Disclosed Chromium Security Bugs

V8 Sandbox Bypass: Heap Buffer Overflow while Changing the Length of a Corrupted Array

#430498032 Reporter: da...@hirsch.cx
$5,000
11/14/2025

V8 sandbox bypass due to recreating funcref for imported wasm function

#432289371 Reporter: pv...@gmail.com
$5,000
11/11/2025

Crash with three-way self Jitsi Meet call

#432035817 Reporter: jo...@gmail.com
$7,000
11/6/2025

Consumers of ReadableStream subject to data race with SharedArrayBuffer, leading to RCE + V8 Sandbox bypass

#433533359 Reporter: se...@gmail.com
$70,000
11/6/2025

Security: Compromised renderer can steal cross-site data with minimal user interaction

#433800617 Reporter: al...@alesandroortiz.com
$7,000
11/5/2025

CSP doesn't block sourceMappingURL

#361116749 Reporter: no...@applitools.com
$1,000
11/4/2025

Security: heap-use-after-free on aura::Window::CleanupGestureState

#432497641 Reporter: xp...@gmail.com
$11,000
11/4/2025

V8 sandbox bypass due to NativeModule swapping while module instantiation was ongoing

#433407763 Reporter: pv...@gmail.com
$20,000
10/31/2025

Command injection in "Copy as cURL (cmd)" due to improper sanitization

#427367145 Reporter: am...@gmail.com
$1,500
10/31/2025

V8 Sandbox Bypass: InstantiateAsmJs builtin doesn't protect against mid-builtin dispatch handle swaps

#430960844 Reporter: ma...@popax21.dev
$20,000
10/30/2025
Showing 1-10 of 1572 bugs