Disclosed Chromium Security Bugs

V8 Sandbox Bypass: WasmCPT handle UAF by import dispatch table growth

#446113730Reporter: se...@gmail.com
$20,000
1/1/2026

Heap-use-after-free in ui::AcceleratorManager::Process

#446986774Reporter: 24...@project.gserviceaccount.com
$0
1/1/2026

Heap-use-after-free in ui::AcceleratorManager::Process

#446962939Reporter: 24...@project.gserviceaccount.com
$0
1/1/2026

Crash in v8::internal::compiler::ObjectData::IsBigInt

#446735537Reporter: 24...@project.gserviceaccount.com
$0
1/1/2026

Crash in v8::internal::Map::instance_type

#446725502Reporter: 24...@project.gserviceaccount.com
$0
1/1/2026

Crash in v8::internal::compiler::ObjectData::IsContext

#446944035Reporter: 24...@project.gserviceaccount.com
$0
1/1/2026

Crash in v8::internal::compiler::JSNativeContextSpecialization::InferRootMap

#446730213Reporter: 24...@project.gserviceaccount.com
$0
1/1/2026

Crash in v8::internal::compiler::HeapObjectRef::map

#446730212Reporter: 24...@project.gserviceaccount.com
$0
1/1/2026

Crash in v8::internal::compiler::ObjectData::IsJSFunction

#446561512Reporter: 24...@project.gserviceaccount.com
$0
1/1/2026

DCHECK failure in v8_flags.assert_hole_checked_by_value implies !SafeIsAnyHole(obj) in heap-object

#446190088Reporter: 24...@project.gserviceaccount.com
$0
1/1/2026
Showing 1391-1400 of 10808 bugs
1...139140141...1081