One vulnerability a use-after-free in the Linux nftable subsystem, exploitable on the three kernelCTF targets: latest Long-term Stable (LTS) release, Container-optimized build as used by Google Cloud, and a Mitigation build that isn't as up-to-date but includes experimentation mitigations to be bypassed.
This was a fun authorization check bypass because when checking if higher privileges were needed the `flag` value was checked for equality with the two privileged actions.Later on however, when deciding what handler to use to handle to request, it used a bitwise operation to check if the specific bit is set...
Yet another case of bad syncronization or just performing operations in the wrong order.IIn this case `ene_remove` called when removing the device, will remove its internal allocations and everything before it actually unregisters the device...
A fairly complex exploit of a use-after-free in netfilter.The vuln is detailed more in other posts linked off by exodus, but effectively the bug is a lifetime issue with netfilter sets that don't have the `NFT_EXPR_STATEFUL` flag set but contain a reference to another set (such as `lookup` and `dynset` expressions)...
A post on exploiting a bug that Jann Horn discovered in the linux kernel's memory management (MM) subsystem.The bug isn't detailed in this post and is fairly complex (there is a project zero bug report but it's difficult to understand without deep knowledge of MM internals), though they state it will be written up in a future blogpost...
An in-the-wild exploit chain was discovered that exploits three vulnerabilities in Samsung exynos devices running kernel 4.14.113. It consisted of one userland exploit in Samsung's custom clipboard provider, a kernel infoleak through their `sec_log` functionality, and finally a UAF in the Display Processing Unit (DPU) driver.
Callbacks can be tricky in memory-unsafe languages, here we have the Chrome Account Selection feature creating an image view and an image fetcher. Sets up a callback function to be called once the account's image has been fetched and passes in the raw pointer to the created image_view, the problem being that the image view may be destroyed before the callback happens.
Multiple memory corruptions in Microsoft Edge browser, there are several issues here but they all generally can be summed up as "self-corruptions".Its things like a use-after-free by opening a dialog, closing the backing page that spawned the dialog, and then closing the dialog triggering a callback that no longer exists...
A use-after-free vulnerability in the Crow HTTP Framework owing to the input reader being agnostic to HTTP Pipelining (sending more than one HTTP request without waiting for a response on the same connection) and asynchronous workers tracking state expecting one request per connection.