Disclosed Chromium Security Bugs

jackson-dataformat-xml:XmlFuzzer: Security exception in com.sun.xml.stream.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next

#383588432 Reporter: 87...@developer.gserviceaccount.com
$0
3/12/2025

wasm3:fuzzer: Heap-buffer-overflow in PreserveRegisterIfOccupied

#383379140 Reporter: 87...@developer.gserviceaccount.com
$0
3/11/2025

Security DCHECK failure: dom_start_ <= dom_end_. 3 vs in offset_mapping.cc

#379254069 Reporter: 24...@project.gserviceaccount.com
$0
3/11/2025

V8 Sandbox Bypass: AAR/W via WASM dispatch table index OOB from `WasmTableObject.uses`

#350628675 Reporter: se...@gmail.com
$20,000
3/11/2025

Arbitrary Wasm type confusion due to improper fix of b/380397544

#381696874 Reporter: se...@gmail.com
$55,000
3/11/2025

Arbitrary WASM type confusion due to improper fix of b/379009132

#380397544 Reporter: se...@gmail.com
$55,000
3/11/2025

DCHECK failure in kCanBeWeak || (!IsSmi() == HAS_STRONG_HEAP_OBJECT_TAG(ptr_)) in tagged-impl.h

#379843860 Reporter: 24...@project.gserviceaccount.com
$0
3/11/2025

Check if WasmImportData::call_origin allows sandbox escapes

#369748454 Reporter: jk...@chromium.org
$0
3/11/2025

MemorySanitizer: SEGV v8/src/heap/remembered-set-inl.h:46:38 in heap::base::SlotCallbackResult v8::internal::UpdateTypedSlotHelper::UpdateTypedSlot(v8::internal::WritableJitAllocation&, v8::internal::Heap*, v8::internal::SlotType, unsigned long, v8::internal::Scavenger::ScavengePage(v8::internal::MutablePageMetadata*)::$_2)

#380474992 Reporter: al...@goodmanemail.com
$0
3/11/2025

Memory corruption in TransitiveTypeFeedbackProcessor with --wasm-deopt and multi-instance modules

#381281318 Reporter: ml...@chromium.org
$0
3/11/2025

Showing 2141-2150 of 10209 bugs