Skip to main content

Suse

9341 CVEs vendor

Monthly

CVE-2026-31706 HIGH PATCH This Week

Buffer overflow in Linux kernel's ksmbd SMB server allows authenticated remote attackers to trigger ~8 MB heap allocation from manipulated NTACL xattr values, potentially leading to memory exhaustion, information disclosure via uninitialized heap memory, or code execution. Exploitation requires low-privilege SMB authentication plus ability to corrupt backing filesystem metadata (offline xattr tampering or race condition). EPSS score of 0.02% indicates minimal observed exploitation activity. Vendor patches available across multiple stable kernel branches (6.12.84, 6.18.25, 7.0.2, 7.1-rc1).

Red Hat Suse Buffer Overflow Linux
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-31695 HIGH PATCH This Week

Use-after-free in Linux kernel virt_wifi driver allows local authenticated users to trigger memory corruption during ethtool operations on virtual WiFi devices being unregistered. The vulnerability stems from improper device parent reference handling via SET_NETDEV_DEV, where ethnl_ops_begin() calls pm_runtime_get_sync() on already-freed memory when a virt_wifi device unregisters concurrently with ethtool operations. Patches are available across multiple stable kernel branches (5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploit identified at time of analysis, though CVSS 7.8 reflects potential for complete system compromise if successfully triggered.

Red Hat Suse Memory Corruption Use After Free Information Disclosure +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43056 HIGH PATCH This Week

Use-after-free in Linux kernel's MANA network driver allows local authenticated attackers to corrupt memory and potentially execute code with kernel privileges. The flaw occurs when auxiliary_device_add() fails in add_adev(), triggering cleanup that frees memory still referenced by subsequent error-handling code. Patches available across stable kernel branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. No CISA KEV listing or public exploit identified at time of analysis.

Information Disclosure Linux Use After Free Memory Corruption Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43055 HIGH PATCH This Week

Uninitialized memory in the Linux kernel SCSI target subsystem (target_core_file) causes write operations to fail unpredictably when bogus ki_write_stream values trigger block device validation checks. Affected versions span Linux kernel 6.16 through development branches, with stable patches released for 6.18.22, 6.19.12, and 7.0. While CVSS scores this as 7.5 High with network vector (AV:N), the description indicates a local kernel subsystem issue affecting SCSI target configurations, suggesting a vector/impact mismatch. EPSS probability is very low (0.02%, 4th percentile) with no evidence of active exploitation or public POC, indicating minimal real-world targeting despite the high CVSS score.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43054 MEDIUM PATCH This Month

tcm_loop target reset handler fails to drain in-flight SCSI commands, violating SCSI error handling contract and causing LUN reference leaks that deadlock configfs LUN unlink operations. Local users with appropriate privileges can trigger denial of service by initiating reset sequences while SCSI commands are in flight, leaving the kernel in an unkillable D-state waiting for LUN reference counts to clear. This is a local denial of service affecting the SCSI target core's tcm_loop loopback driver across multiple kernel versions.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43053 MEDIUM PATCH This Month

XFS filesystem crashes during log recovery when inodes with node-format extended attributes are inactivated following an untimely log shutdown, due to stale metadata block references in the attribute B-tree. Unprivileged local attackers with write access to XFS filesystems can trigger this denial-of-service condition by inducing log shutdown during extended attribute cleanup, causing the filesystem to unmount and require repair. The vulnerability affects Linux kernel versions prior to 6.19.12 and later stable branches.

Denial Of Service Linux Red Hat Suse
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-43051 HIGH PATCH This Week

An out-of-bounds read vulnerability in the Linux kernel's Wacom HID driver (wacom_intuos_bt_irq function) allows adjacent network attackers to cause information disclosure or denial of service through maliciously crafted short Bluetooth HID reports. The vulnerability affects the Bluetooth interface of Wacom Intuos tablets, where report types 0x03 and 0x04 are processed without validating minimum lengths (22 and 32 bytes respectively), enabling memory reads beyond buffer boundaries. Patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) with no active exploitation confirmed (EPSS 0.02%, not in CISA KEV).

Buffer Overflow Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-43050 HIGH PATCH This Week

Race condition in Linux kernel ATM LEC driver allows local attackers with low privileges to trigger use-after-free memory corruption in sock_def_readable(), potentially achieving arbitrary code execution, privilege escalation, or denial of service. The flaw affects systems using ATM (Asynchronous Transfer Mode) LAN Emulation Client functionality, present since Linux kernel version 2.4 (commit 1da177e4c3f4). EPSS score of 0.02% (7th percentile) suggests low probability of mass exploitation. Vendor patches available across all maintained stable branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). Not listed in CISA KEV; no public exploit code identified at time of analysis.

Authentication Bypass Use After Free Memory Corruption Linux Red Hat +1
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-43049 HIGH PATCH This Week

Use-after-free in Linux kernel HID subsystem allows local attackers with low privileges to achieve arbitrary code execution, privilege escalation, or denial of service when force feedback initialization fails on Logitech G920 racing wheels. The vulnerability occurs when userspace continues accessing freed memory structures (sysfs and /dev/input) after initialization errors. Vendor patches available across multiple stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates very low probability of mass exploitation, consistent with hardware-specific local attack surface requiring physical device presence.

Information Disclosure Use After Free Memory Corruption Linux Red Hat +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43048 HIGH PATCH This Week

Adjacent network attackers can achieve high-severity code execution, information disclosure, or denial of service in the Linux kernel HID (Human Interface Device) subsystem by exploiting a bounds-checking flaw in hid_report_raw_event(). A bogus memset() operation intended to zero unused buffer space instead creates out-of-bounds read/write conditions when processing malformed HID input reports from adjacent devices (USB, Bluetooth). Vendor patches available for stable branches 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% suggests minimal observed exploitation, but the unauthenticated adjacent-network attack vector with low complexity makes this exploitable in environments with untrusted HID peripherals.

Information Disclosure Linux Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-43047 HIGH PATCH This Week

Out-of-bounds memory writes in Linux kernel HID multitouch driver allow local authenticated users to achieve code execution or crash systems via malicious USB/HID devices. The vulnerability exists in the HID multitouch report parsing logic where mismatched report IDs in feature requests can confuse the HID core. Vendor-released patches are available across multiple kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score is low (0.02%, 7th percentile), indicating minimal observed exploitation attempts. No public exploit code identified at time of analysis.

Linux Memory Corruption Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43046 MEDIUM PATCH This Month

Kernel denial of service via crafted btrfs metadata allowing local attackers to trigger an unguarded BUG_ON() condition during relocation recovery at mount time. The vulnerability arises when a root item on disk contains a non-zero drop_progress with zero drop_level, an invalid state that should not exist but lacks validation on read. CVSS 5.5 reflects local attack vector and availability impact; EPSS 0.02% indicates minimal real-world exploitation likelihood.

Checkpoint Ubuntu Debian Linux Information Disclosure +2
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43045 MEDIUM PATCH This Month

Memory corruption and page reference leaks in the Linux kernel mshv (Microsoft Hyper-V) module occur when pin_user_pages_fast() returns a partial pin count, which the current code incorrectly treats as success. A local authenticated attacker with privileges can trigger this vulnerability to corrupt memory or cause denial of service on systems using the mshv module, particularly in Hyper-V guest environments.

Buffer Overflow Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43044 HIGH PATCH This Week

Memory corruption in the Linux kernel CAAM (Cryptographic Acceleration and Assurance Module) crypto driver allows local authenticated users to corrupt kernel memory and potentially escalate privileges. The vulnerability occurs when HMAC keys longer than the hash block size are processed - the driver allocates a DMA-aligned buffer size but fails to use it, causing the hashed key to overwrite adjacent memory. Vendor patches are available for stable kernel versions 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43043 MEDIUM PATCH This Month

Denial of service in the Linux kernel AF_ALG crypto interface allows local authenticated attackers to trigger a NULL pointer dereference and kernel panic by sending sequential sendmsg() calls that cause scatter-gather list chain operations to fail to properly unmark SGL boundaries. The vulnerability occurs when AF_ALG allocates chained SGL structures without clearing end markers on previous entries, causing the crypto scatterwalk to encounter premature termination and dereference NULL pointers. CVSS 5.5 (AV:L/AC:L/PR:L) reflects local-only attack requirement with low complexity; EPSS 0.02% (7th percentile) indicates minimal real-world exploitation risk despite kernel panic severity.

Denial Of Service Null Pointer Dereference Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43042 HIGH PATCH This Week

Race condition in Linux kernel MPLS subsystem allows local authenticated users to trigger out-of-bounds memory access via concurrent label table resizing. The vulnerability affects RCU-protected codepaths (mpls_forward, mpls_dump_routes) that can obtain inconsistent snapshots of platform_labels array metadata during resize operations, potentially leading to information disclosure or denial of service. Vendor patch available addressing the issue through seqcount-based synchronization. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability, and no active exploitation or public POC identified.

Information Disclosure Linux Buffer Overflow Red Hat Suse
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43041 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak __radix_tree_create() allocates and links intermediate nodes into the tree one by one. If a subsequent allocation fails, the already-linked nodes remain in the tree with no corresponding leaf entry. These orphaned internal nodes are never reclaimed because radix_tree_for_each_slot() only visits slots containing leaf values. The radix_tree API is deprecated in favor of xarray. As suggested by Matthew Wilcox, migrate qrtr_tx_flow from radix_tree to xarray instead of fixing the radix_tree itself [1]. xarray properly handles cleanup of internal nodes - xa_destroy() frees all internal xarray nodes when the qrtr_node is released, preventing the leak. [1] https://lore.kernel.org/all/20260225071623.41275-1-jiayuan.chen@linux.dev/T/

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43039 CRITICAL PATCH Act Now

Remote code execution and information disclosure in Linux Kernel's TI ICSSG PRU Ethernet driver allows unauthenticated network attackers to leak kernel heap memory to userspace and potentially corrupt page_pool state. The zero-copy RX dispatch path fails to copy received packet data into newly allocated skbs, instead forwarding uninitialized heap memory up the network stack. Vendor patches available for kernel 6.19.12 and 7.0. EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity despite critical CVSS 9.8 rating and network attack vector.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43036 MEDIUM PATCH This Month

Linux kernel GSO feature check reads uninitialized IPv4 header data when processing packets from PF_PACKET paths, causing kernel memory disclosure or denial of service. The vulnerability affects multiple kernel versions before 6.12.81, 6.19.12, and 7.0, and requires local user access to trigger via raw packet injection.

Code Injection Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43034 MEDIUM PATCH This Month

A local denial of service vulnerability in the Linux kernel bnxt_en driver allows authenticated local users to crash the system by triggering an out-of-bounds array access during backing store capability queries. The vulnerability stems from incorrect use of firmware-provided type values to index fixed metadata arrays, rather than using the known loop iteration index. Exploitation requires local access and user-level privileges (PR:L), and no active exploitation has been reported.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43032 MEDIUM PATCH This Month

Denial of service in the Linux kernel NFC PN533 UART driver allows local authenticated attackers to exhaust memory by sending malformed NFC frames without valid headers, causing unbounded socket buffer growth until kernel crash. Affects Linux 5.5 through 7.0 with patches available across all maintained stable branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0); EPSS exploitation probability is minimal at 0.02%, but local privilege is required.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43031 HIGH PATCH This Week

Linux kernel axienet driver can permanently stall network transmit queues due to incorrect Byte Queue Limits (BQL) accounting when scatter-gather TX packets span multiple NAPI polls. When a multi-buffer-descriptor packet completes across different polling cycles, only partial byte counts are credited to BQL, causing the subsystem to incorrectly believe bytes remain in-flight indefinitely and halting transmission. Vendor patches available for stable branches (6.18.22, 6.19.12, 7.0). EPSS exploitation probability is 2% (4th percentile), no active exploitation confirmed, indicating low real-world targeting despite the 7.5 CVSS score.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43029 HIGH PATCH This Week

Denial of service via soft lockup in Linux kernel MPTCP (Multipath TCP) receive function allows remote unauthenticated attackers to lock up a CPU core indefinitely when applications use MSG_PEEK with MSG_WAITALL flags. The vulnerability stems from improper handling of peeked socket buffers that remain in the receive queue, causing sk_wait_data() to never actually wait and spinning in an infinite loop. EPSS score is low (0.02%, 4th percentile) indicating minimal observed exploitation probability. Vendor patches available for kernel versions 6.18.x and 6.19.x series.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43023 HIGH PATCH This Week

Race condition in the Linux kernel's Bluetooth SCO socket implementation allows local authenticated users to trigger use-after-free and memory corruption via concurrent connect() syscalls on the same socket. The vulnerability affects the sco_sock_connect() function which fails to properly serialize state checks, enabling two threads to simultaneously progress through connection setup on a socket already marked for cleanup, leading to double-free conditions and connection object leaks. Vendor-released patches are available for kernel versions 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% indicates very low observed exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis.

Information Disclosure Linux Race Condition Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43022 MEDIUM PATCH This Month

Local privilege escalation in Linux kernel Bluetooth subsystem allows authenticated local users to cause denial of service through improper resource management in hci_cmd_sync_queue_once() function. The vulnerability affects Bluetooth HCI synchronization queue handling, where the function fails to properly indicate queue item addition status, leading to potential resource leaks and system unavailability. EPSS score of 0.02% indicates minimal real-world exploitation probability despite moderate CVSS severity.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43021 MEDIUM PATCH This Month

Memory and reference leaks in the Linux kernel Bluetooth hci_sync subsystem allow local authenticated attackers to cause denial of service by triggering hci_cmd_sync_queue_once() failures without invoking the destroy callback, leading to unreclaimed resources. The vulnerability affects Linux kernel versions prior to 6.19.12 and 7.0, with EPSS score of 0.02% indicating very low real-world exploitation probability despite moderate CVSS score.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43020 HIGH PATCH This Week

Stack buffer overflow in Linux kernel Bluetooth MGMT subsystem allows local authenticated attackers to execute arbitrary code with elevated privileges. The vulnerability stems from insufficient validation of the encryption key size (enc_size) parameter when loading Long Term Keys (LTKs) via the Bluetooth management interface. When processing LE LTK requests, the kernel uses the attacker-controlled enc_size value to perform stack operations against a fixed 16-byte buffer, enabling stack corruption through oversized values. Vendor-released patches are available across all active kernel branches. EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploit has been identified at time of analysis, though the attack complexity is low once local authenticated access is obtained.

Memory Corruption Buffer Overflow Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43018 HIGH PATCH This Week

Use-after-free in Linux Kernel Bluetooth stack allows adjacent network attackers to execute arbitrary code, escalate privileges, or cause denial of service without authentication. The vulnerability exists in hci_le_remote_conn_param_req_evt where hci_conn lookup and field access occurs outside the hdev lock protection, enabling concurrent memory corruption. Patches are available across multiple stable kernel branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0). EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.

Information Disclosure Linux Memory Corruption Use After Free Red Hat +1
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-43017 MEDIUM PATCH This Month

Linux kernel Bluetooth MGMT subsystem fails to validate the advertised data length field in mesh send operations, allowing local authenticated attackers to trigger denial of service by reading beyond allocated buffer boundaries. The vulnerability affects the mesh_send() function which accepts a truncated MGMT_OP_MESH_SEND command that passes length checks but contains mismatched adv_data_len and actual payload, leading to out-of-bounds access during async mesh transmission. Patch versions include 6.6.134, 6.12.81, 6.1.168, 6.18.22, and 7.0.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43016 HIGH PATCH This Week

Use-after-free in Linux kernel's BPF sockmap implementation allows local authenticated attackers to corrupt memory and potentially execute arbitrary code with kernel privileges. The vulnerability occurs in sk_psock_verdict_data_ready() when handling AF_UNIX sockets, where sk->sk_socket can be accessed after being freed following sock_orphan(). This affects Linux kernel versions 5.15 through 6.19.12, with patches available for stable branches 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% indicates very low observed exploitation probability in the wild, and no active exploitation or public exploit code has been identified at time of analysis.

Google Information Disclosure Linux Use After Free Memory Corruption +2
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43015 HIGH PATCH This Week

Use-after-free in Linux kernel macb driver allows local authenticated attackers to cause denial of service or potentially escalate privileges during module removal. The vulnerability occurs in the PCI glue driver when platform_device_unregister() triggers a runtime resume callback that attempts to access already-freed clock structures. EPSS score is low (0.02%) with no evidence of active exploitation. Vendor patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0).

Denial Of Service Use After Free Memory Corruption Linux Red Hat +1
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43014 MEDIUM PATCH This Month

Memory leak in the MACB (Cadence Gigabit Ethernet Controller) driver allows local authenticated attackers to cause denial of service through resource exhaustion by failing to unregister fixed-rate clocks allocated during device probe, resulting in memory and clock resource depletion. EPSS exploitation probability is minimal at 0.02%, indicating low real-world risk despite CVSS score of 5.5. Patch versions are available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43013 MEDIUM PATCH This Month

Null pointer dereference in Linux kernel net/mlx5 LAG (Link Aggregation) driver allows local authenticated attackers to cause denial of service by accessing debugfs interfaces when LAG device context is invalid. The vulnerability exists in mlx5_ldev_add_debugfs() which creates debugfs entries without validating that a valid LAG context exists, exposing the members file and other interfaces that depend on a valid ldev pointer. EPSS exploitation probability is 0.02% (percentile 7%), indicating low real-world exploitation likelihood despite the vulnerability's availability for patching.

Denial Of Service Null Pointer Dereference Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43012 MEDIUM PATCH This Month

A denial of service vulnerability in the Linux kernel's mlx5 (Mellanox/NVIDIA) network driver causes a kernel panic when switchdev mode initialization fails during rollback to legacy mode. A local unprivileged user on systems with affected mlx5 hardware can trigger improper netdevice unregistration, leading to a kernel BUG at net/core/dev.c:12070 and system crash. The vulnerability affects multiple stable kernel versions; vendor-released patches are available.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43009 HIGH PATCH This Week

Linux kernel BPF verifier incorrectly prunes execution paths due to imprecise state tracking in atomic fetch operations, allowing local attackers to bypass security checks in eBPF programs. The verifier's backtracking logic fails to mark stack slots as precise when BPF_ATOMIC instructions with BPF_FETCH modify both memory and destination registers, causing two legitimately different program states to be incorrectly considered equivalent during path pruning. Vendor patches available in kernel versions 6.19.12 and 7.0. EPSS score of 0.02% (5th percentile) indicates low probability of mass exploitation, though successful exploitation grants high confidentiality, integrity, and availability impact per CVSS 7.8.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43008 MEDIUM PATCH This Month

Denial of service via null pointer dereference in Linux kernel gpio-qixis-fpga driver affects local users with limited privileges. The driver incorrectly checks for NULL return value from devm_regmap_init_mmio(), which returns ERR_PTR() on failure, allowing a local attacker with user-level privileges to trigger a kernel panic by causing improper error handling. EPSS score is low (0.02%), indicating limited exploitation probability despite CVSS 5.5 severity.

Denial Of Service Null Pointer Dereference Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43007 HIGH PATCH This Week

A use-after-free resource management flaw in the Linux kernel's Qualcomm AI accelerator (QAIC) driver allows local authenticated users to cause denial of service and potentially escalate privileges. When a DBC (Device Binding Context) owner process terminates before handling device-initiated deactivation messages, the kernel fails to release DBC resources, causing subsequent activation attempts to hang indefinitely and creating exploitable resource state inconsistencies. The vulnerability affects Linux kernel versions 6.4 through 6.19.12, with vendor patches available across multiple stable branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation or public POC has been identified.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43006 HIGH PATCH This Week

Out-of-bounds memory read in Linux kernel io_uring subsystem allows local authenticated users to leak kernel memory or trigger denial of service. The vulnerability exists in io_uring's fixed buffer import logic when registering zero-length buffer regions, causing the bvec skip logic to read beyond allocated slab memory. Patches available across stable kernel branches (6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (4th percentile) indicates low likelihood of widespread exploitation. No active exploitation confirmed (not in CISA KEV), no public POC identified at time of analysis.

Buffer Overflow Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43005 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: hwmon: (tps53679) Fix array access with zero-length block read i2c_smbus_read_block_data() can return 0, indicating a zero-length read. When this happens, tps53679_identify_chip() accesses buf[ret - 1] which is buf[-1], reading one byte before the buffer on the stack. Fix by changing the check from "ret < 0" to "ret <= 0", treating a zero-length read as an error (-EIO), which prevents the out-of-bounds array access. Also fix a typo in the adjacent comment: "if present" instead of duplicate "if".

Information Disclosure Buffer Overflow Linux Red Hat Suse
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43004 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: spi: stm32-ospi: Fix resource leak in remove() callback The remove() callback returned early if pm_runtime_resume_and_get() failed, skipping the cleanup of spi controller and other resources. Remove the early return so cleanup completes regardless of PM resume result.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31785 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: drm/xe/xe_pagefault: Disallow writes to read-only VMAs The page fault handler should reject write/atomic access to read only VMAs. Add code to handle this in xe_pagefault_service after the VMA lookup. v2: - Apply max line length (Matthew) (cherry picked from commit 714ee6754ac5fa3dc078856a196a6b124cd797a0)

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31784 MEDIUM PATCH This Month

A denial-of-service vulnerability in the Linux kernel's DRM/XE PXP (Protected Execution) driver causes an infinite loop when a restart flag is not cleared after a jump operation, allowing local authenticated users to hang or crash the system. The vulnerability affects multiple kernel versions through a logic error in the pxp_start function that was resolved in stable patches for Linux 6.18.22, 6.19.12, and 7.0.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31783 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: spi: amlogic: spifc-a4: unregister ECC engine on probe failure and remove() callback aml_sfc_probe() registers the on-host NAND ECC engine, but teardown was missing from both probe unwind and remove-time cleanup. Add a devm cleanup action after successful registration so nand_ecc_unregister_on_host_hw_engine() runs automatically on probe failures and during device removal.

Red Hat Suse Information Disclosure Linux
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31782 HIGH PATCH This Week

Out-of-bounds memory read in Linux kernel's Intel PMU (Performance Monitoring Unit) handling allows local authenticated attackers with low privileges to potentially access sensitive kernel memory, modify data, or cause system crashes. The flaw occurs when perf auto counter reload groups contain software events, triggering an unsafe container_of operation that can dereference memory outside valid bounds. EPSS exploitation probability is very low (0.02%, 4th percentile), and no public exploit or active exploitation has been identified at time of analysis. Patches available for kernel versions 6.18.22, 6.19.12, and 7.0.

Red Hat Suse Information Disclosure Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31781 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: drm/ioc32: stop speculation on the drm_compat_ioctl path The drm compat ioctl path takes a user controlled pointer, and then dereferences it into a table of function pointers, the signature method of spectre problems. Fix this up by calling array_index_nospec() on the index to the function pointer list.

Red Hat Suse Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31780 HIGH PATCH This Week

A heap buffer overflow in the Linux kernel's wilc1000 WiFi driver allows local authenticated users to trigger memory corruption via crafted SSID scan requests. The driver miscalculates buffer size due to u8 integer overflow (330 bytes wrapping to 74), causing kmalloc to allocate 75 bytes while memcpy writes up to 331 bytes - a 256-byte overflow. Patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.03% (9th percentile) suggests low likelihood of widespread exploitation, and CISA KEV does not list this CVE, indicating no confirmed active exploitation at time of analysis.

Red Hat Suse Buffer Overflow Linux Memory Corruption
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31779 HIGH PATCH This Week

Out-of-bounds read in Linux kernel iwlwifi driver allows adjacent network attackers to disclose sensitive kernel memory or trigger denial of service without authentication. The vulnerability affects the iwlwifi wireless driver's network detection match handler function, where insufficient packet length validation enables memcpy to read beyond allocated buffer boundaries. EPSS probability is low (0.02%, 7th percentile) and no active exploitation confirmed (not in CISA KEV). Vendor patches available across multiple kernel stable branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).

Red Hat Suse Buffer Overflow Linux Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-31778 HIGH PATCH This Week

Stack buffer out-of-bounds read in Linux kernel ALSA snd_usb_caiaq driver allows local authenticated users to disclose kernel stack memory and potentially trigger denial of service. The vulnerability affects systems with USB audio devices using the caiaq driver when product names contain many non-ASCII characters. Present since kernel v2.6.31-rc1 (June 2009), this 16-year-old off-by-one error lacks null terminator validation during whitespace stripping. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).

Red Hat Suse Information Disclosure Buffer Overflow Linux
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-31777 MEDIUM PATCH This Month

Denial of service in the Linux kernel ALSA ctxfi audio driver allows local authenticated attackers to crash the system via improper error handling in the daio_device_index() function. The ctxfi driver failed to validate return values from index mapping operations, enabling a local user with standard privileges to trigger an unhandled error condition that disables audio functionality or causes system instability.

Red Hat Suse Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31776 HIGH PATCH This Week

Out-of-bounds array access in Linux kernel ALSA ctxfi driver allows local authenticated users to achieve arbitrary code execution with high integrity and confidentiality impact. The flaw stems from improper SPDIF1 DAIO type handling in daio_device_index() for hw20k2 hardware, which returns -EINVAL instead of a valid index, leading to buffer overflow conditions (CWE-129). Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation activity; no CISA KEV listing or public POC identified at time of analysis.

Red Hat Suse Buffer Overflow Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31775 MEDIUM PATCH This Month

Denial of service in Linux kernel ALSA ctxfi audio driver allows local authenticated attackers to crash the system via improper SPDIF1 enumeration during DAIO initialization on hw20k2 hardware. The vulnerability affects kernel versions 6.19 through 7.0 due to a refactoring that loops over all DAIO types including the hw20k2-incompatible SPDIF1 entry, triggering a kernel crash when the undefined hardware info is accessed. Patch available from Linux stable repositories.

Red Hat Suse Denial Of Service Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31774 HIGH PATCH This Week

Integer overflow in Linux kernel io_uring subsystem allows local authenticated users to trigger slab-out-of-bounds memory reads and denial of service. The vulnerability stems from improper type casting of user-supplied length values in network bundled receive/send operations, where values exceeding INT_MAX cause negative overflow leading to infinite loops and out-of-bounds array access. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. Vendor patches available for affected stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0), making this a straightforward patching priority for systems running vulnerable versions with io_uring enabled.

Red Hat Suse Denial Of Service Buffer Overflow Linux +1
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-31773 HIGH PATCH This Week

Incorrect authentication labeling in Linux kernel's Bluetooth SMP legacy pairing allows adjacent attackers to bypass security controls and gain high-level access without proper authentication. The flaw affects the Short Term Key (STK) derivation in Just Works/Confirm pairing modes, where keys are incorrectly marked as authenticated even when Man-in-the-Middle (MITM) protection was not established. With CVSS 8.8 (AV:A/AC:L/PR:N/UI:N), this enables adjacent network attackers to exploit Bluetooth pairing flows without authentication. EPSS score of 0.05% suggests low widespread exploitation likelihood. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).

Red Hat Suse Information Disclosure Linux
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-31772 HIGH PATCH This Week

Stack buffer overflow in Linux kernel Bluetooth subsystem allows local authenticated attackers to achieve code execution, privilege escalation, or denial of service through malformed ISO socket parameters. The vulnerability occurs when binding an ISO Bluetooth socket with up to 31 BIS entries while the hci_le_big_create_sync() function only allocates stack space for 17 entries, resulting in a 14-byte overflow that corrupts adjacent stack memory. Patches are available across multiple kernel versions (6.12.81, 6.18.22, 6.19.12, 7.0), with EPSS indicating 0.02% exploitation probability and no active exploitation confirmed.

Red Hat Suse Buffer Overflow Linux Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31771 HIGH PATCH This Week

Out-of-bounds memory read in Linux kernel Bluetooth HCI event processing allows adjacent network attackers to disclose kernel memory or trigger denial of service without authentication. The vulnerability stems from premature wake reason storage before per-event payload length validation, enabling crafted short HCI event frames to reach bacpy() operations before bounds checking. EPSS score is low (0.02%, 6th percentile) with no evidence of active exploitation or public POC at time of analysis. Vendor patches available for kernel versions 5.10+ through 6.19.12 and mainline 7.0.

Red Hat Suse Information Disclosure Linux
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-31770 MEDIUM PATCH This Month

Denial of service via divide-by-zero crash in the hwmon OCC (On-Chip Controller) power monitoring driver affects Linux kernels when the power sensor is queried before initial data samples are collected, typically during early boot. Local attackers with unprivileged user privileges can trigger a kernel panic by accessing the affected sysfs power attribute, causing system availability impact. CVSS 5.5 reflects local attack vector and low complexity; EPSS 0.02% indicates low real-world exploitation probability despite the straightforward trigger condition.

Red Hat Suse Denial Of Service Linux
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31769 HIGH PATCH This Week

Use-after-free in Linux kernel GPIB subsystem allows local authenticated attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability occurs in IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers when concurrent IBCLOSEDEV calls free descriptors still in use by I/O operations. EPSS probability is very low (0.02%, 4th percentile), indicating minimal observed exploitation activity. Vendor patches available for stable branches 6.18.22, 6.19.12, and mainline 7.0 via commits cae26eff, 28c75dd1, and d1857f82.

Red Hat Suse Authentication Bypass Linux Use After Free +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31767 MEDIUM PATCH This Month

Division-by-zero denial of service in Linux kernel's Intel i915 DRM driver when loading on certain machines with DSC (Display Stream Compression) enabled in command mode. The driver incorrectly applies horizontal timing adjustments based on compression ratio in command mode, causing line_time_us to become zero and triggering a kernel panic. Affects Linux kernel versions 5.6 and later; patch available via stable kernel releases.

Red Hat Suse Huawei Microsoft Information Disclosure +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31766 HIGH PATCH This Week

Integer overflow in AMD GPU driver's user queue doorbell handling allows local authenticated users to corrupt kernel memory and potentially escalate privileges. The amdgpu driver fails to validate user-supplied doorbell_offset values before calculating buffer offsets, enabling out-of-bounds writes to kernel doorbell space. Patches available in Linux 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% (4th percentile) indicates low probability of mass exploitation, though CVSS 7.1 reflects serious local privilege escalation potential. No active exploitation confirmed; attack requires local authenticated access to systems with AMD GPU hardware.

Red Hat Suse Buffer Overflow Linux
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-31765 MEDIUM PATCH This Month

Kernel NULL pointer dereference in AMD GPU driver on systems with 64KB page sizes allows local authenticated attackers to crash the system by triggering memory allocation mismatches between reserved trap area (8KB) and required allocation size (128KB) during GPU memory initialization. The vulnerability affects systems running ROCm workloads and causes denial of service when executing rocminfo or rccl unit tests on IBM POWER10 and similar 64K-page architectures. EPSS exploitation probability is very low (0.02%), and no public exploit code or active in-the-wild exploitation has been identified.

Red Hat Suse Denial Of Service Null Pointer Dereference Amd +2
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31764 HIGH PATCH This Week

Out-of-bounds array access in the st_lsm6dsx IMU driver allows local authenticated users with low privileges to achieve high-impact code execution, data disclosure, or denial of service. The vulnerability exists in the buffer sampling frequency sysfs handler, which fails to validate sensor type before indexing a 2-entry array with sensor IDs beyond accelerometer and gyroscope. Exploitation requires write access to sysfs attributes for non-standard sensor types in the driver. EPSS exploitation probability is very low (0.02%, 5th percentile), no active exploitation confirmed, and vendor patches are available for Linux 6.19.12 and 7.0.

Red Hat Suse Buffer Overflow Linux
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31763 MEDIUM PATCH This Month

Denial of service in the Linux kernel's mpu3050 gyroscope driver allows local authenticated attackers to crash the system via incorrect IRQ handler cleanup during module unload. A mismatch between the registered IRQ handler (mpu3050->trig) and the handler passed to free_irq() (mpu3050) causes improper cleanup, leading to resource leaks and potential kernel panic when the device is removed or the driver is unloaded. No public exploit code identified; patch available across affected kernel series.

Red Hat Suse Information Disclosure Linux
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31762 MEDIUM PATCH This Month

Resource leak in the Linux kernel MPU3050 gyro driver allows local authenticated users to cause denial of service through memory exhaustion by repeatedly triggering iio_trigger_register() failures that fail to release previously allocated interrupt handlers. The vulnerability affects multiple kernel versions and requires local access with unprivileged user privileges, resulting in potential system availability impact with low real-world exploitation likelihood (EPSS 0.02%).

Red Hat Suse Information Disclosure Linux
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31760 MEDIUM PATCH This Month

Memory leak in the Linux kernel's GPIB lpvo_usb driver allows local authenticated users to cause a denial of service through resource exhaustion by repeatedly connecting and disconnecting USB devices, as the driver fails to release USB device references during interface enumeration. The EPSS score of 0.02% indicates minimal real-world exploitation risk despite the moderate CVSS 5.5 severity, reflecting the combination of local-only access requirement, authentication need, and the niche nature of GPIB USB device usage.

Red Hat Suse Information Disclosure Linux
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31759 HIGH PATCH This Week

Double-free memory corruption in Linux kernel USB ULPI subsystem allows local authenticated attackers with low privileges to potentially achieve arbitrary code execution, denial of service, or information disclosure. The flaw exists in ulpi_register_interface() error handling since kernel 4.2 (commit 289fcff4b), where device_register() failure triggers cleanup via put_device() followed by redundant kfree(), corrupting kernel memory. Patches available across stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% suggests low likelihood of mass exploitation despite high CVSS 7.8, likely due to local attack vector and requirement for device registration failure conditions.

Red Hat Suse Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31758 HIGH PATCH This Week

Use-after-free condition in Linux kernel USB Test and Measurement Class (USBTMC) driver allows local authenticated attackers to execute arbitrary code with elevated privileges. The vulnerability occurs when the usbtmc_release function fails to properly flush pending anchored URBs, leaving dangling references that can be exploited in the HCD giveback path. Vendor patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0). Despite the high CVSS score of 7.8, the EPSS exploitation probability is very low at 0.02% (7th percentile), indicating limited real-world targeting, and no active exploitation or public POC has been identified.

Red Hat Suse Information Disclosure Linux Use After Free +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31757 MEDIUM PATCH This Month

A memory leak in the Linux kernel's USB misc usbio driver allows local attackers with low privileges to cause a denial of service by exhausting kernel memory through repeated USB device probe failures. The vulnerability arises when usb_submit_urb() fails during device initialization, leaving allocated URB structures unreleased and accumulating with each failed probe attempt.

Red Hat Suse Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31756 MEDIUM PATCH This Month

Denial of service in Linux kernel USB dwc2 gadget driver allows local authenticated users to trigger a deadlock via improper spin lock handling in dwc2_hsotg_udc_stop(). The vulnerability stems from a locking protocol violation where dwc2_gadget_exit_clock_gating() expects a held lock but is called without one, causing spin_unlock on an unheld lock followed by a lock held indefinitely, resulting in system hang. No public exploit code identified at time of analysis.

Red Hat Suse Information Disclosure Linux
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31754 MEDIUM PATCH This Month

A denial of service condition in the Linux kernel's Cadence USB3 (cdns3) gadget driver occurs when gadget initialization fails, leaving the DRD hardware in gadget mode while software state remains inactive. Switching the device to USB host mode via sysfs triggers a synchronous external abort in the xHCI host controller setup, causing a kernel crash. Local authenticated users with access to the USB role-switch sysfs interface can trigger this condition, affecting Linux kernel versions 5.4 through current releases. A patch is available from the Linux kernel project.

Red Hat Suse Denial Of Service Linux
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31753 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: auxdisplay: line-display: fix NULL dereference in linedisp_release linedisp_release() currently retrieves the enclosing struct linedisp via to_linedisp(). That lookup depends on the attachment list, but the attachment may already have been removed before put_device() invokes the release callback. This can happen in linedisp_unregister(), and can also be reached from some linedisp_register() error paths. In that case, to_linedisp() returns NULL and linedisp_release() dereferences it while freeing the display resources. The struct device released here is the embedded linedisp->dev used by linedisp_register(), so retrieve the enclosing object directly with container_of() instead.

Red Hat Suse Denial Of Service Null Pointer Dereference Linux
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31751 MEDIUM PATCH This Month

Denial of service in the Linux kernel comedi dt2815 driver allows local authenticated users to crash the system by attaching the driver to arbitrary I/O addresses without actual hardware present via the COMEDI_DEVCONFIG ioctl. The vulnerability occurs when outb() operations are performed on non-existent hardware, triggering page faults under race conditions. A patch adding hardware detection via status register reads prevents the crash.

Red Hat Suse Denial Of Service Race Condition Linux
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-31750 MEDIUM PATCH This Month

Memory leak in Linux kernel comedi subsystem allows local privileged users to exhaust kernel memory and cause denial of service. The vulnerability exists in do_cmd_ioctl() where chanlist memory is not properly freed when runflags is not set following an exceptional exit, due to incomplete reference counting logic introduced in commit 4e1da516debb. CVSS 5.5 (local, low complexity, requires user privilege) with EPSS 0.02% indicates this is a lower-priority local DoS affecting systems with comedi driver loaded and untrusted local users.

Red Hat Suse Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31749 MEDIUM PATCH This Month

Null pointer dereference and invalid I/O port writes in the Linux kernel's comedi ni_atmio16d driver occur when the device attach handler fails, causing the detach handler to call reset_atmio16d() with uninitialized device state. Local privileged attackers can trigger a denial of service by causing attach to fail, resulting in kernel memory access violations or writes to address zero. No public exploit code or active exploitation has been identified; patch versions are available from the Linux kernel stable branches.

Red Hat Suse Denial Of Service Null Pointer Dereference Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31748 HIGH PATCH This Week

Buffer overflow in Linux kernel COMEDI me_daq driver allows local authenticated users to achieve arbitrary code execution with kernel privileges. The me2600_xilinx_download() function fails to validate firmware file length before reading data streams, enabling out-of-bounds memory access during firmware loading operations. Patches available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates low probability of widespread exploitation despite high CVSS 7.8 rating, and no active exploitation or public exploit code identified at time of analysis.

Red Hat Suse Memory Corruption Buffer Overflow Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31747 HIGH PATCH This Week

Out-of-bounds write in Linux kernel comedi me4000 driver firmware loader allows local authenticated users to achieve high-impact code execution, data corruption, or system crash. The me4000_xilinx_download() function blindly trusts firmware file format headers without validating buffer boundaries, reading a length field from the first 4 bytes and then reading that many bytes from offset 16 without checking total file size. Patch available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating. No public exploit code or active exploitation confirmed.

Red Hat Suse Memory Corruption Buffer Overflow Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31746 MEDIUM PATCH This Month

Memory leak in Linux kernel s390/zcrypt subsystem allows local authenticated attackers to exhaust memory resources by repeatedly using CCA cards as accelerators for clear key RSA requests (ME and CRT operations). The vulnerability stems from incomplete refactoring where AP message allocations via ap_init_apmsg() are not properly freed in two code paths, causing heap memory exhaustion over time and enabling denial of service on s390 systems with CCA cryptographic hardware.

Red Hat Suse Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31745 HIGH PATCH This Week

Double-free memory corruption in the Linux kernel reset-gpio subsystem allows local authenticated users to escalate privileges or crash the system. The vulnerability exists in reset_add_gpio_aux_device() error handling since commit 5fc4e4cf7a22, where auxiliary_device_uninit() triggers a release callback that frees memory, but the error path then calls kfree() on the same pointer. Patches available for kernel versions 6.19.12+ and 7.0+. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. Not listed in CISA KEV; no public exploit identified at time of analysis.

Red Hat Suse Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31744 MEDIUM PATCH This Month

Denial of service in Linux kernel energy model netlink handler allows local authenticated attackers to crash the system via NULL pointer dereference when requesting non-existent performance domain IDs. The dev_energymodel_nl_get_perf_domains_doit() function fails to validate the return value from em_perf_domain_get_by_id() before dereferencing the performance domain structure, causing immediate kernel panic when an invalid domain ID is supplied. EPSS exploitation probability is very low (0.02%, 5th percentile), and no public exploit code or active exploitation has been identified.

Red Hat Suse Denial Of Service Null Pointer Dereference Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31743 HIGH PATCH This Week

Memory corruption in the Linux kernel zynqmp_nvmem driver allows local authenticated users to achieve privilege escalation through undersized DMA buffer exploitation. The vulnerability stems from incorrect buffer size calculations in dma_alloc_coherent and memcpy operations, enabling heap or memory corruption that can lead to complete system compromise. With a 7.8 CVSS score but only 0.02% EPSS (5th percentile), this represents a high-severity issue affecting specific Xilinx Zynq UltraScale+ deployments rather than a widespread exploitation target. Patches available across multiple stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0) with upstream fixes confirmed in git commits.

Red Hat Suse Buffer Overflow Linux Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31742 HIGH PATCH This Week

Memory corruption in the Linux kernel virtual terminal (vt) subsystem allows local authenticated users to trigger kernel crashes and potentially escalate privileges. When a console switches to an alternate screen and then gets resized, the saved Unicode buffer retains stale dimensions. Upon returning to the primary screen, operations like screen clearing (csi_J) access memory out of bounds using current dimensions against the old buffer, causing kernel oops. EPSS exploitation probability is low (0.02%, 4th percentile), no active exploitation confirmed, but vendor patches are available across multiple stable kernel branches (5.x, 6.18.x, 6.19.x).

Red Hat Suse Information Disclosure Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31741 MEDIUM PATCH This Month

Denial of service via runtime PM usage count underflow in the rz-mtu3-cnt counter driver allows local privileged users to disable hardware counters and trigger kernel warnings by repeatedly writing to the sysfs enable file. Multiple writes of the same value (0 or 1) to the enable attribute cause the runtime PM reference count to become misaligned with actual hardware state, leading to register access with clocks disabled and potential PWM channel conflicts. EPSS exploitation probability is minimal (0.02%) despite local access requirement, indicating this is primarily a local reliability issue rather than a remote attack vector.

Red Hat Suse Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31740 MEDIUM PATCH This Month

Denial of service in Linux kernel counter driver (rz-mtu3-cnt) allows local attackers with low privileges to crash the system by exploiting a race condition where counter and PWM sub-drivers overwrite a shared device pointer, causing incorrect runtime power management operations. The vulnerability affects kernel versions prior to specific patch levels across the 6.x and 7.x branches, with EPSS exploitation probability of 0.02% indicating low real-world exploitation likelihood despite the availability of a vendor patch.

Red Hat Suse Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31739 HIGH PATCH This Week

Missing CRYPTO_ALG_ASYNC flag in Linux kernel's Tegra crypto driver causes the crypto API to incorrectly select asynchronous algorithms for synchronous-only requests, resulting in system crashes. This affects Tegra-based Linux systems (typically NVIDIA Jetson devices) running kernel versions 6.10 through early 7.0 development branches. Vendor patches are available across stable branches (6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation probability, and no active exploitation or public POC has been identified. The CVSS vector (AV:N/AC:L/PR:L/UI:N) suggests network-based exploitation requiring authenticated access, though this conflicts with the technical nature of a local driver configuration bug.

Red Hat Suse Denial Of Service Linux
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-31738 MEDIUM PATCH This Month

Denial of service in Linux kernel VXLAN module allows local authenticated attackers to crash the system via malformed IPv6 neighbor discovery options in vxlan_na_create(). A crafted ND option with incorrect length values can cause out-of-bounds access or undersized payload reads, triggering a kernel panic. EPSS exploitation probability is low at 0.02%, but the vulnerability is confirmed patched across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12).

Red Hat Suse Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31736 MEDIUM PATCH This Month

Denial of service via NULL pointer dereference in the MediaTek Ethernet PPE (packet processing engine) driver occurs when gmac0 (the primary ethernet interface) is disabled on affected systems. A local authenticated attacker can trigger a kernel crash by sending traffic through the networking stack when the driver incorrectly checks for a valid ingress device without verifying if the first network device pointer is actually initialized. The vulnerability affects Linux kernel versions prior to fixes released in stable branches 6.18.22, 6.12.81, 6.19.12, and 7.0.

Red Hat Suse Denial Of Service Null Pointer Dereference Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31735 HIGH PATCH This Week

Linux kernel IOMMU page table unmapping operations fail to invalidate extended memory regions when unmapping lands mid-entry in large/contiguous mappings, causing stale TLB entries. Affects kernel 6.19 through pre-7.0 versions with IOMMU subsystem enabled. Local authenticated attackers with low privileges can potentially access unmapped memory or escalate privileges by exploiting incomplete invalidations during IOMMU unmap operations. EPSS score of 0.02% (5th percentile) suggests minimal real-world exploitation likelihood. No public exploit identified at time of analysis, though vendor acknowledges theoretical risk is low as 'nothing relies on unmapping a large entry.' Vendor-released patches available for stable branches.

Red Hat Suse Information Disclosure Linux
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-31734 MEDIUM PATCH This Month

Denial of service in Linux kernel scheduler extension (sched_ext) allows local privileged attackers to crash systems by triggering incorrect task migration validation. The vulnerability exists in the is_bpf_migration_disabled() function, which fails to correctly identify migration-disabled tasks on non-PREEMPT_RCU configurations, potentially dispatching such tasks to remote CPUs and triggering kernel errors in task_can_run_on_remote_rq(). EPSS exploitation probability is very low at 0.02%, but CVSS 5.5 indicates local attackers with standard user privileges can cause denial of service.

Red Hat Suse Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31733 MEDIUM PATCH This Month

A denial of service condition in the Linux kernel scheduler extension (sched_ext) subsystem allows local authenticated attackers to trigger a kernel warning and potential crash via improper handling of stale direct dispatch state in the ddsp_dsq_id field. When a task's direct dispatch verdict is not properly cleared across all code paths that consume or cancel such verdicts, a subsequent wakeup operation calling ops.select_cpu() with scx_bpf_dsq_insert() triggers a spurious WARN_ON_ONCE() in mark_direct_dispatch(), exposing the availability impact of the vulnerability. The issue affects Linux kernels with sched_ext enabled and requires local access with low privilege (non-root user capable of triggering task scheduling operations).

Red Hat Suse Authentication Bypass Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31731 HIGH PATCH This Week

Use-after-free in Linux kernel thermal subsystem allows local attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability stems from race conditions between thermal zone removal and power management resume operations, where delayed work items can continue executing after thermal zone objects are freed. EPSS score of 0.02% (5th percentile) suggests low probability of mass exploitation despite high CVSS severity. Vendor patches available across multiple stable kernel branches (6.12.83, 6.18.22, 6.19.12, 7.0) via upstream commits. No active exploitation confirmed in CISA KEV at time of analysis.

Red Hat Suse Information Disclosure Use After Free Memory Corruption +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31730 HIGH PATCH This Week

Double-free memory corruption in the Linux kernel's fastrpc driver allows local attackers with low privileges to achieve high-impact code execution, privilege escalation, or denial of service. The vulnerability occurs when fastrpc_init_create_static_process() fails to nullify a freed heap pointer (cctx->remote_heap) in its error path, enabling fastrpc_rpmsg_remove() to free the same memory twice during device removal. Patches available across kernel versions 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% indicates low observed exploitation probability, with no active exploitation confirmed at time of analysis.

Red Hat Suse Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Buffer overflow in Linux kernel's ksmbd SMB server allows authenticated remote attackers to trigger ~8 MB heap allocation from manipulated NTACL xattr values, potentially leading to memory exhaustion, information disclosure via uninitialized heap memory, or code execution. Exploitation requires low-privilege SMB authentication plus ability to corrupt backing filesystem metadata (offline xattr tampering or race condition). EPSS score of 0.02% indicates minimal observed exploitation activity. Vendor patches available across multiple stable kernel branches (6.12.84, 6.18.25, 7.0.2, 7.1-rc1).

Red Hat Suse Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel virt_wifi driver allows local authenticated users to trigger memory corruption during ethtool operations on virtual WiFi devices being unregistered. The vulnerability stems from improper device parent reference handling via SET_NETDEV_DEV, where ethnl_ops_begin() calls pm_runtime_get_sync() on already-freed memory when a virt_wifi device unregisters concurrently with ethtool operations. Patches are available across multiple stable kernel branches (5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploit identified at time of analysis, though CVSS 7.8 reflects potential for complete system compromise if successfully triggered.

Red Hat Suse Memory Corruption +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel's MANA network driver allows local authenticated attackers to corrupt memory and potentially execute code with kernel privileges. The flaw occurs when auxiliary_device_add() fails in add_adev(), triggering cleanup that frees memory still referenced by subsequent error-handling code. Patches available across stable kernel branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. No CISA KEV listing or public exploit identified at time of analysis.

Information Disclosure Linux Use After Free +3
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Uninitialized memory in the Linux kernel SCSI target subsystem (target_core_file) causes write operations to fail unpredictably when bogus ki_write_stream values trigger block device validation checks. Affected versions span Linux kernel 6.16 through development branches, with stable patches released for 6.18.22, 6.19.12, and 7.0. While CVSS scores this as 7.5 High with network vector (AV:N), the description indicates a local kernel subsystem issue affecting SCSI target configurations, suggesting a vector/impact mismatch. EPSS probability is very low (0.02%, 4th percentile) with no evidence of active exploitation or public POC, indicating minimal real-world targeting despite the high CVSS score.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

tcm_loop target reset handler fails to drain in-flight SCSI commands, violating SCSI error handling contract and causing LUN reference leaks that deadlock configfs LUN unlink operations. Local users with appropriate privileges can trigger denial of service by initiating reset sequences while SCSI commands are in flight, leaving the kernel in an unkillable D-state waiting for LUN reference counts to clear. This is a local denial of service affecting the SCSI target core's tcm_loop loopback driver across multiple kernel versions.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

XFS filesystem crashes during log recovery when inodes with node-format extended attributes are inactivated following an untimely log shutdown, due to stale metadata block references in the attribute B-tree. Unprivileged local attackers with write access to XFS filesystems can trigger this denial-of-service condition by inducing log shutdown during extended attribute cleanup, causing the filesystem to unmount and require repair. The vulnerability affects Linux kernel versions prior to 6.19.12 and later stable branches.

Denial Of Service Linux Red Hat +1
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

An out-of-bounds read vulnerability in the Linux kernel's Wacom HID driver (wacom_intuos_bt_irq function) allows adjacent network attackers to cause information disclosure or denial of service through maliciously crafted short Bluetooth HID reports. The vulnerability affects the Bluetooth interface of Wacom Intuos tablets, where report types 0x03 and 0x04 are processed without validating minimum lengths (22 and 32 bytes respectively), enabling memory reads beyond buffer boundaries. Patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) with no active exploitation confirmed (EPSS 0.02%, not in CISA KEV).

Buffer Overflow Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Race condition in Linux kernel ATM LEC driver allows local attackers with low privileges to trigger use-after-free memory corruption in sock_def_readable(), potentially achieving arbitrary code execution, privilege escalation, or denial of service. The flaw affects systems using ATM (Asynchronous Transfer Mode) LAN Emulation Client functionality, present since Linux kernel version 2.4 (commit 1da177e4c3f4). EPSS score of 0.02% (7th percentile) suggests low probability of mass exploitation. Vendor patches available across all maintained stable branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). Not listed in CISA KEV; no public exploit code identified at time of analysis.

Authentication Bypass Use After Free Memory Corruption +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel HID subsystem allows local attackers with low privileges to achieve arbitrary code execution, privilege escalation, or denial of service when force feedback initialization fails on Logitech G920 racing wheels. The vulnerability occurs when userspace continues accessing freed memory structures (sysfs and /dev/input) after initialization errors. Vendor patches available across multiple stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates very low probability of mass exploitation, consistent with hardware-specific local attack surface requiring physical device presence.

Information Disclosure Use After Free Memory Corruption +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Adjacent network attackers can achieve high-severity code execution, information disclosure, or denial of service in the Linux kernel HID (Human Interface Device) subsystem by exploiting a bounds-checking flaw in hid_report_raw_event(). A bogus memset() operation intended to zero unused buffer space instead creates out-of-bounds read/write conditions when processing malformed HID input reports from adjacent devices (USB, Bluetooth). Vendor patches available for stable branches 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% suggests minimal observed exploitation, but the unauthenticated adjacent-network attack vector with low complexity makes this exploitable in environments with untrusted HID peripherals.

Information Disclosure Linux Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds memory writes in Linux kernel HID multitouch driver allow local authenticated users to achieve code execution or crash systems via malicious USB/HID devices. The vulnerability exists in the HID multitouch report parsing logic where mismatched report IDs in feature requests can confuse the HID core. Vendor-released patches are available across multiple kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score is low (0.02%, 7th percentile), indicating minimal observed exploitation attempts. No public exploit code identified at time of analysis.

Linux Memory Corruption Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel denial of service via crafted btrfs metadata allowing local attackers to trigger an unguarded BUG_ON() condition during relocation recovery at mount time. The vulnerability arises when a root item on disk contains a non-zero drop_progress with zero drop_level, an invalid state that should not exist but lacks validation on read. CVSS 5.5 reflects local attack vector and availability impact; EPSS 0.02% indicates minimal real-world exploitation likelihood.

Checkpoint Ubuntu Debian +4
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory corruption and page reference leaks in the Linux kernel mshv (Microsoft Hyper-V) module occur when pin_user_pages_fast() returns a partial pin count, which the current code incorrectly treats as success. A local authenticated attacker with privileges can trigger this vulnerability to corrupt memory or cause denial of service on systems using the mshv module, particularly in Hyper-V guest environments.

Buffer Overflow Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Memory corruption in the Linux kernel CAAM (Cryptographic Acceleration and Assurance Module) crypto driver allows local authenticated users to corrupt kernel memory and potentially escalate privileges. The vulnerability occurs when HMAC keys longer than the hash block size are processed - the driver allocates a DMA-aligned buffer size but fails to use it, causing the hashed key to overwrite adjacent memory. Vendor patches are available for stable kernel versions 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in the Linux kernel AF_ALG crypto interface allows local authenticated attackers to trigger a NULL pointer dereference and kernel panic by sending sequential sendmsg() calls that cause scatter-gather list chain operations to fail to properly unmark SGL boundaries. The vulnerability occurs when AF_ALG allocates chained SGL structures without clearing end markers on previous entries, causing the crypto scatterwalk to encounter premature termination and dereference NULL pointers. CVSS 5.5 (AV:L/AC:L/PR:L) reflects local-only attack requirement with low complexity; EPSS 0.02% (7th percentile) indicates minimal real-world exploitation risk despite kernel panic severity.

Denial Of Service Null Pointer Dereference Linux +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Race condition in Linux kernel MPLS subsystem allows local authenticated users to trigger out-of-bounds memory access via concurrent label table resizing. The vulnerability affects RCU-protected codepaths (mpls_forward, mpls_dump_routes) that can obtain inconsistent snapshots of platform_labels array metadata during resize operations, potentially leading to information disclosure or denial of service. Vendor patch available addressing the issue through seqcount-based synchronization. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability, and no active exploitation or public POC identified.

Information Disclosure Linux Buffer Overflow +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak __radix_tree_create() allocates and links intermediate nodes into the tree one by one. If a subsequent allocation fails, the already-linked nodes remain in the tree with no corresponding leaf entry. These orphaned internal nodes are never reclaimed because radix_tree_for_each_slot() only visits slots containing leaf values. The radix_tree API is deprecated in favor of xarray. As suggested by Matthew Wilcox, migrate qrtr_tx_flow from radix_tree to xarray instead of fixing the radix_tree itself [1]. xarray properly handles cleanup of internal nodes - xa_destroy() frees all internal xarray nodes when the qrtr_node is released, preventing the leak. [1] https://lore.kernel.org/all/20260225071623.41275-1-jiayuan.chen@linux.dev/T/

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution and information disclosure in Linux Kernel's TI ICSSG PRU Ethernet driver allows unauthenticated network attackers to leak kernel heap memory to userspace and potentially corrupt page_pool state. The zero-copy RX dispatch path fails to copy received packet data into newly allocated skbs, instead forwarding uninitialized heap memory up the network stack. Vendor patches available for kernel 6.19.12 and 7.0. EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity despite critical CVSS 9.8 rating and network attack vector.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Linux kernel GSO feature check reads uninitialized IPv4 header data when processing packets from PF_PACKET paths, causing kernel memory disclosure or denial of service. The vulnerability affects multiple kernel versions before 6.12.81, 6.19.12, and 7.0, and requires local user access to trigger via raw packet injection.

Code Injection Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A local denial of service vulnerability in the Linux kernel bnxt_en driver allows authenticated local users to crash the system by triggering an out-of-bounds array access during backing store capability queries. The vulnerability stems from incorrect use of firmware-provided type values to index fixed metadata arrays, rather than using the known loop iteration index. Exploitation requires local access and user-level privileges (PR:L), and no active exploitation has been reported.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in the Linux kernel NFC PN533 UART driver allows local authenticated attackers to exhaust memory by sending malformed NFC frames without valid headers, causing unbounded socket buffer growth until kernel crash. Affects Linux 5.5 through 7.0 with patches available across all maintained stable branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0); EPSS exploitation probability is minimal at 0.02%, but local privilege is required.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Linux kernel axienet driver can permanently stall network transmit queues due to incorrect Byte Queue Limits (BQL) accounting when scatter-gather TX packets span multiple NAPI polls. When a multi-buffer-descriptor packet completes across different polling cycles, only partial byte counts are credited to BQL, causing the subsystem to incorrectly believe bytes remain in-flight indefinitely and halting transmission. Vendor patches available for stable branches (6.18.22, 6.19.12, 7.0). EPSS exploitation probability is 2% (4th percentile), no active exploitation confirmed, indicating low real-world targeting despite the 7.5 CVSS score.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service via soft lockup in Linux kernel MPTCP (Multipath TCP) receive function allows remote unauthenticated attackers to lock up a CPU core indefinitely when applications use MSG_PEEK with MSG_WAITALL flags. The vulnerability stems from improper handling of peeked socket buffers that remain in the receive queue, causing sk_wait_data() to never actually wait and spinning in an infinite loop. EPSS score is low (0.02%, 4th percentile) indicating minimal observed exploitation probability. Vendor patches available for kernel versions 6.18.x and 6.19.x series.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Race condition in the Linux kernel's Bluetooth SCO socket implementation allows local authenticated users to trigger use-after-free and memory corruption via concurrent connect() syscalls on the same socket. The vulnerability affects the sco_sock_connect() function which fails to properly serialize state checks, enabling two threads to simultaneously progress through connection setup on a socket already marked for cleanup, leading to double-free conditions and connection object leaks. Vendor-released patches are available for kernel versions 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% indicates very low observed exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis.

Information Disclosure Linux Race Condition +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local privilege escalation in Linux kernel Bluetooth subsystem allows authenticated local users to cause denial of service through improper resource management in hci_cmd_sync_queue_once() function. The vulnerability affects Bluetooth HCI synchronization queue handling, where the function fails to properly indicate queue item addition status, leading to potential resource leaks and system unavailability. EPSS score of 0.02% indicates minimal real-world exploitation probability despite moderate CVSS severity.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory and reference leaks in the Linux kernel Bluetooth hci_sync subsystem allow local authenticated attackers to cause denial of service by triggering hci_cmd_sync_queue_once() failures without invoking the destroy callback, leading to unreclaimed resources. The vulnerability affects Linux kernel versions prior to 6.19.12 and 7.0, with EPSS score of 0.02% indicating very low real-world exploitation probability despite moderate CVSS score.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Stack buffer overflow in Linux kernel Bluetooth MGMT subsystem allows local authenticated attackers to execute arbitrary code with elevated privileges. The vulnerability stems from insufficient validation of the encryption key size (enc_size) parameter when loading Long Term Keys (LTKs) via the Bluetooth management interface. When processing LE LTK requests, the kernel uses the attacker-controlled enc_size value to perform stack operations against a fixed 16-byte buffer, enabling stack corruption through oversized values. Vendor-released patches are available across all active kernel branches. EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploit has been identified at time of analysis, though the attack complexity is low once local authenticated access is obtained.

Memory Corruption Buffer Overflow Linux +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in Linux Kernel Bluetooth stack allows adjacent network attackers to execute arbitrary code, escalate privileges, or cause denial of service without authentication. The vulnerability exists in hci_le_remote_conn_param_req_evt where hci_conn lookup and field access occurs outside the hdev lock protection, enabling concurrent memory corruption. Patches are available across multiple stable kernel branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0). EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.

Information Disclosure Linux Memory Corruption +3
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Linux kernel Bluetooth MGMT subsystem fails to validate the advertised data length field in mesh send operations, allowing local authenticated attackers to trigger denial of service by reading beyond allocated buffer boundaries. The vulnerability affects the mesh_send() function which accepts a truncated MGMT_OP_MESH_SEND command that passes length checks but contains mismatched adv_data_len and actual payload, leading to out-of-bounds access during async mesh transmission. Patch versions include 6.6.134, 6.12.81, 6.1.168, 6.18.22, and 7.0.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel's BPF sockmap implementation allows local authenticated attackers to corrupt memory and potentially execute arbitrary code with kernel privileges. The vulnerability occurs in sk_psock_verdict_data_ready() when handling AF_UNIX sockets, where sk->sk_socket can be accessed after being freed following sock_orphan(). This affects Linux kernel versions 5.15 through 6.19.12, with patches available for stable branches 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% indicates very low observed exploitation probability in the wild, and no active exploitation or public exploit code has been identified at time of analysis.

Google Information Disclosure Linux +4
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel macb driver allows local authenticated attackers to cause denial of service or potentially escalate privileges during module removal. The vulnerability occurs in the PCI glue driver when platform_device_unregister() triggers a runtime resume callback that attempts to access already-freed clock structures. EPSS score is low (0.02%) with no evidence of active exploitation. Vendor patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0).

Denial Of Service Use After Free Memory Corruption +3
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the MACB (Cadence Gigabit Ethernet Controller) driver allows local authenticated attackers to cause denial of service through resource exhaustion by failing to unregister fixed-rate clocks allocated during device probe, resulting in memory and clock resource depletion. EPSS exploitation probability is minimal at 0.02%, indicating low real-world risk despite CVSS score of 5.5. Patch versions are available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in Linux kernel net/mlx5 LAG (Link Aggregation) driver allows local authenticated attackers to cause denial of service by accessing debugfs interfaces when LAG device context is invalid. The vulnerability exists in mlx5_ldev_add_debugfs() which creates debugfs entries without validating that a valid LAG context exists, exposing the members file and other interfaces that depend on a valid ldev pointer. EPSS exploitation probability is 0.02% (percentile 7%), indicating low real-world exploitation likelihood despite the vulnerability's availability for patching.

Denial Of Service Null Pointer Dereference Linux +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A denial of service vulnerability in the Linux kernel's mlx5 (Mellanox/NVIDIA) network driver causes a kernel panic when switchdev mode initialization fails during rollback to legacy mode. A local unprivileged user on systems with affected mlx5 hardware can trigger improper netdevice unregistration, leading to a kernel BUG at net/core/dev.c:12070 and system crash. The vulnerability affects multiple stable kernel versions; vendor-released patches are available.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Linux kernel BPF verifier incorrectly prunes execution paths due to imprecise state tracking in atomic fetch operations, allowing local attackers to bypass security checks in eBPF programs. The verifier's backtracking logic fails to mark stack slots as precise when BPF_ATOMIC instructions with BPF_FETCH modify both memory and destination registers, causing two legitimately different program states to be incorrectly considered equivalent during path pruning. Vendor patches available in kernel versions 6.19.12 and 7.0. EPSS score of 0.02% (5th percentile) indicates low probability of mass exploitation, though successful exploitation grants high confidentiality, integrity, and availability impact per CVSS 7.8.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service via null pointer dereference in Linux kernel gpio-qixis-fpga driver affects local users with limited privileges. The driver incorrectly checks for NULL return value from devm_regmap_init_mmio(), which returns ERR_PTR() on failure, allowing a local attacker with user-level privileges to trigger a kernel panic by causing improper error handling. EPSS score is low (0.02%), indicating limited exploitation probability despite CVSS 5.5 severity.

Denial Of Service Null Pointer Dereference Linux +2
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A use-after-free resource management flaw in the Linux kernel's Qualcomm AI accelerator (QAIC) driver allows local authenticated users to cause denial of service and potentially escalate privileges. When a DBC (Device Binding Context) owner process terminates before handling device-initiated deactivation messages, the kernel fails to release DBC resources, causing subsequent activation attempts to hang indefinitely and creating exploitable resource state inconsistencies. The vulnerability affects Linux kernel versions 6.4 through 6.19.12, with vendor patches available across multiple stable branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation or public POC has been identified.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds memory read in Linux kernel io_uring subsystem allows local authenticated users to leak kernel memory or trigger denial of service. The vulnerability exists in io_uring's fixed buffer import logic when registering zero-length buffer regions, causing the bvec skip logic to read beyond allocated slab memory. Patches available across stable kernel branches (6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (4th percentile) indicates low likelihood of widespread exploitation. No active exploitation confirmed (not in CISA KEV), no public POC identified at time of analysis.

Buffer Overflow Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: hwmon: (tps53679) Fix array access with zero-length block read i2c_smbus_read_block_data() can return 0, indicating a zero-length read. When this happens, tps53679_identify_chip() accesses buf[ret - 1] which is buf[-1], reading one byte before the buffer on the stack. Fix by changing the check from "ret < 0" to "ret <= 0", treating a zero-length read as an error (-EIO), which prevents the out-of-bounds array access. Also fix a typo in the adjacent comment: "if present" instead of duplicate "if".

Information Disclosure Buffer Overflow Linux +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: spi: stm32-ospi: Fix resource leak in remove() callback The remove() callback returned early if pm_runtime_resume_and_get() failed, skipping the cleanup of spi controller and other resources. Remove the early return so cleanup completes regardless of PM resume result.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: drm/xe/xe_pagefault: Disallow writes to read-only VMAs The page fault handler should reject write/atomic access to read only VMAs. Add code to handle this in xe_pagefault_service after the VMA lookup. v2: - Apply max line length (Matthew) (cherry picked from commit 714ee6754ac5fa3dc078856a196a6b124cd797a0)

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A denial-of-service vulnerability in the Linux kernel's DRM/XE PXP (Protected Execution) driver causes an infinite loop when a restart flag is not cleared after a jump operation, allowing local authenticated users to hang or crash the system. The vulnerability affects multiple kernel versions through a logic error in the pxp_start function that was resolved in stable patches for Linux 6.18.22, 6.19.12, and 7.0.

Information Disclosure Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: spi: amlogic: spifc-a4: unregister ECC engine on probe failure and remove() callback aml_sfc_probe() registers the on-host NAND ECC engine, but teardown was missing from both probe unwind and remove-time cleanup. Add a devm cleanup action after successful registration so nand_ecc_unregister_on_host_hw_engine() runs automatically on probe failures and during device removal.

Red Hat Suse Information Disclosure +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds memory read in Linux kernel's Intel PMU (Performance Monitoring Unit) handling allows local authenticated attackers with low privileges to potentially access sensitive kernel memory, modify data, or cause system crashes. The flaw occurs when perf auto counter reload groups contain software events, triggering an unsafe container_of operation that can dereference memory outside valid bounds. EPSS exploitation probability is very low (0.02%, 4th percentile), and no public exploit or active exploitation has been identified at time of analysis. Patches available for kernel versions 6.18.22, 6.19.12, and 7.0.

Red Hat Suse Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: drm/ioc32: stop speculation on the drm_compat_ioctl path The drm compat ioctl path takes a user controlled pointer, and then dereferences it into a table of function pointers, the signature method of spectre problems. Fix this up by calling array_index_nospec() on the index to the function pointer list.

Red Hat Suse Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A heap buffer overflow in the Linux kernel's wilc1000 WiFi driver allows local authenticated users to trigger memory corruption via crafted SSID scan requests. The driver miscalculates buffer size due to u8 integer overflow (330 bytes wrapping to 74), causing kmalloc to allocate 75 bytes while memcpy writes up to 331 bytes - a 256-byte overflow. Patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.03% (9th percentile) suggests low likelihood of widespread exploitation, and CISA KEV does not list this CVE, indicating no confirmed active exploitation at time of analysis.

Red Hat Suse Buffer Overflow +2
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Out-of-bounds read in Linux kernel iwlwifi driver allows adjacent network attackers to disclose sensitive kernel memory or trigger denial of service without authentication. The vulnerability affects the iwlwifi wireless driver's network detection match handler function, where insufficient packet length validation enables memcpy to read beyond allocated buffer boundaries. EPSS probability is low (0.02%, 7th percentile) and no active exploitation confirmed (not in CISA KEV). Vendor patches available across multiple kernel stable branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).

Red Hat Suse Buffer Overflow +2
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Stack buffer out-of-bounds read in Linux kernel ALSA snd_usb_caiaq driver allows local authenticated users to disclose kernel stack memory and potentially trigger denial of service. The vulnerability affects systems with USB audio devices using the caiaq driver when product names contain many non-ASCII characters. Present since kernel v2.6.31-rc1 (June 2009), this 16-year-old off-by-one error lacks null terminator validation during whitespace stripping. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).

Red Hat Suse Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in the Linux kernel ALSA ctxfi audio driver allows local authenticated attackers to crash the system via improper error handling in the daio_device_index() function. The ctxfi driver failed to validate return values from index mapping operations, enabling a local user with standard privileges to trigger an unhandled error condition that disables audio functionality or causes system instability.

Red Hat Suse Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds array access in Linux kernel ALSA ctxfi driver allows local authenticated users to achieve arbitrary code execution with high integrity and confidentiality impact. The flaw stems from improper SPDIF1 DAIO type handling in daio_device_index() for hw20k2 hardware, which returns -EINVAL instead of a valid index, leading to buffer overflow conditions (CWE-129). Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation activity; no CISA KEV listing or public POC identified at time of analysis.

Red Hat Suse Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Linux kernel ALSA ctxfi audio driver allows local authenticated attackers to crash the system via improper SPDIF1 enumeration during DAIO initialization on hw20k2 hardware. The vulnerability affects kernel versions 6.19 through 7.0 due to a refactoring that loops over all DAIO types including the hw20k2-incompatible SPDIF1 entry, triggering a kernel crash when the undefined hardware info is accessed. Patch available from Linux stable repositories.

Red Hat Suse Denial Of Service +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Integer overflow in Linux kernel io_uring subsystem allows local authenticated users to trigger slab-out-of-bounds memory reads and denial of service. The vulnerability stems from improper type casting of user-supplied length values in network bundled receive/send operations, where values exceeding INT_MAX cause negative overflow leading to infinite loops and out-of-bounds array access. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. Vendor patches available for affected stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0), making this a straightforward patching priority for systems running vulnerable versions with io_uring enabled.

Red Hat Suse Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Incorrect authentication labeling in Linux kernel's Bluetooth SMP legacy pairing allows adjacent attackers to bypass security controls and gain high-level access without proper authentication. The flaw affects the Short Term Key (STK) derivation in Just Works/Confirm pairing modes, where keys are incorrectly marked as authenticated even when Man-in-the-Middle (MITM) protection was not established. With CVSS 8.8 (AV:A/AC:L/PR:N/UI:N), this enables adjacent network attackers to exploit Bluetooth pairing flows without authentication. EPSS score of 0.05% suggests low widespread exploitation likelihood. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).

Red Hat Suse Information Disclosure +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Stack buffer overflow in Linux kernel Bluetooth subsystem allows local authenticated attackers to achieve code execution, privilege escalation, or denial of service through malformed ISO socket parameters. The vulnerability occurs when binding an ISO Bluetooth socket with up to 31 BIS entries while the hci_le_big_create_sync() function only allocates stack space for 17 entries, resulting in a 14-byte overflow that corrupts adjacent stack memory. Patches are available across multiple kernel versions (6.12.81, 6.18.22, 6.19.12, 7.0), with EPSS indicating 0.02% exploitation probability and no active exploitation confirmed.

Red Hat Suse Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Out-of-bounds memory read in Linux kernel Bluetooth HCI event processing allows adjacent network attackers to disclose kernel memory or trigger denial of service without authentication. The vulnerability stems from premature wake reason storage before per-event payload length validation, enabling crafted short HCI event frames to reach bacpy() operations before bounds checking. EPSS score is low (0.02%, 6th percentile) with no evidence of active exploitation or public POC at time of analysis. Vendor patches available for kernel versions 5.10+ through 6.19.12 and mainline 7.0.

Red Hat Suse Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service via divide-by-zero crash in the hwmon OCC (On-Chip Controller) power monitoring driver affects Linux kernels when the power sensor is queried before initial data samples are collected, typically during early boot. Local attackers with unprivileged user privileges can trigger a kernel panic by accessing the affected sysfs power attribute, causing system availability impact. CVSS 5.5 reflects local attack vector and low complexity; EPSS 0.02% indicates low real-world exploitation probability despite the straightforward trigger condition.

Red Hat Suse Denial Of Service +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel GPIB subsystem allows local authenticated attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability occurs in IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers when concurrent IBCLOSEDEV calls free descriptors still in use by I/O operations. EPSS probability is very low (0.02%, 4th percentile), indicating minimal observed exploitation activity. Vendor patches available for stable branches 6.18.22, 6.19.12, and mainline 7.0 via commits cae26eff, 28c75dd1, and d1857f82.

Red Hat Suse Authentication Bypass +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Division-by-zero denial of service in Linux kernel's Intel i915 DRM driver when loading on certain machines with DSC (Display Stream Compression) enabled in command mode. The driver incorrectly applies horizontal timing adjustments based on compression ratio in command mode, causing line_time_us to become zero and triggering a kernel panic. Affects Linux kernel versions 5.6 and later; patch available via stable kernel releases.

Red Hat Suse Huawei +3
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Integer overflow in AMD GPU driver's user queue doorbell handling allows local authenticated users to corrupt kernel memory and potentially escalate privileges. The amdgpu driver fails to validate user-supplied doorbell_offset values before calculating buffer offsets, enabling out-of-bounds writes to kernel doorbell space. Patches available in Linux 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% (4th percentile) indicates low probability of mass exploitation, though CVSS 7.1 reflects serious local privilege escalation potential. No active exploitation confirmed; attack requires local authenticated access to systems with AMD GPU hardware.

Red Hat Suse Buffer Overflow +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel NULL pointer dereference in AMD GPU driver on systems with 64KB page sizes allows local authenticated attackers to crash the system by triggering memory allocation mismatches between reserved trap area (8KB) and required allocation size (128KB) during GPU memory initialization. The vulnerability affects systems running ROCm workloads and causes denial of service when executing rocminfo or rccl unit tests on IBM POWER10 and similar 64K-page architectures. EPSS exploitation probability is very low (0.02%), and no public exploit code or active in-the-wild exploitation has been identified.

Red Hat Suse Denial Of Service +4
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds array access in the st_lsm6dsx IMU driver allows local authenticated users with low privileges to achieve high-impact code execution, data disclosure, or denial of service. The vulnerability exists in the buffer sampling frequency sysfs handler, which fails to validate sensor type before indexing a 2-entry array with sensor IDs beyond accelerometer and gyroscope. Exploitation requires write access to sysfs attributes for non-standard sensor types in the driver. EPSS exploitation probability is very low (0.02%, 5th percentile), no active exploitation confirmed, and vendor patches are available for Linux 6.19.12 and 7.0.

Red Hat Suse Buffer Overflow +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in the Linux kernel's mpu3050 gyroscope driver allows local authenticated attackers to crash the system via incorrect IRQ handler cleanup during module unload. A mismatch between the registered IRQ handler (mpu3050->trig) and the handler passed to free_irq() (mpu3050) causes improper cleanup, leading to resource leaks and potential kernel panic when the device is removed or the driver is unloaded. No public exploit code identified; patch available across affected kernel series.

Red Hat Suse Information Disclosure +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource leak in the Linux kernel MPU3050 gyro driver allows local authenticated users to cause denial of service through memory exhaustion by repeatedly triggering iio_trigger_register() failures that fail to release previously allocated interrupt handlers. The vulnerability affects multiple kernel versions and requires local access with unprivileged user privileges, resulting in potential system availability impact with low real-world exploitation likelihood (EPSS 0.02%).

Red Hat Suse Information Disclosure +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's GPIB lpvo_usb driver allows local authenticated users to cause a denial of service through resource exhaustion by repeatedly connecting and disconnecting USB devices, as the driver fails to release USB device references during interface enumeration. The EPSS score of 0.02% indicates minimal real-world exploitation risk despite the moderate CVSS 5.5 severity, reflecting the combination of local-only access requirement, authentication need, and the niche nature of GPIB USB device usage.

Red Hat Suse Information Disclosure +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Double-free memory corruption in Linux kernel USB ULPI subsystem allows local authenticated attackers with low privileges to potentially achieve arbitrary code execution, denial of service, or information disclosure. The flaw exists in ulpi_register_interface() error handling since kernel 4.2 (commit 289fcff4b), where device_register() failure triggers cleanup via put_device() followed by redundant kfree(), corrupting kernel memory. Patches available across stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% suggests low likelihood of mass exploitation despite high CVSS 7.8, likely due to local attack vector and requirement for device registration failure conditions.

Red Hat Suse Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free condition in Linux kernel USB Test and Measurement Class (USBTMC) driver allows local authenticated attackers to execute arbitrary code with elevated privileges. The vulnerability occurs when the usbtmc_release function fails to properly flush pending anchored URBs, leaving dangling references that can be exploited in the HCD giveback path. Vendor patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0). Despite the high CVSS score of 7.8, the EPSS exploitation probability is very low at 0.02% (7th percentile), indicating limited real-world targeting, and no active exploitation or public POC has been identified.

Red Hat Suse Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A memory leak in the Linux kernel's USB misc usbio driver allows local attackers with low privileges to cause a denial of service by exhausting kernel memory through repeated USB device probe failures. The vulnerability arises when usb_submit_urb() fails during device initialization, leaving allocated URB structures unreleased and accumulating with each failed probe attempt.

Red Hat Suse Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Linux kernel USB dwc2 gadget driver allows local authenticated users to trigger a deadlock via improper spin lock handling in dwc2_hsotg_udc_stop(). The vulnerability stems from a locking protocol violation where dwc2_gadget_exit_clock_gating() expects a held lock but is called without one, causing spin_unlock on an unheld lock followed by a lock held indefinitely, resulting in system hang. No public exploit code identified at time of analysis.

Red Hat Suse Information Disclosure +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A denial of service condition in the Linux kernel's Cadence USB3 (cdns3) gadget driver occurs when gadget initialization fails, leaving the DRD hardware in gadget mode while software state remains inactive. Switching the device to USB host mode via sysfs triggers a synchronous external abort in the xHCI host controller setup, causing a kernel crash. Local authenticated users with access to the USB role-switch sysfs interface can trigger this condition, affecting Linux kernel versions 5.4 through current releases. A patch is available from the Linux kernel project.

Red Hat Suse Denial Of Service +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: auxdisplay: line-display: fix NULL dereference in linedisp_release linedisp_release() currently retrieves the enclosing struct linedisp via to_linedisp(). That lookup depends on the attachment list, but the attachment may already have been removed before put_device() invokes the release callback. This can happen in linedisp_unregister(), and can also be reached from some linedisp_register() error paths. In that case, to_linedisp() returns NULL and linedisp_release() dereferences it while freeing the display resources. The struct device released here is the embedded linedisp->dev used by linedisp_register(), so retrieve the enclosing object directly with container_of() instead.

Red Hat Suse Denial Of Service +2
NVD
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Denial of service in the Linux kernel comedi dt2815 driver allows local authenticated users to crash the system by attaching the driver to arbitrary I/O addresses without actual hardware present via the COMEDI_DEVCONFIG ioctl. The vulnerability occurs when outb() operations are performed on non-existent hardware, triggering page faults under race conditions. A patch adding hardware detection via status register reads prevents the crash.

Red Hat Suse Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in Linux kernel comedi subsystem allows local privileged users to exhaust kernel memory and cause denial of service. The vulnerability exists in do_cmd_ioctl() where chanlist memory is not properly freed when runflags is not set following an exceptional exit, due to incomplete reference counting logic introduced in commit 4e1da516debb. CVSS 5.5 (local, low complexity, requires user privilege) with EPSS 0.02% indicates this is a lower-priority local DoS affecting systems with comedi driver loaded and untrusted local users.

Red Hat Suse Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference and invalid I/O port writes in the Linux kernel's comedi ni_atmio16d driver occur when the device attach handler fails, causing the detach handler to call reset_atmio16d() with uninitialized device state. Local privileged attackers can trigger a denial of service by causing attach to fail, resulting in kernel memory access violations or writes to address zero. No public exploit code or active exploitation has been identified; patch versions are available from the Linux kernel stable branches.

Red Hat Suse Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Buffer overflow in Linux kernel COMEDI me_daq driver allows local authenticated users to achieve arbitrary code execution with kernel privileges. The me2600_xilinx_download() function fails to validate firmware file length before reading data streams, enabling out-of-bounds memory access during firmware loading operations. Patches available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates low probability of widespread exploitation despite high CVSS 7.8 rating, and no active exploitation or public exploit code identified at time of analysis.

Red Hat Suse Memory Corruption +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds write in Linux kernel comedi me4000 driver firmware loader allows local authenticated users to achieve high-impact code execution, data corruption, or system crash. The me4000_xilinx_download() function blindly trusts firmware file format headers without validating buffer boundaries, reading a length field from the first 4 bytes and then reading that many bytes from offset 16 without checking total file size. Patch available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating. No public exploit code or active exploitation confirmed.

Red Hat Suse Memory Corruption +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in Linux kernel s390/zcrypt subsystem allows local authenticated attackers to exhaust memory resources by repeatedly using CCA cards as accelerators for clear key RSA requests (ME and CRT operations). The vulnerability stems from incomplete refactoring where AP message allocations via ap_init_apmsg() are not properly freed in two code paths, causing heap memory exhaustion over time and enabling denial of service on s390 systems with CCA cryptographic hardware.

Red Hat Suse Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Double-free memory corruption in the Linux kernel reset-gpio subsystem allows local authenticated users to escalate privileges or crash the system. The vulnerability exists in reset_add_gpio_aux_device() error handling since commit 5fc4e4cf7a22, where auxiliary_device_uninit() triggers a release callback that frees memory, but the error path then calls kfree() on the same pointer. Patches available for kernel versions 6.19.12+ and 7.0+. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. Not listed in CISA KEV; no public exploit identified at time of analysis.

Red Hat Suse Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Linux kernel energy model netlink handler allows local authenticated attackers to crash the system via NULL pointer dereference when requesting non-existent performance domain IDs. The dev_energymodel_nl_get_perf_domains_doit() function fails to validate the return value from em_perf_domain_get_by_id() before dereferencing the performance domain structure, causing immediate kernel panic when an invalid domain ID is supplied. EPSS exploitation probability is very low (0.02%, 5th percentile), and no public exploit code or active exploitation has been identified.

Red Hat Suse Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Memory corruption in the Linux kernel zynqmp_nvmem driver allows local authenticated users to achieve privilege escalation through undersized DMA buffer exploitation. The vulnerability stems from incorrect buffer size calculations in dma_alloc_coherent and memcpy operations, enabling heap or memory corruption that can lead to complete system compromise. With a 7.8 CVSS score but only 0.02% EPSS (5th percentile), this represents a high-severity issue affecting specific Xilinx Zynq UltraScale+ deployments rather than a widespread exploitation target. Patches available across multiple stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0) with upstream fixes confirmed in git commits.

Red Hat Suse Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Memory corruption in the Linux kernel virtual terminal (vt) subsystem allows local authenticated users to trigger kernel crashes and potentially escalate privileges. When a console switches to an alternate screen and then gets resized, the saved Unicode buffer retains stale dimensions. Upon returning to the primary screen, operations like screen clearing (csi_J) access memory out of bounds using current dimensions against the old buffer, causing kernel oops. EPSS exploitation probability is low (0.02%, 4th percentile), no active exploitation confirmed, but vendor patches are available across multiple stable kernel branches (5.x, 6.18.x, 6.19.x).

Red Hat Suse Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service via runtime PM usage count underflow in the rz-mtu3-cnt counter driver allows local privileged users to disable hardware counters and trigger kernel warnings by repeatedly writing to the sysfs enable file. Multiple writes of the same value (0 or 1) to the enable attribute cause the runtime PM reference count to become misaligned with actual hardware state, leading to register access with clocks disabled and potential PWM channel conflicts. EPSS exploitation probability is minimal (0.02%) despite local access requirement, indicating this is primarily a local reliability issue rather than a remote attack vector.

Red Hat Suse Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Linux kernel counter driver (rz-mtu3-cnt) allows local attackers with low privileges to crash the system by exploiting a race condition where counter and PWM sub-drivers overwrite a shared device pointer, causing incorrect runtime power management operations. The vulnerability affects kernel versions prior to specific patch levels across the 6.x and 7.x branches, with EPSS exploitation probability of 0.02% indicating low real-world exploitation likelihood despite the availability of a vendor patch.

Red Hat Suse Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Missing CRYPTO_ALG_ASYNC flag in Linux kernel's Tegra crypto driver causes the crypto API to incorrectly select asynchronous algorithms for synchronous-only requests, resulting in system crashes. This affects Tegra-based Linux systems (typically NVIDIA Jetson devices) running kernel versions 6.10 through early 7.0 development branches. Vendor patches are available across stable branches (6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation probability, and no active exploitation or public POC has been identified. The CVSS vector (AV:N/AC:L/PR:L/UI:N) suggests network-based exploitation requiring authenticated access, though this conflicts with the technical nature of a local driver configuration bug.

Red Hat Suse Denial Of Service +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Linux kernel VXLAN module allows local authenticated attackers to crash the system via malformed IPv6 neighbor discovery options in vxlan_na_create(). A crafted ND option with incorrect length values can cause out-of-bounds access or undersized payload reads, triggering a kernel panic. EPSS exploitation probability is low at 0.02%, but the vulnerability is confirmed patched across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12).

Red Hat Suse Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service via NULL pointer dereference in the MediaTek Ethernet PPE (packet processing engine) driver occurs when gmac0 (the primary ethernet interface) is disabled on affected systems. A local authenticated attacker can trigger a kernel crash by sending traffic through the networking stack when the driver incorrectly checks for a valid ingress device without verifying if the first network device pointer is actually initialized. The vulnerability affects Linux kernel versions prior to fixes released in stable branches 6.18.22, 6.12.81, 6.19.12, and 7.0.

Red Hat Suse Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Linux kernel IOMMU page table unmapping operations fail to invalidate extended memory regions when unmapping lands mid-entry in large/contiguous mappings, causing stale TLB entries. Affects kernel 6.19 through pre-7.0 versions with IOMMU subsystem enabled. Local authenticated attackers with low privileges can potentially access unmapped memory or escalate privileges by exploiting incomplete invalidations during IOMMU unmap operations. EPSS score of 0.02% (5th percentile) suggests minimal real-world exploitation likelihood. No public exploit identified at time of analysis, though vendor acknowledges theoretical risk is low as 'nothing relies on unmapping a large entry.' Vendor-released patches available for stable branches.

Red Hat Suse Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Linux kernel scheduler extension (sched_ext) allows local privileged attackers to crash systems by triggering incorrect task migration validation. The vulnerability exists in the is_bpf_migration_disabled() function, which fails to correctly identify migration-disabled tasks on non-PREEMPT_RCU configurations, potentially dispatching such tasks to remote CPUs and triggering kernel errors in task_can_run_on_remote_rq(). EPSS exploitation probability is very low at 0.02%, but CVSS 5.5 indicates local attackers with standard user privileges can cause denial of service.

Red Hat Suse Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A denial of service condition in the Linux kernel scheduler extension (sched_ext) subsystem allows local authenticated attackers to trigger a kernel warning and potential crash via improper handling of stale direct dispatch state in the ddsp_dsq_id field. When a task's direct dispatch verdict is not properly cleared across all code paths that consume or cancel such verdicts, a subsequent wakeup operation calling ops.select_cpu() with scx_bpf_dsq_insert() triggers a spurious WARN_ON_ONCE() in mark_direct_dispatch(), exposing the availability impact of the vulnerability. The issue affects Linux kernels with sched_ext enabled and requires local access with low privilege (non-root user capable of triggering task scheduling operations).

Red Hat Suse Authentication Bypass +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel thermal subsystem allows local attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability stems from race conditions between thermal zone removal and power management resume operations, where delayed work items can continue executing after thermal zone objects are freed. EPSS score of 0.02% (5th percentile) suggests low probability of mass exploitation despite high CVSS severity. Vendor patches available across multiple stable kernel branches (6.12.83, 6.18.22, 6.19.12, 7.0) via upstream commits. No active exploitation confirmed in CISA KEV at time of analysis.

Red Hat Suse Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Double-free memory corruption in the Linux kernel's fastrpc driver allows local attackers with low privileges to achieve high-impact code execution, privilege escalation, or denial of service. The vulnerability occurs when fastrpc_init_create_static_process() fails to nullify a freed heap pointer (cctx->remote_heap) in its error path, enabling fastrpc_rpmsg_remove() to free the same memory twice during device removal. Patches available across kernel versions 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% indicates low observed exploitation probability, with no active exploitation confirmed at time of analysis.

Red Hat Suse Information Disclosure +1
NVD VulDB
Prev Page 25 of 104 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy