The Mediatek wlan driver on Android has several files exposed under the `/proc` virtual filesystem. Some of these read handlers do not check the caller-provided buffer size before copying data out into the user buffer...
Qualys at it again this time with a skipped initialization code path leading to a small allocation and a buffer overflow deep in glibc's `syslog`.
The vulnerability in the `__io_uaddr_map()` function of the Linux kernel involves the incorrect handling of multi-page regions imported from userspace. This function is intended to map a physically contiguous region of memory from userspace into the kernel's linear mapping area...
A fun but simple buffer overflow in Factorio. When loading save files, the game will load a `PropertyTree` from the file...
What happens when you don't properly validate OAuth access tokens? Account takeovers.
A buffer overflow vulnerability was introduced in a 2021 patch to glibc's dynamic loader when processing `GLIBC_TUNABLES` environment variables. Tunables are basically configuration settings of the runtime that can be set via key/value pairs in the form of `key=val`...
A rather complex bug to trigger that was found being exploited in the wild against libwebp's VP8L compression and was reachable through an iMessage.
A bit of an unexpected fault in GCC's `-fstack-protector` implementation that meant that the saved return address wasn't actually protected by the stack-protector on AArch64 in some cases.
A pretty classic string escaping bug in GhostScript. One common and buggy edge case when escaping characters in a buffer is to not properly account for escapes that happen at the very limit of the destination buffer. As was the case here, despite checking that the limit of the buffer was not reached on every iteration, when a character was found that should be escaped, it would write to the destination buffer twice: first with the escape character (`0x01`) and then again with an XOR'd version of the character to be escaped...
A fun bug, likely stemming from misunderstanding the return value of an `snprintf` call. Unfortunately (for us, good for security) it only seems to be useful for a denial of service attack.