Race UAF in the Linux kernel. The issue is that the `SO_PEERCRED` and `SO_PEERGROUPS` socket options don't maintain ownership / a lock when copying `sk->sk_peer_cred` to userspace...
A use-after-free in `AddIceCandidate()` for adding Interactive Connectivity Establishment candidates when starting a WebRTC session. The problem is that it's possible to set up a `Promise` that can call `setLocalDescription()`, which will mark part of the local description memory for collection by the garbage collector...
Three vulnerabilities in Qualcomm's Neural Processing Unit (NPU) driver. Specifically the article focuses on Samsung devices, as, for whatever reason, the NPU device is accessible to untrusted users where it isn't on most other devices.
Multiple bugs within the Microsoft RDP Client (the Server being the attacker) found through fuzzing. None covered at this time are very impactful, but there is some background on Virtual Channels within RDP and experience getting a fuzzing environment set up that might be of value.
A relatively trivial heap overflow in the Transparent Inter-Process Communication (TIPC) module of the kernel. The `crypto_key_rcv` function in the driver takes a received packet and parses it for key data...
Multiple vulnerabilities in the Trusted Application `tzdemuxerservice` used by Samsung Smart TVs; five of the six issues have the same root cause. When a "normal world" application calls into the "trusted execution environment" (TEE), the parameters can be passed either by value or by reference...
Gerbv uses a fixed-size array to store `gerbv_aperture_t` structures but indexes it with an unrestricted integer, providing an out-of-bounds read and write. The array is indexed through an attacker-controlled value, `tool_num`; while the value is checked against the MIN and MAX values for the array, being out-of-bounds only results in an error message.
Heap overflow in the AMD GPU driver's debugfs write handler for DisplayPort test patterns. The driver allocates a 100-byte write buffer to copy data into, but uses the debugfs handler's size parameter for the actual copy...
Always a fun issue to see: the root of it is that a user-mode callback during a `ResetDC` (Reset Device Context) can unexpectedly tamper with the device context data that the kernel expects to remain stable.
A privilege escalation to root in PHP FPM from a worker process where the attacker has arbitrary memory read/write and has escaped the PHP sandbox.