There is a use-after-free in Sprite Creation. If a Sprite is created, and then the handler for the frameConstructed event triggers a remove object action, the Sprite is then used after it has been freed.
The ActionScript parameter conversion in the fix for an issue in the December Flash bulletin APSB15-32 can sometimes access a parameter on the native stack that is uninitialized.
The ActionScript parameter conversion in the fix for an issue in the December Flash bulletin APSB15-32 can sometimes access a parameter on the native stack that is uninitialized.
The ActionScript parameter conversion in the fix for Google Security Research issue 403 can sometimes access a parameter on the native stack that is uninitialized.
The AppleKeyStore userclient uses an IOCommandGate to serialize access to its userclient methods. However, by racing two threads, one of which closes the userclient (which frees the IOCommandGate) and one of which tries to make an external method call, we can cause a use-after-free of the IOCommandGate.
The Mac OS X kernel has an issue where an unchecked array index can be used to read an object pointer and then call a virtual method in the Nvidia GeForce driver.
The Mac OS X kernel suffers from use-after-free and double delete issues due to incorrect locking in the Intel GPU driver.
There is a use-after-free in setInterval. If the interval length is an object with valueOf defined, this method gets executed, and can delete the object the interval is being set on.
There is a use-after-free in Sound.setTransform similar to the one described in CVE-2015-8434. If the transform object provided is an integer primitive, and the Number constructor is overwritten, this constructor will be executed and can free the internal sound transform, which is then written to.
The code responsible for loading a suid-binary following a call to the execve syscall invalidates the task port after first swapping the new vm_map into the old task object, leaving a short race window where we can manipulate the memory of the euid(0) process before the old task port is destroyed.
An included fuzzing case demonstrates a crash in Adobe Flash shape rendering.
Securimage version 3.6.2 suffers from a cross-site scripting vulnerability.
WordPress HB Audio Gallery Lite plugin version 1.0.0 suffers from an arbitrary file download vulnerability.
Adobe Flash suffers from a wild write at 0x453b0cf0 in color conversion that causes a crash.
Adobe Flash suffers from an information leak that may render non-deterministic content that apparently contains pointers.
Adobe Flash suffers from an out-of-bounds read in AAC audio handling.
Adobe Flash suffers from an out-of-bounds crash due to a negative table indexing error while loading an 8-byte-wide value.
Adobe Flash has an issue where a corrupt stack leads to a misaligned XMM instruction while decoding H.264.
Adobe Flash suffers from a crash due to a wild pointer 0x1808121a502959a4 while decoding H.264.
Achievo version 1.4.5 suffers from a cross-site scripting vulnerability.
AbsoluteTelnet version 10.14 suffers from a DLL hijacking vulnerability.
D-Link DWR-932 with firmware versions 4.00 and below suffers from authentication bypass and password disclosure vulnerabilities.
WordPress eBook Download plugin version 1.1 suffers from a directory traversal vulnerability.
WordPress Import CSV plugin version 1.1 suffers from a directory traversal vulnerability.
DORG Disc Organization System suffers from cross-site scripting and remote SQL injection vulnerabilities.