Android's NFC stack uses a `TCB`, assumed to stand for "task control block", to track tasks that come from the NFC controller. The NFC specification supports a variety of formats for different types of NFC tags, and this tag type has to be tracked in the control block...
There is an out-of-bounds access that occurs by causing Squirrel to look up a method in the array of class fields.
Ignoring plenty of nuance, `tiocspgrp` (TTY IOCTL Set Process Group) would grab the wrong lock. Pseudoterminals (pty) have a master and a slave device, both of which are controlled by userland and can have ioctls called on them...
A logic bug was discovered in the Chrome garbage collector that could cause a use-after-free. The garbage collector (GC) is a monolithic and complex component of the browser, and some background knowledge is needed to appreciate the issue.
An amazingly simple issue as far as browser bugs go. The `removeFromFacesLookupTable` method in the `CSSFontFaceSet` class failed to properly check whether it had reached the end of the table when looking up a font...
When the `DOMWindow::open` method receives a frame name of `_top` or `_parent`, these are treated as special cases that get an immediate scheduling of a location change. The `scheduleLocationChange` function is usually invoked in an asynchronous manner if the URL is the same as the old one, but if the URL fragments differ, it'll run synchronously and fire a `popstate` event...
Seven vulnerabilities in Windows. The post starts off with a lot of background information on Windows kernel I/O, how Time-of-Check Time-of-Use (TOCTOU) works, and an overview of Advanced Local Procedure Calling (ALPC), which is a set of high-performance IPC syscalls...
This issue resides in `nt!ObpCreateSymbolicLinkName`, the syscall for creating symbolic links. One of the first things it does is create a user handle for the symbolic link object...
The `pci_vtblk_proc` handling of incoming `virtio` descriptors and the `VBH_OP_DISCORD` operation has a likely typo that allows a guest to perform an out-of-bounds memory read.
When parsing session establishment request packets in `ogs_fqdn_parse()`, the function would take an unvalidated length and pass it directly to `memcpy()`. The blog post indicates the destination is a stack buffer, leading to a stack overflow...
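The bug class in that last item, as an added example that is not the blog post's code and not the project's own `ogs_fqdn_parse()`: a hypothetical bounds-checked parser for the DNS-style length-prefixed FQDN encoding, showing the two checks that an unchecked `memcpy()` of a packet-supplied length skips. The function name, the encoding assumption and the sample packets are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical FQDN parser (added example, not the project's
 * ogs_fqdn_parse()) for the DNS-style encoding: a length byte followed
 * by that many label bytes, repeated, ended by a zero length byte.
 * The bug class in the summary is taking label_len from the packet and
 * handing it to memcpy() unchecked; the two checks that prevents are
 * marked below. Returns the decoded length, or -1 on malformed input. */
int fqdn_parse_checked(char *dst, size_t dst_len,
                       const uint8_t *src, size_t src_len)
{
    size_t in = 0, out = 0;
    if (dst == NULL || src == NULL || dst_len == 0) return -1;
    while (in < src_len && src[in] != 0) {
        size_t label_len = src[in++];            /* attacker-controlled */
        /* Check 1: the label must lie inside the received packet. */
        if (label_len > src_len - in) return -1;
        /* Check 2: label, separator and NUL must fit the destination. */
        if (label_len + (out ? 1 : 0) + 1 > dst_len - out) return -1;
        if (out) dst[out++] = '.';
        memcpy(dst + out, src + in, label_len);  /* now provably in bounds */
        out += label_len;
        in += label_len;
    }
    dst[out] = '\0';
    return (int)out;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t good_apn[] = {8,'i','n','t','e','r','n','e','t',
                                   4,'g','p','r','s',0};
static const uint8_t oversized[] = {0x40,'a','b',0};  /* claims 64 bytes */

int main(void)
{
    char apn[64];
    int n = fqdn_parse_checked(apn, sizeof apn, good_apn, sizeof good_apn);
    printf("%d %s\n", n, n >= 0 ? apn : "(rejected)");
    n = fqdn_parse_checked(apn, sizeof apn, oversized, sizeof oversized);
    printf("%d (rejected: label length exceeds remaining input)\n", n);
    return 0;
}
```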