Google Security Research

1,215 exploits Active since May 2013
CVE-2019-15793 EXPLOITDB MEDIUM text WORKING POC
Linux kernel <5.3 - Privilege Escalation
In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, several locations which shift ids translate user/group ids before performing operations in the lower filesystem were translating them into init_user_ns, whereas they should have been translated into the s_user_ns for the lower filesystem. This resulted in using ids other than the intended ones in the lower fs, which likely did not map into the shiftfs s_user_ns. A local attacker could use this to possibly bypass discretionary access control permissions.
CVSS 6.5
CVE-2019-3842 EXPLOITDB HIGH text WORKING POC
Systemd < 241 - Incorrect Authorization
In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. It is possible for an attacker, in some particular configurations, to set an XDG_SEAT environment variable which allows for commands to be checked against polkit policies using the "allow_active" element rather than "allow_any".
CVSS 7.0
CVE-2019-3844 EXPLOITDB HIGH text WORKING POC
Systemd - Privilege Escalation
It was discovered that a systemd service that uses the DynamicUser property can get new privileges through the execution of SUID binaries, which would allow it to create binaries owned by the service's transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID is recycled.
CVSS 7.8
CVE-2018-15686 EXPLOITDB HIGH c WORKING POC
Canonical Ubuntu Linux < 239 - Insecure Deserialization
A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.
CVSS 7.8
CVE-2019-7303 EXPLOITDB HIGH c WORKING POC
Canonical snapd <2.37.4 - Privilege Escalation
A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert characters into a terminal on a 64-bit host. The seccomp rules were generated to match 64-bit ioctl(2) commands on a 64-bit platform; however, the Linux kernel only uses the lower 32 bits to determine which ioctl(2) commands to run. This issue affects: Canonical snapd versions prior to 2.37.4.
CVSS 7.5
EIP-2026-102716 EXPLOITDB c WORKING POC
polkit - Temporary auth Hijacking via PID Reuse and Non-atomic Fork
CVE-2016-9150 EXPLOITDB CRITICAL text WRITEUP
Palo Alto Networks PAN-OS <7.1.6 - Buffer Overflow
Buffer overflow in the management web interface in Palo Alto Networks PAN-OS before 5.0.20, 5.1.x before 5.1.13, 6.0.x before 6.0.15, 6.1.x before 6.1.15, 7.0.x before 7.0.11, and 7.1.x before 7.1.6 allows remote attackers to execute arbitrary code via unspecified vectors.
CVSS 9.8
EIP-2026-102671 EXPLOITDB text WORKING POC
MatrixSSL < 4.0.2 - Stack Buffer Overflow Verifying x.509 Certificates
EIP-2026-102670 EXPLOITDB text WORKING POC
MatrixSSL < 4.0.2 - Stack Buffer Overflow Verifying x.509 Certificates
EIP-2026-102665 EXPLOITDB c WORKING POC
Linux SELinux - W+X Protection Bypass via AIO
CVE-2018-11412 EXPLOITDB MEDIUM text WORKING POC
Linux Kernel < 4.16.11 - Use After Free
In the Linux kernel 4.13 through 4.16.11, ext4_read_inline_data() in fs/ext4/inline.c performs a memcpy with an untrusted length value in certain circumstances involving a crafted filesystem that stores the system.data extended attribute value in a dedicated inode.
CVSS 5.9
CVE-2017-9150 EXPLOITDB MEDIUM c WORKING POC
Linux kernel <4.11.1 - Info Disclosure
The do_check function in kernel/bpf/verifier.c in the Linux kernel before 4.11.1 does not make the allow_ptr_leaks value available for restricting the output of the print_bpf_insn function, which allows local users to obtain sensitive address information via crafted bpf system calls.
CVSS 5.5
CVE-2016-3134 EXPLOITDB HIGH text WORKING POC
Novell Suse Linux Enterprise Software... - Memory Corruption
The netfilter subsystem in the Linux kernel through 4.5.2 does not validate certain offset fields, which allows local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call.
CVSS 8.4
EIP-2026-102644 EXPLOITDB c WORKING POC
Linux Kernel - io_submit L2TP sendmsg Integer Overflow
CVE-2017-16994 EXPLOITDB MEDIUM c WORKING POC
Linux Kernel <4.14.2 - Info Disclosure
The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14.2 mishandles holes in hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call.
CVSS 5.5
CVE-2016-4558 EXPLOITDB HIGH text WORKING POC
Linux Kernel < 4.4.11 - Denial of Service
The BPF subsystem in the Linux kernel before 4.5.5 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted application on (1) a system with more than 32 Gb of memory, related to the program reference count or (2) a 1 Tb system, related to the map reference count.
CVSS 7.0
CVE-2019-9213 EXPLOITDB MEDIUM text WORKING POC
Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation
In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task.
CVSS 5.5
EIP-2026-102642 EXPLOITDB c WORKING POC
Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field in compat adjtimex Syscall
CVE-2019-9162 EXPLOITDB HIGH text WORKING POC
Linux Kernel < 4.19.25 - Out-of-Bounds Write
In the Linux kernel before 4.20.12, net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP NAT module has insufficient ASN.1 length checks (aka an array index error), making out-of-bounds read and write operations possible, leading to an OOPS or local privilege escalation. This affects snmp_version and snmp_helper.
CVSS 7.8
CVE-2017-11120 EXPLOITDB CRITICAL text WORKING POC
Broadcom Bcm4355c0 Firmware < 11.0 - Memory Corruption
On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, an attacker can craft a malformed RRM neighbor report frame to trigger an internal buffer overflow in the Wi-Fi firmware, aka B-V2017061204.
CVSS 9.8
EIP-2026-102341 EXPLOITDB text WORKING POC
FireEye - Wormable Remote Code Execution in MIP JAR Analysis
EIP-2026-102333 EXPLOITDB text WORKING POC
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in OpenTypeLayoutEngine::adjustGlyphPositions
EIP-2026-102332 EXPLOITDB text WORKING POC
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in ExtractBitMap_blocClass
EIP-2026-102331 EXPLOITDB text WRITEUP
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in AlternateSubstitutionSubtable::process
EIP-2026-102330 EXPLOITDB text WORKING POC
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During OTF Font Rendering in glyph_CloseContour