Linux kernel version 4.10 suffers from a use-after-free vulnerability in __do_semtimedop() due to a lockless check outside the RCU section.
07d8df8e54828f8f33482f1bf22aa6ffd633c656b7301bc40395e4379d31e449
The Mali driver tries to use the KBASE_REG_NO_USER_FREE flag to ensure that the memory region referenced by kbase_csf_tiler_heap::buf_desc_reg cannot be freed by userspace. However, this flag is only a single bit, and there can be multiple tiler heaps referencing the same memory region. This can lead to a use-after-free condition.
b873567924105769f827e9318b7b58298191410905a58cc3d3192c6ce29f3225
A vb2_mmap race with vb2_core_reqbufs leads to a use-after-free vulnerability in the Linux videobuf2 system.
d61a2203442211de402e6420b838d2d46c53994de2af84b1f343bfe1d3ad0231
An unsafe use of follow_pfn in get_vaddr_frames in videobuf2 on Linux leads to use-after-free issues or writes to read-only pages.
f545295793aea2d033e2e1720bb35ac7db855bcaa8fafcd55848d3dffe8ce90b
Linux suffers from two seccomp bugs: a PT_SUSPEND_SECCOMP permission bypass and a ptracer death race condition.
6d7f253f354c0c71a5692bbeb6bcd2a20b50e96fc05afeda0286131716d7b406
A design flaw in the Chrome Synchronous Mojo message handling introduces unexpected reentrancy and allows for multiple use-after-free vulnerabilities.
8a4497a8ccb25f14e2dfe008e25cc2f2541b2d1e30345fff6f3169f4cac5313d
The crewjam/saml Go library is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements.
b98f26482dd59c89089a43c62936c2461318247bab55a7aaca8bb5e77ff8ba10
The HTTP server implemented in HTTP.SYS on Windows handles authentication in a system thread, which bypasses PAC verification and leads to escalation of privilege.
73ffca14ecbbd49fef40fa8d7691f553f1cd6ed289aaa1f61656fcd866416f5a
pixman versions prior to 0.42.2 suffer from an out-of-bounds write vulnerability in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y.
e8d1ce418867fdf8b59910f6c8d388ea1ee007702037ba0202790a597b53fd71
Evernote Web Clipper suffered from a same-origin policy bypass vulnerability. The link to the demo exploit was a 403 at the time of addition and has not been included in this post.
edeb6d56c9d50dfe6a6599592c18c494c4d5dc6ad6ea545586270e0e19511589
Chrome suffers from a heap use-after-free vulnerability in blink::LocalFrameView::PerformLayout due to an incomplete fix for CVE-2022-3199.
ede5dbd6ee9c5895a1b02c8bc6cefd5dfe9adef84fd2fceb45bd3140cd0fa16b
XNU suffers from a vm_object use-after-free vulnerability due to invalid error handling in vm_map_enter.
5ef6c77b173e377d874346d025662d6a74af50dd2789a4af20f0430f362f87df
XNU suffers from a dangling PTE entry due to integer truncation when collapsing vm_object shadow chains.
29e4042cd9a0b7666d0b7fda5c45703a1a078adf7f5202670b30f28e36559698
In the function AppleAVDUserClient::decodeFrameFig, a location in the decoder's IOSurface input buffer is calculated, and then bzero is called on it. The size of this IOSurface's allocation is controllable by the userspace caller, so the calculated pointer can go out of bounds, leading to memory corruption. This issue could potentially allow an unprivileged local application to escalate its privileges to the kernel.
a9f971c8dcec3381b92b6bafb61fc99c1b1da326eec460ede2682c51580f3f3e
In AppleAVD.kext, pixel buffers are mapped by calling AppleAVDUserClient::_mapPixelBuffer, which eventually calls AppleAVD::allocateKernelMemoryInternal. If the buffer is an IOSurface, the function calls IOSurface::deviceLockSurface before allocating memory by calling prepare. But when a pixel buffer is unmapped by calling AppleAVDUserClient::_unmapPixelBuffer, which calls AppleAVD::deallocateKernelMemoryInternal, the IOSurface is not locked before calling complete. This means that mapping and unmapping can occur at the same time, leading to kernel memory corruption. This bug could allow escalation to kernel privileges from a local app.
fa06dd34c9fcfaf9f03c6a70c7fd7fc078ff6872d40e76e3295731e58256ce8a
Node-saml and its partner project passport-saml are vulnerable to an authentication bypass due to lax parsing of SAML responses.
1409b388d1ff3591b0f738957b81678639bad9a730829cf9d04b2f5f4e2e8a40
libxml2 suffers from an integer overflow vulnerability in xmlParseNameComplex.
460eceed9569ffcdce27d0a183f57f2e49ab67429e91901bbb4e3224a94ee5b0
libxml2 suffers from a double-free vulnerability when parsing default attributes.
1a8d29ae40a3deaa9cedd289845638ea24b570780c91b8644c9fbebb133eb6ae
Chrome suffers from a password_manager::WellKnownChangePasswordState::SetChangePasswordResponseCode heap use-after-free vulnerability.
95f6fb186156d8852bfb88cde51b59609bb9e1bb18fedd24876a32ee97f9a6fa
The Windows kernel suffers from out-of-bounds reads and other issues when operating on long registry key and value names.
8b59c6140909e13954c81f8ebbddfeb70a1e3eaf5675031e13f783c0db187379
The Windows kernel suffers from multiple memory corruption vulnerabilities when operating on very long registry paths.
98287a2f682dd844bcaa8bbc51f70cb0d694e997a42fcb83f27b010fb379d61d
The Windows kernel suffers from a memory corruption vulnerability due to type confusion of subkey index leaves in registry hives.
5243d82498c43a219718d01db84be2571a427237b6a4a54d1f50e487c8526fea
The Windows kernel registry suffers from a use-after-free vulnerability due to bad handling of failed reallocations under memory pressure.
8bfa22378d9e50ef4b418d4748365b0da33423d42dc3533797aebf4653bedc6d
WebKit suffers from an HTMLSelectElement use-after-free vulnerability.
f919800224aa99b055b40b0996b148ca88778d53438f1227fbb9b98b78728a09
Chrome suffers from a heap use-after-free vulnerability in AccountSelectionBubbleView::OnAccountImageFetched.
58250b99dc0491f82cdc58424c569b8f9d2df212310a3407eb9441507e365641