Samsung NPU (Neural Processing Unit) suffers from a memory corruption vulnerability in shared memory parsing.
ae0ce502ea239b6ff62e9ce804417d80f2414f3377885e22e112a0fe2059f1e5
Samsung NPU (Neural Processing Unit) suffers from an out-of-bounds write vulnerability in npu_session_format.
c1b571dff4d7f86aae1597fdb8aa5e8932400ee1c1aed35b56eab3315ec48ed8
Qualcomm Adreno GPU PID reuse can lead to a shared mapping leak vulnerability.
3e3e7b15f4478de5e65c145f4176a69491a971efa9d024d29399588336df506c
The Microsoft Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures. It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).
dcd9bb74f157ccd45992a6aeffd77f590ad19684a1b4e9e165f72d39d919d700
The Qualcomm Adreno GPU shares a global mapping called a "scratch" buffer with the Adreno KGSL kernel driver. The contents of the scratch buffer can be overwritten by untrusted GPU commands. This results in a logic error in the Adreno driver's ringbuffer allocation code, which can be used to corrupt ringbuffer data. A race condition exists between the ringbuffer corruption and a GPU context switch, and this results in a bypass of the GPU protected mode setting. This ultimately means that an attacker can read and write arbitrary physical addresses from userland by running GPU commands while protected mode is disabled, which results in arbitrary kernel code execution.
d663ef06eb4e7deef8bdea200e905217412428d8532fa626e3c1c5c2a7641f51
This proof of concept crashes 32-bit Windows 7 with special pool enabled on win32k.sys. It might take several runs in order to reproduce.
b7aa281ca915adfcd3f0036cfcc5520eaeec49ed0e0bd9d5eefcf699d19dd4d5
This proof of concept triggers a blue screen on Windows 7 with special pool enabled on win32k.sys. A reference to the bitmap object still exists in the device context after it has been deleted.
f04d7b9b1c0e9540acf78ea24f4a7cb1a5447a0d505993588c4d2ec4d70d0eef
The attached testcases crash Windows 7 64-bit while attempting to write to an unmapped memory region. On 32-bit Windows 7 they trigger a null pointer read.
d89d761020ed70dcb07f77ce385b34df9657da7e12a58b54828167ae00247fe1
The included proof of concept crashes Windows 7 with special pool enabled on win32k.sys. The crash triggers in multiple different ways (two examples attached).
334ccb9b33707106918a652ebdbd6d7df094cb52fd14eb8f7403eeb469b3b0e0
The included proof of concept crashes Windows 7 with special pool enabled on win32k.sys. The crash is due to accessing memory past the end of a buffer.
d1cb75bbdfdf9855ca5d70385b89f109e579981fd6cb4edadbfa504aac5e36b2
A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS commonly enable it to support containers or sandboxing.
03f257b053d3c64d24ffa875e29a5087f0fb6d4e4e961129c6bb78d5f11f52a4
The Adreno GPU driver for the MSM Linux kernel contains a heap overflow in the IOCTL_KGSL_PERFCOUNTER_QUERY ioctl command. The bug results from an incorrect conversion to a signed type when calculating the minimum count value for the query option. This results in a negative integer being used to calculate the size of a buffer, which can result in an integer overflow and a small sized allocation on 32-bit systems.
11c959c3433bd2e4a4a0b93cec8f7ba66f5dab8a114dc0cadb5fc6c6bc5f818f
In certain kernel versions it is possible to use the AIO subsystem (io_submit syscall) to pass size values larger than MAX_RW_COUNT to the networking subsystem's sendmsg implementation. In the L2TP PPP sendmsg implementation, a large size parameter can lead to an integer overflow and kernel heap corruption during socket buffer allocation. This could be exploited to allow local privilege escalation from an unprivileged user account.
4e8facb5af3635bb5a75286e2815b09aff43b1be7ba523d3b34d41c5a7c53bed
The Samsung m2m1shot driver framework is used to provide hardware acceleration for certain media functions, such as JPEG decoding and scaling images. The driver endpoint (/dev/m2m1shot_jpeg) is accessible by the media server. The Samsung S6 Edge is a 64-bit device, so a compatibility layer is used to allow 32-bit processes to provide structures that are expected by the 64-bit driver. There is a stack buffer overflow in the compat ioctl for m2m1shot.
b0c5900d4ce52a323271b9224cc5fd02fc37af255afea06a937e89a8d81fdecd
Microsoft Office 2007 suffers from a RTF XML SmartTags use-after-free vulnerability.
9112fd06f8a9594124ac555685a4c390b42d8b36cbf029a9deca63894f80b49e
Microsoft Office 2007 suffers from a OneTableDocumentStream invalid object vulnerability.
71aae25eeff40a890630b5def4b9a4c33395e8cd48b05b1af664a30be591e023
Microsoft Office 2007 suffers from a stack-based buffer overflow vulnerability when handling a malformed document.
fc3f3a43acba1f2993d16df8be2f8af7217caf24ea88bc37b3ab71571b41e296
Adobe Flash suffers from a URL resource use-after-free vulnerability.
b04ff115627b5b76c68978f46ab63e22389ddd834b882f77fa2abc234019242e
An out-of-bounds memory read occurs when Adobe Flash parses a mutated TTF file embedded in a swf.
3e2118575612a001e7d4cabff18c63bc1b2734d53f9b701a601c82011bcff5be
An access violation occurs in Adobe Flash Player plugin while parsing a mutated swf file.
a9bceda55620d3ed4cd20aec8a272a586fc3442122decbc24a9ba59a81f9b08b
An access violation occurs in Adobe Flash Player plugin while parsing a mutated swf file.
d1b4ab4f8b0404b6ba7f6fd0ce0dddffa431bd6d447a9316b9385e81916c89f2
This is an out-of-bounds (OOB) read vulnerability when processing the SCRIPTDATASTRING object in an FLV file.
b7ac22badf51c7c646164605a8e31a6bc88e7bf96892a72cbd86c59704b16c46