There is an integer overflow in the BaseSrvActivationContextCacheDuplicateUnicodeString function in the sxssrv.dll module of the CSRSS process.

The vulnerable function can be accessed from the BaseSrvSxsCreateActivationContextFromMessage CSR routine. However, the default size of the CSR shared memory section is only 0x10000 bytes, so by default it is impossible to pass a large enough UNICODE_STRING to CSRSS. Fortunately, the section size is controlled entirely by the client process, and if an attacker can modify ntdll! CsrpConnectToServer early enough during the start of the process, you'll be able to pass strings larger than 0x10000 in size.

A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus fallbacks to legacy handling) could use this flaw to escalate their privileges on the system

The vulnerability allowed a local low-privileged user to execute arbitrary Powershell as SYSTEM due to improper file permission assignment.

net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10 allows local users to gain privileges because of a heap out-of-bounds write. This is related to nf_tables_offload.

A vulnerability was discovered in RealVNC VNC Server installations on Windows when running MSI repair, which can lead to a local user privilege escalation.

The bpf verifier(kernel/bpf/verifier.c) did not properly restrict several *_OR_NULL pointer types which allows these types to do pointer arithmetic. An unprivileged user could use this flaw to escalate their privileges on a system. Setting parameter "kernel.unprivileged_bpf_disabled=1" prevents such privilege escalation by restricting access to bpf(2) call.

Windows Ancillary Function Driver for WinSock is prone to a DoS because of an integer overflow.

An out-of-bounds (OOB) memory write flaw was found in the Linux kernel's watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.

This update improves the module to bypass UAC by adding support for Windows 11.

Improper initialization of the flags member of the pipe buffer structure in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel, could allow an unprivileged local user to write to pages in the page cache backed by read-only files and escalate privileges on the system.