Linux Kernel Security Vulnerabilities

CVE-2004-2731

Multiple integer overflows in Sbus PROM driver (drivers/sbus/char/openprom.c) for the Linux kernel 2.4.x up to 2.4.27, 2.6.x up to 2.6.7, and possibly later versions, allow local users to execute arbitrary code by specifying (1) a small buffer size to the copyin_string function or (2) a negative bu...

AI Score: 7.3

EPSS: 0.0004

2007-10-09 10:00 AM

CVE-2005-0001

Race condition in the page fault handler (fault.c) for Linux kernel 2.2.x to 2.2.7, 2.4 to 2.4.29, and 2.6 to 2.6.10, when running on multiprocessor machines, allows local users to execute arbitrary code via concurrent threads that share the same virtual memory space and simultaneously request stac...

AI Score: 7.5

EPSS: 0.001

2005-05-02 04:00 AM

CVE-2005-0003

The 64 bit ELF support in Linux kernel 2.6 before 2.6.10, on 64-bit architectures, does not properly check for overlapping VMA (virtual memory address) allocations, which allows local users to cause a denial of service (system crash) or execute arbitrary code via a crafted ELF or a.out file.

AI Score: 7.4

EPSS: 0.001

2005-04-14 04:00 AM

CVE-2005-0124

The coda_pioctl function in the coda functionality (pioctl.c) for Linux kernel 2.6.9 and 2.4.x before 2.4.29 may allow local users to cause a denial of service (crash) or execute arbitrary code via negative vi.in_size or vi.out_size values, which may trigger a buffer overflow.

AI Score: 6

EPSS: 0.001

2005-04-14 04:00 AM

CVE-2005-0135

The unw_unwind_to_user function in unwind.c on Itanium (ia64) architectures in Linux kernel 2.6 allows local users to cause a denial of service (system crash).

AI Score: 5.6

EPSS: 0.0004

2005-05-02 04:00 AM

CVE-2005-0136

The Linux kernel before 2.6.11 on the Itanium IA64 platform has certain "ptrace corner cases" that allow local users to cause a denial of service (crash) via crafted syscalls, possibly related to MCA/INIT, a different vulnerability than CVE-2005-1761.

AI Score: 5.4

EPSS: 0.001

2006-06-01 12:00 AM

CVE-2005-0137

Linux kernel 2.6 on Itanium (ia64) architectures allows local users to cause a denial of service via a "missing Itanium syscall table entry."

AI Score: 5.9

EPSS: 0.0004

2005-05-02 04:00 AM

CVE-2005-0176

The shmctl function in Linux 2.6.9 and earlier allows local users to unlock the memory of other processes, which could cause sensitive memory to be swapped to disk, which could allow it to be read by other users once it has been released.

AI Score: 5.8

EPSS: 0.003

2005-02-16 05:00 AM

CVE-2005-0177

nls_ascii.c in Linux before 2.6.8.1 uses an incorrect table size, which allows attackers to cause a denial of service (kernel crash) via a buffer overflow.

AI Score: 6.4

EPSS: 0.005

2005-03-07 05:00 AM

CVE-2005-0178

Race condition in the setsid function in Linux before 2.6.8.1 allows local users to cause a denial of service (crash) and possibly access portions of kernel memory, related to TTY changes, locking, and semaphores.

AI Score: 5.2

EPSS: 0.0004

2005-03-07 05:00 AM

CVE-2005-0179

Linux kernel 2.4.x and 2.6.x allows local users to cause a denial of service (CPU and memory consumption) and bypass RLIM_MEMLOCK limits via the mlockall call.

AI Score: 5.2

EPSS: 0.0004

2005-03-07 05:00 AM

CVE-2005-0180

Multiple integer signedness errors in the sg_scsi_ioctl function in scsi_ioctl.c for Linux 2.6.x allow local users to read or modify kernel memory via negative integers in arguments to the scsi ioctl, which bypass a maximum length check before calling the copy_from_user and copy_to_user functions.

AI Score: 7.3

EPSS: 0.0004

2005-03-07 05:00 AM

CVE-2005-0204

Linux kernel before 2.6.9, when running on the AMD64 and Intel EM64T architectures, allows local users to write to privileged IO ports via the OUTS instruction.

AI Score: 6

EPSS: 0.0004

2005-05-02 04:00 AM

CVE-2005-0207

Unknown vulnerability in Linux kernel 2.4.x, 2.5.x, and 2.6.x allows NFS clients to cause a denial of service via O_DIRECT.

AI Score: 6.2

EPSS: 0.001

2005-05-02 04:00 AM

CVE-2005-0209

Netfilter in Linux kernel 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) via crafted IP packet fragments.

AI Score: 5.1

EPSS: 0.019

2005-05-02 04:00 AM

CVE-2005-0210

Netfilter in the Linux kernel 2.6.8.1 allows local users to cause a denial of service (memory consumption) via certain packet fragments that are reassembled twice, which causes a data structure to be allocated twice.

AI Score: 5.2

EPSS: 0.001

2005-05-02 04:00 AM

CVE-2005-0400

The ext2_make_empty function call in the Linux kernel before 2.6.11.6 does not properly initialize memory when creating a block for a new directory entry, which allows local users to obtain potentially sensitive information by reading the block.

AI Score: 4.8

EPSS: 0.0004

2005-05-02 04:00 AM

CVE-2005-0449

The netfilter/iptables module in Linux before 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) or bypass firewall rules via crafted packets, which are not properly handled by the skb_checksum_help function.

AI Score: 5.3

EPSS: 0.018

2005-05-02 04:00 AM

CVE-2005-0489

The /proc handling (proc/base.c) in Linux kernel 2.4 before 2.4.17 allows local users to cause a denial of service via unknown vectors that cause an invalid access of free memory.

AI Score: 5.8

EPSS: 0.0004

2006-05-31 10:00 AM

CVE-2005-0504

Buffer overflow in the MoxaDriverIoctl function for the moxa serial driver (moxa.c) in Linux 2.2.x, 2.4.x, and 2.6.x before 2.6.22 allows local users to execute arbitrary code via a certain modified length value.

AI Score: 5.9

EPSS: 0.001

2005-03-14 05:00 AM

CVE-2005-0529

Linux kernel 2.6.10 and 2.6.11rc1-bk6 uses different size types for offset arguments to the proc_file_read and locks_read_proc functions, which leads to a heap-based buffer overflow when a signed comparison causes negative integers to be used in a positive context.

AI Score: 6.5

EPSS: 0.001

2005-05-02 04:00 AM

CVE-2005-0530

Signedness error in the copy_from_read_buf function in n_tty.c for Linux kernel 2.6.10 and 2.6.11rc1 allows local users to read kernel memory via a negative argument.

AI Score: 5

EPSS: 0.0004

2005-05-02 04:00 AM

CVE-2005-0531

The atm_get_addr function in addr.c for Linux kernel 2.6.10 and 2.6.11 before 2.6.11-rc4 may allow local users to trigger a buffer overflow via negative arguments.

AI Score: 5.4

EPSS: 0.0004

2005-05-02 04:00 AM

CVE-2005-0532

The reiserfs_copy_from_user_to_file_region function in reiserfs/file.c for Linux kernel 2.6.10 and 2.6.11 before 2.6.11-rc4, when running on 64-bit architectures, may allow local users to trigger a buffer overflow as a result of casting discrepancies between size_t and int data types.

AI Score: 5.5

EPSS: 0.0004

2005-05-02 04:00 AM

CVE-2005-0736

Integer overflow in sys_epoll_wait in eventpoll.c for Linux kernel 2.6 to 2.6.11 allows local users to overwrite kernel memory via a large number of events.

AI Score: 6

EPSS: 0.0004

2005-03-13 05:00 AM

CVE-2005-0749

The load_elf_library in the Linux kernel before 2.6.11.6 allows local users to cause a denial of service (kernel crash) via a crafted ELF library or executable, which causes a free of an invalid pointer.

AI Score: 5

EPSS: 0.001

2005-04-05 04:00 AM

CVE-2005-0750

The bluez_sock_create function in the Bluetooth stack for Linux kernel 2.4.6 through 2.4.30-rc1 and 2.6 through 2.6.11.5 allows local users to gain privileges via (1) socket or (2) socketpair call with a negative protocol value.

AI Score: 5.3

EPSS: 0.0004

2005-04-03 05:00 AM

CVE-2005-0756

ptrace in Linux kernel 2.6.8.1 does not properly verify addresses on the amd64 platform, which allows local users to cause a denial of service (kernel crash).

AI Score: 5.8

EPSS: 0.001

2005-06-14 04:00 AM

CVE-2005-0767

Race condition in the Radeon DRI driver for Linux kernel 2.6.8.1 allows local users with DRI privileges to execute arbitrary code as root.

AI Score: 5.8

EPSS: 0.0004

2005-03-18 05:00 AM

CVE-2005-0815

Multiple "range checking flaws" in the ISO9660 filesystem handler in Linux 2.6.11 and earlier may allow attackers to cause a denial of service or corrupt memory via a crafted filesystem.

AI Score: 5.2

EPSS: 0.003

2005-05-02 04:00 AM

CVE-2005-0839

Linux kernel 2.6 before 2.6.11 does not restrict access to the N_MOUSE line discipline for a TTY, which allows local users to gain privileges by injecting mouse or keyboard events into other user sessions.

AI Score: 5.4

EPSS: 0.0004

2005-05-02 04:00 AM

CVE-2005-0867

Integer overflow in Linux kernel 2.6 allows local users to overwrite kernel memory by writing to a sysfs file.

AI Score: 6

EPSS: 0.0004

2005-05-02 04:00 AM

CVE-2005-0916

AIO in the Linux kernel 2.6.11 on the PPC64 or IA64 architectures with CONFIG_HUGETLB_PAGE enabled allows local users to cause a denial of service (system panic) via a process that executes the io_queue_init function but exits without running io_queue_release, which causes exit_aio and is_hugepage_...

AI Score: 5.1

EPSS: 0.0004

2005-05-02 04:00 AM

CVE-2005-0937

Some futex functions in futex.c for Linux kernel 2.6.x perform get_user calls while holding the mmap_sem semaphore, which could allow local users to cause a deadlock condition in do_page_fault by triggering get_user faults while another thread is executing mmap or other functions.

AI Score: 5.2

EPSS: 0.0004

2005-03-30 05:00 AM

CVE-2005-0977

The shmem_nopage function in shmem.c for the tmpfs driver in Linux kernel 2.6 does not properly verify the address argument, which allows local users to cause a denial of service (kernel crash) via an invalid address.

AI Score: 6

EPSS: 0.001

2005-05-02 04:00 AM

CVE-2005-1041

The fib_seq_start function in fib_hash.c in Linux kernel allows local users to cause a denial of service (system crash) via /proc/net/route.

AI Score: 5

EPSS: 0.001

2005-05-02 04:00 AM

CVE-2005-1263

The elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to 2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local users to execute arbitrary code via an ELF binary that, in certain conditions involving the create_elf_tables function, causes a negative length argument to pa...

AI Score: 5.8

EPSS: 0.0004

2005-05-11 04:00 AM

CVE-2005-1264

Raw character devices (raw.c) in the Linux kernel 2.6.x call the wrong function before passing an ioctl to the block device, which crosses security boundaries by making kernel address space accessible from user space, a similar vulnerability to CVE-2005-1589.

AI Score: 5.2

EPSS: 0.001

2005-05-17 04:00 AM

CVE-2005-1265

The mmap function in the Linux Kernel 2.6.10 can be used to create memory maps with a start address beyond the end address, which allows local users to cause a denial of service (kernel crash).

AI Score: 7

EPSS: 0.001

2005-06-16 04:00 AM

CVE-2005-1368

The key_user_lookup function in security/keys/key.c in Linux kernel 2.6.10 to 2.6.11.8 may allow attackers to cause a denial of service (oops) via SMP.

AI Score: 5.2

EPSS: 0.001

2005-05-02 04:00 AM

CVE-2005-1369

The (1) it87 and (2) via686a drivers in I2C for Linux 2.6.x before 2.6.11.8, and 2.6.12 before 2.6.12-rc2, create the sysfs "alarms" file with write permissions, which allows local users to cause a denial of service (CPU consumption) by attempting to write to the file, which does not have an associ...

AI Score: 5.3

EPSS: 0.0004

2005-05-02 04:00 AM

CVE-2005-1589

The pkt_ioctl function in the pktcdvd block device ioctl handler (pktcdvd.c) in Linux kernel 2.6.12-rc4 and earlier calls the wrong function before passing an ioctl to the block device, which crosses security boundaries by making kernel address space accessible from user space and allows local user...

AI Score: 6

EPSS: 0.001

2005-05-17 04:00 AM

CVE-2005-1762

The ptrace call in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform allows local users to cause a denial of service (kernel crash) via a "non-canonical" address.

AI Score: 5.7

EPSS: 0.001

2005-08-02 04:00 AM

CVE-2005-1764

Linux 2.6.11 on 64-bit x86 (x86_64) platforms does not use a guard page for the 47-bit address page to protect against an AMD K8 bug, which allows local users to cause a denial of service.

AI Score: 6.1

EPSS: 0.001

2005-10-07 06:02 PM

CVE-2005-1765

syscall in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform, when running in 32-bit compatibility mode, allows local users to cause a denial of service (kernel hang) via crafted arguments.

AI Score: 5.8

EPSS: 0.0004

2005-06-30 04:00 AM

CVE-2005-1768

Race condition in the ia32 compatibility code for the execve system call in Linux kernel 2.4 before 2.4.31 and 2.6 before 2.6.6 allows local users to cause a denial of service (kernel panic) and possibly execute arbitrary code via a concurrent thread that increments a pointer count after the nargs ...

AI Score: 6.5

EPSS: 0.001

2005-07-11 04:00 AM

CVE-2005-1913

The Linux kernel 2.6 before 2.6.12.1 allows local users to cause a denial of service (kernel panic) via a non group-leader thread executing a different program than was pending in itimer, which causes the signal to be delivered to the old group-leader task, which does not exist.

AI Score: 7

EPSS: 0.0004

2005-09-14 07:03 PM

CVE-2005-2098

The KEYCTL_JOIN_SESSION_KEYRING operation in the Linux kernel before 2.6.12.5 contains an error path that does not properly release the session management semaphore, which allows local users or remote attackers to cause a denial of service (semaphore hang) via a new session keyring (1) with an empt...

AI Score: 6

EPSS: 0.029

2005-08-23 04:00 AM

CVE-2005-2099

The Linux kernel before 2.6.12.5 does not properly destroy a keyring that is not instantiated properly, which allows local users or remote attackers to cause a denial of service (kernel oops) via a keyring with a payload that is not empty, which causes the creation to fail, leading to a null derefe...

AI Score: 6

EPSS: 0.029

2005-08-23 04:00 AM

CVE-2005-2456

Array index overflow in the xfrm_sk_policy_insert function in xfrm_user.c in Linux kernel 2.6 allows local users to cause a denial of service (oops or deadlock) and possibly execute arbitrary code via a p->dir value that is larger than XFRM_POLICY_OUT, which is used as an index in the sock->s...

CVSS: 5.5

AI Score: 6.8

EPSS: 0.001

2005-08-04 04:00 AM
Total number of security vulnerabilities: 6590