Linux suffers from two bugs in PT_SUSPEND_SECCOMP. One allows for permission bypass and the other relates to a ptracer death race.
This Metasploit module exploits a vulnerability in the Linux Kernel's watch_queue event notification system. It relies on a heap out-of-bounds write in kernel memory. The exploit may fail on the first attempt so multiple attempts may be needed. Note that the exploit can potentially cause a denial of service if multiple failed attempts occur, however this is unlikely.
BlueZ suffers from a vulnerability where a malicious USB device can steal Bluetooth link keys over HCI using a fake BD_ADDR. It was also discovered that bluetoothd suffers from a double-free memory corruption flaw.
Linux suffers from a vulnerability where FUSE allows use-after-free reads of write() buffers, allowing theft of (partial) /etc/shadow hashes.
The Linux watch_queue filter suffers from an out-of-bounds write vulnerability.
In Linux, drivers/net/usb/ax88179_178a.c contains multiple out-of-bounds accesses in ax88179_rx_fixup(), the function responsible for taking a buffer received over USB and splitting it up into Ethernet packets.
Linux suffers from a garbage collection memory corruption vulnerability by resurrecting a file reference through RCU.
This bug report describes a vulnerability in ART that allows normal applications to insert arbitrary code into unused executable memory in zygote and other applications.
Android's vold's incremental-fs APIs trust paths from system_server for mounting. There is supposed to be privilege separation between vold (TCB) and system_server (privileged process). However, vold's IPC handlers related to incremental-fs (mountIncFs, unmountIncFs, bindMount) allow system_server to specify semi-arbitrary paths, allowing system_server to trigger mounting on directories that shouldn't be under system_server control.
Linux suffered from a use-after-free read vulnerability related to an SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()). This has been addressed in stable versions 5.14.10, 5.10.71, 5.4.151, 4.19.209, 4.14.249, 4.4.288, and 4.9.286.
Linux suffers from a use-after-free read in the SELinux handler for PTRACE_TRACEME.
Tor suffers from an issue where half-closed connection tracking ignores layer_hint; as a result, entry/middle relays can spoof RELAY_END cells on half-closed streams, which can lead to stream confusion between the OP and the exit.
ChromeOS suffers from a missing path restriction vulnerability in arc-obb-mounter.
Linux suffers from broken locking in TIOCSPGRP that can lead to a corrupted refcount.
Linux io_uring suffers from mm and files access across suid binaries.
udisks and the Linux kernel have an issue where udisks permits users to mount romfs and romfs leaks uninitialized memory to userspace.
A race condition exists with munmap() downgrades in Linux kernel versions since 4.20.
A Linux copy-on-write issue can wrongly grant write access.
On Android, app zygotes do not properly guard against UID reuse attacks, leak AID_READPROC, and expose mlstrustedsubject.
c-ares version 1.16.0 has an issue where ares_destroy() with pending ares_getaddrinfo() leads to a use-after-free condition.
Linux 5.6 has an issue with IORING_OP_MADVISE racing with coredumping.
Linux futex+VFS suffers from an improper inode reference in get_futex_key() that causes a use-after-free if the superblock goes away.
Linux has an issue where the SLUB bulk allocation slowpath omits a required TID increment.
Linux versions 5.3 and above appear to have an issue where io_uring suffers from insecure handling of the root directory for path lookups.
Android Binder use-after-free exploit.