PowerVR has a security issue where a writability check in PMRMMapPMR() does not clear VM_MAYWRITE.
3c6be466dbc5e6f19541750720a0f82bfbd11613fafa5557f44c1df26aa893b2The Windows Kernel suffers from a subkey list use-after-free vulnerability due to a mishandling of partial success in CmpAddSubKeyEx.
371f9505662bb6a768bb624f24a62e46fef4ad9feab889c6189fe75092e31989PowerVR has an issue where DevmemIntUnexportCtx destroys export before unlinking it, leading to a use-after-free condition.
6f9202099fe090be7419d76b62ea9327f8db8be77898b1207baaaa4a3a3cd10eLinux versions starting with 6.5 suffer from a read-after-type-change of folio in cachestat() that leads to a kernel pointer leak.
9ed32c7cf46a882e510759c307e0ac2758225c4d00df31c8c83be548a01fd482There is a memory corruption issue in the MFC media processing core on the Pixel 7. It occurs when decoding a malformed H264 stream in Chrome, likely to due to an out of bounds quantization parameter. A write to plane 0 that occurs during macroblock decoding extends past the allocated bounds of the plane, and can overwrite the motion vector (MV) buffer or cause a crash if the adjacent address is unmapped. Both of these allocations are DMA buffers and it is unclear whether this condition is exploitable.
03533e71b8963179a0ae3ad68550b9e5e705a79dd75292d232b287f1c47b89f6PowerVR has an issue where the RGXCreateZSBufferKM2 error path frees object while on list.
b77c7757a3ce5ef36d49453304cff99bfbbd56c1ff428ecdf3cd2b4c3033e628There is an integer overflow in dav1d when decoding an AV1 video with large width/height. The integer overflow may result in an out-of-bounds write.
258b775b05e2d4378551ee4e66e5c90a5df4e7d9ef5dc5c37abec0ba66db8a8eIn the tgnet library used in Telegram messenger for Android, there is a use-after-free vulnerability in Connection::onReceivedData that can be triggered remotely.
bca6a67a76c752f1ecdcd8907312e1eb9daa4808f56fcf845f91420c4d98f5d4Chrome has an issue where the chrome.pageCapture.saveAsMHTML() extension API can be used on blocked origins due to a racy access check.
c081d9b3a89b0a80ccfbb9fc08c3373284b83957b305d8759f551dfbed038c66The MediaTek WLAN driver has VFS read handlers that do not check buffer size leading to userland memory corruption.
e02f5b1f1d435ca3340b9ddef6433031cb241ad315800f041e8e425d3ac596ddChrome suffers from a heap use-after-free vulnerability in content::NavigationURLLoaderImpl::FallbackToNonInterceptedRequest.
5991378cd81b0bd15e90459d13e7396782910b67862cf292906e095dca2e9175Linux versions 5.6 and above appear to suffer from a cred refcount overflow when handling approximately 39 gigabytes of memory usage via io_uring.
eb6cd67301b0a3753b8bd45f998819605fcd09521aac98683535cba1e70af180macOS suffers from an out-of-bounds write vulnerability in AppleVADriver when decoding mpeg2 videos.
a755a34876f36a8a24fb4024eeda524426d61439be93ad37d2aa3f187ed43ce5On Intel macOS, HEVC video decoding is performed in the AppleGVA module. Using fuzzing, researchers identified multiple issues in this decoder. The issues range from out-of-bounds writes, out-of-bounds reads and, in one case, free() on an invalid address. All of the issues were reproduced on macOS Ventura 13.6 running on a 2018 Mac mini (Intel based).
ed851479d112d861e65e1f2c3cbdcfb9751f8aafbae00aece5139de5128c88b0Linux versions 4.20 and above have an issue where ktls writes into spliced readonly pages.
c8a387c3d377fb9915457e6c2add6c04bc585011d822e7f419d1a632b108342dLinux suffers from an io_uring use-after-free vulnerability due to broken unix GC interaction.
f69e0977a025727662a99855b4620c72daf61a181fc942af121b5a2aba667456Predefined keys in the Microsoft Windows Registry may lead to confused deputy problems and local privilege escalation.
a4c3435d9c5e52f576c70ff4db3da2de108e219bbd349f1ce79de1a81c042945Linux versions 6.4 and above suffer from an io_uring page use-after-free vulnerability via buffer ring mmap.
bdd56a2cf8ae5ffb5b1e0cf855da69a640ead67ed0ab5559b57abc88c22cd6f9__io_uaddr_map() in io_uring suffers from dangerous handling of the multi-page region.
36027428c2c544777c9a58e5240c8a00ac64b96a28b3c1c2a02ca9c040ca0b42Any unprivileged, local user in Microsoft Windows can disclose whether a specific file, directory or registry key exists in the system or not, even if they do not have the open right to it or enumerate right to its parent.
eba081f5682137a596749db83d8591dfa5e5d9dffadba5ca011381bdd72018c4Chrome suffers from a type confusion vulnerability in BindTextSuggestionHostForFrame.
1e0d6c4d28506761410dab47785b5675017ec524a79f43e93784caf59927dfbaThe Microsoft Windows Kernel has an issue with bad locking in registry virtualization that can result in race conditions.
8cf51c7afd8e880ffabc644d09f791fed4bac36689d7102f629eb746b2c13124The Microsoft Windows Kernel has a time-of-check / time-of-use issue in verifying layered key security which may lead to information disclosure from privileged registry keys.
d827eb89d09814af2562b27f8d81aceb5f4a617c3fbb070846fd5b39ebfaa03eArm Mali CSF has a refcount overflow bugfix in r43p0 that was misclassified as a memory leak fix.
05a93b8780cfb3ee2e1142acedfd65b47dbf3a86e2c48f3c8256e45ceaf5837bARM Mali r44p0 suffers from a use-after-free vulnerability by freeing waitqueue with elements on it.
4fea6948aa6c6c134d3f0e82d4d907da692a000feadff0b07880f486048867a4
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed