Three vulnerabilities found in MediaTek's audio Digital Signal Processor (DSP) firmware.They first go into some background on the DSP (which runs on a custom architecture and is interfaced with via the `/dev/audio_ipi` driver)...
Exploitation of the TIPC heap overflow bug based on a keylength being used in a `memcpy()` call before it was validated.Two objects are used in combination with the overflow to achieve code execution...
Heap based overflow in the Windows Kernel (ntfs.sys). This was originally found in the wild by Kaspersky, though Alex Plaskett here digs much more into the vulnerability and exploitation, and takes it in bit of a new direction removing the need for a separate info-leak.
Three vulnerabilities in Qualcomm's Neural Processing Unit (NPU) driver. Specifically the article focuses on Samsung devices, as, for whatever reason, the NPU device is accessible to untrusted users where it isn't on most other devices.
Multiple bugs within the Microsoft RDP Client (Server being the attacker) found through fuzzing. None covered at this time are very impactful but there is some background in Virtual Channels within RDP and experieince getting a fuzzing envrionment setup that might be of value.
A privilege escalation to root in PHP FPM from a worker process where the attacker has arbitrary memory read/write and has escaped the PHP sandbox.
There is an out-of-bounds access that occures by causing Squirel to lookup a method in the array of class fields.
A logic bug in the Chrome garbage collector was discovered which could cause use-after-free. The garbage collector (GC) is a monolithic and complex component of the browser, and some background knowledge is needed to appreciate the issue.
Seven vulnerabilities in Windows.Starts off with a lot of background information on Windows kernel I/O, how Time-of-Check Time-of-Use (TOCTOU) works, and an overview of Advanced Local Procedure Calling (ALPC), which is a set of high performance IPC syscalls...
SharePoint Workflows are essentially a series of tasks to streamline a business process.With the clear potential for abuse there exist an `authorizedTypes` list that will both allow and block classes...