Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote threat actor operating a server to cause memory corruption on a connecting client application, potentially leading to arbitrary code execution, via a crafted sequence of HTTP/2 HEADERS frames. To remediate this issue, users should upgrade to aws-c-http version 0.11.0.

unbounded_spsc is an "unbounded" extension of bounded_spsc_queue. In versions 0.2.0 and prior, sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race. At time of publication, there are no publicly available patches.

Issue summary: A malicious server can exploit TLS OCSP stapling by delivering a crafted response through the status_request extension, triggering a double-free in the client's certificate verification path. Impact summary: Successful exploitation allows an attacker to corrupt heap memory via a double-free, potentially leading to a Denial of Service or possibly an attacker controlled code executio

Rizin 是一个类 Unix 的逆向工程框架和命令行工具集。该漏洞存在于 librz/core/cmd/cmd_search.c 文件的 byte_pattern_search() 函数中，由于指针所有权声明错误，导致发生了双重释放（double free）漏洞。攻击者可能通过诱导用户使用特制的输入触发该漏洞，在特定条件下造成程序崩溃或内存损坏，从而可能引发拒绝服务或信息泄露。虽然 CVSS 评分为 3.3（低危），但考虑到 Rizin 在逆向工程和安全分析中的广泛使用，任何稳定性问题都可能导致分析工作中断。官方已通过提交 045fff363b42b8a6dda8ad5229c29ec3267e7dbe 修复此问题，建议用户升级到包含该修复的版本（如 Rizin 0.7.2 或更高版本）。临时缓解措施包括限制对 Rizin 工具的网络暴露，避免处理不可信的输入文件，以及确保运行环境受控。目前未发现该漏洞已被在野利用的证据。

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's RDPEAR NDR parser accepts one non-null NDR pointer ref-id for multiple logical pointer fields without tracking the pointed object's expected NDR type or ownership. When the same ref-id is reused across two pointer fields, the parser assigns the same heap object to both output fields. The generic destructor

## Summary `Sender::send` in `src/lib.rs` contains an `unsafe` block in the `DISCONNECTED` arm that transmutes a **raw pointer** (`*mut Producer`) into the bytes of a **value-level** `Consumer`. The author's intent, visible in the surrounding comment at lines 386-390, was a value transmute. The shipped code is one level of indirection off. The resulting `Consumer` has its internal `Arc::ptr` set

PuTTY 0.72 before 0.84 has a double free in RSA KEX.

NetBSD prior to commit ec8451e contains a race condition vulnerability in cryptodev_op() within the opencrypto subsystem that allows local attackers to trigger a double-free condition by concurrently issuing CIOCCRYPT operations on the same session identifier on SMP systems. Attackers can exploit mutable per-operation state embedded in the csession struct to corrupt kernel heap memory.

libbabl 0.1.62 contains a broken double free detection vulnerability that allows attackers to bypass memory safety checks by exploiting signature overwriting in freed chunks. Attackers can call babl_free() twice on the same pointer without triggering detection, as libc's malloc metadata overwrites babl's signature field upon freeing, enabling potential memory corruption and code execution.

libbabl 0.1.62 contains a broken double free detection vulnerability that allows attackers to bypass memory safety checks by exploiting signature overwriting in freed chunks. Attackers can call babl_free() twice on the same pointer without triggering detection, as libc's malloc metadata overwrites babl's signature field upon freeing, enabling potential memory corruption and code execution.

`InlineVec::clear()` and `SerVec::clear()` in `rkyv` were not panic-safe. Both functions iterate over their elements and call `drop_in_place` on each, updating `self.len` only *after* the loop. If an element's `Drop` implementation panics during the loop, `self.len` is left at its original value. A subsequent invocation of `clear()` on the same container then re-visits the already-freed elements:

PoDoFo is a C++17 PDF manipulation library. From 1.0.0 to before 1.0.4, a double-free vulnerability exists in compute_hash_to_sign() in src/podofo/private/OpenSSLInternal_Ripped.cpp. If EVP_DigestFinal fails after buf has already been freed, the Error label frees buf a second time, causing heap corruption. This vulnerability is fixed in 1.0.4.

Double free in Windows Link-Layer Discovery Protocol (LLDP) allows an authorized attacker to elevate privileges locally.

Double free in Windows Message Queuing allows an authorized attacker to elevate privileges locally.

Double free in Windows Rich Text Edit Control allows an authorized attacker to elevate privileges locally.

Double free in Windows Rich Text Edit allows an authorized attacker to elevate privileges locally.

Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

iLBC codec crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service

iLBC codec crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service