Disclosed Chromium Security Bugs

V8 Sandbox Bypass: In-sandbox corruption allows execution of dangerous / experimental code

#435630464 Reporter: se...@gmail.com
$20,000
1/13/2026

Type confusion in inline cache prototype loading with WebAssembly object prototype

#447613211 Reporter: m-...@github.com
$50,000
1/13/2026

Check failed: !WriteBarrier::IsRequired(heap_object, Tagged(value)).

#446463984 Reporter: je...@gmail.com
$10,000
1/3/2026

heap-use-after-free in content::indexed_db::Database::connections_ when force_closing_ is true

#446722008 Reporter: so...@gmail.com
$100,000
1/2/2026

Triggering screenshare from an unloading page in a cross-process navigation displays the wrong origin

#442860743 Reporter: do...@gmail.com
$10,000
1/2/2026

V8 Sandbox Bypass: WasmCPT handle UAF by import dispatch table growth

#446113730 Reporter: se...@gmail.com
$20,000
1/1/2026

Wasm type confusion due to custom descriptors spec ambiguity in `ref.get_desc` exactness typing

#446124893 Reporter: se...@gmail.com
$55,000
12/31/2025

Wasm type confusion due to missing exactness check on JS-Wasm boundary

#446124892 Reporter: se...@gmail.com
$55,000
12/31/2025

Wasm type confusion due to wrong reachability analysis in `WasmGCTypeAnalyzer::ProcessBranchOnTarget()` with custom descriptor casts

#446122633 Reporter: se...@gmail.com
$55,000
12/31/2025

Wasm type confusion due to custom descriptors spec unsoundness on `ref.func` exact typing

#446113731 Reporter: se...@gmail.com
$55,000
12/31/2025
Showing 1-10 of 408 bugs