Tag: code-review (2)Linux Privilege Escalation > Nimbuspwn > Linux LPE via Path Traversal and TOCTOU in networkd-dispatcherVuln: Nimbuspwn breaks the invariant that “networkd-dispatcher only executes trusted root-owned scripts from its own hooks directory,” which is violated when an attacker first escapes the hooks path via directory traversal and then swaps the checked script path between validation and execution via a TOCTOU race to get arbitrary code run as root.November 9, 2025Random stuff > CVE-2022-0324 > Buffer Overflow in dhcp6relay of SONiCVuln: CVE-2022-0324 breaks the invariant that SONiC’s dhcp6relay must validate DHCPv6 option/payload lengths so it never copies more bytes than the destination buffer can hold.The invariant is violated when a remote attacker sends a crafted DHCPv6 packet that reaches a memcpy with an unchecked length, causing an out-of-bounds write (buffer overflow).November 4, 2025