The incremental-fs APIs in Android's vold trust paths supplied by system_server for mounting. There is supposed to be privilege separation between vold (TCB) and system_server (privileged process). However, vold's IPC handlers related to incremental-fs (mountIncFs, unmountIncFs, bindMount) allow system_server to specify semi-arbitrary paths, allowing system_server to trigger mounting on directories that shouldn't be under system_server control.
6308f611ecd07bd987f8455171c29a25eff87e81ccf2cc8daeca7812645ea262
Linux suffered from a use-after-free read vulnerability related to an SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()). This has been addressed in stable versions 5.14.10, 5.10.71, 5.4.151, 4.19.209, 4.14.249, 4.4.288, and 4.9.286.
e9d2577d94228c65d76a056d879671aaba39469ae3acffd647bebed060eeeb31
Linux suffers from a use-after-free read in the SELinux handler for PTRACE_TRACEME.
796440de4a29bc2603d127196092fc9ccdd7e9044bbb208b4660cc96ceeb0dcd
Tor suffers from an issue where half-closed connection tracking ignores layer_hint. Because of this, entry/middle relays can spoof RELAY_END cells on half-closed streams, which can lead to stream confusion between OP and exit.
0544acc1f8cb71eaae260f7d2c03e6b0c3ebabe6b8549cd83018b8757f7db64a
ChromeOS suffers from a missing path restriction vulnerability in arc-obb-mounter.
5a39171dc660d2c47df5696635fea0f20a0814593c67d9aa4f2ca1cf665e8660
Linux suffers from broken locking in TIOCSPGRP that can lead to a corrupted refcount.
3d16d56ff43c2ab3355f19116f22e1a94fc89347899d1d2c15556ab0e4b4191b
Linux io_uring suffers from mm and files access across suid binaries.
31c54d98daff1e1981a30c608516455dff4f229558f13e5503ad476e283c3e0f
udisks and the Linux kernel have an issue where udisks permits users to mount romfs and romfs leaks uninitialized memory to userspace.
35a3fb65f205fc4d18eb799a00a5f48e0f59e4554d59a19758e3936768b1b633
A race condition exists with munmap() downgrades in Linux kernel versions since 4.20.
12c19d8bb64bc07c6c91f0dc616830116f9cf648c2c843890b7c779c318ceed4
A Linux copy-on-write issue can wrongly grant write access.
fb12dc1d9b3c3b8710974411c8e04357da6fc10cd0ae77c98600c7e8fdfa8813
On Android, app zygotes do not properly guard against UID reuse attacks, leak AID_READPROC, and expose mlstrustedsubject.
259e249f92035fcc7a0f05456a83799f739c985a9863269f49049822d3dfa37f
c-ares version 1.16.0 has an issue where ares_destroy() with pending ares_getaddrinfo() leads to a use-after-free condition.
7dac05abea704e153870ceb3821b9fcf3b37ca198add02caa774bdda39438cd9
Linux 5.6 has an issue with IORING_OP_MADVISE racing with coredumping.
3d4ed25c006b4d44e2fc925724eb8ef4c383a536453c0793e4b5aa7eb8d74965
Linux futex+VFS suffers from an improper inode reference in get_futex_key() that causes a use-after-free if the superblock goes away.
1f2f71584b62477d5804bbbbde1135bf3a474ccf5086c8de8d354737d3f45ec5
Linux has an issue where the SLUB bulk allocation slowpath omits a required TID increment.
14cca69626f7eaf7a068b4d1e29e645abe5f5066bfb2ea4db2fa373a5b4f17a5
Linux versions 5.3 and above appear to have an issue where io_uring suffers from insecure handling of the root directory for path lookups.
ed2dd2cbf35df24e9ba5bd981126270b47009603233e401d33e76fe529690153
Android Binder use-after-free exploit.
8311b9bec91595d2878834472570bf80e596b211d30a53cac581c4c7c5478c85
Samsung suffers from a use-after-free vulnerability due to a missing lock in the SEND_FILE_WITH_HEADER handler in f_mtp_samsung.c.
ea573306aed9a22cf4e84307a09985e94b4983da700b10db9db6aea800e9e9aa
The Samsung kernel has a logic bug and locking issues in PROCA that can lead to use-after-free and double-free conditions from an application's context.
a7e1e4d76f40e9e3e676716682ea5ddbdc59531377348afc082fea2a8f0e792a
This Metasploit module attempts to gain root privileges on Linux systems by abusing a NULL pointer dereference in the rds_atomic_free_op function in the Reliable Datagram Sockets (RDS) kernel module (rds.ko). Successful exploitation requires the RDS kernel module to be loaded. If the RDS module is not blacklisted (the default), it will be loaded automatically. This exploit supports 64-bit Ubuntu Linux systems, including distributions based on Ubuntu, such as Linux Mint and Zorin OS. This exploit does not bypass SMAP. Bypasses for SMEP and KASLR are included. Failed exploitation may crash the kernel. This module has been tested successfully on various 4.4 and 4.8 kernels.
561f5de542c8d58118095440168a640aad5069622602f1d8eac2d963687098c9
Android suffers from ashmem read-only bypass vulnerabilities via remap_file_pages() and ASHMEM_UNPIN.
689f8071ae95d70db5dd1910063463a8d8fb46ef07c27f4a5369f3a1700ddf3f
Linux suffers from a privilege escalation vulnerability via io_uring offload of sendmsg() onto kernel thread with kernel creds.
a834b29ddf4d2217f0c133698262209db2f3b93925e28fd750acde84f14c06eb
macOS suffers from an update_dyld_shared_cache privilege escalation vulnerability.
07e51301d8683d6e39251cf95eaee6c25ac3c5aa9945b3f9d48ce358af325a02
Ubuntu suffers from refcount underflow and type confusion vulnerabilities in shiftfs.
fc083eb6624e5af7dd882d1267361f52f304c19c1c96a185b84a12e9f221811d
Ubuntu suffers from an issue where ubuntu-aufs-modified mmap_region() breaks refcounting in overlayfs/shiftfs error path.
6fd8ea0bfd5005c0587ede33931bd50267efbc08f87c7a08b67be5dac56165f1