XNU suffers from a dangling PTE entry due to integer truncation when collapsing vm_object shadow chains.
29e4042cd9a0b7666d0b7fda5c45703a1a078adf7f5202670b30f28e36559698
In the function AppleAVDUserClient::decodeFrameFig, a location in the decoder's IOSurface input buffer is calculated, and then bzero is called on it. The size of this IOSurface's allocation is controllable by the userspace caller, so the calculated pointer can go out of bounds, leading to memory corruption. This issue could potentially allow an unprivileged local application to escalate its privileges to the kernel.
a9f971c8dcec3381b92b6bafb61fc99c1b1da326eec460ede2682c51580f3f3e
In AppleAVD.kext, pixel buffers are mapped by calling AppleAVDUserClient::_mapPixelBuffer, which eventually calls AppleAVD::allocateKernelMemoryInternal. If the buffer is an IOSurface, the function calls IOSurface::deviceLockSurface before allocating memory by calling prepare. But when a pixel buffer is unmapped by calling AppleAVDUserClient::_unmapPixelBuffer, which calls AppleAVD::deallocateKernelMemoryInternal, the IOSurface is not locked before calling complete. This means that mapping and unmapping can occur at the same time, leading to kernel memory corruption. This bug could allow escalation to kernel privileges from a local app.
fa06dd34c9fcfaf9f03c6a70c7fd7fc078ff6872d40e76e3295731e58256ce8a
Node-saml and its partner project passport-saml are vulnerable to an authentication bypass due to lax parsing of SAML responses.
1409b388d1ff3591b0f738957b81678639bad9a730829cf9d04b2f5f4e2e8a40
libxml2 suffers from an integer overflow vulnerability in xmlParseNameComplex.
460eceed9569ffcdce27d0a183f57f2e49ab67429e91901bbb4e3224a94ee5b0
libxml2 suffers from a double-free vulnerability when parsing default attributes.
1a8d29ae40a3deaa9cedd289845638ea24b570780c91b8644c9fbebb133eb6ae
Chrome suffers from a password_manager::WellKnownChangePasswordState::SetChangePasswordResponseCode heap use-after-free vulnerability.
95f6fb186156d8852bfb88cde51b59609bb9e1bb18fedd24876a32ee97f9a6fa
The Windows kernel suffers from out-of-bounds reads and other issues when operating on long registry key and value names.
8b59c6140909e13954c81f8ebbddfeb70a1e3eaf5675031e13f783c0db187379
The Windows kernel suffers from multiple memory corruption vulnerabilities when operating on very long registry paths.
98287a2f682dd844bcaa8bbc51f70cb0d694e997a42fcb83f27b010fb379d61d
The Windows Kernel suffers from a memory corruption vulnerability due to type confusion of subkey index leaves in registry hives.
5243d82498c43a219718d01db84be2571a427237b6a4a54d1f50e487c8526fea
The Windows kernel registry suffers from a use-after-free vulnerability due to bad handling of failed reallocations under memory pressure.
8bfa22378d9e50ef4b418d4748365b0da33423d42dc3533797aebf4653bedc6d
WebKit suffers from an HTMLSelectElement use-after-free vulnerability.
f919800224aa99b055b40b0996b148ca88778d53438f1227fbb9b98b78728a09
Chrome suffers from a heap use-after-free vulnerability in AccountSelectionBubbleView::OnAccountImageFetched.
58250b99dc0491f82cdc58424c569b8f9d2df212310a3407eb9441507e365641
There is a vulnerability in Cisco Jabber that allows an attacker to send arbitrary XMPP stanzas (XMPP control messages) to another Cisco Jabber client, including XMPP stanzas that are normally sent only by the trusted server.
ed2115ba91caeae4b0245ae0141359b56fa7d27077ea7a8cb6d34c1aa2ad914c
Chrome suffers from a heap buffer overflow vulnerability in offline_items_collection::OfflineContentAggregator::OnItemRemoved.
a12649cc87b93dc4f1206b4520f0269c90067ff6042cf3fbf667a38af1956ab3
The Windows Kernel suffers from integer overflow vulnerabilities in its registry subkey lists leading to memory corruption.
4f2712bf388769633e54ee7cdd01205295aa838cb4c905e9fab301e7f201a73e
Linux has an issue with munmap() racing with pagemap_read() that leads to a page use-after-free vulnerability.
6e43fff37a6d90cd02b391b72b480aba2d74433d269f96e0cefcf585c8e51dd3
Linux suffers from an anon_vma use-after-free vulnerability through the bogus merge of VMAs caused by double-reuse of leaf anon_vma because of ->degree misinterpretation.
e27e13af66dddafc7e4588c3b561b058fe6859b4fbc060de1741e0003a7d5b45
Google Chrome version 103.0.5060.53 (Official Build) and Chromium version 105.0.5148.0 (Developer Build) (64-bit) suffer from a network::URLLoader::NotifyCompleted heap use-after-free vulnerability.
0a0cfa991a833e133ec250fb094a0a8fff51e2ddc48df648d1193d2e2686ead0
Google Chrome version 103.0.5060.53 suffers from an Autofill Assistant universal cross site scripting vulnerability.
15976aab9647c7b90f0f40144b888ee5fa37af45baa02bcd0adbe3fc7fae4979
The Windows KDC allows an interposing attacker to downgrade encryption to RC4-MD4, compromising the user's TGT session key and resulting in escalation of privilege.
7cbb12797e608e56c65513653347b2c0b4cee93da07a7ca593f276da0197c595
Linux stable versions 5.4 and 5.10 suffer from a page use-after-free via a stale TLB caused by an rmap lock not being held during a PUD move.
b9d45dd1409659792dcfd15c2c4781345acb1b7ca05dc637d666213b43252dff
In the Linux Mali driver, when building with MALI_USE_CSF, the VFS read handler of the main Mali file descriptor (kbase_read()) never looks at its "count" parameter. This means that a simple userspace program that sets up a Mali file descriptor, then calls read(mali_fd, buf, 1), will see read() returning a higher length than requested, and out-of-bounds data in the userspace buffer will be clobbered.
3d801b6f86d2cf6dcafab0fab084495a709669823b168ea8d4eaa15c04e2a64c
The Mali driver frees GPU page tables before removing the higher-level PTEs pointing to those page tables (and, therefore, also before issuing the required flushes). This means a racing memory write instruction on the GPU can write to an attacker-controlled physical address.
b9314770c55b858e1768dc0c89581aba6dcd511b77abe5a7a6849771f7835386
Arm Mali has an issue where the driver exposes physical addresses to unprivileged userspace.
0dd6b9f2ab5a6a54b712bd8da62800520f10d77e1129a4be99b021e528de767a