**tl;dr** Android Parcels have their own memory pool rather than being freed all the way back to the general Java memory pool. This custom memory management, combined with a bug that leaves a dangling reference in a Parcel to an older version of the parcel, creates a "use-after-free"-like situation.
A post by Project Zero on a vuln in a new library used for DER entitlements. Entitlements are Apple's fine-grained permission system and essentially define what capabilities an app or service has...
An out-of-bounds read/write in FreeBSD's bhyve hypervisor. The vulnerability here is in the E82545 gigabit ethernet controller's emulator, specifically `e82545_transmit()`...
A total of eight issues impacting various companies in the automotive industry, a mix ranging from simple SQL injection to some interesting Single Sign On (SSO) implementation decisions.
Excellent post covering three vulnerabilities in Huawei's Secure Monitor, which is used to proxy/transition requests from the "normal world" (usually from the hypervisor or kernel) into the secure world.
An email normalization issue allowing for remote control of a vehicle.
The core vulnerability here is a case where a DOM clobbering attack could be used to hijack a service worker.
The `username`, `from_name` and `password` fields of the SMTP server configuration accept new-line characters that will be printed directly into the resulting configuration file. Using this it is possible to include configuration parameters that are not normally exposed...
A number of bugs in Tailscale leading to an RCE chain.
A timing-based side-channel in the `CHECK_DATA` Device Configuration Data could allow the value of memory to be disclosed and read even when reading was disabled.