ID | Brief description | References
(Rows in the original sheet were colour-coded, green for OOB and red for UAF. The colours do not survive export, so the vulnerability class is spelled out in each description.)

CVE-2021-33909: page-level nonlinear OOB (local privilege escalation)
    https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt

CVE-2021-22555: 4 zero bytes written out of bounds on the slab (heap OOB write)
    https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html

CVE-2021-32606: UAF on struct isotp_sock
    https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-32606/cve-2021-32606.md

CVE-2021-27365: slab OOB write in kmalloc-4096; vulnerable object: buffer
    https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html

CVE-2020-0423: UAF on Binder
    https://www.longterm.io/cve-2020-0423.html

CVE-2020-8835: eBPF verifier bug, out-of-bounds read/write; not a heap-based vulnerability
    https://github.com/socketcall/CVE-2020-8835
    https://www.thezdi.com/blog/2020/4/8/cve-2020-8835-linux-kernel-privilege-escalation-via-improper-ebpf-program-verification

CVE-2020-27194: bpf, similar to CVE-2020-8835
    https://github.com/xmzyshypnc/CVE-2020-27194
    https://github.com/scannells/exploits/blob/master/CVE-2020-27194/exploit.c

CVE-2020-16119: DCCP UAF
    https://github.com/HadarManor/Public-Vulnerabilities/blob/master/CVE-2020-16119/CVE-2020-16119.md

CVE-2020-14386: packet sockets, similar to CVE-2017-7308; zeroes 1-10 bytes beyond a __get_free_pages allocation
    https://github.com/cgwalters/cve-2020-14386
    [writeup+PoC] https://unit42.paloaltonetworks.com/cve-2020-14386/
    https://blog.frizn.fr/linux-kernel/cve-2020-14381

CVE-2019-9213 + CVE-2018-5333: logic error that allows mapping the null address; the exploit combines it with CVE-2019-8956 or CVE-2018-5333 (CVE-2018-5333 is a NULL pointer dereference)
    https://github.com/HaleyWei/POC-available/tree/master/CVE-2019-9213
    http://wiki.m4p1e.com/article/getById/80
    https://xz.aliyun.com/t/6570
    https://cert.360.cn/report/detail?id=58e8387ec4c79693354d4797871536ea

CVE-2019-8956 + CVE-2018-5333: SCTP, NULL pointer dereference (actually at 0xbc) that becomes a UAF. While traversing the doubly-linked list of sctp_association, one node is freed and deleted, which sets its ->next = LIST_POISON1 (0x100); the list is thereby corrupted and the next sctp_association is taken to live near 0x100. PoC + exploit (combined with CVE-2019-9213, ref 2); PoC (ref 4)
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-8956
    https://xz.aliyun.com/t/6570
    https://paper.seebug.org/938/

CVE-2019-19377: UAF, details unknown
    https://cyberweek.ae/materials/2020/D1T2%20-%20Kernel%20Exploitation%20with%20a%20File%20System%20Fuzzer.pdf

CVE-2019-19241: logic error, no memory corruption
    https://www.exploit-db.com/exploits/47779
    https://www.anquanke.com/post/id/200486

CVE-2019-18683: UAF on kmalloc-1k, race condition; exploited by Alexander Popov
    https://www.offensivecon.org/speakers/2020/alexander-popov.html
    https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html

CVE-2019-15666: OOB (harmless) and UAF. The reported out-of-bounds array access is harmless, but another execution path leads to a use-after-free and reliable privilege escalation
    https://duasynt.com/blog/ubuntu-centos-redhat-privesc
    https://github.com/duasynt/xfrm_poc

CVE-2019-13272: logic error, ptrace; out of scope
    https://github.com/jas502n/CVE-2019-13272

CVE-2019-10639: KASLR bypass via a side channel; writeup (ref 1)
    https://arxiv.org/pdf/1906.10478.pdf

CVE-2018-9568: type confusion, in both Android and Linux
    https://github.com/ThomasKing2014/slides/blob/master/Building%20universal%20Android%20rooting%20with%20a%20type%20confusion%20vulnerability.pdf

CVE-2018-8781: arbitrary write; a DisplayLink device is required to trigger the vulnerability. Additional checks showed that the user can read and write the mapped pages, giving an attacker a powerful primitive that could be used to gain code execution in kernel space.
    https://research.checkpoint.com/mmap-vulnerabilities-linux-kernel/

CVE-2018-6555: UAF, IrDA (related: CVE-2018-6554), LPE, kmalloc-96. The UAF overwrites a->q_prev (offset 0x8) with 0xffff8800xxxxxxxx; the exploit heap-sprays to replace a->q_prev with a chosen kernel address, after which 0xffff8800xxxxxxxx is written to that address. Operating in the order insert s1, s2, s3, reinsert s3, free s3, s2 corrupts a->q_next instead.
    https://ssd-disclosure.com/ssd-advisory-irda-linux-driver-uaf/
    https://cyseclabs.com/slides/bevx-talk.pdf

CVE-2018-5703: slab OOB. The vulnerable object is struct tcp6_sock, size 2536, in kmalloc-4096; this slab spans 2 pages but holds only 1 object. The overflow is 160 bytes with content not under control. Note (Weiteng): the vulnerable object is allocated from a dedicated cache, 'TCP'.
    https://groups.google.com/d/msg/syzkaller-bugs/0PBeVnSzfqQ/5eXAlM46BQAJ
    KOOBE

CVE-2018-18955: logic error
    https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
    https://github.com/bcoles/kernel-exploits/blob/master/CVE-2018-18955/

CVE-2018-18559: UAF on packet_sock, kmalloc-4096
    https://ssd-disclosure.com/ssd-advisory-linux-kernel-af_packet-use-after-free-2/

CVE-2018-18281: race condition involving the buddy system and stale TLB entries
    https://googleprojectzero.blogspot.com/2019/01/taking-page-from-kernels-book-tlb-issue.html
    https://xz.aliyun.com/t/4005

CVE-2018-17182: UAF, VMA (cache invalidation bug)
    https://bugs.chromium.org/p/project-zero/issues/detail?id=1664
    https://www.anquanke.com/post/id/161632
    https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html

CVE-2018-14634: integer overflow, logic error. A local attacker can exploit it via a SUID-root binary and obtain full root privileges. 32-bit systems and machines with less than 32 GB of memory are not affected.
    https://github.com/luan0ap/cve-2018-14634
    https://www.openwall.com/lists/oss-security/2018/09/25/4

CVE-2018-1000204: infoleak, uninitialised data copied to userspace
    https://seclists.org/oss-sec/2018/q2/168?utm_source=dlvr.it&utm_medium=twitter

CVE-2017-8890: double free, struct ip_mc_socklist, size 0x30, kmalloc-64
    http://www.freebuf.com/articles/terminal/160041.html
    https://0x3f97.github.io/exploit/2018/08/13/cve-2017-8890-root-case-analysis/
    https://xz.aliyun.com/t/2383

CVE-2017-8824: UAF, read only (no write), DCCP
    http://www.openwall.com/lists/oss-security/2017/12/05/1
    https://www.exploit-db.com/exploits/43234
    https://github.com/ww9210/Linux_kernel_exploits

CVE-2017-7616: stack infoleak
    https://grsecurity.net/the_infoleak_that_mostly_wasnt

CVE-2017-7558: OOB read, KASLR bypass
    https://www.exploit-db.com/exploits/45919

CVE-2017-7533: slab OOB, notify, race condition, kmalloc-96; overwrites at most 12 bytes of the next object, with the last byte '\0'; exploited by overwriting the freelist pointer
    https://github.com/hardenedlinux/offensive_poc/tree/master/CVE-2017-7533

CVE-2017-7308: OOB (Project Zero), page allocator: overflow out of a 0x8000-byte region obtained from the buddy allocator; cross-cache overwrite into kmalloc-2048, where packet_sock lives
    https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html

CVE-2017-7184: slab OOB (Chaitin), writes 000...01, controllable cache, kmalloc-256, overwrites a file structure
    https://zhuanlan.zhihu.com/p/26674557

CVE-2017-6074: double free, sizeof(struct sk_buff); kmalloc-256 works
    https://www.openwall.com/lists/oss-security/2017/02/26/2
    https://zhuanlan.zhihu.com/p/25690077
    https://0x3f97.github.io/exploit/2018/08/16/cve-2017-6074-briefly-analyze/
    https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-6074

CVE-2017-5123: arbitrary write; 5 attacker-influenced bytes in the pattern 0x**********000000, where the *'s can be anything
    https://github.com/nongiach/CVE/tree/master/CVE-2017-5123
    https://salls.github.io/Linux-Kernel-CVE-2017-5123/
    https://github.com/salls/kernel-exploits/blob/master/CVE-2017-5123/exploit_no_smap.c

CVE-2017-2636: double free, exploited by Alexander Popov; kmalloc-8192 (sizeof(struct n_hdlc_buf))
    https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
    http://blog.ptsecurity.com/2017/03/cve-2017-2636-exploit-race-condition-in.html

CVE-2017-18344: arbitrary read, OOB read
    https://www.openwall.com/lists/oss-security/2018/08/09/6
    https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-18344
    https://www.immunityinc.com/downloads/Kernel-Memory-Disclosure-and-Canvas_Part_2.pdf

CVE-2017-17053: double free, sizeof(struct ldt_struct) = 0x10; after the free, the usage field holds the address of the next free chunk
    https://xorl.wordpress.com/2017/12/03/cve-2017-17053-linux-kernel-ldt-use-after-free/
    https://github.com/ww9210/Linux_kernel_exploits/tree/master/cve-2017-17053

CVE-2017-16995: logic error, bpf
    https://www.youtube.com/watch?v=MYEAGmP_id4
    https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
    https://www.exploit-db.com/exploits/45010

CVE-2017-15649: UAF read/write, race condition; sizeof(struct packet_fanout) falls in kmalloc-4096 (4.14.0-rc1); packet_fanout->prot_hook is dereferenced in dev_add_pack(). Note (zr): cannot be transformed into type2.
    https://ssd-disclosure.com/ssd-advisory-linux-kernel-af_packet-use-after-free/
    https://github.com/ww9210/Linux_kernel_exploits/tree/master/cve-2017-15649

CVE-2017-11176: UAF read, reference count bug (double sock_put()); kmalloc-1024 or kmalloc-2048 depending on the target's sizeof(struct sock); sock->__sk_common.skc_refcnt is at offset 0x80 in v4.11; exploitation works by colliding another allocation with the freed object
    https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part1.html#understanding-the-bug

CVE-2017-10661: UAF, hard to reproduce; kmalloc-256, sizeof(struct timerfd_ctx) = 216. Mitigated by CONFIG_DEBUG_LIST. Exploiting it requires carefully crafted list link data.
    https://www.youtube.com/watch?v=MYEAGmP_id4
    https://paper.seebug.org/596/

CVE-2017-1000380: infoleak, data race, ALSA, uninitialised memory
    https://seclists.org/oss-sec/2017/q2/455

CVE-2017-1000367: logic error, no memory corruption
    https://www.openwall.com/lists/oss-security/2017/05/30/16

CVE-2017-1000251: stack buffer overflow, Bluetooth, BlueZ
    [PoC] https://github.com/marsyy/littl_tools/tree/master/bluetooth/CVE-2017-1000251
    [analysis] https://paper.seebug.org/408/
    [exp] https://github.com/marsyy/littl_tools/tree/master/bluetooth/exploit

CVE-2017-1000250: infoleak, BlueZ, OOB read
    [analysis] https://paper.seebug.org/408/
    [exp] https://github.com/olav-st/CVE-2017-1000250-PoC

CVE-2017-1000112: slab OOB, i.e. skb data OOB; the overflow lands inside a struct holding a function pointer
    https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
    https://www.mcafee.com/blogs/other-blogs/mcafee-labs/linux-kernel-vulnerability-can-lead-to-privilege-escalation-analyzing-cve-2017-1000112/

CVE-2016-9793: integer overflow. sk->sk_sndbuf is an int, but a u32 value is assigned to it; an attacker can supply a very large unsigned value that makes sk_sndbuf negative, so that the kernel ends up referring to a user-space address.
    https://dangokyo.me/2017/11/05/analysis-on-cve-2016-9793/
    https://github.com/xairy/kernel-exploits/blob/master/CVE-2016-9793/poc.c
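The CVE-2016-9793 entry above is a one-line summary of a type-width bug. The following added example (my own user-space model, not code from this page, from the PoC linked above, or from the kernel tree) reproduces the arithmetic next to a clamped version. It assumes the kernel's `SO_SNDBUFFORCE` path evaluated `max_t(u32, val * 2, SOCK_MIN_SNDBUF)` and stored the result in the `int` field `sk_sndbuf`; the value of `SOCK_MIN_SNDBUF` and the names `set_sndbuf_vulnerable`/`set_sndbuf_fixed` are assumptions made for the model. The consumer that turns the negative size into a user-space reference is not modelled.

```c
/* Added example, not from the page or the kernel: a user-space model of the
 * SO_SNDBUFFORCE sizing logic behind CVE-2016-9793. The kernel computed
 * sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF) with sk_sndbuf
 * declared int and val taken from setsockopt(); the two functions below
 * reproduce that arithmetic and a clamped version. SOCK_MIN_SNDBUF's value
 * is an assumption for the model. */
#include <limits.h>
#include <stdint.h>

#define SOCK_MIN_SNDBUF 4608          /* assumed constant for the model */

struct model_sock { int sk_sndbuf; }; /* same field type as the kernel's struct sock */
static struct model_sock g_sk;

/* Vulnerable form: the max() is evaluated in u32 and the result is stored
 * in an int. For val >= 0x40000000, val * 2 has bit 31 set, so sk_sndbuf
 * becomes negative. SO_SNDBUFFORCE skips the sysctl clamp that SO_SNDBUF
 * applies, so nothing bounds val (CAP_NET_ADMIN is required to use it). */
static int set_sndbuf_vulnerable(int val)
{
    uint32_t doubled = (uint32_t)val * 2u;
    uint32_t chosen = doubled > SOCK_MIN_SNDBUF ? doubled : SOCK_MIN_SNDBUF;
    g_sk.sk_sndbuf = (int)chosen;     /* u32 -> int truncation; negative for large val */
    return g_sk.sk_sndbuf;
}

/* Hardened form, the shape of the upstream fix: reject negative input,
 * clamp before doubling so the product fits in an int, and compare as int
 * so the stored value is always >= SOCK_MIN_SNDBUF. */
static int set_sndbuf_fixed(int val)
{
    if (val < 0)
        val = 0;
    if (val > INT_MAX / 2)
        val = INT_MAX / 2;
    int doubled = val * 2;            /* cannot overflow after the clamp */
    g_sk.sk_sndbuf = doubled > SOCK_MIN_SNDBUF ? doubled : SOCK_MIN_SNDBUF;
    return g_sk.sk_sndbuf;
}

int main(void)
{
    /* Constructed inputs: a benign value, then the smallest value that
     * flips the sign in the vulnerable version. */
    int benign = set_sndbuf_vulnerable(100000);
    int flipped = set_sndbuf_vulnerable(0x40000000);
    int fixed = set_sndbuf_fixed(0x40000000);
    return (benign == 200000 && flipped < 0 && fixed > 0) ? 0 : 1;
}
```

The point to take from the model is that the bug is invisible at the call site: `val` is a perfectly valid `int`, and only the mixed-width `max_t` plus the implicit narrowing produce a negative buffer size. Reviewing any `max_t(u32, ...)`/`min_t(u32, ...)` whose result lands in a signed field is a cheap audit for the same pattern.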
CVE-2016-9555: slab OOB read, SCTP
    https://bugzilla.redhat.com/show_bug.cgi?id=1397930
    https://groups.google.com/forum/#!topic/syzkaller/pAUcHsUJbjk

CVE-2016-8655: UAF, race condition; sizeof(struct sock) = 1408, kmalloc-2048
    http://seclists.org/oss-sec/2016/q4/607
    https://github.com/LakshmiDesai/CVE-2016-8655/blob/master/CVE-2016-8655.c
    https://www.anquanke.com/post/id/85162

CVE-2016-8633: OOB on skb->data; can be used to overwrite skb_shared_info
    https://eyalitkin.wordpress.com/2016/11/06/cve-publication-cve-2016-8633/

CVE-2016-7117: UAF; sizeof(struct socket_alloc) = 608 in v4.5; socket_alloc->socket->sk->sk_err = -err
    https://blog.lizzie.io/notes-about-cve-2016-7117.html

CVE-2016-6787: UAF on struct perf_event_context
    https://speakerdeck.com/retme7/the-art-of-exploiting-unconventional-use-after-free-bugs-in-android-kernel
    https://hardenedlinux.github.io/system-security/2017/10/16/Exploiting-on-CVE-2016-6787.html

CVE-2016-6516: double fetch; writes a run of zero bytes
    https://github.com/wpengfei/CVE-2016-6516-exploit/blob/master/CVE-2016-6516.docx

CVE-2016-6187: slab off-by-one; corrupts the freelist and redirects an allocation into the physmap; controllable (<= 128)
    http://cyseclabs.com/blog/cve-2016-6187-heap-off-by-one-exploit

CVE-2016-5195: logic error, race condition (Dirty COW)
    https://chao-tic.github.io/blog/2017/05/24/dirty-cow

CVE-2016-4557: UAF, reference count. fdput() decrements file->f_count, at offset 0x38 (56); reopening with the append flag can modify file->f_flags, at offset 0x40 (64)
    https://bugs.chromium.org/p/project-zero/issues/detail?id=808

CVE-2016-2384: double free, usb-midi module, sizeof(struct snd_usb_midi); exploitation requires a USB hardware emulator that presents a particular malicious USB device
    https://cxsecurity.com/issue/WLB-2017050093

CVE-2016-1583: recursion, kernel stack overflow
    https://googleprojectzero.blogspot.de/2016/06/exploiting-recursion-in-linux-kernel_20.html

CVE-2016-1576: logic error, no memory corruption
    https://www.openwall.com/lists/oss-security/2016/02/24/8

CVE-2016-10150: UAF, sizeof(struct kvm_device); after the free, the usage field holds the address of the next free chunk (type1, in struct kvm_device). Cannot be hijacked to the physmap. list_del() modifies kvm_device->vm_node.next and kvm_device->vm_node.prev, at offsets 0x18 (24) and 0x20 (32).
    https://www.openwall.com/lists/oss-security/2017/01/18/10
    https://github.com/ww9210/Linux_kernel_exploits/tree/master/cve-2016-10150

CVE-2016-0728: UAF, type1, keyrings; sizeof(struct key); after the free, the usage field holds the address of the next free chunk
    https://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
    https://github.com/ww9210/Linux_kernel_exploits
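Several entries above (CVE-2016-0728, CVE-2016-10150, CVE-2017-17053, and the freelist corruption in CVE-2016-6187) share one mechanism: the object's reference count (`usage`) is the first word of the object, and a freed SLUB object stores its freelist pointer in that same word, so a stale refcount operation rewrites the allocator's next pointer. The following added example is my own user-space model of that mechanism, not code from this page, the linked exploits, or the kernel. It assumes the 4.x-era layout with the freelist pointer at offset 0 (newer kernels move it into the middle of the object and, with CONFIG_SLAB_FREELIST_HARDENED, mangle it); the slab geometry, the name `type1_uaf`, and the in-slab sanity check in `slab_alloc` are constructed for the model.

```c
/* Added example, not from the page or any kernel tree: a user-space model
 * of a "type1" use-after-free, where the refcount (`usage`) occupies the
 * first word of the object, the same word a SLUB-style allocator uses for
 * the freelist pointer once the object is freed. Slab geometry and the
 * in-slab sanity check are assumptions made for the model. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OBJ_SIZE 32
#define NR_OBJS  4

struct victim {
    unsigned long usage;                          /* refcount at offset 0 */
    char payload[OBJ_SIZE - sizeof(unsigned long)];
};

struct slab {
    unsigned char mem[NR_OBJS * OBJ_SIZE];        /* backing memory for NR_OBJS objects */
    uintptr_t freelist;                           /* address of the first free object, 0 if empty */
};

static struct slab g_slab;

/* Returns 1 if address p lies inside the slab's backing memory. */
static int slab_contains(const struct slab *s, uintptr_t p)
{
    uintptr_t lo = (uintptr_t)s->mem, hi = lo + sizeof(s->mem);
    return p >= lo && p < hi;
}

/* The freelist pointer lives in the first word of a free object. memcpy
 * keeps the accesses free of strict-aliasing trouble. */
static uintptr_t get_fp(uintptr_t obj)
{
    uintptr_t next;
    memcpy(&next, (const void *)obj, sizeof(next));
    return next;
}

static void set_fp(uintptr_t obj, uintptr_t next)
{
    memcpy((void *)obj, &next, sizeof(next));
}

static void slab_init(struct slab *s)
{
    memset(s->mem, 0, sizeof(s->mem));
    s->freelist = 0;
    for (int i = NR_OBJS - 1; i >= 0; i--) {      /* allocation order: obj0, obj1, obj2, obj3 */
        uintptr_t obj = (uintptr_t)s->mem + (uintptr_t)i * OBJ_SIZE;
        set_fp(obj, s->freelist);
        s->freelist = obj;
    }
}

/* Pops the freelist head, trusting the next pointer stored inside the
 * object. The model refuses to continue with an address outside the slab
 * and returns 0; a real kernel would simply use the wild pointer. */
static uintptr_t slab_alloc(struct slab *s)
{
    uintptr_t obj = s->freelist;
    if (!obj)
        return 0;
    uintptr_t next = get_fp(obj);
    if (next && !slab_contains(s, next)) {
        s->freelist = 0;
        return 0;
    }
    s->freelist = next;
    return obj;
}

static void slab_free(struct slab *s, uintptr_t obj)
{
    set_fp(obj, s->freelist);
    s->freelist = obj;
}

/* Scenario: allocate, free, then bump the refcount of the *freed* object
 * `bumps` times through a dangling pointer (each bump adds 1 to the word
 * that now holds the freelist pointer), then allocate twice. The first
 * allocation returns the same object; the second returns whatever the
 * corrupted word pointed at. Returns that second address, or 0 when the
 * model's sanity check caught a pointer outside the slab. */
static uintptr_t type1_uaf(unsigned long bumps)
{
    slab_init(&g_slab);
    uintptr_t obj0 = slab_alloc(&g_slab);
    struct victim *dangling = (struct victim *)obj0;
    slab_free(&g_slab, obj0);                     /* dangling->usage now holds the address of obj1 */
    for (unsigned long i = 0; i < bumps; i++)
        dangling->usage++;                        /* the UAF: refcount increment on freed memory */
    (void)slab_alloc(&g_slab);                    /* hands out obj0 again; freelist := usage */
    return slab_alloc(&g_slab);                   /* attacker-influenced address */
}

int main(void)
{
    uintptr_t obj1 = (uintptr_t)g_slab.mem + OBJ_SIZE;
    /* With 8 bumps the allocator hands out obj1 + 8: a misaligned address
     * inside another live object, which is the "controllable allocation"
     * the entries above build their exploits on. */
    return (type1_uaf(0) == obj1 && type1_uaf(8) == obj1 + 8) ? 0 : 1;
}
```

Two things generalise from the model. First, the number of refcount bumps is the attacker's write primitive: `usage++` on a freed object is an increment of the freelist pointer, so an exploit that can trigger the refcount path N times can steer the next allocation N bytes past a neighbouring object. Second, the `slab_contains` check is the model's stand-in for a mitigation; the kernel's CONFIG_SLAB_FREELIST_HARDENED instead xors the stored pointer with a per-cache secret and the slot address, so an additive bump no longer decodes to a nearby address, which is what makes the 4.x-era "usage is address of next free chunk" technique unreliable on hardened builds.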