By severity

Medium-severity vulnerabilities

CVEs rated Medium by CVSS, with SEC.co remediation and prioritization guidance.

40 published vulnerabilities

  • CVE-2025-48977MEDIUM 6.5

    Apache Ignite REST API contains a path traversal vulnerability that allows authenticated users to read arbitrary files from the server by manipulating the log path parameter in API commands. An attacker with valid REST API credentials can escape the intended log directory and access sensitive files anywhere on the system. This affects Ignite versions 2.0.0 through 2.17.0, and the vendor has released version 2.18.0 to address it.

  • CVE-2026-3173MEDIUM 6.5

    The Meta Field Block plugin for WordPress has a permission-checking flaw that lets Contributor-level users and above read sensitive data stored in WordPress metadata. An attacker with basic contributor access can specify any object ID and type—bypassing the plugin's validation—to retrieve private information like user details, customer billing addresses, or other metadata that WordPress site administrators expected to keep hidden. On sites running e-commerce or membership plugins, this can expose personally identifiable information at scale.

  • CVE-2026-41141MEDIUM 6.5

    EspoCRM versions before 9.3.5 contain an access control bypass in the email template preparation endpoint. An authenticated user with basic EmailTemplate read permissions can extract sensitive field data from any Contact, Lead, Account, or User record by providing the target's email address—effectively circumventing role-based visibility restrictions. This allows lower-privileged users to read information they should not have access to, such as financial details, personal fields, or team-restricted records.

  • CVE-2026-41184MEDIUM 6.5

    Calico's CNI installer container accidentally logs Kubernetes ServiceAccount tokens to standard output during deployment, specifically when using Canal or Flannel-Calico configurations. Any user with permission to view pod logs in the affected namespace can retrieve this token, which grants the ability to modify pod annotations—a vector for attacking workloads in your cluster. The vulnerability is a regression of a previously fixed issue and does not affect deployments using the default kubeconfig authentication method.

  • CVE-2026-41185MEDIUM 6.5

    Calico, a widely-used open-source networking plugin for Kubernetes, logs sensitive authentication credentials to plaintext files when deployed with Azure's IPAM plugin and token-based Kubernetes authentication. The vulnerability occurs because the Calico CNI binary adds subnet information to the configuration before forwarding it to Azure IPAM for processing. During this handoff, the entire configuration—including Kubernetes ServiceAccount tokens, client keys, and certificate authority data—is logged at INFO level to /var/log/calico/cni/cni.log. This happens on every pod scheduling or termination, creating a high-frequency credential leak. Any user or process with read access to node-level logs can extract cluster-wide Calico networking administrator credentials without triggering alarms.

  • CVE-2026-4334MEDIUM 6.4

    The Shariff Wrapper plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting versions up to 4.6.20. Attackers with Contributor-level access or higher can inject malicious scripts through the 'headline' parameter in the [shariff] shortcode. When other users view the affected page, the injected code executes in their browsers, potentially enabling session hijacking, credential theft, or further compromise. The vulnerability stems from the plugin's use of a permissive HTML sanitization routine followed by unsafe string replacement operations that reintroduce dangerous content after the sanitization check.

  • CVE-2026-44462MEDIUM 6.4

    Zed is a popular code editor that includes a terminal tool with permission controls meant to restrict which commands can be executed. Prior to version 0.229.0, an attacker could bypass these restrictions by chaining bash variable expansion syntax—specifically the ${var@P} expansion—to execute arbitrary commands even when they appeared to violate the allowed command prefix rules. This requires user interaction (opening a malicious project or terminal configuration) but grants the attacker code execution within the editor's process context.

  • CVE-2026-46104MEDIUM 5.5

    A flaw exists in how the Linux kernel's SELinux security module accesses socket security data when multiple security modules are stacked together. The vulnerability occurs because SELinux directly reads socket security information from a hardcoded memory location, assuming it will always find its own data there. When another security module is loaded first, SELinux reads the wrong data instead, potentially using invalid security identifiers in permission checks. This can cause the kernel to crash due to invalid memory access or improper security decisions.

  • CVE-2026-46106MEDIUM 5.5

    A race condition in the Linux kernel's eventfs subsystem can cause memory corruption or system crashes when users simultaneously remount the tracefs filesystem (which hosts performance monitoring tools) while creating or deleting tracepoints. The vulnerability arises because the kernel walks through a list of event structures during remount without proper synchronization, allowing concurrent operations to corrupt data structures or access freed memory. This is a local issue affecting only users with permission to remount filesystems and modify tracing events.

  • CVE-2026-46108MEDIUM 5.5

    A flaw in the Linux kernel's IPMI serial interface (SI) driver can leave the system in an abnormal state when message allocation fails. Normally, failed operations trigger cleanup routines that reset the driver to a ready state. This vulnerability occurs because certain error paths skip that reset logic, potentially causing the driver to remain hung or unresponsive. An attacker with local system access could trigger memory allocation failures under specific conditions, degrading system availability until the driver is manually restarted or the system reboots.

  • CVE-2026-46109MEDIUM 5.5

    A memory leak exists in the Linux kernel's USB ULPI (UTMI Low Pin Interface) driver registration code. When certain initialization steps fail early in the device registration process, allocated memory is not properly freed, allowing memory to accumulate over repeated failures. This is a residual issue from a prior fix that addressed a different memory safety problem. The vulnerability requires local access and elevated privileges to trigger.

  • CVE-2026-46118MEDIUM 5.5

    A flaw in the Linux kernel's PAPR hypervisor pipe driver can cause the kernel to crash when attempting to create a device handle. The issue stems from a recent code refactoring that changed how the driver manages memory allocation and cleanup. When the driver tries to reuse a data structure after it has been cleared, the kernel attempts to access invalid memory, leading to a null pointer dereference and system panic. An unprivileged local user with ioctl access can trigger this crash, resulting in a denial of service.

  • CVE-2026-46126MEDIUM 5.5

    CVE-2026-46126 is a memory cleanup bug in the Linux kernel's RDMA/mana driver that occurs during queue pair creation with RSS (Receive Side Scaling) support. When certain operations fail during setup, the kernel fails to properly release allocated work queue objects, leaving dangling resources. An unprivileged local user can trigger this condition to cause a denial of service by exhausting kernel resources or crashing the system.

  • CVE-2026-46127MEDIUM 5.5

    A local memory safety issue exists in the Linux kernel's RDMA over Converged Ethernet (OCRDMA) driver. During certain error conditions in the protection domain setup function, the code attempts to dereference a null pointer instead of using a valid reference, potentially crashing the system. The vulnerability requires local access and specific user privileges to trigger, making it a moderate-severity issue affecting system stability rather than confidentiality or integrity.

  • CVE-2026-46128MEDIUM 5.5

    A vulnerability in the Linux kernel's IPMI (Intelligent Platform Management Interface) subsystem allows local authenticated users to cause a denial of service. The issue stems from insufficient validation of event message buffer responses from Baseboard Management Controllers (BMCs). Some BMCs may return empty or malformed event messages instead of proper error responses, which the kernel fails to validate immediately. This can lead to kernel crashes or hangs when processing these invalid responses. The vulnerability requires local access and authenticated privileges to trigger, limiting its immediate blast radius but requiring attention in environments where untrusted local users have system access.

  • CVE-2026-46131MEDIUM 5.5

    A flaw exists in the Linux kernel's virtualization layer (KVM) where the hypervisor incorrectly validates guest memory operations in nested virtual machines. The vulnerability occurs when checking whether a guest is running nested virtualization—the code currently checks only whether an L2 guest exists, but fails to verify that nested EPT (Extended Page Tables) or NPT (Nested Page Tables) is actually enabled. This mismatch allows a local process running inside a nested guest to trigger denial-of-service conditions by invoking hypercalls that attempt invalid memory translations. The impact is limited to availability; an attacker cannot read or modify data.

  • CVE-2026-46132MEDIUM 5.5

    CVE-2026-46132 is a kernel memory leak in the Linux networking subsystem that allows unprivileged local users to read up to 26 bytes of uninitialized kernel stack memory per virtual function (VF) per request. The vulnerability exists in the rtnetlink interface handler that reports virtual NIC configuration. When a user requests virtual function information, the kernel fails to zero-initialize a buffer before partially filling it with MAC broadcast data, leaving residual stack contents exposed to userspace. An attacker needs only basic local network namespace access to trigger repeated information leaks.

  • CVE-2026-46134MEDIUM 5.5

    A Linux kernel vulnerability in the Chrome OS Embedded Controller (cros_ec) Thunderbolt registration code fails to initialize a mutex lock, causing the system to crash when the uninitialized lock is later accessed. This affects devices that use the affected kernel code path during Thunderbolt device registration and mode switching. An unprivileged local user can trigger the crash by interacting with Thunderbolt/USB-C functionality, resulting in a denial of service.

  • CVE-2026-46139MEDIUM 5.5

    A flaw in the Linux kernel's SMB client code leaves a security descriptor buffer partially uninitialized when building access control lists. Specifically, a 2-byte reserved field in the ACL structure—which must be zero according to the SMB protocol specification—is left containing whatever garbage data happened to be in that heap memory. When Samba or other SMB servers validate the descriptor, they reject it if those bytes are non-zero, causing file permission operations like chmod to fail with an invalid argument error. The fix is straightforward: replace the memory allocation function with one that zeroes the buffer before use.

  • CVE-2026-46141MEDIUM 5.5

    A memory leak vulnerability exists in the Linux kernel's PowerPC XIVE interrupt handling code. When allocating MSI-X interrupt vectors for NVMe devices, the kernel creates interrupt data structures but fails to properly clean them up when the interrupt domain is freed. This occurs because the code looks for the data in the wrong place during cleanup, causing allocated memory to be abandoned. While this is a localized memory management issue, repeated device allocation and deallocation cycles could gradually consume system memory and degrade performance.

  • CVE-2026-46142MEDIUM 5.5

    A flaw in the Linux kernel's libwx network driver allows a virtual machine or container running as a non-privileged user to trigger a system hang by reading a hardware register that should only be accessible to the physical device owner. During virtual function (VF) initialization, the driver incorrectly attempts to access a restricted register (WX_CFG_PORT_ST), causing the system to hang. The issue stems from the driver not properly distinguishing between physical function (PF) and virtual function device contexts when accessing low-level hardware state.

  • CVE-2026-46143MEDIUM 5.5

    CVE-2026-46143 is a memory leak vulnerability in the Linux kernel's QCOM audio subsystem. The issue occurs in the ASoC (ALSA System on Chip) driver for QCOM Q6APM LPASS audio interfaces, where the prepare function can be invoked multiple times. Each invocation opens a new graph for the playback path without checking if one is already open, resulting in cumulative resource exhaustion. While the vulnerability requires local access and low-privilege execution context, the impact is availability disruption through memory exhaustion.

  • CVE-2026-46144MEDIUM 5.5

    A memory cleanup issue exists in the Linux kernel's RDMA/mana driver when creating RSS (Receive-Side Scaling) queue pairs. If an error occurs during queue pair creation, a virtual port steering configuration is not properly freed, leading to a resource leak. While this is a memory management issue rather than a direct data breach risk, it can degrade system stability under error conditions or be exploited to exhaust kernel memory resources on systems with RDMA/mana network adapters.

  • CVE-2026-46146MEDIUM 5.5

    A vulnerability exists in the Linux kernel's USB audio driver that could cause the system to hang indefinitely when processing a specially crafted USB device descriptor. The flaw is in the convert_chmap_v3() function, which processes audio channel mapping information without properly validating the descriptor size field. An attacker with local access could trigger this endless loop, causing a denial of service. The issue affects multiple versions of the Linux kernel and requires local access to exploit.

  • CVE-2026-46147MEDIUM 5.5

    A flaw in the Linux kernel's ARM64 KVM (virtualization) implementation can cause system resource leaks and expose partially initialized virtual CPU objects to concurrent access. When vCPU initialization encounters an error partway through, cleanup code fails to release pinned memory references, accumulating leak over time. Additionally, the vCPU object is published to shared state without proper synchronization barriers, risking observers seeing an incompletely initialized structure. This affects hypervisor deployments using ARM64-based KVM virtualization.

  • CVE-2026-46148MEDIUM 5.5

    A flaw in the Linux kernel's Microchip CoreQSPI SPI controller driver causes incorrect chip select (CS) line management when multiple SPI devices are connected. The hardware's built-in CS is automatically controlled by design, but this automatic behavior conflicts with proper operation when GPIO-based chip selects are also in use. The driver was modified to manually control the CS line instead, allowing correct behavior for both active-low and active-high devices, and preventing the built-in CS from being asserted while other GPIO-controlled devices are being accessed.

  • CVE-2026-46151MEDIUM 5.5

    A flaw in the Linux kernel's USB printer driver (usblp) allows a malicious or malfunctioning printer to leak uninitialized kernel memory to local users. When a printer responds to a device ID request with fewer bytes than claimed in its length header, the driver fails to zero out the remaining buffer before exposing it via sysfs or an ioctl. An attacker with local access could craft a printer (or intercept USB traffic) to trigger this and read sensitive kernel memory.

  • CVE-2026-46153MEDIUM 5.5

    A memory leak exists in the Linux kernel's VLAN (802.1Q) network driver. When network administrators repeatedly configure and then clear egress QoS priority mappings on VLAN interfaces, the kernel fails to properly delete the cleared mappings. Instead, it retains them as empty placeholders (tombstones) in memory. Over time, this causes memory to accumulate and leak, eventually exhausting system resources when the VLAN device is torn down. The fix involves properly deleting these cleared mappings after a safe grace period rather than leaving them in place.

  • CVE-2026-46156MEDIUM 5.5

    A flaw in the Linux kernel's Loongson GPU driver can cause a system crash when the code attempts to read from an invalid memory address during hardware initialization. The vulnerability occurs in the `loongson_gpu_fixup_dma_hang()` function, which uses incorrect logic to identify and configure GPU devices on certain Loongarch-based systems. When a discrete GPU is present in a non-standard PCI slot configuration, the driver may try to access memory at a random address, triggering a kernel panic. This is a local issue that requires prior system access and affects the stability and availability of affected systems.

  • CVE-2026-46158MEDIUM 5.5

    CVE-2026-46158 is a resource leak in the Linux kernel's MPTCP (Multipath TCP) protocol implementation. When the kernel retransmits an ADD_ADDR control message, it fails to properly release a reference to a socket object in certain error paths, allowing the socket's memory to remain allocated longer than necessary. This leak occurs only when specific unlikely conditions are met during ADD_ADDR retransmission, making it a localized but real availability concern on systems handling MPTCP traffic.

  • CVE-2026-46160MEDIUM 5.5

    A flaw in the Linux kernel's Btrfs filesystem can corrupt the transaction log during recovery if a directory is removed while a process still holds an open file descriptor to it and performs an fsync operation. When the system crashes after this sequence, the filesystem becomes inconsistent and fails to mount, resulting in data loss or extended downtime. This is a local issue requiring user-level access and specific conditions to trigger.

  • CVE-2026-46161MEDIUM 5.5

    A divide-by-zero vulnerability exists in the Linux kernel's RAID10 disk management code. When a user configures RAID10 with a "far_copies" value of zero, the kernel crashes instead of rejecting the invalid configuration. This requires local access and root-level privileges to trigger, making it a local denial-of-service risk rather than a remote compromise threat.

  • CVE-2026-46165MEDIUM 5.5

    A self-deadlock vulnerability exists in the Linux kernel's Open vSwitch module when tunnel ports are released. The issue occurs because the code attempts to clean up network device references while holding locks that prevent the cleanup from completing, causing the system to hang during tunnel port deletion. This is a local denial-of-service condition that affects systems running vulnerable kernel versions with Open vSwitch configured.

  • CVE-2026-46167MEDIUM 5.5

    A flaw in the Linux kernel's USB printer driver (usblp) allows uninitialized kernel memory to leak to user-space applications through the LPGETSTATUS ioctl command. When a USB printer responds with fewer bytes than expected, the driver fails to initialize the response buffer properly, potentially exposing stale heap memory to callers. This can occur even with standard-behaving printers; the vulnerability is particularly concerning in multi-user environments where one user's application could inadvertently receive residual kernel memory from prior operations.

  • CVE-2026-46168MEDIUM 5.5

    A vulnerability in the Linux kernel's multipath TCP (MPTCP) implementation allows a local attacker with standard user privileges to trigger a denial-of-service condition. The issue stems from improper locking during socket option handling for timestamps. When the kernel attempts to set timestamp options, it uses a fast atomic lock that cannot safely call functions designed to sleep, resulting in a kernel panic. An unprivileged user can exploit this by making specific socket option calls, causing the system to crash or become unresponsive.

  • CVE-2026-46169MEDIUM 5.5

    CVE-2026-46169 is a memory initialization bug in the Linux kernel's HFS+ filesystem driver. When mounting a corrupted HFS+ filesystem, the kernel may read incomplete catalog records and fail to detect that the data is truncated. This leaves portions of a kernel data structure uninitialized. Later, when the filesystem code attempts to process the incomplete record—such as performing case-insensitive string comparison—it uses the uninitialized memory as array indices, triggering a kernel warning. An unprivileged local attacker with the ability to mount a crafted filesystem image could trigger this condition, potentially causing a denial of service or information disclosure.

  • CVE-2026-46170MEDIUM 5.5

    A flaw in the Linux kernel's MPTCP (Multipath TCP) path manager can cause a denial of service when certain network protocol messages are retransmitted. Specifically, when an ADD_ADDR message is resent, the kernel may mismanage internal reference counting for a socket object, potentially leading to a deadlock or crash. An unprivileged local user can trigger this condition, causing the affected system to become unresponsive.

  • CVE-2026-46159MEDIUM 4.7

    A race condition in the Linux kernel's btrfs filesystem driver can leak uninitialized kernel memory to unprivileged local users. The vulnerability exists in the ioctl handler that reports storage space information. When block groups are concurrently removed by the system during the space query operation, the kernel copies more data to userspace than it actually wrote, exposing sensitive kernel memory. An attacker with local access can exploit this timing window to read information that should not be accessible.

  • CVE-2026-40914MEDIUM 4.3

    Apache Artemis has a flaw in how it enforces permissions when users communicate via the STOMP protocol. A user with permission to send or receive messages on a particular address can trick the system into accepting messages with a message routing-type that the address doesn't normally support. This bypasses an important security boundary: only administrators with explicit createAddress permission should be able to change an address's routing-type capabilities. An attacker could exploit this to send or consume messages in ways that violate the intended security policy, even though their basic send/consume permissions are legitimate.

  • CVE-2026-41160MEDIUM 4.3

    EspoCRM contains a logic flaw that allows lower-privileged users to pin notes they don't have permission to edit. The vulnerability stems from a timing issue in the API backend: the system modifies the note in the database before checking whether the user is actually authorized to do so. Even though the server returns an error message afterward, the damage is already done—the note remains pinned. This affects EspoCRM versions before 9.3.5.