A neat vuln with an interesting impact in Mario Kart 8 Deluxe on the Switch.The game has a feature where players can create tournaments with their own ruleset, accessibility, dates it will run, etc...
The root of the issue is that XSLTC (turns XSLT into a Java Class to be executed for better performance) does not account for that fact that the `constant_pool_count` in a Java class is only 16bits. An attacker can create an XSLT document containing too many constants, all of which will be written to the class file, but the count will be truncated to 16bits, leading to some of those constants being interpreted as part of the classfile containing things like field and method descriptions for the class.
The problem starts in `remove_liquidity` where a contract can remove funds that they added. It will updated the `total_supply` and burn tokens, then in a loop for each coin it will decrement the `balances` and transfer them to the attacker's contract...
Facebook's SMS Captcha page would as you might expect, display a captcha, the user fills it out, and then it makes a POST request to the next page including the anti-CSRF token. The problem being that the next location was determined by the `next` url parameter which was entirely attacker controlled, and could be pointed to sensitive GraphQL endpoints.
At its core, a simple, yet odd Linux kernel issue, `__io_req_init_async` assumes that the new request (`req`) being submitted was submitted by its own worker, so it sets the `req->work.identity` to `current->io_uring`.
A couple integer overflows in the the Windows Kernel through the registry, the core problem being that a 16bit integer is used for the `Count` field storing the number of subkeys inside an index.Under normal circumstances, when adding new subkeys the registry will automatically divide itself so you won't have more than ~1000 subkeys, but you can import arbitrarily formatted indexes, using this you can craft one with 65535 keys...