There is an out-of-bounds access that stems from a mismatch between how the Huffman tables are parsed and how they are later used. While parsing the table, the function ensures that each identifier can only be between 0 and 3...
The first issue is an incorrect computation in Go impacting `go-ethereum`. It's an interesting case, because a base computation might lead to some issues but it usually isn't a security issue...
Misplaced trust in some extended attributes, using them to calculate an offset and leading to out-of-bounds read/write primitives; presumably exploitable since these were used at Pwn2Own. The `fruit_pread` function will read the `org.netatalk.Metadata` extended attribute, which an unauthenticated user can set...
A cool bug in H2O's QUIC implementation leading to disclosure of uninitialized memory. Stream data in HTTP/3 comes in an encoding similar to chunked encoding, including an offset in the chain, the data size and the data itself...
Once again, the use of user-mode callbacks in the Windows kernel enabled an attacker to change out the type of an object unexpectedly leading to a type confusion.
This was an interesting data-based attack, all because it was assumed there would be arguments in `argv`. A for-loop starts with `n=1`, looping until `n < argv`...
Two vulnerabilities in Zoom, a buffer overflow that affected Multi-Media Routers (MMR) servers and client, and an infoleak that only affected MMR servers. Both issues were found in various `load_from()` methods for serialization classes used in Real-time Transport Protocol (RTP) for audio/video content.
Use-after-free in the `ipc_port` subsystem of XNU, specifically the `ipc_port_copy_send()` function. This function would try to copy and send data on an IPC port, and attempts to account for a bunch of edge cases in the state of the port...
Kernel bug in KCodes' NetUSB kernel module, which is used by various network device vendors for routers and such. The vulnerability is in the `dispatchNormalEPMsgOut()` handler for an unlabelled command of `0x805f`...
Integer underflow in `fs_context.c`'s `legacy_parse_param()` function, which was introduced in v5.1. When bounds-checking the provided options length, they compare it with `system page size - 2 - context data size`...
The initial vulnerability here is an unbounded `sscanf` into a stack variable. In terms of discovery, just checking those format strings for unbounded string reads will find plenty of bugs out there in the world...
Basic idea is that the identifier pulled out of a message can point to a different handler between the initial check to redirect the message to the proper "sequence" and that sequence finding the proper endpoint/handler for it.