Disclosed Chromium Security Bugs

OOB in GPU process: Missing negative length validation in Bucket::GetAsStrings.

#487755344Reporter: se...@gmail.com
$2,000
6/24/2026

TWA Origin Spoofing & UI Redressing via Intent Injection

#477876507Reporter: ha...@gmail.com
$2,000
6/24/2026

Wrong CheckSmi elision because of CheckValueEqualsInt32

#490558172Reporter: 24...@project.gserviceaccount.com
$0
6/24/2026

SubAppsServiceImpl::Remove() use-after-free: ReportBadMessageAndDeleteThis() mid-loop deletes `this`, next iteration accesses freed memory

#492465356Reporter: os...@gmail.com
$36,000
6/24/2026

Use-After-Free in ReadbackBufferShadowTracker via getBufferSubData with Non-Zero Offset

#492228019Reporter: je...@gmail.com
$11,000
6/24/2026

Heap-buffer-overflow in XNNPACK

#492350403Reporter: he...@gmail.com
$3,000
6/24/2026

OOB Write in GraphBuilderTflite::SerializeConv2d

#492350400Reporter: he...@gmail.com
$23,000
6/24/2026

Insufficient bounds check in ANGLE Metal UBO bool conversion leads to heap OOB read in GPU process on Mac

#489585044Reporter: je...@gmail.com
$3,000
6/24/2026

SharedStorage custom-data-origin authorization bypass via stale match state

#488408915Reporter: oj...@gmail.com
$1,000
6/24/2026

GPU sandbox escape on macOS via lsd.modifydb > RCE

#491422244Reporter: ma...@advert.com.au
$0
6/24/2026
Showing 451-460 of 11332 bugs