David Howells

16 exploits Active since Nov 2009
CVE-2014-3631 WRITEUP WRITEUP
Linux Kernel 3.13-3.14.19 - Denial of Service via Associative Array Garbage Collection
The assoc_array_gc function in the associative-array implementation in lib/assoc_array.c in the Linux kernel before 3.16.3 does not properly implement garbage collection, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via multiple "keyctl newring" operations followed by a "keyctl timeout" operation.
CVE-2015-7872 WRITEUP WRITEUP
Linux Kernel < 4.2.6 - Denial of Service via Keyctl Commands
The key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 4.2.6 allows local users to cause a denial of service (OOPS) via crafted keyctl commands.
CVE-2016-0728 WRITEUP HIGH WRITEUP
Linux kernel <4.4.1 - Privilege Escalation/DoS
The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands.
CVSS 7.8
CVE-2017-7472 WRITEUP MEDIUM WRITEUP
Linux kernel < 4.10.13 - Denial of Service via KEY_REQKEY_DEFL_THREAD_KEYRING Keyctl Calls
The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.
CVSS 5.5
CVE-2013-1792 WRITEUP WRITEUP
Linux Kernel < 3.8.3 - Denial of Service via Race Condition in Keyring Operations
Race condition in the install_user_keyrings function in security/keys/process_keys.c in the Linux kernel before 3.8.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) via crafted keyctl system calls that trigger keyring operations in simultaneous threads.
CVE-2015-1333 WRITEUP WRITEUP
Linux Kernel < 4.1.4 - Denial of Service via Keyring Memory Leak
Memory leak in the __key_link_end function in security/keys/keyring.c in the Linux kernel before 4.1.4 allows local users to cause a denial of service (memory consumption) via many add_key system calls that refer to existing keys.
CVE-2016-7914 WRITEUP MEDIUM WRITEUP
Linux Kernel < 4.5.2 - Out-of-bounds Read in assoc_array_insert_into_terminal_node
The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.5.3 does not check whether a slot is a leaf, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and out-of-bounds read) via an application that uses associative-array data structures, as demonstrated by the keyutils test suite.
CVSS 5.5
CVE-2016-8650 WRITEUP MEDIUM WRITEUP
Linux Kernel < 4.8.11 - Denial of Service via RSA Key with Zero Exponent
The mpi_powm function in lib/mpi/mpi-pow.c in the Linux kernel through 4.8.11 does not ensure that memory is allocated for limb data, which allows local users to cause a denial of service (stack memory corruption and panic) via an add_key system call for an RSA key with a zero exponent.
CVSS 5.5
CVE-2016-9313 WRITEUP HIGH WRITEUP
Linux Kernel 4.7-4.8.7 - Denial of Service via Big Key Crypto Registration
security/keys/big_key.c in the Linux kernel before 4.8.7 mishandles unsuccessful crypto registration in conjunction with successful key-type registration, which allows local users to cause a denial of service (NULL pointer dereference and panic) or possibly have unspecified other impact via a crafted application that uses the big_key data type.
CVSS 7.8
CVE-2017-12193 WRITEUP MEDIUM WRITEUP
Linux kernel < 4.13.11 - Denial of Service via assoc_array_insert_into_terminal_node Node Splitting
The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations.
CVSS 5.5
CVE-2017-15274 WRITEUP MEDIUM WRITEUP
Linux Kernel < 4.11.4 - Denial of Service via NULL Payload in keyctl System Call
security/keys/keyctl.c in the Linux kernel before 4.11.5 does not consider the case of a NULL payload in conjunction with a nonzero length value, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192.
CVSS 5.5
CVE-2017-15951 WRITEUP HIGH WRITEUP
Linux Kernel < 4.4.95 - Denial of Service via KEYS Subsystem Race Condition
The KEYS subsystem in the Linux kernel before 4.13.10 does not correctly synchronize the actions of updating versus finding a key in the "negative" state to avoid a race condition, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls.
CVSS 7.8
CVE-2017-17807 WRITEUP LOW WRITEUP
Linux Kernel < 4.14.6 - Missing Authorization in KEYS Subsystem
The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to the current task's "default request-key keyring" via the request_key() system call, allowing a local user to use a sequence of crafted system calls to add keys to a keyring with only Search permission (not Write permission) to that keyring, related to construct_get_dest_keyring() in security/keys/request_key.c.
CVSS 3.3
CVE-2022-2959 WRITEUP HIGH WRITEUP
Linux Kernel 5.8-5.10.120 - Race Condition in Pipe Buffer Handling
A race condition was found in the Linux kernel's watch queue due to a missing lock in pipe_resize_ring(). The specific flaw exists within the handling of pipe buffers. The issue results from the lack of proper locking when performing operations on an object. This flaw allows a local user to crash the system or escalate their privileges on the system.
CVSS 7.0
CVE-2023-2006 WRITEUP HIGH WRITEUP
Linux Kernel >=5.10 <5.10.157 - Privilege Escalation via RxRPC Bundle Processing Race Condition
A race condition was found in the Linux kernel's RxRPC network protocol, within the processing of RxRPC bundles. This issue results from the lack of proper locking when performing operations on an object. This may allow an attacker to escalate privileges and execute arbitrary code in the context of the kernel.
CVSS 7.0
CVE-2009-3888 EXPLOITDB c STUB
Linux Kernel < 2.6.31.6 - Denial of Service via do_mmap_pgoff Memory Allocation
The do_mmap_pgoff function in mm/nommu.c in the Linux kernel before 2.6.31.6, when the CPU lacks a memory management unit, allows local users to cause a denial of service (OOPS) via an application that attempts to allocate a large amount of memory.