially achieve code execution by enticing a user to visit a crafted HTML page. Chromium rates the severity as Critical and the CVSS score is 8.8 (High), but no public exploit identified at time of analysis. The flaw is a type confusion issue that maps to CWE-787 (out-of-bounds write), affecting the browser's WebGL/graphics rendering path.
Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the Network component, allowing a remote attacker to execute arbitrary code within the renderer process when a user visits a crafted HTML page. Google rated this issue Critical at the Chromium level, and a vendor patch is available; no public exploit identified at time of analysis.
Sandbox escape in Google Chrome's ANGLE graphics layer prior to version 149.0.7827.53 allows a remote attacker to trigger an out-of-bounds read and write via a crafted HTML page, with a CVSS 9.6 reflecting scope change and high impact across confidentiality, integrity, and availability. The flaw was rated Critical internally by Chromium and reported by Google's own CVE admin team; no public exploit identified at time of analysis, and CISA SSVC currently lists exploitation status as none.
Local root code execution in libinput versions before 1.30.4 and 1.31.x before 1.31.3 is possible because the libinput-device-group helper fails to escape the 'phys' string returned for an input device, allowing injection of attacker-controlled udev properties that are subsequently evaluated as privileged actions. The flaw, tracked as CWE-93 (CRLF/property injection), enables an unprivileged local user who can attach or simulate a device with a crafted physical-path identifier to escalate to root. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Open redirect in WebOb (pip/webob <= 1.8.9) enables unauthenticated network attackers to redirect victims to arbitrary attacker-controlled domains by bypassing the prior CVE-2024-42353 patch. The bypass exploits Python 3.10+'s silent stripping of ASCII control characters (tab, CR, LF) from URLs before parsing, so a crafted path like /\t/attacker.com passes the previous // guard, then gets normalized by urlsplit into a protocol-relative URL pointing to attacker.com. No public exploit has been identified at time of analysis beyond the advisory's own proof-of-concept code, but the bypass technique is trivial and the full exploit path is published in the GitHub advisory GHSA-fh3h-vg37-cc95.
Local privilege escalation in NetworkManager's dhclient backend allows a low-privileged local user to execute arbitrary OS commands with elevated privileges by supplying a crafted Manufacturer Usage Description (MUD) URL. Exploitation is strictly limited to systems where an administrator has explicitly reconfigured NetworkManager to use the dhclient backend - a non-default setting - meaning the vast majority of deployments are unaffected by design. CVSS 6.7 (local vector, high complexity, user interaction required) accurately reflects the constrained exploitation conditions; no public exploit code or CISA KEV listing exists at time of analysis.
Use-after-free in libexpat before 2.8.2 allows memory corruption, information disclosure, and potential code execution when prohibited API functions are called from within XML event handler callbacks. All libexpat consumers - including language bindings such as CPython's xml.parsers.expat - are affected when handler code (or attacker-influenced handler logic) invokes XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset in a re-entrant manner during active parsing. No public exploit code exists at time of analysis and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog, but the CPython project has an associated open issue (python/cpython#146169) indicating ecosystem-wide reach.
Resource exhaustion in Open vSwitch v3.6.90 allows an authenticated attacker with OVSDB write access to crash the virtual switch by requesting an unbounded number of handler or revalidation threads via a missing upper-bound check in the udpif_set_threads() function. The SSVC framework confirms a proof-of-concept exploit exists, though the vulnerability is not listed in CISA KEV and automated mass exploitation is assessed as unlikely due to the required management-plane authentication. With CVSS 6.5 and impact limited to availability, this is a moderate-priority finding that becomes high-priority in environments where OVSDB write access is broadly granted or inadequately segmented.
Arbitrary file write on OpenStack Ironic conductor nodes is achievable via path traversal in virtual media ISO handling (OSSA-2026-018). Authenticated attackers who can supply a malicious ISO image through the deploy_iso_href parameter can write files to arbitrary locations on the conductor host, constrained only by the ironic-conductor process's filesystem permissions. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV, but the vulnerability carries a CVSS 3.1 score of 6.5 and is rated Critical severity by the Ironic project.
Remote denial of service in the Linux kernel ibmveth driver on IBM Power systems allows attackers to freeze physical network adapters by transmitting GSO packets with an MSS below 224 bytes, halting all traffic until manual reset. The flaw affects multiple stable kernel branches and is fixed upstream, with no public exploit identified at time of analysis and an EPSS score of 0.02% (7th percentile) reflecting low expected exploitation volume despite the high CVSS of 8.6.
Race condition in the Linux kernel's CoreSight TMC-ETR (Trace Memory Controller, Embedded Trace Router) driver triggers a kernel WARN_ON() when sysfs and perf hardware tracing modes are enabled concurrently, resulting in a denial-of-service condition against the tracing subsystem. The sysfs enable path is split across two separate spinlock-protected critical sections, creating a window where perf mode can initialize drvdata->etr_buf between the sysfs buffer allocation and hardware enablement steps - causing tmc_etr_enable_hw() to encounter an already-initialized pointer and fire WARN_ON(). No public exploit exists and EPSS is 0.02% (4th percentile), indicating near-zero real-world exploitation probability; patched kernel versions 6.18.14, 6.19.4, and 7.0 are available.
Denial of service in the Linux kernel ath12k Wi-Fi driver affects systems using Qualcomm WCN7850 chipsets with multi-link operation (MLO) connections. When Wake-on-WLAN (WoW) offloads are configured on both primary and secondary links during a multi-link connection, the WCN7850 firmware crashes, disrupting wireless connectivity. EPSS exploitation probability is very low (0.02%, 4th percentile) and no public exploit identified at time of analysis, suggesting this is primarily a stability/reliability fix rather than a security priority.
Use-after-free in the Linux kernel's rt9455 power supply driver allows local attackers to trigger memory corruption or system crashes via a race condition during driver probe or removal. The flaw stems from incorrect ordering of devm_-managed resource allocation, where the IRQ handler can fire against a freed or uninitialized power_supply handle. EPSS is very low (0.02%, 7th percentile) and no public exploit is identified at time of analysis, but the CVSS score of 8.4 reflects high impact on confidentiality, integrity, and availability for systems shipping the rt9455 Richtek battery charger driver.
NULL pointer dereference in the Linux kernel's Canaan K230 pinctrl driver causes a local denial of service during device tree parsing. Specifically, k230_pinctrl_parse_functions() dereferences info->pctl_dev->dev before info->pctl_dev is initialized, triggering a kernel panic on systems using the K230 SoC. A low-privileged local attacker on affected hardware can crash the kernel, fully denying system availability. No public exploit code exists and EPSS of 0.02% (5th percentile) indicates minimal exploitation probability; however, the straightforward trigger condition and kernel-crash impact warrant prompt patching on K230-based deployments.
Inverted debug assertion in the Linux kernel PCI/P2PDMA subsystem triggers a spurious kernel warning in p2pmem_alloc_mmap() when CONFIG_DEBUG_VM is enabled, resulting in high availability impact on affected systems. The root cause is a stale VM_WARN_ON_ONCE_PAGE condition that was not updated after commit b7e282378773 changed the initial page refcount from one to zero, causing the assertion to fire on every valid P2PDMA allocation. Authenticated local users with access to P2PDMA-capable hardware can exploit this on debug-compiled kernels to cause denial of service; no public exploit exists and EPSS is 0.02% (4th percentile), reflecting negligible real-world exploitation likelihood.
Use-after-free in the Linux kernel NFC HCI SHDLC subsystem allows local low-privileged attackers to corrupt memory and potentially escalate privileges by triggering teardown races against active timers and queued work items. The flaw exists because llc_shdlc_deinit() purges SHDLC skb queues and frees the llc_shdlc structure while timers and the sm_work state-machine handler may still execute concurrently. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the high-impact CVSS (7.8) reflects full CIA compromise on successful exploitation.
Remote manipulation of the Linux kernel's IPv4 routing cache is possible through RAW sockets bound to IPPROTO_RAW (protocol 255), where a malicious incoming ICMP packet whose inner header advertises protocol 255 will be matched to the socket and trigger FNHE (Forwarding Next Hop Exception) cache changes. The flaw affects Linux systems where a process has opened a RAW socket on protocol 255, and remote attackers can use crafted ICMP fragmentation-needed messages to influence routing decisions. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but the CVSS 9.1 reflects high integrity and availability impact via unauthenticated network reachability.
Denial-of-service condition in the Linux kernel's HNS RoCE (RDMA over Converged Ethernet) driver affects systems using HiSilicon RDMA hardware alongside SUNRPC/NFS-over-RDMA workloads. The hns_roce_irq_workq workqueue lacks the WQ_MEM_RECLAIM flag while being flushed during QP (Queue Pair) destruction from a memory-reclaim context, triggering a kernel warning and potential stall during RDMA transport reset. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis.
Local privilege escalation potential exists in the Linux kernel's Intel Xe DRM driver (drm/xe/pf) due to a sysfs initialization ordering bug in SR-IOV Physical Function setup, where a failed devm_add_action_or_reset() call invokes kobject_put() on an uninitialized kobject, triggering refcount underflow and use-after-free conditions. The flaw affects Linux kernel 6.19 prior to the 6.19.4 stable patch and has been resolved upstream; no public exploit identified at time of analysis and EPSS rates exploitation probability at only 0.02%.
Out-of-bounds array access in the Linux kernel's AMD GPU display driver (drm/amd/display) allows local privileged users to trigger memory corruption via the dcn35_stream_encoder_create() function when eng_id equals ENGINE_ID_DIGF (value 5) or is negative, indexing past the 5-element stream_enc_regs[] array. The flaw stems from a faulty boundary check using <= instead of <, and no public exploit has been identified at time of analysis with an EPSS score of 0.02% (5th percentile) indicating very low exploitation probability.
Deadlock in the Linux kernel's ASoC fsl_xcvr audio driver causes a hung task and denial of service on NXP i.MX hardware. The defect was introduced by a prior patch (commit f51424872760) that erroneously added a read lock acquisition on controls_rwsem inside fsl_xcvr_mode_put(), unaware that the caller snd_ctl_elem_write() already holds the write lock on that same semaphore for the duration of the put operation. A local user with low privileges who triggers an ALSA control write on an affected system can induce an unresolvable deadlock. No public exploit exists and EPSS is 0.02%, reflecting very low real-world exploitation probability.
NULL pointer dereference in the Linux kernel's SPI WPCM FIU driver allows a local low-privileged attacker to crash the kernel via a denial-of-service condition. The wpcm_fiu_probe() function passes the return value of platform_get_resource_byname() directly to resource_size() without validating against NULL, meaning if the named resource is absent the kernel dereferences a NULL pointer and panics. No public exploit exists and no active exploitation is confirmed; EPSS of 0.02% (5th percentile) reflects the narrow, hardware-specific attack surface.
Out-of-bounds read in the Linux kernel's IPv6 routing subsystem (fib6_add_rt2node) allows a local user with network configuration privileges to trigger memory corruption when adding routes that use the RTA_NH_ID nexthop attribute. The flaw was discovered by syzkaller and confirmed via KASAN slab-out-of-bounds reports. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the bug is in mainline kernel code paths reachable through netlink and is fixed across multiple stable trees.
Use-after-free in the Linux kernel's procfs subsystem allows a local low-privileged attacker to potentially trigger memory corruption when reading /proc/[pid]/stat due to missing RCU protection around task->real_parent access in do_task_stat(). The race condition occurs when a parent task is released concurrently with another process reading its stat file, leading to a UAF dereference. No public exploit identified at time of analysis, and EPSS scoring is very low (0.02%, 7th percentile), indicating limited expected exploitation activity.
NULL pointer dereference in the Linux kernel's GPIO character device subsystem (gpio/cdev) allows a local, low-privileged user to crash the kernel via a denial-of-service. In linehandle_create(), the macro retain_and_null_ptr(lh) sets lh to NULL, but a subsequent debug printout immediately dereferences that same pointer - triggering a kernel panic. No public exploit has been identified at time of analysis, and EPSS indicates very low exploitation probability at 0.02% (5th percentile), consistent with a local-access-only DoS with no code execution or data exposure component.
Local denial-of-service via kernel Oops in the Linux kernel SP804 timer driver on ARM32 platforms when read_current_timer() dereferences an uninitialized sched_clkevt pointer. Affected systems are those where sp804_clocksource_and_sched_clock_init is invoked without use_sched_clock=1, yet sp804_register_delay_timer is still called unconditionally - creating the conditions for a NULL/uninitialized pointer access in sp804_read(). EPSS is 0.02% (5th percentile), no KEV listing exists, and no public exploit has been identified, placing this as low operational priority outside specialized ARM32 embedded deployments.
Denial-of-service via recursion deadlock in the Linux kernel's NFS LOCALIO subsystem when direct memory reclaim occurs on systems using loopback NFS mounts. The LOCALIO optimization - which bypasses network I/O when NFS client and server share the same host - fails to restrict its page cache allocations to GFP_NOFS context, allowing the kernel memory allocator to re-enter NFS via nfs_writepages during reclaim (path: NFS LOCALIO → XFS → NFS), producing a deadlock and kernel hang. No public exploit exists and EPSS stands at 0.02% (4th percentile), consistent with a kernel subsystem defect that requires a specific local configuration rather than a broadly exploitable condition. Vendor-released patches are available across stable kernel branches.
Double-disable of managed clocks in the Linux kernel's fsl-edma (Freescale/NXP eDMA) DMA engine driver triggers kernel WARN_ON warnings during driver removal, causing an availability impact on affected systems. The bug originates from commit a9903de3aa16731846bf924342eca44bdabe9be6, where clocks allocated via devm_clk_get_enabled() - which automatically handles teardown - are also manually disabled in fsl_edma_remove(), resulting in a 'already disabled/unprepared' warning for each clock. No public exploit has been identified at time of analysis, and EPSS is 0.02% (5th percentile), reflecting the low likelihood of targeted exploitation of this kernel quality defect.
Unaligned memory access in the Linux Kernel's AppArmor DFA table parser causes a denial of service on strict-alignment architectures. AppArmor's deterministic finite automaton (DFA) policy tables, which can originate from either kernel or userspace via apparmor_parser, lack guaranteed 8-byte alignment; on architectures that fault or warn on unaligned access (confirmed via SPARC call trace in the description), loading AppArmor profiles triggers a kernel WARNING at security/apparmor/match.c:316 and fails profile loading. No public exploit exists and no KEV listing is present; EPSS is 0.02% (5th percentile), consistent with a low-severity, architecture-specific, local-only issue.
Heap buffer overflow in the Linux kernel's pstore/ram subsystem (persistent_ram_save_old function) allows local attackers with low privileges to trigger out-of-bounds writes and reads when the ramoops buffer size grows across boot cycles. The flaw affects Linux kernel versions from 3.5 onward and carries a CVSS 7.8 (High) rating, though exploitation requires a highly improbable chain of conditions across reboots. No public exploit identified at time of analysis, and EPSS is very low at 0.03%.
Linked-list corruption in the Linux kernel's btrfs filesystem allows a local user with btrfs write access to trigger memory corruption and a transaction abort when EXTENT_TREE_V2 incompat flag is enabled. The flaw stems from the block group tree being added twice to the switch_commits list, corrupting prev/next pointers and ultimately leading to filesystem inconsistency. No public exploit identified at time of analysis and EPSS probability is low at 0.02%, but the CVSS 8.4 reflects high local impact on confidentiality, integrity, and availability.
Denial of service in the Linux kernel's MIPS architecture support affects builds compiled with LLVM/Clang versions 18 through 21, where the compiler incorrectly restores the $gp global register variable in the relocate_kernel() epilogue. The result is that __current_thread_info points to the unrelocated kernel address space, causing an immediate NULL-pointer dereference in init_idle during early boot and a panic before userspace ever starts. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the issue is a boot-time crash rather than a remotely triggerable flaw.
Kernel crash in the Linux octeontx2-af driver exposes Marvell OcteonTX2 systems to a denial-of-service condition triggered by kexec reboots when both AF and PF drivers are loaded as modules. Because kexec does not power-cycle hardware, the RVUM block revision register retains its pre-reboot value; the PF driver misinterprets this stale register value as confirmation that AF initialization is complete and proceeds to access hardware state that has not yet been reinitialized in the new kernel, producing a kernel panic. No public exploit exists and EPSS is 0.02% (7th percentile), confirming this is a niche reliability defect in a specific hardware/driver configuration rather than an adversarially weaponizable flaw.
Stale link mapping in the ath12k Wi-Fi 7 driver causes a kernel WARN_ON condition when MLO (Multi-Link Operation) connection preparation fails mid-initialization, leaving ahvif->links_map in an inconsistent state. Systems running the Linux kernel with Qualcomm ath12k hardware (e.g., QCN9274) are affected across stable branches through 6.18.13, 6.19.3, and pre-7.0 releases. A local low-privileged user capable of triggering repeated MLO authentication failures can induce kernel warning conditions, resulting in high availability impact with no public exploit identified at time of analysis.
Kernel crash (denial of service) affects Qualcomm GFX3D GPU clock management on ARM64 Linux systems running vulnerable kernel versions. A regression introduced by commit d228ece36345 ('clk: divider: remove round_rate() in favor of determine_rate()') left the best_parent_hw field unpopulated in parent_req during GFX3D clock rate determination, causing a NULL dereference crash triggered by normal GPU devfreq monitoring. A local low-privileged user on a Qualcomm MSM/Snapdragon device can induce this crash through GPU frequency scaling activity. No public exploit exists and EPSS is 0.02%, consistent with a narrow hardware-specific bug rather than broadly exploitable vulnerability.
Use-after-free in the Linux kernel's pm8916_lbc power supply driver allows a local attacker to potentially trigger memory corruption or kernel crashes during device removal. The flaw stems from incorrect ordering of devm_-managed resources: the extcon handle is freed before the IRQ is unregistered, leaving a window where the IRQ handler invokes extcon_set_state_sync() on freed memory. No public exploit identified at time of analysis, and EPSS rates exploitation probability at 0.02% (5th percentile), reflecting low real-world attacker interest in this driver-specific race.
Null pointer dereference in the Linux kernel's AMD GPU display driver (drm/amd/display) crashes the kernel during Hot Plug Detection (HPD) initialization on systems with AMD GPUs. The amdgpu_dm_hpd_init() function assigns dc_link from a connector but then unconditionally dereferences it at line 940 of amdgpu_dm_irq.c without first confirming it is non-NULL - connectors lacking a valid dc_link trigger a kernel NULL dereference. Exploitation requires local, low-privileged access to a system with an affected AMD GPU; no public exploit has been identified at time of analysis and EPSS probability is 0.02% (5th percentile), indicating very limited real-world exploitation pressure.
Denial of service in the Linux kernel's DRM Panthor GPU driver allows a local authenticated user to trigger an unrecoverable system hang via a blocked GPU memory subsystem. Specifically, when `panthor_gpu_flush_caches()` times out due to a blocked memory subsystem - a condition inducible through buggy GPU jobs submitted by user-mode drivers (UMD) - the driver previously had no recovery path, causing indefinite waits and system unavailability. The fix introduces timeout-aware reset scheduling and immediate -EIO short-circuiting for queued flush operations after a failure, but until patched, the condition is exploitable by any local user with access to the GPU device. No public exploit code exists and EPSS is extremely low (0.02%), consistent with a niche hardware-specific local DoS.
NULL pointer dereference in the Linux kernel's PCI endpoint NTB driver allows an authenticated local attacker to crash the kernel (denial of service) by triggering a memory allocation failure during driver initialization. The missing NULL check after `alloc_workqueue()` in `epf_ntb_epc_init()` causes a subsequent `queue_work()` call to dereference a NULL pointer, resulting in a kernel panic. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects the narrow hardware-specific attack surface; this is not confirmed actively exploited (CISA KEV absent).
Header injection via parser differential in daphne before 4.2.2 allows unauthenticated remote attackers to smuggle synthetic headers into the ASGI scope received by Django applications during WebSocket handshake processing. The root cause is that Twisted (which daphne uses to parse inbound HTTP) ignores six specific Unicode bytes as line separators, while autobahn (which daphne feeds for WebSocket negotiation) calls Python's str.splitlines() and recognizes them - causing a single header value to be split into multiple injected header lines. No public exploit has been identified at time of analysis, and CVSS scores this at 3.7 (Low) due to high attack complexity, though real-world severity scales with how heavily the downstream application trusts ASGI-scope headers for security decisions.
Log injection in morgan Node.js middleware versions 1.2.0 through 1.10.1 allows unauthenticated remote attackers to forge access log entries by embedding CR or LF control characters in the Basic authentication username of the Authorization request header. The :remote-user format token writes this value to the log stream without sanitization, breaking the one-request-per-line log structure and enabling attackers to fabricate arbitrary log lines visible to downstream consumers such as SIEMs or log aggregators. No active exploitation is confirmed (not in CISA KEV) and no public exploit code is identified at time of analysis, but the zero-prerequisite network attack vector and widespread use of morgan across the Node.js/Express ecosystem make this a meaningful integrity risk for security monitoring pipelines.
Error message injection in Go's net/textproto standard library package allows unauthenticated remote attackers to embed attacker-controlled content into error strings that applications subsequently print or log. Affected Go releases span all net/textproto versions prior to 1.25.11 and 1.26.4, covering a broad surface area of Go-based HTTP, MIME, and mail-handling applications. No public exploit code exists and exploitation probability is extremely low (EPSS 0.02%, 5th percentile), but the integrity risk is real in deployments where net/textproto errors are surfaced to logs, monitoring systems, or user-facing output without sanitization.
Unbounded memory allocation in warmcat libwebsockets up to 4.5.8 allows remote unauthenticated attackers to exhaust server heap resources by sending SSH packets with a crafted oversized `msg_len` value, resulting in denial of service. The vulnerability is confined to deployments using the optional SSH server plugin (`protocol_lws_ssh_base`) and carries a CVSS 5.3 Medium rating with no confidentiality or integrity impact. A public proof-of-concept exploit exists and the CVSS temporal vector confirms exploit availability (E:P) and an official patch (RL:O); no CISA KEV listing indicates no confirmed widespread in-the-wild exploitation as of the analysis date.
Denial of service in React Router 7.0.0-7.14.x and @remix-run/server-runtime 2.10.0-2.17.4 allows remote unauthenticated attackers to exhaust server resources by sending crafted requests to the __manifest endpoint, which triggers unbounded path expansion. Only applications running in React Router Framework Mode or Remix are affected; Declarative Mode (<BrowserRouter>) and Data Mode (createBrowserRouter) deployments are not. No public exploit identified at time of analysis, and the issue is patched in react-router 7.15.0 and @remix-run/server-runtime 2.17.5.
Open redirect in React Router's programmatic `redirect()` function allows unauthenticated remote attackers to redirect users to arbitrary external domains by supplying path values beginning with `//`, which browsers interpret as protocol-relative (scheme-relative) URLs. Affected are applications in the v7 series (7.0.0-7.14.0) and v6 series (6.7.0-6.30.3) that expose user-influenced input to `redirect()` without validating the path prefix. No public exploit identified at time of analysis - CVSS 4.0 supplemental metric E:U (Unreported) confirms no known active exploitation - but the technique is trivially constructible from the advisory description alone, and patched releases 7.14.1 and 6.30.4 are available.
Client-side Cross-Site Scripting in React Router 7.7.0 through 7.13.1 affects applications using the unstable React Server Components (RSC) APIs, where redirect handling fails to sanitize destinations originating from untrusted sources. An attacker who can influence redirect targets consumed by RSC handlers may inject script payloads that execute in the victim's browser, with no public exploit identified at time of analysis. The advisory is published as GHSA-rxv8-25v2-qmq8 and the issue is fixed in 7.13.2.
Client-side cross-site scripting in React Router 7.7.0 through 7.13.1 allows remote attackers to execute arbitrary script in a victim's browser when the application uses the unstable React Server Components (RSC) APIs and processes redirects originating from untrusted sources. The flaw is patched in 7.13.2; no public exploit identified at time of analysis and the vulnerability does not affect deployments that do not opt into the RSC APIs.
Cross-site scripting in React Router's Framework Mode (versions 7.5.1-7.13.1) allows an authenticated attacker with influence over redirect destinations to inject malicious content into statically pre-rendered HTML files via an unsanitized HTTP Location header. Exploitation requires both low-privilege authentication (confirmed by CVSS PR:L) and victim user interaction (UI:R), limiting mass exploitation. No public exploit has been identified at time of analysis, and CISA KEV status is not confirmed. A vendor-released patch exists in version 7.13.2.
Remote code execution in Google Chrome versions prior to 149.0.7827.53 allows an attacker on the same local network segment (adjacent network) to execute arbitrary code by sending malicious traffic to the browser's Cast component. The flaw stems from a use-after-free memory corruption issue in the Cast feature (used for media streaming to devices like Chromecast) and is rated High severity by Chromium with a CVSS score of 8.8. No public exploit identified at time of analysis, though a vendor patch has been released.
Sandbox escape in Google Chrome on macOS prior to 149.0.7827.53 lets a remote attacker who has already compromised the renderer process break out of the Chromium sandbox via a crafted HTML page that triggers an out-of-bounds write in Skia. Google rates the underlying Chromium issue High severity and a vendor patch is available, though no public exploit code has been identified at time of analysis.
Sandbox escape in Google Chrome's Chromecast component prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. Rated High severity by the Chromium project with a CVSS of 8.3, the flaw requires a prior renderer compromise and user interaction, and no public exploit identified at time of analysis. Successful exploitation gives attackers code execution outside the renderer's restricted context, dramatically expanding impact on the host.
Arbitrary code execution in Google Chrome for Android prior to 149.0.7827.53 stems from a use-after-free flaw in the WebAppInstalls component, triggered when a victim opens a malicious file. Although the CVSS vector lists a network attack vector with high impact across confidentiality, integrity, and availability, exploitation requires user interaction and no public exploit identified at time of analysis. EPSS probability is very low (0.01%) and SSVC indicates no observed exploitation, suggesting the immediate threat is limited despite the High severity rating from Chromium.
Same-origin policy bypass in Google Chrome's DevTools component prior to version 149.0.7827.53 allows remote attackers to violate browser security boundaries when victims perform specific UI gestures on attacker-controlled pages. The flaw stems from insufficient validation of untrusted input within DevTools and is rated High severity by Chromium with a CVSS of 8.8, though no public exploit identified at time of analysis and EPSS is very low at 0.02%.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 is possible via an integer overflow in the Dawn WebGPU implementation, allowing a remote attacker who has already compromised the renderer process to break out of the browser sandbox using a crafted HTML page. Google rates the Chromium severity as High and a vendor patch is available; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Sandbox escape in Google Chrome on macOS prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page abusing the WebShare component. The bug is rated High severity by Chromium and carries a CVSS 8.3 with scope change reflecting the sandbox boundary crossing, though no public exploit has been identified at time of analysis.
Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High severity by Chromium and CVSS 8.3, and while no public exploit is identified at time of analysis, sandbox escapes in ANGLE have historically been chained with renderer RCE bugs to achieve full system compromise.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a use-after-free flaw in the Viz compositor component. Exploitation requires a crafted HTML page and victim interaction, and Google has rated the underlying Chromium security severity as High. No public exploit has been identified at time of analysis, but this class of bug is historically chained with renderer RCE bugs to achieve full browser compromise.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page exploiting insufficient input validation in the Media component. Google rates the Chromium security severity as High, and no public exploit has been identified at time of analysis. Successful exploitation requires chaining with a separate renderer compromise plus user interaction, raising attack complexity but yielding full host-level impact if achieved.
Universal Cross-Site Scripting (UXSS) in Google Chrome's DevTools component allows an attacker who has already compromised the renderer process to inject arbitrary scripts or HTML across security origins via a crafted HTML page, bypassing the same-origin policy. Affected versions are all Chrome releases prior to 149.0.7827.53. No public exploit code exists and no active exploitation has been observed; this vulnerability functions as a second-stage capability within a broader attack chain requiring prior renderer compromise.
Sandbox escape in Google Chrome on iOS prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. The flaw is a use-after-free in the Core component rated High severity by Chromium, and no public exploit identified at time of analysis. Exploitation requires user interaction (visiting a malicious page) and chaining with a prior renderer compromise, raising the practical bar despite the 8.3 CVSS score.
Remote code execution in Google Chrome's ANGLE graphics layer on Windows prior to version 149.0.7827.53 allows attackers to execute arbitrary code inside the renderer sandbox when a victim visits a crafted HTML page. The flaw is a use-after-free (CWE-416) memory corruption issue rated High severity by Chromium, requires user interaction to trigger, and no public exploit has been identified at time of analysis.
Remote code execution in Google Chrome on Windows (versions prior to 149.0.7827.53) is possible through a use-after-free vulnerability in the ANGLE graphics translation layer, triggered when a victim visits a crafted HTML page. Successful exploitation yields arbitrary code execution constrained to the Chrome renderer sandbox, with Chromium rating the severity as High and CVSS scored at 8.8. There is no public exploit identified at time of analysis and CISA SSVC marks exploitation status as none, but the bug class (UAF in GPU translation) is historically a popular target for chained sandbox escapes.
Same-origin policy bypass in Google Chrome's Extensions component prior to version 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to perform unauthorized cross-origin actions via a crafted HTML page. The vulnerability stems from insufficient input validation (CWE-20) in the Extensions subsystem and carries a CVSS integrity impact of High with no confidentiality or availability loss. No active exploitation has been confirmed - EPSS sits at 0.02% (6th percentile), SSVC exploitation status is 'none', and the CVE is not listed in CISA KEV - but a vendor-released patch is available.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page abusing the Media component. Google rates the issue High severity and a vendor patch is available, though no public exploit has been identified at time of analysis.
Remote code execution in Google Chrome's V8 JavaScript engine prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code inside the renderer sandbox via a crafted HTML page. The flaw is a type confusion bug (CWE-843) rated High severity by Chromium with a CVSS 8.8 score; no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV. User interaction is required, as the victim must visit attacker-controlled or compromised content.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 enables a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a use-after-free flaw in the Dawn WebGPU implementation. Exploitation requires luring a victim to a crafted HTML page and chaining this bug with a prior renderer compromise, but the impact is full sandbox escape with high confidentiality, integrity, and availability consequences. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Out-of-bounds write in the ANGLE graphics layer of Google Chrome versions prior to 149.0.7827.53 enables remote attackers to trigger heap corruption and potentially execute arbitrary code by luring a victim to a crafted HTML page. Chromium rates the severity as High and CVSS 8.8 reflects the network attack vector with required user interaction. No public exploit identified at time of analysis, though the bug class (memory corruption in a browser-exposed component) is historically a prime target for weaponization.
Heap corruption in Google Chrome's WebAuthentication component prior to version 149.0.7827.53 allows remote attackers to potentially execute arbitrary code through a crafted HTML page combined with user interaction. The flaw is a use-after-free (CWE-416) rated High severity by Chromium and carries a CVSS 7.5 score, though exploitation requires specific UI gestures from the victim. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Sandbox escape in Google Chrome prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a use-after-free in the Network component, triggered by a crafted HTML page. Chromium rates the severity as High and a vendor patch is available; no public exploit identified at time of analysis.
Remote code execution in Google Chrome's V8 JavaScript engine prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the browser sandbox by luring a user to a crafted HTML page. Rated High severity by Chromium with a CVSS 8.8, the flaw requires user interaction (visiting a malicious site) but no authentication or privileges. No public exploit has been identified at the time of analysis, and the issue is not currently listed in CISA KEV.
Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the WebRTC component that lets a remote attacker run arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. Google rates the underlying Chromium issue as High severity, and no public exploit is identified at time of analysis, though publicly available patch metadata and Chromium bug tracker entries (issue 503422316) confirm the fix.
Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the Ozone graphics abstraction layer, rated Critical by Chromium's internal severity classification. Remote attackers can trigger arbitrary code execution within the browser's rendering context by enticing a victim to visit a crafted HTML page. There is no public exploit identified at time of analysis, and CISA SSVC scoring indicates no observed exploitation, though the technical impact is rated total.
Remote code execution in Google Chrome on macOS prior to version 149.0.7827.53 stems from a use-after-free condition in the Passwords component, allowing a remote attacker to execute arbitrary code if a victim is convinced to perform specific UI gestures on a crafted HTML page. Chromium rates the underlying severity as Critical, though CVSS scores it 7.5 due to high attack complexity and required user interaction. There is no public exploit identified at time of analysis and SSVC indicates exploitation status is none.
Remote heap corruption in Google Chrome on macOS prior to 149.0.7827.53 stems from a use-after-free in the Passwords component, letting a remote attacker who lures a user into specific UI interactions trigger memory corruption via a crafted HTML page. Chromium rates the underlying flaw Critical and a vendor patch is available, though no public exploit has been identified at time of analysis and active exploitation has not been confirmed by CISA KEV.
Heap corruption in Google Chrome's Ozone display layer on Linux versions prior to 149.0.7827.53 allows remote attackers to potentially achieve code execution by enticing a user to perform specific UI gestures on a crafted HTML page. Chromium rates the underlying issue as Critical severity, and no public exploit has been identified at time of analysis. The defect is a use-after-free (CWE-416) reachable from the renderer's interaction with the Linux display abstraction.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows remote attackers who have already compromised the renderer process to potentially break out of the sandbox via a stack buffer overflow in the GPU component triggered by a crafted HTML page. Chromium rates this as Critical severity, and while no public exploit has been identified at time of analysis, the vendor has released a patched stable channel build addressing the issue.
Sandbox escape in Google Chrome's GPU component prior to version 149.0.7827.53 allows remote attackers to break out of the renderer sandbox via a crafted HTML page when a user visits a malicious site. Google's Chromium team rated the underlying issue Critical severity, and while a patch is available, no public exploit identified at time of analysis and EPSS estimates exploitation probability at only 0.03%.
Remote code execution in Google Chrome for iOS prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code by enticing a user to visit a crafted HTML page. Chromium rates the underlying use-after-free as Critical severity, though SSVC currently shows no observed exploitation and no public exploit identified at time of analysis. The CVSS 8.8 rating reflects high impact across confidentiality, integrity, and availability, tempered by a required user interaction (visiting the malicious page).
Remote code execution in Google Chrome's Ozone display server layer affects all desktop versions prior to 149.0.7827.53, where a use-after-free memory corruption flaw can be triggered by a crafted HTML page. Chromium-internal severity is rated Critical and the CVSS 3.1 score of 8.8 reflects high impact across confidentiality, integrity, and availability, though exploitation requires user interaction (visiting an attacker-controlled page). No public exploit has been identified at time of analysis, and CISA SSVC currently lists Exploitation as 'none'.
Sandbox escape in Google Chrome on Linux prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page that triggers a use-after-free in the Printing component. Google rates the underlying Chromium issue as Critical severity, and no public exploit is identified at time of analysis. The CVSS 8.3 score reflects the chained nature of the attack and the scope change that results when sandbox boundaries are crossed.
Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the Chromoting (Chrome Remote Desktop) component, which Google rated Critical internally. A remote attacker can deliver malicious network traffic to a user with an active Chromoting session and execute arbitrary code in the browser context, though user interaction is required per the CVSS vector. No public exploit identified at time of analysis, and EPSS probability is very low (0.04%).
Sandbox escape in Google Chrome for Android versions prior to 149.0.7827.53 stems from an out-of-bounds write in the GPU process that a remote attacker can trigger via a crafted HTML page. Google rates the underlying Chromium issue as Critical severity, and while a vendor patch is available, no public exploit identified at time of analysis and EPSS sits at 0.03% (11th percentile). The CVSS scope-changed vector (S:C) reflects the impact of breaking out of Chrome's sandbox to affect the broader Android OS context.
Heap corruption in Google Chrome's GFX component on Linux prior to version 149.0.7827.53 allows remote attackers to potentially achieve code execution when a victim visits a crafted HTML page. Google rates the underlying Chromium issue as Critical severity, and a vendor patch is available; no public exploit identified at time of analysis.
Heap corruption in Google Chrome's Cast component prior to version 149.0.7827.53 allows adjacent-network attackers to trigger a use-after-free condition through crafted network traffic, potentially leading to arbitrary code execution within the renderer. Chromium rates the underlying severity as Critical, and no public exploit identified at time of analysis, though the AV:A vector means any attacker sharing the victim's LAN or Wi-Fi segment can attempt exploitation without authentication or user interaction.
Out-of-bounds read in the ANGLE graphics layer of Google Chrome before 149.0.7827.53 enables a remote attacker who has already compromised the renderer process to potentially escape the browser sandbox via a crafted HTML page. Chromium rates the underlying issue Critical severity, and while no public exploit has been identified at time of analysis, the bug is in a historically targeted attack surface (GPU/ANGLE) frequently abused in renderer-to-broker escape chains.
Remote code execution in Google Chrome's Cast Streaming component (versions prior to 149.0.7827.53) allows an attacker on the same local network segment to execute arbitrary code by sending malicious network traffic to a vulnerable browser. The flaw is rated Critical by the Chromium project and carries a CVSS 3.1 score of 8.8, with no public exploit identified at time of analysis.
Remote code execution in Google Chrome on macOS prior to 149.0.7827.53 stems from a use-after-free flaw in the Chromoting (Chrome Remote Desktop) component, allowing remote attackers to execute arbitrary code by delivering malicious network traffic. Google's Chromium team rates the underlying defect as Critical severity, and no public exploit has been identified at time of analysis, though the bug class historically attracts in-the-wild exploitation against browser users.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows remote attackers to exploit a use-after-free condition in the FileSystem component via a crafted HTML page, with user interaction required. Google has rated the underlying Chromium issue as Critical severity, and a vendor patch is available; no public exploit identified at time of analysis, though the high CVSS score (9.6) and scope-changed impact warrant rapid patching.
Remote code execution in Google Chrome for iOS versions prior to 149.0.7827.53 allows a remote attacker to execute arbitrary code by luring a victim to a crafted HTML page that triggers a use-after-free condition. The flaw is rated Critical by Chromium and carries a CVSS 8.8 score, and while no public exploit is identified at time of analysis, the user-interaction-only barrier (visiting a page) makes drive-by exploitation a realistic concern for unpatched iOS Chrome users.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 enables a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page targeting a use-after-free flaw in the Chromecast component. Google classifies the underlying issue as Critical severity, and no public exploit has been identified at time of analysis. The bug requires chaining with a separate renderer compromise, which lowers standalone exploitability but makes it valuable as the second stage of a full browser exploit chain.
Heap corruption in Google Chrome's ANGLE graphics translation layer prior to version 149.0.7827.53 allows remote attackers to potentially achieve code execution by enticing a user to visit a crafted HTML page. Chromium rates the severity as Critical and the CVSS score is 8.8 (High), but no public exploit identified at time of analysis. The flaw is a type confusion issue that maps to CWE-787 (out-of-bounds write), affecting the browser's WebGL/graphics rendering path.
Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the Network component, allowing a remote attacker to execute arbitrary code within the renderer process when a user visits a crafted HTML page. Google rated this issue Critical at the Chromium level, and a vendor patch is available; no public exploit identified at time of analysis.
Sandbox escape in Google Chrome's ANGLE graphics layer prior to version 149.0.7827.53 allows a remote attacker to trigger an out-of-bounds read and write via a crafted HTML page, with a CVSS 9.6 reflecting scope change and high impact across confidentiality, integrity, and availability. The flaw was rated Critical internally by Chromium and reported by Google's own CVE admin team; no public exploit identified at time of analysis, and CISA SSVC currently lists exploitation status as none.
Local root code execution in libinput versions before 1.30.4 and 1.31.x before 1.31.3 is possible because the libinput-device-group helper fails to escape the 'phys' string returned for an input device, allowing injection of attacker-controlled udev properties that are subsequently evaluated as privileged actions. The flaw, tracked as CWE-93 (CRLF/property injection), enables an unprivileged local user who can attach or simulate a device with a crafted physical-path identifier to escalate to root. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Open redirect in WebOb (pip/webob <= 1.8.9) enables unauthenticated network attackers to redirect victims to arbitrary attacker-controlled domains by bypassing the prior CVE-2024-42353 patch. The bypass exploits Python 3.10+'s silent stripping of ASCII control characters (tab, CR, LF) from URLs before parsing, so a crafted path like /\t/attacker.com passes the previous // guard, then gets normalized by urlsplit into a protocol-relative URL pointing to attacker.com. No public exploit has been identified at time of analysis beyond the advisory's own proof-of-concept code, but the bypass technique is trivial and the full exploit path is published in the GitHub advisory GHSA-fh3h-vg37-cc95.
Local privilege escalation in NetworkManager's dhclient backend allows a low-privileged local user to execute arbitrary OS commands with elevated privileges by supplying a crafted Manufacturer Usage Description (MUD) URL. Exploitation is strictly limited to systems where an administrator has explicitly reconfigured NetworkManager to use the dhclient backend - a non-default setting - meaning the vast majority of deployments are unaffected by design. CVSS 6.7 (local vector, high complexity, user interaction required) accurately reflects the constrained exploitation conditions; no public exploit code or CISA KEV listing exists at time of analysis.
Use-after-free in libexpat before 2.8.2 allows memory corruption, information disclosure, and potential code execution when prohibited API functions are called from within XML event handler callbacks. All libexpat consumers - including language bindings such as CPython's xml.parsers.expat - are affected when handler code (or attacker-influenced handler logic) invokes XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset in a re-entrant manner during active parsing. No public exploit code exists at time of analysis and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog, but the CPython project has an associated open issue (python/cpython#146169) indicating ecosystem-wide reach.
Resource exhaustion in Open vSwitch v3.6.90 allows an authenticated attacker with OVSDB write access to crash the virtual switch by requesting an unbounded number of handler or revalidation threads via a missing upper-bound check in the udpif_set_threads() function. The SSVC framework confirms a proof-of-concept exploit exists, though the vulnerability is not listed in CISA KEV and automated mass exploitation is assessed as unlikely due to the required management-plane authentication. With CVSS 6.5 and impact limited to availability, this is a moderate-priority finding that becomes high-priority in environments where OVSDB write access is broadly granted or inadequately segmented.
Arbitrary file write on OpenStack Ironic conductor nodes is achievable via path traversal in virtual media ISO handling (OSSA-2026-018). Authenticated attackers who can supply a malicious ISO image through the deploy_iso_href parameter can write files to arbitrary locations on the conductor host, constrained only by the ironic-conductor process's filesystem permissions. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV, but the vulnerability carries a CVSS 3.1 score of 6.5 and is rated Critical severity by the Ironic project.
Remote denial of service in the Linux kernel ibmveth driver on IBM Power systems allows attackers to freeze physical network adapters by transmitting GSO packets with an MSS below 224 bytes, halting all traffic until manual reset. The flaw affects multiple stable kernel branches and is fixed upstream, with no public exploit identified at time of analysis and an EPSS score of 0.02% (7th percentile) reflecting low expected exploitation volume despite the high CVSS of 8.6.
Race condition in the Linux kernel's CoreSight TMC-ETR (Trace Memory Controller, Embedded Trace Router) driver triggers a kernel WARN_ON() when sysfs and perf hardware tracing modes are enabled concurrently, resulting in a denial-of-service condition against the tracing subsystem. The sysfs enable path is split across two separate spinlock-protected critical sections, creating a window where perf mode can initialize drvdata->etr_buf between the sysfs buffer allocation and hardware enablement steps - causing tmc_etr_enable_hw() to encounter an already-initialized pointer and fire WARN_ON(). No public exploit exists and EPSS is 0.02% (4th percentile), indicating near-zero real-world exploitation probability; patched kernel versions 6.18.14, 6.19.4, and 7.0 are available.
Denial of service in the Linux kernel ath12k Wi-Fi driver affects systems using Qualcomm WCN7850 chipsets with multi-link operation (MLO) connections. When Wake-on-WLAN (WoW) offloads are configured on both primary and secondary links during a multi-link connection, the WCN7850 firmware crashes, disrupting wireless connectivity. EPSS exploitation probability is very low (0.02%, 4th percentile) and no public exploit identified at time of analysis, suggesting this is primarily a stability/reliability fix rather than a security priority.
Use-after-free in the Linux kernel's rt9455 power supply driver allows local attackers to trigger memory corruption or system crashes via a race condition during driver probe or removal. The flaw stems from incorrect ordering of devm_-managed resource allocation, where the IRQ handler can fire against a freed or uninitialized power_supply handle. EPSS is very low (0.02%, 7th percentile) and no public exploit is identified at time of analysis, but the CVSS score of 8.4 reflects high impact on confidentiality, integrity, and availability for systems shipping the rt9455 Richtek battery charger driver.
NULL pointer dereference in the Linux kernel's Canaan K230 pinctrl driver causes a local denial of service during device tree parsing. Specifically, k230_pinctrl_parse_functions() dereferences info->pctl_dev->dev before info->pctl_dev is initialized, triggering a kernel panic on systems using the K230 SoC. A low-privileged local attacker on affected hardware can crash the kernel, fully denying system availability. No public exploit code exists and EPSS of 0.02% (5th percentile) indicates minimal exploitation probability; however, the straightforward trigger condition and kernel-crash impact warrant prompt patching on K230-based deployments.
Inverted debug assertion in the Linux kernel PCI/P2PDMA subsystem triggers a spurious kernel warning in p2pmem_alloc_mmap() when CONFIG_DEBUG_VM is enabled, resulting in high availability impact on affected systems. The root cause is a stale VM_WARN_ON_ONCE_PAGE condition that was not updated after commit b7e282378773 changed the initial page refcount from one to zero, causing the assertion to fire on every valid P2PDMA allocation. Authenticated local users with access to P2PDMA-capable hardware can exploit this on debug-compiled kernels to cause denial of service; no public exploit exists and EPSS is 0.02% (4th percentile), reflecting negligible real-world exploitation likelihood.
Use-after-free in the Linux kernel NFC HCI SHDLC subsystem allows local low-privileged attackers to corrupt memory and potentially escalate privileges by triggering teardown races against active timers and queued work items. The flaw exists because llc_shdlc_deinit() purges SHDLC skb queues and frees the llc_shdlc structure while timers and the sm_work state-machine handler may still execute concurrently. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the high-impact CVSS (7.8) reflects full CIA compromise on successful exploitation.
Remote manipulation of the Linux kernel's IPv4 routing cache is possible through RAW sockets bound to IPPROTO_RAW (protocol 255), where a malicious incoming ICMP packet whose inner header advertises protocol 255 will be matched to the socket and trigger FNHE (Forwarding Next Hop Exception) cache changes. The flaw affects Linux systems where a process has opened a RAW socket on protocol 255, and remote attackers can use crafted ICMP fragmentation-needed messages to influence routing decisions. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but the CVSS 9.1 reflects high integrity and availability impact via unauthenticated network reachability.
Denial-of-service condition in the Linux kernel's HNS RoCE (RDMA over Converged Ethernet) driver affects systems using HiSilicon RDMA hardware alongside SUNRPC/NFS-over-RDMA workloads. The hns_roce_irq_workq workqueue lacks the WQ_MEM_RECLAIM flag while being flushed during QP (Queue Pair) destruction from a memory-reclaim context, triggering a kernel warning and potential stall during RDMA transport reset. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis.
Local privilege escalation potential exists in the Linux kernel's Intel Xe DRM driver (drm/xe/pf) due to a sysfs initialization ordering bug in SR-IOV Physical Function setup, where a failed devm_add_action_or_reset() call invokes kobject_put() on an uninitialized kobject, triggering refcount underflow and use-after-free conditions. The flaw affects Linux kernel 6.19 prior to the 6.19.4 stable patch and has been resolved upstream; no public exploit identified at time of analysis and EPSS rates exploitation probability at only 0.02%.
Out-of-bounds array access in the Linux kernel's AMD GPU display driver (drm/amd/display) allows local privileged users to trigger memory corruption via the dcn35_stream_encoder_create() function when eng_id equals ENGINE_ID_DIGF (value 5) or is negative, indexing past the 5-element stream_enc_regs[] array. The flaw stems from a faulty boundary check using <= instead of <, and no public exploit has been identified at time of analysis with an EPSS score of 0.02% (5th percentile) indicating very low exploitation probability.
Deadlock in the Linux kernel's ASoC fsl_xcvr audio driver causes a hung task and denial of service on NXP i.MX hardware. The defect was introduced by a prior patch (commit f51424872760) that erroneously added a read lock acquisition on controls_rwsem inside fsl_xcvr_mode_put(), unaware that the caller snd_ctl_elem_write() already holds the write lock on that same semaphore for the duration of the put operation. A local user with low privileges who triggers an ALSA control write on an affected system can induce an unresolvable deadlock. No public exploit exists and EPSS is 0.02%, reflecting very low real-world exploitation probability.
NULL pointer dereference in the Linux kernel's SPI WPCM FIU driver allows a local low-privileged attacker to crash the kernel via a denial-of-service condition. The wpcm_fiu_probe() function passes the return value of platform_get_resource_byname() directly to resource_size() without validating against NULL, meaning if the named resource is absent the kernel dereferences a NULL pointer and panics. No public exploit exists and no active exploitation is confirmed; EPSS of 0.02% (5th percentile) reflects the narrow, hardware-specific attack surface.
Out-of-bounds read in the Linux kernel's IPv6 routing subsystem (fib6_add_rt2node) allows a local user with network configuration privileges to trigger memory corruption when adding routes that use the RTA_NH_ID nexthop attribute. The flaw was discovered by syzkaller and confirmed via KASAN slab-out-of-bounds reports. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the bug is in mainline kernel code paths reachable through netlink and is fixed across multiple stable trees.
Use-after-free in the Linux kernel's procfs subsystem allows a local low-privileged attacker to potentially trigger memory corruption when reading /proc/[pid]/stat due to missing RCU protection around task->real_parent access in do_task_stat(). The race condition occurs when a parent task is released concurrently with another process reading its stat file, leading to a UAF dereference. No public exploit identified at time of analysis, and EPSS scoring is very low (0.02%, 7th percentile), indicating limited expected exploitation activity.
NULL pointer dereference in the Linux kernel's GPIO character device subsystem (gpio/cdev) allows a local, low-privileged user to crash the kernel via a denial-of-service. In linehandle_create(), the macro retain_and_null_ptr(lh) sets lh to NULL, but a subsequent debug printout immediately dereferences that same pointer - triggering a kernel panic. No public exploit has been identified at time of analysis, and EPSS indicates very low exploitation probability at 0.02% (5th percentile), consistent with a local-access-only DoS with no code execution or data exposure component.
Local denial-of-service via kernel Oops in the Linux kernel SP804 timer driver on ARM32 platforms when read_current_timer() dereferences an uninitialized sched_clkevt pointer. Affected systems are those where sp804_clocksource_and_sched_clock_init is invoked without use_sched_clock=1, yet sp804_register_delay_timer is still called unconditionally - creating the conditions for a NULL/uninitialized pointer access in sp804_read(). EPSS is 0.02% (5th percentile), no KEV listing exists, and no public exploit has been identified, placing this as low operational priority outside specialized ARM32 embedded deployments.
Denial-of-service via recursion deadlock in the Linux kernel's NFS LOCALIO subsystem when direct memory reclaim occurs on systems using loopback NFS mounts. The LOCALIO optimization - which bypasses network I/O when NFS client and server share the same host - fails to restrict its page cache allocations to GFP_NOFS context, allowing the kernel memory allocator to re-enter NFS via nfs_writepages during reclaim (path: NFS LOCALIO → XFS → NFS), producing a deadlock and kernel hang. No public exploit exists and EPSS stands at 0.02% (4th percentile), consistent with a kernel subsystem defect that requires a specific local configuration rather than a broadly exploitable condition. Vendor-released patches are available across stable kernel branches.
Double-disable of managed clocks in the Linux kernel's fsl-edma (Freescale/NXP eDMA) DMA engine driver triggers kernel WARN_ON warnings during driver removal, causing an availability impact on affected systems. The bug originates from commit a9903de3aa16731846bf924342eca44bdabe9be6, where clocks allocated via devm_clk_get_enabled() - which automatically handles teardown - are also manually disabled in fsl_edma_remove(), resulting in a 'already disabled/unprepared' warning for each clock. No public exploit has been identified at time of analysis, and EPSS is 0.02% (5th percentile), reflecting the low likelihood of targeted exploitation of this kernel quality defect.
Unaligned memory access in the Linux Kernel's AppArmor DFA table parser causes a denial of service on strict-alignment architectures. AppArmor's deterministic finite automaton (DFA) policy tables, which can originate from either kernel or userspace via apparmor_parser, lack guaranteed 8-byte alignment; on architectures that fault or warn on unaligned access (confirmed via SPARC call trace in the description), loading AppArmor profiles triggers a kernel WARNING at security/apparmor/match.c:316 and fails profile loading. No public exploit exists and no KEV listing is present; EPSS is 0.02% (5th percentile), consistent with a low-severity, architecture-specific, local-only issue.
Heap buffer overflow in the Linux kernel's pstore/ram subsystem (persistent_ram_save_old function) allows local attackers with low privileges to trigger out-of-bounds writes and reads when the ramoops buffer size grows across boot cycles. The flaw affects Linux kernel versions from 3.5 onward and carries a CVSS 7.8 (High) rating, though exploitation requires a highly improbable chain of conditions across reboots. No public exploit identified at time of analysis, and EPSS is very low at 0.03%.
Linked-list corruption in the Linux kernel's btrfs filesystem allows a local user with btrfs write access to trigger memory corruption and a transaction abort when EXTENT_TREE_V2 incompat flag is enabled. The flaw stems from the block group tree being added twice to the switch_commits list, corrupting prev/next pointers and ultimately leading to filesystem inconsistency. No public exploit identified at time of analysis and EPSS probability is low at 0.02%, but the CVSS 8.4 reflects high local impact on confidentiality, integrity, and availability.
Denial of service in the Linux kernel's MIPS architecture support affects builds compiled with LLVM/Clang versions 18 through 21, where the compiler incorrectly restores the $gp global register variable in the relocate_kernel() epilogue. The result is that __current_thread_info points to the unrelocated kernel address space, causing an immediate NULL-pointer dereference in init_idle during early boot and a panic before userspace ever starts. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the issue is a boot-time crash rather than a remotely triggerable flaw.
Kernel crash in the Linux octeontx2-af driver exposes Marvell OcteonTX2 systems to a denial-of-service condition triggered by kexec reboots when both AF and PF drivers are loaded as modules. Because kexec does not power-cycle hardware, the RVUM block revision register retains its pre-reboot value; the PF driver misinterprets this stale register value as confirmation that AF initialization is complete and proceeds to access hardware state that has not yet been reinitialized in the new kernel, producing a kernel panic. No public exploit exists and EPSS is 0.02% (7th percentile), confirming this is a niche reliability defect in a specific hardware/driver configuration rather than an adversarially weaponizable flaw.
Stale link mapping in the ath12k Wi-Fi 7 driver causes a kernel WARN_ON condition when MLO (Multi-Link Operation) connection preparation fails mid-initialization, leaving ahvif->links_map in an inconsistent state. Systems running the Linux kernel with Qualcomm ath12k hardware (e.g., QCN9274) are affected across stable branches through 6.18.13, 6.19.3, and pre-7.0 releases. A local low-privileged user capable of triggering repeated MLO authentication failures can induce kernel warning conditions, resulting in high availability impact with no public exploit identified at time of analysis.
Kernel crash (denial of service) affects Qualcomm GFX3D GPU clock management on ARM64 Linux systems running vulnerable kernel versions. A regression introduced by commit d228ece36345 ('clk: divider: remove round_rate() in favor of determine_rate()') left the best_parent_hw field unpopulated in parent_req during GFX3D clock rate determination, causing a NULL dereference crash triggered by normal GPU devfreq monitoring. A local low-privileged user on a Qualcomm MSM/Snapdragon device can induce this crash through GPU frequency scaling activity. No public exploit exists and EPSS is 0.02%, consistent with a narrow hardware-specific bug rather than broadly exploitable vulnerability.
Use-after-free in the Linux kernel's pm8916_lbc power supply driver allows a local attacker to potentially trigger memory corruption or kernel crashes during device removal. The flaw stems from incorrect ordering of devm_-managed resources: the extcon handle is freed before the IRQ is unregistered, leaving a window where the IRQ handler invokes extcon_set_state_sync() on freed memory. No public exploit identified at time of analysis, and EPSS rates exploitation probability at 0.02% (5th percentile), reflecting low real-world attacker interest in this driver-specific race.
Null pointer dereference in the Linux kernel's AMD GPU display driver (drm/amd/display) crashes the kernel during Hot Plug Detection (HPD) initialization on systems with AMD GPUs. The amdgpu_dm_hpd_init() function assigns dc_link from a connector but then unconditionally dereferences it at line 940 of amdgpu_dm_irq.c without first confirming it is non-NULL - connectors lacking a valid dc_link trigger a kernel NULL dereference. Exploitation requires local, low-privileged access to a system with an affected AMD GPU; no public exploit has been identified at time of analysis and EPSS probability is 0.02% (5th percentile), indicating very limited real-world exploitation pressure.
Denial of service in the Linux kernel's DRM Panthor GPU driver allows a local authenticated user to trigger an unrecoverable system hang via a blocked GPU memory subsystem. Specifically, when `panthor_gpu_flush_caches()` times out due to a blocked memory subsystem - a condition inducible through buggy GPU jobs submitted by user-mode drivers (UMD) - the driver previously had no recovery path, causing indefinite waits and system unavailability. The fix introduces timeout-aware reset scheduling and immediate -EIO short-circuiting for queued flush operations after a failure, but until patched, the condition is exploitable by any local user with access to the GPU device. No public exploit code exists and EPSS is extremely low (0.02%), consistent with a niche hardware-specific local DoS.
NULL pointer dereference in the Linux kernel's PCI endpoint NTB driver allows an authenticated local attacker to crash the kernel (denial of service) by triggering a memory allocation failure during driver initialization. The missing NULL check after `alloc_workqueue()` in `epf_ntb_epc_init()` causes a subsequent `queue_work()` call to dereference a NULL pointer, resulting in a kernel panic. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects the narrow hardware-specific attack surface; this is not confirmed actively exploited (CISA KEV absent).
Header injection via parser differential in daphne before 4.2.2 allows unauthenticated remote attackers to smuggle synthetic headers into the ASGI scope received by Django applications during WebSocket handshake processing. The root cause is that Twisted (which daphne uses to parse inbound HTTP) ignores six specific Unicode bytes as line separators, while autobahn (which daphne feeds for WebSocket negotiation) calls Python's str.splitlines() and recognizes them - causing a single header value to be split into multiple injected header lines. No public exploit has been identified at time of analysis, and CVSS scores this at 3.7 (Low) due to high attack complexity, though real-world severity scales with how heavily the downstream application trusts ASGI-scope headers for security decisions.
Log injection in morgan Node.js middleware versions 1.2.0 through 1.10.1 allows unauthenticated remote attackers to forge access log entries by embedding CR or LF control characters in the Basic authentication username of the Authorization request header. The :remote-user format token writes this value to the log stream without sanitization, breaking the one-request-per-line log structure and enabling attackers to fabricate arbitrary log lines visible to downstream consumers such as SIEMs or log aggregators. No active exploitation is confirmed (not in CISA KEV) and no public exploit code is identified at time of analysis, but the zero-prerequisite network attack vector and widespread use of morgan across the Node.js/Express ecosystem make this a meaningful integrity risk for security monitoring pipelines.
Error message injection in Go's net/textproto standard library package allows unauthenticated remote attackers to embed attacker-controlled content into error strings that applications subsequently print or log. Affected Go releases span all net/textproto versions prior to 1.25.11 and 1.26.4, covering a broad surface area of Go-based HTTP, MIME, and mail-handling applications. No public exploit code exists and exploitation probability is extremely low (EPSS 0.02%, 5th percentile), but the integrity risk is real in deployments where net/textproto errors are surfaced to logs, monitoring systems, or user-facing output without sanitization.
Unbounded memory allocation in warmcat libwebsockets up to 4.5.8 allows remote unauthenticated attackers to exhaust server heap resources by sending SSH packets with a crafted oversized `msg_len` value, resulting in denial of service. The vulnerability is confined to deployments using the optional SSH server plugin (`protocol_lws_ssh_base`) and carries a CVSS 5.3 Medium rating with no confidentiality or integrity impact. A public proof-of-concept exploit exists and the CVSS temporal vector confirms exploit availability (E:P) and an official patch (RL:O); no CISA KEV listing indicates no confirmed widespread in-the-wild exploitation as of the analysis date.
Denial of service in React Router 7.0.0-7.14.x and @remix-run/server-runtime 2.10.0-2.17.4 allows remote unauthenticated attackers to exhaust server resources by sending crafted requests to the __manifest endpoint, which triggers unbounded path expansion. Only applications running in React Router Framework Mode or Remix are affected; Declarative Mode (<BrowserRouter>) and Data Mode (createBrowserRouter) deployments are not. No public exploit identified at time of analysis, and the issue is patched in react-router 7.15.0 and @remix-run/server-runtime 2.17.5.
Open redirect in React Router's programmatic `redirect()` function allows unauthenticated remote attackers to redirect users to arbitrary external domains by supplying path values beginning with `//`, which browsers interpret as protocol-relative (scheme-relative) URLs. Affected are applications in the v7 series (7.0.0-7.14.0) and v6 series (6.7.0-6.30.3) that expose user-influenced input to `redirect()` without validating the path prefix. No public exploit identified at time of analysis - CVSS 4.0 supplemental metric E:U (Unreported) confirms no known active exploitation - but the technique is trivially constructible from the advisory description alone, and patched releases 7.14.1 and 6.30.4 are available.
Client-side Cross-Site Scripting in React Router 7.7.0 through 7.13.1 affects applications using the unstable React Server Components (RSC) APIs, where redirect handling fails to sanitize destinations originating from untrusted sources. An attacker who can influence redirect targets consumed by RSC handlers may inject script payloads that execute in the victim's browser, with no public exploit identified at time of analysis. The advisory is published as GHSA-rxv8-25v2-qmq8 and the issue is fixed in 7.13.2.
Client-side cross-site scripting in React Router 7.7.0 through 7.13.1 allows remote attackers to execute arbitrary script in a victim's browser when the application uses the unstable React Server Components (RSC) APIs and processes redirects originating from untrusted sources. The flaw is patched in 7.13.2; no public exploit identified at time of analysis and the vulnerability does not affect deployments that do not opt into the RSC APIs.
Cross-site scripting in React Router's Framework Mode (versions 7.5.1-7.13.1) allows an authenticated attacker with influence over redirect destinations to inject malicious content into statically pre-rendered HTML files via an unsanitized HTTP Location header. Exploitation requires both low-privilege authentication (confirmed by CVSS PR:L) and victim user interaction (UI:R), limiting mass exploitation. No public exploit has been identified at time of analysis, and CISA KEV status is not confirmed. A vendor-released patch exists in version 7.13.2.