Apple ColorSync suffers from a use of uninitialized memory in CMMNDimLinear::Interpolate.
adb6e755eddd6edbb2599dcfeeefff61Samsung NPU (Neural Processing Unit) suffers from a memory corruption vulnerability in shared memory parsing.
6afdb4402bb5a568057a8d66184fffacA KVM guest using SEV-ES (Secure Encrypted Virtualization - Encrypted State) can trigger out-of-bounds reads and writes in the host kernel via a malicious VMGEXIT using the exit reason SVM_EXIT_IOIO.
24767f69b195bc395343e5e0783896f5Linux suffered from a use-after-free read vulnerability related to an SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()). This has been addressed in stable versions 5.14.10, 5.10.71, 5.4.151, 4.19.209, 4.14.249, 4.4.288, and 4.9.286.
814de16a8e850b47ecca6eb0680d6e00The WSAQuerySocketSecurity API returns full anonymous impersonation tokens for connected peers in an AppContainer leading to a sandbox escape.
ade1ded7ab08f8d11cd681665642d7eaAndroid NFC suffers from a type confusion vulnerability due to a race condition during a tag type change.
494a9f73dba12ce43174446f59b9df77Linux suffers from a use-after-free read in the SELinux handler for PTRACE_TRACEME.
afc595f0a0d266cd0be01d4bd803c343The Windows IKEEXT service does not verify the SPN when performing AuthIP authentication leading to leaking authentication tokens to untrusted systems.
19bf4133c3ff6d58a5febb0a150ebaf7WebKit suffers from a heap use-after-free vulnerability in DOMWindow::open.
fcb529386a430d5c97cf9addb3eafc75WebKit suffers from a heap use-after-free vulnerability in EventHandler::keyEvent.
0f7868eaf28b9a9f6b987cd467e31156WebKit suffers from a heap use-after-free vulnerability in PointerCaptureController::processPendingPointerCapture.
85982c0cc7c08c6c433738b10d8364c7Chrome suffers from a HRTFDatabaseLoader::WaitForLoaderThreadCompletion data race condition.
0aaadc59ac484d75a50e47a84bef9a4bInternet Explorer suffers from an issue where incorrect JIT optimization in jscript9.dll leads to memory corruption.
cfe73c3966a4fda1a054c3bbf8b40ca9WebKit suffers from a heap use-after-free vulnerability in Element::dispatchMouseEvent.
00ae9f727423a384d7b2d0f6cc4fee8dJavaScriptCore suffers from a crash condition due to an uninitialized register in slow_path_profile_catch. Proof of concept that affects Safari is included.
e71c83e4865ffd73fb78888a127c18efWebKit suffers from a heap use-after-free vulnerability in WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy.
d78ada391f19ec5a1e1fe4607e66e169Chrome suffers from a JS object corruption vulnerability in WasmJs::InstallConditionalFeatures.
82306f20d8e71a874d0ad3ab78e2655aMicrosoft Windows suffers from unsafe temporary directory use with the Malicious Software Removal Tool that can lead to elevation of privilege.
5aed3041b0a73a2779b0e3f52d9274adThe msExchStorageGroup schema class added during Exchange installation can be used to create almost any AD object including users, groups or domain trusts leading to elevation of privilege.
5f885a87a9be3f10bfe9e9e4c08c923cThe default rules for the WFP connect layers permit certain executables to connect TCP sockets in AppContainers without capabilities leading to elevation of privilege.
37069deaf47980f1a4c39f62bc13ce25Tor suffers from an issue where half-closed connection tracking ignores layer_hint and due to this, entry/middle relays can spoof RELAY_END cells on half-closed streams, which can lead to stream confusion between OP and exit.
e8e6c45ee71383e0832c1cb3f3a8c903Microsoft Windows has an issue where you can use the CreateProcessWithLogon API to escape a write restricted service and achieve full write access as the service user.
00f7a019dea4bf3a1d19442fae579890XNU suffers from a network stack kernel heap overflow due to an out-of-bounds memmove in 6lowpan. Proof of concept code included.
9333b7751aa7686ac0ca4c62a49c3d4eASProtect embeds a runtime DLL that is susceptible to memory corruption. Crash testcase provided.
c5dfe0f9444bf0d36677505f5db2acdcA KVM guest on AMD can launch a L2 guest without the Intercept VMRUN control bit by exploiting a TOCTOU vulnerability in nested_svm_vmrun. Executing vmrun from the L2 guest, will then trigger a second call to nested_svm_vmrun and corrupt svm->nested.hsave with data copied out of the L2 vmcb. For kernel versions that include the commit "2fcf4876: KVM: nSVM: implement on demand allocation of the nested state" (>=5.10), the guest can free the MSR permission bit in svm->nested.msrpm, while it's still in use and gain unrestricted access to host MSRs.
814987fd3e7902c83f77c7f4aa4a3585
© 2020 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed