470
CVEs
36
Critical
178
High
0
KEV
1
PoC
10
Unpatched C/H
94.9%
Patch Rate
0.2%
Avg EPSS
Severity Breakdown
CRITICAL
36
HIGH
178
MEDIUM
156
LOW
6
Monthly CVE Trend
Affected Products (30)
Linux Kernel
9021
Debian Linux
1338
Ubuntu
740
Android
549
Ubuntu Linux
496
Enterprise Linux
259
Fedora
254
Leap
195
Enterprise Linux Server
135
Enterprise Linux Workstation
132
H410c Firmware
130
Enterprise Linux Desktop
130
H700s Firmware
119
H500s Firmware
119
H410s Firmware
119
H300s Firmware
118
Enterprise Linux Server Aus
116
Enterprise Linux Server Tus
90
Windows
84
Active Iq Unified Manager
78
Opensuse
75
Cloud Backup
74
H700E Firmware
68
Enterprise Linux Server Eus
68
H500E Firmware
68
H300E Firmware
68
Enterprise Linux Eus
61
Solidfire
57
Hci Management Node
57
Solaris
53
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-53176 | Remote denial of service in the Linux kernel's iSER (iSCSI Extensions for RDMA) target driver (IB/isert) allows an unauthenticated attacker on the RDMA fabric to crash a storage target node by sending an undersized iSCSI login PDU. The isert_login_recv_done() handler subtracts the 76-byte ISER_HEADERS_LEN from the received byte count without a lower bound, producing a negative signed login_req_len that is later sign-extended into a multi-gigabyte memcpy() length, causing a faulting out-of-bounds copy. Because the login phase precedes iSCSI authentication, no credentials are required; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.21%). | CRITICAL | 9.8 | 0.2% | 49 |
|
| CVE-2026-52982 | Use-after-free in the Linux kernel rtl8150 USB-to-Ethernet driver (drivers/net/usb/rtl8150.c) lets the transmit path read freed socket-buffer memory: rtl8150_start_xmit() reads skb->len for TX byte accounting after usb_submit_urb(), but the URB completion handler write_bulk_callback() can free the skb on another CPU first, producing a slab-use-after-free read flagged by KASAN/syzbot. Affected systems are those using an RTL8150-based USB Ethernet adapter; the practical impact is a stale/garbage stat read or a potential crash from freed-memory access rather than reliable info disclosure. There is no public exploit identified at time of analysis (not in CISA KEV, EPSS 0.18%/8th percentile), and the issue was found and fixed via upstream syzbot fuzzing. | CRITICAL | 9.8 | 0.2% | 49 |
|
| CVE-2026-53006 | Use-after-free in the Linux kernel's IPv6 ICMPv6 receive path (icmpv6_rcv()) allows stale pointers to freed socket buffer memory to be dereferenced after a pskb_pull() call relocates skb->head. The affected code cached the source and destination addresses (saddr/daddr) before the pull, and these stale references were only consumed by net_dbg_ratelimited() in the slow path, limiting practical impact. The flaw is fixed upstream across all maintained stable trees; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile). | CRITICAL | 9.8 | 0.2% | 49 |
|
| CVE-2026-52986 | Out-of-bounds memory access in the Linux kernel's netfilter SIP connection-tracking helper (nf_conntrack_sip) stems from parsing port numbers in non-NUL-terminated socket-buffer data with simple_strtoul() and dereferencing pointers after sip_parse_addr() without bounds checks. Remote attackers sending crafted SIP messages through a host where the SIP conntrack/NAT helper is active could read past the packet buffer, risking information disclosure or instability (tagged Information Disclosure). Despite a CVSS of 9.8, EPSS is only 0.18% (8th percentile) and no public exploit is identified at time of analysis; a vendor fix is available across multiple stable trees. | CRITICAL | 9.8 | 0.2% | 49 |
|
| CVE-2026-53221 | Incorrect tunnel matching in the Linux kernel's IPv6 Virtual Tunnel Interface (vti6) lets the vti6_tnl_lookup() fallback path select the wrong tunnel when an exact match fails, because the wildcard-search loops omitted checks that a candidate tunnel actually holds a wildcard local or remote address. On hosts configured with multiple vti6 tunnels sharing the ip6n->tnls_r_l hash table, hash collisions can cause inbound IPv6/IPsec packets to be associated with an unintended tunnel, enabling traffic misdirection and information disclosure. There is no public exploit identified at time of analysis, EPSS probability is low (0.18%), and the issue is not in CISA KEV; the upstream fix is available across multiple stable kernel branches. | CRITICAL | 9.8 | 0.2% | 49 |
|
| CVE-2026-52955 | Out-of-bounds memory access in the Linux kernel's libceph CRUSH map decoder (crush_decode()) lets a malicious or compromised Ceph cluster corrupt kernel memory on a connecting client. A crafted CEPH_MSG_OSD_MAP message whose bucket carries mismatched algorithm fields (alg vs b->alg) causes memory to be allocated for one bucket type but processed and later freed as another, leading to OOB access during decode and again during crush map destruction. Despite a 9.8 CVSS, there is no public exploit identified at time of analysis and EPSS is low (0.18%, 8th percentile); the realistic attack surface is limited to hosts mounting/connecting to attacker-controlled Ceph (RBD/CephFS) infrastructure. | CRITICAL | 9.8 | 0.2% | 49 |
|
| CVE-2026-53228 | Use-after-free read in the Linux kernel's IPv6 SIT (IPv6-in-IPv4) tunnel transmit path lets a stale inner-IPv6-header pointer be dereferenced after GSO offload processing relocates the skb head, exposing freed kernel memory or crashing the host. The flaw affects systems running SIT tunnels in ipip6_tunnel_xmit(), where iptunnel_handle_offloads() may call pskb_expand_head() and move the buffer while the code keeps reading the old iph6 pointer. There is no public exploit identified at time of analysis; EPSS is low (0.18%, 8th percentile) and the issue is not in CISA KEV. The vendor-tagged impact is Information Disclosure, which is materially narrower than the assigned CVSS 9.8. | CRITICAL | 9.8 | 0.2% | 49 |
|
| CVE-2026-53247 | Memory corruption (use-after-free) in the Linux kernel's MediaTek mtk_eth_soc Ethernet driver allows the metadata destination object to be freed via kfree() during driver teardown while the RX path may still hold a non-refcounted (noref) pointer to it from a live skb. Affects systems running the mtk_eth_soc driver (MediaTek SoC networking, common in routers/embedded devices) across multiple kernel branches; the fix routes the free through dst_release() so the RCU grace period is honored. No public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and it is not in CISA KEV - despite the input's nominal CVSS of 9.8. | CRITICAL | 9.8 | 0.2% | 49 |
|
| CVE-2026-53046 | Denial-of-service (NULL-pointer dereference / use-after-free) in the Linux kernel's in-kernel SMB3 server (ksmbd) affects systems that offload SMB3 message encryption to asynchronous hardware crypto engines such as the Qualcomm Crypto Engine (QCE). ksmbd_crypt_message() installs a NULL completion callback and misinterprets the -EINPROGRESS return from async AEAD requests as a fatal error, freeing the request while the hardware DMA is still running so the later qce_skcipher_done() callback dereferences freed memory and crashes the kernel. There is no public exploit identified at time of analysis, it is not in CISA KEV, and EPSS is low (0.18%, 8th percentile), consistent with the narrow hardware/configuration prerequisites despite the NVD CVSS of 9.8. | CRITICAL | 9.8 | 0.2% | 49 |
|
| CVE-2026-53216 | Memory corruption in the Linux kernel's Marvell mvpp2 (PPv2) Ethernet driver allows the XDP fast-path to write past the real packet buffer on hardware using short BM pools. The driver hard-codes PAGE_SIZE as the XDP frame size even when short-pool buffers are smaller, so bpf_xdp_adjust_tail() can legitimately grow a frame beyond its actual allocation, corrupting adjacent memory or later tripping skb tailroom checks. EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis; despite the auto-assigned 9.8 CVSS, realistic exploitation is constrained to systems running an XDP program on affected Marvell hardware. | CRITICAL | 9.8 | 0.2% | 49 |
|
| CVE-2026-53215 | Memory corruption in the Linux kernel's Marvell mvpp2 (PPv2) Ethernet driver arises from an incorrect RX buffer-recycling order: when mvpp2_rx_refill() fails after the current buffer has already been handed to XDP or attached to an skb, the driver still returns that buffer to the hardware Buffer Manager (BM) pool, allowing the NIC to DMA into memory the RX ring no longer owns. Systems running Marvell Armada SoCs with the mvpp2 driver and XDP or skb RX processing are affected; the fix reorders the refill to complete before the buffer is handed off. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and the CVE is not listed in CISA KEV despite the inflated 9.8 NVD score. | CRITICAL | 9.8 | 0.2% | 49 |
|
| CVE-2026-52914 | Denial of service in the Linux kernel's batman-adv mesh networking module arises from faulty length accounting during fragment reassembly, where the accumulated payload length can be truncated during updates, letting malformed fragment chains bypass validation and drive reassembly with inconsistent length state. The flaw affects systems running the B.A.T.M.A.N. Advanced (batman-adv) module across many stable kernel series and results in a local denial of service per the upstream description. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 7th percentile), and the NVD CVSS of 9.8 conflicts with the upstream 'local denial of service' characterization. | CRITICAL | 9.8 | 0.2% | 49 |
|
| CVE-2026-53002 | Stack out-of-bounds write in the Linux kernel's netfilter connection-tracking SIP application-layer gateway (ALG) allows remote attackers to corrupt kernel stack memory by sending crafted SIP/SDP traffic through a NAT device. The flaw lives in mangle_content_len(), reached via nf_nat_sdp_session → process_sdp when rewriting the SDP Content-Length during SIP INVITE handling, where an unbounded sprintf() overflowed an undersized stack buffer (caught by KASAN). There is no public exploit identified at time of analysis and EPSS is low (0.18%), so despite the NVD 9.8 rating the practical risk is gated by whether the SIP conntrack/NAT helper is in use. | CRITICAL | 9.8 | 0.2% | 49 |
|
| CVE-2026-52993 | Memory corruption in the Linux kernel's TIPC (Transparent Inter-Process Communication) protocol stack allows remote attackers to trigger a double-free in tipc_buf_append() during message reassembly, where tipc_msg_validate() may reallocate and free the working skb while the error path frees a now-stale pointer. Affected systems are those running a vulnerable kernel (introduced around 4.15-era code, present across 5.10-7.0 branches) with the TIPC subsystem in use; successful exploitation can crash the kernel and, depending on heap conditions, potentially lead to privilege escalation. There is no public exploit identified at time of analysis, EPSS risk is low (0.18%, 7th percentile), and it is not listed in CISA KEV. | CRITICAL | 9.8 | 0.2% | 49 |
|
| CVE-2026-53045 | Incorrect DLL-enable logic in the Linux kernel's Tegra124 External Memory Controller (EMC) driver (drivers/memory/tegra/tegra124-emc) caused a reversed check of the EMRS register's A0 bit, which determines whether the memory DLL is enabled (DLL is on when A0 is low). On affected NVIDIA Tegra124 SoC platforms this could mis-program DRAM timing during frequency scaling, leading to memory instability rather than a remotely triggerable compromise. The fix has been backported across stable trees; no public exploit identified at time of analysis, and EPSS is very low (0.18%, 7th percentile). | CRITICAL | 9.8 | 0.2% | 49 |
|