Linux kernel: Exploitable NULL pointer dereference.

A Linux kernel thread before 3.10.0 is vulnerable to a NULL pointer dereference if it is invoked with a NULL pointer as an argument to pthread_join(), when called from __pthread_wqprocessing(). The NULL pointer dereference issue is caused by the lack of understanding of the semaphore accounting in the scheduler. The scheduler is not able to maintain the semaphore correctly, so by calling __pthread_wqprocessing() with the *pthread_join* argument set to the NULL pointer, the scheduler incorrectly decrements both the waiter semaphore and the one waiting for the thread use-after-free-dump. Other affected Linux kernels include 2.6.37, 2.6.38, 2.6.39, 2.6.30, 2.6.32, and 2.6.33.
A buffer overflow vulnerability in the sendmsg() function in net/ipv4/tcp_output.c in the Linux kernel before 3.8.9 allows local users to cause a denial of service (crash the kernel) via a crafted pkt_outmsg() sendmsg() system call.
A return-to-libc heap-based buffer overflow vulnerability in the dns_gethostbyname() function in net/ipv4/udp_dns.c in the Linux kernel before 4.7 allows remote attackers to execute arbitrary commands via a large DNS name.
The tty driver in the Linux kernel before 3.10.0 does not match the ttyp discipline when doing a stop check, which can be used to cause a denial of service (crash the kernel) as demonstrated by the linuxoverflow.com pwnvm tool.