23 matches found
Linux-privesc-PoC
Linux Privilege Escalation PoC Lab Educational disclaimer...
Exploit for CVE-2026-31431
Copy Fail - Defense-in-Depth Primitives for CVE-2026-31431 Ke...
PT-2026-34502
The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows...
CVE-2026-39420
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an incomplete sandbox protection mechanism allows an authenticated user with tool execution privileges to escape the LD_PRELOAD-based sandbox. By env command the attacker can clear the environment variables and drop...
CVE-2026-39421 MaxKB: Sandbox escape via ctypes and unhooked SYS_pkey_mprotect
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a sandbox escape vulnerability in the ToolExecutor component. By leveraging Python's ctypes library to execute raw system calls, an authenticated attacker with workspace privileges can bypass the LD_PRELOAD-based...
CVE-2026-39420 MaxKB: Sandbox escape via LD_PRELOAD bypass
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an incomplete sandbox protection mechanism allows an authenticated user with tool execution privileges to escape the LD_PRELOAD-based sandbox. By env command the attacker can clear the environment variables and drop...
CVE-2026-39420
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an incomplete sandbox protection mechanism allows an authenticated user with tool execution privileges to escape the LD_PRELOAD-based sandbox. By env command the attacker can clear the environment variables and drop...
PT-2026-32574
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an incomplete sandbox protection mechanism allows an authenticated user with tool execution privileges to escape the LD_PRELOAD-based sandbox. By env command the attacker can clear the environment variables and drop...
PT-2026-32573
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, sandbox network protection can be bypassed by using socket.sendto with the MSG_FASTOPEN flag. This allows an authenticated user with tool-editing permissions to reach internal services that are explicitly blocked by th...
CVE-2025-34190
Vasion Print (PrinterLogic) PrinterInstallerClientService is affected by an authentication bypass through LD_PRELOAD hooking of geteuid, enabling local privilege escalation. Affected versions include Virtual Appliance Host prior to 25.1.102 and Application (macOS/Linux client deployments) prior t...
Untrusted Search Path
Overview: Affected versions of this package are vulnerable to Untrusted Search Path through incorrect handling of the OCI hook createContainer during container initialization when enable-cuda-compat is used. An attacker with low privileges in a container can run arbitrary code with higher privilege...
DEBIAN-CVE-2023-1521
On Linux the sccache client can execute arbitrary code with the privileges of a local sccache server, by preloading the code in a shared library passed to LD_PRELOAD. If the server is run as root (which is the default when installing the snap package https://snapcraft.io/sccache), this means a user...
PT-2024-29904 · Litestar · Litestar
Name of the Vulnerable Software and Affected Versions: Litestar versions 2.10.0 and prior Description: The issue is related to Environment Variable injection in Litestar's docs-preview.yml workflow, which may lead to secret exfiltration and repository manipulation. This grants a malicious actor...
PT-2024-6167 · Unknown +2 · Soft Serve +2
Name of the Vulnerable Software and Affected Versions: Soft Serve versions prior to 0.7.5 Description: The issue is related to Soft Serve passing all environment variables given by the client to git subprocesses, including variables that control program execution, such as LD_PRELOAD. This can be...
PT-2023-21000 · Pax Technology · Pax Technology A930 Paydroid
Name of the Vulnerable Software and Affected Versions: PAX Technology A930 PayDroid version 7.1.1 Virgo V04.5.02 20220722 Description: The issue allows attackers to compile a malicious shared library and use LD_PRELOAD to bypass authorization checks. This can be achieved by utilizing the LD_PRELO...
PT-2023-17049 · Sccache +2 · Sccache +2
Name of the Vulnerable Software and Affected Versions: sccache versions prior to 0.4.0 Description: The sccache client can execute arbitrary code with the privileges of a local sccache server by preloading the code in a shared library passed to LD_PRELOAD. If the server is run as root, which is t...
SUSE CVE-2011-1658
ld.so in the GNU C Library (aka glibc or libc6) 2.13 and earlier expands the $ORIGIN dynamic string token when RPATH is composed entirely of this token, which might allow local users to gain privileges by creating a hard link in an arbitrary directory to a (1) setuid or (2) setgid program with this RPA...
CVE-2017-17562
Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in cgi.c. When combined with the glibc...
PT-2017-3348
Name of the Vulnerable Software and Affected Versions: Embedthis GoAhead versions prior to 3.6.5 Description: The issue is related to the initialization of the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function. This can be abused for remote code...
UBUNTU-CVE-2015-8325
The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as...