Polkit suffers from a temporary auth hijacking vulnerability via PID reuse and a non-atomic fork.
cda12b6164dcf7cc8e7788d38b12813f0f957ff6db104d4bad25b01f47fe046b
CUPS generates session cookies with srandom(time(NULL)) and random() on Linux.
3b69505f07ce22a5883565aef22b4c6989365de343f9d6a0d32ff53d8c0cdb06
Linux userfaultfd bypasses tmpfs file permissions.
1b8d3ce7875318cd21ad32bec57be7ed660168064accdd2e8a8b60fc13d6aadf
Google Chrome version 70.0.3538.77 stable suffers from cross site scripting and man-in-the-middle vulnerabilities.
686c99bbb6418cc295a5495417a100d2846c41c5d5fb214b782fedc9a5df70c9
XNU POSIX has an issue where shared memory mappings have an incorrect maximum protection.
184646768496bcb8df3d6995ff94b42fcf57e71d6591dd588a4cb6bbb6906ef1
This Metasploit module exploits a vulnerability in Linux kernels 4.15.0 to 4.18.18, and 4.19.0 to 4.19.1, where broken uid/gid mappings between nested user namespaces and kernel uid/gid mappings allow elevation to root (CVE-2018-18955). The target system must have unprivileged user namespaces enabled and the newuidmap and newgidmap helpers installed (from uidmap package). This Metasploit module has been tested successfully on: Fedora Workstation 28 kernel 4.16.3-301.fc28.x86_64; Kubuntu 18.04 LTS kernel 4.15.0-20-generic (x86_64); Linux Mint 19 kernel 4.15.0-20-generic (x86_64); Ubuntu Linux 18.04.1 LTS kernel 4.15.0-20-generic (x86_64).
c991b79ae898a222baf512ec75bc5ae786505466b71b6453fd873f6b5482343c
Linux has a broken uid/gid mapping for nested user namespaces with greater than 5 ranges.
53da54afe1913539df473ff36059802468d06980a436040ba7120c6c26f62627
gVisor runsc suffers from a guest->host breakout via filesystem cache desync.
84dc85244630be123fb4fe9e5458fa8f9c8b6b6f71755aa36a94074551a626e3
Linux has an issue where mremap() performs a TLB flush too late with concurrent ftruncate().
1d7a2b2f17f9389071731196edb3fe5f053e279a8809c199a21352f9cd90b984
Chrome OS runs an ancient unrar in CAP_SYS_ADMIN context.
6c47eeec17a92a7dddd947efe20d6c35cea27233a2be3ccff4e2ac591c94d089
Linux suffers from an issue with systemd where chown_one() can dereference symlinks.
d697c36e79f99a67f9cd338b7bd29e048c68c6bb76813a6a4825722f969d23a4
Linux has an issue with systemd where overlong input to fgets() during reexec state injection can lead to line splitting.
440ee81db71b86c228b05c447f6dbf1f3757cd7acd272aee23964553ff0bf0b2
The Chrome debugger extension API appears to have more power than necessary, including the ability to bypass the check for disabled natives.
d16b876453d1e286e57dd44173ed43d091358a3d10ac1b0c64b89737298f389e
The Linux BPF verifier has an issue where 32-bit RSH verification does not truncate input before the ALU op.
bd63997ae2acb84be7a1e8de8677be40bfb12f314579a9e60ee98b321c11a3a0
Linux suffers from a semi-arbitrary task stack read on ARM64 (and x86) via /proc/$pid/stack.
aa57cf6a492d7f45505fa3498cb8e656f5d02f443b0cde3a3cb505708affcfc3
Android sdcardfs changes current->fs without proper locking.
8d214a2b630981750d5c1762a10ef86a2a4ae621726bba9e014147f488f9c0f2
The Linux kernel suffers from a ptr leak via BPF due to a broken subtraction check.
d4223122e1ab1a77d32acc8af4e3ea5de0baa00f18f85d466df55a31d545bf23
Chrome OS suffers from a /sbin/crash_reporter symlink traversal vulnerability.
41e32bd294ce06037cae654ccff52add6f9d2e7cd27c6acfc1cf1da49939a2e6
The Debian/Ubuntu AppArmor policy for evince is bypassable.
ff472c98cc21174fede936caa3bc63c6a799eee6f6a780c628bab6a7a80777c1
AppArmor has an issue where filesystem blacklisting can be bypassed by moving parents.
b2024aa06da618d87af0a264562f40bcd8ebfa1535eb007f2251a6df21367000
gVisor reuses pagetables across levels without paging-structure invalidation.
193fccefc5c977b91f16570534ba06f19e07ed6de291fdd9b2d2eeba79b56a70
Linux suffers from a VMA use-after-free vulnerability via a buggy vmacache_flush_all() fastpath.
e61f826cfebf3e7bf6eb9726e31779f1707a0644cc3e2a4e3c0865759d272ace
Linux suffers from an arbitrary kernel read into dmesg via a missing address check in the segfault handler.
d3543609cf07f5bc3c6ff63fec8e66a77587ae2ca18d384c4afa15317c5fc42f
There is a variety of RPC communication channels between the Chrome OS host system and the crosvm guest. This bug report focuses on communication on TCP port 8889, which is used by the "garcon" service. garcon uses gRPC, which is an RPC protocol that sends protobufs over plaintext HTTP/2. (Other system components communicate with the VM over gRPC-over-vsock, but garcon uses gRPC-over-TCP.) For some command types, the TCP connection is initiated by the host; for others, it is initiated by the guest. Both guest and host are listening on [::]:8889; the iptables rules of the host prevent an outside host from simply connecting to those sockets. However, apps running on the host are not affected by such restrictions.
9263536fa5f7e9451ac5165732e05e723c9b21083c0ec421bcbc98dfed2d7d49
Android suffers from a privilege escalation vulnerability in zygote that can be leveraged by CVE-2018-9445.
07e2c94cf5dbc0bdc093f47b38ee2d8af3fbfc550336946724f110edbbd2295f