V8 Sandbox escape/bypass/violation and VR collection

RT @IOActive: Check out our Silicon Team's latest research paper!

RT @IOActive: Download our FREE e-book, 'The State of Silicon Chip Hacking,' to learn about Silicon microchip hacking, a highly specialized…

@ilove2pwn_ One of the few songs in my playlist that I like both in the original and variations, it doesn't bother me during research and I listen in any mood, remembering the past and thinking about the present.

RT @wh1ant: I'm looking for a remote job. I was a N-day and 0-day researcher. I found vulnerabilities from browsers when I worked at a comp…

[$55000](CVE-2024-8904)[365376497][wasm][jspi] 😅Add regression test

RT @thatjiaozi: I almost did it! I found an exploitable buffer oob in qemu. No cve tho due to canokey being a development only device tho…

[374811614][$10000][maglev]DCHECK failure in id_ != kInvalidNodeId in maglev-ir.h PoC:

[352689356][sandbox] @0x10n

[395062211][sandbox] Only use TrustedPointerPublishingScopes on main thread

RT @axboe: The networking side of the io_uring receive zero-copy support was finally merged, it's queued for the 6.15 kernel. See this merg…

(CVE-2024-34730)[308429049][Bluetooth]HID profile accepted any new incoming HID connection. Even when the connection policy disabled HID connection, remote devices could initiate HID connection

😅That's interesting, I'll try a chain with... (CVE-2024-34722)[251514170]When pairing with BLE legacy pairing initiated from remote, authentication can be bypassed(in SMP)

🤣🤣🤣 (CVE-2025-0098)[367266072]Malicious app could register the organizer via one-way binder call to disguise as running on pid 0(activity token leaked to another process)

😂😂😂 (CVE-2025-0096)[356630194] "Fix malloc buffer size": - *NewTlv = (uint8_t*)malloc(8 * sizeof(uint8_t)); + *NewTlv = (uint8_t*)malloc(9 * sizeof(uint8_t)); Introduced here:

[394402574][turboshaft] Fix wrong comparison in DCHECK function foo(x) { let v = 0; [2, 3].forEach(y => v += y + x); } %PrepareFunctionForOptimization(foo); foo(3); foo(3); %OptimizeFunctionOnNextCall(foo); foo();

[394767640][wasm][type-reflection] Fix nested WasmJSFunction

[388844115, 394650781][turbofan] Fix related to the TypedArray type const a = new Uint8Array(); function foo() { return ArrayBuffer.isView(a); } assertTrue(foo()); %PrepareFunctionForOptimization(foo); %OptimizeFunctionOnNextCall(foo); assertTrue(foo());

WIP: improve the type hint mechanism in sparkplug

[42202660]Tracking bug for enabling 256-bit vector for WASM SIMD