Disclosed Chromium Security Bugs

Type confusion in inline cache prototype loading with Webassembly object prototype

#447613211Reporter: m-...@github.com
$50,000
1/13/2026

heap-use-after-free in content::indexed_db::Database::connections_ when force_closing_ is true

#446722008Reporter: so...@gmail.com
$100,000
1/2/2026

Wasm type confusion due to custom descriptors spec ambiguity in `ref.get_desc` exactness typing

#446124893Reporter: se...@gmail.com
$55,000
12/31/2025

Wasm type confusion due to missing exactness check on JS-Wasm boundary

#446124892Reporter: se...@gmail.com
$55,000
12/31/2025

Wasm type confusion due to wrong reachability analysis in `WasmGCTypeAnalyzer::ProcessBranchOnTarget()` with custom descriptor casts

#446122633Reporter: se...@gmail.com
$55,000
12/31/2025

Wasm type confusion due to custom descriptors spec unsoundness on `ref.func` exact typing

#446113731Reporter: se...@gmail.com
$55,000
12/31/2025

Wasm type confusion due to spec unsoundness in `cast_desc` operations

#446113732Reporter: se...@gmail.com
$55,000
12/31/2025

Consumers of ReadableStream subject to data race with SharedArrayBuffer, leading to RCE + V8 Sandbox bypass

#433533359Reporter: se...@gmail.com
$70,000
11/6/2025

heap-use-after-free in cc::LayerTreeHost::NotifyTransitionRequestsFinished

#411573532Reporter: m....@gmail.com
$50,000
8/21/2025

ipcz bug can allow renderer duplicate browser process handle to escape sandbox

#412578726Reporter: ha...@gmail.com
$250,000
8/6/2025
Showing 1-10 of 33 bugs
1234