Tag: cve-reproduce (3)Random stuff > CVE-2019-13288 > XPDF Infinite recursion & Null pointer dereferenceVuln: CVE-2019-13288 breaks Xpdf’s invariant that the “object stream” referenced by a compressed object must be an uncompressed stream, because the fetch path doesn’t enforce that rule and a crafted xref can make the supposed object stream itself compressed, causing unbounded recursive fetching and a crash.December 22, 2025Linux Privilege Escalation > Nimbuspwn > Linux LPE via Path Traversal and TOCTOU in networkd-dispatcherVuln: Nimbuspwn breaks the invariant that “networkd-dispatcher only executes trusted root-owned scripts from its own hooks directory,” which is violated when an attacker first escapes the hooks path via directory traversal and then swaps the checked script path between validation and execution via a TOCTOU race to get arbitrary code run as root.November 9, 2025Random stuff > CVE-2022-0324 > Buffer Overflow in dhcp6relay of SONiCVuln: CVE-2022-0324 breaks the invariant that SONiC’s dhcp6relay must validate DHCPv6 option/payload lengths so it never copies more bytes than the destination buffer can hold.The invariant is violated when a remote attacker sends a crafted DHCPv6 packet that reaches a memcpy with an unchecked length, causing an out-of-bounds write (buffer overflow).November 4, 2025