
17 matches found

Tenable Nessus
added 2026/01/15 12:0 a.m. · 2 views

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-002504)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-002504 advisory. The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioc...

CVSS 7.2 · AI score 7 · EPSS 0.00045
Exploits: 0 · References: 21

OSV
added 2024/02/15 5:15 a.m. · 0 views

CVE-2022-23085

A user-provided integer option was passed to nmreq_copyin without checking if it would overflow. This insufficient bounds checking could lead to kernel memory corruption. On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host...

CVSS 8.2 · AI score 5.9
Exploits: 0 · References: 2

OSV
added 2024/02/15 5:15 a.m. · 2 views

CVE-2022-23084

The total size of the user-provided nmreq to nmreq_copyin was first computed and then trusted during the copyin. This time-of-check to time-of-use bug could lead to kernel memory corruption. On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can...

CVSS 7.5 · AI score 5.8
Exploits: 0 · References: 2

SUSE CVE
added 2023/02/15 6:19 a.m. · 1 view

SUSE CVE-2004-2731

Multiple integer overflows in Sbus PROM driver drivers/sbus/char/openprom.c for the Linux kernel 2.4.x up to 2.4.27, 2.6.x up to 2.6.7, and possibly later versions, allow local users to execute arbitrary code by specifying (1) a small buffer size to the copyin_string function or (2) a negative buffer...

CVSS 4.4 · AI score 7.6 · EPSS 0.00141
Exploits: 1 · References: 3

Positive Technologies
added 2022/02/18 12:0 a.m. · 1 view

PT-2022-6122 · Freebsd · Freebsd

Name of the Vulnerable Software and Affected Versions: FreeBSD (affected versions not specified). Description: The issue is related to a time-of-check to time-of-use bug in the nmreq copyin function of the netmap component in FreeBSD. This bug could lead to kernel memory corruption. On systems...

CVSS 7.8 · AI score 7.5 · EPSS 0.0005
Exploits: 0 · References: 14

Exploit DB
added 2018/10/22 12:0 a.m. · 19 views

Apple iOS - Kernel Stack Memory Disclosure due to Failure to Check copyin Return Value

Here's a code snippet from sleh.c with the second level exception handler for undefined instruction exceptions: static void handle_uncategorized(arm_saved_state_t *state, boolean_t instrLen2) { exception_type_t exception = EXC_BAD_INSTRUCTION; mach_exception_data_type_t codes[2] = {EXC_ARM_UNDEFINED}; mach_msg_type_number_t...

AI score 7.4
Exploits: 0

0day.today
added 2018/10/22 12:0 a.m. · 26 views

Apple iOS Kernel - Stack Memory Disclosure due to Failure to Check copyin Return Value Exploit

Exploit for iOS platform in category dos / poc. Apple iOS - Kernel Stack Memory Disclosure due to Failure to Check copyin Return Value Exploit. Here's a code snippet from sleh.c with the second level exception handler for undefined instruction exceptions: static void handle_uncategorized(arm_saved_stat...

AI score 7.1
Exploits: 0

exploitpack
added 2018/10/22 12:0 a.m. · 20 views

Apple iOS - Kernel Stack Memory Disclosure due to Failure to Check copyin Return Value

Apple iOS - Kernel Stack Memory Disclosure due to Failure to Check copyin Return Value. Here's a code snippet from sleh.c with the second level exception handler for undefined instruction exceptions: static void handle_uncategorized(arm_saved_state_t *state, boolean_t instrLen2) { exception_type_t exception =...

AI score 7
Exploits: 0

ThreatPost
added 2018/07/24 4:56 p.m. · 24 views

Oracle Re-Patches Decade-Old Solaris Bug

Oracle has issued three fixes for a critical Solaris vulnerability that could allow kernel-level privilege escalation. Impacted are the Solaris 10 and 11.3 operating environments. Sun Microsystems (now owned by Oracle) originally patched the vulnerability in 2009. But, a “re-fix” is now required,...

CVSS 7.2 · AI score 1 · EPSS 0.01168
Exploits: 4 · References: 3

0day.today
added 2017/12/12 12:0 a.m. · 44 views

macOS / iOS - Kernel Double Free due to Incorrect API Usage in Flow Divert Socket Option Handling

Exploit for multiple platform in category dos / poc. Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1373 SO_FLOW_DIVERT_TOKEN is a socket option on the SOL_SOCKET layer. It's implemented by flow_divert_token_set(struct socket *so, struct sockopt *sopt) in flow_divert.c. The relevant code is...

CVSS 9.3 · AI score 8 · EPSS 0.02252
Exploits: 2

exploitpack
added 2017/12/12 12:0 a.m. · 24 views

Apple XNU Kernel - Memory Corruption due to Integer Overflow in __offsetof Usage in posix_spawn on 32-bit Platforms

Apple XNU Kernel - Memory Corruption due to Integer Overflow in __offsetof Usage in posix_spawn on 32-bit Platforms. posix_spawn is a complex syscall which takes a lot of arguments from userspace. The third argument is a pointer to a further arguments descriptor in userspace with the following structu...

AI score 0.7
Exploits: 0

Prion
added 2016/11/15 3:59 p.m. · 14 views

Buffer overflow

Little Snitch version 3.0 through 3.6.1 suffer from a buffer overflow vulnerability that could be locally exploited which could lead to an escalation of privileges (EoP) and unauthorised ring0 access to the operating system. The buffer overflow is related to insufficient checking of parameters to t...

CVSS 7.2 · AI score 7.8 · EPSS 0.00052
Exploits: 0 · References: 2 · Affected Software: 1

NVD
added 2016/11/15 3:59 p.m. · 11 views

CVE-2016-8661

Little Snitch version 3.0 through 3.6.1 suffer from a buffer overflow vulnerability that could be locally exploited which could lead to an escalation of privileges (EoP) and unauthorised ring0 access to the operating system. The buffer overflow is related to insufficient checking of parameters to t...

CVSS 8.4 · AI score 8.6 · EPSS 0.00052
Exploits: 0 · References: 2

OSV
added 2016/11/15 3:59 p.m. · 0 views

CVE-2016-8661

Little Snitch version 3.0 through 3.6.1 suffer from a buffer overflow vulnerability that could be locally exploited which could lead to an escalation of privileges (EoP) and unauthorised ring0 access to the operating system. The buffer overflow is related to insufficient checking of parameters to t...

CVSS 8.4 · AI score 6.1
Exploits: 0 · References: 2

OSV
added 2014/05/11 12:0 a.m. · 0 views

UBUNTU-CVE-2014-1737

The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device...

CVSS 7.2 · AI score 6.3 · EPSS 0.00045
Exploits: 0 · References: 12

Positive Technologies
added 2014/05/09 12:0 a.m. · 2 views

PT-2014-1007 · Linux +5 · Linux Kernel +5

Name of the Vulnerable Software and Affected Versions: Linux kernel versions through 3.14.3. Description: The issue is related to the raw_cmd_copyin function in drivers/block/floppy.c, which does not properly handle error conditions during processing of an FDRAWCMD ioctl call. This allows local...

CVSS 10 · AI score 7.6 · EPSS 0.68892
Exploits: 78 · References: 490

0day.today
added 2010/06/23 12:0 a.m. · 25 views

FreeBSD Kernel nfs_mount() Exploit

Exploit for freebsd platform in category local exploits. FreeBSD Kernel nfs_mount() Exploit. nfs_mount_ex.c -- Patroklos Argyroudis, argp at domain census-labs.com. Local kernel exploit for FreeBSD 8.0, 7.3 and 7.2. FreeBSD...

AI score 6.8
Exploits: 0