The key vulnerability discovered is a relative heap out-of-bounds write in the parsing of MDL files within CS:GO.
A very powerful bug in the `io_uring` subsystem of the Linux kernel. In this case, the vulnerability is in the handling of registering fixed buffers via the `IORING_REGISTER_BUFFERS` opcode, which allows an application to 'pin' and register memory for long-term use, which includes making it exempt from paging mechanics...
What happens when you don't properly validate OAuth access tokens? Account takeovers.
An object type confusion was discovered in the Microsoft Kernel Streaming Server (`mskssrv.sys`), which is used for virtualizing camera devices and allowing multiple applications to access camera streams. The driver uses two main object types for allowing userspace to acquire a context and send/receive data, a `context` and a `stream`...
Post from Man Yue Mo at GitHub Security Lab on an RCE in Chrome due to a bug in Chrome's JIT compiler (TurboFan). As a bit of background, modern browsers will often compile code/functions that are deemed 'hot paths' (i.e. executed frequently)...
I thought this was an excellent post when it came to explaining the exploitation strategy, and as it dealt with encrypted pointers the exploitation was pretty cool to see documented. However, I did have some problems following the actual vulnerability details.
Three hard-to-exploit (beyond denial of service) out-of-bounds read vulnerabilities in MIT Kerberos V5, but each with a bit of an interesting cause.
Effectively, a double-fetch vulnerability in an Intel SMM SMI handler that could allow a local attacker to escalate into System Management Mode. It receives a `CommBuffer` that contains a `Data` pointer and a size value...
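As an added illustration of the double-fetch pattern (constructed model code, not the Intel handler from the post), the vulnerable handler below validates the `Size` field of a caller-controlled communication buffer and then re-reads it from the same shared memory when copying, while the hardened variant snapshots the header into SMM-private storage and only ever uses the copy. The `race` callback stands in for a second core rewriting the buffer between check and use; the struct and function names, `TRUSTED_MAX` and the scratch buffer are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of an SMI handler reading a caller-supplied comm buffer.
 * Names (comm_buffer, Data, Size, TRUSTED_MAX) are assumptions for the example. */

#define TRUSTED_MAX   64     /* the most the handler is designed to copy */
#define SCRATCH_SIZE  4096   /* oversized so the model never corrupts memory */

struct comm_buffer {
    uint8_t  *Data;          /* pointer supplied by the less-privileged caller */
    uint32_t  Size;          /* size supplied by the caller */
};

/* Stand-in for another core mutating the shared buffer mid-handler. */
typedef void (*race_fn)(volatile struct comm_buffer *cb);
typedef int  (*handler_fn)(volatile struct comm_buffer *cb, race_fn race);

static uint8_t scratch[SCRATCH_SIZE];

/* Vulnerable: Size is fetched from shared memory twice. Returns bytes copied, -1 if rejected. */
int handler_double_fetch(volatile struct comm_buffer *cb, race_fn race)
{
    if (cb->Size > TRUSTED_MAX)             /* first fetch: validated */
        return -1;
    if (race) race(cb);                     /* window in which the caller changes Size */
    uint32_t n = cb->Size;                  /* second fetch: unvalidated */
    if (n > SCRATCH_SIZE) n = SCRATCH_SIZE; /* cap keeps the model memory-safe; the bug has none */
    memcpy(scratch, (const void *)cb->Data, n);
    return (int)n;
}

/* Hardened: copy the header once into private memory, validate that copy, use only that copy. */
int handler_single_fetch(volatile struct comm_buffer *cb, race_fn race)
{
    struct comm_buffer local;
    local.Data = cb->Data;                  /* one fetch of each field */
    local.Size = cb->Size;
    if (local.Size > TRUSTED_MAX)
        return -1;
    if (race) race(cb);                     /* caller may still race; the handler no longer reads cb */
    memcpy(scratch, local.Data, local.Size);
    return (int)local.Size;
}

/* Constructed attacker: grows Size well past the trusted limit after the check. */
void attacker_grows_size(volatile struct comm_buffer *cb)
{
    cb->Size = 512;
}

/* Runs one handler against a comm buffer with the given initial Size and returns its result. */
int run_scenario(handler_fn handler, race_fn race, uint32_t initial_size)
{
    static uint8_t caller_data[1024];
    memset(caller_data, 0x41, sizeof caller_data);
    struct comm_buffer cb = { .Data = caller_data, .Size = initial_size };
    return handler(&cb, race);
}

int main(void)
{
    printf("double fetch, no race:   %d\n", run_scenario(handler_double_fetch, NULL, 16));
    printf("double fetch, raced:     %d\n", run_scenario(handler_double_fetch, attacker_grows_size, 16));
    printf("single fetch, raced:     %d\n", run_scenario(handler_single_fetch, attacker_grows_size, 16));
    printf("single fetch, oversized: %d\n", run_scenario(handler_single_fetch, NULL, 100));
    return 0;
}
```

The raced double-fetch copies 512 bytes despite a 64-byte limit; the single-fetch version copies the 16 it validated. In a real SMI handler the `Data` pointer needs the same treatment plus a check that the pointed-to range lies outside SMRAM, otherwise the caller can aim the copy at SMM's own memory.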
A 19-year-old bug in XNU's Data Link Interface Layer (DLIL) that led to an out-of-bounds write on the heap. The root cause is that `ifnet_attach()` gets the next interface `index` as a 32-bit integer and downcasts it to a `uint16_t` when saving the index...
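As an added illustration of that narrowing (constructed model code, not XNU's `ifnet_attach()`), the model below hands out a 32-bit index from a monotonically increasing counter and stores it in a 16-bit field. It shows the first index at which the stored copy stops matching the allocated value, and a checked attach that refuses rather than aliases. The `if_allocator` and `ifnet_model` types and the `attach_*` helpers are assumptions for the example; only `if_index` is borrowed from the post.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model: a 32-bit index allocator feeding a 16-bit storage field.
 * Type and function names are assumptions, not XNU identifiers. */

struct if_allocator {
    uint32_t next_index;        /* monotonically increasing, never reused */
};

struct ifnet_model {
    uint16_t if_index;          /* the narrowed copy of the allocated index */
};

/* Vulnerable pattern: take the 32-bit value and silently store it in 16 bits. */
uint16_t attach_unchecked(struct if_allocator *a, struct ifnet_model *ifp)
{
    uint32_t idx = a->next_index++;
    ifp->if_index = (uint16_t)idx;      /* high 16 bits discarded here */
    return ifp->if_index;
}

/* Hardened pattern: refuse to attach once the index no longer fits the field. */
int attach_checked(struct if_allocator *a, struct ifnet_model *ifp)
{
    if (a->next_index > UINT16_MAX)
        return -1;                      /* fail instead of aliasing an earlier interface */
    ifp->if_index = (uint16_t)a->next_index++;
    return 0;
}

/* Walks the allocator from index 1 and reports the first 32-bit index whose
 * 16-bit copy differs from it; every interface after it aliases an earlier index. */
uint32_t first_truncated_index(void)
{
    struct if_allocator a = { .next_index = 1 };
    struct ifnet_model ifp;
    for (;;) {
        uint32_t full = a.next_index;
        if (attach_unchecked(&a, &ifp) != full)
            return full;
    }
}

/* Convenience wrappers: what each attach variant does for a given counter value. */
uint16_t narrowed_index_at(uint32_t start)
{
    struct if_allocator a = { .next_index = start };
    struct ifnet_model ifp;
    return attach_unchecked(&a, &ifp);
}

int checked_attach_result_at(uint32_t start)
{
    struct if_allocator a = { .next_index = start };
    struct ifnet_model ifp;
    return attach_checked(&a, &ifp);
}

int main(void)
{
    printf("first index that no longer fits uint16_t: %u\n", first_truncated_index());
    printf("index 70000 stored as: %u\n", narrowed_index_at(70000));
    printf("checked attach at 65535: %d, at 65536: %d\n",
           checked_attach_result_at(65535), checked_attach_result_at(65536));
    return 0;
}
```

The unchecked attach stores index 65536 as 0 and 70000 as 4464, so two live interfaces end up sharing a 16-bit index; reaching that point requires attaching more than 65535 interfaces over the system's lifetime, which is one reason such a narrowing can sit unnoticed for years.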
Out of bounds read in `cmark-gfm` due to a lack of bounds check in `validate_protocol`.