Chrome has an issue where the chrome.pageCapture.saveAsMHTML() extension API can be used on blocked origins due to a racy access check.
Linux versions 5.6 and above appear to suffer from a cred refcount overflow that can be reached via io_uring with approximately 39 gigabytes of memory usage.
Linux versions 4.20 and above have an issue where ktls writes into spliced readonly pages.
Linux suffers from an io_uring use-after-free vulnerability due to broken interaction with the Unix socket garbage collector.
Linux versions 6.4 and above suffer from an io_uring page use-after-free vulnerability via buffer ring mmap.
__io_uaddr_map() in io_uring suffers from dangerous handling of multi-page regions.
Arm Mali CSF has a refcount overflow bugfix in r43p0 that was misclassified as a memory leak fix.
ARM Mali r44p0 suffers from a use-after-free vulnerability caused by freeing a waitqueue that still has elements on it.
PowerVR suffers from a multitude of memory management bugs including out-of-bounds access and information leakage.
Linux suffers from a small remote binary information leak in DCCP.
The Linux 6.4 kernel suffers from a use-after-free condition because per-VMA locks introduce a race between page faults and MREMAP_DONTUNMAP.
There is a race between mbind() and VMA-locked page faults in the Linux 6.4 kernel, leading to a use-after-free condition.
Qualcomm Adreno/KGSL suffers from an issue where code in a user-writable mapping is executed in non-protected mode.
On Qualcomm Adreno/KGSL builds where CONFIG_QCOM_KGSL_USE_SHMEM is not set (or on older KGSL versions without CONFIG_QCOM_KGSL_USE_SHMEM), KGSL allocates GPU-shared memory from its own page pool. Pages from this pool are inserted into VMAs that don't have any special flags like VM_PFNMAP set, which means userspace can grab extra references to these pages through get_user_pages() (for example, using vmsplice()). But when GPU-shared memory is freed, KGSL puts the freed pages back into its own page pool without checking the page refcount. This means that pages still accessible from userspace can be reallocated as GPU memory by another process.
Qualcomm Adreno/KGSL suffers from an unchecked cast of vma->vm_file->private_data in kgsl_setup_dmabuf_useraddr().
Qualcomm Adreno/KGSL suffers from an issue where secure buffers are addressable by all GPU users. Qualcomm believes this finding has no security impact and will not address it.
wfc-pkt-router suffers from a vulnerability where it can wrongly bind to an external network interface instead of the VPN tunnel.
CentOS Stream 9 is missing a kernel security fix for a tun double-free, amongst other missing fixes. Included is a local root exploit to demonstrate the issue.
The kernel tree of CentOS Stream 9 suffers from multiple use-after-free conditions that were already patched in upstream stable trees.
The Linux USB usbnet driver tells minidrivers to unbind while the netdev is still up, causing use-after-free conditions.
Android GKI kernels contain broken non-upstream Speculative Page Faults MM code that can lead to multiple use-after-free conditions.
kbase_csf_kcpu_queue_enqueue() locks kctx->csf.kcpu_queues, looks up a pointer from inside that structure, then drops the lock before continuing to use the kbase_kcpu_command_queue that was looked up. This is a classic use-after-free pattern: the lookup of the pointer is protected, but the protecting lock is then released without first acquiring any other lock or reference that would keep the referenced object alive.
Arm Mali suffers from insufficient cache invalidation for non-page-aligned user buffer imports.
Android Binder VMA management suffers from multiple security issues.
khugepaged on Linux races with rmap-based zap, races with GUP-fast, and fails to call MMU notifiers.