| ID | Brief Description (green for OOB, red for UAF in the original sheet) | References |
|---|---|---|
| CVE-2021-33909 | page-level nonlinear OOB | https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt |
| CVE-2021-22555 | 4 zero bytes overwrite on slab | https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html |
| CVE-2021-32606 | UAF on struct isotp_sock | https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-32606/cve-2021-32606.md |
| CVE-2021-27365 | slab OOB write in kmalloc-4096, vulnerable object: buffer | https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html |
| CVE-2020-0423 | UAF on Binder | https://www.longterm.io/cve-2020-0423.html |
| CVE-2020-8835 | eBPF, out-of-bound read/write, not a heap-based vulnerability | https://github.com/socketcall/CVE-2020-8835; https://www.thezdi.com/blog/2020/4/8/cve-2020-8835-linux-kernel-privilege-escalation-via-improper-ebpf-program-verification |
| CVE-2020-27194 | bpf, similar to CVE-2020-8835 | https://github.com/xmzyshypnc/CVE-2020-27194; https://github.com/scannells/exploits/blob/master/CVE-2020-27194/exploit.c |
| CVE-2020-16119 | DCCP UAF | https://github.com/HadarManor/Public-Vulnerabilities/blob/master/CVE-2020-16119/CVE-2020-16119.md |
| CVE-2020-14386 | in packet sockets, similar to CVE-2017-7308, zero 1-10 bytes behind a __get_free_pages allocation | https://github.com/cgwalters/cve-2020-14386; [writeup+PoC] https://unit42.paloaltonetworks.com/cve-2020-14386/; https://blog.frizn.fr/linux-kernel/cve-2020-14381 |
| CVE-2019-9213 + CVE-2018-5333 | logic error, map null address, Exp (combine with CVE-2019-8956 or CVE-2018-5333); CVE-2018-5333 is a NULL ptr dereference | https://github.com/HaleyWei/POC-available/tree/master/CVE-2019-9213; http://wiki.m4p1e.com/article/getById/80; https://xz.aliyun.com/t/6570; https://cert.360.cn/report/detail?id=58e8387ec4c79693354d4797871536ea |
| CVE-2019-8956 + CVE-2018-5333 | null ptr deref (actually 0xbc), SCTP, UAF. When traversing a doubly-linked list of sctp_association, one node is freed and deleted, making ->next = LIST_POISON1 (0x100). Thus the list is corrupted, with the next sctp_association pretended to be near 0x100. PoC + Exp (combine with CVE-2019-9213, ref2), PoC (ref4) | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-8956; https://xz.aliyun.com/t/6570; https://paper.seebug.org/938/ |
| CVE-2019-19377 | UAF, unknown | https://cyberweek.ae/materials/2020/D1T2%20-%20Kernel%20Exploitation%20with%20a%20File%20System%20Fuzzer.pdf |
| CVE-2019-19241 | logic error, no memory corruption | https://www.exploit-db.com/exploits/47779; https://www.anquanke.com/post/id/200486 |
| CVE-2019-18683 | UAF on kmalloc-1k, race condition, exploited by Alexander Popov | https://www.offensivecon.org/speakers/2020/alexander-popov.html; https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html |
| CVE-2019-15666 | OOB (harmless) and UAF; the reported out-of-bound array access is harmless, but there exists another execution path leading to use-after-free and reliable privilege escalation | https://duasynt.com/blog/ubuntu-centos-redhat-privesc; https://github.com/duasynt/xfrm_poc |
| CVE-2019-13272 | logic error, ptrace, out of scope | https://github.com/jas502n/CVE-2019-13272 |
| CVE-2019-10639 | KASLR bypass, side channel, writeup (ref1) | https://arxiv.org/pdf/1906.10478.pdf |
| CVE-2018-9568 | type confusion, in both Android and Linux | https://github.com/ThomasKing2014/slides/blob/master/Building%20universal%20Android%20rooting%20with%20a%20type%20confusion%20vulnerability.pdf |
| CVE-2018-8781 | arbitrary write, requires a DisplayLink device to trigger this vulnerability. Additional checks showed that the user can read and write from/to the mapped pages, giving an attacker a powerful primitive that could be used to trigger code execution in kernel space. | https://research.checkpoint.com/mmap-vulnerabilities-linux-kernel/ |
| CVE-2018-6555 | UAF, IrDA, CVE-2018-6554, LPE, kmalloc-96. The UAF overwrites a->q_prev (offset 0x8) with 0xffff8800xxxxxxxx; an exploit can heap-spray to replace a->q_prev with a kernel address, and then 0xffff8800xxxxxxxx is written to that kernel address. If operating in the order insert s1, s2, s3, reinsert s3, free s3, s2, then a->q_next is corrupted | https://ssd-disclosure.com/ssd-advisory-irda-linux-driver-uaf/; https://cyseclabs.com/slides/bevx-talk.pdf |
| CVE-2018-5703 | slab OOB, vulnerable object is struct tcp6_sock (size 2536, kmalloc-4096). This slab includes 2 pages but 1 object in total. The overflow is 160 bytes with content not under control. Weiteng: the vulnerable object is allocated by a special cache 'TCP'. | https://groups.google.com/d/msg/syzkaller-bugs/0PBeVnSzfqQ/5eXAlM46BQAJ; KOOBE |
| CVE-2018-18955 | logic error | https://bugs.chromium.org/p/project-zero/issues/detail?id=1712; https://github.com/bcoles/kernel-exploits/blob/master/CVE-2018-18955/ |
| CVE-2018-18559 | UAF on packet_sock, kmalloc-4096 | https://ssd-disclosure.com/ssd-advisory-linux-kernel-af_packet-use-after-free-2/ |
| CVE-2018-18281 | race in the buddy system, TLB | https://googleprojectzero.blogspot.com/2019/01/taking-page-from-kernels-book-tlb-issue.html; https://xz.aliyun.com/t/4005 |
| CVE-2018-17182 | UAF, VMA | https://bugs.chromium.org/p/project-zero/issues/detail?id=1664; https://www.anquanke.com/post/id/161632; https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html |
| CVE-2018-14634 | integer overflow, logic error. A local attacker can exploit this vulnerability via a SUID-root binary and obtain full root privileges. 32-bit systems and machines with less than 32GB of memory are not affected. | https://github.com/luan0ap/cve-2018-14634; https://www.openwall.com/lists/oss-security/2018/09/25/4 |
| CVE-2018-1000204 | infoleak, copies uninitialized data to userspace | https://seclists.org/oss-sec/2018/q2/168 |
| CVE-2017-8890 | double free, struct ip_mc_socklist, size=0x30, kmalloc-64 | http://www.freebuf.com/articles/terminal/160041.html; https://0x3f97.github.io/exploit/2018/08/13/cve-2017-8890-root-case-analysis/; https://xz.aliyun.com/t/2383 |
| CVE-2017-8824 | UAF, read only, no write, DCCP | http://www.openwall.com/lists/oss-security/2017/12/05/1; https://www.exploit-db.com/exploits/43234; https://github.com/ww9210/Linux_kernel_exploits |
| CVE-2017-7616 | stack infoleak | https://grsecurity.net/the_infoleak_that_mostly_wasnt |
| CVE-2017-7558 | OOB read, KASLR bypass | https://www.exploit-db.com/exploits/45919 |
| CVE-2017-7533 | slab OOB, inotify, race condition, kmalloc-96; overwrites no more than 12 bytes of the next object, with the last byte '\0'; overwrite the freelist pointer to exploit | https://github.com/hardenedlinux/offensive_poc/tree/master/CVE-2017-7533 |
| CVE-2017-7308 | slab OOB, Project Zero, page allocator; overflow from a 0x8000-byte page allocated by the buddy allocator; cross-cache overwrite into kmalloc-2048, which holds packet_sock | https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html |
| CVE-2017-7184 | slab OOB, Chaitin, 000...01, controllable cache, kmalloc-256, overwrites a file structure | https://zhuanlan.zhihu.com/p/26674557 |
| CVE-2017-6074 | double free, sizeof(struct sk_buff), kmalloc-256 works | https://www.openwall.com/lists/oss-security/2017/02/26/2; https://zhuanlan.zhihu.com/p/25690077; https://0x3f97.github.io/exploit/2018/08/16/cve-2017-6074-briefly-analyze/; https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-6074 |
| CVE-2017-5123 | arbitrary write; a 5-byte arbitrary write of the form 0x**********000000, where the *'s can be anything | https://github.com/nongiach/CVE/tree/master/CVE-2017-5123; https://salls.github.io/Linux-Kernel-CVE-2017-5123/; https://github.com/salls/kernel-exploits/blob/master/CVE-2017-5123/exploit_no_smap.c |
| CVE-2017-2636 | double free, exploited by Alexander Popov, kmalloc-8192 (sizeof(struct n_hdlc_buf)) | https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html; http://blog.ptsecurity.com/2017/03/cve-2017-2636-exploit-race-condition-in.html |
| CVE-2017-18344 | arbitrary read, OOB read | https://www.openwall.com/lists/oss-security/2018/08/09/6; https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-18344; https://www.immunityinc.com/downloads/Kernel-Memory-Disclosure-and-Canvas_Part_2.pdf |
| CVE-2017-17053 | double free, sizeof(struct ldt_struct) = 0x10; usage is the address of the next free chunk | https://xorl.wordpress.com/2017/12/03/cve-2017-17053-linux-kernel-ldt-use-after-free/; https://github.com/ww9210/Linux_kernel_exploits/tree/master/cve-2017-17053 |
| CVE-2017-16995 | logic error, bpf | https://www.youtube.com/watch?v=MYEAGmP_id4; https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html; https://www.exploit-db.com/exploits/45010 |
| CVE-2017-15649 | UAF read/write, race condition, sizeof(struct packet_fanout) in kmalloc-4096 (4.14.0-rc1); packet_fanout->prot_hook is dereferenced in dev_add_pack(). zr: cannot transform to type2 | https://ssd-disclosure.com/ssd-advisory-linux-kernel-af_packet-use-after-free/; https://github.com/ww9210/Linux_kernel_exploits/tree/master/cve-2017-15649 |
| CVE-2017-11176 | UAF read, reference count, double sock_put() bug, kmalloc-1024 or kmalloc-2048 depending on the target's sizeof(struct sock); sock->__sk_common.skc_refcnt is at offset 0x80 in v4.11; exploitable using collision | https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part1.html#understanding-the-bug |
| CVE-2017-10661 | UAF, hard to reproduce, kmalloc-256, sizeof(timerfd_ctx) = 216. Can be mitigated by DEBUG_LIST. Exploiting this needs carefully crafted link data. | https://www.youtube.com/watch?v=MYEAGmP_id4; https://paper.seebug.org/596/ |
| CVE-2017-1000380 | infoleak, data race, ALSA, uninitialized memory | https://seclists.org/oss-sec/2017/q2/455 |
| CVE-2017-1000367 | logic error, no memory corruption | https://www.openwall.com/lists/oss-security/2017/05/30/16 |
| CVE-2017-1000251 | stack buffer overflow, Bluetooth, BlueZ | [PoC] https://github.com/marsyy/littl_tools/tree/master/bluetooth/CVE-2017-1000251; [analysis] https://paper.seebug.org/408/; [exp] https://github.com/marsyy/littl_tools/tree/master/bluetooth/exploit |
| CVE-2017-1000250 | infoleak, BlueZ, OOB read | [analysis] https://paper.seebug.org/408/; [exp] https://github.com/olav-st/CVE-2017-1000250-PoC |
| CVE-2017-1000112 | slab OOB, i.e., skb data OOB; overflow inside a struct with a function ptr | https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c; https://www.mcafee.com/blogs/other-blogs/mcafee-labs/linux-kernel-vulnerability-can-lead-to-privilege-escalation-analyzing-cve-2017-1000112/ |
| CVE-2016-9793 | integer overflow; sk_sndbuf in sk is an int, but a u32 value is assigned to it. An attacker can craft a very large unsigned int value to make sk_sndbuf negative, referring to a user space address. | https://dangokyo.me/2017/11/05/analysis-on-cve-2016-9793/; https://github.com/xairy/kernel-exploits/blob/master/CVE-2016-9793/poc.c |
| CVE-2016-9555 | slab OOB read, SCTP | https://bugzilla.redhat.com/show_bug.cgi?id=1397930; https://groups.google.com/forum/#!topic/syzkaller/pAUcHsUJbjk |
| CVE-2016-8655 | UAF, race condition, sizeof(struct sock) = 1408, kmalloc-2048 | http://seclists.org/oss-sec/2016/q4/607; https://github.com/LakshmiDesai/CVE-2016-8655/blob/master/CVE-2016-8655.c; https://www.anquanke.com/post/id/85162 |
| CVE-2016-8633 | OOB on skb->data, can be used to overwrite skb_shared_info | https://eyalitkin.wordpress.com/2016/11/06/cve-publication-cve-2016-8633/ |
| CVE-2016-7117 | UAF, sizeof(struct socket_alloc) = 608 in v4.5, socket_alloc->socket->sk->sk_err = -err | https://blog.lizzie.io/notes-about-cve-2016-7117.html |
| CVE-2016-6787 | UAF on struct perf_event_context | https://speakerdeck.com/retme7/the-art-of-exploiting-unconventional-use-after-free-bugs-in-android-kernel; https://hardenedlinux.github.io/system-security/2017/10/16/Exploiting-on-CVE-2016-6787.html |
| CVE-2016-6516 | double fetch, writes a bunch of zeros | https://github.com/wpengfei/CVE-2016-6516-exploit/blob/master/CVE-2016-6516.docx |
| CVE-2016-6187 | slab off-by-one, corrupts the freelist and directs allocation to physmap, controllable (<= 128) | http://cyseclabs.com/blog/cve-2016-6187-heap-off-by-one-exploit |
| CVE-2016-5195 | logic error, race condition, Dirty COW | https://chao-tic.github.io/blog/2017/05/24/dirty-cow |
| CVE-2016-4557 | UAF, reference count; fdput() decrements file->f_count, whose offset is 0x38 (56); reopening with the append flag can possibly modify file->f_flags, whose offset is 0x40 (64) | https://bugs.chromium.org/p/project-zero/issues/detail?id=808 |
| CVE-2016-2384 | double free, usb-midi module, sizeof(struct snd_usb_midi); the exploit requires a hardware USB emulator that emulates a particular malicious USB device | https://cxsecurity.com/issue/WLB-2017050093 |
| CVE-2016-1583 | recursion, stack overflow | https://googleprojectzero.blogspot.de/2016/06/exploiting-recursion-in-linux-kernel_20.html |
| CVE-2016-1576 | logic error, no memory corruption | https://www.openwall.com/lists/oss-security/2016/02/24/8 |
| CVE-2016-10150 | UAF, sizeof(struct kvm_device); usage is the address of the next free chunk. type1 in structure kvm_device. Cannot hijack to physmap. list_del() modifies kvm_device->vm_node.next and kvm_device->vm_node.prev, whose offsets are 0x18 (24) and 0x20 (32) | https://www.openwall.com/lists/oss-security/2017/01/18/10; https://github.com/ww9210/Linux_kernel_exploits/tree/master/cve-2016-10150 |
| CVE-2016-0728 | UAF, type1, key, sizeof(struct key); usage is the address of the next free chunk | https://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/; https://github.com/ww9210/Linux_kernel_exploits |