There is an ipc_port_t reference count leak due to incorrect externalMethod overrides that lead to a Mac OS X / iOS kernel use-after-free vulnerability.
67d8687d9545ab1a2ccd1bda5d239a1cd88fcab8e19837adaef0762100aedf39The XNU kernel suffers from a use-after-free vulnerability due to a lack of locking in set_dp_control_port.
70fb5d71ad7edf4688efba8a24e70c1786a30e2f5bd97f65e9e036050daf0c32A logic issue in launchd message requeuing allows arbitrary mach message control. Mac OS X version 10.11.6 is affected.
0c4a95bb9942e2aa50c7ff4c3ea1baae30e2d99475cd575f65c1e1f70c6285a5Multiple memory safety issues exist in Mac OS X and iOS inside of mach_ports_register.
164ada40109fdf8bff76ff09d76b270061f06289e2e74b857944849bdf5cb42etask_t should be considered harmful and can lead to many XNU elevations of privilege.
0c7485685996e007a105a58f511a032918e4823a30285759e8c6228026ef145cMac OS X and iOS kernels suffer from a use-after-free vulnerability in IOSurface.
cab947c5829745a9dc2e51fbb1535572f84a96ed53d059d6709dbadfcef94a30The Mac OS X kernel suffers from a use-after-free vulnerability. in IOBluetoothFamily.kext.
171e7e87f8a2e1db0040d43d705559a25b69ab0a6f469ad2e2cb08be3384709bThere is an OS X exploitable kernel NULL dereference in CoreCaptureResponder due to unchecked return value.
46db86ae3c269c855be0fa86158ce3d865227cc9c9d762ba3c3f0f9abf418370There is an OS X exploitable kernel NULL pointer dereference in AppleGraphicsDeviceControl.
fff8a4440decd556ffa6cebdc500fc713db56d8a1a1d8bb199d49b0b849765b5This is a proof of concept of an OS X / iOS kernel use-after-free racing getProperty on IOHDIXController and testNetBootMethod on IOHDIXControllerUserClient.
79081df20f058ae04524d60bd64ede2274ad0427278d2da4608b9c9253bfcd1fThere is an OS X exploitable kernel NULL pointer dereference in IOAudioEngine.
4918561f38647def9464de2b414899c5d7557c4435012dbcbcea3c5497c082bbProof of concept demonstrating an OS X kernel out-of-bounds read of an object pointer due to insufficient checks in raw cast to enum type.
589a7ffaa9683f1d874572aef114c962c63306ff50bb686d2a107d9d170bac41There is an OS X exploitable kernel NULL pointer dereference in nvCommandQueue::GetHandleIndex in GeForce.kext.
9867c3b07af33066486e5bd1019b6c4444cefb3ae2ffd7c607b4787e32aebfd0There's an OS X kernel stack buffer overflow in the GeForce gpu driver.
bd03809ea947c0522405f8f40bebc6bc8cceafabe05084804c9bf2911e696febThere is an OS X exploitable kernel NULL pointer dereference in AppleMuxControl.kext.
882ed3c4cf58751cbf4938eb0d1c050d9a0e55f797c654e4b25181c2edfb6e6aThe OS X kernel suffers from a use-after-free vulnerability due to bad locking in IOAcceleratorFamily2.
a8600ecd3178e15e44a38fe6d006ebd5db953d2b5664662921d97ffa1ab5c4f2There is an OS X exploitable kernel NULL dereference in IOAccelSharedUserClient2::page_off_resource.
35fee7c0806456b5b64e9ba3318bc1a3ba2c423a3d6c5686c17965f2c8c6c06dA race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs.
34223fcdcb6cbd70c6b1a484cbbe82f7969a88b8b78a173e0396adc447df53aaMac OS X kernel suffers from a code execution vulnerability due to a lack of bounds checking in AppleUSBPipe::Abort.
143c8edb082144d486e1c248032995f02f0e99555d57358b3a070cca59501529The AppleKeyStore userclient uses an IOCommandGate to serialize access to its userclient methods, however by racing two threads, one of which closes the userclient (which frees the IOCommandGate) and one of which tries to make an external method call we can cause a use-after-free of the IOCommandGate.
1db8ce601471ad3e19f7c84c23572709a3952990a28f5b5d130277dfb0f639dcMac OS X kernel has an issue where an unchecked array index can be used to read an object pointer then call a virtual method in the Nvidia GEForce driver.
8f940c5ed303d010b19d9f30337e7546f4aff5203b1fbca11bcbe729635d754bThe Mac OS X kernel suffers from use-after-free and double delete issues due to incorrect locking in the Intel GPU driver.
ca15dbb2b908cc1bd1b9e630c704f934d111095bea1cb1c8e14eacb07227a2e0The code responsible for loading a suid-binary following a call to the execve syscall invalidates the task port after first swapping the new vm_map into the old task object leaving a short race window where we can manipulate the memory of the euid(0) process before the old task port is destroyed.
6be58b3f0fc092cb166e20a9e2e0ef99de307b957f1541a6ea0dd7a8f7ca8531The avmplus bytecode verifier misses a control-flow path via op_pushwith throwing an exception allowing crafted bytecode to be incorrectly optimized which can trivially be abused to get code execution.
15e844ae6193dee99a1f13d80853248247c00f3baaac1706b37ffdc2478eb54aThe Chrome GPU process suffers from a sandbox escape vulnerability due to the use of an invalid iterator in its IPC handler.
d2d9c1487cfb63d12edeb554dbcb77ba9f610f4a712c8e1c702ea55db2525c82
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed