sinkthemall

4 exploits Active since Sep 2023
CVE-2022-2586 GITHUB MEDIUM c
Linux Kernel < 5.19.17 - Use-After-Free via NFT Object or Expression Reference
It was discovered that a nft object or expression could reference a nft set on a different nft table, leading to a use-after-free once that table was deleted.
CVSS 5.3
CVE-2023-2163 GITHUB CRITICAL c
Linux Kernel >=5.4 - Privilege Escalation
Incorrect verifier pruning in BPF in Linux Kernel >=5.4 leads to unsafe code paths being incorrectly marked as safe, resulting in arbitrary read/write in kernel memory, lateral privilege escalation, and container escape.
CVSS 10.0
CVE-2024-0582 GITHUB HIGH c
Linux Kernel 6.4-6.6.4 - Use-After-Free in io_uring Buffer Ring Registration
A memory leak flaw was found in the Linux kernel’s io_uring functionality in how a user registers a buffer ring with IORING_REGISTER_PBUF_RING, mmap() it, and then frees it. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVSS 7.8
CVE-2025-39946 GITHUB CRITICAL c
Linux Kernel 6.0-6.1.153, 6.2-6.6.107, 6.7-6.12.48, 6.13-6.16.8 - Denial of Service via TLS Stream Header Parsing
In the Linux kernel, the following vulnerability has been resolved: tls: make sure to abort the stream if headers are bogus Normally we wait for the socket to buffer up the whole record before we service it. If the socket has a tiny buffer, however, we read out the data sooner, to prevent connection stalls. Make sure that we abort the connection when we find out late that the record is actually invalid. Retrying the parsing is fine in itself but since we copy some more data each time before we parse we can overflow the allocated skb space. Constructing a scenario in which we're under pressure without enough data in the socket to parse the length upfront is quite hard. syzbot figured out a way to do this by serving us the header in small OOB sends, and then filling in the recvbuf with a large normal send. Make sure that tls_rx_msg_size() aborts strp, if we reach an invalid record there's really no way to recover.
CVSS 9.8