There is an ipc_port_t reference count leak due to incorrect externalMethod overrides that leads to a Mac OS X / iOS kernel use-after-free vulnerability.
67d8687d9545ab1a2ccd1bda5d239a1cd88fcab8e19837adaef0762100aedf39
The XNU kernel suffers from a use-after-free vulnerability due to a lack of locking in set_dp_control_port.
70fb5d71ad7edf4688efba8a24e70c1786a30e2f5bd97f65e9e036050daf0c32
A logic issue in launchd message requeuing allows arbitrary mach message control. Mac OS X version 10.11.6 is affected.
0c4a95bb9942e2aa50c7ff4c3ea1baae30e2d99475cd575f65c1e1f70c6285a5
Multiple memory safety issues exist in Mac OS X and iOS inside of mach_ports_register.
164ada40109fdf8bff76ff09d76b270061f06289e2e74b857944849bdf5cb42e
task_t should be considered harmful and can lead to many XNU elevations of privilege.
0c7485685996e007a105a58f511a032918e4823a30285759e8c6228026ef145c
Mac OS X and iOS kernels suffer from a use-after-free vulnerability in IOSurface.
cab947c5829745a9dc2e51fbb1535572f84a96ed53d059d6709dbadfcef94a30
The Mac OS X kernel suffers from a use-after-free vulnerability in IOBluetoothFamily.kext.
171e7e87f8a2e1db0040d43d705559a25b69ab0a6f469ad2e2cb08be3384709b
There is an OS X exploitable kernel NULL dereference in CoreCaptureResponder due to an unchecked return value.
46db86ae3c269c855be0fa86158ce3d865227cc9c9d762ba3c3f0f9abf418370
There is an OS X exploitable kernel NULL pointer dereference in AppleGraphicsDeviceControl.
fff8a4440decd556ffa6cebdc500fc713db56d8a1a1d8bb199d49b0b849765b5
This is a proof of concept of an OS X / iOS kernel use-after-free racing getProperty on IOHDIXController and testNetBootMethod on IOHDIXControllerUserClient.
79081df20f058ae04524d60bd64ede2274ad0427278d2da4608b9c9253bfcd1f
There is an OS X exploitable kernel NULL pointer dereference in IOAudioEngine.
4918561f38647def9464de2b414899c5d7557c4435012dbcbcea3c5497c082bb
Proof of concept demonstrating an OS X kernel out-of-bounds read of an object pointer due to insufficient checks in a raw cast to an enum type.
589a7ffaa9683f1d874572aef114c962c63306ff50bb686d2a107d9d170bac41
There is an OS X exploitable kernel NULL pointer dereference in nvCommandQueue::GetHandleIndex in GeForce.kext.
9867c3b07af33066486e5bd1019b6c4444cefb3ae2ffd7c607b4787e32aebfd0
There is an OS X kernel stack buffer overflow in the GeForce GPU driver.
bd03809ea947c0522405f8f40bebc6bc8cceafabe05084804c9bf2911e696feb
There is an OS X exploitable kernel NULL pointer dereference in AppleMuxControl.kext.
882ed3c4cf58751cbf4938eb0d1c050d9a0e55f797c654e4b25181c2edfb6e6a
The OS X kernel suffers from a use-after-free vulnerability due to bad locking in IOAcceleratorFamily2.
a8600ecd3178e15e44a38fe6d006ebd5db953d2b5664662921d97ffa1ab5c4f2
There is an OS X exploitable kernel NULL dereference in IOAccelSharedUserClient2::page_off_resource.
35fee7c0806456b5b64e9ba3318bc1a3ba2c423a3d6c5686c17965f2c8c6c06d
A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs.
34223fcdcb6cbd70c6b1a484cbbe82f7969a88b8b78a173e0396adc447df53aa
Mac OS X kernel suffers from a code execution vulnerability due to a lack of bounds checking in AppleUSBPipe::Abort.
143c8edb082144d486e1c248032995f02f0e99555d57358b3a070cca59501529
The AppleKeyStore userclient uses an IOCommandGate to serialize access to its userclient methods; however, by racing two threads, one of which closes the userclient (which frees the IOCommandGate) and one of which tries to make an external method call, a use-after-free of the IOCommandGate can be triggered.
1db8ce601471ad3e19f7c84c23572709a3952990a28f5b5d130277dfb0f639dc
The Mac OS X kernel has an issue where an unchecked array index can be used to read an object pointer and then call a virtual method in the Nvidia GeForce driver.
8f940c5ed303d010b19d9f30337e7546f4aff5203b1fbca11bcbe729635d754b
The Mac OS X kernel suffers from use-after-free and double delete issues due to incorrect locking in the Intel GPU driver.
ca15dbb2b908cc1bd1b9e630c704f934d111095bea1cb1c8e14eacb07227a2e0
The code responsible for loading a suid binary following a call to the execve syscall invalidates the task port only after first swapping the new vm_map into the old task object, leaving a short race window in which the memory of the euid(0) process can be manipulated before the old task port is destroyed.
6be58b3f0fc092cb166e20a9e2e0ef99de307b957f1541a6ea0dd7a8f7ca8531
The avmplus bytecode verifier misses a control-flow path via op_pushwith throwing an exception, allowing crafted bytecode to be incorrectly optimized, which can trivially be abused to gain code execution.
15e844ae6193dee99a1f13d80853248247c00f3baaac1706b37ffdc2478eb54a
The Chrome GPU process suffers from a sandbox escape vulnerability due to the use of an invalid iterator in its IPC handler.
d2d9c1487cfb63d12edeb554dbcb77ba9f610f4a712c8e1c702ea55db2525c82