Memory Corruption
Memory corruption occurs when a program writes data beyond the boundaries of allocated memory regions or accesses memory in unintended ways, violating the integrity of the process's address space.
How It Works
Attackers exploit these flaws by crafting inputs that trigger the corruption, overwriting critical data structures such as function pointers, return addresses, or object metadata. When the corrupted memory is later used, the program executes attacker-controlled code or leaks sensitive information.
Several common variants exist with distinct mechanisms. Buffer overflows write past array boundaries, overwriting adjacent memory. Use-after-free bugs occur when code accesses memory after it has been deallocated, allowing attackers to reallocate that space with data they control. Type confusion tricks a program into treating an object as a different type, so field accesses land at incorrect offsets and can leak data or enable writes to arbitrary locations. Double-free vulnerabilities free the same memory twice, corrupting the heap allocator's metadata, which can yield an arbitrary write when the corrupted allocator is used again.
The typical attack flow involves reconnaissance to identify the corruption primitive, heap manipulation to position target structures in predictable locations, triggering the vulnerability to corrupt specific memory, and finally leveraging the corruption to hijack control flow or extract data. Modern exploits often chain multiple primitives together, using information leaks to defeat ASLR before achieving code execution.
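The buffer-overflow variant almost always reduces to one defect: a length field that comes from the input is used to size a copy without being checked against the destination and against the bytes actually received. The following C program is an added illustration, not code from this page or from any of the projects it mentions; the wire format (a 4-byte little-endian length, 4 reserved bytes, then the payload), the `struct record` destination and the `build_record` helper are constructed for the demo. The unchecked parser is shown only for contrast; the checked parser is the pattern to copy, and the same discipline applies to the length-prefixed firmware loaders and fixed-size stack copies described in the CVE entries further down this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format (not from any real driver or protocol):
 * 4-byte little-endian payload length, 4 reserved bytes, then payload. */
#define HDR_SIZE    8u
#define PAYLOAD_MAX 32u

struct record {
    uint8_t payload[PAYLOAD_MAX];   /* fixed-size destination object */
    size_t  len;
};

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable form: trusts the input-supplied length. A value above
 * PAYLOAD_MAX overruns out->payload (stack or heap overflow depending on
 * where 'out' lives); a value above the received size over-reads 'buf'.
 * Kept here only for contrast; never call it on untrusted input. */
int parse_record_unchecked(const uint8_t *buf, size_t buflen,
                           struct record *out)
{
    (void)buflen;                        /* never consulted: the defect */
    uint32_t len = read_le32(buf);
    memcpy(out->payload, buf + HDR_SIZE, len);
    out->len = len;
    return 0;
}

/* Hardened form: the copy is bounded by the destination size and by the
 * bytes actually received, using arithmetic that cannot wrap. */
int parse_record_checked(const uint8_t *buf, size_t buflen,
                         struct record *out)
{
    if (buf == NULL || out == NULL)
        return -1;
    if (buflen < HDR_SIZE)               /* header must be fully present */
        return -1;

    uint32_t len = read_le32(buf);       /* kept in a wide type: no u8 wrap */

    if (len > PAYLOAD_MAX)               /* destination bound */
        return -1;
    if (len > buflen - HDR_SIZE)         /* source bound; the subtraction is
                                            safe because buflen >= HDR_SIZE */
        return -1;

    memcpy(out->payload, buf + HDR_SIZE, len);
    out->len = len;
    return 0;
}

/* Test helper (constructed): write a record whose header claims
 * 'claimed' bytes while only 'body' payload bytes really follow.
 * Returns the number of bytes produced, 0 if 'dst' is too small. */
size_t build_record(uint8_t *dst, size_t dstlen, uint32_t claimed, size_t body)
{
    if (dstlen < HDR_SIZE + body)
        return 0;
    memset(dst, 0, dstlen);
    dst[0] = (uint8_t)claimed;         dst[1] = (uint8_t)(claimed >> 8);
    dst[2] = (uint8_t)(claimed >> 16); dst[3] = (uint8_t)(claimed >> 24);
    for (size_t i = 0; i < body; i++)
        dst[HDR_SIZE + i] = (uint8_t)('A' + i % 26);
    return HDR_SIZE + body;
}

/* Run the checked parser on a constructed record; returns the accepted
 * payload length, or -1 when the parser rejects the input. */
int scenario(uint32_t claimed, size_t body)
{
    uint8_t wire[64];
    struct record rec;
    size_t n = build_record(wire, sizeof wire, claimed, body);
    if (parse_record_checked(wire, n, &rec) != 0)
        return -1;
    return (int)rec.len;
}

int main(void)
{
    uint8_t wire[64];
    struct record rec;
    size_t n = build_record(wire, sizeof wire, 16, 16);
    parse_record_unchecked(wire, n, &rec);      /* fine on benign input only */
    printf("benign (unchecked): len=%zu\n", rec.len);
    printf("benign:    %d\n", scenario(16, 16));   /* 16 */
    printf("oversized: %d\n", scenario(4096, 16)); /* -1: exceeds destination */
    printf("truncated: %d\n", scenario(16, 8));    /* -1: exceeds received bytes */
    return 0;
}
```

Both rejections matter: the first protects the destination object (the overflow), the second protects the source buffer (the over-read that Heartbleed-style bugs turn into disclosure). Keeping the length in `uint32_t`/`size_t` rather than a narrow type also avoids the silent wrap that turns a large length into a small allocation.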
Impact
- Arbitrary code execution: Execute attacker-supplied machine code or reuse existing code (ROP/JOP) with full privileges of the vulnerable process
- Privilege escalation: Exploit kernel memory corruption to escalate from user to root/SYSTEM privileges
- Information disclosure: Leak cryptographic keys, passwords, authentication tokens, or bypass ASLR by reading memory layout
- Denial of service: Crash critical services by corrupting essential data structures
- Sandbox escape: Break out of browser or application isolation boundaries to compromise the host system
Real-World Examples
The Chrome V8 JavaScript engine has suffered numerous type confusion vulnerabilities where JavaScript objects are mishandled, allowing attackers to achieve browser compromise through malicious websites. CVE-2021-30551 exemplified this, enabling remote code execution via crafted web content.
Windows kernel vulnerabilities like CVE-2020-17087 demonstrated use-after-free exploitation, where local attackers triggered memory reuse in the kernel to escalate privileges to SYSTEM. This was actively exploited in targeted attacks before patching.
The Heartbleed vulnerability (CVE-2014-0160) in OpenSSL showed devastating information disclosure through a buffer over-read, leaking 64KB chunks of server memory containing private keys, passwords, and session tokens across millions of servers.
Mitigation
- Memory-safe languages: Use Rust, Go, or Swift for new code to eliminate entire classes of corruption bugs
- Sanitizers in development: Deploy AddressSanitizer (ASAN) and MemorySanitizer (MSAN) during testing to detect corruption immediately
- Fuzzing with coverage feedback: Continuously fuzz parsers and input handlers using AFL++ or libFuzzer to discover corruption bugs
- Control Flow Integrity (CFI): Enable compiler-based CFI to restrict indirect call targets and prevent ROP
- Exploit mitigations: Deploy stack canaries, ASLR, DEP/NX, and shadow stacks on all platforms
- Sandboxing: Isolate vulnerable components using seccomp, pledge, or process isolation to contain successful exploits
Recent CVEs (2341)
A heap buffer overflow in the Linux kernel's wilc1000 WiFi driver allows local authenticated users to trigger memory corruption via crafted SSID scan requests. The driver miscalculates buffer size due to u8 integer overflow (330 bytes wrapping to 74), causing kmalloc to allocate 75 bytes while memcpy writes up to 331 bytes - a 256-byte overflow. Patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.03% (9th percentile) suggests low likelihood of widespread exploitation, and CISA KEV does not list this CVE, indicating no confirmed active exploitation at time of analysis.
Stack buffer overflow in Linux kernel Bluetooth subsystem allows local authenticated attackers to achieve code execution, privilege escalation, or denial of service through malformed ISO socket parameters. The vulnerability occurs when binding an ISO Bluetooth socket with up to 31 BIS entries while the hci_le_big_create_sync() function only allocates stack space for 17 entries, resulting in a 14-byte overflow that corrupts adjacent stack memory. Patches are available across multiple kernel versions (6.12.81, 6.18.22, 6.19.12, 7.0), with EPSS indicating 0.02% exploitation probability and no active exploitation confirmed.
Use-after-free in Linux kernel GPIB subsystem allows local authenticated attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability occurs in IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers when concurrent IBCLOSEDEV calls free descriptors still in use by I/O operations. EPSS probability is very low (0.02%, 4th percentile), indicating minimal observed exploitation activity. Vendor patches available for stable branches 6.18.22, 6.19.12, and mainline 7.0 via commits cae26eff, 28c75dd1, and d1857f82.
Use-after-free condition in Linux kernel USB Test and Measurement Class (USBTMC) driver allows local authenticated attackers to execute arbitrary code with elevated privileges. The vulnerability occurs when the usbtmc_release function fails to properly flush pending anchored URBs, leaving dangling references that can be exploited in the HCD giveback path. Vendor patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0). Despite the high CVSS score of 7.8, the EPSS exploitation probability is very low at 0.02% (7th percentile), indicating limited real-world targeting, and no active exploitation or public POC has been identified.
Buffer overflow in Linux kernel COMEDI me_daq driver allows local authenticated users to achieve arbitrary code execution with kernel privileges. The me2600_xilinx_download() function fails to validate firmware file length before reading data streams, enabling out-of-bounds memory access during firmware loading operations. Patches available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates low probability of widespread exploitation despite high CVSS 7.8 rating, and no active exploitation or public exploit code identified at time of analysis.
Out-of-bounds write in Linux kernel comedi me4000 driver firmware loader allows local authenticated users to achieve high-impact code execution, data corruption, or system crash. The me4000_xilinx_download() function blindly trusts firmware file format headers without validating buffer boundaries, reading a length field from the first 4 bytes and then reading that many bytes from offset 16 without checking total file size. Patch available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating. No public exploit code or active exploitation confirmed.
Memory corruption in the Linux kernel zynqmp_nvmem driver allows local authenticated users to achieve privilege escalation through undersized DMA buffer exploitation. The vulnerability stems from incorrect buffer size calculations in dma_alloc_coherent and memcpy operations, enabling heap or memory corruption that can lead to complete system compromise. With a 7.8 CVSS score but only 0.02% EPSS (5th percentile), this represents a high-severity issue affecting specific Xilinx Zynq UltraScale+ deployments rather than a widespread exploitation target. Patches available across multiple stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0) with upstream fixes confirmed in git commits.
Use-after-free in Linux kernel thermal subsystem allows local attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability stems from race conditions between thermal zone removal and power management resume operations, where delayed work items can continue executing after thermal zone objects are freed. EPSS score of 0.02% (5th percentile) suggests low probability of mass exploitation despite high CVSS severity. Vendor patches available across multiple stable kernel branches (6.12.83, 6.18.22, 6.19.12, 7.0) via upstream commits. No active exploitation confirmed in CISA KEV at time of analysis.
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_uac1_legacy: validate control request size

f_audio_complete() copies req->length bytes into a 4-byte stack variable:

    u32 data = 0;
    memcpy(&data, req->buf, req->length);

req->length is derived from the host-controlled USB request path, which can lead to a stack out-of-bounds write. Validate req->actual against the expected payload size for the supported control selectors and decode only the expected amount of data. This avoids copying a host-influenced length into a fixed-size stack object.
Remote denial of service in FRRouting stable/10.0 allows unauthenticated attackers to crash the BGP daemon via malformed FlowSpec NLRI messages. The off-by-one vulnerability in bgp_flowspec_op_decode() enables out-of-bounds writes when parsing crafted BGP FlowSpec components, causing process termination. EPSS exploitation probability data not available, but SSVC marks this as automatable with partial technical impact. No public exploit code identified at time of analysis, and not listed in CISA KEV, suggesting theoretical rather than actively exploited risk.
Buffer overflow in Linux kernel Xen hypervisor interface allows local authenticated users to achieve arbitrary code execution with high privilege escalation impact. The vulnerability stems from improper handling of non-NUL-terminated build ID data from HYPERVISOR_xen_version(XENVER_build_id) in drivers/xen/sys-hypervisor.c, where sprintf reads past buffer boundaries seeking a NUL terminator. Affects Linux kernel versions from 5.10 through 7.0 series when running as Xen domain. Vendor-released patches available across all affected stable branches (5.10.254, 5.15.204, 6.1.170, 6.6.137, 6.12.85, 6.18.26, 7.0.3). EPSS score of 0.08% (23rd percentile) indicates low probability of mass exploitation despite high CVSS 7.8, reflecting specialized Xen-only attack surface. No public exploit identified at time of analysis.
Denial of service in Wireshark 4.6.0 through 4.6.4 via crafted SDP protocol packets allows local attackers with user interaction to crash the application through a use-after-free memory corruption vulnerability in the SDP protocol dissector. EPSS and KEV status not available at analysis time; no public exploit code identified.
Denial of service via MySQL protocol dissector crash in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 allows local users with no privileges to crash the application through a crafted malicious pcap file or network capture, requiring only user interaction to open the file. The vulnerability stems from improper memory access in the MySQL dissector parser (CWE-824: Access of Uninitialized Pointer), resulting in application termination and loss of packet analysis capability. No public exploit code or active exploitation has been identified at time of analysis.
Denial of service via crash in the GSM RP protocol dissector affects Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14. A local attacker with user privileges can trigger a dissector crash by crafting a malicious GSM RP packet and inducing a user to open it, causing application termination and loss of packet capture session. CVSS 5.5 reflects local attack vector and user interaction requirement; no remote exploitation path identified.
Insufficient validation of the prefix length field in IPv6 Router Advertisement processing in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause memory corruption by sending a crafted Router Advertisement with a prefix length value exceeding the maximum valid length, resulting in a heap buffer overflow. Users processing IPv4 RA only are not impacted. To mitigate this issue, users should upgrade to the fixed version when available.
Local privilege escalation due to improper input validation. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212, Acronis Cyber Protect Cloud Agent (Windows) before build 42183.
Use after free in Media in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Use after free in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in WebView in Google Chrome on Android prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Cast in Google Chrome prior to 147.0.7727.138 allowed an attacker on the local network segment to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: High)
Use after free in Chromoting in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: High)
Type Confusion in V8 in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in media in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Codecs in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Cast in Google Chrome prior to 147.0.7727.138 allowed an attacker on the local network segment to execute arbitrary code inside a sandbox via malicious network traffic. (Chromium security severity: High)
Use after free in WebMIDI in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Media in Google Chrome on Android prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Navigation in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Use after free in GPU in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Use after free in Views in Google Chrome on Mac prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Use after free in Animation in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in ANGLE in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in GPU in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Views in Google Chrome on Windows prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Accessibility in Google Chrome on Windows prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Use after free in iOS in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Canvas in Google Chrome on Linux, ChromeOS prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)
Memory safety bugs present in Firefox ESR 140.10.0, Thunderbird ESR 140.10.0, Firefox 150.0.0 and Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1 and Firefox ESR 140.10.1.
Out-of-bounds write in GNU C Library 2.2+ allows remote unauthenticated attackers to corrupt memory and potentially execute arbitrary code through specially crafted TSIG DNS records processed by deprecated ns_printrrf, ns_printrr, or fp_nquery functions. While these functions are deprecated, any application still using them for DNS record printing remains vulnerable to network-based attacks with low complexity and no authentication barriers. No public exploit identified at time of analysis, but the deprecated status suggests limited real-world exposure despite the network attack vector.
Buffer overflow in TH1520 AON firmware protocol driver allows local authenticated attackers with low privileges to execute arbitrary code and gain elevated system access. The vulnerability stems from unsafe pointer arithmetic when accessing the 'mode' field through the 'resource' pointer with unchecked offsets in the T-HEAD firmware driver. Patches available across stable kernel branches (6.18.23, 6.19.13, 7.0) with low EPSS score (0.02%) indicating minimal observed exploitation attempts, though CVSS 7.8 reflects high impact if exploited on affected T-HEAD TH1520 systems.
Use-after-free in Linux kernel driver core allows local authenticated users to execute arbitrary code, escalate privileges, or crash the system via race condition in device-driver binding operations. The vulnerability stems from inconsistent locking in driver_match_device() function calls, specifically affecting driver_override functionality where device_lock was not held during bind_store() and __driver_attach() operations. EPSS probability is very low (0.02%, 5th percentile), indicating minimal real-world exploitation observed. No active exploitation confirmed - no CISA KEV listing identified. Patch available in kernel 7.0+ and backport commit dc23806a7c47.
Use-after-free in Foxit PDF Reader and Foxit PDF Editor allows arbitrary code execution when specially crafted PDF documents trigger UI refresh operations after comment deletion via scripting. Local attackers can deliver malicious PDFs and achieve code execution with high integrity and confidentiality impact once a user opens the file. CVSS 7.8 indicates high severity but requires user interaction, limiting automated exploitation. No public exploit code or active exploitation confirmed at time of analysis.
Use-after-free vulnerability in Foxit PDF Editor and PDF Reader allows local attackers to crash the application by manipulating document page lifecycle events, causing internal component states to desynchronize and subsequent operations to reference invalidated memory objects. Attack requires user interaction to open a malicious PDF file and does not enable information disclosure or code execution; impact is denial of service with CVSS 5.5 (medium severity). No public exploit code or active exploitation confirmed at time of analysis.
Use-after-free in Foxit PDF Reader and Foxit PDF Editor allows local attackers to execute arbitrary code or crash the application via specially crafted PDF documents. When scripts modify document structures, the software fails to maintain valid object references during page information queries, enabling pointer dereference of freed memory. Successful exploitation requires user interaction to open a malicious PDF file, achieving high confidentiality, integrity, and availability impact with CVSS 7.8. No active exploitation or public exploit code identified at time of analysis, though CVSS vector indicates low attack complexity once victim interaction occurs.
Use-after-free memory corruption in Foxit PDF Editor and Foxit PDF Reader allows local attackers to crash the application or execute arbitrary code by opening a crafted XFA PDF file during calculate event processing. The vulnerability requires user interaction (opening a malicious PDF) but impacts both products across all versions listed in CPE data. No public exploit code or active exploitation has been confirmed at this time.
Buffer overwrite vulnerability in uuid JavaScript library versions prior to 14.0.0 enables remote attackers to corrupt memory and potentially disclose sensitive information through out-of-range writes when applications use v3, v5, or v6 UUID generation functions with caller-provided output buffers. The library fails to validate buffer boundaries, allowing partial writes beyond allocated memory regions. Vendor patch available in version 14.0.0 per GitHub security advisory GHSA-w5hq-g745-h8pq. No confirmed active exploitation (not in CISA KEV), and CVSS 4.0 Environmental Score suggests exploitation status is unproven (E:U).
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix slab-use-after-free in __inet_lookup_established The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability during RCU read-side critical sections. Both tcp_prot and tcpv6_prot have their slab caches created with this flag via proto_register(). However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into tcpv6_prot_override during inet_init() (fs_initcall, level 5), before inet6_init() (module_init/device_initcall, level 6) has called proto_register(&tcpv6_prot). At that point, tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab remains NULL permanently. This causes MPTCP v6 subflow child sockets to be allocated via kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so when these sockets are freed without SOCK_RCU_FREE (which is cleared for child sockets by design), the memory can be immediately reused. Concurrent ehash lookups under rcu_read_lock can then access freed memory, triggering a slab-use-after-free in __inet_lookup_established. Fix this by splitting the IPv6-specific initialization out of mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called from mptcp_proto_v6_init() before protocol registration. This ensures tcpv6_prot_override.slab correctly inherits the SLAB_TYPESAFE_BY_RCU slab cache.
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: fix use-after-free in timeout object destroy

nft_ct_timeout_obj_destroy() frees the timeout object with kfree() immediately after nf_ct_untimeout(), without waiting for an RCU grace period. Concurrent packet processing on other CPUs may still hold RCU-protected references to the timeout object obtained via rcu_dereference() in nf_ct_timeout_data(). Add an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer freeing until after an RCU grace period, matching the approach already used in nfnetlink_cttimeout.c.

KASAN report:

    BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0
    Read of size 4 at addr ffff8881035fe19c by task exploit/80
    Call Trace:
     nf_conntrack_tcp_packet+0x1381/0x29d0
     nf_conntrack_in+0x612/0x8b0
     nf_hook_slow+0x70/0x100
     __ip_local_out+0x1b2/0x210
     tcp_sendmsg_locked+0x722/0x1580
     __sys_sendto+0x2d8/0x320
    Allocated by task 75:
     nft_ct_timeout_obj_init+0xf6/0x290
     nft_obj_init+0x107/0x1b0
     nf_tables_newobj+0x680/0x9c0
     nfnetlink_rcv_batch+0xc29/0xe00
    Freed by task 26:
     nft_obj_destroy+0x3f/0xa0
     nf_tables_trans_destroy_work+0x51c/0x5c0
     process_one_work+0x2c4/0x5a0
In the Linux kernel, the following vulnerability has been resolved: mm/damon/stat: deallocate damon_call() failure leaking damon_ctx damon_stat_start() always allocates the module's damon_ctx object (damon_stat_context). Meanwhile, if damon_call() in the function fails, the damon_ctx object is not deallocated. Hence, if the damon_call() is failed, and the user writes Y to “enabled” again, the previously allocated damon_ctx object is leaked. This cannot simply be fixed by deallocating the damon_ctx object when damon_call() fails. That's because damon_call() failure doesn't guarantee the kdamond main function, which accesses the damon_ctx object, is completely finished. In other words, if damon_stat_start() deallocates the damon_ctx object after damon_call() failure, the not-yet-terminated kdamond could access the freed memory (use-after-free). Fix the leak while avoiding the use-after-free by keeping returning damon_stat_start() without deallocating the damon_ctx object after damon_call() failure, but deallocating it when the function is invoked again and the kdamond is completely terminated. If the kdamond is not yet terminated, simply return -EAGAIN, as the kdamond will soon be terminated. The issue was discovered [1] by sashiko.
In the Linux kernel, the following vulnerability has been resolved: mmc: vub300: fix use-after-free on disconnect The vub300 driver maintains an explicit reference count for the controller and its driver data and the last reference can in theory be dropped after the driver has been unbound. This specifically means that the controller allocation must not be device managed as that can lead to use-after-free. Note that the lifetime is currently also incorrectly tied the parent USB device rather than interface, which can lead to memory leaks if the driver is unbound without its device being physically disconnected (e.g. on probe deferral). Fix both issues by reverting to non-managed allocation of the controller.
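The damon stat and vub300 entries above describe the same lifetime discipline from two directions: an object shared with an asynchronous worker must not be freed by its owner while the worker may still touch it, and a restart must refuse (rather than free and reallocate) while the previous worker has not finished. The following userspace C program is an added illustration of that discipline, not kernel code and not the fix from either entry; it simulates the worker synchronously and uses a plain `int` reference count where the kernel would use `refcount_t`/`kref` and real concurrency. The `struct ctx`, `struct worker`, `struct service` and `frees_done` instrumentation are all constructed for the demo.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Shared object (stand-in for a driver's private data or a damon_ctx).
 * Single-threaded simulation: a plain int is enough for the refcount. */
struct ctx {
    int refs;
    int id;
};

/* Instrumentation for the demo: how many ctx objects have been freed. */
static int frees_done = 0;

static struct ctx *ctx_new(int id)
{
    struct ctx *c = calloc(1, sizeof *c);
    if (c == NULL)
        abort();
    c->refs = 1;                 /* the owner's reference */
    c->id = id;
    return c;
}

static struct ctx *ctx_get(struct ctx *c) { c->refs++; return c; }

static void ctx_put(struct ctx *c)
{
    if (--c->refs == 0) {        /* last user frees; nobody else can touch it */
        frees_done++;
        free(c);
    }
}

/* Asynchronous worker (stand-in for a kdamond or a deferred work item).
 * It takes its own reference when scheduled and drops it when done. */
struct worker {
    struct ctx *c;
    int running;
};

static void worker_start(struct worker *w, struct ctx *c)
{
    w->c = ctx_get(c);
    w->running = 1;
}

/* Finishing touches the ctx: valid only because the worker holds a ref. */
static int worker_finish(struct worker *w)
{
    if (!w->running)
        return -1;
    int id = w->c->id;
    w->running = 0;
    ctx_put(w->c);
    w->c = NULL;
    return id;
}

/* Owner releases its reference (driver unbind, "enabled" written to N).
 * The object survives if the worker still references it. */
static void owner_release(struct ctx **slot)
{
    struct ctx *c = *slot;
    *slot = NULL;
    if (c)
        ctx_put(c);
}

/* Single-slot service: a restart while the old worker still runs must
 * refuse with -EAGAIN instead of freeing the ctx out from under it. */
struct service {
    struct ctx *ctx;
    struct worker w;
};

int service_start(struct service *s, int id)
{
    if (s->ctx != NULL) {
        if (s->w.running)
            return -EAGAIN;      /* old worker not yet terminated: retry later */
        owner_release(&s->ctx);  /* worker done, so this drops the last ref */
    }
    s->ctx = ctx_new(id);
    worker_start(&s->w, s->ctx);
    return 0;
}

/* Scenario 1: owner releases while the worker is still running.
 * Returns frees-before-finish * 10 + frees-after-finish; expected 1. */
int scenario_release_during_work(void)
{
    frees_done = 0;
    struct ctx *owned = ctx_new(1);
    struct worker w = {0};
    worker_start(&w, owned);      /* refs: 2 */
    owner_release(&owned);        /* refs: 1, object still alive */
    int before = frees_done;      /* 0 */
    worker_finish(&w);            /* refs: 0, freed here */
    return before * 10 + frees_done;
}

/* Scenario 2: restart is refused while busy, then succeeds and frees the
 * old ctx exactly once. Returns 1 when every step behaves as expected. */
int scenario_restart(void)
{
    frees_done = 0;
    struct service s = {0};
    if (service_start(&s, 1) != 0)
        return 0;
    int busy = service_start(&s, 2);       /* -EAGAIN: worker 1 still running */
    worker_finish(&s.w);
    int ok = service_start(&s, 3);         /* 0: ctx 1 freed, ctx 3 started */
    int freed_once = (frees_done == 1);
    worker_finish(&s.w);
    owner_release(&s.ctx);                 /* ctx 3 freed */
    return (busy == -EAGAIN && ok == 0 && freed_once && frees_done == 2);
}

int main(void)
{
    printf("release during work: %d (expect 1)\n", scenario_release_during_work());
    printf("restart discipline:  %d (expect 1)\n", scenario_restart());
    return 0;
}
```

The two rules the code enforces are the ones both entries arrive at: whoever may still dereference the object holds a counted reference, so the free happens at the last put rather than at a fixed point such as unbind; and when the owner cannot yet know the worker has stopped, it returns a retryable error instead of freeing. The device-managed allocation the vub300 entry warns about breaks the first rule by tying the free to unbind regardless of outstanding references.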
Use-after-free in Linux kernel's lan966x network driver allows local authenticated attackers to achieve arbitrary code execution with high impact to confidentiality, integrity, and availability. The flaw occurs in lan966x_fdma_reload() when RX buffer allocation fails - freed pages remain referenced by active DMA descriptors, causing hardware to write into memory now controlled by other kernel subsystems. Vendor patches available for stable branches 6.12.82, 6.18.23, 6.19.13, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. No CISA KEV listing or public exploit identified at time of analysis, but successful exploitation grants kernel-level privileges to local attackers.
Buffer overread in Linux kernel's rxgk_do_verify_authenticator() function allows remote unauthenticated attackers to trigger information disclosure and high-availability denial of service through network-accessible RxGK authentication handling. The vulnerability stems from improper buffer size validation before nonce verification in the RxRPC subsystem. Patches are available from the Linux kernel stable tree (versions 6.19.13, 6.18.23, and 7.0). EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, and no active exploitation or public POC has been identified. Despite the high CVSS base score of 8.2, real-world risk appears limited to environments using RxRPC with RxGK authentication.
Heap buffer overflow in Linux kernel USB/IP client allows malicious USB/IP servers to execute arbitrary code with kernel privileges via crafted RET_SUBMIT responses. A rogue server can specify a larger number_of_packets value than originally submitted, causing out-of-bounds writes when processing isochronous USB transfers. Patched in kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS score of 0.02% (5th percentile) suggests low probability of widespread exploitation despite CVSS 9.8 criticality, indicating this is primarily a risk in environments using USB/IP with untrusted servers rather than a general internet-facing threat.
Use-after-free in Linux kernel OCFS2 filesystem enables local attackers with low privileges to achieve arbitrary code execution, privilege escalation, or denial of service. The vulnerability occurs when filemap_fault() drops mmap_lock before returning VM_FAULT_RETRY, allowing concurrent munmap() to free the vm_area_struct while ocfs2_fault() still holds a dangling pointer. Vendor patches available for kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS exploitation probability is very low (0.02%, 5th percentile) with no public exploit identified at time of analysis.
Use-after-free in Linux kernel memory management allows remote code execution when the folio_unmap_invalidate() function incorrectly accesses freed mapping structures. All kernel versions from commit 1da177e4c3f4 up to the fixes in 6.19.14 and 7.0.1 are affected. Exploitation probability is low (EPSS 2%, percentile 5%), with no confirmed active exploitation or public POC at time of analysis. Despite the critical CVSS 9.8 score indicating a network-based unauthenticated attack, the description suggests this is a kernel memory corruption bug requiring local kernel code paths to trigger, not direct remote network exploitation; the CVSS vector conflicts with the technical nature of the bug and should be validated against vendor guidance.
Use-after-free in Linux kernel KVM x86 MMIO emulation allows local authenticated users with low privileges to potentially execute arbitrary code, escalate privileges, or cause denial of service. The flaw occurs when KVM's emulator initiates MMIO writes using on-stack variables that cross page boundaries between two MMIO pages, creating dangling pointers when fragments are processed across separate KVM_RUN calls, especially when different tasks handle subsequent runs. EPSS exploitation probability is very low (0.02%, 5th percentile), and vendor patches are available for kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. No active exploitation or public POC identified at time of analysis.
Use-after-free in Linux kernel q6apm audio driver allows local authenticated attackers with low privileges to achieve arbitrary code execution, denial of service, or information disclosure with high impact to confidentiality, integrity, and availability. The flaw affects Qualcomm ASoC q6apm component registration code used in devices like Lenovo 21N2ZC5PUS laptops. Vendor-released patches are available across multiple kernel version branches (6.12.83, 6.18.24, 6.19.14, 7.0.1). EPSS score of 0.02% (5th percentile) indicates low probability of mass exploitation despite high CVSS 7.8, with no confirmed active exploitation or public POC identified at time of analysis.
Use-after-free in Linux kernel blk-cgroup subsystem allows local authenticated users to potentially execute arbitrary code, escalate privileges, or crash the system. The vulnerability occurs in cgwb_release_workfn() when releasing cgroup writeback structures, where a CSS reference is dropped before subsequent dereference, creating a race condition. Meta reports sporadic crashes in production across multiple kernel versions. Patches available for stable branches 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS score of 0.02% suggests low widespread exploitation probability, and no active exploitation or public POC identified at time of analysis.
Use-after-free in Linux kernel MediaTek video encoder allows local authenticated users to corrupt memory and potentially execute arbitrary code. The flaw affects the vcodec driver's encoder release path where ctx memory is freed before canceling scheduled workqueue tasks, enabling race conditions between cleanup and worker threads that may dereference freed memory. KASAN-confirmed exploitation requires local access with low privileges (CVSS AV:L/PR:L). Patches available for kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS score of 0.02% (5th percentile) indicates very low probability of automated exploitation, with no public exploit identified at time of analysis.
In the Linux kernel, the following vulnerability has been resolved: media: em28xx: fix use-after-free in em28xx_v4l2_open()

em28xx_v4l2_open() reads dev->v4l2 without holding dev->lock, creating a race with em28xx_v4l2_init()'s error path and em28xx_v4l2_fini(), both of which free the em28xx_v4l2 struct and set dev->v4l2 to NULL under dev->lock. This race leads to two issues:

- use-after-free in v4l2_fh_init() when accessing vdev->ctrl_handler, since the video_device is embedded in the freed em28xx_v4l2 struct.
- NULL pointer dereference in em28xx_resolution_set() when accessing v4l2->norm, since dev->v4l2 has been set to NULL.

Fix this by moving the mutex_lock() before the dev->v4l2 read and adding a NULL check for dev->v4l2 under the lock.

In the Linux kernel, the following vulnerability has been resolved: hwmon: (powerz) Fix use-after-free on USB disconnect

After powerz_disconnect() frees the URB and releases the mutex, a subsequent powerz_read() call can acquire the mutex and call powerz_read_data(), which dereferences the freed URB pointer. Fix by:

- Setting priv->urb to NULL in powerz_disconnect() so that powerz_read_data() can detect the disconnected state.
- Adding a !priv->urb check at the start of powerz_read_data() to return -ENODEV on a disconnected device.
- Moving usb_set_intfdata() before hwmon registration so the disconnect handler can always find the priv pointer.

In the Linux kernel, the following vulnerability has been resolved: ALSA: 6fire: fix use-after-free on disconnect

In usb6fire_chip_abort(), the chip struct is allocated as the card's private data (via snd_card_new with sizeof(struct sfire_chip)). When snd_card_free_when_closed() is called and no file handles are open, the card and embedded chip are freed synchronously. The subsequent chip->card = NULL write then hits freed slab memory. Call trace:

```
usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline]
usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182
usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458
...
hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953
```

Fix by moving the card lifecycle out of usb6fire_chip_abort() and into usb6fire_chip_disconnect(). The card pointer is saved in a local before any teardown, snd_card_disconnect() is called first to prevent new opens, URBs are aborted while chip is still valid, and snd_card_free_when_closed() is called last so chip is never accessed after the card may be freed.

In the Linux kernel, the following vulnerability has been resolved: bcache: fix cached_dev.sb_bio use-after-free and crash

In our production environment, we have received multiple crash reports regarding libceph, which have caught our attention:

```
[6888366.280350] Call Trace:
[6888366.280452]  blk_update_request+0x14e/0x370
[6888366.280561]  blk_mq_end_request+0x1a/0x130
[6888366.280671]  rbd_img_handle_request+0x1a0/0x1b0 [rbd]
[6888366.280792]  rbd_obj_handle_request+0x32/0x40 [rbd]
[6888366.280903]  __complete_request+0x22/0x70 [libceph]
[6888366.281032]  osd_dispatch+0x15e/0xb40 [libceph]
[6888366.281164]  ? inet_recvmsg+0x5b/0xd0
[6888366.281272]  ? ceph_tcp_recvmsg+0x6f/0xa0 [libceph]
[6888366.281405]  ceph_con_process_message+0x79/0x140 [libceph]
[6888366.281534]  ceph_con_v1_try_read+0x5d7/0xf30 [libceph]
[6888366.281661]  ceph_con_workfn+0x329/0x680 [libceph]
```

After analyzing the coredump file, we found that the address of dc->sb_bio has been freed. We know that cached_dev is only freed when it is stopped. Since sb_bio is a part of struct cached_dev rather than allocated every time, if the device is stopped while writing to the superblock, the released address will be accessed at endio. This patch hopes to wait for sb_write to complete in cached_dev_free. It should be noted that we analyzed the cause of the problem, then told all the details to QWEN and adopted the modifications it made.

In the Linux kernel, the following vulnerability has been resolved: media: as102: fix to not free memory after the device is registered in as102_usb_probe()

In as102_usb driver, the following race condition occurs:

```
CPU0                                   CPU1
as102_usb_probe()
  kzalloc();            // alloc as102_dev_t
  ....
  usb_register_dev();
                                       fd = sys_open("/path/to/dev");  // open as102 fd
  ....
  usb_deregister_dev();
  ....
  kfree();              // free as102_dev_t
  ....
                                       sys_close(fd);
                                         as102_release()       // UAF!!
                                           as102_usb_release()
                                             kfree();          // DFB!!
```

When a USB character device registered with usb_register_dev() is later unregistered (via usb_deregister_dev() or disconnect), the device node is removed so new open() calls fail. However, file descriptors that are already open do not go away immediately: they remain valid until the last reference is dropped and the driver's .release() is invoked. In as102, as102_usb_probe() calls usb_register_dev() and then, on an error path, does usb_deregister_dev() and frees as102_dev_t right away. If userspace raced a successful open() before the deregistration, that open FD will later hit as102_release() --> as102_usb_release() and access or free as102_dev_t again, resulting in a race to use-after-free and double-free vulnerabilities. The fix is to never kfree(as102_dev_t) directly once usb_register_dev() has succeeded. After deregistration, defer freeing memory to .release(). In other words, let release() perform the last kfree when the final open FD is closed.

In the Linux kernel, the following vulnerability has been resolved: media: hackrf: fix to not free memory after the device is registered in hackrf_probe()

In hackrf driver, the following race condition occurs:

```
CPU0                                   CPU1
hackrf_probe()
  kzalloc();            // alloc hackrf_dev
  ....
  v4l2_device_register();
  ....
                                       fd = sys_open("/path/to/dev");  // open hackrf fd
  ....
  v4l2_device_unregister();
  ....
  kfree();              // free hackrf_dev
  ....
                                       sys_ioctl(fd, ...);
                                         v4l2_ioctl();
                                           video_is_registered()  // UAF!!
  ....
                                       sys_close(fd);
                                         v4l2_release()         // UAF!!
                                           hackrf_video_release()
                                             kfree();           // DFB!!
```

When a V4L2 or video device is unregistered, the device node is removed so new open() calls are blocked. However, file descriptors that are already open (and any in-flight I/O) do not terminate immediately; they remain valid until the last reference is dropped and the driver's release() is invoked. Therefore, freeing device memory on the error path after hackrf_probe() has registered dev will lead to a race to use-after-free, since those already-open handles haven't been released yet. And since release() frees memory too, a race to use-after-free and double-free occurs. To prevent this, if the device is registered from probe(), it should be modified to free memory only through release() rather than calling kfree() directly.

Use-after-free in Linux kernel AMD GPU driver allows local authenticated users to potentially execute arbitrary code, escalate privileges, or cause denial of service. The amdgpu_amdkfd_submit_ib() function in the AMD KFD (Kernel Fusion Driver) prematurely releases a DMA fence reference before waiting on it, creating a race condition where the fence memory may be freed before use. Vendor-released patches are available for multiple stable kernel branches (6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS exploitation probability is very low at 0.02% (7th percentile), and no public exploit or active exploitation has been identified at time of analysis.
Use-after-free in Linux kernel futex subsystem allows local authenticated attackers to achieve code execution, privilege escalation, or denial of service via sys_futex_requeue() with mismatched flags. Discovered through automated LLM analysis by Nicholas, this affects kernel versions 6.7 through 6.19.x, with patches available in 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation or public POC has been identified. The vulnerability requires local access with low-privilege authenticated user credentials (PR:L), making it a post-compromise escalation vector rather than a remote entry point.
Use-after-free in Linux kernel tracing subsystem allows local authenticated attackers to achieve arbitrary code execution, privilege escalation, or denial of service. The vulnerability occurs when deleting tracing instances with copy_trace_marker enabled, where improper RCU synchronization leaves freed memory accessible. Exploitation requires local access with low privileges to manipulate kernel tracing facilities. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability. Vendor patches available across multiple stable kernel versions (6.18.20, 6.19.10, 7.0).
A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable.
Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
In the Linux kernel, the following vulnerability has been resolved: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 ("net: tls: handle backlogging of crypto requests"), has a use-after-free due to double cleanup of encrypt_pending and the scatterlist entry. When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. That callback unconditionally restores the scatterlist entry (sge->offset, sge->length) and decrements ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist. The double-decrement corrupts the encrypt_pending sentinel (initialized to 1), making tls_encrypt_async_wait() permanently skip the wait for pending async callbacks. A subsequent sendmsg can then free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, resulting in a use-after-free when the callback fires on the freed record. Fix this by skipping the synchronous cleanup when the -EBUSY async wait returns an error, since the callback has already handled encrypt_pending and sge restoration.
Use-after-free in Linux kernel CAN raw socket implementation allows local authenticated attackers to corrupt memory and potentially achieve code execution. The vulnerability stems from premature deallocation of percpu uniq storage in raw_release() while raw_rcv() may still access it via deferred RCU callbacks. Patches available for kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS exploitation probability remains low (0.02%, 5th percentile) with no active exploitation confirmed at time of analysis.
Libgcrypt before version 1.12.2 contains a bounds-check vulnerability in Dilithium signing operations where writes to a static array lack proper bounds validation, potentially causing memory corruption and integrity loss. The vulnerability affects local attackers with non-privileged access on systems running vulnerable versions 1.12.0 and 1.12.1. While the vulnerability does not involve attacker-controlled data in the array writes themselves, the missing bounds check creates an integrity and availability risk through uncontrolled memory modification.
Heap-based buffer overflow in Libgcrypt before 1.12.2 allows local attackers to trigger denial of service and corrupt memory via crafted ECDH ciphertext passed to gcry_pk_decrypt, affecting cryptographic operations in dependent applications including GnuPG. No public exploit code or active exploitation has been identified at time of analysis; vendor has released patched versions 1.10.4, 1.11.3, and 1.12.2 to resolve the vulnerability.
Out-of-bounds memory write in rust-openssl's AES key unwrap function allows attackers who control buffer sizes to corrupt memory via safe API misuse. The aes::unwrap_key() function contains an inverted bounds assertion that accepts undersized output buffers and rejects correctly sized ones, causing the function to write beyond allocated memory by in_.len() - 8 - out.len() bytes. Vendor patch available via GitHub PR #2604 and commit 718d07ff, released in openssl-v0.10.78. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept at time of analysis, but the logic flaw is clearly documented in vendor advisory GHSA-8c75-8mhr-p7r9.
Use-after-free in Linux kernel CXL (Compute Express Link) subsystem allows local authenticated attackers to corrupt memory and potentially execute arbitrary code or cause kernel panics. The flaw occurs in cxl_detach_ep() during device removal when parent port references are freed prematurely, before child operations complete. Affects Linux kernel 6.3 through 7.0-rc5; patched in versions 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% indicates low exploitation probability. No active exploitation or public exploit code identified at time of analysis.
Use-after-free in Linux Kernel platform driver core allows local authenticated attackers to achieve high-severity impacts including code execution, privilege escalation, or denial of service. The vulnerability stems from unsafe access to the driver_override field during device probing when the bus match() callback executes without device lock protection. Patches are available across multiple kernel branches (6.12.80, 6.18.21, 6.19.11, 7.0) per vendor commits. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no CISA KEV listing exists, suggesting this remains a theoretical risk rather than an actively exploited threat despite the high CVSS 7.8 score.
Signed integer overflow in the Linux kernel's BPF interpreter enables local attackers with low privileges to achieve out-of-bounds memory access and potentially execute arbitrary code. The flaw occurs when the 32-bit signed division/modulo operations handle INT_MIN (0x80000000), causing the abs() macro to trigger undefined behavior that creates a mismatch between the verifier's abstract interpretation and the interpreter's runtime behavior. With an EPSS score of 0.02% and no confirmed active exploitation, the primary risk is to systems where unprivileged users can load BPF programs, though default kernel configurations typically restrict BPF to privileged users. Patches are available across multiple stable kernel branches (6.6.131, 6.12.80, 6.18.21, 6.19.11).
Linux kernel module loader fails to validate ELF section index bounds in simplify_symbols(), causing kernel panic when processing modules with out-of-bounds st_shndx values such as SHN_XINDEX (0xffff). Local privileged attackers can crash the system by loading malformed or legitimately-crafted modules that exploit this missing bounds check, resulting in denial of service. The vulnerability affects all stable kernel versions from 2.6.12 through current releases; patches are available across multiple stable branches (5.15.203+, 6.1.168+, 6.6.131+, 6.12.80+, 6.18.21+, 6.19.11+, 7.0+).
Use-after-free in Linux kernel Bluetooth MGMT subsystem allows local authenticated users to achieve arbitrary code execution, privilege escalation, or denial of service. The vulnerability stems from improper condition checking in mgmt_add_adv_patterns_monitor_complete(), which can leave dangling pointers after freeing memory without unlinking from the list. Patches available across multiple kernel versions (6.12.80, 6.17, 6.18.21, 6.19.11, 7.0). There is no evidence of active exploitation (not in CISA KEV), and the low EPSS score (0.02%, 5th percentile) suggests limited attacker interest despite the high CVSS severity.
Out-of-bounds memory write in Linux kernel iavf (Intel Adaptive Virtual Function) driver allows local authenticated attackers with low privileges to achieve high confidentiality, integrity, and availability impact via race condition during concurrent ethtool operations. The vulnerability stems from inconsistent use of queue counters (real_num_tx_queues vs num_active_queues vs num_tx_queues) across ethtool statistics functions, enabling memory corruption when changing network channels via 'ethtool -L' while simultaneously querying statistics with 'ethtool -S'. Patches available for kernel versions 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS exploitation probability is low (0.02%, 5th percentile) with no public exploit or active exploitation identified at time of analysis.
Use-after-free in Linux kernel packet socket handling allows local attackers with low privileges to achieve kernel memory corruption, potentially leading to privilege escalation, information disclosure, or denial of service. The vulnerability stems from a race condition in packet_release() where NETDEV_UP events can re-register a socket into a fanout group's array after cleanup begins but before the socket number is zeroed, leaving dangling pointers. Patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score is low (0.02%, 7th percentile) and no active exploitation is confirmed (not in CISA KEV), suggesting limited real-world exploitation despite the high CVSS 7.8 rating.
Type confusion in Linux kernel team driver allows local authenticated users to trigger memory corruption and potential privilege escalation. The team_setup_by_port() function incorrectly copies header_ops from non-Ethernet lower devices (such as GRE interfaces) without proper context validation, causing callbacks like dev_hard_header() to interpret netdev_priv() as the wrong structure type when processing stacked network topologies (e.g., gre → bond → team). While CVSS rates this 7.8 (High), EPSS probability is very low at 0.02% (5th percentile), and no active exploitation or public POC has been identified. Vendor patches are available across multiple stable kernel branches (6.12.80, 6.18.21, 6.19.11, 7.0).
Use-after-free in Linux kernel ICSSG PRU Ethernet driver allows remote code execution with CVSS 9.8 scoring. Affects TI ICSSG network driver in kernels 6.15 through 7.0 (patched in 6.19.11 and 7.0). The flaw causes CPPI descriptors to be freed before timestamp processing completes on every received packet, creating an exploitable memory corruption condition. Despite critical CVSS scoring, EPSS probability is very low (0.02%, 5th percentile) and no active exploitation or public POC has been identified. The network attack vector (AV:N) combined with zero-day timing suggests this may be scored for a worst-case remote exploitation scenario, but actual exploitability via network packets requires deeper investigation of the ICSSG hardware context and packet processing pipeline.
Use-after-free in Linux kernel Bluetooth Intel driver enables local privilege escalation to kernel code execution. Affects Linux kernel 4.3 through 7.0-rc5, with patches available in versions 6.6.131, 6.12.80, 6.18.21, 6.19.11, and 7.0. Exploitation requires local authenticated access with low privileges (CVSS PR:L). EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. No public exploit code or active exploitation confirmed at time of analysis, though the technical details in the CVE description provide an implementation roadmap.
Out-of-bounds write in the Linux kernel macb Ethernet driver allows local authenticated users with low privileges to corrupt kernel memory, potentially leading to privilege escalation, denial of service, or information disclosure. The vulnerability affects the ethtool statistics collection path where gem_get_ethtool_stats() writes statistics for MACB_MAX_QUEUES regardless of the actual number of active queues, causing a 760-byte buffer overflow when fewer queues are configured. KASAN validation confirms heap corruption with a write beyond allocated vmalloc region boundaries. No active exploitation confirmed (not in CISA KEV), and EPSS score is low (0.03%, 10th percentile), indicating minimal observed exploitation activity. Patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0).
Use-after-free in Linux kernel RDMA/EFA driver allows local authenticated users with low privileges to execute arbitrary code with high confidentiality, integrity, and availability impact. The vulnerability affects the admin queue completion handling where completion context data is accessed after being freed, creating a window for memory corruption exploitation. Affects kernel versions from 5.12 through 7.0-rc7, with vendor patches available for stable branches 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing identified at time of analysis.
Use-after-free in Linux kernel's xe GPU driver allows local authenticated users to execute arbitrary code with kernel privileges. The vulnerability occurs in the SR-IOV physical function migration restore path when error handling fails to nullify a freed data pointer, enabling subsequent write operations to reference deallocated memory. With CVSS 7.8 (High) and very low EPSS (0.02%), this represents typical kernel memory corruption risk requiring local access and low privileges. Vendor patches are available for affected 6.19 and 7.0-rc versions.
Use-after-free in Linux kernel AMD display driver allows local authenticated users to execute arbitrary code, corrupt memory, or cause denial of service. Affects systems with AMD graphics using Display Stream Compression (DSC) and multi-stream transport (MST), particularly laptops with integrated displays and external DP-MST monitors. The vulnerability arises when mode changes occur simultaneously with DSC reconfigurations, causing improper stream lifecycle management. Vendor patch available across multiple kernel versions (6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% indicates low exploitation probability in the wild, with no CISA KEV listing or public exploit identified at time of analysis.