<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Local-Privilege-Escalation — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/local-privilege-escalation/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 23 Apr 2026 21:16:06 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/local-privilege-escalation/feed.xml" rel="self" type="application/rss+xml"/><item><title>Radare2 Path Traversal Vulnerability in Project Deletion</title><link>https://feed.craftedsignal.io/briefs/2026-04-radare2-path-traversal/</link><pubDate>Thu, 23 Apr 2026 21:16:06 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-radare2-path-traversal/</guid><description>Radare2 versions prior to 6.1.4 are vulnerable to a path traversal in project deletion, allowing local attackers to recursively delete arbitrary directories by escaping the 'dir.projects' root, leading to integrity and availability loss.</description><content:encoded><![CDATA[<p>Radare2, a reverse engineering framework, is susceptible to a path traversal vulnerability (CVE-2026-6940) affecting versions prior to 6.1.4. This flaw allows a local attacker to delete arbitrary directories outside of the intended project storage location. By crafting project marker files with absolute paths that escape the configured <code>dir.projects</code> root directory, an attacker can trick the radare2 process into recursively deleting directories they should not have access to. 
This vulnerability poses a significant risk to system integrity and availability, as attackers can potentially delete critical system files or data. It was published on 2026-04-23 and could be exploited immediately.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains local access to a system with radare2 installed.</li>
<li>Attacker identifies the location where radare2 stores project files (configured by <code>dir.projects</code>).</li>
<li>Attacker crafts a malicious radare2 project file containing an absolute path pointing outside the designated project directory. This path includes traversal sequences (e.g., <code>../</code>) to escape the <code>dir.projects</code> root.</li>
<li>The attacker places the malicious project marker file in a location where radare2 will discover it (e.g., a default projects directory).</li>
<li>Attacker uses radare2&rsquo;s project deletion functionality, specifying the malicious project for deletion.</li>
<li>Radare2, without proper validation of the project file path, recursively deletes the directory specified in the crafted path.</li>
<li>This deletion occurs with the permissions of the radare2 process, potentially allowing the attacker to delete files and directories they would normally not have access to.</li>
<li>The attacker achieves arbitrary directory deletion, leading to loss of system integrity and availability.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows a local attacker to recursively delete arbitrary directories on the affected system. This can lead to significant data loss, system instability, and denial of service. The CVSS v3.1 base score for this vulnerability is 7.1, indicating a high level of severity. While no specific victim numbers or sector targeting have been disclosed, the potential impact on any system running a vulnerable version of radare2 is substantial.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade radare2 to version 6.1.4 or later to patch CVE-2026-6940.</li>
<li>Implement the process creation rule below to detect suspicious radare2 executions that could indicate exploitation attempts.</li>
<li>Consider limiting local user access to systems running radare2 to reduce the attack surface.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>path-traversal</category><category>radare2</category><category>local-privilege-escalation</category></item><item><title>Microsoft Graphics Component Heap-based Buffer Overflow Vulnerability (CVE-2026-32221)</title><link>https://feed.craftedsignal.io/briefs/2026-04-ms-graphics-overflow/</link><pubDate>Tue, 14 Apr 2026 18:17:30 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-ms-graphics-overflow/</guid><description>CVE-2026-32221 is a heap-based buffer overflow vulnerability in the Microsoft Graphics Component, allowing a local attacker to execute arbitrary code.</description><content:encoded><![CDATA[<p>CVE-2026-32221 describes a heap-based buffer overflow vulnerability residing within the Microsoft Graphics Component. This flaw allows an attacker with local access to execute arbitrary code on a vulnerable system. The vulnerability stems from improper handling of memory allocation within the graphics component when processing malformed or specially crafted image files or graphics data. An unauthenticated, local attacker could exploit this vulnerability to gain elevated privileges or potentially take control of the targeted system. The vulnerability was published on April 14, 2026, and defenders should promptly investigate and apply applicable patches as provided by Microsoft.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious image file or graphic data specifically designed to trigger the buffer overflow in the Microsoft Graphics Component.</li>
<li>The attacker must gain local access to a vulnerable system. This could be achieved through various means, such as social engineering or exploiting other existing vulnerabilities.</li>
<li>The attacker triggers the vulnerable graphics component to process the malicious image file or graphic data through a local application that uses the component.</li>
<li>The Microsoft Graphics Component attempts to allocate memory to process the crafted image, but the size calculation is flawed.</li>
<li>The component writes data beyond the allocated buffer on the heap due to the buffer overflow.</li>
<li>This overwrite corrupts adjacent heap memory, potentially overwriting critical data structures or function pointers.</li>
<li>The attacker gains control of the program execution flow by overwriting function pointers with malicious code addresses.</li>
<li>The attacker executes arbitrary code within the context of the application using the graphics component, potentially leading to privilege escalation or system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-32221 allows a local attacker to execute arbitrary code on the target system. Given the high CVSS score (8.4), this vulnerability poses a significant risk. If successfully exploited, an attacker could potentially gain complete control of the compromised system, leading to data theft, malware installation, or denial of service. The impact is significant for any system utilizing the vulnerable Microsoft Graphics Component, affecting both workstations and servers. The scope of the impact is limited to local access, but it can be a stepping stone for more far-reaching attacks if combined with other vulnerabilities or social engineering techniques.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security updates released by Microsoft to address CVE-2026-32221 on all affected systems immediately, as referenced in the advisory URL.</li>
<li>Enable and review process creation logs for unexpected processes spawned by applications that use the Microsoft Graphics Component to identify potential exploitation attempts.</li>
<li>Implement the provided Sigma rule to detect suspicious process execution following a crash or error related to graphics processing.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-32221</category><category>buffer-overflow</category><category>local-privilege-escalation</category><category>graphics-component</category></item><item><title>Easy Video to iPod Converter 1.6.20 Local Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-easy-video-overflow/</link><pubDate>Sun, 12 Apr 2026 13:16:32 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-easy-video-overflow/</guid><description>Easy Video to iPod Converter 1.6.20 is vulnerable to a local buffer overflow in the user registration field, allowing a local attacker to overwrite the structured exception handler (SEH) by providing a crafted payload exceeding 996 bytes in the username field, potentially leading to arbitrary code execution with user privileges.</description><content:encoded><![CDATA[<p>Easy Video to iPod Converter version 1.6.20 is susceptible to a local buffer overflow vulnerability (CVE-2019-25701) within the user registration functionality. This vulnerability allows an attacker with local access to the system to potentially overwrite the Structured Exception Handler (SEH) by providing a crafted payload larger than 996 bytes in the username field during registration. This could lead to arbitrary code execution within the context of the user running the vulnerable application. Successful exploitation requires a local attacker with the ability to interact with the Easy Video to iPod Converter software. This vulnerability was published on 2026-04-12 and poses a significant risk because it allows for local privilege escalation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains local access to a system with Easy Video to iPod Converter 1.6.20 installed.</li>
<li>The attacker launches the Easy Video to iPod Converter application.</li>
<li>The attacker navigates to the user registration field within the application.</li>
<li>The attacker inputs a specially crafted payload exceeding 996 bytes into the username registration field.</li>
<li>Due to the buffer overflow vulnerability, the payload overwrites the Structured Exception Handler (SEH).</li>
<li>The application attempts to handle an exception, triggering the overwritten SEH.</li>
<li>Control is transferred to the attacker&rsquo;s payload within the overwritten SEH.</li>
<li>The attacker executes arbitrary code with the privileges of the user running the application.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2019-25701 allows a local attacker to execute arbitrary code on the targeted system. This could lead to privilege escalation, allowing the attacker to gain elevated access and control over the system. The impact includes potential data theft, system compromise, and further malicious activities initiated from the compromised host. The severity is high due to the potential for full system compromise, and the vulnerability is exploitable locally.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process creations for suspicious processes spawned from the Easy Video to iPod Converter executable, as this may indicate successful exploitation (see rule: &ldquo;Suspicious Process Creation from Easy Video to iPod Converter&rdquo;).</li>
<li>Monitor for registry modifications performed by the Easy Video to iPod Converter process, as some exploitation techniques might involve persistence mechanisms via registry keys (see rule: &ldquo;Registry Modification by Easy Video to iPod Converter&rdquo;).</li>
<li>Consider upgrading or removing the vulnerable application if a patch is not available to mitigate CVE-2019-25701.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2019-25701</category><category>buffer-overflow</category><category>local-privilege-escalation</category><category>windows</category></item><item><title>Vim Vulnerability Allows Local Code Execution</title><link>https://feed.craftedsignal.io/briefs/2026-04-vim-code-exec/</link><pubDate>Thu, 09 Apr 2026 08:09:38 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-vim-code-exec/</guid><description>A local attacker can exploit a vulnerability in Vim to execute arbitrary code on a vulnerable system.</description><content:encoded><![CDATA[<p>A vulnerability exists within the Vim text editor that allows a local attacker to execute arbitrary code. While the specific details of the vulnerability are not provided in the source, the potential impact is significant. Successful exploitation could lead to privilege escalation, data compromise, or complete system takeover. Defenders should focus on identifying potential exploit attempts and ensuring systems are patched to the latest available version of Vim. Given the lack of specifics, a proactive approach is recommended, focusing on detecting unusual process execution patterns associated with Vim. This is a locally exploitable vulnerability and requires existing access to the target machine.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains local access to a system with a vulnerable version of Vim installed. This could be achieved through social engineering, physical access, or exploiting other vulnerabilities on the system.</li>
<li>The attacker crafts a malicious file specifically designed to trigger the Vim vulnerability. This file could be a text file with specially crafted syntax highlighting rules or other malicious content.</li>
<li>The attacker opens the malicious file within Vim.</li>
<li>Vim parses the malicious file, triggering the vulnerability due to a flaw in its code.</li>
<li>The vulnerability allows the attacker to inject and execute arbitrary code within the context of the Vim process.</li>
<li>The attacker&rsquo;s code performs malicious actions, such as creating new files, modifying existing files, or launching other processes.</li>
<li>The attacker escalates privileges by exploiting additional vulnerabilities, leveraging the initial code execution to gain higher-level access.</li>
<li>The attacker achieves their final objective, such as data exfiltration, system compromise, or denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful exploit could lead to a complete compromise of the affected system. Given that this is a local vulnerability, the attacker needs to have some level of access already. However, the ability to execute arbitrary code from within Vim could be leveraged to escalate privileges and gain full control of the system. The number of potential victims is broad, as Vim is a commonly used text editor on various operating systems. The primary risk is unauthorized access to sensitive data, system instability, or use of the compromised system for further malicious activities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process creation events for Vim spawning child processes, especially those with unusual command-line arguments, using the provided Sigma rule <code>Detect Suspicious Vim Child Processes</code>.</li>
<li>Implement file integrity monitoring on the Vim executable and related libraries to detect unauthorized modifications.</li>
<li>Investigate any suspicious activity originating from Vim processes, particularly if it involves network connections or file system modifications.</li>
<li>Apply any available patches or updates for Vim as soon as they are released to address the underlying vulnerability.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vim</category><category>code-execution</category><category>local-privilege-escalation</category></item><item><title>Flat Assembler Stack-Based Buffer Overflow Vulnerability (CVE-2017-20228)</title><link>https://feed.craftedsignal.io/briefs/2026-03-flat-assembler-overflow/</link><pubDate>Sat, 28 Mar 2026 12:16:02 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-flat-assembler-overflow/</guid><description>Flat Assembler version 1.71.21 is susceptible to a stack-based buffer overflow vulnerability, allowing local attackers to achieve arbitrary code execution by providing a crafted, oversized input file.</description><content:encoded>&lt;p>The Flat Assembler (FASM) version 1.71.21 is vulnerable to a stack-based buffer overflow (CVE-2017-20228). This vulnerability allows a local attacker to execute arbitrary code on a vulnerable system. The attack requires the attacker to supply a specially crafted assembly file as input to FASM. By providing an input file larger than 5895 bytes, the attacker can overwrite the instruction pointer, leading to arbitrary code execution. This is achieved through return-oriented programming (ROP)…&lt;/p>
</content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2017-20228</category><category>buffer-overflow</category><category>local-privilege-escalation</category></item><item><title>PInfo 0.6.9-5.1 Local Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-pinfo-buffer-overflow/</link><pubDate>Sat, 28 Mar 2026 12:16:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-pinfo-buffer-overflow/</guid><description>PInfo version 0.6.9-5.1 is susceptible to a local buffer overflow vulnerability, enabling local attackers to execute arbitrary code by providing an overly large argument to the '-m' parameter, ultimately allowing for shellcode execution with user privileges.</description><content:encoded><![CDATA[<p>PInfo 0.6.9-5.1 contains a critical local buffer overflow vulnerability (CVE-2016-20044) that allows a malicious local attacker to execute arbitrary code. This vulnerability stems from the application&rsquo;s insufficient input validation when handling the &lsquo;-m&rsquo; parameter. By exploiting this flaw, an attacker can overwrite the instruction pointer and gain unauthorized access. This can potentially lead to full system compromise. The attacker crafts a malicious input string with 564 bytes of padding followed by a return address.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains local access to the vulnerable system.</li>
<li>The attacker identifies the PInfo binary (likely located in /usr/bin or /usr/local/bin).</li>
<li>The attacker crafts a malicious input string exceeding the buffer size allocated for the &lsquo;-m&rsquo; parameter. This malicious string includes 564 bytes of padding.</li>
<li>The attacker appends a return address to the malicious string, pointing to a memory location containing the attacker&rsquo;s shellcode.</li>
<li>The attacker executes the PInfo binary with the crafted malicious input as an argument to the &lsquo;-m&rsquo; parameter. <code>pinfo -m &quot;A&quot;*564 + &lt;return_address&gt;</code>.</li>
<li>The buffer overflow occurs, overwriting the return address on the stack.</li>
<li>When the PInfo function returns, it jumps to the attacker-controlled address, executing the shellcode.</li>
<li>The attacker&rsquo;s shellcode executes with the privileges of the user running PInfo. This can lead to privilege escalation if PInfo is run by a privileged user or via setuid.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows a local attacker to execute arbitrary code with the privileges of the user running the vulnerable PInfo application. This could lead to sensitive data disclosure, unauthorized modification of system files, or complete system compromise. While the exact number of affected systems is unknown, any system running PInfo 0.6.9-5.1 is potentially vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply available patches or upgrade to a version of PInfo that addresses CVE-2016-20044.</li>
<li>Monitor process creation events for executions of <code>pinfo</code> with unusually long arguments to the <code>-m</code> parameter, using the Sigma rule provided.</li>
<li>Implement strict input validation for all command-line arguments in applications to prevent buffer overflows.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>buffer-overflow</category><category>local-privilege-escalation</category><category>cve-2016-20044</category></item><item><title>TiEmu 3.03 Buffer Overflow Vulnerability (CVE-2016-20040)</title><link>https://feed.craftedsignal.io/briefs/2026-03-tiemu-buffer-overflow/</link><pubDate>Sat, 28 Mar 2026 12:15:59 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-tiemu-buffer-overflow/</guid><description>TiEmu 3.03 is vulnerable to a buffer overflow in ROM parameter handling, enabling local attackers to crash the application or execute arbitrary code by providing an oversized ROM parameter via the command-line interface.</description><content:encoded>&lt;p>TiEmu, a Texas Instruments (TI) calculator emulator, version 3.03-nogdb+dfsg-3, is susceptible to a buffer overflow vulnerability (CVE-2016-20040). This flaw resides within the handling of ROM parameters passed via the command-line interface. An unauthenticated, local attacker can exploit this vulnerability by supplying an oversized ROM parameter. Successful exploitation allows the attacker to crash the application, potentially leading to a denial of service, or, more seriously, execute…&lt;/p>
</content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2016-20040</category><category>buffer-overflow</category><category>local-privilege-escalation</category></item><item><title>FlexHEX 2.71 Local Buffer Overflow Vulnerability (CVE-2019-25627)</title><link>https://feed.craftedsignal.io/briefs/2026-03-flexhex-overflow/</link><pubDate>Tue, 24 Mar 2026 12:16:02 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-flexhex-overflow/</guid><description>FlexHEX 2.71 is vulnerable to a local buffer overflow in the Stream Name field, allowing local attackers to execute arbitrary code via a structured exception handler (SEH) overflow.</description><content:encoded>&lt;p>FlexHEX 2.71 is susceptible to a local buffer overflow vulnerability (CVE-2019-25627) found within the Stream Name field. This flaw enables a local attacker to execute arbitrary code by exploiting a structured exception handler (SEH) overflow. The attack involves crafting a malicious text file containing precisely aligned shellcode and SEH chain pointers. By pasting this crafted content into the Stream Name dialog within FlexHEX, the attacker can trigger the SEH overflow and execute commands…&lt;/p>
</content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>buffer-overflow</category><category>seh-overflow</category><category>local-privilege-escalation</category><category>windows</category></item><item><title>Lavavo CD Ripper 4.20 SEH Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-03-lavavo-cd-ripper-seh-overflow/</link><pubDate>Mon, 23 Mar 2026 14:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-lavavo-cd-ripper-seh-overflow/</guid><description>Lavavo CD Ripper 4.20 is vulnerable to a structured exception handling (SEH) buffer overflow, allowing local attackers to execute arbitrary code by supplying a malicious string in the License Activation Name field leading to arbitrary code execution and a bind shell.</description><content:encoded><![CDATA[<p>Lavavo CD Ripper version 4.20 is susceptible to a critical structured exception handling (SEH) buffer overflow vulnerability. This vulnerability allows a local attacker to execute arbitrary code on a targeted system by crafting a malicious string and providing it as the License Activation Name. The vulnerability, identified as CVE-2019-25615, stems from insufficient bounds checking when handling the license activation data. Successful exploitation enables attackers to gain complete control over the affected system, potentially leading to data theft, system compromise, or further malicious activities within the local network. This poses a significant risk to users of Lavavo CD Ripper 4.20.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker prepares a malicious string crafted to exploit the SEH buffer overflow vulnerability in Lavavo CD Ripper 4.20. This string includes controlled buffer data, NSEH jump instructions, and SEH handler addresses.</li>
<li>The attacker launches Lavavo CD Ripper 4.20 on a vulnerable system.</li>
<li>The attacker navigates to the license activation section of the application.</li>
<li>The attacker enters the malicious string into the License Activation Name field.</li>
<li>The application processes the crafted input without proper bounds checking, resulting in a buffer overflow.</li>
<li>The overflow overwrites the SEH frame on the stack, replacing the standard SEH handler with the attacker-controlled SEH handler address.</li>
<li>An exception is triggered within the application, causing the program to jump to the attacker-controlled SEH handler.</li>
<li>The attacker&rsquo;s code is executed, which sets up a bind shell on port 3110, allowing the attacker to remotely connect and control the system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of the SEH buffer overflow vulnerability in Lavavo CD Ripper 4.20 grants a local attacker the ability to execute arbitrary code with the privileges of the user running the application. This can lead to complete system compromise, including unauthorized access to sensitive data, installation of malware, and further lateral movement within the network. The bind shell on port 3110 provides a persistent backdoor for the attacker to maintain control over the compromised system.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply any available patches or updates for Lavavo CD Ripper to address CVE-2019-25615.</li>
<li>Implement application control mechanisms to prevent the execution of unauthorized or modified versions of Lavavo CD Ripper.</li>
<li>Deploy the Sigma rules below to detect potential exploitation attempts based on process creation (logsource: process_creation).</li>
<li>Monitor network connections for unexpected services listening on port 3110, which may indicate a successful bind shell (logsource: network_connection).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>buffer-overflow</category><category>seh</category><category>cve-2019-25615</category><category>local-privilege-escalation</category><category>windows</category></item><item><title>Admin Express 1.2.5.485 Local SEH Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-03-admin-express-buffer-overflow/</link><pubDate>Mon, 23 Mar 2026 14:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-admin-express-buffer-overflow/</guid><description>Admin Express 1.2.5.485 is susceptible to a local structured exception handling buffer overflow vulnerability, enabling local attackers to execute arbitrary code via a crafted payload in the Folder Path field of the System Compare feature.</description><content:encoded><![CDATA[<p>Admin Express 1.2.5.485 contains a local structured exception handling (SEH) buffer overflow vulnerability that allows a local attacker to execute arbitrary code with the privileges of the application. This vulnerability, identified as CVE-2019-25612, was reported in March 2026. The attack involves crafting a specific alphanumeric encoded payload and injecting it into the &lsquo;Folder Path&rsquo; field within the Admin Express application. Successful exploitation could lead to complete system compromise under the context of the running application. Defenders should prioritize detection and mitigation strategies to prevent potential exploitation attempts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains local access to a system with Admin Express 1.2.5.485 installed.</li>
<li>The attacker opens the Admin Express application.</li>
<li>The attacker navigates to the System Compare feature within the application.</li>
<li>The attacker pastes a specially crafted alphanumeric encoded payload into the left-hand side &lsquo;Folder Path&rsquo; field. The payload is designed to trigger a structured exception handling (SEH) buffer overflow.</li>
<li>The attacker clicks the &ldquo;scale&rdquo; icon associated with the &lsquo;Folder Path&rsquo; field.</li>
<li>The application attempts to process the crafted payload, leading to a buffer overflow in the SEH handler.</li>
<li>The overflow overwrites the SEH record, redirecting control to attacker-controlled shellcode.</li>
<li>The attacker&rsquo;s shellcode executes with the privileges of the Admin Express application, enabling arbitrary code execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows a local attacker to execute arbitrary code on the affected system with the privileges of the Admin Express application. This could lead to complete system compromise, data theft, or installation of malware. Given the lack of information about victimology, potential damage is limited to systems running vulnerable versions of Admin Express.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process creation events for the execution of suspicious processes originating from Admin Express using process creation logs, specifically looking for unusual child processes spawned after Admin Express performs file comparison (log source: process_creation).</li>
<li>Implement a Sigma rule to detect potentially malicious command line arguments being passed to processes spawned by Admin Express (see Sigma rule below).</li>
<li>Consider using application whitelisting to restrict the execution of unauthorized applications from the Admin Express application.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2019-25612</category><category>buffer-overflow</category><category>local-privilege-escalation</category><category>windows</category></item></channel></rss>