Multiple memory corruptions in the Microsoft Edge browser; there are several issues here, but they can all generally be summed up as "self-corruptions". It's things like a use-after-free by opening a dialog, closing the backing page that spawned the dialog, and then closing the dialog, which triggers a callback that no longer exists...
At its core, a simple yet odd Linux kernel issue: `__io_req_init_async` assumes that the new request (`req`) being submitted was submitted by its own worker, so it sets `req->work.identity` to `current->io_uring`.
An integer overflow in the official SHA-3 implementation as used by PHP, Python, Ruby and, I'm sure, other places. When updating a block that already has some data in it, the code tries to determine whether the new partial-block bytes would go out of bounds, and it makes the classic mistake of adding the current index and the length of the new data, then just checking whether the sum is lower than a bounding value...
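The flawed check and its safe form, as an added illustration that is not the SHA-3 reference code: the block size, the `absorb_ctx` type and the function names are constructed for the example. The sum `index + len` can wrap around, so a huge `len` passes the flawed comparison; rearranging the check so that the remaining capacity is computed first (with `index` already known to be inside the block) removes the wrap.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed for the example: a SHA3-256-sized block (136-byte rate). */
#define BLOCK_BYTES 136

/* A partial block plus the index of the next free byte (hypothetical type). */
typedef struct {
    uint8_t block[BLOCK_BYTES];
    size_t index;   /* always < BLOCK_BYTES while the block is partial */
} absorb_ctx;

/* The pattern described in the write-up: add first, compare second.
 * When index + len wraps past SIZE_MAX the sum is tiny and the check passes. */
static bool fits_flawed(size_t index, size_t len) {
    return index + len < BLOCK_BYTES;
}

/* Safe form: bound the index, then compare len against the remaining room.
 * BLOCK_BYTES - index cannot underflow because index < BLOCK_BYTES is checked first. */
static bool fits_fixed(size_t index, size_t len) {
    return index < BLOCK_BYTES && len < BLOCK_BYTES - index;
}

/* Copies data into the partial block only if the safe check passes.
 * Returns 0 on success, -1 if the data would not fit. */
static int absorb_partial(absorb_ctx *c, const uint8_t *data, size_t len) {
    if (!fits_fixed(c->index, len))
        return -1;
    memcpy(c->block + c->index, data, len);
    c->index += len;
    return 0;
}

/* Demo sequence: absorb 10 bytes, then attempt an oversized update that the
 * flawed check would have accepted. Returns the index after both calls (10). */
static size_t demo_absorb_sequence(void) {
    absorb_ctx c;
    uint8_t sample[10] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};  /* constructed input */
    memset(&c, 0, sizeof c);
    absorb_partial(&c, sample, sizeof sample);
    absorb_partial(&c, sample, SIZE_MAX - 4);  /* rejected: index stays 10 */
    return c.index;
}

int main(void) {
    printf("flawed check, index 8, len SIZE_MAX: %s\n",
           fits_flawed(8, SIZE_MAX) ? "accepted (overflow)" : "rejected");
    printf("fixed  check, index 8, len SIZE_MAX: %s\n",
           fits_fixed(8, SIZE_MAX) ? "accepted" : "rejected");
    printf("index after demo sequence: %zu\n", demo_absorb_sequence());
    return 0;
}
```

The two checks agree on every in-range input; they only diverge once the sum wraps, which is exactly the case a length sanity check exists to catch.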
A couple of integer overflows in the Windows kernel through the registry, the core problem being that a 16-bit integer is used for the `Count` field storing the number of subkeys inside an index. Under normal circumstances, when adding new subkeys the registry will automatically divide itself so you won't have more than ~1000 subkeys, but you can import arbitrarily formatted indexes, and using this you can craft one with 65535 keys...
A format-string bug in the Trackmania Forever server accessible from server clients; a pretty straightforward bug, input in a client RPC gets printed on the server.
When a docx parser encounters an end element, it assumes the pointer to the start element is already available and attempts to operate on it, leading to an out-of-bounds access immediately before the buffer.
The core issue is the use of the MAP_FIXED flag with mmap. Basically, `pthread_allocate_stack`, for every thread it creates, starts by mapping a new `STACK_SIZE` memory segment at a fixed address (calculated relative to `THREAD_STACK_START_ADDRESS` and the number of threads already allocated)...
In responding to a static file request, the Crow HTTP framework would allocate a 16 KB buffer and read the target file into it. It would then send the whole buffer to the client regardless of how many bytes were actually read.
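The read-then-send pattern in a minimal form, as an added example rather than Crow's own code: the in-memory `mem_file` stand-in for the file descriptor, the counting `sock_send` stub and the function names are constructed for the illustration. The flawed version ignores the byte count returned by the read and hands the full buffer to the socket, which leaks whatever stale stack bytes sit past the end of the file data; the corrected version sends exactly what each read returned and loops until EOF.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CHUNK 16384   /* the 16 KB read buffer from the write-up */

/* Constructed stand-in for an open file: a byte range with a read cursor. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} mem_file;

/* Mimics read(2): copies up to cap bytes, returns how many, 0 at EOF. */
static size_t mem_read(mem_file *f, uint8_t *buf, size_t cap) {
    size_t n = f->len - f->pos;
    if (n > cap)
        n = cap;
    memcpy(buf, f->data + f->pos, n);
    f->pos += n;
    return n;
}

/* Stand-in for the socket: only counts the bytes handed to it. */
static size_t sent_total;
static void sock_send(const uint8_t *buf, size_t n) {
    (void)buf;
    sent_total += n;
}

/* The flawed pattern: one read, then send the entire buffer.
 * Bytes beyond the read length are uninitialised stack contents. */
static size_t serve_flawed(const uint8_t *data, size_t len) {
    uint8_t buf[CHUNK];
    mem_file f = { data, len, 0 };
    sent_total = 0;
    (void)mem_read(&f, buf, sizeof buf);   /* return value discarded */
    sock_send(buf, sizeof buf);            /* bug: sizeof buf, not bytes read */
    return sent_total;
}

/* Corrected: send only the bytes each read produced, until EOF. */
static size_t serve_fixed(const uint8_t *data, size_t len) {
    uint8_t buf[CHUNK];
    mem_file f = { data, len, 0 };
    sent_total = 0;
    for (;;) {
        size_t n = mem_read(&f, buf, sizeof buf);
        if (n == 0)
            break;
        sock_send(buf, n);
    }
    return sent_total;
}

/* Constructed sample larger than one chunk, to show the loop in the fixed path. */
static uint8_t sample_40k[40000];

int main(void) {
    const uint8_t small[] = "hello";
    printf("flawed, 5-byte file: sent %zu bytes\n", serve_flawed(small, 5));
    printf("fixed,  5-byte file: sent %zu bytes\n", serve_fixed(small, 5));
    printf("flawed, 40000-byte file: sent %zu bytes\n",
           serve_flawed(sample_40k, sizeof sample_40k));
    printf("fixed,  40000-byte file: sent %zu bytes\n",
           serve_fixed(sample_40k, sizeof sample_40k));
    return 0;
}
```

Note that the single-read pattern also truncates files larger than the buffer; the length-driven loop fixes both the over-send and the truncation with the same change.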
A use-after-free vulnerability in the Crow HTTP Framework owing to the input reader being agnostic to HTTP Pipelining (sending more than one HTTP request without waiting for a response on the same connection) and asynchronous workers tracking state expecting one request per connection.
The two null dereferences are pretty straightforward instances, the first being that when an error happens early on, a buffer is never assigned a value after the initial `NULL` assignment. In generic error handling code, it gets dereferenced on the assumption that the error happened after it had been set up...
Plenty of background regarding even getting to a place to start hunting for bugs on this printer, leading up to two heap-based overflows in `pjcc_act_checkUserPassword2`, and some discussion about exploiting the DryOS heap allocator.
The majority of this post goes into background on Fuchsia and exploiting a fake vulnerability, though there was one novel vulnerability that the author came across. To obtain a KASLR bypass, the author thought to try and gain access to the kernel log for any pointers that might be leaked...
On its own a pretty simple overflow. There exists a buffer for up to 32 elements to be read into, but the value that is used to determine how many elements to copy is not bounded and can be as high as 255...
Taking an unexpected reference to a `memoryview` object, resulting in a use-after-free when the parent of said object is destroyed. This is a rather low-impact bug, though, because it requires control over the code being executed, so one could just write an `os.system(...)` call or something similar...