There is a use-after-free vulnerability in VP9 processing in WebRTC.
46a569d07b8a5affa552ca7aa5867a06There is an out-of-bounds read in FEC processing in WebRTC. If a very short RTP packet is received, FEC will assume the packet is longer and process data outside of the allocated buffer.
f5cc50595786ed774a0112b7002d39e0Microsoft Windows suffers from a double dereference in NtEnumerateKey that leads to elevation of privilege.
4f74d58bd627bf009b466bba6d3ced66Microsoft Windows suffers from a CiSetFileCache TOCTOU CVE-2017-11830 variant WDAC security feature bypass vulnerability.
ec7d5c98907d960bda7e631701207804Microsoft Edge Chakra suffers from a type confusion vulnerability with PathTypeHandlerBase::SetAttributesHelper.
5bdea5cae9762e60edfaa8a268f78dbbMicrosoft Edge Chakra JIT suffers from a type confusion vulnerability in localeCompare.
f4b3619f1626d973adb28bf93ce037e3Linux suffers from an arbitrary kernel read into dmesg via a missing address check in the segfault handler.
06e9283f3dd8c10929847de0f7b403d2There is a variety of RPC communication channels between the Chrome OS host system and the crosvm guest. This bug report focuses on communication on TCP port 8889, which is used by the "garcon" service. garcon uses gRPC, which is an RPC protocol that sends protobufs over plaintext HTTP/2. (Other system components communicate with the VM over gRPC-over-vsock, but garcon uses gRPC-over-TCP.) For some command types, the TCP connection is initiated by the host; for others, it is initiated by the guest. Both guest and host are listening on [::]:8889; however, the iptables rules of the host prevent an outside host from simply connecting to those sockets. However, apps running on the host are not affected by such restrictions.
aff1ab159e8069bed85cefa1dff66810Android suffers from a privilege escalation vulnerability in zygote that can be leveraged by CVE-2018-9445.
ab958bdb52ab9f8d11c64fe093731380Linux suffers from an insufficient shootdown for paging-structure caches.
8c0d36eab2a0b162e885643f73377706gVisor Sentry permits access to the renameat() syscall. As the sentry is not chrooted, it permits renaming files in the host system.
82846292495d155d34683eb88e13fadeLinux suffers from a reiserfs listxattr_filler() heap overflow vulnerability.
32f35281c7d063fa006860df2819530eWayland suffers from an out-of-bounds memory access vulnerability in wl_connection_demarshal() on 32-bit systems.
d6df3a560088b2c39f11b2f8dc3a2c2dThere is a use-after-free vulnerability in jscript.dll related to how the lastIndex property of a RegExp object is handled. This vulnerability can be exploited through Internet Explorer or potentially through WPAD over local network. The vulnerability has been reproduced on multiple Windows versions with the most recent patches applied.
b2cf3dec9e5bd796bccbeb593fafdabdAdobe Flash suffers from an out-of-bounds read vulnerability during AVC processing.
542426b18d0d3fbe815b6571db42555fGhostscript suffers from file disclosure, shell command execution, memory corruption, and type confusion bugs.
1bbaaab44336f199ff5bab7ea5351935Race conditions exist on percpu refcounts on struct mount.
2431157d4031096f9869974723e0f6f4Xen suffers from an integer overflow vulnerability in xen-netback xenvif_set_hash_mapping.
056a37f9c265e3d9566b012c2ea95423The InitializeNumberFormat function in Intl.js is used to initialize an Intl.NumberFormat object, and InitializeDateTimeFormat is used for an Intl.DateTimeFormat object. There are two versions of each initializer. One is for WinGlob and the other is for ICU. The problem is that the versions for ICU don't check whether the given object has been initialized. This allows to initialize the same object multiple times which can lead to type confusion.
1b3261f5867fe61b3069b230e5d96d54Microsoft Edge Chakra JIT suffers from a type confusion vulnerability with InlineArrayPush.
10eb2bef76e9e5e5df10028a6b00b0b7Microsoft Edge Chakra has an issue where DictionaryPropertyDescriptor::CopyFrom does not copy all fields.
58ac89a215bdcc730aeb2f04f26ab26dMicrosoft Edge Chakra suffers from a parameter scope parsing bug.
8b8b33096fd8de5b5ebbe8619cff7a64Microsoft Edge Chakra JIT suffers from an ImplicitCallFlags check bypass vulnerability with Intl.
b06d81dae646fb997c8078d09c0343baAndroid suffers from a directory traversal vulnerability leveraged over USB via injection in blkid output.
54330565924c07e00a436420e71adec0cgit suffers from a directory traversal vulnerability in cgit_clone_objects().
f306e9c0fb056a4bc0fe47e73bb69b90
© 2018 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed