Chromium Disclosed Security Bugs

Chromium security bugs are publicly disclosed by Google 14 weeks after fixing. They have great learning value, but it's difficult to keep track of exactly when they're derestricted. This page is a hub of security bugs that have recently gone public.

Bugs can also be followed on Twitter: @BugsChromium or Mastodon.

Bugs disclosed in 2023

# Summary $$$ Disclosure date
813542 Security: Web sites can open privileged pages via remote debugging server (CSRF) $3000 2023-03-24
1399331 Crash in v8::internal::MemoryAllocator::LookupChunkContainingAddress - 2023-03-24
1400176 GetEntriesWithChildFrames exposes top-level same origin iframes to cross-origin ones - 2023-03-24
1401528 DCHECK failure in entry.IsRegularEntry() in external-pointer-table-inl.h - 2023-03-24
1394968 DCHECK failure in Shared heap must not have clients at teardown. The first isolate that is created - 2023-03-23
1400730 Use-of-uninitialized-value in v8::internal::MarkingBarrier::Write - 2023-03-23
1401069 CHECK failure: untyped_->count(slot.address()) > 0 in heap-verifier.cc - 2023-03-23
1401077 DCHECK failure in ReadOnlyHeap::Contains(obj) || heap()->Contains(obj) in mark-compact-inl.h - 2023-03-23
1401078 CHECK failure: external_page_bytes[t] == page->ExternalBackingStoreBytes(t) - 2023-03-23
1401180 DCHECK failure in !heap_->always_allocate() in incremental-marking.cc - 2023-03-23
1401181 CHECK failure: InTypedSet(SlotType::kEmbeddedObjectFull, rinfo->pc()) || InTypedSet(SlotType::k - 2023-03-23
1401183 CHECK failure: IsValidHeapObject(heap_, heap_object) in heap-verifier.cc - 2023-03-23
1401336 CHECK failure: InTypedSet(SlotType::kEmbeddedObjectFull, rinfo->pc()) || InTypedSet(SlotType::k - 2023-03-23
1401337 CHECK failure: IsValidHeapObject(heap_, heap_object) in heap-verifier.cc - 2023-03-23
1361294 CrOS: Vulnerability reported in net-wireless/bluez - 2023-03-22
1386095 CrOS: Vulnerability reported in media-libs/tiff - 2023-03-22
1394279 DCHECK failure in code == topmost_ implies safe_to_deopt_ in deoptimizer.cc - 2023-03-22
1394408 Security: Debug check failed: enum_length == map->NumberOfEnumerableProperties() $11000 2023-03-22
1394973 Fatal error in Bytecode mismatch at offset 2 in interpreter.cc - 2023-03-22
1395604 Abrt in v8::internal::abort_with_reason - 2023-03-22
1397348 memory corruption in v8 $7000 2023-03-22
1398994 Security: ChromeOS CrosDisks mount-zip fuse argument injection $1000 2023-03-22
1399379 DCHECK failure in ThreadId::Current() == thread_id() in isolate.cc - 2023-03-22
1399424 v8_wasm_fuzzer: Crash in v8::internal::Simulator::WriteW - 2023-03-22
1399511 Security: UAF in MojoQueryQuotaIpcz $30000 2023-03-22
1399799 CHECK failure: !destination.IsDetachedOrOutOfBounds() in elements.cc - 2023-03-22
1399805 Crash in Builtins_PromiseRejectReactionJob - 2023-03-22
1399904 Security: Container Overflow in UDPSocket::OnLeaveGroupCompleted $10000 2023-03-22
1400054 Bad-cast to mojo::core::ipcz_driver::ObjectBase from ipcz::ParcelWrapper in mojo::core::ipcz_driver::Object<mojo::core::ipcz_driver::DataPipe>::FromHandle - 2023-03-22
1400062 CrOS: Vulnerability reported in net-misc/curl - 2023-03-22
1400431 v8_serialized_script_value_fuzzer: Heap-buffer-overflow in v8::internal::ValueDeserializer::ReadJSArrayBuffer - 2023-03-22
1400549 DCHECK failure in frame->is_unoptimized() in frames.h - 2023-03-22
1400551 DCHECK failure in pred_reverse_index != -1 in graph.h - 2023-03-22
1400810 DCHECK failure in 0 < level_ in mutex.h - 2023-03-22
1400051 Security: Debug check failed: Shared heap must not have clients at teardown, leading to SEGV_ACCERR $8000 2023-03-19
1385941 DCHECK failure in !initializing_store && property_details_.constness() == PropertyConstness::kCons - 2023-03-18
1393499 Security: UAF in drm_gem_object_release_handle $2000 2023-03-18
1395029 CrOS: Vulnerability reported in dev-libs/libxml2 - 2023-03-18
1399080 Security: libtiff CVE vulnerabilities in Chromium 106.0.5249.103 $500 2023-03-18
1399328 Crash in v8::internal::BasicMemoryChunk::area_start - 2023-03-18
1399330 CHECK failure: untyped_->count(slot.address()) > 0 - 2023-03-18
1399488 Crash in v8::internal::LookupIterator::Start<0> - 2023-03-18
1399489 CHECK failure: index < size() - 2023-03-18
1399491 Crash in void v8::internal::MarkingVisitorBase<v8::internal::ConcurrentMarkingVisitor, v8 - 2023-03-18
1399696 CHECK failure: value__value.IsJSReceiver() || value__value.IsSmi() || value__value.IsHeapNumber - 2023-03-18
866311 Security: Google Update for Windows allows arbitrary file creation when logs are enabled $5000 2023-03-16
1083278 Security: DNS Cache Poisoning through resource exhaustion in Chrome. $5000 2023-03-16
1357366 Sandbox bypass "allow-downloads" $3000 2023-03-16
1384737 AppCommands: perhaps deprecate older command format - 2023-03-16
1393547 DCHECK failure in IsInRegister(target_state, incoming) in maglev-regalloc.cc - 2023-03-16
1395603 DCHECK failure in !value->allocation().IsConstant() in maglev-assembler-x64-inl.h - 2023-03-16
1395718 Security: UAF in HandleExpandedPaths $31000 2023-03-16
1399332 DCHECK failure in heap()->non_atomic_marking_state()->IsWhite(target) in scavenger-inl.h - 2023-03-16
1399377 CHECK failure: external_page_bytes[t] == page->ExternalBackingStoreBytes(t) - 2023-03-16
1378233 CrOS: Vulnerability reported in dev-libs/libtasn1 - 2023-03-15
1396254 Security: CVE-2022-3970 was fixed in libtiff and published but not propagated to Pdfium yet $1000 2023-03-15
1057218 Security: Implement Resource Isolation with Random Restricted SIDs - 2023-03-14
1392661 Security: heap-use-after-free drop_target_event.cc:28 in ui::DropTargetEvent::DropTargetEvent $5000 2023-03-14
1395542 Security: heap-use-after-free third_party/swiftshader/src/WSI/VkSwapchainKHR.cpp:43:13 $2000 2023-03-14
1396222 Security: Fatal error in ../../src/heap/sweeper.cc $7000 2023-03-14
1396338 Crash in v8::internal::HeapObject::SizeFromMap - 2023-03-14
1396339 CHECK failure: marking_state_->IsBlack(heap_object) in mark-compact.cc - 2023-03-14
1396341 Use-of-uninitialized-value in v8::internal::MarkingBarrier::Write - 2023-03-14
1396342 DCHECK failure in handle & ~kVisitedHandleMarker == index << kExternalPointerIndexShift in externa - 2023-03-14
1396344 DCHECK failure in page->area_size() >= static_cast<size_t>(marking_state_->live_bytes(page)) in sw - 2023-03-14
1018214 Security: Updated Google Password. One of my Chrome OS machines still takes the old password though after over a week $1000 2023-03-13
1384403 DCHECK failure in GetCurrentStackPosition() >= stack_guard()->real_climit() - 8 * KB in isolate.cc - 2023-03-13
1394741 DCHECK failure in isolate()->thread_id() == ThreadId::Current() in heap.cc - 2023-03-13
1395117 Crash in v8::internal::JsonParser<unsigned char>::ParseJson - 2023-03-13
1395237 Heap-use-after-free in v8::internal::NodeBase<v8::internal::GlobalHandles::Node>::index - 2023-03-13
1395520 CHECK failure: untyped_->count(slot.address()) > 0 - 2023-03-13
1395737 DCHECK failure in LocationOperand::cast(source)->IsCompatible( LocationOperand::cast(destination)) - 2023-03-13
1371859 stack-use-after-return in gpu::gles2::ProgramInfoManager::Program::UpdateES2 $3000 2023-03-12
1383991 blink::MediaInspectorContextImpl::CullPlayers $7000 2023-03-12
1395311 CHECK failure: !base::IsInRange(slot.address(), start, end + 1) in remembered-set.h - 2023-03-12
840716 Unicode Line Terminators Can Cause UI Manipulation and Browser Crashes - 2023-03-10
1385831 UAF in CartService $2500 2023-03-10
1392721 Security: heap-use-after-free on chromeOS using PhoneHub + Screensharing $2000 2023-03-10
1393384 webcodecs_video_encoder_fuzzer: Heap-buffer-overflow in av1_get_one_pass_rt_params - 2023-03-10
1393564 Security: UAF in content::NavigationRequest::SetViewTransitionState in browser process $20000 2023-03-10
1394382 Chromium: Vulnerability reported in third_party/libxml - 2023-03-10
1395183 Crash in v8::internal::SpaceWithLinearArea::InvokeAllocationObservers - 2023-03-10
1395186 Chromium: Vulnerability reported in third_party/libxml - 2023-03-10
1395240 Crash in Builtins_JSEntryTrampoline - 2023-03-10
1349146 Security: Source maps support for file:// URLs gives devtools_page extensions local file access $5000 2023-03-09
1365366 Security: [maglev] VisitSwitchOnGeneratorState function JumpTableTargetOffsets can be 0 $7000 2023-03-09
1380645 Security: Use After Free in PasswordsPrivateDelegateImpl::OsReauthTimeoutCall, $1000 2023-03-09
1382484 Security: Chrome on Android Keyboard Able to Overlap Fullscreen Notification Toast $7500 2023-03-09
1392588 Security: Security DCHECK failed: IsA<Derived>(from) blink::CSSPrimitiveValue::ConvertToLength $8000 2023-03-09
1393728 Security: stack-use-after-scope in dawn::native::d3d12::ShaderModule::Compile $10000 2023-03-09
1393732 Security: Download notification can hide "Press and hold Esc to exit full screen" $3000 2023-03-09
1393865 Turbofan-Optimization Bug: "Check failed: IsBigInt()" $7000 2023-03-09
1394692 UAF in OnSyncMessageEventReady $6000 2023-03-09
1384516 gpu_raster_fuzzer: Use-of-uninitialized-value in cc::ServiceImageTransferCacheEntry::Deserialize - 2023-03-08
1385368 Security: Debug check failed: s->IsFlat(). $7000 2023-03-08
1393227 Security: dcheck failed in object.InSharedHeap $7000 2023-03-08
1393270 Crash in v8::internal::IsPrimitiveHeapObject_NonInline - 2023-03-08
1393733 CHECK failure: InstructionBlockAt(predecessor_id)->IsDeferred() in instruction.cc - 2023-03-08
1393940 CHECK failure: is_int8(disp) in assembler-x64.cc - 2023-03-08
1394036 CHECK failure: !control->Is<JumpLoop>() in maglev-regalloc.cc - 2023-03-08
1394403 Security: [0-day] FeedbackCell issue leading to type confusion - 2023-03-08
1246736 Security: Imagination PowerVR DRM Driver Integer overflow vulnerabilities on MTK platform Chromebook $20000 2023-03-07
1350386 Security: UAF in ArcInputOverlayManager::ReadDefaultData - 2023-03-07
1356760 Reject hidden name-only cookie prefixes - 2023-03-07
1370562 uaf in ui::PropertyHandler::GetPropertyInternal(with ) $2000 2023-03-07
1375131 Security: Unknown crash with READ of size 8 when access the chrome://gpu with WebGPU enabled - 2023-03-07
1380602 Security: heap-use-after-free ui/views/view.cc:1921:7 in views::View::HandleAccessibleAction $2000 2023-03-07
1383442 Security: UAF IN video_capture::VideoSourceImpl::OnClientDisconnected() services/video_capture/video_source_impl.cc:88:14 $16000 2023-03-07
1386120 Security: Pdfium heap-buffer-overflow in RgbByteOrderTransferBitmap() - 2023-03-07
1386122 Security: heap-buffer-overflow in CFX_DIBBase::SwapXY() - 2023-03-07
1386123 Security: Pdfium heap-buffer-overflow in RgbByteOrderTransferBitmap() - 2023-03-07
1386124 Security: Pdfium heap-buffer-overflow in CPDF_RenderStatus::LoadSMask() - 2023-03-07
1392061 Security: Debug check failed: IsPrimitiveMap() $10000 2023-03-07
1393097 mhtml_parser_fuzzer: Heap-buffer-overflow in modp_b64_decode - 2023-03-07
1393177 Security: WebGPU UAF in Dawn Memory Transfer Service - 2023-03-07
1392755 DCHECK failure in isolate()->thread_id() == ThreadId::Current() in heap.cc - 2023-03-06
1392934 v8_wasm_async_fuzzer: DCHECK failure in has_index() in value-type.h - 2023-03-06
1393468 gpu_swangle_passthrough_fuzzer: Segv on unknown address in __tls_get_addr - 2023-03-05
1393375 Security: Read OOB due to resizing underline typed array buffer - 2023-03-03
1393464 DCHECK failure in handle & ~kVisitedHandleMarker == index << kExternalPointerIndexShift in externa - 2023-03-03
1381871 UAF in blink::WidgetBase::BeginMainFrame(base::TimeTicks) $1500 2023-03-02
1382761 UAF in search::(anonymous namespace)::NewTabURLDetails::ForProfile(Profile*) $3000 2023-03-02
1386249 Security: Unretained() can be used for objects on the Oilpan heap $3000 2023-03-02
1386667 Negative-size-param in ipcz::BlockAllocator::InitializeRegion - 2023-03-02
1392585 Crash in Builtins_ConstructProxy - 2023-03-02
1392865 CHECK failure: InTypedSet(SlotType::kEmbeddedObjectFull, rinfo->pc()) || InTypedSet(SlotType::k - 2023-03-02
1392936 DCHECK failure in receiver_mode_ != ConvertReceiverMode::kNullOrUndefined in maglev-graph-builder. - 2023-03-02
1392953 Optimization bug in TurboShaft::MachineOptimizationReducer::ReduceSignedDiv $10000 2023-03-02
1316301 DCHECK failure at blink::WebFrameWidgetImpl::DragTargetDragEnter $1500 2023-03-01
1382033 Security: heap-buffer-overflow in network::ThrottlingNetworkInterceptor::UpdateThrottledRecords $2000 2023-03-01
1385709 UAF in CartHandler $2500 2023-03-01
1386121 Security: Pdfium heap-buffer-overflow in CFX_BitmapComposer::ComposeScanlineV() - 2023-03-01
1392577 Security: Debug Check end <= typed_aray->GetLength() - 2023-03-01
1392589 substring_set_matcher_fuzzer: Crash in base::SubstringSetMatcher::AhoCorasickNode::SetEdge - 2023-03-01
1392715 Security: heap-buffer-overflow in gpu::gles2::Texture::SetLevelCleared - 2023-03-01
1385691 Security: global-buffer-overflow css_property.cc:27 in blink::CSSProperty::Get $7000 2023-02-28
1385717 Security: Debug check failed: slot < sentinel_ in UpdateUntypedOldToSharedPointers $8000 2023-02-28
1386647 tint_regex_msl_writer_fuzzer.exe: Illegal-instruction in tint::Program::Program - 2023-02-28
1386129 substring_set_matcher_fuzzer: Heap-buffer-overflow in base::SubstringSetMatcher::AhoCorasickNode::SetEdge - 2023-02-27
1386287 DCHECK failure in result.valid() in optimization-phase.h - 2023-02-27
1387883 DCHECK failure in bytecode_offset >= kFunctionEntryBytecodeOffset in factory.cc - 2023-02-27
1388938 v8_wasm_streaming_fuzzer: DCHECK failure in sub_module->has_type(sub_index) in wasm-subtyping.cc - 2023-02-27
1386649 audio_encoder_isac_float_fuzzer.exe: Stack-buffer-overflow in webrtc::AudioEncoderIsacT<webrtc::IsacFloat>::EncodeImpl - 2023-02-26
1360743 Security: heap-use-after-free in the Metal features in the GPU process $1000 2023-02-25
1369205 Tests are failing: Verify that the placeholder <canvas> associated with an OffscreenCanvas tainted with cross-origin content cannot be read once commit has propagated... - 2023-02-25
1382074 ui_x11_cursor_loader_fuzzer: Heap-buffer-overflow in ui::ParseCursorFile - 2023-02-25
1383203 DCHECK failure in input_count <= std::numeric_limits<decltype(this->input_count)>::max() in operat - 2023-02-25
1384847 Revisit configurations for CoInitializeSecurity calls - 2023-02-25
1385673 DCHECK failure in IsJSFunction() in heap-refs.cc - 2023-02-25
1385935 DCHECK failure in page->area_size() >= static_cast<size_t>(marking_state_->live_bytes(page)) in sw - 2023-02-25
1379359 MTLDeviceProxy does not properly copy NSStrings - 2023-02-23
1155961 wildcard entry with runtime_blocked_hosts in ExtensionSettings policy is not enforced correctly - 2023-02-22
1339079 Security: GPU process continues running even if we fail to initialize the sandbox - 2023-02-22
1378564 Use-after-free in Mojo ChannelMac::SendMessageLocked $30000 2023-02-22
1381849 Memory corruption in PresentationRequest $8500 2023-02-22
1383755 tint_ast_clone_fuzzer: Heap-use-after-free in tint::utils::HashmapBase<tint::sem::Type const*, tint::Source const*, 8ul, tint: - 2023-02-22
1383976 DCHECK failure in !initializing_store && property_details_.constness() == PropertyConstness::kCons - 2023-02-22
1384318 DCHECK failure in value->Is<Int32Constant>() || value->Is<StringLength>() || value->Is<BuiltinStri - 2023-02-22
1384408 Crash in v8::internal::Invoke - 2023-02-22
1384411 Crash in Builtins_StringSubstring - 2023-02-22
1384474 DCHECK failure in count <= destination.GetLength() in elements.cc - 2023-02-22
1384513 Stack-use-after-return in blink::NGConstraintSpaceBuilder::NGConstraintSpaceBuilder - 2023-02-22
1384765 Check return from AddAllowedAce in ServiceMain::InitializeComSecurity - 2023-02-22
1384796 Maybe use PROCESS_QUERY_LIMITED_INFORMATION in LegacyProcessLauncherImpl::LaunchCmdElevated - 2023-02-22
1385291 DCHECK failure in kCanBeWeak || (!IsSmi() == HAS_STRONG_HEAP_OBJECT_TAG(ptr_)) in tagged-impl.h - 2023-02-22
1385305 Segv on unknown address in Builtins_InterpreterEntryTrampoline - 2023-02-22
1238642 Security: Refcount overflow in RefCountedThreadSafeBase $1000 2023-02-21
1368230 Security: SameSite cookie bypass on Android by redirecting to to intent-picker $5000 2023-02-21
1378357 Security: Avast aswJsFlt.dll 18.0.1479.0 exposes vulnerable pipe endpoint to renderers - 2023-02-21
1382363 UAF in AppIconReader $2000 2023-02-21
1382581 Security: UAF in validation_message_overlay_delegate $7000 2023-02-21
1383204 Trap in Builtins_CheckTurbofanType - 2023-02-21
1383422 Security: Heap-buffer-overflow in CommerceHintAgent::DidFinishLoadCallback $2500 2023-02-21
1383791 Security: UAF in lens::LensStaticPageController::LoadChromeLens $4000 2023-02-21
1384520 Crash in Builtins_StringEqual - 2023-02-21
1371215 Security: Forced user interaction for permission prompts by freezing the browser $3000 2023-02-20
1379860 DCHECK failure in !HAS_WEAK_HEAP_OBJECT_TAG(ptr_) in tagged-impl-inl.h - 2023-02-20
1381763 CrOS: Vulnerability reported in x11-libs/pixman - 2023-02-20
1372019 Security: ClientNativePixmapFactory implementations are probably not validating enough and should use checked math - 2023-02-18
1344756 Security: Heap-use-after-free in ReadAnythingCoordinator::CreateAndRegisterEntry $4000 2023-02-17
1381094 Security: UAF in DlpScopedFileAccessDelegate::OnResponse - 2023-02-17
1381217 Security: Bypass 1342722, sourceMappingURL directive allows use of UNC paths on Windows $5000 2023-02-17
1382652 Security: global-buffer-overflow in ash::default_user_image::GetRandomDefaultImageIndex() - 2023-02-17
1382816 v8_wasm_code_fuzzer: DCHECK failure in opcode >> 8 == kNumericPrefix in function-body-decoder-impl.h - 2023-02-17
1382993 Security: UAF in content::RenderFrameDevToolsAgentHost::RenderProcessExited $31000 2023-02-17
1383362 DCHECK failure in type == MachineType::Int32() || type == MachineType::Uint32() || type.representa - 2023-02-17
1383367 DCHECK failure in value->Is<Int32Constant>() || value->Is<StringLength>() || value->Is<BuiltinStri - 2023-02-17
1383369 Crash in v8::internal::maglev::GetInputLocationsArraySize - 2023-02-17
1383374 Crash in Builtins_ConstructProxy - 2023-02-17
1375021 uaf in FederatedAuthRequestImpl $10000 2023-02-16
1376995 uaf in FederatedAuthRequestimpl $10000 2023-02-16
1377165 Reading local files through an extension that only has the "downloads" permission $5000 2023-02-16
1380860 gl_lpm_fuzzer: Use-of-uninitialized-value in wsi_unsupported_instance_extension - 2023-02-16
1382369 UAF in ScreenAIService $2500 2023-02-16
1382434 Security: Copy-on-write check bypass in JSNativeContextSpecialization::BuildElementAccess - 2023-02-16
1382690 UAF in ScreenAIServiceRouter $5000 2023-02-16
1377783 Security: heap-use-after-free in StreamFactory::DestroyMuter - 2023-02-15
1378601 webcodecs_video_encoder_fuzzer: Heap-buffer-overflow in aom_variance64x64_avx2 - 2023-02-15
1381335 Security: Debug check failed: kCanBeWeak || (!IsSmi() == HAS_STRONG_HEAP_OBJECT_TAG(ptr_)). $11000 2023-02-15
1381401 Security: UAF in VideoCaptureDeviceWin $11000 2023-02-15
1358647 Security: Bypass the Protection of input fields cache (Autofill) 1108181 $5000 2023-02-14
1367632 Security: Extension sanitization bypass by using %% $2000 2023-02-14
1376099 Security: Design flaw in Synchronous Mojo message handling introduces unexpected reentrancy and allows for multiple UAFs - 2023-02-14
1379242 UAF in ExtensionInstalledWaiter $2000 2023-02-14
1380751 CrOS: Vulnerability reported in net-vpn/strongswan - 2023-02-14
1382423 Trap in Builtins_CheckTurbofanType - 2023-02-14
1358505 Security: V8: Missing TurboFan bounds check on DataView when buffer is resizable - 2023-02-13
1365053 CHECK failure: result.failed() implies v8_flags.wasm_lazy_validation in module-compiler.cc - 2023-02-13
1379579 Security: heap-use-after-free browser\renderer_host\render_process_host_impl.cc:2068 in content::RenderProcessHostImpl::CreateNotificationService $8000 2023-02-13
1381330 v8_wasm_async_fuzzer: DCHECK failure in opcode >> 8 == kAtomicPrefix in function-body-decoder-impl.h - 2023-02-13
1381663 Crash in v8::internal::maglev::InterpreterFrameState::get - 2023-02-13
1381665 DCHECK failure in count() > 0 in maglev-graph-builder.h - 2023-02-13
1326788 Security: Lackluster "File System Access API" block-list provides full disk read/write access $1000 2023-02-10
1359122 Security: SOP bypass leaks navigation history of iframe from other subdomain if location changed to about:blank $2000 2023-02-10
1372457 Possible vulnerability in crosvm: Invalid check for Virtio descriptors - 2023-02-10
1378457 Security: UAF in PasswordAutofillManager::OnBiometricReauthCompleted $7000 2023-02-10
1378813 extension_file_highlighter_fuzzer: Trap in std::Cr::__libcpp_verbose_abort - 2023-02-10
1378997 Security: FileChooserImpl still traverse symlink in symlink to directory $3000 2023-02-10
1380398 Crash in Builtins_StringEqual - 2023-02-10
1380498 v8_wasm_code_fuzzer: DCHECK failure in a == b in liftoff-assembler.cc - 2023-02-10
956979 Mixed content can be bypassed by sandboxed pages $1000 2023-02-09
1359678 CrOS: Vulnerability reported in media-libs/tiff - 2023-02-09
1377610 CrOS: Vulnerability reported in media-libs/tiff - 2023-02-09
1377790 Security: CSA_DCHECK failed: Torque assert 'remainingElementsCount >= 0' failed in v8 - 2023-02-09
1379740 Security DCHECK failure: unit.TextContentEnd() <= text.length() in ng_offset_mapping.cc - 2023-02-09
1380478 Security: clang-analyzer-cplusplus.NewDelete in third_party/pdfium/core/fpdfapi/parser/cpdf_object_walker.cpp - 2023-02-09
1352445 Security: heap-use-after-free in password_manager::WellKnownChangePasswordState::SetChangePasswordResponseCode - 2023-02-08
1356987 Security: External notifications from external apps (such as Telegram) can block Android fullscreen notification. (Testes on latest Chrome stable) $2000 2023-02-08
1375132 Security: Android: Bluetooth and USB chooser dialogs do not use top-level origin with permission delegation $3000 2023-02-08
1378456 Security: UAF in PasswordAutofillManager::DidAcceptSuggestion - 2023-02-08
1378814 DCHECK failure in properties().can_eager_deopt() in maglev-ir.h - 2023-02-08
1378916 Security: local IP address disclosure using WebRTC candidate foundation - 2023-02-08
1379054 Security: Promise.any.call leak hole, leading to RCE $15000 2023-02-08
1379201 Security: Stack-buffer-overflow in WebGL vulkan backend $11000 2023-02-08
1379364 DCHECK failure in IsImmAddSub(frame_size) in liftoff-assembler-arm64.h - 2023-02-08
1379468 DCHECK failure in 0 != new_nodes_.count(value) in maglev-graph-builder.h - 2023-02-08
1379831 Security: stack-buffer-overflow in mojo::core::ipcz_driver::ObjectBase::PeekBox(browser process) - 2023-02-08
1379864 DCHECK failure in new_target->IsConstructor() in js-objects.cc - 2023-02-08
1380313 Use-after-poison in blink::CSSSelector::SelectorListOrParent $12000 2023-02-08
1370028 Security: Chrome on Android the Fullscreen Notification Toast Not shown when fullscreen (screen lock mode landscape) $5000 2023-02-06
1374995 Trap in Builtins_CheckTurbofanType - 2023-02-03
1375073 DCHECK failure in constructor->IsNull(isolate) in runtime-classes.cc - 2023-02-03
1378571 Security: UAF in MultiplexEncoderFactory $11000 2023-02-03
1345045 CSP Bypass (Old Issue) $3000 2023-02-02
1371844 Security: UAF in PluginVmInstaller::DetectImageType $1000 2023-02-02
1374746 CHECK failure: proto.map().oddball_type() == OddballType::kNull in compilation-dependencies.cc - 2023-02-02
1377775 Crash in Builtins_StringIndexOf - 2023-02-02
1377816 Security: WebAssembly UAF in catch block with stale memory start pointer $21000 2023-02-02
1377840 Security: Incorrect rab flags setting leads to type confusion in V8 - 2023-02-02
1378286 Security: Heap-use-after-free in InstallablePaymentAppCrawler::OnPaymentMethodManifestParsed $39000 2023-02-02
1378287 Security: Heap-use-after-free in ChromeAutofillClient::DidFinishNavigation - 2023-02-02
1378323 compositor_frame_fuzzer: Global-buffer-overflow in gfx::Transform::RotateAboutZAxis - 2023-02-02
1365877 Security: Esc doesn't exit fullscreen in Crostini apps - 2023-02-01
1374294 Security: access-violation src\v8\src\api\api.cc:5809 in v8::String::WriteOneByte $5000 2023-02-01
1378437 Crash in Builtins_Construct_WithFeedback - 2023-02-01
1378494 Crash in Builtins_StringSubstring - 2023-02-01
1378495 Crash in Builtins_InterpreterEntryTrampoline - 2023-02-01
1340924 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1343339 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1344118 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1344821 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1346256 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1346675 Security: UTF chartorune heap-buffer-overflow crash $8000 2023-01-31
1361911 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1362225 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1362331 Generic CORS bypass that enables Cross-Site-Tracing (XST) $1000 2023-01-31
1363579 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1366771 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1367617 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1368560 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1369956 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1370293 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1372757 Security: Heap-use-after-free in ash::OverviewItem::ShowWindowInOverview $1500 2023-01-31
1378168 Use-of-uninitialized-value in v8::internal::compiler::BranchElimination::SimplifyBranchCondition - 2023-01-31
1368739 Security: FencedFrame - Two way communication between embedder and frame $6000 2023-01-30
1251790 Security: Top-level redirect from cross-origin iframe by setting `Content-Security-Policy: sandbox allow-top-navigation` $5000 2023-01-28
1375059 Multiple checks fail, cross process crash, maybe race condition & use-after-free in video_encoder.cc $7000 2023-01-28
1303597 Heap-use-after-free in blink::BoxPainterBase::PaintFillLayer $10000 2023-01-27
1342072 Security: Presentation API dialog unexpectedly shows top-level origin when called by cross-origin iframe without explicit allow-presentation delegation $7500 2023-01-27
1361066 Security: OOB write on Lacros $2000 2023-01-27
1365945 Security: UAF in ash::network_diagnostics::DnsResolutionRoutine::CreateHostResolver() (browser process) $3000 2023-01-27
1376856 Crash in Builtins_Construct_WithFeedback - 2023-01-27
1376930 CHECK failure: BigIntNegate of kRepTaggedPointer (BigInt) cannot be changed to kRepTaggedPointe - 2023-01-27
1377250 UaF in PRM observerlist after browser change (confirmation chip) - 2023-01-27
985740 CrOS: Vulnerability reported in sys-libs/glibc - 2023-01-25
1372746 Security: Heap-use-after-free in ash::ScopedOverviewHideWindows::~ScopedOverviewHideWindows $2000 2023-01-25
1373941 Security: heap-use-after-free in ProfileDestroyer::DestroyProfileNow $2000 2023-01-25
1374513 Security: Bypass powerwash using factory_install_reset file - 2023-01-25
1375088 Security: UAF in webgpu\gpu.cc in blink::`anonymous namespace'::CreateContextProviderOnMainThread $8000 2023-01-25
1376067 Heap-buffer-overflow in blink::CSSParserImpl::ConsumeStyleRule - 2023-01-25
1355718 Security: UAF in hci_cmd_timeout $15000 2023-01-24
1367547 Security: Heap-use-after-free in autofill::AutofillContextMenuManager::ExecuteCommand $5000 2023-01-24
1370393 Container-overflow in ui::Layer::OnDeviceScaleFactorChanged - 2023-01-24
1374341 Heap-buffer-overflow in blink::GetCrossOriginAttributeValue - 2023-01-24
1375932 DCHECK failure in isolate->context().is_null() || isolate->context().IsContext() in runtime-string - 2023-01-24
1376069 Crash in v8::internal::Runtime_StringCharCodeAt - 2023-01-24
1370502 Security: Double free in setup_cb_free - 2023-01-23
1372665 Security: UAF in MyFilesSizeCalculator::ComputeLocalFilesSize, - 2023-01-23
1372695 Security: heap-use-after-free third_party\blink\renderer\core\workers\worker_thread.cc:905 in blink::WorkerThread::PauseOrFreezeOnWorkerThread $7000 2023-01-23
1329374 Security: heap-buffer-overflow on ash/shelf/shelf_view.cc (chromeOS) - 2023-01-21
1368587 Security: heap-use-after-free on aura::WindowOcclusionTracker::MaybeObserveAnimatedWindow $1000 2023-01-21
1374226 Illegal-instruction in blink::NGTableSectionLayoutAlgorithm::Layout - 2023-01-21
1374535 DCHECK failure in imm.index < num_locals() in function-body-decoder-impl.h - 2023-01-21
1374626 DCHECK failure in JSFunction::cast(entry.map(isolate).GetConstructor()) == native_context.array_fu - 2023-01-21
1372999 Security: Heap-use-after-free in SpeechRecognitionRecognizerImpl::ChangeLanguage $10000 2023-01-19
1373314 Security: WebGPU: Out of bounds write in OnBufferMapAsyncCallback - 2023-01-19
1374232 v8_regexp_parser_fuzzer: DCHECK failure in index <= known_captures in regexp-parser.cc - 2023-01-19
1344647 chrome.debugger API bypasses the runtime_blocked_hosts cookie protection $3000 2023-01-18
1354518 Security: .url files can be saved via getFileHandle and redirect showSaveFilePicker to arbitrary file $1000 2023-01-18
1366330 CrOS: Vulnerability reported in media-libs/tiff - 2023-01-18
1371860 Security: UAF in mojo::SimpleWatcher::Context in MojoIpcz feature (browser process) $20000 2023-01-18
1371926 Security: file_type_policies changes reintroduce attack surface - 2023-01-18
1372500 CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (IsJSReceiver_NonInline(*this)) in js - 2023-01-18
1372653 Use-after-poison in blink::NGBlockNode::StoreResultInLayoutBox - 2023-01-18
1372784 use after poison in HeapObjectHeader::LoadEncoded() $10000 2023-01-18
1373770 DCHECK failure in gc_epilogue_callbacks_.IsEmpty() in local-heap.cc - 2023-01-18
1373772 CHECK failure: diff <= 0.5 - 2023-01-18
1080624 CrOS: Vulnerability reported in sys-libs/glibc - 2023-01-16
1162252 CrOS: Vulnerability reported in x11-libs/gdk-pixbuf - 2023-01-16
1176031 Reading local files through an extension that only has the "downloads" permission $5000 2023-01-16
1294202 CrOS: Vulnerability reported in dev-libs/protobuf - 2023-01-16
1298886 CrOS: Vulnerability reported in media-libs/tiff - 2023-01-16
1354271 Security: [ANGLE] Heap-buffer-overflow caused by writing exceeding the querypool size $17000 2023-01-14
1365004 Security: Chrome Android: Incognito Mode grants access to the address bar although reauthentication is required - 2023-01-14
1279268 Security: Page can cause autofill prompt to render near cursor in order to bypass intentional mouse movement input requirements for autofill (Bypass of issue 1240472 fix) $3000 2023-01-13
1356211 Security: XML object's heap memory difference leaking or potential ASLR bypass in libXML $1000 2023-01-13
1365330 Security: heap-use-after-free in blink::LocalFrameView::PerformLayout (incomplete fix for CVE-2022-3199) - 2023-01-12
1366415 UAF in AccessibilityManager $2000 2023-01-12
1369871 Security: Race condition in JSCreateLowering, leading to RCE $20000 2023-01-12
1369882 Security: use-after-poison interface_endpoint_client.cc:900 in mojo::InterfaceEndpointClient::HandleValidatedMessage $10000 2023-01-12
1370439 UAF in SelectFileDialogLinuxKde::CallKDialogOutput $7000 2023-01-12
1370969 Crash in blink::NGBlockNode::StoreResultInLayoutBox - 2023-01-12
1350442 Security: UAF in BackForwardCache $30000 2023-01-11
1358168 Security: clang-analyzer-core.uninitialized.Assign in third_party/ffmpeg/libavformat/riffdec.c - 2023-01-11
1364662 Security: UAF in in safe_browsing::IncidentReportingService::AddIncident(browser process) $7000 2023-01-11
1367650 DCHECK failure in offsets.size() != 0 in maglev-graph-builder.cc - 2023-01-11
1370416 DCHECK failure in is_loadable() in maglev-ir.h - 2023-01-11
1370423 DCHECK failure in HAS_SMI_TAG(ptr) in smi.h - 2023-01-11
587956 Security: Android: Apps with external storage access can steal CSRF tokens - 2023-01-10
1361612 heap-use-after-free : webrtc::`anonymous namespace'::ProduceRemoteInboundRtpStreamStatsFromReportBlockData - 2023-01-10
1363583 Security: Heap-use-after-free in UserNoteService::OnNoteCreationDone $5000 2023-01-10
1366843 uaf in v8_inspector::InjectedScript::addPromiseCallback $1000 2023-01-10
1367862 DCHECK failure in IsPrimitiveMap() in map-inl.h - 2023-01-10
1368046 Security: Type confusion in V8 $10000 2023-01-10
1370400 DCHECK failure in key->IsJSReceiver() in runtime-collections.cc - 2023-01-10
1370402 DCHECK failure in target().IsUndefined() || target().IsJSReceiver() in js-weak-refs-inl.h - 2023-01-10
1259492 Security UI Spoofing on Chrome for Android due to the Contact permission dialog hiding the fullscreen alert message $7500 2023-01-09
1363287 DCHECK failure in GetCurrentStackPosition() >= stack_guard()->real_climit() - 32 * KB in isolate.c - 2023-01-08
1368076 Security: Report 2 Vulnerabilities in WebSQL $13000 2023-01-07
1051198 Compromised renderer can arbitrarily read the clipboard - 2023-01-06
1363040 uaf in PermissionStatus::OnPermissionStatusChange $2500 2023-01-06
1366812 Security: UAF in content::DevToolsSession::DispatchProtocolResponse (browser process) $1000 2023-01-06
1366464 Back Forward Cache storage of RenderViewHost is unsafe - 2023-01-05
1367680 GPU failure in blink::NGPhysicalBoxFragment::CheckSameForSimplifiedLayout - 2023-01-05
1355560 heap-use-after-free ui/views/view.cc:1898:7 in views::View::HandleAccessibleAction $2000 2023-01-04
1366806 Security: Heap-use-after-free in InstallablePaymentAppCrawler::OnPaymentMethodManifestParsed $38000 2023-01-04
1367678 DCHECK failure in generator_block->control_node()->opcode() == Opcode::kSwitch in maglev-regalloc. - 2023-01-04
345205 DevTools: Combat self-xss - 2023-01-04
1360042 V8: Generic lowering of JSForInPrepare tries to read from FixedArray - 2023-01-03
1363030 uaf in ArcInputOverlayManager::ReadData - 2023-01-03
1364604 Security: heap-use-after-free in GrClientMappedBufferManager::owningDirectContext $15000 2023-01-03
1367231 Security: UAF in AutofillContextMenuManager::ExecuteCommand $7000 2023-01-03
1367651 CHECK failure: size <= kMaxRegularHeapObjectSize - 2023-01-03
1367993 Security: WebRTC crash in `AudioMultiVector::PushBackInterleaved` - 2023-01-03
1340879 Security: Custom Tab HTTP Header Injection $3000 2023-01-02