CVE-2019-16508

The Imagination Technologies driver for Chrome OS before R74-11895.B, R75 before R75-12105.B, and R76 before R76-12208.0.0 allows attackers to trigger an Integer Overflow and gain privileges via a malicious application. This occurs because of intentional access for the GPU process to /dev/dri/car...

Linux - Missing Locking in Siemens R3964 Line Discipline Race Condition

/ The Siemens R3964 line discipline code in drivers/tty/nr3964.c has a few races around its ioctl handler; for example, the handler for R3964ENABLESIGNALS just allocates and deletes elements in a linked list with zero locking. This code is reachable by an unprivileged user if the line discipline ...

Linux Siemens R3964 Line Discipline Missing Lock

Linux: missing locking in Siemens R3964 line discipline The Siemens R3964 line discipline code in drivers/tty/nr3964.c has a few races around its ioctl handler; for example, the handler for R3964ENABLESIGNALS just allocates and deletes elements in a linked list with zero locking. This code is...

Linux - Missing Locking in Siemens R3964 Line Discipline Race Condition

Linux - Missing Locking in Siemens R3964 Line Discipline Race Condition / The Siemens R3964 line discipline code in drivers/tty/nr3964.c has a few races around its ioctl handler; for example, the handler for R3964ENABLESIGNALS just allocates and deletes elements in a linked list with zero locking...

Symantec Endpoint Protection Small Business Edition ccSetx86.sys 0x224844 kernel memory information disclosure vulnerability

Summary An exploitable kernel memory disclosure vulnerability exists in the 0x224844 IOCTL handler function of Symantec Endpoint Protection Small Business Edition ccSetx86.sys, version 16.0.0.77. A specially crafted IRP request can cause the driver to return uninitialized memory, resulting in...

kernel: MIDI driver race condition leads to a double-free

It was found that the raw midi kernel driver does not protect against concurrent access which leads to a double realloc double free in sndrawmidiinputparams and sndrawmidioutputstatus which are part of sndrawmidiioctl handler in rawmidi.c file. A malicious local attacker could possibly use this f...

CVE-2018-3990

An exploitable pool corruption vulnerability exists in the 0x8200E804 IOCTL handler functionality of WIBU-SYSTEMS WibuKey.sys Version 6.40 Build 2400. A specially crafted IRP request can cause a buffer overflow, resulting in kernel memory corruption and, potentially, privilege escalation. An...

WIBU-SYSTEMS WibuKey.sys 0x8200E804 pool corruption privilege escalation vulnerability

Summary An exploitable pool corruption vulnerability exists in the 0x8200E804 IOCTL handler functionality of WIBU-SYSTEMS WibuKey.sys Version 6.40 Build 2400. A specially crafted IRP request can cause a buffer overflow, resulting in kernel memory corruption and, potentially, privilege escalation...

WIBU-SYSTEMS WibuKey.sys 0x8200E804 kernel memory information disclosure vulnerability

Summary An exploitable kernel memory disclosure vulnerability exists in the 0x8200E804 IOCTL handler functionality of WIBU-SYSTEMS WibuKey.sys Version 6.40 Build 2400. A specially crafted IRP request can cause the driver to return uninitialized memory, resulting in kernel memory disclosure. An...

Design/Logic Flaw

An exploitable arbitrary write vulnerability exists in the 0x2222CC IOCTL handler functionality of Sophos HitmanPro.Alert 3.7.6.744. A specially crafted IRP request can cause the driver to write data under controlled by an attacker address, resulting in memory corruption. An attacker can send IRP...

Design/Logic Flaw

An exploitable memory disclosure vulnerability exists in the 0x222000 IOCTL handler functionality of Sophos HitmanPro.Alert 3.7.6.744. A specially crafted IRP request can cause the driver to return uninitialized memory, resulting in kernel memory disclosure. An attacker can send an IRP request to...

Sophos HitmanPro.Alert hmpalert 0x2222CC privilege escalation vulnerability

Summary An exploitable arbitrary write vulnerability exists in the 0x2222CC IOCTL handler functionality of Sophos HitmanPro.Alert 3.7.6.744. A specially crafted IRP request can cause the driver to write data under controlled by an attacker address, resulting in memory corruption. An attacker can...

UBUNTU-CVE-2018-10902

It was found that the raw midi kernel driver does not protect against concurrent access which leads to a double realloc double free in sndrawmidiinputparams and sndrawmidioutputstatus which are part of sndrawmidiioctl handler in rawmidi.c file. A malicious local attacker could possibly use this f...

CVE-2018-5832

Due to a race condition in a camera driver ioctl handler in Android releases from CAF using the linux kernel Android for MSM, Firefox OS for MSM, QRD Android before security patch level 2018-06-05, a Use After Free condition can occur...

CVE-2017-14881

While calling the IPA IOCTL handler for IPAIOCADDHDRPROCCTX in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-10-13, a use-after-free condition may potentially occur...

CODE EXECUTION (CVE-2018-5189) WALKTHROUGH ON JUNGO WINDRIVER 12.5.1

INTRODUCTION Windows kernel exploitation can be a daunting area to get into. There are tons of helpful tutorials out there and originally this post was going to add to that list. This is the story of how I found CVE-2018-5189 and a complete walkthrough of the exploit development cycle. The idea w...

Design/Logic Flaw

In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in a graphics driver ioctl handler, the lack of copyfromuser function calls may result in writes to kernel memory...

CVE-2017-11047

CVE-2017-11047 applies to Android for MSM, Firefox OS for MSM, and QRD Android builds using CAF Linux kernel; the issue is in a graphics-driver ioctl handler where missing copy_from_user() calls can allow writes to kernel memory. Impact per CVSS indicates LOCAL access with LOW user interaction an...

Integer overflow

In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in a qbt1000 ioctl handler, an incorrect buffer size check has an integer overflow vulnerability potentially leading to a buffer overflow...

CVE-2016-5863

In an ioctl handler in all Qualcomm products with Android for MSM, Firefox OS for MSM, or QRD Android, several sanity checks are missing which can lead to out-of-bounds accesses...