The Microsoft Windows kernel registry has a SID table poisoning problem that leads to bad locking and other issues.
c61efe9fac6bb66fd179b7a7a24132f82e660151050984d2cf1aae1c81d256ae
The Microsoft Windows kernel suffers from multiple security issues in the key replication feature of registry virtualization.
c3387e7bd189cc7e8d8449ad27e2b524a0fc939d2cc467c5961cc148cdbb9019
The Microsoft Windows kernel suffers from a use-after-free vulnerability due to a dangling registry link node under paged pool memory pressure.
54ec3add551cac7b508b2e8157d5a658c016115390f2b327d14cac78af270263
Android Binder VMA management suffers from multiple security issues.
ab667a607662e113616863f74924dec25552f0f3627b28b830dcd1cef1dc0df9
Microsoft Windows suffers from a kernel memory corruption due to an insufficient handling of predefined keys in registry virtualization.
ded3419927998aaa3da4fea3f80263227d729920c448e2a3cf6f50b41f8c867d
Chrome suffers from a copy-on-write check bypass in JSNativeContextSpecialization::BuildElementAccess.
e557b72be711db4993d6e8b8912d3a2b8d46fe92a763b730da3097b4ad6eb837
An XNU race condition in vm_map_copy_overwrite_unaligned allows writing to read-only mappings.
d28599b3adaf36ddb22cc63b493aedbe6d4bd9c80ab19441c0799cf163fd9d83
XNU VM suffers from a copy-on-write bypass vulnerability due to incorrect shadow creation logic used during unaligned vm_map_copy operations.
5a1b882267ecf571c7ea7314e620f51e45be202a17fa7c8a02fcea5a7a5b3641
On newer macOS/iOS versions, entitlements in binary signature blobs are stored in the DER format. libCoreEntitlements.dylib is the userspace library for parsing and querying such entitlements. The kernel has its own version of this library inside the AppleMobileFileIntegrity module. libCoreEntitlements exposes several functions, for example to convert entitlements to a dictionary representation (CEQueryContextToCFDictionary) or to query a specific entitlement (CEContextQuery). Unfortunately, different functions traverse the DER structure in subtly different ways, which allows one API to see one set of entitlements and another API to see a different set.
9313c983a56ba7500d8b9861b16b1c103ae3a9454de12a836126f89cec59a1b8
WebKit suffers from a RenderMathMLToken use-after-free vulnerability in CSSCrossfadeValue::crossfadeChanged.
2b3fca29e24705325c2e8f69792ec1fc6a23682a01cfd1f0ecc2b118ac3f4ef8
The Windows Kernel suffers from a use-after-free vulnerability due to bad handling of predefined keys in NtNotifyChangeMultipleKeys.
e31318a053707141296573a167ad796cc33514ff394bc3820404fedfd9233256
khugepaged on Linux races with rmap-based zap, races with GUP-fast, and fails to call MMU notifiers.
4a7e3cd6f113b1a612bf06b09dde29c3da416e1312821de9fb2c055f4fb2c180
Linux kernel version 4.10 suffers from a use-after-free vulnerability in __do_semtimedop() due to a lockless check outside the RCU section.
07d8df8e54828f8f33482f1bf22aa6ffd633c656b7301bc40395e4379d31e449
The Mali driver tries to use the KBASE_REG_NO_USER_FREE flag to ensure that the memory region referenced by kbase_csf_tiler_heap::buf_desc_reg cannot be freed by userspace. However, this flag is only a single bit, and there can be multiple tiler heaps referencing the same memory region. This can lead to a use-after-free condition.
b873567924105769f827e9318b7b58298191410905a58cc3d3192c6ce29f3225
A vb2_mmap race with vb2_core_reqbufs leads to a use-after-free vulnerability in the Linux videobuf2 system.
d61a2203442211de402e6420b838d2d46c53994de2af84b1f343bfe1d3ad0231
An unsafe use of follow_pfn in get_vaddr_frames in videobuf2 on Linux leads to use-after-free issues or writes to read-only pages.
f545295793aea2d033e2e1720bb35ac7db855bcaa8fafcd55848d3dffe8ce90b
Linux suffers from two seccomp bugs: a PT_SUSPEND_SECCOMP permission bypass and a ptracer death race condition.
6d7f253f354c0c71a5692bbeb6bcd2a20b50e96fc05afeda0286131716d7b406
A design flaw in the Chrome Synchronous Mojo message handling introduces unexpected reentrancy and allows for multiple use-after-free vulnerabilities.
8a4497a8ccb25f14e2dfe008e25cc2f2541b2d1e30345fff6f3169f4cac5313d
The crewjam/saml go library is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements.
b98f26482dd59c89089a43c62936c2461318247bab55a7aaca8bb5e77ff8ba10
The HTTP server implemented in HTTP.SYS on Windows handles authentication in a system thread, which bypasses PAC verification and leads to escalation of privilege.
73ffca14ecbbd49fef40fa8d7691f553f1cd6ed289aaa1f61656fcd866416f5a
pixman versions prior to 0.42.2 suffer from an out-of-bounds write vulnerability in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y.
e8d1ce418867fdf8b59910f6c8d388ea1ee007702037ba0202790a597b53fd71
Evernote Web Clipper suffered from a same-origin policy bypass vulnerability. The link to the demo exploit was a 403 at the time of addition and has not been included in this post.
edeb6d56c9d50dfe6a6599592c18c494c4d5dc6ad6ea545586270e0e19511589
Chrome suffers from a heap use-after-free vulnerability in blink::LocalFrameView::PerformLayout due to an incomplete fix for CVE-2022-3199.
ede5dbd6ee9c5895a1b02c8bc6cefd5dfe9adef84fd2fceb45bd3140cd0fa16b
XNU suffers from a vm_object use-after-free vulnerability due to invalid error handling in vm_map_enter.
5ef6c77b173e377d874346d025662d6a74af50dd2789a4af20f0430f362f87df
XNU suffers from a dangling PTE entry due to integer truncation when collapsing vm_object shadow chains.
29e4042cd9a0b7666d0b7fda5c45703a1a078adf7f5202670b30f28e36559698