Shannon Baseband suffers from a memory corruption vulnerability that occurs when the baseband modem processes SDP when setting up a call. When an fmtp attribute is parsed, the integer that represents the payload type is copied into an 8-byte buffer using memcpy with the length of payload type as the length parameter. There are no checks that the payload type is less than 8-bytes long or actually an integer.
51aa5a7a2ca1d9308cad99d6da19581180aa08b8653f1c44406c7c5c7dc253b9
Shannon Baseband suffers from a memory corruption vulnerability that occurs when the baseband modem processes SDP when setting up a call. SDP supports attributes acfg and pcfg that allow configuration information to be specified as integers. The baseband software allocates a fixed-size buffer for this information, but does not check that the number of integers specified by the SDP is within this bound. This can lead to memory corruption when processing an acfg or pcfg attribute that contains more than 14 format types.
f7237e53d6febca38b353f2be59e9064bb4853fb37c38f9779aa9f273abc1ff6
Shannon Baseband suffers from a memory corruption vulnerability that occurs when the baseband modem processes SDP when setting up a call. SDP supports an attribute chatroom that allows multiple chat properties to be specified. The baseband software allocates a fixed-size buffer for these types, but does not check that the number of properties specified by the SDP is within this bound. This can lead to memory corruption when processing a chatroom attribute that contains more than 12 format types.
8cb6ebadee250d2e79ec5b2160d5e18c8dae53fae64e54aa90dddc180b42ce0d
Shannon Baseband suffers from a memory corruption vulnerability that occurs when the baseband modem processes SDP when setting up a call. SDP supports an attribute accept-type that allows multiple format types to be specified. The baseband software allocates a fixed-size buffer for these types, but does not check that the number of format types specified by the SDP is within this bound. This can lead to memory corruption when processing an accept-type attribute that contains more than 12 format types.
3e5dd3b9a11c7e00afc44d10af02f39c84d18710dc6778f472e078fbfd7d018b
Chrome has an issue where there is an out-of-bounds string copy that can occur when parsing a uniform sampler name in SpvGetMappedSamplerName.
6d914ad5ce8a9613e3083a3bd37687308877fb722821402fb41c97094ed4c0e7
Chrome has an issue where the GL_ShaderBinary is exposed to untrusted processes.
aaac59d091c9d8a436590663b90c29e1fe3765edf9f601ab76805baa4e39f431
Chrome suffers from an issue where the traits for media::mojom::VideoFrame do not perform any validation on the stride and offset parameters when deserializing untrusted message data.
eef4ad83a3864cabde0b440774e63637f5458711c23fa69aeeee0b48adefd113
CentOS Stream 9 has a missing kernel security fix for a tun double-free amongst other missing fixes. Included is a local root exploit to demonstrate the issue.
ff7d7021860395c29340e572b9c37574d2458d361ce7c71f08cc837f0834b69e
The Microsoft Windows Kernel has insufficient validation of new registry key names in transacted NtRenameKey.
ba4961014d277f2fb882589dbc8a7ae2231b9cbad4ecebf074ca3f4b40c660cc
The Microsoft Windows Kernel suffers from multiple issues in the prepare/commit phase of a transactional registry key rename.
7c97ca8d9eaa67f309b42a02ec5443fcab57797d0ac534a80dbe853a97cb2939
Chrome suffers from a heap buffer overflow vulnerability in base::SampleVectorBase::MoveSingleSampleToCounts.
56c179a58f11cc0f38bddec251f01ed9bc46c971de948deee99ccf3ae1bbc48f
Chrome suffers from a heap buffer overflow vulnerability in base::debug::ActivityUserData::ActivityUserData.
bf0edebf8c86d69106bb2e6045c77ad82ba926fd2ae83f98fa7a0b19855f6185
The Microsoft Windows kernel suffers from multiple issues with subkeys of transactionally renamed registry keys.
a73d43acd9edc53a2cab893ea9e5bb5beca43de488582970092616f1af85341c
The kernel tree of CentOS Stream 9 suffers from multiple use-after-free conditions that were already patched in upstream stable trees.
a5f94e90c58a4d65e7349c5ac6abff2cbc680f758ae71b7d0bf35a8ec6642057
There is an intra-object overflow in Shannon Baseband, inside the 5G SM protocol implementation (NrSmMsgCodec as it is called in Shannon according to debug strings), when decoding the Extended protocol configuration options message (IEI = 0x7B).
fbcb90e472d2e3ece0a5999daefccbac91cb16b93b5bdde7163bb7f5b46c8021
There is an intra-object overflow in Shannon Baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the Service Area List message (IEI = 0x27).
ca27ff3f40a5cef1422ff326c82c6ac37d4d2a24ac33342144bc8a5c84aa2848
There is a heap buffer overflow in Shannon Baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the Operator-defined access category definitions message (IEI = 0x76).
0d9b32ed9b931576486f7e7630f9b8e393f008ff2bccc77a8e30f84a45f1e0f0
There is a heap buffer overflow in Shannon baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the "Extended emergency number list" message (IEI = 0x7A).
ba04bb179ad4db118c637bfe6c329d2d3ebef7e310034bd5a8af11fa0123adc3
There is a heap buffer overflow in Shannon baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the "Emergency number list" message (IEI = 0x34).
ff7c534a4bbc11dc3cd3ac7fb2571e8b2fc9cddf789fa05fff2fc30be17f2aca
XNU NFSSVC suffers from root check bypass and use-after-free vulnerabilities due to insufficient locking in upcall worker threads.
dd5db6e40185f5ad1603a814730e94b92ca2cfb3086268f82937050b80986d44
Linux USB usbnet tells minidrivers to unbind while netdev is still up, causing use-after-free conditions.
a79f67a4ff4419f1ee030e5d31da09ffc097f7a7aff75a313677c344131a2bc4
Android GKI kernels contain broken non-upstream Speculative Page Faults MM code that can lead to multiple use-after-free conditions.
52bdc4d424513850282af302704976ef18a76f8dae3b5f71cf887f9e9577e262
kbase_csf_kcpu_queue_enqueue() locks the kctx->csf.kcpu_queues, looks up a pointer from inside that structure, then drops the lock before continuing to use the kbase_kcpu_command_queue that was looked up. This is a classic use-after-free pattern, where the lookup of a pointer is protected but the protective lock is then released without first acquiring any other lock or reference to keep the referenced object alive.
4fd61c0109d183f3b2a909d608ec4f7ebeb118f98b4d057a01a280c10f5a5339
Arm Mali suffers from an insufficient cache invalidation for non-page-aligned user buffer imports.
1cc19cb79a91228a44e5c6196c91a498b37c74f153ea14e278fe6327355cc218
XNU has a race condition leading to use-after-free between the NFSSVC_NFSD command and an upcall worker thread.
558e5741f83f094c1d723a718badc745f6249cf15cef1cd4a50ca6eee80f69f8