The Microsoft Windows kernel registry has a SID table poisoning problem that leads to bad locking and other issues.
c61efe9fac6bb66fd179b7a7a24132f82e660151050984d2cf1aae1c81d256aeThe Microsoft Windows kernel suffers from multiple security issues in the key replication feature of registry virtualization.
c3387e7bd189cc7e8d8449ad27e2b524a0fc939d2cc467c5961cc148cdbb9019The Microsoft Windows kernel suffers from a use-after-free vulnerability due to a dangling registry link node under paged pool memory pressure.
54ec3add551cac7b508b2e8157d5a658c016115390f2b327d14cac78af270263Android Binder VMA management suffers from multiple security issues.
ab667a607662e113616863f74924dec25552f0f3627b28b830dcd1cef1dc0df9Microsoft Windows suffers from a kernel memory corruption due to an insufficient handling of predefined keys in registry virtualization.
ded3419927998aaa3da4fea3f80263227d729920c448e2a3cf6f50b41f8c867dChrome suffers from a copy-on-write check bypass in JSNativeContextSpecialization::BuildElementAccess.
e557b72be711db4993d6e8b8912d3a2b8d46fe92a763b730da3097b4ad6eb837A XNU race condition in vm_map_copy_overwrite_unaligned allows writing to read-only mappings.
d28599b3adaf36ddb22cc63b493aedbe6d4bd9c80ab19441c0799cf163fd9d83XNU VM suffers from a copy-on-write bypass vulnerability due to incorrect shadow creation logic used during unaligned vm_map_copy operations.
5a1b882267ecf571c7ea7314e620f51e45be202a17fa7c8a02fcea5a7a5b3641On newer macOS/iOS versions, entitlements in binary signature blobs are stored in the DER format. libCoreEntitlements.dylib is the userspace library for parsing and querying such entitlements. The kernel has its own version of this library inside the AppleMobileFileIntegrity module. libCoreEntitlements exposes several functions, such as, for example, to convert entitlements to a dictionary representation (e.g. CEQueryContextToCFDictionary) or to query a specific entitlement (CEContextQuery). Unfortunately, different functions traverse the DER structure in a subtly different way, which allows one API to see one set of entitlements and another API to see a different set of entitlements.
9313c983a56ba7500d8b9861b16b1c103ae3a9454de12a836126f89cec59a1b8WebKit suffers from a RenderMathMLToken use-after-free vulnerability in CSSCrossfadeValue::crossfadeChanged.
2b3fca29e24705325c2e8f69792ec1fc6a23682a01cfd1f0ecc2b118ac3f4ef8The Windows Kernel suffers from a use-after-free vulnerability due to bad handling of predefined keys in NtNotifyChangeMultipleKeys.
e31318a053707141296573a167ad796cc33514ff394bc3820404fedfd9233256khugepaged on Linux races with rmap-based zap, races with GUP-fast, and fails to call MMU notifiers.
4a7e3cd6f113b1a612bf06b09dde29c3da416e1312821de9fb2c055f4fb2c180Linux kernel version 4.10 suffers from a use-after-free vulnerability in __do_semtimedop() due to a lockless check outside the RCU section.
07d8df8e54828f8f33482f1bf22aa6ffd633c656b7301bc40395e4379d31e449The Mali driver tries to use the KBASE_REG_NO_USER_FREE flag to ensure that the memory region referenced by kbase_csf_tiler_heap::buf_desc_reg cannot be freed by userspace. However, this flag is only a single bit, and there can be multiple tiler heaps referencing the same memory region. This can lead to a use-after-free condition.
b873567924105769f827e9318b7b58298191410905a58cc3d3192c6ce29f3225A vb2_mmap race with vb2_core_reqbufs leads to a use-after-free vulnerability in the Linux videobuf2 system.
d61a2203442211de402e6420b838d2d46c53994de2af84b1f343bfe1d3ad0231An unsafe use of follow_pfn in get_vaddr_frames in videobuf2 on Linux leads to use-after-free issues or writes to ro-pages.
f545295793aea2d033e2e1720bb35ac7db855bcaa8fafcd55848d3dffe8ce90bLinux suffers from two seccomp bugs with a PT_SUSPEND_SECCOMP permission bypass and ptracer death race condition.
6d7f253f354c0c71a5692bbeb6bcd2a20b50e96fc05afeda0286131716d7b406A design flaw in the Chrome Synchronous Mojo message handling introduces unexpected reentrancy and allows for multiple use-after-free vulnerabilities.
8a4497a8ccb25f14e2dfe008e25cc2f2541b2d1e30345fff6f3169f4cac5313dThe crewjam/saml go library is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements.
b98f26482dd59c89089a43c62936c2461318247bab55a7aaca8bb5e77ff8ba10The HTTP server implemented in HTTP.SYS on Windows handles authentication in a system thread which bypasses PAC verification leading to escalation of privilege.
73ffca14ecbbd49fef40fa8d7691f553f1cd6ed289aaa1f61656fcd866416f5apixman versions prior to 0.42.2 suffer from an out-of-bounds write vulnerability in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y.
e8d1ce418867fdf8b59910f6c8d388ea1ee007702037ba0202790a597b53fd71Evernote Web Clipper suffered from a same-origin policy bypass vulnerability. The link to the demo exploit was a 403 at the time of addition and has not been included in this post.
edeb6d56c9d50dfe6a6599592c18c494c4d5dc6ad6ea545586270e0e19511589Chrome suffers from a heap use-after-free vulnerability in blink::LocalFrameView::PerformLayout due to an incomplete fix for CVE-2022-3199.
ede5dbd6ee9c5895a1b02c8bc6cefd5dfe9adef84fd2fceb45bd3140cd0fa16bXNU suffers from a vm_object use-after-free vulnerability due to invalid error handling in vm_map_enter.
5ef6c77b173e377d874346d025662d6a74af50dd2789a4af20f0430f362f87dfXNU suffers from a dangling PTE entry due to integer truncation when collapsing vm_object shadow chains.
29e4042cd9a0b7666d0b7fda5c45703a1a078adf7f5202670b30f28e36559698
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed