C Exploits
3,621 exploits tracked across all sources.
Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp Kernel Pointer
by Jinbum Park
Apple macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)
by Fabiano Anemone
Cisco Immunet & AMP for Endpoints - Resource Consumption in System Scanning
A vulnerability in the system scanning component of Cisco Immunet and Cisco Advanced Malware Protection (AMP) for Endpoints running on Microsoft Windows could allow a local attacker to disable the scanning functionality of the product. This could allow executable files to be launched on the system without being analyzed for threats. The vulnerability is due to improper process resource handling. An attacker could exploit this vulnerability by gaining local access to a system running Microsoft Windows and protected by Cisco Immunet or Cisco AMP for Endpoints and executing a malicious file. A successful exploit could allow the attacker to prevent the scanning services from functioning properly and ultimately prevent the system from being protected from further intrusion.
by hyp3rlinx
CVSS 5.5
LiquidVPN < 1.37 - Local Privilege Escalation via Unprotected XPC Service
Multiple local privilege escalation vulnerabilities have been identified in the LiquidVPN client through 1.37 for macOS. An attacker can communicate with an unprotected XPC service and directly execute arbitrary OS commands as root or load a potentially malicious kernel extension because com.smr.liquidvpn.OVPNHelper uses the system function to execute the "tun_path" or "tap_path" pathname within a shell command.
by Bernd Leitner
CVSS 7.8
LiquidVPN < 1.37 - Unauthenticated OS Command Injection via XPC Service
Multiple local privilege escalation vulnerabilities have been identified in the LiquidVPN client through 1.37 for macOS. An attacker can communicate with an unprotected XPC service and directly execute arbitrary OS commands as root or load a potentially malicious kernel extension because com.smr.liquidvpn.OVPNHelper uses the system function to execute the "command_line" parameter as a shell command.
by Bernd Leitner
CVSS 7.8
LiquidVPN < 1.37 - Local Privilege Escalation via Unprotected XPC Service
Multiple local privilege escalation vulnerabilities have been identified in the LiquidVPN client through 1.37 for macOS. An attacker can communicate with an unprotected XPC service and directly execute arbitrary OS commands as root or load a potentially malicious kernel extension because com.smr.liquidvpn.OVPNHelper uses the system function to execute the "openvpncmd" parameter as a shell command.
by Bernd Leitner
CVSS 7.8
LiquidVPN < 1.37 - Local Privilege Escalation via Unprotected XPC Service
Multiple local privilege escalation vulnerabilities have been identified in the LiquidVPN client through 1.37 for macOS. An attacker can communicate with an unprotected XPC service and directly execute arbitrary OS commands as root or load a potentially malicious kernel extension because com.smr.liquidvpn.OVPNHelper uses the value of the "tun_path" or "tap_path" pathname in a kextload() call.
by Bernd Leitner
CVSS 7.8
Canonical Ubuntu Linux < 239 - Insecure Deserialization
A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.
by Google Security Research
CVSS 7.8
LibTIFF 3.9.3-4.0.9 - Out-of-bounds Write in JBIG Decoder
LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7, 4.0.8 and 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.
by Google Security Research
CVSS 8.8
Apple iOS/macOS - Kernel Memory Corruption due to Integer Overflow in IOHIDResourceQueue::enqueueReport
by Google Security Research
Apple iOS/macOS - Kernel Memory Corruption due to Integer Overflow in IOHIDResourceQueue::enqueueReport
by Google Security Research
Apple Intel GPU Driver - Use-After-Free/Double-Delete due to bad Locking
by Google Security Research
Apple iOS Kernel - Use-After-Free due to bad Error Handling in Personas
by Google Security Research
Apple iOS Kernel - Use-After-Free due to bad Error Handling in Personas
by Google Security Research
NoMachine < 5.3.27 and 6.x < 6.3.6 - Untrusted Search Path via Trojan Horse wintab32.dll
NoMachine before 5.3.27 and 6.x before 6.3.6 allows attackers to gain privileges via a Trojan horse wintab32.dll file located in the same directory as a .nxs file, as demonstrated by a scenario where the .nxs file and the DLL are in the current working directory, and the Trojan horse code is executed. (The directory could, in general, be on a local filesystem or a network share.).
by hyp3rlinx
CVSS 7.8
Linux - Kernel Pointer Leak via BPF
by Google Security Research
Linux Kernel <= 4.11.9 - Use-After-Free in mq_notify Netlink Socket Handling
The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.
by Lexfo
CVSS 7.8
Linux kernel <4.14 - Privilege Escalation
An integer overflow flaw was found in the Linux kernel's create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. Kernel versions 2.6.x, 3.10.x and 4.14.x are believed to be vulnerable.
by Qualys Corporation
CVSS 7.8
STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation (2)
by Ivan Ivanovic
STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation (1)
by Parvez Anwar
Cisco Umbrella Enterprise Roaming Client < 2.1.118 - Improper Privilege Management
A vulnerability in the Cisco Umbrella Enterprise Roaming Client (ERC) could allow an authenticated, local attacker to elevate privileges to Administrator. To exploit the vulnerability, the attacker must authenticate with valid local user credentials. This vulnerability is due to improper implementation of file system permissions, which could allow non-administrative users to place files within restricted directories. An attacker could exploit this vulnerability by placing an executable file within the restricted directory, which when executed by the ERC client, would run with Administrator privileges.
by ParagonSec
CVSS 7.8
Cisco Umbrella Enterprise Roaming Client < 2.1.127 Privilege Escalation via File Permission Bypass
A vulnerability in the Cisco Umbrella Enterprise Roaming Client (ERC) could allow an authenticated, local attacker to elevate privileges to Administrator. To exploit the vulnerability, the attacker must authenticate with valid local user credentials. This vulnerability is due to improper implementation of file system permissions, which could allow non-administrative users to place files within restricted directories. An attacker could exploit this vulnerability by placing an executable file within the restricted directory, which when executed by the ERC client, would run with Administrator privileges.
by ParagonSec
CVSS 7.8
Linux Kernel < 4.14.8 - Out-of-bounds Read via timer_create sigev_notify Field
The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel before 4.14.8 doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE).
by Andrey Konovalov
CVSS 5.5
Oracle Solaris <11 - Privilege Escalation
Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Availability Suite Service). Supported versions that are affected are 10 and 11.3. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in takeover of Solaris. CVSS 3.0 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
by mu-b
CVSS 7.8
By Source