Suse
Monthly
Buffer overflow in Linux kernel's ksmbd SMB server allows authenticated remote attackers to trigger ~8 MB heap allocation from manipulated NTACL xattr values, potentially leading to memory exhaustion, information disclosure via uninitialized heap memory, or code execution. Exploitation requires low-privilege SMB authentication plus ability to corrupt backing filesystem metadata (offline xattr tampering or race condition). EPSS score of 0.02% indicates minimal observed exploitation activity. Vendor patches available across multiple stable kernel branches (6.12.84, 6.18.25, 7.0.2, 7.1-rc1).
Use-after-free in Linux kernel virt_wifi driver allows local authenticated users to trigger memory corruption during ethtool operations on virtual WiFi devices being unregistered. The vulnerability stems from improper device parent reference handling via SET_NETDEV_DEV, where ethnl_ops_begin() calls pm_runtime_get_sync() on already-freed memory when a virt_wifi device unregisters concurrently with ethtool operations. Patches are available across multiple stable kernel branches (5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploit identified at time of analysis, though CVSS 7.8 reflects potential for complete system compromise if successfully triggered.
Use-after-free in Linux kernel's MANA network driver allows local authenticated attackers to corrupt memory and potentially execute code with kernel privileges. The flaw occurs when auxiliary_device_add() fails in add_adev(), triggering cleanup that frees memory still referenced by subsequent error-handling code. Patches available across stable kernel branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. No CISA KEV listing or public exploit identified at time of analysis.
Uninitialized memory in the Linux kernel SCSI target subsystem (target_core_file) causes write operations to fail unpredictably when bogus ki_write_stream values trigger block device validation checks. Affected versions span Linux kernel 6.16 through development branches, with stable patches released for 6.18.22, 6.19.12, and 7.0. While CVSS scores this as 7.5 High with network vector (AV:N), the description indicates a local kernel subsystem issue affecting SCSI target configurations, suggesting a vector/impact mismatch. EPSS probability is very low (0.02%, 4th percentile) with no evidence of active exploitation or public POC, indicating minimal real-world targeting despite the high CVSS score.
tcm_loop target reset handler fails to drain in-flight SCSI commands, violating SCSI error handling contract and causing LUN reference leaks that deadlock configfs LUN unlink operations. Local users with appropriate privileges can trigger denial of service by initiating reset sequences while SCSI commands are in flight, leaving the kernel in an unkillable D-state waiting for LUN reference counts to clear. This is a local denial of service affecting the SCSI target core's tcm_loop loopback driver across multiple kernel versions.
XFS filesystem crashes during log recovery when inodes with node-format extended attributes are inactivated following an untimely log shutdown, due to stale metadata block references in the attribute B-tree. Unprivileged local attackers with write access to XFS filesystems can trigger this denial-of-service condition by inducing log shutdown during extended attribute cleanup, causing the filesystem to unmount and require repair. The vulnerability affects Linux kernel versions prior to 6.19.12 and later stable branches.
An out-of-bounds read vulnerability in the Linux kernel's Wacom HID driver (wacom_intuos_bt_irq function) allows adjacent network attackers to cause information disclosure or denial of service through maliciously crafted short Bluetooth HID reports. The vulnerability affects the Bluetooth interface of Wacom Intuos tablets, where report types 0x03 and 0x04 are processed without validating minimum lengths (22 and 32 bytes respectively), enabling memory reads beyond buffer boundaries. Patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) with no active exploitation confirmed (EPSS 0.02%, not in CISA KEV).
Race condition in Linux kernel ATM LEC driver allows local attackers with low privileges to trigger use-after-free memory corruption in sock_def_readable(), potentially achieving arbitrary code execution, privilege escalation, or denial of service. The flaw affects systems using ATM (Asynchronous Transfer Mode) LAN Emulation Client functionality, present since Linux kernel version 2.4 (commit 1da177e4c3f4). EPSS score of 0.02% (7th percentile) suggests low probability of mass exploitation. Vendor patches available across all maintained stable branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). Not listed in CISA KEV; no public exploit code identified at time of analysis.
Use-after-free in Linux kernel HID subsystem allows local attackers with low privileges to achieve arbitrary code execution, privilege escalation, or denial of service when force feedback initialization fails on Logitech G920 racing wheels. The vulnerability occurs when userspace continues accessing freed memory structures (sysfs and /dev/input) after initialization errors. Vendor patches available across multiple stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates very low probability of mass exploitation, consistent with hardware-specific local attack surface requiring physical device presence.
Adjacent network attackers can achieve high-severity code execution, information disclosure, or denial of service in the Linux kernel HID (Human Interface Device) subsystem by exploiting a bounds-checking flaw in hid_report_raw_event(). A bogus memset() operation intended to zero unused buffer space instead creates out-of-bounds read/write conditions when processing malformed HID input reports from adjacent devices (USB, Bluetooth). Vendor patches available for stable branches 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% suggests minimal observed exploitation, but the unauthenticated adjacent-network attack vector with low complexity makes this exploitable in environments with untrusted HID peripherals.
Out-of-bounds memory writes in Linux kernel HID multitouch driver allow local authenticated users to achieve code execution or crash systems via malicious USB/HID devices. The vulnerability exists in the HID multitouch report parsing logic where mismatched report IDs in feature requests can confuse the HID core. Vendor-released patches are available across multiple kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score is low (0.02%, 7th percentile), indicating minimal observed exploitation attempts. No public exploit code identified at time of analysis.
Kernel denial of service via crafted btrfs metadata allowing local attackers to trigger an unguarded BUG_ON() condition during relocation recovery at mount time. The vulnerability arises when a root item on disk contains a non-zero drop_progress with zero drop_level, an invalid state that should not exist but lacks validation on read. CVSS 5.5 reflects local attack vector and availability impact; EPSS 0.02% indicates minimal real-world exploitation likelihood.
Memory corruption and page reference leaks in the Linux kernel mshv (Microsoft Hyper-V) module occur when pin_user_pages_fast() returns a partial pin count, which the current code incorrectly treats as success. A local authenticated attacker with privileges can trigger this vulnerability to corrupt memory or cause denial of service on systems using the mshv module, particularly in Hyper-V guest environments.
Memory corruption in the Linux kernel CAAM (Cryptographic Acceleration and Assurance Module) crypto driver allows local authenticated users to corrupt kernel memory and potentially escalate privileges. The vulnerability occurs when HMAC keys longer than the hash block size are processed - the driver allocates a DMA-aligned buffer size but fails to use it, causing the hashed key to overwrite adjacent memory. Vendor patches are available for stable kernel versions 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.
Denial of service in the Linux kernel AF_ALG crypto interface allows local authenticated attackers to trigger a NULL pointer dereference and kernel panic by sending sequential sendmsg() calls that cause scatter-gather list chain operations to fail to properly unmark SGL boundaries. The vulnerability occurs when AF_ALG allocates chained SGL structures without clearing end markers on previous entries, causing the crypto scatterwalk to encounter premature termination and dereference NULL pointers. CVSS 5.5 (AV:L/AC:L/PR:L) reflects local-only attack requirement with low complexity; EPSS 0.02% (7th percentile) indicates minimal real-world exploitation risk despite kernel panic severity.
Race condition in Linux kernel MPLS subsystem allows local authenticated users to trigger out-of-bounds memory access via concurrent label table resizing. The vulnerability affects RCU-protected codepaths (mpls_forward, mpls_dump_routes) that can obtain inconsistent snapshots of platform_labels array metadata during resize operations, potentially leading to information disclosure or denial of service. Vendor patch available addressing the issue through seqcount-based synchronization. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability, and no active exploitation or public POC identified.
In the Linux kernel, the following vulnerability has been resolved: net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak __radix_tree_create() allocates and links intermediate nodes into the tree one by one. If a subsequent allocation fails, the already-linked nodes remain in the tree with no corresponding leaf entry. These orphaned internal nodes are never reclaimed because radix_tree_for_each_slot() only visits slots containing leaf values. The radix_tree API is deprecated in favor of xarray. As suggested by Matthew Wilcox, migrate qrtr_tx_flow from radix_tree to xarray instead of fixing the radix_tree itself [1]. xarray properly handles cleanup of internal nodes - xa_destroy() frees all internal xarray nodes when the qrtr_node is released, preventing the leak. [1] https://lore.kernel.org/all/20260225071623.41275-1-jiayuan.chen@linux.dev/T/
Remote code execution and information disclosure in Linux Kernel's TI ICSSG PRU Ethernet driver allows unauthenticated network attackers to leak kernel heap memory to userspace and potentially corrupt page_pool state. The zero-copy RX dispatch path fails to copy received packet data into newly allocated skbs, instead forwarding uninitialized heap memory up the network stack. Vendor patches available for kernel 6.19.12 and 7.0. EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity despite critical CVSS 9.8 rating and network attack vector.
Linux kernel GSO feature check reads uninitialized IPv4 header data when processing packets from PF_PACKET paths, causing kernel memory disclosure or denial of service. The vulnerability affects multiple kernel versions before 6.12.81, 6.19.12, and 7.0, and requires local user access to trigger via raw packet injection.
A local denial of service vulnerability in the Linux kernel bnxt_en driver allows authenticated local users to crash the system by triggering an out-of-bounds array access during backing store capability queries. The vulnerability stems from incorrect use of firmware-provided type values to index fixed metadata arrays, rather than using the known loop iteration index. Exploitation requires local access and user-level privileges (PR:L), and no active exploitation has been reported.
Denial of service in the Linux kernel NFC PN533 UART driver allows local authenticated attackers to exhaust memory by sending malformed NFC frames without valid headers, causing unbounded socket buffer growth until kernel crash. Affects Linux 5.5 through 7.0 with patches available across all maintained stable branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0); EPSS exploitation probability is minimal at 0.02%, but local privilege is required.
Linux kernel axienet driver can permanently stall network transmit queues due to incorrect Byte Queue Limits (BQL) accounting when scatter-gather TX packets span multiple NAPI polls. When a multi-buffer-descriptor packet completes across different polling cycles, only partial byte counts are credited to BQL, causing the subsystem to incorrectly believe bytes remain in-flight indefinitely and halting transmission. Vendor patches available for stable branches (6.18.22, 6.19.12, 7.0). EPSS exploitation probability is 2% (4th percentile), no active exploitation confirmed, indicating low real-world targeting despite the 7.5 CVSS score.
Denial of service via soft lockup in Linux kernel MPTCP (Multipath TCP) receive function allows remote unauthenticated attackers to lock up a CPU core indefinitely when applications use MSG_PEEK with MSG_WAITALL flags. The vulnerability stems from improper handling of peeked socket buffers that remain in the receive queue, causing sk_wait_data() to never actually wait and spinning in an infinite loop. EPSS score is low (0.02%, 4th percentile) indicating minimal observed exploitation probability. Vendor patches available for kernel versions 6.18.x and 6.19.x series.
Race condition in the Linux kernel's Bluetooth SCO socket implementation allows local authenticated users to trigger use-after-free and memory corruption via concurrent connect() syscalls on the same socket. The vulnerability affects the sco_sock_connect() function which fails to properly serialize state checks, enabling two threads to simultaneously progress through connection setup on a socket already marked for cleanup, leading to double-free conditions and connection object leaks. Vendor-released patches are available for kernel versions 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% indicates very low observed exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis.
Local privilege escalation in Linux kernel Bluetooth subsystem allows authenticated local users to cause denial of service through improper resource management in hci_cmd_sync_queue_once() function. The vulnerability affects Bluetooth HCI synchronization queue handling, where the function fails to properly indicate queue item addition status, leading to potential resource leaks and system unavailability. EPSS score of 0.02% indicates minimal real-world exploitation probability despite moderate CVSS severity.
Memory and reference leaks in the Linux kernel Bluetooth hci_sync subsystem allow local authenticated attackers to cause denial of service by triggering hci_cmd_sync_queue_once() failures without invoking the destroy callback, leading to unreclaimed resources. The vulnerability affects Linux kernel versions prior to 6.19.12 and 7.0, with EPSS score of 0.02% indicating very low real-world exploitation probability despite moderate CVSS score.
Stack buffer overflow in Linux kernel Bluetooth MGMT subsystem allows local authenticated attackers to execute arbitrary code with elevated privileges. The vulnerability stems from insufficient validation of the encryption key size (enc_size) parameter when loading Long Term Keys (LTKs) via the Bluetooth management interface. When processing LE LTK requests, the kernel uses the attacker-controlled enc_size value to perform stack operations against a fixed 16-byte buffer, enabling stack corruption through oversized values. Vendor-released patches are available across all active kernel branches. EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploit has been identified at time of analysis, though the attack complexity is low once local authenticated access is obtained.
Use-after-free in Linux Kernel Bluetooth stack allows adjacent network attackers to execute arbitrary code, escalate privileges, or cause denial of service without authentication. The vulnerability exists in hci_le_remote_conn_param_req_evt where hci_conn lookup and field access occurs outside the hdev lock protection, enabling concurrent memory corruption. Patches are available across multiple stable kernel branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0). EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.
Linux kernel Bluetooth MGMT subsystem fails to validate the advertised data length field in mesh send operations, allowing local authenticated attackers to trigger denial of service by reading beyond allocated buffer boundaries. The vulnerability affects the mesh_send() function which accepts a truncated MGMT_OP_MESH_SEND command that passes length checks but contains mismatched adv_data_len and actual payload, leading to out-of-bounds access during async mesh transmission. Patch versions include 6.6.134, 6.12.81, 6.1.168, 6.18.22, and 7.0.
Use-after-free in Linux kernel's BPF sockmap implementation allows local authenticated attackers to corrupt memory and potentially execute arbitrary code with kernel privileges. The vulnerability occurs in sk_psock_verdict_data_ready() when handling AF_UNIX sockets, where sk->sk_socket can be accessed after being freed following sock_orphan(). This affects Linux kernel versions 5.15 through 6.19.12, with patches available for stable branches 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% indicates very low observed exploitation probability in the wild, and no active exploitation or public exploit code has been identified at time of analysis.
Use-after-free in Linux kernel macb driver allows local authenticated attackers to cause denial of service or potentially escalate privileges during module removal. The vulnerability occurs in the PCI glue driver when platform_device_unregister() triggers a runtime resume callback that attempts to access already-freed clock structures. EPSS score is low (0.02%) with no evidence of active exploitation. Vendor patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0).
Memory leak in the MACB (Cadence Gigabit Ethernet Controller) driver allows local authenticated attackers to cause denial of service through resource exhaustion by failing to unregister fixed-rate clocks allocated during device probe, resulting in memory and clock resource depletion. EPSS exploitation probability is minimal at 0.02%, indicating low real-world risk despite CVSS score of 5.5. Patch versions are available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Null pointer dereference in Linux kernel net/mlx5 LAG (Link Aggregation) driver allows local authenticated attackers to cause denial of service by accessing debugfs interfaces when LAG device context is invalid. The vulnerability exists in mlx5_ldev_add_debugfs() which creates debugfs entries without validating that a valid LAG context exists, exposing the members file and other interfaces that depend on a valid ldev pointer. EPSS exploitation probability is 0.02% (percentile 7%), indicating low real-world exploitation likelihood despite the vulnerability's availability for patching.
A denial of service vulnerability in the Linux kernel's mlx5 (Mellanox/NVIDIA) network driver causes a kernel panic when switchdev mode initialization fails during rollback to legacy mode. A local unprivileged user on systems with affected mlx5 hardware can trigger improper netdevice unregistration, leading to a kernel BUG at net/core/dev.c:12070 and system crash. The vulnerability affects multiple stable kernel versions; vendor-released patches are available.
Linux kernel BPF verifier incorrectly prunes execution paths due to imprecise state tracking in atomic fetch operations, allowing local attackers to bypass security checks in eBPF programs. The verifier's backtracking logic fails to mark stack slots as precise when BPF_ATOMIC instructions with BPF_FETCH modify both memory and destination registers, causing two legitimately different program states to be incorrectly considered equivalent during path pruning. Vendor patches available in kernel versions 6.19.12 and 7.0. EPSS score of 0.02% (5th percentile) indicates low probability of mass exploitation, though successful exploitation grants high confidentiality, integrity, and availability impact per CVSS 7.8.
Denial of service via null pointer dereference in Linux kernel gpio-qixis-fpga driver affects local users with limited privileges. The driver incorrectly checks for NULL return value from devm_regmap_init_mmio(), which returns ERR_PTR() on failure, allowing a local attacker with user-level privileges to trigger a kernel panic by causing improper error handling. EPSS score is low (0.02%), indicating limited exploitation probability despite CVSS 5.5 severity.
A use-after-free resource management flaw in the Linux kernel's Qualcomm AI accelerator (QAIC) driver allows local authenticated users to cause denial of service and potentially escalate privileges. When a DBC (Device Binding Context) owner process terminates before handling device-initiated deactivation messages, the kernel fails to release DBC resources, causing subsequent activation attempts to hang indefinitely and creating exploitable resource state inconsistencies. The vulnerability affects Linux kernel versions 6.4 through 6.19.12, with vendor patches available across multiple stable branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation or public POC has been identified.
Out-of-bounds memory read in Linux kernel io_uring subsystem allows local authenticated users to leak kernel memory or trigger denial of service. The vulnerability exists in io_uring's fixed buffer import logic when registering zero-length buffer regions, causing the bvec skip logic to read beyond allocated slab memory. Patches available across stable kernel branches (6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (4th percentile) indicates low likelihood of widespread exploitation. No active exploitation confirmed (not in CISA KEV), no public POC identified at time of analysis.
In the Linux kernel, the following vulnerability has been resolved: hwmon: (tps53679) Fix array access with zero-length block read i2c_smbus_read_block_data() can return 0, indicating a zero-length read. When this happens, tps53679_identify_chip() accesses buf[ret - 1] which is buf[-1], reading one byte before the buffer on the stack. Fix by changing the check from "ret < 0" to "ret <= 0", treating a zero-length read as an error (-EIO), which prevents the out-of-bounds array access. Also fix a typo in the adjacent comment: "if present" instead of duplicate "if".
In the Linux kernel, the following vulnerability has been resolved: spi: stm32-ospi: Fix resource leak in remove() callback The remove() callback returned early if pm_runtime_resume_and_get() failed, skipping the cleanup of spi controller and other resources. Remove the early return so cleanup completes regardless of PM resume result.
In the Linux kernel, the following vulnerability has been resolved: drm/xe/xe_pagefault: Disallow writes to read-only VMAs The page fault handler should reject write/atomic access to read only VMAs. Add code to handle this in xe_pagefault_service after the VMA lookup. v2: - Apply max line length (Matthew) (cherry picked from commit 714ee6754ac5fa3dc078856a196a6b124cd797a0)
A denial-of-service vulnerability in the Linux kernel's DRM/XE PXP (Protected Execution) driver causes an infinite loop when a restart flag is not cleared after a jump operation, allowing local authenticated users to hang or crash the system. The vulnerability affects multiple kernel versions through a logic error in the pxp_start function that was resolved in stable patches for Linux 6.18.22, 6.19.12, and 7.0.
In the Linux kernel, the following vulnerability has been resolved: spi: amlogic: spifc-a4: unregister ECC engine on probe failure and remove() callback aml_sfc_probe() registers the on-host NAND ECC engine, but teardown was missing from both probe unwind and remove-time cleanup. Add a devm cleanup action after successful registration so nand_ecc_unregister_on_host_hw_engine() runs automatically on probe failures and during device removal.
Out-of-bounds memory read in Linux kernel's Intel PMU (Performance Monitoring Unit) handling allows local authenticated attackers with low privileges to potentially access sensitive kernel memory, modify data, or cause system crashes. The flaw occurs when perf auto counter reload groups contain software events, triggering an unsafe container_of operation that can dereference memory outside valid bounds. EPSS exploitation probability is very low (0.02%, 4th percentile), and no public exploit or active exploitation has been identified at time of analysis. Patches available for kernel versions 6.18.22, 6.19.12, and 7.0.
In the Linux kernel, the following vulnerability has been resolved: drm/ioc32: stop speculation on the drm_compat_ioctl path The drm compat ioctl path takes a user controlled pointer, and then dereferences it into a table of function pointers, the signature method of spectre problems. Fix this up by calling array_index_nospec() on the index to the function pointer list.
A heap buffer overflow in the Linux kernel's wilc1000 WiFi driver allows local authenticated users to trigger memory corruption via crafted SSID scan requests. The driver miscalculates buffer size due to u8 integer overflow (330 bytes wrapping to 74), causing kmalloc to allocate 75 bytes while memcpy writes up to 331 bytes - a 256-byte overflow. Patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.03% (9th percentile) suggests low likelihood of widespread exploitation, and CISA KEV does not list this CVE, indicating no confirmed active exploitation at time of analysis.
Out-of-bounds read in Linux kernel iwlwifi driver allows adjacent network attackers to disclose sensitive kernel memory or trigger denial of service without authentication. The vulnerability affects the iwlwifi wireless driver's network detection match handler function, where insufficient packet length validation enables memcpy to read beyond allocated buffer boundaries. EPSS probability is low (0.02%, 7th percentile) and no active exploitation confirmed (not in CISA KEV). Vendor patches available across multiple kernel stable branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Stack buffer out-of-bounds read in Linux kernel ALSA snd_usb_caiaq driver allows local authenticated users to disclose kernel stack memory and potentially trigger denial of service. The vulnerability affects systems with USB audio devices using the caiaq driver when product names contain many non-ASCII characters. Present since kernel v2.6.31-rc1 (June 2009), this 16-year-old off-by-one error lacks null terminator validation during whitespace stripping. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Denial of service in the Linux kernel ALSA ctxfi audio driver allows local authenticated attackers to crash the system via improper error handling in the daio_device_index() function. The ctxfi driver failed to validate return values from index mapping operations, enabling a local user with standard privileges to trigger an unhandled error condition that disables audio functionality or causes system instability.
Out-of-bounds array access in Linux kernel ALSA ctxfi driver allows local authenticated users to achieve arbitrary code execution with high integrity and confidentiality impact. The flaw stems from improper SPDIF1 DAIO type handling in daio_device_index() for hw20k2 hardware, which returns -EINVAL instead of a valid index, leading to buffer overflow conditions (CWE-129). Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation activity; no CISA KEV listing or public POC identified at time of analysis.
Denial of service in Linux kernel ALSA ctxfi audio driver allows local authenticated attackers to crash the system via improper SPDIF1 enumeration during DAIO initialization on hw20k2 hardware. The vulnerability affects kernel versions 6.19 through 7.0 due to a refactoring that loops over all DAIO types including the hw20k2-incompatible SPDIF1 entry, triggering a kernel crash when the undefined hardware info is accessed. Patch available from Linux stable repositories.
Integer overflow in Linux kernel io_uring subsystem allows local authenticated users to trigger slab-out-of-bounds memory reads and denial of service. The vulnerability stems from improper type casting of user-supplied length values in network bundled receive/send operations, where values exceeding INT_MAX cause negative overflow leading to infinite loops and out-of-bounds array access. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. Vendor patches available for affected stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0), making this a straightforward patching priority for systems running vulnerable versions with io_uring enabled.
Incorrect authentication labeling in Linux kernel's Bluetooth SMP legacy pairing allows adjacent attackers to bypass security controls and gain high-level access without proper authentication. The flaw affects the Short Term Key (STK) derivation in Just Works/Confirm pairing modes, where keys are incorrectly marked as authenticated even when Man-in-the-Middle (MITM) protection was not established. With CVSS 8.8 (AV:A/AC:L/PR:N/UI:N), this enables adjacent network attackers to exploit Bluetooth pairing flows without authentication. EPSS score of 0.05% suggests low widespread exploitation likelihood. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Stack buffer overflow in Linux kernel Bluetooth subsystem allows local authenticated attackers to achieve code execution, privilege escalation, or denial of service through malformed ISO socket parameters. The vulnerability occurs when binding an ISO Bluetooth socket with up to 31 BIS entries while the hci_le_big_create_sync() function only allocates stack space for 17 entries, resulting in a 14-byte overflow that corrupts adjacent stack memory. Patches are available across multiple kernel versions (6.12.81, 6.18.22, 6.19.12, 7.0), with EPSS indicating 0.02% exploitation probability and no active exploitation confirmed.
Out-of-bounds memory read in Linux kernel Bluetooth HCI event processing allows adjacent network attackers to disclose kernel memory or trigger denial of service without authentication. The vulnerability stems from premature wake reason storage before per-event payload length validation, enabling crafted short HCI event frames to reach bacpy() operations before bounds checking. EPSS score is low (0.02%, 6th percentile) with no evidence of active exploitation or public POC at time of analysis. Vendor patches available for kernel versions 5.10+ through 6.19.12 and mainline 7.0.
Denial of service via divide-by-zero crash in the hwmon OCC (On-Chip Controller) power monitoring driver affects Linux kernels when the power sensor is queried before initial data samples are collected, typically during early boot. Local attackers with unprivileged user privileges can trigger a kernel panic by accessing the affected sysfs power attribute, causing system availability impact. CVSS 5.5 reflects local attack vector and low complexity; EPSS 0.02% indicates low real-world exploitation probability despite the straightforward trigger condition.
Use-after-free in Linux kernel GPIB subsystem allows local authenticated attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability occurs in IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers when concurrent IBCLOSEDEV calls free descriptors still in use by I/O operations. EPSS probability is very low (0.02%, 4th percentile), indicating minimal observed exploitation activity. Vendor patches available for stable branches 6.18.22, 6.19.12, and mainline 7.0 via commits cae26eff, 28c75dd1, and d1857f82.
Division-by-zero denial of service in Linux kernel's Intel i915 DRM driver when loading on certain machines with DSC (Display Stream Compression) enabled in command mode. The driver incorrectly applies horizontal timing adjustments based on compression ratio in command mode, causing line_time_us to become zero and triggering a kernel panic. Affects Linux kernel versions 5.6 and later; patch available via stable kernel releases.
Integer overflow in AMD GPU driver's user queue doorbell handling allows local authenticated users to corrupt kernel memory and potentially escalate privileges. The amdgpu driver fails to validate user-supplied doorbell_offset values before calculating buffer offsets, enabling out-of-bounds writes to kernel doorbell space. Patches available in Linux 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% (4th percentile) indicates low probability of mass exploitation, though CVSS 7.1 reflects serious local privilege escalation potential. No active exploitation confirmed; attack requires local authenticated access to systems with AMD GPU hardware.
Kernel NULL pointer dereference in AMD GPU driver on systems with 64KB page sizes allows local authenticated attackers to crash the system by triggering memory allocation mismatches between reserved trap area (8KB) and required allocation size (128KB) during GPU memory initialization. The vulnerability affects systems running ROCm workloads and causes denial of service when executing rocminfo or rccl unit tests on IBM POWER10 and similar 64K-page architectures. EPSS exploitation probability is very low (0.02%), and no public exploit code or active in-the-wild exploitation has been identified.
Out-of-bounds array access in the st_lsm6dsx IMU driver allows local authenticated users with low privileges to achieve high-impact code execution, data disclosure, or denial of service. The vulnerability exists in the buffer sampling frequency sysfs handler, which fails to validate sensor type before indexing a 2-entry array with sensor IDs beyond accelerometer and gyroscope. Exploitation requires write access to sysfs attributes for non-standard sensor types in the driver. EPSS exploitation probability is very low (0.02%, 5th percentile), no active exploitation confirmed, and vendor patches are available for Linux 6.19.12 and 7.0.
Denial of service in the Linux kernel's mpu3050 gyroscope driver allows local authenticated attackers to crash the system via incorrect IRQ handler cleanup during module unload. A mismatch between the registered IRQ handler (mpu3050->trig) and the handler passed to free_irq() (mpu3050) causes improper cleanup, leading to resource leaks and potential kernel panic when the device is removed or the driver is unloaded. No public exploit code identified; patch available across affected kernel series.
Resource leak in the Linux kernel MPU3050 gyro driver allows local authenticated users to cause denial of service through memory exhaustion by repeatedly triggering iio_trigger_register() failures that fail to release previously allocated interrupt handlers. The vulnerability affects multiple kernel versions and requires local access with unprivileged user privileges, resulting in potential system availability impact with low real-world exploitation likelihood (EPSS 0.02%).
Memory leak in the Linux kernel's GPIB lpvo_usb driver allows local authenticated users to cause a denial of service through resource exhaustion by repeatedly connecting and disconnecting USB devices, as the driver fails to release USB device references during interface enumeration. The EPSS score of 0.02% indicates minimal real-world exploitation risk despite the moderate CVSS 5.5 severity, reflecting the combination of local-only access requirement, authentication need, and the niche nature of GPIB USB device usage.
Double-free memory corruption in Linux kernel USB ULPI subsystem allows local authenticated attackers with low privileges to potentially achieve arbitrary code execution, denial of service, or information disclosure. The flaw exists in ulpi_register_interface() error handling since kernel 4.2 (commit 289fcff4b), where device_register() failure triggers cleanup via put_device() followed by redundant kfree(), corrupting kernel memory. Patches available across stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% suggests low likelihood of mass exploitation despite high CVSS 7.8, likely due to local attack vector and requirement for device registration failure conditions.
Use-after-free condition in Linux kernel USB Test and Measurement Class (USBTMC) driver allows local authenticated attackers to execute arbitrary code with elevated privileges. The vulnerability occurs when the usbtmc_release function fails to properly flush pending anchored URBs, leaving dangling references that can be exploited in the HCD giveback path. Vendor patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0). Despite the high CVSS score of 7.8, the EPSS exploitation probability is very low at 0.02% (7th percentile), indicating limited real-world targeting, and no active exploitation or public POC has been identified.
A memory leak in the Linux kernel's USB misc usbio driver allows local attackers with low privileges to cause a denial of service by exhausting kernel memory through repeated USB device probe failures. The vulnerability arises when usb_submit_urb() fails during device initialization, leaving allocated URB structures unreleased and accumulating with each failed probe attempt.
Denial of service in Linux kernel USB dwc2 gadget driver allows local authenticated users to trigger a deadlock via improper spin lock handling in dwc2_hsotg_udc_stop(). The vulnerability stems from a locking protocol violation where dwc2_gadget_exit_clock_gating() expects a held lock but is called without one, causing spin_unlock on an unheld lock followed by a lock held indefinitely, resulting in system hang. No public exploit code identified at time of analysis.
A denial of service condition in the Linux kernel's Cadence USB3 (cdns3) gadget driver occurs when gadget initialization fails, leaving the DRD hardware in gadget mode while software state remains inactive. Switching the device to USB host mode via sysfs triggers a synchronous external abort in the xHCI host controller setup, causing a kernel crash. Local authenticated users with access to the USB role-switch sysfs interface can trigger this condition, affecting Linux kernel versions 5.4 through current releases. A patch is available from the Linux kernel project.
In the Linux kernel, the following vulnerability has been resolved: auxdisplay: line-display: fix NULL dereference in linedisp_release linedisp_release() currently retrieves the enclosing struct linedisp via to_linedisp(). That lookup depends on the attachment list, but the attachment may already have been removed before put_device() invokes the release callback. This can happen in linedisp_unregister(), and can also be reached from some linedisp_register() error paths. In that case, to_linedisp() returns NULL and linedisp_release() dereferences it while freeing the display resources. The struct device released here is the embedded linedisp->dev used by linedisp_register(), so retrieve the enclosing object directly with container_of() instead.
Denial of service in the Linux kernel comedi dt2815 driver allows local authenticated users to crash the system by attaching the driver to arbitrary I/O addresses without actual hardware present via the COMEDI_DEVCONFIG ioctl. The vulnerability occurs when outb() operations are performed on non-existent hardware, triggering page faults under race conditions. A patch adding hardware detection via status register reads prevents the crash.
Memory leak in Linux kernel comedi subsystem allows local privileged users to exhaust kernel memory and cause denial of service. The vulnerability exists in do_cmd_ioctl() where chanlist memory is not properly freed when runflags is not set following an exceptional exit, due to incomplete reference counting logic introduced in commit 4e1da516debb. CVSS 5.5 (local, low complexity, requires user privilege) with EPSS 0.02% indicates this is a lower-priority local DoS affecting systems with comedi driver loaded and untrusted local users.
Null pointer dereference and invalid I/O port writes in the Linux kernel's comedi ni_atmio16d driver occur when the device attach handler fails, causing the detach handler to call reset_atmio16d() with uninitialized device state. Local privileged attackers can trigger a denial of service by causing attach to fail, resulting in kernel memory access violations or writes to address zero. No public exploit code or active exploitation has been identified; patch versions are available from the Linux kernel stable branches.
Buffer overflow in Linux kernel COMEDI me_daq driver allows local authenticated users to achieve arbitrary code execution with kernel privileges. The me2600_xilinx_download() function fails to validate firmware file length before reading data streams, enabling out-of-bounds memory access during firmware loading operations. Patches available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates low probability of widespread exploitation despite high CVSS 7.8 rating, and no active exploitation or public exploit code identified at time of analysis.
Out-of-bounds write in Linux kernel comedi me4000 driver firmware loader allows local authenticated users to achieve high-impact code execution, data corruption, or system crash. The me4000_xilinx_download() function blindly trusts firmware file format headers without validating buffer boundaries, reading a length field from the first 4 bytes and then reading that many bytes from offset 16 without checking total file size. Patch available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating. No public exploit code or active exploitation confirmed.
Memory leak in Linux kernel s390/zcrypt subsystem allows local authenticated attackers to exhaust memory resources by repeatedly using CCA cards as accelerators for clear key RSA requests (ME and CRT operations). The vulnerability stems from incomplete refactoring where AP message allocations via ap_init_apmsg() are not properly freed in two code paths, causing heap memory exhaustion over time and enabling denial of service on s390 systems with CCA cryptographic hardware.
Double-free memory corruption in the Linux kernel reset-gpio subsystem allows local authenticated users to escalate privileges or crash the system. The vulnerability exists in reset_add_gpio_aux_device() error handling since commit 5fc4e4cf7a22, where auxiliary_device_uninit() triggers a release callback that frees memory, but the error path then calls kfree() on the same pointer. Patches available for kernel versions 6.19.12+ and 7.0+. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. Not listed in CISA KEV; no public exploit identified at time of analysis.
Denial of service in Linux kernel energy model netlink handler allows local authenticated attackers to crash the system via NULL pointer dereference when requesting non-existent performance domain IDs. The dev_energymodel_nl_get_perf_domains_doit() function fails to validate the return value from em_perf_domain_get_by_id() before dereferencing the performance domain structure, causing immediate kernel panic when an invalid domain ID is supplied. EPSS exploitation probability is very low (0.02%, 5th percentile), and no public exploit code or active exploitation has been identified.
Memory corruption in the Linux kernel zynqmp_nvmem driver allows local authenticated users to achieve privilege escalation through undersized DMA buffer exploitation. The vulnerability stems from incorrect buffer size calculations in dma_alloc_coherent and memcpy operations, enabling heap or memory corruption that can lead to complete system compromise. With a 7.8 CVSS score but only 0.02% EPSS (5th percentile), this represents a high-severity issue affecting specific Xilinx Zynq UltraScale+ deployments rather than a widespread exploitation target. Patches available across multiple stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0) with upstream fixes confirmed in git commits.
Memory corruption in the Linux kernel virtual terminal (vt) subsystem allows local authenticated users to trigger kernel crashes and potentially escalate privileges. When a console switches to an alternate screen and then gets resized, the saved Unicode buffer retains stale dimensions. Upon returning to the primary screen, operations like screen clearing (csi_J) access memory out of bounds using current dimensions against the old buffer, causing kernel oops. EPSS exploitation probability is low (0.02%, 4th percentile), no active exploitation confirmed, but vendor patches are available across multiple stable kernel branches (5.x, 6.18.x, 6.19.x).
Denial of service via runtime PM usage count underflow in the rz-mtu3-cnt counter driver allows local privileged users to disable hardware counters and trigger kernel warnings by repeatedly writing to the sysfs enable file. Multiple writes of the same value (0 or 1) to the enable attribute cause the runtime PM reference count to become misaligned with actual hardware state, leading to register access with clocks disabled and potential PWM channel conflicts. EPSS exploitation probability is minimal (0.02%) despite local access requirement, indicating this is primarily a local reliability issue rather than a remote attack vector.
Denial of service in Linux kernel counter driver (rz-mtu3-cnt) allows local attackers with low privileges to crash the system by exploiting a race condition where counter and PWM sub-drivers overwrite a shared device pointer, causing incorrect runtime power management operations. The vulnerability affects kernel versions prior to specific patch levels across the 6.x and 7.x branches, with EPSS exploitation probability of 0.02% indicating low real-world exploitation likelihood despite the availability of a vendor patch.
Missing CRYPTO_ALG_ASYNC flag in Linux kernel's Tegra crypto driver causes the crypto API to incorrectly select asynchronous algorithms for synchronous-only requests, resulting in system crashes. This affects Tegra-based Linux systems (typically NVIDIA Jetson devices) running kernel versions 6.10 through early 7.0 development branches. Vendor patches are available across stable branches (6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation probability, and no active exploitation or public POC has been identified. The CVSS vector (AV:N/AC:L/PR:L/UI:N) suggests network-based exploitation requiring authenticated access, though this conflicts with the technical nature of a local driver configuration bug.
Denial of service in Linux kernel VXLAN module allows local authenticated attackers to crash the system via malformed IPv6 neighbor discovery options in vxlan_na_create(). A crafted ND option with incorrect length values can cause out-of-bounds access or undersized payload reads, triggering a kernel panic. EPSS exploitation probability is low at 0.02%, but the vulnerability is confirmed patched across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12).
Denial of service via NULL pointer dereference in the MediaTek Ethernet PPE (packet processing engine) driver occurs when gmac0 (the primary ethernet interface) is disabled on affected systems. A local authenticated attacker can trigger a kernel crash by sending traffic through the networking stack when the driver incorrectly checks for a valid ingress device without verifying if the first network device pointer is actually initialized. The vulnerability affects Linux kernel versions prior to fixes released in stable branches 6.18.22, 6.12.81, 6.19.12, and 7.0.
Linux kernel IOMMU page table unmapping operations fail to invalidate extended memory regions when unmapping lands mid-entry in large/contiguous mappings, causing stale TLB entries. Affects kernel 6.19 through pre-7.0 versions with IOMMU subsystem enabled. Local authenticated attackers with low privileges can potentially access unmapped memory or escalate privileges by exploiting incomplete invalidations during IOMMU unmap operations. EPSS score of 0.02% (5th percentile) suggests minimal real-world exploitation likelihood. No public exploit identified at time of analysis, though vendor acknowledges theoretical risk is low as 'nothing relies on unmapping a large entry.' Vendor-released patches available for stable branches.
Denial of service in Linux kernel scheduler extension (sched_ext) allows local privileged attackers to crash systems by triggering incorrect task migration validation. The vulnerability exists in the is_bpf_migration_disabled() function, which fails to correctly identify migration-disabled tasks on non-PREEMPT_RCU configurations, potentially dispatching such tasks to remote CPUs and triggering kernel errors in task_can_run_on_remote_rq(). EPSS exploitation probability is very low at 0.02%, but CVSS 5.5 indicates local attackers with standard user privileges can cause denial of service.
A denial of service condition in the Linux kernel scheduler extension (sched_ext) subsystem allows local authenticated attackers to trigger a kernel warning and potential crash via improper handling of stale direct dispatch state in the ddsp_dsq_id field. When a task's direct dispatch verdict is not properly cleared across all code paths that consume or cancel such verdicts, a subsequent wakeup operation calling ops.select_cpu() with scx_bpf_dsq_insert() triggers a spurious WARN_ON_ONCE() in mark_direct_dispatch(), exposing the availability impact of the vulnerability. The issue affects Linux kernels with sched_ext enabled and requires local access with low privilege (non-root user capable of triggering task scheduling operations).
Use-after-free in Linux kernel thermal subsystem allows local attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability stems from race conditions between thermal zone removal and power management resume operations, where delayed work items can continue executing after thermal zone objects are freed. EPSS score of 0.02% (5th percentile) suggests low probability of mass exploitation despite high CVSS severity. Vendor patches available across multiple stable kernel branches (6.12.83, 6.18.22, 6.19.12, 7.0) via upstream commits. No active exploitation confirmed in CISA KEV at time of analysis.
Double-free memory corruption in the Linux kernel's fastrpc driver allows local attackers with low privileges to achieve high-impact code execution, privilege escalation, or denial of service. The vulnerability occurs when fastrpc_init_create_static_process() fails to nullify a freed heap pointer (cctx->remote_heap) in its error path, enabling fastrpc_rpmsg_remove() to free the same memory twice during device removal. Patches available across kernel versions 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% indicates low observed exploitation probability, with no active exploitation confirmed at time of analysis.
Buffer overflow in Linux kernel's ksmbd SMB server allows authenticated remote attackers to trigger ~8 MB heap allocation from manipulated NTACL xattr values, potentially leading to memory exhaustion, information disclosure via uninitialized heap memory, or code execution. Exploitation requires low-privilege SMB authentication plus ability to corrupt backing filesystem metadata (offline xattr tampering or race condition). EPSS score of 0.02% indicates minimal observed exploitation activity. Vendor patches available across multiple stable kernel branches (6.12.84, 6.18.25, 7.0.2, 7.1-rc1).
Use-after-free in Linux kernel virt_wifi driver allows local authenticated users to trigger memory corruption during ethtool operations on virtual WiFi devices being unregistered. The vulnerability stems from improper device parent reference handling via SET_NETDEV_DEV, where ethnl_ops_begin() calls pm_runtime_get_sync() on already-freed memory when a virt_wifi device unregisters concurrently with ethtool operations. Patches are available across multiple stable kernel branches (5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploit identified at time of analysis, though CVSS 7.8 reflects potential for complete system compromise if successfully triggered.
Use-after-free in Linux kernel's MANA network driver allows local authenticated attackers to corrupt memory and potentially execute code with kernel privileges. The flaw occurs when auxiliary_device_add() fails in add_adev(), triggering cleanup that frees memory still referenced by subsequent error-handling code. Patches available across stable kernel branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. No CISA KEV listing or public exploit identified at time of analysis.
Uninitialized memory in the Linux kernel SCSI target subsystem (target_core_file) causes write operations to fail unpredictably when bogus ki_write_stream values trigger block device validation checks. Affected versions span Linux kernel 6.16 through development branches, with stable patches released for 6.18.22, 6.19.12, and 7.0. While CVSS scores this as 7.5 High with network vector (AV:N), the description indicates a local kernel subsystem issue affecting SCSI target configurations, suggesting a vector/impact mismatch. EPSS probability is very low (0.02%, 4th percentile) with no evidence of active exploitation or public POC, indicating minimal real-world targeting despite the high CVSS score.
tcm_loop target reset handler fails to drain in-flight SCSI commands, violating SCSI error handling contract and causing LUN reference leaks that deadlock configfs LUN unlink operations. Local users with appropriate privileges can trigger denial of service by initiating reset sequences while SCSI commands are in flight, leaving the kernel in an unkillable D-state waiting for LUN reference counts to clear. This is a local denial of service affecting the SCSI target core's tcm_loop loopback driver across multiple kernel versions.
XFS filesystem crashes during log recovery when inodes with node-format extended attributes are inactivated following an untimely log shutdown, due to stale metadata block references in the attribute B-tree. Unprivileged local attackers with write access to XFS filesystems can trigger this denial-of-service condition by inducing log shutdown during extended attribute cleanup, causing the filesystem to unmount and require repair. The vulnerability affects Linux kernel versions prior to 6.19.12 and later stable branches.
An out-of-bounds read vulnerability in the Linux kernel's Wacom HID driver (wacom_intuos_bt_irq function) allows adjacent network attackers to cause information disclosure or denial of service through maliciously crafted short Bluetooth HID reports. The vulnerability affects the Bluetooth interface of Wacom Intuos tablets, where report types 0x03 and 0x04 are processed without validating minimum lengths (22 and 32 bytes respectively), enabling memory reads beyond buffer boundaries. Patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) with no active exploitation confirmed (EPSS 0.02%, not in CISA KEV).
Race condition in Linux kernel ATM LEC driver allows local attackers with low privileges to trigger use-after-free memory corruption in sock_def_readable(), potentially achieving arbitrary code execution, privilege escalation, or denial of service. The flaw affects systems using ATM (Asynchronous Transfer Mode) LAN Emulation Client functionality, present since Linux kernel version 2.4 (commit 1da177e4c3f4). EPSS score of 0.02% (7th percentile) suggests low probability of mass exploitation. Vendor patches available across all maintained stable branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). Not listed in CISA KEV; no public exploit code identified at time of analysis.
Use-after-free in Linux kernel HID subsystem allows local attackers with low privileges to achieve arbitrary code execution, privilege escalation, or denial of service when force feedback initialization fails on Logitech G920 racing wheels. The vulnerability occurs when userspace continues accessing freed memory structures (sysfs and /dev/input) after initialization errors. Vendor patches available across multiple stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates very low probability of mass exploitation, consistent with hardware-specific local attack surface requiring physical device presence.
Adjacent network attackers can achieve high-severity code execution, information disclosure, or denial of service in the Linux kernel HID (Human Interface Device) subsystem by exploiting a bounds-checking flaw in hid_report_raw_event(). A bogus memset() operation intended to zero unused buffer space instead creates out-of-bounds read/write conditions when processing malformed HID input reports from adjacent devices (USB, Bluetooth). Vendor patches available for stable branches 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% suggests minimal observed exploitation, but the unauthenticated adjacent-network attack vector with low complexity makes this exploitable in environments with untrusted HID peripherals.
Out-of-bounds memory writes in Linux kernel HID multitouch driver allow local authenticated users to achieve code execution or crash systems via malicious USB/HID devices. The vulnerability exists in the HID multitouch report parsing logic where mismatched report IDs in feature requests can confuse the HID core. Vendor-released patches are available across multiple kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score is low (0.02%, 7th percentile), indicating minimal observed exploitation attempts. No public exploit code identified at time of analysis.
Kernel denial of service via crafted btrfs metadata allowing local attackers to trigger an unguarded BUG_ON() condition during relocation recovery at mount time. The vulnerability arises when a root item on disk contains a non-zero drop_progress with zero drop_level, an invalid state that should not exist but lacks validation on read. CVSS 5.5 reflects local attack vector and availability impact; EPSS 0.02% indicates minimal real-world exploitation likelihood.
Memory corruption and page reference leaks in the Linux kernel mshv (Microsoft Hyper-V) module occur when pin_user_pages_fast() returns a partial pin count, which the current code incorrectly treats as success. A local authenticated attacker with privileges can trigger this vulnerability to corrupt memory or cause denial of service on systems using the mshv module, particularly in Hyper-V guest environments.
Memory corruption in the Linux kernel CAAM (Cryptographic Acceleration and Assurance Module) crypto driver allows local authenticated users to corrupt kernel memory and potentially escalate privileges. The vulnerability occurs when HMAC keys longer than the hash block size are processed - the driver allocates a DMA-aligned buffer size but fails to use it, causing the hashed key to overwrite adjacent memory. Vendor patches are available for stable kernel versions 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.
Denial of service in the Linux kernel AF_ALG crypto interface allows local authenticated attackers to trigger a NULL pointer dereference and kernel panic by sending sequential sendmsg() calls that cause scatter-gather list chain operations to fail to properly unmark SGL boundaries. The vulnerability occurs when AF_ALG allocates chained SGL structures without clearing end markers on previous entries, causing the crypto scatterwalk to encounter premature termination and dereference NULL pointers. CVSS 5.5 (AV:L/AC:L/PR:L) reflects local-only attack requirement with low complexity; EPSS 0.02% (7th percentile) indicates minimal real-world exploitation risk despite kernel panic severity.
Race condition in Linux kernel MPLS subsystem allows local authenticated users to trigger out-of-bounds memory access via concurrent label table resizing. The vulnerability affects RCU-protected codepaths (mpls_forward, mpls_dump_routes) that can obtain inconsistent snapshots of platform_labels array metadata during resize operations, potentially leading to information disclosure or denial of service. Vendor patch available addressing the issue through seqcount-based synchronization. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability, and no active exploitation or public POC identified.
In the Linux kernel, the following vulnerability has been resolved: net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak __radix_tree_create() allocates and links intermediate nodes into the tree one by one. If a subsequent allocation fails, the already-linked nodes remain in the tree with no corresponding leaf entry. These orphaned internal nodes are never reclaimed because radix_tree_for_each_slot() only visits slots containing leaf values. The radix_tree API is deprecated in favor of xarray. As suggested by Matthew Wilcox, migrate qrtr_tx_flow from radix_tree to xarray instead of fixing the radix_tree itself [1]. xarray properly handles cleanup of internal nodes - xa_destroy() frees all internal xarray nodes when the qrtr_node is released, preventing the leak. [1] https://lore.kernel.org/all/20260225071623.41275-1-jiayuan.chen@linux.dev/T/
Remote code execution and information disclosure in Linux Kernel's TI ICSSG PRU Ethernet driver allows unauthenticated network attackers to leak kernel heap memory to userspace and potentially corrupt page_pool state. The zero-copy RX dispatch path fails to copy received packet data into newly allocated skbs, instead forwarding uninitialized heap memory up the network stack. Vendor patches available for kernel 6.19.12 and 7.0. EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity despite critical CVSS 9.8 rating and network attack vector.
Linux kernel GSO feature check reads uninitialized IPv4 header data when processing packets from PF_PACKET paths, causing kernel memory disclosure or denial of service. The vulnerability affects multiple kernel versions before 6.12.81, 6.19.12, and 7.0, and requires local user access to trigger via raw packet injection.
A local denial of service vulnerability in the Linux kernel bnxt_en driver allows authenticated local users to crash the system by triggering an out-of-bounds array access during backing store capability queries. The vulnerability stems from incorrect use of firmware-provided type values to index fixed metadata arrays, rather than using the known loop iteration index. Exploitation requires local access and user-level privileges (PR:L), and no active exploitation has been reported.
Denial of service in the Linux kernel NFC PN533 UART driver allows local authenticated attackers to exhaust memory by sending malformed NFC frames without valid headers, causing unbounded socket buffer growth until kernel crash. Affects Linux 5.5 through 7.0 with patches available across all maintained stable branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0); EPSS exploitation probability is minimal at 0.02%, but local privilege is required.
Linux kernel axienet driver can permanently stall network transmit queues due to incorrect Byte Queue Limits (BQL) accounting when scatter-gather TX packets span multiple NAPI polls. When a multi-buffer-descriptor packet completes across different polling cycles, only partial byte counts are credited to BQL, causing the subsystem to incorrectly believe bytes remain in-flight indefinitely and halting transmission. Vendor patches available for stable branches (6.18.22, 6.19.12, 7.0). EPSS exploitation probability is 2% (4th percentile), no active exploitation confirmed, indicating low real-world targeting despite the 7.5 CVSS score.
Denial of service via soft lockup in Linux kernel MPTCP (Multipath TCP) receive function allows remote unauthenticated attackers to lock up a CPU core indefinitely when applications use MSG_PEEK with MSG_WAITALL flags. The vulnerability stems from improper handling of peeked socket buffers that remain in the receive queue, causing sk_wait_data() to never actually wait and spinning in an infinite loop. EPSS score is low (0.02%, 4th percentile) indicating minimal observed exploitation probability. Vendor patches available for kernel versions 6.18.x and 6.19.x series.
Race condition in the Linux kernel's Bluetooth SCO socket implementation allows local authenticated users to trigger use-after-free and memory corruption via concurrent connect() syscalls on the same socket. The vulnerability affects the sco_sock_connect() function which fails to properly serialize state checks, enabling two threads to simultaneously progress through connection setup on a socket already marked for cleanup, leading to double-free conditions and connection object leaks. Vendor-released patches are available for kernel versions 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% indicates very low observed exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis.
Local privilege escalation in Linux kernel Bluetooth subsystem allows authenticated local users to cause denial of service through improper resource management in hci_cmd_sync_queue_once() function. The vulnerability affects Bluetooth HCI synchronization queue handling, where the function fails to properly indicate queue item addition status, leading to potential resource leaks and system unavailability. EPSS score of 0.02% indicates minimal real-world exploitation probability despite moderate CVSS severity.
Memory and reference leaks in the Linux kernel Bluetooth hci_sync subsystem allow local authenticated attackers to cause denial of service by triggering hci_cmd_sync_queue_once() failures without invoking the destroy callback, leading to unreclaimed resources. The vulnerability affects Linux kernel versions prior to 6.19.12 and 7.0, with EPSS score of 0.02% indicating very low real-world exploitation probability despite moderate CVSS score.
Stack buffer overflow in Linux kernel Bluetooth MGMT subsystem allows local authenticated attackers to execute arbitrary code with elevated privileges. The vulnerability stems from insufficient validation of the encryption key size (enc_size) parameter when loading Long Term Keys (LTKs) via the Bluetooth management interface. When processing LE LTK requests, the kernel uses the attacker-controlled enc_size value to perform stack operations against a fixed 16-byte buffer, enabling stack corruption through oversized values. Vendor-released patches are available across all active kernel branches. EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploit has been identified at time of analysis, though the attack complexity is low once local authenticated access is obtained.
Use-after-free in Linux Kernel Bluetooth stack allows adjacent network attackers to execute arbitrary code, escalate privileges, or cause denial of service without authentication. The vulnerability exists in hci_le_remote_conn_param_req_evt where hci_conn lookup and field access occurs outside the hdev lock protection, enabling concurrent memory corruption. Patches are available across multiple stable kernel branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0). EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.
Linux kernel Bluetooth MGMT subsystem fails to validate the advertised data length field in mesh send operations, allowing local authenticated attackers to trigger denial of service by reading beyond allocated buffer boundaries. The vulnerability affects the mesh_send() function which accepts a truncated MGMT_OP_MESH_SEND command that passes length checks but contains mismatched adv_data_len and actual payload, leading to out-of-bounds access during async mesh transmission. Patch versions include 6.6.134, 6.12.81, 6.1.168, 6.18.22, and 7.0.
Use-after-free in Linux kernel's BPF sockmap implementation allows local authenticated attackers to corrupt memory and potentially execute arbitrary code with kernel privileges. The vulnerability occurs in sk_psock_verdict_data_ready() when handling AF_UNIX sockets, where sk->sk_socket can be accessed after being freed following sock_orphan(). This affects Linux kernel versions 5.15 through 6.19.12, with patches available for stable branches 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% indicates very low observed exploitation probability in the wild, and no active exploitation or public exploit code has been identified at time of analysis.
Use-after-free in Linux kernel macb driver allows local authenticated attackers to cause denial of service or potentially escalate privileges during module removal. The vulnerability occurs in the PCI glue driver when platform_device_unregister() triggers a runtime resume callback that attempts to access already-freed clock structures. EPSS score is low (0.02%) with no evidence of active exploitation. Vendor patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0).
Memory leak in the MACB (Cadence Gigabit Ethernet Controller) driver allows local authenticated attackers to cause denial of service through resource exhaustion by failing to unregister fixed-rate clocks allocated during device probe, resulting in memory and clock resource depletion. EPSS exploitation probability is minimal at 0.02%, indicating low real-world risk despite CVSS score of 5.5. Patch versions are available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Null pointer dereference in Linux kernel net/mlx5 LAG (Link Aggregation) driver allows local authenticated attackers to cause denial of service by accessing debugfs interfaces when LAG device context is invalid. The vulnerability exists in mlx5_ldev_add_debugfs() which creates debugfs entries without validating that a valid LAG context exists, exposing the members file and other interfaces that depend on a valid ldev pointer. EPSS exploitation probability is 0.02% (percentile 7%), indicating low real-world exploitation likelihood despite the vulnerability's availability for patching.
A denial of service vulnerability in the Linux kernel's mlx5 (Mellanox/NVIDIA) network driver causes a kernel panic when switchdev mode initialization fails during rollback to legacy mode. A local unprivileged user on systems with affected mlx5 hardware can trigger improper netdevice unregistration, leading to a kernel BUG at net/core/dev.c:12070 and system crash. The vulnerability affects multiple stable kernel versions; vendor-released patches are available.
Linux kernel BPF verifier incorrectly prunes execution paths due to imprecise state tracking in atomic fetch operations, allowing local attackers to bypass security checks in eBPF programs. The verifier's backtracking logic fails to mark stack slots as precise when BPF_ATOMIC instructions with BPF_FETCH modify both memory and destination registers, causing two legitimately different program states to be incorrectly considered equivalent during path pruning. Vendor patches available in kernel versions 6.19.12 and 7.0. EPSS score of 0.02% (5th percentile) indicates low probability of mass exploitation, though successful exploitation grants high confidentiality, integrity, and availability impact per CVSS 7.8.
Denial of service via null pointer dereference in Linux kernel gpio-qixis-fpga driver affects local users with limited privileges. The driver incorrectly checks for NULL return value from devm_regmap_init_mmio(), which returns ERR_PTR() on failure, allowing a local attacker with user-level privileges to trigger a kernel panic by causing improper error handling. EPSS score is low (0.02%), indicating limited exploitation probability despite CVSS 5.5 severity.
A use-after-free resource management flaw in the Linux kernel's Qualcomm AI accelerator (QAIC) driver allows local authenticated users to cause denial of service and potentially escalate privileges. When a DBC (Device Binding Context) owner process terminates before handling device-initiated deactivation messages, the kernel fails to release DBC resources, causing subsequent activation attempts to hang indefinitely and creating exploitable resource state inconsistencies. The vulnerability affects Linux kernel versions 6.4 through 6.19.12, with vendor patches available across multiple stable branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation or public POC has been identified.
Out-of-bounds memory read in Linux kernel io_uring subsystem allows local authenticated users to leak kernel memory or trigger denial of service. The vulnerability exists in io_uring's fixed buffer import logic when registering zero-length buffer regions, causing the bvec skip logic to read beyond allocated slab memory. Patches available across stable kernel branches (6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (4th percentile) indicates low likelihood of widespread exploitation. No active exploitation confirmed (not in CISA KEV), no public POC identified at time of analysis.
In the Linux kernel, the following vulnerability has been resolved: hwmon: (tps53679) Fix array access with zero-length block read i2c_smbus_read_block_data() can return 0, indicating a zero-length read. When this happens, tps53679_identify_chip() accesses buf[ret - 1] which is buf[-1], reading one byte before the buffer on the stack. Fix by changing the check from "ret < 0" to "ret <= 0", treating a zero-length read as an error (-EIO), which prevents the out-of-bounds array access. Also fix a typo in the adjacent comment: "if present" instead of duplicate "if".
In the Linux kernel, the following vulnerability has been resolved: spi: stm32-ospi: Fix resource leak in remove() callback The remove() callback returned early if pm_runtime_resume_and_get() failed, skipping the cleanup of spi controller and other resources. Remove the early return so cleanup completes regardless of PM resume result.
In the Linux kernel, the following vulnerability has been resolved: drm/xe/xe_pagefault: Disallow writes to read-only VMAs The page fault handler should reject write/atomic access to read only VMAs. Add code to handle this in xe_pagefault_service after the VMA lookup. v2: - Apply max line length (Matthew) (cherry picked from commit 714ee6754ac5fa3dc078856a196a6b124cd797a0)
A denial-of-service vulnerability in the Linux kernel's DRM/XE PXP (Protected Execution) driver causes an infinite loop when a restart flag is not cleared after a jump operation, allowing local authenticated users to hang or crash the system. The vulnerability affects multiple kernel versions through a logic error in the pxp_start function that was resolved in stable patches for Linux 6.18.22, 6.19.12, and 7.0.
In the Linux kernel, the following vulnerability has been resolved: spi: amlogic: spifc-a4: unregister ECC engine on probe failure and remove() callback aml_sfc_probe() registers the on-host NAND ECC engine, but teardown was missing from both probe unwind and remove-time cleanup. Add a devm cleanup action after successful registration so nand_ecc_unregister_on_host_hw_engine() runs automatically on probe failures and during device removal.
Out-of-bounds memory read in Linux kernel's Intel PMU (Performance Monitoring Unit) handling allows local authenticated attackers with low privileges to potentially access sensitive kernel memory, modify data, or cause system crashes. The flaw occurs when perf auto counter reload groups contain software events, triggering an unsafe container_of operation that can dereference memory outside valid bounds. EPSS exploitation probability is very low (0.02%, 4th percentile), and no public exploit or active exploitation has been identified at time of analysis. Patches available for kernel versions 6.18.22, 6.19.12, and 7.0.
In the Linux kernel, the following vulnerability has been resolved: drm/ioc32: stop speculation on the drm_compat_ioctl path The drm compat ioctl path takes a user controlled pointer, and then dereferences it into a table of function pointers, the signature method of spectre problems. Fix this up by calling array_index_nospec() on the index to the function pointer list.
A heap buffer overflow in the Linux kernel's wilc1000 WiFi driver allows local authenticated users to trigger memory corruption via crafted SSID scan requests. The driver miscalculates buffer size due to u8 integer overflow (330 bytes wrapping to 74), causing kmalloc to allocate 75 bytes while memcpy writes up to 331 bytes - a 256-byte overflow. Patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.03% (9th percentile) suggests low likelihood of widespread exploitation, and CISA KEV does not list this CVE, indicating no confirmed active exploitation at time of analysis.
Out-of-bounds read in Linux kernel iwlwifi driver allows adjacent network attackers to disclose sensitive kernel memory or trigger denial of service without authentication. The vulnerability affects the iwlwifi wireless driver's network detection match handler function, where insufficient packet length validation enables memcpy to read beyond allocated buffer boundaries. EPSS probability is low (0.02%, 7th percentile) and no active exploitation confirmed (not in CISA KEV). Vendor patches available across multiple kernel stable branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Stack buffer out-of-bounds read in Linux kernel ALSA snd_usb_caiaq driver allows local authenticated users to disclose kernel stack memory and potentially trigger denial of service. The vulnerability affects systems with USB audio devices using the caiaq driver when product names contain many non-ASCII characters. Present since kernel v2.6.31-rc1 (June 2009), this 16-year-old off-by-one error lacks null terminator validation during whitespace stripping. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Denial of service in the Linux kernel ALSA ctxfi audio driver allows local authenticated attackers to crash the system via improper error handling in the daio_device_index() function. The ctxfi driver failed to validate return values from index mapping operations, enabling a local user with standard privileges to trigger an unhandled error condition that disables audio functionality or causes system instability.
Out-of-bounds array access in Linux kernel ALSA ctxfi driver allows local authenticated users to achieve arbitrary code execution with high integrity and confidentiality impact. The flaw stems from improper SPDIF1 DAIO type handling in daio_device_index() for hw20k2 hardware, which returns -EINVAL instead of a valid index, leading to buffer overflow conditions (CWE-129). Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation activity; no CISA KEV listing or public POC identified at time of analysis.
Denial of service in Linux kernel ALSA ctxfi audio driver allows local authenticated attackers to crash the system via improper SPDIF1 enumeration during DAIO initialization on hw20k2 hardware. The vulnerability affects kernel versions 6.19 through 7.0 due to a refactoring that loops over all DAIO types including the hw20k2-incompatible SPDIF1 entry, triggering a kernel crash when the undefined hardware info is accessed. Patch available from Linux stable repositories.
Integer overflow in Linux kernel io_uring subsystem allows local authenticated users to trigger slab-out-of-bounds memory reads and denial of service. The vulnerability stems from improper type casting of user-supplied length values in network bundled receive/send operations, where values exceeding INT_MAX cause negative overflow leading to infinite loops and out-of-bounds array access. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. Vendor patches available for affected stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0), making this a straightforward patching priority for systems running vulnerable versions with io_uring enabled.
Incorrect authentication labeling in Linux kernel's Bluetooth SMP legacy pairing allows adjacent attackers to bypass security controls and gain high-level access without proper authentication. The flaw affects the Short Term Key (STK) derivation in Just Works/Confirm pairing modes, where keys are incorrectly marked as authenticated even when Man-in-the-Middle (MITM) protection was not established. With CVSS 8.8 (AV:A/AC:L/PR:N/UI:N), this enables adjacent network attackers to exploit Bluetooth pairing flows without authentication. EPSS score of 0.05% suggests low widespread exploitation likelihood. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Stack buffer overflow in Linux kernel Bluetooth subsystem allows local authenticated attackers to achieve code execution, privilege escalation, or denial of service through malformed ISO socket parameters. The vulnerability occurs when binding an ISO Bluetooth socket with up to 31 BIS entries while the hci_le_big_create_sync() function only allocates stack space for 17 entries, resulting in a 14-byte overflow that corrupts adjacent stack memory. Patches are available across multiple kernel versions (6.12.81, 6.18.22, 6.19.12, 7.0), with EPSS indicating 0.02% exploitation probability and no active exploitation confirmed.
Out-of-bounds memory read in Linux kernel Bluetooth HCI event processing allows adjacent network attackers to disclose kernel memory or trigger denial of service without authentication. The vulnerability stems from premature wake reason storage before per-event payload length validation, enabling crafted short HCI event frames to reach bacpy() operations before bounds checking. EPSS score is low (0.02%, 6th percentile) with no evidence of active exploitation or public POC at time of analysis. Vendor patches available for kernel versions 5.10+ through 6.19.12 and mainline 7.0.
Denial of service via divide-by-zero crash in the hwmon OCC (On-Chip Controller) power monitoring driver affects Linux kernels when the power sensor is queried before initial data samples are collected, typically during early boot. Local attackers with unprivileged user privileges can trigger a kernel panic by accessing the affected sysfs power attribute, causing system availability impact. CVSS 5.5 reflects local attack vector and low complexity; EPSS 0.02% indicates low real-world exploitation probability despite the straightforward trigger condition.
Use-after-free in Linux kernel GPIB subsystem allows local authenticated attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability occurs in IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers when concurrent IBCLOSEDEV calls free descriptors still in use by I/O operations. EPSS probability is very low (0.02%, 4th percentile), indicating minimal observed exploitation activity. Vendor patches available for stable branches 6.18.22, 6.19.12, and mainline 7.0 via commits cae26eff, 28c75dd1, and d1857f82.
Division-by-zero denial of service in Linux kernel's Intel i915 DRM driver when loading on certain machines with DSC (Display Stream Compression) enabled in command mode. The driver incorrectly applies horizontal timing adjustments based on compression ratio in command mode, causing line_time_us to become zero and triggering a kernel panic. Affects Linux kernel versions 5.6 and later; patch available via stable kernel releases.
Integer overflow in AMD GPU driver's user queue doorbell handling allows local authenticated users to corrupt kernel memory and potentially escalate privileges. The amdgpu driver fails to validate user-supplied doorbell_offset values before calculating buffer offsets, enabling out-of-bounds writes to kernel doorbell space. Patches available in Linux 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% (4th percentile) indicates low probability of mass exploitation, though CVSS 7.1 reflects serious local privilege escalation potential. No active exploitation confirmed; attack requires local authenticated access to systems with AMD GPU hardware.
Kernel NULL pointer dereference in AMD GPU driver on systems with 64KB page sizes allows local authenticated attackers to crash the system by triggering memory allocation mismatches between reserved trap area (8KB) and required allocation size (128KB) during GPU memory initialization. The vulnerability affects systems running ROCm workloads and causes denial of service when executing rocminfo or rccl unit tests on IBM POWER10 and similar 64K-page architectures. EPSS exploitation probability is very low (0.02%), and no public exploit code or active in-the-wild exploitation has been identified.
Out-of-bounds array access in the st_lsm6dsx IMU driver allows local authenticated users with low privileges to achieve high-impact code execution, data disclosure, or denial of service. The vulnerability exists in the buffer sampling frequency sysfs handler, which fails to validate sensor type before indexing a 2-entry array with sensor IDs beyond accelerometer and gyroscope. Exploitation requires write access to sysfs attributes for non-standard sensor types in the driver. EPSS exploitation probability is very low (0.02%, 5th percentile), no active exploitation confirmed, and vendor patches are available for Linux 6.19.12 and 7.0.
Denial of service in the Linux kernel's mpu3050 gyroscope driver allows local authenticated attackers to crash the system via incorrect IRQ handler cleanup during module unload. A mismatch between the registered IRQ handler (mpu3050->trig) and the handler passed to free_irq() (mpu3050) causes improper cleanup, leading to resource leaks and potential kernel panic when the device is removed or the driver is unloaded. No public exploit code identified; patch available across affected kernel series.
Resource leak in the Linux kernel MPU3050 gyro driver allows local authenticated users to cause denial of service through memory exhaustion by repeatedly triggering iio_trigger_register() failures that fail to release previously allocated interrupt handlers. The vulnerability affects multiple kernel versions and requires local access with unprivileged user privileges, resulting in potential system availability impact with low real-world exploitation likelihood (EPSS 0.02%).
Memory leak in the Linux kernel's GPIB lpvo_usb driver allows local authenticated users to cause a denial of service through resource exhaustion by repeatedly connecting and disconnecting USB devices, as the driver fails to release USB device references during interface enumeration. The EPSS score of 0.02% indicates minimal real-world exploitation risk despite the moderate CVSS 5.5 severity, reflecting the combination of local-only access requirement, authentication need, and the niche nature of GPIB USB device usage.
Double-free memory corruption in Linux kernel USB ULPI subsystem allows local authenticated attackers with low privileges to potentially achieve arbitrary code execution, denial of service, or information disclosure. The flaw exists in ulpi_register_interface() error handling since kernel 4.2 (commit 289fcff4b), where device_register() failure triggers cleanup via put_device() followed by redundant kfree(), corrupting kernel memory. Patches available across stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% suggests low likelihood of mass exploitation despite high CVSS 7.8, likely due to local attack vector and requirement for device registration failure conditions.
Use-after-free condition in Linux kernel USB Test and Measurement Class (USBTMC) driver allows local authenticated attackers to execute arbitrary code with elevated privileges. The vulnerability occurs when the usbtmc_release function fails to properly flush pending anchored URBs, leaving dangling references that can be exploited in the HCD giveback path. Vendor patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0). Despite the high CVSS score of 7.8, the EPSS exploitation probability is very low at 0.02% (7th percentile), indicating limited real-world targeting, and no active exploitation or public POC has been identified.
A memory leak in the Linux kernel's USB misc usbio driver allows local attackers with low privileges to cause a denial of service by exhausting kernel memory through repeated USB device probe failures. The vulnerability arises when usb_submit_urb() fails during device initialization, leaving allocated URB structures unreleased and accumulating with each failed probe attempt.
Denial of service in Linux kernel USB dwc2 gadget driver allows local authenticated users to trigger a deadlock via improper spin lock handling in dwc2_hsotg_udc_stop(). The vulnerability stems from a locking protocol violation where dwc2_gadget_exit_clock_gating() expects a held lock but is called without one, causing spin_unlock on an unheld lock followed by a lock held indefinitely, resulting in system hang. No public exploit code identified at time of analysis.
A denial of service condition in the Linux kernel's Cadence USB3 (cdns3) gadget driver occurs when gadget initialization fails, leaving the DRD hardware in gadget mode while software state remains inactive. Switching the device to USB host mode via sysfs triggers a synchronous external abort in the xHCI host controller setup, causing a kernel crash. Local authenticated users with access to the USB role-switch sysfs interface can trigger this condition, affecting Linux kernel versions 5.4 through current releases. A patch is available from the Linux kernel project.
In the Linux kernel, the following vulnerability has been resolved: auxdisplay: line-display: fix NULL dereference in linedisp_release linedisp_release() currently retrieves the enclosing struct linedisp via to_linedisp(). That lookup depends on the attachment list, but the attachment may already have been removed before put_device() invokes the release callback. This can happen in linedisp_unregister(), and can also be reached from some linedisp_register() error paths. In that case, to_linedisp() returns NULL and linedisp_release() dereferences it while freeing the display resources. The struct device released here is the embedded linedisp->dev used by linedisp_register(), so retrieve the enclosing object directly with container_of() instead.
Denial of service in the Linux kernel comedi dt2815 driver allows local authenticated users to crash the system by attaching the driver to arbitrary I/O addresses without actual hardware present via the COMEDI_DEVCONFIG ioctl. The vulnerability occurs when outb() operations are performed on non-existent hardware, triggering page faults under race conditions. A patch adding hardware detection via status register reads prevents the crash.
Memory leak in Linux kernel comedi subsystem allows local privileged users to exhaust kernel memory and cause denial of service. The vulnerability exists in do_cmd_ioctl() where chanlist memory is not properly freed when runflags is not set following an exceptional exit, due to incomplete reference counting logic introduced in commit 4e1da516debb. CVSS 5.5 (local, low complexity, requires user privilege) with EPSS 0.02% indicates this is a lower-priority local DoS affecting systems with comedi driver loaded and untrusted local users.
Null pointer dereference and invalid I/O port writes in the Linux kernel's comedi ni_atmio16d driver occur when the device attach handler fails, causing the detach handler to call reset_atmio16d() with uninitialized device state. Local privileged attackers can trigger a denial of service by causing attach to fail, resulting in kernel memory access violations or writes to address zero. No public exploit code or active exploitation has been identified; patch versions are available from the Linux kernel stable branches.
Buffer overflow in Linux kernel COMEDI me_daq driver allows local authenticated users to achieve arbitrary code execution with kernel privileges. The me2600_xilinx_download() function fails to validate firmware file length before reading data streams, enabling out-of-bounds memory access during firmware loading operations. Patches available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates low probability of widespread exploitation despite high CVSS 7.8 rating, and no active exploitation or public exploit code identified at time of analysis.
Out-of-bounds write in Linux kernel comedi me4000 driver firmware loader allows local authenticated users to achieve high-impact code execution, data corruption, or system crash. The me4000_xilinx_download() function blindly trusts firmware file format headers without validating buffer boundaries, reading a length field from the first 4 bytes and then reading that many bytes from offset 16 without checking total file size. Patch available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating. No public exploit code or active exploitation confirmed.
Memory leak in Linux kernel s390/zcrypt subsystem allows local authenticated attackers to exhaust memory resources by repeatedly using CCA cards as accelerators for clear key RSA requests (ME and CRT operations). The vulnerability stems from incomplete refactoring where AP message allocations via ap_init_apmsg() are not properly freed in two code paths, causing heap memory exhaustion over time and enabling denial of service on s390 systems with CCA cryptographic hardware.
Double-free memory corruption in the Linux kernel reset-gpio subsystem allows local authenticated users to escalate privileges or crash the system. The vulnerability exists in reset_add_gpio_aux_device() error handling since commit 5fc4e4cf7a22, where auxiliary_device_uninit() triggers a release callback that frees memory, but the error path then calls kfree() on the same pointer. Patches available for kernel versions 6.19.12+ and 7.0+. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. Not listed in CISA KEV; no public exploit identified at time of analysis.
Denial of service in Linux kernel energy model netlink handler allows local authenticated attackers to crash the system via NULL pointer dereference when requesting non-existent performance domain IDs. The dev_energymodel_nl_get_perf_domains_doit() function fails to validate the return value from em_perf_domain_get_by_id() before dereferencing the performance domain structure, causing immediate kernel panic when an invalid domain ID is supplied. EPSS exploitation probability is very low (0.02%, 5th percentile), and no public exploit code or active exploitation has been identified.
Memory corruption in the Linux kernel zynqmp_nvmem driver allows local authenticated users to achieve privilege escalation through undersized DMA buffer exploitation. The vulnerability stems from incorrect buffer size calculations in dma_alloc_coherent and memcpy operations, enabling heap or memory corruption that can lead to complete system compromise. With a 7.8 CVSS score but only 0.02% EPSS (5th percentile), this represents a high-severity issue affecting specific Xilinx Zynq UltraScale+ deployments rather than a widespread exploitation target. Patches available across multiple stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0) with upstream fixes confirmed in git commits.
Memory corruption in the Linux kernel virtual terminal (vt) subsystem allows local authenticated users to trigger kernel crashes and potentially escalate privileges. When a console switches to an alternate screen and then gets resized, the saved Unicode buffer retains stale dimensions. Upon returning to the primary screen, operations like screen clearing (csi_J) access memory out of bounds using current dimensions against the old buffer, causing kernel oops. EPSS exploitation probability is low (0.02%, 4th percentile), no active exploitation confirmed, but vendor patches are available across multiple stable kernel branches (5.x, 6.18.x, 6.19.x).
Denial of service via runtime PM usage count underflow in the rz-mtu3-cnt counter driver allows local privileged users to disable hardware counters and trigger kernel warnings by repeatedly writing to the sysfs enable file. Multiple writes of the same value (0 or 1) to the enable attribute cause the runtime PM reference count to become misaligned with actual hardware state, leading to register access with clocks disabled and potential PWM channel conflicts. EPSS exploitation probability is minimal (0.02%) despite local access requirement, indicating this is primarily a local reliability issue rather than a remote attack vector.
Denial of service in Linux kernel counter driver (rz-mtu3-cnt) allows local attackers with low privileges to crash the system by exploiting a race condition where counter and PWM sub-drivers overwrite a shared device pointer, causing incorrect runtime power management operations. The vulnerability affects kernel versions prior to specific patch levels across the 6.x and 7.x branches, with EPSS exploitation probability of 0.02% indicating low real-world exploitation likelihood despite the availability of a vendor patch.
Missing CRYPTO_ALG_ASYNC flag in Linux kernel's Tegra crypto driver causes the crypto API to incorrectly select asynchronous algorithms for synchronous-only requests, resulting in system crashes. This affects Tegra-based Linux systems (typically NVIDIA Jetson devices) running kernel versions 6.10 through early 7.0 development branches. Vendor patches are available across stable branches (6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation probability, and no active exploitation or public POC has been identified. The CVSS vector (AV:N/AC:L/PR:L/UI:N) suggests network-based exploitation requiring authenticated access, though this conflicts with the technical nature of a local driver configuration bug.
Denial of service in Linux kernel VXLAN module allows local authenticated attackers to crash the system via malformed IPv6 neighbor discovery options in vxlan_na_create(). A crafted ND option with incorrect length values can cause out-of-bounds access or undersized payload reads, triggering a kernel panic. EPSS exploitation probability is low at 0.02%, but the vulnerability is confirmed patched across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12).
Denial of service via NULL pointer dereference in the MediaTek Ethernet PPE (packet processing engine) driver occurs when gmac0 (the primary ethernet interface) is disabled on affected systems. A local authenticated attacker can trigger a kernel crash by sending traffic through the networking stack when the driver incorrectly checks for a valid ingress device without verifying if the first network device pointer is actually initialized. The vulnerability affects Linux kernel versions prior to fixes released in stable branches 6.18.22, 6.12.81, 6.19.12, and 7.0.
Linux kernel IOMMU page table unmapping operations fail to invalidate extended memory regions when unmapping lands mid-entry in large/contiguous mappings, causing stale TLB entries. Affects kernel 6.19 through pre-7.0 versions with IOMMU subsystem enabled. Local authenticated attackers with low privileges can potentially access unmapped memory or escalate privileges by exploiting incomplete invalidations during IOMMU unmap operations. EPSS score of 0.02% (5th percentile) suggests minimal real-world exploitation likelihood. No public exploit identified at time of analysis, though vendor acknowledges theoretical risk is low as 'nothing relies on unmapping a large entry.' Vendor-released patches available for stable branches.
Denial of service in Linux kernel scheduler extension (sched_ext) allows local privileged attackers to crash systems by triggering incorrect task migration validation. The vulnerability exists in the is_bpf_migration_disabled() function, which fails to correctly identify migration-disabled tasks on non-PREEMPT_RCU configurations, potentially dispatching such tasks to remote CPUs and triggering kernel errors in task_can_run_on_remote_rq(). EPSS exploitation probability is very low at 0.02%, but CVSS 5.5 indicates local attackers with standard user privileges can cause denial of service.
A denial of service condition in the Linux kernel scheduler extension (sched_ext) subsystem allows local authenticated attackers to trigger a kernel warning and potential crash via improper handling of stale direct dispatch state in the ddsp_dsq_id field. When a task's direct dispatch verdict is not properly cleared across all code paths that consume or cancel such verdicts, a subsequent wakeup operation calling ops.select_cpu() with scx_bpf_dsq_insert() triggers a spurious WARN_ON_ONCE() in mark_direct_dispatch(), exposing the availability impact of the vulnerability. The issue affects Linux kernels with sched_ext enabled and requires local access with low privilege (non-root user capable of triggering task scheduling operations).
Use-after-free in Linux kernel thermal subsystem allows local attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability stems from race conditions between thermal zone removal and power management resume operations, where delayed work items can continue executing after thermal zone objects are freed. EPSS score of 0.02% (5th percentile) suggests low probability of mass exploitation despite high CVSS severity. Vendor patches available across multiple stable kernel branches (6.12.83, 6.18.22, 6.19.12, 7.0) via upstream commits. No active exploitation confirmed in CISA KEV at time of analysis.
Double-free memory corruption in the Linux kernel's fastrpc driver allows local attackers with low privileges to achieve high-impact code execution, privilege escalation, or denial of service. The vulnerability occurs when fastrpc_init_create_static_process() fails to nullify a freed heap pointer (cctx->remote_heap) in its error path, enabling fastrpc_rpmsg_remove() to free the same memory twice during device removal. Patches available across kernel versions 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% indicates low observed exploitation probability, with no active exploitation confirmed at time of analysis.