Chromium Disclosed Security Bugs

Chromium security bugs are publicly disclosed by Google 14 weeks after they are fixed. They have great learning value, but it is difficult to keep track of exactly when each one is derestricted. This page is a hub for security bugs that have recently gone public.

Bugs can also be followed on Twitter: @BugsChromium or Mastodon.

Bugs disclosed in 2016

Bug ID  Summary  Reward (USD; "-" if none)  Disclosure date
645811 Crash in mojo::internal::Router::OnConnectionError - 2016-12-31
648031 Heap-use-after-free in pp::MacroExpander::expandMacro - 2016-12-31
647922 Crash in SuperBlitter::blitH - 2016-12-31
648935 Crash in FindBit - 2016-12-31
649826 Heap-use-after-free in CPDF_ViewerPreferences::IsDirectionR2L - 2016-12-31
622271 Security: Adobe Flash ContextMenu Use After Free $3000 2016-12-30
622634 Security: use-after-free vulnerability in flash player 22.0.0.192 $3000 2016-12-30
630544 Security: use-after-free vulnerability in flash player 22.0.0.209 $3000 2016-12-30
630547 Security: use-after-free vulnerability in Adobe flash player $3000 2016-12-30
640177 Security: use-after-free vulnerability in flash player latest version $3000 2016-12-30
647791 Heap-buffer-overflow in gpu::gles2::ShaderTranslator::Translate - 2016-12-30
648620 CRASH() writes to a fixed mappable address - 2016-12-30
649056 Assertion failed: !object || (object->isBox()) - 2016-12-30
649095 Bad-cast to blink::LayoutBox from blink::LayoutInline;blink::LayoutBox::firstChildBox;blink::ThemePainterDefault::setupMenuListArrow - 2016-12-30
649058 Use-of-uninitialized-value in blink::BoxPainter::paint - 2016-12-30
649599 Crash in blink::ThemePainterDefault::setupMenuListArrow - 2016-12-30
502871 Security: adobe flash NetStream.appendBytes ByteArray data Use-After-Free $3000 2016-12-29
646278 Security: Address Bar URL Spoofing $500 2016-12-29
648671 Bad-cast to webrtc::Module from webrtc::BitrateControllerImpl;webrtc::CongestionController::TimeUntilNextProcess;webrtc::ProcessThreadImpl::Process - 2016-12-29
647329 Use-after-poison in fuzz_wasm_section - 2016-12-28
645540 Update It2Me host to show confirmation prompt for incoming connections. - 2016-12-28
648373 Crash in v8::internal::SloppyArgumentsElementsAccessor<v8::internal::SlowSloppyArgumentsE - 2016-12-28
645028 Web accessible resources checks should work with blob: and filesystem: URLs that have chrome-extension:// inner URLs - 2016-12-27
647612 Heap-use-after-free in CPDF_RenderStatus::LoadSMask - 2016-12-27
647893 Use-of-uninitialized-value in CPDF_DIBSource::TranslateScanline24bpp - 2016-12-27
647683 Wrong security state when going back/forward after HTML5 history push - 2016-12-27
639750 XSS using Dropjacking - 2016-12-26
646351 Crash in v8::internal::SloppyArgumentsElementsAccessor<v8::internal::SlowSloppyArgumentsE - 2016-12-26
640233 Use-of-uninitialized-value in SkGradientShaderBase::SkGradientShaderBase - 2016-12-25
645729 Use-after-poison in blink::TimerBase::runInternal $3500 2016-12-25
646178 Heap-use-after-free in blink::ShapeOutsideInfo::isEnabledFor - 2016-12-25
647197 Heap-double-free in v8::internal::wasm::testing::InterpretWasmModule - 2016-12-24
647110 Heap-double-free in v8::internal::wasm::testing::InterpretWasmModule - 2016-12-24
647027 Heap-use-after-free in v8::internal::wasm::ThreadImpl::Execute - 2016-12-24
647481 Use-of-uninitialized-value in SkGradientShaderBase::SkGradientShaderBase - 2016-12-24
647267 Crash in blink::TopDocumentRootScrollerController::globalRootScroller - 2016-12-24
644674 Attempting free in void v8::internal::LocalArrayBufferTracker::Free< - 2016-12-23
647269 Bad-cast to blink::TopDocumentRootScrollerController from blink::RootScrollerController;blink::PaintLayerCompositor::updateClippingOnCompositorLayers;blink::PaintLayerCompositor::updateIfNeeded - 2016-12-23
646258 Crash in ReadUnalignedValue<int> - 2016-12-23
627399 Use-of-uninitialized-value in CCodec_TiffContext::Decode - 2016-12-22
621838 Memcpy-param-overlap in CCodec_ProgressiveDecoder::JpegReadMoreData - 2016-12-22
645745 Unable to block cookies $500 2016-12-22
646786 Use-of-uninitialized-value in SkMatrix44::computeTypeMask - 2016-12-22
646350 Heap-use-after-free in ash::WmWindowAura::StackChildAbove - 2016-12-22
641239 Use-of-uninitialized-value in blink::PointerEventManager::setPointerCapture - 2016-12-21
638159 Use-of-uninitialized-value in test_runner::MockWebSpeechRecognizer::PostRunTaskFromQueue - 2016-12-21
642070 Use-of-uninitialized-value in update_current_folder_get_info_cb - 2016-12-21
643939 Crash in v8::internal::Invoke - 2016-12-21
645839 Heap-use-after-free in cc::Scheduler::BeginImplFrameWithDeadline - 2016-12-21
644733 Heap-buffer-overflow in blink::LazyLineBreakIterator::nextBreakablePositionIgnoringNBSP - 2016-12-21
645777 Use-of-uninitialized-value in base::time_internal::SaturatedSub - 2016-12-20
645186 Memcpy-param-overlap in CCodec_ProgressiveDecoder::JpegReadMoreData - 2016-12-20
645201 Use-of-uninitialized-value in webrtc::PlayoutDelayLimits::Parse - 2016-12-19
645770 Heap-buffer-overflow in void std::vector<aura::Window*, std::allocator<aura::Window*> >::_M_insert_aux<a - 2016-12-18
644373 Security - Unexploitable: Integer Overflow in media::mp4::TrackRunIterator::Init leading to arbitrary size OOB read in an arbitrary offset from the buffer. - 2016-12-17
645034 Use-of-uninitialized-value in blink::TraceMethodDelegate<blink::PersistentBase<blink::DOMArrayBuffer, - 2016-12-17
645657 Use-of-uninitialized-value in base::Pickle::WriteBytes - 2016-12-17
641995 value.isFunctionValue() - 2016-12-16
632709 Heap-use-after-free in CPDFSDK_Widget::SetAppModified - 2016-12-15
642803 Heap-use-after-free in cc::SurfaceManager::UnregisterBeginFrameSource - 2016-12-15
643726 Heap-buffer-overflow in safe_browsing::dmg::UDIFBlock::ParseBlockData - 2016-12-15
643173 Wrong security state when redirecting to HTTP $2000 2016-12-15
644182 Heap-buffer-overflow in unibrow::Utf8::Validate - 2016-12-15
648971 Chrome OS exploit: c-ares OOB write + dump_vpd_log > symlink $100000 2016-12-14
632848 !object || (object->isBox()) - 2016-12-14
637899 Heap-buffer-overflow in Decode - 2016-12-14
640998 Crash in CPDF_Parser::LoadCrossRefV5 - 2016-12-14
643431 Crash in v8::internal::Object::SetPropertyInternal - 2016-12-14
643665 Crash inside SuperBlitter::blitH - 2016-12-14
643933 Crash in SuperBlitter::blitH - 2016-12-14
643935 Heap-buffer-overflow in gpu::gles2::Texture::SetLevelInfo - 2016-12-14
640999 Heap-use-after-free in base::ObserverListBase<content::RenderThreadObserver>::RemoveObserver - 2016-12-13
642987 Heap-buffer-overflow in unibrow::Utf8::Validate - 2016-12-13
643137 Heap-use-after-free in blink::TimerBase::getTimerTaskRunner - 2016-12-13
643970 Use-of-uninitialized-value in SkUnPreMultiply::PMColorToColor - 2016-12-13
644003 Use-of-uninitialized-value in mojo::edk::ChannelPosix::WriteNoLock - 2016-12-13
624011 Security: UAF with namespace nodes in XPointer ranges $3500 2016-12-11
638220 Heap-buffer-overflow in test_runner::BoundsForCharacter - 2016-12-10
638166 Heap-use-after-free in content::RenderFrameImpl::NavigateInternal - 2016-12-09
642867 Crash in v8::internal::wasm::WasmFullDecoder::AnalyzeLoopAssignment - 2016-12-09
642639 <no crash state available> - 2016-12-09
643071 Crash in v8::internal::NewSpace::Verify - 2016-12-09
640576 Heap-use-after-free in base::WaitableEvent::Signal - 2016-12-08
642028 Use-of-uninitialized-value in void WTF::copyToVector<WTF::HashSet<blink::LayoutObject*, WTF::PtrHash<blink::La - 2016-12-08
497302 Integer-overflow in sfntly::FontData::Bound $1000 2016-12-06
642063 Crash in v8::internal::HeapObject::SizeFromMap - 2016-12-06
641575 Crash in v8::internal::InstantiateObject - 2016-12-05
623992 Use-of-uninitialized-value in unicodetoupper - 2016-12-04
622197 Heap-buffer-overflow in u16_u8 - 2016-12-03
633473 Use-of-uninitialized-value in Hunspell::spell - 2016-12-03
638570 Use-of-uninitialized-value in AffixMgr::compound_check - 2016-12-03
638562 Stack-buffer-overflow in SfxEntry::checkword - 2016-12-03
625915 Mac: 'Press Esc to exit fullscreen' covered up by permission prompts - 2016-12-02
638615 Security: heap-buffer-overflow in ImageBitmap::ImageBitmap $5500 2016-12-02
619368 Heap-buffer-overflow in content::WriteMemory - 2016-12-01
631375 Security: mbspatch: Malform patch file may access heap out of bound - 2016-12-01
635602 Heap-use-after-free in content::RenderProcessHostImpl::ConnectionFilterImpl::GetInterface - 2016-12-01
635879 Security: Format String Vulnerability in Chrome OS $1000 2016-12-01
638223 Use-of-uninitialized-value in Break - 2016-12-01
638742 Security: Universal XSS using ThreadDebugger::setMonitorEventsCallback $2000 2016-12-01
617124 Use-of-uninitialized-value in WebRtcSpl_CountLeadingZeros32 - 2016-11-30
637594 Security: Universal XSS using DevTools $2000 2016-11-30
639658 Security: Navigating to "chrome://" URLs via 'about:' protocol $500 2016-11-30
637546 Security: UNKOWN in CFX_Edit_Provider::GetCharWidthW $1000 2016-11-29
639451 Heap-use-after-free in std::__1::__tree_const_iterator<std::__1::__value_type<CFX_ByteString, CPDF_Obje - 2016-11-29
639984 Heap-use-after-free in FORM_DoDocumentAAction - 2016-11-29
639985 Use-of-uninitialized-value in shell::internal::InterfaceFactoryBinder<IPC::mojom::ChannelBootstrap>::BindInter - 2016-11-29
633306 CSP can be abused to disclose URIs cross-origin - 2016-11-25
638571 Heap-use-after-free in blink::DepthOrderedLayoutObjectList::ordered - 2016-11-25
638928 !m_deletionHasBegun - 2016-11-25
628942 Security: Universal XSS with ScopedPageLoadDeferrer and RemoteFrame $17500 2016-11-24
630654 Heap-use-after-free in CPDFSDK_Document::KillFocusAnnot $3000 2016-11-24
633474 Negative-size-param in blink::LayoutGrid::populateExplicitGridAndOrderIterator - 2016-11-24
638186 Use-after-poison in blink::SVGLengthContext::convertValueToUserUnits - 2016-11-24
638192 Use-after-poison in blink::ElementResolveContext::ElementResolveContext - 2016-11-24
638226 Use-of-uninitialized-value in v8::internal::PointerUpdateJobTraits< - 2016-11-24
619381 Crash in GrCircleBlurFragmentProcessor::CreateCircleBlurProfileTexture - 2016-11-23
633385 CUPS domain socket should only be openable by user chonos - 2016-11-23
635848 Security: Crash in CPDF_Dictionary::GetObjectBy $1000 2016-11-23
638185 Bad-cast to const blink::LayoutBox from blink::LayoutSVGResourcePattern;blink::PaintInvalidationState::updateForNormalChildren;blink::PaintInvalidationState::updateForChildren - 2016-11-23
638219 Bad-cast to blink::LayoutBox from blink::LayoutSVGEllipse;blink::LayoutObject::positionForPoint;blink::LayoutBox::clippingRect - 2016-11-23
622033 Heap-buffer-overflow in sctp_send_deferred_reset_response - 2016-11-22
630870 Security: Universal XSS by intercepting a UA shadow tree $7500 2016-11-22
636268 Security: heap-buffer-overflow in SkColorSpace $3500 2016-11-22
634557 Security: Blob file entries aren't checked against security policy - 2016-11-22
628999 Crash in blink::Geolocation::onGeolocationPermissionUpdated - 2016-11-21
635577 Crash in mojo::AssociatedBinding<blink::mojom::blink::BroadcastChannelClient>::RunConnect - 2016-11-19
637320 Security: Unchecked .end() iterator dereference in VTVideoDecodeAccelerator::ReusePictureBuffer - 2016-11-19
625404 Security: use-after-free in AttachFilteredEvent on event_bindings.cc $3000 2016-11-18
628920 Security: Address bar spoofing on iOS - 2016-11-18
625575 Security: bypassing CORS by XHR + MemoryCache + ServiceWorker - 2016-11-18
633687 Security: Full browser crash when trying to open missing 'downloaded' resource file. - 2016-11-18
626893 Security: Arbitrary memory write in v8::internal::GlobalHandles::IterateNewSpaceWeakUnmodifiedRoots() $3000 2016-11-17
628542 Heap-buffer-overflow in unibrow::Utf8::Validate - 2016-11-17
631368 Crash in blink::getPropertyNameString - 2016-11-17
634954 Security: Address bar spoofing with itunes page on iOS - 2016-11-17
636194 Crash in void SkLinearGradient::LinearGradientContext::shade4_dx_clamp<false, false> - 2016-11-17
635571 Crash in blink::EventTarget::fireEventListeners - 2016-11-17
622420 Security: Type confusion in StylePropertySerializer::getCustomPropertyText. - 2016-11-16
632124 Global-buffer-overflow in silk_NLSF2A - 2016-11-16
635574 Use-after-poison in blink::CrossThreadPersistentRegion::shouldTracePersistentNode $3500 2016-11-16
600352 Security: Cross-Protocol Theft from non-HTTP services via DNS rebinding + HTTP/0.9 - 2016-11-15
611955 //components/filesystem/public/interfaces/*.mojom files need security review - 2016-11-15
618037 Security: Devtools old remote frontend allows running privileged scripts via overwriting localStorage settings $1000 2016-11-15
633472 Use-of-uninitialized-value in segment - 2016-11-15
632849 Heap-buffer-overflow in SkA8_Blitter::blitH - 2016-11-13
628890 Security: heap-buffer-overflow in opj_tcd_code_block_dec_allocate $3500 2016-11-12
628304 Security: heap-buffer-overflow in opj_v4dwt_interleave_h $3500 2016-11-12
634238 Security: Adobe Flash Button.blendMode setter uninitialized stack variable - 2016-11-12
635045 Use-of-uninitialized-value in blink::ImagePattern::isLocalMatrixChanged - 2016-11-12
619429 Security: Able to bypass permission prompt on keypress - 2016-11-11
624514 Heap-buffer-overflow in CWeightTable::Calc $3500 2016-11-11
634114 Heap-use-after-free in blink::LayoutFieldset::adjustInnerStyle - 2016-11-11
634394 Security: UAF in PDFium's TimerProc() - 2016-11-11
627355 Crash in _platform_memmove$VARIANT$Nehalem - 2016-11-10
632965 Security: OOB read with CallSite and wasm - 2016-11-10
633585 Crash in v8::internal::InnerPointerToCodeCache::GcSafeFindCodeForInnerPointer - 2016-11-10
633471 Use-of-uninitialized-value in GrPipeline::CreateAt - 2016-11-08
633486 Tracking bug for internal fixes: Chrome M52, release 1 - 2016-11-08
479961 Apply wpa_supplicant P2P vulnerability fixes - 2016-11-07
632634 Security: Universal XSS with static methods and ScriptState::forHolderObject $7500 2016-11-07
610644 Heap-buffer-overflow in ps_table_add $1500 2016-11-06
632850 Crash in CPDFSDK_InterForm::GetWidget - 2016-11-06
632851 Heap-use-after-free in CJS_Timer::KillJSTimer - 2016-11-06
632860 Heap-buffer-overflow in copy - 2016-11-05
616429 Security: Saving WebPage with file: resources access SMB resources $1000 2016-11-04
631052 Use-after-poison in blink::CompositorAnimationPlayer::NotifyAnimationStarted $3500 2016-11-04
631320 Heap-use-after-free in content::WebRTCEventLogHost::PeerConnectionRemoved - 2016-11-04
629919 Security: heap-buffer-overflow in opj_tcd_update_tile_data $5000 2016-11-03
631050 Crash in v8::internal::JSObject::UpdateAllocationSite - 2016-11-03
573131 Security: some extension bindings incorrectly injected into about:blank frames $7500 2016-11-02
627414 Crash in MaskSuperBlitter::blitH - 2016-11-02
630377 Heap-use-after-free in ProfileIOData::FromResourceContext - 2016-11-02
629455 Heap-buffer-overflow in SuperBlitter::blitH - 2016-11-02
631319 Container-overflow in gpu::gles2::GLES2DecoderImpl::DoScheduleCALayerFilterEffectsCHROMIUM - 2016-11-02
631752 Tracking bug for internal fixes: Chrome OS 52.0.2743.85 (Platform version: 8350.60.0) - 2016-11-02
628992 Heap-use-after-free in SuperBlitter::blitH - 2016-11-01
627454 Use-of-uninitialized-value in blink::PointerEventManager::setPointerCapture - 2016-11-01
630736 Crash in segment - 2016-11-01
630369 Use-of-uninitialized-value in GrShape::attemptToSimplifyPath - 2016-10-31
630749 Heap-use-after-free in mojo::BindingSet<network_hints::mojom::NetworkHints>::AddBinding - 2016-10-31
623195 Use-of-uninitialized-value in base::Pickle::WriteData - 2016-10-29
630649 Stack-buffer-overflow in SkDCubic::searchRoots - 2016-10-29
399951 Security: Cross-origin information leak via ECMAScript harmony proxies $1000 2016-10-28
614647 Use-of-uninitialized-value in get_advance - 2016-10-28
621362 Security: Universal XSS with Flash calling into JavaScript inside Node::removedFrom $7500 2016-10-28
629962 Use-of-uninitialized-value in segment - 2016-10-28
628117 Heap-use-after-free in blink::PaintController::commitNewDisplayItems $3500 2016-10-28
630378 Use-of-uninitialized-value in SkDPoint::approximatelyEqual - 2016-10-28
624213 Security: Address bar RTL character spoofing on Mac - 2016-10-27
624214 Security: Address bar RTL character spoofing on iOS - 2016-10-27
629795 Use-of-uninitialized-value in gpu::gles2::GLES2DecoderImpl::HandleGetBufferParameteriv - 2016-10-27
626186 Crash in SkOpAngle::setSpans - 2016-10-26
627401 Crash in SkOpCoincidence::mark - 2016-10-26
628995 Use-of-uninitialized-value in CPWL_List_Notify::IOnInvalidateRect - 2016-10-26
629452 Crash in segment - 2016-10-26
629454 Use-of-uninitialized-value in containsCoincidence - 2016-10-26
616623 Use-of-uninitialized-value in walk_convex_edges - 2016-10-25
629004 Use-of-uninitialized-value in gpu::gles2::GLES2DecoderImpl::DoDrawBuffersEXT - 2016-10-25
629008 Use-of-uninitialized-value in gpu::gles2::GLES2Implementation::WaitSyncTokenCHROMIUM - 2016-10-25
629435 Crash in v8::internal::Invoke - 2016-10-25
623319 URL Spoof due to subframes and NavigationEntry corruption $2000 2016-10-21
627436 Negative-size-param in content::MediaStreamDispatcherHost::OnCancelDeviceChangeNotifications - 2016-10-21
627756 Security: SEGV on unknown address in toCSSValuePair $3000 2016-10-21
627443 Use-of-uninitialized-value in gpu::gles2::GLES2Implementation::BufferDataHelper - 2016-10-21
628113 Use-of-uninitialized-value in blink::LayoutObject::setPreferredLogicalWidthsDirty - 2016-10-21
628130 Stack-buffer-overflow in saturated_add - 2016-10-21
626790 Crash in blink::ComputeFloatOffsetForFloatLayoutAdapter<2>::heightRemaining - 2016-10-20
627354 Negative-size-param in content::WebRTCEventLogHost::PeerConnectionRemoved - 2016-10-20
627434 Use-of-uninitialized-value in sk_sse41::blit_row_s32a_opaque - 2016-10-20
627447 Use-of-uninitialized-value in ProfileChooserView::ButtonPressed - 2016-10-20
627457 Use-after-poison in content::WebMessagePortChannelImpl::OnMessage $3500 2016-10-20
611957 //components/leveldb/public/interfaces/leveldb.mojom needs a security review - 2016-10-19
618295 Security: [PDFium]AddressSanitizer: negative-size-param - 2016-10-19
623168 Use-of-uninitialized-value in v8::internal::Factory::NewNumber - 2016-10-19
626182 Heap-use-after-free in blink::PaintController::commitNewDisplayItems - 2016-10-19
623365 Heap Buffer Overflow in iframe URL Parse - 2016-10-17
579934 Chromium allows to open popup window from Flash object without user gesture or blocking $1000 2016-10-15
610986 ASSERTION FAILED: !object || (object->isBox()) - 2016-10-15
617648 Heap-use-after-free in content::FilteringNetworkManager::Initialize - 2016-10-15
626562 Crash in v8::internal::HandleBase::IsDereferenceAllowed - 2016-10-15
626792 Heap-use-after-free in GURL::GURL - 2016-10-15
617105 Security: use-after-free vulnerability in flash player $3000 2016-10-14
623072 Use-of-uninitialized-value in containsCoincidence - 2016-10-14
625541 Security: heap-buffer-overflow in opj_tcd_init_tile $3000 2016-10-14
625823 Security: SEGV in blink::DOMWindowV8Internal::blurMethodCallback $1000 2016-10-14
625945 Security: browser history sniffing via HSTS + CSP (bypass previous fix) $1000 2016-10-14
613949 Extension install crashes browser at onDownloadProgress and onInstallStageChanged $500 2016-10-13
625903 Security: heap-use-after-free in blink::LayoutBox::pixelSnappedOffsetHeight $2000 2016-10-13
624818 Use-of-uninitialized-value in gpu::gles2::GLES2Implementation::BufferDataHelper - 2016-10-13
623378 Security: UAF related to XPointer range-to function $3500 2016-10-12
625752 Crash in v8::internal::LocalArrayBufferTracker::Free<1> - 2016-10-12
625393 Security: Heap-use-after-free in ScriptInjector $1000 2016-10-11
616907 Security: Universal XSS using a ScopedPageLoadDeferrer bypass $8000 2016-10-10
619379 CharacterData::setData() should handle first-letter correctly - 2016-10-06
620952 i < m_len - 2016-10-06
624713 Security: Calling from WASM to JS should not pass the global object - 2016-10-06
291417 Security: <webview>/App Request Contexts may not be so isolated - 2016-10-05
561978 Vulnerability reported in media-libs/libpng - 2016-10-05
609382 Security: Use after free of task_struct in Mali Midgard driver. - 2016-10-05
612050 Heap-use-after-free in views::Widget::OnNativeWidgetDestroying - 2016-10-05
609680 Chrome For Android Address Bar Spoofing Issue Due To Mishandling Of RTL Characters $3000 2016-10-05
617882 Crash in v8::internal::PointerUpdateJobTraits< - 2016-10-05
618333 Security: Parameter sanitization failure in DevTools leads to privileged script execution $2000 2016-10-05
619414 Security: Devtools has Insuffient sanitization of remoteBase parameter $2000 2016-10-05
620981 Crash in _platform_bzero$VARIANT$Merom - 2016-10-05
621843 Heap-buffer-overflow in float blink::ShapeResultSpacing::computeSpacing<unsigned short> - 2016-10-05
623985 Use-after-poison in blink::PersistentBase<blink::WorkerWebSocketChannel::Bridge, $3500 2016-10-05
623996 Use-of-uninitialized-value in blink::LineBoxList::deleteLineBoxes - 2016-10-05
617084 Crash in v8::internal::HandleBase::IsDereferenceAllowed - 2016-10-04
619377 Bad-cast to blink::WebGLObject from invalid vptr;blink::WebGLProgram::deleteObjectImpl;blink::WebGLSharedObject::detachContextGroup - 2016-10-04
621095 SIGSEGV, RIP = 0x0 - 2016-10-04
118642 Heap-use-after-free in v8::internal::JSObject::GetElementWithInterceptor $1000 2016-10-02
118662 Regression(r109014): Heap-use-after-free in WebCore::InlineTextBox::isLineBreak $500 2016-10-02
118593 Heap-use-after-free in WebCore::SVGStyledElement::buildPendingResourcesIfNeeded $1000 2016-10-02
118490 Heap-use-after-free in WebCore::RenderObject::containingBlock $1000 2016-10-02
118467 open.call(other_window) circumvents check in other_window.open() - 2016-10-02
118633 Security: Frame sniffing is not fixed - 2016-10-02
118414 Heap use after free on chrome_content_browser_client.cc with webrtc $1000 2016-10-02
118374 Long autofilled value causes render issue - 2016-10-02
118273 ZDI-CAN-1528: Webkit HTMLMedia Element beforeLoad Remote Code Execution Vulnerability - 2016-10-02
118227 Security: cross-origin iframes can be resized from within in M18 - 2016-10-02
118018 Heap-buffer-overflow in S32_opaque_D32_nofilter_DXDY - 2016-10-02
118317 Popup blocker bypass triggering mouse event on tag with rel=noreferrer - 2016-10-02
118185 Heap-use-after-free in WebCore::V8HTMLBodyElement::wrapSlow - 2016-10-02
117890 Use-after-free in CrashGenerationServer - 2016-10-02
117912 Heap-buffer-overflow in memcmp - 2016-10-02
117794 [LangFuzz] Crash on heap with invalid read through GetPropertyWithCallback $500 2016-10-02
117736 No permission prompt when loading unpacked extension with NPAPI plugin - 2016-10-02
117728 Heap-use-after-free in WebCore::InlineBox::root $1000 2016-10-02
117724 Event handlers firing during Text::splitText trigger use-after-free. - 2016-10-02
118009 Heap-buffer-overflow in void WTF::Vector<unsigned short, 0ul>::append<unsigned short> - 2016-10-02
117889 Dangerous download warnings are suppressed for a larger class of downloads than are handled by SafeBrowsing - 2016-10-02
117698 Heap-use-after-free in WebCore::RenderLayer::addChild $1000 2016-10-02
117696 Heap-use-after-free in WebCore::RenderBlock::addPositionedFloats - 2016-10-02
117674 Heap-use-after-free in WebCore::GraphicsContext3D::getExtensions - 2016-10-02
117672 Uptake angle security fix - 2016-10-02
117656 Pwnium bug: GPU memory corruption - 2016-10-02
117627 Security: IPC Channel does not validate the listener. - 2016-10-02
117620 Pwnium bug: Prerendering issues with NACL $60000 2016-10-02
117715 LoadExtension binding in chrome://extensions/ is too permissive - 2016-10-02
117583 Iframe hijacking from Pwnium - 2016-10-02
117588 Security: Memory Corruption in MaskSuperBlitter $1000 2016-10-02
117545 ICU lang buffer overflow - 2016-10-02
117471 Heap-use-after-free in WebCore::GraphicsContext::paintingDisabled $1000 2016-10-02
117446 App popup user gesture exemption should be based on process type, not just extent - 2016-10-02
117418 Security: Don't grant WebUI bindings to a process shared with normal views - 2016-10-02
117417 Security: Don't let a normal web renderer navigate to a privileged URL - 2016-10-02
117413 Heap-use-after-free in WebCore::RenderScrollbar::getScrollbarPseudoStyle - 2016-10-02
117409 Chrome: Crash Report - Stack Signature: v8::internal::MarkCompactCollector::RecordS... - 2016-10-02
117400 Uptake fixes on weak node iteration patterns - 2016-10-02
117511 Heap-use-after-free in WTF::equal - 2016-10-02
117335 Occasional heap-use-after-free in non-virtual thunk to AudioDevice::OnStateChanged $500 2016-10-02
117341 Heap-use-after-free in MessageLoop::AddToIncomingQueue $1000 2016-10-02
117230 Part 2 of Pwnium Bug - 2016-10-02
117226 Part 1 of Pwnium Bug: UXSS $60000 2016-10-02
117150 REGRESSION(wk109285): Heap-use-after-free in WebCore::Document::nodeChildrenWillBeRemoved $1000 2016-10-02
117110 Heap-use-after-free in WebCore::RenderObjectChildList::destroyLeftoverChildren - 2016-10-02
116994 Heap-use-after-free in chrome::ChromeContentBrowserClient::RequestMediaAccessPermission - 2016-10-02
116967 Heap-buffer-overflow in WebCore::SVGUseElement::instanceForShadowTreeElement - 2016-10-02
116927 Heap-buffer-overflow in av_freep $1000 2016-10-02
116806 Heap-use-after-free in WebCore::RenderInline::continuationBefore - 2016-10-02
116746 Heap-use-after-free in WebCore::RenderBlock::splitBlocks $1000 2016-10-02
116637 Renderer process crash when doing WebGL canvas to 2D canvas drawImage() - 2016-10-02
116524 Security: Off-by-one in OTS resulting in arbitrary code execution - 2016-10-02
116461 Heap-use-after-free in WebCore::CSSCrossfadeValue::~CSSCrossfadeValue $1000 2016-10-02
116405 Mitigate stale layout root bugs - 2016-10-02
116398 Security: SSL proxy seems to not care about the cert - 2016-10-02
116474 Merge SVG use fix to stable - 2016-10-02
121926 Heap-buffer-overflow in WebCore::FEConvolveMatrix::platformApplySoftware - 2016-10-02
121937 glGetProgramInfoLog regression in ANGLE - 2016-10-02
121734 Heap-use-after-free in WebCore::V8AbstractEventListener::~V8AbstractEventListener - 2016-10-02
121726 Sandbox IPC length checking race - 2016-10-02
121703 Crash in NSMutableRLEArray replaceObjectsInRange:withObject:length with long URL - 2016-10-02
121692 Heap-use-after-free in WebCore::SelectorChecker::checkOneSelector - 2016-10-02
121645 Heap-use-after-free in WebCore::RenderBlock::removeFloatingObject - 2016-10-02
121899 Security: use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer() $1000 2016-10-02
121736 Heap-use-after-free in WebCore::EventDispatcher::dispatchEvent - 2016-10-02
121347 Heap-buffer-overflow in WebCore::RenderBlock::LineBreaker::nextLineBreak $500 2016-10-02
121524 Use after free with reflections and composited layers - 2016-10-02
121206 Heap-buffer-overflow in WebCore::HTMLSelectElement::setRecalcListItems - 2016-10-02
121128 Heap-buffer-overflow in void WTF::Vector<unsigned short, 1024ul>::append<unsigned short> - 2016-10-02
120977 Crash in texSubImage2D on Mozilla's WebGL performance regression tests - 2016-10-02
121269 invalid cast in WebCore::toHTMLElement / WebCore::HTMLFieldSetElement::disabledAttributeChanged - 2016-10-02
121223 Heap-use-after-free in WebCore::WorkerThreadableWebSocketChannel::Bridge::mainThreadCreateWebSocketChannel $500 2016-10-02
121407 [LangFuzz] Invalid write in v8::internal::ElementsAccessorBase<...>::CopyElements $1000 2016-10-02
120648 UNKNOWN in SkARGB32_Blitter::blitV $500 2016-10-02
120457 Global-buffer-overflow in WebCore::InlineTextBox::isLineBreak - 2016-10-02
120711 Heap-use-after-free in WebCore::Element::recalcStyle $1000 2016-10-02
120944 Use-after-free due to issues in counter layout. $1000 2016-10-02
120912 Heap-use-after-free in WebCore::RenderText::removeTextBox $1000 2016-10-02
120320 Flash Broker Bypass 0x2B (CVE-2012-0724) - 2016-10-02
120318 Flash Broker Bypass 0x2D (CVE-2012-0725) - 2016-10-02
120222 Heap-use-after-free in WebCore::RenderTableSection::paintCell $1000 2016-10-02
120205 Security: <svg:use> elements in the parser can create elements not marked as created by the parser - 2016-10-02
120404 Heap-buffer-overflow in WebCore::Font::codePath - 2016-10-02
120037 Heap-use-after-free in WebCore::ContainerNode::resumePostAttachCallbacks $1000 2016-10-02
120007 Heap-use-after-free in WebCore::WorkerEventQueue::close - 2016-10-02
120403 Heap-use-after-free in WebCore::ContainerNode::insertBefore - 2016-10-02
120189 Heap-use-after-free in WebCore::V8RecursionScope::didLeaveScriptContext - 2016-10-02
119926 Use after free in v8::internal::IncrementalMarking::Step $1000 2016-10-02
119501 Heap-use-after-free in WebCore::SVGStyledElement::buildPendingResourcesIfNeeded $1000 2016-10-02
119429 UNKNOWN in v8::Message::GetScriptResourceName $500 2016-10-02
120006 Heap-use-after-free in WebCore::RenderBlock::finishDelayUpdateScrollInfo - 2016-10-02
119525 Heap-use-after-free in WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange $1000 2016-10-02
119281 Heap-use-after-free in WebCore::GenericEventQueue::~GenericEventQueue $500 2016-10-02
119230 Heap-use-after-free in WebCore::RenderBlock::splitBlocks - 2016-10-02
119150 Sandboxed processes should not be able to open other sandboxed processes - 2016-10-02
119084 Heap-use-after-free in utext_setNativeIndex_46 - 2016-10-02
118970 GPU process crash below DoDrawArrays (Nvidia) $500 2016-10-02
119305 Heap-use-after-free in WebCore::Node::~Node $1000 2016-10-02
119250 GPU, Plugin, and NaCl processes have PROCESS_DUP_HANDLE permission on renderer processes - 2016-10-02
118803 Heap-use-after-free in WebCore::SVGTextLayoutAttributesBuilder::fillCharacterDataMap - 2016-10-02
118784 Heap-buffer-overflow in void WTF::Vector<unsigned short, 1024ul>::insert<unsigned short> - 2016-10-02
118853 Heap-use-after-free in WebCore::InlineFlowBox::deleteLine - 2016-10-02
118664 Security: Swapped out URL must be a unique origin - 2016-10-02
118721 Extensions resources can be fetched across incognito - 2016-10-02
116162 Heap-buffer-overflow in wk_png_inflate - 2016-10-02
116128 Content scripts should never be run in the webstore isolate - 2016-10-02
116093 Heap-buffer-overflow in WebCore::SVGDocumentExtensions::removeAnimationElementFromTarget $1000 2016-10-02
116069 WebCore::MediaStreamListInternal::itemCallback $500 2016-10-02
116224 Heap-use-after-free in WebCore::FrameLoader::urlSelected - 2016-10-02
115998 Heap-use-after-free in WebCore::RenderMenuList::addChild - 2016-10-02
115862 Heap-use-after-free in WebCore::InlineFlowBox::deleteLine - 2016-10-02
115756 Heap-use-after-free in WebCore::InlineFlowBox::deleteLine - 2016-10-02
115754 Heap-use-after-free in WebCore::RenderLayer::addChild $1000 2016-10-02
115695 Heap-buffer-overflow in WebCore::StaticNodeList::itemWithName $1000 2016-10-02
115681 Heap-use-after-free in WebCore::RenderBox::enclosingFloatPaintingLayer $1000 2016-10-02
115680 Heap-use-after-free in WebCore::RenderListItem::updateMarkerLocation - 2016-10-02
115807 Heap-use-after-free in WebCore::RenderMenuList::addChild - 2016-10-02
116027 Heap-buffer-overflow in WebCore::InlineFlowBox::addToLine - 2016-10-02
115159 Security: Setting innerText allows DOMSubtreeModified listeners to cause crashes - 2016-10-02
115028 Bad cast in splitAnonymousBlocksAroundChild (part 3) $1000 2016-10-02
115003 Heap-use-after-free in WebCore::RenderObject::previousInPreOrder - 2016-10-02
115299 Use-after-free in AudioDeviceThread::Callback::InitializeOnAudioThread $500 2016-10-02
115471 Heap-buffer-overflow in SkAlphaRuns::add $1000 2016-10-02
114924 Bad cast in splitAnonymousBlocksAroundChild $1000 2016-10-02
114911 Heap-buffer-overflow in WebCore::Element::setAttribute - 2016-10-02
114858 Heap-use-after-free in WebCore::RenderTableSection::willBeDestroyed - 2016-10-02
114960 Heap-use-after-free in WebCore::SVGTextLayoutAttributesBuilder::fillCharacterDataMap - 2016-10-02
114219 Heap-use-after-free in WebCore::RenderTableSection::nodeAtPoint $1000 2016-10-02
114152 Heap-use-after-free in WebCore::InspectorStyleSheet::deleteRule - 2016-10-02
114144 Crash by clicking the time field of maps.google.com - 2016-10-02
114068 Heap-use-after-free in WebCore::HTMLElement::isPresentationAttribute $1000 2016-10-02
114056 Heap-buffer-overflow in WebCore::previousBoundary $500 2016-10-02
114054 Heap-buffer-overflow in void WTF::Vector<unsigned short, 0ul>::append<unsigned short> $500 2016-10-02
113924 [LangFuzz] Crash at v8::internal::HashTable<...>::FindEntry with invalid read $1000 2016-10-02
114342 Stack-buffer-overflow at strcpy $1000 2016-10-02
113837 Heap-use-after-free in WebCore::Document::unregisterForPageCacheSuspensionCallbacks $1000 2016-10-02
113800 Heap-use-after-free in WebCore::RenderBlock::computeOverflow - 2016-10-02
113902 Heap-use-after-free in WebCore::InlineBox::root $1000 2016-10-02
113799 Heap-use-after-free in WebCore::RenderTable::layout - 2016-10-02
113801 Heap-use-after-free in WebCore::RenderBlock::outlineStyleForRepaint - 2016-10-02
113733 Security: Flash deployed via component updater runs outside the sandbox - 2016-10-02
113755 Heap-use-after-free in WebCore::RenderObjectChildList::destroyLeftoverChildren - 2016-10-02
113707 Heap-use-after-free in WebCore::RenderQuote::placeQuote $1000 2016-10-02
113690 Heap-use-after-free in WebCore::RenderButton::removeChild - 2016-10-02
113567 Heap-use-after-free in WebCore::RenderRegion::setRegionBoxesRegionStyle - 2016-10-02
113562 Heap-use-after-free in WebCore::NavigationScheduler::schedule - 2016-10-02
113730 Integer wrap in CSSParser::quoteCSSString() can cause a buffer overflow - 2016-10-02
113497 Heap-use-after-free in WebCore::InlineFlowBox::computeUnderAnnotationAdjustment $1000 2016-10-02
113496 Links in settings page (like learn more, google dashboard) are opened in the webui renderer process - 2016-10-02
113439 Bad casts due to issues in splitAnonymousBlocksAroundChild $1000 2016-10-02
113415 Heap-use-after-free in WebCore::InlineFlowBox::deleteLine - 2016-10-02
113258 Bad cast in WebCore::RenderBlock::createLineBoxes $1000 2016-10-02
113178 Adding a ShadowRoot to a SELECT element causes crashes - 2016-10-02
113174 Attaching a ShadowRoot to a VIDEO element causes heap-use-after-free - 2016-10-02
113160 Security: Tracking bug for WK77971 - Replaces the [CheckNodeSecurity] IDL attribute - 2016-10-02
113119 Security: Report bad translation link uses http:// - 2016-10-02
112976 Heap-use-after-free in vorbis_decode_frame - 2016-10-02
112961 TCP and UDP IPCs should not be exposed to arbitrary renderers - 2016-10-02
112983 Browser crash with FTP video source - 2016-10-02
125462 Security: libxml2 1-byte heap-buffer-overflow in xmlXPtrEvalXPtrPart $1500 2016-10-02
125436 Heap-use-after-free in WebCore::HTMLFormControlElement::disabled - 2016-10-02
125249 Heap-buffer-overflow in seg_to - 2016-10-02
125225 Domui process can be ptraced from a compromised renderer leading to sandbox escape, take 2 - 2016-10-02
125159 Chrome crashes when pressing back button on a page that is still downloading a big gif image $1337 2016-10-02
125151 Heap-use-after-free in WebCore::Node::compareDocumentPosition - 2016-10-02
125010 Stealing AutoFill data with window.getSelection() before users actually select form contents - 2016-10-02
125494 Heap-buffer-overflow in WebCore::HTMLTreeBuilder::processEndTag - 2016-10-02
125374 Heap-use-after-free in WebCore::RenderSVGContainer::paint $1000 2016-10-02
124992 Heap-use-after-free in WebCore::swapInNodePreservingAttributesAndChildren - 2016-10-02
124923 Heap-use-after-free in WebCore::parseToDoubleForNumberType - 2016-10-02
124919 Heap-use-after-free in WebCore::RenderBlock::addOverflowFromFloats - 2016-10-02
124895 Heap-use-after-free in WebCore::ScriptController::executeIfJavaScriptURL - 2016-10-02
124893 Heap-buffer-overflow in WebCore::HTMLOptionElement::selected - 2016-10-02
124870 Heap-use-after-free in WebCore::InsertParagraphSeparatorCommand::doApply - 2016-10-02
124868 Heap-use-after-free in WebCore::RenderObject* WebCore::bidiNextShared<WebCore::BidiResolver<WebCore::InlineIterator, WebCor - 2016-10-02
124836 NSS should reject DH public values equal to one - 2016-10-02
125000 Heap-buffer-overflow in WTF::VectorMover<false, WebCore::Attribute>::move - 2016-10-02
124924 Heap-buffer-overflow in WebCore::XPath::sortBlock - 2016-10-02
124652 Heap-buffer-overflow in SkDashPathEffect::SkDashPathEffect - 2016-10-02
124625 Chrome: Crash Report - Stack Signature: WebCore::npObjectNamedGetter<WebCore::V8HTM... - 2016-10-02
124617 Heap-buffer-overflow in WebCore::RenderBlock::createLineBoxes - 2016-10-02
124669 Heap-use-after-free in WebCore::SVGLength::value - 2016-10-02
124530 Heap-use-after-free in WebCore::RenderBlock::layoutPositionedObjects - 2016-10-02
124594 UNKNOWN in v8::internal::MarkCompactCollector::PrepareThreadForCodeFlushing $500 2016-10-02
124479 Use after free in PDF with corrupt CID font encoding name - 2016-10-02
124356 Heap-use-after-free in WebCore::GraphicsContext::restore $1000 2016-10-02
124263 OOB read with PDF in cell sorting - 2016-10-02
124228 Security: Component updater parses unauthenticated XML with libxml in the browser process - 2016-10-02
124216 Security: MSVR:159 - Google Chrome NPAPI Plugin Insecure Loading Elevation of Privilege Vulnerability - 2016-10-02
124191 OOB read in PDF when parsing / processing text - 2016-10-02
124190 OOB read, off-by-one in PDF predictor code with specific decode parameters - 2016-10-02
124184 OOB read with 1bpp image and ICC profile - 2016-10-02
124183 OOB read in PDF fax codec - 2016-10-02
124389 Heap-use-after-free in WebCore::TargetListener::clear - 2016-10-02
124182 Out of bounds write in PDF with sample function with lots of inputs - 2016-10-02
124179 PDF crash under ASAN with character maps - 2016-10-02
123929 Out-of-bounds read in PDF with undersized "O" key and revision 3 crypto - 2016-10-02
123858 Use-after-free in WebPagePopupImpl instance - 2016-10-02
123735 OOB reads in PDF AES support due to buffer mismanagement - 2016-10-02
123733 Out-of-bounds reads with bad parameters to PDF "sampled function" function - 2016-10-02
123709 Breakpad ClientInfo::PopulateCustomInfo() integer wrap leads to heap overflow - 2016-10-02
123656 OOB read in PDF whilst scanning for "startxref" - 2016-10-02
123631 Heap-use-after-free in WebCore::GraphicsContext::paintingDisabled - 2016-10-02
123544 Heap-use-after-free in WebCore::CachedResource::checkNotify - 2016-10-02
123530 Heap-use-after-free in AutocompleteMatch::AutocompleteMatch - 2016-10-02
123484 Global-buffer-overflow in WebCore::InlineTextBox::isLineBreak - 2016-10-02
123481 Security: ERROR: AddressSanitizer heap-buffer-overflow on address 0x7fde15ff9890 at pc 0x7fde364c5034 $1000 2016-10-02
123105 Heap-buffer-overflow in Color32_SSE2 - 2016-10-02
123054 Security: renderer can grant itself read permissions to arbitrary files - 2016-10-02
123029 OOB write in SkARGB32_Black_Blitter::blitAntiH -> sk_memset32_SSE2 $1000 2016-10-02
123012 Chrome: Crash Report - Stack Signature:WebCore::V8BindingPerContextData::constructorForType(WebCore::WrapperTypeInfo *) - 2016-10-02
122925 Security: Autofill info can be captured by innocuous social engineering $1000 2016-10-02
122865 Heap-use-after-free in SkCanvas::internalDrawBitmapRect - 2016-10-02
122760 Heap-use-after-free in WebCore::RenderTable::computePreferredLogicalWidths - 2016-10-02
122692 UNKNOWN in /lib/libc-2.11.1.so+Unknown - 2016-10-02
122681 [LangFuzz] CHECK(fixed_size + height_in_bytes == input_frame_size) failed or crash with invalid read $500 2016-10-02
122654 Chrome: Crash Report: SocketStreamDispatcherHost::CancelSSLRequest - 2016-10-02
122586 Global-buffer-overflow in HB_TibetanShape - 2016-10-02
122585 Security: stack-buffer-overflow in WebCore::GlyphPage::fill with surrogate characters $500 2016-10-02
122573 Heap-use-after-free in WebCore::CachedRawResource::didAddClient - 2016-10-02
122854 Security: Potential (racy) use after free error in DownloadResourceHandler::OnResponseCompletedInternal - 2016-10-02
122503 Heap-buffer-overflow in erode - 2016-10-02
122337 [LangFuzz] Crash on heap with invalid write (32 bit only). $1000 2016-10-02
122208 GCing a node observed by a WebKitMutationObserver can cause an invalid HashSet iterator - 2016-10-02
122029 Heap-buffer-overflow in WebCore::InlineFlowBox::addToLine - 2016-10-02
122014 Heap-use-after-free in WorkerEventQueue::close - 2016-10-02
121968 Heap-use-after-free in WebCore::GraphicsLayer::willBeDestroyed - 2016-10-02
122562 Heap-use-after-free in ModuleSystem::LazyFieldGetter $1000 2016-10-02
112847 Bad cast in addChildToAnonymousColumnBlocks $1000 2016-10-02
112833 Heap-use-after-free in webkit_media::BufferedResourceLoader::Start $1000 2016-10-02
112822 Security: Heap-buffer-overflow in png_decompress_chunk $1337 2016-10-02
112814 Safe Browsing client doesn't always check for MAC field in response - 2016-10-02
112775 Heap-use-after-free in WebCore::Node::traverseNextNode - 2016-10-02
112764 Heap-use-after-free in RendererAccessibility::SendPendingAccessibilityNotifications - 2016-10-02
112738 Security: User Interface - infobar confusion, spamming, and spoofing - 2016-10-02
112735 Bad cast in FormSubmission::create - 2016-10-02
112694 Heap-use-after-free in WebCore::Node::normalize - 2016-10-02
112670 avcodec_53!ff_h264_get_profile - crash $500 2016-10-02
112451 X509UserCertResourceHandler::OnResponseCompleted crash - 2016-10-02
112443 [Mac] Regular SSL certificate incorrectly displayed with EV color badge - 2016-10-02
112542 Heap-use-after-free in WebCore::TextIterator::rangeFromLocationAndLength - 2016-10-02
112411 Heap-use-after-free in WebCore::SVGUseElement::expandSymbolElementsInShadowTree $1000 2016-10-02
112391 Heap-use-after-free in ExtensionHost - 2016-10-02
112339 Security: chrome allows TDR looping leading to win7 OS crash through page refresh html tag + WebGL - 2016-10-02
112325 Security: Copy-paste preserves <embed> tags containing active content - 2016-10-02
112317 Heap-buffer-overflow in WebCore::Font::codePath $500 2016-10-02
112259 Heap-use-after-free in WebCore::EventTarget::dispatchEvent $500 2016-10-02
112236 Security: Chrome translation script downloaded over HTTP - 2016-10-02
112212 Heap-use-after-free in WebCore::ContainerNode::appendChild $2000 2016-10-02
112151 Heap-use-after-free in WebCore::RenderRegion::setRegionBoxesRegionStyle $1000 2016-10-02
112093 Heap-use-after-free in WebCore::Node::dispatchSubtreeModifiedEvent - 2016-10-02
112055 Heap-buffer-overflow in WebCore::CSSParser::lex - 2016-10-02
111779 Heap-use-after-free in WebCore::SubframeLoader::loadSubframe $1000 2016-10-02
111748 Heap-use-after-free in WebCore::SVGElement::removedFromDocument $1000 2016-10-02
111656 Security: Accessibility bad cast - 2016-10-02
111575 Security: NaCl dynamic code modification allows direct calls inside existing super instructions. - 2016-10-02
111491 AddressSanitizer reports a heap-use-after-free in icu_46::RuleBasedBreakIterator::handleNext in DownloadTest.CrxLargeTheme (browser_tests) on Chrome OS - 2016-10-02
111088 Heap-use-after-free in WebCore::FrameLoader::checkTimerFired - 2016-10-02
111467 Heap-buffer-overflow in WebCore::SVGSVGElement::currentViewBoxRect $1000 2016-10-02
110849 Heap-buffer-overflow in matroska_parse_block - 2016-10-02
110764 Heap-use-after-free in WebCore::DocumentLoader::detachFromFrame $1000 2016-10-02
110723 Heap-use-after-free in WebCore::RenderSVGResourceContainer::markAllClientsForInvalidation - 2016-10-02
111342 Heap-use-after-free in AudioDevice::FireRenderCallback - 2016-10-02
110559 Heap-buffer-overflow in GPU ShaderTranslator - 2016-10-02
110374 Heap-use-after-free in WebCore::EventHandler::mouseMoved $1000 2016-10-02
110360 Heap-use-after-free in WebCore::GraphicsContext::paintingDisabled - 2016-10-02
110277 Heap-buffer-overflow in xsltCompilePatternInternal $500 2016-10-02
110172 Heap-buffer-overflow in SkAlphaRuns::add $1000 2016-10-02
110545 Security: AssociatedURLLoader exposes non-whitelisted response headers when loading with access control (CORS) - 2016-10-02
110076 Heap-use-after-free in WebCore::CompositeEditCommand::ensureComposition - 2016-10-02
109743 Heap-use-after-free in WebCore::CSSStyleSelector::matchRulesForList $1000 2016-10-02
109717 Security: crash when viewing a certificate without issuer signature - 2016-10-02
109716 Heap-use-after-free in xsltParseGlobalVariable $1000 2016-10-02
109691 Security: Losing user-set pin data on HSTS header receipt - 2016-10-02
110112 Heap-use-after-free in WebCore::FrameView::forceLayoutParentViewIfNeeded $1000 2016-10-02
109912 Security: read sandbox escape: NaCl validator for x86-64 allows REP string instructions to have out-of-bound source addresses - 2016-10-02
109623 Chrome: Crash Report - Stack Signature: WebKit::WebMediaPlayerClientImpl::loadInter... - 2016-10-02
109574 Potential XSS attack with [0x8E][0xE3] in EUC-JP page $500 2016-10-02
109556 Heap-buffer-overflow in WebCore::HTMLTreeBuilder::HTMLTreeBuilder $1000 2016-10-02
109411 Regression: Crash in WebCore::DynamicSubtreeNodeList::length() - 2016-10-02
109245 Security: Chrome Drag Spoofing - 2016-10-02
109664 safe_browsing::SignatureUtil::CheckSignature() - crash - 2016-10-02
109094 Possible wild read in internal PDF-reader - 2016-10-02
108958 Heap-use-after-free in WebCore::RenderBlock::determineStartPosition - 2016-10-02
129158 Heap-use-after-free in WebCore::AccessibilityObject::getAttribute - 2016-10-02
129191 UNKNOWN in WebCore::HTMLDocumentParser::prepareToStopParsing $1000 2016-10-02
128971 Heap-use-after-free in WebCore::InlineBox::deleteLine - 2016-10-02
128711 Run-in UAF crashes relating to generated content and inline line box tree not clearing. - 2016-10-02
128704 Crash when opening and closing chrome://chrome - 2016-10-02
128688 Heap-buffer-overflow in gpu::gles2::GLES2Implementation::TexSubImage2DImpl - 2016-10-02
128800 Use after free in WebCore::SVGTextLayoutAttributesBuilder::fillCharacterDataMap - 2016-10-02
128597 RenderViewImpl's shared_popup_counter_ isn't incremented properly - 2016-10-02
128498 Heap-buffer-overflow in WebCore::CSSSelector::specificityForOneSelector - 2016-10-02
128497 CachedImage does not clear the ImageObserver pointer when dropping its Image ref - 2016-10-02
128458 Security: NTP Promo data is downloaded via HTTP, but then rendered on the NTP - 2016-10-02
128665 Heap-use-after-free in WebCore::Node::isInShadowTree - 2016-10-02
128342 Heap-buffer-overflow in WebCore::SVGUseElement::instanceForShadowTreeElement - 2016-10-02
128336 Heap-buffer-overflow in WebCore::SubframeLoader::createJavaAppletWidget - 2016-10-02
128256 tabs permission exploit on the Chrome RSS Extension - 2016-10-02
128204 Assertion failure (toRenderBox() called on a RenderInline) beneath RenderBlock::blockBeforeWithinSelectionRoot() - 2016-10-02
128178 Heap-use-after-free in fileapi::FileSystemOperation::DidGetUsageAndQuotaAndRunTask $3133 2016-10-02
128163 Heap-buffer-overflow in GIFImageReader::read - 2016-10-02
128159 Heap-use-after-free in WTF::HashMap<int, WTF::RefPtr<WebCore::CalculationValue>, WTF::IntHash<unsigned int>, WTF::HashTrait - 2016-10-02
128157 Heap-use-after-free in WebCore::HTMLFormControlElement::disabled - 2016-10-02
128151 Heap-use-after-free in WebKit::MainThreadFileSystemCallbacks::didSucceed - 2016-10-02
128146 UNKNOWN in v8::internal::DescriptorArray::Set - 2016-10-02
128018 [LangFuzz] Crash in v8::internal::ShortCircuitConsString with invalid read $1000 2016-10-02
127889 Use after free in WebCore::Font::characterRangeCodePath / WebCore::Font::codePath - 2016-10-02
127764 Heap-use-after-free in WebCore::RenderBlock::xPositionForFloatIncludingMargin - 2016-10-02
127701 Heap-use-after-free in WebCore::RenderObject::repaint - 2016-10-02
127648 Out of bounds read in WebCore::Region::Shape::compareShapes - 2016-10-02
127624 Security: pepper plugins - protect plugin's data files from other plugins and the renderer itself. - 2016-10-02
127525 Dragging a file into a web renderer exposes the file: scheme $500 2016-10-02
127522 Security: Chrome Allows "Carpet Bomb" from File Download - 2016-10-02
127727 Heap-use-after-free in WebCore::ContextDestructionObserver::contextDestroyed - 2016-10-02
127449 PPAPI processes hold privileged process handles - 2016-10-02
127418 Heap-use-after-free in WebCore::SVGTextLayoutEngine::layoutTextOnLineOrPath $1000 2016-10-02
127417 Security: Arbitrary memory read in libxslt $500 2016-10-02
127371 Heap-use-after-free in WebCore::AXObjectCache::postNotification - 2016-10-02
127368 Heap-use-after-free in WebCore::SVGAnimatedLengthAnimator::resetAnimValToBaseVal - 2016-10-02
127367 Heap-use-after-free in WebCore::ApplyStyleCommand::joinChildTextNodes - 2016-10-02
127366 Heap-use-after-free in WebCore::ReplaceSelectionCommand::performTrivialReplace - 2016-10-02
127424 Heap-use-after-free in WebKit::WebPagePopupImpl::closePopup $1000 2016-10-02
127234 Heap-use-after-free in WebCore::SVGPropertyTearOff<WebCore::FloatRect>::commitChange - 2016-10-02
126723 Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine - 2016-10-02
126652 Heap-buffer-overflow in bool WebCore::Region::Shape::compareShapes<WebCore::Region::Shape::CompareIntersectsOperation> - 2016-10-02
126475 Heap-use-after-free in WebCore::InlineBox::root - 2016-10-02
126414 [LangFuzz] Crash on heap with invalid read from random address (32 bit) $500 2016-10-02
126406 Heap-use-after-free in WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks - 2016-10-02
126343 OOB write in PDF character code mapping - 2016-10-02
126337 Stack buffer overflow in character range parsing - 2016-10-02
126296 Security: Browser crash document.createEvent("MouseEvents").initMouseEvent in background tab $1000 2016-10-02
125730 Heap-use-after-free in WebCore::Document::nodeChildrenWillBeRemoved - 2016-10-02
126105 Global-buffer-overflow in RgnOper::addSpan - 2016-10-02
126074 Heap-use-after-free in WebCore::SpellChecker::didCheckSucceeded - 2016-10-02
126048 Heap-use-after-free in SpeechRecognitionManagerImpl::DispatchEvent $1000 2016-10-02
126040 Heap-use-after-free in WebCore::ContainerNode::insertBefore - 2016-10-02
126015 Heap-use-after-free in WebCore::HTMLFormControlElement::disabled - 2016-10-02
125921 Heap-buffer-overflow in WebCore::FontCache::releaseFontData - 2016-10-02
125919 Heap-buffer-overflow in WebCore::SVGAnimatedPointListAnimator::calculateAnimatedValue $500 2016-10-02
125821 The Linux setuid sandbox has become (even more) insanely complex - 2016-10-02
126075 Stack-buffer-overflow in SuggestMgr::forgotchar_utf - 2016-10-02
125563 Heap-use-after-free in WebCore::RenderBlock::determineStartPosition - 2016-10-02
125557 Heap-use-after-free in WebCore::AudioParam::disconnect - 2016-10-02
125555 Heap-use-after-free in WTF::HashMap<int, WTF::RefPtr<WebCore::CalculationValue>, WTF::IntHash<unsigned int>, WTF::HashTrait - 2016-10-02
125529 Heap-use-after-free in WebCore::HTMLLinkElement::setCSSStyleSheet - 2016-10-02
125515 [LangFuzz] Crash on heap with invalid write to random address $1000 2016-10-02
108918 Heap-use-after-free in WebCore::RenderTableSection::rowLogicalHeightChanged - 2016-10-02
108901 Heap-buffer-overflow in compute_pos_tan $500 2016-10-02
108894 Heap-use-after-free in WebCore::HTMLCollection::length - 2016-10-02
108871 IndexedDB with autoincrement fails on object put and crashes chrome $1000 2016-10-02
108605 Use of uninitialized value in SkAlphaRuns::Break $1000 2016-10-02
108798 Heap-use-after-free in WebCore::(anonymous namespace)::AllowFileSystemMainThreadBridge::signalCompleted - 2016-10-02
108695 Heap-use-after-free in WebKit::WebFrameImpl::viewImpl $1000 2016-10-02
108648 Security: Malicious extension could avoid being blacklisted via extension blacklist - 2016-10-02
108476 Heap-buffer-overflow in WebCore::Font::codePath $500 2016-10-02
108544 Heap-use-after-free in SubresourceLoader::didFinishLoading $1000 2016-10-02
108579 Heap-buffer-overflow in void WTF::Vector<WTF::RefPtr<WebCore::TextTrack>, 0ul>::insert<WTF::RefPtr<WebCore::TextTrack> > - 2016-10-02
108461 Heap-use-after-free in WebCore::HTMLInputElement::copyNonAttributeProperties - 2016-10-02
108416 Global-buffer-overflow in render_line $500 2016-10-02
108071 Browser process heap-use-after-free with indexeddb cursors $3133 2016-10-02
108037 Heap-buffer-overflow in WebCore::SVGLength::valueAsString $1000 2016-10-02
108006 Stack-buffer-overflow in HB_MyanmarShape - 2016-10-02
108267 Heap-use-after-free in WebCore::RenderBlock::selectionGaps - 2016-10-02
108207 Heap-use-after-free in WebCore::RenderTable::borderBefore $1000 2016-10-02
107758 Heap-use-after-free in WebCore::RenderRegion::offsetFromLogicalTopOfFirstPage $1000 2016-10-02
107565 Security: dragging a file URL between two http-spawned windows goes remote->local - 2016-10-02
107873 Heap-use-after-free in WebCore::DatabaseTracker::interruptAllDatabasesForContext - 2016-10-02
107616 UXSS in v8 bindings npCreateV8ScriptObject() - 2016-10-02
107939 Heap-buffer-overflow in WebCore::RenderBlock::layoutRunsAndFloatsInRange - 2016-10-02
107258 Freed m_renderer used in InlineBox::deleteLine - 2016-10-02
107244 Heap-use-after-free in DatabaseObserver $1000 2016-10-02
107376 Memory corruption crash in ExtensionPrefs::MigrateAppIndex. - 2016-10-02
107128 Heap-buffer-overflow in xmlStringLenDecodeEntities $4000 2016-10-02
107277 Heap-use-after-free in WebCore::RenderTextFragment::willBeDestroyed - 2016-10-02
107182 Heap use after free with malware blocking page $3133 2016-10-02
106672 Security: Crash in requestAnimationFrame when removing a frame $1000 2016-10-02
106671 Heap-use-after-free in WebCore::InlineFlowBox::deleteLine - 2016-10-02
106577 Heap-buffer-overflow in SkAAClipBlitter::blitAntiH $500 2016-10-02
107032 Sad tab when visiting https://code.google.com and --no-displaying-insecure-content - 2016-10-02
106441 Stack-buffer-overflow in _canonicalize $1000 2016-10-02
106419 Global-buffer-overflow in SkFileDescriptorStream::read - 2016-10-02
106413 Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine - 2016-10-02
106340 Heap-use-after-free in WebCore::RenderTable::outerBorderAfter $3000 2016-10-02
106336 Heap-use-after-free in WebCore::CounterNode::insertAfter $500 2016-10-02
106334 Security: Popupblocker is ignored, downloads are invisible - 2016-10-02
106484 Heap-use-after-free in WebCore::RenderObject::childAt $1000 2016-10-02
106309 Heap-buffer-overflow in WebCore::InlineFlowBox::addToLine (regions issue) - 2016-10-02
106165 Heap-buffer-overflow in safe_browsing protocol parser - 2016-10-02
105867 Use after free in V8HTMLElementWrapperFactory.cpp $1000 2016-10-02
105803 PDF missing integer validation for Flate / LZW / Fax prediction codes and other parameters - 2016-10-02
106200 Heap-use-after-free in WebCore::InlineBox::deleteLine $500 2016-10-02
106316 Heap-buffer-overflow in WebCore::HTMLTreeBuilder::processEndTag - 2016-10-02
105482 Security: CSP connect-src and script-src not enforced on workers - 2016-10-02
105459 Use-after frees and bad casts with -webkit-column-span $2000 2016-10-02
105714 Nasty looking INVALID_POINTER_READ in internal PDF-reader $500 2016-10-02
134123 Heap-use-after-free in WebCore::VisibleSelection::rootEditableElement - 2016-10-02
105162 Stack-buffer-overflow in base::files::(anonymous namespace)::InotifyReaderTask::Run - 2016-10-02
134305 Heap-use-after-free in WebCore::RenderObject::absoluteBoundingBoxRect - 2016-10-02
133725 Security: public chromium site is leaking internal Google DNS names - 2016-10-02
134088 Use-after-free: LabelsNodeList isn't updated properly after its owner node is adopted into a new document - 2016-10-02
133892 Heap-use-after-free in WebCore::RenderListItem::updateMarkerLocation - 2016-10-02
133288 Heap-buffer-overflow in WebCore::CSPSourceList::parseSource - 2016-10-02
133571 Heap-use-after-free in SkARGB32_Black_Blitter::blitAntiH $1000 2016-10-02
133418 Heap-use-after-free in WebCore::RenderBlock::layoutPositionedObjects - 2016-10-02
134101 Security: webRequest API allows extensions to XSS chrome.google.com and gain access to webstorePrivate API $2000 2016-10-02
133214 UNKNOWN in WebCore::RenderTableSection::addCell $1000 2016-10-02
133196 Heap-use-after-free in WebCore::RenderInline::willBeDestroyed - 2016-10-02
132806 ChromeContentBrowserClient::AllowSocketAPI using allowed_socket_origins_ without scheme check - 2016-10-02
132779 Security: WebM heap-buffer-overflow in matroskadec.c:matroska_parse_block() $1000 2016-10-02
132699 Update Java version metadata for Jun 2012 CPU - 2016-10-02
132690 Heap-use-after-free in WebCore::RenderSVGModelObject::checkIntersection - 2016-10-02
132890 Crash when using Web Audio + media element with no audio or when user navigates - 2016-10-02
131969 Heap-use-after-free in WebCore::AccessibilityObject::getAttribute - 2016-10-02
132396 Heap-use-after-free in WebCore::RenderBlock::layoutRunsAndFloats - 2016-10-02
132398 Global-buffer-overflow in D_Clear_BitmapXferProc - 2016-10-02
132203 UAF in ValueStoreFrontend::Backend::Get - 2016-10-02
132019 Heap-use-after-free in WebCore::InlineFlowBox::deleteLine - 2016-10-02
132270 Global-buffer-overflow in WebCore::mediaControlElementType - 2016-10-02
131968 Heap-use-after-free in WebCore::AccessibilityTable::isDataTable - 2016-10-02
132241 Heap-use-after-free in WebCore::DocumentThreadableLoader::cancel - 2016-10-02
131934 Heap-use-after-free in WTF::Vector<WebCore::Attribute, 0ul>::~Vector - 2016-10-02
131348 Security: Use-after-free in safe_browsing::DownloadProtectionService found by Valgrind - 2016-10-02
131347 heap-use-after-free in DictionaryValue while closing chrome, requires extension. - 2016-10-02
131087 UAF due to Document::removePendingSheet re-entering JavaScript during Document cleanup - 2016-10-02
130927 Heap-use-after-free in WebCore::CompositeEditCommand::breakOutOfEmptyListItem - 2016-10-02
130824 Security: Linux crash report generation code reads past the end of an unterminated string buffer. - 2016-10-02
130802 Heap-buffer-overflow in void WTF::Vector<unsigned short, 0ul>::append<unsigned short> - 2016-10-02
130743 Chromium is no longer asking you for permission to run the WMP plugin via the Infobar. Is it intentional? - 2016-10-02
130723 Use after free after setting -webkit-line-clamp to none - 2016-10-02
130722 Heap-use-after-free in WebCore::InsertParagraphSeparatorCommand::doApply - 2016-10-02
130595 Heap-use-after-free in WebCore::RenderBlock::layoutBlockChildren $1000 2016-10-02
130356 Heap-use-after-free in WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget $1000 2016-10-02
130276 Chrome attempts to load metro_driver.dll when Metro is not supported - 2016-10-02
130241 [crash] WebCore::RenderStyle::fontMetrics(void)+0xa - 2016-10-02
130240 Heap-buffer-overflow WRITE in read_markers third_party/libjpeg_turbo/jdmarker $1000 2016-10-02
130237 Heap-use-after-free in WebCore::RenderObject::arenaDelete - 2016-10-02
130235 Heap-use-after-free in WebCore::HTMLElement::adjustDirectionalityIfNeededAfterChildrenChanged - 2016-10-02
130369 Heap-use-after-free in WebCore::RenderBlock::layoutPositionedObjects $1000 2016-10-02
129826 Chrome_Mac: Zombie <DownloadItemController: 0x1f1e6fd0> received -handleReveal: (via -performSelector:withObject:) - 2016-10-02
129947 Heap-use-after-free in WebCore::RenderObject::setStyle $1000 2016-10-02
129942 UNKNOWN in v8_i18n::IntlNumberFormat::JSInternalFormat $1000 2016-10-02
129936 Heap-use-after-free in WebCore::InlineTextBox::nodeAtPoint - 2016-10-02
129930 Security: libxml2 growBuffer integer overflow on 64-bit machines $3000 2016-10-02
129898 Heap-use-after-free in WebCore::CounterNode::lastDescendant $1000 2016-10-02
129890 Heap-use-after-free in WebCore::cancelAll - 2016-10-02
129951 UNKNOWN in v8::Function::Call $1000 2016-10-02
129394 Heap-use-after-free in WebCore::AccessibilityTable::isDataTable - 2016-10-02
129569 Heap-use-after-free in WebCore::RenderLayer::updateCompositingLayersAfterScroll - 2016-10-02
129396 Heap-buffer-overflow in WebCore::RenderTable::colElement - 2016-10-02
129357 Heap-buffer-overflow in WebCore::RenderProgress::isDeterminate - 2016-10-02
129301 Heap-use-after-free in WebCore::AXObjectCache::postPlatformNotification - 2016-10-02
129299 Run-in UAFs part 2 - 2016-10-02
129360 Heap-use-after-free in WebCore::InlineFlowBox::removeChild - 2016-10-02
105143 Cross-origin drag-and-drop prevention ineffective - 2016-10-02
105157 Heap-use-after-free in WebCore::InlineFlowBox::removeChild - 2016-10-02
105133 Heap-use-after-free in WebCore::RenderObject::isDescendantOf - 2016-10-02
105012 Global-buffer-overflow in WebCore::RenderFlexibleBox::mainAxisBorderAndPaddingExtentForChild - 2016-10-02
104935 Security: HSTS "cookies" do not obey expected policy. - 2016-10-02
104863 Heap-use-after-free in WebCore::SubresourceLoader::didFail $1000 2016-10-02
104859 Heap-use-after-free in WebCore::InlineFlowBox::computeOverAnnotationAdjustment $1000 2016-10-02
104617 Heap-use-after-free in WebCore::CSSImageGeneratorValue::addClient - 2016-10-02
104529 PDF-reader tab-crash with editable crash address. $2000 2016-10-02
104959 Nasty looking crash on internal pdf-reader $500 2016-10-02
104461 Security: chrome://workers/ crash - 2016-10-02
104325 Heap-use-after-free in WebCore::RenderBlock::determineStartPosition - 2016-10-02
104315 Heap-use-after-free WebCore::RenderObject::container - 2016-10-02
104272 Security: Directory traversal in extension docs - 2016-10-02
104266 Heap-use-after-free in WebCore::nextBreakablePosition - 2016-10-02
104466 Schema check on navigations to chrome/file schemas should be avoided - 2016-10-02
104317 Stale RenderObject in RenderBlock::addChildIgnoringAnonymousColumnBlocks() - 2016-10-02
104056 Crash with PDF at bad IP $1000 2016-10-02
104223 Security: MHTML can be used to steal cookies - 2016-10-02
103867 Security: chrome.test.resetQuota extension API exposed to all extensions - 2016-10-02
103750 minor self-inflicted xss on chrome://tracking2 - 2016-10-02
103738 Security: out of bounds array access in WebCore::RenderTableSection::rowLogicalHeightChanged - 2016-10-02
104011 v8_i18n::BCP47ToICUFormat() - crash $1000 2016-10-02
104151 Bad cast in WebCore::RenderThemeMac::paintMediaToggleClosedCaptionsButton - 2016-10-02
103921 Use-after-free in DOM Range $1000 2016-10-02
103239 Security: INVALID_POINTER_READ/WRITE_EXPLOITABLE_chrome!SkRgnBuilder::blitH $1000 2016-10-02
103259 [LangFuzz] Crash at v8::internal::WriteQuoteJsonString with invalid write $1000 2016-10-02
102810 Security: buffer overflow in link prefetching $1000 2016-10-02
103630 Security: iFrame SandBox Unique Origin not enforced in extensions - 2016-10-02
103126 Heap-use-after-free in WebCore::RenderTextFragment::styleDidChange - 2016-10-02
103244 Pinning checks aren't enforced in the case of a minor error. - 2016-10-02
103058 Security: missing xslt import causes crash w/preloading $1000 2016-10-02
102037 Security: Use after free in CSSStyleDeclarationInternal::parentRuleAttrGetter - 2016-10-02
101900 Security: bug rendering web pages with flash content - 2016-10-02
101835 Exit full screen button crashes browser - 2016-10-02
101779 OOB read with corrupt PDF; possible stability issue too - 2016-10-02
101624 Security: buffer overrun leading to heap corruption in ANGLE shader translator - 2016-10-02
102242 ZDI-CAN-1416: WebKit ContentEditable swapInNode Use-After-Free Remote Code Execution Vulnerability - 2016-10-02
101901 Security: scrolling web with flash content rendering bug - 2016-10-02
102628 Security: Adobe regions use-after-free with multiple region css thingies $1000 2016-10-02
102461 Failure to infobar JRE7 - 2016-10-02
102359 Use-after-free in SVG renderer $1000 2016-10-02
101446 Use after free in TextTrack::~TextTrack - 2016-10-02
101235 Security: Location bar spoofing when using replaceState in unload event handler - 2016-10-02
101205 Security: marketplace - 2016-10-02
101172 Seeking on webm 1080p video causes crash - 2016-10-02
101580 Heap-use-after-free in WebCore::RenderObject::enclosingLayer - 2016-10-02
101548 Test: ABCD - 2016-10-02
101494 OOB read in media::ScaleYUVToRGB32 - 2016-10-02
101458 OOB read in WebM/vorbis vorbis_decode_frame() $1000 2016-10-02
101018 Use after free in fullscreen unwraprenderer - 2016-10-02
101010 Security: css/CSSParser.cpp memory corruption bug - 2016-10-02
100958 Heap-use-after-free WebCore::RenderBlock::layoutPositionedObjects - 2016-10-02
100879 Problem with full-screen infobar permission prompt - 2016-10-02
100863 OOB read in SVG at WebCore::parseArcFlag - 2016-10-02
100543 OOB read in WebM/vorbis at render_line() $500 2016-10-02
101065 Use after free with counters and inline-table and :before content - 2016-10-02
101127 BlackBerry® - 2016-10-02
101136 Security: Search terms hijacked to return only one site for search terms - 2016-10-02
138210 Information and credential disclosure by file:// URLs (Android) $500 2016-10-02
138035 Security: Google Chrome for Android: Current-tab cross-application scripting (UXSS) $500 2016-10-02
138012 Heap-buffer-overflow in WebCore::FontCache::releaseFontData - 2016-10-02
137912 Heap-buffer-overflow in WebCore::DelayDSPKernel::process - 2016-10-02
137891 Security: HTTPS proxy can run JavaScript on requested HTTPS sites - 2016-10-02
137852 Heap-use-after-free in WebKit::WebElement::document - 2016-10-02
137778 Heap-use-after-free in webkit::ppapi::PPB_URLLoader_Impl::FillUserBuffer - 2016-10-02
138208 Crash in SkGlyphCache::findImage $1000 2016-10-02
100492 Use after free in WebM/matroska at matroska_execute_seekhead() $3000 2016-10-02
100465 OOB read in OGV at unpack_vlcs $500 2016-10-02
100464 Use-after-free in WebM at decode_mb_mode $1000 2016-10-02
100459 Use after free in RenderDeprecatedFlexibleBox::layoutHorizontalBox(bool) [and first-letter] - 2016-10-02
100447 ClusterFuzz Account Check. - 2016-10-02
100322 Security: Calling arbitrary V8 native functions from JavaScript - 2016-10-02
138196 Stack-buffer-overflow in NPObjectProxy::NPNEvaluate - 2016-10-02
138192 Heap-buffer-overflow in WebCore::HTMLInputElement::dataList - 2016-10-02
100526 Use after free in floats and first-letter - 2016-10-02
137623 Heap-buffer-overflow in WebPluginDelegateProxy::BackgroundChanged - 2016-10-02
137532 Security: Android APIs exposed to JavaScript $500 2016-10-02
137471 Heap-use-after-free in WebCore::Element::cloneElementWithoutChildren - 2016-10-02
137413 Heap-buffer-overflow in WebCore::RenderTableSection::setCellLogicalWidths - 2016-10-02
137409 Heap-use-after-free in WebCore::RenderObject::container - 2016-10-02
137407 Security: Chrome for iOS security bug - 2016-10-02
137364 Heap-use-after-free in WebCore::CSSFontSelector::beginLoadTimerFired - 2016-10-02
137707 Security: Chrome extensions bug causes crash in all Chrome processes $500 2016-10-02
137671 Security: Bad cast in WebCore::CalendarPickerElement::hostInput() $2000 2016-10-02
137541 Reproducible crash. Changing tabs while a specific text field has focus. - 2016-10-02
137233 Heap-buffer-overflow in WebCore::RenderBlock::handleTrailingSpaces - 2016-10-02
137125 UNKNOWN in WebCore::StylePropertySet::addParsedProperties $1000 2016-10-02
137208 Security: Mouse lock permission and iframe on different host - 2016-10-02
137174 UNKNOWN in WebCore::SVGAnimationElement::currentValuesForValuesAnimation - 2016-10-02
137147 UNKNOWN in WebCore::RenderTable::cellBefore - 2016-10-02
137303 Corrupted rendering with many MapsGL tabs open - 2016-10-02
137052 Heap-use-after-free in WebCore::EllipsisBox::paint - 2016-10-02
137363 Heap-use-after-free in WebCore::RenderBlock::removeChild - 2016-10-02
137362 Heap-buffer-overflow in WebCore::CCLayerTreeHostImpl::CullRenderPassesWithNoQuads::shouldRemoveRenderPass - 2016-10-02
137232 UNKNOWN in WebCore::ElementAttributeData::addAttribute - 2016-10-02
136497 Security: XSS via Copy&Paste protection bypass using @formaction / General Iframe Sandbox Considerations regarding copy&paste / drag&drop - 2016-10-02
136881 Security: race condition with workers and sync xmlhttprequests $500 2016-10-02
136894 Heap-buffer-overflow in UpsampleBgraLinePairSSE2 $1000 2016-10-02
136952 Heap-use-after-free in WebCore::RenderLineBoxList::dirtyLinesFromChangedChild - 2016-10-02
136226 Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine - 2016-10-02
136182 Heap-use-after-free in WebCore::ImageLoader::updateRenderer - 2016-10-02
136344 Heap-use-after-free in WebCore::FrameLoader::stopAllLoaders - 2016-10-02
136116 Heap-use-after-free in WebCore::RenderLayer::enclosingFilterLayer - 2016-10-02
136046 Bad intersection of injected HTTP headers leads to Content Security Policy (CSP) Bypass - 2016-10-02
136296 Heap-use-after-free in WebCore::SVGSMILElement::resetTargetElement - 2016-10-02
136235 Heap-use-after-free in WebCore::StyleResolver::collectMatchingRulesForList $1000 2016-10-02
136145 Security: Heap-buffer-overflow on TextFieldDecorationElement::defaultEventHandler - 2016-10-02
135697 Heap-use-after-free in WebCore::RenderLayer::repaintBlockSelectionGaps - 2016-10-02
135658 Turn off <iframe> seamless for m21 - 2016-10-02
135595 Heap-use-after-free in WebCore::ImageLoader::notifyFinished - 2016-10-02
135705 Heap-buffer-overflow in WebCore::TextIterator::handleTextBox - 2016-10-02
135432 Heap-buffer-overflow in skia::BGRAConvolve2D $1000 2016-10-02
135698 Heap-use-after-free in WebCore::HTMLInputElement::isPresentationAttribute - 2016-10-02
135485 SPDY - Pushed stream - crash accessing https://jetty.intalio.com:10111/spdy - 2016-10-02
135071 Heap-buffer-overflow in void WTF::Vector<unsigned short, 1024ul>::append<unsigned short> - 2016-10-02
134897 Bad cast with run-ins and <input> $1000 2016-10-02
135173 Heap-use-after-free in WebCore::RenderQuote::rendererRemovedFromTree - 2016-10-02
135043 Heap-use-after-free in media_stream:: $3133 2016-10-02
134429 Heap-use-after-free in WebCore::Document::clearNodeListCaches - 2016-10-02
134639 Heap-use-after-free in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers - 2016-10-02
134428 Heap-buffer-overflow in WebCore::SVGDocumentExtensions::removeAnimationElementFromTarget - 2016-10-02
134519 Security: memory address disclosure through JavaScript in WebUI's cookies page - 2016-10-02
134402 Heap buffer overflows in WebCore::CSSParser::lex - 2016-10-02
134324 Heap-use-after-free in WebCore::RenderBlock::layoutPositionedObjects - 2016-10-02
134325 Security: Use after free with mouse lock and window.open $1000 2016-10-02
100177 Use after free in first-letter container destruction handling. - 2016-10-02
100149 Use after free in AX Scrollbars - 2016-10-02
99991 Use after free in ImageBuffer::toDataURL - 2016-10-02
100059 Generic fix: Register custom fonts at creation time, rather than retire time. $1337 2016-10-02
99652 OOB read in vp8_decode_frame $1000 2016-10-02
99732 Use after free in table parts. - 2016-10-02
99603 Use after free due to flexible box not laying some of its children. - 2016-10-02
99597 Use after free in tables, float, :after content - 2016-10-02
99840 Windows OpenGL performance drops by 2/3 with GPU sandbox on - 2016-10-02
99880 Use after free in table :before, :after content. $1000 2016-10-02
99901 BinScope reports SafeSEH not supported on video DLLs - 2016-10-02
99615 Heap-use-after-free in WebCore::GraphicsContext::paintingDisabled - 2016-10-02
99465 Security: AccessibilityImageMapLink holds onto its parent even after it's been freed - 2016-10-02
99348 Use after free in tables - 2016-10-02
99338 Use after free in RenderTableSection::splitColumn - 2016-10-02
99596 Use after free in media::FFmpegDemuxerStream::Read - 2016-10-02
99553 repeatedly re-setting video.src crashes in WebCore::VideoLayerChromium::updateCompositorResources - 2016-10-02
99480 OOB read in media::ScaleYUVToRGB32 - 2016-10-02
99294 Use after free with :after in display table and :first-letter $1000 2016-10-02
99167 [LangFuzz] Crash on Heap involving GC (invalid write) $1000 2016-10-02
99104 WebKit: invalid cast in WebCore::toRenderBlock / WebCore::RenderBlock::blockSelectionGaps - 2016-10-02
99016 Security: HTTPS Address Bar Spoofing Using View-source And Redirection $1000 2016-10-02
99003 changing proxy - 2016-10-02
99229 WebKit: Use after free in ~Node because ~HTMLLinkElement triggers script execution - 2016-10-02
99211 Heap buffer overflow in Webaudio FFTFrame::doFFT $2000 2016-10-02
99138 Use-after-free with plugin and editing $1000 2016-10-02
98556 Use after free with first-letter $1000 2016-10-02
98262 Chrome 16 crash when resizing window - 2016-10-02
98161 Bug 68816 - Rapidly refreshing a feMorphology[erode] with r=0 can sometimes cause display corruption - 2016-10-02
98773 [LangFuzz] Crash at v8::Object::SlowGetPointerFromInternalField with invalid read $1000 2016-10-02
98809 Renderer crash with PDF at isalnum $500 2016-10-02
98582 Security: invalid memory reference to window object - 2016-10-02
97994 Use after free due to stale fonts - 2016-10-02
97952 Stale layout root generic fix from Mitz - 2016-10-02
97898 Regression: Use after free in RenderBlock::linkToEndLineIfNeeded - 2016-10-02
97867 Security: Major Google Plus and Google Chrome Problem - 2016-10-02
98089 memory corruption in ANGLE shader translator - 2016-10-02
98064 Use-after-free when font is missing $1000 2016-10-02
97784 [v8] Stale pointer in CSSStyleSheet, Invalid cast in V8ListenerList::doFindWrapper $1500 2016-10-02
97608 Use after free in counters in :before, :after content $500 2016-10-02
97596 Security: anonymous proxy - 2016-10-02
97553 Clicking a link on a page that has been fullscreened by JS doesn't exit fullscreen - 2016-10-02
97546 Use after free in ruby text :after, :before content due to stale styles. - 2016-10-02
97278 Security: Tracking bug for CachedResourceLoader::canRequest in a redirect chain - 2016-10-02
97148 Crashes in PhishingDOMFeatureExtractor::ExtractFeaturesWithTimeout - 2016-10-02
97092 Stale canvas used in WebCore::PlatformContextSkia::save() $1000 2016-10-02
97674 Security: Extension can get at tabs details (url/title) without requesting tabs permission - 2016-10-02
97599 More stale styles in listmarkers $1000 2016-10-02
96747 Security: Magic iframe transfer vulnerability for Pepper/NaCl plugins - 2016-10-02
96902 Use-after-free in findPlaceForCounter $1000 2016-10-02
97006 Use after free due to issues in element detachment when entering fullscreen - 2016-10-02
96665 Use after free in Element::recalcStyle due to reparenting issues in treebuilder - 2016-10-02
96382 out-of-bounds access in Gradient::sortStopsIfNecessary - 2016-10-02
96292 Use after free in media BufferedResourceLoader::Start - 2016-10-02
141815 Heap-use-after-free in WebCore::RenderQuote::detachQuote - 2016-10-02
141651 Heap-buffer-overflow in SkA8_Blitter::blitAntiH $500 2016-10-02
141564 Heap-use-after-free in WebCore::HTMLLinkElement::removedFrom - 2016-10-02
141462 Extension resources that are not web accessible should not be able to be linked to from the web - 2016-10-02
141444 Security: Support pinning for Google ccTLDs - 2016-10-02
141395 UNKNOWN in v8::internal::SemiSpaceIterator::Next $1000 2016-10-02
96499 Heap-use-after-free in WebCore::RenderLayer::updateVisibilityStatus - 2016-10-02
96444 Freed scrollbar used in RenderScrollbarPart::imageChanged [not related to previous stale m_owner issues] - 2016-10-02
96149 Use after free in WebCore::AudioChannel::sumFrom - 2016-10-02
141093 Security: Dev only restriction for declarativeWebRequest does not seem to work - 2016-10-02
96150 Use after free in OfflineAudioDestinationNode::notifyCompleteDispatch - 2016-10-02
140805 Heap-use-after-free in WebCore::RenderRegion::restoreRegionObjectsOriginalStyle - 2016-10-02
140803 Heap-buffer-overflow in SkA8_Blitter::blitH $1000 2016-10-02
140720 Heap-use-after-free in WebCore::RenderBlock::removeChild - 2016-10-02
140656 Heap-use-after-free in WebCore::CachedResource::didAddClient $1000 2016-10-02
140647 UNKNOWN in ogg_calc_pts - 2016-10-02
140642 Heap-buffer-overflow in SkDashPathEffect::SkDashPathEffect - 2016-10-02
96131 Closing parent then child in gmail = sad tab - 2016-10-02
96170 Use after free in InspectorPageAgent::resourceContent - 2016-10-02
140495 Text box fails to render contents and does not accept user input. - 2016-10-02
140484 Heap-use-after-free in WebCore::RenderBlock::determineStartPosition - 2016-10-02
140368 Security: heap-use-after-free in xsltGenerateIdFunction - 2016-10-02
140165 Heap-buffer-overflow in vorbis_decode_frame - 2016-10-02
140142 Heap-use-after-free in base::internal::WeakReference::is_valid - 2016-10-02
140532 Heap-use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer - 2016-10-02
140544 Security: CSP doesn't turn off eval, etc. in Web Workers - 2016-10-02
140083 [LangFuzz] Crash on heap trying to execute address 0x0000000200000000. $1000 2016-10-02
140045 REGRESSION(r122498): Assertion failure: m_nodeListCounts is sometimes not zero in the Document destructor - 2016-10-02
139961 Heap-use-after-free in WebCore::TargetListener::handleEvent [Stale target] - 2016-10-02
139814 UAF in DOMContentLoaded $2000 2016-10-02
139789 Heap-buffer-overflow in WebCore::CSSParser::updateLastSelectorLineAndPosition - 2016-10-02
139772 AddressSanitizer reports a global buffer underflow in swizzle_for_size() in Mesa - 2016-10-02
139744 Security: SSL compression infoleak $5337 2016-10-02
140085 UNKNOWN in /mnt/scratch0/clusterfuzz/slave-bot/builds/revisions/asan-linux-release-149416/chrome+Unknown - 2016-10-02
139685 OOB read at least in WebCore::SVGListProperty<WebCore::SVGTransformList>::getItemValuesAndWrappers - 2016-10-02
139690 Heap-use-after-free in WebCore::GenericEventQueue::timerFired - 2016-10-02
139646 Heap-use-after-free in WebCore::DynamicNodeList::itemWithName - 2016-10-02
139679 Bad cast in RenderFrameSet::computeEdgeInfo - 2016-10-02
139530 Heap-use-after-free in WebCore::Node::~Node - 2016-10-02
139475 Heap-use-after-free in WebCore::TargetListener::handleEvent [Stale event listener] - 2016-10-02
139462 Heap-use-after-free in SkCanvas::updateDeviceCMCache - 2016-10-02
139541 UNKNOWN in v8::HandleScope::CreateHandle - 2016-10-02
139464 Heap-use-after-free in WebCore::RenderSVGShape::calculateStrokeBoundingBox - 2016-10-02
139321 Heap-use-after-free in WebCore::InlineBox::extractLine - 2016-10-02
139402 Heap-use-after-free in D_Clear_BitmapXferProc - 2016-10-02
139215 Heap-use-after-free in WebCore::StyleResolver::collectMatchingRules - 2016-10-02
139168 Security: Creating a loop in the DOM tree (99% a DoS) $500 2016-10-02
139131 Heap-use-after-free in WebCore::StyleResolver::collectMatchingRulesForList - 2016-10-02
139290 Heap-use-after-free in WebCore::StyleResolver::loadPendingImage - 2016-10-02
139383 Heap-use-after-free in WebCore::HTMLTextFormControlElement::fixPlaceholderRenderer - 2016-10-02
139240 Heap-buffer-overflow in WebCore::TextTrackCueList::add - 2016-10-02
138738 Crash in extensions::SetContentSettingFunction - 2016-10-02
138915 Heap-use-after-free in WebCore::ContainerNode::cloneChildNodes - 2016-10-02
138422 Heap-use-after-free in WebCore::Font::glyphDataAndPageForCharacter - 2016-10-02
138404 Heap-use-after-free in WebCore::Document::page - 2016-10-02
138673 Heap-buffer-overflow in xsltApplyTemplates $1000 2016-10-02
138990 Heap-use-after-free in WebCore::SVGStyledElement::clearHasPendingResourcesIfPossible - 2016-10-02
138672 Heap-double-free in xsltCompileStepPattern - 2016-10-02
138901 Heap-use-after-free in ProfileKeyedBaseFactory::GetProfileToUse - 2016-10-02
138302 Stack-buffer-overflow in NPObjectProxy::NPInvokePrivate - 2016-10-02
138318 UXSS with pointer lock - 2016-10-02
138382 Heap-use-after-free in WebCore::AutoTableLayout::recalcColumn - 2016-10-02
138316 Heap-use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer - 2016-10-02
95849 Security: any Chrome committer (or perhaps even any user with Google account?) can compromise Google Chrome - 2016-10-02
95842 Security: Chrome Gives Unreliable Security Info - 2016-10-02
95761 Use after free in ContainerNode::removeChild (looks related to plugin) - 2016-10-02
95672 Use after free in ListItems and RunIns rendering (from bug 88680) $1000 2016-10-02
95669 Regression(r93913): Use after free in ScriptController::executeScript - 2016-10-02
95992 Security: header injection when using embedded \0 in header line - 2016-10-02
95920 [LangFuzz] Crash at v8::internal::ElementsAccessorBase with invalid read $1000 2016-10-02
95917 Security: Chrome does not ask for approval when "not trusted" SSL cert. changes - 2016-10-02
95563 OOB read in tibetan_nextSyllableBoundary - 2016-10-02
95625 OOB read in gpu::gles2::GLES2DecoderImpl::HandleDrawArrays - 2016-10-02
95499 Use after free due to style not updated and having stale fonts. - 2016-10-02
95485 [LangFuzz] Crash at v8::internal::Object::Lookup $1000 2016-10-02
95639 Use after free in Document::fullScreenChangeDelayTimerFired - 2016-10-02
95620 use-after-free in browser_tests - 2016-10-02
95520 Child not placed correctly when :before, :after placed in same table part container causing stale style - 2016-10-02
95359 Use after free in WebCore::SVGTRefElement::updateReferencedText - 2016-10-02
95360 use after free in WebCore::ContainerNode::removeChild via Range.deleteContents() - 2016-10-02
95083 Security: Reveal stored passwords using the Developer Tool - 2016-10-02
95072 Use after free due to style not updated for svg text runs. $1000 2016-10-02
95012 Add defensive bounds checking in AudioNode - 2016-10-02
94834 Security: Thread safety with AudioChannelMerger - 2016-10-02
95374 Redirect to chrome:// URIs via Location: header $2337 2016-10-02
95465 4 OOB reads in XMLDocumentParser::doWrite - 2016-10-02
95333 ERROR:the following pages have become unresponsive. you can wait to become responsive or kill them - 2016-10-02
94820 Don't allow nodes of one context to be connected to nodes of another context - 2016-10-02
94743 Regression(r93913): Use after free in ScheduledAction::execute(WebCore::V8Proxy*) - 2016-10-02
94578 Security: Brute forcing Intranet WWW-Auth with script element - 2016-10-02
94487 Security: JSC::Yarr regexp 32/48 to the left of 768 with workers $1000 2016-10-02
94464 Security: e - 2016-10-02
94463 Security: e - 2016-10-02
94462 Security: e - 2016-10-02
94461 Security: e - 2016-10-02
94460 Security: e - 2016-10-02
94459 Security: e - 2016-10-02
94458 Security: e - 2016-10-02
94810 Use after free with Floats and Ruby - 2016-10-02
94809 Use after free in ruby overhang. - 2016-10-02
94456 Security: - 2016-10-02
94275 Make sure that AudioArray is 16-byte aligned - 2016-10-02
94273 V8 custom bindings for AudioNode must do proper object checking and throw exception in case of error - 2016-10-02
94186 WebAudio node lifetime crash when tearing down audio nodes / media element node - 2016-10-02
94025 WebAudio: Integer overflows in AudioArray - 2016-10-02
93978 Out of bounds reads and writes when FFT size is changed. - 2016-10-02
93918 Regression(93122): Use after free in InspectorCSSAgent::clearFrontend - 2016-10-02
94457 Security: e - 2016-10-02
94278 Fix thread-safety of AudioNode deletion - 2016-10-02
93596 Bad read in bundled PDF viewer - 2016-10-02
93497 Security: Accessibility of the chrome.webstorePrivate-API - 2016-10-02
93472 Yet another double-free caused by malformed XPath expression in XSLT $1000 2016-10-02
93420 Use after free in FocusController::advanceFocusInDocumentOrder $1000 2016-10-02
93788 Use after free in RenderText lineboxes. $1000 2016-10-02
93587 Use after free in WebCore::Text::recalcStyle due to before after content issue in table parts $1000 2016-10-02
93856 Use after free in RenderFlowThread::nextRendererForNode - 2016-10-02
93146 Security: Possible race condition in Windows Policy reading that can lead to stale policy. - 2016-10-02
93106 Failing assertion in IDBTransaction.cpp - 2016-10-02
93097 Defensively null out dangling pointers in the NaCl browser plugin memory safety for M14 - 2016-10-02
93059 OOB read in EventDispatcher::adjustToShadowBoundaries - 2016-10-02
93416 Security: Arbitrary cross-origin bypass using __defineGetter__ prototype override $2000 2016-10-02
93236 Stale Pointer Crash in PrintWebViewHelper::PrintPreviewContext::CreatePreviewDocument - 2016-10-02
92959 Stale node in StyleSheetCandidateListHashSet $1000 2016-10-02
92769 Use after free in TreeBuilder - 2016-10-02
92651 Use after free due to style not updated for ANONYMOUS boxes (e.g RenderRow), inline-blocks (e.g. RenderRubyRun) $1000 2016-10-02
92621 Use after free in VisibleSelection::selectionFromContentsOfNode - 2016-10-02
92550 Chrome (main process) crashes when setVersion is called when all (Indexed) database name space is used up - 2016-10-02
92226 Use after free in CounterNode::lastDescendant - 2016-10-02
92840 Use after free in HarfbuzzFace::~HarfbuzzFace - 2016-10-02
146433 Chrome_Mac: Crash Report - base::::CrMallocErrorBreak / invalid free in SkWriter32::rewindToOffset - 2016-10-02
146235 WTF::equal is too aggressive and may trigger ASan reports - 2016-10-02
146208 Heap-buffer-overflow in WebCore::RenderTableSection::nodeAtPoint - 2016-10-02
146145 Heap-use-after-free in WebCore::RenderText::computePreferredLogicalWidths - 2016-10-02
146144 Heap-use-after-free in WebCore::FrameView::scrollContentsFastPath - 2016-10-02
146111 Heap-use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer - 2016-10-02
145976 Heap-use-after-free in WebCore::HTMLTextFormControlElement::fixPlaceholderRenderer - 2016-10-02
145921 AddressSanitizer reports a UAF in WebCore::RenderStyle::letterSpacing - 2016-10-02
146146 Heap-buffer-overflow in WebCore::FlowThreadController::unregisterNamedFlowContentNode - 2016-10-02
145867 Heap-use-after-free in WebCore::FrameView::scrollContentsFastPath - 2016-10-02
145915 Security/Privacy: <img>-embedded SVG will load external content referenced by CSS @import @font-face - 2016-10-02
145530 Mitigation: Kill OOB reads(or few writes) by preventing access to harmful locals in dirty text lineboxes - 2016-10-02
145525 Security: heap buffer overflow in gpu process with webgl $3500 2016-10-02
145492 Web Inspector: Page with @import and :last-child in an edited stylesheet will crash (UAF) - 2016-10-02
145544 Security: integer overflow in gpu process with webgl $1000 2016-10-02
145272 Heap-use-after-free in WebCore::nextBreakablePosition - 2016-10-02
145018 Heap-use-after-free in WebCore::StyleSheetContents::checkLoadCompleted - 2016-10-02
144886 Security: webgl crash on mesa $3133 2016-10-02
144866 Security: Chrome for Android Bypassing SOP for Local Files By Symlinks $500 2016-10-02
144831 Heap-buffer-overflow in WebCore::StylePropertySet::copyPropertiesFrom - 2016-10-02
145363 Security: Chrome extension DEP crash - 2016-10-02
144899 SkPaint::SkPaint - crash $1000 2016-10-02
144799 Heap-double-free in xmlFreeNodeList - 2016-10-02
144813 Security: UXSS via com.android.browser.application_id Intent extra $500 2016-10-02
144671 Heap-use-after-free in WebCore::GCPrologueVisitor<void, WebCore::SpecialCasePrologueObjectHandler>::visitDOMWrapper - 2016-10-02
144466 Crash when verifying ECDSA certificate on XP - 2016-10-02
144734 Heap-buffer-overflow in WebCore::RenderTable::removeCaption - 2016-10-02
144810 Heap-use-after-free in WebCore::RenderTable::calcBorderEnd - 2016-10-02
144704 Tracking bug for fixing rel=noreferrer aslr bypass - 2016-10-02
143761 Heap-use-after-free in WebCore::GraphicsContext::restore $1000 2016-10-02
143672 Flapper Crash in BrokerProcessDispatcher::GetSitesWithData - 2016-10-02
143859 Security: World-writable shared memory segments for X/Linux UI - 2016-10-02
144051 Security: Memory address disclosure through JavaScript in Print Preview WebUI - 2016-10-02
143846 Security: Chromoting creates a world-writable shared memory segment - 2016-10-02
143609 Heap-use-after-free in WebCore::ElementV8Internal::onclickAttrGetter $1000 2016-10-02
143604 Heap-use-after-free in WebCore::RenderBlock::LineBreaker::nextLineBreak [SVG text] - 2016-10-02
143593 Heap-buffer-overflow in WebCore::SurrogatePairAwareTextIterator::consume - 2016-10-02
143582 Heap-use-after-free in WTF::OwnPtr<WTF::Vector<WebCore::RegisteredEventListener, 1ul> >::~OwnPtr - 2016-10-02
143551 Heap-use-after-free in WebCore::TreeScopeAdopter::moveTreeToNewScope - 2016-10-02
143656 Heap-use-after-free in WebCore::SVGTRefElement::updateReferencedText $1000 2016-10-02
143648 Heap-buffer-overflow in WebCore::StyleResolver::applyProperty - 2016-10-02
143176 Heap-use-after-free in WebCore::AccessibilityNodeObject::document - 2016-10-02
143409 Heap-buffer-overflow in SkScalerContext_FreeType::generateImage - 2016-10-02
142956 Security: XSS in SSL Certificate error page $500 2016-10-02
142876 Heap-buffer-overflow in WebCore::HarfBuzzShaperBase::isWordEnd - 2016-10-02
143329 Bad cast in RenderGrid::layoutGridItems - 2016-10-02
143004 Security: Untrustworthy Chrome OS user-wallpaper png's are loaded pre-login (in the sandboxed utility process) - 2016-10-02
142310 ASan reports a use-after-free in IndexedDBBrowserTest.Bug109187Test - 2016-10-02
142395 Bad cast in computeReplacedLogicalHeightUsing - 2016-10-02
142145 Heap-use-after-free in WebCore::RenderBlock::removeChild - 2016-10-02
142746 Security: Potential use after destruction in ui/gfx/image - 2016-10-02
142169 Heap-buffer-overflow in SkAlphaRuns::add $500 2016-10-02
142088 UNKNOWN in v8::internal::Invoke - 2016-10-02
142087 UNKNOWN in void v8::internal::String::WriteToFlat<char> - 2016-10-02
141901 Security: mesa stack scribbling thingamadoo $3133 2016-10-02
141889 Security: Cookie theft from Chrome by malicious Android app $500 2016-10-02
91972 Regression(85705): Use after free on m_originatingLine in floats - 2016-10-02
91940 Security: Romanian colloquialism meaning penis when viewing YouTube channels - 2016-10-02
91939 Security: Romanian colloquialism meaning penis when viewing YouTube channels - 2016-10-02
91921 Use after free in RenderRubyBase - 2016-10-02
91911 Freed m_renderer used in InlineBox::deleteLine - 2016-10-02
91973 Regression(90971): Use after free in Textarea placeholder - 2016-10-02
91665 Crash on bad rip when opening a PDF $1000 2016-10-02
91801 Use after free of RootInlineBox - 2016-10-02
91577 file:// URL access is defaulting to opt-in - 2016-10-02
91554 Possible use-after-free in AddToConsole - 2016-10-02
91633 Security: When upgraded to 13.0.782.107, chrome will run js and load images which had been disabled in chrome - 2016-10-02
91502 Security: Malware Page forbids user from closing a tab.(window.onunload hijack) - 2016-10-02
91362 Regression(91331): Bad cast due to html renderer created for svg glyphref - 2016-10-02
91312 Security: Native Client app can crash trusted code. - 2016-10-02
91218 XSS in chrome://appcache-internals - 2016-10-02
91517 Security: V8 asserts (crashes) when entering simple JS snippet - 2016-10-02
91321 Regression(91788): Bad cast in WebCore::blockWithNextLineBox - 2016-10-02
91020 Use after free in MediaTest.FLAKY_VideoBearWebm on Mac OS - 2016-10-02
91099 OOB read in RenderScrollbarPart::computeScrollbarWidth - 2016-10-02
91120 [LangFuzz] Crash at Runtime_QuoteJSONString with invalid write $500 2016-10-02
91082 Security: Major Privacy Loop Hole ! - 2016-10-02
91079 where to submit Google account bug - 2016-10-02
91093 Bad cast in paintMediaPlayButton - 2016-10-02
91016 Security: Canvas toDataURL security error: It is taking page information and not the canvas when making the image $500 2016-10-02
91013 [LangFuzz] Crash at RootMarkingVisitor::VisitPointers (32 bit) $1000 2016-10-02
91010 [LangFuzz] Crash at JSObject::SetDictionaryElement with invalid read (32 bit) $1000 2016-10-02
91197 Use after free or bad cast with empty .swf file - 2016-10-02
91092 Use after free in SVGUseElement::buildShadowTree - 2016-10-02
90978 read out of bounds in sUnpremultiplyData_RGBA8888 / ImageBufferData::getData (WEBKIT 65352) - 2016-10-02
90668 Use after free in WebCore::findPlainText $1000 2016-10-02
90498 Security: automatic downloading of .crdownload files - 2016-10-02
91008 [LangFuzz] Crash at JSObject::PrepareElementsForSort with invalid read $1000 2016-10-02
90357 OOB read in WebCore::previousBoundary - 2016-10-02
90217 Prevent silent truncation of trailing characters in downloaded file names - 2016-10-02
90173 OOB read in media::ScaleYUVToRGB32 due to failure to account for zero source width and accessing negative indices - 2016-10-02
90134 OOB read in harfbuzz with khmer character - 2016-10-02
90105 Heap-buffer-overflow in WebCore::RenderBlock::LineBreaker::nextLineBreak - 2016-10-02
89991 Regression(82144): OOB InlineIterator read in TrailingObjects::updateMidpointsForTrailingBoxes $500 2016-10-02
90175 Security: remove any site from Google Index - 2016-10-02
89795 Browser crash in net::WebSocketJob::SendPending - 2016-10-02
89580 Use after free due to continuation splitting issues in -webkit-column-span - 2016-10-02
89599 Freed SVGTRefElement used in SVGStyledElement::buildPendingResourcesIfNeeded - 2016-10-02
89836 Tracking bug for ANGLE memory corruption on Windows $1337 2016-10-02
89575 Use after free of markers in CompositeEditCommand::replaceTextInNodePreservingMarkers - 2016-10-02
89564 Possible URL Bar Spoofing when history.forward() is ignored using forward button $500 2016-10-02
89678 Use after free in ReplacementFragment::removeUnrenderedNodes - 2016-10-02
89552 Use after free in CSSStyleSheet::checkLoaded - 2016-10-02
89522 SVG animation API crashes on SVGAnimateTransform - 2016-10-02
89511 Use after free in IDBRequest::abort - 2016-10-02
89493 Use after free in SVG foreignobject rendering. - 2016-10-02
89422 Two use after frees in NPObjectStub - 2016-10-02
89558 Use after free in SVGUseElement::buildShadowTree $500 2016-10-02
89402 Memory corruption (double free) caused by malformed XPath expression in XSLT $1000 2016-10-02
89330 DocumentLoader use after free in KURL::strippedForUseAsReferrer $1000 2016-10-02
89219 Use after free due to document destruction within unload event $1000 2016-10-02
89142 PDF viewer crash $500 2016-10-02
89020 Security: ftp - 2016-10-02
88976 possible use after free WebCore::FontCache::getFontDataForCharacters - 2016-10-02
88949 Security: Location Bar Spoofing using very long string on a web address in the location bar - 2016-10-02
88944 Use-after free in leveldb $3133 2016-10-02
88932 Security: Exploit in google+ - 2016-10-02
152691 chrome!std::_Tree<std::_Tmap_traits<tracked_objects::Location,tracked_objects::Births *,std::less<tracked_objects::Location>,std::allocator<std::pair<tracked_objects::Location const ,tracked_objects::Births *> >,0> >::find+15 - crash $2000 2016-10-02
152585 Heap-use-after-free in WebCore::ContainerNode::removeAllChildren - 2016-10-02
152420 Heap-use-after-free in content::P2PSocketClient::OnDataReceived - 2016-10-02
152354 Mask RenderArena freelist entries. - 2016-10-02
152569 Chrome_Mac: Crash Report - Stack Signature: CompositorOutputSurface::OnMessageReceived-... $500 2016-10-02
152442 Heap-use-after-free in icu_46::RuleBasedCollator::RuleBasedCollator - 2016-10-02
151895 Defense to throw "unauthorized" infobar for excessively crashing plug-in does not work for Pepper Flash! - 2016-10-02
151888 Crash in v8::internal::SlotsBuffer::UpdateSlotsRecordedIn - 2016-10-02
151854 Heap-use-after-free in WebCore::CachedResource::addClientToSet - 2016-10-02
151795 Security: remove chrome.experimental.offscreenTabs API - 2016-10-02
152104 out of bounds array access in WTF::TypedArrayBase<unsigned char>::item(unsigned int) / WebCore::FEMorphology::platformApplyGeneric - 2016-10-02
151992 Heap-use-after-free in VideoCaptureImpl::RemoveClient - 2016-10-02
151860 Heap-use-after-free in WebCore::DateTimeFieldElement::didBlur $1000 2016-10-02
151008 Heap-use-after-free in WebCore::CanvasRenderingContext2D::setFont $1000 2016-10-02
151424 Chrome: Crash Report - Stack Signature: WebCore::CachedImage::likelyToBeUsedSoon()-... - 2016-10-02
151449 Heap-buffer-overflow in cc::CCKeyframedTransformAnimationCurve::getValue - 2016-10-02
150966 Heap-use-after-free in WebCore::Node::~Node - 2016-10-02
151049 Heap-use-after-free in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers - 2016-10-02
150571 Global-buffer-overflow in v128_copy_octet_string - 2016-10-02
150067 Heap-buffer-overflow in WebCore::InlineFlowBox::placeBoxesInInlineDirection - 2016-10-02
149999 Heap-use-after-free in WebCore::WebKitCSSSVGDocumentValue::load - 2016-10-02
150842 Heap-use-after-free in content::P2PSocketClient::DeliverOnSocketCreated - 2016-10-02
150545 UNKNOWN in v8::internal::RootMarkingVisitor::MarkObjectByPointer - 2016-10-02
150650 MSI installer ships an out-of-date GoogleUpdate.exe with no ASLR or DEP (and may not be updating) - 2016-10-02
150729 UNKNOWN in v8::internal::Invoke $1500 2016-10-02
150737 IndexedDB causes V8 heap corruption $1000 2016-10-02
149717 Security: integer overflow in webgl on osx $1000 2016-10-02
149877 Security: Omnibox drop target enables navigation to restricted URLs - 2016-10-02
149904 Security: webgl - after running out of memory, buffer can still be written $1000 2016-10-02
149840 Heap-use-after-free in WebCore::StyleRuleImport::setCSSStyleSheet - 2016-10-02
149871 Untrustworthy navigation causes HTTP Basic Auth dialog origin confusion/spoofing - 2016-10-02
148612 Heap-use-after-free in WebCore::pushFullyClippedState - 2016-10-02
148896 UNKNOWN in v8::internal::ElementsAccessorBase<v8::internal::ExternalUnsignedByteElementsAccessor, v8::internal: - 2016-10-02
148378 [LangFuzz] Crash due to invalid free in v8::internal::Runtime_RegExpExecMultiple $1000 2016-10-02
148692 Heap-buffer-overflow in ucstrTextExtract $500 2016-10-02
148638 Heap-buffer-overflow in SkAAClipBlitter::blitAntiH $500 2016-10-02
148567 Touch events allow cross-origin access $500 2016-10-02
147625 Security: UXSS/SOP bypass with document.write (Chrome on iOS) $500 2016-10-02
147499 Heap-use-after-free in media::AudioOutputDevice::AudioThreadCallback::Process $3133 2016-10-02
147475 UNKNOWN in v8::internal::Deoptimizer::DoComputeOutputFrames - 2016-10-02
147459 Heap-use-after-free in WebCore::ImageLoader::updateRenderer - 2016-10-02
148376 [LangFuzz] Crash at v8::internal::MarkCompactCollector::EvacuateNewSpace with invalid read $1000 2016-10-02
147700 Heap-use-after-free in WebCore::Document::fullScreenChangeDelayTimerFired - 2016-10-02
147592 Chrome_ChromeOS: Crash Report - Stack Signature: WebKit::WebWorkerClientImpl::openFileSystem... - 2016-10-02
146882 Heap-use-after-free in WebCore::InlineBox::adjustPosition - 2016-10-02
146760 Security: URL bar spoofing with SSL error messages (Chrome on iOS) $500 2016-10-02
146725 AddressSanitizer reports a use-after-free in WebKit::DateTimeChooserImpl::didClosePopup - 2016-10-02
147435 Heap-use-after-free in WebCore::InlineBox::root - 2016-10-02
147436 UNKNOWN in sk_memset32_SSE2 - 2016-10-02
147290 Heap-use-after-free in WebCore::DateTimeEditElement::setEmptyValue $1000 2016-10-02
146492 Check behavior of "," in "content_security_policy" manifest attribute. - 2016-10-02
88850 Use after free with fuzzed ogv file $1000 2016-10-02
88846 Use-after-free in FrameLoader with no form post method $1000 2016-10-02
88889 Stale pointer due to floats not removed (flexible box display) $1000 2016-10-02
88858 [LangFuzz] Crash at JSObject::LocalLookupRealNamedProperty with invalid read on gc $1000 2016-10-02
88757 AudioContext GainNode memory corruption - 2016-10-02
88730 Use after free in SVGUseElement::invalidateShadowTree / SVGElementInstance::invalidateAllInstancesOfElement - 2016-10-02
88723 REGRESSION (r85964): Use after free in WebCore::RenderObject::localToAbsolute - 2016-10-02
88684 Stale m_owner in RenderScrollbar (m_owner is deleted body element) - 2016-10-02
88670 ZDI-CAN-1283: Webkit fontface Invalid Font Family Remote Code Execution Vulnerability - 2016-10-02
88649 HRTFDatabaseLoader memory corruption - 2016-10-02
88647 webkitAudioContext can be called as a function instead of a constructor. - 2016-10-02
88827 OOB read due to Integer overflow in SkDashPathEffect constructor (len and phase) - 2016-10-02
88729 Security: PPB_Graphics2D_Create will lead to integer overflow in shm alloc - 2016-10-02
88436 Ogg memory corruption - 2016-10-02
88337 The beforeload event allows tracking URI changes in a frame $500 2016-10-02
88131 Aw, Snap! with context.createBuffer(request.response, false) on certain files - 2016-10-02
88093 Security: out-of-bounds read in v8 with defineProperty and arguments $1000 2016-10-02
88591 [LangFuzz] CHECK(!value->IsTheHole()) failed // Crash with invalid read in shell $1000 2016-10-02
88531 Use-after-free in SafeBrowsingResourceHandler::OnBrowseUrlCheckResult - 2016-10-02
88216 Regression: Use-after-free in CounterNode::insertAfter $1000 2016-10-02
87861 Security: OOB read in svg text run - 2016-10-02
87815 chrome-devtools:// can be navigated from http - 2016-10-02
87746 Security: Chrome content script listener - 2016-10-02
87925 Use after free in range extract contents $1000 2016-10-02
87965 webkitAudioContext multiple issues - 2016-10-02
87862 Security: Use after free in svg text - 2016-10-02
87701 Stale pointer in WebCore::PlatformContextSkia::save - 2016-10-02
87548 use after free in skia blitter - 2016-10-02
87520 Security: Webpage can gain access to extension content-script variables when content-script triggers events - 2016-10-02
87478 [LangFuzz] Crash on heap with invalid read $1000 2016-10-02
87339 XSS injection via prototype chain $500 2016-10-02
87298 OOB read due to iterating over wrong textbox in TextIterator::emitText (first-letter + RTL) $500 2016-10-02
87729 Use after free in third_party/WebKit/LayoutTests/fast/dom/HTMLLinkElement/link-and-subresource-test.html $1000 2016-10-02
87728 Regression(89733): Use after free in fast/forms/text-control-intrinsic-widths.html $1000 2016-10-02
87120 Use after free on 2-Step-Authentication-method-change $500 2016-10-02
87148 use after free due to floats not removed $1000 2016-10-02
86758 URL Bar Spoofing using History.back() and History.forward $500 2016-10-02
86705 Use after free in Geolocation::fatalErrorOccurred - 2016-10-02
87227 Use after free due to refcounting issue in MediaQueryMatcher::prepareEvaluator $1000 2016-10-02
86900 Heap memory corruption in web database support (SQLite/ICU) $1000 2016-10-02
86502 Use after free due to floats not cleared from parent's next siblings blocks (on losing ability to intrude floats) $1000 2016-10-02
86191 Security: web-exposed manifest from Chrome extensions diverges from the real manifest in regards to NPAPI - 2016-10-02
86304 Google Chrome Access Violation in Frame manipulation - 2016-10-02
86609 OOB read in fontfallbacklist due to issue in CSSPrimitiveValues clamping - 2016-10-02
86178 URL bar introduces NUMEROUS vulnerabilities. - 2016-10-02
86648 Use after free in formassociatedelement not removed from m_formElementsWithFormAttribute - 2016-10-02
86367 Use after free of frame in Document::finishedParsing - 2016-10-02
85992 Renderers can have registry handle which would allow a Windows sandbox escape - 2016-10-02
85943 Use after free in Stylesheet due to issue in CLONE nodes - 2016-10-02
85808 chrome_1c30000!webkit::ppapi::PPB_Widget_Impl::Invalidate crash $500 2016-10-02
85559 Web Inspector: Crash by buffer overrun crash when serializing inspector object tree. - 2016-10-02
86133 Add GRP to dangerous file list - 2016-10-02
86108 Security: FileSystem API can be used to learn about installed software on the user's computer - 2016-10-02
85418 Use-after-free in WebCore::RenderTextControl::isSelectableElement $1000 2016-10-02
85309 Crash when closing a child window that uses a canvas - 2016-10-02
85302 Crasher in WebCore::StyleBase::stylesheet - 2016-10-02
85256 OOB read in UniscribleController::advance - 2016-10-02
85211 Use after free in SVGUseElement::buildShadowTree $1000 2016-10-02
85177 Renderer crash with javascript + setInterval $500 2016-10-02
85158 Content script can gain access to the "window" object of the page using custom events - 2016-10-02
85350 Browser Crash in ~TabContents caused by PrerenderManager::PeriodicCleanup - 2016-10-02
156906 Heap-use-after-free in WebCore::XMLDocumentParser::doEnd - 2016-10-02
156826 UNKNOWN in S32A_Blend_BlitRow32_SSE2 - 2016-10-02
156828 UNKNOWN in WebCore::Font::drawGlyphs - 2016-10-02
156669 Origin.com somehow manages to open its result page in the previous tab (which was gmail) - 2016-10-02
156619 Heap-use-after-free in WebCore::ApplyStyleCommand::cleanupUnstyledAppleStyleSpans - 2016-10-02
156431 Security: Use after free in IDBDatabaseCallbacksImpl::onVersionChange - 2016-10-02
156418 Heap-use-after-free in SpellCheckHostImpl::SaveDictionaryData - 2016-10-02
156689 Heap-buffer-overflow in WTF::StringImpl::findIgnoringCase - 2016-10-02
156567 Security: use-after-free in WebCore::GraphicsContext::paintingDisabled $1000 2016-10-02
156282 Heap-use-after-free in WebCore::StyleResolver::pseudoStyleRulesForElement - 2016-10-02
156383 Security: chrome_to_device makes use of HTTP for cloudprint - 2016-10-02
156096 Heap-buffer-overflow in WebCore::RenderBlock::LineBreaker::nextLineBreak - 2016-10-02
156231 UNKNOWN in _wordcopy_fwd_aligned $1000 2016-10-02
156366 Heap-use-after-free in PluginPlaceholder::ReplacePlugin - 2016-10-02
156152 Issues with HSTS / public key pins state tracking - 2016-10-02
155977 Security: remove uses of innerHTML in commented code for Getting Started Guide. - 2016-10-02
155860 WebCore::SharedBuffer::append(data, 0) can cause uninitialized memory to be added to the SharedBuffer - 2016-10-02
155711 Security: forced oom in browser process due to indefinitely growing buffer in chunked decoder - 2016-10-02
155643 Heap-use-after-free in content::RenderWidgetHostImpl::OnMsgInputEventAck - 2016-10-02
156015 Heap-use-after-free in WebCore::FontPlatformData::uniqueID - 2016-10-02
156051 Heap use-after-free in ExtensionFunctionDispatcher::Dispatch caught by ASan when using "Screen Capture by Google" - 2016-10-02
155877 Chrome: RenderViewImpl::OnContextMenuClosed(content::CustomContextMenuContext const &) - 2016-10-02
155293 Heap-use-after-free in WebCore::ContextMenu::appendItem - 2016-10-02
155285 Heap-use-after-free in WebCore::Node::setNeedsStyleRecalc - 2016-10-02
155117 Security: GetReadonlyPnaclFD IPC security issues - 2016-10-02
154987 Pwnium SVG use after free - 2016-10-02
154983 Security: Pwnium 2 TCMalloc profile bug $60000 2016-10-02
155421 Security: javascript scheme links auto-generated in devtools console - 2016-10-02
154617 Heap-use-after-free in WebCore::Node::~Node - 2016-10-02
155323 Out of bounds array access in GPU process - 2016-10-02
154926 Heap-use-after-free in WebIntentPickerGtk::OnDestroyThunk - 2016-10-02
154488 Heap-use-after-free in WebCore::FrameLoader::stopLoading - 2016-10-02
154465 Bad cast in webkit_glue::GetSubResourceLinkFromElement - 2016-10-02
154460 Heap-use-after-free in WebCore::ScrollableArea::scroll - 2016-10-02
154448 Heap-use-after-free in TransportDIB::DecreaseInFlightCounter - 2016-10-02
154362 Heap-buffer-overflow in WebCore::HTMLSelectElement::typeAheadFind - 2016-10-02
154590 Stack-buffer-overflow in SkFontHost::GetAdvancedTypefaceMetrics - 2016-10-02
154485 Heap-buffer-overflow in std::vector<scoped_refptr<printing::PrintJob>, std::allocator<scoped_refptr<printing::PrintJob> > >: - 2016-10-02
154158 Security: ensure that a user has willfully logged in to his Google account before triggering the one click Chrome login feature -