OpenEXR suffers from multiple memory safety issues including out-of-bounds access.
8d08baf0c93f03a247b45a66e29d52b0XNU suffers from a remote mbuf double-free vulnerability in ip6_notify_pmtu.
39b3d56c2e54db8163253c7eaf5f31c9The Samsung kernel suffers from a heap out-of-bounds write in /dev/tsmux.
00005339bd5f67a8a2ca1f91df549119XPC fast path fails to ensure NULL termination of XPC strings, leading to memory disclosure and corruption vulnerabilities in XPC services.
0f1657d7f62dc322829fee09424c0e5claunchd on macOS and iOS suffer from a memory corruption issue due to a lack of bounds checking when parsing XPC messages.
1214e0a3adca8432caea6990153f7571Samsung suffers from a use-after-free vulnerability due to a missing lock in the SEND_FILE_WITH_HEADER handler in f_mtp_samsung.c.
c32b0a6b8edad815d87eab3aadeb33e9The Samsung kernel has logic bug and locking issues in PROCA that can lead to use-after-free and double-free issues from an application's context.
4809998625c6770bf24721a33e8e7f18Google Chrome suffers from a heap buffer overflow in PasswordFormManager::OnGeneratedPasswordAccepted.
807c6fca1ba5cabf11c809f7eb06d603Google Chrome suffers from a heap use-after-free vulnerability in PannerHandler::TailTime.
978f6ee66cfcab4ee4a316ce1a962b16usersctp is SCTP library used by a variety of software including WebRTC. There is a vulnerability in the sctp_load_addresses_from_init function of usersctp that can lead to a number of out-of-bound reads. The input to sctp_load_addresses_from_init is verified by calling sctp_arethere_unrecognized_parameters, however there is a difference in how these functions handle parameter bounds. The function sctp_arethere_unrecognized_parameters does not process a parameter that is partially outside of the limit of the chunk, meanwhile, sctp_load_addresses_from_init will continue processing until a parameter that is entirely outside of the chunk occurs. This means that the last parameter of a chunk is not always verified, which can lead to parameters with very short plen values being processed by sctp_load_addresses_from_init. This can lead to out-of-bounds reads whenever the plen is subtracted from the header len.
f7629110af96666d0b8af7e76ecfa60dmacOS and iOS suffers from an out-of-bounds timestamp write in IOAccelCommandQueue2::processSegmentKernelCommand().
04c093e6bde68cbe168364f56f38b9eemacOS and iOS suffer from an ImageIO out-of-bounds read when processing PVR images.
65a5c4717babccedb508eed5edd77a7dmacOS and iOS have an ImageIO heap corruption issue when processing malformed PVR images.
09ee6affef93456d05af1a19df94303bsystemd has an issue in systemd-machined where it decrements the reference count when references are still held.
892461d03b79e21e6c1303c5d998422eThe XNU function IOUserClient::_sendAsyncResult64() discloses the address of the ipc_port to which the notification is sent in the Mach message enqueued on the notification port.
6ecb90fde4136a6abb3c8382394b9ae5macOS and iOS suffer from a race condition in XNU's mk_timer_create_trap() that can lead to type confusion.
4e9dc95b3aaaa93bb8e5558c52ec93c3libx264 suffers from an out-of-bounds write when converting to H264.
a454ee0a3cf6ffcdaf4ffb1e2f6f1ea5ImageIO on macOS suffers from an issue where a heap out-of-bounds write occurs when processing JPEG images.
97e1f93434c4368069b75479c4a0d5c6macOS and iOS suffer from an issue where kern_stack_snapshot_internal() shares non-zeroed kernel pages with userspace.
9ba8ef3758b3008ca2cd79dcec2effb0macOS and iOS suffer from an out-of-bounds read when processing DDS images with ImageIO.
744a77b150f3b9b90f322d4ef38f096dmacOS and iOS suffers from an ImageIO heap corruption vulnerability when processing malformed TIFF images.
f09a3684b3b87ef878c518dc38922c1cAn insufficient fix for CVE-2019-6205 means XNU vm_map_copy optimization which requires atomicity still is not atomic.
f8e6dfd4187cd8bfbcbdada394e14738Android suffers from ashmem read-only bypass vulnerabilities via remap_file_pages() and ASHMEM_UNPIN.
1ce1f492c6697220a1377f632e2b8f79There is a memory corruption vulnerability in audio processing during a voice call in WeChat. When an RTP packet is processed, there is a call to UnpacketRTP. This function decrements the length of the packet by 12 without checking that the packet has at least 12 bytes in it. This leads to a negative packet length. Then, CAudioJBM::InputAudioFrameToJBM will check that the packet size is smaller than the size of a buffer before calling memcpy, but this check (n < 300) does not consider that the packet length could be negative due to the previous error. This leads to an out-of-bounds copy.
d5e852c27b43a4bc7e13605282d84e25FaceTime suffers from an out-of-bounds read vulnerability in _RSU_DecodeByteBuffer.
77e7d5ed9577e8022d167f6d39eeded3
© 2016 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed