Jann Horn (Project Zero)

9 exploits Active since May 2016
CVE-2017-7228 EXPLOITDB HIGH text WORKING POC
Xen <4.9 - Memory Corruption
An issue (known as XSA-212) was discovered in Xen, with fixes available for 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x. The earlier XSA-29 fix introduced an insufficient check on XENMEM_exchange input, allowing the caller to drive hypervisor memory accesses outside of the guest provided input/output arrays.
CVSS 8.2
CVE-2016-1583 EXPLOITDB HIGH WORKING POC
Linux kernel <4.6.3 - Privilege Escalation
The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3 allows local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling.
CVSS 7.8
EIP-2026-102897 EXPLOITDB text WORKING POC
Linux Kernel (Ubuntu 14.04.3) - 'perf_event_open()' Can Race with execve() (Access /etc/shadow)
EIP-2026-103038 EXPLOITDB text WORKING POC
Xen 64bit PV Guest - pagetable use-after-type-change Breakout
EIP-2026-102665 EXPLOITDB c WORKING POC
Linux SELinux - W+X Protection Bypass via AIO
CVE-2016-4558 EXPLOITDB HIGH text WORKING POC
Linux Kernel < 4.4.11 - Denial of Service
The BPF subsystem in the Linux kernel before 4.5.5 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted application on (1) a system with more than 32 GB of memory, related to the program reference count, or (2) a 1 TB system, related to the map reference count.
CVSS 7.0
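The description above names the bug class rather than the mechanism: a 32-bit reference count that can be incremented 2^32 times wraps back to its starting value, after which a single legitimate release frees an object that still has billions of live references. The memory figures in the advisory exist because every reference the attacker holds costs memory somewhere. The following is an added illustration of that class, not the "WORKING POC" this entry refers to and not kernel code; the saturation constant is modelled on the kernel's later refcount_t and the 8-bytes-per-reference figure is an illustrative assumption used only to show where a 32 GiB threshold comes from.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A plain 32-bit reference count of the kind CVE-2016-4558 concerns.
 * Incrementing it 2^32 times brings it back to its starting value. */
typedef struct { uint32_t count; } naive_ref_t;

/* Result of `n` naive increments: unsigned addition modulo 2^32. */
static void naive_take_refs(naive_ref_t *r, uint64_t n) {
    r->count = (uint32_t)(r->count + n);
}

/* Drop one reference; true means the object is freed now. */
static bool naive_put(naive_ref_t *r) {
    return --r->count == 0;
}

/* Saturating counter modelled on the kernel's refcount_t (assumed value
 * for the saturation point): once the count crosses it, the count sticks
 * there and the object can never be freed through this counter. That is a
 * leak, which is the safe failure mode compared with a wrap. */
#define REF_SATURATED 0xC0000000u
typedef struct { uint32_t count; } sat_ref_t;

/* Result of `n` saturating increments, computed in 64 bits so the
 * comparison itself cannot wrap. */
static void sat_take_refs(sat_ref_t *r, uint64_t n) {
    uint64_t sum = (uint64_t)r->count + n;
    r->count = sum >= REF_SATURATED ? REF_SATURATED : (uint32_t)sum;
}

/* Refuse to release a saturated (or already zero) object. */
static bool sat_put(sat_ref_t *r) {
    if (r->count >= REF_SATURATED || r->count == 0) {
        r->count = REF_SATURATED;
        return false;
    }
    return --r->count == 0;
}

/* Attack model: the object starts with one legitimate reference, the
 * attacker takes `extra` more (e.g. by duplicating a descriptor that
 * pins it), then drops just one. Returns true when that drop frees an
 * object that still has `extra` outstanding references: a use-after-free. */
static bool naive_uaf_after(uint64_t extra) {
    naive_ref_t r = { .count = 1 };
    naive_take_refs(&r, extra);
    return naive_put(&r) && extra > 0;
}

static bool sat_uaf_after(uint64_t extra) {
    sat_ref_t r = { .count = 1 };
    sat_take_refs(&r, extra);
    return sat_put(&r) && extra > 0;
}

/* Why the advisory mentions a memory threshold: if each held reference
 * occupies `bytes_per_ref` (illustrative assumption: an 8-byte table slot),
 * wrapping a 32-bit counter needs 2^32 of them. */
static uint64_t bytes_to_wrap_u32(uint64_t bytes_per_ref) {
    return (1ull << 32) * bytes_per_ref;
}

int main(void) {
    printf("naive counter, 2^32 extra refs -> UAF: %s\n",
           naive_uaf_after(1ull << 32) ? "yes" : "no");
    printf("saturating counter, 2^32 extra refs -> UAF: %s\n",
           sat_uaf_after(1ull << 32) ? "yes" : "no");
    printf("memory to hold 2^32 refs at 8 bytes each: %llu GiB\n",
           (unsigned long long)(bytes_to_wrap_u32(8) >> 30));
    return 0;
}
```

The naive counter frees the object after 2^32 extra references; the saturating one leaks it instead, which is why saturation rather than a wider integer is the usual hardening: it turns an exploitable use-after-free into a bounded resource leak.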
CVE-2019-2023 EXPLOITDB HIGH text WORKING POC
Android <9 - Privilege Escalation
In the ServiceManager::add function in the hardware service manager, there is an insecure permissions check based on the PID of the caller. This could allow an app to add or replace a HAL service with its own service, gaining code execution in a privileged process. Product: Android. Versions: Android-8.0, Android-8.1, Android-9. Android ID: A-121035042. Upstream kernel.
CVSS 7.8
EIP-2026-100029 EXPLOITDB text WORKING POC
Google Android - Insufficient Binder Message Verification Pointer Leak
EIP-2026-100028 EXPLOITDB text WRITEUP
Google Android - getpidcon Usage binder Service Replacement Race Condition