The 2011 Pwnie Nominee For Best Privilege Escalation Bug

Linux kernel set_fs kernel memory overwrite (CVE-2010-4258)

Credit: Nelson Elhage

Nelson Elhage found an interesting interaction between Linux threads created with the CLONE_CHILD_CLEARTID flag and the set_fs function in the kernel, which made fully exploitable bugs that would otherwise only cause a DoS. The public PoC for this vulnerability was later released by Dan Rosenberg.