**tl;dr** Android Parcels have their own memory pool rather than being free'd all the way back to the general Java memory pool. This custom memory management, combined with a bug resulting in a dangling reference in a Parcel to an older version of the parcel creates a "use-after-free" like situation
A post by project zero on a vuln in a new library used for DER entitlements.Entitlements are Apple's fine-grained permission system and essentially define what capabilities an app or service has...
A fairly complex exploit of a use-after-free in netfilter.The vuln is detailed more in other posts linked off by exodus, but effectively the bug is a lifetime issue with netfilter sets that don't have the `NFT_EXPR_STATEFUL` flag set but contain a reference to another set (such as `lookup` and `dynset` expressions)...
An out-of-bounds read/write in FreeBSD's bhyve hypervisor.The vulnerability here is in the E82545 gigabit ethernet controller's emulator, specifically `e82545_transmit()`...
A total of either issues impacting various companies in the automotive industry, mix of issues from simple SQL injection to some interesting Single Sign On (SSO) implementation decisions.
Excellent post covering three vulnerabilities in Huawei's Secure Monitor used to proxy/transition requests from the "normal world" usually from the hypervisor or kernel into the secure world.
A post on exploiting a bug that Jann Horn discovered in the linux kernel's memory management (MM) subsystem.The bug isn't detailed in this post and is fairly complex (there is a project zero bug report but it's difficult to understand without deep knowledge of MM internals), though they state it will be written up in a future blogpost...
Great documentation of the process finding a WAF process, building up the final payload bit by bit.
Two parts to the post the vulnerability is a simple SQL injection, URL data winds up in the query.Nothing too special there...
An email normalization issue allowing for remote control of a vehicle.