Disclosed Chromium Security Bugs

DCHECK Fail when Maglev Generates Exception Handler Trampoline Instructions

#457351015 Reporter: hu...@gmail.com
$10,000
2/17/2026

V8 Sandbox Bypass: AAW/PC control via CallKnownJSFunction reduction for builtins

#454927471 Reporter: kr...@gmail.com
$22,000
2/7/2026

Maglev - CallBuiltin (input @0 = LoadHoleyFixedDoubleArrayElement) type HoleyFloat64 is not Tagged

#456547591 Reporter: sh...@gmail.com
$11,000
2/7/2026

V8 Sandbox Bypass: WasmCPT handle UAF by import dispatch table corruption (multiple variants of b/446113730)

#452605803 Reporter: se...@gmail.com
$20,000
2/6/2026

Incorrect Optimization of ArrayConstructor by Maglev Leads to Creation of Malformed JSArray Objects

#454485895 Reporter: hu...@gmail.com
$50,000
1/31/2026

V8 Sandbox Bypass: Wasm streaming compilation cache confusion via "double streaming"

#452605804 Reporter: se...@gmail.com
$20,000
1/31/2026

Security: Compromised renderer can control mouse after single tap (UXSS, sandbox escape, and more)

#447172715 Reporter: al...@alesandroortiz.com
$30,000
1/30/2026

Out-of-bound read in the jmp table of ActiveMediaSessionController leads to sandbox escape.

#453094710 Reporter: bl...@gmail.com
$250,000
1/28/2026

Type confusion in v8 caused by incorrect unregistration of prototype users

#452541294 Reporter: my...@gmail.com
$10,000
1/27/2026

V8 Sandbox Bypass: AAW/PC control via OOB builtin in SharedFunctionInfo

#451355210 Reporter: kr...@gmail.com
$20,000
1/23/2026

Showing 1-10 of 419 bugs