Pre-Authentication XXE → OOB SSRF in ArubaOS 8.13.2.0 (Port 32000)

ArubaOS 8.13.2.0 exposes an unauthenticated XML parser on port 32000 that resolves external entities, enabling OOB SSRF and internal port scanning. Wire-level pcap + target sshd log confirm server-side execution. Bugcrowd closed it as theoretical. No fix issued.

June 1, 2026 · JM00NJ

Boundary Mathematics: Weaponizing PAGE_SHIFT Arithmetic via FUSE — Part 3

MAX_LFS_FILESIZE only gates the superblock. Once the FUSE connection is up, every FUSE_GETATTR reply can mutate i_size to 0xFFFFFFFFFFFFFFFF. The page cache’s (pos + count - 1) >> PAGE_SHIFT arithmetic wraps unsigned, inverts loop invariants, and turns vma_merge() into an arbitrary OOB-write primitive on Maple Tree-backed kernels.

April 29, 2026 · JM00NJ

Lying to the Kernel: FUSE Trust Boundary & Size Desync as a VFS Attack Surface — Part 1

An unprivileged FUSE daemon controls the semantic authority of an entire filesystem. By lying about i_size in vfs_getattr replies, it desynchronizes kernel allocation from kernel ingestion — turning finit_module(2), the firmware loader, and kexec_file_load(2) into kmalloc-4k slab overflow primitives.

April 29, 2026 · JM00NJ

The Async Abort Race: drop_caches × SIGKILL × fuse_abort_conn = Double Put — Part 4 & Conclusion

struct fuse_req borrows inode references without bumping i_count. A SIGKILL’d reader, an unrelated drop_caches sysctl, and a delayed daemon abort conspire to dereference freed-and-reoccupied slab memory. The result: a refcount decrement on whatever struct cred lands in the freed slot — the entire kill chain in three syscalls and one signal.

April 29, 2026 · JM00NJ

CVE-2025-6019: udisks2 XFS Resize Vulnerability

Exploit the Time-of-Check to Time-of-Use (TOCTOU) window in udisks2. This analysis covers Polkit bypass, XFS image crafting, and Race Condition triggers for LPE.

March 27, 2026 · JM00NJ