Buffer overflow in run-time linkers (1) ld.so or (2) ld-linux.so for Linux systems allows local users to gain privileges by calling a setuid program with a long program name (argv[0]) and forcing ld.so/ld-linux.so to report an error.

Buffer overflow in suidperl (sperl), Perl 4.x and 5.x.

Buffer overflow in University of Washington's implementation of IMAP and POP servers.

ucbmail allows remote attackers to execute commands via shell metacharacters that are passed to it from INN.

Buffer overflow in NLS (Natural Language Service).

rcp on various Linux systems including Red Hat 4.0 allows a "nobody" user or other user with UID of 65535 to overwrite arbitrary files, since 65535 is interpreted as -1 by chown and other system calls, which causes the calls to fail to modify the ownership of the file.

Command execution via shell metachars in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages, and others.

Local users can start Sendmail in daemon mode and gain root privileges.