Telegram for Android suffers from a use-after-free vulnerability in Connection::onReceivedData.
b50977499b859adec9bc55d49621466231a4ab00aa44223747f9839cecd9995e
In the tgnet library used in Telegram messenger for Android, there is a use-after-free vulnerability in Connection::onReceivedData that can be triggered remotely.
bca6a67a76c752f1ecdcd8907312e1eb9daa4808f56fcf845f91420c4d98f5d4
Chrome suffers from a type confusion vulnerability in BindTextSuggestionHostForFrame.
1e0d6c4d28506761410dab47785b5675017ec524a79f43e93784caf59927dfba
When deserializing an SkPath, there is some basic validation performed to ensure that the contents are consistent. This validation does not use safe integer types, or perform additional validation, so it's possible for a large path to overflow the point count, resulting in an unsafe SkPath object.
7e0793cb8767bd5e3e5ac3845bbfc7ec6d83d30f81733f1592b40df7805b3a2f
Chrome IPCZ FragmentDescriptors are not validated allowing for an out-of-bounds crash condition.
adc68a8b0a6ff50085071702ac5d18e4499b667b8b192dadf209cd4cf9ae81ee
During a Mojo IPC method call, there are multiple stages of validation and deserialization that take place. These assume that the contents of the message cannot be modified during the deserialization process, but the new core_ipcz implementation returns message contents directly in shared memory.
572a756cadc51b22a907293f84e2b304799a3abe0592f9635a0caac2967f8acd
Chrome has an issue where there is an out-of-bounds string copy that can occur when parsing a uniform sampler name in SpvGetMappedSamplerName.
6d914ad5ce8a9613e3083a3bd37687308877fb722821402fb41c97094ed4c0e7
Chrome has an issue where the GL_ShaderBinary is exposed to untrusted processes.
aaac59d091c9d8a436590663b90c29e1fe3765edf9f601ab76805baa4e39f431
Chrome suffers from an issue where the traits for media::mojom::VideoFrame do not perform any validation on the stride and offset parameters when deserializing untrusted message data.
eef4ad83a3864cabde0b440774e63637f5458711c23fa69aeeee0b48adefd113
The WebGL implementation for setting uniform values with an ArrayBuffer argument does not properly handle large buffer sizes. As WASM now allows allocating large ArrayBuffers, this can lead to buffer overflows when writing to the GPU command buffer.
0bdf6d06a281ed2823e5f46ea472615509e7f1f676d5bd3238d8cfd3b783d262
Chrome has an issue where raw_ptr broke implicit scoped_refptr for receivers in base::Bind.
608734695dfbbf56d37a25c6b0e92ec571e720ac20c50496dd9608c3ee36b587
The code in cc::PaintImageReader::Read(cc::PaintImage*) does not properly check the incoming data when handling embedded image data, resulting in an out-of-bounds copy into the filter bitmap data.
3442a632be9dec3260619421059a97062f1e5b5331769ad612a11a97ecf3ec9b
Chrome suffers from a missing bounds check in WebGPUDecoderImpl::DoRequestDevice.
ef3fbfbf0d934cc45efe08abfdf55bd55ba171f52a654e23e476c7b46f1b6cca
Chrome suffers from making use of an uninitialized on-stack pointer in storage::BlobBuilderFromStream.
7508021fc3ad459f9d4a21d3d34a8201df4467cbbf9015fe49fb42a0ad822203
SandboxedUnpacker in Chrome uses shared memory in an unsafe fashion.
bc91dd004d418d7fd6b56285f99323944f8802e8dd4b5215b649c990046ed88a
Looking at the Mojo implementation of Chrome's legacy IPC, the legacy ipc::Message type is transferred inside a BigBuffer.
f543ac8b2cefa9c2b0092803dc79ebe3d0ccba182ed6661ceb724163521a8580
Chrome suffers from an out-of-bounds read vulnerability in network DataElement struct traits.
73bdb3c2018e4f00483c57023d4ad271b24afb3c0d0373d8371a68762c872680
Chrome suffers from a use-after-free vulnerability due to a double call to IndexedDBConnection::Close.
224d81c1e2768b3a4b05adfeb30a609ac48d837bde76d9cc912b62b3f06e8733
Chrome suffers from a use-after-free vulnerability in ~LevelDBIteratorImpl.
422a3b74a14e37e109fac59aed3661fc56ae4c327305a6990330758d6c77737f
Chrome suffers from a use-after-free vulnerability in FileChooserImpl.
0ecbde145d35a4fdef837ba560c9160db3335f5c84f0365d90e9552d8eb3e971
There's a race condition in the destruction of the BindingState for bindings to the StoragePartitionService in Chrome. It looks like the root cause of the issue is that we can get two concurrent calls to callbacks returned from mojo::BindingSet::GetBadMessageCallback() from the same BindingSet, which results in a data race destroying the same BindingState.
e74b2b8256d75d7a1f9c0936ff14ed0a0b8cf12cea0653834d4403581f08f4b0
Chrome suffers from a use-after-free vulnerability in MidiManagerWin.
5561abfbf792852e4be2a5a6f9908418ba3bb61c352292347a907340f971abf6
Chrome suffers from a use-after-free vulnerability in FileSystemOperationRunner.
175e33f2fe84321b31ba9922dcb3c0c36eff272a29a2b1a39380be7b60162958
There appears to be a race condition in the destruction of the ExtensionsGuestViewMessageFilter if the ProcessIdToFilterMap is modified concurrently in Chrome.
153cc2f98cfe6458909e177b32d616e5357adc7532ae04962d456870e9b99131
Chrome suffers from multiple use-after-free vulnerabilities in the PaymentRequest service.
fb9baf689c47875cf56ed6918386a270499142ea5e915be52d8936b09ba2adbb