1040837 | Security: open an evil exe file via a "shortcut" in chrome://downloads/ | $500 | 2021-12-31
1233375 | Referrer Spoof using <base href> and <style> | $500 | 2021-12-30
1248567 | SEGV in vk::Image::clear() | $5000 | 2021-12-30
1252351 | tint_binding_remapper_fuzzer: Heap-buffer-overflow in tint::fuzzers::RandomGenerator::CalculateSeed | - | 2021-12-30
1233566 | Cryptohome ephemeral mounts lack nosymfollow | - | 2021-12-29
1251787 | Security: ASLR bypass via memory_instrumentation.mojom.Coordinator | - | 2021-12-29
1251727 | Security: heap-use-after-free in content::RenderFrameHostImpl::delegate | - | 2021-12-29
1283234 | Payment Handler gets cropped or partially lives outside of popup window | - | 2021-12-29
1108714 | Security: WPA2-Enterprise/EAP WiFi Connection UI Discrepancy | $3000 | 2021-12-28
1195566 | crash in ModalCloseWatcher::Close | - | 2021-12-28
1240921 | Symlink traversal in network driver modprobe script | $20000 | 2021-12-28
1250660 | Potential race condition during concurrent JIT compilation | - | 2021-12-28
1250730 | h264_bitstream_parser_fuzzer: Crash in webrtc::BitstreamReader::ReadExponentialGolomb | - | 2021-12-28
1250775 | Security DCHECK failure: IsA<Derived>(from) in casting.h | - | 2021-12-28
1251010 | vp9_encoder_references_fuzzer: Use-of-uninitialized-value in webrtc::LibvpxVp9Encoder::SetSvcRates | - | 2021-12-28
1248435 | SUMMARY: AddressSanitizer: use-after-poison event_listener_map.cc:144 in blink::EventListenerMap::Add | $7500 | 2021-12-27
1152952 | Security: Cast tab can appear after navigation to a different origin | $1000 | 2021-12-25
1085762 | Security: Improper Theme name sanitization in theme manager. | $500 | 2021-12-24
1182188 | Chromium: Vulnerability reported in third_party/xstream | - | 2021-12-24
1206928 | use-after-poison network_state_notifier.cc:314 in blink::NetworkStateNotifier::NotifyObserversOnTaskRunner | $5000 | 2021-12-24
1245607 | CrOS: Vulnerability reported in dev-libs/openssl | - | 2021-12-24
1248665 | Null-dereference READ in ubsan_GetStackTrace | - | 2021-12-24
1249602 | tint_regex_spv_writer_fuzzer.exe: Illegal-instruction in tint::fuzzers::FatalError | - | 2021-12-24
1244348 | Security: Heap-use-after-free in ui::EventDispatcher::DispatchEventToEventHandlers | $15000 | 2021-12-23
1246728 | dawn_wire_server_and_vulkan_backend_fuzzer.exe: Heap-use-after-free in tint::transform::DataMap::Add<tint::transform::SingleEntryPoint::Config,const | - | 2021-12-23
1248661 | Security: heap-use-after-free in app_controller_mac.mm | $10000 | 2021-12-23
1094945 | Security: Speculative type confusion - [1/3 - eBPF] | $10000 | 2021-12-22
1182687 | Executable libraries could be loaded from noexec partitions | - | 2021-12-22
1241643 | Crash in memfd:swiftshader_jit | - | 2021-12-22
1246631 | SUMMARY: AddressSanitizer: heap-buffer-overflow SkPixmap.cpp:321 in SkPixmap::getColor | $20000 | 2021-12-22
1246692 | skia_image_filter_deserialize_fuzzer: Illegal-instruction in SkSL::DSLParser::swizzle | - | 2021-12-22
1193196 | CrOS: Vulnerability reported in dev-libs/glib | - | 2021-12-21
1218099 | Yoga commit may be a security fix | - | 2021-12-21
1238944 | Android Chrome & Chromium Browsers Address Bar Spoofing | $3000 | 2021-12-21
1242392 | heap buffer overflow iin FingerprintHandler::HandleGetEnrollmentLabel | $10000 | 2021-12-21
1247395 | Security: WebView's CookieManager APIs fix up URLs incorrectly, potentially allowing cookie theft | - | 2021-12-21
1248768 | Heap-use-after-free in blink::ElementRuleCollector::CollectMatchingRules | - | 2021-12-21
456994 | Extension Debugger API restrictions are trivially circumvented | - | 2021-12-20
1246394 | Security: heap-use-after-free C:\b\s\w\ir\cache\builder\src\chrome\browser\ui\views\media_router\web_contents_display_observer_view.cc:56:22 in media_router::WebContentsDisplayObserverView::OnBrowserSetLastActive(class Browser *) | $15000 | 2021-12-20
1248514 | Heap buffer overflow in PasswordSpecFetcher | - | 2021-12-20
1248030 | Security: Use After Free in FileSystemAccessManagerImpl | $15000 | 2021-12-19
1141803 | Heap-use-after-free in content::RenderFrameImpl::GetLocalRootRenderWidget | - | 2021-12-17
1234050 | Nearby Share UI incorrectly appears in non-ChromeOS browsers: causes UAF | $15000 | 2021-12-17
1241123 | Security: [ANGLE] Stack buffer overwrite in rx::StateManager11::syncVertexBuffersAndInputLayout | $7500 | 2021-12-16
1242257 | Heap-use-after-free in ui::SendDamagedRectsRecursive | $16000 | 2021-12-16
1245879 | Security: Incomplete fix for CVE-2021-30577 | $10000 | 2021-12-16
1246163 | tint_first_index_offset_fuzzer: Illegal-instruction in tint::fuzzers::FatalError | - | 2021-12-16
1246301 | angle_translator_fuzzer: Use-of-uninitialized-value in sh::StructNameString | - | 2021-12-16
1246612 | Use-after-poison in base::internal::WeakReferenceOwner::Invalidate | - | 2021-12-16
1246652 | Bad-cast to SkSL::dsl::DSLGlobalVar from invalid vptr in SkTArray<SkSL::dsl::DSLGlobalVar, false>::checkRealloc | - | 2021-12-16
1246705 | Crash in cppgc::internal::ConcurrentMarkingTask::Run | - | 2021-12-16
1246780 | SUMMARY: AddressSanitizer: use-after-poison timer.cc:217 in base::internal::TimerBase::OnScheduledTaskInvoked | $7500 | 2021-12-16
1246919 | Use-after-poison in blink::LayoutGrid::LayoutPositionedObjects | - | 2021-12-16
1247182 | rtcp_receiver_fuzzer: Use-of-uninitialized-value in webrtc::RTCPReceiver::ParseCompoundPacket | - | 2021-12-16
1247686 | Security DCHECK failure: unit.TextContentEnd() <= text.length() in ng_offset_mapping.cc | - | 2021-12-16
1240952 | Security: [Chrome OS Readiness Tool] Public tracking bug: Service installer assigns wrong permissions to DCOM objects | - | 2021-12-14
1243318 | M94 Merge Request for crbug.com/dawn/1065 | - | 2021-12-14
1244568 | Security: Cross-Origin information leak or delete in ContentIndex | $5000 | 2021-12-14
1246748 | dawn_wire_server_and_vulkan_backend_fuzzer: Heap-use-after-free in dawn_native::vulkan::ComputePipeline::Initialize | - | 2021-12-14
1245881 | AddressSanitizer: use-after-poison execution_context_lifecycle_observer.cc:40 in blink::ExecutionContextLifecycleObserver::GetExecutionContext | $5000 | 2021-12-13
1246606 | Security DCHECK failure: i < length() in string_view.h | - | 2021-12-13
1246619 | Security DCHECK failure: unit.TextContentEnd() <= text.length() in ng_offset_mapping.cc | - | 2021-12-13
1244408 | dawn_wire_server_and_vulkan_backend_fuzzer: Heap-use-after-free in sw::PixelRoutine::PixelRoutine | - | 2021-12-11
1245141 | dawn_wire_server_and_vulkan_backend_fuzzer: Heap-use-after-free in vk::CommandBuffer::submit | - | 2021-12-11
1245605 | Chromium: Vulnerability reported in third_party/xstream | - | 2021-12-11
1245786 | Security: Security DCHECK failure at blink::LayoutInline | $5000 | 2021-12-11
1246412 | code_cache_host_mojolpm_fuzzer: Illegal-instruction in StackTraceGetter::CurrentStackTrace | - | 2021-12-11
1240538 | BluetoothRemoteGattCharacteristicTestWinrtOnly.StartNotifySessionDisconnectOnError failing on builder "win-asan" | - | 2021-12-10
1240884 | Security: UAF in EditAddressProfileView::WindowClosing | $17000 | 2021-12-10
1241036 | Chrome ANGLE Out-of-Bound in texStorage3D | $7500 | 2021-12-10
1243117 | Security: UAF in AvailableOfflineContentProvider | $15000 | 2021-12-10
1243622 | Security: Cross-Origin information leak in GetDeveloperIdsTask | $2000 | 2021-12-10
1243535 | Security: AddressSanitizer: heap-use-after-free on address 0x11de0a00f100 SkPathEffectBase::asPoints and AddressSanitizer: heap-use-after-free on address 0x119b5ac92cd8 base::circular_deque | - | 2021-12-10
1244490 | [sparkplug]Security: jit code memory corruption after use the generated baseline code to optimiztion the machine code | - | 2021-12-10
1245053 | Security: Cross-Origin Response Size Leak Via BackgroundFetch | $3000 | 2021-12-10
1245870 | DCHECK failure in (class_variable_) == nullptr in scopes.cc | - | 2021-12-10
1245907 | Heap-use-after-free in chromeos::LoginApiDataForNextLoginAttemptPrefCleaner::~LoginApiDataForNextLoginA | - | 2021-12-10
1246158 | dawn_wire_server_and_vulkan_backend_fuzzer: Heap-use-after-free in dawn_native::vulkan::ComputePipeline::Initialize | - | 2021-12-10
1234284 | Use-after-Free in AudioDebugRecordingsHandler::StartAudioDebugRecordings | $20000 | 2021-12-09
1242404 | oob in function StartupPagesHandler::HandleEditStartupPage | $6000 | 2021-12-09
1242742 | Security: heap-buffer-overflow in TabStripModel::MoveWebContentsAtImpl | $10000 | 2021-12-09
1243646 | Security: container-overflow in RecordEngagementMetric | $20000 | 2021-12-09
1245046 | tint_ast_hlsl_writer_fuzzer.exe: Illegal-instruction in tint::fuzzers::FatalError | - | 2021-12-09
1246065 | DCHECK failure in storage_.is_populated_ in optional.h | - | 2021-12-09
1214199 | Security: Heap-use-after-free in BackgroundFetchDelegateBase::CancelDownload | $10000 | 2021-12-08
1232279 | Security: Security: Clickjacking RCE of Chrome headless with Remote Debugging | $3000 | 2021-12-08
1233942 | Use-after-Free on AudioDebugRecordingsHandler::StopAudioDebugRecordings | $20000 | 2021-12-08
1239516 | use after free in sharing_hub::ScreenshotCapturedBubbleController::Capture | $10000 | 2021-12-08
1239709 | Security: Insufficient CORS Check Leads to Cross-Origin Size Leak via BackgroundFetch API | $3000 | 2021-12-08
1243733 | virgl_venus_fuzzer: Use-of-uninitialized-value in vn_decode_VkFormatProperties2_pnext_partial_temp | - | 2021-12-08
1243989 | Use-after-poison in v8::internal::Scope::AllocateVariablesRecursively | - | 2021-12-08
1244254 | Trap in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvInRegister_NoBuiltinExit | - | 2021-12-08
1244435 | DCHECK failure in header->IsMarked() in pointer-policies.cc | - | 2021-12-08
1245003 | CHECK failure: black_size <= marking_state->live_bytes(page) in paged-spaces.cc | - | 2021-12-08
1245079 | CHECK failure: bitmap(page)->AllBitsSetInRange( page->AddressToMarkbitIndex(current), page->Add | - | 2021-12-08
1245145 | CHECK failure: map_object.IsMap() in mark-compact-inl.h | - | 2021-12-08
1245357 | CHECK failure: black_size <= marking_state->live_bytes(page) in paged-spaces.cc | - | 2021-12-08
1245405 | CHECK failure: bitmap(page)->AllBitsSetInRange( page->AddressToMarkbitIndex(current), page->Add | - | 2021-12-08
1242269 | Security: Blink - Use After Free of DawnCallback. | $7500 | 2021-12-04
1243562 | WebGPU mapped buffer range ArrayBuffers can be transferred | - | 2021-12-04
1243920 | Security DCHECK failure: IsA<Derived>(from) in casting.h | - | 2021-12-04
1244134 | tint_spirv_tools_msl_writer_fuzzer.exe: Illegal-instruction in tint::fuzzers::FatalError | - | 2021-12-04
1203612 | Chrome OS cannot handle multiple/wildcard server names for "SubjectMatch" in .onc profiles, opening doors to impersonation attacks and credential thefts | $3000 | 2021-12-03
1233932 | CrOS: Vulnerability reported in app-arch/libarchive | - | 2021-12-03
1242315 | Security: Manifest.json can display overlay on non-origin tabs | $1000 | 2021-12-03
1242841 | Security: UAF in WebAppIdentityUpdate | $7000 | 2021-12-03
1242865 | tint_msl_transform_fuzzer: Heap-buffer-overflow in tint::writer::msl::GeneratorImpl::EmitTypeConstructor | - | 2021-12-03
1243944 | tint_renamer_fuzzer: Stack-use-after-return in tint::sem::Pointer::Pointer | - | 2021-12-03
1072444 | Security: cryptohomed file system interactions with less-privileged chronos user at /home/chronos/u-<hash> | - | 2021-12-02
1100761 | Security: Possible to download files from sandboxed frames | $3000 | 2021-12-02
1239910 | Security: Web GPU - Out of bound object manupilation in WebGPUImplementation::OnGpuControlReturnData() | $7500 | 2021-12-02
1242862 | Heap-use-after-free in base::UnguessableToken const& base::internal::FunctorTraits<base::UnguessableTok | - | 2021-12-02
1203399 | gpu_swangle_passthrough_fuzzer: Crash in gpu::gles2::GLES2DecoderPassthroughImpl::DoBindTexture | - | 2021-12-01
1228248 | Feedback WebUIDialog does not observe Profile lifetime | $5000 | 2021-12-01
1234544 | Bad-cast to blink::ScriptWrappable from invalid vptr in blink::DOMDataStore::GetWrapper | - | 2021-12-01
1238108 | Heap-use-after-free in content::WebAXObjectProxy::ActiveDescendant | - | 2021-12-01
1241193 | tint_regex_spv_writer_fuzzer.exe: Illegal-instruction in tint::fuzzers::FatalError | - | 2021-12-01
1242650 | Heap-use-after-free in content::MediaStreamDispatcherHost::OnWebContentsFocused | - | 2021-12-01
1233067 | Security: Overlong iframe CSP attribute allows you to send near-arbitrary length headers to a server and induce server errors | $2000 | 2021-11-30
1237533 | TALOS-2021-1352: Google Chrome Blink setBaseAndExtent use after free vulnerability | $7500 | 2021-11-30
1238158 | heap-use-after-free : ChromeAppDelegate::OnHide | - | 2021-11-30
1238178 | heap-use-after-free : WebUIAllowlist::GetRuleIterator | - | 2021-11-30
1241024 | uaf in sharing_hub::ScreenshotCapturedBubble::DownloadButtonPressed | - | 2021-11-30
1241606 | M94 Merge Request for crbug.com/dawn/837 | - | 2021-11-30
1241912 | media_h265_decoder_fuzzer: Heap-buffer-overflow in media::H265Decoder::CalcRefPicPocs | - | 2021-11-30
1241687 | crash in qrcode_generator::QRCodeGeneratorBubbleController::UpdateIcon | - | 2021-11-30
1241913 | CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (!(!concurrent_search) || (array->IsS | - | 2021-11-30
1242666 | CrOS: Vulnerability reported in dev-libs/nettle | - | 2021-11-30
1242669 | CrOS: Vulnerability reported in net-misc/curl | - | 2021-11-30
1202613 | Security: Stack overflow in nested message loops | - | 2021-11-29
1242319 | Security: CVE-2021-3560 local privilege escalation through polkit | - | 2021-11-29
1239895 | Security DCHECK failure: !resource_clipper->NeedsLayout() in clip_path_clipper.cc | - | 2021-11-28
1239057 | Security: UaF in TabStripModel::MoveWebContentsAtImpl | $10000 | 2021-11-26
1239472 | Security: UAF in dav1d_get_bits function | $5000 | 2021-11-26
1240033 | Heap-use-after-free in ash::AppDragIconProxy::GetBoundsInScreen | - | 2021-11-26
1241192 | vp9_qp_parser_fuzzer: Heap-buffer-overflow in rtc::BitBuffer::ReadBits | - | 2021-11-26
1241297 | vp9_qp_parser_fuzzer: Heap-buffer-overflow in rtc::BitBuffer::PeekBits | - | 2021-11-26
1221913 | cras_rclient_message_fuzzer: Use-of-uninitialized-value in cras_main_message_send | - | 2021-11-25
1232095 | CHECK failure: args[0].IsJSPromise() | - | 2021-11-25
1232658 | Security: ChromeOS root privilege escalation (pita, vm_concierge, arc-setup, DBus) | $30000 | 2021-11-25
1232875 | CHECK failure: static_cast<uintptr_t>(caller_frame_top_) > stack_guard->real_jslimit() in deopt | - | 2021-11-25
1233570 | Risky mkdirs and chowns in vm_tools init | - | 2021-11-25
1234701 | dawn_wire_server_and_vulkan_backend_fuzzer: Crash in memfd:swiftshader_jit | - | 2021-11-25
1235949 | Security: heap-use-after-free in ~PermissionRequestChip | $10000 | 2021-11-25
1236209 | cras_rclient_message_fuzzer: Use-of-uninitialized-value in cras_main_message_send | - | 2021-11-25
1240670 | v8_wasm_compile_fuzzer: Crash in v8::internal::WasmArray::GcSafeSizeFor | - | 2021-11-25
1213238 | heap-use-after-free : media_router::MediaRouterAndroidBridge::DetachRoute | - | 2021-11-24
1234491 | Security: ChromeOS root privilege escalation (cups, crash-reporter, ghostscript, Upstart) | $30000 | 2021-11-24
1234882 | Security: cupsd.conf Upstart root file write target | - | 2021-11-24
1239595 | use after free in DiceTurnSyncOnHelperDelegateImpl::ShowEnterpriseAccountConfirmation( | $5000 | 2021-11-24
1240714 | CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (IsName_NonInline(*this)) in name-tq- | - | 2021-11-24
1235165 | Heap-use-after-free in ash::TrayBubbleView::~TrayBubbleView | - | 2021-11-23
1235316 | use after free in blink::FrameLoader::DetachDocument | $7500 | 2021-11-23
1240548 | dawn_wire_server_and_frontend_fuzzer: Heap-use-after-free in dawn_wire::server::Server::InjectDevice | - | 2021-11-23
1239522 | DCHECK failure in native_module == current_native_module_ in code-space-access.cc | - | 2021-11-22
1239820 | DCHECK failure in !header->IsFree() in pointer-policies.cc | - | 2021-11-22
1238406 | cras_rclient_message_fuzzer: Use-of-uninitialized-value in cras_main_message_send | - | 2021-11-20
1238466 | hb_subset_fuzzer: Crash in OT::CPALV1Tail::serialize | - | 2021-11-20
1239116 | v8_wasm_code_fuzzer: Crash in v8::internal::Simulator::LoadStoreHelper | - | 2021-11-20
1237069 | Heap-use-after-free in ui::AXNode::GetUnignoredParent | - | 2021-11-18
1238469 | hb_subset_fuzzer: Use-of-uninitialized-value in TrySubset | - | 2021-11-18
1238731 | paint_op_buffer_fuzzer: Heap-use-after-free in SkCanvas::internalRestore | - | 2021-11-18
1232914 | Security: Heap-use-after-free in AutofillManager::OnLoadedServerPredictions | $1000 | 2021-11-17
1234878 | Security: Arbitrary code execution in ghostscript | - | 2021-11-17
1234880 | Security: crash-reporter dirty root write | - | 2021-11-17
1238268 | Security: heap-use-after-free in in download::NetworkStatusListenerImpl::OnNetworkStatusReady | $20000 | 2021-11-17
1083337 | URL spoofing on iOS by repeatedly navigating a new window | $500 | 2021-11-16
1221914 | cras_rclient_message_fuzzer: Use-of-uninitialized-value in volume_gain | - | 2021-11-16
1230767 | Google Chrome WebRTC addIceCandidate use after free vulnerability (TALOS-2021-1348) | $22000 | 2021-11-16
1232628 | uaf in display::DisplayList::GetCurrentDisplay (chromeos version) | $15000 | 2021-11-16
1234259 | Security: a READ memory access in jsimd_huff_encode_one_block_sse2 | $5000 | 2021-11-16
1234829 | Security: [ANGLE] Heap use-after-free in TextureD3D::releaseTexStorage | $9500 | 2021-11-16
1236701 | Security: UAF in Screens::UpdateScreenInfos due to iterator invalidation | $7500 | 2021-11-16
1236958 | v8_wasm_compile_fuzzer: DCHECK failure in node->InputAt(1) == loop_header in loop-analysis.cc | - | 2021-11-16
1209469 | Security: OOB write after creating pinned tab that's also in a group | $10000 | 2021-11-15
1209616 | Security: OOB read when window is closed while a link is being dragged over the tab strip | $5000 | 2021-11-15
1223388 | hb_subset_fuzzer: Heap-buffer-overflow in OT::CPALV1Tail::serialize | - | 2021-11-15
1230932 | libaom_av1_dec_fuzzer: Use-of-uninitialized-value in aom_lowbd_blend_a64_d16_mask_c | - | 2021-11-15
1231650 | tint_spv_reader_wgsl_writer_fuzzer: Illegal-instruction in tint::fuzzers::FatalError | - | 2021-11-15
1232808 | libaom_av1_dec_fuzzer: Use-of-uninitialized-value in av1_dist_wtd_convolve_2d_copy_c | - | 2021-11-15
1236809 | Heap-use-after-free in ash::TrayBubbleView::RerouteEventHandler::OnKeyEvent | - | 2021-11-15
1237387 | CHECK failure: Ref construction failed in heap-refs.cc | - | 2021-11-15
999110 | CrOS: Vulnerability reported in net-wireless/hostapd | - | 2021-11-12
1199865 | Security: spook.js attacks on site vs origin isolation; extensions | $3000 | 2021-11-12
1221068 | heap-use-after-free : content::NativeIOManager::OnDeleteOriginDataCompleted | - | 2021-11-12
1228557 | Security: UaF in TabGroupEditorBubbleView::UpdateGroup() | $10000 | 2021-11-12
1233564 | Security: Data race in HRTFDatabaseLoader::WaitForLoaderThreadCompletion | - | 2021-11-12
1233585 | vm_concierge init allows bind mounting over symlinks | - | 2021-11-12
1235222 | Security: Autofill prompt can render over browser UI (bypasses of recent reports) | $3000 | 2021-11-12
1236563 | CHECK failure: Ref construction failed | - | 2021-11-12
1236614 | DCHECK failure in FLAG_flush_baseline_code || FLAG_flush_bytecode in heap-inl.h | - | 2021-11-12
1236694 | Security: BigInt ToStringFormatter Crash | $5000 | 2021-11-12
1237073 | CHECK failure: Ref construction failed in heap-refs.cc | - | 2021-11-12
1004112 | CVE-2019-16234 CrOS: Vulnerability reported in Linux kernel | - | 2021-11-09
1209622 | AddressSanitizer: heap-use-after-free scoped_blocking_call_internal.cc:208 in base::internal::IOJankMonitoringWindow::OnBlockingCallCompleted | $15000 | 2021-11-09
1234764 | v8/Turbofan: Invalid rotate-right optimization + Typer hardening bypass | $21000 | 2021-11-09
1234770 | v8/Turbofan: Wrong optimization of bitfield checks | $21000 | 2021-11-09
1231933 | Security: UAF in perfromance_manager's site_data_impl.cc | $10000 | 2021-11-08
1234009 | Use-after-Free in FileSystemChooseEntryFunction::FilesSelected | $20000 | 2021-11-08
1234321 | Security: blink_platform!blink::CreateImageFromVideoFrame checkfailed | - | 2021-11-08
1235072 | dawn_wire_server_and_vulkan_backend_fuzzer: Heap-use-after-free in dawn_wire::server::Server::InjectDevice | - | 2021-11-08
1232617 | use after free in IsIndeterminate (chromeos version) | $15000 | 2021-11-07
1234676 | Stack-use-after-return in blink::StyleVariables::GetValue | - | 2021-11-07
1231877 | tint_msl_transform_fuzzer: Heap-buffer-overflow in tint::writer::msl::GeneratorImpl::EmitTypeConstructor | - | 2021-11-05
1233975 | Use-after-Free on HandleOnPerformDrop | $20000 | 2021-11-05
1022790 | Security: SameSite=Lax cookie sent with cross-origin request inside iframe | $1000 | 2021-11-04
1217396 | trunks_tpm_pinweaver_fuzzer: Global-buffer-overflow in google::protobuf::internal::EpsCopyInputStream::ReadString | - | 2021-11-04
1230128 | tint_inspector_fuzzer.exe: Illegal-instruction in tint::fuzzers::FatalError | - | 2021-11-04
1231134 | UAF in PrintViewManager | $20000 | 2021-11-04
1233354 | Heap-buffer-overflow in CJS_Field::setFocus | - | 2021-11-04
1233430 | Type confusion in blink::StyleBuilderConverterBase::ConvertFontSize Security DCHECK failed: IsA<Derived>(from). | $5000 | 2021-11-04
1233572 | dawn_wire_server_and_frontend_fuzzer: Bad-cast to dawn_wire::server::Server from invalid vptr in dawn_wire::server::Server::InjectDevice | - | 2021-11-04
1233707 | sqlite3_select_printf_lpm_fuzzer: Use-of-uninitialized-value in fixDistinctOpenEph | - | 2021-11-04
1234206 | CHECK failure: !map.is_dictionary_map() implies map.is_stable() | - | 2021-11-04
1234357 | dawn_wire_server_and_frontend_fuzzer: Bad-cast to dawn_wire::server::Serverdawn_wire::server::Server::InjectDevice in dawn_native::LoggingCallbackTask::HandleShutDown | - | 2021-11-04
1190550 | Security: UAF in InputHandler::InputInjector::InjectKeyboardEvent | $10000 | 2021-11-02
1216898 | Security: heap-buffer-overflow in TabStripModel::IsTabBlocked | - | 2021-11-02
1219354 | URL spoofing using tel: | $1000 | 2021-11-02
1222120 | Heap-use-after-free in ash::DesksBarView::FinalizeDragDesk | - | 2021-11-02
1224238 | use after free content::FontAccessManagerImpl::DidChooseLocalFonts | $20000 | 2021-11-02
1224753 | Security: SkAbort_FileLine Assert Failed | - | 2021-11-02
1228036 | CHECK failure: addr + size <= chunk_->area_end() | - | 2021-11-02
1231369 | tint_binding_remapper_fuzzer: Heap-buffer-overflow in tint::fuzzers::ExtractBindingRemapperInputs | - | 2021-11-02
1231503 | tint_all_transforms_fuzzer: Use-of-uninitialized-value in tint::fuzzers::Reader::string | - | 2021-11-02
1231950 | v8_wasm_async_fuzzer: Crash in v8::internal::LogicVRegister::ReadUintFromMem | - | 2021-11-02
1232733 | DCHECK failure in chars[i] != bigint::kStringZapValue in bigint.cc | - | 2021-11-02
1233397 | Security: Out of bounds memory access in BigInt | $15000 | 2021-11-02
1251541 | Security: Universal Cross-Site Scripting (UXSS) - completing previously searched text in NTP | $1000 | 2021-11-01
663512 | Redirects should be handled by CSP form-action in a spec-compliant way | - | 2021-10-30
823241 | Referrer Policy bypass with javascript URL | $1000 | 2021-10-30
923648 | CrOS: Vulnerability reported in sys-apps/busybox | - | 2021-10-30
1101897 | Security: Possible to escape sandbox via devtools_page (alternative method) | $5000 | 2021-10-30
1215711 | v8_inspector_fuzzer: Trap in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_NoBuiltinExit | - | 2021-10-29
1223390 | dawn_wire_server_and_d3d12_backend_fuzzer.exe: Heap-use-after-free in dawn_wire::server::Server::InjectDevice::<lambda_1>::__invoke | - | 2021-10-29
1223603 | dawn_wire_server_and_vulkan_backend_fuzzer: Heap-use-after-free in dawn_wire::server::Server::InjectDevice | - | 2021-10-29
1227777 | Security: HeapOverflow in RecentlyUsedFoldersComboModel | $20000 | 2021-10-29
1227933 | Heap-use-after-free in blink::NGOutOfFlowLayoutPart::SaveStaticPositionOnPaintLayer | - | 2021-10-29
1228134 | dawn_wire_server_and_frontend_fuzzer: Use-of-uninitialized-value in void dawn_wire::ChunkedCommandSerializer::SerializeCommandImpl<dawn_wire::Return | - | 2021-10-29
1228672 | CrOS: Vulnerability reported in dev-libs/libxml2 | - | 2021-10-29
1229298 | Security: Chrome: UAF in BindFileUtilitiesHost | $20000 | 2021-10-29
1229516 | Security: WebShare from ephemeral tab triggers browser crash | - | 2021-10-29
1229625 | TaskManager fails to keep Profile alive leading to UAF in CreateNativeWidget | $1000 | 2021-10-29
1230369 | webcodecs_audio_encoder_fuzzer: Use-of-uninitialized-value in media::AudioOpusEncoder::OnFifoOutput | - | 2021-10-29
1230409 | webcodecs_image_decoder_fuzzer: Heap-buffer-overflow in media::DownShiftHighbitVideoFrame | - | 2021-10-29
1230431 | DCHECK failure in IsNumber() in objects-inl.h | - | 2021-10-29
1230530 | Security: heap-use-after-free in the PaymentCredential in the browser process | $20000 | 2021-10-29
1230513 | Security: heap-use-after-free in WebDataRequestManager::RequestCompletedOnThread | $10000 | 2021-10-29
1231117 | CHECK failure: proto.map().oddball_type() == OddballType::kNull in compilation-dependencies.cc | - | 2021-10-29
1231169 | tint_all_transforms_fuzzer: Use-of-uninitialized-value in tint::fuzzers::AddPlatformIndependentPasses | - | 2021-10-29
1231432 | use after poison in ImageDecoderExternal | $5000 | 2021-10-29
1231704 | Crash in v8::internal::ClearStaleLeftTrimmedHandlesVisitor::FixHandle | - | 2021-10-29
1231705 | DCHECK failure in current.map_word(kRelaxedLoad).IsForwardingAddress() || current.IsFixedArrayBase | - | 2021-10-29
1231952 | CHECK failure: Promise::kPending == promise->status() in objects.cc | - | 2021-10-29
1232115 | garcon_mime_types_parser_fuzzer: Use-of-uninitialized-value in ReadInt | - | 2021-10-29
1221130 | CrOS: Vulnerability reported in dev-libs/libgcrypt | - | 2021-10-26
1226373 | Security: Clickjacking | $500 | 2021-10-26
1229196 | code_cache_host_mojolpm_fuzzer: Illegal-instruction in StackTraceGetter::CurrentStackTrace | - | 2021-10-26
1230324 | tint_ast_clone_fuzzer: Illegal-instruction in TintInternalCompilerErrorReporter | - | 2021-10-26
1230784 | Crash in cppgc::internal::PageBackend::FreeLargePageMemory | - | 2021-10-26
1230936 | DCHECK failure in isolate->context().is_null() || isolate->context().IsContext() in runtime-compil | - | 2021-10-26
1203880 | heap-use-after-free : system_media_permissions::`anonymous namespace'::CheckSystemMediaCapturePermission | - | 2021-10-25
1227351 | v8_wasm_fuzzer: DCHECK failure in force_emit || !require_jump in assembler-arm.cc | - | 2021-10-25
1230239 | vp9_replay_fuzzer.exe: Illegal-instruction in webrtc::vp9::BitstreamReader::IfNextBoolean | - | 2021-10-25
1230265 | Trap in v8::internal::__RT_impl_Runtime_AbortCSAAssert | - | 2021-10-25
1230266 | tint_all_transforms_fuzzer: Stack-buffer-overflow in tint::fuzzers::Reader::read | - | 2021-10-25
1197196 | tint_spv_reader_msl_writer_fuzzer.exe: Illegal-instruction in tint::fuzzers::TintInternalCompilerErrorReporter | - | 2021-10-24
1218468 | heap use after free in ChromePageInfoDelegate::OpenConnectionHelpCenterPage | - | 2021-10-24
1230139 | Security: heap-buffer-overflow in libavif's avifImageScale() function | - | 2021-10-24
1205883 | COOP is ignored on navigation errors followed by reloads | - | 2021-10-22
1220692 | BrlTTY allows for arbitrary chmod 777 | - | 2021-10-22
1220696 | BrlTTY allows for arbitrary root write | - | 2021-10-22
1226909 | Security: crossOriginIsolated bypass | $3000 | 2021-10-22
1228720 | v8_wasm_async_fuzzer: DCHECK failure in pc_offset() <= first_const_pool_32_use_ + kMaxDistToIntPool in assembler-arm.h | - | 2021-10-22
1220237 | Null-dereference READ in ubsan_GetStackTrace | - | 2021-10-21
1226318 | virgl_fuzzer: Use-of-uninitialized-value in vrend_destroy_shader_object | - | 2021-10-21
1228233 | DCHECK failure in effect_edges > 0 in verifier.cc | - | 2021-10-21
1228669 | tint_robustness_fuzzer.exe: Illegal-instruction in tint::fuzzers::FatalError | - | 2021-10-21
1229198 | Heap-use-after-free in blink::LayoutObject::PropagateStyleToAnonymousChildren | - | 2021-10-21
1227315 | Security: HeapOverflow in ProtocolHandler | $20000 | 2021-10-20
1227979 | Security DCHECK failure: as_image_observer_count_ > 0u in layout_object.cc | - | 2021-10-20
1228643 | zucchini_disassembler_win32_fuzzer: Use-of-uninitialized-value in zucchini::DisassemblerWin32<zucchini::Win32X86Traits>::MakeReadAbs32 | - | 2021-10-20
1228641 | zucchini_disassembler_win32_fuzzer: Use-of-uninitialized-value in zucchini::RemoveOverlappingAbs32Locations | - | 2021-10-20
1228730 | Bad-cast to blink::LayoutObject from invalid vptr in blink::LayoutInline::SplitFlow | - | 2021-10-20
1228950 | zucchini_imposed_ensemble_matcher_fuzzer: Use-of-uninitialized-value in zucchini::DisassemblerWin32<zucchini::Win32X64Traits>::MakeReadAbs32 | - | 2021-10-20
1229001 | Crash in blink::LayoutObject::SlowLastChild | - | 2021-10-20
1229004 | Heap-use-after-free in blink::Text::RecalcTextStyle | - | 2021-10-20
1229031 | Heap-use-after-free in blink::HasRenderedNonAnonymousDescendantsWithHeight | - | 2021-10-20
1229056 | Crash in blink::LayoutListItem* blink::DynamicTo<blink::LayoutListItem, blink::LayoutObje | - | 2021-10-20
1229032 | Heap-use-after-free in blink::NGBlockNode::FirstChild | - | 2021-10-20
1229071 | Heap-use-after-free in blink::LayoutObject::SetNeedsLayoutAndFullPaintInvalidation | - | 2021-10-20
1229201 | Heap-use-after-free in blink::LocalFrameView::UpdateDocumentAnnotatedRegions | - | 2021-10-20
1163124 | arc-sensor.conf can be used to break out the user namespace when creating /dev/.arc_sensor_ready | - | 2021-10-19
1193925 | Security: Overflow in handwriting | - | 2021-10-19
1217064 | v8_wasm_code_fuzzer: CHECK failure: interpreter_result.result() == result_compiled | - | 2021-10-19
1228069 | tint_msl_transform_fuzzer: Heap-buffer-overflow in tint::writer::msl::GeneratorImpl::EmitTypeConstructor | - | 2021-10-19
1228365 | CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (IsHeapObject()) in heap-object.h | - | 2021-10-19
854424 | Cross-origin download bypasses SameSite cookie | $1000 | 2021-10-18
1209154 | zucchini_disassembler_elf_fuzzer: Use-of-uninitialized-value in zucchini::RemoveOverlappingAbs32Locations | - | 2021-10-18
1224142 | Debug check failed: scheduled_exception() == ReadOnlyRoots(heap()).termination_exception() | - | 2021-10-18
1228229 | CHECK failure: kind() == CodeKind::BASELINE | - | 2021-10-18
1226337 | Container-overflow in cc::draw_property_utils::LayerShouldBeSkippedForDrawPropertiesComputation | - | 2021-10-17
1226357 | Container-overflow in cc::LayerImpl::LayerPropertyChangedFromPropertyTrees | - | 2021-10-17
1174491 | CrOS: Vulnerability reported in sys-libs/glibc | - | 2021-10-16
1214481 | (Chrome & Chromium Browsers) Blank Address Bar Temporary Spoof | $1000 | 2021-10-16
1223426 | gpu_raster_passthrough_fuzzer: Crash in CopyRow_C | - | 2021-10-16
1226890 | Security: Use-After-Free in FileSystemAccessManager.GetEntryFromDataTransferToken | - | 2021-10-16
1226298 | Container-overflow in cc::draw_property_utils::CalculateDrawProperties | - | 2021-10-16
936397 | CrOS: Vulnerability reported in sys-libs/glibc | - | 2021-10-15
1220810 | CHECK failure: addr + size <= chunk_->area_end() | - | 2021-10-15
1219994 | Chromium: Vulnerability reported in third_party/libxml | - | 2021-10-15
1225929 | Security: Web pages can use ProcessInternals and ConversionInternals Mojo interfaces | - | 2021-10-15
1226323 | Security: Security DCHECK failed i < length() in WTF::StringView::operator[] | $2000 | 2021-10-15
1227241 | Bad-cast to blink::ScriptWrappable from invalid vptr in blink::DOMDataStore::GetWrapper | - | 2021-10-15
1227596 | CHECK failure: JSFunctionRef construction failed | - | 2021-10-15
1259077 | Security: form-action's blocking of redirects allows top-navigation XSLeak | - | 2021-10-15
1214234 | Security: Heap-use-after-free in CreditCardAccessManager::FetchCreditCard | $20000 | 2021-10-14
1216822 | Security: An <option> with a long label causes browser crash | $6000 | 2021-10-14
1221880 | Invalid-free in base::TaskAnnotator::RunTask | - | 2021-10-14
1219995 | CrOS: Vulnerability reported in dev-libs/libxml2 | - | 2021-10-14
1224419 | UAF in WebAppInternalsPageHandlerImpl::GetExternallyInstalledWebAppPrefs | - | 2021-10-14
1226659 | Use-after-poison in blink::ImageResourceContent::ShouldPauseAnimation | - | 2021-10-14
1226988 | CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (IsHeapObject()) in heap-object.h | - | 2021-10-14
1227228 | heap-use-after-free : IOSurfaceNotifierNotifyFunc | - | 2021-10-14
1226360 | Segv on unknown address in blink::ScriptState::From | - | 2021-10-13
1190493 | Heap-use-after-free in vk::Buffer::getOffsetPointer | $6000 | 2021-10-12
1225607 | DCHECK failure in object->FitsRepresentation(representation) in objects.cc | - | 2021-10-12
1223839 | DCHECK failure in is_liftoff() || tier() == ExecutionTier::kTurbofan in wasm-code-manager.cc
|
-
|
2021-10-11
|
1226056
|
Crash in MergeUVRow_SSE2
|
-
|
2021-10-10
|
1219082
|
Security: [ANGLE] Out-of-bounds write in Renderer11::blitRenderbufferRect
|
$7500
|
2021-10-09
|
1225786
|
DCHECK failure in !broker->IsMainThread() in heap-refs.cc
|
-
|
2021-10-09
|
1197149
|
Add FTPS to request port blocklist to combat ALPACA attack
|
-
|
2021-10-07
|
1200995
|
heap-use-after-free : extensions::ChromeAppSorting::FixNTPOrdinalCollisions
|
-
|
2021-10-07
|
1204722
|
Security: Autofill suggestion UI should dismiss permissions UI
|
-
|
2021-10-07
|
1219870
|
Security: Use-after-free in NavigatorShare::OnConnectionError
|
$7500
|
2021-10-07
|
1223667
|
Security: HeapOverflow in BookmarkBarView
|
$10000
|
2021-10-07
|
1207839
|
tint_first_index_offset_fuzzer: Stack-buffer-overflow in tint::fuzzers::Reader::read
|
-
|
2021-10-05
|
1214842
|
Security: GC freeing reachable objects in JSON parser
|
$5000
|
2021-10-05
|
1217598
|
Heap-use-after-free in blink::TextPainterBase::CreateDrawLooper
|
-
|
2021-10-05
|
1219209
|
Security: Use-after-free with XSLT strip-space
|
$2000
|
2021-10-05
|
1219630
|
Security: JS object corruption in WasmJs::InstallConditionalFeatures
|
-
|
2021-10-05
|
1219886
|
AddressSanitizer: heap-buffer-overflow on gpu::CopyArraysToBuffer transfer_buffer_cmd_copy_helpers.h:80
|
$8500
|
2021-10-05
|
1220250
|
Crash in GL_GenerateMipmap method.
|
$7500
|
2021-10-05
|
1221309
|
OpenXR VR session exits with Samsung mixed reality controllers
|
$500
|
2021-10-05
|
1221406
|
heap-use-after-free in task_manager
|
$15000
|
2021-10-05
|
1224041
|
Crash in v8::internal::ElementsAccessorBase<v8::internal::FastHoleyObjectElementsAccessor
|
-
|
2021-10-05
|
1219199
|
dawn_wire_server_and_vulkan_backend_fuzzer: Stack-buffer-overflow in rr::Variable::loadValue
|
-
|
2021-10-02
|
1223103
|
cras_rclient_message_fuzzer: Use-of-uninitialized-value in cras_main_message_send
|
-
|
2021-10-02
|
1223459
|
virgl_fuzzer: Segv on unknown address in virgl_renderer_context_destroy
|
-
|
2021-10-02
|
1127594
|
CrOS: Vulnerability reported in dev-libs/libxml2
|
-
|
2021-10-01
|
1194959
|
CrOS: Vulnerability reported in app-arch/tar
|
-
|
2021-10-01
|
1211312
|
CrOS: Vulnerability reported in dev-libs/libxml2
|
-
|
2021-10-01
|
1215243
|
counters_service_fuzzer: Heap-buffer-overflow in patchpanel::ParseOutput
|
-
|
2021-10-01
|
1216022
|
dawn_wire_server_and_vulkan_backend_fuzzer: Heap-buffer-overflow in rr::optimize
|
-
|
2021-10-01
|
1220068
|
DCHECK fail in webaudio worklet
|
-
|
2021-10-01
|
1221221
|
Use-after-poison in blink::HTMLSlotElement::DetachLayoutTree
|
-
|
2021-10-01
|
1221890
|
Security DCHECK failure: !resource_clipper->NeedsLayout() in clip_path_clipper.cc
|
-
|
2021-10-01
|
1223191
|
Heap-use-after-free in blink::PropertyTreeManager::EnsureCompositorTransformNode
|
-
|
2021-10-01
|
1223549
|
ec_pchg_fuzzer: Global-buffer-overflow in test_fuzz_one_input
|
-
|
2021-10-01
|
1223584
|
CHECK failure: args.Length() == 2 in d8-test.cc
|
-
|
2021-10-01
|
1223740
|
heap-use-after-free : blink::PaintController::FinishCycle
|
-
|
2021-10-01
|
1206407
|
tint_single_entry_point_fuzzer: Illegal-instruction in tint::fuzzers::ValidityErrorReporter
|
-
|
2021-09-30
|
1210550
|
gpu_raster_passthrough_fuzzer: Crash in CopyRow_ERMS
|
-
|
2021-09-30
|
1210985
|
Security: OOB write after moving pinned tab into a group
|
$15000
|
2021-09-30
|
1218973
|
Heap-use-after-free in ash::TrayBubbleView::~TrayBubbleView
|
-
|
2021-09-30
|
1219377
|
Heap-use-after-free in ash::TrayBubbleView::~TrayBubbleView
|
-
|
2021-09-30
|
1194689
|
heap-buffer-overflow : media::D3D11H264Accelerator::SubmitFrameMetadata
|
-
|
2021-09-29
|
1209517
|
sqlite3_fts3_lpm_fuzzer: Heap-buffer-overflow in sqlite3Fts3Incrmerge
|
-
|
2021-09-29
|
1218707
|
Security: UAF in websql
|
$500
|
2021-09-29
|
1218974
|
Security: ChromeOS root privilege escalation (brltty, vpn-manager, cros_camera_server)
|
$30000
|
2021-09-29
|
1220754
|
skia_path_fuzzer: Crash in blit_aaa_trapezoid_row
|
-
|
2021-09-29
|
1221897
|
Heap-use-after-free in blink::LayoutBlockFlow::RemoveChild
|
-
|
2021-09-29
|
1221840
|
Heap-use-after-free in blink::PropertyTreeManager::EnsureCompositorTransformNode
|
$6000
|
2021-09-29
|
1222160
|
Bad-cast to blink::LayoutBox from blink::LayoutInline in blink::LayoutBox::SplitAnonymousBoxesAroundChild
|
-
|
2021-09-29
|
1178183
|
cups_ipp_t_fuzzer: Crash in ippDelete
|
-
|
2021-09-28
|
1202102
|
Security: UAF when attempting to move tab group in restored window
|
$10000
|
2021-09-28
|
1212599
|
AddressSanitizer: heap-use-after-free fft_frame_pffft.cc:81 in blink::FFTFrame::FFTSetupForSize
|
$7500
|
2021-09-28
|
1214641
|
Heap-use-after-free in blink::IsLayoutObjectRelevantForAccessibility
|
-
|
2021-09-28
|
1215029
|
Security: UAF when sending tab to device
|
$10000
|
2021-09-28
|
1221812
|
DCHECK failure in details.representation().Equals( map.GetPropertyDetails(descriptor).representati
|
-
|
2021-09-28
|
1216678
|
Heap-buffer-overflow in cc::PaintWorkletImageProvider::GetPaintRecordResult
|
-
|
2021-09-26
|
1215912
|
Freelist Corruption with PartitionAlloc on 93.0.4541.0+ related to allocation of LayoutObjects/PaintLayers
|
-
|
2021-09-24
|
1219925
|
Heap-use-after-free in ash::TrayBubbleView::RerouteEventHandler::OnKeyEvent
|
-
|
2021-09-24
|
1221031
|
Crash in cppgc::internal::PageBackend::AllocateLargePageMemory
|
-
|
2021-09-24
|
1221062
|
heap-use-after-free : disk_cache::SparseControl::GetAvailableRange
|
-
|
2021-09-24
|
1212612
|
Security: Use after free in Payments
|
$20000
|
2021-09-23
|
1219539
|
Heap-buffer-overflow in ash::ScrollableShelfView::CalculateTappableIconIndices
|
-
|
2021-09-23
|
1219898
|
v8_wasm_fuzzer: DCHECK failure in 0 < code.size() in function-compiler.cc
|
-
|
2021-09-23
|
1151507
|
Security: Cross-origin iframe can navigate top window to different site via same-site open redirect or XSS redirect
|
$3000
|
2021-09-22
|
1183440
|
Heap-use-after-free in views::MenuController::ExitMenu
|
-
|
2021-09-22
|
1195278
|
UAF in bookmark
|
$7500
|
2021-09-22
|
1200679
|
Security: Double-free when extension is uninstalled while uninstall dialog is being shown
|
$10000
|
2021-09-22
|
1201033
|
Security: Out-of-bounds access in WebAudio
|
$7500
|
2021-09-22
|
1206458
|
heap-use-after-free : resource_coordinator::TabLifecycleUnitSource::TabLifecycleUnit::SetFocused
|
-
|
2021-09-22
|
1145553
|
bypass blocked autoredirects from cross-origin iframes
|
$5000
|
2021-09-21
|
1181522
|
CrOS: Intel graphics drivers advisory INTEL-SA-00438
|
-
|
2021-09-21
|
1194899
|
BigInt toLocaleString free invalid pointer
|
$1000
|
2021-09-21
|
1211308
|
Heap-buffer-overflow in rx::vk::ImageViewHelper::getLevelLayerDrawImageView
|
-
|
2021-09-21
|
1213350
|
Security: Incorrect Security UI in downloads
|
$3000
|
2021-09-21
|
1219101
|
Security: Simplified Lowering DCHECK restriction type
|
-
|
2021-09-21
|
1219634
|
v8_wasm_code_fuzzer: DCHECK failure in exception_stack.back() == control_stack.size() - 1 in wasm-interpreter.cc
|
-
|
2021-09-21
|
1214699
|
Null-dereference READ in ubsan_GetStackTrace
|
-
|
2021-09-20
|
1216941
|
Null-dereference READ in content::BrowserContext::GetDefaultStoragePartition
|
-
|
2021-09-19
|
1219231
|
Heap-use-after-free in ash::TrayBubbleView::RerouteEventHandler::OnKeyEvent
|
-
|
2021-09-19
|
1216837
|
Use-after-poison in blink::HTMLSlotElement::DetachLayoutTree
|
-
|
2021-09-18
|
1218439
|
Bad-cast to blink::ImageResourceObserver from invalid vptr in blink::ImageResourceContent::PriorityFromObservers
|
-
|
2021-09-18
|
1218587
|
Heap-use-after-free in blink::StyleCrossfadeImage::ImageChanged
|
-
|
2021-09-18
|
1218811
|
Heap-buffer-overflow in ash::ScrollableShelfView::CalculateTappableIconIndices
|
-
|
2021-09-18
|
1219036
|
Crash in v8::internal::ElementsAccessorBase<v8::internal::FastHoleyObjectElementsAccessor
|
-
|
2021-09-18
|
1210487
|
AddressSanitizer: use-after-poison long_task_detector.cc:46 in blink::LongTaskDetector::DidProcessTask
|
$7500
|
2021-09-17
|
1214140
|
Heap-use-after-free in views::Widget::OnNativeWidgetDestroying
|
-
|
2021-09-17
|
1214584
|
Heap-use-after-free in ui::LayerAnimationSequence::ProgressToEnd
|
-
|
2021-09-17
|
1215504
|
CrOS: Vulnerability reported in net-nds/openldap
|
-
|
2021-09-17
|
1217741
|
dawn_wire_server_and_frontend_fuzzer: Heap-use-after-free in dawn_native::ObjectBase::IsError
|
-
|
2021-09-17
|
1206911
|
Security: heap-use-after-free in autofill::SaveCardBubbleViews::WindowClosing
|
-
|
2021-09-16
|
1209558
|
Breakpoint with empty stacktrace
|
-
|
2021-09-16
|
1209769
|
uaf in browser process DestroyURLLoader(network::cors::CorsURLLoaderFactory)
|
$15000
|
2021-09-16
|
1210547
|
dawn_wire_server_and_vulkan_backend_fuzzer: Stack-buffer-overflow in rr::Variable::loadValue
|
-
|
2021-09-16
|
1211215
|
DCHECK failure in *p != to_check_ in heap.cc
|
-
|
2021-09-16
|
1212498
|
Security: UAF after user clicks help link in enhanced spell check dialog
|
$10000
|
2021-09-16
|
1212500
|
Security: UAF after use clicks help link in accessibility labels dialog
|
$10000
|
2021-09-16
|
1212618
|
Security: UAF in ServiceWorker with bfcache
|
$25000
|
2021-09-16
|
1212862
|
Security: Crash in Zenith dialog
|
-
|
2021-09-16
|
1216437
|
Security: Unexpected JS execution in GetScriptableObjectProperty leads to JS object corruption
|
-
|
2021-09-16
|
1176218
|
Security: TALOS-2021-1241 Google Chrome WebAudio blink::AudioNodeOutput::Pull code execution vulnerability
|
$7500
|
2021-09-15
|
1187797
|
Security: UAF in usrsctp on sctp_association->str_reset
|
$7500
|
2021-09-15
|
1191778
|
policy_fuzzer: Heap-use-after-free in base::JoinString
|
-
|
2021-09-15
|
1197146
|
Security: UAF when extension removes tab group during drag
|
$10000
|
2021-09-15
|
1198717
|
Security: OOB write after extension pins tab during drag
|
$10000
|
2021-09-15
|
1199198
|
Security: UAF caused by some WebUIMessageHandlers when OnJavascriptDisallowed() is not called before destruction
|
$15000
|
2021-09-15
|
1202598
|
Security: Heap-buffer-overflow in TabStripModel::MoveWebContentsAtImpl
|
$10000
|
2021-09-15
|
1203693
|
dawn_wire_server_and_frontend_fuzzer: Container-overflow in tint::diag::Formatter::format
|
-
|
2021-09-15
|
1204814
|
sqlite3_lpm_fuzzer: Segv on unknown address in sqlite3MemCompare
|
-
|
2021-09-15
|
1206631
|
Chrome: Crash Report - base::CancelableTaskTracker::Untrack
|
-
|
2021-09-15
|
1215974
|
CrOS: Vulnerability reported in x11-libs/gdk-pixbuf
|
-
|
2021-09-15
|
1216212
|
hb_subset_fuzzer: Crash in OT::hb_colrv1_closure_context_t::return_t OT::Paint::dispatch<OT::hb_colrv1_clos
|
-
|
2021-09-15
|
1140831
|
harbfuzz is affected by unfixed upstream bugs
|
-
|
2021-09-14
|
1201073
|
Security: UAP in FileReader
|
$7500
|
2021-09-14
|
1202534
|
v8_inspector_fuzzer: DCHECK failure in enabled() in v8-debugger-agent-impl.cc
|
-
|
2021-09-14
|
1209444
|
Trap in Builtins_JSEntryTrampoline
|
-
|
2021-09-14
|
1211782
|
CrOS: Vulnerability reported in net-fs/samba
|
-
|
2021-09-14
|
1212460
|
CrOS: Vulnerability reported in net-fs/samba
|
-
|
2021-09-14
|
1215250
|
paint_op_buffer_fuzzer: Use-of-uninitialized-value in cc::PaintOpReader::ReadRecordPaintFilter
|
-
|
2021-09-14
|
1215808
|
DCHECK failure in new_pages * wasm::kWasmPageSize >= byte_length_ in backing-store.cc
|
-
|
2021-09-14
|
1215976
|
Memcpy-param-overlap in v8::base::Memcpy
|
-
|
2021-09-14
|
1216595
|
Attaching an inner contents that has already created a platform RenderWidgetHostView causes a bad cast on Mac and Android
|
-
|
2021-09-14
|
1216928
|
code_cache_host_mojolpm_fuzzer: Illegal-instruction in StackTraceGetter::CurrentStackTrace
|
-
|
2021-09-14
|
1217311
|
DCHECK failure in new_pages * wasm::kWasmPageSize >= byte_length_ in backing-store.cc
|
-
|
2021-09-14
|
1210823
|
dawn_wire_server_and_vulkan_backend_fuzzer: Crash in vk::DescriptorSetLayout::DescriptorSetLayout
|
-
|
2021-09-12
|
1202661
|
Security: Stack overflow in printing
|
$10000
|
2021-09-11
|
1201031
|
Security: Use-after-free in extension install dialog
|
$20000
|
2021-09-10
|
1209802
|
tint_ast_clone_fuzzer: Illegal-instruction in tint_ast_clone_fuzzer.cc
|
-
|
2021-09-10
|
1210414
|
Security: [ANGLE] Out-of-bound write in rx::Image11::GenerateMipmap
|
$7500
|
2021-09-10
|
1216021
|
counters_service_fuzzer: Use-of-uninitialized-value in patchpanel::ParseOutput
|
-
|
2021-09-10
|
1216215
|
DCHECK failure in (optimizing_compile_dispatcher_) != nullptr in isolate.h
|
-
|
2021-09-10
|
1211326
|
SUMMARY: AddressSanitizer: heap-use-after-free devtools_agent_host_impl.h:84 in std::__1::vector<content::protocol::TargetHandler*, std::__1::allocator<content::protocol::TargetHandler*> > content::DevToolsAgentHostImpl::HandlersByName<content::protocol::TargetHandler>(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&)
|
$10000
|
2021-09-09
|
1213313
|
Security: HeapOverflow in FillPhoneCountryCode
|
$15000
|
2021-09-09
|
1214280
|
dawn_wire_server_and_vulkan_backend_fuzzer: Heap-buffer-overflow in sw::SpirvShader::Operand::Float
|
-
|
2021-09-09
|
921607
|
Cross-Origin URL steal using Fetch and no-cors requests on iOS Chrome.
|
$2000
|
2021-09-08
|
1070399
|
Security: URL spoofing using 'very-long-hostname' URL in the Suggestion box
|
$500
|
2021-09-08
|
1200440
|
ExtensionFunction::browser_context() and deleted private profiles
|
-
|
2021-09-08
|
1180210
|
Security: CVE-2020-12362: Privilege escalation vulnerability in i915 GuC firmware
|
-
|
2021-09-06
|
1181227
|
Security: Failure to enforce EC is booted from RO when performing dev mode transitions on dedede, volteer
|
-
|
2021-09-06
|
1213770
|
CHECK failure: unregister_token().IsUndefined(isolate) implies key_list_prev().IsUndefined(isol
|
-
|
2021-09-05
|
1214311
|
counters_service_fuzzer: Heap-buffer-overflow in patchpanel::ParseOutput
|
-
|
2021-09-05
|
1195722
|
Security: UAP in JS Self-Profiling API
|
$5000
|
2021-09-04
|
1195431
|
Security: UAF in Android-specific (not in upstream Linux) xt_qtaguid kernel module
|
-
|
2021-09-04
|
1213709
|
DCHECK failure in 0 < number_of_all_descriptors in factory-base.cc
|
-
|
2021-09-04
|
1201938
|
DCHECK failure in descriptor_number.as_int() < number_of_descriptors() in descriptor-array-inl.h
|
-
|
2021-09-02
|
1206404
|
Use-after-poison in blink::HTMLSlotElement::DetachLayoutTree
|
-
|
2021-09-02
|
1208264
|
Security: Heap-use-after-free in media_router::WebContentsDisplayObserverView::OnBrowserSetLastActive
|
$15000
|
2021-09-02
|
1208782
|
DCHECK failure in IsAligned(reinterpret_cast<uintptr_t>(dst), kAtomicWordSize) in atomicops.h
|
-
|
2021-09-02
|
1210394
|
crash in canvas filter
|
$5000
|
2021-09-02
|
1212694
|
Security: libxml CVE-2021-3541
|
-
|
2021-09-02
|
1213476
|
Heap-use-after-free in blink::mojom::CodeCacheHostStubDispatch::Accept
|
-
|
2021-09-02
|
1213678
|
DCHECK failure in that == nullptr || v8::internal::Object( *reinterpret_cast<const v8::internal::A
|
-
|
2021-09-02
|
1213764
|
Crash in v8::internal::Map::instance_type
|
-
|
2021-09-02
|
1213851
|
CHECK failure: ReadOnlyRoots(isolate).empty_descriptor_array() == *this
|
-
|
2021-09-02
|
1023503
|
Security: PlatformSensorReaderWin32 use after free bug
|
-
|
2021-09-01
|
1094449
|
CrOS: Vulnerability reported in sys-apps/dbus
|
-
|
2021-09-01
|
1204811
|
Security: Local Elevation of Privilege vulnerability in Google Update Service
|
$10000
|
2021-09-01
|
1210593
|
CHECK failure: byte_length() <= JSArrayBuffer::kMaxByteLength in objects-debug.cc
|
-
|
2021-09-01
|
1212206
|
Heap-use-after-free in rx::FramebufferVk::startNewRenderPass
|
-
|
2021-09-01
|
1212321
|
Security DCHECK failure: IsA<Derived>(from) in casting.h
|
-
|
2021-09-01
|
1212733
|
Security: expat vulnerable to CVE-2013-0340?
|
$500
|
2021-09-01
|
538562
|
Chrome inherits window name from sandboxed iframe, enabling global variable confusion
|
-
|
2021-08-31
|
1129379
|
CrOS: Vulnerability reported in dev-libs/openssl
|
-
|
2021-08-31
|
1207277
|
Security: heap-use-after-free in BrowserView::ProcessFullscreen
|
$7500
|
2021-08-31
|
1207334
|
CrOS: Vulnerability reported in sys-libs/binutils-libs
|
-
|
2021-08-31
|
1209798
|
CHECK failure: Ref construction failed
|
-
|
2021-08-31
|
1212582
|
DCHECK failure in !node->op()->HasProperty(Operator::kNoThrow) in simplified-lowering.cc
|
-
|
2021-08-31
|
1172694
|
Heap-use-after-free in ui::LayerAnimationSequence::ProgressToEnd
|
-
|
2021-08-28
|
1197431
|
Bad-cast to rx::RenderTargetVk from invalid vptr in rx::FramebufferVk::startNewRenderPass
|
-
|
2021-08-28
|
1203607
|
Security: Heap-use-after-free in TabStripLayoutHelper::CalculateMinimumWidth
|
$7500
|
2021-08-28
|
1184954
|
Security: Heap-use-after-free in TabStrip::GetSizeNeededForViews
|
$10000
|
2021-08-27
|
1196480
|
Security: Multiple Bugs in WebP
|
-
|
2021-08-27
|
1196773
|
Security: heap-use-after-free in libwebp ConvertBGRAToRGB_SSE41
|
-
|
2021-08-27
|
1196775
|
Security: heap-buffer-overflow in libwebp PlanarTo24b_SSE41
|
-
|
2021-08-27
|
1196777
|
Security: heap-buffer-overflow in libwebp VP8YuvToRgb
|
-
|
2021-08-27
|
1196778
|
Security: heap-buffer-overflow in libwebp UpsampleRgbLinePair_SSE41
|
-
|
2021-08-27
|
1206289
|
CHECK failure: function->closure_feedback_cell_array().length() == function->shared().feedback_
|
-
|
2021-08-27
|
1211711
|
dawn_wire_server_and_vulkan_backend_fuzzer: Heap-buffer-overflow in rr::optimize
|
-
|
2021-08-27
|
1178202
|
Security: X-Chrome-offline allows arbitrary file reads from compromised renderer.
|
-
|
2021-08-26
|
1196232
|
CrOS: Vulnerability reported in sys-libs/binutils-libs
|
-
|
2021-08-26
|
1197199
|
gpu_raster_swangle_passthrough_fuzzer: Heap-use-after-free in libvk_swiftshader.so
|
-
|
2021-08-26
|
1196309
|
Security: OOB vector insertion when extension highlights tab during drag
|
$10000
|
2021-08-26
|
1197875
|
Security: OOB read when attempting to add tab to group after groups have changed
|
$11000
|
2021-08-26
|
1201340
|
DCHECK failure in offset_imm <= std::numeric_limits<int32_t>::max() in liftoff-assembler-ia32.h
|
-
|
2021-08-26
|
1201446
|
Security: heap-buffer-overflow in CreateFaviconImageSkia
|
$20000
|
2021-08-26
|
1203590
|
container-overflow in dom_distiller::TaskTracker::NotifyViewersAndCallbacks
|
-
|
2021-08-26
|
1209118
|
SUMMARY: AddressSanitizer: heap-use-after-free (Chromium/asan-mac-release-876501/Chromium.app/Contents/Frameworks/Chromium Framework.framework/Versions/92.0.4491.0/Chromium Framework:x86_64+0x1958102f) in blink::ComputedAccessibleNode::checked()
|
$5000
|
2021-08-26
|
1185801
|
Remove header sizes from ResourceTiming transferSize
|
-
|
2021-08-25
|
1194431
|
Security: UAF in TracingHandler
|
$5000
|
2021-08-25
|
1194896
|
Security: UAF after moving tab associated with undocked devtools instance into another browser window
|
$10000
|
2021-08-25
|
1200766
|
UAF in AutofillPopupControllerImpl
|
$20000
|
2021-08-25
|
1203674
|
AddressSanitizer: heap-use-after-free in dom_distiller::UMAHelper::LogTimeOnDistillablePage
|
-
|
2021-08-25
|
1205059
|
video_capture_host_mojolpm_fuzzer: Bad parameters to --sanitizer-annotate-contiguous-container in media::FakeV4L2Impl::ioctl
|
-
|
2021-08-25
|
1208414
|
render_text_api_fuzzer: Crash in gfx::RenderTextHarfBuzz::EnsureLayout
|
-
|
2021-08-25
|
1208721
|
Security: heap-over-flow in AutofillPopupControllerImpl::RemoveSuggestion
|
$20000
|
2021-08-25
|
1209178
|
render_text_api_fuzzer: Crash in gfx::RenderTextHarfBuzz::EnsureLayout
|
-
|
2021-08-25
|
1209638
|
dawn_wire_server_and_vulkan_backend_fuzzer: Crash in vk::DescriptorSetLayout::DescriptorSetLayout
|
-
|
2021-08-25
|
1206623
|
DCHECK failure in StackFrame::IsTypeMarker(marker) in frames.cc
|
-
|
2021-08-23
|
1177325
|
libyuv_scale_fuzzer: Heap-buffer-overflow in InterpolateRow_Any_AVX2
|
-
|
2021-08-22
|
1190030
|
Crash in rx::IOSurfaceSurfaceVkMac::releaseTexImage
|
-
|
2021-08-21
|
1200246
|
dawn_wire_server_and_frontend_fuzzer: Heap-use-after-free in dawn_native::ObjectBase::IsError
|
-
|
2021-08-21
|
1204347
|
Security: 3d css can still glitch onto native browser UI
|
-
|
2021-08-21
|
1206131
|
Security: PresentationRequest dialog can appear over the wrong tab
|
$1000
|
2021-08-21
|
1208984
|
Heap-buffer-overflow in GrPathUtils::generateQuadraticPoints
|
-
|
2021-08-21
|
1189110
|
Crash in sw::SpirvShader::getImageSampler
|
-
|
2021-08-20
|
1205981
|
Visited links leak via CSS transitions and the transitionrun event (Windows 10, Linux)
|
$5000
|
2021-08-20
|
1207078
|
v8_inspector_fuzzer: DCHECK failure in has_scheduled_exception() in isolate-inl.h
|
-
|
2021-08-20
|
1208865
|
zucchini_disassembler_elf_fuzzer: Use-of-uninitialized-value in zucchini::DisassemblerElfIntel<zucchini::Elf32IntelTraits>::MakeReadAbs32
|
-
|
2021-08-20
|
1194058
|
Security: heap-use-after-free in the payment dialog in the browser process
|
$15000
|
2021-08-19
|
1195340
|
Security: HeapOverflow in MediaFeeds
|
$15000
|
2021-08-19
|
1195573
|
Security: UAF when WebContents being dragged is destroyed
|
$1000
|
2021-08-19
|
1197436
|
Security: heap-use-after-free in DesktopWindowTreeHostPlatform::SetFullscreen
|
$10000
|
2021-08-19
|
1200019
|
Security: heap-buffer-overflow in PlatformNotificationServiceImpl::CreateNotificationFromData
|
$20000
|
2021-08-19
|
1206329
|
UAF in InternalAuthenticatorAndroid::InvokeIsUserVerifyingPlatformAuthenticatorAvailableResponse
|
-
|
2021-08-19
|
1207992
|
Heap-use-after-free in viz::SkiaRenderer::DrawRenderPassQuad
|
-
|
2021-08-19
|
1153363
|
Security: With full pointers, a wrong SmiUntag() operation on a TaggedIndex value can cause operating on the wrong feedback slot.
|
-
|
2021-08-18
|
1198216
|
sqlite3_dbfuzz2_fuzzer.exe: Heap-buffer-overflow in insertCell
|
-
|
2021-08-18
|
1200490
|
0 and -0 confusion in SpeculativeNumberMultiply
|
-
|
2021-08-18
|
1203593
|
Static-imported scripts are wrongly considered main scripts during service worker update
|
-
|
2021-08-18
|
1204071
|
Segv on unknown address in Builtins_InterpreterEntryTrampoline
|
-
|
2021-08-18
|
1206674
|
Heap-use-after-free in hsw::run_program
|
-
|
2021-08-18
|
1206822
|
Trap in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_BuiltinExit
|
-
|
2021-08-18
|
1207680
|
CHECK failure: Ref construction failed
|
-
|
2021-08-18
|
1194829
|
use after poison write in mojo::InterfaceEndpointClient::NotifyError when deal with WebBundle
|
$5000
|
2021-08-17
|
1205670
|
CVE-2021-31829 - Linux kernel protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content of kernel memory
|
-
|
2021-08-17
|
1206754
|
DCHECK failure in !__isolate__->has_pending_exception() in ic.cc
|
-
|
2021-08-17
|
1206994
|
CHECK failure: promise_result.is_null() == promise_->GetIsolate()->has_pending_exception()
|
-
|
2021-08-17
|
1207679
|
CHECK failure: storage_.is_populated_
|
-
|
2021-08-17
|
1205752
|
tint_spv_reader_wgsl_writer_fuzzer: Bad-cast to const tint::ast::Pointer from tint::ast::Vector in tint::typ::TypePair<tint::ast::Pointer, tint::sem::Pointer> tint::typ::Call_type
|
-
|
2021-08-15
|
1149086
|
gstoraster_fuzzer: Use-of-uninitialized-value in gp_pwrite_impl
|
-
|
2021-08-14
|
1164941
|
Heap-buffer-overflow in sw::SpirvShader::getImageSampler
|
-
|
2021-08-14
|
1198369
|
Security: ink refers to non-existent upstream
|
-
|
2021-08-14
|
1204484
|
tint_first_index_offset_fuzzer: Stack-buffer-overflow in tint::fuzzers::ExtractFirstIndexOffsetInputs
|
-
|
2021-08-14
|
1171630
|
gstoraster_fuzzer: Use-of-uninitialized-value in cf_decode_2d
|
-
|
2021-08-13
|
1172655
|
gstoraster_fuzzer: Use-of-uninitialized-value in template_compose_group
|
-
|
2021-08-13
|
1201501
|
Bad-cast to content::ChildThreadImpl from invalid vptr in content::ChildThreadImpl::OnFieldTrialGroupFinalized
|
-
|
2021-08-13
|
1201710
|
gstoraster_fuzzer: Segv on unknown address in stream_dct_end_passthrough
|
-
|
2021-08-13
|
1202506
|
gstoraster_fuzzer: Heap-use-after-free in real_param
|
-
|
2021-08-13
|
1203122
|
Security: Type confusion bug in LoadSuperIC
|
$20000
|
2021-08-13
|
1168081
|
CrOS: Vulnerability reported in sys-libs/glibc
|
-
|
2021-08-12
|
1193233
|
Security: Arbitrary file read when caching file using CallAsSelfAndImpersonate2
|
$5000
|
2021-08-12
|
1200017
|
Heap-use-after-free in gl::GLFenceNV::~GLFenceNV
|
-
|
2021-08-12
|
1201074
|
Security: use-of-uninitialized-value in libavif when decode the crafted avif file
|
$7500
|
2021-08-12
|
1202203
|
Heap-buffer-overflow in vk::Buffer::getOffsetPointer
|
-
|
2021-08-12
|
1201772
|
FLEDGE passes privileged url_loader_factory to utility process
|
-
|
2021-08-11
|
1203240
|
freetype_cidtype1_render_ftengine_fuzzer: Use-of-uninitialized-value in cf2_interpT2CharString
|
-
|
2021-08-11
|
1203738
|
freetype_cidtype1_fuzzer: Use-of-uninitialized-value in cid_read_subrs
|
-
|
2021-08-11
|
1204829
|
Heap-use-after-free in cricket::AllocationSequence::Init
|
-
|
2021-08-11
|
1197786
|
sqlite3_lpm_fuzzer: Segv on unknown address in sqlite3MemCompare
|
-
|
2021-08-10
|
1194021
|
CrOS: Vulnerability reported in x11-libs/cairo
|
-
|
2021-08-09
|
1203060
|
freetype_bdf_fuzzer: Use-of-uninitialized-value in inflate
|
-
|
2021-08-07
|
1204313
|
Heap-use-after-free in viz::SkiaRenderer::PrepareRenderPassOverlay
|
-
|
2021-08-07
|
1177875
|
Security: Openjpeg security fix may be missing
|
$500
|
2021-08-04
|
1198705
|
Security: Range miscalculation for nodes of type SpeculativeSafeIntegerAdd in v8's TurboFan
|
$7500
|
2021-08-04
|
1199345
|
missing the -0 case in VisitSpeculativeIntegerAdditiveOp
|
$15000
|
2021-08-04
|
1202736
|
DCHECK failure in stack_capacity_end_ > stack_end_ in function-body-decoder-impl.h
|
-
|
2021-08-04
|
1139156
|
Security: chrome.debugger API bypasses the runtime_blocked_hosts Enterprise policy
|
$5000
|
2021-08-03
|
1195331
|
Trap in v8::internal::Map::UpdateFieldType
|
-
|
2021-08-03
|
1198854
|
use after poison inMediaStreamAudioTrack::StopAndNotify
|
$5000
|
2021-08-03
|
1202119
|
Stack-use-after-return in SkRect::x
|
$6000
|
2021-08-03
|
1202609
|
incorrect range constraint converting {u,}int64_t to double
|
-
|
2021-08-03
|
1189092
|
Security: Steal arbitrary data in Android chrome private directory
|
$5000
|
2021-08-03
|
1180510
|
security: click-to-call across devices has inconsistent escaping & URL validation
|
$3000
|
2021-08-02
|
1163228
|
Security: Missing usrsctp fixes
|
-
|
2021-07-31
|
1201537
|
vp9_encoder_references_fuzzer: Use-of-uninitialized-value in webrtc::FrameValidator::OnEncodedImage
|
-
|
2021-07-31
|
1195650
|
Security: v8 SIGTRAP in optimized code
|
$5000
|
2021-07-30
|
1199402
|
Security: Remote Code Execution?
|
-
|
2021-07-30
|
1200231
|
Crash in v8::internal::compiler::Operator1<v8::internal::Handle<v8::internal::HeapObject>
|
-
|
2021-07-30
|
1110036
|
gstoraster_fuzzer: Use-of-uninitialized-value in parse_dict
|
-
|
2021-07-29
|
1107972
|
gstoraster_fuzzer: Use-of-uninitialized-value in charstring_font_params
|
-
|
2021-07-29
|
1157498
|
gstoraster_fuzzer: Use-of-uninitialized-value in load_truetype_glyph
|
-
|
2021-07-29
|
1159499
|
gstoraster_fuzzer: Use-of-uninitialized-value in gs_scan_token
|
-
|
2021-07-29
|
1160913
|
gstoraster_fuzzer: Use-of-uninitialized-value in charstring_font_params
|
-
|
2021-07-29
|
1198895
|
use-after-poison in blink::ImageDecoderExternal::OnMetadata
|
$7500
|
2021-07-29
|
1200184
|
v8_wasm_compile_fuzzer: Trap in v8::internal::wasm::fuzzer::InterpretAndExecuteModule
|
-
|
2021-07-29
|
1201113
|
Crash in v8::internal::Simulator::LoadStoreHelper
|
-
|
2021-07-29
|
1201432
|
Crash in Builtins_RunMicrotasks
|
-
|
2021-07-29
|
1175058
|
Security: heap-use-after-free using Presentation API
|
-
|
2021-07-28
|
1175522
|
sqlite3_dbfuzz2_fuzzer: Use-of-uninitialized-value in vdbeRecordCompareInt
|
-
|
2021-07-28
|
1181276
|
sqlite3_dbfuzz2_fuzzer: Use-of-uninitialized-value in sqlite3VdbeRecordCompareWithSkip
|
-
|
2021-07-28
|
1188889
|
Security: UAF in PageHandler::Navigate
|
$10000
|
2021-07-28
|
1194046
|
Security: Site isolation break because of double fetch of shared buffer
|
$15000
|
2021-07-28
|
1194491
|
Security: Potential out-of-bound write, origin confusion, permission type confusion in PermissionManager
|
-
|
2021-07-28
|
1195308
|
Security: Integer Overflow leads to heap buffer overflow in the function
|
$20000
|
2021-07-28
|
1195686
|
Security: Heap-use-after-free in constrained_window::CreateWebModalDialogViews
|
$5000
|
2021-07-28
|
1195777
|
Security: Incorrect representation change from Word64 to Word32
|
$20000
|
2021-07-28
|
1196654
|
CrOS: Vulnerability reported in net-misc/curl
|
-
|
2021-07-28
|
1197829
|
[cros] Device unlocked after resume from sleep
|
-
|
2021-07-28
|
1197904
|
Security: UAF in NavigationPredictor
|
$27000
|
2021-07-28
|
1198165
|
(Chrome & Chromium Browsers) File Download Pop-up Origin Spoof
|
$7500
|
2021-07-28
|
1198696
|
Harden ArrayPrototypePop and ArrayPrototypeShift against typer bugs
|
-
|
2021-07-28
|
1199662
|
v8_wasm_compile_fuzzer: DCHECK failure in 0 == four_lanes & in code-generator-arm.cc
|
-
|
2021-07-28
|
1200162
|
freetype_colrv1_fuzzer: Use-of-uninitialized-value in tt_face_get_paint
|
-
|
2021-07-28
|
1172533
|
Security: Autofill suggestion drop-down can cover browser UI
|
-
|
2021-07-26
|
1173297
|
Security: Autofill dropdown can be made hidden
|
-
|
2021-07-26
|
1198611
|
freetype_colrv1_fuzzer: Crash in tt_face_get_paint
|
-
|
2021-07-26
|
1185732
|
UAF in indexeddb database
|
$5000
|
2021-07-24
|
1195579
|
DCHECK failure in CpuFeatures::IsSupported(*feature) in macro-assembler-shared-ia32-x64.h
|
-
|
2021-07-24
|
1025683
|
Permission Service Use After Free
|
$20000
|
2021-07-23
|
1192552
|
heap-use-after-free : views::HWNDMessageHandler::OnDisplayChange
|
-
|
2021-07-23
|
1195333
|
Security: The Browser Process wrongly handle ACCEPT_BROKER_CLIENT message
|
$15000
|
2021-07-23
|
1199526
|
v8_wasm_compile_fuzzer: Trap in V8_Dcheck
|
-
|
2021-07-23
|
1195977
|
Security: v8 Array.concat IterateElements OOB access leads to RCE
|
$22000
|
2021-07-22
|
1197759
|
Segv on unknown address in HistoryClustersTabHelper::OnOmniboxUrlCopied
|
-
|
2021-07-22
|
1197852
|
Trap in void v8::internal::SharedTurboAssembler::AvxHelper<v8::internal::XMMRegister, v8
|
-
|
2021-07-22
|
1198385
|
heap-buffer-overflow : metal::`anonymous namespace'::TestShaderNow
|
-
|
2021-07-22
|
1198871
|
Abrt in blink::FontCache::GetLastResortFallbackFont
|
-
|
2021-07-22
|
830101
|
SameSite cookie bypass via redirect
|
$3000
|
2021-07-21
|
1166502
|
Known vulnerability detected in third_party/unrar
|
-
|
2021-07-21
|
1175503
|
Security: same-to-cross-to-same-origin redirects are allowed for dedicated module workers
|
-
|
2021-07-21
|
1178032
|
heap-use-after-free : PermissionBubbleMediaAccessHandler::ProcessQueuedAccessRequest
|
-
|
2021-07-21
|
1196683
|
Security: 2021 pwn2own entry
|
-
|
2021-07-21
|
1196803
|
iframe sandbox escape using incognito intent fallback URLs
|
-
|
2021-07-21
|
1197492
|
Security: Security DCHECK failed: !NeedsLayout() || ChildLayoutBlockedByDisplayLock() in blink::LayoutObject::AssertLaidOut
|
-
|
2021-07-21
|
1197839
|
Chromium: Vulnerability reported in third_party/xstream
|
-
|
2021-07-21
|
1072486
|
Security: udev: root file write -> command execution privilege escalation
|
-
|
2021-07-20
|
1161806
|
potential uaf in webmidi
|
-
|
2021-07-20
|
1166012
|
Heap-buffer-overflow in ash::ScrollableShelfView::ShouldCountActivatedInkDrop
|
-
|
2021-07-20
|
1166496
|
Known vulnerability detected in third_party/unrar
|
-
|
2021-07-20
|
1166497
|
Known vulnerability detected in third_party/unrar
|
-
|
2021-07-20
|
1166498
|
Known vulnerability detected in third_party/unrar
|
-
|
2021-07-20
|
1166499
|
Known vulnerability detected in third_party/unrar
|
-
|
2021-07-20
|
1166500
|
Known vulnerability detected in third_party/unrar
|
-
|
2021-07-20
|
1166501
|
Known vulnerability detected in third_party/unrar
|
-
|
2021-07-20
|
1181688
|
Security: UAF in Ozone Clipboard
|
$20000
|
2021-07-20
|
1184294
|
Security: xdgmime missing security-relevant commits
|
-
|
2021-07-20
|
1190525
|
Heap-buffer-overflow in SkScalerContext_FreeType_Base::generateGlyphImage
|
-
|
2021-07-20
|
1197393
|
Stack-buffer-overflow in void v8::internal::compiler::VisitBinop<v8::internal::compiler::BinopMatcher<v8:
|
-
|
2021-07-20
|
448539
|
Autofill should not fill hidden fields
|
-
|
2021-07-19
|
1197819
|
Bad-cast to int (const char *, void *) in xdg_run_command_on_dirs
|
-
|
2021-07-19
|
1197910
|
Heap-use-after-free in ash::TrayBubbleView::~TrayBubbleView
|
-
|
2021-07-19
|
1195552
|
Crash in v8::internal::Isolate::embedded_blob_code
|
-
|
2021-07-16
|
1195615
|
Crash in blink::HTMLPopupElement::hide
|
-
|
2021-07-16
|
1168541
|
Security: cryptohome chronos-access chgrp
|
-
|
2021-07-15
|
1168549
|
Security: Cryptohome chown chronos
|
-
|
2021-07-15
|
1190519
|
Heap-buffer-overflow in rx::vk::ImageViewHelper::getLevelLayerDrawImageView
|
-
|
2021-07-15
|
1193739
|
heap-use-after-free : media::MojoVideoDecoder::OnVideoFrameDecoded
|
-
|
2021-07-15
|
1194358
|
Security: OOB in v8
|
$15000
|
2021-07-15
|
1195356
|
Trap in void v8::internal::SharedTurboAssembler::AvxHelper<v8::internal::XMMRegister, v8
|
-
|
2021-07-15
|
1157030
|
CrOS: Vulnerability reported in app-text/poppler
|
-
|
2021-07-14
|
1165654
|
Security: 30x Redirect On Reload Can Navigate to Unsafe URLs / Cause Spoofing Issues
|
-
|
2021-07-14
|
1195370
|
Trap in v8::internal::Handle<v8::internal::JSFunctionOrBoundFunction> const v8::internal
|
-
|
2021-07-14
|
1196503
|
Crash in v8::base::Relaxed_Load
|
-
|
2021-07-14
|
1184929
|
v8_wasm_async_fuzzer: DCHECK failure in min_block == BasicBlock::GetCommonDominator(block, min_block) in scheduler.cc
|
-
|
2021-07-13
|
1194417
|
Security: PermissionControllerImpl::UnsubscribePermissionStatusChange UAF
|
-
|
2021-07-13
|
1195343
|
CrOS: Vulnerability reported in dev-libs/openssl
|
-
|
2021-07-13
|
1193327
|
freetype_colrv1_fuzzer: Heap-buffer-overflow in tt_face_get_paint
|
-
|
2021-07-11
|
1189926
|
Aww snap crash when editing canvas text
|
$1000
|
2021-07-10
|
1191389
|
dawn_wire_server_and_vulkan_backend_fuzzer: Crash in dawn_native::ValidateImageCopyTexture
|
-
|
2021-07-10
|
1192574
|
Security: 30x to data URI aren't blocked on iOS
|
-
|
2021-07-10
|
1192789
|
Security: upgrade to openssl 1.1.1k.
|
-
|
2021-07-10
|
1156531
|
Security: IDN Spoofing
|
-
|
2021-07-09
|
1175992
|
Security: Heap-buffer-overflow in TabStripModel::IsTabPinned
|
$10000
|
2021-07-08
|
1184399
|
Security: Legacy ipc::Message passed via shared memory.
|
-
|
2021-07-08
|
1190462
|
CrOS: Vulnerability reported in net-libs/gnutls
|
-
|
2021-07-08
|
1192054
|
Security: heap-use-after-free in blink::InvalidatableInterpolation::MaybeConvertPairwise
|
$5000
|
2021-07-08
|
1192313
|
v8_wasm_compile_fuzzer: Negative-size-param in v8::internal::wasm::WasmFullDecoder<
|
-
|
2021-07-08
|
1193257
|
webcodecs_audio_decoder_fuzzer: Bad-cast to media::MediaLog from invalid vptr in media::LogHelper::~LogHelper
|
-
|
2021-07-08
|
1194784
|
v8_wasm_code_fuzzer: DCHECK failure in this->ok() in function-body-decoder-impl.h
|
-
|
2021-07-08
|
1194669
|
Trap in v8::internal::FunctionLiteral::GetDebugName
|
-
|
2021-07-08
|
1161379
|
kCanvasReadback is used for two fingerprint surfaces
|
-
|
2021-07-07
|
1161847
|
Trap in Builtins_InterpreterEntryTrampoline
|
-
|
2021-07-07
|
1173903
|
Security: container-overflow in TabStrip
|
-
|
2021-07-07
|
1181228
|
Security: UAF in DesktopCapture
|
$20000
|
2021-07-07
|
1182647
|
Security: Use after free in V8
|
$15000
|
2021-07-07
|
1185463
|
DCHECK failure in PropertyConstness::kMutable == old_descriptors_->GetDetails(modified_descriptor_
|
-
|
2021-07-07
|
1185482
|
Security: use-after-free in WindowTreeHostPlatform::OnBoundsChanged
|
$1000
|
2021-07-07
|
1186641
|
Security: heap-use-after-free in Blink
|
$7500
|
2021-07-07
|
1192311
|
Use-after-poison in blink::AXObjectCacheImpl::Dispose
|
-
|
2021-07-07
|
1193098
|
gpu_raster_swiftshader_fuzzer: Use-of-uninitialized-value in cc::ServiceImageTransferCacheEntry::Deserialize
|
-
|
2021-07-07
|
1193209
|
pdf_codec_jbig2_fuzzer: Stack-use-after-scope in fxcrt::UnownedPtr<std::__Cr::list<std::__Cr::pair<std::__Cr::pair<unsigned int,
|
-
|
2021-07-07
|
1193493
|
CHECK failure: !available->IsEmpty() in macro-assembler-arm64.cc
|
-
|
2021-07-07
|
1193728
|
CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (IsDereferenceAllowed()) in handles.h
|
-
|
2021-07-07
|
1194316
|
DCHECK failure in this->ok() in function-body-decoder-impl.h
|
-
|
2021-07-07
|
1177419
|
Use-after-poison in blink::HTMLSlotElement::DetachLayoutTree [LayoutNG only]
|
-
|
2021-07-06
|
1187210
|
sqlite3_dbfuzz2_fuzzer: Use-of-uninitialized-value in vdbeRecordCompareInt
|
-
|
2021-07-06
|
1169049
|
Security: ARM GPU driver vulnerabilities
|
-
|
2021-07-05
|
1192926
|
Use-of-uninitialized-value in mojo::core::ChannelPosix::WriteNoLock
|
-
|
2021-07-05
|
1193116
|
Use-after-poison in blink::HTMLSlotElement::DetachLayoutTree
|
-
|
2021-07-04
|
1193210
|
Heap-use-after-free in blink::AXLayoutObject::GetDocument
|
-
|
2021-07-04
|
1188407
|
Security: ChromeOS: missing path restriction in arc-obb-mounter
|
-
|
2021-07-03
|
1189576
|
crash in VideoFrame
|
$2000
|
2021-07-03
|
1190554
|
Use-of-uninitialized-value in media::MediaMetricsProvider::~MediaMetricsProvider
|
-
|
2021-07-03
|
1191853
|
v8_wasm_async_fuzzer: DCHECK failure in function->has_prototype_slot() in js-function.cc
|
-
|
2021-07-03
|
1192418
|
Segv on unknown address in blink::Node::parentNode
|
-
|
2021-07-03
|
1192456
|
Use-of-uninitialized-value in blink::AXLayoutObject::CanHaveChildren
|
-
|
2021-07-03
|
1192569
|
Heap-use-after-free in blink::AXLayoutObject::GetDocument
|
-
|
2021-07-03
|
1190290
|
v8_inspector_fuzzer: DCHECK failure in has_exception == isolate->has_pending_exception() in execution.cc
|
-
|
2021-06-30
|
1106907
|
uaf in WebRTC_Network
|
$5000
|
2021-06-29
|
1176510
|
Use-of-uninitialized-value in GURL::SchemeIs
|
-
|
2021-06-29
|
1189890
|
Heap-buffer-overflow in v8::internal::Simulator::LoadStoreHelper
|
-
|
2021-06-29
|
1184562
|
Security: NAT Slipstreaming via RTSP(TCP/554) allows attacker to access local udp ports
|
$3000
|
2021-06-27
|
1185611
|
Heap-use-after-free in libvk_swiftshader.dylib
|
$6000
|
2021-06-27
|
1187217
|
Security DCHECK failure: IsTextControl(node) in text_control_element.h
|
-
|
2021-06-27
|
1187896
|
v8_wasm_code_fuzzer: DCHECK failure in !unreachable implies stack_height >= c->end_label->target_stack_height in wasm-i
|
-
|
2021-06-27
|
1190077
|
Container-overflow in views::View::Layout
|
-
|
2021-06-27
|
1000248
|
Using the CSS Layout API and contenteditable causes the page to crash
|
$5000
|
2021-06-24
|
1100748
|
Security: Possible for extensions to access chrome.cloudPrintPrivate API
|
$1000
|
2021-06-24
|
1115045
|
CSP frame-src bypass using: window.open + javascript-url + about:srcdoc + doubly-nested-iframe.
|
$3000
|
2021-06-24
|
1116869
|
Security: heap-buffer-overflow in "SkiaState::AdjustClip" function
|
$5000
|
2021-06-24
|
1145024
|
Security&UI: WPA2-Enterprise/EAP WiFi Connection "Default" UI Discrepancy
|
$500
|
2021-06-24
|
1161891
|
Security: Reloading iframes with data: src causes partial CSP bypass
|
$500
|
2021-06-24
|
1166091
|
Security: Use of conditionally uninitialised stack variable may leak stack state
|
$500
|
2021-06-24
|
1166462
|
Security: Use of conditionally uninitialised stack variable may leak stack state
|
$500
|
2021-06-24
|
1166478
|
Security: Use of conditionally uninitialised stack variable may leak stack state
|
$500
|
2021-06-24
|
1166972
|
Security: Use of conditionally uninitialised stack variable may leak stack state
|
$500
|
2021-06-24
|
1167507
|
Security: Offline view bypasses Content-Security-Policy of the original page
|
$3000
|
2021-06-24
|
1167629
|
Security: Context menu "Open" on a javascript: link bypasses Content-Security-Policy
|
$1000
|
2021-06-24
|
1180588
|
Memcpy-param-overlap in mojo::core::Channel::Message::ExtendPayload
|
-
|
2021-06-24
|
1182767
|
Security: Amended fix for Side-channel attack against Autofill Preview
|
$5000
|
2021-06-24
|
1184037
|
Container-overflow in blink::LocalFrameView::PushPaintArtifactToCompositor
|
-
|
2021-06-24
|
1184147
|
Security: Incorrect Security UI in payment
|
$500
|
2021-06-24
|
1185735
|
[spark-plug] SharedFunctionInfo pending exception error which can lead to RCE
|
-
|
2021-06-24
|
1188868
|
DCHECK failure in 0 == result in mutex.cc
|
-
|
2021-06-24
|
1189396
|
CHECK failure: all.IsLive(use) && (use->opcode() == IrOpcode::kIfTrue || use->opcode() == IrOpc
|
-
|
2021-06-24
|
1189467
|
Use-of-uninitialized-value in v8::internal::compiler::Schedule::block
|
-
|
2021-06-24
|
1146813
|
Crash in v8::internal::Builtins::builtin_handle
|
-
|
2021-06-23
|
1166138
|
Security: Debug check failed: kMinCPOffset <= by (-32768 vs. -65536).
|
$5000
|
2021-06-23
|
1187203
|
Security: SandboxedUnpacker unsafe use of shared memory.
|
-
|
2021-06-23
|
1187403
|
Heap-use-after-free in CurrentTabDesktopMediaList::Refresh
|
$15000
|
2021-06-23
|
1187826
|
CrOS: Vulnerability reported in media-libs/tiff
|
-
|
2021-06-23
|
1187836
|
v8_wasm_compile_fuzzer: DCHECK failure in is_gp() in liftoff-register.h
|
-
|
2021-06-23
|
1188483
|
DCHECK failure in invalidated_object.map().IsMap() in invalidated-slots-inl.h
|
-
|
2021-06-23
|
1188974
|
DCHECK failure in !is_linked() in label.h
|
-
|
2021-06-23
|
1186603
|
v8_wasm_async_fuzzer: Use-after-poison in v8::internal::wasm::WasmFullDecoder<
|
-
|
2021-06-22
|
1167357
|
potential uaf in rtc_peer_connection
|
$500
|
2021-06-18
|
1179915
|
heap-use-after-free : ui::EventTarget::RemovePreTargetHandler
|
-
|
2021-06-18
|
1181387
|
Security: container-overflow in TabGroups
|
-
|
2021-06-18
|
1182109
|
Security: dPWAs can change their icons after installation
|
-
|
2021-06-18
|
1187170
|
DCHECK failure in IsPrimitiveMap() in map-inl.h
|
-
|
2021-06-18
|
1177674
|
Security: Site Isolation bypass after BrowsingInstance state deleted
|
-
|
2021-06-17
|
1185829
|
v8_wasm_compile_fuzzer: DCHECK failure in source.stack_height() == target.stack_height() in liftoff-assembler.cc
|
-
|
2021-06-17
|
1186802
|
v8_wasm_compile_fuzzer: DCHECK failure in sig->return_count() <= cache_state_.stack_height() in liftoff-assembler.cc
|
-
|
2021-06-17
|
1040988
|
media_pipeline_integration_fuzzer: Use-of-uninitialized-value in decode_residuals
|
-
|
2021-06-16
|
1152226
|
Leaking the URL of any cross-origin redirect through AppCache's network section
|
$5000
|
2021-06-16
|
1152334
|
Security: UAF in PaymentResponseHelper::GeneratePaymentResponse
|
$15000
|
2021-06-16
|
1174493
|
CrOS: Vulnerability reported in dev-python/jinja
|
-
|
2021-06-16
|
1185512
|
cups_ipp_t_fuzzer: Heap-buffer-overflow in ippAddDate
|
-
|
2021-06-16
|
1185999
|
v8_wasm_code_fuzzer: DCHECK failure in (cond) != nullptr in wasm-compiler.cc
|
-
|
2021-06-16
|
916326
|
CSP bypass via wrong inheritance
|
-
|
2021-06-15
|
1097480
|
CrOS: Vulnerability reported in dev-libs/libpcre
|
-
|
2021-06-15
|
1146651
|
X-Frame-Options console error leaks cross-origin redirect information to a cross-site renderer process
|
-
|
2021-06-15
|
1161144
|
Security: UAF in Bookmark OpenAll
|
$10000
|
2021-06-15
|
1173879
|
Security: Autofill preview suggestion value can be made to persist
|
-
|
2021-06-15
|
1175507
|
Security: heap-use-after-free in TabSearchPageHandler::CloseTab
|
-
|
2021-06-15
|
1175975
|
WebCodecs VideoFrame allows tainting bypass for ImageBitmaps.
|
-
|
2021-06-15
|
1181131
|
CrOS: Multiple vulnerabilities in dev-libs/openssl
|
-
|
2021-06-15
|
1182571
|
v8_wasm_compile_fuzzer: DCHECK failure in IsSimd128Register() in instruction.h
|
-
|
2021-06-15
|
1183026
|
v8_wasm_async_fuzzer: DCHECK failure in function->has_prototype_slot() in js-function.cc
|
-
|
2021-06-15
|
1184182
|
Heap-use-after-free in aura::Window::~Window
|
-
|
2021-06-15
|
1184928
|
DCHECK failure in stack_capacity_end_ > stack_end_ in function-body-decoder-impl.h
|
-
|
2021-06-15
|
1184964
|
DCHECK failure in !cache_state_.stack_state.empty() in liftoff-assembler.cc
|
-
|
2021-06-15
|
1184966
|
CHECK failure: Node::New() Error: #743:Phi[0] is nullptr in node.cc
|
-
|
2021-06-15
|
1184991
|
DCHECK failure in (val.node) != nullptr in graph-builder-interface.cc
|
-
|
2021-06-15
|
1185072
|
DCHECK failure in (location_) != nullptr in handles.cc
|
-
|
2021-06-15
|
1185322
|
DCHECK failure in kBottom != kind in value-type.h
|
-
|
2021-06-15
|
1185579
|
CHECK failure: Node::New() Error: #287:Float32LessThanOrEqual[1] is nullptr in node.cc
|
-
|
2021-06-15
|
1178181
|
cups_ipp_t_fuzzer: Crash in create_item
|
-
|
2021-06-12
|
583058
|
Security: root->kernel scribble in cros_ec_dev:ec_device_ioctl_xcmd on 32bit
|
$5000
|
2021-06-11
|
957606
|
Security: CSP restrictions aren't applied when navigating a frame to about:blank
|
$7500
|
2021-06-11
|
971231
|
Chrome Content security Policy bypass
|
$1000
|
2021-06-11
|
1075734
|
Security: Side-channel attack against Autofill Preview that can steal user's data (e.g., credit card number).
|
$500
|
2021-06-11
|
1115298
|
Full CSP bypass by opening a blob URL in a new tab and reloading it with history.back
|
$3000
|
2021-06-11
|
1115628
|
Security: Full CSP bypass through blob: URIs
|
$5000
|
2021-06-11
|
1117687
|
Security: Full CSP bypass through filesystem URIs
|
$5000
|
2021-06-11
|
1154250
|
Security: determining size of CORB/CORP'd cross-origin responses
|
$500
|
2021-06-11
|
1155302
|
Security: UaF in V4L2VideoEncodeAccelerator
|
-
|
2021-06-11
|
1158010
|
Security: Referrer Header Spoofing Vulnerability via <base> tags
|
$500
|
2021-06-11
|
1170584
|
UI/URL Spoofing by putting the page into fullscreen when a user opens the emoji dialog
|
$1000
|
2021-06-11
|
1174943
|
uaf in DestroyURLLoader(network::cors::CorsURLLoaderFactory)
|
$15000
|
2021-06-11
|
1175436
|
uaf in CrossOriginEmbedderPolicyReporter(browser)
|
$15000
|
2021-06-11
|
1178165
|
cups_ipp_t_fuzzer: Heap-buffer-overflow in ippAddDate
|
-
|
2021-06-11
|
1181701
|
CrOS: Vulnerability reported in dev-libs/glib
|
-
|
2021-06-11
|
1183192
|
Use-of-uninitialized-value in blink::LayoutGrid::FirstLineBoxBaseline
|
-
|
2021-06-11
|
1184441
|
Racy UAF when handling usrsctp notification on timer thread
|
-
|
2021-06-11
|
1173311
|
Security: Backport futex fix to older kernels
|
-
|
2021-06-09
|
1181673
|
noopener not applied to popups opened from a cross origin iframe in a cross-origin-isolated environment
|
-
|
2021-06-09
|
1181684
|
v8_wasm_fuzzer: Segv on unknown address in v8::base::Memcpy
|
-
|
2021-06-09
|
1183122
|
Heap-use-after-free in blink::GridLayoutUtils::FlowAwareDirectionForChild
|
-
|
2021-06-09
|
1181676
|
Security: UAF in ClipboardHistory
|
$20000
|
2021-06-08
|
1182572
|
Heap-buffer-overflow in mojo::core::Channel::Message::ExtendPayload
|
-
|
2021-06-05
|
1013133
|
CHECK failure: API call returned invalid object in api-arguments-inl.h
|
-
|
2021-06-04
|
1181310
|
Container-overflow in blink::LocalVideoCapturerSource::OnLog
|
-
|
2021-06-04
|
1181125
|
Container-overflow in blink::LocalVideoCapturerSource::OnLog
|
-
|
2021-06-04
|
1181599
|
sanitizer_api_fuzzer: Security DCHECK failure: IsA<Derived>(from) in casting.h
|
-
|
2021-06-04
|
996770
|
Security: [xfa] pdfium SEGV on RelocateTableRowCells
|
$5000
|
2021-06-02
|
1180435
|
Crash in v8::internal::Simulator::DecodeType2
|
-
|
2021-06-01
|
1180871
|
Heap-use-after-free in storage::DataPipeTransportStrategy::OnDataPipeReadable
|
-
|
2021-06-01
|
1180129
|
v8_wasm_compile_fuzzer: Use-after-poison in v8::internal::compiler::LiveRangeBuilder::ComputeLiveOut
|
-
|
2021-05-30
|
1180563
|
Use-of-uninitialized-value in v8::internal::JSDateTimeFormat::New
|
-
|
2021-05-30
|
1180579
|
v8_wasm_compile_fuzzer: Use-after-poison in v8::internal::compiler::LiveRangeBuilder::ComputeLiveOut
|
-
|
2021-05-30
|
1177623
|
Use-of-uninitialized-value in v8::internal::JSDateTimeFormat::New
|
-
|
2021-05-29
|
1177812
|
Use-of-uninitialized-value in v8::internal::JSDateTimeFormat::New
|
-
|
2021-05-29
|
1180181
|
v8_wasm_fuzzer: Segv on unknown address in v8::internal::Simulator::LoadStoreHelper
|
-
|
2021-05-29
|
1180157
|
tint_spv_reader_wgsl_writer_fuzzer: Use-of-uninitialized-value in tint::ValidatorImpl::Validate
|
-
|
2021-05-29
|
1159255
|
cras_rclient_message_fuzzer: Crash in cras_system_state_stream_added
|
-
|
2021-05-28
|
1160414
|
heapoverflow in web gpu
|
$5000
|
2021-05-28
|
1179120
|
Known vulnerability detected in third_party/harfbuzz-ng
|
-
|
2021-05-28
|
1179118
|
Known vulnerability detected in third_party/harfbuzz-ng
|
-
|
2021-05-28
|
1179182
|
v8_wasm_fuzzer: Segv on unknown address in v8::base::Memcpy
|
-
|
2021-05-28
|
1179292
|
Heap-buffer-overflow in base::internal::VectorBuffer<char>::RangesOverlap
|
-
|
2021-05-28
|
1179545
|
v8_wasm_compile_fuzzer: Stack-use-after-scope in v8::internal::wasm::fuzzer::WasmGenerator::BlockScope::BlockScope
|
-
|
2021-05-28
|
1179595
|
[sparkplug] baseline optimize function PrologueFillFrame register_count can be 0, which can lead to code execution
|
$5000
|
2021-05-28
|
1179677
|
Heap-use-after-free in base::ScopedMultiSourceObservation<aura::WindowTreeHost, aura::WindowTreeHostObs
|
-
|
2021-05-28
|
1179948
|
wayland_fuzzer: Heap-use-after-free in decltype
|
-
|
2021-05-28
|
1144074
|
Heap-use-after-free in EGL_DestroyContext
|
-
|
2021-05-27
|
1160218
|
dawn_spirv_cross_glsl_fast_fuzzer: Crash in spirv_cross::CompilerGLSL::to_array_size_literal
|
-
|
2021-05-27
|
1160258
|
crash in gpu::gles2::GLES2Implementation::ReadPixels
|
$5000
|
2021-05-27
|
1176728
|
Security: Does eigen3 need updating?
|
-
|
2021-05-27
|
1178219
|
Security DCHECK failure: IsA<Derived>(from) in casting.h
|
-
|
2021-05-27
|
1179336
|
Heap-buffer-overflow in base::circular_deque<char>::MoveBuffer
|
-
|
2021-05-27
|
1143526
|
Security: leak cross-site response size - countermeasure bypass
|
$3000
|
2021-05-26
|
1168544
|
Security: crash-reporter chmod 660
|
-
|
2021-05-26
|
1171049
|
Security: container-overflow in TabStrip::SetSelection
|
$10000
|
2021-05-26
|
1174373
|
UAP in MojoWatcher::OnHandleReady
|
$2000
|
2021-05-26
|
1177593
|
heap-buffer-overflow : blink::H264Encoder::EncodeOnEncodingTaskRunner
|
-
|
2021-05-26
|
1178008
|
dawn_spirv_cross_glsl_fast_fuzzer: Use-of-uninitialized-value in spirv_cross::Compiler::CombinedImageSamplerUsageHandler::add_dependency
|
-
|
2021-05-26
|
1178136
|
Chromium: Vulnerability reported in third_party/libzip
|
-
|
2021-05-26
|
1179025
|
DCHECK failure in !pinned.has(reg) in liftoff-assembler.h
|
-
|
2021-05-26
|
1172054
|
UaF in WebRTC P2PSocketManagerProxy::CreateSocket
|
$5000
|
2021-05-25
|
1174626
|
datapath_fuzzer: Use-of-uninitialized-value in patchpanel::IPv6AddressToString
|
-
|
2021-05-25
|
1178224
|
Bad-cast to blink::LayoutTableSection from blink::LayoutNGTableSection in blink::LayoutTable::AddChild
|
-
|
2021-05-25
|
1178263
|
Heap-buffer-overflow in blink::LayoutTable::AddColumn
|
$6000
|
2021-05-25
|
1128895
|
CHECK failure: IsValidHeapObject(heap_, heap_object) in heap.cc
|
-
|
2021-05-24
|
1178455
|
Test report from guest gmail account
|
-
|
2021-05-24
|
1176909
|
Heap-use-after-free in blink::DisplayItemClient::IsJustCreated
|
-
|
2021-05-23
|
1177273
|
Heap-use-after-free in blink::PaintLayer::RemoveAncestorScrollContainerLayer
|
-
|
2021-05-23
|
1178142
|
Crash in blink::LayoutTable::AddCaption
|
-
|
2021-05-23
|
1178074
|
Security DCHECK failure: IsA<Derived>(from) in casting.h
|
-
|
2021-05-23
|
1111646
|
Security: Possible to spoof URL after renderer crash
|
$3000
|
2021-05-22
|
1174186
|
CSS 3D transform intersection glitch in Chrome / Windows
|
$500
|
2021-05-22
|
1177684
|
Use-of-uninitialized-value in blink::LayoutTable::AddCaption
|
-
|
2021-05-22
|
1177832
|
Security DCHECK failure: IsA<Derived>(from) in casting.h
|
-
|
2021-05-22
|
1178007
|
Crash in blink::LayoutObjectChildList::RemoveChildNode
|
-
|
2021-05-22
|
1174582
|
Security: ScriptProcessorNode allows write of Float32Array across threads
|
-
|
2021-05-21
|
1176606
|
Heap-use-after-free in ash::NotificationCounterView::~NotificationCounterView
|
-
|
2021-05-21
|
1177341
|
Security: Insufficient fix for CVE-2021-21148
|
-
|
2021-05-21
|
1155819
|
gpu_raster_swiftshader_fuzzer: Bad-cast to llvm::cl::Option from llvm::cl::opt<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, false, llvm::cl::parser<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > in llvm::cl::applicator<llvm::cl::FormattingFlags>::opt
|
-
|
2021-05-20
|
1176557
|
dawn_spirv_cross_glsl_fast_fuzzer: Use-of-uninitialized-value in spirv_cross::Compiler::CombinedImageSamplerUsageHandler::add_dependency
|
-
|
2021-05-20
|
1177070
|
Crash in v8::internal::interpreter::BytecodeArrayAccessor::Advance
|
-
|
2021-05-20
|
1170531
|
Talos Security Advisory for Google Chrome browser (TALOS-2021-1235)
|
$7500
|
2021-05-19
|
1170776
|
Security: V8 Incorrect array bounds calculation
|
-
|
2021-05-19
|
1176318
|
DCHECK failure in CanTransitionTo(new_details, *new_value) in property-cell-inl.h
|
-
|
2021-05-19
|
1035260
|
libyuv_scale_fuzzer: Heap-buffer-overflow in InterpolateRow_Any_SSSE3
|
-
|
2021-05-18
|
1172819
|
Heap-buffer-overflow in blink::NGTableLayoutAlgorithm::Layout
|
-
|
2021-05-18
|
1175222
|
Security DCHECK failure: IsA<Derived>(from) in casting.h
|
-
|
2021-05-18
|
1175500
|
Security: Heap-buffer-overflow in TabStripModel::GroupTab (Windows-only)
|
$7500
|
2021-05-18
|
1174551
|
Heap-buffer-overflow in unsigned int v8::internal::StringHasher::HashSequentialString<char>
|
-
|
2021-05-17
|
1174900
|
dawn_spirv_cross_glsl_fast_fuzzer: Use-of-uninitialized-value in spirv_cross::Compiler::CombinedImageSamplerUsageHandler::add_dependency
|
-
|
2021-05-17
|
1165724
|
CrOS: Vulnerability reported in sys-libs/e2fsprogs-libs
|
-
|
2021-05-15
|
1168545
|
Security: Arbitrary code execution in ghostscript
|
-
|
2021-05-15
|
1168555
|
Security: android-root persistence
|
-
|
2021-05-14
|
1173269
|
Security: heap-buffer-overflow in TabStripModel
|
-
|
2021-05-14
|
1173702
|
Security: Heap buffer overflow in Tab Groups
|
$7500
|
2021-05-14
|
1174641
|
ANGLE: Out-of-bounds read for emulated compressed texture formats in 3D textures
|
-
|
2021-05-14
|
1166932
|
Security: ChromeOS root privilege escalation and android-root persistence
|
$45000
|
2021-05-13
|
1173925
|
Use-of-uninitialized-value in blink::PaintPropertyTreeBuilder::UpdateForSelf
|
-
|
2021-05-13
|
1160459
|
AddressSanitizer: access-violation on unknown address 0x000000000000
|
-
|
2021-05-12
|
1170826
|
Third party apps and web pages can switch Chrome tabs
|
-
|
2021-05-12
|
1171785
|
Heap-use-after-free in blink::LocalFrameView::PerformPreLayoutTasks
|
-
|
2021-05-12
|
1172192
|
Security: UAF in Drag and Drop Download
|
$20000
|
2021-05-12
|
1098582
|
Security: allow-top-navigation-by-user-activation bypasses via message event listeners on iOS
|
$5000
|
2021-05-11
|
1164655
|
dawn_wire_server_and_vulkan_backend_fuzzer: Crash in vk::DescriptorSetLayout::DescriptorSetLayout
|
-
|
2021-05-11
|
1168552
|
Security: host root file write
|
-
|
2021-05-11
|
1171954
|
DCHECK failure in other->values_[index] != builder()->jsgraph()->OptimizedOutConstant() in bytecod
|
-
|
2021-05-11
|
1172121
|
v8_inspector_fuzzer: DCHECK failure in host_import_module_dynamically_callback_ != nullptr == host_import_module_dynami
|
-
|
2021-05-11
|
1172591
|
Heap-use-after-free in views::ColorChooser::OnViewClosing
|
-
|
2021-05-11
|
1172687
|
Use-of-uninitialized-value in blink::LayoutObject::SetNeedsOverflowRecalc
|
-
|
2021-05-11
|
1172885
|
dawn_spirv_cross_glsl_fast_fuzzer: Use-of-uninitialized-value in spirv_cross::Compiler::CombinedImageSamplerUsageHandler::add_dependency
|
-
|
2021-05-11
|
1172912
|
v8_wasm_code_fuzzer: Heap-buffer-overflow in v8::internal::wasm::LiftoffAssembler::MergeFullStackWith
|
-
|
2021-05-11
|
1171846
|
v8_multi_return_fuzzer: DCHECK failure in saved_fpregisters[i] == dreg_bits(PopLowestIndexAsCode(&fpregister_list)) in sim
|
-
|
2021-05-10
|
1171759
|
v8_multi_return_fuzzer: DCHECK failure in stack_decrement == kSystemPointerSize in code-generator-arm.cc
|
-
|
2021-05-09
|
1171956
|
dawn_spirv_cross_glsl_fast_fuzzer: Use-of-uninitialized-value in spirv_cross::Compiler::CombinedImageSamplerUsageHandler::add_dependency
|
-
|
2021-05-08
|
1172117
|
Bad-cast to blink::LayoutTableCol from blink::LayoutNGTableColumn in blink::HTMLTableColElement::ParseAttribute
|
-
|
2021-05-08
|
1172118
|
Heap-buffer-overflow in blink::NGTablePainter::PaintBoxDecorationBackground
|
-
|
2021-05-08
|
1094642
|
gstoraster_fuzzer: Segv on unknown address in s_DCTD_process
|
-
|
2021-05-06
|
1160665
|
Requests for script sent even when main document is text/plain
|
$500
|
2021-05-06
|
1161759
|
DCHECK failure in 0 == Heap::GetFillToAlign(obj->address(), HeapObject::RequiredAlignment(*map)) i
|
-
|
2021-05-06
|
1166504
|
heap bufferoverflow in VideoFrameYUVConverter
|
$5000
|
2021-05-06
|
1170657
|
use after poison in DOMWebSocket
|
$5000
|
2021-05-06
|
1170933
|
garcon_ini_parse_util_fuzzer: Heap-buffer-overflow in vm_tools::garcon::ExtractKeyLocale
|
-
|
2021-05-06
|
1171195
|
DCHECK failure in scope_data_->ReadUint32() == static_cast<uint32_t>(name->length()) in preparse-d
|
-
|
2021-05-06
|
1171327
|
Security: Sudo vulnerability
|
-
|
2021-05-06
|
1171600
|
DCHECK failure in expr->scope()->outer_scope() == current_scope() in bytecode-generator.cc
|
-
|
2021-05-06
|
1171441
|
tint_spv_reader_hlsl_writer_fuzzer: Heap-use-after-free in tint::fuzzers::CommonFuzzer::Run
|
-
|
2021-05-06
|
1158376
|
Security: Browser process heap-use-after-free in the portal element
|
$15000
|
2021-05-05
|
1169317
|
Security: UaF in payments::SecurePaymentConfirmationAppFactory
|
$20000
|
2021-05-05
|
1170615
|
garcon_ini_parse_util_fuzzer: Use-of-uninitialized-value in vm_tools::garcon::ExtractKeyLocale
|
-
|
2021-05-05
|
1170990
|
CHECK failure: serialized_prototype_ in js-heap-broker.cc
|
-
|
2021-05-05
|
1165624
|
Security: UaF in chrome!payments::PaymentRequestSheetController::UpdateHeaderView
|
$15000
|
2021-05-04
|
1170112
|
tint_spv_reader_wgsl_writer_fuzzer: Heap-use-after-free in tint::fuzzers::CommonFuzzer::Run
|
-
|
2021-05-04
|
1168116
|
v8_wasm_async_fuzzer.exe: Null-dereference in v8::base::Thread::Start
|
-
|
2021-05-02
|
1155974
|
Security: WebGL Shader Stack Exhaustion leading to PC control in llvmpipe
|
$1000
|
2021-05-01
|
1168550
|
Security: mediadrm command injection
|
-
|
2021-05-01
|
1156170
|
Security: Oilpan: Use After Poison in IsInConstruction<>() with chrome/xfa
|
-
|
2021-04-30
|
1161739
|
Security: UAP in animate
|
-
|
2021-04-30
|
1167337
|
tint_spv_reader_spv_writer_fuzzer: Segv on unknown address in tint::fuzzers::CommonFuzzer::Run
|
-
|
2021-04-30
|
1167759
|
tint_spv_reader_msl_writer_fuzzer.exe: Heap-use-after-free in tint::fuzzers::CommonFuzzer::Run
|
-
|
2021-04-30
|
1168408
|
tint_spv_reader_wgsl_writer_fuzzer: Heap-use-after-free in tint::fuzzers::CommonFuzzer::Run
|
-
|
2021-04-30
|
1168725
|
tint_spv_reader_spv_writer_fuzzer: Heap-use-after-free in tint::fuzzers::CommonFuzzer::Run
|
-
|
2021-04-30
|
1138542
|
gstoraster_fuzzer: Heap-buffer-overflow in mem_mapped4_copy_mono
|
-
|
2021-04-29
|
1155426
|
Security: UAF in MediaStreamCapture
|
$20000
|
2021-04-29
|
1162942
|
Security: website is able to draw over protected UI elements (URL, padlock, tab list, titlebar) using 3D CSS transforms
|
$5000
|
2021-04-29
|
1167242
|
dawn_spirv_cross_glsl_fast_fuzzer: Use-of-uninitialized-value in spirv_cross::Compiler::CombinedImageSamplerUsageHandler::add_dependency
|
-
|
2021-04-29
|
1166549
|
v8_inspector_fuzzer: DCHECK failure in isolate->has_pending_exception() != result in bootstrapper.cc
|
-
|
2021-04-29
|
1167277
|
Lacros 3D Canvas can leak outside of iFrame
|
-
|
2021-04-29
|
1167918
|
DCHECK failure in HasRemainingBytes(kUint8Size) in preparse-data-impl.h
|
-
|
2021-04-29
|
1167981
|
CHECK failure: Bytecode mismatch at offset 2 in interpreter.cc
|
-
|
2021-04-29
|
1167988
|
DCHECK failure in expr->scope()->outer_scope() == current_scope() in bytecode-generator.cc
|
-
|
2021-04-29
|
1168055
|
CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (IsJSReceiver()) in js-objects-inl.h
|
-
|
2021-04-29
|
1169077
|
tint_spv_reader_hlsl_writer_fuzzer.exe: Heap-use-after-free in tint::fuzzers::CommonFuzzer::Run
|
-
|
2021-04-29
|
1167709
|
DCHECK failure in !done() in state-values-utils.cc
|
-
|
2021-04-27
|
1161705
|
Security: heap-use-after-free in SearchTabHelper::DidStartNavigation
|
-
|
2021-04-26
|
1167505
|
Security DCHECK failure: IsA<Derived>(from) in casting.h
|
-
|
2021-04-26
|
1167430
|
Heap-use-after-free in content::RenderWidgetHostViewAura::ForwardKeyboardEventWithLatencyInfo
|
-
|
2021-04-25
|
1138143
|
segmentation fault in mojom::clipboard
|
$20000
|
2021-04-24
|
1154965
|
use after poison in blink::TimerBase::RunInternal
|
$7500
|
2021-04-24
|
1163504
|
Security: heap-buffer-overflow in extension
|
$10000
|
2021-04-24
|
1163845
|
Security: HeapOverflow in TabStripModel
|
$10000
|
2021-04-24
|
1158381
|
Security: Bypass iframe security policy in the portal element
|
$500
|
2021-04-23
|
1159377
|
CrOS: Vulnerability reported in net-misc/curl
|
-
|
2021-04-23
|
1162123
|
heap-use-after-free : web_app::WebAppMetrics::~WebAppMetrics
|
-
|
2021-04-23
|
1165966
|
v8_wasm_compile_fuzzer: DCHECK failure in IsSimd128Register() in instruction.h
|
-
|
2021-04-23
|
1166354
|
Use-of-uninitialized-value in v8::internal::RootScavengeVisitor::VisitRootPointers
|
-
|
2021-04-22
|
1160952
|
dawn_spirv_cross_glsl_fast_fuzzer: Use-of-uninitialized-value in spirv_cross::Compiler::CombinedImageSamplerUsageHandler::add_dependency
|
-
|
2021-04-21
|
1162303
|
Security: ChromeOS chronos privilege escalation to root
|
$30000
|
2021-04-21
|
1164055
|
Security: Blink web_test fonts unowned
|
-
|
2021-04-21
|
1164816
|
Security: chrome://settings ImportData out-of-bounds READ
|
-
|
2021-04-21
|
1152894
|
Security: WebView and Chromium based browser Omnibar Spoofing with Race Condition
|
$3000
|
2021-04-19
|
1163184
|
DCHECK failure in !code.marked_for_deoptimization() in compiler.cc
|
-
|
2021-04-19
|
1161654
|
v8_wasm_fuzzer: DCHECK failure in has(reg.low()) == has(reg.high()) in liftoff-register.h
|
-
|
2021-04-17
|
1164158
|
Security: PDFIum (XFA) Heap Overflow in RelocateTableRowCells
|
$5000
|
2021-04-17
|
1164187
|
Heap-use-after-free in ash::tray::TimeTrayItemView::~TimeTrayItemView
|
-
|
2021-04-17
|
1164326
|
wayland_fuzzer: Heap-use-after-free in decltype
|
-
|
2021-04-17
|
1157818
|
performance API reveals information about redirects (XS-Leak)
|
-
|
2021-04-16
|
1160448
|
uaf in webgpu
|
-
|
2021-04-16
|
1162131
|
Security: heap-use-after-free in IsBox
|
$5000
|
2021-04-16
|
1163122
|
Security: /run/arc/host_generated allows chronos to configure any Android system properties
|
-
|
2021-04-16
|
1163882
|
Chromium: Vulnerability reported in third_party/binutils
|
-
|
2021-04-16
|
1147416
|
uaf in dawn_wire::server::Server::OnBufferMapAsyncCallback(--enable-unsafe-webgpu)
|
-
|
2021-04-15
|
1160602
|
Security: Use After Free in WebSQL
|
$5000
|
2021-04-15
|
1161357
|
Security: Debug check failed: code == topmost_ implies safe_to_deopt_
|
$16000
|
2021-04-15
|
1161943
|
dawn_wire_server_and_frontend_fuzzer: Heap-use-after-free in void dawn_wire::ChunkedCommandSerializer::SerializeCommandImpl<dawn_wire::Return
|
-
|
2021-04-15
|
1162156
|
dawn_wire_server_and_frontend_fuzzer: Heap-use-after-free in dawn_wire::server::KnownObjects<WGPUBufferImpl*>::Get
|
-
|
2021-04-15
|
1162198
|
heap-use-after-free : mojo::core::NodeController::DropPeer
|
-
|
2021-04-15
|
1156904
|
Security DCHECK failure: IsA<Derived>(from) in casting.h
|
-
|
2021-04-14
|
1157743
|
Security: spoof download on any websites
|
$500
|
2021-04-14
|
1162036
|
UAF in MediaStreamTrackProcessor
|
$5000
|
2021-04-14
|
1162834
|
Heap-use-after-free in blink::ShadowList::CreateDrawLooper
|
-
|
2021-04-14
|
1161954
|
v8_wasm_compile_fuzzer: DCHECK failure in IsSimd128Register() in instruction.h
|
-
|
2021-04-13
|
1162400
|
v8_wasm_compile_fuzzer: Crash in Builtins_JSEntryTrampoline
|
-
|
2021-04-13
|
1150012
|
gstoraster_fuzzer: Use-of-uninitialized-value in gs_scan_token
|
-
|
2021-04-10
|
1062941
|
libyuv_scale_fuzzer: Heap-buffer-overflow in ScaleFilterCols_16_C
|
-
|
2021-04-07
|
1161048
|
Upgrade SQLite to 3.34.0
|
-
|
2021-04-07
|
1160225
|
CrOS: Vulnerability reported in dev-util/glib-utils
|
-
|
2021-04-06
|
1160224
|
CrOS: Vulnerability reported in dev-libs/glib
|
-
|
2021-04-05
|
1151727
|
spvtools_opt_size_fuzzer: Heap-buffer-overflow in spvtools::opt::analysis::IntConstant::GetU64BitValue
|
-
|
2021-04-02
|
1159663
|
uaf in media::learning::MojoLearningTaskControllerService::PredictDistribution
|
$15000
|
2021-04-01
|
1128206
|
Security: Possible for extension to escape sandbox via devtools_page and intentionally crashed renderer
|
$10000
|
2021-03-30
|
1131346
|
Potential UAF in Speech Recognizer
|
-
|
2021-03-30
|
1099985
|
Heap-use-after-free for desks widget in bool ui::PropertyHandler::GetProperty<bool>
|
-
|
2021-03-29
|
1153993
|
Security: Skia etc1 missing an uninitialized data fix
|
-
|
2021-03-29
|
1158266
|
uaf in use-after-poison in blink::CanvasResourceHost::InitializeForRecording(canvas_resource_host.cc)
|
$500
|
2021-03-29
|
1137607
|
dawn_spirv_cross_glsl_fast_fuzzer: Use-of-uninitialized-value in spirv_cross::Compiler::CombinedImageSamplerUsageHandler::add_dependency
|
-
|
2021-03-28
|
1159267
|
Security: URL bar spoofing in Payments API
|
$500
|
2021-03-27
|
1160286
|
Use-of-uninitialized-value in base::BasicStringPiece<std::__1::basic_string<char, std::__1::char_traits<char>,
|
-
|
2021-03-27
|
1155876
|
cgpt_fuzzer: Use-of-uninitialized-value in Crc32
|
-
|
2021-03-26
|
1159763
|
CrOS: Vulnerability reported in net-misc/curl
|
-
|
2021-03-26
|
1137247
|
Security: Spoofing download filename extension in 86 chrome - showSaveFilePicker
|
$1000
|
2021-03-25
|
1159164
|
Use-of-uninitialized-value in v8::internal::PerfJitLogger::LogWriteDebugInfo
|
-
|
2021-03-25
|
1159679
|
dawn_spirv_cross_glsl_fast_fuzzer: Crash in spirv_cross::CompilerGLSL::to_array_size_literal
|
-
|
2021-03-25
|
1152645
|
Security: Race condition on destruction of GpuMemoryBufferFactoryNativePixmap may cause use after free
|
-
|
2021-03-24
|
1157800
|
Incomplete fix for auth dialog spoof in iOS
|
$500
|
2021-03-24
|
1157814
|
Security: UAF in PasswordProtectionRequest
|
$20000
|
2021-03-24
|
1158774
|
ots_fuzzer: Use-of-uninitialized-value in ots::OpenTypeGLYF::ParseSimpleGlyph
|
-
|
2021-03-24
|
1157790
|
Security: Out of Bounds in V8
|
$1000
|
2021-03-23
|
1157799
|
CrOS: Vulnerability reported in dev-libs/openssl
|
-
|
2021-03-23
|
1157994
|
DCHECK failure in !SharedStringAccessGuardIfNeeded::IsNeeded(*this) in string-inl.h
|
-
|
2021-03-22
|
1158071
|
Bad-cast to mojo::InterfaceEndpointClient from content::RenderFrameImpl in mojo::internal::AssociatedInterfacePtrStateBase::~AssociatedInterfacePtrStateBas
|
-
|
2021-03-21
|
1153516
|
Heap-buffer-overflow in SkAnalyticEdge::setLine
|
$6000
|
2021-03-19
|
1154468
|
use after poison in content::InspectorMediaEventHandler::SendQueuedMediaEvents
|
$5000
|
2021-03-19
|
1155854
|
CrOS: Vulnerability reported in net-fs/samba
|
-
|
2021-03-19
|
1156431
|
v8_multi_return_fuzzer: DCHECK failure in saved_fpregisters[i] == dreg_bits(PopLowestIndexAsCode(&fpregister_list)) in sim
|
-
|
2021-03-19
|
1157324
|
v8_wasm_compile_fuzzer: DCHECK failure in caller->CanTailCall(callee) in instruction-selector.cc
|
-
|
2021-03-19
|
1020667
|
Security: Insecure Memory Copy in Trousers
|
$500
|
2021-03-18
|
1101961
|
Heap-buffer-overflow in cc::PaintWorkletImageProvider::GetPaintRecordResult
|
-
|
2021-03-18
|
1150810
|
Security: File System Access API - getFileHandle() allowing to save .lnk files
|
$1000
|
2021-03-18
|
1151726
|
Heap-use-after-free in printing::PrintManager::GetPrintRenderFrame
|
-
|
2021-03-18
|
1156513
|
pdf_codec_jpeg_fuzzer: Use-of-uninitialized-value in decompress_smooth_data
|
-
|
2021-03-18
|
831761
|
SameSite cookie bypass via Custom Scheme
|
$1000
|
2021-03-17
|
1148749
|
Double free/UAF in RegionDataLoaderImpl::DeleteThis
|
$20000
|
2021-03-17
|
1150065
|
UaF in AudioHandler::ProcessIfNecessary
|
-
|
2021-03-17
|
1153658
|
uaf in AudioNodeOutput::Pull
|
$6000
|
2021-03-17
|
1155710
|
Iterating a directory with the File System Access API does not check current permissions.
|
-
|
2021-03-17
|
1156510
|
Security: Use After Free in UserMediaRequest::OnMediaStreamInitialized
|
$5000
|
2021-03-17
|
957042
|
Security: Possible to partially break sandbox restrictions imposed upon popup windows
|
$1000
|
2021-03-16
|
1105875
|
Security: XS-Leak with Resource Timing API and CSP Embedded Enforcement
|
$1000
|
2021-03-16
|
1131929
|
[Resource Timing] Missing PerformanceResourceTiming entries for iframe Requests that don't receive a Response
|
$1000
|
2021-03-16
|
1149171
|
Heap-buffer-overflow in blink::NGOffsetMapping::GetMappingUnitsForLayoutObject
|
-
|
2021-03-16
|
1149895
|
Security: OpenSSL certificate blocklist isn't installed in images
|
-
|
2021-03-16
|
1151069
|
Security: heap-buffer-overflow in AudioWorkletProcessor::CopyParamValueMapToObject
|
-
|
2021-03-16
|
1151298
|
Security: Use-After-Free in DeflateTransformer
|
$7500
|
2021-03-16
|
1154936
|
webcodecs_video_encoder_fuzzer: Heap-buffer-overflow in init_encode_frame_mb_context
|
-
|
2021-03-16
|
1155497
|
v8_wasm_compile_fuzzer: DCHECK failure in IsSimd128Register() in instruction.h
|
-
|
2021-03-16
|
1155959
|
DCHECK failure in kCanBeWeak || (!IsSmi() == (((static_cast<i::Tagged_t>(ptr_) & ::i::kHeapObjectT
|
-
|
2021-03-15
|
1156001
|
Crash in v8::internal::HandleBase::IsDereferenceAllowed
|
-
|
2021-03-15
|
1140435
|
Security: showSaveFilePicker allowing to save file extension with space at the end - cannot delete file on windows
|
-
|
2021-03-13
|
1140403
|
Security: Hide real extension of file by many white spaces - showSaveFilePicker
|
$1000
|
2021-03-13
|
1140410
|
Security: Hide real extension of file by RTL - showSaveFilePicker
|
$1000
|
2021-03-12
|
1140417
|
Security: showSaveFilePicker allowing to save .lnk and .local files on windows!
|
$1000
|
2021-03-12
|
1146855
|
Heap-use-after-free in blink::AggregatingSampleCollector::Flush
|
-
|
2021-03-12
|
1150249
|
Index-out-of-bounds in blink::AudioArray<float>::Allocate
|
-
|
2021-03-12
|
1150798
|
Security: UAF in the views::DialogDelegate in the browser process
|
$5000
|
2021-03-12
|
1152327
|
Security: File System Access API & Symlinks
|
-
|
2021-03-12
|
1153595
|
Security: UAF in Drag-and-drop
|
$20000
|
2021-03-12
|
1155178
|
Security: Skia GPU bug
|
$6000
|
2021-03-12
|
1149125
|
Security: Some WebUI pages enable MojoJS bindings for the subsequently-navigated site
|
$7500
|
2021-03-10
|
1150772
|
Index-out-of-bounds in blink::NGPhysicalBoxFragment::Create
|
-
|
2021-03-10
|
1152387
|
Crash in icu_68::RuleBasedBreakIterator::handleNext
|
-
|
2021-03-10
|
1153442
|
DCHECK failure in UseScratchRegisterScope{this}.CanAcquire() in liftoff-assembler-arm.h
|
-
|
2021-03-10
|
1154439
|
DCHECK failure in num_locals_ == local_types_.size() in function-body-decoder-impl.h
|
-
|
2021-03-10
|
1114062
|
heap-use-after-free in is_null
|
-
|
2021-03-09
|
1149204
|
Security: heap-buffer-overflow in blink::WebGLRenderingContextBase::MakeXrCompatibleSync
|
$5000
|
2021-03-09
|
1110751
|
Security: GoogleCrashHandler exist Any process DOS vulnerability
|
-
|
2021-03-08
|
1149115
|
Heap-buffer-overflow in v8::internal::Simulator::WriteW
|
-
|
2021-03-08
|
1152937
|
v8_wasm_fuzzer: DCHECK failure in decoder->ok() in graph-builder-interface.cc
|
-
|
2021-03-05
|
1049265
|
Extensions with no special privileges are allowed to navigate to devtools:// scheme pages.
|
$1000
|
2021-03-04
|
1108126
|
Security: Chrome Apps can access chrome.storage for other extensions via webview
|
$3000
|
2021-03-04
|
1150371
|
Security: OOBW in the icu_68::FormattedStringBuilder::insert
|
$5000
|
2021-03-04
|
1151865
|
Security: OOB-read in network DataElement struct traits.
|
-
|
2021-03-04
|
1151890
|
Security: Uninitialised memory read with BigInt right-shift
|
$3000
|
2021-03-04
|
1143412
|
Security: Pixelbook reveals windows underneath lock screen when external display is plugged in
|
-
|
2021-03-03
|
1151684
|
webcodecs_video_encoder_fuzzer: Heap-buffer-overflow in vp9_enc_setup_mi
|
-
|
2021-03-03
|
1151799
|
heap-buffer-overflow in MoveWebContentsAtImpl(extension)
|
$15000
|
2021-03-03
|
978798
|
Security: Possible to fake the lock or login screen in full screen mode to phish user passwords
|
-
|
2021-03-02
|
1142024
|
heap-use-after-free : gpu::SharedImageRepresentationDawnIOSurface::EndAccess
|
-
|
2021-03-02
|
1146872
|
Security DCHECK failure: IsA<Derived>(from) in casting.h
|
-
|
2021-03-02
|
1149586
|
v8_inspector_fuzzer: DCHECK failure in ThreadId::Current() == isolate->thread_id() in compiler.cc
|
-
|
2021-03-02
|
1150649
|
DCHECK failure in 0 <= length && length <= kMaxSafeInteger in builtins-array.cc
|
-
|
2021-03-02
|
1151270
|
Heap-buffer-overflow in avx::rect_memset32
|
-
|
2021-03-02
|
1151248
|
Crash in hsw::load_NUMBER_dst
|
-
|
2021-03-02
|
1151294
|
Crash in erms::rect_memset32
|
-
|
2021-03-02
|
1151320
|
Crash in hsw::load_NUMBER_dst
|
-
|
2021-03-02
|
1151322
|
Crash in hsw::blit_row_s32a_opaque
|
-
|
2021-03-02
|
1151460
|
Crash in SkARGB32_Black_Blitter::blitAntiH
|
-
|
2021-03-02
|
1151532
|
Heap-buffer-overflow in ssse3::blit_mask_d32_a8
|
-
|
2021-03-02
|
1151551
|
Heap-buffer-overflow in hsw::lowp::load_NUMBER_dst
|
-
|
2021-03-02
|
1151601
|
Heap-use-after-free in hsw::blit_row_s32a_opaque
|
-
|
2021-03-02
|
1151602
|
Use-after-poison in v8::internal::AstRawString::Compare
|
-
|
2021-03-02
|
1151611
|
Heap-buffer-overflow in hsw::S32_alpha_D32_filter_DX
|
-
|
2021-03-02
|
709946
|
Security: <link rel='prerender'> causes same-site cookies to be sent along with cross-site requests
|
$2000
|
2021-02-26
|
1038002
|
Unintended Data Leakage Through HTTP Request Headers
|
$2000
|
2021-02-26
|
1149692
|
Security: Heap-use-after-free in BluetoothChooserController::AddOrUpdateDevice
|
$15000
|
2021-02-26
|
1150317
|
Security: Potential remote code exec from web content in u2fd
|
-
|
2021-02-26
|
1138683
|
Security: Use-after-free in MediaStreamCaptureIndicator::WebContentsDeviceUsage::AddDevices()
|
$10000
|
2021-02-24
|
1141376
|
Security: --experimental-wasm-gc array length allocation wraps on 32bit
|
-
|
2021-02-24
|
1147357
|
Heap-use-after-free in blink::NGContainerFragmentBuilder::MoveOutOfFlowDescendantCandidatesToDescendant
|
-
|
2021-02-24
|
1146670
|
TFC chrome full chain
|
-
|
2021-02-22
|
1142331
|
Security: use-after-poison in blink::FileReaderLoader::OnReceivedData
|
$5000
|
2021-02-20
|
1148504
|
media_h265_decoder_fuzzer: Stack-buffer-overflow in media::H265Decoder::BuildRefPicLists
|
-
|
2021-02-20
|
1148657
|
Use-after-poison in blink::MediaInspectorContextImpl::RemovePlayer
|
-
|
2021-02-20
|
1106424
|
gstoraster_fuzzer: Use-of-uninitialized-value in s_A85D_process
|
-
|
2021-02-19
|
1130226
|
gstoraster_fuzzer: Use-of-uninitialized-value in load_truetype_glyph
|
-
|
2021-02-19
|
1141062
|
gstoraster_fuzzer: Use-of-uninitialized-value in aes_setkey_enc
|
-
|
2021-02-19
|
1142020
|
heap-buffer-overflow : gfx::internal::StyleIterator::GetTextBreakingRange
|
-
|
2021-02-19
|
1143662
|
use-after-poison in blink::CanvasResourceHost::InitializeForRecording(canvas_resource_host.cc)
|
$5000
|
2021-02-19
|
1146025
|
Content-Security-Policy headers are lost when the page is restored from bfcache
|
-
|
2021-02-19
|
1144646
|
NAT Slipstream: Overlong usernames in TURN credentials
|
-
|
2021-02-19
|
1146068
|
Crash in icu_68::FormattedValueStringBuilderImpl::nextPositionImpl
|
-
|
2021-02-19
|
1147430
|
Security: Heap-buffer-overflow in SkBitmapOperations::UnPreMultiply
|
-
|
2021-02-19
|
1147516
|
airscan_query_fuzzer: Index-out-of-bounds in log_message
|
-
|
2021-02-19
|
1147944
|
airscan_query_fuzzer: Use-of-uninitialized-value in trace_unref
|
-
|
2021-02-19
|
1147943
|
DCHECK failure in vector->optimization_marker() != OptimizationMarker::kCompileOptimizedConcurrent
|
-
|
2021-02-19
|
1148772
|
media_h265_decoder_fuzzer: Crash in base::AtomicRefCount::Decrement
|
-
|
2021-02-19
|
1146654
|
media_h265_parser_fuzzer: Stack-buffer-overflow in media::H265Parser::ParseStRefPicSet
|
-
|
2021-02-17
|
1146673
|
Security: type confusion in wasm cache
|
-
|
2021-02-17
|
1146709
|
Security: Browser UAF when detaching a provisional frame
|
-
|
2021-02-17
|
1146714
|
DCHECK failure in vector->optimization_marker() != OptimizationMarker::kCompileOptimizedConcurrent
|
-
|
2021-02-17
|
1147431
|
Security: Heap-buffer-overflow in ClipboardWin::WriteBitmap
|
-
|
2021-02-17
|
1147623
|
media_h265_decoder_fuzzer: Stack-buffer-overflow in scoped_refptr<media::H265Picture>::swap
|
-
|
2021-02-17
|
1128479
|
Heap-buffer-overflow in cc::TransformTree::StickyPositionOffset
|
-
|
2021-02-16
|
1137606
|
Heap-use-after-free in ui::LayerAnimationSequence::ProgressToEnd
|
-
|
2021-02-16
|
1142069
|
heap-use-after-free : content::DownloadManagerImpl::GetDownload
|
-
|
2021-02-16
|
1145906
|
heap-use-after-free : ProfileInfoCache::NotifyProfileAuthInfoChanged
|
-
|
2021-02-16
|
1146675
|
Security: UAF in PepperFileIOHost
|
-
|
2021-02-16
|
1146761
|
Security: UAF in ImageDecoderExternal due to ArrayBuffer Neuter
|
$7500
|
2021-02-16
|
1146789
|
Bad-cast to blink::LayoutBox from blink::LayoutTextFragment in blink::LayoutBox::LastChildBox
|
-
|
2021-02-16
|
1146861
|
DCHECK failure in dst.low_gp() != lhs.high_gp() in liftoff-assembler-arm.h
|
-
|
2021-02-16
|
1146873
|
net_host_resolver_manager_fuzzer: Heap-buffer-overflow in net::ServiceFormHttpsRecordRdata::IsEqual
|
-
|
2021-02-16
|
1147331
|
Bad-cast to int () in x11::InitXlib
|
-
|
2021-02-16
|
1136078
|
UaF in PaymentCredential::DidDownloadFavicon
|
-
|
2021-02-15
|
1137362
|
Security: Chrome Browser Policy Bypass "Allow invocation of file selection dialogs"
|
$500
|
2021-02-15
|
1146728
|
DCHECK failure in vector->optimization_tier() == OptimizationTier::kNone || (vector->optimization_
|
-
|
2021-02-15
|
1144017
|
Use-of-uninitialized-value in policy::UserCloudPolicyManager::IsFirstPolicyLoadComplete
|
-
|
2021-02-14
|
1146679
|
Security: WeakPtr checks are optimized out
|
-
|
2021-02-14
|
1139411
|
Security: cryptohomed skeleton copy can be raced to chown things to user chronos
|
-
|
2021-02-12
|
1139414
|
Security: imageburner path check can be raced
|
-
|
2021-02-12
|
1144489
|
Security: OSExchangeDataProviderWin::SetDragImage
|
-
|
2021-02-11
|
1144603
|
v8_wasm_code_fuzzer: DCHECK failure in array_buffer->is_shared() in isolate.cc
|
-
|
2021-02-11
|
1146013
|
DCHECK failure in function->is_compiled() in compiler.cc
|
-
|
2021-02-11
|
1137104
|
uaf in load4 SkRasterPipeline_opts.h
|
$5000
|
2021-02-10
|
1137179
|
Security: Root priv escalation through cryptohomed, imageburner, arc-obb-mounter
|
$30000
|
2021-02-10
|
1140376
|
neteq_rtp_fuzzer: Use-of-uninitialized-value in webrtc::test::NetEqTest::RunToNextGetAudio
|
-
|
2021-02-10
|
1143448
|
Heap-use-after-free in ScopedObserver<views::Widget, views::WidgetObserver, &
|
-
|
2021-02-10
|
1144449
|
cras_rclient_message_fuzzer: Heap-buffer-overflow in ccr_handle_message_from_client
|
-
|
2021-02-10
|
1116444
|
Security: Extensions can capture contents of local files using Page.captureScreenshot
|
$5000
|
2021-02-09
|
1125362
|
Security: Possible for extension to escape sandbox via chrome.debugger API and error page
|
$10000
|
2021-02-09
|
1140949
|
CrOS: Vulnerability reported in net-wireless/bluez
|
-
|
2021-02-09
|
1143057
|
Security: WebUSB permission dialog can appear over the wrong tab
|
$500
|
2021-02-09
|
1145124
|
Bad-cast to icu_68::UVector from invalid vptr in icu_68::AliasReplacer::outputToString
|
-
|
2021-02-09
|
1144368
|
Security: ConvertToJavaBitmap heap-buffer-overflow.
|
-
|
2021-02-07
|
1144070
|
mediasource_MP2T_AACSBR_pipeline_integration_fuzzer: Use-of-uninitialized-value in float media::FloatSampleTypeTraits<float>::From<float>
|
-
|
2021-02-06
|
1119873
|
Security: UAF in CSSLayout worklet
|
$5000
|
2021-02-05
|
1143772
|
Security: V8: Turbofan fails to deoptimize code after map deprecation, leading to type confusion
|
-
|
2021-02-05
|
1084649
|
dawn_wire_server_and_frontend_fuzzer: Use-of-uninitialized-value in libvulkan.so.1
|
-
|
2021-02-04
|
1137581
|
cups_ippreadio_fuzzer: Use-of-uninitialized-value in create_item
|
-
|
2021-02-04
|
1137604
|
Heap-use-after-free in ScopedObserver<aura::Window, aura::WindowObserver, &
|
-
|
2021-02-04
|
1143053
|
v8_wasm_code_fuzzer: Crash in v8::internal::TaggedField<v8::internal::WasmModuleObject, 112>::load
|
-
|
2021-02-04
|
1141350
|
Security: Yet another universal XSS via copy&paste
|
$3000
|
2021-02-03
|
1142675
|
uaf in VideoFrame::CreateImageBitmap
|
$5000
|
2021-02-03
|
1134107
|
Security: stack buffer overflow write in RtcEventLogEncoderLegacy::EncodeRtcpPacket
|
$1000
|
2021-02-02
|
1137594
|
CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (IsDereferenceAllowed()) in handles.h
|
-
|
2021-02-02
|
1137603
|
Heap-use-after-free in blink::PropertyTreeStateOrAlias::Unalias
|
-
|
2021-02-02
|
1139409
|
Security: cros-disks will mount local loop devices
|
-
|
2021-02-02
|
1093791
|
Security: Chrome's insecure construction of curl commands allows untrusted websites to retrieve local files from the user's system
|
$500
|
2021-02-01
|
1140549
|
v8_wasm_compile_fuzzer: DCHECK failure in src.is_byte_register() in assembler-ia32.cc
|
-
|
2021-01-30
|
1141868
|
Security DCHECK failure: IsA<Derived>(from) in casting.h
|
-
|
2021-01-30
|
1132954
|
Security: Root priv escalation through shill, arc-setup, and upstart
|
$30000
|
2021-01-29
|
1133047
|
Security: arc-setup should validate /run/arc/oem/etc/media_profiles.xml is not a symlink
|
-
|
2021-01-29
|
1136714
|
Incorrect security UI at screen share API
|
$500
|
2021-01-29
|
1138878
|
Possible UAF in SctpTransport's sctp_inpcb_free
|
-
|
2021-01-29
|
1141743
|
Use-of-uninitialized-value in blink::IsOperatorWithSpecialShaping
|
-
|
2021-01-29
|
1125018
|
Arbitrary file deletion in google chrome updater in master/chrome/updater/installer.cc
|
$1000
|
2021-01-28
|
1127595
|
Chromium: Vulnerability reported in third_party/libxml
|
-
|
2021-01-28
|
1138190
|
pdfium CompositeRow_8bppRgb2Rgb_NoBlend_RgbByteOrder heap-buffer-overflow
|
-
|
2021-01-28
|
1139153
|
Security: Heap-use-after-free in WebRTC
|
$7500
|
2021-01-28
|
1139825
|
pdfium heapoverflow CompositeRow_Argb2Argb_RgbByteOrder
|
-
|
2021-01-28
|
1141256
|
Variables on the stack are not initialized in pp::FloatRect FloatPageRectToPixelRect
|
-
|
2021-01-28
|
1097499
|
pdf_scanlinecompositor_fuzzer: Crash in GetAlphaWithSrc
|
-
|
2021-01-27
|
1137580
|
Bad-cast to content::AgentSchedulingGroup from invalid vptr in content::RenderFrameImpl::Send
|
-
|
2021-01-27
|
1138942
|
Bad-cast to content::AgentSchedulingGroup from invalid vptr in base::internal::Invoker<base::internal::BindState<content::RenderFrameImpl::OnUn
|
-
|
2021-01-27
|
1139398
|
Security: [ANGLE] Invalid memory access in libglesv2!rx::IndexDataManager::streamIndexData
|
$15000
|
2021-01-27
|
1037839
|
pdf_scanlinecompositor_fuzzer: Crash in RGB_Blend
|
-
|
2021-01-26
|
1128340
|
CVE-2020-25211 CrOS: Vulnerability reported in Linux kernel
|
-
|
2021-01-26
|
1134261
|
Security: UAF in Skia SkContourMeasureIter caused by SkPath::shrinkToFit
|
-
|
2021-01-26
|
1137608
|
v8_wasm_compile_fuzzer: DCHECK failure in 0 <= offset in assembler-arm.cc
|
-
|
2021-01-26
|
1138877
|
Security: heap-buffer-overflow in window.find
|
$2000
|
2021-01-26
|
1138911
|
Security: UAF in TabStrip
|
$15000
|
2021-01-26
|
1139786
|
CHECK failure: Type cast failed in CAST(p->receiver()) at ../../src/ic/accessor-assembler.cc:25
|
-
|
2021-01-26
|
1140197
|
Security: Apply fix for freetype heap buffer overflow to Chrome OS
|
-
|
2021-01-26
|
1137583
|
DCHECK failure in CpuFeatures::IsSupported(*feature) in macro-assembler-x64.h
|
-
|
2021-01-25
|
1137584
|
Bad-cast to blink::DrawingDisplayItem from blink::DisplayItem in blink::ConversionContext::Convert
|
-
|
2021-01-25
|
1137591
|
Heap-use-after-free in blink::PaintArtifactCompositor::UpdateDebugInfo
|
-
|
2021-01-25
|
1139408
|
arc-media-removable-{read,write} are not using noexec
|
-
|
2021-01-25
|
945997
|
Using Flash's ProgressEvent to extract the length of cross-site responses
|
$1000
|
2021-01-24
|
1138446
|
Security: webrtc container-overflow in the browser process
|
$5000
|
2021-01-24
|
1139163
|
Security DCHECK failure: tree_order < tree_scopes_.size() in match_result.h
|
-
|
2021-01-24
|
830808
|
SameSite cookie bypass via openWindow
|
$500
|
2021-01-22
|
1115590
|
CSP Bypass via Chrome Extension
|
$3000
|
2021-01-22
|
1133527
|
Security: Debug check failed: IsFound() || !holder_->HasFastProperties(isolate_)
|
$5000
|
2021-01-22
|
1135594
|
Security: woff2 missing upstream fix for integer overflow
|
-
|
2021-01-22
|
1137630
|
Security: PDFium heap-use-after-free in CPWL_ListBox::~CPWL_ListBox()
|
$7500
|
2021-01-22
|
1125614
|
UaF in Payment (Android)
|
-
|
2021-01-21
|
1135018
|
Security: UaF in TabSharingUI
|
$15000
|
2021-01-21
|
1137586
|
DCHECK failure in effect_edges > 0 in verifier.cc
|
-
|
2021-01-21
|
1137590
|
Crash in blink::NGBlockLayoutAlgorithm::CreateConstraintSpaceForChild
|
-
|
2021-01-21
|
1137609
|
Crash in blink::ShapeResultView::CreateShapeResult
|
-
|
2021-01-21
|
1137650
|
Crash in blink::ComputedStyleBase::MutableFilterInternal
|
-
|
2021-01-21
|
1138577
|
Use-after-poison in blink::VideoFrameCallbackRequesterImpl::~VideoFrameCallbackRequesterImpl
|
-
|
2021-01-21
|
1138776
|
CHECK failure: fixed_size_above_fp + in deoptimizer.cc
|
-
|
2021-01-21
|
1138915
|
DCHECK failure in effect_edges > 0 in verifier.cc
|
-
|
2021-01-21
|
1107970
|
gstoraster_fuzzer: Use-of-uninitialized-value in clip_runs_enumerate
|
-
|
2021-01-20
|
1116729
|
dawn_wire_server_and_vulkan_backend_fuzzer: Heap-buffer-overflow in vk::DescriptorSetLayout::DescriptorSetLayout
|
-
|
2021-01-20
|
1125240
|
dawn_wire_server_and_frontend_fuzzer: Heap-use-after-free in dawn_wire::server::Server::GetCmdSpace
|
-
|
2021-01-20
|
1137578
|
v8_wasm_compile_fuzzer: Use-after-poison in v8::internal::wasm::WasmFullDecoder<
|
-
|
2021-01-20
|
1137579
|
Crash in cc::DroppedFrameCounter::ReportFrames
|
-
|
2021-01-20
|
1137582
|
DCHECK failure in stack_capacity_end_ > stack_end_ in function-body-decoder-impl.h
|
-
|
2021-01-20
|
1137588
|
Use-after-poison in blink::VideoFrameCallbackRequesterImpl::~VideoFrameCallbackRequesterImpl
|
-
|
2021-01-20
|
1137587
|
ndproxy_fuzzer: Use-of-uninitialized-value in patchpanel::NDProxy::GetPrefixInfoOption
|
-
|
2021-01-20
|
1137596
|
v8_wasm_compile_fuzzer: Crash in unsigned int v8::base::ReadUnalignedValue<unsigned int>
|
-
|
2021-01-20
|
1137597
|
CHECK failure: IsValidHeapObject(isolate->heap(), HeapObject::cast(p)) in objects-debug.cc
|
-
|
2021-01-20
|
1137598
|
dawn_wire_server_and_frontend_fuzzer: Heap-use-after-free in dawn_wire::server::KnownObjects<WGPUBufferImpl*>::Get
|
-
|
2021-01-20
|
1137601
|
CHECK failure: IsValidHeapObject(heap_, heap_object) in heap.cc
|
-
|
2021-01-20
|
1137600
|
v8_wasm_compile_fuzzer: Use-after-poison in v8::internal::wasm::WasmFullDecoder<v8::internal::wasm::Decoder::kValidate,v8::i
|
-
|
2021-01-20
|
1137602
|
Crash in Builtins_TestEqualStrictHandler
|
-
|
2021-01-20
|
1137605
|
Crash in Builtins_TypeOfHandler
|
-
|
2021-01-20
|
1137652
|
Bad-cast to float (float) noexcept in skvx::Vec<sizeof...
|
-
|
2021-01-20
|
1137668
|
PDFium(XFA) Heap-use-after-free in ProbeForLowSeverityLifetimeIssue
|
-
|
2021-01-20
|
1138197
|
DCHECK failure in 2 == args.length() in builtins-reflect.cc
|
-
|
2021-01-20
|
1133009
|
Security: login_manager symlink attack
|
-
|
2021-01-19
|
1134338
|
Security: Incorrect Handling of XFrameOptions with mailMsg in the PDF Viewer
|
$3000
|
2021-01-19
|
1136327
|
Security: Use of use-of-uninitialized-value in UsbDeviceHandleUsbfs
|
-
|
2021-01-19
|
1137595
|
Bad-cast to content::AgentSchedulingGroup from mojo::core::UserMessageImpl in base::internal::Invoker<base::internal::BindState<content::RenderFrameImpl::OnUn
|
-
|
2021-01-19
|
1133210
|
DCHECK failure in !IsJSGlobalObject(isolate) in js-objects-inl.h
|
$5000
|
2021-01-18
|
1133635
|
Security: UAF in PasswordGenerationPopupControllerImpl::PasswordAccepted
|
$20000
|
2021-01-18
|
1135835
|
DialURLFetcher::Start may bypass Sec-Fetch-Site
|
-
|
2021-01-18
|
1125337
|
Portrait photos (taken by Pixel3aXL) with EXIF crash on Desktop
|
$500
|
2021-01-15
|
1128270
|
Security: UAF in UrlLoaderFactoryProxyImpl
|
$20000
|
2021-01-14
|
1132998
|
CrosDisks accepts arbitrary bind mount parameters
|
-
|
2021-01-14
|
1134960
|
Security: Use-after-free with using print dialog
|
$3000
|
2021-01-14
|
1135857
|
Security: UAF in USBDevice
|
$10000
|
2021-01-14
|
1133006
|
Security: network_diag does not validate multiline input
|
-
|
2021-01-12
|
1134983
|
CrOS: Vulnerability reported in net-fs/samba
|
-
|
2021-01-12
|
1110195
|
Security: Method field allows injection of HTTP requests
|
-
|
2021-01-09
|
1122487
|
UAF in devtools
|
$500
|
2021-01-08
|
1133183
|
Incorrect Security UI when using Tab preview
|
$500
|
2021-01-08
|
1133275
|
CrOS: Vulnerability reported in sys-libs/ldb
|
-
|
2021-01-08
|
1133668
|
Use after free triggered from mojo::SyncEventWatcher
|
-
|
2021-01-08
|
1133671
|
Security: UAF in AutofillPopupControllerImpl::HandleKeyPressEvent
|
$20000
|
2021-01-08
|
1133688
|
Security: UAF in PasswordGenerationPopupControllerImpl::HandleKeyPressEvent
|
$20000
|
2021-01-08
|
1133983
|
Security: UaF in printing::PrintRenderFrameHelper::PreviewPageRendered()
|
$5000
|
2021-01-08
|
1124661
|
Bad-cast to blink::LayoutInline from blink::LayoutBlockFlow in blink::NGInlineNode::ComputeOffsetMapping
|
-
|
2021-01-06
|
1124963
|
Heap-buffer-overflow in blink::NGOffsetMapping::GetMappingUnitsForLayoutObject
|
-
|
2021-01-06
|
1128657
|
audio.captureStream() may allow cross-origin resource theft
|
-
|
2021-01-06
|
1133000
|
ArcObbMounter mounts without noexec
|
-
|
2021-01-06
|
1133001
|
Security: ArcObbMounterInterface.MountObb takes arbitrary gid offset
|
-
|
2021-01-06
|
960357
|
Chrome v74 JS dialog description Spoof vulnerability on IOS
|
$500
|
2021-01-05
|
1127322
|
UaF in ServiceWorkerPaymentApp
|
-
|
2021-01-05
|
1129850
|
uaf in browser process(ServiceWorkerScriptLoaderFactory())
|
-
|
2021-01-05
|
1127620
|
DCHECK failure in OperatorProperties::GetTotalInputCount(node->op()) == node->InputCount() in veri
|
-
|
2021-01-05
|
1132641
|
Security: out of bounds write in CanonicalizeTimeZoneID
|
-
|
2021-01-05
|
1132926
|
Step "browser_tests" failing on builder "Linux ChromiumOS MSan Tests"
|
-
|
2021-01-05
|
1080395
|
Android/iOS: URL spoofing using long sub-domain for blob:URL
|
$3000
|
2021-01-04
|
1126881
|
CrOS: Vulnerability reported in net-libs/gnutls
|
-
|
2021-01-02
|
1131040
|
Check secure payment confirmation feature state in browser process.
|
-
|
2021-01-02
|