chown: users can change the group affiliation of arbitrary files to the group they belong to, missing DAC check in chown(2): local privilege escalation, overflow with signals: local denial-of-service, pss, mpu401 sound driver: read/write to complete memory, airo driver: read/write to complete memory, ALSA: copy_from_user/copy_to_user confused, acpi_asus: read from random memory, decnet: write to memory without checking, e1000 driver: read complete memory
