The straightforward version is two Out-Of-Bounds accesses when reading and writing the `Driver feature set`. A guest-provided value is stored and then used as an array index without any validation, in both `PciVirtIOWriteMM` and `PciVirtIOReadMM`, giving relative read and write primitives.
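The pattern described above, as an added example that is not VirtualBox's code: a hypothetical device model stores a guest-written selector register and later uses it to index a two-word feature array. All struct and register names (`virtio_dev`, `driver_feature_sel`, the `REG_*` offsets) are assumptions for illustration. The unchecked handler is shown beside a hardened one that validates the selector at the point of use, and a helper computes, with plain integer arithmetic, how far past the array an unchecked selector would reach.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical device state; names are assumptions, not VirtualBox's. */
struct virtio_dev {
    uint32_t driver_feature_sel;   /* guest-written selector register */
    uint32_t driver_features[2];   /* 64 feature bits as two 32-bit words */
    uint8_t  private_state[64];    /* other emulator state behind the array */
};

/* Register offsets are assumed for the example. */
enum { REG_DRIVER_FEATURE_SEL = 0x08, REG_DRIVER_FEATURE = 0x0C };

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Vulnerable shape: the guest's selector is stored and later used as an
 * array index with no validation, so any selector >= 2 writes past the
 * array at a guest-chosen offset (a relative write primitive). */
int mmio_write_vuln(struct virtio_dev *d, uint32_t reg, uint32_t val)
{
    switch (reg) {
    case REG_DRIVER_FEATURE_SEL:
        d->driver_feature_sel = val;                       /* no range check */
        return 0;
    case REG_DRIVER_FEATURE:
        d->driver_features[d->driver_feature_sel] = val;   /* OOB for sel >= 2 */
        return 0;
    }
    return -1;
}

/* Byte offset from the start of the struct that the unchecked index would
 * touch, computed as integers so the demonstration stays well-defined. */
size_t vuln_access_offset(uint32_t sel)
{
    return offsetof(struct virtio_dev, driver_features) + (size_t)sel * sizeof(uint32_t);
}

/* Hardened: validate at the point of use (the selector register can be
 * rewritten at any time) and refuse out-of-range selectors. */
int mmio_write_fixed(struct virtio_dev *d, uint32_t reg, uint32_t val)
{
    switch (reg) {
    case REG_DRIVER_FEATURE_SEL:
        d->driver_feature_sel = val;
        return 0;
    case REG_DRIVER_FEATURE:
        if (d->driver_feature_sel >= ARRAY_SIZE(d->driver_features))
            return -1;                                     /* reject, don't index */
        d->driver_features[d->driver_feature_sel] = val;
        return 0;
    }
    return -1;
}

int mmio_read_fixed(struct virtio_dev *d, uint32_t reg, uint32_t *out)
{
    switch (reg) {
    case REG_DRIVER_FEATURE_SEL:
        *out = d->driver_feature_sel;
        return 0;
    case REG_DRIVER_FEATURE:
        if (d->driver_feature_sel >= ARRAY_SIZE(d->driver_features)) {
            *out = 0;                                      /* unknown word reads as 0 */
            return -1;
        }
        *out = d->driver_features[d->driver_feature_sel];
        return 0;
    }
    return -1;
}
```

Note that the check belongs in both the read and the write path: validating only when the selector is stored is not enough if any other path can change it, and silently clamping would let the guest probe which indices the host accepts.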
A Use-After-Free in Android's ION allocator, which the kernel uses for DMA buffers that can be shared across user, kernel and device boundaries. The issue starts from the `DMA_BUF_IOCTL_SYNC` ioctl exposed through the buffer's file descriptor; this ioctl can arbitrarily increment or decrement the reference counter for the shared buffer...
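A model of the refcount problem described above, as an added example that is not ION's or dma-buf's code: a buffer with a reference count is shared by two users, and a per-fd sync ioctl takes a reference on `START` and drops one on `END`. The struct names, the `SYNC_START`/`SYNC_END` flags and the scenario are assumptions for illustration. The vulnerable handler has nothing tying `END` to a prior `START`, so a process can drop references it never took and free the buffer out from under the other user; the hardened handler tracks outstanding syncs per fd and refuses an unbalanced `END`.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdbool.h>

/* Hypothetical model; names and flags are assumptions, not the kernel's. */
enum { SYNC_START = 1, SYNC_END = 2 };

struct dma_buffer {
    int      refcount;       /* buffer is released when this reaches 0 */
    bool     freed;
    uint8_t *data;
};

struct fd_handle {
    struct dma_buffer *buf;
    int outstanding_syncs;   /* START calls on this fd not yet matched by END */
};

static void buffer_put(struct dma_buffer *b)
{
    if (--b->refcount == 0) {
        b->freed = true;
        free(b->data);
        b->data = NULL;
    }
}

/* Vulnerable shape: START takes a reference and END drops one, but nothing
 * ties the two together, so repeated END calls walk the refcount to zero
 * while another user still has the buffer mapped. */
int sync_ioctl_vuln(struct fd_handle *h, int flags)
{
    if (flags == SYNC_START) { h->buf->refcount++; return 0; }
    if (flags == SYNC_END)   { buffer_put(h->buf);  return 0; }
    return -1;
}

/* Hardened shape: END is only honoured when this fd holds an unmatched
 * START, so an fd can never release more references than it acquired. */
int sync_ioctl_fixed(struct fd_handle *h, int flags)
{
    if (flags == SYNC_START) {
        h->buf->refcount++;
        h->outstanding_syncs++;
        return 0;
    }
    if (flags == SYNC_END) {
        if (h->outstanding_syncs == 0)
            return -1;                       /* unbalanced END: reject, no put */
        h->outstanding_syncs--;
        buffer_put(h->buf);
        return 0;
    }
    return -1;
}

/* Scenario (constructed): buffer shared by two users, refcount 2. The
 * attacker's fd issues END twice without any START. */
bool demo_vuln_frees_shared_buffer(void)
{
    struct dma_buffer b = { .refcount = 2, .freed = false, .data = calloc(1, 16) };
    struct fd_handle h = { .buf = &b, .outstanding_syncs = 0 };
    sync_ioctl_vuln(&h, SYNC_END);
    sync_ioctl_vuln(&h, SYNC_END);
    return b.freed;   /* true: the other user now holds a dangling mapping */
}

bool demo_fixed_rejects_unbalanced_end(void)
{
    struct dma_buffer b = { .refcount = 2, .freed = false, .data = calloc(1, 16) };
    struct fd_handle h = { .buf = &b, .outstanding_syncs = 0 };
    int rc1 = sync_ioctl_fixed(&h, SYNC_END);
    int rc2 = sync_ioctl_fixed(&h, SYNC_END);
    bool ok = (rc1 == -1) && (rc2 == -1) && !b.freed && b.refcount == 2;
    free(b.data);
    return ok;
}

/* A balanced START/END pair on the fixed path must leave the count unchanged. */
bool demo_fixed_balanced_pair(void)
{
    struct dma_buffer b = { .refcount = 1, .freed = false, .data = calloc(1, 16) };
    struct fd_handle h = { .buf = &b, .outstanding_syncs = 0 };
    bool ok = sync_ioctl_fixed(&h, SYNC_START) == 0 && b.refcount == 2
           && sync_ioctl_fixed(&h, SYNC_END) == 0 && b.refcount == 1 && !b.freed;
    free(b.data);
    return ok;
}
```

The general lesson is that a get/put pair exposed as two separate user-controlled operations is only safe if the kernel, not the caller, keeps them balanced; the per-fd counter here is one way to do that, and tearing down outstanding syncs on fd close would complete it.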
An interesting primitive in `io_uring` resulting in the ability to free adjacent kernel buffers.
Four vulnerabilities related to XPC services either not sufficiently checking application entitlements leading to disclosure of sensitive information
Thirteen distinct vulnerabilities in Apache Dubbo related to insecure deserialization, and an excellent look at using CodeQL to assist manual vulnerability research and attack surface discovery. A lot of the interesting points in this post are about the discovery of new attack surface rather than the vulnerabilities themselves.
These are five issues that enabled file writes outside of the expected directory when NPM was unpacking an archive using the `node-tar` library.
The AWS WorkSpaces desktop application registers a custom URI scheme on the host system and does not properly sanitize its parameters, leading to argument injection. As the WorkSpaces client is based on the Chromium Embedded Framework, the debugging argument `--gpu-launcher` can be used to run arbitrary commands.
This Talos report covers a non-trivial issue where a pointer to a stack object is used after it has gone out of scope when invoking JS bindings, which Nitro Pro PDF provides to document creators for automating aspects of the document. When one of these bindings needs to be executed by the SpiderMonkey library, the `js32u.dll!js_Invoke` function is used to create stack space and push a `JSStackFrame` object to be used by the invoked binding...
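The bug class described above, as an added example modelled on the summary rather than Nitro's or SpiderMonkey's actual code: a hypothetical interpreter context publishes the current frame through `cx->fp`, and the invoking function builds that frame as one of its own locals. The names (`frame`, `context`, `invoke_vuln`, `invoke_fixed`, `native_argc`) are assumptions. In the vulnerable shape the frame's address outlives the invoker's activation, so anything that consults `cx->fp` afterwards reads a dead stack slot; the hardened shape keeps frames in storage the context owns and restores `cx->fp` on every exit path.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical interpreter frame and context; names are assumptions. */
struct frame {
    struct frame *down;     /* caller's frame */
    int           argc;
    int           slot[4];  /* locals */
};

struct context {
    struct frame *fp;       /* current frame, consulted by native bindings */
};

typedef int (*native_fn)(struct context *cx);

/* Vulnerable shape: the frame is a local of the invoker, its address is
 * published through cx->fp, and cx->fp is never restored. After this
 * function returns, cx->fp points into a stack region that the next call
 * will reuse, so any later use of it is a use-after-scope. */
int invoke_vuln(struct context *cx, native_fn fn, int argc)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.down = cx->fp;
    f.argc = argc;
    cx->fp = &f;            /* pointer to a local escapes here */
    return fn(cx);          /* cx->fp still references f on return */
}

/* Hardened shape: frames live in storage the context owns (heap here), and
 * the invoker unlinks its frame before that storage goes away. */
int invoke_fixed(struct context *cx, native_fn fn, int argc)
{
    struct frame *f = calloc(1, sizeof *f);
    if (!f)
        return -1;
    f->down = cx->fp;
    f->argc = argc;
    cx->fp = f;
    int rc = fn(cx);
    cx->fp = f->down;       /* restore before free; no caller sees a dead frame */
    free(f);
    return rc;
}

/* A native binding that reads its argument count from the current frame. */
static int native_argc(struct context *cx)
{
    return cx->fp ? cx->fp->argc : -1;
}

/* A nested call: the binding invokes another binding through the same
 * machinery, which must see its own frame and then hand back the outer one. */
static int native_nested(struct context *cx)
{
    int outer = cx->fp->argc;
    int inner = invoke_fixed(cx, native_argc, outer + 10);
    return cx->fp->argc == outer ? inner : -1;
}

/* After a fixed invoke the context is back at the prior frame. */
int demo_fixed_restores_fp(void)
{
    struct context cx = { .fp = NULL };
    int rc = invoke_fixed(&cx, native_argc, 3);
    return rc == 3 && cx.fp == NULL;
}

int demo_fixed_nested_frames(void)
{
    struct context cx = { .fp = NULL };
    int rc = invoke_fixed(&cx, native_nested, 5);
    return rc == 15 && cx.fp == NULL;
}
```

`invoke_vuln` is deliberately never called after its frame dies: under a sanitizer build with stack-use-after-return detection, dereferencing `cx->fp` after it returns is exactly the report this class of bug produces. Heap allocation is one fix; a context-owned frame arena with an explicit pop is the usual alternative, and the important part in both is the restore on every exit path.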
This post covers an infoleak in the Security Monitor of Microsoft's Azure Sphere, a Linux-based operating system for IoT devices. They focus on the `SMSyscallPeripheralAcquire` system call, which is used to switch the mux mode of a given pin, and change the layout of how the pins are configured...
It's hard to even call this one a vulnerability: the driver developers simply expose some kernel primitives directly to userland, nothing crazy needed. The driver supporting the HP OMEN Gaming Hub software directly exposes several privileged instructions through IOCTLs...