Suse
Monthly
Denial-of-service via kernel panic in the Linux kernel's greybus gb-beagleplay driver allows a local low-privileged user to crash the system by triggering an illegal sleep-in-atomic-context condition. The greybus HDLC TX path calls usleep_range() inside hdlc_append() while the tx_producer_lock spinlock is held, violating the fundamental Linux kernel rule that sleeping is forbidden in atomic context and triggering a 'BUG: scheduling while atomic' kernel oops. No public exploit has been identified at time of analysis, and EPSS at 0.02% (5th percentile) reflects the hardware-specific and local-access-only nature of this flaw. The input tag 'Information Disclosure' appears to be a misclassification - the actual impact is exclusively availability (kernel crash), consistent with the CVSS vector's A:H/C:N/I:N ratings.
Resource accounting exhaustion in the Linux kernel's inotify subsystem allows a local low-privileged user to permanently leak watch counts by repeatedly triggering a failure path in inotify_new_watch() that increments the per-namespace watch counter without a corresponding decrement. Over time this exhausts the max_user_watches limit, causing all subsequent inotify watch creation within the namespace to fail with -ENOSPC even when no watches are genuinely active, constituting a local denial-of-service against inotify-dependent applications. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects very low real-world exploitation probability with no CISA KEV listing.
Lock re-entrancy corruption in the Linux kernel's mm/page_alloc subsystem affects uniprocessor (UP/!CONFIG_SMP) builds, allowing freelist corruption that crashes the kernel. On UP kernels, spin_trylock() is a compile-time no-op that unconditionally succeeds; when alloc_frozen_pages_nolock() is invoked from NMI context, it re-enters rmqueue() and acquires the zone lock already held by the interrupted context, corrupting the page allocator's freelists. No public exploit exists and EPSS sits at the 4th percentile (0.02%), consistent with the narrow scope: only non-default UP kernel builds on specific kernel versions are affected, making this a targeted stability concern for embedded or legacy uniprocessor deployments rather than a broad production threat.
NULL pointer dereference in the Linux kernel vfio/cdx subsystem allows a local low-privileged user with access to a CDX VFIO device to crash the kernel by issuing an out-of-order ioctl sequence. Specifically, calling VFIO_DEVICE_SET_IRQS with DATA_BOOL or DATA_NONE flags before ever initializing MSI interrupts via the EVENTFD path dereferences an unallocated cdx_irqs pointer, producing a kernel panic and denial-of-service. No public exploit code exists and EPSS is 0.02%, but vendor-released patches are confirmed available across all affected stable branches.
Nested SVM virtualization in the Linux kernel KVM subsystem can leave the host hypervisor (L1) running with corrupted page-table state when CR3 restoration fails during a nested #VMEXIT. The root function nested_svm_vmexit() returns an error code that most callers silently ignore, meaning the host continues executing against corrupt address-space mappings rather than triggering the shutdown behavior mandated by the AMD Architecture Programmer's Manual. The fix injects a triple fault - mirroring real hardware behavior - and continues cleanup to avoid leaving vCPU state partially torn down. No public exploit exists and EPSS is 0.02%, but the availability impact is high for any host running nested AMD virtualization.
Memory leak in the Linux kernel's EDAC/versalnet driver (mc_probe()) results in unreleased device_node references, enabling local low-privileged users to cause kernel memory exhaustion and availability degradation on AMD/Xilinx Versal SoC systems. The root cause is a missing of_node_put() call on all exit paths of mc_probe(), with the fix applied across stable branches including 6.18.27 and 7.0.4. No public exploit or CISA KEV listing exists, and EPSS sits at 0.02% (4th percentile), reflecting minimal active exploitation risk.
Race condition in the Linux kernel's AF_ALG AEAD AIO interface allows a local low-privileged user to trigger a denial of service by exploiting shared socket-wide IV buffer state across concurrent asynchronous AEAD requests. The algif_aead subsystem fails to snapshot the Initialization Vector into per-request storage before dispatching async operations, meaning any concurrent socket activity that updates the shared IV can corrupt an in-flight request before it completes. No public exploit has been identified and EPSS is extremely low at 0.02% (7th percentile); vendor-released patches are available across all supported stable kernel branches.
Deadlock and memory leak in the Linux kernel DAMON subsystem arise from a race condition between damon_call() request registration and kdamond_fn() thread exit, affecting systems using the Data Access MONitor (DAMON) API. A local low-privileged process can trigger the race at precisely the moment a kdamond thread is terminating - causing the calling thread to wait indefinitely for a handler that has already exited, resulting in a kernel-level availability denial. No active exploitation is confirmed (EPSS 0.02%, not in CISA KEV), and the high attack complexity required to win the race significantly constrains real-world risk.
Integer overflow in the Linux kernel's device mapper mirror (dm-mirror) subsystem allows a local attacker with device mapper configuration privileges to crash the kernel via a denial-of-service condition. The flaw resides in create_dirty_log() where an unchecked unsigned addition of 2 + param_count wraps around to a small value when param_count approaches UINT_MAX, bypassing an argc bounds check and triggering out-of-bounds reads in dm_dirty_log_create(). No public exploit code exists and EPSS is exceptionally low at 0.02% (5th percentile); this CVE has not been added to the CISA KEV catalog, indicating no confirmed active exploitation at time of analysis.
Out-of-bounds MMIO read in the Linux kernel's ibmasm (IBM Advanced System Management) misc driver allows a compromised IBM service processor to read 8 bytes from unintended device registers or trigger a machine check exception (system crash) by writing an out-of-range queue reader/writer index before asserting an interrupt. The flaw resides in ibmasm_handle_mouse_interrupt() where raw readl() values are passed unchecked to get_queue_entry(), and is fixed by bounds-checking both indices against REMOTE_QUEUE_SIZE (60). No public exploit identified at time of analysis, and EPSS probability is negligible at 0.02%.
Out-of-bounds memory access in the Linux kernel's DAMON (Data Access MONitor) subsystem allows privileged local users to crash the kernel by supplying arbitrary node IDs to damos_quota_goal via DAMON_SYSFS. Affecting Linux 6.16 and fixed in 6.18.27, 7.0.4, and 7.1-rc1, the flaw stems from missing validation before si_meminfo_node()/NODE_DATA() lookups and is reproducible with the upstream 'damo' user-space tool. No public exploit identified at time of analysis and EPSS is very low at 0.02%.
The atmel-aes crypto driver in the Linux kernel leaks 3 pages of kernel memory per cleanup cycle due to a mismatch between allocation and deallocation functions: atmel_aes_buff_init() allocates 4 contiguous pages via __get_free_pages() with ATMEL_AES_BUFFER_ORDER, but atmel_aes_buff_cleanup() frees only a single page via free_page() instead of the correct free_pages(). Systems running on Atmel/Microchip ARM SoC hardware with this driver loaded are vulnerable to gradual kernel memory exhaustion leading to denial of service. No public exploit code exists and no active exploitation has been confirmed; the EPSS score of 0.02% (5th percentile) reflects the extremely narrow hardware-specific attack surface, and vendor-released patches are available across multiple stable kernel branches.
Availability degradation in the Linux kernel ALSA USB audio subsystem allows a local attacker with a crafted UAC2 USB audio device to trigger an unbounded parsing loop that holds register_mutex while repeatedly flooding the kernel log with error messages. Affected systems running snd-usb-audio on multiple stable kernel branches from 3.x through 7.0 are exposed to denial-of-service via mutex contention during USB device probe. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (6th percentile) reflects minimal threat actor interest; no CISA KEV listing exists.
Race condition in the Linux kernel memory management subsystem during large-folio migration can cause kernel availability disruption on SMP/NUMA systems. The flaw in migrate_folio_move() causes a destination folio to become visible to concurrent rmap-removal paths before being requeued onto the deferred split queue, triggering a kernel WARN in deferred_split_folio() or silently losing a folio from split_queue when the shrinker races the migration lock. With no public exploit, no CISA KEV listing, and an EPSS of 0.02%, this is a low real-world risk issue primarily relevant to HPC, virtualization, and database workloads with heavy NUMA migration activity.
NULL pointer dereference in the Linux kernel's Xilinx remoteproc (xlnx) IPI receive callback enables a local low-privileged user to crash the kernel on Xilinx SoC-based systems. The receive callback unconditionally accesses buffer information without first validating whether the message pointer is NULL, which occurs when IPI is operating in non-buffered mode. No public exploit exists and no active exploitation is confirmed; with EPSS at 0.02% (5th percentile), real-world risk is very low and hardware-specific.
Broken LBR MSR save/restore in the Linux kernel KVM/SVM subsystem allows a low-privileged local attacker to cause high-impact availability failures in virtualized environments running on AMD SVM hardware. MSR_IA32_DEBUGCTLMSR and Last Branch Record (LBR) MSRs are not enumerated by KVM_GET_MSR_INDEX_LIST and cannot be set via KVM_SET_MSRS, meaning VM state is not correctly preserved across save/restore or live migration cycles, particularly when L2 guests are running. No public exploit has been identified at time of analysis, and EPSS of 0.02% indicates very low exploitation probability, but the flaw affects a foundational hypervisor state management path on production AMD virtualization infrastructure.
Incorrect physical address conversion in the Linux kernel's mm/memfd_luo subsystem can crash the kernel when the put_folios error-cleanup path executes during memfd Live Update Object (LUO) operations. The cleanup passes a raw Page Frame Number (PFN) where kho_restore_folio() requires a phys_addr_t, and a missing sparse-hole guard (pfn==0) risks misprocessing file holes. No public exploit identified at time of analysis; EPSS of 0.02% (5th percentile) and absence from CISA KEV confirm very low real-world exploitation probability, with impact confined to local denial of service on systems running the experimental KHO/LUO subsystem.
Memory exhaustion denial-of-service in the Linux kernel's rxkad Kerberos authentication layer allows a local low-privilege attacker to leak kernel memory by repeatedly triggering error paths in rxkad_verify_response(). The vulnerability affects kernels from approximately 5.11 through all unpatched stable series prior to 6.6.140, 6.12.86, 6.18.27, and 7.0.4. No public exploit exists and EPSS sits at 0.02% (5th percentile), indicating minimal real-world exploitation likelihood; however, systems running AFS workloads with rxrpc active warrant patching at next maintenance.
Duplicate resource teardown in the Linux kernel's PCI endpoint NTB (Non-Transparent Bridge) driver causes a kernel oops when link state transitions fail or complete, enabling a local low-privileged user to crash the kernel. The `epf_ntb_epc_destroy()` helper performs teardown that its callers also execute, resulting in a double-free-class condition. No public exploit code exists and no active exploitation has been confirmed (not in CISA KEV); the EPSS score of 0.02% at the 5th percentile reflects extremely low observed exploitation probability.
Deadlock in Linux kernel DAMON (Data Access Monitor) subsystem allows a local low-privileged user or kernel code path to cause an indefinite thread hang in the mm/damon/core module via a race condition between damos_walk() request registration and kdamond_fn() exit sequencing. Systems running Linux kernels from commit bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61 through the patch commits are affected, with availability as the sole impact (CVSS C:N/I:N/A:H). No public exploit identified at time of analysis, and EPSS probability is 0.02% (5th percentile), indicating negligible real-world exploitation interest.
Cache coherency violation in the Linux kernel hwmon powerz driver allows a local low-privileged user to crash the kernel on architectures where DMA buffer cacheline aliasing with adjacent kernel structures (here, a mutex) produces undefined behavior. Affected systems must have the powerz USB hardware monitor driver loaded and the specific hardware attached. No public exploit code exists and EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation activity; nonetheless the kernel availability impact (system crash) is concrete once triggered on a vulnerable architecture.
Use-after-free in the Linux kernel ALSA caiaq USB audio driver allows local code execution when the device probe path encounters an error during setup_card(). The setup_card() function previously ignored failures from snd_card_register() and continued executing, leaving freed card structures accessible to subsequent initialization calls such as snd_usb_caiaq_control_init(). No public exploit identified at time of analysis, and EPSS is low at 0.02% (5th percentile), consistent with the local attack vector and narrow hardware-driver scope.
The ext2 filesystem driver in the Linux kernel allows a local user to trigger kernel WARN_ON panics by mounting a crafted ext2 image containing an inode with zero link count (i_nlink=0), non-zero mode, and zero deletion timestamp - a combination that bypasses the incomplete corruption check in ext2_iget() and reaches drop_nlink() in an invalid state. Discovered by the Linux Verification Center using Syzkaller fuzzing, the flaw affects Linux kernel versions from 2.6.12 through multiple stable branches and results in denial of service via kernel instability. No public exploit exists and no KEV listing; EPSS is negligible at 0.02%, consistent with the local access requirement and specialized image-crafting prerequisite.
Stack buffer overrun in the Linux kernel's pt5161l hwmon driver allows a malicious or malfunctioning I2C device to write up to 32 bytes into a 24-byte stack buffer during pt5161l_read_block_data(), corrupting kernel memory. The flaw affects Linux 6.9 through versions before the stable fixes, and a secondary bug causes the driver to process stale data as valid when retries are exhausted with a length mismatch. EPSS is very low (0.02%) and no public exploit identified at time of analysis.
The rxrpc connection-level packet handler in the Linux kernel modifies RESPONSE packet data in-place within a potentially shared sk_buff, exposing decrypted rxrpc authentication material to co-attached packet sniffers and risking kernel instability when a cloned buffer is written without unsharing. Systems running the rxrpc subsystem (primarily AFS clients and servers) from kernel 2.6.22 onward through the affected stable branches are vulnerable. No public exploit exists and EPSS sits at 0.02% (5th percentile) with no CISA KEV listing, indicating minimal real-world exploitation pressure; patches are confirmed across stable branches 6.6.140, 6.12.88, 7.0.4, 6.18.27, and 7.1-rc1.
Reference count leak in the Linux kernel SCSI disk driver (drivers/scsi/sd.c) allows a local low-privileged user to cause kernel resource exhaustion and system crash. In sd_probe(), when device_add(&sdkp->disk_dev) fails, the cleanup path correctly invokes put_device() triggering scsi_disk_release() to free the scsi_disk structure, but omits the corresponding put_disk(gd) call - leaving the gendisk object with an unreleased reference. This asymmetry with the device_add_disk() error path means repeated probe failures accumulate reference leaks that can exhaust kernel memory and deny service. No public exploit has been identified and EPSS probability is 0.02% (5th percentile), consistent with a stability fix rather than an attacker-targeted flaw.
Use-after-free in the Linux kernel's io_uring zero-copy receive (zcrx) subsystem allows local low-privileged attackers to corrupt memory and potentially escalate privileges. The flaw stems from io_free_rbuf_ring() accessing a struct user_struct after io_zcrx_ifq_free() has already released the reference, creating a UAF window. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but the bug class (UAF in io_uring) has historically been weaponized for LPE.
Out-of-bounds read in the Linux kernel's ibmasm driver allows a local low-privileged user with write access to the ibmasm command character device to leak kernel heap memory to the IBM Advanced System Management service processor and potentially destabilize the host. The flaw resides in command_file_write(), which trusts attacker-controlled command_size/data_size header fields after allocating a buffer of arbitrary count, enabling get_dot_command_size() to return a value larger than the allocation. EPSS is 0.02% and no public exploit is identified at time of analysis; the issue is not on CISA KEV.
Out-of-bounds write and data-loss bugs in the Linux kernel SLUB allocator's krealloc() function affect kernels incorporating commit 2cd8231796b5, which introduced NUMA node and alignment forcing to k[v]realloc(). A local attacker with low privileges who can trigger the krealloc_node_align() or kvrealloc() reallocation fallback path - specifically when shrinking an allocation while simultaneously forcing a new alignment or NUMA node - can cause kernel heap memory corruption leading to a system panic or silent heap object corruption. No public exploit exists beyond the lkdtm reproducer in the CVE description; EPSS stands at the 4th percentile and the vulnerability is not in CISA KEV. Vendor-released patches are confirmed available in Linux 6.18.27, 7.0.4, and 7.1-rc1.
Use-after-free in the Linux kernel's Open Firmware (OF) device tree unittest driver (testdrv_probe) allows local low-privileged attackers to corrupt memory and potentially escalate privileges. The flaw stems from an erroneous of_node_put() call that releases a device_node reference owned by the device model, which can then be dereferenced later in of_platform_default_populate(). EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a vendor patch is available.
Interrupt shadow state desynchronization in the Linux kernel KVM nSVM subsystem can hang L2 nested virtual machines on AMD-V hosts when VM state is restored in a specific ioctl ordering. Systems using KVM nested virtualization (kvm_amd with nested=1) are affected when a live migration or checkpoint-restore operation calls KVM_SET_VCPU_EVENTS before KVM_SET_NESTED_STATE, causing the interrupt shadow to be written into vmcb01 (L1 context) instead of vmcb02 (L2 context). No public exploit has been identified and EPSS is 0.02% (5th percentile), placing this squarely as a correctness and operational availability issue for nested virtualization deployments rather than a broadly exploitable security threat.
Memory exhaustion in the Linux kernel's ccree (ARM CryptoCell) driver allows a local low-privileged user to cause a denial of service by repeatedly triggering an error path in cc_mac_digest() that fails to release mapped memory. The vulnerability exists because cc_unmap_result() is not called when cc_map_hash_request_final() returns an error, causing each failed MAC digest operation to leak kernel memory. No active exploitation is confirmed; EPSS is 0.02% at the 5th percentile, consistent with a low-severity, hardware-specific kernel maintenance fix. The 'Information Disclosure' tag in the source data is inconsistent with the CVSS vector (C:N) and description - impact is availability-only.
Stale data exposure in the Linux kernel's ext4 filesystem affects systems using the dioread_nolock mount option, triggered by a flag-handling logic error in the extent-splitting code path during Direct I/O operations. When `EXT4_GET_BLOCKS_CONVERT` is incorrectly passed during a pre-I/O split of an unwritten extent, a simultaneous `-ENOSPC` failure in `ext4_split_extent_at()` causes the entire on-disk extent to be prematurely converted to written state while the in-memory extent status tree retains an inconsistent unwritten marker for the second half; if the DIO write subsequently fails, a future read of that region exposes stale pre-zero data. No public exploit has been identified at time of analysis, EPSS is 0.02% (7th percentile), and there is no CISA KEV listing, indicating no confirmed active exploitation.
NFSv4 server slot exhaustion in the Linux kernel nfsd subsystem causes persistent denial of service for NFS clients when idmap upcall delays occur during compound argument decoding. Specifically, when a SETATTR or similar compound operation triggers an idmap lookup upcall that exceeds the allowed time limit, cache_check() sets RQ_USEDEFERRAL and drops the request before nfs4svc_encode_compoundres() can execute - meaning the NFSD4_SLOT_INUSE session slot flag is never cleared. All subsequent client requests on that session slot fail with NFSERR_JUKEBOX indefinitely. No public exploit has been identified and EPSS is 0.02% (7th percentile), indicating no active exploitation pressure; this is a logic flaw with confirmed upstream patches across all major stable branches.
NULL pointer dereference in the Linux kernel's ACPICA subsystem crashes the kernel via a missed execution path in acpi_ev_address_space_dispatch(), resulting in a local denial of service. Affected systems run Linux kernel versions tracing back to commit 0acf24ad7e10f547809faefb8069f8f5482eb4d9, spanning multiple stable branches through at least 6.19.x. No public exploit exists and EPSS is negligible at 0.02% (7th percentile), but the high availability impact and wide kernel version coverage make patching prudent for any multi-tenant or availability-sensitive Linux environment.
Use-after-free and double-free conditions in the Linux kernel's s390/cio Channel I/O subsystem expose IBM Z (mainframe) systems to local denial-of-service attacks via kernel crash. The flaw resides in `css_alloc_subchannel()`, where `device_initialize()` is invoked before DMA mask configuration; if that configuration fails, the error path incorrectly calls `kfree()` directly, bypassing the kernel device model's reference counting and corrupting kernel memory. With a CVSS score of 5.5 (AV:L), an EPSS of 0.02% (7th percentile), no KEV listing, and strict hardware-architecture scope limited to s390/IBM Z, this is no public exploit identified at time of analysis and represents a low-urgency but architecturally significant stability fix.
Improper mutex cleanup in the Linux kernel's amdgpu DRM driver allows a local low-privileged user to cause a GPU subsystem denial-of-service on systems equipped with AMD GPU hardware. When kmalloc fails under low memory conditions inside amdgpu_cs_parser_bos, the error path previously returned without releasing the held mutex, leaving it permanently locked and stalling GPU command submission for all users. No public exploit exists and the vulnerability is not listed in CISA KEV; with an EPSS of 0.02% (5th percentile), real-world exploitation risk is low.
NULL pointer dereference in the Linux kernel's staging Greybus lights driver (`drivers/staging/greybus/lights.c`) causes a local denial of service via kernel panic. The flaw affects systems running Greybus-enabled kernels since commit 2870b52b (Linux 4.9 onward), where a low-privileged local user can trigger a kernel crash if `kcalloc()` fails during lights channel initialization. No public exploit exists and EPSS is 0.02% (7th percentile), reflecting niche hardware dependency; the vulnerability is not listed in CISA KEV.
Use-after-free race condition in the Linux kernel's fbnic (Facebook NIC) driver can be triggered by a local attacker to crash the system. The fw_log firmware log buffer is freed during device teardown before the mailbox IRQ is disabled, allowing a concurrent MSIX interrupt handler to dereference a freed or NULL pointer. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.02% (4th percentile) reflects very low real-world exploitation probability; the primary risk is a denial of service to systems hosting fbnic NICs.
Memory leak in the Linux kernel's amdgpu DRM driver allows a local low-privileged user to gradually exhaust kernel memory on systems equipped with AMD GPUs. The flaw exists in amdgpu_ras_init(), where a failed call to amdgpu_nbio_ras_sw_init() causes the function to return an error without freeing the previously allocated 'con' context structure, bypassing the existing release_con cleanup label. No public exploit exists and EPSS is 0.02% (5th percentile), classifying this as a low-priority maintenance fix with no confirmed active exploitation.
Race condition in the Linux kernel's ublk (userspace block device) subsystem allows a local low-privileged attacker to crash the kernel by concurrently modifying io_uring submission queue entries during kernel processing. The ublksrv_ctrl_cmd struct resides in userspace-mapped shared memory, and unguarded normal loads let a racing userspace thread corrupt the kernel's view of the command, triggering a denial-of-service condition. No public exploit exists and EPSS is 0.02%, but fixed kernel versions 6.19.4 and 7.0 are confirmed available.
Invalid leaf access in the btrfs quota subsystem of the Linux kernel allows a local low-privileged user to crash the system by triggering a denial-of-service condition in `btrfs_quota_enable()`. When `btrfs_search_slot_for_read()` returns 1 - signaling end-of-tree with no valid key found - the function fails to exit its loop and proceeds to dereference the now-invalid path pointer, causing a kernel panic. Patched versions are confirmed across multiple stable series (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, 7.0); no public exploit or CISA KEV listing exists at time of analysis.
Indefinite kernel hang in the Linux mlx5_ib RDMA driver causes denial of service during device unload when a firmware reset occurs in LAG (Link Aggregation Group) mode. The race condition leaves UMR (User Memory Registration) deregistration operations blocked forever - posted on the master NIC but awaiting completions from a slave that is already dead - deadlocking the teardown sequence and requiring a hard reboot. No public exploit has been identified, EPSS sits at 0.02% (5th percentile), and impact is confined to systems with Mellanox/NVIDIA mlx5 hardware explicitly configured in bonded LAG mode with active RDMA workloads.
Uncontrolled BPF program signature size in the Linux kernel allows a low-privileged local user to force the kernel into expensive memory allocation paths (kmalloc_large or vmalloc) by supplying an arbitrarily large signature size value to the BPF_PROG_LOAD operation. Affected kernel versions prior to 6.18.14, 6.19.4, and 7.0 are vulnerable to local denial-of-service through kernel memory exhaustion. No public exploit has been identified at time of analysis and no active exploitation is confirmed (not in CISA KEV), with an EPSS score of 0.02% (4th percentile) indicating very low automated exploitation probability.
NULL pointer dereference in the Linux kernel HID PlayStation driver crashes the kernel when force feedback (FF) effects are triggered on a PlayStation controller that experienced a silent initialization failure. Systems running Linux 5.12 through unpatched stable branches with PlayStation controllers (DualSense, DualShock 4, or compatible HID devices) attached are affected. A local low-privileged attacker who can trigger FF effects on a controller where input_ff_create_memless() returned an error can cause a kernel panic, resulting in a full system denial of service. No public exploit exists and EPSS is 0.02% (7th percentile), consistent with a niche hardware driver flaw.
Null pointer dereference in the Linux kernel's cpuidle ladder governor crashes PowerNV systems when only a single idle state is registered - the governor incorrectly indexes into state 1 as if it were the first usable non-polling state, resulting in a NULL enter callback invocation and immediate kernel panic. Systems running IBM PowerNV hardware without a power-mgt device tree node are specifically at risk, as this firmware configuration causes cpuidle to register only the polling state (state 0). No public exploit code exists and EPSS probability is 0.02% (7th percentile), reflecting this is a platform-specific availability issue rather than a broadly exploitable attack surface; it is not listed in CISA KEV.
Kernel crash (denial of service) in the Linux kernel BPF subsystem affects local low-privileged users due to a double-offset bug in the instruction array map. The `map_direct_value_addr()` function incorrectly adds the caller-supplied offset to the returned address, then `resolve_pseudo_ldimm64()` adds it a second time, resulting in an incorrect memory address that can trigger a kernel fault. No public exploit exists and the EPSS score is 0.02% (5th percentile), indicating very low opportunistic exploitation risk, but the availability impact is rated High per CVSS.
NULL pointer dereference in the Linux kernel's AppArmor LSM (`__unix_needs_revalidation()`) allows a local low-privileged user to crash the kernel, resulting in a denial of service. Introduced as a regression in kernel 6.17 with AppArmor 5.0.0, the flaw is triggered by passing file descriptors over UNIX domain sockets via SCM_RIGHTS when the receiving socket or its `sk` pointer is NULL during transient setup or teardown states. No active exploitation is confirmed (absent from CISA KEV), and EPSS sits at 0.02% (4th percentile), indicating low exploitation probability; patches are available in stable releases 6.18.14, 6.19.4, and 7.0.
Kernel NULL pointer dereference in the Linux AppArmor security module allows a local low-privileged user to crash the system by reading an apparmorfs symbolic link under a specific runtime configuration sequence. The flaw exists in rawdata_get_link_base, where profile->rawdata->name is dereferenced without first verifying that rawdata is non-NULL after a profile replacement clears it. No public exploit exists and EPSS stands at 0.02%, though the crash is fully reproducible from the conditions documented in the commit description.
Memory exhaustion in the Linux kernel's SUNRPC GSS authentication subsystem (net/sunrpc/auth_gss/auth_gss.c) allows a local low-privileged user to leak kernel memory by repeatedly triggering a specific error path where kstrdup_const() fails during gss_alloc_msg() processing, preventing gss_auth structures from ever being freed. The defect was introduced by commit 5940d1cf9f42, which added kref_get(&gss_auth->kref) without the corresponding kref_put() on the err_put_pipe_version error path when service_name is non-NULL. With EPSS at 0.02% (7th percentile), no CISA KEV listing, and no public exploit, this is a low-urgency memory management defect primarily relevant to systems running NFS with Kerberos/RPCSEC_GSS authentication.
Kernel crash via use-after-free race in the Linux kernel nau8821 ASoC audio codec driver affects systems including the Valve Steam Deck when a jack detection workqueue item executes after the driver component has been removed. The missing cancel_delayed_work_sync call in the component remove path allows nau8821_jdet_work to dereference freed kernel structures, producing a fatal page fault. No public exploit exists and EPSS is 0.02%, but any NAU8821-equipped system on kernel versions from 5.16 through pre-6.19.4 is vulnerable to local denial-of-service via kernel panic.
Out-of-bounds memory access in the Linux kernel ublk (userspace block device) subsystem allows a local low-privilege user to crash the kernel by submitting an io_uring control command without the IO_URING_F_SQE128 flag set. The root cause is that ublk_ctrl_cmd_dump() unconditionally accesses the extended cmd field of a Submission Queue Entry before ublk_ctrl_uring_cmd() validates that the SQE is 128 bytes in size, reading beyond the 64-byte standard SQE boundary. No public exploit is identified at time of analysis, and the EPSS score of 0.02% at the 7th percentile signals very low exploitation probability.
Memory leaks in the GFS2 cluster filesystem driver (fs/gfs2/) allow a local low-privileged user to exhaust kernel memory over time, producing availability degradation or denial of service on affected Linux systems. Two distinct leak paths exist in gfs2_fill_super() error handling: kernel thread objects for logd and quotad (~4480 bytes each) are not released when gfs2_freeze_lock_shared() fails after init_threads() succeeds, and a quota bitmap buffer (8192 bytes) is not freed when gfs2_make_fs_rw() fails after gfs2_quota_init() completes. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with a triggered-path defect requiring GFS2-specific failure conditions rather than opportunistic mass exploitation.
Kernel panic via reference count corruption in the Linux kernel's HFS+ filesystem driver (hfsplus) allows a local attacker with low privileges to crash the system. The function hfs_bnode_create() returns an already-hashed B-tree node without incrementing its reference count when it unexpectedly encounters a node that should not yet exist - a condition triggered by filesystem corruption or a logic error in hfs_bmap_alloc(). When hfs_bnode_put() later decrements the reference count to zero and attempts cleanup, the kernel triggers a fatal BUG_ON(!atomic_read(&node->refcnt)) assertion at bnode.c:676, causing an immediate kernel panic. No public exploit exists and EPSS is 0.02% (7th percentile), consistent with the local-only attack vector and niche trigger conditions, but the availability impact is total for affected systems.
Denial of service in the Linux kernel's RCU (Read-Copy-Update) subsystem allows a local condition to trigger an infinite recursion deadloop in rcu_read_unlock_special() when ftrace is enabled, leading to kernel hang or crash. The flaw stems from a missing recursion-protection flag when raise_softirq_irqoff() is invoked from the RCU unlock path, causing repeated re-entry through the softirq/trace stack. No public exploit identified at time of analysis and EPSS rates exploitation probability at 0.02%.
Memory leak in Linux kernel's fbdev au1200fb framebuffer driver causes resource exhaustion when the probe function encounters IRQ allocation failure. The vulnerability exists in au1200fb_drv_probe() within the au1200fb driver: when platform_get_irq() returns an error, the function returns immediately without releasing previously allocated memory, leading to kernel heap exhaustion over time. Local attackers or repeated probe failures (e.g., via hotplug events on affected MIPS-based Alchemy hardware) can deplete kernel memory, resulting in denial of service. No public exploit has been identified at time of analysis, and EPSS at 0.02% (7th percentile) confirms negligible exploitation interest.
IO deadloop in Linux kernel's md/raid5 subsystem causes complete availability loss on systems running degraded RAID5 arrays with llbitmap enabled. When llbitmap bit state is 'unwritten', the missing synchronization check in need_this_block() diverges from the check present in handle_stripe_dirtying(), trapping handle_stripe() in an infinite loop that never makes progress - effectively hanging all IO on the affected array. No public exploit is identified at time of analysis, and EPSS at 0.02% (4th percentile) reflects very low real-world exploitation probability, consistent with the narrow deployment conditions required.
Missing MTU validation in the Linux kernel fbnic Ethernet driver allows a local low-privileged user to trigger a denial of service by increasing the interface MTU after an XDP program is already attached. Increasing the MTU beyond the HDS (Header Data Split) threshold causes the fbnic hardware to fragment packets across multiple buffers; since single-buffer XDP programs cannot process multi-fragment frames, the driver silently drops them - breaking new TCP streams and discarding oversized non-TCP traffic. No public exploit exists and EPSS is 0.02% (4th percentile), placing this firmly in the low-priority tier despite its High availability rating; patches are confirmed available in Linux 6.18.14, 6.19.4, and 7.0.
Memory leak in the Linux kernel's StarFive AES crypto driver allows a local low-privileged user on affected StarFive JH7110 RISC-V hardware to exhaust kernel memory and cause a denial of service. The flaw resides in starfive_aes_aead_do_one_req(), where kzalloc()-allocated memory for rctx->adata is not freed on two distinct error paths - failures in sg_copy_to_buffer() or starfive_aes_hw_init() - resulting in unreleased heap memory each time an AEAD operation fails. No public exploit exists and EPSS is extremely low at 0.02%, consistent with a hardware-specific, analysis-discovered defect rather than an actively targeted weakness.
Use-after-free race condition in the Linux kernel hwrng (hardware random number generator) core subsystem allows a local attacker with low privileges to crash the kernel, causing a denial of service. The race occurs when hwrng_register() and hwrng_unregister() execute concurrently, leaving the hwrng_fill pointer dirty and enabling kthread_stop() to be invoked on an already-freed task_struct - confirmed in the virtrng_remove call path, making virtualized Linux environments a primary real-world attack surface. No public exploit code exists and no active exploitation (KEV) has been confirmed; the EPSS score of 0.02% reflects minimal opportunistic exploitation activity.
Memory exhaustion in the Linux kernel's ext4 filesystem driver allows a local low-privilege user to gradually degrade system availability by repeatedly triggering a kernel memory leak in ext4_ext_shift_extents(). The flaw, present since approximately kernel 3.15, causes path structures allocated by ext4_find_extent() to go unreleased when a NULL extent is encountered during fallocate shift operations. With no CISA KEV listing, an EPSS of 0.02%, and no public exploit code identified, this is a low-urgency but genuine patch priority for long-lived ext4 systems with unprivileged local users.
Memory exhaustion in the Linux kernel's drm/amdgpu driver allows a local low-privileged user on AMD GPU-equipped systems to degrade host availability by repeatedly triggering an error path in amdgpu_acpi_enumerate_xcc() that leaks kernel heap memory. The root cause is a missing free of the xcc_info structure when amdgpu_acpi_dev_init() returns -ENOMEM, identified through static analysis and code review rather than active exploitation. With EPSS at 0.02% (5th percentile) and no CISA KEV listing, this is a low-priority maintenance fix for most environments, most relevant to long-running AMD GPU compute workloads where repeated enumeration failures could accumulate leaked memory.
Use-after-free in the Linux kernel's ab8500 power supply driver (drivers/power/supply/ab8500) can be triggered during device removal or probe due to incorrect ordering of devm_-managed resource allocation. The race allows an IRQ handler to invoke power_supply_changed() against a freed or uninitialized power_supply handle, typically resulting in a kernel crash or silent memory corruption. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the flaw is not on CISA KEV.
Kernel NULL pointer dereference in the Linux EROFS compressed filesystem driver allows a local user reading from an EROFS image to crash the system. The flaw lives in z_erofs_decompress_pcluster(), where compressed folios for ztailpacking pclusters are added to I/O chains before being validated; if inline-data reading fails (notably when a fatal signal interrupts read_mapping_folio()), decompression assumes the folios are valid and dereferences a NULL pointer. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%), and the issue is not in CISA KEV.
TPM locality leak in the Linux kernel's tpm_i2c_infineon driver allows a local user on an affected system to exhaust TPM localities and render the TPM device unavailable. The tpm_tis_i2c_send() function acquires a TPM locality at entry but fails to release it when get_burstcount() times out with -EBUSY, causing a resource leak on every such timeout. Patches are available across multiple stable kernel branches; no public exploit code or active exploitation (CISA KEV) has been identified, and EPSS is 0.02% at the 7th percentile.
Kernel crash (oops) in the stmmac GMAC4 Ethernet driver causes a denial of service when split header reception is enabled. The stmmac receive path incorrectly assumes that buf2 of the first DMA descriptor is always fully populated with payload, but the GMAC4 hardware does not guarantee this in all cases. When the assumption is violated, the driver miscalculates the length of buf2 in the second descriptor, resulting in an invalid virtual address dereference deep in the DMA cache-invalidation path, crashing the kernel. No public exploit has been identified at time of analysis, and EPSS is 0.02% (4th percentile), indicating negligible opportunistic exploitation interest.
Memory leak in the Linux kernel's NI USB GPIB driver allows a local low-privileged user to exhaust kernel memory by repeatedly triggering a failed initialization path. The flaw exists in ni_usb_init(), where a writes buffer is allocated but never freed when ni_usb_setup_init() returns failure, compounding the issue with an incorrect error code (-EFAULT instead of -EINVAL). No public exploit is identified at time of analysis, and EPSS sits at 0.02%, consistent with the niche hardware driver context and local-only attack surface.
Memory corruption in the Linux kernel's pm8916_lbc power-supply driver (Qualcomm PM8916 PMIC linear battery charger) stems from a use-after-free in power_supply_changed(), where devm-managed teardown ordering lets a charger interrupt fire against a freed or not-yet-initialized power_supply handle during driver probe or removal. Local attackers able to trigger device unbind/rebind or module load/unload can crash the system or silently corrupt kernel memory. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis; the issue is not in CISA KEV.
Kernel panic in the Linux kernel's Inside Secure EIP-93 hardware crypto driver occurs during driver detach due to a loop iterator bug that causes the same hash algorithm to be unregistered multiple times. Systems equipped with Inside Secure EIP-93 cryptographic accelerator hardware and running unpatched kernels between the introducing commit (9739f5f93b78) and the fix commits are vulnerable. A local low-privileged user who can trigger driver detach - via module unload or device removal - can crash the kernel, resulting in a full system denial of service. No public exploit exists and EPSS is 0.02% (4th percentile), indicating negligible in-the-wild activity.
Use-after-free in the Linux kernel's goldfish power-supply driver (drivers/power/supply/goldfish_battery) allows a local attacker to crash the system or corrupt kernel memory by racing device probe/removal against the battery IRQ handler. The driver requested its IRQ via devm_ before registering the power_supply handle, so on teardown the handle is freed while the still-live interrupt can fire and call power_supply_changed() on freed (or, during probe, uninitialized) memory. No public exploit identified at time of analysis; EPSS is negligible (0.02%) and the bug is not in CISA KEV.
Btrfs transaction aborts in the Linux kernel allow local low-privileged users to crash the filesystem by triggering a logic defect in DUP chunk allocation that generates overlapping physical address ranges in the chunk map. Systems running btrfs with DUP metadata profiles - the default for single-device btrfs deployments - can encounter EEXIST (-17) errors in insert_dev_extents() during btrfs_create_pending_block_groups(), causing the transaction to abort and the filesystem to enter an error state. No public exploit or active exploitation (CISA KEV) has been identified; with an EPSS of 0.02% (4th percentile), this is a kernel reliability defect of operational concern to btrfs operators rather than a traditional attack vector.
Uninitialized kernel memory leaks to local users via the MCTP netlink subsystem in the Linux kernel, where RTM_GETNEIGH responses return stale kernel data in the pad bytes of ndmsg structures across link, addr, and neigh response messages. Any local user with PR:L access to the MCTP netlink interface can extract arbitrary pad-byte contents from kernel memory allocations, potentially exposing pointers, partial stack data, or remnants of prior allocations that could assist in defeating kernel address space layout randomization (KASLR). Disclosed by Syed Faraz Abrar (Zellic) and Pumpkin (DEVCORE Research Team) via Trend Micro Zero Day Initiative; no public exploit code exists and EPSS sits at the 5th percentile (0.02%), indicating negligible active exploitation at time of analysis.
Memory leak in the Linux kernel's chips-media wave5 VPU media driver allows a local low-privileged user to exhaust kernel memory, resulting in denial of service. The flaw exists in both the encoder and decoder open paths - wave5_vpu_open_enc() and wave5_vpu_open_dec() - where a VPU instance allocated via kzalloc() is not freed when the subsequent codec_info allocation fails. No public exploit exists and EPSS sits at 0.02% (5th percentile), reflecting the hardware-specific and local-only nature of this issue.
BPF map hash verification in the Linux kernel is vulnerable to a TOCTOU race condition that allows a local low-privileged attacker to bypass integrity checks enforced by trusted BPF loaders. Userspace can call BPF_OBJ_GET_INFO_BY_FD to prime the hash cache, then modify the map contents in the race window before freezing it, causing a trusted loader to verify the original (stale) hash against the silently-altered map. No active exploitation is confirmed (not in CISA KEV) and EPSS is 0.02%, but the attack's integrity impact appears understated by the published CVSS vector, which records A:H/I:N - inconsistent with a hash-bypass that enables modified code/data to be loaded as trusted.
Memory leak in the Linux kernel's Rust-language PWM subsystem allows a local low-privileged attacker to gradually exhaust kernel memory through repeated PWM chip initialization failures. The `pwmchip_alloc()` function allocates a device structure holding an initial reference that must be explicitly released via `pwmchip_put()` on error paths, but when `__pinned_init()` fails the reference is never dropped, leaking the `pwm_chip` allocation. EPSS stands at 0.02% (5th percentile) and the vulnerability is not listed in CISA KEV, indicating no known active exploitation; no public exploit code has been identified at time of analysis.
Reference leak in the Linux kernel's thermal/of subsystem allows a local low-privileged user to degrade system availability through repeated kernel resource exhaustion. The thermal_of_cm_lookup() function acquires a device_node reference via of_parse_phandle() but never releases it, causing reference counts to accumulate without bound on systems with Device Tree-based thermal configuration. No active exploitation is identified (EPSS 0.02%, 5th percentile; no CISA KEV listing), and this is a reliability and availability defect rather than a code-execution primitive; patched stable kernel versions are available across multiple maintained branches.
Improper lock release in the Linux kernel ksmbd subsystem (in-kernel SMB server) allows a local low-privileged user to trigger a deadlock by inducing error paths in `ksmbd_vfs_kern_path_locked` where `ksmbd_vfs_kern_path_end_removing()` is never called to balance the corresponding `ksmbd_vfs_kern_path_start_removing()`. Affected kernel versions span multiple stable branches from 5.15 through 6.17. No public exploit or active exploitation is known; EPSS stands at 0.02% (7th percentile), confirming low real-world exploitation probability.
Missing endpoint descriptor validation in the Linux kernel catc USB Ethernet driver allows a physically-present attacker with a crafted USB device to cause a kernel denial of service. The catc_probe() function submits URBs against hardcoded endpoint pipes (bulk on endpoint 1, interrupt on endpoint 2) without confirming that the connected device actually presents those endpoint types - a malformed device can exploit this assumption to trigger undefined behavior at the URB submission layer. No active exploitation has been confirmed (not listed in CISA KEV), and the EPSS score is extremely low at 0.02% (7th percentile), reflecting limited real-world exploitation likelihood.
Memory leak in the Linux kernel's RDMA/mlx5 subsystem allows a local low-privileged user to exhaust kernel memory by repeatedly triggering the error path in the GET_DATA_DIRECT_SYSFS_PATH uverbs handler. The flaw affects multiple stable kernel branches requiring mlx5-family InfiniBand/RDMA hardware, and was discovered through static analysis and code review rather than active exploitation. No public exploit exists and EPSS probability is 0.02% (5th percentile), indicating no public exploit or active exploitation at time of analysis.
Memory leak in the Linux kernel's MTD TP-Link SafeLoader partition parser allows a local low-privileged user to cause availability degradation on affected embedded systems. The `mtd_parser_tplink_safeloader_parse()` function omits freeing a temporary buffer `buf` on the error path when a subsequent `kmalloc()` for `parts[idx].name` fails inside the parsing loop. No public exploit exists and EPSS is negligible at 0.02% (5th percentile); this vulnerability was identified via static analysis and code review, not observed exploitation.
Local denial-of-condition in the Linux kernel ext4 filesystem driver allows an internal counter (s_dirtyclusters_counter) to be double-decremented to -1 along the block-allocation error path that triggers during filesystem shutdown, surfacing as a WARNING in ext4_put_super(). The flaw lives between ext4_mb_mark_diskspace_used() and ext4_mb_new_blocks(), where a metadata-write failure causes the dirty-clusters reservation to be released twice. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%, 7th percentile); despite the CWE-415 (double free) classification and a 7.8 CVSS, the observed effect is cluster-accounting corruption rather than demonstrated memory corruption.
An infinite self-IPI loop in the Linux kernel's real-time scheduler `rto_next_cpu()` function causes a CPU hardlockup, resulting in a complete denial of service on affected multi-CPU systems. Systems with `HAVE_RT_PUSH_IPI` enabled are vulnerable when a specific concurrent mix of CPU-bound RT tasks, non-CPU-bound RT tasks, and kernel-stuck CFS tasks triggers a race condition between `rd->rto_loop` and `rd->rto_loop_next` during RT load balancing. No public exploit exists and this is not listed in CISA KEV; the EPSS score of 0.02% (7th percentile) confirms low real-world exploitation probability.
NULL pointer dereference in the Linux kernel's ovpn (in-kernel OpenVPN) TCP socket handling causes a local denial of service via kernel crash. The race condition - between keepalive-driven peer release and concurrent userspace socket closure via tcp_close() - allows a low-privileged local user to trigger a kernel crash when ovpn attempts to dereference a NULL sk->sk_socket pointer during socket detachment. No public exploit has been identified and EPSS stands at 0.02% (4th percentile), reflecting narrow real-world exploitability constrained by the specific configuration and timing required.
Reference leak in the Linux kernel IPVS (IP Virtual Server) subsystem allows a local low-privileged user to trigger a race condition between the netdev notifier handler and destination cache update logic, potentially causing kernel resource exhaustion. When a network device is shutting down, the FIB routing subsystem may return a valid route after ip_vs_dst_event() finishes processing, allowing that route to be cached against a closing device and leaking a device reference until the IPVS destination is removed. This is a medium-severity availability issue with no public exploit identified at time of analysis and a very low EPSS score of 0.02% (5th percentile), indicating it is not currently a prioritized exploitation target.
Local privilege-relevant memory corruption in the Linux kernel's sbs-battery power supply driver (drivers/power/supply/sbs-battery) stems from a use-after-free in power_supply_changed(). Because the driver requested its IRQ via devm_ before allocating/registering the power_supply handle, devm teardown frees the handle in reverse order while the interrupt is still live, so an SMBus battery interrupt firing during device removal (or before registration during probe) invokes power_supply_changed() on a freed or uninitialized pointer, typically crashing the system or silently corrupting memory. EPSS is negligible (0.02%, 7th percentile), no public exploit is identified, and it is not on CISA KEV; the fix is upstream-committed and shipped in multiple stable releases.
Availability impact in the Linux kernel FAT filesystem driver allows a local low-privileged user to trigger a kernel WARN_ON by mounting and operating on a corrupted FAT image with incorrect directory link counts. Specifically, rmdir unconditionally decrements the parent inode's i_nlink without first verifying it is at least 3, allowing underflow to zero on malformed images. No public exploit has been identified and the EPSS probability is 0.02% (7th percentile), but the kernel WARN_ON can cause a system crash, making the real-world availability impact high on affected systems where users can mount FAT images.
Local memory corruption affects the Linux kernel's hwmon ibmpex driver, where commit 6946c726c3f4 - intended to fix a use-after-free in the high/low sysfs store handlers - instead introduced a new race condition by setting driver data to NULL before removing sensor attributes. The remediation is a revert of that flawed commit across the 6.1, 6.6, 6.12, 6.18, and 6.19 stable trees. With EPSS at 0.02% (7th percentile), no public exploit identified at time of analysis, and no CISA KEV listing, real-world risk is minimal given the obscure IBM PowerExecutive sensor hardware the driver targets.
Bridge multicast MDB entry counter underflow in the Linux kernel's `net/bridge/br_multicast.c` allows local attackers with low privileges to trigger a kernel WARN_ON - and a system panic on hosts configured with `panic_on_warn=1` - by manipulating VLAN snooping state on a bridge interface before flushing multicast group entries. Multiple stable kernel branches are affected across all architectures that include the bridge multicast subsystem. No public exploit identified at time of analysis, with an EPSS score of 0.02% (5th percentile) confirming low exploitation probability; patches are available across kernel stable series 6.12, 6.6, 6.18, 6.19, and 7.0.
Ext4 filesystem extent-splitting logic in the Linux kernel incorrectly caches extents mid-operation, leaving stale hole entries in the in-memory extent status tree (ESTree). When a Direct I/O write partially covers a pre-allocated unwritten extent, ext4_split_extent_at() can insert an incorrect hole entry that persists uncorrected, causing space accounting errors when subsequent delayed buffer writes target the same region. No active exploitation has been confirmed (not in CISA KEV), and the EPSS score of 0.02% (7th percentile) reflects negligible real-world exploitation likelihood; this is primarily a kernel correctness and filesystem availability defect rather than a targeted attack surface.
NULL pointer dereference in the Linux kernel's cdns3 USB dual-role driver crashes the kernel when a USB OTG role switch to host mode occurs during a system resume from suspend. The host role's resume() operation calls usb_hcd_is_primary_hcd() on an xhci-hcd device whose probe has been deferred by the driver model, yielding a dereference at virtual address 0x208 and a kernel oops. Impact is limited to denial of service (system crash); no privilege escalation or data disclosure is possible. No active exploitation is confirmed (CISA KEV absent, EPSS 0.02%), and the vulnerability is practically relevant only on hardware platforms featuring the Cadence USB3 cdns3 controller.
Denial-of-service via kernel panic in the Linux kernel's greybus gb-beagleplay driver allows a local low-privileged user to crash the system by triggering an illegal sleep-in-atomic-context condition. The greybus HDLC TX path calls usleep_range() inside hdlc_append() while the tx_producer_lock spinlock is held, violating the fundamental Linux kernel rule that sleeping is forbidden in atomic context and triggering a 'BUG: scheduling while atomic' kernel oops. No public exploit has been identified at time of analysis, and EPSS at 0.02% (5th percentile) reflects the hardware-specific and local-access-only nature of this flaw. The input tag 'Information Disclosure' appears to be a misclassification - the actual impact is exclusively availability (kernel crash), consistent with the CVSS vector's A:H/C:N/I:N ratings.
Resource accounting exhaustion in the Linux kernel's inotify subsystem allows a local low-privileged user to permanently leak watch counts by repeatedly triggering a failure path in inotify_new_watch() that increments the per-namespace watch counter without a corresponding decrement. Over time this exhausts the max_user_watches limit, causing all subsequent inotify watch creation within the namespace to fail with -ENOSPC even when no watches are genuinely active, constituting a local denial-of-service against inotify-dependent applications. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects very low real-world exploitation probability with no CISA KEV listing.
Lock re-entrancy corruption in the Linux kernel's mm/page_alloc subsystem affects uniprocessor (UP/!CONFIG_SMP) builds, allowing freelist corruption that crashes the kernel. On UP kernels, spin_trylock() is a compile-time no-op that unconditionally succeeds; when alloc_frozen_pages_nolock() is invoked from NMI context, it re-enters rmqueue() and acquires the zone lock already held by the interrupted context, corrupting the page allocator's freelists. No public exploit exists and EPSS sits at the 4th percentile (0.02%), consistent with the narrow scope: only non-default UP kernel builds on specific kernel versions are affected, making this a targeted stability concern for embedded or legacy uniprocessor deployments rather than a broad production threat.
NULL pointer dereference in the Linux kernel vfio/cdx subsystem allows a local low-privileged user with access to a CDX VFIO device to crash the kernel by issuing an out-of-order ioctl sequence. Specifically, calling VFIO_DEVICE_SET_IRQS with DATA_BOOL or DATA_NONE flags before ever initializing MSI interrupts via the EVENTFD path dereferences an unallocated cdx_irqs pointer, producing a kernel panic and denial-of-service. No public exploit code exists and EPSS is 0.02%, but vendor-released patches are confirmed available across all affected stable branches.
Nested SVM virtualization in the Linux kernel KVM subsystem can leave the host hypervisor (L1) running with corrupted page-table state when CR3 restoration fails during a nested #VMEXIT. The root function nested_svm_vmexit() returns an error code that most callers silently ignore, meaning the host continues executing against corrupt address-space mappings rather than triggering the shutdown behavior mandated by the AMD Architecture Programmer's Manual. The fix injects a triple fault - mirroring real hardware behavior - and continues cleanup to avoid leaving vCPU state partially torn down. No public exploit exists and EPSS is 0.02%, but the availability impact is high for any host running nested AMD virtualization.
Memory leak in the Linux kernel's EDAC/versalnet driver (mc_probe()) results in unreleased device_node references, enabling local low-privileged users to cause kernel memory exhaustion and availability degradation on AMD/Xilinx Versal SoC systems. The root cause is a missing of_node_put() call on all exit paths of mc_probe(), with the fix applied across stable branches including 6.18.27 and 7.0.4. No public exploit or CISA KEV listing exists, and EPSS sits at 0.02% (4th percentile), reflecting minimal active exploitation risk.
Race condition in the Linux kernel's AF_ALG AEAD AIO interface allows a local low-privileged user to trigger a denial of service by exploiting shared socket-wide IV buffer state across concurrent asynchronous AEAD requests. The algif_aead subsystem fails to snapshot the Initialization Vector into per-request storage before dispatching async operations, meaning any concurrent socket activity that updates the shared IV can corrupt an in-flight request before it completes. No public exploit has been identified and EPSS is extremely low at 0.02% (7th percentile); vendor-released patches are available across all supported stable kernel branches.
Deadlock and memory leak in the Linux kernel DAMON subsystem arise from a race condition between damon_call() request registration and kdamond_fn() thread exit, affecting systems using the Data Access MONitor (DAMON) API. A local low-privileged process can trigger the race at precisely the moment a kdamond thread is terminating - causing the calling thread to wait indefinitely for a handler that has already exited, resulting in a kernel-level availability denial. No active exploitation is confirmed (EPSS 0.02%, not in CISA KEV), and the high attack complexity required to win the race significantly constrains real-world risk.
Integer overflow in the Linux kernel's device mapper mirror (dm-mirror) subsystem allows a local attacker with device mapper configuration privileges to crash the kernel via a denial-of-service condition. The flaw resides in create_dirty_log() where an unchecked unsigned addition of 2 + param_count wraps around to a small value when param_count approaches UINT_MAX, bypassing an argc bounds check and triggering out-of-bounds reads in dm_dirty_log_create(). No public exploit code exists and EPSS is exceptionally low at 0.02% (5th percentile); this CVE has not been added to the CISA KEV catalog, indicating no confirmed active exploitation at time of analysis.
Out-of-bounds MMIO read in the Linux kernel's ibmasm (IBM Advanced System Management) misc driver allows a compromised IBM service processor to read 8 bytes from unintended device registers or trigger a machine check exception (system crash) by writing an out-of-range queue reader/writer index before asserting an interrupt. The flaw resides in ibmasm_handle_mouse_interrupt() where raw readl() values are passed unchecked to get_queue_entry(), and is fixed by bounds-checking both indices against REMOTE_QUEUE_SIZE (60). No public exploit identified at time of analysis, and EPSS probability is negligible at 0.02%.
Out-of-bounds memory access in the Linux kernel's DAMON (Data Access MONitor) subsystem allows privileged local users to crash the kernel by supplying arbitrary node IDs to damos_quota_goal via DAMON_SYSFS. Affecting Linux 6.16 and fixed in 6.18.27, 7.0.4, and 7.1-rc1, the flaw stems from missing validation before si_meminfo_node()/NODE_DATA() lookups and is reproducible with the upstream 'damo' user-space tool. No public exploit identified at time of analysis and EPSS is very low at 0.02%.
The atmel-aes crypto driver in the Linux kernel leaks 3 pages of kernel memory per cleanup cycle due to a mismatch between allocation and deallocation functions: atmel_aes_buff_init() allocates 4 contiguous pages via __get_free_pages() with ATMEL_AES_BUFFER_ORDER, but atmel_aes_buff_cleanup() frees only a single page via free_page() instead of the correct free_pages(). Systems running on Atmel/Microchip ARM SoC hardware with this driver loaded are vulnerable to gradual kernel memory exhaustion leading to denial of service. No public exploit code exists and no active exploitation has been confirmed; the EPSS score of 0.02% (5th percentile) reflects the extremely narrow hardware-specific attack surface, and vendor-released patches are available across multiple stable kernel branches.
Availability degradation in the Linux kernel ALSA USB audio subsystem allows a local attacker with a crafted UAC2 USB audio device to trigger an unbounded parsing loop that holds register_mutex while repeatedly flooding the kernel log with error messages. Affected systems running snd-usb-audio on multiple stable kernel branches from 3.x through 7.0 are exposed to denial-of-service via mutex contention during USB device probe. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (6th percentile) reflects minimal threat actor interest; no CISA KEV listing exists.
Race condition in the Linux kernel memory management subsystem during large-folio migration can cause kernel availability disruption on SMP/NUMA systems. The flaw in migrate_folio_move() causes a destination folio to become visible to concurrent rmap-removal paths before being requeued onto the deferred split queue, triggering a kernel WARN in deferred_split_folio() or silently losing a folio from split_queue when the shrinker races the migration lock. With no public exploit, no CISA KEV listing, and an EPSS of 0.02%, this is a low real-world risk issue primarily relevant to HPC, virtualization, and database workloads with heavy NUMA migration activity.
NULL pointer dereference in the Linux kernel's Xilinx remoteproc (xlnx) IPI receive callback enables a local low-privileged user to crash the kernel on Xilinx SoC-based systems. The receive callback unconditionally accesses buffer information without first validating whether the message pointer is NULL, which occurs when IPI is operating in non-buffered mode. No public exploit exists and no active exploitation is confirmed; with EPSS at 0.02% (5th percentile), real-world risk is very low and hardware-specific.
Broken LBR MSR save/restore in the Linux kernel KVM/SVM subsystem allows a low-privileged local attacker to cause high-impact availability failures in virtualized environments running on AMD SVM hardware. MSR_IA32_DEBUGCTLMSR and Last Branch Record (LBR) MSRs are not enumerated by KVM_GET_MSR_INDEX_LIST and cannot be set via KVM_SET_MSRS, meaning VM state is not correctly preserved across save/restore or live migration cycles, particularly when L2 guests are running. No public exploit has been identified at time of analysis, and EPSS of 0.02% indicates very low exploitation probability, but the flaw affects a foundational hypervisor state management path on production AMD virtualization infrastructure.
Incorrect physical address conversion in the Linux kernel's mm/memfd_luo subsystem can crash the kernel when the put_folios error-cleanup path executes during memfd Live Update Object (LUO) operations. The cleanup passes a raw Page Frame Number (PFN) where kho_restore_folio() requires a phys_addr_t, and a missing sparse-hole guard (pfn==0) risks misprocessing file holes. No public exploit identified at time of analysis; EPSS of 0.02% (5th percentile) and absence from CISA KEV confirm very low real-world exploitation probability, with impact confined to local denial of service on systems running the experimental KHO/LUO subsystem.
Memory exhaustion denial-of-service in the Linux kernel's rxkad Kerberos authentication layer allows a local low-privilege attacker to leak kernel memory by repeatedly triggering error paths in rxkad_verify_response(). The vulnerability affects kernels from approximately 5.11 through all unpatched stable series prior to 6.6.140, 6.12.86, 6.18.27, and 7.0.4. No public exploit exists and EPSS sits at 0.02% (5th percentile), indicating minimal real-world exploitation likelihood; however, systems running AFS workloads with rxrpc active warrant patching at next maintenance.
Duplicate resource teardown in the Linux kernel's PCI endpoint NTB (Non-Transparent Bridge) driver causes a kernel oops when link state transitions fail or complete, enabling a local low-privileged user to crash the kernel. The `epf_ntb_epc_destroy()` helper performs teardown that its callers also execute, resulting in a double-free-class condition. No public exploit code exists and no active exploitation has been confirmed (not in CISA KEV); the EPSS score of 0.02% at the 5th percentile reflects extremely low observed exploitation probability.
Deadlock in Linux kernel DAMON (Data Access Monitor) subsystem allows a local low-privileged user or kernel code path to cause an indefinite thread hang in the mm/damon/core module via a race condition between damos_walk() request registration and kdamond_fn() exit sequencing. Systems running Linux kernels from commit bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61 through the patch commits are affected, with availability as the sole impact (CVSS C:N/I:N/A:H). No public exploit identified at time of analysis, and EPSS probability is 0.02% (5th percentile), indicating negligible real-world exploitation interest.
Cache coherency violation in the Linux kernel hwmon powerz driver allows a local low-privileged user to crash the kernel on architectures where DMA buffer cacheline aliasing with adjacent kernel structures (here, a mutex) produces undefined behavior. Affected systems must have the powerz USB hardware monitor driver loaded and the specific hardware attached. No public exploit code exists and EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation activity; nonetheless the kernel availability impact (system crash) is concrete once triggered on a vulnerable architecture.
Use-after-free in the Linux kernel ALSA caiaq USB audio driver allows local code execution when the device probe path encounters an error during setup_card(). The setup_card() function previously ignored failures from snd_card_register() and continued executing, leaving freed card structures accessible to subsequent initialization calls such as snd_usb_caiaq_control_init(). No public exploit identified at time of analysis, and EPSS is low at 0.02% (5th percentile), consistent with the local attack vector and narrow hardware-driver scope.
The ext2 filesystem driver in the Linux kernel allows a local user to trigger kernel WARN_ON panics by mounting a crafted ext2 image containing an inode with zero link count (i_nlink=0), non-zero mode, and zero deletion timestamp - a combination that bypasses the incomplete corruption check in ext2_iget() and reaches drop_nlink() in an invalid state. Discovered by the Linux Verification Center using Syzkaller fuzzing, the flaw affects Linux kernel versions from 2.6.12 through multiple stable branches and results in denial of service via kernel instability. No public exploit exists and no KEV listing; EPSS is negligible at 0.02%, consistent with the local access requirement and specialized image-crafting prerequisite.
Stack buffer overrun in the Linux kernel's pt5161l hwmon driver allows a malicious or malfunctioning I2C device to write up to 32 bytes into a 24-byte stack buffer during pt5161l_read_block_data(), corrupting kernel memory. The flaw affects Linux 6.9 through versions before the stable fixes, and a secondary bug causes the driver to process stale data as valid when retries are exhausted with a length mismatch. EPSS is very low (0.02%) and no public exploit identified at time of analysis.
The rxrpc connection-level packet handler in the Linux kernel modifies RESPONSE packet data in-place within a potentially shared sk_buff, exposing decrypted rxrpc authentication material to co-attached packet sniffers and risking kernel instability when a cloned buffer is written without unsharing. Systems running the rxrpc subsystem (primarily AFS clients and servers) from kernel 2.6.22 onward through the affected stable branches are vulnerable. No public exploit exists and EPSS sits at 0.02% (5th percentile) with no CISA KEV listing, indicating minimal real-world exploitation pressure; patches are confirmed across stable branches 6.6.140, 6.12.88, 7.0.4, 6.18.27, and 7.1-rc1.
Reference count leak in the Linux kernel SCSI disk driver (drivers/scsi/sd.c) allows a local low-privileged user to cause kernel resource exhaustion and system crash. In sd_probe(), when device_add(&sdkp->disk_dev) fails, the cleanup path correctly invokes put_device() triggering scsi_disk_release() to free the scsi_disk structure, but omits the corresponding put_disk(gd) call - leaving the gendisk object with an unreleased reference. This asymmetry with the device_add_disk() error path means repeated probe failures accumulate reference leaks that can exhaust kernel memory and deny service. No public exploit has been identified and EPSS probability is 0.02% (5th percentile), consistent with a stability fix rather than an attacker-targeted flaw.
Use-after-free in the Linux kernel's io_uring zero-copy receive (zcrx) subsystem allows local low-privileged attackers to corrupt memory and potentially escalate privileges. The flaw stems from io_free_rbuf_ring() accessing a struct user_struct after io_zcrx_ifq_free() has already released the reference, creating a UAF window. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but the bug class (UAF in io_uring) has historically been weaponized for LPE.
Out-of-bounds read in the Linux kernel's ibmasm driver allows a local low-privileged user with write access to the ibmasm command character device to leak kernel heap memory to the IBM Advanced System Management service processor and potentially destabilize the host. The flaw resides in command_file_write(), which trusts attacker-controlled command_size/data_size header fields after allocating a buffer of arbitrary count, enabling get_dot_command_size() to return a value larger than the allocation. EPSS is 0.02% and no public exploit is identified at time of analysis; the issue is not on CISA KEV.
Out-of-bounds write and data-loss bugs in the Linux kernel SLUB allocator's krealloc() function affect kernels incorporating commit 2cd8231796b5, which introduced NUMA node and alignment forcing to k[v]realloc(). A local attacker with low privileges who can trigger the krealloc_node_align() or kvrealloc() reallocation fallback path - specifically when shrinking an allocation while simultaneously forcing a new alignment or NUMA node - can cause kernel heap memory corruption leading to a system panic or silent heap object corruption. No public exploit exists beyond the lkdtm reproducer in the CVE description; EPSS stands at the 4th percentile and the vulnerability is not in CISA KEV. Vendor-released patches are confirmed available in Linux 6.18.27, 7.0.4, and 7.1-rc1.
Use-after-free in the Linux kernel's Open Firmware (OF) device tree unittest driver (testdrv_probe) allows local low-privileged attackers to corrupt memory and potentially escalate privileges. The flaw stems from an erroneous of_node_put() call that releases a device_node reference owned by the device model, which can then be dereferenced later in of_platform_default_populate(). EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a vendor patch is available.
Interrupt shadow state desynchronization in the Linux kernel KVM nSVM subsystem can hang L2 nested virtual machines on AMD-V hosts when VM state is restored in a specific ioctl ordering. Systems using KVM nested virtualization (kvm_amd with nested=1) are affected when a live migration or checkpoint-restore operation calls KVM_SET_VCPU_EVENTS before KVM_SET_NESTED_STATE, causing the interrupt shadow to be written into vmcb01 (L1 context) instead of vmcb02 (L2 context). No public exploit has been identified and EPSS is 0.02% (5th percentile), placing this squarely as a correctness and operational availability issue for nested virtualization deployments rather than a broadly exploitable security threat.
Memory exhaustion in the Linux kernel's ccree (ARM CryptoCell) driver allows a local low-privileged user to cause a denial of service by repeatedly triggering an error path in cc_mac_digest() that fails to release mapped memory. The vulnerability exists because cc_unmap_result() is not called when cc_map_hash_request_final() returns an error, causing each failed MAC digest operation to leak kernel memory. No active exploitation is confirmed; EPSS is 0.02% at the 5th percentile, consistent with a low-severity, hardware-specific kernel maintenance fix. The 'Information Disclosure' tag in the source data is inconsistent with the CVSS vector (C:N) and description - impact is availability-only.
Stale data exposure in the Linux kernel's ext4 filesystem affects systems using the dioread_nolock mount option, triggered by a flag-handling logic error in the extent-splitting code path during Direct I/O operations. When `EXT4_GET_BLOCKS_CONVERT` is incorrectly passed during a pre-I/O split of an unwritten extent, a simultaneous `-ENOSPC` failure in `ext4_split_extent_at()` causes the entire on-disk extent to be prematurely converted to written state while the in-memory extent status tree retains an inconsistent unwritten marker for the second half; if the DIO write subsequently fails, a future read of that region exposes stale pre-zero data. No public exploit has been identified at time of analysis, EPSS is 0.02% (7th percentile), and there is no CISA KEV listing, indicating no confirmed active exploitation.
NFSv4 server slot exhaustion in the Linux kernel nfsd subsystem causes persistent denial of service for NFS clients when idmap upcall delays occur during compound argument decoding. Specifically, when a SETATTR or similar compound operation triggers an idmap lookup upcall that exceeds the allowed time limit, cache_check() sets RQ_USEDEFERRAL and drops the request before nfs4svc_encode_compoundres() can execute - meaning the NFSD4_SLOT_INUSE session slot flag is never cleared. All subsequent client requests on that session slot fail with NFSERR_JUKEBOX indefinitely. No public exploit has been identified and EPSS is 0.02% (7th percentile), indicating no active exploitation pressure; this is a logic flaw with confirmed upstream patches across all major stable branches.
NULL pointer dereference in the Linux kernel's ACPICA subsystem crashes the kernel via a missed execution path in acpi_ev_address_space_dispatch(), resulting in a local denial of service. Affected systems run Linux kernel versions tracing back to commit 0acf24ad7e10f547809faefb8069f8f5482eb4d9, spanning multiple stable branches through at least 6.19.x. No public exploit exists and EPSS is negligible at 0.02% (7th percentile), but the high availability impact and wide kernel version coverage make patching prudent for any multi-tenant or availability-sensitive Linux environment.
Use-after-free and double-free conditions in the Linux kernel's s390/cio Channel I/O subsystem expose IBM Z (mainframe) systems to local denial-of-service attacks via kernel crash. The flaw resides in `css_alloc_subchannel()`, where `device_initialize()` is invoked before DMA mask configuration; if that configuration fails, the error path incorrectly calls `kfree()` directly, bypassing the kernel device model's reference counting and corrupting kernel memory. With a CVSS score of 5.5 (AV:L), an EPSS of 0.02% (7th percentile), no KEV listing, and strict hardware-architecture scope limited to s390/IBM Z, this is no public exploit identified at time of analysis and represents a low-urgency but architecturally significant stability fix.
Improper mutex cleanup in the Linux kernel's amdgpu DRM driver allows a local low-privileged user to cause a GPU subsystem denial-of-service on systems equipped with AMD GPU hardware. When kmalloc fails under low memory conditions inside amdgpu_cs_parser_bos, the error path previously returned without releasing the held mutex, leaving it permanently locked and stalling GPU command submission for all users. No public exploit exists and the vulnerability is not listed in CISA KEV; with an EPSS of 0.02% (5th percentile), real-world exploitation risk is low.
NULL pointer dereference in the Linux kernel's staging Greybus lights driver (`drivers/staging/greybus/lights.c`) causes a local denial of service via kernel panic. The flaw affects systems running Greybus-enabled kernels since commit 2870b52b (Linux 4.9 onward), where a low-privileged local user can trigger a kernel crash if `kcalloc()` fails during lights channel initialization. No public exploit exists and EPSS is 0.02% (7th percentile), reflecting niche hardware dependency; the vulnerability is not listed in CISA KEV.
Use-after-free race condition in the Linux kernel's fbnic (Facebook NIC) driver can be triggered by a local attacker to crash the system. The fw_log firmware log buffer is freed during device teardown before the mailbox IRQ is disabled, allowing a concurrent MSIX interrupt handler to dereference a freed or NULL pointer. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.02% (4th percentile) reflects very low real-world exploitation probability; the primary risk is a denial of service to systems hosting fbnic NICs.
Memory leak in the Linux kernel's amdgpu DRM driver allows a local low-privileged user to gradually exhaust kernel memory on systems equipped with AMD GPUs. The flaw exists in amdgpu_ras_init(), where a failed call to amdgpu_nbio_ras_sw_init() causes the function to return an error without freeing the previously allocated 'con' context structure, bypassing the existing release_con cleanup label. No public exploit exists and EPSS is 0.02% (5th percentile), classifying this as a low-priority maintenance fix with no confirmed active exploitation.
Race condition in the Linux kernel's ublk (userspace block device) subsystem allows a local low-privileged attacker to crash the kernel by concurrently modifying io_uring submission queue entries during kernel processing. The ublksrv_ctrl_cmd struct resides in userspace-mapped shared memory, and unguarded normal loads let a racing userspace thread corrupt the kernel's view of the command, triggering a denial-of-service condition. No public exploit exists and EPSS is 0.02%, but fixed kernel versions 6.19.4 and 7.0 are confirmed available.
Invalid leaf access in the btrfs quota subsystem of the Linux kernel allows a local low-privileged user to crash the system by triggering a denial-of-service condition in `btrfs_quota_enable()`. When `btrfs_search_slot_for_read()` returns 1 - signaling end-of-tree with no valid key found - the function fails to exit its loop and proceeds to dereference the now-invalid path pointer, causing a kernel panic. Patched versions are confirmed across multiple stable series (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, 7.0); no public exploit or CISA KEV listing exists at time of analysis.
Indefinite kernel hang in the Linux mlx5_ib RDMA driver causes denial of service during device unload when a firmware reset occurs in LAG (Link Aggregation Group) mode. The race condition leaves UMR (User Memory Registration) deregistration operations blocked forever - posted on the master NIC but awaiting completions from a slave that is already dead - deadlocking the teardown sequence and requiring a hard reboot. No public exploit has been identified, EPSS sits at 0.02% (5th percentile), and impact is confined to systems with Mellanox/NVIDIA mlx5 hardware explicitly configured in bonded LAG mode with active RDMA workloads.
Uncontrolled BPF program signature size in the Linux kernel allows a low-privileged local user to force the kernel into expensive memory allocation paths (kmalloc_large or vmalloc) by supplying an arbitrarily large signature size value to the BPF_PROG_LOAD operation. Affected kernel versions prior to 6.18.14, 6.19.4, and 7.0 are vulnerable to local denial-of-service through kernel memory exhaustion. No public exploit has been identified at time of analysis and no active exploitation is confirmed (not in CISA KEV), with an EPSS score of 0.02% (4th percentile) indicating very low automated exploitation probability.
NULL pointer dereference in the Linux kernel HID PlayStation driver crashes the kernel when force feedback (FF) effects are triggered on a PlayStation controller that experienced a silent initialization failure. Systems running Linux 5.12 through unpatched stable branches with PlayStation controllers (DualSense, DualShock 4, or compatible HID devices) attached are affected. A local low-privileged attacker who can trigger FF effects on a controller where input_ff_create_memless() returned an error can cause a kernel panic, resulting in a full system denial of service. No public exploit exists and EPSS is 0.02% (7th percentile), consistent with a niche hardware driver flaw.
Null pointer dereference in the Linux kernel's cpuidle ladder governor crashes PowerNV systems when only a single idle state is registered - the governor incorrectly indexes into state 1 as if it were the first usable non-polling state, resulting in a NULL enter callback invocation and immediate kernel panic. Systems running IBM PowerNV hardware without a power-mgt device tree node are specifically at risk, as this firmware configuration causes cpuidle to register only the polling state (state 0). No public exploit code exists and EPSS probability is 0.02% (7th percentile), reflecting this is a platform-specific availability issue rather than a broadly exploitable attack surface; it is not listed in CISA KEV.
Kernel crash (denial of service) in the Linux kernel BPF subsystem affects local low-privileged users due to a double-offset bug in the instruction array map. The `map_direct_value_addr()` function incorrectly adds the caller-supplied offset to the returned address, then `resolve_pseudo_ldimm64()` adds it a second time, resulting in an incorrect memory address that can trigger a kernel fault. No public exploit exists and the EPSS score is 0.02% (5th percentile), indicating very low opportunistic exploitation risk, but the availability impact is rated High per CVSS.
NULL pointer dereference in the Linux kernel's AppArmor LSM (`__unix_needs_revalidation()`) allows a local low-privileged user to crash the kernel, resulting in a denial of service. Introduced as a regression in kernel 6.17 with AppArmor 5.0.0, the flaw is triggered by passing file descriptors over UNIX domain sockets via SCM_RIGHTS when the receiving socket or its `sk` pointer is NULL during transient setup or teardown states. No active exploitation is confirmed (absent from CISA KEV), and EPSS sits at 0.02% (4th percentile), indicating low exploitation probability; patches are available in stable releases 6.18.14, 6.19.4, and 7.0.
Kernel NULL pointer dereference in the Linux AppArmor security module allows a local low-privileged user to crash the system by reading an apparmorfs symbolic link under a specific runtime configuration sequence. The flaw exists in rawdata_get_link_base, where profile->rawdata->name is dereferenced without first verifying that rawdata is non-NULL after a profile replacement clears it. No public exploit exists and EPSS stands at 0.02%, though the crash is fully reproducible from the conditions documented in the commit description.
Memory exhaustion in the Linux kernel's SUNRPC GSS authentication subsystem (net/sunrpc/auth_gss/auth_gss.c) allows a local low-privileged user to leak kernel memory by repeatedly triggering a specific error path where kstrdup_const() fails during gss_alloc_msg() processing, preventing gss_auth structures from ever being freed. The defect was introduced by commit 5940d1cf9f42, which added kref_get(&gss_auth->kref) without the corresponding kref_put() on the err_put_pipe_version error path when service_name is non-NULL. With EPSS at 0.02% (7th percentile), no CISA KEV listing, and no public exploit, this is a low-urgency memory management defect primarily relevant to systems running NFS with Kerberos/RPCSEC_GSS authentication.
Kernel crash via use-after-free race in the Linux kernel nau8821 ASoC audio codec driver affects systems including the Valve Steam Deck when a jack detection workqueue item executes after the driver component has been removed. The missing cancel_delayed_work_sync call in the component remove path allows nau8821_jdet_work to dereference freed kernel structures, producing a fatal page fault. No public exploit exists and EPSS is 0.02%, but any NAU8821-equipped system on kernel versions from 5.16 through pre-6.19.4 is vulnerable to local denial-of-service via kernel panic.
Out-of-bounds memory access in the Linux kernel ublk (userspace block device) subsystem allows a local low-privilege user to crash the kernel by submitting an io_uring control command without the IO_URING_F_SQE128 flag set. The root cause is that ublk_ctrl_cmd_dump() unconditionally accesses the extended cmd field of a Submission Queue Entry before ublk_ctrl_uring_cmd() validates that the SQE is 128 bytes in size, reading beyond the 64-byte standard SQE boundary. No public exploit is identified at time of analysis, and the EPSS score of 0.02% at the 7th percentile signals very low exploitation probability.
Memory leaks in the GFS2 cluster filesystem driver (fs/gfs2/) allow a local low-privileged user to exhaust kernel memory over time, producing availability degradation or denial of service on affected Linux systems. Two distinct leak paths exist in gfs2_fill_super() error handling: kernel thread objects for logd and quotad (~4480 bytes each) are not released when gfs2_freeze_lock_shared() fails after init_threads() succeeds, and a quota bitmap buffer (8192 bytes) is not freed when gfs2_make_fs_rw() fails after gfs2_quota_init() completes. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with a triggered-path defect requiring GFS2-specific failure conditions rather than opportunistic mass exploitation.
Kernel panic via reference count corruption in the Linux kernel's HFS+ filesystem driver (hfsplus) allows a local attacker with low privileges to crash the system. The function hfs_bnode_create() returns an already-hashed B-tree node without incrementing its reference count when it unexpectedly encounters a node that should not yet exist - a condition triggered by filesystem corruption or a logic error in hfs_bmap_alloc(). When hfs_bnode_put() later decrements the reference count to zero and attempts cleanup, the kernel triggers a fatal BUG_ON(!atomic_read(&node->refcnt)) assertion at bnode.c:676, causing an immediate kernel panic. No public exploit exists and EPSS is 0.02% (7th percentile), consistent with the local-only attack vector and niche trigger conditions, but the availability impact is total for affected systems.
Denial of service in the Linux kernel's RCU (Read-Copy-Update) subsystem allows a local condition to trigger an infinite recursion deadloop in rcu_read_unlock_special() when ftrace is enabled, leading to kernel hang or crash. The flaw stems from a missing recursion-protection flag when raise_softirq_irqoff() is invoked from the RCU unlock path, causing repeated re-entry through the softirq/trace stack. No public exploit identified at time of analysis and EPSS rates exploitation probability at 0.02%.
Memory leak in Linux kernel's fbdev au1200fb framebuffer driver causes resource exhaustion when the probe function encounters IRQ allocation failure. The vulnerability exists in au1200fb_drv_probe() within the au1200fb driver: when platform_get_irq() returns an error, the function returns immediately without releasing previously allocated memory, leading to kernel heap exhaustion over time. Local attackers or repeated probe failures (e.g., via hotplug events on affected MIPS-based Alchemy hardware) can deplete kernel memory, resulting in denial of service. No public exploit has been identified at time of analysis, and EPSS at 0.02% (7th percentile) confirms negligible exploitation interest.
IO deadloop in Linux kernel's md/raid5 subsystem causes complete availability loss on systems running degraded RAID5 arrays with llbitmap enabled. When llbitmap bit state is 'unwritten', the missing synchronization check in need_this_block() diverges from the check present in handle_stripe_dirtying(), trapping handle_stripe() in an infinite loop that never makes progress - effectively hanging all IO on the affected array. No public exploit is identified at time of analysis, and EPSS at 0.02% (4th percentile) reflects very low real-world exploitation probability, consistent with the narrow deployment conditions required.
Missing MTU validation in the Linux kernel fbnic Ethernet driver allows a local low-privileged user to trigger a denial of service by increasing the interface MTU after an XDP program is already attached. Increasing the MTU beyond the HDS (Header Data Split) threshold causes the fbnic hardware to fragment packets across multiple buffers; since single-buffer XDP programs cannot process multi-fragment frames, the driver silently drops them - breaking new TCP streams and discarding oversized non-TCP traffic. No public exploit exists and EPSS is 0.02% (4th percentile), placing this firmly in the low-priority tier despite its High availability rating; patches are confirmed available in Linux 6.18.14, 6.19.4, and 7.0.
Memory leak in the Linux kernel's StarFive AES crypto driver allows a local low-privileged user on affected StarFive JH7110 RISC-V hardware to exhaust kernel memory and cause a denial of service. The flaw resides in starfive_aes_aead_do_one_req(), where kzalloc()-allocated memory for rctx->adata is not freed on two distinct error paths - failures in sg_copy_to_buffer() or starfive_aes_hw_init() - resulting in unreleased heap memory each time an AEAD operation fails. No public exploit exists and EPSS is extremely low at 0.02%, consistent with a hardware-specific, analysis-discovered defect rather than an actively targeted weakness.
Use-after-free race condition in the Linux kernel hwrng (hardware random number generator) core subsystem allows a local attacker with low privileges to crash the kernel, causing a denial of service. The race occurs when hwrng_register() and hwrng_unregister() execute concurrently, leaving the hwrng_fill pointer dirty and enabling kthread_stop() to be invoked on an already-freed task_struct - confirmed in the virtrng_remove call path, making virtualized Linux environments a primary real-world attack surface. No public exploit code exists and no active exploitation (KEV) has been confirmed; the EPSS score of 0.02% reflects minimal opportunistic exploitation activity.
Memory exhaustion in the Linux kernel's ext4 filesystem driver allows a local low-privilege user to gradually degrade system availability by repeatedly triggering a kernel memory leak in ext4_ext_shift_extents(). The flaw, present since approximately kernel 3.15, causes path structures allocated by ext4_find_extent() to go unreleased when a NULL extent is encountered during fallocate shift operations. With no CISA KEV listing, an EPSS of 0.02%, and no public exploit code identified, this is a low-urgency but genuine patch priority for long-lived ext4 systems with unprivileged local users.
Memory exhaustion in the Linux kernel's drm/amdgpu driver allows a local low-privileged user on AMD GPU-equipped systems to degrade host availability by repeatedly triggering an error path in amdgpu_acpi_enumerate_xcc() that leaks kernel heap memory. The root cause is a missing free of the xcc_info structure when amdgpu_acpi_dev_init() returns -ENOMEM, identified through static analysis and code review rather than active exploitation. With EPSS at 0.02% (5th percentile) and no CISA KEV listing, this is a low-priority maintenance fix for most environments, most relevant to long-running AMD GPU compute workloads where repeated enumeration failures could accumulate leaked memory.
Use-after-free in the Linux kernel's ab8500 power supply driver (drivers/power/supply/ab8500) can be triggered during device removal or probe due to incorrect ordering of devm_-managed resource allocation. The race allows an IRQ handler to invoke power_supply_changed() against a freed or uninitialized power_supply handle, typically resulting in a kernel crash or silent memory corruption. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the flaw is not on CISA KEV.
Kernel NULL pointer dereference in the Linux EROFS compressed filesystem driver allows a local user reading from an EROFS image to crash the system. The flaw lives in z_erofs_decompress_pcluster(), where compressed folios for ztailpacking pclusters are added to I/O chains before being validated; if inline-data reading fails (notably when a fatal signal interrupts read_mapping_folio()), decompression assumes the folios are valid and dereferences a NULL pointer. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%), and the issue is not in CISA KEV.
TPM locality leak in the Linux kernel's tpm_i2c_infineon driver allows a local user on an affected system to exhaust TPM localities and render the TPM device unavailable. The tpm_tis_i2c_send() function acquires a TPM locality at entry but fails to release it when get_burstcount() times out with -EBUSY, causing a resource leak on every such timeout. Patches are available across multiple stable kernel branches; no public exploit code or active exploitation (CISA KEV) has been identified, and EPSS is 0.02% at the 7th percentile.
Kernel crash (oops) in the stmmac GMAC4 Ethernet driver causes a denial of service when split header reception is enabled. The stmmac receive path incorrectly assumes that buf2 of the first DMA descriptor is always fully populated with payload, but the GMAC4 hardware does not guarantee this in all cases. When the assumption is violated, the driver miscalculates the length of buf2 in the second descriptor, resulting in an invalid virtual address dereference deep in the DMA cache-invalidation path, crashing the kernel. No public exploit has been identified at time of analysis, and EPSS is 0.02% (4th percentile), indicating negligible opportunistic exploitation interest.
Memory leak in the Linux kernel's NI USB GPIB driver allows a local low-privileged user to exhaust kernel memory by repeatedly triggering a failed initialization path. The flaw exists in ni_usb_init(), where a writes buffer is allocated but never freed when ni_usb_setup_init() returns failure, compounding the issue with an incorrect error code (-EFAULT instead of -EINVAL). No public exploit is identified at time of analysis, and EPSS sits at 0.02%, consistent with the niche hardware driver context and local-only attack surface.
Memory corruption in the Linux kernel's pm8916_lbc power-supply driver (Qualcomm PM8916 PMIC linear battery charger) stems from a use-after-free in power_supply_changed(), where devm-managed teardown ordering lets a charger interrupt fire against a freed or not-yet-initialized power_supply handle during driver probe or removal. Local attackers able to trigger device unbind/rebind or module load/unload can crash the system or silently corrupt kernel memory. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis; the issue is not in CISA KEV.
Kernel panic in the Linux kernel's Inside Secure EIP-93 hardware crypto driver occurs during driver detach due to a loop iterator bug that causes the same hash algorithm to be unregistered multiple times. Systems equipped with Inside Secure EIP-93 cryptographic accelerator hardware and running unpatched kernels between the introducing commit (9739f5f93b78) and the fix commits are vulnerable. A local low-privileged user who can trigger driver detach - via module unload or device removal - can crash the kernel, resulting in a full system denial of service. No public exploit exists and EPSS is 0.02% (4th percentile), indicating negligible in-the-wild activity.
Use-after-free in the Linux kernel's goldfish power-supply driver (drivers/power/supply/goldfish_battery) allows a local attacker to crash the system or corrupt kernel memory by racing device probe/removal against the battery IRQ handler. The driver requested its IRQ via devm_ before registering the power_supply handle, so on teardown the handle is freed while the still-live interrupt can fire and call power_supply_changed() on freed (or, during probe, uninitialized) memory. No public exploit identified at time of analysis; EPSS is negligible (0.02%) and the bug is not in CISA KEV.
Btrfs transaction aborts in the Linux kernel allow local low-privileged users to crash the filesystem by triggering a logic defect in DUP chunk allocation that generates overlapping physical address ranges in the chunk map. Systems running btrfs with DUP metadata profiles - the default for single-device btrfs deployments - can encounter EEXIST (-17) errors in insert_dev_extents() during btrfs_create_pending_block_groups(), causing the transaction to abort and the filesystem to enter an error state. No public exploit or active exploitation (CISA KEV) has been identified; with an EPSS of 0.02% (4th percentile), this is a kernel reliability defect of operational concern to btrfs operators rather than a traditional attack vector.
Uninitialized kernel memory leaks to local users via the MCTP netlink subsystem in the Linux kernel, where RTM_GETNEIGH responses return stale kernel data in the pad bytes of ndmsg structures across link, addr, and neigh response messages. Any local user with PR:L access to the MCTP netlink interface can extract arbitrary pad-byte contents from kernel memory allocations, potentially exposing pointers, partial stack data, or remnants of prior allocations that could assist in defeating kernel address space layout randomization (KASLR). Disclosed by Syed Faraz Abrar (Zellic) and Pumpkin (DEVCORE Research Team) via Trend Micro Zero Day Initiative; no public exploit code exists and EPSS sits at the 5th percentile (0.02%), indicating negligible active exploitation at time of analysis.
Memory leak in the Linux kernel's chips-media wave5 VPU media driver allows a local low-privileged user to exhaust kernel memory, resulting in denial of service. The flaw exists in both the encoder and decoder open paths - wave5_vpu_open_enc() and wave5_vpu_open_dec() - where a VPU instance allocated via kzalloc() is not freed when the subsequent codec_info allocation fails. No public exploit exists and EPSS sits at 0.02% (5th percentile), reflecting the hardware-specific and local-only nature of this issue.
BPF map hash verification in the Linux kernel is vulnerable to a TOCTOU race condition that allows a local low-privileged attacker to bypass integrity checks enforced by trusted BPF loaders. Userspace can call BPF_OBJ_GET_INFO_BY_FD to prime the hash cache, then modify the map contents in the race window before freezing it, causing a trusted loader to verify the original (stale) hash against the silently-altered map. No active exploitation is confirmed (not in CISA KEV) and EPSS is 0.02%, but the attack's integrity impact appears understated by the published CVSS vector, which records A:H/I:N - inconsistent with a hash-bypass that enables modified code/data to be loaded as trusted.
Memory leak in the Linux kernel's Rust-language PWM subsystem allows a local low-privileged attacker to gradually exhaust kernel memory through repeated PWM chip initialization failures. The `pwmchip_alloc()` function allocates a device structure holding an initial reference that must be explicitly released via `pwmchip_put()` on error paths, but when `__pinned_init()` fails the reference is never dropped, leaking the `pwm_chip` allocation. EPSS stands at 0.02% (5th percentile) and the vulnerability is not listed in CISA KEV, indicating no known active exploitation; no public exploit code has been identified at time of analysis.
Reference leak in the Linux kernel's thermal/of subsystem allows a local low-privileged user to degrade system availability through repeated kernel resource exhaustion. The thermal_of_cm_lookup() function acquires a device_node reference via of_parse_phandle() but never releases it, causing reference counts to accumulate without bound on systems with Device Tree-based thermal configuration. No active exploitation is identified (EPSS 0.02%, 5th percentile; no CISA KEV listing), and this is a reliability and availability defect rather than a code-execution primitive; patched stable kernel versions are available across multiple maintained branches.
Improper lock release in the Linux kernel ksmbd subsystem (in-kernel SMB server) allows a local low-privileged user to trigger a deadlock by inducing error paths in `ksmbd_vfs_kern_path_locked` where `ksmbd_vfs_kern_path_end_removing()` is never called to balance the corresponding `ksmbd_vfs_kern_path_start_removing()`. Affected kernel versions span multiple stable branches from 5.15 through 6.17. No public exploit or active exploitation is known; EPSS stands at 0.02% (7th percentile), confirming low real-world exploitation probability.
Missing endpoint descriptor validation in the Linux kernel catc USB Ethernet driver allows a physically-present attacker with a crafted USB device to cause a kernel denial of service. The catc_probe() function submits URBs against hardcoded endpoint pipes (bulk on endpoint 1, interrupt on endpoint 2) without confirming that the connected device actually presents those endpoint types - a malformed device can exploit this assumption to trigger undefined behavior at the URB submission layer. No active exploitation has been confirmed (not listed in CISA KEV), and the EPSS score is extremely low at 0.02% (7th percentile), reflecting limited real-world exploitation likelihood.
Memory leak in the Linux kernel's RDMA/mlx5 subsystem allows a local low-privileged user to exhaust kernel memory by repeatedly triggering the error path in the GET_DATA_DIRECT_SYSFS_PATH uverbs handler. The flaw affects multiple stable kernel branches requiring mlx5-family InfiniBand/RDMA hardware, and was discovered through static analysis and code review rather than active exploitation. No public exploit exists and EPSS probability is 0.02% (5th percentile), indicating no public exploit or active exploitation at time of analysis.
Memory leak in the Linux kernel's MTD TP-Link SafeLoader partition parser allows a local low-privileged user to cause availability degradation on affected embedded systems. The `mtd_parser_tplink_safeloader_parse()` function omits freeing a temporary buffer `buf` on the error path when a subsequent `kmalloc()` for `parts[idx].name` fails inside the parsing loop. No public exploit exists and EPSS is negligible at 0.02% (5th percentile); this vulnerability was identified via static analysis and code review, not observed exploitation.
Local denial-of-condition in the Linux kernel ext4 filesystem driver allows an internal counter (s_dirtyclusters_counter) to be double-decremented to -1 along the block-allocation error path that triggers during filesystem shutdown, surfacing as a WARNING in ext4_put_super(). The flaw lives between ext4_mb_mark_diskspace_used() and ext4_mb_new_blocks(), where a metadata-write failure causes the dirty-clusters reservation to be released twice. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%, 7th percentile); despite the CWE-415 (double free) classification and a 7.8 CVSS, the observed effect is cluster-accounting corruption rather than demonstrated memory corruption.
An infinite self-IPI loop in the Linux kernel's real-time scheduler `rto_next_cpu()` function causes a CPU hardlockup, resulting in a complete denial of service on affected multi-CPU systems. Systems with `HAVE_RT_PUSH_IPI` enabled are vulnerable when a specific concurrent mix of CPU-bound RT tasks, non-CPU-bound RT tasks, and kernel-stuck CFS tasks triggers a race condition between `rd->rto_loop` and `rd->rto_loop_next` during RT load balancing. No public exploit exists and this is not listed in CISA KEV; the EPSS score of 0.02% (7th percentile) confirms low real-world exploitation probability.
NULL pointer dereference in the Linux kernel's ovpn (in-kernel OpenVPN) TCP socket handling causes a local denial of service via kernel crash. The race condition - between keepalive-driven peer release and concurrent userspace socket closure via tcp_close() - allows a low-privileged local user to trigger a kernel crash when ovpn attempts to dereference a NULL sk->sk_socket pointer during socket detachment. No public exploit has been identified and EPSS stands at 0.02% (4th percentile), reflecting narrow real-world exploitability constrained by the specific configuration and timing required.
Reference leak in the Linux kernel IPVS (IP Virtual Server) subsystem allows a local low-privileged user to trigger a race condition between the netdev notifier handler and destination cache update logic, potentially causing kernel resource exhaustion. When a network device is shutting down, the FIB routing subsystem may return a valid route after ip_vs_dst_event() finishes processing, allowing that route to be cached against a closing device and leaking a device reference until the IPVS destination is removed. This is a medium-severity availability issue with no public exploit identified at time of analysis and a very low EPSS score of 0.02% (5th percentile), indicating it is not currently a prioritized exploitation target.
Local privilege-relevant memory corruption in the Linux kernel's sbs-battery power supply driver (drivers/power/supply/sbs-battery) stems from a use-after-free in power_supply_changed(). Because the driver requested its IRQ via devm_ before allocating/registering the power_supply handle, devm teardown frees the handle in reverse order while the interrupt is still live, so an SMBus battery interrupt firing during device removal (or before registration during probe) invokes power_supply_changed() on a freed or uninitialized pointer, typically crashing the system or silently corrupting memory. EPSS is negligible (0.02%, 7th percentile), no public exploit is identified, and it is not on CISA KEV; the fix is upstream-committed and shipped in multiple stable releases.
Availability impact in the Linux kernel FAT filesystem driver allows a local low-privileged user to trigger a kernel WARN_ON by mounting and operating on a corrupted FAT image with incorrect directory link counts. Specifically, rmdir unconditionally decrements the parent inode's i_nlink without first verifying it is at least 3, allowing underflow to zero on malformed images. No public exploit has been identified and the EPSS probability is 0.02% (7th percentile), but the kernel WARN_ON can cause a system crash, making the real-world availability impact high on affected systems where users can mount FAT images.
Local memory corruption affects the Linux kernel's hwmon ibmpex driver, where commit 6946c726c3f4 - intended to fix a use-after-free in the high/low sysfs store handlers - instead introduced a new race condition by setting driver data to NULL before removing sensor attributes. The remediation is a revert of that flawed commit across the 6.1, 6.6, 6.12, 6.18, and 6.19 stable trees. With EPSS at 0.02% (7th percentile), no public exploit identified at time of analysis, and no CISA KEV listing, real-world risk is minimal given the obscure IBM PowerExecutive sensor hardware the driver targets.
Bridge multicast MDB entry counter underflow in the Linux kernel's `net/bridge/br_multicast.c` allows local attackers with low privileges to trigger a kernel WARN_ON - and a system panic on hosts configured with `panic_on_warn=1` - by manipulating VLAN snooping state on a bridge interface before flushing multicast group entries. Multiple stable kernel branches are affected across all architectures that include the bridge multicast subsystem. No public exploit identified at time of analysis, with an EPSS score of 0.02% (5th percentile) confirming low exploitation probability; patches are available across kernel stable series 6.12, 6.6, 6.18, 6.19, and 7.0.
Ext4 filesystem extent-splitting logic in the Linux kernel incorrectly caches extents mid-operation, leaving stale hole entries in the in-memory extent status tree (ESTree). When a Direct I/O write partially covers a pre-allocated unwritten extent, ext4_split_extent_at() can insert an incorrect hole entry that persists uncorrected, causing space accounting errors when subsequent delayed buffer writes target the same region. No active exploitation has been confirmed (not in CISA KEV), and the EPSS score of 0.02% (7th percentile) reflects negligible real-world exploitation likelihood; this is primarily a kernel correctness and filesystem availability defect rather than a targeted attack surface.
NULL pointer dereference in the Linux kernel's cdns3 USB dual-role driver crashes the kernel when a USB OTG role switch to host mode occurs during a system resume from suspend. The host role's resume() operation calls usb_hcd_is_primary_hcd() on an xhci-hcd device whose probe has been deferred by the driver model, yielding a dereference at virtual address 0x208 and a kernel oops. Impact is limited to denial of service (system crash); no privilege escalation or data disclosure is possible. No active exploitation is confirmed (CISA KEV absent, EPSS 0.02%), and the vulnerability is practically relevant only on hardware platforms featuring the Cadence USB3 cdns3 controller.