Tag: privilege-escalation (3)

CVE Reproduction > Reproducing Nimbuspwn: Linux Privilege Escalation via Path Traversal and TOCTOU in networkd-dispatcher

Vulnerability: Nimbuspwn breaks the invariant that “networkd-dispatcher only executes trusted root-owned scripts from its own hooks directory,” which is violated when an attacker first escapes the hooks path via directory traversal and then swaps the checked script path between validation and execution via a TOCTOU race to get arbitrary code run as root.

path-traversal toc-tou race-condition linux privilege-escalation d-bus systemd-networkd networkd-dispatcher sink-to-source cve-2022-29799 cve-2022-29800 great-chall

February 14, 2026 • November 9, 2025 • Research

CVE Reproduction > Reproducing CVE-2020-8831: Privilege Escalation via Symlink Attack on Apport's Lock File Implementation

Vulnerability: CVE-2020-8831 breaks the invariant that Apport’s lock file is created atomically as a real file in a trusted location (without following symlinks), which is violated when an attacker pre-creates a symlink at the lock path so Apport opens/writes the symlink target and enables local privilege escalation.

symlink lock-file apport cve-2020-8831 privilege-escalation linux

February 8, 2026 • November 8, 2025 • Research

Learning Stuff > Getting Started With Linux Kernel Exploitation

linux kernel kernel-module qemu privilege-escalation bypass-seccomp

January 4, 2026 • December 6, 2025 • Research