Issues
tracking 6 issues since April 29, 2026
PinTheft
A double-free in the Linux kernel's RDS zerocopy send path allows an unprivileged local attacker to corrupt page reference counts and, combined with io_uring fixed buffers, overwrite SUID binaries in the page cache to gain root.
DirtyDecrypt
A missing copy-on-write check in the Linux kernel's RxGK subsystem allows in-place decryption to write into page-cache pages backed by privileged files, enabling an unprivileged local attacker to overwrite those files and escalate to root.
ssh-keysign-pwn
Race condition in the Linux kernel process exit sequence allows unprivileged users to steal file descriptors from exiting privileged processes, which can be used to read root-owned files.
Fragnesia
A flaw in the Linux kernel's XFRM ESP-in-TCP subsystem allows a low-privileged local attacker to write arbitrary bytes into the page cache of read-only files, which can be exploited to overwrite privileged binaries and gain root privileges.
Dirty Frag
Two Linux kernel vulnerabilities in the xfrm/ESP and RxRPC subsystems allow an unprivileged local attacker to overwrite arbitrary bytes in root-owned files in the page cache to achieve local privilege escalation.
Copy Fail
A logic flaw in the Linux kernel's crypto subsystem allows an unprivileged user to perform a controlled 4-byte write into the page cache of read-only files, enabling local privilege escalation.