..possible integer overflow in _procRegSystemCall function from the Kernel.sol file. There is a piece of code that calculates the length of the capabilities array in bytes:
In normal circumstances (when the system call is executed using proc_reg function of BeakerContract) msg.data.length is always greater or equal than capsStartOffset. But someone can try to make system call directly and compose incorrect message with smaller length than needed. What will happen in this case here, and how does kernel react to malformed system calls in general?
From @17451k: