Chromium Disclosed Security Bugs

Google discloses Chromium security bugs 14 weeks after fixing them. This website makes it easier to keep track of them.

This page is run by @securityMB but it is not an official Google product.

Bugs disclosed in 2016.json

#Summary$$$Disclosure date
645811Crash in mojo::internal::Router::OnConnectionError-2016-12-31
648031Heap-use-after-free in pp::MacroExpander::expandMacro-2016-12-31
647922Crash in SuperBlitter::blitH-2016-12-31
648935Crash in FindBit-2016-12-31
649826Heap-use-after-free in CPDF_ViewerPreferences::IsDirectionR2L-2016-12-31
622271Security: Adobe Flash ContextMenu Use After Free$3,0002016-12-30
622634Security: use-after-free vulnerability in flash player 22.0.0.192$3,0002016-12-30
630544Security: use-after-free vulnerability in flash player 22.0.0.209$3,0002016-12-30
630547Security: use-after-free vulnerability in Adobe flash player$3,0002016-12-30
640177Security: use-after-free vulnerability in flash player latest version$3,0002016-12-30
647791Heap-buffer-overflow in gpu::gles2::ShaderTranslator::Translate-2016-12-30
648620CRASH() writes to a fixed mappable address-2016-12-30
649056Assertion failed: !object || (object->isBox())-2016-12-30
649095Bad-cast to blink::LayoutBox from blink::LayoutInline;blink::LayoutBox::firstChildBox;blink::ThemePainterDefault::setupMenuListArrow-2016-12-30
649058Use-of-uninitialized-value in blink::BoxPainter::paint-2016-12-30
649599Crash in blink::ThemePainterDefault::setupMenuListArrow-2016-12-30
502871Security: adobe flash NetStream.appendBytes ByteArray data Use-After-Free$3,0002016-12-29
646278Security: Address Bar URL Spoofing$5002016-12-29
648671Bad-cast to webrtc::Module from webrtc::BitrateControllerImpl;webrtc::CongestionController::TimeUntilNextProcess;webrtc::ProcessThreadImpl::Process-2016-12-29
647329Use-after-poison in fuzz_wasm_section-2016-12-28
645540Update It2Me host to show confirmation prompt for incoming connections.-2016-12-28
648373Crash in v8::internal::SloppyArgumentsElementsAccessor<v8::internal::SlowSloppyArgumentsE-2016-12-28
645028Web accessible resources checks should work with blob: and filesystem: URLs that have chrome-extension:// inner URLs-2016-12-27
647612Heap-use-after-free in CPDF_RenderStatus::LoadSMask-2016-12-27
647893Use-of-uninitialized-value in CPDF_DIBSource::TranslateScanline24bpp-2016-12-27
647683Wrong security state when going back/forward after HTML5 history push-2016-12-27
639750XSS using Dropjacking-2016-12-26
646351Crash in v8::internal::SloppyArgumentsElementsAccessor<v8::internal::SlowSloppyArgumentsE-2016-12-26
640233Use-of-uninitialized-value in SkGradientShaderBase::SkGradientShaderBase-2016-12-25
645729Use-after-poison in blink::TimerBase::runInternal$3,5002016-12-25
646178Heap-use-after-free in blink::ShapeOutsideInfo::isEnabledFor-2016-12-25
647197Heap-double-free in v8::internal::wasm::testing::InterpretWasmModule-2016-12-24
647110Heap-double-free in v8::internal::wasm::testing::InterpretWasmModule-2016-12-24
647027Heap-use-after-free in v8::internal::wasm::ThreadImpl::Execute-2016-12-24
647481Use-of-uninitialized-value in SkGradientShaderBase::SkGradientShaderBase-2016-12-24
647267Crash in blink::TopDocumentRootScrollerController::globalRootScroller-2016-12-24
644674Attempting free in void v8::internal::LocalArrayBufferTracker::Free<-2016-12-23
647269Bad-cast to blink::TopDocumentRootScrollerController from blink::RootScrollerController;blink::PaintLayerCompositor::updateClippingOnCompositorLayers;blink::PaintLayerCompositor::updateIfNeeded-2016-12-23
646258Crash in ReadUnalignedValue<int>-2016-12-23
627399Use-of-uninitialized-value in CCodec_TiffContext::Decode-2016-12-22
621838Memcpy-param-overlap in CCodec_ProgressiveDecoder::JpegReadMoreData-2016-12-22
645745Unable to block cookies$5002016-12-22
646786Use-of-uninitialized-value in SkMatrix44::computeTypeMask-2016-12-22
646350Heap-use-after-free in ash::WmWindowAura::StackChildAbove-2016-12-22
641239Use-of-uninitialized-value in blink::PointerEventManager::setPointerCapture-2016-12-21
638159Use-of-uninitialized-value in test_runner::MockWebSpeechRecognizer::PostRunTaskFromQueue-2016-12-21
642070Use-of-uninitialized-value in update_current_folder_get_info_cb-2016-12-21
643939Crash in v8::internal::Invoke-2016-12-21
645839Heap-use-after-free in cc::Scheduler::BeginImplFrameWithDeadline-2016-12-21
644733Heap-buffer-overflow in blink::LazyLineBreakIterator::nextBreakablePositionIgnoringNBSP-2016-12-21
645777Use-of-uninitialized-value in base::time_internal::SaturatedSub-2016-12-20
645186Memcpy-param-overlap in CCodec_ProgressiveDecoder::JpegReadMoreData-2016-12-20
645201Use-of-uninitialized-value in webrtc::PlayoutDelayLimits::Parse-2016-12-19
645770Heap-buffer-overflow in void std::vector<aura::Window*, std::allocator<aura::Window*> >::_M_insert_aux<a-2016-12-18
644373Security - Unexploitable: Integer Overflow in media::mp4::TrackRunIterator::Init leading to arbitrary size OOB read in an arbitrary offset from the buffer.-2016-12-17
645034Use-of-uninitialized-value in blink::TraceMethodDelegate<blink::PersistentBase<blink::DOMArrayBuffer,-2016-12-17
645657Use-of-uninitialized-value in base::Pickle::WriteBytes-2016-12-17
641995value.isFunctionValue()-2016-12-16
632709Heap-use-after-free in CPDFSDK_Widget::SetAppModified-2016-12-15
642803Heap-use-after-free in cc::SurfaceManager::UnregisterBeginFrameSource-2016-12-15
643726Heap-buffer-overflow in safe_browsing::dmg::UDIFBlock::ParseBlockData-2016-12-15
643173Wrong security state when redirecting to HTTP$2,0002016-12-15
644182Heap-buffer-overflow in unibrow::Utf8::Validate-2016-12-15
648971Chrome OS exploit: c-ares OOB write + dump_vpd_log > symlink$100,0002016-12-14
632848!object || (object->isBox())-2016-12-14
637899Heap-buffer-overflow in Decode-2016-12-14
640998Crash in CPDF_Parser::LoadCrossRefV5-2016-12-14
643431Crash in v8::internal::Object::SetPropertyInternal-2016-12-14
643665Crash inside SuperBlitter::blitH-2016-12-14
643933Crash in SuperBlitter::blitH-2016-12-14
643935Heap-buffer-overflow in gpu::gles2::Texture::SetLevelInfo-2016-12-14
640999Heap-use-after-free in base::ObserverListBase<content::RenderThreadObserver>::RemoveObserver-2016-12-13
642987Heap-buffer-overflow in unibrow::Utf8::Validate-2016-12-13
643137Heap-use-after-free in blink::TimerBase::getTimerTaskRunner-2016-12-13
643970Use-of-uninitialized-value in SkUnPreMultiply::PMColorToColor-2016-12-13
644003Use-of-uninitialized-value in mojo::edk::ChannelPosix::WriteNoLock-2016-12-13
624011Security: UAF with namespace nodes in XPointer ranges$3,5002016-12-11
638220Heap-buffer-overflow in test_runner::BoundsForCharacter-2016-12-10
638166Heap-use-after-free in content::RenderFrameImpl::NavigateInternal-2016-12-09
642867Crash in v8::internal::wasm::WasmFullDecoder::AnalyzeLoopAssignment-2016-12-09
642639<no crash state available>-2016-12-09
643071Crash in v8::internal::NewSpace::Verify-2016-12-09
640576Heap-use-after-free in base::WaitableEvent::Signal-2016-12-08
642028Use-of-uninitialized-value in void WTF::copyToVector<WTF::HashSet<blink::LayoutObject*, WTF::PtrHash<blink::La-2016-12-08
497302Integer-overflow in sfntly::FontData::Bound$1,0002016-12-06
642063Crash in v8::internal::HeapObject::SizeFromMap-2016-12-06
641575Crash in v8::internal::InstantiateObject-2016-12-05
623992Use-of-uninitialized-value in unicodetoupper-2016-12-04
622197Heap-buffer-overflow in u16_u8-2016-12-03
633473Use-of-uninitialized-value in Hunspell::spell-2016-12-03
638570Use-of-uninitialized-value in AffixMgr::compound_check-2016-12-03
638562Stack-buffer-overflow in SfxEntry::checkword-2016-12-03
625915Mac: 'Press Esc to exit fullscreen' covered up by permission prompts-2016-12-02
638615Security: heap-buffer-overflow in ImageBitmap::ImageBitmap$5,5002016-12-02
619368Heap-buffer-overflow in content::WriteMemory-2016-12-01
631375Security: mbspatch: Malform patch file may access heap out of bound-2016-12-01
635602Heap-use-after-free in content::RenderProcessHostImpl::ConnectionFilterImpl::GetInterface-2016-12-01
635879Security: Format String Vulnerability in Chrome OS$1,0002016-12-01
638223Use-of-uninitialized-value in Break-2016-12-01
638742Security: Universal XSS using ThreadDebugger::setMonitorEventsCallback$2,0002016-12-01
617124Use-of-uninitialized-value in WebRtcSpl_CountLeadingZeros32-2016-11-30
637594Security: Universal XSS using DevTools$2,0002016-11-30
639658Security: Navigating to "chrome://" URLs via 'about:' protocol$5002016-11-30
637546Security: UNKOWN in CFX_Edit_Provider::GetCharWidthW$1,0002016-11-29
639451Heap-use-after-free in std::__1::__tree_const_iterator<std::__1::__value_type<CFX_ByteString, CPDF_Obje-2016-11-29
639984Heap-use-after-free in FORM_DoDocumentAAction-2016-11-29
639985Use-of-uninitialized-value in shell::internal::InterfaceFactoryBinder<IPC::mojom::ChannelBootstrap>::BindInter-2016-11-29
633306CSP can be abused to disclose URIs cross-origin-2016-11-25
638571Heap-use-after-free in blink::DepthOrderedLayoutObjectList::ordered-2016-11-25
638928!m_deletionHasBegun-2016-11-25
628942Security: Universal XSS with ScopedPageLoadDeferrer and RemoteFrame$17,5002016-11-24
630654Heap-use-after-free in CPDFSDK_Document::KillFocusAnnot$3,0002016-11-24
633474Negative-size-param in blink::LayoutGrid::populateExplicitGridAndOrderIterator-2016-11-24
638186Use-after-poison in blink::SVGLengthContext::convertValueToUserUnits-2016-11-24
638192Use-after-poison in blink::ElementResolveContext::ElementResolveContext-2016-11-24
638226Use-of-uninitialized-value in v8::internal::PointerUpdateJobTraits<-2016-11-24
619381Crash in GrCircleBlurFragmentProcessor::CreateCircleBlurProfileTexture-2016-11-23
633385CUPS domain socket should only be openable by user chonos-2016-11-23
635848Security: Crash in CPDF_Dictionary::GetObjectBy$1,0002016-11-23
638185Bad-cast to const blink::LayoutBox from blink::LayoutSVGResourcePattern;blink::PaintInvalidationState::updateForNormalChildren;blink::PaintInvalidationState::updateForChildren-2016-11-23
638219Bad-cast to blink::LayoutBox from blink::LayoutSVGEllipse;blink::LayoutObject::positionForPoint;blink::LayoutBox::clippingRect-2016-11-23
622033Heap-buffer-overflow in sctp_send_deferred_reset_response-2016-11-22
630870Security: Universal XSS by intercepting a UA shadow tree$7,5002016-11-22
636268Security: heap-buffer-overflow in SkColorSpace$3,5002016-11-22
634557Security: Blob file entries aren't checked against security policy-2016-11-22
628999Crash in blink::Geolocation::onGeolocationPermissionUpdated-2016-11-21
635577Crash in mojo::AssociatedBinding<blink::mojom::blink::BroadcastChannelClient>::RunConnect-2016-11-19
637320Security: Unchecked .end() iterator dereference in VTVideoDecodeAccelerator::ReusePictureBuffer-2016-11-19
625404Security: use-after-free in AttachFilteredEvent on event_bindings.cc$3,0002016-11-18
628920Security: Address bar spoofing on iOS-2016-11-18
625575Security: bypassing CORS by XHR + MemoryCache + ServiceWorker-2016-11-18
633687Security: Full browser crash when trying to open missing 'downloaded' resource file.-2016-11-18
626893Security: Arbitrary memory write in v8::internal::GlobalHandles::IterateNewSpaceWeakUnmodifiedRoots()$3,0002016-11-17
628542Heap-buffer-overflow in unibrow::Utf8::Validate-2016-11-17
631368Crash in blink::getPropertyNameString-2016-11-17
634954Security: Address bar spoofing with itunes page on iOS-2016-11-17
636194Crash in void SkLinearGradient::LinearGradientContext::shade4_dx_clamp<false, false>-2016-11-17
635571Crash in blink::EventTarget::fireEventListeners-2016-11-17
622420Security: Type confusion in StylePropertySerializer::getCustomPropertyText.-2016-11-16
632124Global-buffer-overflow in silk_NLSF2A-2016-11-16
635574Use-after-poison in blink::CrossThreadPersistentRegion::shouldTracePersistentNode$3,5002016-11-16
600352Security: Cross-Protocol Theft from non-HTTP services via DNS rebinding + HTTP/0.9-2016-11-15
611955//components/filesystem/public/interfaces/*.mojom files need security review-2016-11-15
618037Security: Devtools old remote frontend allows running privileged scripts via overwriting localStorage settings$1,0002016-11-15
633472Use-of-uninitialized-value in segment-2016-11-15
632849Heap-buffer-overflow in SkA8_Blitter::blitH-2016-11-13
628890Security: heap-buffer-overflow in opj_tcd_code_block_dec_allocate$3,5002016-11-12
628304Security: heap-buffer-overflow in opj_v4dwt_interleave_h$3,5002016-11-12
634238Security: Adobe Flash Button.blendMode setter uninitialized stack variable-2016-11-12
635045Use-of-uninitialized-value in blink::ImagePattern::isLocalMatrixChanged-2016-11-12
619429Security: Able to bypass permission prompt on keypress-2016-11-11
624514Heap-buffer-overflow in CWeightTable::Calc$3,5002016-11-11
634114Heap-use-after-free in blink::LayoutFieldset::adjustInnerStyle-2016-11-11
634394Security: UAF in PDFium's TimerProc()-2016-11-11
627355Crash in _platform_memmove$VARIANT$Nehalem-2016-11-10
632965Security: OOB read with CallSite and wasm-2016-11-10
633585Crash in v8::internal::InnerPointerToCodeCache::GcSafeFindCodeForInnerPointer-2016-11-10
633471Use-of-uninitialized-value in GrPipeline::CreateAt-2016-11-08
633486Tracking bug for internal fixes: Chrome M52, release 1-2016-11-08
479961Apply wpa_supplicant P2P vulnerability fixes-2016-11-07
632634Security: Universal XSS with static methods and ScriptState::forHolderObject$7,5002016-11-07
610644Heap-buffer-overflow in ps_table_add$1,5002016-11-06
632850Crash in CPDFSDK_InterForm::GetWidget-2016-11-06
632851Heap-use-after-free in CJS_Timer::KillJSTimer-2016-11-06
632860Heap-buffer-overflow in copy-2016-11-05
616429Security: Saving WebPage with file: resources access SMB resources$1,0002016-11-04
631052Use-after-poison in blink::CompositorAnimationPlayer::NotifyAnimationStarted$3,5002016-11-04
631320Heap-use-after-free in content::WebRTCEventLogHost::PeerConnectionRemoved-2016-11-04
629919Security: heap-buffer-overflow in opj_tcd_update_tile_data$5,0002016-11-03
631050Crash in v8::internal::JSObject::UpdateAllocationSite-2016-11-03
573131Security: some extension bindings incorrectly injected into about:blank frames$7,5002016-11-02
627414Crash in MaskSuperBlitter::blitH-2016-11-02
630377Heap-use-after-free in ProfileIOData::FromResourceContext-2016-11-02
629455Heap-buffer-overflow in SuperBlitter::blitH-2016-11-02
631319Container-overflow in gpu::gles2::GLES2DecoderImpl::DoScheduleCALayerFilterEffectsCHROMIUM-2016-11-02
631752Tracking bug for internal fixes: Chrome OS 52.0.2743.85 (Platform version: 8350.60.0)-2016-11-02
628992Heap-use-after-free in SuperBlitter::blitH-2016-11-01
627454Use-of-uninitialized-value in blink::PointerEventManager::setPointerCapture-2016-11-01
630736Crash in segment-2016-11-01
630369Use-of-uninitialized-value in GrShape::attemptToSimplifyPath-2016-10-31
630749Heap-use-after-free in mojo::BindingSet<network_hints::mojom::NetworkHints>::AddBinding-2016-10-31
623195Use-of-uninitialized-value in base::Pickle::WriteData-2016-10-29
630649Stack-buffer-overflow in SkDCubic::searchRoots-2016-10-29
399951Security: Cross-origin information leak via ECMAScript harmony proxies$1,0002016-10-28
614647Use-of-uninitialized-value in get_advance-2016-10-28
621362Security: Universal XSS with Flash calling into JavaScript inside Node::removedFrom$7,5002016-10-28
629962Use-of-uninitialized-value in segment-2016-10-28
628117Heap-use-after-free in blink::PaintController::commitNewDisplayItems$3,5002016-10-28
630378Use-of-uninitialized-value in SkDPoint::approximatelyEqual-2016-10-28
624213Security: Address bar RTL character spoofing on Mac-2016-10-27
624214Security: Address bar RTL character spoofing on iOS-2016-10-27
629795Use-of-uninitialized-value in gpu::gles2::GLES2DecoderImpl::HandleGetBufferParameteriv-2016-10-27
626186Crash in SkOpAngle::setSpans-2016-10-26
627401Crash in SkOpCoincidence::mark-2016-10-26
628995Use-of-uninitialized-value in CPWL_List_Notify::IOnInvalidateRect-2016-10-26
629452Crash in segment-2016-10-26
629454Use-of-uninitialized-value in containsCoincidence-2016-10-26
616623Use-of-uninitialized-value in walk_convex_edges-2016-10-25
629004Use-of-uninitialized-value in gpu::gles2::GLES2DecoderImpl::DoDrawBuffersEXT-2016-10-25
629008Use-of-uninitialized-value in gpu::gles2::GLES2Implementation::WaitSyncTokenCHROMIUM-2016-10-25
629435Crash in v8::internal::Invoke-2016-10-25
623319URL Spoof due to subframes and NavigationEntry corruption$2,0002016-10-21
627436Negative-size-param in content::MediaStreamDispatcherHost::OnCancelDeviceChangeNotifications-2016-10-21
627756Security: SEGV on unknown address in toCSSValuePair$3,0002016-10-21
627443Use-of-uninitialized-value in gpu::gles2::GLES2Implementation::BufferDataHelper-2016-10-21
628113Use-of-uninitialized-value in blink::LayoutObject::setPreferredLogicalWidthsDirty-2016-10-21
628130Stack-buffer-overflow in saturated_add-2016-10-21
626790Crash in blink::ComputeFloatOffsetForFloatLayoutAdapter<2>::heightRemaining-2016-10-20
627354Negative-size-param in content::WebRTCEventLogHost::PeerConnectionRemoved-2016-10-20
627434Use-of-uninitialized-value in sk_sse41::blit_row_s32a_opaque-2016-10-20
627447Use-of-uninitialized-value in ProfileChooserView::ButtonPressed-2016-10-20
627457Use-after-poison in content::WebMessagePortChannelImpl::OnMessage$3,5002016-10-20
611957//components/leveldb/public/interfaces/leveldb.mojom needs a security review-2016-10-19
618295Security: [PDFium]AddressSanitizer: negative-size-param-2016-10-19
623168Use-of-uninitialized-value in v8::internal::Factory::NewNumber-2016-10-19
626182Heap-use-after-free in blink::PaintController::commitNewDisplayItems-2016-10-19
623365Heap Buffer Overflow in iframe URL Parse-2016-10-17
579934Chromium allows to open popup window from Flash object without user gesture or blocking$1,0002016-10-15
610986ASSERTION FAILED: !object || (object->isBox())-2016-10-15
617648Heap-use-after-free in content::FilteringNetworkManager::Initialize-2016-10-15
626562Crash in v8::internal::HandleBase::IsDereferenceAllowed-2016-10-15
626792Heap-use-after-free in GURL::GURL-2016-10-15
617105Security: use-after-free vulnerability in flash player$3,0002016-10-14
623072Use-of-uninitialized-value in containsCoincidence-2016-10-14
625541Security: heap-buffer-overflow in opj_tcd_init_tile$3,0002016-10-14
625823Security: SEGV in blink::DOMWindowV8Internal::blurMethodCallback$1,0002016-10-14
625945Security: browser history sniffing via HSTS + CSP (bypass previous fix)$1,0002016-10-14
613949Extension install crashes browser at onDownloadProgress and onInstallStageChanged$5002016-10-13
625903Security: heap-use-after-free in blink::LayoutBox::pixelSnappedOffsetHeight$2,0002016-10-13
624818Use-of-uninitialized-value in gpu::gles2::GLES2Implementation::BufferDataHelper-2016-10-13
623378Security: UAF related to XPointer range-to function$3,5002016-10-12
625752Crash in v8::internal::LocalArrayBufferTracker::Free<1>-2016-10-12
625393Security: Heap-use-after-free in ScriptInjector$1,0002016-10-11
616907Security: Universal XSS using a ScopedPageLoadDeferrer bypass$8,0002016-10-10
619379CharacterData::setData() should handle first-letter correctly-2016-10-06
620952i < m_len-2016-10-06
624713Security: Calling from WASM to JS should not pass the global object-2016-10-06
291417Security: <webview>/App Request Contexts may not be so isolated-2016-10-05
561978Vulnerability reported in media-libs/libpng-2016-10-05
609382Security: Use after free of task_struct in Mali Midgard driver.-2016-10-05
612050Heap-use-after-free in views::Widget::OnNativeWidgetDestroying-2016-10-05
609680Chrome For Android Address Bar Spoofing Issue Due To Mishandling Of RTL Characters$3,0002016-10-05
617882Crash in v8::internal::PointerUpdateJobTraits<-2016-10-05
618333Security: Parameter sanitization failure in DevTools leads to privileged script execution$2,0002016-10-05
619414Security: Devtools has Insuffient sanitization of remoteBase parameter$2,0002016-10-05
620981Crash in _platform_bzero$VARIANT$Merom-2016-10-05
621843Heap-buffer-overflow in float blink::ShapeResultSpacing::computeSpacing<unsigned short>-2016-10-05
623985Use-after-poison in blink::PersistentBase<blink::WorkerWebSocketChannel::Bridge,$3,5002016-10-05
623996Use-of-uninitialized-value in blink::LineBoxList::deleteLineBoxes-2016-10-05
617084Crash in v8::internal::HandleBase::IsDereferenceAllowed-2016-10-04
619377Bad-cast to blink::WebGLObject from invalid vptr;blink::WebGLProgram::deleteObjectImpl;blink::WebGLSharedObject::detachContextGroup-2016-10-04
621095SIGSEGV, RIP = 0x0-2016-10-04
118642Heap-use-after-free in v8::internal::JSObject::GetElementWithInterceptor$1,0002016-10-02
118662Regression(r109014): Heap-use-after-free in WebCore::InlineTextBox::isLineBreak$5002016-10-02
118593Heap-use-after-free in WebCore::SVGStyledElement::buildPendingResourcesIfNeeded$1,0002016-10-02
118490Heap-use-after-free in WebCore::RenderObject::containingBlock$1,0002016-10-02
118467open.call(other_window) circumvents check in other_window.open()-2016-10-02
118633Security: Frame sniffing is not fixed-2016-10-02
118414Heap use after free on chrome_content_browser_client.cc with webrtc$1,0002016-10-02
118374Long autofilled value causes render issue-2016-10-02
118273ZDI-CAN-1528: Webkit HTMLMedia Element beforeLoad Remote Code Execution Vulnerability-2016-10-02
118227Security: cross-origin iframes can be resized from within in M18-2016-10-02
118018Heap-buffer-overflow in S32_opaque_D32_nofilter_DXDY-2016-10-02
118317Popup blocker bypass triggering mouse event on tag with rel=noreferrer-2016-10-02
118185Heap-use-after-free in WebCore::V8HTMLBodyElement::wrapSlow-2016-10-02
117890Use-after-free in CrashGenerationServer-2016-10-02
117912Heap-buffer-overflow in memcmp-2016-10-02
117794[LangFuzz] Crash on heap with invalid read through GetPropertyWithCallback$5002016-10-02
117736No permission prompt when loading unpacked extension with NPAPI plugin-2016-10-02
117728Heap-use-after-free in WebCore::InlineBox::root$1,0002016-10-02
117724Event handlers firing during Text::splitText trigger use-after-free.-2016-10-02
118009Heap-buffer-overflow in void WTF::Vector<unsigned short, 0ul>::append<unsigned short>-2016-10-02
117889Dangerous download warnings are suppressed for a larger class of downloads than are handled by SafeBrowsing-2016-10-02
117698Heap-use-after-free in WebCore::RenderLayer::addChild$1,0002016-10-02
117696Heap-use-after-free in WebCore::RenderBlock::addPositionedFloats-2016-10-02
117674Heap-use-after-free in WebCore::GraphicsContext3D::getExtensions-2016-10-02
117672Uptake angle security fix-2016-10-02
117656Pwnium bug: GPU memory corruption-2016-10-02
117627Security: IPC Channel does not validate the listener.-2016-10-02
117620Pwnium bug: Prerendering issues with NACL$60,0002016-10-02
117715LoadExtension binding in chrome://extensions/ is too permissive-2016-10-02
117583Iframe hijacking from Pwnium-2016-10-02
117588Security: Memory Corruption in MaskSuperBlitter$1,0002016-10-02
117545ICU lang buffer overflow-2016-10-02
117471Heap-use-after-free in WebCore::GraphicsContext::paintingDisabled$1,0002016-10-02
117446App popup user gesture exemption should be based on process type, not just extent-2016-10-02
117418Security: Don't grant WebUI bindings to a process shared with normal views-2016-10-02
117417Security: Don't let a normal web renderer navigate to a privileged URL-2016-10-02
117413Heap-use-after-free in WebCore::RenderScrollbar::getScrollbarPseudoStyle-2016-10-02
117409Chrome: Crash Report - Stack Signature: v8::internal::MarkCompactCollector::RecordS...-2016-10-02
117400Uptake fixes on weak node iteration patterns-2016-10-02
117511Heap-use-after-free in WTF::equal-2016-10-02
117335Occasional heap-use-after-free in non-virtual thunk to AudioDevice::OnStateChanged$5002016-10-02
117341Heap-use-after-free in MessageLoop::AddToIncomingQueue$1,0002016-10-02
117230Part 2 of Pwnium Bug-2016-10-02
117226Part 1 of Pwnium Bug: UXSS$60,0002016-10-02
117150REGRESSION(wk109285): Heap-use-after-free in WebCore::Document::nodeChildrenWillBeRemoved$1,0002016-10-02
117110Heap-use-after-free in WebCore::RenderObjectChildList::destroyLeftoverChildren-2016-10-02
116994Heap-use-after-free in chrome::ChromeContentBrowserClient::RequestMediaAccessPermission-2016-10-02
116967Heap-buffer-overflow in WebCore::SVGUseElement::instanceForShadowTreeElement-2016-10-02
116927Heap-buffer-overflow in av_freep$1,0002016-10-02
116806Heap-use-after-free in WebCore::RenderInline::continuationBefore-2016-10-02
116746Heap-use-after-free in WebCore::RenderBlock::splitBlocks$1,0002016-10-02
116637Renderer process crash when doing WebGL canvas to 2D canvas drawImage()-2016-10-02
116524Security: Off-by-one in OTS resulting in arbitrary code execution-2016-10-02
116461Heap-use-after-free in WebCore::CSSCrossfadeValue::~CSSCrossfadeValue$1,0002016-10-02
116405Mitigate stale layout root bugs-2016-10-02
116398Security: SSL proxy seems to not care about the cert-2016-10-02
116474Merge SVG use fix to stable-2016-10-02
121926Heap-buffer-overflow in WebCore::FEConvolveMatrix::platformApplySoftware-2016-10-02
121937glGetProgramInfoLog regression in ANGLE-2016-10-02
121734Heap-use-after-free in WebCore::V8AbstractEventListener::~V8AbstractEventListener-2016-10-02
121726Sandbox IPC length checking race-2016-10-02
121703Crash in NSMutableRLEArray replaceObjectsInRange:withObject:length with long URL-2016-10-02
121692Heap-use-after-free in WebCore::SelectorChecker::checkOneSelector-2016-10-02
121645Heap-use-after-free in WebCore::RenderBlock::removeFloatingObject-2016-10-02
121899Security: use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer()$1,0002016-10-02
121736Heap-use-after-free in WebCore::EventDispatcher::dispatchEvent-2016-10-02
121347Heap-buffer-overflow in WebCore::RenderBlock::LineBreaker::nextLineBreak$5002016-10-02
121524Use after free with reflections and composited layers-2016-10-02
121206Heap-buffer-overflow in WebCore::HTMLSelectElement::setRecalcListItems-2016-10-02
121128Heap-buffer-overflow in void WTF::Vector<unsigned short, 1024ul>::append<unsigned short>-2016-10-02
120977Crash in texSubImage2D on Mozilla's WebGL performance regression tests-2016-10-02
121269invalid cast in WebCore::toHTMLElement / WebCore::HTMLFieldSetElement::disabledAttributeChanged-2016-10-02
121223Heap-use-after-free in WebCore::WorkerThreadableWebSocketChannel::Bridge::mainThreadCreateWebSocketChannel$5002016-10-02
121407[LangFuzz] Invalid write in v8::internal::ElementsAccessorBase<...>::CopyElements$1,0002016-10-02
120648UNKNOWN in SkARGB32_Blitter::blitV$5002016-10-02
120457Global-buffer-overflow in WebCore::InlineTextBox::isLineBreak-2016-10-02
120711Heap-use-after-free in WebCore::Element::recalcStyle$1,0002016-10-02
120944Use-after-free due to issues in counter layout.$1,0002016-10-02
120912Heap-use-after-free in WebCore::RenderText::removeTextBox$1,0002016-10-02
120320Flash Broker Bypass 0x2B (CVE-2012-0724)-2016-10-02
120318Flash Broker Bypass 0x2D (CVE-2012-0725)-2016-10-02
120222Heap-use-after-free in WebCore::RenderTableSection::paintCell$1,0002016-10-02
120205Security: <svg:use> elements in the parser can create elements not marked as created by the parser-2016-10-02
120404Heap-buffer-overflow in WebCore::Font::codePath-2016-10-02
120037Heap-use-after-free in WebCore::ContainerNode::resumePostAttachCallbacks$1,0002016-10-02
120007Heap-use-after-free in WebCore::WorkerEventQueue::close-2016-10-02
120403Heap-use-after-free in WebCore::ContainerNode::insertBefore-2016-10-02
120189Heap-use-after-free in WebCore::V8RecursionScope::didLeaveScriptContext-2016-10-02
119926Use after free in v8::internal::IncrementalMarking::Step$1,0002016-10-02
119501Heap-use-after-free in WebCore::SVGStyledElement::buildPendingResourcesIfNeeded$1,0002016-10-02
119429UNKNOWN in v8::Message::GetScriptResourceName$5002016-10-02
120006Heap-use-after-free in WebCore::RenderBlock::finishDelayUpdateScrollInfo-2016-10-02
119525Heap-use-after-free in WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange$1,0002016-10-02
119281Heap-use-after-free in WebCore::GenericEventQueue::~GenericEventQueue$5002016-10-02
119230Heap-use-after-free in WebCore::RenderBlock::splitBlocks-2016-10-02
119150Sandboxed processes should not be able to open other sandboxed processes-2016-10-02
119084Heap-use-after-free in utext_setNativeIndex_46-2016-10-02
118970GPU process crash below DoDrawArrays (Nvidia)$5002016-10-02
119305Heap-use-after-free in WebCore::Node::~Node$1,0002016-10-02
119250GPU, Plugin, and NaCl processes have PROCESS_DUP_HANDLE permission on renderer processes-2016-10-02
118803Heap-use-after-free in WebCore::SVGTextLayoutAttributesBuilder::fillCharacterDataMap-2016-10-02
118784Heap-buffer-overflow in void WTF::Vector<unsigned short, 1024ul>::insert<unsigned short>-2016-10-02
118853Heap-use-after-free in WebCore::InlineFlowBox::deleteLine-2016-10-02
118664Security: Swapped out URL must be a unique origin-2016-10-02
118721Extensions resources can be fetched across incognito-2016-10-02
116162Heap-buffer-overflow in wk_png_inflate-2016-10-02
116128Content scripts should never be run in the webstore isolate-2016-10-02
116093Heap-buffer-overflow in WebCore::SVGDocumentExtensions::removeAnimationElementFromTarget$1,0002016-10-02
116069WebCore::MediaStreamListInternal::itemCallback$5002016-10-02
116224Heap-use-after-free in WebCore::FrameLoader::urlSelected-2016-10-02
115998Heap-use-after-free in WebCore::RenderMenuList::addChild-2016-10-02
115862Heap-use-after-free in WebCore::InlineFlowBox::deleteLine-2016-10-02
115756Heap-use-after-free in WebCore::InlineFlowBox::deleteLine-2016-10-02
115754Heap-use-after-free in WebCore::RenderLayer::addChild$1,0002016-10-02
115695Heap-buffer-overflow in WebCore::StaticNodeList::itemWithName$1,0002016-10-02
115681Heap-use-after-free in WebCore::RenderBox::enclosingFloatPaintingLayer$1,0002016-10-02
115680Heap-use-after-free in WebCore::RenderListItem::updateMarkerLocation-2016-10-02
115807Heap-use-after-free in WebCore::RenderMenuList::addChild-2016-10-02
116027Heap-buffer-overflow in WebCore::InlineFlowBox::addToLine-2016-10-02
115159Security: Setting innerText allows DOMSubtreeModified listeners to cause crashes-2016-10-02
115028Bad cast in splitAnonymousBlocksAroundChild (part 3)$1,0002016-10-02
115003Heap-use-after-free in WebCore::RenderObject::previousInPreOrder-2016-10-02
115299Use-after-free in AudioDeviceThread::Callback::InitializeOnAudioThread$5002016-10-02
115471Heap-buffer-overflow in SkAlphaRuns::add$1,0002016-10-02
114924Bad cast in splitAnonymousBlocksAroundChild$1,0002016-10-02
114911Heap-buffer-overflow in WebCore::Element::setAttribute-2016-10-02
114858Heap-use-after-free in WebCore::RenderTableSection::willBeDestroyed-2016-10-02
114960Heap-use-after-free in WebCore::SVGTextLayoutAttributesBuilder::fillCharacterDataMap-2016-10-02
114219Heap-use-after-free in WebCore::RenderTableSection::nodeAtPoint$1,0002016-10-02
114152Heap-use-after-free in WebCore::InspectorStyleSheet::deleteRule-2016-10-02
114144Crash by clicking the time field of maps.google.com-2016-10-02
114068Heap-use-after-free in WebCore::HTMLElement::isPresentationAttribute$1,0002016-10-02
114056Heap-buffer-overflow in WebCore::previousBoundary$5002016-10-02
114054Heap-buffer-overflow in void WTF::Vector<unsigned short, 0ul>::append<unsigned short>$5002016-10-02
113924[LangFuzz] Crash at v8::internal::HashTable<...>::FindEntry with invalid read$1,0002016-10-02
114342Stack-buffer-overflow at strcpy$1,0002016-10-02
113837Heap-use-after-free in WebCore::Document::unregisterForPageCacheSuspensionCallbacks$1,0002016-10-02
113800Heap-use-after-free in WebCore::RenderBlock::computeOverflow-2016-10-02
113902Heap-use-after-free in WebCore::InlineBox::root$1,0002016-10-02
113799Heap-use-after-free in WebCore::RenderTable::layout-2016-10-02
113801Heap-use-after-free in WebCore::RenderBlock::outlineStyleForRepaint-2016-10-02
113733Security: Flash deployed via component updater runs outside the sandbox-2016-10-02
113755Heap-use-after-free in WebCore::RenderObjectChildList::destroyLeftoverChildren-2016-10-02
113707Heap-use-after-free in WebCore::RenderQuote::placeQuote$1,0002016-10-02
113690Heap-use-after-free in WebCore::RenderButton::removeChild-2016-10-02
113567Heap-use-after-free in WebCore::RenderRegion::setRegionBoxesRegionStyle-2016-10-02
113562Heap-use-after-free in WebCore::NavigationScheduler::schedule-2016-10-02
113730Integer wrap in CSSParser::quoteCSSString() can cause a buffer overflow-2016-10-02
113497Heap-use-after-free in WebCore::InlineFlowBox::computeUnderAnnotationAdjustment$1,0002016-10-02
113496Links in settings page (like learn more, google dashboard) are opened in the webui renderer process-2016-10-02
113439Bad casts due to issues in splitAnonymousBlocksAroundChild$1,0002016-10-02
113415Heap-use-after-free in WebCore::InlineFlowBox::deleteLine-2016-10-02
113258Bad cast in WebCore::RenderBlock::createLineBoxes$1,0002016-10-02
113178Adding a ShadowRoot to a SELECT element causes crashes-2016-10-02
113174Attaching a ShadowRoot to a VIDEO element causes heap-use-after-free-2016-10-02
113160Security: Tracking bug for WK77971 - Replaces the [CheckNodeSecurity] IDL attribute-2016-10-02
113119Security: Report bad translation link uses http://-2016-10-02
112976Heap-use-after-free in vorbis_decode_frame-2016-10-02
112961TCP and UDP IPCs should not be exposed to arbitrary renderers-2016-10-02
112983Browser crash with FTP video source-2016-10-02
125462Security: libxml2 1-byte heap-buffer-overflow in xmlXPtrEvalXPtrPart$1,5002016-10-02
125436Heap-use-after-free in WebCore::HTMLFormControlElement::disabled-2016-10-02
125249Heap-buffer-overflow in seg_to-2016-10-02
125225Domui process can be ptraced from a compromised renderer leading to sandbox escape, take 2-2016-10-02
125159Chrome crashes when pressing back button on a page that is still downloading a big gif image$1,3372016-10-02
125151Heap-use-after-free in WebCore::Node::compareDocumentPosition-2016-10-02
125010Stealing AutoFill data with window.getSelection() before users actually select form contents-2016-10-02
125494Heap-buffer-overflow in WebCore::HTMLTreeBuilder::processEndTag-2016-10-02
125374Heap-use-after-free in WebCore::RenderSVGContainer::paint$1,0002016-10-02
124992Heap-use-after-free in WebCore::swapInNodePreservingAttributesAndChildren-2016-10-02
124923Heap-use-after-free in WebCore::parseToDoubleForNumberType-2016-10-02
124919Heap-use-after-free in WebCore::RenderBlock::addOverflowFromFloats-2016-10-02
124895Heap-use-after-free in WebCore::ScriptController::executeIfJavaScriptURL-2016-10-02
124893Heap-buffer-overflow in WebCore::HTMLOptionElement::selected-2016-10-02
124870Heap-use-after-free in WebCore::InsertParagraphSeparatorCommand::doApply-2016-10-02
124868Heap-use-after-free in WebCore::RenderObject* WebCore::bidiNextShared<WebCore::BidiResolver<WebCore::InlineIterator, WebCor-2016-10-02
124836NSS should reject DH public values equal to one-2016-10-02
125000Heap-buffer-overflow in WTF::VectorMover<false, WebCore::Attribute>::move-2016-10-02
124924Heap-buffer-overflow in WebCore::XPath::sortBlock-2016-10-02
124652Heap-buffer-overflow in SkDashPathEffect::SkDashPathEffect-2016-10-02
124625Chrome: Crash Report - Stack Signature: WebCore::npObjectNamedGetter<WebCore::V8HTM...-2016-10-02
124617Heap-buffer-overflow in WebCore::RenderBlock::createLineBoxes-2016-10-02
124669Heap-use-after-free in WebCore::SVGLength::value-2016-10-02
124530Heap-use-after-free in WebCore::RenderBlock::layoutPositionedObjects-2016-10-02
124594UNKNOWN in v8::internal::MarkCompactCollector::PrepareThreadForCodeFlushing$5002016-10-02
124479Use after free in PDF with corrupt CID font encoding name-2016-10-02
124356Heap-use-after-free in WebCore::GraphicsContext::restore$1,0002016-10-02
124263OOB read with PDF in cell sorting-2016-10-02
124228Security: Component updater parses unauthenticated XML with libxml in the browser process-2016-10-02
124216Security: MSVR:159 - Google Chrome NPAPI Plugin Insecure Loading Elevation of Privilege Vulnerability-2016-10-02
124191OOB read in PDF when parsing / processing text-2016-10-02
124190OOB read, off-by-one in PDF predictor code with specific decode parameters-2016-10-02
124184OOB read with 1bpp image and ICC profile-2016-10-02
124183OOB read in PDF fax codec-2016-10-02
124389Heap-use-after-free in WebCore::TargetListener::clear-2016-10-02
124182Out of bounds write in PDF with sample function with lots of inputs-2016-10-02
124179PDF crash under ASAN with character maps-2016-10-02
123929Out-of-bounds read in PDF with undersized "O" key and revision 3 crypto-2016-10-02
123858Use-after-free in WebPagePopupImpl instance-2016-10-02
123735OOB reads in PDF AES support due to buffer mismanagement-2016-10-02
123733Out-of-bounds reads with bad parameters to PDF "sampled function" function-2016-10-02
123709Breakpad ClientInfo::PopulateCustomInfo() integer wrap leads to heap overflow-2016-10-02
123656OOB read in PDF whilst scanning for "startxref"-2016-10-02
123631Heap-use-after-free in WebCore::GraphicsContext::paintingDisabled-2016-10-02
123544Heap-use-after-free in WebCore::CachedResource::checkNotify-2016-10-02
123530Heap-use-after-free in AutocompleteMatch::AutocompleteMatch-2016-10-02
123484Global-buffer-overflow in WebCore::InlineTextBox::isLineBreak-2016-10-02
123481Security: ERROR: AddressSanitizer heap-buffer-overflow on address 0x7fde15ff9890 at pc 0x7fde364c5034$1,0002016-10-02
123105Heap-buffer-overflow in Color32_SSE2-2016-10-02
123054Security: renderer can grant itself read permissions to arbitrary files-2016-10-02
123029OOB write in SkARGB32_Black_Blitter::blitAntiH -> sk_memset32_SSE2$1,0002016-10-02
123012Chrome: Crash Report - Stack Signature:WebCore::V8BindingPerContextData::constructorForType(WebCore::WrapperTypeInfo *)-2016-10-02
122925Security: Autofill info can be captured by innocuous social engineering$1,0002016-10-02
122865Heap-use-after-free in SkCanvas::internalDrawBitmapRect-2016-10-02
122760Heap-use-after-free in WebCore::RenderTable::computePreferredLogicalWidths-2016-10-02
122692UNKNOWN in /lib/libc-2.11.1.so+Unknown-2016-10-02
122681[LangFuzz] CHECK(fixed_size + height_in_bytes == input_frame_size) failed or crash with invalid read$5002016-10-02
122654Chrome: Crash Report: SocketStreamDispatcherHost::CancelSSLRequest-2016-10-02
122586Global-buffer-overflow in HB_TibetanShape-2016-10-02
122585Security: stack-buffer-overflow in WebCore::GlyphPage::fill with surrogate characters$5002016-10-02
122573Heap-use-after-free in WebCore::CachedRawResource::didAddClient-2016-10-02
122854Security: Potential (racy) use after free error in DownloadResourceHandler::OnResponseCompletedInternal-2016-10-02
122503Heap-buffer-overflow in erode-2016-10-02
122337[LangFuzz] Crash on heap with invalid write (32 bit only).$1,0002016-10-02
122208GCing a node observed by a WebKitMutationObserver can cause an invalid HashSet iterator-2016-10-02
122029Heap-buffer-overflow in WebCore::InlineFlowBox::addToLine-2016-10-02
122014Heap-use-after-free in WorkerEventQueue::close-2016-10-02
121968Heap-use-after-free in WebCore::GraphicsLayer::willBeDestroyed-2016-10-02
122562Heap-use-after-free in ModuleSystem::LazyFieldGetter$1,0002016-10-02
112847Bad cast in addChildToAnonymousColumnBlocks$1,0002016-10-02
112833Heap-use-after-free in webkit_media::BufferedResourceLoader::Start$1,0002016-10-02
112822Security: Heap-buffer-overflow in png_decompress_chunk$1,3372016-10-02
112814Safe Browsing client doesn't always check for MAC field in response-2016-10-02
112775Heap-use-after-free in WebCore::Node::traverseNextNode-2016-10-02
112764Heap-use-after-free in RendererAccessibility::SendPendingAccessibilityNotifications-2016-10-02
112738Security: User Interface - infobar confusion, spamming, and spoofing-2016-10-02
112735Bad cast in FormSubmission::create-2016-10-02
112694Heap-use-after-free in WebCore::Node::normalize-2016-10-02
112670avcodec_53!ff_h264_get_profile - crash$5002016-10-02
112451X509UserCertResourceHandler::OnResponseCompleted crash-2016-10-02
112443[Mac] Regular SSL certificate incorrectly displayed with EV color badge-2016-10-02
112542Heap-use-after-free in WebCore::TextIterator::rangeFromLocationAndLength-2016-10-02
112411Heap-use-after-free in WebCore::SVGUseElement::expandSymbolElementsInShadowTree$1,0002016-10-02
112391Heap-use-after-free in ExtensionHost-2016-10-02
112339Security: chrome allows TDR looping leading to win7 OS crash through page refresh html tag + WebGL-2016-10-02
112325Security: Copy-paste preserves <embed> tags containing active content-2016-10-02
112317Heap-buffer-overflow in WebCore::Font::codePath$5002016-10-02
112259Heap-use-after-free in WebCore::EventTarget::dispatchEvent$5002016-10-02
112236Security: Chrome translation script downloaded over HTTP-2016-10-02
112212Heap-use-after-free in WebCore::ContainerNode::appendChild$2,0002016-10-02
112151Heap-use-after-free in WebCore::RenderRegion::setRegionBoxesRegionStyle$1,0002016-10-02
112093Heap-use-after-free in WebCore::Node::dispatchSubtreeModifiedEvent-2016-10-02
112055Heap-buffer-overflow in WebCore::CSSParser::lex-2016-10-02
111779Heap-use-after-free in WebCore::SubframeLoader::loadSubframe$1,0002016-10-02
111748Heap-use-after-free in WebCore::SVGElement::removedFromDocument$1,0002016-10-02
111656Security: Accessibility bad cast-2016-10-02
111575Security: NaCl dynamic code modification allows direct calls inside existing super instructions.-2016-10-02
111491AddressSanitizer reports a heap-use-after-free in icu_46::RuleBasedBreakIterator::handleNext in DownloadTest.CrxLargeTheme (browser_tests) on Chrome OS-2016-10-02
111088Heap-use-after-free in WebCore::FrameLoader::checkTimerFired-2016-10-02
111467Heap-buffer-overflow in WebCore::SVGSVGElement::currentViewBoxRect$1,0002016-10-02
110849Heap-buffer-overflow in matroska_parse_block-2016-10-02
110764Heap-use-after-free in WebCore::DocumentLoader::detachFromFrame$1,0002016-10-02
110723Heap-use-after-free in WebCore::RenderSVGResourceContainer::markAllClientsForInvalidation-2016-10-02
111342Heap-use-after-free in AudioDevice::FireRenderCallback-2016-10-02
110559Heap-buffer-overflow in GPU ShaderTranslator-2016-10-02
110374Heap-use-after-free in WebCore::EventHandler::mouseMoved$1,0002016-10-02
110360Heap-use-after-free in WebCore::GraphicsContext::paintingDisabled-2016-10-02
110277Heap-buffer-overflow in xsltCompilePatternInternal$5002016-10-02
110172Heap-buffer-overflow in SkAlphaRuns::add$1,0002016-10-02
110545Security: AssociatedURLLoader exposes non-whitelisted response headers when loading with access control (CORS)-2016-10-02
110076Heap-use-after-free in WebCore::CompositeEditCommand::ensureComposition-2016-10-02
109743Heap-use-after-free in WebCore::CSSStyleSelector::matchRulesForList$1,0002016-10-02
109717Security: crash when viewing a certificate without issuer signature-2016-10-02
109716Heap-use-after-free in xsltParseGlobalVariable$1,0002016-10-02
109691Security: Losing user-set pin data on HSTS header receipt-2016-10-02
110112Heap-use-after-free in WebCore::FrameView::forceLayoutParentViewIfNeeded$1,0002016-10-02
109912Security: read sandbox escape: NaCl validator for x86-64 allow REP string instructions to have out-of-bound source addresses-2016-10-02
109623Chrome: Crash Report - Stack Signature: WebKit::WebMediaPlayerClientImpl::loadInter...-2016-10-02
109574Potential XSS attack with [0x8E][0xE3] in EUC-JP page$5002016-10-02
109556Heap-buffer-overflow in WebCore::HTMLTreeBuilder::HTMLTreeBuilder$1,0002016-10-02
109411Regression: Crash in WebCore::DynamicSubtreeNodeList::length()-2016-10-02
109245Security: Chrome Drag Spoofing-2016-10-02
109664safe_browsing::SignatureUtil::CheckSignature() - crash-2016-10-02
109094Possible wild read in internal PDF-reader-2016-10-02
108958Heap-use-after-free in WebCore::RenderBlock::determineStartPosition-2016-10-02
129158Heap-use-after-free in WebCore::AccessibilityObject::getAttribute-2016-10-02
129191UNKNOWN in WebCore::HTMLDocumentParser::prepareToStopParsing$1,0002016-10-02
128971Heap-use-after-free in WebCore::InlineBox::deleteLine-2016-10-02
128711Run-in UAF crashes relating to generated content and inline line box tree not clearing.-2016-10-02
128704Crash when opening and closing chrome://chrome-2016-10-02
128688Heap-buffer-overflow in gpu::gles2::GLES2Implementation::TexSubImage2DImpl-2016-10-02
128800Use after free in WebCore::SVGTextLayoutAttributesBuilder::fillCharacterDataMap-2016-10-02
128597RenderViewImpl's shared_popup_counter_ isn't incremented properly-2016-10-02
128498Heap-buffer-overflow in WebCore::CSSSelector::specificityForOneSelector-2016-10-02
128497CachedImage does not clear the ImageObserver pointer when dropping its Image ref-2016-10-02
128458Security: NTP Promo data is downloaded via HTTP, but then rendered on the NTP-2016-10-02
128665Heap-use-after-free in WebCore::Node::isInShadowTree-2016-10-02
128342Heap-buffer-overflow in WebCore::SVGUseElement::instanceForShadowTreeElement-2016-10-02
128336Heap-buffer-overflow in WebCore::SubframeLoader::createJavaAppletWidget-2016-10-02
128256tabs permission exploit on the Chrome RSS Extension-2016-10-02
128204Assertion failure (toRenderBox() called on a RenderInline) beneath RenderBlock::blockBeforeWithinSelectionRoot()-2016-10-02
128178Heap-use-after-free in fileapi::FileSystemOperation::DidGetUsageAndQuotaAndRunTask$3,1332016-10-02
128163Heap-buffer-overflow in GIFImageReader::read-2016-10-02
128159Heap-use-after-free in WTF::HashMap<int, WTF::RefPtr<WebCore::CalculationValue>, WTF::IntHash<unsigned int>, WTF::HashTrait-2016-10-02
128157Heap-use-after-free in WebCore::HTMLFormControlElement::disabled-2016-10-02
128151Heap-use-after-free in WebKit::MainThreadFileSystemCallbacks::didSucceed-2016-10-02
128146UNKNOWN in v8::internal::DescriptorArray::Set-2016-10-02
128018[LangFuzz] Crash in v8::internal::ShortCircuitConsString with invalid read$1,0002016-10-02
127889Use after free in WebCore::Font::characterRangeCodePath / WebCore::Font::codePath-2016-10-02
127764Heap-use-after-free in WebCore::RenderBlock::xPositionForFloatIncludingMargin-2016-10-02
127701Heap-use-after-free in WebCore::RenderObject::repaint-2016-10-02
127648Out of bounds read in WebCore::Region::Shape::compareShapes-2016-10-02
127624Security: pepper plugins - protect plugin's data files from other plugins and the renderer itself.-2016-10-02
127525Dragging a file into a web renderer exposes the file: scheme$5002016-10-02
127522Security: Chrome Allows "Carpet Bomb" from File Download-2016-10-02
127727Heap-use-after-free in WebCore::ContextDestructionObserver::contextDestroyed-2016-10-02
127449PPAPI processes hold privileged process handles-2016-10-02
127418Heap-use-after-free in WebCore::SVGTextLayoutEngine::layoutTextOnLineOrPath$1,0002016-10-02
127417Security: Arbitrary memory read in libxslt$5002016-10-02
127371Heap-use-after-free in WebCore::AXObjectCache::postNotification-2016-10-02
127368Heap-use-after-free in WebCore::SVGAnimatedLengthAnimator::resetAnimValToBaseVal-2016-10-02
127367Heap-use-after-free in WebCore::ApplyStyleCommand::joinChildTextNodes-2016-10-02
127366Heap-use-after-free in WebCore::ReplaceSelectionCommand::performTrivialReplace-2016-10-02
127424Heap-use-after-free in WebKit::WebPagePopupImpl::closePopup$1,0002016-10-02
127234Heap-use-after-free in WebCore::SVGPropertyTearOff<WebCore::FloatRect>::commitChange-2016-10-02
126723Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine-2016-10-02
126652Heap-buffer-overflow in bool WebCore::Region::Shape::compareShapes<WebCore::Region::Shape::CompareIntersectsOperation>-2016-10-02
126475Heap-use-after-free in WebCore::InlineBox::root-2016-10-02
126414[LangFuzz] Crash on heap with invalid read from random address (32 bit)$5002016-10-02
126406Heap-use-after-free in WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks-2016-10-02
126343OOB write in PDF character code mapping-2016-10-02
126337Stack buffer overflow in character range parsing-2016-10-02
126296Security: Browser crash document.createEvent("MouseEvents").initMouseEvent in background tab$1,0002016-10-02
125730Heap-use-after-free in WebCore::Document::nodeChildrenWillBeRemoved-2016-10-02
126105Global-buffer-overflow in RgnOper::addSpan-2016-10-02
126074Heap-use-after-free in WebCore::SpellChecker::didCheckSucceeded-2016-10-02
126048Heap-use-after-free in SpeechRecognitionManagerImpl::DispatchEvent$1,0002016-10-02
126040Heap-use-after-free in WebCore::ContainerNode::insertBefore-2016-10-02
126015Heap-use-after-free in WebCore::HTMLFormControlElement::disabled-2016-10-02
125921Heap-buffer-overflow in WebCore::FontCache::releaseFontData-2016-10-02
125919Heap-buffer-overflow in WebCore::SVGAnimatedPointListAnimator::calculateAnimatedValue$5002016-10-02
125821The Linux setuid sandbox has become (even more) insanely complex-2016-10-02
126075Stack-buffer-overflow in SuggestMgr::forgotchar_utf-2016-10-02
125563Heap-use-after-free in WebCore::RenderBlock::determineStartPosition-2016-10-02
125557Heap-use-after-free in WebCore::AudioParam::disconnect-2016-10-02
125555Heap-use-after-free in WTF::HashMap<int, WTF::RefPtr<WebCore::CalculationValue>, WTF::IntHash<unsigned int>, WTF::HashTrait-2016-10-02
125529Heap-use-after-free in WebCore::HTMLLinkElement::setCSSStyleSheet-2016-10-02
125515[LangFuzz] Crash on heap with invalid write to random address$1,0002016-10-02
108918Heap-use-after-free in WebCore::RenderTableSection::rowLogicalHeightChanged-2016-10-02
108901Heap-buffer-overflow in compute_pos_tan$5002016-10-02
108894Heap-use-after-free in WebCore::HTMLCollection::length-2016-10-02
108871IndexedDB with autoincrement fails on object put and crashes chrome$1,0002016-10-02
108605Use of uninitialized value in SkAlphaRuns::Break$1,0002016-10-02
108798Heap-use-after-free in WebCore::(anonymous namespace)::AllowFileSystemMainThreadBridge::signalCompleted-2016-10-02
108695Heap-use-after-free in WebKit::WebFrameImpl::viewImpl$1,0002016-10-02
108648Security: Malicious extension could avoid being blacklisted via extension blacklist-2016-10-02
108476Heap-buffer-overflow in WebCore::Font::codePath$5002016-10-02
108544Heap-use-after-free in SubresourceLoader::didFinishLoading$1,0002016-10-02
108579Heap-buffer-overflow in void WTF::Vector<WTF::RefPtr<WebCore::TextTrack>, 0ul>::insert<WTF::RefPtr<WebCore::TextTrack> >-2016-10-02
108461Heap-use-after-free in WebCore::HTMLInputElement::copyNonAttributeProperties-2016-10-02
108416Global-buffer-overflow in render_line$5002016-10-02
108071Browser process heap-use-after-free with indexeddb cursors$3,1332016-10-02
108037Heap-buffer-overflow in WebCore::SVGLength::valueAsString$1,0002016-10-02
108006Stack-buffer-overflow in HB_MyanmarShape-2016-10-02
108267Heap-use-after-free in WebCore::RenderBlock::selectionGaps-2016-10-02
108207Heap-use-after-free in WebCore::RenderTable::borderBefore$1,0002016-10-02
107758Heap-use-after-free in WebCore::RenderRegion::offsetFromLogicalTopOfFirstPage$1,0002016-10-02
107565Security: dragging a file URL between two http-spawned windows goes remote->local-2016-10-02
107873Heap-use-after-free in WebCore::DatabaseTracker::interruptAllDatabasesForContext-2016-10-02
107616UXSS in v8 bindings npCreateV8ScriptObject()-2016-10-02
107939Heap-buffer-overflow in WebCore::RenderBlock::layoutRunsAndFloatsInRange-2016-10-02
107258Freed m_renderer used in InlineBox::deleteLine-2016-10-02
107244Heap-use-after-free in DatabaseObserver$1,0002016-10-02
107376Memory corruption crash in ExtensionPrefs::MigrateAppIndex.-2016-10-02
107128Heap-buffer-overflow in xmlStringLenDecodeEntities$4,0002016-10-02
107277Heap-use-after-free in WebCore::RenderTextFragment::willBeDestroyed-2016-10-02
107182Heap use after free with malware blocking page$3,1332016-10-02
106672Security: Crash in requestAnimationFrame when removing a frame$1,0002016-10-02
106671Heap-use-after-free in WebCore::InlineFlowBox::deleteLine-2016-10-02
106577Heap-buffer-overflow in SkAAClipBlitter::blitAntiH$5002016-10-02
107032Sad tab when visiting https://code.google.com and --no-displaying-insecure-content-2016-10-02
106441Stack-buffer-overflow in _canonicalize$1,0002016-10-02
106419Global-buffer-overflow in SkFileDescriptorStream::read-2016-10-02
106413Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine-2016-10-02
106340Heap-use-after-free in WebCore::RenderTable::outerBorderAfter$3,0002016-10-02
106336Heap-use-after-free in WebCore::CounterNode::insertAfter$5002016-10-02
106334Security: Popupblocker is ignored, downloads are invisible-2016-10-02
106484Heap-use-after-free in WebCore::RenderObject::childAt$1,0002016-10-02
106309Heap-buffer-overflow in WebCore::InlineFlowBox::addToLine (regions issue)-2016-10-02
106165Heap-buffer-overflow in safe_browsing protocol parser-2016-10-02
105867Use after free in V8HTMLElementWrapperFactory.cpp$1,0002016-10-02
105803PDF missing integer validation for Flate / LZW / Fax prediction codes and other parameters-2016-10-02
106200Heap-use-after-free in WebCore::InlineBox::deleteLine$5002016-10-02
106316Heap-buffer-overflow in WebCore::HTMLTreeBuilder::processEndTag-2016-10-02
105482Security: CSP connect-src and script-src not enforced on workers-2016-10-02
105459Use-after frees and bad casts with -webkit-column-span$2,0002016-10-02
105714Nasty looking INVALID_POINTER_READ in internal PDF-reader$5002016-10-02
134123Heap-use-after-free in WebCore::VisibleSelection::rootEditableElement-2016-10-02
105162Stack-buffer-overflow in base::files::(anonymous namespace)::InotifyReaderTask::Run-2016-10-02
134305Heap-use-after-free in WebCore::RenderObject::absoluteBoundingBoxRect-2016-10-02
133725Security: public chromium site is leaking internal Google DNS names-2016-10-02
134088Use-after-free: LabelsNodeList isn't updated properly after its owner node is adopted into a new document-2016-10-02
133892Heap-use-after-free in WebCore::RenderListItem::updateMarkerLocation-2016-10-02
133288Heap-buffer-overflow in WebCore::CSPSourceList::parseSource-2016-10-02
133571Heap-use-after-free in SkARGB32_Black_Blitter::blitAntiH$1,0002016-10-02
133418Heap-use-after-free in WebCore::RenderBlock::layoutPositionedObjects-2016-10-02
134101Security: webRequest API allows extensions to XSS chrome.google.com and gain access to webstorePrivate API$2,0002016-10-02
133214UNKNOWN in WebCore::RenderTableSection::addCell$1,0002016-10-02
133196Heap-use-after-free in WebCore::RenderInline::willBeDestroyed-2016-10-02
132806ChromeContentBrowserClient::AllowSocketAPI using allowed_socket_origins_ without scheme check-2016-10-02
132779Security: WebM heap-buffer-overflow in matroskadec.c:matroska_parse_block()$1,0002016-10-02
132699Update Java version metadata for Jun 2012 CPU-2016-10-02
132690Heap-use-after-free in WebCore::RenderSVGModelObject::checkIntersection-2016-10-02
132890Crash when using Web Audio + media element with no audio or when user navigates-2016-10-02
131969Heap-use-after-free in WebCore::AccessibilityObject::getAttribute-2016-10-02
132396Heap-use-after-free in WebCore::RenderBlock::layoutRunsAndFloats-2016-10-02
132398Global-buffer-overflow in D_Clear_BitmapXferProc-2016-10-02
132203UAF in ValueStoreFrontend::Backend::Get-2016-10-02
132019Heap-use-after-free in WebCore::InlineFlowBox::deleteLine-2016-10-02
132270Global-buffer-overflow in WebCore::mediaControlElementType-2016-10-02
131968Heap-use-after-free in WebCore::AccessibilityTable::isDataTable-2016-10-02
132241Heap-use-after-free in WebCore::DocumentThreadableLoader::cancel-2016-10-02
131934Heap-use-after-free in WTF::Vector<WebCore::Attribute, 0ul>::~Vector-2016-10-02
131348Security: Use-after-free in safe_browseing::DownloadProtectionService found by Valgrind-2016-10-02
131347heap-use-after-free in DictionaryValue while closing chrome, requires extension.-2016-10-02
131087UAF due to Document::removePendingSheet re-entering JavaScript during Document cleanup-2016-10-02
130927Heap-use-after-free in WebCore::CompositeEditCommand::breakOutOfEmptyListItem-2016-10-02
130824Security: Linux crash report generation code reads past the end of an unterminated string buffer.-2016-10-02
130802Heap-buffer-overflow in void WTF::Vector<unsigned short, 0ul>::append<unsigned short>-2016-10-02
130743Chromium is no more asking you for permissions to run WMP plugin via the Infobar. Is it intentional?-2016-10-02
130723Use after free after setting -webkit-line-clamp to none-2016-10-02
130722Heap-use-after-free in WebCore::InsertParagraphSeparatorCommand::doApply-2016-10-02
130595Heap-use-after-free in WebCore::RenderBlock::layoutBlockChildren$1,0002016-10-02
130356Heap-use-after-free in WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget$1,0002016-10-02
130276Chrome attempts to load metro_driver.dll when Metro is not supported-2016-10-02
130241[crash] WebCore::RenderStyle::fontMetrics(void)+0xa-2016-10-02
130240Heap-buffer-overflow WRITE in read_markers third_party/libjpeg_turbo/jdmarker$1,0002016-10-02
130237Heap-use-after-free in WebCore::RenderObject::arenaDelete-2016-10-02
130235Heap-use-after-free in WebCore::HTMLElement::adjustDirectionalityIfNeededAfterChildrenChanged-2016-10-02
130369Heap-use-after-free in WebCore::RenderBlock::layoutPositionedObjects$1,0002016-10-02
129826Chrome_Mac: Zombie <DownloadItemController: 0x1f1e6fd0> received -handleReveal: (via -performSelector:withObject:)-2016-10-02
129947Heap-use-after-free in WebCore::RenderObject::setStyle$1,0002016-10-02
129942UNKNOWN in v8_i18n::IntlNumberFormat::JSInternalFormat$1,0002016-10-02
129936Heap-use-after-free in WebCore::InlineTextBox::nodeAtPoint-2016-10-02
129930Security: libxml2 growBuffer integer overflow on 64-bit machines$3,0002016-10-02
129898Heap-use-after-free in WebCore::CounterNode::lastDescendant$1,0002016-10-02
129890Heap-use-after-free in WebCore::cancelAll-2016-10-02
129951UNKNOWN in v8::Function::Call$1,0002016-10-02
129394Heap-use-after-free in WebCore::AccessibilityTable::isDataTable-2016-10-02
129569Heap-use-after-free in WebCore::RenderLayer::updateCompositingLayersAfterScroll-2016-10-02
129396Heap-buffer-overflow in WebCore::RenderTable::colElement-2016-10-02
129357Heap-buffer-overflow in WebCore::RenderProgress::isDeterminate-2016-10-02
129301Heap-use-after-free in WebCore::AXObjectCache::postPlatformNotification-2016-10-02
129299Run-in UAFs part 2-2016-10-02
129360Heap-use-after-free in WebCore::InlineFlowBox::removeChild-2016-10-02
105143Cross-origin drag-and-drop prevention ineffective-2016-10-02
105157Heap-use-after-free in WebCore::InlineFlowBox::removeChild-2016-10-02
105133Heap-use-after-free in WebCore::RenderObject::isDescendantOf-2016-10-02
105012Global-buffer-overflow in WebCore::RenderFlexibleBox::mainAxisBorderAndPaddingExtentForChild-2016-10-02
104935Security: HSTS "cookies" do not obey expected policy.-2016-10-02
104863Heap-use-after-free in WebCore::SubresourceLoader::didFail$1,0002016-10-02
104859Heap-use-after-free in WebCore::InlineFlowBox::computeOverAnnotationAdjustment$1,0002016-10-02
104617Heap-use-after-free in WebCore::CSSImageGeneratorValue::addClient-2016-10-02
104529PDF-reader tab-crash with editable crash address.$2,0002016-10-02
104959Nasty looking crash on internal pdf-reader$5002016-10-02
104461Security: chrome://workers/ crash-2016-10-02
104325Heap-use-after-free in WebCore::RenderBlock::determineStartPosition-2016-10-02
104315Heap-use-after-free WebCore::RenderObject::container-2016-10-02
104272Security: Directory traversal in extension docs-2016-10-02
104266Heap-use-after-free in WebCore::nextBreakablePosition-2016-10-02
104466Schema check on navigations to chrome/file schemas should be avoided-2016-10-02
104317Stale RenderObject in RenderBlock::addChildIgnoringAnonymousColumnBlocks()-2016-10-02
104056Crash with PDF at bad IP$1,0002016-10-02
104223Security: MHTML can be used to steal cookies-2016-10-02
103867Security: chrome.test.resetQuota extension API exposed to all extensions-2016-10-02
103750minor self-inflicted xss on chrome://tracking2-2016-10-02
103738Security: out of bounds array access in WebCore::RenderTableSection::rowLogicalHeightChanged-2016-10-02
104011v8_i18n::BCP47ToICUFormat() - crash$1,0002016-10-02
104151Bad cast in WebCore::RenderThemeMac::paintMediaToggleClosedCaptionsButton-2016-10-02
103921Use-after-free in DOM Range$1,0002016-10-02
103239Security: INVALID_POINTER_READ/WRITE_EXPLOITABLE_chrome!SkRgnBuilder::blitH$1,0002016-10-02
103259[LangFuzz] Crash at v8::internal::WriteQuoteJsonString with invalid write$1,0002016-10-02
102810Security: buffer overflow in link prefetching$1,0002016-10-02
103630Security: iFrame SandBox Unique Origin not enforced in extensions-2016-10-02
103126Heap-use-after-free in WebCore::RenderTextFragment::styleDidChange-2016-10-02
103244Pinning checks aren't enforced in the case of a minor error.-2016-10-02
103058Security: missing xslt import causes crash w/preloading$1,0002016-10-02
102037Security: Use after free in CSSStyleDeclarationInternal::parentRuleAttrGetter-2016-10-02
101900Security: bug rendering web pages with flash content-2016-10-02
101835Exit full screen button crashes browser-2016-10-02
101779OOB read with corrupt PDF; possible stability issue too-2016-10-02
101624Security: buffer overrun leading to heap corruption in ANGLE shader translator-2016-10-02
102242ZDI-CAN-1416: WebKit ContentEditable swapInNode Use-After-Free Remote Code Execution Vulnerability-2016-10-02
101901Security:scrolling web with flash content rendering bug-2016-10-02
102628Security: Adobe regions use-after-free with multiple region css thingies$1,0002016-10-02
102461Failure to infobar JRE7-2016-10-02
102359Use-after-free in SVG renderer$1,0002016-10-02
101446Use after free in TextTrack::~TextTrack-2016-10-02
101235Security: Location bar spoofing when using replaceState in unload event handler-2016-10-02
101205Security: marketplace-2016-10-02
101172Seeking on webm 1080p video causes crash-2016-10-02
101580Heap-use-after-free in WebCore::RenderObject::enclosingLayer-2016-10-02
101548Test: ABCD-2016-10-02
101494OOB read in media::ScaleYUVToRGB32-2016-10-02
101458OOB read in WebM/vorbis vorbis_decode_frame()$1,0002016-10-02
101018Use after free in fullscreen unwraprenderer-2016-10-02
101010Security: css/CSSParser.cpp memory corruption bug-2016-10-02
100958Heap-use-after-free WebCore::RenderBlock::layoutPositionedObjects-2016-10-02
100879Problem with full-screen infobar permission prompt-2016-10-02
100863OOB read in SVG at WebCore::parseArcFlag-2016-10-02
100543OOB read in WebM/vorbis at render_line()$5002016-10-02
101065Use after free with counters and inline-table and :before content-2016-10-02
101127BlackBerry¼-2016-10-02
101136Security: Search terms hijacked to return only one site for search terms-2016-10-02
138210Information and credential disclosure by file:// URLs (Android)$5002016-10-02
138035Security: Google Chrome for Android: Current-tab cross-application scripting (UXSS)$5002016-10-02
138012Heap-buffer-overflow in WebCore::FontCache::releaseFontData-2016-10-02
137912Heap-buffer-overflow in WebCore::DelayDSPKernel::process-2016-10-02
137891Security: HTTPS proxy can run JavaScript on requested HTTPS sites-2016-10-02
137852Heap-use-after-free in WebKit::WebElement::document-2016-10-02
137778Heap-use-after-free in webkit::ppapi::PPB_URLLoader_Impl::FillUserBuffer-2016-10-02
138208Crash in SkGlyphCache::findImage$1,0002016-10-02
100492Use after free in WebM/matroska at matroska_execute_seekhead()$3,0002016-10-02
100465OOB read in OGV at unpack_vlcs$5002016-10-02
100464Use-after-free in WebM at decode_mb_mode$1,0002016-10-02
100459Use after free in RenderDeprecatedFlexibleBox::layoutHorizontalBox(bool) [and first-letter]-2016-10-02
100447ClusterFuzz Account Check.-2016-10-02
100322Security: Calling arbitrary V8 native functions from JavaScript-2016-10-02
138196Stack-buffer-overflow in NPObjectProxy::NPNEvaluate-2016-10-02
138192Heap-buffer-overflow in WebCore::HTMLInputElement::dataList-2016-10-02
100526Use after free in floats and first-letter-2016-10-02
137623Heap-buffer-overflow in WebPluginDelegateProxy::BackgroundChanged-2016-10-02
137532Security: Android APIs exposed to JavaScript$5002016-10-02
137471Heap-use-after-free in WebCore::Element::cloneElementWithoutChildren-2016-10-02
137413Heap-buffer-overflow in WebCore::RenderTableSection::setCellLogicalWidths-2016-10-02
137409Heap-use-after-free in WebCore::RenderObject::container-2016-10-02
137407Security: Chrome for iOS security bug-2016-10-02
137364Heap-use-after-free in WebCore::CSSFontSelector::beginLoadTimerFired-2016-10-02
137707Security: Chrome extensions bug cause crash in all Chrome processes$5002016-10-02
137671Security: Bad cast in WebCore::CalendarPickerElement::hostInput()$2,0002016-10-02
137541Reproducible crash. Changing tabs while a specific text field has focus.-2016-10-02
137233Heap-buffer-overflow in WebCore::RenderBlock::handleTrailingSpaces-2016-10-02
137125UNKNOWN in WebCore::StylePropertySet::addParsedProperties$1,0002016-10-02
137208Security: Mouse lock permission and iframe on different host-2016-10-02
137174UNKNOWN in WebCore::SVGAnimationElement::currentValuesForValuesAnimation-2016-10-02
137147UNKNOWN in WebCore::RenderTable::cellBefore-2016-10-02
137303Corrupted rendering with many MapsGL tabs open-2016-10-02
137052Heap-use-after-free in WebCore::EllipsisBox::paint-2016-10-02
137363Heap-use-after-free in WebCore::RenderBlock::removeChild-2016-10-02
137362Heap-buffer-overflow in WebCore::CCLayerTreeHostImpl::CullRenderPassesWithNoQuads::shouldRemoveRenderPass-2016-10-02
137232UNKNOWN in WebCore::ElementAttributeData::addAttribute-2016-10-02
136497Security: XSS via Copy&Paste protection bypass using @formaction / General Iframe Sandbox Considerations regarding copy&paste / drag&drop-2016-10-02
136881Security: race condition with workers and sync xmlhttprequests$5002016-10-02
136894Heap-buffer-overflow in UpsampleBgraLinePairSSE2$1,0002016-10-02
136952Heap-use-after-free in WebCore::RenderLineBoxList::dirtyLinesFromChangedChild-2016-10-02
136226Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine-2016-10-02
136182Heap-use-after-free in WebCore::ImageLoader::updateRenderer-2016-10-02
136344Heap-use-after-free in WebCore::FrameLoader::stopAllLoaders-2016-10-02
136116Heap-use-after-free in WebCore::RenderLayer::enclosingFilterLayer-2016-10-02
136046Bad intersection of injected HTTP headers leads to Content Security Policy (CSP) Bypass-2016-10-02
136296Heap-use-after-free in WebCore::SVGSMILElement::resetTargetElement-2016-10-02
136235Heap-use-after-free in WebCore::StyleResolver::collectMatchingRulesForList$1,0002016-10-02
136145Security: Heap-buffer-overflow on TextFieldDecorationElement::defaultEventHandler-2016-10-02
135697Heap-use-after-free in WebCore::RenderLayer::repaintBlockSelectionGaps-2016-10-02
135658Turn off <iframe> seamless for m21-2016-10-02
135595Heap-use-after-free in WebCore::ImageLoader::notifyFinished-2016-10-02
135705Heap-buffer-overflow in WebCore::TextIterator::handleTextBox-2016-10-02
135432Heap-buffer-overflow in skia::BGRAConvolve2D$1,0002016-10-02
135698Heap-use-after-free in WebCore::HTMLInputElement::isPresentationAttribute-2016-10-02
135485SPDY - Pushed stream - crash accessing https://jetty.intalio.com:10111/spdy-2016-10-02
135071Heap-buffer-overflow in void WTF::Vector<unsigned short, 1024ul>::append<unsigned short>-2016-10-02
134897Bad cast with run-ins and <input>$1,0002016-10-02
135173Heap-use-after-free in WebCore::RenderQuote::rendererRemovedFromTree-2016-10-02
135043Heap-use-after-free in media_stream::$3,1332016-10-02
134429Heap-use-after-free in WebCore::Document::clearNodeListCaches-2016-10-02
134639Heap-use-after-free in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers-2016-10-02
134428Heap-buffer-overflow in WebCore::SVGDocumentExtensions::removeAnimationElementFromTarget-2016-10-02
134519Security: memory address disclosure through JavaScript in WebUI's cookies page-2016-10-02
134402Heap buffer overflows in WebCore::CSSParser::lex-2016-10-02
134324Heap-use-after-free in WebCore::RenderBlock::layoutPositionedObjects-2016-10-02
134325Security: Use after free with mouse lock and window.open$1,0002016-10-02
100177Use after free in first-letter container destruction handling.-2016-10-02
100149Use after free in AX Scrollbars-2016-10-02
99991Use after free in ImageBuffer::toDataURL-2016-10-02
100059Generic fix: Register custom fonts at creation time, rather than retire time.$1,3372016-10-02
99652OOB read in vp8_decode_frame$1,0002016-10-02
99732Use after free in table parts.-2016-10-02
99603Use after free due to flexible box not laying some of its children.-2016-10-02
99597Use after free in tables, float, :after content-2016-10-02
99840Windows OpenGL performance drops by 2/3 with GPU sandbox on-2016-10-02
99880Use after free in table :before, :after content.$1,0002016-10-02
99901BinScope reports SafeSEH not supported on video DLLs-2016-10-02
99615Heap-use-after-free in WebCore::GraphicsContext::paintingDisabled-2016-10-02
99465Security: AccessibilityImageMapLink holds onto its parent even after it's been freed-2016-10-02
99348Use after free in tables-2016-10-02
99338Use after free in RenderTableSection::splitColumn-2016-10-02
99596Use after free in media::FFmpegDemuxerStream::Read-2016-10-02
99553repeatedly re-setting video.src crashes in WebCore::VideoLayerChromium::updateCompositorResources-2016-10-02
99480OOB read in media::ScaleYUVToRGB32-2016-10-02
99294Use after free with :after in display table and :first-letter$1,0002016-10-02
99167[LangFuzz] Crash on Heap involving GC (invalid write)$1,0002016-10-02
99104WebKit: invalid cast in WebCore::toRenderBlock / WebCore::RenderBlock::blockSelectionGaps-2016-10-02
99016Security: HTTPS Address Bar Spoofing Using View-source And Redirection$1,0002016-10-02
99003changing proxy-2016-10-02
99229WebKit: Use after free in ~Node because ~HTMLLinkElement triggers script execution-2016-10-02
99211Heap buffer overflow in Webaudio FFTFrame::doFFT$2,0002016-10-02
99138Use-after-free with plugin and editing$1,0002016-10-02
98556Use after free with first-letter$1,0002016-10-02
98262Chrome 16 crash when resizing window-2016-10-02
98161Bug 68816 - Rapidly refreshing a feMorphology[erode] with r=0 can sometimes cause display corruption-2016-10-02
98773[LangFuzz] Crash at v8::Object::SlowGetPointerFromInternalField with invalid read$1,0002016-10-02
98809Renderer crash with PDF at isalnum$5002016-10-02
98582Security: invalid memory reference to window object-2016-10-02
97994Use after free due to stale fonts-2016-10-02
97952Stale layout root generic fix from Mitz-2016-10-02
97898Regression: Use after free in RenderBlock::linkToEndLineIfNeeded-2016-10-02
97867Security: Major Google Plus and Google Chrome Problem-2016-10-02
98089memory corruption in ANGLE shader translator-2016-10-02
98064Use-after-free when font is missing$1,0002016-10-02
97784[v8] Stale pointer in CSSStyleSheet, Invalid cast in V8ListenerList::doFindWrapper$1,5002016-10-02
97608Use after free in counters in :before, :after content$5002016-10-02
97596Security: anonymous proxy-2016-10-02
97553Clicking a link on a page that has been fullscreened by JS doesn't exit fullscreen-2016-10-02
97546Use after free in ruby text :after, :before content due to stale styles.-2016-10-02
97278Security: Tracking bug for CachedResourceLoader::canRequest in a redirect chain-2016-10-02
97148Crashes in PhishingDOMFeatureExtractor::ExtractFeaturesWithTimeout-2016-10-02
97092Stale canvas used in WebCore::PlatformContextSkia::save()$1,0002016-10-02
97674Security: Extension can get at tabs details (url/title) without requesting tabs permission-2016-10-02
97599More stale styles in listmarkers$1,0002016-10-02
96747Security: Magic iframe transfer vulnerability for Pepper/NaCl plugins-2016-10-02
96902Use-after-free in findPlaceForCounter$1,0002016-10-02
97006Use after free due to issues in element detachment when entering fullscreen-2016-10-02
96665Use after free in Element::recalcStyle due to reparenting issues in treebuilder-2016-10-02
96382out-of-bounds access in Gradient::sortStopsIfNecessary-2016-10-02
96292Use after free in media BufferedResourceLoader::Start-2016-10-02
141815Heap-use-after-free in WebCore::RenderQuote::detachQuote-2016-10-02
141651Heap-buffer-overflow in SkA8_Blitter::blitAntiH$5002016-10-02
141564Heap-use-after-free in WebCore::HTMLLinkElement::removedFrom-2016-10-02
141462Extension resources that are not web accessible should not be able to be linked to from the web-2016-10-02
141444Security: Support pinning for Google ccTLDs-2016-10-02
141395UNKNOWN in v8::internal::SemiSpaceIterator::Next$1,0002016-10-02
96499Heap-use-after-free in WebCore::RenderLayer::updateVisibilityStatus-2016-10-02
96444Freed scrollbar used in RenderScrollbarPart::imageChanged [not related to previous stale m_owner issues]-2016-10-02
96149Use after free in WebCore::AudioChannel::sumFrom-2016-10-02
141093Security: Dev only restriction for declarativeWebRequest does not seem to work-2016-10-02
96150Use after free in OfflineAudioDestinationNode::notifyCompleteDispatch-2016-10-02
140805Heap-use-after-free in WebCore::RenderRegion::restoreRegionObjectsOriginalStyle-2016-10-02
140803Heap-buffer-overflow in SkA8_Blitter::blitH$1,0002016-10-02
140720Heap-use-after-free in WebCore::RenderBlock::removeChild-2016-10-02
140656Heap-use-after-free in WebCore::CachedResource::didAddClient$1,0002016-10-02
140647UNKNOWN in ogg_calc_pts-2016-10-02
140642Heap-buffer-overflow in SkDashPathEffect::SkDashPathEffect-2016-10-02
96131Closing parent then child in gmail = sad tab-2016-10-02
96170Use after free in InspectorPageAgent::resourceContent-2016-10-02
140495Text box fails to render contents and does not accept user input.-2016-10-02
140484Heap-use-after-free in WebCore::RenderBlock::determineStartPosition-2016-10-02
140368Security: heap-use-after-free in xsltGenerateIdFunction-2016-10-02
140165Heap-buffer-overflow in vorbis_decode_frame-2016-10-02
140142Heap-use-after-free in base::internal::WeakReference::is_valid-2016-10-02
140532Heap-use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer-2016-10-02
140544Security: CSP doesn't turn off eval, etc. in Web Workers-2016-10-02
140083[LangFuzz] Crash on heap trying to execute address 0x0000000200000000.$1,0002016-10-02
140045REGRESSION(r122498): Assertion failure: m_nodeListCounts is sometimes not zero in the Document destructor-2016-10-02
139961Heap-use-after-free in WebCore::TargetListener::handleEvent [Stale target]-2016-10-02
139814UAF in DOMContentLoaded$2,0002016-10-02
139789Heap-buffer-overflow in WebCore::CSSParser::updateLastSelectorLineAndPosition-2016-10-02
139772AddressSanitizer reports a global buffer underflow in swizzle_for_size() in Mesa-2016-10-02
139744Security: SSL compression infoleak$5,3372016-10-02
140085UNKNOWN in /mnt/scratch0/clusterfuzz/slave-bot/builds/revisions/asan-linux-release-149416/chrome+Unknown-2016-10-02
139685OOB read at least in WebCore::SVGListProperty<WebCore::SVGTransformList>::getItemValuesAndWrappers-2016-10-02
139690Heap-use-after-free in WebCore::GenericEventQueue::timerFired-2016-10-02
139646Heap-use-after-free in WebCore::DynamicNodeList::itemWithName-2016-10-02
139679Bad cast in RenderFrameSet::computeEdgeInfo-2016-10-02
139530Heap-use-after-free in WebCore::Node::~Node-2016-10-02
139475Heap-use-after-free in WebCore::TargetListener::handleEvent [Stale event listener]-2016-10-02
139462Heap-use-after-free in SkCanvas::updateDeviceCMCache-2016-10-02
139541UNKNOWN in v8::HandleScope::CreateHandle-2016-10-02
139464Heap-use-after-free in WebCore::RenderSVGShape::calculateStrokeBoundingBox-2016-10-02
139321Heap-use-after-free in WebCore::InlineBox::extractLine-2016-10-02
139402Heap-use-after-free in D_Clear_BitmapXferProc-2016-10-02
139215Heap-use-after-free in WebCore::StyleResolver::collectMatchingRules-2016-10-02
139168Security: Creating a loop in the DOM tree (99% a DoS)$5002016-10-02
139131Heap-use-after-free in WebCore::StyleResolver::collectMatchingRulesForList-2016-10-02
139290Heap-use-after-free in WebCore::StyleResolver::loadPendingImage-2016-10-02
139383Heap-use-after-free in WebCore::HTMLTextFormControlElement::fixPlaceholderRenderer-2016-10-02
139240Heap-buffer-overflow in WebCore::TextTrackCueList::add-2016-10-02
138738Crash in extensions::SetContentSettingFunction-2016-10-02
138915Heap-use-after-free in WebCore::ContainerNode::cloneChildNodes-2016-10-02
138422Heap-use-after-free in WebCore::Font::glyphDataAndPageForCharacter-2016-10-02
138404Heap-use-after-free in WebCore::Document::page-2016-10-02
138673Heap-buffer-overflow in xsltApplyTemplates$1,0002016-10-02
138990Heap-use-after-free in WebCore::SVGStyledElement::clearHasPendingResourcesIfPossible-2016-10-02
138672Heap-double-free in xsltCompileStepPattern-2016-10-02
138901Heap-use-after-free in ProfileKeyedBaseFactory::GetProfileToUse-2016-10-02
138302Stack-buffer-overflow in NPObjectProxy::NPInvokePrivate-2016-10-02
138318UXSS with pointer lock-2016-10-02
138382Heap-use-after-free in WebCore::AutoTableLayout::recalcColumn-2016-10-02
138316Heap-use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer-2016-10-02
95849Security: any Chrome committer (or perhaps even any user with Google account?) can compromise Google Chrome-2016-10-02
95842Security: Chrome Gives Unreliable Security Info-2016-10-02
95761Use after free in ContainerNode::removeChild (looks related to plugin)-2016-10-02
95672Use after free in ListIterms and RunIns rendering (from bug 88680)$1,0002016-10-02
95669Regression(r93913): Use after free in ScriptController::executeScript-2016-10-02
95992Security: header injection when using embedded \0 in headerline-2016-10-02
95920[LangFuzz] Crash at v8::internal::ElementsAccessorBase with invalid read$1,0002016-10-02
95917Security: Chrome does not ask for approval when "not trusted" SSL cert. changes-2016-10-02
95563OOB read in tibetan_nextSyllableBoundary-2016-10-02
95625OOB read in gpu::gles2::GLES2DecoderImpl::HandleDrawArrays-2016-10-02
95499Use after free due to style not updated and having stale fonts.-2016-10-02
95485[LangFuzz] Crash at v8::internal::Object::Lookup$1,0002016-10-02
95639Use after free in Document::fullScreenChangeDelayTimerFired-2016-10-02
95620use-after-free in browser_tests-2016-10-02
95520Child not placed correctly when :before, :after placed in same table part container causing stale style-2016-10-02
95359Use after free in WebCore::SVGTRefElement::updateReferencedText-2016-10-02
95360use after free in WebCore::ContainerNode::removeChild via Range.deleteContents()-2016-10-02
95083Security: Reveal stored passwords using the Developer Tool-2016-10-02
95072Use after free due to style not updated for svg text runs.$1,0002016-10-02
95012Add defensive bounds checking in AudioNode-2016-10-02
94834Security: Thread safety with AudioChannelMerger-2016-10-02
95374Redirect to chrome:// URIs via Location: header$2,3372016-10-02
954654 OOB reads in XMLDocumentParser::doWrite-2016-10-02
95333ERROR:the following pages have become unresponsive. you can wait to become responsive or kill them-2016-10-02
94820Don't allow nodes of one context to be connected to nodes of another context-2016-10-02
94743Regression(r93913): Use after free in ScheduledAction::execute(WebCore::V8Proxy*)-2016-10-02
94578Security: Brute forcing Intranet WWW-Auth with script element-2016-10-02
94487Security: JSC::Yarr regexp 32/48 to the left of 768 with workers$1,0002016-10-02
94464Security: e-2016-10-02
94463Security: e-2016-10-02
94462Security: e-2016-10-02
94461Security: e-2016-10-02
94460Security: e-2016-10-02
94459Security: e-2016-10-02
94458Security: e-2016-10-02
94810Use after free with Floats and Ruby-2016-10-02
94809Use after free in ruby overhang.-2016-10-02
94456Security:-2016-10-02
94275Make sure that AudioArray is 16-byte aligned-2016-10-02
94273V8 custom bindings for AudioNode must do proper object checking and throw exception in case of error-2016-10-02
94186WebAudio node lifetype crash when tearing down audio nodes / media element node-2016-10-02
94025WebAudio: Integer overflows in AudioArray-2016-10-02
93978Out of bounds reads and writes when FFT size is changed.-2016-10-02
93918Regression(93122): Use after free in InspectorCSSAgent::clearFrontend-2016-10-02
94457Security: e-2016-10-02
94278Fix thread-safety of AudioNode deletion-2016-10-02
93596Bad read in bundled PDF viewer-2016-10-02
93497Security: Accessibility of the chrome.webstorePrivate-API-2016-10-02
93472Yet another double-free caused by malformed XPath expression in XSLT$1,0002016-10-02
93420Use after free in FocusController::advanceFocusInDocumentOrder$1,0002016-10-02
93788Use after free in RenderText lineboxes.$1,0002016-10-02
93587Use after free in WebCore::Text::recalcStyle due to before after content issue in table parts$1,0002016-10-02
93856Use after free in RenderFlowThread::nextRendererForNode-2016-10-02
93146Security: Possible race condition in Windows Policy reading that can lead to stale policy.-2016-10-02
93106Failing assertion in IDBTransaction.cpp-2016-10-02
93097Defensively null out dangling pointers in the NaCl browser plugin memory safety for M14-2016-10-02
93059OOB read in EventDispatcher::adjustToShadowBoundaries-2016-10-02
93416Security: Arbitrary cross-origin bypass using __defineGetter__ prototype override$2,0002016-10-02
93236Stale Pointer Crash in PrintWebViewHelper::PrintPreviewContext::CreatePreviewDocument-2016-10-02
92959Stale node in StyleSheetCandidateListHashSet$1,0002016-10-02
92769Use after free in TreeBuilder-2016-10-02
92651Use after free due to style not updated for ANONYMOUS boxes (e.g RenderRow), inline-blocks (e.g. RenderRubyRun)$1,0002016-10-02
92621Use after free in VisibleSelection::selectionFromContentsOfNode-2016-10-02
92550Chrome (main process) crashes when setVersion is called when all (Indexed) database name space is used up-2016-10-02
92226Use after free in CounterNode::lastDescendant-2016-10-02
92840Use after free in HarfbuzzFace::~HarfbuzzFace-2016-10-02
146433Chrome_Mac: Crash Report - base::::CrMallocErrorBreak / invalid free in SkWriter32::rewindToOffset-2016-10-02
146235WTF::equal is too aggressive and may trigger ASan reports-2016-10-02
146208Heap-buffer-overflow in WebCore::RenderTableSection::nodeAtPoint-2016-10-02
146145Heap-use-after-free in WebCore::RenderText::computePreferredLogicalWidths-2016-10-02
146144Heap-use-after-free in WebCore::FrameView::scrollContentsFastPath-2016-10-02
146111Heap-use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer-2016-10-02
145976Heap-use-after-free in WebCore::HTMLTextFormControlElement::fixPlaceholderRenderer-2016-10-02
145921AddressSanitizer reports a UAF in WebCore::RenderStyle::letterSpacing-2016-10-02
146146Heap-buffer-overflow in WebCore::FlowThreadController::unregisterNamedFlowContentNode-2016-10-02
145867Heap-use-after-free in WebCore::FrameView::scrollContentsFastPath-2016-10-02
145915Security/Privacy: <img>-embedded SVG will load external content referenced by CSS @import @font-face-2016-10-02
145530Mitigation: Kill OOB reads(or few writes) by preventing access to harmful locals in dirty text lineboxes-2016-10-02
145525Security: heap buffer overflow in gpu process with webgl$3,5002016-10-02
145492Web Inspector: Page with @import and :last-child in an edited stylesheet will crash (UAF)-2016-10-02
145544Security: integer overflow in gpu process with webgl$1,0002016-10-02
145272Heap-use-after-free in WebCore::nextBreakablePosition-2016-10-02
145018Heap-use-after-free in WebCore::StyleSheetContents::checkLoadCompleted-2016-10-02
144886Security: webgl crash on mesa$3,1332016-10-02
144866Security: Chrome for Android Bypassing SOP for Local Files By Symlinks$5002016-10-02
144831Heap-buffer-overflow in WebCore::StylePropertySet::copyPropertiesFrom-2016-10-02
145363Security: Chrome extension DEP crash-2016-10-02
144899SkPaint::SkPaint - crash$1,0002016-10-02
144799Heap-double-free in xmlFreeNodeList-2016-10-02
144813Security: UXSS via com.android.browser.application_id Intent extra$5002016-10-02
144671Heap-use-after-free in WebCore::GCPrologueVisitor<void, WebCore::SpecialCasePrologueObjectHandler>::visitDOMWrapper-2016-10-02
144466Crash when verifying ECDSA certificate on XP-2016-10-02
144734Heap-buffer-overflow in WebCore::RenderTable::removeCaption-2016-10-02
144810Heap-use-after-free in WebCore::RenderTable::calcBorderEnd-2016-10-02
144704Tracking bug for fixing rel=noreferrer aslr bypass-2016-10-02
143761Heap-use-after-free in WebCore::GraphicsContext::restore$1,0002016-10-02
143672Flapper Crash in BrokerProcessDispatcher::GetSitesWithData-2016-10-02
143859Security: World-writable shared memory segments for X/Linux UI-2016-10-02
144051Security: Memory address disclosure through JavaScript in Print Preview WebUI-2016-10-02
143846Security: Chromoting creates a world-writable shared memory segment-2016-10-02
143609Heap-use-after-free in WebCore::ElementV8Internal::onclickAttrGetter$1,0002016-10-02
143604Heap-use-after-free in WebCore::RenderBlock::LineBreaker::nextLineBreak [SVG text]-2016-10-02
143593Heap-buffer-overflow in WebCore::SurrogatePairAwareTextIterator::consume-2016-10-02
143582Heap-use-after-free in WTF::OwnPtr<WTF::Vector<WebCore::RegisteredEventListener, 1ul> >::~OwnPtr-2016-10-02
143551Heap-use-after-free in WebCore::TreeScopeAdopter::moveTreeToNewScope-2016-10-02
143656Heap-use-after-free in WebCore::SVGTRefElement::updateReferencedText$1,0002016-10-02
143648Heap-buffer-overflow in WebCore::StyleResolver::applyProperty-2016-10-02
143176Heap-use-after-free in WebCore::AccessibilityNodeObject::document-2016-10-02
143409Heap-buffer-overflow in SkScalerContext_FreeType::generateImage-2016-10-02
142956Security: XSS in SSL Certificate error page$5002016-10-02
142876Heap-buffer-overflow in WebCore::HarfBuzzShaperBase::isWordEnd-2016-10-02
143329Bad cast in RenderGrid::layoutGridItems-2016-10-02
143004Security: Untrustworthy Chrome OS user-wallpaper png's are loaded pre-login (in the sandboxed utility process)-2016-10-02
142310ASan reports a use-after-free in IndexedDBBrowserTest.Bug109187Test-2016-10-02
142395Bad cast in computeReplacedLogicalHeightUsing-2016-10-02
142145Heap-use-after-free in WebCore::RenderBlock::removeChild-2016-10-02
142746Security: Potential use after destruction in ui/gfx/image-2016-10-02
142169Heap-buffer-overflow in SkAlphaRuns::add$5002016-10-02
142088UNKNOWN in v8::internal::Invoke-2016-10-02
142087UNKNOWN in void v8::internal::String::WriteToFlat<char>-2016-10-02
141901Security: mesa stack scribbling thingamadoo$3,1332016-10-02
141889Security: Cookie theft from Chrome by malicious Android app$5002016-10-02
91972Regression(85705): Use after free on m_originatingLine in floats-2016-10-02
91940Security: Romanian colloquialism meaning penis when viewing YouTube channels-2016-10-02
91939Security: Romanian colloquialism meaning penis when viewing YouTube channels-2016-10-02
91921Use after free in RenderRubyBase-2016-10-02
91911Freed m_renderer used in InlineBox::deleteLine-2016-10-02
91973Regression(90971): Use after free in Textarea placeholder-2016-10-02
91665Crash on bad rip when opening a PDF$1,0002016-10-02
91801Use after free of RootInlineBox-2016-10-02
91577file:// URL access is defaulting to opt-in-2016-10-02
91554Possible use-after-free in AddToConsole-2016-10-02
91633Security: When upgrade to 13.0.782.107, chrome will run js and load image which had been disabled in chrome-2016-10-02
91502Security: Malware Page forbids user from closing a tab.(window.onunload hijack)-2016-10-02
91362Regression(91331): Bad cast due to html renderer created for svg glyphref-2016-10-02
91312Security: Native Client app can crash trusted code.-2016-10-02
91218XSS in chrome://appcache-internals-2016-10-02
91517Security: V8 asserts (crashes) when entering simple JS snippet-2016-10-02
91321Regression(91788): Bad cast in WebCore::blockWithNextLineBox-2016-10-02
91020Use after free in MediaTest.FLAKY_VideoBearWebm on Mac OS-2016-10-02
91099OOB read in RenderScrollbarPart::computeScrollbarWidth-2016-10-02
91120[LangFuzz] Crash at Runtime_QuoteJSONString with invalid write$5002016-10-02
91082Security: Major Privacy Loop Hole !-2016-10-02
91079where to submit Google account bug-2016-10-02
91093Bad cast in paintMediaPlayButton-2016-10-02
91016Security: Canvas toDataURL security error: It is taking page information and not the canvas when making the image$5002016-10-02
91013[LangFuzz] Crash at RootMarkingVisitor::VisitPointers (32 bit)$1,0002016-10-02
91010[LangFuzz] Crash at JSObject::SetDictionaryElement with invalid read (32 bit)$1,0002016-10-02
91197Use after free or bad cast with empty .swf file-2016-10-02
91092Use after free in SVGUseElement::buildShadowTree-2016-10-02
90978read out of bounds in sUnpremultiplyData_RGBA8888 / ImageBufferData::getData (WEBKIT 65352)-2016-10-02
90668Use after free in WebCore::findPlainText$1,0002016-10-02
90498Security: automatically downloading of .crdownload-files-2016-10-02
91008[LangFuzz] Crash at JSObject::PrepareElementsForSort with invalid read$1,0002016-10-02
90357OOB read in WebCore::previousBoundary-2016-10-02
90217Prevent silent truncation of trailing characters in downloaded file names-2016-10-02
90173OOB read in media::ScaleYUVToRGB32 due to failure to account for zero source width and accessing negative indices-2016-10-02
90134OOB read in harfbuzz with khmer character-2016-10-02
90105Heap-buffer-overflow in WebCore::RenderBlock::LineBreaker::nextLineBreak-2016-10-02
89991Regression(82144): OOB InlineIterator read in TrailingObjects::updateMidpointsForTrailingBoxes$5002016-10-02
90175Security: remove any site from Google Index-2016-10-02
89795Browser crash in net::WebSocketJob::SendPending-2016-10-02
89580Use after free due to continuation splitting issues in -webkit-column-span-2016-10-02
89599Freed SVGTRefElement used in SVGStyledElement::buildPendingResourcesIfNeeded-2016-10-02
89836Tracking bug for ANGLE memory corruption on Windows$1,3372016-10-02
89575Use after free of markers in CompositeEditCommand::replaceTextInNodePreservingMarkers-2016-10-02
89564Possible URL Bar Spoofing when history.forward() is ignored using forward button$5002016-10-02
89678Use after free in ReplacementFragment::removeUnrenderedNodes-2016-10-02
89552Use after free in CSSStyleSheet::checkLoaded-2016-10-02
89522SVG animation API crashes on SVGAnimateTransform-2016-10-02
89511Use after free in IDBRequest::abort-2016-10-02
89493Use after free in SVG foreignobject rendering.-2016-10-02
89422Two use after frees in NPObjectStub-2016-10-02
89558Use after free in SVGUseElement::buildShadowTree$5002016-10-02
89402Memory corruption (double free) caused by malformed XPath expression in XSLT$1,0002016-10-02
89330DocumentLoader use after free in KURL::strippedForUseAsReferrer$1,0002016-10-02
89219Use after free due to document destruction within unload event$1,0002016-10-02
89142PDF viewer crash$5002016-10-02
89020Security: ftp-2016-10-02
88976possible use after free WebCore::FontCache::getFontDataForCharacters-2016-10-02
88949Security: Location Bar Spoofing using very long string on a web address in the location bar-2016-10-02
88944Use-after free in leveldb$3,1332016-10-02
88932Security: Exploit in google+-2016-10-02
152691chrome!std::_Tree<std::_Tmap_traits<tracked_objects::Location,tracked_objects::Births *,std::less<tracked_objects::Location>,std::allocator<std::pair<tracked_objects::Location const ,tracked_objects::Births *> >,0> >::find+15 - crash$2,0002016-10-02
152585Heap-use-after-free in WebCore::ContainerNode::removeAllChildren-2016-10-02
152420Heap-use-after-free in content::P2PSocketClient::OnDataReceived-2016-10-02
152354Mask RenderArena freelist entries.-2016-10-02
152569Chrome_Mac: Crash Report - Stack Signature: CompositorOutputSurface::OnMessageReceived-...$5002016-10-02
152442Heap-use-after-free in icu_46::RuleBasedCollator::RuleBasedCollator-2016-10-02
151895Defense to throw "unauthorized" infobar for excessively crashing plug-in does not work for Pepper Flash!-2016-10-02
151888Crash in v8::internal::SlotsBuffer::UpdateSlotsRecordedIn-2016-10-02
151854Heap-use-after-free in WebCore::CachedResource::addClientToSet-2016-10-02
151795Security: remove chrome.experimental.offscreenTabs API-2016-10-02
152104out of bounds array access in WTF::TypedArrayBase<unsigned char>::item(unsigned int) / WebCore::FEMorphology::platformApplyGeneric-2016-10-02
151992Heap-use-after-free in VideoCaptureImpl::RemoveClient-2016-10-02
151860Heap-use-after-free in WebCore::DateTimeFieldElement::didBlur$1,0002016-10-02
151008Heap-use-after-free in WebCore::CanvasRenderingContext2D::setFont$1,0002016-10-02
151424Chrome: Crash Report - Stack Signature: WebCore::CachedImage::likelyToBeUsedSoon()-...-2016-10-02
151449Heap-buffer-overflow in cc::CCKeyframedTransformAnimationCurve::getValue-2016-10-02
150966Heap-use-after-free in WebCore::Node::~Node-2016-10-02
151049Heap-use-after-free in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers-2016-10-02
150571Global-buffer-overflow in v128_copy_octet_string-2016-10-02
150067Heap-buffer-overflow in WebCore::InlineFlowBox::placeBoxesInInlineDirection-2016-10-02
149999Heap-use-after-free in WebCore::WebKitCSSSVGDocumentValue::load-2016-10-02
150842Heap-use-after-free in content::P2PSocketClient::DeliverOnSocketCreated-2016-10-02
150545UNKNOWN in v8::internal::RootMarkingVisitor::MarkObjectByPointer-2016-10-02
150650MSI installer ships an out-of-date GoogleUpdate.exe with no ASLR or DEP (and may not be updating)-2016-10-02
150729UNKNOWN in v8::internal::Invoke$1,5002016-10-02
150737IndexedDB causes V8 heap corruption$1,0002016-10-02
149717Security: integer overflow in webgl on osx$1,0002016-10-02
149877Security: Omnibox drop target enables navigation to restricted URLs-2016-10-02
149904Security: webgl - after running out of memory, buffer can still be written$1,0002016-10-02
149840Heap-use-after-free in WebCore::StyleRuleImport::setCSSStyleSheet-2016-10-02
149871Untrustworthy navigation causes HTTP Basic Auth dialog origin confusion/spoofing-2016-10-02
148612Heap-use-after-free in WebCore::pushFullyClippedState-2016-10-02
148896UNKNOWN in v8::internal::ElementsAccessorBase<v8::internal::ExternalUnsignedByteElementsAccessor, v8::internal:-2016-10-02
148378[LangFuzz] Crash due to invalid free in v8::internal::Runtime_RegExpExecMultiple$1,0002016-10-02
148692Heap-buffer-overflow in ucstrTextExtract$5002016-10-02
148638Heap-buffer-overflow in SkAAClipBlitter::blitAntiH$5002016-10-02
148567Touch events allow cross-origin access$5002016-10-02
147625Security: UXSS/SOP bypass with document.write (Chrome on iOS)$5002016-10-02
147499Heap-use-after-free in media::AudioOutputDevice::AudioThreadCallback::Process$3,1332016-10-02
147475UNKNOWN in v8::internal::Deoptimizer::DoComputeOutputFrames-2016-10-02
147459Heap-use-after-free in WebCore::ImageLoader::updateRenderer-2016-10-02
148376[LangFuzz] Crash at v8::internal::MarkCompactCollector::EvacuateNewSpace with invalid read$1,0002016-10-02
147700Heap-use-after-free in WebCore::Document::fullScreenChangeDelayTimerFired-2016-10-02
147592Chrome_ChromeOS: Crash Report - Stack Signature: WebKit::WebWorkerClientImpl::openFileSystem...-2016-10-02
146882Heap-use-after-free in WebCore::InlineBox::adjustPosition-2016-10-02
146760Security: URL bar spoofing with SSL error messages (Chrome on iOS)$5002016-10-02
146725AddressSanitizer reports a use-after-free in WebKit::DateTimeChooserImpl::didClosePopup-2016-10-02
147435Heap-use-after-free in WebCore::InlineBox::root-2016-10-02
147436UNKNOWN in sk_memset32_SSE2-2016-10-02
147290Heap-use-after-free in WebCore::DateTimeEditElement::setEmptyValue$1,0002016-10-02
146492Check behavior of "," in "content_security_policy" manifest attribute.-2016-10-02
88850Use after free with fuzzed ogv file$1,0002016-10-02
88846Use-after-free in FrameLoader with no form post method$1,0002016-10-02
88889Stale pointer due to floats not removed (flexible box display)$1,0002016-10-02
88858[LangFuzz] Crash at JSObject::LocalLookupRealNamedProperty with invalid read on gc$1,0002016-10-02
88757AudioContext GainNode memory corruption-2016-10-02
88730Use after free in SVGUseElement::invalidateShadowTree / SVGElementInstance::invalidateAllInstancesOfElement-2016-10-02
88723REGRESSION (r85964): Use after free in WebCore::RenderObject::localToAbsolute-2016-10-02
88684Stale m_owner in RenderScrollbar (m_owner is deleted body element)-2016-10-02
88670ZDI-CAN-1283: Webkit fontface Invalid Font Family Remote Code Execution Vulnerability-2016-10-02
88649HRTFDatabaseLoader memory corruption-2016-10-02
88647webkitAudioContext can be called as a function instead of a constructor.-2016-10-02
88827OOB read due to Integer overflow in SkDashPathEffect constructor (len and phase)-2016-10-02
88729Security: PPB_Graphics2D_Create will lead to integer overflow in shm alloc-2016-10-02
88436Ogg memory corruption-2016-10-02
88337The beforeload event allows tracking URI changes in a frame$5002016-10-02
88131Aw, Snap! with context.createBuffer(request.response, false) on certain files-2016-10-02
88093Security: out-of-bounds read in v8 with defineProperty and arguments$1,0002016-10-02
88591[LangFuzz] CHECK(!value->IsTheHole()) failed // Crash with invalid read in shell$1,0002016-10-02
88531Use-after-free in SafeBrowsingResourceHandler::OnBrowseUrlCheckResult-2016-10-02
88216Regression: Use-after-free in CounterNode::insertAfter$1,0002016-10-02
87861Security: OOB read in svg text run-2016-10-02
87815chrome-devtools:// can be navigated from http-2016-10-02
87746Security: Chrome content script listener-2016-10-02
87925Use after free in range extract contents$1,0002016-10-02
87965webkitAudioContext multiple issues-2016-10-02
87862Security: Use after free in svg text-2016-10-02
87701Stale pointer in WebCore::PlatformContextSkia::save-2016-10-02
87548use after free in skia blitter-2016-10-02
87520Security: Webpage can gain access to extension content-script variables when content-script triggers events-2016-10-02
87478[LangFuzz] Crash on heap with invalid read$1,0002016-10-02
87339XSS injection via prototype chain$5002016-10-02
87298OOB read due to iterating over wrong textbox in TextIterator::emitText (first-letter + RTL)$5002016-10-02
87729Use after free in third_party/WebKit/LayoutTests/fast/dom/HTMLLinkElement/link-and-subresource-test.html$1,0002016-10-02
87728Regression(89733): Use after free in fast/forms/text-control-intrinsic-widths.html$1,0002016-10-02
87120Use after free on 2-Step-Authentication-method-change$5002016-10-02
87148use after free due to floats not removed$1,0002016-10-02
86758URL Bar Spoofing using History.back() and History.forward$5002016-10-02
86705Use after free in Geolocation::fatalErrorOccurred-2016-10-02
87227Use after free due to refcounting issue in MediaQueryMatcher::prepareEvaluator$1,0002016-10-02
86900Heap memory corruption in web database support (SQLite/ICU)$1,0002016-10-02
86502Use after free due to floats not cleared from parent's next siblings blocks (on losing ability to intrude floats)$1,0002016-10-02
86191Security: web-exposed manifest from Chrome extensions diverges from the real manifest in regards to NPAPI-2016-10-02
86304Google Chrome Acess Violation in Frame manipulation-2016-10-02
86609OOB read in fontfallbacklist due to issue in CSSPrimitiveValues clamping-2016-10-02
86178URL bar introduces NUMEROUS vulnerabilities.-2016-10-02
86648Use after free in formassociatedelement not removed from m_formElementsWithFormAttribute-2016-10-02
86367Use after free of frame in Document::finishedParsing-2016-10-02
85992Renderers can have registry handle which would allow a Windows sandbox escape-2016-10-02
85943Use after free in Stylesheet due to issue in CLONE nodes-2016-10-02
85808chrome_1c30000!webkit::ppapi::PPB_Widget_Impl::Invalidate crash$5002016-10-02
85559Web Inspector: Crash by buffer overrun crash when serializing inspector object tree.-2016-10-02
86133Add GRP to dangerous file list-2016-10-02
86108Security: FileSystem API can be used to learn about installed software on the user's computer-2016-10-02
85418Use-after-free in WebCore::RenderTextControl::isSelectableElement$1,0002016-10-02
85309Crash when closing a child window that uses a canvas-2016-10-02
85302Crasher in WebCore::StyleBase::stylesheet-2016-10-02
85256OOB read in UniscribleController::advance-2016-10-02
85211Use after free in SVGUseElement::buildShadowTree$1,0002016-10-02
85177Renderer crash with javascript + setInterval$5002016-10-02
85158Content script can gain access to the "window" object of the page using custom events-2016-10-02
85350Browser Crash in ~TabContents caused by PrerenderManager::PeriodicCleanup-2016-10-02
156906Heap-use-after-free in WebCore::XMLDocumentParser::doEnd-2016-10-02
156826UNKNOWN in S32A_Blend_BlitRow32_SSE2-2016-10-02
156828UNKNOWN in WebCore::Font::drawGlyphs-2016-10-02
156669Origin.com somehow manages to open its result page in the previous tab (which was gmail)-2016-10-02
156619Heap-use-after-free in WebCore::ApplyStyleCommand::cleanupUnstyledAppleStyleSpans-2016-10-02
156431Security: Use after free in IDBDatabaseCallbacksImpl::onVersionChange-2016-10-02
156418Heap-use-after-free in SpellCheckHostImpl::SaveDictionaryData-2016-10-02
156689Heap-buffer-overflow in WTF::StringImpl::findIgnoringCase-2016-10-02
156567Security: use-after-free in WebCore::GraphicsContext::paintingDisabled$1,0002016-10-02
156282Heap-use-after-free in WebCore::StyleResolver::pseudoStyleRulesForElement-2016-10-02
156383Security: chrome_to_device makes use of HTTP for cloudprint-2016-10-02
156096Heap-buffer-overflow in WebCore::RenderBlock::LineBreaker::nextLineBreak-2016-10-02
156231UNKNOWN in _wordcopy_fwd_aligned$1,0002016-10-02
156366Heap-use-after-free in PluginPlaceholder::ReplacePlugin-2016-10-02
156152Issues with HSTS / public key pins state tracking-2016-10-02
155977Security: remove uses of innerHTML in commented code for Getting Started Guide.-2016-10-02
155860WebCore::SharedBuffer::append(data, 0) can cause unitialized memory to be added to the SharedBuffer-2016-10-02
155711Security: forced oom in browser process due to indefinitely growing buffer in chunked decoder-2016-10-02
155643Heap-use-after-free in content::RenderWidgetHostImpl::OnMsgInputEventAck-2016-10-02
156015Heap-use-after-free in WebCore::FontPlatformData::uniqueID-2016-10-02
156051Heap use-after-free in ExtensionFunctionDispatcher::Dispatch caught by ASan when using "Screen Capture by Google"-2016-10-02
155877Chrome: RenderViewImpl::OnContextMenuClosed(content::CustomContextMenuContext const &)-2016-10-02
155293Heap-use-after-free in WebCore::ContextMenu::appendItem-2016-10-02
155285Heap-use-after-free in WebCore::Node::setNeedsStyleRecalc-2016-10-02
155117Security: GetReadonlyPnaclFD IPC security issues-2016-10-02
154987Pwnium SVG use after free-2016-10-02
154983Security: Pwnium 2 TCMalloc profile bug$60,0002016-10-02
155421Security: javascript scheme links auto-generated in devtools console-2016-10-02
154617Heap-use-after-free in WebCore::Node::~Node-2016-10-02
155323Out of bounds array access in GPU process-2016-10-02
154926Heap-use-after-free in WebIntentPickerGtk::OnDestroyThunk-2016-10-02
154488Heap-use-after-free in WebCore::FrameLoader::stopLoading-2016-10-02
154465Bad cast in webkit_glue::GetSubResourceLinkFromElement-2016-10-02
154460Heap-use-after-free in WebCore::ScrollableArea::scroll-2016-10-02
154448Heap-use-after-free in TransportDIB::DecreaseInFlightCounter-2016-10-02
154362Heap-buffer-overflow in WebCore::HTMLSelectElement::typeAheadFind-2016-10-02
154590Stack-buffer-overflow in SkFontHost::GetAdvancedTypefaceMetrics-2016-10-02
154485Heap-buffer-overflow in std::vector<scoped_refptr<printing::PrintJob>, std::allocator<scoped_refptr<printing::PrintJob> > >:-2016-10-02
154158Security: ensure that a user has willing-fully logged-in to his Google account before triggering the one click Chrome login feature-2016-10-02
154055Heap-use-after-free in WebCore::RenderLayerBacking::paintIntoLayer$1,0002016-10-02
153793Heap-use-after-free in WebCore::EventHandler::mouseMoved-2016-10-02
153666Security: Bypass for consumable user gesture on pop-up-2016-10-02
153592Heap-use-after-free in WebCore::RenderObject::isDescendantOf-2016-10-02
154284Heap-use-after-free in WebCore::SVGTextRunRenderingContext::glyphDataForCharacter-2016-10-02
154283Heap-buffer-overflow in _HB_GDEF_Check_Property-2016-10-02
153469Security: Nvidia - Kernel Panic - [@ gpu::gles2::GLES2DecoderImpl::ResizeOffscreenFrameBuffer]-2016-10-02
153239Heap-use-after-free in WebCore::GCEpilogueVisitor<void, WebCore::SpecialCaseEpilogueObjectHandler, &WebCore::DOMDataStore::-2016-10-02
153228Heap-use-after-free in WebCore::SVGImage::drawSVGToImageBuffer-2016-10-02
153211Heap-use-after-free in webrtc::ThreadPosix::Run-2016-10-02
153566Heap-use-after-free in WebCore::FontCache::purgeInactiveFontData-2016-10-02
153128Buffer overrun in Harfbuff-2016-10-02
153184Heap-use-after-free in WebCore::computeNonFastScrollableRegion-2016-10-02
153048Invalid pointer read in std::basic_string-2016-10-02
152916Security: browser process jump to bad address on osx with getUserMedia() and crazyness-2016-10-02
152707Invalid pointer write in GrGpu::clear$1,0002016-10-02
152921Browser crash, navigator.geolocation.watchPosition issue-2016-10-02
85102Use after free in WebCore::ContainerNode::parserAddChild$5002016-10-02
85041Memory Corruption in video decoding-2016-10-02
84946Merge http://trac.webkit.org/changeset/87959 and http://trac.webkit.org/changeset/87756 for documentloader use after frees-2016-10-02
85003Parsing issue with -webkit-calc$1,0002016-10-02
84950Merge http://trac.webkit.org/changeset/87856-2016-10-02
84885ASSERT obj->parentObject() == this in accessibility tree-2016-10-02
84919Memory corruption in browser process with interstitial that goes back-2016-10-02
84805Flash/GPU memory corruption in critical section.$5002016-10-02
84797Click Reload this page button after Conway's Game of Life starts causes Aw Snap error-2016-10-02
84763POssible mac use after free in drag & drop code-2016-10-02
84933Browser crash with IndexedDB and very long database names-2016-10-02
84819Bad cast in cloning elements with shadow DOM-2016-10-02
84597use-after-free in WebCore::LevelDBTransaction::commit-2016-10-02
84584Invalid memory access caused by ThumbnailGenerator-2016-10-02
84452Bad cast in HTMLMediaElement::mediaControls$1,0002016-10-02
84418Shockwave crashed-2016-10-02
84402Extensions permission elevevation using javascript: in homepage_url-2016-10-02
84355use-after-free in svg fontfacelement$1,0002016-10-02
84600Security: Web page can initiate speech recognition without user knowing about it-2016-10-02
84234[LangFuzz] Crash @ MarkCompactCollector::SweepSpaces() or SeqTwoByteString::SeqTwoByteStringReadBlockIntoBuffer() (64 bit)$1,0002016-10-02
84160Use after free in accessibility notifications.-2016-10-02
84016Use after free in BrowserAccessibility::DetachTree-2016-10-02
84002OOB read in ComplexTextController constructor (ComplexTextControllerLinux.cpp) + OOB read in WidthIterator-2016-10-02
83917OOB Write in Skia Shader Blitter-2016-10-02
83903Vai-2016-10-02
83848Use after free in LayerChromium::~LayerChromium-2016-10-02
83841User information leakage esp local paths, username in webgl getProgramInfoLog-2016-10-02
84333use after free in WebCore::ContainerNode::firstChild / WebCore::XMLDocumentParser::insertErrorMessageBlock-2016-10-02
83672Stale layout root set as input element when child of a keygen with autofocus-2016-10-02
83598OOB read in WebCore::parseColorIntOrPercentage-2016-10-02
83275UXSS with window.execScript$3,1332016-10-02
83273Browser prompt when installing unpacked npapi extensions-2016-10-02
83270oob read in WebCore::ImageBufferData::getData-2016-10-02
83743Universal XSS using contentWindow.eval$1,0002016-10-02
83235Bad cast in RenderBlock::createLineBoxes due to double attach in htmlformelement-2016-10-02
83012Use after free in XMLDocumentParser-2016-10-02
83010An extension can access and modify all chrome:// pages, options, etc.$1,0002016-10-02
82903OOB write in BlobURLRequestJob::HeadersCompleted-2016-10-02
82873Memory corruption in GPU command buffer-2016-10-02
83031Chrome spoof on 302 redirect-2016-10-02
82841Browser crash @ closing chrome://settings/syncSetup-2016-10-02
82817buffer overflow marshalling data from sandbox-2016-10-02
82653Use after free due to incorrectly setting document.body to non body elements, elements from other docs.-2016-10-02
82633Bad cast in CSSParser::createFontFaceRule-2016-10-02
82597document.execCommand('copy') return always false-2016-10-02
82552REGRESSION (83075): Use after free in line box culling optimization-2016-10-02
82546Stale pointer in WebCore::RenderBlock::marginBeforeForChild$1,0002016-10-02
82516write-after-free in third_party/WebKit/Source/WebCore/svg/animation/SVGSMILElement.h:58-2016-10-02
82438OOB read in media::FFmpegVideoDecodeEngine::Initialize-2016-10-02
82416IndexedDB crash on index.getKey-2016-10-02
82309CRASH @ DownloadItem::UpdateObservers()-2016-10-02
82184Renderer crash @ GrTHashTable<GrGpuGLShaders::ProgramCache::Entry,GrBinHashKey<GrGpuGLShaders::ProgramCache::Entry,32>,8>::remove(GrBinHashKey<GrGpuGLShaders::ProgramCache::Entry,32> const &,GrGpuGLShaders::ProgramCache::Entry const *)-2016-10-02
82161Google Chrome (Pwned)-2016-10-02
82154out-of-bound access in third_party/WebKit/Source/WebKit/chromium/src/WebFrameImpl.cpp-2016-10-02
82152Need to merge WebKit 64-bit issue http://trac.webkit.org/changeset/86106-2016-10-02
82096Merge http://trac.webkit.org/changeset/85693-2016-10-02
82444Local file disclosure when pasting stuff from Excel, etc.-2016-10-02
82018TEST TEST IGNORE-2016-10-02
81949use-after-free in imageloader with fallbackcontent$1,0002016-10-02
82083Google Chrome Pwned by VUPEN aka Sandbox/ASLR/DEP Bypass-2016-10-02
161077Invalid pointer write in GrRenderTarget::onRelease$1,0002016-10-02
161089Indexeddb createIndex() crashes the page-2016-10-02
161015Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement-2016-10-02
161239Heap-use-after-free in WebCore::IDBTransactionBackendImpl::taskTimerFired-2016-10-02
160926Security:Check for integer wrap in PPB_ImageData_Impl::Init() is insufficient-2016-10-02
160480Security: Integer overflow in opus_packet_parse_impl-2016-10-02
160450Heap-buffer-overflow in WebCore::InlineFlowBox::placeBoxRangeInInlineDirection-2016-10-02
160380Heap-use-after-free in WebKit::ChromePrintContext::spoolPage-2016-10-02
160760Security: NaCl sandbox escape; missing register check across a superinstruction-2016-10-02
160803Security: ugly crash with history.replaceState() while the window displays HTTPS interstitial-2016-10-02
160456Security: Restrict chromoting viewer plugin to chromoting extension-2016-10-02
160010[LangFuzz] Crash at v8::internal::BasicJsonStringifier::SerializeString$1,0002016-10-02
159829Heap-buffer-overflow in WebCore::HTMLInputElement::isImageButton-2016-10-02
159828Heap-use-after-free in WebCore::RenderLayer::hitTest-2016-10-02
159553Security: Integer overflow in remoting viewer AudioDecoderSpeex::Decode-2016-10-02
159429Security: Use after free on ~AssociatedURLLoader with pdf plugin$1,0002016-10-02
159338Heap-use-after-free in WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget$1,0002016-10-02
160068Merge http://trac.webkit.org/changeset/133840-2016-10-02
160038Security: Unquoted Path vulnerability in GoogleCrashHandler-2016-10-02
159165Heap-use-after-free in webkit::ppapi::PluginInstance::PrintBegin-2016-10-02
159229Security: Integer overflow in remoting viewer AudioDecoderOpus::Decode-2016-10-02
158992Heap-use-after-free in WebCore::RenderTextTrackCue::layout-2016-10-02
158898Heap-use-after-free in WebCore::RenderBlock::removeChild-2016-10-02
158897Heap-buffer-overflow in WebCore::RenderBlock::clone-2016-10-02
159219Heap-use-after-free in WebCore::EventHandler::handleMousePressEvent-2016-10-02
159098Heap-buffer-overflow in WebCore::TextTrackCueList::add-2016-10-02
158693Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingLayer-2016-10-02
158695Heap-use-after-free in WebCore::WidgetHierarchyUpdatesSuspensionScope::moveWidgets-2016-10-02
158533Heap-use-after-free in WebCore::RenderLayer::paintLayerContents [MathML]-2016-10-02
158457Heap-use-after-free in non-virtual thunk to content::RenderViewImpl::createPopupMenu-2016-10-02
158249Security: Heap-buffer-underflow in xmlParseAttValueComplex-2016-10-02
158204Heap-use-after-free in WebCore::Frame::dispatchVisibilityStateChangeEvent$1,5002016-10-02
158199Heap-use-after-free in WebCore::StyleCachedImageSet::cssValue-2016-10-02
158707Heap-use-after-free in WebCore::RenderObject::isBody-2016-10-02
158547Heap-use-after-free in WebCore::HTMLInputElement::setValue for type=range, type=date, and type=time with datalist-2016-10-02
158060Heap-use-after-free in WebCore::CachedResource::checkNotify-2016-10-02
157951Heap-use-after-free in non-virtual thunk to WebKit::DateTimeChooserImpl::setValueAndClosePopup-2016-10-02
157875Heap-use-after-free in WebCore::OpenTypeVerticalData::substituteWithVerticalGlyphs-2016-10-02
157845Heap-use-after-free in skia::BGRAConvolve2D$5002016-10-02
157779Heap-use-after-free in WebKit::WebMediaStreamDescriptor::label-2016-10-02
157778Heap-use-after-free in WebCore::CSSStyleRule::style-2016-10-02
157585Heap-use-after-free in WebCore::BaseMultipleFieldsDateAndTimeInputType::~BaseMultipleFieldsDateAndTimeInputType-2016-10-02
158065Stack-buffer-overflow in WebCore::SVGMaskElement::~SVGMaskElement-2016-10-02
157463Heap-use-after-free in content::LocalVideoCapture::Stop-2016-10-02
157516Security: XSS auditor can sometimes be used to maliciously alter form action property.-2016-10-02
157363Heap-buffer-overflow in void std::__final_insertion_sort<WebCore::SMILTimeWithOrigin*>-2016-10-02
157289Invalid cast in WebCore::toInsertionPoint / WebCore::ContentDistributor::distribute-2016-10-02
157462Heap-use-after-free in webrtc::MediaStreamSignaling::UpdateRemoteStreams-2016-10-02
157079Security: Integer overflow in libwebp "ParseOptionalChunks" allows memory disclosure$3,5002016-10-02
157071Heap-use-after-free in non-virtual thunk to WebKit::DateTimeChooserImpl::setValueAndClosePopup-2016-10-02
157019UNKNOWN in v8::internal::Invoke-2016-10-02
157124UNKNOWN in v8::internal::ObjectHashTable::Put-2016-10-02
157053Heap-use-after-free in WebCore::Element::attributeChanged-2016-10-02
156977Heap-use-after-free in WebCore::RenderText::removeAndDestroyTextBoxes-2016-10-02
156980Security: workers can initialize the sandbox multithreaded-2016-10-02
157009Heap-use-after-free in WebCore::SubresourceLoader::willSendRequest-2016-10-02
81947Use after free in WebCore::requiresLineBox-2016-10-02
81753Valgrind reports issues in icu_46::RegexMatcher-2016-10-02
81916Stale observer in BrowsingDataRemover's observer_list_$5002016-10-02
81351CSSSelector double frees-2016-10-02
81348Use after free when removing elements with reflections-2016-10-02
81307Security: dropping file:/// URLs into gmail grants access to files-2016-10-02
81803out-of-bounds use in SkBitmapOperations::CreateMaskedBitmap-2016-10-02
81681Memory corruption in GraphicsContext::fillPath-2016-10-02
80680Security: .keystone_install_lock is insecurely handled in install.py-2016-10-02
80608Multiple integer overflows in SVG filter effects-2016-10-02
80401Url bar spoof using onbeforeunload when user cancels navigation-2016-10-02
80358WebCore::InspectorBackendDispatcher::Runtime_evaluate user after free-2016-10-02
81234Flash content vulnerability-2016-10-02
80255use after free in WebCore::RenderSVGInlineText::characterStartsNewTextChunk-2016-10-02
80222Herror of chrome-2016-10-02
80287Regression(81992): Stale node set as layout root-2016-10-02
80116Stale pointer in WebCore::Document::recalcStyleSelector-2016-10-02
79746Floats not cleared due to overflow (remaining usecase)$1,0002016-10-02
79726BrowserAccessibility browser process memory corruption-2016-10-02
79668invalid read w/new skia update-2016-10-02
79661Sandbox is broken (low integrity level)-2016-10-02
79595Bad cast due to childrenInline assumption in RenderSVGText-2016-10-02
79566Bypass extensions permission$5002016-10-02
79862Bypass extensions permission app launch web_url should not allow javascript: chrome:-2016-10-02
79452H-2016-10-02
79426HTTP Basic Auth Realm Spoof-2016-10-02
79371Use after free in ImplicitAnimation::~ImplicitAnimation-2016-10-02
79362Reproducible PDF crash (siryo3.pdf)-2016-10-02
79266Bypass unsafe file types dialog-2016-10-02
79075Stale node set as layout root, due to one caption not laid out in table with two captions-2016-10-02
79055Freed m_viewportRenderer in FrameView::updateOverflowStatus-2016-10-02
79025Use after free when inline runin precedes details tag-2016-10-02
78948Integer underflow in HTMLFormElement::m_associatedElementsAfterIndex-2016-10-02
78861Memory corruption in RenderViewHost related to observers code-2016-10-02
78842proslor.co.be-2016-10-02
78841invalid access with bad html$1,0002016-10-02
78798Security: XSS in dev tools HTML inspector-2016-10-02
78639Memory corruption leading to OOB read symptom in PDF initialization$1,0002016-10-02
78576compareDocumentPosition memory corruption-2016-10-02
78575Bad cast in reverseInlineBoxRangeAndValueListsIfNeeded-2016-10-02
78572CounterNode memory corruption-2016-10-02
78558chrome bug-2016-10-02
78524ANGLE buffer overflow$1,0002016-10-02
78516Looks like a stale frame in UserScriptSlave::InjectScripts-2016-10-02
78427url spoof through bookmark bar click-2016-10-02
78401Stale node being set as layout root-2016-10-02
78327Integer overflow in FilterEffect::copyImageBytes-2016-10-02
78296False warning of Google Chrome / Fake Antimalware Tool-2016-10-02
78270[LangFuzz] V8: Crash in HeapObject::map_word on GC$1,0002016-10-02
78559chrome bug-2016-10-02
78106ZDI-CAN-1108: WebKit ContentEditable Inline Style Remote Code Execution-2016-10-02
78071css parsing issue in calc$1,0002016-10-02
78038ThreadSanitizer reports a potential use after free in net::X509Certificate::Verify-2016-10-02
78031Url bar spoof$1,0002016-10-02
78145Invalid write in SVGTextLayoutEngine-2016-10-02
78053Stale m_fontList in svgFontAndFontFaceElementForFontData-2016-10-02
165747IPC: renderer out-of-bounds crash creating 3D context from malformed PPAPI message-2016-10-02
165836Information leak when sending messages cross process that use WriteData() on structures/objects which contain padding bytes.-2016-10-02
165549Security: Sandbox isolation not working-2016-10-02
165602Heap-use-after-free in WebCore::CSSStyleRule::style-2016-10-02
165804Security: SnapshotProvider exposed to other applications on the device-2016-10-02
165601Heap-use-after-free in matroska_parse_block-2016-10-02
165456Heap-use-after-free in WebCore::Element::hasPendingResources-2016-10-02
165430Heap-buffer-overflow in media::AudioRendererAlgorithm::OutputFasterPlayback-2016-10-02
165102Security: devtool xss-2016-10-02
165091Bypassing Chrome's XSS filter, XSSAuditor-2016-10-02
165537PDF: off-by-one read when scanning for startxref-2016-10-02
165538PDF: integer overflows in JS array handling-2016-10-02
165432Use after free in SVG path$5002016-10-02
164958IPC: PPAPI messages have problems with use of signed integers for lengths-2016-10-02
165015Heap-use-after-free in WebCore::Element::normalizeAttributes$1,0002016-10-02
164701PDF: regressions due to merge losing previous security fixes-2016-10-02
164697PDF: regressions in JBIG2 codec-2016-10-02
164682Input validation error in BrowserPluginEmbedderHelper::OnHandleInputEvent() leads to bad cast-2016-10-02
164643Security: ASan reports a use-after-free while using SecureShell-2016-10-02
165009Heap-use-after-free in WebCore::SVGSMILElement::disconnectConditions-2016-10-02
164946IPC: GPU messages have integer truncation (bad use of size_t) and integer sign extension (bad use of signed type) issues-2016-10-02
164582Heap-buffer-overflow in SkRectClipBlitter::blitAntiH-2016-10-02
164581Heap-use-after-free in WebCore::TextTrackCue::isActive-2016-10-02
164565Security: V8 bug may give out-of-bounds access to the stack-2016-10-02
164490IPC: integer overflow in Windows' SharedMemory::Create-2016-10-02
164454switch off mathml for m24-2016-10-02
164263Heap-use-after-free in WebCore::FrameSelection::directionOfSelection-2016-10-02
164584Translate should load resources over HTTPS even if the original page is loaded via HTTP.-2016-10-02
163593Heap-use-after-free in WebCore::RenderBlock::finishDelayUpdateScrollInfo [MathML]-2016-10-02
163588IPC::Channel::ChannelImpl::ProcessOutgoingMessages - crash-2016-10-02
163291Heap-buffer-overflow in WebCore::RenderGrid::layoutGridItems-2016-10-02
163238Security: XSS in bug tracker? <script>alert(0)</script> again?-2016-10-02
163218Heap-use-after-free in webkit_glue::WebURLLoaderImpl::Context::OnReceivedResponse-2016-10-02
163994Heap-use-after-free in WebCore::CachedResource::checkNotify-2016-10-02
163203IndexedDB: Assert hit in IDBObjectStoreBackendImpl::setIndexesReady-2016-10-02
162896Out of bounds read in WTF::String::String / WebCore::WebVTTParser::constructTreeFromToken-2016-10-02
163208Security: Workers don't initialize a sandbox on Mac-2016-10-02
162835Heap-use-after-free in WebCore::MediaPlayer::sourceSetTimestampOffset [exploitable]$7,3312016-10-02
162778PDF: use-after-frees in field name tree again-2016-10-02
162776PDF: out-of-bounds reads with crazy bits per component / num components values-2016-10-02
163110Heap-use-after-free in WebCore::ApplyStyleCommand::pushDownInlineStyleAroundNode-2016-10-02
162620Heap-use-after-free in WebCore::RenderSVGResourcePattern::applyResource-2016-10-02
162551Access violation write in _VEC_memcpy$1,0002016-10-02
162489Security: Small info leak in the SUID sandbox helper?-2016-10-02
162156PDF: more out-of-bounds reads with mismatched colorspaces-2016-10-02
162622Heap-use-after-free in WebCore::RenderBlock::willBeDestroyed-2016-10-02
162494Heap-use-after-free in WebCore::PopStateEvent::~PopStateEvent$1,0002016-10-02
162114Security: Renderer sandbox bypass by crafting LevelDB database in "profile/File System/"-2016-10-02
162115Heap-buffer-overflow in SkA8_Blitter::blitH-2016-10-02
162032Heap-use-after-free in udat_close_46-2016-10-02
161836Security: Possible directory traversal vulnerability in ExtensionResource::GetFilePath().-2016-10-02
161690Heap-use-after-free in WebCore::RenderSVGResourceContainer::markClientForInvalidation-2016-10-02
161662Heap-use-after-free in media::BlockingUrlProtocol::SignalReadCompleted-2016-10-02
162153PDF: bad cast if root page is not a dictionary object-2016-10-02
162066LOGFONT IPC deserializer doesn't require NULL terminated lfFaceName-2016-10-02
161564Security: Renderer sandbox bypass on ChildProcessSecurityPolicyImpl::SecurityState::HasPermissionsForFile()-2016-10-02
161484UNKNOWN in WebCore::RenderObject::propagateStyleToAnonymousChildren-2016-10-02
161478Heap-buffer-overflow in WebCore::Biquad::process-2016-10-02
161458Heap-buffer-overflow in apply_kernel_interp-2016-10-02
161420Heap-buffer-overflow in WTF::StringImpl::create-2016-10-02
161639Security: ffmpeg oob write4 (222)$2,0002016-10-02
161340Security: GPU sandbox is always disabled because of watchdog thread on Linux-2016-10-02
161240Heap-use-after-free in WebCore::AccessibilityRenderObject::remoteSVGRootElement-2016-10-02
77633write-after-free in v8::internal::RegExpMacroAssemblerX64::~RegExpMacroAssemblerX64-2016-10-02
77917Looks like a bad cast in RenderInputSpeech::paintInputFieldSpeechButton-2016-10-02
77786URL Bar Spoofing using redirection and location.reload();$5002016-10-02
7776512 bad cast in editing code relating to htmlelement conversions, isprimitivevalue problems.-2016-10-02
77703Use-after-free in WebCore::isDeletableElement-2016-10-02
77700Captured an attack used against Chrome on many google image links, uses chromes own error template against itself-2016-10-02
77690Use after free in WebCore::ContainerNode::insertedIntoDocument / WebCore::SVGElement::insertedIntoDocument-2016-10-02
77940ZDI-CAN-1021: Apple Safari Webkit SVG Marker Remote Code Execution Vulnerability-2016-10-02
77812Security: Chrome Security Pop-up-2016-10-02
77669Bad cast in WebCore::BreakBlockquoteCommand::doApply-2016-10-02
77507URL Bar Spoof$1,0002016-10-02
77493OOB read with Flash$1,0002016-10-02
77349When object destroyed, its select file dialog is not informed to cleared its listener which can call back that destroyed object-2016-10-02
77346Use After Free in Websockets - possible remote code execution within sandbox$1,0002016-10-02
77181OOB function pointer array call FEComponentTransfer::apply-2016-10-02
77130stale entries in gPercentHeightDescendantsMap$1,0002016-10-02
77053Bad cast in HTMLTreeBuilder with closed </form> tags-2016-10-02
77038repair-2016-10-02
77026Bypass extension manifest permission$1,3372016-10-02
76966RIP goes to zero with select tag, and form validation message with position:relative$1,0002016-10-02
76955Renderer crash when visiting http://runescape.wikia.com/wiki/Special:Search-2016-10-02
76784Bad cast to RenderBlock in accessibility assuming that anonymous blocks are renderblocks.-2016-10-02
76771use after free in WebCore::ScriptWrappable::wrapper-2016-10-02
76666URL bar spoof$1,0002016-10-02
76646OOB read in FEDisplacementMap::apply-2016-10-02
76589Crash@ anonymous namespace'::PureCall() when navigate to previous page while speech input API fetching result text-2016-10-02
76542Linux setuid sandbox allows local privilege escalation$5002016-10-02
76474crash in WebKit::WebPluginContainerImpl::handleEvent()-2016-10-02
76202DownloadThrottlingResourceHandler::OnResponseCompleted NOTREACHED()-2016-10-02
76198Bad cast in HTMLTreeBuilder::processStartTag-2016-10-02
76528use after free in AnimationBase::next / AnimationControllerPrivate::styleAvailable-2016-10-02
76194bad cast in WebCore::toRenderBoxModelObject / WebCore::RenderMathMLRoot::layout-2016-10-02
76059 | WebCore::LayerTilerChromium::invalidateRect() - crash | $1,000 | 2016-10-02
76031 | Crash when visiting http://kikafriends.forumcommunity.net/ | - | 2016-10-02
76029 | Crash in webcore::rendertable::cellafter when visiting http://broadband.biglobe.ne.jp/ | - | 2016-10-02
76027 | securiti | - | 2016-10-02
76018 | Crash in network stack when running http/tests/loading/redirect-methods.html | - | 2016-10-02
76195 | potential bad cast in WebCore::toRenderCombineText/WebCore::RenderBlock::computeInlinePreferredLogicalWidths | - | 2016-10-02
76034 | Security:Instant hard-crash with JS code | - | 2016-10-02
75821 | Should we reconsider the no-client-UI decision for the web store? | - | 2016-10-02
75712 | Integer overflow in style elements | $1,337 | 2016-10-02
76001 | Stale pointer in WebCore::LayerRendererChromium::drawLayer | $1,000 | 2016-10-02
75835 | use of freed pointer in WebCore::RenderCounter::originalText() | - | 2016-10-02
75696 | Security: pushState() should be available only for origin-bearing schemes | - | 2016-10-02
75496 | chrome.dll!BrowserAccessibility..InternalReleaseReference ExecAV@NULL (cc7203fb809bd98728cf74b908e66edf) | - | 2016-10-02
75629 | Use after free in gpu::gles2::ShaderTranslator | - | 2016-10-02
75643 | CSS visited history disclosure | - | 2016-10-02
75436 | Detach Geolocation from Frame when Page destroyed. | - | 2016-10-02
75560 | Security: address bar updates not synchronized with document transitions | - | 2016-10-02
75186 | (WebCore::RenderObjectChildList::destroyLeftoverChildren) Use-after-free with nesting ruby tag and css propierties | $1,000 | 2016-10-02
75210 | Harfbuzz segfault in GPOS_Do_Glyph_Lookup | - | 2016-10-02
75021 | Use-after-free in InfoBar since ~r76800 | - | 2016-10-02
75311 | Bad cast in HTMLTreeBuilder::processStartTag | - | 2016-10-02
75347 | Bad cast to RenderBlock with floating select element with required attribute | $500 | 2016-10-02
75155 | Integer overflow in WebCore::GraphicsContext::fillRect (Mac) | - | 2016-10-02
75070 | Security: do not ignore type= on <object> | - | 2016-10-02
75374 | REGRESSION (r80320): Bad cast assertion failure when processing mis-nested foreign content. | - | 2016-10-02
74678 | v8 fuzzing - 1175 - use after free | $1,000 | 2016-10-02
74763 | Security: Domui process can be ptraced from a compromised renderer leading to sandbox escape | - | 2016-10-02
74887 | memcpy from TexSubImage2D causes memory corruption | - | 2016-10-02
74891 | chrome://appcache-internals/ xss | - | 2016-10-02
74720 | Read uninitialized value from JavaScript. | - | 2016-10-02
74677 | v8 fuzzing - 1160 - bad cast of object to string in array join | - | 2016-10-02
169685 | Missing validation of webkit_base::DataElement across IPC | - | 2016-10-02
169672 | Heap-buffer-overflow in WTF::AtomicString::add | - | 2016-10-02
169632 | Security: extensions can silently gain file: host permissions via permissions API | - | 2016-10-02
74675 | v8 fuzzing - 1146 - invalid memory access | $1,000 | 2016-10-02
74673 | v8 fuzzing - 1166 - exploitable write | $1,000 | 2016-10-02
74672 | v8 fuzzing - 1138 - use after free | $1,000 | 2016-10-02
74671 | v8 fuzzing - 1136 - corrupt JIT code | $1,000 | 2016-10-02
169247 | Attempting free in content::PeerConnectionTracker::UnregisterPeerConnection | - | 2016-10-02
169156 | Security: Use after free in FlingAnimatorImplAndroid - writing value to this after this is deleted | - | 2016-10-02
169054 | Security: memory corruption with webgl on linux intel driver | $3,133 | 2016-10-02
169295 | IPC: bad pointer used in browser if renderer sends mismatched vector lengths | - | 2016-10-02
169398 | Heap-use-after-free in WebCore::RenderBlock::willBeDestroyed | - | 2016-10-02
169401 | Security: JavaScript injection into arbitrary web pages via Intent with JavaScript URI | $500 | 2016-10-02
168968 | Heap-use-after-free in DownloadRequestInfoBarDelegate::~DownloadRequestInfoBarDelegate | - | 2016-10-02
169006 | Heap-use-after-free in WebCore::accumulateDocumentEventTargetRects | - | 2016-10-02
168768 | Heap-use-after-free in WebKit::WebMediaPlayerClientImpl::AudioSourceProviderImpl::setClient | $1,000 | 2016-10-02
168710 | IPC: avoid operator-new based integer overflow in Flash menu deserialization | - | 2016-10-02
168982 | Heap-use-after-free in WebCore::SVGAnimateMotionElement::updateAnimationPath | - | 2016-10-02
168969 | Heap-use-after-free in WebCore::Element::hasPendingResources | - | 2016-10-02
168780 | Heap-use-after-free in WebCore::RenderObject::willBeRemovedFromTree | - | 2016-10-02
168473 | Heap-buffer-overflow in vorbis_floor0_decode | - | 2016-10-02
168570 | Crashing in webkit_media::WebMediaPlayerMS::putCurrentFrame(WebKit::WebVideoFrame *) | - | 2016-10-02
168489 | Heap-use-after-free in WebCore::AccessibilityNodeObject::document | - | 2016-10-02
168442 | Security: Non-privileged extensions can monitor browsing activity via chrome.tabs.onUpdated events | - | 2016-10-02
167840 | Linux sandbox bypass in file_util_posix.cc CopyDirectory() | - | 2016-10-02
167788 | Security: heap-buffer-overflow on GetImageRepToPaint. | - | 2016-10-02
167780 | Heap-use-after-free in bool WebCore::SelectorChecker::checkOneSelector<WebCore::DOMSiblingTraversalStrategy> | - | 2016-10-02
167868 | Heap-use-after-free in WebCore::Document::updateHoverActiveState | - | 2016-10-02
168050 | Attacker controlled size mismatch in WidgetDidReceivePaintAtSizeAck() | - | 2016-10-02
167827 | Heap-use-after-free in WebCore::Element::cloneElementWithoutChildren | - | 2016-10-02
167924 | Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingLayer | - | 2016-10-02
167498 | Heap-use-after-free in WebCore::CSSStyleRule::style | - | 2016-10-02
167443 | Heap-buffer-overflow in WebCore::FontCache::releaseFontData | - | 2016-10-02
167412 | IPC: GPU message OnMsgAssignPictureBuffers incorrectly assumed same-sized vectors | - | 2016-10-02
167728 | Heap-use-after-free in WebCore::SVGTransformListV8Internal::numberOfItemsAttrGetter | - | 2016-10-02
167607 | Security: Failure to enforce key usage | - | 2016-10-02
167572 | Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement | - | 2016-10-02
167147 | Heap-use-after-free in WebCore::Document::implicitClose | - | 2016-10-02
167122 | HyphenatorHostMsg_OpenDictionary IPC allows arbitrary file reads from a compromised renderer | - | 2016-10-02
167110 | Heap-buffer-overflow in WebCore::HTMLTreeBuilder::resetInsertionModeAppropriately | - | 2016-10-02
167069 | Heap-buffer-overflow in matroska_parse_block | $500 | 2016-10-02
166916 | Security: mixed content XHR doesn't trigger mixed content warnings | - | 2016-10-02
166867 | Security: ReferencesParent bypass with a 0x00 byte | - | 2016-10-02
166795 | Harden audio stream creation in the browser | - | 2016-10-02
167180 | Security: NaCl ARM validator sandbox escape, Chrome M25 | - | 2016-10-02
167311 | Heap-use-after-free in WebCore::GenericEventQueue::enqueueEvent | - | 2016-10-02
167218 | Arbitrary server response with Content-Encoding including sdch can cause crashes if sdch is not configured | - | 2016-10-02
166621 | Heap-use-after-free in WebCore::accumulateDocumentEventTargetRects | - | 2016-10-02
166565 | Heap-buffer-overflow in media::AudioBus::FromInterleavedPartial | - | 2016-10-02
166554 | [LangFuzz] Crash at v8::internal::Deoptimizer::DoComputeOutputFrames with invalid read | $1,000 | 2016-10-02
166553 | [LangFuzz] Crash at v8::internal::HeapObject::SizeFromMap with invalid read | $1,000 | 2016-10-02
166523 | [Mac] apprtc crashes when output sampling rate set to 96000 Hz | - | 2016-10-02
166513 | Heap-use-after-free in WebCore::StyledElement::ensureMutableInlineStyle | - | 2016-10-02
166503 | audio getUserMedia call crashes tab when input sampled at 88200 Hz | - | 2016-10-02
166708 | BrowserPluginGuest blindly trusts the size of shared memory regions leading to overflow | - | 2016-10-02
166627 | Heap-use-after-free in WebCore::Prerender::didStartPrerender | - | 2016-10-02
166324 | Heap-use-after-free in WebCore::RenderBlock::insertIntoTrackedRendererMaps | - | 2016-10-02
166336 | Heap-use-after-free in WebCore::RenderBlock::determineStartPosition | - | 2016-10-02
166271 | PDF: use-after-free in colorspace cache | - | 2016-10-02
166257 | Security: ChromeBrowserSyncAdapterService is exported, but does not need to be? | - | 2016-10-02
165928 | Heap-use-after-free in WebCore::SVGSMILElement::isSMILElement | - | 2016-10-02
166493 | IPC: missing integer checks on Pepper UDP socket handling | - | 2016-10-02
166306 | WebCore::SMILTimeContainer::updateAnimations - crash | - | 2016-10-02
165926 | Heap-use-after-free in WTF::Vector<WTF::RefPtr<WebCore::Node>, 0ul>::shrinkCapacity | - | 2016-10-02
165864 | Heap-use-after-free in WebCore::ChildNodeInsertionNotifier::notifyDescendantInsertedIntoDocument | $1,000 | 2016-10-02
74665 | v8 fuzzing - 1109 (out of bounds write) | $1,000 | 2016-10-02
74662 | v8 fuzzing - 1108 potential use-after-free in RegExp code | $1,000 | 2016-10-02
74660 | v8 fuzzing - 1174 - out-of-bounds write in reloc info | $1,000 | 2016-10-02
74653 | bypass SOP with blob: | $1,000 | 2016-10-02
74669 | v8 fuzzing - 1113 - stack corruption | $1,000 | 2016-10-02
74670 | v8 fuzzing 1128 - out of bounds write | $500 | 2016-10-02
74666 | v8 fuzzing 1122 - stack corruption | $1,000 | 2016-10-02
74372 | chrome://blob-internals/ xss | - | 2016-10-02
73962 | use after free due to floats not cleared (overflow) | $1,000 | 2016-10-02
74585 | Crash in CookieMonster DeleteAnyEquivalentCookie. | - | 2016-10-02
74650 | Placeholder bug for v8 security issues affecting Chrome 9 | - | 2016-10-02
74649 | OOB read in SearchBuffer::append | - | 2016-10-02
74348 | Regression: Stale node set as layout root (issue in Canvas parent layout) | - | 2016-10-02
73887 | GMail renderer crash @ MessageLoop::PostTask_Helper(tracked_objects::Location const &,Task *,__int64,bool) | - | 2016-10-02
73716 | Leak of address of heap object via xslt generate-id() function | - | 2016-10-02
73932 | Bad cast to text node in CompositeEditCommand::breakOutOfEmptyMailBlockquotedParagraph | - | 2016-10-02
73899 | Regression: Crash in RenderCombineText::combineText when running fast/text/international/text-combine-parser-test.html on Windows with full page heap enabled | - | 2016-10-02
73893 | Chrome:+Crash+Report+-+Stack+Signature:+`anonymous+namespace'::PureCall()-0ba6cf43_1414c783_9939c740_d9e6ed78_7be33815 | - | 2016-10-02
73235 | Stale pointer in WebCore::RenderBlock::lowestPosition | $1,000 | 2016-10-02
73216 | Use after free of frame loader in DocumentLoader::commitLoad | $1,000 | 2016-10-02
73526 | Floats not cleared to logical height wraps. | $1,000 | 2016-10-02
73478 | Pages can continuously poll the OS clipboard for paste data | - | 2016-10-02
73338 | Regression: stack buffer overflow in utf8 converter | - | 2016-10-02
73001 | Use-after-free in ObserverListBase / TabContents | - | 2016-10-02
73026 | dereference poisoned value in avcodec_52!ff_thread_decode_frame | - | 2016-10-02
72910 | Browser crash/segfault when selecting very long option in select | - | 2016-10-02
72908 | Freed timer heap element used | - | 2016-10-02
72832 | Reliability issues with WebCore::RenderBlock due to use after free in floats | - | 2016-10-02
73134 | Crash due to bad cast to rendertextfragment in updatefirstletter. | $1,000 | 2016-10-02
73163 | Heap corruption in safe_browsing detected on the Valgrind bot (might be fixed by SQLITE ROLL ??) | - | 2016-10-02
72936 | Freed scrollbar in ScrollView::updateScrollbars | - | 2016-10-02
72492 | Cross application unsafe redirect | $1,000 | 2016-10-02
72437 | Crash in ContainerNodeAlgorithms.h with outdated ice-tea plugin | $1,000 | 2016-10-02
72434 | stale pointer, invalid read, svg | - | 2016-10-02
72523 | chrome.tabs.captureVisibleTab allows capturing images of any "file://" resource | - | 2016-10-02
72517 | Dev. console null character crash @ history::URLDatabase::GetMostRecentKeywordSearchTerms | $500 | 2016-10-02
72399 | Valgrind reports on JPEG decoding since r74103 | - | 2016-10-02
72340 | use after free in WebCore::RenderCounter::destroyCounterNode | $1,000 | 2016-10-02
72189 | Bypass popup blocker using custom event and onMouseOver | - | 2016-10-02
72135 | IDBTransaction and IDBRequest can be deleted while ScriptExecutionContext is iterating | - | 2016-10-02
72134 | Potential buffer overrun in SVGTextRunWalker::walk() | - | 2016-10-02
72028 | Stale continuation flow pointer for ContinuationOutlineTableMap | $1,000 | 2016-10-02
71960 | OOB Read in WebGL due to integer overflows | - | 2016-10-02
72387 | Out of bounds read in WebCore::LayerTilerChromium::invalidateRect (dev only) | $1,000 | 2016-10-02
72217 | HTMLFormElement::formElementIndex() returns a bad index into a vector of form associated elements | - | 2016-10-02
71786 | ThreadSanitizer reports a race on WebCore::schemesWithUniqueOrigins (on cross_fuzz) | - | 2016-10-02
71734 | Security: accessing DataView methods with negative index could cause crash | - | 2016-10-02
71717 | webgl causes segfault | - | 2016-10-02
71601 | Switch to https by default in autofill toolbar server queries | - | 2016-10-02
71788 | Memory corruption playing back specially crafted .ogg vorbis file. | - | 2016-10-02
71763 | use-after-free when document.close and document.write are called after requesting a non-existing script | $1,000 | 2016-10-02
71855 | stale pointer in WebCore::RenderBlock::insertFloatingObject | $1,000 | 2016-10-02
71545 | Chrome_Mac: Crash Report - Stack Signature: WebKit::NotificationPresenterImpl::checkPermission-5428423 | - | 2016-10-02
71388 | Security:WebCore::HTMLTextAreaElement::updateValue+0xf | $1,000 | 2016-10-02
71386 | Stale nodes in Document::recalcStyleSelector | $1,000 | 2016-10-02
71370 | https not properly connected to google doc and gmail. | - | 2016-10-02
71357 | PPAPI var objects reference invalid memory when the instance is deleted | - | 2016-10-02
71586 | race in base/third_party/xdg_mime (crasher) | $500 | 2016-10-02
71296 | Stale iterator in SVGDocumentExtensions::startAnimations() | $1,000 | 2016-10-02
71551 | Cross_fuzz and ClusterFuzz crashes in WebCore::DatabaseTracker::removeOpenDatabase | - | 2016-10-02
71345 | fail to connect with https when browsing google doc in chrome | - | 2016-10-02
71203 | Branch ANGLE and merge fixes to m9 | - | 2016-10-02
173654 | Heap-use-after-free in WebCore::FrameSelection::notifyRendererOfSelectionChange | - | 2016-10-02
173500 | XSS: chromiumbugs.appspot.com | - | 2016-10-02
173483 | New search UI (1993) could lead to self-XSS | $500 | 2016-10-02
173402 | ASSERTION FAILED: !object || object->isRenderImage(), UNKNOWN in WebCore::HTMLAnchorElement::handleClick | - | 2016-10-02
173399 | ASSERTION FAILED: !object || object->isBox(), UNKNOWN in WebCore::RenderListItem::positionListMarker | - | 2016-10-02
173397 | Heap-buffer-overflow in WTF::MemoryInstrumentation::Wrapper<WebCore::ContainerNode>::callReportMemoryUsage | - | 2016-10-02
173341 | Heap-use-after-free in content::PeerConnectionTracker::TrackSetSessionDescription | - | 2016-10-02
173250 | Security: Heap-Buffer-Overflow in extensions::SetIconNatives | - | 2016-10-02
173050 | Heap-use-after-free in WebCore::Node::removedLastRef | - | 2016-10-02
173049 | Heap-use-after-free in WebKit::WebLayerImpl::layer | - | 2016-10-02
172993 | Heap-use-after-free in WebCore::ScrollingCoordinator::hasVisibleSlowRepaintViewportConstrainedObjects | - | 2016-10-02
173068 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::RenderFrameSet::paint | - | 2016-10-02
172926 | Heap-buffer-overflow in WebCore::AudioBufferSourceNode::process | $1,000 | 2016-10-02
172918 | Flash shouldn't load if the "src" URL has a bad content type and Content-Type-Options: nosniff | - | 2016-10-02
172824 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::commonTreeScope | - | 2016-10-02
172822 | ASSERTION FAILED: !object || object->isTextControl(), UNKNOWN in WebCore::TextControlInnerTextElement::customStyleForRenderer | - | 2016-10-02
172984 | Any MITM attacker can load NaCl :-( | - | 2016-10-02
172814 | Heap-use-after-free in WebCore::RenderTextTrackCue::layout | - | 2016-10-02
172658 | Security: TLS timing attack leading to message recovery | - | 2016-10-02
172573 | Compromised renderer can load banned plug-in | - | 2016-10-02
172342 | Heap-use-after-free in WebCore::AudioNodeInput::updateInternalBus | $1,000 | 2016-10-02
172331 | Use-after-free in WebCore::VectorMath::vsmul | $1,000 | 2016-10-02
172794 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::HTMLTreeBuilder::resetInsertionModeAppropriately | - | 2016-10-02
172243 | Heap-buffer-overflow in WebCore::OscillatorNode::process | $1,000 | 2016-10-02
172119 | Security: Do not allow Chrome Web Store URLs to commit in unprivileged processes | - | 2016-10-02
171962 | UNKNOWN in _wordcopy_fwd_aligned | - | 2016-10-02
171951 | Security: UAF in WebCore::SecurityOrigin::databaseIdentifier() | $1,500 | 2016-10-02
172264 | DatabaseMessageFilter: path traversal in origin_identifier | - | 2016-10-02
172071 | verify svn.golo.chromium.org subversion package is up-to-date with security fixes | - | 2016-10-02
171557 | ASSERTION FAILED: !object || object->isBox(), UNKNOWN in WebCore::toRenderBox | - | 2016-10-02
171392 | Cross-Origin copy&paste / drag&drop allowing XSS (again, this time srcdoc) | - | 2016-10-02
171630 | ASSERTION FAILED: document() == newChild->document(), UNKNOWN in WebCore::ContainerNode::parserAppendChild | - | 2016-10-02
171569 | Security: Escape from NaCl sandbox on Mac OS X due to signal handler without SA_ONSTACK | - | 2016-10-02
170715 | SIGSEGV in NotificationUIManagerImpl::CancelAllBySourceOrigin() | - | 2016-10-02
171130 | Heap-use-after-free in WebCore::AXObjectCache::notificationPostTimerFired | - | 2016-10-02
170666 | Heap-use-after-free in SkAlphaRuns::add | - | 2016-10-02
171131 | Heap-use-after-free in WebCore::AccessibilityRenderObject::remoteSVGRootElement | - | 2016-10-02
170683 | Heap-use-after-free in ChromeURLDataManagerBackend::StartRequest | - | 2016-10-02
171134 | XSS in 1993 history handling | $500 | 2016-10-02
170679 | Heap-buffer-overflow in WebCore::RenderBlock::clone | - | 2016-10-02
170199 | Heap-use-after-free in WebCore::HTMLSelectElement::length | - | 2016-10-02
170240 | Heap-use-after-free in WebCore::LiveNodeListBase::invalidateCache | - | 2016-10-02
170360 | Use-after-free: Merge http://trac.webkit.org/changeset/139732 | - | 2016-10-02
170432 | UNKNOWN in WTF::equalIgnoringCase | - | 2016-10-02
170237 | Heap-use-after-free in WebCore::InspectorInstrumentation::didHandleEventImpl | - | 2016-10-02
170188 | Heap-use-after-free in WebCore::Document::updateHoverActiveState | - | 2016-10-02
169973 | IPC: out-of-bounds vector accesses with mismatched vector | - | 2016-10-02
169972 | Security: Heap-Buffer-Overflow in usb_api.cc:CreateBufferForTransfer | - | 2016-10-02
169966 | IPC: negative integer in command to safe browsing host will cause bad vector access | - | 2016-10-02
169770 | IPC: Unvalidated content type used as index for write into raw array | - | 2016-10-02
169765 | Security: Integer overflow in libusb_alloc_transfer causes Heap-Buffer-Overflow in chrome.usb.isochronousTransfer | - | 2016-10-02
170184 | Heap-buffer-overflow in WebCore::RenderTableSection::nodeAtPoint | - | 2016-10-02
170034 | Security: ASAN issue in chromeos::VersionInfoUpdater::OnBootTimes() | - | 2016-10-02
169981 | Security: chrome.usb Api missing parameter validation for "length" | - | 2016-10-02
169723 | [LangFuzz] Crash at v8::internal::AccessorPair::GetComponent with invalid read | $1,000 | 2016-10-02
71115 | Stale pointer in WebCore::RenderTable::firstLineBoxBaseline | $1,000 | 2016-10-02
71114 | Stale pointer due to table childs incorrect added | $1,000 | 2016-10-02
71167 | Bypass popup blocker using custom event (variation of issue 3275) | - | 2016-10-02
70877 | Arbitrary cross-origin bypass using SyntaxError and Number prototype overrides | $1,337 | 2016-10-02
70819 | Empty address bar after opening an URL from extension in new tab | - | 2016-10-02
70779 | width of boundingClientRect for Range with unicode combining characters is corrupted | - | 2016-10-02
70718 | crashes when opening a page with webgl | - | 2016-10-02
70589 | race on a linked list in third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp | - | 2016-10-02
71027 | REGRESSION: crash after download and close window (only in incognito) | - | 2016-10-02
70885 | Bypass popup blocker using iframe | - | 2016-10-02
70456 | OOM handler not always properly terminating process | $1,000 | 2016-10-02
70538 | Open popup in new tab using java applet | - | 2016-10-02
70374 | Browser crash: DeterminePossibleFieldTypesForUpload | - | 2016-10-02
70577 | Security: webgl crashes on all tabs + processing spike even after all webgl programs are closed | - | 2016-10-02
70376 | Pickle::FindNext reads payload_size without checking that the header is complete | - | 2016-10-02
70244 | height of <rect> - integer overflow(?) | $1,000 | 2016-10-02
70337 | Regression: new window.onerror() implementation leaks cross-origin Javascript errors | - | 2016-10-02
70070 | WebGL crashes depending on uniform names | $500 | 2016-10-02
70231 | Prefetch: Do not present authentication prompt | - | 2016-10-02
70336 | Cross-origin Javascript error message leak via Worker importScripts() | $500 | 2016-10-02
70078 | Crash by form controls with form attributes under orphan nodes | $500 | 2016-10-02
69934 | Use after free in LayoutPluginTester.SelfDeletePluginInvoke | - | 2016-10-02
69825 | security flaw | - | 2016-10-02
69970 | Invalid read in convertV8ObjectToNPVariant | - | 2016-10-02
70027 | Stale text node in linebox due to failure to dirty linebox when that text child is dirtied | $1,000 | 2016-10-02
69965 | Use after free in geolocation infobars | - | 2016-10-02
69628 | Probable memory corruption in WebCore::CounterNode::lastDescendant | $500 | 2016-10-02
69597 | Segfault in WebCore::ContainerNode::removeAllChildren() | - | 2016-10-02
69569 | Crashed @ IPC::Channel::ChannelImpl::OnIOCompleted when delete browser history | - | 2016-10-02
69657 | Not signing out from my https webmail account. | - | 2016-10-02
69531 | Valgrind/Memcheck reports uninitialized use of SkGlyph::fMaskFormat in third_party/skia/src/core/SkScalerContext.cpp | - | 2016-10-02
69640 | memcheck: read after free in third_party/icu/source/common/unormimp.h | - | 2016-10-02
69556 | Issue with merging anonymous block in renderblock::removechild (2) | $1,000 | 2016-10-02
69275 | Use after free in scrollbars | - | 2016-10-02
69187 | Error prototypes are called on remote scripts | $1,337 | 2016-10-02
69159 | Crash @ PasswordStore::RemoveLogin | - | 2016-10-02
69106 | ZDI-CAN-1009: Apple Webkit setOuterText Memory Corruption Remote Code Execution Vulnerability | - | 2016-10-02
69294 | Browser crash when executing indexedDb tutorial.html in an incognito window. | - | 2016-10-02
69195 | playing Z-Type causes crash | - | 2016-10-02
68741 | Stale pointers in CSSOM - 2 | $1,000 | 2016-10-02
68646 | Integer overflow and signed comparison in RenderView::DidDownloadApplicationIcon() | - | 2016-10-02
68641 | Stale form associated element pointer in Document object | $1,000 | 2016-10-02
68773 | Chrome: Crash Report - Stack Signature: UTF8ToUTF16(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)-382777c6_d21c627c_9e383e89_c1eaa2f5_ef047e8d | - | 2016-10-02
68766 | Chrome: Crash Report - Stack Signature: net::HttpStreamFactory::~HttpStreamFactory()-2A77B8F | - | 2016-10-02
68434 | Search Bug Dynamic dns | - | 2016-10-02
68369 | Installing extensions in "popup"-type windows crash browser | - | 2016-10-02
68342 | Aw snap on github.com with voice search extension installed | $500 | 2016-10-02
68439 | Destroying nextblock in RenderBlock::removeChild can cause oldChild and nextblock's next sibling to be merged. | $1,000 | 2016-10-02
68244 | Playing audio with volume set to undefined crashes browser | - | 2016-10-02
68170 | invalid free() in bundled pdf viewer | $1,000 | 2016-10-02
68259 | Virus, exploit in maps | - | 2016-10-02
68130 | Memory corruption in font draws for accelerated 2d canvas. | - | 2016-10-02
68115 | Memory corruption with bad Vorbis streams (from CERT) | $1,000 | 2016-10-02
68075 | chrome.dll!WebCore::CounterNode::resetRenderers ExecAV@NULL (7b931db52815b50413964fbdd401fe15) | - | 2016-10-02
68062 | OOB read crash in SVG length list parsing algorithm | - | 2016-10-02
67968 | Use after free due to adjacent floats not cleared properly from parents | - | 2016-10-02
67966 | the bank tell me my browser ar not safe | - | 2016-10-02
67923 | Stale pointer in SVGImage | - | 2016-10-02
68120 | Stale pointer in CSSFontFaceSource::m_svgFontFaceElement | $1,000 | 2016-10-02
177913 | Heap-buffer-overflow in AutofillExternalDelegate::OnSuggestionsReturned | - | 2016-10-02
177876 | Heap-use-after-free in webkit::ppapi::PPB_URLLoader_Impl::FillUserBuffer | - | 2016-10-02
177858 | Global-buffer-overflow in v8::internal::MaybeObject* v8::internal::SlowQuoteJsonString<unsigned char, v8::internal::SeqOneByte | - | 2016-10-02
177932 | Heap-use-after-free in WebCore::SVGElementInstance::invalidateAllInstancesOfElement | - | 2016-10-02
177873 | Security: out of bounds write with webgl and gl.DEPTH_COMPONENT | $1,000 | 2016-10-02
177688 | ASSERTION FAILED: obj->isRenderInline() || obj == this, Bad cast in WebCore::RenderBlock::createLineBoxes | - | 2016-10-02
177620 | Heap-use-after-free in WebCore::HTMLMediaElement::~HTMLMediaElement | $1,000 | 2016-10-02
177410 | Heap-use-after-free in extensions::BookmarksIOFunction::ShowSelectFileDialog | - | 2016-10-02
177403 | ASSERTION FAILED: !node || node->isElementNode(), UNKNOWN in WebCore::RenderBlock::clone | - | 2016-10-02
177737 | Heap-use-after-free in webrtc::DataChannel::Send | - | 2016-10-02
177686 | Heap-use-after-free in WebCore::ImageLoader::dispatchPendingErrorEvent | - | 2016-10-02
177815 | pepper_flash_clipboard_message_filter.cc assumed same-sized vectors from untrusted Flash process | - | 2016-10-02
176882 | Heap-use-after-free in WebCore::FrameLoader::checkCompleted | $1,000 | 2016-10-02
176863 | ASSERTION FAILED: !detachingNode, Heap-buffer-overflow in WebCore::CSSImageGeneratorValue::removeClient | - | 2016-10-02
177215 | ASSERTION FAILED: static_cast<unsigned>(m_start + length) <= string.length(), UNKNOWN in WebCore::InlineTextBox::paint | - | 2016-10-02
176719 | Global-buffer-overflow in cld::ProcessProbV25UniTote | - | 2016-10-02
176692 | postTaskForModeToWorkerContext/dispatchTaskToWorkerThread invalid pointer crash with Workers/FileSystem API | $1,000 | 2016-10-02
177197 | Heap-buffer-overflow in void WTF::Vector<unsigned short, 1024ul>::insert<unsigned short> | - | 2016-10-02
176738 | ASSERTION FAILED: itemIndex < m_values->size(), UNKNOWN in WebCore::SVGPathSegListPropertyTearOff::processIncomingListItemValue | - | 2016-10-02
176514 | Heap-use-after-free in WebCore::RenderObject::propagateStyleToAnonymousChildren | - | 2016-10-02
176298 | Heap-buffer-overflow in std::_Rb_tree<int, int, std::_Identity<int>, std::less<int>, std::allocator<int> >::erase | - | 2016-10-02
176252 | RenderViewHostImpl::OnMessageReceived | $1,000 | 2016-10-02
176137 | Data extraction with XSS Auditor | $500 | 2016-10-02
176676 | Heap-use-after-free in cricket::TransportChannelProxy::SetImplementation | - | 2016-10-02
176033 | Use-after-free in webrtc::WebRtcSession::data_channel() | - | 2016-10-02
176027 | Heap-buffer-overflow in SkARGB32_Opaque_Blitter::blitMask | - | 2016-10-02
175741 | UNKNOWN in webkit::ppapi::PluginInstance::PrintPDFOutput | - | 2016-10-02
175343 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::AccessibilityMenuListPopup::didUpdateActiveOption | - | 2016-10-02
175342 | Heap-use-after-free in WebCore::DeleteButtonController::enable | - | 2016-10-02
175305 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::HTMLTreeBuilder::resetInsertionModeAppropriately | - | 2016-10-02
176056 | Global-buffer-overflow in v8::internal::MarkCompactCollector::EmptyMarkingDeque | - | 2016-10-02
174920 | Heap-use-after-free in WebCore::CachedCSSStyleSheet::checkNotify | - | 2016-10-02
174676 | Heap-use-after-free in SpellcheckHunspellDictionary::InitializeDictionaryLocation | - | 2016-10-02
174846 | Heap-use-after-free in WebCore::ElementRuleCollector::collectMatchingRulesForList | - | 2016-10-02
175069 | Heap-use-after-free in net::SpdySession::DoLoop | - | 2016-10-02
174895 | IndexedDB: missing check that index_ids and index_keys have equal size | - | 2016-10-02
174566 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::SVGListProperty<WebCore::SVGPathSegList>::replaceItemValues | - | 2016-10-02
174328 | IndexedDB: overflow of 2-bit index id size field | - | 2016-10-02
174146 | Crashing in gpu::gles2::GLES2Implementation::ReadPixels(int,int,int,int,unsigned int,unsigned int,void *) | - | 2016-10-02
174137 | Crashing in WebCore::ChannelMergerNode::process(unsigned int) | - | 2016-10-02
174129 | Security: Silent HTTP Basic Authentification & HTTP Authentification Brute Force | - | 2016-10-02
174579 | stack-buffer-overflow in ui::ScrollEvent::Scale on Chrome OS | - | 2016-10-02
174150 | Crashing in media::VideoRendererBase::ThreadMain() | - | 2016-10-02
174020 | ASSERTION FAILED: !object || object->isMenuList(), UNKNOWN in WebCore::HTMLSelectElement::menuListDefaultEventHandler | - | 2016-10-02
173906 | document.referrer leakage with XSS Auditor page block | - | 2016-10-02
173880 | Heap-buffer-overflow in media::OpusAudioDecoder::ConfigureDecoder | - | 2016-10-02
174049 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::RenderTableSection::layout | - | 2016-10-02
174017 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::SVGAnimationElement::currentValuesForValuesAnimation | - | 2016-10-02
173781 | Heap-buffer-overflow in void std::__introsort_loop<WebCore::GridTrack**, long, bool | - | 2016-10-02
173688 | Security: Non-web-accessible extension URLs should not load in non-extension processes | - | 2016-10-02
67393 | Freeing invalid uninitialized pointer to bug_report_ object | $1,000 | 2016-10-02
67363 | EXTERNAL-REPORT: SVGElementInstance::m_useElement not cleared on corresponding use element destruction | $500 | 2016-10-02
67577 | Switch .jar and .class to always-warn | - | 2016-10-02
67234 | Webkit crashes during animation event processing | - | 2016-10-02
67303 | renderer crash when playing a corrupt webm video | $1,000 | 2016-10-02
67208 | VU#821271 Exception generated by code running in the Stack | $1,000 | 2016-10-02
66986 | Reparenting error due to double merge of anonymous blocks in removeChild | - | 2016-10-02
66962 | browser crash when reproducing issue #64051 | - | 2016-10-02
66931 | Google Chrome crashes at https://webmail.afmc.af.mil/Exchange | - | 2016-10-02
66841 | Chrome View keeps changing percentage(decreasing to 50%) automatically | - | 2016-10-02
67100 | Crash in PDF form event handling when deleting page from underneath self | - | 2016-10-02
66760 | ZDI-CAN-968: Apple Webkit Font Glyph Layout Remote Code Execution Vulnerability | - | 2016-10-02
66718 | webgl page causes X server crash | - | 2016-10-02
66700 | chrome.dll!WebCore::RenderTextControlSingleLine::speechAttributeChanged ReadAV@NULL (7acb553d23eecf733d9ececf57a499f7) | - | 2016-10-02
66676 | REGRESSION: Crash on exit after clearing all downloads | - | 2016-10-02
66486 | MAC OSX 10.6.5 google chrome | - | 2016-10-02
66473 | Crash in ReplaceSelectionCommand::doApply when modified during mutation event | - | 2016-10-02
66748 | CSSCursorImageValue not clearing SVGElement back pointer | $500 | 2016-10-02
66334 | Crashes at wild EIP when pressing "print" button on PDFs | - | 2016-10-02
65942 | Stale pointer in Range::processContents when modified during mutation event | - | 2016-10-02
65869 | crash when rapidly reloading a page with an applet | - | 2016-10-02
65845 | Bad cast from RenderText to RenderBox due to details tag being shown inline. | - | 2016-10-02
65796 | Children of cloned anonymous blocks should set childreninline flag | - | 2016-10-02
65299 | Out of bound read when using modified webp file | $500 | 2016-10-02
65194 | Renderer crash @ gpu::gles2::GLES2Implementation::TexSubImage2D(unsigned int,int,int,int,int,int,unsigned int,unsigned int,void const *) | - | 2016-10-02
64974 | Integer overflow leading to OOB read, possible memory corruption in webgl getfloat32 | - | 2016-10-02
64949 | Crash with progressive rendering | - | 2016-10-02
64788 | Access data from my company Google Docs (domain wittit.com) with my gmail account. | - | 2016-10-02
64669 | Not allow overwrite of field data when merging profile data | - | 2016-10-02
64559 | Bad cast when selection changes for combo boxes. | - | 2016-10-02
64456 | Chrome crashes when attempting to install a userscript. | - | 2016-10-02
64945 | Crash when webp image is invalid | $1,000 | 2016-10-02
64364 | Failure on startup when opening the browser | - | 2016-10-02
64331 | Stale node being set as layout root when rendering meter, progress elements. | - | 2016-10-02
64088 | Use after free due to calling a stale timer on a closed frame/document | - | 2016-10-02
64046 | WebKit 49902 - chrome.dll!WebCore::toWebWidgetClient ReadAV@NULL (08ffd4f21a8c6465bb1e19a2f52e4bd5) | - | 2016-10-02
63982 | Memory corruption in RenderObjectChildList::removeChildNode | - | 2016-10-02
64424 | Computing style on a stale node while sending pending accessibility notification | - | 2016-10-02
64108 | Verify cross-origin push fails under SPDY | - | 2016-10-02
63911 | Memory corruption in accelerated 2d canvas | - | 2016-10-02
63945 | More memory corruption in accelerated 2d canvas, this time in moveTo | - | 2016-10-02
63617 | Closing multiple WebGL tabs at the same time causes segfault in Xorg | - | 2016-10-02
63609 | Delete any link promotes - Orkut OLD | - | 2016-10-02
63552 | Windows media player plugin crashes all the time @ NPAPI::PluginLib::Load+0x116 | - | 2016-10-02
63533 | WebM Crash fix merge from M7 | - | 2016-10-02
63529 | Security: Segfault when dealing with Web Workers and MessageChannels | - | 2016-10-02
63866 | WebKit CSS Font Face Parsing Type Confusion | $1,000 | 2016-10-02
63924 | Bad cast from RenderTableCol to RenderBlock in search css | - | 2016-10-02
63732 | Browser crash @ JavaScriptAppModalDialog::Cleanup() | $500 | 2016-10-02
63389 | Setting small numeric CSS values using setFloatValues changes that value on all pages until the browser is quit | - | 2016-10-02
63268 | Universal XSS via mutating style objects and read styles cross origins | - | 2016-10-02
63248 | segfault in bundled PDF viewer (invalid read in strlen) | $1,000 | 2016-10-02
63444 | Security: possible memory corruption (double-free) in XPath processing code | $1,000 | 2016-10-02
63495 | WebCore::NamedNodeMap::setAttributes() stale iterator | - | 2016-10-02
63454 | Analyze integer wraps in WebCore::Range. | - | 2016-10-02
63380 | SVG Transformlist memory corruption | - | 2016-10-02
63031 | Stale font accessed in WebCore::GlyphPage::glyphDataForCharacter | - | 2016-10-02
63166 | CryptUnprotectData disclose sensitive information in stack | - | 2016-10-02
63051 | chrome_6dc70000!WebCore::EventHandler::updateSelectionForMouseDrag use after free | $500 | 2016-10-02
63037 | Security: chrome.google.com Stored XSS | - | 2016-10-02
189090 | Heap-use-after-free in WebCore::accumulateDocumentEventTargetRects | - | 2016-10-02
189089 | ASSERTION FAILED: curr->isRenderBlock(), UNKNOWN in WebCore::RenderBlock::splitBlocks | - | 2016-10-02
189250 | Security: pango loads config options from $HOME/.pangorc | - | 2016-10-02
189091 | Heap-use-after-free in extensions::ObjectBackedNativeHandler::Router | - | 2016-10-02
189084 | Bad cast in WebKit::WebPageSerializerImpl::endTagToString | - | 2016-10-02
187243 | Heap-use-after-free in WebCore::InlineBox::deleteLine | - | 2016-10-02
181617 | Security: Possible path traversal in file_util::AbsolutePath (Windows XP/2K3) | $1,337 | 2016-10-02
181580 | Heap-use-after-free in extensions::ModuleSystem::LazyFieldGetterInner | - | 2016-10-02
187245 | Heap-use-after-free in SkTypeface::getTableSize | - | 2016-10-02
188092 | Invalid pointer read in WebCore::WaveShaperProcessor::process | - | 2016-10-02
183741 | arbitrary number of popups in response to single user action | - | 2016-10-02
181083 | Security: H.264 scaling list parsing overflow | $40,000 | 2016-10-02
180920 | Heap-use-after-free in WebCore::ElementRuleCollector::collectMatchingRulesForList | - | 2016-10-02
181438 | TransportDIB::Map doesn't validate size of mapped section on Windows | - | 2016-10-02
180763 | PWN2OWN: Bad cast in SVGViewSpec::viewTarget | - | 2016-10-02
180593 | Heap-use-after-free in WebCore::RenderBlock::logicalRightOffsetForLine | - | 2016-10-02
180555 | Security: DevTools renderer navigation is handled in renderer and allows opening any URL in DevTools window. | - | 2016-10-02
181375 | Heap-use-after-free in WebCore::AXObjectCache::getOrCreate | - | 2016-10-02
180909 | Buffer overflow in URLLoader::ReadResponseBodyAck | - | 2016-10-02
180051 | Use after free in PersistentTabRestoreService (during shutdown?) | - | 2016-10-02
179653 | ANGLE shader compiler: struct size overflow | - | 2016-10-02
179634 | Heap-use-after-free in (anonymous | - | 2016-10-02
179632 | Heap-use-after-free in sigslot::_signal_base1<bool, sigslot::single_threaded>::disconnect | - | 2016-10-02
179631 | Heap-use-after-free in WebCore::SegmentedString::SegmentedString | - | 2016-10-02
179580 | Devtools uses dangling WebContents* when extension reloads | - | 2016-10-02
180058 | Security: Loading NaCl from Web via permissive extension | - | 2016-10-02
179654 | ANGLE shader compiler: validate numBytes in TPoolAllocator::allocate | - | 2016-10-02
178848 | Chrome_Linux: Crash Report - Stack Signature: extensions::UserScriptSlave::GetDataSourceU... | - | 2016-10-02
178706 | Mac AVCConfigRecordBuilder: integer overflow leading to heap-buffer-overflow | - | 2016-10-02
178780 | Security: Chrome extensions whitelist leaks IDs | - | 2016-10-02
178761 | Heap-use-after-free in WebCore::FrameView::maintainScrollPositionAtAnchor | - | 2016-10-02
178760 | Heap-use-after-free in gtk_floating_container_add_floating | - | 2016-10-02
179287 | ASSERTION FAILED: !object || object->isBox(), UNKNOWN in WebCore::RenderSliderContainer::layout | - | 2016-10-02
179522 | Heap-use-after-free in WebCore::AudioNodeOutput::pull | $3,133 | 2016-10-02
178797 | Use-after-free under CachedRawResource::responseReceived | - | 2016-10-02
178266 | Heap-use-after-free in WebCore::RenderBlock::determineStartPosition | - | 2016-10-02
178242 | NavigationController can copy wrong NavigationEntry when committing a new page | - | 2016-10-02
178269 | Heap-use-after-free in WebCore::FrameLoader::stopForUserCancel | - | 2016-10-02
178130 | ASSERTION FAILED: node->treeScope() == m_oldScope, Heap-use-after-free in WebCore::TreeScopeAdopter::moveTreeToNewScope | - | 2016-10-02
178581 | Heap-use-after-free in BrowsingDataRemover::DoClearCache | - | 2016-10-02
178264 | Heap-use-after-free in WebCore::Frame::setPageAndTextZoomFactors | - | 2016-10-02
178002 | Heap-use-after-free in WebCore::LiveNodeList::namedItem | - | 2016-10-02
177933 | ASSERTION FAILED: i < size(), UNKNOWN in WebCore::SVGAnimatedTransformListAnimator::calculateAnimatedValue | - | 2016-10-02
178003 | ASSERTION FAILED: !node || node->isElementNode(), UNKNOWN in WebCore::HTMLElementStack::popCommon | - | 2016-10-02
177956 | cross-process memory address leak via sa_restorer | $1,000 | 2016-10-02
62987 | Use after free in EventSource | - | 2016-10-02
62925 | <Unloaded_S.DLL>+0x42cd17f crash | $1,000 | 2016-10-02
62718 | renderer crash in PDF viewer (possibly due to overlapping memcpy) | - | 2016-10-02
62674 | Valgrind detected invalid read in net::SingleRequestHostResolver::Cancel() - use-after-free? | - | 2016-10-02
62623Crash at NULL IP in PDF when evaluating strange expression$1,0002016-10-02
62401Crash in WebCore::SMILTimeContainer::begin$1,0002016-10-02
62358Integer overflow in SVG Parsing-2016-10-02
62791Crash loading invalid crx extension file-2016-10-02
62354Bad cast in SVGImageBufferTools::renderSubtreeToImageBuffer-2016-10-02
62296Bad cast from renderinline to renderbox in animations-2016-10-02
62281Use after free due to overhanging floats in LEGEND block-2016-10-02
62276Out of bound memory access in webp decoder-2016-10-02
62261use after free in ContainerNode::willRemove-2016-10-02
62168Bad cast in WebDevToolsFrontendImpl::dispatchOnInspectorFrontend-2016-10-02
62158Exploitable-looking crash when simply selecting a drop-down value-2016-10-02
62293Bad cast in CSSStyleSelector::createTransformOperations-2016-10-02
62118Autosave - Password-2016-10-02
61975Page is shown before password is requested-2016-10-02
61919[Regression] Browser crash in GetMostVisitedThumbnailsOnDBThread-2016-10-02
61917[Regression] Purecall in TopSitesDatabase::UpdatePageThumbnail-2016-10-02
62127faulty webm file causes segfault$1,0002016-10-02
61954split webstorePrivate.install into two functions, one of which requires a gesture-2016-10-02
61719Chrome-2016-10-02
61691SECURITY FAIL-2016-10-02
61653MSVR-10-0108 - Integer Overflow in Chrome's VP8 decoding leads to memory corruption-2016-10-02
61634webstorePrivate.install method should not suppress install confirmation for extensions with NPAPI-2016-10-02
61721Security: Google Chrome 7.0.517.41 Multiple DLL Hijacking Vulnerability-2016-10-02
61701Security: google chrome crashes when a request passes through a proxy and receives a 407 HTTP error code from the server-2016-10-02
61848Search results are displayed in bing.-2016-10-02
61555on double click of a password with comma in it, selects only the part separated by comma instead of selecting fully. The compromises security besides being an inconvenience.-2016-10-02
61502Floats left out of the incremental line break code due to failed image load.-2016-10-02
61338pdf viewer segfault after js syntax error$1,0002016-10-02
61577Security Bug: Google Docs Published Spreadsheets-2016-10-02
61255Bad cast in PageClickTracker::handleEvent-2016-10-02
61576WebKit 48831 - chrome.dll!WebCore::SVGLength::SVGLength WriteAV@Arbitrary (ab566cfad36b72d82883e59d51a1dbec)-2016-10-02
61313Use after free related to ApplyBlockElementCommand::formatSelection-2016-10-02
61129Double click selection behaviour exposes password information-2016-10-02
60978WebGL stencil buffers not correctly initialized-2016-10-02
60816Crash in hunspell::NodeReader::FindWord-2016-10-02
60769more bad casts in event handling.-2016-10-02
60761chrome_1c30000!TabContents::RemoveInfoBar(class InfoBarDelegate * delegate = 0x05dfe700)+0x1dfull tab crash-2016-10-02
61158Use after free in ApplyStyleCommand::removeInlineStyle-2016-10-02
60695Bad cast in RenderView docheight,docwidth calc due to adding non box childs-2016-10-02
60688chrome_55000000!WebCore::FEBlend::apply+0x1a5$1,0002016-10-02
60653Memory error inside WTF::String::format-2016-10-02
60496Speed tracer + AdBlock = Renderer Crash @ v8::internal::Invoke-2016-10-02
60327Bad cast to MouseEvent in Node::defaultEventHandler()$5002016-10-02
60238Use after free of m_frame in FrameLoader::loadWithDocumentLoader$5002016-10-02
60697CSS, background-repeat bug-2016-10-02
60029OOB read with StringImpl::find line 621-2016-10-02
59817Security: Add .html and .htm to the dangerous extensions list for OSX and OS_POSIX-2016-10-02
60055WebM crash in vp8_setup_intra_recon()$1,0002016-10-02
59663CSSPrimitiveValue::cssText() may cause a buffer overflow-2016-10-02
60013RenderIndicator childs not laid out at all.-2016-10-02
223145Security: <template> implementation fails to check for "template" in special list when handling "any other end tag for in body"-2016-10-02
223125Heap-buffer-overflow in WebCore::InlineIterator::atTextParagraphSeparator-2016-10-02
223032ASSERTION FAILED: !HashTranslator::equal(Extractor::extract(deletedValue), key), Heap-buffer-overflow in WebCore::Font::width-2016-10-02
222852Heap-use-after-free in WebCore::RenderObject::isDescendantOf-2016-10-02
222770UNKNOWN in WebCore::QualifiedName* WTF::HashTable<WebCore::QualifiedName, WebCore::QualifiedName, WTF::Identity-2016-10-02
222754Multiple ffmpeg security issues found by j00ru.-2016-10-02
222539UNKNOWN in WTF::Vector<WTF::Vector<WebCore::RenderBox*, 1ul>, 0ul>::reserveCapacity-2016-10-02
223034Heap-buffer-overflow in void media::ToInterleavedInternal<int, long>-2016-10-02
223238Heap-use-after-free in GIFImageReader::decode$1,0002016-10-02
222000Use after free - using speech API after loading a web page$1,0002016-10-02
222036Heap-use-after-free in cricket::WebRtcRenderAdapter::FrameSizeChange-2016-10-02
222136Heap-use-after-free in WebCore::AudioDSPKernelProcessor::reset-2016-10-02
221131HTML tags are not sanitized in chrome://network-2016-10-02
220039Security: Chrome extensions can manipulate Chrome sign-in screen-2016-10-02
219175Security: uid and gid 233 double-allocated to tlsdate-dbus and debugd-logs users/group in Chrome OS ToT-2016-10-02
216501enable manifest checking in chromiumos-overlay-2016-10-02
217858[LangFuzz] Crash on Heap with invalid read (possibly due to uninitialized value) on 64 bit$1,0002016-10-02
214314Enable GPU process seccomp filter sandbox on Chrome OS-2016-10-02
214730Security: Remove "--enable-nacl" on daisy/snow boards before production-2016-10-02
209604Heap-use-after-free in WebCore::RenderObject::container$1,0002016-10-02
213970Seccomp filter for avfsd on ARM-2016-10-02
203443use-after-free in views::View::parent() from chromeos::BalloonContainer::HasBalloonView()-2016-10-02
204504minijail ignores user/group id and runs as root when it can't find /lib/minijailpreload.so-2016-10-02
196575ASSERTION FAILED: i < size(), UNKNOWN in WebCore::RenderFrameSet::fillFromEdgeInfo-2016-10-02
196571ASSERTION FAILED: !node || node->isElementNode(), UNKNOWN in WebCore::Element::offsetParent-2016-10-02
196570ASSERTION FAILED: !object || object->isCanvas(), UNKNOWN in WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored-2016-10-02
196456Any web site can launch Google Talk plug-ins (either of them) by fiddling with ':' in URL syntax-2016-10-02
196648IPC: destroy routes for video decoders on GpuCommandBufferStub destruction-2016-10-02
196174ASSERTION FAILED: i < size(), UNKNOWN in WebCore::HTMLTreeBuilder::resetInsertionModeAppropriately-2016-10-02
196071Security: XMLHttpRequest HTTP Referer Header Faking-2016-10-02
194749REGRESSION: Chrome crashed while launching Bejeweled game-2016-10-02
193197Security: Overflow READING BlueZ adapter's config from /var/lib on startup-2016-10-02
196393RIP == 0 in WebCore::StyleResolver::matchAllRules$1,0002016-10-02
59627Renderer crash while profiling @ v8::internal::Context::global_context()-2016-10-02
59625GPU ANGLE Preprocessor Extension Stack Overflow-2016-10-02
59623GPU ANGLE Symbol Parsing Multiple Stack Overflows-2016-10-02
59593Stale pointer in WebCore::ThreadTimers::sharedTimerFiredInternal-2016-10-02
59584repaired-2016-10-02
59554Use after free when encountering history.back() call during Page::goToItem execution$5002016-10-02
59504WebGL Context GPU Channel Dangling Pointer-2016-10-02
59320Segfault in x86_64/memset.S below SkScalerContext::getImage on Linux$1,0002016-10-02
59314[Merge] Blob / BlobBuilder can be put into bad state with wild integers and strings, due to integer overflows-2016-10-02
59036PDF JS engine doesn't work in 64 bit$1,3372016-10-02
58829Memory corruption in SyncChannel::SyncContext::OnChannelClosed()-2016-10-02
59081Security: do not allow on-page drag-and-drop from non-same-origin frames (or require an extra gesture)-2016-10-02
58731Invalid memory access (with possible avenue to corruption) in the xpath handling libxml$1,0002016-10-02
58657Bad cast on SVG use element due to mismatched shadow and instance pointers$1,0002016-10-02
58741Use after free in HTMLTextFormControlElement::selection()$5002016-10-02
58319Browser crash - creating unlimited number of File Dialogs-2016-10-02
58008Bad cast casting parent class obj InlineFlowBox to child class obj RootInlineBox-2016-10-02
57743Stale pointer in WebSocket connection handshake-2016-10-02
57691Security Bug: Uploading without ever choosing to upload-2016-10-02
58053Crash in BallonViewImpl::DelayedClose()-2016-10-02
57908build with -fPIE-2016-10-02
58069Windows Sandbox allows access to the console.-2016-10-02
57501Crash in PDF plugin when building cross-refs$5002016-10-02
57377Cross origin bypass with CSS getMatchedCSSRules()-2016-10-02
57347ZDI-CAN-874: Apple Webkit WholeText Integer Overflow Remote Code Execution Vulnerability-2016-10-02
57200Use after free from accessing stale renderers in m_floatingObjects in lowestPosition-2016-10-02
57002abcd-2016-10-02
56996Renderer crash when navigating between Field and Aquarium @ WebCore::Node::detach()-2016-10-02
56993Form data is not cleared or even offered in the "Clear browser history"-2016-10-02
57083Possible bug with Chrome and PayPal-2016-10-02
56760segfault in bundled pdf viewer$1,0002016-10-02
57080remove extension renaming code-2016-10-02
56796Bad cast in casting CSSInitialValue to SVGColor in css-2016-10-02
56692Bad cast from RenderInline to RenderBox in positionListMarker-2016-10-02
56621use after free in InlineBox::dirtyLineBoxes()-2016-10-02
56616Bad cast in 3d rendering in RenderObject::getTransformFromContainer-2016-10-02
56514Click to Play is vulnerable to UI redressing-2016-10-02
56653Named popup windows bug-2016-10-02
56468MAJOR Password Security problem-2016-10-02
56451cross_fuzz: Deleted elements lingering in Document::m_elementsById-2016-10-02
56449Crash in Pickle::ReadInt in net::HttpResponseInfo::InitFromPickle-2016-10-02
56722Browser crash on closing incognito @ ToolbarView::Layout()-2016-10-02
56474Use after free in table destroy-2016-10-02
56252Factory::LookupSymbol+0x3e - Crash-2016-10-02
56237Browser crash in incognito mode with trying to close a large db.-2016-10-02
56206Use after free in CounterNode-2016-10-02
56144Memory corruption in adding text child to table column-2016-10-02
56127Ă©Â€ÂĂŁÂ‚ÂŠĂŁÂÂŸĂŁÂÂ™-2016-10-02
56394Bad cast in ApplyStyleCommand::applyInlineStyleToPushDown-2016-10-02
55957Merge webkit bug 45869: Use after free in ImageLayerChromium-2016-10-02
55901Merge Webkit Bug 45896 :CSS: Fix crash in getTimingFunctionValue()-2016-10-02
55751vulnerability Google chrome clickjacking-2016-10-02
55745MSVR-10-0105: Cross origin bypass using canvas and video-2016-10-02
55675Stale owner element called in frame's disconnectOwnerElement-2016-10-02
55607Flash intercepts key events when not in focus-2016-10-02
55350Chrome cross window & cross domain object access$1,0002016-10-02
55831Segmentation fault at WebCore::ImageLoader::updateFromElement due to malformed HTML$1,0002016-10-02
55330Treebuilder parsing in out of context when encountering special tags like </kbd>-2016-10-02
55346Load Timer fired on deleted HTMLMediaElement$1,0002016-10-02
230907Heap-use-after-free in WebCore::RenderBox::exclusionShapeOutsideInfo-2016-10-02
230730ASSERTION FAILED: m_insertionPoint->inDocument(), Heap-use-after-free in WebCore::ElementRuleCollector::collectMatchingRulesForList-2016-10-02
230729Heap-use-after-free in non-virtual thunk to WebKit::WebPluginContainerImpl::clearScriptObjects-2016-10-02
230915Security: strongSwan ECDSA signature vulnerability-2016-10-02
230726ASSERTION FAILED: i < m_length, UNKNOWN in WebCore::InlineTextBox::isLineBreak-2016-10-02
230725Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine-2016-10-02
230720Heap-use-after-free in WebCore::InlineFlowBox::deleteLine-2016-10-02
230176Security: Type confusion vulnerability in V8Clipboard::setDragImageMethodCustom$1,5002016-10-02
230117Heap-use-after-free in webkit_media::WebMediaPlayerImpl::paint$1,0002016-10-02
229504Interstitials allow bypass of extension permissions-2016-10-02
230728Heap-use-after-free in WebCore::WidgetHierarchyUpdatesSuspensionScope::moveWidgets-2016-10-02
229020ASSERTION FAILED: i < size(), UNKNOWN in WebCore::RenderLayer::hitTestList-2016-10-02
229019Input pointer corruption in xmlParseTryOrFinish-2016-10-02
227390ExtensionFunctionRegistry: missing check for iter != factories_.end()-2016-10-02
227350Security: UAF in ppapi::ScopedPPResource::CallRelease$1,0002016-10-02
227197Security: infoleak in Buffer::Set in O3D-2016-10-02
229402Another popunder scheme-2016-10-02
227158Security: domain authorization issue in O3D-2016-10-02
227157Global-buffer-overflow in WebCore::Font::expansionOpportunityCount-2016-10-02
227181Security: UAF in O3D-2016-10-02
226937Security: Postpwnium: Full exploit chain for ChromeOS$31,3362016-10-02
226928Null-pointer exec from SkDeferredCanvas::setDeferredDrawing-2016-10-02
226696Security: use-after-free removing a frame from its parent in a beforeload event of an OBJECT element$2,0002016-10-02
226659Harden WTF::Vector::operator[]-2016-10-02
226091ASSERTION FAILED: !node || node->isShadowRoot(), UNKNOWN in WebCore::EventRetargeter::eventTargetRespectingTargetRules-2016-10-02
226090Heap-use-after-free in WebCore::IDBDatabase::onComplete-2016-10-02
227040Heap-use-after-free in moveOverlapping-2016-10-02
226068Security: HSTS will not work if Strict-Transport-Security header and Public-Key-Pins header are present in this order-2016-10-02
226012clicking links using generated mouse events bypasses the popup blocker-2016-10-02
225979Heap-use-after-free in WebCore::RenderTextControl::visiblePositionForIndex-2016-10-02
225969Consider locking screen when turning screen off rather than when suspending-2016-10-02
225798Swiftshader images do not use aslr-2016-10-02
225565Security: strongswan must not write files into /mnt/stateful_partition directly-2016-10-02
225546Security: u-a-f in shared worker process in Allow{IndexedDB,FileSystem}MainThreadBridge$1,3372016-10-02
225496chrome_5eb80000!views::FocusManager::AdvanceFocus Crash-2016-10-02
225417Heap-use-after-free in TabStripGtk::DestroyDraggedTab-2016-10-02
225403ASSERTION FAILED: ownerElement->contentFrame() == frame || !ownerElement->contentFrame(), Heap-use-after-free in WebCore::Node::isDescendantOf-2016-10-02
225226It's possible to bypass the permission restrictions for chrome.tabs.captureVisibleTab-2016-10-02
224920ASSERTION FAILED: !object || object->isBox(), UNKNOWN in WebCore::RenderBlock::layoutBlockChildren-2016-10-02
224734Incorporate standalone utilities into futility-2016-10-02
223962Heap-use-after-free in WebCore::Reverb::latencyFrames$5002016-10-02
224624Security: XSS in 1993 chrome-2016-10-02
223772Attempting free when chrome.fontSettings.getFontList is called twice in background script-2016-10-02
223444Kernel stack info leak via the tkill and the tgkill syscalls$5002016-10-02
223376ASSERTION FAILED: !node || node->isHTMLElement(), UNKNOWN in WebCore::toHTMLElement-2016-10-02
223835ASSERTION FAILED: candidate.isCandidate(), Heap-use-after-free in WebKit::ChromeClientImpl::didAssociateFormControls-2016-10-02
223482Heap-use-after-free in WebCore::HTMLTreeBuilder::callTheAdoptionAgency-2016-10-02
55257Memory corruption in accessing floatptr of a textarea$1,0002016-10-02
55215Memory corruption with styled font-face-2016-10-02
55179Memory corruption with reparentchildren in new treebuilder-2016-10-02
55119SpdyFramer buffer resizing bug-2016-10-02
55114Bad cast with svg:g element$5002016-10-02
54794HTML5 Workers run outside of the sandbox-2016-10-02
54697Extension APIs should include password encryption-2016-10-02
54691segmentation fault in bundled pdf plugin$1,0002016-10-02
54661SSL connexion error after update to CHROME v6.0.472.53-2016-10-02
54653Memory corruption with creating lines on renderblocks.-2016-10-02
54636selectedStylesheetSet memory corruption-2016-10-02
54539OOB read in rendering text fragment-2016-10-02
54880Crash at gfx::CGImageToSkBitmap-2016-10-02
54532Issue with incorrect attribute, events handling in SVG and polyline-2016-10-02
54500Renderer crash on very big animated gif image @ WebCore::RGBA32Buffer::setRGBA(unsigned int *,unsigned int,unsigned int,unsigned int,unsigned int)$5002016-10-02
54312My Other MacBook Was Stolen/Robbed from My HOme and the Hacker is taking Pride in Torturing me-2016-10-02
54268MacOSX WebGL Uninitialized Canvas Information Leak-2016-10-02
54262Possible Location Bar & SSL Spoofing$1,0002016-10-02
54132Security: Insecure library loading in Google Chrome for Linux-2016-10-02
54054Device3DInitialize Uninitialized Object Vulnerability-2016-10-02
54313My Other MacBook Was Stolen/Robbed from My HOme and the Hacker is taking Pride in Torturing me-2016-10-02
54006Security: Extension history permission does not generate a warning-2016-10-02
53985Crash in chrome_browser_net_websocket_experiment::WebSocketExperimentRunner::DoLoop-2016-10-02
53949HTTPS -> HTTP redirected CSS and JS do not trigger mixed content-2016-10-02
53930Memory corruption on Linux when render Khmer script page-2016-10-02
53912Crash on shutdown in BrowsingInstance::GetSiteInstanceMap-2016-10-02
53892A Cryptographically secure random number generator implementation for V8-2016-10-02
53836wss:// does not validate SSL certs-2016-10-02
53747Use-after-free of renderer when recalcStyle() is called during layout or painting.-2016-10-02
53994save-2016-10-02
53645Function names are exposed to iframes from non-same origin using console API-2016-10-02
53640Merge Webkit Bug 41523 to 472-2016-10-02
53394Geolocation use after free$5002016-10-02
53361Browser crash in improper destruction of select file dialog (mac)$5002016-10-02
53230crash on google.at ajax search-2016-10-02
53176BlockedPopupContainer::GetBlockedContents ReadAV@NULL (882a25e76e991e980ffce6adda7cfcc5)-2016-10-02
53002pop blocker bypass-2016-10-02
53142EXTERNAL-REPORT: Another Windows kernel CFF font parsing bug-2016-10-02
53039Geolocation use after free-2016-10-02
53017MEMORY CORRUPT-2016-10-02
53008Security: can't update flash from about:plugins in chromium-2016-10-02
53068download without user permission-2016-10-02
53001Security: ability to read cross domain image data using toDataURL and getImageData via createPattern$5002016-10-02
52980GOOGLE CHROME MEMORY CORRUPT-2016-10-02
52961Security: user.qzone.qq.com-2016-10-02
52958Trojan can sync with my sync data ???-2016-10-02
53116Security: Chrome can't be downloaded securely.-2016-10-02
52870error-2016-10-02
52782close window with javascript-2016-10-02
52682Sandbox IPC out-of-bounds write in CrossCallParamsEx::CreateFromBuffer$1,0002016-10-02
52587cross_fuzz: CSSRule::parentStyleSheet use after free-2016-10-02
52581HTML5 TreeBuilder ASSERTs on <a><svg><tr><input></a>-2016-10-02
52456Chrome attempts to connect to HTTP://nikkomsgchannel when focus moves to a password field on any page-2016-10-02
52443Google Chrome Focus Handling Use-after-free Vulnerability-2016-10-02
52420MAJOR CHROME SECURITY BUG : Chrome exposes the secrete question and answer for google's gmail password retrial mechanism-2016-10-02
51739Numerous Integer wraps and errant pointers within WebSockets parser-2016-10-02
52413Major Chrome security BUG : Confidential User data accessibility Security Bug :[ Test case of Gmail account registration included]-2016-10-02
52204Regression: Incorrect destruction of "empty anonymous block" in renderblock remove child.$1,0002016-10-02
52067ExtensionsService::IsGalleryDownloadUrl ignores scheme-2016-10-02
51919use after free in console.profile calls.$5002016-10-02
51865Chrome Search Box: Index error-2016-10-02
51846Null deref when socket stream is closed during hostname resolution-2016-10-02
52364Valgrind error in CGPDFDrawingContextDraw() on mac ui tests-2016-10-02
51727autocomplete entries submitted by javascript should not be stored in db (similar to autofill bug 48225)-2016-10-02
51709Fatal assertion failure when getting gdk custom cursor on safari books-2016-10-02
51690Security of accounts-2016-10-02
51680Omnibox url spoofing on pending events in page unload$5002016-10-02
51670Security: WebKit: WebCore::GeolocationService::positionChanged use after free$1,0002016-10-02
51658Add .xbap to dangerous extensions list-2016-10-02
238842Crash in WebCore::Canvas2DLayerBridge::prepareForDraw()-2016-10-02
238837Limit the depth of function calls in GLSL-2016-10-02
239013Two logins may happen at the same time if network goes offline during login-2016-10-02
238041document.cookie denial-of-service-2016-10-02
237800use-after-free on WebCore::MajorGCWrapperVisitor::VisitPersistentHandle-2016-10-02
237562Security: update curl to resolve CVE-2013-1944 and CVE-2013-2174-2016-10-02
237526~URLRequestFtpJob: NULL deref of request_-2016-10-02
237429Heap-use-after-free in WebCore::EventTarget::dispatchEvent-2016-10-02
237611Security: Screen capture via WebGL texture$5002016-10-02
237104Security: CSP doesn't get applied to inline event handlers that were executed once before.-2016-10-02
237022Cross-origin named subframe access leaks cross-origin subframes of the same name$1,5002016-10-02
236845ASSERTION FAILED: node->treeScope() == m_oldScope, Heap-use-after-free in WebCore::Node::~Node-2016-10-02
237263Security: Possible for renderer process to read arbitrary files by tricking session restore-2016-10-02
236846Global-buffer-overflow in WebRtcIsac_UpdateBwEstimate-2016-10-02
236556use-after-free on WebCore::FormController::createSavedFormStateMap-2016-10-02
236631GpuProcessHost: check channel_requests_.empty()-2016-10-02
236147Heap-use-after-free in printing::PrepareFrameAndViewForPrint::PrepareFrameAndViewForPrint-2016-10-02
236269ASSERTION FAILED: !m_deletionHasBegun, UNKNOWN in WebCore::DeviceOrientationEvent::~DeviceOrientationEvent-2016-10-02
236630Security: chronos-writable /var/run/chrome on Chrome OS subject to symlink tricks and other mal manipulations-2016-10-02
236245Heap-use-after-free in WebCore::FrameView::updateWidget-2016-10-02
235638ASSERTION FAILED: m_table, Heap-use-after-free in WTF::HashTable<WebCore::SVGElement const*, WTF::KeyValuePair<WebCore::SVGElement const*, WebCore::SV$1,0002016-10-02
235733Heap-use-after-free in WebCore::AudioNodeOutput::~AudioNodeOutput$1,0002016-10-02
236139ASSERTION FAILED: node->treeScope() == m_oldScope, Heap-use-after-free in void WebCore::Private::addChildNodesToDeletionQueue<WebCore::Node, WebCore::ContainerNode>$1,0002016-10-02
235311[LangFuzz] Crash on heap with invalid read on dangerous (possibly uninitialized) address (64 bit)$5002016-10-02
235732Heap-buffer-overflow in SkA1_Blitter::blitH-2016-10-02
235271Security: Isolated Filesystem API does not fully check for references to parent in pathname-2016-10-02
234689Possible XSS vector in New Tab Page-2016-10-02
234809URL spoof or renderer kill when committing prerendered/instant page with a pending entry-2016-10-02
234937Security: the GPU sandbox is not enabled in guest mode on Chrome OS.-2016-10-02
235161HostResolver can be caused to pass empty DNS components to DnsQuery-2016-10-02
234635UNKNOWN in cssyyparse-2016-10-02
234724Chrome Extension API bindings: Definition should not depend on any user/extension mutable prototype objects-2016-10-02
234491Heap-use-after-free in content::NavigationControllerImpl::RendererDidNavigateToExistingPage-2016-10-02
233261Heap-use-after-free in content::NotificationServiceImpl::Notify-2016-10-02
233848ASSERTION FAILED: run.charactersLength() >= run.length(), Heap-buffer-overflow in WebCore::Font::characterRangeCodePath$5002016-10-02
234190Heap-use-after-free in SkAlphaRuns::add-2016-10-02
234198ASSERTION FAILED: value->isValueList(), UNKNOWN in WebCore::createGridPosition-2016-10-02
232865Potential use after free in ApplyStyleCommand::splitAncestorsWithUnicodeBidi-2016-10-02
232743use-after-free on WebCore::DOMWrapperMap<void>::removeAndDispose-2016-10-02
232633use-after-free on net::SSLClientSocketNSS::Core::OnSendComplete-2016-10-02
232763use-after-free on WebCore::JPEGImageReader::decode-2016-10-02
232475use-after-free on AutofillPopupControllerImpl::Hide-2016-10-02
232393Heap-buffer-overflow in WebCore::CSSPrimitiveValue::cleanup-2016-10-02
232389ASSERTION FAILED: !object || object->isRenderInline(), UNKNOWN in WebCore::RenderTextTrackCue::initializeLayoutParameters-2016-10-02
232064Heap-use-after-free in WebCore::MediaStreamTrack::stop-2016-10-02
232625use-after-free on InstantController::ReloadOverlayIfStale-2016-10-02
232570use-after-free on content::RendererAccessibilityFocusOnly::HandleFocusedNodeChanged-2016-10-02
232532use-after-free on IPC::ChannelProxy::Context::OnChannelError-2016-10-02
232519use-after-free on ProfileKeyedServiceFactory::ProfileDestroyed-2016-10-02
231688Security: Chrome's IntentHandler relies on weak authentication-2016-10-02
231128UNKNOWN in cricket::VideoFrame::Validate-2016-10-02
231127Heap-buffer-overflow in WebCore::(anonymous namespace)::fixUnparsedProperties<unsigned char>(unsigned char const*, WebCore::CSSRuleSourceData*)-2016-10-02
51525Found a bug in the playback of media files via Google Chrome-2016-10-02
51511Crash in accessibility code on Windows when opening the wrench menu.-2016-10-02
51653Memory corruption in Counter Nodes.$5002016-10-02
51602Investigate rte_fuzz crashes-2016-10-02
51630Memory corruption in WebSocketChannel::skipBuffer() - underflow in buffer size$1,3372016-10-02
51654Memory corruption with moving ruby text nodes to runs without ruby bases.$1,0002016-10-02
51146Plain-text information leak of https://user:password due to autosuggest-2016-10-02
51070Another Windows kernel bug in the CFF font parser$1,3372016-10-02
51240Type confusion bug between LargeObjectChunk header and Page header-2016-10-02
51464Chromium use ActiveX Flash (not the NPAPI one) with potential WinINET cookie leak-2016-10-02
51476Memory corruption in tree builder-2016-10-02
51252Use after free with nested use elements$5002016-10-02
50920breakdown while alt+z clicked in win7-2016-10-02
50647Page with tables crashes the browser-2016-10-02
50553Crash when closing chrome - BalloonViewImpl::DelayedClose$1,3372016-10-02
50530Google Relay Service for the Deaf and Hard of Hearings.-2016-10-02
50428Browser crash @ TabContents::ExpireInfoBars-2016-10-02
50839Security: WebKit 43295 - cross_fuzz notification requestPermission memory corruption-2016-10-02
50741ChromeFrame allows navigation to "gcf:" urls-2016-10-02
50712Use after free with SVG use referencing svg style element$1,0002016-10-02
50377User gesture leaks from prompt (was: infinite prompts)-2016-10-02
50253Elide long omnibox entries on Mac.-2016-10-02
50250Use after free in document.close()$5002016-10-02
50110Downloading a file adds extension to the extension already in filename-2016-10-02
50409Zoom bug-2016-10-02
50383Glibc bug in getaddrinfo() may be exposed-2016-10-02
50315Code prevents the closing of tab/browser window.-2016-10-02
49932Failure on page load-2016-10-02
49747GTK message dialogs do not properly wrap overly long words or elide many short lines in js modal dialog-2016-10-02
49745Regression: Pop up blocker not working as expected-2016-10-02
49729Use after free in scroll bar layout-2016-10-02
49628Memory corruption with invalid text node cast for edit commands$5002016-10-02
49964Security: window.history.replaceState fails to enforce domain security$1,0002016-10-02
49910Compatibility error with power strip-2016-10-02
50029Security: showModalDialog() bypasses the usual anti-annoyance checks-2016-10-02
49982Proxy Config Fail - Security fail-2016-10-02
49332Autofill can hang the entire browser (DOS) because of stuck on IO Thread processing infinite data-2016-10-02
49318Merge webkit bug https://bugs.webkit.org/show_bug.cgi?id=39143-2016-10-02
49317Merge webkit bug https://bugs.webkit.org/show_bug.cgi?id=40407-2016-10-02
49222StringImpl::replace integer overflow-2016-10-02
49215Signed/Unsigned Comparison issue in MemoryAllocator::AllocateRawMemory-2016-10-02
49596Security issue in SVGUseElement::buildShadowTree$5002016-10-02
49377X509Certificate::Cache usage pattern may result in use after free-2016-10-02
49346Sync allows an attacker who compromises Google credentials to push extensions to a user's browser-2016-10-02
49166kdsfgmkladsfjljdf-2016-10-02
49188ChromeFrame window.open("javascript:window.open('http://example.com/');"); => NULL ptr crash-2016-10-02
48857Render crash in FormManager::FindCachedFormElement()-2016-10-02
49177Extension updates don't identify privilege increases when scheme changes-2016-10-02
49172AutoFill causes browser crash when saving large profiles-2016-10-02
49047Open a share-point site will cause the browser to crash-2016-10-02
48499Should autofill credit card information over an https page only-2016-10-02
48330Security: WebSocket: Integer underflow in header length calculation triggers browser DoS-2016-10-02
48288Crash site-2016-10-02
48597Incorrect eliding (windows), truncation(linux) for hostname in security information dialog-2016-10-02
48733Crash in third_party xdg_mime library when unable to handle long file paths$1,3372016-10-02
48440Localhost XSS-2016-10-02
48282LegacyHTMLTreeBuilder fires DOM mutation events-2016-10-02
48233Steal any autofill field using javascript while user is hovering over one of the selection.-2016-10-02
247038Heap-use-after-free in WebCore::V8HTMLFormControlsCollection::indexedPropertyGetter-2016-10-02
246724Security: Ensure that all request types use pinning-2016-10-02
48284<use> on <font-face> causes crashes, if SVGUseElement gets detached$5002016-10-02
246635Heap-buffer-overflow in WebCore::HTMLMapElement::imageElement-2016-10-02
246240ResourceHostMsg_DataReceived_ACK: heap corruption-2016-10-02
246205ASSERTION FAILED: obj->isRenderInline() || obj == this, UNKNOWN in WebCore::RenderBlock::createLineBoxes-2016-10-02
246203Heap-use-after-free in WebCore::V8GCController::opaqueRootForGC-2016-10-02
48283EXTERNAL-REPORT: Windows kernel crash on invalid font$1,3372016-10-02
246701UNKNOWN in WebCore::DownSampler::process-2016-10-02
245727Heap-use-after-free in WebCore::ShapeOutsideInfo::isEnabledFor-2016-10-02
245153PDF: OOB read in JPEG2000 image handling-2016-10-02
245941Heap-use-after-free in base::internal::CallbackBase::Reset-2016-10-02
245368Infobar Google Update plugin by default-2016-10-02
244415SpeechRecognizerImpl UaF-2016-10-02
244260Security: TLS Truncation attack on HTTP headers, including cookie flags$3,1332016-10-02
244056Heap-use-after-free in WebCore::RenderTextFragment::willBeDestroyed-2016-10-02
244036ASSERTION FAILED: node->parentNode(), Heap-use-after-free in WebCore::RenderBox::exclusionShapeOutsideInfo$1,0002016-10-02
244021Heap-use-after-free in WebCore::StyleResolver::loadPendingImages-2016-10-02
243991Heap-use-after-free in WebCore::InputType::stepUpFromRenderer$1,0002016-10-02
243881ASSERTION FAILED: actualInfo->derefObjectFunction == V8HTMLSpanElement::info.derefObjectFunction, UNKNOWN in WebCore::wrap-2016-10-02
245121Security: Cloud-printing Robot-Account storage in Local State lacks integrity, permits redirection to evil printers-2016-10-02
244746UrlRequestContext can be deleted while a live SocketStream has a pointer to it (vtable UAF)$3,1332016-10-02
244080UNKNOWN in v8::internal::Object::GetProperty-2016-10-02
243339Security: CheckDuplicateHandle (BreakDebugger) browser crash with (Web) Workers and WebSQL$2,0002016-10-02
242931ASSERTION FAILED: !value || value->isPrimitiveValue(), UNKNOWN in WebCore::StylePropertySerializer::getLayeredShorthandValue-2016-10-02
242924[LangFuzz] Crash at v8::internal::HeapObject::Size() on 64 bit with invalid read$1,0002016-10-02
242819Security: Registering on Gerrit with Any Email [Auth Problem]-2016-10-02
242786Heap-double-free in av_destruct_packet-2016-10-02
243512base/time_posix executes signed overflow with 64-bit time_t-2016-10-02
243875ResourceHostMsg_RequestResource: validate request_data.priority enum-2016-10-02
243818Heap-use-after-free in WebCore::StyledElement::ensureMutableInlineStyle$1,0002016-10-02
243045ASSERTION FAILED: !m_deletionHasBegun, Heap-use-after-free in WebCore::GenericEventQueue::enqueueEvent-2016-10-02
242322Escalate access to browser internals$5002016-10-02
242224Heap-use-after-free in WebCore::BaseMultipleFieldsDateAndTimeInputType::~BaseMultipleFieldsDateAndTimeInputType$1,0002016-10-02
242114Heap-use-after-free in WebCore::Range::compareBoundaryPoints-2016-10-02
242762Security: Use-after-free in net::SocketStream::Finish$3,1332016-10-02
242702NSS is unable to open /dev/urandom on OS X, resulting in insufficient entropy for renderers-2016-10-02
242502UNKNOWN in v8::internal::TypeFeedbackOracle::CanRetainOtherContext-2016-10-02
240984Security: Merge http://trac.webkit.org/changeset/150072-2016-10-02
240961Zero-sized textures must be considered incomplete-2016-10-02
240706Security: perf_swevent_init does not check negative argument-2016-10-02
242023ASSERTION FAILED: !value || value->isPrimitiveValue(), UNKNOWN in WebCore::StylePropertySerializer::getLayeredShorthandValue-2016-10-02
241607`git cl upload` can add patches to other peoples' issues-2016-10-02
241139Heap-use-after-free in webkit_glue::WebURLLoaderImpl::Context::OnReceivedResponse$1,0002016-10-02
240124Heap-use-after-free in WebCore::ImageInputType::attach$1,0002016-10-02
240056UNKNOWN in int v8::internal::FlexibleBodyVisitor<v8::internal::NewSpaceScavenger, v8::internal::JSObject::BodyD-2016-10-02
240139Security: gerrit.chromium.org is running an outdated version of OpenId4Java-2016-10-02
240057Heap-use-after-free in WebCore::accumulateDocumentEventTargetRects-2016-10-02
240449Crash in base::DeleteHelper<safe_browsing::DownloadProtectionService::CheckClientDownloadRequest>::DoDelete(void const *)-2016-10-02
240490Security: Set HSTS preloads for translate.google[apis].com-2016-10-02
240055ASSERTION FAILED: !value || value->isPrimitiveValue(), UNKNOWN in WebCore::StylePropertySerializer::getLayeredShorthandValue-2016-10-02
239699Instant Extended on mobile platforms allows sboxchip spoofing-2016-10-02
239580Heap-use-after-free in net::SniffMimeType-2016-10-02
240054ASSERTION FAILED: m_requestCount == 0, Heap-use-after-free in WebCore::CachedResourceLoader::decrementRequestCount-2016-10-02
240032Security: chrome_70ee0000!v8::internal::ScavengingVisitor<1,1>::EvacuateShortcutCandidate crash$5002016-10-02
239897Tab crashes when changing <audio> element source when used with Web Audio API$5002016-10-02
239411ANGLE: check negative vector/matrix/array index-2016-10-02
239134PDF: bad free in JBIG2 PDF decoder-2016-10-02
48115REGRESSION: Memory corruption in open source JPEG decoder (r61619)$5002016-10-02
48167Security: CRITICAL EXECUTABLE MISSING FUNCTION FLAW-2016-10-02
48043dadasdadasdas-2016-10-02
48225Autofill profile (address, perfsonal info) spam without any need of user interaction-2016-10-02
48093Chromoting enabled by default in Chromium-2016-10-02
47105Renderer crash for a multipart page-2016-10-02
47866Memory corruption with crash in RenderObject::containingBlock()$5002016-10-02
47253ref_fuzz crash 2-2016-10-02
47252ref_fuzz crash-2016-10-02
47160possblie access file: chrome:-2016-10-02
47395Security: Modification over GUI-2016-10-02
47086Memory corruption with DOM mutation on onchange event firing for select object-2016-10-02
47056Browser crash after AppModalDialogQueue::ShowNextDialog-2016-10-02
47915ZDI-CAN-806: Apple Safari's Webkit Runin Use-after-free Vulnerability-2016-10-02
47938error tags html-2016-10-02
47515Security: Reproducable and Controllable Memory Leak in about:memory page-2016-10-02
46750Browser crash in WebSocket creation-2016-10-02
46575DoS by opening unlimited number of print dialogs-2016-10-02
46516Need to sync extension permissions-2016-10-02
46509error when downloading-2016-10-02
46452::-webkit-scrollbar causes "Aw Snap" when combined with certain JavaScripts-2016-10-02
46401Google Chrome does not prompt for user permission before using HTML5's offline features-2016-10-02
46360Memory corruption in :first-letter rendering$5002016-10-02
46792Security Vulnerability in Chrome 5.0.375.70-2016-10-02
46788help me!-2016-10-02
46008Wrapping shared memory allocation in X backing store-2016-10-02
46018Crash - BalloonViewImpl::DelayedClose-2016-10-02
45923Browser not checking site's domain on password type inputs-2016-10-02
45876Web pages should NOT be able to load resources if there are NO content scripts from that extension on the page-2016-10-02
45799possible privilege escalation via named pipes (NaCL)-2016-10-02
45683jjjjj-2016-10-02
46126crash with processing invalid x509-user-cert responses.$5002016-10-02
45983Segmentation fault in WebCore::RenderLayer::paintList when a malformed PNG image is viewed$1,0002016-10-02
45614ZDI-CAN-782: Apple Webkit SVG First-Letter Style Remote Code Execution Vulnerability-2016-10-02
45615ZDI-CAN-785: Apple Webkit SVG Floating Text Element Remote Code Execution Vulnerability-2016-10-02
45524crash-2016-10-02
45506User ID Issue-2016-10-02
45494Function names are exposed to iframes from non-same origin using console API-2016-10-02
45412Trojan Horse exploit_c.FWR-2016-10-02
45267ViewHostMsg_UpdateVideo memory corruption-2016-10-02
45164Crash with invalid images.-2016-10-02
45659Stale pointer in SVGResourceFilter-2016-10-02
45609ZDI-CAN-784: Apple Webkit Rendering Counter Remote Code Execution Vulnerability-2016-10-02
44955Need to merge WebCore::toAlphabetic() crash to 375 branch.-2016-10-02
44868Geolocation events fire after document deletion-2016-10-02
448351337 on goggle search-2016-10-02
44796Please disallow "javascript:" URLs in the address bar-2016-10-02
45033Issue with frames[].location-2016-10-02
44742a bug of the scrollbar in iframe-2016-10-02
44740Need to merge fix for WebKit font issue to 375 branch-2016-10-02
44658Security: Insecure behavior in /tmp by Keystone on Mac OS X$5002016-10-02
44759sad tab with little script-2016-10-02
44556Security: WebKit: WebCore::RenderInline::destroy ExecAV@Arbitrary (b1c9c3c46df454874e36c9f86b2418fa)-2016-10-02
44424security:chrome_1c30000!WebCore::InlineBox::paint+0x70$5002016-10-02
44193Security: Chrome saves plaintext passwords even when "save passwords" is disabled-2016-10-02
43967REGRESSION: Currently loading subresource displayed in omnibox-2016-10-02
43902innerHTML decompilation issues in textarea-2016-10-02
43846Null deref during image drag, crash in drag selection controller.-2016-10-02
43813chrome_1c30000!SkAlphaRuns::Break+0x13 - Memory Corruption$5002016-10-02
44500Invalid read handling malformed SVG <use> element-2016-10-02
43487ZDI-CAN-765: CSS Charset Text Transformation Vulnerability-2016-10-02
43446Kapersky Vulnerablity-2016-10-02
43315[MD audit] Stale pointer error when normalizing DOM nodes-2016-10-02
43307[MD audit] Possible memory corruption with bad bitmap shared memory object in clipboard IPC-2016-10-02
43304[MD audit] Linux sandbox escape-2016-10-02
42989Mac sandbox allows calls to stat() on arbitrary paths.-2016-10-02
43488ZDI-CAN-766: SVG ForeignObject Rendering Layout Vulnerability-2016-10-02
43322[MD audit] Problems with video messages and sizes-2016-10-02
257892Security: local user can crash a system service daemon, causing DOS-2016-10-02
257852FileUtilitiesMessageFilter::OnOpenFile insufficient permission checks-2016-10-02
257357Heap-use-after-free in WebCore::CSSFontFace::setLoadState-2016-10-02
257353Heap-use-after-free in WebCore::BaseMultipleFieldsDateAndTimeInputType::destroyShadowSubtree-2016-10-02
257748Security: Origin bypass by writing window.frames[i]$5002016-10-02
257875UNKNOWN in _getKeywords-2016-10-02
257363Security: ANGLE libGLESv2 Integer Overflow$1,3372016-10-02
256724Remove the RELOAD exception for validating 1993 search chains-2016-10-02
257347ASSERTION FAILED: !value || value->isPrimitiveValue(), UNKNOWN in WebCore::StylePropertySerializer::getLayeredShorthandValue-2016-10-02
257348ASSERTION FAILED: !m_hasAXObject, Heap-use-after-free in WebCore::AccessibilityRenderObject::remoteSVGRootElement-2016-10-02
256531Issues with HSTS / HPKP state tracking-2016-10-02
257262Security: UAF in content::WebContentsObserver::web_contents()-2016-10-02
256288Security:Quota Management API's bug-2016-10-02
255934ASSERTION FAILED: width == frameRect.width(), UNKNOWN in WebCore::WEBPImageDecoder::applyPostProcessing-2016-10-02
256013Heap-use-after-free in WebCore::StyleResolver::loadPendingImages-2016-10-02
255931Heap-use-after-free in qcms_profile_from_memory-2016-10-02
255524Heap-use-after-free in content::RenderProcessHostImpl::ProcessDied-2016-10-02
256020Pasting a URL into the infobar, then hitting enter does not cause a scroll to the left-2016-10-02
256057going into fullscreen can be performed without even being in the foreground-2016-10-02
256280Security: Linux kernel perf interface allows tracing of setuid processes-2016-10-02
255932Heap-use-after-free in WTF::KeyValuePair<WTF::StringImpl*, WTF::RefPtr<WebCore::KeyframeAnimation> >* WTF::HashTable<WTF::S-2016-10-02
255523Security: X client library bugs allow malicious X servers to attack clients-2016-10-02
254728Heap-use-after-free in WebCore::AudioBufferSourceNode::renderFromBuffer-2016-10-02
254460Heap-buffer-overflow in url_parse::ExtractFileName-2016-10-02
254159Security: Chrome shared memory file can be world readable and lacks security checks when opening existing mappings.$5002016-10-02
253550ASSERTION FAILED: isMainThread(), Heap-use-after-free in WebCore::WaveShaperDSPKernel::lazyInitializeOversampling$5002016-10-02
253481Security: Insecure page shown as secure (insecure inlines and named anchors)-2016-10-02
255165Heap-use-after-free in content::WebPluginProxy::Paint-2016-10-02
254928Heap-use-after-free in net::HostResolverImpl::Job::OnDnsTaskFailure-2016-10-02
254783Heap-use-after-free in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers$1,0002016-10-02
252712Security: Use-after-free in RadioInputType::handleKeydownEvent-2016-10-02
252216Security: spawn multiple windows in response to a single user interaction-2016-10-02
252062Security: an attacker can sign-in a victim to his own account.-2016-10-02
252034Security: NPAPI extension can be synced-2016-10-02
252848SpeechRecognitionManagerImpl::SessionStart: vector::front() on an empty vector.-2016-10-02
252888Security: <input type="file" directory> can trick user into uploading their entire Download/Desktop folder.$1,0002016-10-02
250003Use-after-free by navigating out a document during form validation message is shown-2016-10-02
249854MediaStreamHostMsg_GenerateStream: validate audio_type / video_type enums-2016-10-02
249640Heap-use-after-free in WebCore::Node::setNeedsStyleRecalc-2016-10-02
252010Chromium sync session fixation + code execution$21,5002016-10-02
249335Flash settings menu vulnerable to clickjacking-2016-10-02
251711Security: SVG Filter Timing Attack-2016-10-02
249502Security: (Shared) (WebSQL) Worker races cause invalid pointers in DatabaseObserver::databaseClosed and DatabaseObserver::reportOpenDatabaseResult$1,0002016-10-02
249199Heap-use-after-free in WebCore::ApplyStyleCommand::removeInlineStyle-2016-10-02
248960Heap-use-after-free in gfx::RenderTextWin::GetGlyphBounds-2016-10-02
248950Heap-use-after-free in WebCore::Document::dispose-2016-10-02
248843Heap-use-after-free in WebCore::StyleResolver::loadPendingImages-2016-10-02
248840Heap-use-after-free in WebCore::RenderBlock::willBeDestroyed-2016-10-02
249246Security: Open in incognito window doesn't work in panel.-2016-10-02
249064IndexedDBHostMsg_DatabaseGet: validate params.object_store_id-2016-10-02
247964Stack-buffer-overflow in cricket::ToString-2016-10-02
248023ASSERTION FAILED: m_path, UNKNOWN in SkPath::isEmpty-2016-10-02
42980Sandboxed iframes should not autocomplete/autofill unless allow-same-origin set-2016-10-02
42765top.close() is allowed on iframe@sandbox when allow-same-origin is not set-2016-10-02
42723Table layout crash bug from wushi$5002016-10-02
42578Navigation bar problem-2016-10-02
42575sessionStorage is shared on iframe@sandbox-2016-10-02
42574Sandboxed iframes should not allow navigation to history forward,back without allow-top-navigation set.-2016-10-02
42538segfault in net::X509Certificate::Verify [Linux]-2016-10-02
42396Security: WebKit: WebCore::WebGLUnsignedIntArrayInternal::getCallback ReadAV@Arbitrary (deef89ee3d0345edebeaf13cf974c47c)-2016-10-02
42391Chromium exposes file paths when dropping files-2016-10-02
42356User scripts can access chrome:// URLs-2016-10-02
42755Merge fix for WebKit CSS hover security bug to 375-2016-10-02
42736Memory corruption (read random system memory) or crash$5002016-10-02
42300Memory corruption / corrupt function pointer usage with bad AAC SBR-2016-10-02
42294WebCore::FontFallbackList::determinePitch memory corruption (0b4c05aab686a31bc4954a5bd6bae27b)$5002016-10-02
41878Problems opening web pages-2016-10-02
41778"Go To" right click context menu option can open arbitary urls like chrome:// file:// etc.-2016-10-02
41654Security: Permanent Clipboard Hijack-2016-10-02
41469Drag and drop bad reference counting leads to re-use of freed memory: WebCore..String..length ReadAV@Arbitrary (394bb1a56acd66a43221b2a08fa5b25a)-2016-10-02
42306Possible num_patches array indexing errors in AAC SBR-2016-10-02
42228Security: a malicious page may gain access to context of an extension's content script-2016-10-02
41334Security: Selecting a address label in an address form field ALSO fills the default credit card-2016-10-02
41330Security: Label Name truncation with long field values leading to autofill data theft-2016-10-02
41265Security: Clicking an address form field shows credit card labels and can fill credit card fields.-2016-10-02
40801OOB Array Indexing Bug-2016-10-02
41428MALWARE-2016-10-02
41427Security: Autofill does not store sensitive data like cc info as encrypted on disk, should mimic password manager-2016-10-02
40628WebKit: WebCore::PageGroupLoadDeferrer::PageGroupLoadDeferrer ReadAV@NULL (7a3291a05aead0cc3a4bc8a6b440d145)-2016-10-02
40605Redirecting to a data URI without a / in the data section crashes the entire browser-2016-10-02
40575An HTTP page loaded quickly after NTP can gain DOMUI bindings privilege-2016-10-02
40487<video> inside <foreignObject> inside <svg> inside <img> --> crash-2016-10-02
40445Cross Origin Bypass using iframe & " " on JAVASCRIPT URI$1,0002016-10-02
40219Security: logged into google account but got gmail account-2016-10-02
40173Termination bugs in GpuProcessHost-2016-10-02
40147Security: XSS issue in the FTP parser-2016-10-02
40635Security: v8: WebKitPoint() memory corruption$5002016-10-02
40137Security: XSS in net-internals-2016-10-02
39985Cross-origin bypass: Javascript URL can be set in iframe.src via numerous DOM aliases (via Node and NamedNodeMap)$1,0002016-10-02
40138Security: XSS in chrome://downloads-2016-10-02
39861Cross-origin image theft via SVGs as a canvas pattern-2016-10-02
40136Security: Path Traversal in Devtools-2016-10-02
39698Security: Synchronous preflight XHR allows arbitrary XSRF-2016-10-02
39660Need to merge fix for CSSPrimitiveValue::setFloatValue() type confusion error-2016-10-02
39443crash with form tag$5002016-10-02
39303icudt42.dll does not support ASLR(on Win7/Vista)-2016-10-02
39277Browser GDI crash with excessive downloads.-2016-10-02
38937show bug-2016-10-02
38920extensions can circumvent access restrictions by over-writing chromeHidden.event.dispatchJSON-2016-10-02
38890"AutoFill Profiles"-feature information disclosure issue-2016-10-02
39740Plugins are not always blocked by content settings-2016-10-02
39639url redirect-2016-10-02
38650Chrome downladed XP Defender Pro java based virus from a website-2016-10-02
38512libpng < (1.4.1|1.2.43) suffer DoS issues (CVE-2010-0205)-2016-10-02
38310Security: *.kaiserpermanente.org sites report SSL Error (certificate failures), only on Linux-2016-10-02
38749HTTPS-2016-10-02
38845Out of bounds array read in FTP network transaction-2016-10-02
38550Mac: Don't send client cert before verifying received server cert-2016-10-02
38238Reproducible renderer crash on javascript-2016-10-02
266922Security: Address bar spoofing possible after navigating to an unhandled protocol-2016-10-02
266364Heap-use-after-free in WebCore::DocumentLoader::handleSubstituteDataLoadNow-2016-10-02
266346Widevine CDM is running with excessive permissions-2016-10-02
265930V8 SMI-only array optimizations misbehave with arrays created using the Array constructor of a different document-2016-10-02
265894UNKNOWN in v8::internal::JSObject::SetPropertyForResult-2016-10-02
265838Heap-use-after-free in WebCore::RenderBlock::determineStartPosition$2,0002016-10-02
266729strongswan denial-of-service vulnerability (CVE-2013-5018)-2016-10-02
266593ASSERTION FAILED: !element || element->hasTagName(summaryTag), UNKNOWN in WebCore::DetailsMarkerControl::summaryElement-2016-10-02
265221Security: URL spoof with http status 204$5002016-10-02
264988Chrome webrtc crashes if i try to remove remote video track in peer connection.-2016-10-02
264607SyzyASAN: Heap-use-after-free in GrTextureAccess::reset-2016-10-02
264574ASSERTION FAILED: !renderer->needsLayout(), Heap-use-after-free in WebCore::RenderBlock::LineBreaker::nextSegmentBreak-2016-10-02
265731Security: mach_override_ptr maps rwx pages at fixed address and leaves PROT_WRITE on text pages-2016-10-02
265493use-after-free on content::GpuVideoDecodeAcceleratorHost::OnErrorNotification-2016-10-02
264211ASSERTION FAILED: run.charactersLength() >= run.length(), Heap-buffer-overflow in WebCore::Font::characterRangeCodePath-2016-10-02
263811UNKNOWN in v8::internal::Heap::AllocateJSObject-2016-10-02
263878Security: kernel CVE-2013-4125 fib6_add_rt2node-2016-10-02
264212Heap-use-after-free in WebCore::Node::setCustomElementState-2016-10-02
263810ASSERTION FAILED: !object || object->isRenderBlock(), UNKNOWN in WebCore::RenderBox::containingBlockLogicalHeightForPositioned-2016-10-02
264504Heap-use-after-free in WebCore::RenderObjectChildList::destroyLeftoverChildren$2,0002016-10-02
263923Heap-use-after-free in WebCore::Scrollbar::invalidateRect-2016-10-02
263214Security: SSLPolicy isn't checking the error associated with a saved exception-2016-10-02
263178Heap-use-after-free in content::IndexedDBDatabase::DeleteDatabase-2016-10-02
262653Heap-use-after-free in WebCore::RootInlineBox::closestLeafChildForPoint$1,0002016-10-02
263386ASSERTION FAILED: !node || node->isShadowRoot(), UNKNOWN in WebCore::EventRetargeter::eventTargetRespectingTargetRules-2016-10-02
263255Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine-2016-10-02
262531Heap-buffer-overflow in FindSortableTop-2016-10-02
262177Heap-use-after-free in WebCore::InlineFlowBox::deleteLine-2016-10-02
261898Heap-buffer-overflow in autofill::AutofillPopupControllerImpl::UpdateDataListValues$1,0002016-10-02
262606use-after-free - speech API and window.close() ::SpeechRecognitionBubbleView::GetAnchorRect+0x23$1,0002016-10-02
261891Heap-use-after-free in WebCore::RenderFlexibleBox::firstLineBoxBaseline-2016-10-02
261836Heap-use-after-free in WebCore::Document::detach$3,0002016-10-02
261609Heap-use-after-free in WebCore::IdTargetObserverRegistry::removeObserver-2016-10-02
261454Heap-use-after-free in sk_atomic_inc-2016-10-02
261711Security: Upgrade to openssl 1.0.1e (or later)-2016-10-02
260667Security: Content process crash on (new Window.prototype.__proto__.constructor).toString();-2016-10-02
260428Heap-use-after-free in WebCore::TimerBase::start$1,0002016-10-02
260165Heap-use-after-free in WebCore::MutationObserverRegistration::~MutationObserverRegistration$1,0002016-10-02
260156Heap-use-after-free in content::WebMediaPlayerImpl::paint$1,0002016-10-02
260138Heap-use-after-free in WebCore::ElementShadow::removeAllShadowRoots-2016-10-02
260110Heap-use-after-free in WebCore::copyKeysToReferencingVector$1,0002016-10-02
260106Security: SEGV on unknown address with javascript url and __proto__$1,0002016-10-02
260105Heap-use-after-free in xsltApplySequenceConstructor$1,0002016-10-02
261171Heap-use-after-free in WebCore::RenderObjectChildList::destroyLeftoverChildren-2016-10-02
260375Heap-buffer-overflow in WebCore::Element::recalcStyle$1,0002016-10-02
259859Heap-use-after-free in content::RenderViewHostManager::ShutdownRenderViewHostsInSiteInstance-2016-10-02
259669Security: Drag-drop an image to the desktop: adds executable file to the desktop-2016-10-02
259389Heap-buffer-overflow in WebCore::parseDimension-2016-10-02
259366Security: JSON.stringify does not do cross context check.-2016-10-02
258771Lax permissions on the password database-2016-10-02
258723Security: JPEG info leak-2016-10-02
260087Heap-use-after-free in WebCore::IdTargetObserverRegistry::removeObserver-2016-10-02
259951Heap-use-after-free in WebCore::RenderStyle::fontDescription-2016-10-02
258419Heap-use-after-free in WebCore::CachedResource::cancelTimerFired-2016-10-02
38066Exploit.IFrame.Gen-2016-10-02
37876Issue when having saved password and favourite in the favourites bar-2016-10-02
38194bypass the popblock-2016-10-02
37841chrome.exe is corrupted-2016-10-02
37840chrome.exe is corrupted-2016-10-02
37826Need to merge fix for https://bugs.webkit.org/show_bug.cgi?id=35621 / ZDI-CAN-688-2016-10-02
37657Will not block all cookies when you select block all cookies-2016-10-02
37479Merge http://trac.webkit.org/changeset/53442-2016-10-02
37447Google Chrome OCX Automatic Download-2016-10-02
37383javascript: url with a leading NULL byte can bypass cross origin protection.$1,0002016-10-02
37362Security: Ogg Vorbis: Random crashes when playing .ogg-2016-10-02
37310Crash in media::FFmpegDemuxer::~FFmpegDemuxer()-2016-10-02
37201Omnibox visual spoofing with Japanese Maru-2016-10-02
37827Need to merge fix for https://bugs.webkit.org/show_bug.cgi?id=35598 / ZDI-CAN-704-2016-10-02
37190Security: WebSocket: WebCore::String::isEmpty ReadAV@Arbitrary-2016-10-02
37184Security: ff_vorbis_floor1_render_list ReadAV@Arbitrary (multiple stacks)-2016-10-02
37176Security bugs for $500 each.-2016-10-02
37061WebCore::SVGUseElement::updateContainerOffsets ExecAV@Arbitrary (1dc75f12fe3750aa1828ea20506a5d54)$5002016-10-02
37007Bypass unsafe file types dialog using extra dots at end of file name.-2016-10-02
36976WebCore::SVGAnimationElement::calculatePercentFromKeyPoints ReadAV@NULL (00939658970e30ddcc2953e88ebb851d)-2016-10-02
36774The 1 second timeout on safebrowsing get hash might be exploitable-2016-10-02
36772Security: HTTP AUTH dialog spoofing using long subdomains (Windows Only)-2016-10-02
36770HTTPS server can cause us to bypass certificate checking with NSS.-2016-10-02
36715Phishing site seems to be able to bypass Chrome's phish warning page-2016-10-02
36553Information Disclosure in "Web Data"-2016-10-02
36277Passwords may be easily seen.-2016-10-02
35994Security Issue Firefox 3.0.17 & Skype Add-on & Google Gmail-2016-10-02
35979Security: Opening a malformed XML file causes a segmentation fault in xmlParseGetLasts.-2016-10-02
35943[MD audit] HandleGetShaderSource Integer Underflow-2016-10-02
35942[MD audit] DrawElements Signed Integer Vulnerability-2016-10-02
35941[MD audit] GenGLObjects Buffer Overflow-2016-10-02
35938[MD audit] DeleteGLObjects Buffer Overflow-2016-10-02
35937[MD audit] GPU Signed Relatie Call Vulnerability-2016-10-02
35934[MD audit] GPU Signed Relative Jump Vulnerability-2016-10-02
35932[MD audit] GPU Signed Jump Vulnerability-2016-10-02
35931[MD audit] Command Buffer Service Integer Overflow-2016-10-02
35732Security: Renderer segfault when a malformed png file is loaded.$5002016-10-02
35649embed bug-2016-10-02
35408Pls Help Google Chrome Bug-2016-10-02
35936[MD audit] GPU Signed Call Vulnerability-2016-10-02
35168Crash when clicking long URL with unknown scheme-2016-10-02
35079Stale pointer in WebKit with captions-2016-10-02
34834SSL error reported in Chrome v.4.0.249.78 (36714); OK on Firefox v.3.5.7 and I.E. v.8.0.6001.18702-2016-10-02
35366[MD audit] DOM tree node reference errors when manipulating DOM tree inside certain callbacks-2016-10-02
34978WebCore::Document::recalcStyleSelector+0x7c$5002016-10-02
34765error in google mail on chrome-2016-10-02
34800Security bug found in 4.0.249.78-2016-10-02
34710[MD audit] out-of-bounds array access in worker_process_host.cc-2016-10-02
34566Security: WebCore::FEMorphology::apply memmove ReadAV@NULL (ec3ed2d76f7904e1c4df8ea3b1dd07e6)-2016-10-02
34498Navigating to a cached page can result in accessing a destroyed HTMLInputElement [CVE-2010-0052]-2016-10-02
34495Crash in XMLTokenizer::popCurrentNode if window.close() is called during parsing [CVE-2010-0048]-2016-10-02
34414Regression:m7: Chrome Popup Blocker ByPass-2016-10-02
34760I/O errors-2016-10-02
34782Browser hangs-2016-10-02
34721Long string in alert() 100% CPU DoS-2016-10-02
278912Heap-buffer-overflow in WebCore::Element::recalcStyle$2,0002016-10-02
279263use-after-free in ColorChooserDialog::DidCloseDialog$1,0002016-10-02
278908Heap-use-after-free in WebCore::XMLDocumentParser::append$1,0002016-10-02
279286ASSERT: Bad cast from CSSInitialValue to CSSValueList., UNKNOWN in WebCore::CSSValue::isCFCSSValueList-2016-10-02
279277Heap-use-after-free in WebCore::RenderBlock::determineStartPosition$2,0002016-10-02
278676Heap-buffer-overflow in content::SiteIsolationPolicy::ShouldBlockResponse-2016-10-02
278366Security: Page can DDOS and crash browser: while (1) window.open()-2016-10-02
277656ASSERT: isDocumentLifecycleObserver()ASAN:SIGSEGV, UNKNOWN in WebCore::DocumentLifecycleNotifier::notifyDocumentWasDisposed-2016-10-02
276368Heap-use-after-free in ppapi::proxy::PluginResource::NotifyInstanceWasDeleted$1,0002016-10-02
276339Use-after-free in content::WebPluginDelegateImpl::NativeWndProc-2016-10-02
275803Heap-buffer-overflow on icu_46::CharsetRecog_UTF_32_BE::getChar-2016-10-02
275590Heap-buffer-overflow in media::AudioBuffer::ReadFrames-2016-10-02
276111ASSERTION FAILED: splineIndex < m_keySplines.size(), UNKNOWN in WebCore::SVGAnimationElement::calculatePercentForSpline-2016-10-02
274843CORS-enabled image should fail to load when redirected with CORS failure.-2016-10-02
274658Heap-use-after-free in PluginPlaceholder::ReplacePlugin-2016-10-02
276106ASSERTION FAILED: actualInfo->derefObjectFunction == info.derefObjectFunction, UNKNOWN in WebCore::V8HTMLElement::createWrapper-2016-10-02
276042Use-after-free in views::HWNDMessageHandler::_ProcessWindowMessage-2016-10-02
275223Heap-use-after-free in WebCore::EditCommandComposition::~EditCommandComposition-2016-10-02
273734Heap-use-after-free in WebCore::SharedStyleFinder::canShareStyleWithElement-2016-10-02
273732Use-after-free in WebCore::GraphicsLayer::setContentsTo-2016-10-02
272954Heap-use-after-free in WebCore::SpaceSplitString::set-2016-10-02
272786Use-after-free in WebCore::TimerBase::stop$2,0002016-10-02
274020Security: Blocked popups can navigate anywhere once unblocked-2016-10-02
274408Security: Cross-origin information should not be available via JavaScript.-2016-10-02
271782Security: Incognito mode state not necessarily encrypted properly-2016-10-02
272072Regression: 301 redirect to data: URLs works-2016-10-02
271221Heap-use-after-free in WebCore::StylePendingImage::data-2016-10-02
271161Heap-use-after-free in WebCore::AudioDSPKernelProcessor::reset$5002016-10-02
271130ASSERTION FAILED: !node || node->isElementNode(), UNKNOWN in WebCore::CompositeEditCommand::cloneParagraphUnderNewElement-2016-10-02
271939Heap-use-after-free in xsltApplySequenceConstructor$1,0002016-10-02
271235ASSERTION FAILED: index < static_cast<unsigned>(length()), UNKNOWN in WebCore::TextIterator::characterAt-2016-10-02
270272Heap-use-after-free in WebCore::Node::compareDocumentPositionInternal-2016-10-02
270758Heap-use-after-free in WebCore::HRTFElevation::calculateKernelsForAzimuthElevation$5002016-10-02
269753Heap-use-after-free in webkitOfflineAudioContext$5002016-10-02
268565Security: use-after-free Speech with changing of the page$5002016-10-02
269837Heap-buffer-overflow in util::to_uint16_t-2016-10-02
269709Wild-access in WTF::HashTable<WebCore::RenderObject *,WTF::KeyValuePair<WebCore::RenderObject *,WebCore::FilterEffe-2016-10-02
269835Heap-buffer-overflow in office::doc::BxPap::Init-2016-10-02
268365Heap-use-after-free in std::pair<WTF::KeyValuePair<WTF::StringImpl*, WebCore::Element*>*, bool> WTF::HashTable<WTF::StringI-2016-10-02
267824ASSERTION FAILED: obj->isRenderInline() || obj == this, UNKNOWN in WebCore::RenderBlock::createLineBoxes-2016-10-02
267068Heap-use-after-free in WebCore::HTMLFormControlsCollectionV8Internal::indexedPropertyGetterCallback-2016-10-02
34151ChromeFrame: cookie policy not honored in chrome Frame-2016-10-02
34135Browser process crash (CHECK failure) in TabStripModel::GetContentsAt(int) const-2016-10-02
33906Why that-2016-10-02
33881Security Bug-2016-10-02
33876Security: LocalStorage Cross Domain Denial of Service Attack-2016-10-02
33873Confirm Close-2016-10-02
33995Bug ??-2016-10-02
33870VKontakte Checker-2016-10-02
33869VKontakte Tools-2016-10-02
33864chrome an chromium bug with flash-2016-10-02
33834MISTAKE (BŁĄD)-2016-10-02
33952Infinite redirects with long URL can cause browser process OOM.-2016-10-02
33872Chromepad-2016-10-02
33830Confirm Close-2016-10-02
33817error when disconnecting-2016-10-02
33791Trouble when opening a downloadable link-2016-10-02
33738r-2016-10-02
33736333-2016-10-02
33729chrome an chromium bug with flash-2016-10-02
33831some parameters not working-2016-10-02
33678y-2016-10-02
33664XSS Filter can disable legitimate code, creating vulnerabilities in otherwise safe webpages-2016-10-02
33607Security: SSL with Chrome using googlewave.com on Chromium-2016-10-02
33572Security: "Harmful websites" are allowed to initiate downloads without user intervention.-2016-10-02
33508Https issue-2016-10-02
33445STS design questions around probing what sites a user has been to-2016-10-02
33391Script tags are copied and pasted into xml, making cross-domain attacks possible-2016-10-02
33695Chrome problem.-2016-10-02
33053Use of stale HTMLImageElement pointer in JSHTMLFormElement::nameGetter-2016-10-02
32856Script tags are copied and pasted, making cross-domain attacks possible-2016-10-02
33324New windows opened within ChromeFrame in full tab mode don't use the host network stack-2016-10-02
32718Security: Cross-domain bug in password manager$5002016-10-02
32558auto text-2016-10-02
32457Security: WebKit Bug 33802 - WebCore::RenderMenuList::setText ExecAV@Arbitrary (fe810d95ab2c1eef13e951397ed944ce)-2016-10-02
32455ValidityState can hold a stale pointer to control-2016-10-02
32309Stylesheet URL property leaks redirection target-2016-10-02
32207The CLD (Compact Language Detection) code is run in the browser, it should run in the renderer.-2016-10-02
32014[MD audit] [clipboard] Type confusion possible in Linux clipboard implementation-2016-10-02
31953Resolve URL Before Proxy-2016-10-02
32915[MD audit] [Window Sandbox] CrossCallParamsEx::CreateFromBuffer() integer overflow-2016-10-02
31935appcache: https servers shouldn't be able to store no-store pages from other servers-2016-10-02
31880[MD audit] [plugins] Sandbox Violation: Raw pointer from renderer manipulated in plugin process-2016-10-02
31568Need to merge WebKit fix for ZDI-CAN-632 to Beta branch-2016-10-02
31554Invalid Read (possible code execution): Empty name parameter passed to v8::internal::LoadIC::Load()-2016-10-02
31542Use after free crash in RTL text handling-2016-10-02
31517ChildProcessSecurityPolicy::CanRequestURL recusion stack exhaustion in URL parsing with nested protocols-2016-10-02
31364[MD audit] [IPC] problems calling resize() on vectors with no sanitization-2016-10-02
31307[MD audit] [RPC] More errors deserializing SkBitmaps!!-2016-10-02
31298[MD audit] [RPC] Integer overflow in clipboard image deserialization-2016-10-02
31293Audio TAG MP3 plays noise burst at beginning-2016-10-02
31267Security: Popup & Focus URL Hijacking from ha.ckers.org, exploit works with chrome autodownload-2016-10-02
31144warn when downloading common Linux package files such as .deb-2016-10-02
31943Bypass of HTML5 iframe sandbox attribute (can set window.top.location)-2016-10-02
31692Bug 33266 - WebCore::InlineFlowBox::determineSpacingForFlowBoxes ReadAV@NULL (43c64e8abbda6766e5f5edbd254c2d57)-2016-10-02
30972Google Chrome XSS through MS Word Script Execution Object-2016-10-02
31009[MD audit] [V8]: integer errors lead to dangerous crashes in memory allocators-2016-10-02
31012[MD audit] [3d]-2016-10-02
30937Possible to execute script on unpermitted domains using chrome.tabs.executeScript()-2016-10-02
294242Url spoof with play store url-2016-10-02
294206Heap-use-after-free in WebCore::IDBDatabase::transactionFinished-2016-10-02
294202ASSERTION FAILED: hasRareData(), UNKNOWN in WebCore::Node::rareData-2016-10-02
294023Heap-buffer-overflow in bool WebCore::SelectorChecker::checkOne<WebCore::DOMSiblingTraversalStrategy>-2016-10-02
294464Heap-use-after-free in WebCore::SVGLength::SVGLength-2016-10-02
294456Heap-use-after-free in WebCore::canMergeLists$2,0002016-10-02
293521Heap-use-after-free in WebCore::CSSFontSelector::dispatchInvalidationCallbacks-2016-10-02
293127Use-after-free in WTF::HashTable<int,WTF::KeyValuePair<int,WTF::RefPtr<WebCore::CalculationValue> >,WTF::KeyValuePairK-2016-10-02
292679Heap-use-after-free in Pickle::~Pickle-2016-10-02
292422ASSERTION FAILED: m_pendingActivityCount > 0, Heap-use-after-free in WebCore::XMLHttpRequest::open$1,0002016-10-02
291854ASSERTION FAILED: !node || node->hasTagName(HTMLNames::metaTag), UNKNOWN in WebCore::TextAutosizer::detectContentType-2016-10-02
290566Heap-use-after-free in WTF::equalNonNull$1,0002016-10-02
293707ASSERTION FAILED: !value || value->isValueList(), UNKNOWN in WebCore::FontFace::createCSSFontFace-2016-10-02
293534Heap-use-after-free in WebCore::Document::updateLayout$3,0002016-10-02
290165ASSERTION FAILED: !needsLayout(), UNKNOWN in WebCore::RenderTableSection::paint$5002016-10-02
290163Heap-use-after-free in WebCore::InputMethodContext::selectedSegment-2016-10-02
289680Heap-buffer-overflow in PL_strdup-2016-10-02
289648Security: work around user gesture requirement-2016-10-02
288977Security: Insecure root-privileged file touch in /home/chronos by activate_date_spring.conf-2016-10-02
288797Heap-use-after-free in WebCore::TextFieldInputType::updateInnerTextValue-2016-10-02
290396Heap-use-after-free in WebCore::FrameLoader::load-2016-10-02
288771Heap-use-after-free in WebCore::SVGMatrixV8Internal::rotateMethodCallback-2016-10-02
288761Heap-use-after-free in WebCore::Document::updateLayout-2016-10-02
286975Heap-use-after-free in WebCore::Node::containsIncludingHostElements$2,0002016-10-02
286621Heap-use-after-free in BubbleGtk::Close-2016-10-02
286617Use-after-free in WebCore::RenderObject::previousInPreOrder-2016-10-02
286444Crash due to a bug in CoreText with some Arabic strings on Mac OS 10.8-10.8.4 and iOS 6-2016-10-02
286414Heap-use-after-free in WTF::KeyValuePair<WebCore::Resource*, WTF::RefPtr<WebCore::ResourceTimingInfo> >::~KeyValuePair$1,0002016-10-02
286368ASSERT: Bad cast from Element to HTMLDetailsElement., UNKNOWN in Bad cast from Element to HTMLDetailsElement-2016-10-02
288754Security: OOB in xfer32 in SKIA-2016-10-02
285783Heap-buffer-overflow in indic_ot_reorder-2016-10-02
285578Heap-use-after-free in gpu::CommandBufferHelper::~CommandBufferHelper-2016-10-02
285380Heap-use-after-free in content::QuotaDispatcherHost::RequestQuotaDispatcher::DidFinish-2016-10-02
284792FileAPIMessageFilter::OnOpenFile opens files with greater permissions than checked-2016-10-02
284786Heap-use-after-free in content::WebAudioSourceProviderImpl::provideInput$5002016-10-02
284785Heap-use-after-free in WebCore::ConvolverNode::tailTime$5002016-10-02
285787Heap-use-after-free in WebCore::ApplyBlockElementCommand::rangeForParagraphSplittingTextNodesIfNeeded$1,0002016-10-02
285742Heap-use-after-free in void url_parse::-2016-10-02
282925ASSERTION FAILED: !needsLayout(), UNKNOWN in WebCore::RenderSVGResourceClipper::applyClippingToContext$5002016-10-02
282923Heap-use-after-free in webrtc::voe::Channel::SendRTCPPacket-2016-10-02
282922Heap-use-after-free in WebCore::HTMLMediaElement::parseAttribute-2016-10-02
282738ASSERTION FAILED: offset + length <= m_length, UNKNOWN in WebCore::InlineTextBox::constructTextRun-2016-10-02
282736Javascript execution bug introduced with Chrome 29.0.1547.57$1,0002016-10-02
284532ASSERTION FAILED: !value || value->isPrimitiveValue(), UNKNOWN in WebCore::ViewportStyleResolver::getViewportLengthValue-2016-10-02
280352ASSERTION FAILED: !node || node->hasTagName(HTMLNames::tdTag) || node->hasTagName(HTMLNames::thTag), UNKNOWN in WebCore::AccessibilityTable::isDataTable-2016-10-02
282425Heap-use-after-free in WebCore::RenderLayer::renderer-2016-10-02
281256Address bar spoofing with window.open() + 204 No Content$2,0002016-10-02
280729Security: Linux HID flaws-2016-10-02
280552UNKNOWN in v8::internal::Invoke-2016-10-02
280512Possible to hide current address by going to "tel:" link and then a "#" link-2016-10-02
280470Security: Closing a webview while it is loading crashes the OS sessions.-2016-10-02
281480Heap-buffer-overflow in WebCore::ReverbConvolverStage::ReverbConvolverStage$5002016-10-02
280170Heap-use-after-free in WebRtcNetEQ_RecInRTPStruct-2016-10-02
280128ChromeView segfaults writing illegally during Vellamo test with drawPosTextH-2016-10-02
282088Heap-use-after-free in WebCore::RenderObjectChildList::destroyLeftoverChildren$1,0002016-10-02
279643Heap-use-after-free in cricket::StreamSelector::Matches-2016-10-02
279642Heap-use-after-free in non-virtual thunk to cricket::TransportChannelProxy::OnMessage-2016-10-02
279640UNKNOWN in extract_image_data-2016-10-02
279639Heap-use-after-free in cricket::Connection::local_candidate-2016-10-02
30794Out of bounds read when processing SVG feColorMatrix filter-2016-10-02
30682Disable the null encryption and weak encryption TLS/SSL cipher suites-2016-10-02
30660window.open() Method Javascript Same-Origin Policy Violation$1,0002016-10-02
30659Security: restrict sqlite functions in the function authorizer-2016-10-02
30525Merge HTMLParser security fix from WebKit-2016-10-02
30510Security: invalid pointer access when calling HTML5 Web Database REGEXP() function with just one argument-2016-10-02
30146chrome.tabs.executeScriptInTab allows running script in the gallery-2016-10-02
30080Extension pop-up page is loaded into main window-2016-10-02
30078Web Workers abuse - opt in required?-2016-10-02
29932Security: Websockets - malformed URL freezes browser-2016-10-02
29920Referer: header is sent when redirect from https to http-2016-10-02
30079Security SafeBrowsingService pure virtual function call and memory corruption-2016-10-02
29854Security: WebKit Bug 32316 - WebCore::RenderObject::arenaDelete ExecAV@??? (292164e5b2ee939ff3ddf062439c2a3e)-2016-10-02
29828Security: sandbox bypass due to directory traversal opening Web Database files-2016-10-02
29645Prevent exposing autocomplete values via Javascript-2016-10-02
29577Crash on complicated @font-face rule-2016-10-02
29543Bug-2016-10-02
29914DNS queries not forwarded through SOCKS v5 proxies-2016-10-02
29657[MD audit] [NPAPI] Unsafe use of raw pointers between processes-2016-10-02
29292HTTPS pages contain warning about not being secure.-2016-10-02
28811Security: WebKit Bug 31886 - Notification::Notification m_presenter reuse of freed memory-2016-10-02
28804[MD audit] [Window Sandbox] PreProcessName() Race Condition-2016-10-02
28798[MD audit] [Window Sandbox] Integrity Level Race Condition-2016-10-02
28606Security: Chrome/chromium crash in Skia (CSS) due to flashplugin crash-2016-10-02
28582Out-of-bounds read in memcpy() upon one line CSS - sometimes OOM too-2016-10-02
29294Security: What about support for the Green Address Bar? (SSL EV...)-2016-10-02
28880Security: Crash in WebCore/platform/graphics/chromium/FontLinux.cpp:355 (WebCore::TextRunWalker::setupFontForScriptRun)-2016-10-02
28566Security: Crash when opening a corrupted GIF image-2016-10-02
28449Linear gradient on a table row crashes Chromium-2016-10-02
28360Security: Chromium/chrome crash in WebCore::RenderMarquee::computePosition-2016-10-02
28346Security: net::HttpStreamParser::DoReadBodyComplete OOM browser crash using Content-Length-2016-10-02
28250Chrome/chromium crash in Skia (memset) due to excessive stroke-2016-10-02
28043Security: LocalStorage does not account the key strings in the quota enforcement-2016-10-02
28015Security: notifications can pop-up unsolicited windows-2016-10-02
28574Security: Memory corruption in WebCore::ResourceLoader-2016-10-02
27916Bounds error in skAlphaRuns causes renderer hang-2016-10-02
27544HTML notifications should only allow http URLs as content (or not have elevated privileges for data: / javascript:)-2016-10-02
27501Security: Bad reference counting in WTF:: PassRefPtr leads to use after free-2016-10-02
26771Let users choose the default privacy behaviour (like address bar and other stuff ... ) IMPORTANT !!!-2016-10-02
26770change default beaviour of bar: let choose users about their privacy chroium privacy-2016-10-02
26585Security: Flash does not lose focus, which allows things like key logging-2016-10-02
26179Security: Chromium bug for gears fts2 security vulnerability-2016-10-02
28014Security: crash when requestPermission() called-2016-10-02
27509Security: HttpStreamParser::DoReadBodyComplete buffer overflow.-2016-10-02
24733Browser crash in icu processing text from Japanese page-2016-10-02
26129Security: MSVR report: Chrome Frame allows x-domain data theft in IE$5002016-10-02
24375Unbounded read (possible write) in SDCH header parsing-2016-10-02
23979Security: add other common HTML extensions to the dangerous extensions list-2016-10-02
23693Security: sanitize URLs better before creating desktop shortcuts-2016-10-02
24646Security: Skia memory corruption with x<0 in SkA*_Blitter::blitH-2016-10-02
25578No more symbolic links in the .app (en.lproj -> en_US.lproj)-2016-10-02
24486Chrome does not checksum downloaded .bdic files; Leads to crashes, possible exploits.-2016-10-02
22846ChromeFrame does not respect IE Privacy features-2016-10-02
23188Gears DLL is not marked at NX compatible-2016-10-02
22115Two pages munged together if an anchor is clicked during unload-2016-10-02
22721Security: Chrome Frame 301/302 redirect URL spoofing-2016-10-02
23189avcodec-52.dll is not marked NX, SafeSEH or DBCompat-2016-10-02
23006Security: Chrome Frame links circumvent IE8's SmartScreen-2016-10-02
22451Use-after-free in IPC::Channel::ChannelImpl::ProcessOutgoingMessages() in UtilityProcessHostTest.ExtensionUnpacker-2016-10-02
21354ISO-2022-CN and ISO-2022-CN-Ext are not supported leading to a potential XSS attack-2016-10-02
21338Same Origin Policy Bypass via getSVGDocument() method.$5002016-10-02
21489Linux create fail for /tmp/chrome_shutdown_ms.txt in mixed user environment-2016-10-02
21770Security: ParseFTPList buffer fencepost, integer underflow-2016-10-02
21771Security: ParseFTPList integer underflow-2016-10-02
21385No prompt when installing extension from odd content type-2016-10-02
21242Merge webkit.org@48142 to mstone-3-2016-10-02
21238security: Content-Type: application/rss+xml being rendered as active content-2016-10-02
21128XMLHttpRequest allows loading from another origin-2016-10-02
309452Heap-use-after-free in WebCore::CSSSelectorList::selectorAt-2016-10-02
309453Heap-use-after-free in WebCore::RenderBlockFlow::computeBlockDirectionPositionsForLine-2016-10-02
309201Heap-buffer-overflow in WebCore::RenderView::positionDialog-2016-10-02
308988Use-after-free in v8::HandleScope::HandleScope-2016-10-02
307159Response splitting with 302 redirects allows chrome sync session fixation$1,3372016-10-02
306346Heap-use-after-free in WebCore::ResourceLoader::requestSynchronously-2016-10-02
306694Crash in WebKit::WebHelperPluginImpl::closeHelperPlugin()-2016-10-02
305951Security: Don't send encrypted extensions (Channel ID, NPN,OBC) when server certificate is untrusted$1,0002016-10-02
305904Heap-use-after-free in WebCore::RenderBlock::determineStartPosition-2016-10-02
305368Use-after-free in printing::PrintingContextWin::AskUserForSettings-2016-10-02
306802Heap-buffer-overflow in WebCore::Font::characterRangeCodePath-2016-10-02
306803Heap-use-after-free in content::RenderViewImpl::OnMessageReceived-2016-10-02
306255content_shell crash with --dump-render-tree and non-ASCII content-2016-10-02
305278Heap-use-after-free in WebCore::HTMLMediaElement::contextDestroyed-2016-10-02
305220TLS session caching occurs before certificate validation$5002016-10-02
305080Heap-use-after-free in WebCore::XMLHttpRequest::~XMLHttpRequest-2016-10-02
304967Use-after-free in content::GpuChannelHost::Send-2016-10-02
305350Heap-use-after-free in WebCore::SVGPropertyTearOff<WebCore::SVGTransform>::detachWrapper-2016-10-02
304787Heap-use-after-free in content::PluginURLFetcher::OnReceivedData$5002016-10-02
304547Security: popups opened in fullscreen mode are opened as popunders-2016-10-02
304398WebRTCIdentityStore should delete expired identities-2016-10-02
305279Heap-use-after-free in WebCore::GraphicsLayer::setContentsClippingMaskLayer-2016-10-02
304791Multiple libvpx potential security issues-2016-10-02
303927Use after free with new media::ScopedPtrAVFreeFrame-2016-10-02
303657Heap-use-after-free in WebCore::HTMLFormElement::submit-2016-10-02
303477ASSERTION FAILED: !node || node->isTextNode(), UNKNOWN in WebCore::RenderBlock::updateFirstLetter-2016-10-02
303476Heap-use-after-free in WebCore::SVGPropertyTearOff<WebCore::SVGNumber>::detachWrapper-2016-10-02
303232ASSERT: Bad cast from Event to GestureEvent., UNKNOWN in Bad cast from Event to GestureEvent-2016-10-02
304226Security: Address bar spoofing on Android with window.open() + 204 No Content-2016-10-02
303772Heap-use-after-free in WebCore::SliderThumbElement::dragFrom-2016-10-02
302539Heap-buffer-overflow in ssl3_HandleHandshakeMessage-2016-10-02
301941ASSERTION FAILED: npObject, UNKNOWN in content::NPObjectProxy::NPNEvaluate-2016-10-02
301196ASSERTION FAILED: offset + length <= m_length, UNKNOWN in WebCore::InlineTextBox::paint-2016-10-02
300892Heap-use-after-free in WebCore::Document::updateHoverActiveState-2016-10-02
302724Content Script Shared Memory Buffer is writable-2016-10-02
302810ASSERT: Bad cast from Event to TouchEvent., UNKNOWN in Bad cast from Event to TouchEvent-2016-10-02
302007Security: Chrome can be easily made to stop working-2016-10-02
299892HTTP 1xx response handling code allows a website to read memory from the main process' heap.$4,0002016-10-02
299835libjpeg_turbo huffval infoleak-2016-10-02
299803Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingLayer-2016-10-02
298660Sparse file confuses temporary storage quota-2016-10-02
297976Heap-buffer-overflow in bool WebCore::SelectorChecker::checkOne<WebCore::DOMSiblingTraversalStrategy>-2016-10-02
300129Heap-use-after-free in content::RenderViewHostImpl::JavaScriptDialogClosed-2016-10-02
299993ASSERTION FAILED: obj->isRenderInline() || obj == this, UNKNOWN in WebCore::RenderBlock::createLineBoxes-2016-10-02
297556Heap-use-after-free in content::IndexedDBBackingStore::Transaction::Begin-2016-10-02
297478Heap-use-after-free in WebCore::HTMLFormElement::submit$2,0002016-10-02
296690UNKNOWN in WebKit::WebSpeechRecognitionHandle::operator WTF::PassRefPtr<WebCore::SpeechRecognition>$1,0002016-10-02
296276Heap-use-after-free in WebCore::SVGMatrixV8Internal::aAttributeSetterCallback-2016-10-02
296268Heap-use-after-free in WebCore::accumulateDocumentTouchEventTargetRects-2016-10-02
297718HTML generated by coping url in address bar should url-encode the url-2016-10-02
296804Heap-use-after-free in webrtc::voe::Channel::SendRTCPPacket-2016-10-02
295725Heap-use-after-free in WebCore::SVGPropertyTearOff<WebCore::SVGMatrix>::detachWrapper-2016-10-02
295338ASSERTION FAILED: !object || object->isLayerModelObject(), UNKNOWN in WebKit::LinkHighlight::computeEnclosingCompositingLayer-2016-10-02
295010Heap-use-after-free in WebCore::RenderObject::childAt$2,0002016-10-02
294687Heap-use-after-free in task_manager::ExtensionProcessResource::GetProfileName-2016-10-02
294505ASSERTION FAILED: actualInfo->derefObjectFunction == info.derefObjectFunction, UNKNOWN in WebCore::V8IDBCursor::createWrapper-2016-10-02
296003Heap-buffer-overflow in void std::__final_insertion_sort<WebCore::RenderTableCell**, bool-2016-10-02
295695Security: Show javascript prompt over interstitial page-2016-10-02
20450Chromium shouldn't allow XHR to local directories-2016-10-02
20336Security: ensure proper escaping, filtering of user inputs in paths, login data for FTP-2016-10-02
20931chrome.tabs.update should not allow navigation to javascript: URLs w/o permission-2016-10-02
20318Security: do not auto-complete URLs with cloaked credentials-2016-10-02
19505Mixed content flash not causing mixed content warnings-2016-10-02
19340Themes from URLs without the ".crx" file extension install without prompt-2016-10-02
19334test-2016-10-02
19316Security: download shelf question for themes from untrusted locations is not honest-2016-10-02
19212Security: script injection possible in JSON.parse; will lead to XSS in some web apps-2016-10-02
19158libxml2 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3529-2016-10-02
20334Security: restrict IPs, ports for PASV ftp mode-2016-10-02
20233Crash potentially due to resource exhaustion-2016-10-02
18682Extensions privileges granted to process that calls window.open-2016-10-02
18672yuv_row_linux.cc clip() DCHECK too conservative?-2016-10-02
18639Crash [@ 0xffffffff]-2016-10-02
18009Security: Investigate NTLM reflection vulnerability-2016-10-02
17655Security: Bypass pop-up blocker using javascript: url in a pop-up.-2016-10-02
16535Security: terminate busy loops on page transitions-2016-10-02
16413Security: Redirected XHR includes custom headers, CSRF risk-2016-10-02
18803Avast can't scan all files of chrome's cache: password protected-2016-10-02
15701XSS issue due to the lack of support for ISO-2022-KR-2016-10-02
15556innerHTML applies meta/link/title tags before getting commited.-2016-10-02
14508Security: browser crash with memmove() memory corruption upon large chunked encoding chunk size-2016-10-02
14211Reproducible browser crash when quickly scrolling wide page horizontally-2016-10-02
13997Clicking an external link in an extension page shouldn't reuse the same process.-2016-10-02
15766Security: focus() selective keystroke redirection-2016-10-02
14719Security: possible memory corruption in v8 regex execution engine-2016-10-02
12617Starting a hiden download can allow attacker to determine how long the browser stays open.-2016-10-02
12523Crash - Menu::RunMenuAt(int,int)-2016-10-02
12307Subtle mixed content bugs-2016-10-02
12303Chrome falls back to DIRECT connections once all proxies have failed.-2016-10-02
12810Renderer can crash browser through OOM using document.title-2016-10-02
13029NIL-2016-10-02
12591Popup blocker bypass/open webpage in default browser using WMP Active-X-2016-10-02
11776Security: Linux Chromium config directory is world/group-readable, including cookies-2016-10-02
11739V8Proxy::ToNativeObjectImpl ASSERT(MaybeDOMWrapper(object));-2016-10-02
11545Extensions can be loaded by web content-2016-10-02
11308ReadAV [ARBITRARY]@chrome!NPAPI::PluginInstance::NPP_DestroyStream+0x111-2016-10-02
11205CoInitialize called in renderer (before sandbox lockdown)-2016-10-02
11178New Layout test failures for WebKit merge 42932:42994-2016-10-02
12142Crash when proxy responds to CONNECT request with Content-Length: 0-2016-10-02
11934Crash: Alert box in event listeners-2016-10-02
9760pasting "( ･ω･)ﾉ――――――――――――――@ ｼｮﾎﾞﾎﾞﾎﾞﾎﾞｰｰｰﾝ" to address bar causes full crash-2016-10-02
9860ChromeHTML URI handler vulnerability-2016-10-02
10957UXSS sharing window.external among frames-2016-10-02
10869Buffer overflow in browser process while de-serializing SkBitmap (heap overwrite)-2016-10-02
10736SkMask::computeImageSize() integer overflow-2016-10-02
9877Security: cross domain thefts via CSS string property injection-2016-10-02
10996Security: job object based restrictions no longer seem to be enforced-2016-10-02
9303Security: possible use-after-free in OpenTypeUtilities.cpp-2016-10-02
9608An HTTP response with code 401 and header with name="WWW-Authenticate" value="" crashes browser-2016-10-02
9019zdi-can-464: malformed svglist parsing code execution-2016-10-02
8757Cross-origin XMLHttpRequest is always allowed-2016-10-02
8706Mixed content warning can be removed-2016-10-02
8473Fix CONNECT requests with user-cancelled auth-2016-10-02
8198Need to upgrade ICU in third_party-2016-10-02
319117Master bug for Mobile Pwn2Own 2013 exploit from Pinkie Pie-2016-10-02
319040Heap-buffer-overflow in WebCore::Element::pseudoStyleCacheIsInvalid-2016-10-02
318791Security: Crash in aura::Window::NotifyWindowHierarchyChangeAtReceiver-2016-10-02
319125Security: ClipboardHostMsg_WriteObjectsAsync allows to escape the sandbox-2016-10-02
317999Security: Integer overflow leading to exploitable buffer overflow on 32-bit when parsing encrypted mp4-2016-10-02
317284ASSERTION FAILED: width == frameRect.width(), UNKNOWN in WebCore::WEBPImageDecoder::applyPostProcessing-2016-10-02
317819ASSERTION FAILED: obj->isRenderInline() || obj == this, UNKNOWN in WebCore::RenderBlockFlow::createLineBoxes-2016-10-02
317734Disabling filters over IPC for M32-2016-10-02
317485Use-after-free from SVGMatrixTearOff-2016-10-02
317423Heap-use-after-free in WebCore::RenderBlockFlow::determineStartPosition-2016-10-02
317286Stack-buffer-overflow in content::MakeWebMouseWheelEvent-2016-10-02
318577Heap-use-after-free in WebCore::V8SVGTransform::resolveWrapperReachability-2016-10-02
317913Heap-use-after-free in ChromeDownloadManagerDelegate::OnDownloadTargetDetermined-2016-10-02
315889Security: ASAN heap-use-after-free in AnimationController::endAnimationUpdate$3,0002016-10-02
317210Heap-use-after-free in WebCore::RenderText::firstAbstractInlineTextBox-2016-10-02
317097ASSERTION FAILED: m_context->document().documentElement() != m_context, Heap-use-after-free in WebCore::SVGTransformV8Internal::angleAttributeGetterCallback-2016-10-02
316697Missing Skia cls for M32 to complete safe SVG communication over IPC-2016-10-02
316339Heap-buffer-overflow in sk_getMetrics_glyph_00-2016-10-02
316298Security: Bad cast in ToRenderWidgetHostViewAura in web_contents_view_aura.cc-2016-10-02
316032HPKP Pin-Sets set over headers are appended without a uniqueness check-2016-10-02
317173CHECK failure in CHECK(p->IsSmi()) failed: ../../v8/src/objects-debug.cc(59)-2016-10-02
317211Heap-buffer-overflow in PL_strdup-2016-10-02
317174Heap-buffer-overflow in PORT_Alloc_Util-2016-10-02
314469Heap-use-after-free in WebCore::ReplaceSelectionCommand::doApply$2,0002016-10-02
314402UNKNOWN in WebCore::computeShapePaddingBounds-2016-10-02
314225Heap-buffer-overflow in Null_Cipher-2016-10-02
315842Heap-use-after-free in WebCore::HTMLTreeBuilder::adjustedCurrentStackItem$2,0002016-10-02
313939Security: Cross-origin information disclosure through createMediaElementSource and OfflineAudioContext$4,0002016-10-02
313743Heap-use-after-free in extensions::ExtensionAPI::SplitDependencyName-2016-10-02
313529Heap-use-after-free in WebCore::Node::containsIncludingShadowDOM-2016-10-02
313435Security: Prerendered pages can add incorrect alias URLs and intercept future navigations to them-2016-10-02
313399Security: backport ARM uaccess fix-2016-10-02
313005Heap-use-after-free in WebCore::Element::focus-2016-10-02
312689Chrome’s HSTS preloads and certificate pinning does not work for wildcard-based domains when you input a “-.” before the actual domain name. (e.g. https://abc.def-.drive.google.com)-2016-10-02
312639ASSERTION FAILED: !m_history, Heap-use-after-free in WebCore::Document::nodeChildrenWillBeRemoved-2016-10-02
314088Use-after-free in content::WebPluginDelegateStub::~WebPluginDelegateStub-2016-10-02
312210"Require password to wake from sleep" option does not take effect-2016-10-02
312250Security: Access after the end of the buffer due to undefined behavior in Pickle::FindNext-2016-10-02
312046Heap-use-after-free in content::RenderViewHostImpl::JavaScriptDialogClosed-2016-10-02
312028Heap-use-after-free in WebCore::SharedStyleFinder::canShareStyleWithElement-2016-10-02
312016ViewHostMsg_CreateWindow: next route_id can be taken from the wrong process-2016-10-02
311909Heap-use-after-free in WebCore::RenderTextFragment::originalText-2016-10-02
311908ASSERTION FAILED: !needsSectionRecalc(), Heap-use-after-free in WebCore::RenderTable::topNonEmptySection-2016-10-02
311548Security: inline svg that has not been marked as laid out causes ASSERT_WITH_SECURITY_IMPLICATION-2016-10-02
312050UNKNOWN in WebCore::CanvasRenderingContext2D::drawTextInternal-2016-10-02
311036strongswan: CVE-2013-6075-2016-10-02
310259ASSERTION FAILED: width == frameRect.width(), UNKNOWN in WebCore::WEBPImageDecoder::applyPostProcessing-2016-10-02
311040strongswan: CVE-2013-6076-2016-10-02
310257Heap-buffer-overflow in VP8LConvertFromBGRA-2016-10-02
310794Security: Blocking of HTTP iframes in HTTPS pages can be circumvented by using data: urls-2016-10-02
7986REGRESSION: file:// URLs can script web URLs-2016-10-02
7713Unescape according to the safe browsing spec-2016-10-02
733830x redirects silently honored in response to CONNECT-2016-10-02
7214Cross-domain access to stylesheet text should not be allowed-2016-10-02
6869SVG support is crashy in 2.0.157.2-2016-10-02
6264Security bug: something very wrong with same-origin checks-2016-10-02
6062Chrome: Crash Report - Stack Signature: WebCore::GIFImageDecoder::haveDecodedRow-2016-10-02
7590Rogue renderer can tamper with Windows.-2016-10-02
5825chromehtml: Elevate on Vista if no permission to modify key-2016-10-02
5596Bookmarklets clicked on new tab page execute in chrome-resource security context-2016-10-02
5271Add a test for bug 2074-2016-10-02
5248cross-frame-access-protocol*.html layout tests are failing-2016-10-02
5247Cross-frame-access-*-explicit-domain layout tests failing-2016-10-02
4943Rogue renderer could crash other renderers / browser via stats table.-2016-10-02
4772Stateless key event handling from renderer to browser-2016-10-02
4197Further restrict access of file URL-2016-10-02
4150Security: SwissSign Root marked for EV-2016-10-02
3896Make tests for bug 2074 fix and contribute to webkit-2016-10-02
3851Security: need backport of WebKit bug for v1.0 release-2016-10-02
3823Security: Empty string between ISO-2022 escape sequences can be potentially exploited. Make sure we don't suffer-2016-10-02
3645Security: intermittent NULL ptr crash when browser close attempted with a non-responsive tab-2016-10-02
4387Security: Microsoft "feature" causes dates > December 31st 3000 to crash renderer crash-2016-10-02
3538SSL CN mismatch not triggering warning-2016-10-02
3431Drag & drop javascript link to Windows desktop-2016-10-02
3275Security: Popup-blocker bypass using click event-2016-10-02
3256Security: block windows / prompts, or disable scripting altogether, while security interstitials are displayed-2016-10-02
3628Websites can spawn infinite external protocol handler popups.-2016-10-02
3382V8 crashes on lots of popups.-2016-10-02
2759A range of non-characters (U+FDD0 .. U+FDEF) are passed through in IsStringUTF8-2016-10-02
2966Chrome Window.open & alert DoS-2016-10-02
2618Web Inspector should not rely on the untrusted page to implement escapeHTML-2016-10-02
2579tab_strip_model.cc can Crash Chrome.dll-2016-10-02
2316Chromium automatically continues the request for a sub-resource with a certificate error under some conditions.-2016-10-02
2748Crash when doing a view-source on a https-link with invalid security certificate-2016-10-02
2957Clicking "Safe Browsing diagnostic page" link broken on malware interstitial-2016-10-02
2632Advisory: Google Chrome Carriage Return Null Object Memory Exhaustion Remote Dos-2016-10-02
1488Google Chrome Browser Exploit-2016-10-02
1414Chrome Buffer Overlow Vulnerability - "SaveAs" Function-2016-10-02
1980Content-Disposition triggers buffer overflow-2016-10-02
2074DBCS invalid multi-byte over-consumption leads to XSS vectors-2016-10-02
1967Append .download to downloaded DLL files-2016-10-02
1227Firedragging "polished" - drag an executable file to the desktop appearing to be an image-2016-10-02
1208Never elide file extensions (at least in download UI)-2016-10-02
1210Don't trigger buttons on second click of a double-click-2016-10-02
213Denial of Service-2016-10-02
100custom cursor icon rendered incorrectly-2016-10-02
326229Heap-buffer-overflow in SkBicubicImageFilter::onFilterImage-2016-10-02
326187UNKNOWN in SkMagnifierImageFilter::onFilterImage-2016-10-02
326199Heap-buffer-overflow in SkBitmap::copyTo-2016-10-02
325624ASSERTION FAILED: !object || (object->isRenderBlockFlow()), UNKNOWN in WebCore::toRenderBlockFlow-2016-10-02
326195Heap-buffer-overflow in SkSrcXfermode::xfer32-2016-10-02
326206Heap-buffer-overflow in SkDilateX_SSE2-2016-10-02
326197Heap-buffer-overflow in SkDiffuseLightingImageFilter::onFilterImage-2016-10-02
326198Heap-buffer-overflow in Clamp_S32_D32_nofilter_trans_shaderproc-2016-10-02
326118Security: chrome: address bar spoofing in Chrome for iOS-2016-10-02
324815Apps can be installed from outside CWS and from non-secure sites-2016-10-02
324812Security: leaking the raw global object when passing callbacks between contexts-2016-10-02
325071Use-after-free in content::WebGraphicsContext3DCommandBufferImpl::InitializeCommandBuffer-2016-10-02
324969Security: Address bar spoofing in Chrome for Android$1,0002016-10-02
325225Crash on keyed load invocation-2016-10-02
324817Security: Unprompted app installation allowed-2016-10-02
324321Heap-use-after-free in WebCore::Document::updateLayout-2016-10-02
324320ASSERTION FAILED: !tryCatch.HasCaught() || result.IsEmpty(), Heap-use-after-free in content::RenderViewHostImpl::JavaScriptDialogClosed-2016-10-02
324323ASSERTION FAILED: iteration >= 0, Heap-buffer-overflow in WebCore::KeyframeAnimationEffect::PropertySpecificKeyframeGroup::sample-2016-10-02
324324Heap-use-after-free in WebCore::ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline-2016-10-02
324530Heap-use-after-free in WebCore::DocumentMarkerController::removeMarkersFromList-2016-10-02
322965In-page search form steals focus/navigation control from Chrome's URL bar-2016-10-02
323969Attempting free in std::_Rb_tree<blink::WebFrame*, std::pair<blink::WebFrame* const, content::RenderFrameImpl*>, std::_-2016-10-02
323682Use-after-free in WebCore::SVGAnimatedProperty::detachAnimatedPropertiesForElement-2016-10-02
323595Heap-buffer-overflow in SkValidatingReadBuffer::getArrayCount-2016-10-02
322662Multiprofile: Screen does not lock when non-corp account is active-2016-10-02
322891Heap-use-after-free in WebCore::RenderLayerScrollableArea::updateCompositingLayersAfterScroll$2,0002016-10-02
322554Heap-use-after-free in WebCore::MediaStreamAudioSourceNode::process-2016-10-02
322527Incognito cookies make their way into non-incognito cookie space when using HTTPS Everywhere extension-2016-10-02
322959URL Spoof Vulnerability$5002016-10-02
322937Heap-use-after-free in WebCore::RenderBlockFlow::determineStartPosition-2016-10-02
322575ASSERTION FAILED: activeDuration >= 0, Heap-buffer-overflow in WebCore::KeyframeAnimationEffect::PropertySpecificKeyframeGroup::sample-2016-10-02
321831UNKNOWN in SkProcCoeffXfermode::CreateProc-2016-10-02
322195Heap-use-after-free in content::WebRTCIdentityServiceHost::OnRequestIdentity-2016-10-02
321783dev-libs/nspr needs upgrade from upstream portage-2016-10-02
321781dev-libs/nss needs upgrade from upstream portage-2016-10-02
322348Heap-use-after-free in WebCore::Element::focus-2016-10-02
321802Heap-buffer-overflow in SkValidatingReadBuffer::readPoint-2016-10-02
321790UNKNOWN in SkValidatingReadBuffer::readString-2016-10-02
321940Security: Inserting a Google account to Chrome and stealing user's private data$5,0002016-10-02
320762Heap-use-after-free in WebCore::SVGStringListV8Internal::clearMethodCallback-2016-10-02
321037Heap-use-after-free in WebCore::V8SVGStringList::resolveWrapperReachability$5002016-10-02
321495Heap-use-after-free in WebCore::StyleSheetCollection::resetAllRuleSetsInTreeScope-2016-10-02
320796Content-security-policy object-src: isn't applied against <param name="source">-2016-10-02
320239CHECK failure in CHECK failed: it != streams_.end() in media_stream_dispatcher_host.cc(242)-2016-10-02
320344Heap-use-after-free in WebCore::ChannelProvider::provideInput$5002016-10-02
319860OOB read in V8-2016-10-02
319835OOB write in V8 (only 64bit)-2016-10-02
319722Heap-buffer-overflow in v8::internal::ExternalByteArray::SetValue-2016-10-02
319477clipboard.cc issues-2016-10-02
320314Heap-use-after-free in autofill::PasswordAutofillAgent::DidStartProvisionalLoad-2016-10-02
320313Heap-use-after-free in base::internal::Invoker<1, base::internal::BindState<base::internal::RunnableAdapter<void-2016-10-02
319914Use-after-free in v8::internal::GlobalHandles::Destroy-2016-10-02
331571Typing pandora.com in omnibox automatically redirects user to native app, if installed-2016-10-02
331444[LangFuzz] Crash at v8::internal::StoreBuffer::Compact with invalid write$3,0002016-10-02
331416[LangFuzz] Crash on Heap with Array access/length and invalid read$3,0002016-10-02
331725Security: body of POST request initiated 302-redirect chain can be recovered by script on last page in chain using XSS Auditor$5002016-10-02
331790Security: use-after-free in content::WebContentsImpl::~WebContentsImpl$1,0002016-10-02
331253Use-after-free in v8::HandleScope::HandleScope-2016-10-02
331389Heap-use-after-free in er_supported-2016-10-02
331219Using a long JavaScript alert() string can hide buttons and prevention checkbox-2016-10-02
331168Security: scrollbar-corner can be drawn outside the containing frame, allowing redress of parent frame.$5002016-10-02
331060Security: XSS Auditor behavior can cause leak of submitted form data because of about:blank redirection$1,0002016-10-02
331254Heap-buffer-overflow in WebCore::BisonCSSParser::parseValue-2016-10-02
331232Use-after-free in WebCore::Editor::rangeOfString-2016-10-02
330710UXSS can be performed because XSS Auditor processes tokens inside script tag separately-2016-10-02
330660use-after-free in SpeechRecognitionBubbleView::GetAnchorRect$5002016-10-02
330626Heap-use-after-free in WebCore::RenderInline::willBeDestroyed$2,0002016-10-02
330750ASSERTION FAILED: obj->isRenderInline() || obj == this, UNKNOWN in WebCore::RenderBlockFlow::createLineBoxes-2016-10-02
330663UXSS from a local MHTML file$1,0002016-10-02
330222UNKNOWN in TIntermSymbol::TIntermSymbol-2016-10-02
330420ASSERTION FAILED: m_stateStack.size() == 1, Heap-use-after-free in WebCore::ScrollView::paint$1,0002016-10-02
329978AutofillHostMsg_ShowPasswordSuggestions: validate that suggestions.size() == realms.size()-2016-10-02
330293UNKNOWN in SkRegion::setPath$3,0002016-10-02
329723Security: arbitrary memory read in logging::LogMessage::Init-2016-10-02
329258Global-buffer-overflow in BrotliHuffmanTreeBuildImplicit-2016-10-02
329547Heap-buffer-overflow in ReadHuffmanCode-2016-10-02
329006ASSERTION FAILED: std::isfinite(num), Heap-buffer-overflow in SkChopCubicAt-2016-10-02
329651UAF: Utterance should not keep a raw pointer to TtsMessageFilter-2016-10-02
329254Global-buffer-overflow in SkMallocPixelRef::SkMallocPixelRef-2016-10-02
329386Security: Handling HSTS headers effectively clobbers preloaded pins-2016-10-02
329238Heap-use-after-free in WebCore::RenderBlockFlow::computeBlockDirectionPositionsForLine-2016-10-02
328202Security: v8: invalid overflow checks in Zone::NewExpand()-2016-10-02
328231Security: incorrect overflow check in SparseControl::StartIO()-2016-10-02
328456ASSERTION FAILED: !m_deletionHasBegun, UNKNOWN in WebCore::FormAssociatedElement::formRemovedFromTree-2016-10-02
328620The GPU sandbox sometimes call InitializeSandbox() with threads appearing running.-2016-10-02
328203Security: WebGLRenderingContext::copyTexSubImage2D - invalid checks for overflow.-2016-10-02
327824The seccomp-bpf sandbox fails silently on the GPU process with threads-2016-10-02
327372Heap-buffer-overflow in SkDisplacementMapEffect::onFilterImage-2016-10-02
327729Heap-use-after-free in WebCore::SVGPropertyTearOff<WebCore::SVGMatrix>::detachWrapper-2016-10-02
327720Heap-use-after-free in chrome_browser_net::GetDataReductionRequestType-2016-10-02
327626Security: RELEASE_ASSERT in SubtreeLayoutScope destructor-2016-10-02
326860Heap-use-after-free in WebCore::RenderBlockFlow::determineStartPosition-2016-10-02
326854Heap-use-after-free in WebCore::FormAssociatedElement::formRemovedFromTree$1,0002016-10-02
327065Heap-use-after-free in StyleResolver::applyMatchedProperties-2016-10-02
327070ASSERTION FAILED: !m_hasBadParent, Heap-use-after-free in WebCore::InlineBox::nextLeafChild-2016-10-02
339610Heap-use-after-free in WebCore::Canvas2DLayerBridge::freeReleasedMailbox-2016-10-02
339498Heap-use-after-free in CacheCreator::DoCallback-2016-10-02
339337Use RefPtr in PageWidgetDelegate and guard RenderView-2016-10-02
339314Heap-use-after-free in content::VideoCaptureController::DoIncomingCapturedI420BufferOnIOThread-2016-10-02
338532UNKNOWN in /usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x6441f-2016-10-02
338524Security: TOCTOU Bug in Windows Sandbox Handle Duplication Service-2016-10-02
338561Heap-use-after-free in content::MediaStreamManager::FinalizeEnumerateDevices-2016-10-02
338393Heap-use-after-free in content::GpuChannelHost::Send-2016-10-02
338354Heap-use-after-free in IPC::Message::Header const* Pickle::headerT<IPC::Message::Header>-2016-10-02
338345Heap-use-after-free in content::WebContentsImpl::CreateNewWindow-2016-10-02
338538Security: Windows Sandbox Anonymous Kernel Object Unrestricted DACL$3,0002016-10-02
338464UaF of ColorChooserAura-2016-10-02
338164Heap-use-after-free in std::_Rb_tree<std::string, std::pair<std::string const, extensions::ExtensionDownloaderDelegate::Pin-2016-10-02
338109ASSERTION FAILED: !box || (box->isSVGInlineFlowBox()), UNKNOWN in WebCore::SVGRootInlineBox::layoutCharactersInTextBoxes-2016-10-02
337882Security: ASAN "heap-buffer-overflow" in CallBitmapXferProc$2,0002016-10-02
338341Heap-use-after-free in content::RenderProcessHostImpl::ProcessDied-2016-10-02
338124Heap-use-after-free in elapsed-2016-10-02
337572Heap-use-after-free in cricket::BaseChannel::SendPacket-2016-10-02
337561ASSERTION FAILED: controller->hasClientForTest(), Heap-buffer-overflow in WebCore::GeolocationClientMock::setPositionUnavailableError-2016-10-02
337488Security: Even when there are certificate errors, password auto-fill (easy-fill) works-2016-10-02
337428Tracking bug for internal security fixes for Chrome 32, Release 1-2016-10-02
337071UNKNOWN in NetworkASync::QueueDeletion-2016-10-02
337727Heap-buffer-overflow in __gnu_cxx::new_allocator<unsigned long>::construct-2016-10-02
337746Security: unicode character can create phishing-friendly address bar$1,5002016-10-02
337562Heap-use-after-free in WebCore::HTMLFormElement::removeImgElement-2016-10-02
336436Heap-use-after-free in WebCore::V8SVGAnimatedRect::visitDOMWrapper-2016-10-02
336875Heap-use-after-free in cc::FrameRateController::DidSwapBuffersComplete-2016-10-02
336841Security: WebRequest API allows modifying details in inline extension installations-2016-10-02
335416Heap-buffer-overflow in WebCore::Font::expansionOpportunityCount-2016-10-02
335242Heap-buffer-overflow in setup_frame_size_with_refs-2016-10-02
335921Heap-use-after-free in WebCore::AutofocusTask::performTask-2016-10-02
334448Uninit memory access in CLD2 inside translate::DeterminePageLanguage-2016-10-02
334314IndexedDB: Replace passing identically-sized vectors through IPC with passing pairs/tuples-2016-10-02
334897Security: Windows Sandbox Named Pipe Policy Doesn't Block Relative Paths$2,0002016-10-02
334204Same-origin security issue in <video> on Android-2016-10-02
334082Heap-use-after-free in plugins::PluginPlaceholder::ReplacePlugin-2016-10-02
333885Stack-use-after-return in _mesa_optimize_program-2016-10-02
334725Heap-use-after-free in WebCore::SpaceSplitString::set-2016-10-02
334274Security: Sandbox escape due to vector length mismatch in IndexedDBHostMsg_DatabasePut IPC message-2016-10-02
333378Heap-use-after-free in WebCore::ResourceFetcher::frame()$1,0002016-10-02
333156Use-after-free in WebCore::SVGAnimatedProperty::detachAnimatedPropertiesForElement-2016-10-02
333155Bad cast to XPath::Filter in XPathGrammar.y-2016-10-02
333094Security: Flash allows clipboard theft / manipulation for duration of session after receiving a single paste event-2016-10-02
333058Security: set_state global_handles renderer crash (UAF) with Web Workers and Web SQL$1,0002016-10-02
333038Security: Sandbox escape due to vector length mismatch in ImageHostMsg_DidDownloadImage IPC message-2016-10-02
333036Tracking bug for internal security fixes for Chrome 32, Release 0-2016-10-02
333431ASSERTION FAILED: !node || (node->isSVGElement()), UNKNOWN in WebCore::SVGSMILElement::connectEventBaseConditions-2016-10-02
332677ASSERTION FAILED: !node || (node->isElementNode()), UNKNOWN in WebCore::toElement-2016-10-02
332579Drag-and-drop files not working on Windows Aura-2016-10-02
332957PartialCircularBuffer is unsafe to use across security boundaries-2016-10-02
332675Use-after-free in plugins::PluginPlaceholder::UpdateMessage-2016-10-02
345526UNKNOWN in v8::internal::FixedArrayBase::length-2016-10-02
345715UNKNOWN in v8::internal::HeapObject::map_word-2016-10-02
344674UNKNOWN in content::TouchDispositionGestureFilter::OnGestureEventPacket-2016-10-02
344654Use-after-free in net::URLRequestContextGetter::OnDestruct-2016-10-02
345014Wild-access in WebCore::V8PerContextDataHolder::from-2016-10-02
344881Heap-use-after-free in WebCore::SpeechSynthesis::cancel$4,0002016-10-02
344359ASSERTION FAILED: bounds.width() >= 0 && bounds.height() >= 0 && radii.width() >= 0 && radii.height() >= 0, Heap-use-after-free in WebCore::RenderBlockFlow::constructLine-2016-10-02
344265Heap-use-after-free in views::TooltipManagerAura::UpdateTooltip-2016-10-02
344186OOB write due to invalid bounds check in v8-2016-10-02
344051Security: dump_vpd_log can be tricked into creating a file (or corrupt non-regular file)-2016-10-02
344492Heap-use-after-free in WebCore::SVGImage::setContainerSize$1,0002016-10-02
344360ASSERTION FAILED: !node || (node->isElementNode()), UNKNOWN in WebCore::RenderBlock::clone-2016-10-02
344230Use-after-free in WebCore::RootInlineBox::closestLeafChildForPoint$1,0002016-10-02
343648Stack-buffer-overflow in content::DecodeAudioFileData-2016-10-02
343582Use-after-free in WebCore::DocumentTimeline::createPlayer-2016-10-02
343383Renderer crash / heap-use-after-free in BrowserPlugin-2016-10-02
343265Heap-use-after-free in content::NavigatorImpl::NavigateToEntry-2016-10-02
343928UNKNOWN in v8::internal::FixedArrayBase::length-2016-10-02
343964UNKNOWN in v8::internal::FixedArray::get-2016-10-02
343461Global-buffer-overflow in SkBitmap::setConfig-2016-10-02
343661Security: UAF while deleting IndexedDB databases from (shared) workers$3,0002016-10-02
342618Security: UXSS via dispatchEvent on iframes (subject to some conditions)$3,0002016-10-02
342735Security: UaF in controller of color chooser$1,0002016-10-02
342949Security: Bypass extension install prompt with --install-from-webstore and --force-app-mode-2016-10-02
343050Use-after-free in WebCore::FrameView::autoSizeIfEnabled-2016-10-02
342856UNKNOWN in WebCore::ThreadState::visitStack-2016-10-02
341865Heap-use-after-free in WebCore::FrameLoader::loadHistoryItem-2016-10-02
342151Heap-use-after-free in ui::OnFileNotSelected-2016-10-02
341093Heap-use-after-free in WebCore::GraphicsContext::restore-2016-10-02
341220Chrome_ChromeOS: Crash Report - WebCore::KURL::init-2016-10-02
340687Heap-use-after-free in WebCore::CompositedLayerMapping::~CompositedLayerMapping-2016-10-02
340387Security: Unquoted path in mini_installer can lead to executing the wrong executable-2016-10-02
340125CHECK failure in CHECK(is_valid) failed: ../../v8/src/v8conversions.h(107)-2016-10-02
340124CHECK failure in CHECK(p->IsHeapObject()) failed: ../../v8/src/objects-debug.cc(219)-2016-10-02
340697ASSERTION FAILED: m_match == Tag, Heap-buffer-overflow in WebCore::RuleSet::findBestRuleSetAndAdd-2016-10-02
341754Heap-use-after-free in WebCore::WorkerThreadableWebSocketChannel::Peer::Peer-2016-10-02
341555HTTP iFrame loaded into HTTPS page (Mixed active content protection bypass)-2016-10-02
339994Heap-use-after-free in std::_Rb_tree<std::pair<int, media::AudioParameters>, std::pair<std::pair<int, media::AudioParameter-2016-10-02
340001Heap-use-after-free in WebCore::CSSParserValueList::~CSSParserValueList-2016-10-02
340007Heap-use-after-free in v8::internal::Heap::UpdateAllocationSiteFeedback-2016-10-02
340048Heap-use-after-free in WebCore::V8SVGAnimatedString::visitDOMWrapper-2016-10-02
339993ASSERTION FAILED: !box || (box->isSVGInlineFlowBox()), UNKNOWN in WebCore::SVGRootInlineBox::layoutCharactersInTextBoxes-2016-10-02
339667Heap-use-after-free in content::BrowserMessageFilter::Send-2016-10-02
351855Pwnium 4: Mali GPU driver does not mask out VM_MAYWRITE-2016-10-02
351852AsyncPixelTransfersCompletedQuery does not validate shared memory offset-2016-10-02
351811Security: Pwnium 4 GeoHot bug: cros-disks accepts labels, has path traversal issues.-2016-10-02
351796Security: Pwnium 4 GeoHot bug: try_touch_experiment command injection-2016-10-02
351788Security: Pwnium 4 GeoHot tracking bug$150,0002016-10-02
351787Pwnium 4: v8 OOB read/write with __defineGetter__ and bytesLength-2016-10-02
351729Use-after-free in WebCore::RenderObject::setPreferredLogicalWidthsDirty-2016-10-02
352043Chrome: Crash Report - WebCore::Resource::ResourceCallback::timerFired-2016-10-02
351815Pwnium: Extension system allows compromised renderer access to crosh-2016-10-02
351316Heap-use-after-free in WebCore::SMILTimeContainer::wakeupTimerFired-2016-10-02
351504Heap-use-after-free in gfx::ImageSkia::operator=-2016-10-02
351103sandbox::CodeGen::MergeTails (seccomp-bpf) is unsound for single-successor basic blocks$5002016-10-02
351314Heap-use-after-free in views::DesktopDispatcherClient::RunWithDispatcher-2016-10-02
351320UNKNOWN in v8::internal::Invoke-2016-10-02
351209UNKNOWN in v8::internal::MarkCompactCollector::ProcessMarkingDeque-2016-10-02
350760Use-after-free in WebCore::ShadowTreeStyleSheetCollection::collectStyleSheets-2016-10-02
350537Heap-use-after-free in printing::PrintViewManagerBase::ReleasePrinterQuery-2016-10-02
350535Security: Callers of showModalDialog can be trivially XSSed by a cross-origin modal dialog-2016-10-02
350863CHECK failure in CHECK(object->map()->IsMap()) failed: ../src/heap-inl.h(833)-2016-10-02
350930Heap-use-after-free in std::_Rb_tree<std::pair<int, media::AudioParameters>, std::pair<std::pair<int, media::AudioParameter-2016-10-02
350686Heap-use-after-free in webFrame-2016-10-02
350509ASSERTION FAILED: !value || (value->isPrimitiveValue()), UNKNOWN in WebCore::StyleBuilder::applyProperty-2016-10-02
350434[LangFuzz] Crash with jump to invalid address$2,0002016-10-02
350533Origin confusion bug in QUIC-2016-10-02
350055Heap-use-after-free in WebCore::CSSParserValueList::~CSSParserValueList-2016-10-02
349903ASSERTION FAILED: !object || (object->isListBox()), UNKNOWN in WebCore::HTMLSelectElement::listBoxDefaultEventHandler$1,5002016-10-02
349898Security: Integer Overflows in CharacterData::deleteData & CharacterData::replaceData$1,5002016-10-02
349465UNKNOWN in v8::internal::JSFunction::context-2016-10-02
350518Security: WinSock initialized in Utility Process.-2016-10-02
350100Heap-use-after-free in content::IndexedDBFactory::Open-2016-10-02
349079UNKNOWN in v8::internal::HeapObject::map_word-2016-10-02
348952Insecure marked as secure when restored from session-2016-10-02
348682ASSERTION FAILED: to <= m_run.length(), UNKNOWN in WebCore::HarfBuzzShaper::setDrawRange-2016-10-02
348581Dynamically created script tags disregard Content-Type and X-Content-Type-Options-2016-10-02
348550ParseHSTSHeader should tolerate trailing ";"-2016-10-02
348333Security: base::SHA1HashBytes produces wrong SHA1 hash when |len| >= 4GB-2016-10-02
348332Security: Integer overflow allocating shared memory in SoftwareFrameManager::SwapToNewFrame()$3,0002016-10-02
349135Heap-use-after-free in cc::internal::TaskGraphRunner::SetTaskGraph-2016-10-02
348175Tracking bug for internal security fixes for Chrome 33, Release 1-2016-10-02
347909CHECK failure in CHECK(value->IsHeapObject()) failed: ../src/objects-debug.cc(295)-2016-10-02
348319UNKNOWN in v8::internal::MemoryChunk::heap-2016-10-02
347720Security: Protocol handler UI does not filter "protocol" and "title" strings-2016-10-02
347543CHECK failure in CHECK(object_size <= Page::kMaxRegularHeapObjectSize) failed: ../src/ia32/macro-assembler-ia32.cc(15-2016-10-02
347532CHECK failure in CHECK(isolate->microtask_pending()) failed: ../src/execution.cc(358)-2016-10-02
347528CHECK failure in CHECK(IsNativeContext()) failed: ../src/contexts.h(462)-2016-10-02
347302Chrome_Linux: Crash Report - content::MediaStreamDispatcherHost::OnEnumerateDevices-2016-10-02
347846Bypassing policies set by removing battery (can be fixed)-2016-10-02
347284Scroll pointer iteration during tree sync is a really bad idea-2016-10-02
347177Use-after-free in media::GpuVideoDecoder::Initialize-2016-10-02
346997Security: Self signed assets don't fail.-2016-10-02
346744Security: download attribute allows download without user interaction-2016-10-02
346599Skia refcounted objects are held in non-refcounted places-2016-10-02
346557Heap-use-after-free in autofill::PasswordGenerator::Generate-2016-10-02
347262UNKNOWN in v8::internal::Map::instance_descriptors-2016-10-02
346343NO STACK-2016-10-02
346192Heap-use-after-free in WebCore::SVGFontFaceElement::associatedFontElement$1,0002016-10-02
346135Security: html files from file URLs can read data from other file URLs via drag-and-drop$1,0002016-10-02
346110Heap-use-after-free in get-2016-10-02
346489Heap-buffer-overflow in VariablePacker::searchColumn-2016-10-02
346141Global-buffer-overflow in GetVisitor-2016-10-02
345820UNKNOWN in v8::internal::HeapObject::map_word-2016-10-02
345929mirrorv2 crashes when nobody is receiving-2016-10-02
345959Integer overflows in StringBuilder-2016-10-02
358254Heap-buffer-overflow in UDataMemory_normalizeDataPointer_46-2016-10-02
358059UNKNOWN in v8::internal::HeapObject::map_word-2016-10-02
358057UNKNOWN in v8::internal::Simulator::DecodeType3-2016-10-02
358038Security: UAF/Crash in (websockets) onsentdata/reset with web and shared workers combined$2,0002016-10-02
357712Heap-use-after-free in void std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> >:-2016-10-02
358471importScripts ignores script-src CSP-2016-10-02
357382Security: ProcessManager::GetExtensionForRenderViewHost determines extension ID unsafely-2016-10-02
357292Use-after-free in WebCore::GraphicsLayer::updateContentsRect-2016-10-02
357669Heap-use-after-free in WebCore::FrameSelection::setSelection-2016-10-02
357242Heap-use-after-free in WebCore::RenderBox::enclosingFloatPaintingLayer-2016-10-02
357174Heap-use-after-free in WebCore::MemoryCache::insertInLRUList-2016-10-02
357452Heap-use-after-free in WebCore::RenderTreeBuilder::createRendererForElementIfNeeded-2016-10-02
357269Cross-origin request credentials are not removed properly in WebCore::DocumentThreadableLoader::loadRequest-2016-10-02
356736minijail should signal failure when it cannot change user/group-2016-10-02
356690Heap-use-after-free in WebCore::RenderObject::childAt$1,0002016-10-02
356653Security: Use after free in StyleEngine::createSheet$3,0002016-10-02
356652Extensions can modify the appearance of the Chrome Web Store-2016-10-02
356540Heap-use-after-free in content::BufferedResourceLoader::Stop-2016-10-02
356517Heap-use-after-free in WebCore::ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline-2016-10-02
357173Use-after-free in WebCore::AsyncCallStackTracker::didRemoveEventListener-2016-10-02
356235Untrusted synthetic gestures received in the browser are not verified-2016-10-02
356220NO STACK-2016-10-02
356211RETRY_AFTER_GC Failure Leak-2016-10-02
356181Security: WebGL texImage2D can enable out-of-bounds memory access on Android-2016-10-02
356095Heap-use-after-free in WebCore::HTMLBodyElement::insertedInto$2,0002016-10-02
356352ASSERTION FAILED: !webMediaPlayer(), Heap-use-after-free in blink::WebMediaPlayerClientImpl::load$1,0002016-10-02
355586UNKNOWN in int v8::internal::FlexibleBodyVisitor<v8::internal::NewSpaceScavenger, v8::internal::JSObject::BodyD-2016-10-02
355438Use-after-free in WebCore::RenderBlockFlow::checkFloatsInCleanLine-2016-10-02
355303UAF from RefCount Leak in Length::operator=-2016-10-02
355036Security: integer overflow validating size in mojo::internal::FixedBuffer::Allocate-2016-10-02
354931Security: UAF in NotifyAndDeleteIfDone/browser process crash related to WebSQL transactions in a Web Worker-2016-10-02
354878Heap-use-after-free in WebCore::RenderText::firstAbstractInlineTextBox-2016-10-02
355373ASSERTION FAILED: !widget || (widget->isPluginView()), UNKNOWN in WebCore::CompositedLayerMapping::updateGraphicsLayerConfiguration-2016-10-02
354297use-of-uninitialized-memory in WebCore::RenderStyle::fontDescription, may cause use-after-free or some such-2016-10-02
353895Heap-use-after-free in WebCore::StylePendingImage::cssValue-2016-10-02
353894Heap-use-after-free in WebCore::StyleEngine::createSheet-2016-10-02
354669Chrome_ChromeOS: Crash Report - net::QuicConnection::CanWrite-2016-10-02
354058UNKNOWN in DecodeContextMap-2016-10-02
353579Security: Android show full security for weak DH groups.-2016-10-02
353577ASSERTION FAILED: cc < codePointsNumber, UNKNOWN in WebCore::MediaQueryTokenizer::nextToken-2016-10-02
353224libwidevinecdm.so text section is writeable (rwx)-2016-10-02
353058Heap-buffer-overflow in v8::internal::Simulator::DecodeType2-2016-10-02
353035Heap-use-after-free in WebCore::MemoryCache::evict-2016-10-02
353013Security: admin.google.com should have HSTS preloaded-2016-10-02
352982CHECK failure in CHECK(object->map()->IsMap()) failed: ../src/heap-inl.h(818)-2016-10-02
353621Use-after-free in WebCore::InspectorCSSAgent::collectAllDocumentStyleSheets-2016-10-02
352941Use-after-free in WebCore::StyleSheetContents::startLoadingDynamicSheet-2016-10-02
352929UNKNOWN in v8::internal::Invoke-2016-10-02
352851Security: UaF in SpeechRecognitionBubbleImpl::~SpeechRecognitionBubbleImpl$1,0002016-10-02
352447Security: Use a narrowwhitelist for VFS names-2016-10-02
352429Security: Junction Point directory traversal vulnerability - pwn2own 2014-2016-10-02
352395Pwn2Own (3/13/2014): Compromised renderers can set arbitrary clipboard formats-2016-10-02
352380Geolocation permission is remembered on an HTTP site-2016-10-02
352905Security: Incorrect origin shown on modal windows opened by sub-frames of chrome.google.com/webstore-2016-10-02
352369Pwn2own (3/13/2014): VUPEN exploit.-2016-10-02
352181ASSERTION FAILED: !CustomElementCallbackDispatcher::inCallbackDeliveryScope(), UNKNOWN in WebCore::CustomElementMicrotaskDispatcher::doDispatch-2016-10-02
352178Heap-use-after-free in WebCore::SVGFontFaceElement::associatedFontElement-2016-10-02
352083Security: Chrome for Android - URL bar spoof$3,0002016-10-02
352374Pwn2own (3/13/2014): Use-after-free in bindings-2016-10-02
364511Buffer overflow vulnerability in glibc-2016-10-02
364405Security: input events to plugins bypass regular user gesture tracking-2016-10-02
364365Crash while creating a SPDY session-2016-10-02
364066ASSERTION FAILED: !activeAnimations || !activeAnimations->isAnimationStyleChange(), Heap-use-after-free in WebCore::CSSAnimations::AnimationEventDelegate::maybeDispatch-2016-10-02
364065SEGV in media::InMemoryUrlProtocol::Read$1,0002016-10-02
363873ASSERTION FAILED: !object || (object->isBox()), UNKNOWN in WebCore::CompositedLayerMapping::updateGraphicsLayerGeometry$3,0002016-10-02
363841Hosted app alerts from iframes show title of app, not domain of iframe-2016-10-02
363631ASSERTION FAILED: !value || (value->isPrimitiveValue()), UNKNOWN in WebCore::StyleBuilderFunctions::applyValueCSSPropertyFontVariant-2016-10-02
363390Security: 64-bit may leak kernel addresses via LDT-2016-10-02
362887Security: SSL CRL Vulnerability in Android Chrome-2016-10-02
362865Heap-use-after-free in WebCore::InlineBox::root-2016-10-02
362898Heap-use-after-free in WebCore::Resource::checkNotify-2016-10-02
362558Heap-use-after-free in content::VideoCaptureImpl::InitOnIOThread-2016-10-02
362480Use-after-free in WebCore::Chrome::notifyPopupOpeningObservers-2016-10-02
362110ASSERTION FAILED: positionOffset <= node->length(), UNKNOWN in WebCore::updatePositionAfterAdoptingTextReplacement-2016-10-02
362109ASSERTION FAILED: i <= length, UNKNOWN in WebCore::WindowFeatures::WindowFeatures-2016-10-02
361933Global-buffer-overflow in v8::internal::VisitorDispatchTable<void-2016-10-02
362762Import qcms buffer overflow fix-2016-10-02
362310Use-after-free in WebCore::MutableStylePropertySet::mergeAndOverrideOnConflict-2016-10-02
360784Use-after-free in WebCore::RenderTextFragment::originalText-2016-10-02
361608UNKNOWN in v8::internal::Invoke-2016-10-02
360733Heap-buffer-overflow in v8::internal::Simulator::HandleRList-2016-10-02
360798Security: openssl info leak-2016-10-02
360595Heap-buffer-overflow in bits_to_runs-2016-10-02
360448Eavesdrop on the user speech - abusing the old speech API-2016-10-02
360431Heap-buffer-overflow in getNextNormalizedChar-2016-10-02
360430ASSERTION FAILED: index < TypedArrayBase<T>::m_length, UNKNOWN in WebCore::FEDisplacementMap::applySoftware-2016-10-02
360429ASSERTION FAILED: actualInfo->derefObjectFunction == wrapperTypeInfo.derefObjectFunction, UNKNOWN in WebCore::V8HTMLElement::createWrapper-2016-10-02
360408Stack-buffer-overflow in opj_read_bytes_LE-2016-10-02
360403Heap-buffer-overflow in bool WebCore::CSSTokenizer::parseURIInternal<unsigned char, unsigned short>-2016-10-02
360478UNKNOWN in void v8::internal::String::Visit<v8::Utf8LengthHelper::Visitor, v8::internal::ConsStringCaptureOp>-2016-10-02
360433Heap-use-after-free in uprv_strdup_46-2016-10-02
360504Security: I accidentially disabled relro on chromeos arm m35.-2016-10-02
360481ASSERTION FAILED: !m_clusterStack.isEmpty(), UNKNOWN in WebCore::FastTextAutosizer::currentCluster-2016-10-02
360205Heap-buffer-overflow in opj_mct_decode-2016-10-02
360171ASSERTION FAILED: !m_clusterStack.isEmpty(), UNKNOWN in WebCore::FastTextAutosizer::currentCluster-2016-10-02
360163Heap-use-after-free in WebCore::BreakingContext::commitAndUpdateLineBreakIfNeeded-2016-10-02
360345Heap-use-after-free in media::DecryptingDemuxerStream::Stop-2016-10-02
360344UNKNOWN in opj_j2k_read_SQcd_SQcc-2016-10-02
360214Heap-use-after-free in WebCore::DocumentMarkerController::removeMarkersFromList-2016-10-02
359525CHECK failure in CHECK(size_in_bytes <= kMaxBlockSize) failed: ../src/spaces.cc(2378)-2016-10-02
360053Global-buffer-overflow in CFX_FaceCache::RenderGlyph-2016-10-02
359134UNKNOWN in v8::internal::MemoryChunk::IsFlagSet-2016-10-02
359130Heap-use-after-free in WebCore::SpeechSynthesisUtterance::startTime-2016-10-02
359802ZDI-CAN-2245: Google Chrome ImageData Signedness Error Remote Code Execution VulnerabilityImageData Signedness Error Remote Code Execution Vulnerability-2016-10-02
359454Security: Integer overflow allocating shared memory in AudioInputRendererHost::OnCreateStream$3,0002016-10-02
359602Heap-use-after-free in WebCore::InlineBox::root-2016-10-02
358571Security: appengine.google.com has wildcard but not include_subdomains-2016-10-02
358667Heap-buffer-overflow in void WebCore::CSSTokenizer::parseIdentifier<unsigned char>-2016-10-02
358960Heap-use-after-free in content::MediaStreamAudioSinkOwner::OnReadyStateChanged-2016-10-02
358813 | Heap-use-after-free in WebCore::Scrollbar::gestureEvent | - | 2016-10-02
369760 | UNKNOWN in content::WAVEDecoder::ReadChunkHeader | - | 2016-10-02
369759 | ASSERTION FAILED: positionOffset <= node->length(), UNKNOWN in WebCore::updatePositionAfterAdoptingTextReplacement | - | 2016-10-02
369621 | Crash in content::RendererClipboardWriteContext::WriteBitmapFromPixels | $500 | 2016-10-02
369615 | ASSERT !m_paintStateIndex failure in ~GraphicsContext, missing a restore(). | - | 2016-10-02
369848 | double-click allows to steal form history | - | 2016-10-02
369808 | Heap-use-after-free in void WebCore::ImageDecodingStore::insertCacheInternal<WebCore::ImageDecodingStore::ImageCacheEntry, | - | 2016-10-02
369517 | UNKNOWN in SkPath::isRectContour | - | 2016-10-02
369525 | ASSERTION FAILED: static_cast<FileError::ErrorCode>(code) != FileError::ABORT_ERR, Heap-use-after-free in v8::internal::GlobalHandles::Node::Release | $1,000 | 2016-10-02
368980 | Heap-buffer-overflow in ff_er_frame_end | - | 2016-10-02
369519 | ASSERTION FAILED: !tryCatch.HasCaught() || result.IsEmpty(), Heap-use-after-free in WebCore::InlineBox::dirtyLineBoxes | - | 2016-10-02
369127 | UNKNOWN in v8::internal::NoBarrier_Load | - | 2016-10-02
368551 | Use-after-free in WebCore::ResourcePtrBase::setResource | - | 2016-10-02
368978 | Bad-cast to WebCore::ShadowRoot from WebCore::Text;ShadowRoot.h:164:1 | - | 2016-10-02
368979 | UNKNOWN in v8::internal::NoBarrier_Load | - | 2016-10-02
367817 | Cross origin bypass with Object.observe(). | - | 2016-10-02
367812 | Security: AppCache allows MITM of same-origin shared hosting | - | 2016-10-02
367764 | UNKNOWN in SkValidatingReadBuffer::readString | - | 2016-10-02
367567 | Security: Any extension can debug any other extension (e.g. crosh) | $1,500 | 2016-10-02
367985 | UNKNOWN in android::MPEG4Source::stop | - | 2016-10-02
367544 | UNKNOWN in CJBig2_GSIDProc::decode_Arith | - | 2016-10-02
367508 | Use-after-free in WebCore::RenderObjectChildList::destroyLeftoverChildren | - | 2016-10-02
366781 | WebVector::initialize{From} should bounds check its size parameter | - | 2016-10-02
366694 | UNKNOWN in opj_read_bytes_LE | - | 2016-10-02
366693 | Global-buffer-overflow in CJS_PublicMethods::MakeFormatDate | - | 2016-10-02
366692 | Heap-use-after-free in Document::title | - | 2016-10-02
366690 | Heap-buffer-overflow in j2k_read_ppm_v3 | - | 2016-10-02
366947 | PSL matching should only apply to HTML forms | - | 2016-10-02
366797 | Security: UAF in mojo::internal::DecodePointerRaw | - | 2016-10-02
366510 | Heap-use-after-free in content::RenderFrameHostImpl::JavaScriptDialogClosed | - | 2016-10-02
366687 | Heap-buffer-overflow in load_truetype_glyph | - | 2016-10-02
366685 | Heap-buffer-overflow in CPDF_ColorSpace::TranslateImageLine | - | 2016-10-02
366683 | UNKNOWN in libc.so.6 | - | 2016-10-02
366682 | UNKNOWN in CFXMEM_FixedMgr::AllocLarge | - | 2016-10-02
366681 | UNKNOWN in CFXMEM_FixedMgr::Realloc | - | 2016-10-02
366686 | Heap-buffer-overflow in j2k_read_ppm_v3 | - | 2016-10-02
366496 | Mobile Chrome Sync tokens used by the mobile Chrome browser can be used to push extensions. | - | 2016-10-02
366688 | Heap-use-after-free in CPDFSDK_Document::GetInterForm | - | 2016-10-02
366689 | Heap-use-after-free in opj_stream_read_data | - | 2016-10-02
366182 | Use-after-free in std::_For_each<std::_Deque_unchecked_iterator<std::_Deque_val<std::_Deque_simple_types<appcache::App | - | 2016-10-02
365359 | Malicious page can escalate to content script privilege level when content script modifies page DOM | $1,000 | 2016-10-02
366251 | Security: CSP policy matching can be used as a timing oracle | - | 2016-10-02
365064 | Heap-use-after-free in WebCore::CompositedLayerMapping::~CompositedLayerMapping | $2,000 | 2016-10-02
365141 | Heap-use-after-free in media::Pipeline::StateTransitionTask | - | 2016-10-02
377416 | Heap-use-after-free in WebCore::RenderBlockFlow::determineStartPosition | - | 2016-10-02
377392 | Linux kernel futex() memory corruption vulnerability and exploit | $10,000 | 2016-10-02
377209 | UNKNOWN in v8::internal::MemoryChunk::heap | - | 2016-10-02
377193 | Heap-use-after-free in SkPathRef::resetToSize | - | 2016-10-02
377290 | UNKNOWN in v8::internal::Map::instance_type | - | 2016-10-02
376951 | Security: webgl draw buffers extension can expose unitialized video memory to webpage | $2,000 | 2016-10-02
376802 | Heap-buffer-overflow in decoder_decode | - | 2016-10-02
376748 | Heap-use-after-free in WebCore::ImageLoader::doUpdateFromElement | - | 2016-10-02
377118 | Security: Close manually opened tab via scripting | - | 2016-10-02
376800 | Heap-buffer-overflow in WebCore::TextResourceDecoder::checkForCSSCharset | - | 2016-10-02
375954 | Heap-use-after-free in WebCore::ShapeOutsideInfo::isEnabledFor | - | 2016-10-02
376438 | Heap-use-after-free in nextOnLine | - | 2016-10-02
375672 | ThreadSanitizer reports a use-after-free in DomSerializerTests.SerializeHTMLDOMWithEmptyHead | - | 2016-10-02
376433 | ASSERTION FAILED: obj->isRenderInline() || obj == this, UNKNOWN in WebCore::RenderBlockFlow::createLineBoxes | - | 2016-10-02
374904 | ASSERTION FAILED: !node || (node->isShadowRoot()), UNKNOWN in WebCore::TextIterator::advance | - | 2016-10-02
374443 | Heap-buffer-overflow in v8::internal::__RT_impl_Runtime_TypedArrayInitializeFromArrayLike | - | 2016-10-02
374452 | Network icon should be updated when a VPN disconnects | - | 2016-10-02
374052 | Heap-use-after-free in SkScaledImageCache::findAndLock | - | 2016-10-02
373312 | Heap-buffer-overflow in WebRtcIsacfix_Decode | - | 2016-10-02
374497 | Heap-use-after-free in WebCore::BaseMultipleFieldsDateAndTimeInputType::spinButtonElement | - | 2016-10-02
374665 | Heap-use-after-free in WebCore::SQLiteStatement::prepare | - | 2016-10-02
374176 | Security: no javascript: url pasting protection on android | - | 2016-10-02
372525 | Security: heap write access due to integer overflow on bspatch implementations | - | 2016-10-02
372413 | UNKNOWN in CFXMEM_Page::Free | - | 2016-10-02
373283 | UNKNOWN in v8::internal::NoBarrier_Load | - | 2016-10-02
372410 | Heap-buffer-overflow in CPDF_DIBSource::TranslateScanline24bpp | - | 2016-10-02
372820 | ASSERTION FAILED: !value || (value->isStepsTimingFunctionValue()), UNKNOWN in WebCore::CSSToStyleMap::mapAnimationTimingFunction | - | 2016-10-02
372411 | Global-buffer-overflow in CJS_PublicMethods::MakeFormatDate | - | 2016-10-02
372110 | Heap-use-after-free in SkImageFilter::filterImage | - | 2016-10-02
371380 | Heap-use-after-free in opj_read_from_memory | - | 2016-10-02
372206 | Crash on content::WebURLLoaderImpl::cancel | - | 2016-10-02
371813 | Heap-use-after-free in content::ResourceDispatcher::RemovePendingRequest | - | 2016-10-02
371237 | Heap-buffer-overflow in SkBitmapHeap::getBitmap | - | 2016-10-02
371240 | Global-buffer-overflow in SkBlitter::Choose | - | 2016-10-02
369860 | Security: ASAN heap-use-after-free in SVGElement::propertyFromAttribute | $2,000 | 2016-10-02
385268 | Heap-use-after-free in WebCore::RenderBlock::computeBlockPreferredLogicalWidths | - | 2016-10-02
385054 | UNKNOWN in v8::internal::Invoke | - | 2016-10-02
385002 | Heap-buffer-overflow in v8::internal::Simulator::HandleRList | - | 2016-10-02
384890 | Heap-use-after-free in WebCore::FrameLoaderStateMachine::advanceTo | - | 2016-10-02
384662 | Security: Possible integer overflow in CFX_BasicArray::Append | - | 2016-10-02
384365 | Heap-use-after-free in chrome_pdf::PDFiumPage::GetPage | - | 2016-10-02
384223 | Security: http basic authentication dialog from background tab is displayed over the active tab | - | 2016-10-02
383939 | Heap-use-after-free in JavaObjectWeakGlobalRef::get | - | 2016-10-02
384891 | Heap-buffer-overflow in chrome_pdf::AlphaBlend | - | 2016-10-02
383725 | [PowerProfiler] Browser crashes with active timeline recording for capturing power | - | 2016-10-02
383777 | ASSERTION FAILED: positionOffset <= node->length() | $1,000 | 2016-10-02
383703 | ASSERT_WITH_SECURITY_IMPLICATION(i <= length) in WebCore::Document::processArguments | - | 2016-10-02
382921 | Uninitialized members in OriginChipView | - | 2016-10-02
382820 | Heap-buffer-overflow in CPDF_DeviceCS::TranslateImageLine | - | 2016-10-02
382766 | Security: never build chrome-sandbox with ASAN coverage | - | 2016-10-02
382667 | Security: Integer overflow from "offset + size" everywhere | - | 2016-10-02
383704 | ASSERT_WITH_SECURITY_IMPLICATION(i <= length) in WebCore::WindowFeatures::WindowFeatures | - | 2016-10-02
382260 | Heap-use-after-free in content::ThreadedDataProvider::Stop | - | 2016-10-02
382639 | Security: Integer overflow in fpdfsdk/include/fsdk_mgr.h | - | 2016-10-02
382522 | Heap-use-after-free in media::MidiManager::CompleteInitializationInternal | - | 2016-10-02
382513 | UNKNOWN in v8::internal::Simulator::DecodeType2 | - | 2016-10-02
382279 | Heap-use-after-free in WebCore::HTMLFrameElementBase::openURL | - | 2016-10-02
382601 | Integer overflow in FX_AllocStringW | - | 2016-10-02
382243 | UNKNOWN in CFXMEM_FixedMgr::AllocLarge | - | 2016-10-02
382242 | UNKNOWN in _CMapLookupCallback | - | 2016-10-02
382241 | Heap-buffer-overflow in CPDF_TrueTypeFont::LoadGlyphMap | - | 2016-10-02
382656 | Security: Integer overflow in ./core/include/fxcrt/fx_basic.h and ./core/include/fxcrt/fx_memory.h | - | 2016-10-02
382606 | Security: Integer overflow in javascript/Document.cpp | - | 2016-10-02
382239 | Heap-buffer-overflow in opj_j2k_update_image_data | - | 2016-10-02
382121 | Heap-use-after-free in content::RenderFrameImpl::didFinishLoad | - | 2016-10-02
381808 | Security: JavaScript can detect visited links via CSS nested <a><button> + getClientRects height (OSX) | $1,000 | 2016-10-02
381696 | Global-buffer-overflow in CFX_Font::LoadGlyphPath | - | 2016-10-02
382240 | Stack-buffer-overflow in IccLib_Translate | - | 2016-10-02
381521 | Heap-buffer-overflow in CFX_WideString::FromUTF16LE | - | 2016-10-02
381534 | UNKNOWN in v8::internal::Invoke | - | 2016-10-02
381465 | Crash when legacy EVP_PKEY outlives Java wrapper on Android 4.1.2. | - | 2016-10-02
381200 | Security: OpenSSL CCS Vulnerability | - | 2016-10-02
381031 | Attempting free in CJBig2_Context::~CJBig2_Context | - | 2016-10-02
380885 | Security: Cache-based SOP-Bypass for Images | $2,000 | 2016-10-02
380723 | Heap-buffer-overflow in SkValidatingReadBuffer::readRect | - | 2016-10-02
381244 | Heap-buffer-overflow in void SkMatrixConvolutionImageFilter::filterPixels<UncheckedPixelFetcher, true> | - | 2016-10-02
380512 | UNKNOWN in v8::internal::Invoke | - | 2016-10-02
379998 | Heap-use-after-free in WebCore::V8SVGTransformList::visitDOMWrapper | - | 2016-10-02
379856 | Heap-use-after-free in content::PeerConnectionAudioSinkOwner::OnData | - | 2016-10-02
379799 | UNKNOWN in unsafe_free | - | 2016-10-02
379656 | Security: Integer overflow leads to buffer overflow in PDF_EncodeText | - | 2016-10-02
380663 | Security: Safe Browsing for Executable Files can be bypassed by using the FileSystem API | $500 | 2016-10-02
379458 | Heap-buffer-overflow in WebRtcIsacfix_Decode | - | 2016-10-02
379271 | Security: New UserGestureIndicator created for every touch event. | - | 2016-10-02
378782 | Heap-buffer-overflow in matroska_read_seek | - | 2016-10-02
378512 | Security: Clicking "export" in Certificate Viewer can cause navigation to arbitrary filesystem paths | - | 2016-10-02
378469 | Heap-use-after-free in WebCore::GraphicsContext::drawImage | - | 2016-10-02
378179 | Heap-use-after-free in cricket::ChannelManager::StopVideoCapture | - | 2016-10-02
378175 | Heap-buffer-overflow in SkReadBuffer::readBitmap | - | 2016-10-02
378167 | ASSERTION FAILED: value.isPrimitiveValue(), UNKNOWN in WebCore::StylePropertySerializer::backgroundRepeatPropertyValue | - | 2016-10-02
387844 | Use-of-uninitialized-value in CPDF_StreamParser::ParseNextElement | - | 2016-10-02
387843 | Use-of-uninitialized-value in EvalSegmentedFn | - | 2016-10-02
387841 | Use-of-uninitialized-value in CPDF_DIBSource::TranslateScanline24bpp | - | 2016-10-02
387840 | Use-of-uninitialized-value in T1_Load_Glyph | - | 2016-10-02
387845 | Use-of-uninitialized-value in FPDFAPI_inflate | - | 2016-10-02
387842 | Use-of-uninitialized-value in aes_decrypt_nb_4 | - | 2016-10-02
387837 | Use-of-uninitialized-value in opj_t2_read_packet_header | - | 2016-10-02
387826 | Use-of-uninitialized-value in cmsXYZ2Lab | - | 2016-10-02
387835 | Use-of-uninitialized-value in _DrawGouraud | - | 2016-10-02
387834 | Use-of-uninitialized-value in CRYPT_ArcFourCryptBlock | - | 2016-10-02
387833 | Use-of-uninitialized-value in CPDF_Parser::LoadCrossRefV4 | - | 2016-10-02
387832 | Use-of-uninitialized-value in CXML_Parser::SkipLiterals | - | 2016-10-02
387831 | Use-of-uninitialized-value in CPDF_DeviceCS::GetRGB | - | 2016-10-02
387827 | Use-of-uninitialized-value in CXML_Parser::SkipLiterals | - | 2016-10-02
387838 | Use-of-uninitialized-value in CCodec_RLScanlineDecoder::Create | - | 2016-10-02
387839 | Use-of-uninitialized-value in _CompositeRow_Argb2Rgb_NoBlend | - | 2016-10-02
387836 | Use-of-uninitialized-value in CFX_Matrix::TransformRect | - | 2016-10-02
387816 | Use-of-uninitialized-value in CXML_Parser::ParseElement | - | 2016-10-02
387824 | Use-of-uninitialized-value in _A85Decode | - | 2016-10-02
387820 | Use-of-uninitialized-value in CPDF_Function::Call | - | 2016-10-02
387819 | Use-of-uninitialized-value in CPDF_SimpleParser::GetWord | - | 2016-10-02
387818 | Use-of-uninitialized-value in CPDF_StreamParser::GetNextWord | - | 2016-10-02
387817 | Use-of-uninitialized-value in _FaxG4GetRow | - | 2016-10-02
387821 | Use-of-uninitialized-value in FXSYS_round | - | 2016-10-02
387815 | Use-of-uninitialized-value in CPDF_RenderStatus::GetFillArgb | - | 2016-10-02
387814 | Use-of-uninitialized-value in CXML_Parser::GetTagName | - | 2016-10-02
387813 | Use-of-uninitialized-value in CXML_Parser::SkipLiterals | - | 2016-10-02
387825 | Use-of-uninitialized-value in CLZWDecoder::Decode | - | 2016-10-02
387822 | Use-of-uninitialized-value in CXML_Parser::GetCharRef | - | 2016-10-02
387811 | Use-of-uninitialized-value in CStretchEngine::ContinueStretchHorz | - | 2016-10-02
387809 | Use-of-uninitialized-value in CPDF_SeparationCS::GetRGB | - | 2016-10-02
387808 | Use-of-uninitialized-value in _RGB_Blend | - | 2016-10-02
387807 | Use-of-uninitialized-value in FXSYS_StrToInt<int, | - | 2016-10-02
387806 | Use-of-uninitialized-value in CJBig2_Context::parseSegmentHeader | - | 2016-10-02
387805 | Use-of-uninitialized-value in CJBig2_Context::parseSegmentHeader | - | 2016-10-02
387803 | Use-of-uninitialized-value in CPDF_SimpleParser::ParseWord | - | 2016-10-02
387812 | Use-of-uninitialized-value in IccLib_Translate | - | 2016-10-02
387801 | Use-of-uninitialized-value in CPDF_DeviceNCS::GetRGB | - | 2016-10-02
387800 | Use-of-uninitialized-value in _cmsReadHeader | - | 2016-10-02
387802 | Use-of-uninitialized-value in CXML_Parser::ParseElement | - | 2016-10-02
387798 | Use-of-uninitialized-value in CJBig2_Context::parseSymbolDict | - | 2016-10-02
387796 | Use-of-uninitialized-value in CFX_MapByteStringToPtr::operator | - | 2016-10-02
387793 | Use-of-uninitialized-value in CPDF_TrueTypeFont::LoadGlyphMap | - | 2016-10-02
387792 | Use-of-uninitialized-value in compareCID | - | 2016-10-02
387791 | Use-of-uninitialized-value in CPDF_Parser::LoadCrossRefV5 | - | 2016-10-02
387790 | Use-of-uninitialized-value in CPDF_Function::Call | - | 2016-10-02
387789 | Use-of-uninitialized-value in CPDF_StreamParser::ReadString | - | 2016-10-02
387788 | Use-of-uninitialized-value in CXML_Parser::ParseElement | - | 2016-10-02
387786 | Use-of-uninitialized-value in CPDF_StreamParser::ReadHexString | - | 2016-10-02
387785 | Use-of-uninitialized-value in CPDF_DeviceNCS::GetRGB | - | 2016-10-02
387797 | Use-of-uninitialized-value in tt_glyph_load | - | 2016-10-02
387783 | Use-of-uninitialized-value in CPDF_DataAvail::GetObject | - | 2016-10-02
387778 | Use-of-uninitialized-value in CXML_Parser::GetCharRef | - | 2016-10-02
387781 | Use-of-uninitialized-value in T1_Load_Glyph | - | 2016-10-02
387780 | Use-of-uninitialized-value in _FaxGetRun | - | 2016-10-02
387779 | Use-of-uninitialized-value in CPDF_Function::Call | - | 2016-10-02
387784 | Use-of-uninitialized-value in PDF_DecodeText | - | 2016-10-02
387777 | Use-of-uninitialized-value in MatShaperEval16 | - | 2016-10-02
387776 | Use-of-uninitialized-value in CPDF_Parser::LoadCrossRefV4 | - | 2016-10-02
387775 | Use-of-uninitialized-value in CPDF_RenderStatus::LoadSMask | - | 2016-10-02
387774 | Use-of-uninitialized-value in CPDF_DataAvail::GetObject | - | 2016-10-02
387506 | Use-of-uninitialized-value in FXSYS_round | - | 2016-10-02
387782 | Use-of-uninitialized-value in CPDF_DIBSource::DownSampleScanline | - | 2016-10-02
387389 | Heap-use-after-free in WebCore::DocumentV8Internal::getElementByIdMethodCallbackForMainWorld | $2,000 | 2016-10-02
387371 | Bad-cast to gfx::MultiAnimation from gfx::ThrobAnimation;tab.cc:1096:11 | - | 2016-10-02
387315 | Bad-cast to WebCore::HTMLLabelElement from WebCore::SVGUnknownElement;WebNode.h:164:16 | - | 2016-10-02
387313 | Use-of-uninitialized-value in t1_parse_font_matrix | - | 2016-10-02
387211 | Bad-cast to WebCore::RenderInline from WebCore::RenderBlockFlow;RenderInline.h:195:1 | - | 2016-10-02
387037 | DownloadPathIsDangerous should verify that the path is a directory | - | 2016-10-02
387033 | Navigation bypass for web -> file | - | 2016-10-02
387031 | Security: V8 Array length getter override | - | 2016-10-02
387016 | Bad-cast to WebCore::SpeechSynthesisUtterance from WebCore::SpeechSynthesis; V8EventTargetCustom.cpp:52:5 | - | 2016-10-02
387470 | Heap-use-after-free in WebCore::DocumentThreadableLoader::notifyFinished | - | 2016-10-02
387014 | Use-of-uninitialized-value in CPDF_RenderStatus::GetStrokeArgb | - | 2016-10-02
387013 | Use-of-uninitialized-value in CPDF_DIBSource::GetScanline | - | 2016-10-02
387011 | Use-of-uninitialized-value in CPDF_StandardSecurityHandler::GetUserPassword | - | 2016-10-02
387010 | Use-of-uninitialized-value in sfnt_open_font | - | 2016-10-02
386730 | Use-of-uninitialized-value in CPDF_DeviceNCS::GetRGB | - | 2016-10-02
386729 | Use-of-uninitialized-value in CPDF_RenderStatus::GetFillArgb | - | 2016-10-02
386728 | Use-of-uninitialized-value in CPDF_DeviceCS::GetRGB | - | 2016-10-02
386034 | UNKNOWN in v8::internal::Invoke | - | 2016-10-02
386988 | Full chain exploit + sandbox escape: Array.concat -> extension install -> download exec | $30,000 | 2016-10-02
385691 | Bad cast from DevToolsNetworkTransactionFactory to HttpNetworkLayer | - | 2016-10-02
385646 | Heap-buffer-overflow in vp9_resize_frame_buffers | - | 2016-10-02
391570 | Stack-buffer-overflow in content::webcrypto::platform::CreatePublicKeyAlgorithm | $1,000 | 2016-10-02
391472 | Use-of-uninitialized-value in CPDF_DeviceNCS::GetRGB | - | 2016-10-02
391470 | Use-of-uninitialized-value in CPDF_RenderStatus::DrawShading | - | 2016-10-02
391301 | Use-of-uninitialized-value in cc::SolidColorDrawQuad::SetNew | - | 2016-10-02
391023 | Uninitialized IPC message in OutOfProcessPPAPITest.ImageData | - | 2016-10-02
391004 | Use-of-uninitialized-value in SkUnPreMultiply::UnPreMultiplyPreservingByteOrder | - | 2016-10-02
391001 | Use-of-uninitialized-value in SkFlatDictionary<SkPaint, SkPaint::FlatteningTraits>::findAndReturnMutableF | $500 | 2016-10-02
391000 | Use-of-uninitialized-value in SkBitmap::setAlphaType | - | 2016-10-02
390999 | Use-of-uninitialized-value in WebCore::OpaqueRegionSkia::markRectAsNonOpaque | - | 2016-10-02
390997 | Use-of-uninitialized-value in FT_Outline_Get_Orientation | - | 2016-10-02
390973 | Use-of-uninitialized-value in IPC::ChannelPosix::ProcessOutgoingMessages | - | 2016-10-02
390970 | Use-of-uninitialized-value in IPC::ChannelPosix::ProcessOutgoingMessages | - | 2016-10-02
390945 | Use-of-uninitialized-value in put_vp8_epel16_h6v6_c | - | 2016-10-02
390944 | Use-of-uninitialized-value in vp3_h_loop_filter_c | - | 2016-10-02
390941 | Use-of-uninitialized-value in vp8_h_loop_filter16_c | - | 2016-10-02
390936 | Use-after-poison in WebCore::ThreadHeap<WebCore::FinalizedHeapObjectHeader>::addToFreeList | - | 2016-10-02
390928 | Heap-use-after-free in v8::internal::GlobalHandles::Create | $4,000 | 2016-10-02
390711 | Security: umount can be called from non-root user via fusermount | - | 2016-10-02
390567 | UNKNOWN in base::Time::LocalMidnight | - | 2016-10-02
390709 | Security: Local Priv Esc - pppd malformed config file could lead to code execution in suid binary | - | 2016-10-02
390601 | Use-of-uninitialized-value in CFX_WideString::InitStr | - | 2016-10-02
390570 | Heap-use-after-free in WebCore::MediaValues::calculateMediaType | - | 2016-10-02
390569 | Heap-use-after-free in WebCore::RenderBlockFlow::computeInlinePreferredLogicalWidths | - | 2016-10-02
390624 | Security: Extensions can spoof the list of host permissions in the permission dialog | $1,000 | 2016-10-02
390563 | Heap-use-after-free in content::ChildSharedBitmapManager::FreeSharedMemory | - | 2016-10-02
390314 | Use-of-uninitialized-value in WebCore::PositionOptions::PositionOptions | - | 2016-10-02
390308 | Use-of-uninitialized-value in v8::internal::Factory::NewNumber | - | 2016-10-02
390304 | Use-of-uninitialized-value in webrtc::BuildMediaDescription | - | 2016-10-02
390176 | Heap-use-after-free in WebCore::HTMLImportLoader::removeImport | - | 2016-10-02
389285 | Heap-use-after-free in WebCore::RenderInline::inlineElementContinuation | - | 2016-10-02
389316 | Use-of-uninitialized-value in WebCore::TransformationMatrix::blend | - | 2016-10-02
389451 | Security: SDCH dictionary URL check can be bypassed | - | 2016-10-02
389570 | Heap-buffer-overflow in convolveVertically_SSE2 | - | 2016-10-02
389573 | Use-of-uninitialized-value in v8::internal::Decoder<v8::internal::Simulator>::DecodeBranchSystemException | - | 2016-10-02
389595 | Use-of-uninitialized-value in void v8::internal::Simulator::AddSubHelper<long> | - | 2016-10-02
389734 | Security: You can spoof any domain in the URL bar | $500 | 2016-10-02
390069 | Use-of-uninitialized-value in read_tag_lutmABType | - | 2016-10-02
390174 | Heap-use-after-free in WebCore::KURL::~KURL | $2,000 | 2016-10-02
389574 | Global-buffer-overflow in SkBitmap::ReadRawPixels | - | 2016-10-02
389223 | Chromoting host ignores NAT traversal policy | - | 2016-10-02
389219 | Use-of-uninitialized-value in WebCore::BiquadDSPKernel::updateCoefficientsIfNecessary | $500 | 2016-10-02
389216 | Use-of-uninitialized-value in WebCore::AudioContext::scheduleNodeDeletion | - | 2016-10-02
389204 | CRASH: media::AudioRendererMixer::OnRenderError() | - | 2016-10-02
388771 | Heap-use-after-free in extensions::V8SchemaRegistry::GetSchema | - | 2016-10-02
388762 | Use-after-free in content::LegacyRenderWidgetHostHWND::UpdateParent | - | 2016-10-02
388759 | NO STACK | - | 2016-10-02
389280 | Use-of-uninitialized-value in validate_layout | - | 2016-10-02
388757 | Use-after-free in WebCore::RenderBlockFlow::addOverhangingFloats | - | 2016-10-02
388665 | Penguins Puzzle WebGL game frequent Aw Snap | $3,000 | 2016-10-02
388294 | Heap-use-after-free in v8::HandleScope::Initialize | $1,000 | 2016-10-02
388267 | Use-after-poison in WebCore::IDBDatabase::trace | - | 2016-10-02
388135 | Use-of-uninitialized-value in CPDF_CMap::GetNextChar | - | 2016-10-02
388134 | Use-of-uninitialized-value in _SetLum | - | 2016-10-02
388133 | Use-of-uninitialized-value in CFX_BidiChar::AppendChar | - | 2016-10-02
388070 | Heap-buffer-overflow in media::FFmpegDemuxer::Seek | - | 2016-10-02
388058 | Heap-use-after-free in cc::PictureLayerTiling::TilingEvictionTileIterator::Initialize | - | 2016-10-02
387861 | Use-of-uninitialized-value in FPDFAPI_FT_DivFix | - | 2016-10-02
387852 | Use-of-uninitialized-value in aes_decrypt_nb_4 | - | 2016-10-02
387860 | Use-of-uninitialized-value in FXSYS_atoi | - | 2016-10-02
387856 | Use-of-uninitialized-value in _JpegScanSOI | - | 2016-10-02
387855 | Use-of-uninitialized-value in _FaxSkipEOL | - | 2016-10-02
387854 | Use-of-uninitialized-value in CPDF_RenderStatus::DrawShading | - | 2016-10-02
387853 | Use-of-uninitialized-value in FPDFAPI_inflate | - | 2016-10-02
387857 | Use-of-uninitialized-value in CPDF_SimpleParser::ParseWord | - | 2016-10-02
387850 | Use-of-uninitialized-value in FXSYS_atoi64 | - | 2016-10-02
387848 | Use-of-uninitialized-value in CPDF_Function::Call | - | 2016-10-02
387847 | Use-of-uninitialized-value in opj_j2k_read_header_procedure | - | 2016-10-02
387846 | Use-of-uninitialized-value in _FaxGetRun | - | 2016-10-02
398235 | Security: possible another uninit memory with jpeg parsing | - | 2016-10-02
397834 | Use-of-uninitialized-value in CFX_WideString::InitStr | - | 2016-10-02
397835 | Use-of-uninitialized-value in chrome_pdf::PDFiumEngine::Paint | - | 2016-10-02
398109 | Security: Potential kernel privilege escalation when CONFIG_PPPOL2TP is enabled | - | 2016-10-02
397396 | Investigate lifetime of the NativeWindow parent in ExtensionUninstallDialog | - | 2016-10-02
398198 | Use-after-free in blink::WebSharedWorkerImpl::stopWorkerThread | $1,500 | 2016-10-02
397258 | Integer overflow from "offset + size" in extension.h and fpdfview.cpp | - | 2016-10-02
397549 | All of cc_unittests failing on yakju-clang-clankium | - | 2016-10-02
397656 | Heap-use-after-free in media::Pipeline::ErrorChangedTask | - | 2016-10-02
396961 | HTTP authentication dialog doesn't replace web contents when you type in to URL bar | - | 2016-10-02
396447 | Hooking up a remote audio track to local media stream would crash | - | 2016-10-02
396255 | Security: Uninitialized value possible in CJS_PublicMethods::MakeFormatDate | - | 2016-10-02
396054 | Security: Microphone access not blocked if you lock your phone. | $500 | 2016-10-02
397130 | HandleCloserAgent skips every other handle | - | 2016-10-02
395441 | Google Chrome not clearing the account data properly | - | 2016-10-02
395411 | ASSERTION FAILED: actualInfo->derefObjectFunction == wrapperTypeInfo.derefObjectFunction, UNKNOWN in blink::V8Event::createWrapper | $500 | 2016-10-02
395410 | Heap-use-after-free in syncer::SyncBackupManager::Init | $1,000 | 2016-10-02
395409 | Use-after-free in blink::MediaQueryList::stop | - | 2016-10-02
395679 | V8 executable page caps are dangerously high | - | 2016-10-02
395641 | UNKNOWN in SkImageFilter::Common::unflatten | - | 2016-10-02
395972 | Improper handling of calc parsing results in read access to pointer addresses | - | 2016-10-02
395461 | Use-after-free in CPDFSDK_PageView::LoadFXAnnots | - | 2016-10-02
395650 | SEGV in LocalWriteClosure::writeBlobToFileOnIOThread | - | 2016-10-02
395351 | Security: Chrome XSS Filter Bypassing | - | 2016-10-02
394902 | Use-after-free in several skia routines of memory freed by skia.dll!DWriteFontTypeface::`scalar deleting destructor' | - | 2016-10-02
395266 | Security: CJS_PublicMethods::StrRTrim() looks suspicious, may under/overflow | - | 2016-10-02
394026 | Heap-use-after-free in WebCore::Element::attrIfExists | - | 2016-10-02
393981 | Uninitialized IPC message in PopupBlockerTabHelper::ShowBlockedPopup | - | 2016-10-02
393833 | Use-of-uninitialized-value in content::webcrypto::platform::CreatePublicKeyAlgorithm | - | 2016-10-02
393831 | Use-of-uninitialized-value in CJS_PublicMethods::MakeRegularDate | - | 2016-10-02
393829 | Heap-use-after-free in blink::AXNodeObject::textUnderElement | - | 2016-10-02
394222 | Use-of-uninitialized-value in final_reordering_syllable | - | 2016-10-02
393938 | Uninitialized IPC message in PPB_Instance_Proxy::DeliverFrame | - | 2016-10-02
393605 | Heap-use-after-free in CPDF_Color::~CPDF_Color | - | 2016-10-02
393765 | Tracking bug for internal security fixes for Chrome 36, Release 0 | - | 2016-10-02
393595 | Use-after-free in WebCore::CustomElementMicrotaskRunQueue::dispatch | - | 2016-10-02
393572 | Padlock is shown after refresh despite displaying mixed content | - | 2016-10-02
393452 | UNKNOWN in memset | - | 2016-10-02
393603 | Use-of-uninitialized-value in CPDF_RenderStatus::GetStrokeArgb | - | 2016-10-02
393744 | Use-after-poison in WebCore::HeapPage<WebCore::FinalizedHeapObjectHeader>::markOrphaned | - | 2016-10-02
393602 | Heap-buffer-overflow in CCodec_FlateModule::FlateOrLZWDecode | - | 2016-10-02
393312 | Heap-use-after-free in WebCore::EventHandlerRegistry::documentDetached | - | 2016-10-02
393425 | Use-after-free in WebCore::FileReader::doAbort | - | 2016-10-02
393448 | Use-after-free in WebCore::CompositeEditCommand::replaceTextInNodePreservingMarkers | - | 2016-10-02
393221 | Heap-use-after-free in net::IOBuffer::data | - | 2016-10-02
393401 | Popups opened from a sandboxed iframe are not themselves sandboxed | $500 | 2016-10-02
392723 | Use-of-uninitialized-value in SkRect::setBoundsCheck | - | 2016-10-02
392598 | Use-after-free crash [@BrowserWindowCocoa::UpdateDevTools] | - | 2016-10-02
392719 | heap-use-after-free in CPDF_Color::~CPDF_Color | - | 2016-10-02
392510 | login_ChromeProfileSanitary indicates that Chrome is writing cookies to the Login profile | - | 2016-10-02
392720 | Use-of-uninitialized-value in CPDF_DocPageData::ReleaseColorSpace | - | 2016-10-02
392721 | Use-of-uninitialized-value in CXML_Parser::GetTagName | - | 2016-10-02
391929 | Potential integer overflow in fpdf_render_loadimage.cpp | - | 2016-10-02
392718 | Use-of-uninitialized-value in extensions::FrameNavigationState::SetNavigationCommitted | - | 2016-10-02
391905 | Use-of-uninitialized-value in icu_46::RegexMatcher::findUsingChunk | - | 2016-10-02
391910 | Use-of-uninitialized-value in WebCore::ErrorEventV8Internal::linenoAttributeGetterCallback | - | 2016-10-02
406562 | Vulnerability reported in net-misc/strongswan | - | 2016-10-02
406557 | Vulnerability reported in x11-libs/pixman | - | 2016-10-02
406142 | Heap-buffer-overflow in CFX_WideString::FromUTF16LE | - | 2016-10-02
405588 | Heap-buffer-overflow in CPDF_DeviceCS::GetRGB | - | 2016-10-02
406549 | Vulnerability reported in net-firewall/iptables | - | 2016-10-02
406548 | Vulnerability reported in dev-libs/libxml2 | - | 2016-10-02
406546 | Vulnerability reported in dev-libs/expat | - | 2016-10-02
406144 | Global-buffer-overflow in CFX_Font::LoadGlyphPath | - | 2016-10-02
404529 | Heap-use-after-free in blink::ImageQualityController::highQualityRepaintTimerFired | - | 2016-10-02
405416 | Stack-buffer-overflow in avpriv_aac_parse_header | - | 2016-10-02
404511 | Bad-cast to blink::IDBRequest from invalid vptrblink::GarbageCollectedFinalized<blink::IDBRequest>::finalizeGarbageCollectedObject;blink::HeapPage<blink::FinalizedHeapObjectHeader>::sweep;blink::ThreadHeap<blink::FinalizedHeapObjectHeader>::sweep | $3,500 | 2016-10-02
405421 | Heap-use-after-free in CPDF_IndexedCS::~CPDF_IndexedCS | - | 2016-10-02
405417 | Heap-use-after-free in SkOpSegment::addT | $1,000 | 2016-10-02
405335 | Heap-use-after-free in RemoteMediaPlayerManager::DidDownloadPoster | - | 2016-10-02
404513 | Heap-use-after-free in blink::FileReader::doAbort | - | 2016-10-02
403596 | Security: __lookupGetter__ and __lookupSetter__ can be used to leak all cross-origin data | - | 2016-10-02
403276 | Heap-use-after-free in blink::Document::didRemoveAllPendingStylesheet | $2,000 | 2016-10-02
403013 | use-after-free in mojo::internal::WeakServiceProvider::Clear | - | 2016-10-02
403665 | Heap-use-after-free in blink::TreeScopeAdopter::moveTreeToNewScope | - | 2016-10-02
404300 | Security: Blink inadequately whitelists child frames by name in access checks | - | 2016-10-02
404462 | Heap-use-after-free in blink::RenderBlockFlow::determineStartPosition | - | 2016-10-02
403409 | V8 Runtime_ArrayConcat uninitialized memory leak | $4,500 | 2016-10-02
402479 | Use-after-free in IDMap<blink::WebIDBCallbacks,1>::Releaser<1,0>::release_all | - | 2016-10-02
402407 | Heap-use-after-free in blink::RenderLayerScrollableArea::updateCompositingLayersAfterScroll | $3,000 | 2016-10-02
402297 | Heap-buffer-overflow in bracketAddOpening | - | 2016-10-02
402263 | Heap-use-after-free in blink::MediaQueryMatcher::viewportChanged | - | 2016-10-02
402260 | Heap-use-after-free in CPDF_Color::SetValue | $3,000 | 2016-10-02
402255 | Heap-use-after-free in blink::DocumentOrderedMap::add | - | 2016-10-02
402957 | Use-after-free in speech - saying "Hello" during the incognito window has closed | $2,000 | 2016-10-02
402702 | Security: Potential unsafe random number generation | - | 2016-10-02
402653 | Use-after-free from ASAN base::PlatformThreadRef::is_null() | - | 2016-10-02
401993 | Heap-use-after-free in unsigned long std::__1::__tree<std::__1::__value_type<unsigned int, std::__ | - | 2016-10-02
402240 | Heap-buffer-overflow in vp9_decode_frame | - | 2016-10-02
401463 | Bad-cast to blink::RenderBox from blink::RenderText;RenderBox.h:769:1 | $3,000 | 2016-10-02
401372 | Heap-use-after-free in CPDF_IndexedCS::~CPDF_IndexedCS | $3,000 | 2016-10-02
401364 | Heap-use-after-free in base::subtle::RefCountedThreadSafeBase::Release | - | 2016-10-02
401363 | Heap-use-after-free in blink::WebPagePopupImpl::closePopup | - | 2016-10-02
401362 | Heap-use-after-free in blink::RenderBox::pixelSnappedClientHeight | $2,000 | 2016-10-02
402218 | Bad-cast to blink::MediaQueryListListener from invalid vptr;ScriptedAnimationController.cpp:181:9 | - | 2016-10-02
401995 | Heap-buffer-overflow in CFX_ByteTextBuf::AppendChar | - | 2016-10-02
401580 | Heap-double-free in CFX_PathData::~CFX_PathData | - | 2016-10-02
400511 | Use-after-free in content::WebThreadBase::TaskObserverAdapter::WillProcessTask | - | 2016-10-02
400339 | Bad-cast to blink::ShadowRoot from blink::HTMLDocument;ShadowRoot.h:165:1 | - | 2016-10-02
400950 | Tracking bug for internal security fixes for Chrome 36, Release 1 | - | 2016-10-02
401115 | Security: UAF with Blob creation and Shared Workers | $1,500 | 2016-10-02
400996 | Heap-use-after-free in CPDF_TextStateData::~CPDF_TextStateData | $2,000 | 2016-10-02
400476 | Heap-use-after-free in blink::Event::path | $3,000 | 2016-10-02
399654 | UNKNOWN in v8::base::NoBarrier_Load | - | 2016-10-02
399495 | Heap-use-after-free in blink::WorkerSharedTimer::OnTimeout | $3,000 | 2016-10-02
399473 | Security: setpriority() is broadly allowed and allows to interact with other processes | - | 2016-10-02
399321 | Heap-use-after-free in blink::constructBidiRunsForLine | - | 2016-10-02
398925 | Security: SPDY connection sharing logic errors allows for MITM | $1,000 | 2016-10-02
399783 | Chrome_ChromeOS: Crash Report - blink::GraphicsLayer::setContentsOpaque | - | 2016-10-02
399768 | Security: NaCl inner sandbox escape on Windows due to mmap hole bug | - | 2016-10-02
399655 | Bad-cast to SessionService from invalid vptr;bind_internal.h:248:12 | $1,500 | 2016-10-02
398818 | Heap-use-after-free in blink::TreeScope::clearScopedStyleResolver | - | 2016-10-02
398438 | Heap-use-after-free in blink::Document::didRemoveAllPendingStylesheet | $2,000 | 2016-10-02
398384 | Security: Crash in memcpy in chrome_pdf::CopyImage | $3,000 | 2016-10-02
411165 | Use-of-uninitialized-value in std::__1::pair<std::__1::pair<WTF::StringImpl**, bool>, unsigned int> WTF:: | - | 2016-10-02
411160 | Use-of-uninitialized-value in cc::GLRenderer::EnqueueTextureQuad | - | 2016-10-02
411163 | Use-of-uninitialized-value in FXSYS_round | - | 2016-10-02
411162 | Use-of-uninitialized-value in webrtc::AudioDecoder::ConvertSpeechType | - | 2016-10-02
411161 | Use-of-uninitialized-value in CPDF_RenderStatus::GetFillArgb | - | 2016-10-02
411154 | Use-of-uninitialized-value in CPDF_DocPageData::ReleasePattern | - | 2016-10-02
411026 | Heap-use-after-free in blink::PersistentBase<blink::ThreadLocalPersistents< | - | 2016-10-02
410912 | UNKNOWN in v8::internal::MemoryChunk::IsFlagSet | - | 2016-10-02
410556 | UNKNOWN in v8::internal::JSFunction::context | $3,000 | 2016-10-02
410552 | Heap-buffer-overflow in SkOpSegment::findNextOp | $1,500 | 2016-10-02
410326 | Heap-use-after-free in CPDFSDK_PageView::LoadFXAnnots | - | 2016-10-02
411156 | Use-of-uninitialized-value in vp3_h_loop_filter_c | - | 2016-10-02
411159 | Use-of-uninitialized-value in content::MessageChannel::DrainEarlyMessageQueue | - | 2016-10-02
411133 | Bad-cast to cricket::WebRtcVoiceMediaChannel from webrtc::NetEqImpl;webrtcvideoengine.cc:1599:9 | - | 2016-10-02
409695 | Heap-buffer-overflow in CPDF_DIBSource::GetScanline | - | 2016-10-02
409692 | Heap-buffer-overflow in CPDF_DIBSource::GetScanline | - | 2016-10-02
409508 | Heap-use-after-free in blink::PODIntervalTree<int,blink::FloatingObject | - | 2016-10-02
409507 | Use-of-uninitialized-value in CFX_ByteString::~CFX_ByteString | - | 2016-10-02
410030 | CHECK failure in CHECK(!v8::internal::FLAG_enable_slow_asserts || (object->IsJSObject())) fa | - | 2016-10-02
409880 | Heap-use-after-free in cricket::WebRtcVoiceMediaChannel::SetupSharedBandwidthEstimation | - | 2016-10-02
409454 | Fetch event shouldn't fire for preflight requests | - | 2016-10-02
409506 | Heap-use-after-free in blink::AXNodeObject::document | - | 2016-10-02
409030 | After lock my Account login directly after clicking on google task manager | - | 2016-10-02
409023 | Heap-buffer-overflow in SkScalerContext_DW::generateImage | - | 2016-10-02
408739 | Heap-use-after-free in content::MessageChannel::DrainEarlyMessageQueue | - | 2016-10-02
409475 | Heap-buffer-overflow in CPDF_DIBSource::GetScanline | $3,000 | 2016-10-02
409373 | Heap-use-after-free in CPDF_Color::~CPDF_Color | $1,000 | 2016-10-02
408426 | Security: Page can run arbitrary code in the context of a UserGestureIndicator | - | 2016-10-02
408541 | Heap-buffer-overflow in CPDF_DIBSource::GetScanline | $3,000 | 2016-10-02
408154 | Heap-buffer-overflow in CPDF_DIBSource::DownSampleScanline | - | 2016-10-02
408164 | Heap-use-after-free in CPDF_ShadingObject::~CPDF_ShadingObject | $1,000 | 2016-10-02
408532 | Heap-use-after-free in CFX_BaseSegmentedArray::Iterate | $1,000 | 2016-10-02
408160 | Bad-cast to blink::HTMLUnknownElement from blink::HTMLElement;ScriptWrappable.h:90:16 | - | 2016-10-02
407488 | Global-buffer-overflow in CFX_Font::LoadGlyphPath | $1,000 | 2016-10-02
407964 | Heap-buffer-overflow in opj_t2_read_packet_header | $1,000 | 2016-10-02
407341 | Stack-buffer-overflow in cf2_hintmap_build | - | 2016-10-02
407339 | Vulnerability reported in elfutils | - | 2016-10-02
407477 | Heap-use-after-free in blink::EventHandlerRegistry::documentDetached | - | 2016-10-02
408141 | Heap-buffer-overflow in CPDF_LabCS::TranslateImageLine | $3,000 | 2016-10-02
407614 | Heap-buffer-overflow in TIFF_PredictLine | - | 2016-10-02
407476 | Heap-buffer-overflow in CJPX_Decoder::Init | - | 2016-10-02
406879 | Heap-use-after-free in cc::LayerTreeHost::RecreateUIResources | - | 2016-10-02
406868 | Heap-use-after-free in CPDF_Object::Release | $1,500 | 2016-10-02
406850 | Bad-cast to blink::AudioSummingJunction from invalid vptr;AudioContext.cpp:787:9 | - | 2016-10-02
406806 | Heap-buffer-overflow in CPDF_ICCBasedCS::GetRGB | - | 2016-10-02
406600 | Heap-buffer-overflow in CPDF_DIBSource::GetScanline | $500 | 2016-10-02
406895 | Heap-buffer-overflow in CPDF_DIBSource::GetScanline | - | 2016-10-02
406908 | Heap-buffer-overflow in CPDF_DIBSource::TranslateScanline24bpp | $1,000 | 2016-10-02
407235 | libcurl: Wildcard IP in cert's CN field can allow server spoof | - | 2016-10-02
406871 | ASSERTION FAILED: offset + length <= m_length, UNKNOWN in blink::InlineTextBox::constructTextRun | - | 2016-10-02
406591 | Heap-buffer-overflow in CPDF_SyntaxParser::SearchWord | $500 | 2016-10-02
406593 | Draw the image outside of the inline frame | $1,500 | 2016-10-02
415689 | Add an HSTS and key pin preload rule for chrome.com | - | 2016-10-02
415866 | Use-of-uninitialized-value in SkOpSegment::addTCoincident | $2,000 | 2016-10-02
415305 | UNKNOWN in blink::HRTFDatabaseLoader::load | - | 2016-10-02
415256 | SSLBlockingPage option mask isn't ORed | - | 2016-10-02
415012 | Heap-use-after-free in content::BrowserPlugin::~BrowserPlugin | - | 2016-10-02
415307 | Heap-buffer-overflow in chrome_pdf::PDFiumEngine::GetPageRect | $1,500 | 2016-10-02
415407 | ASSERTION FAILED: curr->isRenderInline(), UNKNOWN in blink::RenderInline::splitInlines | - | 2016-10-02
415306 | Heap-use-after-free in scoped_refptr<base::MessageLoopProxy>::operator= | - | 2016-10-02
414504Heap-use-after-free in opj_t1_decode_cblks$1,0002016-10-02
414310Heap-buffer-overflow in opj_jp2_apply_cdef$1,0002016-10-02
414182Heap-buffer-overflow in opj_t2_read_packet_header-2016-10-02
414134Use-of-uninitialized-value in cricket::WebRtcVoiceMediaChannel::SetupSharedBweOnChannel-2016-10-02
414606Heap-buffer-overflow in opj_v4dwt_interleave_h$3,0002016-10-02
414661Security: heap-use-after-free in CPDF_ShadingPattern::Clear()-2016-10-02
414525Heap-buffer-overflow in opj_dwt_decode$3,0002016-10-02
414109Use-of-uninitialized-value in unsigned int blink::WidthIterator::advanceInternal<blink::SurrogatePairAwareTextIterator>$1,0002016-10-02
414100ASSERTION FAILED: node->isMediaControlElement(), UNKNOWN in blink::mediaControlElementType-2016-10-02
414089Heap-double-free in j2k_read_ppm_v3$3,0002016-10-02
414046Heap-use-after-free in CPDF_ImageObject::~CPDF_ImageObject$2,0002016-10-02
414036UNKNOWN in libc.so.6$2,0002016-10-02
414124Security: TLS handshake and certificate signature forgery is possible using Bleichenbacher’s Low-Exponent Attack due to faulty ASN.1 length decoding$5,0002016-10-02
414118Heap-use-after-free in content::ServiceWorkerControlleeRequestHandler::DidLookupRegistrationForMai-2016-10-02
413850Use-of-uninitialized-value in chrome_pdf::PDFiumEngine::OnMouseMove-2016-10-02
414026Do Not Cache Resources Retrieved Via Broken HTTPS in AppCache Or Service Worker$5002016-10-02
413744Heap-use-after-free in JavaObjectWeakGlobalRef::Assign-2016-10-02
413743Heap-use-after-free in void cc::PreCalculateMetaInformation<cc::LayerImpl>-2016-10-02
413706Security: Hotspot+appcache allows permanent sslstrip attack-2016-10-02
413534Bad-cast to blink::AXMenuList from blink::AXList;AXMenuList.h:58:1-2016-10-02
413884Security: bug in nvmap Nvidia driver allows for privilege escalation.-2016-10-02
413831Security: Issue with facetime:// and facetime-audio:// schemes-2016-10-02
413375Negative-size-param in opj_t2_decode_packets$1,0002016-10-02
413316Use-after-free in blink::LocalDOMWindow::willDetachDocumentFromFrame-2016-10-02
413094Security: ServiceWorker onfetch should not intercept Flash files or crossdomain.xml-2016-10-02
413041Use-after-free in blink::ScriptWrappable::wrap-2016-10-02
412790Use-of-uninitialized-value in FindSortableTop-2016-10-02
413530Heap-use-after-free in blink::FrameView::scheduleRelayout-2016-10-02
413447Heap-double-free in opj_tcd_code_block_dec_deallocate-2016-10-02
413232Use-of-uninitialized-value in v8::internal::JSObject::UpdateAllocationSite-2016-10-02
412457Heap-buffer-overflow in tt_face_get_location-2016-10-02
411323Heap-use-after-free in content::RenderFrameImpl::Send-2016-10-02
411320Heap-use-after-free in media::TimeDeltaInterpolator::GetInterpolatedTime-2016-10-02
411318Heap-use-after-free in content::BufferedDataSource::ReadCallback-2016-10-02
411735Use-after-free in blink::V8SVGFEMergeNodeElement::refObject-2016-10-02
411329Use-of-uninitialized-value in SkColorTypeValidateAlphaType-2016-10-02
411177Use-of-uninitialized-value in chrome_pdf::PageIndicator::OnTimerFired-2016-10-02
411167Use-of-uninitialized-value in WebCore::RenderTableSection::dirtiedRows-2016-10-02
411213Possible out of bounds access in BreakIterator class-2016-10-02
411210CHECK failure in CHECK(start <= end) failed: ../../v8/src/heap/spaces.cc(1722)-2016-10-02
422621Security: Cloud Print Connect XMPP connection leaks auth token to active network attacker-2016-10-02
422492Heap-buffer-overflow in SkOpSegment::blindCoincident$1,0002016-10-02
421981Use-of-uninitialized-value in v8::internal::Factory::NewNumber-2016-10-02
421817Security: handleAuthenticatorUrl to launch any activity from web page$2,0002016-10-02
421720Crash in RenderBlock::willBeDestroyed when removing from a map and destroying a continuation that has been already destroyed-2016-10-02
422482Use-of-uninitialized-value in AvatarMenuBubbleView::LinkClicked-2016-10-02
422374Google Account Sync auth token leaked to active network attacker who suppresses XMPP STARTTLS-2016-10-02
421500Use-of-uninitialized-value in extensions::NativeMessageProcessHost::OnHostProcessLaunched-2016-10-02
421332Security: Completely spoofable origin, including lock sign$1,0002016-10-02
421504Heap-use-after-free in blink::XMLHttpRequest::handleRequestError-2016-10-02
421321Security: Use-after-free in blink::PageAnimator::serviceScriptedAnimations-2016-10-02
421196Security: intra-object-overflow in third_party/pdfium/core/src/fpdfapi/fpdf_cmaps/fpdf_cmaps.cpp-2016-10-02
421499Use-of-uninitialized-value in ucase_toupper_52-2016-10-02
421691Security: Accelerometer/gyroscope leak keystrokes and speech-2016-10-02
421090Security: NaCl sandbox escape via DRAM "rowhammer" memory corruption-2016-10-02
420450Heap-use-after-free in blink::RenderBlock::willBeDestroyed-2016-10-02
421130Heap-use-after-free in blink::Element::setAttribute-2016-10-02
421132Stack-buffer-underflow in SkDPoint::approximatelyEqual$1,5002016-10-02
419542Potential UAF in SSLErrorClassification during shutdown in tests-2016-10-02
419774Heap-use-after-free in blink::HarfBuzzShaper::setGlyphPositionsForHarfBuzzRun-2016-10-02
419428Uninit in featureWithPositiveInteger-2016-10-02
419383Security: SOP Bypass of Data Exfiltration with CSS$1,3372016-10-02
419265ASSERTION FAILED: fontPlatformData, Heap-use-after-free in base::MessageLoop::PostTask-2016-10-02
419060Heap-use-after-free in vorbis_decode_frame$1,5002016-10-02
419036UNKNOWN in v8::internal::Invoke-2016-10-02
418976Heap-buffer-overflow in opj_tcd_get_decoded_tile_size$5002016-10-02
418881Heap-buffer-overflow in color_sycc_to_rgb$1,0002016-10-02
418585Heap-buffer-overflow in cff_get_glyph_name-2016-10-02
419320Heap-use-after-free in CPDF_GeneralStateData::~CPDF_GeneralStateData-2016-10-02
418402Security: Cross-Page and Cross-Domain Propagation of Click events on Mobile Devices$1,0002016-10-02
418381Heap-buffer-overflow in SkOpSegment::addCoinOutsides$1,5002016-10-02
418114Use-after-free in base::MessageLoop::DeleteSoonInternal-2016-10-02
417841Mixed content resources (e.g. scripts) can be loaded using redirection$1,0002016-10-02
418582Heap-buffer-overflow in tt_cmap6_char_index-2016-10-02
418161Heap-buffer-overflow in void SkMatrixConvolutionImageFilter::filterPixels<ClampPixelFetcher, false>$2,0002016-10-02
417210ThreadSanitizer v2 reports a heap-use-after-free in _get_bitmap_surface-2016-10-02
417731Heap-use-after-free in blink::BaseMultipleFieldsDateAndTimeInputType::pickerIndicatorChooseValue-2016-10-02
416526V8 slow/fast properties confusion-2016-10-02
416696Container-overflow in chrome_pdf::PDFiumEngine::SelectFindResult-2016-10-02
417329Security: code execution via bash environment variables-2016-10-02
416528Out-of-bounds write in the browser via P2PHostMsg_Send IPC-2016-10-02
416319Heap-use-after-free in CPDF_Color::~CPDF_Color-2016-10-02
416323UNKNOWN in TcmapEncodingTable::GetSubtableAtIndex$1,0002016-10-02
416449Chrome exploit: V8 properties + P2PHostMsg_Send$27,6342016-10-02
416289Heap-buffer-overflow in GrBufferAllocPool::putBack-2016-10-02
416362Potential UAF at WebCore::TimerBase::setNextFireTime$2,0002016-10-02
426890A vulnerability in run-mailcap can lead to code execution on Debian-based Linux distros with certain (nonstandard) desktop environments$5002016-10-02
426762Use-of-uninitialized-value in blink::Font::glyphDataAndPageForCharacter$1,0002016-10-02
426760Bad-cast to blink::ScriptWrappable from invalid vptr;ScriptWrappable.h:202:9-2016-10-02
426758Heap-use-after-free in blink::ScriptStreamer::notifyFinished-2016-10-02
426757Use-after-free in blink::RenderSVGResourcePattern::patternForRenderer-2016-10-02
425280Security: Flash Cross Domain Policy Bypass by Using File Upload and Redirection - only in Chrome$2,0002016-10-02
425263Security: wpa_supplicant CVE-2014-3686-2016-10-02
425153Heap-buffer-overflow in j2k_read_ppm_v3-2016-10-02
425152Heap-buffer-overflow in opj_stream_read_data-2016-10-02
425151Heap-buffer-overflow in opj_tcd_init_decode_tile-2016-10-02
425150Heap-use-after-free in opj_t1_decode_cblks-2016-10-02
425040Heap-use-after-free in CFX_BaseSegmentedArray::Iterate-2016-10-02
425980UNKNOWN in media::container_names::DetermineContainer$5002016-10-02
425856Global-buffer-overflow in SkStrSearch-2016-10-02
425585Use-of-uninitialized-value in v8::internal::Decoder<v8::internal::Simulator>::DecodeBranchSystemException$2,5002016-10-02
424998Heap-use-after-free in SkTypefaceCache::FindByProcAndRef-2016-10-02
425001ASSERTION FAILED: repetitions > 0, UNKNOWN in blink::CSSPropertyParser::parseGridTrackRepeatFunction-2016-10-02
424961Security: Local file access in plugins via chrome-extension protocol handler vulnerability-2016-10-02
424957Use-of-uninitialized-value in blink::TransformationMatrix::rotate3d-2016-10-02
424956Bad-cast to blink::RenderText from blink::RenderImage;RenderText.h:230:1-2016-10-02
425006Heap-use-after-free in blink::WebGLRenderingContextBase::printGLErrorToConsole-2016-10-02
424999Use-of-uninitialized-value in aura::Window::GetNativeWindowProperty-2016-10-02
424981Security: Flash Camera.copyToByteArray() memory corruption-2016-10-02
424331UNKNOWN in opj_read_bytes_LE$1,0002016-10-02
424215Heap-buffer-overflow in WebRtcIsacfix_Decode-2016-10-02
423899Security: UAF in CFX_DIBSource::GetWidth()-2016-10-02
423891Bad-cast to blink::PODRedBlackTree<blink::PODInterval<int, blink::FloatingObject *> >::Node from invalid vptr;PODIntervalTree.h:175:33-2016-10-02
423703Security: Race condition in Flash workers may cause an exploitable double free$7,5002016-10-02
424619Reading from index -Infinity on typed array may cause random memory corruption (?)-2016-10-02
424914ASSERTION FAILED: !current.value()->isInheritedValue(), Heap-use-after-free in blink::Element::detach-2016-10-02
424216Heap-use-after-free in content::GpuChannelHost::Send-2016-10-02
422765Heap-use-after-free in net::ClientCertStoreNSS::GetClientCertsOnWorkerThread-2016-10-02
422693UNKNOWN in SuperBlitter::blitH$2,0002016-10-02
423084Chrome on iOS does not block active mixed content (scripts)-2016-10-02
422824Heap-buffer-overflow in icu_52::RegexMatcher::MatchChunkAt$4,0002016-10-02
429779Heap-use-after-free in SetVolume-2016-10-02
429922Security: A compromised renderer process could dismiss interstitial warnings it triggers-2016-10-02
429740Heap-use-after-free in content::RTCPeerConnectionHandler::Observer::OnIceCandidate-2016-10-02
429838Security: OpenSearch description files can be loaded from file:// URLs$5002016-10-02
429778UNKNOWN in webrtc::SdpSerialize-2016-10-02
429626heap-buffer-overflow (read of size 1) at an unpronounceable function below SkScalerContext_FreeType_Base::generateGlyphImage-2016-10-02
429679Heap-use-after-free in BookmarkContextMenuController::IsCommandIdEnabled-2016-10-02
429585Heap-use-after-free in GetStats-2016-10-02
429666Heap-use-after-free in blink::Node::setNeedsStyleRecalc$2,0002016-10-02
429542Security: file-to-file SOP bypass on Linux via /proc/self/fd/-2016-10-02
429276Security: Use after free in Flash (StageVideoAvailabilityEvent) can make bad things happen$7,5002016-10-02
429379Use-of-uninitialized-value in SkPath::arcTo-2016-10-02
429201Heap-use-after-free in cc::PictureLayerTiling::UpdateEvictionCacheIfNeeded-2016-10-02
429194Use-of-uninitialized-value in v8::internal::HOptimizedGraphBuilder::BuildBinaryOperation-2016-10-02
429166Security: Heap Memory Corruption off-by-one (Overwrite 0x2C with 0x00) in ffmpeg function matroska_fix_ass_packet-2016-10-02
429477Heap-use-after-free in TrackOnSuccess-2016-10-02
429478Heap-use-after-free in blink::WebGLRenderingContextBase::printGLErrorToConsole-2016-10-02
429244CSP Bypass on M39-2016-10-02
428829Heap-use-after-free in subtle::PrefMemberBase::VerifyPref-2016-10-02
428828Heap-use-after-free in content::IndexedDBDatabase::RunVersionChangeTransaction-2016-10-02
428800Heap-buffer-overflow in epoll_add-2016-10-02
428789Heap-use-after-free in SkXfermodeImageFilter::~SkXfermodeImageFilter-2016-10-02
428578Multiple Windows Kernel Crashes in Font Parsing$6,5002016-10-02
428561Heap-use-after-free in base::SupportsUserData::GetUserData$1,5002016-10-02
429139Heap-buffer-overflow in opj_t1_decode_cblks-2016-10-02
429134Heap-buffer-overflow in CPDF_LabCS::GetDefaultValue-2016-10-02
428557Stack-buffer-overflow in _XData32$2,0002016-10-02
427397Heap-buffer-overflow in blink::CSPSourceList::parseHash-2016-10-02
427272Security: UaF in FileSelectHelper::FileSelectedWithExtraInfo$1,0002016-10-02
427266Heap-use-after-free in matroska_read_seek$2,0002016-10-02
427249ASSERTION FAILED: m_pendingStylesheets > 0, Heap-use-after-free in blink::StyleEngine::clearResolver$2,0002016-10-02
427196console.log is breaking chrome://extensions-2016-10-02
428137Heap-buffer-overflow in void v8::internal::String::WriteToFlat<unsigned short>-2016-10-02
427303UNKNOWN in blink::HRTFDatabaseLoader::load-2016-10-02
427108Heap-use-after-free in blink::PendingScript::stopWatchingForLoad$2,0002016-10-02
436022Security: Race condition in workers may cause an exploitable double free by abusing bytearray.compress()$7,5002016-10-02
435825UNKNOWN in v8::internal::String::length-2016-10-02
435815Bad-cast to blink::RenderTable from blink::RenderBlockFlow;RenderTable.h:366:1-2016-10-02
435567Use-of-uninitialized-value in void v8::internal::ScavengingVisitor<-2016-10-02
435514Heap-use-after-free in rdft_calc_c-2016-10-02
435383Heap-based buffer overflow in Flash PCRE regex engine$3,0002016-10-02
435073CHECK failure in CHECK(p->IsSmi()) failed: ../../v8/src/objects-debug.cc(32)$3,5002016-10-02
435880Heap-buffer-overflow in std::less<std::string>::operator$4,5002016-10-02
434970Heap-use-after-free in blink::ScopedStyleResolver::collectFeaturesTo-2016-10-02
434964Chrome's uninstaller launches IE w/ an unquoted path to iexplore.exe-2016-10-02
434733Use-after-free in blink::ResourceFetcher::didFinishLoading-2016-10-02
434732ASSERTION FAILED: !m_deletionHasBegun, UNKNOWN in blink::Node::remove-2016-10-02
434972Heap-use-after-free in webrtc::internal::SynchronousMethodCall::Invoke-2016-10-02
434723Heap-use-after-free in content::MediaStreamTrackMetricsObserver::SendLifetimeMessages-2016-10-02
434569Security: Heap-use-after-free in SupportsUserData::GetUserData$5002016-10-02
434728Use-after-free in blink::RenderLayer::updatePagination-2016-10-02
434499Security: Hera color from previous page remains on interstitial load-2016-10-02
433866Use-of-uninitialized-value in getNextNormalizedChar$1,0002016-10-02
433860Use-after-free in blink::AXObject::document-2016-10-02
434136WebAudio render that coincides with GC graph mutation can cause snap$4,0002016-10-02
433359UNKNOWN in void SkMatrixConvolutionImageFilter::filterPixels<UncheckedPixelFetcher, fa-2016-10-02
433357Use-after-free in blink::HTMLPlugInElement::renderPartForJSBindings-2016-10-02
433078Security: OOB read in dhcpcd-2016-10-02
433445UNKNOWN in v8::internal::FixedArray::get$1,5002016-10-02
433170Media permission not displayed in PageInfo-2016-10-02
432209Heap-buffer-overflow in icu_52::RegexMatcher::MatchChunkAt-2016-10-02
432575ASSERTION FAILED: offset + length <= m_length, UNKNOWN in blink::InlineTextBox::constructTextRun-2016-10-02
432572Heap-use-after-free in std::unordered_map<int,enum gfx::GpuMemoryBufferType,std::hash<int>,std::eq-2016-10-02
431504Security: Cookie injection by Proxy with 407 response$5002016-10-02
431288Heap-buffer-overflow in opj_tcd_init_decode_tile$5002016-10-02
431860Heap-use-after-free in v8::internal::Isolate::counters-2016-10-02
431602UNKNOWN in v8::internal::RootMarkingVisitor::MarkObjectByPointer-2016-10-02
431603ASSERTION FAILED: to <= m_run.length(), UNKNOWN in blink::HarfBuzzShaper::setDrawRange-2016-10-02
430787UNKNOWN in v8::internal::HeapObjectIterator::FromCurrentPage-2016-10-02
430786Heap-use-after-free in webrtc::PeerConnection::OnAddDataChannel-2016-10-02
430630Security: Content settings (e.g. disallow images/javascript) not honored on frames created while interstitial is showing-2016-10-02
430925Heap-use-after-free in webrtc::PeerConnection::OnSessionStateChange-2016-10-02
430928Heap-use-after-free in webrtc::RemoteAudioSource::SetVolume-2016-10-02
430891Heap-buffer-overflow in opj_j2k_tcp_destroy$2,0002016-10-02
430533Heap-use-after-free in cc::ResourceProvider::ScopedWriteLockGpuMemoryBuffer::GetGpuMemoryBuffer-2016-10-02
430353UNKNOWN in icu_52::RegexMatcher::MatchChunkAt$5,0002016-10-02
430351Heap-buffer-overflow in blink::CSPSourceList::parseNonce-2016-10-02
430588Security: backport seccomp-tsync-2016-10-02
430566Heap-buffer-overflow in opj_jp2_apply_pclr$5002016-10-02
442710Stack-buffer-overflow in v8::internal::MarkCompactCollector::SweepInParallel$3,0002016-10-02
442756Security: Denial of service attack against third-parties using web sockets-2016-10-02
442585Security: Flash Player RegExp Object Integer Signedness Error$4,0002016-10-02
442454Use-after-free in blink::RenderLayer::invalidatePaintForBlockSelectionGaps-2016-10-02
442806Heap-use-after-free in blink::TreeScopeEventContext::ensureEventPath$3,0002016-10-02
442670Security: NPAPI windowless flash can listen system input events (bypassing browser)-2016-10-02
441834Chromoting host must call CloseClipboard() with anonymous access token-2016-10-02
442121ASSERTION FAILED: !value || (value->isValueList())$2,0002016-10-02
440694Security: Windows Token Hardening - Ensure Opening of Named Pipes Specifies Anonymous Impersonation Level-2016-10-02
440834Use-after-free in blink::HTMLImageFallbackHelper::createAltTextShadowTree-2016-10-02
440833Heap-buffer-underflow in blink::AXRenderObject::computeAccessibilityIsIgnored-2016-10-02
440990Security: module locking can be disable after boot in verified mode-2016-10-02
440693Security: Windows Token Hardening - Impersonate Anonymous Token Across CloseClipboard Calls-2016-10-02
440692Security: Windows Token Hardening - Modify Broker Process Token IL Policy-2016-10-02
440572Security: Circumvent Safe Browsing with data urls-2016-10-02
441095Heap-use-after-free in blink::ResourceResponse::~ResourceResponse-2016-10-02
440836Bad-cast to blink::Element from blink::CDATASection;Element.h:651:1-2016-10-02
440268Security: Encoded script URL can get around the path restriction-2016-10-02
439992Use-of-uninitialized-value in icu_52::RegexMatcher::findUsingChunk-2016-10-02
439877Security: HTML Imports ignores Content-Type and Content-Disposition headers.-2016-10-02
440435Heap-use-after-free in base::MessageLoop::PostTask-2016-10-02
439319Use-after-free in blink::TreeScope::comparePosition-2016-10-02
438638Use-after-free in blink::AXSpinButton::elementRect-2016-10-02
438364Heap-use-after-free in blink::VectorMath::vadd-2016-10-02
438363UNKNOWN in avio_read-2016-10-02
438157Windows Sandbox: Chromium's FILES_ALLOW_READONLY policy can be bypassed to create empty files or delete the contents of existing files-2016-10-02
437960chrome.identity.getAuthToken leaks master-token and gives attacker a full control over a two-factor-protected Google account-2016-10-02
438365Heap-use-after-free in views::X11WholeScreenMoveLoop::RunMoveLoop-2016-10-02
437681ASSERTION FAILED: !result, Heap-use-after-free in blink::DirectConvolver::process-2016-10-02
437655Heap-use-after-free in vp9_setup_mask-2016-10-02
437636Bad-cast to blink::AudioNode from invalid vptr;AudioNode.cpp:401:13-2016-10-02
437472Heap-buffer-overflow in android::BlobCache::flatten-2016-10-02
437464Use-of-uninitialized-value in udev_monitor_enable_receiving-2016-10-02
437682Heap-use-after-free in blink::AudioChannel::zero-2016-10-02
437651Heap-use-after-free in void blink::ImageDecodingStore::insertCacheInternal<blink::ImageDecodingSto$3,0002016-10-02
437399Heap-buffer-overflow in blink::BidiResolver<blink::InlineIterator, blink::BidiRun>::applyL1Rule$5002016-10-02
436520Heap-buffer-overflow in content::RtcDataChannelHandler::OnStateChange-2016-10-02
437458Heap-buffer-overflow in blink::Character::expansionOpportunityCount-2016-10-02
437441Security: Use After Free in Flash MessageChannel.send()$5,0002016-10-02
447773ASSERTION FAILED: !node || isElementOfType<const T>(*node)-2016-10-02
447644Use-of-uninitialized-value in blink::DocumentAnimations::updateAnimationTimingIfNeeded-2016-10-02
447567UNKNOWN in v8::internal::JSFunction::shared-2016-10-02
446672UNKNOWN in libc.so.6-2016-10-02
446538File download .dotfiles sanitization fails when the file starts with a space-2016-10-02
446537Add "Show hidden files" to gear menu-2016-10-02
447664ASSERTION FAILED: !value || (value->isPrimitiveValue())-2016-10-02
446164Security: Integer Overflow in WebGL$3,0002016-10-02
446078Persistent DoS attack on storage space on Chrome OS-2016-10-02
446076ASSERTION FAILED: !m_deletionHasBegun-2016-10-02
446037Use-after-free in blink::RenderQuote::attachQuote-2016-10-02
446033UNKNOWN in Read_CVT$1,0002016-10-02
446032Security: OOM situation can result in heap buffer overflow in CFX_BinaryBuf (pdfium)$3,0002016-10-02
446459Security: Proxy credential leak: WebSockets send proxy headers to destination server-2016-10-02
445831UNKNOWN in SA8_alpha_D32_nofilter_DX-2016-10-02
445808Stack-buffer-overflow in SkPackBits::Unpack8$2,0002016-10-02
445809Heap-buffer-overflow in SkBitmap::ReadRawPixels$5,0002016-10-02
445902Use-of-uninitialized-value in GrBitmapTextGeoProc::getGLProcessorKey-2016-10-02
445807Global-buffer-overflow in SkGradientShaderBase::SkGradientShaderBase$5,0002016-10-02
445810Heap-buffer-overflow in SkImageFilter::Common::unflatten$5,0002016-10-02
445741Heap-use-after-free in base::MessageLoop::DeleteSoonInternal-2016-10-02
445747Use-after-free in std::_Tree<std::_Tmap_traits<base::FilePath,bool,std::less<base::FilePath>,-2016-10-02
445653Security: Potential bugs/vulnerabilities in GPU code-2016-10-02
445638ASSERT_NOT_REACHED in blink::LengthStyleInterpolation::interpolableValueToLength-2016-10-02
445332ASSERTION FAILED: !value || (value->isPrimitiveValue())$1,5002016-10-02
445305Use-of-uninitialized-value in blink::MediaControls::shouldHideMediaControls-2016-10-02
445304ASSERTION FAILED: obj->isRenderInline() || obj == this-2016-10-02
445679Memory error when importing bogus EC private key from PKCS8 into BoringSSL-2016-10-02
445303Heap-buffer-overflow in void blink::SearchBuffer::append<unsigned char>-2016-10-02
445285Heap-use-after-free in blink::ShapeOutsideInfo::isEnabledFor$2,0002016-10-02
445267UNKNOWN in v8::internal::Invoke$3,5002016-10-02
445107Use of unitialized value in toDataUrl / jpeg encoding path-2016-10-02
444957Heap-use-after-free in OpenPDFInReaderBubbleView::ButtonPressed$5002016-10-02
444927Security: Inherited designMode and cross-window drag-n-drop allow to modify a cross-origin iframe's DOM$3,0002016-10-02
444717Invalid RenderFrameHost pointer is passed to WebNavigationTabObserver::DidOpenRequestedURL in test WebNavigationApiTest.CrossProcess-2016-10-02
444707Use-of-uninitialized-value in unsigned int blink::SimpleShaper::advanceInternal<blink::SurrogatePairAware$1,0002016-10-02
444695UNKNOWN in v8::internal::Invoke$3,5002016-10-02
444681Use-after-poison in v8::internal::compiler::InstructionSelector::InitializeCallBuffer$3,5002016-10-02
444573Use-of-uninitialized-value in ucnv_io_getConverterName_52$1,0002016-10-02
444546Heap/Stack Memory Info Leak - FFMPEG libavformat\mov.c$2,0002016-10-02
444539Heap Corruption - FFMPEG libavformat\mov.c - Use-After-Free/Double Free$4,0002016-10-02
444198Security: ViewHostMsg_RunFileChooser IPC allows renderer control over absolute path-2016-10-02
444084UNKNOWN in v8::internal::IC::raw_target-2016-10-02
443744UNKNOWN in v8::internal::Invoke-2016-10-02
443675Heap-use-after-free in blink::TreeScope::clearScopedStyleResolver-2016-10-02
444522Heap-buffer-overflow in ff_mov_read_stsd_entries$5,0002016-10-02
443356Security: No process swap between file:// and data: URLs-2016-10-02
443333Security: tracking bug for ffmpeg H.264 fixes-2016-10-02
443115Heap-use-after-free in blink::PendingScript::stopWatchingForLoad$2,0002016-10-02
443017Heap-use-after-free in blink::ScopedStyleResolver::collectFeaturesTo$3,0002016-10-02
443476Use-after-free in WTF::VectorDestructor<1,blink::Canvas2DLayerBridge::MailboxInfo>::destruct-2016-10-02
443274memory access bug in harfbuzz when a carefully crafted font is fed-2016-10-02
451918ASSERTION FAILED: it != m_customElementBindings.end()-2016-10-02
451773ASSERTION FAILED: !object || (object->isTableCell())-2016-10-02
451753UNKNOWN in DestroyPropertySheetPage+0x4e-2016-10-02
451685Use-after-poison in blink::callTransactionErrorCallback-2016-10-02
451684ASSERTION FAILED: node->isMediaControlElement()-2016-10-02
451770UNKNOWN in v8::internal::SharedFunctionInfo::code-2016-10-02
451799Heap overflow and integer overflow in ICU library$5002016-10-02
451755UNKNOWN in content::WebContentsImpl::OnOpenColorChooser-2016-10-02
451058Use-of-uninitialized-value in blink::HarfBuzzShaper::HarfBuzzShaper-2016-10-02
450844Heap-buffer-overflow in opj_dwt_decode_1$1,0002016-10-02
450654ASSERTION FAILED: !node || (node->isShadowRoot())-2016-10-02
451059Heap-use-after-free in blink::RenderObject::setNeedsLayout-2016-10-02
450939Negative-size-param in vp9_dec_setup_mi$1,0002016-10-02
451509Heap-buffer-overflow in Pickle::WriteData-2016-10-02
451456Heap-use-after-free in content::GpuChannelHost::DestroyChannel()$5002016-10-02
450389Use-of-uninitialized-value in SkPreMultiplyARGB$1,0002016-10-02
450198Adobe Flash Player Out-of-Bound Access Vulnerability$2,0002016-10-02
450096Heap-use-after-free in base::internal::DiscardableMemoryShmem::AllocateAndAcquireLock-2016-10-02
450653UNKNOWN in blink::InlineTextBox::isLineBreak-2016-10-02
450642UNKNOWN in v8::internal::Code::deoptimization_data-2016-10-02
450391Security: aarch64 seccomp lacks ability to redirect syscalls-2016-10-02
450038Heap-buffer-overflow in blink::BidiResolver<blink::InlineIterator, blink::BidiRun>::applyL1Rule-2016-10-02
449845Use-of-uninitialized-value in CFX_ByteString::FormatInteger-2016-10-02
449829Security: Illegal domain name resolving using leading dot creating unexpected behaviour/URL Bar Spoofing$1,0002016-10-02
449777UNKNOWN in content::WebContentsImpl::OnOpenColorChooser-2016-10-02
449739Security: Heap-use-after-free SpeechRecognitionDispatcher$1,0002016-10-02
449610ZDI-CAN-2662: Google Chrome V8EventListenerList::findOrCreateWrapper Type Confusion Remote Code Execution Vulnerability-2016-10-02
449893Heap-buffer-overflow in media::AudioBus::SwapChannels-2016-10-02
449958Heap-buffer-overflow in media::CopyPlane$2,0002016-10-02
449049Heap-use-after-free in blink::WorkerSharedTimer::setFireInterval-2016-10-02
449047Use-after-free in blink::Canvas2DLayerBridge::mailboxReleased-2016-10-02
449045Heap-use-after-free in blink::NavigationScheduler::shouldScheduleNavigation-2016-10-02
448798Use-of-uninitialized-value in IPC::ChannelPosix::ProcessOutgoingMessages-2016-10-02
449574Heap-use-after-free in extensions::MimeHandlerViewContainer::OnMessageReceived-2016-10-02
449291Global-buffer-overflow in v8::internal::MarkCompactCollector::EmptyMarkingDeque-2016-10-02
448423Heap-buffer-overflow in SkData::NewUninitialized$5,0002016-10-02
448314Heap-use-after-free in blink::V8PerContextData::constructorForTypeSlowCase$3,0002016-10-02
448189Wild read in aura::GetDeviceScaleFactorFromDisplay-2016-10-02
448102Bad-cast to v8::internal::OFStreamBase from base class subobject at offset 8;ostreams.cc:27:37-2016-10-02
448082Heap-use-after-free in content::ServiceWorkerScriptCacheMap::NotifyFinishedCaching$2,5002016-10-02
448081Heap-use-after-free in blink::FrameLoaderClientImpl::allowScript-2016-10-02
448428Heap-use-after-free in /usr/lib/libstdc++.6.dylib+0x2dfc9-2016-10-02
448299Heap-buffer-overflow in sk_memset32_SSE2-2016-10-02
448056UNKNOWN in content::WebContentsImpl::OnDidStartLoading-2016-10-02
448006Heap-use-after-free in blink::Node::compareDocumentPosition$3,0002016-10-02
447976Heap-use-after-free in blink::ScopedStyleResolver::collectMatchingAuthorRules$3,0002016-10-02
447906Heap-use-after-free in blink::DateTimeEditElement::~DateTimeEditElement$5,0002016-10-02
447889Global-buffer-overflow in hb_indic_get_categories-2016-10-02
447860global-buffer-overflow at vp56_rac_get_prob_branchy$5002016-10-02
448057Use-of-uninitialized-value in extract_image_data-2016-10-02
448061ASSERTION FAILED: !object || (object->isText())-2016-10-02
448008Select/option website clickjacking-2016-10-02
447852Vulnerability reported in dev-libs/openssl-2016-10-02
458777Heap-use-after-free in blink::Frame::host-2016-10-02
458776Heap-use-after-free in blink::WebPluginContainerImpl::scriptableObject-2016-10-02
458868Heap-use-after-free in content::ChildThreadImpl::ShutdownThread-2016-10-02
458861Heap-buffer-overflow in chromium_ijg_jpeg_idct_islow-2016-10-02
457480Heap-buffer-overflow in opj_dwt_decode$3,0002016-10-02
458184Use-after-free in blink::LayoutObject::isRooted-2016-10-02
458024[qcms] security - stack buffer overread in lut_inverse_interp16-2016-10-02
457680Security: Flash AS2 Use After Free in DisplacementMapFilter.mapBitmap$5,0002016-10-02
457583Security: Flash AS2 ConvolutionFilter Uninitialized Memory Leak$4,0002016-10-02
457493Heap-double-free in j2k_read_ppm_v3$2,0002016-10-02
458026[qcms] security - heap info leak in qcms-2016-10-02
458474Heap-use-after-free in net::FileStream::Context::ReadAsyncResult-2016-10-02
458191Heap-use-after-free in blink::HTMLImportTreeRoot::recalcTimerFired-2016-10-02
456920Heap-use-after-free in base::ElapsedTimer::Elapsed-2016-10-02
456841Security: Extensions can silently debug (run code) in ANY tab and escape the sandbox$1,0002016-10-02
456828Security: heap-buffer-overflow in SkGradientShaderBase::SkGradientShaderBase$5,0002016-10-02
457278Security: Flash AS2 Use After Free in TextField.filters$5,0002016-10-02
456635Heap-use-after-free in blink::Node::compareDocumentPosition-2016-10-02
456532Heap-use-after-free in blink::UserMediaRequest::start-2016-10-02
456516Security: MidiHostMsg_SendData vector OOB on Android$7,5002016-10-02
456391Don't supply invalid hostnames to the DNS resolver-2016-10-02
456206Heap-buffer-overflow in parse_encoding$5002016-10-02
456192Possibly invalid type cast in blink::V8LazyEventListener::prepareListenerObject$3,0002016-10-02
456636Use-of-uninitialized-value in blink::CustomElementUpgradeCandidateMap::~CustomElementUpgradeCandidateMap-2016-10-02
456101Security: Race condition in Flash workers may cause an exploitable double free by abusing bytearray.writeObject$7,5002016-10-02
456059Heap-use-after-free in blink::PendingScript::stopWatchingForLoad$3,0002016-10-02
455964Security: NaCl processes are not marked non-dumpable.-2016-10-02
455953Security: file:// origins can use webkitRequestFullscreen and requestPointerLock without a prompt-2016-10-02
455857Google Chrome SpeechRecognitionClient Use-After-Free Remote Code Execution Vulnerability-2016-10-02
455839Security: NaCl processes should have an address space usage limit-2016-10-02
455994double free at content::RenderFrameImpl::~RenderFrameImpl-2016-10-02
455428Password is read out in the 'connect to corp network' window-2016-10-02
455368UNKNOWN in blink::SQLStatementBackend::execute$2,5002016-10-02
455215Security: HSTS not applied to WebSocket$5002016-10-02
454426Use-of-uninitialized-value in FT_RoundFix-2016-10-02
454280Use-of-uninitialized-value in CPDF_Function::Call-2016-10-02
454278Use-after-free in media::CdmSessionAdapter::Initialize-2016-10-02
454268Heap-buffer-overflow in PPP_GetInterface-2016-10-02
454231Heap Use After Free @blink::BaseMultipleFieldsDateAndTimeInputType::readonlyAttributeChanged$2,0002016-10-02
455735UNKNOWN in blink::WebSpeechSynthesisVoice::operator$2,0002016-10-02
455363Heap-buffer-overflow in ps_table_add-2016-10-02
453994Security: GaiaAuthExtension is too powerful and should validate parameter-2016-10-02
452794Heap-use-after-free in CPDFSDK_Widget::GetMixXFAWidget-2016-10-02
453553SIGSEGV in opj_j2k_update_image_data via pdfium_test-2016-10-02
453279Heap-use-after-free in blink::MutationObserverRegistration::unregister$3,0002016-10-02
453209Use-after-poison in blink::ThreadHeap::allocate+0x58-2016-10-02
453126Undefined behavior (bad virtual call) in net/socket/ssl_client_socket_pool.cc-2016-10-02
454153Global-buffer-overflow in blink::AXRenderObject::text-2016-10-02
452793Heap-use-after-free in FT_Stream_ReleaseFrame-2016-10-02
454157Use-of-uninitialized-value in void v8::internal::ScavengingVisitor<-2016-10-02
453979Security: UXSS in V8-2016-10-02
452135ASSERTION FAILED: !m_renderGrid.gridIsDirty() in blink::GridPainter::paintChildren-2016-10-02
452059Copy-Paste XSS (ODT to contenteditable)-2016-10-02
452638Heap-use-after-free in content::RenderFrameImpl::DecidePolicyForNavigation-2016-10-02
452455Heap-buffer-overflow in CPDF_SampledFunc::v_Call-2016-10-02
464409Update net-misc/radsecproxy to 1.6.6-2016-10-02
464391Heap-use-after-free in base::internal::CallbackBase::Reset-2016-10-02
464463Use-of-uninitialized-value in content::BrowserMessageFilter::Send-2016-10-02
464594Use-of-uninitialized-value in content::BrowserMessageFilter::Send-2016-10-02
463958Heap-use-after-free in xmlSwitchEncoding$1,0002016-10-02
463920Heap-use-after-free in SuperBlitter::blitH-2016-10-02
463599Heap-buffer-overflow in blink::WebString::fromUTF8$1,0002016-10-02
462843Security: UXSS in AuthenticatorHelper$7,5002016-10-02
462300Heap-buffer-overflow in resize_context_buffers-2016-10-02
461936Heap-use-after-free in gcm::GCMClientImpl::OnRegisterCompleted-2016-10-02
461858Chrome allows "Always open files of this type" to be used with executables$5002016-10-02
462319Heap-use-after-free in gcm::SocketInputStream::Refresh-2016-10-02
461474UNKNOWN in bool blink::outputRows<-2016-10-02
461191Security: UNKNOWN in RenderFrameImpl::OnMessageReceived$3,0002016-10-02
461481Security: HSTS bypass$1,0002016-10-02
460939Heap-use-after-free in content::GLHelper::CopyTextureToImpl::FinishRequest-2016-10-02
460938ASSERTION FAILED: !node || (node->isShadowRoot())-2016-10-02
460937UNKNOWN in v8::internal::IC::SetTargetAtAddress-2016-10-02
460936Use-of-uninitialized-value in FT_DivFix-2016-10-02
460917OOB write in v8 due to elements kind confusion$5002016-10-02
461472Heap-use-after-free in blink::PopupMenuImpl::didClosePopup-2016-10-02
460751Use-after-free in blink::ColorInputType::didEndChooser-2016-10-02
460426Add RELEASE_ASSERTs to ScriptRunner to crash in a more controlled way?-2016-10-02
460391Search query highlights the scheme of the search term and displays like a URL-2016-10-02
460145Unsafe %GeneratorFuntion% intrinsic cannot be denied-2016-10-02
459898Heap-use-after-free in CFX_BaseSegmentedArray::Iterate-2016-10-02
459897Use-of-uninitialized-value in SkConic::computeQuadPOW2-2016-10-02
460752Heap-use-after-free in blink::Document::didChangeVisibilityState-2016-10-02
460431Regression: Chrome crashes when "No thanks" link is dropped in any text-boxes on Chrome sign-in page.-2016-10-02
459637Use-of-uninitialized-value in v8::internal::compiler::Schedule::block-2016-10-02
459633Use-after-poison in v8::internal::compiler::Node::Input::Update-2016-10-02
459632Bad parameters to __sanitizer_annotate_contiguous_container in blink::EventListenerMap::EventListenerMap-2016-10-02
459564XSS in chrome://webrtc-internals/-2016-10-02
459533Heap-use-after-free in blink::LayoutLayerModelObject::hasSelfPaintingLayer$2,0002016-10-02
459483Use-of-uninitialized-value in sha1_final-2016-10-02
459445Security: Url Bar Spoofing using the redirections at shopping.paypal.com-2016-10-02
459862Heap-use-after-free in blink::VectorMath::zvmul-2016-10-02
458871Use-of-uninitialized-value in blink::RenderView::setSelection-2016-10-02
459215Security: pdfium - write past end of heap buffer when parsing invalid JPEG2000 image$3,0002016-10-02
459114Heap-use-after-free in get_lowest_part_y-2016-10-02
459043Chrome_Mac: Crash Report - blink::HarfBuzzShaper::setGlyphPositionsForHarfBuzzRun-2016-10-02
458876Use-of-uninitialized-value in v8::internal::compiler::Schedule::block$1,0002016-10-02
458875Global-buffer-overflow in cff_parse_real-2016-10-02
458873Heap-buffer-overflow in bloat_quad-2016-10-02
459115Heap-use-after-free in content::MessagePortService::UpdateMessagePort-2016-10-02
459239Heap-use-after-free in base::ElapsedTimer::Elapsed-2016-10-02
458870Heap-use-after-free in blink::TreeScopeStyleSheetCollection::analyzeStyleSheetChange-2016-10-02
458869UNKNOWN in TLine::GetMappedCharsInRange-2016-10-02
469395UNKNOWN in v8::internal::Invoke-2016-10-02
469305Update sqlite to uptake http://www.sqlite.org/src/info/ceebcdcaf1acf409-2016-10-02
469247Use-of-uninitialized-value in blink::TransformationMatrix::blend-2016-10-02
469244Stack-buffer-overflow in CFX_WideString::FormatV$1,0002016-10-02
469152P2PSocketDispatcherHost UaF-2016-10-02
469151GamepadProvider infoleak-2016-10-02
469148UNKNOWN in v8::internal::ExternalUint32Array::SetValue-2016-10-02
469082Security: sqlite bad ptr access-2016-10-02
468972Security: Two DoS bugs from OpenSSL 1.0.2a security advisory.-2016-10-02
468936Pwn2own gpu bug-2016-10-02
468931Security: Webpages have access to some extension resources$3,0002016-10-02
468933Security: pwn2own 2015 exploit #1-2016-10-02
468618ASSERTION FAILED: !value || (value->isValueList())-2016-10-02
468451Some cross-origin `location` properties are accessible$3,0002016-10-02
468179Alert popup with no and/or inaccurate origin identification$5002016-10-02
468167Use-of-uninitialized-value in parse_font_matrix$1,0002016-10-02
468519Container-overflow in blink::FEColorMatrix::createImageFilter$1,5002016-10-02
468406Container-overflow in blink::HTMLTreeBuilder::processStartTagForInBody-2016-10-02
467644Bad-cast to blink::LayoutBox from blink::LayoutText;LayoutBox.h:NUMBER:1-2016-10-02
467452Heap-use-after-free in blink::Node::recalcDistribution$2,0002016-10-02
467481UNKNOWN in v8::base::NoBarrier_Load-2016-10-02
467844Hosted apps running in windows don't show the origin.-2016-10-02
468166Use-of-uninitialized-value in blink::Member<blink::IDBKey>* blink::HeapAllocator::allocateVectorBacking<b$1,5002016-10-02
467593UNKNOWN in SkBlitMask::RowFactory-2016-10-02
467352UNKNOWN in gleUnbindDeleteHashNamesAndObjects-2016-10-02
467347UNKNOWN in SkBlitLCD16OpaqueRow_SSE2-2016-10-02
467184Use-of-uninitialized-value in cc::LayerQuad::ToQuadF-2016-10-02
467014Heap-use-after-free in blink::LayoutObject::container-2016-10-02
467372Heap-use-after-free in base::MessageLoop::DeleteSoonInternal-2016-10-02
467348Heap-use-after-free in blink::TextFieldInputType::handleKeydownEventForSpinButton$1,5002016-10-02
466990Heap-use-after-free in hb_ot_map_t::lookup_map_t::cmp-2016-10-02
466967UNKNOWN in sk_memset32_SSE2$1,0002016-10-02
466790Global-buffer-overflow in CPDF_CIDFont::_CharCodeFromUnicode-2016-10-02
466338Security: Unchecked memcpy in _png_load_bmp_attribute()-2016-10-02
466632Heap-use-after-free in v8::internal::Code::Disassemble-2016-10-02
466351Security: On Android, it's possible to inject text and icons to the page info bubble using crafted URL fragments$5002016-10-02
467011Heap-buffer-overflow in SkAAClipBlitter::blitMask-2016-10-02
465557Security: Browser-process out-of-bounds write of up to 7 bytes in BoringSSL ssl3_read_n.-2016-10-02
465586Use-after-free in _XReply-2016-10-02
466335Heap-use-after-free in content::WebSocketHost::AddChannel-2016-10-02
465759Use-of-uninitialized-value in v8::internal::Factory::NewNumber-2016-10-02
465517Origin header preserved for cross-origin redirects with 307 status code, should be null-2016-10-02
465002UNKNOWN in PluginObserver::PluginPlaceholderHost::DownloadFinished-2016-10-02
464995Heap-use-after-free in webrtc::DtlsIdentityStore::GenerateIdentity_w-2016-10-02
464871Flash: use-after-free in display list handling from KeenTeam (repros 2-5, 6)$4,0002016-10-02
464870Flash: use-after-free in display list handling from KeenTeam (repro 1)$3,0002016-10-02
464792Heap-use-after-free in blink::FrameView::setScrollbarModes-2016-10-02
465426Heap-use-after-free in get_lowest_part_y-2016-10-02
465185Heap-use-after-free in std::_Tree<std::_Tset_traits<enum-2016-10-02
465091Heap-buffer-overflow in blink::Document::Document-2016-10-02
474609Heap-use-after-free in blink::HTMLImportTreeRoot::recalcTimerFired-2016-10-02
474784Heap-use-after-free in blink::ScriptStreamer::streamingCompleteOnBackgroundThread-2016-10-02
474783UNKNOWN in v8::internal::Invoke-2016-10-02
474370Security: heap-use-after-free in content::MediaStreamDispatcher::OnStreamGenerated$1,0002016-10-02
474254Merge change to reject DHE for False Start-2016-10-02
474099Security: Use-after-free in webaudio/scriptprocessornode-premature-death.html and webaudio/scriptprocessornode-premature-death.html-2016-10-02
474297UNKNOWN in v8::internal::PropertyCell::UpdateCell-2016-10-02
473688Heap-buffer-overflow in media::MultiChannelResampler::Resample-2016-10-02
473253Security: heap-use-after-free in blink::ConsumerWrapper::consumeAudio$3,0002016-10-02
474082Container-overflow in TabDragController::GetTabsMatchingDraggedContents-2016-10-02
474077UNKNOWN in v8::internal::NativeRegExpMacroAssembler::Execute-2016-10-02
473903Clicking 'prevent additional dialogs' fails to work with some scammer sites-2016-10-02
472613Heap-buffer-overflow in blink::UTF16TextIterator::consumeSlowCase$5002016-10-02
472201Security: Flash: Uninitialized stack variable while parsing an MPD file can corrupt memory$3,0002016-10-02
472147Heap-buffer-overflow in SuperBlitter::blitH-2016-10-02
472146Heap-use-after-free in printing::PrintJobWorker::GetSettingsWithUIDone-2016-10-02
471991Global-buffer-overflow in CXFA_ItemLayoutProcessor::CalculatePositionedContainerPos-2016-10-02
471990UNKNOWN in CPDF_SampledFunc::v_Call-2016-10-02
472614Heap-use-after-free in content::IndexedDBBackingStore::Transaction::ChainedBlobWriterImpl::ReportW$3,5002016-10-02
472618WebSQL shouldn't run a nested message loop during renderer shutdown.-2016-10-02
472617Heap-use-after-free in content::UserMediaClientImpl::OnCreateNativeTracksCompleted-2016-10-02
471651Heap-buffer-overflow in CPDF_CMap::GetNextChar$5002016-10-02
471525Heap-buffer-overflow in url::ParsePort$1,0002016-10-02
471523Security: Heap-use-after-free in extensions::`anonymous namespace'::LoadWatcher::DidCreateDocumentElement+68$3,0002016-10-02
471445Bad-cast to blink::LayoutMultiColumnFlowThread from blink::LayoutTable;LayoutBlockFlow.cpp:3089:13-2016-10-02
471785Bad-cast to blink::DedicatedWorkerGlobalScope from blink::CompositorWorkerGlobalScope;WorkerMessagingProxy.cpp:76:47-2016-10-02
471652NO STACK-2016-10-02
470980Security: Unknown in convolve4RowsHorizontally_SSE2-2016-10-02
471000UNKNOWN in v8::internal::Invoke-2016-10-02
470837Security: Flash Player Integer Overflow in Function.apply$7,5002016-10-02
470777Heap-buffer-overflow in blink::WebSpeechRecognitionHandle::operator blink::SpeechRecognition*-2016-10-02
471072UNKNOWN in S32A_Opaque_BlitRow32_SSE4-2016-10-02
470864Security: Use After Free in Flash AVSS.setSubscribedTags can cause memory corruption$5,0002016-10-02
470856Use-of-uninitialized-value in webrtc::internal::TransportAdapter::SendRTCPPacket-2016-10-02
470470Heap-use-after-free in blink::PopupMenuImpl::addElementStyle-2016-10-02
470391Use-of-uninitialized-value in v8::internal::Simulator::LoadStoreHelper-2016-10-02
470390UNKNOWN in v8::internal::Heap::UpdateAllocationSiteFeedback-2016-10-02
470749Flash: bad cast(?) in display list handling from KeenTeam$2,0002016-10-02
470392UNKNOWN in v8::internal::FixedArray::get-2016-10-02
470753Flash: out-of-bounds write in shader handling$3,0002016-10-02
470751Flash: AGAL information leak from KeenTeam$1,0002016-10-02
470121Bad-cast to webrtc::newapi::Transport from invalid vptr;transport_adapter.cc:36:18-2016-10-02
469814Looks like OOB call in memcpy-2016-10-02
470144Heap-use-after-free in ImageDecoder::OnMessageReceived-2016-10-02
469743UNKNOWN in libc.so.6-2016-10-02
469507Security: Screen contents from other origins and non-Chrome applications are displayed in the browser$1,0002016-10-02
469480NO STACK$3,5002016-10-02
470128UNKNOWN in v8::internal::TypeFeedbackOracle::CanRetainOtherContext-2016-10-02
470122Heap-use-after-free in webrtc::internal::TransportAdapter::SendRTCPPacket-2016-10-02
469756Use-of-uninitialized-value in blink::TransformationMatrix::rotate3d-2016-10-02
469416Container-overflow in content::MidiMessageFilter::HandleClientAdded-2016-10-02
481874Vulnerability reported in net-dialup/ppp-2016-10-02
481299OS X memory corruption in IOAccelSurface2::set_shape_backing_length_ext from KEEN Team$5,0002016-10-02
481298OS X memory corruption in IGFence::release from KEEN Team$5,0002016-10-02
481296Apple OS X Yosemite 10.10.2 IOAccelSurface2::set_id_mode OOB read on IOAccelMachine2 from KEEN Team$5,0002016-10-02
481218OS X kASLR defeat from KEEN Team$4,0002016-10-02
481044Security: use-after-free in WebAudio-2016-10-02
481015Security: XSS in the bookmark button$5002016-10-02
481639Security: Boundless Tunes - universal SOP bypass through ActionScript's Sound object$7,5002016-10-02
481306Flash use-after-free in display list handling from KEEN Team, round #2$3,0002016-10-02
480536Container-overflow in /mnt/scratch0/clusterfuzz/slave-bot/builds/chromium-browser-asan_linux-rele-2016-10-02
479825Use-after-free in blink::LayoutMenuList::setIndexToSelectOnCancel-2016-10-02
479427ASSERTION FAILED: !object || (object->isLayoutBlock())-2016-10-02
479743Security: 1503A - Chrome - ui::AXTree::Unserialize UAF-2016-10-02
480201Security: chrome url spoofing$1,0002016-10-02
478745Heap-use-after-free in blink::ContainerNode::addChildNodesToDeletionQueue-2016-10-02
478575Heap-use-after-free in blink::Node::parentOrShadowHostOrTemplateHostNode-2016-10-02
478578Heap-use-after-free in cc::ScrollbarLayerImplBase::PushScrollClipPropertiesTo-2016-10-02
479162Security: spell checking dictionaries are fetched over HTTP, and large responses lead to a crash$5002016-10-02
478556UNKNOWN in v8::internal::ExecutableAccessorInfo::set_setter-2016-10-02
478549Heap-use-after-free in blink::SMILTimeContainer::updateAnimations$2,0002016-10-02
478583Use-of-uninitialized-value in content::MediaInternals::OnMediaEvents-2016-10-02
478009UNKNOWN in v8::internal::PropertyCell::PropertyCellVerify-2016-10-02
478077Heap-use-after-free in v8::internal::CompilationDependencies::Abort-2016-10-02
477953UNKNOWN in v8::internal::JSObject::JSObjectVerify-2016-10-02
477868Decide on security style for resources loaded over bad HTTPS with user exception-2016-10-02
477955UNKNOWN in v8::internal::FixedArray::FixedArrayVerify-2016-10-02
477331Negative-size-param in cc::ListContainer<cc::DrawQuad>::EraseAndInvalidateAllPointers-2016-10-02
477333ASSERTION FAILED: node.isElementNode()-2016-10-02
477380Bad-cast to blink::RawResourceClient from blink::LinkLoader;RawResource.cpp:59:33-2016-10-02
477680Security: avatars are fetched over HTTP, and large responses lead to a crash-2016-10-02
477713ASSERTION FAILED: !needsLayout-2016-10-02
477819Heap-use-after-free in blink::FFTFrame::doInverseFFT-2016-10-02
477298UNKNOWN in v8::internal::HeapObject::SizeFromMap-2016-10-02
477278Security: URL spoof message of onbeforeunload-2016-10-02
476926Security: Flash AS2 Use After Free in TextField.filters (again)$5,0002016-10-02
477089Heap-use-after-free in void blink::ScriptPromiseResolver::resolveOrReject<blink::AudioBuffer*>-2016-10-02
476647Use-of-uninitialized-value in SkRecords::FillBounds::adjustAndMap$5002016-10-02
476107Heap-buffer-overflow in CJBig2_Context::parseSymbolDict-2016-10-02
477187Heap-use-after-free in blink::AudioScheduledSourceHandler::notifyEnded-2016-10-02
475749Heap-buffer-overflow in media::ChannelMixingMatrix::CreateTransformationMatrix-2016-10-02
475773Heap-use-after-free in blink::LayoutBox::contentBoxRect-2016-10-02
475070Security: Clank injects JavaScript into the main page's world-2016-10-02
475018Security: [FLASH] Issues in DefineBitsLossless and DefineBitsLossless2 leads to using uninitialized memory while rendering a picture$4,0002016-10-02
489764boringssl: x509v3 has possible use-after-free in do_check_string()-2016-10-02
488783Heap-buffer-overflow in url::CanonicalizeIPAddress-2016-10-02
489151UNKNOWN in v8::internal::Simulator::LoadStoreHelper-2016-10-02
487284Security: QCMS crash OOB read at src/chain.c:211-2016-10-02
487752Unsecure shared memory-2016-10-02
487286Negative-size-param in content::AppCacheUpdateJob::OnDestructionImminent-2016-10-02
487928Heap-use-after-free in CJS_WideStringArray::~CJS_WideStringArray$4,3372016-10-02
486947UNKNOWN in SkReader32::readString$5,0002016-10-02
486946UNKNOWN in _fini$5,0002016-10-02
487237Security: Flash AS2 Use After Free in DisplacementMapFilter.mapBitmap$5,0002016-10-02
486944Stack-buffer-overflow in SkPackBits::Unpack8$5,0002016-10-02
486538Heap-double-free in opj_j2k_tcp_destroy-2016-10-02
487155Security: CSP does not block svg image in nested iframe$1,0002016-10-02
486977Heap-buffer-overflow in SkData::NewUninitialized$5,0002016-10-02
486945Heap-double-free in SkPictureData::~SkPictureData$5,0002016-10-02
486434Stack-buffer-overflow in sandbox::BrokerServicesBase::SpawnTarget$2,5002016-10-02
486003UNKNOWN in v8::internal::Heap::EnsureDoubleAligned-2016-10-02
486000Heap-use-after-free in blink::LayoutMultiColumnSet::updateMinimumColumnHeight-2016-10-02
485893Security: Adobe Flash FLV SCRIPTDATDSTRING OOB read Information Leak-2016-10-02
486301Heap-use-after-free in blink::BMPImageReader::decodeBMP-2016-10-02
486004Heap-use-after-free in base::MessageLoop::PostTask-2016-10-02
485843Use-after-poison in blink::PlatformSpeechSynthesizer::setVoiceList-2016-10-02
485419UNKNOWN in v8::internal::Simulator::DecodeTypeImmediate-2016-10-02
485414ASSERTION FAILED: !object || (object->isBox())-2016-10-02
485413Heap-use-after-free in ExtensionLocalizationPeer::OnCompletedRequest-2016-10-02
485534Heap-use-after-free in v8::internal::JSObject::PrintElements-2016-10-02
485198XSS Auditor bypass: <link rel="import {garbage}"-2016-10-02
484998An integer overflow in libskia could be used to escalate from Chrome's sandbox in Android$3,0002016-10-02
484957UNKNOWN in v8::internal::Invoke-2016-10-02
485855Heap-use-after-free in /mnt/scratch0/clusterfuzz/slave-bot/builds/chromium-browser-asan_linux-release/r-2016-10-02
485412Heap-buffer-overflow in v8::internal::Simulator::DecodeType2-2016-10-02
484610Security: Flash UAF with Color.setRGB in AS2$7,5002016-10-02
484432Potential heap overflow in WebRTC's VCMEncodedFrame-2016-10-02
484270Security: Heap overflow in CertificateResourceHandler-2016-10-02
484211Apply upstream EAP-PWD, WPS and WMM fixes-2016-10-02
484614Heap-use-after-free in blink::CSSAnimations::maybeApplyPendingUpdate$3,0002016-10-02
483981Security: Heap Overflow Vulnerability in JBIG2 handling, used by PDF Reader$5,5002016-10-02
483923Use-of-uninitialized-value in SkRect::join-2016-10-02
483728UNKNOWN in v8::internal::RelocIterator::RelocIterator-2016-10-02
483727Heap-use-after-free in blink::InspectorResolver::resolveFrame-2016-10-02
483488Security: Service Workers let you bypass some same-origin checks (like verbose script parsing errors)-2016-10-02
483375Security: [FG-VD-15-037] Adobe Flash Player PCRE Handing Heap Overflow Vulnerability$3,0002016-10-02
483340Heap-buffer-overflow in blink::RejectedPromises::processQueue-2016-10-02
482639UNKNOWN in CJBig2_HuffmanTable::parseFromCodedBuffer-2016-10-02
482521Security: Flash UAF with MovieClip.scrollRect in AS2$7,5002016-10-02
483856Use-after-poison in blink::PendingScript::PendingScript-2016-10-02
482369ASSERTION FAILED: !entry->element || entry->element == element-2016-10-02
482380Security: URL Spoof with http authentication dialog and pdf prompt dialog$5002016-10-02
482214ASSERTION FAILED: !object || (object->isBox())$2,5002016-10-02
498982Security: XSS Auditor info disclosure using iframe length from different domains$1,3372016-10-02
498954Heap-use-after-free in content::BrowserPlugin::~BrowserPlugin-2016-10-02
498478Proximity Auth Base64URL decoding allows invalid messages through-2016-10-02
498475Heap-use-after-free in blink::InspectorDebuggerAgent::removeBreakpoint-2016-10-02
498338Security: Integer Overflow in Windows Sandbox Policy Engine String Comparison-2016-10-02
497632Security: SEGV on unknown address in offsetHeightAttributeGetter$3,0002016-10-02
497588Security: Chrome Address Spoofing with unresponsive page-2016-10-02
497579ASSERTION FAILED: offset + length <= m_length-2016-10-02
498984Security: Flash AS2 Use After Free in TextField.filters (again and again)$5,0002016-10-02
497576UNKNOWN in v8::internal::ArrayConcatVisitor::ToArray-2016-10-02
497523ASSERTION FAILED: !value || (value->isGridLineNamesValue())-2016-10-02
497578Heap-buffer-overflow in gfx::internal::TextRunHarfBuzz::GetClusterAt-2016-10-02
497507Security: Cross-origin scripting possible via native functions$7,5002016-10-02
497435Heap-use-after-free in blink::LayoutMultiColumnSet::pageLogicalHeight-2016-10-02
497357Heap-buffer-overflow in color_sycc_to_rgb$1,0002016-10-02
497355Heap-double-free in j2k_read_ppm_v3$3,0002016-10-02
497195ASSERTION FAILED: !object || (object->isLayoutMultiColumnSet())-2016-10-02
497524Use-after-free in WTF::Vector<blink::MultiColumnFragmentainerGroup,1,WTF::DefaultAllocator>::at-2016-10-02
495933Security: RTL character + IP address = spoofed domain-2016-10-02
495682Use-of-uninitialized-value in /mnt/scratch0/clusterfuzz/slave-bot/builds/linux_msan_chrome_ipc/custom/msan_ipc-2016-10-02
495300Security: heap-use-after-free in pdfium CFX_BaseSegmentedArray-2016-10-02
494987Security: Geolocation API Spoof in Chrome For iOS$5002016-10-02
494640Security: Universal XSS using IDBKeyRange static methods$7,5002016-10-02
494043ASSERTION FAILED: !node || (node->isContainerNode())-2016-10-02
495934Security: Unicode "Lock" character (-2016-10-02
492981Heap-use-after-free in blink::HTMLFormElement::item-2016-10-02
493243Heap-use-after-free in blink::Frame::deprecatedLocalOwner$2,0002016-10-02
493935Distinguish file: origins by hostname AND pathname, just not pathname-2016-10-02
492448Security: Update NSS to 3.19-2016-10-02
492490ASSERTION FAILED: offset + length <= m_length-2016-10-02
492634Security: Information for reporting Canary build bugs sends you to an insecure webpage-2016-10-02
492263UNKNOWN in SkSweepGradient::SweepGradientContext::shadeSpan$5,0002016-10-02
492052Security: libexpat buffer-overflow seems to affect latest version of chromium on Linux x86_64$5002016-10-02
491975Heap-buffer-overflow in SI8_opaque_D32_nofilter_DX$1,0002016-10-02
491742UNKNOWN in v8::internal::Simulator::DecodeType2-2016-10-02
492265Heap-use-after-free in SkCreateBitmapShader$1,0002016-10-02
491660Heap-buffer-overflow in convolve4RowsHorizontally_SSE2$5,0002016-10-02
491584Use-of-uninitialized-value in media::VideoFrameCompositor::GetCurrentFrameAndUpdateIfStale-2016-10-02
491582ASSERTION FAILED: !object || (object->isBox())-2016-10-02
491216Make IOBuffer, IOBufferWithSize and ShrinkableIOBufferWithSize resilient against truncation.-2016-10-02
490721Heap-buffer-overflow in blink::CSSSelector::matchNth-2016-10-02
490722Heap-use-after-free in blink::LayoutMultiColumnSet::flowThreadTranslationAtOffset-2016-10-02
490506UNKNOWN in v8::internal::CompilationDependencies::Abort-2016-10-02
490505Heap-use-after-free in blink::AXObject::document-2016-10-02
490496Heap-use-after-free in plugins::LoadablePluginPlaceholder::DidFinishLoadingCallback-2016-10-02
490492Security: heap-use-after-free in WebsiteSettingsInfoBarDelegate::Create$1,0002016-10-02
505614Use-of-uninitialized-value in std::__1::__tree<content::WebContents*, std::__1::less<content::WebContents*>, s-2016-10-02
505374UNKNOWN in blink::EventTarget::getEventListeners$1,0002016-10-02
505341UNKNOWN in v8::internal::ScopeIterator::Type-2016-10-02
505227Use-of-uninitialized-value in GrAAConvexTessellator::addTri-2016-10-02
504691Heap-buffer-overflow in content::NavigationControllerImpl::RendererDidNavigateToExistingPage-2016-10-02
504688Heap-use-after-free READ 8 in blink::DeprecatedPaintLayer::mapRectToPaintBackingCoordinates-2016-10-02
504727UNKNOWN in v8::internal::Object::GetProperty-2016-10-02
504692Heap-use-after-free in views::internal::NativeWidgetPrivate::GetNativeWidgetForNativeView-2016-10-02
504687Use-of-uninitialized-value in SkCanvas::concat-2016-10-02
504690Use-of-uninitialized-value in blink::encodePixels-2016-10-02
504685Heap-use-after-free in blink::WorkerScriptLoader::loadAsynchronously-2016-10-02
503217Security: improperly escaped "saved from url" info allows modification of saved pages$5002016-10-02
502863Use-after-poison in blink::HTMLMediaElement::setReadyState-2016-10-02
502859ASSERTION FAILED: !node || (node->isShadowRoot())-2016-10-02
502794Heap-use-after-free in CFX_BaseSegmentedArray::Iterate-2016-10-02
502793Heap-use-after-free in blink::Touch::Touch-2016-10-02
502792Stack-buffer-overflow in FixWinding-2016-10-02
502858Heap-use-after-free in blink::SuspendableScriptExecutor::contextDestroyed-2016-10-02
501973Heap-double-free in gfxReleaseSharedStateAndHash-2016-10-02
501891Bad-cast to blink::EventTarget from blink::MediaDevices;ScriptWrappable.h:67:16-2016-10-02
501888Heap-use-after-free in blink::ScreenOrientationController::dispatchChangeEvent-2016-10-02
502562Heap-use-after-free in WebLocalFrameImpl::printBegin$3,0002016-10-02
501889Heap-buffer-overflow in CPDF_ICCBasedCS::GetDefaultValue-2016-10-02
500877Security: XSSAuditor bypass with leading regexp inside svg script tag.-2016-10-02
501428Stack-use-after-return in blink::DisplayItemClientWrapper::displayItemClient-2016-10-02
501113Vulnerability reported in dev-libs/openssl-2016-10-02
500026Security: Non-temporal store row-hammer vulnerability-2016-10-02
499789Heap-use-after-free in v8::internal::JSTypedArray::MaterializeArrayBuffer-2016-10-02
500355Heap-use-after-free in v8::HandleScope::Initialize-2016-10-02
500175Heap-buffer-overflow in v8::internal::JSTypedArray::MaterializeArrayBuffer-2016-10-02
500352Use-after-poison in blink::HTMLMediaElement::~HTMLMediaElement-2016-10-02
499279Web MIDI performance crashes chrome canary$2,0002016-10-02
499465Security: WebKit ASLR is consistent across renderers-2016-10-02
512445Heap-use-after-free in CPDFSDK_PageView::GetAnnotByDict-2016-10-02
511554Vulnerability reported in net-misc/curl-7.23.1-r1-2016-10-02
511616Security: Performance APIs reveal cross-origin URLs.$1,0002016-10-02
511553Vulnerability reported in dev-libs/openssl-1.0.1c-r9-2016-10-02
509775Remove unused jump_elimination_allowed parameter to Assembler::branch_offset()-2016-10-02
510702Heap-use-after-free in blink::CompositorWorkerManager::shutdown-2016-10-02
510707Heap-use-after-free in blink::Font::buildTextBlob-2016-10-02
510802Security: webRequest API allows intercepting XHR from apps and extensions$3,0002016-10-02
510850Security: Chrome inadvertently includes a supercookie via DTLS cert information-2016-10-02
509666Security: ARM constant pool can be blocked for too long-2016-10-02
509463ASSERTION FAILED: !object || (object->isLayoutMultiColumnSet())-2016-10-02
509461Heap-use-after-free in blink::Node::insertBefore-2016-10-02
509458Heap-use-after-free in v8::internal::MemoryReducer::TimerTask::Run$3,5002016-10-02
509670MIPS trampoline pool emission seems to be wrong sometimes-2016-10-02
509313chrome.embeddedSearch.newTabPage.navigateContentWindow is too powerful$1,0002016-10-02
508792Uninit read from cc::LayerTreeHostImpl::LayerTreeHostImpl-2016-10-02
508705Use-of-uninitialized-value in blink::MediaQueryExp::createIfValid-2016-10-02
508703Use-of-uninitialized-value in AAFillRectBatch::onCombineIfPossible-2016-10-02
508540Unicode-decoder: fix out-of-band write in utf16-2016-10-02
508086Security: Flash UAF with Color.setTransform in AS2-2016-10-02
508983ASSERTION FAILED: !node || (node->isShadowRoot())-2016-10-02
508979Heap-use-after-free in blink::DeprecatedPaintLayer::setGroupedMapping-2016-10-02
508876GetStringUTFChars() no longer returns Modified UTF-8 in Android M-2016-10-02
508872Merge out-of-bounds accesses found by WebRTC fuzzing.-2016-10-02
507990Use-after-free in blink::V8Window::namedPropertyGetterCustom-2016-10-02
507988Heap-use-after-free in blink::DeprecatedPaintLayer::setGroupedMapping$3,5002016-10-02
507821Send SafeBrowsing ping-backs for additional file types-2016-10-02
508072Security: Flash Heap-use-after-free in SurfaceFilterList::CreateFromScriptAtom. Alwayzzzzzzz$7,5002016-10-02
507020Use-after-free in blink::AXNodeObject::document-2016-10-02
507018Use-of-uninitialized-value in Browser::GetSecurityStyle-2016-10-02
508009Security: Flash Use After Free in TextLine.opaqueBackground-2016-10-02
507992Heap-use-after-free in blink::DeprecatedPaintLayer::updatePagination-2016-10-02
507272Potential Flash 0-day Exploit ('flash-0day-vitaly1')-2016-10-02
506749Heap-use-after-free in crypto::Encryptor::Decrypt-2016-10-02
507017Use-of-uninitialized-value in blink::GraphicsContext::realizePaintSave-2016-10-02
506763stack-use-after-return in opj_pi_next_rpcl$5002016-10-02
506540UNKNOWN in v8::internal::Simulator::InstructionDecode-2016-10-02
505829Byte Serving Information Leak-2016-10-02
516365Heap-use-after-free in media::DecryptingDemuxerStream::~DecryptingDemuxerStream-2016-10-02
516298Many media/track/ layout tests flakily crash-2016-10-02
516266Stack-buffer-overflow in SkIntersections::removeOne$3,0002016-10-02
516361Heap-buffer-overflow in gfx::FindValidBoundaryBefore-2016-10-02
516690Security: WebUI backends inject data into random web pages (tracking bug)-2016-10-02
514758Use-of-uninitialized-value in SkUnPreMultiply::UnPreMultiplyPreservingByteOrder-2016-10-02
514756Use-of-uninitialized-value in SuperBlitter::blitH-2016-10-02
516088Heap-buffer-overflow in content::NavigationControllerImpl::InsertOrReplaceEntry-2016-10-02
514891Heap-buffer-overflow in CJBig2_Context::parseSymbolDict$2,0002016-10-02
514759Use-of-uninitialized-value in vp3_h_loop_filter_c-2016-10-02
514080!field_type->NowStable() || field_type->NowContains(value) in src/objects-debug.-2016-10-02
514076Security: localStorage of file:// can be read from any remote origin through a blob: document with the origin of null$1,0002016-10-02
514122UNKNOWN in v8::internal::MemoryChunk::IsFlagSet-2016-10-02
514755Heap-use-after-free in blink::ComposedTreeTraversal::traverseParent-2016-10-02
514753Use-of-uninitialized-value in blink::Font::glyphDataForCharacter-2016-10-02
513917Heap-use-after-free in ui::InputMethodAuraLinux::ResetContext-2016-10-02
513602UNKNOWN in v8::internal::Invoke-2016-10-02
512678Security: CSS font loading API bypasses CORS$5002016-10-02
526286Container-overflow in blink::HTMLTreeBuilder::processStartTagForInBody-2016-10-02
526441Use-of-uninitialized-value in vp3_h_loop_filter_c-2016-10-02
526378Security: Pointerlock browser UI hijack-2016-10-02
526025SEGV in SkOpSpan::containsCoincidence-2016-10-02
526244Attempting free in v8::internal::Heap::FreeDeadArrayBuffersHelper-2016-10-02
525696ASSERTION FAILED: !containsWrapper()-2016-10-02
525330Null out DOMWindow::m_frame as soon as the frame/window is detached-2016-10-02
524899Adobe Flash Player AdBreakTimelineItem class Memory Corruption Vulnerability$3,0002016-10-02
525832chromewebdata intermediary page can throw a Javascript syntax error-2016-10-02
525763Heap-buffer-overflow in SkCreateBitmapShader-2016-10-02
524096Use-of-uninitialized-value from GpuCommandBufferStub::OnInitializeFailed()-2016-10-02
524094Use-of-uninitialized-value in GrTextureDomain::GLDomain::setData-2016-10-02
524694Heap-use-after-free in blink::FrameLoaderClientImpl::dispatchDidFinishDocumentLoad-2016-10-02
524682Bad-cast to blink::LayoutText from blink::LayoutBlockFlow;LayoutText.h:237:1-2016-10-02
524074Security: Universal XSS by loading a javascript: URI from an unloaded window$7,5002016-10-02
522791Security: Universal XSS using navigator.serviceWorker.ready$7,5002016-10-02
523453UNKNOWN in v8::internal::Deserializer::FlushICacheForNewCodeObjects-2016-10-02
522128Security: Blink passes NULL TypedArray backing stores to V8, leading to OOB R/W-2016-10-02
521655window.find() with unusual HTML fails to handle shadow tree-2016-10-02
522131UNKNOWN in _CMapLookupCallback$3,0002016-10-02
521588Security: leaking previous webpage through webGL canvas preserveDrawingbuffer and scissor.-2016-10-02
519558Security: Universal XSS via ContainerNode::parserInsertBefore$8,8372016-10-02
520422Security: Cross-site read access to PDF files$4,0002016-10-02
520792Heap-use-after-free in blink::DocumentLoader::dataReceived-2016-10-02
521343Popunder is possible again (seemingly using Flash)-2016-10-02
519642Security: Memory-safety bug in Image11::map$1,0002016-10-02
518827Security: chrome.runtime.setUninstallURL does not validate its URL parameter$3,0002016-10-02
517906Security: Installed extensions can read memory mapping information.-2016-10-02
517854Global-buffer-overflow in FXSYS_itoa-2016-10-02
518749Security: Heap-use-after-free in UsbContext::UsbEventHandler::Stop$3,0002016-10-02
518206Security: Overflow in VertexBufferInterface::reserveVertexSpace causes memory-safety bug$5,0002016-10-02
517913ASSERTION FAILED: it != m_scriptsToExecuteInOrder.end()-2016-10-02
516821latest Chrome Canary(syzyasan) crashes constantly when querying crbug.com-2016-10-02
517383Adobe Flash Player Regular Expression Out-Of-Bounds Write Remote Code Execution Vulnerability$3,0002016-10-02
534621Update FreeType with a recent series of patches-2016-10-02
534570CSP: wildcard source expression (*) should not match data URIs$5002016-10-02
534542CSP: `*.x.y` must match a host that ends with `.x.y` (4.2.2 step 4.6)$5002016-10-02
532967UNKNOWN in vp8_read_mv_component$5002016-10-02
533778Security: Changing URL from your website to any other that uses HTTP BASIC AUTHENTICATION.-2016-10-02
533520Security: Links to "file://" URLs in PDFs-2016-10-02
532758Vulnerability reported in libpng-2016-10-02
532450Vulnerability reported in sys-kernel/chromeos-kernel-3_10-2016-10-02
532448Vulnerability reported in sys-kernel/chromeos-kernel-3_10-2016-10-02
532762Vulnerability reported in libevent-2016-10-02
532449Vulnerability reported in sys-kernel/chromeos-kernel-3_10-2016-10-02
531891Security: Universal XSS using exceptions thrown from Object.observe$7,5002016-10-02
532439Vulnerability reported in sys-kernel/chromeos-kernel-3_8-2016-10-02
532440Vulnerability reported in sys-kernel/chromeos-kernel-3_8-2016-10-02
531057Bad-cast to blink::ScriptWrappable from blink::WorkerWebSocketChannel;DOMWrapperMap.h:148:20$3,5002016-10-02
530301Security: Universal XSS using stack overflow exceptions$7,5002016-10-02
529682Content script is able to eval code in background page of other extension$3,0002016-10-02
531664CFI: invalid cast in list_container.h-2016-10-02
529530Heap-use-after-free in blink::DateTimeChooserImpl::didClosePopup-2016-10-02
529527Use-of-uninitialized-value in content::EchoInformation::UpdateAecDelayStats-2016-10-02
529520Heap-use-after-free in content::EmbeddedWorkerInstance::ReleaseProcess$3,5002016-10-02
529489Security: Tracking bug for upstream NSS issues-2016-10-02
529310Bad-cast to CJS_EventHandler from ;PublicMethods.cpp:2026:7-2016-10-02
529552Heap-buffer-overflow in UpdateDelayMetrics-2016-10-02
529531Heap-use-after-free in blink::WebViewImpl::close-2016-10-02
529012Bad-cast to util from Document;JS_Define.h:165:13$3,5002016-10-02
528798Bad-cast to blink::ScriptWrappable from blink::WebGLRenderingContextBase::TypedExtensionTracker<blink::ANGLEInstancedArrays>;ScriptWrappable.h:192:32-2016-10-02
528505Security: Linking to chrome:// urls inside pdf$4,0002016-10-02
528799Bad-cast to icu_54::UnicodeSet from icu_54::Quantifier;rbt_pars.cpp:1105:22-2016-10-02
528628Heap-buffer-overflow in C:\clusterfuzz\slave-bot\builds\chrome-test-builds_media_win32-release_e999b7478-2016-10-02
527466Security: Linux x86_64 vsyscall provides attack vectors-2016-10-02
527514Security: SAN-01-001 Angular ngSanitize bypass using SVG <use> & insecure JSON Callback in Blink-2016-10-02
527423Security: Integer overflow in open-vcdiff results in OOB read in browser process-2016-10-02
545173Security: UAF in CPWL_ComboBox::OnKeyDown in PDFium-2016-10-02
544765Privacy: browser history sniffing attack using HSTS + CSP$5002016-10-02
544691Use-of-uninitialized-value in blink::encodePixels$2,0002016-10-02
544020Security: blink::WeekInputType uaf vulnerability$3,0002016-10-02
543994Crash in NULL@0x...60-2016-10-02
543528Heap-use-after-free in v8::internal::compiler::DeadCodeElimination::ReduceLoopOrMerge-2016-10-02
544270Update harfbuzz to 1.0.6-2016-10-02
542054Security: properly escaped href attribute leading to offline XSS upon saving a page$5002016-10-02
541669Security: Security: signed integer overflow in media/formats/mp2t/es_parser_h264.cc-2016-10-02
541594Bad-cast to v8::String::ExternalStringResource from invalid vptr;objects-inl.h:4047:10-2016-10-02
541593Heap-buffer-overflow in blink::SVGFilterGraphNodeMap::addPrimitive$1,5002016-10-02
542060CSP for Evil & Service Workers-2016-10-02
541323Heap-buffer-overflow in CJBig2_HuffmanTable::parseFromCodedBuffer-2016-10-02
541322Bad-cast to blink::WebTaskRunner from invalid vptr;BackgroundHTMLParser.cpp:109:36-2016-10-02
540949Security: Webpage can bypass arbitrary interstitial using HTTP auth dialog-2016-10-02
539908Heap-use-after-free in blink::RejectedPromises::processQueueNow-2016-10-02
539875Security: Symbols ignored in Object.{freeze, seal, isFrozen, isSealed}()-2016-10-02
539691Heap-buffer-overflow in SkBlitter::blitMask-2016-10-02
541415Security: URL Spoofing when victim tries to access another website from attacker's page.$5002016-10-02
541206Security: Universal XSS using document.adoptNode$7,5002016-10-02
539563Heap-buffer-overflow in net::HpackEncoder::EncodeHeaderSet-2016-10-02
538952Bad-cast to Profile from invalid vptr;chrome_extensions_network_delegate.cc:38:22-2016-10-02
537666Remove references to unloadEvent in runtime_custom_bindings.js-2016-10-02
538256Heap-use-after-free in blink::FrameLoaderClientImpl::dispatchDidFinishDocumentLoad-2016-10-02
538257Crash in v8::internal::FlexibleBodyVisitor<v8::internal::MarkCompactMarkingVisitor,v8::in-2016-10-02
537823Security: The password manager can be tricked to put one site's saved credential's into another's with HTTP auth-2016-10-02
537205Security: Crazy Linker on Android allows modification of Chrome APK without breaking signature$1,0002016-10-02
536917Heap-use-after-free in blink::RadioInputType::didDispatchClick-2016-10-02
537656Heap-use-after-free in blink::ShapeOutsideInfo::isEnabledFor-2016-10-02
537173Security: PureCall on CPWL_Edit::OnKillFocus$3,0002016-10-02
537660Remove stash_client.js dependency on unload_event-2016-10-02
537658Remove extension dependencies on unload_event.js-2016-10-02
536601Crash in ff_sbr_hf_apply_noise_3_sse2-2016-10-02
536231Heap-double-free in v8::internal::ArrayBufferTracker::FreeDead-2016-10-02
535605heap-use-after-free in AudioOutputDevice-2016-10-02
536701Chrome mobile for iOS thinks JavaScript redirects are a form of certificate spoofing of trusted domains$5002016-10-02
536652Security: Disrupting the omnibox from the attacker's website.$1,0002016-10-02
536640Heap-use-after-free in blink::InlineTextBox::selectionState-2016-10-02
534994Heap-use-after-free in extensions::BookmarkAppHelper::OnBubbleCompleted-2016-10-02
534923Security: Universal XSS via the unload_event module$7,5002016-10-02
534992Heap-use-after-free in blink::TimerBase::stop-2016-10-02
534993Heap-use-after-free in blink::CSSImageSetValue::valueWithURLsMadeAbsolute-2016-10-02
555784Heap-buffer-overflow in CCodec_RLScanlineDecoder::v_GetNextLine-2016-10-02
555575Heap-use-after-free in webrtc::PeerConnection::OnSessionStateChange-2016-10-02
555544crash in SkSweepGradient::SweepGradientContext::shadeSpan$2,0002016-10-02
554648Factory reset can be performed when it should be disallowed.-2016-10-02
554172Heap-buffer-overflow in opj_jp2_apply_pclr-2016-10-02
554151Heap-buffer-overflow in CPDF_DIBSource::DownSampleScanline32Bit-2016-10-02
554129Heap-buffer-overflow in opj_j2k_read_mcc-2016-10-02
554115Heap-buffer-overflow in CPDF_TextObject::CalcPositionData-2016-10-02
554946Security: Pwn2Own mobile case, out-of-bound access in json stringifier$7,5002016-10-02
554908Security: AppCacheDispatcherHost UaF with host transfer$10,0002016-10-02
554099Crash in v8::internal::StaticMarkingVisitor<v8::internal::IncrementalMarkingMarkingVisito-2016-10-02
553050Heap-use-after-free in blink::PartPainter::isSelected-2016-10-02
553054Heap-use-after-free in blink::V8SVGMatrix::visitDOMWrapper-2016-10-02
552870ASSERTION FAILED: index < arraySize-2016-10-02
553049Use-of-uninitialized-value in blink::LayoutObject::findNextLayer-2016-10-02
552749window.crypto.getRandomValues() uses a weak CSPRNG$5002016-10-02
553048Heap-use-after-free in blink::LayoutBlock::removeChild$3,5002016-10-02
552448Security: PDFium: XFA: UAF in CXFA_PDFFontMgr::~CXFA_PDFFontMgr()-2016-10-02
552046Heap-buffer-overflow in CPDF_DIBSource::GetScanline-2016-10-02
551503Heap-buffer-overflow in cff_get_glyph_name-2016-10-02
551470Heap-buffer-overflow in opj_t2_read_packet_header-2016-10-02
551460Stack-buffer-overflow in CPDF_Function::Call-2016-10-02
551116chrome crash during dark resume leaves zombie processes, reparented to init, which makes new chrome instance unusable.-2016-10-02
551044Security: AppCacheUpdateJob accesses map::end()$11,3372016-10-02
551028FreeType : pick up post-2.6.1 patches (or 2.6.2 when it's out)-2016-10-02
550972Security: app_mode_loader not signed on OSX-2016-10-02
551288Crash in v8::internal::Heap::DoScavenge-2016-10-02
550629Heap-use-after-free in content::RenderMessageFilter::OnKeygen-2016-10-02
551143Heap-use-after-free in content::BindWebGraphicsContext3DGLContextCallback-2016-10-02
550632Use-after-poison in blink::WorkerWebSocketChannel::Bridge::traceImpl<blink::InlinedGlobalMarkingVisi$3,5002016-10-02
549155Use-of-uninitialized-value in filter8-2016-10-02
550047Security: Inline extension installation dialog doesn't block and persists after redirect$1,0002016-10-02
546849ASSERTION FAILED: !object || (object->isBox())-2016-10-02
546848ASSERTION FAILED: !m_pendingInOrderScripts.isEmpty()-2016-10-02
546846Heap-use-after-free in views::NativeWidgetAura::ShouldDescendIntoChildForEventHandling-2016-10-02
546545Security: Universal XSS using plugin objects$7,5002016-10-02
545520Heap-buffer-overflow in blink::MarkupFormatter::appendCharactersReplacingEntities-2016-10-02
567688Vulnerability reported in dev-libs/openssl-2016-10-02
567445Security: URL Spoofing with HTTPS lock$1,0002016-10-02
566156Security: QUIC may send requests (including cookies) in the clear-2016-10-02
566142Heap-use-after-free in blink::WebLocalFrameImpl::didFail-2016-10-02
566231Security: chromeos-base/chromeos-ca-certificates is out of date-2016-10-02
565760Security: Drop-downs hiding any part of the browser UI, allowing for several types of spoof attacks$3,1332016-10-02
565543Privileged installer directory is writeable by lower privileged users-2016-10-02
565967Heap-use-after-free in webrtc::VCMGenericDecoder::Release-2016-10-02
565416Security: OpenSSL 1.0.2e fixes-2016-10-02
565048Heap-use-after-free in webrtc::DataChannel::UpdateState-2016-10-02
565046Crash in v8::internal::RootMarkingVisitor::MarkObjectByPointer-2016-10-02
565023Security: Google Chrome: Privilege Escalation from Renderer Process to Browser Process-2016-10-02
564501Security: UAF in MidiHost (Sandbox escape)-2016-10-02
564238Security: Windows Image Sections Allow Mapping Arbitrary Executable Memory into More Privileged Processes-2016-10-02
563964Security: GPU process to privileged renderer IPC bug?-2016-10-02
565049Heap-use-after-free in blink::FrameSelection::notifyLayoutObjectOfSelectionChange-2016-10-02
562986Heap-use-after-free in blink::FrameLoader::init-2016-10-02
562984Use-of-uninitialized-value in blink::CachingWordShapeIterator::nextWord-2016-10-02
561972Crash in v8::internal::HeapObject::VerifyHeapPointer-2016-10-02
563688Security: Code Review Clickjacking-2016-10-02
562208Heap-use-after-free in blink::LayoutBoxModelObject::hasSelfPaintingLayer-2016-10-02
561497Heap-use-after-free in content::VideoCaptureController::RemoveClient-2016-10-02
561505Global-buffer-overflow in blink::getPropertyName-2016-10-02
561869Bad-cast to blink::StaticBitmapImage from blink::BitmapImage;ImageBitmap.cpp:51:25-2016-10-02
561488Heap-buffer-overflow in blink::appendCharactersReplacingEntitiesInternal<unsigned char const >-2016-10-02
561478Heap-use-after-free in FT_Stream_ReleaseFrame-2016-10-02
560480Global-buffer-overflow in blink::getPropertyName-2016-10-02
560291Security: security vulnerabilities in libpng (CVE-2015-7981, CVE-2015-8126)$5002016-10-02
561492Heap-use-after-free in blink::PlatformEventDispatcher::notifyControllers-2016-10-02
559528Heap-use-after-free in blink::LayoutTextFragment::setTextFragment-2016-10-02
559515Security: Bypass to Multiple Files dialog allows for system crash or disk exhaustion-2016-10-02
560011Security: Universal XSS using widget updates in ContainerNode::parserRemoveChild$8,0002016-10-02
559292Security: heap-use-after-free in blink::ScopedStyleResolver::collectMatchingAuthorRules$3,0002016-10-02
559075Vulnerability reported in net-misc/strongswan-2016-10-02
559541Flash: Uninitialized variable in DateObject::_toString can cause memory corruption$5,0002016-10-02
559310Security: SharedWorkerDevToolsAgentHost UAF (sandbox escape)-2016-10-02
558589Security: AppCacheUpdateJob UaF$10,0002016-10-02
557981Security: heap-use-after-free in blink::MutationObserver::enqueueMutationRecord$2,0002016-10-02
557806Heap-use-after-free: text-transform CSS property breaks document life time cycle-2016-10-02
557802Bad-cast to blink::HTMLOptionElement from blink::HTMLOptGroupElement;Element.h:704:12-2016-10-02
558840Crash in NULL@0x...40-2016-10-02
557799Crash in Init-2016-10-02
557797Heap-use-after-free in I422ToARGBRow_Any_SSSE3-2016-10-02
557223Pdfium heap-buffer-overflow in sycc422_to_rgb$5002016-10-02
556725Investigate legality of call to ContextGL in RenderThreadImpl::SharedWorkerContextProvider-2016-10-02
556724Security: Universal XSS via persistence of subframes$8,0002016-10-02
557800Heap-use-after-free in autofill::FormStructure::ParseQueryResponse-2016-10-02
556351Crash in password_manager::ContentPasswordManagerDriver::OnPasswordFormsParsed-2016-10-02
556584Heap-use-after-free in content::MemoryMessageFilter::OnChannelClosing-2016-10-02
574802ASSERTION FAILED: index < arraySize$3,0002016-10-02
574114Use-of-uninitialized-value in S32A_Opaque_BlitRow32_SSE4$1,0002016-10-02
573332Heap-buffer-overflow in xmlParseXMLDecl-2016-10-02
573317UX and Extensions API confusion when file: URLs have hostnames$5002016-10-02
573284Heap-buffer-overflow in blink::TimerBase::stop$3,5002016-10-02
573281Heap-use-after-free in blink::InlineWalker::InlineWalker-2016-10-02
572871Security: PureCall on CPWL_Edit::OnKillFocus$3,0002016-10-02
573886Heap-use-after-free in extensions::MimeHandlerViewContainer::DidFinishLoading-2016-10-02
572409Crash in v8::internal::InnerPointerToCodeCache::GcSafeFindCodeForInnerPointer-2016-10-02
572408Use-of-uninitialized-value in v8::internal::compiler::VirtualState::MergeFrom-2016-10-02
572407Heap-use-after-free in blink::Node::assignedSlot-2016-10-02
572406Use-of-uninitialized-value in winding_mono_conic-2016-10-02
572404Heap-use-after-free in ash::WindowSelector::ContentsChanged$1,0002016-10-02
572537Security: heap-use-after-free in blink::NodeIteratorBase::root$3,0002016-10-02
572403Heap-buffer-overflow in SkARGB32_Opaque_Blitter::blitAntiH2-2016-10-02
572398Heap-use-after-free in content::WebMediaPlayerMSCompositor::StopRenderingInternal-2016-10-02
572224UNKNOWN in extensions::WebrtcAudioPrivateFunction::CalculateHMACImpl$1,0002016-10-02
571480ZDI-CAN-3447: New Vulnerability Report Google Chrome Pdfium JPEG2000 Out-Of-Bounds Read Remote Code Execution Vulnerability-2016-10-02
571479ZDI-CAN-3432: New Vulnerability Report-2016-10-02
571121Security: Devtools loads any URL with remoteBase parameter-2016-10-02
571617Security: dev-tools: URIs can be copy&paste'd-2016-10-02
570750Security: Android Chrome download files into arbitrary sdcard directory$5002016-10-02
570618Vulnerability reported in dev-libs/libxml2-2016-10-02
570561Bad-cast to const blink::LayoutBox from blink::LayoutInline;LayoutBox.h:1001:1-2016-10-02
570427UaF in blink::SearchInputType::didSetValueByUserEdit-2016-10-02
570262Crash in v8::internal::Invoke-2016-10-02
571119Security: Extensions can open privileged URLs using tabs URL-2016-10-02
570261Heap-buffer-overflow in sctp_setopt-2016-10-02
570255Heap-buffer-overflow: LayoutObject should have height even if it is placed very far place-2016-10-02
570241Stack-buffer-underflow in v8::internal::QuickCheckDetails::Advance-2016-10-02
569956ASSERTION FAILED: !object || (object->isBox())-2016-10-02
569940Stack-buffer-underflow in v8::internal::Trace::AdvanceCurrentPositionInTrace-2016-10-02
569496Security: Universal XSS using Flash message loop$7,5002016-10-02
569420Heap-use-after-free in cricket::ChannelManager::RemoveVideoRenderer-2016-10-02
569170Heap-use-after-free in blink::ColorInputType::didChooseColor-2016-10-02
569043onmouseenter/leave + ES6 on window leaks functions between origins-2016-10-02
568889Stack-buffer-overflow in WebRtcIlbcfix_CreateAugmentedVec-2016-10-02
568885Stack-buffer-overflow in WebRtcSpl_ElementwiseVectorMult-2016-10-02
569284Heap-use-after-free in blink::Node::assignedSlot-2016-10-02
568796Use-after-poison in blink::OfflineAudioContext::resolveSuspendOnMainThread-2016-10-02
568745Use-of-uninitialized-value in void base::Pickle::WriteBytesStatic<4ul>-2016-10-02
568742Heap-buffer-overflow in gpu::gles2::GLES2Implementation::TexImage2D-2016-10-02
568741Use-of-uninitialized-value in re2::NFA::AddToThreadq-2016-10-02
568433Heap-use-after-free in content::IndexedDBBackingStore::Transaction::ChainedBlobWriterImpl::ReportWriteC$5,5002016-10-02
567956adobe.com is (incorrectly) reporting out of date Flash plugin-2016-10-02
568797Heap-use-after-free in content::RenderWidgetHostImpl::ScheduleComposite-2016-10-02
568744Heap-use-after-free in blink::ShapeOutsideInfo::isEnabledFor-2016-10-02
584223Heap-buffer-overflow in cmsDupNamedColorList-2016-10-02
584185Security: Heap-use-after-free in blink::LayoutObject::parent-2016-10-02
583563Heap-buffer-overflow in ConvertWOFF2ToTTF$1,0002016-10-02
583445UXSS in DocumentLoader::createWriterFor-2016-10-02
583354Crash in ff_get_qtpalette-2016-10-02
583171Security: Memory leak in libxslt$1,0002016-10-02
583156Security: Type confusion and UAF in libxslt$1,0002016-10-02
583718Heap-use-after-free in favicon::FaviconDriverImpl::DidDownloadFavicon$5002016-10-02
584155Security: General bypass of SRI validation for subresources located on the same origin$2,0002016-10-02
583607Security: Buffer overflow in Brotli decompression$1,0002016-10-02
582716Heap-buffer-overflow in vp9_update_noise_estimate-2016-10-02
582721Use-of-uninitialized-value in SkUnPreMultiply::PMColorToColor-2016-10-02
582713Use-after-poison in blink::WebGLObject::detach-2016-10-02
583039Use-of-uninitialized-value in xmlCurrentChar-2016-10-02
583041Use-of-uninitialized-value in xmlNextChar-2016-10-02
582705Negative-size-param in SkRBufferWithSizeCheck::read-2016-10-02
582703Crash in v8::internal::Runtime_FunctionGetScript-2016-10-02
582710Bad-cast to blink::ContextLifecycleObserver from invalid vptr;DOMTimer.cpp:140:9-2016-10-02
582701Crash in blink::AudioParamTimeline::valuesForFrameRangeImpl-2016-10-02
582700Bad-cast to blink::LayoutBox from blink::LayoutInline;LayoutBox.h:1001:1-2016-10-02
582699Crash (assert) in blink::AudioDelayDSPKernel::process$1,5002016-10-02
582707Crash in chrome-2016-10-02
582706ASSERTION FAILED: !object || (object->isLayoutBlock())-2016-10-02
582702Crash in v8::internal::compiler::InstructionSequence::GetRepresentation-2016-10-02
582695Heap-buffer-overflow in gpu::gles2::GLES2Implementation::TexImage2D-2016-10-02
582480Use-of-uninitialized-value in icuLikeCompare-2016-10-02
582471Use-of-uninitialized-value in WebRtcIsac_DecLogisticMulti2-2016-10-02
582470Use-of-uninitialized-value in icu_54::RegexCompile::doParseActions-2016-10-02
582211With --site-per-process, body of POST request is not delivered to XSSAuditor-2016-10-02
582698ASSERTION FAILED: !object || (object->isTableRow())-2016-10-02
582697ASSERTION FAILED: !object || (object->isBox())-2016-10-02
581905Use-of-uninitialized-value in xmlGROW-2016-10-02
582008Heap-use-after-free when a content script synchronously removes a frame at document_start or document_end$1,5002016-10-02
581839Use-of-uninitialized-value in xmlParserPrintFileContextInternal-2016-10-02
581836Use-of-uninitialized-value in xmlParseComment-2016-10-02
581294Vulnerability reported in libpng-2016-10-02
581908Security: Master tracking bug for chrome issue tracker libvpx fixes (January 2016)-2016-10-02
581901Use-of-uninitialized-value in WebRtcIsacfix_AllpassFilter2FixDec16C-2016-10-02
578193Heap-buffer-overflow in webrtc::VP9EncoderImpl::GetEncodedLayerFrame-2016-10-02
577105Security: Universal XSS by circumventing the unload event$7,5002016-10-02
579801Security: CSP isn't applied to Service Workers in Chrome$1,0002016-10-02
577970ClientSideDetectionHost::OnPhishingDetectionDone never get called-2016-10-02
580181Security: Reproducible tab crash when opening inspector due to DOM object corruption via marquee tag in svg-2016-10-02
576867Security: Google Chrome <any version> Extensions Web Accessible Resources Bypass$5002016-10-02
576383Security: UaF in MidiHost round 2 (JS -> Browser code execution)-2016-10-02
575220Heap-buffer-overflows in sqlite3 when REGEXP keyword is used-2016-10-02
575206Heap-buffer-overflow in icu_54::RegexCompile::nextCharLL-2016-10-02
575205Heap-buffer-overflow in icuLikeCompare (called from sqlite3_step)-2016-10-02
576910Crash in SkRBufferWithSizeCheck::read-2016-10-02
576908Heap-buffer-overflow in SkPaint::unflatten-2016-10-02
590118Security: Universal XSS using an intercepted native function$7,5002016-10-02
589848Heap-use-after-free in FT_New_Size$3,0002016-10-02
589838Security: type confusion in blink::BaseButtonInputType::valueAttributeChanged$5,0002016-10-02
589792Security: [v8] Out of bound(??) memory write with asm.js$5,0002016-10-02
589512Use-of-uninitialized-value in ebml_read_num$1,5002016-10-02
589237Security: HTTP 302 can navigate to non-web-accessible chrome-extension:// URIs-2016-10-02
589186Security: use after free in memory-only disk cache-2016-10-02
590247Security: use-after-poison in blink::PersistentBase with FileSystemSync in a Shared Worker$3,5002016-10-02
590284Security: RWHI UaF from bad fullscreen widget routing id$10,5002016-10-02
588711Security: chrome canary chrome_child!blink::LayoutTableSection::layout UAF bug-2016-10-02
588566Crash in blink::DocumentThreadableLoader::cancelWithError-2016-10-02
588862Security: kernel CVE-2016-2384: arbitrary code execution due to a double-free in the usb-midi linux kernel driver-2016-10-02
588552Heap-use-after-free in blink::DepthOrderedLayoutObjectList::ordered-2016-10-02
588550Heap-use-after-free in blink::CanvasAsyncBlobCreator::createBlobAndCall$3,5002016-10-02
588548LayoutText::setTextWithOffset() should handle ::first-letter-2016-10-02
587897Update libxml to 2.9.3 or latest-2016-10-02
587852Use-of-uninitialized-value in WebRtcIsac_DecLogisticMulti2-2016-10-02
588200Global-buffer-overflow in XFA_FM_KeywordToString-2016-10-02
587227ZDI-CAN-3563: New Vulnerability Report-2016-10-02
586798Heap-use-after-free in ASN1_STRING_free-2016-10-02
586820Security: Timing attack on SVG feComposite filter circumvents same-origin policy-2016-10-02
586765Security: ASSERTION FAILED: obj->isLayoutInline() || obj == this in blink::LayoutBlockFlow::createLineBoxes-2016-10-02
586800Use-of-uninitialized-value in lh_retrieve-2016-10-02
586657Directory traversal on file:// via escaped slashes$5002016-10-02
586494Security: heap-use-after-free in blink::LayoutObject::parent-2016-10-02
586722Heap-use-after-free in blink::LayoutObject::markContainerChainForPaintInvalidation-2016-10-02
586720Heap-use-after-free in blink::InlineFlowBox::addToLine$3,5002016-10-02
586721Heap-use-after-free in blink::PaintArtifact::appendToWebDisplayItemList-2016-10-02
586079Heap-buffer-overflow in sqlite3VdbeMemSetStr-2016-10-02
585707Heap-use-after-free in media::GpuMemoryBufferVideoFramePool::PoolImpl::GetOrCreateFrameResources-2016-10-02
585704Bad-cast to blink::LayoutBox from blink::LayoutInline;LayoutBox.h:1045:1-2016-10-02
586266Security: heap-use-after-free in blink::LayoutObject::LayoutObjectBitfields::selfNeedsLayout$3,0002016-10-02
585698Use-of-uninitialized-value in SkUnPreMultiply::PMColorToColor-2016-10-02
585701LayoutText::previousOffsetForBackwardDeletion() should consider first-letter-2016-10-02
585595Heap-use-after-free in scheduler::internal::TaskQueueImpl::GetTimeDomain-2016-10-02
585282Restricted web APIs can easily be accessed from Chrome apps$1,0002016-10-02
585268Heap-use-after-free in LoadWatcher::CallbackAndDie (chrome.app.window.create)$2,0002016-10-02
585699Use-of-uninitialized-value in blink::LayoutObject::containingBlock-2016-10-02
585658Security: Upstream bug reported in NSS-2016-10-02
595656Crash in v8::internal::InnerPointerToCodeCache::GcSafeFindCodeForInnerPointer$3,5002016-10-02
595836libANGLE buffer-overflow (part of pwn2own exploit)-2016-10-02
595514Security: Navigating to "chrome://" URLs inside pdf (iOS)$5002016-10-02
595339Security: Navigating to "chrome://" URLs and "file://" URLs via window.open()$5002016-10-02
595262Heap-buffer-overflow in xmlParseEndTag2-2016-10-02
595259Crash in v8::internal::StackFrameIterator::StackFrameIterator$3,5002016-10-02
594958Crash in v8::internal::MarkCompactMarkingVisitor::MarkObjectByPointer-2016-10-02
594574Security: v8 Array.concat OOB access writeup$7,5002016-10-02
594512Use-of-uninitialized-value in Decode-2016-10-02
594383Security: UXSS via window.open() via file:// pages$3,0002016-10-02
593759Security: Proxy Auto-Config SSL/TLS Url Disclosure$5002016-10-02
593690Use-of-uninitialized-value in xmlParseEndTag2-2016-10-02
594120Heap-use-after-free in FXJS_GetPrivate$5,0002016-10-02
592956Security: XSS on NTP-2016-10-02
591785ZDI-CAN-3594: New Vulnerability Report-2016-10-02
592361Use-of-uninitialized-value in v8::InstantiateModuleFromAsm-2016-10-02
590882Chrome: Crash Report - gfx::Image::ToImageSkia-2016-10-02
590801Use-of-uninitialized-value in blink::CSSParserToken::operator==-2016-10-02
590620Heap-use-after-free in blink::FrameView::performLayout$3,5002016-10-02
590619Container-overflow in blink::HTMLMenuItemElement::defaultEventHandler-2016-10-02
591402Tracking bug for internal fixes: Chrome M49, release 0-2016-10-02
590832Security: Lazy bailout from TurboFan after CompareIC is wrong-2016-10-02
590615Heap-buffer-overflow in i2c_ASN1_INTEGER-2016-10-02
590610Bad-cast to const blink::WebPasswordCredential from blink::WebCredential;credential_manager_content_utils.cc:26:9-2016-10-02
601801Security: Unsigned wraparound in a multiply in kbasep_vinstr_attach_client leads to a heap overflow.-2016-10-02
601737content/ should destroy ImageDownloaderImpl() before shutting down Blink-2016-10-02
601706Security: Universal XSS using a flaw in the load deferral logic$7,5002016-10-02
601629Security: Read access violation on same-origin, cross-process frames$3,0002016-10-02
601362Security: PDFium Out-of-Bounds Read in CFX_FaceCache::RenderGlyph$1,0002016-10-02
602046ZDI-CAN-3655: Google Chrome PDFium JPEG Out-Of-Bounds Read Information Disclosure Vulnerability-2016-10-02
600977Use-of-uninitialized-value in webrtc::RTCPReceiver::HandleRPSI-2016-10-02
601234Security: SDCH Get-Dictionary follows cross-domain redirects-2016-10-02
600777Security: Merge bug for pdfium:419-2016-10-02
600735Heap-use-after-free in blink::LayoutObject::isAnonymousBlock-2016-10-02
600953Global-buffer-overflow in WebRtcIsacfix_PitchFilterCore-2016-10-02
600182Security: Universal XSS using deferred history loads$7,5002016-10-02
600671Use-of-uninitialized-value in base::Pickle::WriteData-2016-10-02
| 599861 | Heap-use-after-free in blink::PaintLayer::removeChild | - | 2016-10-02 |
| 599855 | Use-of-uninitialized-value in blink::PaintLayerScrollableArea::invalidateAllStickyConstraints | - | 2016-10-02 |
| 599854 | Crash in sk_ssse3::blit_mask_d32_a8 | - | 2016-10-02 |
| 599849 | Heap-use-after-free in blink::LayoutBoxModelObject::invalidateStickyConstraints | $3,500 | 2016-10-02 |
| 599846 | Heap-buffer-overflow in media::AudioBuffer::ReadFrames | - | 2016-10-02 |
| 599866 | Heap-use-after-free LayoutBoxModelObject::continuation() (NO STACK) | - | 2016-10-02 |
| 599627 | Bad-cast to blink::LayoutBlock from blink::LayoutTableRow;LayoutBlock.h:515:1 | - | 2016-10-02 |
| 599625 | Heap-buffer-overflow in media::AudioBus::AudioBus | - | 2016-10-02 |
| 599458 | Use-of-uninitialized-value in sk_sse41::blit_row_s32a_opaque | - | 2016-10-02 |
| 599409 | Crash in v8::internal::Invoke | - | 2016-10-02 |
| 599081 | Security: GPU process BufferManager double-reads | - | 2016-10-02 |
| 599003 | RUNTIME_ASSERT in map->IsMap() in src/heap/spaces.cc | - | 2016-10-02 |
| 598848 | Crash in SkResizeFilter::computeFilters | - | 2016-10-02 |
| 598752 | kMainSRTDownloadURL is HTTP | $500 | 2016-10-02 |
| 598312 | Security: ChromeOS accepts ICMP redirects | - | 2016-10-02 |
| 598077 | Cross-Origin CSS Attack with Service Worker | $500 | 2016-10-02 |
| 598047 | Address bar not updated when returning from network error page. | - | 2016-10-02 |
| 597636 | Security: Possible double-reads in GPU command buffer code. | - | 2016-10-02 |
| 597625 | Security: GPU process MailboxManagerImpl double-reads | - | 2016-10-02 |
| 598165 | Security: Universal XSS via the interception of \|Binding\| with Object.prototype.create | $7,500 | 2016-10-02 |
| 597926 | Heap-buffer-overflow in SkOpContour::operand | $500 | 2016-10-02 |
| 597333 | CVE-2015-1805 Linux kernel: pipe: iovec overrun leading to memory corruption | - | 2016-10-02 |
| 596862 | Security: Block GPU Process Opening Renderer Processes | - | 2016-10-02 |
| 597518 | Tracking bug for internal fixes: Chrome M49, release 2 | - | 2016-10-02 |
| 597322 | Security: URL spoof + iframe spoof | $1,000 | 2016-10-02 |
| 597532 | Security: Universal XSS using a FrameNavigationDisabler bypass | $7,500 | 2016-10-02 |
| 606390 | Security: V8ValueConverter::ToV8Value is insecure (e.g. heap-use-after-free in MimeHandlerViewContainer::PostMessage | $3,500 | 2016-10-02 |
| 606185 | Heap-buffer-overflow in CopyAlphaChannelIntoVideoFrame | $1,000 | 2016-10-02 |
| 606181 | Security: Due to out of index of 'Node' object , attacker can control all contents of 'Node' object | $1,000 | 2016-10-02 |
| 606115 | Security: Use After Free in RegExp of V8 | $3,000 | 2016-10-02 |
| 605491 | Use-of-uninitialized-value in CPDF_TextPage::PreMarkedContent | - | 2016-10-02 |
| 605488 | Bad-cast to v8::internal::AstNode from invalid vptr;wasm-js.cc:138:7 | - | 2016-10-02 |
| 605480 | Heap-use-after-free in base::trace_event::BlameContext::Enter | - | 2016-10-02 |
| 605910 | Security: Universal XSS using iterables | $7,500 | 2016-10-02 |
| 605766 | Security: Universal XSS through adopting image elements | $8,000 | 2016-10-02 |
| 605470 | Crash in v8::internal::Invoke | $3,500 | 2016-10-02 |
| 605476 | Heap-use-after-free in extensions::ExtensionKeybindingRegistry::IsAcceleratorRegistered | - | 2016-10-02 |
| 604901 | Security: Persistent UXSS via SchemaRegistry | $7,500 | 2016-10-02 |
| 605474 | Bad-cast to net::QuicSpdySession from net::QuicSession;quic_spdy_stream.cc:41:3 | - | 2016-10-02 |
| 605451 | CSP 'referrer' directive ignored for preload requests | $500 | 2016-10-02 |
| 604897 | Compiled regexps execute incorrectly on function source strings | $1,000 | 2016-10-02 |
| 603748 | Security: Leak of extension privates via utils module | $1,000 | 2016-10-02 |
| 603725 | Security: Web pages can load arbitrary extension modules | $4,000 | 2016-10-02 |
| 603682 | Pinned TLS public keys (HPKP) evicted after clearing cache | $500 | 2016-10-02 |
| 603518 | Security: PDFium Out-of-Bounds Read in CPDF_DeviceCS::TranslateImageLine | $1,000 | 2016-10-02 |
| 603732 | Security: Heap-use-after-free via GCCallback | $3,000 | 2016-10-02 |
| 602970 | Security: type confusion lead to information leak in decodeURI | $7,500 | 2016-10-02 |
| 602975 | Use-of-uninitialized-value in woff2::ConvertWOFF2ToTTF | - | 2016-10-02 |
| 602697 | Tracking bug for internal fixes: Chrome M50, release 0 | - | 2016-10-02 |
| 602273 | Use-after-poison in blink::MediaStreamSource::setReadyState | - | 2016-10-02 |
| 602185 | Heap-buffer-overflow in fixup_vorbis_headers | - | 2016-10-02 |
| 602271 | Heap-use-after-free in blink::LayoutListItem::updateMarkerLocation | - | 2016-10-02 |
| 612364 | Security: Heap buffer overflow from unchecked length in mojo::edk::ports::Message::Parse | - | 2016-10-02 |
| 612132 | Security: Bypass CORS check by reopening XHRs | - | 2016-10-02 |
| 612023 | Heap-buffer-overflow in setup_frame_size_with_refs | - | 2016-10-02 |
| 612021 | Undefined-shift in vp9_parse_superframe_index | - | 2016-10-02 |
| 611887 | Security: Multiple vulnerabilities in mojo channel implementation | - | 2016-10-02 |
| 612049 | Heap-use-after-free in content::MediaStreamVideoSource::RemoveTrack | - | 2016-10-02 |
| 611352 | Heap-use-after-free in CFX_StringDataTemplate<wchar_t>::Retain() | $3,500 | 2016-10-02 |
| 610990 | Heap-use-after-free in blink::LayoutImage::styleDidChange | - | 2016-10-02 |
| 610989 | Heap-use-after-free in content::PermissionServiceImpl::CancelPendingOperations | - | 2016-10-02 |
| 610987 | Heap-use-after-free in v8::Isolate::VisitHandlesWithClassIds | $3,500 | 2016-10-02 |
| 610985 | Heap-use-after-free in blink::LayoutTextFragment::setTextFragment | - | 2016-10-02 |
| 610979 | Heap-use-after-free in blink::PrintContext::pageNumberForElement | - | 2016-10-02 |
| 610973 | Heap-use-after-free in std::__1::__tree_const_iterator<std::__1::__value_type<CFX_ByteString, CPDF_Obje | - | 2016-10-02 |
| 611782 | Heap-buffer-overflow in ReadScalar<unsigned | - | 2016-10-02 |
| 610966 | Heap-use-after-free in v8::internal::ElementsAccessorBase<v8::internal::TypedElementsAccessor< | - | 2016-10-02 |
| 610799 | Heap use after free in WorkerTarget::~WorkerTarget | - | 2016-10-02 |
| 610645 | Heap-buffer-overflow in SkAAClipBlitter::blitMask | - | 2016-10-02 |
| 610643 | Heap-use-after-free in blink::DeferredTaskHandler::handleDirtyAudioNodeOutputs | $3,500 | 2016-10-02 |
| 610600 | sandbox escape using ppapi broker | $15,000 | 2016-10-02 |
| 610646 | Bad-cast to const blink::WebPasswordCredential from blink::WebCredential;type_converters.cc:87:9 | - | 2016-10-02 |
| 610400 | Security: Bypass CORS using XHR and service workers | - | 2016-10-02 |
| 610441 | Security: Upgrade-Insecure-Requests does not perform Navigational Upgrades | - | 2016-10-02 |
| 610337 | Heap-buffer-overflow in epoll_add | - | 2016-10-02 |
| 609286 | extensions can bypass native messaging origin whitelisting | - | 2016-10-02 |
| 609260 | Security: heap-buffer-overflow in SkRegion::RunHead::findScanline | $1,000 | 2016-10-02 |
| 609134 | Crash in v8::Object::FindInstanceInPrototypeChain | - | 2016-10-02 |
| 609097 | Use-of-uninitialized-value in DetermineTextLanguage | - | 2016-10-02 |
| 608817 | Heap-use-after-free in blink::LayoutObject::containingBlock | $3,500 | 2016-10-02 |
| 608156 | Security: Heap-use-after-free in MessagingBindings::DispatchOnConnect | - | 2016-10-02 |
| 608104 | Security: Heap-use-after-free in RuntimeCustomBindings::GetExtensionViews | $1,500 | 2016-10-02 |
| 608101 | Security: Heap-use-after-free in autofill components | $1,000 | 2016-10-02 |
| 608100 | Security: Heap-use-after-free in AutofillAgent::FillFieldWithValue | $1,000 | 2016-10-02 |
| 607939 | Security: Devtools allows running privileged scripts via XSS on chrome-devtools-frontend.appspot.com | $3,500 | 2016-10-02 |
| 607921 | Security: Heap-use-after-free in ProfileInfoCache::SetAuthInfoOfProfileAtIndex | $1,000 | 2016-10-02 |
| 607722 | Heap-buffer-overflow in void v8::internal::String::WriteToFlat<unsigned short> | - | 2016-10-02 |
| 607721 | Use-of-uninitialized-value in woff2::ConvertWOFF2ToTTF | - | 2016-10-02 |
| 607652 | Tracking bug for internal fixes: Chrome M50, release 2 | - | 2016-10-02 |
| 607543 | An https iframe in an http page can use service worker | $1,000 | 2016-10-02 |
| 607483 | Security: Universal XSS converting IDL array/sequence values | - | 2016-10-02 |
| 618027 | Use-of-uninitialized-value in webrtc::H264::ParseRbsp | - | 2016-10-02 |
| 617997 | Crash in v8::internal::LargeObjectSpace::FindPage | - | 2016-10-02 |
| 618237 | Security: heap-use-after-free in getLineLayoutItem | $3,000 | 2016-10-02 |
| 617531 | Heap-buffer-overflow in webrtc::H264::ParseRbsp | - | 2016-10-02 |
| 617495 | Security: Universal XSS via same document navigations | $7,500 | 2016-10-02 |
| 617104 | Security: access-violation in blink::ScriptState::from | $1,000 | 2016-10-02 |
| 617635 | Crash in FixWinding | $3,500 | 2016-10-02 |
| 617536 | Use-of-uninitialized-value in webrtc::RtpDepacketizerH264::ProcessStapAOrSingleNalu | - | 2016-10-02 |
| 616970 | Heap-use-after-free in extensions::ExtensionKeybindingRegistry::IsAcceleratorRegistered | - | 2016-10-02 |
| 616488 | Security: web_accessible_resources can be bypassed when Chrome runs in a site isolation mode. | - | 2016-10-02 |
| 616386 | Security: Arbitrary Memory Read in v8 | $5,000 | 2016-10-02 |
| 616352 | Heap-buffer-overflow in blink::concatenateFamilyName | - | 2016-10-02 |
| 617097 | Heap-buffer-overflow in webrtc::RtpDepacketizerH264::ProcessStapAOrSingleNalu | - | 2016-10-02 |
| 615910 | upgrade-insecure-requests is not upgrading iframe sources | - | 2016-10-02 |
| 615820 | Heap-buffer-overflow in copy (in GURL::ReplaceComponents() ) | - | 2016-10-02 |
| 616119 | Heap-use-after-free in extensions::ConstructFileSystemList | - | 2016-10-02 |
| 614962 | AddressSanitizer: heap-buffer-overflow on address 0x7f4a13edc800 | $1,000 | 2016-10-02 |
| 614989 | Security: bypassing CORS by returning 308 for revalidating request for Resource previously without redirects from MemoryCache | - | 2016-10-02 |
| 614934 | Security: sfntly font parsing heap-buffer-overflow | $500 | 2016-10-02 |
| 614701 | Heap-buffer-overflow in setup_frame_size_with_refs | - | 2016-10-02 |
| 613915 | ASSERTION FAILED: i < m_len | - | 2016-10-02 |
| 613971 | Security: bypass CORS check by returning 304 from URL that previously returned 308 during revalidation from MemoryCache | - | 2016-10-02 |
| 613918 | Use-of-uninitialized-value in SkEvalCubicAt | - | 2016-10-02 |
| 614767 | Tracking bug for internal fixes: Chrome M51, release 0 | - | 2016-10-02 |
| 614405 | Security: update libxml to 2.9.4 | - | 2016-10-02 |
| 613905 | Crash in v8::base::NoBarrier_Load | - | 2016-10-02 |
| 613869 | Security: heap-use-after-free in blink::LayoutBox::shapeOutsideInfo | $3,000 | 2016-10-02 |
| 613698 | Security: mojo: Unchecked ports message payload lengths leading to buffer overflows and uafs | - | 2016-10-02 |
| 613626 | Credential Phishing via Transparent Authenticating Proxy Vector | $1,000 | 2016-10-02 |
| 613907 | Bad-cast to blink::LayoutObject from blink::PaintLayer;LayoutTableSection.cpp:831:18 | - | 2016-10-02 |
| 613607 | Global-buffer-overflow in XFA_GetMethodByName | - | 2016-10-02 |
| 613496 | Crash in v8::internal::Invoke | - | 2016-10-02 |
| 613488 | Crash in v8::internal::Invoke | - | 2016-10-02 |
| 613300 | Client-local parts of surface ID should be 64-bit and randomly generated | - | 2016-10-02 |
| 613266 | Security: Universal XSS via reentrancy in FrameLoader::startLoad | $7,500 | 2016-10-02 |
| 613160 | Security: Cisco Talos Security Advisory for Google chrome product - TALOS-CAN-0174 | $3,000 | 2016-10-02 |
| 612939 | Security: Wrong origin security indicators in Chrome Custom Tab | - | 2016-10-02 |
| 612613 | Security: Heap buffer overflows from unchecked payload_size in mojo::edj::BrokerHost::OnChannelMessage | - | 2016-10-02 |
| 612458 | Incorrect origin sent with message event in some cases | - | 2016-10-02 |
| 623186 | Crash in v8::internal::JavaScriptFrame::receiver | - | 2016-10-02 |
| 623193 | Stack-use-after-return in v8::internal::JsonStringifier::Result v8::internal::JsonStringifier::Serialize_< | - | 2016-10-02 |
| 623185 | Heap-buffer-overflow in content::WriteMemory | - | 2016-10-02 |
| 622522 | Security: unchecked size in mojo::Channel::Deserialize leads to memory corruption. | - | 2016-10-02 |
| 622351 | Bad-cast to v8::internal::PagedSpace from v8::internal::SemiSpace | - | 2016-10-02 |
| 622350 | Memcpy-param-overlap in CCodec_ProgressiveDecoder::GifReadMoreData | - | 2016-10-02 |
| 622664 | Stack-use-after-return in v8::internal::HandleBase::IsDereferenceAllowed | $3,500 | 2016-10-02 |
| 622183 | Security: Chrome Address Bar URL spoofing on IOS | $3,000 | 2016-10-02 |
| 621849 | Heap-use-after-free in cc::SurfaceManager::Destroy | - | 2016-10-02 |
| 621550 | Crash in v8::internal::StackTraceFrameIterator::Advance | - | 2016-10-02 |
| 621547 | Bad-cast to blink::BlobCallback from invalid vptr;void WTF::PartBoundFunctionImpl<;base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base::internal::RunnableAdapter<void | - | 2016-10-02 |
| 622344 | Use-of-uninitialized-value in blink::Font::canShapeWordByWord | - | 2016-10-02 |
| 621115 | Use-of-uninitialized-value in blink::Font::canShapeWordByWord | - | 2016-10-02 |
| 621111 | Fatal error in v8::internal::List<T, P>::Add() | - | 2016-10-02 |
| 620949 | Security: Adobe Flash PSDK.Object Use After Free | $5,000 | 2016-10-02 |
| 620766 | Heap-use-after-free in cc::DrawPolygon::Split | - | 2016-10-02 |
| 620758 | Heap-buffer-overflow in epoll_add | - | 2016-10-02 |
| 620754 | Use-after-poison in blink::CrossThreadPersistentRegion::prepareForThreadStateTermination | - | 2016-10-02 |
| 620750 | Crash in v8::internal::Heap::AllocateHeapNumber | - | 2016-10-02 |
| 620694 | Incorrect packet size check leads to heap-buffer-overflow in pseudotcp | - | 2016-10-02 |
| 620553 | Security: V8 OOB Read(?) in GC with Array Object. | $5,000 | 2016-10-02 |
| 620737 | Security: Chrome does not distinguish between http and https proxies when saving passwords | - | 2016-10-02 |
| 620277 | Security: heap buffer overflow when calling RtpHeader::Parse on untrusted data | - | 2016-10-02 |
| 619405 | Security: Heap Buffer Overflow in opj_j2k_read_SQcd_SQcc | $3,500 | 2016-10-02 |
| 619382 | Use-of-uninitialized-value in long v8::internal::Simulator::AddWithCarry<long> | - | 2016-10-02 |
| 619380 | Use-of-uninitialized-value in blink::FloatingObject::unsafeClone | - | 2016-10-02 |
| 619378 | Crash in Sk4px::Load4 | - | 2016-10-02 |
| 619373 | Use-after-poison in blink::CrossThreadPersistentRegion::prepareForThreadStateTermination | - | 2016-10-02 |
| 619372 | Heap-buffer-overflow in usrsctp_dumppacket | - | 2016-10-02 |
| 619371 | Crash in SkAutoCanvasMatrixPaint::SkAutoCanvasMatrixPaint | - | 2016-10-02 |
| 619355 | Security: XSS issue in Google Mail | - | 2016-10-02 |
| 619006 | Security: Information leak in xsltFormatNumberConversion (libxslt) | $1,500 | 2016-10-02 |
| 618625 | Security: TSAN: data race in media::FFmpegDemuxer::~FFmpegDemuxer | $2,000 | 2016-10-02 |
| 609042 | Heap-buffer-overflow in Read | - | 2016-10-02 |