
67 matches found

Packet Storm
added 2019/08/29 12:00 a.m., 231 views

Webkit JSC JIT ArgumentsEliminationPhase::transform Uninitialized Variable Access

https://github.com/WebKit/webkit/blob/94e868c940d46c5745869192d07255331d00102b/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp#L743 case GetByVal: ... unsigned numberOfArgumentsToSkip = 0; if candidate-op == PhantomCreateRest numberOfArgumentsToSkip = candidate-numberOfArgumentsToSkip;...

AI score: 0.4, EPSS: 0.12955
Exploits: 2
Packet Storm
added 2019/07/30 12:00 a.m., 162 views

JSC YarrJIT initParenContextFreeList Byte Overwrite

JSC: YarrJIT: A bug in initParenContextFreeList void initParenContextFreeList RegisterID parenContextPointer = regT0; RegisterID nextParenContextPointer = regT2; size_t parenContextSize = ParenContext::sizeFormparenContextSizes; parenContextSize = WTF::roundUpToMultipleOfparenContextSize; // Check...

AI score: 7.4
Exploits: 0
Packet Storm
added 2019/07/30 12:00 a.m., 180 views

JSC BytecodeGenerator::emitEqualityOpImpl Data Mishandling

JSC: A bug in BytecodeGenerator::emitEqualityOpImpl Related CVE Numbers: CVE-2019-8684. PoC: let a = 1 || typeof 1 === 'string'; Generated bytecode: BPmgTo:0x7ff1965a0000-0x7ff1965a8000, NoneGlobal, 37: 11 instructions 0 wide instructions, 2 instructions with metadata; 225 bytes 188 metadata byte...

AI score: 0.1, EPSS: 0.02451
Exploits: 1
Packet Storm
added 2019/02/21 12:00 a.m., 52 views

WebKit JSC reifyStaticProperty Attribute Flag Issue

WebKit: JSC: reifyStaticProperty needs to set the PropertyAttribute::CustomAccessor flag for CustomGetterSetter CVE-2019-6215 https://github.com/WebKit/webkit/blob/3fff8c40c665a09de5e3ede46fc35908f69353c3/Source/JavaScriptCore/runtime/Lookup.h#L392 if value.attributes &...

EPSS: 0.09755
Exploits: 3
Packet Storm
added 2018/11/30 12:00 a.m., 48 views

WebKit JIT ByteCodeParser::handleIntrinsicCall Type Confusion

WebKit: JIT: Type confusion bugs in ByteCodeParser::handleIntrinsicCall CVE-2018-4382 case ArrayPushIntrinsic: ... if static_cast argumentCountIncludingThis = MIN_SPARSE_ARRAY_INDEX return false; ArrayMode arrayMode = getArrayModemcurrentInstructionOPCODELENGTHopcall - 2.u.arrayProfile, Array::Write;...

AI score: 8.2, EPSS: 0.05827
Exploits: 2
Packet Storm
added 2018/11/19 12:00 a.m., 285 views

Microsoft Edge Chakra OP_Memset Type Confusion

Microsoft Edge: Chakra: Type confusion with OP_Memset Since the patch for CVE-2018-8372, it checks all inputs to native arrays, and if any input equals the MissingItem value which can cause type confusion, it starts the bailout process. But i...

CVSS: 7.6, AI score: 0.2, EPSS: 0.24766
Exploits: 4
Packet Storm
added 2018/10/11 12:00 a.m., 69 views

Microsoft Edge Chakra JIT Type Confusion Bug

Microsoft Edge: Chakra: JIT: Type confusion bug CVE-2018-8467 The switch statement only handles Js::TypeIds_Array but not Js::TypeIds_NativeIntArray and Js::TypeIds_NativeFloatArray. So for example, a native float array can be considered as of type ObjectType::Object under certain circumstances wher...

AI score: 6.6, EPSS: 0.69019
Exploits: 2
Packet Storm
added 2018/09/18 12:00 a.m., 50 views

Microsoft Edge Chakra PathTypeHandlerBase::SetAttributesHelper Type Confusion

Microsoft Edge: Chakra: Type confusion with PathTypeHandlerBase::SetAttributesHelper CVE-2018-8384 Here's a snippet of PathTypeHandlerBase::SetAttributesHelper. PathTypeHandlerBase predTypeHandler = this; DynamicType currentType = instance-GetDynamicType; while predTypeHandler-GetPathLength...

AI score: 0.1, EPSS: 0.6211
Exploits: 2
Packet Storm
added 2018/08/17 12:00 a.m., 40 views

Microsoft Edge Chakra Parameter Scope Parsing Bug

Microsoft Edge: Chakra: Parameter scope parsing bug CVE-2018-8279 PoC: async function triggera = class b await 1 let spray = ; for let i = 0; i 0016 SetHomeObj R13 R14 001b NewScObjectSimple R9 001d ProfiledStFld R9.value = R2 1 0021 ProfiledStFld R9.done = R4 2 0025 Yield R9 R9 0037...

CVSS: 7.6, AI score: 0.5, EPSS: 0.71043
Exploits: 3
Packet Storm
added 2018/08/17 12:00 a.m., 42 views

Microsoft Edge Chakra DictionaryPropertyDescriptor::CopyFrom Failed Copy

Microsoft Edge: Chakra: DictionaryPropertyDescriptor::CopyFrom doesn't copy all fields CVE-2018-8291 Here's the method. template template void DictionaryPropertyDescriptor::CopyFromDictionaryPropertyDescriptor& descriptor this-Attributes = descriptor.Attributes; this-Data = descriptor.Data ==...

AI score: 0.4, EPSS: 0.70028
Exploits: 3
Packet Storm
added 2018/08/17 12:00 a.m., 25 views

Microsoft Edge Chakra JIT InlineArrayPush Type Confusion

Microsoft Edge: Chakra: JIT: Type confusion with InlineArrayPush This is similar to issue 1531. The patch seems to prevent type confusion triggered from StElemIA instructions. But the SetItem method can also be invoked through the Array.prototype.push method which can be inlined. We can achieve...

AI score: 0.3
Exploits: 0
Packet Storm
added 2018/07/12 12:00 a.m., 29 views

Microsoft Edge Chakra JIT BoundFunction::NewInstance Bug

Microsoft Edge: Chakra: A bug in BoundFunction::NewInstance CVE-2018-8139 BoundFunction::NewInstance is used to handle calls to a bound function. The method first allocates a new argument array and copies the prepended arguments and others into the new argument array and calls the actual function...

CVSS: 7.6, EPSS: 0.66913
Exploits: 3
Packet Storm
added 2018/04/11 12:00 a.m., 30 views

Chrome V8 JIT LoadElimination::ReduceTransitionElementsKind Bug

Chrome: V8: JIT: A bug in LoadElimination::ReduceTransitionElementsKind I think this commit has introduced the bug: https://chromium.googlesource.com/v8/v8.git/+/9884bc5dee488bf206655f07b8a487afef4ded9b Reduction LoadElimination::ReduceTransitionElementsKindNode node ... if...

AI score: 0.1
Exploits: 0
Packet Storm
added 2018/04/03 12:00 a.m., 56 views

Chrome V8 ElementsAccessorBase::CollectValuesOrEntriesImpl Type Confusion

Chrome: V8: Type confusion in ElementsAccessorBase::CollectValuesOrEntriesImpl CVE-2018-6064 Here's a snippet of the method. https://cs.chromium.org/chromium/src/v8/src/elements.cc?rcl=3cbf26e8a21aa76703d2c3c51adb9c96119500da&l=1051 static Maybe CollectValuesOrEntriesImpl Isolate isolate, Handle...

AI score: 8.6, EPSS: 0.06892
Exploits: 2
Packet Storm
added 2018/03/05 12:00 a.m., 27 views

Chrome V8 JIT GetSpecializationContext Type Confusion

Chrome: V8: JIT: Type confusion in GetSpecializationContext PoC: function optarg = = arg let tmp = opt.x; // LdaNamedProperty for ;; arg; yield; function inner tmp; break; for let i = 0; i arg; this; , opt let tmp = arg.x; for ;; arg; yield; tmp = inner tmp; ; for let i = 0; i 10000; i++ opt; Wha...

AI score: 0.4
Exploits: 0
Packet Storm
added 2018/03/05 12:00 a.m., 28 views

Chrome V8 Out-Of-Bounds Read

Chrome: V8: Empty BytecodeJumpTable may lead to OOB read In the current implementation, the bytecode generator also emits empty jump tables. https://cs.chromium.org/chromium/src/v8/src/interpreter/bytecode-array-writer.cc?rcl=111e990462823c9faeee06b67c0dcf05749d4da8&l=89 So the bytecode for the...

Exploits: 0
Packet Storm
added 2018/03/05 12:00 a.m., 22 views

Chrome V8 JIT JSBuiltinReducer::ReduceObjectCreate NULL Check Fail

Chrome: V8: JIT: JSBuiltinReducer::ReduceObjectCreate fails to ensure that the prototype is "null" I think this commit has introduced the bug. https://chromium.googlesource.com/v8/v8/+/ff7063c7d5d8ad8eafcce3da59e65d7fe2b4f915%5E%21/F2 According to the description, Object.create is supposed to be...

AI score: 7.4
Exploits: 0
0day.today
added 2018/02/27 12:00 a.m., 16 views

Chrome V8 TranslatedState::MaterializeCapturedObjectAt Caching Bug Exploit

Exploit for multiple platform in category dos / poc Chrome: V8: TranslatedState::MaterializeCapturedObjectAt caching bug Here's a snippet of TranslatedState::MaterializeCapturedObjectAt. case JS_SET_KEY_VALUE_ITERATOR_TYPE: case JS_SET_VALUE_ITERATOR_TYPE: Handle object = Handle::cast...

AI score: 7.1
Exploits: 0
Packet Storm
added 2018/02/26 12:00 a.m., 18 views

Microsoft Edge Chakra JIT CallRegExSymbolFunction Return Check Fail

Microsoft Edge: Chakra: JIT: CallRegExSymbolFunction doesn't check the return type The "CallRegExSymbolFunction" method is used to call symbol functions in regexp objects. But it doesn't check the return value's type. Since the user can define the symbol functions, it can break the JIT compiler's...

AI score: 7.1
Exploits: 0
Packet Storm
added 2018/02/15 12:00 a.m., 42 views

Microsoft Edge Chakra JIT LdThis Type Confusion

Microsoft Edge: Chakra: JIT: LdThis type confusion CVE-2018-0837 LdThis instructions' value type is assumed to be "Object". Since "this" can be other objects like an array, it has to be assumed to be "LikelyObject", otherwise, operations to "this" will not be checked properly. PoC: function optar...

AI score: 7.5, EPSS: 0.65559
Exploits: 3