Linux suffered from a use-after-free read vulnerability related to an SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()). This has been addressed in stable versions 5.14.10, 5.10.71, 5.4.151, 4.19.209, 4.14.249, 4.4.288, and 4.9.286.
814de16a8e850b47ecca6eb0680d6e00Linux suffers from a use-after-free read in the SELinux handler for PTRACE_TRACEME.
afc595f0a0d266cd0be01d4bd803c343Tor suffers from an issue where half-closed connection tracking ignores layer_hint and due to this, entry/middle relays can spoof RELAY_END cells on half-closed streams, which can lead to stream confusion between OP and exit.
e8e6c45ee71383e0832c1cb3f3a8c903ChromeOS suffers from a missing path restriction vulnerability in arc-obb-mounter.
d37b7a8eceb81455f4119e17205b9635Linux suffers from broken locking in TIOCSPGRP that can lead to a corrupted refcount.
d37fdf0d783b8893341574d9756e44cbLinux io_uring suffers from mm and files access across suid binaries.
637f9c04457efc1d0b80725cfac4b5efudisks and the Linux kernel have an issue where udisks permits users to mount romfs and romfs leaks uninitialized memory to userspace.
c048313af977e032061fd3c992081768A race condition exists with munmap() downgrades in Linux kernel versions since 4.20.
af84b28deac71be6c5fa63ed3e242c89A Linux copy-on-write issue can wrongly grant write access.
cb589228c2f3845aa384c84f4717d60eOn Android, app zygotes do not properly guard against UID reuse attacks, leak AID_READPROC, and expose mlstrustedsubject.
eebe6e6bf1383e7dfd3785cc4de920bcc-ares version 1.16.0 has an issue where ares_destroy() with pending ares_getaddrinfo() leads to a use-after-free condition.
1464ba2a11ec60f5b9714b8e26693d59Linux 5.6 has an issue with IORING_OP_MADVISE racing with coredumping.
48173960a553b8ac2d2d1b4706631456Linux futex+VFS suffers from an improper inode reference in get_futex_key() that causes a use-after-free if the superblock goes away.
b10f0f2bf1162cf416ade38ced936f86Linux has an issue where the SLUB bulk allocation slowpath omits a required TID increment.
b56ff43167ac1143eeafa23f56b39a25Linux versions 5.3 and above appear to have an issue where io_uring suffers from insecure handling of the root directory for path lookups.
cd4620f1e39d2b19219c64ba6facc1f3Android Binder use-after-free exploit.
b8930f3f9adad2325c20b748158a44e3Samsung suffers from a use-after-free vulnerability due to a missing lock in the SEND_FILE_WITH_HEADER handler in f_mtp_samsung.c.
c32b0a6b8edad815d87eab3aadeb33e9The Samsung kernel has logic bug and locking issues in PROCA that can lead to use-after-free and double-free issues from an application's context.
4809998625c6770bf24721a33e8e7f18This Metasploit module attempts to gain root privileges on Linux systems by abusing a NULL pointer dereference in the rds_atomic_free_op function in the Reliable Datagram Sockets (RDS) kernel module (rds.ko). Successful exploitation requires the RDS kernel module to be loaded. If the RDS module is not blacklisted (default); then it will be loaded automatically. This exploit supports 64-bit Ubuntu Linux systems, including distributions based on Ubuntu, such as Linux Mint and Zorin OS. This exploit does not bypass SMAP. Bypasses for SMEP and KASLR are included. Failed exploitation may crash the kernel. This module has been tested successfully on various 4.4 and 4.8 kernels.
e83495fea436d8a384500ace26357f2fAndroid suffers from ashmem read-only bypass vulnerabilities via remap_file_pages() and ASHMEM_UNPIN.
1ce1f492c6697220a1377f632e2b8f79Linux suffers from a privilege escalation vulnerability via io_uring offload of sendmsg() onto kernel thread with kernel creds.
7594e7ead982b1ba2cb61b42fa00ac35macOS suffers from an update_dyld_shared_cache privilege escalation vulnerability.
ccb563e2e8325980cd5cfa90ec74c416Ubuntu suffers from refcount underflow and type confusion vulnerabilities in shiftfs.
0997e77626bf20fe372537310c94c69fUbuntu suffers from an issue where ubuntu-aufs-modified mmap_region() breaks refcounting in overlayfs/shiftfs error path.
dbc5f5b20329ede3b61e960c453e1e6aXNU has an issue where missing locking in checkdirs_callback() enables a race condition with fchdir_common().
85e06607829ab208006bfe5a5ef59847
© 2020 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed