Disclosed Chromium Security Bugs

libGLES_mali UAF via WebGPU shaders at llvm::BasicBlock::getTerminator

#442273697Reporter: a7...@gmail.com
$25,000
4/17/2026

Crash in Maglev due to Stale ScopeInfo Cache with Async Generators

#470831166Reporter: hu...@gmail.com
$10,000
4/17/2026

Maglev's handling of target and new.target is incorrect

#467247247Reporter: hu...@gmail.com
$50,000
3/19/2026

V8 Sandbox Bypass: AAW/PC control via dispatch entry UAF during InstantiateAsmJs by hijacking start

#462217236Reporter: kr...@gmail.com
$20,000
3/12/2026

[bugSWAT] GPU process crash via WebGPU shader - wild-deref in Mesa aco::combine_instruction

#448294721Reporter: a7...@gmail.com
$10,000
3/10/2026

DCHECK Fail when Maglev Generates Exception Handler Trampoline Instructions

#457351015Reporter: hu...@gmail.com
$10,000
2/17/2026

V8 Sandbox Bypass: AAW/PC control via CallKnownJSFunction reduction for builtins

#454927471Reporter: kr...@gmail.com
$22,000
2/7/2026

Maglev - CallBuiltin (input @0 = LoadHoleyFixedDoubleArrayElement) type HoleyFloat64 is not Tagged

#456547591Reporter: sh...@gmail.com
$11,000
2/7/2026

V8 Sandbox Bypass: WasmCPT handle UAF by import dispatch table corruption (multiple variants of b/446113730)

#452605803Reporter: se...@gmail.com
$20,000
2/6/2026

Incorrect Optimization of ArrayConstructor by Maglev Leads to Creation of Malformed JSArray Objects

#454485895Reporter: hu...@gmail.com
$50,000
1/31/2026
Showing 1-10 of 424 bugs
1234...43