diff --git a/vulns/CVE-2025-68775.yml b/vulns/CVE-2025-68775.yml
new file mode 100644
index 0000000..0ab25a2
--- /dev/null
+++ b/vulns/CVE-2025-68775.yml
@@ -0,0 +1,10 @@
+reachability: Remote
+memory_corruption: true
+bug_class: UAF
+impact: Remote DOS or RCE
+privileges_required: false
+notes: |2-
+ Remote duplicate handshake cancellations double-free a socket ref
+ (UAF/negative refcount) leading to kernel panic or leak; no privileges needed
+author: Oracle Corporation
+version: v0.1
diff --git a/vulns/CVE-2025-71089.yml b/vulns/CVE-2025-71089.yml
new file mode 100644
index 0000000..0c9756a
--- /dev/null
+++ b/vulns/CVE-2025-71089.yml
@@ -0,0 +1,14 @@
+reachability: Local
+memory_corruption: true
+bug_class: UAF
+impact: LPE
+privileges_required: false
+notes: |2-
+ Commit message particularly mentions "Currently, SVA contexts are
+ unprivileged and cannot access kernel mappings. However, the IOMMU will
+ still walk kernel- only page tables all the way down to the leaf entries,
+ where it realizes the mapping is for the kernel and errors out. This means
+ the IOMMU still caches these intermediate page table entries, making the
+ described vulnerability a real concern"
+author: Oracle Corporation
+version: v0.1
diff --git a/vulns/CVE-2026-23074.yml b/vulns/CVE-2026-23074.yml
new file mode 100644
index 0000000..31c880e
--- /dev/null
+++ b/vulns/CVE-2026-23074.yml
@@ -0,0 +1,10 @@
+reachability: Local
+memory_corruption: true
+bug_class: UAF
+impact: LPE
+privileges_required: false
+notes: |2-
+ use-after-free vulnerabilities in net/sched are generally exploitable for
+ LPE by local users(via unshare -rn)
+author: Oracle Corporation
+version: v0.1
diff --git a/vulns/CVE-2026-23231.yml b/vulns/CVE-2026-23231.yml
new file mode 100644
index 0000000..03d51d2
--- /dev/null
+++ b/vulns/CVE-2026-23231.yml
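Review bot: `impact: Remote DOS or RCE` in the CVE-2025-68775 entry is not backed by its `notes`, which only argue a kernel panic or a refcount leak and say nothing about how the double-free would turn into code execution. Either record the reasoning in `notes`, e.g. `RCE listed as the theoretical upper bound for a remote socket UAF; no exploitability analysis reviewed`, or narrow the field to the impact the entry actually argues. The other three entries use the short `LPE` vocabulary for this field, so a value such as `Remote DoS` with the RCE question kept in `notes` would also leave `impact` machine-comparable across the dataset.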
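Review bot: `privileges_required: false` with `reachability: Local` in the CVE-2025-71089 entry omits the precondition implied by the quoted commit text: the attacking process must be able to bind itself into an SVA context, which as far as I know means access to an SVA/PASID-capable device node, so the bug is not reachable by an arbitrary unprivileged user on hardware without such a device or without device-file access. The `notes` field is only a quotation, so add a sentence making the precondition explicit, e.g. `Requires a process able to bind a device into an SVA context (device-node access on SVA-capable hardware)`. The quotation also carries the `kernel- only` line-wrap artifact from the commit message; if the quote is meant to be verbatim that is fine, otherwise it should read `kernel-only`.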
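Review bot: `privileges_required: false` in the CVE-2026-23074 entry rests on the `unshare -rn` remark in `notes`, i.e. on unprivileged user namespaces being enabled, which is a distribution- and sysctl-dependent assumption the entry does not record; the CVE-2026-23231 entry below makes the same unrecorded assumption. Add the dependency to `notes`, e.g. `Assumes unprivileged user namespaces are enabled; with user.max_user_namespaces=0 or equivalent hardening, CAP_NET_ADMIN in the init netns is required`. The notes are also generic to any net/sched use-after-free and do not name the affected qdisc or classifier for this CVE, so a maintainer cannot check the classification against the upstream fix.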
@@ -0,0 +1,10 @@
+reachability: Local
+memory_corruption: true
+bug_class: Use-After-Free
+impact: LPE
+privileges_required: false
+notes: |2-
+ UAF in netfilter subsystem, only check netlink_net_capable() which could be
+ bypassed with unshare -rn --> plausible LPE
+author: Oracle Corporation
+version: v0.1
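Review bot: `bug_class: Use-After-Free` spells the class differently from the `UAF` value written in the other three entries of this commit, so any consumer that groups or filters on `bug_class` will treat this entry as a separate class; change it to `bug_class: UAF`, or normalize all four files to one spelling. The `notes` wording "only check netlink_net_capable() which could be bypassed" is also imprecise, since that call enforces CAP_NET_ADMIN in the user namespace owning the socket's netns and is satisfied, not bypassed, by a fresh user namespace; `requires CAP_NET_ADMIN in the owning netns, obtainable through an unprivileged user namespace where those are enabled` states the actual precondition.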