In the Arm Mali driver's handling of CSF user I/O mappings, VMA splitting is handled incorrectly, leading to a page being given back to the kernel's page allocator while it is still mapped into userspace. On devices with recent Mali GPUs that support CSF, this is a security bug that should be very straightforward to exploit.
6ee0db58337e2459a3e0a317b84488b6c9019397c42a860c2baea1a6661f8592
Xen's _get_page_type() contains an ABAC cmpxchg() race, where the code incorrectly assumes that if it reads a specific type_info value, and then later cmpxchg() succeeds, the type_info can't have changed in between.
88fe91f31a1fa5b68860cd0112d829c44076320a17d995120f8a3d426cc59af7
On CPUs without SELFSNOOP support, a Xen PV domain that has access to a PCI device (which grants the domain the ability to set arbitrary cache attributes on all its pages) can trick Xen into validating an L2 pagetable that contains a cacheline that is marked as clean in the cache but actually differs from main memory. After the pagetable has been validated, an attacker can flush the "clean" cacheline, such that on the next load, unvalidated data from main memory shows up in the pagetable.
0ca3bec4eaa9cefc4bd68628da583653303fb2bb08f1b14700118565ff032f9c
ChromeOS uses usbguard when the screen is locked but appears to suffer from bypass issues.
686e2d50596cc3cee3dd66e0fc5f2a715094be5a79c099a547c49d3457af1129
Linux usbnet code tells minidrivers to unbind while netdev is still up, causing use-after-free conditions.
9cbdb1ccc149a355b2d267a848a75d3513d0e33cb89787801e49bf0110235f37
Linux suffers from two bugs in PT_SUSPEND_SECCOMP. One allows for permission bypass and the other relates to a ptracer death race.
090e7e5a723be850497afe230306c956241cce0eb429877bf07e8c0f06eb2a40
This Metasploit module exploits a vulnerability in the Linux kernel's watch_queue event notification system. It relies on a heap out-of-bounds write in kernel memory. The exploit may fail on the first attempt, so multiple attempts may be needed. Note that the exploit can potentially cause a denial of service if multiple failed attempts occur; however, this is unlikely.
b59181d9b536ad31ebdc6b3f83985c65e49fbe3242468f7709e7bb7a2d4b1e5f
BlueZ suffers from a vulnerability where a malicious USB device can steal Bluetooth link keys over HCI using a fake BD_ADDR. It was also discovered that bluetoothd suffers from a double-free memory corruption flaw.
8a1aa43e53f3253ec88afc78d193bedf1f90ff6d4fdbe4fc1be57e91906b1055
Linux suffers from a vulnerability where FUSE allows use-after-free reads of write() buffers, allowing theft of (partial) /etc/shadow hashes.
2013a523f6140f5f94778f15578c0f1d52f0a0bddd81e46cc48963fbe8fd4efb
The Linux watch_queue filter suffers from an out-of-bounds write vulnerability.
48bdbb27c736f9c5dd12453993d4bc23ee38e3c25b3e23faef205b92dcf36f51
In Linux, drivers/net/usb/ax88179_178a.c contains multiple out-of-bounds accesses in ax88179_rx_fixup(), the function responsible for taking a buffer received over USB and splitting it up into Ethernet packets.
d31f6a101db6dc5fd85ff3bf16404acb26c0969c2cd57cc1adc10f3d4419cf21
Linux suffers from a garbage collection memory corruption vulnerability caused by resurrecting a file reference through RCU.
638d1db3f45bcd59a8ce424b7eb6551bbe0ff49ecd4eb9c767f096560f4687de
This bug report describes a vulnerability in ART that allows normal applications to insert arbitrary code into unused executable memory in zygote and other applications.
0b76a7bc1be55f6a0ca439ea53194142e663f42e1e49261458b945a5c953244c
Android's vold's incremental-fs APIs trust paths from system_server for mounting. There is supposed to be privilege separation between vold (TCB) and system_server (privileged process). However, vold's IPC handlers related to incremental-fs (mountIncFs, unmountIncFs, bindMount) allow system_server to specify semi-arbitrary paths, allowing system_server to trigger mounting on directories that shouldn't be under system_server control.
6308f611ecd07bd987f8455171c29a25eff87e81ccf2cc8daeca7812645ea262
Linux suffered from a use-after-free read vulnerability related to an SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()). This has been addressed in stable versions 5.14.10, 5.10.71, 5.4.151, 4.19.209, 4.14.249, 4.4.288, and 4.9.286.
e9d2577d94228c65d76a056d879671aaba39469ae3acffd647bebed060eeeb31
Linux suffers from a use-after-free read in the SELinux handler for PTRACE_TRACEME.
796440de4a29bc2603d127196092fc9ccdd7e9044bbb208b4660cc96ceeb0dcd
Tor suffers from an issue where half-closed connection tracking ignores layer_hint and, due to this, entry/middle relays can spoof RELAY_END cells on half-closed streams, which can lead to stream confusion between the OP and the exit.
0544acc1f8cb71eaae260f7d2c03e6b0c3ebabe6b8549cd83018b8757f7db64a
ChromeOS suffers from a missing path restriction vulnerability in arc-obb-mounter.
5a39171dc660d2c47df5696635fea0f20a0814593c67d9aa4f2ca1cf665e8660
Linux suffers from broken locking in TIOCSPGRP that can lead to a corrupted refcount.
3d16d56ff43c2ab3355f19116f22e1a94fc89347899d1d2c15556ab0e4b4191b
Linux io_uring suffers from an issue allowing mm and files access across suid binaries.
31c54d98daff1e1981a30c608516455dff4f229558f13e5503ad476e283c3e0f
udisks and the Linux kernel have an issue where udisks permits users to mount romfs and romfs leaks uninitialized memory to userspace.
35a3fb65f205fc4d18eb799a00a5f48e0f59e4554d59a19758e3936768b1b633
A race condition exists with munmap() downgrades in Linux kernel versions since 4.20.
12c19d8bb64bc07c6c91f0dc616830116f9cf648c2c843890b7c779c318ceed4
A Linux copy-on-write issue can wrongly grant write access.
fb12dc1d9b3c3b8710974411c8e04357da6fc10cd0ae77c98600c7e8fdfa8813
On Android, app zygotes do not properly guard against UID reuse attacks, leak AID_READPROC, and expose mlstrustedsubject.
259e249f92035fcc7a0f05456a83799f739c985a9863269f49049822d3dfa37f
c-ares version 1.16.0 has an issue where ares_destroy() with pending ares_getaddrinfo() leads to a use-after-free condition.
7dac05abea704e153870ceb3821b9fcf3b37ca198add02caa774bdda39438cd9