Local privilege escalation via execve()
Deeg9rie9usi
121 points
69 comments
May 09, 2026
Discussion Highlights (9 comments)
rvz
> IV. Workaround
> No workaround is available.

Oh dear.
doublerabbit
Linux is on their second and FreeBSD is on their first. How many is Windows on?
cyberpunk
This is from April 28th, it was patched in 15.0R-p7.
cryptbe
Nice to randomly encounter our own work here. Check out our blog post for a fun walkthrough: https://blog.calif.io/p/cve-2026-7270-how-i-get-root-on-free... AI-generated working exploit, write-up and prompts: https://github.com/califio/publications/tree/main/MADBugs/fr...
tptacek
Calif is just killing it these past couple months. Reminder that Calif is Thai Duong's new firm.
wolvoleo
Oof that's a pretty big one, I didn't realise but I had already updated anyway.
0xbadcafebee
    memmove(args->begin_argv + extend, args->begin_argv + consume, args->endp - args->begin_argv + consume); // ← bug

C code like this is why we can't have nice things. Arithmetic operation in the arguments of a dangerous function call with no explicit bounds check.
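To make the comment above concrete, here is an added example (not part of the thread and not FreeBSD's code) that computes the length the quoted call passes and then performs the same move with the length in a named variable and explicit bounds checks. Only `begin_argv` and `endp` come from the quoted line; `struct argbuf`, `buf_end`, `len_as_written` and `shift_tail` are hypothetical names, and the sample buffer is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the argument buffer. Only begin_argv and endp are
 * names from the quoted line; buf_end and the layout are assumptions. */
struct argbuf {
    char *buf_end;    /* assumed: one past the end of the allocation */
    char *begin_argv; /* start of the region being edited */
    char *endp;       /* one past the last byte in use */
};

/* Length as written in the quoted call: (endp - begin_argv) + consume. */
static ptrdiff_t len_as_written(const struct argbuf *a, ptrdiff_t consume)
{
    return a->endp - a->begin_argv + consume;
}

/* Replace the first `consume` bytes with a gap of `extend` bytes by moving the
 * tail. Returns 0 on success, -1 (nothing moved) if a bound would be broken. */
static int shift_tail(struct argbuf *a, ptrdiff_t consume, ptrdiff_t extend)
{
    ptrdiff_t used = a->endp - a->begin_argv;
    ptrdiff_t room = a->buf_end - a->begin_argv;

    if (consume < 0 || extend < 0 || consume > used)
        return -1;                       /* source would start past endp */
    ptrdiff_t tail = used - consume;     /* == endp - (begin_argv + consume) */
    if (extend > room - tail)
        return -1;                       /* destination would pass buf_end */
    memmove(a->begin_argv + extend, a->begin_argv + consume, (size_t)tail);
    a->endp = a->begin_argv + extend + tail;
    return 0;
}

int main(void)
{
    char buf[16] = "AAAAhello";          /* constructed sample, 9 bytes used */
    struct argbuf a = { buf + sizeof buf, buf, buf + 9 };

    printf("as written: %td bytes, tail: %td bytes\n",
           len_as_written(&a, 4), a.endp - (a.begin_argv + 4));
    int rc = shift_tail(&a, 4, 2);
    printf("shift_tail -> %d, buffer now \"%.*s\"\n", rc,
           (int)(a.endp - a.begin_argv - 2), a.begin_argv + 2);
    return 0;
}
```

On the constructed sample the as-written length is 13 bytes against a 5-byte tail, a difference of twice `consume`.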
Groxx
- args->endp - args->begin_argv + consume); + args->endp - (args->begin_argv + consume));

tbh I've considered simply banning math-operator-precedence in projects I work on, and requiring all mixed-operator code to use parentheses or split to multiple statements. I do that myself, at least. I've seen so many mistakes from it, and seen people spend so much pointless and avoidable time deciphering and verifying it, it really doesn't seem worth it (in most code) for the extremely minor character savings.
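Review bot: the length on the + line, `args->endp - (args->begin_argv + consume)`, is still a raw pointer difference passed directly as a size, and nothing visible in the hunk guarantees that `args->begin_argv + consume` does not exceed `args->endp`. If it ever does, the difference goes negative and converts to a very large size_t. Suggest computing the length into a named variable and checking it is non-negative before the call, so a future precedence slip fails a check instead of changing the copy size. The removed line overcounted by twice `consume`, which is worth stating in the commit message.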
dnw
A CVE for exeCVE()