Chromium Disclosed Security Bugs

Chromium security bugs are publicly disclosed by Google 14 weeks after fixing. They have great learning value, but it's difficult to keep track of exactly when they're derestricted. This page is a hub of security bugs that have recently gone public.

Bugs can also be followed on Twitter (@BugsChromium) or Mastodon.

Bugs disclosed in 2021

Bug ID  Summary  Reward  Disclosure date
1040837 Security: open an evil exe file via a "shortcut" in chrome://downloads/ $500 2021-12-31
1233375 Referrer Spoof using <base href> and <style> $500 2021-12-30
1248567 SEGV in vk::Image::clear() $5000 2021-12-30
1252351 tint_binding_remapper_fuzzer: Heap-buffer-overflow in tint::fuzzers::RandomGenerator::CalculateSeed - 2021-12-30
1233566 Cryptohome ephemeral mounts lack nosymfollow - 2021-12-29
1251787 Security: ASLR bypass via memory_instrumentation.mojom.Coordinator - 2021-12-29
1251727 Security: heap-use-after-free in content::RenderFrameHostImpl::delegate - 2021-12-29
1283234 Payment Handler gets cropped or partially lives outside of popup window - 2021-12-29
1108714 Security: WPA2-Enterprise/EAP WiFi Connection UI Discrepancy $3000 2021-12-28
1195566 crash in ModalCloseWatcher::Close - 2021-12-28
1240921 Symlink traversal in network driver modprobe script $20000 2021-12-28
1250660 Potential race condition during concurrent JIT compilation - 2021-12-28
1250730 h264_bitstream_parser_fuzzer: Crash in webrtc::BitstreamReader::ReadExponentialGolomb - 2021-12-28
1250775 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2021-12-28
1251010 vp9_encoder_references_fuzzer: Use-of-uninitialized-value in webrtc::LibvpxVp9Encoder::SetSvcRates - 2021-12-28
1248435 SUMMARY: AddressSanitizer: use-after-poison event_listener_map.cc:144 in blink::EventListenerMap::Add $7500 2021-12-27
1152952 Security: Cast tab can appear after navigation to a different origin $1000 2021-12-25
1085762 Security: Improper Theme name sanitization in theme manager. $500 2021-12-24
1182188 Chromium: Vulnerability reported in third_party/xstream - 2021-12-24
1206928 use-after-poison network_state_notifier.cc:314 in blink::NetworkStateNotifier::NotifyObserversOnTaskRunner $5000 2021-12-24
1245607 CrOS: Vulnerability reported in dev-libs/openssl - 2021-12-24
1248665 Null-dereference READ in ubsan_GetStackTrace - 2021-12-24
1249602 tint_regex_spv_writer_fuzzer.exe: Illegal-instruction in tint::fuzzers::FatalError - 2021-12-24
1244348 Security: Heap-use-after-free in ui::EventDispatcher::DispatchEventToEventHandlers $15000 2021-12-23
1246728 dawn_wire_server_and_vulkan_backend_fuzzer.exe: Heap-use-after-free in tint::transform::DataMap::Add<tint::transform::SingleEntryPoint::Config,const - 2021-12-23
1248661 Security: heap-use-after-free in app_controller_mac.mm $10000 2021-12-23
1094945 Security: Speculative type confusion - [1/3 - eBPF] $10000 2021-12-22
1182687 Executable libraries could be loaded from noexec partitions - 2021-12-22
1241643 Crash in memfd:swiftshader_jit - 2021-12-22
1246631 SUMMARY: AddressSanitizer: heap-buffer-overflow SkPixmap.cpp:321 in SkPixmap::getColor $20000 2021-12-22
1246692 skia_image_filter_deserialize_fuzzer: Illegal-instruction in SkSL::DSLParser::swizzle - 2021-12-22
1193196 CrOS: Vulnerability reported in dev-libs/glib - 2021-12-21
1218099 Yoga commit may be a security fix - 2021-12-21
1238944 Android Chrome & Chromium Browsers Address Bar Spoofing $3000 2021-12-21
1242392 heap buffer overflow iin FingerprintHandler::HandleGetEnrollmentLabel $10000 2021-12-21
1247395 Security: WebView's CookieManager APIs fix up URLs incorrectly, potentially allowing cookie theft - 2021-12-21
1248768 Heap-use-after-free in blink::ElementRuleCollector::CollectMatchingRules - 2021-12-21
456994 Extension Debugger API restrictions are trivially circumvented - 2021-12-20
1246394 Security: heap-use-after-free C:\b\s\w\ir\cache\builder\src\chrome\browser\ui\views\media_router\web_contents_display_observer_view.cc:56:22 in media_router::WebContentsDisplayObserverView::OnBrowserSetLastActive(class Browser *) $15000 2021-12-20
1248514 Heap buffer overflow in PasswordSpecFetcher - 2021-12-20
1248030 Security: Use After Free in FileSystemAccessManagerImpl $15000 2021-12-19
1141803 Heap-use-after-free in content::RenderFrameImpl::GetLocalRootRenderWidget - 2021-12-17
1234050 Nearby Share UI incorrectly appears in non-ChromeOS browsers: causes UAF $15000 2021-12-17
1241123 Security: [ANGLE] Stack buffer overwrite in rx::StateManager11::syncVertexBuffersAndInputLayout $7500 2021-12-16
1242257 Heap-use-after-free in ui::SendDamagedRectsRecursive $16000 2021-12-16
1245879 Security: Incomplete fix for CVE-2021-30577 $10000 2021-12-16
1246163 tint_first_index_offset_fuzzer: Illegal-instruction in tint::fuzzers::FatalError - 2021-12-16
1246301 angle_translator_fuzzer: Use-of-uninitialized-value in sh::StructNameString - 2021-12-16
1246612 Use-after-poison in base::internal::WeakReferenceOwner::Invalidate - 2021-12-16
1246652 Bad-cast to SkSL::dsl::DSLGlobalVar from invalid vptr in SkTArray<SkSL::dsl::DSLGlobalVar, false>::checkRealloc - 2021-12-16
1246705 Crash in cppgc::internal::ConcurrentMarkingTask::Run - 2021-12-16
1246780 SUMMARY: AddressSanitizer: use-after-poison timer.cc:217 in base::internal::TimerBase::OnScheduledTaskInvoked $7500 2021-12-16
1246919 Use-after-poison in blink::LayoutGrid::LayoutPositionedObjects - 2021-12-16
1247182 rtcp_receiver_fuzzer: Use-of-uninitialized-value in webrtc::RTCPReceiver::ParseCompoundPacket - 2021-12-16
1247686 Security DCHECK failure: unit.TextContentEnd() <= text.length() in ng_offset_mapping.cc - 2021-12-16
1240952 Security: [Chrome OS Readiness Tool] Public tracking bug: Service installer assigns wrong permissions to DCOM objects - 2021-12-14
1243318 M94 Merge Request for crbug.com/dawn/1065 - 2021-12-14
1244568 Security: Cross-Origin information leak or delete in ContentIndex $5000 2021-12-14
1246748 dawn_wire_server_and_vulkan_backend_fuzzer: Heap-use-after-free in dawn_native::vulkan::ComputePipeline::Initialize - 2021-12-14
1245881 AddressSanitizer: use-after-poison execution_context_lifecycle_observer.cc:40 in blink::ExecutionContextLifecycleObserver::GetExecutionContext $5000 2021-12-13
1246606 Security DCHECK failure: i < length() in string_view.h - 2021-12-13
1246619 Security DCHECK failure: unit.TextContentEnd() <= text.length() in ng_offset_mapping.cc - 2021-12-13
1244408 dawn_wire_server_and_vulkan_backend_fuzzer: Heap-use-after-free in sw::PixelRoutine::PixelRoutine - 2021-12-11
1245141 dawn_wire_server_and_vulkan_backend_fuzzer: Heap-use-after-free in vk::CommandBuffer::submit - 2021-12-11
1245605 Chromium: Vulnerability reported in third_party/xstream - 2021-12-11
1245786 Security: Security DCHECK failure at blink::LayoutInline $5000 2021-12-11
1246412 code_cache_host_mojolpm_fuzzer: Illegal-instruction in StackTraceGetter::CurrentStackTrace - 2021-12-11
1240538 BluetoothRemoteGattCharacteristicTestWinrtOnly.StartNotifySessionDisconnectOnError failing on builder "win-asan" - 2021-12-10
1240884 Security: UAF in EditAddressProfileView::WindowClosing $17000 2021-12-10
1241036 Chrome ANGLE Out-of-Bound in texStorage3D $7500 2021-12-10
1243117 Security: UAF in AvailableOfflineContentProvider $15000 2021-12-10
1243622 Security: Cross-Origin information leak in GetDeveloperIdsTask $2000 2021-12-10
1243535 Security: AddressSanitizer: heap-use-after-free on address 0x11de0a00f100 SkPathEffectBase::asPoints and AddressSanitizer: heap-use-after-free on address 0x119b5ac92cd8 base::circular_deque - 2021-12-10
1244490 [sparkplug]Security: jit code memory corruption after use the generated baseline code to optimiztion the machine code - 2021-12-10
1245053 Security: Cross-Origin Response Size Leak Via BackgroundFetch $3000 2021-12-10
1245870 DCHECK failure in (class_variable_) == nullptr in scopes.cc - 2021-12-10
1245907 Heap-use-after-free in chromeos::LoginApiDataForNextLoginAttemptPrefCleaner::~LoginApiDataForNextLoginA - 2021-12-10
1246158 dawn_wire_server_and_vulkan_backend_fuzzer: Heap-use-after-free in dawn_native::vulkan::ComputePipeline::Initialize - 2021-12-10
1234284 Use-after-Free in AudioDebugRecordingsHandler::StartAudioDebugRecordings $20000 2021-12-09
1242404 oob in function StartupPagesHandler::HandleEditStartupPage $6000 2021-12-09
1242742 Security: heap-buffer-overflow in TabStripModel::MoveWebContentsAtImpl $10000 2021-12-09
1243646 Security: container-overflow in RecordEngagementMetric $20000 2021-12-09
1245046 tint_ast_hlsl_writer_fuzzer.exe: Illegal-instruction in tint::fuzzers::FatalError - 2021-12-09
1246065 DCHECK failure in storage_.is_populated_ in optional.h - 2021-12-09
1214199 Security: Heap-use-after-free in BackgroundFetchDelegateBase::CancelDownload $10000 2021-12-08
1232279 Security: Security: Clickjacking RCE of Chrome headless with Remote Debugging $3000 2021-12-08
1233942 Use-after-Free on AudioDebugRecordingsHandler::StopAudioDebugRecordings $20000 2021-12-08
1239516 use after free in sharing_hub::ScreenshotCapturedBubbleController::Capture $10000 2021-12-08
1239709 Security: Insufficient CORS Check Leads to Cross-Origin Size Leak via BackgroundFetch API $3000 2021-12-08
1243733 virgl_venus_fuzzer: Use-of-uninitialized-value in vn_decode_VkFormatProperties2_pnext_partial_temp - 2021-12-08
1243989 Use-after-poison in v8::internal::Scope::AllocateVariablesRecursively - 2021-12-08
1244254 Trap in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvInRegister_NoBuiltinExit - 2021-12-08
1244435 DCHECK failure in header->IsMarked() in pointer-policies.cc - 2021-12-08
1245003 CHECK failure: black_size <= marking_state->live_bytes(page) in paged-spaces.cc - 2021-12-08
1245079 CHECK failure: bitmap(page)->AllBitsSetInRange( page->AddressToMarkbitIndex(current), page->Add - 2021-12-08
1245145 CHECK failure: map_object.IsMap() in mark-compact-inl.h - 2021-12-08
1245357 CHECK failure: black_size <= marking_state->live_bytes(page) in paged-spaces.cc - 2021-12-08
1245405 CHECK failure: bitmap(page)->AllBitsSetInRange( page->AddressToMarkbitIndex(current), page->Add - 2021-12-08
1242269 Security: Blink - Use After Free of DawnCallback. $7500 2021-12-04
1243562 WebGPU mapped buffer range ArrayBuffers can be transferred - 2021-12-04
1243920 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2021-12-04
1244134 tint_spirv_tools_msl_writer_fuzzer.exe: Illegal-instruction in tint::fuzzers::FatalError - 2021-12-04
1203612 Chrome OS cannot handle multiple/wildcard server names for "SubjectMatch" in .onc profiles, opening doors to impersonation attacks and credential thefts $3000 2021-12-03
1233932 CrOS: Vulnerability reported in app-arch/libarchive - 2021-12-03
1242315 Security: Manifest.json can display overlay on non-origin tabs $1000 2021-12-03
1242841 Security: UAF in WebAppIdentityUpdate $7000 2021-12-03
1242865 tint_msl_transform_fuzzer: Heap-buffer-overflow in tint::writer::msl::GeneratorImpl::EmitTypeConstructor - 2021-12-03
1243944 tint_renamer_fuzzer: Stack-use-after-return in tint::sem::Pointer::Pointer - 2021-12-03
1072444 Security: cryptohomed file system interactions with less-privileged chronos user at /home/chronos/u-<hash> - 2021-12-02
1100761 Security: Possible to download files from sandboxed frames $3000 2021-12-02
1239910 Security: Web GPU - Out of bound object manupilation in WebGPUImplementation::OnGpuControlReturnData() $7500 2021-12-02
1242862 Heap-use-after-free in base::UnguessableToken const& base::internal::FunctorTraits<base::UnguessableTok - 2021-12-02
1203399 gpu_swangle_passthrough_fuzzer: Crash in gpu::gles2::GLES2DecoderPassthroughImpl::DoBindTexture - 2021-12-01
1228248 Feedback WebUIDialog does not observe Profile lifetime $5000 2021-12-01
1234544 Bad-cast to blink::ScriptWrappable from invalid vptr in blink::DOMDataStore::GetWrapper - 2021-12-01
1238108 Heap-use-after-free in content::WebAXObjectProxy::ActiveDescendant - 2021-12-01
1241193 tint_regex_spv_writer_fuzzer.exe: Illegal-instruction in tint::fuzzers::FatalError - 2021-12-01
1242650 Heap-use-after-free in content::MediaStreamDispatcherHost::OnWebContentsFocused - 2021-12-01
1233067 Security: Overlong iframe CSP attribute allows you to send near-arbitrary length headers to a server and induce server errors $2000 2021-11-30
1237533 TALOS-2021-1352: Google Chrome Blink setBaseAndExtent use after free vulnerability $7500 2021-11-30
1238158 heap-use-after-free : ChromeAppDelegate::OnHide - 2021-11-30
1238178 heap-use-after-free : WebUIAllowlist::GetRuleIterator - 2021-11-30
1241024 uaf in sharing_hub::ScreenshotCapturedBubble::DownloadButtonPressed - 2021-11-30
1241606 M94 Merge Request for crbug.com/dawn/837 - 2021-11-30
1241912 media_h265_decoder_fuzzer: Heap-buffer-overflow in media::H265Decoder::CalcRefPicPocs - 2021-11-30
1241687 crash in qrcode_generator::QRCodeGeneratorBubbleController::UpdateIcon - 2021-11-30
1241913 CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (!(!concurrent_search) || (array->IsS - 2021-11-30
1242666 CrOS: Vulnerability reported in dev-libs/nettle - 2021-11-30
1242669 CrOS: Vulnerability reported in net-misc/curl - 2021-11-30
1202613 Security: Stack overflow in nested message loops - 2021-11-29
1242319 Security: CVE-2021-3560 local privilege escalation through polkit - 2021-11-29
1239895 Security DCHECK failure: !resource_clipper->NeedsLayout() in clip_path_clipper.cc - 2021-11-28
1239057 Security: UaF in TabStripModel::MoveWebContentsAtImpl $10000 2021-11-26
1239472 Security: UAF in dav1d_get_bits function $5000 2021-11-26
1240033 Heap-use-after-free in ash::AppDragIconProxy::GetBoundsInScreen - 2021-11-26
1241192 vp9_qp_parser_fuzzer: Heap-buffer-overflow in rtc::BitBuffer::ReadBits - 2021-11-26
1241297 vp9_qp_parser_fuzzer: Heap-buffer-overflow in rtc::BitBuffer::PeekBits - 2021-11-26
1221913 cras_rclient_message_fuzzer: Use-of-uninitialized-value in cras_main_message_send - 2021-11-25
1232095 CHECK failure: args[0].IsJSPromise() - 2021-11-25
1232658 Security: ChromeOS root privilege escalation (pita, vm_concierge, arc-setup, DBus) $30000 2021-11-25
1232875 CHECK failure: static_cast<uintptr_t>(caller_frame_top_) > stack_guard->real_jslimit() in deopt - 2021-11-25
1233570 Risky mkdirs and chowns in vm_tools init - 2021-11-25
1234701 dawn_wire_server_and_vulkan_backend_fuzzer: Crash in memfd:swiftshader_jit - 2021-11-25
1235949 Security: heap-use-after-free in ~PermissionRequestChip $10000 2021-11-25
1236209 cras_rclient_message_fuzzer: Use-of-uninitialized-value in cras_main_message_send - 2021-11-25
1240670 v8_wasm_compile_fuzzer: Crash in v8::internal::WasmArray::GcSafeSizeFor - 2021-11-25
1213238 heap-use-after-free : media_router::MediaRouterAndroidBridge::DetachRoute - 2021-11-24
1234491 Security: ChromeOS root privilege escalation (cups, crash-reporter, ghostscript, Upstart) $30000 2021-11-24
1234882 Security: cupsd.conf Upstart root file write target - 2021-11-24
1239595 use after free in DiceTurnSyncOnHelperDelegateImpl::ShowEnterpriseAccountConfirmation( $5000 2021-11-24
1240714 CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (IsName_NonInline(*this)) in name-tq- - 2021-11-24
1235165 Heap-use-after-free in ash::TrayBubbleView::~TrayBubbleView - 2021-11-23
1235316 use after free in blink::FrameLoader::DetachDocument $7500 2021-11-23
1240548 dawn_wire_server_and_frontend_fuzzer: Heap-use-after-free in dawn_wire::server::Server::InjectDevice - 2021-11-23
1239522 DCHECK failure in native_module == current_native_module_ in code-space-access.cc - 2021-11-22
1239820 DCHECK failure in !header->IsFree() in pointer-policies.cc - 2021-11-22
1238406 cras_rclient_message_fuzzer: Use-of-uninitialized-value in cras_main_message_send - 2021-11-20
1238466 hb_subset_fuzzer: Crash in OT::CPALV1Tail::serialize - 2021-11-20
1239116 v8_wasm_code_fuzzer: Crash in v8::internal::Simulator::LoadStoreHelper - 2021-11-20
1237069 Heap-use-after-free in ui::AXNode::GetUnignoredParent - 2021-11-18
1238469 hb_subset_fuzzer: Use-of-uninitialized-value in TrySubset - 2021-11-18
1238731 paint_op_buffer_fuzzer: Heap-use-after-free in SkCanvas::internalRestore - 2021-11-18
1232914 Security: Heap-use-after-free in AutofillManager::OnLoadedServerPredictions $1000 2021-11-17
1234878 Security: Arbitrary code execution in ghostscript - 2021-11-17
1234880 Security: crash-reporter dirty root write - 2021-11-17
1238268 Security: heap-use-after-free in in download::NetworkStatusListenerImpl::OnNetworkStatusReady $20000 2021-11-17
1083337 URL spoofing on iOS by repeatedly navigating a new window $500 2021-11-16
1221914 cras_rclient_message_fuzzer: Use-of-uninitialized-value in volume_gain - 2021-11-16
1230767 Google Chrome WebRTC addIceCandidate use after free vulnerability (TALOS-2021-1348) $22000 2021-11-16
1232628 uaf in display::DisplayList::GetCurrentDisplay (chromeos version) $15000 2021-11-16
1234259 Security: a READ memory access in jsimd_huff_encode_one_block_sse2 $5000 2021-11-16
1234829 Security: [ANGLE] Heap use-after-free in TextureD3D::releaseTexStorage $9500 2021-11-16
1236701 Security: UAF in Screens::UpdateScreenInfos due to iterator invalidation $7500 2021-11-16
1236958 v8_wasm_compile_fuzzer: DCHECK failure in node->InputAt(1) == loop_header in loop-analysis.cc - 2021-11-16
1209469 Security: OOB write after creating pinned tab that's also in a group $10000 2021-11-15
1209616 Security: OOB read when window is closed while a link is being dragged over the tab strip $5000 2021-11-15
1223388 hb_subset_fuzzer: Heap-buffer-overflow in OT::CPALV1Tail::serialize - 2021-11-15
1230932 libaom_av1_dec_fuzzer: Use-of-uninitialized-value in aom_lowbd_blend_a64_d16_mask_c - 2021-11-15
1231650 tint_spv_reader_wgsl_writer_fuzzer: Illegal-instruction in tint::fuzzers::FatalError - 2021-11-15
1232808 libaom_av1_dec_fuzzer: Use-of-uninitialized-value in av1_dist_wtd_convolve_2d_copy_c - 2021-11-15
1236809 Heap-use-after-free in ash::TrayBubbleView::RerouteEventHandler::OnKeyEvent - 2021-11-15
1237387 CHECK failure: Ref construction failed in heap-refs.cc - 2021-11-15
999110 CrOS: Vulnerability reported in net-wireless/hostapd - 2021-11-12
1199865 Security: spook.js attacks on site vs origin isolation; extensions $3000 2021-11-12
1221068 heap-use-after-free : content::NativeIOManager::OnDeleteOriginDataCompleted - 2021-11-12
1228557 Security: UaF in TabGroupEditorBubbleView::UpdateGroup() $10000 2021-11-12
1233564 Security: Data race in HRTFDatabaseLoader::WaitForLoaderThreadCompletion - 2021-11-12
1233585 vm_concierge init allows bind mounting over symlinks - 2021-11-12
1235222 Security: Autofill prompt can render over browser UI (bypasses of recent reports) $3000 2021-11-12
1236563 CHECK failure: Ref construction failed - 2021-11-12
1236614 DCHECK failure in FLAG_flush_baseline_code || FLAG_flush_bytecode in heap-inl.h - 2021-11-12
1236694 Security: BigInt ToStringFormatter Crash $5000 2021-11-12
1237073 CHECK failure: Ref construction failed in heap-refs.cc - 2021-11-12
1004112 CVE-2019-16234 CrOS: Vulnerability reported in Linux kernel - 2021-11-09
1209622 AddressSanitizer: heap-use-after-free scoped_blocking_call_internal.cc:208 in base::internal::IOJankMonitoringWindow::OnBlockingCallCompleted $15000 2021-11-09
1234764 v8/Turbofan: Invalid rotate-right optimization + Typer hardening bypass $21000 2021-11-09
1234770 v8/Turbofan: Wrong optimization of bitfield checks $21000 2021-11-09
1231933 Security: UAF in perfromance_manager's site_data_impl.cc $10000 2021-11-08
1234009 Use-after-Free in FileSystemChooseEntryFunction::FilesSelected $20000 2021-11-08
1234321 Security: blink_platform!blink::CreateImageFromVideoFrame checkfailed - 2021-11-08
1235072 dawn_wire_server_and_vulkan_backend_fuzzer: Heap-use-after-free in dawn_wire::server::Server::InjectDevice - 2021-11-08
1232617 use after free in IsIndeterminate (chromeos version) $15000 2021-11-07
1234676 Stack-use-after-return in blink::StyleVariables::GetValue - 2021-11-07
1231877 tint_msl_transform_fuzzer: Heap-buffer-overflow in tint::writer::msl::GeneratorImpl::EmitTypeConstructor - 2021-11-05
1233975 Use-after-Free on HandleOnPerformDrop $20000 2021-11-05
1022790 Security: SameSite=Lax cookie sent with cross-origin request inside iframe $1000 2021-11-04
1217396 trunks_tpm_pinweaver_fuzzer: Global-buffer-overflow in google::protobuf::internal::EpsCopyInputStream::ReadString - 2021-11-04
1230128 tint_inspector_fuzzer.exe: Illegal-instruction in tint::fuzzers::FatalError - 2021-11-04
1231134 UAF in PrintViewManager $20000 2021-11-04
1233354 Heap-buffer-overflow in CJS_Field::setFocus - 2021-11-04
1233430 Type confusion in blink::StyleBuilderConverterBase::ConvertFontSize Security DCHECK failed: IsA<Derived>(from). $5000 2021-11-04
1233572 dawn_wire_server_and_frontend_fuzzer: Bad-cast to dawn_wire::server::Server from invalid vptr in dawn_wire::server::Server::InjectDevice - 2021-11-04
1233707 sqlite3_select_printf_lpm_fuzzer: Use-of-uninitialized-value in fixDistinctOpenEph - 2021-11-04
1234206 CHECK failure: !map.is_dictionary_map() implies map.is_stable() - 2021-11-04
1234357 dawn_wire_server_and_frontend_fuzzer: Bad-cast to dawn_wire::server::Serverdawn_wire::server::Server::InjectDevice in dawn_native::LoggingCallbackTask::HandleShutDown - 2021-11-04
1190550 Security: UAF in InputHandler::InputInjector::InjectKeyboardEvent $10000 2021-11-02
1216898 Security: heap-buffer-overflow in TabStripModel::IsTabBlocked - 2021-11-02
1219354 URL spoofing using tel: $1000 2021-11-02
1222120 Heap-use-after-free in ash::DesksBarView::FinalizeDragDesk - 2021-11-02
1224238 use after free content::FontAccessManagerImpl::DidChooseLocalFonts $20000 2021-11-02
1224753 Security: SkAbort_FileLine Assert Failed - 2021-11-02
1228036 CHECK failure: addr + size <= chunk_->area_end() - 2021-11-02
1231369 tint_binding_remapper_fuzzer: Heap-buffer-overflow in tint::fuzzers::ExtractBindingRemapperInputs - 2021-11-02
1231503 tint_all_transforms_fuzzer: Use-of-uninitialized-value in tint::fuzzers::Reader::string - 2021-11-02
1231950 v8_wasm_async_fuzzer: Crash in v8::internal::LogicVRegister::ReadUintFromMem - 2021-11-02
1232733 DCHECK failure in chars[i] != bigint::kStringZapValue in bigint.cc - 2021-11-02
1233397 Security: Out of bounds memory access in BigInt $15000 2021-11-02
1251541 Security: Universal Cross-Site Scripting (UXSS) - completing previously searched text in NTP $1000 2021-11-01
663512 Redirects should be handled by CSP form-action in a spec-compliant way - 2021-10-30
823241 Referrer Policy bypass with javascript URL $1000 2021-10-30
923648 CrOS: Vulnerability reported in sys-apps/busybox - 2021-10-30
1101897 Security: Possible to escape sandbox via devtools_page (alternative method) $5000 2021-10-30
1215711 v8_inspector_fuzzer: Trap in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_NoBuiltinExit - 2021-10-29
1223390 dawn_wire_server_and_d3d12_backend_fuzzer.exe: Heap-use-after-free in dawn_wire::server::Server::InjectDevice::<lambda_1>::__invoke - 2021-10-29
1223603 dawn_wire_server_and_vulkan_backend_fuzzer: Heap-use-after-free in dawn_wire::server::Server::InjectDevice - 2021-10-29
1227777 Security: HeapOverflow in RecentlyUsedFoldersComboModel $20000 2021-10-29
1227933 Heap-use-after-free in blink::NGOutOfFlowLayoutPart::SaveStaticPositionOnPaintLayer - 2021-10-29
1228134 dawn_wire_server_and_frontend_fuzzer: Use-of-uninitialized-value in void dawn_wire::ChunkedCommandSerializer::SerializeCommandImpl<dawn_wire::Return - 2021-10-29
1228672 CrOS: Vulnerability reported in dev-libs/libxml2 - 2021-10-29
1229298 Security: Chrome: UAF in BindFileUtilitiesHost $20000 2021-10-29
1229516 Security: WebShare from ephemeral tab triggers browser crash - 2021-10-29
1229625 TaskManager fails to keep Profile alive leading to UAF in CreateNativeWidget $1000 2021-10-29
1230369 webcodecs_audio_encoder_fuzzer: Use-of-uninitialized-value in media::AudioOpusEncoder::OnFifoOutput - 2021-10-29
1230409 webcodecs_image_decoder_fuzzer: Heap-buffer-overflow in media::DownShiftHighbitVideoFrame - 2021-10-29
1230431 DCHECK failure in IsNumber() in objects-inl.h - 2021-10-29
1230530 Security: heap-use-after-free in the PaymentCredential in the browser process $20000 2021-10-29
1230513 Security: heap-use-after-free in WebDataRequestManager::RequestCompletedOnThread $10000 2021-10-29
1231117 CHECK failure: proto.map().oddball_type() == OddballType::kNull in compilation-dependencies.cc - 2021-10-29
1231169 tint_all_transforms_fuzzer: Use-of-uninitialized-value in tint::fuzzers::AddPlatformIndependentPasses - 2021-10-29
1231432 use after poison in ImageDecoderExternal $5000 2021-10-29
1231704 Crash in v8::internal::ClearStaleLeftTrimmedHandlesVisitor::FixHandle - 2021-10-29
1231705 DCHECK failure in current.map_word(kRelaxedLoad).IsForwardingAddress() || current.IsFixedArrayBase - 2021-10-29
1231952 CHECK failure: Promise::kPending == promise->status() in objects.cc - 2021-10-29
1232115 garcon_mime_types_parser_fuzzer: Use-of-uninitialized-value in ReadInt - 2021-10-29
1221130 CrOS: Vulnerability reported in dev-libs/libgcrypt - 2021-10-26
1226373 Security: Clickjacking $500 2021-10-26
1229196 code_cache_host_mojolpm_fuzzer: Illegal-instruction in StackTraceGetter::CurrentStackTrace - 2021-10-26
1230324 tint_ast_clone_fuzzer: Illegal-instruction in TintInternalCompilerErrorReporter - 2021-10-26
1230784 Crash in cppgc::internal::PageBackend::FreeLargePageMemory - 2021-10-26
1230936 DCHECK failure in isolate->context().is_null() || isolate->context().IsContext() in runtime-compil - 2021-10-26
1203880 heap-use-after-free : system_media_permissions::`anonymous namespace'::CheckSystemMediaCapturePermission - 2021-10-25
1227351 v8_wasm_fuzzer: DCHECK failure in force_emit || !require_jump in assembler-arm.cc - 2021-10-25
1230239 vp9_replay_fuzzer.exe: Illegal-instruction in webrtc::vp9::BitstreamReader::IfNextBoolean - 2021-10-25
1230265 Trap in v8::internal::__RT_impl_Runtime_AbortCSAAssert - 2021-10-25
1230266 tint_all_transforms_fuzzer: Stack-buffer-overflow in tint::fuzzers::Reader::read - 2021-10-25
1197196 tint_spv_reader_msl_writer_fuzzer.exe: Illegal-instruction in tint::fuzzers::TintInternalCompilerErrorReporter - 2021-10-24
1218468 heap use after free in ChromePageInfoDelegate::OpenConnectionHelpCenterPage - 2021-10-24
1230139 Security: heap-buffer-overflow in libavif's avifImageScale() function - 2021-10-24
1205883 COOP is ignored on navigation errors followed by reloads - 2021-10-22
1220692 BrlTTY allows for arbitrary chmod 777 - 2021-10-22
1220696 BrlTTY allows for arbitrary root write - 2021-10-22
1226909 Security: crossOriginIsolated bypass $3000 2021-10-22
1228720 v8_wasm_async_fuzzer: DCHECK failure in pc_offset() <= first_const_pool_32_use_ + kMaxDistToIntPool in assembler-arm.h - 2021-10-22
1220237 Null-dereference READ in ubsan_GetStackTrace - 2021-10-21
1226318 virgl_fuzzer: Use-of-uninitialized-value in vrend_destroy_shader_object - 2021-10-21
1228233 DCHECK failure in effect_edges > 0 in verifier.cc - 2021-10-21
1228669 tint_robustness_fuzzer.exe: Illegal-instruction in tint::fuzzers::FatalError - 2021-10-21
1229198 Heap-use-after-free in blink::LayoutObject::PropagateStyleToAnonymousChildren - 2021-10-21
1227315 Security: HeapOverflow in ProtocolHandler $20000 2021-10-20
1227979 Security DCHECK failure: as_image_observer_count_ > 0u in layout_object.cc - 2021-10-20
1228643 zucchini_disassembler_win32_fuzzer: Use-of-uninitialized-value in zucchini::DisassemblerWin32<zucchini::Win32X86Traits>::MakeReadAbs32 - 2021-10-20
1228641 zucchini_disassembler_win32_fuzzer: Use-of-uninitialized-value in zucchini::RemoveOverlappingAbs32Locations - 2021-10-20
1228730 Bad-cast to blink::LayoutObject from invalid vptr in blink::LayoutInline::SplitFlow - 2021-10-20
1228950 zucchini_imposed_ensemble_matcher_fuzzer: Use-of-uninitialized-value in zucchini::DisassemblerWin32<zucchini::Win32X64Traits>::MakeReadAbs32 - 2021-10-20
1229001 Crash in blink::LayoutObject::SlowLastChild - 2021-10-20
1229004 Heap-use-after-free in blink::Text::RecalcTextStyle - 2021-10-20
1229031 Heap-use-after-free in blink::HasRenderedNonAnonymousDescendantsWithHeight - 2021-10-20
1229056 Crash in blink::LayoutListItem* blink::DynamicTo<blink::LayoutListItem, blink::LayoutObje - 2021-10-20
1229032 Heap-use-after-free in blink::NGBlockNode::FirstChild - 2021-10-20
1229071 Heap-use-after-free in blink::LayoutObject::SetNeedsLayoutAndFullPaintInvalidation - 2021-10-20
1229201 Heap-use-after-free in blink::LocalFrameView::UpdateDocumentAnnotatedRegions - 2021-10-20
1163124 arc-sensor.conf can be used to break out the user namespace when creating /dev/.arc_sensor_ready - 2021-10-19
1193925 Security: Overflow in handwriting - 2021-10-19
1217064 v8_wasm_code_fuzzer: CHECK failure: interpreter_result.result() == result_compiled - 2021-10-19
1228069 tint_msl_transform_fuzzer: Heap-buffer-overflow in tint::writer::msl::GeneratorImpl::EmitTypeConstructor - 2021-10-19
1228365 CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (IsHeapObject()) in heap-object.h - 2021-10-19
854424 Cross-origin download bypasses SameSite cookie $1000 2021-10-18
1209154 zucchini_disassembler_elf_fuzzer: Use-of-uninitialized-value in zucchini::RemoveOverlappingAbs32Locations - 2021-10-18
1224142 Debug check failed: scheduled_exception() == ReadOnlyRoots(heap()).termination_exception() - 2021-10-18
1228229 CHECK failure: kind() == CodeKind::BASELINE - 2021-10-18
1226337 Container-overflow in cc::draw_property_utils::LayerShouldBeSkippedForDrawPropertiesComputation - 2021-10-17
1226357 Container-overflow in cc::LayerImpl::LayerPropertyChangedFromPropertyTrees - 2021-10-17
1174491 CrOS: Vulnerability reported in sys-libs/glibc - 2021-10-16
1214481 (Chrome & Chromium Browsers) Blank Address Bar Temporary Spoof $1000 2021-10-16
1223426 gpu_raster_passthrough_fuzzer: Crash in CopyRow_C - 2021-10-16
1226890 Security: Use-After-Free in FileSystemAccessManager.GetEntryFromDataTransferToken - 2021-10-16
1226298 Container-overflow in cc::draw_property_utils::CalculateDrawProperties - 2021-10-16
936397 CrOS: Vulnerability reported in sys-libs/glibc - 2021-10-15
1220810 CHECK failure: addr + size <= chunk_->area_end() - 2021-10-15
1219994 Chromium: Vulnerability reported in third_party/libxml - 2021-10-15
1225929 Security: Web pages can use ProcessInternals and ConversionInternals Mojo interfaces - 2021-10-15
1226323 Security: Security DCHECK failed i < length() in WTF::StringView::operator[] $2000 2021-10-15
1227241 Bad-cast to blink::ScriptWrappable from invalid vptr in blink::DOMDataStore::GetWrapper - 2021-10-15
1227596 CHECK failure: JSFunctionRef construction failed - 2021-10-15
1259077 Security: form-action's blocking of redirects allows top-navigation XSLeak - 2021-10-15
1214234 Security: Heap-use-after-free in CreditCardAccessManager::FetchCreditCard $20000 2021-10-14
1216822 Security: An <option> with a long label causes browser crash $6000 2021-10-14
1221880 Invalid-free in base::TaskAnnotator::RunTask - 2021-10-14
1219995 CrOS: Vulnerability reported in dev-libs/libxml2 - 2021-10-14
1224419 UAF in WebAppInternalsPageHandlerImpl::GetExternallyInstalledWebAppPrefs - 2021-10-14
1226659 Use-after-poison in blink::ImageResourceContent::ShouldPauseAnimation - 2021-10-14
1226988 CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (IsHeapObject()) in heap-object.h - 2021-10-14
1227228 heap-use-after-free : IOSurfaceNotifierNotifyFunc - 2021-10-14
1226360 Segv on unknown address in blink::ScriptState::From - 2021-10-13
1190493 Heap-use-after-free in vk::Buffer::getOffsetPointer $6000 2021-10-12
1225607 DCHECK failure in object->FitsRepresentation(representation) in objects.cc - 2021-10-12
1223839 DCHECK failure in is_liftoff() || tier() == ExecutionTier::kTurbofan in wasm-code-manager.cc - 2021-10-11
1226056 Crash in MergeUVRow_SSE2 - 2021-10-10
1219082 Security: [ANGLE] Out-of-bounds write in Renderer11::blitRenderbufferRect $7500 2021-10-09
1225786 DCHECK failure in !broker->IsMainThread() in heap-refs.cc - 2021-10-09
1197149 Add FTPS to request port blocklist to combat ALPACA attack - 2021-10-07
1200995 heap-use-after-free : extensions::ChromeAppSorting::FixNTPOrdinalCollisions - 2021-10-07
1204722 Security: Autofill suggestion UI should dismiss permissions UI - 2021-10-07
1219870 Security: Use-after-free in NavigatorShare::OnConnectionError $7500 2021-10-07
1223667 Security: HeapOverflow in BookmarkBarView $10000 2021-10-07
1207839 tint_first_index_offset_fuzzer: Stack-buffer-overflow in tint::fuzzers::Reader::read - 2021-10-05
1214842 Security: GC freeing reachable objects in JSON parser $5000 2021-10-05
1217598 Heap-use-after-free in blink::TextPainterBase::CreateDrawLooper - 2021-10-05
1219209 Security: Use-after-free with XSLT strip-space $2000 2021-10-05
1219630 Security: JS object corruption in WasmJs::InstallConditionalFeatures - 2021-10-05
1219886 AddressSanitizer: heap-buffer-overflow on gpu::CopyArraysToBuffer transfer_buffer_cmd_copy_helpers.h:80 $8500 2021-10-05
1220250 Crash in GL_GenerateMipmap method. $7500 2021-10-05
1221309 OpenXR VR session exits with Samsung mixed reality controllers $500 2021-10-05
1221406 heap-use-after-free in task_manager $15000 2021-10-05
1224041 Crash in v8::internal::ElementsAccessorBase<v8::internal::FastHoleyObjectElementsAccessor - 2021-10-05
1219199 dawn_wire_server_and_vulkan_backend_fuzzer: Stack-buffer-overflow in rr::Variable::loadValue - 2021-10-02
1223103 cras_rclient_message_fuzzer: Use-of-uninitialized-value in cras_main_message_send - 2021-10-02
1223459 virgl_fuzzer: Segv on unknown address in virgl_renderer_context_destroy - 2021-10-02
1127594 CrOS: Vulnerability reported in dev-libs/libxml2 - 2021-10-01
1194959 CrOS: Vulnerability reported in app-arch/tar - 2021-10-01
1211312 CrOS: Vulnerability reported in dev-libs/libxml2 - 2021-10-01
1215243 counters_service_fuzzer: Heap-buffer-overflow in patchpanel::ParseOutput - 2021-10-01
1216022 dawn_wire_server_and_vulkan_backend_fuzzer: Heap-buffer-overflow in rr::optimize - 2021-10-01
1220068 DCHECK fail in webaudio worklet - 2021-10-01
1221221 Use-after-poison in blink::HTMLSlotElement::DetachLayoutTree - 2021-10-01
1221890 Security DCHECK failure: !resource_clipper->NeedsLayout() in clip_path_clipper.cc - 2021-10-01
1223191 Heap-use-after-free in blink::PropertyTreeManager::EnsureCompositorTransformNode - 2021-10-01
1223549 ec_pchg_fuzzer: Global-buffer-overflow in test_fuzz_one_input - 2021-10-01
1223584 CHECK failure: args.Length() == 2 in d8-test.cc - 2021-10-01
1223740 heap-use-after-free : blink::PaintController::FinishCycle - 2021-10-01
1206407 tint_single_entry_point_fuzzer: Illegal-instruction in tint::fuzzers::ValidityErrorReporter - 2021-09-30
1210550 gpu_raster_passthrough_fuzzer: Crash in CopyRow_ERMS - 2021-09-30
1210985 Security: OOB write after moving pinned tab into a group $15000 2021-09-30
1218973 Heap-use-after-free in ash::TrayBubbleView::~TrayBubbleView - 2021-09-30
1219377 Heap-use-after-free in ash::TrayBubbleView::~TrayBubbleView - 2021-09-30
1194689 heap-buffer-overflow : media::D3D11H264Accelerator::SubmitFrameMetadata - 2021-09-29
1209517 sqlite3_fts3_lpm_fuzzer: Heap-buffer-overflow in sqlite3Fts3Incrmerge - 2021-09-29
1218707 Security: UAF in websql $500 2021-09-29
1218974 Security: ChromeOS root privilege escalation (brltty, vpn-manager, cros_camera_server) $30000 2021-09-29
1220754 skia_path_fuzzer: Crash in blit_aaa_trapezoid_row - 2021-09-29
1221897 Heap-use-after-free in blink::LayoutBlockFlow::RemoveChild - 2021-09-29
1221840 Heap-use-after-free in blink::PropertyTreeManager::EnsureCompositorTransformNode $6000 2021-09-29
1222160 Bad-cast to blink::LayoutBox from blink::LayoutInline in blink::LayoutBox::SplitAnonymousBoxesAroundChild - 2021-09-29
1178183 cups_ipp_t_fuzzer: Crash in ippDelete - 2021-09-28
1202102 Security: UAF when attempting to move tab group in restored window $10000 2021-09-28
1212599 AddressSanitizer: heap-use-after-free fft_frame_pffft.cc:81 in blink::FFTFrame::FFTSetupForSize $7500 2021-09-28
1214641 Heap-use-after-free in blink::IsLayoutObjectRelevantForAccessibility - 2021-09-28
1215029 Security: UAF when sending tab to device $10000 2021-09-28
1221812 DCHECK failure in details.representation().Equals( map.GetPropertyDetails(descriptor).representati - 2021-09-28
1216678 Heap-buffer-overflow in cc::PaintWorkletImageProvider::GetPaintRecordResult - 2021-09-26
1215912 Freelist Corruption with PartitionAlloc on 93.0.4541.0+ related to allocation of LayoutObjects/PaintLayers - 2021-09-24
1219925 Heap-use-after-free in ash::TrayBubbleView::RerouteEventHandler::OnKeyEvent - 2021-09-24
1221031 Crash in cppgc::internal::PageBackend::AllocateLargePageMemory - 2021-09-24
1221062 heap-use-after-free : disk_cache::SparseControl::GetAvailableRange - 2021-09-24
1212612 Security: Use after free in Payments $20000 2021-09-23
1219539 Heap-buffer-overflow in ash::ScrollableShelfView::CalculateTappableIconIndices - 2021-09-23
1219898 v8_wasm_fuzzer: DCHECK failure in 0 < code.size() in function-compiler.cc - 2021-09-23
1151507 Security: Cross-origin iframe can navigate top window to different site via same-site open redirect or XSS redirect $3000 2021-09-22
1183440 Heap-use-after-free in views::MenuController::ExitMenu - 2021-09-22
1195278 UAF in bookmark $7500 2021-09-22
1200679 Security: Double-free when extension is uninstalled while uninstall dialog is being shown $10000 2021-09-22
1201033 Security: Out-of-bounds access in WebAudio $7500 2021-09-22
1206458 heap-use-after-free : resource_coordinator::TabLifecycleUnitSource::TabLifecycleUnit::SetFocused - 2021-09-22
1145553 bypass blocked autoredirects from cross-origin iframes $5000 2021-09-21
1181522 CrOS: Intel graphics drivers advisory INTEL-SA-00438 - 2021-09-21
1194899 BigInt toLocaleString free invalid pointer $1000 2021-09-21
1211308 Heap-buffer-overflow in rx::vk::ImageViewHelper::getLevelLayerDrawImageView - 2021-09-21
1213350 Security: Incorrect Security UI in downloads $3000 2021-09-21
1219101 Security: Simplified Lowering DCHECK restriction type - 2021-09-21
1219634 v8_wasm_code_fuzzer: DCHECK failure in exception_stack.back() == control_stack.size() - 1 in wasm-interpreter.cc - 2021-09-21
1214699 Null-dereference READ in ubsan_GetStackTrace - 2021-09-20
1216941 Null-dereference READ in content::BrowserContext::GetDefaultStoragePartition - 2021-09-19
1219231 Heap-use-after-free in ash::TrayBubbleView::RerouteEventHandler::OnKeyEvent - 2021-09-19
1216837 Use-after-poison in blink::HTMLSlotElement::DetachLayoutTree - 2021-09-18
1218439 Bad-cast to blink::ImageResourceObserver from invalid vptr in blink::ImageResourceContent::PriorityFromObservers - 2021-09-18
1218587 Heap-use-after-free in blink::StyleCrossfadeImage::ImageChanged - 2021-09-18
1218811 Heap-buffer-overflow in ash::ScrollableShelfView::CalculateTappableIconIndices - 2021-09-18
1219036 Crash in v8::internal::ElementsAccessorBase<v8::internal::FastHoleyObjectElementsAccessor - 2021-09-18
1210487 AddressSanitizer: use-after-poison long_task_detector.cc:46 in blink::LongTaskDetector::DidProcessTask $7500 2021-09-17
1214140 Heap-use-after-free in views::Widget::OnNativeWidgetDestroying - 2021-09-17
1214584 Heap-use-after-free in ui::LayerAnimationSequence::ProgressToEnd - 2021-09-17
1215504 CrOS: Vulnerability reported in net-nds/openldap - 2021-09-17
1217741 dawn_wire_server_and_frontend_fuzzer: Heap-use-after-free in dawn_native::ObjectBase::IsError - 2021-09-17
1206911 Security: heap-use-after-free in autofill::SaveCardBubbleViews::WindowClosing - 2021-09-16
1209558 Breakpoint with empty stacktrace - 2021-09-16
1209769 uaf in browser process DestroyURLLoader(network::cors::CorsURLLoaderFactory) $15000 2021-09-16
1210547 dawn_wire_server_and_vulkan_backend_fuzzer: Stack-buffer-overflow in rr::Variable::loadValue - 2021-09-16
1211215 DCHECK failure in *p != to_check_ in heap.cc - 2021-09-16
1212498 Security: UAF after user clicks help link in enhanced spell check dialog $10000 2021-09-16
1212500 Security: UAF after user clicks help link in accessibility labels dialog $10000 2021-09-16
1212618 Security: UAF in ServiceWorker with bfcache $25000 2021-09-16
1212862 Security: Crash in Zenith dialog - 2021-09-16
1216437 Security: Unexpected JS execution in GetScriptableObjectProperty leads to JS object corruption - 2021-09-16
1176218 Security: TALOS-2021-1241 Google Chrome WebAudio blink::AudioNodeOutput::Pull code execution vulnerability $7500 2021-09-15
1187797 Security: UAF in usrsctp on sctp_association->str_reset $7500 2021-09-15
1191778 policy_fuzzer: Heap-use-after-free in base::JoinString - 2021-09-15
1197146 Security: UAF when extension removes tab group during drag $10000 2021-09-15
1198717 Security: OOB write after extension pins tab during drag $10000 2021-09-15
1199198 Security: UAF caused by some WebUIMessageHandlers when OnJavascriptDisallowed() is not called before destruction $15000 2021-09-15
1202598 Security: Heap-buffer-overflow in TabStripModel::MoveWebContentsAtImpl $10000 2021-09-15
1203693 dawn_wire_server_and_frontend_fuzzer: Container-overflow in tint::diag::Formatter::format - 2021-09-15
1204814 sqlite3_lpm_fuzzer: Segv on unknown address in sqlite3MemCompare - 2021-09-15
1206631 Chrome: Crash Report - base::CancelableTaskTracker::Untrack - 2021-09-15
1215974 CrOS: Vulnerability reported in x11-libs/gdk-pixbuf - 2021-09-15
1216212 hb_subset_fuzzer: Crash in OT::hb_colrv1_closure_context_t::return_t OT::Paint::dispatch<OT::hb_colrv1_clos - 2021-09-15
1140831 harfbuzz is affected by unfixed upstream bugs - 2021-09-14
1201073 Security: UAP in FileReader $7500 2021-09-14
1202534 v8_inspector_fuzzer: DCHECK failure in enabled() in v8-debugger-agent-impl.cc - 2021-09-14
1209444 Trap in Builtins_JSEntryTrampoline - 2021-09-14
1211782 CrOS: Vulnerability reported in net-fs/samba - 2021-09-14
1212460 CrOS: Vulnerability reported in net-fs/samba - 2021-09-14
1215250 paint_op_buffer_fuzzer: Use-of-uninitialized-value in cc::PaintOpReader::ReadRecordPaintFilter - 2021-09-14
1215808 DCHECK failure in new_pages * wasm::kWasmPageSize >= byte_length_ in backing-store.cc - 2021-09-14
1215976 Memcpy-param-overlap in v8::base::Memcpy - 2021-09-14
1216595 Attaching an inner contents that has already created a platform RenderWidgetHostView causes a bad cast on Mac and Android - 2021-09-14
1216928 code_cache_host_mojolpm_fuzzer: Illegal-instruction in StackTraceGetter::CurrentStackTrace - 2021-09-14
1217311 DCHECK failure in new_pages * wasm::kWasmPageSize >= byte_length_ in backing-store.cc - 2021-09-14
1210823 dawn_wire_server_and_vulkan_backend_fuzzer: Crash in vk::DescriptorSetLayout::DescriptorSetLayout - 2021-09-12
1202661 Security: Stack overflow in printing $10000 2021-09-11
1201031 Security: Use-after-free in extension install dialog $20000 2021-09-10
1209802 tint_ast_clone_fuzzer: Illegal-instruction in tint_ast_clone_fuzzer.cc - 2021-09-10
1210414 Security: [ANGLE] Out-of-bound write in rx::Image11::GenerateMipmap $7500 2021-09-10
1216021 counters_service_fuzzer: Use-of-uninitialized-value in patchpanel::ParseOutput - 2021-09-10
1216215 DCHECK failure in (optimizing_compile_dispatcher_) != nullptr in isolate.h - 2021-09-10
1211326 SUMMARY: AddressSanitizer: heap-use-after-free devtools_agent_host_impl.h:84 in std::__1::vector<content::protocol::TargetHandler*, std::__1::allocator<content::protocol::TargetHandler*> > content::DevToolsAgentHostImpl::HandlersByName<content::protocol::TargetHandler>(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) $10000 2021-09-09
1213313 Security: HeapOverflow in FillPhoneCountryCode $15000 2021-09-09
1214280 dawn_wire_server_and_vulkan_backend_fuzzer: Heap-buffer-overflow in sw::SpirvShader::Operand::Float - 2021-09-09
921607 Cross-Origin URL steal using Fetch and no-cors requests on iOS Chrome. $2000 2021-09-08
1070399 Security: URL spoofing using 'very-long-hostname' URL in the Suggestion box $500 2021-09-08
1200440 ExtensionFunction::browser_context() and deleted private profiles - 2021-09-08
1180210 Security: CVE-2020-12362: Privilege escalation vulnerability in i915 GuC firmware - 2021-09-06
1181227 Security: Failure to enforce EC is booted from RO when performing dev mode transitions on dedede, volteer - 2021-09-06
1213770 CHECK failure: unregister_token().IsUndefined(isolate) implies key_list_prev().IsUndefined(isol - 2021-09-05
1214311 counters_service_fuzzer: Heap-buffer-overflow in patchpanel::ParseOutput - 2021-09-05
1195722 Security: UAP in JS Self-Profiling API $5000 2021-09-04
1195431 Security: UAF in Android-specific (not in upstream Linux) xt_qtaguid kernel module - 2021-09-04
1213709 DCHECK failure in 0 < number_of_all_descriptors in factory-base.cc - 2021-09-04
1201938 DCHECK failure in descriptor_number.as_int() < number_of_descriptors() in descriptor-array-inl.h - 2021-09-02
1206404 Use-after-poison in blink::HTMLSlotElement::DetachLayoutTree - 2021-09-02
1208264 Security: Heap-use-after-free in media_router::WebContentsDisplayObserverView::OnBrowserSetLastActive $15000 2021-09-02
1208782 DCHECK failure in IsAligned(reinterpret_cast<uintptr_t>(dst), kAtomicWordSize) in atomicops.h - 2021-09-02
1210394 crash in canvas filter $5000 2021-09-02
1212694 Security: libxml CVE-2021-3541 - 2021-09-02
1213476 Heap-use-after-free in blink::mojom::CodeCacheHostStubDispatch::Accept - 2021-09-02
1213678 DCHECK failure in that == nullptr || v8::internal::Object( *reinterpret_cast<const v8::internal::A - 2021-09-02
1213764 Crash in v8::internal::Map::instance_type - 2021-09-02
1213851 CHECK failure: ReadOnlyRoots(isolate).empty_descriptor_array() == *this - 2021-09-02
1023503 Security: PlatformSensorReaderWin32 use after free bug - 2021-09-01
1094449 CrOS: Vulnerability reported in sys-apps/dbus - 2021-09-01
1204811 Security: Local Elevation of Privilege vulnerability in Google Update Service $10000 2021-09-01
1210593 CHECK failure: byte_length() <= JSArrayBuffer::kMaxByteLength in objects-debug.cc - 2021-09-01
1212206 Heap-use-after-free in rx::FramebufferVk::startNewRenderPass - 2021-09-01
1212321 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2021-09-01
1212733 Security: expat vulnerable to CVE-2013-0340? $500 2021-09-01
538562 Chrome inherits window name from sandboxed iframe, enabling global variable confusion - 2021-08-31
1129379 CrOS: Vulnerability reported in dev-libs/openssl - 2021-08-31
1207277 Security: heap-use-after-free in BrowserView::ProcessFullscreen $7500 2021-08-31
1207334 CrOS: Vulnerability reported in sys-libs/binutils-libs - 2021-08-31
1209798 CHECK failure: Ref construction failed - 2021-08-31
1212582 DCHECK failure in !node->op()->HasProperty(Operator::kNoThrow) in simplified-lowering.cc - 2021-08-31
1172694 Heap-use-after-free in ui::LayerAnimationSequence::ProgressToEnd - 2021-08-28
1197431 Bad-cast to rx::RenderTargetVk from invalid vptr in rx::FramebufferVk::startNewRenderPass - 2021-08-28
1203607 Security: Heap-use-after-free in TabStripLayoutHelper::CalculateMinimumWidth $7500 2021-08-28
1184954 Security: Heap-use-after-free in TabStrip::GetSizeNeededForViews $10000 2021-08-27
1196480 Security: Multiple Bugs in WebP - 2021-08-27
1196773 Security: heap-use-after-free in libwebp ConvertBGRAToRGB_SSE41 - 2021-08-27
1196775 Security: heap-buffer-overflow in libwebp PlanarTo24b_SSE41 - 2021-08-27
1196777 Security: heap-buffer-overflow in libwebp VP8YuvToRgb - 2021-08-27
1196778 Security: heap-buffer-overflow in libwebp UpsampleRgbLinePair_SSE41 - 2021-08-27
1206289 CHECK failure: function->closure_feedback_cell_array().length() == function->shared().feedback_ - 2021-08-27
1211711 dawn_wire_server_and_vulkan_backend_fuzzer: Heap-buffer-overflow in rr::optimize - 2021-08-27
1178202 Security: X-Chrome-offline allows arbitrary file reads from compromised renderer. - 2021-08-26
1196232 CrOS: Vulnerability reported in sys-libs/binutils-libs - 2021-08-26
1197199 gpu_raster_swangle_passthrough_fuzzer: Heap-use-after-free in libvk_swiftshader.so - 2021-08-26
1196309 Security: OOB vector insertion when extension highlights tab during drag $10000 2021-08-26
1197875 Security: OOB read when attempting to add tab to group after groups have changed $11000 2021-08-26
1201340 DCHECK failure in offset_imm <= std::numeric_limits<int32_t>::max() in liftoff-assembler-ia32.h - 2021-08-26
1201446 Security: heap-buffer-overflow in CreateFaviconImageSkia $20000 2021-08-26
1203590 container-overflow in dom_distiller::TaskTracker::NotifyViewersAndCallbacks - 2021-08-26
1209118 SUMMARY: AddressSanitizer: heap-use-after-free (Chromium/asan-mac-release-876501/Chromium.app/Contents/Frameworks/Chromium Framework.framework/Versions/92.0.4491.0/Chromium Framework:x86_64+0x1958102f) in blink::ComputedAccessibleNode::checked() $5000 2021-08-26
1185801 Remove header sizes from ResourceTiming transferSize - 2021-08-25
1194431 Security: UAF in TracingHandler $5000 2021-08-25
1194896 Security: UAF after moving tab associated with undocked devtools instance into another browser window $10000 2021-08-25
1200766 UAF in AutofillPopupControllerImpl $20000 2021-08-25
1203674 AddressSanitizer: heap-use-after-free in dom_distiller::UMAHelper::LogTimeOnDistillablePage - 2021-08-25
1205059 video_capture_host_mojolpm_fuzzer: Bad parameters to --sanitizer-annotate-contiguous-container in media::FakeV4L2Impl::ioctl - 2021-08-25
1208414 render_text_api_fuzzer: Crash in gfx::RenderTextHarfBuzz::EnsureLayout - 2021-08-25
1208721 Security: heap-over-flow in AutofillPopupControllerImpl::RemoveSuggestion $20000 2021-08-25
1209178 render_text_api_fuzzer: Crash in gfx::RenderTextHarfBuzz::EnsureLayout - 2021-08-25
1209638 dawn_wire_server_and_vulkan_backend_fuzzer: Crash in vk::DescriptorSetLayout::DescriptorSetLayout - 2021-08-25
1206623 DCHECK failure in StackFrame::IsTypeMarker(marker) in frames.cc - 2021-08-23
1177325 libyuv_scale_fuzzer: Heap-buffer-overflow in InterpolateRow_Any_AVX2 - 2021-08-22
1190030 Crash in rx::IOSurfaceSurfaceVkMac::releaseTexImage - 2021-08-21
1200246 dawn_wire_server_and_frontend_fuzzer: Heap-use-after-free in dawn_native::ObjectBase::IsError - 2021-08-21
1204347 Security: 3d css can still glitch onto native browser UI - 2021-08-21
1206131 Security: PresentationRequest dialog can appear over the wrong tab $1000 2021-08-21
1208984 Heap-buffer-overflow in GrPathUtils::generateQuadraticPoints - 2021-08-21
1189110 Crash in sw::SpirvShader::getImageSampler - 2021-08-20
1205981 Visited links leak via CSS transitions and the transitionrun event (Windows 10, Linux) $5000 2021-08-20
1207078 v8_inspector_fuzzer: DCHECK failure in has_scheduled_exception() in isolate-inl.h - 2021-08-20
1208865 zucchini_disassembler_elf_fuzzer: Use-of-uninitialized-value in zucchini::DisassemblerElfIntel<zucchini::Elf32IntelTraits>::MakeReadAbs32 - 2021-08-20
1194058 Security: heap-use-after-free in the payment dialog in the browser process $15000 2021-08-19
1195340 Security: HeapOverflow in MediaFeeds $15000 2021-08-19
1195573 Security: UAF when WebContents being dragged is destroyed $1000 2021-08-19
1197436 Security: heap-use-after-free in DesktopWindowTreeHostPlatform::SetFullscreen $10000 2021-08-19
1200019 Security: heap-buffer-overflow in PlatformNotificationServiceImpl::CreateNotificationFromData $20000 2021-08-19
1206329 UAF in InternalAuthenticatorAndroid::InvokeIsUserVerifyingPlatformAuthenticatorAvailableResponse - 2021-08-19
1207992 Heap-use-after-free in viz::SkiaRenderer::DrawRenderPassQuad - 2021-08-19
1153363 Security: With full pointers, a wrong SmiUntag() operation on a TaggedIndex value can cause operating on the wrong feedback slot. - 2021-08-18
1198216 sqlite3_dbfuzz2_fuzzer.exe: Heap-buffer-overflow in insertCell - 2021-08-18
1200490 0 and -0 confusion in SpeculativeNumberMultiply - 2021-08-18
1203593 Static-imported scripts are wrongly considered main scripts during service worker update - 2021-08-18
1204071 Segv on unknown address in Builtins_InterpreterEntryTrampoline - 2021-08-18
1206674 Heap-use-after-free in hsw::run_program - 2021-08-18
1206822 Trap in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_BuiltinExit - 2021-08-18
1207680 CHECK failure: Ref construction failed - 2021-08-18
1194829 use after poison write in mojo::InterfaceEndpointClient::NotifyError when deal with WebBundle $5000 2021-08-17
1205670 CVE-2021-31829 - Linux kernel protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content of kernel memory - 2021-08-17
1206754 DCHECK failure in !__isolate__->has_pending_exception() in ic.cc - 2021-08-17
1206994 CHECK failure: promise_result.is_null() == promise_->GetIsolate()->has_pending_exception() - 2021-08-17
1207679 CHECK failure: storage_.is_populated_ - 2021-08-17
1205752 tint_spv_reader_wgsl_writer_fuzzer: Bad-cast to const tint::ast::Pointer from tint::ast::Vector in tint::typ::TypePair<tint::ast::Pointer, tint::sem::Pointer> tint::typ::Call_type - 2021-08-15
1149086 gstoraster_fuzzer: Use-of-uninitialized-value in gp_pwrite_impl - 2021-08-14
1164941 Heap-buffer-overflow in sw::SpirvShader::getImageSampler - 2021-08-14
1198369 Security: ink refers to non-existent upstream - 2021-08-14
1204484 tint_first_index_offset_fuzzer: Stack-buffer-overflow in tint::fuzzers::ExtractFirstIndexOffsetInputs - 2021-08-14
1171630 gstoraster_fuzzer: Use-of-uninitialized-value in cf_decode_2d - 2021-08-13
1172655 gstoraster_fuzzer: Use-of-uninitialized-value in template_compose_group - 2021-08-13
1201501 Bad-cast to content::ChildThreadImpl from invalid vptr in content::ChildThreadImpl::OnFieldTrialGroupFinalized - 2021-08-13
1201710 gstoraster_fuzzer: Segv on unknown address in stream_dct_end_passthrough - 2021-08-13
1202506 gstoraster_fuzzer: Heap-use-after-free in real_param - 2021-08-13
1203122 Security: Type confusion bug in LoadSuperIC $20000 2021-08-13
1168081 CrOS: Vulnerability reported in sys-libs/glibc - 2021-08-12
1193233 Security: Arbitrary file read when caching file using CallAsSelfAndImpersonate2 $5000 2021-08-12
1200017 Heap-use-after-free in gl::GLFenceNV::~GLFenceNV - 2021-08-12
1201074 Security: use-of-uninitialized-value in libavif when decode the crafted avif file $7500 2021-08-12
1202203 Heap-buffer-overflow in vk::Buffer::getOffsetPointer - 2021-08-12
1201772 FLEDGE passes privileged url_loader_factory to utility process - 2021-08-11
1203240 freetype_cidtype1_render_ftengine_fuzzer: Use-of-uninitialized-value in cf2_interpT2CharString - 2021-08-11
1203738 freetype_cidtype1_fuzzer: Use-of-uninitialized-value in cid_read_subrs - 2021-08-11
1204829 Heap-use-after-free in cricket::AllocationSequence::Init - 2021-08-11
1197786 sqlite3_lpm_fuzzer: Segv on unknown address in sqlite3MemCompare - 2021-08-10
1194021 CrOS: Vulnerability reported in x11-libs/cairo - 2021-08-09
1203060 freetype_bdf_fuzzer: Use-of-uninitialized-value in inflate - 2021-08-07
1204313 Heap-use-after-free in viz::SkiaRenderer::PrepareRenderPassOverlay - 2021-08-07
1177875 Security: Openjpeg security fix may be missing $500 2021-08-04
1198705 Security: Range miscalculation for nodes of type SpeculativeSafeIntegerAdd in v8's TurboFan $7500 2021-08-04
1199345 missing the -0 case in VisitSpeculativeIntegerAdditiveOp $15000 2021-08-04
1202736 DCHECK failure in stack_capacity_end_ > stack_end_ in function-body-decoder-impl.h - 2021-08-04
1139156 Security: chrome.debugger API bypasses the runtime_blocked_hosts Enterprise policy $5000 2021-08-03
1195331 Trap in v8::internal::Map::UpdateFieldType - 2021-08-03
1198854 use after poison in MediaStreamAudioTrack::StopAndNotify $5000 2021-08-03
1202119 Stack-use-after-return in SkRect::x $6000 2021-08-03
1202609 incorrect range constraint converting {u,}int64_t to double - 2021-08-03
1189092 Security: Steal arbitrary data in Android chrome private directory $5000 2021-08-03
1180510 security: click-to-call across devices has inconsistent escaping & URL validation $3000 2021-08-02
1163228 Security: Missing usrsctp fixes - 2021-07-31
1201537 vp9_encoder_references_fuzzer: Use-of-uninitialized-value in webrtc::FrameValidator::OnEncodedImage - 2021-07-31
1195650 Security: v8 SIGTRAP in optimized code $5000 2021-07-30
1199402 Security: Remote Code Execution? - 2021-07-30
1200231 Crash in v8::internal::compiler::Operator1<v8::internal::Handle<v8::internal::HeapObject> - 2021-07-30
1110036 gstoraster_fuzzer: Use-of-uninitialized-value in parse_dict - 2021-07-29
1107972 gstoraster_fuzzer: Use-of-uninitialized-value in charstring_font_params - 2021-07-29
1157498 gstoraster_fuzzer: Use-of-uninitialized-value in load_truetype_glyph - 2021-07-29
1159499 gstoraster_fuzzer: Use-of-uninitialized-value in gs_scan_token - 2021-07-29
1160913 gstoraster_fuzzer: Use-of-uninitialized-value in charstring_font_params - 2021-07-29
1198895 use-after-poison in blink::ImageDecoderExternal::OnMetadata $7500 2021-07-29
1200184 v8_wasm_compile_fuzzer: Trap in v8::internal::wasm::fuzzer::InterpretAndExecuteModule - 2021-07-29
1201113 Crash in v8::internal::Simulator::LoadStoreHelper - 2021-07-29
1201432 Crash in Builtins_RunMicrotasks - 2021-07-29
1175058 Security: heap-use-after-free using Presentation API - 2021-07-28
1175522 sqlite3_dbfuzz2_fuzzer: Use-of-uninitialized-value in vdbeRecordCompareInt - 2021-07-28
1181276 sqlite3_dbfuzz2_fuzzer: Use-of-uninitialized-value in sqlite3VdbeRecordCompareWithSkip - 2021-07-28
1188889 Security: UAF in PageHandler::Navigate $10000 2021-07-28
1194046 Security: Site isolation break because of double fetch of shared buffer $15000 2021-07-28
1194491 Security: Potential out-of-bound write, origin confusion, permission type confusion in PermissionManager - 2021-07-28
1195308 Security: Integer Overflow leads to heap buffer overflow in the function $20000 2021-07-28
1195686 Security: Heap-use-after-free in constrained_window::CreateWebModalDialogViews $5000 2021-07-28
1195777 Security: Incorrect representation change from Word64 to Word32 $20000 2021-07-28
1196654 CrOS: Vulnerability reported in net-misc/curl - 2021-07-28
1197829 [cros] Device unlocked after resume from sleep - 2021-07-28
1197904 Security: UAF in NavigationPredictor $27000 2021-07-28
1198165 (Chrome & Chromium Browsers) File Download Pop-up Origin Spoof $7500 2021-07-28
1198696 Harden ArrayPrototypePop and ArrayPrototypeShift against typer bugs - 2021-07-28
1199662 v8_wasm_compile_fuzzer: DCHECK failure in 0 == four_lanes & in code-generator-arm.cc - 2021-07-28
1200162 freetype_colrv1_fuzzer: Use-of-uninitialized-value in tt_face_get_paint - 2021-07-28
1172533 Security: Autofill suggestion drop-down can cover browser UI - 2021-07-26
1173297 Security: Autofill dropdown can be made hidden - 2021-07-26
1198611 freetype_colrv1_fuzzer: Crash in tt_face_get_paint - 2021-07-26
1185732 UAF in indexeddb database $5000 2021-07-24
1195579 DCHECK failure in CpuFeatures::IsSupported(*feature) in macro-assembler-shared-ia32-x64.h - 2021-07-24
1025683 Permission Service Use After Free $20000 2021-07-23
1192552 heap-use-after-free : views::HWNDMessageHandler::OnDisplayChange - 2021-07-23
1195333 Security: The Browser Process wrongly handle ACCEPT_BROKER_CLIENT message $15000 2021-07-23
1199526 v8_wasm_compile_fuzzer: Trap in V8_Dcheck - 2021-07-23
1195977 Security: v8 Array.concat IterateElements OOB access leads to RCE $22000 2021-07-22
1197759 Segv on unknown address in HistoryClustersTabHelper::OnOmniboxUrlCopied - 2021-07-22
1197852 Trap in void v8::internal::SharedTurboAssembler::AvxHelper<v8::internal::XMMRegister, v8 - 2021-07-22
1198385 heap-buffer-overflow : metal::`anonymous namespace'::TestShaderNow - 2021-07-22
1198871 Abrt in blink::FontCache::GetLastResortFallbackFont - 2021-07-22
830101 SameSite cookie bypass via redirect $3000 2021-07-21
1166502 Known vulnerability detected in third_party/unrar - 2021-07-21
1175503 Security: same-to-cross-to-same-origin redirects are allowed for dedicated module workers - 2021-07-21
1178032 heap-use-after-free : PermissionBubbleMediaAccessHandler::ProcessQueuedAccessRequest - 2021-07-21
1196683 Security: 2021 pwn2own entry - 2021-07-21
1196803 iframe sandbox escape using incognito intent fallback URLs - 2021-07-21
1197492 Security: Security DCHECK failed: !NeedsLayout() || ChildLayoutBlockedByDisplayLock() in blink::LayoutObject::AssertLaidOut - 2021-07-21
1197839 Chromium: Vulnerability reported in third_party/xstream - 2021-07-21
1072486 Security: udev: root file write -> command execution privilege escalation - 2021-07-20
1161806 potential uaf in webmidi - 2021-07-20
1166012 Heap-buffer-overflow in ash::ScrollableShelfView::ShouldCountActivatedInkDrop - 2021-07-20
1166496 Known vulnerability detected in third_party/unrar - 2021-07-20
1166497 Known vulnerability detected in third_party/unrar - 2021-07-20
1166498 Known vulnerability detected in third_party/unrar - 2021-07-20
1166499 Known vulnerability detected in third_party/unrar - 2021-07-20
1166500 Known vulnerability detected in third_party/unrar - 2021-07-20
1166501 Known vulnerability detected in third_party/unrar - 2021-07-20
1181688 Security: UAF in Ozone Clipboard $20000 2021-07-20
1184294 Security: xdgmime missing security-relevant commits - 2021-07-20
1190525 Heap-buffer-overflow in SkScalerContext_FreeType_Base::generateGlyphImage - 2021-07-20
1197393 Stack-buffer-overflow in void v8::internal::compiler::VisitBinop<v8::internal::compiler::BinopMatcher<v8: - 2021-07-20
448539 Autofill should not fill hidden fields - 2021-07-19
1197819 Bad-cast to int (const char *, void *) in xdg_run_command_on_dirs - 2021-07-19
1197910 Heap-use-after-free in ash::TrayBubbleView::~TrayBubbleView - 2021-07-19
1195552 Crash in v8::internal::Isolate::embedded_blob_code - 2021-07-16
1195615 Crash in blink::HTMLPopupElement::hide - 2021-07-16
1168541 Security: cryptohome chronos-access chgrp - 2021-07-15
1168549 Security: Cryptohome chown chronos - 2021-07-15
1190519 Heap-buffer-overflow in rx::vk::ImageViewHelper::getLevelLayerDrawImageView - 2021-07-15
1193739 heap-use-after-free : media::MojoVideoDecoder::OnVideoFrameDecoded - 2021-07-15
1194358 Security: OOB in v8 $15000 2021-07-15
1195356 Trap in void v8::internal::SharedTurboAssembler::AvxHelper<v8::internal::XMMRegister, v8 - 2021-07-15
1157030 CrOS: Vulnerability reported in app-text/poppler - 2021-07-14
1165654 Security: 30x Redirect On Reload Can Navigate to Unsafe URLs / Cause Spoofing Issues - 2021-07-14
1195370 Trap in v8::internal::Handle<v8::internal::JSFunctionOrBoundFunction> const v8::internal - 2021-07-14
1196503 Crash in v8::base::Relaxed_Load - 2021-07-14
1184929 v8_wasm_async_fuzzer: DCHECK failure in min_block == BasicBlock::GetCommonDominator(block, min_block) in scheduler.cc - 2021-07-13
1194417 Security: PermissionControllerImpl::UnsubscribePermissionStatusChange UAF - 2021-07-13
1195343 CrOS: Vulnerability reported in dev-libs/openssl - 2021-07-13
1193327 freetype_colrv1_fuzzer: Heap-buffer-overflow in tt_face_get_paint - 2021-07-11
1189926 Aww snap crash when editing canvas text $1000 2021-07-10
1191389 dawn_wire_server_and_vulkan_backend_fuzzer: Crash in dawn_native::ValidateImageCopyTexture - 2021-07-10
1192574 Security: 30x to data URI aren't blocked on iOS - 2021-07-10
1192789 Security: upgrade to openssl 1.1.1k. - 2021-07-10
1156531 Security: IDN Spoofing - 2021-07-09
1175992 Security: Heap-buffer-overflow in TabStripModel::IsTabPinned $10000 2021-07-08
1184399 Security: Legacy ipc::Message passed via shared memory. - 2021-07-08
1190462 CrOS: Vulnerability reported in net-libs/gnutls - 2021-07-08
1192054 Security: heap-use-after-free in blink::InvalidatableInterpolation::MaybeConvertPairwise $5000 2021-07-08
1192313 v8_wasm_compile_fuzzer: Negative-size-param in v8::internal::wasm::WasmFullDecoder< - 2021-07-08
1193257 webcodecs_audio_decoder_fuzzer: Bad-cast to media::MediaLog from invalid vptr in media::LogHelper::~LogHelper - 2021-07-08
1194784 v8_wasm_code_fuzzer: DCHECK failure in this->ok() in function-body-decoder-impl.h - 2021-07-08
1194669 Trap in v8::internal::FunctionLiteral::GetDebugName - 2021-07-08
1161379 kCanvasReadback is used for two fingerprint surfaces - 2021-07-07
1161847 Trap in Builtins_InterpreterEntryTrampoline - 2021-07-07
1173903 Security: container-overflow in TabStrip - 2021-07-07
1181228 Security: UAF in DesktopCapture $20000 2021-07-07
1182647 Security: Use after free in V8 $15000 2021-07-07
1185463 DCHECK failure in PropertyConstness::kMutable == old_descriptors_->GetDetails(modified_descriptor_ - 2021-07-07
1185482 Security: use-after-free in WindowTreeHostPlatform::OnBoundsChanged $1000 2021-07-07
1186641 Security: heap-use-after-free in Blink $7500 2021-07-07
1192311 Use-after-poison in blink::AXObjectCacheImpl::Dispose - 2021-07-07
1193098 gpu_raster_swiftshader_fuzzer: Use-of-uninitialized-value in cc::ServiceImageTransferCacheEntry::Deserialize - 2021-07-07
1193209 pdf_codec_jbig2_fuzzer: Stack-use-after-scope in fxcrt::UnownedPtr<std::__Cr::list<std::__Cr::pair<std::__Cr::pair<unsigned int, - 2021-07-07
1193493 CHECK failure: !available->IsEmpty() in macro-assembler-arm64.cc - 2021-07-07
1193728 CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (IsDereferenceAllowed()) in handles.h - 2021-07-07
1194316 DCHECK failure in this->ok() in function-body-decoder-impl.h - 2021-07-07
1177419 Use-after-poison in blink::HTMLSlotElement::DetachLayoutTree [LayoutNG only] - 2021-07-06
1187210 sqlite3_dbfuzz2_fuzzer: Use-of-uninitialized-value in vdbeRecordCompareInt - 2021-07-06
1169049 Security: ARM GPU driver vulnerabilities - 2021-07-05
1192926 Use-of-uninitialized-value in mojo::core::ChannelPosix::WriteNoLock - 2021-07-05
1193116 Use-after-poison in blink::HTMLSlotElement::DetachLayoutTree - 2021-07-04
1193210 Heap-use-after-free in blink::AXLayoutObject::GetDocument - 2021-07-04
1188407 Security: ChromeOS: missing path restriction in arc-obb-mounter - 2021-07-03
1189576 crash in VideoFrame $2000 2021-07-03
1190554 Use-of-uninitialized-value in media::MediaMetricsProvider::~MediaMetricsProvider - 2021-07-03
1191853 v8_wasm_async_fuzzer: DCHECK failure in function->has_prototype_slot() in js-function.cc - 2021-07-03
1192418 Segv on unknown address in blink::Node::parentNode - 2021-07-03
1192456 Use-of-uninitialized-value in blink::AXLayoutObject::CanHaveChildren - 2021-07-03
1192569 Heap-use-after-free in blink::AXLayoutObject::GetDocument - 2021-07-03
1190290 v8_inspector_fuzzer: DCHECK failure in has_exception == isolate->has_pending_exception() in execution.cc - 2021-06-30
1106907 uaf in WebRTC_Network $5000 2021-06-29
1176510 Use-of-uninitialized-value in GURL::SchemeIs - 2021-06-29
1189890 Heap-buffer-overflow in v8::internal::Simulator::LoadStoreHelper - 2021-06-29
1184562 Security: NAT Slipstreaming via RTSP(TCP/554) allows attacker to access local udp ports $3000 2021-06-27
1185611 Heap-use-after-free in libvk_swiftshader.dylib $6000 2021-06-27
1187217 Security DCHECK failure: IsTextControl(node) in text_control_element.h - 2021-06-27
1187896 v8_wasm_code_fuzzer: DCHECK failure in !unreachable implies stack_height >= c->end_label->target_stack_height in wasm-i - 2021-06-27
1190077 Container-overflow in views::View::Layout - 2021-06-27
1000248 Using the CSS Layout API and contenteditable causes the page to crash $5000 2021-06-24
1100748 Security: Possible for extensions to access chrome.cloudPrintPrivate API $1000 2021-06-24
1115045 CSP frame-src bypass using: window.open + javascript-url + about:srcdoc + doubly-nested-iframe. $3000 2021-06-24
1116869 Security: heap-buffer-overflow in "SkiaState::AdjustClip" function $5000 2021-06-24
1145024 Security&UI: WPA2-Enterprise/EAP WiFi Connection "Default" UI Discrepancy $500 2021-06-24
1161891 Security: Reloading iframes with data: src causes partial CSP bypass $500 2021-06-24
1166091 Security: Use of conditionally uninitialised stack variable may leak stack state $500 2021-06-24
1166462 Security: Use of conditionally uninitialised stack variable may leak stack state $500 2021-06-24
1166478 Security: Use of conditionally uninitialised stack variable may leak stack state $500 2021-06-24
1166972 Security: Use of conditionally uninitialised stack variable may leak stack state $500 2021-06-24
1167507 Security: Offline view bypasses Content-Security-Policy of the original page $3000 2021-06-24
1167629 Security: Context menu "Open" on a javascript: link bypasses Content-Security-Policy $1000 2021-06-24
1180588 Memcpy-param-overlap in mojo::core::Channel::Message::ExtendPayload - 2021-06-24
1182767 Security: Amended fix for Side-channel attack against Autofill Preview $5000 2021-06-24
1184037 Container-overflow in blink::LocalFrameView::PushPaintArtifactToCompositor - 2021-06-24
1184147 Security: Incorrect Security UI in payment $500 2021-06-24
1185735 [spark-plug]SharedFunctionInfo pending execption error which can lead to RCE - 2021-06-24
1188868 DCHECK failure in 0 == result in mutex.cc - 2021-06-24
1189396 CHECK failure: all.IsLive(use) && (use->opcode() == IrOpcode::kIfTrue || use->opcode() == IrOpc - 2021-06-24
1189467 Use-of-uninitialized-value in v8::internal::compiler::Schedule::block - 2021-06-24
1146813 Crash in v8::internal::Builtins::builtin_handle - 2021-06-23
1166138 Security: Debug check failed: kMinCPOffset <= by (-32768 vs. -65536). $5000 2021-06-23
1187203 Security: SandboxedUnpacker unsafe use of shared memory. - 2021-06-23
1187403 Heap-use-after-free in CurrentTabDesktopMediaList::Refresh $15000 2021-06-23
1187826 CrOS: Vulnerability reported in media-libs/tiff - 2021-06-23
1187836 v8_wasm_compile_fuzzer: DCHECK failure in is_gp() in liftoff-register.h - 2021-06-23
1188483 DCHECK failure in invalidated_object.map().IsMap() in invalidated-slots-inl.h - 2021-06-23
1188974 DCHECK failure in !is_linked() in label.h - 2021-06-23
1186603 v8_wasm_async_fuzzer: Use-after-poison in v8::internal::wasm::WasmFullDecoder< - 2021-06-22
1167357 potential uaf in rtc_peer_connection $500 2021-06-18
1179915 heap-use-after-free : ui::EventTarget::RemovePreTargetHandler - 2021-06-18
1181387 Security: container-overflow in TabGroups - 2021-06-18
1182109 Security: dPWAs can change their icons after installation - 2021-06-18
1187170 DCHECK failure in IsPrimitiveMap() in map-inl.h - 2021-06-18
1177674 Security: Site Isolation bypass after BrowsingInstance state deleted - 2021-06-17
1185829 v8_wasm_compile_fuzzer: DCHECK failure in source.stack_height() == target.stack_height() in liftoff-assembler.cc - 2021-06-17
1186802 v8_wasm_compile_fuzzer: DCHECK failure in sig->return_count() <= cache_state_.stack_height() in liftoff-assembler.cc - 2021-06-17
1040988 media_pipeline_integration_fuzzer: Use-of-uninitialized-value in decode_residuals - 2021-06-16
1152226 Leaking the URL of any cross-origin redirect through AppCache's network section $5000 2021-06-16
1152334 Security: UAF in PaymentResponseHelper::GeneratePaymentResponse $15000 2021-06-16
1174493 CrOS: Vulnerability reported in dev-python/jinja - 2021-06-16
1185512 cups_ipp_t_fuzzer: Heap-buffer-overflow in ippAddDate - 2021-06-16
1185999 v8_wasm_code_fuzzer: DCHECK failure in (cond) != nullptr in wasm-compiler.cc - 2021-06-16
916326 CSP bypass via wrong inheritance - 2021-06-15
1097480 CrOS: Vulnerability reported in dev-libs/libpcre - 2021-06-15
1146651 X-Frame-Options console error leaks cross-origin redirect information to a cross-site renderer process - 2021-06-15
1161144 Security: UAF in Bookmark OpenAll $10000 2021-06-15
1173879 Security: Autofill preview suggestion value can be made to persist - 2021-06-15
1175507 Security: heap-use-after-free in TabSearchPageHandler::CloseTab - 2021-06-15
1175975 WebCodecs VideoFrame allows tainting bypass for ImageBitmaps. - 2021-06-15
1181131 CrOS: Multiple vulnerabilities in dev-libs/openssl - 2021-06-15
1182571 v8_wasm_compile_fuzzer: DCHECK failure in IsSimd128Register() in instruction.h - 2021-06-15
1183026 v8_wasm_async_fuzzer: DCHECK failure in function->has_prototype_slot() in js-function.cc - 2021-06-15
1184182 Heap-use-after-free in aura::Window::~Window - 2021-06-15
1184928 DCHECK failure in stack_capacity_end_ > stack_end_ in function-body-decoder-impl.h - 2021-06-15
1184964 DCHECK failure in !cache_state_.stack_state.empty() in liftoff-assembler.cc - 2021-06-15
1184966 CHECK failure: Node::New() Error: #743:Phi[0] is nullptr in node.cc - 2021-06-15
1184991 DCHECK failure in (val.node) != nullptr in graph-builder-interface.cc - 2021-06-15
1185072 DCHECK failure in (location_) != nullptr in handles.cc - 2021-06-15
1185322 DCHECK failure in kBottom != kind in value-type.h - 2021-06-15
1185579 CHECK failure: Node::New() Error: #287:Float32LessThanOrEqual[1] is nullptr in node.cc - 2021-06-15
1178181 cups_ipp_t_fuzzer: Crash in create_item - 2021-06-12
583058 Security: root->kernel scribble in cros_ec_dev:ec_device_ioctl_xcmd on 32bit $5000 2021-06-11
957606 Security: CSP restrictions aren't applied when navigating a frame to about:blank $7500 2021-06-11
971231 Chrome Content security Policy bypass $1000 2021-06-11
1075734 Security: Side-channel attack against Autofill Preview that can steal user's data (e.g., credit card number). $500 2021-06-11
1115298 Full CSP bypass by opening a blob URL in a new tab and reloading it with history.back $3000 2021-06-11
1115628 Security: Full CSP bypass through blob: URIs $5000 2021-06-11
1117687 Security: Full CSP bypass through filesystem URIs $5000 2021-06-11
1154250 Security: determining size of CORB/CORP'd cross-origin responses $500 2021-06-11
1155302 Security: UaF in V4L2VideoEncodeAccelerator - 2021-06-11
1158010 Security: Referrer Header Spoofing Vulnerability via <base> tags $500 2021-06-11
1170584 UI/URL Spoofing by putting the page into fullscreen when a user opens the emoji dialog $1000 2021-06-11
1174943 uaf in DestroyURLLoader(network::cors::CorsURLLoaderFactory) $15000 2021-06-11
1175436 uaf in CrossOriginEmbedderPolicyReporter(browser) $15000 2021-06-11
1178165 cups_ipp_t_fuzzer: Heap-buffer-overflow in ippAddDate - 2021-06-11
1181701 CrOS: Vulnerability reported in dev-libs/glib - 2021-06-11
1183192 Use-of-uninitialized-value in blink::LayoutGrid::FirstLineBoxBaseline - 2021-06-11
1184441 Racy UAF when handling usrsctp notification on timer thread - 2021-06-11
1173311 Security: Backport futex fix to older kernels - 2021-06-09
1181673 noopener not applied to popups opened from a cross origin iframe in a cross-origin-isolated environment - 2021-06-09
1181684 v8_wasm_fuzzer: Segv on unknown address in v8::base::Memcpy - 2021-06-09
1183122 Heap-use-after-free in blink::GridLayoutUtils::FlowAwareDirectionForChild - 2021-06-09
1181676 Security: UAF in ClipboardHistory $20000 2021-06-08
1182572 Heap-buffer-overflow in mojo::core::Channel::Message::ExtendPayload - 2021-06-05
1013133 CHECK failure: API call returned invalid object in api-arguments-inl.h - 2021-06-04
1181310 Container-overflow in blink::LocalVideoCapturerSource::OnLog - 2021-06-04
1181125 Container-overflow in blink::LocalVideoCapturerSource::OnLog - 2021-06-04
1181599 sanitizer_api_fuzzer: Security DCHECK failure: IsA<Derived>(from) in casting.h - 2021-06-04
996770 Security: [xfa] pdfium SEGV on RelocateTableRowCells $5000 2021-06-02
1180435 Crash in v8::internal::Simulator::DecodeType2 - 2021-06-01
1180871 Heap-use-after-free in storage::DataPipeTransportStrategy::OnDataPipeReadable - 2021-06-01
1180129 v8_wasm_compile_fuzzer: Use-after-poison in v8::internal::compiler::LiveRangeBuilder::ComputeLiveOut - 2021-05-30
1180563 Use-of-uninitialized-value in v8::internal::JSDateTimeFormat::New - 2021-05-30
1180579 v8_wasm_compile_fuzzer: Use-after-poison in v8::internal::compiler::LiveRangeBuilder::ComputeLiveOut - 2021-05-30
1177623 Use-of-uninitialized-value in v8::internal::JSDateTimeFormat::New - 2021-05-29
1177812 Use-of-uninitialized-value in v8::internal::JSDateTimeFormat::New - 2021-05-29
1180181 v8_wasm_fuzzer: Segv on unknown address in v8::internal::Simulator::LoadStoreHelper - 2021-05-29
1180157 tint_spv_reader_wgsl_writer_fuzzer: Use-of-uninitialized-value in tint::ValidatorImpl::Validate - 2021-05-29
1159255 cras_rclient_message_fuzzer: Crash in cras_system_state_stream_added - 2021-05-28
1160414 heapoverflow in web gpu $5000 2021-05-28
1179120 Known vulnerability detected in third_party/harfbuzz-ng - 2021-05-28
1179118 Known vulnerability detected in third_party/harfbuzz-ng - 2021-05-28
1179182 v8_wasm_fuzzer: Segv on unknown address in v8::base::Memcpy - 2021-05-28
1179292 Heap-buffer-overflow in base::internal::VectorBuffer<char>::RangesOverlap - 2021-05-28
1179545 v8_wasm_compile_fuzzer: Stack-use-after-scope in v8::internal::wasm::fuzzer::WasmGenerator::BlockScope::BlockScope - 2021-05-28
1179595 [sparkplug]baseline optimize function PrologueFillFrame register_count can be 0 .which can lead to code execution $5000 2021-05-28
1179677 Heap-use-after-free in base::ScopedMultiSourceObservation<aura::WindowTreeHost, aura::WindowTreeHostObs - 2021-05-28
1179948 wayland_fuzzer: Heap-use-after-free in decltype - 2021-05-28
1144074 Heap-use-after-free in EGL_DestroyContext - 2021-05-27
1160218 dawn_spirv_cross_glsl_fast_fuzzer: Crash in spirv_cross::CompilerGLSL::to_array_size_literal - 2021-05-27
1160258 crash in gpu::gles2::GLES2Implementation::ReadPixels $5000 2021-05-27
1176728 Security: Does eigen3 need updating? - 2021-05-27
1178219 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2021-05-27
1179336 Heap-buffer-overflow in base::circular_deque<char>::MoveBuffer - 2021-05-27
1143526 Security: leak cross-site response size - countermeasure bypass $3000 2021-05-26
1168544 Security: crash-reporter chmod 660 - 2021-05-26
1171049 Security: container-overflow in TabStrip::SetSelection $10000 2021-05-26
1174373 UAP in MojoWatcher::OnHandleReady $2000 2021-05-26
1177593 heap-buffer-overflow : blink::H264Encoder::EncodeOnEncodingTaskRunner - 2021-05-26
1178008 dawn_spirv_cross_glsl_fast_fuzzer: Use-of-uninitialized-value in spirv_cross::Compiler::CombinedImageSamplerUsageHandler::add_dependency - 2021-05-26
1178136 Chromium: Vulnerability reported in third_party/libzip - 2021-05-26
1179025 DCHECK failure in !pinned.has(reg) in liftoff-assembler.h - 2021-05-26
1172054 UaF in WebRTC P2PSocketManagerProxy::CreateSocket $5000 2021-05-25
1174626 datapath_fuzzer: Use-of-uninitialized-value in patchpanel::IPv6AddressToString - 2021-05-25
1178224 Bad-cast to blink::LayoutTableSection from blink::LayoutNGTableSection in blink::LayoutTable::AddChild - 2021-05-25
1178263 Heap-buffer-overflow in blink::LayoutTable::AddColumn $6000 2021-05-25
1128895 CHECK failure: IsValidHeapObject(heap_, heap_object) in heap.cc - 2021-05-24
1178455 Test report from guest gmail account - 2021-05-24
1176909 Heap-use-after-free in blink::DisplayItemClient::IsJustCreated - 2021-05-23
1177273 Heap-use-after-free in blink::PaintLayer::RemoveAncestorScrollContainerLayer - 2021-05-23
1178142 Crash in blink::LayoutTable::AddCaption - 2021-05-23
1178074 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2021-05-23
1111646 Security: Possible to spoof URL after renderer crash $3000 2021-05-22
1174186 CSS 3D transform intersection glitch in Chrome / Windows $500 2021-05-22
1177684 Use-of-uninitialized-value in blink::LayoutTable::AddCaption - 2021-05-22
1177832 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2021-05-22
1178007 Crash in blink::LayoutObjectChildList::RemoveChildNode - 2021-05-22
1174582 Security: ScriptProcessorNode allows write of Float32Array across threads - 2021-05-21
1176606 Heap-use-after-free in ash::NotificationCounterView::~NotificationCounterView - 2021-05-21
1177341 Security: Insufficient fix for CVE-2021-21148 - 2021-05-21
1155819 gpu_raster_swiftshader_fuzzer: Bad-cast to llvm::cl::Option from llvm::cl::opt<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, false, llvm::cl::parser<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > in llvm::cl::applicator<llvm::cl::FormattingFlags>::opt - 2021-05-20
1176557 dawn_spirv_cross_glsl_fast_fuzzer: Use-of-uninitialized-value in spirv_cross::Compiler::CombinedImageSamplerUsageHandler::add_dependency - 2021-05-20
1177070 Crash in v8::internal::interpreter::BytecodeArrayAccessor::Advance - 2021-05-20
1170531 Talos Security Advisory for Google Chrome browser (TALOS-2021-1235) $7500 2021-05-19
1170776 Security: V8 Incorrect array bounds calculation - 2021-05-19
1176318 DCHECK failure in CanTransitionTo(new_details, *new_value) in property-cell-inl.h - 2021-05-19
1035260 libyuv_scale_fuzzer: Heap-buffer-overflow in InterpolateRow_Any_SSSE3 - 2021-05-18
1172819 Heap-buffer-overflow in blink::NGTableLayoutAlgorithm::Layout - 2021-05-18
1175222 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2021-05-18
1175500 Security: Heap-buffer-overflow in TabStripModel::GroupTab (Windows-only) $7500 2021-05-18
1174551 Heap-buffer-overflow in unsigned int v8::internal::StringHasher::HashSequentialString<char> - 2021-05-17
1174900 dawn_spirv_cross_glsl_fast_fuzzer: Use-of-uninitialized-value in spirv_cross::Compiler::CombinedImageSamplerUsageHandler::add_dependency - 2021-05-17
1165724 CrOS: Vulnerability reported in sys-libs/e2fsprogs-libs - 2021-05-15
1168545 Security: Arbitrary code execution in ghostscript - 2021-05-15
1168555 Security: android-root persistence - 2021-05-14
1173269 Security: heap-buffer-overflow in TabStripModel - 2021-05-14
1173702 Security: Heap buffer overflow in Tab Groups $7500 2021-05-14
1174641 ANGLE: Out-of-bounds read for emulated compressed texture formats in 3D textures - 2021-05-14
1166932 Security: ChromeOS root privilege escalation and android-root persistence $45000 2021-05-13
1173925 Use-of-uninitialized-value in blink::PaintPropertyTreeBuilder::UpdateForSelf - 2021-05-13
1160459 AddressSanitizer: access-violation on unknown address 0x000000000000 - 2021-05-12
1170826 Third party apps and web pages can switch Chrome tabs - 2021-05-12
1171785 Heap-use-after-free in blink::LocalFrameView::PerformPreLayoutTasks - 2021-05-12
1172192 Security: UAF in Drag and Drop Download $20000 2021-05-12
1098582 Security: allow-top-navigation-by-user-activation bypasses via message event listeners on iOS $5000 2021-05-11
1164655 dawn_wire_server_and_vulkan_backend_fuzzer: Crash in vk::DescriptorSetLayout::DescriptorSetLayout - 2021-05-11
1168552 Security: host root file write - 2021-05-11
1171954 DCHECK failure in other->values_[index] != builder()->jsgraph()->OptimizedOutConstant() in bytecod - 2021-05-11
1172121 v8_inspector_fuzzer: DCHECK failure in host_import_module_dynamically_callback_ != nullptr == host_import_module_dynami - 2021-05-11
1172591 Heap-use-after-free in views::ColorChooser::OnViewClosing - 2021-05-11
1172687 Use-of-uninitialized-value in blink::LayoutObject::SetNeedsOverflowRecalc - 2021-05-11
1172885 dawn_spirv_cross_glsl_fast_fuzzer: Use-of-uninitialized-value in spirv_cross::Compiler::CombinedImageSamplerUsageHandler::add_dependency - 2021-05-11
1172912 v8_wasm_code_fuzzer: Heap-buffer-overflow in v8::internal::wasm::LiftoffAssembler::MergeFullStackWith - 2021-05-11
1171846 v8_multi_return_fuzzer: DCHECK failure in saved_fpregisters[i] == dreg_bits(PopLowestIndexAsCode(&fpregister_list)) in sim - 2021-05-10
1171759 v8_multi_return_fuzzer: DCHECK failure in stack_decrement == kSystemPointerSize in code-generator-arm.cc - 2021-05-09
1171956 dawn_spirv_cross_glsl_fast_fuzzer: Use-of-uninitialized-value in spirv_cross::Compiler::CombinedImageSamplerUsageHandler::add_dependency - 2021-05-08
1172117 Bad-cast to blink::LayoutTableCol from blink::LayoutNGTableColumn in blink::HTMLTableColElement::ParseAttribute - 2021-05-08
1172118 Heap-buffer-overflow in blink::NGTablePainter::PaintBoxDecorationBackground - 2021-05-08
1094642 gstoraster_fuzzer: Segv on unknown address in s_DCTD_process - 2021-05-06
1160665 Requests for script sent even when main document is text/plain $500 2021-05-06
1161759 DCHECK failure in 0 == Heap::GetFillToAlign(obj->address(), HeapObject::RequiredAlignment(*map)) i - 2021-05-06
1166504 heap bufferoverflow in VideoFrameYUVConverter $5000 2021-05-06
1170657 use after poison in DOMWebSocket $5000 2021-05-06
1170933 garcon_ini_parse_util_fuzzer: Heap-buffer-overflow in vm_tools::garcon::ExtractKeyLocale - 2021-05-06
1171195 DCHECK failure in scope_data_->ReadUint32() == static_cast<uint32_t>(name->length()) in preparse-d - 2021-05-06
1171327 Security: Sudo vulnerability - 2021-05-06
1171600 DCHECK failure in expr->scope()->outer_scope() == current_scope() in bytecode-generator.cc - 2021-05-06
1171441 tint_spv_reader_hlsl_writer_fuzzer: Heap-use-after-free in tint::fuzzers::CommonFuzzer::Run - 2021-05-06
1158376 Security: Browser process heap-use-after-free in the portal element $15000 2021-05-05
1169317 Security: UaF in payments::SecurePaymentConfirmationAppFactory $20000 2021-05-05
1170615 garcon_ini_parse_util_fuzzer: Use-of-uninitialized-value in vm_tools::garcon::ExtractKeyLocale - 2021-05-05
1170990 CHECK failure: serialized_prototype_ in js-heap-broker.cc - 2021-05-05
1165624 Security: UaF in chrome!payments::PaymentRequestSheetController::UpdateHeaderView $15000 2021-05-04
1170112 tint_spv_reader_wgsl_writer_fuzzer: Heap-use-after-free in tint::fuzzers::CommonFuzzer::Run - 2021-05-04
1168116 v8_wasm_async_fuzzer.exe: Null-dereference in v8::base::Thread::Start - 2021-05-02
1155974 Security: WebGL Shader Stack Exhaustion leading to PC control in llvmpipe $1000 2021-05-01
1168550 Security: mediadrm command injection - 2021-05-01
1156170 Security: Oilpan: Use After Poision in IsInConstruction<>() with chrome/xfa - 2021-04-30
1161739 Security: UAP in animate - 2021-04-30
1167337 tint_spv_reader_spv_writer_fuzzer: Segv on unknown address in tint::fuzzers::CommonFuzzer::Run - 2021-04-30
1167759 tint_spv_reader_msl_writer_fuzzer.exe: Heap-use-after-free in tint::fuzzers::CommonFuzzer::Run - 2021-04-30
1168408 tint_spv_reader_wgsl_writer_fuzzer: Heap-use-after-free in tint::fuzzers::CommonFuzzer::Run - 2021-04-30
1168725 tint_spv_reader_spv_writer_fuzzer: Heap-use-after-free in tint::fuzzers::CommonFuzzer::Run - 2021-04-30
1138542 gstoraster_fuzzer: Heap-buffer-overflow in mem_mapped4_copy_mono - 2021-04-29
1155426 Security: UAF in MediaStreamCapture $20000 2021-04-29
1162942 Security: website is able to draw over protected UI elements (URL, padlock, tab list, titlebar) using 3D CSS transforms $5000 2021-04-29
1167242 dawn_spirv_cross_glsl_fast_fuzzer: Use-of-uninitialized-value in spirv_cross::Compiler::CombinedImageSamplerUsageHandler::add_dependency - 2021-04-29
1166549 v8_inspector_fuzzer: DCHECK failure in isolate->has_pending_exception() != result in bootstrapper.cc - 2021-04-29
1167277 Lacros 3D Canvas can leak outside of iFrame - 2021-04-29
1167918 DCHECK failure in HasRemainingBytes(kUint8Size) in preparse-data-impl.h - 2021-04-29
1167981 CHECK failure: Bytecode mismatch at offset 2 in interpreter.cc - 2021-04-29
1167988 DCHECK failure in expr->scope()->outer_scope() == current_scope() in bytecode-generator.cc - 2021-04-29
1168055 CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (IsJSReceiver()) in js-objects-inl.h - 2021-04-29
1169077 tint_spv_reader_hlsl_writer_fuzzer.exe: Heap-use-after-free in tint::fuzzers::CommonFuzzer::Run - 2021-04-29
1167709 DCHECK failure in !done() in state-values-utils.cc - 2021-04-27
1161705 Security: heap-user-after-free in SearchTabHelper::DidStartNavigation - 2021-04-26
1167505 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2021-04-26
1167430 Heap-use-after-free in content::RenderWidgetHostViewAura::ForwardKeyboardEventWithLatencyInfo - 2021-04-25
1138143 segmentation fault in mojom::clipboard $20000 2021-04-24
1154965 use after poison in blink::TimerBase::RunInternal $7500 2021-04-24
1163504 Security: heap-buffer-overflow in extension $10000 2021-04-24
1163845 Security: HeapOverflow in TabStripModel $10000 2021-04-24
1158381 Security: Bypass iframe security policy in the portal element $500 2021-04-23
1159377 CrOS: Vulnerability reported in net-misc/curl - 2021-04-23
1162123 heap-use-after-free : web_app::WebAppMetrics::~WebAppMetrics - 2021-04-23
1165966 v8_wasm_compile_fuzzer: DCHECK failure in IsSimd128Register() in instruction.h - 2021-04-23
1166354 Use-of-uninitialized-value in v8::internal::RootScavengeVisitor::VisitRootPointers - 2021-04-22
1160952 dawn_spirv_cross_glsl_fast_fuzzer: Use-of-uninitialized-value in spirv_cross::Compiler::CombinedImageSamplerUsageHandler::add_dependency - 2021-04-21
1162303 Security: ChromeOS chronos privilege escalation to root $30000 2021-04-21
1164055 Security: Blink web_test fonts unowned - 2021-04-21
1164816 Security: chrome://settings ImportData out-of-bounds READ - 2021-04-21
1152894 Security: WebView and Chromium based browser Omnibar Spoofing with Race Condition $3000 2021-04-19
1163184 DCHECK failure in !code.marked_for_deoptimization() in compiler.cc - 2021-04-19
1161654 v8_wasm_fuzzer: DCHECK failure in has(reg.low()) == has(reg.high()) in liftoff-register.h - 2021-04-17
1164158 Security: PDFIum (XFA) Heap Overflow in RelocateTableRowCells $5000 2021-04-17
1164187 Heap-use-after-free in ash::tray::TimeTrayItemView::~TimeTrayItemView - 2021-04-17
1164326 wayland_fuzzer: Heap-use-after-free in decltype - 2021-04-17
1157818 performance API reveals information about redirects (XS-Leak) - 2021-04-16
1160448 uaf in webgpu - 2021-04-16
1162131 Security: heap-use-after-free in IsBox $5000 2021-04-16
1163122 Security: /run/arc/host_generated allows chronos to configure any Android system properties - 2021-04-16
1163882 Chromium: Vulnerability reported in third_party/binutils - 2021-04-16
1147416 uaf in dawn_wire::server::Server::OnBufferMapAsyncCallback(--enable-unsafe-webgpu) - 2021-04-15
1160602 Security: Use After Free in WebSQL $5000 2021-04-15
1161357 Security: Debug check failed: code == topmost_ implies safe_to_deopt_ $16000 2021-04-15
1161943 dawn_wire_server_and_frontend_fuzzer: Heap-use-after-free in void dawn_wire::ChunkedCommandSerializer::SerializeCommandImpl<dawn_wire::Return - 2021-04-15
1162156 dawn_wire_server_and_frontend_fuzzer: Heap-use-after-free in dawn_wire::server::KnownObjects<WGPUBufferImpl*>::Get - 2021-04-15
1162198 heap-use-after-free : mojo::core::NodeController::DropPeer - 2021-04-15
1156904 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2021-04-14
1157743 Security: spoof download on any websites $500 2021-04-14
1162036 UAF in MediaStreamTrackProcessor $5000 2021-04-14
1162834 Heap-use-after-free in blink::ShadowList::CreateDrawLooper - 2021-04-14
1161954 v8_wasm_compile_fuzzer: DCHECK failure in IsSimd128Register() in instruction.h - 2021-04-13
1162400 v8_wasm_compile_fuzzer: Crash in Builtins_JSEntryTrampoline - 2021-04-13
1150012 gstoraster_fuzzer: Use-of-uninitialized-value in gs_scan_token - 2021-04-10
1062941 libyuv_scale_fuzzer: Heap-buffer-overflow in ScaleFilterCols_16_C - 2021-04-07
1161048 Upgrade SQLite to 3.34.0 - 2021-04-07
1160225 CrOS: Vulnerability reported in dev-util/glib-utils - 2021-04-06
1160224 CrOS: Vulnerability reported in dev-libs/glib - 2021-04-05
1151727 spvtools_opt_size_fuzzer: Heap-buffer-overflow in spvtools::opt::analysis::IntConstant::GetU64BitValue - 2021-04-02
1159663 uaf in media::learning::MojoLearningTaskControllerService::PredictDistribution $15000 2021-04-01
1128206 Security: Possible for extension to escape sandbox via devtools_page and intentionally crashed renderer $10000 2021-03-30
1131346 Potential UAF in Speech Recognizer - 2021-03-30
1099985 Heap-use-after-free for desks widget in bool ui::PropertyHandler::GetProperty<bool> - 2021-03-29
1153993 Security: Skia etc1 missing an uninitialized data fix - 2021-03-29
1158266 uaf in use-after-poison in blink::CanvasResourceHost::InitializeForRecording(canvas_resource_host.cc) $500 2021-03-29
1137607 dawn_spirv_cross_glsl_fast_fuzzer: Use-of-uninitialized-value in spirv_cross::Compiler::CombinedImageSamplerUsageHandler::add_dependency - 2021-03-28
1159267 Security: URL bar spoofing in Payments API $500 2021-03-27
1160286 Use-of-uninitialized-value in base::BasicStringPiece<std::__1::basic_string<char, std::__1::char_traits<char>, - 2021-03-27
1155876 cgpt_fuzzer: Use-of-uninitialized-value in Crc32 - 2021-03-26
1159763 CrOS: Vulnerability reported in net-misc/curl - 2021-03-26
1137247 Security: Spoofing download filename extension in 86 chrome - showSaveFilePicker $1000 2021-03-25
1159164 Use-of-uninitialized-value in v8::internal::PerfJitLogger::LogWriteDebugInfo - 2021-03-25
1159679 dawn_spirv_cross_glsl_fast_fuzzer: Crash in spirv_cross::CompilerGLSL::to_array_size_literal - 2021-03-25
1152645 Security: Race condition on destruction of GpuMemoryBufferFactoryNativePixmap may cause use after free - 2021-03-24
1157800 Incomplete fix for auth dialog spoof in iOS $500 2021-03-24
1157814 Security: UAF in PasswordProtectionRequest $20000 2021-03-24
1158774 ots_fuzzer: Use-of-uninitialized-value in ots::OpenTypeGLYF::ParseSimpleGlyph - 2021-03-24
1157790 Security: Out of Bounds in V8 $1000 2021-03-23
1157799 CrOS: Vulnerability reported in dev-libs/openssl - 2021-03-23
1157994 DCHECK failure in !SharedStringAccessGuardIfNeeded::IsNeeded(*this) in string-inl.h - 2021-03-22
1158071 Bad-cast to mojo::InterfaceEndpointClient from content::RenderFrameImpl in mojo::internal::AssociatedInterfacePtrStateBase::~AssociatedInterfacePtrStateBas - 2021-03-21
1153516 Heap-buffer-overflow in SkAnalyticEdge::setLine $6000 2021-03-19
1154468 use after poison in content::InspectorMediaEventHandler::SendQueuedMediaEvents $5000 2021-03-19
1155854 CrOS: Vulnerability reported in net-fs/samba - 2021-03-19
1156431 v8_multi_return_fuzzer: DCHECK failure in saved_fpregisters[i] == dreg_bits(PopLowestIndexAsCode(&fpregister_list)) in sim - 2021-03-19
1157324 v8_wasm_compile_fuzzer: DCHECK failure in caller->CanTailCall(callee) in instruction-selector.cc - 2021-03-19
1020667 Security: Insecure Memory Copy in Trousers $500 2021-03-18
1101961 Heap-buffer-overflow in cc::PaintWorkletImageProvider::GetPaintRecordResult - 2021-03-18
1150810 Security: File System Access API - getFileHandle() allowing to save .lnk files $1000 2021-03-18
1151726 Heap-use-after-free in printing::PrintManager::GetPrintRenderFrame - 2021-03-18
1156513 pdf_codec_jpeg_fuzzer: Use-of-uninitialized-value in decompress_smooth_data - 2021-03-18
831761 SameSite cookie bypass via Custom Scheme $1000 2021-03-17
1148749 Double free/UAF in RegionDataLoaderImpl::DeleteThis $20000 2021-03-17
1150065 UaF in AudioHandler::ProcessIfNecessary - 2021-03-17
1153658 uaf in AudioNodeOutput::Pull $6000 2021-03-17
1155710 Iterating a directory with the File System Access API does not check current permissions. - 2021-03-17
1156510 Security: Use After Free in UserMediaRequest::OnMediaStreamInitialized $5000 2021-03-17
957042 Security: Possible to partially break sandbox restrictions imposed upon popup windows $1000 2021-03-16
1105875 Security: XS-Leak with Resource Timing API and CSP Embedded Enforcement $1000 2021-03-16
1131929 [Resource Timing] Missing PerformanceResourceTiming entries for iframe Requests that don't receive a Response $1000 2021-03-16
1149171 Heap-buffer-overflow in blink::NGOffsetMapping::GetMappingUnitsForLayoutObject - 2021-03-16
1149895 Security: OpenSSL certificate blocklist isn't installed in images - 2021-03-16
1151069 Security: heap-buffer-overflow in AudioWorkletProcessor::CopyParamValueMapToObject - 2021-03-16
1151298 Security: Use-After-Free in DeflateTransformer $7500 2021-03-16
1154936 webcodecs_video_encoder_fuzzer: Heap-buffer-overflow in init_encode_frame_mb_context - 2021-03-16
1155497 v8_wasm_compile_fuzzer: DCHECK failure in IsSimd128Register() in instruction.h - 2021-03-16
1155959 DCHECK failure in kCanBeWeak || (!IsSmi() == (((static_cast<i::Tagged_t>(ptr_) & ::i::kHeapObjectT - 2021-03-15
1156001 Crash in v8::internal::HandleBase::IsDereferenceAllowed - 2021-03-15
1140435 Security: showSaveFilePicker allowing to save file extension with space at the end - cannot delete file on windows - 2021-03-13
1140403 Security: Hide real extension of file by many white spaces - showSaveFilePicker $1000 2021-03-13
1140410 Security: Hide real extension of file by RTL - showSaveFilePicker $1000 2021-03-12
1140417 Security: showSaveFilePicker allowing to save .lnk and .local files on windows! $1000 2021-03-12
1146855 Heap-use-after-free in blink::AggregatingSampleCollector::Flush - 2021-03-12
1150249 Index-out-of-bounds in blink::AudioArray<float>::Allocate - 2021-03-12
1150798 Security: UAF in the views::DialogDelegate in the browser process $5000 2021-03-12
1152327 Security: File System Access API & Symlinks - 2021-03-12
1153595 Security: UAF in Drag-and-drop $20000 2021-03-12
1155178 Security: Skia GPU bug $6000 2021-03-12
1149125 Security: Some WebUI pages enable MojoJS bindings for the subsequently-navigated site $7500 2021-03-10
1150772 Index-out-of-bounds in blink::NGPhysicalBoxFragment::Create - 2021-03-10
1152387 Crash in icu_68::RuleBasedBreakIterator::handleNext - 2021-03-10
1153442 DCHECK failure in UseScratchRegisterScope{this}.CanAcquire() in liftoff-assembler-arm.h - 2021-03-10
1154439 DCHECK failure in num_locals_ == local_types_.size() in function-body-decoder-impl.h - 2021-03-10
1114062 heap-use-after-free in is_null - 2021-03-09
1149204 Security: heap-buffer-overflow in blink::WebGLRenderingContextBase::MakeXrCompatibleSync $5000 2021-03-09
1110751 Security: GoogleCrashHandler exist Any process DOS vulnerability - 2021-03-08
1149115 Heap-buffer-overflow in v8::internal::Simulator::WriteW - 2021-03-08
1152937 v8_wasm_fuzzer: DCHECK failure in decoder->ok() in graph-builder-interface.cc - 2021-03-05
1049265 Extensions with no special privileges are allowed to navigate to devtools:// scheme pages. $1000 2021-03-04
1108126 Security: Chrome Apps can access chrome.storage for other extensions via webview $3000 2021-03-04
1150371 Security: OOBW in the icu_68::FormattedStringBuilder::insert $5000 2021-03-04
1151865 Security: OOB-read in network DataElement struct traits. - 2021-03-04
1151890 Security: Uninitialised memory read with BigInt right-shift $3000 2021-03-04
1143412 Security: Pixelbook reveals windows underneath lock screen when external display is plugged in - 2021-03-03
1151684 webcodecs_video_encoder_fuzzer: Heap-buffer-overflow in vp9_enc_setup_mi - 2021-03-03
1151799 heap-buffer-overflow in MoveWebContentsAtImpl(extension) $15000 2021-03-03
978798 Security: Possible to fake the lock or login screen in full screen mode to phish user passwords - 2021-03-02
1142024 heap-use-after-free : gpu::SharedImageRepresentationDawnIOSurface::EndAccess - 2021-03-02
1146872 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2021-03-02
1149586 v8_inspector_fuzzer: DCHECK failure in ThreadId::Current() == isolate->thread_id() in compiler.cc - 2021-03-02
1150649 DCHECK failure in 0 <= length && length <= kMaxSafeInteger in builtins-array.cc - 2021-03-02
1151270 Heap-buffer-overflow in avx::rect_memset32 - 2021-03-02
1151248 Crash in hsw::load_NUMBER_dst - 2021-03-02
1151294 Crash in erms::rect_memset32 - 2021-03-02
1151320 Crash in hsw::load_NUMBER_dst - 2021-03-02
1151322 Crash in hsw::blit_row_s32a_opaque - 2021-03-02
1151460 Crash in SkARGB32_Black_Blitter::blitAntiH - 2021-03-02
1151532 Heap-buffer-overflow in ssse3::blit_mask_d32_a8 - 2021-03-02
1151551 Heap-buffer-overflow in hsw::lowp::load_NUMBER_dst - 2021-03-02
1151601 Heap-use-after-free in hsw::blit_row_s32a_opaque - 2021-03-02
1151602 Use-after-poison in v8::internal::AstRawString::Compare - 2021-03-02
1151611 Heap-buffer-overflow in hsw::S32_alpha_D32_filter_DX - 2021-03-02
709946 Security: <link rel='prerender'> causes same-site cookies to be sent along with cross-site requests $2000 2021-02-26
1038002 Unintended Data Leakage Through HTTP Request Headers $2000 2021-02-26
1149692 Security: Heap-use-after-free in BluetoothChooserController::AddOrUpdateDevice $15000 2021-02-26
1150317 Security: Potential remote code exec from web content in u2fd - 2021-02-26
1138683 Security: Use-after-free in MediaStreamCaptureIndicator::WebContentsDeviceUsage::AddDevices() $10000 2021-02-24
1141376 Security: --experimental-wasm-gc array length allocation wraps on 32bit - 2021-02-24
1147357 Heap-use-after-free in blink::NGContainerFragmentBuilder::MoveOutOfFlowDescendantCandidatesToDescendant - 2021-02-24
1146670 TFC chrome full chain - 2021-02-22
1142331 Security: use-after-poison in blink::FileReaderLoader::OnReceivedData $5000 2021-02-20
1148504 media_h265_decoder_fuzzer: Stack-buffer-overflow in media::H265Decoder::BuildRefPicLists - 2021-02-20
1148657 Use-after-poison in blink::MediaInspectorContextImpl::RemovePlayer - 2021-02-20
1106424 gstoraster_fuzzer: Use-of-uninitialized-value in s_A85D_process - 2021-02-19
1130226 gstoraster_fuzzer: Use-of-uninitialized-value in load_truetype_glyph - 2021-02-19
1141062 gstoraster_fuzzer: Use-of-uninitialized-value in aes_setkey_enc - 2021-02-19
1142020 heap-buffer-overflow : gfx::internal::StyleIterator::GetTextBreakingRange - 2021-02-19
1143662 use-after-poison in blink::CanvasResourceHost::InitializeForRecording(canvas_resource_host.cc) $5000 2021-02-19
1146025 Content-Security-Policy headers are lost when the page is restored from bfcache - 2021-02-19
1144646 NAT Slipstream: Overlong usernames in TURN credentials - 2021-02-19
1146068 Crash in icu_68::FormattedValueStringBuilderImpl::nextPositionImpl - 2021-02-19
1147430 Security: Heap-buffer-overflow in SkBitmapOperations::UnPreMultiply - 2021-02-19
1147516 airscan_query_fuzzer: Index-out-of-bounds in log_message - 2021-02-19
1147944 airscan_query_fuzzer: Use-of-uninitialized-value in trace_unref - 2021-02-19
1147943 DCHECK failure in vector->optimization_marker() != OptimizationMarker::kCompileOptimizedConcurrent - 2021-02-19
1148772 media_h265_decoder_fuzzer: Crash in base::AtomicRefCount::Decrement - 2021-02-19
1146654 media_h265_parser_fuzzer: Stack-buffer-overflow in media::H265Parser::ParseStRefPicSet - 2021-02-17
1146673 Security: type confusion in wasm cache - 2021-02-17
1146709 Security: Browser UAF when detaching a provisional frame - 2021-02-17
1146714 DCHECK failure in vector->optimization_marker() != OptimizationMarker::kCompileOptimizedConcurrent - 2021-02-17
1147431 Security: Heap-buffer-overflow in ClipboardWin::WriteBitmap - 2021-02-17
1147623 media_h265_decoder_fuzzer: Stack-buffer-overflow in scoped_refptr<media::H265Picture>::swap - 2021-02-17
1128479 Heap-buffer-overflow in cc::TransformTree::StickyPositionOffset - 2021-02-16
1137606 Heap-use-after-free in ui::LayerAnimationSequence::ProgressToEnd - 2021-02-16
1142069 heap-use-after-free : content::DownloadManagerImpl::GetDownload - 2021-02-16
1145906 heap-use-after-free : ProfileInfoCache::NotifyProfileAuthInfoChanged - 2021-02-16
1146675 Security: UAF in PepperFileIOHost - 2021-02-16
1146761 Security: UAF in ImageDecoderExternal due to ArrayBuffer Neuter $7500 2021-02-16
1146789 Bad-cast to blink::LayoutBox from blink::LayoutTextFragment in blink::LayoutBox::LastChildBox - 2021-02-16
1146861 DCHECK failure in dst.low_gp() != lhs.high_gp() in liftoff-assembler-arm.h - 2021-02-16
1146873 net_host_resolver_manager_fuzzer: Heap-buffer-overflow in net::ServiceFormHttpsRecordRdata::IsEqual - 2021-02-16
1147331 Bad-cast to int () in x11::InitXlib - 2021-02-16
1136078 UaF in PaymentCredential::DidDownloadFavicon - 2021-02-15
1137362 Security: Chrome Browser Policy Bypass "Allow invocation of file selection dialogs" $500 2021-02-15
1146728 DCHECK failure in vector->optimization_tier() == OptimizationTier::kNone || (vector->optimization_ - 2021-02-15
1144017 Use-of-uninitialized-value in policy::UserCloudPolicyManager::IsFirstPolicyLoadComplete - 2021-02-14
1146679 Security: WeakPtr checks are optimized out - 2021-02-14
1139411 Security: cryptohomed skeleton copy can be raced to chown things to user chronos - 2021-02-12
1139414 Security: imageburner path check can be raced - 2021-02-12
1144489 Security: OSExchangeDataProviderWin::SetDragImage - 2021-02-11
1144603 v8_wasm_code_fuzzer: DCHECK failure in array_buffer->is_shared() in isolate.cc - 2021-02-11
1146013 DCHECK failure in function->is_compiled() in compiler.cc - 2021-02-11
1137104 uaf in load4 SkRasterPipeline_opts.h $5000 2021-02-10
1137179 Security: Root priv escalation through cryptohomed, imageburner, arc-obb-mounter $30000 2021-02-10
1140376 neteq_rtp_fuzzer: Use-of-uninitialized-value in webrtc::test::NetEqTest::RunToNextGetAudio - 2021-02-10
1143448 Heap-use-after-free in ScopedObserver<views::Widget, views::WidgetObserver, & - 2021-02-10
1144449 cras_rclient_message_fuzzer: Heap-buffer-overflow in ccr_handle_message_from_client - 2021-02-10
1116444 Security: Extensions can capture contents of local files using Page.captureScreenshot $5000 2021-02-09
1125362 Security: Possible for extension to escape sandbox via chrome.debugger API and error page $10000 2021-02-09
1140949 CrOS: Vulnerability reported in net-wireless/bluez - 2021-02-09
1143057 Security: WebUSB permission dialog can appear over the wrong tab $500 2021-02-09
1145124 Bad-cast to icu_68::UVector from invalid vptr in icu_68::AliasReplacer::outputToString - 2021-02-09
1144368 Security: ConvertToJavaBitmap heap-buffer-overflow. - 2021-02-07
1144070 mediasource_MP2T_AACSBR_pipeline_integration_fuzzer: Use-of-uninitialized-value in float media::FloatSampleTypeTraits<float>::From<float> - 2021-02-06
1119873 Security: UAF in CSSLayout worklet $5000 2021-02-05
1143772 Security: V8: Turbofan fails to deoptimize code after map deprecation, leading to type confusion - 2021-02-05
1084649 dawn_wire_server_and_frontend_fuzzer: Use-of-uninitialized-value in libvulkan.so.1 - 2021-02-04
1137581 cups_ippreadio_fuzzer: Use-of-uninitialized-value in create_item - 2021-02-04
1137604 Heap-use-after-free in ScopedObserver<aura::Window, aura::WindowObserver, & - 2021-02-04
1143053 v8_wasm_code_fuzzer: Crash in v8::internal::TaggedField<v8::internal::WasmModuleObject, 112>::load - 2021-02-04
1141350 Security: Yet another universal XSS via copy&paste $3000 2021-02-03
1142675 uaf in VideoFrame::CreateImageBitmap $5000 2021-02-03
1134107 Security: stack buffer overflow write in RtcEventLogEncoderLegacy::EncodeRtcpPacket $1000 2021-02-02
1137594 CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (IsDereferenceAllowed()) in handles.h - 2021-02-02
1137603 Heap-use-after-free in blink::PropertyTreeStateOrAlias::Unalias - 2021-02-02
1139409 Security: cros-disks will mount local loop devices - 2021-02-02
1093791 Security: Chrome's insecure construction of curl commands allows untrusted websites to retrieve local files from the user's system $500 2021-02-01
1140549 v8_wasm_compile_fuzzer: DCHECK failure in src.is_byte_register() in assembler-ia32.cc - 2021-01-30
1141868 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2021-01-30
1132954 Security: Root priv escalation through shill, arc-setup, and upstart $30000 2021-01-29
1133047 Security: arc-setup should validate /run/arc/oem/etc/media_profiles.xml is not a symlink - 2021-01-29
1136714 Incorrect security UI at screen share API $500 2021-01-29
1138878 Possible UAF in SctpTransport's sctp_inpcb_free - 2021-01-29
1141743 Use-of-uninitialized-value in blink::IsOperatorWithSpecialShaping - 2021-01-29
1125018 Arbitrary file deletion in google chrome updater in master/chrome/updater/installer.cc $1000 2021-01-28
1127595 Chromium: Vulnerability reported in third_party/libxml - 2021-01-28
1138190 pdfium CompositeRow_8bppRgb2Rgb_NoBlend_RgbByteOrder heap-buffer-overflow - 2021-01-28
1139153 Security: Heap-use-after-free in WebRTC $7500 2021-01-28
1139825 pdfium heapoverflow CompositeRow_Argb2Argb_RgbByteOrder - 2021-01-28
1141256 Variables on the stack are not initialized in pp::FloatRect FloatPageRectToPixelRect - 2021-01-28
1097499 pdf_scanlinecompositor_fuzzer: Crash in GetAlphaWithSrc - 2021-01-27
1137580 Bad-cast to content::AgentSchedulingGroup from invalid vptr in content::RenderFrameImpl::Send - 2021-01-27
1138942 Bad-cast to content::AgentSchedulingGroup from invalid vptr in base::internal::Invoker<base::internal::BindState<content::RenderFrameImpl::OnUn - 2021-01-27
1139398 Security: [ANGLE] Invalid memory access in libglesv2!rx::IndexDataManager::streamIndexData $15000 2021-01-27
1037839 pdf_scanlinecompositor_fuzzer: Crash in RGB_Blend - 2021-01-26
1128340 CVE-2020-25211 CrOS: Vulnerability reported in Linux kernel - 2021-01-26
1134261 Security: UAF in Skia SkContourMeasureIter caused by SkPath::shrinkToFit - 2021-01-26
1137608 v8_wasm_compile_fuzzer: DCHECK failure in 0 <= offset in assembler-arm.cc - 2021-01-26
1138877 Security: heap-buffer-overflow in window.find $2000 2021-01-26
1138911 Security: UAF in TabStrip $15000 2021-01-26
1139786 CHECK failure: Type cast failed in CAST(p->receiver()) at ../../src/ic/accessor-assembler.cc:25 - 2021-01-26
1140197 Security: Apply fix for freetype heap buffer overflow to Chrome OS - 2021-01-26
1137583 DCHECK failure in CpuFeatures::IsSupported(*feature) in macro-assembler-x64.h - 2021-01-25
1137584 Bad-cast to blink::DrawingDisplayItem from blink::DisplayItem in blink::ConversionContext::Convert - 2021-01-25
1137591 Heap-use-after-free in blink::PaintArtifactCompositor::UpdateDebugInfo - 2021-01-25
1139408 arc-media-removable-{read,write} are not using noexec - 2021-01-25
945997 Using Flash's ProgressEvent to extract the length of cross-site responses $1000 2021-01-24
1138446 Security: webrtc container-overflow in the browser process $5000 2021-01-24
1139163 Security DCHECK failure: tree_order < tree_scopes_.size() in match_result.h - 2021-01-24
830808 SameSite cookie bypass via openWindow $500 2021-01-22
1115590 CSP Bypass via Chrome Extension $3000 2021-01-22
1133527 Security: Debug check failed: IsFound() || !holder_->HasFastProperties(isolate_) $5000 2021-01-22
1135594 Security: woff2 missing upstream fix for integer overflow - 2021-01-22
1137630 Security: PDFium heap-use-after-free in CPWL_ListBox::~CPWL_ListBox() $7500 2021-01-22
1125614 UaF in Payment (Android) - 2021-01-21
1135018 Security: UaF in TabSharingUI $15000 2021-01-21
1137586 DCHECK failure in effect_edges > 0 in verifier.cc - 2021-01-21
1137590 Crash in blink::NGBlockLayoutAlgorithm::CreateConstraintSpaceForChild - 2021-01-21
1137609 Crash in blink::ShapeResultView::CreateShapeResult - 2021-01-21
1137650 Crash in blink::ComputedStyleBase::MutableFilterInternal - 2021-01-21
1138577 Use-after-poison in blink::VideoFrameCallbackRequesterImpl::~VideoFrameCallbackRequesterImpl - 2021-01-21
1138776 CHECK failure: fixed_size_above_fp + in deoptimizer.cc - 2021-01-21
1138915 DCHECK failure in effect_edges > 0 in verifier.cc - 2021-01-21
1107970 gstoraster_fuzzer: Use-of-uninitialized-value in clip_runs_enumerate - 2021-01-20
1116729 dawn_wire_server_and_vulkan_backend_fuzzer: Heap-buffer-overflow in vk::DescriptorSetLayout::DescriptorSetLayout - 2021-01-20
1125240 dawn_wire_server_and_frontend_fuzzer: Heap-use-after-free in dawn_wire::server::Server::GetCmdSpace - 2021-01-20
1137578 v8_wasm_compile_fuzzer: Use-after-poison in v8::internal::wasm::WasmFullDecoder< - 2021-01-20
1137579 Crash in cc::DroppedFrameCounter::ReportFrames - 2021-01-20
1137582 DCHECK failure in stack_capacity_end_ > stack_end_ in function-body-decoder-impl.h - 2021-01-20
1137588 Use-after-poison in blink::VideoFrameCallbackRequesterImpl::~VideoFrameCallbackRequesterImpl - 2021-01-20
1137587 ndproxy_fuzzer: Use-of-uninitialized-value in patchpanel::NDProxy::GetPrefixInfoOption - 2021-01-20
1137596 v8_wasm_compile_fuzzer: Crash in unsigned int v8::base::ReadUnalignedValue<unsigned int> - 2021-01-20
1137597 CHECK failure: IsValidHeapObject(isolate->heap(), HeapObject::cast(p)) in objects-debug.cc - 2021-01-20
1137598 dawn_wire_server_and_frontend_fuzzer: Heap-use-after-free in dawn_wire::server::KnownObjects<WGPUBufferImpl*>::Get - 2021-01-20
1137601 CHECK failure: IsValidHeapObject(heap_, heap_object) in heap.cc - 2021-01-20
1137600 v8_wasm_compile_fuzzer: Use-after-poison in v8::internal::wasm::WasmFullDecoder<v8::internal::wasm::Decoder::kValidate,v8::i - 2021-01-20
1137602 Crash in Builtins_TestEqualStrictHandler - 2021-01-20
1137605 Crash in Builtins_TypeOfHandler - 2021-01-20
1137652 Bad-cast to float (float) noexcept in skvx::Vec<sizeof... - 2021-01-20
1137668 PDFium(XFA) Heap-use-after-free in ProbeForLowSeverityLifetimeIssue - 2021-01-20
1138197 DCHECK failure in 2 == args.length() in builtins-reflect.cc - 2021-01-20
1133009 Security: login_manager symlink attack - 2021-01-19
1134338 Security: Incorrect Handling of XFrameOptions with mailMsg in the PDF Viewer $3000 2021-01-19
1136327 Security: Use of use-of-uninitialized-value in UsbDeviceHandleUsbfs - 2021-01-19
1137595 Bad-cast to content::AgentSchedulingGroup from mojo::core::UserMessageImpl in base::internal::Invoker<base::internal::BindState<content::RenderFrameImpl::OnUn - 2021-01-19
1133210 DCHECK failure in !IsJSGlobalObject(isolate) in js-objects-inl.h $5000 2021-01-18
1133635 Security: UAF in PasswordGenerationPopupControllerImpl::PasswordAccepted $20000 2021-01-18
1135835 DialURLFetcher::Start may bypass Sec-Fetch-Site - 2021-01-18
1125337 Portrait photos (taken by Pixel3aXL) with EXIF crash on Desktop $500 2021-01-15
1128270 Security: UAF in UrlLoaderFactoryProxyImpl $20000 2021-01-14
1132998 CrosDisks accepts arbitrary bind mount parameters - 2021-01-14
1134960 Security: Use-after-free with using print dialog $3000 2021-01-14
1135857 Security: UAF in USBDevice $10000 2021-01-14
1133006 Security: network_diag does not validate multiline input - 2021-01-12
1134983 CrOS: Vulnerability reported in net-fs/samba - 2021-01-12
1110195 Security: Method field allows injection of HTTP requests - 2021-01-09
1122487 UAF in devtools $500 2021-01-08
1133183 Incorrect Security UI when using Tab preview $500 2021-01-08
1133275 CrOS: Vulnerability reported in sys-libs/ldb - 2021-01-08
1133668 Use after free triggered from mojo::SyncEventWatcher - 2021-01-08
1133671 Security: UAF in AutofillPopupControllerImpl::HandleKeyPressEvent $20000 2021-01-08
1133688 Security: UAF in PasswordGenerationPopupControllerImpl::HandleKeyPressEvent $20000 2021-01-08
1133983 Security: UaF in printing::PrintRenderFrameHelper::PreviewPageRendered() $5000 2021-01-08
1124661 Bad-cast to blink::LayoutInline from blink::LayoutBlockFlow in blink::NGInlineNode::ComputeOffsetMapping - 2021-01-06
1124963 Heap-buffer-overflow in blink::NGOffsetMapping::GetMappingUnitsForLayoutObject - 2021-01-06
1128657 audio.captureStream() may allow cross-origin resource theft - 2021-01-06
1133000 ArcObbMounter mounts without noexec - 2021-01-06
1133001 Security: ArcObbMounterInterface.MountObb takes arbitrary gid offset - 2021-01-06
960357 Chrome v74 JS dialog description Spoof vulnerability on IOS $500 2021-01-05
1127322 UaF in ServiceWorkerPaymentApp - 2021-01-05
1129850 uaf in browser process(ServiceWorkerScriptLoaderFactory()) - 2021-01-05
1127620 DCHECK failure in OperatorProperties::GetTotalInputCount(node->op()) == node->InputCount() in veri - 2021-01-05
1132641 Security: out of bounds write in CanonicalizeTimeZoneID - 2021-01-05
1132926 Step "browser_tests" failing on builder "Linux ChromiumOS MSan Tests" - 2021-01-05
1080395 Android/iOS: URL spoofing using long sub-domain for blob:URL $3000 2021-01-04
1126881 CrOS: Vulnerability reported in net-libs/gnutls - 2021-01-02
1131040 Check secure payment confirmation feature state in browser process. - 2021-01-02