Memory Corruption
Memory corruption occurs when a program writes data beyond the boundaries of allocated memory regions or accesses memory in unintended ways, violating the integrity of the process's address space.
How It Works
Attackers exploit these flaws by carefully crafting inputs that trigger the corruption, allowing them to overwrite critical data structures such as function pointers, return addresses, or object metadata. When the corrupted memory is subsequently accessed, the program executes attacker-controlled code or leaks sensitive information.
Several common variants exist, each with a distinct mechanism. Buffer overflows write past array boundaries, overwriting adjacent memory. Use-after-free bugs occur when code accesses memory after it has been deallocated, allowing an attacker to reallocate that space with attacker-controlled data. Type confusion tricks a program into treating an object as a different type, so field accesses land at incorrect offsets and can leak data or enable writes to arbitrary locations. Double-free vulnerabilities free the same memory twice, corrupting the allocator's heap metadata and ultimately enabling arbitrary writes when the corrupted allocator is used again.
The typical attack flow involves reconnaissance to identify the corruption primitive, heap manipulation to position target structures in predictable locations, triggering the vulnerability to corrupt specific memory, and finally leveraging the corruption to hijack control flow or extract data. Modern exploits often chain multiple primitives together, using information leaks to defeat ASLR before achieving code execution.
Impact
- Arbitrary code execution: Execute attacker-supplied machine code or reuse existing code (ROP/JOP) with full privileges of the vulnerable process
- Privilege escalation: Exploit kernel memory corruption to escalate from user to root/SYSTEM privileges
- Information disclosure: Leak cryptographic keys, passwords, authentication tokens, or bypass ASLR by reading memory layout
- Denial of service: Crash critical services by corrupting essential data structures
- Sandbox escape: Break out of browser or application isolation boundaries to compromise the host system
Real-World Examples
The Chrome V8 JavaScript engine has suffered numerous type confusion vulnerabilities where JavaScript objects are mishandled, allowing attackers to achieve browser compromise through malicious websites. CVE-2021-30551 exemplified this, enabling remote code execution via crafted web content.
Windows kernel vulnerabilities like CVE-2020-17087 demonstrated use-after-free exploitation, where local attackers triggered memory reuse in the kernel to escalate privileges to SYSTEM. This was actively exploited in targeted attacks before patching.
The Heartbleed vulnerability (CVE-2014-0160) in OpenSSL showed devastating information disclosure through a buffer over-read, leaking 64KB chunks of server memory containing private keys, passwords, and session tokens across millions of servers.
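The buffer over-read described above is easiest to see in code. The following is an added example, not code from the page, OpenSSL or any project it names: a hypothetical heartbeat-style record parser whose 16-bit payload length is attacker-controlled, shown in the unchecked form that over-reads the receive buffer (the Heartbleed pattern) beside the bounds-checked form that rejects a length field larger than the bytes actually received. All names and the wire format are constructed for illustration.

```c
/* Added example (not from the original page): a heartbeat-style record parser
 * in its unchecked and bounds-checked forms. Names and format are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_PAYLOAD 4096  /* sane upper bound for a single echoed payload */

/* Constructed wire format: [len_hi][len_lo][payload bytes ...] */
struct record { const uint8_t *data; size_t len; };

/* Vulnerable: trusts the length field and copies that many bytes no matter how
 * many bytes the record actually carries. A record claiming 65535 bytes but
 * carrying 1 makes memcpy read far past rec->data, leaking whatever follows it
 * in memory. Kept for comparison only; never use on untrusted input. */
size_t echo_payload_unchecked(const struct record *rec, uint8_t *out, size_t out_cap) {
    if (rec->len < 2) return 0;
    size_t claimed = ((size_t)rec->data[0] << 8) | rec->data[1];
    if (claimed > out_cap) claimed = out_cap;   /* protects the output buffer only */
    memcpy(out, rec->data + 2, claimed);        /* may over-read rec->data */
    return claimed;
}

/* Hardened: the claimed length must fit inside the bytes actually received and
 * a fixed maximum; otherwise the record is rejected and nothing is copied. */
int echo_payload_checked(const struct record *rec, uint8_t *out, size_t out_cap,
                         size_t *out_len) {
    *out_len = 0;
    if (rec->len < 2) return -1;                /* no room for the length field */
    size_t claimed = ((size_t)rec->data[0] << 8) | rec->data[1];
    if (claimed > MAX_PAYLOAD) return -1;
    if (claimed > rec->len - 2) return -1;      /* length field exceeds real data */
    if (claimed > out_cap) return -1;
    memcpy(out, rec->data + 2, claimed);
    *out_len = claimed;
    return 0;
}

/* Well-formed constructed record: claims 5 bytes and carries 5. Returns 1 on
 * a correct echo. */
int demo_valid_record(void) {
    static const uint8_t wire[] = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    struct record rec = { wire, sizeof wire };
    uint8_t out[MAX_PAYLOAD];
    size_t n;
    if (echo_payload_checked(&rec, out, sizeof out, &n) != 0) return 0;
    return n == 5 && memcmp(out, "hello", 5) == 0;
}

/* The unchecked parser behaves identically on benign input, which is why the
 * bug went unnoticed: returns the number of bytes echoed (5). */
size_t demo_unchecked_on_valid(void) {
    static const uint8_t wire[] = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    struct record rec = { wire, sizeof wire };
    uint8_t out[MAX_PAYLOAD];
    return echo_payload_unchecked(&rec, out, sizeof out);
}

/* Malicious constructed record: claims 65535 bytes but carries 1. The checked
 * parser must reject it with no bytes copied; returns 1 when it does. */
int demo_overlong_record_rejected(void) {
    static const uint8_t wire[] = { 0xff, 0xff, 'x' };
    struct record rec = { wire, sizeof wire };
    uint8_t out[MAX_PAYLOAD];
    size_t n = 99;
    int rc = echo_payload_checked(&rec, out, sizeof out, &n);
    return rc == -1 && n == 0;
}
```

Building with AddressSanitizer (-fsanitize=address) and feeding the overlong record to the unchecked parser is how the Sanitizers mitigation below catches this class of bug in testing; the example deliberately only runs the hardened parser on that input.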
Mitigation
- Memory-safe languages: Use Rust, Go, or Swift for new code to eliminate entire classes of corruption bugs
- Sanitizers in development: Deploy AddressSanitizer (ASAN) and MemorySanitizer (MSAN) during testing to detect corruption immediately
- Fuzzing with coverage feedback: Continuously fuzz parsers and input handlers using AFL++ or libFuzzer to discover corruption bugs
- Control Flow Integrity (CFI): Enable compiler-based CFI to restrict indirect call targets and prevent ROP
- Exploit mitigations: Deploy stack canaries, ASLR, DEP/NX, and shadow stacks on all platforms
- Sandboxing: Isolate vulnerable components using seccomp, pledge, or process isolation to contain successful exploits
Recent CVEs (2341)
Sandbox escape in Google Chrome's DevTools component allows attackers who have already compromised the renderer process to break out of the browser sandbox and execute code on the underlying system. Affects all Chrome versions prior to 148.0.7778.96. Google has released version 148.0.7778.96 to patch this vulnerability. The attack requires high complexity and user interaction (visiting a malicious page), but successful exploitation enables complete system compromise with changed scope (S:C in CVSS vector), escalating from renderer-level access to full system access. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis.
Remote code execution in Google Chrome versions prior to 148.0.7778.96 allows attackers to execute arbitrary code within the browser's sandbox by exploiting a use-after-free vulnerability in the Blink rendering engine through a specially crafted HTML page. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, though exploitation requires user interaction (visiting a malicious webpage). EPSS data not available. Not listed in CISA KEV at time of analysis. Vendor-released patch available in Chrome 148.0.7778.96.
Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox through a use-after-free vulnerability in the TopChrome component. Attack requires user interaction with a malicious HTML page and has high attack complexity. EPSS data not available; no active exploitation confirmed at time of analysis. Vendor-released patch available in Chrome 148.0.7778.96.
Remote code execution in Google Chrome's Media component on macOS and iOS versions prior to 148.0.7778.96 allows attackers to execute arbitrary code within the browser sandbox by exploiting an out-of-bounds write vulnerability. The attack requires a previously compromised renderer process as a prerequisite, plus user interaction with a malicious HTML page. CVSS rates this 8.8 (High) due to the network attack vector and no authentication required, though exploitation remains constrained by the sandbox boundary and requires initial renderer compromise. Vendor-released patch available in Chrome 148.0.7778.96. No active exploitation (CISA KEV) or public exploit code identified at time of analysis.
Sandbox escape in Google Chrome prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox via a use-after-free vulnerability in the Navigation component. This requires user interaction with a malicious HTML page and successful renderer compromise as a prerequisite, making it a two-stage attack requiring high attack complexity. Vendor-released patch available in Chrome 148.0.7778.96. No public exploit or active exploitation (CISA KEV) identified at time of analysis. CVSS 8.3 (High) reflects the severe post-compromise impact (sandbox escape enabling system-level access), but real-world risk depends heavily on successful initial renderer compromise.
Remote code execution within Chrome's sandbox affects all versions prior to 148.0.7778.96 through an out-of-bounds write in the WebRTC component. Attackers can achieve arbitrary code execution by convincing users to visit a specially crafted HTML page, though execution remains confined to Chrome's sandbox. EPSS data not available for this recent CVE (May 2026). Vendor-released patch version 148.0.7778.96 addresses the vulnerability with Chromium security severity rated Medium despite 8.8 CVSS score.
Use-after-free in Chrome's V8 JavaScript engine enables remote code execution inside the sandbox when users install a malicious extension. Google Chrome versions prior to 148.0.7778.96 are vulnerable to arbitrary code execution through specially crafted Chrome Extensions exploiting memory corruption in V8. CVSS rates this 8.8 (High) with network attack vector requiring user interaction. Vendor-released patch available in Chrome 148.0.7778.96 per Google's May 2026 stable channel update. EPSS and KEV data not provided; exploitation requires social engineering to install malicious extension, limiting automated exploitation scenarios.
Remote code execution in Google Chrome before 148.0.7778.96 allows unauthenticated attackers to execute arbitrary code within the Chrome sandbox by exploiting a use-after-free vulnerability in the CSS rendering engine through a malicious webpage. Requires victim interaction (visiting attacker-controlled page) but needs no authentication. Vendor-released patch available as Chrome 148.0.7778.96. EPSS score not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis, though browser vulnerabilities are high-value targets.
Remote code execution in Google Chrome's MediaRecording component (versions prior to 148.0.7778.96) allows attackers to execute arbitrary code when victims perform specific UI interactions with a malicious webpage. The use-after-free vulnerability in memory management has been patched by Google in version 148.0.7778.96. EPSS data not available; no CISA KEV listing identified, suggesting no confirmed widespread exploitation at time of analysis, though publicly available exploit code exists per Chromium bug tracker disclosure.
Remote code execution in Google Chrome for Windows below version 148.0.7778.96 allows unauthenticated attackers to execute arbitrary code within Chrome's sandbox via specially crafted HTML pages exploiting a use-after-free vulnerability in the WebRTC implementation. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability. EPSS data not provided, but Google's 'High' severity classification and immediate patch release indicate active concern. No CISA KEV listing or public POC identified at time of analysis, and the vulnerability is already patched.
Remote code execution in Google Chrome versions prior to 148.0.7778.96 occurs when attackers exploit a type confusion vulnerability in the JavaScript runtime through malicious web pages. The vulnerability requires only that users visit a crafted HTML page, making it highly accessible for social engineering attacks. No active exploitation confirmed by CISA KEV at time of analysis, though Google has released patches addressing this high-severity memory corruption flaw with confirmed public disclosure through Chromium issue tracker.
Remote code execution in Google Chrome prior to version 148.0.7778.96 allows attackers to execute arbitrary code within the browser's sandbox by exploiting a use-after-free vulnerability in the Presentation API through a specially crafted HTML page. User interaction is required (visiting a malicious webpage). EPSS data not available for this recent CVE. No public exploit confirmed at time of analysis, though the vulnerability has been patched by Google in the stable channel release.
Use-after-free memory corruption in Chrome Remote Desktop (Chromoting) on Windows enables local privilege escalation to SYSTEM via malicious file interaction. Attackers with local access can gain OS-level administrative control by inducing users to open specially crafted files processed by the Chromoting component. Patch available in Chrome 148.0.7778.96. No evidence of active exploitation (not in CISA KEV), but the local attack vector with low complexity and high impact warrants immediate patching for Windows Chrome deployments, especially in multi-user environments where privilege boundaries are critical.
Renderer sandbox escape in Google Chrome versions prior to 148.0.7778.96 leverages an out-of-bounds write in the Skia graphics library. An attacker who has already compromised Chrome's renderer process through other means (such as a separate browser vulnerability) can deliver a specially crafted HTML page to break out of Chrome's security sandbox, gaining elevated code execution on the underlying operating system. EPSS data not available; no CISA KEV listing identified. Google has released Chrome 148.0.7778.96 addressing this high-severity flaw, classified as CWE-787 (Out-of-bounds Write) affecting the Skia graphics rendering engine.
Sandbox escape in Google Chrome via a ServiceWorker use-after-free allows remote attackers to break out of Chrome's security sandbox through a specially crafted HTML page. Affects all Chrome versions prior to 148.0.7778.96. EPSS data not yet available for this recent CVE. Google has released a patch in version 148.0.7778.96. While rated high severity by the Chromium project, the attack complexity is high (AC:H) and requires user interaction (UI:R), limiting widespread exploitation risk despite the critical scope change (S:C) indicating sandbox escape capability.
Remote code execution in Google Chrome prior to 148.0.7778.96 enables attackers to execute arbitrary code by exploiting a use-after-free vulnerability in the Passwords component through a malicious HTML page. User interaction (visiting the crafted page) is required. CVSS score of 8.8 reflects network-based attack requiring no authentication but requiring user interaction, with high impact to confidentiality, integrity, and availability. Vendor patch available in Chrome 148.0.7778.96. No public exploitation confirmed at time of analysis.
Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox through a use-after-free vulnerability in the Skia graphics library. Exploitation requires user interaction with a malicious HTML page and successful prior renderer compromise, representing a second-stage attack rather than initial access. No active exploitation confirmed (not in CISA KEV), though the vulnerability's sandbox escape capability makes it valuable for targeted attack chains.
Sandbox escape in Google Chrome versions prior to 148.0.7778.96 enables remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox through a use-after-free vulnerability in the Aura UI framework. The attack requires user interaction with a malicious webpage and presents high attack complexity, but successfully chains renderer compromise with sandbox escape to achieve full system impact. No active exploitation confirmed (not in CISA KEV), though this vulnerability class is frequently targeted given Chrome's wide deployment and the high value of sandbox escapes.
Sandbox escape in Google Chrome's GPU component prior to version 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox via a use-after-free memory corruption vulnerability triggered by a malicious web page. This represents a critical second-stage attack where initial renderer compromise is chained with GPU exploitation to achieve full system access. Vendor-released patch available in Chrome 148.0.7778.96. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept at time of analysis.
Sandbox escape in Google Chrome on Windows allows attackers who have already compromised the renderer process to break out of Chrome's security sandbox via a use-after-free flaw in the Fullscreen API. Affects Chrome versions prior to 148.0.7778.96 on Windows platforms. Google has released a patch (version 148.0.7778.96) and rated this High severity. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code at time of analysis, though the vulnerability requires initial renderer compromise making it a second-stage exploitation vector.
Sandbox escape in Google Chrome on Windows versions prior to 148.0.7778.96 allows attackers who have already compromised the renderer process to break out of Chrome's security sandbox via type confusion in the Accessibility subsystem. The attack requires user interaction with a malicious webpage and successful renderer compromise as a prerequisite, representing a critical escalation path in multi-stage attacks. Vendor-released patch available in Chrome 148.0.7778.96. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.
Sandbox escape in Google Chrome for Windows versions prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of the Chrome sandbox via a use-after-free vulnerability in the Aura UI framework. The attack requires user interaction with a specially crafted HTML page and has high attack complexity (AC:H), but grants complete control over confidentiality, integrity, and availability with changed scope (S:C). No active exploitation confirmed in CISA KEV at time of analysis. EPSS data not provided, but the vulnerability targets a browser component with over 3 billion users globally.
Use-after-free in the Views component of Google Chrome versions prior to 148.0.7778.96 enables site isolation bypass after renderer compromise. A remote attacker who has already compromised the renderer process can escape sandbox protections via a malicious HTML page, potentially accessing cross-origin data or executing code outside the renderer sandbox. Patch released by Google in version 148.0.7778.96. EPSS score of 0.02% (3rd percentile) indicates very low probability of exploitation in the wild currently, with no evidence of active exploitation or public proof-of-concept at time of analysis.
Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows remote attackers to break out of the browser's security sandbox through a use-after-free vulnerability in the Fullscreen API component. Attackers can deliver the exploit via a specially crafted HTML page, requiring only that the user visit the page (no additional interaction). With CVSS 9.6 (Critical) and a scope change indicating containment breach, this represents a serious risk to the integrity of the browser security model. No evidence of active exploitation (not in CISA KEV) and EPSS data not available at time of analysis.
Remote code execution within Chrome's sandbox affects all versions prior to 148.0.7778.96 via crafted HTML pages exploiting a use-after-free vulnerability in DOM handling. Remote unauthenticated attackers can achieve arbitrary code execution with high integrity and confidentiality impact by convincing users to visit a malicious webpage. Vendor patch released (Chrome 148.0.7778.96). No confirmed active exploitation (not in CISA KEV), but the low attack complexity (AC:L) and publicly disclosed bug tracker entry (Chromium issue 496292089) increase exploitation risk. EPSS data not provided but RCE in widely-deployed browser warrants immediate patching despite sandbox containment limiting full system compromise.
Remote code execution in Google Chrome versions prior to 148.0.7778.96 allows attackers to execute arbitrary code within the browser's sandbox through a use-after-free vulnerability in SVG rendering. User interaction (visiting a malicious webpage) is required, but no authentication is needed. Vendor-released patch available in Chrome 148.0.7778.96. No public exploit identified at time of analysis, though CVSS score of 8.8 reflects high impact if successfully exploited.
Remote code execution within Chrome's V8 sandbox affects all versions prior to 148.0.7778.96 when users visit malicious web pages. The out-of-bounds memory access vulnerability in the V8 JavaScript engine enables arbitrary code execution with user interaction (visiting crafted HTML), rated high severity by the Chromium team. EPSS and KEV data not available, but Google confirmed the vulnerability and released patches. Attack complexity is low (CVSS AC:L) with no authentication required, making this exploitable at scale once a proof-of-concept becomes public.
Remote code execution in Google Chrome for macOS (versions prior to 148.0.7778.96) allows attackers to execute arbitrary code within the browser's sandbox by exploiting a use-after-free vulnerability in the ANGLE graphics library through a malicious HTML page. The vulnerability requires user interaction (visiting a crafted webpage) but can be exploited remotely without authentication. Google has released Chrome 148.0.7778.96 to address this high-severity memory corruption issue, which affects the confidentiality, integrity, and availability of sandboxed browser processes.
Remote code execution in Google Chrome's Chromoting component (remote desktop feature) on Linux allows unauthenticated attackers to execute arbitrary code through specially crafted network packets when a user interacts with a malicious remote desktop session. Fixed in Chrome 148.0.7778.96. Vendor rates severity as Critical. No public exploit code identified at time of analysis, but the use-after-free class (CWE-416) is well-understood and exploitable. CVSS 8.8 reflects network attack vector with low complexity requiring only user interaction, enabling full system compromise (high confidentiality, integrity, and availability impact).
Remote code execution in Google Chrome for iOS prior to version 148.0.7778.96 occurs through use-after-free memory corruption in the mobile UI handler. Exploitation requires convincing a user to perform specific UI gestures while viewing a malicious HTML page. Google confirms Critical severity and has released a patched version. EPSS data unavailable; not currently listed in CISA KEV. Attack complexity is rated High due to the required user interaction pattern, limiting opportunistic exploitation but enabling targeted attacks via social engineering.
Type confusion in the Qt SVG renderer allows remote denial of service through malicious SVG images. Attackers can craft SVG files with self-referencing marker elements that trigger out-of-bounds heap reads and infinite recursion, crashing applications that parse the SVG. Affects Qt 6.7.0-6.8.7 and 6.9.0-6.11.0. Vendor patch available via code review platform. CVSS 8.7 reflects the network delivery vector with no authentication required, though actual exploitation requires the victim to open or render the crafted SVG file.
Out-of-bounds buffer writes in Linux kernel ALSA USB audio subsystem allow local authenticated attackers to crash the kernel or potentially achieve privilege escalation. The flaw occurs during implicit feedback mode playback when stream configurations mismatch between capture and playback, causing the prepare_silent_urb() function to write beyond allocated buffer boundaries. Affects all Linux kernel versions from initial commit 1da177e4c3f4 through multiple stable branches; vendor patches available for 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploits or active exploitation confirmed.
Local privilege escalation and memory corruption in Linux kernel on Alpha architecture allows authenticated users to execute arbitrary code, corrupt heap memory, or crash systems via insufficient TLB shootdown during memory compaction. The vulnerability affects Alpha systems exclusively and manifests as SIGSEGV crashes, glibc allocator corruption, and compiler failures. EPSS score of 0.02% indicates low likelihood of widespread exploitation, though vendor patches are available across multiple stable kernel branches. Attack requires local authenticated access with low complexity (CVSS AV:L/AC:L/PR:L), limiting remote exploitation scenarios.
In the Linux kernel, the following vulnerability has been resolved: usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()
The ChipIdea UDC driver can encounter "not page aligned sg buffer" errors when a USB device is reconnected after being disconnected during an active transfer. This occurs because _ep_nuke() returns requests to the gadget layer without properly unmapping DMA buffers or cleaning up scatter-gather bounce buffers.
Root cause: When a disconnect happens during a multi-segment DMA transfer, the request's num_mapped_sgs field and sgt.sgl pointer remain set with stale values. The request is returned to the gadget driver with status -ESHUTDOWN but still has active DMA state. If the gadget driver reuses this request on reconnect without reinitializing it, the stale DMA state causes _hardware_enqueue() to skip DMA mapping (seeing non-zero num_mapped_sgs) and attempt to use freed/invalid DMA addresses, leading to alignment errors and potential memory corruption.
The normal completion path via _hardware_dequeue() properly calls usb_gadget_unmap_request_by_dev() and sglist_do_debounce() before returning the request. The _ep_nuke() path must do the same cleanup to ensure requests are returned in a clean, reusable state.
Fix: Add DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror the cleanup sequence in _hardware_dequeue():
- Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set
- Call sglist_do_debounce() with copy=false if bounce buffer exists
This ensures that when requests are returned due to endpoint shutdown, they don't retain stale DMA mappings. The 'false' parameter to sglist_do_debounce() prevents copying data back (appropriate for shutdown path where transfer was aborted).
Out-of-bounds write in Linux kernel vhost_vdpa subsystem allows local authenticated users to achieve arbitrary kernel memory corruption via ASID group assignment. Affects Linux kernel versions 5.19 through 6.19.x, with vendor patches available for stable branches 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. Exploitation requires local access with low privileges but no user interaction (CVSS:3.1/AV:L/AC:L/PR:L/UI:N). EPSS score of 0.02% (5th percentile) indicates low predicted exploitation probability, and no public exploit code or active exploitation confirmed at time of analysis.
Use-after-free and reference count underflow in the Linux kernel's amdgpu DRM driver allows local authenticated users with low privileges to cause kernel panic, denial of service, and potentially execute arbitrary code with kernel privileges. The vulnerability affects amdgpu_gem_va_ioctl handling of GPU timeline fences where stale or freed fences are used due to premature fence selection and improper reference management. Patch available in kernel versions 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit or active exploitation has been identified.
Use-after-free in Linux kernel's Atmel HLCDC DRM driver allows local authenticated users to execute arbitrary code, escalate privileges, or cause denial of service. The atmel_hlcdc_plane_atomic_duplicate_state() function incorrectly copies plane state without properly duplicating the drm_plane_state structure, leaving a stale commit pointer that triggers use-after-free during subsequent drm_atomic_commit() calls. Vulnerability surfaces when reopening the device node while another DRM client remains attached. EPSS score is low (0.02%) and no active exploitation confirmed at time of analysis, but local privilege escalation potential and vendor-released patches across multiple stable kernel branches indicate genuine risk for systems using Atmel HLCDC display hardware.
Use-after-free in Linux kernel farsync driver allows remote code execution when FarSync T-series WAN cards are detached while tasklets remain active. The vulnerability occurs when fst_tx_task or fst_int_task continue executing after fst_card_info is freed in fst_remove_one(), causing the kernel to access deallocated memory. Despite the CVSS 8.8 score with network vector, the EPSS score is extremely low (0.02%, 7th percentile), suggesting minimal real-world exploitation likelihood. No active exploitation confirmed (not in CISA KEV). Patches available across multiple stable kernel versions (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0).
Out-of-bounds memory access in Linux kernel RPS (Receive Packet Steering) subsystem allows remote unauthenticated attackers to trigger kernel crashes or potentially achieve code execution with SYSTEM privileges. The flaw stems from incorrect assumptions about RPS hash table sizing across receive queues, introduced in commit 48aa30443e52. Exploitation requires no authentication (CVSS AV:N/PR:N) but EPSS probability remains low at 0.02% (4th percentile), suggesting limited real-world targeting. Patches available for stable kernel branches 6.18.16, 6.19.6, and 7.0.
Out-of-bounds kernel memory write in Linux kernel's AMD KFD (Kernel Fusion Driver) allows local authenticated attackers with low privileges to escalate to root privileges. The kfd_event_page_set() function performs unchecked memset operations of fixed size (KFD_SIGNAL_EVENT_LIMIT * 8 bytes) regardless of user-supplied buffer size, enabling unprivileged userspace processes to corrupt kernel memory. Patches are available across multiple stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability despite high CVSS severity, likely due to the local attack vector and requirement for systems with AMD GPU hardware running the amdkfd driver.
In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: validate num_ifs to prevent out-of-bounds write
The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports num_ifs >= 64, the loop can write past the array bounds.
Add a bound check for num_ifs in dpaa2_switch_init().
dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all ports match the flood filter, the loop fills all 64 slots and the control interface write overflows by one entry.
The check uses >= because num_ifs == DPSW_MAX_IF is also functionally broken. build_if_id_bitmap() silently drops any ID >= 64: if (id[i] < DPSW_MAX_IF) bmap[id[i] / 64] |= ...
Use-after-free in Linux kernel fore200e ATM driver allows local attackers to achieve high-severity impacts during PCA-200E or SBA-200E adapter removal. When the device is detached, tx_tasklet or rx_tasklet may still be running and access already-freed memory in fore200e_tx_tasklet() or fore200e_rx_tasklet(), potentially leading to code execution, information disclosure, or denial of service. Patches available across stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. Not listed in CISA KEV. Identified through static analysis, suggesting no active in-the-wild exploitation at time of disclosure.
Heap buffer overflow in Linux kernel's IPv6 IOAM (In-situ Operations, Administration, and Maintenance) packet processing allows remote unauthenticated attackers to corrupt kernel memory and trigger system crashes. Attackers send crafted IPv6 packets with inconsistent IOAM trace headers (nodelen=0 with type bits set), causing __ioam6_fill_trace_data() to write ~100 bytes beyond allocated memory into skb_shared_info structures. Despite CVSS 9.8 critical rating, EPSS exploitation probability is low (0.05%, 16th percentile) and no active exploitation or public POC has been identified. Vendor patches available across multiple stable kernel branches (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0).
Out-of-bounds read in Linux kernel EROFS filesystem allows local attackers with user interaction to read kernel memory and cause denial of service via crafted compressed images. The vulnerability stems from incorrect classification of unaligned plain extents, triggering OOB access in z_erofs_transform_plain(). Vendor patches are available across multiple stable kernel branches (6.15, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, with no active exploitation confirmed at time of analysis.
Memory corruption in Linux kernel XFS filesystem allows authenticated users with write access to trigger kernel assertion failures and system shutdowns via crafted extended attribute operations. The vulnerability stems from incorrect freemap adjustment logic when adding xattrs to leaf blocks, which lets the entries array and the free-space map claim overlapping regions of the block; the firstused offset is then corrupted so that the name area begins below the end of the entries array. Vendor-released patches are available across multiple stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). Low EPSS score (0.02%, 7th percentile) and no CISA KEV listing indicate no widespread exploitation observed, though the CVSS 8.8 rating reflects severe impact on availability and potential for data corruption in XFS filesystems.
Buffer overflow in Linux kernel's ARM CMN performance monitoring driver allows local attackers with low privileges to execute arbitrary code and gain elevated access. The perf/arm-cmn driver fails to validate hardware configuration parameters against assumed maximum sizes, enabling memory corruption through crafted CMN device configurations. While EPSS indicates low exploitation probability (0.02%), patches are available across all maintained kernel branches (6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) per vendor advisories. The local attack vector and requirement for low-privileged user access limit remote exploitation scenarios.
In the Linux kernel, the following vulnerability has been resolved: reset: gpio: suppress bind attributes in sysfs This is a special device that's created dynamically and is supposed to stay in memory forever. We also currently don't have a devlink between it and the actual reset consumer. Suppress sysfs bind attributes so that user-space can't unbind the device because - as of now - it will cause a use-after-free splat from any user that puts the reset control handle.
Remote unauthenticated attackers can cause critical out-of-bounds writes in the Linux kernel's Distributed Lock Manager (DLM) subsystem by sending malformed network messages with unvalidated length parameters to dlm_dump_rsb_name(). When the length exceeds DLM_RESNAME_MAXLEN, dlm_search_rsb_tree() writes beyond allocated buffers, enabling arbitrary code execution, denial of service, or information disclosure. Patches available for kernel versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS exploitation probability is very low (0.02%, 5th percentile), and no public exploit or active exploitation has been identified at time of analysis, despite the critical CVSS 9.8 score.
Race condition in Linux kernel HID roccat driver enables local privilege escalation through use-after-free memory corruption. Local authenticated attackers can exploit concurrent access to device reader lists during roccat_report_event() operations, achieving arbitrary code execution with high integrity impact (CVSS 7.8). Vendor-released patches available across multiple kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite moderate severity, suggesting limited weaponization in current threat landscape.
Local privilege escalation in Linux kernel netfilter nfnetlink_queue allows authenticated users with low privileges to execute arbitrary code with high integrity and availability impact via race condition in shared hash table. The vulnerability stems from a use-after-free condition when multiple queues share a global hash table, enabling parallel CPU operations to access freed nf_queue_entry structures. EPSS score is low (0.02%, 5th percentile) indicating minimal observed exploitation activity. Vendor patches available across multiple stable kernel branches (6.12.83, 6.18.24, 6.19.14) with upstream commits confirmed.
Memory corruption in the Linux kernel's AF_ALG crypto subsystem allows local authenticated users to execute arbitrary code or cause denial of service through a page reassignment overflow in af_alg_pull_tsgl. The vulnerability affects multiple stable kernel branches (4.14 through 7.0) and has been patched across all maintained versions. With CVSS 7.8 and low attack complexity (AC:L), this presents a realistic privilege escalation path for local attackers, though EPSS exploitation probability remains low at 0.02% and no public exploit or KEV listing exists at time of analysis.
Use-after-free in Linux kernel's OCFS2 filesystem allows local attackers with user interaction to achieve arbitrary code execution, privilege escalation, or denial of service via crafted filesystem images. Affects kernels since initial OCFS2 implementation (2.6.16+) through 6.19.13. Vendor patches available across all supported stable branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) suggests low probability of mass exploitation, though CVSS 7.8 reflects high impact if triggered. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.
Out-of-bounds write in Linux kernel's ocfs2 filesystem driver allows local attackers with low privileges to achieve arbitrary code execution or system crash via a corrupted ocfs2 filesystem image. Exploitation occurs during copy_file_range operations when the malicious id_count field in the inode block exceeds physical inline data capacity, causing a buffer overflow past the inode block buffer. Vendor patches are available across multiple stable kernel versions (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS exploitation probability is low (0.02%, 5th percentile), and no active exploitation or public POC is currently identified.
Redis server with Lua scripting allows authenticated attackers to trigger a use-after-free on replicas where replica-read-only is disabled, potentially leading to remote code execution. The flaw lies in the master-replica synchronization mechanism and is present in all versions prior to 8.6.3. Vendor-released patch: 8.6.3.
Use-after-free in Redis 7.2.0 through 8.6.2 allows authenticated attackers to achieve remote code execution by exploiting error handling in the unblock client flow. When a blocked client is evicted during command re-execution, the server fails to handle the error return from processCommandAndResetClient, triggering memory corruption. Redis has released version 8.6.3 with a security fix. No public exploit code or CISA KEV listing identified at time of analysis, suggesting limited observed exploitation despite the critical RCE impact.
Use-after-free vulnerability in Qualcomm Snapdragon chipsets enables local privilege escalation to full device compromise. Low-privilege authenticated users can trigger memory corruption during performance counter deselect operations, gaining high-integrity code execution with kernel-level access. Qualcomm has released patches in its May 2026 security bulletin. EPSS data was not yet available at time of analysis; no confirmed active exploitation or public exploit code identified.
Mutt before 2.3.2 mishandles the IMAP GSS security level due to improper integer casting and insufficient bounds checking, allowing remote attackers to trigger memory corruption and information disclosure via a crafted IMAP server response during GSS-API authentication. The vulnerability requires high attack complexity (malicious IMAP server) but affects all versions prior to 2.3.2.
Out-of-bounds write in MediaTek's slbc (secure local buffer component) due to type confusion allows local privilege escalation to full system compromise when an attacker already holds System privilege. The vulnerability requires no user interaction and affects 32 MediaTek chipset models. CISA SSVC framework rates technical impact as total; however, EPSS score of 0.02% suggests limited real-world exploitation despite the CVSS 6.7 (medium) score, likely due to the requirement for pre-existing System privilege.
Stack buffer overflow in GeoVision GV-VMS V20 20.0.2 WebCam Server Login functionality enables remote unauthenticated code execution via crafted HTTP requests. CVSS 9.0 with scope change reflects potential for full system compromise beyond the vulnerable component. High attack complexity (AC:H) suggests exploit requires precise memory manipulation techniques, though no authentication barrier exists. No public exploit identified at time of analysis, and EPSS data unavailable to assess weaponization probability.
Remote code execution in GeoVision GV-VMS V20 20.0.2 allows unauthenticated attackers to execute arbitrary code as SYSTEM via stack overflow in WebCam Server Login functionality. A specially crafted HTTP request with an oversized username or password field (more than 40 characters) triggers an sscanf conversion with no field-width limit, overrunning the fixed stack buffer. CVSS 9.0 with high attack complexity reflects exploitation constraints (no null bytes allowed in payload), though the network vector and absence of authentication make the risk significant. No active exploitation confirmed (not in CISA KEV); EPSS data unavailable for final risk assessment.
Remote unauthenticated code execution in GeoVision GV-VMS V20 WebCam Server allows attackers to execute arbitrary code as SYSTEM via stack buffer overflow. The `gvapi` endpoint bypasses standard authentication and copies base64-decoded HTTP Authorization headers into a 256-byte stack buffer without bounds checking, enabling full stack control. The WebCam Server binary is compiled without ASLR, significantly lowering exploitation complexity. CVSS 10.0 with network vector, no prerequisites, and changed scope reflecting system-level compromise. Publicly disclosed by Cisco Talos and vendor advisory available from GeoVision.
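To make the bug shape in the gvapi entry concrete, here is an added illustration in C, written for this page and not GeoVision's code: an HTTP Basic Authorization header is base64-decoded into a fixed 256-byte stack buffer with no length check, beside a bounded version that rejects payloads that do not fit. The decoder, the handler names, the header strings and the user:password split are constructed for the example; only the 256-byte buffer size comes from the entry above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CRED_BUF_SIZE 256   /* the fixed stack buffer size named in the entry */

/* Decode base64 text into out (out_cap bytes). Returns bytes written, or -1 on
 * a non-alphabet character or when the next byte would not fit. '=' ends input. */
static int b64_decode(const char *in, size_t in_len, unsigned char *out, size_t out_cap)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;

    for (size_t i = 0; i < in_len; i++) {
        char c = in[i];
        if (c == '=')
            break;
        const char *p = c ? strchr(tbl, c) : NULL;
        if (!p)
            return -1;                     /* not in the base64 alphabet */
        acc = (acc << 6) | (uint32_t)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= out_cap)
                return -1;                 /* the check the vulnerable path lacks */
            out[n++] = (unsigned char)((acc >> bits) & 0xffu);
        }
    }
    return (int)n;
}

/* Vulnerable shape, shown for contrast and never called on untrusted input:
 * the decoder is told the destination is unbounded, so a header whose payload
 * decodes to more than 256 bytes runs straight past cred[] on the stack. */
int handle_auth_unbounded(const char *header)
{
    unsigned char cred[CRED_BUF_SIZE];
    if (strncmp(header, "Basic ", 6) != 0)
        return -1;
    const char *payload = header + 6;
    return b64_decode(payload, strlen(payload), cred, (size_t)-1);   /* BUG */
}

/* Hardened shape: decode against the real capacity, reject what does not fit,
 * keep a byte for the NUL, then split user:password. Returns the user length. */
static int handle_auth_bounded(const char *header, char *user, size_t user_cap)
{
    unsigned char cred[CRED_BUF_SIZE];
    if (strncmp(header, "Basic ", 6) != 0)
        return -1;
    const char *payload = header + 6;
    int n = b64_decode(payload, strlen(payload), cred, sizeof(cred) - 1);
    if (n < 0)
        return -1;                         /* malformed or oversized: reject */
    cred[n] = '\0';
    const unsigned char *colon = memchr(cred, ':', (size_t)n);
    if (!colon)
        return -1;
    size_t ulen = (size_t)(colon - cred);
    if (ulen >= user_cap)
        return -1;
    memcpy(user, cred, ulen);
    user[ulen] = '\0';
    return (int)ulen;
}

/* Helper for exercising the bounded path on a literal header. */
static const char *user_from_header(const char *header)
{
    static char user[64];
    return handle_auth_bounded(header, user, sizeof(user)) < 0 ? NULL : user;
}

/* Constructed oversized header: payload_chars base64 'A's decode to
 * 3 * payload_chars / 4 zero bytes, far more than cred[] can hold. */
static int oversized_header_result(size_t payload_chars)
{
    static char header[6 + 1024 + 1];
    char user[64];
    if (payload_chars > 1024)
        return -2;
    memcpy(header, "Basic ", 6);
    memset(header + 6, 'A', payload_chars);
    header[6 + payload_chars] = '\0';
    return handle_auth_bounded(header, user, sizeof(user));
}
```

The point of the bounded version is that the decoder, not the caller, owns the capacity check: the caller cannot forget it, and the "does the decoded length fit" question is answered before a single byte is written. A 400-character payload decodes to 300 bytes and is refused at byte 255; the unbounded variant would have written the remaining 45 bytes over whatever sits above cred[] on the stack.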
Use-after-free in Imagination Graphics DDK GPU GLES user-space library allows authenticated remote attackers to crash the GPU render process via crafted WebGPU content. CVSS 8.1 (High) with network vector and low complexity. On platforms where the GPU process runs with elevated system privileges, successful exploitation could enable system-level compromise beyond the initial crash. EPSS and KEV data not provided; SSVC framework indicates no confirmed exploitation, non-automatable attack, but total technical impact. Vendor patches available across affected DDK versions 1.18, 23.2, 24.1-24.2, and 25.1-25.3.
Remote authenticated attackers can execute code or cause persistent denial-of-service in Imagination Technologies Graphics DDK by triggering a use-after-free in the GPU GLES render process via specially crafted WebGPU content. On platforms where the GPU driver runs with elevated system privileges, successful exploitation enables device-level compromise beyond the browser sandbox. EPSS data not available, no CISA KEV listing identified, no public POC confirmed. SSVC framework indicates no active exploitation and non-automatable attack requiring authenticated interaction.
Heap-based buffer overflow in hashcat 7.1.2 enables remote code execution or denial of service through maliciously crafted PKZIP hash files. Attackers can exploit inadequate input validation in the hex_to_binary function affecting PKZIP hash parser modules (17200, 17210, 17220, 17225, 17230) to overflow fixed-size buffers with arbitrary hex data. CVSS 9.8 reflects network-accessible attack vector requiring no authentication or user interaction, though real-world exploitation requires victim to process attacker-supplied hash files. EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation. Public proof-of-concept exists (GitHub Gist), elevating exploitation risk for environments processing untrusted hash files.
Heap-based buffer overflow in hashcat 7.1.2's Kerberos hash parser enables remote code execution without authentication. Attacker supplies a maliciously crafted Kerberos hash file with manipulated delimiter positions to overflow the fixed-size account_info buffer during memcpy operations in module_hash_decode. The vulnerability affects multiple Kerberos-related hashcat modules due to missing upper-bound validation on account_info_len before memory copy. CVSS 9.8 with network attack vector, but real-world exploitation requires user processing the malicious file. EPSS data not available; no active exploitation confirmed in CISA KEV at time of analysis.
Stack-based buffer overflow in hashcat 7.1.2's rule processing functions enables remote code execution when processing password candidates of 128+ characters. The vulnerability stems from inadequate bounds checking in mangle_to_hex_lower() and mangle_to_hex_upper() functions that fail to account for 2x memory expansion during byte-to-hex conversion. CVSS 9.8 (critical) with network attack vector and no authentication required. Public proof-of-concept code available via GitHub gist. No CISA KEV listing suggests targeted rather than widespread exploitation despite theoretical network exploitability.
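An added illustration (not hashcat's code) of the two bug shapes in the three hashcat entries: a field length derived from delimiter positions that is copied into a fixed buffer with no upper bound, as in the Kerberos account_info case, and a byte-to-hex rule whose output is twice the input, as in the mangle_to_hex_* case. The '$'-delimited line layout, the buffer sizes ACCOUNT_INFO_MAX and RULE_BUF_MAX and all function names are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

#define ACCOUNT_INFO_MAX 64    /* assumed size of the fixed account_info field */
#define RULE_BUF_MAX     256   /* assumed size of the rule engine's working buffer */

/* Locate field `index` (0-based) of a '$'-delimited hash line. Returns 0 and
 * sets *start/*len, or -1 if the line has fewer fields than that. */
static int find_field(const char *line, int index, const char **start, size_t *len)
{
    const char *p = line;
    for (int i = 0; i < index; i++) {
        p = strchr(p, '$');
        if (!p)
            return -1;
        p++;
    }
    const char *end = strchr(p, '$');
    *start = p;
    *len = end ? (size_t)(end - p) : strlen(p);
    return 0;
}

/* Vulnerable shape, shown for contrast and never called on untrusted input:
 * the delimiter-derived length goes straight into memcpy, so a field longer
 * than ACCOUNT_INFO_MAX overruns the caller's buffer. */
int field_copy_unbounded(const char *line, int index, char *account_info)
{
    const char *s;
    size_t len;
    if (find_field(line, index, &s, &len) < 0)
        return -1;
    memcpy(account_info, s, len);          /* BUG: no upper bound on len */
    account_info[len] = '\0';
    return (int)len;
}

/* Hardened shape: compare the derived length with the real capacity first,
 * leaving room for the terminator. */
static int field_copy_bounded(const char *line, int index, char *out, size_t cap)
{
    const char *s;
    size_t len;
    if (find_field(line, index, &s, &len) < 0)
        return -1;
    if (len >= cap)
        return -1;                         /* the missing upper-bound check */
    memcpy(out, s, len);
    out[len] = '\0';
    return (int)len;
}

/* Byte-to-hex expansion: every input byte becomes two output characters, so
 * the capacity check is against 2 * in_len, written as in_len > out_cap / 2 so
 * it cannot itself overflow. Returns characters written or -1 if it won't fit. */
static int to_hex_lower(const unsigned char *in, size_t in_len, char *out, size_t out_cap)
{
    static const char digits[] = "0123456789abcdef";
    if (in_len > out_cap / 2)
        return -1;
    for (size_t i = 0; i < in_len; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    return (int)(2 * in_len);
}

/* Helpers for exercising the bounded paths on constructed input. */
static const char *field(const char *line, int index)
{
    static char account_info[ACCOUNT_INFO_MAX];
    return field_copy_bounded(line, index, account_info, sizeof(account_info)) < 0
           ? NULL : account_info;
}

static int long_field_result(size_t field_chars)
{
    static char line[12 + 512 + 4];
    char account_info[ACCOUNT_INFO_MAX];
    if (field_chars > 512)
        return -2;
    memcpy(line, "$krb5tgs$23$", 12);      /* constructed prefix, three delimiters */
    memset(line + 12, 'a', field_chars);   /* field 3: attacker-chosen length */
    memcpy(line + 12 + field_chars, "$ff", 4);
    return field_copy_bounded(line, 3, account_info, sizeof(account_info));
}

static const char *hex_of(const char *ascii)
{
    static char out[RULE_BUF_MAX + 1];
    int n = to_hex_lower((const unsigned char *)ascii, strlen(ascii), out, RULE_BUF_MAX);
    if (n < 0)
        return NULL;
    out[n] = '\0';
    return out;
}

static int hex_expansion_result(size_t in_len)
{
    static unsigned char candidate[512];
    char rule_buf[RULE_BUF_MAX];
    if (in_len > sizeof(candidate))
        return -2;
    return to_hex_lower(candidate, in_len, rule_buf, sizeof(rule_buf));
}
```

Both checks are one comparison, and both are easy to omit when the length "obviously" came from the file format: a delimiter position is still attacker data, and a rule that doubles its input needs half the buffer as its input limit, not the whole of it.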
Use-after-free in Linux kernel ksmbd (SMB server) during durable file handle scavenging allows memory corruption and potential remote code execution. When a durable SMB2 file handle survives a session disconnect, the lock-cleanup path dereferences the already-freed connection object (fp->conn is NULL at that point), causing a slab use-after-free. Exploitation probability is extremely low (EPSS 0.02%, 5th percentile) with no active exploitation confirmed. Vendor patches available across multiple stable kernel branches (6.12.84, 6.18.25, 7.0.2, 7.1-rc1) address the asymmetric cleanup by properly managing byte-range lock lifetimes during durable handle reconnection.
Integer underflow in Linux kernel NTFS3 driver during journal replay allows local attackers to trigger massive out-of-bounds memory copies into a 4KB buffer when processing corrupted filesystems. The check_file_record() function fails to validate rec->used field before using it in memmove() length calculations across DeleteAttribute, CreateAttribute, and change_attr_size handlers, enabling slab-out-of-bounds writes. No public exploit identified at time of analysis. EPSS score of 0.02% (5th percentile) indicates low exploitation probability. Vendor-released patches available across kernel versions 6.6.136, 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1.
Use-after-free in Linux kernel F2FS filesystem allows local authenticated attackers to trigger kernel panic or potentially achieve code execution. The vulnerability (CWE-416) occurs during concurrent write callback and unmount operations when f2fs_write_end_io() decrements page count before checking node inode validity, leading to NULL pointer dereference. Discovered via xfstests generic/107 and syzbot fuzzing. EPSS exploitation probability is low (0.02%, 4th percentile), no active exploitation confirmed. Vendor patches available across stable kernel branches 6.18.25, 7.0.2, and 7.1-rc1.
Out-of-bounds read in Linux kernel ksmbd allows authenticated SMB clients to trigger memory corruption by crafting malicious DACL ACEs with undersized headers. Attackers with permission to set ACLs on files can cause kernel KASAN reports and state corruption when subsequent CREATE operations walk the stored DACL via smb_check_perm_dacl(). Vendor patches available for kernel versions 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1. EPSS score of 0.02% (5th percentile) indicates low likelihood of mass exploitation despite network attack vector, consistent with the requirement for authenticated access and specific file permission prerequisites.
Integer overflow in Linux kernel's ksmbd (SMB server) allows local authenticated attackers to bypass size validation and trigger memory corruption via crafted daemon responses. The vulnerability affects three IPC message handlers that fail to detect arithmetic overflow when computing expected message sizes from attacker-controlled fields (payload_sz, ngroups), enabling out-of-bounds memcpy operations. Vendor patches available for affected 5.15+ kernels. EPSS score 0.02% (5th percentile) indicates low observed exploitation probability. No CISA KEV listing or public exploit identified at time of analysis.
Out-of-bounds write in Linux kernel's ksmbd SMB server allows memory corruption when processing extended attributes (EA) in QUERY_INFO responses. The smb2_get_ea() function performs 4-byte alignment padding without checking remaining buffer space, causing 1-3 bytes to write past allocation boundaries when EA values exactly fill the response buffer. This occurs in compound SMB2 requests where shared response buffers are tightly constrained. EPSS score of 0.02% suggests minimal observed exploitation activity, though the CVSS 9.8 critical rating reflects the theoretical network-accessible, unauthenticated attack surface. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.84, 7.0.2, 7.1-rc1). Not listed in CISA KEV. This represents the third instance of the same vulnerability pattern in ksmbd QUERY_INFO handlers, following fixes in commits beef2634f81f and fda9522ed6af.
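The two ksmbd entries above share a size-arithmetic bug shape; the added C example below, which is not ksmbd's code, shows both: an expected message size computed from peer-supplied counts (ngroups, payload_sz) that wraps around so the length check passes, beside overflow-checked arithmetic (the GCC/Clang __builtin_*_overflow intrinsics stand in for the kernel's check_mul_overflow()/check_add_overflow()), and a 4-byte alignment pad written after a fit check that ignored it, beside a version that checks the padded length. The struct layout, buffer sizes and function names are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed IPC header: ngroups 32-bit gids and then payload_sz opaque
 * bytes follow it; both counts are supplied by the peer. */
struct ipc_msg {
    uint32_t ngroups;
    uint32_t payload_sz;
};

/* Vulnerable shape: plain arithmetic in the header's 32-bit width.
 * ngroups = 0x40000000 makes ngroups * 4 wrap to 0, so an 8-byte message
 * "matches" and the gid copy that follows runs for 4 GiB. */
uint32_t ipc_expected_size_wrapping(uint32_t ngroups, uint32_t payload_sz)
{
    return (uint32_t)sizeof(struct ipc_msg) + ngroups * 4u + payload_sz;   /* BUG */
}

/* Hardened shape: every step is overflow-checked; any wrap rejects. */
static int ipc_expected_size_checked(uint32_t ngroups, uint32_t payload_sz, uint32_t *expected)
{
    uint32_t gids, total;
    if (__builtin_mul_overflow(ngroups, 4u, &gids))
        return -1;
    if (__builtin_add_overflow((uint32_t)sizeof(struct ipc_msg), gids, &total))
        return -1;
    if (__builtin_add_overflow(total, payload_sz, &total))
        return -1;
    *expected = total;
    return 0;
}

/* Accept a message only when its header-derived size equals msg_len. */
static int ipc_validate(const unsigned char *buf, size_t msg_len)
{
    struct ipc_msg hdr;
    uint32_t expected;
    if (msg_len < sizeof(hdr))
        return -1;
    memcpy(&hdr, buf, sizeof(hdr));
    if (ipc_expected_size_checked(hdr.ngroups, hdr.payload_sz, &expected) < 0)
        return -1;
    return expected == msg_len ? 0 : -1;
}

/* Vulnerable shape, never called here: the fit check covers the unpadded
 * entry, then the pad is written anyway, so an entry that exactly fills resp
 * puts 1..3 zero bytes past the end. */
int ea_append_unchecked_pad(unsigned char *resp, size_t resp_cap, size_t *off,
                            const char *name, const unsigned char *value, size_t value_len)
{
    size_t name_len = strlen(name);
    size_t entry = name_len + 1 + value_len;            /* name, NUL, value */
    size_t padded = (entry + 3) & ~(size_t)3;
    if (entry > resp_cap - *off)
        return -1;                                       /* BUG: entry, not padded */
    memcpy(resp + *off, name, name_len + 1);
    memcpy(resp + *off + name_len + 1, value, value_len);
    memset(resp + *off + entry, 0, padded - entry);     /* may land past resp_cap */
    *off += padded;
    return 0;
}

/* Hardened shape: the padded length is what has to fit. */
static int ea_append(unsigned char *resp, size_t resp_cap, size_t *off,
                     const char *name, const unsigned char *value, size_t value_len)
{
    size_t name_len = strlen(name);
    size_t entry = name_len + 1 + value_len;
    size_t padded = (entry + 3) & ~(size_t)3;
    if (*off > resp_cap || padded > resp_cap - *off)
        return -1;
    memcpy(resp + *off, name, name_len + 1);
    memcpy(resp + *off + name_len + 1, value, value_len);
    memset(resp + *off + entry, 0, padded - entry);
    *off += padded;
    return 0;
}

/* Helpers with constructed messages. */
static int validate_msg(uint32_t ngroups, uint32_t payload_sz, size_t msg_len)
{
    unsigned char buf[64] = {0};
    struct ipc_msg hdr = { ngroups, payload_sz };
    if (msg_len > sizeof(buf))
        return -2;
    memcpy(buf, &hdr, sizeof(hdr));
    return ipc_validate(buf, msg_len);
}

/* Two EAs ("a" + 3 bytes, "b" + 3 bytes; each 5 bytes, padded to 8) into a
 * resp_cap-byte response; returns the result of the second append. */
static int two_eas_result(size_t resp_cap)
{
    unsigned char resp[64];
    static const unsigned char v[3] = { 1, 2, 3 };
    size_t off = 0;
    if (resp_cap > sizeof(resp))
        return -2;
    if (ea_append(resp, resp_cap, &off, "a", v, sizeof(v)) < 0)
        return -3;
    return ea_append(resp, resp_cap, &off, "b", v, sizeof(v));
}
```

With a 14-byte response buffer the second EA (5 bytes of content, 6 bytes free) passes the unpadded check and the pad then writes 2 bytes past the end; checking the padded length refuses it. The message check has the same lesson in a different guise: the comparison with the real length is only meaningful if the expected length was computed without wrapping.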
Use-after-free condition in Linux kernel writeback subsystem allows local authenticated attackers to potentially execute arbitrary code, escalate privileges, or trigger kernel crashes. The vulnerability affects Linux kernel versions 6.18.x through 7.1-rc1 and arises from improper synchronization between work queue processing and memory deallocation in inode_switch_wbs_work_fn(). Vendor patches are available across stable kernel branches (6.18.25, 7.0.2, 7.1-rc1) with low EPSS score (0.02%) indicating minimal observed exploitation activity, though the CVSS 7.8 score reflects significant impact if successfully exploited by authenticated local users.
Use-after-free in Linux kernel f2fs compressed writeback allows local authenticated users to trigger memory corruption, potentially executing arbitrary code or causing system crashes. Affects f2fs-compressed filesystems in Linux kernel 5.6 through 7.1-rc2, with patches available in 6.6.136, 6.12.84, 7.0.2, and 7.1-rc1. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite CVSS 7.8 rating. This mirrors CVE-2026-23234's race condition pattern but in the compression code path that was missed by the earlier fix. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.
Buffer over-read in Linux kernel's AMD CCP (Cryptographic Coprocessor) driver leaks kernel memory to userspace when retrieving a PEK CSR (Platform Endorsement Key Certificate Signing Request). Affecting Linux kernel 4.16 through 7.0.x, the flaw allows local authenticated users to read kernel memory beyond the allocated buffer because of improper error handling when the firmware reports an invalid required buffer length. Patches available across stable branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1). EPSS score of 0.02% indicates minimal observed exploitation probability, though the CVSS 7.1 reflects significant confidentiality impact. No CISA KEV listing or public exploit identified at time of analysis.
Information disclosure in Linux kernel's AMD Cryptographic Coprocessor (CCP) driver allows local authenticated attackers to leak kernel memory to userspace via out-of-bounds read. When retrieving PDH certificates through SEV ioctl, the driver incorrectly copies data to userspace even after firmware command failures, potentially reading 2084+ bytes beyond allocated buffer boundaries. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation probability. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1) per upstream commits.
Buffer over-read in Linux kernel CCP SEV driver allows local authenticated users to leak kernel memory to userspace. When the PSP firmware command to retrieve the SEV CPU ID fails because the supplied buffer is too small, the driver copies data beyond the allocated kernel buffer boundary anyway, exposing up to 64 bytes of kernel memory. Exploitation requires local access with low privileges (CVSS PR:L) to invoke the SEV ioctl interface. EPSS score is very low (0.02%, 5th percentile), indicating minimal real-world exploitation observed. No public exploit identified at time of analysis, though the KASAN stack trace in the CVE description shows the exact trigger path. Patches available across multiple stable kernel branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1).
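An added illustration (not the ccp driver's code) of the over-read shape shared by the three CCP/SEV entries above: firmware reports that the caller's buffer is too small and fails the command, but the driver still copies the firmware-reported length out of a smaller kernel buffer, disclosing whatever follows it. The firmware stub fw_get_blob(), the struct layout and the buffer sizes are constructed for the example; the real driver copies to userspace with copy_to_user(), which a plain memcpy stands in for here. The 2084-byte required length is taken from the PDH entry above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>

#define KBUF_LEN 64        /* assumed size of the driver's kernel-side buffer */

/* Constructed firmware request: len is the buffer size on input and, on
 * output, the length the firmware wrote or the length it requires. */
struct fw_req {
    unsigned char *buf;
    uint32_t len;
};

/* Constructed firmware stub: if the buffer is big enough, fill it with a
 * recognizable pattern and succeed; otherwise report the required length,
 * write nothing and fail. */
static int fw_get_blob(struct fw_req *req, size_t needed)
{
    if (req->len < needed) {
        req->len = (uint32_t)needed;
        return -ENOSPC;
    }
    memset(req->buf, 0xAB, needed);
    req->len = (uint32_t)needed;
    return 0;
}

/* Vulnerable shape, shown for contrast and never called here: req.len has been
 * overwritten with the required size, and the copy-out uses it whether or not
 * the command succeeded, so bytes past kbuf[] (stack memory here, slab memory
 * in the driver) are disclosed to the caller. */
int get_blob_leaky(unsigned char *user, size_t user_cap, size_t needed, uint32_t *out_len)
{
    unsigned char kbuf[KBUF_LEN];
    struct fw_req req = { kbuf, sizeof(kbuf) };
    int rc = fw_get_blob(&req, needed);
    if (req.len <= user_cap)
        memcpy(user, kbuf, req.len);       /* BUG: req.len may exceed sizeof(kbuf) */
    *out_len = req.len;
    return rc;
}

/* Hardened shape: report the required length so the caller can retry, but
 * copy data only on success and never more than the buffer we actually own. */
static int get_blob_safe(unsigned char *user, size_t user_cap, size_t needed, uint32_t *out_len)
{
    unsigned char kbuf[KBUF_LEN];
    struct fw_req req = { kbuf, sizeof(kbuf) };
    int rc = fw_get_blob(&req, needed);
    *out_len = req.len;
    if (rc)
        return rc;                         /* no copy on failure */
    if (req.len > sizeof(kbuf) || req.len > user_cap)
        return -EINVAL;                    /* firmware claims more than we hold */
    memcpy(user, kbuf, req.len);
    return 0;
}

/* Helpers: how many pattern bytes reached the caller, the return code, and
 * the length reported back, for a given firmware requirement. */
static int safe_bytes_copied(size_t needed)
{
    unsigned char user[KBUF_LEN];
    uint32_t len = 0;
    int count = 0;
    memset(user, 0, sizeof(user));
    get_blob_safe(user, sizeof(user), needed, &len);
    for (size_t i = 0; i < sizeof(user); i++)
        count += (user[i] == 0xAB);
    return count;
}

static int safe_rc(size_t needed)
{
    unsigned char user[KBUF_LEN];
    uint32_t len = 0;
    return get_blob_safe(user, sizeof(user), needed, &len);
}

static uint32_t safe_reported_len(size_t needed)
{
    unsigned char user[KBUF_LEN];
    uint32_t len = 0;
    get_blob_safe(user, sizeof(user), needed, &len);
    return len;
}
```

The two rules the hardened version follows are the ones all three CCP entries turn on: a length that came back from firmware is an output to report, not a trusted size for a copy, and an error return means no data movement at all.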
Buffer overflow in Linux kernel rxrpc subsystem allows local authenticated users to trigger memory corruption via malformed key payloads. The non-XDR parsing path in rxrpc_preparse() fails to validate ticket length against AFSTOKEN_RK_TIX_MAX, enabling unprivileged users to supply oversized tickets that cause WARN_ON() triggers and potential memory corruption when keys are read. Vendor patches available for kernel versions 6.6.136, 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1. EPSS score of 0.02% indicates low observed exploitation probability, with no public exploit identified at time of analysis.
Use-after-free in Linux kernel virt_wifi driver allows local authenticated users to trigger memory corruption during ethtool operations on virtual WiFi devices being unregistered. The vulnerability stems from improper device parent reference handling via SET_NETDEV_DEV, where ethnl_ops_begin() calls pm_runtime_get_sync() on already-freed memory when a virt_wifi device unregisters concurrently with ethtool operations. Patches are available across multiple stable kernel branches (5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploit identified at time of analysis, though CVSS 7.8 reflects potential for complete system compromise if successfully triggered.
Use-after-free in Linux kernel's MANA network driver allows local authenticated attackers to corrupt memory and potentially execute code with kernel privileges. The flaw occurs when auxiliary_device_add() fails in add_adev(), triggering cleanup that frees memory still referenced by subsequent error-handling code. Patches available across stable kernel branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. No CISA KEV listing or public exploit identified at time of analysis.
Race condition in Linux kernel ATM LEC driver allows local attackers with low privileges to trigger use-after-free memory corruption in sock_def_readable(), potentially achieving arbitrary code execution, privilege escalation, or denial of service. The flaw affects systems using ATM (Asynchronous Transfer Mode) LAN Emulation Client functionality, present since Linux kernel version 2.4 (commit 1da177e4c3f4). EPSS score of 0.02% (7th percentile) suggests low probability of mass exploitation. Vendor patches available across all maintained stable branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). Not listed in CISA KEV; no public exploit code identified at time of analysis.
Use-after-free in Linux kernel HID subsystem allows local attackers with low privileges to achieve arbitrary code execution, privilege escalation, or denial of service when force feedback initialization fails on Logitech G920 racing wheels. The vulnerability occurs when userspace continues accessing freed memory structures (sysfs and /dev/input) after initialization errors. Vendor patches available across multiple stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates very low probability of mass exploitation, consistent with hardware-specific local attack surface requiring physical device presence.
Out-of-bounds memory writes in Linux kernel HID multitouch driver allow local authenticated users to achieve code execution or crash systems via malicious USB/HID devices. The vulnerability exists in the HID multitouch report parsing logic where mismatched report IDs in feature requests can confuse the HID core. Vendor-released patches are available across multiple kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score is low (0.02%, 7th percentile), indicating minimal observed exploitation attempts. No public exploit code identified at time of analysis.
A stack-based buffer overflow in the Linux kernel's IPv6-to-IPv4 tunneling (ip6_tunnel) code allows remote unauthenticated attackers to achieve arbitrary code execution. The vulnerability occurs when ip4ip6_err() passes a cloned skb with IPv6-formatted control buffer data to icmp_send(), which misinterprets it as IPv4 control buffer data. This type confusion causes __ip_options_echo() to read attacker-controlled packet data as a length value and copy up to that many bytes into a fixed 40-byte stack buffer, enabling remote exploitation with no prerequisites. EPSS score of 0.02% suggests limited exploitation probability despite critical CVSS 9.8 rating. Vendor-released patches are available across all maintained kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0).
Use-after-free in Linux kernel netfilter subsystem allows local authenticated attackers to corrupt memory and potentially execute arbitrary code with kernel privileges. The vulnerability occurs when unregistering connection tracking helpers - expectations referencing the helper survive cleanup and later dereference the freed helper object during expectation dumps or new connection establishment. Vendor-released patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% indicates low observed exploitation probability; no active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.
Stack buffer overflow in Linux kernel Bluetooth MGMT subsystem allows local authenticated attackers to execute arbitrary code with elevated privileges. The vulnerability stems from insufficient validation of the encryption key size (enc_size) parameter when loading Long Term Keys (LTKs) via the Bluetooth management interface. When processing LE LTK requests, the kernel uses the attacker-controlled enc_size as a length for operations on a fixed 16-byte stack buffer, so oversized values corrupt the stack. Vendor-released patches are available across all active kernel branches. EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploit has been identified at time of analysis, though the attack complexity is low once local authenticated access is obtained.
Use-after-free in Linux kernel Bluetooth subsystem allows local authenticated attackers to achieve arbitrary code execution with high privileges. The vulnerability exists in set_cig_params_sync where hci_conn objects can be freed or modified concurrently during lookup and field access due to inadequate locking. Vendor patches are available across multiple stable kernel branches (6.6, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% indicates low observed exploitation probability, no CISA KEV listing, and no public exploit identified at time of analysis.
Use-after-free in Linux Kernel Bluetooth stack allows adjacent network attackers to execute arbitrary code, escalate privileges, or cause denial of service without authentication. The vulnerability exists in hci_le_remote_conn_param_req_evt where hci_conn lookup and field access occurs outside the hdev lock protection, enabling concurrent memory corruption. Patches are available across multiple stable kernel branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0). EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.
Use-after-free in Linux kernel's BPF sockmap implementation allows local authenticated attackers to corrupt memory and potentially execute arbitrary code with kernel privileges. The vulnerability occurs in sk_psock_verdict_data_ready() when handling AF_UNIX sockets, where sk->sk_socket can be accessed after being freed following sock_orphan(). This affects Linux kernel versions 5.15 through 6.19.12, with patches available for stable branches 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% indicates very low observed exploitation probability in the wild, and no active exploitation or public exploit code has been identified at time of analysis.
Use-after-free in Linux kernel macb driver allows local authenticated attackers to cause denial of service or potentially escalate privileges during module removal. The vulnerability occurs in the PCI glue driver when platform_device_unregister() triggers a runtime resume callback that attempts to access already-freed clock structures. EPSS score is low (0.02%) with no evidence of active exploitation. Vendor patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0).