There is a race between mbind() and VMA-locked page faults in the Linux 6.4 kernel, leading to a use-after-free condition.
78b0a4905933278287d325ebef0bf5c144a4c579eaaf4874daf17a797f5aa2b7
Microsoft Windows Kernel renaming layered keys does not reference count security descriptors, leading to a use-after-free condition.
07ccb330f6ce87a10f6763766477dee076f0af9a3d5ca41262bb308dae53fe47
Chrome IPCZ FragmentDescriptors are not validated, allowing an out-of-bounds access and crash.
adc68a8b0a6ff50085071702ac5d18e4499b667b8b192dadf209cd4cf9ae81ee
The Microsoft Windows Kernel CmDeleteLayeredKey may delete predefined tombstone keys, leading to security descriptor use-after-free.
a393bdd205b55a25a4010667d7d283c1bd373af4b7bb30a36f33608cf1edeb3f
The Microsoft Windows Kernel may reference rolled-back transacted keys through differencing hives.
b39149935b26f2a93874ead5ff16c8bafcc4acc7b2b341ba68ed2751bb86aa82
The Microsoft Windows Kernel may reference unbacked layered keys through registry virtualization.
7b5280c111b616102ccc14ddef413c7f8bbeeb1ba04df2aa047b88bdfe97d452
There is a Microsoft Windows Kernel arbitrary read that can be performed by accessing predefined keys through differencing hives.
492807027a3cf7a8d886110c04d56bed4abbb83ec85e31ab445e48ddc7826fce
Chrome suffers from a heap use-after-free vulnerability in device::OpenXrApiWrapper::InitSession. Versions affected include Google Chrome 114.0.5735.45 (Official Build) and Chromium 116.0.5806.0 (Developer Build).
31d602a3d96e944d063ead1d9fbfca2a6e74125a6f3f1b9fd9de66da1262572c
Due to some design problems in how transactions are implemented in the registry, it is possible for a low-privileged local attacker to force a non-atomic outcome of a transaction used by another high-privileged process in the system.
b0795c7263336afd69a53bbf47a57747eb1f8d4323fcb570f007bee06c510954
Qualcomm Adreno/KGSL suffers from an issue where code in user-writable mapping is executed in non-protected mode.
795d9bc48251143119585b455550c6ef9db1db6cead5a6bfba90baa195ff4c43
During a Mojo IPC method call, there are multiple stages of validation and deserialization that take place. These assume that the contents of the message cannot be modified during the deserialization process, but the new core_ipcz implementation returns message contents directly in shared memory.
572a756cadc51b22a907293f84e2b304799a3abe0592f9635a0caac2967f8acd
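The summary above describes a double fetch: the receiver validates a message that the sender can still write to, then reads the same bytes again while deserializing. The following is an added example, not Chromium or ipcz code, modelling that in user space: a message is "published" in memory both sides can write, a constructed peer() hook stands in for the sender racing between the two reads, and the hardened reader snapshots the whole message into private memory before validating it. The names shm_msg, deserialize_vulnerable and deserialize_hardened are invented for the illustration.

```c
// Added example, not Chromium code: a user-space model of the double fetch the
// summary above describes. One side publishes a message in memory the other
// side can still write to; the vulnerable reader validates the header, then
// reads it again when copying the payload. A peer() hook stands in for the
// sender racing between the two reads. The hardened reader snapshots the whole
// message into private memory first, so it validates and uses the same bytes.
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHM_SIZE 64u

struct msg_hdr { uint32_t payload_len; };

struct shm_msg {                           /* message as laid out in shared memory */
    struct msg_hdr hdr;
    uint8_t payload[SHM_SIZE - sizeof(struct msg_hdr)];
};

typedef void (*race_hook)(struct shm_msg *shared);

static int header_valid(const struct msg_hdr *h) {
    return h->payload_len <= SHM_SIZE - sizeof(struct msg_hdr);
}

/* Vulnerable: validate in place, then fetch the length a second time. Returns
 * the payload length actually used for the copy, or -1 if validation failed. */
static long deserialize_vulnerable(struct shm_msg *shared, uint8_t *out,
                                   size_t out_cap, race_hook peer) {
    if (!header_valid(&shared->hdr))
        return -1;
    if (peer)
        peer(shared);                   /* sender rewrites the header right here */
    size_t n = shared->hdr.payload_len; /* second fetch: not the validated value */
    if (n > out_cap)                    /* guard only so this demo cannot corrupt */
        return (long)n;                 /* memory; real code would memcpy n bytes */
    memcpy(out, shared->payload, n);
    return (long)n;
}

/* Hardened: copy the message out of shared memory once, then validate and
 * deserialize the private copy. The peer can still scribble on shared memory,
 * but nothing the reader uses comes from it after the snapshot. */
static long deserialize_hardened(struct shm_msg *shared, uint8_t *out,
                                 size_t out_cap, race_hook peer) {
    struct shm_msg local;
    memcpy(&local, shared, sizeof local);  /* single fetch */
    if (peer)
        peer(shared);                      /* too late to matter */
    if (!header_valid(&local.hdr) || local.hdr.payload_len > out_cap)
        return -1;
    memcpy(out, local.payload, local.hdr.payload_len);
    return (long)local.hdr.payload_len;
}

/* Constructed racing sender: bumps the length after validation has passed. */
static void grow_length(struct shm_msg *shared) { shared->hdr.payload_len = 4096; }

static void publish(struct shm_msg *m, const char *text) {
    memset(m, 0, sizeof *m);
    m->hdr.payload_len = (uint32_t)strlen(text);
    memcpy(m->payload, text, m->hdr.payload_len);
}

/* Length each reader ends up trusting for a given race; -1 means rejected. */
static long run_reader(int hardened, race_hook peer) {
    struct shm_msg shared;
    uint8_t out[SHM_SIZE];
    publish(&shared, "hello ipc");      /* constructed 9-byte payload */
    return hardened ? deserialize_hardened(&shared, out, sizeof out, peer)
                    : deserialize_vulnerable(&shared, out, sizeof out, peer);
}

int main(void) {
    printf("vulnerable, no race : %ld\n", run_reader(0, NULL));
    printf("vulnerable, raced   : %ld\n", run_reader(0, grow_length));
    printf("hardened,   raced   : %ld\n", run_reader(1, grow_length));
    return 0;
}
```

The design point is that validation is only meaningful for bytes the sender can no longer change; when the transport hands you a view of shared memory rather than a private copy, the copy has to happen before the checks, not after.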
v8::internal::JSObject::SetAccessor does not check if the receiver is extensible before adding a new property. A potential attacker can exploit the ability to extend non-extensible objects to achieve arbitrary code execution inside the renderer process. Google Chrome version 113.0.5672.63 is affected.
5dea486a3e6ad9015ccd5bcf3a079867756de3fea0de37f9a81a4fdb0213817b
Google Chrome version 112.0.5615.137 and Chromium version 115.0.5737.0 suffer from a type confusion vulnerability in v8::internal::Object::SetPropertyWithAccessor.
ca1ae2932c65327ead4a64b612c744bc25a9a0ee96064ba953dcf011ba640f7e
Chrome suffers from an internal JavaScript object access vulnerability that can lead to code execution.
ffd1bc4c7c03a984e8cd76542fd8b6610321410abd4663e7c81762fe8f30c5ae
There is a use-after-free vulnerability in libIPTelephony.dylib inside the SIP message decoder (SipMessageDecoder::decode() function). The vulnerable library is present on both iOS and macOS and was confirmed on macOS Ventura 13.2.1.
6d3cab99ce231d2cf5def080ffac1a0b2fd80f0e9852f330e033cb0e5ceb0b2d
On Qualcomm Adreno/KGSL builds where CONFIG_QCOM_KGSL_USE_SHMEM is not set (or on older KGSL versions without CONFIG_QCOM_KGSL_USE_SHMEM), KGSL allocates GPU-shared memory from its own page pool. Pages from this pool are inserted into VMAs that don't have any weird flags like VM_PFNMAP set, which means userspace can grab extra references to these pages through get_user_pages() (for example, using vmsplice()). But when GPU-shared memory is freed, KGSL puts the freed pages into its own page pool without checking the page refcount. This means that pages that are still accessible from userspace can be reallocated as GPU memory by another process.
912899972d766ddbe72f5a9e3255c982b1f4d47a09b7d4e6f29f8440583aa47c
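To make the page-pool bug above concrete, here is an added example, not code from the KGSL driver or the advisory: a user-space model in which each page carries a refcount, the pool's own reference plays the role of the one the driver gets from the page allocator, and a user_pin() call stands in for get_user_pages() (for instance through vmsplice()) taking an extra reference. The vulnerable free returns the page to the pool regardless; the hardened free only pools a page nobody else references. All names (page_pool, gpu_alloc, gpu_free_fixed, pinned_page_reused) are invented for the illustration.

```c
// Added example, not KGSL code: a user-space model of the page-pool bug
// described above. Each page carries a refcount; the pool's reference stands
// in for the one alloc_pages() gives the driver, and user_pin() models
// get_user_pages() (e.g. via vmsplice()) taking an extra reference from
// userspace. The vulnerable free pools a page whenever the GPU buffer is
// freed; the hardened free only pools a page nobody else references and
// otherwise just drops the driver's reference.
#include <stdio.h>
#include <string.h>

#define POOL_PAGES 4

struct page {
    int refcount;       /* pool/driver reference plus any user pins */
    char data[32];      /* stand-in for the page's contents */
};

struct page_pool {
    struct page backing[POOL_PAGES];
    struct page *free_list[POOL_PAGES];
    int nfree;
};

static void pool_init(struct page_pool *p) {
    memset(p, 0, sizeof *p);
    for (int i = 0; i < POOL_PAGES; i++) {
        p->backing[i].refcount = 1;                 /* held by the pool */
        p->free_list[p->nfree++] = &p->backing[i];
    }
}

/* Hand out a pooled page as GPU-shared memory (LIFO, like a real free list). */
static struct page *gpu_alloc(struct page_pool *p) {
    return p->nfree ? p->free_list[--p->nfree] : NULL;
}

/* Model of get_user_pages()/put_page() driven from userspace (e.g. vmsplice). */
static void user_pin(struct page *pg)   { pg->refcount++; }
static void user_unpin(struct page *pg) { pg->refcount--; }

/* Vulnerable: the free path pools the page without looking at its refcount. */
static void gpu_free_vulnerable(struct page_pool *p, struct page *pg) {
    p->free_list[p->nfree++] = pg;
}

/* Hardened: a page with extra references is not safe to reuse. Drop the
 * driver's reference and let the last pin holder release it instead. */
static void gpu_free_fixed(struct page_pool *p, struct page *pg) {
    if (pg->refcount > 1) {
        pg->refcount--;
        return;
    }
    p->free_list[p->nfree++] = pg;
}

/* Process 1 pins its GPU buffer, frees it, then process 2 allocates.
 * Returns 1 when process 1's pinned page is now process 2's GPU memory. */
static int pinned_page_reused(int hardened) {
    struct page_pool pool;
    pool_init(&pool);

    struct page *a = gpu_alloc(&pool);
    strcpy(a->data, "process 1 buffer");
    user_pin(a);                                    /* vmsplice() into a pipe */
    if (hardened)
        gpu_free_fixed(&pool, a);
    else
        gpu_free_vulnerable(&pool, a);

    struct page *b = gpu_alloc(&pool);
    strcpy(b->data, "process 2 buffer");

    /* Process 1 reads its pipe: does it see the other process's GPU memory? */
    int reused = (a == b) && strcmp(a->data, "process 2 buffer") == 0;
    user_unpin(a);
    return reused;
}

int main(void) {
    printf("vulnerable free: pinned page reused = %d\n", pinned_page_reused(0));
    printf("hardened free:   pinned page reused = %d\n", pinned_page_reused(1));
    return 0;
}
```

The check a practitioner wants from a private page pool is exactly the one the hardened path adds: a page that still has references beyond the driver's own cannot go back on the free list, because whoever holds those references can keep reading and writing it after it has been handed to someone else.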
Qualcomm Adreno/KGSL suffers from an unchecked cast of vma->vm_file->private_data in kgsl_setup_dmabuf_useraddr().
607fa965d699b8530e3007ef7ceaca726a5ef18f66dd831e4ec632ad32adcccd
The Windows kernel suffers from out-of-bounds read vulnerabilities when operating on invalid registry paths in CmpDoReDoCreateKey / CmpDoReOpenTransKey.
76ec9aa7a319065af82cafdd465533228021c8f1589b7dfe874c3ed0033910d0
The Windows Kernel suffers from a disclosure of kernel pointers and uninitialized memory through registry KTM transaction log files.
d28ae7b6f77689b87212fa778ce097dbeda0292d731f4abdb493b75f067884e7
There is a heap buffer overflow in Shannon Baseband when processing the Retry-After header in the SIP protocol decoder (IMSPL_SipRetryAfter.c according to the debug strings in the firmware image).
dd3027619afa3f34e33a8c7c8fa273a3caead4344694e68e00f0bf7658948980
There is a stack buffer overflow in Shannon Baseband when processing the Min-SE header in the SIP protocol decoder (IMSPL_SipMinSE.c according to the debug strings in the firmware image).
e0cd48f57c8b65b8d3f033aad592c288cb156a5fc17e43743d268337dab80c20
There is a negative-size memcpy (heap overflow) when decoding the body of SIP multipart messages. According to debug strings in the modem image, this functionality is implemented in IMSPL_SipFragDecode.
008713e1403417d96115cab8cea235d3b9c02eefab2c7765ee120627abe0c5b3
There is a stack buffer overflow in Shannon Baseband when processing the Session-Expires header in the SIP protocol decoder (IMSPL_SipDecode.c according to the debug strings in the firmware image).
e11bd9abdf4b3c1c338a567873ee29ab281b3106b929fa8c9cb91119afcbc1f7
There is a stack buffer overflow in Shannon Baseband when processing the status line of a SIP message (this happens in IMSPL_SipStatusLine.c according to the debug strings in the firmware image).
775cec97675cbb8c305fcd017b6eeee470cd0ac86f5bca8f85e29ef9c9c3e283
There is a stack buffer overflow in Shannon Baseband when processing the Via header in the SIP protocol decoder (IMSPL_SipDecode.c according to the debug strings in the firmware image).
0afa5f6ef5d703a73b0521ecca5d80bc302663f045296001e5c9f592b245d7f9