Disclosed Chromium Security Bugs

←Back to Dashboard

Search Titles

Sort By

Time Range

Reward Range

Bugs per Page

Incorrect Optimization of ArrayConstructor by Maglev Leads to Creation of Malformed JSArray Objects

#454485895•Reporter: hu...@gmail.com

$50,000

1/31/2026

Out-of-bound read in the jmp table of ActiveMediaSessionController leads to sandbox escape.

#453094710•Reporter: bl...@gmail.com

$250,000

1/28/2026

TDZ check elision leading to hole leak

#450618029•Reporter: ry...@gmail.com

$50,000

1/22/2026

Type confusion in inline cache prototype loading with Webassembly object prototype

#447613211•Reporter: m-...@github.com

$50,000

1/13/2026

heap-use-after-free in content::indexed_db::Database::connections_ when force_closing_ is true

#446722008•Reporter: so...@gmail.com

$100,000

1/2/2026

Wasm type confusion due to custom descriptors spec ambiguity in `ref.get_desc` exactness typing

#446124893•Reporter: se...@gmail.com

$55,000

12/31/2025

Wasm type confusion due to missing exactness check on JS-Wasm boundary

#446124892•Reporter: se...@gmail.com

$55,000

12/31/2025

Wasm type confusion due to wrong reachability analysis in `WasmGCTypeAnalyzer::ProcessBranchOnTarget()` with custom descriptor casts

#446122633•Reporter: se...@gmail.com

$55,000

12/31/2025

Wasm type confusion due to custom descriptors spec unsoundness on `ref.func` exact typing

#446113731•Reporter: se...@gmail.com

$55,000

12/31/2025

Wasm type confusion due to spec unsoundness in `cast_desc` operations

#446113732•Reporter: se...@gmail.com

$55,000

12/31/2025

Showing 1-10 of 36 bugs