Suse
Monthly
A double-free vulnerability in the Linux kernel's xe/nvm driver allows local users with low privileges to cause a denial of service or potential code execution through improper memory management during auxiliary device initialization failures. The flaw occurs when auxiliary_device_add() fails and triggers both the release callback and an additional kfree() operation on the same memory region. This affects Linux systems with the xe driver, and no patch is currently available.
A race condition in Linux kernel shmem swap entry handling allows local attackers with user privileges to cause denial of service through memory corruption when swap entries are truncated concurrently with other operations. The vulnerability stems from an unprotected order lookup that can become stale before the actual swap entry removal, potentially causing truncation to erase data beyond intended boundaries. No patch is currently available.
The Linux kernel's octeon_ep driver fails to properly clean up allocated memory and mapped resources when the octep_ctrl_net_init() function fails during device setup, resulting in a local denial of service condition. An authenticated local attacker could trigger this memory leak by causing the initialization to fail, exhausting system memory over time. A patch is not currently available for this vulnerability.
A null pointer dereference in the Linux kernel's perf scheduler functionality causes a denial of service when handling user space stacktraces for certain kernel tasks. Local attackers with low privileges can trigger this crash by exploiting inconsistent task classification logic that fails to properly identify user versus kernel tasks. The vulnerability affects the Linux kernel with no patch currently available.
A use-after-free vulnerability in the Linux kernel's gpio-virtuser configfs release path allows local users with standard privileges to trigger memory corruption and potentially achieve code execution by causing mutex operations on freed memory. The flaw exists because the device structure is freed while a mutex guard scope is still active, leading to undefined behavior when the guard attempts to unlock the already-destroyed mutex. This vulnerability affects Linux systems with the affected kernel versions and requires local access to exploit.
Linux kernel dirty page throttling can cause system hangs when cgroup memory limits are restrictive, as processes become stuck waiting on balance_dirty_pages() io_schedule_timeout() calls. A local user with write permissions can trigger a denial of service by exhausting dirty page limits through intensive file operations, potentially freezing the system. No patch is currently available for affected kernels prior to v6.18.
The Linux kernel's efivarfs implementation fails to propagate errors from __efivar_entry_get(), causing the efivar_entry_get() function to mask failures and return success regardless of the underlying operation's result. This error handling flaw enables uninitialized heap memory to be copied to userspace through the efivarfs_file_read() path, potentially exposing sensitive kernel data to local users with read access to efivarfs. No patch is currently available for this high-severity vulnerability affecting the Linux kernel.
A null pointer dereference in the Linux kernel's gs_usb driver can cause a denial of service when processing malformed USB bulk transfer callbacks, affecting systems with vulnerable CAN interface hardware. Local attackers with unprivileged access can trigger this crash by submitting crafted USB requests that fail resubmission. No patch is currently available for this vulnerability.
GSO segmentation when forwarding GRO packets containing a frag_list. The function skb_segment_list cannot correctly process GRO skbs contains a security vulnerability.
A race condition in the Linux kernel's FireWire core transaction handling allows local attackers with low privileges to cause a denial of service by triggering concurrent processing of AR response and AT request completion events without proper synchronization. The vulnerability stems from transaction list enumeration occurring outside the card lock scope, enabling memory corruption or system crashes when exploited. No patch is currently available for this issue.
The Linux kernel's mac80211 WiFi implementation contains a parsing error when processing TID-To-Link Mapping (TTLM) elements with default link configurations, causing out-of-bounds memory reads. This vulnerability affects systems running vulnerable Linux kernels and could lead to denial of service through kernel crashes or information disclosure. No patch is currently available for this medium-severity issue.
The Linux kernel's Bluetooth MGMT subsystem fails to properly deallocate memory structures in the set_ssp_complete() function, resulting in a memory leak for each completed SSP command. A local attacker with unprivileged user access can exploit this to cause denial of service through memory exhaustion over time. No patch is currently available.
A memory leak in the Linux kernel's NFC LLCP implementation allows local attackers to exhaust memory by exploiting a race condition between the nfc_llcp_send_ui_frame() function and local device cleanup routines. An attacker with local access can trigger the vulnerability by sending NFC frames while the underlying device is being destroyed, causing socket buffers to accumulate in the transmit queue and never be freed.
A local attacker with unprivileged access can trigger kernel warnings in the Linux kernel's DRM subsystem by passing oversized handle values to drm_gem_change_handle_ioctl(), exploiting improper input validation between userspace u32 and kernel int types. This vulnerability affects the Linux kernel and allows denial of service through repeated warning generation, though no patch is currently available.
A race condition in the Linux kernel's NVMe target bio completion handler can cause a NULL pointer dereference when a bio is re-submitted while simultaneously being deinitialized, leading to denial of service on systems running affected kernel versions. Local attackers with access to NVMe target functionality can trigger this race to crash the kernel. A patch is not currently available.
A memory leak in the Linux kernel's btrfs zlib compression module on S390 hardware-accelerated systems fails to properly release file cache pages, potentially leading to memory exhaustion and denial of service on affected systems. The vulnerability stems from missing cleanup code introduced during a refactoring of the S390x hardware acceleration buffer handling. Local attackers with access to the system could trigger the leak through repeated compression operations.
A race condition in the Linux kernel's Bluetooth HCI UART driver allows local attackers with user privileges to trigger a null pointer dereference and cause a denial of service by initiating a TTY write wakeup during driver initialization. The vulnerability occurs when hci_uart_tx_wakeup() schedules write work before the protocol handler's private data structure is initialized, leading to a crash in hci_uart_write_work(). No patch is currently available for this issue.
A resource leak in the Linux kernel's ext4 filesystem implementation fails to properly release buffer head references in the xattr inode update function, potentially causing memory exhaustion on systems with local access. This medium-severity vulnerability affects Linux kernel versions and could allow local attackers to degrade system availability through repeated resource consumption. No patch is currently available.
Linux kernel DAMON sysfs interface fails to properly clean up subdirectories when context setup encounters errors, leaving orphaned directory structures and leaked memory that degrades functionality until system reboot. A local user with appropriate privileges can trigger this condition to cause denial of service by making the DAMON sysfs interface unreliable or unusable. This vulnerability requires local access and user interaction to exploit, with no available patch currently issued.
A memory alignment flaw in the Linux kernel's virtio_net driver allows local attackers with user-level privileges to cause denial of service through misalignment of flexible array members in the virtnet_info structure. The vulnerability results in potential memory corruption when accessing the rss_hash_key_data field, impacting systems running affected Linux kernel versions. No patch is currently available for this medium-severity issue.
Linux kernel DAMON sysfs interface fails to properly clean up access_pattern subdirectories when scheme directory setup fails, causing memory leaks and rendering the sysfs interface non-functional until system reboot. A local privileged user can trigger this condition to degrade system functionality and exhaust memory resources. No patch is currently available for this medium-severity vulnerability.
The Linux kernel's btrfs send functionality fails to validate whether file extent items are inline extents before accessing the disk_bytenr field, potentially causing invalid memory access or metadata corruption on affected systems. A local attacker with file system access could exploit this to trigger a denial of service condition through carefully crafted inline extent items. No patch is currently available for this medium-severity vulnerability.
The Linux kernel's BPF test_run component fails to properly validate XDP frame metadata size, allowing local users with appropriate privileges to specify oversized metadata that exhausts frame headroom and leaves the frame structure uninitialized. This can lead to denial of service or memory corruption during packet transmission. No patch is currently available for this issue.
The Linux kernel netfilter connection tracking module fails to properly manage garbage collection timing, allowing an attacker with local access to bypass cleanup operations and cause unbounded memory consumption on affected systems. By maintaining a sufficiently high packet rate, an attacker can prevent the garbage collector from executing, causing the connection tracking list to grow indefinitely and potentially lead to denial of service. No patch is currently available for this vulnerability.
The Linux kernel's ftrace stack trace recording mechanism lacks proper recursion protection, allowing local users with sufficient privileges to trigger an infinite recursion loop when kernel stack trace triggers are enabled on RCU events, resulting in denial of service through system hang or crash. The vulnerability affects systems where tracing is configured to capture stack traces during RCU event monitoring. No patch is currently available to address this medium-severity defect.
Memory leak in the Linux kernel's device tree unittest module allows local users with standard privileges to cause a denial of service by exhausting system memory when the of_resolve_phandles() function fails during unit test execution. The vulnerability stems from improper resource cleanup in the unittest_data_add() function, where allocated memory is not freed on error paths. A patch is not currently available.
The Linux kernel's libceph library fails to reset sparse-read state machine tracking during OSD connection failures, causing the client to misinterpret new replies as continuations of previous ones. This can lead to the sparse-read machinery entering an unrecoverable failure state, resulting in denial of service through infinite error loops. Local attackers or systems experiencing network faults could exploit this to crash or hang OSD client operations.
The Linux kernel ath12k WiFi driver incorrectly frees DMA memory buffers using aligned addresses instead of the original unaligned pointers returned by dma_alloc_coherent(), potentially causing memory management errors and denial of service on systems using affected WiFi hardware. A local attacker with user privileges can trigger this vulnerability through normal WiFi driver operations, leading to system instability or crashes. No patch is currently available for this medium-severity vulnerability.
The Linux kernel's kmalloc_nolock() function on PREEMPT_RT systems fails to properly validate execution context before acquiring a sleeping lock, causing a kernel panic when BPF programs execute from tracepoints with preemption disabled. A local attacker with ability to run BPF programs can trigger a denial of service by causing the kernel to attempt sleeping operations in invalid contexts. No patch is currently available for this medium-severity vulnerability.
The ath10k WiFi driver in the Linux kernel incorrectly frees DMA-allocated memory by using aligned addresses instead of the original unaligned pointers, potentially causing memory corruption and system denial of service on affected systems. A local attacker with appropriate privileges can trigger this vulnerability to crash the kernel or cause system instability. No patch is currently available for this issue.
The Linux kernel's Synopsys DesignWare DisplayPort bridge driver contains improper error handling in the dw_dp_bind() function that fails to unregister auxiliary devices and return error codes correctly, potentially causing resource leaks or kernel instability for systems using affected display hardware. A local attacker with sufficient privileges could trigger these error paths to cause a denial of service through resource exhaustion or kernel panic.
In the Linux kernel, the following vulnerability has been resolved: iommu/sva: invalidate stale IOTLB entries for kernel address space Introduce a new IOMMU interface to flush IOTLB paging cache entries for the CPU kernel address space.
In the Linux kernel, the following vulnerability has been resolved: netfs: Fix early read unlock of page with EOF in middle The read result collection for buffered reads seems to run ahead of the completion of subrequests under some circumstances, as can be seen in the following log snippet: 9p_client_res: client 18446612686390831168 response P9_TREAD tag 0 err 0 ...
The HP BIOS configuration driver in the Linux kernel fails to validate attribute names before kobject registration, causing kernel warnings and potential denial of service when HP BIOS returns empty name strings. A local user with standard privileges can trigger this vulnerability to crash or destabilize the system by supplying malformed BIOS attribute data. No patch is currently available for this medium-severity flaw affecting Linux systems with HP BIOS configuration support.
A deadlock condition in the Linux kernel's ath12k WiFi driver occurs when management frame transmission is blocked by the wiphy lock during flush operations, causing the wireless interface to hang and preventing authentication. Local users with sufficient privileges can trigger this condition by initiating WiFi authentication while pending management frames are being flushed, resulting in a denial of service. No patch is currently available for this medium-severity vulnerability.
The Linux kernel's DPLL subsystem fails to prevent duplicate pin registrations, allowing callers to register the same pin multiple times and causing memory management issues during unregistration. A local attacker with unprivileged access could trigger this condition to cause a denial of service through kernel warnings or crashes. No patch is currently available for this vulnerability.
The Linux kernel's ARM64 hibernation resume function fails to disable Control Flow Integrity (CFI) checking, causing a data abort exception when resuming from hibernation on affected systems. A local attacker with hibernation access could trigger a denial of service by invoking the resume function without proper CFI validation. This affects Linux kernel deployments on ARM64 architecture, though no patch is currently available.
Linux kernel perf subsystem allows local authenticated users to trigger a use-after-free condition via refcount manipulation when creating perf event group members with PERF_FLAG_FD_OUTPUT flag, resulting in denial of service through kernel warnings and potential system instability. This vulnerability requires local access and existing privileges to exploit, with no patch currently available.
The Linux kernel netdevsim driver contains a race condition in the bpf_bound_progs list operations where concurrent calls to nsim_bpf_create_prog() and nsim_bpf_destroy_prog() can corrupt the list and trigger kernel crashes. A local attacker with limited privileges can exploit this vulnerability to cause a denial of service by manipulating eBPF program creation and destruction. No patch is currently available for this issue.
A null pointer dereference in the Linux kernel's SCTP authentication initialization can be triggered by local attackers with user privileges to cause a denial of service through a crash in the packet transmission path. The vulnerability occurs when SCTP-AUTH key setup fails during association peer initialization, leaving a dangling pointer that is subsequently dereferenced. No patch is currently available for this medium-severity issue affecting the Linux kernel.
A data race condition in the Linux kernel's IPv6 NDISC router discovery function allows concurrent unsynchronized read/write access to the ra_mtu field, potentially causing denial of service through system instability or crashes on local systems. The vulnerability affects all Linux systems running vulnerable kernel versions and requires local access to trigger. No patch is currently available, though the race condition is considered low-impact as the affected field represents best-effort MTU configuration.
Uninitialized pointer dereferences in the Linux kernel's interconnect debugfs implementation can cause denial of service when users interact with src_node and dst_node debugfs entries. A local attacker with standard user privileges can trigger memory access violations through reads or writes to these debugfs interfaces, crashing the system or causing kernel instability. No patch is currently available for this medium-severity vulnerability.
The Intel i225/i226 Ethernet controller driver in the Linux kernel is susceptible to TX unit hangs during heavy timestamping operations due to insufficient packet buffer allocation. A local user with low privileges can trigger denial of service by generating sustained timestamped network traffic that exhausts the 7KB per-queue TX buffer, requiring a kernel patch that reduces the buffer to 5KB per hardware specification to mitigate the hang condition.
A data-race condition in the Linux kernel's mISDN subsystem allows local attackers with unprivileged access to cause a denial of service by triggering concurrent access to the dev->work field through ioctl and read operations without proper synchronization. The vulnerability affects the mISDN timer device driver where unsynchronized reads and writes to shared data can result in system availability issues. No patch is currently available for this medium-severity vulnerability.
A data-race condition in the Linux kernel's L2TP tunnel deletion function can cause a denial of service on systems using L2TP networking. Local attackers with unprivileged access can trigger concurrent socket operations to crash the kernel or cause system instability. No patch is currently available for this vulnerability.
The Linux kernel bonding driver fails to properly provide a network namespace pointer to the flow dissector function, allowing a local attacker with unprivileged access to trigger a kernel warning and cause a denial of service. The vulnerability exists in the bond_flow_dissect() code path used for XDP packet transmission, where crafted network packets lacking proper device or socket context can be processed unsafely.
A race condition in the Linux kernel's rxrpc subsystem allows local attackers with limited privileges to cause a denial of service by exploiting unsynchronized access to the last_tx_at timestamp variable, potentially triggering load/store tearing on 32-bit architectures. The vulnerability requires local access and specific timing conditions to trigger, but can result in system instability or crash when successfully exploited. No patch is currently available.
A NULL pointer dereference in the Linux kernel's ice driver occurs when devlink reload fails and the driver is subsequently removed, affecting systems using Intel ice network adapters. A local privileged user can trigger this denial of service condition by initiating a devlink reinit operation that fails, leaving the hardware in an uninitialized state. The vulnerability stems from a missing ice_deinit_hw() call in the devlink reinit path that leaves control queues uninitialized.
Improper handling of reset and clock masking in the Linux kernel's i.MX8MQ VPU power domain controller can cause system hangs when attempting to independently reset GPU cores. Local attackers with sufficient privileges can trigger this vulnerability by manipulating VPU reset operations, leading to denial of service. A patch is not currently available.
A race condition in the Linux kernel's serial driver allows local attackers with low privileges to bypass TTY device linkage during console configuration, potentially enabling unauthorized access to serial console interfaces on Qualcomm SoCs and other affected systems. The vulnerability stems from improper initialization ordering that fails to configure tty->port before uart_configure_port() is called, creating a window where user-space applications can open the console without proper driver linkage. No patch is currently available.
Linux kernel ptrace operations on ARM64 systems without SME support can corrupt SVE register state, causing the kernel to enter an invalid FPSIMD configuration that triggers warnings and potential instability. A local attacker with ptrace privileges can exploit this to cause a denial of service by manipulating SVE register writes on affected systems. The vulnerability requires local access and is present on Linux systems running vulnerable kernel versions without an available patch.
The Linux kernel io_uring/io-wq subsystem fails to properly monitor exit signals during work execution loops, allowing a local attacker with user privileges to cause the work queue to hang indefinitely by queuing operations that take excessive time to complete. This denial of service condition prevents the io-wq worker threads from shutting down gracefully, potentially blocking system operations that depend on io_uring. No patch is currently available for this vulnerability.
In the Linux kernel, the following vulnerability has been resolved: mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode When operating in HS200 or HS400 timing modes, reducing the clock frequency below 52MHz will lead to link broken as the Rockchip DWC MSHC controller requires maintaining a minimum clock of 52MHz in these modes.
Stack buffer overflow in Vim's NetBeans integration allows a malicious NetBeans server to corrupt memory and potentially crash the editor or execute arbitrary code through a specially crafted specialKeys command. The vulnerability affects Vim builds with NetBeans support enabled and requires user interaction to connect to a compromised server. A patch is available in Vim version 9.1.2148 and later.
Google Chrome's CSS engine contains a use-after-free vulnerability (CVE-2026-2441, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox through crafted HTML pages. KEV-listed with public PoC, this vulnerability enables drive-by exploitation when users visit malicious or compromised websites.
Unauthenticated API access in Milvus vector database before 2.5.27/2.6.10. TCP port 9091 exposed by default without authentication. EPSS 0.32% with PoC and patch available.
Authenticated users in lakeFS prior to version 1.77.0 can exploit path traversal vulnerabilities in the local block adapter to read and write files outside their intended storage boundaries by bypassing insufficient prefix validation checks. An attacker with valid credentials can manipulate object identifiers and path sequences to access sibling directories and storage namespaces they should not have access to. A patch is available in version 1.77.0 and later.
Linux kernel NVMe-oF TCP transport lacks proper bounds checking in PDU processing, allowing a local attacker with low privileges to trigger a kernel panic by crafting malicious PDU parameters that exceed scatter-gather list boundaries. The vulnerability enables denial of service through GPF/KASAN errors when invalid memory offsets are dereferenced during data copy operations. No patch is currently available for affected systems.
A use-after-free vulnerability in the Linux kernel's netfilter nf_tables module allows local attackers with unprivileged access to cause memory corruption and denial of service through an inverted logic check in catchall map element activation during failed transactions. The flaw occurs in nft_map_catchall_activate() which incorrectly processes already-active elements instead of inactive ones, potentially leading to privilege escalation or system crash. No patch is currently available.
libsoup's improper validation of HTTP Range headers enables remote attackers to read sensitive server memory when processing specially crafted requests against vulnerable SoupServer instances. The flaw affects GNOME-based systems using certain build configurations and requires no authentication or user interaction. No patch is currently available, and exploitation likelihood remains low at 0.1% EPSS.
Mattermost versions 11.1.2, 10.11.9, and 11.2.1 and earlier fail to properly enforce access controls in the Jira plugin's /create-issue API endpoint, allowing authenticated users to read restricted post content and attachments from channels they cannot access by referencing post IDs. An attacker with Jira plugin access can exploit this to enumerate and exfiltrate sensitive information from private or restricted channels. No patch is currently available for affected versions.
ClamAV versions up to 0.103.0 contains a vulnerability that allows attackers to manipulate bytecode function names (CVSS 8.4).
ntpd-rs versions prior to 1.7.1 are vulnerable to remote denial of service through crafted NTS (Network Time Protocol Security) packets that force excessive CPU consumption on affected servers. An unauthenticated attacker can exploit this by sending malformed NTS cookie requests that require significantly more processing resources to handle, degrading server performance and availability. The vulnerability affects ntpd-rs deployments with NTS enabled and is resolved in version 1.7.1.
Arbitrary code execution in Yoke's Air Traffic Controller component allows authenticated users with CustomResource create/update permissions to execute malicious WebAssembly modules by injecting crafted URLs into the overrides.yoke.cd/flight annotation, potentially enabling cluster-admin privilege escalation. The vulnerability affects Yoke 0.19.0 and earlier, with no patch currently available and an 8.8 CVSS severity rating.
Unauthenticated webhook endpoints in Yoke's Air Traffic Controller component allow any pod within a Kubernetes cluster to submit AdmissionReview requests and execute WASM modules in the controller's context without authorization. This affects Yoke versions 0.19.0 and earlier, enabling attackers with cluster access to bypass API Server authentication and potentially compromise the infrastructure-as-code deployment pipeline. No patch is currently available.
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter injection. PoC and patch available.
Denial of service in Traefik versions prior to 3.6.8 allows unauthenticated remote attackers to exhaust connection resources by exploiting improper timeout handling in STARTTLS request processing. An attacker can send a PostgreSQL SSLRequest prelude and then stall the connection indefinitely, bypassing the readTimeout protection and accumulating open connections until service availability is degraded. A patch is available in version 3.6.8.
CGI path splitting vulnerability in FrankenPHP before 1.11.2 — Unicode characters bypass path validation during CGI processing. PoC and patch available.
FrankenPHP versions prior to 1.11.2 fail to properly isolate session data between worker requests, enabling cross-user session fixation where an attacker can read sensitive $_SESSION information intended for other users. This high-severity flaw affects multi-request worker mode deployments and has public exploit code available. A patched version 1.11.2 is available and should be deployed immediately.
Webtransport-go versions prior to 0.10.0 fail to properly clean up closed WebTransport streams from internal session maps, allowing remote attackers to exhaust server memory through repeated stream creation and closure. This denial-of-service condition requires no authentication or user interaction and affects all deployments using the vulnerable library. A patch is available in version 0.10.0.
Webtransport-go versions prior to 0.10.0 are vulnerable to denial of service attacks where a malicious peer can withhold QUIC flow control credits to indefinitely block WebTransport session closure. An attacker can exploit this to hang close operations and prevent proper session termination, leaving connections in a suspended state. Affected applications using webtransport-go for protocol communication should upgrade to version 0.10.0 or later to mitigate this vulnerability.
Webtransport-go versions 0.3.0 through 0.9.0 fail to enforce the 1024-byte limit on Application Error Messages in WT_CLOSE_SESSION capsules, allowing remote attackers to trigger unbounded memory consumption by sending oversized payloads. An unauthenticated attacker can exhaust server memory and cause denial of service, requiring only sufficient bandwidth to transmit the malicious payload. The vulnerability is resolved in version 0.10.0, though no patch is currently available for affected versions.
Heap buffer overflow in the pg_trgm extension of PostgreSQL 18.0 and 18.1 allows authenticated database users to trigger memory corruption through specially crafted input strings. An attacker with database access could potentially achieve privilege escalation or cause service disruption, though exploit complexity is currently limited by restricted control over written data. No patch is currently available.
Arbitrary code execution in PostgreSQL results from insufficient validation of multibyte character lengths in text manipulation functions, allowing authenticated database users to trigger buffer overflows and execute commands with database process privileges. Affected versions include PostgreSQL 14.x before 14.21, 15.x before 15.16, 16.x before 16.12, 17.x before 17.8, and all versions before 18.2. No patch is currently available, leaving databases vulnerable to privilege escalation attacks from database-level users.
Arbitrary code execution in PostgreSQL pgcrypto module (versions before 14.21, 15.16, 16.12, 17.8, and 18.2) stems from a heap buffer overflow that allows attackers with database access to execute commands with the privileges of the PostgreSQL system user. An authenticated attacker can exploit this vulnerability by providing specially crafted ciphertext to trigger the overflow condition. No patch is currently available, leaving affected PostgreSQL installations vulnerable to privilege escalation and full system compromise.
PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16, and 14.21 contain insufficient input validation in the intarray extension's selectivity estimator function, enabling authenticated users with object creation privileges to execute arbitrary code with database server privileges. The vulnerability requires valid database credentials but allows complete system compromise through code execution at the OS level. No patch is currently available for affected deployments.
Improper validation of the "oidvector" type in PostgreSQL allows authenticated database users to read small amounts of server memory, potentially exposing sensitive data. This vulnerability affects PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16, and 14.21, with no patch currently available for impacted systems.
Grafana public dashboards with annotations enabled fail to enforce the dashboard's locked timerange restriction on annotation queries, allowing unauthenticated attackers to retrieve the complete annotation history beyond the intended viewing window. This information disclosure affects any organization exposing public dashboards with annotations, though only annotations already visible on the dashboard are accessible. No patch is currently available for this vulnerability.
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. [CVSS 6.8 MEDIUM]
Markdown-It versions up to 14.1.1 is affected by inefficient regular expression complexity (redos) (CVSS 5.3).
Safari web extensions on Apple platforms can leak user tracking information due to inadequate state management controls, allowing websites to identify and monitor individual users across browsing sessions. This vulnerability affects iOS, iPadOS, macOS, and visionOS, and is resolved in version 26.3 of each platform. The low CVSS score reflects limited direct user impact, though it represents a privacy concern for Safari users.
Remote denial-of-service attacks against Apple's macOS, iOS, iPadOS, Safari, and visionOS result from improper memory handling that allows unauthenticated attackers to crash affected systems over the network. The vulnerability affects multiple Apple platforms and requires no user interaction or elevated privileges to exploit. Patches are available for macOS Tahoe 26.3, iOS/iPadOS 18.7.5, visionOS 26.3, and Safari 26.3.
Memory handling flaws in Apple's macOS, iOS, iPadOS, and Safari allow remote attackers to crash affected processes by serving specially crafted web content, requiring only user interaction to trigger the denial of service. The vulnerability affects multiple Apple platforms and products across recent versions, with fixes available in macOS Tahoe 26.3, iOS 18.7.5, iPadOS 18.7.5, and Safari 26.3. No patches are currently available for all affected versions.
Denial of service in Apple Safari, iOS, iPadOS, and macOS results from improper memory handling when processing maliciously crafted web content, causing unexpected process crashes. An unauthenticated remote attacker can trigger this vulnerability through a specially crafted webpage, affecting users who view the malicious content. No patch is currently available for this vulnerability.
Denial of service affecting Apple's macOS, iOS, iPadOS, watchOS, tvOS, and visionOS results from a memory handling flaw that crashes processes when parsing malicious web content. An unauthenticated remote attacker can trigger unexpected application termination through crafted web pages, requiring only user interaction to visit a malicious site. A patch is not currently available for this medium-severity vulnerability.
Denial of service in Apple macOS, iOS, and iPadOS results from improper state management when processing malicious web content, causing unexpected process crashes. Local attackers with user interaction can trigger this vulnerability to disrupt system availability. No patch is currently available.
D-Link products using BusyBox are vulnerable to privilege escalation through malicious tar archives containing unvalidated symlink or hardlink entries that extract files outside the intended directory. An attacker with local access can craft a specially crafted archive to modify critical system files when extraction occurs with elevated privileges, potentially gaining unauthorized system access. No patch is currently available for this vulnerability.
BusyBox archive extraction utilities contain insufficient path validation that enables attackers to write files outside intended directories through specially crafted archives, potentially leading to arbitrary file overwrite and code execution on affected systems. Local attackers with user interaction can exploit this vulnerability to modify sensitive system files and gain elevated privileges. No patch is currently available for this vulnerability.
Pion DTLS is a Go implementation of Datagram Transport Layer Security. [CVSS 5.9 MEDIUM]
Out-of-bounds write in Pillow versions 10.3.0 through 12.1.0 allows remote denial of service when processing maliciously crafted PSD image files. An attacker can trigger a crash by supplying a specially crafted image without authentication or user interaction. A patch is available in version 12.1.1.
A double-free vulnerability in the Linux kernel's xe/nvm driver allows local users with low privileges to cause a denial of service or potential code execution through improper memory management during auxiliary device initialization failures. The flaw occurs when auxiliary_device_add() fails and triggers both the release callback and an additional kfree() operation on the same memory region. This affects Linux systems with the xe driver, and no patch is currently available.
A race condition in Linux kernel shmem swap entry handling allows local attackers with user privileges to cause denial of service through memory corruption when swap entries are truncated concurrently with other operations. The vulnerability stems from an unprotected order lookup that can become stale before the actual swap entry removal, potentially causing truncation to erase data beyond intended boundaries. No patch is currently available.
The Linux kernel's octeon_ep driver fails to properly clean up allocated memory and mapped resources when the octep_ctrl_net_init() function fails during device setup, resulting in a local denial of service condition. An authenticated local attacker could trigger this memory leak by causing the initialization to fail, exhausting system memory over time. A patch is not currently available for this vulnerability.
A null pointer dereference in the Linux kernel's perf scheduler functionality causes a denial of service when handling user space stacktraces for certain kernel tasks. Local attackers with low privileges can trigger this crash by exploiting inconsistent task classification logic that fails to properly identify user versus kernel tasks. The vulnerability affects the Linux kernel with no patch currently available.
A use-after-free vulnerability in the Linux kernel's gpio-virtuser configfs release path allows local users with standard privileges to trigger memory corruption and potentially achieve code execution by causing mutex operations on freed memory. The flaw exists because the device structure is freed while a mutex guard scope is still active, leading to undefined behavior when the guard attempts to unlock the already-destroyed mutex. This vulnerability affects Linux systems with the affected kernel versions and requires local access to exploit.
Linux kernel dirty page throttling can cause system hangs when cgroup memory limits are restrictive, as processes become stuck waiting on balance_dirty_pages() io_schedule_timeout() calls. A local user with write permissions can trigger a denial of service by exhausting dirty page limits through intensive file operations, potentially freezing the system. No patch is currently available for affected kernels prior to v6.18.
The Linux kernel's efivarfs implementation fails to propagate errors from __efivar_entry_get(), causing the efivar_entry_get() function to mask failures and return success regardless of the underlying operation's result. This error handling flaw enables uninitialized heap memory to be copied to userspace through the efivarfs_file_read() path, potentially exposing sensitive kernel data to local users with read access to efivarfs. No patch is currently available for this high-severity vulnerability affecting the Linux kernel.
A null pointer dereference in the Linux kernel's gs_usb driver can cause a denial of service when processing malformed USB bulk transfer callbacks, affecting systems with vulnerable CAN interface hardware. Local attackers with unprivileged access can trigger this crash by submitting crafted USB requests that fail resubmission. No patch is currently available for this vulnerability.
GSO segmentation when forwarding GRO packets containing a frag_list. The function skb_segment_list cannot correctly process GRO skbs contains a security vulnerability.
A race condition in the Linux kernel's FireWire core transaction handling allows local attackers with low privileges to cause a denial of service by triggering concurrent processing of AR response and AT request completion events without proper synchronization. The vulnerability stems from transaction list enumeration occurring outside the card lock scope, enabling memory corruption or system crashes when exploited. No patch is currently available for this issue.
The Linux kernel's mac80211 WiFi implementation contains a parsing error when processing TID-To-Link Mapping (TTLM) elements with default link configurations, causing out-of-bounds memory reads. This vulnerability affects systems running vulnerable Linux kernels and could lead to denial of service through kernel crashes or information disclosure. No patch is currently available for this medium-severity issue.
The Linux kernel's Bluetooth MGMT subsystem fails to properly deallocate memory structures in the set_ssp_complete() function, resulting in a memory leak for each completed SSP command. A local attacker with unprivileged user access can exploit this to cause denial of service through memory exhaustion over time. No patch is currently available.
A memory leak in the Linux kernel's NFC LLCP implementation allows local attackers to exhaust memory by exploiting a race condition between the nfc_llcp_send_ui_frame() function and local device cleanup routines. An attacker with local access can trigger the vulnerability by sending NFC frames while the underlying device is being destroyed, causing socket buffers to accumulate in the transmit queue and never be freed.
A local attacker with unprivileged access can trigger kernel warnings in the Linux kernel's DRM subsystem by passing oversized handle values to drm_gem_change_handle_ioctl(), exploiting improper input validation between userspace u32 and kernel int types. This vulnerability affects the Linux kernel and allows denial of service through repeated warning generation, though no patch is currently available.
A race condition in the Linux kernel's NVMe target bio completion handler can cause a NULL pointer dereference when a bio is re-submitted while simultaneously being deinitialized, leading to denial of service on systems running affected kernel versions. Local attackers with access to NVMe target functionality can trigger this race to crash the kernel. A patch is not currently available.
A memory leak in the Linux kernel's btrfs zlib compression module on S390 hardware-accelerated systems fails to properly release file cache pages, potentially leading to memory exhaustion and denial of service on affected systems. The vulnerability stems from missing cleanup code introduced during a refactoring of the S390x hardware acceleration buffer handling. Local attackers with access to the system could trigger the leak through repeated compression operations.
A race condition in the Linux kernel's Bluetooth HCI UART driver allows local attackers with user privileges to trigger a null pointer dereference and cause a denial of service by initiating a TTY write wakeup during driver initialization. The vulnerability occurs when hci_uart_tx_wakeup() schedules write work before the protocol handler's private data structure is initialized, leading to a crash in hci_uart_write_work(). No patch is currently available for this issue.
A resource leak in the Linux kernel's ext4 filesystem implementation fails to properly release buffer head references in the xattr inode update function, potentially causing memory exhaustion on systems with local access. This medium-severity vulnerability affects Linux kernel versions and could allow local attackers to degrade system availability through repeated resource consumption. No patch is currently available.
Linux kernel DAMON sysfs interface fails to properly clean up subdirectories when context setup encounters errors, leaving orphaned directory structures and leaked memory that degrades functionality until system reboot. A local user with appropriate privileges can trigger this condition to cause denial of service by making the DAMON sysfs interface unreliable or unusable. This vulnerability requires local access and user interaction to exploit, with no available patch currently issued.
A memory alignment flaw in the Linux kernel's virtio_net driver allows local attackers with user-level privileges to cause denial of service through misalignment of flexible array members in the virtnet_info structure. The vulnerability results in potential memory corruption when accessing the rss_hash_key_data field, impacting systems running affected Linux kernel versions. No patch is currently available for this medium-severity issue.
Linux kernel DAMON sysfs interface fails to properly clean up access_pattern subdirectories when scheme directory setup fails, causing memory leaks and rendering the sysfs interface non-functional until system reboot. A local privileged user can trigger this condition to degrade system functionality and exhaust memory resources. No patch is currently available for this medium-severity vulnerability.
The Linux kernel's btrfs send functionality fails to validate whether file extent items are inline extents before accessing the disk_bytenr field, potentially causing invalid memory access or metadata corruption on affected systems. A local attacker with file system access could exploit this to trigger a denial of service condition through carefully crafted inline extent items. No patch is currently available for this medium-severity vulnerability.
The Linux kernel's BPF test_run component fails to properly validate XDP frame metadata size, allowing local users with appropriate privileges to specify oversized metadata that exhausts frame headroom and leaves the frame structure uninitialized. This can lead to denial of service or memory corruption during packet transmission. No patch is currently available for this issue.
The Linux kernel netfilter connection tracking module fails to properly manage garbage collection timing, allowing an attacker with local access to bypass cleanup operations and cause unbounded memory consumption on affected systems. By maintaining a sufficiently high packet rate, an attacker can prevent the garbage collector from executing, causing the connection tracking list to grow indefinitely and potentially lead to denial of service. No patch is currently available for this vulnerability.
The Linux kernel's ftrace stack trace recording mechanism lacks proper recursion protection, allowing local users with sufficient privileges to trigger an infinite recursion loop when kernel stack trace triggers are enabled on RCU events, resulting in denial of service through system hang or crash. The vulnerability affects systems where tracing is configured to capture stack traces during RCU event monitoring. No patch is currently available to address this medium-severity defect.
Memory leak in the Linux kernel's device tree unittest module allows local users with standard privileges to cause a denial of service by exhausting system memory when the of_resolve_phandles() function fails during unit test execution. The vulnerability stems from improper resource cleanup in the unittest_data_add() function, where allocated memory is not freed on error paths. A patch is not currently available.
The Linux kernel's libceph library fails to reset sparse-read state machine tracking during OSD connection failures, causing the client to misinterpret new replies as continuations of previous ones. This can lead to the sparse-read machinery entering an unrecoverable failure state, resulting in denial of service through infinite error loops. Local attackers or systems experiencing network faults could exploit this to crash or hang OSD client operations.
The Linux kernel ath12k WiFi driver incorrectly frees DMA memory buffers using aligned addresses instead of the original unaligned pointers returned by dma_alloc_coherent(), potentially causing memory management errors and denial of service on systems using affected WiFi hardware. A local attacker with user privileges can trigger this vulnerability through normal WiFi driver operations, leading to system instability or crashes. No patch is currently available for this medium-severity vulnerability.
The Linux kernel's kmalloc_nolock() function on PREEMPT_RT systems fails to properly validate execution context before acquiring a sleeping lock, causing a kernel panic when BPF programs execute from tracepoints with preemption disabled. A local attacker with ability to run BPF programs can trigger a denial of service by causing the kernel to attempt sleeping operations in invalid contexts. No patch is currently available for this medium-severity vulnerability.
The ath10k WiFi driver in the Linux kernel incorrectly frees DMA-allocated memory by using aligned addresses instead of the original unaligned pointers, potentially causing memory corruption and system denial of service on affected systems. A local attacker with appropriate privileges can trigger this vulnerability to crash the kernel or cause system instability. No patch is currently available for this issue.
The Linux kernel's Synopsys DesignWare DisplayPort bridge driver contains improper error handling in the dw_dp_bind() function that fails to unregister auxiliary devices and return error codes correctly, potentially causing resource leaks or kernel instability for systems using affected display hardware. A local attacker with sufficient privileges could trigger these error paths to cause a denial of service through resource exhaustion or kernel panic.
In the Linux kernel, the following vulnerability has been resolved: iommu/sva: invalidate stale IOTLB entries for kernel address space Introduce a new IOMMU interface to flush IOTLB paging cache entries for the CPU kernel address space.
In the Linux kernel, the following vulnerability has been resolved: netfs: Fix early read unlock of page with EOF in middle The read result collection for buffered reads seems to run ahead of the completion of subrequests under some circumstances, as can be seen in the following log snippet: 9p_client_res: client 18446612686390831168 response P9_TREAD tag 0 err 0 ...
The HP BIOS configuration driver in the Linux kernel fails to validate attribute names before kobject registration, causing kernel warnings and potential denial of service when HP BIOS returns empty name strings. A local user with standard privileges can trigger this vulnerability to crash or destabilize the system by supplying malformed BIOS attribute data. No patch is currently available for this medium-severity flaw affecting Linux systems with HP BIOS configuration support.
A deadlock condition in the Linux kernel's ath12k WiFi driver occurs when management frame transmission is blocked by the wiphy lock during flush operations, causing the wireless interface to hang and preventing authentication. Local users with sufficient privileges can trigger this condition by initiating WiFi authentication while pending management frames are being flushed, resulting in a denial of service. No patch is currently available for this medium-severity vulnerability.
The Linux kernel's DPLL subsystem fails to prevent duplicate pin registrations, allowing callers to register the same pin multiple times and causing memory management issues during unregistration. A local attacker with unprivileged access could trigger this condition to cause a denial of service through kernel warnings or crashes. No patch is currently available for this vulnerability.
The Linux kernel's ARM64 hibernation resume function fails to disable Control Flow Integrity (CFI) checking, causing a data abort exception when resuming from hibernation on affected systems. A local attacker with hibernation access could trigger a denial of service by invoking the resume function without proper CFI validation. This affects Linux kernel deployments on ARM64 architecture, though no patch is currently available.
Linux kernel perf subsystem allows local authenticated users to trigger a use-after-free condition via refcount manipulation when creating perf event group members with PERF_FLAG_FD_OUTPUT flag, resulting in denial of service through kernel warnings and potential system instability. This vulnerability requires local access and existing privileges to exploit, with no patch currently available.
The Linux kernel netdevsim driver contains a race condition in the bpf_bound_progs list operations where concurrent calls to nsim_bpf_create_prog() and nsim_bpf_destroy_prog() can corrupt the list and trigger kernel crashes. A local attacker with limited privileges can exploit this vulnerability to cause a denial of service by manipulating eBPF program creation and destruction. No patch is currently available for this issue.
A null pointer dereference in the Linux kernel's SCTP authentication initialization can be triggered by local attackers with user privileges to cause a denial of service through a crash in the packet transmission path. The vulnerability occurs when SCTP-AUTH key setup fails during association peer initialization, leaving a dangling pointer that is subsequently dereferenced. No patch is currently available for this medium-severity issue affecting the Linux kernel.
A data race condition in the Linux kernel's IPv6 NDISC router discovery function allows concurrent unsynchronized read/write access to the ra_mtu field, potentially causing denial of service through system instability or crashes on local systems. The vulnerability affects all Linux systems running vulnerable kernel versions and requires local access to trigger. No patch is currently available, though the race condition is considered low-impact as the affected field represents best-effort MTU configuration.
Uninitialized pointer dereferences in the Linux kernel's interconnect debugfs implementation can cause denial of service when users interact with src_node and dst_node debugfs entries. A local attacker with standard user privileges can trigger memory access violations through reads or writes to these debugfs interfaces, crashing the system or causing kernel instability. No patch is currently available for this medium-severity vulnerability.
The Intel i225/i226 Ethernet controller driver in the Linux kernel is susceptible to TX unit hangs during heavy timestamping operations due to insufficient packet buffer allocation. A local user with low privileges can trigger denial of service by generating sustained timestamped network traffic that exhausts the 7KB per-queue TX buffer, requiring a kernel patch that reduces the buffer to 5KB per hardware specification to mitigate the hang condition.
A data-race condition in the Linux kernel's mISDN subsystem allows local attackers with unprivileged access to cause a denial of service by triggering concurrent access to the dev->work field through ioctl and read operations without proper synchronization. The vulnerability affects the mISDN timer device driver where unsynchronized reads and writes to shared data can result in system availability issues. No patch is currently available for this medium-severity vulnerability.
A data-race condition in the Linux kernel's L2TP tunnel deletion function can cause a denial of service on systems using L2TP networking. Local attackers with unprivileged access can trigger concurrent socket operations to crash the kernel or cause system instability. No patch is currently available for this vulnerability.
The Linux kernel bonding driver fails to properly provide a network namespace pointer to the flow dissector function, allowing a local attacker with unprivileged access to trigger a kernel warning and cause a denial of service. The vulnerability exists in the bond_flow_dissect() code path used for XDP packet transmission, where crafted network packets lacking proper device or socket context can be processed unsafely.
A race condition in the Linux kernel's rxrpc subsystem allows local attackers with limited privileges to cause a denial of service by exploiting unsynchronized access to the last_tx_at timestamp variable, potentially triggering load/store tearing on 32-bit architectures. The vulnerability requires local access and specific timing conditions to trigger, but can result in system instability or crash when successfully exploited. No patch is currently available.
A NULL pointer dereference in the Linux kernel's ice driver occurs when devlink reload fails and the driver is subsequently removed, affecting systems using Intel ice network adapters. A local privileged user can trigger this denial of service condition by initiating a devlink reinit operation that fails, leaving the hardware in an uninitialized state. The vulnerability stems from a missing ice_deinit_hw() call in the devlink reinit path that leaves control queues uninitialized.
Improper handling of reset and clock masking in the Linux kernel's i.MX8MQ VPU power domain controller can cause system hangs when attempting to independently reset GPU cores. Local attackers with sufficient privileges can trigger this vulnerability by manipulating VPU reset operations, leading to denial of service. A patch is not currently available.
A race condition in the Linux kernel's serial driver allows local attackers with low privileges to bypass TTY device linkage during console configuration, potentially enabling unauthorized access to serial console interfaces on Qualcomm SoCs and other affected systems. The vulnerability stems from improper initialization ordering that fails to configure tty->port before uart_configure_port() is called, creating a window where user-space applications can open the console without proper driver linkage. No patch is currently available.
Linux kernel ptrace operations on ARM64 systems without SME support can corrupt SVE register state, causing the kernel to enter an invalid FPSIMD configuration that triggers warnings and potential instability. A local attacker with ptrace privileges can exploit this to cause a denial of service by manipulating SVE register writes on affected systems. The vulnerability requires local access and is present on Linux systems running vulnerable kernel versions without an available patch.
The Linux kernel io_uring/io-wq subsystem fails to properly monitor exit signals during work execution loops, allowing a local attacker with user privileges to cause the work queue to hang indefinitely by queuing operations that take excessive time to complete. This denial of service condition prevents the io-wq worker threads from shutting down gracefully, potentially blocking system operations that depend on io_uring. No patch is currently available for this vulnerability.
In the Linux kernel, the following vulnerability has been resolved: mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode When operating in HS200 or HS400 timing modes, reducing the clock frequency below 52MHz will lead to link broken as the Rockchip DWC MSHC controller requires maintaining a minimum clock of 52MHz in these modes.
Stack buffer overflow in Vim's NetBeans integration allows a malicious NetBeans server to corrupt memory and potentially crash the editor or execute arbitrary code through a specially crafted specialKeys command. The vulnerability affects Vim builds with NetBeans support enabled and requires user interaction to connect to a compromised server. A patch is available in Vim version 9.1.2148 and later.
Google Chrome's CSS engine contains a use-after-free vulnerability (CVE-2026-2441, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox through crafted HTML pages. KEV-listed with public PoC, this vulnerability enables drive-by exploitation when users visit malicious or compromised websites.
Unauthenticated API access in Milvus vector database before 2.5.27/2.6.10. TCP port 9091 exposed by default without authentication. EPSS 0.32% with PoC and patch available.
Authenticated users in lakeFS prior to version 1.77.0 can exploit path traversal vulnerabilities in the local block adapter to read and write files outside their intended storage boundaries by bypassing insufficient prefix validation checks. An attacker with valid credentials can manipulate object identifiers and path sequences to access sibling directories and storage namespaces they should not have access to. A patch is available in version 1.77.0 and later.
Linux kernel NVMe-oF TCP transport lacks proper bounds checking in PDU processing, allowing a local attacker with low privileges to trigger a kernel panic by crafting malicious PDU parameters that exceed scatter-gather list boundaries. The vulnerability enables denial of service through GPF/KASAN errors when invalid memory offsets are dereferenced during data copy operations. No patch is currently available for affected systems.
A use-after-free vulnerability in the Linux kernel's netfilter nf_tables module allows local attackers with unprivileged access to cause memory corruption and denial of service through an inverted logic check in catchall map element activation during failed transactions. The flaw occurs in nft_map_catchall_activate() which incorrectly processes already-active elements instead of inactive ones, potentially leading to privilege escalation or system crash. No patch is currently available.
libsoup's improper validation of HTTP Range headers enables remote attackers to read sensitive server memory when processing specially crafted requests against vulnerable SoupServer instances. The flaw affects GNOME-based systems using certain build configurations and requires no authentication or user interaction. No patch is currently available, and exploitation likelihood remains low at 0.1% EPSS.
Mattermost versions 11.1.2, 10.11.9, and 11.2.1 and earlier fail to properly enforce access controls in the Jira plugin's /create-issue API endpoint, allowing authenticated users to read restricted post content and attachments from channels they cannot access by referencing post IDs. An attacker with Jira plugin access can exploit this to enumerate and exfiltrate sensitive information from private or restricted channels. No patch is currently available for affected versions.
ClamAV versions up to 0.103.0 contains a vulnerability that allows attackers to manipulate bytecode function names (CVSS 8.4).
ntpd-rs versions prior to 1.7.1 are vulnerable to remote denial of service through crafted NTS (Network Time Protocol Security) packets that force excessive CPU consumption on affected servers. An unauthenticated attacker can exploit this by sending malformed NTS cookie requests that require significantly more processing resources to handle, degrading server performance and availability. The vulnerability affects ntpd-rs deployments with NTS enabled and is resolved in version 1.7.1.
Arbitrary code execution in Yoke's Air Traffic Controller component allows authenticated users with CustomResource create/update permissions to execute malicious WebAssembly modules by injecting crafted URLs into the overrides.yoke.cd/flight annotation, potentially enabling cluster-admin privilege escalation. The vulnerability affects Yoke 0.19.0 and earlier, with no patch currently available and an 8.8 CVSS severity rating.
Unauthenticated webhook endpoints in Yoke's Air Traffic Controller component allow any pod within a Kubernetes cluster to submit AdmissionReview requests and execute WASM modules in the controller's context without authorization. This affects Yoke versions 0.19.0 and earlier, enabling attackers with cluster access to bypass API Server authentication and potentially compromise the infrastructure-as-code deployment pipeline. No patch is currently available.
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter injection. PoC and patch available.
Denial of service in Traefik versions prior to 3.6.8 allows unauthenticated remote attackers to exhaust connection resources by exploiting improper timeout handling in STARTTLS request processing. An attacker can send a PostgreSQL SSLRequest prelude and then stall the connection indefinitely, bypassing the readTimeout protection and accumulating open connections until service availability is degraded. A patch is available in version 3.6.8.
CGI path splitting vulnerability in FrankenPHP before 1.11.2 — Unicode characters bypass path validation during CGI processing. PoC and patch available.
FrankenPHP versions prior to 1.11.2 fail to properly isolate session data between worker requests, enabling cross-user session fixation where an attacker can read sensitive $_SESSION information intended for other users. This high-severity flaw affects multi-request worker mode deployments and has public exploit code available. A patched version 1.11.2 is available and should be deployed immediately.
Webtransport-go versions prior to 0.10.0 fail to properly clean up closed WebTransport streams from internal session maps, allowing remote attackers to exhaust server memory through repeated stream creation and closure. This denial-of-service condition requires no authentication or user interaction and affects all deployments using the vulnerable library. A patch is available in version 0.10.0.
Webtransport-go versions prior to 0.10.0 are vulnerable to denial of service attacks where a malicious peer can withhold QUIC flow control credits to indefinitely block WebTransport session closure. An attacker can exploit this to hang close operations and prevent proper session termination, leaving connections in a suspended state. Affected applications using webtransport-go for protocol communication should upgrade to version 0.10.0 or later to mitigate this vulnerability.
Webtransport-go versions 0.3.0 through 0.9.0 fail to enforce the 1024-byte limit on Application Error Messages in WT_CLOSE_SESSION capsules, allowing remote attackers to trigger unbounded memory consumption by sending oversized payloads. An unauthenticated attacker can exhaust server memory and cause denial of service, requiring only sufficient bandwidth to transmit the malicious payload. The vulnerability is resolved in version 0.10.0, though no patch is currently available for affected versions.
Heap buffer overflow in the pg_trgm extension of PostgreSQL 18.0 and 18.1 allows authenticated database users to trigger memory corruption through specially crafted input strings. An attacker with database access could potentially achieve privilege escalation or cause service disruption, though exploit complexity is currently limited by restricted control over written data. No patch is currently available.
Arbitrary code execution in PostgreSQL results from insufficient validation of multibyte character lengths in text manipulation functions, allowing authenticated database users to trigger buffer overflows and execute commands with database process privileges. Affected versions include PostgreSQL 14.x before 14.21, 15.x before 15.16, 16.x before 16.12, 17.x before 17.8, and all versions before 18.2. No patch is currently available, leaving databases vulnerable to privilege escalation attacks from database-level users.
Arbitrary code execution in PostgreSQL pgcrypto module (versions before 14.21, 15.16, 16.12, 17.8, and 18.2) stems from a heap buffer overflow that allows attackers with database access to execute commands with the privileges of the PostgreSQL system user. An authenticated attacker can exploit this vulnerability by providing specially crafted ciphertext to trigger the overflow condition. No patch is currently available, leaving affected PostgreSQL installations vulnerable to privilege escalation and full system compromise.
PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16, and 14.21 contain insufficient input validation in the intarray extension's selectivity estimator function, enabling authenticated users with object creation privileges to execute arbitrary code with database server privileges. The vulnerability requires valid database credentials but allows complete system compromise through code execution at the OS level. No patch is currently available for affected deployments.
Improper validation of the "oidvector" type in PostgreSQL allows authenticated database users to read small amounts of server memory, potentially exposing sensitive data. This vulnerability affects PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16, and 14.21, with no patch currently available for impacted systems.
Grafana public dashboards with annotations enabled fail to enforce the dashboard's locked timerange restriction on annotation queries, allowing unauthenticated attackers to retrieve the complete annotation history beyond the intended viewing window. This information disclosure affects any organization exposing public dashboards with annotations, though only annotations already visible on the dashboard are accessible. No patch is currently available for this vulnerability.
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. [CVSS 6.8 MEDIUM]
Markdown-It versions up to 14.1.1 is affected by inefficient regular expression complexity (redos) (CVSS 5.3).
Safari web extensions on Apple platforms can leak user tracking information due to inadequate state management controls, allowing websites to identify and monitor individual users across browsing sessions. This vulnerability affects iOS, iPadOS, macOS, and visionOS, and is resolved in version 26.3 of each platform. The low CVSS score reflects limited direct user impact, though it represents a privacy concern for Safari users.
Remote denial-of-service attacks against Apple's macOS, iOS, iPadOS, Safari, and visionOS result from improper memory handling that allows unauthenticated attackers to crash affected systems over the network. The vulnerability affects multiple Apple platforms and requires no user interaction or elevated privileges to exploit. Patches are available for macOS Tahoe 26.3, iOS/iPadOS 18.7.5, visionOS 26.3, and Safari 26.3.
Memory handling flaws in Apple's macOS, iOS, iPadOS, and Safari allow remote attackers to crash affected processes by serving specially crafted web content, requiring only user interaction to trigger the denial of service. The vulnerability affects multiple Apple platforms and products across recent versions, with fixes available in macOS Tahoe 26.3, iOS 18.7.5, iPadOS 18.7.5, and Safari 26.3. No patches are currently available for all affected versions.
Denial of service in Apple Safari, iOS, iPadOS, and macOS results from improper memory handling when processing maliciously crafted web content, causing unexpected process crashes. An unauthenticated remote attacker can trigger this vulnerability through a specially crafted webpage, affecting users who view the malicious content. No patch is currently available for this vulnerability.
Denial of service affecting Apple's macOS, iOS, iPadOS, watchOS, tvOS, and visionOS results from a memory handling flaw that crashes processes when parsing malicious web content. An unauthenticated remote attacker can trigger unexpected application termination through crafted web pages, requiring only user interaction to visit a malicious site. A patch is not currently available for this medium-severity vulnerability.
Denial of service in Apple macOS, iOS, and iPadOS results from improper state management when processing malicious web content, causing unexpected process crashes. Local attackers with user interaction can trigger this vulnerability to disrupt system availability. No patch is currently available.
D-Link products using BusyBox are vulnerable to privilege escalation through malicious tar archives containing unvalidated symlink or hardlink entries that extract files outside the intended directory. An attacker with local access can craft a specially crafted archive to modify critical system files when extraction occurs with elevated privileges, potentially gaining unauthorized system access. No patch is currently available for this vulnerability.
BusyBox archive extraction utilities contain insufficient path validation that enables attackers to write files outside intended directories through specially crafted archives, potentially leading to arbitrary file overwrite and code execution on affected systems. Local attackers with user interaction can exploit this vulnerability to modify sensitive system files and gain elevated privileges. No patch is currently available for this vulnerability.
Pion DTLS is a Go implementation of Datagram Transport Layer Security. [CVSS 5.9 MEDIUM]
Out-of-bounds write in Pillow versions 10.3.0 through 12.1.0 allows remote denial of service when processing maliciously crafted PSD image files. An attacker can trigger a crash by supplying a specially crafted image without authentication or user interaction. A patch is available in version 12.1.1.