Chromium Disclosed Security Bugs

Google discloses Chromium security bugs 14 weeks after fixing them. This website makes it easier to keep track of them.

This page is run by @securityMB but it is not an official Google product.

Bugs disclosed in 2024.json

| # | Summary | $$$ | Disclosure date |
|---|---|---|---|
| 1483991 | Security: arbitrary address access in vrend_renderer_blit_gl | $2,000 | 2024-02-02 |
| 1496001 | Use-after-poison in cppgc::internal::HeapVisitor<cppgc::internal::UnmarkedObjectsPoisoner>::Traverse | - | 2024-02-02 |
| 1496806 | Use-after-poison in cppgc::internal::MarkingStateBase::MarkAndPush | - | 2024-02-02 |
| 1343955 | Security: Contextual search selection offsets should be sanitized | - | 2024-02-01 |
| 1472898 | chrome.inspectedWindow.eval execution on Web Store with trailing URL dot | $5,000 | 2024-02-01 |
| 1472961 | Security: Chrome OS: Multiple controllable OOB write bugs in Qcom camx drivers may cause sandbox escape to kernel | - | 2024-02-01 |
| 1486350 | Security: Race Condition UAF in virtio_transport_space_update | $2,000 | 2024-02-01 |
| 1495512 | Use-after-poison in blink::HTMLPlugInElement::DetachLayoutTree | - | 2024-02-01 |
| 1480661 | Security: OOB access in | - | 2024-01-31 |
| 1494573 | heap-buffer-overflow in ~SingleShotFrameHandler(imagecapture/image_capture_frame_grabber.cc) | $8,000 | 2024-01-31 |
| 1495279 | lightweight-heap-use-after-free : web_app::WebAppCommandManager::StartCommand | - | 2024-01-31 |
| 1453577 | Security: UAF in gpu::ClientSharedImageInterface::DestroySharedImage(browser process) | $2,000 | 2024-01-30 |
| 1474410 | Security: Heap buffer overflow write due to bound check missing | - | 2024-01-30 |
| 1474415 | Security: Out-of-Bound Write due to bound check missing | $5,000 | 2024-01-30 |
| 1476281 | Security: Integer-Overflow in ChapsAdaptor::GenerateRandom | - | 2024-01-30 |
| 1488199 | Heap-buffer-overflow in v8::internal::Simulator::WriteW | - | 2024-01-30 |
| 1492396 | Security: readanything render frame UAF fix of crbug.com/1488268 is not robust. | $2,000 | 2024-01-30 |
| 1493380 | Security: Heap-use-after-free in ReadAnythingUntrustedPageHandler::LogTextStyle | $2,000 | 2024-01-30 |
| 1474639 | security: libmbim \| out-of-bounds access on mbim-message.c | $250 | 2024-01-29 |
| 1475712 | Security: Heap buffer overflow Read due to Integer Overflow | - | 2024-01-29 |
| 1478443 | Security: heap-use-after-free in vrend_destroy_sampler_view | $3,000 | 2024-01-29 |
| 1478444 | Security: heap-use-after-free in vrend_destroy_so_target | $3,000 | 2024-01-29 |
| 1483307 | Security: heap-use-after-free on vrend_renderer_get_meminfo | $2,000 | 2024-01-29 |
| 1485120 | Security: Heap-use-after-free in ash::OverviewWindowDragController::CompleteDrag | - | 2024-01-29 |
| 1494647 | media_webm_muxer_fuzzer: Heap-use-after-free in mkvmuxer::Segment::WriteFramesAll | - | 2024-01-29 |
| 1492381 | Security: Out of bounds access in UsbDeviceHandleUsbfs::IsochronousTransferInternal | $11,000 | 2024-01-27 |
| 1493435 | Google Chrome opens a suspicious file if "Download anyway" button is clicked. | - | 2024-01-27 |
| 1485769 | Clickjacking of chromium infra pages | - | 2024-01-26 |
| 1486961 | Heap-use-after-free in ash::TrayBubbleWrapper::ShowBubble | - | 2024-01-26 |
| 1493383 | Trap in Builtins_InterpreterEntryTrampoline | - | 2024-01-26 |
| 1493427 | Crash in v8_internal_simulator_ProbeMemory | - | 2024-01-26 |
| 1494164 | DCHECK failure in allow_empty_handle \|\| !v8::internal::ValueHelper::IsEmpty(that) in api-inl.h | - | 2024-01-26 |
| 1479870 | Heap-use-after-free in ash::TrayBubbleWrapper::ShowBubble | - | 2024-01-25 |
| 1491809 | v8_wasm_compile_fuzzer: DCHECK failure in index.valid() in sidetable.h | - | 2024-01-25 |
| 1491874 | Heap-use-after-free in ash::UnifiedSystemTrayBubble::UpdateBubbleBounds | - | 2024-01-25 |
| 1492228 | sqlite3_shadow_table_fuzzer: Incorrect-function-pointer-type in sqlite3VdbeMemGrow | - | 2024-01-25 |
| 1492698 | Security: Persistent XSS via malicious user-uploaded PaymentRequest manifest and service worker | $16,000 | 2024-01-25 |
| 1477054 | WiFi Password from Policy Uncensored in ChromeOS | - | 2024-01-24 |
| 1492153 | sqlite3_select_printf_lpm_fuzzer: Incorrect-function-pointer-type in vdbeMemClearExternAndSetNull | - | 2024-01-24 |
| 1492235 | DCHECK failure in (minor_marking_state_) == nullptr in concurrent-marking.cc | - | 2024-01-23 |
| 1492391 | Fatal error in Type cast failed in CAST(LoadFromParentFrame(InterpreterFrameConstants::kContext | - | 2024-01-23 |
| 1464020 | Extensions on lens.google.com can bypass host permissions and open chrome-untrusted:// URLs with side panel | $3,000 | 2024-01-22 |
| 1469845 | Security: Arbitrary address write with controllable value due to API misuse | - | 2024-01-22 |
| 1471421 | Security: A Use After Free Bug Exist ChromeOS Kenrel | - | 2024-01-22 |
| 1471429 | Security: Chrome OS: Qcom camx driver type confusion in function __cam_node_handle_dump_dev may cause sandbox escape to kernel | - | 2024-01-22 |
| 1472567 | Security: heap-buffer-overflow in vk_shader_module_init | - | 2024-01-22 |
| 1473881 | Security: Chrome OS: Multiple controllable OOB write/read bugs in Qcom camx icp driver may cause sandbox escape to kernel | - | 2024-01-22 |
| 1492212 | CHECK failure: IsMap(map, cage_base_) in heap-verifier.cc | - | 2024-01-22 |
| 1462155 | Security: UAF in hci_add_adv_monitor | - | 2024-01-19 |
| 1468594 | Security: UAF in drm_gem_object_release_handle | - | 2024-01-19 |
| 1469607 | Security: Race Condition Double Free in i915_gem_set_tiling_ioctl | - | 2024-01-19 |
| 1487944 | Security: heap after free at `RenderFrameHostManager::GetFrameHostForNavigation` | $1,000 | 2024-01-19 |
| 1492010 | Security: UAF in blink::CanvasResourceDispatcher::OnBeginFrame | - | 2024-01-19 |
| 1492073 | tint_wgsl_fuzzer: Heap-buffer-overflow in tint::SymbolTable::RegisterInternal | - | 2024-01-19 |
| 1478462 | Security: heap-buffer-overflow vrend_write_to_iovec | $250 | 2024-01-18 |
| 1482848 | Security: SOP bypass: Portal activation bypasses same-page drag and drop source check | $3,000 | 2024-01-18 |
| 1488055 | UAF in vk::Buffer::getOffsetPointer | $11,000 | 2024-01-18 |
| 1490823 | Crash in blink::AXObjectCacheImpl::RemoveSubtreeWithFlatTraversal | - | 2024-01-18 |
| 1490847 | Security: Debug check failed: !can_be_invalid implies result.valid() in v8/src/compiler/turboshaft/optimization-phase.h:224 | - | 2024-01-18 |
| 1491296 | Security: heap-use-after-free on BrandcodeConfigFetcher::OnSimpleLoaderComplete | $3,000 | 2024-01-18 |
| 1491788 | sqlite3_fts3_lpm_fuzzer: Heap-buffer-overflow in nodeReaderNext | - | 2024-01-18 |
| 1491912 | tint_wgsl_fuzzer: Crash in tint::SymbolTable::~SymbolTable | - | 2024-01-18 |
| 1492096 | DCHECK failure in (address & ::v8::internal::kHeapObjectTagMask) == 0 in heap-object.h | - | 2024-01-18 |
| 1472566 | Security: Heap buffer overflow due to Integer Overflow | $5,000 | 2024-01-16 |
| 1473015 | Security: Heap buffer overflow | $1,000 | 2024-01-16 |
| 1475224 | Security: DoS due to check missing | $500 | 2024-01-16 |
| 1479005 | Security: heap-buffer-overflow vrend_read_from_iovec | $250 | 2024-01-16 |
| 1483058 | Security:Race Condition UAF in i915_gem_context_getparam_ioctl again | - | 2024-01-16 |
| 1487973 | Abrt in v8::internal::Simulator::DoRuntimeCall | - | 2024-01-16 |
| 1490819 | Heap-use-after-free in viz::mojom::blink::CompositorFrameSinkClientStubDispatch::Accept | - | 2024-01-16 |
| 1454371 | Security: OOB in evdi_gem_fault | $1,500 | 2024-01-15 |
| 1372919 | The PWA's installation dialog isn't being dismissed after redirects, which allows an attacker to show it on cross-origin pages | $4,000 | 2024-01-14 |
| 1478613 | Security: Bypass the Protection of input fields cache (Autofill) due to inappropriate code design (Bypass 1472404),Similar to(1449874) | $2,000 | 2024-01-14 |
| 1480152 | Security: Use-After-Free in WebContentsFrameTracker::OnPossibleTargetChange | $1,000 | 2024-01-13 |
| 1457704 | Security: [Fix bypass] PWA Install prompt can still be overlaid over other origins | $3,000 | 2024-01-12 |
| 1470524 | Security: UAF in vrend_destroy_dsa_object | - | 2024-01-12 |
| 1472706 | Security: Heap buffer overflow due to bound check missing | - | 2024-01-12 |
| 1473613 | Security: Heap buffer overflow due to integer overflow | - | 2024-01-12 |
| 1482240 | Security: segment fault in libmali.so.0.40.0 | - | 2024-01-12 |
| 1485266 | Navigations during drag-and-drop allow for bypass of same-tab cross-origin drag-and-drop restriction | - | 2024-01-12 |
| 1487110 | Security: heap-use-after-free on RenderFrameHostImpl::Init | $28,000 | 2024-01-12 |
| 1488263 | Crash in v8::internal::EvacuationVerifier::VerifyEvacuation | $9,000 | 2024-01-12 |
| 1424416 | sqlite3_fts3_lpm_fuzzer: Heap-buffer-overflow in nodeReaderNext | - | 2024-01-11 |
| 1488157 | Security: Download started notification can suppressed "exit full screen" notification lead to spoof | $1,000 | 2024-01-11 |
| 1488267 | Chrome's Profile Picker UAF | $1,000 | 2024-01-11 |
| 1489290 | gpu_raster_swangle_passthrough_fuzzer: Incorrect-function-pointer-type in rx::vk::priv::SecondaryCommandBuffer::executeCommands | - | 2024-01-11 |
| 1458329 | Security: Chrome OS : Race condition Use-After-Free in function PVRSRVBridgeDevmemIntAcquireRemoteCtx of PowerVR GPU Driver | - | 2024-01-10 |
| 1469603 | Security: Use-After-Free due to refcount leak | - | 2024-01-10 |
| 1486414 | h265_bitstream_parser_fuzzer: Use-of-uninitialized-value in webrtc::H265BitstreamParser::ParseNonParameterSetNalu | - | 2024-01-10 |
| 1486550 | Security: Debug check failed: output_instr_index_ == definition_block->last_instruction_index() in v8/src/compiler/backend/mid-tier-register-allocator.cc:583 | $7,000 | 2024-01-10 |
| 1488268 | Chrome's Reading Mode UAF | $2,000 | 2024-01-10 |
| 1488365 | DCHECK failure in IsNumberDictionary(fixed_array, cage_base) in js-objects-inl.h | - | 2024-01-10 |
| 1488746 | Trap in Builtins_JSEntryTrampoline | - | 2024-01-10 |
| 1488106 | tint_wgsl_reader_spv_writer_fuzzer: Heap-use-after-free in tint::core::ir::transform::MultiplanarExternalTexture | - | 2024-01-09 |
| 1454596 | Security: Wi-Fi: skip Phase-2 authentication when using PEAP | - | 2024-01-08 |
| 1475716 | Security: Heap buffer overflow Write due to Integer Overflow | - | 2024-01-08 |
| 1477523 | Security: OOB read in get_source_info | - | 2024-01-08 |
| 1478921 | Security: Chrome OS cros_camera_service OOB read in function CameraDeviceAdapter::RegisterBufferLoc | - | 2024-01-08 |
| 1424264 | Security: Race Condition UAF in radeon_gem_set_domain_ioctl | $250 | 2024-01-05 |
| 1444597 | Security: another UAF in content::SyntheticPointerAction::ForwardTouchOrMouseInputEvents(browser process) | $2,000 | 2024-01-05 |
| 1485381 | Security: Heap-use-after-free in SidePanelCoordinator::Show | - | 2024-01-05 |
| 1487322 | DCHECK failure in Heap::InFromPage(object) in scavenger-inl.h | - | 2024-01-05 |
| 1487543 | CHECK failure: IsMap(heap_object->map(cage_base())) | - | 2024-01-05 |
| 1487809 | GPU failure in blink::ReparentParentScopes | - | 2024-01-05 |
| 1485793 | gpu_raster_swangle_passthrough_fuzzer: Incorrect-function-pointer-type in VmaAllocator_T::AllocateVulkanMemory | - | 2024-01-04 |
| 1487074 | Use-after-poison in blink::HTMLSlotElement::DetachLayoutTree | - | 2024-01-04 |
| 1487226 | tint_wgsl_reader_spv_writer_fuzzer: Heap-use-after-free in tint::core::ir::transform::RunShaderIOBase | - | 2024-01-04 |
| 1487463 | DCHECK failure in (current_block_) != nullptr in assembler.h | - | 2024-01-04 |
| 1403716 | Security: Improper origin elision in downloads prompt initiated in Chrome Custom Tab (Android) | $1,000 | 2024-01-03 |
| 1443238 | Security: Chrome iOS | $1,000 | 2024-01-03 |
| 1445712 | Security: Chrome iOS iframe SandBox Download | $1,000 | 2024-01-03 |
| 1478908 | Security: Chromium illegally paints outside of iframe when using -webkit-box-reflect | - | 2024-01-03 |
| 1483939 | Security: UAF in base::win::MessageWindow::WindowProc | $4,000 | 2024-01-03 |
| 1486439 | potentional UAF | - | 2024-01-03 |
| 1486441 | Security: [0-day] heap overflow in vp8_encode_frame after frame re-sizing | - | 2024-01-03 |
| 1486826 | DCHECK failure in !HAS_WEAK_HEAP_OBJECT_TAG(ptr_) in tagged-impl-inl.h | - | 2024-01-03 |
| 1428730 | Security: Chrome on IOS ignores Content-Type header when rendering XML and SVG content | $3,000 | 2024-01-02 |
| 1441017 | System tray icon & Message permanently appearing informing that the "Camera and microphone in use" | - | 2024-01-02 |
| 1467111 | Security : OOB Access in amdgpu_cs_pass1 | - | 2024-01-02 |
| 1480838 | Security: heap-buffer-overflow in vrend_shader_dump | - | 2024-01-02 |
| 1482626 | Bypass PaymentRequest.show() calls after the first. | $1,000 | 2024-01-02 |
| 1486048 | DCHECK failure in 0 < reps.size() in typer.h | - | 2024-01-02 |
| 1486238 | DCHECK failure in (current_block) != nullptr in optimization-phase.h | - | 2024-01-02 |
| 1486316 | update_client_protocol_parser_fuzzer: Trap in std::__Cr::__libcpp_verbose_abort | - | 2024-01-02 |
| 1486581 | [test/pls ignore] bughunters site -> monorail report submission workflow | - | 2024-01-02 |
| 1486613 | Use-of-uninitialized-value in v8::internal::Decoder<v8::internal::Simulator>::DecodeBranchSystemException | - | 2024-01-02 |
| 1281972 | File Download Origin Spoof Using Long Subdomain | $3,000 | 2024-01-01 |
| 1456876 | Security: (Android) file download with long name cannot show the extension file it lead to spoof | $1,000 | 2024-01-01 |