Kernel bug in KCodes' NetUSB kernel module, which is used by various network device vendors for routers and such. The vulnerability is in the `dispatchNormalEPMsgOut()` handler for an unlabelled command of `0x805f`...
Integer underflow in `fs_context.c`'s `legacy_parse_param()` function, which was introduced in v5.1. When bounds checking the provided option's length, they compare it with `system page size - 2 - context data size`...
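As an added illustration (not the kernel's code), here is a C model of the unsigned-arithmetic trap that check falls into: with `size_t` operands, `page size - 2 - size` wraps once the data already in the context passes `page size - 2`, and from then on the comparison admits any length. The page size constant, the function names and the hardened variant are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Illustrative page size (assumption for the example; the kernel uses PAGE_SIZE). */
#define PAGE_SZ 4096

/* Vulnerable shape of the check described above (a model, not the kernel's
 * exact code). All operands are unsigned (size_t), so once the data already
 * in the context, `size`, exceeds PAGE_SZ - 2, the subtraction wraps to a
 * huge value and *any* `len` passes the comparison. */
bool vuln_param_fits(size_t size, size_t len)
{
    return !(len > PAGE_SZ - 2 - size);
}

/* Hardened form: cap each operand first so the sum cannot wrap, then check
 * the total with additions instead of a subtraction that can go negative. */
bool safe_param_fits(size_t size, size_t len)
{
    if (size > PAGE_SZ || len > PAGE_SZ)
        return false;
    return size + len + 2 <= PAGE_SZ;
}

/* Smallest `size` at which the vulnerable check lets a whole-page option
 * through: shows the window opens exactly when size reaches PAGE_SZ - 1. */
size_t first_underflowing_size(void)
{
    for (size_t size = 0; size <= PAGE_SZ; size++)
        if (vuln_param_fits(size, PAGE_SZ))
            return size;
    return (size_t)-1;
}
```

The point a reviewer should carry away: a bounds check written as `len > LIMIT - used` is only sound if `used <= LIMIT` is guaranteed everywhere `used` grows; rewriting it as `used + len + 2 > LIMIT` with a prior cap on the operands removes the dependence on that invariant.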
The initial vulnerability here is an unbounded `sscanf` into a stack variable. In terms of discovery, just checking those format strings for unbounded string reads will find plenty of bugs out there in the world...
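Two added helpers in C, not code from the original target, that go with that discovery tip: a hardened `sscanf` read whose field width is derived from the buffer size (and which rejects, rather than silently truncates, a token longer than the buffer), and a small format-string audit that flags exactly the pattern described above, an assigning `%s` or `%[` with no width. The buffer size and function names are assumptions for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_CHARS 15                 /* longest token we accept (assumed) */
#define NAME_LEN (NAME_MAX_CHARS + 1)     /* buffer: token plus NUL */
#define STR2(x) #x
#define STR(x) STR2(x)                    /* 15 -> "15", spliced into the format */

/* Hardened read: the width comes from the buffer size, so "%15s" can never
 * drift away from NAME_LEN. Returns 1 on success, 0 if there is no token or
 * the token was longer than the buffer (sscanf would otherwise cut it off). */
int parse_name(const char *input, char name[NAME_LEN])
{
    int consumed = 0;
    if (sscanf(input, "%" STR(NAME_MAX_CHARS) "s%n", name, &consumed) != 1)
        return 0;
    char next = input[consumed];
    if (next != '\0' && !isspace((unsigned char)next))
        return 0;                         /* token continued past the width: reject */
    return 1;
}

/* Convenience for checking results: 1 if `input` parses to exactly `expected`. */
int parse_name_matches(const char *input, const char *expected)
{
    char name[NAME_LEN];
    return parse_name(input, name) == 1 && strcmp(name, expected) == 0;
}

/* Discovery helper: true if a scanf-family format contains an assigning %s
 * or %[ conversion with no field width, i.e. a read bounded only by the
 * input. "%*s" (suppressed) and glibc's "%ms" (allocating) are not flagged. */
bool fmt_has_unbounded_read(const char *fmt)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                     /* "%%" matches a literal percent */
        bool suppressed = (*p == '*');
        if (suppressed)
            p++;
        bool has_width = isdigit((unsigned char)*p) != 0;
        while (isdigit((unsigned char)*p))
            p++;
        bool allocates = (*p == 'm');
        if (allocates)
            p++;
        while (*p && strchr("hlLjzt", *p))
            p++;                          /* length modifiers */
        if (*p == '\0')
            break;
        if ((*p == 's' || *p == '[') && !has_width && !suppressed && !allocates)
            return true;
    }
    return false;
}
```

Feeding `fmt_has_unbounded_read` the string literals pulled out of a binary's `sscanf`/`fscanf`/`scanf` call sites is the mechanical version of the hunt the summary suggests; the `%n` trick in `parse_name` is how you notice truncation without a second pass over the input.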
Basic idea is that the identifier pulled out of a message can resolve to a different handler between the initial check that routes the message to the proper "sequence" and that sequence's own lookup of the endpoint/handler for it.
An integer overflow in Adobe Reader's parsing of gesture coordinates.
Missing bounds check leading to an out-of-bounds write in the DSP driver on Samsung's Exynos S20 devices.
Integer overflows everywhere in this ELF loader, leading to kernel memory being overflowed with controlled content.
This is one of those issues that is an obvious code smell once you're aware of it: `inp_join_group` releases a lock so that it can call another function that requires the same lock, then takes the lock back after that function returns. That creates a window in which another thread can obtain the lock and free the pointer out from under it.
Here, we have a case of one function returning a pointer to a caller, but expecting to retain ownership over that pointer; the caller, thinking it has ownership, frees it; and by calling the same function multiple times the same pointer gets freed multiple times.
Basic idea here is that you could mount unintended paths by embedding null bytes in an otherwise acceptable mount source, and more generally through improper handling of null bytes within a mount source. While Go does not give strings containing null bytes any special handling, `send_mountsources`, written in C, just iterates over the provided message mounting every null-terminated substring and passes the resulting fds to the child...
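An added C model of the mismatch, not the project's own code: the receiving side treats the message as a run of NUL-terminated records, so a single sender-side string that happens to contain `\x00` arrives as two records. Alongside the loop are the two checks that close the gap, one on the sender (reject any path carrying an embedded NUL before it is serialized) and one on the receiver (the number of records found must match the number claimed, and none may be empty or unterminated). Function names, the wire layout and the sample messages are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Length of the NUL-terminated string at s, never reading past `max` bytes
 * (a local strnlen so the example carries no platform dependency). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Model of the receiving loop described above: `msg` is `len` bytes of
 * concatenated NUL-terminated mount sources, and every substring becomes its
 * own mount. A Go string "/allowed\x00/etc" that the sender validated as ONE
 * path is counted here as TWO. */
size_t count_mount_sources(const char *msg, size_t len)
{
    size_t n = 0, pos = 0;
    while (pos < len) {
        size_t l = bounded_len(msg + pos, len - pos);
        n++;
        pos += l + 1;                    /* skip the string and its NUL */
    }
    return n;
}

/* Sender-side guard: a path handled as (pointer, length), as a Go string is,
 * must not contain a NUL byte, because NUL is the wire format's separator. */
bool path_has_embedded_nul(const char *path, size_t path_len)
{
    return bounded_len(path, path_len) != path_len;
}

/* Receiver-side guard: every record must be non-empty and NUL-terminated
 * inside the buffer, and the record count must equal what the sender claims. */
bool mount_sources_consistent(const char *msg, size_t len, size_t expected)
{
    size_t pos = 0, n = 0;
    while (pos < len) {
        size_t l = bounded_len(msg + pos, len - pos);
        if (l == 0 || pos + l >= len)    /* empty record, or no terminator */
            return false;
        n++;
        pos += l + 1;
    }
    return n == expected;
}
```

The general lesson, which goes beyond this one target: whenever a length-delimited string crosses into a NUL-delimited protocol, the boundary is where the validation has to happen, since neither side on its own sees anything wrong.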