| 881763 | Index-out-of-bounds in vrend_set_single_ssbo | - | 2018-12-29 |
| 887626 | Heap-use-after-free in CPDF_StreamAcc::~CPDF_StreamAcc | - | 2018-12-29 |
| 877767 | CHECK failure: FinalAssessment::cast(assessment)->virtual_register() == virtual_register in reg | - | 2018-12-28 |
| 879965 | Canceling a browser-initiated navigation by using the history.back function | $500 | 2018-12-28 |
| 880675 | Security: heap-buffer-overflow in CPDF_DIBSource::DownSampleScanline8Bit | $1,000 | 2018-12-28 |
| 880207 | Security: incorrect type information on Math.expm1 | - | 2018-12-28 |
| 887891 | CHECK failure: byte_length() <= JSArrayBuffer::kMaxByteLength in objects-debug.cc | - | 2018-12-28 |
| 779028 | Security: content security policy bypass by writing to loading Frame's ContentDocument | $1,000 | 2018-12-27 |
| 880173 | heap use-after-free on AsyncCompileJob::CompileTask::Cancel | - | 2018-12-27 |
| 884052 | DCHECK failure in RegionObservability::kObservable == region_observability_ in effect-control-line | - | 2018-12-26 |
| 884664 | Security: Use-after-free in XFA_DataExporter_DealWithDataGroupNode | $3,000 | 2018-12-26 |
| 885383 | Use-of-uninitialized-value in blink::LayoutTable::RecalcSections | - | 2018-12-26 |
| 885907 | Use-of-uninitialized-value in blink::LayoutTable::RecalcSections | - | 2018-12-26 |
| 852634 | Security: Chrome for iOS URL spoofing using location.replace and history.back | $500 | 2018-12-25 |
| 863703 | Extension popovers do not overlap the Chrome, so they can be spoofed in the viewport. | - | 2018-12-25 |
| 880786 | CrOS: Vulnerability reported in sys-apps/busybox | - | 2018-12-25 |
| 884179 | Security: http authentication spoof on chrome android | $1,000 | 2018-12-25 |
| 884242 | P2P TCP sockets may crash the network service after receiving invalid packet | - | 2018-12-25 |
| 879543 | CrOS: Vulnerability reported in sys-apps/busybox | - | 2018-12-24 |
| 868592 | Window state leaking from one page to another. | - | 2018-12-22 |
| 879226 | Crash in es2::Texture2D::getFormat | - | 2018-12-22 |
| 881917 | Heap-buffer-overflow in cc::SurfaceLayer::SetHasPointerEventsNone | - | 2018-12-22 |
| 883492 | DCHECK failure in !array_buffer_transfer_map_.Find(array_buffer) in value-serializer.cc | $3,500 | 2018-12-22 |
| 882078 | Security: IDN URL Spoofing with âà¸â | $500 | 2018-12-21 |
| 880906 | Security: ANGLE TextureStorage11::setData Memory Corruption | $1,000 | 2018-12-21 |
| 883172 | CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSNumberFormat()) in js-nu | - | 2018-12-21 |
| 835667 | pdfium: stack-buffer-overflow in IntersectSides | $500 | 2018-12-20 |
| 880015 | Security: Mixed content check is bypassed when loading Worklets | - | 2018-12-20 |
| 880023 | Security: Mixed content check is bypassed in data: workers created from HTTPS Documents | - | 2018-12-20 |
| 882449 | Use-of-uninitialized-value in void base::Pickle::WriteBytesStatic<4ul> | - | 2018-12-20 |
| 883059 | DCHECK failure in is_resolved() in ast.h | - | 2018-12-20 |
| 883164 | Use-after-poison in v8::internal::interpreter::BytecodeGenerator::BuildVariableLoad | - | 2018-12-20 |
| 883215 | Use-after-poison in v8::internal::Variable::location | - | 2018-12-20 |
| 883280 | DCHECK failure in 0 != kLiftoffAssemblerGpCacheRegs & reg.bit() in liftoff-register.h | - | 2018-12-20 |
| 872651 | DCHECK failure in !name->AsArrayIndex(&index) in lookup-inl.h | - | 2018-12-19 |
| 882686 | Stack-buffer-overflow in content::ChildProcessSecurityPolicyImpl::GetMatchingIsolatedOrigin | - | 2018-12-19 |
| 883181 | Crash in v8::internal::interpreter::BytecodeRegisterOptimizer::GetRegisterInfo | - | 2018-12-19 |
| 824130 | Security: Several CORS security issues in browsers and specs, asking for comments | $2,000 | 2018-12-17 |
| 876252 | Use-of-uninitialized-value in v8::internal::Factory::NewNumber | - | 2018-12-15 |
| 877785 | Crash in cc::RestoreOp::Serialize | - | 2018-12-15 |
| 880123 | Crash in _platform_memmove$VARIANT$Nehalem | - | 2018-12-15 |
| 875579 | Bad-cast to v8::internal::wasm::AsyncCompileJob::CompileTask from invalid vptr in v8::internal::wasm::AsyncCompileJob::CancelPendingForegroundTask | - | 2018-12-14 |
| 880322 | Security: Update third_party/libpng to mitigate CVE-2016-10087 | - | 2018-12-14 |
| 881644 | Bad-cast to const blink::LayoutBlock from blink::LayoutEmbeddedObject in blink::BoxModelObjectPainter::PaintTextClipMask | - | 2018-12-14 |
| 881736 | Security DCHECK failure: object.IsLayoutBlock() in layout_block.h | - | 2018-12-14 |
| 840163 | Crash in glvmRasterOpRead | - | 2018-12-13 |
| 866016 | Security: Chrome OS (dev channel): app->VM via garcon TCP command socket | - | 2018-12-13 |
| 880697 | CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSReceiver()) in objects-i | - | 2018-12-13 |
| 880759 | Chrome 69 URL Spoof via double-click | $1,000 | 2018-12-13 |
| 881021 | DCHECK failure in CanSubclassHaveInobjectProperties(instance_type) in objects.cc | - | 2018-12-13 |
| 731640 | CrOS: Vulnerability reported in net-nds/openldap | - | 2018-12-12 |
| 855008 | CrOS: Vulnerability reported in sys-libs/glibc | - | 2018-12-12 |
| 877036 | CVE-2018-1000204 CrOS: Vulnerability reported in Linux kernel | - | 2018-12-12 |
| 879142 | Use-of-uninitialized-value in v8::internal::Simulator::FPCompare | - | 2018-12-11 |
| 879898 | CHECK failure: TypeError: node #28:JSToNumber type Numeric is not Number in verifier.cc | - | 2018-12-11 |
| 880181 | Use-of-uninitialized-value in network::P2PSocketUdp::HandleReadResult | - | 2018-12-11 |
| 844881 | Security: Address spoofing in Omnibox | $3,000 | 2018-12-08 |
| 870804 | Crash in es2::Program::linkAttributes | - | 2018-12-08 |
| 508641 | Integer overflow checking in SkAutoTMalloc/SkAutoSTMalloc | - | 2018-12-07 |
| 846296 | CrOS: Vulnerability reported in dev-libs/openssl | - | 2018-12-07 |
| 872189 | Security: Little-CMS (lcms) Heap Buffer Overflow in AllocateDataSet | $3,500 | 2018-12-07 |
| 875322 | Function Signature Mismatch Error When Using Dynamic Linking for WebAssembly | $3,000 | 2018-12-07 |
| 878652 | Use-of-uninitialized-value in content::FileSystemDispatcher::ReadDirectorySync | - | 2018-12-07 |
| 878725 | Bad-cast to blink::LayoutTableRow from blink::LayoutSVGText in blink::ToLayoutTableRow | - | 2018-12-07 |
| 878735 | CVE-2018-13405 CrOS: Vulnerability reported in Linux kernel | - | 2018-12-07 |
| 879085 | Use-of-uninitialized-value in void base::Pickle::WriteBytesStatic<4ul> | - | 2018-12-07 |
| 879025 | Security: PDFium UAF in CFX_CodecMemory::~CFX_CodecMemory | - | 2018-12-07 |
| 874030 | CrOS: Vulnerability reported in net-dialup/ppp | - | 2018-12-06 |
| 874614 | CVE-2018-3620: L1 Terminal Fault: OS/SMM | - | 2018-12-06 |
| 874617 | CVE-2018-3646: L1 Terminal Fault: VMM | - | 2018-12-06 |
| 877874 | Crash in gpu::gles2::Texture::ClearRenderableLevels | $1,000 | 2018-12-06 |
| 878761 | Use-after-poison in blink::HTMLImportsController::Dispose | - | 2018-12-06 |
| 878845 | CHECK failure: Type cast failed in CAST(p_o) at ../../src/code-stub-assembler.h:351 in code-ass | - | 2018-12-06 |
| 877182 | Security: Mojo DataPipe*Dispatcher deserialization lacking validation | - | 2018-12-05 |
| 877766 | Heap-use-after-free in fxcrt::UnownedPtr<unsigned char>::ProbeForLowSeverityLifetimeIssue | - | 2018-12-05 |
| 812769 | Security: Cast UI hides Full-screen warning | $500 | 2018-12-04 |
| 853520 | use-after-free in operator-> buildtools/third_party/libc++/trunk/include/memory (WebAudio thread) | $1,000 | 2018-12-04 |
| 870678 | heap-use-after-free on IsSweepingInProgress() | $1,000 | 2018-12-04 |
| 875621 | Read AV in browser process | $5,000 | 2018-12-04 |
| 875680 | Crash in vp8_decode_mb_tokens | - | 2018-12-04 |
| 877641 | Stack overflow | - | 2018-12-04 |
| 867356 | Security: Chrome OS: filesystem restrictions bypass using crosvm sshfs | - | 2018-12-03 |
| 877470 | SVG element can cause bad-cast to LayoutTableCell | - | 2018-12-03 |
| 877498 | Bad-cast to blink::InlineTextBox from blink::InlineBox in blink::ToInlineTextBox | - | 2018-12-03 |
| 857469 | CHECK failure: ==NUMBER==ABORTING in int64-lowering.cc | - | 2018-12-02 |
| 340512 | Security: ImageBurner path validation on ChromeOS | - | 2018-12-01 |
| 866129 | Security: Chrome OS runs ancient unrar in CAP_SYS_ADMIN context | - | 2018-12-01 |
| 875739 | Security: Unauthenticated EAPOL-Key decryption in wpa_supplicant | - | 2018-12-01 |
| 869941 | CVE-2018-5391: Issue 3: FragmentSmack (IP fragments) | - | 2018-11-30 |
| 875494 | heap-buffer-overflow in [@ SkDashPath::InternalFilter] | - | 2018-11-30 |
| 876696 | DCHECK failure in kSmiValueSize < layout_descriptor_length in layout-descriptor.cc | - | 2018-11-30 |
| 877198 | Bad-cast to v8::(anonymous namespace)::ArrayBufferAllocator from v8::(anonymous namespace)::ShellArrayBufferAllocator in v8::ArrayBufferDeleter | - | 2018-11-30 |
| 817595 | Crash in libappindicator3.so.1 | - | 2018-11-29 |
| 876443 | CHECK failure: Type cast failed in CAST(p_o) at ../../src/code-stub-assembler.h:351 in code-ass | - | 2018-11-29 |
| 876991 | Crash in gldRenderFillPolygonPtr | - | 2018-11-29 |
| 875556 | Heap-buffer-overflow in int v8::internal::wasm::Decoder::read_leb_tail<int, | - | 2018-11-28 |
| 876222 | Container-overflow in CJBig2_GRDProc::ProgressiveArithDecodeState::~ProgressiveArithDecodeState | - | 2018-11-28 |
| 870226 | Security: v8 compactor may operate on undefined slots | $3,000 | 2018-11-27 |
| 875158 | Heap-buffer-overflow in media::VideoFrame::visible_data | $1,500 | 2018-11-27 |
| 875712 | Bad-cast to blink::MediaKeySystemConfiguration from invalid vptr in bool WTF::TraceInCollectionTrait< | - | 2018-11-27 |
| 875847 | DCHECK failure in obj->IsExternalString() in heap.cc | - | 2018-11-27 |
| 875885 | Bad-cast to CharacterStream<uint16_t>' (aka 'CharacterStream<unsigned short>') from v8::internal::RelocatingCharacterStream<unsigned char> in v8::internal::wasm::AsmJsParser::AsmJsParser | - | 2018-11-27 |
| 876255 | CHECK failure: mem_size <= wasm::kV8MaxWasmMemoryBytes in wasm-objects.cc | - | 2018-11-27 |
| 874460 | Heap-use-after-free in message_center::MessagePopupView::UpdateContents | - | 2018-11-26 |
| 873436 | Heap-use-after-free in test_runner::WebWidgetTestClient::AnimateNow | - | 2018-11-24 |
| 874550 | Potential browser crash from zlib | - | 2018-11-24 |
| 852251 | Heap-use-after-free in blink::LayoutObject::WillBeDestroyed | - | 2018-11-23 |
| 873529 | Heap-use-after-free in base::MessageLoop::DeletePendingTasks | - | 2018-11-23 |
| 874416 | CrOS: Vulnerability reported in net-vpn/strongswan | - | 2018-11-23 |
| 874433 | Use-of-uninitialized-value in blink::ColorSpaceUtilities::GetColorSpaceGamut | - | 2018-11-23 |
| 874572 | Global-buffer-overflow in MemoryRead<unsigned | - | 2018-11-23 |
| 874613 | CVE-2018-3615: L1 Terminal Fault: SGX | - | 2018-11-23 |
| 853422 | DCHECK failure in address % access_size == 0 in simulator-arm64.cc | - | 2018-11-22 |
| 872746 | Security: Vulnerable SRK may survive in case of interrupted TPM firmware update | - | 2018-11-22 |
| 873080 | Security: fullscreen UI spoof using pdf prompt | $1,000 | 2018-11-22 |
| 873500 | CVE-2018-1120 CrOS: Vulnerability reported in Linux kernel | - | 2018-11-22 |
| 874359 | Security: heap-buffer-overflow in CJS_PublicMethods::AFRange_Validate | - | 2018-11-22 |
| 874396 | Crash in blink::HeapLinkedHashSet<blink::WeakMember<blink::SVGSMILElement>, WTF::MemberHa | - | 2018-11-22 |
| 874393 | Crash in TableSizeMask | - | 2018-11-22 |
| 874420 | Crash in blink::SMILTimeContainer::Unschedule | - | 2018-11-22 |
| 874461 | Use-after-poison in blink::SMILTimeContainer::UpdateAnimations | - | 2018-11-22 |
| 874458 | Crash in blink::HeapHashTableBacking<WTF::HashTable<blink::QualifiedName, WTF::KeyValuePa | - | 2018-11-22 |
| 874462 | Crash in blink::SMILTimeContainer::SetElapsed | - | 2018-11-22 |
| 874469 | Crash in Unlink | - | 2018-11-22 |
| 874528 | Bad-cast to blink::GarbageCollectedMixin from invalid vptr in void blink::Visitor::Trace<blink::SVGAnimatedPropertyBase> | - | 2018-11-22 |
| 874568 | Crash in blink::SMILTimeContainer::SetElapsed | - | 2018-11-22 |
| 874582 | Crash in Unlink | - | 2018-11-22 |
| 874578 | Bad-cast to blink::ActiveScriptWrappableBase from invalid vptr in blink::ActiveScriptWrappableBase::TraceActiveScriptWrappables | - | 2018-11-22 |
| 874585 | Bad-cast to blink::SVGElement from invalid vptr in blink::SVGElement::RemoveAllOutgoingReferences | - | 2018-11-22 |
| 874600 | Crash in InsertBefore | - | 2018-11-22 |
| 874757 | Use-after-poison in blink::ActiveScriptWrappableBase::TraceActiveScriptWrappables | - | 2018-11-22 |
| 874714 | Use-after-poison in blink::TreeScope::RemoveElementById | - | 2018-11-22 |
| 873693 | Heap-buffer-overflow in av_encryption_init_info_add_side_data | - | 2018-11-21 |
| 873914 | Bad-cast to blink::ImageBitmap from base class subobject at offset 80 in blink::WebGLRenderingContextBase::TexImageByGPU | - | 2018-11-21 |
| 873993 | Use-of-uninitialized-value in spvtools::val::CheckDecorationsOfEntryPoints | - | 2018-11-21 |
| 865380 | Use-of-uninitialized-value in test_runner::PrintFrameDescription | - | 2018-11-20 |
| 866766 | Use-of-uninitialized-value in gpu::CommonDecoder::Bucket::GetAsStrings | - | 2018-11-20 |
| 869837 | Crash in v8::internal::Simulator::LoadStoreHelper | - | 2018-11-20 |
| 873442 | Heap-buffer-overflow in spvtools::val::Instruction::word | - | 2018-11-20 |
| 871787 | Use-of-uninitialized-value in storage::DatabaseTracker::UpdateOpenDatabaseInfoAndNotify | - | 2018-11-18 |
| 871731 | CVE-2018-12232 CrOS: Vulnerability reported in Linux kernel | - | 2018-11-17 |
| 872514 | CHECK failure: 0 < icu_length in intl-objects.cc | - | 2018-11-17 |
| 849691 | Android app on CrOS allows capture of a HTML select tag when FLAG_SECURE is set | - | 2018-11-16 |
| 872140 | Bad-cast to content::BrowserGpuClientDelegate from device::mojom::ScreenOrientationRequestValidator in void base::internal::FunctorTraits<void | - | 2018-11-16 |
| 872219 | Bad-cast to content::BrowserGpuClientDelegatevoid base::internal::FunctorTraits<void in MakeItSo<void | - | 2018-11-16 |
| 872244 | Crash in __ubsan::checkDynamicType | - | 2018-11-16 |
| 872573 | Heap-use-after-free in spvtools::opt::Instruction::NumOperands | - | 2018-11-16 |
| 867370 | use-after-poison in mojo::InterfaceEndpointClient::HandleValidatedMessage) | $3,000 | 2018-11-15 |
| 871005 | Heap-use-after-free in views::Slider::SetValueInternal | - | 2018-11-15 |
| 871928 | Security: libaom/av1_dec_fuzzer: Crash in av1_decode_tg_tiles_and_wrapup | - | 2018-11-15 |
| 859218 | Security: Referrer leak when Chrome Web App is installed on a path (repro issue 791216 on Mac) | - | 2018-11-14 |
| 870178 | Heap-buffer-overflow in SkPaint::getTextWidths | - | 2018-11-14 |
| 870571 | Heap-buffer-overflow in spvtools::val::ValidateCopyMemory | - | 2018-11-14 |
| 870941 | Crash in SkRect::set | - | 2018-11-14 |
| 863069 | Site Isolation: Attacker-controlled data URLs end up in wrong process after tab restore | $3,000 | 2018-11-13 |
| 870306 | Use-after-poison in void blink::Visitor::HandleWeakCell<blink::SVGElement> | $3,500 | 2018-11-13 |
| 870675 | Heap-use-after-free in base::DeleteHelper<content::ResolveProxyMsgHelper>::DoDelete | - | 2018-11-13 |
| 862004 | Security: stack-buffer-underflow in Break | - | 2018-11-12 |
| 866229 | CHECK failure: !descriptors->GetKey(i)->IsInterestingSymbol() in objects-debug.cc | - | 2018-11-11 |
| 866895 | Security: Chrome OS: symlink traversal issue in /sbin/crash_reporter | - | 2018-11-11 |
| 833138 | Consider blocking U+0307 after other i-like characters (e.g. U+1EC9) | $500 | 2018-11-10 |
| 870567 | Use-of-uninitialized-value in content::StatusCallbackAdapter | - | 2018-11-10 |
| 870649 | Linux kernel: CVE-2017-18344: arbitrary-read vulnerability in the timer subsystem | - | 2018-11-10 |
| 870682 | Crash in content::RunCallbacks | - | 2018-11-10 |
| 751423 | heap-buffer-overflow in SkMatrix::setRSXform | $500 | 2018-11-09 |
| 868333 | CHECK failure: receiver->IsJSFunction() in objects.cc | - | 2018-11-09 |
| 869313 | CHECK failure: Type cast failed in CAST(LoadObjectField(data_view, JSDataView::kByteLengthOffse | - | 2018-11-09 |
| 870351 | Bad-cast to blink::V8EventListener from blink::V8LazyEventListener in blink::V8EventListenerHelper::GetEventListener | - | 2018-11-09 |
| 865387 | Use-after-poison in blink::HTMLImportsController::Dispose | - | 2018-11-08 |
| 866301 | Heap-use-after-free in views::Slider::SetValueInternal | - | 2018-11-08 |
| 868463 | Security: libaom build default values | - | 2018-11-08 |
| 868619 | Security: Kernel Level Memory Leak as a result of GDI object creations | - | 2018-11-08 |
| 869593 | Heap-use-after-free in message_center::MessagePopupCollection::OnNotificationUpdated | - | 2018-11-08 |
| 869716 | Heap-use-after-free in message_center::NotificationList::GetNotification | - | 2018-11-08 |
| 822518 | iframe sandbox escape | $1,000 | 2018-11-07 |
| 848123 | Cross-origin-read attack by chaining three vulnerabilities | $2,000 | 2018-11-07 |
| 864162 | ASSERT: GTK_IS_WIDGET (widget) | - | 2018-11-07 |
| 869347 | DCHECK failure in !IsClearedWeakHeapObject() in maybe-object-inl.h | - | 2018-11-07 |
| 751921 | Security: stack-buffer-overflow in SkPoint | $1,000 | 2018-11-06 |
| 750561 | Heap-buffer-overflow in ClipRestore | $1,000 | 2018-11-06 |
| 856967 | Crash in getAddress | - | 2018-11-06 |
| 857383 | DCHECK failure in result in int64-lowering.cc | - | 2018-11-06 |
| 860522 | Null-dereference READ in blink::AudioNode::Handler | $500 | 2018-11-06 |
| 867776 | V8 OOB write BigInt64Array.of and BigInt64Array.from side effect neuter | $5,000 | 2018-11-06 |
| 869293 | DCHECK failure in !IsClearedWeakHeapObject() in maybe-object-inl.h | - | 2018-11-06 |
| 805496 | Security: Self-update service worker to stay alive | $500 | 2018-11-05 |
| 867374 | Security: ARC: mount-passthrough sandbox bypass via procfs | - | 2018-11-05 |
| 808407 | CSP bypass and XSS introduction via JavaScript URI in view source | - | 2018-11-03 |
| 818376 | Security: Off-by-1 buffer over-read in Crashpad | - | 2018-11-03 |
| 821704 | ASSERT: G_IS_OBJECT (object) | - | 2018-11-03 |
| 845983 | Security: Android WebView can be tricked into navigating the top frame from a sandboxed iframe without allow-top-navigation | - | 2018-11-03 |
| 848535 | Security: history.back() can be used to bypass multiple downloads restriction. | - | 2018-11-03 |
| 858929 | Security: URL bar spoofing with Full-screen mode | $500 | 2018-11-03 |
| 866427 | Security: Taps on the parent window pass through to an iframe in Android Chrome | - | 2018-11-03 |
| 866698 | Security: libaom/av1_dec_fuzzer_threaded: ASSERT: 0 <= sum && sum < (1 << (bd + FILTER_BITS + 1)) | - | 2018-11-03 |
| 867792 | Security: corrupt VP9 frame will cause tab crash | - | 2018-11-03 |
| 868203 | Heap-use-after-free in base::sequence_manager::LazyNow::Now | - | 2018-11-03 |
| 868586 | DCHECK failure in !object->IsClearedWeakHeapObject() in maybe-handles-inl.h | - | 2018-11-03 |
| 868628 | DCHECK failure in !object->IsClearedWeakHeapObject() in maybe-handles-inl.h | - | 2018-11-03 |
| 569955 | Security: Universal XSS by using fullscreen API | - | 2018-11-02 |
| 760416 | Security: Python scripts use HTTP to interact with Closure compiler web service | - | 2018-11-02 |
| 838098 | Use-of-uninitialized-value in v8::internal::Simulator::FPRoundInt | - | 2018-11-02 |
| 865950 | Heap-use-after-free in blink::WorkerThread::PrepareForShutdownOnWorkerThread | - | 2018-11-02 |
| 867314 | Use-of-uninitialized-value in SkOpAngle::lastMarked | - | 2018-11-02 |
| 867762 | Bad-cast to std::__1::locale::__imp from std::__1::locale::__imp in base::LoadNativeLibraryWithOptions | - | 2018-11-02 |
| 868077 | Global-buffer-overflow in SkOpPtT::prev | - | 2018-11-02 |
| 867789 | Bad-cast to llvm::cl::Option from llvm::cl::opt<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, false, llvm::cl::parser<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > in llvm::cl::applicator<llvm::cl::FormattingFlags>::opt | - | 2018-11-02 |
| 842503 | Security: Uninitialized Memory Read in CXFA_LayoutPageMgr::GetAvailHeight | $3,000 | 2018-11-01 |
| 866282 | CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSReceiver()) in objects-i | - | 2018-11-01 |
| 866357 | DCHECK failure in UnusedPropertyFields() == map->UnusedPropertyFields() in map-inl.h | - | 2018-11-01 |
| 866727 | DCHECK failure in 2 == subnode->op()->ControlOutputCount() in js-inlining.cc | - | 2018-11-01 |
| 867306 | Fix DOMStorageNamespace UAF | - | 2018-11-01 |
| 728200 | Security: PDFium JS: Field::m_pJSDoc lifetime issue | - | 2018-10-31 |
| 860697 | Security: Use-after-free in CPDFSDK_Widget::Synchronize | $3,000 | 2018-10-31 |
| 866635 | gcm's SocketOutputStream::Flush can write arbitrary data to the network | - | 2018-10-31 |
| 867048 | Use-of-uninitialized-value in v8::internal::Scanner::SkipMultiLineComment | - | 2018-10-31 |
| 866208 | DCHECK failure in !Contains(string) in heap-inl.h | - | 2018-10-30 |
| 532374 | Service Worker should not intercept the fetch requests which are initiated from opaque (cross-origin no-cors) stylesheet. | - | 2018-10-29 |
| 861953 | DCHECK failure in (token.literal_chars) != nullptr in scanner.cc | - | 2018-10-27 |
| 863623 | Security: Blob URL created from Data URL shares same process despite creator being cross-site | $3,000 | 2018-10-27 |
| 866210 | Use-of-uninitialized-value in mojo::core::ChannelPosix::WriteNoLock | - | 2018-10-27 |
| 866227 | Use-of-uninitialized-value in void cc::PaintOpReader::ReadFlattenable<SkMaskFilter> | - | 2018-10-27 |
| 866233 | Use-of-uninitialized-value in cc::PaintOpReader::Read | - | 2018-10-27 |
| 848306 | use-after-poison in operator blink::ExecutionContext * | $1,000 | 2018-10-26 |
| 863974 | Incomplete fix of issue 853937 | $3,133 | 2018-10-25 |
| 864932 | Security: Little-CMS (lcms) Heap Buffer Overflow | $2,500 | 2018-10-25 |
| 865264 | DCHECK failure in !dictionary->requires_slow_elements() in elements.cc | - | 2018-10-25 |
| 865312 | DCHECK failure in end <= array->length_value() in elements.cc | - | 2018-10-25 |
| 862635 | Heap-use-after-free in blink::DisplayItemRasterInvalidator::Generate | $3,500 | 2018-10-24 |
| 862929 | Turbofan violates Liftoff's assumption of zero-extended 32-bit values in 64-bit registers | - | 2018-10-24 |
| 864358 | Use-of-uninitialized-value in cc::PictureLayerImpl::AppendQuads | - | 2018-10-24 |
| 864509 | Liftoff must ensure that i32 stack parameters are zero extended | - | 2018-10-24 |
| 856823 | Security: WebRTC Out-of-bounds read in FEC | - | 2018-10-23 |
| 862163 | OpenOffice extensions need to be flagged as potentially dangerous | - | 2018-10-23 |
| 863810 | [turbofan] TruncateInt64ToInt32 must generate zero-extended value | - | 2018-10-23 |
| 863840 | Crash in webrtc::ForwardErrorCorrection::XorPayloads | - | 2018-10-23 |
| 863709 | Heap-use-after-free in ui::I18nSourceStream::FilterData | - | 2018-10-22 |
| 863482 | Heap-use-after-free in views::Slider::SetValueInternal | - | 2018-10-21 |
| 859032 | CrOS: Vulnerability reported in net-misc/curl | - | 2018-10-20 |
| 862112 | CrOS: Vulnerability reported in net-vpn/strongswan: CVE-2018-5388 | - | 2018-10-20 |
| 863105 | DCHECK failure in external_backing_store_bytes_[type] >= amount in spaces.cc | - | 2018-10-20 |
| 854455 | Security: Automatic file execution without any warnings | $500 | 2018-10-19 |
| 859511 | Security: Interrupted TPM firmware update doesn't clear out weak SRK | - | 2018-10-19 |
| 862059 | Security: Bad cast in JSPropGetter in js_define.h | $5,000 | 2018-10-19 |
| 849192 | Stack-use-after-scope in bsdiff::SinkFile::Write | - | 2018-10-18 |
| 853937 | XSS by hosting JS and JSON looking file | $3,000 | 2018-10-18 |
| 859303 | AddressSanitizer: attempting free on address which was not malloc()-ed in tt_face_vary_cvt | - | 2018-10-18 |
| 855119 | URL spoofing with post urls | - | 2018-10-17 |
| 858820 | Security: Credit card information leakage in Chrome autofill | $1,000 | 2018-10-17 |
| 861602 | Heap-use-after-free in blink::AXObjectCacheImpl::GetOrCreate | - | 2018-10-17 |
| 862536 | Heap-use-after-free in blink::AXObjectCacheImpl::GetOrCreate | - | 2018-10-17 |
| 835887 | Chrome exploit: WebAssembly type confusion + V8 OOB read + sandbox escape | $40,633 | 2018-10-16 |
| 836859 | Security: Privilege Escalation via chrome://resources filesystem URL | - | 2018-10-16 |
| 846311 | signal 11 SEGV_MAPERR 000000000000 in get /v8/src/objects/fixed-array-inl.h:64:10 | - | 2018-10-16 |
| 860721 | ComputeRandomMagic produces less randomness on 64-bit platforms than 32-bit platforms | - | 2018-10-16 |
| 860788 | CHECK failure: !isolate->has_scheduled_exception() in builtins-console.cc | - | 2018-10-16 |
| 861571 | Security DCHECK failure: !node || (node->IsHTMLElement()) in html_element.h | - | 2018-10-16 |
| 855211 | Security: WebRTC: Use-after-free in VP9 Processing | - | 2018-10-15 |
| 853424 | Stack-use-after-return in TDiagnostics::writeDebug | - | 2018-10-13 |
| 855932 | Security DCHECK failure: !object || (object->IsBox()) in layout_box.h | - | 2018-10-13 |
| 860096 | Crash in v8_wasm_async_fuzzer | - | 2018-10-13 |
| 861523 | Crash in v8_wasm_async_fuzzer | - | 2018-10-13 |
| 859308 | Crash in v8_wasm_compile_fuzzer | - | 2018-10-12 |
| 860392 | DCHECK failure in pc == code->instruction_start() in wasm-code-manager.cc | - | 2018-10-12 |
| 860536 | CHECK failure: args[0]->IsObject() in async-hooks-wrapper.cc | - | 2018-10-12 |
| 851662 | Security: WebRTC: Unchecked Optional Access in Updating timestamp after RED packet | - | 2018-10-11 |
| 854887 | Bad-cast to blink::ScriptWrappable from invalid vptr in blink::V8Element::ToImpl | - | 2018-10-11 |
| 855960 | DCHECK failure in Capacity() <= heap()->MaxOldGenerationSize() in spaces.cc | - | 2018-10-11 |
| 857479 | [animationworklet] AnimationWorklet declared in child frame may override animations in parent | - | 2018-10-11 |
| 843960 | Heap-use-after-free in content::RenderFrameImpl::PostAccessibilityEvent | - | 2018-10-09 |
| 844845 | Bad-cast to content::RenderFrameImpl from invalid vptr in test_runner::WebFrameTestProxy<content::RenderFrameImpl, content::RenderFrameImpl::CreateParams>::PostAccessibilityEvent | - | 2018-10-09 |
| 854816 | Heap-use-after-free in media::AudioManagerWin::InitializeOnAudioThread | - | 2018-10-09 |
| 856999 | Use-of-uninitialized-value in OmniboxView::OpenMatch | - | 2018-10-09 |
| 857500 | Heap-buffer-overflow in _ZNSt3__16vectorIhNS_9allocatorIhEEE18__construct_at_endIPKhEENS_9enable_ifIXsr2 | - | 2018-10-09 |
| 857524 | Heap-use-after-free in TemplateURLRef::SearchTermsArgs::SearchTermsArgs | - | 2018-10-09 |
| 859809 | DCHECK failure in !object->IsFiller() in mark-compact.cc | - | 2018-10-09 |
| 856578 | heap-use-after-free in memory_instrumentation::CoordinatorImpl::OnQueuedRequestTimedOut | - | 2018-10-08 |
| 857439 | CVE-2018-1000199 CrOS: Vulnerability reported in Linux kernel | - | 2018-10-08 |
| 859294 | Heap-use-after-free in blink::PaintController::FinishCycle | - | 2018-10-08 |
| 850350 | Security: stack-buffer-overflow in Break | $5,000 | 2018-10-06 |
| 856474 | Heap-use-after-free in fxcrt::UnownedPtr<CFX_XMLNode>::ProbeForLowSeverityLifetimeIssue | - | 2018-10-06 |
| 856761 | Global-buffer-overflow in webrtc::internal::AudioSendStream::RegisterCngPayloadType | - | 2018-10-06 |
| 857017 | CVE-2018-11412 CrOS: Vulnerability reported in Linux kernel | - | 2018-10-06 |
| 853538 | Heap-use-after-free in blink::LayoutBlock::ComputeBlockPreferredLogicalWidths | - | 2018-10-05 |
| 857139 | Heap-use-after-free in EnsureAncestorDependentCompositingInputs | - | 2018-10-05 |
| 857262 | Heap-use-after-free in viz::SingleReleaseCallback::Run | - | 2018-10-05 |
| 857311 | Use-after-poison in blink::PersistentBase<blink::DummyGCBase, | - | 2018-10-05 |
| 327295 | speech-dispatcher crashes with window.speechSynthesis() | $1,000 | 2018-10-04 |
| 666299 | Security: debugger extension API bypasses normal opt-in for file:// access | - | 2018-10-04 |
| 856532 | Heap-use-after-free in AutocompleteMatch::AutocompleteMatch | - | 2018-10-04 |
| 856962 | Heap-buffer-overflow in autofill::FormStructure::RationalizeAddressStateCountry | - | 2018-10-04 |
| 854556 | Bad-cast to blink::LayoutObject from invalid vptr in blink::AXObjectCacheImpl::GetOrCreate | - | 2018-10-03 |
| 856054 | Use-of-uninitialized-value in FXSYS_round | - | 2018-10-03 |
| 856354 | Security: [pdfium] CJS_Field::m_pJSDoc may outlive the document. | - | 2018-10-03 |
| 856471 | Heap-buffer-overflow in Decode | - | 2018-10-03 |
| 856954 | Heap-use-after-free in blink::AXObjectCacheImpl::GetOrCreate | - | 2018-10-03 |
| 867501 | Security: Talos Security Advisory for Google PDFium (TALOS-2018-0639) | $2,000 | 2018-10-03 |
| 851241 | Crash in gfx::RenderTextHarfBuzz::DrawVisualText | - | 2018-10-02 |
| 852085 | CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (object->IsSmi()) in objects-inl.h | - | 2018-10-02 |
| 854883 | Security: Buffer overflow in usrsctplib | - | 2018-09-30 |
| 849217 | Security: Reference count leak in SwiftShader OpenGL texture bindings | - | 2018-09-29 |
| 850476 | Crash in quic::QuicConnection::OnAckRange | - | 2018-09-28 |
| 852644 | Security: negative-size-param in Skia | $1,000 | 2018-09-28 |
| 853434 | Heap-use-after-free in ash::UnifiedSystemTrayBubble::ActivateBubble | - | 2018-09-28 |
| 854066 | Security: OOB read in TypedArray.from | - | 2018-09-28 |
| 854296 | Heap-buffer-overflow in avio_read | - | 2018-09-28 |
| 854623 | Security: Out-of-bound access in CFXJSE_FormCalcContext::Lower | $1,000 | 2018-09-28 |
| 835613 | Heap-use-after-free in blink::FloatingObject::FloatingObject | - | 2018-09-27 |
| 854213 | DCHECK failure in var < ParameterCount() in scope-info.cc | - | 2018-09-27 |
| 854299 | Security: OOB read in Array.prototype.sort | $4,000 | 2018-09-27 |
| 854476 | Use-of-uninitialized-value in v8::internal::Isolate::RunHostImportModuleDynamicallyCallback | - | 2018-09-27 |
| 854941 | DCHECK failure in var < ParameterCount() in scope-info.cc | - | 2018-09-27 |
| 847570 | Security: heap-buffer-overflow in blink::ScriptFunction::~ScriptFunction() | $3,000 | 2018-09-26 |
| 848617 | Heap-use-after-free in blink::AXObjectCacheImpl::GetOrCreate | - | 2018-09-26 |
| 849840 | Bad-cast to blink::LayoutObject from invalid vptr in blink::AXObjectCacheImpl::GetOrCreate | - | 2018-09-26 |
| 852944 | DCHECK failure in !it.done() in module-compiler.cc | - | 2018-09-26 |
| 854160 | Crash in v8::internal::Heap::MergeAllocationSitePretenuringFeedback | - | 2018-09-26 |
| 854463 | Crash in v8::internal::TypedElementsAccessor< | - | 2018-09-26 |
| 849131 | Heap-use-after-free in gpu::gles2::GLES2Implementation::OnGpuControlLostContext | - | 2018-09-25 |
| 851398 | Stack-buffer-overflow in sw::Surface::Buffer::read | - | 2018-09-25 |
| 851955 | Pixelbook embedded U2F Tokens Should be Locked to a Single Account and NOT be permitted in Guest Mode | - | 2018-09-25 |
| 852592 | Security: OOB read/write in Array.prototype.sort | $7,500 | 2018-09-25 |
| 852641 | Stack-buffer-overflow in libGLESv2_swiftshader | - | 2018-09-25 |
| 852759 | CVE-2018-10940 CrOS: Vulnerability reported in Linux kernel | - | 2018-09-25 |
| 852258 | JSTypedArray ByteLength out of bounds | - | 2018-09-24 |
| 853552 | Heap-use-after-free in blink::LayoutObject::ContainingBlock | - | 2018-09-24 |
| 377995 | Security: CSP Sandbox bypass | $1,000 | 2018-09-22 |
| 840857 | Security: Browser process should catch commits of extension URLs in web processes | - | 2018-09-22 |
| 848716 | Security: Multiple integer overflows in Skia GPU path rendering when computing vertex/idex count | - | 2018-09-22 |
| 853421 | Use-of-uninitialized-value in void base::Pickle::WriteBytesStatic<4ul> | - | 2018-09-22 |
| 853423 | Use-after-poison in void blink::ElementRuleCollector::CollectMatchingRulesForList<blink::HeapTermina | - | 2018-09-22 |
| 853436 | Use-after-poison in blink::MemberBase<blink::ContentSecurityPolicy, | - | 2018-09-22 |
| 835317 | Scroll TLD into view for publisher attribution in Custom Tabs | - | 2018-09-21 |
| 850493 | Heap-buffer-overflow in webrtc::internal::CopyColumn | - | 2018-09-21 |
| 847903 | Multiple UAF bugs fixed in the upstream kernel (most in the year 2017), but not patched in stable/latest chromeos4.4 kernel. | - | 2018-09-20 |
| 850910 | CVE-2018-10675 CrOS: Vulnerability reported in Linux kernel | - | 2018-09-20 |
| 845136 | heap use-after-free in link::VideoFrameSubmitter::~VideoFrameSubmitter() | $500 | 2018-09-19 |
| 847242 | Security: IDN URL Spoofing with Myanmar character "á" (U+1012) | - | 2018-09-19 |
| 849073 | Crash in blink::PersistentBase<blink::DummyGCBase, | - | 2018-09-19 |
| 852207 | Crash in v8::internal::FullEvacuationVerifier::VerifyPointers | - | 2018-09-19 |
| 849398 | Security: IDN URL Spoofing with Georgian Letter Vin | $500 | 2018-09-18 |
| 849329 | Security: CVE-2018-5383 | - | 2018-09-18 |
| 848786 | Cross-origin stylesheet content is readable using SW | $500 | 2018-09-17 |
| 831117 | Termination GC leaves behind persistents | - | 2018-09-14 |
| 850354 | Use-of-uninitialized-value in blink::ImageFrame::BlendRGBARaw | - | 2018-09-14 |
| 850407 | Crash in HintTableForFuzzing::Fuzz | - | 2018-09-14 |
| 850440 | Crash in CPDF_HintTables::ReadPageHintTable | - | 2018-09-14 |
| 850490 | CVE-2018-8781 CrOS: Vulnerability reported in Linux kernel | - | 2018-09-14 |
| 839983 | Cross-origin audio leak using Web Audio API | $1,000 | 2018-09-13 |
| 847226 | Current update_engine code breaks rollback protection for enterprise devices | - | 2018-09-13 |
| 847328 | Security DCHECK failure: !object || (object->IsLayoutMultiColumnSet()) in layout_multi_column_set.h | - | 2018-09-13 |
| 850005 | CHECK failure: Type cast failed in CAST(var_elements.value()) at ../../src/builtins/builtins-ca | - | 2018-09-13 |
| 850305 | Use-of-uninitialized-value in disk_cache::SimpleEntryImpl::WriteDataInternal | - | 2018-09-13 |
| 850365 | Use-of-uninitialized-value in void net::PrioritizedTaskRunner::PostTaskAndReplyWithResult<int, int> | - | 2018-09-13 |
| 826552 | Redirect circumvents same-origin restrictions for AudioWorklet | $1,000 | 2018-09-12 |
| 841105 | Security: uXSS in Chrome on iOS | $7,500 | 2018-09-12 |
| 843736 | Security: ChromeOS Settings Template Injection | - | 2018-09-12 |
| 844833 | heap-use-after-free on AudioOutputDevi | $2,000 | 2018-09-12 |
| 845859 | CVE-2018-10021 CrOS: Vulnerability reported in Linux kernel | - | 2018-09-12 |
| 846295 | CVE-2018-10124 CrOS: Vulnerability reported in Linux kernel | - | 2018-09-12 |
| 847060 | Heap-buffer-overflow in mov_read_saio | - | 2018-09-12 |
| 848672 | Security: V8 Incorrect type cast in String.p.split function leads to OOB write | $5,000 | 2018-09-12 |
| 848779 | Use-of-uninitialized-value in content::SignedExchangePrologue::Parse | - | 2018-09-12 |
| 849062 | Heap-buffer-overflow in avio_read | - | 2018-09-12 |
| 849142 | Use-of-uninitialized-value in test_runner::CopyImageAtAndCapturePixels | - | 2018-09-12 |
| 849144 | Heap-buffer-overflow in content::SignedExchangePrologue::ParseEncodedLength | - | 2018-09-12 |
| 849663 | DCHECK failure in x <= INT_MAX in conversions.h | - | 2018-09-12 |
| 813349 | Heap-use-after-free in CPDF_ContentParser::~CPDF_ContentParser | - | 2018-09-11 |
| 836760 | CrOS: Vulnerability reported in dev-libs/openssl | - | 2018-09-11 |
| 848238 | Security: Floating-point precision errors in Swiftshader blitting | - | 2018-09-11 |
| 848914 | Security: heap-buffer-overflow in gpu::gles2::StrictIdHandler::FreeIds | $3,000 | 2018-09-11 |
| 849595 | Use-of-uninitialized-value in blink::AudioHandler::ProcessIfNecessary | - | 2018-09-11 |
| 840536 | Security: WebRTC: Type Confusion when processing H264 NAL packet | - | 2018-09-10 |
| 848531 | Security: Simulated Alt + Click event can download a cross origin file | - | 2018-09-10 |
| 849033 | Heap-use-after-free in blink::TransformPaintPropertyNode::GetTransformCache | - | 2018-09-10 |
| 849036 | Heap-use-after-free in blink::GeometryMapper::SourceToDestinationProjectionInternal | - | 2018-09-10 |
| 849072 | Heap-use-after-free in test_runner::WebWidgetTestClient::AnimateNow | - | 2018-09-10 |
| 849109 | Heap-use-after-free in blink::GeometryMapper::LocalToAncestorClipRectInternal | - | 2018-09-10 |
| 847089 | Use-of-uninitialized-value in cc::PaintOp::AreSkMatricesEqual | - | 2018-09-09 |
| 844828 | Heap-use-after-free in gpu::gles2::GLES2Implementation::OnGpuControlLostContext | - | 2018-09-08 |
| 847386 | Security: Skia: Uninitialized variable in gen_alpha_deltas | - | 2018-09-08 |
| 833143 | Lao could lead to idn spoof | $500 | 2018-09-07 |
| 847718 | Chrome URL Spoofing (via refreshed) | $500 | 2018-09-07 |
| 839358 | CVE-2018-1094 CrOS: Vulnerability reported in Linux kernel | - | 2018-09-06 |
| 844428 | Security: Extension is able to inject script into chrome://newtab/ | $500 | 2018-09-06 |
| 845006 | ASSERT: GTK_IS_TREE_MODEL (tree_model) | - | 2018-09-06 |
| 845489 | Security: Incomplete fix for crbug/844457 (Heap overflow in SkScan::FillPath due to precision error) | - | 2018-09-06 |
| 846262 | Security: Qualys procps audit | - | 2018-09-06 |
| 847346 | Use-of-uninitialized-value in CFX_DIBitmap::Clear | - | 2018-09-06 |
| 847809 | Stack-buffer-overflow in webrtc::VideoQualityObserver::OnDecodedFrame | - | 2018-09-06 |
| 847780 | DCHECK failure in !HasWeakHeapObjectTag(object) in scavenger.cc | - | 2018-09-06 |
| 839357 | CVE-2018-1093 CrOS: Vulnerability reported in Linux kernel | - | 2018-09-05 |
| 842265 | Security: WebRTC: Use-after-free in VP8 Block Decoding | - | 2018-09-05 |
| 847728 | DCHECK failure in !IsSmi() == Internals::HasHeapObjectTag(this) in objects.h | - | 2018-09-05 |
| 849355 | Clickjacking on the inline extension installation dialog | - | 2018-09-04 |
| 788936 | Steal local file contents by abusing liberal CSS parsing | $2,000 | 2018-09-04 |
| 847247 | Heap-buffer-overflow in CPDF_DeviceCS::GetRGB | - | 2018-09-04 |
| 841280 | heap-use-after-free in BlinkGC | $2,000 | 2018-09-03 |
| 846635 | Heap-buffer-overflow in blink::NormalizeLineEndingsToCRLF | $500 | 2018-09-03 |
| 847012 | Heap-use-after-free in blink::LayoutBlockFlow::RemoveChild | - | 2018-09-03 |
| 847177 | Use-after-poison in blink::HTMLSlotElement::DetachLayoutTree | - | 2018-09-03 |
| 847182 | Heap-use-after-free in blink::LayoutObjectChildList::RemoveChildNode | - | 2018-09-03 |
| 844195 | Security: SpeechSynthesisEvent exposes high-resolution timestamps | $500 | 2018-09-01 |
| 845961 | Security: Setting arbitrary http request headers via <iframe csp> attribute | $3,133 | 2018-09-01 |
| 846827 | Use-of-uninitialized-value in assist_ranker::RankerURLFetcher::Request | - | 2018-09-01 |
| 846000 | Container-overflow in v8::internal::compiler::JsonPrintAllSourceWithPositions | - | 2018-08-31 |
| 844872 | Heap-buffer-overflow in transform_scanline_bgrA | - | 2018-08-31 |
| 846182 | Heap-use-after-free in blink::MIDIInput::DidReceiveMIDIData | - | 2018-08-31 |
| 844578 | Bad-cast to blink::CSSProperty from invalid vptr in blink::ToCSSProperty | - | 2018-08-30 |
| 844796 | Bad-cast to const blink::CSSProperty from invalid vptr in blink::CSSProperty::Get | - | 2018-08-30 |
| 844840 | Bad-cast to const blink::CSSPropertyblink::CSSProperty::Get in blink::CSSComputedStyleDeclaration::SetPropertyInternal | - | 2018-08-30 |
| 846192 | Bad-cast to blink::LayoutObject from invalid vptr in blink::LayoutBlockFlow::RemoveChild | - | 2018-08-30 |
| 845040 | Heap-use-after-free in blink::SVGResources::LayoutIfNeeded | - | 2018-08-29 |
| 841962 | Security: WebRTC: Overflow in FEC Processing | - | 2018-08-28 |
| 844301 | Heap-use-after-free in PreviousSibling | - | 2018-08-27 |
| 844857 | Use-of-uninitialized-value in blink::LayoutObject::NextInPreOrderAfterChildren | - | 2018-08-27 |
| 828265 | MediaError message property leaks cross-origin response status | $500 | 2018-08-25 |
| 835299 | Security: Integer overflow in Swiftshader texture allocation | - | 2018-08-25 |
| 843970 | CrOS: Vulnerability reported in dev-libs/libxml2 | - | 2018-08-25 |
| 844089 | Security DCHECK failure: !object || (object->IsBox()) in layout_box.h | - | 2018-08-25 |
| 844254 | Heap-buffer-overflow in void SkMatrixConvolutionImageFilter::filterPixels<RepeatPixelFetcher, true> | - | 2018-08-25 |
| 844275 | CHECK failure: Type cast failed in CAST(length.value()) at ../../src/builtins/builtins-array-ge | - | 2018-08-25 |
| 844366 | Bad-cast to SkPixelRef from invalid vptr in SkBitmap::getGenerationID | - | 2018-08-25 |
| 844457 | Security: Chrome/Skia: Heap overflow in SkScan::FillPath due to precision error. | - | 2018-08-25 |
| 685747 | Extension names aren't sanitized when displayed in the UI | - | 2018-08-24 |
| 770709 | Latin "with dot below" not rendered as PunyCode | - | 2018-08-24 |
| 826019 | Security: IDN URL Spoofing with using U+0525 | - | 2018-08-24 |
| 835554 | U+0153 (Å), U+00e6 (æ) may lead to url spoofing | $500 | 2018-08-24 |
| 836885 | Security: IDN URL Spoofing with âÒâ (U+0499) | - | 2018-08-24 |
| 840161 | Security: use-after-free or double-free in Virtio Wayland ChromiumOS code | $1,500 | 2018-08-24 |
| 842990 | Security: Sandbox Escape - Use After Free with IndexedDBConnection | $10,000 | 2018-08-24 |
| 843563 | [wasm] Shared js-to-wasm wrappers call to instance-specific wasm-to-js wrapper | - | 2018-08-24 |
| 844200 | CHECK failure: Type cast failed in CAST(length.value()) at ../../src/builtins/builtins-array-ge | - | 2018-08-24 |
| 817920 | Security: ChromeOS persistent command execution as root | $33,337 | 2018-08-23 |
| 818032 | Security: Passing PATH variable to Upstart jobs allows for privilege escalation. | - | 2018-08-23 |
| 826434 | Security: Concern about WebAssembly table mutability | - | 2018-08-23 |
| 835889 | Various filesystem CVEs | - | 2018-08-23 |
| 843493 | Crash in CPWL_Timer::KillPWLTimer | - | 2018-08-23 |
| 843543 | Security: OOB reads due to missing map check | - | 2018-08-23 |
| 804123 | Security: TexImage3D heap-buffer-overflow in WebKit Webgl | $1,000 | 2018-08-22 |
| 836362 | Security: download.default_directory should not be modifiable via settingsPrivate.setPref | - | 2018-08-22 |
| 839197 | Heap-use-after-free in PermissionRequestManager::AddRequest | - | 2018-08-22 |
| 843022 | Security: OOB access in RegExpBuiltinsAssembler::LoadRegExpResultFirstMatch | $2,000 | 2018-08-22 |
| 843120 | [wasm] We call the start function with the wrong instance | - | 2018-08-22 |
| 829528 | Heap-use-after-free in cc::ResourceProvider::ContextGL | - | 2018-08-21 |
| 838886 | Crash in CFX_DIBitmap::~CFX_DIBitmap | - | 2018-08-21 |
| 839822 | Chrome URL spoofing vulnerability on IOS | $1,000 | 2018-08-21 |
| 840695 | Heap-use-after-free in CJBig2_Image::~CJBig2_Image | - | 2018-08-21 |
| 840855 | DCHECK failure in current_pos <= num_indices in runtime-array.cc | - | 2018-08-21 |
| 842501 | Stack-buffer-overflow in v8::internal::compiler::VisitBinop | - | 2018-08-21 |
| 842545 | Heap-use-after-free in TabStripModel::SendDetachWebContentsNotifications | - | 2018-08-21 |
| 839695 | pdfium: global-buffer-overflow in CFX_BidiLine::ResolveImplicit | $1,000 | 2018-08-20 |
| 840320 | Security: type confusion trigger DCHECK fail in ReadableStreamBytesConsumer::OnFulfilled::Call | $5,000 | 2018-08-20 |
| 842028 | Security: libglesv2 heap-buffer-overflow in VertexBuffer11::storeVertexAttributes | $1,000 | 2018-08-20 |
| 837097 | Heap-use-after-free in base::debug::TaskAnnotator::RunTask | - | 2018-08-19 |
| 830100 | Heap-use-after-free in cc::VideoResourceUpdater::HardwarePlaneResource::~HardwarePlaneResource | - | 2018-08-18 |
| 839356 | CVE-2018-1092 CrOS: Vulnerability reported in Linux kernel | - | 2018-08-18 |
| 839660 | TargetAutoAttacher::AutoAttachToFrame UaF (Sandbox Escape) | - | 2018-08-18 |
| 842078 | Crash in v8::internal::String::MakeExternal | - | 2018-08-18 |
| 812667 | Security: Cross-origin information leak via subresource integrity (SRI), fetch and Service Workers | $1,000 | 2018-08-17 |
| 840106 | Security: heap-use-after-free in TypedArrayBuiltinsAssembler::ConstructByArrayLike | $7,500 | 2018-08-17 |
| 838867 | CVE-2017-18255 CrOS: Vulnerability reported in Linux kernel | - | 2018-08-17 |
| 823194 | Security: Long extension name allows spoofing of Debugging InfoBar | $500 | 2018-08-16 |
| 832246 | Bad-cast to blink::LayoutBlock from blink::LayoutText in blink::ToLayoutBlock | - | 2018-08-16 |
| 836162 | Crash in blink::LayoutObject::NextInPreOrder | - | 2018-08-16 |
| 837477 | Crash in _pthread_key_global_init | - | 2018-08-16 |
| 838588 | Crash in blink::TextOffsetMapping::TextOffsetMapping | - | 2018-08-16 |
| 838589 | Bad-cast to blink::LayoutBlock from blink::LayoutTextCombine in blink::TextOffsetMapping::ComputeContainigBlock | - | 2018-08-16 |
| 838859 | Use-of-uninitialized-value in blink::SlotAssignment::Trace | - | 2018-08-16 |
| 839961 | Heap-use-after-free in test_runner::PrintFrameDescription | - | 2018-08-16 |
| 840776 | Bad-cast to blink::LayoutSVGResourceContainer from invalid vptr in blink::SVGResources::RemoveClientFromCacheAffectingObjectBounds | - | 2018-08-16 |
| 840864 | Heap-use-after-free in blink::SVGFilterPainter::PrepareEffect | - | 2018-08-16 |
| 840923 | Heap-use-after-free in blink::SVGResourcesCache::CachedResourcesForLayoutObject | - | 2018-08-16 |
| 840924 | Heap-use-after-free in blink::SVGResources::LayoutIfNeeded | - | 2018-08-16 |
| 840979 | TextOffsetMapping make blink::SlotAssignment::Trace() to crash | - | 2018-08-16 |
| 841046 | Bad-cast to blink::LayoutObject from invalid vptr in blink::LayoutObject::LayoutIfNeeded | - | 2018-08-16 |
| 841055 | Use-of-uninitialized-value in blink::LayoutSVGResourceFilter::RemoveClientFromCache | - | 2018-08-16 |
| 841109 | Heap-use-after-free in SelfNeedsLayout | - | 2018-08-16 |
| 841059 | Heap-use-after-free in blink::LayoutSVGResourceFilter::ResourceBoundingBox | - | 2018-08-16 |
| 841118 | Heap-use-after-free in Lookup<WTF::IdentityHashTranslator<WTF::MemberHash<blink::SVGResourceClient>, | - | 2018-08-16 |
| 841153 | Heap-use-after-free in GetDocument | - | 2018-08-16 |
| 841154 | Bad-cast to blink::SVGMarkerElement from blink::SVGPathElement in blink::SVGMarkerElement* blink::ToElement<blink::SVGMarkerElement> | - | 2018-08-16 |
| 841201 | Heap-use-after-free in blink::SVGResources::LayoutIfNeeded | - | 2018-08-16 |
| 841210 | Use-of-uninitialized-value in skcms_TransferFunction_eval | - | 2018-08-16 |
| 841275 | Crash in blink::SVGAnimatedPropertyCommon<blink::SVGEnumerationBase>::CurrentValue | - | 2018-08-16 |
| 841698 | Use-of-uninitialized-value in blink::HTMLMediaElement::StartPlayerLoad | - | 2018-08-16 |
| 841592 | Crash in IntToSmi<31> | - | 2018-08-16 |
| 841705 | Heap-use-after-free in blink::SVGResources::LayoutIfNeeded | $3,500 | 2018-08-16 |
| 826187 | Security: Cross Site Resource Size Estimation via OnProgress events | $500 | 2018-08-14 |
| 683418 | Don't allow web iframes on chrome:// pages | - | 2018-08-14 |
| 835589 | Security: CSS Paint API leaks visited status of links (up to ~3k/sec) | $2,000 | 2018-08-14 |
| 839960 | Security: Use of uninitialized memory caused by AcmReceiver::AcmReceiver() | $500 | 2018-08-14 |
| 840376 | Add back retpoline for indirect function calls in wasm | - | 2018-08-14 |
| 840220 | CHECK failure: Type cast failed in CAST(TypedArraySpeciesConstructor(context, exemplar)) at ../ | - | 2018-08-13 |
| 837048 | Security: URL spoofing (wrong url in omnibox after going back from search result) | - | 2018-08-10 |
| 837585 | Security: CXFA_Node::FindSplitPos container overflow | $1,000 | 2018-08-10 |
| 839348 | Use-of-uninitialized-value in CFX_GifContext::LoadFrame | - | 2018-08-10 |
| 839361 | Use-of-uninitialized-value in bool pdfium::base::internal::CheckedMulOp<unsigned int, unsigned int, void>::Do< | - | 2018-08-10 |
| 839399 | Use-of-uninitialized-value in v8::internal::Serializer<v8::internal::DefaultSerializerAllocator>::ObjectSerial | - | 2018-08-10 |
| 813155 | Heap-use-after-free in fxcrt::UnownedPtr<CFX_XMLNode>::ProbeForLowSeverityLifetimeIssue | - | 2018-08-09 |
| 837578 | Security: pdfium heap-use-after-free | - | 2018-08-09 |
| 838402 | Security: WebRTC: Out-of-bounds memory access in WebRTC VP9 Frame Processing | - | 2018-08-09 |
| 838672 | WebRTC: Out-of-bounds memory access in WebRTC VP9 Missing Frame Processing | - | 2018-08-09 |
| 618264 | Security: PDFium: Out-Of-Bounds Read in libtiff's TIFFReadDirectory Function | - | 2018-08-08 |
| 618936 | Security: PDFium: Heap Buffer Overflow in libtiff's EstimateStripByteCounts Function | - | 2018-08-08 |
| 818138 | Security: Download directory can be set to arbitrary paths via chrome://settings | - | 2018-08-08 |
| 836858 | Security: Privilege Escalation using extension filesystem URLs | - | 2018-08-08 |
| 837939 | Security: [v8] Information Leak in Map constructor | $4,500 | 2018-08-08 |
| 797461 | Security: Extensions can run code in the local/instant NTP | $500 | 2018-08-07 |
| 834624 | DCHECK failure in !trap_handler::IsThreadInWasm() in wasm-interpreter.cc | - | 2018-08-07 |
| 835371 | Bad-cast to blink::LayoutBox from invalid vptr in blink::LayoutBlockFlow::XPositionForFloatIncludingMargin | - | 2018-08-07 |
| 835577 | Flaky UaF when running TabRestoreTest.RestoreFirstBrowserWhenSessionServiceEnabled | - | 2018-08-07 |
| 837943 | Heap-use-after-free in blink::ChunkToLayerMapper::SwitchToChunk | - | 2018-08-05 |
| 803748 | Use-of-uninitialized-value in LZWPreDecode | - | 2018-08-04 |
| 821640 | CSP bypass by navigating same-origin page to JavaScript URI | $1,000 | 2018-08-04 |
| 823864 | Make WebUI more robust to user gesture spoofing | - | 2018-08-04 |
| 837417 | Null-dereference READ in v8::internal::wasm::InstantiateToInstanceObject | - | 2018-08-04 |
| 830303 | Security: heap-use-after-free in check_client_download_request.cc when in incognito mode | $3,000 | 2018-08-03 |
| 834619 | DCHECK failure in func_index == code->index() in wasm-code-manager.cc | - | 2018-08-03 |
| 837479 | Crash in CopyRow_ERMS | - | 2018-08-03 |
| 808333 | Security: PDFium UAF in CXFA_Document::DoProtoMerge | $3,000 | 2018-08-01 |
| 826404 | Use-of-uninitialized-value in gdk_pixbuf_new | - | 2018-08-01 |
| 832734 | Security: URL spoofing on iOS (repro issue 796777) | $500 | 2018-08-01 |
| 834716 | CVE-2018-7566 CrOS: Vulnerability reported in Linux kernel | - | 2018-08-01 |
| 834875 | Container-overflow in webrtc::FftData::CopyToPackedArray | - | 2018-08-01 |
| 836131 | Heap-buffer-overflow in angle::LoadToNative<signed char,1> | $1,500 | 2018-08-01 |
| 836141 | Null-dereference READ in v8::internal::wasm::InstantiateToInstanceObject | - | 2018-08-01 |
| 791324 | Security: Fetch API reveals existence of Redirection in no-cors mode | $500 | 2018-07-31 |
| 834693 | Crash in Call | - | 2018-07-31 |
| 835184 | Global-buffer-overflow in fxcrt::WideString::WStringLength | - | 2018-07-31 |
| 835602 | Use-of-uninitialized-value in blink::ColorSpaceUtilities::GetColorSpaceGamut | - | 2018-07-31 |
| 835639 | Security: FileReader - Use After Free in FileReaderLoader::OnCalculatedSize() | $3,000 | 2018-07-31 |
| 829280 | Heap-use-after-free in cc::VideoResourceUpdater::AllocateResource | - | 2018-07-29 |
| 831054 | Security: Web Worker - Use After Free with Cross Thread Persisten Node | $3,000 | 2018-07-28 |
| 834850 | Bad-cast to blink::InlineTextBox from blink::InlineBox in blink::ToInlineTextBox | - | 2018-07-28 |
| 834851 | Security DCHECK failure: box.IsInlineTextBox() in inline_text_box.h | - | 2018-07-28 |
| 835048 | Use-of-uninitialized-value in SkPictureShader::onMakeContext | $1,500 | 2018-07-28 |
| 814987 | Heap-buffer-overflow in getAddress | - | 2018-07-27 |
| 834149 | Security: PDFium UAF in CFX_XMLElement::Save | $3,500 | 2018-07-27 |
| 834941 | CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (object->IsWeakCell()) in objects-inl | - | 2018-07-27 |
| 834854 | CHECK failure: cell->cleared() || cell->value()->IsMap() in objects-debug.cc | - | 2018-07-27 |
| 810220 | Security: Extension with <all_urls> permission can read arbitrary local files and chrome:// pages | $2,000 | 2018-07-26 |
| 831963 | Security: In-memory Cache UaF 2 | $10,500 | 2018-07-26 |
| 832589 | Security: PDFium UAF in CFGAS_FontMgr::FindFont | $5,500 | 2018-07-26 |
| 833721 | Security: PDFium heap-buffer-overflow WRITE in CPDF_ExpIntFunc::v_Call | $5,000 | 2018-07-26 |
| 833729 | Improper Gzip Decompressing allows content to be added to the file | - | 2018-07-26 |
| 816685 | Security: Extension popups can read local files if a Browser Action invoked on a file:/// URL | $500 | 2018-07-25 |
| 817247 | Security: IDN URL Spoofing with using U+04CF | $500 | 2018-07-25 |
| 827667 | Security: ANGLE LoadToNative memory corruption | $1,000 | 2018-07-25 |
| 831170 | Out-of-bounds read in Promise | - | 2018-07-25 |
| 831984 | Ill in v8::internal::FullEvacuationVerifier::VerifyPointers | - | 2018-07-25 |
| 832101 | TextOffsetMapping::ComputeContainigBlock() crashes with all elements are float | - | 2018-07-25 |
| 832261 | TextOffsetMapping::ComputeContainigBlock() crashes with position:aboslute | - | 2018-07-25 |
| 833172 | TextOffsetMapping::ComputeContaingBlock() crashes with position:fixed | - | 2018-07-25 |
| 750298 | Security: Spoofing with chrome://cache (Chrome icon as SecurityIndicator) | - | 2018-07-24 |
| 832787 | Use-of-uninitialized-value in TParseContext::nonInitErrorCheck | - | 2018-07-22 |
| 801648 | Use-of-uninitialized-value in TType::operator== | - | 2018-07-21 |
| 826041 | Multiple concurrent screen capture sessions are not handled correctly on ChromeOS | - | 2018-07-21 |
| 831539 | CVE-2018-1068 CrOS: Vulnerability reported in Linux kernel | - | 2018-07-21 |
| 796794 | Use-of-uninitialized-value in TParseContext::addIndexExpression | - | 2018-07-20 |
| 797174 | Use-of-uninitialized-value in TParseContext::nonInitErrorCheck | - | 2018-07-20 |
| 818133 | MacViews: views::Textfield doesn't enable secure input for password in HTTP Authentication prompt | - | 2018-07-20 |
| 823074 | Security DCHECK failure: line_layout_item.IsLayoutInline() || line_layout_item.IsEqual(this) in LayoutBlo | - | 2018-07-20 |
| 831943 | Security: Crash with JavaScript RegExp subclassing | $1,500 | 2018-07-20 |
| 811158 | Bookmark Apps of non-secure origins do not show security indicators | - | 2018-07-19 |
| 819809 | Security: SEE_MASK_FLAG_NO_UI behavior changes in Windows 10, allowing SmartScreen bypass | $500 | 2018-07-19 |
| 829213 | Security: Crash in content::SpeechRecognitionDispatcher::OnRecognitionEnded() | $3,000 | 2018-07-19 |
| 830194 | Heap-use-after-free in [thunk]:rtc::VideoSourceInterface<class | - | 2018-07-19 |
| 831537 | CrOS: Vulnerability reported in net-misc/curl | - | 2018-07-19 |
| 813376 | Crash in v8::internal::Invoke | - | 2018-07-18 |
| 829777 | CVE-2018-7995 CrOS: Vulnerability reported in Linux kernel | - | 2018-07-18 |
| 829881 | Security DCHECK failure: value.IsValueList() in CSSValueList.h | - | 2018-07-18 |
| 831111 | CVE-2018-8087 CrOS: Vulnerability reported in Linux kernel | - | 2018-07-18 |
| 831463 | CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (object->IsWasmInstanceObject()) in w | - | 2018-07-18 |
| 797465 | Referrer Policy bypass using Navigation Timing API | $500 | 2018-07-17 |
| 825480 | CVE-2017-18208 CrOS: Vulnerability reported in Linux kernel | - | 2018-07-17 |
| 830179 | Heap-use-after-free in blink::PaintLayer::UpdateHasSelfPaintingLayerDescendant | - | 2018-07-17 |
| 830256 | Heap-buffer-overflow in display::EdidParser::ParseEdid | - | 2018-07-16 |
| 828323 | Bad-cast to blink::WebAudioSourceProvider from invalid vptr in blink::HTMLMediaElement::AudioSourceProviderImpl::Wrap | - | 2018-07-15 |
| 830138 | Heap-buffer-overflow in display::EdidParser::ParseEdid | - | 2018-07-15 |
| 830146 | Bad-cast to NiceMock<media::MockMediaLog> from media::MockMediaLog in testing::internal::NiceMockBase<media::MockMediaLog>::NiceMockBase | - | 2018-07-14 |
| 823096 | Crash in sw::Renderer::executeTask | - | 2018-07-13 |
| 825524 | Heap-buffer-overflow in Decode | - | 2018-07-13 |
| 828234 | Use-of-uninitialized-value in send_delete_event | - | 2018-07-13 |
| 829679 | CHECK failure: Type cast failed in CAST(properties) at ../../src/code-stub-assembler.cc:1412 in | - | 2018-07-13 |
| 793402 | Mac: Add hardening to protect against sandboxed processes calling CTFontManagerRegisterFontsForURL(), tricking LoadFontOnFileThread() | $500 | 2018-07-12 |
| 826659 | Heap-use-after-free in blink::PaintController::GenerateRasterInvalidationsComparingChunks | - | 2018-07-12 |
| 826166 | Security: Out-Of-Bounds Write Vulnerability in Skia | $3,000 | 2018-07-12 |
| 828359 | Heap-buffer-overflow in cast_message_fuzzer.cc | - | 2018-07-12 |
| 828575 | Heap-use-after-free in base::internal::BindState<void | - | 2018-07-12 |
| 828715 | Heap-use-after-free in base::internal::WeakPtrFactoryBase::~WeakPtrFactoryBase | - | 2018-07-12 |
| 828924 | Crash in base::debug::TaskAnnotator::RunTask | - | 2018-07-12 |
| 829058 | Bad-cast to safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState from invalid vptr in Invoke<scoped_refptr<safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState>> | - | 2018-07-12 |
| 805224 | Security: chrome.debugger can attach to any target | $2,000 | 2018-07-11 |
| 826671 | CVE-2017-18221 CrOS: Vulnerability reported in Linux kernel | - | 2018-07-11 |
| 827013 | CHECK failure: Type cast failed in CAST(LoadFixedArrayElement( descriptors, DescriptorArray::To | - | 2018-07-11 |
| 827806 | Heap-use-after-free in v8::internal::Isolate::UnregisterFromReleaseAtTeardown | - | 2018-07-11 |
| 828049 | pdfium: oob array write in CPDF_StreamParser::ParseNextElement | $500 | 2018-07-11 |
| 828522 | Use-of-uninitialized-value in v8::internal::Sweeper::PauseOrCompleteScope::PauseOrCompleteScope | - | 2018-07-11 |
| 828524 | Heap-use-after-free in safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::GetURLLoaderF | - | 2018-07-11 |
| 732718 | Security: X64 assembler incorrectly encodes RIP+disp operand when followed by immediate. | - | 2018-07-10 |
| 825045 | DCHECK failure in descriptor_number < number_of_descriptors() in objects-inl.h | - | 2018-07-10 |
| 826232 | Heap-use-after-free in blink::DeferredTaskHandler::FinishTailProcessing | - | 2018-07-10 |
| 826626 | Security: Blockfile Media Cache UaF | $10,000 | 2018-07-10 |
| 827039 | Heap-use-after-free in gpu::CommandBufferProxyImpl::DisconnectChannel | - | 2018-07-10 |
| 827046 | Heap-use-after-free in gpu::CommandBufferProxyImpl::DisconnectChannel | - | 2018-07-10 |
| 827492 | Security: In-memory Cache UaF | $10,500 | 2018-07-10 |
| 828221 | Heap-use-after-free in blink::DeferredTaskHandler::FinishTailProcessing | - | 2018-07-10 |
| 822821 | Heap-buffer-overflow in BrotliCopyBytes | - | 2018-07-07 |
| 825545 | Security: Heap Buffer Overflow (4 byte read) in sw::Blitter::blit3D (swiftshader) | - | 2018-07-07 |
| 826673 | CVE-2018-7740 CrOS: Vulnerability reported in Linux kernel | - | 2018-07-07 |
| 826783 | Bad-cast to rtc::PacketTransportInternal from content::(anonymous namespace)::IpcPacketSocket in webrtc::RtpTransport::IsTransportWritable | - | 2018-07-07 |
| 826876 | Use-of-uninitialized-value in webrtc::RtpTransport::OnWritableState | - | 2018-07-07 |
| 827715 | Bad-cast to rtc::PacketTransportInternal from invalid vptr in webrtc::RtpTransport::IsTransportWritable | - | 2018-07-07 |
| 810736 | Heap-use-after-free in sw::Renderer::finishRendering | $3,000 | 2018-07-06 |
| 823150 | Use-of-uninitialized-value in blink::ScrollAnchor::NotifyBeforeLayout | - | 2018-07-06 |
| 826725 | Heap-use-after-free in webrtc::RtpTransport::OnWritableState | - | 2018-07-06 |
| 827106 | DCHECK failure in handler->IsStoreHandler() in handler-configuration-inl.h | - | 2018-07-06 |
| 813541 | Security: Referrer leak + CSS injection at home page of remote debugging server = RCE | $500 | 2018-07-05 |
| 823039 | Stack-use-after-return in TDiagnostics::writeDebug | - | 2018-07-05 |
| 826658 | Security: Unauthorized users can edit features on https://www.chromestatus.com | $100 | 2018-07-05 |
| 826785 | DCHECK failure in handler->IsStoreHandler() in handler-configuration-inl.h | - | 2018-07-05 |
| 826364 | Security: RFI / XSS on https://www.chromestatus.com/ | $500 | 2018-07-04 |
| 826389 | Use-of-uninitialized-value in gpu::CommandBufferHelper::Finish | - | 2018-07-04 |
| 825503 | Uninitialized variable usage in ANGLE may cause a memory disclosure | $500 | 2018-07-03 |
| 793715 | Heap-use-after-free in xmlParseGetLasts | - | 2018-06-30 |
| 799707 | Chromium: Vulnerability reported in libxml | - | 2018-06-30 |
| 813540 | Security: remote debugging + DNS rebinding = UXSS | $500 | 2018-06-30 |
| 818472 | Security: WebUSB HID Device Access + OOB Read / Crash Via WebUSB transferIn | $5,000 | 2018-06-30 |
| 822976 | Security: egl::Image::loadImageData - SwiftShader | $1,000 | 2018-06-30 |
| 823345 | Heap-use-after-free in xmlParseGetLasts | - | 2018-06-30 |
| 825087 | DCHECK failure in is_wasm_memory == GetIsolate()->wasm_engine()->memory_tracker()->IsWasmMemory( b | - | 2018-06-30 |
| 825273 | Security: Bug in BoringSSL P-256 point_add | $500 | 2018-06-30 |
| 791216 | Referrer leak when Chrome Web App is installed on a path | - | 2018-06-29 |
| 821364 | Heap-buffer-overflow in base::internal::JSONParser::ConsumeStringRaw | - | 2018-06-29 |
| 822120 | Heap-buffer-overflow in base::IteratorRangeToNumber<base::BaseHexIteratorRangeToIntTraits<char const*> > | - | 2018-06-29 |
| 824531 | Security: Redirected URL leak on iOS | - | 2018-06-29 |
| 824714 | CVE-2017-18203 CrOS: Vulnerability reported in Linux kernel | - | 2018-06-29 |
| 820984 | CHECK failure: InstructionSelector::SupportsSpeculationPoisoning() in pipeline.cc | - | 2018-06-28 |
| 821334 | CVE-2017-18174 CrOS: Vulnerability reported in Linux kernel | - | 2018-06-28 |
| 823116 | Use-of-uninitialized-value in void base::Pickle::WriteBytesStatic<4ul> | - | 2018-06-28 |
| 823048 | CVE-2018-6927 CrOS: Vulnerability reported in Linux kernel | - | 2018-06-28 |
| 823125 | CVE-2018-7480 CrOS: Vulnerability reported in Linux kernel | - | 2018-06-28 |
| 824102 | Chromium: Vulnerability reported in libxml | - | 2018-06-28 |
| 824586 | Use-of-uninitialized-value in void base::Pickle::WriteBytesStatic<4ul> | - | 2018-06-28 |
| 799711 | Security: Bypass password for PIN/lock on sleep settings on Chrome OS | $500 | 2018-06-27 |
| 820913 | Security: Heap-buffer-overflow in AAHairlineOp::onPrepareDraws | $3,000 | 2018-06-27 |
| 821138 | Privilege elevation via PDFium | - | 2018-06-27 |
| 822799 | Security: WebRtc - Use After Free in AudioRtpSender::CanInsertDtmf() | $5,000 | 2018-06-27 |
| 823353 | Security: Show javascript alert on a site by clicking on a link from that site | $1,000 | 2018-06-27 |
| 823654 | Use-of-uninitialized-value in content::RenderFrameMetadataObserverImpl::OnRenderFrameSubmission | - | 2018-06-27 |
| 818396 | Use-of-uninitialized-value in blink::SubresourceIntegrity::ParseAlgorithmPrefix | - | 2018-06-26 |
| 818808 | Use-of-uninitialized-value in gtk_widget_destroy | - | 2018-06-26 |
| 820703 | Heap-use-after-free in GrTextureStripAtlas::unlockRow | - | 2018-06-26 |
| 822986 | Use-of-uninitialized-value in gdk_pixbuf_new | - | 2018-06-26 |
| 823239 | Use-of-uninitialized-value in g_type_module_register_type | - | 2018-06-26 |
| 822266 | Security:crash(SEGV_MAPERR ) in wasm module | - | 2018-06-25 |
| 816769 | Security: IDN URL Spoofing with U+04FD, U+050F, U+050B | - | 2018-06-23 |
| 817686 | Global-buffer-overflow in puffin::Huffer::HuffDeflate | - | 2018-06-23 |
| 817733 | Heap-buffer-overflow in puffin::BufferPuffReader::GetNext | - | 2018-06-23 |
| 818527 | Security: ChromeOS ff_debug command execution from crosh shell | $500 | 2018-06-23 |
| 820068 | Security: IDN URL Spoofing with using "U+0437" (cyrillic small letter Ze) | $500 | 2018-06-23 |
| 805924 | mXSS: Potential XSS via MathML gotten from innerHTML | $500 | 2018-06-22 |
| 822091 | Heap-use-after-free in PDFiumEngine::GetVisiblePageIndex | $5,000 | 2018-06-22 |
| 822284 | ThinStrings are incompatible with TurboFan SeqString types | - | 2018-06-22 |
| 822424 | Security: Local Privilege Escalation due to unsafe use of Distributed Objects in Google Software Updater on MacOS | - | 2018-06-22 |
| 813703 | Heap-buffer-overflow in swrast_dri.so | - | 2018-06-21 |
| 819954 | Use-of-uninitialized-value in base::BaseCharToDigit<char, 16, false>::Convert | - | 2018-06-21 |
| 821137 | OOB read/write using Array.prototype.from | - | 2018-06-21 |
| 821367 | Use-after-poison in base::IteratorRangeToNumber<base::BaseHexIteratorRangeToIntTraits<char const*> > | - | 2018-06-21 |
| 821596 | Security: Enforce blob/filesystem "local scheme" checks in FilterURL | - | 2018-06-21 |
| 804198 | Security: Adobe Flash NetStream Object Use After Free | $3,000 | 2018-06-20 |
| 804636 | Security: Adobe Flash AdBannerAsset Object Type Confusion | $3,000 | 2018-06-20 |
| 821613 | Restrict PDFium extension from running script inside chrome:// URLs | - | 2018-06-20 |
| 819330 | Crash in next | - | 2018-06-19 |
| 819953 | Use-after-poison in base::internal::JSONParser::ConsumeStringRaw | - | 2018-06-19 |
| 820399 | Use-of-uninitialized-value in cc::PaintOpReader::Read | - | 2018-06-19 |
| 820685 | Heap-use-after-free in media::GpuMemoryBufferVideoFramePool::PoolImpl::GetOrCreateFrameResources | - | 2018-06-19 |
| 820769 | Use-of-uninitialized-value in rtc::ClosureTask<webrtc::VideoStreamEncoder::OnEncodedImage | - | 2018-06-19 |
| 820779 | Security DCHECK failure: line_layout_item.IsLayoutInline() || line_layout_item.IsEqual(this) in LayoutBlo | - | 2018-06-19 |
| 820827 | Heap-use-after-free in rtc::TaskQueue::Impl::RunTask | - | 2018-06-19 |
| 820830 | Bad-cast to webrtc::VideoStreamEncoder from invalid vptr in rtc::ClosureTask<webrtc::VideoStreamEncoder::OnEncodedImage | - | 2018-06-19 |
| 820834 | Bad-cast to blink::LayoutInline from blink::LayoutSVGForeignObject in blink::LineLayoutInline::LastLineBox | - | 2018-06-19 |
| 819311 | DCHECK failure in op->opcode() == IrOpcode::kStateValues || op->opcode() == IrOpcode::kTypedStateV | - | 2018-06-16 |
| 820312 | Security: V8: PromiseAllResolveElementClosure can cause elements kind confusion | - | 2018-06-16 |
| 820341 | Use of an invalid mutex in media::AudioOutputDevice::NotifyRenderCallbackOfError | - | 2018-06-16 |
| 820376 | DCHECK failure in IsInterpreted() in objects.cc | - | 2018-06-16 |
| 820596 | DCHECK failure in static_cast<unsigned>(length_) > static_cast<unsigned>(i) in zone.h | - | 2018-06-16 |
| 819563 | Security: Chrome OS drive and downloads exposed to arbitrary Android apps | - | 2018-06-15 |
| 819869 | Security: Integer Overflow when Processing WebAssembly Locals | - | 2018-06-15 |
| 819973 | Use-of-uninitialized-value in resource_coordinator::TabManager::PurgeBackgroundedTabsIfNeeded | - | 2018-06-15 |
| 818592 | Security: WinUSB - multiple issues | $5,000 | 2018-06-13 |
| 807517 | Container-overflow in views::Textfield::UpdateAfterChange | - | 2018-06-13 |
| 798222 | Security: DevTools protocol can be abused to download and run external programs | $2,000 | 2018-06-12 |
| 805445 | Security: arbitrarily file write + bypass dangerous file check via DevTools API | $2,000 | 2018-06-12 |
| 805905 | Security: Bad cast to ChromeDownloadManagerDelegate* from DevToolsDownloadManagerDelegate* | $500 | 2018-06-12 |
| 808205 | Should XSDB also block some headers (not just response body)? | - | 2018-06-12 |
| 818135 | Potential root privilege escalation via debugd | - | 2018-06-12 |
| 818177 | Merge VP9 RTP fix to M65 | - | 2018-06-12 |
| 818807 | Security: prevent WebUSB from accessing all Yubico devices | - | 2018-06-12 |
| 818811 | Bad-cast to v8::internal::compiler::Operator1<int, v8::internal::compiler::OpEqualTo<int>, v8::internal::compiler::OpHash<int> > from v8::internal::compiler::Operator1<v8::internal::compiler::IfValueParameters, v8::internal::compiler::OpEqualTo<v8::internal::compiler::IfValueParameters>, v8::internal::compiler::OpHash<v8::internal::compiler::IfValueParameters> > in int const& v8::internal::compiler::OpParameter<int> | - | 2018-06-12 |
| 819086 | CHECK failure: Node::New() Error: #392:DeoptimizeIf[1] is nullptr in node.cc | - | 2018-06-12 |
| 817993 | Command injection bug in crash_sender | - | 2018-06-10 |
| 816787 | Use-of-uninitialized-value in mov_read_packet | - | 2018-06-09 |
| 816961 | Security: Use-after-free in TypedArrayOf and TypedArrayFrom | $7,500 | 2018-06-09 |
| 818144 | Bad-cast to v8::internal::compiler::Operator1<int, v8::internal::compiler::OpEqualTo<int>, v8::internal::compiler::OpHash<int> > from v8::internal::compiler::Operator1<v8::internal::compiler::IfValueParameters, v8::internal::compiler::OpEqualTo<v8::internal::compiler::IfValueParameters>, v8::internal::compiler::OpHash<v8::internal::compiler::IfValueParameters> > in OpParameter<int> | - | 2018-06-09 |
| 816033 | Security: Permission request UI spoof | $500 | 2018-06-08 |
| 816768 | Security DCHECK failure: i < length_ in StringImpl.h | $1,500 | 2018-06-08 |
| 817380 | DCHECK failure in code->kind() == wasm::WasmCode::kFunction || code->kind() == wasm::WasmCode::kWa | - | 2018-06-08 |
| 798105 | Chromium fails to leave full screen mode | $1,000 | 2018-06-07 |
| 674887 | tel: URL scheme Reference Origin Spoof in Chrome iOS | $500 | 2018-06-06 |
| 813621 | Crash in v8::internal::Code::marked_for_deoptimization | - | 2018-06-06 |
| 796776 | Use-of-uninitialized-value in ConstantUnion::operator+ | - | 2018-06-05 |
| 797234 | Use-of-uninitialized-value in ConstantUnion::cast | - | 2018-06-05 |
| 797281 | Heap-buffer-overflow in getIConst | - | 2018-06-05 |
| 799499 | Heap-buffer-overflow in WebRtcSpl_DownsampleFastC | - | 2018-06-05 |
| 812519 | Negative-size-param in SkPixmap::erase | - | 2018-06-05 |
| 813632 | Crash in FromAddress | - | 2018-06-05 |
| 813714 | Heap-buffer-overflow in TIntermConstantUnion::fold | - | 2018-06-05 |
| 814913 | Some renderer-initiated network loads are bypassing ResourceDispatcherHost (with the network service disabled) | - | 2018-06-05 |
| 816317 | DCHECK failure in source->length_value() <= destination->length_value() - offset in elements.cc | - | 2018-06-05 |
| 797258 | CVE-2017-8824 CrOS: Vulnerability reported in Linux kernel | - | 2018-06-02 |
| 810235 | user namespaces allow for unprivileged noexec bypass | - | 2018-06-02 |
| 812567 | Heap-buffer-overflow in mov_read_trun | - | 2018-06-02 |
| 815318 | Crash in libappindicator3.so.1 | - | 2018-06-02 |
| 806162 | Security: Chrome fullscreen without any warning and dialog no orgin for spoof | $1,000 | 2018-06-01 |
| 813012 | CVE-2017-18079 CrOS: Vulnerability reported in Linux kernel | - | 2018-06-01 |
| 813142 | Heap-buffer-overflow in blink::PNGImageDecoder::RowAvailable | - | 2018-06-01 |
| 813814 | Security: Whole-script confusable domain label spoofing (Cyrillic) | $500 | 2018-06-01 |
| 814562 | DCHECK failure in code->owner()->compiled_module()->owning_instance() == codemap()->instance() in | - | 2018-06-01 |
| 814950 | Heap-buffer-overflow in SkPath::moveTo | - | 2018-06-01 |
| 805900 | Security: URL spoofing via forward and backward navigation on iOS | - | 2018-05-31 |
| 809823 | Make chrome://view-http-cache use WebUI bindings | - | 2018-05-31 |
| 811691 | CSP object-src 'none' allows load of image in <object> tag | - | 2018-05-31 |
| 813201 | Heap-buffer-overflow in wm::FocusController::SetActiveWindow | - | 2018-05-31 |
| 771933 | SW can intercept potential-navigation-or-subresource request | $500 | 2018-05-30 |
| 810146 | Heap-use-after-free in blink::LayoutObject::WillBeDestroyed | - | 2018-05-30 |
| 813427 | CHECK failure: constructor_initial_map->instance_size() <= instance_size in objects.cc | - | 2018-05-30 |
| 737648 | Security: bypassing CORS of multipart images by ServiceWorker | - | 2018-05-29 |
| 813590 | Crash in v8::internal::Code::unwinding_info_size | - | 2018-05-29 |
| 813598 | Crash in /build/eglibc-ripdx6/eglibc-NUMBER/string/../sysdeps/x86_64/multiarch/memcpy-sse | - | 2018-05-29 |
| 813593 | Crash in v8::internal::ConcurrentMarking::Run | - | 2018-05-29 |
| 813605 | Crash in unwinding_info_start | - | 2018-05-29 |
| 813628 | Crash in FromAddress | - | 2018-05-29 |
| 813618 | Crash in v8::internal::FeedbackVector::GetKind | - | 2018-05-29 |
| 813633 | Crash in v8::internal::HeapObject::map_word | - | 2018-05-29 |
| 808316 | Security: IDN URL Spoofing with using Å (U+014B) | - | 2018-05-28 |
| 811117 | Myanmar character in domain names can lead to spoofing | $500 | 2018-05-28 |
| 797298 | Heap-use-after-free in blink::PaintLayerScrollableArea::UpdateScrollOffset | - | 2018-05-26 |
| 806122 | Crash in get_chroma_qp | - | 2018-05-26 |
| 808838 | Security: Same origin bypass with Service Workers + PDF plugin | $4,500 | 2018-05-26 |
| 809759 | Security: Latest Win10 builds fail to set Mark-of-the-Web on downloaded filenames approaching MAX_PATH | $1,000 | 2018-05-26 |
| 482558 | Security: CSP does not block favicon request | - | 2018-05-25 |
| 560695 | Security: Anchor Elements Ping attribute security settings bypass | - | 2018-05-25 |
| 582387 | CSP not inherited to popups with "javascript:"-URL | $500 | 2018-05-25 |
| 758523 | Security: document.baseURI contains not-encoded representation of URI and may lead to DOM based XSS | $500 | 2018-05-25 |
| 776418 | Security: Fullscreen notification can be overlapped | $1,000 | 2018-05-25 |
| 798150 | Crash in v8::internal::Invoke | - | 2018-05-25 |
| 811048 | CVE-2018-5750 CrOS: Vulnerability reported in Linux kernel | - | 2018-05-25 |
| 811733 | Stack-buffer-overflow in CFX_MemoryStream::ReadBlock | - | 2018-05-25 |
| 812923 | Crash in _fini | - | 2018-05-25 |
| 441275 | referrer leakage with XSS Auditor page block | - | 2018-05-24 |
| 481190 | Security: BoringSSL ECDSA signing is never constant time with p256-64.c. | - | 2018-05-24 |
| 526341 | Adobe Flash Player PCRE find_parens Out-Of-Bounds Read Access | $1,000 | 2018-05-24 |
| 585555 | Security: Function constructor cotext escape when using template string as the default argument | - | 2018-05-24 |
| 602625 | Security: untrusted code exec to kernel code exec, applicable from chrome render process as well | - | 2018-05-24 |
| 644907 | Security: Linking to chrome:// and file:// urls inside print preview | - | 2018-05-24 |
| 683824 | The browser and d8 crashed caused by segv | - | 2018-05-24 |
| 685750 | Security: RTL characters are not handled properly in extension permission patterns | - | 2018-05-24 |
| 754980 | Security: Permission changes in Guest mode persist for next Guest session | - | 2018-05-24 |
| 766592 | Security: `\n` and `<` in `ping` aren't completely blocked. | - | 2018-05-24 |
| 801821 | Heap-buffer-overflow in mov_read_stts | - | 2018-05-24 |
| 804097 | Use-of-uninitialized-value in find_prev_closest_index | - | 2018-05-24 |
| 807215 | Security: heap-use-after-free in ProbeForLowSeverityLifetimeIssue | - | 2018-05-24 |
| 811853 | Use-of-uninitialized-value in CFX_BmpDecompressor::ReadHeader | - | 2018-05-24 |
| 812451 | Crash in /build/eglibc-ripdx6/eglibc-NUMBER/string/../sysdeps/x86_64/multiarch/memcpy-sse | - | 2018-05-24 |
| 812512 | Use-of-uninitialized-value in sk_store_a8 | - | 2018-05-24 |
| 808192 | Security: V8 Integer overflow in object allocation size | - | 2018-05-23 |
| 808825 | WebVTT CORS bypass using ServiceWorker | $500 | 2018-05-23 |
| 811049 | CrOS: Vulnerability reported in net-misc/curl | - | 2018-05-23 |
| 811144 | Heap-use-after-free in blink::LayoutObject::MaybeClearIsScrollAnchorObject | - | 2018-05-23 |
| 811246 | Heap-use-after-free in GetLayoutBox | - | 2018-05-23 |
| 812167 | Heap-use-after-free in blink::LayoutObject::MaybeClearIsScrollAnchorObject | - | 2018-05-23 |
| 810973 | CHECK failure: !result.failed() in wasm-engine.cc | - | 2018-05-22 |
| 807985 | Heap-use-after-free in CPDF_ContentParser::~CPDF_ContentParser | - | 2018-05-20 |
| 808341 | Use-of-uninitialized-value in blink::LayoutObject::MaybeClearIsScrollAnchorObject | - | 2018-05-20 |
| 784012 | DCHECK failure in last_slash != std::string::npos in d8.cc | - | 2018-05-19 |
| 799477 | Cross-Origin image data leak via cache and canvas | $4,000 | 2018-05-19 |
| 810107 | DCHECK failure in obj->IsFixedArray() in wasm-objects-inl.h | - | 2018-05-19 |
| 810368 | Use-after-poison in blink::ComputePresentationAttributeStyle | - | 2018-05-19 |
| 810923 | Use-of-uninitialized-value in webrtc::AecState::Update | - | 2018-05-19 |
| 511480 | Security: User not notified about an extension changing the NTP | - | 2018-05-18 |
| 792538 | Improve extension content verification logic when the extension requests a resource at folder urls | - | 2018-05-18 |
| 798099 | Security DCHECK failure: offset + length <= impl.length() in StringView.h | - | 2018-05-18 |
| 798410 | Security DCHECK failure: !object || (object->IsTableCell()) in LayoutTableCell.h | - | 2018-05-18 |
| 780694 | Security: Heap-use-after-free in content::protocol::NetworkHandler::SetNetworkConditions | - | 2018-05-17 |
| 798933 | Chrome for Android - Window.open combined with the onbeforeunload dialog crashes Chrome's WebView render | $2,000 | 2018-05-17 |
| 800032 | Security: V8: Bugs in Genesis::InitializeGlobal | - | 2018-05-17 |
| 802392 | Chrome: Crash Report - cc::LayerTreeHost::AnimateLayers | - | 2018-05-17 |
| 806388 | Security: A bug in JSFunction::GetDerivedMap | - | 2018-05-17 |
| 807096 | Security: Arrow function scope fixing bug | - | 2018-05-17 |
| 809824 | Security: PDFium OOB Read in CFX_BmpDecompressor::ReadHeader | $1,000 | 2018-05-17 |
| 801861 | Web Store extensions can be made to have no toolbar icon | - | 2018-05-16 |
| 808336 | Security: PDFium OOB Read in BMPDecompressor::ReadHeader | $1,000 | 2018-05-16 |
| 808389 | CVE-2018-5344 CrOS: Vulnerability reported in Linux kernel | - | 2018-05-16 |
| 808786 | CVE-2018-1000004 CrOS: Vulnerability reported in Linux kernel | - | 2018-05-16 |
| 809613 | Use-of-uninitialized-value in blink::MediaAttributeMatches | - | 2018-05-16 |
| 767018 | Security: arc setup code in session_manager writes lots of untrusted file system locations carelessly | - | 2018-05-15 |
| 773229 | Security: Use-After-Free in PDFium | $7,500 | 2018-05-15 |
| 803936 | Security: Heap Buffer Overflow (Read) in PlanGauss::Gauss::blur (using filter_fuzz_stub) | - | 2018-05-15 |
| 808785 | CVE-2017-15129 CrOS: Vulnerability reported in Linux kernel | - | 2018-05-15 |
| 808787 | CrOS: Vulnerability reported in media-libs/tiff | - | 2018-05-15 |
| 808876 | Bad-cast to blink::LayoutTableRow from blink::LayoutTableCell in blink::ToLayoutTableRow | - | 2018-05-15 |
| 808878 | Use-of-uninitialized-value in mojo::ScopedInterfaceEndpointHandle::id | - | 2018-05-15 |
| 808980 | [v8] Uninitialized wasm_compiled_module for deserialized module | $3,500 | 2018-05-15 |
| 805892 | Heap-buffer-overflow in autofill::PagePasswordsAnalyser::AnalyseDocumentDOM | - | 2018-05-14 |
| 805729 | Security: V8: AwaitedPromise update bug | - | 2018-05-14 |
| 779428 | Security: global-buffer-overflow in SkBitmap IPC Deserialization | $2,000 | 2018-05-12 |
| 807887 | Heap-use-after-free in video_capture::DeviceMediaToMojoAdapter::Stop | - | 2018-05-12 |
| 808386 | Heap-use-after-free in cc::PlaybackImageProvider::GetDecodedDrawImage | - | 2018-05-12 |
| 780435 | Read cross-origin video using Canvas and Service Worker | $4,000 | 2018-05-11 |
| 802060 | DCHECK failure in op->IsAnyLocationOperand() in instruction.h | - | 2018-05-11 |
| 807628 | Use-of-uninitialized-value in content::QuotaDispatcherHost::QueryStorageUsageAndQuota | - | 2018-05-11 |
| 808320 | Bad-cast to gin::(anonymous namespace)::PageAllocator from invalid vptr in base::NoDestructor<gin::PageAllocator>::NoDestructor<> | - | 2018-05-11 |
| 617149 | Security: libtiff in pdfium may have a security issue | - | 2018-05-10 |
| 617494 | Security: PDFium: Heap Buffer Overflow in libtiff's NeXTDecode Function | - | 2018-05-10 |
| 618254 | Security: PDFium: Out-Of-Bounds Read in libtiff's putRGBUAcontig8bittile Function | - | 2018-05-10 |
| 780919 | Security: heap-use-after-free blink::AudioSummingJunction::UpdateRenderingState | $3,000 | 2018-05-10 |
| 806151 | Heap-use-after-free in blink::LayoutObject::DestroyAndCleanupAnonymousWrappers | - | 2018-05-10 |
| 618931 | Security: PDFium: Heap Buffer Overflow in libtiff's TIFFFetchStripThing Function | - | 2018-05-09 |
| 765605 | Security: ble adv flooding: kernel panics/crashes | - | 2018-05-09 |
| 777104 | CrOS: Vulnerability reported in net-misc/curl | - | 2018-05-09 |
| 797555 | Heap-use-after-free in test_runner::WebWidgetTestClient::AnimateNow | - | 2018-05-09 |
| 799705 | CrOS: Vulnerability reported in sys-libs/glibc | - | 2018-05-09 |
| 806582 | Heap-use-after-free in get_scalar_from_data_ptr | - | 2018-05-09 |
| 807214 | Security: global-buffer-overflow in CFX_GetCSSPropertyByName | $1,000 | 2018-05-09 |
| 807240 | Heap-use-after-free in blink::GraphicsLayer::PaintRecursivelyInternal | - | 2018-05-09 |
| 807480 | Heap-use-after-free in blink::GraphicsLayer::UpdateContentsRect | - | 2018-05-09 |
| 807508 | DCHECK failure in !__isolate__->has_pending_exception() in builtins-api.cc | - | 2018-05-09 |
| 807529 | Null-dereference READ in base::CreateThread | - | 2018-05-09 |
| 616667 | Security: PDFium: Heap Buffer Overflow in bmp_decode_rle4 | - | 2018-05-08 |
| 616668 | Security: PDFium: Heap Buffer Overflow in CGifLZWDecoder::ClearTable | - | 2018-05-08 |
| 616669 | Security: PDFium: Out-Of-Bounds Read in GetDWord_LSBFirst | - | 2018-05-08 |
| 616672 | Security: PDFium: Out-Of-Bounds Read in CCodec_ProgressiveDecoder::GifInputRecordPositionBufCallback | - | 2018-05-08 |
| 618939 | Security: PDFium: Out-Of-Bounds Read in libtiff's TIFFReadDirectory Function 2 | - | 2018-05-08 |
| 771709 | PWA app installation can be requested from sandboxed page | - | 2018-05-08 |
| 804118 | Security: WriteTexture heap-buffer-overflow in WebGL on macOS | $1,000 | 2018-05-08 |
| 806179 | DCHECK failure in top() >= to_space_.page_low() in spaces.h | - | 2018-05-08 |
| 806539 | Use-of-uninitialized-value in net::QuicUrlUtilsImpl::GetPushPromiseUrl | - | 2018-05-07 |
| 805396 | Use-of-uninitialized-value in WebRtcSpl_MaxAbsValueW16C | - | 2018-05-06 |
| 633030 | Oilpan reintroduced inline meta-data | $2,000 | 2018-05-05 |
| 800257 | OOB in _sk_lerp_u8_sse2 | - | 2018-05-05 |
| 758848 | Security: Use after free vulnerability about psdk in the latest version | $5,000 | 2018-05-04 |
| 758863 | Security: Use after free vulnerability about psdk in the latest version of Flash player | $5,000 | 2018-05-04 |
| 792028 | Security: Information disclosure via "memory_instrumentation::mojom::Coordinator" interface in "resource_coordinator" service | - | 2018-05-04 |
| 802333 | Security: V8: A bug in the ObjectDescriptor class | - | 2018-05-04 |
| 794402 | Security: use-of-uninitialized-value in sse2::blit_row_s32a_opaque (filter_fuzz_stub) | - | 2018-05-03 |
| 797796 | Crash in _sk_load_bgra_sse2 | - | 2018-05-03 |
| 798096 | Security: Linkified URLs in DevTools are not sanitized (can open privileged URLs) | - | 2018-05-03 |
| 799775 | Security: use-of-unitialized-value in GetScale (SkUnPeMultiply.h:29) in filter_fuzz_stub | - | 2018-05-03 |
| 803571 | 'Security: IDN URL Spoofing with "Cyrillic Letter Ukrainian Ie" | - | 2018-05-03 |
| 804476 | Security: use-of-uninitialized-value in unpremul_pm (filter_fuzz_stub) | - | 2018-05-03 |
| 792900 | Security: Calling "mojo::WrapSharedMemoryHandle" is insufficient to produce read-only descriptors for IPC | - | 2018-05-02 |
| 800389 | Security: use-of-unitialized-value in getType (SkMatrix.h:128) in filter_fuzz_stub | - | 2018-05-02 |
| 803022 | DCHECK failure in current_ == next_ in node.h | $3,500 | 2018-05-02 |
| 804177 | DCHECK failure in map() != GetHeap()->fixed_cow_array_map() in fixed-array-inl.h | - | 2018-05-02 |
| 804651 | Security: use-of-uninitialized-value in getType (filter_fuzz_stub) | - | 2018-05-02 |
| 804801 | CHECK failure: Type cast failed in CAST(add_func) at ../../src/builtins/builtins-collections-ge | - | 2018-05-02 |
| 804837 | CHECK failure: LoadElement of kRepFloat64 (NumberOrHole) cannot be changed to kRepTagged in rep | - | 2018-05-02 |
| 805039 | Use-after-poison in blink::TreeScope::Retarget | - | 2018-05-02 |
| 805283 | Security: Use-of-uninitialized-value in SkReadBuffer.h (filter_fuzz_stub) | - | 2018-05-02 |
| 789959 | Security: Read-only SharedMemory descriptors on Android are writable | - | 2018-05-01 |
| 801514 | Security: local privilege escalation via glibc realpath() buffer underflow (CVE-2018-1000001) | - | 2018-05-01 |
| 803352 | Heap-use-after-free in blink::HTMLCollection::NamedItems | - | 2018-05-01 |
| 803812 | CVE-2017-18017 CrOS: Vulnerability reported in Linux kernel | - | 2018-05-01 |
| 803427 | DCHECK failure in (native_module_->lazy_builtin_) == nullptr in wasm-serialization.cc | - | 2018-05-01 |
| 804096 | Crash in v8::internal::Sweeper::EnsurePageIsIterable | - | 2018-05-01 |
| 804631 | Heap-use-after-free in app_list::PageSwitcher::~PageSwitcher | - | 2018-05-01 |
| 804288 | DCHECK failure in IsNativeContext() in contexts-inl.h | - | 2018-05-01 |
| 791368 | DCHECK failure in descriptors->GetValue(descriptor) != value || value->FitsRepresentation(details. | - | 2018-04-30 |
| 803788 | DCHECK failure in wasm::WasmCode::kLazyStub == code->kind() in module-compiler.cc | - | 2018-04-30 |
| 803750 | CHECK failure: size <= kMaxRegularHeapObjectSize in runtime-internal.cc | - | 2018-04-28 |
| 707539 | Security: Persistent pre and post login command execution as chronos user, with noexec bypass allowing any binary | $5,000 | 2018-04-27 |
| 802983 | Heap-buffer-overflow in CJBig2_Image::composeTo_opt2 | - | 2018-04-27 |
| 629431 | Security: extension system must respect the page load deferrer | - | 2018-04-26 |
| 792163 | Review U+04CF confusable mapping and make it platform-dependent if necessary | - | 2018-04-26 |
| 801378 | Use-of-uninitialized-value in v8::internal::Assembler::target_address_at | - | 2018-04-26 |
| 801772 | DCHECK failure in scope_data_->ReadUint32() == static_cast<uint32_t>(name->length()) in preparsed- | - | 2018-04-26 |
| 801789 | Use-of-uninitialized-value in SkIRect::isEmpty | - | 2018-04-26 |
| 793074 | Cross-Directory Shared Worker | $500 | 2018-04-25 |
| 797497 | Security: Extension can run code in the chrome-devtools://devtools (e.g. to read local files) | $2,500 | 2018-04-25 |
| 798133 | CVE-2017-17712 CrOS: Vulnerability reported in Linux kernel | - | 2018-04-25 |
| 801000 | iOS: wrong url in omnibox after going back from search result | - | 2018-04-25 |
| 801602 | ASSERT: 0 <= value && value < symbolsCount | - | 2018-04-25 |
| 801859 | Stack-use-after-return in TDiagnostics::writeDebug | - | 2018-04-24 |
| 608669 | Security: a@download feature can be abused to leak sensitive information from third party sites | $500 | 2018-04-23 |
| 801627 | Security: V8: JIT: Type confusion in NodeProperties::InferReceiverMaps | - | 2018-04-23 |
| 668645 | Security: CSP in WebUI can trivially be bypassed by extensions | $1,000 | 2018-04-22 |
| 797500 | Security: chrome-devtools://devtools/remote/ can be modified by extensions | $2,500 | 2018-04-22 |
| 797511 | Security: heap-use-after-free in WebUIExtension::Send (chrome.send) | - | 2018-04-22 |
| 797525 | Security: XSS in "Site blocked" (supervised user) interstitial and chrome://interstitials/supervised_user | $1,000 | 2018-04-22 |
| 798163 | Security: privileged XSS in chrome-devtools://devtools/remote with old frontend (insufficient validation of remoteFrontendUrl) | $2,500 | 2018-04-22 |
| 793628 | Security: IDN URL Spoofing with Cyrillic | $500 | 2018-04-21 |
| 797469 | Heap-buffer-overflow in xiph_lacing_16bit | - | 2018-04-21 |
| 798892 | Security: IDN URL Spoofing with using "U+00FE" | $500 | 2018-04-21 |
| 799363 | Crash in mov_read_trun | - | 2018-04-21 |
| 800810 | DCHECK failure in receiver->map() == *original_map in elements.cc | - | 2018-04-21 |
| 801647 | Crash in __msan_memset | - | 2018-04-21 |
| 797481 | Crash in v8::internal::Simulator::LoadStorePairHelper | - | 2018-04-20 |
| 799715 | heap overflow read in filter_fuzz_stub | $1,000 | 2018-04-20 |
| 799847 | Redirect URL leak via error message of WebGL texture | $2,000 | 2018-04-20 |
| 799918 | Stack-buffer-overflow in SkPackBits::Unpack8 | $1,500 | 2018-04-20 |
| 801105 | CrOS: Vulnerability reported in media-libs/tiff | - | 2018-04-20 |
| 759289 | CrOS: Vulnerability reported in media-libs/tiff | - | 2018-04-19 |
| 767354 | Security: Detect open SSH port via FTP protocol | - | 2018-04-19 |
| 799706 | CrOS: Vulnerability reported in media-libs/tiff | - | 2018-04-19 |
| 798644 | Security: V8: Type confusion in ElementsAccessorBase::CollectValuesOrEntriesImpl | - | 2018-04-19 |
| 800230 | XSS on chrome-search://most-visited/title.html (NTP) | - | 2018-04-19 |
| 800692 | Security DCHECK failure: object.IsBox() in LayoutBox.h | - | 2018-04-19 |
| 800919 | Use-of-uninitialized-value in blink::ResourceLoadScheduler::TrafficMonitor::Report | - | 2018-04-19 |
| 794091 | Security: race condition lead to many fatal Error D in WebAssembly.validate | $3,000 | 2018-04-18 |
| 800025 | Heap-use-after-free in blink::ShapeOutsideInfo::IsEnabledFor | - | 2018-04-18 |
| 800077 | CHECK failure: Type cast failed in CAST(key) at ../../src/code-stub-assembler.cc:7137 in code-a | - | 2018-04-18 |
| 800277 | CVE-2017-17805 CrOS: Vulnerability reported in Linux kernel | - | 2018-04-18 |
| 800356 | CHECK failure: object->IsAbstractCode() || object->IsSeqString() || object->IsExternalString() | - | 2018-04-18 |
| 799325 | Use-of-uninitialized-value in cc::PaintOpReader::Read | - | 2018-04-17 |
| 799690 | DCHECK failure in total_offset == offset_table->get_int(kOTESize * left) in wasm-objects.cc | - | 2018-04-17 |
| 799813 | DCHECK failure in index >= 0 && index < length() in string-inl.h | - | 2018-04-17 |
| 800225 | Use-of-uninitialized-value in cc::PaintOpReader::Read | - | 2018-04-17 |
| 800228 | CSS Injection on chrome-search://most-visited/single.html (NTP) | - | 2018-04-17 |
| 789966 | Deadlysignal in base::internal::CallbackBase::CallbackBase | - | 2018-04-15 |
| 798695 | Use-of-uninitialized-value in path_to_polys | - | 2018-04-15 |
| 796107 | Heap-buffer-overflow in SkRecorder::onDrawPosTextH | $2,000 | 2018-04-14 |
| 798912 | Use-of-uninitialized-value in sweep_lt_vert | - | 2018-04-14 |
| 799097 | Use-of-uninitialized-value in blink::LayoutBlock::AddChildBeforeDescendant | - | 2018-04-14 |
| 799202 | Heap-use-after-free in blink::LayoutBlock::EnclosingFirstLineStyleBlock | - | 2018-04-14 |
| 799341 | Heap-use-after-free in blink::LayoutObject::SetPreferredLogicalWidthsDirty | - | 2018-04-14 |
| 790013 | Heap-buffer-overflow in safe_browsing::dmg::ConvertBigEndian | - | 2018-04-13 |
| 795493 | Bad-cast to webrtc::MetricsObserverInterface from invalid vptr in cricket::BasicPortAllocator::OnIceRegathering | - | 2018-04-13 |
| 796777 | Security: URL spoofing on iOS after UI action | $500 | 2018-04-13 |
| 797254 | CVE-2017-1000410 CrOS: Vulnerability reported in Linux kernel | - | 2018-04-13 |
| 797483 | CrOS: Vulnerability reported in dev-libs/openssl | - | 2018-04-13 |
| 799017 | Security DCHECK failure: value.IsValuePair() in CSSValuePair.h | - | 2018-04-13 |
| 799051 | Use-of-uninitialized-value in blink::LayoutBox::WillBeDestroyed | - | 2018-04-13 |
| 799052 | Bad-cast to blink::LayoutObject from invalid vptr in blink::LayoutObject::IsRooted | - | 2018-04-13 |
| 799055 | Bad-cast to blink::InlineBox from invalid vptr in blink::InlineBox::Root | - | 2018-04-13 |
| 799058 | Use-of-uninitialized-value in blink::InlineFlowBox::RemoveChild | - | 2018-04-13 |
| 799060 | Heap-use-after-free in blink::InlineBox::Root | - | 2018-04-13 |
| 799063 | Use-of-uninitialized-value in blink::InlineBox::Root | - | 2018-04-13 |
| 799065 | Use-of-uninitialized-value in blink::LayoutBlock::MarkFixedPositionObjectForLayoutIfNeeded | - | 2018-04-13 |
| 799067 | Use-of-uninitialized-value in blink::LayoutObject::PaintingLayer | - | 2018-04-13 |
| 799068 | Bad-cast to blink::LayoutObject from invalid vptr in blink::LayoutBlock::AddChildBeforeDescendant | - | 2018-04-13 |
| 799069 | Use-of-uninitialized-value in blink::StyleEngine::NodeWillBeRemoved | - | 2018-04-13 |
| 799098 | Heap-use-after-free in blink::LayoutTableRow::StyleDidChange | - | 2018-04-13 |
| 799100 | Use-of-uninitialized-value in blink::PODRedBlackTree<blink::PODInterval<blink::LayoutUnit, blink::LayoutMultiC | - | 2018-04-13 |
| 799104 | Bad-cast to blink::LayoutObject from invalid vptr in blink::LayoutObject::DestroyAndCleanupAnonymousWrappers | - | 2018-04-13 |
| 799108 | Heap-use-after-free in blink::LayoutTableCell::BorderLeft | - | 2018-04-13 |
| 799110 | Bad-cast to blink::LayoutObject from invalid vptr in blink::LayoutBox::IsOrthogonalWritingModeRoot | - | 2018-04-13 |
| 799113 | Heap-use-after-free in blink::ScrollAnchor::NotifyBeforeLayout | - | 2018-04-13 |
| 799119 | Heap-use-after-free in blink::ShouldEmitNewlinesBeforeAndAfterNode | - | 2018-04-13 |
| 799121 | Bad-cast to blink::InlineBox from invalid vptr in blink::InlineBox::DirtyLineBoxes | - | 2018-04-13 |
| 799123 | Use-of-uninitialized-value in blink::LayoutObject::DestroyAndCleanupAnonymousWrappers | - | 2018-04-13 |
| 799128 | Heap-use-after-free in blink::LayoutObject::SetPreferredLogicalWidthsDirty | - | 2018-04-13 |
| 799188 | Bad-cast to blink::LayoutBox from blink::LayoutInline in blink::LayoutBox::SplitAnonymousBoxesAroundChild | - | 2018-04-13 |
| 799206 | Heap-use-after-free in blink::LayoutBox::IsFlexItemIncludingDeprecated | - | 2018-04-13 |
| 799207 | Bad-cast to blink::LayoutObject from invalid vptr in blink::LayoutBlock::EnclosingFirstLineStyleBlock | - | 2018-04-13 |
| 799210 | Heap-use-after-free in blink::AXLayoutObject::LayoutParentObject | - | 2018-04-13 |
| 799214 | Heap-use-after-free in blink::PrimaryDirectionOf | - | 2018-04-13 |
| 799222 | Use-of-uninitialized-value in base::internal::CallbackBase::~CallbackBase | - | 2018-04-13 |
| 799224 | Heap-use-after-free in blink::SVGResourcesCache::CachedResourcesForLayoutObject | - | 2018-04-13 |
| 799263 | Security: V8: JIT: A bug in LoadElimination::ReduceTransitionElementsKind | - | 2018-04-13 |
| 799274 | Use-of-uninitialized-value in blink::PrimaryDirectionOf | - | 2018-04-13 |
| 799276 | Bad-cast to blink::LayoutObject from invalid vptr in blink::ScrollAnchor::ComputeScrollAnchorDisablingStyleChanged | - | 2018-04-13 |
| 799277 | Heap-use-after-free in blink::LayoutObject::NextInPreOrderAfterChildren | - | 2018-04-13 |
| 799282 | Heap-use-after-free in blink::LayoutObject::OffsetParent | - | 2018-04-13 |
| 799280 | Heap-use-after-free in SetNeedsCollectInlines | - | 2018-04-13 |
| 799286 | Use-of-uninitialized-value in blink::InlineBox::DirtyLineBoxes | - | 2018-04-13 |
| 799289 | Use-of-uninitialized-value in void blink::PODIntervalTree<blink::LayoutUnit, blink::LayoutMultiColumnSet*>::Se | - | 2018-04-13 |
| 799295 | Use-of-uninitialized-value in blink::LayoutObject::IsRooted | - | 2018-04-13 |
| 799298 | Use-of-uninitialized-value in blink::ObjectPaintInvalidator::SlowSetPaintingLayerNeedsRepaint | - | 2018-04-13 |
| 799303 | Heap-use-after-free in blink::LayoutObject::SetNeedsPaintPropertyUpdate | - | 2018-04-13 |
| 799340 | Heap-use-after-free in blink::LayoutObject::Container | - | 2018-04-13 |
| 799366 | Heap-use-after-free in blink::ContainerNode::GetUpperLeftCorner | - | 2018-04-13 |
| 799408 | Heap-use-after-free in blink::LayoutTableCell::BorderLeft | - | 2018-04-13 |
| 799432 | Heap-use-after-free in blink::LayoutBlock::MarkFixedPositionObjectForLayoutIfNeeded | - | 2018-04-13 |
| 759225 | CHECK failure in SyntheticGestureTargetBase::DispatchInputEventToPlatform() | - | 2018-04-12 |
| 773930 | Security: Whole-script confusable domain label spoofing (Cyrillic) | $500 | 2018-04-12 |
| 798066 | heap-buffer-overflow in SkAAClip::quickContains | $500 | 2018-04-12 |
| 798256 | Heap-buffer-overflow in SkMatrix::setRSXform | - | 2018-04-12 |
| 798173 | Use-of-uninitialized-value in SkMatrix::postConcat | - | 2018-04-11 |
| 770106 | CHECK failure: actual_unused_property_fields > map()->unused_property_fields() in objects-debug | - | 2018-04-10 |
| 786809 | Use-of-uninitialized-value in update_current_folder_get_info_cb | - | 2018-04-06 |
| 797184 | Use-of-uninitialized-value in SkMatrix::postConcat | - | 2018-04-06 |
| 797482 | CVE-2017-1000407 CrOS: Vulnerability reported in Linux kernel | - | 2018-04-06 |
| 797596 | DCHECK failure in IrOpcode::kMerge == control->opcode() in node-properties.cc | - | 2018-04-05 |
| 824799 | Security: Bug in X509_VERIFY_PARAM_set1_host() with namelen 0 | $500 | 2018-04-04 |
| 779325 | Unknown exception in Register | - | 2018-03-31 |
| 793620 | Security: Sandbox escape / automatic code execution via downloads.open | $1,000 | 2018-03-31 |
| 796930 | CHECK failure: Node #610:Phi in B121 is not dominated by input@1 #632:Call in verifier.cc | - | 2018-03-31 |
| 797130 | DCHECK failure in min_block == BasicBlock::GetCommonDominator(block, min_block) in scheduler.cc | - | 2018-03-31 |
| 797192 | CHECK failure: Node #370:Phi in B34 is not dominated by input@1 #392:Call in verifier.cc | - | 2018-03-31 |
| 716932 | Use-after-poison in blink::probe::breakableLocation | - | 2018-03-30 |
| 736882 | Security: chrome://discards/ accepts WebContents pointers as URL parameters | - | 2018-03-30 |
| 789001 | Container-overflow in views::Textfield::OnKeyPressed | - | 2018-03-30 |
| 796473 | Heap-buffer-overflow in SkUTF8_NextUnichar | $1,000 | 2018-03-30 |
| 760914 | CrOS: Vulnerability reported in media-libs/tiff | - | 2018-03-29 |
| 792851 | CrOS: Vulnerability reported in dev-libs/libxml2 | - | 2018-03-29 |
| 794126 | CVE-2017-12190 CrOS: Vulnerability reported in Linux kernel | - | 2018-03-29 |
| 794491 | CVE-2017-12193 CrOS: Vulnerability reported in Linux kernel | - | 2018-03-29 |
| 794504 | Security: CVE-2017-17558 - OOB write in kernel USB core | - | 2018-03-29 |
| 796476 | Crash in sw::Surface::genericUpdate | - | 2018-03-29 |
| 796570 | Heap-buffer-overflow in ConstantUnion::operator- | - | 2018-03-29 |
| 796825 | Use-of-uninitialized-value in media::internal::DecimatedSearch | - | 2018-03-29 |
| 789393 | Security: V8: Integer overflow with PropertyArray | - | 2018-03-28 |
| 792109 | Heap-buffer-overflow in ConstantUnion::operator- | - | 2018-03-28 |
| 792578 | Heap-buffer-overflow in TParseContext::addConstVectorNode | - | 2018-03-28 |
| 792819 | Use-of-uninitialized-value in TParseContext::parseSingleDeclaration | - | 2018-03-28 |
| 792896 | Use-of-uninitialized-value in ConstantUnion::cast | - | 2018-03-28 |
| 792936 | Heap-buffer-overflow in getIConst | - | 2018-03-28 |
| 794990 | Security: Pdfium: integer overflows in pattern shading | - | 2018-03-28 |
| 795131 | Heap-buffer-overflow in unsigned char v8::internal::ReadUnalignedValue<unsigned char> | - | 2018-03-28 |
| 795569 | Security: WebRTC - Memory corruption in PeerConnection::RemoveTrack() | $3,000 | 2018-03-28 |
| 795587 | Use-of-uninitialized-value in GrGLAttribArrayState::set | - | 2018-03-28 |
| 795889 | heap-use-after-free in ProbeForLowSeverityLifetimeIssue | - | 2018-03-28 |
| 795922 | DCHECK failure in !has_null_prototype() in ast.cc | - | 2018-03-28 |
| 793699 | Security: WebRTC - Memory corruption in WebRtcVoiceMediaChannel::GetSources() | $3,000 | 2018-03-27 |
| 794924 | Crash in v8::internal::Invoke | - | 2018-03-27 |
| 794969 | Security: Incorrect size calculation when deserializing Mojo "Event" messages leading to OOB access | - | 2018-03-27 |
| 795501 | Container-overflow in content::AudioStreamMonitor::UpdateStreamAudibleStateOnUIThread | - | 2018-03-27 |
| 795856 | Heap-buffer-overflow in v8::internal::SharedFunctionInfo::GetSourceCodeHarmony | - | 2018-03-27 |
| 820848 | Incorrect-function-pointer-type in gl::Debug::insertMessage | - | 2018-03-27 |
| 825679 | Use of an invalid mutex in media::AudioOutputDevice::NotifyRenderCallbackOfError | - | 2018-03-27 |
| 793588 | Use-of-uninitialized-value in v8::internal::TextNode::GetQuickCheckDetails | - | 2018-03-26 |
| 794825 | Security: V8: Empty BytecodeJumpTable may lead to OOB read | - | 2018-03-25 |
| 795568 | Heap-use-after-free in test_runner::WebWidgetTestClient::AnimateNow | - | 2018-03-25 |
| 777150 | Bad-cast to blink::LayoutBox from blink::LayoutInline;blink::AXLayoutObject::AccessibilityHitTest;blink::WebAXObject::HitTest | - | 2018-03-24 |
| 786723 | DCHECK failure in !compilation_info()->dependencies() || !compilation_info()->dependencies()->HasA | - | 2018-03-24 |
| 791256 | DCHECK failure in kNoSourcePosition != start_position() in scopes.cc | - | 2018-03-24 |
| 792537 | Cherry-pick an upstream buffer overrun fix for Calendar class in ICU | - | 2018-03-24 |
| 793714 | DCHECK failure in *code->owner()->compiled_module()->owning_instance() == codemap()->instance() in | - | 2018-03-24 |
| 793793 | Use-after-poison in v8::internal::RegExpParser::GetCapture | - | 2018-03-24 |
| 794390 | Cherry-pick an upstream fix for UTF-8 to UTF-8 converter | - | 2018-03-24 |
| 794394 | Security: V8: JIT: JSBuiltinReducer::ReduceObjectCreate fails to ensure that the prototype is "null" | - | 2018-03-24 |
| 794401 | Crash in GetValueByObjectIndex | - | 2018-03-24 |
| 794406 | Security: Use of Uninitialized Value in approx_log2 (msan build filter_fuzz_stub) | - | 2018-03-24 |
| 794492 | Security: pdfium: out-of-bounds read with nested colorspaces | - | 2018-03-24 |
| 794822 | Security: V8: JIT: Type confusion in GetSpecializationContext | - | 2018-03-24 |
| 794932 | CHECK failure: arg_elements == isolate->heap()->empty_fixed_array() in objects-debug.cc | - | 2018-03-24 |
| 795251 | Security: pdfium: out-of-bounds read with shading pattern backed by pattern colorspace | - | 2018-03-24 |
| 795502 | CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (index >= 0 && index < this->length() | - | 2018-03-24 |
| 793196 | DCHECK failure in retained_size_ + length >= retained_size_ in array-buffer-tracker-inl.h | - | 2018-03-22 |
| 793285 | Use-of-uninitialized-value in sse41::blit_row_s32a_opaque | - | 2018-03-22 |
| 793372 | Bad-cast to CJX_Node from CJX_Content in CXFA_Node::JSNode | - | 2018-03-22 |
| 793519 | DeviceSensorHost exposes shared memory handles from StartPolling as read-write | - | 2018-03-22 |
| 793876 | chrome!ui::AXPlatformNodeWin::IsSameHypertextCharacter out-of-bounds read | $500 | 2018-03-22 |
| 794405 | CHECK failure: LoadElement of kRepFloat64 (NumberOrHole) cannot be changed to kRepTagged in rep | - | 2018-03-22 |
| 719907 | Security: Cert manager allows import of CA roots an messing with trust bits on Kiosk network config screen | - | 2018-03-21 |
| 791317 | Use-of-uninitialized-value in sk_store_a8 | - | 2018-03-21 |
| 792464 | Global-buffer-overflow in blink::CSSParserToken::GetType | - | 2018-03-21 |
| 793282 | DCHECK failure in size + CallSize(target, offset, cond, rs, rt, bd) == SizeOfCodeGeneratedSince(&s | - | 2018-03-21 |
| 793292 | DCHECK failure in IsCodeTarget(rmode_) || IsRuntimeEntry(rmode_) in assembler-mips-inl.h | - | 2018-03-21 |
| 793617 | Bad-cast to SkPathEffect from SkColorShader in sk_sp<SkPathEffect> SkReadBuffer::readFlattenable<SkPathEffect> | - | 2018-03-21 |
| 793637 | Security: MSAN detects use of unitialized value in makeWithLocalMatrix (using filter_fuzz_stub) | - | 2018-03-21 |
| 793639 | Security: global-buffer-overflow in MakeComposeFilter (filter_fuzz_stub) | - | 2018-03-21 |
| 793863 | CHECK failure: arg_elements == isolate->heap()->empty_fixed_array() in objects-debug.cc | - | 2018-03-21 |
| 738401 | CrOS: Vulnerability reported in media-libs/tiff | - | 2018-03-20 |
| 791988 | CVE-2017-1000405: Security: "Dirty COW" variant on transparent huge pages | - | 2018-03-20 |
| 793571 | Crash in SkPngEncoder::onEncodeRows | - | 2018-03-20 |
| 793671 | Heap-buffer-overflow in v8::internal::FixedArray::set | - | 2018-03-20 |
| 792439 | Security DCHECK failure: !object || (object->IsBox()) in LayoutBox.h | - | 2018-03-19 |
| 793099 | Use-after-free in DnsTransaction, again | - | 2018-03-18 |
| 791243 | Heap-use-after-free in ui::X11CursorFactoryOzone::RefImageCursor | - | 2018-03-17 |
| 792221 | Navigation entry's SSL status is not updated when navigating to an existing page | - | 2018-03-17 |
| 822465 | Manage Passwords is set to "Off" but it still autofills credentials | - | 2018-03-16 |
| 648608 | PlzNavigate: Properly set the initator of the navigation. | - | 2018-03-16 |
| 791253 | Heap-use-after-free in ui::AXSystemCaretWin::~AXSystemCaretWin | - | 2018-03-16 |
| 792316 | Stack-buffer-overflow in SkGaussFilter::SkGaussFilter | - | 2018-03-16 |
| 792422 | Security: buffer overflow in AudioSyncReader | - | 2018-03-16 |
| 792549 | CHECK failure: dest_data + dest_byte_length <= source_data || source_data + source_byte_length | - | 2018-03-16 |
| 792810 | Heap-buffer-overflow in SkReader32::readInt | - | 2018-03-16 |
| 792827 | Heap-buffer-overflow in SkReadBuffer::readFlattenable | - | 2018-03-16 |
| 793030 | Security: Merge CVE-2017-3738 fix to M64. | - | 2018-03-16 |
| 793170 | Use-of-uninitialized-value in SkReadBuffer::readFlattenable | - | 2018-03-16 |
| 746132 | bluetooth::mojom::AdapterFactory is available to any renderer without permission checks | - | 2018-03-15 |
| 760342 | Issuing multiple redirects hangs any subsequent navigation. This allows URL Spoofing and also a crash. | $500 | 2018-03-15 |
| 774174 | Security: heap-buffer-overflow in UnpackOneRowOfRGBA5551LittleToRGBA8 | $1,000 | 2018-03-15 |
| 784183 | signed integer overflow in blink::WebGLRenderingContextBase::ValidateTexImageSubRectangle<blink::Image> | $4,000 | 2018-03-15 |
| 786784 | Crash in v8::internal::Invoke | - | 2018-03-15 |
| 791245 | Security: V8: JIT: Simplified-lowererer IrOpcode::kStoreField, IrOpcode::kStoreElement optimization bug | - | 2018-03-15 |
| 791491 | Security: CVE-2017-17095 - libtiff: Heap-based buffer overflow bug in pal2rgb(pal2rgb.c) | - | 2018-03-15 |
| 792117 | shared_memory_posix.cc memfd_create does not support read-only segments | - | 2018-03-15 |
| 792306 | Use-of-uninitialized-value in bool blink::FastParseColorInternal<unsigned char> | - | 2018-03-15 |
| 792658 | DCHECK failure in retained_size_ + length >= retained_size_ in array-buffer-tracker-inl.h | - | 2018-03-15 |
| 771482 | Use-of-uninitialized-value in media::DecoderBuffer::timestamp | - | 2018-03-14 |
| 780354 | Heap-buffer-overflow in ConstantUnion::operator- | - | 2018-03-14 |
| 781147 | Heap-buffer-overflow in sw::Array<sw::Float4, 1>::operator | - | 2018-03-14 |
| 784761 | U+0D1F and U+0D2F can be used to spoof 'so.com' | - | 2018-03-14 |
| 785675 | pobfuzz: cc::DrawTextBlobOp::Deserialize -> use-of-uninitialized-value in int const& SkTMax<int> | - | 2018-03-14 |
| 789479 | Security: Multiple vulnerabilities in libcurl | - | 2018-03-14 |
| 791298 | Heap-use-after-free in ui::AXSystemCaretWin::~AXSystemCaretWin | - | 2018-03-14 |
| 791345 | Security: Integer overflow in FastArraySliceCodeStubAssembler::HandleFastSlice | $5,500 | 2018-03-14 |
| 791607 | Use-of-uninitialized-value in SkFontRequestCache::Request::Create | - | 2018-03-14 |
| 791616 | Heap-use-after-free in fxcrt::UnownedPtr<CFX_XMLParser>::ProbeForLowSeverityLifetimeIssue | - | 2018-03-14 |
| 791953 | CHECK failure: NumberToUint32 of kRepWord32 (Range(1, NUMBER)) cannot be changed to kRepTaggedS | - | 2018-03-14 |
| 791983 | Heap-use-after-free in net::DnsTransactionImpl::DoCallback | - | 2018-03-14 |
| 780301 | Use-of-uninitialized-value in TParseContext::parseSingleDeclaration | - | 2018-03-13 |
| 780451 | Use-of-uninitialized-value in TParseContext::nonInitErrorCheck | - | 2018-03-13 |
| 780698 | Use-of-uninitialized-value in ConstantUnion::cast | - | 2018-03-13 |
| 780750 | Heap-buffer-overflow in getAddress | - | 2018-03-13 |
| 785150 | Heap-buffer-overflow in getIConst | - | 2018-03-13 |
| 787301 | Stack-overflow in v8::internal::TranslatedState::MaterializeAt | - | 2018-03-13 |
| 788070 | Use-of-uninitialized-value in net::DnsTransactionImpl::DoCallback | - | 2018-03-13 |
| 788131 | Heap-use-after-free in net::DnsTransactionImpl::DoCallback | - | 2018-03-13 |
| 788304 | Security: CVE-2017-16939 Linux Kernel XFRM Privilege Escalation | - | 2018-03-13 |
| 789767 | MSAN detects use-of-uninitialized-value in analyze_3x4_matrix() in filter_fuzz_stub | - | 2018-03-13 |
| 789764 | Crash in v8::internal::Script::FindSharedFunctionInfo | - | 2018-03-13 |
| 791288 | Use-after-poison in blink::KURL::KURL | - | 2018-03-13 |
| 791291 | Use-after-poison in blink::DocumentThreadableLoader::SetDefersLoading | - | 2018-03-13 |
| 791347 | Bad-cast to blink::Resource from invalid vptr in blink::DocumentThreadableLoader::Cancel | - | 2018-03-13 |
| 791348 | Use-after-poison in url::Parsed::Parsed | - | 2018-03-13 |
| 791484 | Heap-use-after-free in blink::LayoutObject::NextInPreOrder | - | 2018-03-13 |
| 791548 | CHECK failure: arg_elements == isolate->heap()->empty_fixed_array() in objects-debug.cc | - | 2018-03-13 |
| 791589 | Bad-cast to blink::Resourceblink::DocumentThreadableLoader::SetDefersLoading in media::MultiBuffer::AddReader | - | 2018-03-13 |
| 791597 | Crash in media::MultiBuffer::AddReader | - | 2018-03-13 |
| 774382 | Security: Persian Calendar Integer overflow lead to OOB read | - | 2018-03-12 |
| 782594 | [syzkaller] Linux kernel: multiple vulnerabilities in the USB subsystem | - | 2018-03-12 |
| 779326 | Crash in sw::Renderer::taskLoop | - | 2018-03-10 |
| 779364 | Security: SwiftShader sw::Renderer::taskLoop | $1,000 | 2018-03-10 |
| 788208 | Use-of-uninitialized-value in SkFontRequestCache::Request::Create | - | 2018-03-10 |
| 791003 | Security: Sandbox escape via exposed "filesystem::mojom::Directory" mojo interface in "catalog" service | - | 2018-03-10 |
| 791105 | Heap-use-after-free in blink::LayoutObject::NextInPreOrder | - | 2018-03-10 |
| 765371 | Security: bluetooth LE advertisement storm can remotely hang/crash chromebooks, android devices, and some iOS devices with little or no user action needed | - | 2018-03-09 |
| 789109 | CrOS: Vulnerability reported in net-misc/curl | - | 2018-03-09 |
| 789492 | CVE-2017-16647 CrOS: Vulnerability reported in Linux kernel | - | 2018-03-09 |
| 789494 | CVE-2017-16649 CrOS: Vulnerability reported in Linux kernel | - | 2018-03-09 |
| 789496 | CrOS: Vulnerability reported in net-misc/rsync | - | 2018-03-09 |
| 789682 | ServiceWorkerScriptURLLoader does not check for certificate errors properly | - | 2018-03-09 |
| 789812 | Use-of-uninitialized-value in sse41::blit_row_s32a_opaque | - | 2018-03-09 |
| 789952 | Security: NCSC Vulnerability Report - Google Chrome - V8 JavaScript Engine | $2,000 | 2018-03-09 |
| 790684 | Crash in FromAddress | - | 2018-03-09 |
| 790687 | Crash in v8::internal::Heap::InNewSpace | - | 2018-03-09 |
| 790696 | DCHECK failure in !MarkCompactCollector::IsOnEvacuationCandidate(target) in mark-compact.cc | - | 2018-03-09 |
| 790721 | Crash in v8::internal::HeapObject::map_word | - | 2018-03-09 |
| 790729 | Crash in InNewSpace | - | 2018-03-09 |
| 790753 | Crash in void v8::internal::BodyDescriptorBase::IteratePointers<v8::internal::ConcurrentM | - | 2018-03-09 |
| 790758 | CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (object->IsString()) in string-inl.h | - | 2018-03-09 |
| 790885 | DCHECK failure in !MarkCompactCollector::IsOnEvacuationCandidate(target) in mark-compact.cc | - | 2018-03-09 |
| 740556 | Security: HTML sandbox restrictions are removed after a redirect through docs.google.com | - | 2018-03-08 |
| 777350 | Relative report-uri for CSP combined against wrong base | $500 | 2018-03-08 |
| 778658 | Security: content security policy bypass | $1,000 | 2018-03-08 |
| 787103 | Cross-origin Shared Worker | $2,000 | 2018-03-08 |
| 789497 | Security: Information Leak in mincore() | - | 2018-03-08 |
| 734931 | Security: c-ares NAPTR parser out of bounds access | - | 2018-03-07 |
| 787712 | Use After Free (write) in SkPerlinNoiseShaderImpl | - | 2018-03-07 |
| 788441 | DCHECK failure in non_compiled_functions.size() == idx in module-compiler.cc | - | 2018-03-07 |
| 788508 | Heap-use-after-free in media::PipelineImpl::RendererWrapper::Stop | - | 2018-03-07 |
| 789113 | Global-buffer-overflow in CXFA_Node::NameToElement | - | 2018-03-07 |
| 789372 | DCHECK failure in isolate == nullptr implies icache_flush_mode == SKIP_ICACHE_FLUSH in assembler-a | - | 2018-03-07 |
| 788230 | Crash in mov_read_sidx | - | 2018-03-06 |
| 788469 | Crash in v8::internal::CallInternal | - | 2018-03-06 |
| 788539 | CHECK failure: frame_state->opcode() == IrOpcode::kFrameState || (node->opcode() == IrOpcode::k | - | 2018-03-06 |
| 785809 | Security: Chrome does not percent-escape the URL passed to external handler | $500 | 2018-03-05 |
| 786020 | CHECK failure: !descriptors->GetKey(i)->IsInterestingSymbol() in objects-debug.cc | - | 2018-03-05 |
| 779629 | Security: Google's Chrome Cleanup Tool DLL Preloading Vulnerability | - | 2018-03-01 |
| 783132 | CHECK failure: is_transitionable_fast_elements_kind implies !Map::IsInplaceGeneralizableField(d | - | 2018-03-01 |
| 784808 | CVE-2017-15951 CrOS: Vulnerability reported in Linux kernel | - | 2018-03-01 |
| 784080 | Crash in v8::internal::Simulator::DecodeType3 | $1,500 | 2018-03-01 |
| 787910 | Use-after-poison in parameter_count | - | 2018-03-01 |
| 781529 | Crash in CPDF_HintTables::ReadPageHintTable | - | 2018-02-28 |
| 783729 | CVE-2017-15649 CrOS: Vulnerability reported in Linux kernel | - | 2018-02-28 |
| 786700 | CrOS: Vulnerability reported in net-misc/wget | - | 2018-02-28 |
| 786754 | Bad-cast to const blink::BeginTransformDisplayItem from blink::DisplayItem in blink::BeginTransformDisplayItem::Equals | - | 2018-02-28 |
| 787606 | Bad-cast to const blink::ClipDisplayItem from blink::DisplayItem in blink::ClipDisplayItem::Equals | - | 2018-02-28 |
| 787661 | Heap-buffer-underflow in cc::DisplayItemList::EndPaintOfPairedEnd | - | 2018-02-28 |
| 771973 | DCHECK failure in (location_) != nullptr in handles.cc | - | 2018-02-27 |
| 786524 | Heap-buffer-overflow in SkTextBlob::RunRecord::RunRecord | - | 2018-02-27 |
| 786573 | Security: V8: Integer overflow in Runtime_RegExpReplace | - | 2018-02-27 |
| 786934 | Use-after-poison in std::__1::vector<v8::internal::MachineRepresentation, v8::internal::ZoneAllocato | - | 2018-02-27 |
| 770734 | Heap-buffer-overflow in bool url::DoExtractQueryKeyValue<char> | - | 2018-02-26 |
| 785804 | DCHECK failure in !IsSmi() == Internals::HasHeapObjectTag(this) in objects.h | - | 2018-02-26 |
| 774842 | Security: Visually-perfect domain spoofing using dotless-i plus combining mark | $500 | 2018-02-25 |
| 615608 | Security: Chrome browser not respecting no-referrer meta tag | - | 2018-02-24 |
| 740314 | CHECK failure: actual_unused_property_fields > map()->unused_property_fields() in objects-debug | - | 2018-02-24 |
| 774438 | Security: Permission request UI spoof (improper URL truncation) | $500 | 2018-02-24 |
| 775527 | Security: Privileged XSS in DevTools | $1,000 | 2018-02-24 |
| 776256 | CHECK failure: input->op()->ValueOutputCount() > index in verifier.cc | - | 2018-02-24 |
| 780699 | Crash in __printf_chk | - | 2018-02-24 |
| 782119 | Security DCHECK failure: value.IsPrimitiveValue() in CSSPrimitiveValue.h | - | 2018-02-24 |
| 785760 | Heap-use-after-free in media::FrameBufferPool::OnVideoFrameDestroyed | - | 2018-02-24 |
| 786278 | Crash in v8::internal::FreeList::Allocate | - | 2018-02-24 |
| 786587 | DCHECK failure in raw_properties_or_hash()->IsSmi() || (raw_properties_or_hash()->IsDictionary() = | - | 2018-02-24 |
| 786649 | Crash in v8::internal::Heap::AllocateCode | - | 2018-02-24 |
| 617963 | Security: Service Workers Response Size Info Leak | - | 2018-02-22 |
| 699028 | Security: Canvas composite operations and CSS blend modes leak cross-origin data via timing attacks. | $2,000 | 2018-02-22 |
| 772262 | DCHECK failure in cursor - bytes.get() + buffer->length() <= total_size_ in streaming-decoder.cc | - | 2018-02-22 |
| 778668 | Crash in v8::internal::Invoke | - | 2018-02-22 |
| 781766 | Crash in media::SourceBufferRangeByPts::GetBufferIndexAt | - | 2018-02-22 |
| 784863 | CHECK failure: nof_elements <= array_length in objects-debug.cc | - | 2018-02-22 |
| 784869 | pobfuzz: SkTextBlob::Deserialize -> SkPaint::unflatten heap-buffer-overflow | - | 2018-02-22 |
| 784990 | DCHECK failure in nod == removed_holes_index in objects.cc | - | 2018-02-22 |
| 785095 | DCHECK failure in !done() || handler_ == nullptr in frames.cc | - | 2018-02-22 |
| 785270 | Heap-buffer-overflow in SkReadBuffer::readRect | - | 2018-02-22 |
| 785520 | DCHECK failure in !heap->HasRecordedSlot( *object, HeapObject::RawField(*object, index.offset())) | - | 2018-02-22 |
| 777041 | Crash in blink::PersistentBase<blink::DummyGCBase, | - | 2018-02-21 |
| 779457 | DCHECK failure in outer_scope_ == scope->outer_scope() in bytecode-generator.cc | - | 2018-02-21 |
| 780402 | Pwn2own: V8 - isolate control via function deoptimization | - | 2018-02-21 |
| 781518 | Chromium: Vulnerability reported in expat | - | 2018-02-21 |
| 783914 | Heap-buffer-overflow in safe_browsing::dmg::HFSBTreeIterator::Next | - | 2018-02-21 |
| 784862 | CHECK failure: size <= kMaxRegularHeapObjectSize in runtime-internal.cc | - | 2018-02-21 |
| 784867 | DCHECK failure in node->id() < count_ in simplified-lowering.cc | - | 2018-02-21 |
| 699461 | Security: HSTS Bypass via flooding of the HSTS policy file | - | 2018-02-20 |
| 780484 | Security: unsafe navigation in chromecast plugin possibly causing UXSS and popup block bypass | $500 | 2018-02-20 |
| 780780 | CrOS: Vulnerability reported in net-misc/curl | - | 2018-02-20 |
| 783119 | CHECK failure: nof_elements <= array_length in objects-debug.cc | - | 2018-02-20 |
| 783815 | Heap-buffer-overflow in SkReader32::readInt | - | 2018-02-20 |
| 783926 | DCHECK failure in kSmi == type() in ast.cc | - | 2018-02-20 |
| 784146 | DCHECK failure in !isolate_->has_pending_exception() in module-compiler.cc | - | 2018-02-20 |
| 784242 | Heap-buffer-overflow in SkTextBlob::RunRecord::RunRecord | - | 2018-02-20 |
| 784533 | DCHECK failure in IsTyped(node) in node-properties.h | - | 2018-02-20 |
| 758169 | Website thumbnail screenshot access even after all private data is deleted | - | 2018-02-19 |
| 783902 | CHECK failure: method->map()->instance_descriptors()->GetKey(kHomeObjectPropertyIndex) == isola | - | 2018-02-19 |
| 783828 | Heap-buffer-overflow in SkReadBuffer::readRect | - | 2018-02-19 |
| 784054 | Heap-buffer-overflow in SkString::Rec::Make | - | 2018-02-19 |
| 784336 | Heap-buffer-overflow in SkReadBuffer::peekByte | - | 2018-02-19 |
| 778101 | SPAKE password-scalar not multiplied by 8 | $500 | 2018-02-17 |
| 781520 | CVE-2017-12192 CrOS: Vulnerability reported in Linux kernel | - | 2018-02-17 |
| 781592 | Received signal 11 SEGV_MAPERR running mutant1110_regress-arguments-slice.js | - | 2018-02-17 |
| 783243 | CVE-2017-16528: CrOS: ALSA: seq: Use after free at unbind device | - | 2018-02-17 |
| 783822 | DCHECK failure in key->IsSmi() in runtime-classes.cc | - | 2018-02-17 |
| 797484 | CrOS: Vulnerability reported in net-misc/rsync | - | 2018-02-16 |
| 776309 | CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSReceiver()) in objects-i | - | 2018-02-16 |
| 782754 | DCHECK failure in this->IsInhabited() in types.cc | - | 2018-02-16 |
| 783019 | CHECK failure: #863:JSCallRuntime should be followed by IfSuccess/IfException, but is only foll | - | 2018-02-16 |
| 783035 | CHECK failure: Representation inference: unsupported opcode 61 (Dead), node #NUMBER in simplifi | - | 2018-02-16 |
| 676773 | Security: Adobe Flash MovieClip.createTextField Use After Free | $3,000 | 2018-02-15 |
| 676778 | Security: Adobe Flash Camera Object Use After Free | $3,000 | 2018-02-15 |
| 676789 | Security: Adobe Flash TextField.variable property setter Use After Free | $3,000 | 2018-02-15 |
| 708957 | Origin missing from AMP content delivered by AGSA | - | 2018-02-15 |
| 726142 | Security: RenderFrameHostImpl::UpdatePermissionsForNavigation is called too often | - | 2018-02-15 |
| 767359 | Security: Blink Bindings - Use After Free in blink::ScriptState::From | - | 2018-02-15 |
| 779242 | Bad-cast to std::__1::__shared_weak_count from invalid vptr;v8::internal::wasm::AsyncCompile;v8::WebAssemblyCompile | - | 2018-02-15 |
| 780782 | CVE-2017-1000111 CrOS: Vulnerability reported in Linux kernel | - | 2018-02-15 |
| 780783 | CVE-2017-1000112 CrOS: Vulnerability reported in Linux kernel | - | 2018-02-15 |
| 782267 | DCHECK failure in !isolate_->has_pending_exception() in module-compiler.cc | - | 2018-02-15 |
| 782596 | Heap-buffer-overflow in CPDF_TextPage::IsHyphen | - | 2018-02-15 |
| 347200 | Security: Drag-Drop is possible in fullscreen and not canceled on fullscreen exit | - | 2018-02-14 |
| 591804 | Should an <iframe> access chrome://resources? | - | 2018-02-14 |
| 782145 | Security:V8:Type Confusion Leads To OOB Read Write | $3,000 | 2018-02-14 |
| 782413 | DCHECK failure in slot == stack_state.end() in liftoff-assembler.cc | - | 2018-02-14 |
| 775868 | Heap-use-after-free in SkPathRef::countVerbs | - | 2018-02-13 |
| 779407 | DCHECK failure in !done() || handler_ == nullptr in frames.cc | - | 2018-02-13 |
| 780784 | CVE-2017-15537 CrOS: Vulnerability reported in Linux kernel | - | 2018-02-13 |
| 782075 | Use-of-uninitialized-value in gray_set_cell | - | 2018-02-13 |
| 771972 | Heap-buffer-overflow in v8::internal::wasm::ModuleDecoderImpl::DecodeFunctionBody | - | 2018-02-10 |
| 780558 | Heap-use-after-free in blink::LayoutObject::NextInPreOrder | - | 2018-02-10 |
| 780708 | Security: "googlechrome" scheme allows opening downloaded files in content scheme | - | 2018-02-10 |
| 777215 | Security: ChromeOS printer zeroconf remote code execution | $2,000 | 2018-02-09 |
| 778251 | InputScalesValid has a potential buffer overflow | - | 2018-02-09 |
| 758478 | Incorrect-function-pointer-type in _hb_blob_destroy_user_data | - | 2018-02-09 |
| 761245 | Incorrect-function-pointer-type in _hb_blob_destroy_user_data | - | 2018-02-09 |
| 778505 | Security: OOB Write in QuicStreamSequencerBuffer::OnStreamData | $10,500 | 2018-02-09 |
| 781116 | DCHECK failure in false == cell_reports_intact in isolate.cc | - | 2018-02-09 |
| 768203 | Heap-use-after-free in blink::AXLayoutObject::GetDocument | - | 2018-02-08 |
| 774846 | Heap-buffer-overflow in base::BigEndianWriter::WriteBytes | - | 2018-02-08 |
| 774854 | Use-of-uninitialized-value in void base::internal::VectorBuffer<std::__1::basic_string<char, std::__1::char_tr | - | 2018-02-08 |
| 777728 | Security: Stack Buffer Overflow in QuicClientPromisedInfo::OnPromiseHeaders | $10,500 | 2018-02-08 |
| 778189 | CVE-2017-15265 CrOS: Vulnerability reported in Linux kernel | - | 2018-02-08 |
| 779314 | Security: OOB Read in BlobStorageContext::BlobFlattener::BlobFlattener | $2,500 | 2018-02-08 |
| 779919 | Heap-use-after-free in net::HttpNetworkTransaction::~HttpNetworkTransaction | - | 2018-02-08 |
| 779949 | Heap-buffer-overflow in SkPixmap::getColor | - | 2018-02-08 |
| 666824 | Security: bypass user gesture requirement for dangerous download types: Chrome extension â local user privilege escalation | - | 2018-02-07 |
| 753645 | Security: Autocomplete data can be stolen by malicious webpage | $1,000 | 2018-02-06 |
| 772897 | DCHECK failure in !has_pending_exception() in isolate.cc | - | 2018-02-06 |
| 778940 | Crash in LoadImageRow<DataType::RGB565> | - | 2018-02-06 |
| 778951 | Crash in LoadImageRow<DataType::Bytes_2> | - | 2018-02-06 |
| 779327 | Use-of-uninitialized-value in sw::RegisterArray<16, false>::RegisterArray | - | 2018-02-06 |
| 779826 | DCHECK failure in !has_pending_exception() in isolate.cc | - | 2018-02-06 |
| 779918 | CHECK failure: !obj->IsHashTable() in code-serializer.cc | - | 2018-02-06 |
| 617611 | Heap-buffer-overflow in CPDF_StreamParser::ParseNextElement | - | 2018-02-03 |
| 771848 | Security: URL bar does not update correctly on redirects with extension blocking requests | $500 | 2018-02-02 |
| 777419 | Security: URL spoof when navigating back if the first real load ends up hitting an error | $500 | 2018-02-02 |
| 778926 | Crash in v8::internal::CopyObjectToObjectElements | - | 2018-02-02 |
| 778931 | CHECK failure: !thrower.error() in module-compiler.cc | - | 2018-02-02 |
| 479620 | Security: Omnibox data privacy leak and MITM vulnerability | - | 2018-02-01 |
| 693991 | Security: Chrome Information Leakage - Prediction Service & Preload | - | 2018-02-01 |
| 763194 | Referrer policy bypass with about:blank and document.write() | $500 | 2018-01-31 |
| 637098 | Security: Read all local files using minimal user interaction and gesture laundering | $2,000 | 2018-01-30 |
| 757882 | Unknown exception in C:\windows\SYSTEM32\KERNELBASE.dll | - | 2018-01-30 |
| 770313 | Security: Enterprise ChromeOS OOBE page loads web URLs inside chrome:// process | - | 2018-01-30 |
| 776673 | Use-of-uninitialized-value in WebRtcNs_ProcessCore | - | 2018-01-30 |
| 772636 | DCHECK failure in CanSubclassHaveInobjectProperties(instance_type) in objects.cc | - | 2018-01-29 |
| 776623 | Crash in sw::Renderer::taskLoop | - | 2018-01-29 |
| 768975 | Heap-buffer-overflow in blink::DecodingImageGenerator::GetContentIdForFrame | - | 2018-01-28 |
| 776677 | Security: V8:Use After Free Leads to Remote Code Execution | $7,500 | 2018-01-28 |
| 743276 | WPA1/2 all-zero session key & key reinstallation attacks | $8,837 | 2018-01-27 |
| 764197 | Security DCHECK failure: !object || (object->IsBox()) in LayoutBox.h | - | 2018-01-27 |
| 774436 | CrOS: Vulnerability reported in net-vpn/openvpn | - | 2018-01-27 |
| 774821 | Negative-size-param in mov_read_trun | - | 2018-01-27 |
| 774833 | ASSERT: 0 <= value && value < symbolsCount | - | 2018-01-27 |
| 775501 | Use-of-uninitialized-value in media::internal::DecimatedSearch | - | 2018-01-27 |
| 775888 | DCHECK failure in array->map() != fixed_cow_array_map() in heap.cc | - | 2018-01-27 |
| 776307 | Heap-buffer-overflow in safe_browsing::dmg::HFSBTreeIterator::Next | - | 2018-01-27 |
| 776511 | DCHECK failure in BackingStore::get(backing_store, i, isolate)->IsSmi() || (IsHoleyElementsKind(Ki | - | 2018-01-27 |
| 772420 | DCHECK failure in right_type()->Is(Type::PlainPrimitive()) in js-typed-lowering.cc | - | 2018-01-24 |
| 773952 | Use-of-uninitialized-value in gpu::gles2::ScopedPixelUnpackBufferOverride::ScopedPixelUnpackBufferOverride | - | 2018-01-24 |
| 772848 | CVE-2017-5123: Chrome Sandbox escape through linux kernel vulnerability introduced in 4.13 in waitid | $15,000 | 2018-01-24 |
| 774613 | DCHECK failure in !compilation_info()->dependencies()->HasAborted() in compiler.cc | - | 2018-01-24 |
| 774780 | DCHECK failure in original_constructor->IsConstructor() in js-create-lowering.cc | - | 2018-01-24 |
| 774824 | CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (object->IsFixedArray()) in objects-i | - | 2018-01-24 |
| 775457 | Use-of-uninitialized-value in IconLabelBubbleView::SeparatorView::UpdateOpacity | - | 2018-01-24 |
| 772331 | Heap-buffer-overflow in base::BasicStringPiece<std::__1::basic_string<char, std::__1::char_traits<char>, | - | 2018-01-23 |
| 773161 | USB notification bubble: RTL text gets intermingled with URL. | - | 2018-01-23 |
| 774475 | DCHECK failure in (function_) == nullptr in scopes.cc | - | 2018-01-23 |
| 774860 | CHECK failure: map->IsMap() in spaces.cc | - | 2018-01-23 |
| 768080 | CHECK failure: args[1]->IsJSReceiver() in runtime-object.cc | - | 2018-01-20 |
| 774448 | CHECK failure: start_position == start_position_from_data in preparsed-scope-data.cc | - | 2018-01-20 |
| 773620 | Security: WebRtc - Another Type Confusion in cricket::Codec::Matches() | $1,000 | 2018-01-20 |
| 766039 | Heap-use-after-free in test_runner::AccessibilityController::FocusedElement | - | 2018-01-19 |
| 771697 | PVer4: Send chrome::NOTIFICATION_SAFE_BROWSING_UPDATE_COMPLETE notification when the database update completes | - | 2018-01-19 |
| 771948 | Clusterfuzz UNKNOWN WRITE crash in D8 after enabling trap handlers | - | 2018-01-19 |
| 773576 | CHECK failure: start_position == start_position_from_data in preparsed-scope-data.cc | - | 2018-01-19 |
| 774015 | Bad-cast to blink::CSSPropertyAPIblink::ParseKeywordValue;blink::CSSParserFastPaths::MaybeParseValue;_start | - | 2018-01-19 |
| 774020 | Bad-cast to blink::CSSPropertyAPI from __cxxabiv1::__function_type_info;blink::ParseKeywordValue;blink::CSSParserFastPaths::MaybeParseValue | - | 2018-01-19 |
| 774060 | Global-buffer-overflow in blink::GetAPI | - | 2018-01-19 |
| 767385 | CVE-2017-14489 CrOS: Vulnerability reported in Linux kernel | - | 2018-01-18 |
| 770452 | Stack-buffer-overflow in icu_59::NumberingSystem::createInstance | $3,000 | 2018-01-18 |
| 770450 | Stack-buffer-overflow in Runtime_CanonicalizeLanguageTag | $1,000 | 2018-01-18 |
| 772720 | CHECK failure: NodeProperties::GetType(val)->Is(NodeProperties::GetType(node)) in verifier.cc | - | 2018-01-18 |
| 773954 | DCHECK failure in 0 == node->op()->EffectOutputCount() in memory-optimizer.cc | - | 2018-01-18 |
| 772151 | Heap-use-after-free in fxcrt::UnownedPtr<CPDF_Array const>::ProbeForLowSeverityLifetimeIssue | - | 2018-01-17 |
| 771479 | Heap-use-after-free in CPDF_SecurityHandler::~CPDF_SecurityHandler | - | 2018-01-17 |
| 772376 | Heap-use-after-free in CPDF_SecurityHandler::~CPDF_SecurityHandler | - | 2018-01-17 |
| 772615 | Heap-buffer-overflow in chrome_pdf::PDFiumEngine::TraverseBookmarks | - | 2018-01-17 |
| 772625 | DCHECK failure in isolate->context() == nullptr || isolate->context()->IsContext() in runtime-obje | - | 2018-01-17 |
| 772666 | Heap-use-after-free in SkPathRef::countVerbs | - | 2018-01-17 |
| 772752 | Use-of-uninitialized-value in GrCCPRCoverageOpsBuilder::parsePath | - | 2018-01-17 |
| 773231 | CHECK failure: Unexpected operator #61:Dead @ node #4 in instruction-selector.cc | - | 2018-01-17 |
| 771932 | CVE-2017-12153 CrOS: Vulnerability reported in Linux kernel | - | 2018-01-16 |
| 772635 | CHECK failure: size <= kMaxRegularHeapObjectSize in runtime-internal.cc | - | 2018-01-16 |
| 772873 | DCHECK failure in IsTyped(node) in node-properties.h | - | 2018-01-16 |
| 772684 | Crash in _sk_table_r_sse2 | - | 2018-01-16 |
| 772878 | CHECK failure: Unexpected operator #61:Dead @ node #4 in instruction-selector.cc | - | 2018-01-16 |
| 772621 | Heap-buffer-overflow in sandbox::ActualCallParams<1ul, 1024ul>::GetSize | - | 2018-01-15 |
| 772689 | CHECK failure: 0 == field_count_ in deoptimizer.cc | - | 2018-01-15 |
| 772640 | Heap-buffer-overflow in sandbox::ActualCallParams<3ul, 1024ul>::GetSize | - | 2018-01-15 |
| 608494 | MixedContentChecker::handleCertificateErrors() does not downgrade lock icon for active broken-https subresource loads in iframes | - | 2018-01-13 |
| 759457 | MediaStreamTrack.applyConstraints will crash the tab if executed in quick succession | $1,000 | 2018-01-13 |
| 771117 | Bad-cast to media::WebMediaPlayerImpl from base class subobject at offset 8;content::HtmlVideoElementCapturerSource::CreateFromWebMediaPlayerImpl;content::RendererBlinkPlatformImpl::CreateHTMLVideoElementCapturer | - | 2018-01-13 |
| 771474 | CHECK failure: scope_data_->RemainingBytes() >= kUint8Size in preparsed-scope-data.cc | - | 2018-01-13 |
| 771916 | DCHECK failure in units_.empty() in module-compiler.cc | - | 2018-01-13 |
| 771971 | DCHECK failure in index < GetJSCallArity() in js-builtin-reducer.cc | - | 2018-01-13 |
| 697451 | Heap-buffer-overflow in GetWord_LSBFirst | - | 2018-01-12 |
| 756427 | Use-after-free in CFFL_TextField::SaveData | $6,500 | 2018-01-12 |
| 770337 | Heap-buffer-overflow in CCodec_ProgressiveDecoder::ReSampleScanline | - | 2018-01-12 |
| 772056 | DCHECK failure in new_len >= old_len in heap.cc | - | 2018-01-12 |
| 771979 | Security: Use-after-free in Field::UpdateFormControl | $3,000 | 2018-01-12 |
| 799059 | Crash in blink::StyleEngine::NodeWillBeRemoved | - | 2018-01-12 |
| 727039 | Security: UAF/double free with XSLT XPath expressions containing function calls in predicates | $3,500 | 2018-01-11 |
| 756456 | Security: IDN domain spoof with unicode (U+0F37 U+0F84) | - | 2018-01-11 |
| 756226 | Security: URL spoofing with Armenian characters | - | 2018-01-11 |
| 756735 | Security: Gujarati character in domain names are not blacklisted | - | 2018-01-11 |
| 763021 | Crash in v8::internal::Invoke | - | 2018-01-11 |
| 770148 | Security: UAF in CPWL_ComboBox::KillFocus | $5,000 | 2018-01-11 |
| 769976 | DCHECK failure in isolate->context() == nullptr || isolate->context()->IsContext() in runtime-obje | - | 2018-01-11 |
| 770465 | Security: Insuficience punycode handling leading to address spoofing | - | 2018-01-11 |
| 770458 | Use-of-uninitialized-value in blink::MojoWatcher::RunReadyCallback | - | 2018-01-11 |
| 771470 | CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSObject()) in objects-inl | - | 2018-01-11 |
| 771822 | animated webp with frame < 8 bytes can cause a crash | - | 2018-01-11 |
| 763382 | Crash in sw::Renderer::taskLoop | - | 2018-01-10 |
| 763384 | Crash in libGLESv2_swiftshader | - | 2018-01-10 |
| 765939 | Crash in sw::Thread::Thread | - | 2018-01-10 |
| 768716 | Use-of-uninitialized-value in blink::InlineTextBox::GetSelectionState | - | 2018-01-10 |
| 769252 | CVE-2017-14340 CrOS: Vulnerability reported in Linux kernel | - | 2018-01-10 |
| 624515 | Heap-buffer-overflow in FPDFAPI_inflate | - | 2018-01-09 |
| 763798 | Use-after-poison in blink::OfflineAudioDestinationHandler::RenderIfNotSuspended | - | 2018-01-09 |
| 761622 | Security: Video streams sourced from cross-origin videos aren't tainted | $4,000 | 2018-01-08 |
| 764399 | Use-of-uninitialized-value in sse41::blit_row_s32a_opaque | - | 2018-01-08 |
| 765479 | DCHECK failure in index < length() in builtins-utils.h | - | 2018-01-08 |
| 770154 | CVE-2017-1000252 CrOS: Vulnerability reported in Linux kernel | - | 2018-01-08 |
| 770155 | CVE-2017-12154 CrOS: Vulnerability reported in Linux kernel | - | 2018-01-08 |
| 770257 | CHECK failure: Unexpected operator #60:DeadValue @ node #NUMBER in instruction-selector.cc | - | 2018-01-07 |
| 769657 | Security: Linux PIE/stack corruption (CVE-2017-1000253) | - | 2018-01-06 |
| 769846 | DCHECK failure in !IsThreadInWasm() in trap-handler.h | - | 2018-01-06 |
| 770143 | Heap-use-after-free in base::internal::WeakReference::is_valid | - | 2018-01-06 |
| 718858 | Chrome 32 bit only: Float argument passed to function is garbage inside the function | $3,000 | 2018-01-05 |
| 764921 | Stack-buffer-overflow in test_runner::EventSender::SendCurrentTouchEvent | - | 2018-01-05 |
| 768910 | Security: Drag and drop of JavaScript to the URL bar incompletely blocked | - | 2018-01-05 |
| 769173 | DCHECK failure in marking_state()->IsGrey(obj) || marking_state()->IsBlack(obj) in incremental-mar | - | 2018-01-05 |
| 769134 | Security: Use-of-uninitialized-value on Heap | - | 2018-01-05 |
| 769345 | Crash in Relaxed_Load | - | 2018-01-05 |
| 769522 | Security: WebAssembly potential arbitrary code execution in render process with trap handlers | - | 2018-01-05 |
| 769913 | DCHECK failure in IrOpcode::kFrameState == state->opcode() in instruction-selector.cc | - | 2018-01-05 |
| 769842 | Bad-cast to v8::internal::compiler::Operator1<v8::internal::compiler::FrameStateInfo, v8::internal::compiler::OpEqualTo<v8::internal::compiler::FrameStateInfo>, v8::internal::compiler::OpHash<v8::internal::compiler::FrameStateInfo> > from v8::internal::compiler::CommonOperatorGlobalCache::DeadValueOperator;OpParameter<v8::internal::compiler::FrameStateInfo>;OpParameter<v8::internal::compiler::FrameStateInfo> | - | 2018-01-05 |
| 769975 | CHECK failure: Unexpected operator #60:DeadValue @ node #NUMBER in instruction-selector.cc | - | 2018-01-05 |
| 764248 | Crash in content::RenderWidgetHostInputEventRouter::RouteMouseWheelEvent | - | 2018-01-04 |
| 765450 | Security: image_burner arbitrary root file-write | $5,000 | 2018-01-04 |
| 768185 | Heap-buffer-overflow in CCodec_ProgressiveDecoder::ReSampleScanline | - | 2018-01-04 |
| 769292 | Use-of-uninitialized-value in CFX_LZWDecoder::Create | - | 2018-01-04 |
| 769580 | CHECK failure: map->IsMap() in spaces.cc | - | 2018-01-04 |
| 769587 | Crash in v8::internal::NewSpace::Verify | - | 2018-01-04 |
| 220189 | Security: [iSEC] Gobi3K Features Allow Code Execution, Persistent Changes | - | 2018-01-03 |
| 722079 | libxml2 - Heap Overflow in xmlMemStrdupLoc | - | 2018-01-03 |
| 763707 | CrOS: Vulnerability reported in sys-kernel/chromeos-kernel-3_14 | - | 2018-01-03 |
| 765469 | Security: heap buffer overflow in WebGLImageConversion::PackPixels | $3,000 | 2018-01-03 |
| 768367 | DCHECK failure in kMaxUInt32 != index_ in lookup.h | - | 2018-01-03 |
| 764540 | cryptohomed: InvalidateCertificate silently fails to clear pagecache | - | 2018-01-03 |
| 737531 | CrOS: CVE-2017-1000370: Vulnerability reported in Linux kernel | - | 2018-01-02 |
| 765858 | Security: Use-of-uninitialized-value on Heap | $1,000 | 2018-01-02 |
| 768091 | Stack-buffer-overflow in content::BlinkTestController::OnAllServiceWorkersCleared | - | 2018-01-02 |
| 758745 | Security: Hostname not elided securely | - | 2018-01-01 |
