| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2019-15031 |
200 |
|
+Info |
2019-09-13 |
2019-09-18 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
None |
Partial |
|
In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via an interrupt. To exploit the venerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process, because MSR_TM_ACTIVE is misused in arch/powerpc/kernel/process.c. |
|
2 |
CVE-2019-15030 |
20 |
|
|
2019-09-13 |
2019-09-18 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
None |
Partial |
|
In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via a Facility Unavailable exception. To exploit the venerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process because of a missing arch/powerpc/kernel/process.c check. |
|
3 |
CVE-2019-3874 |
119 |
|
DoS Overflow |
2019-03-25 |
2019-05-28 |
3.3 |
None |
Local Network |
Low |
Not required |
None |
None |
Partial |
|
The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An attacker can use this flaw to cause a denial of service attack. Kernel 3.10.x and 4.18.x branches are believed to be vulnerable. |
|
4 |
CVE-2019-3460 |
200 |
|
+Info |
2019-04-11 |
2019-05-28 |
3.3 |
None |
Local Network |
Low |
Not required |
Partial |
None |
None |
|
A heap data infoleak in multiple locations including L2CAP_PARSE_CONF_RSP was found in the Linux kernel before 5.1-rc1. |
|
5 |
CVE-2019-3459 |
200 |
|
+Info |
2019-04-11 |
2019-05-28 |
3.3 |
None |
Local Network |
Low |
Not required |
Partial |
None |
None |
|
A heap address information leak while using L2CAP_GET_CONF_OPT was discovered in the Linux kernel before 5.1-rc1. |
|
6 |
CVE-2018-18021 |
20 |
|
DoS |
2018-10-07 |
2019-04-02 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
arch/arm64/kvm/guest.c in KVM in the Linux kernel before 4.18.12 on the arm64 platform mishandles the KVM_SET_ON_REG ioctl. This is exploitable by attackers who can create virtual machines. An attacker can arbitrarily redirect the hypervisor flow of control (with full register control). An attacker can also cause a denial of service (hypervisor panic) via an illegal exception return. This occurs because of insufficient restrictions on userspace access to the core register file, and because PSTATE.M validation does not prevent unintended execution modes. |
|
7 |
CVE-2018-16658 |
200 |
|
+Info |
2018-09-07 |
2019-08-06 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
None |
Partial |
|
An issue was discovered in the Linux kernel before 4.18.6. An information leak in cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940. |
|
8 |
CVE-2018-1120 |
119 |
|
DoS Overflow |
2018-06-20 |
2019-10-09 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
None |
Partial |
|
A flaw was found affecting the Linux kernel before version 4.17. By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc/<pid>/cmdline (or /proc/<pid>/environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks). |
|
9 |
CVE-2017-18270 |
|
|
DoS |
2018-05-18 |
2019-10-02 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
In the Linux kernel before 4.13.5, a local user could create keyrings for other users via keyctl commands, setting unwanted defaults or causing a denial of service. |
|
10 |
CVE-2017-12154 |
|
|
|
2017-09-26 |
2019-10-02 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel through 4.13.3 does not ensure that the "CR8-load exiting" and "CR8-store exiting" L0 vmcs02 controls exist in cases where L1 omits the "use TPR shadow" vmcs12 control, which allows KVM L2 guest OS users to obtain read and write access to the hardware CR8 register. |
|
11 |
CVE-2017-11472 |
755 |
|
Bypass +Info |
2017-07-20 |
2019-10-02 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel before 4.12 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table. |
|
12 |
CVE-2017-5551 |
|
|
+Priv |
2017-02-06 |
2019-10-02 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
The simple_set_acl function in fs/posix_acl.c in the Linux kernel before 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs filesystem, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7097. |
|
13 |
CVE-2017-2584 |
416 |
|
DoS +Info |
2017-01-14 |
2018-08-24 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
None |
Partial |
|
arch/x86/kvm/emulate.c in the Linux kernel through 4.9.3 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free) via a crafted application that leverages instruction emulation for fxrstor, fxsave, sgdt, and sidt. |
|
14 |
CVE-2016-7097 |
285 |
|
+Priv |
2016-10-16 |
2018-01-04 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
The filesystem implementation in the Linux kernel through 4.8.2 preserves the setgid bit during a setxattr call, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. |
|
15 |
CVE-2015-8956 |
476 |
|
DoS +Info |
2016-10-10 |
2018-01-04 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
None |
Partial |
|
The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket. |
|
16 |
CVE-2015-2922 |
17 |
|
|
2015-05-27 |
2018-01-04 |
3.3 |
None |
Local Network |
Low |
Not required |
None |
None |
Partial |
|
The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in the Linux kernel before 3.19.6 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message. |
|
17 |
CVE-2014-9717 |
284 |
|
Bypass |
2016-05-02 |
2016-08-11 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
fs/namespace.c in the Linux kernel before 4.0.2 processes MNT_DETACH umount2 system calls without verifying that the MNT_LOCKED flag is unset, which allows local users to bypass intended access restrictions and navigate to filesystem locations beneath a mount by calling umount2 within a user namespace. |
|
18 |
CVE-2014-9683 |
189 |
|
DoS Overflow +Priv |
2015-03-03 |
2016-12-23 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename. |
|
19 |
CVE-2014-3917 |
200 |
|
DoS +Info |
2014-06-05 |
2019-04-22 |
3.3 |
None |
Local |
Medium |
Not required |
Partial |
None |
Partial |
|
kernel/auditsc.c in the Linux kernel through 3.14.5, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allows local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number. |
|
20 |
CVE-2014-2038 |
20 |
|
+Info |
2014-02-28 |
2014-03-16 |
3.7 |
None |
Local |
High |
Not required |
Partial |
Partial |
Partial |
|
The nfs_can_extend_write function in fs/nfs/write.c in the Linux kernel before 3.13.3 relies on a write delegation to extend a write operation without a certain up-to-date verification, which allows local users to obtain sensitive information from kernel memory in opportunistic circumstances by writing to a file in an NFS filesystem and then reading the same file. |
|
21 |
CVE-2013-4270 |
20 |
|
Bypass |
2013-12-09 |
2014-03-05 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
The net_ctl_permissions function in net/sysctl_net.c in the Linux kernel before 3.11.5 does not properly determine uid and gid values, which allows local users to bypass intended /proc/sys/net restrictions via a crafted application. |
|
22 |
CVE-2013-2930 |
264 |
|
|
2013-12-09 |
2014-03-05 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
The perf_trace_event_perm function in kernel/trace/trace_event_perf.c in the Linux kernel before 3.12.2 does not properly restrict access to the perf subsystem, which allows local users to enable function tracing via a crafted application. |
|
23 |
CVE-2013-2929 |
264 |
|
Bypass +Info |
2013-12-09 |
2018-04-27 |
3.3 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
None |
|
The Linux kernel before 3.12.2 does not properly use the get_dumpable function, which allows local users to bypass intended ptrace restrictions or obtain sensitive information from IA64 scratch registers via a crafted application, related to kernel/ptrace.c and arch/ia64/include/asm/processor.h. |
|
24 |
CVE-2013-2140 |
20 |
|
DoS |
2013-09-25 |
2014-01-03 |
3.8 |
None |
Local Network |
Medium |
Single system |
None |
Partial |
Partial |
|
The dispatch_discard_io function in drivers/block/xen-blkback/blkback.c in the Xen blkback implementation in the Linux kernel before 3.10.5 allows guest OS users to cause a denial of service (data loss) via filesystem write operations on a read-only disk that supports the (1) BLKIF_OP_DISCARD (aka discard or TRIM) or (2) SCSI UNMAP feature. |
|
25 |
CVE-2013-1959 |
264 |
1
|
+Priv |
2013-05-03 |
2013-11-30 |
3.7 |
None |
Local |
High |
Not required |
Partial |
Partial |
Partial |
|
kernel/user_namespace.c in the Linux kernel before 3.8.9 does not have appropriate capability requirements for the uid_map and gid_map files, which allows local users to gain privileges by opening a file within an unprivileged process and then modifying the file within a privileged process. |
|
26 |
CVE-2013-0914 |
264 |
|
Bypass |
2013-03-22 |
2014-02-06 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call. |
|
27 |
CVE-2013-0343 |
|
|
DoS +Info |
2013-02-28 |
2014-03-05 |
3.2 |
None |
Local Network |
High |
Not required |
Partial |
None |
Partial |
|
The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly handle problems with the generation of IPv6 temporary addresses, which allows remote attackers to cause a denial of service (excessive retries and address-generation outage), and consequently obtain sensitive information, via ICMPv6 Router Advertisement (RA) messages. |
|
28 |
CVE-2012-1174 |
362 |
|
|
2012-07-12 |
2012-08-13 |
3.3 |
None |
Local |
Medium |
Not required |
None |
Partial |
Partial |
|
The rm_rf_children function in util.c in the systemd-logind login manager in systemd before 44, when logging out, allows local users to delete arbitrary files via a symlink attack on unspecified files, related to "particular records related with user session." |
|
29 |
CVE-2011-1833 |
264 |
|
Bypass |
2012-10-03 |
2014-03-07 |
3.3 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
None |
|
Race condition in the ecryptfs_mount function in fs/ecryptfs/main.c in the eCryptfs subsystem in the Linux kernel before 3.1 allows local users to bypass intended file permissions via a mount.ecryptfs_private mount with a mismatched uid. |
|
30 |
CVE-2011-1676 |
264 |
|
|
2011-04-09 |
2017-08-16 |
3.3 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
None |
|
mount in util-linux 2.19 and earlier does not remove the /etc/mtab.tmp file after a failed attempt to add a mount entry, which allows local users to trigger corruption of the /etc/mtab file via multiple invocations. |
|
31 |
CVE-2011-1675 |
399 |
|
|
2011-04-09 |
2018-01-09 |
3.3 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
None |
|
mount in util-linux 2.19 and earlier attempts to append to the /etc/mtab.tmp file without first checking whether resource limits would interfere, which allows local users to trigger corruption of the /etc/mtab file via a process with a small RLIMIT_FSIZE value, a related issue to CVE-2011-1089. |
|
32 |
CVE-2011-1585 |
264 |
|
Bypass |
2013-06-08 |
2015-05-11 |
3.3 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
None |
|
The cifs_find_smb_ses function in fs/cifs/connect.c in the Linux kernel before 2.6.36 does not properly determine the associations between users and sessions, which allows local users to bypass CIFS share authentication by leveraging a mount of a share by a different user. |
|
33 |
CVE-2011-1182 |
|
|
|
2013-03-01 |
2014-01-13 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
kernel/signal.c in the Linux kernel before 2.6.39 allows local users to spoof the uid and pid of a signal sender via a sigqueueinfo system call. |
|
34 |
CVE-2011-1021 |
264 |
|
|
2012-06-21 |
2012-06-22 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
drivers/acpi/debugfs.c in the Linux kernel before 3.0 allows local users to modify arbitrary kernel memory locations by leveraging root privileges to write to the /sys/kernel/debug/acpi/custom_method file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4347. |
|
35 |
CVE-2010-4648 |
|
|
|
2012-06-21 |
2012-06-26 |
3.3 |
None |
Local Network |
Low |
Not required |
Partial |
None |
None |
|
The orinoco_ioctl_set_auth function in drivers/net/wireless/orinoco/wext.c in the Linux kernel before 2.6.37 does not properly implement a TKIP protection mechanism, which makes it easier for remote attackers to obtain access to a Wi-Fi network by reading Wi-Fi frames. |
|
36 |
CVE-2010-2955 |
189 |
|
+Info |
2010-09-08 |
2012-03-19 |
3.3 |
None |
Local Network |
Low |
Not required |
Partial |
None |
None |
|
The cfg80211_wext_giwessid function in net/wireless/wext-compat.c in the Linux kernel before 2.6.36-rc3-next-20100831 does not properly initialize certain structure members, which allows local users to leverage an off-by-one error in the ioctl_standard_iw_point function in net/wireless/wext-core.c, and obtain potentially sensitive information from kernel heap memory, via vectors involving an SIOCGIWESSID ioctl call that specifies a large buffer size. |
|
37 |
CVE-2009-0835 |
264 |
|
Bypass |
2009-03-06 |
2012-03-19 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
The __secure_computing function in kernel/seccomp.c in the seccomp subsystem in the Linux kernel 2.6.28.7 and earlier on the x86_64 platform, when CONFIG_SECCOMP is enabled, does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass intended access restrictions via crafted syscalls that are misinterpreted as (a) stat or (b) chmod, a related issue to CVE-2009-0342 and CVE-2009-0343. |
|
38 |
CVE-2009-0834 |
264 |
|
Bypass |
2009-03-06 |
2018-10-10 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
The audit_syscall_entry function in the Linux kernel 2.6.28.7 and earlier on the x86_64 platform does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass certain syscall audit configurations via crafted syscalls, a related issue to CVE-2009-0342 and CVE-2009-0343. |
|
39 |
CVE-2008-2148 |
264 |
|
DoS |
2008-05-12 |
2017-08-07 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
The utimensat system call (sys_utimensat) in Linux kernel 2.6.22 and other versions before 2.6.25.3 does not check file permissions when certain UTIME_NOW and UTIME_OMIT combinations are used, which allows local users to modify file times of arbitrary files, possibly leading to a denial of service. |
|
40 |
CVE-2008-0001 |
|
|
Bypass |
2008-01-15 |
2018-10-15 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
VFS in the Linux kernel before 2.6.22.16, and 2.6.23.x before 2.6.23.14, performs tests of access mode by using the flag variable instead of the acc_mode variable, which might allow local users to bypass intended permissions and remove directories. |
|
41 |
CVE-2006-5158 |
|
|
DoS |
2006-10-05 |
2017-10-10 |
3.3 |
None |
Local Network |
Low |
Not required |
None |
None |
Partial |
|
The nlmclnt_mark_reclaim in clntlock.c in NFS lockd in Linux kernel before 2.6.16 allows remote attackers to cause a denial of service (process crash) and deny access to NFS exports via unspecified vectors that trigger a kernel oops (null dereference) and a deadlock. |
|
42 |
CVE-2006-1524 |
264 |
|
Bypass |
2006-04-19 |
2017-07-19 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
madvise_remove in Linux kernel 2.6.16 up to 2.6.16.6 does not follow file and mmap restrictions, which allows local users to bypass IPC permissions and replace portions of readonly tmpfs files with zeroes, aka the MADV_REMOVE vulnerability. NOTE: this description was originally written in a way that combined two separate issues. The mprotect issue now has a separate name, CVE-2006-2071. |
|
43 |
CVE-2005-4618 |
|
|
DoS Overflow |
2005-12-31 |
2018-10-03 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
Buffer overflow in sysctl in the Linux Kernel 2.6 before 2.6.15 allows local users to corrupt user memory and possibly cause a denial of service via a long string, which causes sysctl to write a zero byte outside the buffer. NOTE: since the sysctl is called from a userland program that provides the argument, this might not be a vulnerability, unless a legitimate user-assisted or setuid scenario can be identified. |
|
44 |
CVE-2005-2617 |
|
|
|
2005-08-17 |
2008-09-05 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
The syscall32_setup_pages function in syscall32.c for Linux kernel 2.6.12 and later, on the 64-bit x86 platform, does not check the return value of the insert_vm_struct function, which allows local users to trigger a memory leak via a 32-bit application with crafted ELF headers. |
|
45 |
CVE-2005-2492 |
264 |
|
DoS |
2005-09-14 |
2018-10-19 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
None |
Partial |
|
The raw_sendmsg function in the Linux kernel 2.6 before 2.6.13.1 allows local users to cause a denial of service (change hardware state) or read from arbitrary memory via crafted input. |
|
46 |
CVE-2005-1768 |
|
|
DoS Exec Code Overflow |
2005-07-11 |
2017-10-10 |
3.7 |
User |
Local |
High |
Not required |
Partial |
Partial |
Partial |
|
Race condition in the ia32 compatibility code for the execve system call in Linux kernel 2.4 before 2.4.31 and 2.6 before 2.6.6 allows local users to cause a denial of service (kernel panic) and possibly execute arbitrary code via a concurrent thread that increments a pointer count after the nargs function has counted the pointers, but before the count is copied from user space to kernel space, which leads to a buffer overflow. |
|
47 |
CVE-2005-0180 |
|
|
Bypass |
2005-03-07 |
2017-10-10 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
Multiple integer signedness errors in the sg_scsi_ioctl function in scsi_ioctl.c for Linux 2.6.x allow local users to read or modify kernel memory via negative integers in arguments to the scsi ioctl, which bypass a maximum length check before calling the copy_from_user and copy_to_user functions. |
|
48 |
CVE-2003-0246 |
|
|
+Priv |
2003-06-16 |
2017-10-10 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports. |
|
49 |
CVE-2003-0018 |
|
|
|
2003-02-19 |
2008-09-10 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
None |
Partial |
|
Linux kernel 2.4.10 through 2.4.21-pre4 does not properly handle the O_DIRECT feature, which allows local attackers with write privileges to read portions of previously deleted files, or cause file system corruption. |
|
50 |
CVE-2002-0429 |
|
|
|
2002-08-12 |
2016-10-17 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18 and earlier on x86 systems allow local users to kill arbitrary processes via a a binary compatibility interface (lcall). |
