Skip to main content

Information Disclosure

other MEDIUM

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.

How It Works

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security. This happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses—returning full user objects when only a name is needed, or revealing system internals through metadata fields.

Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.

The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.

Impact

  • Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
  • Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
  • Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
  • Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
  • Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures

Real-World Examples

A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.

Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.

Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.

Mitigation

  • Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
  • Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
  • Access control audits: Restrict or remove development artifacts (.git, backup files, phpinfo()) and internal endpoints before deployment
  • Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
  • Security headers: Deploy X-Content-Type-Options, remove server version banners, and disable directory indexing
  • Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity

Recent CVEs (66671)

EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Out-of-bounds read in Vim's text property subsystem allows a crafted undo file to crash the editor and potentially disclose adjacent heap memory. All Vim releases prior to 9.2.0670 are affected; the vulnerability is reachable whenever a user loads a malicious undo file with the persistent-undo feature compiled in and enabled. No public exploit or CISA KEV listing exists at time of analysis, placing real-world risk in the low-to-medium range despite the local crash severity.

Buffer Overflow Information Disclosure Vim +1
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Vim crashes with an out-of-bounds read when opening a maliciously crafted file encrypted with the xchacha20poly1305 cipher (VimCrypt~04! or VimCrypt~05!) whose body is shorter than a libsodium secretstream header. An unsigned integer underflow in the length calculation inside crypt_sodium_buffer_decode() causes the subsequent crypto_secretstream_xchacha20poly1305_pull() call to read far past the end of the input buffer, resulting in a denial-of-service crash. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the fix commit includes a concrete reproducer test case confirming the crash path.

Buffer Overflow Information Disclosure Vim +1
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Out-of-bounds heap read in Vim 9.2.0320-9.2.0678 allows a crafted undo or swap file to disclose adjacent heap memory or crash the editor when a victim opens it. The flaw resides in the text property (textprop) subsystem: a maliciously encoded virtual-text property with an oversized tp_text_offset is converted directly to a heap pointer without bounds validation in both the undo-restoration path (um_goto_line) and the display path (get_text_props). The CVSS 4.0 score of 6.8 (Medium) reflects local-only exploitation requiring active user interaction; no public exploit is confirmed at time of analysis, though the fix commit includes detailed test scaffolding constituting a near-complete attack blueprint.

Buffer Overflow Information Disclosure Vim +2
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Mass-assignment in the K2 Extension for Joomla (versions up to 2.24 per CVE description, up to 2.26 per EUVD-2026-39438) allows any registered Joomla user to overwrite hidden database columns - notes, image, and plugins - in their own #__k2_users row by injecting the K2UserForm=1 parameter into a standard com_users profile.save POST request. The attack is automatable per SSVC assessment, but impact is constrained to the attacker's own user record, with no current active exploitation identified. The plugins column exposure warrants particular scrutiny, as it may influence per-user K2 component behavior in ways beyond simple data tampering.

Information Disclosure K2 Extension For Joomla
NVD
EPSS 0% CVSS 2.2
LOW PATCH Monitor

Use-after-free in Nokogiri's CRuby XInclude processing (versions prior to 1.19.4) can leave Ruby wrapper objects pointing at freed libxml2 memory after `#do_xinclude` is called on a document whose nodes have already been exposed to Ruby. An application that triggers this condition may experience invalid memory reads or writes, potentially resulting in a crash or memory disclosure. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 2.2 reflects the high attack complexity driven by an unusual, non-default API usage pattern required to reach the vulnerable code path.

Memory Corruption Use After Free Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 1.7
LOW PATCH Monitor

Use-after-free in Nokogiri's CRuby implementation (versions prior to 1.19.4) allows an application crash via segfault when an `XML::XPathContext` object outlives its source document and that document is freed by Ruby's garbage collector. Only CRuby is affected; JRuby is not. This is not triggerable by malicious document input and cannot be reached through the standard `Document#xpath`, `#css`, or related methods - it requires an unusual direct API usage pattern in application code. No public exploit has been identified, this is not listed in CISA KEV, and the CVSS 4.0 score of 1.7 reflects the tightly constrained triggering conditions.

Memory Corruption Use After Free Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 1.7
LOW PATCH Monitor

Heap use-after-free in Nokogiri's CRuby implementation (prior to 1.19.4) can corrupt process memory when application code assigns a DTD node as a document root via `Document#root=`. The root cause is insufficient type validation in the setter, which accepted any `Nokogiri::XML::Node` subclass rather than restricting to element nodes, leaving libxml2 in an inconsistent internal state that triggers a dangling pointer dereference during Ruby garbage collection or finalization. No active exploitation is confirmed (not in CISA KEV), no public exploit is identified, and the Nokogiri maintainers rate this low severity; the CVSS 4.0 score of 1.7 with E:U corroborates that assessment.

Memory Corruption Use After Free Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 1.7
LOW PATCH Monitor

Use-after-free in Nokogiri's CRuby native extension (versions prior to 1.19.4) can corrupt process memory or cause a segfault when an application accesses an XML attribute's child node and subsequently replaces that attribute's value via `Attr#value=` or `#content=`. The underlying libxml2 wrapper frees the native child node while a Ruby object in the document node cache retains a stale pointer, which a later GC mark pass or direct access can dereference. With a CVSS 4.0 score of 1.7, no KEV listing, and no public exploit identified at time of analysis, real-world risk is low and constrained to application availability.

Memory Corruption Use After Free Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Out-of-bounds read in Nokogiri's `NodeSet#[]` method (all versions before 1.19.4) enables an attacker who can supply a large negative integer index to bypass a 32-bit-truncated bounds check and trigger a read outside the node set's allocated memory. On CRuby (MRI Ruby), this typically crashes the process - denial of service - with ancillary potential for heap memory disclosure; on JRuby, the runtime's managed memory prevents memory corruption, but an incorrect node is silently returned. No public exploit or active exploitation has been identified; exploitation requires the target application to forward attacker-controlled integers directly to the `NodeSet#[]` or `#slice` API.

Buffer Overflow Information Disclosure Nokogiri +1
NVD GitHub VulDB
EPSS 0% CVSS 1.7
LOW PATCH Monitor

Use-after-free in Nokogiri's CRuby (libxml2) implementation allows freed heap memory to be read on subsequent calls to Document#encoding, potentially causing a segmentation fault or leaking stale heap bytes into a Ruby String object. Versions prior to 1.19.4 are affected when the three-step exploitation pattern occurs: an invalid encoding assignment, exception rescue, and continued document use. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 1.7 accurately reflects the low real-world priority.

Memory Corruption Use After Free Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Rolling-code authentication in the Alps Alpine RKES (FCC ID CWTR53R0, 433 MHz) can be bypassed by an attacker within RF range who captures two consecutive key fob transmissions and replays them in sequence to lock or unlock the target vehicle. Replaying the first captured signal causes the receiver to enter a vulnerable state, after which replaying the second signal completes a successful unauthorized lock or unlock operation. No active exploitation confirmed per CISA KEV and no public exploit code identified, though the attack is technically accessible to anyone with commodity software-defined radio hardware given CVSS AV:A/AC:L/PR:N.

Information Disclosure Remote Keyless Entry System Rkes R53R0
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Payment status replay in pretix-mollie allows unauthenticated attackers to obtain multiple valid event tickets by reusing a single legitimate Mollie payment confirmation. The plugin fails to bind payment status responses to their originating transaction, so a successful payment callback for order A can be submitted against order B. No active exploitation or public proof-of-concept has been identified at time of analysis; a vendor patch was released on 2026-06-25 in version 2026.5.2.

Information Disclosure Pretix Mollie
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Payment response replay vulnerability in the pretix-oppwa integration allows a remote attacker to reuse a legitimate Oppwa payment confirmation from one transaction to authorize separate, unpaid orders - effectively obtaining multiple valid event tickets with a single payment. All known versions of the pretix-oppwa plugin (cpe:2.3:a:pretix:pretix-oppwa:*) are affected. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the business logic bypass enables direct financial fraud for event organizers. A vendor patch was released in conjunction with Pretix version 2026-5.2.

Information Disclosure Pretix Oppwa
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Payment response replay in the pretix-computop integration allows an unauthenticated network attacker to obtain multiple valid event tickets by paying only once. The Pretix Computop plugin fails to bind successful payment status responses to their originating transaction, so a response captured from a completed payment can be submitted against any other pending order. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified, though the vendor disclosed the issue alongside a fix on 2026-06-25.

Information Disclosure Pretix Computop
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Remote denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device crash the target by sending a malformed Simple Metering GetProfileResponse message that triggers an out-of-bounds read while iterating interval entries, terminating the process. Exploitation requires the attacker to be an authenticated member of the Zigbee network and only affects devices implementing the Simple Metering cluster. No public exploit identified at time of analysis, and no information leakage back to the sender was observed.

Buffer Overflow Information Disclosure Emberznet
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows a device already joined to the Zigbee network to crash a target node by sending a malformed Level Control 'Step' command that triggers a divide-by-zero (CWE-369) fault and terminates the process. Only nodes implementing the Level Control cluster are affected, and exploitation requires the attacker to already be an authenticated member of the network (CVSS 4.0 PR:L, VA:H). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Emberznet
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial of service in Silicon Labs EmberZNet (Zigbee stack) v9.0.2 and earlier allows an already-joined network device to crash the host process via a malformed Level Control 'Move' command that triggers a divide-by-zero fault. Only deployments where the target device supports the Level Control cluster are affected, and exploitation requires the attacker to be an authenticated member of the Zigbee network (PR:L). No public exploit identified at time of analysis; this is not on CISA KEV.

Information Disclosure Emberznet
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device crash the target by sending Door Lock cluster messages containing malformed or out-of-range user identifiers, which trigger an out-of-bounds table read (CWE-125) that terminates the process. Only devices that implement the Door Lock cluster are affected, and no data is leaked back to the sender. There is no public exploit identified at time of analysis, and the issue is not in CISA KEV.

Buffer Overflow Information Disclosure Emberznet
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows an already-joined network device to crash a target by sending malformed GetGroupMembership commands, which cause repeated out-of-bounds reads past the message payload and terminate the process. Only devices implementing the Groups cluster are affected, and no information leakage to the sender was observed despite the read primitive. There is no public exploit identified at time of analysis, no CISA KEV listing, and the impact is availability-only (process termination), not code execution or data disclosure.

Buffer Overflow Information Disclosure Emberznet
NVD GitHub
EPSS 0% CVSS 7.0
HIGH This Week

Local privilege escalation in Dell Display and Peripheral Manager (DDPM) for Mac, versions prior to 2.3, lets a low-privileged local user win a race condition (CWE-362) to gain elevated privileges. The flaw stems from improper synchronization around a shared resource, and successful exploitation yields full compromise of confidentiality, integrity, and availability on the host. No public exploit identified at time of analysis, and EPSS is negligible (0.07%); CISA SSVC marks exploitation as none but technical impact as total.

Dell Race Condition Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device send malformed Over-The-Air (OTA) update requests that drive the OTA Server cluster parser past buffer boundaries, leaking a small, size- and location-limited amount of RAM back to the requester and potentially disrupting the OTA service. Only nodes that implement the OTA Server cluster are affected, and exploitation requires prior network membership (PR:L authenticated). No public exploit is identified and the CVE is not in CISA KEV; the CVSS 4.0 base score of 7.1 is driven mainly by high availability impact (VA:H) rather than data theft.

Buffer Overflow Information Disclosure Emberznet
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device crash a target by sending malformed Color Control cluster messages that trip a reachable assertion and terminate the process. Only devices implementing the Color Control cluster (typically color-capable lighting) are affected, and the attacker must already be a member of the Zigbee network. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Emberznet
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows an already-joined network device to crash the target by sending malformed Color Control cluster messages, which trigger a reachable assertion that terminates the process. Only devices implementing the Color Control cluster (typically Zigbee lighting/color-capable nodes and coordinators) are affected. Vendor-rated CVSS 4.0 7.1 with availability-only impact; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Emberznet
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial of service in Silicon Labs EmberZNet (Zigbee stack) v9.0.2 and earlier allows an already-joined Zigbee device to crash the process by sending malformed global ZCL (Zigbee Cluster Library) messages that trigger out-of-bounds reads in the framework parsing logic. The flaw affects availability only - no information leakage back to the sender was observed despite the dataset's 'Information Disclosure' tag. A vendor patch is available, and there is no public exploit identified at time of analysis.

Buffer Overflow Information Disclosure Emberznet
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Predictable cryptographic key generation in Silicon Labs EFR32xG27 wireless SoCs stems from incorrect use of the on-chip PUF (Physical Unclonable Function) when deriving user keys, allowing an adjacent attacker to anticipate or reconstruct keys that should be unique and secret. Affected firmware built with the Silicon Labs SiSDK loses the confidentiality and authentication guarantees of derived keys. No public exploit identified at time of analysis; the issue was self-reported by Silicon Labs and a vendor patch is available.

Information Disclosure Sisdk
NVD GitHub
EPSS 0% CVSS 8.3
HIGH This Week

Sensitive data exposure in the APIExperts Square for WooCommerce WordPress plugin (also known as woosquare) through version 4.7.3 allows remote attackers to retrieve embedded sensitive information that the plugin inserts into data it sends. Reported by Patchstack and rated CVSS 8.3, the flaw stems from CWE-201 (Insertion of Sensitive Information Into Sent Data) and is exploitable without authentication or user interaction per its CVSS vector. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress Information Disclosure Apiexperts Square For Woocommerce
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

DNS response manipulation in PowerDNS Recursor 5.4.x allows network-positioned attackers to inject false DNS records through insufficient validation of answers received from authoritative servers, resulting in low-integrity violations in name resolution for downstream clients. The 5.4.x branch received hardening patches per PowerDNS advisory 2026-08 to close this validation gap. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Recursor Suse
NVD VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

EDNS OPT filter bypass in DNSdist exposes backend DNS servers to EDNS extension options that DNSdist was configured to suppress. The flaw is triggered specifically by the EDNS Client Subnet (ECS) insertion code path, which silently normalizes a crafted malformed OPT record - one that evaded DNSdist's filter - into a syntactically valid OPT record forwarded to the upstream backend. No public exploit code exists and no active exploitation has been confirmed; CVSS rates this Low (3.7) reflecting both the high attack complexity and the limited integrity-only impact.

Information Disclosure
NVD VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Query processing delays in dnsdist's DoH3 (DNS over HTTPS/3) implementation allow unauthenticated remote attackers to partially degrade DNS resolution availability by sending crafted GET requests containing invalid HTTP/3 DATA frames. Affected deployments are limited to those with DoH3 explicitly enabled; the CVSS score of 3.7 reflects high attack complexity and only a low availability impact. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure
NVD VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Prometheus metrics endpoint corruption in PowerDNS dnsdist allows a remote unauthenticated attacker to disrupt monitoring visibility by flooding the resolver with crafted DNS queries. The flood triggers insertion of a dynamic block whose value serialises into invalid Prometheus exposition format, causing the /metrics endpoint to be rejected by the scraper until the dynamic block TTL expires naturally. No public exploit code is identified at time of analysis, and exploitation requires high attack complexity - a sustained, high-volume crafted query campaign - keeping real-world risk low despite network accessibility.

Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cache poisoning in PowerDNS Recursor allows a malicious or compromised authoritative DNS server to inject forged records by returning a crafted zone that the resolver ingests through its ZoneToCache feature. Because the poisoned data lands in the shared recursor cache, all downstream clients can be served attacker-controlled answers, enabling traffic redirection and spoofing. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the CVSS 7.5 (high) rating reflects high integrity impact with a scope change but high attack complexity.

Information Disclosure Suse
NVD
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side authentication to an attacker-controlled host, exposing PAM provider credentials as a NTLMv2 challenge-response, via a crafted DomainName parameter.

Information Disclosure Server
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the WordPress 'Meta Data and Taxonomy Filter' (MDTF) plugin by pluginus.net affects all versions up to and including 1.3.8, allowing remote attackers without credentials to coerce the PHP application into including arbitrary local files. Per its CVSS:3.1 vector (AV:N/PR:N), exploitation is network-reachable and unauthenticated, though the high attack complexity (AC:H) implies non-trivial preconditions. This is classified as information disclosure but rated 8.1 with full C/I/A impact; there is no public exploit identified at time of analysis and it is not on the CISA KEV list.

LFI Information Disclosure PHP +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated sensitive data exposure in the Vitepos WordPress plugin (versions 3.4.2 and earlier) lets remote attackers read sensitive information without any authentication. The flaw is reported by Patchstack and classified as CWE-201 (information exposure through sent data), with a CVSS 3.1 base score of 7.5 driven entirely by a high confidentiality impact. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Information Disclosure Vitepos
NVD
EPSS 0% CVSS 7.4
HIGH This Week

Sensitive data exposure in the Visual Link Preview WordPress plugin (versions 2.3.1 and earlier) allows a low-privileged Subscriber-level authenticated user to access information they should not be authorized to view. The CVSS 3.1 vector (PR:L) indicates only minimal authenticated access is needed, and the changed scope reflects data leaking beyond the plugin's intended security boundary. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

Information Disclosure Visual Link Preview
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Sensitive data exposure in Elementor Website Builder for WordPress (versions <= 4.1.3) allows contributor-level authenticated users to access protected information due to missing authorization checks (CWE-862). The vulnerability stems from insufficient capability verification before exposing sensitive data to lower-privileged roles, enabling a contributor to retrieve data they should not have access to. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and high confidentiality impact make this a meaningful risk on any site with untrusted contributor accounts.

Authentication Bypass Information Disclosure Elementor Website Builder
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

ZONEMD validation bypass in PowerDNS Recursor allows a cryptographically invalid DNS zone to be accepted as legitimate when ZoneToCache is configured with ZONEMD validation enabled. This undermines the integrity guarantee that ZONEMD is designed to provide - an attacker capable of serving a crafted zone to the resolver (e.g., via a rogue authoritative source or network interception) can cause the recursor to cache and serve tampered DNS data. No public exploit code has been identified and exploitation is not confirmed in CISA KEV; real-world risk is constrained by the non-default configuration prerequisite.

Information Disclosure Recursor Suse
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Improper packet cache handling in PowerDNS Recursor causes ECS zero-scoped DNS answers to be stored in the cache when they should be discarded or handled as global entries, creating an information disclosure pathway. All Recursor versions (cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*) are affected, but only deployments with EDNS Client Subnet (ECS) explicitly enabled are exposed. The CVSS score of 5.3 with a network vector and no required privileges reflects that any DNS client can trigger the improper caching behavior, though real-world impact is bounded by the non-default ECS configuration requirement. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Recursor Suse
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation potential via a use-after-free in the Linux kernel's Bluetooth ISO (Isochronous) subsystem affects kernels through 6.19 and related stable trees. In iso_sock_rebind_bc(), the code caches the hci_conn pointer (bis) and then drops the socket lock to acquire hci_dev_lock; a concurrent close() during this unlocked window can destroy the connection and free the bis structure, so the subsequent hci_dev_lock(bis->hdev) dereferences freed memory. There is no public exploit identified at time of analysis and EPSS is low (0.15%, 5th percentile), but a kernel UAF reachable by a local user warrants timely patching.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's IPv6 multicast (MLD) query processing path allows an adjacent-network attacker to corrupt or read freed kernel slab memory by sending a crafted MLD query. The flaw stems from a stale pointer to the multicast group address being dereferenced in __mld_query_work() after pskb_may_pull() reallocated the skb header, confirmed by a KASAN slab-use-after-free report. Carries an 8.8 CVSS (adjacent vector); no public exploit identified at time of analysis and EPSS is low at 0.17% (6th percentile).

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's EROFS filesystem lets a local attacker who can trigger a decompression I/O race during unmount corrupt kernel memory. When z_erofs_decompress_kickoff() queues asynchronous decompression work, a concurrent unmount can free the superblock info (sbi) before the kworker accesses sbi->sync_decompress, producing a CWE-416 use-after-free with high confidentiality, integrity and availability impact (CVSS 7.8). EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis; the flaw is not on CISA KEV.

Memory Corruption Linux Use After Free +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's IPVS (IP Virtual Server) load balancer allows a local privileged user to corrupt kernel memory by editing a virtual service's scheduler. ip_vs_edit_service() cleared svc->scheduler only after the old scheduler module had already initiated RCU callbacks, so in-flight packets could dereference svc->sched_data after it was freed at the end of the RCU grace period. The flaw carries CVSS 7.8 with high confidentiality, integrity, and availability impact; EPSS is low (0.17%, 7th percentile) and there is no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial-of-service via race condition in the Linux kernel's netfilter synproxy subsystem allows a local low-privileged user to crash the system by triggering concurrent netfilter hook registration. The synproxy infrastructure registers hooks on-demand when iptables targets or nftables expressions are added; without serialization, concurrent additions race on the reference count control blocks, corrupting kernel state. No public exploit exists and EPSS is 7th percentile (0.17%), but any Linux system running a kernel from 5.3 onward with the ability for unprivileged users to manipulate netfilter rules is technically exposed.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's netfilter IRC connection-tracking helper (nf_conntrack_irc) lets remote attackers leak adjacent kernel memory or crash the host when the parser fails to bail out after matching a DCC command string. The CVSS 3.1 vector (AV:N/PR:N) describes unauthenticated remote reachability with low confidentiality impact and high availability impact, but exploitation is gated on the legacy IRC conntrack helper being loaded and assigned to traffic - a non-default condition on most modern systems. There is no public exploit identified at time of analysis, EPSS is low (0.17%, 7th percentile), and the issue is not on CISA KEV.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Out-of-bounds/illegitimate write in the Linux kernel's bridge netfilter ebtables SNAT target (ebt_snat) lets the optional ARP sender-hardware-address rewrite copy a MAC address into a non-linear skb fragment that is still backed by a splice-imported file page, corrupting memory the kernel should not write to. The flaw affects systems using the bridge ebtables SNAT target with ARP rewrite enabled; the fix makes the ARP SHA range writable via skb_ensure_writable() before skb_store_bits() runs. There is no public exploit identified at time of analysis and EPSS is low (0.17%), but CVSS is rated 8.8 with a scope change reflecting the cross-context write.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-escalation/memory-corruption in the Linux kernel device-mapper dm-cache 'smq' policy allows a low-privileged local user to trigger a check-then-act race in smq_invalidate_mapping(). The e->allocated predicate was evaluated outside mq->lock, so two concurrent cache-block invalidators can both see an entry as allocated and free it twice, corrupting the SMQ queues/hash table and tripping the allocation assertion in free_entry(). No public exploit is identified at time of analysis and EPSS exploitation probability is low (0.17%, 7th percentile); the issue is not listed in CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-bearing users can trigger a use-after-free in the Linux kernel's net/sched action subsystem (act_api) by racing concurrent NEWTFILTER and DELFILTER operations, where an action object can be kfree()'d immediately on one CPU while another CPU still holds an RCU-protected reference and calls refcount_inc_not_zero() on freed memory. Affecting the tc action lifecycle, exploitation can corrupt kernel memory and lead to local privilege escalation or denial of service (kernel panic). This issue has no public exploit identified at time of analysis and carries a low EPSS exploitation probability (0.17%, 7th percentile).

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel stack memory disclosure and multicast address corruption in the Linux kernel's 6lowpan IPHC subsystem affects all deployments running the vulnerable code path from commit 5609c185f24d onward. A local unprivileged user on a system with an active 6lowpan interface can trigger `lowpan_iphc_mcast_ctx_addr_compress()` to transmit uninitialized kernel stack bytes over the 6lowpan link layer while also corrupting the RIID field in compressed multicast addresses, breaking multicast connectivity. No public exploit identified at time of analysis; EPSS is 0.17% (7th percentile), and this is not listed in CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation via use-after-free in the Linux kernel's L2TP PPP (pppol2tp) subsystem allows a low-privileged local user holding a pppol2tp socket to corrupt freed kernel memory. The flaw is a race in pppol2tp_ioctl(), where sk_user_data was dereferenced without reference counting; an attacker stalls the ioctl mid-copy (e.g. via a userfaultfd page-fault sleep) while concurrently closing the socket, freeing the l2tp_session and leaving a dangling pointer. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.16%, 6th percentile).

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel devlink subsystem allows a local low-privileged user to trigger resource exhaustion by inducing a Sub-Function (SF) probe failure, leaving a nested devlink relation unreleased. The flaw occurs because devlink_free() does not clear devlink->rel when an instance fails probe before reaching devl_register(), bypassing the normal cleanup path in devl_unregister(). No public exploit has been identified and EPSS is 0.16% (6th percentile), consistent with a low-real-world-risk kernel memory management defect; patch is available across multiple stable branches.

Linux Information Disclosure
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Denial of service and potential memory corruption in the Linux kernel TCP stack arises from a refcount underflow / use-after-free in reqsk_queue_hash_req(), affecting kernels built with PREEMPT_RT (real-time preemption). On affected systems a request socket (reqsk) can lose both its ehash and timer reference counts when reqsk_queue_hash_req() is preempted between mod_timer() and refcount_set(), letting reqsk_timer_handler() drop the object twice and trigger a use-after-free flagged by refcount_warn_saturate. The fix was reported via syzbot fuzzing; there is no public weaponized exploit identified at time of analysis and the EPSS score is very low (0.15%, 5th percentile), and despite the NVD 9.8 score real-world exploitability is constrained to PREEMPT_RT kernels and a narrow timing window.

Linux Information Disclosure Google +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Memory corruption via a use-after-free in the Linux kernel's IPv6 anycast subsystem allows a local attacker to read freed slab memory and potentially corrupt kernel state. The flaw lives in __ipv6_dev_ac_inc()/ipv6_add_acaddr_hash(), where an ifacaddr6 (aca) object is published into the global inet6_acaddr_lst[] hash outside idev->lock, opening a race with device teardown (ipv6_ac_destroy_dev) that frees the object while it is still linked in the RCU-walked hash. EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis, but the vendor has shipped a fix.

Linux Information Disclosure Google +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Memory leak in the Linux kernel wifi cfg80211 subsystem allows a local low-privileged user to cause gradual kernel memory exhaustion by repeatedly triggering failed 6 GHz split scans. The leaked object is a 512-byte allocation in rdev->int_scan_req that escapes the cleanup path in ___cfg80211_scan_done() because rdev->scan_req is NULL at freeing time, causing an early return. No public exploit has been identified; EPSS of 0.16% (6th percentile) reflects very low real-world exploitation probability, and this vulnerability is not listed in CISA KEV.

Linux Information Disclosure
NVD
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Use-after-free in the Linux kernel's Bluetooth RFCOMM subsystem allows an attacker within Bluetooth range to corrupt kernel memory by racing an incoming RFCOMM connection against the close of a listener socket. The flaw lives in rfcomm_connect_ind(), which uses a listener socket returned by rfcomm_get_sock_by_channel() after the protecting list lock is dropped and without taking a reference, so a concurrent rfcomm_sock_release() can free the parent socket before it is locked and a child is enqueued. KASAN confirmed a slab-use-after-free in lock_sock_nested(); EPSS is low (0.17%, 7th percentile), there is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel Bluetooth management (MGMT) interface lets a local user with Bluetooth privileges trigger a one-byte read past the advertising-data buffer by submitting a malformed MGMT_OP_ADD_ADVERTISING request. The flaw lives in tlv_data_is_valid(), which inspects the type octet at data[i+1] before confirming the current TLV element fits in the buffer; KASAN flags it as a vmalloc-out-of-bounds read. No public exploit identified at time of analysis and EPSS risk is low (0.17%), consistent with a local-only kernel memory-safety bug rather than a remotely weaponizable one.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's Bluetooth RFCOMM stack allows a malicious paired or in-range remote device to leak adjacent kernel memory or crash the host by sending truncated MCC (Multiplexer Control Channel) frames. The RFCOMM MCC handlers cast skb->data to protocol structs without first checking skb->len, so short frames cause reads past the buffer; impact is confidentiality and availability loss (CVSS 8.1). There is no public exploit identified at time of analysis and EPSS estimates exploitation probability at just 0.18%.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's Bluetooth BNEP (Bluetooth Network Encapsulation Protocol) subsystem allows an adjacent attacker to crash the kernel by sending a malformed short BNEP frame over an established PAN connection. The flaw in bnep_rx_frame()/bnep_rx_control() in net/bluetooth/bnep/core.c reads the packet-type, control-opcode, and setup UUID-size bytes before confirming they are present, producing a KASAN-confirmed slab-out-of-bounds read past a 1-byte kmalloc-8 allocation. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.18%, 8th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Percpu memory leak in the Linux kernel Bluetooth subsystem allows a local low-privileged user to exhaust kernel memory by repeatedly triggering early failures in Bluetooth HCI UART device initialization. Affected kernels spanning stable branches from 5.10 through 6.16-rc4 fail to invoke cleanup_srcu_struct() when hci_register_dev() never completes, causing the SRCU struct allocated early in hci_alloc_dev() to persist indefinitely. No public exploit code has been identified at time of analysis, and EPSS at 0.19% (9th percentile) reflects negligible exploitation interest; however the availability impact is rated High by NVD given the potential for kernel memory exhaustion.

Linux Information Disclosure
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Reference leak in the Linux kernel Bluetooth ISO subsystem allows a local low-privileged user to exhaust kernel resources and cause a denial of service. The `iso_conn_big_sync` function acquires an `hci_dev` reference via `hci_dev_hold()` through `hci_get_route()` but never releases it, violating the borrow contract. No active exploitation has been confirmed and EPSS is very low at 0.18% (7th percentile), but the affected surface - the BLE Audio Broadcast Isochronous Group (BIG) synchronization path - is present on any Linux system with a Bluetooth controller.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Unprivileged local users on Linux systems running unpatched kernels can set IPOPT_SSRR (Strict Source and Record Route) and IPOPT_LSRR (Loose Source and Record Route) IPv4 options without the CAP_NET_RAW capability, enabling them to force outbound packets through attacker-controlled network nodes and leak TCP Initial Sequence Numbers (ISN) along with other protocol metadata. Affected systems span Linux kernel versions from 2.6.12 through multiple stable branches prior to their respective patch releases. No public exploit has been identified at time of analysis, and EPSS remains at 0.18% (8th percentile), indicating low automated exploitation risk.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Three distinct logic errors in the Linux kernel's MRP (Multiple Registration Protocol) PDU parser `mrp_pdu_parse_vecattr()` allow an attacker to corrupt kernel MRP applicant state and PDU parsing offsets, resulting in denial of service. Affected systems must have the `mrp` kernel module loaded with an active IEEE 802.1ak bridge interface. No public exploit exists and EPSS is 0.18% (8th percentile), reflecting low active targeting, though patches across multiple stable branches are available and should be applied routinely.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in the Linux kernel's NFSD server affects systems that export filesystems implementing the VFS ->atomic_create operation. A mismatch between the dentry_create() error-handling contract and the newer start_creating()/end_creating() locking pattern means that when ->atomic_create returns an error, nfsd4_create_file() passes an error pointer to end_creating() and never unlocks the parent directory inode, leaving the lock permanently held. This is no public exploit identified at time of analysis, EPSS is low (0.16%, 6th percentile), and it is not in CISA KEV, but the held lock can stall NFS service for all clients.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Uninitialized stack variable use in the Linux kernel's rseq (restartable sequences) subsystem exposes systems to kernel information leak and denial-of-service. The flaw in `rseq_exit_user_update()` arises from a C standard evaluation-order ambiguity in struct initialization, detected by syzbot's KMSAN (Kernel Memory Sanitizer) as a kernel-infoleak. Affected are Linux 7.0.10 through 7.0.12 and 7.1 release candidates rc3-rc6; exploitation requires local low-privilege access, no public exploit exists, and EPSS is very low at 0.16%.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stack overread in the Linux kernel ALSA MIDI sequencer dummy client (snd_seq_dummy) allows a local low-privileged user to crash the kernel or potentially leak kernel stack contents by sending a crafted Universal MIDI Packet (UMP) event. The dummy port copies incoming events into a legacy-sized stack temporary, but when the UMP flag remains set the delivery path calls snd_seq_event_packet_size() and copies a larger UMP-sized packet from that undersized allocation, reading past the stack buffer end. No public exploit has been identified and EPSS is 0.18% (7th percentile), placing this firmly in routine-patch rather than emergency-response territory.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's XFRM IP-TFS (IPsec Traffic Flow Confidentiality, RFC 9347) inbound reassembly path lets a race between __input_process_payload() and a concurrent iptfs_reassem_cont()/drop_timer handler operate on a freed sk_buff in skbuff_head_cache, causing memory corruption. The flaw affects kernels from 6.14 (where IP-TFS was introduced) running an IPsec SA in IP-TFS mode, and is fixed in stable releases including 6.18.36, 7.0.13 and 7.1. There is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.17%, 7th percentile).

Linux Information Disclosure Use After Free +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation via use-after-free in the Linux kernel's XFRM (IPsec) policy subsystem allows a local low-privileged attacker to corrupt kernel memory by racing XFRM_MSG_DELPOLICY and XFRM_MSG_NEWSPDINFO netlink operations. In xfrm_policy_bysel_ctx(), the inexact policy bin was pruned after dropping xfrm_policy_lock, leaving a window where a concurrent xfrm_hash_rebuild() could kfree_rcu() the same bin, leading to a use-after-free. No public exploit identified at time of analysis; EPSS probability is low (0.18%) and it is not listed in CISA KEV.

Linux Information Disclosure Use After Free +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Out-of-bounds read in the Linux kernel netlabel subsystem allows a local low-privileged attacker to crash the kernel by submitting a crafted Generic Netlink request with a valid IPv4/IPv6 address attribute paired with a shorter-than-expected mask attribute. The netlbl_unlabel_addrinfo_get() function relied solely on the address attribute length to determine address family, then unconditionally read the mask attribute as a full struct in_addr (4 bytes) or struct in6_addr (16 bytes) without independently validating the mask length. No public exploit or active exploitation has been identified (EPSS 0.18%, 8th percentile); patches are available across all maintained stable branches.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

TCP socket side-channel information disclosure in the Linux kernel allows unprivileged local users to attach classic BPF (cBPF) filters via SO_ATTACH_FILTER to TCP sockets and observe TCP sequence and acknowledgment numbers, potentially enabling session inference or TCP injection assistance. The vulnerability exists because no capability check was enforced before this patch, which now restricts SO_ATTACH_FILTER on TCP sockets to processes holding CAP_NET_ADMIN. No public exploit identified at time of analysis; EPSS stands at 0.18% (8th percentile), and patched releases are available across multiple stable kernel branches including 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, and 7.1.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial-of-service in the Linux kernel networking stack (GRO path) lets attackers crash a host by triggering a reachable kernel BUG_ON() panic. The flaw lives in skb_gro_receive_list(), which calls skb_pull() without a preceding pskb_may_pull() guard; when frames arrive via napi_gro_frags() with all data in page fragments (skb_headlen == 0) and a non-zero GRO offset, the pull makes skb->len drop below skb->data_len and hits BUG_ON(skb->len < skb->data_len). It affects kernels from 6.10 up to the fixed stable releases, carries CVSS 7.5 (availability-only), has a low EPSS of 0.18% (7th percentile), is not in CISA KEV, and has no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local memory corruption (double-free) in the Linux kernel netdev generic-netlink interface affects the device-memory RX binding path (netdev_nl_bind_rx_doit) in kernels 7.1-rc1 through 7.1-rc7 and backport-affected stable branches. Because genlmsg_reply() unconditionally consumes the reply skb, the buggy error path then calls nlmsg_free() on that same buffer, freeing it a second time; a local user able to reach the BIND_RX netlink command and force a reply failure can trigger the flaw. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile), consistent with a hard-to-reach error path rather than easy exploitation.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use of a dangling pointer in the Linux kernel's phylib/SFP networking subsystem occurs when PHY probing fails but sfp_bus_del_upstream() is never called, leaving the sfp-bus 'upstream' field pointing at freed/torn-down state that can be dereferenced during a later SFP hot-plug event. Affected systems are Linux hosts and appliances using PHY drivers with SFP cage support across kernels from 5.5 up to the fix in commit 48774e87. There is no public exploit identified at time of analysis, the EPSS score is very low (0.16%, 5th percentile), and the issue is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Deadlock in the Linux kernel PHY networking subsystem (net/phy) allows a local low-privileged user to freeze the networking stack on systems using the generic PHY driver (genphy) with SFP cage hardware. When genphy triggers PHY probing - which occurs while holding the RTNL lock - it erroneously calls sfp_bus_add_upstream(), which itself attempts to acquire RTNL, producing a self-deadlock confirmed by reproduction. No public exploit exists and EPSS is 0.16% (6th percentile), reflecting that exploitation requires an uncommon hardware and driver combination.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux mlx5_core driver's mlx5_query_nic_vport_mac_list() function allows a slab-out-of-bounds access when querying a VF vport whose configured MAC-list maximum exceeds the PF's log_max_current_uc/mc_list capability. The driver sizes its firmware command buffer using the PF capabilities rather than the vport's own HCA caps, so an oversized firmware response overflows the buffer during eswitch vport-change handling. This affects systems running NVIDIA/Mellanox ConnectX (mlx5) NICs in SR-IOV/switchdev mode; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 7th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Resource exhaustion (DMA mapping and xdp_frame leak) in the Linux kernel's mlx5e driver affects systems using AF_XDP (XSK) zero-copy sockets on NVIDIA/Mellanox ConnectX NICs. In the XSK path of mlx5e_xmit_xdp_buff(), an XDP_TX transmit failure (e.g. a full XDP send queue) returns without unmapping the DMA address or freeing the converted xdp_frame, slowly leaking kernel memory and DMA mappings until availability degrades. No public exploit identified at time of analysis; EPSS is low (0.18%, 7th percentile) and the issue is not in CISA KEV, so real-world risk is gradual leakage under heavy XSK workloads rather than direct remote compromise.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use-after-free read in the Linux kernel's IPv6 SIT (IPv6-in-IPv4) tunnel transmit path lets a stale inner-IPv6-header pointer be dereferenced after GSO offload processing relocates the skb head, exposing freed kernel memory or crashing the host. The flaw affects systems running SIT tunnels in ipip6_tunnel_xmit(), where iptunnel_handle_offloads() may call pskb_expand_head() and move the buffer while the code keeps reading the old iph6 pointer. There is no public exploit identified at time of analysis; EPSS is low (0.18%, 8th percentile) and the issue is not in CISA KEV. The vendor-tagged impact is Information Disclosure, which is materially narrower than the assigned CVSS 9.8.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Invalid pointer free in the Linux kernel's Open vSwitch (OVS) subsystem allows a local low-privileged user to crash the kernel, resulting in denial of service. The net/openvswitch reply skb cleanup code incorrectly assumes allocation always occurs before mutex acquisition; when allocation fails after locking, an ERR_PTR is passed to kfree_skb(), triggering a kernel panic on any host with OVS active. No public exploit has been identified and EPSS is 0.20% (10th percentile), but the crash is likely deterministic once the code path is reached on a vulnerable kernel.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds uninitialized-memory read in the Linux kernel SCTP stack lets an unauthenticated network peer trigger the receive path to read up to 16 bytes past a truncated ASCONF address parameter. The flaw lives in __sctp_rcv_asconf_lookup() in net/sctp/input.c, which validates only the ADDIP and parameter headers before calling af->from_addr_param(), trusting the parameter's declared length without bounding the full address against the chunk. No public exploit is identified at time of analysis, and EPSS exploitation probability is low at 0.18% (8th percentile); the issue is already patched upstream and classed as information disclosure.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds memory reads in the Linux kernel SCTP stack allow remote attackers to trigger information disclosure and kernel crashes by sending a malformed COOKIE_ECHO chunk. The flaw lives in sctp_unpack_cookie(), which fails to verify that an embedded INIT chunk is large enough for a complete INIT header and does not fully validate raw_addr_list_len, so sctp_process_init() and the address parser read past the cookie payload. EPSS is low (0.21%) and there is no public exploit identified at time of analysis, but the network-reachable, unauthenticated nature (CVSS 9.1) makes it a meaningful patch priority for any host with SCTP in use.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local heap disclosure and kernel crash in the Linux kernel networking stack arises because skb_is_err_queue() misidentifies AF_PACKET outgoing-tap skbs as error-queue skbs, letting AF_PACKET control-buffer state be misread as sock_exterr_skb::opt_stats. When timestamping and SO_RXQ_OVFL are enabled, an odd packet-drop counter makes the timestamp cmsg path emit SCM_TIMESTAMPING_OPT_STATS over non-linear skbs, reading past the linear head to leak adjacent kernel heap or trip hardened usercopy (BUG/panic). CVSS is 7.1 (C:H/A:H, local, low-priv); EPSS is low at 0.18% (8th percentile), and there is no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Use-after-free in the Linux kernel ptp_ocp driver crashes the kernel during device removal on systems equipped with Open Compute Platform PTP hardware. The teardown function ptp_ocp_detach() frees pin resources before calling ptp_clock_unregister(), which then accesses those freed resources via ptp_disable_all_events(), introduced by commit a60fc3294a37. EPSS is 0.15% (5th percentile) and this vulnerability is not listed in CISA KEV, indicating no public exploitation and very low real-world risk outside specialized environments.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Incorrect tunnel matching in the Linux kernel's IPv6 Virtual Tunnel Interface (vti6) lets the vti6_tnl_lookup() fallback path select the wrong tunnel when an exact match fails, because the wildcard-search loops omitted checks that a candidate tunnel actually holds a wildcard local or remote address. On hosts configured with multiple vti6 tunnels sharing the ip6n->tnls_r_l hash table, hash collisions can cause inbound IPv6/IPsec packets to be associated with an unintended tunnel, enabling traffic misdirection and information disclosure. There is no public exploit identified at time of analysis, EPSS probability is low (0.18%), and the issue is not in CISA KEV; the upstream fix is available across multiple stable kernel branches.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Netfilter x_tables in the Linux kernel leaks raw percpu counter pointer addresses to userspace on SMP systems via a crafted fault-window attack against the get-entries path. A local user with netfilter access can engineer a userspace buffer that triggers a page fault after the kernel copies the internal percpu allocation pointer (pcnt) but before the sanitized counter snapshot overwrites it, causing the syscall to return -EFAULT while leaving the raw kernel virtual address exposed in the caller's buffer. No public exploit is identified at time of analysis and EPSS sits at 0.18% (8th percentile), but the leaked percpu address functions as a KASLR bypass primitive chainable with a second vulnerability to achieve privilege escalation.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Register tracking corruption in the Linux kernel's netfilter nft_exthdr subsystem allows a local low-privileged attacker with nftables configuration rights to trigger reads of uninitialized stack data from nft_regs, resulting in kernel instability or denial of service. The flaw affects any kernel version since the introduction of commit c078ca3b0c5b through the respective unpatched stable branches. EPSS is 0.18% (8th percentile) and this vulnerability is not listed in CISA KEV, indicating low exploitation activity; however, the ubiquity of Linux deployments means patching across stable LTS branches is warranted.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Information disclosure and frame corruption in the Linux kernel's Marvell mvpp2 network driver allows stale cache contents to be read into received packets on non-coherent DMA systems. Because the driver synced the RX buffer starting at the raw DMA address rather than at the hardware packet offset (MVPP2_SKB_HEADROOM), it synchronized unused headroom and missed an equal number of bytes at the packet tail, leaving the CPU to read stale cache lines for the end of each frame. EPSS is low (0.18%), there is no public exploit identified at time of analysis, and the issue is bounded to specific Marvell Armada-class hardware rather than general-purpose servers.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Memory corruption in the Linux kernel's Marvell mvpp2 (PPv2) Ethernet driver allows the XDP fast-path to write past the real packet buffer on hardware using short BM pools. The driver hard-codes PAGE_SIZE as the XDP frame size even when short-pool buffers are smaller, so bpf_xdp_adjust_tail() can legitimately grow a frame beyond its actual allocation, corrupting adjacent memory or later tripping skb tailroom checks. EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis; despite the auto-assigned 9.8 CVSS, realistic exploitation is constrained to systems running an XDP program on affected Marvell hardware.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Memory corruption in the Linux kernel's Marvell mvpp2 (PPv2) Ethernet driver arises from an incorrect RX buffer-recycling order: when mvpp2_rx_refill() fails after the current buffer has already been handed to XDP or attached to an skb, the driver still returns that buffer to the hardware Buffer Manager (BM) pool, allowing the NIC to DMA into memory the RX ring no longer owns. Systems running Marvell Armada SoCs with the mvpp2 driver and XDP or skb RX processing are affected; the fix reorders the refill to complete before the buffer is handed off. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and the CVE is not listed in CISA KEV despite the inflated 9.8 NVD score.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's drm/vc4 (Broadcom VideoCore IV DRM) driver allows a local low-privileged user to gradually exhaust kernel memory under allocation-failure conditions. The flaw arises because the return value of krealloc() is assigned directly back to the original pointer without a NULL check - if krealloc() fails and returns NULL, the reference to the previously allocated buffer is silently overwritten, permanently leaking that memory. No public exploit code is identified at time of analysis, and EPSS probability is extremely low at 0.18% (8th percentile), consistent with the local-only, condition-dependent nature of the bug.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation potential in the Linux kernel netfilter nf_tables tunnel module (nft_tunnel) stems from a use-after-free triggered when a tunnel object is destroyed while packets still hold a reference to its metadata_dst. The flawed nft_tunnel_obj_destroy() path calls metadata_dst_free(), which kfree()s the structure while ignoring the dst_entry refcount, so packets queued in a qdisc (e.g. netem) later call dst_release() on freed memory. CVSS is 7.8 (high) with CVSS:3.1 vector AV:L/PR:L; EPSS is low at 0.18% (7th percentile), it is not in CISA KEV, and no public exploit identified at time of analysis.

Linux Information Disclosure Use After Free +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel stack information disclosure in the Linux kernel's netfilter nft_meta_bridge subsystem leaks 2 bytes of uninitialized stack data to userspace via the IIFHWADDR register. A local attacker with CAP_NET_ADMIN privileges can craft an nftables bridge rule that reads the full 8-byte register span after a memcpy writes only 6 bytes, exposing stale nft_do_chain() stack content. No public exploit exists and EPSS is 0.17%; however, on hardened systems kernel stack leaks can assist KASLR bypass when chained with other primitives.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel TEE subsystem's register_shm_helper() function allows a local low-privileged user to exhaust kernel memory and degrade system availability. Triggering the leak requires calling the TEE_IOC_SHM_REGISTER ioctl with a length of zero, causing the function to allocate shared memory and then skip its deallocation when iov_iter_npages() returns 0. No public exploit has been identified at time of analysis, and EPSS sits at the 7th percentile, indicating very low real-world exploitation probability.

Linux Information Disclosure
NVD VulDB
Prev Page 18 of 741 Next

Quick Facts

Typical Severity
MEDIUM
Category
other
Total CVEs
66671

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy