249
CVEs
0
Critical
39
High
0
KEV
1
PoC
0
Unpatched C/H
66.7%
Patch Rate
0.0%
Avg EPSS
Severity Breakdown
CRITICAL
0
HIGH
39
MEDIUM
2
LOW
0
Monthly CVE Trend
Affected Products (30)
Linux Kernel
3414
Ubuntu
725
Null Pointer Dereference
606
Debian Linux
535
Memory Corruption
453
Use After Free
376
Race Condition
132
Windows
86
Integer Overflow
50
Db2
20
Android
13
Windows Server 2025
12
Windows 11 24h2
11
macOS
11
Windows 11 25h2
10
Exynos 1330 Firmware
10
Exynos 1480 Firmware
10
Windows Server 2022 23h2
10
Windows Server 2022
10
Dx Netops Spectrum
10
Exynos 1380 Firmware
10
Exynos 1580 Firmware
10
Exynos 1280 Firmware
9
Exynos 850 Firmware
9
Exynos W1000 Firmware
9
Exynos W930 Firmware
9
Exynos 1080 Firmware
9
Windows 11 23h2
9
Exynos W920 Firmware
9
Exynos 980 Firmware
9
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-23395 | A buffer overflow vulnerability exists in the Linux kernel's Bluetooth L2CAP implementation where the code fails to properly validate command identifiers when accepting L2CAP_ECRED_CONN_REQ requests, allowing multiple pending requests with identical identifiers to exceed the L2CAP_ECRED_MAX_CID limit of 5 channels and trigger a buffer overflow. All Linux kernel versions containing the vulnerable L2CAP Bluetooth code are affected. An attacker with local Bluetooth access or remote capability could trigger this vulnerability to cause a kernel crash or potentially execute arbitrary code with kernel privileges, though exploitation requires interaction with the Bluetooth subsystem. | HIGH | 8.8 | 0.0% | 44 |
|
| CVE-2026-23246 | A stack out-of-bounds write vulnerability exists in the Linux kernel's mac80211 WiFi subsystem in the ieee80211_ml_reconfiguration function, where the link_id parameter extracted from the ML Reconfiguration element is not properly bounds-checked before being used as an array index. The vulnerability affects Linux kernel versions across multiple release branches (6.5 through 7.0-rc2), allowing an attacker with network proximity to craft a malicious WiFi frame to trigger a buffer overflow and potentially cause denial of service or code execution. While no CVSS score or EPSS data is currently published, the vulnerability has been assigned EUVD-2026-12809 and patches are available across stable kernel branches. | HIGH | 8.8 | 0.0% | 44 |
|
| CVE-2026-31788 | The Xen privcmd driver in the Linux kernel allows unprivileged domain users (domU) to issue arbitrary hypercalls that can bypass Secure Boot protections by modifying kernel memory contents. This vulnerability affects Linux kernel across multiple distributions (particularly Debian with 8 tracked releases) and impacts systems running Xen hypervisor with Secure Boot enabled, where a root process in an unprivileged guest domain could circumvent boot integrity protections. The fix restricts privcmd hypercall access to target a specific domain when running in unprivileged domU contexts, preventing unauthorized memory modification while preserving legitimate device model functionality. | HIGH | 8.2 | 0.0% | 41 |
|
| CVE-2026-23351 | A use-after-free vulnerability exists in the Linux kernel's netfilter nft_set_pipapo (Pipelined Packet Processing) set type garbage collection mechanism. The vulnerability allows local attackers to trigger denial of service through soft lockup warnings and RCU stall reports by creating a large number of expired elements that trigger prolonged, non-preemptible garbage collection operations. The affected product is the Linux kernel across all versions, with patches available in the stable series via multiple commit references. | HIGH | 7.8 | 0.0% | 39 |
|
| CVE-2026-23243 | A negative integer underflow vulnerability exists in the Linux kernel's RDMA/umad subsystem where the ib_umad_write function fails to validate user-controlled data_len calculations, allowing a mismatch between user MAD header size and RMPP header length to produce negative values. This negative data_len can propagate to ib_create_send_mad() and trigger an out-of-bounds memset in alloc_send_rmpp_list(), causing kernel memory corruption and denial of service. The vulnerability affects Linux kernel versions from 2.6.24 through multiple stable branches (5.10, 5.15, 6.1, 6.6, 6.12, 6.18, 6.19) and requires local access to RDMA user-mode interface to exploit, with patches available across multiple stable kernel versions as referenced in the git commits. | HIGH | 7.8 | 0.0% | 39 |
|
| CVE-2026-23273 | A use-after-free race condition exists in the Linux kernel's macvlan driver within the macvlan_common_newlink() error handling path. When a macvlan device creation fails after the network device becomes visible to the RCU (Read-Copy-Update) subsystem, the caller's subsequent free_netdev(dev) can race with ongoing packet forwarding operations, causing kernel memory corruption and potential information disclosure. This vulnerability affects Linux kernel versions 5.10 through 6.19 and later, and while no public exploit exists, the issue is reproducible via crafted netlink commands that trigger concurrent device creation and packet transmission. | HIGH | 7.8 | 0.0% | 39 |
|
| CVE-2026-23306 | A use-after-free vulnerability exists in the Linux kernel's pm8001 SCSI driver where the pm8001_queue_command() function incorrectly returns -ENODEV after already freeing a SAS task, causing the upper-layer libsas driver to attempt a second free operation. This affects all Linux kernel versions with the vulnerable pm8001 driver code, and while not remotely exploitable by default, it can lead to kernel memory corruption and denial of service on systems using PM8001-compatible SCSI controllers. No CVSS score, EPSS data, or active KEV status is currently available, but multiple stable kernel patches have been released across multiple branches. | HIGH | 7.8 | 0.0% | 39 |
|
| CVE-2026-23317 | A logic error in the Linux kernel's drm/vmwgfx driver causes the vmw_translate_ptr functions to return success when pointer lookups actually fail, because the error handling was not updated when the underlying lookup function's return mechanism changed from returning a pointer to returning an error code with pointer as an out parameter. This allows uninitialized pointer dereferences and out-of-bounds memory access when the functions incorrectly report success, potentially enabling information disclosure or privilege escalation via the VMware graphics driver. | HIGH | 7.8 | 0.0% | 39 |
|
| CVE-2026-23336 | A use-after-free vulnerability exists in the Linux kernel's cfg80211 WiFi subsystem where the rfkill_block work queue is not properly cancelled during wireless device (wiphy) unregistration, allowing a worker thread to access freed memory. This affects all Linux kernel versions in the cfg80211 module (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), and while no CVSS score or EPSS data is available, the vulnerability can trigger a kernel crash or information disclosure when a WiFi device is removed while rfkill operations are pending. | HIGH | 7.8 | 0.0% | 39 |
|
| CVE-2026-23340 | A use-after-free (UAF) vulnerability exists in the Linux kernel's network queue discipline (qdisc) subsystem when shrinking the number of transmit queues on network interfaces. The vulnerability occurs because qdisc_reset_all_tx_gt() can reset and free skb buffers concurrently with the lockless dequeue path (qdisc_run_begin/end), allowing freed memory to be accessed during packet dequeuing. All Linux kernels with lockless qdisc support are affected, and the vulnerability has been demonstrated via a practical reproduction case involving virtio-net devices under heavy traffic while changing queue pair counts. Multiple stable kernel patches are available addressing the issue. | HIGH | 7.8 | 0.0% | 39 |
|
| CVE-2026-23372 | A race condition exists in the Linux kernel's NFC rawsock implementation where the tx_work function can execute concurrently with socket teardown, leading to use-after-free vulnerabilities when accessing NCI device structures. This affects all Linux kernel versions with the vulnerable NFC rawsock code path, particularly impacting systems where processes are forcefully terminated (e.g., via SIGKILL). An attacker with local access to trigger socket teardown race conditions could cause kernel memory corruption, information disclosure, or denial of service. | HIGH | 7.8 | 0.0% | 39 |
|
| CVE-2026-23378 | A buffer overflow vulnerability exists in the Linux kernel's IFE (Intermediate Functional Element) traffic control action module where metadata list replacement incorrectly appends new metadata instead of replacing old entries, causing unbounded metadata accumulation. This affects all Linux kernel versions with the vulnerable IFE scheduling code (cpe:2.3:a:linux:linux). An attacker with the ability to modify traffic control rules can trigger an out-of-bounds write via the ife_tlv_meta_encode function, potentially achieving kernel memory corruption and denial of service. The vulnerability is not listed as actively exploited in public KEV databases, but patches are available across multiple stable kernel branches. | HIGH | 7.8 | 0.0% | 39 |
|
| CVE-2026-23391 | A use-after-free vulnerability exists in the Linux kernel's netfilter xt_CT module where pending enqueued packets maintain references to template objects that can be freed when helper modules are removed or timeout policies are deleted via nfnetlink_cttimeout. An attacker with the ability to unload kernel modules or manipulate netfilter timeout policies could trigger a kernel crash or information disclosure by causing the kernel to access freed memory when processing queued packets. While no CVSS score, EPSS probability, or KEV status has been assigned, the availability of six distinct kernel patch commits across stable branches indicates active remediation and acknowledgment of the vulnerability as a real kernel stability issue. | HIGH | 7.8 | 0.0% | 39 |
|
| CVE-2026-23392 | A use-after-free vulnerability exists in the Linux kernel's netfilter nf_tables flowtable implementation during error handling in the hook registration path. When hook registration fails (due to reaching maximum hook limits or hardware offload setup failures), the flowtable is not properly synchronized with RCU grace periods before being released, allowing concurrent packet processing or control plane operations (nfnetlink_hook) to access freed memory. This vulnerability affects all Linux kernel versions with the vulnerable nf_tables code and was discovered via KASAN reports during hook dumping operations; while not currently listed in known exploited vulnerabilities (KEV) databases, the use-after-free nature presents a real risk for denial of service or information disclosure in environments utilizing netfilter flowtables. | HIGH | 7.8 | 0.0% | 39 |
|
| CVE-2026-23253 | This vulnerability in the Linux kernel's DVB core media subsystem causes improper reinitialization of a shared ringbuffer waitqueue when the DVR device is reopened, orphaning existing io_uring poll and epoll waitqueue entries with stale pointers. Affected Linux kernels of all versions prior to the patched commits are vulnerable, potentially leading to information disclosure or kernel instability when multiple readers interact with the DVR device simultaneously. While no CVSS score or EPSS probability has been assigned and no active exploitation in the wild is documented, the vulnerability has been patched in stable kernel releases, indicating developer recognition of its severity. | HIGH | 7.8 | 0.0% | 39 |
|