Al Viro

9 exploits Active since Aug 2015
CVE-2015-2686 WRITEUP HIGH WRITEUP
Linux Kernel - Access Control
net/socket.c in the Linux kernel 3.19 before 3.19.3 does not validate certain range data for (1) sendto and (2) recvfrom system calls, which allows local users to gain privileges by leveraging a subsystem that uses the copy_from_iter function in the iov_iter interface, as demonstrated by the Bluetooth subsystem.
CVSS 7.8
CVE-2015-5706 WRITEUP WRITEUP
Linux kernel <4.0.4 - Use After Free
Use-after-free vulnerability in the path_openat function in fs/namei.c in the Linux kernel 3.x and 4.x before 4.0.4 allows local users to cause a denial of service or possibly have unspecified other impact via O_TMPFILE filesystem operations that leverage a duplicate cleanup operation.
CVE-2015-5707 WRITEUP WRITEUP
Linux Kernel <4.1 - DoS
Integer overflow in the sg_start_req function in drivers/scsi/sg.c in the Linux kernel 2.6.x through 4.x before 4.1 allows local users to cause a denial of service or possibly have unspecified other impact via a large iov_count value in a write request.
CVE-2016-9178 WRITEUP MEDIUM WRITEUP
Linux <4.7.5 - Info Disclosure
The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the Linux kernel before 4.7.5 does not initialize a certain integer variable, which allows local users to obtain sensitive information from kernel stack memory by triggering failure of a get_user_ex call.
CVSS 5.5
CVE-2017-12190 WRITEUP MEDIUM WRITEUP
Linux kernel <4.13.8 - Memory Corruption
The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition.
CVSS 6.5
CVE-2017-15868 WRITEUP HIGH WRITEUP
Linux Kernel < 3.2.97 - Improper Input Validation
The bnep_add_connection function in net/bluetooth/bnep/core.c in the Linux kernel before 3.19 does not ensure that an l2cap socket is available, which allows local users to gain privileges via a crafted application.
CVSS 7.8
CVE-2017-5550 WRITEUP MEDIUM WRITEUP
Linux Kernel < 4.9.4 - Information Disclosure
Off-by-one error in the pipe_advance function in lib/iov_iter.c in the Linux kernel before 4.9.5 allows local users to obtain sensitive information from uninitialized heap-memory locations in opportunistic circumstances by reading from a pipe after an incorrect buffer-release decision.
CVSS 5.5
CVE-2017-5551 WRITEUP MEDIUM WRITEUP
Linux kernel <4.9.6 - Privilege Escalation
The simple_set_acl function in fs/posix_acl.c in the Linux kernel before 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs filesystem, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7097.
CVSS 4.4
CVE-2020-8428 WRITEUP HIGH WRITEUP
Linux kernel <5.5 - Use After Free
fs/namei.c in the Linux kernel before 5.5 has a may_create_in_sticky use-after-free, which allows local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cb50185ae9. One attack vector may be an open system call for a UNIX domain socket, if the socket is being moved to a new parent directory and its old parent directory is being removed.
CVSS 7.1