Jann Horn

81 exploits. Active since May 2015.
CVE-2017-16995 WRITEUP HIGH
Linux BPF Sign Extension Local Privilege Escalation
The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.
CVSS 7.8
CVE-2018-11508 WRITEUP MEDIUM
Linux Kernel < 4.16.9 - Unauthorized Memory Read via adjtimex
The compat_get_timex function in kernel/compat.c in the Linux kernel before 4.16.9 allows local users to obtain sensitive information from kernel memory via adjtimex.
CVSS 5.5
CVE-2018-18955 WRITEUP HIGH
Linux Nested User Namespace idmap Limit Local Privilege Escalation
In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.
CVSS 7.0
CVE-2019-13272 WRITEUP HIGH
Linux Polkit pkexec helper PTRACE_TRACEME local root exploit
In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.
CVSS 7.8
CVE-2019-19927 WRITEUP MEDIUM
Linux Kernel 5.0.0-rc7 - Out-of-bounds Read in ttm_put_pages
In the Linux kernel 5.0.0-rc7 (as distributed in ubuntu/linux.git on kernel.ubuntu.com), mounting a crafted f2fs filesystem image and performing some operations can lead to slab-out-of-bounds read access in ttm_put_pages in drivers/gpu/drm/ttm/ttm_page_alloc.c. This is related to the vmwgfx or ttm module.
CVSS 6.0
CVE-2019-6974 WRITEUP HIGH
Linux kernel <4.20.8 - Use After Free
In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race condition, leading to a use-after-free.
CVSS 8.1
CVE-2019-9162 WRITEUP HIGH
Linux Kernel 4.19-4.19.24 - Out-of-bounds Write in SNMP NAT Module
In the Linux kernel before 4.20.12, net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP NAT module has insufficient ASN.1 length checks (aka an array index error), making out-of-bounds read and write operations possible, leading to an OOPS or local privilege escalation. This affects snmp_version and snmp_helper.
CVSS 7.8
CVE-2019-9213 WRITEUP MEDIUM
Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation
In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task.
CVSS 5.5
CVE-2022-30594 WRITEUP HIGH
Linux Kernel < 5.17.2 - Missing Authorization via PT_SUSPEND_SECCOMP Flag
The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag.
CVSS 7.8
CVE-2022-42703 WRITEUP MEDIUM
Linux Kernel < 5.19.7 - Use-After-Free in anon_vma Reuse
mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.
CVSS 5.5
CVE-2018-5333 METASPLOIT MEDIUM ruby WORKING POC
Linux kernel <4.14.13 - Memory Corruption
In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in net/rds/rdma.c mishandles cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference.
CVSS 5.5
CVE-2019-2215 VULNCHECK_XDB HIGH WORKING POC
Android Binder Use-After-Free Exploit
A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability; however, exploitation does require either the installation of a malicious local application or a separate vulnerability in a network-facing application. Product: Android. Android ID: A-141720095
CVSS 7.8
CVE-2021-29155 INTHEWILD MEDIUM WORKING POC
Linux Kernel < 5.11.16 - Out-of-Bounds Read via BPF Verifier Pointer Arithmetic
An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.
CVSS 5.5
CVE-2021-33624 INTHEWILD MEDIUM WORKING POC
Linux kernel <5.12.13 - Memory Corruption
In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a branch can be mispredicted (e.g., because of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a side-channel attack, aka CID-9183671af6db.
CVSS 4.7
CVE-2018-5333 EXPLOITDB MEDIUM ruby WORKING POC
Linux kernel <4.14.13 - Memory Corruption
In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in net/rds/rdma.c mishandles cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference.
CVSS 5.5
CVE-2015-3339 WRITEUP
Linux kernel <3.19.6 - Privilege Escalation
Race condition in the prepare_binprm function in fs/exec.c in the Linux kernel before 3.19.6 allows local users to gain privileges by executing a setuid program at a time instant when a chown to root is in progress, and the ownership is changed but the setuid bit is not yet stripped.
CVE-2017-16996 WRITEUP HIGH
Linux kernel <4.14.8 - Memory Corruption
kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging register truncation mishandling.
CVSS 7.8
CVE-2017-17852 WRITEUP HIGH
Linux Kernel 4.14-4.14.8 - Memory Corruption via BPF Verifier 32-bit ALU Operations
kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of 32-bit ALU ops.
CVSS 7.8
CVE-2017-17853 WRITEUP HIGH
Linux Kernel 4.14-4.14.8 - Memory Corruption via BPF Verifier Signed Bounds Miscalculations
kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect BPF_RSH signed bounds calculations.
CVSS 7.8
CVE-2017-17855 WRITEUP HIGH
Linux Kernel < 4.14.9 - Memory Corruption via BPF Verifier Pointer Handling
kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging improper use of pointers in place of scalars.
CVSS 7.8
CVE-2017-17856 WRITEUP HIGH
Linux Kernel < 4.14.9 - Memory Corruption via BPF Verifier Stack-Pointer Misalignment
kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the lack of stack-pointer alignment enforcement.
CVSS 7.8
CVE-2017-17857 WRITEUP HIGH
Linux Kernel 4.14-4.14.8 - Memory Corruption via BPF Verifier Stack Boundary Check
The check_stack_boundary function in kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of invalid variable stack read operations.
CVSS 7.8
CVE-2018-16276 WRITEUP HIGH
Linux Kernel < 4.17.7 - Out-of-bounds Write in yurex USB Driver
An issue was discovered in yurex_read in drivers/usb/misc/yurex.c in the Linux kernel before 4.17.7. Local attackers could use user access read/writes with incorrect bounds checking in the yurex USB driver to crash the kernel or potentially escalate privileges.
CVSS 7.8
CVE-2018-18445 WRITEUP HIGH
Linux Kernel 4.14.9-4.18.12 - Out-of-bounds Read in BPF Verifier
In the Linux kernel 4.14.x, 4.15.x, 4.16.x, 4.17.x, and 4.18.x before 4.18.13, faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because adjust_scalar_min_max_vals in kernel/bpf/verifier.c mishandles 32-bit right shifts.
CVSS 7.8
CVE-2019-13233 WRITEUP HIGH
Linux Kernel < 5.1.9 - Use-After-Free via Race Condition in LDT Entry Access
In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, there is a use-after-free for access to an LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds violation.
CVSS 7.0