For anyone curious like me: https://nvd.nist.gov/vuln/detail/CVE-2017-8368.

@Wlinzi Can you send details to me at will@wbond.net please?

Just an FYI to observers, I have received a report via email from @Wlinzi and will be working on confirming the issue and implementing a patch as necessary.

While you evaluate, can you clarify if this is denial of service (in title) or arbitrary code execution (in body), so people can better evaluate risk?

I do not know for sure yet, but from the description I received there does not appear to be a code execution vulnerability involved.

I was not able to reproduce the DoS vulnerability on Windows 10 with build 3126 x64 or build 3131 x64.

Just for the record, this was finally reproduced and was fixed as part of build 3143 – aka 3.0.

Many security issues are disclosed in public after they are fixed (or after a deadline to increase pressure on vendors). Take the most recent Meltdown and Spectre reveals for example: https://googleprojectzero.blogspot.de/2018/01/reading-privileged-memory-with-side.html.

The public has a right to know about security flaws, even if they are fixed. Knowing that old software is vulnerable to attacks and how severe these attacks are is an important incentive to upgrade to newer software with these attack vectors fixed. Not disclosing this information would create a false sense of security and cause more harm than good.

Edit: Also, isn't this exactly what the CVE database is for?

Just to clarify, I am not affiliated with Sublime Hq Pty Ltd. I am merely a community member co-managing this issue list. What I stated above is my own opinion on the matter.

Regardless, I thank you for your concern and the submission of the report.

Edit: For context, there had been a reply by @Wlinzi to my earlier comment which has been deleted.