Two logic bugs that cause memory corruption in the handling of TLS packets due to unhandled error / return values when using the nanoSSL library, and a higher level design flaw with the firmware update system.
We have [previously](https://dayzerosec.com/vulns/2022/03/02/linux-kernel-heap-out-of-bounds-write-in-nfdupnetdevc-since-54.html) covered this bug; it's an out-of-bounds access due to a broken assumption that every `dup` command has an associated immediate. When that assumption is broken by manually crafting netfilter rules, the `nft_fwd_dup_netdev_offload` function will perform an out-of-bounds access as it increments too far.
Out-of-bounds read in Chrome's PDFium engine in the `RequestThumbnail()` method. The `page_index` parameter is used to index into a vector of pages to call that page's `RequestThumbnail()` callback; however, the `page_index` isn't validated in production builds...
We have [previously discussed](https://dayzerosec.com/vulns/2021/09/29/iouring-vulnerability-resulting-in-freeing-wrong-kernel-buffer.html) this vulnerability, which provides a primitive to free adjacent memory.
A UAF in the Common Logging File System (CLFS). Some background is needed on how this custom filesystem works to provide context for the bug...
The vulnerability here is a straightforward case of reading a size from the attacker and using it in a `memcpy` into a fixed-size destination buffer on the stack.
The core problem is an integer truncation due to a difference in the size of the `long` primitive type between Windows and Linux systems. On Linux and BSD systems, `sizeof(long)` will return 8, but on Windows this value is 4...
This is one of those cases where assumptions about state are made that can be violated. In `nft_fwd_dup_netdev_offload`, when offloading a `dup` or `fwd` rule to hardware, the `num_actions` value is used to index the `actions` array and incremented...
Off-by-one issue in computing the `bits_required` value. This computation was performed with a while loop, right-shifting the value by 1 until it is zero; the number of shifts is the number of bits needed.