C Exploits
3,622 exploits tracked across all sources.
Linux Kernel 3.13-3.14.19 - Denial of Service via Associative Array Garbage Collection
The assoc_array_gc function in the associative-array implementation in lib/assoc_array.c in the Linux kernel before 3.16.3 does not properly implement garbage collection, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via multiple "keyctl newring" operations followed by a "keyctl timeout" operation.
by Emeric Nasi
Linux Kernel <3.15.6 - Privilege Escalation
The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket.
by Emeric Nasi
SoftSphere DefenseWall Personal Firewall 3.24 - Privilege Escalation
The dwall.sys driver in SoftSphere DefenseWall Personal Firewall 3.24 allows local users to write data to arbitrary memory locations, and consequently gain privileges, via a crafted 0x00222000, 0x00222004, 0x00222008, 0x0022200c, or 0x00222010 IOCTL call.
by Parvez Anwar
K7 Computing Ultimate Security - Memory Corruption
K7Sentry.sys in K7 Computing Ultimate Security, Anti-Virus Plus, and Total Security before 14.2.0.253 allows local users to write to arbitrary memory locations, and consequently gain privileges, via a crafted 0x95002570, 0x95002574, 0x95002580, 0x950025a8, 0x950025ac, or 0x950025c8 IOCTL call.
by Parvez Anwar
BullGuard Antivirus <15.0.288 - Privilege Escalation
bdagent.sys in BullGuard Antivirus, Internet Security, Premium Protection, and Online Backup before 15.0.288 allows local users to write data to arbitrary memory locations, and consequently gain privileges, via a crafted 0x0022405c IOCTL call.
by Parvez Anwar
AVG Internet Security <2013.3495-2015.5315 - Privilege Escalation
The TDI driver (avgtdix.sys) in AVG Internet Security before 2013.3495 Hot Fix 18 and 2015.x before 2015.5315 and Protection before 2015.5315 allows local users to write to arbitrary memory locations, and consequently gain privileges, via a crafted 0x830020f8 IOCTL call.
by Parvez Anwar
Symantec Deployment Solution <6.9 - Buffer Overflow
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.
by Parvez Anwar
Trend Micro Antivirus <2.0.0.1015 - Privilege Escalation
The tmeext.sys driver before 2.0.0.1015 in Trend Micro Antivirus Plus, Internet Security, and Maximum Security allows local users to write to arbitrary memory locations, and consequently gain privileges, via a crafted 0x00222400 IOCTL call.
by Parvez Anwar
McAfee Data Loss Prevention Endpoint - Privilege Escalation
McAfee Data Loss Prevention Endpoint (DLPe) before 9.3.400 allows local users to write to arbitrary memory locations, and consequently gain privileges, via a crafted (1) 0x00224014 or (2) 0x0022c018 IOCTL call.
by Parvez Anwar
COMODO Backup <4.4.1.23 - Privilege Escalation
The bdisk.sys driver in COMODO Backup before 4.4.1.23 allows remote attackers to gain privileges via a crafted device handle, which triggers a NULL pointer dereference.
by Parvez Anwar
Malwarebytes Anti-Exploit < 1.04.1.1012 - Denial of Service via IOCTL Call
mbae.sys in Malwarebytes Anti-Exploit before 1.05.1.2014 allows local users to cause a denial of service (crash) via a crafted size in an unspecified IOCTL call, which triggers an out-of-bounds read. NOTE: some of these details are obtained from third party information.
by Parvez Anwar
Apple iOS <8.1.3, OS X <10.10.2, TV <7.0.3 - RCE
libnetcore in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not verify that certain values have the expected data type, which allows attackers to execute arbitrary code in an _networkd context via a crafted XPC message from a sandboxed app, as demonstrated by lack of verification of the XPC dictionary data type.
by Google Security Research
Apple Mac OSX 10.9.5 - IOKit IntelAccelerator Null Pointer Dereference
by Google Security Research
Apple Mac OSX 10.10 - IOKit IntelAccelerator Null Pointer Dereference
by Google Security Research
Apple Mac OSX 10.10 - BlueTooth TransferACLPacketToHW Crash (PoC)
by rpaleari & joystick
Apple Mac OSX 10.10 - BlueTooth DispatchHCIWriteStoredLinkKey Crash (PoC)
by rpaleari & joystick
Apple Mac OSX 10.10 - BlueTooth DispatchHCICreateConnection Crash (PoC)
by rpaleari & joystick
Apple Mac OSX 10.10 - BlueTooth BlueToothHCIChangeLocalName Crash (PoC)
by rpaleari & joystick
Apple macOS X < 10.10.2 - Remote Code Execution via XPC Type Confusion in libxpc
The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.
by Google Security Research
Linux kernel 3.x - Memory Corruption
drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain offset, length, and base values within an ioctl call, which allows attackers to gain privileges or cause a denial of service (memory corruption) via a crafted application.
by retme
Linux Kernel <=3.14.5 - Privilege Escalation
The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.
by Kaiqu Chen
CVSS 7.8
Apple Mac OSX (Mavericks) - 'IOBluetoothHCIUserClient' Privilege Escalation
by rpaleari & joystick
OpenBSD 5.5 - Local Kernel Panic (Denial of Service)
by nitr0us
aircrack-ng < 1.2 RC 1 - Remote Code Execution via Crafted Length Parameter
Stack-based buffer overflow in the tcp_test function in aireplay-ng.c in Aircrack-ng before 1.2 RC 1 allows remote attackers to execute arbitrary code via a crafted length parameter value.
by Nick Sampanis
CVSS 9.8
By Source