Multiple Accel-PPP Buffer Overflows due to Unchecked memcpy size

We discussed this vulnerability during Episode 144 on 10 May 2022

Multiple memory corruption bugs in Accel-PPP, an open-source VPN server. These bugs all follow the same basic flawed logic: a length is read from an attacker-controlled buffer, and then that many bytes are copied from the buffer into an awaiting structure. Because the length is never checked against the size of the destination, it's possible to overflow the destination buffers.
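The flawed pattern described above, shown beside a checked version, as an added illustration rather than code from Accel-PPP; the option layout (type byte, length byte, value) and the `opt_record` struct are hypothetical:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical fixed-size record an option value is copied into
 * (not Accel-PPP's real structure). */
#define OPT_VALUE_MAX 16
struct opt_record {
    uint8_t type;
    uint8_t len;
    uint8_t value[OPT_VALUE_MAX];
};

/* Bug shape from the post: the length byte comes straight from the packet and is
 * handed to memcpy without being compared against the destination size (it is
 * not checked against the packet length either, so it can also over-read). */
int parse_option_unchecked(const uint8_t *pkt, size_t pkt_len, struct opt_record *out)
{
    if (pkt_len < 2) return -1;
    out->type = pkt[0];
    out->len = pkt[1];
    memcpy(out->value, pkt + 2, out->len);  /* BUG: len may exceed OPT_VALUE_MAX */
    return 0;
}

/* Hardened form: validate the attacker-supplied length against both what the
 * packet actually carries and what the destination can hold before copying. */
int parse_option_checked(const uint8_t *pkt, size_t pkt_len, struct opt_record *out)
{
    if (pkt_len < 2) return -1;
    uint8_t len = pkt[1];
    if (len > OPT_VALUE_MAX) return -2;        /* destination too small */
    if ((size_t)len > pkt_len - 2) return -3;  /* packet shorter than it claims */
    out->type = pkt[0];
    out->len = len;
    memset(out->value, 0, OPT_VALUE_MAX);
    memcpy(out->value, pkt + 2, len);
    return 0;
}

int main(void)
{
    /* Constructed sample: claims 255 value bytes but carries only one. */
    const uint8_t oversized[] = { 0x01, 0xff, 'x' };
    struct opt_record rec;
    printf("checked parser result: %d\n", parse_option_checked(oversized, sizeof oversized, &rec));
    return 0;
}
```

The unchecked variant is kept only to show the shape the text describes; only the checked parser is safe to run on untrusted input.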

There is also some interesting insight into the author's process for crafting the CodeQL queries that originally found these bugs, along with some of the limitations of CodeQL's taint tracking.