
Full Disclosure Mailing List
A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.
Latest Posts
User Enumeration in IServ Schoolserver Web Login
naphthalin via Fulldisclosure (Sep 10)
“I know where your children go to school.”
The web front end of the IServ school server from IServ GmbH allows user
enumeration. Responses during failed login attempts differ, depending on
if the user account exists, does not exist and other conditions. While
this does not pose a security risk in many applications, it has to be
considered extremely problematic in software designed for schools. Due
to the widespread use of IServ in...
Re: Apple’s A17 Pro Chip: Critical Flaw Causes Dual Subsystem Failure & Forensic Log Loss
Matthew Fernandez (Sep 10)
Can you elaborate on why you consider this high severity? From the
description, it sounds as if this behaviour is fail-closed. That is, the
effects are limited to DoS, with security properties preserved.
Defense in depth -- the Microsoft way (part 92): more stupid blunders of Windows' File Explorer
Stefan Kanthak via Fulldisclosure (Sep 08)
Hi @ll,
this extends the two previous posts titled Defense in depth --
the Microsoft way (part 90): "Digital Signature" property sheet
missing without "Read Extended Attributes" access permission
<https://seclists.org/fulldisclosure/2025/Jul/39> and Defense
in depth -- the Microsoft way (part 91): yet another 30 year
old bug of the "Properties" shell extension
<https://seclists.org/fulldisclosure/2025/Aug/2...
Critical Security Report – Remote Code Execution via Persistent Discord WebRTC Automation
Taylor Newsome (Sep 08)
Reporter: [Taylor Christian Newsome / SleepRaps () gmail com]
Date: [8/21/2025]
Target: Discord WebRTC / Voice Gateway API
Severity: Critical
1. Executive Summary
A proof-of-concept (PersistentRTC) demonstrates remote code execution (RCE)
capability against Discord users. The PoC enables
- Arbitrary JavaScript execution in a victim’s browser context via WebRTC
  automation.
- Persistent access to Discord voice channels without user consent.
- Optional...
Submission of Critical Firmware Parameters – PCIe HCA Cards
Taylor Newsome (Sep 08)
*To:* support () mellanox com, networking-support () nvidia com
*From:* Taylor Christian Newsome
*Date:* August 20, 2025
*Dear Mellanox/NVIDIA Networking Support Team,*
I am writing to formally submit the critical firmware parameters for
Mellanox PCI Express Host Channel Adapter (HCA) cards, as detailed in the
official documentation available here:
https://content.mellanox.com/firmware/critical_params.txt.
This document specifies essential...
SEC Consult SA-20250908-0 :: NFC Card Vulnerability Exploitation Leading to Free Top-Up in KioSoft "Stored Value" Unattended Payment Solution (Mifare)
SEC Consult Vulnerability Lab via Fulldisclosure (Sep 08)
SEC Consult Vulnerability Lab Security Advisory < 20250908-0 >
=======================================================================
title: NFC Card Vulnerability Exploitation Leading to Free Top-Up
product: KioSoft "Stored Value" Unattended Payment Solution (Mifare)
vulnerable version: Current firmware/hardware as of Q2/2025
fixed version: No version numbers available
CVE number:...
FFmpeg 7.0+ Integer Overflow in FFmpeg cache: Protocol (CacheEntry::size)
Ron E (Sep 08)
An integer overflow vulnerability exists in the FFmpeg cache: URL protocol
implementation. The CacheEntry structure uses a 32-bit signed integer to
store cache entry sizes (int size), but the cache layer can accumulate
cached data exceeding 2 GB. Once entry->size grows beyond INT_MAX and new
data is appended, an overflow occurs. This results in corrupted cache
metadata and can lead to logic errors, incorrect data reads, and possible...
FFmpeg 7.0+ Integer Overflow in DSCP Option Handling of FFmpeg UDP Protocol
Ron E (Sep 08)
A vulnerability exists in the FFmpeg UDP protocol implementation (
libavformat/udp.c) where the dscp parameter is parsed from a URI and
left-shifted without bounds checking. Supplying a maximum 32-bit signed
integer (2147483647) triggers undefined behavior due to a left shift that
exceeds the representable range of int. This results in abnormal process
termination (DoS) and may lead to miscompiled logic or further memory
corruption depending on...
FFmpeg 7.0+ Integer Overflow in UDP Protocol Handler (fifo_size option)
Ron E (Sep 08)
A signed integer overflow exists in FFmpeg’s udp.c implementation when
parsing the fifo_size option from a user-supplied UDP URL. The overflow
occurs during multiplication, which is used to compute the size of the
circular receive buffer. This can result in undefined behavior, allocation
failures, or potentially memory corruption depending on compiler
optimizations and downstream usage. (FFmpeg 7.0-8.0)
*Impact:*
- Denial of Service...
FFmpeg 7.0+ LADSPA Filter Arbitrary Shared Object Loading via Unsanitized Environment Variables
Ron E (Sep 08)
The ladspa audio filter implementation (libavfilter/af_ladspa.c) in FFmpeg
allows unsanitized environment variables to influence dynamic library
loading. Specifically, the filter uses getenv("LADSPA_PATH") and
getenv("HOME") when resolving the plugin shared object (.so) name provided
through the file option. These values are concatenated into a filesystem
path and passed directly into dlopen() without validation or...
FFmpeg 7.0+ NULL Pointer Dereference in FFmpeg String Handling (avstring.c)
Ron E (Sep 08)
Improper validation in libavutil/avstring.c allows a NULL pointer
dereference when processing certain strings in HLS contexts. UBSan reports
"applying zero offset to null pointer." Triggers denial of service (DoS)
when FFmpeg processes malicious playlists or malformed URLs. (FFmpeg 7.0 –
8.0)
*Impact:*
- Consistently crashes the process (DoS).
- Exploitation beyond denial of service is unlikely on modern OSes.
*Proof...
FFmpeg 7.0+ Type Confusion in FFmpeg Function Pointer Calls (libavformat/utils.c)
Ron E (Sep 08)
FFmpeg invokes function pointers through incorrect type casting, leading to
type confusion. UndefinedBehaviorSanitizer logs mismatched signatures in
utils.c:528. Crafted inputs can cause UB, misaligned function dispatch, and
possible arbitrary code execution depending on platform ABI. (FFmpeg 7.0 –
8.0)
*Impact:*
- DoS in normal builds.
- Potential information disclosure or RCE under certain
  compilers/architectures.
*Proof...
FFmpeg 7.0+ Integer Overflow in FFmpeg yuvcmp Tool Leads to Out-of-Bounds Allocation
Ron E (Sep 08)
The FFmpeg tools/yuvcmp utility is vulnerable to an integer overflow when
large width and height parameters are supplied. The overflow occurs during
buffer size calculations (width * height) leading to incorrect allocation
sizes and subsequent memory corruption. An attacker controlling input
dimensions can trigger large or invalid memory allocations, leading to
denial of service (DoS), memory exhaustion, or potential heap corruption.
(FFmpeg...
FFmpeg 7.0+ Heap Use-After-Free in FFmpeg HLS Demuxer (libavformat/utils.c)
Ron E (Sep 08)
Malformed .m3u8 playlists can trigger a heap use-after-free when the HLS
demuxer handles segment references. ASan reports access to freed memory
inside libavformat/utils.c:528. A crafted .m3u8 could allow remote
attackers to achieve denial of service (DoS), information disclosure, or
potentially remote code execution depending on heap state. (FFmpeg 7.0-8.0)
*Impact:*
- Remote attackers can crash the transcoder with a malicious playlist....
DjVuLibre 3.5.29 ZPCodec Unsigned Integer Overflow in Arithmetic Encoding
Ron E (Sep 08)
The DjVuLibre document compression library (tested version 3.5.29) contains
multiple instances of unsigned integer overflow in the ZPCodec.cpp
component. During arithmetic encoding operations (e.g., zemit, encode_lps,
encode_lps_simple, eflush), crafted input can cause arithmetic wraparound
(0-1, 1-2, or value+UINT_MAX). These operations rely on precise probability
modeling for entropy encoding, and wraparound corrupts encoder state. An
attacker...
More Lists
Dozens of other network security lists are archived at SecLists.Org.