Chrome suffers from a heap use-after-free vulnerability in AccountSelectionBubbleView::OnAccountImageFetched.
58250b99dc0491f82cdc58424c569b8f9d2df212310a3407eb9441507e365641There is a vulnerability in Cisco Jabber that allows an attacker to send arbitrary XMPP stanzas (XMPP control messages) to another Cisco Jabber client, including XMPP stanzas that are normally sent only by the trusted server.
ed2115ba91caeae4b0245ae0141359b56fa7d27077ea7a8cb6d34c1aa2ad914cChrome suffers from a heap buffer overflow vulnerability in offline_items_collection::OfflineContentAggregator::OnItemRemoved.
a12649cc87b93dc4f1206b4520f0269c90067ff6042cf3fbf667a38af1956ab3The Windows Kernel suffers from integer overflow vulnerabilities in its registry subkey lists leading to memory corruption.
4f2712bf388769633e54ee7cdd01205295aa838cb4c905e9fab301e7f201a73eLinux has an issue with munmap() racing with pagemap_read() that leads to a page use-after-free vulnerability.
6e43fff37a6d90cd02b391b72b480aba2d74433d269f96e0cefcf585c8e51dd3Linux suffers from an anon_vma use-after-free vulnerability through the bogus merge of VMAs caused by double-reuse of leaf anon_vma because of ->degree misinterpretation.
e27e13af66dddafc7e4588c3b561b058fe6859b4fbc060de1741e0003a7d5b45Google Chrome version 103.0.5060.53 (Official Build) and Chromium version 105.0.5148.0 (Developer Build) (64-bit) suffer from a network::URLLoader::NotifyCompleted heap use-after-free vulnerability.
0a0cfa991a833e133ec250fb094a0a8fff51e2ddc48df648d1193d2e2686ead0Google Chrome version 103.0.5060.53 suffers from an Autofill Assistant universal cross site scripting vulnerability.
15976aab9647c7b90f0f40144b888ee5fa37af45baa02bcd0adbe3fc7fae4979The Windows KDC allows an interposing attacker to downgrade to RC4 MD4 encryption in compromising the user's TGT session key resulting in escalation of privilege.
7cbb12797e608e56c65513653347b2c0b4cee93da07a7ca593f276da0197c595Linux stable versions 5.4 and 5.10 suffers from a page use-after-free via stale TLB caused by an rmap lock not held during PUD move.
b9d45dd1409659792dcfd15c2c4781345acb1b7ca05dc637d666213b43252dffIn the Linux Mali driver, when building with MALI_USE_CSF, the VFS read handler of the main Mali file descriptor (kbase_read()) never looks at its "count" parameter. This means that a simple userspace program that sets up a Mali file descriptor, then calls read(mali_fd, buf, 1), will see read() returning a higher length than requested, and out-of-bounds data in the userspace buffer will be clobbered.
3d801b6f86d2cf6dcafab0fab084495a709669823b168ea8d4eaa15c04e2a64cThe Mali driver frees GPU page tables before removing the higher-level PTEs pointing to those page tables (and, therefore, also before issuing the required flushes). This means a racing memory write instruction on the GPU can write to an attacker-controlled physical address.
b9314770c55b858e1768dc0c89581aba6dcd511b77abe5a7a6849771f7835386Arm Mali has an issue where a driver exposes physical addresses to unprivileged userspace.
0dd6b9f2ab5a6a54b712bd8da62800520f10d77e1129a4be99b021e528de767aOn Mali devices without the new CSF interface, IMPORTED_USER_BUF is released without flushing host-side VMAs, leading to a page use-after-free vulnerability.
51a2923bc823fc6d20b96117084be18b4a15d5a3f49b9f2dc2e04e3c069198a0A use-after-free issue exists in Chrome 104 and earlier versions. Processing maliciously crafted web content may lead to arbitrary code execution in the browser process. LinkToTextMenuObserver holds a raw pointer to a RenderFrameHost object, but is not owned by the frame host and does not watch for frame host destruction events. Therefore, if an attacker manages to destroy the frame host right after the observer is created but before the timeout task posted in StartLinkGenerationRequestWithTimeout() is executed, use-after-free will occur.
071c2f32b441a15bf0f0c6db3397a3899a646938aeb7df15abb5fc345c9589e8XML signature verification in .NET 6 as implemented in System.Security.Cryptography.Xml.SignedXml is vulnerable to external entity injection attacks.
fb9e0a77092860baf50e4dd27de48b363926968c3606d0db1631fac8f83f0ff4On Windows, the Kerberos ticket renewal process can be used with CG to get an unencrypted TGT session key for a currently authenticated user leading to information disclosure.
1f9bd51e7f807ea1be820b38b4053f9b704e41211fd5779bce57f43bf497716aOn Windows, the handling of cryptographic data comparison in the CG secure process does not use constant time algorithms resulting in information disclosure.
1eae27125e32160c8f3573cd0f12536dc12d59971e45282431a815f2a69f4009On Windows, the KerbIumGetNtlmSupplementalCredential CG API does not check the encryption key type leading to information disclosure of key material.
bfc4de1d074e4d56008f260f7b9c997af5b2161990204d92efb3480c889c7baaOn Windows, CG API KerbIumCreateApReqAuthenticator can be used to decrypt arbitrary encrypted Kerberos keys leading to information disclosure.
795dc1d7b2670d24abb7d74a9852a53667f29e9616266571270c30ddde0cf221Windows Credential guard does not prevent using encrypted Kerberos keys to change a user's password leading to elevation of privilege.
963aa15cc46082f2880e53f09434bff0855b293f238fa1b7b59fcc34a5c7c568Windows CG APIs, which take encrypted keys, do not limit what encryption or checksum types can be used with those keys. This can result in using weak encryption algorithms which could be abused to either generate keystreams or brute force encryption keys.
a89b74c0dc18c8ac3c1161dc1b3af00aa0758ae52080749f23434cc90472d8b2On Windows, the method for allocating a context when using the CG BCrypt APIs is insecure leading to use-after-free of secure memory resulting in elevation of privilege.
c22c4583f57e6b94c3c87d7e06f1807aec4eb6add28377b878080567d6bba7a8On Windows, a number of Kerberos CG APIs do not verify the ASN1 PDU type when decoding and encoding Kerberos ASN1 structures leading to type confusion and elevation of privilege.
af00e87e42028f79ab35606912cd654841bc7965655e5d68e202a8ef913306f4The Windows kernel suffers from multiple memory problems when handling incorrectly formatted security descriptors in registry hives.
293c30cffcbb94043ce3d944e538e450e3725f0cfaac4a97ac6e1fd8f5cb1152
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed