Sendmail WIZ command enabled, allowing root access.

Denial of service in Qmail by specifying a large number of recipients with the RCPT command.

Kerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys.

The Java Applet Security Manager implementation in Netscape Navigator 2.0 and Java Developer's Kit 1.0 allows an applet to connect to arbitrary hosts.

Java Bytecode Verifier allows malicious applets to execute arbitrary commands as the user of the applet.

Denial of service in RAS/PPTP on NT systems.

Buffer overflow in Solaris x86 mkcookie allows local users to obtain root access.

The suidperl and sperl program do not give up root privileges when changing UIDs back to the original users, allowing root access.

The dip program on many Linux systems allows local users to gain root access via a buffer overflow.

Kodak Color Management System (KCMS) on Solaris allows a local user to write to arbitrary files and gain root access.

admintool in Solaris allows a local user to write to arbitrary files and gain root access.

vold in Solaris 2.x allows local users to gain root access.

fm_fls license server for Adobe Framemaker allows local users to overwrite arbitrary files and gain root access.

Expreserve, as used in vi and ex, allows local users to overwrite arbitrary files and gain root access.

Buffer overflow and denial of service in Sendmail 8.7.5 and earlier through GECOS field gives root access to local users.

Local users can start Sendmail in daemon mode and gain root privileges.

Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file.

Oversized ICMP ping packets can result in a denial of service, aka Ping o' Death.

swinstall and swmodify commands in SD-UX package in HP-UX systems allow local users to create or overwrite arbitrary files to gain root access.

SGI IRIX buffer overflow in xterm and Xaw allows root access.