CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedHat Linux•added 2 days ago•6 views

kernel: mptcp: fix slab-use-after-free in __inet_lookup_established

A flaw was found in the Linux kernel's Multipath TCP MPTCP implementation. Due to incorrect memory allocation for IPv6 subflow child sockets, a use-after-free vulnerability exists. A remote attacker could exploit this by triggering concurrent lookups in the kernel's hash table, potentially leadin...

9.8CVSS5.9AI score0.004EPSS

8.8CVSS5.8AI score0.0026EPSS

kernel: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers

A flaw was found in the Linux kernel's Bluetooth subsystem. This vulnerability, a Use-After-Free UAF, exists within the Secure Simple Pairing SSP passkey handlers. It occurs when hciconn lookup and field access are performed without proper locking, allowing a connection to be freed concurrently...

7.8CVSS5.5AI score0.00183EPSS

kernel: xen/privcmd: fix double free via VMA splitting

A flaw was found in the Linux kernel's xen/privcmd module. A local user could exploit this by performing a partial unmapping of a privcmd memory region. This action causes a Virtual Memory Area VMA to split, leading to duplicated internal memory pointers. As a result, the same memory can be freed...

CVE•added 2 days ago•3 views

CVE-2026-0143

The CVE-2026-0143 issue is in LWIS (lwIS) device handling: in lwis_device_external_event_emit of lwis_event.c, a memory corruption via use-after-free is reported, enabling local escalation of privilege with System execution privileges, and no user interaction is required. Public documents from NV...

7.8CVSS5.7AI score0.00073EPSS

Exploits0References1Affected Software1

Cvelist•added 2 days ago•19 views

CVE-2026-0143

In lwisdeviceexternaleventemit of lwisevent.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation...

0.00073EPSS

CVE•added 2 days ago•6 views

CVE-2026-0137

CVE-2026-0137 affects the EdgeTPU kernel driver. The root cause is a use-after-free in the function edgetpu_sync_fence_group_shutdown() within edgetpu-dmabuf.c, which can enable a local elevation of privilege. The impact is local escalation to System execution privileges, with no user interaction...

7.8CVSS5.5AI score0.00074EPSS

Exploits0References1Affected Software1

Cvelist•added 2 days ago•19 views

CVE-2026-0137

In edgetpusyncfencegroupshutdown of edgetpu-dmabuf.c, there is a possible elevation of privilege due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation...

0.00074EPSS

Cvelist•added 2 days ago•19 views

CVE-2026-0125

0.00067EPSS

CVE•added 2 days ago•7 views

CVE-2026-0125

CVE-2026-0125 is a local elevation-of-privilege issue caused by a use-after-free in vpu_ioctl.c across multiple functions, triggered by a race condition. The vulnerability allows a local attacker to escalate privileges without additional execution privileges or user interaction, as described in s...

7CVSS5.6AI score0.00067EPSS

Exploits0References1Affected Software1

8.8CVSS5.8AI score0.0026EPSS

kernel: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers

9.8CVSS5.9AI score0.004EPSS

kernel: mptcp: fix slab-use-after-free in __inet_lookup_established

RedHat Linux•added 2 days ago•5 views

kernel: wifi: mac80211: remove station if connection prep fails

A flaw was found in the Linux kernel's mac80211 Wi-Fi subsystem. When Multi-Link Operation MLO connection preparation fails, the system may not correctly remove the associated station. This can lead to a use-after-free or double-free vulnerability in the debugfs component, potentially causing...

8.8CVSS5.4AI score0.00268EPSS

RedHat Linux•added 2 days ago•6 views

kernel: xen/privcmd: fix double free via VMA splitting

7.8CVSS5.5AI score0.00183EPSS

NVD•added 2 days ago•7 views

CVE-2026-10638

subsys/net/ip/icmpv6.c reads the network interface from a netpkt after that packet has been handed to nettrysenddata. In icmpv6handleechorequest and neticmpv6senderror, the post-send statistics update calls netpktifacereply/netpktifacepkt on the just-sent packet. The send path nettrysenddata -...

5.9CVSS0.00339EPSS

NVD•added 2 days ago•5 views

CVE-2026-10640

Zephyr's IPv6 Neighbor Discovery send paths netipv6sendna, netipv6sendns, netipv6sendrs in subsys/net/ip/ipv6nbr.c updated the per-interface ICMP-sent statistics by calling netpktifacepkt after netsenddatapkt had already returned successfully. On the success path the network stack owns and releas...

4.2CVSS0.00143EPSS

NVD•added 2 days ago•5 views

CVE-2026-10639

In Zephyr's native IPv4 stack, icmpv4handleechorequest in subsys/net/ip/icmpv4.c builds an echo-reply packet reply, hands it to nettrysenddata, and then, on success, calls netstatsupdateicmpsentnetpktifacereply. nettrysenddata transfers ownership of reply to the TX path netiftryqueuetx - netiftx ...

4.8CVSS0.00193EPSS

NVD•added 2 days ago•6 views

CVE-2026-10636

In Zephyr's IPv4 IGMP implementation, igmpsend in subsys/net/ip/igmp.c read the network interface back out of the packet via netpktifacepkt after the packet had been handed to netsenddata. On the successful-send path the packet's last reference may already have been released by the L2 driver or b...

3.7CVSS0.00252EPSS