Went over a few of these with a pretty keen eye, and they aren't that particularly interesting. The Docker one is just a weird bug, it's not a vulnerability, and certainly not a "0-day" (which is a pretty loaded term and people expect bad stuff to happen).
The nghttp2 nghttpx one is more interesting, and could potentially be used for phishing, but it's very hard to line up properly because the request queue is non-deterministic so basically impossible to target a specific victim (assuming proxy traffic).
The VLC one is just a straight-up crash/bug. And VLC crashes all the time when using weird codecs, so that's nothing new.
Am I missing something here?
I mean, that's how people get hacked. If vlc crashed on my computer, and every day I should raise thanks to my gods that I do not use vlc, I would immediately unplug it and thoughtfully consider the circumstances under which it would be safe to turn it back on.
Right, this is why video parse / decode ought to be sandboxed. Writing secure code for these formats, especially in C, is really hard. I just sort of glanced at the bug in the repo, but it sounds plausible. It certainly wouldn’t be the first of its kind.
> I mean, that's how people get hacked.
...when was the last documented case of an in-the-wild hack targeting VNC?