Disclosed Chromium Security Bugs

Maglev's handling of target and new.target is incorrect

#467247247Reporter: hu...@gmail.com
$50,000
3/19/2026

V8 Sandbox Bypass: AAW/PC control via dispatch entry UAF during InstantiateAsmJs by hijacking start

#462217236Reporter: kr...@gmail.com
$20,000
3/12/2026

[bugSWAT] GPU process crash via WebGPU shader - wild-deref in Mesa aco::combine_instruction

#448294721Reporter: a7...@gmail.com
$10,000
3/10/2026

DCHECK Fail when Maglev Generates Exception Handler Trampoline Instructions

#457351015Reporter: hu...@gmail.com
$10,000
2/17/2026

V8 Sandbox Bypass: AAW/PC control via CallKnownJSFunction reduction for builtins

#454927471Reporter: kr...@gmail.com
$22,000
2/7/2026

Maglev - CallBuiltin (input @0 = LoadHoleyFixedDoubleArrayElement) type HoleyFloat64 is not Tagged

#456547591Reporter: sh...@gmail.com
$11,000
2/7/2026

V8 Sandbox Bypass: WasmCPT handle UAF by import dispatch table corruption (multiple variants of b/446113730)

#452605803Reporter: se...@gmail.com
$20,000
2/6/2026

Incorrect Optimization of ArrayConstructor by Maglev Leads to Creation of Malformed JSArray Objects

#454485895Reporter: hu...@gmail.com
$50,000
1/31/2026

V8 Sandbox Bypass: Wasm streaming compilation cache confusion via "double streaming"

#452605804Reporter: se...@gmail.com
$20,000
1/31/2026

Security: Compromised renderer can control mouse after single tap (UXSS, sandbox escape, and more)

#447172715Reporter: al...@alesandroortiz.com
$30,000
1/30/2026
Showing 1-10 of 422 bugs
1234...43