Skip to main content

Denial of Service

other MEDIUM

Denial of Service attacks render applications or systems unavailable by overwhelming resources or triggering failure conditions.

How It Works

Denial of Service attacks render applications or systems unavailable by overwhelming resources or triggering failure conditions. Attackers exploit asymmetry: minimal attacker effort produces disproportionate resource consumption on the target. Application-level attacks use specially crafted inputs that trigger expensive operations—a regex engine processing malicious patterns can backtrack exponentially, or XML parsers recursively expand entities until memory exhausts. Network-level attacks flood targets with connection requests or amplify traffic through reflection, but application vulnerabilities often provide the most efficient attack surface.

The attack typically begins with reconnaissance to identify resource-intensive operations or unprotected endpoints. For algorithmic complexity attacks, adversaries craft inputs hitting worst-case performance—hash collision inputs filling hash tables with collisions, deeply nested JSON triggering recursive parsing, or pathological regex patterns like (a+)+b against strings of repeated 'a' characters. Resource exhaustion attacks open thousands of connections, upload massive files to unbounded storage, or trigger memory leaks through repeated operations. Crash-based attacks target error handling gaps: null pointer dereferences, unhandled exceptions in parsers, or assertion failures that terminate processes.

Impact

  • Service unavailability preventing legitimate users from accessing applications during attack duration
  • Revenue loss from downtime in e-commerce, SaaS platforms, or transaction processing systems
  • Cascading failures as resource exhaustion spreads to dependent services or database connections pool out
  • SLA violations triggering financial penalties and damaging customer trust
  • Security team distraction providing cover for data exfiltration or intrusion attempts running concurrently

Real-World Examples

CVE-2018-1000544 in Ruby's WEBrick server allowed ReDoS through malicious HTTP headers containing specially crafted patterns that caused the regex engine to backtrack exponentially, freezing request processing threads. A single attacker could saturate all available workers.

Cloudflare experienced a global outage in 2019 when a single WAF rule containing an unoptimized regex hit pathological cases on legitimate traffic spikes. The .*(?:.*=.*)* pattern exhibited catastrophic backtracking, consuming CPU cycles across their edge network until the rule was disabled.

CVE-2013-1664 demonstrated XML bomb vulnerabilities in Python's XML libraries. Attackers uploaded XML documents with nested entity definitions-each entity expanding to ten copies of the previous level. A 1KB upload could expand to gigabytes in memory during parsing, crashing applications instantly.

Mitigation

  • Strict input validation enforcing size limits, complexity bounds, and nesting depth restrictions before processing
  • Request rate limiting per IP address, API key, or user session with exponential backoff
  • Timeout enforcement terminating operations exceeding reasonable execution windows (typically 1-5 seconds)
  • Resource quotas limiting memory allocation, CPU time, and connection counts per request or tenant
  • Regex complexity analysis using linear-time algorithms or sanitizing patterns to eliminate backtracking
  • Circuit breakers automatically rejecting requests when error rates or latency thresholds indicate degradation
  • Load balancing and autoscaling distributing traffic across instances with automatic capacity expansion

Recent CVEs (36508)

EPSS 0% CVSS 8.1
HIGH PATCH This Week

Out-of-bounds heap read and infinite loop in the Linux kernel Bluetooth HCI event handler (hci_le_create_big_complete_evt) allows an adjacent attacker to trigger denial of service on systems with Bluetooth LE Isochronous (BIG) connections. The flaw arises when a malicious or malformed controller returns an LE_Create_BIG_Complete event with fewer bis_handle entries than expected, causing the kernel to read past the flex array and spin indefinitely while holding hci_dev_lock. No public exploit identified at time of analysis, and EPSS probability is very low (0.02%), but the issue is patched across multiple stable trees.

Linux Denial Of Service Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Denial-of-service in the Linux kernel mt76/mt7921 MediaTek Wi-Fi driver lets a buffer-length (buf_len) underflow occur while iterating the CLC (country location configuration) power table, producing a near-infinite loop or an invalid power setting that crashes driver initialization. Systems running affected kernels with MediaTek MT7921 Wi-Fi hardware are impacted; classified CWE-787 (out-of-bounds write) with a vendor-assigned CVSS of 7.8 (local, AV:L). No public exploit identified at time of analysis and EPSS is very low (0.02%), consistent with a reliability/DoS defect rather than a readily weaponizable memory-corruption primitive.

Memory Corruption Linux Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's cros_ec_typec driver crashes the kernel when a Thunderbolt alternate mode operation is processed on affected ChromeOS devices. The flaw originates in cros_typec_register_thunderbolt(), which allocates the adata structure but omits mutex_init(&adata->lock); when cros_typec_altmode_work() later acquires that uninitialized mutex, the kernel dereferences a NULL or garbage pointer and panics. No public exploit code exists and EPSS of 0.02% (4th percentile) reflects the narrow hardware prerequisite and strictly local-only attack surface; the vulnerability is not listed in CISA KEV.

Linux Denial Of Service Google +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's RDMA/ocrdma driver crashes systems running Emulex OneConnect RDMA adapters. The flaw exists in `ocrdma_copy_pd_uresp()`, where error-path code dereferences `pd->uctx` before it is initialized, producing a kernel panic and complete system unavailability when triggered. No public exploit code has been identified and EPSS sits at 0.02% (5th percentile), reflecting very low exploitation probability at this time; however, the local low-privilege vector means any unprivileged user on an affected system with ocrdma hardware present could trigger the crash.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's pseries/papr-hvpipe subsystem crashes IBM POWER/pSeries hosts via a local ioctl call. The flaw was introduced by commit 6d3789d347a7, which refactored papr_hvpipe_dev_create_handle() to use FD_PREPARE() but left src_info accessible after retain_and_null_ptr() nulled it, causing a write to address 0x0 when the pointer is subsequently used in the global list insertion path. Exploitation requires local low-privileged access on pSeries hardware; no public exploit exists and EPSS is 0.02%, indicating negligible opportunistic exploitation risk.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's xfrm (IPsec) state management subsystem allows local attackers with low privileges to trigger memory corruption via concurrent xfrm_state lifecycle operations. The flaw resides in __xfrm_state_delete() where value-based predicates on x->km.seq and x->id.spi can race with xfrm_alloc_spi() outside of xfrm_state_lock, leading to slab-use-after-free writes through LIST_POISON pointers on the byseq/byspi/bydst/bysrc hash chains. No public exploit identified at time of analysis, and EPSS is very low at 0.02% (5th percentile), but a vendor patch is available.

Linux Denial Of Service Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote information disclosure in the Linux kernel's RDMA Soft-RoCE (rxe) driver allows unauthenticated network attackers to leak adjacent kernel skb head-buffer memory by sending zero-length ATOMIC_WRITE RDMA packets. The flaw, tracked as CVE-2026-46114 and affecting kernels from 6.2 onward, lets a remote initiator extract 4 bytes of kernel tailroom per probe - including kernel strings and partial direct-map pointer words - into an attacker-controlled memory region. No public exploit identified at time of analysis and EPSS is low (0.05%, 17th percentile), but the vendor (kernel.org) has released stable patches across multiple branches.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel's stmmac Ethernet driver allows remote attackers to trigger a NULL pointer dereference and kernel panic on systems using STMicroelectronics MAC network controllers under sustained memory pressure. The flaw stems from incomplete handling of the DMA RX descriptor ring lifecycle, where stmmac_rx() cannot distinguish 'full' from 'dirty' descriptors when stmmac_rx_refill() fails to allocate replacement buffers. EPSS rates exploitation probability at only 0.02% (5th percentile), and no public exploit identified at time of analysis.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Keycloak's ClientRegistrationAuth component can be crashed by a remote unauthenticated attacker through a specially crafted POST request bearing a malformed 'Authorization: Bearer' header, triggering an unhandled ArrayIndexOutOfBoundsException and returning HTTP 500 to all subsequent callers of the affected endpoint. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero prerequisites for exploitation beyond network reachability, making any publicly exposed Keycloak client registration endpoint a viable target. No public exploit has been identified at time of analysis and no EPSS data was supplied, but the trivial attack mechanics mean no specialized tooling is required to reproduce the denial of service.

Information Disclosure Denial Of Service Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Denial of service in Keycloak's LDAP federation layer allows an authenticated realm administrator - or an attacker who has compromised an upstream LDAP server - to crash the entire Keycloak JVM by inducing an OutOfMemoryError through a malformed LDAP password policy response. Because Keycloak typically serves multiple realms from a single JVM process, a successful attack denies service to all realms on the affected node, not just the targeted one. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Java Denial Of Service Build Of Keycloak
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in the Symfony Yaml component (symfony/yaml and the monolithic symfony/symfony) allows remote attackers to hang the parser via catastrophic regular-expression backtracking in Parser::cleanup(). Supplying a YAML document with an oversized %YAML directive header, leading comment, or document-start/end marker forces the CPU to spin for an arbitrarily long time (CWE-1333), stalling any application that parses attacker-influenced YAML. No public weaponized exploit is identified, though the advisory and patch tests disclose the trigger payloads; EPSS is low at 0.08%, and the issue is not on CISA KEV.

Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Denial of service in the Symfony Yaml component (symfony/yaml and the symfony/symfony monolith) lets remote attackers crash PHP worker processes by submitting a YAML document with deeply nested mappings or sequences. Because neither the block-level parser (Parser::parseBlock()) nor the inline parser (Inline::parseSequence()/parseMapping()) enforced a recursion depth limit, a compact crafted payload exhausts the PHP call stack, killing the process. EPSS is low (0.09%, 26th percentile) and there is no public exploit identified at time of analysis, but the bug is trivially triggerable wherever untrusted YAML is parsed.

PHP Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

NULL pointer dereference in pam_usb prior to 0.8.7 allows a physically present attacker to crash the PAM authentication stack by inserting a USB device whose serial, vendor, or model metadata fields are absent. The module in src/device.c passes return values from udisks_drive_get_serial(), udisks_drive_get_vendor(), and udisks_drive_get_model() directly to strcmp() without NULL checks, despite the GIO/UDisks2 API explicitly documenting that these accessors can return NULL for devices not exposing those fields. The result is undefined behavior - typically a SIGSEGV - that terminates the authentication process. No public exploit has been identified at time of analysis and no active exploitation is confirmed.

Null Pointer Dereference Denial Of Service
NVD GitHub
EPSS 1% CVSS 8.3
HIGH PATCH This Week

Unauthenticated PHP object deserialization in Symfony's Monolog Bridge affects the development-time `server:log` console command, which by default binds its TCP log listener to 0.0.0.0:9911 and passes every received frame through `unserialize(base64_decode(...))` with no allowed_classes allowlist, authentication, or integrity check. Any host that can reach port 9911 on a machine running `server:log` can crash the listener (unauthenticated DoS) or trigger PHP object injection whose magic-method side effects may reach remote code execution when a usable gadget chain exists in the target's autoload set. No public exploit identified at time of analysis; EPSS is low (0.99%, 77th percentile) and the flaw is not in CISA KEV, consistent with a dev-only tool rather than a production-facing service.

Denial Of Service PHP Deserialization +1
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Incorrect authorization in Apache ActiveMQ Artemis allows authenticated STOMP protocol clients to modify address routing-type settings without sufficient privilege checks. Affects Artemis versions through 2.44.0 and 2.53.0 respectively, the flaw (CWE-863) permits low-privileged network users to alter broker address routing configuration, impacting message routing integrity. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, placing this in a monitor-and-patch priority tier rather than emergency response.

Apache Command Injection Jenkins +4
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

pam_usb prior to 0.9.0 crashes under memory pressure due to assert()-based OOM guards in src/mem.c that are silently stripped by standard distribution build flags, enabling a local denial-of-service against authentication subsystems. Any allocation failure in xmalloc(), xrealloc(), or xstrdup() returns NULL, which every caller then dereferences unconditionally - the intended abort-before-dereference guarantee exists only in debug builds, not in Debian, Fedora, or Arch Linux packages that define -DNDEBUG via CFLAGS. A local attacker who can induce memory pressure at authentication time causes the PAM module to crash, locking all users out of sudo and login for the duration of the crash. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Denial Of Service Null Pointer Dereference Debian
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Gladinet Triofox lets unauthenticated remote attackers crash the web service by sending an HTTP request whose URL path begins with /status or /sysinfo. The server tries to load WOSHttpStatusModule.dll to service those paths and calls WOSBin_LoadHttpModule, but that DLL ships missing from the installation, so the resolved function pointer is NULL and the code invokes a function at address 0, terminating the process (CWE-476). The flaw was discovered and reported by Tenable (TRA-2026-45); no public exploit identified at time of analysis and it is not on the CISA KEV list, with availability-only impact (CVSS 7.5).

Denial Of Service Null Pointer Dereference Triofox
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Gladinet Triofox lets remote unauthenticated attackers crash the Triofox Server Agent by triggering a NULL pointer dereference. The function WOSSysInfoGetDeviceInterface() in WOSCommonUtil.dll returns NULL whenever no user is logged into the Server Agent Management Console, and callers such as WOSProfileMgrModule.dll and WOSWebDavModule.dll dereference that pointer without checking it, causing a process crash. There is no public exploit identified at time of analysis and the issue affects only availability (CVSS 7.5).

Denial Of Service Null Pointer Dereference Triofox
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Denial of service in GitLab CE/EE affects all versions from 17.1 through those prior to 18.10.7, 18.11.4, and 19.0.1, allowing a low-privileged authenticated user to crash or degrade service availability through insufficient input validation. The root cause is CWE-770 (resource allocation without limits or throttling), meaning a specially crafted request can exhaust server-side resources under certain conditions. Publicly available exploit code exists per SSVC assessment, though CISA has not added this to the Known Exploited Vulnerabilities catalog and automated mass exploitation is considered unlikely.

Gitlab Denial Of Service
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in MapServer 6.4.0 through 8.6.2 allows remote unauthenticated attackers to crash the server by submitting a small well-formed SLD document via the WMS SLD_BODY= parameter. The flaw is a NULL pointer dereference reached when an SLD <Rule> carries <ElseFilter/> but defines no symbolizer, causing the styling code to index a class array at position -1. No public exploit has been identified at time of analysis, and the issue is fixed in version 8.6.3.

Denial Of Service Mapserver
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in Wireshark's ROHC protocol dissector causes application crashes across two active release branches, constituting a denial-of-service condition. Affected versions span Wireshark 4.6.0 through 4.6.5 and 4.4.0 through 4.4.15; patched releases 4.6.6 and 4.4.16 are available per the vendor advisory wnpa-sec-2026-51. The attack vector is local with required user interaction (CVSS AV:L/UI:R), meaning exploitation requires a victim to open a specially crafted packet capture file - no remote or automated exploitation path exists, and no public exploit code or active exploitation has been identified at time of analysis.

Denial Of Service Null Pointer Dereference Red Hat
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Reachable assertion in TeamSpeak 3 Server's client handshake handler allows remote unauthenticated attackers to crash the server by manipulating the 'proof' argument during connection setup, resulting in a denial of service. All versions from 3.13.0 through 3.13.7 are affected; the issue was independently researched by modzero and disclosed via TeamSpeak security advisory TS-SA-2026-001. No public exploit or CISA KEV listing exists at time of analysis, but the low-complexity, no-privileges-required attack surface makes this straightforward to trigger remotely.

Denial Of Service
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Use-after-free in TeamSpeak 3 Server versions 3.13.0 through 3.13.7 allows a low-privileged remote attacker to corrupt server memory via the process_resend_queue function within Connection State Management, resulting in limited integrity and availability impact. Discovered and disclosed by modzero.com (advisory MZ-26-01) and acknowledged by TeamSpeak via official security advisory TS-SA-2026-001, the vendor has released version 3.13.8 as the fix. No public exploit code exists and no active exploitation has been identified at time of analysis.

Denial Of Service Buffer Overflow
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Quadratic-complexity denial of service in Botan's BER parser affects all versions prior to 3.12.0, allowing unauthenticated remote attackers to exhaust CPU resources by submitting crafted ASN.1 data. The parser accepted indefinite-length encodings even in structures required to use DER (which explicitly prohibits them), and specific patterns of such encodings trigger O(n²) algorithmic behavior. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Denial Of Service Botan
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in liquidjs (npm) versions before 10.26.0 arises from a quadratic-backtracking (ReDoS) regular expression in the default-registered strip_html filter, reachable from any template via {{ x | strip_html }}. A remote, unauthenticated attacker who submits a string containing many unbalanced <script, <style, or <!-- opener tokens (for example a single ~350 KB body) forces O(N^2) V8 regex backtracking that blocks the single-threaded Node.js event loop for roughly 10 seconds, stalling every other request on the worker. A proof-of-concept with measured scaling is published in the GitHub Security Advisory (GHSA-r7g9-xpmj-5fcq); the issue is not listed in CISA KEV and no EPSS score was provided.

Denial Of Service Node.js
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

{{ x | date: f }}` can generate multi-megabyte output or trigger an out-of-memory crash of the host Node.js process. Publicly available exploit code (a verified PoC) exists; there is no CISA KEV listing and no EPSS score in the provided data.

Denial Of Service Node.js
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC This Month

NULL pointer dereference in GPAC MP4Box crashes the application when parsing specially crafted truncated MP4 files, resulting in a denial-of-service condition. The vulnerability triggers in the gf_media_map_esd function (media_tools/isom_tools.c, line ~1364) when an invalid or unknown stsd (Sample Table Sample Description) entry leaves codec, mime, or profile descriptor fields uninitialized - the function then calls strlen() on a NULL pointer, producing a segmentation fault (SEGV). A publicly available exploit code exists demonstrating the crash, though EPSS at 0.02% (6th percentile) signals negligible widespread exploitation probability and the vulnerability is not listed in CISA KEV.

Null Pointer Dereference Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Remote denial of service in IBM Aspera High-Speed Transfer Endpoint and High-Speed Transfer Server (versions 3.7.4 through 4.4.7 Fix Pack 1) allows an unauthenticated network attacker to crash the asperahttpd service via a NULL pointer dereference. Exploitation requires no credentials and no user interaction, yielding a complete loss of availability for the affected transfer service. There is no public exploit identified at time of analysis, and the issue has no confidentiality or integrity impact.

Denial Of Service Null Pointer Dereference IBM
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution and authentication bypass are possible in IBM Aspera High-Speed Transfer Server and High-Speed Transfer Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1) through a heap-based buffer overflow in the asperahttpd component. An unauthenticated network attacker can corrupt memory to crash the service (denial of service) and, in the worst case, hijack execution flow to run arbitrary code or bypass authentication. There is no public exploit identified at time of analysis and SSVC lists exploitation as none, but the CVSS 9.8 rating and 'Automatable: yes' assessment mark this as a high-priority patching target.

RCE Denial Of Service Buffer Overflow +3
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Denial of service in IBM Langflow OSS 1.0.0 through 1.9.0 lets a low-privileged, authenticated remote attacker drive uncontrolled resource consumption (CWE-400) to degrade or crash the service, with a high availability impact and a minor confidentiality exposure per the CVSS vector. The flaw is network-reachable, requires no user interaction, and needs only a low-privilege account. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and no EPSS score was supplied.

Denial Of Service IBM
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Denial-of-service exposure in IBM OpenBMC firmware versions FW1110.00 through FW1110.11 allows unauthenticated remote attackers to partially degrade system availability by sending specially crafted network requests exploiting improper input quantity validation (CWE-1284). The attack requires no authentication, no user interaction, and low complexity, making it fully automatable per SSVC assessment - though no public exploit code has been identified at time of analysis. Because BMCs operate independently of the host OS and remain network-accessible even when servers are powered down, disrupting this layer carries operational risk disproportionate to the CVSS 5.3 Medium score alone.

Denial Of Service IBM
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Denial of service in IBM Db2 11.5.x and 12.1.x allows a low-privileged local user to crash the database engine by executing a specially crafted query against range partitioned tables. The vulnerability stems from uncontrolled resource allocation (CWE-770) during query processing, resulting in complete availability loss with no impact to confidentiality or integrity. No public exploit code exists and this vulnerability has not been listed in the CISA KEV catalog at time of analysis.

Denial Of Service IBM
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Memory exhaustion in IBM Db2 11.5.x and 12.1.x allows an authenticated remote attacker to crash the database engine by submitting certain queries targeting Multi-Dimensional Clustering (MDC) tables, resulting in a denial of service. The vulnerability carries a CVSS 6.5 score with network-accessible attack vector and low-privilege requirement, meaning any valid database user can trigger it. No active exploitation has been identified at time of analysis; SSVC rates exploitation status as none and technical impact as partial.

Denial Of Service IBM
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Denial of service in IBM Db2 versions 11.5.0-11.5.9 and 12.1.0-12.1.4 allows a locally authenticated, low-privileged user to crash the database service by executing a specially crafted SQL query against an instance configured with a small statement heap. The vulnerability stems from uncontrolled resource consumption (CWE-400) during query processing, resulting in high availability impact with no confidentiality or integrity exposure. No public exploit code and no active exploitation have been identified at time of analysis; SSVC classifies exploitation status as none.

Denial Of Service IBM
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Memory exhaustion in IBM WebSphere Application Server (Liberty 19.0.0.7-26.0.0.5, traditional WAS 8.5 and 9.0) allows an adjacent-network, low-privileged attacker to trigger uncontrolled memory consumption by sending a specially crafted request. The attack requires both network adjacency and high complexity conditions, constraining the realistic threat surface significantly compared to the High availability impact rating. No public exploit code exists and CISA SSVC rates exploitation as 'none' with technical impact classified as 'partial', placing this vulnerability in a lower operational priority tier despite the A:H component impact.

Denial Of Service IBM
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Out-of-bounds read in libusb's parse_iad_array() function (descriptor.c) affects all releases before 1.0.30, enabling local attackers in virtualized environments with USB passthrough to crash libusb-dependent processes via a crafted USB descriptor. The off-by-one error causes the bounds check to evaluate against the original total buffer size rather than the remaining unparsed size, allowing a one-byte read past the end of the malloc allocation when a descriptor's bLength is set to exactly (total_size - 1). No public exploit code exists and the vulnerability is absent from CISA KEV; a vendor-released patch is confirmed in v1.0.30.

Denial Of Service Buffer Overflow Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Use-after-free in the Linux kernel CAIF networking subsystem allows a local low-privileged user to crash the kernel via a double invocation of caif_free_client(). The CAIF socket layer in caif_connect() can tear down a client on remote shutdown, freeing the service object via adap_layer->dn but leaving that pointer stale; when the socket is later destroyed, caif_sock_destructor() dereferences the already-freed pointer, triggering a NULL pointer dereference (CWE-476) and kernel oops. No public exploit exists and EPSS sits at 0.02% (5th percentile), but vendor-released patches are available across multiple stable kernel branches.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel rtw88 PCIe WiFi driver for the Realtek 8821CE adapter crashes the kernel during driver probing when the card is installed directly on a root PCI bus without an upstream PCI-to-PCI bridge. The defect was discovered via Svace static analysis by the Linux Verification Center - not through active exploitation - and no public exploit has been identified at time of analysis. EPSS of 0.02% (5th percentile) reflects the highly hardware-specific triggering condition, though the crash is deterministic when that condition is met.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel bridge subsystem's FDB (Forwarding Database) RCU readers allows a local low-privileged user to crash the kernel via a sysfs read race. The vulnerability in `br_fdb_fillbuf()` - reached through the `brforward_read()` sysfs path - loads `f->dst` multiple times without synchronization, enabling a concurrent `fdb_delete_local()` call to nullify the pointer between the NULL check and the subsequent `port_no` dereference. No active exploitation has been identified (EPSS 0.02%, not in CISA KEV), but vendor patch commits are available across all active stable kernel branches.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Credit exhaustion in the OCFS2 DIO completion path of the Linux kernel can cause the JBD2 journaling layer to exceed its maximum transaction credit limit, resulting in kernel warnings and a high-availability denial-of-service condition. Systems running the Linux kernel with the OCFS2 cluster filesystem configured for direct I/O workloads across multiple stable branches (6.6.x, 6.12.x, 6.18.x, 7.0.x) are affected. A local attacker with low privileges and write access to an OCFS2 volume can trigger complex extent tree merges that request more than 5449 JBD2 credits, destabilizing the filesystem journal. No public exploit is identified at time of analysis, and EPSS sits at the 5th percentile, reflecting very low real-world exploitation probability.

Linux Denial Of Service Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null-pointer dereference in the Linux kernel's RBD (RADOS Block Device) subsystem crashes the kernel when device_add_disk() fails after device_add() has already succeeded. Systems running Linux kernel with Ceph RBD support enabled are affected across multiple stable branches from the introduction of commit 27c97abc30e2 through the patched releases. A local attacker with sufficient privileges to map RBD images via the sysfs interface can trigger this error path to cause a kernel panic and system-wide denial of service. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.02% at the 5th percentile signals negligible weaponization probability.

Linux Canonical Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel panic in the Linux Ceph filesystem client affects systems running fscrypt-encrypted CephFS on kernel versions 6.18.16-6.18.29, 6.19.6, and 7.0.x prior to 7.0.4. An off-by-one error (CWE-193) in `ceph_wbc->num_ops` during encrypted writeback causes a hard BUG_ON assertion in `ceph_submit_write()`, crashing the kernel when a bounce buffer allocation fails under memory pressure. No public exploit exists and EPSS is 0.02% (4th percentile), but the CVE description contains a precise reproduction recipe, making reliable local triggering straightforward for anyone with write access to an affected encrypted mount.

Linux Denial Of Service Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's amphion VPU media driver allows local privileged users to trigger a kernel panic and potential memory corruption due to a race condition between v4l2_m2m_ctx_release() and v4l2_m2m_try_run(). The flaw affects systems using the amphion video encode/decode driver (introduced in 5.18) and has been resolved upstream by removing reliance on the m2m framework's job scheduling. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the local high-impact CVSS of 7.8 makes it relevant for multi-tenant or hardened kernel deployments.

Linux Denial Of Service Race Condition
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Soft lockup in the Linux kernel's md/raid5 subsystem allows a local low-privileged user to trigger an infinite loop in the raid5d kernel thread, causing a kernel soft lockup and system-wide denial of service on hosts running RAID5 arrays. The fault lies in retry_aligned_read() using the wrong stripe release path when encountering overlapping stripes, permanently starving handle_stripe() of the work item needed to resolve the overlap. No public exploit has been identified and EPSS at 0.02% (5th percentile) confirms negligible exploitation probability; however, multiple active stable kernel branches from 3.12 onward are affected and vendor-released patches are confirmed across five fix versions.

Linux Denial Of Service Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Deadlock in the Linux kernel md/raid10 subsystem causes a permanent denial-of-service when NOWAIT IO requests coincide with an array check (resync) operation. The md resync thread becomes permanently stuck because the nr_pending atomic counter underflows to a large negative value, preventing it from ever reaching the zero threshold needed to proceed. Systems running RAID-10 arrays where applications use O_NOWAIT IO (e.g., filesystem writeback paths via ext4) are affected. No public exploit code exists and EPSS is 0.02%, indicating low exploitation probability, but the bug is deterministically reproducible by any local user with IO access to the affected array.

Linux Denial Of Service Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel vfio/cdx subsystem allows a local low-privileged user with access to a CDX VFIO device to crash the kernel by issuing an out-of-order ioctl sequence. Specifically, calling VFIO_DEVICE_SET_IRQS with DATA_BOOL or DATA_NONE flags before ever initializing MSI interrupts via the EVENTFD path dereferences an unallocated cdx_irqs pointer, producing a kernel panic and denial-of-service. No public exploit code exists and EPSS is 0.02%, but vendor-released patches are confirmed available across all affected stable branches.

Denial Of Service Linux Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel's libceph subsystem allows remote attackers to crash the kernel via a malformed CEPH_MSG_AUTH_REPLY message containing zero values for both protocol and result fields. The flaw resides in ceph_handle_auth_reply() where a missing validation causes ac->ops to be set to NULL before being dereferenced. No public exploit identified at time of analysis, and EPSS is extremely low (0.02%), but the network attack vector with no authentication and high availability impact warrants prompt patching on Ceph-enabled systems.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's DAMON (Data Access MONitor) subsystem allows privileged local users to crash the kernel by supplying arbitrary node IDs to damos_quota_goal via DAMON_SYSFS. Affecting Linux 6.16 and fixed in 6.18.27, 7.0.4, and 7.1-rc1, the flaw stems from missing validation before si_meminfo_node()/NODE_DATA() lookups and is reproducible with the upstream 'damo' user-space tool. No public exploit identified at time of analysis and EPSS is very low at 0.02%.

Denial Of Service Linux Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's Xilinx remoteproc (xlnx) IPI receive callback enables a local low-privileged user to crash the kernel on Xilinx SoC-based systems. The receive callback unconditionally accesses buffer information without first validating whether the message pointer is NULL, which occurs when IPI is operating in non-buffered mode. No public exploit exists and no active exploitation is confirmed; with EPSS at 0.02% (5th percentile), real-world risk is very low and hardware-specific.

Denial Of Service Linux Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory exhaustion denial-of-service in the Linux kernel's rxkad Kerberos authentication layer allows a local low-privilege attacker to leak kernel memory by repeatedly triggering error paths in rxkad_verify_response(). The vulnerability affects kernels from approximately 5.11 through all unpatched stable series prior to 6.6.140, 6.12.86, 6.18.27, and 7.0.4. No public exploit exists and EPSS sits at 0.02% (5th percentile), indicating minimal real-world exploitation likelihood; however, systems running AFS workloads with rxrpc active warrant patching at next maintenance.

Linux Denial Of Service Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's ACPICA subsystem crashes the kernel via a missed execution path in acpi_ev_address_space_dispatch(), resulting in a local denial of service. Affected systems run Linux kernel versions tracing back to commit 0acf24ad7e10f547809faefb8069f8f5482eb4d9, spanning multiple stable branches through at least 6.19.x. No public exploit exists and EPSS is negligible at 0.02% (7th percentile), but the high availability impact and wide kernel version coverage make patching prudent for any multi-tenant or availability-sensitive Linux environment.

Denial Of Service Linux Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and denial of service in the Linux kernel's AMD XDNA (amdxdna) accelerator driver allows authenticated local users to trigger a use-after-free condition by submitting jobs to a hardware context concurrently with resource release. The flaw affects kernels in the 6.14.9 through 6.15 series and was resolved upstream by stopping job scheduling around aie2_release_resource() and validating context state in aie2_sched_job_run(). No public exploit identified at time of analysis, and EPSS scoring (0.02%) indicates negligible near-term exploitation probability.

Linux Denial Of Service Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's staging Greybus lights driver (`drivers/staging/greybus/lights.c`) causes a local denial of service via kernel panic. The flaw affects systems running Greybus-enabled kernels since commit 2870b52b (Linux 4.9 onward), where a low-privileged local user can trigger a kernel crash if `kcalloc()` fails during lights channel initialization. No public exploit exists and EPSS is 0.02% (7th percentile), reflecting niche hardware dependency; the vulnerability is not listed in CISA KEV.

Denial Of Service Linux Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel bonding driver's Adaptive Load Balancing (ALB) subsystem allows a local low-privileged user to crash the kernel by racing rlb_arp_recv() against rlb_deinitialize() during rapid bond interface up/down cycling. Specifically, the RX handler continues to dereference rx_hashtbl entries after rlb_deinitialize() frees them, because recv_probe is set to NULL without first draining in-flight softirq handlers via synchronize_net(). Systems running bonded NICs in ALB mode (mode=6) on affected kernel versions - including Dell PowerEdge hardware and Canonical-distributed kernels - are at risk of kernel panic. No public exploit identified at time of analysis, and EPSS at 0.02% (7th percentile) confirms no observed mass exploitation.

Linux Canonical Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel HID PlayStation driver crashes the kernel when force feedback (FF) effects are triggered on a PlayStation controller that experienced a silent initialization failure. Systems running Linux 5.12 through unpatched stable branches with PlayStation controllers (DualSense, DualShock 4, or compatible HID devices) attached are affected. A local low-privileged attacker who can trigger FF effects on a controller where input_ff_create_memless() returned an error can cause a kernel panic, resulting in a full system denial of service. No public exploit exists and EPSS is 0.02% (7th percentile), consistent with a niche hardware driver flaw.

Denial Of Service Linux Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's cpuidle ladder governor crashes PowerNV systems when only a single idle state is registered - the governor incorrectly indexes into state 1 as if it were the first usable non-polling state, resulting in a NULL enter callback invocation and immediate kernel panic. Systems running IBM PowerNV hardware without a power-mgt device tree node are specifically at risk, as this firmware configuration causes cpuidle to register only the polling state (state 0). No public exploit code exists and EPSS probability is 0.02% (7th percentile), reflecting this is a platform-specific availability issue rather than a broadly exploitable attack surface; it is not listed in CISA KEV.

Denial Of Service Linux Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's AppArmor LSM (`__unix_needs_revalidation()`) allows a local low-privileged user to crash the kernel, resulting in a denial of service. Introduced as a regression in kernel 6.17 with AppArmor 5.0.0, the flaw is triggered by passing file descriptors over UNIX domain sockets via SCM_RIGHTS when the receiving socket or its `sk` pointer is NULL during transient setup or teardown states. No active exploitation is confirmed (absent from CISA KEV), and EPSS sits at 0.02% (4th percentile), indicating low exploitation probability; patches are available in stable releases 6.18.14, 6.19.4, and 7.0.

Denial Of Service Linux Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel NULL pointer dereference in the Linux AppArmor security module allows a local low-privileged user to crash the system by reading an apparmorfs symbolic link under a specific runtime configuration sequence. The flaw exists in rawdata_get_link_base, where profile->rawdata->name is dereferenced without first verifying that rawdata is non-NULL after a profile replacement clears it. No public exploit exists and EPSS stands at 0.02%, though the crash is fully reproducible from the conditions documented in the commit description.

Linux Denial Of Service Ubuntu +4
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel crash via use-after-free race in the Linux kernel nau8821 ASoC audio codec driver affects systems including the Valve Steam Deck when a jack detection workqueue item executes after the driver component has been removed. The missing cancel_delayed_work_sync call in the component remove path allows nau8821_jdet_work to dereference freed kernel structures, producing a fatal page fault. No public exploit exists and EPSS is 0.02%, but any NAU8821-equipped system on kernel versions from 5.16 through pre-6.19.4 is vulnerable to local denial-of-service via kernel panic.

Denial Of Service Linux Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leaks in the GFS2 cluster filesystem driver (fs/gfs2/) allow a local low-privileged user to exhaust kernel memory over time, producing availability degradation or denial of service on affected Linux systems. Two distinct leak paths exist in gfs2_fill_super() error handling: kernel thread objects for logd and quotad (~4480 bytes each) are not released when gfs2_freeze_lock_shared() fails after init_threads() succeeds, and a quota bitmap buffer (8192 bytes) is not freed when gfs2_make_fs_rw() fails after gfs2_quota_init() completes. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with a triggered-path defect requiring GFS2-specific failure conditions rather than opportunistic mass exploitation.

Linux Denial Of Service Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation or denial-of-service in the Linux kernel's AMD CCP (Cryptographic Coprocessor) driver stems from a misuse of the __cleanup(kfree) attribute on a local pointer, causing kfree() to be invoked with the address of a stack variable rather than the heap allocation returned by kmalloc. The resulting invalid deallocation of a stack address crashes the kernel and could be leveraged by a low-privileged local user for impact on confidentiality, integrity, and availability (CVSS 7.8). EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but vendor patches are available in stable trees 6.18.14 and 6.19.4.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local privilege escalation and kernel memory corruption in the Linux kernel's Exynos DRM (drm/exynos) vidi driver allows a low-privileged local user to access arbitrary kernel memory by exploiting an unsafe user pointer dereference in vidi_connection_ioctl(). The flaw affects multiple kernel branches up to 6.18.14 and is fixed in stable releases 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.77, 6.18.14, 6.19.4, and 7.0. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 7th percentile).

Linux Samsung Denial Of Service +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial of service in the Linux kernel's RCU (Read-Copy-Update) subsystem allows a local condition to trigger an infinite recursion deadloop in rcu_read_unlock_special() when ftrace is enabled, leading to kernel hang or crash. The flaw stems from a missing recursion-protection flag when raise_softirq_irqoff() is invoked from the RCU unlock path, causing repeated re-entry through the softirq/trace stack. No public exploit identified at time of analysis and EPSS rates exploitation probability at 0.02%.

Denial Of Service Linux Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's Exynos DRM VIDI (Virtual Display) driver allows local users with access to the DRM device to trigger null pointer dereferences, garbage value accesses, out-of-bounds reads, or use-after-free conditions via the vidi_connection_ioctl() handler. The flaw stems from an incorrect device-to-context lookup that retrieves driver_data from the exynos-drm master device instead of the VIDI component device. A vendor patch is available across multiple stable branches, no public exploit identified at time of analysis, and EPSS rates exploitation probability at only 0.02%.

Denial Of Service Samsung Linux +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's ab8500 power supply driver (drivers/power/supply/ab8500) can be triggered during device removal or probe due to incorrect ordering of devm_-managed resource allocation. The race allows an IRQ handler to invoke power_supply_changed() against a freed or uninitialized power_supply handle, typically resulting in a kernel crash or silent memory corruption. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the flaw is not on CISA KEV.

Linux Use After Free Memory Corruption +3
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Kernel NULL pointer dereference in the Linux EROFS compressed filesystem driver allows a local user reading from an EROFS image to crash the system. The flaw lives in z_erofs_decompress_pcluster(), where compressed folios for ztailpacking pclusters are added to I/O chains before being validated; if inline-data reading fails (notably when a fatal signal interrupts read_mapping_folio()), decompression assumes the folios are valid and dereferences a NULL pointer. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%), and the issue is not in CISA KEV.

Linux Denial Of Service Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Memory corruption in the Linux kernel's pm8916_lbc power-supply driver (Qualcomm PM8916 PMIC linear battery charger) stems from a use-after-free in power_supply_changed(), where devm-managed teardown ordering lets a charger interrupt fire against a freed or not-yet-initialized power_supply handle during driver probe or removal. Local attackers able to trigger device unbind/rebind or module load/unload can crash the system or silently corrupt kernel memory. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis; the issue is not in CISA KEV.

Memory Corruption Linux Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's goldfish power-supply driver (drivers/power/supply/goldfish_battery) allows a local attacker to crash the system or corrupt kernel memory by racing device probe/removal against the battery IRQ handler. The driver requested its IRQ via devm_ before registering the power_supply handle, so on teardown the handle is freed while the still-live interrupt can fire and call power_supply_changed() on freed (or, during probe, uninitialized) memory. No public exploit identified at time of analysis; EPSS is negligible (0.02%) and the bug is not in CISA KEV.

Memory Corruption Linux Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation or denial-of-service in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) arises from a use-after-free of the mm structure during iommu_sva_unbind_device(). The driver previously released the mm reference before unbinding, allowing iommu_mm access on freed memory. No public exploit identified at time of analysis and EPSS scores this at 0.02% (4th percentile), indicating very low expected exploitation activity in the near term.

Linux Denial Of Service
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

An infinite self-IPI loop in the Linux kernel's real-time scheduler `rto_next_cpu()` function causes a CPU hardlockup, resulting in a complete denial of service on affected multi-CPU systems. Systems with `HAVE_RT_PUSH_IPI` enabled are vulnerable when a specific concurrent mix of CPU-bound RT tasks, non-CPU-bound RT tasks, and kernel-stuck CFS tasks triggers a race condition between `rd->rto_loop` and `rd->rto_loop_next` during RT load balancing. No public exploit exists and this is not listed in CISA KEV; the EPSS score of 0.02% (7th percentile) confirms low real-world exploitation probability.

Linux Denial Of Service Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's ovpn (in-kernel OpenVPN) TCP socket handling causes a local denial of service via kernel crash. The race condition - between keepalive-driven peer release and concurrent userspace socket closure via tcp_close() - allows a low-privileged local user to trigger a kernel crash when ovpn attempts to dereference a NULL sk->sk_socket pointer during socket detachment. No public exploit has been identified and EPSS stands at 0.02% (4th percentile), reflecting narrow real-world exploitability constrained by the specific configuration and timing required.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-relevant memory corruption in the Linux kernel's sbs-battery power supply driver (drivers/power/supply/sbs-battery) stems from a use-after-free in power_supply_changed(). Because the driver requested its IRQ via devm_ before allocating/registering the power_supply handle, devm teardown frees the handle in reverse order while the interrupt is still live, so an SMBus battery interrupt firing during device removal (or before registration during probe) invokes power_supply_changed() on a freed or uninitialized pointer, typically crashing the system or silently corrupting memory. EPSS is negligible (0.02%, 7th percentile), no public exploit is identified, and it is not on CISA KEV; the fix is upstream-committed and shipped in multiple stable releases.

Memory Corruption Linux Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local memory corruption affects the Linux kernel's hwmon ibmpex driver, where commit 6946c726c3f4 - intended to fix a use-after-free in the high/low sysfs store handlers - instead introduced a new race condition by setting driver data to NULL before removing sensor attributes. The remediation is a revert of that flawed commit across the 6.1, 6.6, 6.12, 6.18, and 6.19 stable trees. With EPSS at 0.02% (7th percentile), no public exploit identified at time of analysis, and no CISA KEV listing, real-world risk is minimal given the obscure IBM PowerExecutive sensor hardware the driver targets.

Memory Corruption Linux Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's cdns3 USB dual-role driver crashes the kernel when a USB OTG role switch to host mode occurs during a system resume from suspend. The host role's resume() operation calls usb_hcd_is_primary_hcd() on an xhci-hcd device whose probe has been deferred by the driver model, yielding a dereference at virtual address 0x208 and a kernel oops. Impact is limited to denial of service (system crash); no privilege escalation or data disclosure is possible. No active exploitation is confirmed (CISA KEV absent, EPSS 0.02%), and the vulnerability is practically relevant only on hardware platforms featuring the Cadence USB3 cdns3 controller.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's pf1550 power-supply driver (drivers/power/supply/pf1550) lets a queued hardware interrupt invoke power_supply_changed() on an already-freed power_supply handle during module/device removal, and can also dereference an uninitialized handle during probe. The flaw stems from devm-managed resource ordering: the IRQ was requested before the power_supply was registered, so devm teardown frees the power_supply first. Impact is typically a kernel crash or silent memory corruption. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis.

Memory Corruption Linux Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-level use-after-free in the Linux kernel's bq256xx battery charger driver (power: supply: bq256xx) allows memory corruption when a charger IRQ fires during device probe or removal, calling power_supply_changed() against a freed or uninitialized power_supply handle. The flaw stems from devm_ resources being released in reverse order, so the IRQ outlives the power_supply registration; triggering it typically crashes the system or silently corrupts kernel memory. No public exploit is identified at time of analysis and EPSS exploitation probability is negligible (0.02%, 7th percentile), with no CISA KEV listing.

Memory Corruption Linux Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-impacting memory corruption in the Linux kernel's cpcap-battery power supply driver allows a use-after-free in power_supply_changed() triggered during device probe or removal. The driver requested its IRQ via devm_ before registering the power_supply handle, so on teardown the handle is freed while the interrupt handler can still fire, dereferencing freed memory and typically crashing the system or silently corrupting memory. EPSS is negligible (0.02%, 7th percentile) and there is no public exploit identified at time of analysis; the issue is confined to Motorola CPCAP PMIC hardware (e.g. Droid 4) rather than general-purpose servers.

Memory Corruption Linux Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's pm8916_bms_vm power-supply driver (for Qualcomm PM8916 battery monitoring on certain Snapdragon SoCs) lets a freed power_supply handle be dereferenced when an IRQ fires during device removal or probe, corrupting kernel memory or crashing the system. The flaw stems from devm-managed IRQ registration occurring before the power_supply handle was registered, so devm's reverse-order teardown frees the handle while the interrupt is still live. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; impact is realistically a local denial of service on the narrow set of devices using this driver.

Memory Corruption Linux Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-level use-after-free in the Linux kernel's bq25980 battery charger power-supply driver (drivers/power/supply/bq25980.c) allows a triggered IRQ to call power_supply_changed() on a freed or uninitialized power_supply handle, typically crashing the system or corrupting memory. The flaw stems from devm-managed IRQ registration ordering relative to power_supply registration, creating a race during driver probe and removal. EPSS is negligible (0.02%, 7th percentile), there is no public exploit identified at time of analysis, and it is not on CISA KEV; the fix is committed upstream and shipped in multiple stable kernels.

Memory Corruption Linux Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's Intel ISH HID subsystem (`intel_ishtp` module) causes a kernel panic and local denial of service during warm reset operations. The `ishtp_bus_remove_all_clients()` function dereferences `cl->device->reference_count` without a NULL guard, which is reachable when a firmware reset interrupts ISH client enumeration mid-flight. No public exploit or active exploitation (CISA KEV) exists; EPSS probability is 0.02% at the 5th percentile, consistent with a timing-dependent, hardware-specific kernel crash path.

Linux Denial Of Service Intel +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Error handling failure in the Linux kernel's arm64 Guarded Control Stack (GCS) subsystem allows a local low-privileged user on ARMv9 hardware to trigger a kernel denial of service by exploiting an incorrect NULL check in arch_set_shadow_stack_status(). Because alloc_gcs() propagates do_mmap() failures as error-encoded pointers rather than NULL, the existing guard is bypassed and the kernel proceeds to use an invalid GCS address, risking a kernel panic. No public exploit exists and EPSS sits at the 4th percentile, but the vulnerability is confirmed patched in Linux 6.18.14, 6.19.4, and 7.0.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's NXP i.MX8QM HSIO PHY driver crashes the kernel on affected embedded hardware. The flaw exists in `imx_hsio_configure_clk_pad()`, which unconditionally dereferences `refclk_pad` even when the `fsl,refclk-pad-mode` devicetree property is absent, setting the pointer to NULL during probe. A local low-privileged user on NXP i.MX8QM-based systems with vulnerable kernel versions can trigger a kernel panic, causing a full denial-of-service. No public exploit or active exploitation (CISA KEV) has been identified; EPSS of 0.02% at the 5th percentile confirms negligible exploitation probability.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's wm97xx battery power supply driver crashes the kernel when a hardware interrupt fires during a narrow initialization race window. Systems running Linux kernel versions from 2.6.32 through various stable branches (pre-patch releases in 5.10, 5.15, 6.1, 6.6, 6.12, 6.18, 6.19, and 7.0 series) with wm97xx-equipped hardware are affected. A local attacker - or natural hardware interrupt timing - can trigger a kernel panic (denial of service) during driver probe; no public exploit has been identified and EPSS sits at the 7th percentile, reflecting the narrow hardware footprint.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation potential via a use-after-free in the Linux kernel's act8945a power supply driver, where the ACT8945A PMIC IRQ is requested before the power_supply handle is registered (and torn down after it during removal), letting an interrupt invoke power_supply_changed() on a freed or uninitialized handle. Affected systems run vulnerable Linux kernel builds (pre-6.6.128, pre-6.12.75, pre-6.1.165, pre-5.15.202, pre-5.10.252, and others) with the act8945a driver bound to real Atmel/Microchip SAMA5-class hardware. There is no public exploit identified at time of analysis; EPSS is very low (0.02%, 7th percentile) and the flaw is not in CISA KEV.

Memory Corruption Linux Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Infinite loop denial of service in the Linux kernel's ntfs3 filesystem driver allows a local low-privileged user to hang the kernel's I/O subsystem by triggering a non-terminating loop in the file write path. The flaw in `ntfs_file_write_iter` (fs/ntfs3/file.c:1284) occurs when iterating over the valid data range [valid:pos) during a write operation - if the `valid` pointer fails to advance (returning the same value), the loop condition is never satisfied and the inode lock is held indefinitely, causing a full write-path hang. No active exploitation has been identified (absent from CISA KEV) and EPSS of 0.02% at the 7th percentile confirms negligible observed exploitation activity; a patch is available across all affected stable branches.

Linux Denial Of Service Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's csiostor SCSI driver (Chelsio T5 iSCSI storage controller) causes a local denial-of-service via kernel panic. The flaw resides in the error exit path: when the pointer rn is NULL, the CSIO_INC_STATS macro still dereferences it, triggering a kernel crash. Exploitation requires local low-privilege access on a system equipped with Chelsio csiostor hardware; no active exploitation is confirmed (not in CISA KEV) and EPSS sits at 0.02% (7th percentile), indicating minimal real-world exploitation pressure.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's AppArmor LSM function `aa_sock_file_perm` allows a local authenticated user to crash the kernel (oops) during socket setup or teardown. The flaw affects the fallback mediation path for AF_UNIX sockets and all other socket families when AppArmor is in enforcing mode, because neither `sock` nor `sock->sk` are validated for NULL before dereferencing. Impact is limited to availability (system crash); no confidentiality or integrity loss is possible. No public exploit is identified at time of analysis, and EPSS at 0.02% (7th percentile) indicates negligible exploitation probability.

Linux Denial Of Service Null Pointer Dereference +2
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Authenticated denial-of-service in IBM Db2 for Linux, UNIX, and Windows allows a low-privileged network user to crash database availability by submitting specially crafted data queries against the Fenced environment. The vulnerability affects IBM Cloud APM Base Private 8.1.4 and Advanced Private 8.1.4, which bundle Db2 as a backend component. No public exploit has been identified at time of analysis, and the CVSS score of 6.5 reflects meaningful but bounded risk due to the authentication prerequisite.

IBM Microsoft Denial Of Service
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

NULL pointer dereference in libusb's USB descriptor parser allows any attacker who can supply a crafted configuration descriptor to crash any application that uses libusb for USB device enumeration. Affected versions are all libusb releases before 1.0.30; the flaw resides in parse_interface() within descriptor.c and is reachable through the public APIs libusb_get_active_config_descriptor and libusb_get_config_descriptor. No public exploit code is identified at time of analysis and this CVE does not appear in the CISA KEV catalog, but the availability impact is confirmed high (CVSS 4.0 VA:H) and regression corpus files in the fix commit demonstrate reliable crash reproduction.

Information Disclosure Denial Of Service Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 allows an authenticated database user to crash or exhaust the database engine by submitting a specially crafted query when the autonomous transactions feature is enabled. The flaw (CWE-770, uncontrolled resource allocation) carries a CVSS 7.1 with high availability impact but no confidentiality or integrity loss. There is no public exploit identified at time of analysis, and CISA SSVC rates exploitation as 'none', indicating no observed activity to date.

Denial Of Service IBM
NVD VulDB
Prev Page 22 of 406 Next

Quick Facts

Typical Severity
MEDIUM
Category
other
Total CVEs
36508

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy