Chromium Disclosed Security Bugs

Chromium security bugs are publicly disclosed by Google 14 weeks after fixing. They have great learning value, but it's difficult to keep track of exactly when they're derestricted. This page is a hub of security bugs that have recently gone public.

Bugs can also be followed on Twitter: @BugsChromium or Mastodon.

Bugs disclosed in 2022

Columns: bug ID, summary, reward in $ (- where none is listed), disclosure date
1322425 CrOS: Vulnerability reported in media-libs/freetype - 2022-12-31
1322858 CrOS: Vulnerability reported in media-libs/freetype - 2022-12-31
1343384 heap-buffer-overflow in RPHReferenceManager::OnWebContentsDestroyedOrNavigated $7000 2022-12-31
1365082 Existing Trusted Types check for javascript url can be bypassed - 2022-12-31
1366633 heap-use-after-free supports_user_data.cc:30 in base::SupportsUserData::GetUserData - 2022-12-31
1366813 Security: custom_element_registry use-after-poison $7000 2022-12-31
1367107 CHECK failure: elements() == ReadOnlyRoots(isolate).empty_fixed_array() - 2022-12-31
1367133 CHECK failure: fixed_size_above_fp + (stack_slots * kSystemPointerSize) - CommonFrameConstants: - 2022-12-31
1364492 Security: Heap-use-after-free in UnusedSitePermissionsService::UpdateUnusedPermissionsAsync $1000 2022-12-29
1366521 Security: Cast cert verification: builtin certificate verifier can be bypassed with invalid TBS signature algorithm - 2022-12-29
1302813 Heap-use-after-free in ImportDataHandler::~ImportDataHandler $2000 2022-12-28
1303306 Security: Locked devices - VPN adding possible $5000 2022-12-28
1328708 UAF in SessionLogHandler::FileSelected $2000 2022-12-28
1344514 Heap-use-after-free on CaptionBubble::BackToTabButtonPressed $1000 2022-12-28
1350564 Security: heap-use-after-free chrome/browser/ui/views/tabs/tab_drag_controller.cc:1480:7 (Lacros) $2000 2022-12-28
1351339 double-free in libXml's error handling - 2022-12-28
1359937 ASSERT: i >= 0 && i < len_ - 2022-12-28
1365248 Heap-use-after-free in void base::internal::Invoker<base::internal::BindState<void - 2022-12-28
1362529 v8_inspector_fuzzer: DCHECK failure in maybe_result.is_null() in microtask-queue.cc - 2022-12-27
1358026 Security: Heap-use-after-free in FrameUserNoteChanges $7000 2022-12-26
1363021 uaf in TemplateStore::GetTemplates - 2022-12-26
1363998 Security: UAF in TransportClientSocket $11000 2022-12-26
1363859 v8_wasm_compile_fuzzer: DCHECK failure in static_cast<unsigned>(index) < static_cast<unsigned>(length()) in fixed-array-in - 2022-12-25
1363895 v8_wasm_compile_fuzzer: Trap in v8::internal::Scavenger::Process - 2022-12-25
1348464 Security: container-overflow in HistoryClustersHandler::OpenVisitUrlsInTabGroup $2000 2022-12-23
1362487 Trap in v8::internal::__RT_impl_Runtime_AbortCSADcheck - 2022-12-23
1364319 DCHECK failure in type.representation() == MachineRepresentation::kFloat64 || type.representation( - 2022-12-23
1364539 CHECK failure: next_index().Number() >= 0 in objects-debug.cc - 2022-12-23
1183604 Compromised web renderer that *hasn't* run any content scripts can spoof chrome.storage (and other API calls) for any extension - 2022-12-22
1237637 wayland_buffer_fuzzer: Use-of-uninitialized-value in ui::WaylandScreen::AddOrUpdateDisplay - 2022-12-22
1351177 Security: Potential UAF in WebstoreInstallWithPrompt $2000 2022-12-22
1358375 Heap-use-after-free in PresShell::DispatchSynthMouseMove - 2022-12-22
1358870 Security: UAF in CompoundTabContainer $8000 2022-12-22
1358907 Heap-use-after-free in blink::StyleVariables::operator== $9000 2022-12-22
1359382 DCHECK failure in !node->is_dead() in maglev-regalloc.cc - 2022-12-22
1359429 CHECK failure: properties_or_hash__value.IsSmi() || properties_or_hash__value.IsFixedArrayBase( - 2022-12-22
1359745 DCHECK failure in IsPrimitiveMap() in map-inl.h - 2022-12-22
1359928 CHECK failure: shared(isolate).IsSharedFunctionInfo() in objects-debug.cc - 2022-12-22
1360792 Crash in Builtins_JSEntryTrampoline - 2022-12-22
1360797 CHECK failure: map.IsMap(cage_base) in new-spaces.cc - 2022-12-22
1360801 Trap in v8::internal::Isolate::PushStackTraceAndDie - 2022-12-22
1360875 Crash in Builtins_StringEqual - 2022-12-22
1362954 Crash in v8::internal::Invoke - 2022-12-22
1364069 Segv on unknown address in v8::internal::IsolateData::cage_base - 2022-12-22
1323488 memeory corruption in frame_queue_underlying_source.cc $3000 2022-12-20
1358872 DCHECK failure in descriptors.GetDetails(index).representation().IsDouble() in maglev-graph-builde - 2022-12-20
1358878 DCHECK failure in is_loadable() in maglev-ir.h - 2022-12-20
1359427 DCHECK failure in (heap) != nullptr in heap-write-barrier-inl.h - 2022-12-20
1359926 DCHECK failure in (prediction) == nullptr in frames.cc - 2022-12-20
1361245 DCHECK failure in topmost_optimized_code.is_null() || safe_if_deopt_triggered || is_builtin_code i - 2022-12-20
1361332 DCHECK failure in input.node()->has_register() || input.node()->is_loadable() in maglev-regalloc.c - 2022-12-20
1361377 Security: UAF in CrostiniUpgraderDialog::OnDialogCloseRequested - 2022-12-20
1361627 heap-use-after-free : display::Display::id - 2022-12-20
1362174 Crash in v8::internal::LookupIterator::ComputeConfiguration - 2022-12-20
1362298 DCHECK failure in !has_optimized_code() || optimized_code().marked_for_deoptimization() || (CodeKi - 2022-12-20
1271406 Fenced Frame can trigger downloads - 2022-12-19
1360936 Security: WebRTC VP9 Simulcast screenshare crash - 2022-12-19
1361849 pdfium_fuzzer: Heap-use-after-free in CPDF_StreamAcc::~CPDF_StreamAcc - 2022-12-18
1345275 Security: Symbolic Link Following + Upload Warning Bypass $3000 2022-12-17
1351619 Security: UAF in LocalDeskDataManager $1000 2022-12-17
1359958 Use-after-poison in v8::internal::maglev::StraightForwardRegisterAllocator::InitializeEmptyBlockRegi - 2022-12-17
1360736 DCHECK failure in to_kind == DICTIONARY_ELEMENTS || to_kind == SLOW_STRING_WRAPPER_ELEMENTS || IsT - 2022-12-17
1361345 Crash in v8::internal::maglev::Input::node - 2022-12-17
1361434 Trap in v8::internal::__RT_impl_Runtime_AbortCSADcheck - 2022-12-17
1361899 Trap in Builtins_CheckTurbofanType - 2022-12-17
1361903 freetype_cff_ftengine_fuzzer: Heap-buffer-overflow in TT_Get_MM_Var - 2022-12-17
1319229 UAF in ash::HatsDialog $3000 2022-12-15
1320139 UAF in ash::HatsDialog::Show $2000 2022-12-15
1338114 webcodecs_video_encoder_fuzzer: Stack-buffer-overflow in aom_scaled_2d_ssse3 - 2022-12-15
1361159 freetype_cff_ftengine_fuzzer: Invalid-free in ft_free - 2022-12-15
1339656 audio_encoder_isac_float_fuzzer: Stack-buffer-overflow in WebRtcIsac_PitchAnalysis - 2022-12-14
1342163 Security: Heap-use-after-free in UserNoteUICoordinator::Invalidate $7000 2022-12-14
1358381 Security: OOB Write in sqlite3FindInIndex $7000 2022-12-14
1359227 DCHECK failure in (shared_object_conveyor_) != nullptr in value-serializer.cc - 2022-12-14
1359675 CHECK failure: key.IsName() - 2022-12-14
1359776 DCHECK failure in HAS_SMI_TAG(ptr) in smi.h - 2022-12-14
1359991 DCHECK failure in !is_length_tracking() in js-array-buffer-inl.h - 2022-12-14
1360189 Crash in void v8::internal::BodyDescriptorBase::IteratePointers<v8::internal::ScavengeVis - 2022-12-14
1360295 freetype_cff_ftengine_fuzzer: Heap-buffer-overflow in TT_Get_MM_Var - 2022-12-14
1360432 Trap in v8::internal::__RT_impl_Runtime_Abort - 2022-12-14
1360684 Stack-use-after-scope in base::SplitStringPiece - 2022-12-14
1360793 Crash in v8::internal::CheckObjectComparisonAllowed - 2022-12-14
1360796 DCHECK failure in HAS_SMI_TAG(ptr) in smi.h - 2022-12-14
1360803 CHECK failure: IsJSFunction() - 2022-12-14
1332924 MicrosoftEdgeUpdate DACL Privilege Escalation - 2022-12-13
1356895 Crash in c:\clusterfuzz\bot\builds\v8-asan_win64-release_4b2f02da5ce6ecbd9ca48ce0c60db498 - 2022-12-13
1358732 Security: clang-analyzer-cplusplus.NewDelete in third_party/pdfium/core/fpdfapi/parser/cpdf_object_walker.cpp - 2022-12-13
1359519 Crash in v8::internal::LookupIterator::ComputeConfiguration - 2022-12-13
1359637 DCHECK failure in !context().is_null() in isolate-inl.h - 2022-12-13
1359639 Crash in Builtins_ConstructWithArrayLike_WithFeedback - 2022-12-13
1359784 Crash in Builtins_AsyncFunctionEnter - 2022-12-13
1359812 Crash in v8::internal::Isolate::MayAccess - 2022-12-13
1359835 DCHECK failure in static_cast<uintptr_t>(type) < Type::NUMBER_OF_TYPES in frames.h - 2022-12-13
1359931 Crash in Builtins_DatePrototypeGetUTCFullYear - 2022-12-13
1360061 Crash in v8::internal::LookupIterator::GetRootForNonJSReceiver - 2022-12-13
1355237 use-after-poison local_frame_view.cc:816 in blink::LocalFrameView::PerformLayout $9000 2022-12-12
1359163 CHECK failure: untyped_->count(slot.address()) > 0 in heap-verifier.cc - 2022-12-12
1359215 CHECK failure: proto.map().oddball_type() == OddballType::kNull - 2022-12-12
1359425 CHECK failure: context__value.IsContext() in class-verifiers.cc - 2022-12-12
1359426 CHECK failure: context__value.IsContext() - 2022-12-12
1359598 Crash in Builtins_DatePrototypeGetUTCSeconds - 2022-12-12
1359658 Crash in v8::internal::Factory::NewCatchContext - 2022-12-12
1359662 Crash in Builtins_FastNewClosure - 2022-12-12
1359822 Crash in Builtins_CEntry_Return2_SaveFPRegs_ArgvOnStack_BuiltinExit - 2022-12-12
1359868 Crash in v8::internal::Map::instance_type - 2022-12-12
1359936 DCHECK failure in !map->is_deprecated() in map-updater.cc - 2022-12-12
1357397 Security: UAF in ash::PrintServersProviderImpl::NotifyObservers $2000 2022-12-10
1359294 CHECK failure: addr + size <= chunk_->area_end() in mark-compact-inl.h - 2022-12-10
1359638 Crash in v8::internal::Scavenger::Process - 2022-12-10
1343104 Extensions can Page.navigate to chrome-untrusted://crosh and chrome-untrusted://terminal $3000 2022-12-09
1343219 Heap-use-after-free in ash::AshNotificationView::ActionButtonPressed $6000 2022-12-09
1344878 use-after-free in Serial $3000 2022-12-09
1346938 webcodecs_video_encoder_fuzzer: Stack-buffer-overflow in aom_scaled_2d_ssse3 - 2022-12-09
1348283 Security: Pending fix for ffmpeg memory corruption bug - 2022-12-09
1356308 Breakpoint with empty stacktrace - 2022-12-09
1357413 uaf in webrtc::VideoStreamEncoder::RequestRefreshFrame $7500 2022-12-09
1358059 create_trials_from_seed_fuzzer: Use-of-uninitialized-value in variations::internal::ShouldAddStudy - 2022-12-09
1358075 Security: heap-use-after-free in SearchNameNodeByNameInternal $10000 2022-12-09
1358597 heap-use-after-free html_element.cc:1850 in blink::HTMLElement::offsetTopForBinding $7000 2022-12-09
1359084 CHECK failure: c_wrapper_code__value.IsCodeDataContainer() in class-verifiers.cc - 2022-12-09
1359114 DCHECK failure in !has_optimized_code() || optimized_code().marked_for_deoptimization() || (CodeKi - 2022-12-09
1317904 Security: Select dropdown able to overlap fullscreen notification toast $3000 2022-12-07
1350111 Security: compromised renderer is able to send extension message to another tab $3000 2022-12-07
1352817 Security: UAF in FeedbackData::CompressSystemInfo $2000 2022-12-07
1355252 use-after-free in BrowserCrashEventRouter $6000 2022-12-07
1355902 Security: UAF in content::CrOSSystemTracingSession::StartTracingCallbackProxy (browser process) $5000 2022-12-07
1356234 MessagingAPIMessageFilter::OnOpenChannelToNativeApp doesn't verify `const PortContext& source_context` - 2022-12-07
1358090 Security: heap-use-after-free in CPDF_FormField::ResetField() $10000 2022-12-07
1189392 ChromeRenderFrame.RequestImageForContextNode violates the Rule of 2 - 2022-12-06
1267867 Security: It is possible to lock the pointer while window is not focused. $1000 2022-12-06
1335706 CrOS: Vulnerability reported in app-editors/vim - 2022-12-06
1336938 CrOS: Vulnerability reported in app-editors/vim - 2022-12-06
1337542 CrOS: Vulnerability reported in app-editors/vim - 2022-12-06
1348498 Security: UAF in LockScreenReauthHandler::HandleCompleteAuthentication $3000 2022-12-06
1350609 Security: heap-use-after-free ash/app_list/views/apps_grid_view.cc:653:26 in ash::AppsGridView::EndDrag(bool) (chromeOS) $2000 2022-12-06
1357303 Security: PDFium OOB Write in OpenJPEG due to a missed patch $7000 2022-12-06
1357884 Heap-use-after-free in ash::MultiCaptureNotification::~MultiCaptureNotification - 2022-12-06
1243932 gpu_swangle_passthrough_fuzzer: Crash in gpu::gles2::GLES2DecoderPassthroughImpl::DoBindTexture - 2022-12-04
1355892 rtp_video_layers_allocation_fuzzer: Trap in rtc::webrtc_checks_impl::WriteFatalLog - 2022-12-04
1355103 Security: potential buffer overflow in zlib - CVE-2022-37434 $1000 2022-12-02
1355682 Security: PDFium OOB Access in CXFA_ViewLayoutProcessor::GetNextAvailContentHeight $7000 2022-12-02
1356187 heap-buffer-overflow in FederatedAuthRequestImpl::RequestToken - 2022-12-02
1215946 Security: Chrome OS - Guest mode | critical commands via crosh which even persist guest by guest changes $1000 2022-12-01
1301333 Security: bypass resource requests whose URLs contained both removed whitespace (`\n`, `\r`, `\t`) characters and less-than characters (`<`) in the fencedframe element $1000 2022-12-01
1327505 Security: Chrome on Android Tablet Mode Select Dropdown Spinner able to Overlap Fullscreen Notification Toast $1000 2022-12-01
1354923 Security: heap-buffer-overflow on ash/system/accessibility/dictation_bubble_controller.cc $2000 2022-12-01
1350558 Security: heap-use-after-free ash/wm/gestures/wm_fling_handler.cc:59:22 in ash::WmFlingHandler::OnAnimationStep(base::TimeTicks) $2000 2022-11-30
1355748 Security DCHECK failure: num_chars <= length() in segmented_string.cc - 2022-11-30
1355752 Security: heap-use-after-free in CaptureModeController::CaptureImage $1000 2022-11-30
1355866 Crash in blink::LayoutObjectChildList::RemoveChildNode - 2022-11-30
1290236 Security: CDP Runtime.queryObjects leaks internal objects in JS heap, allowing CDP clients to compromise V8 process $1000 2022-11-29
1339648 Security: v8: corrupt typed array from bad deserializer input $15000 2022-11-29
1346911 libwebp_enc_dec_api_fuzzer: Heap-buffer-overflow in VP8LHashChainFill - 2022-11-29
1352802 Security: Use After Free of Device object in GPU process. $17000 2022-11-29
1354972 v8_inspector_fuzzer: DCHECK failure in maybe_result.is_null() in microtask-queue.cc - 2022-11-29
1355679 CHECK failure: push_segment_ implies push_segment_->IsEmpty() - 2022-11-29
1338023 Security: heap-after-free on base/task/thread_pool/pooled_single_thread_task_runner_manager.cc (Lacros) - 2022-11-28
1345540 Security: heap-use-after-free third_party/wayland/src/src/wayland-server.c:799:17 in wl_resource_set_user_data (ChromeOS Lacros) - 2022-11-28
1352388 Security: Download notification can hide 'Press Esc to exit fullscreen' warning $3000 2022-11-25
1352549 Security: v8/blink: Leaked ObservableArray Object leads to TypeConfusions, leading to RCE - 2022-11-25
1243802 Security: RCE - Download Silently *.exe or *.dll to users Desktop or Downloads folder $3000 2022-11-23
1346048 heap-use-after-free in WebDragSourceAura::CancelDrag $10000 2022-11-23
1347015 Security: UAF in HidService::GetDevices $6000 2022-11-23
1351969 Security: Heap-use-after-free in ManagePasswordsUIController::SavePassword $4000 2022-11-23
1347868 Null-dereference READ in blink::NGPhysicalBoxFragment::OverflowClipRect - 2022-11-21
1351580 heap-use-after-free : ash::AppListItemList::FindItem - 2022-11-21
957002 Security: Possible to include mixed content in an about:blank popup opened by a https page $3000 2022-11-19
1346245 Security: UAF in AppWindowContentsImpl::~AppWindowContentsImpl $10000 2022-11-18
1350743 Security: Use-After-Free in CaptureModeSessionFocusCycler::~CaptureModeSessionFocusCycler $2000 2022-11-18
1240065 javascript URL is broken in ChromeCustom tab for Android Apps $1000 2022-11-17
1345630 Security: Android in-the-wild Intent Redirect Vulnerability - 2022-11-17
1351170 Security: [ANGLE] Heap use-after-free caused by changing the framebuffer cache to sharing in context $16000 2022-11-17
1338393 Security: AMD-SN-1040: IBPB and Return Address Predictor Interactions Vulnerabilities impact assessment - 2022-11-16
1347707 Security: UAF in UserNoteService $30000 2022-11-16
1351243 Crash in cppgc::internal::ConcurrentMarkingTask::Run - 2022-11-16
1247577 Security: Connectivity establishment continues even if certificate verification using SSLCertificateVerifier failed - 2022-11-15
1348716 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2022-11-15
1350097 Chrome: heap-buffer-overflow in offline_items_collection::OfflineContentAggregator::OnItemRemoved - 2022-11-15
1350711 Security: Use-After-Free in UserNudgeController::PerformViewScaleAnimation $2000 2022-11-15
1346808 Heap-use-after-free in rx::ShareGroupVk::onMutableTextureUpload - 2022-11-14
1348474 UAP style_invalidator.cc:192 in blink::StyleInvalidator::PushInvalidationSetsForContainerNode $7000 2022-11-14
1349493 Security: console.log still allows loading images via %c formatter $500 2022-11-14
1349687 Security: Heap-use-after-free in WebContentsImpl::OpenURL $3000 2022-11-14
1350270 DCHECK failure in ONE_BYTE == state_ in string.h - 2022-11-14
1337538 Security: use after free in GraphicsPipeline::containsImageWrite $7000 2022-11-12
1345546 Security: Use-After-Free in WebUIBubbleDialogView::ClearContentsWrapper $3000 2022-11-12
1348415 Security: UAF in ChromeOS webui chrome://assistant-optin/ $4000 2022-11-11
1349322 Security: heap-use-after-free in AccountSelectionBubbleView::OnAccountImageFetched - 2022-11-11
1338553 Incorrect use of weakptr lead to uaf $5000 2022-11-10
1346154 Security: heap-buffer-overflow in ash::DesksBarView::OnDeskRemoved $2000 2022-11-10
1348714 Security DCHECK failed: !NeedsLayout() || ChildLayoutBlockedByDisplayLock() $7000 2022-11-10
1349761 vp9_encoder_references_fuzzer: Trap in rtc::webrtc_checks_impl::WriteFatalLog - 2022-11-10
1330038 Security: Heap-use-after-free in ash::TabletModeBrowserWindowDragSessionWindowsHider::~TabletModeBrowserWindowDragSessionWindowsHider $3000 2022-11-09
1300539 Security: Url Hijacking using intent:// when onload web page using bookmark (Google Chrome Android) $2000 2022-11-08
1345039 v8_inspector_fuzzer: DCHECK failure in isolate->has_scheduled_exception() implies maybe_result.is_null() && maybe_excep - 2022-11-08
1346810 Security DCHECK failure: to <= length() in string_view.cc - 2022-11-08
1348082 Security: heap-buffer-overflow in TableView $4000 2022-11-08
1342586 Security: `chrome.downloads.onDeterminingFilename` can be used to bypass the fix for issue 1310461 and steal environment variables $7000 2022-11-07
1333623 Safebrowsing does not trigger a malware warning for malware loaded through an embed $5000 2022-11-05
1322812 Security DCHECK(TypeConfuse) failed: IsA<Derived>(from) in blink::VisualViewport::StartTrackingPinch $7000 2022-11-04
1333995 Security: heap-use-after-free on IsLacrosWindow ash/drag_drop/tab_drag_drop_delegate.cc (Lacros) $3000 2022-11-04
1346969 TypeConfuse in blink::NGLayoutInputNode::IsEmptyTableSection ng_layout_input_node.cc:87 $7500 2022-11-04
1347722 CHECK failure: (location_) != nullptr in maybe-handles.h - 2022-11-04
1338412 Security: UAF in chromeos::multidevice::MultidevicePhoneHubHandler $3000 2022-11-03
1338560 Incorrect use of weakptr lead to UAF in NearbyShare $3000 2022-11-03
1341918 Security: use after free in DiceWebSigninInterceptor $5000 2022-11-03
1342722 sourceMappingURL directive allows use of UNC paths on Windows $7500 2022-11-03
1345042 wild read in DrawCall::run $7000 2022-11-03
1347943 tint_renamer_fuzzer: Use-of-uninitialized-value in tint::reader::wgsl::ParserImpl::sync_to - 2022-11-03
1318791 use-after-free in reboot_notifications_scheduler $3000 2022-11-02
1338135 AddressSanitizer: heap-use-after-free html_element.cc:1802 in blink::HTMLElement::offsetTopForBindin $5000 2022-11-02
1345193 Security: = prepended in document.cookie allows to bypass __Secure and __Host prefixes $2000 2022-11-02
1347721 Heap-buffer-overflow in void v8::internal::TypedElementsAccessor< - 2022-11-02
1338637 Security: heap-use-after-free chrome/browser/enterprise/browser_management/browser_management_status_provider.cc - 2022-11-01
1343141 Security: UAF in OnAccessTokenRefreshFailed $3000 2022-11-01
1345921 UAF in AccessCodeCastSinkService $9500 2022-11-01
1346236 Security: Code Injection in WebUI page leading to sandbox escape $5000 2022-11-01
1347298 tint_single_entry_point_fuzzer: Container-overflow in tint::reader::wgsl::ParserImpl::sync_to - 2022-11-01
1345088 Security: type confusion in chrome $1000 2022-10-31
1158477 Security: Bypassing HTTP auth block for subresource loads - 2022-10-31
1326856 CrOS: Vulnerability reported in app-admin/rsyslog - 2022-10-30
1336768 heap-buffer-overflow : charntorune - 2022-10-29
1345245 Security: heap-buffer-overflow on components/exo/shell_surface_util.cc:230:40 (Lacros) $2000 2022-10-29
1345547 libwebp_enc_dec_api_fuzzer: Heap-buffer-overflow in VP8LHashChainFill - 2022-10-29
1345772 libwebp_enc_dec_api_fuzzer: Use-of-uninitialized-value in VP8LHistogramAddSinglePixOrCopy - 2022-10-29
1345894 TypeConfuse in blink::LayoutTable::AddChild layout_table.cc:194 $5000 2022-10-29
1345947 Security: Another UAF in WebSQL sqlite3Select $7500 2022-10-29
1346204 GPU failure in blink::NGInlineNode::ComputeMinMaxSizes - 2022-10-29
1346477 Heap-use-after-free in ash::AppListItemList::FindItem - 2022-10-29
1099587 Use unique identifier rather than timestamps for verifying V8 code cache entries - 2022-10-27
1232402 heap buffer over flow in printing::PrintPreviewUI::SetInitialParams(use devtools) $2000 2022-10-27
1338470 Security: Invalid function pointer in ~ExternalImageDXGI() in D3D backend $7000 2022-10-27
1346041 Security: WebGPU OOB read in writeTexture - 2022-10-27
1286203 Security: Potential UaF in TabStripModel (chromeOS) $3000 2022-10-26
1344814 Security: Heap-use-after-free in user_notes::FrameUserNoteChanges::Apply (Annotation - deleting a note that was just created in another tab causes crash) $3000 2022-10-26
1303308 Security: Manipulate Session State (open webpages in locked sessions) $5000 2022-10-25
1319172 Security: heap-use-after-free in exo::wayland::WaylandDisplayHandler::UnsetXdgOutputResource (Lacros) $1000 2022-10-25
1329147 CrOS: Vulnerability reported in app-editors/vim - 2022-10-25
1329798 CrOS: Vulnerability reported in app-editors/vim - 2022-10-25
1332958 CrOS: Vulnerability reported in app-editors/vim - 2022-10-25
1333970 heap-use-after-free : gfx::IsValidCodePointIndex - 2022-10-25
1335014 CrOS: Vulnerability reported in app-editors/vim - 2022-10-25
1337002 Security: heap-use-after-free ash/drag_drop/drag_drop_tracker.cc:111:1 (chromeOS) $3000 2022-10-25
1340219 CrOS: Vulnerability reported in app-editors/vim - 2022-10-25
1344744 Security: UAF in VolumeManager::OnSshfsCrostiniUnmountCallback $3000 2022-10-24
1307271 CrOS: Vulnerability reported in net-wireless/bluez - 2022-10-23
1343889 Security: Dicey DCHECK in WebRTC - 2022-10-23
1336145 Security: heap-use-after-free ash/system/tray/tray_bubble_view.cc (chromeOS) $2000 2022-10-21
1343348 Security: UAF in WebSQL sqlite3Select, Potential RCE in Chrome $10000 2022-10-21
1314674 Use-after-Free on ArcBluetoothBridge::OnBluetoothConnectingSocketReady $4000 2022-10-20
1316983 Security: Heap-use-after-free in ash::DesksTemplatesPresenter::OnNewDeskCreatedForTemplate $1000 2022-10-20
1339140 Security: container-overflow in TabStripModel::AddToNewGroupImpl $2000 2022-10-20
1341539 heap-overflow in blink::TableLayoutAlgorithmAuto::InsertSpanCell table_layout_algorithm_auto.cc $9000 2022-10-20
1344113 Security: Heap-buffer-overflow in BrowserThemePack::GenerateMissingNtpColors - 2022-10-20
1265193 Referrer leakage via object & embed tags despite setting referrer policy to no-referrer $2000 2022-10-19
1311399 User gesture requirements on external navigation are ineffective - 2022-10-19
1338765 Security: heap-use-after-free on ash/webui/eche_app_ui/eche_uid_provider.cc:51:23 (chromeOS) - 2022-10-19
1339844 Security: heap-use-after-free in content::ServiceWorkerVersion::MaybeTimeoutRequest - 2022-10-19
1340253 Security: heap-use-after-free in network::URLLoader::NotifyCompleted - 2022-10-19
1342078 Security: Pdfium heap bof in CFDE_TextOut::RetrievePieces() $7500 2022-10-19
1316892 Security: heap-buffer-overflow on ash/host/ash_window_tree_host_platform.cc (chromeOS) $3000 2022-10-18
1340654 Security: WebGPU: Missing Validation in DoBufferUpdateMappedData leads to OOB write - 2022-10-18
1341603 Security: UAF in CloseBubbleOnTabActivationHelper::~CloseBubbleOnTabActivationHelper $2000 2022-10-18
1329814 Security: UAF in PermissionPromptBubbleView $20000 2022-10-17
1341907 Security: use after free in AccountReconcilor $5000 2022-10-17
1325256 UAF in GestureRecognizerImpl. $5000 2022-10-15
1330050 Security: minijail mounts rw,noexec /var as ro - 2022-10-15
1335015 CrOS: Vulnerability reported in net-print/cups - 2022-10-15
1336904 An iframe on a different domain can change the location to about:blank which enables you to access properties on the window. document.baseURI is leaked from the parent frame. $2000 2022-10-15
1337132 Security: HeapOverflow in PluralStringHandler::HandleGetPluralString $3000 2022-10-15
1341887 Security: use after free in IPH DemoMode NeverAvailabilityModel $3000 2022-10-15
1342155 Security: Use After Free of GPUExternalTexture object in renderer process. $7500 2022-10-15
1342452 Heap-use-after-free in ash::DeskPreviewView::MaybeActivateHighlightedView - 2022-10-15
1292451 Security: heap-use-after-free on third_party/abseil-cpp/absl/types/internal/optional.h:208:13 in optional_data (chromeOS) $2000 2022-10-14
1315313 sqlite3_lpm_fuzzer: Heap-use-after-free in renameTokenCheckAll - 2022-10-14
1332593 Remote Code Execution(RCE) via Dependency confusion $1000 2022-10-14
1337304 Security: UAF in content::WebUI::Call $2000 2022-10-14
1341168 Security: Heap-use-after-free in SidePanelCoordinator::PopulateSidePanel $3000 2022-10-14
1341619 Typeconfuse in blink::LayoutTableRow::AddChild layout_table_row.cc:193 $5000 2022-10-14
1342104 chrome.debugger 'Page.navigate' can navigate iframes to file:// when not enabled. $3000 2022-10-14
1342122 freetype_cff_ftengine_fuzzer: Heap-buffer-overflow in tt_face_load_colr - 2022-10-14
1342201 Security: [iOS] Heap-use-afer-free in BrowsingHistoryService::QueryComplete - 2022-10-14
1308391 Security: UAF in SyncConfirmation $10000 2022-10-13
1330857 sqlite3_fts3_lpm_fuzzer: Crash in sqlite3Fts3Incrmerge - 2022-10-13
1335412 Use-after-poison in blink::CSSParserImpl::ConsumeMediaRule - 2022-10-13
1335902 Security: chromeos Root priv escalation to write file - 2022-10-13
1339745 Security: container-overflow in chrome_pdf::PDFiumEngine::SelectFindResult $2000 2022-10-13
1336668 Security: ChromeOS root privilege escalation (arcvm_server_proxy, virtio-wl, vmplugin_dispatcher, upstart) $30000 2022-10-12
1337676 Security: use after free in DiceWebSigninInterceptor::OnAccountLevelManagedAccountsSigninRestrictionReceived $1000 2022-10-12
1338057 heap-use-after-free in RenderViewContextMenu::ExecuteCommand $2000 2022-10-12
1330489 Security: UAF in ManagedConfigurationAPI::GetConfigurationOnBackend $5000 2022-10-12
1341465 Crash in cppgc::internal::ConcurrentMarkingTask::Run - 2022-10-12
1341520 Crash in blink::LayoutTable::SlowColElementAtAbsoluteColumn - 2022-10-12
1341829 Crash in cppgc::internal::TraceConservatively - 2022-10-12
1341923 Out of memory in unsigned int v8::internal::StringTable::Data::TryStringToIndexOrLookupExisting<u - 2022-10-12
1341504 Use-after-poison in blink::SVGElement::AddToPropertyMap - 2022-10-10
1052690 iframe sandbox allows redirecting to intents, including redirecting to navigation intents $2000 2022-10-08
1148777 Security: Navigation to external protocol, not blocked from allow-origin sandboxed iframe. - 2022-10-08
1334864 Security: GetExecutionContext Type Confusion in OffscreenCanvas - 2022-10-08
1336451 tint_ast_spv_writer_fuzzer: Heap-buffer-overflow in tint::writer::spirv::Builder::GenerateBuiltinCall - 2022-10-08
1341311 freetype_type1_fuzzer: Negative-size-param in cf2_interpT2CharString - 2022-10-08
1341330 render_text_api_fuzzer: Heap-buffer-overflow in gfx::internal::StyleIterator::GetTextBreakingRange - 2022-10-08
1323449 Security: Use-after-Free in InstallUpdateCallback $1000 2022-10-07
1329794 Security: heap-use-after-free in LinkToTextMenuObserver::CompleteWithError - 2022-10-07
1336979 Security: heap-buffer-overflow ui/wm/core/transient_window_stacking_client.cc (chromeOS) $3000 2022-10-07
1338030 Security: heap-use-after-free v8/src/base/bounded-page-allocator.cc:203:27 (Lacros) - 2022-10-07
1338044 render_text_api_fuzzer: Heap-buffer-overflow in gfx::BreakList<gfx::BaselineStyle>::GetRange - 2022-10-07
1338591 Security: UAF in WebContentsFrameTracker $20000 2022-10-06
1339741 Security: type confusion in chrome $8500 2022-10-06
1340488 DCHECK failure in !cache_state_.frozen in liftoff-assembler.h - 2022-10-06
1335316 Security: Use-After-Free in safe_browsing::ExtensionTelemetryPersister::InitHelper $10000 2022-10-05
1335470 Security: Heap-use-after-free in ash::CalendarEventListView::~CalendarEventListView $3000 2022-10-05
1337798 Security: potential use after free in OfflinePageModelTaskified::Unpublish $1000 2022-10-05
1340335 CHECK failure: !translated_values->IsMaterializedObject() in frames.cc - 2022-10-05
1293820 UAF in WindowManagementImpl::SetWindowBounds $2000 2022-10-04
1335688 WebGL glCompressedTexImage3D Heap-Based Buffer Overflow Vulnerability $5000 2022-10-04
1339321 Security: wasm br_* instructions update cache_state conditionally - 2022-10-04
1245773 audio_encoder_isac_float_fuzzer: Stack-buffer-overflow in WebRtcIsac_PitchAnalysis - 2022-10-02
1339498 Crash in v8::internal::PagedSpaceBase::Verify - 2022-10-02
1316960 Security: negative-size-param SnapWindow (chromeOS) $3000 2022-10-01
1337990 Heap-use-after-free in blink::PaintPropertyNode<blink::EffectPaintPropertyNodeOrAlias, blink::EffectPai - 2022-10-01
1338947 v8_wasm_code_fuzzer: Use-after-poison in v8::internal::compiler::Node::ReplaceInput - 2022-10-01
1338950 v8_wasm_code_fuzzer: DCHECK failure in other_effect == nullptr in branch-elimination.cc - 2022-10-01
1283033 Security: (Android) Arbitrary munmap memory Vulnerability Can Cause Chrome Sandbox Escape to system_server on Pixel 6 - 2022-09-30
1283040 Security: (Android) Heap buffer overflow Vulnerability May Can Cause Chrome Sandbox Escape to system_server on Pixel 6 - 2022-09-30
1283640 Security: (Android) Heap buffer overflow write in Bitmap_createFromParcel Can Cause Chrome Sandbox Escape to system_server on Android 12 - 2022-09-30
1321350 Security: Keystroke side-channel leakage $5000 2022-09-30
1329946 Security: ChromeOS rma_fw_keeper command execution (UpdateAndVerifyFWOnUsb, Physical Access) $15000 2022-09-30
962815 Potential use after free in CPDFSDK_FormFillEnvironment::ClearAllFocusedAnnots (XFA) - 2022-09-29
1329460 'unsafe-inline' is not ignored even though 'strict-dynamic' is specified in dafault-src. $3000 2022-09-29
1336014 Security: WebGPU UAF leading to OOB read/write in the renderer process - 2022-09-29
1268580 Security: Continued cookie bypasses $4000 2022-09-28
1330775 Security: Heap-use-after-free in ash::OverviewGrid::OnDesksTemplatesGridFadedOut $3000 2022-09-28
1336057 dawn_wire_server_and_vulkan_backend_fuzzer: Use-of-uninitialized-value in sw::Blitter::clear - 2022-09-28
1336334 Security DCHECK failure: IsA<Derived>(from) in casting.h $6000 2022-09-28
1336622 Security: UAF in CacheAliasSearchPrefetchURLLoader::StartPrefetchRequest $1000 2022-09-28
1336865 Trap in v8::internal::Intl::NumberFieldToType - 2022-09-28
1337388 Security: heap-use-after-free chrome/browser/profiles/profile_destroyer.cc:137:16 (chromeOS) $1000 2022-09-28
1337524 tint_regex_spv_writer_fuzzer: Illegal-instruction in c:\clusterfuzz\bot\builds\chromium-browser-libfuzzer_win32-release_x64-asan_4834 - 2022-09-28
1336204 Security: Heap-use-after-free in Controller::Shutdown $7000 2022-09-28
1336266 Security: Use After Free in JavaScriptDialogHelper::OnPermissionResponse $16000 2022-09-27
1337523 Use-after-poison in blink::NGGridNode::GridItemsIncludingSubgridded - 2022-09-26
1287804 render_text_api_fuzzer: Heap-buffer-overflow in gfx::internal::StyleIterator::GetTextBreakingRange - 2022-09-23
1318514 Security: heap-buffer-overflow on OverviewItem (chromeOS) - 2022-09-23
1334963 Test failures in AppNotificationsWebNotificationTest.PersistentNotificationWhenInstallAndUninstallApp on Linux Chromium OS ASan LSan Tests bot - 2022-09-23
1335013 CrOS: Vulnerability reported in net-misc/curl - 2022-09-23
1336869 Security: Misuse of CanCover $7500 2022-09-23
1308422 Security: Abuse the user's system environment variables in <a> download attribute may cause DLL Hijacking or Path Interception $2000 2022-09-22
1316368 Security: WebGL uniform integer overflows - 2022-09-22
1329541 Security: Web Share dialog URL is not elided correctly on Android $500 2022-09-22
1335655 <foreignObject> should collect inlines when unicode-bidi attribute/CSS property changed - 2022-09-22
1335861 Security: heap-use-after-free in SearchNameNodeByNameInternal $7500 2022-09-22
1336449 freetype_colrv1_fuzzer: Use-of-uninitialized-value in sfnt_load_face - 2022-09-22
1330125 Security: heap-after-free on components/exo/extended_drag_source.cc (Lacros) $3000 2022-09-20
1332392 Diagcab file extension is not blocklisted to prevent users from downloading harmful files $1000 2022-09-20
1335195 DCHECK failure in !HAS_WEAK_HEAP_OBJECT_TAG(ptr_) in tagged-impl-inl.h - 2022-09-20
1303278 libfuzzer_chrome_ubsan is behind by four weeks - 2022-09-19
1307656 Type confuse in blink::To<blink::LayoutTableSection,blink::LayoutObject> layout_table.cc:175 $6000 2022-09-19
1325699 AddressSanitizer: heap-use-after-free location_bar\permission_request_chip.cc:127 in PermissionReque $15000 2022-09-19
1329879 Security: Remote code execution vulnerability in YouTube Embedded SDK - 2022-09-19
1335458 Security: raw_ptr broke implicit scoped_refptr for receivers in base::Bind. - 2022-09-19
1335523 Security: V8: GenericJsToWasmWrapper is broken, creates type confusion on the stack - 2022-09-19
1329945 Security: ChromeOS root privilege escalation (debugd, shill-scripts, minijail0, authpolicyd) $37500 2022-09-16
1333374 Security: heap-buffer-overflow in chrome_pdf::PDFiumEngine::GetNamedDestination $7500 2022-09-16
1333977 Security: Unsafe pivot root in authpolicyd init script - 2022-09-16
1335054 DCHECK failure in *p != to_check_ in heap.cc - 2022-09-16
1158375 Security: Security DCHECK failed: !NeedsLayout() || ChildLayoutBlockedByDisplayLock() in blink::LayoutObject::AssertLaidOut $5000 2022-09-15
1264288 views::Combobox(ui::ComboboxModel*) is prone to UAF - 2022-09-15
1290098 Security: Autofill prompt can render over different origin in extension-created popup, allows spoofing of autofill context origin and browser UI $2000 2022-09-15
1306450 Security: Sanitizer API bypass via prototype pollution $1000 2022-09-15
1327087 Security: Heap-use-after-free in ash::SavedDeskDialogController::CreateDialogWidget $3000 2022-09-15
1330042 Security: Heap-use-after-free in ash::OverviewItem::DestroyPhantomsForDragging $3000 2022-09-15
1335021 Heap-use-after-free in ash::CalendarEventListView::~CalendarEventListView - 2022-09-15
1278255 Security: BackgroundFetch leaks URL of cross-origin redirects $8000 2022-09-14
1332613 tint_renamer_fuzzer.exe: Illegal-instruction in tint::fuzzers::TintInternalCompilerErrorReporter - 2022-09-14
1332881 Security: XSS in Chrome UI (password settings) with malicious extension name $2000 2022-09-14
1333180 dawn_wire_server_and_vulkan_backend_fuzzer: Use-of-uninitialized-value in std::Cr::__hash_const_iterator<std::Cr::__hash_node<std::Cr::__hash_value_type<s - 2022-09-14
1334483 Heap-use-after-free in rx::vk::BindingPointer<rx::vk::ObjectAndSerial<rx::vk::ShaderModule>>::valid - 2022-09-14
1334487 Segv on unknown address in rx::GraphicsPipelineCache::getPipeline - 2022-09-14
1280901 CrOS: Vulnerability reported in dev-libs/nss - 2022-09-13
1280903 CrOS: Vulnerability reported in app-crypt/nss - 2022-09-13
1323564 Security: UAF in SystemExtensionsInternalsPageHandler::InstallSystemExtensionFromDownloadsDir - 2022-09-13
1327927 AddressSanitizer: heap-use-after-free storage::QuotaDatabase::CreateBucketInternal quota_database.cc $16000 2022-09-13
1328664 Heap-use-after-free in [thunk]: - 2022-09-13
1332385 v8_wasm_compile_fuzzer: Trap in v8::internal::compiler::WasmTyper::Reduce - 2022-09-13
1332438 QuickAnswersControllerTest.* cause use after free on ASAN builds. - 2022-09-13
1333333 Use-after-poison in content::InspectorMediaEventHandler::SendQueuedMediaEvents $6000 2022-09-13
1302159 Security: Extension can obscure active window with an inactive window, user can interact with sensitive UI using keyboard without being aware $3000 2022-09-12
1329875 AddressSanitizer: heap-buffer-overflow in content::BucketManagerHost::DidGetBucket content/browser/b $21000 2022-09-12
1330039 Security: Set NoNewPrivs in ShillScriptsTool - 2022-09-11
982361 Compromised web renderer should be unable to spoof MessageSender.id if it never run a content script from the given extension - 2022-09-10
1297283 Security: use after free in JS self-profiling API - 2022-09-10
1316578 GPU failure in content::CreateChildProcessCrashWatcher - 2022-09-10
1324563 CrOS: Vulnerability reported in dev-libs/libxml2 - 2022-09-10
1327241 CrOS: Vulnerability reported in dev-libs/libxslt - 2022-09-10
1327872 angle_translator_fuzzer: Use-of-uninitialized-value in sh::OutputHLSL::header - 2022-09-10
1330289 Security: heap-use-after-free in views::DialogDelegate::CancelDialog $3000 2022-09-10
1331087 dcsctp_socket_fuzzer: Use-of-uninitialized-value in dcsctp::OutstandingData::ExtractChunksThatCanFit - 2022-09-10
1331309 CHECK failure: kind == DeoptimizeKind::kLazy in deoptimizer.cc - 2022-09-10
1313429 CrOS: Vulnerability reported in app-editors/vim - 2022-09-08
1313885 CrOS: Vulnerability reported in app-editors/vim - 2022-09-08
1317673 Security: webgl2 CompileShader Heap Corruption $7000 2022-09-08
1317714 use after free in SendQueuedMediaEvents $5000 2022-09-08
1320700 CrOS: Vulnerability reported in app-editors/vim - 2022-09-08
1321096 CrOS: Vulnerability reported in app-editors/vim - 2022-09-08
1324561 Chromium: Vulnerability reported in third_party/libxml - 2022-09-08
1326857 CrOS: Vulnerability reported in app-editors/vim - 2022-09-08
1330083 tint_robustness_fuzzer: Illegal-instruction in tint::fuzzers::TintInternalCompilerErrorReporter - 2022-09-08
1206235 Crash in icu_69::UnicodeString::isBogus - 2022-09-07
1296934 dawn_wire_server_and_vulkan_backend_fuzzer: Incorrect-function-pointer-type in dawn::native::vulkan::VulkanInstance::RegisterDebugUtils - 2022-09-07
1321698 dawn_wire_server_and_vulkan_backend_fuzzer: Use-of-uninitialized-value in llvm::PassNameParser::passRegistered - 2022-09-07
1325298 Security: PaintImage deserialization OOB-read - 2022-09-07
1326928 CHECK failure: GetLength() <= JSTypedArray::kMaxLength - 2022-09-07
1327312 Security: UAF in InterestGroupPermissionsChecker::OnRequestComplete $20000 2022-09-07
1328045 AddressSanitizer: heap-use-after-free in content::ScreenlockMonitor::RemoveObserver content/browser/ $11000 2022-09-07
1329298 Security: PageSpeed Insights: DDOS via Blind XSS $500 2022-09-07
1329417 Security DCHECK failure: unit.TextContentEnd() <= text.length() in ng_offset_mapping.cc - 2022-09-07
1329766 CHECK failure: external_backing_store_bytes[t] == ExternalBackingStoreBytes(t) in large-spaces. - 2022-09-07
1330379 Security: Heap use-after-free when bind/unbind TransformFeedback after deleting buffer $12000 2022-09-07
1330405 Use-of-uninitialized-value in v8::internal::Runtime_NotifyDeoptimized - 2022-09-07
1330410 Crash in v8::internal::ReadOnlyHeap::Contains - 2022-09-07
1330423 CHECK failure: kind == DeoptimizeKind::kLazy - 2022-09-07
1330452 DCHECK failure in !done() in bytecode-array-iterator.h - 2022-09-07
1330454 Index-out-of-bounds in v8::internal::interpreter::Bytecodes::Size - 2022-09-07
1330456 dawn_wire_server_and_frontend_fuzzer: Use-of-uninitialized-value in dawn::native::vulkan::GatherGlobalInfo - 2022-09-07
1330484 CHECK failure: kind == DeoptimizeKind::kLazy in deoptimizer.cc - 2022-09-07
1330486 Crash in Builtins_AsyncFromSyncIteratorPrototypeThrow - 2022-09-07
1330545 Crash in v8::internal::DeoptAllOsrLoopsContainingDeoptExit - 2022-09-07
1330584 DCHECK failure in !IsCleared() in tagged-impl-inl.h - 2022-09-07
1320538 Security: Chrome on Android Hide Fullscreen Notification Toast When Multiple Times Enter and Exit Fullscreen $5000 2022-08-31
1329064 DCHECK failure in !heap_->memory_allocator()->unmapper()->IsRunning() in mark-compact.cc - 2022-08-31
1017145 iOS Chrome javascript: URI nonce based CSP bypass $3000 2022-08-30
1306751 mediasource_MP2T_AVC_pipeline_integration_fuzzer: Heap-buffer-overflow in ff_h264_update_thread_context - 2022-08-30
1321899 DCHECK failure in !transition_map->is_access_check_needed() in handler-configuration.cc - 2022-08-30
1328808 DCHECK failure in IsStackSlot() || IsFPStackSlot() in instruction.h - 2022-08-30
1308341 UAF in std::__Cr::vector<base::internal::CheckedObserverAdapter $7000 2022-08-29
1319227 UAF in ChromeScanningAppDelegate $5000 2022-08-27
1323841 DCHECK failure in merged == unmerged in maglev-interpreter-frame-state.h - 2022-08-27
1322873 [Region Capture] cropTo a non self-capture video track should reject - 2022-08-26
1323595 Security: Share hub dialog doesn't show the origin elided from the right $500 2022-08-26
1324407 Security: ProcessLock can change from allows_any_site to is_locked_to_site after process loads content - 2022-08-26
1325636 gpu_swangle_passthrough_fuzzer: Use-of-uninitialized-value in sw::PixelProcessor::setBlendConstant - 2022-08-26
1301203 Security: Extension can move window off screen, user can interact with sensitive UI using keyboard without being aware $3000 2022-08-25
1310790 Security: kNativeDataProperty case for SuperIC can have type confusion - 2022-08-25
1321078 Security: Debug check failed: marking_state_->IsBlackOrGrey(heap_object). $7500 2022-08-25
1326749 Container-overflow in tint::resolver::DependencyScanner::TraverseExpression - 2022-08-25
1297209 Security: memory bug on webui tab dragging $3000 2022-08-24
1325615 Security: heap-after-free on iOS 15.4 simulator + Chromium Dev Asan $2000 2022-08-24
1326210 Security: Use-after-free in WebGPU $10000 2022-08-24
1325664 Security: pdfium use-after-free in v8 cppgc::internal::GCInvoker::GCInvokerImpl::GCTask::Run() - 2022-08-23
1291060 CSP is bypassed for status code 100, 101, and 102 pages. $1000 2022-08-22
1316846 Security: Heap-use-after-free in location::nearby::chrome::ScheduledExecutor::PendingTaskWithTimer $3000 2022-08-22
1320051 Security: ChromeOS root privilege escalation (debugd GetPerfOutput eBPF) $35000 2022-08-22
1320917 Security: ChromeOS cras D-Bus SetPlayerIdentity memory corruption $25000 2022-08-22
1321086 AddressSanitizer: heap-use-after-free in PermissionPromptBubbleView::ClosingPermission - 2022-08-22
1325341 Security: UAF in WebAuthnIconView $10000 2022-08-22
1325259 AddressSanitizer: use-after-poison blink\renderer\bindings\core\v8\script_promise_resolver.h:164 in $6000 2022-08-21
1305406 Security: nosymfollow bind mount bypass - 2022-08-20
1323605 tint_ast_wgsl_writer_fuzzer: Heap-buffer-overflow in tint::writer::spirv::Builder::GenerateBuiltinCall - 2022-08-20
1323738 Global-buffer-overflow in v8::internal::Simulator::DecodeType2 - 2022-08-20
1324864 AddressSanitizer: heap-use-after-free __memory/unique_ptr.h:312:28 in mojo::Connector::HandleError(b $21000 2022-08-20
1303614 Security: HeapOverflow in Diagnostics $5000 2022-08-19
1320181 Security: Heap-use-after-free in ReadAnythingToolbarView $3000 2022-08-19
1321013 DCHECK failure in !is_length_tracking() in js-array-buffer-inl.h - 2022-08-19
1321980 DCHECK failure in byte_capacity_ >= max_byte_length_ in backing-store.cc - 2022-08-19
1323690 DCHECK failure in frame->is_unoptimized() in frames.h - 2022-08-19
1324067 Crash in int v8::base::AsAtomicImpl<int>::Relaxed_Load<int> - 2022-08-19
1227995 Security: Ability to mask file type with another extension. IE JPEG $2000 2022-08-18
1307930 Security: .url files can redirect showSaveFilePicker into an arbitrary file $2000 2022-08-18
1323239 Security: UAF in UserEducationInternalsPageHandlerImpl::GetFeaturePromos $3000 2022-08-18
1302494 audio_decoder_g722_fuzzer: Use-of-uninitialized-value in WebRtc_g722_decode - 2022-08-17
1312670 VideoTrackGenerator fails Security DCHECK(TypeConfuse) failure: IsA<Derived>(from) in casting.h - 2022-08-17
1320624 Use-after-Free on BuildWebAppInternalsJson $5000 2022-08-17
1324302 Heap-use-after-free in blink::NGHighlightPainter::NGHighlightPainter $6000 2022-08-17
1323236 Security: UAF in AppServiceInternalsPageHandlerImpl::GetPreferredApps $3000 2022-08-16
1323553 Security: heap-use-after-free ash/shelf/hotseat_widget.cc (chromeOS) $1000 2022-08-16
1320024 Security: [ANGLE] Heap use-after-free when deleting TransformFeedback $10000 2022-08-15
1322552 paint_op_buffer_fuzzer: Heap-buffer-overflow in cc::PaintOpReader::Read - 2022-08-13
1322744 Security: UAF in DiscardsGraphDumpImpl $1000 2022-08-13
1312144 Security: heap-use-after-free in content::WebContentsViewAura::StartDragging $15000 2022-08-12
1314998 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2022-08-12
1290713 Uaf in OmniboxPopup $3000 2022-08-11
1320854 DecodeStringMessage is missing bounds checks - 2022-08-11
1322554 transfer_cache_fuzzer: Heap-buffer-overflow in cc::PaintOpReader::ReadSize - 2022-08-11
1305117 Security: Lockscreen leaks stored words in on-screen keyboard $1000 2022-08-10
1317746 Security: container-overflow in ui::Compositor::StopThroughtputTracker $3000 2022-08-10
1319217 Crash in v8::internal::HeapObject::SizeFromMap - 2022-08-09
1320614 v8_wasm_compile_fuzzer: DCHECK failure in kCanBeWeak || (!IsSmi() == HAS_STRONG_HEAP_OBJECT_TAG(ptr_)) in tagged-impl.h - 2022-08-09
1321827 CHECK failure: heap()->concurrent_marking()->IsStopped() - 2022-08-09
1321841 CHECK failure: object.Size() == size in heap.cc - 2022-08-09
1316889 heap-use-after-free in DevToolsWindow::ActivateWindow $3000 2022-08-08
1320278 Unreachable code in objects-body-descriptors-inl.h - 2022-08-08
1320408 Security: heap-buffer-overflow ui/views/view_model.h:83:28 in ViewAtBase (chromeOS) $500 2022-08-08
1320894 CHECK failure: object.Size() == size in heap.cc - 2022-08-08
1321349 CHECK failure: object.Size() == size - 2022-08-08
1316946 [v8] Integer overflow leading to OOB/CHECK in icu_71::FormattedStringBuilder::prepareForInsertHelper $5000 2022-08-06
1319797 AddressSanitizer: heap-use-after-free in PermissionRequestChip::CreateBubble $3000 2022-08-06
1228661 AddressSanitizer: use-after-poison connector.cc:546 in mojo::Connector::DispatchMessageW $7500 2022-08-05
1319841 Security: Type Confusion in Portal::ActivateImpl $20000 2022-08-05
1320592 Security: Heap-use-after-free in sharing_hub::SharingHubBubbleController::OnBubbleClosed $3000 2022-08-05
1320896 CHECK failure: local_weak_objects() ->discovered_ephemerons_local.IsLocalAndGlobalEmpty() - 2022-08-05
1311683 Android Chrome FullScreen Notification Can be Overlapped by Pop-up Blocker Notification $3000 2022-08-04
1312354 Security: heap-use-after-free ash/shelf/hotseat_widget.cc - 2022-08-04
1314908 Security: Heap-use-after-free in remote_cocoa::NativeWidgetNSWindowBridge::SetVisibilityState $3000 2022-08-04
1315563 Security: navigator.clipboard.read() can lead to mutation XSS $3000 2022-08-04
1316990 Security: Heap-use-after-free in ash::sharesheet::SharesheetBubbleView::CloseWidgetWithReason $5000 2022-08-04
1318610 heap-buffer-overflow : device::BluetoothAdapterMac::LowEnergyCentralManagerUpdatedState - 2022-08-04
1318792 dawn_wire_server_and_frontend_fuzzer: Heap-use-after-free in dawn::native::DeviceBase::DestroyObjects - 2022-08-04
1316740 Security: heap-use-after-free in views::View::GetEffectiveViewTargeter $5000 2022-08-03
1319302 heap-use-after-free on content::DevToolsAgentHostImpl::ForceDetachAllSessions $3000 2022-08-03
1320007 CHECK failure: object.Size() == size in heap.cc - 2022-08-03
1223475 Security: Content-Security-Policy bypass via Console API CSS-formatted messages $500 2022-08-02
1248059 Security: heap-use-after-free in the views::Widget::GetNativeTheme in the browser process $3000 2022-08-02
1268445 Security: Bypassing of security interstitials using debugger API $1000 2022-08-02
1315102 UAF in SupportToolMessageHandler $10000 2022-08-02
1318181 DCHECK failure in MarkCompactCollector::IsMapOrForwarded(invalidated_object.map()) in invalidated- - 2022-08-02
1319081 Heap-use-after-free in reporting::NetworkConditionService::NetworkConditionServiceObserver::RegisterRTT - 2022-08-02
1319265 Trap in auto v8::internal::BodyDescriptorApply<v8::internal::CallIsValidSlot, v8::intern - 2022-08-02
1319855 CHECK failure: object.Size() == size in heap.cc - 2022-08-02
1116450 Security: Extensions can capture contents of local files using Page.captureScreenshot with fromSurface set to false $3000 2022-08-01
1317650 Security: [ANGLE] Heap use-after-free caused by State::detachBuffer $10000 2022-08-01
1317875 Security: Heap-use-after-free in ash::ScopedOverviewTransformWindow::~ScopedOverviewTransformWindow $3000 2022-08-01
1318673 Heap-buffer-overflow in CJBig2_Context::ParseSymbolDict - 2022-07-31
1308968 Use-after-free crash in WaylandWindow when tabdrag source window gets destroyed - 2022-07-30
1318013 Trap in auto v8::internal::BodyDescriptorApply<v8::internal::CallIsValidSlot, v8::intern - 2022-07-30
1250993 Security: URL spoofing using LATIN SMALL LETTER L WITH STROKE $500 2022-07-29
1312563 heap-use-after-free : media::VTVideoEncodeAccelerator::GetSupportedProfiles - 2022-07-29
1313977 Security: heap-buffer-overflow on ash/wm/window_animations.cc (chromeOS) $3000 2022-07-29
1314310 Tab reliably crashing with STATUS_ACCESS_VIOLATION with reproduction steps $1000 2022-07-29
1315080 Security: Segv on unknown address in views::internal::NativeWidgetPrivate::ReparentNativeView $3000 2022-07-29
1298867 gpu_angle_passthrough_fuzzer: Crash in rx::BufferNULL::setSubData - 2022-07-28
1301071 CrOS: Vulnerability reported in app-editors/vim - 2022-07-28
1309843 CrOS: Vulnerability reported in app-editors/vim - 2022-07-28
1311820 Security: Browser-side origin confusion for javascript/data URLs opened in a new window/tab by cross-origin iframe $20000 2022-07-28
1312790 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2022-07-28
1317725 DCHECK failure in MarkCompactCollector::IsMapOrForwarded(invalidated_object.map()) in invalidated- - 2022-07-28
1311814 Security: heap-use-after-free ash/accessibility/chromevox/touch_exploration_manager.cc $3000 2022-07-27
1317054 Heap-use-after-free in PrintDialogGtk::OnResponse - 2022-07-27
1317681 DCHECK failure in U_SUCCESS(status) in intl-objects.cc - 2022-07-27
1018669 Security: binder: UAF write from context manager via transaction-to-self - 2022-07-26
1304987 clang-analyzer-core.uninitialized.Branch in third_party/blink/renderer/platform/graphics/gpu/webgl_image_conversion.cc - 2022-07-26
1307515 DCHECK failure in U_SUCCESS(status) in intl-objects.cc - 2022-07-26
1313600 Security: heap-buffer-overflow on components/ui_devtools/views/devtools_server_util.cc - 2022-07-25
1306861 Security: Incomplete patch for issue 1246631 (CVE-2021-37981) and inaccurate scaling in EyeDropperView $7000 2022-07-22
1316113 Heap-use-after-free in policy::RebootNotificationsScheduler::~RebootNotificationsScheduler - 2022-07-22
1316278 dawn_wire_server_and_vulkan_backend_fuzzer: Check failed in CheckUnwind - 2022-07-22
1315901 Security: [0-day] JIT optimisation issue - 2022-07-21
1305394 Leaking window.length without opener reference. $2000 2022-07-20
1312270 heap-buffer-overflow on ui_devtools::UIElement::ReorderChild $2000 2022-07-20
1312419 Security: heap-use-after-free on components/global_media_controls/public/views/media_item_ui_list_view.cc $3000 2022-07-20
1312799 gpu_raster_fuzzer: Use-of-uninitialized-value in cc::ReadPixmap - 2022-07-20
1313905 Security: [ANGLE] Heap use-after-free in ContextVk::onBeginTransformFeedback $10000 2022-07-20
1314383 bad free in gpu ~PackedEnumMap $7000 2022-07-20
1314616 Security: JS object corruption in WasmJS::InstallConditionFeatures (CVE-2021-30561 variant) $7500 2022-07-20
1314676 Security: UAF in SegmentationPlatformServiceImpl $3000 2022-07-20
1314754 Security: Missing bounds check in WebGPUDecoderImpl::DoRequestDevice - 2022-07-20
1315031 Heap-use-after-free in ash::SearchResultView::PreferredHeight - 2022-07-20
1315040 Security: Drag and Drop XSS $2000 2022-07-20
1315192 Security: oob read in AudioDelayDSPKernel::ProcessKRate $2000 2022-07-20
1303552 hb_shape_fuzzer: Use-of-uninitialized-value in OT::hb_ot_apply_context_t::skipping_iterator_t::prev - 2022-07-18
1314363 DCHECK failure in CpuFeatures::IsSupported(*feature) in macro-assembler-shared-ia32-x64.h - 2022-07-18
1314658 Security: heap-use-after-free in PDFium CPDFSDK_AppStream::Write $5000 2022-07-17
1309035 AddressSanitizer: heap-use-after-free in isCubeCompatible third_party/swiftshader/src/Vulkan/VkImage.cpp:905:25 - 2022-07-16
1312699 AddressSanitizer: heap-use-after-free element.cc:3611 in blink::Element::RecalcOwnStyle $5000 2022-07-16
1314536 DCHECK failure in !IsInProgress(function->tiering_state()) in runtime-compiler.cc - 2022-07-16
1302949 Security: Heap-use-after-free in send_tab_to_self::SendTabToSelfBubbleController::OnBubbleClosed $5000 2022-07-15
1310717 Use-after-Free on crostini::CrostiniExportImport::OpenFileDialog $7000 2022-07-15
1311923 CHECK failure: (location_) != nullptr in maybe-handles.h - 2022-07-15
1314184 v8_wasm_compile_fuzzer: Null-dereference WRITE in v8::internal::Simulator::WriteW - 2022-07-15
1314644 DCHECK failure in osr_cache->FindEntry(*shared, osr_offset) == -1 in osr-optimized-code-cache.cc - 2022-07-15
1289192 Security: UAF in BookmarkDragHelper $3000 2022-07-14
1300995 Heap-use-after-free under ash::HandleToggleOverview in base::ObserverList<aura::WindowObserver, true, true, base::internal::CheckedObse - 2022-07-14
1304884 Security: use after free in cups_printers_handler $3000 2022-07-14
1305068 Security: UAF in SelectFileDialogExtension::NotifyListener $5000 2022-07-14
1306391 Security: Use-After-Free in SelectFileDialog $1000 2022-07-14
1309467 Type confusion in handling of accessor in ReduceNamedAccess - 2022-07-14
1313983 DCHECK failure in !try_catch.HasCaught() in d8.cc - 2022-07-14
1311903 Security: heap-use-after-free on ash/capture_mode/capture_mode_session.cc - 2022-07-13
1312838 DCHECK failure in static_cast<unsigned>(index) < static_cast<unsigned>(length()) in fixed-array-in - 2022-07-13
1313172 Google Chrome WebGPU DoBufferDestroy kDirect allocation use-after-free vulnerability - TALOS-2022-1508 $10000 2022-07-13
1106456 Security: Possible to escape sandbox via devtools_page and Feedback app $15000 2022-07-12
1270539 heap-use-after-free in TabGroupModel::GetTabGroup $3000 2022-07-12
1292870 Security: UAF after adding undocked DevTools tab to a group $5000 2022-07-12
1300561 Security: container-overflow in ash::ScrollableShelfView::ShouldCountActivatedInkDrop $2000 2022-07-12
1305267 Security: ChromeOS root privilege escalation (arcvm, arcvm_server_proxy, vm_concierge, arc-create-data) $30000 2022-07-12
1305834 gpu_angle_fuzzer: Trap in gpu::CommandBufferSetup::LogGLDebugMessage - 2022-07-12
1311701 Security: UAF in DumpDatabaseHandler $15000 2022-07-12
1307445 transfer_cache_fuzzer: Use-of-uninitialized-value in cc::ReadPixmap - 2022-07-10
1302959 Security: Extension permission escalation $5000 2022-07-09
1312022 CHECK failure: !HasJobs() in optimizing-compile-dispatcher.h - 2022-07-09
1307603 v8_wasm_compile_fuzzer: DCHECK failure in kCanBeWeak || (!IsSmi() == HAS_STRONG_HEAP_OBJECT_TAG(ptr_)) in tagged-impl.h - 2022-07-08
1311641 Security: Incomplete fix for CVE-2022-1096 - 2022-07-08
1101001 Security: UAF Read in Content process $15000 2022-07-07
1292308 Security: UAF in CalendarView 2 $6000 2022-07-07
1303330 Security: heap-use-after-free in ui::EventTarget::RemovePreTargetHandler $15000 2022-07-07
1304660 CrOS: Vulnerability reported in dev-libs/libxml2 - 2022-07-07
1310295 Use-after-poison in blink::HTMLSlotElement::DetachLayoutTree - 2022-07-07
1305190 [ANGLE] Vulkan Use After Free in onBeginTransformFeedback $7000 2022-07-06
1305900 Security: SEGV on unknown address in ash::DeskPreviewView::RecreateDeskContentsMirrorLayers() $3000 2022-07-06
1307946 v8_wasm_compile_fuzzer: Segv on unknown address in v8::internal::MarkCompactCollector::RootMarkingVisitor::VisitRootPointer - 2022-07-06
1308199 Security: Chrome Apps: Possible to read environment variables using suggestedName in chrome.fileSystem.chooseEntry $7000 2022-07-06
1234267 Bad-cast to ui::Layer from cc::PictureLayer in ui::SendDamagedRectsRecursive - 2022-07-05
1268541 Security: Another Cross-Origin Response Size Leak Via BackgroundFetch $3000 2022-07-05
1281808 Security: UAF in AXVirtualViewWrapper $15000 2022-07-05
1285234 AddressSanitizer: heap-use-after-free in blink::BlobBytesProvider::AppendData $6000 2022-07-05
1292905 Security DCHECK failure: IsA<Derived>(from) in casting.h $6000 2022-07-05
1301180 Security: Bypass Apk Warning In Android $1000 2022-07-05
1305423 Security: installer: encrypted_import: Disk access to root command execution - 2022-07-05
1310461 Security: chrome.downloads.download could be abused to steal user's environment variables like secrets, tokens or keys on windows. $7000 2022-07-05
1310597 Chromium: Vulnerability reported in third_party/liblouis - 2022-07-05
1283050 Heap-use-after-free in RenderViewHostImpl::ActivatePrerenderedPage - 2022-07-04
1278608 Security: CA certificate import exploitable with large DSA and RSA-PSS signatures on Linux/ChromeOS - 2022-07-02
1299211 Use After Free in TextureVk::releaseAndDeleteImageAndViews $10000 2022-07-02
1301148 Security: heap UaF in DesksTemplates dialog - 2022-07-02
1305403 Security: mnt_concierge semi-arbitrary bind mount - 2022-07-02
1236325 Security: Extensions with debugger permission can list URLs and send commands to incognito tabs and other profile tabs $5000 2022-07-01
1251588 Security: download protection bypass on macOS with .inetloc $500 2022-07-01
1301873 Security: Chrome for Android Hide Custom Fullscreen Toast View with Repeated Exit Enter Fullscreen Request $3000 2022-07-01
1308360 Type confusion when using simple api call accessors with SuperIC - 2022-07-01
1305401 Security: Arcvm custom init - 2022-06-30
1306768 Security: UAF in SelectFileDialogLacros::OnSelected (lacros-chrome) $3000 2022-06-30
1308178 DCHECK failure in HasBytecodeArray() in shared-function-info-inl.h - 2022-06-30
1309767 DCHECK failure in string.length() == source.length() in string-table.cc - 2022-06-30
1309842 CrOS: Vulnerability reported in dev-libs/openssl - 2022-06-30
1306458 Security: Potential UAF in ChromeDesksTemplatesDelegate::OnLacrosChromeUrlsReturned $1000 2022-06-29
1306443 getThumbnail() CHECK leaks number of available PDF pages $500 2022-06-29
1308253 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2022-06-29
1309023 Illegal-instruction in permissions::PermissionRequestManager::FinalizeCurrentRequests - 2022-06-29
1270008 OS Command Injection in node-opencv - 2022-06-28
1297643 Security: heap-use-after-free ash/drag_drop/drag_drop_tracker.cc:109 $3000 2022-06-28
1304075 uaf in FrameSinkVideoCaptureDevice::OnLog $500 2022-06-28
1306507 AddressSanitizer: heap-use-after-free components/history/core/browser/history_backend.cc:2542:22 in history::HistoryBackend::KillHistoryDatabase() $16000 2022-06-28
1307667 Bad-cast to blink::MathMLSpaceElement from blink::MathMLElement in blink::MathMLSpaceElement* blink::DynamicTo<blink::MathMLSpaceElement, blink::El - 2022-06-28
1266953 Tricking a user into a same-page drag-and-drop can disclose data to cross-origin frames - 2022-06-27
1293357 Security: Samba vulnerabilities CVE-2021-44141, CVE-2021-44142, CVE-2022-0336 - 2022-06-27
1300507 CrOS: Vulnerability reported in net-fs/samba - 2022-06-27
1300508 CrOS: Vulnerability reported in sys-libs/ldb - 2022-06-27
1302431 CrOS: Vulnerability reported in net-fs/samba - 2022-06-27
1307610 Security: RegExp[@@replace] missing write barrier, leading to RCE $20000 2022-06-27
1305706 uaf in BookmarkBarView::OnTabGroupButtonPressed $2000 2022-06-25
1299287 Video escapes content area $3000 2022-06-24
1299743 Security: heap-use-after-free in FileSystemAccessRegularFileDelegate::DoFlush $7500 2022-06-24
1300253 Security: Chrome for Android Cancel Enter Fullscreen able to Hide Omnibox $3000 2022-06-24
1304658 Security: Debug check failed: type.representation() == MachineRepresentation::kFloat64 || type.representation() == MachineRepresentation::kTagged. $8500 2022-06-24
1275600 Security: UAF in ViewsAXTreeManager $20000 2022-06-23
1282384 Security: UAF in FocusController::SetFocusedWindow $20000 2022-06-23
1299261 Security: [ANGLE] Heap overflow read in vk::IndexBuffer::getIndexBuffers $7000 2022-06-23
1302321 gpu_raster_fuzzer: Use-of-uninitialized-value in cc::ServiceImageTransferCacheEntry::Deserialize - 2022-06-23
1303410 Security: ChromeOS - Lockscreen leaks clipboard contents, i.a. $5000 2022-06-23
1305776 AddressSanitizer: use-after-poison in blink::WebrtcVideoPerfReporter::InitializeOnTaskRunner webrtc_video_perf_reporter.cc:36 $6000 2022-06-23
1297138 Security: leak user html content using Dangling Markup injection when http upgrade to https $500 2022-06-22
1298122 Security: TrustedTypes does not block assignment when modifying existing attribute value via nodeValue/textContent $1000 2022-06-22
1304545 Security: Potential Use After Free in ManagedValueStoreCache::OnPolicyUpdated $1000 2022-06-22
1261191 Security: Form validation UI dialog can cover whole page $1000 2022-06-21
1301134 Security: heap-use-after-free ash/wm/overview/overview_highlightable_view.cc:17:18 in ash::OverviewHighlightableView::SetHighlightVisibility(bool) $3000 2022-06-21
1303458 [TurboFan]v8 crashed when compiling optimization $5000 2022-06-21
1304368 Security: UAF in ui/ozone/platform/wayland/host/wayland_window.cc $7000 2022-06-20
1275414 Security: heap-use-after-free in network::server::HttpServer::FindConnection $1000 2022-06-18
1297404 Security: heap-use-after-free in global_media_controls::MediaItemManagerImpl::HideItem - 2022-06-17
1304045 Security: AddressSanitizer: heap-use-after-free ui/views/window/dialog_delegate.cc:419:26 in views::DialogDelegate::AcceptDialog() - 2022-06-17
1304145 Security: UAF in ScanningHandler $5000 2022-06-17
1162424 Security: racing UAF during usrsctp_close in usrsctp in webrtc $5000 2022-06-16
1303253 use after free in SelectFileDialogExtension::ExtensionTerminated $3000 2022-06-16
1303613 Security: HeapOverflow in ScanningHandler $3000 2022-06-16
1303615 Security: HeapOverflow in CertificatesHandler $3000 2022-06-16
1304659 Chromium: Vulnerability reported in third_party/libxml - 2022-06-16
1301920 Security: Web Share API allows to write in UNC paths and/or in C:/Users/<username>/AppData/Local/Temp/ on Windows $5000 2022-06-15
1302644 Security: Use After Free in ChromePasswordProtectionService::HandleUserActionOnModalWarning $16000 2022-06-15
1303919 Security: libtiff CVE vulnerabilities in 4.2.0 (from pdfium) - 2022-06-15
1297429 [WebUI] StartupPagesHandler does not adequately verify arguments from JS $7500 2022-06-14
1299264 use after free in rx::FramebufferVk::startNewRenderPass $7000 2022-06-14
1302157 Security: Heap-use-after-free in ~ExtensionUninstallDialogViews $3000 2022-06-14
1301320 Security: heap-use-after-free in extensions::ExtensionApiFrameIdMap::GetFrameId - 2022-06-11
1180745 stack over flow in swiftshader $7500 2022-06-10
1284582 CrOS: Vulnerability reported in app-editors/vim - 2022-06-10
1285554 CrOS: Vulnerability reported in app-editors/vim - 2022-06-10
1287844 CrOS: Vulnerability reported in app-editors/vim - 2022-06-10
1290799 CrOS: Vulnerability reported in app-editors/vim - 2022-06-10
1291951 CrOS: Vulnerability reported in app-editors/vim - 2022-06-10
1292966 CrOS: Vulnerability reported in app-editors/vim - 2022-06-10
1294201 CrOS: Vulnerability reported in app-editors/vim - 2022-06-10
1294503 CrOS: Vulnerability reported in app-editors/vim - 2022-06-10
1295411 Security: [ANGLE] Heap use-after-free in CommandBufferHelperCommon::bufferWrite $7000 2022-06-10
1296101 CrOS: Vulnerability reported in app-editors/vim - 2022-06-10
1296866 Security: heap-buffer-overflow in getImageActualFormat $7000 2022-06-10
1299225 Security: Heap-use-after-free in QuickAnswersUiController::CloseQuickAnswersView $3000 2022-06-10
1301840 uaf in browser_switcher::`anonymous namespace'::OpenBrowserSwitchPage $2000 2022-06-10
1302625 DCHECK failure in lhs.Is(Type::Number()) in operation-typer.cc - 2022-06-10
1264543 Security: Popup with noopener does not consume user activation - 2022-06-09
1292360 Security: UAF in CalendarView 3 $7000 2022-06-09
1296467 Security: [ANGLE] Heap use-after-free in BufferHelper::recordReadBarrier $7000 2022-06-09
1302280 wayland_fuzzer: Heap-use-after-free in destroy_queued_closure - 2022-06-09
1280205 Security: Heap-use-after-free in TabStrip::OnGroupCreated $7000 2022-06-08
1299422 Security: heap-use-after-free in content::DisplayCutoutHostImpl::SendSafeAreaToFrame - 2022-06-08
1207335 Chromium: Vulnerability reported in third_party/binutils - 2022-06-07
1292304 Security: UAF in CalendarView $5000 2022-06-07
1301209 dawn_wire_server_and_vulkan_backend_fuzzer: Use-of-uninitialized-value in llvm::PassNameParser::passRegistered - 2022-06-07
1233333 v8_inspector_fuzzer: Use-of-uninitialized-value in v8_crdtp::cbor::CBOREncoder::HandleInt32 - 2022-06-06
1292261 Security: Heap-use-after-free in BrowserList::AddBrowser $7000 2022-06-06
1295654 CrOS: Vulnerability reported in net-vpn/strongswan - 2022-06-06
1298986 dawn_wire_server_and_vulkan_backend_fuzzer: Use-of-uninitialized-value in llvm::PassNameParser::passRegistered - 2022-06-06
1273841 AddressSanitizer: heap-use-after-free in blink::Screen::AreWebExposedScreenPropertiesEqual $5000 2022-06-04
1290586 Calling stopTrack() in a worker fails a To<> cast DCHECK - 2022-06-04
1291472 MediaStreamTrackinWorker fails Security DCHECK failure: IsA<Derived>(from) in casting.h - 2022-06-04
1291891 Uaf in qrcode_generator::QRCodeGeneratorBubbleController::OnBubbleClosed $5000 2022-06-04
1296841 CrOS: Vulnerability reported in app-editors/vim - 2022-06-04
1296876 v8_wasm_code_fuzzer: Crash in Builtins_GenericJSToWasmWrapper - 2022-06-04
1300139 CrOS: Vulnerability reported in app-editors/vim - 2022-06-04
1298884 CrOS: Vulnerability reported in app-editors/vim - 2022-06-04
1291986 Security heap-use-after-free ash/wm/splitview/split_view_divider.cc (chromeOS) $7000 2022-06-03
1296334 heap-use-after-free : safe_browsing::VerdictCacheManager::CacheRealTimeUrlVerdict - 2022-06-03
1297498 UAF in ThreatDetailsCacheCollector::OpenEntry $15000 2022-06-03
1299259 freetype_type1_fuzzer: Crash in cf2_interpT2CharString - 2022-06-03
1000408 getOriginFromUrl in cryptotoken component extension doesn't use real origin - 2022-06-02
1292004 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2022-06-01
1294612 uaf in AppLaunchHandler::LaunchApp - 2022-06-01
1298015 Security: heap-use-after-free in base::SupportsUserData::GetUserData $7000 2022-06-01
1299814 CHECK failure: !isolate->concurrent_osr_enabled() - 2022-06-01
1279775 Security: Stack-Buffer-Overflow in g711_interface.c - 2022-05-31
1280851 Security: Stack-Buffer-Overflow in WebRtc_g722_decode - 2022-05-31
1299418 CHECK failure: !isolate->concurrent_osr_enabled() in runtime-test.cc - 2022-05-31
1299438 CHECK failure: !isolate->concurrent_osr_enabled() - 2022-05-31
1083835 heap-use-after-free : rlz::RLZTracker::GetAccessPointRlzImpl - 2022-05-29
1293191 Propagating inertness into nested browsing contexts leaks information, privacy concern? - 2022-05-29
1298149 Use-after-poison in mojo::internal::InterfacePtrStateBase::Bind - 2022-05-29
1298213 heap-use-after-free : ash::`anonymous namespace'::EncodeBitmapToPNG - 2022-05-29
1193390 gpu_raster_swangle_passthrough_fuzzer: Incorrect-function-pointer-type in rx::vk::PersistentCommandPool::init - 2022-05-26
1276002 Security: fencedframe element bypass the security policy restrictions of the devtools preview limit $3000 2022-05-26
1296120 Security: ChromeOS root privilege escalation (arcvm_server_proxy, cups, arc-create-data) $30000 2022-05-26
1227636 Security: [SkPixmap] pdfium SEGV on getColor() - 2022-05-25
1280852 Security: Stack-Buffer-Overflow in WebRtcPcm16b_Decode $5000 2022-05-25
1292271 Security: heap-use-after-free on ash/wm/desks/desks_controller.cc (chromeOS) $7000 2022-05-25
1296407 Heap-use-after-free in content::SavePackage::ContinueGetSaveInfo - 2022-05-25
1297269 Security: Chrome Enterprise MSI installer Elevation of Privileges Vulnerability $20000 2022-05-25
1297541 Heap-use-after-free in cppgc::internal::BasicPersistent<blink::NGLayoutResult const, cppgc::internal::S - 2022-05-25
1297764 Defense in depth: Remove TMP directory fallback for installer payload - 2022-05-25
1253281 Security: UAF in SQLite renameTokenCheckAll - 2022-05-24
1281908 Security: DeserializeFromMessage should validate the message header - 2022-05-24
1292333 DCHECK failure in op->IsStackSlot() || op->IsFPStackSlot() in code-generator-x64.cc - 2022-05-24
1295786 uaf in blink::MediaInspectorContextImpl::CullPlayers(blink::WebString const&) $5000 2022-05-24
1263825 Heap-use-after-free in base::ObserverList<aura::WindowObserver, true, true, base::internal::CheckedObse - 2022-05-23
1267318 SameSite cookies leak via embedded browsing context $500 2022-05-23
1291735 Security: Sharesheet dialog doesn't show the origin elided from the right $500 2022-05-23
1295699 Residual UAF in token fetcher code $1000 2022-05-23
1195549 dawn_wire_server_and_vulkan_backend_fuzzer: Incorrect-function-pointer-type in dawn_native::vulkan::Device::PrepareRecordingContext - 2022-05-21
1270117 [iOS] CSP Bypass via Service Worker $500 2022-05-21
1294723 dawn_wire_server_and_frontend_fuzzer: Crash in tint::diag::Formatter::format - 2022-05-21
1296526 Heap-use-after-free in history_clusters::OnDeviceClusteringBackend::ClusterVisitsOnBackgroundThread - 2022-05-21
1285885 Security: [ANGLE] Vulkan : Out-of-bounds memory can be accessed using bound offsets $7000 2022-05-20
1290150 Security: redirect detection via Performance API $1000 2022-05-20
1294097 Security: Heap-use-after-free in NearbyShareAction::HandleKeyboardEvent $7000 2022-05-20
1295087 Bad-cast to blink::LayoutBlock from blink::LayoutImage in blink::LayoutBlock& blink::To<blink::LayoutBlock, blink::LayoutObject> - 2022-05-20
1296150 Security: [0-day] Use-After-Free in UpdateAnimationTiming - 2022-05-20
1077756 Security: sandbox doesn't prevent setgid("disk") in shill process tree - 2022-05-19
1290700 uaf in BrowserSwitchHandler::OnLaunchFinished $2000 2022-05-19
1295999 renderer_proto_tree_fuzzer: Use-of-uninitialized-value in blink::NGLayoutResult::NGLayoutResult - 2022-05-19
1289394 file_system_manager_mojolpm_fuzzer: Heap-use-after-free in storage::ObfuscatedFileUtil::GetDirectoryForStorageKey - 2022-05-18
1292537 Crash in memfd:swiftshader_jit - 2022-05-18
1295221 Security: Variant analysis of UAF in AccessiblePaneView - 2022-05-18
1264561 Security: Chrome for Android Hide Entering Fullscreen Notification Toast using Multiple Toast from Failed to Copy $2500 2022-05-16
1266631 Cross-site information leak - CSP Violation reports contain blockedURI's hostname $2000 2022-05-16
1288919 tint_wgsl_reader_spv_writer_fuzzer: Illegal-instruction in tint::fuzzers::CommonFuzzer::Run - 2022-05-15
1289116 Heap-use-after-free in rx::vk::GarbageObject::destroy - 2022-05-15
1292829 dawn_wire_server_and_frontend_fuzzer: Heap-use-after-free in tint::diag::Formatter::format - 2022-05-15
1293906 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2022-05-14
1142269 Security: Chromium doesn't conform to SMS Verification APIs leading to potential Access to app protected components vulnerability $1000 2022-05-13
1291482 Chrome should ignore responses with http status code 1** - 2022-05-13
1270005 Heap-buffer-overflow in flatbuffers::EscapeString - 2022-05-12
1283546 Security: UAF in ProtocolHandlerThrottle using PlzDedicatedWorker $20000 2022-05-12
1291109 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2022-05-12
1291471 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2022-05-12
1156237 heap-use-after-free : __72+[NSRemoteViewMarshal _addFreeWindow:parameters:listenerEndpoint:reply:]_block_invoke - 2022-05-11
1246188 Security: Compromised renderer can set custom cursor up to 1024px over browser UI and other windows $2000 2022-05-11
1273397 Security: Heap-buffer-overflow in tabgroup $7000 2022-05-11
1279665 Security DCHECK failed: IsA<Derived>(from) in ng_layout_input_node.cc:96 blink::NGLayoutInputNode::TableCellColspan $5000 2022-05-11
1284293 AddressSanitizer: heap-use-after-free in TryProcess ui/base/accelerators/accelerator_manager.cc:152:17 $7000 2022-05-11
1285601 Security: heap-use-after-use in DiscountURLLoader::NavigateToDiscountURL $16000 2022-05-11
1286940 Security: heap-use-after-free in ProfileImpl::IsSameOrParent $7000 2022-05-11
1288020 heap buffer overflow in sw::Blitter::fastResolve $7000 2022-05-11
1289507 dawn_wire_server_and_frontend_fuzzer: Crash in dawn_native::OwnedCompilationMessages::AddMessages - 2022-05-11
1291728 Security: heap-use-after-free in base::ObserverList::RemoveObserver $10000 2022-05-11
1293248 css_parser_fast_paths_fuzzer: Use-of-uninitialized-value in bool blink::ParsePercentage<unsigned char> - 2022-05-11
1268448 Fix unsafe use of lambdas in BaseRenderingContext2D - 2022-05-10
1269999 Heap-use-after-free in xmlAddNextSibling - 2022-05-10
1287864 Security: iOS Webkit can leak IndexedDB names - 2022-05-09
1290008 UAF in printing $15000 2022-05-09
1283402 Heap-use-after-free in ChromePermissionsClient::OverrideCanonicalOrigin $15000 2022-05-06
1289383 Security: [ANGLE] Heap-buffer-overflow in ImageHelper::SubresourceUpdate::isUpdateToLayers $10000 2022-05-06
1289846 Security: CSS keylogger extension using PageStateMatcher and chrome.action.openPopup() $5000 2022-05-06
1290107 tint_ast_hlsl_writer_fuzzer.exe: Illegal-instruction in tint::fuzzers::CommonFuzzer::Run - 2022-05-06
1035344 API: parameterized overload of GetPropertyNames promises more flexibility than it actually supports - 2022-05-05
1280132 Security DCHECK failed: IsA<Derived>(from) in ng_block_node.cc:1032 blink::NGBlockNode::FirstChild $5000 2022-05-05
1280233 Origin spoofing in WebUSB $3000 2022-05-05
1285636 gpu_raster_swangle_passthrough_fuzzer: Use-of-uninitialized-value in sse3::store_NUMBER - 2022-05-05
1288251 AddressSanitizer: heap-use-after-free asan-linux-release-960248 content::StoragePartitionImpl::GetLockManager() content/browser/storage_partition_impl.cc:1493 $15000 2022-05-05
1288881 gpu_raster_swangle_passthrough_fuzzer: Use-of-uninitialized-value in GrDirectContextPriv::validPMUPMConversionExists - 2022-05-05
1289678 v8_wasm_compile_fuzzer: DCHECK failure in 3 == element_size_log2(kind) in liftoff-assembler-x64.h - 2022-05-05
1289715 Security: heap-use-after-free in ExtensionFunction::Shutdown $15000 2022-05-05
1290587 DCHECK failure in !scope_info_.is_null() in scopes.cc - 2022-05-05
1250655 #Summary SUMMARY: AddressSanitizer: heap-use-after-free in gpu::CommandBufferProxyImpl::OnDisconnect $7000 2022-05-03
1269996 Heap-buffer-overflow in hb_array_t<OT::IntType<unsigned int, 4u> const> hb_array_t<OT::IntType<unsigned - 2022-05-03
1270333 Security: Integer overflow in HandleTable::AddDispatchersFromTransit leading to memory corruption - 2022-05-03
1289378 heap-use-after-free : media_router::CastActivityManager::TerminateSession - 2022-05-03
1289384 Security: might be possible to UaF JavaScriptIsolatedWorldRequest - 2022-05-03
1289798 Heap-use-after-free in blink::NGBoxFragmentBuilder::PropagateBreakInfo - 2022-05-03
1290079 v8_wasm_compile_fuzzer: Use-after-poison in v8::internal::compiler::SinglePassRegisterAllocator::SpillRegisterAtMerge - 2022-05-03
1242962 Security: heap-buffer-overflow in SelectFileDialogImpl::OnSelectFileExecuted $7000 2022-05-02
1270052 Security: Chrome for Android Hide Entering Fullscreen Notification Toast with HTML Select Dropdown $3000 2022-05-02
1270470 Security: Scrolls are detectable cross-site upon using the Scroll to text fragment feature. $2000 2022-05-02
1278322 Security: heap-use-after-free in TemplateURLRef::ParseHostAndSearchTermKey $7000 2022-05-02
1284916 Security: UAF in DistilledPagePrefs::SetFontScaling $20000 2022-05-02
1289523 Security: heap-use-after-free in TemplateURLFetcher::RequestDelegate::OnTemplateURLParsed $7000 2022-05-02
1289802 Use-of-uninitialized-value in v8::internal::JSFunction::EnsureFeedbackVector - 2022-05-02
1286816 WebUSB out-of-bound access to selected_alternates_ in usb_device if the device has non-sequential alternative interface number - 2022-04-29
1285759 Security: double-free in content::RenderFrameHostImpl::ResetNavigationRequests $5000 2022-04-28
1288130 tint_regex_spv_writer_fuzzer.exe: Illegal-instruction in tint::fuzzers::CommonFuzzer::Run - 2022-04-28
1288769 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2022-04-28
1057296 COOP isn't inherited to Blob URL - 2022-04-27
1253155 CrOS: Vulnerability reported in app-editors/vim - 2022-04-27
1266771 CrOS: Vulnerability reported in app-editors/vim - 2022-04-27
1268369 CrOS: Vulnerability reported in app-editors/vim - 2022-04-27
1268803 CrOS: Vulnerability reported in app-editors/vim - 2022-04-27
1273811 CrOS: Vulnerability reported in app-editors/vim - 2022-04-27
1276679 CrOS: Vulnerability reported in app-editors/vim - 2022-04-27
1277921 CrOS: Vulnerability reported in app-editors/vim - 2022-04-27
1281941 Heap-use-after-free in extensions::ChromeExtensionsBrowserClient::GetOriginalContext $1000 2022-04-27
1283018 CrOS: Vulnerability reported in app-editors/vim - 2022-04-27
1286110 Security: heap-buffer-overflow swiftshader Image::copy 3D - 2022-04-27
1287364 Page can use EyeDropper API to bypass mouse movement/keyboard input requirements for autofill (bypass of issue 1240472 fix) $2000 2022-04-27
1287962 Security: [ANGLE] Heap-buffer-overflow in TextureVk::prepareForGenerateMipmap $12000 2022-04-27
1283434 A GPU crash (or anything that causes loss of GPU support for Chrome) will create framebuffer ghosting with ImageBitmap $1000 2022-04-26
1287843 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2022-04-26
1285622 tint_regex_spv_writer_fuzzer.exe: Illegal-instruction in tint::fuzzers::CommonFuzzer::Run - 2022-04-24
1281078 Security: heap-buffer-overflow in TabStripModel::MoveWebContentsAtImpl $7000 2022-04-23
1282480 Security: AddressSanitizer: heap-use-after-free on drag_drop_controller.cc (chromeOS and Lacros) $2000 2022-04-23
1244205 uaf in content::DesktopCaptureDevice::Core::AllocateAndStart $10000 2022-04-22
1252716 Security: heap-use-after-free in PrefChangeRegistrar::~PrefChangeRegistrar $10000 2022-04-22
1260007 Security: State tracking issue in RenderFrameHostImpl leading to UaF - 2022-04-22
1274445 Security: v8 Debug check failed: target_inobject < GetInObjectProperties(). $5000 2022-04-22
1278375 Security: stack-buffer-overflow in views::ScrollView::OnMouseWheel(ui::MouseWheelEvent const&) in the browser process $3000 2022-04-22
1280941 pdf_jpx_fuzzer: Trap in pdfium::base::AlignedAlloc - 2022-04-22
1283609 Security: UAF in OOBEUI $7000 2022-04-22
1284584 Security: UAF in safe_browsing::DownloadRequestMaker::Start $20000 2022-04-22
1285116 Security: heap-use-after-free in web_app::ShortcutInfoForExtensionAndProfile $2000 2022-04-22
1286837 Global-buffer-overflow in blink::CompositeOperatorName - 2022-04-22
1287342 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2022-04-22
1262902 Security: Heap-use-after-free in AccessibilityUIMessageHandler::RequestWebContentsTree $7000 2022-04-21
1274113 Security: mojo race NodeName reuse to leak messages - 2022-04-21
1212957 AddressSanitizer: use-after-poison frame_or_worker_scheduler.cc:88 in blink::FrameOrWorkerScheduler::NotifyLifecycleObservers $8500 2022-04-20
1280743 Security: JBIG2_Context.cpp arithmetic looks prone to overflow. - 2022-04-20
1283077 Security: heap-buffer-overflow in webui tabstrip - 2022-04-20
1232866 Security: Heap UAF in media_gpu!media::VideoProcessorProxy::VideoProcessorBlt $7000 2022-04-19
1251065 Chrome downgrades long-running requests from HTTPS to HTTP after 3 s. $3000 2022-04-19
1275438 Security: UAF in DateTimeChooserAndroid::ReplaceDateTime $25000 2022-04-19
1281763 Security: UAF in GoogleSearchDomainMixingMetricsEmitter $10000 2022-04-19
1282118 Security: UAF in BookmarkDragHelper::OnBookmarkIconLoaded $10000 2022-04-19
1285596 Crash in cppgc::internal::MemberBase::MemberBase - 2022-04-19
1285882 Crash in blink::LayoutObject::RemoveChild - 2022-04-19
1273017 Security: Inappropriate implementation in PushMessaging $10000 2022-04-18
1282320 Security: use-after-poison in blink::InspectorAccessibilityAgent::RefreshFrontendNodes $500 2022-04-18
1283124 AddressSanitizer: use-after-poison cc\layers\texture_layer.cc:169 in cc::TextureLayer::Update $5000 2022-04-18
1285007 DCHECK failure in reg.ToInt() < register_data_.size() in mid-tier-register-allocator.cc - 2022-04-18
1281859 CrOS: Vulnerability reported in sys-libs/binutils-libs - 2022-04-17
1277917 heap-use-after-free : mojo::DataPipeDrainer::WaitComplete - 2022-04-16
1283375 UAF in PrintViewManagerBase $15000 2022-04-16
1284138 heap-use-after-free base/memory/scoped_refptr.h:261:43 in operator bool (chromeOS) $7000 2022-04-16
1249964 intent:// URIs can launch BROWSABLE non-exported activities in the sending app - 2022-04-15
1267748 sqlite3_fts3_lpm_fuzzer: Use-of-uninitialized-value in sqlite3VdbeExec - 2022-04-15
1270593 Security: Chrome for Android Delay Navigate then requestFullScreen will Hide Omnibox $7500 2022-04-15
1271896 CrOS: Vulnerability reported in dev-libs/gmp - 2022-04-15
1275531 CrOS: Vulnerability reported in net-wireless/bluez - 2022-04-15
1275622 file_system_manager_mojolpm_fuzzer.exe: Heap-use-after-free in storage::ObfuscatedFileUtil::InitOriginDatabase - 2022-04-15
1277328 Security: heap-use-after-free in ui::AXTree::NotifyNodeWillBeReparentedOrDeleted $7000 2022-04-15
1279188 Security: Elevation of Privileges in chrome installer when removing scoped directory during updates $10000 2022-04-15
1279531 heap-use-after-free in media_router::CastMediaSinkService::StartMdnsDiscovery $7000 2022-04-15
1282651 dawn_wire_server_and_vulkan_backend_fuzzer: Container-overflow in dawn_native::OwnedCompilationMessages::AddMessage - 2022-04-15
1282782 Type Confuse Security DCHECK failed: !node || IsTextControl(*node) text_control_element.h(268) $5000 2022-04-15
1283090 heap-use-after-free : DefaultPrefStore::~DefaultPrefStore - 2022-04-15
1283371 Security: UAF in ChromeContentBrowserClient::CreateURLLoaderThrottles $15000 2022-04-15
1283805 Heap-buffer-overflow in TableView::OnItemsRemoved - 2022-04-15
1283807 Container-overflow in TableView::UpdateVirtualAccessibilityChildrenBounds - 2022-04-15
1284367 Security: heap-use-after-free in safe_browsing::ThreatDetails::OnReceivedThreatDOMDetails - 2022-04-15
1284509 tint_regex_hlsl_writer_fuzzer: Illegal-instruction in tint::fuzzers::CommonFuzzer::Run - 2022-04-15
1284742 freetype_truetype_fuzzer: Heap-buffer-overflow in tt_face_vary_cvt - 2022-04-15
1285122 v8_inspector_fuzzer: DCHECK failure in IsInvalid(c0_) || base::IsInRange(c0_, 0u, unibrow::Utf16::kMaxNonSurrogateCharC - 2022-04-15
1249626 heap-use-after-free : void exo::wayland::DestroyUserData<exo::wayland::`anonymous namespace'::WaylandPointerStylusDelegate> - 2022-04-13
1250227 SUMMARY: AddressSanitizer: heap-use-after-free web_view_impl.cc:1020 in blink::WebViewImpl::ClosePagePopup $7500 2022-04-13
1254422 Intent selectors allow intents from the web to bypass intent filter requirements - 2022-04-13
1282224 v8_wasm_compile_fuzzer: DCHECK failure in allocated_registers_bits_ == register_state_ ? GetAllocatedRegBitVector(register - 2022-04-13
1282645 Container-overflow in content::RenderFrameHostImpl::OnBackForwardCacheDisablingFeatureRemoved - 2022-04-13
1283042 v8_wasm_compile_fuzzer: DCHECK failure in allocated_registers_bits_ == register_state_ ? GetAllocatedRegBitVector(register - 2022-04-13
1283681 Security: UAF in heap-use-after-free in DevToolsWindow::Show(browser process) $3000 2022-04-13
1261713 Security: Heap-use-after-free in feedback::FeedbackData::SendReport $1000 2022-04-12
1279368 AddressSanitizer: use-after-poison local_frame_view.cc:818 in blink::LocalFrameView::PerformLayout - 2022-04-12
1283255 heap-use-after-free : DownloadItemView::DropdownButtonPressed - 2022-04-09
1283198 Security: heap-buffer-overflow in chrome_pdf::PDFiumEngine::RequestThumbnail - 2022-04-07
1278960 Security: Heap-use-after-free in autofill::EditAddressProfileView::WindowClosing $7000 2022-04-05
1282272 Google Chrome Browser Private key leaks on github - 2022-04-03
1274323 Crash in SkArenaAllocWithReset::reset $6000 2022-04-01
1268240 Security: UaF in AccessibilityUIMessageHandler::Callback $1000 2022-03-31
1275020 SUMMARY: AddressSanitizer: heap-use-after-free base/bind_internal.h:535:12 in BindState<void (content::StorageNotificationService::*)(url::Origin), UnretainedWrapper<content::StorageNotificationService> $20000 2022-03-31
1277327 Security: heap-use-after-free ui::AXEventRecorder::OnEvent $7000 2022-03-31
1280456 Security: container-overflow in ash::ScrollableShelfView::ShouldCountActivatedInkDrop $3000 2022-03-31
1281881 Heap-use-after-free in optimization_guide::OptimizationGuideStore::ClearFetchedHintsFromDatabase $2000 2022-03-31
1276331 Security: heap-buffer-overflow around blink::mojom::WidgetInputHandlerProxy::DispatchEvent - 2022-03-30
1281800 UAF crash may happen on child_process_launcher_android.cc - 2022-03-30
1270358 Security: FencedFrames reachable from compromised renderer due to lacking features::isEnabled(kFencedFrames) checks in Browser Process and FencedFrame::Navigate can navigate to file:// and chrome:// origins $17000 2022-03-29
1270498 heap-buffer-underflow : ash::ScrollableShelfView::GetTargetScreenBoundsOfItemIcon - 2022-03-29
1278988 Security DCHECK failed: IsA<Derived>(from) in blink::LayoutTableSection::AddCell layout_table_section.cc:277 - 2022-03-29
1264196 heap-use-after-free : ash::ShelfID::IsNull - 2022-03-27
1271538 v8_wasm_compile_fuzzer: Use-after-poison in v8::internal::compiler::SinglePassRegisterAllocator::AllocateInput - 2022-03-27
1280822 Use-after-poison in blink::FrameOrWorkerScheduler::NotifyLifecycleObservers - 2022-03-27
1274316 uaf in rx::vk::CommandBufferHelper::bufferWrite $5000 2022-03-24
1278180 Security: Heap-use-after-free in ui::MenuModel::GetModelAndIndexForCommandId $10000 2022-03-24
1209467 CrOS: Vulnerability reported in net-fs/samba - 2022-03-23
1231037 Security: invalid parsing of HTML by tree_builder_simulator leading to mutation XSS $5000 2022-03-23
1261790 CrOS: Vulnerability reported in sys-libs/ldb - 2022-03-23
1261791 CrOS: Vulnerability reported in net-fs/samba - 2022-03-23
1249426 heap buffer overflow in BookmarkManagerPrivateDropFunction::RunOnReady $1000 2022-03-22
1261689 Security: scrollTop of ListBox autofill preview discloses sensitive information $4000 2022-03-22
1272967 Security: UAF in P2PSocketTcpServer::DoAccept $5000 2022-03-22
1276203 heap-use-after-free : ash::DeskActivationAnimation::EndSwipeAnimation - 2022-03-22
1279147 Heap-use-after-free in CPDF_AnnotContext::~CPDF_AnnotContext - 2022-03-22
1279151 crash in v8 heap(--js-flags=--experimental-wasm-gc) $5000 2022-03-22
1279383 DCHECK failure in IsAligned(result, kAlignmentInBytes) in zone.cc - 2022-03-22
1238209 container-overflow in blink::UserMediaProcessor::DetermineExistingAudioSessionId $5000 2022-03-21
1132124 Security: SODA is provided a privileged URLLoaderFactory - 2022-03-19
1272266 Security: swiftshader heap-use-after-free in getOffsetPointer $5000 2022-03-19
1242339 CHECK failure: byte_length() <= JSArrayBuffer::kMaxByteLength in objects-debug.cc - 2022-03-18
1247389 Security: Possible to see the user's system environment variables like secrets, tokens or keys $10000 2022-03-18
1268903 Security: Use of uninitialized on-stack pointer in storage::BlobBuilderFromStream - 2022-03-18
1276850 UAF in AutofillPopupControllerImpl::HandleKeyPressEvent $20000 2022-03-18
1278589 Security: Certificate Viewer remotely exploitable with large DSA and RSA-PSS signatures on Linux/ChromeOS (before 98.0.4714.0) - 2022-03-18
1259557 Security: mojo AddBrokerClient can be sent to non-broker nodes (node<->node mitm) - 2022-03-17
1276715 Heap-use-after-free in content::TestRunnerBindings::InvokeV8Callback - 2022-03-17
1262080 Security: heap-buffer-overflow swiftshader Image::copy $5000 2022-03-16
1262676 SUMMARY: AddressSanitizer: access-violation regexp-interpreter.cc:461 in v8::internal::`anonymous namespace'::RawMatch<unsigned char> $5000 2022-03-16
1263457 Security: Interface ID reuse leading to memory corruption in IPC::ChannelAssociatedGroupController - 2022-03-16
1273537 heap-use-after-free : chromeos::AppDownloadingScreenHandler::Bind - 2022-03-16
1273661 Security: webgl global-buffer-overflow in getIncompleteTexture $5000 2022-03-16
1274248 wayland_buffer_fuzzer: Crash in libwayland-server.so.0 - 2022-03-16
1276923 Security: Debug Check failed in HAS_WEAK_HEAP_OBJECT_TAG - 2022-03-16
1272068 Security: Wild read with renderbuffers $5000 2022-03-13
1270095 Security: Use after Free in content::AccessibilityEventRecorderWin::AccessibleObjectFromWindowWrapper $1000 2022-03-12
1274376 uaf in chrome_pdf::PdfViewPluginBase::LoadAccessibility $5000 2022-03-12
1240472 Security: Page can cause autofill prompt to render under cursor in order to bypass mouse movement/keyboard input requirements for autofill $3000 2022-03-11
1241585 Security: Page can use space key input to cause autofill prompt to render under cursor, bypasses mouse movement/designated keyboard input requirements for autofill $1000 2022-03-11
1267060 Chrome_ChromeOS: Crash Report - views::Widget::CloseWithReason via TabStripPageHandler::OnTabGroupChanged $1000 2022-03-11
1270007 Heap-buffer-overflow in int flatbuffers::ReadScalar<int> - 2022-03-11
1270658 Security: use after free in swiftshader $5000 2022-03-11
1274499 Security: [ANGLE] D3D11 : Integer Underflow in ElementsInBuffer results in wild copy $7500 2022-03-11
1275431 code_cache_host_mojolpm_fuzzer: Segv on unknown address in content::GeneratedCodeCache::IssueNextOperation - 2022-03-11
1275559 dcsctp_socket_fuzzer: Use-of-uninitialized-value in crc32c::ExtendSse42 - 2022-03-11
1275892 Security: UAF in ScreenCaptureMachineAndroid::OnActivityResult $15000 2022-03-11
1270014 UNKNOWN READ in WelsDec::WelsMarkAsRef - 2022-03-10
1115460 Security: Possible for extension to escape sandbox via Input.dispatchKeyEvent and devtools_page $15000 2022-03-09
1201032 Security: Use-After-Free in SelectFileDialog $25000 2022-03-09
1252562 heap-use-after-free : content::ViewsWidgetVideoCaptureDeviceMac::UIThreadDelegate::OnScopedCGWindowIDMouseMoved - 2022-03-09
1271747 heap-use-after-free : safe_browsing::SafeBrowsingPrimaryAccountTokenFetcher::OnTokenFetched - 2022-03-09
1272250 Security: CSS transform and backface-visibility: hidden allow to render over Chrome UI $1000 2022-03-09
1273197 heap-use-after-free window_dimmer.cc (chromeOS) $7000 2022-03-09
1273395 Container-overflow in blink::DisplayLockContext::DetachDescendantTopLayerElements - 2022-03-09
1273674 uaf in local_card_migration_dialog_view $7500 2022-03-09
1274061 Security: UAF in BluetoothPrefStateObserver - 2022-03-09
1265806 Security: webrtc: out-of-bounds write in audio channel processing $8500 2022-03-08
1267426 Deleting broker decoder in error callback path is risky - 2022-03-08
1270990 Performance API is not consistent for preloaded requests which can be used to leak the size of cross-origin resources $2000 2022-03-08
1271853 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2022-03-08
1272208 Security: heap-use-after-free in the media::AudioManagerBase in the browser process $15000 2022-03-08
1272403 Security: HeapOverflow in PageLoadMetrics $15000 2022-03-08
1273609 heap-use-after-free video_recording_watcher.cc:673:7 $10000 2022-03-08
1274641 Security: UaF on DesksBarView::EndDragDesk in desks_bar_view.cc:663:5 $7000 2022-03-08
1260939 Security: TFC 2021 loader bug $10000 2022-03-07
1263417 Non-positive-vla-bound-value in blink::CanvasPath::roundRect $1000 2022-03-07
1267496 Security: webgl heap-buffer-overflow LoadCompressedToNative $2000 2022-03-07
1274322 Bad-cast to views::FootnoteContainerView from views::BubbleFrameView in views::BubbleFrameView::ViewHierarchyChanged - 2022-03-07
1274324 Bad-cast to content::RenderWidgetHostViewChildFrame from content::RenderWidgetHostViewBase in content::RenderWidgetHostInputEventRouter::OnRenderWidgetHostViewBaseDestroyed - 2022-03-07
1274044 Bad-cast to void *(unsigned long) in xmlAllocParserInputBuffer - 2022-03-06
1271835 CHECK failure: marking_state_->IsBlackOrGrey(heap_object) - 2022-03-04
1273001 Segv on unknown address in tint::writer::msl::Options::operator= - 2022-03-04
1273140 Security: heap-use-after-free in DevToolsWindow::ActivateWindow - 2022-03-04
1273176 Security: heap-use-after-free in DevToolsWindow::Show - 2022-03-04
1273593 Crash in blink::NGInlineItemsBuilderTemplate<blink::EmptyOffsetMappingBuilder>::AppendTex - 2022-03-04
1273705 CHECK failure: (location_) != nullptr in maybe-handles.h - 2022-03-04
1177652 The destruction timing issue between RenderFrameHostImpl and DedicatedWorkerHost/DedicatedWorkerHostFactoryImpl - 2022-03-03
1239496 Security: Pointer lock can be used to bypass mouse movement/keyboard input requirements for autofill $3000 2022-03-03
1239760 Security: Autofill prompt for a page can render over different origin, allows spoofing of autofill context origin $5000 2022-03-03
1261415 webcodecs_video_encoder_fuzzer: Heap-buffer-overflow in vp9_encode_tiles_row_mt - 2022-03-03
1268400 Security: Heap-use-after-free in ui::EventDispatcher::DispatchEventToEventHandlers() $1000 2022-03-03
1267791 [ozone/wayland]use-after-free in WaylandWindow $10000 2022-03-03
1272269 Security: Heap-use-after-free in ash::sharesheet::SharesheetBubbleViewDelegate::IsBubbleVisible $7000 2022-03-03
1273344 Null-dereference READ in rx::vk::QueryHelper::writeTimestamp - 2022-03-03
1272180 webcodecs_image_decoder_fuzzer: Crash in mv_projection - 2022-03-02
1115847 Security: SameSite policy bypassed with Service Worker FetchEvent - 2022-03-01
1266510 Security: container-overflow in ExtensionsToolbarContainer::SetExtensionIconVisibility $1000 2022-03-01
1271384 Security: Debug check failed: receiver->IsJSReceiver() - 2022-03-01
1272181 Bad-cast to content::ServiceVideoCaptureProvider::ServiceProcessObserver from invalid vptr in base::internal::UnretainedWrapper<content::ServiceVideoCaptureProvider::ServiceP - 2022-03-01
1113812 Security: Linux Kernel shift-out-of-bounds in arch/x86/kvm/vmx/pmu_intel.c:365:45 - 2022-02-27
1117173 Security: Possible for extension to escape sandbox via Input.synthesizeTapGesture $10000 2022-02-27
1269151 Security: Extension can automatically start Crostini on log-in - 2022-02-27
1271456 Access violation with --turbo_inline_js_wasm_calls - 2022-02-27
1272076 pdf_formcalc_context_fuzzer: DCHECK failure in marking_support_ != MarkingType::kAtomic in heap.cc - 2022-02-27
661852 CSP form-action checks full URL on redirects - 2022-02-24
1027592 Security: Chrome for ios crash when selecting long message with special characters - 2022-02-24
1245629 heap-use-after-free in OnBrowserSetLastActive $5000 2022-02-24
1255713 Security: UI spoofing using a very long URL $3000 2022-02-24
1259899 heap-use-after-free : blink::RTCVideoEncoder::Impl::EncodeFrameFinished - 2022-02-24
1267661 Security: heap-use-after-free in content::WebContentsObserver::web_contents $15000 2022-02-24
1267811 UAF on nearby_share_contact_downloader_impl.cc $10000 2022-02-24
1268738 V8 debug check failed: new_target->IsConstructor() $5000 2022-02-24
1269344 uaf in content::BroadcastChannelService::ConnectToChannel $20000 2022-02-24
1270817 CHECK failure: IsValidHeapObject(heap_, heap_object) in heap.cc - 2022-02-24
1270826 Crash in v8::internal::MarkCompactCollector::ProcessMarkingWorklist<0> - 2022-02-24
1230444 Cross-site information leak - Leaking cross-origin redirect destination URI due to CORS (iOS) $1000 2022-02-22
1262525 CrOS: Vulnerability reported in net-vpn/strongswan - 2022-02-22
1264705 Crash in hsw::lowp::gather_NUMBER - 2022-02-22
1266688 Heap-use-after-free in blink::NGPhysicalFragment::HasSelfPaintingLayer - 2022-02-22
1269307 Security: Use after free in WebApkIconHasher $20000 2022-02-22
1270356 DCHECK failure in !scope_info_.is_null() in scopes.h - 2022-02-22
1242424 Security: History Cached Page of the Lens region search cause url spoof $2000 2022-02-21
1267514 DCHECK failure in !scope_info_.is_null() in scopes.h - 2022-02-21
1269225 Security: Memory corruption in renderer process - 2022-02-19
1171997 heap-use-after-free : UnloadController::ProcessPendingTabs - 2022-02-18
1265570 DCHECK failure in shared_info->HasBytecodeArray() in js-objects.cc - 2022-02-18
1268682 mediasource_MP4_AV1_pipeline_integration_fuzzer: Crash in dav1d_refmvs_load_tmvs - 2022-02-18
1268759 Security: Use After Free AppServiceContextMenu::ExecuteCommand $15000 2022-02-18
1248289 Service worker can use web assembly without unsafe-eval. - 2022-02-17
1263741 Security: libjxl has security bugs - 2022-02-17
1267627 Security: Web Serial - Out of bound read in SerialPortUnderlyingSink::WriteData(). $7500 2022-02-17
1269315 DCHECK failure in old_code_pages->size() == new_code_pages->size() + 1 in isolate.cc - 2022-02-17
1011497 Security: Remote debug can be used to access protected profile data (e.g. cookies) - 2022-02-16
1202970 Security: Sanitizer API bypass - 2022-02-16
1240593 Security: heap-use-after-free in blink::NativeIOFile::DoRead - 2022-02-16
1262953 Improper restriction in password saving form, while navigation from one site to another site - 2022-02-16
1262183 Security: heap-use-after-free in storage::BlobURLStoreImpl::Revoke - 2022-02-16
1264873 Security: SOP bypass using drag and drop - 2022-02-16
1265197 XSS from chrome-untrusted://new-tab-page URL parsing $500 2022-02-16
1267276 Use-after-poison in blink::HTMLSlotElement::DetachLayoutTree - 2022-02-16
1267624 Security: Wild write in angle $5000 2022-02-16
1268274 Security: Storage Foundation read()/write() access DOMArrayBufferView off the heap's thread - 2022-02-16
1241188 Security: "Origin" header incorrectly set for cross-site request via service worker $3000 2022-02-15
1267027 Security: webgl heap-use-after-free in BitSetT $5000 2022-02-15
1267420 CrOS: Vulnerability reported in net-libs/libmicrohttpd - 2022-02-15
1267424 Security: webgl heap-buffer-overflow getDrawSubresourceSerial $5000 2022-02-15
1241091 Security: heap-use-after-free in ThreadedIconLoader::DecodeAndResizeImageOnBackgroundThread - 2022-02-14
1254189 Primitive type confusion in ia32 AssembleCodePhase $7500 2022-02-14
1266293 Security: heap-use-after-free in BluetoothSerialDeviceEnumerator::OnGotClassicAdapter - 2022-02-14
1266437 Use after free in getSamplerTexture $5000 2022-02-14
1267674 v8_regexp_parser_fuzzer: DCHECK failure in index < length() / kUInt16Size in fixed-array-inl.h - 2022-02-14
1238631 Security: Share dialog on Windows can render over address bar, window controls - 2022-02-12
1264584 heap-use-after-free : location::nearby::chrome::SubmittableExecutor::RunTask - 2022-02-12
1264988 Security: ASan reports wild reads in swiftshader $5000 2022-02-12
1264703 Security: Heap-use-after-free in sharing_hub::SharingHubBubbleController::~SharingHubBubbleController $5000 2022-02-11
1259170 Unsafe uses of uninitialized graphics memory - 2022-02-09
1264477 Security: Site Isolation bypass via NavigationPreloadRequest - 2022-02-09
1264508 v8_regexp_parser_fuzzer: DCHECK failure in r.to() < kMaxUInt16 in regexp-macro-assembler.cc - 2022-02-09
1168553 Security: host root command execution - 2022-02-08
1260649 Leaking size of cross-origin resources by using Range Requests, Service Workers, Fetch API, and the Cache API $2000 2022-02-08
1260783 Use after free in gl::VertexArray::setDependentDirtyBit $5000 2022-02-08
1262791 Security: Type confusion in UnderlyingSinkBase::start $15000 2022-02-08
1264013 Trap in Builtins_CheckTurbofanType - 2022-02-08
1264282 Security: UAF in SharingHub $5000 2022-02-08
1265275 CHECK failure: function_literal_id < script->shared_function_info_count() in objects.cc - 2022-02-08
1237310 Security: Autofill prompt can render over permission prompts after they have opened $3000 2022-02-05
1248963 CrOS: Vulnerability reported in app-editors/vim - 2022-02-05
1260858 Heap-use-after-free in color input on switching screens (MacOS) $10000 2022-02-05
1263620 Google Chrome MediaStreamTrackGenerator use after free vulnerability (TALOS-2021-1398) $7500 2022-02-05
1139417 arc-setup: ArcMounterImpl::LoopMount() can be raced - 2022-02-03
1254113 heap-use-after-free : crosapi::DriveIntegrationServiceAsh::~DriveIntegrationServiceAsh - 2022-02-03
1256822 Sandbox escape: bypass allow-popups-to-escape-sandbox $2500 2022-02-03
1259694 Contact dialog can be shown over a cross-origin page which might confuse a user into leaking sensitive information to an attacker $1000 2022-02-03
1262091 Security: heap-use-after-free swiftshader getCurrentViewCount $5000 2022-02-03
1262208 Security: Write setgid_resetriction policy files - 2022-02-03
1248444 Guessing the URL a cross-origin iframe was redirected to by listening to the load event $5000 2022-02-02
1258932 Use-after-poison in blink::HTMLSlotElement::DetachLayoutTree - 2022-02-02
1263462 Security: JSON.stringify leaks TheHole value, leading to RCE - 2022-02-02
1263486 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2022-02-02
1263961 Use-of-uninitialized-value in v8::internal::StackGuard::PopInterruptsScope - 2022-02-02
1264015 CHECK failure: push_segment_ implies push_segment_->IsEmpty() - 2022-02-02
1248438 uaf in FileManagerPrivateInternalComputeChecksumFunction::Run $10000 2022-02-01
1258809 Security: UaF in extension management policy parsing - 2022-02-01
1263327 v8_regexp_parser_fuzzer: DCHECK failure in !ranges->is_empty() in regexp-compiler.cc - 2022-02-01
1260621 Security: PDFium Use-After-Free in v8::internal::ArrayBufferExtension::Mark $1000 2022-01-31
1251567 Heap-buffer-overflow in rx::ProgramExecutableVk::updateBuffersDescriptorSet - 2022-01-30
1261542 freetype_cff_ftengine_fuzzer: Use-of-uninitialized-value in ft_mem_free - 2022-01-28
1261728 freetype_type1_render_fuzzer: Use-of-uninitialized-value in T1_Get_MM_Var - 2022-01-28
1261762 freetype_type1_fuzzer: Use-of-uninitialized-value in T1_Set_MM_Design - 2022-01-28
1262112 dawn_wire_server_and_frontend_fuzzer.exe: Heap-use-after-free in dawn_native::AbslFormatConvert - 2022-01-28
1197889 Security: Origin spoof in external protocol dialogs via server-side redirect to external protocol $2000 2022-01-27
1261343 freetype_colrv1_fuzzer: Use-of-uninitialized-value in ft_mem_free - 2022-01-27
1261450 freetype_truetype_fuzzer: Use-of-uninitialized-value in FT_Get_Gasp - 2022-01-27
1227170 Security: Another autocomplete preview text leak $5000 2022-01-26
1242667 CrOS: Vulnerability reported in sys-libs/glibc - 2022-01-26
1248889 CSP Violation reports contain blockedURI's hostname $1000 2022-01-26
1253038 Security: negative-size-param in image_editor::ScreenshotFlow::RemoveUIOverlay $5000 2022-01-26
1253101 Security: font side-channel attack against <input> and <textarea> autofill preview discloses sensitive information - 2022-01-26
1254746 SUMMARY: AddressSanitizer: stack-use-after-scope renderer11_utils.cpp:2299 in rx::d3d11::SetDebugName $5000 2022-01-26
1259022 Security: UAF when sending tab to device in android - 2022-01-26
1260577 Security: TianfuCup RCE bug Type confusion in LoadIC::ComputeHandler - 2022-01-26
1260606 gpu_raster_swangle_passthrough_fuzzer: Use-of-uninitialized-value in vk::DescriptorSet::ParseDescriptors - 2022-01-26
1260690 Segv on unknown address in sh::OutputSPIRVTraverser::visitConstantUnion - 2022-01-26
1260940 Security: TFC WebTransport bug - 2022-01-26
1167028 Security: WPA2-Enterprise/EAP Subject Matching Vulnerability $3000 2022-01-24
1243279 CrOS: Vulnerability reported in sys-libs/glibc - 2022-01-24
1249962 Security: In-the-wild using intents to redirect to other browsers - 2022-01-24
1251673 Security: Continued AddEventListener GC problems $5000 2022-01-24
1260189 PotentiallyDanglingMarkup() lost when removing fragment identifier - 2022-01-24
1039885 Dangling markup attack through background attribute allows data exfiltration $1000 2022-01-22
1256885 Security: Page.addCompilationCache devtools API could lead to arbitrary machine code execution - 2022-01-21
1259864 Security: heap-use-after-free in ForceSigninVerifier::SendRequestIfNetworkAvailable $10000 2022-01-21
1259587 Security: UAP on creating WebAssembly memories on document reload $7500 2022-01-20
1258398 Use-after-poison in blink::HTMLSlotElement::DetachLayoutTree - 2022-01-19
1244289 Security: SameSite Cookie Bypass via BackgroundFetch $3000 2022-01-18
1257891 heap-buffer-overflow in WebMediaPlayerMSCompositor::ReplaceCurrentFrameWithACopyInternal() $7500 2022-01-18
1258603 DCHECK failure in function->shared().HasFeedbackMetadata() in js-function.cc - 2022-01-18
1258663 CHECK failure: !field_type.NowStable() || field_type.NowContains(value) - 2022-01-18
1258839 freetype_type1_fuzzer: Heap-buffer-overflow in ps_parser_skip_spaces - 2022-01-18
1259045 freetype_type1_ftengine_fuzzer: Use-of-uninitialized-value in t1_decoder_parse_metrics - 2022-01-18
1249491 use after free in ash::sharesheet::SharesheetBubbleView::CloseBubble $7500 2022-01-17
1255464 Use-after-poison in blink::HTMLSlotElement::DetachLayoutTree - 2022-01-16
1251073 Container-overflow in ash::ScrollableShelfView::ShouldCountActivatedInkDrop - 2022-01-15
1258235 Bad-cast to blink::HTMLSlotElement from blink::HTMLStyleElement in blink::HTMLDetailsElement::ManuallyAssignSlots - 2022-01-15
906200 Security: XSS in chromium-cq-status.appspot.com - 2022-01-14
1255332 UaF in PDF accessibility due to relayout $5000 2022-01-14
1257254 Use-after-poison in mojo::InterfaceEndpointClient::NotifyError - 2022-01-14
957553 Security: Extension messages can indefinitely extend user activation expiry and repeatedly use of it $3000 2022-01-13
1222498 Sanitize CompositorFrame for shared element directives. - 2022-01-13
1253746 Security: WebAudio oob read in AudioDelayDSPKernel::ProcessKRate $2000 2022-01-13
1255314 hb_subset_fuzzer: Crash in BEInt<unsigned short, 2>::operator unsigned short - 2022-01-13
1237730 Security: v8 CHECK Failed IsStruct_NonInline in Torque Struct-Tq-Inl $5000 2022-01-12
1249810 Security: Use After Free in DevToolsFileHelper::GetFileSystems $10000 2022-01-12
1250904 tint_regex_spv_writer_fuzzer: Crash in LLVMFuzzerCustomMutator - 2022-01-12
1254656 hb_subset_fuzzer: Heap-buffer-overflow in bool OT::OffsetTo<OT::MathGlyphAssembly, OT::IntType<unsigned short, 2u>, true>: - 2022-01-12
1255152 pdf_formcalc_context_fuzzer: DCHECK failure in header->IsMarked() in pointer-policies.cc - 2022-01-12
1255368 DCHECK failure in first_const_pool_32_use_ == -1 in assembler-arm.cc - 2022-01-12
1256835 hb_subset_fuzzer: Heap-buffer-overflow in OT::MathValueRecord* hb_serialize_context_t::embed<OT::MathValueRecord> - 2022-01-12
1236318 AddressSanitizer: heap-buffer-overflow mojo::internal::Serializer<BigBufferDataView,BigBufferView>::Serialize $7500 2022-01-10
1238309 Security: Chrome incorrectly interprets newlines in HTTP headers in HTTP/3, allowing for some header splitting possibilities - 2022-01-10
1247260 Google Chrome WebRTC RTPSenderVideoFrameTransformerDelegate memory corruption vulnerability (TALOS-2021-1372) $7500 2022-01-10
1254704 v8_regexp_parser_fuzzer: Use-of-uninitialized-value in v8::internal::IrregexpInterpreter::Result v8::internal::RawMatch<unsigned char> - 2022-01-10
1255354 CHECK failure: all.IsLive(use) && (use->opcode() == IrOpcode::kIfTrue || use->opcode() == IrOpc - 2022-01-10
1255330 Trap in Builtins_CheckNumberInRange - 2022-01-10
1252074 Security: ChromeOS root command persistence $15000 2022-01-08
1252878 use after poison in blink::Element::DidMoveToNewDocument $10000 2022-01-08
1254675 CHECK failure: thrower->error() - 2022-01-08
1251664 tint_ast_spv_writer_fuzzer: Illegal-instruction in tint::fuzzers::FatalError - 2022-01-07
1252858 Security: mojo OnIntroduce doesn't validate peer node (node<->node mitm) - 2022-01-07
1254131 Security: Crash when closing tab with sending tab to device dialog - 2022-01-07
1254631 Security: Chrome 94 does not correctly set Integrity level of all processes to Untrusted $3000 2022-01-07
1255123 Crash in PreflightLoader::HandleResponseHeader on failed preflight - 2022-01-07
1252354 Security: UAF in IdentityDialogController::ShowIdProviderWindow $25000 2022-01-05
1251179 Security: Fetch leaks information about cross-origin redirects $1000 2022-01-05
1253399 Security: pdfium heap buffer overflow in cfx_dibbase.cpp $7500 2022-01-05
1253976 DCHECK failure in \\' == current() in regexp-parser.cc - 2022-01-05
1254396 Segv on unknown address in device::PlatformSensorFusion::Factory::SensorCreated - 2022-01-05
1241860 SUMMARY: AddressSanitizer: heap-use-after-free Runtime.cpp:439 in v8_inspector::protocol::Runtime::Frontend::exceptionThrown $5000 2022-01-04
1252148 Security: Arbitrary bind mount - 2022-01-04
1252620 Heap-use-after-free in v8::internal::TurboAssemblerBase::set_root_array_available - 2022-01-03
1253041 DCHECK failure in header->IsMarked() in pointer-policies.cc - 2022-01-02
1245578 Security: heap-use-after-free in PPAPIDownloadRequest::AllowlistCheckComplete $20000 2022-01-01
1252634 pdf_formcalc_context_fuzzer: DCHECK failure in header->IsMarked() in pointer-policies.cc - 2022-01-01
1252729 tint_all_transforms_fuzzer: Use-of-uninitialized-value in tint_all_transforms_fuzzer.cc - 2022-01-01
1252795 tint_vertex_pulling_fuzzer: Use-of-uninitialized-value in tint::fuzzers::DataBuilder::string - 2022-01-01
1252942 tint_wgsl_reader_msl_writer_fuzzer: Use-of-uninitialized-value in tint::writer::msl::Sanitize - 2022-01-01