Heap Out-of-Bounds Read in Hermes JavaScript Engine: A Technical Deep Dive
Executive Summary: This article presents a detailed analysis of a heap out-of-bounds read vulnerability discovered in Meta's Hermes JavaScript engine, specifically within the SerializedLiteralParser component. While the vulnerability was reported to Meta through their bug bounty program and acknowledged as a valid issue, it was deemed below the threshold for a monetary reward due to the component only processing "trusted input" in production scenarios. This writeup serves as a


Walkthrough: Pre-auth DoS in IBM Verify FreeRADIUS reference module (unchecked realloc)
I found a crash bug in IBM's FreeRADIUS reference module that anyone can trigger remotely, no authentication needed. The vulnerability is straightforward: when the module receives a massive HTTP response, it tries to grow a buffer with realloc(), doesn't check if that fails, and then crashes when it tries to use the NULL pointer. IBM pulled the repo and declined to assign a CVE, calling it "reference-only" code. But as you'll see from the README screenshots, it sure looked pr
