logoalt Hacker News

Local privilege escalation via execve()

82 pointsby Deeg9rie9usiyesterday at 8:31 PM57 commentsview on HN

Comments

cryptbeyesterday at 9:58 PM

Nice to randomly encounter our own work here.

Check out our blog post for a fun walkthrough: https://blog.calif.io/p/cve-2026-7270-how-i-get-root-on-free...

AI-generated working exploit, write-up and prompts: https://github.com/califio/publications/tree/main/MADBugs/fr...

tptacekyesterday at 10:02 PM

Calif is just killing it these past couple months. Reminder that Calif is Thai Duong's new firm.

show 1 reply
cyberpunkyesterday at 9:06 PM

This is from April 28th, it was patched in 15.0R-p7.

show 2 replies
0xbadcafebeetoday at 12:35 AM

  memmove(args->begin_argv + extend, args->begin_argv + consume,
      args->endp - args->begin_argv + consume);   // ← bug
C code like this is why we can't have nice things. Arithmetic operation in the arguments of a dangerous function call with no explicit bounds check.
show 1 reply
wolvoleoyesterday at 10:08 PM

Oof that's a pretty big one, I didn't realise but I had already updated anyway.

rvzyesterday at 8:45 PM

> IV. Workaround

> No workaround is available.

Oh dear.

show 3 replies
doublerabbityesterday at 9:03 PM

Linux is on their second and FreeBSD is on their first. How many is Windows on?

show 2 replies