NachoRoot
On the ASUS Transformer Prime, /data/sensors/AMI304Config.ini is set world-writable on boot, so a /data/local.prop symlink attack can be mounted...
TacoRoot
The HTC recovery log on some devices is world-writable, so it can be deleted and symlinked to /data/local.prop to allow root on reboot. This appears to be an unstable exploit and requires the user to reboot into recovery mode...
zergRush
...
Browser Cross-App Scripting
The Android browser could be tricked into running JavaScript in the domain of a different app...
Gingerbreak
The vold volume manager daemon on Android 3.0 and 2.x before 2.3.4 trusts messages that are received from a PF_NETLINK socket, which allows local users to execute arbitrary code and gain root privileges...
Android Browser Exploit WebKit
A series of vulnerabilities in XSL in WebKit that allow denial of service and other effects...
KillingInTheNameOf psneuter ashmem
Android before 2.3 does not properly restrict access to the system property space, which allows local applications to bypass the application sandbox and gain privileges...
Use-After-Free Remote
WebKit does not properly validate floating-point data in Android versions prior to 2.2, which allows a remote arbitrary code execution attack to occur through a crafted HTML page...
Zysploit
Takes advantage of a setuid vulnerability; few details available...
exploid udev
udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space...
Volez
Ability to modify a signed OTA recovery package due to an error in the signature verifier...
sock_sendpage
A vulnerability in the kernel allows local users to gain privileges due to function pointers not being initialised. According to one source, Android versions up to 3.2.6 are vulnerable...