Chromium Disclosed Security Bugs

Chromium security bugs are publicly disclosed by Google 14 weeks after fixing. They have great learning value, but it's difficult to keep track of exactly when they're derestricted. This page is a hub of security bugs that have recently gone public.

Bugs can also be followed on Twitter: @BugsChromium or Mastodon.

Bugs disclosed in 2023

Bug #   Summary   Reward ($$$)   Disclosure date
1418223 pdf_formcalc_context_fuzzer: Segv on unknown address in Builtins_InterpreterPushArgsThenCall - 2023-06-04
1418706 v8_wasm_code_fuzzer: DCHECK failure in opcode >> 8 == kGCPrefix in function-body-decoder-impl.h - 2023-06-03
1412658 Security: stack-buffer-overflow in crashpad $3000 2023-06-02
1418078 Vulnerability reported in /third_party/libxml - 2023-06-02
1418508 blink_storage_key_fuzzer: Trap in NotImplemented - 2023-06-02
1418621 DCHECK failure in !HAS_WEAK_HEAP_OBJECT_TAG(ptr_) in tagged-impl-inl.h - 2023-06-02
1285604 Side-channel attack can deanonymize users (potential risk to journalists and activists) "Targeted Deanonymization via the Cache Side Channel: Attacks and Defenses" - 2023-06-01
1404279 DCHECK failure in code == topmost_ implies safe_to_deopt_ in deoptimizer.cc - 2023-05-31
1414278 UAF in aura::Window $1000 2023-05-31
1414581 Security: Heap-use-after-free in ash::WizardController::HandleAccelerator $1000 2023-05-31
1414975 Security: Document PIP origin spoof $3000 2023-05-31
1415008 Security: Possible UAF in PinManager::NotifyDelete $1000 2023-05-31
1417122 Security: UAF in PlatformAuthNavigationThrottle::FetchHeadersCallback $38000 2023-05-31
1417185 Security: heap-buffer-overflow in base::SampleVectorBase::MoveSingleSampleToCounts - 2023-05-31
1417389 [Security] V8 Debug check failed: OFFSET_OF(Isolate, string_stream_current_security_token_) == strin $7000 2023-05-31
1412487 Security: Type confusion in v8 value serializer $10000 2023-05-30
1413539 Heap-use-after-free in ui::Layer::OnDeviceScaleFactorChanged - 2023-05-30
1414224 heap-use-after-free : TemplateURLService::CreateSyncDataFromTemplateURL - 2023-05-30
1415328 Security: heap-buffer-overflow in base::debug::ActivityUserData::ActivityUserData - 2023-05-30
1416785 base_activity_analyzer_fuzzer: Heap-buffer-overflow in base::debug::ThreadActivityTracker::IsValid - 2023-05-30
1416921 base_activity_analyzer_fuzzer: Use-of-uninitialized-value in base::debug::GlobalActivityAnalyzer::PrepareAllAnalyzers - 2023-05-30
1417089 Security: Heap-use-after-free in PasswordAutofillManager::DidAcceptSuggestion $42000 2023-05-30
1417353 Security: Debug check failed: 0 != new_nodes_.count(value) (0 vs. 0). - 2023-05-30
1417380 DCHECK failure in CpuFeatures::IsSupported(*feature) in macro-assembler-shared-ia32-x64.h - 2023-05-30
1417412 DCHECK failure in 0 != new_nodes_.count(value) in maglev-graph-builder.h - 2023-05-30
1417463 DCHECK failure in ValidOpInputRep(graph, left(), input_rep) in operations.h - 2023-05-30
1417585 Map deprecation racing with concurrent compilation can break invariant - 2023-05-30
1417908 v8_wasm_fuzzer: Global-buffer-overflow in v8::internal::wasm::WasmFullDecoder<v8::internal::wasm::Decoder::NoValidationTag - 2023-05-30
1415366 UAF in permissions::PermissionRequest::request_type $41000 2023-05-29
1381812 sql_recovery_fuzzer: Use-of-uninitialized-value in sql::recover::LeafPayloadReader::ReadPayload - 2023-05-28
1415371 crashpad_process_snapshot_intermediate_dump_fuzzer: Heap-buffer-overflow in crashpad::internal::ExceptionSnapshotIOSIntermediateDump::InitializeFromMachExce - 2023-05-28
1416828 Heap-use-after-free in ui::Layer::OnDeviceScaleFactorChanged - 2023-05-28
1411210 Security: [swiftshader] heap-use-after-free on vk::Query::start $15000 2023-05-27
1417317 heap-buffer-overflow in base::PersistentHistogramAllocator::GetHistogram - 2023-05-27
1417370 Use-after-poison in v8::internal::maglev::MaxCallDepthProcessor::ConservativeFrameSize - 2023-05-27
1417386 DCHECK failure in new_properties.can_eager_deopt() implies properties().can_eager_deopt() in magle - 2023-05-27
1341430 Security: Page can obtain autofill data with two consecutive taps with minimal user awareness, bypasses issue 1240472 and issue 1279268 fixes $3000 2023-05-26
1394736 Security:UAF in content::SyntheticMouseDriver::DispatchEvent(browser process) $2000 2023-05-26
1402533 heap-use-after-free : base::ScopedObservation<ash::WindowState, ash::WindowStateObserver>::Reset - 2023-05-26
1412343 v8 oob read in turboshaft::Graph::IncrementInputUses $7000 2023-05-26
1413628 Security: use-after-poison rtp_contributing_source_cache.cc:215 in blink::RtpContributingSourceCache::ClearCache $4000 2023-05-26
1414146 DCHECK failure in !detail::is_float_special_value(min) in types.h - 2023-05-26
1414201 DCHECK failure in IsFloat64() in types.h - 2023-05-26
1414255 DCHECK failure in min <= max in type-inference-reducer.h - 2023-05-26
1415158 flac_audio_handler_fuzzer: Heap-buffer-overflow in media::FlacAudioHandler::WriteCallbackInternal - 2023-05-26
1415249 DCHECK failure in !receiver->IsAccessCheckNeeded() || lookup->name()->IsPrivate() in ic.cc - 2023-05-26
1416146 flac_audio_handler_fuzzer: Trap in std::Cr::__libcpp_verbose_abort - 2023-05-26
1416695 DCHECK failure in !detail::is_float_special_value(max) in types.h - 2023-05-26
1413618 Security: Bug 1238631 regression (Share dialog on Windows can render over address bar, window controls) $1000 2023-05-23
1414511 Security: ChromeOS root privilege escalation (mount-passthrough-jailed) $31000 2023-05-23
1414738 Security: UAF in AppFinder::OnGetAppDescriptions $31000 2023-05-23
1400589 Buffer overflow in the rndis_wlan driver for Linux kernel $20000 2023-05-22
1413945 Security: Security DCHECK failed: IsA<Derived>(from) blink::LayoutMultiColumnFlowThread::ComputeSize layout_multi_column_flow_thread.cc:1666 $8000 2023-05-22
1413842 flac_audio_handler_fuzzer: Global-buffer-overflow in media::AudioFifo::Consume - 2023-05-20
1414788 Bad-cast to unsigned int (const void *) in FcHashTableFind - 2023-05-20
1401560 Security: UAF in drm_gem_object_release_handle2 $1000 2023-05-19
1413005 Security: A UAF in WebRTC $2000 2023-05-19
1413600 Segv on unknown address in blink::LayoutObjectChildList::Trace - 2023-05-19
1409761 Security: Race Condition Double Free in i915_gem_set_tiling_ioctl $20000 2023-05-17
1410942 heap-use-after-free : nearby::connections::`anonymous namespace'::IncomingStreamInternalPayload::Close - 2023-05-17
1412020 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2023-05-17
1412629 type mismatch with turboshaft,1 vs NaN $7000 2023-05-17
1413194 Segv on unknown address in v8::internal::StackFrame::ComputeType - 2023-05-17
1413533 DCHECK failure in iterator_.next_bytecode() == interpreter::Bytecode::kJumpIfUndefined in maglev-g - 2023-05-17
1413584 safe_browsing_dmg_fuzzer: Trap in std::Cr::__libcpp_verbose_abort - 2023-05-17
1413651 DCHECK failure in main-thread handle can only be created on the main thread in handles-inl.h - 2023-05-17
1293640 Security: Linux Kernel i915 Linear Out-Of-Bound read and write access - 2023-05-15
1412643 DCHECK failure in !MarkCompactCollector::IsOnEvacuationCandidate(target) in scavenger.cc - 2023-05-15
1412940 v8_wasm_compile_fuzzer: DCHECK failure in !SlotInterference(target.stack_state[i], base::VectorOf(cache_state_.stack_state - 2023-05-15
1410766 heap-buffer-overflow in aom_yv12_copy_v_c $10000 2023-05-14
1045681 Security: Extension fingerprinting by detecting fetched resources $1000 2023-05-13
1382969 Security: heap-use-after-free in observer_list.h triggered via Notes/Annotation feature $1000 2023-05-13
1398638 Security: UAF in drm_gem_shmem_vm_close - 2023-05-13
1399742 stack use after return in gpu::raster::(anonymous namespace)::OnReadYUVImagePixelsDone $10000 2023-05-13
1401562 Security: UAF in drm_gem_object_release_handle3 $21000 2023-05-13
1401595 Security: Race Condition UAF in i915_gem_context_getparam_ioctl $21000 2023-05-13
1406429 v8 oobr on an obj $7000 2023-05-13
1411558 Segv on unknown address in v8::internal::TracedHandlesImpl::Create $9000 2023-05-13
1411656 CrOS: Vulnerability reported in media-libs/tiff - 2023-05-13
1412023 boringssl_conf_fuzzer: Use-of-uninitialized-value in ASN1_template_free - 2023-05-13
1412233 boringssl_conf_fuzzer: Heap-use-after-free in sk_num - 2023-05-13
1412236 pdfium_fuzzer: Heap-use-after-free in CPDF_PageImageCache::StartGetCachedBitmap - 2023-05-13
1412309 Use-after-poison in cppgc::internal::ConservativeTracingVisitor::TraceConservativelyIfNeeded - 2023-05-13
1412352 boringssl_conf_fuzzer: Heap-use-after-free in sk_num - 2023-05-13
878351 CrOS: Vulnerability reported in media-libs/tiff - 2023-05-10
1350740 Security: access-violation on unknown address 0x12dfa490bbaa in dawn::native::TextureBase::TextureBase(browser process) $5000 2023-05-10
1354505 Security: Hide real extension of file by many white spaces via suggestedName parameter - showSaveFilePicker $1000 2023-05-10
1394272 Security: stack-use-after-scope in dawn::native::CommandEncoder::BeginRenderPass $10000 2023-05-10
1403515 Heap Buffer Overflow in AudioWorkletProcessor::ClonePortTopology $7000 2023-05-10
1407595 DCHECK failure in !object.InSharedHeap() in code-inl.h - 2023-05-10
1407701 UAF in blink::VideoFrameSubmitter::OnContextLost $3000 2023-05-10
1410970 Security: SEGV_ACCERR in Maglev $7000 2023-05-10
1411076 DCHECK failure in old_.bytes_ >= bytes in array-buffer-sweeper.cc - 2023-05-10
1411153 Security: Debug check failed: kCanBeWeak || (!IsSmi() == HAS_STRONG_HEAP_OBJECT_TAG(ptr_)) $7000 2023-05-10
1411533 Crash in ProbeMemory - 2023-05-10
1412001 Security: Potential security bug in JSCallReducer::ReduceDataViewAccess - 2023-05-10
1350329 Security: UAFin CreateMdnsResponder $2000 2023-05-09
1406588 Security: Heap-buffer-overflowREAD 1 in g_utf8_substring - 2023-05-09
1407095 Debug check failed: !MarkCompactCollector::IsOnEvacuationCandidate(target). - 2023-05-09
1407955 Security DCHECK failure: IsA<Derived>(from) in casting.h $9000 2023-05-09
1409217 CrOS: Vulnerability reported in net-fs/samba - 2023-05-09
1411113 DCHECK failure in collector == GarbageCollector::MINOR_MARK_COMPACTOR implies !pretenuring_handler - 2023-05-09
1401594 Security: Race Condition UAF in i915_gem_context_create_ioctl $21000 2023-05-06
1258363 URL Spoof after crash $1000 2023-05-05
1365100 Security: Bypass iframe sandbox on Android via intent:// URLs (possibly due to intent:// url popups not inheriting sandbox) $3000 2023-05-05
1404621 Security: Incognito Mode-specific external protocol prompts can be overlaid on other origins on Android. $1000 2023-05-05
1406032 RendererAppContainer overwrites PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY mitigation - 2023-05-05
1406162 v8 crash in maglev::UseMarkingProcessor::MarkUse with maglev compiler $7000 2023-05-05
1407101 Security: Debug check failed: result->owner() == owner (<unprintable> vs. <unprintable>). - 2023-05-05
1407342 Security: Debug check failed: begin.valid(). $7000 2023-05-05
1407360 Security: Debug check failed: entry->Is<InitialValue>(). - 2023-05-05
1407477 Security: unreachable code in deoptimizer/translated-state.cc - 2023-05-05
1408354 Security: Debug check failed: pred_reverse_index != -1 (-1 vs. -1) $7000 2023-05-05
837495 Security: Heap Buffer Overflow found in stream_decoder.c of libFLAC used by chromium - 2023-05-03
1299235 gpu_swangle_passthrough_fuzzer: Incorrect-function-pointer-type in rx::vk::PersistentCommandPool::init - 2023-05-03
1311885 Security: heap-use-after-free ash/host/ash_window_tree_host_unified.cc $2000 2023-05-03
1409785 DCHECK failure in code->IsBytecodeArray(cage_base) || code->GetCode().kind() == CodeKind::BASELINE - 2023-05-03
1410126 Crash in ProbeMemory - 2023-05-03
1337747 v8_inspector_fuzzer: Use-of-uninitialized-value in v8_crdtp::cbor::CBOREncoder::HandleInt32 - 2023-05-02
1348791 Security: heap-use-after-free ash/drag_drop/drag_drop_controller.cc (Lacros) $3000 2023-05-02
1408392 TALOS-2023-1693 - Google Chrome WebRTC RTCStatsCollector out of bounds memory access vulnerability - 2023-05-02
1408993 Security: Security DCHECK failed: IsA<Derived>(from) blink::`anonymous namespace'::CalcToNumericValue:css_numeric_value.cc:162 $8000 2023-05-02
1409171 heap-use-after-free : PrefService::RemovePrefObserver via ash::input_method::NativeInputMethodEngineObserver::~NativeInputMethodEngineObserver() - 2023-05-02
1409210 DCHECK failure in !object.InSharedHeap() in code-inl.h - 2023-05-02
1409650 Security: SwiftShader binaries are included in the following Dockerfile by just pulling them from a bucket $2000 2023-05-02
1394659 DCHECK failure in code->IsCode(cage_base) implies code->kind(cage_base) == CodeKind::BASELINE in p - 2023-05-01
1408957 Crash in ProbeMemory - 2023-05-01
1409225 DCHECK failure in receiver == lookup_start_object in maglev-graph-builder.cc - 2023-05-01
1407045 rtp_packet_fuzzer: Use-of-uninitialized-value in webrtc::ReadLeb128 - 2023-04-30
1406034 memory corruption in blink::ReadableStreamDefaultControllerWithScriptScope::Enqueue $3000 2023-04-29
1274887 Security: Autofill suggestion covers URL bar on Android - 2023-04-28
1346924 Security: ResourceTiming entries are not generated for responses with 204, 205 status codes when loaded in a iframe $2000 2023-04-28
1398579 Security: Android - Bypass the Protection of input fields cache (Autofill) $5000 2023-04-28
1403573 oob in RTCStatsCollector::ProduceTransportStats_n $2000 2023-04-28
1406265 UAP in blink::WebGPUSwapBufferProvider::DiscardCurrentSwapBuffer(with --enable-unsafe-webgpu) $7000 2023-04-28
1408467 Crash in blink::HTMLFastPathParser<unsigned char>::ParseAttributes $4000 2023-04-28
1257537 CrOS: Vulnerabilities reported in net-misc/curl - 2023-04-27
1341541 Security: Bypass(1301873)Chrome for Android Hide Custom Fullscreen Toast View with Repeated delayed Enter Fullscreen Request $4000 2023-04-27
1386011 UAF in MerchantViewerDataManager $1000 2023-04-27
1407571 [TF::OptimizationBug] After optimization, running the "poc.js" yields segmentation fault $7000 2023-04-27
1048852 Security: Leak of user's local IP address via unenforced Cross Site Origin policy and leak of networking timing - 2023-04-27
1404822 FedCM privacy_policy_url and terms_of_service_url accepts arbitrary URL - 2023-04-26
1405123 Google Chrome Console WebUI Heap-Overflow Vulnerability $2000 2023-04-26
1406115 Out of bounds array access in SyncPointManager::GetSyncPointClientState() - 2023-04-26
1407930 DCHECK failure in isolate->context().is_null() || isolate->context().IsContext() in runtime-intern - 2023-04-26
1408337 v8_wasm_code_fuzzer: DCHECK failure in base::IsInBounds<uintptr_t>(offset, access_size, env_->module->max_memory_size) - 2023-04-26
1382477 Security: Fenced frames: can use focus to communicate across the fenced frame boundary - 2023-04-25
1405574 type confusion in chrome $1000 2023-04-25
1407606 Crash in Builtins_Construct_WithFeedback - 2023-04-25
1404230 Security: (Android) PWA Install prompt can be overlaid over other origins. $2000 2023-04-24
1406203 DCHECK failure in clients_head_ == shared_heap_isolate_ in safepoint.cc - 2023-04-24
1406729 Security: Debug check failed: old_entry.IsRegularEntry() in v8 $8000 2023-04-24
1400037 Security: UAF in VIRTGPU_RESOURCE_CREATE and VIRTGPU_RESOURCE_CREATE_BLOB $21000 2023-04-23
1401666 Security: sideload APKs on ChromeOS without enabling developer mode nor ADB $3000 2023-04-22
1405107 Security: UAF in KAnonymityServiceSqlStorage::InitializeOnDbSequence - 2023-04-22
1405568 Security: Race Condition Double Free in adreno_set_param $21000 2023-04-22
1406041 Browser crashes when right clicking on input text - 2023-04-22
1407363 Heap-use-after-free in blink::CharacterData::ContainsOnlyWhitespaceOrEmpty - 2023-04-22
1404864 Security: Integer overflows in CountPages $11000 2023-04-21
1405256 UAF in blink::RTCPeerConnectionHandler::OnIceCandidate $3000 2023-04-21
1406727 Security: Debug check failed: kCanBeWeak || (!IsSmi() == HAS_STRONG_HEAP_OBJECT_TAG(ptr_)). - 2023-04-21
1406760 template_url_parser_fuzzer: Heap-buffer-overflow in xmlParseTryOrFinish - 2023-04-21
1361204 Security: heap-buffer-overflow components/ui_devtools/ui_element.cc:112:5 $2000 2023-04-20
1364115 Security: UAF in device_is_authenticating $500 2023-04-20
1382971 Chrome_ChromeOS: Crash Report - content::RenderFrameHostImpl::CreateURLLoaderNetworkObserver - 2023-04-20
1400841 Security: UAF in GuestViewBase::StopTrackingEmbedderZoomLevel $7000 2023-04-20
1401765 Page background behind semi-transparent canvas leak content from other pages - 2023-04-20
1402920 DCHECK failure in !value->IsShared() in objects.cc - 2023-04-20
1403539 Security: PaymentRequest dialog selects an accept button by default $5000 2023-04-20
1403910 Security: Debug check failed: IsJSObject(). - 2023-04-20
1404052 Security: Debug check failed: ReadOnlyHeap::Contains(object) || heap_->Contains(object) $7000 2023-04-20
1404128 Security: [maglev] Debug check failed: last_position.IsKnown() - 2023-04-20
1404704 V8 type confusion of object as v8::Function in CallMethodOnFrame $1000 2023-04-20
1376011 heap-use-after-free : lens::LensSidePanelController::~LensSidePanelController - 2023-04-18
1385343 Security: Extension with <all_urls> permission can read arbitrary local files although (Allow access to file URLs) is disabled $10000 2023-04-18
1400522 Security: heap-use-after-free in blink::PropertyTreeManager::EnsureCompositorTransformNode $8000 2023-04-18
1402921 Crash in Builtins_ConstructProxy - 2023-04-18
1403129 Security: Fatal error in ../../src/heap/mark-compact.cc $7000 2023-04-18
1404079 Security: segmentation fault in ResizableArrayBuffer in v8 $8000 2023-04-18
1404123 DCHECK failure in Shared heap must not have clients at teardown. The first isolate that is created - 2023-04-18
1405324 CHECK failure: !v8::internal::v8_flags.enable_slow_asserts || (!MarkCompactCollector::IsOnEvacu - 2023-04-18
1394852 Heap-use-after-free in v8::Isolate::IsInUse - 2023-04-17
1401525 CHECK failure: external_page_bytes[t] == page->ExternalBackingStoreBytes(t) - 2023-04-17
1404652 Crash in v8::internal::SamplingEventsProcessor::Run - 2023-04-17
1405157 Heap-use-after-free in v8::Isolate::IsInUse - 2023-04-17
1405707 DCHECK failure in current_code_reachable_and_ok_ == this->ok() && control_.back().reachable() in f - 2023-04-17
1404986 Security DCHECK failure: IsA<Derived>(from) in casting.h - 2023-04-15
1405110 Security: Heap-use-after-free in KAnonymityServiceSqlStorage::WaitUntilReady - 2023-04-15
1398989 Security: ChromeOS On halt/reboot root file overwrite $20000 2023-04-14
1404639 V8 type confusion of Undefined as v8::Function in ServiceWorkerGlobalScope::FetchHandlerType $7500 2023-04-14
1376354 UAF in network::WebTransport::TearDown $16000 2023-04-13
1395354 Security:UAF in content::SyntheticPointerAction::ForwardTouchOrMouseInputEvents(browser process) $7000 2023-04-13
1400809 DCHECK failure in _is_listening_to_code_events == IsListeningToCodeEvents() in code-events.h - 2023-04-13
1402113 Security: UAF in policy::DlpCopyOrMoveHookDelegate::RequestCopyAccess $7000 2023-04-13
1403531 UAF in AsyncCompileJob::Abort $10000 2023-04-13
1405150 DCHECK failure in element_size == 2 || element_size == 4 in maglev-ir-x64.cc - 2023-04-13
1372356 Flaky uninitialized memory in SkChromeRemoteGlyphCache - 2023-04-12
1400113 Security: Race Condition UAF in panfrost_ioctl_create_bo $20000 2023-04-12
1401965 Security: Container-overflow in SavedTabGroupModel::RemoveTabFromGroup $2000 2023-04-12
1403546 CHECK failure: !v8::internal::v8_flags.enable_slow_asserts || (IsSeqString_NonInline(*this)) in - 2023-04-12
1403574 register assign error with jit $7000 2023-04-12
1381857 Security: ChromiumOS CRAS Server D-Bus SetGlobalOutputChannelRemix heap-over-flow $13000 2023-04-11
1404299 flexfec_receiver_fuzzer: Use-of-uninitialized-value in webrtc::RtpPacket::ParseBuffer - 2023-04-11
1403099 DCHECK failure in !was_told_to_yield_ in default-job.h - 2023-04-10
1404232 Heap-use-after-free in base::internal::CrashImmediatelyOnUseAfterFree - 2023-04-08
1401933 Heap-use-after-free in content::RendererCancellationThrottle::NavigationCancellationWindowEnded - 2023-04-07
1320701 CrOS: Vulnerability reported in sys-libs/ncurses - 2023-04-06
1403397 flexfec_receiver_fuzzer: Use-of-uninitialized-value in webrtc::RtpPacket::ParseBuffer - 2023-04-06
1402000 Security: heap-buffer-overflow in HidDeviceManager::GetApiDevicesFromList $2000 2023-04-05
1403168 Security: Heap-use-after-free in ExtensionViewHost::OnDidStopFirstLoad $4000 2023-04-05
1401995 Crash in content::GetDocumentUserData - 2023-03-31
1402660 DCHECK failure in ((chunk->slot_set<OLD_TO_OLD, AccessMode::ATOMIC>())) == nullptr in mark-compact - 2023-03-31
1403399 DCHECK failure in is_loadable() in maglev-ir.h - 2023-03-31
1160485 Security: Access to camera with clickjacking and popup window $2000 2023-03-30
1385982 Security: Escape the page sandbox to the Chromium debugger via Chrome headless snapshots $2000 2023-03-30
1398992 Security: ChromeOS potential crosvm command execution via virgl_render_server (unexploitable) $1000 2023-03-30
1400048 Security: Debug check failed: string->InSharedHeap() in v8 $8000 2023-03-30
1402270 Debug check failed: value.IsForeign(). $7000 2023-03-30
1042963 Security: bypass of CSP validator to run remote code in extensions $3000 2023-03-28
1395027 Heap-use-after-free in blink::AXObject::ComputeIsInertViaStyle - 2023-03-28
1401996 CHECK failure: !control->Is<JumpLoop>() in maglev-regalloc.cc - 2023-03-28
1402139 CHECK failure: is_backed_by_rab == typed_array->is_backed_by_rab() in value-serializer.cc - 2023-03-28
1398987 Security: ChromeOS debugd denial of service/service restart - 2023-03-27
1400257 Use-of-uninitialized-value in v8::sampler::SamplerManager::DoSample - 2023-03-27
1401582 2 vulnerabilities reported in /third_party/libxml - 2023-03-27
1402011 CHECK failure: non_atomic_marking_state()->IsWhite(obj) in mark-compact.cc - 2023-03-27
1402012 Segv on unknown address in v8::internal::Heap::ExternalStringTable::TearDown - 2023-03-27
1402057 CHECK failure: untyped_->count(slot.address()) > 0 in heap-verifier.cc - 2023-03-27
1383708 Heap-buffer-overflow in Fill32BppDestStorageWithPalette - 2023-03-26
1396730 Use-after-poison in content::InspectorMediaEventHandler::SendQueuedMediaEvents $9000 2023-03-25
1401295 DCHECK failure in this->is_prototype_map() in map-inl.h - 2023-03-25
1401571 Vulnerability reported in /third_party/dav1d - 2023-03-25
1401574 2 vulnerabilities reported in /third_party/libxml - 2023-03-25
813542 Security: Web sites can open privileged pages via remote debugging server (CSRF) $3000 2023-03-24
1399331 Crash in v8::internal::MemoryAllocator::LookupChunkContainingAddress - 2023-03-24
1400176 GetEntriesWithChildFrames exposes top-level same origin iframes to cross-origin ones - 2023-03-24
1401528 DCHECK failure in entry.IsRegularEntry() in external-pointer-table-inl.h - 2023-03-24
1394968 DCHECK failure in Shared heap must not have clients at teardown. The first isolate that is created - 2023-03-23
1400730 Use-of-uninitialized-value in v8::internal::MarkingBarrier::Write - 2023-03-23
1401069 CHECK failure: untyped_->count(slot.address()) > 0 in heap-verifier.cc - 2023-03-23
1401077 DCHECK failure in ReadOnlyHeap::Contains(obj) || heap()->Contains(obj) in mark-compact-inl.h - 2023-03-23
1401078 CHECK failure: external_page_bytes[t] == page->ExternalBackingStoreBytes(t) - 2023-03-23
1401180 DCHECK failure in !heap_->always_allocate() in incremental-marking.cc - 2023-03-23
1401181 CHECK failure: InTypedSet(SlotType::kEmbeddedObjectFull, rinfo->pc()) || InTypedSet(SlotType::k - 2023-03-23
1401183 CHECK failure: IsValidHeapObject(heap_, heap_object) in heap-verifier.cc - 2023-03-23
1401336 CHECK failure: InTypedSet(SlotType::kEmbeddedObjectFull, rinfo->pc()) || InTypedSet(SlotType::k - 2023-03-23
1401337 CHECK failure: IsValidHeapObject(heap_, heap_object) in heap-verifier.cc - 2023-03-23
1361294 CrOS: Vulnerability reported in net-wireless/bluez - 2023-03-22
1386095 CrOS: Vulnerability reported in media-libs/tiff - 2023-03-22
1394279 DCHECK failure in code == topmost_ implies safe_to_deopt_ in deoptimizer.cc - 2023-03-22
1394408 Security: Debug check failed: enum_length == map->NumberOfEnumerableProperties() $11000 2023-03-22
1394973 Fatal error in Bytecode mismatch at offset 2 in interpreter.cc - 2023-03-22
1395604 Abrt in v8::internal::abort_with_reason - 2023-03-22
1397348 memory corruption in v8 $7000 2023-03-22
1398994 Security: ChromeOS CrosDisks mount-zip fuse argument injection $1000 2023-03-22
1399379 DCHECK failure in ThreadId::Current() == thread_id() in isolate.cc - 2023-03-22
1399424 v8_wasm_fuzzer: Crash in v8::internal::Simulator::WriteW - 2023-03-22
1399511 Security: UAF in MojoQueryQuotaIpcz $30000 2023-03-22
1399799 CHECK failure: !destination.IsDetachedOrOutOfBounds() in elements.cc - 2023-03-22
1399805 Crash in Builtins_PromiseRejectReactionJob - 2023-03-22
1399904 Security: Container Overflow in UDPSocket::OnLeaveGroupCompleted $10000 2023-03-22
1400054 Bad-cast to mojo::core::ipcz_driver::ObjectBase from ipcz::ParcelWrapper in mojo::core::ipcz_driver::Object<mojo::core::ipcz_driver::DataPipe>::FromHandle - 2023-03-22
1400062 CrOS: Vulnerability reported in net-misc/curl - 2023-03-22
1400431 v8_serialized_script_value_fuzzer: Heap-buffer-overflow in v8::internal::ValueDeserializer::ReadJSArrayBuffer - 2023-03-22
1400549 DCHECK failure in frame->is_unoptimized() in frames.h - 2023-03-22
1400551 DCHECK failure in pred_reverse_index != -1 in graph.h - 2023-03-22
1400810 DCHECK failure in 0 < level_ in mutex.h - 2023-03-22
1400051 Security: Debug check failed: Shared heap must not have clients at teardown, leading to SEGV_ACCERR $8000 2023-03-19
1385941 DCHECK failure in !initializing_store && property_details_.constness() == PropertyConstness::kCons - 2023-03-18
1393499 Security: UAF in drm_gem_object_release_handle $2000 2023-03-18
1395029 CrOS: Vulnerability reported in dev-libs/libxml2 - 2023-03-18
1399080 Security: libtiff CVE vulnerabilities in Chromium 106.0.5249.103 $500 2023-03-18
1399328 Crash in v8::internal::BasicMemoryChunk::area_start - 2023-03-18
1399330 CHECK failure: untyped_->count(slot.address()) > 0 - 2023-03-18
1399488 Crash in v8::internal::LookupIterator::Start<0> - 2023-03-18
1399489 CHECK failure: index < size() - 2023-03-18
1399491 Crash in void v8::internal::MarkingVisitorBase<v8::internal::ConcurrentMarkingVisitor, v8 - 2023-03-18
1399696 CHECK failure: value__value.IsJSReceiver() || value__value.IsSmi() || value__value.IsHeapNumber - 2023-03-18
866311 Security: Google Update for Windows allows arbitrary file creation when logs are enabled $5000 2023-03-16
1083278 Security: DNS Cache Poisoning through resource exhaustion in Chrome. $5000 2023-03-16
1357366 Sandbox bypass "allow-downloads" $3000 2023-03-16
1384737 AppCommands: perhaps deprecate older command format - 2023-03-16
1393547 DCHECK failure in IsInRegister(target_state, incoming) in maglev-regalloc.cc - 2023-03-16
1395603 DCHECK failure in !value->allocation().IsConstant() in maglev-assembler-x64-inl.h - 2023-03-16
1395718 Security: UAF in HandleExpandedPaths $31000 2023-03-16
1399332 DCHECK failure in heap()->non_atomic_marking_state()->IsWhite(target) in scavenger-inl.h - 2023-03-16
1399377 CHECK failure: external_page_bytes[t] == page->ExternalBackingStoreBytes(t) - 2023-03-16
1378233 CrOS: Vulnerability reported in dev-libs/libtasn1 - 2023-03-15
1396254 Security: CVE-2022-3970 was fixed in libtiff and published but not propagated to Pdfium yet $1000 2023-03-15
1057218 Security: Implement Resource Isolation with Random Restricted SIDs - 2023-03-14
1392661 Security: heap-use-after-free drop_target_event.cc:28 in ui::DropTargetEvent::DropTargetEvent $5000 2023-03-14
1395542 Security: heap-use-after-free third_party/swiftshader/src/WSI/VkSwapchainKHR.cpp:43:13 $2000 2023-03-14
1396222 Security: Fatal error in ../../src/heap/sweeper.cc $7000 2023-03-14
1396338 Crash in v8::internal::HeapObject::SizeFromMap - 2023-03-14
1396339 CHECK failure: marking_state_->IsBlack(heap_object) in mark-compact.cc - 2023-03-14
1396341 Use-of-uninitialized-value in v8::internal::MarkingBarrier::Write - 2023-03-14
1396342 DCHECK failure in handle & ~kVisitedHandleMarker == index << kExternalPointerIndexShift in externa - 2023-03-14
1396344 DCHECK failure in page->area_size() >= static_cast<size_t>(marking_state_->live_bytes(page)) in sw - 2023-03-14
1018214 Security: Updated Google Password. One of my Chrome OS machines still takes the old password though after over a week $1000 2023-03-13
1384403 DCHECK failure in GetCurrentStackPosition() >= stack_guard()->real_climit() - 8 * KB in isolate.cc - 2023-03-13
1394741 DCHECK failure in isolate()->thread_id() == ThreadId::Current() in heap.cc - 2023-03-13
1395117 Crash in v8::internal::JsonParser<unsigned char>::ParseJson - 2023-03-13
1395237 Heap-use-after-free in v8::internal::NodeBase<v8::internal::GlobalHandles::Node>::index - 2023-03-13
1395520 CHECK failure: untyped_->count(slot.address()) > 0 - 2023-03-13
1395737 DCHECK failure in LocationOperand::cast(source)->IsCompatible( LocationOperand::cast(destination)) - 2023-03-13
1371859 stack-use-after-return in gpu::gles2::ProgramInfoManager::Program::UpdateES2 $3000 2023-03-12
1383991 blink::MediaInspectorContextImpl::CullPlayers $7000 2023-03-12
1395311 CHECK failure: !base::IsInRange(slot.address(), start, end + 1) in remembered-set.h - 2023-03-12
840716 Unicode Line Terminators Can Cause UI Manipulation and Browser Crashes - 2023-03-10
1385831 UAF in CartService $2500 2023-03-10
1392721 Security: heap-use-after-free on chromeOS using PhoneHub + Screensharing $2000 2023-03-10
1393384 webcodecs_video_encoder_fuzzer: Heap-buffer-overflow in av1_get_one_pass_rt_params - 2023-03-10
1393564 Security: UAF in content::NavigationRequest::SetViewTransitionState in browser process $20000 2023-03-10
1394382 Chromium: Vulnerability reported in third_party/libxml - 2023-03-10
1395183 Crash in v8::internal::SpaceWithLinearArea::InvokeAllocationObservers - 2023-03-10
1395186 Chromium: Vulnerability reported in third_party/libxml - 2023-03-10
1395240 Crash in Builtins_JSEntryTrampoline - 2023-03-10
1349146 Security: Source maps support for file:// URLs gives devtools_page extensions local file access $5000 2023-03-09
1365366 Security: [maglev] VisitSwitchOnGeneratorState function JumpTableTargetOffsets can be 0 $7000 2023-03-09
1380645 Security: Use After Free in PasswordsPrivateDelegateImpl::OsReauthTimeoutCall, $1000 2023-03-09
1382484 Security: Chrome on Android Keyboard Able to Overlap Fullscreen Notification Toast $7500 2023-03-09
1392588 Security: Security DCHECK failed: IsA<Derived>(from) blink::CSSPrimitiveValue::ConvertToLength $8000 2023-03-09
1393728 Security: stack-use-after-scope in dawn::native::d3d12::ShaderModule::Compile $10000 2023-03-09
1393732 Security: Download notification can hide "Press and hold Esc to exit full screen" $3000 2023-03-09
1393865 Turbofan-Optimization Bug: "Check failed: IsBigInt()" $7000 2023-03-09
1394692 UAF in OnSyncMessageEventReady $6000 2023-03-09
1384516 gpu_raster_fuzzer: Use-of-uninitialized-value in cc::ServiceImageTransferCacheEntry::Deserialize - 2023-03-08
1385368 Security: Debug check failed: s->IsFlat(). $7000 2023-03-08
1393227 Security: dcheck failed in object.InSharedHeap $7000 2023-03-08
1393270 Crash in v8::internal::IsPrimitiveHeapObject_NonInline - 2023-03-08
1393733 CHECK failure: InstructionBlockAt(predecessor_id)->IsDeferred() in instruction.cc - 2023-03-08
1393940 CHECK failure: is_int8(disp) in assembler-x64.cc - 2023-03-08
1394036 CHECK failure: !control->Is<JumpLoop>() in maglev-regalloc.cc - 2023-03-08
1394403 Security: [0-day] FeedbackCell issue leading to type confusion - 2023-03-08
1246736 Security: Imagination PowerVR DRM Driver Integer overflow vulnerabilities on MTK platform Chromebook $20000 2023-03-07
1350386 Security: UAF in ArcInputOverlayManager::ReadDefaultData - 2023-03-07
1356760 Reject hidden name-only cookie prefixes - 2023-03-07
1370562 uaf in ui::PropertyHandler::GetPropertyInternal(with ) $2000 2023-03-07
1375131 Security: Unknown crash with READ of size 8 when access the chrome://gpu with WebGPU enabled - 2023-03-07
1380602 Security: heap-use-after-free ui/views/view.cc:1921:7 in views::View::HandleAccessibleAction $2000 2023-03-07
1383442 Security: UAF IN video_capture::VideoSourceImpl::OnClientDisconnected() services/video_capture/video_source_impl.cc:88:14 $16000 2023-03-07
1386120 Security: Pdfium heap-buffer-overflow in RgbByteOrderTransferBitmap() - 2023-03-07
1386122 Security: heap-buffer-overflow in CFX_DIBBase::SwapXY() - 2023-03-07
1386123 Security: Pdfium heap-buffer-overflow in RgbByteOrderTransferBitmap() - 2023-03-07
1386124 Security: Pdfium heap-buffer-overflow in CPDF_RenderStatus::LoadSMask() - 2023-03-07
1392061 Security: Debug check failed: IsPrimitiveMap() $10000 2023-03-07
1393097 mhtml_parser_fuzzer: Heap-buffer-overflow in modp_b64_decode - 2023-03-07
1393177 Security: WebGPU UAF in Dawn Memory Transfer Service - 2023-03-07
1392755 DCHECK failure in isolate()->thread_id() == ThreadId::Current() in heap.cc - 2023-03-06
1392934 v8_wasm_async_fuzzer: DCHECK failure in has_index() in value-type.h - 2023-03-06
1393468 gpu_swangle_passthrough_fuzzer: Segv on unknown address in __tls_get_addr - 2023-03-05
1393375 Security: Read OOB due to resizing underline typed array buffer - 2023-03-03
1393464 DCHECK failure in handle & ~kVisitedHandleMarker == index << kExternalPointerIndexShift in externa - 2023-03-03
1381871 UAF in blink::WidgetBase::BeginMainFrame(base::TimeTicks) $1500 2023-03-02
1382761 UAF in search::(anonymous namespace)::NewTabURLDetails::ForProfile(Profile*) $3000 2023-03-02
1386249 Security: Unretained() can be used for objects on the Oilpan heap $3000 2023-03-02
1386667 Negative-size-param in ipcz::BlockAllocator::InitializeRegion - 2023-03-02
1392585 Crash in Builtins_ConstructProxy - 2023-03-02
1392865 CHECK failure: InTypedSet(SlotType::kEmbeddedObjectFull, rinfo->pc()) || InTypedSet(SlotType::k - 2023-03-02
1392936 DCHECK failure in receiver_mode_ != ConvertReceiverMode::kNullOrUndefined in maglev-graph-builder. - 2023-03-02
1392953 Optimization bug in TurboShaft::MachineOptimizationReducer::ReduceSignedDiv $10000 2023-03-02
1316301 DCHECK failure at blink::WebFrameWidgetImpl::DragTargetDragEnter $1500 2023-03-01
1382033 Security: heap-buffer-overflow in network::ThrottlingNetworkInterceptor::UpdateThrottledRecords $2000 2023-03-01
1385709 UAF in CartHandler $2500 2023-03-01
1386121 Security: Pdfium heap-buffer-overflow in CFX_BitmapComposer::ComposeScanlineV() - 2023-03-01
1392577 Security: Debug Check end <= typed_aray->GetLength() - 2023-03-01
1392589 substring_set_matcher_fuzzer: Crash in base::SubstringSetMatcher::AhoCorasickNode::SetEdge - 2023-03-01
1392715 Security: heap-buffer-overflow in gpu::gles2::Texture::SetLevelCleared - 2023-03-01
1385691 Security: global-buffer-overflow css_property.cc:27 in blink::CSSProperty::Get $7000 2023-02-28
1385717 Security: Debug check failed: slot < sentinel_ in UpdateUntypedOldToSharedPointers $8000 2023-02-28
1386647 tint_regex_msl_writer_fuzzer.exe: Illegal-instruction in tint::Program::Program - 2023-02-28
1386129 substring_set_matcher_fuzzer: Heap-buffer-overflow in base::SubstringSetMatcher::AhoCorasickNode::SetEdge - 2023-02-27
1386287 DCHECK failure in result.valid() in optimization-phase.h - 2023-02-27
1387883 DCHECK failure in bytecode_offset >= kFunctionEntryBytecodeOffset in factory.cc - 2023-02-27
1388938 v8_wasm_streaming_fuzzer: DCHECK failure in sub_module->has_type(sub_index) in wasm-subtyping.cc - 2023-02-27
1386649 audio_encoder_isac_float_fuzzer.exe: Stack-buffer-overflow in webrtc::AudioEncoderIsacT<webrtc::IsacFloat>::EncodeImpl - 2023-02-26
1360743 Security: heap-use-after-free in the Metal features in the GPU process $1000 2023-02-25
1369205 Tests are failing: Verify that the placeholder <canvas> associated with an OffscreenCanvas tainted with cross-origin content cannot be read once commit has propagated... - 2023-02-25
1382074 ui_x11_cursor_loader_fuzzer: Heap-buffer-overflow in ui::ParseCursorFile - 2023-02-25
1383203 DCHECK failure in input_count <= std::numeric_limits<decltype(this->input_count)>::max() in operat - 2023-02-25
1384847 Revisit configurations for CoInitializeSecurity calls - 2023-02-25
1385673 DCHECK failure in IsJSFunction() in heap-refs.cc - 2023-02-25
1385935 DCHECK failure in page->area_size() >= static_cast<size_t>(marking_state_->live_bytes(page)) in sw - 2023-02-25
1379359 MTLDeviceProxy does not properly copy NSStrings - 2023-02-23
1155961 wildcard entry with runtime_blocked_hosts in ExtensionSettings policy is not enforced correctly - 2023-02-22
1339079 Security: GPU process continues running even if we fail to initialize the sandbox - 2023-02-22
1378564 Use-after-free in Mojo ChannelMac::SendMessageLocked $30000 2023-02-22
1381849 Memory corruption in PresentationRequest $8500 2023-02-22
1383755 tint_ast_clone_fuzzer: Heap-use-after-free in tint::utils::HashmapBase<tint::sem::Type const*, tint::Source const*, 8ul, tint: - 2023-02-22
1383976 DCHECK failure in !initializing_store && property_details_.constness() == PropertyConstness::kCons - 2023-02-22
1384318 DCHECK failure in value->Is<Int32Constant>() || value->Is<StringLength>() || value->Is<BuiltinStri - 2023-02-22
1384408 Crash in v8::internal::Invoke - 2023-02-22
1384411 Crash in Builtins_StringSubstring - 2023-02-22
1384474 DCHECK failure in count <= destination.GetLength() in elements.cc - 2023-02-22
1384513 Stack-use-after-return in blink::NGConstraintSpaceBuilder::NGConstraintSpaceBuilder - 2023-02-22
1384765 Check return from AddAllowedAce in ServiceMain::InitializeComSecurity - 2023-02-22
1384796 Maybe use PROCESS_QUERY_LIMITED_INFORMATION in LegacyProcessLauncherImpl::LaunchCmdElevated - 2023-02-22
1385291 DCHECK failure in kCanBeWeak || (!IsSmi() == HAS_STRONG_HEAP_OBJECT_TAG(ptr_)) in tagged-impl.h - 2023-02-22
1385305 Segv on unknown address in Builtins_InterpreterEntryTrampoline - 2023-02-22
1238642 Security: Refcount overflow in RefCountedThreadSafeBase $1000 2023-02-21
1368230 Security: SameSite cookie bypass on Android by redirecting to intent-picker $5000 2023-02-21
1378357 Security: Avast aswJsFlt.dll 18.0.1479.0 exposes vulnerable pipe endpoint to renderers - 2023-02-21
1382363 UAF in AppIconReader $2000 2023-02-21
1382581 Security: UAF in validation_message_overlay_delegate $7000 2023-02-21
1383204 Trap in Builtins_CheckTurbofanType - 2023-02-21
1383422 Security: Heap-buffer-overflow in CommerceHintAgent::DidFinishLoadCallback $2500 2023-02-21
1383791 Security: UAF in lens::LensStaticPageController::LoadChromeLens $4000 2023-02-21
1384520 Crash in Builtins_StringEqual - 2023-02-21
1371215 Security: Forced user interaction for permission prompts by freezing the browser $3000 2023-02-20
1379860 DCHECK failure in !HAS_WEAK_HEAP_OBJECT_TAG(ptr_) in tagged-impl-inl.h - 2023-02-20
1381763 CrOS: Vulnerability reported in x11-libs/pixman - 2023-02-20
1372019 Security: ClientNativePixmapFactory implementations are probably not validating enough and should use checked math - 2023-02-18
1344756 Security: Heap-use-after-free in ReadAnythingCoordinator::CreateAndRegisterEntry $4000 2023-02-17
1381094 Security: UAF in DlpScopedFileAccessDelegate::OnResponse - 2023-02-17
1381217 Security: Bypass 1342722, sourceMappingURL directive allows use of UNC paths on Windows $5000 2023-02-17
1382652 Security: global-buffer-overflow in ash::default_user_image::GetRandomDefaultImageIndex() - 2023-02-17
1382816 v8_wasm_code_fuzzer: DCHECK failure in opcode >> 8 == kNumericPrefix in function-body-decoder-impl.h - 2023-02-17
1382993 Security: UAF in content::RenderFrameDevToolsAgentHost::RenderProcessExited $31000 2023-02-17
1383362 DCHECK failure in type == MachineType::Int32() || type == MachineType::Uint32() || type.representa - 2023-02-17
1383367 DCHECK failure in value->Is<Int32Constant>() || value->Is<StringLength>() || value->Is<BuiltinStri - 2023-02-17
1383369 Crash in v8::internal::maglev::GetInputLocationsArraySize - 2023-02-17
1383374 Crash in Builtins_ConstructProxy - 2023-02-17
1375021 uaf in FederatedAuthRequestImpl $10000 2023-02-16
1376995 uaf in FederatedAuthRequestimpl $10000 2023-02-16
1377165 Reading local files through an extension that only has the "downloads" permission $5000 2023-02-16
1380860 gl_lpm_fuzzer: Use-of-uninitialized-value in wsi_unsupported_instance_extension - 2023-02-16
1382369 UAF in ScreenAIService $2500 2023-02-16
1382434 Security: Copy-on-write check bypass in JSNativeContextSpecialization::BuildElementAccess - 2023-02-16
1382690 UAF in ScreenAIServiceRouter $5000 2023-02-16
1377783 Security: heap-use-after-free in StreamFactory::DestroyMuter - 2023-02-15
1378601 webcodecs_video_encoder_fuzzer: Heap-buffer-overflow in aom_variance64x64_avx2 - 2023-02-15
1381335 Security: Debug check failed: kCanBeWeak || (!IsSmi() == HAS_STRONG_HEAP_OBJECT_TAG(ptr_)). $11000 2023-02-15
1381401 Security: UAF in VideoCaptureDeviceWin $11000 2023-02-15
1358647 Security: Bypass the Protection of input fields cache (Autofill) 1108181 $5000 2023-02-14
1367632 Security: Extension sanitization bypass by using %% $2000 2023-02-14
1376099 Security: Design flaw in Synchronous Mojo message handling introduces unexpected reentrancy and allows for multiple UAFs - 2023-02-14
1379242 UAF in ExtensionInstalledWaiter $2000 2023-02-14
1380751 CrOS: Vulnerability reported in net-vpn/strongswan - 2023-02-14
1382423 Trap in Builtins_CheckTurbofanType - 2023-02-14
1358505 Security: V8: Missing TurboFan bounds check on DataView when buffer is resizable - 2023-02-13
1365053 CHECK failure: result.failed() implies v8_flags.wasm_lazy_validation in module-compiler.cc - 2023-02-13
1379579 Security: heap-use-after-free browser\renderer_host\render_process_host_impl.cc:2068 in content::RenderProcessHostImpl::CreateNotificationService $8000 2023-02-13
1381330 v8_wasm_async_fuzzer: DCHECK failure in opcode >> 8 == kAtomicPrefix in function-body-decoder-impl.h - 2023-02-13
1381663 Crash in v8::internal::maglev::InterpreterFrameState::get - 2023-02-13
1381665 DCHECK failure in count() > 0 in maglev-graph-builder.h - 2023-02-13
1326788 Security: Lackluster "File System Access API" block-list provides full disk read/write access $1000 2023-02-10
1359122 Security: SOP bypass leaks navigation history of iframe from other subdomain if location changed to about:blank $2000 2023-02-10
1372457 Possible vulnerability in crosvm: Invalid check for Virtio descriptors - 2023-02-10
1378457 Security: UAF in PasswordAutofillManager::OnBiometricReauthCompleted $7000 2023-02-10
1378813 extension_file_highlighter_fuzzer: Trap in std::Cr::__libcpp_verbose_abort - 2023-02-10
1378997 Security: FileChooserImpl still traverse symlink in symlink to directory $3000 2023-02-10
1380398 Crash in Builtins_StringEqual - 2023-02-10
1380498 v8_wasm_code_fuzzer: DCHECK failure in a == b in liftoff-assembler.cc - 2023-02-10
956979 Mixed content can be bypassed by sandboxed pages $1000 2023-02-09
1359678 CrOS: Vulnerability reported in media-libs/tiff - 2023-02-09
1377610 CrOS: Vulnerability reported in media-libs/tiff - 2023-02-09
1377790 Security: CSA_DCHECK failed: Torque assert 'remainingElementsCount >= 0' failed in v8 - 2023-02-09
1379740 Security DCHECK failure: unit.TextContentEnd() <= text.length() in ng_offset_mapping.cc - 2023-02-09
1380478 Security: clang-analyzer-cplusplus.NewDelete in third_party/pdfium/core/fpdfapi/parser/cpdf_object_walker.cpp - 2023-02-09
1352445 Security: heap-use-after-free in password_manager::WellKnownChangePasswordState::SetChangePasswordResponseCode - 2023-02-08
1356987 Security: External notifications from external apps (such as Telegram) can block Android fullscreen notification. (Tested on latest Chrome stable) $2000 2023-02-08
1375132 Security: Android: Bluetooth and USB chooser dialogs do not use top-level origin with permission delegation $3000 2023-02-08
1378456 Security: UAF in PasswordAutofillManager::DidAcceptSuggestion - 2023-02-08
1378814 DCHECK failure in properties().can_eager_deopt() in maglev-ir.h - 2023-02-08
1378916 Security: local IP address disclosure using WebRTC candidate foundation - 2023-02-08
1379054 Security: Promise.any.call leak hole, leading to RCE $15000 2023-02-08
1379201 Security: Stack-buffer-overflow in WebGL vulkan backend $11000 2023-02-08
1379364 DCHECK failure in IsImmAddSub(frame_size) in liftoff-assembler-arm64.h - 2023-02-08
1379468 DCHECK failure in 0 != new_nodes_.count(value) in maglev-graph-builder.h - 2023-02-08
1379831 Security: stack-buffer-overflow in mojo::core::ipcz_driver::ObjectBase::PeekBox(browser process) - 2023-02-08
1379864 DCHECK failure in new_target->IsConstructor() in js-objects.cc - 2023-02-08
1380313 Use-after-poison in blink::CSSSelector::SelectorListOrParent $12000 2023-02-08
1370028 Security: Chrome on Android the Fullscreen Notification Toast Not shown when fullscreen (screen lock mode landscape) $5000 2023-02-06
1374995 Trap in Builtins_CheckTurbofanType - 2023-02-03
1375073 DCHECK failure in constructor->IsNull(isolate) in runtime-classes.cc - 2023-02-03
1378571 Security: UAF in MultiplexEncoderFactory $11000 2023-02-03
1345045 CSP Bypass (Old Issue) $3000 2023-02-02
1371844 Security: UAF in PluginVmInstaller::DetectImageType $1000 2023-02-02
1374746 CHECK failure: proto.map().oddball_type() == OddballType::kNull in compilation-dependencies.cc - 2023-02-02
1377775 Crash in Builtins_StringIndexOf - 2023-02-02
1377816 Security: WebAssembly UAF in catch block with stale memory start pointer $21000 2023-02-02
1377840 Security: Incorrect rab flags setting leads to type confusion in V8 - 2023-02-02
1378286 Security: Heap-use-after-free in InstallablePaymentAppCrawler::OnPaymentMethodManifestParsed $39000 2023-02-02
1378287 Security: Heap-use-after-free in ChromeAutofillClient::DidFinishNavigation - 2023-02-02
1378323 compositor_frame_fuzzer: Global-buffer-overflow in gfx::Transform::RotateAboutZAxis - 2023-02-02
1365877 Security: Esc doesn't exit fullscreen in Crostini apps - 2023-02-01
1374294 Security: access-violation src\v8\src\api\api.cc:5809 in v8::String::WriteOneByte $5000 2023-02-01
1378437 Crash in Builtins_Construct_WithFeedback - 2023-02-01
1378494 Crash in Builtins_StringSubstring - 2023-02-01
1378495 Crash in Builtins_InterpreterEntryTrampoline - 2023-02-01
1340924 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1343339 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1344118 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1344821 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1346256 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1346675 Security: UTF chartorune heap-buffer-overflow crash $8000 2023-01-31
1361911 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1362225 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1362331 Generic CORS bypass that enables Cross-Site-Tracing (XST) $1000 2023-01-31
1363579 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1366771 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1367617 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1368560 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1369956 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1370293 CrOS: Vulnerability reported in app-editors/vim - 2023-01-31
1372757 Security: Heap-use-after-free in ash::OverviewItem::ShowWindowInOverview $1500 2023-01-31
1378168 Use-of-uninitialized-value in v8::internal::compiler::BranchElimination::SimplifyBranchCondition - 2023-01-31
1368739 Security: FencedFrame - Two way communication between embedder and frame $6000 2023-01-30
1251790 Security: Top-level redirect from cross-origin iframe by setting `Content-Security-Policy: sandbox allow-top-navigation` $5000 2023-01-28
1375059 Multiple checks fail, cross process crash, maybe race condition & use-after-free in video_encoder.cc $7000 2023-01-28
1303597 Heap-use-after-free in blink::BoxPainterBase::PaintFillLayer $10000 2023-01-27
1342072 Security: Presentation API dialog unexpectedly shows top-level origin when called by cross-origin iframe without explicit allow-presentation delegation $7500 2023-01-27
1361066 Security: OOB write on Lacros $2000 2023-01-27
1365945 Security: UAF in ash::network_diagnostics::DnsResolutionRoutine::CreateHostResolver() (browser process) $3000 2023-01-27
1376856 Crash in Builtins_Construct_WithFeedback - 2023-01-27
1376930 CHECK failure: BigIntNegate of kRepTaggedPointer (BigInt) cannot be changed to kRepTaggedPointe - 2023-01-27
1377250 UaF in PRM observerlist after browser change (confirmation chip) - 2023-01-27
985740 CrOS: Vulnerability reported in sys-libs/glibc - 2023-01-25
1372746 Security: Heap-use-after-free in ash::ScopedOverviewHideWindows::~ScopedOverviewHideWindows $2000 2023-01-25
1373941 Security: heap-use-after-free in ProfileDestroyer::DestroyProfileNow $2000 2023-01-25
1374513 Security: Bypass powerwash using factory_install_reset file - 2023-01-25
1375088 Security: UAF in webgpu\gpu.cc in blink::`anonymous namespace'::CreateContextProviderOnMainThread $8000 2023-01-25
1376067 Heap-buffer-overflow in blink::CSSParserImpl::ConsumeStyleRule - 2023-01-25
1355718 Security: UAF in hci_cmd_timeout $15000 2023-01-24
1367547 Security: Heap-use-after-free in autofill::AutofillContextMenuManager::ExecuteCommand $5000 2023-01-24
1370393 Container-overflow in ui::Layer::OnDeviceScaleFactorChanged - 2023-01-24
1374341 Heap-buffer-overflow in blink::GetCrossOriginAttributeValue - 2023-01-24
1375932 DCHECK failure in isolate->context().is_null() || isolate->context().IsContext() in runtime-string - 2023-01-24
1376069 Crash in v8::internal::Runtime_StringCharCodeAt - 2023-01-24
1370502 Security: Double free in setup_cb_free - 2023-01-23
1372665 Security: UAF in MyFilesSizeCalculator::ComputeLocalFilesSize, - 2023-01-23
1372695 Security: heap-use-after-free third_party\blink\renderer\core\workers\worker_thread.cc:905 in blink::WorkerThread::PauseOrFreezeOnWorkerThread $7000 2023-01-23
1329374 Security: heap-buffer-overflow on ash/shelf/shelf_view.cc (chromeOS) - 2023-01-21
1368587 Security: heap-use-after-free on aura::WindowOcclusionTracker::MaybeObserveAnimatedWindow $1000 2023-01-21
1374226 Illegal-instruction in blink::NGTableSectionLayoutAlgorithm::Layout - 2023-01-21
1374535 DCHECK failure in imm.index < num_locals() in function-body-decoder-impl.h - 2023-01-21
1374626 DCHECK failure in JSFunction::cast(entry.map(isolate).GetConstructor()) == native_context.array_fu - 2023-01-21
1372999 Security: Heap-use-after-free in SpeechRecognitionRecognizerImpl::ChangeLanguage $10000 2023-01-19
1373314 Security: WebGPU: Out of bounds write in OnBufferMapAsyncCallback - 2023-01-19
1374232 v8_regexp_parser_fuzzer: DCHECK failure in index <= known_captures in regexp-parser.cc - 2023-01-19
1344647 chrome.debugger API bypasses the runtime_blocked_hosts cookie protection $3000 2023-01-18
1354518 Security: .url files can be saved via getFileHandle and redirect showSaveFilePicker to arbitrary file $1000 2023-01-18
1366330 CrOS: Vulnerability reported in media-libs/tiff - 2023-01-18
1371860 Security: UAF in mojo::SimpleWatcher::Context in MojoIpcz feature (browser process) $20000 2023-01-18
1371926 Security: file_type_policies changes reintroduce attack surface - 2023-01-18
1372500 CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (IsJSReceiver_NonInline(*this)) in js - 2023-01-18
1372653 Use-after-poison in blink::NGBlockNode::StoreResultInLayoutBox - 2023-01-18
1372784 use after poison in HeapObjectHeader::LoadEncoded() $10000 2023-01-18
1373770 DCHECK failure in gc_epilogue_callbacks_.IsEmpty() in local-heap.cc - 2023-01-18
1373772 CHECK failure: diff <= 0.5 - 2023-01-18
1080624 CrOS: Vulnerability reported in sys-libs/glibc - 2023-01-16
1162252 CrOS: Vulnerability reported in x11-libs/gdk-pixbuf - 2023-01-16
1176031 Reading local files through an extension that only has the "downloads" permission $5000 2023-01-16
1294202 CrOS: Vulnerability reported in dev-libs/protobuf - 2023-01-16
1298886 CrOS: Vulnerability reported in media-libs/tiff - 2023-01-16
1354271 Security: [ANGLE] Heap-buffer-overflow caused by writing exceeding the querypool size $17000 2023-01-14
1365004 Security: Chrome Android: Incognito Mode grants access to the address bar although reauthentication is required - 2023-01-14
1279268 Security: Page can cause autofill prompt to render near cursor in order to bypass intentional mouse movement input requirements for autofill (Bypass of issue 1240472 fix) $3000 2023-01-13
1356211 Security: XML object's heap memory difference leaking or potential ASLR bypass in libXML $1000 2023-01-13
1365330 Security: heap-use-after-free in blink::LocalFrameView::PerformLayout (incomplete fix for CVE-2022-3199) - 2023-01-12
1366415 UAF in AccessibilityManager $2000 2023-01-12
1369871 Security: Race condition in JSCreateLowering, leading to RCE $20000 2023-01-12
1369882 Security: use-after-poison interface_endpoint_client.cc:900 in mojo::InterfaceEndpointClient::HandleValidatedMessage $10000 2023-01-12
1370439 UAF in SelectFileDialogLinuxKde::CallKDialogOutput $7000 2023-01-12
1370969 Crash in blink::NGBlockNode::StoreResultInLayoutBox - 2023-01-12
1350442 Security: UAF in BackForwardCache $30000 2023-01-11
1358168 Security: clang-analyzer-core.uninitialized.Assign in third_party/ffmpeg/libavformat/riffdec.c - 2023-01-11
1364662 Security: UAF in safe_browsing::IncidentReportingService::AddIncident(browser process) $7000 2023-01-11
1367650 DCHECK failure in offsets.size() != 0 in maglev-graph-builder.cc - 2023-01-11
1370416 DCHECK failure in is_loadable() in maglev-ir.h - 2023-01-11
1370423 DCHECK failure in HAS_SMI_TAG(ptr) in smi.h - 2023-01-11
587956 Security: Android: Apps with external storage access can steal CSRF tokens - 2023-01-10
1361612 heap-use-after-free : webrtc::`anonymous namespace'::ProduceRemoteInboundRtpStreamStatsFromReportBlockData - 2023-01-10
1363583 Security: Heap-use-after-free in UserNoteService::OnNoteCreationDone $5000 2023-01-10
1366843 uaf in v8_inspector::InjectedScript::addPromiseCallback $1000 2023-01-10
1367862 DCHECK failure in IsPrimitiveMap() in map-inl.h - 2023-01-10
1368046 Security: Type confusion in V8 $10000 2023-01-10
1370400 DCHECK failure in key->IsJSReceiver() in runtime-collections.cc - 2023-01-10
1370402 DCHECK failure in target().IsUndefined() || target().IsJSReceiver() in js-weak-refs-inl.h - 2023-01-10
1259492 Security UI Spoofing on Chrome for Android due to the Contact permission dialog hiding the fullscreen alert message $7500 2023-01-09
1363287 DCHECK failure in GetCurrentStackPosition() >= stack_guard()->real_climit() - 32 * KB in isolate.c - 2023-01-08
1368076 Security: Report 2 Vulnerabilities in WebSQL $13000 2023-01-07
1051198 Compromised renderer can arbitrarily read the clipboard - 2023-01-06
1363040 uaf in PermissionStatus::OnPermissionStatusChange $2500 2023-01-06
1366812 Security: UAF in content::DevToolsSession::DispatchProtocolResponse (browser process) $1000 2023-01-06
1366464 Back Forward Cache storage of RenderViewHost is unsafe - 2023-01-05
1367680 GPU failure in blink::NGPhysicalBoxFragment::CheckSameForSimplifiedLayout - 2023-01-05
1355560 heap-use-after-free ui/views/view.cc:1898:7 in views::View::HandleAccessibleAction $2000 2023-01-04
1366806 Security: Heap-use-after-free in InstallablePaymentAppCrawler::OnPaymentMethodManifestParsed $38000 2023-01-04
1367678 DCHECK failure in generator_block->control_node()->opcode() == Opcode::kSwitch in maglev-regalloc. - 2023-01-04
345205 DevTools: Combat self-xss - 2023-01-04
1360042 V8: Generic lowering of JSForInPrepare tries to read from FixedArray - 2023-01-03
1363030 uaf in ArcInputOverlayManager::ReadData - 2023-01-03
1364604 Security: heap-use-after-free in GrClientMappedBufferManager::owningDirectContext $15000 2023-01-03
1367231 Security: UAF in AutofillContextMenuManager::ExecuteCommand $7000 2023-01-03
1367651 CHECK failure: size <= kMaxRegularHeapObjectSize - 2023-01-03
1367993 Security: WebRTC crash in `AudioMultiVector::PushBackInterleaved` - 2023-01-03
1340879 Security: Custom Tab HTTP Header Injection $3000 2023-01-02