
13 matches found

Zero Day Initiative
added 2023/05/17 12:0 a.m., 78 views

Linux Kernel ksmbd Session Race Condition Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable. The specific flaw exists within the processing of SMB2SESSIONSETUP...

9 CVSS, 7.4 AI score, 0.00111 EPSS
Exploits: 0, References: 1
OSV
added 2023/04/24 11:15 p.m., 5 views

CVE-2023-2007

The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the...

7.8 CVSS, 7.8 AI score
Exploits: 0, References: 5
exploitpack
added 2018/06/06 12:0 a.m., 18 views

Apple macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver

Apple macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver / nvDevice::SetAppSupportBits is external method 0x107 of the nvAccelerator IOService. It calls taskdeallocate without locking. Two threads can race calling this external method to drop two task references when on...

0.3 AI score
Exploits: 0
Exploit DB
added 2018/06/06 12:0 a.m., 37 views

Apple macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver

/ nvDevice::SetAppSupportBits is external method 0x107 of the nvAccelerator IOService. It calls taskdeallocate without locking. Two threads can race calling this external method to drop two task references when only one is held. Note that the repro forks a child which give the nvAccelerator a...

7.4 AI score
Exploits: 0
0day.today
added 2018/06/06 12:0 a.m., 53 views

macOS #Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver Exploit

Exploit for macOS platform in category dos / poc / nvDevice::SetAppSupportBits is external method 0x107 of the nvAccelerator IOService. It calls taskdeallocate without locking. Two threads can race calling this external method to drop two task references when only one is held. Note that the repro...

0.04062 EPSS
Exploits: 3
0day.today
added 2018/02/10 12:0 a.m., 47 views

macOS Kernel - Use-After-Free Due to Lack of Locking in AppleEmbeddedOSSupportHostClient::registerNo

Exploit for macOS platform in category dos / poc / AppleEmbeddedOSSupportHost.kext is presumably involved in the communication with the OS running on the touch bar on new MBP models. Here's the userclient's registerNotificationPort method: text:0000000000002DE4 ;...

8.7 AI score, 0.0078 EPSS
Exploits: 2
exploitpack
added 2018/02/09 12:0 a.m., 17 views

macOS Kernel - Use-After-Free Due to Lack of Locking in AppleEmbeddedOSSupportHostClient::registerNotificationPort

macOS Kernel - Use-After-Free Due to Lack of Locking in AppleEmbeddedOSSupportHostClient::registerNotificationPort / AppleEmbeddedOSSupportHost.kext is presumably involved in the communication with the OS running on the touch bar on new MBP models. Here's the userclient's registerNotificationPort...

7.3 AI score
Exploits: 0
Exploit DB
added 2018/02/09 12:0 a.m., 34 views

macOS Kernel - Use-After-Free Due to Lack of Locking in 'AppleEmbeddedOSSupportHostClient::registerNotificationPort'

/ AppleEmbeddedOSSupportHost.kext is presumably involved in the communication with the OS running on the touch bar on new MBP models. Here's the userclient's registerNotificationPort method: text:0000000000002DE4 ; AppleEmbeddedOSSupportHostClient::registerNotificationPortipcport , unsigned int,...

7 AI score
Exploits: 0
0day.today
added 2017/01/26 12:0 a.m., 38 views

macOS 10.12.1 / iOS Kernel - host_self_trap Use-After-Free Exploit

Exploit for multiple platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1034 The task struct has a lock itklockdata, taken via the itklock macros which is supposed to protect the task-itk ports. The hostselftrap mach trap accesses task-itkhost witho...

9.3 CVSS, 7.7 AI score, 0.03244 EPSS
Exploits: 2
0day.today
added 2016/12/17 12:0 a.m., 149 views

iOS 10.1.1 / macOS 10.12 16A323 XNU Kernel - set_dp_control_port Lack of Locking Use-After-Free Vuln

Exploit for multiple platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=965 setdpcontrolport is a MIG method on the hostprivport so this bug is a root-kernel escalation. kernreturnt setdpcontrolport hostprivt hostpriv, ipcportt controlport if hostpriv...

9.3 CVSS, 7.3 AI score, 0.0359 EPSS
Exploits: 7
Exploit DB
added 2016/12/16 12:0 a.m., 187 views

Apple macOS 10.12 16A323 XNU Kernel / iOS 10.1.1 - 'set_dp_control_port' Lack of Locking Use-After-Free

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=965 setdpcontrolport is a MIG method on the hostprivport so this bug is a root-kernel escalation. kernreturnt setdpcontrolport hostprivt hostpriv, ipcportt controlport if hostpriv == HOSTPRIVNULL return KERNINVALIDHOST; if...

7.1 AI score
Exploits: 0
exploitpack
added 2016/12/16 12:0 a.m., 57 views

Apple macOS 10.12 16A323 XNU Kernel iOS 10.1.1 - set_dp_control_port Lack of Locking Use-After-Free

Apple macOS 10.12 16A323 XNU Kernel iOS 10.1.1 - setdpcontrolport Lack of Locking Use-After-Free Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=965 setdpcontrolport is a MIG method on the hostprivport so this bug is a root-kernel escalation. kernreturnt setdpcontrolport hostpri...

9.3 CVSS, 0.1 AI score, 0.0359 EPSS
Exploits: 7
Exploit DB
added 2016/01/28 12:0 a.m., 51 views

Apple Mac OSX / iOS Kernel - IOHDIXControllUserClient::clientClose Use-After-Free/Double-Free

/ Source: https://code.google.com/p/google-security-research/issues/detail?id=599 OS X and iOS kernel UaF/double free due to lack of locking in IOHDIXControllUserClient::clientClose Here's the clientClose method of IOHDIXControllUserClient on OS X 10.11.1: text:0000000000005B38 ; int64 fastcall...

7.4 AI score
Exploits: 0