Solaris 2.4 before kernel jumbo patch -35 allows set-gid programs to dump core even if the real user id is not in the set-gid group, which allows local users to overwrite or create files at higher privileges by causing a core dump, e.g. through dmesg.

Local user gains root privileges via buffer overflow in rdist, via expstr() function.

Buffer overflow in syslog utility allows local or remote attackers to gain root privileges.