Race-condition use-after-free in the Linux kernel. The issue is that the `SO_PEERCRED` and `SO_PEERGROUPS` socket options don't take a reference on, or hold a lock around, `sk->sk_peer_cred` while copying it to userspace...
A use-after-free in `AddIceCandidate()`, used to add Interactive Connectivity Establishment (ICE) candidates when starting a WebRTC session. The problem is that it's possible to set up a `Promise` that calls `setLocalDescription()`, which marks part of the local description memory for collection by the garbage collector...
Three vulnerabilities in Qualcomm's Neural Processing Unit (NPU) driver. The article focuses specifically on Samsung devices because, for whatever reason, the NPU device is accessible to untrusted users there, whereas it isn't on most other devices.
Multiple bugs in the Microsoft RDP client (with a malicious server as the attacker) found through fuzzing. None of those covered at this time are very impactful, but there is some background on virtual channels within RDP and experience setting up a fuzzing environment that might be of value.
A relatively trivial heap overflow in the Transparent Inter-Process Communication (TIPC) module of the Linux kernel. The `crypto_key_rcv` function in the module takes a received packet and parses it for key data...
Multiple vulnerabilities in the `tzdemuxerservice` trusted application used by Samsung Smart TVs; five of the six issues share the same root cause. When a "normal world" application calls into the trusted execution environment (TEE), parameters can be passed either by value or by reference...
Gerbv stores `gerbv_aperture_t` structures in a fixed-size array but indexes it with an unrestricted integer, giving an out-of-bounds read and write. The array is indexed by the attacker-controlled value `tool_num`; while that value is checked against the array's MIN and MAX bounds, an out-of-bounds value only results in an error message, and the access still goes ahead.
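The "check that only complains" pattern above, as an added example that is not Gerbv's code: the structure layout, the table bounds, the `set_aperture_*` names and the canary placed after the table are all assumptions made here so the off-the-end write can be observed in a stand-alone program.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for gerbv_aperture_t; the real layout and the real
 * MIN/MAX constants are assumptions made for this example. */
typedef struct {
    int type;
    double parameter;
} aperture_t;

#define APERTURE_MIN 10
#define APERTURE_MAX 64

/* The fixed-size table with a canary placed directly after it, so that a
 * write to entries[APERTURE_MAX] lands on something we can inspect. */
struct aperture_table {
    aperture_t entries[APERTURE_MAX];
    unsigned int canary;
};

#define CANARY_OK 0xC0FFEEu

static void table_init(struct aperture_table *t) {
    memset(t, 0, sizeof *t);
    t->canary = CANARY_OK;
}

/* Vulnerable pattern: the range check only logs an error message and the
 * indexed write still happens with the attacker-controlled tool_num. */
static bool set_aperture_vulnerable(struct aperture_table *t, int tool_num, int type) {
    bool in_range = (tool_num >= APERTURE_MIN && tool_num < APERTURE_MAX);
    if (!in_range)
        fprintf(stderr, "error: aperture number %d out of range\n", tool_num);
    t->entries[tool_num].type = type;   /* out-of-bounds write when !in_range */
    return in_range;
}

/* Hardened: an out-of-range index is rejected before any access is made. */
static bool set_aperture_hardened(struct aperture_table *t, int tool_num, int type) {
    if (tool_num < APERTURE_MIN || tool_num >= APERTURE_MAX) {
        fprintf(stderr, "error: aperture number %d out of range\n", tool_num);
        return false;
    }
    t->entries[tool_num].type = type;
    return true;
}

/* True if nothing has been written past the end of the entries array. */
static bool canary_intact(const struct aperture_table *t) {
    return t->canary == CANARY_OK;
}

/* Drives both versions with an index one past the end of the table. Returns
 * true when the vulnerable version clobbers the canary and the hardened one
 * rejects the index and leaves it untouched. */
static bool demo(void) {
    volatile int oob_index = APERTURE_MAX;   /* volatile: keep the compiler from folding the index */
    struct aperture_table t;

    table_init(&t);
    set_aperture_vulnerable(&t, oob_index, 1);
    bool vuln_corrupted = !canary_intact(&t);

    table_init(&t);
    bool rejected = !set_aperture_hardened(&t, oob_index, 1);

    return vuln_corrupted && rejected && canary_intact(&t);
}
```

The point the hardened version makes is that logging is not a bounds check: the error path has to return (or clamp) before the index is used, otherwise the message is just a trace of the corruption that follows it.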
Heap overflow in the AMD GPU driver's debugfs write handler for DisplayPort test patterns. The driver allocates a 100-byte buffer to copy the written data into, but uses the write handler's caller-supplied size parameter for the actual copy...
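Both the TIPC `crypto_key_rcv` entry above and this debugfs handler are the same shape of bug: a copy length chosen by the peer (a key-length field in one case, the write size in the other) is used against a fixed-size heap buffer without being compared to either the buffer or the bytes actually received. The following is an added example and not the kernel's code; the 2-byte big-endian length header, the `key_buf` structure and the `parse_key_*` names are constructed for illustration and do not reflect the real TIPC message layout or the AMD debugfs interface.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed message format (an assumption for this example): a 2-byte
 * big-endian key length followed by that many key bytes. */
#define KEY_BUF_LEN 100   /* fixed-size destination, mirroring the 100-byte buffer above */

struct key_buf {
    uint8_t data[KEY_BUF_LEN];
    size_t used;
};

static size_t read_be16(const uint8_t *p) {
    return ((size_t)p[0] << 8) | p[1];
}

/* Vulnerable pattern: the copy length comes straight from the sender and is
 * never compared with the destination size or with the bytes received. */
static struct key_buf *parse_key_vulnerable(const uint8_t *msg, size_t msg_len) {
    if (msg_len < 2)
        return NULL;
    size_t keylen = read_be16(msg);
    struct key_buf *kb = calloc(1, sizeof *kb);
    if (!kb)
        return NULL;
    memcpy(kb->data, msg + 2, keylen);   /* heap overflow if keylen > KEY_BUF_LEN,
                                            over-read if keylen > msg_len - 2 */
    kb->used = keylen;
    return kb;
}

/* Hardened: bound keylen by what was actually received and by what the
 * destination can hold, before any memory is touched. */
static struct key_buf *parse_key_hardened(const uint8_t *msg, size_t msg_len) {
    if (msg_len < 2)
        return NULL;
    size_t keylen = read_be16(msg);
    if (keylen > msg_len - 2 || keylen > KEY_BUF_LEN)
        return NULL;
    struct key_buf *kb = calloc(1, sizeof *kb);
    if (!kb)
        return NULL;
    memcpy(kb->data, msg + 2, keylen);
    kb->used = keylen;
    return kb;
}

/* Builds a message whose header claims `declared` key bytes while `present`
 * bytes actually follow it. Returns the total message size, 0 if out_cap is too small. */
static size_t build_msg(uint8_t *out, size_t out_cap, size_t declared, size_t present) {
    if (out_cap < 2 + present)
        return 0;
    out[0] = (uint8_t)(declared >> 8);
    out[1] = (uint8_t)declared;
    memset(out + 2, 'K', present);   /* constructed key material */
    return 2 + present;
}

/* Number of key bytes the hardened parser accepted, or -1 if it rejected the message. */
static long hardened_accepts(size_t declared, size_t present) {
    uint8_t msg[2 + 512];
    size_t n = build_msg(msg, sizeof msg, declared, present);
    if (n == 0)
        return -1;
    struct key_buf *kb = parse_key_hardened(msg, n);
    if (!kb)
        return -1;
    long used = (long)kb->used;
    free(kb);
    return used;
}
```

The two comparisons in `parse_key_hardened` are independent and both are needed: the first prevents reading past the received message, the second prevents writing past the fixed buffer. For the debugfs case the equivalent of the second check is clamping the user-supplied count to the buffer size (minus a terminator, if the buffer is treated as a string) before the copy from userspace.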
Always a fun class of issue to see: the root cause is that a user-mode callback issued by the Windows kernel during `ResetDC` (reset device context) can unexpectedly tamper with device context data that the kernel assumes will remain stable.
Android's NFC stack uses `TCB` structures, assumed to stand for "task control blocks", to track tasks that come from the NFC controller. The NFC specification supports a variety of formats for different types of NFC tags, and the tag type has to be tracked in the control block...
Ignoring plenty of nuance, `tiocspgrp` (the TTY ioctl that sets the process group) would grab the wrong lock. Pseudoterminals (ptys) have a master and a slave side, both of which are controlled by userland and can have ioctls issued on them...
A logic bug was discovered in Chrome's garbage collector that could cause a use-after-free. The garbage collector (GC) is a monolithic and complex component of the browser, and some background knowledge is needed to appreciate the issue.
An amazingly simple issue as far as browser bugs go. The `removeFromFacesLookupTable` method of the `CSSFontFaceSet` class failed to properly check whether it had reached the end of the table when looking up a font...