what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 1,862 RSS Feed

Files from Google Security Research

First Active2000-02-18
Last Active2024-05-13
Arm Mali 5th Gen Dangling ATE
Posted May 13, 2024
Authored by Jann Horn, Google Security Research

In mmu_insert_pages_no_flush(), when a HUGE_HEAD page is mapped to a 2M aligned GPU address, this is done by creating an Address Translation Entry (ATE) at MIDGARD_MMU_LEVEL(2) (in other words, an ATE covering 2M of memory is created). This is wrong because it assumes that at least 2M of memory should be mapped. mmu_insert_pages_no_flush() can be called in cases where less than that should be mapped, for example when creating a short alias of a big native allocation. Later, when kbase_mmu_teardown_pgd_pages() tries to tear down this region, it will detect that unmapping a subsection of a 2M ATE is not possible and write a log message complaining about this, but then proceed as if everything was fine while leaving the ATE intact. This means the higher-level code will proceed to free the referenced physical memory while the ATE still points to it.

tags | exploit
advisories | CVE-2024-0671
SHA-256 | 02b7002e9ef87f42111b8b994ec26a71eab28f5f71c23d3899c25a6cc7a85c92
PowerVR PMRMMapPMR() Writability Check
Posted Apr 25, 2024
Authored by Jann Horn, Google Security Research

PowerVR has a security issue where a writability check in PMRMMapPMR() does not clear VM_MAYWRITE.

tags | exploit
SHA-256 | 3c6be466dbc5e6f19541750720a0f82bfbd11613fafa5557f44c1df26aa893b2
Windows Kernel Subkey List Use-After-Free
Posted Apr 11, 2024
Authored by Google Security Research, mjurczyk

The Windows Kernel suffers from a subkey list use-after-free vulnerability due to a mishandling of partial success in CmpAddSubKeyEx.

tags | exploit, kernel
systems | windows
advisories | CVE-2024-26182
SHA-256 | 371f9505662bb6a768bb624f24a62e46fef4ad9feab889c6189fe75092e31989
PowerVR DevmemIntUnexportCtx Use-After-Free
Posted Apr 8, 2024
Authored by Jann Horn, Google Security Research

PowerVR has an issue where DevmemIntUnexportCtx destroys export before unlinking it, leading to a use-after-free condition.

tags | exploit
SHA-256 | 6f9202099fe090be7419d76b62ea9327f8db8be77898b1207baaaa4a3a3cd10e
Linux 6.5 Kernel Pointer Leak
Posted Apr 5, 2024
Authored by Jann Horn, Google Security Research

Linux versions starting with 6.5 suffer from a read-after-type-change of folio in cachestat() that leads to a kernel pointer leak.

tags | exploit, kernel
systems | linux
advisories | CVE-2024-26630
SHA-256 | 9ed32c7cf46a882e510759c307e0ac2758225c4d00df31c8c83be548a01fd482
Google Pixel MFC H264 Processing Memory Corruption
Posted Apr 3, 2024
Authored by Google Security Research, natashenka

There is a memory corruption issue in the MFC media processing core on the Pixel 7. It occurs when decoding a malformed H264 stream in Chrome, likely to due to an out of bounds quantization parameter. A write to plane 0 that occurs during macroblock decoding extends past the allocated bounds of the plane, and can overwrite the motion vector (MV) buffer or cause a crash if the adjacent address is unmapped. Both of these allocations are DMA buffers and it is unclear whether this condition is exploitable.

tags | exploit
advisories | CVE-2024-27228
SHA-256 | 03533e71b8963179a0ae3ad68550b9e5e705a79dd75292d232b287f1c47b89f6
PowerVR RGXCreateZSBufferKM2 Use-After-Free
Posted Apr 2, 2024
Authored by Jann Horn, Google Security Research

PowerVR has an issue where the RGXCreateZSBufferKM2 error path frees object while on list.

tags | exploit
SHA-256 | b77c7757a3ce5ef36d49453304cff99bfbbd56c1ff428ecdf3cd2b4c3033e628
dav1d Integer Overflow / Out-Of-Bounds Write
Posted Mar 18, 2024
Authored by Ivan Fratric, Google Security Research, Nick Galloway

There is an integer overflow in dav1d when decoding an AV1 video with large width/height. The integer overflow may result in an out-of-bounds write.

tags | exploit, overflow
advisories | CVE-2024-1580
SHA-256 | 258b775b05e2d4378551ee4e66e5c90a5df4e7d9ef5dc5c37abec0ba66db8a8e
Telegram For Android Connection::onReceivedData Use-After-Free
Posted Feb 28, 2024
Authored by Google Security Research, Mark Brand

In the tgnet library used in Telegram messenger for Android, there is a use-after-free vulnerability in Connection::onReceivedData that can be triggered remotely.

tags | exploit
SHA-256 | bca6a67a76c752f1ecdcd8907312e1eb9daa4808f56fcf845f91420c4d98f5d4
Chrome chrome.pageCapture.saveAsMHTML() Extension API Blocked Origin Bypass
Posted Feb 19, 2024
Authored by Jann Horn, Google Security Research

Chrome has an issue where the chrome.pageCapture.saveAsMHTML() extension API can be used on blocked origins due to a racy access check.

tags | exploit
advisories | CVE-2024-0811
SHA-256 | c081d9b3a89b0a80ccfbb9fc08c3373284b83957b305d8759f551dfbed038c66
MediaTek WLAN Driver Memory Corruption
Posted Feb 8, 2024
Authored by Google Security Research, Seth Jenkins

The MediaTek WLAN driver has VFS read handlers that do not check buffer size leading to userland memory corruption.

tags | exploit
SHA-256 | e02f5b1f1d435ca3340b9ddef6433031cb241ad315800f041e8e425d3ac596dd
Chrome content::NavigationURLLoaderImpl::FallbackToNonInterceptedRequest Heap Use-After-Free
Posted Jan 26, 2024
Authored by Google Security Research, Glazvunov

Chrome suffers from a heap use-after-free vulnerability in content::NavigationURLLoaderImpl::FallbackToNonInterceptedRequest.

tags | exploit
advisories | CVE-2023-6112
SHA-256 | 5991378cd81b0bd15e90459d13e7396782910b67862cf292906e095dca2e9175
Linux 5.6 io_uring Cred Refcount Overflow
Posted Jan 19, 2024
Authored by Jann Horn, Google Security Research

Linux versions 5.6 and above appear to suffer from a cred refcount overflow when handling approximately 39 gigabytes of memory usage via io_uring.

tags | exploit, overflow
systems | linux
SHA-256 | eb6cd67301b0a3753b8bd45f998819605fcd09521aac98683535cba1e70af180
macOS AppleVADriver Out-Of-Bounds Write
Posted Jan 12, 2024
Authored by Ivan Fratric, Google Security Research

macOS suffers from an out-of-bounds write vulnerability in AppleVADriver when decoding mpeg2 videos.

tags | exploit
advisories | CVE-2023-42882
SHA-256 | a755a34876f36a8a24fb4024eeda524426d61439be93ad37d2aa3f187ed43ce5
macOS AppleGVA Memory Handling
Posted Jan 12, 2024
Authored by Ivan Fratric, Google Security Research

On Intel macOS, HEVC video decoding is performed in the AppleGVA module. Using fuzzing, researchers identified multiple issues in this decoder. The issues range from out-of-bounds writes, out-of-bounds reads and, in one case, free() on an invalid address. All of the issues were reproduced on macOS Ventura 13.6 running on a 2018 Mac mini (Intel based).

tags | exploit
advisories | CVE-2023-42926
SHA-256 | ed851479d112d861e65e1f2c3cbdcfb9751f8aafbae00aece5139de5128c88b0
Linux 4.20 KTLS Read-Only Write
Posted Jan 12, 2024
Authored by Jann Horn, Google Security Research

Linux versions 4.20 and above have an issue where ktls writes into spliced readonly pages.

tags | exploit
systems | linux
advisories | CVE-2022-0847
SHA-256 | c8a387c3d377fb9915457e6c2add6c04bc585011d822e7f419d1a632b108342d
Linux Broken Unix GC Interaction Use-After-Free
Posted Jan 12, 2024
Authored by Jann Horn, Google Security Research

Linux suffers from an io_uring use-after-free vulnerability due to broken unix GC interaction.

tags | exploit
systems | linux, unix
advisories | CVE-2022-2602, CVE-2023-6531
SHA-256 | f69e0977a025727662a99855b4620c72daf61a181fc942af121b5a2aba667456
Microsoft Windows Registry Predefined Keys Privilege Escalation
Posted Jan 11, 2024
Authored by Google Security Research, mjurczyk

Predefined keys in the Microsoft Windows Registry may lead to confused deputy problems and local privilege escalation.

tags | exploit, local, registry
systems | windows
advisories | CVE-2023-35356, CVE-2023-35633
SHA-256 | a4c3435d9c5e52f576c70ff4db3da2de108e219bbd349f1ce79de1a81c042945
Linux 6.4 io_uring Use-After-Free
Posted Jan 8, 2024
Authored by Jann Horn, Google Security Research

Linux versions 6.4 and above suffer from an io_uring page use-after-free vulnerability via buffer ring mmap.

tags | exploit
systems | linux
SHA-256 | bdd56a2cf8ae5ffb5b1e0cf855da69a640ead67ed0ab5559b57abc88c22cd6f9
io_uring __io_uaddr_map() Dangerous Multi-Page Handling
Posted Jan 8, 2024
Authored by Jann Horn, Google Security Research

__io_uaddr_map() in io_uring suffers from dangerous handling of the multi-page region.

tags | exploit
advisories | CVE-2023-6560
SHA-256 | 36027428c2c544777c9a58e5240c8a00ac64b96a28b3c1c2a02ca9c040ca0b42
Microsoft Windows Kernel Information Disclosure
Posted Jan 3, 2024
Authored by Google Security Research, mjurczyk

Any unprivileged, local user in Microsoft Windows can disclose whether a specific file, directory or registry key exists in the system or not, even if they do not have the open right to it or enumerate right to its parent.

tags | exploit, local, registry
systems | windows
SHA-256 | eba081f5682137a596749db83d8591dfa5e5d9dffadba5ca011381bdd72018c4
Chrome BindTextSuggestionHostForFrame Type Confusion
Posted Jan 3, 2024
Authored by Google Security Research, Mark Brand

Chrome suffers from a type confusion vulnerability in BindTextSuggestionHostForFrame.

tags | exploit
advisories | CVE-2023-6348
SHA-256 | 1e0d6c4d28506761410dab47785b5675017ec524a79f43e93784caf59927dfba
Windows Kernel Race Conditions
Posted Dec 14, 2023
Authored by Google Security Research, mjurczyk

The Microsoft Windows Kernel has an issue with bad locking in registry virtualization that can result in race conditions.

tags | exploit, kernel, registry
systems | windows
advisories | CVE-2023-36403
SHA-256 | 8cf51c7afd8e880ffabc644d09f791fed4bac36689d7102f629eb746b2c13124
Windows Kernel Information Disclosure
Posted Dec 8, 2023
Authored by Google Security Research, mjurczyk

The Microsoft Windows Kernel has a time-of-check / time-of-use issue in verifying layered key security which may lead to information disclosure from privileged registry keys.

tags | exploit, kernel, registry, info disclosure
systems | windows
advisories | CVE-2023-36404
SHA-256 | d827eb89d09814af2562b27f8d81aceb5f4a617c3fbb070846fd5b39ebfaa03e
Arm Mali CSF Overflow / Use-After-Free
Posted Dec 8, 2023
Authored by Jann Horn, Google Security Research

Arm Mali CSF has a refcount overflow bugfix in r43p0 that was misclassified as a memory leak fix.

tags | exploit, overflow, memory leak
advisories | CVE-2023-4295
SHA-256 | 05a93b8780cfb3ee2e1142acedfd65b47dbf3a86e2c48f3c8256e45ceaf5837b
Page 1 of 75
Back12345Next

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close