XNU has an issue where missing locking in checkdirs_callback() enables a race condition with fchdir_common().
95a3930fb861862d1fc4d07fbe47e96c19c11dc95352a6bd0f5aaec35a64ddf7
This Metasploit module exploits an issue in ptrace_link in kernel/ptrace.c before Linux kernel 5.1.17. This issue can be exploited from a Linux desktop terminal, but not over an SSH session, as it requires execution from within the context of a user with an active Polkit agent. In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME.
072effef6153caac38d664913a4c85d900178cc8a6bc497726bd11fee5a2a0bc
XNU suffers from a remote double-free vulnerability due to a data race in the IPComp input path.
d2fc78044e01a775c566e0e02db2a7c5884a244d49e01e4d99427a7661199c8b
Linux suffers from use-after-free read vulnerabilities in show_numa_stats().
7daf0340da4a54780b2816f43fc842a167e5ce5eecd0e0c90c87101a262a8f9e
Linux suffers from broken permission and object lifetime handling for PTRACE_TRACEME.
30dafcd01fe3416a51e40e4a4f49ab60f981e89f93b9635b6199d3e4fa21fde9
Google ChromeOS SafeSetID LSM suffers from privilege escalation vulnerabilities.
d249d4de09d46c55a0307f0dc5339f1d018313709dc668eae4f4e4959313d6b0
Linux suffers from a use-after-free via a race condition between modify_ldt() and #BR exception.
1fcbfa390531a70742295db73f9e7ff8f089236459ea40c9adc0d8c41303b3d3
The Qualcomm Android kernel suffers from a use-after-free vulnerability via an incorrect set_page_dirty() in KGSL.
d1eaf5eaeeac362ce563227b34a9b558decbd017fd35378e6adfac048ff8284f
Linux suffers from missing locking between the ELF coredump code and userfaultfd VMA modification.
673a7d5b5c8c34c1c31d9a3eff1b04dbcf78b701cc9cca3e53ef0c155170313f
This bug report describes a bug in systemd that allows a service with DynamicUser in collaboration with another service or user to create a setuid binary that can be used to access its UID beyond the lifetime of the service. This bug probably has relatively low severity, given that there are not many services yet that use DynamicUser, and the requirement of collaboration with another process limits the circumstances in which it would be useful to an attacker further; but in a system that makes heavy use of DynamicUser, it would probably have impact.
064bbdd76f48df03346ba02e71f7b8230c92792ac615692d64f9d04ec97b425c
The Siemens R3964 line discipline code in drivers/tty/n_r3964.c has a few races around its ioctl handler; for example, the handler for R3964_ENABLE_SIGNALS just allocates and deletes elements in a linked list with zero locking. This code is reachable by an unprivileged user if the line discipline is enabled in the kernel config; Ubuntu 18.04, for example, ships this line discipline as a module.
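The race described above, illustrated as an added user-space example that is not the kernel's n_r3964.c code: the same enable/disable list manipulation written once with no locking (the pattern the report describes) and once under a mutex. The `struct client` layout, the function names and the thread-based stress harness are assumptions made for this illustration.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* One registration record, standing in for the per-caller entry that the
 * report says the ioctl handler links into a list. This struct and the
 * global list are assumptions for the illustration, not kernel definitions. */
struct client {
    struct client *next;
    int pid;
};

static struct client *clients;                        /* shared list head */
static pthread_mutex_t clients_lock = PTHREAD_MUTEX_INITIALIZER;

/* Racy pattern: allocate, link and free list entries with no lock held.
 * Two concurrent callers can lose a push, unlink the same node twice, or
 * dereference a node another caller has just freed. Kept for comparison;
 * not exercised by the stress harness below because it is undefined. */
static void enable_nolock(int pid)
{
    struct client *c = malloc(sizeof *c);
    if (!c) return;
    c->pid = pid;
    c->next = clients;
    clients = c;
}

static void disable_nolock(int pid)
{
    struct client **pp = &clients;
    while (*pp) {
        if ((*pp)->pid == pid) {
            struct client *victim = *pp;
            *pp = victim->next;          /* unlink, then free: racy without a lock */
            free(victim);
            return;
        }
        pp = &(*pp)->next;
    }
}

/* Hardened form: every walk or update of the list happens under one mutex,
 * so no caller can observe a half-unlinked or already-freed node. */
void enable_locked(int pid)
{
    pthread_mutex_lock(&clients_lock);
    enable_nolock(pid);
    pthread_mutex_unlock(&clients_lock);
}

void disable_locked(int pid)
{
    pthread_mutex_lock(&clients_lock);
    disable_nolock(pid);
    pthread_mutex_unlock(&clients_lock);
}

/* Length of the list, read under the same lock. */
size_t list_len(void)
{
    size_t n = 0;
    pthread_mutex_lock(&clients_lock);
    for (struct client *c = clients; c; c = c->next) n++;
    pthread_mutex_unlock(&clients_lock);
    return n;
}

struct worker_arg { int id; int iters; };

static void *worker(void *p)
{
    struct worker_arg *a = p;
    for (int i = 0; i < a->iters; i++) {
        enable_locked(a->id);
        disable_locked(a->id);
    }
    return NULL;
}

/* Runs nthreads workers that each add and remove their own entry iters times
 * through the locked paths. Returns the final list length; with correct
 * locking every add is matched by a remove, so the result must be 0. */
size_t stress_locked(int nthreads, int iters)
{
    pthread_t *tids = calloc((size_t)nthreads, sizeof *tids);
    struct worker_arg *args = calloc((size_t)nthreads, sizeof *args);
    int started = 0;
    for (int i = 0; i < nthreads; i++) {
        args[i].id = 1000 + i;
        args[i].iters = iters;
        if (pthread_create(&tids[i], NULL, worker, &args[i]) == 0)
            started++;
    }
    for (int i = 0; i < started; i++) pthread_join(tids[i], NULL);
    free(tids);
    free(args);
    return list_len();
}

int main(void)
{
    printf("entries left after locked stress: %zu\n", stress_locked(4, 2000));
    return 0;
}
```

Swapping the `enable_locked`/`disable_locked` calls in `worker` for the `_nolock` variants reproduces the report's pattern: concurrent pushes onto the list head lose entries and the unlink path can free a node another thread is still walking, which is the same class of bug the ioctl handler exposes to an unprivileged caller when the line discipline is enabled.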
a396888582339ffe59796c61b8e3097b97ece3e13bcd1b03ad7f6bb0490ef36d
Linux suffers from a page->_refcount overflow via FUSE with ~140GiB RAM usage.
8f223059c2e0c5c532eddc4777ac58f752854b9d67abeac1f06d8d9bf6855b94
systemd suffers from a lack of seat verification in the PAM module and in turn permits the spoofing of an active session to polkit.
efa1f343df5f4bc0df38f6d33e7cbd58c47f076df86f9ef3d5559612c36b0a32
libseccomp suffers from an issue where there are incorrect compilations of arithmetic comparisons.
dddc73c41f25c68017fa3018c96fe964b4326e43e6cabe8e18b658d2b9935a72
It was discovered that virtual address 0 is mappable via privileged write() to /proc/*/mem on Linux.
304236f8a1050e3e16648cbdbb32b50ffb3020bab9e3c600151f688ea0e19fe3
getpidcon() usage in hardware binder servicemanager on Android permits ACL bypass.
08f452e1fd544b7af038c758a58f8c160ba8c63c0faeb7a4ea44ade0b02d4a65
Android suffers from a binder use-after-free via racy initialization of ->allow_user_free.
6742e2b4193d7750763a8c792e031aa30b53a3561c2c1e363288b3e13e7e73af
XNU suffers from a copy-on-write behavior bypass via mount of user-owned filesystem image.
1cbe8d9b00a17be65ba28a162ea9cc8b19a0075c2fd69b22351c86753940b808
Linux suffers from out-of-bounds read and write vulnerabilities in the SNMP NAT module.
7bd49b3bb3d086c38ebc75bb8575f700166986bda831d3c8b3ef390d3ddb262f
On Android, a ptrace hold makes the seccomp filter useless on devices running a kernel older than 4.8.
3e453d8a0b66eabf3fb14496e3b956eb35595602fa7cd46eabc06f12c2f17e88
Linux kvm_ioctl_create_device() installs the fd before taking a reference.
6033e3d8087f707cca80ae2b210063193f8832909919ef387c2905dae1a56a0d
Android binder suffers from a use-after-free vulnerability in VMA via a race between reclaim and munmap.
30e7b19cade88138c58960f0d7e5f5b18ba1d4a346ffb29b3faf11ceb745b600
Android binder suffers from a use-after-free vulnerability via fdget() optimization.
e1809748df02c9d09d6f4feddfb033fdc2a0eee3d38b0c8d9099f338a04d4eed
It has been discovered that the Linux eBPF Spectre v1 mitigation is insufficient.
65b55f81ae1e297c2fa073eefef20c50eb4ccfe96285d46d743eed5b9ac99c78
XNU suffers from a copy-on-write behavior bypass via partial-page truncation of file.
ce2ac26d2111768bdd27f895202eac13116d1f30581d7892e8a671a7f8ac55db