Total
38 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-32629 | 1 Bytecodealliance | 1 Cranelift-codegen | 2023-03-01 | 4.6 MEDIUM | 8.8 HIGH |
Cranelift is an open-source code generator maintained by Bytecode Alliance. It translates a target-independent intermediate representation into executable machine code. There is a bug in 0.73 of the Cranelift x64 backend that can create a scenario that could result in a potential sandbox escape in a Wasm program. This bug was introduced in the new backend on 2020-09-08 and first included in a release on 2020-09-30, but the new backend was not the default prior to 0.73. The recently-released version 0.73 with default settings, and prior versions with an explicit build flag to select the new backend, are vulnerable. The bug in question performs a sign-extend instead of a zero-extend on a value loaded from the stack, under a specific set of circumstances. If those circumstances occur, the bug could allow access to memory addresses upto 2GiB before the start of the Wasm program heap. If the heap bound is larger than 2GiB, then it would be possible to read memory from a computable range dependent on the size of the heaps bound. The impact of this bug is highly dependent on heap implementation, specifically: * if the heap has bounds checks, and * does not rely exclusively on guard pages, and * the heap bound is 2GiB or smaller * then this bug cannot be used to reach memory from another Wasm program heap. The impact of the vulnerability is mitigated if there is no memory mapped in the range accessible using this bug, for example, if there is a 2 GiB guard region before the Wasm program heap. The bug in question performs a sign-extend instead of a zero-extend on a value loaded from the stack, when the register allocator reloads a spilled integer value narrower than 64 bits. This interacts poorly with another optimization: the instruction selector elides a 32-to-64-bit zero-extend operator when we know that an instruction producing a 32-bit value actually zeros the upper 32 bits of its destination register. Hence, we rely on these zeroed bits, but the type of the value is still i32, and the spill/reload reconstitutes those bits as the sign extension of the i32’s MSB. The issue would thus occur when: * An i32 value in a Wasm program is greater than or equal to 0x8000_0000; * The value is spilled and reloaded by the register allocator due to high register pressure in the program between the value’s definition and its use; * The value is produced by an instruction that we know to be “special� in that it zeroes the upper 32 bits of its destination: add, sub, mul, and, or; * The value is then zero-extended to 64 bits in the Wasm program; * The resulting 64-bit value is used. Under these circumstances there is a potential sandbox escape when the i32 value is a pointer. The usual code emitted for heap accesses zero-extends the Wasm heap address, adds it to a 64-bit heap base, and accesses the resulting address. If the zero-extend becomes a sign-extend, the program could reach backward and access memory up to 2GiB before the start of its heap. In addition to assessing the nature of the code generation bug in Cranelift, we have also determined that under specific circumstances, both Lucet and Wasmtime using this version of Cranelift may be exploitable. See referenced GitHub Advisory for more details. | |||||
CVE-2023-0103 | 1 Ls-electric | 2 Xbc-dn32u, Xbc-dn32u Firmware | 2023-02-24 | N/A | 7.5 HIGH |
If an attacker were to access memory locations of LS ELECTRIC XBC-DN32U with operating system version 01.80 that are outside of the communication buffer, the device stops operating. This could allow an attacker to cause a denial-of-service condition. | |||||
CVE-2021-42735 | 3 Adobe, Apple, Microsoft | 3 Photoshop, Macos, Windows | 2022-06-24 | 6.8 MEDIUM | 7.8 HIGH |
Adobe Photoshop version 22.5.1 (and earlier versions ) is affected by an Access of Memory Location After End of Buffer vulnerability, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. | |||||
CVE-2021-43755 | 3 Adobe, Apple, Microsoft | 3 After Effects, Macos, Windows | 2022-06-24 | 6.8 MEDIUM | 7.8 HIGH |
Adobe After Effects versions 22.0 (and earlier) and 18.4.2 (and earlier) are affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. | |||||
CVE-2021-43756 | 3 Adobe, Apple, Microsoft | 3 Media Encoder, Macos, Windows | 2022-06-24 | 9.3 HIGH | 7.8 HIGH |
Adobe Media Encoder versions 22.0, 15.4.2 (and earlier) are affected by a memory corruption vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
CVE-2021-39820 | 3 Adobe, Apple, Microsoft | 3 Indesign, Macos, Windows | 2022-06-24 | 6.8 MEDIUM | 8.8 HIGH |
Adobe InDesign versions 16.3 (and earlier), and 16.3.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious TIFF file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. | |||||
CVE-2021-42732 | 3 Adobe, Apple, Microsoft | 3 Indesign, Macos, Windows | 2022-06-23 | 6.8 MEDIUM | 7.8 HIGH |
Access of Memory Location After End of Buffer (CWE-788) | |||||
CVE-2021-40727 | 3 Adobe, Apple, Microsoft | 3 Indesign, Macos, Windows | 2022-06-23 | 9.3 HIGH | 7.8 HIGH |
Access of Memory Location After End of Buffer (CWE-788 | |||||
CVE-2021-42725 | 1 Adobe | 1 Bridge | 2022-06-03 | 6.8 MEDIUM | 7.8 HIGH |
Adobe Bridge version 11.1.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious M4A file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. | |||||
CVE-2020-27738 | 1 Siemens | 6 Nucleus Net, Nucleus Readystart V3, Nucleus Readystart V4 and 3 more | 2022-04-22 | 5.8 MEDIUM | 7.4 HIGH |
A vulnerability has been identified in Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus ReadyStart V4 (All versions < V4.1.0), Nucleus Source Code (Versions including affected DNS modules), SIMOTICS CONNECT 400 (All versions < V0.5.0.0). The DNS domain name record decompression functionality does not properly validate the pointer offset values. The parsing of malformed responses could result in a read access past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition. | |||||
CVE-2022-0521 | 2 Fedoraproject, Radare | 2 Fedora, Radare2 | 2022-04-08 | 5.8 MEDIUM | 7.1 HIGH |
Access of Memory Location After End of Buffer in GitHub repository radareorg/radare2 prior to 5.6.2. | |||||
CVE-2021-40786 | 3 Adobe, Apple, Microsoft | 3 Premiere Elements, Macos, Windows | 2022-03-22 | 9.3 HIGH | 7.8 HIGH |
Adobe Premiere Elements 20210809.daily.2242976 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. | |||||
CVE-2021-40787 | 3 Adobe, Apple, Microsoft | 3 Premiere Elements, Macos, Windows | 2022-03-22 | 9.3 HIGH | 7.8 HIGH |
Adobe Premiere Elements 20210809.daily.2242976 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. | |||||
CVE-2021-40792 | 3 Adobe, Apple, Microsoft | 3 Premiere Pro, Macos, Windows | 2022-03-22 | 6.8 MEDIUM | 7.8 HIGH |
Adobe Premiere Pro version 15.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. | |||||
CVE-2021-40793 | 3 Adobe, Apple, Microsoft | 3 Premiere Pro, Macos, Windows | 2022-03-22 | 6.8 MEDIUM | 7.8 HIGH |
Adobe Premiere Pro version 15.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. | |||||
CVE-2021-40794 | 3 Adobe, Apple, Microsoft | 3 Premiere Pro, Macos, Windows | 2022-03-22 | 6.8 MEDIUM | 7.8 HIGH |
Adobe Premiere Pro version 15.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. | |||||
CVE-2021-42526 | 3 Adobe, Apple, Microsoft | 3 Premiere Elements, Macos, Windows | 2022-03-22 | 9.3 HIGH | 7.8 HIGH |
Adobe Premiere Elements 20210809.daily.2242976 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. | |||||
CVE-2021-42527 | 3 Adobe, Apple, Microsoft | 3 Premiere Elements, Macos, Windows | 2022-03-22 | 9.3 HIGH | 7.8 HIGH |
Adobe Premiere Elements 20210809.daily.2242976 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. | |||||
CVE-2021-42730 | 2 Adobe, Microsoft | 2 Bridge, Windows | 2022-03-22 | 6.8 MEDIUM | 7.8 HIGH |
Adobe Bridge version 11.1.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious PSD file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. | |||||
CVE-2021-42729 | 2 Adobe, Microsoft | 2 Bridge, Windows | 2022-03-22 | 6.8 MEDIUM | 7.8 HIGH |
Adobe Bridge version 11.1.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious WAV file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. |