A race condition exists with munmap() downgrades in Linux kernel versions since 4.20.
af84b28deac71be6c5fa63ed3e242c89The StorageFolder class when used out of process can bypass security checks to read and write files not allowed to an AppContainer.
fcac5139eefb819b4a7b0e211caa1f0dThe Qualcomm Adreno GPU shares a global mapping called a "scratch" buffer with the Adreno KGSL kernel driver. The contents of the scratch buffer can be overwritten by untrusted GPU commands. This results in a logic error in the Adreno driver's ringbuffer allocation code, which can be used to corrupt ringbuffer data. A race condition exists between the ringbuffer corruption and a GPU context switch, and this results in a bypass of the GPU protected mode setting. This ultimately means that an attacker can read and write arbitrary physical addresses from userland by running GPU commands while protected mode disabled, which results in arbitrary kernel code execution.
1b8910b13d2d3595dcd217d98080e491The CloundExperienceHostBroker hosts unsafe COM objects accessible to a normal user leading to elevation of privilege.
c38651bc173d658ea5caddd8450163b6Apache2 suffers from an incorrect handling of large requests issue in mod_proxy_uwsgi.
794813ee73c7fb742550accd8b61f2e2Chrome suffers from a missing array size check in NewFixedArray.
3f2e8b27a8a3776f81ab7b46459f8a8eA Linux copy-on-write issue can wrongly grant write access.
cb589228c2f3845aa384c84f4717d60eThe handling of KTM logs when initializing a Registry Hive contains no bounds checks which results in privilege escalation.
47cc29fc3f9a4152d374689e8d8dbe44The handling of KTM logs does not limit Registry Key operations to the loading hive leading to elevation of privilege.
cde9e4062cc05fc18d17cf5eabad623bPAC aims to prevent an attacker with the ability to read and write memory from executing arbitrary code. It does that by cryptographically signing and validating code pointers (as well as some data pointers) at runtime. However, it seems that imports of function pointers from shared libraries in userspace are not properly protected by PAC, allowing an attacker to sign arbitrary pointers and thus bypass PAC.
1d4d2c1d8f30ccfd1c36adfae489b2a3Samsung Android suffers from a heap buffer overflow vulnerability and other issues in the Skia Qmage image codec.
95361e7360e3cb6d869c21f91cad170eA PAC and JIT hardening bypass exists in WebKit on iOS.
a3ac179138a9ac48c78209344b6266c3On Android, app zygotes do not properly guard against UID reuse attacks, leak AID_READPROC, and expose mlstrustedsubject.
eebe6e6bf1383e7dfd3785cc4de920bcOn Microsoft Windows 10 1909, LSASS does not correctly enforce the Enterprise Authentication Capability which allows any AppContainer to perform network authentication with the user's credentials.
a9c5a593a7fd8beb544d51baa38c1730c-ares version 1.16.0 has an issue where ares_destroy() with pending ares_getaddrinfo() leads to a use-after-free condition.
1464ba2a11ec60f5b9714b8e26693d59iOS suffers from a Page Protection Layer (PPL) bypass due to incorrect argument verification in pmap_protect_options_internal() and pmap_remove_options_internal().
880d5a7841d44d213ff1f1ca340b8776When usrsctp is used with a custom transport, an address must be provided to usrsctp_conninput be used as the source and destination address of the incoming packet. WebRTC uses the address of the SctpTransport instance for this value. Unfortunately, this value is often transmitted to the peer, for example to validate signing of the cookie. This could allow an attacker access to the location in memory of the SctpTransport of a peer, bypassing ASLR.
6a5a0cbe8a76c5e374b2d723099f60cdThere is a stack buffer overflow in usrsctp when a server processes a skipped auth block from an incoming connection. Proof of concept exploit included.
f695f6ee0ee2bf74c0b85f014497b37fSeveral security issues have been identified in the VMware ESIx virtual machine monitor (VMM). A use-after-free (UAF) vulnerability in PVNVRAM, a missing return value check in EHCI USB controller leading to private heap information disclosure, and several out-of-bounds reads.
d2417f8af8ebed99ebd6fdfff7a2c153iOS and macOS suffered from a wifi proximity kernel double-free vulnerability in AWDL BSS Steering.
cdd1c47241bd866a69b6c59cc0b23828Insecure TLS session reuse can lead to a hostname verification bypass in Node.js.
9bde5356a44eb307d096d404cbcdc1d0The DFG and FTL JIT compilers incorrectly replace Checked with Unchecked ArithNegate operations (and vice versa) during Common Subexpression Elimination. This can then be exploited to cause out-of-bounds accesses and potentially other memory safety violations.
0b1a6974a8c2118b0cb88077ae99fe29Avast suffers from an out-of-bounds copy vulnerability in Array.prototype.toString.
59b15e0413a1cb080644249586af9699The Firefox content processes do not sufficiently lockdown access control which can result in a sandbox escape.
1b90a8f7ec30889bdb9321cdf60bc14eSecureCRT suffers from a memory corruption vulnerability in CSI functions.
e90a6d22c2cdbe99b5796b3c3e382581
© 2020 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed