Shannon Baseband suffers from a memory corruption vulnerability that occurs when the baseband modem processes SDP when setting up a call. When an fmtp attribute is parsed, the integer that represents the payload type is copied into an 8-byte buffer using memcpy with the length of payload type as the length parameter. There are no checks that the payload type is less than 8-bytes long or actually an integer.
51aa5a7a2ca1d9308cad99d6da19581180aa08b8653f1c44406c7c5c7dc253b9Shannon Baseband suffers from a memory corruption vulnerability that occurs when the baseband modem processes SDP when setting up a call. SDP supports attributes acfg and pcfg that allow configuration information to be specified as integers. The baseband software allocates a fixed-size buffer for this information, but does not check that the number of integers specified by the SDP is within this bound. This can lead to memory corruption when processing an acfg or pcfg attribute that contains more than 14 format types.
f7237e53d6febca38b353f2be59e9064bb4853fb37c38f9779aa9f273abc1ff6Shannon Baseband suffers from a memory corruption vulnerability that occurs when the baseband modem processes SDP when setting up a call. SDP supports an attribute chatroom that allows multiple chat properties to be specified. The baseband software allocates a fixed-size buffer for these types, but does not check that the number of properties specified by the SDP is within this bound. This can lead to memory corruption when processing a chatroom attribute that contains more than 12 format types.
8cb6ebadee250d2e79ec5b2160d5e18c8dae53fae64e54aa90dddc180b42ce0dShannon Baseband suffers from a memory corruption vulnerability that occurs when the baseband modem processes SDP when setting up a call. SDP supports an attribute accept-type that allows multiple format types to be specified. The baseband software allocates a fixed-size buffer for these types, but does not check that the number of format types specified by the SDP is within this bound. This can lead to memory corruption when processing an accept-type attribute that contains more than 12 format types.
3e5dd3b9a11c7e00afc44d10af02f39c84d18710dc6778f472e078fbfd7d018bChrome has an issue where there is an out-of-bounds string copy that can occur when parsing a uniform sampler name in SpvGetMappedSamplerName.
6d914ad5ce8a9613e3083a3bd37687308877fb722821402fb41c97094ed4c0e7Chrome has an issue where the GL_ShaderBinary is exposed to untrusted processes.
aaac59d091c9d8a436590663b90c29e1fe3765edf9f601ab76805baa4e39f431Chrome suffers from an issue where the traits for media::mojom::VideoFrame do not perform any validation on the stride and offset parameters when deserializing untrusted message data.
eef4ad83a3864cabde0b440774e63637f5458711c23fa69aeeee0b48adefd113CentOS Stream 9 has a missing kernel security fix for a tun double-free amongst other missing fixes. Included is a local root exploit to demonstrate the issue.
ff7d7021860395c29340e572b9c37574d2458d361ce7c71f08cc837f0834b69eThe Microsoft Windows Kernel has insufficient validation of new registry key names in transacted NtRenameKey.
ba4961014d277f2fb882589dbc8a7ae2231b9cbad4ecebf074ca3f4b40c660ccThe Microsoft Windows Kernel suffers from multiple issues in the prepare/commit phase of a transactional registry key rename.
7c97ca8d9eaa67f309b42a02ec5443fcab57797d0ac534a80dbe853a97cb2939Chrome suffers from a heap buffer overflow vulnerability in base::SampleVectorBase::MoveSingleSampleToCounts.
56c179a58f11cc0f38bddec251f01ed9bc46c971de948deee99ccf3ae1bbc48fChrome suffers from a heap buffer overflow vulnerability in base::debug::ActivityUserData::ActivityUserData.
bf0edebf8c86d69106bb2e6045c77ad82ba926fd2ae83f98fa7a0b19855f6185The Microsoft Windows kernel suffers from multiple issues with subkeys of transactionally renamed registry keys.
a73d43acd9edc53a2cab893ea9e5bb5beca43de488582970092616f1af85341cThe kernel tree of CentOS Stream 9 suffers from multiple use-after-free conditions that were already patched in upstream stable trees.
a5f94e90c58a4d65e7349c5ac6abff2cbc680f758ae71b7d0bf35a8ec6642057There is an intra-object overflow in Shannon Baseband, inside the 5G SM protocol implementation (NrSmMsgCodec as it is called in Shannon according to debug strings), when decoding the Extended protocol configuration options message (IEI = 0x7B).
fbcb90e472d2e3ece0a5999daefccbac91cb16b93b5bdde7163bb7f5b46c8021There is an intra-object overflow in Shannon Baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the Service Area List message (IEI = 0x27).
ca27ff3f40a5cef1422ff326c82c6ac37d4d2a24ac33342144bc8a5c84aa2848There is a heap buffer overflow in Shannon Baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the Operator-defined access category definitions message (IEI = 0x76).
0d9b32ed9b931576486f7e7630f9b8e393f008ff2bccc77a8e30f84a45f1e0f0There is a heap buffer overflow in Shannon baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the "Extended emergency number list" message (IEI = 0x7A).
ba04bb179ad4db118c637bfe6c329d2d3ebef7e310034bd5a8af11fa0123adc3There is a heap buffer overflow in Shannon baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the "Emergency number list" message (IEI = 0x34).
ff7c534a4bbc11dc3cd3ac7fb2571e8b2fc9cddf789fa05fff2fc30be17f2acaXNU NFSSVC suffers from root check bypass and use-after-free vulnerabilities due to insufficient locking in upcall worker threads.
dd5db6e40185f5ad1603a814730e94b92ca2cfb3086268f82937050b80986d44Linux USB usbnet tells minidrivers to unbind while netdev is still up, causing use-after-free conditions.
a79f67a4ff4419f1ee030e5d31da09ffc097f7a7aff75a313677c344131a2bc4Android GKI kernels contain broken non-upstream Speculative Page Faults MM code that can lead to multiple use-after-free conditions.
52bdc4d424513850282af302704976ef18a76f8dae3b5f71cf887f9e9577e262kbase_csf_kcpu_queue_enqueue() locks the kctx->csf.kcpu_queues, looks up a pointer from inside that structure, then drops the lock before continuing to use the kbase_kcpu_command_queue that was looked up. This is a classic use-after-free pattern, where the lookup of a pointer is protected but the protective lock is then released without first acquiring any other lock or reference to keep the referenced object alive.
4fd61c0109d183f3b2a909d608ec4f7ebeb118f98b4d057a01a280c10f5a5339Arm Mali suffers from an insufficient cache invalidation for non-page-aligned user buffer imports.
1cc19cb79a91228a44e5c6196c91a498b37c74f153ea14e278fe6327355cc218XNU has a race condition leading to use-after-free between the NFSSVC_NFSD command and an upcall worker thread.
558e5741f83f094c1d723a718badc745f6249cf15cef1cd4a50ca6eee80f69f8
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed