When the `DOMWindow::open` method receives a frame name of `_top` or `_parent`, it is treated as a special case that immediately schedules a location change. The `scheduleLocationChange` function is usually invoked asynchronously, but when the new URL is the same as the old one except for a different fragment, it runs synchronously and fires a `popstate` event...
Seven vulnerabilities in Windows. Starts off with a lot of background on Windows kernel I/O, how Time-of-Check Time-of-Use (TOCTOU) bugs work, and an overview of Advanced Local Procedure Call (ALPC), a set of high-performance IPC syscalls...
This issue resides in `nt!ObpCreateSymbolicLinkName`, the kernel routine behind the syscall for creating symbolic links. One of the first things it does is create a user handle for the symbolic link object...
The `pci_vtblk_proc` handling of incoming `virtio` descriptors and the `VBH_OP_DISCARD` operation has a likely typo that allows a guest to perform an out-of-bounds memory read.
When parsing session establishment request packets, `ogs_fqdn_parse()` took an unvalidated length from the packet and passed it directly to `memcpy()`. The blog post indicates the destination is a stack buffer, making this a stack buffer overflow...
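The bug shape in an added example (not Open5GS code): a 3GPP-style FQDN is a run of length-prefixed labels, and the parser copies each label into a fixed stack buffer. The buffer size, the `[buffer][canary]` frame layout, the function names and the constructed packets are assumptions; the canary stands in for whatever sits after the buffer on the real stack, and the layout is chosen so the overrun stays inside one array and the program stays well-defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Open5GS code. A 3GPP-style FQDN is a run of
 * length-prefixed labels (<len><label><len><label>...) that the parser
 * turns into a dotted string. FQDN_MAX and the [buffer][canary] frame
 * layout are assumptions: every write below stays inside frame[]. */
#define FQDN_MAX  64
#define CANARY    "CANARY!!"            /* stands in for what follows the buffer */
#define FRAME_LEN (FQDN_MAX + sizeof(CANARY))

/* Vulnerable shape: the length byte from the packet goes straight into
 * memcpy; nothing compares it to the space left in dst. */
size_t fqdn_parse_unchecked(char *dst, const uint8_t *src, size_t src_len)
{
    size_t i = 0, out = 0;
    while (i < src_len) {
        uint8_t len = src[i++];
        if (out)
            dst[out++] = '.';
        memcpy(dst + out, src + i, len);   /* overruns dst when len is large */
        out += len;
        i += len;
    }
    dst[out] = '\0';
    return out;
}

/* Hardened: each label is checked against the packet bytes that remain
 * and the output space that remains, keeping one byte for the NUL. */
int fqdn_parse_checked(char *dst, size_t dst_cap,
                       const uint8_t *src, size_t src_len)
{
    size_t i = 0, out = 0;
    if (dst_cap == 0)
        return -1;
    while (i < src_len) {
        uint8_t len = src[i++];
        size_t need = len + (out ? 1 : 0);  /* label plus its '.' separator */
        if (len == 0 || len > src_len - i)  /* label runs past the packet */
            return -1;
        if (need >= dst_cap - out)          /* label + NUL would not fit */
            return -1;
        if (out)
            dst[out++] = '.';
        memcpy(dst + out, src + i, len);
        out += len;
        i += len;
    }
    dst[out] = '\0';
    return (int)out;
}

/* Constructed packet: label "ims" then one label whose length byte claims
 * `big` bytes of 'A'. Returns the packet length. */
size_t build_packet(uint8_t *pkt, uint8_t big)
{
    size_t n = 0;
    pkt[n++] = 3;
    memcpy(pkt + n, "ims", 3);
    n += 3;
    pkt[n++] = big;
    memset(pkt + n, 'A', big);
    return n + big;
}

/* 3 + '.' + 65 + NUL = 70 bytes into a 64-byte buffer. Returns 1 if the
 * canary after the buffer was overwritten, i.e. the overflow fired. */
int unchecked_parser_smashes_canary(void)
{
    uint8_t pkt[4 + 1 + 255];
    char frame[FRAME_LEN];
    size_t len = build_packet(pkt, 65);
    memcpy(frame + FQDN_MAX, CANARY, sizeof(CANARY));
    fqdn_parse_unchecked(frame, pkt, len);
    return memcmp(frame + FQDN_MAX, CANARY, sizeof(CANARY)) != 0;
}

/* Same packet through the hardened parser: 1 if rejected, canary intact. */
int checked_parser_rejects(void)
{
    uint8_t pkt[4 + 1 + 255];
    char frame[FRAME_LEN];
    size_t len = build_packet(pkt, 65);
    memcpy(frame + FQDN_MAX, CANARY, sizeof(CANARY));
    int rc = fqdn_parse_checked(frame, FQDN_MAX, pkt, len);
    return rc == -1 && memcmp(frame + FQDN_MAX, CANARY, sizeof(CANARY)) == 0;
}

/* A well-formed name still parses: 1 if the dotted string comes out right. */
int checked_parser_accepts(void)
{
    static const uint8_t pkt[] = {          /* constructed input */
        3,'i','m','s', 6,'m','n','c','0','0','1', 6,'m','c','c','0','0','1',
        11,'3','g','p','p','n','e','t','w','o','r','k', 3,'o','r','g' };
    char out[FQDN_MAX];
    int n = fqdn_parse_checked(out, sizeof out, pkt, sizeof pkt);
    return n == 33 && strcmp(out, "ims.mnc001.mcc001.3gppnetwork.org") == 0;
}

int main(void)
{
    printf("unchecked overruns=%d checked rejects=%d checked accepts=%d\n",
           unchecked_parser_smashes_canary(), checked_parser_rejects(),
           checked_parser_accepts());
    return 0;
}
```

The hardened version checks both directions: a claimed length longer than the remaining packet would make `memcpy` read past the input, and one longer than the remaining output space would write past the stack buffer, which is the case the blog post describes.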
There is a use-after-free in Chrome for Android when fetching saved credit card details for autofill. The vulnerability does require that the victim has credit card details saved in Chrome.
The straightforward version: two out-of-bounds accesses when reading and writing the driver feature set. A guest-provided value is stored and then used as an array index without any validation, in both `PciVirtIOWriteMM` and `PciVirtIOReadMM`, giving relative read and write primitives.
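The select-then-index pattern in an added example (not the hypervisor's code): the driver writes a feature-select register, and the device later uses that value as the index into its feature array on both the read and the write path. The flat `mem[]` layout of the device object, the register offsets, the function names and the "secret" word at `mem[7]` are assumptions made so the out-of-range index lands on modelled neighbouring state instead of undefined memory.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not the hypervisor's code. Models a VirtIO PCI device
 * where the driver writes a "feature select" register and then reads or
 * writes the feature word that index picks. The flat mem[] layout,
 * register offsets and the value at mem[7] are assumptions. */
#define FEATURE_WORDS       2
#define REG_FEATURE_SELECT  0x00
#define REG_DRIVER_FEATURE  0x04

struct virtio_dev {
    uint32_t mem[8];          /* mem[0..1]: driver_features[]; mem[2..7]: other state */
    uint32_t feature_select;  /* guest-controlled index into driver_features[] */
};

/* Vulnerable: the select value is stored as-is and later used as an index. */
void vuln_write(struct virtio_dev *d, uint32_t off, uint32_t val)
{
    uint32_t *driver_features = d->mem;     /* array at the start of the object */
    switch (off) {
    case REG_FEATURE_SELECT:
        d->feature_select = val;            /* never compared to FEATURE_WORDS */
        break;
    case REG_DRIVER_FEATURE:
        driver_features[d->feature_select] = val;   /* relative write */
        break;
    }
}

uint32_t vuln_read(struct virtio_dev *d, uint32_t off)
{
    uint32_t *driver_features = d->mem;
    if (off == REG_DRIVER_FEATURE)
        return driver_features[d->feature_select];  /* relative read */
    return 0;
}

/* Hardened: reject an out-of-range select when it is stored, and check
 * again at use so a stale or bypassed value cannot reach the index. */
int safe_write(struct virtio_dev *d, uint32_t off, uint32_t val)
{
    switch (off) {
    case REG_FEATURE_SELECT:
        if (val >= FEATURE_WORDS)
            return -1;
        d->feature_select = val;
        return 0;
    case REG_DRIVER_FEATURE:
        if (d->feature_select >= FEATURE_WORDS)
            return -1;
        d->mem[d->feature_select] = val;
        return 0;
    }
    return -1;
}

int safe_read(struct virtio_dev *d, uint32_t off, uint32_t *val)
{
    if (off != REG_DRIVER_FEATURE || d->feature_select >= FEATURE_WORDS)
        return -1;
    *val = d->mem[d->feature_select];
    return 0;
}

/* Guest selects index 7 and reads: the word past the array leaks. */
uint32_t demo_relative_read(void)
{
    struct virtio_dev d = {{0}, 0};
    d.mem[7] = 0xdeadbeef;                  /* e.g. a host pointer next to the array */
    vuln_write(&d, REG_FEATURE_SELECT, 7);
    return vuln_read(&d, REG_DRIVER_FEATURE);
}

/* Guest selects index 7 and writes: state past the array is corrupted. */
uint32_t demo_relative_write(void)
{
    struct virtio_dev d = {{0}, 0};
    vuln_write(&d, REG_FEATURE_SELECT, 7);
    vuln_write(&d, REG_DRIVER_FEATURE, 0x41414141);
    return d.mem[7];
}

/* Same sequence against the hardened handlers: out-of-range accesses are
 * refused and mem[7] is untouched, while in-range accesses still work. */
int demo_hardened(void)
{
    struct virtio_dev d = {{0}, 0};
    uint32_t v = 0;
    d.mem[7] = 0xdeadbeef;
    int blocked = safe_write(&d, REG_FEATURE_SELECT, 7) == -1;
    d.feature_select = 7;                   /* even if the value got in somehow */
    blocked = blocked && safe_write(&d, REG_DRIVER_FEATURE, 0x41414141) == -1
                      && safe_read(&d, REG_DRIVER_FEATURE, &v) == -1
                      && d.mem[7] == 0xdeadbeef;
    int works = safe_write(&d, REG_FEATURE_SELECT, 1) == 0
             && safe_write(&d, REG_DRIVER_FEATURE, 0x1234) == 0
             && safe_read(&d, REG_DRIVER_FEATURE, &v) == 0 && v == 0x1234;
    return blocked && works;
}

int main(void)
{
    printf("leak=%08x corrupt=%08x hardened_ok=%d\n", demo_relative_read(),
           demo_relative_write(), demo_hardened());
    return 0;
}
```

Because the index is added to the array base, the guest gets a read and a write at an attacker-chosen offset from the device object, which is why the summary calls them relative primitives rather than arbitrary ones.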
A use-after-free in Android's ION allocator, which the kernel uses for DMA buffers that can be shared across user/kernel/device boundaries. The issue starts with `DMA_BUF_IOCTL_SYNC`, exposed through the buffer's file descriptor: this IOCTL can arbitrarily increment or decrement the reference counter of the shared buffer...
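The lifetime problem in an added example (not Android or ION kernel code): a toy refcounted DMA buffer whose sync ioctl takes and drops references on START and END with nothing pairing them, beside a version where the ioctl only validates its flags and does cache maintenance. The flag values follow the Linux UAPI dma-buf header; the buffer structure, the function names and the `released` flag (standing in for the kernel freeing the object, so later reads stay well-defined) are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Android/ION kernel code. Toy refcounted DMA buffer
 * plus a sync ioctl. Flag values follow the Linux UAPI dma-buf header;
 * the structure and the `released` flag (stands in for kfree) are assumptions. */
#define DMA_BUF_SYNC_READ  (1u << 0)
#define DMA_BUF_SYNC_WRITE (2u << 0)
#define DMA_BUF_SYNC_RW    (DMA_BUF_SYNC_READ | DMA_BUF_SYNC_WRITE)
#define DMA_BUF_SYNC_START (0u << 2)
#define DMA_BUF_SYNC_END   (1u << 2)

struct dma_buf {
    int refcount;     /* held by the fd, each mapping, each importer */
    int released;     /* set when refcount reaches zero */
    uint8_t *pages;   /* the shared memory */
    size_t size;
};

static struct dma_buf *dma_buf_alloc(size_t size)
{
    struct dma_buf *b = calloc(1, sizeof *b);
    b->pages = malloc(size);
    memset(b->pages, 0x5a, size);
    b->size = size;
    b->refcount = 1;              /* the file descriptor's reference */
    return b;
}

static void dma_buf_get(struct dma_buf *b) { b->refcount++; }

static void dma_buf_put(struct dma_buf *b)
{
    if (--b->refcount == 0) {     /* last reference gone: free it */
        free(b->pages);
        b->pages = NULL;
        b->released = 1;
    }
}

/* mmap() of the buffer fd takes its own reference, as a real mapping does. */
static void mmap_buf(struct dma_buf *b) { dma_buf_get(b); }

/* A read through that mapping; -1 models the fault on a released buffer. */
static int mmap_read(struct dma_buf *b, size_t off, uint8_t *out)
{
    if (b->released || off >= b->size)
        return -1;
    *out = b->pages[off];
    return 0;
}

/* Vulnerable: START takes a reference and END drops one, with nothing
 * pairing them, so ENDs alone reach zero while the fd and mapping remain. */
static int sync_ioctl_vuln(struct dma_buf *b, unsigned flags)
{
    if (flags & DMA_BUF_SYNC_END)
        dma_buf_put(b);
    else
        dma_buf_get(b);
    return 0;
}

/* Hardened: validate the flags and do cache maintenance only (stubbed);
 * never touch the refcount, so lifetime stays tied to close()/munmap(). */
static int sync_ioctl_fixed(struct dma_buf *b, unsigned flags)
{
    if (flags & ~(DMA_BUF_SYNC_RW | DMA_BUF_SYNC_END))
        return -EINVAL;
    if ((flags & DMA_BUF_SYNC_RW) == 0)
        return -EINVAL;           /* a direction is required */
    (void)b;                      /* begin/end_cpu_access: flush or invalidate caches */
    return 0;
}

/* fd open (1 ref), mmap (2 refs), then two END ioctls with no START.
 * Returns 1 if the mapping now reads a released buffer. */
int demo_vuln_uaf(void)
{
    struct dma_buf *b = dma_buf_alloc(4096);
    uint8_t v;
    mmap_buf(b);
    sync_ioctl_vuln(b, DMA_BUF_SYNC_RW | DMA_BUF_SYNC_END);
    sync_ioctl_vuln(b, DMA_BUF_SYNC_RW | DMA_BUF_SYNC_END);
    int uaf = b->released && mmap_read(b, 0, &v) == -1;
    free(b);
    return uaf;
}

/* Same sequence against the fixed ioctl: refcount untouched, the mapping
 * still reads valid data, the buffer is freed only after close + munmap. */
int demo_fixed_ok(void)
{
    struct dma_buf *b = dma_buf_alloc(4096);
    uint8_t v = 0;
    mmap_buf(b);
    int ok = sync_ioctl_fixed(b, DMA_BUF_SYNC_RW | DMA_BUF_SYNC_END) == 0
          && sync_ioctl_fixed(b, DMA_BUF_SYNC_RW | DMA_BUF_SYNC_END) == 0
          && sync_ioctl_fixed(b, DMA_BUF_SYNC_END | (1u << 5)) == -EINVAL
          && b->refcount == 2
          && mmap_read(b, 0, &v) == 0 && v == 0x5a;
    dma_buf_put(b);               /* close(fd) */
    ok = ok && !b->released;
    dma_buf_put(b);               /* munmap() */
    ok = ok && b->released;
    free(b);
    return ok;
}
```

The design point is that an ioctl reachable from any holder of the fd must not be able to change the object's lifetime: once a user-controlled call can decrement a count that other references depend on, the freed object is still reachable through those references, which is the use-after-free.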
This Talos report covers a non-trivial issue where a pointer to stack memory is used after the frame it belonged to has gone out of scope, when invoking the JS bindings that Nitro Pro PDF provides to document authors for automating aspects of the document. When one of these bindings needs to be executed by the SpiderMonkey library, `js32u.dll!js_Invoke` is used to create stack space and push a `JSStackFrame` object for the invoked binding to use...
This post covers an infoleak in the Security Monitor of Microsoft's Azure Sphere, a Linux-based operating system for IoT devices. They focus on the `SMSyscallPeripheralAcquire` system call, which is used to switch the mux mode of a given pin and changes the layout of how the pins are configured...
It's hard to even call this one a vulnerability: the driver developers simply expose some kernel primitives directly to userland, so nothing crazy is needed. The driver supporting the HP OMEN Gaming Hub software directly exposes several privileged instructions through IOCTLs...