Skip to main content

Denial of Service

other MEDIUM

Denial of Service attacks render applications or systems unavailable by overwhelming resources or triggering failure conditions.

How It Works

Denial of Service attacks render applications or systems unavailable by overwhelming resources or triggering failure conditions. Attackers exploit asymmetry: minimal attacker effort produces disproportionate resource consumption on the target. Application-level attacks use specially crafted inputs that trigger expensive operations—a regex engine processing malicious patterns can backtrack exponentially, or XML parsers recursively expand entities until memory exhausts. Network-level attacks flood targets with connection requests or amplify traffic through reflection, but application vulnerabilities often provide the most efficient attack surface.

The attack typically begins with reconnaissance to identify resource-intensive operations or unprotected endpoints. For algorithmic complexity attacks, adversaries craft inputs hitting worst-case performance—hash collision inputs filling hash tables with collisions, deeply nested JSON triggering recursive parsing, or pathological regex patterns like (a+)+b against strings of repeated 'a' characters. Resource exhaustion attacks open thousands of connections, upload massive files to unbounded storage, or trigger memory leaks through repeated operations. Crash-based attacks target error handling gaps: null pointer dereferences, unhandled exceptions in parsers, or assertion failures that terminate processes.

Impact

  • Service unavailability preventing legitimate users from accessing applications during attack duration
  • Revenue loss from downtime in e-commerce, SaaS platforms, or transaction processing systems
  • Cascading failures as resource exhaustion spreads to dependent services or database connections pool out
  • SLA violations triggering financial penalties and damaging customer trust
  • Security team distraction providing cover for data exfiltration or intrusion attempts running concurrently

Real-World Examples

CVE-2018-1000544 in Ruby's WEBrick server allowed ReDoS through malicious HTTP headers containing specially crafted patterns that caused the regex engine to backtrack exponentially, freezing request processing threads. A single attacker could saturate all available workers.

Cloudflare experienced a global outage in 2019 when a single WAF rule containing an unoptimized regex hit pathological cases on legitimate traffic spikes. The .*(?:.*=.*)* pattern exhibited catastrophic backtracking, consuming CPU cycles across their edge network until the rule was disabled.

CVE-2013-1664 demonstrated XML bomb vulnerabilities in Python's XML libraries. Attackers uploaded XML documents with nested entity definitions-each entity expanding to ten copies of the previous level. A 1KB upload could expand to gigabytes in memory during parsing, crashing applications instantly.

Mitigation

  • Strict input validation enforcing size limits, complexity bounds, and nesting depth restrictions before processing
  • Request rate limiting per IP address, API key, or user session with exponential backoff
  • Timeout enforcement terminating operations exceeding reasonable execution windows (typically 1-5 seconds)
  • Resource quotas limiting memory allocation, CPU time, and connection counts per request or tenant
  • Regex complexity analysis using linear-time algorithms or sanitizing patterns to eliminate backtracking
  • Circuit breakers automatically rejecting requests when error rates or latency thresholds indicate degradation
  • Load balancing and autoscaling distributing traffic across instances with automatic capacity expansion

Recent CVEs (36495)

EPSS 0% CVSS 7.3
HIGH PATCH This Week

Heap-based buffer overflow in libtiff's PixarLog codec decoder lets attackers crash or potentially execute code in any application that decodes a maliciously crafted PixarLog-compressed TIFF using the PIXARLOGDATAFMT_8BITABGR output format with a specific stride value. Any software linking libtiff for TIFF decoding is exposed, with impact ranging from denial of service to potential arbitrary code execution. No public exploit identified at time of analysis and the issue is not on the CISA KEV list, so exploitation is theoretical rather than observed.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

SQL injection in FrontAccounting's Audit Trail report handler (reporting/rep710.php) lets authenticated users holding the SA_GLANALYTIC permission run arbitrary SQL through the PARAM_2 and PARAM_3 POST parameters in all releases prior to 2.4.20. Attackers can extract arbitrary database contents via UNION-based injection or knock the application offline by amplifying SLEEP() across JOINed result sets to exhaust database connections. Publicly available exploit code exists (VulnCheck/Jiva Security writeup), but the issue is not in CISA KEV, so it is no public exploit identified as actively exploited.

SQLi Denial Of Service Frontaccounting
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Arbitrary file overwrite in libzypp before 17.38.10 lets a remote attacker who controls a software repository plant crafted repository metadata (repomd/SUSE content files) with '../' location paths that escape the repo root, allowing files anywhere on the system to be overwritten when a victim adds and refreshes that repository. Because zypper-based refresh operations typically run as root, this can escalate to privilege escalation or denial of service. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Privilege Escalation Path Traversal Denial Of Service +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Out-of-bounds read in Eclipse tinydtls prior to commit b3efd41ad111a4920f599f51ffa4f5e9f1e72221 allows unauthenticated network attackers to crash memory-constrained IoT devices by sending a specially crafted Certificate handshake message during DTLS epoch 0. The vulnerable check_server_certificate() function omits buffer length validation before uint24 reads, memcmp, and memcpy operations, enabling reads beyond valid buffer boundaries on both client and server code paths. No public exploit code or active exploitation has been identified at time of analysis; however, the unauthenticated, network-reachable nature makes this straightforward to trigger against any exposed tinydtls endpoint.

Denial Of Service Buffer Overflow Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Heap use-after-free read in libblkid (util-linux) enables unauthenticated local attackers to crash udisks or leak root-process heap data by presenting a crafted block device image during nested partition probing. BSD, Minix, Solaris x86, and UnixWare partition table parsers cache raw pointers into a dynamically allocated partition array; when subsequent partition additions trigger array reallocation, those pointers become stale and dereference freed memory. Because udev and udisks invoke libblkid automatically as root on block-device hot-plug events, USB insertion alone is sufficient to trigger the flaw without any user interaction or authentication. No public exploit identified at time of analysis.

Memory Corruption Denial Of Service Use After Free +9
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Integer overflow in spice-vdagent's message parsing allows a malicious or compromised SPICE host to crash the guest VM's vdagent daemon by delivering a specially crafted message that triggers a downstream heap buffer overflow. Affected deployments span spice-vdagent as packaged in Red Hat Enterprise Linux 6 through 10, where the daemon runs inside guests handling host-to-guest SPICE protocol communications. No public exploit code or CISA KEV listing exists at time of analysis; exploitation is structurally constrained by the requirement that the attacking SPICE host itself be untrusted or already compromised prior to the attack.

Integer Overflow Denial Of Service Buffer Overflow +5
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's AMD64 AGP driver crashes systems running in virtualized environments without physical AMD northbridge hardware. Broken error propagation in `agp_amd64_probe()` - comparing `cache_nbs()` return value against exactly `-1` rather than `< 0` - masks the `-ENODEV` error code, allowing the driver to proceed with initialization, ultimately causing a General Protection Fault in `amd64_fetch_size()` when `node_to_amd_nb(0)` returns NULL. No public exploit has been identified at time of analysis, EPSS is 0.18% (7th percentile), and impact is confined to local denial of service via kernel crash; patches are confirmed available across multiple stable branches.

Linux Amd Denial Of Service +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in EIPStackGroup OpENer (commit 76b95c), an open-source EtherNet/IP stack, allows remote attackers to crash the device by sending a crafted Common Packet Format (CPF) packet that triggers a buffer overflow in the Get_Attribute_List handler. The flaw is network-reachable without authentication or user interaction (CVSS 7.5, availability-only impact), and SSVC indicates proof-of-concept exploit code exists and that exploitation is automatable. EPSS is low (0.17%, 7th percentile) and the CVE is not on CISA KEV, so there is no public evidence of active exploitation yet.

Authentication Bypass Denial Of Service Buffer Overflow +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

A heap buffer overflow in the HighPriorityASDUQueue_hasUnconfirmedIMessages function of lib60870 v2.3.3 to v2.3.6 allows attackers to cause a Denial of Service (DoS) via a crafted payload.

Denial Of Service Buffer Overflow N A +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Heap buffer overflow in snap7 v1.4.3 crashes the embedded S7 server when processing a specially crafted write function packet targeting TS7Worker::PerformFunctionWrite() in /core/s7_server.cpp. Systems deploying snap7 as an S7-compatible communication server - common in industrial SCADA, HMI, and IoT gateway applications bridging to Siemens S7-series PLCs - can be disrupted remotely with no privileges required per the CVSS PR:N designation. No public exploit identified at time of analysis, and the EPSS score of 0.19% (8th percentile) reflects minimal current exploitation activity; however, operational impact in OT environments can exceed what the CVSS Availability score alone suggests.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD GitHub
EPSS 0% CVSS 2.9
LOW POC PATCH Monitor

Denial-of-service in xiaozhi-esp32 MQTT firmware (versions up to 2.2.6) allows a remote attacker to crash the device's MQTT session handler by sending a crafted goodbye message containing a non-string session_id field. The MQTT Goodbye Handler in mqtt_protocol.cc fails to validate the cJSON type of the session_id node before dereferencing its valuestring member, producing undefined behavior that terminates the session. A public proof-of-concept exists (GitHub issue #2022), but attack complexity is rated high (AC:H) and the vulnerability is not listed in the CISA KEV catalog, suggesting exploitation requires deliberate effort rather than opportunistic scanning.

Denial Of Service Xiaozhi Esp32
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

NULL pointer dereference in the Zephyr Bluetooth LE Audio Basic Audio Profile unicast client crashes devices running Zephyr v4.3.0 and v4.4.0 (and earlier) when connected to a malicious or buggy remote ASCS server. The handler unicast_client_ep_qos_state() writes attacker-controlled QoS fields through stream->qos without verifying the pointer is non-NULL - a condition that legitimately exists during the window between bt_bap_stream_config() and unicast_group_add_stream(). No public exploit code has been identified and this vulnerability is not listed in CISA KEV, but CVSS adjacency (AV:A) and no-auth (PR:N) make it exploitable by any device within Bluetooth LE radio range acting as a rogue ASCS server.

Denial Of Service Null Pointer Dereference Zephyr
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Memory corruption and denial of service in Zephyr RTOS (v4.0.0 through v4.4.0) arises in the BSD-sockets getaddrinfo() implementation, where a timed-out DNS query is retried without cancelling the prior query, leaving a callback holding a pointer into a stack frame that goes out of scope after getaddrinfo() returns. A network-delivered DNS response matched by its spoofable 16-bit transaction id, or the resolver's own delayed timeout work, then writes through that stale pointer, enabling crashes or reused-stack corruption. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; exploitation is gated by a timing/race window reflected in CVSS AC:H.

Memory Corruption Buffer Overflow Denial Of Service +2
NVD GitHub VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Out-of-bounds write in Zephyr RTOS's Microchip SERCOM-G1 UART driver (introduced in v4.4.0) allows an adjacent attacker who can send serial data to corrupt one byte of memory immediately beyond the caller-supplied RX buffer, potentially causing a crash or denial of service. The flaw exists only when CONFIG_UART_MCHP_ASYNC is enabled (non-default on in-tree PIC32CM-JH board configs) and the consuming application calls uart_rx_enable() with a one-byte buffer - a narrow but real embedded firmware scenario. No exploit code is publicly available and this vulnerability is not listed in CISA KEV; the upstream fix has been committed but a tagged patched release version has not been independently confirmed.

Memory Corruption Denial Of Service Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

Out-of-bounds reads and a process crash in Nmap through 7.99 can be triggered remotely by any host that is being scanned, or by an on-path attacker, via a crafted IPv6 packet with a truncated extension header. The root cause is an integer underflow in the `ipv6_get_data_primitive` function (libnetutil/netutil.cc) where an insufficiently strict bounds check allows the extension-header walk pointer to advance past the captured packet buffer, causing the remaining-length subtraction to wraparound to a very large value. A publicly available exploit proof-of-concept exists; this vulnerability is not currently listed in the CISA KEV catalog.

Integer Overflow Denial Of Service Nmap
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in the FreeBSD kernel sound subsystem lets an unprivileged user map kernel memory outside the audio buffer via an integer-overflow flaw in dsp_mmap_single(). Because /dev/dsp device nodes are world-accessible by default, any local user on a system with an audio device can read and write arbitrary kernel memory, enabling full system compromise or a kernel panic (DoS). No public exploit identified at time of analysis; EPSS is low (0.19%, 9th percentile), and FreeBSD has released errata patches.

Denial Of Service Buffer Overflow Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 7.0
HIGH This Week

Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible through the stale mapping. The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).

Memory Corruption Denial Of Service Use After Free +1
NVD VulDB
CVSS 8.8
HIGH This Week

Cross-operator authorization bypass in juev/nebula-mesh (<= 0.3.4) lets any authenticated non-admin operator read and mutate resources owned by other operators through the web UI (/ui/*), which-unlike the JSON API fixed in GHSA-598g-never applies per-operator CA scoping. An attacker with a low-privileged operator account can enumerate every operator's hosts and networks (names, Nebula/public IPs, certificate fingerprints, CIDRs) and can block (revoke certificates) or delete any host in the deployment, causing cross-operator denial of service. No public exploit identified at time of analysis and the issue is not in CISA KEV, but exploitation is trivial for any non-admin user once one exists.

Authentication Bypass Denial Of Service
NVD GitHub
CVSS 7.5
HIGH PATCH This Week

Memory-exhaustion denial of service in the python-socketio server (Socket.IO for Python, versions <= 5.16.1) lets remote clients pin server memory by sending binary EVENT or ACK packets while deliberately withholding one or more of the declared binary attachments. Because the server buffers the partial message and its received attachments in memory until all attachments arrive, an attacker can repeatedly open such incomplete messages to grow memory consumption unbounded and exhaust server resources. No public exploit identified at time of analysis; not listed in CISA KEV.

Python Denial Of Service
NVD GitHub
CVSS 7.5
HIGH PATCH This Week

Denial of service in the python-engineio server (versions <= 4.13.1) allows remote unauthenticated attackers to exhaust server resources by abusing the heartbeat mechanism, which spawns a new background thread on each connection and on every PONG packet received. Synchronous servers are most at risk because each heartbeat is a physical OS thread; asynchronous deployments allocate lightweight tasks and are far less affected. No public exploit has been identified at the time of analysis, and the issue is not listed in CISA KEV; a vendor-released patch (version 4.13.2) is available.

Python Denial Of Service
NVD GitHub
CVSS 7.5
HIGH PATCH This Week

Uncontrolled memory allocation in python-engineio (versions <= 4.13.1) lets remote attackers exhaust server memory by sending oversized messages that are loaded before any size check, causing denial of service (availability-only impact). The flaw triggers in two specific transport configurations - ASGI with long-polling POST requests, and Aiohttp with the WebSocket transport - and is fixed in 4.13.2. No public exploit identified at time of analysis, and the issue is not in CISA KEV; no EPSS score was provided.

Python Denial Of Service
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by submitting tens of KB of repeated email/link-like text. The core public API LinkifyIt.prototype.match runs an O(N²) scan loop that re-slices the input and re-runs unanchored fuzzy regex searches once per match, so 64 KB of "a@b.com" burns ~2.5 s of single-threaded CPU and 128 KB ~10 s. The flaw is inherited by markdown-it (~21.6M weekly npm downloads) whenever linkify:true is set, exposing forums, chat, wikis and AI chat UIs; publicly available exploit code (a PoC in the GHSA advisory) exists, but there is no evidence of active exploitation.

Apple Node.js Mattermost +2
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel MANA (Microsoft Azure Network Adapter) driver crashes the host kernel when initializing Virtual Function (VF) devices in VFIO passthrough or nested KVM environments where `pdev->slot` is unpopulated. Systems running affected kernel versions in Azure-style or nested virtualization deployments face deterministic kernel panics and total availability loss on the host. No public exploit code has been identified, and EPSS probability is 0.16% (5th percentile), indicating low opportunistic exploitation risk - though in targeted Azure or nested KVM environments, the crash is straightforwardly reproducible.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's mt76/mt7925 WiFi driver crashes the kernel when the 'sta' pointer is dereferenced before a NULL check in mt7925_tx_check_aggr(). Systems with MediaTek mt7925 WiFi hardware running affected kernel versions are exposed to a local denial-of-service via kernel panic. No public exploit exists and EPSS is at the 5th percentile (0.16%), indicating no observed widespread exploitation; patches have been applied across multiple stable kernel branches.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Firmware crash in the Linux kernel's mt76/mt7921 WiFi driver allows a local low-privileged user to cause denial of service by triggering station Association ID (AID) values above the firmware's undocumented limit of 20. Affected hardware includes Mediatek mt7922 chipsets operating in AP mode (IFTYPE_AP). Exploitation requires running a non-standard hostapd configuration that allocates AIDs starting at 65 or higher - stock hostapd is not affected. No public exploit has been identified and EPSS is 0.16% (5th percentile), indicating very low exploitation likelihood.

Linux Mediatek Denial Of Service
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's AMD RAS subsystem crashes systems with AMD GPU hardware. The function `ras_core_ras_interrupt_detected()` in `drm/amd/ras` fails to validate the `ras_core` pointer before dereferencing `ras_core->dev` in an error path, enabling a local low-privilege user to trigger a kernel panic and denial of service. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS at 0.14% (4th percentile) confirms negligible current exploitation probability. Upstream fix commits are available in stable kernel trees.

Linux Amd Denial Of Service +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's drm/amd/ras subsystem allows a local low-privileged user to crash the kernel on systems with AMD GPUs. The flaw in ras_core_get_utc_second_timestamp() occurs when a NULL ras_core pointer passes a conditional check but is then dereferenced in the subsequent error-printing path, producing a kernel panic. No public exploit exists and EPSS sits at 0.15% (4th percentile), placing this firmly as a low-urgency local denial-of-service hardening issue despite the Availability:High CVSS rating.

Linux Amd Denial Of Service +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel AMD display driver (drm/amd/display) can cause a kernel panic on systems running AMD GPUs, resulting in a complete denial of service. The flaw resides in dc_dmub_srv_log_diagnostic_data() and dc_dmub_srv_enable_dpia_trace() in dc_dmub_srv.c, where a combined NULL guard incorrectly permits DC_LOG_ERROR() - which internally dereferences dc_dmub_srv->ctx - to execute when dc_dmub_srv itself is NULL. No public exploit has been identified at time of analysis and EPSS sits at the 4th percentile, indicating very low exploitation probability in the wild.

Linux Amd Denial Of Service +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Integer overflow on the RISC-V IOMMU invalidation path in the Linux kernel triggers an infinite loop, causing a local denial of service. A low-privileged local user on an affected RISC-V system with IOMMU hardware can hang the kernel by inducing an invalidation where gather->end equals ULONG_MAX, exploiting the sign-extended page table range supported by RISC-V. EPSS is 0.15% (5th percentile), no active exploitation has been identified, and no public exploit code is known.

Linux Denial Of Service
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's pinctrl subsystem allows a local low-privileged attacker to crash the kernel, causing a denial of service. The flaw exists in pinconf_generic_parse_dt_pinmux(), which fails to validate that a 'pinmux' Device Tree property is non-empty before use - an empty property causes the allocator to return an invalid non-NULL pointer, and subsequent memory access triggers a kernel panic. No public exploit code exists and EPSS is 0.15% (5th percentile), reflecting low real-world exploitation probability; exploitation is further constrained to systems with specific pinctrl hardware and Device Tree configurations.

Linux Denial Of Service Null Pointer Dereference
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's ps883x USB Type-C retimer driver causes a kernel Oops during device unbind, resulting in a denial of service. The ps883x_retimer_remove() function calls i2c_get_clientdata() to retrieve driver-private state, but i2c_set_clientdata() was never called during probe, leaving the pointer NULL; dereference at offset 0x20 triggers a fatal translation fault. Systems with ps883x retimer hardware running affected kernel versions are vulnerable when a privileged local user unbinds the driver via sysfs. No active exploitation is confirmed (no CISA KEV listing), and the EPSS score of 0.17% (6th percentile) reflects negligible real-world exploitation probability.

Linux Lenovo Denial Of Service +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's EIP93 hardware crypto driver triggers a kernel panic during AEAD crypto operations on affected embedded systems. The root cause is a self-contradictory algorithm lookup mask in eip93_hmac_setkey() - CRYPTO_ALG_ASYNC is passed as an exclusion mask, yet EIP93 algorithms are inherently async, so the lookup always returns -ENOENT. This leaves the AEAD security association record with zeroed digest fields; any subsequent crypto operation then dereferences a NULL context pointer, crashing the kernel. No public exploit is identified at time of analysis, and EPSS is very low (0.17%, 6th percentile), reflecting the narrow hardware-specific attack surface.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in the Amlogic T7 SoC reset driver crashes the Linux kernel when uninitialized reset operation callbacks are invoked, causing a full system denial of service. Local low-privilege users on systems physically equipped with an Amlogic T7 SoC are affected across kernel versions from the introduction commit through the patched releases 6.18.33, 7.0.10, and 7.1. No public exploit has been identified and EPSS of 0.17% (6th percentile) reflects negligible real-world exploitation interest; this is a hardware-specific stability fix rather than an actively exploited security threat.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's Airoha QDMA network driver causes a kernel panic (denial of service) when queue entry list allocation fails during TX queue initialization. Systems running Airoha-based network hardware on affected kernel versions - including Linux 6.19 - are vulnerable when the driver's cleanup path dereferences an uninitialized descriptor array pointer. No public exploit exists and EPSS sits at 0.17% (6th percentile), indicating minimal real-world exploitation activity; no CISA KEV listing.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's airoha QDMA network driver crashes the kernel when RX queue initialization fails mid-way through allocation. The flaw exists in airoha_qdma_init_rx_queue() where early ndesc initialization causes the cleanup routine to call netif_napi_del() on NAPI structures never registered via netif_napi_add(), dereferencing a null pointer and causing a local denial of service. No public exploit identified and EPSS at 0.17% (6th percentile) reflects minimal real-world exploitation probability; impact is constrained to systems running Airoha QDMA-based network hardware.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel panic via NULL pointer dereference in the Linux kernel MANA (Microsoft Azure Network Adapter) driver allows a local low-privileged user to crash the host when a power management resume failure leaves the driver in a torn-down state. The mana_remove() function is invoked twice - first during a failed mana_probe() recovery path that nullifies gdma_context and driver_data, and again when the driver is subsequently unbound - dereferencing a NULL gc pointer. No public exploit exists and EPSS is 0.17% (6th percentile), indicating minimal real-world exploitation activity; however, the impact on Azure Linux VM availability is complete (kernel panic).

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel panic via reachable assertion in the Linux kernel Phonet subsystem allows any low-privileged local user to crash the system. The flaw exists in pn_socket_autobind() at net/phonet/socket.c:213, where a BUG_ON() assertion fires when pn_socket_bind() returns -EINVAL for a reason other than an already-bound socket - specifically, when sk->sk_state is not TCP_CLOSE on an unbound socket. This was confirmed exploitable by syzbot fuzzing. No public exploit exists independent of the syzbot reproducer, and no active exploitation is reported in CISA KEV; EPSS at the 5th percentile confirms low real-world exploitation probability.

Linux Denial Of Service
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel crash via NULL pointer dereference in the ALSA HDA Conexant audio driver affects Linux kernel stable branches from 5.15 through 7.0, exploitable by a local low-privileged user on systems with Conexant HDA audio hardware. The cx_probe() function ignores the error pointer returned by snd_hda_jack_detect_enable_callback() on memory allocation failure, leaving the jack detection callback unregistered and an internal structure uninitialized; a subsequent audio jack event then triggers a kernel panic. No public exploit exists and no CISA KEV listing is present; EPSS is 0.17% (7th percentile), confirming very low real-world exploitation probability.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel ice driver's ice_reset_all_vfs() function crashes the host kernel when a Virtual Function VSI rebuild fails during concurrent NVM firmware updates on Intel E800-series NICs. Systems with SR-IOV enabled on Intel E800-series adapters running kernel versions from 5.8 through the patched stable releases are affected. An attacker or privileged local process can trigger a kernel panic by initiating a VF reset while nvmupdate64e has placed Admin Queue commands in a transitional failure state, resulting in complete host denial of service. No public exploit exists and EPSS is negligible at 0.17% (7th percentile); CISA KEV listing is absent.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory corruption in the arm64 early kernel mapping on Linux allows a local low-privileged user to cause a kernel panic through an off-by-one page-table allocation error introduced since commit 5973a62efa34. Affected systems running 4K page granule on arm64 hardware may have the [data, end) segment overflow into the guard gap page before early_init_stack, corrupting critical early initialization memory. No public exploit exists and EPSS is 0.17% (6th percentile), reflecting this as primarily a kernel stability and reliability concern for arm64 deployments rather than an actively weaponized attack vector.

Linux Denial Of Service
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel crash in Linux DRM/AMD DCN32 display subsystem affects systems equipped with AMD RDNA3-generation GPUs running x86 non-RT kernels. The dcn32_validate_bandwidth() function locks FPU registers via DC_FP_START(), disabling local softirqs, then calls kvzalloc() for a ~335 KiB phantom-plane allocation that triggers the vmalloc path; vmalloc fires BUG_ON(in_interrupt()), crashing the kernel. No public exploit has been identified at time of analysis, and EPSS at 0.15% (5th percentile) reflects low real-world exploitation interest.

Linux Amd Denial Of Service
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Improper error handling in the btrfs filesystem's transaction commit path (btrfs_write_and_wait_transaction) lets a failed metadata writeout leave dirty extent buffers uncleaned, forcing the filesystem read-only and triggering kernel warnings at unmount. The flaw affects Linux kernels prior to 6.18.33, 7.0.10, and 7.1 and is an availability/data-integrity issue on btrfs volumes, with no confidentiality impact despite an 'Information Disclosure' tag in the source data. There is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.17%, 6th percentile).

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Boot-time kernel crash in Linux 6.16+ on AMD IOMMU-equipped systems causes a General Protection Fault when a PCI device whose Bus:Device.Function address is absent from the ACPI IVRS table is encountered during IOMMU initialization. The root cause is a missing bounds check in __rlookup_amd_iommu() that was latent until commit e874c666b15b changed the rlookup_table allocation from a zeroed page-order block (which returned NULL on overrun) to a tight kvcalloc(), causing adjacent slab contents to be dereferenced as a valid struct amd_iommu pointer. The result is a non-recoverable GPF at boot time, confirmed in production on Google Compute Engine ct6e VMs; no public exploit code and no CISA KEV listing exist at time of analysis.

Google Linux Amd +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stack access fault in the x86/kexec purgatory handoff crashes non-kjump kexec operations on affected Linux kernel versions, resulting in a local denial of service. A prior regression removed a 'gratuitous' stack push in the non-kjump path; however, the purgatory code shipped by kexec-tools still reads above its stack top expecting that return address, triggering a memory fault that aborts the kexec reboot or crashes the system. No public exploit exists and EPSS sits at the 6th percentile, placing this firmly in the reliability-regression category rather than an adversarial attack surface.

Linux Denial Of Service
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Local privilege escalation or denial of service in the Linux kernel's Intel VT-d IOMMU driver (iommu/vt-d) arises from incomplete handling of a missing dev_pasid entry during PASID teardown; an authenticated low-privileged actor able to drive IOMMU/PASID detach operations can trigger a NULL pointer dereference or unbalanced refcount that may decay into a use-after-free. This completes an earlier partial fix (commit 60f030f7418d) and is tagged as Denial of Service. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low at 0.17% (6th percentile).

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel IOMMU subsystem crashes affected systems during PCI device reset when a default domain allocation has previously failed. Local users with low-privilege access on Linux kernel versions in the 7.0 branch (prior to 7.0.10) and before 7.1 can trigger a kernel panic through the `pci_dev_reset_iommu_done()` function, resulting in a denial of service. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.15% (5th percentile) reflects the low real-world exploitation likelihood given the edge-case hardware precondition and local-only attack vector.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel arm_mpam subsystem allows a local low-privileged attacker to crash the kernel by triggering a specific cleanup code path before initialization completes. The flaw exists in __destroy_component_cfg(), which unconditionally dereferences the embedded 'garbage' structure to free the configuration array even when mpam_disable() is called before __allocate_component_cfg() has ever run. No public exploit code exists and the EPSS score of 0.15% (5th percentile) confirms negligible real-world exploitation activity; vendor-supplied patches are available via upstream stable commits.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
LOW POC PATCH Monitor

Nil pointer dereference in the Incus daemon (incusd) `CreateCustomVolumeFromBackup` function crashes the entire daemon process when a crafted backup tarball omits the `expires_at` field on any volume snapshot entry. Any authenticated user holding the `can_create_storage_volumes` entitlement on any project - below the admin tier - can trigger this with a single POST to the storage backup import endpoint, making it a persistent denial-of-service against all container, VM, and storage operations on the affected host or cluster member. A proof-of-concept exploit (479-byte tarball, confirmed against Incus 7.0.0) was bundled with the advisory; no public exploit identified at time of analysis beyond the reporter-supplied PoC. Fix is available in 7.1.0.

Ubuntu Denial Of Service Null Pointer Dereference
NVD GitHub
LOW POC PATCH Monitor

Nil-pointer dereference in Incus daemon (incusd) v7.0.0 allows any authenticated user holding the low-privilege `can_create_instances` permission to crash the entire incusd process with a single crafted HTTP request. The flaw resides in `createDependentVolumesFromBackup` (backend.go:9352-9412), where a prior partial fix (commit d768f81c) guarded only the outer loop variable but left three inner sub-fields - `disk.Volume`, `disk.Pool`, and `disk.VolumeSnapshots[i]` - unguarded against nil; an uploaded backup tarball with a null snapshot entry or omitted volume/pool block triggers a Go panic, taking down all container and VM operations on the host. No public exploit identified at time of analysis per CISA KEV, though a working 666-byte proof-of-concept tarball is publicly bundled with the report and was confirmed against the production 7.0.0 release.

Ubuntu Denial Of Service Null Pointer Dereference
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Envoy proxy versions 1.37.0 through 1.37.4 and 1.38.x before 1.38.3 lets remote attackers crash the proxy by sending a request that omits the Host header when access logging is configured with the %REQUESTED_SERVER_NAME(X:Y)% operator using host-related options (e.g. HOST_FIRST, SNI_FIRST). The missing header triggers a null pointer dereference (CWE-476), taking down the data-plane proxy and any traffic flowing through it. No public exploit identified at time of analysis and the issue is not in CISA KEV.

Denial Of Service Null Pointer Dereference Envoy
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Use-After-Free crash in Envoy's ext_authz HTTP filter allows remote unauthenticated attackers to trigger a segmentation fault and process crash by rapidly establishing and tearing down downstream connections when per-route authorization overrides are configured. Affected are Envoy versions 1.36.0-1.36.8, 1.37.0-1.37.4, and 1.38.0-1.38.2. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, though the race condition exploitability is constrained by requiring specific ext_authz per-route override configuration.

Memory Corruption Denial Of Service Use After Free +1
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Envoy proxy's External Processing (ext_proc) filter crashes with a use-after-free when an ext_proc gRPC server sends a single batched gRPC message containing multiple specially crafted ProcessingResponse objects. Affected versions span 1.34.0 through pre-fix releases across four maintained branches; fixed releases are 1.35.13, 1.36.9, 1.37.5, and 1.38.3. With CVSS PR:L, exploitation requires control of or compromise of the ext_proc gRPC server endpoint, limiting the realistic attacker population but making this a high-priority patch for any deployment running ext_proc. No public exploit code and no CISA KEV listing exist at time of analysis.

Memory Corruption Denial Of Service Use After Free +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The envoy.filters.http.grpc_stats HTTP filter in Envoy versions 1.26.0 through the pre-fix releases crashes with a null pointer dereference when a Connect protocol request (Content-Type: application/connect+proto or application/connect+json) is routed to a direct_response route, terminating the Envoy process entirely. The vendor description states a single unauthenticated HTTP request is sufficient to trigger the crash, giving any network-reachable attacker a trivial one-packet denial of service against affected deployments. No confirmed active exploitation (absent from CISA KEV) and no public exploit code has been identified at time of analysis, but the trivial trigger condition makes this high practical risk for any deployment with both preconditions present.

Denial Of Service Null Pointer Dereference Envoy
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Null pointer dereference in Envoy's router filter crashes the entire proxy process, terminating all active connections, when body-less non-GET/HEAD requests (POST, PUT, DELETE, PATCH) encounter an upstream HTTP 303 response on a route configured with internal redirect policy. Affected versions span 1.18.0 through the fixes released in branches 1.35.13, 1.36.9, 1.37.5, and 1.38.3. An unauthenticated remote attacker who can influence upstream response codes or reach a vulnerable route configuration can cause complete denial of service; no public exploit identified at time of analysis and no CISA KEV listing.

Denial Of Service Null Pointer Dereference Envoy
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Envoy proxy (versions 1.23.0 through 1.35.10, 1.36.6, 1.37.2, and 1.38.0) allows remote unauthenticated attackers to crash the proxy by sending a specially crafted, highly compressed zstd payload that triggers massive memory allocation in the ZstdDecompressorImpl, leading to Out-Of-Memory kills. The flaw is a decompression-bomb (data amplification) issue that only manifests when zstd decompression is enabled. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the high CVSS reflects availability impact only (A:H, no confidentiality or integrity loss).

Denial Of Service Envoy
NVD GitHub
CVSS 5.3
MEDIUM PATCH This Month

Memory exhaustion in fluent-plugin-opentelemetry versions 0.5.2 and earlier allows unauthenticated remote attackers to crash the Fluentd process by sending an oversized HTTP request body or a decompression bomb to the `in_opentelemetry` HTTP input endpoint (default port 4318). The plugin reads and decompresses the entire payload into memory without enforcing size thresholds, enabling an OOM kill of Fluentd and complete disruption of log collection and forwarding on the affected node. No public exploit code or CISA KEV listing has been identified at time of analysis.

Nginx Denial Of Service
NVD GitHub
CVSS 2.7
LOW PATCH Monitor

Memory exhaustion via decompression bomb in fluent-plugin-s3's `in_s3` input plugin enables an attacker with S3 bucket write access to crash the Fluentd log collection process. Versions 0.7.0 through 1.8.4 decompress gzip, lzma2, and lzop files from S3 into memory with no size cap, allowing a crafted high-ratio compressed payload to trigger an OS OOM kill and disrupt all log ingestion on the affected node. No public exploit has been identified at time of analysis, and the CVSS PR:H requirement tightly constrains real-world exploitability.

Denial Of Service
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial of service in DragonflyDB before 1.39.0 lets an unauthenticated attacker crash the entire server with a single ~24-byte RESTORE command carrying a malformed listpack payload, triggering an out-of-bounds read (SIGSEGV). Because Dragonfly ships with no authentication enabled by default and RESTORE is an ordinary keyspace command, any client that can reach the port can repeatedly kill the process. No CISA KEV listing exists, but the fixing pull request publishes the exact crash payloads as regression tests, so working trigger data is effectively public.

Denial Of Service Buffer Overflow Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Denial of service in Fluentd (rubygems package, versions <= 1.19.2) lets remote attackers crash the log collector by sending a gzip decompression bomb to the in_http (default port 9880) or in_forward (default port 24224) plugins. Although Fluentd enforces body_size_limit and chunk_size_limit on the compressed payload, it applies no ceiling on the decompressed output, so a tiny crafted payload expands in memory until the OS OOM-kills the process. No public exploit identified at time of analysis and it is not in CISA KEV, but EPSS-style risk is bounded by the requirement that an input port be reachable from an untrusted network.

Nginx Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Memory exhaustion in AutoGPT's AITextSummarizerBlock allows authenticated users to trigger extreme resource amplification - approximately 10 KB of crafted input causes the server to allocate roughly 50 GB of memory, crashing the platform for all users. All versions prior to 0.6.32 are affected per the vendor's GitHub Security Advisory (GHSA-955p-gpfx-r66j). No public exploit or CISA KEV listing has been identified, but the low attack complexity for any authenticated user makes this a realistic internal or multi-tenant threat.

Denial Of Service Autogpt
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Memory amplification denial-of-service in AutoGPT's ExtractTextInformationBlock enables authenticated users to exhaust server memory with disproportionately small inputs - a 10KB submission forces approximately 50GB of server-side memory allocation, a 5,000,000:1 amplification ratio. All AutoGPT versions prior to 0.6.32 by Significant-Gravitas are affected. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the vendor released a fix in version 0.6.32.

Denial Of Service Autogpt
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Nil-pointer dereference in LXD's CreateCustomVolumeFromBackup function allows an authenticated user with can_create_storage_volumes permissions to crash the LXD daemon via a crafted backup tarball, affecting all containers running on the host. Versions up to 6.8 (current branch) and 5.21 (LTS branch) on Linux are vulnerable. No public exploit or CISA KEV listing exists at time of analysis, but upstream fix commits are available from Canonical.

Denial Of Service Null Pointer Dereference Lxd
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Signal delivery bypass in FreeBSD's thr_kill2(2) system call allows an unprivileged local user - or a jailed process - to send arbitrary signals to any process on the system, including root-owned processes and critical daemons, causing Denial of Service. The flaw stems from a missing check on the return value of p_cansignal(), the kernel's permission enforcement primitive: the signal is unconditionally delivered before the error is propagated to the caller. No public exploit has been identified at time of analysis and SSVC assesses exploitation as none, though globally sequential thread IDs reduce the skill requirement to simple brute force, and the jail boundary bypass adds a container-escape dimension absent from the base CVSS score.

Privilege Escalation Denial Of Service Freebsd
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary code execution and denial of service in FastStone Image Viewer 8.3 occur when the application parses a maliciously crafted Photoshop (PSD) file, triggering an integer overflow in its PSD parsing component. Affected users are those who open attacker-supplied PSD files in this Windows freeware image viewer; successful exploitation can crash the application or, per the reporter and tags, lead to code execution in the user's context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Denial Of Service RCE
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Denial of service in Apache Kerby allows remote attackers to crash a Kerby client or service by delivering a deeply nested ASN1 structure that exhausts JVM stack depth and triggers an unhandled StackOverflowException. All versions prior to 2.1.2 are affected. No public exploit code or CISA KEV listing has been identified at time of analysis, but the attack primitive (malformed Kerberos ASN1 message) requires no authentication and is trivially constructible, making this a realistic operational risk for any internet- or network-exposed Kerby deployment.

Denial Of Service Apache Apache Kerby +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote unauthenticated stack-based buffer overflow in the vlsvr login service of GeoVision GV-LPC2011 and GV-LPC2211 license plate capture cameras (firmware V1.12 and earlier) lets a remote attacker corrupt memory by sending an over-length login field, enabling denial of service and potentially arbitrary code execution. The flaw requires no authentication and no user interaction (CVSS 9.8). No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Buffer Overflow Denial Of Service Stack Overflow +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated remote code execution and denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license plate camera devices (firmware V1.12 and earlier) stems from a stack-based buffer overflow in the ssvr streaming component's RTSP Digest authentication parser. A remote attacker reachable on the RTSP service can send overly long authentication field data to corrupt the stack, crashing the device or potentially executing arbitrary code with no credentials or user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS 9.8 rating and unauthenticated network vector make it a high-priority patching target.

Buffer Overflow Denial Of Service Stack Overflow +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote code execution and denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license-plate-recognition cameras (V1.12 and earlier) arise from a stack-based buffer overflow in the ssvr component's RTSP custom authentication handling. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates an unauthenticated remote attacker can trigger memory corruption with a single crafted RTSP request, yielding crash-level DoS and potential arbitrary code execution. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Buffer Overflow Denial Of Service Stack Overflow +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote code execution in GeoVision GV-LPC2011 and GV-LPC2211 license-plate-recognition cameras (firmware V1.12 and earlier) stems from a stack-based buffer overflow in the embedded thttpd web server, where overly long parameters in a specific request path overrun a fixed-size stack buffer. An unauthenticated remote attacker (per CVSS PR:N) can send a single crafted HTTP request to corrupt memory and cause denial of service or potentially execute arbitrary code on the device. No public exploit has been identified at time of analysis, but the CVSS 9.8 rating and lack of authentication make this a high-priority embedded-device exposure.

Buffer Overflow Denial Of Service Stack Overflow +2
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Unauthenticated format string flaw in the vlsvr service of GeoVision GV-LPC2011 and GV-LPC2211 license plate recognition cameras (firmware V1.12 and earlier) lets remote attackers send crafted login data that the device passes unsanitized into a log-formatting routine. Successful exploitation can leak memory contents, corrupt memory, or crash the service, with the high availability impact (CVSS 8.6) reflecting denial of service as the most reliable outcome. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Denial Of Service Information Disclosure Gv Lpclpc2011 2211
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license plate recognition cameras (firmware V1.12 and earlier) lets remote, unauthenticated attackers crash the device by sending a crafted HTTP request to onvif.cgi. The ONVIF CGI handler fails to bounds-check HTTP request body data, so oversized input triggers an out-of-bounds write and memory corruption. No public exploit identified at time of analysis, and the flaw yields availability impact only — no code execution or data disclosure is claimed by the vendor.

Memory Corruption Denial Of Service Buffer Overflow +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license-plate capture devices (firmware V1.12 and earlier) lets a remote, unauthenticated attacker crash the device by sending a single malformed HTTP request to its CGI interface. The flaw is a NULL pointer dereference in HTTP request-parsing logic shared across multiple CGI components, triggered when required request metadata is missing or malformed. No public exploit identified at time of analysis, and the issue has no confidentiality or integrity impact - only availability.

Denial Of Service Null Pointer Dereference Gv Lpclpc2011 2211
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license-plate-capture devices (firmware V1.12 and earlier) allows remote unauthenticated attackers to crash the device by sending a multipart upload request with an overly long filename to IEEE8021x_upload.cgi. The flaw is a classic stack/heap buffer overflow (CWE-120) with availability-only impact and no confidentiality or integrity loss. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Denial Of Service Buffer Overflow Gv Lpclpc2011 2211
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license plate cameras (firmware V1.12 and earlier) lets remote unauthenticated attackers crash the IEEE8021x_upload.cgi process by sending a malformed multipart upload request, triggering a NULL pointer dereference (CWE-476). The high availability impact (CVSS 7.5, A:H) means the device's 802.1x certificate-upload functionality - and potentially the management interface - becomes unavailable until the process or device restarts. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.

Denial Of Service Null Pointer Dereference Gv Lpclpc2011 2211
NVD
EPSS 0% CVSS 3.8
LOW Monitor

Unbounded memory allocation in KubeVirt's downward metrics virtio-serial server within Red Hat OpenShift Virtualization 4 allows a local VM guest user to exhaust host-side memory. The virt-handler process - which runs on the Kubernetes node and manages VM lifecycle - uses textproto.Reader.ReadLine() with no read deadline or buffer cap, so a continuous byte stream from the guest causes virt-handler to allocate memory without bound until the Linux OOM killer terminates it. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; the CVSS score of 3.8 reflects low severity but the scope-change flag (S:C) correctly captures that the disruption crosses the guest boundary to a privileged host process.

Denial Of Service Red Hat Openshift Virtualization 4
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by getting it to load a maliciously crafted shared library, which mishandles resources in the DSO::mmap_and_copy dynamic-linking routine (CWE-404). Publicly available exploit code exists, but the flaw is not in CISA KEV and EPSS is very low (0.17%, 6th percentile), indicating no observed in-the-wild exploitation. Impact is confined to availability - no confidentiality or integrity loss.

Denial Of Service N A
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC This Week

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of Service (DoS) via parsing a crafted input.

Denial Of Service N A
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Stack overflow in Bento4's MP4 parsing component allows an attacker to crash any application built on the library by supplying a crafted MP4 file. The flaw resides in AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity, a dynamic array growth function invoked while processing Track Run (trun) atoms, and affects all Bento4 releases before v1.8.9. A public proof-of-concept exists (poc4.zip), though EPSS sits at 0.17% and CISA KEV has not listed this CVE, indicating no confirmed widespread exploitation at time of analysis.

Buffer Overflow Denial Of Service Stack Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

An issue in Technitium DNS Server v.14.3 and before allows a remote attacker to cause a denial of service via the DnsServerApp.exe, DnsServerApp.dll, TechnitiumLibrary.Net/Dns/DnsClient.cs components

Denial Of Service N A
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

A stack overflow in the AP4_StsdAtom::AP4_StsdAtom component of axiomatic-systems Bento4 before v1.8.9allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Denial Of Service N A Stack Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Use after free in AdFilter in Google Chrome on Android prior to 149.0.7827.201 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Google Denial Of Service +4
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Use-after-free memory corruption in Google Chrome's Payments component on Android (prior to 149.0.7827.201) enables a local attacker with physical access to the device to trigger heap corruption, yielding high impact across confidentiality, integrity, and availability. The physical-access requirement (CVSS AV:P) substantially constrains the exploitable population to scenarios such as unattended or stolen devices. No public exploit identified at time of analysis, and no CISA KEV listing exists, indicating this has not been observed in active exploitation campaigns.

Memory Corruption Denial Of Service Use After Free +3
NVD VulDB
CVSS 7.5
HIGH PATCH This Week

Remote unauthenticated denial of service in Sigstore Rekor (>= 0.3.0, < 1.5.2) allows attackers to crash the transparency log server via a gzip decompression bomb in its Alpine APK parsing path. The Package.Unmarshal() function decompresses the signature and control gzip members of a submitted APK into memory without bounding total decompressed size, so a ~1000:1 compression ratio payload (e.g. 2MB compressed to 2GB) exhausts heap and triggers a fatal Go runtime OOM or OS OOM-kill that the recover() middleware cannot catch. No public exploit identified at time of analysis; it is not in CISA KEV, and the impact is availability-only (no confidentiality or integrity loss).

Denial Of Service Suse
NVD GitHub
EPSS 0% CVSS 8.5
HIGH This Week

Server-side request forgery and denial of service in Red Hat Build of Apicurio Registry 3 stem from unsafe XML parsing in the ContentTypeUtil.isParsableXml() method, which builds a SAXParserFactory without secure processing or external-entity restrictions (CWE-611, XXE). An attacker with artifact-write permission - or any unauthenticated client when the registry runs in its default configuration - can upload a crafted XML artifact whose external DTD/entity references force the server to fetch attacker-chosen URLs (blind SSRF into internal networks) or expand nested entities for resource-exhaustion DoS. CVSS is 8.5 (scope-changed, high availability impact); no public exploit identified at time of analysis.

XXE SSRF Denial Of Service +1
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Out-of-bounds heap read in wolfSSL's SM2/SM3 certificate parser exposes applications to remote denial of service when processing malformed certificates. During Subject Key Identifier computation in SM3wSM2 certificate verification, the library unconditionally reads 65 bytes from the public key field without first validating that the key is at least that long - a crafted certificate with a sub-65-byte public key triggers a heap over-read, crashing the process. This vulnerability is scoped exclusively to wolfSSL builds compiled with SM2 support (--enable-sm2 or --enable-all), and no public exploit or CISA KEV listing exists at time of analysis.

Denial Of Service Buffer Overflow Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Remote denial of service in wolfSSL's Renesas TSIP TLS 1.3 client port (WOLFSSL_RENESAS_TSIP_TLS on Renesas MCUs with TSIP hardware) arises from an out-of-bounds heap write in tsip_StoreMessage(), where the capacity check guarding the fixed 8 KB message bag sets an error code but omits the return, letting execution fall through to an XMEMCPY that overruns the buffer once the accumulated handshake transcript exceeds 8 KB. A malicious or man-in-the-middle TLS 1.3 server (or an unusually large but legitimate certificate chain) can trigger heap corruption and crash the client. There is no public exploit identified at time of analysis, it is not on CISA KEV, and the upstream fix is available as wolfSSL PR #10705.

Memory Corruption Denial Of Service Buffer Overflow +1
NVD GitHub VulDB
CVSS 5.3
MEDIUM PATCH This Month

Unbounded resource consumption in the Rust opentelemetry_sdk's BaggagePropagator::extract_with_context allows unauthenticated remote attackers to cause elevated CPU and heap allocation overhead by sending oversized W3C baggage propagation headers to any service using versions 0.32.0 or earlier. The SDK parsed the full header content before applying storage limits, meaning attacker-supplied data was processed and then discarded - wasting resources on every malicious request. A parallel design-level gap affects the Java (GHSA-rcgg-9c38-7xpx) and Go (GHSA-mh2q-q3fh-2475) OpenTelemetry SDKs, suggesting a cross-ecosystem pattern; no public exploit or active exploitation (KEV) has been identified.

Java Denial Of Service RCE +1
NVD GitHub
EPSS 0% CVSS 7.0
HIGH POC PATCH This Week

Denial of service in CANBoat (the open-source NMEA 2000/CAN bus analyzer) through version 6.22 allows attackers to crash the analyzer by delivering a crafted NMEA-2000 message containing an out-of-range PGN value. The flaw is an off-by-one global buffer overflow in the searchForPgn() binary-search routine in analyzer/pgn.c, where an out-of-range PGN causes a one-element read past the end of the pgnList[] table. Publicly available exploit code exists (FuzzingLabs PoC value 393216 via issue #644), and a vendor patch is available; there is no public exploit identified as actively exploited.

Denial Of Service Buffer Overflow Canboat
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC This Month

Out-of-bounds read in RTKLIB through 2.4.3 exposes users to denial of service and potential memory disclosure when processing maliciously crafted RINEX observation files. The getcodepri function fails to validate unrecognized observation codes, performing negative array indexing into the codepris table - producing reliable crashes and leaking adjacent global data segments. A publicly available proof-of-concept exists via the upstream GitHub issue tracker; this CVE is not listed in the CISA KEV catalog, and no EPSS data was provided in available intelligence.

Denial Of Service Buffer Overflow Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Off-by-one out-of-bounds read in RTKLIB's decode_ssr3 function (src/rtcm3.c:1446) allows unauthenticated remote attackers to trigger a global buffer overflow by sending crafted RTCM3 SSR correction messages with attacker-controlled signal mode fields over NTRIP or serial connections. All RTKLIB versions through 2.4.3 are affected, with the primary impact being denial of service or crash of GNSS rovers and CORS server deployments. A publicly available exploit exists per VulnCheck intelligence, though this vulnerability is not confirmed in CISA KEV at time of analysis.

Denial Of Service Buffer Overflow Rtklib
NVD GitHub VulDB
Prev Page 9 of 406 Next

Quick Facts

Typical Severity
MEDIUM
Category
other
Total CVEs
36495

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy