Linux Kernel Bug List

Siamese
April 11, 2026

This list includes 367 entries in total. Each entry is a SHA-256 digest corresponding to a bug report and is backed by a confirmed KASAN report. We group them into three broad categories.

  • Memory corruption includes heap out-of-bounds accesses, use-after-free, stack overflows, invalid frees, and double frees.
    • Unprivileged
    • Privileged (default root-triggerable)
  • DoS includes null pointer dereferences, refcount leaks leading to OOM, deadlocks, and some race conditions that we did not have enough time to analyze in detail.

Most of these bugs (more than 300) were found by us within 60 hours, and we did not have enough time to perform detailed manual analysis and validation for every single bug. We do have a full LLM-based automation pipeline for analysis, but pasting LLM-generated severity claims without manual verification would be irresponsible. Because of that, some bugs currently classified as memory corruption may not actually be exploitable for privilege escalation and may turn out to be DoS only.

Likewise, some bugs currently classified as DoS may still be exploitable, because the observable symptom is only one of several possible end states after the bug is triggered. A good example is CVE-2025-38477, where a bug that looked like a null pointer dereference was eventually turned into a clean and reliable local privilege escalation by researchers from ASU.

So our classification is more like a first-pass triage. But we do guarantee the definitions are precise at the reporting level: every listed bug has a corresponding KASAN report.
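
Symptom-level triage of this kind can be illustrated by labelling KASAN reports by the bug type printed in their header line. This is an added example, not the authors' pipeline; the type-to-category mapping, the names `triage` and `tally`, and the sample reports are assumptions constructed here.

```python
import re
from collections import Counter

# KASAN bug-type strings mapped to the post's categories. The mapping is an
# assumption made for this example, not the authors' pipeline.
MEMORY_CORRUPTION = {
    "slab-out-of-bounds", "slab-use-after-free", "use-after-free",
    "stack-out-of-bounds", "global-out-of-bounds", "vmalloc-out-of-bounds",
    "out-of-bounds", "double-free", "invalid-free",
}
DOS = {"null-ptr-deref"}

HEADER = re.compile(r"BUG: KASAN: (?P<type>[a-z-]+) in (?P<func>[\w.]+)")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr")

def triage(report):
    """Label one KASAN report by its observed symptom only."""
    header = HEADER.search(report)
    if header is None:
        return {"category": "unparsed", "type": None, "function": None, "access": None}
    access = ACCESS.search(report)  # absent in double-free/invalid-free reports
    bug_type = header["type"]
    if bug_type in MEMORY_CORRUPTION:
        category = "memory-corruption"
    elif bug_type in DOS:
        category = "dos"
    else:
        category = "unclassified"  # e.g. wild-memory-access: left for manual review
    return {
        "category": category,
        "type": bug_type,
        "function": header["func"],
        "access": (access["op"].lower(), int(access["size"])) if access else None,
    }

def tally(reports):
    return Counter(triage(r)["category"] for r in reports)

# Constructed sample reports: function names, addresses and PIDs are made up.
SAMPLES = [
    "[  101.000001] BUG: KASAN: slab-use-after-free in example_release+0x4c/0x90\n"
    "[  101.000002] Write of size 8 at addr ffff888012345678 by task repro/4242\n",
    "[  102.000001] BUG: KASAN: null-ptr-deref in example_lookup+0x1a/0x60\n"
    "[  102.000002] Read of size 4 at addr 0000000000000018 by task repro/4243\n",
    "[  103.000001] BUG: KASAN: double-free in kfree+0x2c/0x130\n"
    "[  103.000002] Free of addr ffff888087654321 by task repro/4244\n",
]

if __name__ == "__main__":
    print([triage(s) for s in SAMPLES], dict(tally(SAMPLES)))
```

The label reflects only what the report header shows, so a `dos` result here says nothing about whether the underlying bug has other end states.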

Unprivileged Memory Corruptions

Here are 67 unique memory corruption bugs that can be triggered from unprivileged userspace. Every one of them is backed by a confirmed KASAN report.

More specifically, 14 of these bugs can be triggered by a low-privilege user with no additional privileges at all, while 55 require the ability to create unprivileged user namespaces. Whether that is allowed depends on the distribution and configuration, e.g. Fedora generally allows it, while on recent Ubuntu releases, unprivileged user namespaces are restricted by default.

Privileged Memory Corruptions

Here are 171 unique memory corruption bugs that, on a default and fresh Linux setup, appear to require root to trigger. Every one of them is backed by a confirmed KASAN report.

In kernel security, there are very few absolute standards. Kernel maintainers and CNAs are still willing to assign CVEs to non-DoS memory corruption bugs that appear to be root-only, because proving that a bug is truly reachable only by root across all distributions is often close to impossible, and non-DoS memory corruption can still have LPE potential.

For example, a user may install a third-party driver that exposes a code path that used to be reachable only by root, while still allowing limited but sufficient interaction from an unprivileged user to trigger the bug.

And yes, if you go shopping for a sufficiently accommodating third-party CNA, you can sometimes even get a CVE for a local root-only DoS that is obviously not going to become LPE (and then sell your “high-value” CVE to the public). That is absurd, but it seems to be the reality.

Denial of Service

Here are 129 unique bugs that may result in DoS conditions, including null pointer dereferences and OOM. Every one of them is backed by a confirmed KASAN report.

Most of these bugs are unlikely to be exploitable for LPE or RCE, and we do not count DoS as “exploitable” in our statistics. As noted above, issues such as null pointer dereferences can still sometimes be turned into LPE. But for most DoS bugs, DoS is still where they end. We are not going to hype them up as “critical security issues” just to inflate the numbers.

That said, we still consider these bugs worth fixing, and we intend to fix all of them responsibly and disclose them after the fixes are merged.