
What I find frustrating is that there still has to be an exploit to have these crashes taken seriously/be blog-worthy. We know that in C/C++ based programs input parsing errors carry a high probability for arbitrary code execution. Instead of just supplying 50 PDFs that seem to crash the program or lib in unique ways and author/vendor fixing their code, researchers have to ‘waste’ time writing exploits to really rub it in.



I couldn’t resist writing an exploit to go along with it

That doesn't sound like the case here. He wrote an exploit because he wanted to, not because he needed to convince anyone.


Any sort of memory corruption is usually considered to be “potential arbitrary code execution” unless proven otherwise, even if the bug finder hasn’t written up a PoC for it. Even the most unlikely corruptions have been shown to be exploitable given enough effort, so usually they’re just lumped in the “we should fix this” bin.



