NetUSB RCE Flaw in Millions of End User Routers [CVE-2021-45608]

We discussed this vulnerability during Episode 114 on 25 January 2022

Kernel bug in KCodes’ NetUSB kernel module, which various network device vendors ship in routers and similar products. The vulnerability is in the dispatchNormalEPMsgOut() handler for an unnamed command, 0x805f. A user-supplied size is read from the socket and 0x11 is added to it to compute the length of a heap buffer allocated with kmalloc(). That addition can be integer-overflowed so that a tiny buffer is allocated (it lands in kmalloc-32), while the unadjusted size is still used for the copy, giving a heap overflow. The overflow is also reasonably controlled: you do have to pass a huge size to make the addition wrap, but in practice the copy only consumes as much data as is actually received on the socket, so the attacker decides how far past the buffer the write goes.
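The arithmetic behind the bug, as an added user-space model written for this page (it is not KCodes’ code and does not reproduce the NetUSB handler). It assumes, beyond what the summary states, that the size field is 32 bits, that the smallest kmalloc slab on the affected devices is 32 bytes, and that the copy writes from the start of the allocation; slab rounding is simplified to power-of-two buckets. The unchecked function shows the wrap, the checked one is the fix a reviewer would ask for, and overflow_bytes() shows why the amount written past the object is bounded by what the attacker actually sends.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not KCodes' code: a user-space model of the
 * "user size + 0x11 -> kmalloc()" pattern described above.
 * Assumptions (not stated on the page): 32-bit size field, a 32-byte
 * smallest kmalloc slab, and a copy that starts at offset 0 of the object. */

#define HDR_LEN  0x11u   /* bytes added to the user-supplied size */
#define MIN_SLAB 32u     /* assumed smallest kmalloc slab (kmalloc-32) */

/* Vulnerable arithmetic: the addition wraps modulo 2^32, so a size near
 * 0xffffffff yields an allocation length of only 0..0x10 bytes. */
uint32_t alloc_len_unchecked(uint32_t user_size)
{
    return user_size + HDR_LEN;
}

/* Hardened variant: returns the header-adjusted length, or -1 if the
 * addition would wrap, so the buffer can never be smaller than the
 * data the handler is about to copy into it. */
int64_t alloc_len_checked(uint32_t user_size)
{
    if (user_size > UINT32_MAX - HDR_LEN)
        return -1;                       /* would overflow: reject */
    return (int64_t)user_size + HDR_LEN;
}

/* Simplified kmalloc size-class rounding: power-of-two buckets with a
 * 32-byte floor (real kernels also have 96/192-byte classes, and
 * kmalloc(0) returns ZERO_SIZE_PTR rather than an object). */
uint32_t slab_size(uint32_t n)
{
    uint32_t s = MIN_SLAB;
    while (s < n)
        s <<= 1;
    return s;
}

/* Bytes written past the end of the slab object. The copy length is the
 * unadjusted user_size, but the socket only delivers recv_len bytes, so
 * that is what actually lands in memory: the attacker picks the overflow
 * length by picking how much to send. */
uint32_t overflow_bytes(uint32_t user_size, uint32_t recv_len)
{
    uint32_t obj = slab_size(alloc_len_unchecked(user_size));
    uint32_t copied = user_size < recv_len ? user_size : recv_len;
    return copied > obj ? copied - obj : 0;
}

int main(void)
{
    uint32_t big = 0xffffffffu;          /* attacker-chosen size that wraps */

    printf("size 0x%x + 0x11 -> kmalloc(%u) -> %u-byte object\n",
           big, alloc_len_unchecked(big), slab_size(alloc_len_unchecked(big)));
    printf("sending 96 bytes overflows the object by %u bytes\n",
           overflow_bytes(big, 96));
    printf("checked allocator result for 0x%x: %lld\n",
           big, (long long)alloc_len_checked(big));
    printf("checked allocator result for 100: %lld\n",
           (long long)alloc_len_checked(100));
    return 0;
}
```

With a 32-bit size the wrapped length is at most 0x10, so every wrapping size falls into the smallest slab; the overflow length is then simply the bytes sent minus the object size, which is what makes the primitive tidy to work with.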