Skip to main content

Red Hat

8624 CVEs vendor

Monthly

CVE-2026-9874 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker to exploit a use-after-free condition in the Dawn WebGPU implementation through a crafted HTML page, leading to potential escape from the browser's renderer sandbox. The flaw carries a CVSS 9.6 with scope change reflecting cross-boundary impact, and while no public exploit identified at time of analysis, Google's own classification of the underlying Chromium severity as Critical signals significant risk to end users. EPSS is currently low (0.03%, 11th percentile), suggesting no widespread exploitation has been observed yet despite the severity.

Google Use After Free Denial Of Service Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-9873 HIGH PATCH This Week

Remote code execution in Google Chrome desktop versions prior to 148.0.7778.216 allows a remote attacker to execute arbitrary code within the renderer sandbox by serving a crafted HTML page that triggers a use-after-free condition in the Network component. Google rates the underlying Chromium issue as Critical severity, and no public exploit identified at time of analysis, though the bug class and reachable attack surface make it a high-priority browser patch.

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-49299 PyPI MEDIUM PATCH This Month

Incorrect authorization in OpenStack Neutron 26.0.0 through pre-28.0.1 allows authenticated project readers to write (create and update) tags on same-project resources, exceeding their intended read-only scope. The root cause is a naming mismatch in the tagging controller: single-tag write operations are enforced using plural policy action names (e.g., 'add_tags'), while the configured policy rules use singular names (e.g., 'add_tag'). Because the plural names do not match any defined rule, OpenStack's default policy behavior evaluates the action as permitted. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV.

Authentication Bypass Red Hat
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-48525 PyPI MEDIUM POC PATCH GHSA This Month

Uncontrolled resource consumption in PyJWT 2.8.0-2.12.1 exposes any service that verifies detached JWS tokens to unauthenticated denial-of-service. When the unencoded-payload extension (b64=false, RFC 7797) is in use, PyJWT unnecessarily Base64URL-decodes the compact-serialization payload segment before discarding it in favor of the caller-supplied detached payload - turning that segment into an attacker-controlled amplifier for CPU and memory exhaustion regardless of signature validity. No public exploit has been identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms fully unauthenticated remote exploitation against any affected endpoint using this feature.

Python Denial Of Service Red Hat
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-48523 PyPI MEDIUM PATCH GHSA This Month

Algorithm allow-list bypass in PyJWT 2.9.0-2.12.1 permits an attacker who controls a registered JWK/JWKS private key to circumvent caller-enforced algorithm restrictions during JWT signature verification. The library correctly checks the token header's alg claim against the caller-supplied allow-list, but then performs the actual cryptographic verification using the algorithm bound to the PyJWK object rather than the header-declared algorithm - creating a exploitable mismatch. Specifically, the documented PyJWKClient.get_signing_key_from_jwt() flow is affected, meaning applications relying on this pattern for algorithm-restricted JWT validation may accept tokens signed with algorithms they explicitly prohibited. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Authentication Bypass Jwt Attack Python Red Hat
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-48522 PyPI MEDIUM PATCH GHSA This Month

PyJWKClient in PyJWT prior to 2.13.0 passes attacker-influenced URIs directly to Python's urllib.request.urlopen() without restricting URI schemes, enabling Server-Side Request Forgery (SSRF) across file://, FTP, and data-URI schemes against applications that accept untrusted jku values. Affected deployments include any Python application using PyJWKClient where the jku URL originates from a JWT header, OAuth flow parameter, or externally influenced configuration. No public exploit exists and no CISA KEV listing is present; real-world exploitation is constrained by a CVSS-confirmed high attack complexity (AC:H) and required user interaction (UI:R), making opportunistic mass exploitation unlikely.

SSRF Python Red Hat
NVD GitHub
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-48155 PyPI MEDIUM PATCH GHSA This Month

Memory exhaustion in pypdf prior to 6.12.0 allows an attacker who supplies a crafted PDF to cause large memory consumption in any application that processes it using layout mode text extraction. The vulnerability is triggered by PDFs containing text positioning operators with abnormally large x- or y-coordinate offsets, causing the library to allocate unbounded whitespace and newline characters during rendering. No confirmed active exploitation exists (not in CISA KEV), and SSVC rates this as non-automatable with partial technical impact, placing it in a lower operational priority tier despite the straightforward exploitation mechanic.

Python Denial Of Service Suse Red Hat
NVD GitHub
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-48156 PyPI MEDIUM PATCH GHSA This Month

Denial-of-service via algorithmic complexity in pypdf before 6.12.0 allows an attacker who can supply a crafted PDF file to cause excessive processing time during cross-reference stream parsing. The vulnerability is triggered by crafting a PDF with /W [0 0 0] field values in a cross-reference stream combined with a large /Size value, which causes the library to perform unbounded iteration over zero-byte entries. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, any application that processes untrusted PDF input using pypdf is exposed.

Information Disclosure Python Suse Red Hat
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48735 PyPI MEDIUM PATCH GHSA This Month

Memory exhaustion in pypdf's XMP metadata parser allows denial of service via specially crafted PDF files containing oversized or element-dense XMP blocks, affecting all versions prior to 6.12.1. The vulnerability stems from an absence of input limits in the XML-based XMP parsing subsystem (CWE-770), meaning processing a malicious PDF can consume unbounded system memory. No public exploit code has been identified at time of analysis, and no confirmed active exploitation exists; however, the patch diff is publicly visible on GitHub, making trivial exploit construction feasible.

Python Denial Of Service Suse Red Hat
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-42250 MEDIUM PATCH This Month

Out-of-bounds write in bzip2's bzip2recover utility allows a local attacker to supply a specially crafted file that triggers an off-by-one error, corrupting a global buffer and crashing the process. Per the CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:N), the attack requires no privileges and no user interaction beyond the utility being invoked against a malicious file. Impact is strictly denial of service against the bzip2recover process - no confidentiality or integrity exposure - and the CVSS 4.0 score of 5.1 (Medium) reflects this constrained scope. No public exploit or active exploitation has been identified at time of analysis.

Memory Corruption Denial Of Service Buffer Overflow Red Hat
NVD VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-41565 HIGH PATCH This Week

Denial-of-service via stack buffer overflow in CryptX (Perl cryptography module) versions before 0.088_001 affects four AEAD decryption helpers that copy attacker-controlled authentication tags into a fixed 144-byte stack buffer without bounds checking. Remote attackers can crash any Perl application that passes untrusted tags to gcm_decrypt_verify, ccm_decrypt_verify, chacha20poly1305_decrypt_verify, or eax_decrypt_verify, resulting in process termination. No public exploit identified at time of analysis, and EPSS scoring (0.04%, 13th percentile) reflects low expected exploitation activity despite the network attack vector.

Buffer Overflow Stack Overflow Cryptx Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-46241 HIGH PATCH This Week

Use-after-free in the Linux kernel SPI controller driver for Freescale MPC52xx (spi-mpc52xx) occurs when controller registration fails and the previously requested interrupts are not properly disabled or released, leaving dangling interrupt handlers tied to freed memory. Local users with the ability to load or interact with this SPI driver on affected systems could potentially trigger memory corruption or information disclosure. EPSS is 0.02% and there is no public exploit identified at time of analysis, but the issue is rated CVSS 7.8 due to high impact on confidentiality, integrity, and availability.

Linux Use After Free Memory Corruption Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46239 MEDIUM PATCH This Month

Runtime PM reference count leak in the Linux kernel's OmniVision OV5647 camera sensor driver (media/i2c/ov5647) causes availability loss for systems equipped with this camera hardware. The s_ctrl function's handling of three V4L2 controls - AUTOGAIN, EXPOSURE_AUTO, and ANALOGUE_GAIN - returns early without invoking pm_runtime_put(), allowing unpaired runtime PM get/put calls to accumulate. A local user with access to the camera device node can trigger this imbalance repeatedly, exhausting the PM reference count and preventing the device from entering low-power states, ultimately making it unavailable. No public exploit has been identified; EPSS is 0.02% (5th percentile) and this vulnerability does not appear in CISA KEV.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46236 MEDIUM PATCH This Month

Availability impact in the Linux kernel's xbox_remote media/rc driver allows a local, low-privileged user with access to the affected device to crash the kernel via a DMA coherency violation. The IO buffer used for USB transfers is embedded directly within the device structure, which violates DMA coherency rules and can trigger memory corruption leading to kernel panic. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% reflects minimal observed exploitation activity. Vendor-released patches are available across multiple stable kernel branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46235 MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's saa7164 media driver can crash the kernel when ioremap() fails during PCI device initialization. Systems with SAA7164-based PCIe capture cards (e.g., Phillips/NXP SAA7164) running unpatched kernel versions from 2.6.32 through stable branches prior to 6.6.140, 6.12.90, 6.18.32, and 7.0.9 are affected. A local, low-privileged attacker who can trigger driver initialization under memory pressure conditions may cause a kernel oops or panic, resulting in denial of service. No public exploit exists and EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation probability at this time.

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46234 HIGH PATCH This Week

Local privilege escalation in the Linux kernel's vsock (virtio sockets) subsystem stems from inverted buffer-size clamping logic in vsock_update_buffer_size(), allowing a local user to grow vsk->buffer_size beyond the configured vsk->buffer_max_size and violate intended socket memory boundaries. Affected branches include stable trees prior to 6.6.140, 6.12.90, 6.18.32, 7.0.9, and 7.1-rc1; no public exploit identified at time of analysis and EPSS is 0.02% (5th percentile).

Linux Memory Corruption Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46233 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's batman-adv Bridge Loop Avoidance (BLA) subsystem enables local denial of service via kernel panic. The race condition exists in batadv_bla_purge_claims(), which traverses the claim hash list under rcu_read_lock() without accounting for concurrent claim releases - when batadv_claim_release() NULLs the backbone_gw pointer mid-traversal, a subsequent call to batadv_bla_claim_get_backbone_gw() on the partially-freed claim triggers a NULL dereference. Exploitation requires local low-privilege access on systems actively running batman-adv with BLA enabled; no active exploitation is confirmed and EPSS stands at 0.02% (5th percentile).

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46231 MEDIUM PATCH This Month

Reference counting failure in the Linux kernel's batman-adv Bridge Loop Avoidance (BLA) subsystem allows a local low-privileged user to cause a slow kernel memory leak and eventual denial of service. Specifically, batadv_bla_add_claim() omits the required batadv_backbone_gw_put() call on the error path when a claim hash insertion fails, preventing the backbone_gw object's reference count from ever reaching zero. The vulnerability has been present since at least kernel 4.7 and is patched across multiple stable branches; no public exploit exists and EPSS is extremely low at 0.02% (5th percentile), placing this firmly in the low-urgency tier except for environments actively running batman-adv with BLA.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46229 MEDIUM PATCH This Month

Stale VRAM exposure in the Linux kernel's amdkfd driver (drm/amdkfd) allows local authenticated users to observe prior occupants' GPU memory contents and crash multi-GPU compute workloads. The KFD allocation path omitted the AMDGPU_GEM_CREATE_VRAM_CLEARED flag - present in every other userspace GEM allocation path - leaving freshly allocated VRAM buffers populated with data from previous processes. The primary documented availability impact is deterministic crashes in RCCL peer-to-peer transport when stale values corrupt the ptrExchange, head, and tail protocol fields; a secondary information-disclosure risk exists because stale page-table remnants are observable by unprivileged compute kernels. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile).

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46228 MEDIUM PATCH This Month

Memory leak in the Linux kernel's spi: ch341 USB-to-SPI driver allows a local user to degrade system availability by triggering driver unbind without physical device disconnection. The defect lies in incorrect devres (device-managed resource) lifetime scoping - resources are anchored to the parent USB device rather than the USB interface, so they are not released when the driver unbinds during events such as probe deferral or runtime configuration changes. No public exploit has been identified at time of analysis, and an EPSS score of 0.02% (4th percentile) indicates negligible exploitation probability in the near term.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46226 MEDIUM PATCH This Month

Improper driver teardown ordering in the Linux kernel's Freescale (FSL) SPI controller driver allows a local low-privileged user to trigger a denial-of-service condition during driver unbind. The SPI controller is not deregistered before underlying resources such as DMA are released, creating a window where the controller may reference freed memory. No public exploit has been identified at time of analysis, and EPSS sits at 0.02% (5th percentile), reflecting low real-world exploitation probability.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46225 MEDIUM PATCH This Month

Improper resource deregistration ordering in the Linux kernel's spi/rspi (Renesas SPI controller) driver causes a local denial-of-service condition during driver unbind. The rspi driver releases DMA resources before deregistering the SPI controller, creating a window where in-flight controller operations can reference freed memory, resulting in a kernel crash or panic. With CVSS availability impact rated High and EPSS at 0.02% (5th percentile), this is a low-probability but locally exploitable stability issue affecting systems with Renesas SPI hardware. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46224 MEDIUM PATCH This Month

Memory leak in the Linux kernel's drm/xe Intel Xe GPU driver allows a local, low-privileged user to exhaust kernel memory by repeatedly triggering DMA buffer import failures, leading to denial of service. The bug resides in xe_dma_buf_init_obj(), where a pre-allocated buffer object (bo) is not freed when drm_gpuvm_resv_object_alloc() fails, due to ambiguous ownership semantics between the caller and callee on error paths. No public exploit exists and EPSS probability is extremely low at 0.02% (4th percentile), placing this in the maintenance-priority category rather than urgent remediation for most environments.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46223 MEDIUM PATCH This Month

An A-A (same-task) deadlock in the Linux kernel cgroup rmdir path (versions 7.0 through 7.1-rc2 and 6.19.x) can permanently hang the entire system, requiring a hard reboot. When a process acting as both a PID namespace zombie reaper (e.g., systemd/PID 1) and the cgroup rmdir(2) caller encounters dying tasks still linked to cgroup csets, the kernel blocks the reaper indefinitely in TASK_UNINTERRUPTIBLE, creating a circular dependency from which the system cannot recover. No public exploit has been identified at time of analysis, EPSS exploitation probability is extremely low (0.02%), and no CISA KEV listing exists - consistent with the scenario's narrow, operationally specific triggering conditions.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46222 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's Rockchip RKCIF (Camera Interface) media driver crashes the kernel when a local user enables streaming on a video device with no connected subdevice. Affected systems are Rockchip SoC-based platforms running Linux kernel versions from the introduction of the rkcif driver up through 6.19. A low-privileged local attacker can trigger a kernel panic - full denial of service - via the standard V4L2 VIDIOC_STREAMON ioctl. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS of 0.02% (5th percentile) reflects the narrow hardware-specific attack surface.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46221 MEDIUM PATCH This Month

Memory leak in the Linux kernel's EDAC/versalnet driver allows a local low-privileged user to gradually exhaust kernel heap memory, rated CVSS 5.5 with high availability impact. The flaw exists in init_one_mc() where a kzalloc()-allocated device name string becomes permanently unreachable after device_register() copies and nullifies the pointer, preventing any subsequent free on device removal. No public exploit identified at time of analysis; EPSS at 0.02% (4th percentile) confirms this is a low-exploitation-probability defect rather than an actively targeted vulnerability.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46220 MEDIUM PATCH This Month

Kernel panic via reachable assertion in the Linux kernel's AMDGPU SDMA v4 driver allows a local low-privileged user to crash the system by submitting crafted GPU command buffers. The sdma_v4_0_ring_emit_fence() function contains BUG_ON() assertions verifying dword-alignment of fence writeback addresses; these assertions are reachable through the DRM_IOCTL_AMDGPU_CS ioctl from unprivileged userspace, causing a fatal panic in a kernel scheduler worker thread. No public exploit or active exploitation has been identified at time of analysis, and EPSS at 0.02% reflects low exploitation likelihood, but the impact on shared GPU compute systems warrants prompt patching.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46219 HIGH PATCH This Week

Use-after-free in the Linux kernel's MPC52xx SPI driver (spi-mpc52xx) can be triggered when the driver is unbound, because the interrupt-scheduled state machine work is not cancelled after interrupts are disabled. Local users with the ability to unbind the driver could potentially corrupt kernel memory, with confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.

Use After Free Linux Information Disclosure Memory Corruption Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46217 MEDIUM PATCH This Month

Integer overflow in the AMDGPU VCN4 (Video Core Next 4) multimedia driver within the Linux kernel allows a local low-privileged user to cause a kernel denial of service. The bounds check on incoming messages to the VCN4 encoder/decoder engine contains an overflow-vulnerable condition, meaning a crafted message can bypass intended size validation. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at the 5th percentile, indicating very low real-world exploitation likelihood currently.

Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46216 MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's Intel Xe DRM HDCP GSC subsystem allows a local, low-privileged user to crash the kernel when media GT is disabled via configfs. The function `intel_hdcp_gsc_check_status()` evaluates `&gt->uc.gsc` without first verifying that `media_gt` is non-NULL, producing a kernel pagefault on systems where media GT has been explicitly disabled through the configfs interface. Exploitation yields a denial of service (kernel panic) with no confidentiality or integrity impact; no public exploit identified at time of analysis, and EPSS probability is 0.02% (5th percentile), indicating very low exploitation likelihood in the wild.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46214 MEDIUM PATCH This Month

Denial-of-service via accept queue counter leak in the Linux kernel's vsock/virtio subsystem allows an authenticated local attacker to permanently exhaust a listener socket's backlog, causing it to reject all new connections. The flaw exists from kernel 5.5 onward in virtio_transport_recv_listen(), where sk_acceptq_added() is called before vsock_assign_transport() validation; failed transport assignments never call the paired sk_acceptq_removed(), permanently inflating sk_ack_backlog. No public exploit exists and EPSS is at the 5th percentile, but the impact in multi-tenant virtualized environments relying on vsock communication is a complete denial of vsock listener service.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46213 HIGH PATCH This Week

Use-after-free in the Linux kernel's appletb-kbd HID driver allows local low-privileged users on Apple Touch Bar-equipped MacBooks to potentially trigger memory corruption during driver tear-down. The flaw stems from incorrect ordering of timer cleanup and device reference release in the inactivity-timer cleanup path, leaving two race windows where a softirq can dereference freed backlight_device memory. EPSS is very low (0.02%) and no public exploit identified at time of analysis; impact is limited to systems running the appletb-kbd driver, primarily Apple MacBook Pro hardware with Touch Bars.

Information Disclosure Use After Free Apple Microsoft Memory Corruption +3
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46211 MEDIUM PATCH This Month

NULL pointer dereference and silent error suppression in the Linux kernel's Qualcomm MSM DRM/GEM subsystem allows a low-privileged local user to crash the kernel (denial of service) via a crafted GEM_INFO ioctl call. The msm_ioctl_gem_info_get_metadata() function unconditionally returns 0 on error and fails to check kmemdup() for a NULL return, enabling a dereference in the subsequent copy_to_user() call. No public exploit has been identified at time of analysis and EPSS is 0.02% (5th percentile), reflecting minimal real-world exploitation pressure despite the confirmed availability of upstream patch commits.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46207 MEDIUM PATCH This Month

Uninitialized socket buffer data exposure in the Linux kernel's vsock/virtio transport layer (6.7 and later) corrupts vsockmon tap monitoring output when non-linear skbs are in use. The `virtio_transport_copy_nonlinear_skb()` function constructs an `iov_iter` without setting `iov_iter.count`, causing zero-length copies that leave skb payloads uninitialized on the monitor interface - potentially exposing stale kernel memory to vsockmon consumers. Patched stable releases 6.12.90, 6.18.32, and 7.0.9 are available; no public exploit exists and EPSS stands at 0.02% (5th percentile), placing real-world exploitation risk very low but warranting attention in environments actively using vsockmon debugging.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46202 MEDIUM PATCH This Month

Kernel crash (denial of service) in the Linux kernel's hid-appletb-kbd driver results from calling a mutex-acquiring function from softirq and IRQ atomic contexts on Apple Touch Bar MacBooks running Linux. Authenticated local attackers with low privileges can trigger a kernel BUG by inducing Touch Bar inactivity or generating HID events that exercise the broken brightness-reset path, crashing the system. No public exploit has been identified and EPSS is 0.02% (4th percentile), reflecting the niche hardware requirement; patches are available in kernel versions 6.18.32, 7.0.9, and 7.1-rc4.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46200 MEDIUM PATCH This Month

Denial-of-service via improper resource teardown ordering in the Linux kernel's MPC52xx SPI controller driver (spi/mpc52xx) affects systems running PowerPC-based embedded hardware. During driver unbind, the SPI controller was deregistered after - rather than before - disabling underlying resources such as interrupts and GPIOs, creating a window where the kernel could access freed or disabled resources and trigger a system crash. No public exploit has been identified at time of analysis, and with an EPSS of 0.02% (5th percentile), real-world exploitation is assessed as very low probability.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46194 MEDIUM PATCH This Month

Kernel panic via race condition in the f2fs filesystem extent node management affects Linux kernel across multiple stable branches. When f2fs_destroy_extent_node() is invoked from f2fs_drop_inode() with I_SYNC set, a concurrent kworker writeback thread can insert new extent nodes into the same extent tree between lock releases, causing node_cnt to become non-zero upon loop exit and triggering f2fs_bug_on() - a deliberate kernel assertion failure resulting in a system crash. A secondary gap leaves EX_BLOCK_AGE extent tree updates completely unprotected by the FI_NO_EXTENT flag check, compounding the race surface. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile), indicating low exploitation probability in the near term.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-46192 MEDIUM PATCH This Month

Denial of service in the Linux kernel's Microchip Core QSPI driver corrupts SPI transfers on systems using this controller. The spi-microchip-core-qspi driver incorrectly attempts to transmit garbage data during emulated read-only dual/quad SPI operations - a protocol violation, since QSPI lacks a dedicated MOSI line and the core hardware is expected to generate read clock cycles autonomously. The result is a bricked (permanently failed) SPI transfer, causing availability loss for any kernel component or userspace process depending on that SPI bus. No public exploit exists and EPSS probability is 0.02%, consistent with a hardware-specific, locally-triggered driver defect.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46188 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's octeon_ep_vf driver crashes the kernel when napi_build_skb() fails during memory allocation in the receive path. Systems running kernels from the introduction of the octeon_ep_vf driver (commit 1cd3b407977c) through multiple stable branches are affected where Marvell Octeon EP VF network adapters are in use. A local, low-privileged attacker who can induce memory pressure while network traffic flows through an Octeon EP VF interface can trigger a kernel panic, resulting in full system unavailability. No public exploit code exists, EPSS is 0.02% (5th percentile), and this vulnerability has not been added to CISA KEV.

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46187 MEDIUM PATCH This Month

Use-after-free in the Linux kernel's RSI (Redpine Signals) WiFi driver allows a local low-privileged attacker to crash the kernel by exploiting a race condition between kthread self-exit and external stop operations. When `kthread_complete_and_exit` races ahead of `kthread_stop`, the already-freed task struct is dereferenced, causing a kernel denial of service. No public exploit has been identified and EPSS sits at 0.02% (5th percentile), reflecting very low real-world exploitation probability; the vulnerability is not listed in CISA KEV.

Race Condition Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-46186 MEDIUM PATCH This Month

Uninitialized memory read in Linux kernel's Bluetooth virtio_bt driver allows a malicious or compromised virtio backend to trigger kernel DoS and potential information disclosure against guest VMs. The driver's virtbt_rx_handle() function fails to validate that received RX socket buffers contain sufficient bytes to cover the fixed HCI header for the declared packet type before forwarding to hci_recv_frame(). A backend-supplied one-byte completion with type HCI_ACLDATA_PKT causes the ACL classification path in hci_dev_classify_pkt_type() to dereference hci_acl_hdr(skb)->handle on an empty buffer when the HCI device holds an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with a kernel subsystem bug requiring privileged backend access in a virtualized environment.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46184 MEDIUM PATCH This Month

Division by zero in the Linux kernel's ua101 USB audio driver allows a local attacker to crash the kernel by presenting a crafted USB device with a malformed audio class descriptor. The ua101 driver's `detect_usb_format()` function fails to validate the `bNrChannels` field before use, so a device reporting `bNrChannels = 0` causes `frame_bytes` to become zero, which is subsequently used as a divisor in both `playback_urb_complete()` and `capture_urb_complete()` URB handlers, triggering a fatal kernel panic. No public exploit has been identified and EPSS is 0.02% (5th percentile), but the vulnerability affects multiple supported stable branches and patches are available across all of them.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46183 HIGH PATCH This Week

Use-after-free in the Linux kernel's DAMON (Data Access MONitor) sysfs-schemes interface allows local users with sysfs access to read freed memory by racing concurrent reads and writes of the quota goal 'path' file across separate file descriptors. EPSS is 0.02% and no public exploit identified at time of analysis, but the CVSS 7.8 reflects full CIA impact if a local attacker can win the race.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46182 MEDIUM PATCH This Month

Kernel stack memory disclosure in the Linux kernel's pseries/papr-hvpipe driver exposes up to 43 bytes of uninitialized stack data to unprivileged local users on IBM Power (pseries) systems. The `struct papr_hvpipe_hdr` reserved padding fields (`reserved[3]` and `reserved2[40]`) are never zeroed before `copy_to_user()` copies the full structure to userspace, allowing a local attacker to harvest stale kernel stack contents - potentially including ASLR offsets or residual cryptographic material. No public exploit exists and no CISA KEV listing applies; EPSS at 0.02% (4th percentile) reflects low exploitation probability consistent with the narrow pseries-only deployment scope. Vendor-released patches are confirmed in stable branches 6.18.30, 7.0.7, and 7.1-rc3.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46179 MEDIUM PATCH This Month

Divide-by-zero in the Linux kernel ASoC SOF compressed audio subsystem allows a low-privileged local user to crash the kernel by querying stream pointer position before stream parameters are configured. Affected are Linux kernel stable branches 6.6 through 7.0 (pre-patch), all running on hardware with SOF audio drivers loaded. No active exploitation has been confirmed - EPSS sits at 0.02% (5th percentile) and the vulnerability is absent from CISA KEV - making this a medium-severity availability risk relevant primarily to multi-user desktop and embedded audio platforms.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46172 MEDIUM PATCH This Month

Resource exhaustion via dst entry reference leak in the Linux kernel's IPv6 IPsec (xfrm6) receive path allows a local attacker with low privileges to cause a denial of service by exhausting kernel memory. The flaw exists in xfrm6_rcv_encap(), which calls ip6_route_input_lookup() returning a referenced dst entry even for error routes, but fails to release that reference before dropping the packet when dst->error is set. Repeated packets hitting this code path therefore accumulate unreleased dst references, ultimately crashing the system. No public exploit exists and this vulnerability is not in the CISA KEV list; EPSS exploitation probability is extremely low at 0.02% (5th percentile).

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46171 MEDIUM PATCH This Month

Memory leak in the Linux kernel's RISC-V KVM vector context allocation allows a local low-privileged attacker to exhaust kernel memory, causing denial of service on RISC-V hypervisor hosts. The flaw exists in kvm_riscv_vcpu_alloc_vector_context() where a failed second kzalloc call (host_context.vector.datap) returns an error without freeing the first allocation (guest_context.vector.datap), accumulating unreleased kernel memory across repeated vCPU creation attempts. No public exploit exists and no active exploitation is confirmed; EPSS at 0.02% (4th percentile) reflects the narrow RISC-V KVM deployment surface.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46170 MEDIUM PATCH This Month

The MPTCP (Multipath TCP) path manager in the Linux kernel mishandles socket reference counting during ADD_ADDR retransmission timer callbacks, resulting in a local denial-of-service. When the retransmit timer fires and holds the last reference to a socket, calling __sock_put() instead of sock_put() leaks the socket; and if sock_put() is used without first marking the timer done, the resulting sk_free() call invokes sk_stop_timer_sync() on the same in-flight timer, causing the kernel to wait indefinitely. No public exploit has been identified at time of analysis; EPSS is 0.02% (4th percentile), and the vulnerability is not listed in CISA KEV.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46168 MEDIUM PATCH This Month

Scheduling-while-atomic kernel panic in the Linux kernel MPTCP subsystem allows a local low-privileged user to crash the host by setting timestamp socket options on an MPTCP socket. The defect stems from invoking sleepable helpers - sock_set_timestamp() and sock_set_timestamping() - inside the atomic context established by lock_sock_fast(), violating the kernel's non-sleeping constraint for spinlock holders. No public exploit code has been identified and EPSS sits at 0.02% (5th percentile), indicating negligible real-world exploitation probability at this time. Note: the 'Information Disclosure' tag applied by some sources appears incorrect - the actual impact is limited to availability (kernel panic/crash) with no confidentiality or integrity consequence per the CVSS vector.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46167 MEDIUM PATCH This Month

Uninitialized heap memory in the Linux kernel's usblp USB printer driver leaks a stale kernel byte to userspace through the LPGETSTATUS ioctl when a malicious or non-compliant USB printer returns zero bytes to a one-byte status request. Affected branches span kernel versions from 2.6.12 through 6.18.x, 7.0.x, and 7.1-rc3, with fixes available in stable releases 6.6.140, 6.12.88, 6.18.30, and 7.0.7. No public exploit exists and EPSS stands at 0.02% (5th percentile); exploitation requires local access, a cooperating malicious USB device, and access to the printer device node - substantially narrowing real-world risk despite the breadth of affected kernel versions.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46165 MEDIUM PATCH This Month

OpenVSwitch tunnel port removal in the Linux kernel triggers a self-deadlock that permanently hangs the kernel's RTNL lock, causing a denial of service requiring system reboot. The flaw affects systems across multiple stable kernel branches (6.6.x, 6.12.x, 6.18.x, 7.0.x) where OVS tunnel vports (VXLAN, GRE, GENEVE) are actively managed. Patched versions are available across all affected stable branches; no public exploit identified at time of analysis, and the EPSS score of 0.02% (5th percentile) indicates negligible observed exploitation probability.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46163 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's b43legacy wireless driver allows a local attacker with low privileges to read beyond the dev->key[] array when firmware reports a key index exceeding dev->max_nr_keys. The existing B43legacy_WARN_ON check was non-enforcing in production builds, permitting memory disclosure during RX packet handling on systems with vulnerable Broadcom legacy WiFi chipsets. No public exploit identified at time of analysis, and EPSS is very low (0.02%), suggesting limited near-term mass exploitation despite a high CVSS of 7.8.

Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46162 HIGH PATCH This Week

Double-free memory corruption in the Linux kernel's Intel ice (E810) network driver occurs in the ice_sf_eth_activate() error path when auxiliary_device_add() fails, causing sf_dev to be freed twice. Affecting Linux kernel versions starting at 6.12 through pre-patch builds, a local privileged user triggering the failure path can corrupt kernel heap state, with no public exploit identified at time of analysis and a very low EPSS score of 0.02%.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46161 MEDIUM PATCH This Month

Divide-by-zero in the Linux kernel's md/raid10 subsystem allows a local authenticated user to crash the kernel by supplying a zero far_copies value when configuring a RAID10 array with the 'improved' far set layout. The affected function setup_geo() performs the division geo->far_set_size = disks / fc without first validating that fc is non-zero, triggering a kernel oops or panic and producing a high availability impact. EPSS is 0.02% (5th percentile) and this CVE is not listed in CISA KEV, consistent with the local-only, configuration-specific attack vector and no public exploit identified at time of analysis.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46158 MEDIUM PATCH This Month

Socket reference count leak in the Linux kernel MPTCP path manager allows a local low-privilege attacker to cause kernel resource exhaustion and denial of service by repeatedly triggering ADD_ADDR retransmission events. Affected versions span from Linux 5.10 through 7.1-rc2, with patches confirmed available in stable releases 6.18.30, 7.0.7, and 7.1-rc3. No public exploit has been identified and EPSS probability is negligible at 0.02%, placing this firmly in routine maintenance priority rather than emergency response.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46156 MEDIUM PATCH This Month

Kernel panic (ADE - Address Error for Memory access) in the LoongArch-specific PCI fixup function loongson_gpu_fixup_dma_hang() crashes systems that boot with a discrete Loongson GPU whose PCI device ID does not match any handled case in the switch statement. The missing default case causes readl() to be called with a garbage MMIO address derived from uninitialized register state, resulting in a hard kernel panic at boot time (PID 1, swapper/0) and rendering the system unavailable. No public exploit identified at time of analysis, and EPSS is 0.02% (5th percentile), consistent with a hardware-specific local DoS requiring no attacker interaction.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46153 MEDIUM PATCH This Month

Memory exhaustion in the Linux kernel's 8021q VLAN subsystem allows a local user with low privileges to cause denial-of-service by repeatedly manipulating VLAN egress QoS priority mappings. The function `vlan_dev_set_egress_priority()` retains cleared priority entries as unreachable tombstones in the kernel hash table across set/clear cycles, accumulating until device teardown and leaking kernel memory. No public exploit exists and EPSS is 0.02% at the 5th percentile, indicating negligible real-world exploitation interest; however, the High availability impact in CVSS reflects potential OOM-triggered system instability on affected hosts.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46151 MEDIUM PATCH This Month

Heap memory disclosure in the Linux kernel usblp USB printer driver allows a local attacker with a malicious USB printer to expose up to 1021 bytes of uninitialized kmalloc heap to userspace. The driver's usblp_cache_device_id_string() blindly trusts a device-supplied 2-byte big-endian length prefix in the IEEE 1284 GET_DEVICE_ID response, leaking stale kernel heap contents via the ieee1284_id sysfs attribute and the IOCNR_GET_DEVICE_ID ioctl. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile) and the vulnerability is not listed in CISA KEV, but vendor patches are confirmed across multiple stable kernel branches.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46148 MEDIUM PATCH This Month

Incorrect hardware chip-select management in the Linux kernel spi/microchip-core-qspi driver causes the built-in hardware CS line to assert spuriously during SPI transactions directed at GPIO-managed chip selects on multi-device coreQSPI controllers. Systems using Microchip coreQSPI IP hardware with two or more attached SPI devices - where at least one device uses the built-in hardware CS - are subject to unintended bus assertion that can crash or disrupt SPI-dependent peripherals, producing a high-availability impact. No public exploit exists and EPSS stands at 0.02% (4th percentile), consistent with the narrow embedded-hardware topology required for manifestation; the vulnerability is not in CISA KEV.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46147 MEDIUM PATCH This Month

Two distinct bugs in the Linux kernel's pKVM (protected KVM) arm64 vCPU initialization path allow a local low-privileged user to cause persistent resource pin leaks and observe partially initialized memory objects. The pin leak (Bug 1) occurs when an error path in __pkvm_init_vcpu() jumps to cleanup without releasing hyp_pin_shared_mem() references on host vCPU and SVE state pages, permanently exhausting pin references and ultimately degrading or crashing the hypervisor subsystem. A separate memory ordering flaw (Bug 2) uses a bare store to publish the vCPU pointer into hyp_vm->vcpus[], allowing a concurrent pkvm_load_hyp_vcpu() caller to read a partially initialized vCPU object. No active exploitation has been identified and EPSS is 0.02%, consistent with a kernel subsystem bug affecting a specialized configuration rather than a broadly targeted attack surface.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46146 MEDIUM PATCH This Month

Denial of service in the Linux kernel ALSA USB audio subsystem allows a local attacker to hang a CPU core indefinitely by presenting a malformed USB audio class v3 channel map descriptor. The affected function `convert_chmap_v3()` uses the descriptor field `cs_desc->wLength` as a loop increment without validating it, so a zero-length descriptor causes an unescapable infinite loop that saturates a CPU core until the process is killed or the system rebooted. No active exploitation has been confirmed - the vulnerability is absent from CISA KEV, and the EPSS score of 0.02% at the 5th percentile indicates negligible current attacker interest.

Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46144 MEDIUM PATCH This Month

Resource leak in the Linux kernel's RDMA/mana driver allows a local low-privileged user to exhaust kernel resources via a missing cleanup in the error unwind path of mana_ib_create_qp_rss(). The Microsoft Azure Network Adapter (MANA) InfiniBand subsystem fails to release mana_ib_cfg_vport_steering() allocations when QP RSS creation fails mid-flight, while the normal destroy path handles cleanup correctly - leaving the error path mismatched. No public exploit is identified and EPSS sits at 0.02% (5th percentile), reflecting very low real-world exploitation probability, though patches are confirmed available across multiple stable kernel branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46143 MEDIUM PATCH This Month

Memory leak in the Linux kernel's Qualcomm ASoC q6apm-lpass-dai audio driver allows a local low-privileged user to exhaust kernel memory by repeatedly invoking the ALSA prepare callback, which opens multiple APM graphs on the playback path without corresponding release. Affected systems are limited to those running Qualcomm LPASS audio hardware across several Linux stable branches (6.6.x, 6.9.x, 6.10, 6.12.x). No public exploit exists and EPSS at 0.02% (5th percentile) reflects negligible real-world exploitation interest; the practical impact is local denial of service on Qualcomm SoC-equipped devices.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46142 MEDIUM PATCH This Month

System hang vulnerability in the Linux kernel's libwx (WangXun) network driver affects systems using SR-IOV Virtual Functions. During VF initialization, the driver attempts to read register WX_CFG_PORT_ST, which is restricted to Physical Functions only; this illegal register access causes the system to hang, resulting in a complete denial of service. No public exploit exists and EPSS is 0.02%, but any system running a WangXun NIC with SR-IOV enabled and attaching a VF is directly exposed.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46141 MEDIUM PATCH This Month

Memory leak in the Linux kernel's powerpc XIVE interrupt subsystem causes progressive kernel heap exhaustion on IBM POWER9+ systems when MSI-X vectors are allocated and then freed for PCI devices such as NVMe controllers. The regression was introduced by commit cc0cc23babc9 which refactored the XIVE/child interrupt controller relationship: xive_irq_free_data() subsequently used the wrong domain lookup path, causing every allocated struct xive_irq_data (64 bytes) to be orphaned on irqdomain teardown. No public exploit is identified and EPSS stands at 0.02% (4th percentile), consistent with the narrow hardware-specific scope and local-only access requirement.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46139 MEDIUM PATCH This Month

The Linux kernel SMB client transmits uninitialized kernel heap data in the reserved Sbz2 field of Windows ACL security descriptors to remote Samba servers, causing chmod operations on SMB-mounted filesystems to fail with EINVAL. This regression was introduced by commit 62e7dd0a39c2d, which split a struct field but left a newly created 2-byte reserved field unpopulated due to use of kmalloc() instead of kzalloc(). No public exploit exists (EPSS 0.02%, no KEV listing); the practical impact is an operational disruption of file permission management on Samba-backed mounts, with a secondary minor information disclosure of heap contents to the remote server.

Linux Microsoft Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46136 HIGH PATCH This Week

Denial-of-service in the Linux kernel mt76/mt7921 MediaTek Wi-Fi driver lets a buffer-length (buf_len) underflow occur while iterating the CLC (country location configuration) power table, producing a near-infinite loop or an invalid power setting that crashes driver initialization. Systems running affected kernels with MediaTek MT7921 Wi-Fi hardware are impacted; classified CWE-787 (out-of-bounds write) with a vendor-assigned CVSS of 7.8 (local, AV:L). No public exploit identified at time of analysis and EPSS is very low (0.02%), consistent with a reliability/DoS defect rather than a readily weaponizable memory-corruption primitive.

Memory Corruption Linux Denial Of Service Buffer Overflow Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46134 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's cros_ec_typec driver crashes the kernel when a Thunderbolt alternate mode operation is processed on affected ChromeOS devices. The flaw originates in cros_typec_register_thunderbolt(), which allocates the adata structure but omits mutex_init(&adata->lock); when cros_typec_altmode_work() later acquires that uninitialized mutex, the kernel dereferences a NULL or garbage pointer and panics. No public exploit code exists and EPSS of 0.02% (4th percentile) reflects the narrow hardware prerequisite and strictly local-only attack surface; the vulnerability is not listed in CISA KEV.

Linux Denial Of Service Google Null Pointer Dereference Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46132 MEDIUM PATCH This Month

Kernel stack information leak in Linux rtnetlink's rtnl_fill_vfinfo() exposes up to 26 bytes of uninitialized kernel stack memory to any unprivileged local user on systems with SR-IOV NICs. The flaw exists because struct ifla_vf_broadcast (32 bytes) is declared on the stack without zeroing, only the first 6 bytes are filled via memcpy on Ethernet devices, and the full struct is transmitted to userspace via RTM_GETLINK responses. No public exploit is identified at time of analysis and EPSS is 0.02% (5th percentile), but the attack is trivially repeatable without any special privileges, making it a practical KASLR bypass primitive or sensitive-data harvesting tool on multi-tenant or shared-access Linux systems.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46131 MEDIUM PATCH This Month

Availability impact in Linux Kernel KVM's x86 nested virtualization subsystem allows a low-privileged user operating within an L2 (nested) guest to trigger a host kernel denial-of-service via incorrect hypercall handling. The root cause is an incorrect guard condition in slow-flush hypercall paths: KVM checks `is_guest_mode(vcpu)` before calling `translate_nested_gpa()`, but that translation function is only valid when the L2 guest is running with nested EPT/NPT actually enabled - not merely when guest mode is active. No public exploit has been identified at time of analysis, and EPSS exploitation probability is 0.02% (5th percentile). Vendor-released patches are available across multiple stable branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46130 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's dm-verity-fec (forward error correction) subsystem allows kernel memory disclosure or a crash when decoding Reed-Solomon parity data. The flaw affects the device-mapper verity FEC code where fec_decode_bufs() wrongly assumes parity bytes of the first RS codeword never span a parity-block boundary; with certain non-default fec_roots values combined with low-memory buffer-allocation failures, the decoder reads past the end of the parity block buffer. Tracked as CWE-125, it carries a 7.1 CVSS (local, low complexity per NVD) but a negligible EPSS of 0.02%, and there is no public exploit identified at time of analysis.

Linux Buffer Overflow Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46128 MEDIUM PATCH This Month

Denial-of-service in the Linux kernel IPMI subsystem allows a system crash when the BMC (Baseboard Management Controller) returns a malformed empty event message buffer instead of a proper error code. The kernel's IPMI driver defers response size validation to later processing stages rather than checking immediately upon receipt, causing it to process invalid data from certain non-compliant BMC firmware. No public exploit exists and EPSS is 0.02% (5th percentile); the trigger is hardware-driven misbehavior rather than deliberate attacker input, but the availability impact is high (kernel panic). Patched kernel versions are available across multiple stable branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46127 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's RDMA/ocrdma driver crashes systems running Emulex OneConnect RDMA adapters. The flaw exists in `ocrdma_copy_pd_uresp()`, where error-path code dereferences `pd->uctx` before it is initialized, producing a kernel panic and complete system unavailability when triggered. No public exploit code has been identified and EPSS sits at 0.02% (5th percentile), reflecting very low exploitation probability at this time; however, the local low-privilege vector means any unprivileged user on an affected system with ocrdma hardware present could trigger the crash.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46126 MEDIUM PATCH This Month

Improper error-path cleanup in the RDMA/mana driver's `mana_ib_create_qp_rss()` function allows a local low-privileged user on Azure VMs with Microsoft MANA NICs to crash the kernel. Two logic bugs in the WQ table unwind - a redundant `i--` that skips a cleanup iteration, and a missed `mana_destroy_wq_obj()` call when `mana_ib_install_cq_cb()` fails - leave kernel objects in a dangling state, producing a high-availability (DoS) impact. No public exploit exists and EPSS is at the 5th percentile; this vulnerability is not in CISA KEV.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46122 HIGH PATCH This Week

Out-of-bounds memory read in the Linux kernel's b43 Broadcom wireless driver allows leakage of adjacent kernel memory when the device firmware supplies a key index that exceeds the 58-entry dev->key[] array in b43_rx(). The pre-patch guard (B43_WARN_ON) is a no-op in production kernels, so the invalid index was used to index the array unchecked. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%); the fix enforces the bounds check and drops the offending frame.

Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46121 HIGH PATCH This Week

Use-after-free in the Linux kernel's DAMON sysfs interface (mm/damon/sysfs-schemes) lets a local actor with access to the 'memcg_path' file race a read against a concurrent write that frees the underlying buffer, accessing freed kernel memory. The flaw affects DAMON-enabled builds across the 6.6.96, 6.12.36, 6.15.5 and 6.16-rc lines, and is fixed by serializing both direct reads and writes under damon_sysfs_lock. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; it is not in CISA KEV.

Memory Corruption Linux Use After Free Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46118 MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's pseries/papr-hvpipe subsystem crashes IBM POWER/pSeries hosts via a local ioctl call. The flaw was introduced by commit 6d3789d347a7, which refactored papr_hvpipe_dev_create_handle() to use FD_PREPARE() but left src_info accessible after retain_and_null_ptr() nulled it, causing a write to address 0x0 when the pointer is subsequently used in the global list insertion path. Exploitation requires local low-privileged access on pSeries hardware; no public exploit exists and EPSS is 0.02%, indicating negligible opportunistic exploitation risk.

Linux Denial Of Service Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46109 MEDIUM PATCH This Month

Memory leak in the Linux kernel USB ULPI subsystem allows a local low-privilege attacker to gradually exhaust kernel memory by repeatedly triggering registration failures in the ulpi_register() function. A prior fix for a double-free (commit 01af542392b5) removed the kfree(ulpi) call on the device_register() failure path but inadvertently left the allocation unreleased when ulpi_of_register() or ulpi_read_id() fail before device_register() is ever reached. No public exploit exists and EPSS is 0.02%, indicating minimal real-world exploitation pressure; however, patched kernel stable releases are available across all supported branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46108 MEDIUM PATCH This Month

Denial of service in the Linux kernel's IPMI SI (System Interface) driver results from improper state machine recovery when message allocation fails, leaving the driver stuck in a non-normal state and rendering the IPMI subsystem non-functional. Locally authenticated users with low privileges on affected systems with an active ipmi_si module can trigger this condition, typically under memory-pressure scenarios. No public exploit has been identified at time of analysis; EPSS at 0.02% (5th percentile) confirms negligible exploitation interest, and patches are available across multiple stable kernel branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46106 MEDIUM PATCH This Month

Three concurrent race conditions in the Linux kernel's eventfs subsystem (tracefs) can be triggered during remount operations, leading to kernel denial-of-service via LIST_POISON1 pointer dereference or use-after-free. Systems running affected kernel versions with tracefs mounted are vulnerable when a local user with sufficient privilege simultaneously remounts the filesystem while kprobe events are being added or removed. No public exploit code has been identified at time of analysis, and EPSS at 0.02% (5th percentile) indicates very low observed exploitation probability.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46104 MEDIUM PATCH This Month

SELinux socket permission helpers in the Linux kernel misread security blob data in stacked LSM configurations, causing kernel crashes or incorrect AVC (Access Vector Cache) decisions. Specifically, sock_has_perm() and nlmsg_sock_has_extended_perms() dereference sk->sk_security directly under the assumption that the SELinux blob always sits at offset zero, which fails when another LSM allocates socket blob storage ahead of SELinux in a stacked configuration. No public exploit has been identified at time of analysis, EPSS is 0.02%, and patches are available for Linux 6.18.30 and 7.0.7.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-44394 PyPI MEDIUM PATCH This Month

OpenStack Keystone's federated token rescoping mechanism allows authenticated federated users to indefinitely extend their session beyond operator-configured token lifetime policies by repeatedly calling POST /v3/auth/tokens before each token expires. The root cause is that handle_scoped_token() in the mapped authentication plugin omits the expires_at field from its response, causing the token provider to silently issue a fresh default-TTL token instead of inheriting the original token's expiry. This effectively renders token lifetime enforcement inoperative for all SAML2 and OpenID Connect-backed federated deployments running Keystone versions prior to 29.0.2. No public exploit code exists and this is not listed in CISA KEV, but the technique is trivially repeatable by any valid federated user.

Authentication Bypass Red Hat
NVD VulDB
CVSS 3.1
6.0
EPSS
0.1%
CVE-2026-42998 PyPI MEDIUM PATCH This Month

User impersonation in OpenStack Keystone before 29.0.2 allows an authenticated attacker to obtain a valid Keystone token attributed to an arbitrary victim user by exploiting a missing ownership check in the application credential authentication plugin. The attacker supplies their own application credential ID and secret while embedding a different user's name and domain in the request body, and Keystone issues a project-scoped token carrying the intersection of the attacker's application credential roles and the victim's project roles. This enables audit log evasion, exposure of the victim's credentials, and unauthorized action within shared OpenStack projects. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Red Hat
NVD VulDB
CVSS 3.1
6.0
EPSS
0.1%
CVE-2026-9759 MEDIUM PATCH This Month

Null pointer dereference in Wireshark's ROHC protocol dissector causes application crashes across two active release branches, constituting a denial-of-service condition. Affected versions span Wireshark 4.6.0 through 4.6.5 and 4.4.0 through 4.4.15; patched releases 4.6.6 and 4.4.16 are available per the vendor advisory wnpa-sec-2026-51. The attack vector is local with required user interaction (CVSS AV:L/UI:R), meaning exploitation requires a victim to open a specially crafted packet capture file - no remote or automated exploitation path exists, and no public exploit code or active exploitation has been identified at time of analysis.

Denial Of Service Null Pointer Dereference Red Hat
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-48921 Maven HIGH PATCH GHSA This Week

Arbitrary file read on the Jenkins controller is possible in the Jenkins 'Pipeline: Groovy Libraries Plugin' (version 797.v90ea_a_9b_e45a_0 and earlier), where the plugin fails to prohibit symbolic links inside shared libraries. An attacker who can control the contents of a shared library consumed by a Pipeline job can plant symlinks that resolve to sensitive files (credentials, secrets, configuration) on the controller filesystem and exfiltrate them through the build. There is no public exploit identified at time of analysis, and SSVC marks exploitation status as none, so this is a patch-and-move-on issue rather than an active-exploitation emergency.

Information Disclosure Jenkins Red Hat
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-48920 Maven HIGH PATCH GHSA This Week

Arbitrary file disclosure in the Jenkins Email Extension Plugin (email-ext) versions 1933.v45cec755423f and earlier lets users who can control email content abuse the data-inline image attribute to supply file: URLs, causing the Jenkins controller to read local files and embed their contents as base64 inside outgoing emails. An authenticated attacker with rights to edit job email configuration or templates (CVSS PR:L) can exfiltrate controller secrets, credentials, and configuration. There is no public exploit identified at time of analysis and CISA's SSVC rates exploitation as none, but the CVSS 8.8 score and 'total' technical impact make controller secret theft a serious concern in shared Jenkins environments.

Information Disclosure Jenkins Red Hat
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-44839 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in the RabbitMQ Management Plugin web UI allows a high-privileged authenticated attacker to inject malicious script content that executes in the browser of another administrative user viewing the affected page. Affected deployments span RabbitMQ Server 3.7.0 through 4.0.12 and 4.1.0-alpha through 4.1.1. No public exploit code or active exploitation has been identified at time of analysis; however, successful exploitation can result in high confidentiality impact, consistent with session token theft or credential harvesting within the management console.

XSS Rabbitmq Server Red Hat
NVD GitHub VulDB
CVSS 4.0
5.6
EPSS
0.0%
CVE-2025-70103 HIGH POC PATCH This Week

Heap buffer overflow in libjxl 0.12.0 lets remote attackers corrupt heap memory by feeding a crafted PBM/PNM image to the jxl::extras::DecodeImagePNM routine, which writes decoded rows into an output buffer without first checking that the buffer is large enough for the header-declared dimensions. The CVSS vector (AV:N/AC:L/PR:N/UI:N) describes unauthenticated, low-complexity exploitation with no user interaction, and CISA's SSVC framework rates it automatable with partial technical impact. Publicly available exploit code exists, though it is not listed in CISA KEV and no public exploit has been tied to active exploitation.

Heap Overflow Buffer Overflow Red Hat
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-46103 MEDIUM PATCH This Month

Memory leak in the Linux kernel's CAN UCAN USB driver allows a local low-privileged user to exhaust kernel memory by repeatedly triggering driver unbind cycles without physical device disconnection. The flaw (CWE-401) exists because devres-managed buffers are incorrectly scoped to the parent USB device rather than the USB interface, so they are never released during software-initiated unbind events such as probe deferral or configuration changes. No public exploit code exists and EPSS sits at 0.02% (5th percentile), indicating near-zero real-world exploitation probability despite the CVSS Availability: High rating.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46101 MEDIUM PATCH This Month

Undefined behavior in the Linux kernel's nftables bitwise expression handler allows a local attacker with low privileges to crash the kernel. The nft_bitwise subsystem failed to reject zero-value shift operands during rule initialization; a zero shift causes the carry propagation formula (BITS_PER_TYPE(u32) - shift = 32 - 0 = 32) to perform a 32-bit shift of a 32-bit type, which is undefined behavior in C and can result in a kernel panic. No public exploit is identified at time of analysis, and EPSS at 0.02% (5th percentile) indicates very low automated exploitation activity, consistent with the local-only attack vector requiring nftables configuration privileges.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker to exploit a use-after-free condition in the Dawn WebGPU implementation through a crafted HTML page, leading to potential escape from the browser's renderer sandbox. The flaw carries a CVSS 9.6 with scope change reflecting cross-boundary impact, and while no public exploit identified at time of analysis, Google's own classification of the underlying Chromium severity as Critical signals significant risk to end users. EPSS is currently low (0.03%, 11th percentile), suggesting no widespread exploitation has been observed yet despite the severity.

Google Use After Free Denial Of Service +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome desktop versions prior to 148.0.7778.216 allows a remote attacker to execute arbitrary code within the renderer sandbox by serving a crafted HTML page that triggers a use-after-free condition in the Network component. Google rates the underlying Chromium issue as Critical severity, and no public exploit identified at time of analysis, though the bug class and reachable attack surface make it a high-priority browser patch.

Use After Free RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Incorrect authorization in OpenStack Neutron 26.0.0 through pre-28.0.1 allows authenticated project readers to write (create and update) tags on same-project resources, exceeding their intended read-only scope. The root cause is a naming mismatch in the tagging controller: single-tag write operations are enforced using plural policy action names (e.g., 'add_tags'), while the configured policy rules use singular names (e.g., 'add_tag'). Because the plural names do not match any defined rule, OpenStack's default policy behavior evaluates the action as permitted. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV.

Authentication Bypass Red Hat
NVD
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Uncontrolled resource consumption in PyJWT 2.8.0-2.12.1 exposes any service that verifies detached JWS tokens to unauthenticated denial-of-service. When the unencoded-payload extension (b64=false, RFC 7797) is in use, PyJWT unnecessarily Base64URL-decodes the compact-serialization payload segment before discarding it in favor of the caller-supplied detached payload - turning that segment into an attacker-controlled amplifier for CPU and memory exhaustion regardless of signature validity. No public exploit has been identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms fully unauthenticated remote exploitation against any affected endpoint using this feature.

Python Denial Of Service Red Hat
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Algorithm allow-list bypass in PyJWT 2.9.0-2.12.1 permits an attacker who controls a registered JWK/JWKS private key to circumvent caller-enforced algorithm restrictions during JWT signature verification. The library correctly checks the token header's alg claim against the caller-supplied allow-list, but then performs the actual cryptographic verification using the algorithm bound to the PyJWK object rather than the header-declared algorithm - creating a exploitable mismatch. Specifically, the documented PyJWKClient.get_signing_key_from_jwt() flow is affected, meaning applications relying on this pattern for algorithm-restricted JWT validation may accept tokens signed with algorithms they explicitly prohibited. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Authentication Bypass Jwt Attack Python +1
NVD GitHub
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

PyJWKClient in PyJWT prior to 2.13.0 passes attacker-influenced URIs directly to Python's urllib.request.urlopen() without restricting URI schemes, enabling Server-Side Request Forgery (SSRF) across file://, FTP, and data-URI schemes against applications that accept untrusted jku values. Affected deployments include any Python application using PyJWKClient where the jku URL originates from a JWT header, OAuth flow parameter, or externally influenced configuration. No public exploit exists and no CISA KEV listing is present; real-world exploitation is constrained by a CVSS-confirmed high attack complexity (AC:H) and required user interaction (UI:R), making opportunistic mass exploitation unlikely.

SSRF Python Red Hat
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Memory exhaustion in pypdf prior to 6.12.0 allows an attacker who supplies a crafted PDF to cause large memory consumption in any application that processes it using layout mode text extraction. The vulnerability is triggered by PDFs containing text positioning operators with abnormally large x- or y-coordinate offsets, causing the library to allocate unbounded whitespace and newline characters during rendering. No confirmed active exploitation exists (not in CISA KEV), and SSVC rates this as non-automatable with partial technical impact, placing it in a lower operational priority tier despite the straightforward exploitation mechanic.

Python Denial Of Service Suse +1
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Denial-of-service via algorithmic complexity in pypdf before 6.12.0 allows an attacker who can supply a crafted PDF file to cause excessive processing time during cross-reference stream parsing. The vulnerability is triggered by crafting a PDF with /W [0 0 0] field values in a cross-reference stream combined with a large /Size value, which causes the library to perform unbounded iteration over zero-byte entries. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, any application that processes untrusted PDF input using pypdf is exposed.

Information Disclosure Python Suse +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Memory exhaustion in pypdf's XMP metadata parser allows denial of service via specially crafted PDF files containing oversized or element-dense XMP blocks, affecting all versions prior to 6.12.1. The vulnerability stems from an absence of input limits in the XML-based XMP parsing subsystem (CWE-770), meaning processing a malicious PDF can consume unbounded system memory. No public exploit code has been identified at time of analysis, and no confirmed active exploitation exists; however, the patch diff is publicly visible on GitHub, making trivial exploit construction feasible.

Python Denial Of Service Suse +1
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Out-of-bounds write in bzip2's bzip2recover utility allows a local attacker to supply a specially crafted file that triggers an off-by-one error, corrupting a global buffer and crashing the process. Per the CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:N), the attack requires no privileges and no user interaction beyond the utility being invoked against a malicious file. Impact is strictly denial of service against the bzip2recover process - no confidentiality or integrity exposure - and the CVSS 4.0 score of 5.1 (Medium) reflects this constrained scope. No public exploit or active exploitation has been identified at time of analysis.

Memory Corruption Denial Of Service Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial-of-service via stack buffer overflow in CryptX (Perl cryptography module) versions before 0.088_001 affects four AEAD decryption helpers that copy attacker-controlled authentication tags into a fixed 144-byte stack buffer without bounds checking. Remote attackers can crash any Perl application that passes untrusted tags to gcm_decrypt_verify, ccm_decrypt_verify, chacha20poly1305_decrypt_verify, or eax_decrypt_verify, resulting in process termination. No public exploit identified at time of analysis, and EPSS scoring (0.04%, 13th percentile) reflects low expected exploitation activity despite the network attack vector.

Buffer Overflow Stack Overflow Cryptx +2
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel SPI controller driver for Freescale MPC52xx (spi-mpc52xx) occurs when controller registration fails and the previously requested interrupts are not properly disabled or released, leaving dangling interrupt handlers tied to freed memory. Local users with the ability to load or interact with this SPI driver on affected systems could potentially trigger memory corruption or information disclosure. EPSS is 0.02% and there is no public exploit identified at time of analysis, but the issue is rated CVSS 7.8 due to high impact on confidentiality, integrity, and availability.

Linux Use After Free Memory Corruption +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Runtime PM reference count leak in the Linux kernel's OmniVision OV5647 camera sensor driver (media/i2c/ov5647) causes availability loss for systems equipped with this camera hardware. The s_ctrl function's handling of three V4L2 controls - AUTOGAIN, EXPOSURE_AUTO, and ANALOGUE_GAIN - returns early without invoking pm_runtime_put(), allowing unpaired runtime PM get/put calls to accumulate. A local user with access to the camera device node can trigger this imbalance repeatedly, exhausting the PM reference count and preventing the device from entering low-power states, ultimately making it unavailable. No public exploit has been identified; EPSS is 0.02% (5th percentile) and this vulnerability does not appear in CISA KEV.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Availability impact in the Linux kernel's xbox_remote media/rc driver allows a local, low-privileged user with access to the affected device to crash the kernel via a DMA coherency violation. The IO buffer used for USB transfers is embedded directly within the device structure, which violates DMA coherency rules and can trigger memory corruption leading to kernel panic. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% reflects minimal observed exploitation activity. Vendor-released patches are available across multiple stable kernel branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's saa7164 media driver can crash the kernel when ioremap() fails during PCI device initialization. Systems with SAA7164-based PCIe capture cards (e.g., Phillips/NXP SAA7164) running unpatched kernel versions from 2.6.32 through stable branches prior to 6.6.140, 6.12.90, 6.18.32, and 7.0.9 are affected. A local, low-privileged attacker who can trigger driver initialization under memory pressure conditions may cause a kernel oops or panic, resulting in denial of service. No public exploit exists and EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation probability at this time.

Denial Of Service Linux Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Linux kernel's vsock (virtio sockets) subsystem stems from inverted buffer-size clamping logic in vsock_update_buffer_size(), allowing a local user to grow vsk->buffer_size beyond the configured vsk->buffer_max_size and violate intended socket memory boundaries. Affected branches include stable trees prior to 6.6.140, 6.12.90, 6.18.32, 7.0.9, and 7.1-rc1; no public exploit identified at time of analysis and EPSS is 0.02% (5th percentile).

Linux Memory Corruption Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's batman-adv Bridge Loop Avoidance (BLA) subsystem enables local denial of service via kernel panic. The race condition exists in batadv_bla_purge_claims(), which traverses the claim hash list under rcu_read_lock() without accounting for concurrent claim releases - when batadv_claim_release() NULLs the backbone_gw pointer mid-traversal, a subsequent call to batadv_bla_claim_get_backbone_gw() on the partially-freed claim triggers a NULL dereference. Exploitation requires local low-privilege access on systems actively running batman-adv with BLA enabled; no active exploitation is confirmed and EPSS stands at 0.02% (5th percentile).

Denial Of Service Linux Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Reference counting failure in the Linux kernel's batman-adv Bridge Loop Avoidance (BLA) subsystem allows a local low-privileged user to cause a slow kernel memory leak and eventual denial of service. Specifically, batadv_bla_add_claim() omits the required batadv_backbone_gw_put() call on the error path when a claim hash insertion fails, preventing the backbone_gw object's reference count from ever reaching zero. The vulnerability has been present since at least kernel 4.7 and is patched across multiple stable branches; no public exploit exists and EPSS is extremely low at 0.02% (5th percentile), placing this firmly in the low-urgency tier except for environments actively running batman-adv with BLA.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stale VRAM exposure in the Linux kernel's amdkfd driver (drm/amdkfd) allows local authenticated users to observe prior occupants' GPU memory contents and crash multi-GPU compute workloads. The KFD allocation path omitted the AMDGPU_GEM_CREATE_VRAM_CLEARED flag - present in every other userspace GEM allocation path - leaving freshly allocated VRAM buffers populated with data from previous processes. The primary documented availability impact is deterministic crashes in RCCL peer-to-peer transport when stale values corrupt the ptrExchange, head, and tail protocol fields; a secondary information-disclosure risk exists because stale page-table remnants are observable by unprivileged compute kernels. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile).

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's spi: ch341 USB-to-SPI driver allows a local user to degrade system availability by triggering driver unbind without physical device disconnection. The defect lies in incorrect devres (device-managed resource) lifetime scoping - resources are anchored to the parent USB device rather than the USB interface, so they are not released when the driver unbinds during events such as probe deferral or runtime configuration changes. No public exploit has been identified at time of analysis, and an EPSS score of 0.02% (4th percentile) indicates negligible exploitation probability in the near term.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Improper driver teardown ordering in the Linux kernel's Freescale (FSL) SPI controller driver allows a local low-privileged user to trigger a denial-of-service condition during driver unbind. The SPI controller is not deregistered before underlying resources such as DMA are released, creating a window where the controller may reference freed memory. No public exploit has been identified at time of analysis, and EPSS sits at 0.02% (5th percentile), reflecting low real-world exploitation probability.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Improper resource deregistration ordering in the Linux kernel's spi/rspi (Renesas SPI controller) driver causes a local denial-of-service condition during driver unbind. The rspi driver releases DMA resources before deregistering the SPI controller, creating a window where in-flight controller operations can reference freed memory, resulting in a kernel crash or panic. With CVSS availability impact rated High and EPSS at 0.02% (5th percentile), this is a low-probability but locally exploitable stability issue affecting systems with Renesas SPI hardware. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's drm/xe Intel Xe GPU driver allows a local, low-privileged user to exhaust kernel memory by repeatedly triggering DMA buffer import failures, leading to denial of service. The bug resides in xe_dma_buf_init_obj(), where a pre-allocated buffer object (bo) is not freed when drm_gpuvm_resv_object_alloc() fails, due to ambiguous ownership semantics between the caller and callee on error paths. No public exploit exists and EPSS probability is extremely low at 0.02% (4th percentile), placing this in the maintenance-priority category rather than urgent remediation for most environments.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

An A-A (same-task) deadlock in the Linux kernel cgroup rmdir path (versions 7.0 through 7.1-rc2 and 6.19.x) can permanently hang the entire system, requiring a hard reboot. When a process acting as both a PID namespace zombie reaper (e.g., systemd/PID 1) and the cgroup rmdir(2) caller encounters dying tasks still linked to cgroup csets, the kernel blocks the reaper indefinitely in TASK_UNINTERRUPTIBLE, creating a circular dependency from which the system cannot recover. No public exploit has been identified at time of analysis, EPSS exploitation probability is extremely low (0.02%), and no CISA KEV listing exists - consistent with the scenario's narrow, operationally specific triggering conditions.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's Rockchip RKCIF (Camera Interface) media driver crashes the kernel when a local user enables streaming on a video device with no connected subdevice. Affected systems are Rockchip SoC-based platforms running Linux kernel versions from the introduction of the rkcif driver up through 6.19. A low-privileged local attacker can trigger a kernel panic - full denial of service - via the standard V4L2 VIDIOC_STREAMON ioctl. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS of 0.02% (5th percentile) reflects the narrow hardware-specific attack surface.

Linux Null Pointer Dereference Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's EDAC/versalnet driver allows a local low-privileged user to gradually exhaust kernel heap memory, rated CVSS 5.5 with high availability impact. The flaw exists in init_one_mc() where a kzalloc()-allocated device name string becomes permanently unreachable after device_register() copies and nullifies the pointer, preventing any subsequent free on device removal. No public exploit identified at time of analysis; EPSS at 0.02% (4th percentile) confirms this is a low-exploitation-probability defect rather than an actively targeted vulnerability.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel panic via reachable assertion in the Linux kernel's AMDGPU SDMA v4 driver allows a local low-privileged user to crash the system by submitting crafted GPU command buffers. The sdma_v4_0_ring_emit_fence() function contains BUG_ON() assertions verifying dword-alignment of fence writeback addresses; these assertions are reachable through the DRM_IOCTL_AMDGPU_CS ioctl from unprivileged userspace, causing a fatal panic in a kernel scheduler worker thread. No public exploit or active exploitation has been identified at time of analysis, and EPSS at 0.02% reflects low exploitation likelihood, but the impact on shared GPU compute systems warrants prompt patching.

Linux Denial Of Service Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's MPC52xx SPI driver (spi-mpc52xx) can be triggered when the driver is unbound, because the interrupt-scheduled state machine work is not cancelled after interrupts are disabled. Local users with the ability to unbind the driver could potentially corrupt kernel memory, with confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.

Use After Free Linux Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Integer overflow in the AMDGPU VCN4 (Video Core Next 4) multimedia driver within the Linux kernel allows a local low-privileged user to cause a kernel denial of service. The bounds check on incoming messages to the VCN4 encoder/decoder engine contains an overflow-vulnerable condition, meaning a crafted message can bypass intended size validation. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at the 5th percentile, indicating very low real-world exploitation likelihood currently.

Linux Buffer Overflow Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's Intel Xe DRM HDCP GSC subsystem allows a local, low-privileged user to crash the kernel when media GT is disabled via configfs. The function `intel_hdcp_gsc_check_status()` evaluates `&gt->uc.gsc` without first verifying that `media_gt` is non-NULL, producing a kernel pagefault on systems where media GT has been explicitly disabled through the configfs interface. Exploitation yields a denial of service (kernel panic) with no confidentiality or integrity impact; no public exploit identified at time of analysis, and EPSS probability is 0.02% (5th percentile), indicating very low exploitation likelihood in the wild.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial-of-service via accept queue counter leak in the Linux kernel's vsock/virtio subsystem allows an authenticated local attacker to permanently exhaust a listener socket's backlog, causing it to reject all new connections. The flaw exists from kernel 5.5 onward in virtio_transport_recv_listen(), where sk_acceptq_added() is called before vsock_assign_transport() validation; failed transport assignments never call the paired sk_acceptq_removed(), permanently inflating sk_ack_backlog. No public exploit exists and EPSS is at the 5th percentile, but the impact in multi-tenant virtualized environments relying on vsock communication is a complete denial of vsock listener service.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's appletb-kbd HID driver allows local low-privileged users on Apple Touch Bar-equipped MacBooks to potentially trigger memory corruption during driver tear-down. The flaw stems from incorrect ordering of timer cleanup and device reference release in the inactivity-timer cleanup path, leaving two race windows where a softirq can dereference freed backlight_device memory. EPSS is very low (0.02%) and no public exploit identified at time of analysis; impact is limited to systems running the appletb-kbd driver, primarily Apple MacBook Pro hardware with Touch Bars.

Information Disclosure Use After Free Apple +5
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference and silent error suppression in the Linux kernel's Qualcomm MSM DRM/GEM subsystem allows a low-privileged local user to crash the kernel (denial of service) via a crafted GEM_INFO ioctl call. The msm_ioctl_gem_info_get_metadata() function unconditionally returns 0 on error and fails to check kmemdup() for a NULL return, enabling a dereference in the subsequent copy_to_user() call. No public exploit has been identified at time of analysis and EPSS is 0.02% (5th percentile), reflecting minimal real-world exploitation pressure despite the confirmed availability of upstream patch commits.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Uninitialized socket buffer data exposure in the Linux kernel's vsock/virtio transport layer (6.7 and later) corrupts vsockmon tap monitoring output when non-linear skbs are in use. The `virtio_transport_copy_nonlinear_skb()` function constructs an `iov_iter` without setting `iov_iter.count`, causing zero-length copies that leave skb payloads uninitialized on the monitor interface - potentially exposing stale kernel memory to vsockmon consumers. Patched stable releases 6.12.90, 6.18.32, and 7.0.9 are available; no public exploit exists and EPSS stands at 0.02% (5th percentile), placing real-world exploitation risk very low but warranting attention in environments actively using vsockmon debugging.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel crash (denial of service) in the Linux kernel's hid-appletb-kbd driver results from calling a mutex-acquiring function from softirq and IRQ atomic contexts on Apple Touch Bar MacBooks running Linux. Authenticated local attackers with low privileges can trigger a kernel BUG by inducing Touch Bar inactivity or generating HID events that exercise the broken brightness-reset path, crashing the system. No public exploit has been identified and EPSS is 0.02% (4th percentile), reflecting the niche hardware requirement; patches are available in kernel versions 6.18.32, 7.0.9, and 7.1-rc4.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial-of-service via improper resource teardown ordering in the Linux kernel's MPC52xx SPI controller driver (spi/mpc52xx) affects systems running PowerPC-based embedded hardware. During driver unbind, the SPI controller was deregistered after - rather than before - disabling underlying resources such as interrupts and GPIOs, creating a window where the kernel could access freed or disabled resources and trigger a system crash. No public exploit has been identified at time of analysis, and with an EPSS of 0.02% (5th percentile), real-world exploitation is assessed as very low probability.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Kernel panic via race condition in the f2fs filesystem extent node management affects Linux kernel across multiple stable branches. When f2fs_destroy_extent_node() is invoked from f2fs_drop_inode() with I_SYNC set, a concurrent kworker writeback thread can insert new extent nodes into the same extent tree between lock releases, causing node_cnt to become non-zero upon loop exit and triggering f2fs_bug_on() - a deliberate kernel assertion failure resulting in a system crash. A secondary gap leaves EX_BLOCK_AGE extent tree updates completely unprotected by the FI_NO_EXTENT flag check, compounding the race surface. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile), indicating low exploitation probability in the near term.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in the Linux kernel's Microchip Core QSPI driver corrupts SPI transfers on systems using this controller. The spi-microchip-core-qspi driver incorrectly attempts to transmit garbage data during emulated read-only dual/quad SPI operations - a protocol violation, since QSPI lacks a dedicated MOSI line and the core hardware is expected to generate read clock cycles autonomously. The result is a bricked (permanently failed) SPI transfer, causing availability loss for any kernel component or userspace process depending on that SPI bus. No public exploit exists and EPSS probability is 0.02%, consistent with a hardware-specific, locally-triggered driver defect.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's octeon_ep_vf driver crashes the kernel when napi_build_skb() fails during memory allocation in the receive path. Systems running kernels from the introduction of the octeon_ep_vf driver (commit 1cd3b407977c) through multiple stable branches are affected where Marvell Octeon EP VF network adapters are in use. A local, low-privileged attacker who can induce memory pressure while network traffic flows through an Octeon EP VF interface can trigger a kernel panic, resulting in full system unavailability. No public exploit code exists, EPSS is 0.02% (5th percentile), and this vulnerability has not been added to CISA KEV.

Denial Of Service Linux Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Use-after-free in the Linux kernel's RSI (Redpine Signals) WiFi driver allows a local low-privileged attacker to crash the kernel by exploiting a race condition between kthread self-exit and external stop operations. When `kthread_complete_and_exit` races ahead of `kthread_stop`, the already-freed task struct is dereferenced, causing a kernel denial of service. No public exploit has been identified and EPSS sits at 0.02% (5th percentile), reflecting very low real-world exploitation probability; the vulnerability is not listed in CISA KEV.

Race Condition Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Uninitialized memory read in Linux kernel's Bluetooth virtio_bt driver allows a malicious or compromised virtio backend to trigger kernel DoS and potential information disclosure against guest VMs. The driver's virtbt_rx_handle() function fails to validate that received RX socket buffers contain sufficient bytes to cover the fixed HCI header for the declared packet type before forwarding to hci_recv_frame(). A backend-supplied one-byte completion with type HCI_ACLDATA_PKT causes the ACL classification path in hci_dev_classify_pkt_type() to dereference hci_acl_hdr(skb)->handle on an empty buffer when the HCI device holds an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with a kernel subsystem bug requiring privileged backend access in a virtualized environment.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Division by zero in the Linux kernel's ua101 USB audio driver allows a local attacker to crash the kernel by presenting a crafted USB device with a malformed audio class descriptor. The ua101 driver's `detect_usb_format()` function fails to validate the `bNrChannels` field before use, so a device reporting `bNrChannels = 0` causes `frame_bytes` to become zero, which is subsequently used as a divisor in both `playback_urb_complete()` and `capture_urb_complete()` URB handlers, triggering a fatal kernel panic. No public exploit has been identified and EPSS is 0.02% (5th percentile), but the vulnerability affects multiple supported stable branches and patches are available across all of them.

Linux Denial Of Service Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's DAMON (Data Access MONitor) sysfs-schemes interface allows local users with sysfs access to read freed memory by racing concurrent reads and writes of the quota goal 'path' file across separate file descriptors. EPSS is 0.02% and no public exploit identified at time of analysis, but the CVSS 7.8 reflects full CIA impact if a local attacker can win the race.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel stack memory disclosure in the Linux kernel's pseries/papr-hvpipe driver exposes up to 43 bytes of uninitialized stack data to unprivileged local users on IBM Power (pseries) systems. The `struct papr_hvpipe_hdr` reserved padding fields (`reserved[3]` and `reserved2[40]`) are never zeroed before `copy_to_user()` copies the full structure to userspace, allowing a local attacker to harvest stale kernel stack contents - potentially including ASLR offsets or residual cryptographic material. No public exploit exists and no CISA KEV listing applies; EPSS at 0.02% (4th percentile) reflects low exploitation probability consistent with the narrow pseries-only deployment scope. Vendor-released patches are confirmed in stable branches 6.18.30, 7.0.7, and 7.1-rc3.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Divide-by-zero in the Linux kernel ASoC SOF compressed audio subsystem allows a low-privileged local user to crash the kernel by querying stream pointer position before stream parameters are configured. Affected are Linux kernel stable branches 6.6 through 7.0 (pre-patch), all running on hardware with SOF audio drivers loaded. No active exploitation has been confirmed - EPSS sits at 0.02% (5th percentile) and the vulnerability is absent from CISA KEV - making this a medium-severity availability risk relevant primarily to multi-user desktop and embedded audio platforms.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource exhaustion via dst entry reference leak in the Linux kernel's IPv6 IPsec (xfrm6) receive path allows a local attacker with low privileges to cause a denial of service by exhausting kernel memory. The flaw exists in xfrm6_rcv_encap(), which calls ip6_route_input_lookup() returning a referenced dst entry even for error routes, but fails to release that reference before dropping the packet when dst->error is set. Repeated packets hitting this code path therefore accumulate unreleased dst references, ultimately crashing the system. No public exploit exists and this vulnerability is not in the CISA KEV list; EPSS exploitation probability is extremely low at 0.02% (5th percentile).

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's RISC-V KVM vector context allocation allows a local low-privileged attacker to exhaust kernel memory, causing denial of service on RISC-V hypervisor hosts. The flaw exists in kvm_riscv_vcpu_alloc_vector_context() where a failed second kzalloc call (host_context.vector.datap) returns an error without freeing the first allocation (guest_context.vector.datap), accumulating unreleased kernel memory across repeated vCPU creation attempts. No public exploit exists and no active exploitation is confirmed; EPSS at 0.02% (4th percentile) reflects the narrow RISC-V KVM deployment surface.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The MPTCP (Multipath TCP) path manager in the Linux kernel mishandles socket reference counting during ADD_ADDR retransmission timer callbacks, resulting in a local denial-of-service. When the retransmit timer fires and holds the last reference to a socket, calling __sock_put() instead of sock_put() leaks the socket; and if sock_put() is used without first marking the timer done, the resulting sk_free() call invokes sk_stop_timer_sync() on the same in-flight timer, causing the kernel to wait indefinitely. No public exploit has been identified at time of analysis; EPSS is 0.02% (4th percentile), and the vulnerability is not listed in CISA KEV.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Scheduling-while-atomic kernel panic in the Linux kernel MPTCP subsystem allows a local low-privileged user to crash the host by setting timestamp socket options on an MPTCP socket. The defect stems from invoking sleepable helpers - sock_set_timestamp() and sock_set_timestamping() - inside the atomic context established by lock_sock_fast(), violating the kernel's non-sleeping constraint for spinlock holders. No public exploit code has been identified and EPSS sits at 0.02% (5th percentile), indicating negligible real-world exploitation probability at this time. Note: the 'Information Disclosure' tag applied by some sources appears incorrect - the actual impact is limited to availability (kernel panic/crash) with no confidentiality or integrity consequence per the CVSS vector.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Uninitialized heap memory in the Linux kernel's usblp USB printer driver leaks a stale kernel byte to userspace through the LPGETSTATUS ioctl when a malicious or non-compliant USB printer returns zero bytes to a one-byte status request. Affected branches span kernel versions from 2.6.12 through 6.18.x, 7.0.x, and 7.1-rc3, with fixes available in stable releases 6.6.140, 6.12.88, 6.18.30, and 7.0.7. No public exploit exists and EPSS stands at 0.02% (5th percentile); exploitation requires local access, a cooperating malicious USB device, and access to the printer device node - substantially narrowing real-world risk despite the breadth of affected kernel versions.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

OpenVSwitch tunnel port removal in the Linux kernel triggers a self-deadlock that permanently hangs the kernel's RTNL lock, causing a denial of service requiring system reboot. The flaw affects systems across multiple stable kernel branches (6.6.x, 6.12.x, 6.18.x, 7.0.x) where OVS tunnel vports (VXLAN, GRE, GENEVE) are actively managed. Patched versions are available across all affected stable branches; no public exploit identified at time of analysis, and the EPSS score of 0.02% (5th percentile) indicates negligible observed exploitation probability.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's b43legacy wireless driver allows a local attacker with low privileges to read beyond the dev->key[] array when firmware reports a key index exceeding dev->max_nr_keys. The existing B43legacy_WARN_ON check was non-enforcing in production builds, permitting memory disclosure during RX packet handling on systems with vulnerable Broadcom legacy WiFi chipsets. No public exploit identified at time of analysis, and EPSS is very low (0.02%), suggesting limited near-term mass exploitation despite a high CVSS of 7.8.

Linux Buffer Overflow Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Double-free memory corruption in the Linux kernel's Intel ice (E810) network driver occurs in the ice_sf_eth_activate() error path when auxiliary_device_add() fails, causing sf_dev to be freed twice. Affecting Linux kernel versions starting at 6.12 through pre-patch builds, a local privileged user triggering the failure path can corrupt kernel heap state, with no public exploit identified at time of analysis and a very low EPSS score of 0.02%.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Divide-by-zero in the Linux kernel's md/raid10 subsystem allows a local authenticated user to crash the kernel by supplying a zero far_copies value when configuring a RAID10 array with the 'improved' far set layout. The affected function setup_geo() performs the division geo->far_set_size = disks / fc without first validating that fc is non-zero, triggering a kernel oops or panic and producing a high availability impact. EPSS is 0.02% (5th percentile) and this CVE is not listed in CISA KEV, consistent with the local-only, configuration-specific attack vector and no public exploit identified at time of analysis.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Socket reference count leak in the Linux kernel MPTCP path manager allows a local low-privilege attacker to cause kernel resource exhaustion and denial of service by repeatedly triggering ADD_ADDR retransmission events. Affected versions span from Linux 5.10 through 7.1-rc2, with patches confirmed available in stable releases 6.18.30, 7.0.7, and 7.1-rc3. No public exploit has been identified and EPSS probability is negligible at 0.02%, placing this firmly in routine maintenance priority rather than emergency response.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel panic (ADE - Address Error for Memory access) in the LoongArch-specific PCI fixup function loongson_gpu_fixup_dma_hang() crashes systems that boot with a discrete Loongson GPU whose PCI device ID does not match any handled case in the switch statement. The missing default case causes readl() to be called with a garbage MMIO address derived from uninitialized register state, resulting in a hard kernel panic at boot time (PID 1, swapper/0) and rendering the system unavailable. No public exploit identified at time of analysis, and EPSS is 0.02% (5th percentile), consistent with a hardware-specific local DoS requiring no attacker interaction.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory exhaustion in the Linux kernel's 8021q VLAN subsystem allows a local user with low privileges to cause denial-of-service by repeatedly manipulating VLAN egress QoS priority mappings. The function `vlan_dev_set_egress_priority()` retains cleared priority entries as unreachable tombstones in the kernel hash table across set/clear cycles, accumulating until device teardown and leaking kernel memory. No public exploit exists and EPSS is 0.02% at the 5th percentile, indicating negligible real-world exploitation interest; however, the High availability impact in CVSS reflects potential OOM-triggered system instability on affected hosts.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Heap memory disclosure in the Linux kernel usblp USB printer driver allows a local attacker with a malicious USB printer to expose up to 1021 bytes of uninitialized kmalloc heap to userspace. The driver's usblp_cache_device_id_string() blindly trusts a device-supplied 2-byte big-endian length prefix in the IEEE 1284 GET_DEVICE_ID response, leaking stale kernel heap contents via the ieee1284_id sysfs attribute and the IOCNR_GET_DEVICE_ID ioctl. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile) and the vulnerability is not listed in CISA KEV, but vendor patches are confirmed across multiple stable kernel branches.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Incorrect hardware chip-select management in the Linux kernel spi/microchip-core-qspi driver causes the built-in hardware CS line to assert spuriously during SPI transactions directed at GPIO-managed chip selects on multi-device coreQSPI controllers. Systems using Microchip coreQSPI IP hardware with two or more attached SPI devices - where at least one device uses the built-in hardware CS - are subject to unintended bus assertion that can crash or disrupt SPI-dependent peripherals, producing a high-availability impact. No public exploit exists and EPSS stands at 0.02% (4th percentile), consistent with the narrow embedded-hardware topology required for manifestation; the vulnerability is not in CISA KEV.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Two distinct bugs in the Linux kernel's pKVM (protected KVM) arm64 vCPU initialization path allow a local low-privileged user to cause persistent resource pin leaks and observe partially initialized memory objects. The pin leak (Bug 1) occurs when an error path in __pkvm_init_vcpu() jumps to cleanup without releasing hyp_pin_shared_mem() references on host vCPU and SVE state pages, permanently exhausting pin references and ultimately degrading or crashing the hypervisor subsystem. A separate memory ordering flaw (Bug 2) uses a bare store to publish the vCPU pointer into hyp_vm->vcpus[], allowing a concurrent pkvm_load_hyp_vcpu() caller to read a partially initialized vCPU object. No active exploitation has been identified and EPSS is 0.02%, consistent with a kernel subsystem bug affecting a specialized configuration rather than a broadly targeted attack surface.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in the Linux kernel ALSA USB audio subsystem allows a local attacker to hang a CPU core indefinitely by presenting a malformed USB audio class v3 channel map descriptor. The affected function `convert_chmap_v3()` uses the descriptor field `cs_desc->wLength` as a loop increment without validating it, so a zero-length descriptor causes an unescapable infinite loop that saturates a CPU core until the process is killed or the system rebooted. No active exploitation has been confirmed - the vulnerability is absent from CISA KEV, and the EPSS score of 0.02% at the 5th percentile indicates negligible current attacker interest.

Linux Denial Of Service Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource leak in the Linux kernel's RDMA/mana driver allows a local low-privileged user to exhaust kernel resources via a missing cleanup in the error unwind path of mana_ib_create_qp_rss(). The Microsoft Azure Network Adapter (MANA) InfiniBand subsystem fails to release mana_ib_cfg_vport_steering() allocations when QP RSS creation fails mid-flight, while the normal destroy path handles cleanup correctly - leaving the error path mismatched. No public exploit is identified and EPSS sits at 0.02% (5th percentile), reflecting very low real-world exploitation probability, though patches are confirmed available across multiple stable kernel branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's Qualcomm ASoC q6apm-lpass-dai audio driver allows a local low-privileged user to exhaust kernel memory by repeatedly invoking the ALSA prepare callback, which opens multiple APM graphs on the playback path without corresponding release. Affected systems are limited to those running Qualcomm LPASS audio hardware across several Linux stable branches (6.6.x, 6.9.x, 6.10, 6.12.x). No public exploit exists and EPSS at 0.02% (5th percentile) reflects negligible real-world exploitation interest; the practical impact is local denial of service on Qualcomm SoC-equipped devices.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

System hang vulnerability in the Linux kernel's libwx (WangXun) network driver affects systems using SR-IOV Virtual Functions. During VF initialization, the driver attempts to read register WX_CFG_PORT_ST, which is restricted to Physical Functions only; this illegal register access causes the system to hang, resulting in a complete denial of service. No public exploit exists and EPSS is 0.02%, but any system running a WangXun NIC with SR-IOV enabled and attaching a VF is directly exposed.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's powerpc XIVE interrupt subsystem causes progressive kernel heap exhaustion on IBM POWER9+ systems when MSI-X vectors are allocated and then freed for PCI devices such as NVMe controllers. The regression was introduced by commit cc0cc23babc9 which refactored the XIVE/child interrupt controller relationship: xive_irq_free_data() subsequently used the wrong domain lookup path, causing every allocated struct xive_irq_data (64 bytes) to be orphaned on irqdomain teardown. No public exploit is identified and EPSS stands at 0.02% (4th percentile), consistent with the narrow hardware-specific scope and local-only access requirement.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The Linux kernel SMB client transmits uninitialized kernel heap data in the reserved Sbz2 field of Windows ACL security descriptors to remote Samba servers, causing chmod operations on SMB-mounted filesystems to fail with EINVAL. This regression was introduced by commit 62e7dd0a39c2d, which split a struct field but left a newly created 2-byte reserved field unpopulated due to use of kmalloc() instead of kzalloc(). No public exploit exists (EPSS 0.02%, no KEV listing); the practical impact is an operational disruption of file permission management on Samba-backed mounts, with a secondary minor information disclosure of heap contents to the remote server.

Linux Microsoft Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Denial-of-service in the Linux kernel mt76/mt7921 MediaTek Wi-Fi driver lets a buffer-length (buf_len) underflow occur while iterating the CLC (country location configuration) power table, producing a near-infinite loop or an invalid power setting that crashes driver initialization. Systems running affected kernels with MediaTek MT7921 Wi-Fi hardware are impacted; classified CWE-787 (out-of-bounds write) with a vendor-assigned CVSS of 7.8 (local, AV:L). No public exploit identified at time of analysis and EPSS is very low (0.02%), consistent with a reliability/DoS defect rather than a readily weaponizable memory-corruption primitive.

Memory Corruption Linux Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's cros_ec_typec driver crashes the kernel when a Thunderbolt alternate mode operation is processed on affected ChromeOS devices. The flaw originates in cros_typec_register_thunderbolt(), which allocates the adata structure but omits mutex_init(&adata->lock); when cros_typec_altmode_work() later acquires that uninitialized mutex, the kernel dereferences a NULL or garbage pointer and panics. No public exploit code exists and EPSS of 0.02% (4th percentile) reflects the narrow hardware prerequisite and strictly local-only attack surface; the vulnerability is not listed in CISA KEV.

Linux Denial Of Service Google +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel stack information leak in Linux rtnetlink's rtnl_fill_vfinfo() exposes up to 26 bytes of uninitialized kernel stack memory to any unprivileged local user on systems with SR-IOV NICs. The flaw exists because struct ifla_vf_broadcast (32 bytes) is declared on the stack without zeroing, only the first 6 bytes are filled via memcpy on Ethernet devices, and the full struct is transmitted to userspace via RTM_GETLINK responses. No public exploit is identified at time of analysis and EPSS is 0.02% (5th percentile), but the attack is trivially repeatable without any special privileges, making it a practical KASLR bypass primitive or sensitive-data harvesting tool on multi-tenant or shared-access Linux systems.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Availability impact in Linux Kernel KVM's x86 nested virtualization subsystem allows a low-privileged user operating within an L2 (nested) guest to trigger a host kernel denial-of-service via incorrect hypercall handling. The root cause is an incorrect guard condition in slow-flush hypercall paths: KVM checks `is_guest_mode(vcpu)` before calling `translate_nested_gpa()`, but that translation function is only valid when the L2 guest is running with nested EPT/NPT actually enabled - not merely when guest mode is active. No public exploit has been identified at time of analysis, and EPSS exploitation probability is 0.02% (5th percentile). Vendor-released patches are available across multiple stable branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's dm-verity-fec (forward error correction) subsystem allows kernel memory disclosure or a crash when decoding Reed-Solomon parity data. The flaw affects the device-mapper verity FEC code where fec_decode_bufs() wrongly assumes parity bytes of the first RS codeword never span a parity-block boundary; with certain non-default fec_roots values combined with low-memory buffer-allocation failures, the decoder reads past the end of the parity block buffer. Tracked as CWE-125, it carries a 7.1 CVSS (local, low complexity per NVD) but a negligible EPSS of 0.02%, and there is no public exploit identified at time of analysis.

Linux Buffer Overflow Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial-of-service in the Linux kernel IPMI subsystem allows a system crash when the BMC (Baseboard Management Controller) returns a malformed empty event message buffer instead of a proper error code. The kernel's IPMI driver defers response size validation to later processing stages rather than checking immediately upon receipt, causing it to process invalid data from certain non-compliant BMC firmware. No public exploit exists and EPSS is 0.02% (5th percentile); the trigger is hardware-driven misbehavior rather than deliberate attacker input, but the availability impact is high (kernel panic). Patched kernel versions are available across multiple stable branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's RDMA/ocrdma driver crashes systems running Emulex OneConnect RDMA adapters. The flaw exists in `ocrdma_copy_pd_uresp()`, where error-path code dereferences `pd->uctx` before it is initialized, producing a kernel panic and complete system unavailability when triggered. No public exploit code has been identified and EPSS sits at 0.02% (5th percentile), reflecting very low exploitation probability at this time; however, the local low-privilege vector means any unprivileged user on an affected system with ocrdma hardware present could trigger the crash.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Improper error-path cleanup in the RDMA/mana driver's `mana_ib_create_qp_rss()` function allows a local low-privileged user on Azure VMs with Microsoft MANA NICs to crash the kernel. Two logic bugs in the WQ table unwind - a redundant `i--` that skips a cleanup iteration, and a missed `mana_destroy_wq_obj()` call when `mana_ib_install_cq_cb()` fails - leave kernel objects in a dangling state, producing a high-availability (DoS) impact. No public exploit exists and EPSS is at the 5th percentile; this vulnerability is not in CISA KEV.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds memory read in the Linux kernel's b43 Broadcom wireless driver allows leakage of adjacent kernel memory when the device firmware supplies a key index that exceeds the 58-entry dev->key[] array in b43_rx(). The pre-patch guard (B43_WARN_ON) is a no-op in production kernels, so the invalid index was used to index the array unchecked. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%); the fix enforces the bounds check and drops the offending frame.

Linux Buffer Overflow Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's DAMON sysfs interface (mm/damon/sysfs-schemes) lets a local actor with access to the 'memcg_path' file race a read against a concurrent write that frees the underlying buffer, accessing freed kernel memory. The flaw affects DAMON-enabled builds across the 6.6.96, 6.12.36, 6.15.5 and 6.16-rc lines, and is fixed by serializing both direct reads and writes under damon_sysfs_lock. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; it is not in CISA KEV.

Memory Corruption Linux Use After Free +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's pseries/papr-hvpipe subsystem crashes IBM POWER/pSeries hosts via a local ioctl call. The flaw was introduced by commit 6d3789d347a7, which refactored papr_hvpipe_dev_create_handle() to use FD_PREPARE() but left src_info accessible after retain_and_null_ptr() nulled it, causing a write to address 0x0 when the pointer is subsequently used in the global list insertion path. Exploitation requires local low-privileged access on pSeries hardware; no public exploit exists and EPSS is 0.02%, indicating negligible opportunistic exploitation risk.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel USB ULPI subsystem allows a local low-privilege attacker to gradually exhaust kernel memory by repeatedly triggering registration failures in the ulpi_register() function. A prior fix for a double-free (commit 01af542392b5) removed the kfree(ulpi) call on the device_register() failure path but inadvertently left the allocation unreleased when ulpi_of_register() or ulpi_read_id() fail before device_register() is ever reached. No public exploit exists and EPSS is 0.02%, indicating minimal real-world exploitation pressure; however, patched kernel stable releases are available across all supported branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in the Linux kernel's IPMI SI (System Interface) driver results from improper state machine recovery when message allocation fails, leaving the driver stuck in a non-normal state and rendering the IPMI subsystem non-functional. Locally authenticated users with low privileges on affected systems with an active ipmi_si module can trigger this condition, typically under memory-pressure scenarios. No public exploit has been identified at time of analysis; EPSS at 0.02% (5th percentile) confirms negligible exploitation interest, and patches are available across multiple stable kernel branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Three concurrent race conditions in the Linux kernel's eventfs subsystem (tracefs) can be triggered during remount operations, leading to kernel denial-of-service via LIST_POISON1 pointer dereference or use-after-free. Systems running affected kernel versions with tracefs mounted are vulnerable when a local user with sufficient privilege simultaneously remounts the filesystem while kprobe events are being added or removed. No public exploit code has been identified at time of analysis, and EPSS at 0.02% (5th percentile) indicates very low observed exploitation probability.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

SELinux socket permission helpers in the Linux kernel misread security blob data in stacked LSM configurations, causing kernel crashes or incorrect AVC (Access Vector Cache) decisions. Specifically, sock_has_perm() and nlmsg_sock_has_extended_perms() dereference sk->sk_security directly under the assumption that the SELinux blob always sits at offset zero, which fails when another LSM allocates socket blob storage ahead of SELinux in a stacked configuration. No public exploit has been identified at time of analysis, EPSS is 0.02%, and patches are available for Linux 6.18.30 and 7.0.7.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenStack Keystone's federated token rescoping mechanism allows authenticated federated users to indefinitely extend their session beyond operator-configured token lifetime policies by repeatedly calling POST /v3/auth/tokens before each token expires. The root cause is that handle_scoped_token() in the mapped authentication plugin omits the expires_at field from its response, causing the token provider to silently issue a fresh default-TTL token instead of inheriting the original token's expiry. This effectively renders token lifetime enforcement inoperative for all SAML2 and OpenID Connect-backed federated deployments running Keystone versions prior to 29.0.2. No public exploit code exists and this is not listed in CISA KEV, but the technique is trivially repeatable by any valid federated user.

Authentication Bypass Red Hat
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

User impersonation in OpenStack Keystone before 29.0.2 allows an authenticated attacker to obtain a valid Keystone token attributed to an arbitrary victim user by exploiting a missing ownership check in the application credential authentication plugin. The attacker supplies their own application credential ID and secret while embedding a different user's name and domain in the request body, and Keystone issues a project-scoped token carrying the intersection of the attacker's application credential roles and the victim's project roles. This enables audit log evasion, exposure of the victim's credentials, and unauthorized action within shared OpenStack projects. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Red Hat
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in Wireshark's ROHC protocol dissector causes application crashes across two active release branches, constituting a denial-of-service condition. Affected versions span Wireshark 4.6.0 through 4.6.5 and 4.4.0 through 4.4.15; patched releases 4.6.6 and 4.4.16 are available per the vendor advisory wnpa-sec-2026-51. The attack vector is local with required user interaction (CVSS AV:L/UI:R), meaning exploitation requires a victim to open a specially crafted packet capture file - no remote or automated exploitation path exists, and no public exploit code or active exploitation has been identified at time of analysis.

Denial Of Service Null Pointer Dereference Red Hat
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Arbitrary file read on the Jenkins controller is possible in the Jenkins 'Pipeline: Groovy Libraries Plugin' (version 797.v90ea_a_9b_e45a_0 and earlier), where the plugin fails to prohibit symbolic links inside shared libraries. An attacker who can control the contents of a shared library consumed by a Pipeline job can plant symlinks that resolve to sensitive files (credentials, secrets, configuration) on the controller filesystem and exfiltrate them through the build. There is no public exploit identified at time of analysis, and SSVC marks exploitation status as none, so this is a patch-and-move-on issue rather than an active-exploitation emergency.

Information Disclosure Jenkins Red Hat
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary file disclosure in the Jenkins Email Extension Plugin (email-ext) versions 1933.v45cec755423f and earlier lets users who can control email content abuse the data-inline image attribute to supply file: URLs, causing the Jenkins controller to read local files and embed their contents as base64 inside outgoing emails. An authenticated attacker with rights to edit job email configuration or templates (CVSS PR:L) can exfiltrate controller secrets, credentials, and configuration. There is no public exploit identified at time of analysis and CISA's SSVC rates exploitation as none, but the CVSS 8.8 score and 'total' technical impact make controller secret theft a serious concern in shared Jenkins environments.

Information Disclosure Jenkins Red Hat
NVD
EPSS 0% CVSS 5.6
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in the RabbitMQ Management Plugin web UI allows a high-privileged authenticated attacker to inject malicious script content that executes in the browser of another administrative user viewing the affected page. Affected deployments span RabbitMQ Server 3.7.0 through 4.0.12 and 4.1.0-alpha through 4.1.1. No public exploit code or active exploitation has been identified at time of analysis; however, successful exploitation can result in high confidentiality impact, consistent with session token theft or credential harvesting within the management console.

XSS Rabbitmq Server Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC PATCH This Week

Heap buffer overflow in libjxl 0.12.0 lets remote attackers corrupt heap memory by feeding a crafted PBM/PNM image to the jxl::extras::DecodeImagePNM routine, which writes decoded rows into an output buffer without first checking that the buffer is large enough for the header-declared dimensions. The CVSS vector (AV:N/AC:L/PR:N/UI:N) describes unauthenticated, low-complexity exploitation with no user interaction, and CISA's SSVC framework rates it automatable with partial technical impact. Publicly available exploit code exists, though it is not listed in CISA KEV and no public exploit has been tied to active exploitation.

Heap Overflow Buffer Overflow Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's CAN UCAN USB driver allows a local low-privileged user to exhaust kernel memory by repeatedly triggering driver unbind cycles without physical device disconnection. The flaw (CWE-401) exists because devres-managed buffers are incorrectly scoped to the parent USB device rather than the USB interface, so they are never released during software-initiated unbind events such as probe deferral or configuration changes. No public exploit code exists and EPSS sits at 0.02% (5th percentile), indicating near-zero real-world exploitation probability despite the CVSS Availability: High rating.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Undefined behavior in the Linux kernel's nftables bitwise expression handler allows a local attacker with low privileges to crash the kernel. The nft_bitwise subsystem failed to reject zero-value shift operands during rule initialization; a zero shift causes the carry propagation formula (BITS_PER_TYPE(u32) - shift = 32 - 0 = 32) to perform a 32-bit shift of a 32-bit type, which is undefined behavior in C and can result in a kernel panic. No public exploit is identified at time of analysis, and EPSS at 0.02% (5th percentile) indicates very low automated exploitation activity, consistent with the local-only attack vector requiring nftables configuration privileges.

Linux Information Disclosure Red Hat +1
NVD VulDB
Prev Page 9 of 96 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy