Skip to main content

Information Disclosure

other MEDIUM

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.

How It Works

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security. This happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses—returning full user objects when only a name is needed, or revealing system internals through metadata fields.

Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.

The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.

Impact

  • Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
  • Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
  • Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
  • Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
  • Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures

Real-World Examples

A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.

Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.

Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.

Mitigation

  • Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
  • Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
  • Access control audits: Restrict or remove development artifacts (.git, backup files, phpinfo()) and internal endpoints before deployment
  • Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
  • Security headers: Deploy X-Content-Type-Options, remove server version banners, and disable directory indexing
  • Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity

Recent CVEs (66703)

EPSS 0% CVSS 7.7
HIGH PATCH This Week

Sensitive credential disclosure in Budibase low-code platform versions prior to 3.38.3 allows any authenticated low-privilege user to retrieve a configured Snowflake datasource's private key in plaintext. The flaw stems from an incomplete secret-masking filter that only redacts fields typed as PASSWORD, leaving the Snowflake privateKey field (typed SENSITIVE_LONGFORM) exposed through the GET /api/datasources/:datasourceId endpoint. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is fixed in 3.38.3.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Two-factor authentication bypass via TOTP secret disclosure affects FileRise self-hosted file manager before 3.12.0, where the /api/totp_setup.php endpoint can be reached from the intermediate 'pending_login_user' session state that exists after a correct password but before the TOTP check. For accounts that already have TOTP enabled, the endpoint decrypts and returns the existing TOTP secret inside the enrollment QR PNG rather than refusing, so an attacker who already holds the victim's password can extract the seed, compute a valid one-time code, and complete login without the victim's authenticator. No public exploit has been identified at time of analysis and no EPSS score is provided, but the issue fully defeats the second authentication factor.

PHP File Upload Information Disclosure
NVD GitHub
EPSS 27% 4.9 CVSS 9.3
CRITICAL POC KEV THREAT Emergency

Embedded malicious code in Nx Console (the editor extension for Nx and Lerna) version 18.95.0 turned a trusted developer tool into a trojan during a brief publish window on 19 May 2026. The poisoned build was live on the Visual Studio Marketplace for roughly 18 minutes (12:30-12:48 UTC) and on OpenVSX for roughly 36 minutes (12:33-13:09 UTC); any developer who installed or auto-updated during those windows executed attacker-controlled code inside their IDE, tagged here as information disclosure. It is confirmed actively exploited (CISA KEV) and publicly available exploit code exists, with CISA SSVC rating exploitation as active, automatable, and total technical impact; the clean release 18.100.0 is the fix.

Information Disclosure Nx Console
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Unsalted SHA-256 password hashing in WeGIA exposes all stored credentials to rainbow table attacks in versions prior to 3.7.3. Both the login flow (html/login.php) and the password-change flow (controle/FuncionarioControle.php) use PHP's hash() with SHA-256 and no per-user salt, meaning identical passwords always produce identical digests and a single precomputed table can compromise the entire credential database at once. No public exploit has been identified at time of analysis and no KEV listing exists, but exploitability is high once hash data is obtained - the attack requires only standard rainbow table tooling and no cryptographic skill.

PHP Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Authentication bypass in SpSoft AppLock 7.9.40 for Android allows a local attacker with physical device access to circumvent fingerprint or PIN protection and access locked applications such as Chrome. The flaw stems from the app's reliance on a custom UI overlay rather than enforcing authentication at a deeper system level - cascading interface navigation triggered via advertisement or browser intents exposes routes that allow the attacker to exit the lock screen without re-authenticating. No public exploitation (CISA KEV) has been confirmed, but a researcher-published proof-of-concept exists on GitHub, and EPSS is low at 0.04% (11th percentile), consistent with the physical-access requirement limiting opportunistic exploitation.

Google Information Disclosure Privilege Escalation +2
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Protocol-relative URL injection in Symfony's UrlGenerator allows open redirect via regex alternation bypass in route parameter validation. When route requirements use alternation patterns (e.g., `_locale: 'en|fr|vi|de'`), the validation regex `#^REQUIREMENT$#` fails to anchor middle alternatives due to regex operator precedence, enabling substring matching against attacker-supplied values. An attacker who can influence route parameters fed into the Twig `path()`/`url()` helpers can inject a value like `/evil.com` - which satisfies the requirement by containing `vi` as a substring - causing UrlGenerator to produce `//evil.com/...`, a protocol-relative URL the browser navigates off-site. No public exploit is identified at time of analysis, and the vulnerability is not listed in CISA KEV; patches are released across all supported Symfony branches.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Path traversal in Webmin's mailboxes component before version 2.640 lets an authenticated user write saved attachment files outside the intended directory by controlling the attachment's filename. The flaw lives in mailboxes/detachall.cgi, which constructs the on-disk filename directly from the email attachment's MIME name without stripping path separators, so a crafted name can redirect the write to an attacker-chosen location. Carrying a CVSS 4.0 base score of 9.4 with total technical impact, the issue is fixed in 2.640; CISA's SSVC framework currently lists exploitation status as none and no public exploit has been identified.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Arbitrary file read on the Jenkins controller is possible in the Jenkins 'Pipeline: Groovy Libraries Plugin' (version 797.v90ea_a_9b_e45a_0 and earlier), where the plugin fails to prohibit symbolic links inside shared libraries. An attacker who can control the contents of a shared library consumed by a Pipeline job can plant symlinks that resolve to sensitive files (credentials, secrets, configuration) on the controller filesystem and exfiltrate them through the build. There is no public exploit identified at time of analysis, and SSVC marks exploitation status as none, so this is a patch-and-move-on issue rather than an active-exploitation emergency.

Information Disclosure Jenkins Red Hat
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary file disclosure in the Jenkins Email Extension Plugin (email-ext) versions 1933.v45cec755423f and earlier lets users who can control email content abuse the data-inline image attribute to supply file: URLs, causing the Jenkins controller to read local files and embed their contents as base64 inside outgoing emails. An authenticated attacker with rights to edit job email configuration or templates (CVSS PR:L) can exfiltrate controller secrets, credentials, and configuration. There is no public exploit identified at time of analysis and CISA's SSVC rates exploitation as none, but the CVSS 8.8 score and 'total' technical impact make controller secret theft a serious concern in shared Jenkins environments.

Information Disclosure Jenkins Red Hat
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Information disclosure in IBM Business Automation Workflow (containers and traditional deployments) exposes internal database schema details through application error messages to authenticated low-privilege users. Affecting versions across the 24.0.0, 24.0.1, 25.0.0, and 25.0.1 release lines, a network-accessible authenticated attacker can deliberately trigger error conditions to harvest database structure information - table names, column names, or schema layout - without needing elevated permissions. No public exploit code exists and no active exploitation is confirmed; SSVC assessment classifies this as non-automatable with partial technical impact, consistent with its limited confidentiality scope.

IBM Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Credential exposure in IBM Guardium Data Protection's Long Term Retention (LTR) add-on feature allows authenticated network users to obtain sensitive credentials when the system is operating in debug mode. Affected versions are 12.2.1 (up to and including Fix Pack 4.4.7 Fix Pack 1) and 12.2.2. The high confidentiality impact (C:H) reflects that fully valid credentials - not just partial data - may be disclosed, potentially enabling lateral movement or privilege escalation within the data protection infrastructure. No public exploit has been identified at time of analysis, and SSVC assessment confirms no active exploitation.

IBM Information Disclosure
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Denial-of-service via uncontrolled recursion in the IBM i Integrated Language Environment (ILE) compiler affects versions 7.3, 7.4, 7.5 (≤12.1.4), and 7.6 (≤11.5.9). An authenticated network attacker can crash or hang the ILE compiler by submitting specially crafted source code containing a specific combination of statements that triggers infinite or deeply nested recursive processing. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low complexity and authenticated-only barrier makes this plausible for insider threat or compromised credential scenarios.

IBM Information Disclosure
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Sensitive information disclosure in IBM App Connect Enterprise 13.0.1.0 through 13.0.7.0 exposes potentially sensitive data via log files accessible to local users. The CVSS vector (AV:L/PR:L) confirms exploitation requires local, low-privileged authenticated access, limiting the attack surface to users already present on the system. No public exploit has been identified and CISA SSVC rates exploitation as none, but the confidentiality impact is rated High, meaning successful access to log files could yield significant sensitive data.

IBM Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Local File Inclusion in the SeedProd Pro WordPress plugin (all versions before 6.19.5) lets an authenticated, low-privileged user coerce a PHP include/require statement into loading attacker-influenced local files, leading to disclosure of sensitive server-side files and potential code execution if a controllable file (e.g. an uploaded payload or log) can be included. The flaw, reported by Patchstack and classified CWE-98, carries a CVSS 3.1 base score of 7.5 with high attack complexity. There is no public exploit identified at time of analysis, and CISA SSVC rates exploitation as 'none', indicating this is currently a patch-and-move-on item rather than an emergency.

Information Disclosure PHP LFI
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Out-of-bounds read in libusb's parse_iad_array() function (descriptor.c) affects all releases before 1.0.30, enabling local attackers in virtualized environments with USB passthrough to crash libusb-dependent processes via a crafted USB descriptor. The off-by-one error causes the bounds check to evaluate against the original total buffer size rather than the remaining unparsed size, allowing a one-byte read past the end of the malloc allocation when a descriptor's bLength is set to exactly (total_size - 1). No public exploit code exists and the vulnerability is absent from CISA KEV; a vendor-released patch is confirmed in v1.0.30.

Denial Of Service Buffer Overflow Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's CAN UCAN USB driver allows a local low-privileged user to exhaust kernel memory by repeatedly triggering driver unbind cycles without physical device disconnection. The flaw (CWE-401) exists because devres-managed buffers are incorrectly scoped to the parent USB device rather than the USB interface, so they are never released during software-initiated unbind events such as probe deferral or configuration changes. No public exploit code exists and EPSS sits at 0.02% (5th percentile), indicating near-zero real-world exploitation probability despite the CVSS Availability: High rating.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial of service in the Linux kernel's stream parser (strparser) subsystem allows attackers to exhaust memory by repeatedly triggering message assembly timeouts that fail to release partially assembled skb buffers. The flaw resides in strp_abort_strp(), which leaks strp->skb_head on abort, and affects kernels from at least 4.9 through the 6.x and 7.x release lines until the fix introduced in 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. No public exploit identified at time of analysis, and EPSS (0.02%, 5th percentile) reflects low predicted exploitation in the next 30 days despite the CVSS 7.5 rating.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Undefined behavior in the Linux kernel's nftables bitwise expression handler allows a local attacker with low privileges to crash the kernel. The nft_bitwise subsystem failed to reject zero-value shift operands during rule initialization; a zero shift causes the carry propagation formula (BITS_PER_TYPE(u32) - shift = 32 - 0 = 32) to perform a 32-bit shift of a 32-bit type, which is undefined behavior in C and can result in a kernel panic. No public exploit is identified at time of analysis, and EPSS at 0.02% (5th percentile) indicates very low automated exploitation activity, consistent with the local-only attack vector requiring nftables configuration privileges.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-impacting memory corruption in the Linux kernel's AFS filesystem can be triggered by an authenticated local user mapping AFS files, leading to a refcount leak that can cause kernel resource exhaustion or use-after-free conditions affecting confidentiality, integrity, and availability. The flaw stems from an incorrect conversion of AFS's mmap handler to the new .mmap_prepare() interface (commit 9d5403b1036c), which leaks reference counts when a VMA merge or allocation failure occurs after the prepare call. No public exploit identified at time of analysis and EPSS rates exploitation likelihood at just 0.02%.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Use-after-free in the Linux kernel's IPv6 SR (seg6) and RPL lightweight tunnel input paths can be triggered on PREEMPT_RT builds when a higher-priority task races ksoftirqd during a concurrent FIB lookup on a shared nexthop. The flaw causes dst_cache_set_ip6() to call dst_hold() on a freed per-CPU route, producing a kernel warning or memory corruption that an attacker on the network could leverage for denial of service or potential code execution. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's edt-ft5x06 capacitive touchscreen driver (CWE-416) lets a local actor with access to the driver's per-client debugfs interface read or corrupt freed kernel memory during device teardown. The regression was introduced by commit 68743c500c6e, which removed manual debugfs cleanup and left a window where debugfs files referencing tsdata->raw_buffer remained accessible after the buffer was freed. No public exploit identified at time of analysis; EPSS is very low (0.02%, 4th percentile) and it is not in CISA KEV, but a vendor (stable-tree) patch is available.

Memory Corruption Linux Use After Free +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's TPM2 session subsystem allows a local low-privileged user to exhaust kernel memory over time via repeated invocations of the vulnerable tpm2_read_public() function. The function allocates a kernel buffer via tpm_buf_init() but fails to call tpm_buf_destroy() on both its success path and its error path triggered by an unrecognized hash algorithm, leaking a page allocation each time. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% at the 4th percentile reflects very low real-world exploitation probability.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Race condition in the Linux kernel's md/md-llbitmap subsystem can cause availability loss on systems using software RAID with bitmap tracking. The barrier raise in llbitmap_start_write() and llbitmap_start_discard() occurs after the state machine transition is initiated, creating a window where concurrent state changes proceed without synchronization - potentially crashing the RAID subsystem or rendering an md array unavailable. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (4th percentile) reflects negligible automated exploitation risk. Patches are available across multiple stable kernel branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's ext4 filesystem driver allows a local attacker to read up to 3 bytes beyond a valid extended-attribute (xattr) region, potentially leaking adjacent kernel memory or crashing the system. The flaw lives in check_xattrs(), where a loose bounds check on the next xattr entry lets IS_LAST_ENTRY() perform a 4-byte read that overruns the buffer when parsing a crafted or corrupted ext4 xattr block. It is not in CISA KEV and no public exploit identified at time of analysis; EPSS is negligible at 0.02% (5th percentile), consistent with a low-impact local memory-safety bug that has already been patched upstream.

Linux Buffer Overflow Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Concurrent execution race in the Linux kernel's mm/vmalloc subsystem allows a local low-privileged attacker to trigger memory corruption or leaks by exercising the vmap_node shrinker simultaneously with lazy vmap purge operations. The flaw stems from unserialized invocation of decay_va_pool_node() between __purge_vmap_area_lazy() and the shrinker path. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the issue is patched upstream in the stable tree.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in the Linux kernel's igorplugusb infrared remote control driver allows a local low-privileged user to crash the kernel on systems where a compatible USB IR receiver is connected and the host controller performs DMA on control requests. The igorplugusb driver failed to allocate the USB control request structure separately, violating DMA coherency requirements enforced by certain host controllers - an object allocated on the kernel stack or embedded in a larger structure is not guaranteed to be DMA-safe. No public exploit code exists, and EPSS of 0.02% confirms negligible exploitation interest. Vendor-released patches are available across multiple stable branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation potential via use-after-free in the Linux kernel's ALSA aloop (snd-aloop) driver allows authenticated local users to trigger memory corruption by racing PCM stream close against a peer format-change stop. The flaw stems from snd_pcm_stop() running after cable->lock is dropped, leaving a stale peer substream pointer that can be freed by a concurrent close. Upstream fixes are merged into stable trees (6.12.88, 6.18.27, 7.0.4, 7.1-rc2); no public exploit identified at time of analysis and EPSS is very low at 0.02%.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The zram compressed-RAM block device driver in the Linux kernel hangs processes indefinitely when partial discard requests are submitted on systems where the discard granularity is smaller than the system page size (e.g., 4K discards on ARM64 systems with 64K pages). The driver correctly identifies partial discards as unsupported and returns early, but omits calling bio_endio(), leaving submit_bio_wait() blocked forever. Exploitation requires local access to a zram device with low privileges; no public exploit exists and EPSS is 0.02%, consistent with a niche local denial-of-service. Patches are available across multiple stable kernel branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel panic via exhausted buffer in the ALSA control subsystem affects Linux kernel builds compiled with CONFIG_FORTIFY_SOURCE and Clang, allowing a local low-privileged user to crash the system. The function snd_ctl_elem_init_enum_names() fails to guard against a zero buf_len before invoking strnlen(), and Clang's fortified strnlen fires a BRK exception when it cannot determine the object size of the advanced pointer p inside the loop - panicking the kernel before the intended error-path return. Discovered through kernel fuzz testing on Xiaomi Smartphone hardware; no public exploit and no KEV listing; EPSS is 0.02%.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's DAMON statistics subsystem (mm/damon/stat) causes kernel memory exhaustion when damon_start() fails during damon_stat_start(). The allocated DAMON context is never freed on the failure path, and the stale global pointer is overwritten on each subsequent enable attempt, making prior allocations permanently unreachable. Exploitation requires local access with low privileges, yields high availability impact (A:H) via progressive kernel memory exhaustion, and no public exploit or active exploitation has been identified at time of analysis.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial-of-service in the Linux kernel rxrpc subsystem (rxkad authentication) allows unauthenticated network attackers to crash vulnerable hosts by sending packets with misaligned crypto length fields. The flaw stems from improper handling of decryption errors and a remotely-triggerable WARN_ON_ONCE() in the rxkad packet processing path. EPSS scoring is very low (0.02%) and no public exploit identified at time of analysis, but the CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) rating reflects the unauthenticated remote availability impact.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's RDMA mana_ib driver (Microsoft Azure Network Adapter) lets a local user trigger stale firmware RX steering after destroying an RSS QP, so incoming completions land on reused CQ IDs and corrupt kernel state. It affects Linux deployments on Azure VMs using MANA with RDMA/DPDK; an attacker who can create and destroy RSS QPs (e.g., via a DPDK application exit while a peer keeps transmitting) can drive completions onto TX CQs and crash or corrupt the driver. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%, 5th percentile), indicating low real-world exploitation likelihood.

Memory Corruption Linux Use After Free +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource leak in the Linux kernel SPI subsystem allows a local low-privileged attacker to exhaust kernel resources and cause denial of service. The flaw affects multiple stable kernel branches (5.4.x through 7.x) and occurs when spi_setup() fails during SPI device registration, leaving resources allocated by setup() unreleased because the controller cleanup() callback is never invoked on the error path. No public exploit exists and EPSS sits at 0.02% (5th percentile), indicating very low real-world exploitation probability; this is a stability fix appropriate for routine patching rather than emergency response.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's EROFS filesystem driver allows a local attacker to crash the system or potentially leak kernel memory by mounting a crafted EROFS image. The flaw stems from missing validation of the trailing dirent nameoff field, which can underflow during strnlen() and cause reads beyond the directory block. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a vendor patch is available across multiple stable kernel branches.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Incorrect DMA synchronization direction in the Linux kernel's atmel-tdes crypto driver exposes systems running on non-coherent cache architectures to stale cache data reads. The atmel-tdes driver incorrectly calls dma_sync_single_for_device() instead of dma_sync_single_for_cpu() before the CPU consumes DMA output, causing cache invalidation to be skipped on non-coherent platforms (typically ARM-based Atmel/Microchip SoCs). This means the CPU may read stale cached data rather than actual DES/3DES operation output, producing incorrect cryptographic results and potential information exposure from prior cache contents. No public exploit exists and EPSS is 0.02%, but hardware-platform specificity limits real-world reach significantly.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.9
HIGH PATCH This Week

Privilege escalation and denial of service in the Linux kernel's nested SVM (nSVM) virtualization subsystem allows an L2 guest to issue VMMCALL hypercalls as if it were L1 when nested_svm_l2_tlb_flush_enabled() is true, L1 does not intercept VMMCALL, and the hypercall is not a supported Hyper-V call. The fix forces KVM to synthesize a #UD exception in this scenario, matching architectural behavior; no public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%).

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's atmel-sha204a crypto driver allows an attacker who can remove or unbind the device to trigger a use-after-free during the driver teardown path. The flaw stems from failing to unregister the hwrng and flush the Atmel I2C workqueue before teardown, letting a queued ->read() callback execute against freed state, and an early return that also leaks the hwrng.priv allocation. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, so this is a defense-in-depth hardening fix rather than an urgent emergency.

Memory Corruption Linux Use After Free +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak and potential use-after-free in the Linux kernel's spi-ch341 USB driver expose systems to local denial-of-service when CH341 device probe failures occur without proper resource cleanup. Kernels from the commit introducing the spi-ch341 driver (8846739f52afa07e63395c80227dc544f54bd7b1) through the respective stable-branch fix commits across the 6.11 through 7.0 lineages are affected. Repeated probe failures accumulate leaked kernel memory that can exhaust system resources; no active exploitation is identified (EPSS 0.02%, no CISA KEV listing), placing this firmly in the maintenance-priority rather than incident-response category.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Linux kernel's hwmon powerz USB power meter driver fails to cancel an in-flight USB Request Block (URB) when a process is interrupted by a signal mid-read, resulting in reads from an unfilled DMA transfer buffer that can cause denial of service and potentially expose stale kernel buffer contents. Affected since commit 4381a36abdf1c5c0323c1c51f869dc000115eb20 and patched in stable releases 6.12.86, 7.0.4, and 6.18.27. No public exploit exists and EPSS is 0.02% (5th percentile), reflecting both the niche hardware dependency and strictly local attack surface; this issue is not listed in CISA KEV.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Out-of-bounds heap read in the Linux kernel ntfs3 driver's run_unpack() function allows a local user to crash the kernel by mounting a crafted NTFS image. The flaw affects multiple stable kernel branches from 5.15 onward, where run list parsing in MFT attributes consumes up to 15 bytes beyond the valid buffer boundary without checking remaining buffer size. No public exploit code exists and EPSS sits at 0.02% (5th percentile), but the local denial-of-service impact is A:H and patches are available across all affected stable branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

KVM nested SVM (AMD virtualization) in the Linux kernel incorrectly marks VMCB_LBR dirty in the guest's vmcb12 during nested VM exit processing, triggering architecturally undefined behavior that results in hypervisor availability loss. Affected are Linux kernels from 5.19 through versions preceding the stable-branch patches at 6.18.27 and 7.0.4. A low-privileged local attacker operating within a nested virtual machine on an AMD SVM-capable host can exploit this to crash or destabilize the host KVM layer. No public exploit and no CISA KEV listing exist; EPSS sits at 0.02% (4th percentile), confirming negligible opportunistic exploitation probability.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's mwifiex Wi-Fi driver (Marvell) occurs during adapter teardown: mwifiex_adapter_cleanup() calls the non-synchronous timer_delete() on the wakeup_timer, so a still-running wakeup_timer_fn callback can dereference adapter fields (hw_status, if_ops.card_reset) after mwifiex_free_adapter() frees them along the card-removal path. A local attacker who can trigger device removal while the timer fires could corrupt freed kernel memory, enabling privilege escalation or denial of service. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%, 5th percentile), and the fix (timer_delete_sync()) is merged into stable releases.

Memory Corruption Linux Use After Free +3
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's DAMON (Data Access MONitor) subsystem allows a local user with access to the DAMON sysfs interface to read out-of-bounds kernel memory or crash the system. The flaw exists because mm/damon/core failed to validate the user-supplied node ID (damos_quota_goal->nid) before using it in NODE_DATA() for the node_memcg_used_bp and node_memcg_free_bp quota goal metrics. The kernel description includes a working reproduction using the user-space 'damo' tool, but no public weaponized exploit and no active exploitation (CISA KEV) have been reported; EPSS is negligible at 0.02%.

Linux Buffer Overflow Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel fbdev deferred I/O subsystem allows local low-privileged users to trigger undefined behavior when a framebuffer device is hot-unplugged while user space retains an active memory mapping. The flaw stems from improper lifetime management between struct fb_info and deferred I/O state, leading to use-after-free conditions with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%).

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds heap read in the Linux kernel's ibmasm driver (the IBM Advanced System Management service-processor interface) lets a local privileged user leak adjacent kernel heap memory. The ibmasm_send_i2o_message() function trusts user-controlled command_size and data_size header fields to size a memcpy_toio() without validating them against the real allocation, so a small buffer with inflated header values forces a read of up to ~65 KB past the allocation, which is then forwarded to the service processor over MMIO. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis.

Linux Buffer Overflow Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Deadlock in the Linux kernel's x86 Control-flow Enforcement Technology (CET) shadow stack implementation can be triggered by a local unprivileged user during signal return, causing a kernel hang and denial of service. The flaw exists in x86 SMP kernels with PER_VMA_LOCK configured where X86_USER_SHADOW_STACK is enabled: holding the mmap read lock while reading the shadow stack signal frame during sigreturn allows a recursive lock acquisition attempt that deadlocks when a concurrent mmap writer is waiting on another CPU. No public exploit has been identified at time of analysis and EPSS exploitation probability is extremely low at 0.02% (5th percentile), but the availability impact is high on affected systems with shadow stack enabled.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Deadlock in the Linux kernel jbd2 journal subsystem can hang filesystems and render systems unresponsive when filesystem blocksize is smaller than the system pagesize. Introduced by commit f76d4c28a46a, the flaw breaks the required folio-then-buffer lock ordering in jbd2_journal_cancel_revoke(), causing an ABBA deadlock between concurrent filesystem journal operations and block device writeback. No public exploit is identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with a race-condition kernel bug requiring a non-default configuration that is unlikely to be deliberately weaponized.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

IRQ handler cleanup failure in the Linux kernel Intel QAT (Quick Assist Technology) crypto driver for 6xxx-series devices causes kernel resource leaks and availability impact when device probe partially fails. The flaw manifests during adf_dev_up() failure: because pcim_enable_device() registers pcim_msi_release() as a devres action that runs in LIFO order, MSI-X vectors are torn down while IRQ handlers such as 'qat0-bundle0' are still attached, producing remove_proc_entry() warnings and leaking procfs entries. No public exploit has been identified at time of analysis, and EPSS at 0.02% (4th percentile) confirms negligible exploitation interest; impact is limited to systems that physically host Intel QAT 6xxx accelerator cards.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Landlock LSM's credential transfer hook in the Linux kernel silently drops the LOG_SUBDOMAINS_OFF audit-muting flag across fork() boundaries, breaking the documented sandboxing pattern where a parent process suppresses subdomain audit logs before spawning sandboxed children. Affected kernels from commit ead9079f75696 onward across the 6.15, 6.18, and 7.x stable branches allow child processes to emit unexpected Landlock audit records the operator explicitly intended to suppress. No public exploit identified at time of analysis; EPSS is 0.02% (4th percentile), and this is a logic correctness defect rather than a privilege-escalation or data-exfiltration path.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in the Linux kernel Bluetooth subsystem (hci_event) allows an adjacent attacker within Bluetooth range to potentially achieve memory corruption against vulnerable hosts during SSP pairing. The flaw stems from missing hdev locking in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), where an hci_conn structure can be freed concurrently while still in use. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%).

Linux Information Disclosure Use After Free +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local privilege-bounded information disclosure and integrity compromise in the Linux kernel's SELinux module affects overlayfs mounts where mmap() and mprotect() operations bypass the intended dual-credential access checks. A local authenticated user with access to an overlayfs top-level (user) file can map or change protections on backing files without the mounter's credentials being properly evaluated, undermining the SELinux overlayfs security model. EPSS is very low (0.02%, 5th percentile) and no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation risk in the Linux kernel's RDS (Reliable Datagram Sockets) subsystem stems from a double-free condition in __rds_rdma_map() when a put_user() copy of the MR cookie fails after get_mr() has transferred sg/pages ownership to the transport. A local authenticated attacker triggering this race or fault path could cause memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis and EPSS is low at 0.02%, but a vendor-released patch is available across multiple stable branches.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel Ceph client allows local users with access to a Ceph-mounted filesystem to trigger d_hash list corruption and RCU stalls by inducing path lookups against reused cached negative dentries. The flaw stems from fs/ceph/dir.c calling d_add(dentry, NULL) on already-hashed negative dentries, creating self-loops in the hlist_bl bucket that cause __d_lookup() to spin indefinitely. EPSS is 0.02% (5th percentile) and no public exploit identified at time of analysis, but the bug has been reproduced organically in production (RCU stall on a Dell PowerEdge R7615 running 6.18.17).

Linux Amd Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Infinite loop denial-of-service in the Linux kernel ALSA ctxfi audio driver allows a local low-privileged user to hang the kernel by triggering S/PDIF passthrough playback at 32000 Hz on Creative Sound Blaster X-Fi hardware. The root cause is an uninitialized `pll_rate` field that causes a resource-calculation loop to never exit, consuming CPU indefinitely and degrading or halting system availability. No public exploit exists and the EPSS score of 0.02% (5th percentile) confirms negligible real-world exploitation pressure; the vulnerability is not listed in CISA KEV.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

USB device reference count leak in the Linux kernel ALSA CAIAQ driver allows a local attacker with access to USB hardware to trigger kernel memory exhaustion. The flaw exists because usb_get_dev() is called in create_card() but its matching usb_put_dev() is only installed as a destructor late in init_card(), leaving it unreachable on all intermediate failure paths. Syzbot has reproduced the issue using a malformed UAC3 USB audio device, and patches are available across all affected stable kernel branches. No public exploit has been identified at time of analysis, and EPSS is negligible at 0.02%.

Microsoft Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's QRTR (Qualcomm IPC Router) name service driver remove path allows local low-privileged users to corrupt memory and potentially escalate privileges. The flaw occurs because qrtr_ns_data_ready() can queue work to a workqueue that has already been destroyed during driver teardown, dereferencing freed memory. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the fix has landed across multiple stable kernel trees.

Linux Use After Free Memory Corruption +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Missing brelse() in the ext4 filesystem's ext4_xattr_inode_dec_ref_all() function causes a buffer head refcount leak that can degrade system availability on affected Linux kernel versions. Introduced by commit c8e008b60492 (

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource leak in the Linux kernel IPMI SSIF driver leaves an orphaned kernel thread running when driver initialization fails mid-sequence. Systems with SSIF-capable IPMI hardware (BMC connected via SMBus/I2C) running unpatched kernels are affected across multiple stable branches. If initialization errors occur after the ssif kthread is spawned but before the IPMI core starts the interface, the thread is never stopped, degrading system availability over time. No public exploit exists and EPSS is 0.02% (4th percentile), making this a routine patch-cycle item rather than an emergency; fixes are confirmed in stable kernel releases 6.18.27 and 7.0.4.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Remote denial of service and potential memory corruption in the Linux kernel's RDMA Software RoCE (rxe) driver allows network attackers to send malformed RDMA packets that bypass length validation in rxe_rcv(). Affected systems with the rxe module loaded and reachable on the network can experience integer underflow in payload_size() due to an attacker-controlled BTH pad field, leading to negative values being passed to downstream receive-path handlers. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the CVSS 9.1 rating reflects the unauthenticated network attack surface where rxe is exposed.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Two kernel heap memory leaks in Linux kernel's weighted interleave NUMA memory policy subsystem allow a local low-privilege user to exhaust kernel memory and cause denial of service. The `weighted_interleave_auto_store()` function in `mm/mempolicy.c` fails to free `new_wi_state` on an early-return path and fails to free the old state object when overwritten via `rcu_assign_pointer()` when processing 'true' writes, because `old_wi_state` is only fetched inside the wrong conditional branch. The second leak is trivially automatable - any authorized sysfs writer can loop-write '1' indefinitely to drive the system into OOM - though no public exploit exists and EPSS sits at a negligible 0.02%.

Linux Information Disclosure IBM +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial-of-service via kernel panic in the Linux kernel's greybus gb-beagleplay driver allows a local low-privileged user to crash the system by triggering an illegal sleep-in-atomic-context condition. The greybus HDLC TX path calls usleep_range() inside hdlc_append() while the tx_producer_lock spinlock is held, violating the fundamental Linux kernel rule that sleeping is forbidden in atomic context and triggering a 'BUG: scheduling while atomic' kernel oops. No public exploit has been identified at time of analysis, and EPSS at 0.02% (5th percentile) reflects the hardware-specific and local-access-only nature of this flaw. The input tag 'Information Disclosure' appears to be a misclassification - the actual impact is exclusively availability (kernel crash), consistent with the CVSS vector's A:H/C:N/I:N ratings.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource accounting exhaustion in the Linux kernel's inotify subsystem allows a local low-privileged user to permanently leak watch counts by repeatedly triggering a failure path in inotify_new_watch() that increments the per-namespace watch counter without a corresponding decrement. Over time this exhausts the max_user_watches limit, causing all subsequent inotify watch creation within the namespace to fail with -ENOSPC even when no watches are genuinely active, constituting a local denial-of-service against inotify-dependent applications. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects very low real-world exploitation probability with no CISA KEV listing.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory exhaustion in the Linux Kernel's QRTR (Qualcomm IPC Router) nameserver subsystem exposes local, low-privileged users to a denial-of-service condition. The `ctrl_cmd_bye()` function, triggered when a QRTR node sends a BYE shutdown packet, fails to remove the node from the Xarray structure or release the associated memory - resulting in a persistent kernel memory leak (CWE-401). Affected systems are Linux kernels from 5.7 through multiple stable branches, with fixes backported to 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. No active exploitation is confirmed (not in CISA KEV), and EPSS sits at 0.02% (5th percentile), indicating minimal real-world threat at this time.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's IPv4 ICMP handling allows remote attackers to trigger denial of service and potential information disclosure by sending crafted ICMP Extended Echo Reply packets. The flaw stems from the kernel consulting the icmp_pointers[] array with reply types (ICMP_EXT_ECHOREPLY) that fall outside its bounded range (NR_ICMP_TYPES). No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but the network attack vector and high availability impact make patching a priority for exposed Linux hosts.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Linux kernel's vfio/cdx (Composable DMA-capable eXtension) driver allows a process with access to a VFIO device file descriptor to trigger a use-after-free of the cdx_irqs array via concurrent VFIO_DEVICE_SET_IRQS ioctls. The race in vfio_cdx_set_msi_trigger() can be exploited by a local low-privileged attacker for memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis and EPSS is very low (0.02%, 5th percentile).

Linux Information Disclosure Use After Free +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Lock re-entrancy corruption in the Linux kernel's mm/page_alloc subsystem affects uniprocessor (UP/!CONFIG_SMP) builds, allowing freelist corruption that crashes the kernel. On UP kernels, spin_trylock() is a compile-time no-op that unconditionally succeeds; when alloc_frozen_pages_nolock() is invoked from NMI context, it re-enters rmqueue() and acquires the zone lock already held by the interrupted context, corrupting the page allocator's freelists. No public exploit exists and EPSS sits at the 4th percentile (0.02%), consistent with the narrow scope: only non-default UP kernel builds on specific kernel versions are affected, making this a targeted stability concern for embedded or legacy uniprocessor deployments rather than a broad production threat.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's crypto authencesn AEAD wrapper allows a local user with AF_ALG access to trigger memory disclosure and possible denial of service by instantiating an authencesn transform built on an ahash whose digest size is 1-3 bytes (for example cbcmac(cipher_null)). The flaw stems from crypto_authenc_esn_create() failing to validate the inner digest size, letting an invalid default authsize bypass the existing setauthsize() check. No public exploit identified at time of analysis and EPSS probability is negligible (0.02%), but the upstream fix is shipping across multiple stable trees.

Linux Information Disclosure Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel ks8851 Ethernet driver allows a deadlock condition when handling concurrent IRQ and TX softirq processing on systems using the Micrel KS8851 MAC/PHY chip. The flaw manifests when the IRQ handler executes netdev_alloc_skb_ip_align() with bottom-halves enabled, triggering pending softirq processing that re-enters the driver's xmit path and attempts to re-acquire an already-held spinlock. EPSS scores this at 0.02% (5th percentile) and no public exploit identified at time of analysis, consistent with a local hardware-dependent stability bug rather than a remotely weaponizable vulnerability.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory leak in the Linux kernel's EDAC/versalnet driver (mc_probe()) results in unreleased device_node references, enabling local low-privileged users to cause kernel memory exhaustion and availability degradation on AMD/Xilinx Versal SoC systems. The root cause is a missing of_node_put() call on all exit paths of mc_probe(), with the fix applied across stable branches including 6.18.27 and 7.0.4. No public exploit or CISA KEV listing exists, and EPSS sits at 0.02% (4th percentile), reflecting minimal active exploitation risk.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Slab allocator corruption in the Linux kernel's mm/slab subsystem allows local low-privileged users on uniprocessor (UP, !CONFIG_SMP) builds to potentially corrupt kernel memory state when kmalloc_nolock() is invoked from NMI context. The flaw stems from spin_trylock() being a no-op on UP kernels, allowing re-entry into the slab allocator while n->list_lock is already held by the interrupted context. EPSS is very low (0.02%) and no public exploit has been identified at time of analysis, though an upstream patch is available.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Race condition in the Linux kernel's AF_ALG AEAD AIO interface allows a local low-privileged user to trigger a denial of service by exploiting shared socket-wide IV buffer state across concurrent asynchronous AEAD requests. The algif_aead subsystem fails to snapshot the Initialization Vector into per-request storage before dispatching async operations, meaning any concurrent socket activity that updates the shared IV can corrupt an in-flight request before it completes. No public exploit has been identified and EPSS is extremely low at 0.02% (7th percentile); vendor-released patches are available across all supported stable kernel branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial-of-service in the Linux kernel's SMC (Shared Memory Communications) networking subsystem allows remote attackers to crash the kernel by sending a CLC decline message during the early stage of an SMC handshake before the connection is associated with a link group. The flaw, tracked as EUVD-2026-32408, stems from smc_clc_wait_msg() accessing link-group sync state that does not yet exist at that point in the handshake. No public exploit identified at time of analysis and EPSS probability is very low (0.02%, 5th percentile), but the network attack vector and high availability impact warrant patching on systems that use SMC.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Uncontrolled resource consumption in the Linux kernel's QRTR (Qualcomm IPC Router) nameserver module allows a local authenticated user to exhaust nameserver resources by flooding it with unbounded NEW_LOOKUP messages over a single socket. The affected subsystem (net/qrtr/ns) restricted lookups to local clients but imposed no count limit, enabling a sustained denial-of-service against QRTR-dependent inter-process communication on Qualcomm SoC platforms. No public exploit has been identified and EPSS stands at 0.02% (5th percentile), placing this firmly in the low real-world priority tier despite its High availability impact rating.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Deadlock and memory leak in the Linux kernel DAMON subsystem arise from a race condition between damon_call() request registration and kdamond_fn() thread exit, affecting systems using the Data Access MONitor (DAMON) API. A local low-privileged process can trigger the race at precisely the moment a kdamond thread is terminating - causing the calling thread to wait indefinitely for a handler that has already exited, resulting in a kernel-level availability denial. No active exploitation is confirmed (EPSS 0.02%, not in CISA KEV), and the high attack complexity required to win the race significantly constrains real-world risk.

Race Condition Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds MMIO read in the Linux kernel's ibmasm (IBM Advanced System Management) misc driver allows a compromised IBM service processor to read 8 bytes from unintended device registers or trigger a machine check exception (system crash) by writing an out-of-range queue reader/writer index before asserting an interrupt. The flaw resides in ibmasm_handle_mouse_interrupt() where raw readl() values are passed unchecked to get_queue_entry(), and is fixed by bounds-checking both indices against REMOTE_QUEUE_SIZE (60). No public exploit identified at time of analysis, and EPSS probability is negligible at 0.02%.

Linux Information Disclosure Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Two related memory-management defects in the Linux kernel thermal zone governor subsystem expose local low-privileged users to system availability loss. The first is a memory leak (CWE-401) in the registration error path of thermal_zone_device_register_with_trips(), which fails to remove an attached governor when registration fails mid-way. The second, and more critically impactful, is a race condition in thermal_zone_device_unregister(), which calls thermal_set_governor() without first acquiring the thermal zone lock - permitting a concurrent sysfs-based governor update to produce a use-after-free, which can trigger a kernel panic. No public exploit code exists and EPSS is 0.02% (5th percentile); vendor-released patches are available across multiple stable kernel branches including 6.6.140, 6.12.86, 6.18.27, and 7.0.4.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's DAMON (Data Access MONitor) subsystem allows privileged local users to crash the kernel by supplying arbitrary node IDs to damos_quota_goal via DAMON_SYSFS. Affecting Linux 6.16 and fixed in 6.18.27, 7.0.4, and 7.1-rc1, the flaw stems from missing validation before si_meminfo_node()/NODE_DATA() lookups and is reproducible with the upstream 'damo' user-space tool. No public exploit identified at time of analysis and EPSS is very low at 0.02%.

Denial Of Service Linux Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The atmel-aes crypto driver in the Linux kernel leaks 3 pages of kernel memory per cleanup cycle due to a mismatch between allocation and deallocation functions: atmel_aes_buff_init() allocates 4 contiguous pages via __get_free_pages() with ATMEL_AES_BUFFER_ORDER, but atmel_aes_buff_cleanup() frees only a single page via free_page() instead of the correct free_pages(). Systems running on Atmel/Microchip ARM SoC hardware with this driver loaded are vulnerable to gradual kernel memory exhaustion leading to denial of service. No public exploit code exists and no active exploitation has been confirmed; the EPSS score of 0.02% (5th percentile) reflects the extremely narrow hardware-specific attack surface, and vendor-released patches are available across multiple stable kernel branches.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Availability degradation in the Linux kernel ALSA USB audio subsystem allows a local attacker with a crafted UAC2 USB audio device to trigger an unbounded parsing loop that holds register_mutex while repeatedly flooding the kernel log with error messages. Affected systems running snd-usb-audio on multiple stable kernel branches from 3.x through 7.0 are exposed to denial-of-service via mutex contention during USB device probe. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (6th percentile) reflects minimal threat actor interest; no CISA KEV listing exists.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Race condition in the Linux kernel memory management subsystem during large-folio migration can cause kernel availability disruption on SMP/NUMA systems. The flaw in migrate_folio_move() causes a destination folio to become visible to concurrent rmap-removal paths before being requeued onto the deferred split queue, triggering a kernel WARN in deferred_split_folio() or silently losing a folio from split_queue when the shrinker races the migration lock. With no public exploit, no CISA KEV listing, and an EPSS of 0.02%, this is a low real-world risk issue primarily relevant to HPC, virtualization, and database workloads with heavy NUMA migration activity.

Nvidia Race Condition Linux +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Race condition and missed wake-up in the Linux kernel TCP listener migration path (SO_REUSEPORT) allows local low-privileged attackers to cause hangs and potentially exploit a use-after-free on listener sockets. Affects kernels from 5.14 up to versions fixed in 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. No public exploit identified at time of analysis, and EPSS is very low (0.02%).

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Broken LBR MSR save/restore in the Linux kernel KVM/SVM subsystem allows a low-privileged local attacker to cause high-impact availability failures in virtualized environments running on AMD SVM hardware. MSR_IA32_DEBUGCTLMSR and Last Branch Record (LBR) MSRs are not enumerated by KVM_GET_MSR_INDEX_LIST and cannot be set via KVM_SET_MSRS, meaning VM state is not correctly preserved across save/restore or live migration cycles, particularly when L2 guests are running. No public exploit has been identified at time of analysis, and EPSS of 0.02% indicates very low exploitation probability, but the flaw affects a foundational hypervisor state management path on production AMD virtualization infrastructure.

Linux Information Disclosure Intel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Incorrect physical address conversion in the Linux kernel's mm/memfd_luo subsystem can crash the kernel when the put_folios error-cleanup path executes during memfd Live Update Object (LUO) operations. The cleanup passes a raw Page Frame Number (PFN) where kho_restore_folio() requires a phys_addr_t, and a missing sparse-hole guard (pfn==0) risks misprocessing file holes. No public exploit identified at time of analysis; EPSS of 0.02% (5th percentile) and absence from CISA KEV confirm very low real-world exploitation probability, with impact confined to local denial of service on systems running the experimental KHO/LUO subsystem.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's MediaTek JPEG (mtk-jpeg) media driver allows a local user with access to the device to trigger a use-after-free condition. The flaw occurs in mtk_jpeg_release() which frees the context structure without first cancelling pending workqueue items, creating a race window during device close where the worker thread accesses freed memory. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%, but the bug is fixed across multiple stable trees.

Linux Information Disclosure Use After Free +1
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Memory exhaustion handling flaw in the Linux kernel's rxrpc/rxgk subsystem allows network-adjacent attackers to potentially trigger unsafe code paths when rxgk_decrypt_skb() returns -ENOMEM during RxGSS-Kerberos token extraction. Affected kernels include the 6.17 series and specific commits in 6.16.9 onward, fixed in upstream commits and stable backports targeting 6.18.27 and 7.1-rc1. No public exploit identified at time of analysis, and EPSS is very low (0.02%) despite the 8.1 CVSS score.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Duplicate resource teardown in the Linux kernel's PCI endpoint NTB (Non-Transparent Bridge) driver causes a kernel oops when link state transitions fail or complete, enabling a local low-privileged user to crash the kernel. The `epf_ntb_epc_destroy()` helper performs teardown that its callers also execute, resulting in a double-free-class condition. No public exploit code exists and no active exploitation has been confirmed (not in CISA KEV); the EPSS score of 0.02% at the 5th percentile reflects extremely low observed exploitation probability.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Deadlock in Linux kernel DAMON (Data Access Monitor) subsystem allows a local low-privileged user or kernel code path to cause an indefinite thread hang in the mm/damon/core module via a race condition between damos_walk() request registration and kdamond_fn() exit sequencing. Systems running Linux kernels from commit bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61 through the patch commits are affected, with availability as the sole impact (CVSS C:N/I:N/A:H). No public exploit identified at time of analysis, and EPSS probability is 0.02% (5th percentile), indicating negligible real-world exploitation interest.

Race Condition Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Cache coherency violation in the Linux kernel hwmon powerz driver allows a local low-privileged user to crash the kernel on architectures where DMA buffer cacheline aliasing with adjacent kernel structures (here, a mutex) produces undefined behavior. Affected systems must have the powerz USB hardware monitor driver loaded and the specific hardware attached. No public exploit code exists and EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation activity; nonetheless the kernel availability impact (system crash) is concrete once triggered on a vulnerable architecture.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource leak in the Linux kernel's XFS subsystem fails to release a DAX (Direct Access) device reference in the error path of xfs_alloc_buftarg(), leaving a dangling reference that prevents proper cleanup of persistent memory devices. Systems running XFS on DAX-capable persistent memory hardware are affected, spanning multiple stable kernel branches prior to the fix commits documented in EUVD-2026-32302. No public exploit identified at time of analysis, and an EPSS score of 0.02% (5th percentile) confirms negligible exploitation interest; patches are confirmed available across Linux 6.6.x, 6.12.x, 6.18.x, 7.0.x, and 7.1-rc1.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel ALSA caiaq USB audio driver allows local code execution when the device probe path encounters an error during setup_card(). The setup_card() function previously ignored failures from snd_card_register() and continued executing, leaving freed card structures accessible to subsequent initialization calls such as snd_usb_caiaq_control_init(). No public exploit identified at time of analysis, and EPSS is low at 0.02% (5th percentile), consistent with the local attack vector and narrow hardware-driver scope.

Linux Use After Free Memory Corruption +3
NVD VulDB
Prev Page 41 of 742 Next

Quick Facts

Typical Severity
MEDIUM
Category
other
Total CVEs
66703

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy