None (Thursday, June 24, 2021) 0/0 bugs

None (Thursday, June 17, 2021) 4/4 bugs

[$TBD][1219857] High CVE-2021-30554: Use after free in WebGL. Reported by anonymous on 2021-06-15
- Issue 1219857 (Permission denied.)
[$10000][1215029] High CVE-2021-30555: Use after free in Sharing. Reported by David Erceg on 2021-06-01
- Issue 1215029 (Permission denied.)
[$7500][1212599] High CVE-2021-30556: Use after free in WebAudio. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-24
- Issue 1212599 (Permission denied.)
[$10000][1202102] High CVE-2021-30557: Use after free in TabGroups. Reported by David Erceg on 2021-04-23
- Issue 1202102 (Permission denied.)

None (Monday, June 14, 2021) 0/0 bugs

None (Wednesday, June 9, 2021) 14/14 bugs

[$25000][1212618] Critical CVE-2021-30544: Use after free in BFCache. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-05-24
- Issue 1212618 (Permission denied.)
[$20000][1201031] High CVE-2021-30545: Use after free in Extensions. Reported by kkwon with everpall and kkomdal on 2021-04-21
- Issue 1201031 (Permission denied.)
[$NA][1206911] High CVE-2021-30546: Use after free in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-05-08
- Issue 1206911 (Permission denied.)
[$TBD][1210414] High CVE-2021-30547: Out of bounds write in ANGLE. Reported by Seong-Hwan Park (SeHwa) of SecunologyLab on 2021-05-18
- Issue 1210414 (Permission denied.)
[$TBD][1210487] High CVE-2021-30548: Use after free in Loader. Reported by Yangkang(@dnpushme) & Wanglu of Qihoo360 Qex Team on 2021-05-18
- Issue 1210487 (Permission denied.)
[$TBD][1212498] High CVE-2021-30549: Use after free in Spell check. Reported by David Erceg on 2021-05-23
- Issue 1212498 (Permission denied.)
[$TBD][1212500] High CVE-2021-30550: Use after free in Accessibility. Reported by David Erceg on 2021-05-23
- Issue 1212500 (Permission denied.)
[$NA][1216437] High CVE-2021-30551: Type Confusion in V8. Reported by Clement Lecigne of Google's Threat Analysis Group and Sergei Glazunov of Google Project Zero on 2021-06-04
- Issue 1216437 (Permission denied.)
[$TBD][1200679] Medium CVE-2021-30552: Use after free in Extensions. Reported by David Erceg on 2021-04-20
- Issue 1200679 (Permission denied.)
[$TBD][1209769] Medium CVE-2021-30553: Use after free in Network service. Reported by Anonymous on 2021-05-17
- Issue 1209769 (Permission denied.)
[1218029] internal.

91.0.4472.77 (Tuesday, May 25, 2021) 32/34 bugs

[$7500][1176218] High CVE-2021-30522: Use after free in WebAudio. Reported by Piotr Bania of Cisco Talos on 2021-02-09
- Issue 1176218 (Permission denied.)
[$7500][1187797] High CVE-2021-30523: Use after free in WebRTC. Reported by Tolyan Korniltsev on 2021-03-13
- Issue 1187797 (Permission denied.)
[$TBD][1197146] High CVE-2021-30524: Use after free in TabStrip. Reported by David Erceg on 2021-04-08
- Issue 1197146 (Permission denied.)
[$TBD][1197888] High CVE-2021-30525: Use after free in TabGroups. Reported by David Erceg on 2021-04-11
- Issue 1197888 (Permission denied.)
[$TBD][1198717] High CVE-2021-30526: Out of bounds write in TabStrip. Reported by David Erceg on 2021-04-13
- Issue 1198717 (Permission denied.)
[$TBD][1199198] High CVE-2021-30527: Use after free in WebUI. Reported by David Erceg on 2021-04-15
- Issue 1199198 (Permission denied.)
[$NA][1206329] High CVE-2021-30528: Use after free in WebAuthentication. Reported by Man Yue Mo of GitHub Security Lab on 2021-05-06
- Issue 1206329 (Permission denied.)
[$7500][1195278] Medium CVE-2021-30529: Use after free in Bookmarks. Reported by koocola (@alo_cook) and Nan Wang (@eternalsakura13) of 360 Alpha Lab on 2021-04-02
- Issue 1195278 (Permission denied.)
[$7500][1201033] Medium CVE-2021-30530: Out of bounds memory access in WebAudio. Reported by kkwon on 2021-04-21
- Issue 1201033 (Permission denied.)
[$5000][1115628] Medium CVE-2021-30531: Insufficient policy enforcement in Content Security Policy. Reported by Philip Papurt on 2020-08-12
- Issue 1115628: Security: Full CSP bypass through blob: URIs (gink...@gmail.com)
[$5000][1117687] Medium CVE-2021-30532: Insufficient policy enforcement in Content Security Policy. Reported by Philip Papurt on 2020-08-18
- Issue 1117687: Security: Full CSP bypass through filesystem URIs (gink...@gmail.com)
[$5000][1145553] Medium CVE-2021-30533: Insufficient policy enforcement in PopupBlocker. Reported by Eliya Stein on 2020-11-04
- Issue 1145553 (Permission denied.)
[$3000][1151507] Medium CVE-2021-30534: Insufficient policy enforcement in iFrameSandbox. Reported by Alesandro Ortiz on 2020-11-20
- Issue 1151507 (Permission denied.)
[$1000][1194899] Medium CVE-2021-30535: Double free in ICU. Reported by nocma, leogan, cheneyxu of WeChat Open Platform Security Team on 2021-04-01
- Issue 1194899 (Permission denied.)
[$TBD][1203607] Medium CVE-2021-30543: Use after free in Tab Strip. Reported by Khalil Zhani on 2021-04-28
- Issue 1203607 (Permission denied.)
[$NA][916326] Medium CVE-2021-30558: Insufficient policy enforcement in content security policy. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2018-12-19
- Issue 916326: CSP bypass via wrong inheritance (jun.k...@microsoft.com)
[$15000][1194358] Low CVE-2021-30536: Out of bounds read in V8. Reported by Chris Salls (@salls) on 2021-03-31
- Issue 1194358 (Permission denied.)
[$3000][830101] Low CVE-2021-30537: Insufficient policy enforcement in cookies. Reported by Jun Kokatsu (@shhnjk) on 2018-04-06
- Issue 830101 (Permission denied.)
[$3000][1115045] Low CVE-2021-30538: Insufficient policy enforcement in content security policy. Reported by Tianze Ding (@D1iv3) of Tencent Security Xuanwu Lab on 2020-08-11
- Issue 1115045: CSP frame-src bypass using: window.open + javascript-url + about:srcdoc + doubly-nested-iframe. (dddl...@gmail.com)
[$1000][971231] Low CVE-2021-30539: Insufficient policy enforcement in content security policy. Reported by unnamed researcher on 2019-06-05
- Issue 971231: Chrome Content security Policy bypass (nohac...@gmail.com)
[$500][1184147] Low CVE-2021-30540: Incorrect security UI in payments. Reported by @retsew0x01 on 2021-03-03
- Issue 1184147: Security: Incorrect Security UI in payment (zyzen...@gmail.com)
[1213064] internal.
- Issue 1150558 (Permission denied.)
- Issue 1206631 (Permission denied.)
- Issue 1202534 (Permission denied.)
- Issue 1197786 (Permission denied.)
- Issue 1194021 (Permission denied.)
- Issue 1192574: Security: 30x to data URI aren't blocked on iOS (gambard@chromium.org)
- Issue 1191778 (Permission denied.)
- Issue 1172694 (Permission denied.)
- Issue 1194959 (Permission denied.)
- Issue 1183440 (Permission denied.)
- Issue 1184294 (Permission denied.)

None (Monday, May 10, 2021) 20/19 bugs

[$3000][1180126] High CVE-2021-30506: Incorrect security UI in Web App Installs. Reported by @retsew0x01 on 2021-02-19
- Issue 1180126 (Permission denied.)
[$NA][1178202] High CVE-2021-30507: Inappropriate implementation in Offline. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2021-02-14
- Issue 1178202 (Permission denied.)
[$TBD][1195340] High CVE-2021-30508: Heap buffer overflow in Media Feeds. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-04-02
- Issue 1195340 (Permission denied.)
[$TBD][1196309] High CVE-2021-30509: Out of bounds write in Tab Strip. Reported by David Erceg on 2021-04-06
- Issue 1196309 (Permission denied.)
[$TBD][1197436] High CVE-2021-30510: Race in Aura. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2021-04-09
- Issue 1197436 (Permission denied.)
[$TBD][1197875] High CVE-2021-30511: Out of bounds read in Tab Groups. Reported by David Erceg on 2021-04-10
- Issue 1197875 (Permission denied.)
[$TBD][1200019] High CVE-2021-30512: Use after free in Notifications. Reported by ZhanJia Song on 2021-04-17
- Issue 1200019 (Permission denied.)
[$NA][1200490] High CVE-2021-30513: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2021-04-19
- Issue 1200490 (Permission denied.)
[$TBD][1200766] High CVE-2021-30514: Use after free in Autofill. Reported by koocola (@alo_cook) and Nan Wang (@eternalsakura13) of 360 Alpha Lab on 2021-04-20
- Issue 1200766 (Permission denied.)
[$TBD][1201073] High CVE-2021-30515: Use after free in File API. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-04-21
- Issue 1201073 (Permission denied.)
[$TBD][1201446] High CVE-2021-30516: Heap buffer overflow in History. Reported by ZhanJia Song on 2021-04-22
- Issue 1201446 (Permission denied.)
[$TBD][1203122] High CVE-2021-30517: Type Confusion in V8. Reported by laural on 2021-04-27
- Issue 1203122 (Permission denied.)
[$NA][1203590] High CVE-2021-30518: Heap buffer overflow in Reader Mode. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2021-04-28
- Issue 1203590 (Permission denied.)
[$15000][1194058] Medium CVE-2021-30519: Use after free in Payments. Reported by asnine on 2021-03-30
- Issue 1194058 (Permission denied.)
[$10000][1193362] Medium CVE-2021-30520: Use after free in Tab Strip. Reported by Khalil Zhani on 2021-04-03
- Issue 1193362 (Permission denied.)
[1207457] internal.

None (Monday, April 26, 2021) 10/9 bugs

[$15000][1199345] High CVE-2021-21227: Insufficient data validation in V8. Reported by Gengming Liu of Singular Security Lab on 2021-04-15
- Issue 1199345 (Permission denied.)
[$NA][1175058] High CVE-2021-21232: Use after free in Dev Tools. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-05
- Issue 1175058 (Permission denied.)
[$TBD][1182937] High CVE-2021-21233: Heap buffer overflow in ANGLE. Reported by Abraruddin Khan and Omair on 2021-02-26
- Issue 1182937 (Permission denied.)
[$5000][1139156] Medium CVE-2021-21228: Insufficient policy enforcement in extensions. Reported by Rob Wu on 2020-10-16
- Issue 1139156 (Permission denied.)
[$TBD][1198165] Medium CVE-2021-21229: Incorrect security UI in downloads. Reported by Mohit Raj (shadow2639) on 2021-04-12
- Issue 1198165 (Permission denied.)
[$TBD][1198705] Medium CVE-2021-21230: Type Confusion in V8. Reported by Manfred Paul on 2021-04-13
- Issue 1198705 (Permission denied.)
[$NA][1198696] Low CVE-2021-21231: Insufficient data validation in V8. Reported by Sergei Glazunov of Google Project Zero on 2021-04-13
- Issue 1198696 (Permission denied.)
[1202729] internal.

None (Tuesday, April 20, 2021) 7/7 bugs

[$TBD][1194046] High CVE-2021-21222: Heap buffer overflow in V8. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-03-30
- Issue 1194046 (Permission denied.)
[$TBD][1195308] High CVE-2021-21223: Integer overflow in Mojo. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-04-02
- Issue 1195308 (Permission denied.)
[$TBD][1195777] High CVE-2021-21224: Type Confusion in V8. Reported by Jose Martinez (tr0y4) from VerSprite Inc. on 2021-04-05
- Issue 1195777 (Permission denied.)
[$22000 + $22000][1195977] High CVE-2021-21225: Out of bounds memory access in V8. Reported by Brendon Tiszka (@btiszka) supporting the EFF on 2021-04-05
- Issue 1195977 (Permission denied.)
[$27000 + $27000][1197904] High CVE-2021-21226: Use after free in navigation. Reported by Brendon Tiszka (@btiszka) supporting the EFF on 2021-04-11
- Issue 1197904 (Permission denied.)
[1200824] internal.
- Issue 1192552 (Permission denied.)
- Issue 1155297 (Permission denied.)

90.0.4430.72 (Wednesday, April 14, 2021) 37/37 bugs

[$20000][1025683] High CVE-2021-21201: Use after free in permissions. Reported by Gengming Liu and Jianyu Chen when working at Tencent KeenLab on 2019-11-18
- Issue 1025683 (Permission denied.)
[$10000][1188889] High CVE-2021-21202: Use after free in extensions. Reported by David Erceg on 2021-03-16
- Issue 1188889 (Permission denied.)
[$5000][1192054] High CVE-2021-21203: Use after free in Blink. Reported by asnine on 2021-03-24
- Issue 1192054: Security: heap-use-after-free in blink::InvalidatableInterpolation::MaybeConvertPairwise (0xasn...@gmail.com)
[$1000][1189926] High CVE-2021-21204: Use after free in Blink. Reported by Chelse Tsai-Simek, Jeanette Ulloa, and Emily Voigtlander of Seesaw on 2021-03-19
- Issue 1189926: Aww snap crash when editing canvas text (che...@seesaw.me)
[$TBD][1165654] High CVE-2021-21205: Insufficient policy enforcement in navigation. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2021-01-12
- Issue 1165654: Security: 30x Redirect On Reload Can Navigate to Unsafe URLs / Cause Spoofing Issues (ahuff...@microsoft.com)
[$TBD][1195333] High CVE-2021-21221: Insufficient validation of untrusted input in Mojo. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-04-02
- Issue 1195333 (Permission denied.)
[$5000][1185732] Medium CVE-2021-21207: Use after free in IndexedDB. Reported by koocola (@alo_cook) and Nan Wang (@eternalsakura13) of 360 Alpha Lab on 2021-03-08
- Issue 1185732 (Permission denied.)
[$3000][1039539] Medium CVE-2021-21208: Insufficient data validation in QR scanner. Reported by Ahmed Elsobky (@0xsobky) on 2020-01-07
- Issue 1039539 (Permission denied.)
[$3000][1143526] Medium CVE-2021-21209: Inappropriate implementation in storage. Reported by Tom Van Goethem (@tomvangoethem) on 2020-10-29
- Issue 1143526: Security: leak cross-site response size - countermeasure bypass (tomva...@gmail.com)
[$3000][1184562] Medium CVE-2021-21210: Inappropriate implementation in Network. Reported by @bananabr on 2021-03-04
- Issue 1184562: Security: NAT Slipstreaming via RTSP(TCP/554) allows attacker to access local udp ports (vovoh...@gmail.com)
[$2000][1103119] Medium CVE-2021-21211: Inappropriate implementation in Navigation. Reported by Akash Labade (m0ns7er) on 2020-07-08
- Issue 1103119 (Permission denied.)
[$500][1145024] Medium CVE-2021-21212: Incorrect security UI in Network Config UI. Reported by Hugo Hue and Sze Yiu Chau of the Chinese University of Hong Kong on 2020-11-03
- Issue 1145024: Security&UI: WPA2-Enterprise/EAP WiFi Connection "Default" UI Discrepancy (hugoh...@gmail.com)
[$N/A][1161806] Medium CVE-2021-21213: Use after free in WebMIDI. Reported by raven (@raid_akame) on 2020-12-25
- Issue 1161806 (Permission denied.)
[$TBD][1170148] Medium CVE-2021-21214: Use after free in Network API. Reported by Anonymous on 2021-01-24
- Issue 1170148 (Permission denied.)
[$TBD][1172533] Medium CVE-2021-21215: Inappropriate implementation in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-01-30
- Issue 1172533 (Permission denied.)
[$TBD][1173297] Medium CVE-2021-21216: Inappropriate implementation in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-02
- Issue 1173297 (Permission denied.)
[$500][1166462] Low CVE-2021-21217: Uninitialized Use in PDFium. Reported by Zhou Aiting (@zhouat1) of Qihoo 360 Vulcan Team on 2021-01-14
- Issue 1166462: Security: Use of conditionally uninitialised stack variable may leak stack state (zhoua...@gmail.com)
[$500][1166478] Low CVE-2021-21218: Uninitialized Use in PDFium. Reported by Zhou Aiting (@zhouat1) of Qihoo 360 Vulcan Team on 2021-01-14
- Issue 1166478: Security: Use of conditionally uninitialised stack variable may leak stack state (zhoua...@gmail.com)
[$500][1166972] Low CVE-2021-21219: Uninitialized Use in PDFium. Reported by Zhou Aiting (@zhouat1) of Qihoo 360 Vulcan Team on 2021-01-15
- Issue 1166972: Security: Use of conditionally uninitialised stack variable may leak stack state (zhoua...@gmail.com)
[1198709] internal.
- Issue 1194417: Security: PermissionControllerImpl::UnsubscribePermissionStatusChange UAF (engedy@chromium.org)
- Issue 1193739 (Permission denied.)
- Issue 1190525 (Permission denied.)
- Issue 1184441: Racy UAF when handling usrsctp notification on timer thread (deadbeef@chromium.org)
- Issue 1183276 (Permission denied.)
- Issue 1178032 (Permission denied.)
- Issue 1182109: Security: dPWAs can change their icons after installation (est...@chromium.org)
- Issue 1181276 (Permission denied.)
- Issue 1179118: Known vulnerability detected in third_party/harfbuzz-ng (serv...@oss-vdb.iam.gserviceaccount.com)
- Issue 1176728: Security: Does eigen3 need updating? (adetaylor@google.com)
- Issue 1175522 (Permission denied.)
- Issue 1175503 (Permission denied.)
- Issue 1174551: Heap-buffer-overflow in unsigned int v8::internal::StringHasher::HashSequentialString<char> (ClusterFuzz)
- Issue 1166012 (Permission denied.)
- Issue 1132030 (Permission denied.)
- Issue 1170826: Third party apps and web pages can switch Chrome tabs (mthiesse@chromium.org)
- Issue 1167491 (Permission denied.)
- Issue 1161759: DCHECK failure in 0 == Heap::GetFillToAlign(obj->address(), HeapObject::RequiredAlignment(*map)) i (ClusterFuzz)

None (Tuesday, April 13, 2021) 2/2 bugs

[$TBD][1196781] High CVE-2021-21206: Use after free in Blink. Reported by Anonymous on 2021-04-07
- Issue 1196781 (Permission denied.)
[$N/A][1196683] High CVE-2021-21220: Insufficient validation of untrusted input in V8 for x86_64. Reported by Bruno Keith (@bkth_) & Niklas Baumstark (@_niklasb) of Dataflow Security (@dfsec_it) via ZDI (ZDI-CAN-13569) on 2021-04-07
- Issue 1196683 (Permission denied.)

None (Tuesday, March 30, 2021) 5/8 bugs

[$20000][1181228] High CVE-2021-21194: Use after free in screen capture. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-02-23
- Issue 1181228: Security: UAF in DesktopCapture (leecraso@gmail.com)
[$15000][1182647] High CVE-2021-21195: Use after free in V8. Reported by Bohan Liu (@P4nda20371774) and Moon Liang of Tencent Security Xuanwu Lab on 2021-02-26
- Issue 1182647: Security: Use after free in V8 (p4nda...@gmail.com)
[$10000][1175992] High CVE-2021-21196: Heap buffer overflow in TabStrip. Reported by Khalil Zhani on 2021-02-08
- Issue 1175992: Security: Heap-buffer-overflow in TabStripModel::IsTabPinned (chrom...@gmail.com)
[$TBD][1173903] High CVE-2021-21197: Heap buffer overflow in TabStrip. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-03
- Issue 1173903: Security: container-overflow in TabStrip (abalq...@microsoft.com)
[$TBD][1184399] High CVE-2021-21198: Out of bounds read in IPC. Reported by Mark Brand of Google Project Zero on 2021-03-03
- Issue 1184399: Security: Legacy ipc::Message passed via shared memory. (markbrand@google.com)

None (Friday, March 12, 2021) 5/5 bugs

[$500][1167357] High CVE-2021-21191: Use after free in WebRTC. Reported by raven (@raid_akame) on 2021-01-15
- Issue 1167357: potential uaf in rtc_peer_connection (wxhu...@gmail.com)
[$TBD][1181387] High CVE-2021-21192: Heap buffer overflow in tab groups. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-23
- Issue 1181387: Security: container-overflow in TabGroups (abalq...@microsoft.com)
[$TBD][1186287] High CVE-2021-21193: Use after free in Blink. Reported by Anonymous on 2021-03-09
- Issue 1186287 (Permission denied.)
[1187298] internal.
- Issue 1179915: heap-use-after-free : ui::EventTarget::RemovePreTargetHandler (crash...@system.gserviceaccount.com)
- Issue 1177674: Security: Site Isolation bypass after BrowsingInstance state deleted (creis@chromium.org)

None (Friday, March 5, 2021) 0/0 bugs

89.0.4389.72 (Tuesday, March 2, 2021) 46/47 bugs

[$10000][1171049] High CVE-2021-21159: Heap buffer overflow in TabStrip. Reported by Khalil Zhani on 2021-01-27
- Issue 1171049: Security: container-overflow in TabStrip::SetSelection (chrom...@gmail.com)
[$7500][1170531] High CVE-2021-21160: Heap buffer overflow in WebAudio. Reported by Marcin 'Icewall' Noga of Cisco Talos on 2021-01-25
- Issue 1170531: Talos Security Advisory for Google Chrome browser (TALOS-2021-1235) (regiw...@sourcefire.com)
[$7500][1173702] High CVE-2021-21161: Heap buffer overflow in TabStrip. Reported by Khalil Zhani on 2021-02-02
- Issue 1173702: Security: Heap buffer overflow in Tab Groups (chrom...@gmail.com)
[$5000][1172054] High CVE-2021-21162: Use after free in WebRTC. Reported by Anonymous on 2021-01-29
- Issue 1172054: UaF in WebRTC P2PSocketManagerProxy::CreateSocket (emily...@gmail.com)
[$TBD][1111239] High CVE-2021-21163: Insufficient data validation in Reader Mode. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-07-30
- Issue 1111239 (Permission denied.)
[$TBD][1164846] High CVE-2021-21164: Insufficient data validation in Chrome for iOS. Reported by Muneaki Nishimura (nishimunea) on 2021-01-11
- Issue 1164846 (Permission denied.)
[$TBD][1174582] High CVE-2021-21165: Object lifecycle issue in audio. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2021-02-04
- Issue 1174582: Security: ScriptProcessorNode allows write of Float32Array across threads (ahuff...@microsoft.com)
[$TBD][1177465] High CVE-2021-21166: Object lifecycle issue in audio. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2021-02-11
- Issue 1177465 (Permission denied.)
[$10000][1161144] Medium CVE-2021-21167: Use after free in bookmarks. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-12-22
- Issue 1161144: Security: UAF in Bookmark OpenAll (leecraso@gmail.com)
[$5000][1152226] Medium CVE-2021-21168: Insufficient policy enforcement in appcache. Reported by Luan Herrera (@lbherrera_) on 2020-11-24
- Issue 1152226: Leaking the URL of any cross-origin redirect through AppCache's network section (herre...@gmail.com)
[$5000][1166138] Medium CVE-2021-21169: Out of bounds memory access in V8. Reported by Bohan Liu (@P4nda20371774) and Moon Liang of Tencent Security Xuanwu Lab on 2021-01-13
- Issue 1166138: Security: Debug check failed: kMinCPOffset <= by (-32768 vs. -65536). (p4nda...@gmail.com)
[$3000][1111646] Medium CVE-2021-21170: Incorrect security UI in Loader. Reported by David Erceg on 2020-07-31
- Issue 1111646: Security: Possible to spoof URL after renderer crash (derce...@gmail.com)
[$3000][1152894] Medium CVE-2021-21171: Incorrect security UI in TabStrip and Navigation. Reported by Irvan Kurniawan (sourc7) on 2020-11-25
- Issue 1152894: Security: WebView and Chromium based browser Omnibar Spoofing with Race Condition (susah...@gmail.com)
[$1000][1150810] Medium CVE-2021-21172: Insufficient policy enforcement in File System API. Reported by Maciej Pulikowski on 2020-11-19
- Issue 1150810: Security: File System Access API - getFileHandle() allowing to save .lnk files (macie...@gmail.com)
[$500][1154250] Medium CVE-2021-21173: Side-channel information leakage in Network Internals. Reported by Tom Van Goethem from imec-DistriNet, KU Leuven on 2020-12-01
- Issue 1154250: Security: determining size of CORB/CORP'd cross-origin responses (tomva...@gmail.com)
[$TBD][1146651] Medium CVE-2021-21175: Inappropriate implementation in Site isolation. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-11-07
- Issue 1146651: X-Frame-Options console error leaks cross-origin redirect information to a cross-site renderer process (jun.k...@microsoft.com)
[$TBD][1170584] Medium CVE-2021-21176: Inappropriate implementation in full screen mode. Reported by Luan Herrera (@lbherrera_) on 2021-01-26
- Issue 1170584: UI/URL Spoofing by putting the page into fullscreen when a user opens the emoji dialog (herre...@gmail.com)
[$TBD][1173879] Medium CVE-2021-21177: Insufficient policy enforcement in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-03
- Issue 1173879: Security: Autofill preview suggestion value can be made to persist (abalq...@microsoft.com)
[$TBD][1174186] Medium CVE-2021-21178: Inappropriate implementation in Compositing. Reported by Japong on 2021-02-03
- Issue 1174186: CSS 3D transform intersection glitch in Chrome / Windows (jap...@gmail.com)
[$TBD][1174943] Medium CVE-2021-21179: Use after free in Network Internals. Reported by Anonymous on 2021-02-05
- Issue 1174943: uaf in DestroyURLLoader(network::cors::CorsURLLoaderFactory) (emily...@gmail.com)
[$TBD][1175507] Medium CVE-2021-21180: Use after free in tab search. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-07
- Issue 1175507: Security: heap-use-after-free in TabSearchPageHandler::CloseTab (abalq...@microsoft.com)
[$TBD][1177875] Medium CVE-2020-27844: Heap buffer overflow in OpenJPEG. Reported by Sean Campbell at Tableau on 2021-02-12
- Issue 1177875 (Permission denied.)
[$TBD][1182767] Medium CVE-2021-21181: Side-channel information leakage in autofill. Reported by Xu Lin (University of Illinois at Chicago), Panagiotis Ilia (University of Illinois at Chicago), Jason Polakis (University of Illinois at Chicago) on 2021-02-26
- Issue 1182767: Security: Amended fix for Side-channel attack against Autofill Preview (adetaylor@google.com)
[$1000][1049265] Low CVE-2021-21182: Insufficient policy enforcement in navigations. Reported by Luan Herrera (@lbherrera_) on 2020-02-05
- Issue 1049265: Extensions with no special privileges are allowed to navigate to devtools:// scheme pages. (herre...@gmail.com)
[$1000][1105875] Low CVE-2021-21183: Inappropriate implementation in performance APIs. Reported by Takashi Yoneuchi (@y0n3uchy) on 2020-07-15
- Issue 1105875: Security: XS-Leak with Resource Timing API and CSP Embedded Enforcement (takas...@shift-js.info)
[$1000][1131929] Low CVE-2021-21184: Inappropriate implementation in performance APIs. Reported by James Hartig on 2020-09-24
- Issue 1131929: [Resource Timing] Missing PerformanceResourceTiming entries for iframe Requests that don't receive a Response (faste...@gmail.com)
[$TBD][1100748] Low CVE-2021-21185: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-06-30
- Issue 1100748: Security: Possible for extensions to access chrome.cloudPrintPrivate API (derce...@gmail.com)
[$TBD][1153445] Low CVE-2021-21186: Insufficient policy enforcement in QR scanning. Reported by dhirajkumarnifty on 2020-11-28
- Issue 1153445 (Permission denied.)
[$TBD][1155516] Low CVE-2021-21187: Insufficient data validation in URL formatting. Reported by Kirtikumar Anandrao Ramchandani on 2020-12-04
- Issue 1155516 (Permission denied.)
[$N/A][1161739] Low CVE-2021-21188: Use after free in Blink. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2020-12-24
- Issue 1161739: Security: UAP in animate (rapid...@gmail.com)
[$TBD][1165392] Low CVE-2021-21189: Insufficient policy enforcement in payments. Reported by Khalil Zhani on 2021-01-11
- Issue 1165392 (Permission denied.)
[$TBD][1166091] Low CVE-2021-21190: Uninitialized Use in PDFium. Reported by Zhou Aiting(@zhouat1) of Qihoo 360 Vulcan Team on 2021-01-13
- Issue 1166091: Security: Use of conditionally uninitialised stack variable may leak stack state (zhoua...@gmail.com)
[1183883] internal.
- Issue 1180871: Heap-use-after-free in storage::DataPipeTransportStrategy::OnDataPipeReadable (ClusterFuzz)
- Issue 1177593: heap-buffer-overflow : blink::H264Encoder::EncodeOnEncodingTaskRunner (crash...@system.gserviceaccount.com)
- Issue 1163122: Security: /run/arc/host_generated allows chronos to configure any Android system properties (jorgelo@chromium.org)
- Issue 1175975: WebCodecs VideoFrame allows tainting bypass for ImageBitmaps. (dalec...@chromium.org)
- Issue 1167277: Lacros 3D Canvas can leak outside of iFrame (petermcneeley@chromium.org)
- Issue 1161048: Upgrade SQLite to 3.34.0 (huangdarwin@chromium.org)
- Issue 1146813: Crash in v8::internal::Builtins::builtin_handle (ClusterFuzz)
- Issue 1146319 (Permission denied.)
- Issue 1142712: heap-use-after-free : base::ReleaseHelper<content::IndexedDBContextImpl>::DoRelease (crash...@system.gserviceaccount.com)
- Issue 1062941: libyuv_scale_fuzzer: Heap-buffer-overflow in ScaleFilterCols_16_C (ClusterFuzz)
- Issue 1164055: Security: Blink web_test fonts unowned (adetaylor@google.com)
- Issue 1162123: heap-use-after-free : web_app::WebAppMetrics::~WebAppMetrics (crash...@system.gserviceaccount.com)
- Issue 1155710: Iterating a directory with the File System Access API does not check current permissions. (mek@chromium.org)
- Issue 1099985: Heap-use-after-free for desks widget in bool ui::PropertyHandler::GetProperty<bool> (ClusterFuzz)

None (Monday, February 22, 2021) 0/0 bugs

None (Tuesday, February 16, 2021) 10/10 bugs

[$20000][1138143] High CVE-2021-21149: Stack overflow in Data Transfer. Reported by Ryoya Tsukasaki on 2020-10-14
- Issue 1138143: segmentation fault in mojom::clipboard (work3...@gmail.com)
[$20000][1172192] High CVE-2021-21150: Use after free in Downloads. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2021-01-29
- Issue 1172192: Security: UAF in Drag and Drop Download (rapid...@gmail.com)
[$15000][1165624] High CVE-2021-21151: Use after free in Payments. Reported by Khalil Zhani on 2021-01-12
- Issue 1165624: Security: UaF in chrome!payments::PaymentRequestSheetController::UpdateHeaderView (chrom...@gmail.com)
[$5000][1166504] High CVE-2021-21152: Heap buffer overflow in Media. Reported by Anonymous on 2021-01-14
- Issue 1166504: heap bufferoverflow in VideoFrameYUVConverter (emily...@gmail.com)
[$1000][1155974] High CVE-2021-21153: Stack overflow in GPU Process. Reported by Jan Ruge of ERNW GmbH on 2020-12-06
- Issue 1155974: Security: WebGL Shader Stack Exhaustion leading to PC control in llvmpipe (jan.s...@gmail.com)
[$TBD][1173269] High CVE-2021-21154: Heap buffer overflow in Tab Strip . Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-01
- Issue 1173269: Security: heap-buffer-overflow in TabStripModel (abalq...@microsoft.com)
[$TBD][1175500] High CVE-2021-21155: Heap buffer overflow in Tab Strip . Reported by Khalil Zhani on 2021-02-07
- Issue 1175500: Security: Heap-buffer-overflow in TabStripModel::GroupTab (Windows-only) (chrom...@gmail.com)
[$TBD][1177341] High CVE-2021-21156: Heap buffer overflow in V8. Reported by Sergei Glazunov of Google Project Zero on 2021-02-11
- Issue 1177341: Security: Insufficient fix for CVE-2021-21148 (glazunov@google.com)
[$TBD][1170657] Medium CVE-2021-21157: Use after free in Web Sockets. Reported by Anonymous on 2021-01-26
- Issue 1170657: use after poison in DOMWebSocket (nekla...@gmail.com)
[1178973] internal.
- Issue 1171954: DCHECK failure in other->values_[index] != builder()->jsgraph()->OptimizedOutConstant() in bytecod (ClusterFuzz)

None (Thursday, February 4, 2021) 1/1 bugs

[$TBD][1170176] High CVE-2021-21148: Heap buffer overflow in V8. Reported by Mattias Buelens on 2021-01-24
- Issue 1170176 (Permission denied.)

None (Tuesday, February 2, 2021) 8/6 bugs

[$20000][1169317] Critical CVE-2021-21142: Use after free in Payments . Reported by Khalil Zhani on 2021-01-21
- Issue 1169317: Security: UaF in payments::SecurePaymentConfirmationAppFactory (chrom...@gmail.com)
[$10000][1163504] High CVE-2021-21143: Heap buffer overflow in Extensions. Reported by Allen Parker & Alex Morgan of MU on 2021-01-06
- Issue 1163504: Security: heap-buffer-overflow in extension (gambi...@gmail.com)
[$10000][1163845] High CVE-2021-21144: Heap buffer overflow in Tab Groups. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-01-07
- Issue 1163845: Security: HeapOverflow in TabStripModel (leecraso@gmail.com)
[$7500][1154965] High CVE-2021-21145: Use after free in Fonts. Reported by Anonymous on 2020-12-03
- Issue 1154965 (Permission denied.)
[$TBD][1161705] High CVE-2021-21146: Use after free in Navigation. Reported by Alison Huffman and Choongwoo Han of Microsoft Browser Vulnerability Research on 2020-12-24
- Issue 1161705: Security: heap-user-after-free in SearchTabHelper::DidStartNavigation (ahuff...@microsoft.com)
[$5000][1162942] Medium CVE-2021-21147: Inappropriate implementation in Skia. Reported by Roman Starkov on 2021-01-04
- Issue 1162942: Security: website is able to draw over protected UI elements (URL, padlock, tab list, titlebar) using 3D CSS transforms (rstar...@gmail.com)
[1154775] internal.
- Issue 1147357: Heap-use-after-free in blink::NGContainerFragmentBuilder::MoveOutOfFlowDescendantCandidatesToDescendant (ClusterFuzz)
- Issue 1146861: DCHECK failure in dst.low_gp() != lhs.high_gp() in liftoff-assembler-arm.h (ClusterFuzz)

None (Tuesday, January 19, 2021) 36/36 bugs

[$30000][1137179] Critical CVE-2021-21117: Insufficient policy enforcement in Cryptohome. Reported by Rory McNamara on 2020-10-10
- Issue 1137179: Security: Root priv escalation through cryptohomed, imageburner, arc-obb-mounter (rory@rorym.cnamara.com)
[$16000][1161357] High CVE-2021-21118: Insufficient data validation in V8. Reported by Tyler Nighswander (@tylerni7) of Theori on 2020-12-23
- Issue 1161357: Security: Debug check failed: code == topmost_ implies safe_to_deopt_ (tyler...@gmail.com)
[$5000][1160534] High CVE-2021-21119: Use after free in Media. Reported by Anonymous on 2020-12-20
- Issue 1160534 (Permission denied.)
[$5000][1160602] High CVE-2021-21120: Use after free in WebSQL. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2020-12-21
- Issue 1160602: Security: Use After Free in WebSQL (etern...@gmail.com)
[$5000][1161143] High CVE-2021-21121: Use after free in Omnibox. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-12-22
- Issue 1161143: Security: UAF in LocationBar (leecraso@gmail.com)
[$5000][1162131] High CVE-2021-21122: Use after free in Blink. Reported by Renata Hodovan on 2020-12-28
- Issue 1162131: Security: heap-use-after-free in IsBox (hodov...@gmail.com)
[$1000][1137247] High CVE-2021-21123: Insufficient data validation in File System API. Reported by Maciej Pulikowski on 2020-10-11
- Issue 1137247: Security: Spoofing download filename extension in 86 chrome - showSaveFilePicker (macie...@gmail.com)
[$N/A][1131346] High CVE-2021-21124: Potential user after free in Speech Recognizer. Reported by Chaoyang Ding(@V4kst1z) from Codesafe Team of Legendsec at Qi'anxin Group on 2020-09-23
- Issue 1131346: Potential UAF in Speech Recognizer (dcyd...@gmail.com)
[$N/A][1152327] High CVE-2021-21125: Insufficient policy enforcement in File System API. Reported by Ron Masas (Imperva) on 2020-11-24
- Issue 1152327: Security: File System Access API & Symlinks (ronma...@gmail.com)
[$N/A][1163228] High CVE-2020-16044: Use after free in WebRTC. Reported by Ned Williamson of Project Zero on 2021-01-05
- Issue 1163228 (Permission denied.)
[$3000][1108126] Medium CVE-2021-21126: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-07-22
- Issue 1108126: Security: Chrome Apps can access chrome.storage for other extensions via webview (derce...@gmail.com)
[$3000][1115590] Medium CVE-2021-21127: Insufficient policy enforcement in extensions. Reported by Jasminder Pal Singh, Web Services Point WSP, Kotkapura on 2020-08-12
- Issue 1115590: CSP Bypass via Chrome Extension (ghuli...@gmail.com)
[$2000][1138877] Medium CVE-2021-21128: Heap buffer overflow in Blink. Reported by Liang Dong on 2020-10-15
- Issue 1138877: Security: heap-buffer-overflow in window.find (liangdong46@gmail.com)
[$1000][1140403] Medium CVE-2021-21129: Insufficient policy enforcement in File System API. Reported by Maciej Pulikowski on 2020-10-20
- Issue 1140403: Security: Hide real extension of file by many white spaces - showSaveFilePicker (macie...@gmail.com)
[$1000][1140410] Medium CVE-2021-21130: Insufficient policy enforcement in File System API. Reported by Maciej Pulikowski on 2020-10-20
- Issue 1140410: Security: Hide real extension of file by RTL - showSaveFilePicker (macie...@gmail.com)
[$1000][1140417] Medium CVE-2021-21131: Insufficient policy enforcement in File System API. Reported by Maciej Pulikowski on 2020-10-20
- Issue 1140417: Security: showSaveFilePicker allowing to save .lnk and .local files on windows! (macie...@gmail.com)
[$TBD][1128206] Medium CVE-2021-21132: Inappropriate implementation in DevTools. Reported by David Erceg on 2020-09-15
- Issue 1128206: Security: Possible for extension to escape sandbox via devtools_page and intentionally crashed renderer (derce...@gmail.com)
[$TBD][1157743] Medium CVE-2021-21133: Insufficient policy enforcement in Downloads. Reported by wester0x01(https://twitter.com/wester0x01) on 2020-12-11
- Issue 1157743 (Permission denied.)
[$TBD][1157800] Medium CVE-2021-21134: Incorrect security UI in Page Info. Reported by wester0x01(https://twitter.com/wester0x01) on 2020-12-11
- Issue 1157800 (Permission denied.)
[$TBD][1157818] Medium CVE-2021-21135: Inappropriate implementation in Performance API. Reported by ndevtk on 2020-12-11
- Issue 1157818: performance API reveals information about redirects (XS-Leak) (terjanq@google.com)
[$2000][1038002] Low CVE-2021-21136: Insufficient policy enforcement in WebView. Reported by Shiv Sahni, Movnavinothan V and Imdad Mohammed on 2019-12-27
- Issue 1038002: Unintended Data Leakage Through HTTP Request Headers (shivs...@gmail.com)
[$500][1093791] Low CVE-2021-21137: Inappropriate implementation in DevTools. Reported by bobblybear on 2020-06-11
- Issue 1093791: Security: Chrome's insecure construction of curl commands allows untrusted websites to retrieve local files from the user's system (paulm...@gmail.com)
[$500][1122487] Low CVE-2021-21138: Use after free in DevTools. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2020-08-27
- Issue 1122487: UAF in devtools (merc....@gmail.com)
[$N/A][937131] Low CVE-2021-21139: Inappropriate implementation in iframe sandbox. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-03-01
- Issue 937131: Feature Policy 'allow' attribute can override top-level policy in frames (jun.k...@microsoft.com)
[$N/A][1136327] Low CVE-2021-21140: Uninitialized Use in USB. Reported by David Manouchehri on 2020-10-08
- Issue 1136327: Security: Use of use-of-uninitialized-value in UsbDeviceHandleUsbfs (da...@davidmanouchehri.com)
[$N/A][1140435] Low CVE-2021-21141: Insufficient policy enforcement in File System API. Reported by Maciej Pulikowski on 2020-10-20
- Issue 1140435: Security: showSaveFilePicker allowing to save file extension with space at the end - cannot delete file on windows (macie...@gmail.com)
[1168217] internal.
- Issue 1162198: heap-use-after-free : mojo::core::NodeController::DropPeer (crash...@system.gserviceaccount.com)
- Issue 1161654: v8_wasm_fuzzer: DCHECK failure in has(reg.low()) == has(reg.high()) in liftoff-register.h (ClusterFuzz)
- Issue 1156904: Security DCHECK failure: IsA<Derived>(from) in casting.h (ClusterFuzz)
- Issue 1153329 (Permission denied.)
- Issue 1142069: heap-use-after-free : content::DownloadManagerImpl::GetDownload (crash...@system.gserviceaccount.com)
- Issue 1097499: pdf_scanlinecompositor_fuzzer: Crash in GetAlphaWithSrc (ClusterFuzz)
- Issue 1145906: heap-use-after-free : ProfileInfoCache::NotifyProfileAuthInfoChanged (crash...@system.gserviceaccount.com)
- Issue 1144646: NAT Slipstream: Overlong usernames in TURN credentials (hta@chromium.org)
- Issue 1135835: DialURLFetcher::Start may bypass Sec-Fetch-Site (lukasza@chromium.org)
- Issue 1135594: Security: woff2 missing upstream fix for integer overflow (adetaylor@google.com)

None (Wednesday, January 6, 2021) 16/16 bugs

[$20000][1148749] High CVE-2021-21106: Use after free in autofill. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2020-11-13
- Issue 1148749: Double free/UAF in RegionDataLoaderImpl::DeleteThis (merc....@gmail.com)
[$20000][1153595] High CVE-2021-21107: Use after free in drag and drop. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-11-30
- Issue 1153595: Security: UAF in Drag-and-drop (leecraso@gmail.com)
[$20000][1155426] High CVE-2021-21108: Use after free in media. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-12-04
- Issue 1155426: Security: UAF in MediaStreamCapture (leecraso@gmail.com)
[$15000][1152334] High CVE-2021-21109: Use after free in payments. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2020-11-24
- Issue 1152334: Security: UAF in PaymentResponseHelper::GeneratePaymentResponse (jtrro...@gmail.com)
[$15000][1152451] High CVE-2021-21110: Use after free in safe browsing. Reported by Anonymous on 2020-11-24
- Issue 1152451 (Permission denied.)
[$7500][1149125] High CVE-2021-21111: Insufficient policy enforcement in WebUI. Reported by Alesandro Ortiz on 2020-11-15
- Issue 1149125: Security: Some WebUI pages enable MojoJS bindings for the subsequently-navigated site (alesa...@alesandroortiz.com)
[$7500][1151298] High CVE-2021-21112: Use after free in Blink. Reported by YoungJoo Lee(@ashuu_lee) of Raon Whitehat on 2020-11-20
- Issue 1151298: Security: Use-After-Free in DeflateTransformer (borig...@gmail.com)
[$6000][1155178] High CVE-2021-21113: Heap buffer overflow in Skia. Reported by tsubmunu on 2020-12-03
- Issue 1155178: Security: Skia GPU bug (adetaylor@google.com)
[$N/A][1148309] High CVE-2020-16043: Insufficient data validation in networking. Reported by Samy Kamkar, Ben Seri at Armis, Gregory Vishnepolsky at Armis on 2020-11-12
- Issue 1148309 (Permission denied.)
[$N/A][1150065] High CVE-2021-21114: Use after free in audio. Reported by Man Yue Mo of GitHub Security Lab on 2020-11-17
- Issue 1150065: UaF in AudioHandler::ProcessIfNecessary (rtoy@chromium.org)
[$TBD][1157790] High CVE-2020-15995: Out of bounds write in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2020-12-11
- Issue 1157790: Security: Out of Bounds in V8 (p4nda...@gmail.com)
[$TBD][1157814] High CVE-2021-21115: Use after free in safe browsing. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-12-11
- Issue 1157814: Security: UAF in PasswordProtectionRequest (leecraso@gmail.com)
[$N/A][1151069] Medium CVE-2021-21116: Heap buffer overflow in audio. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-11-19
- Issue 1151069: Security: heap-buffer-overflow in AudioWorkletProcessor::CopyParamValueMapToObject (ahuff...@microsoft.com)
[1163626] internal.

None (Wednesday, December 2, 2020) 8/8 bugs

[$5000][1142331] High CVE-2020-16037: Use after free in clipboard. Reported by Ryoya Tsukasaki on 2020-10-26
- Issue 1142331: Security: use-after-poison in blink::FileReaderLoader::OnReceivedData (work3...@gmail.com)
[$TBD][1138683] High CVE-2020-16038: Use after free in media. Reported by Khalil Zhani on 2020-10-14
- Issue 1138683: Security: Use-after-free in MediaStreamCaptureIndicator::WebContentsDeviceUsage::AddDevices() (chrom...@gmail.com)
[$TBD][1149177] High CVE-2020-16039: Use after free in extensions. Reported by Anonymous on 2020-11-15
- Issue 1149177 (Permission denied.)
[$TBD][1150649] High CVE-2020-16040: Insufficient data validation in V8. Reported by Lucas Pinheiro, Microsoft Browser Vulnerability Research on 2020-11-19
- Issue 1150649: DCHECK failure in 0 <= length && length <= kMaxSafeInteger in builtins-array.cc (lupin...@microsoft.com)
[$TBD][1151865] Medium CVE-2020-16041: Out of bounds read in networking. Reported by Sergei Glazunov and Mark Brand of Google Project Zero on 2020-11-23
- Issue 1151865: Security: OOB-read in network DataElement struct traits. (markbrand@google.com)
[$TBD][1151890] Medium CVE-2020-16042: Uninitialized Use in V8. Reported by André Bargull on 2020-11-23
- Issue 1151890: Security: Uninitialised memory read with BigInt right-shift (andre...@googlemail.com)
[1154775] internal.
- Issue 1147357 (Permission denied.)
- Issue 1146861 (Permission denied.)

None (Tuesday, November 17, 2020) 33/33 bugs

[$TBD][1136078] High CVE-2020-16018: Use after free in payments. Reported by Man Yue Mo of GitHub Security Lab on 2020-10-07
- Issue 1136078: UaF in PaymentCredential::DidDownloadFavicon (m...@semmle.com)
[$TBD][1139408] High CVE-2020-16019: Inappropriate implementation in filesystem. Reported by Rory McNamara on 2020-10-16
- Issue 1139408: arc-media-removable-{read,write} are not using noexec (jorgelo@chromium.org)
[$TBD][1139411] High CVE-2020-16020: Inappropriate implementation in cryptohome. Reported by Rory McNamara on 2020-10-16
- Issue 1139411: Security: cryptohomed skeleton copy can be raced to chown things to user chronos (jorgelo@chromium.org)
[$TBD][1139414] High CVE-2020-16021: Race in ImageBurner. Reported by Rory McNamara on 2020-10-16
- Issue 1139414: Security: imageburner path check can be raced (jorgelo@chromium.org)
[$TBD][1145680] High CVE-2020-16022: Insufficient policy enforcement in networking. Reported by @SamyKamkar on 2020-11-04
- Issue 1145680: Ports 5060 and 5061 should be blocked (ricea@chromium.org)
[$TBD][1146673] High CVE-2020-16015: Insufficient data validation in WASM. Reported by Rong Jian and Leecraso of 360 Alpha Lab on 2020-11-07
- Issue 1146673: Security: type confusion in wasm cache (wfh@chromium.org)
[$TBD][1146675] High CVE-2020-16014: Use after free in PPAPI. Reported by Rong Jian and Leecraso of 360 Alpha Lab on 2020-11-07
- Issue 1146675: Security: UAF in PepperFileIOHost (wfh@chromium.org)
[$7500+$7500][1146761] High CVE-2020-16023: Use after free in WebCodecs. Reported by Brendon Tiszka and David Manouchehri supporting the @eff on 2020-11-07
- Issue 1146761: Security: UAF in ImageDecoderExternal due to ArrayBuffer Neuter (btiszka@gmail.com)
[$NA][1147430] High CVE-2020-16024: Heap buffer overflow in UI. Reported by Sergei Glazunov of Google Project Zero on 2020-11-10
- Issue 1147430: Security: Heap-buffer-overflow in SkBitmapOperations::UnPreMultiply (glazunov@google.com)
[$NA][1147431] High CVE-2020-16025: Heap buffer overflow in clipboard. Reported by Sergei Glazunov of Google Project Zero on 2020-11-10
- Issue 1147431: Security: Heap-buffer-overflow in ClipboardWin::WriteBitmap (glazunov@google.com)
[$7500][1139153] Medium CVE-2020-16026: Use after free in WebRTC. Reported by Jong-Gwon Kim (kkwon) on 2020-10-16
- Issue 1139153: Security: Heap-use-after-free in WebRTC (kkwon...@gmail.com)
[$5000][1116444] Medium CVE-2020-16027: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-08-14
- Issue 1116444: Security: Extensions can capture contents of local files using Page.captureScreenshot (derce...@gmail.com)
[$5000][1138446] Medium CVE-2020-16028: Heap buffer overflow in WebRTC. Reported by asnine on 2020-10-14
- Issue 1138446: Security: webrtc container-overflow in the browser process (0xasn...@gmail.com)
[$3000][1134338] Medium CVE-2020-16029: Inappropriate implementation in PDFium. Reported by Anonymous on 2020-10-01
- Issue 1134338: Security: Incorrect Handling of XFrameOptions with mailMsg in the PDF Viewer (chama...@gmail.com)
[$3000][1141350] Medium CVE-2020-16030: Insufficient data validation in Blink. Reported by Michał Bentkowski of Securitum on 2020-10-22
- Issue 1141350: Security: Yet another universal XSS via copy&paste (mic...@bentkowski.info)
[$1000][945997] Medium CVE-2019-8075: Insufficient data validation in Flash. Reported by Nethanel Gelernter, Cyberpion (https://www.cyberpion.com) on 2019-03-26
- Issue 945997 (Permission denied.)
[$500][1133183] Medium CVE-2020-16031: Incorrect security UI in tab preview. Reported by wester0x01(https://twitter.com/wester0x01) on 2020-09-29
- Issue 1133183: Incorrect Security UI when using Tab preview (zyzen...@gmail.com)
[$500][1136714] Medium CVE-2020-16032: Incorrect security UI in sharing. Reported by wester0x01(https://twitter.com/wester0x01) on 2020-10-09
- Issue 1136714: Incorrect security UI at screen share API (zyzen...@gmail.com)
[$500][1143057] Medium CVE-2020-16033: Incorrect security UI in WebUSB. Reported by Khalil Zhani on 2020-10-28
- Issue 1143057: Security: WebUSB permission dialog can appear over the wrong tab (chrom...@gmail.com)
[$TBD][1137362] Medium CVE-2020-16034: Inappropriate implementation in WebRTC. Reported by vvmute (Benjamin Petermaier) on 2020-10-12
- Issue 1137362: Security: Chrome Browser Policy Bypass "Allow invocation of file selection dialogs" (benj...@gmail.com)
[$TBD][1139409] Medium CVE-2020-16035: Insufficient data validation in cros-disks. Reported by Rory McNamara on 2020-10-16
- Issue 1139409: Security: cros-disks will mount local loop devices (jorgelo@chromium.org)
[$5000][1088224] Low CVE-2020-16012: Side-channel information leakage in graphics. Reported by Aleksejs Popovs on 2020-05-30
- Issue 1088224: Security: drawImage timing depends on alpha-channel value, allowing to read cross-origin images (aleks...@popovs.lv)
[$500][830808] Low CVE-2020-16036: Inappropriate implementation in cookies. Reported by Jun Kokatsu (@shhnjk) on 2018-04-09
- Issue 830808 (Permission denied.)
[1149434] internal.
- Issue 1140197: Security: Apply fix for freetype heap buffer overflow to Chrome OS (mnissler@chromium.org)
- Issue 1142020: heap-buffer-overflow : gfx::internal::StyleIterator::GetTextBreakingRange (crash...@system.gserviceaccount.com)
- Issue 1140949: CrOS: Vulnerability reported in net-wireless/bluez (vomit...@appspot.gserviceaccount.com)
- Issue 1137603: Heap-use-after-free in blink::PropertyTreeStateOrAlias::Unalias (ClusterFuzz)
- Issue 1133047: Security: arc-setup should validate /run/arc/oem/etc/media_profiles.xml is not a symlink (kerrnel@chromium.org)
- Issue 1133009: Security: login_manager symlink attack (kerrnel@chromium.org)
- Issue 1127595: Chromium: Vulnerability reported in third_party/libxml (vomit...@appspot.gserviceaccount.com)
- Issue 1146025: Content-Security-Policy headers are lost when the page is restored from bfcache (altimin@chromium.org)
- Issue 1123035 (Permission denied.)
- Issue 1055608 (Permission denied.)

86.0.4240.198 (Wednesday, November 11, 2020) 2/2 bugs

[$TBD][1147206] High CVE-2020-16013: Inappropriate implementation in V8. Reported by Anonymous on 2020-11-09
- Issue 1147206 (Permission denied.)
[$TBD][1146709] High CVE-2020-16017: Use after free in site isolation. Reported by Anonymous on 2020-11-07
- Issue 1146709: Security: Browser UAF when detaching a provisional frame (dcheng@chromium.org)

86.0.4240.193 (Monday, November 9, 2020) 1/1 bugs

[$N/A][1146679] High CVE-2020-16016: Inappropriate implementation in base. Reported by Rong Jian and Leecraso of 360 Alpha Lab on 2020-11-07
- Issue 1146679: Security: WeakPtr checks are optimized out (adetaylor@google.com)

86.0.4240.183 (Monday, November 2, 2020) 9/10 bugs

[$15000][1138911] High CVE-2020-16004: Use after free in user interface. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-10-15
- Issue 1138911: Security: UAF in TabStrip (leecraso@gmail.com)
[$15000][1139398] High CVE-2020-16005: Insufficient policy enforcement in ANGLE. Reported by Jaehun Jeong(@n3sk) of Theori on 2020-10-16
- Issue 1139398: Security: [ANGLE] Invalid memory access in libglesv2!rx::IndexDataManager::streamIndexData (n...@nesk.kr)
[$5000][1133527] High CVE-2020-16006: Inappropriate implementation in V8. Reported by Bill Parks on 2020-09-29
- Issue 1133527: Security: Debug check failed: IsFound() || !holder_->HasFastProperties(isolate_) (albnt...@gmail.com)
[$1000][1125018] High CVE-2020-16007: Insufficient data validation in installer. Reported by Abdelhamid Naceri (halov) on 2020-09-04
- Issue 1125018: Arbitrary file deletion in google chrome updater in master/chrome/updater/installer.cc (ve23h...@gmail.com)
[$TBD][1134107] High CVE-2020-16008: Stack buffer overflow in WebRTC. Reported by Tolya Korniltsev on 2020-10-01
- Issue 1134107: Security: stack buffer overflow write in RtcEventLogEncoderLegacy::EncodeRtcpPacket (korni...@gmail.com)
[$NA][1143772] High CVE-2020-16009: Inappropriate implementation in V8. Reported by Clement Lecigne of Google's Threat Analysis Group and Samuel Groß of Google Project Zero on 2020-10-29
- Issue 1143772: Security: V8: Turbofan fails to deoptimize code after map deprecation, leading to type confusion (saelo@google.com)
[$NA][1144489] High CVE-2020-16011: Heap buffer overflow in UI on Windows. Reported by Sergei Glazunov of Google Project Zero on 2020-11-01
- Issue 1144489: Security: OSExchangeDataProviderWin::SetDragImage (adetaylor@google.com)
[1144284] internal.
- Issue 1140549: v8_wasm_compile_fuzzer: DCHECK failure in src.is_byte_register() in assembler-ia32.cc (ClusterFuzz)
- Issue 1137608: v8_wasm_compile_fuzzer: DCHECK failure in 0 <= offset in assembler-arm.cc (ClusterFuzz)

86.0.4240.111 (Tuesday, October 20, 2020) 5/0 bugs

[$500][1125337] High CVE-2020-16000: Inappropriate implementation in Blink. Reported by amaebi_jp on 2020-09-06
- Issue 1125337: Portrait photos (taken by Pixel3aXL) with EXIF crash on Desktop (zubor...@gmail.com)
[$TBD][1135018] High CVE-2020-16001: Use after free in media. Reported by Khalil Zhani on 2020-10-05
- Issue 1135018: Security: UaF in TabSharingUI (chrom...@gmail.com)
[$TBD][1137630] High CVE-2020-16002: Use after free in PDFium. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2020-10-13
- Issue 1137630: Security: PDFium heap-use-after-free in CPWL_ListBox::~CPWL_ListBox() (merc....@gmail.com)
[$NA][1139963] High CVE-2020-15999: Heap buffer overflow in Freetype. Reported by Sergei Glazunov of Google Project Zero on 2020-10-19
- Issue 1139963: Security: Heap buffer overflow due to integer truncation in FreeType (glazunov@google.com)
[$3000][1134960] Medium CVE-2020-16003: Use after free in printing. Reported by Khalil Zhani on 2020-10-04
- Issue 1134960: Security: Use-after-free with using print dialog (chrom...@gmail.com)

None (Monday, October 12, 2020) 0/0 bugs

86.0.4240.75 (Tuesday, October 6, 2020) 38/35 bugs

[$N/A][1127322] Critical CVE-2020-15967: Use after free in payments. Reported by Man Yue Mo of GitHub Security Lab on 2020-09-11
- Issue 1127322: UaF in ServiceWorkerPaymentApp (m...@semmle.com)
[$5000][1126424] High CVE-2020-15968: Use after free in Blink. Reported by Anonymous on 2020-09-09
- Issue 1126424 (Permission denied.)
[$500][1124659] High CVE-2020-15969: Use after free in WebRTC. Reported by Anonymous on 2020-09-03
- Issue 1124659 (Permission denied.)
[$N/A][1108299] High CVE-2020-15970: Use after free in NFC. Reported by Man Yue Mo of GitHub Security Lab on 2020-07-22
- Issue 1108299: UaF in NFCHost::GetNFC (m...@semmle.com)
[$N/A][1114062] High CVE-2020-15971: Use after free in printing. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-08-07
- Issue 1114062: heap-use-after-free in is_null (jun.k...@microsoft.com)
[$TBD][1115901] High CVE-2020-15972: Use after free in audio. Reported by Anonymous on 2020-08-13
- Issue 1115901 (Permission denied.)
[$TBD][1133671] High CVE-2020-15990: Use after free in autofill. Reported by Rong Jian and Guang Gong of Alpha Lab, Qihoo 360 on 2020-09-30
- Issue 1133671: Security: UAF in AutofillPopupControllerImpl::HandleKeyPressEvent (jtrro...@gmail.com)
[$TBD][1133688] High CVE-2020-15991: Use after free in password manager. Reported by Rong Jian and Guang Gong of Alpha Lab, Qihoo 360 on 2020-09-30
- Issue 1133688: Security: UAF in PasswordGenerationPopupControllerImpl::HandleKeyPressEvent (jtrro...@gmail.com)
[$15000][1106890] Medium CVE-2020-15973: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-07-17
- Issue 1106890: Security: Possible for apps to access http/https sites outside of a webview context via blob URLs (derce...@gmail.com)
[$7500][1104103] Medium CVE-2020-15974: Integer overflow in Blink. Reported by Juno Im (junorouse) of Theori on 2020-07-10
- Issue 1104103: Security: Insufficient data validation in deserialize TransformStream (junor...@gmail.com)
[$7500][1110800] Medium CVE-2020-15975: Integer overflow in SwiftShader. Reported by Anonymous on 2020-07-29
- Issue 1110800 (Permission denied.)
[$7500][1123522] Medium CVE-2020-15976: Use after free in WebXR. Reported by YoungJoo Lee(@ashuu_lee) of Raon Whitehat on 2020-08-31
- Issue 1123522: Security: Use-After-Poison in XRFrameProvider (borig...@gmail.com)
[$5000][1083278] Medium CVE-2020-6557: Inappropriate implementation in networking. Reported by Matthias Gierlings and Marcus Brinkmann (NDS Ruhr-University Bochum) on 2020-05-15
- Issue 1083278 (Permission denied.)
[$5000][1097724] Medium CVE-2020-15977: Insufficient data validation in dialogs. Reported by Narendra Bhati (https://twitter.com/imnarendrabhati) on 2020-06-22
- Issue 1097724 (Permission denied.)
[$5000][1116280] Medium CVE-2020-15978: Insufficient data validation in navigation. Reported by Luan Herrera (@lbherrera_) on 2020-08-14
- Issue 1116280: Self-XSS / Crash via window.open and delayed navigation (herre...@gmail.com)
[$5000][1127319] Medium CVE-2020-15979: Inappropriate implementation in V8. Reported by Avihay Cohen @ SeraphicAlgorithms on 2020-09-11
- Issue 1127319: Security: Debug check failed: IrOpcode::IsInlineeOpcode(node->opcode()). (b3nd3...@gmail.com)
[$3000][1092453] Medium CVE-2020-15980: Insufficient policy enforcement in Intents. Reported by Yongke Wang(@Rudykewang) and Aryb1n(@aryb1n) of Tencent Security Xuanwu Lab (腾讯安全玄武实验室） on 2020-06-08
- Issue 1092453: Restrictions on navigation to the content scheme can be bypassed on Android (mbarb...@chromium.org)
[$3000][1123023] Medium CVE-2020-15981: Out of bounds read in audio. Reported by Christoph Guttandin on 2020-08-28
- Issue 1123023: Web Audio DelayNode of an OfflineAudioContext adds one sample to the delay. (chris...@gmail.com)
[$2000][1039882] Medium CVE-2020-15982: Side-channel information leakage in cache. Reported by Luan Herrera (@lbherrera_) on 2020-01-07
- Issue 1039882: Leaking size of cross-origin resource by caching it twice (herre...@gmail.com)
[$N/A][1076786] Medium CVE-2020-15983: Insufficient data validation in webUI. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-04-30
- Issue 1076786: Script Gadgets in chrome://oobe and chrome://assistant-optin through Polymer (jun.k...@microsoft.com)
[$TBD][1080395] Medium CVE-2020-15984: Insufficient policy enforcement in Omnibox. Reported by Rayyan Bijoora on 2020-05-07
- Issue 1080395: Android/iOS: URL spoofing using long sub-domain for blob:URL (rayya...@gmail.com)
[$N/A][1099276] Medium CVE-2020-15985: Inappropriate implementation in Blink. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2020-06-25
- Issue 1099276: Security: Cursor hijacking mitigation bypass (abalq...@microsoft.com)
[$N/A][1100247] Medium CVE-2020-15986: Integer overflow in media. Reported by Mark Brand of Google Project Zero on 2020-06-29
- Issue 1100247: Security: Potential UAF in AndroidCdmFactory (markbrand@google.com)
[$N/A][1127774] Medium CVE-2020-15987: Use after free in WebRTC. Reported by Philipp Hancke on 2020-09-14
- Issue 1127774 (Permission denied.)
[$N/A][1110195] Medium CVE-2020-15992: Insufficient policy enforcement in networking. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-07-28
- Issue 1110195: Security: Method field allows injection of HTTP requests (ahuff...@microsoft.com)
[$500][1092518] Low CVE-2020-15988: Insufficient policy enforcement in downloads. Reported by Samuel Attard on 2020-06-08
- Issue 1092518: Security: OpenFileViaShell may open executables in the same directory with similar filenames unexpectedly (samue...@gmail.com)
[$N/A][1108351] Low CVE-2020-15989: Uninitialized Use in PDFium. Reported by Gareth Evans (Microsoft) on 2020-07-22
- Issue 1108351: Security: Use of conditionally uninitialised stack variable may leak stack state (garet...@microsoft.com)
[1135164] internal.
- Issue 1128657: audio.captureStream() may allow cross-origin resource theft (cassew@google.com)
- Issue 1127496: Security: Screen share clickjacking secondary issue (adetaylor@chromium.org)
- Issue 1125199: heap-use-after-free : content::WebContentsImpl::SetNotWaitingForResponse (crash...@system.gserviceaccount.com)
- Issue 1107824: Security: 'unsafe-eval' in CSP is not properly enforced for default-src 'self' (terjanq@google.com)
- Issue 1106091: Security: Sending uninitialized bytes between processes (adetaylor@google.com)
- Issue 1100247: Security: Potential UAF in AndroidCdmFactory (markbrand@google.com)
- Issue 1099945: Security: Print compositor does not copy out of shared memory before attempting to deserialize SkPicture (dcheng@chromium.org)
- Issue 1092453: Restrictions on navigation to the content scheme can be bypassed on Android (mbarb...@chromium.org)
- Issue 1108091: Race condition in NativeFileSystemWriter close logic (mek@chromium.org)
- Issue 1100286: Chromium: Vulnerability reported in third_party/requests (vomit...@appspot.gserviceaccount.com)
- Issue 1012955: Security: Reader mode needs improved sanitization (creis@chromium.org)

85.0.4183.121 (Monday, September 21, 2020) 10/10 bugs

[$15000][1100136] High CVE-2020-15960: Out of bounds read in storage. Reported by Anonymous on 2020-06-28
- Issue 1100136: heap-buffer-overflow in storage::ObfuscatedFileUtilMemoryDelegate(browser process) (cdsrc...@gmail.com)
[$15000][1114636] High CVE-2020-15961: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-08-10
- Issue 1114636: Security: Possible for extension to escape sandbox via Target.setAutoAttach and Target.sendMessageToTarget (derce...@gmail.com)
[$10000][1121836] High CVE-2020-15962: Insufficient policy enforcement in serial. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-08-26
- Issue 1121836: Security: HeapOverflow in SerialHandle (leecraso@gmail.com)
[$5000][1113558] High CVE-2020-15963: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-08-06
- Issue 1113558: Security: Possible to navigate frames not attached to the debugger using the chrome.debugger API (derce...@gmail.com)
[$TBD][1126249] High CVE-2020-15965: Out of bounds write in V8. Reported by Lucas Pinheiro, Microsoft Browser Vulnerability Research on 2020-09-08
- Issue 1126249: Security: DCHECK failed: 0 <= length && length <= kMaxSafeInteger (lupin...@microsoft.com)
[$TBD][1113565] Medium CVE-2020-15966: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-08-06
- Issue 1113565: Security: Extensions can use chrome.debugger API to access contents of local files (derce...@gmail.com)
[$TBD][1121414] Low CVE-2020-15964: Insufficient data validation in media. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2020-08-25
- Issue 1121414: Security: Missing IsContextDestroyed in MediaKeys (rapid...@gmail.com)
[1130676] internal.

85.0.4183.102 (Tuesday, September 8, 2020) 5/5 bugs

[$20000][1116304] High CVE-2020-6573: Use after free in video. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-08-14
- Issue 1116304: Security: UAF in VideoCapture (leecraso@gmail.com)
[$10000][1102196] High CVE-2020-6574: Insufficient policy enforcement in installer. Reported by CodeColorist of Ant-Financial LightYear Labs on 2020-07-05
- Issue 1102196: Security: Keystone for macOS should use auditToken to validate incoming XPC message (codec...@gmail.com)
[$TBD][1081874] High CVE-2020-6575: Race in Mojo. Reported by Microsoft on 2020-05-12
- Issue 1081874: Double free on NodeChannel (ssm...@microsoft.com)
[$TBD][1111737] High CVE-2020-6576: Use after free in offscreen canvas. Reported by Looben Yang on 2020-07-31
- Issue 1111737: Security: OffscreenCanvas - Use After Free in OffscreenCanvasRenderingContext2D::DrawTextInternal() (loobe...@gmail.com)
[$TBD][1122684] High CVE-2020-15959: Insufficient policy enforcement in networking. Reported by Eric Lawrence of Microsoft on 2020-08-27
- Issue 1122684 (Permission denied.)

85.0.4183.83 (Tuesday, August 25, 2020) 20/20 bugs

[$N/A][1109120] High CVE-2020-6558: Insufficient policy enforcement in iOS. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-07-24
- Issue 1109120: Security: (UXSS) Long-Press Open Runs Javascript Links from Child in Parent Origin / Page (ahuff...@microsoft.com)
[$TBD][1116706] High CVE-2020-6559: Use after free in presentation API. Reported by Liu Wei and Wu Zekai of Tencent Security Xuanwu Lab on 2020-08-15
- Issue 1116706: Security: Use After Free in PresentationConnectionCallbacks::OnSuccess (lw17q...@gmail.com)
[$5000][1108181] Medium CVE-2020-6560: Insufficient policy enforcement in autofill. Reported by Nadja Ungethuem from www.unnex.de on 2020-07-22
- Issue 1108181: Security: bypas of the protection of input field cache (gcun...@gmail.com)
[$1000][932892] Medium CVE-2020-6561: Inappropriate implementation in Content Security Policy. Reported by Rob Wu on 2019-02-16
- Issue 932892: Security: CSP violation reports leak the destination origin of a blocked redirect in the blocked-uri / blockedURI field (rob@robwu.nl)
[$1000][1086845] Medium CVE-2020-6562: Insufficient policy enforcement in Blink. Reported by Masato Kinugawa on 2020-05-27
- Issue 1086845: Security: Blob ignores charset specified in type attribute (masat...@gmail.com)
[$1000][1104628] Medium CVE-2020-6563: Insufficient policy enforcement in intent handling. Reported by Pedro Oliveira on 2020-07-12
- Issue 1104628: Security: Private file upload (data exfiltration) (kan...@gmail.com)
[$500][841622] Medium CVE-2020-6564: Incorrect security UI in permissions. Reported by Khalil Zhani on 2018-05-10
- Issue 841622 (Permission denied.)
[$500][1029907] Medium CVE-2020-6565: Incorrect security UI in Omnibox. Reported by Khalil Zhani on 2019-12-02
- Issue 1029907: Security: URL bar spoofing with prompt dialog on iOS (chrom...@gmail.com)
[$N/A][1065264] Medium CVE-2020-6566: Insufficient policy enforcement in media. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-03-27
- Issue 1065264: No validation of origin in initializing CDM (jun.k...@microsoft.com)
[$500][937179] Low CVE-2020-6567: Insufficient validation of untrusted input in command line handling. Reported by Joshua Graham of TSS on 2019-03-01
- Issue 937179 (Permission denied.)
[$500][1092451] Low CVE-2020-6568: Insufficient policy enforcement in intent handling. Reported by Yongke Wang(@Rudykewang) and Aryb1n(@aryb1n) of Tencent Security Xuanwu Lab (腾讯安全玄武实验室） on 2020-06-08
- Issue 1092451: Multiple-file download restrictions can be bypassed using Android intents (mbarb...@chromium.org)
[$N/A][995732] Low CVE-2020-6569: Integer overflow in WebUSB. Reported by guaixiaomei on 2019-08-20
- Issue 995732: Potential out of bounds write vulnerability in webusb (usb_device_handle_usbfs.cc) (Linux 32bit) (guaix...@gmail.com)
[$N/A][1084699] Low CVE-2020-6570: Side-channel information leakage in WebRTC. Reported by Signal/Tenable on 2020-05-19
- Issue 1084699: [WebRTC] Remote ICE Candidate Hostname Lookup Privacy Issue (a_deleted_user)
[$N/A][1085315] Low CVE-2020-6571: Incorrect security UI in Omnibox. Reported by Rayyan Bijoora on 2020-05-21
- Issue 1085315: URL spoofing using 'GURMUKHI LETTER RRA' (U+0A5C) (rayyan...@gmail.com)
[1121299] internal.

84.0.4147.135 (Tuesday, August 18, 2020) 1/1 bugs

[$TBD][1115345] High CVE-2020-6556: Heap buffer overflow in SwiftShader. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-08-12
- Issue 1115345: Security: Heap-Buffer-Overflow in libGLESv2 Library - es2::Device::stretchRect (ahuff...@microsoft.com)

84.0.4147.125 (Monday, August 10, 2020) 15/15 bugs

[$10000][1107433] High CVE-2020-6542: Use after free in ANGLE. Reported by Piotr Bania of Cisco Talos on 2020-07-20
- Issue 1107433: Google Chrome WebGL Buffer11::getBufferStorage Code Execution Vulnerability (vulnd...@sourcefire.com)
[$7500][1104046] High CVE-2020-6543: Use after free in task scheduling. Reported by Looben Yang on 2020-07-10
- Issue 1104046: Security: Task Scheduling - Use After Free in TaskQueueImpl::CreateTaskRunner(). (loobe...@gmail.com)
[$7500][1108497] High CVE-2020-6544: Use after free in media. Reported by Tim Becker of Theori on 2020-07-22
- Issue 1108497: Security: UAF in RemotePlayback due to iterator invalidation (Android only) (tjbec...@theori.io)
[$5000][1095584] High CVE-2020-6545: Use after free in audio. Reported by Anonymous on 2020-06-16
- Issue 1095584 (Permission denied.)
[$TBD][1100280] High CVE-2020-6546: Inappropriate implementation in installer. Reported by Andrew Hess (any1) on 2020-06-29
- Issue 1100280: Security: Chrome Update - Arbitrary Folder Delete // Privilege Escalation (hess....@gmail.com)
[$TBD][1102153] High CVE-2020-6547: Incorrect security UI in media. Reported by David Albert on 2020-07-05
- Issue 1102153: Security: Information disclosure through screenshare with clickjacking (garko...@gmail.com)
[$TBD][1103827] High CVE-2020-6548: Heap buffer overflow in Skia. Reported by Choongwoo Han, Microsoft Browser Vulnerability Research on 2020-07-09
- Issue 1103827: Security: heap-buffer-overflow in TextDetection detect (choon...@microsoft.com)
[$N/A][1105426] High CVE-2020-6549: Use after free in media. Reported by Sergei Glazunov of Google Project Zero on 2020-07-14
- Issue 1105426: Security: Use-after-free in MediaElementEventListener::UpdateSources (glazunov@google.com)
[$N/A][1106682] High CVE-2020-6550: Use after free in IndexedDB. Reported by Sergei Glazunov of Google Project Zero on 2020-07-17
- Issue 1106682: Security: Use-after-free in WebIDBGetDBNamesCallbacksImpl::SuccessNamesAndVersionsList (glazunov@google.com)
[$N/A][1107815] High CVE-2020-6551: Use after free in WebXR. Reported by Sergei Glazunov of Google Project Zero on 2020-07-21
- Issue 1107815: Security: Use-after-free in XRSystem::FocusedFrameChanged and FocusController::NotifyFocusChangedObservers (glazunov@google.com)
[$TBD][1108518] High CVE-2020-6552: Use after free in Blink. Reported by Tim Becker of Theori on 2020-07-22
- Issue 1108518: Security: UAF in ScriptPromiseProperty due to iterator invalidation (tjbec...@theori.io)
[$TBD][1111307] High CVE-2020-6553: Use after free in offline mode. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-07-30
- Issue 1111307: Security: UAF in OfflinePageTabHelper::LoadData (ahuff...@microsoft.com)
[$5000][1094235] Medium CVE-2020-6554: Use after free in extensions. Reported by Anonymous on 2020-06-12
- Issue 1094235: uaf in extensions (cdsrc...@gmail.com)
[$1000][1105202] Medium CVE-2020-6555: Out of bounds read in WebGL. Reported by Marcin Towalski of Cisco Talos on 2020-07-13
- Issue 1105202: Security: Google Chrome DrawElementsInstanced Information Leak Vulnerability (TALOS-2020-1123) (vulnd...@sourcefire.com)
[1114335] internal.
- Issue 1108116: heap-use-after-free : autofill::FormStructure::GetFieldTypePredictions (crash...@system.gserviceaccount.com)

84.0.4147.105 (Monday, July 27, 2020) 8/8 bugs

[$10000][1105318] High CVE-2020-6537: Type Confusion in V8. Reported by Alphalaab on 2020-07-14
- Issue 1105318 (Permission denied.)
[$N/A][1096677] High CVE-2020-6538: Inappropriate implementation in WebView. Reported by Yongke Wang(@Rudykewang) and Aryb1n(@aryb1n) of Tencent Security Xuanwu Lab (腾讯安全玄武实验室） on 2020-06-18
- Issue 1096677: WebView: Cross-domain content can be fetched from resources loaded by the content scheme (adetaylor@google.com)
[$TBD][1104061] High CVE-2020-6532: Use after free in SCTP. Reported by Anonymous on 2020-07-09
- Issue 1104061: UAF in sctp_transport (cdsrc...@gmail.com)
[$N/A][1105635] High CVE-2020-6539: Use after free in CSS. Reported by Oriol Brufau on 2020-07-14
- Issue 1105635: Security: use-after-poison when using CSS var() with revert as fallback (obru...@igalia.com)
[$TBD][1105720] High CVE-2020-6540: Heap buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2020-07-15
- Issue 1105720: Security: heap-buffer-overflow in SkReader32::readInt (zhouz...@gmail.com)
[$N/A][1106773] High CVE-2020-6541: Use after free in WebUSB. Reported by Sergei Glazunov of Google Project Zero on 2020-07-17
- Issue 1106773: Security: Use-after-free in USB::OnServiceConnectionError (glazunov@google.com)
[1109361] internal.
- Issue 1102408: Heap-use-after-free in blink::LayoutBox::FindAutoscrollable (ClusterFuzz)
- Issue 1102054: Disable (or fix) YUV image decoding before M86 due to use after free (andrescj@chromium.org)

None (Tuesday, July 14, 2020) 39/38 bugs

[$TBD][1103195] Critical CVE-2020-6510: Heap buffer overflow in background fetch. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-07-08
- Issue 1103195: Security: HeapOverflow in BackgroundFetch (leecraso@gmail.com)
[$5000][1074317] High CVE-2020-6511: Side-channel information leakage in content security policy. Reported by Mikhail Oblozhikhin on 2020-04-24
- Issue 1074317: Security: The CSP reports and stacktraces of errors leaks post-redirect URL for <script> (obmih...@gmail.com)
[$5000][1084820] High CVE-2020-6512: Type Confusion in V8. Reported by nocma, leogan, cheneyxu of WeChat Open Platform Security Team on 2020-05-20
- Issue 1084820: DCHECK failure in value.IsHeapObject() in objects-debug.cc (wxmp...@gmail.com)
[$2000][1091404] High CVE-2020-6513: Heap buffer overflow in PDFium. Reported by Aleksandar Nikolic of Cisco Talos on 2020-06-04
- Issue 1091404: Google Chrome PDFium Javascript Active Document Memory Corruption Vulnerability - TALOS-2020-1092 (regiw...@sourcefire.com)
[$TBD][1076703] High CVE-2020-6514: Inappropriate implementation in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2020-04-30
- Issue 1076703 (Permission denied.)
[$TBD][1082755] High CVE-2020-6515: Use after free in tab strip. Reported by DDV_UA on 2020-05-14
- Issue 1082755: Heap UaF in TabStrip::CloseTab (dmitr...@gmail.com)
[$TBD][1092449] High CVE-2020-6516: Policy bypass in CORS. Reported by Yongke Wang(@Rudykewang) and Aryb1n(@aryb1n) of Tencent Security Xuanwu Lab (腾讯安全玄武实验室） on 2020-06-08
- Issue 1092449 (Permission denied.)
[$TBD][1095560] High CVE-2020-6517: Heap buffer overflow in history. Reported by ZeKai Wu (@hellowuzekai) of Tencent Security Xuanwu Lab on 2020-06-16
- Issue 1095560: Security: heap-buffer-overflow on media_history::MediaHistoryKeyedService::OnURLsDeleted (hello...@gmail.com)
[$3000][986051] Medium CVE-2020-6518: Use after free in developer tools. Reported by David Erceg on 2019-07-20
- Issue 986051: Security: Use-after-free of CommandLineAPIScope object (derce...@gmail.com)
[$3000][1064676] Medium CVE-2020-6519: Policy bypass in CSP. Reported by Gal Weizman (@WeizmanGal) of PerimeterX on 2020-03-25
- Issue 1064676: full CSP bypass while evaluating a javascript-URL in iframe. (g...@perimeterx.com)
[$1000][1092274] Medium CVE-2020-6520: Heap buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2020-06-08
- Issue 1092274: Security: global-buffer-overflow in bytesPerVertex (zhouz...@gmail.com)
[$500][1075734] Medium CVE-2020-6521: Side-channel information leakage in autofill. Reported by Xu Lin (University of Illinois at Chicago), Panagiotis Ilia (University of Illinois at Chicago), Jason Polakis (University of Illinois at Chicago) on 2020-04-27
- Issue 1075734: Security: Side-channel attack against Autofill Preview that can steal user's data (e.g., credit card number). (jpola...@gmail.com)
[$TBD][1052093] Medium CVE-2020-6522: Inappropriate implementation in external protocol handlers. Reported by Eric Lawrence of Microsoft on 2020-02-13
- Issue 1052093: Security: Custom Scheme escaping bypassed if a scheme is in the URLWhitelist (ericlaw@microsoft.com)
[$N/A][1080481] Medium CVE-2020-6523: Out of bounds write in Skia. Reported by Liu Wei and Wu Zekai of Tencent Security Xuanwu Lab on 2020-05-08
- Issue 1080481: Security: Skia: Integer Overflow in GrTextBlob::Make (lw17q...@gmail.com)
[$N/A][1081722] Medium CVE-2020-6524: Heap buffer overflow in WebAudio. Reported by Sung Ta (@Mipu94) of SEFCOM Lab, Arizona State University on 2020-05-12
- Issue 1081722: Security: memcpy-param-overlap in AudioBuffer::copyFromChannel (tadinhs...@gmail.com)
[$N/A][1091670] Medium CVE-2020-6525: Heap buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2020-06-05
- Issue 1091670: Security: heap-buffer-overflow in sk_careful_memcpy (zhouz...@gmail.com)
[$1000][1074340] Low CVE-2020-6526: Inappropriate implementation in iframe sandbox. Reported by Jonathan Kingston on 2020-04-24
- Issue 1074340: Security: javascript URI sandbox flags aren't propagated in a blank string case (kingston...@gmail.com)
[$500][992698] Low CVE-2020-6527: Insufficient policy enforcement in CSP. Reported by Zhong Zhaochen of andsecurity.cn on 2019-08-10
- Issue 992698: Security: Bypass the CSP when popup with "javascript:"-URL (tiebuc...@gmail.com)
[$500][1063690] Low CVE-2020-6528: Incorrect security UI in basic auth. Reported by Rayyan Bijoora on 2020-03-22
- Issue 1063690: Untrustworthy navigation causes HTTP Basic Auth dialog origin confusion/spoofing (rayyan...@gmail.com)
[$N/A][978779] Low CVE-2020-6529: Inappropriate implementation in WebRTC. Reported by kaustubhvats7 on 2019-06-26
- Issue 978779: Chromium uses expired certificate for Baltimore CyberTrust (kaustubh...@gmail.com)
[$N/A][1016278] Low CVE-2020-6530: Out of bounds memory access in developer tools. Reported by myvyang on 2019-10-21
- Issue 1016278: Security: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS when exec chrome.debugger.sendCommand (myvy...@gmail.com)
[$TBD][1042986] Low CVE-2020-6531: Side-channel information leakage in scroll to text. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-01-17
- Issue 1042986: iframe in victim page can detect Scroll To Text Fragment activation (jun.koka...@microsoft.com)
[$N/A][1069964] Low CVE-2020-6533: Type Confusion in V8. Reported by Avihay Cohen @ SeraphicAlgorithms on 2020-04-11
- Issue 1069964: Security: Check failed: receiver.IsJSFunction(). (b3nd3...@gmail.com)
[$N/A][1072412] Low CVE-2020-6534: Heap buffer overflow in WebRTC. Reported by Anonymous on 2020-04-20
- Issue 1072412 (Permission denied.)
[$TBD][1073409] Low CVE-2020-6535: Insufficient data validation in WebUI. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-04-22
- Issue 1073409: XSS on chrome://histograms/ with a compromised renderer (jun.koka...@microsoft.com)
[$TBD][1080934] Low CVE-2020-6536: Incorrect security UI in PWAs. Reported by Zhiyang Zeng of Tencent security platform department on 2020-05-09
- Issue 1080934 (Permission denied.)
[1105224] internal.
- Issue 1092449: Cross-domain content can be fetched from resources loaded by the content scheme (mbarb...@chromium.org)
- Issue 1090543: heap-use-after-free : content::NavigationRequest::OnWillProcessResponseProcessed (crash...@system.gserviceaccount.com)
- Issue 1087629: Upgrade SQLite to 3.32.1 (huangdarwin@chromium.org)
- Issue 1076703: Security: WebRTC: usrsctp is called with pointer as network address (natashenka@google.com)
- Issue 1065122: heap-use-after-free : ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::LeastCommonAncestor (crash-fe...@system.gserviceaccount.com)
- Issue 1094453: Security: Memory stomper in InfoBarManager::RemoveInfoBarInternal() (rohitrao@chromium.org)
- Issue 1072165: libjingle_xmpp_xmlparser_fuzzer: Incorrect-function-pointer-type with empty stacktrace (ClusterFuzz)
- Issue 1067869: Chromium: Vulnerability reported in third_party/guava (vomit.go...@appspot.gserviceaccount.com)
- Issue 1065731: audio_decoder_fuzzer: Use-of-uninitialized-value in amr_read_header (ClusterFuzz)
- Issue 1052492: Use-of-uninitialized-value in blink::ImageDataBuffer::ImageDataBuffer (ClusterFuzz)
- Issue 961644: Heap-buffer-overflow in courgette::Read32LittleEndian (ClusterFuzz)
- Issue 1067854: Chromium: Vulnerability reported in third_party/binutils (vomit...@appspot.gserviceaccount.com)
- Issue 1029569: sqlite3_shadow_table_fuzzer: ASSERT: nDoclist>0 (ClusterFuzz)

83.0.4103.116 (Monday, June 22, 2020) 1/2 bugs

[$TBD][1092308] High CVE-2020-6509: Use after free in extensions. Reported by Anonymous on 2020-06-08
- Issue 1092308: uaf in extensions (cdsrc...@gmail.com)

83.0.4103.106 (Monday, June 15, 2020) 3/4 bugs

[$15000][1081350] High CVE-2020-6505: Use after free in speech. Reported by Khalil Zhani on 2020-05-11
- Issue 1081350: Security: Browser_crash - heap-use-after-free in extensions::ChromeExtensionsBrowserClient::GetOriginalContext(content::BrowserContext*) (chrom...@gmail.com)
[$15000][1083819] High CVE-2020-6506: Insufficient policy enforcement in WebView. Reported by Alesandro Ortiz on 2020-05-18
- Issue 1083819: Security: Android WebView: iframe on different origin can execute arbitrary JavaScript in top document via window.open() or links with _blank target (alesa...@alesandroortiz.com)
[$N/A][1086890] High CVE-2020-6507: Out of bounds write in V8. Reported by Sergei Glazunov of Google Project Zero on 2020-05-27
- Issue 1086890: Security: Missing array size check in NewFixedArray (glazunov@google.com)

83.0.4103.97 (Wednesday, June 3, 2020) 6/5 bugs

[$20000][1082105] High CVE-2020-6493: Use after free in WebAuthentication. Reported by Anonymous on 2020-05-13
- Issue 1082105: uaf in device::FidoRequestHandlerBase::InitializeAuthenticatorAndDispatchRequest (cdsrc2...@gmail.com)
[$7500][1083972] High CVE-2020-6494: Incorrect security UI in payments. Reported by Juho Nurminen on 2020-05-18
- Issue 1083972 (Permission denied.)
[$TBD][1072116] High CVE-2020-6495: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-04-18
- Issue 1072116: Security: Possible for extensions to escape sandbox via devtools watch expressions (derce...@gmail.com)
[$N/A][1085990] High CVE-2020-6496: Use after free in payments. Reported by Khalil Zhani on 2020-05-24
- Issue 1085990: Security: Browser_crash - heap-use-after-free in Payments API (chromium...@gmail.com)
[$1500][1069246] Medium CVE-2020-6497: Insufficient policy enforcement in Omnibox. Reported by Rayyan Bijoora on 2020-04-08
- Issue 1069246: iOS: Omnibox doesn't display blob: origin for long URL (rayyan...@gmail.com)
[$500][1081081] Medium CVE-2020-6498: Incorrect security UI in progress display. Reported by Rayyan Bijoora on 2020-05-11
- Issue 1081081: Security: URL spoofing using slow page loading on iOS (rayyan...@gmail.com)

83.0.4103.61 (Tuesday, May 19, 2020) 43/38 bugs

[$20000][1073015] High CVE-2020-6465: Use after free in reader mode. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2020-04-21
- Issue 1073015: Security: UAF in DistillerJavaScriptService (Android) (rapid....@gmail.com)
[$15000][1074706] High CVE-2020-6466: Use after free in media. Reported by Zhe Jin from cdsrc of Qihoo 360 on 2020-04-26
- Issue 1074706: uaf in TabSharingInfoBarDelegate (cdsrc2...@gmail.com)
[$7500][1068084] High CVE-2020-6467: Use after free in WebRTC. Reported by ZhanJia Song on 2020-04-06
- Issue 1068084: Security: Use after free in WebRTC (zhanjias...@gmail.com)
[$7500][1076708] High CVE-2020-6468: Type Confusion in V8. Reported by Chris Salls and Jake Corina of Seaside Security, Chani Jindal of Shellphish on 2020-04-30
- Issue 1076708: OOB read/write in v8::internal::ElementsAccessorBase<v8::internal::FastHoleyDoubleElementsAccessor (chrissal...@gmail.com)
[$5000][1067382] High CVE-2020-6469: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-04-02
- Issue 1067382: Security: Sandbox escape via chrome.input.ime (derce...@gmail.com)
[$5000][1065761] Medium CVE-2020-6470: Insufficient validation of untrusted input in clipboard. Reported by Michał Bentkowski of Securitum on 2020-03-30
- Issue 1065761 (Permission denied.)
[$3000][1059577] Medium CVE-2020-6471: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-03-08
- Issue 1059577: Security: Possible to escape sandbox via devtools_page (derce...@gmail.com)
[$3000][1064519] Medium CVE-2020-6472: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-03-25
- Issue 1064519: Security: DevTools doesn't fully validate channel messages it receives (derce...@gmail.com)
[$2000][1049510] Medium CVE-2020-6473: Insufficient policy enforcement in Blink. Reported by Soroush Karami and Panagiotis Ilia on 2020-02-06
- Issue 1049510: Unexpected reveal of service worker interception by using nextHopProtocol (shimazu@chromium.org)
[$2000][1059533] Medium CVE-2020-6474: Use after free in Blink. Reported by Zhe Jin from cdsrc of Qihoo 360 on 2020-03-07
- Issue 1059533: use-after-free in web_graphics_context_3d_provider_wrapper (cdsrc2...@gmail.com)
[$1000][1020026] Medium CVE-2020-6475: Incorrect security UI in full screen. Reported by Khalil Zhani on 2019-10-31
- Issue 1020026: Security: 'Press Esc to exit fullscreen' covered up by a popup page (chromium...@gmail.com)
[$1000][1035315] Medium CVE-2020-6476: Insufficient policy enforcement in tab strip. Reported by Alexandre Le Borgne on 2019-12-18
- Issue 1035315: iframe sandbox allow_top_navigation_by_user_activation can be bypassed with certain extensions (alexandre.leborgne.83@gmail.com)
[$500][946156] Medium CVE-2020-6477: Inappropriate implementation in installer. Reported by RACK911 Labs on 2019-03-26
- Issue 946156: Security: Chrome (Mac OS X) - Arbitrary File Permission Modification (p...@rack911labs.com)
[$500][1037730] Medium CVE-2020-6478: Inappropriate implementation in full screen. Reported by Khalil Zhani on 2019-12-24
- Issue 1037730: Security: Full screen notification overlap on Windows and Linux (chromium...@gmail.com)
[$500][1041749] Medium CVE-2020-6479: Inappropriate implementation in sharing. Reported by Zhong Zhaochen of andsecurity.cn on 2020-01-14
- Issue 1041749: Security: tel: protocal spoofing 2 (tiebuc...@gmail.com)
[$500][1054966] Medium CVE-2020-6480: Insufficient policy enforcement in enterprise. Reported by Marvin Witt on 2020-02-21
- Issue 1054966: Policy page opens a file dialogue even if the AllowFileSelectionDialogs policy is set to false (nurmar...@protonmail.com)
[$500][1068531] Medium CVE-2020-6481: Insufficient policy enforcement in URL formatting. Reported by Rayyan Bijoora on 2020-04-07
- Issue 1068531: Security: Character “⠀” (U+2800) should be converted into code. (rayyan...@gmail.com)
[$TBD][795595] Medium CVE-2020-6482: Insufficient policy enforcement in developer tools. Reported by Abdulrahman Alqabandi (@qab) on 2017-12-17
- Issue 795595 (Permission denied.)
[$TBD][966507] Medium CVE-2020-6483: Insufficient policy enforcement in payments. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-05-23
- Issue 966507: Possible Sec-Fetch-Site bypass via PaymentRequest (jun.koka...@microsoft.com)
[$N/A][1045787] Medium CVE-2020-6484: Insufficient data validation in ChromeDriver. Reported by Artem Zinenko on 2020-01-26
- Issue 1045787: Security: ChromeDriver is vulnerable to CSRF attack (zinenkoa...@gmail.com)
[$N/A][1047285] Medium CVE-2020-6485: Insufficient data validation in media router. Reported by Sergei Glazunov of Google Project Zero on 2020-01-30
- Issue 1047285: Security of media-router built-in extension relies on untrustworthy MessageSender.id (lukasza@chromium.org)
[$TBD][1055524] Medium CVE-2020-6486: Insufficient policy enforcement in navigations. Reported by David Erceg on 2020-02-24
- Issue 1055524: Not only "devools://" but also "chrome-devtools://" should be registered as display-isolated (lukasza@chromium.org)
[$500][539938] Low CVE-2020-6487: Insufficient policy enforcement in downloads. Reported by Jun Kokatsu (@shhnjk) on 2015-10-06
- Issue 539938 (Permission denied.)
[$500][1044277] Low CVE-2020-6488: Insufficient policy enforcement in downloads. Reported by David Erceg on 2020-01-21
- Issue 1044277: Security: Possible to bypass restrictions on multiple downloads by initiating download from data: frame (derce...@gmail.com)
[$500][1050756] Low CVE-2020-6489: Inappropriate implementation in developer tools. Reported by @lovasoa (Ophir LOJKINE) on 2020-02-10
- Issue 1050756: Security: 'Copy As Curl' in the network panel of the devtools uses '--data' instead of '--data-raw', leading to arbitrary local file access (pere.j...@gmail.com)
[$TBD][1035887] Low CVE-2020-6490: Insufficient data validation in loader. Reported by Twitter on 2019-12-19
- Issue 1035887 (Permission denied.)
[$N/A][1050011] Low CVE-2020-6491: Incorrect security UI in site information. Reported by Sultan Haikal M.A on 2020-02-07
- Issue 1050011: Security: URL Spoof in Android PageInfo (b3kt0wor...@gmail.com)
[1084009] internal.
- Issue 1075907 (Permission denied.)
- Issue 1070012: Chromium: Vulnerability reported in third_party/sqlite (vomit.go...@appspot.gserviceaccount.com)
- Issue 1030901: Site Isolation Bypass: QuotaDispatcherHost doesn't properly check origin from renderer (creis@chromium.org)
- Issue 1025302: Security: usrsctplib has not been updated since 2018 and is missing fuzzers and security fixes (davidben@chromium.org)
- Issue 978632: heap-use-after-free : sctp_release_pr_sctp_chunk (crash-fe...@system.gserviceaccount.com)
- Issue 1065761: Security: Copy & paste XSS via noscript (adetaylor@chromium.org)
- Issue 1061933: aec3_fuzzer: Container-overflow in webrtc::FilterAnalyzer::AnalyzeRegion (ClusterFuzz)
- Issue 1058515: Chrome fetches DevTools stuff using insecure http protocol (lukasza@chromium.org)
- Issue 1057369: Use-of-uninitialized-value in double_conversion::DoubleToStringConverter::ToPrecision (ClusterFuzz)
- Issue 1056161 (Permission denied.)
- Issue 1055524: Not only "devools://" but also "chrome-devtools://" should be registered as display-isolated (lukasza@chromium.org)
- Issue 1051439: Security: sendBeacon allows sending arbitrary POST requests with application/octet-stream content type without CORS (saldiaz@google.com)
- Issue 1049510: Unexpected reveal of service worker interception by using nextHopProtocol (shimazu@chromium.org)
- Issue 1048619 (Permission denied.)
- Issue 1008635 (Permission denied.)
- Issue 1035887 (Permission denied.)

81.0.4044.138 (Tuesday, May 5, 2020) 4/3 bugs

[$N/A][1073602] High CVE-2020-6831: Stack buffer overflow in SCTP. Reported by Natalie Silvanovich of Google Project Zero on 2020-04-22
- Issue 1073602 (Permission denied.)
[$7500][1071059] High CVE-2020-6464: Type Confusion in Blink. Reported by Looben Yang on 2020-04-15
- Issue 1071059: Security: Blink - Type Confusion with Custom Element (loobeny...@gmail.com)
[1077866] internal.
- Issue 1073602: SCTP stack buffer overflow from malicious AUTH chunks (deadbeef@chromium.org)
- Issue 1062861: heap-buffer-overflow : autofill::AutofillCountry::AutofillCountry (crash-fe...@system.gserviceaccount.com)

81.0.4044.129 (Monday, April 27, 2020) 2/2 bugs

[$10000][1064891] High CVE-2020-6462: Use after free in task scheduling. Reported by Zhe Jin from cdsrc of Qihoo 360 on 2020-03-26
- Issue 1064891: use after free in mojom::ClipboardHost (cdsrc2...@gmail.com)
[$TBD][1072983] High CVE-2020-6461: Use after free in storage. Reported by Zhe Jin from cdsrc of Qihoo 360 on 2020-04-21
- Issue 1072983: use-after-free in BlobRegistryImpl(browser process) (cdsrc2...@gmail.com)

81.0.4044.122 (Tuesday, April 21, 2020) 10/9 bugs

[$20000][1065298] High CVE-2020-6459: Use after free in payments. Reported by Zhe Jin from cdsrc of Qihoo 360 on 2020-03-27
- Issue 1065298: UAF in base::SupportsUserData::SetUserData (cdsrc2...@gmail.com)
[$15000][1063566] High CVE-2020-6460: Insufficient data validation in URL formatting. Reported by Anonymous on 2020-03-21
- Issue 1063566 (Permission denied.)
[$5000][1065186] High CVE-2020-6463: Use after free in ANGLE. Reported by Pawel Wylecial of REDTEAM.PL on 2020-03-26
- Issue 1065186 (Permission denied.)
[$5000][1065186] High CVE-2020-6463: Use after free in ANGLE. Reported by Pawel Wylecial of REDTEAM.PL on 2020-03-26
- Issue 1065186: UAF in libglesv2!gl::Texture::onUnbindAsSamplerTexture (pa...@blackowlsec.com)
[$5000][1067270] High CVE-2020-6458: Out of bounds read and write in PDFium. Reported by Aleksandar Nikolic of Cisco Talos on 2020-04-02
- Issue 1067270: Talos Security Advisory for Google Chrome PDFium (TALOS-2020-1044) (regiw...@sourcefire.com)
[1072815] internal.

81.0.4044.113 (Wednesday, April 15, 2020) 1/1 bugs

[$TBD][1067851] Critical CVE-2020-6457: Use after free in speech recognizer. Reported by Leecraso and Guang Gong of Alpha Lab, Qihoo 360 on 2020-04-04
- Issue 1067851: Security: UAF in Speech Recognizer (leecraso@gmail.com)

81.0.4044.92 (Tuesday, April 7, 2020) 33/32 bugs

[$7500][1019161] High CVE-2020-6454: Use after free in extensions. Reported by Leecraso and Guang Gong of Alpha Lab, Qihoo 360 on 2019-10-29
- Issue 1019161: UAF In ProcessManager (leecraso@gmail.com)
[$5000][1043446] High CVE-2020-6423: Use after free in audio. Reported by Anonymous on 2020-01-18
- Issue 1043446 (Permission denied.)
[$3000][1059669] High CVE-2020-6455: Out of bounds read in WebSQL. Reported by Nan Wang(@eternalsakura13) and Guang Gong of Alpha Lab, Qihoo 360 on 2020-03-09
- Issue 1059669: Out-of-bounds read in WebSQL (eternals...@gmail.com)
[$2000][1031479] Medium CVE-2020-6430: Type Confusion in V8. Reported by Avihay Cohen @ SeraphicAlgorithms on 2019-12-06
- Issue 1031479: Security: Debug check failed: has_feedback_vector() (b3nd3...@gmail.com)
[$2000][1040755] Medium CVE-2020-6456: Insufficient validation of untrusted input in clipboard. Reported by Michał Bentkowski of Securitum on 2020-01-10
- Issue 1040755: Security: Another "universal" XSS via copy&paste (mic...@bentkowski.info)
[$1000][852645] Medium CVE-2020-6431: Insufficient policy enforcement in full screen. Reported by Luan Herrera (@lbherrera_) on 2018-06-14
- Issue 852645: requestFullscreen should consume user activation to prevent UI/URL spoofing (luan.her...@hotmail.com)
[$1000][965611] Medium CVE-2020-6432: Insufficient policy enforcement in navigations. Reported by David Erceg on 2019-05-21
- Issue 965611: Security: Possible to open chrome-native:// pages on Android and the new tab page on desktop using window.open (derce...@gmail.com)
[$1000][1043965] Medium CVE-2020-6433: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-01-21
- Issue 1043965: Security: Possible to navigate to extension resources not listed in web_accessible_resources (derce...@gmail.com)
[$500][1048555] Medium CVE-2020-6434: Use after free in devtools. Reported by HyungSeok Han (DaramG) of Theori on 2020-02-04
- Issue 1048555: Use after free in CodeSerializer::Deserialize (gksgudtj...@gmail.com)
[$N/A][1032158] Medium CVE-2020-6435: Insufficient policy enforcement in extensions. Reported by Sergei Glazunov of Google Project Zero on 2019-12-09
- Issue 1032158: Security of some component extensions relies on untrustworthy MessageSender.id (lukasza@chromium.org)
[$TBD][1034519] Medium CVE-2020-6436: Use after free in window management. Reported by Igor Bukanov from Vivaldi on 2019-12-16
- Issue 1034519: Security: WebContentsViewAura::EndDrag may dereference a pointer to deleted RenderWidgetHost (i...@vivaldi.com)
[$500][639173] Low CVE-2020-6437: Inappropriate implementation in WebView. Reported by Jann Horn on 2016-08-19
- Issue 639173: ignored TLS errors propagate from webview to main browser (jannhorn@googlemail.com)
[$500][714617] Low CVE-2020-6438: Insufficient policy enforcement in extensions. Reported by Ng Yik Phang on 2017-04-24
- Issue 714617: Security: chrome.tabs.executeScript can reveal Chrome's profile path (ngy...@gmail.com)
[$500][868145] Low CVE-2020-6439: Insufficient policy enforcement in navigations. Reported by remkoboonstra on 2018-07-26
- Issue 868145: Security: Loading mixed content without insecure warning (remkoboo...@gmail.com)
[$500][894477] Low CVE-2020-6440: Inappropriate implementation in extensions. Reported by David Erceg on 2018-10-11
- Issue 894477: Security: Extensions can continue to temporarily execute code and access file after being uninstalled (derce...@gmail.com)
[$500][959571] Low CVE-2020-6441: Insufficient policy enforcement in omnibox. Reported by David Erceg on 2019-05-04
- Issue 959571: Security: Mixed content state reset when navigating back (derce...@gmail.com)
[$500][1013906] Low CVE-2020-6442: Inappropriate implementation in cache. Reported by B@rMey on 2019-10-12
- Issue 1013906: Security: expose stored (in cache) cross-site response's size (bar...@gmail.com)
[$500][1040080] Low CVE-2020-6443: Insufficient data validation in developer tools. Reported by @lovasoa (Ophir LOJKINE) on 2020-01-08
- Issue 1040080: Security: 'Copy As Curl' in the network panel of the devtools does not escape the HTTP method properly, leading to local code execution (pere.j...@gmail.com)
[$N/A][922882] Low CVE-2020-6444: Uninitialized Use in WebRTC. Reported by mlfbrown on 2019-01-17
- Issue 922882: Security: Possible load of unitialized memory in WebRtcAec_Create (mlfbr...@stanford.edu)
[$N/A][933171] Low CVE-2020-6445: Insufficient policy enforcement in trusted types. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-02-18
- Issue 933171: Trusted Types bypass with blob and meta refresh (jun.koka...@microsoft.com)
[$N/A][933172] Low CVE-2020-6446: Insufficient policy enforcement in trusted types. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-02-18
- Issue 933172: Trusted Type bypass with SVG (jun.koka...@microsoft.com)
[$N/A][991217] Low CVE-2020-6447: Inappropriate implementation in developer tools. Reported by David Erceg on 2019-08-06
- Issue 991217: Security: Memory access violations when setting a breakpoint at a specific location (derce...@gmail.com)
[$N/A][1037872] Low CVE-2020-6448: Use after free in V8. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2019-12-26
- Issue 1037872: Security:Potential Use after free in the function PerfJitLogger::LogWriteDebugInfo (higonggu...@gmail.com)
[1067891] internal.
- Issue 1066893 (Permission denied.)
- Issue 1018080 (Permission denied.)
- Issue 1050090: Fix security vulnerability in PaintController on subsequence under-invalidation (wangxianzhu@chromium.org)
- Issue 1047838: Missing browser-process permission checks for WebNFC (reillyg@chromium.org)
- Issue 1038868 (Permission denied.)
- Issue 1031697: AutofillAssistantFacade.callerIsOnWhitelist() is not secure (rsesek@chromium.org)
- Issue 1029602 (Permission denied.)
- Issue 1030167: Crash in v8::internal::Simulator::LoadStorePairHelper (ClusterFuzz)
- Issue 818327 (Permission denied.)
- Issue 609527: Make sure active mixed content and broken-https subresources do something reasonable on weird origins (est...@chromium.org)

80.0.3987.163 (Thursday, April 2, 2020) 0/0 bugs

80.0.3987.162 (Tuesday, March 31, 2020) 8/8 bugs

[$TBD][1062247] High CVE-2020-6450: Use after free in WebAudio. Reported by Man Yue Mo of GitHub Security Lab on 2020-03-17
- Issue 1062247: Incomplete fix of 1055788 and 1057627 (m...@semmle.com)
[$TBD][1061018] High CVE-2020-6451: Use after free in WebAudio. Reported by Man Yue Mo of GitHub Security Lab on 2020-03-12
- Issue 1061018: UaF in DeferredTaskHandler::ProcessAutomaticPullNodes (m...@semmle.com)
[$N/A][1059764] High CVE-2020-6452: Heap buffer overflow in media. Reported by asnine on 2020-03-09
- Issue 1059764: Security: container-overflow in MediaStream mojo (0xasn...@gmail.com)
[1066247] internal.

80.0.3987.149 (Wednesday, March 18, 2020) 12/13 bugs

[$8500][1051748] High CVE-2020-6422: Use after free in WebGL. Reported by David Manouchehri on 2020-02-13
- Issue 1051748: Use-after-poison in WebGLRenderingContextBase (da...@davidmanouchehri.com)
[$NA][1031142] High CVE-2020-6424: Use after free in media. Reported by Sergei Glazunov of Google Project Zero on 2019-12-05
- Issue 1031142: Security: ☂ Site Isolation Bypass and Browser Code execution with heap-use-after-free in DesktopMediaPickerController::WebContentsDestroyed (glazunov@google.com)
[$NA][1031670] High CVE-2020-6425: Insufficient policy enforcement in extensions. Reported by Sergei Glazunov of Google Project Zero on 2019-12-06
- Issue 1031670: ☂ Site Isolation Bypass via component extensions (e.g. via "Google Hangouts") (metzman@chromium.org)
[$TBD][1052647] High CVE-2020-6426: Inappropriate implementation in V8. Reported by Avihay Cohen @ SeraphicAlgorithms on 2020-02-16
- Issue 1052647: Security: Debug check failed: !context.get(context_entry).IsTheHole(isolate) (b3nd3...@gmail.com)
[$TBD][1055788] High CVE-2020-6427: Use after free in audio. Reported by Man Yue Mo of GitHub Security Lab on 2020-02-25
- Issue 1055788: UaP in IIRFilterHandler::Process (m...@semmle.com)
[$TBD][1057593] High CVE-2020-6428: Use after free in audio. Reported by Man Yue Mo of GitHub Security Lab on 2020-03-02
- Issue 1057593: UaF in DeferredTaskHandler::BreakConnections (m...@semmle.com)
[$TBD][1057627] High CVE-2020-6429: Use after free in audio. Reported by Man Yue Mo of GitHub Security Lab on 2020-03-02
- Issue 1057627: UaP in AudioScheduledSourceHandler::NotifyEnded (m...@semmle.com)
[$NA][1059349] High CVE-2019-20503: Out of bounds read in usersctplib. Reported by Natalie Silvanovich of Google Project Zero on 2020-03-06
- Issue 1059349: Security: usersctp: out-of-bounds reads in sctp_load_addresses_from_init (adetaylor@google.com)
[$TBD][1059686] High CVE-2020-6449: Use after free in audio. Reported by Man Yue Mo of GitHub Security Lab on 2020-03-09
- Issue 1059686: UaF in DeferredTaskHandler::BreakConnections(2) (m...@semmle.com)
[1057473] internal.

80.0.3987.132 (Tuesday, March 3, 2020) 4/4 bugs

[$1000][1050996] High CVE-2020-6420: Insufficient policy enforcement in media. Reported by Taras Uzdenov on 2020-02-11
- Issue 1050996: Security: MediaElementAudioSourceNode bypasses CORS checks (uzdenov....@gmail.com)
[1057473] internal.

80.0.3987.122 (Monday, February 24, 2020) 2/3 bugs

[N/A][1045931] High CVE-2020-6407: Out of bounds memory access in streams. Reported by Sergei Glazunov of Google Project Zero on 2020-01-27
- Issue 1045931: Security: General check for streams not checking states correctly (adetaylor@google.com)
[N/A][1053604] High CVE-2020-6418: Type confusion in V8. Reported by Clement Lecigne of Google's Threat Analysis Group on 2020-02-18
- Issue 1053604: Security: Incorrect side effect modelling for JSCreate (cleci...@google.com)

80.0.3987.116 (Tuesday, February 18, 2020) 6/5 bugs

[N/A][1051017] High CVE-2020-6383: Type confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2020-02-11
- Issue 1051017 (Permission denied.)
[$7500][1048473] High CVE-2020-6384: Use after free in WebAudio. Reported by David Manouchehri on 2020-02-04
- Issue 1048473: Use-after-destroy in WebAudio (da...@davidmanouchehri.com)
[$5000][1043603] High CVE-2020-6386: Use after free in speech. Reported by Zhe Jin from cdsrc of Qihoo 360 on 2020-01-20
- Issue 1043603: use-after-poison in mojo::MessageDispatcher (cdsrc2...@gmail.com)
[1054478] internal.

80.0.3987.106 (Thursday, February 13, 2020) 3/3 bugs

[1051555] internal.

80.0.3987.100 (Tuesday, February 11, 2020) 0/0 bugs

80.0.3987.87 (Tuesday, February 4, 2020) 64/56 bugs

[$5000][1034394] High CVE-2020-6381: Integer overflow in JavaScript. Reported by The UK's National Cyber Security Centre (NCSC) on 2019-12-09
- Issue 1034394: A null pointer dereference has been discovered in V8 compiler which affects the latest version. (secur...@ncsc.gov.uk)
[$2000][1031909] High CVE-2020-6382: Type Confusion in JavaScript. Reported by Soyeon Park and Wen Xu from SSLab, Gatech on 2019-12-08
- Issue 1031909: SIGTRAP hit in JIT code (Builtins_InterpreterEntryTrampoline) (tarafa...@gmail.com)
[$500][1020745] High CVE-2019-18197: Multiple vulnerabilities in XML. Reported by Jordan Pryde from the BlackBerry Security Incident Response Team on 2019-11-01
- Issue 1020745: Security: Roll expat to patch CVE-2019-18197, CVE-2019-13117, CVE-2019-13118 (jpr...@blackberry.com)
[$500][1042700] High CVE-2019-19926: Inappropriate implementation in SQLite. Reported by Richard Lorenz, SAP on 2020-01-16
- Issue 1042700: Security: SQLite CVE-2019-19926 (adetaylor@chromium.org)
[$N/A][1035399] High CVE-2020-6385: Insufficient policy enforcement in storage. Reported by Sergei Glazunov of Google Project Zero on 2019-12-18
- Issue 1035399: Security: Site Isolation bypass in BlobURLStoreImpl::Register (glazunov@google.com)
[$N/A][1038863] High CVE-2019-19880, CVE-2019-19925: Multiple vulnerabilities in SQLite. Reported by Richard Lorenz, SAP on 2020-01-03
- Issue 1038863: Security: SQLite 3.30.1 vulnerabilities reported: CVE-2019-19880 and CVE-2019-19925 (richard....@sap.com)
[$N/A][1042535] High CVE-2020-6387: Out of bounds write in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2020-01-16
- Issue 1042535: Security: webrtc: out-of-bounds write in FEC extension processing (natashenka@google.com)
[$N/A][1042879] High CVE-2020-6388: Out of bounds memory access in WebAudio. Reported by Sergei Glazunov of Google Project Zero on 2020-01-16
- Issue 1042879: Security: Data race in AudioArray::Allocate can lead to OOB access (glazunov@google.com)
[$N/A][1042933] High CVE-2020-6389: Out of bounds write in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2020-01-16
- Issue 1042933: Security: WebRTC: out-of-bounds write when updating layer info with frame marking extension (natashenka@google.com)
[$N/A][1045874] High CVE-2020-6390: Out of bounds memory access in streams. Reported by Sergei Glazunov of Google Project Zero on 2020-01-27
- Issue 1045874: Security: OOB access in ReadableStream::Close (glazunov@google.com)
[$10000][1017871] Medium CVE-2020-6391: Insufficient validation of untrusted input in Blink. Reported by Michał Bentkowski of Securitum on 2019-10-24
- Issue 1017871: Security: Injecting styles via copy-and-paste (adetaylor@chromium.org)
[$5000][1030411] Medium CVE-2020-6392: Insufficient policy enforcement in extensions. Reported by Microsoft Edge Team on 2019-12-03
- Issue 1030411: JavaScript injection via malicious WebExtension in CWS (jun.koka...@microsoft.com)
[$5000][1035058] Medium CVE-2020-6393: Insufficient policy enforcement in Blink. Reported by Mark Amery on 2019-12-17
- Issue 1035058: Security: Autocomplete preview text leak #4: using ::first-line pseudo-element (markrobe...@gmail.com)
[$3000][1014371] Medium CVE-2020-6394: Insufficient policy enforcement in Blink. Reported by Phil Freo on 2019-10-15
- Issue 1014371: Security: iframe sandbox can be worked around via javascript: links and window.opener (philf...@gmail.com)
[$3000][1022855] Medium CVE-2020-6395: Out of bounds read in JavaScript. Reported by Pierre Langlois from Arm on 2019-11-08
- Issue 1022855: Security: Missing HasPrototypeSlot() check in ConstructorBuiltinsbAssembler::EmitFastNewObject() results in out-of-bound read. (pierre.langlois@arm.com)
[$3000][1035271] Medium CVE-2020-6396: Inappropriate implementation in Skia. Reported by William Luc Ritchie on 2019-12-18
- Issue 1035271: Security: 3D CSS transform and drop-shadow can draw over address bar (luc.ritc...@gmail.com)
[$2000][1027408] Medium CVE-2020-6397: Incorrect security UI in sharing. Reported by Khalil Zhani on 2019-11-22
- Issue 1027408: Security: tel: URL scheme reference origin spoof on Windows and Linux (chromium...@gmail.com)
[$2000][1032090] Medium CVE-2020-6398: Uninitialized use in PDFium. Reported by pdknsk on 2019-12-09
- Issue 1032090: pdfium: use-of-uninitialized-value in CRYPT_AESSetKey (pdknsk@gmail.com)
[$2000][1039869] Medium CVE-2020-6399: Insufficient policy enforcement in AppCache. Reported by Luan Herrera (@lbherrera_) on 2020-01-07
- Issue 1039869: Leaking the URL of any cross-origin redirect through AppCache's network section and wildcards (herrera...@gmail.com)
[$1000][1038036] Medium CVE-2020-6400: Inappropriate implementation in CORS. Reported by Takashi Yoneuchi (@y0n3uchy) on 2019-12-27
- Issue 1038036: Security: Cross-Origin (Partial) Status Code Leakage (takashi....@shift-js.info)
[$500][1017707] Medium CVE-2020-6401: Insufficient validation of untrusted input in Omnibox. Reported by Tzachy Horesh on 2019-10-24
- Issue 1017707: Security: Phishing with Unicode Domains (tzac...@gmail.com)
[$500][1029375] Medium CVE-2020-6402: Insufficient policy enforcement in downloads. Reported by Vladimir Metnew (@vladimir_metnew) on 2019-11-28
- Issue 1029375: Security: extensions with downloads.open permission can execute code on the device using .fileloc files (vladimir...@gmail.com)
[$TBD][1006012] Medium CVE-2020-6403: Incorrect security UI in Omnibox. Reported by Khalil Zhani on 2019-09-19
- Issue 1006012: Security: URL bar spoofing on iOS (chromium...@gmail.com)
[$N/A][1024256] Medium CVE-2020-6404: Inappropriate implementation in Blink. Reported by kanchi on 2019-11-13
- Issue 1024256: Crash in blink::FindBuffer::RangeFromBufferIndex with emoji input (goldenbo...@gmail.com)
[$N/A][1042145] Medium CVE-2020-6405: Out of bounds read in SQLite. Reported by Yongheng Chen(Ne0) & Rui Zhong(zr33) on 2020-01-15
- Issue 1042145: Null-dereference READ in sqlite3VdbeExec (changoch...@gmail.com)
[$N/A][1042254] Medium CVE-2020-6406: Use after free in audio. Reported by Sergei Glazunov of Google Project Zero on 2020-01-15
- Issue 1042254: Security: More UaFs in WebAudio (adetaylor@chromium.org)
[$N/A][1042578] Medium CVE-2019-19923: Out of bounds memory access in SQLite. Reported by Richard Lorenz, SAP on 2020-01-16
- Issue 1042578: Security: SQLite 3.30.1 CVE-2019-19923 - NULL pointer dereference (or incorrect results) (richard....@sap.com)
[$1000][1026546] Low CVE-2020-6408: Insufficient policy enforcement in CORS. Reported by Zhong Zhaochen of andsecurity.cn on 2019-11-20
- Issue 1026546: Security: Steal any local picture when open a local html file (tiebuc...@gmail.com)
[$1000][1037889] Low CVE-2020-6409: Inappropriate implementation in Omnibox. Reported by Divagar S and Bharathi V from Karya Technologies on 2019-12-26
- Issue 1037889: From secure page it is navigating to insecure page. (divagaru...@gmail.com)
[$500][881675] Low CVE-2020-6410: Insufficient policy enforcement in navigation. Reported by evi1m0 of Bilibili Security Team on 2018-09-07
- Issue 881675: Chrome v69 URL Spoof via FILE_SCHEME (evi1m0.bat@gmail.com)
[$500][929711] Low CVE-2020-6411: Insufficient validation of untrusted input in Omnibox. Reported by Khalil Zhani on 2019-02-07
- Issue 929711: Security: Idn-spoof with using U+00F0 (ð) (chromium...@gmail.com)
[$N/A][968505] Low CVE-2020-6412: Insufficient validation of untrusted input in Omnibox. Reported by Zihan Zheng (@zzh1996) of University of Science and Technology of China on 2019-05-30
- Issue 968505: Security: Domain name spoofing on Unicode top-level domains (zhengzih...@gmail.com)
[$N/A][1005713] Low CVE-2020-6413: Inappropriate implementation in Blink. Reported by Michał Bentkowski of Securitum on 2019-09-19
- Issue 1005713: Security: Parser bug can introduce mXSS and HTML sanitizers bypass (mic...@bentkowski.info)
[$N/A][1021855] Low CVE-2020-6414: Insufficient policy enforcement in Safe Browsing. Reported by Lijo A.T on 2019-11-06
- Issue 1021855: Download Protection bypass (lijopara...@gmail.com)
[$N/A][1029576] Low CVE-2020-6415: Inappropriate implementation in JavaScript. Reported by Avihay Cohen @ SeraphicAlgorithms on 2019-11-30
- Issue 1029576: Security: Debug check failed: 0 <= index && index < node->op()->ValueInputCount(). (b3nd3...@gmail.com)
[$N/A][1031895] Low CVE-2020-6416: Insufficient data validation in streams. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2019-12-08
- Issue 1031895: Security: ReadableStream::pipeTo do not check IsLockedStream (rapid....@gmail.com)
[$N/A][1033824] Low CVE-2020-6417: Inappropriate implementation in installer. Reported by Renato "Wrath" Moraes and Altieres "FallenHawk" Rohr on 2019-12-13
- Issue 1033824: Security: Unquoted Path in user Chrome Updater registry key (moraes...@gmail.com)
[1048330] internal.
- Issue 1045874: Security: OOB access in ReadableStream::Close (glazunov@google.com)
- Issue 1042933: Security: WebRTC: out-of-bounds write when updating layer info with frame marking extension (natashenka@google.com)
- Issue 1042879: Security: Data race in AudioArray::Allocate can lead to OOB access (glazunov@google.com)
- Issue 1042700: Security: SQLite CVE-2019-19926 (adetaylor@chromium.org)
- Issue 1042535: Security: webrtc: out-of-bounds write in FEC extension processing (natashenka@google.com)
- Issue 1035723: Security: Heap-use-after-free in PaintController::FinishCycle() related to devtools overlay (wangxianzhu@chromium.org)
- Issue 1035399: Security: Site Isolation bypass in BlobURLStoreImpl::Register (glazunov@google.com)
- Issue 1033461: sqlite3_select_expr_lpm_fuzzer: Heap-use-after-free in resetAccumulator (ClusterFuzz)
- Issue 1030892: Site Isolation Bypass: SpeechRecognitionDispatcherHost doesn't properly check origin from renderer (creis@chromium.org)
- Issue 1029865: heap-use-after-free : content::MediaInterfaceFactory::CreateVideoDecoder (crash-fe...@system.gserviceaccount.com)
- Issue 965025 (Permission denied.)
- Issue 925035: CodeCacheHostImpl::DidGenerateCacheableMetadataInCacheStorage should verify |cache_storage_origin|. (lukasza@chromium.org)
- Issue 1042254: Security: More UaFs in WebAudio (adetaylor@chromium.org)
- Issue 1042091: Warn Chrome on downloads of for all .HTA files (rossgibb@google.com)
- Issue 1020031: CHECK failure: static_cast<uintptr_t>(caller_frame_top_) - total_output_frame_size > stack_guar (ClusterFuzz)
- Issue 1018629: Use-of-uninitialized-value in SkPngEncoder::onEncodeRows (ClusterFuzz)
- Issue 1017871: Security: Injecting styles via copy-and-paste (adetaylor@chromium.org)
- Issue 1016506: heap-buffer-overflow : WebRtcSpl_DownsampleFastC (crash-fe...@system.gserviceaccount.com)
- Issue 1000887: Crash in v8::internal::Simulator::LoadStorePairHelper (ClusterFuzz)
- Issue 996211: gpu_raster_passthrough_fuzzer: Use-of-uninitialized-value in SkDescriptor::isValid (ClusterFuzz)
- Issue 951330 (Permission denied.)
- Issue 699342: Security: //components/search_engine appears to be parsing arbitrary XML in the browser process (dcheng@chromium.org)
- Issue 1027292: Security: import maps are executed as classic scripts when the import map's flag is disabled (hirosh...@chromium.org)
- Issue 1026293 (Permission denied.)
- Issue 1025442: Security: IDN spoof with Latin Middle Dot (U+00B7) (mea...@chromium.org)
- Issue 1016038: Security: IndexedDB transactions should be inactive during structured serialization (pwnall@chromium.org)
- Issue 1011893 (Permission denied.)

79.0.3945.130 (Thursday, January 16, 2020) 11/11 bugs

[$TBD][1018677] Critical CVE-2020-6378: Use-after-free in speech recognizer. Reported by Antti Levomäki and Christian Jalio from Forcepoint on 2019-10-28
- Issue 1018677: Security: heap-use-after-free in content::SpeechRecognizerImpl::Abort (christia...@gmail.com)
[$2000][1033407] High CVE-2020-6379: Use-after-free in speech recognizer. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2019-12-12
- Issue 1033407: Security:Potential Use after free in the function ProfilerListener::CodeCreateEvent (higonggu...@gmail.com)
[$N/A][1032170] High CVE-2020-6380: Extension message verification error. Reported by Sergei Glazunov of Google Project Zero on 2019-12-09
- Issue 1032170: Use browser-side URL to verify if extension messaging connection is allowed (lukasza@chromium.org)
[1042448] internal.

79.0.3945.117 (Tuesday, January 7, 2020) 3/3 bugs

[$7500][1029462] High CVE-2020-6377: Use after free in audio. Reported by Zhe Jin from cdsrc of Qihoo 360 on 2019-11-29
- Issue 1029462: use-after-free in AudioWorklet (cdsrc2...@gmail.com)
[1039803] internal.
- Issue 1033260: Heap-use-after-free in net::VerifyWithGivenFlags (ClusterFuzz)
- Issue 889276 (Permission denied.)

79.0.3945.88 (Tuesday, December 17, 2019) 1/1 bugs

[$N/A][1031653] High CVE-2019-13767: Use after free in media picker. Reported by Sergei Glazunov of Google Project Zero on 2019-12-06
- Issue 1031653: Security: heap-use-after-free in DesktopMediaPickerController::WebContentsDestroyed (metzman@chromium.org)

79.0.3945.79 (Tuesday, December 10, 2019) 60/51 bugs

[$20000][1025067] Critical CVE-2019-13725: Use after free in Bluetooth. Reported by Gengming Liu, Jianyu Chen at Tencent Keen Security Lab on 2019-11-15
- Issue 1025067: UaF in BluetoothAdapter::OnDiscoveryChangeComplete (ifl...@gmail.com)
[$TBD][1027152] Critical CVE-2019-13726: Heap buffer overflow in password manager. Reported by Sergei Glazunov of Google Project Zero on 2019-11-21
- Issue 1027152: Security: heap-buffer-overflow in PasswordFormManager::OnGeneratedPasswordAccepted (glazunov@google.com)
[$10000][944619] High CVE-2019-13727: Insufficient policy enforcement in WebSockets. Reported by @piochu on 2019-03-21
- Issue 944619: Security: CORB not enforced for WebSocket requests (mar...@piosek.pl)
[$7500][1024758] High CVE-2019-13728: Out of bounds write in V8. Reported by Rong Jian and Guang Gong of Alpha Lab, Qihoo 360 on 2019-11-14
- Issue 1024758: Security: OOB Write in ReduceRegExpPrototypeTest (jtrrod...@gmail.com)
[$5000][1025489] High CVE-2019-13729: Use after free in WebSockets. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2019-11-16
- Issue 1025489: use-after-poison in base::internal::WeakReferenceOwner::Invalidate() (cdsrc2...@gmail.com)
[$5000][1028862] High CVE-2019-13730: Type Confusion in V8. Reported by Soyeon Park and Wen Xu at SSLab, Georgia Tech on 2019-11-27
- Issue 1028862: Trap in Builtins_InterpreterEntryTrampoline (tarafa...@gmail.com)
[$TBD][1023817] High CVE-2019-13732: Use after free in WebAudio. Reported by Sergei Glazunov of Google Project Zero on 2019-11-12
- Issue 1023817 (Permission denied.)
[$TBD][1025466] High CVE-2019-13734: Out of bounds write in SQLite. Reported by Wenxiang Qian of Tencent Blade Team on 2019-11-16
- Issue 1025466: Security: Arbitrary memory overwrites (write-what-where) by nHeight in fts3IncrmergeLoad (adetaylor@google.com)
[$TBD][1025468] High CVE-2019-13735: Out of bounds write in V8. Reported by Gengming Liu and Zhen Feng from Tencent Keen Lab on 2019-11-16
- Issue 1025468: DCHECK failure in result.NumberOfOwnDescriptors() == result.instance_descriptors().number_of_descr (wfh@chromium.org)
[$TBD][1028863] High CVE-2019-13764: Type Confusion in V8. Reported by Soyeon Park and Wen Xu at SSLab, Georgia Tech on 2019-11-26
- Issue 1028863: v8: Wrong JIT code that triggers SIGTRAP at runtime (tarafa...@gmail.com)
[$7500][1020899] Medium CVE-2019-13736: Integer overflow in PDFium. Reported by Anonymous on 2019-11-03
- Issue 1020899 (Permission denied.)
[$5000][1013882] Medium CVE-2019-13737: Insufficient policy enforcement in autocomplete. Reported by Mark Amery on 2019-10-12
- Issue 1013882: Security: Autocomplete preview text STILL leaks credit card numbers - attacker can simply override system-ui font (markrobe...@gmail.com)
[$5000][1017441] Medium CVE-2019-13738: Insufficient policy enforcement in navigation. Reported by Johnathan Norman and Daniel Clark of Microsoft Edge Team on 2019-10-23
- Issue 1017441: Sandboxed iframe Document can end up sharing execution context/type system with iframe's initial about:blank Document (dan...@microsoft.com)
[$3000][824715] Medium CVE-2019-13739: Incorrect security UI in Omnibox. Reported by xisigr of Tencent's Xuanwu Lab on 2018-03-22
- Issue 824715: Security: RTL+ space, formatting, invisible characters can lead to URL Spoofing (xis...@gmail.com)
[$2000][1005596] Medium CVE-2019-13740: Incorrect security UI in sharing. Reported by Khalil Zhani on 2019-09-19
- Issue 1005596: Security: tel: URL scheme reference origin spoof (chromium...@gmail.com)
[$2000][1011950] Medium CVE-2019-13741: Insufficient validation of untrusted input in Blink. Reported by Michał Bentkowski of Securitum on 2019-10-07
- Issue 1011950: Security: "universal" XSS via copy&paste (mic...@bentkowski.info)
[$2000][1017564] Medium CVE-2019-13742: Incorrect security UI in Omnibox. Reported by Khalil Zhani on 2019-10-24
- Issue 1017564: Security: URL bar spoofing on iOS with a very long URL (chromium...@gmail.com)
[$1000][754304] Medium CVE-2019-13743: Incorrect security UI in external protocol handling. Reported by Zhiyang Zeng of Tencent security platform department on 2017-08-10
- Issue 754304: UI Spoofing in External Protocol confirmation (zyzengst...@gmail.com)
[$1000][853670] Medium CVE-2019-13744: Insufficient policy enforcement in cookies. Reported by Prakash (@1lastBr3ath) on 2018-06-18
- Issue 853670: SameSite cookies leakage via child browsing context (prakash0...@gmail.com)
[$500][990867] Medium CVE-2019-13745: Insufficient policy enforcement in audio. Reported by Luan Herrera (@lbherrera_) on 2019-08-05
- Issue 990867: Cross-origin-read attack by using an audio tag to download a cross-origin resource (herrera...@gmail.com)
[$500][999932] Medium CVE-2019-13746: Insufficient policy enforcement in Omnibox. Reported by David Erceg on 2019-09-02
- Issue 999932: Security: Possible to spoof URL through use of document.open (derce...@gmail.com)
[$500][1018528] Medium CVE-2019-13747: Uninitialized Use in rendering. Reported by Ivan Popelyshev and André Bonatti on 2019-10-26
- Issue 1018528: Flickering WebGL with {alpha:false} on mali-400 (ivan.pop...@gmail.com)
[$N/A][993706] Medium CVE-2019-13748: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2019-08-14
- Issue 993706: Security: Possible to obtain results of queryObjects using custom devtools formatters (derce...@gmail.com)
[$N/A][1010765] Medium CVE-2019-13749: Incorrect security UI in Omnibox. Reported by Khalil Zhani on 2019-10-03
- Issue 1010765: Security: URL in Omnibox doesn't always match page content on iOS (chromium...@gmail.com)
[$TBD][1025464] Medium CVE-2019-13750: Insufficient data validation in SQLite. Reported by Wenxiang Qian of Tencent Blade Team on 2019-11-16
- Issue 1025464: Security: SQLite defense-in-depth bypass (adetaylor@google.com)
[$TBD][1025465] Medium CVE-2019-13751: Uninitialized Use in SQLite. Reported by Wenxiang Qian of Tencent Blade Team on 2019-11-16
- Issue 1025465: Security: Uninitialized memory leak by nPrefix in fts3SegReaderNext (adetaylor@google.com)
[$TBD][1025470] Medium CVE-2019-13752: Out of bounds read in SQLite. Reported by Wenxiang Qian of Tencent Blade Team on 2019-11-16
- Issue 1025470: Security: Negative size passed to memcpy() in fts3NodeAddTerm (OOB read) (adetaylor@google.com)
[$TBD][1025471] Medium CVE-2019-13753: Out of bounds read in SQLite. Reported by Wenxiang Qian of Tencent Blade Team on 2019-11-16
- Issue 1025471: Security: Negative size passed to memcpy() in fts3IncrmergePush (adetaylor@google.com)
[$500][442579] Low CVE-2019-13754: Insufficient policy enforcement in extensions. Reported by Cody Crews on 2014-12-16
- Issue 442579: It's possible to load chrome-extension:// URLs (codycrew...@gmail.com)
[$500][696208] Low CVE-2019-13755: Insufficient policy enforcement in extensions. Reported by Masato Kinugawa on 2017-02-25
- Issue 696208: Security: Chrome extension is disabled by crafted chrome-extension:// URL (masatoki...@gmail.com)
[$500][708595] Low CVE-2019-13756: Incorrect security UI in printing. Reported by Khalil Zhani on 2017-04-05
- Issue 708595: Security: Print Preview allows spoofing on other tab (chromium...@gmail.com)
[$500][884693] Low CVE-2019-13757: Incorrect security UI in Omnibox. Reported by Khalil Zhani on 2018-09-17
- Issue 884693: Security: IDN URL Spoofing with using "ы" (chromium...@gmail.com)
[$500][979441] Low CVE-2019-13758: Insufficient policy enforcement in navigation. Reported by Khalil Zhani on 2019-06-28
- Issue 979441: Security: Navigating to "chrome://" URLs on Android (chromium...@gmail.com)
[$N/A][901789] Low CVE-2019-13759: Incorrect security UI in interstitials. Reported by Wenxu Wu (@ma7h1as) of Tencent Security Xuanwu Lab on 2018-11-05
- Issue 901789: Security: Same origin policy bypass via 401 page (ma7h1a...@gmail.com)
[$N/A][1002687] Low CVE-2019-13761: Incorrect security UI in Omnibox. Reported by Khalil Zhani on 2019-09-10
- Issue 1002687: Security: Idn-spoof with using CJK character skeletons (chromium...@gmail.com)
[$N/A][1004212] Low CVE-2019-13762: Insufficient policy enforcement in downloads. Reported by csanuragjain (@csanuragjain) on 2019-09-16
- Issue 1004212: Security: Insecure Chrome download allows malicious software to change downloaded file integrity (cs.anura...@gmail.com)
[$TBD][1011600] Low CVE-2019-13763: Insufficient policy enforcement in payments. Reported by weiwangpp93 on 2019-10-05
- Issue 1011600: PaymentManager: attacker has some control over PaymentManager/PaymentInstruments of a cross-origin context (weiwangp...@gmail.com)
[1032080] internal.
- Issue 1027152: Security: heap-buffer-overflow in PasswordFormManager::OnGeneratedPasswordAccepted (glazunov@google.com)
- Issue 1028191: CHECK failure: IsValidHeapObject(isolate->heap(), HeapObject::cast(p)) in objects-debug.cc (ClusterFuzz)
- Issue 1027905 (Permission denied.)
- Issue 1027176: Check feature policy for payment in the browser. (rouslan@chromium.org)
- Issue 1025468: DCHECK failure in result.NumberOfOwnDescriptors() == result.instance_descriptors().number_of_descr (wfh@chromium.org)
- Issue 1025466: Security: Arbitrary memory overwrites (write-what-where) by nHeight in fts3IncrmergeLoad (adetaylor@google.com)
- Issue 1025463: Security: TFC2019 - Multiple issues in sqlite (Tracking Bug) (wfh@chromium.org)
- Issue 1025089: Security: Fix number of arguments being passed when setting the thread name on Windows. (awhalley@google.com)
- Issue 1023817 (Permission denied.)
- Issue 1023442: ExcludeSchemeFromRequestInitiatorSiteLockChecks bypasses GetTrustworthyInitiator (lukasza@chromium.org)
- Issue 1014607: Security: Out-of-bounds read/write in RegisterAllocationData after ResetSpillState (davidben@chromium.org)
- Issue 1025471: Security: Negative size passed to memcpy() in fts3IncrmergePush (adetaylor@google.com)
- Issue 1025470: Security: Negative size passed to memcpy() in fts3NodeAddTerm (OOB read) (adetaylor@google.com)
- Issue 1025465: Security: Uninitialized memory leak by nPrefix in fts3SegReaderNext (adetaylor@google.com)
- Issue 1025464: Security: SQLite defense-in-depth bypass (adetaylor@google.com)
- Issue 1006435: spvtools_opt_size_fuzzer: Container-overflow in spvtools::opt::Instruction::GetSingleWordOperand (ClusterFuzz)
- Issue 999188 (Permission denied.)
- Issue 974375: ClientNativePixmapDmaBuf::ImportFromDmabuf() doesn't validate buffer size (sergeyu@chromium.org)
- Issue 965765 (Permission denied.)
- Issue 961540: Heap-buffer-overflow in courgette::DisassemblerElf32ARM::ParseRelocationSection (ClusterFuzz)
- Issue 1016703: DCHECK failure in static_cast<unsigned>(index) < static_cast<unsigned>(capacity()) in fixed-array- (ClusterFuzz)
- Issue 981100: Security: ChromeVox exposes browser text from locked screen (alekseyb@google.com)
- Issue 856927: Omnibox with URL is displayed on NTP when forward history is browsed with Wifi or Mobile network disabled. (vbarig...@chromium.org)

78.0.3904.108 (Monday, November 18, 2019) 5/5 bugs

[$TBD][1024121] High CVE-2019-13723: Use-after-free in Bluetooth. Reported by Yuxiang Li (@Xbalien29) of Tencent Blade Team on 2019-11-13
- Issue 1024121: Heap-use-after-free in WebBluetoothServiceImpl (xbalie...@gmail.com)
[$TBD][1024116] High CVE-2019-13724: Out-of-bounds access in Bluetooth. Reported by Yuxiang Li (@Xbalien29) of Tencent Blade Team on 2019-11-13
- Issue 1024116: Out-of-bounds access in WebBluetoothServiceImpl (xbalie...@gmail.com)
[1025968] internal.

78.0.3904.97 (Wednesday, November 6, 2019) 4/4 bugs

[1021723] internal.

78.0.3904.87 (Thursday, October 31, 2019) 2/2 bugs

[$7500][1013868] High CVE-2019-13721: Use-after-free in PDFium. Reported by banananapenguin on 2019-10-12
- Issue 1013868: Security: heap-use-after-free in CPDF_AnnotList::CPDF_AnnotList (bananana...@gmail.com)
[$TBD][1019226] High CVE-2019-13720: Use-after-free in audio. Reported by Anton Ivanov and Alexey Kulaev at Kaspersky Labs on 2019-10-29
- Issue 1019226: Security - UAF in OfflineAudioContext (ivanov.a...@gmail.com)

78.0.3904.70 (Tuesday, October 22, 2019) 40/37 bugs

[$20000][1001503] High CVE-2019-13699: Use-after-free in media. Reported by Man Yue Mo of Semmle Security Research Team on 2019-09-06
- Issue 1001503: Security: UaF in Aura (m...@semmle.com)
[$15000][998431] High CVE-2019-13700: Buffer overrun in Blink. Reported by Man Yue Mo of Semmle Security Research Team on 2019-08-28
- Issue 998431: Security: Accessing set::end in GamepadService (m...@semmle.com)
[$1000][998284] High CVE-2019-13701: URL spoof in navigation. Reported by David Erceg on 2019-08-27
- Issue 998284: Security: Possible to temporarily spoof URL by navigating back then forward (derce...@gmail.com)
[$5000][1007194] High CVE-2019-13765: Use-after-free in content delivery manager. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2019-09-24
- Issue 1007194: Security: Use after free in MojoCdmProxyService (higonggu...@gmail.com)
[$5000][1007194] High CVE-2019-13765: Use-after-free in content delivery manager. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2019-09-24
- Issue 1007194: Security: Use after free in MojoCdmProxyService (higonggu...@gmail.com)
[$5000][991125] Medium CVE-2019-13702: Privilege elevation in Installer. Reported by Phillip Langlois (phillip.langlois@nccgroup.com) and Edward Torkington (edward.torkington@nccgroup.com), NCC Group on 2019-08-06
- Issue 991125: Security: Privilege Elevation via Google Chrome Elevation Service (phillip....@nccgroup.trust)
[$3000][992838] Medium CVE-2019-13703: URL bar spoofing. Reported by Khalil Zhani on 2019-08-12
- Issue 992838: Security: URL bar spoofing on Android with a very long URL (chromium...@gmail.com)
[$3000][1001283] Medium CVE-2019-13704: CSP bypass. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-09-05
- Issue 1001283: CSP bypass with about:srcdoc (jun.koka...@microsoft.com)
[$2000][989078] Medium CVE-2019-13705: Extension permission bypass. Reported by Luan Herrera (@lbherrera_) on 2019-07-30
- Issue 989078: Reading local files and cross-origin resources through an extension that only has the "downloads" permission (herrera...@gmail.com)
[$2000][1001159] Medium CVE-2019-13706: Out-of-bounds read in PDFium. Reported by pdknsk on 2019-09-05
- Issue 1001159: pdfium: oob read in PDF_DecodeText (pdknsk@gmail.com)
[$1000][859349] Medium CVE-2019-13707: File storage disclosure. Reported by Andrea Palazzo on 2018-07-01
- Issue 859349: Security: Confused deputy attack against Chrome Android application might lead to internal storage file disclosure (andrea.p...@truel.it)
[$1000][931894] Medium CVE-2019-13708: HTTP authentication spoof. Reported by Khalil Zhani on 2019-02-13
- Issue 931894: Security: http authentication spoof on chrome iOS (chromium...@gmail.com)
[$1000][1005218] Medium CVE-2019-13709: File download protection bypass. Reported by Zhong Zhaochen of andsecurity.cn on 2019-09-18
- Issue 1005218: Security: Multiple file download protection bypass 2 (tiebuc...@gmail.com)
[$500][756825] Medium CVE-2019-13710: File download protection bypass. Reported by bernardo.mrod on 2017-08-18
- Issue 756825: Chrome automatically downloads certain files even though the "Ask before downloading" option is enabled (bernardo...@gmail.com)
[$500][986063] Medium CVE-2019-13711: Cross-context information leak. Reported by David Erceg on 2019-07-20
- Issue 986063: Security: Calling console utility functions causes data to be shared between contexts (derce...@gmail.com)
[$500][1004341] Medium CVE-2019-15903: Buffer overflow in expat. Reported by Sebastian Pipping on 2019-09-16
- Issue 1004341: Security: Upgrade expat to 2.2.8 (adetaylor@google.com)
[$N/A][993288] Medium CVE-2019-13713: Cross-origin data leak. Reported by David Erceg on 2019-08-13
- Issue 993288: Security: Possible to read cross-origin data using debug console utility function (derce...@gmail.com)
[$2000][982812] Low CVE-2019-13714: CSS injection. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-07-10
- Issue 982812: CSS injection in any website using Color Enhancer extension (jun.koka...@microsoft.com)
[$500][760855] Low CVE-2019-13715: Address bar spoofing. Reported by xisigr of Tencent's Xuanwu Lab on 2017-08-31
- Issue 760855: Security: Address bar RTL spoofing using hebrew (xis...@gmail.com)
[$500][1005948] Low CVE-2019-13716: Service worker state error. Reported by Barron Hagerman on 2019-09-19
- Issue 1005948: Security: Headers are processed for aborted requests when passed through service worker (barron.h...@banno.com)
[$N/A][839239] Low CVE-2019-13717: Notification obscured. Reported by xisigr of Tencent's Xuanwu Lab on 2018-05-03
- Issue 839239: Security: Fullscreen notification can be obscured by external protocol prompt (xis...@gmail.com)
[$N/A][866162] Low CVE-2019-13718: IDN spoof. Reported by Khalil Zhani on 2018-07-20
- Issue 866162: Security: IDN URL Spoofing with Greek Letter (chromium...@gmail.com)
[$N/A][927150] Low CVE-2019-13719: Notification obscured. Reported by Khalil Zhani on 2019-01-31
- Issue 927150: Security: 'Press Esc to exit fullscreen' covered up by <select> (chromium...@gmail.com)
[1016016] internal.
- Issue 1003313 (Permission denied.)
- Issue 993415: Use-after-poison in blink::Node::EnsureEventTargetData (ClusterFuzz)
- Issue 969420 (Permission denied.)
- Issue 1011551 (Permission denied.)
- Issue 1006544: Use-of-uninitialized-value in gfx::CubicBezier::SolveCurveX (ClusterFuzz)
- Issue 1004341: Security: Upgrade expat to 2.2.8 (adetaylor@google.com)
- Issue 997401: CHECK failure: U_SUCCESS(status) in intl-objects.cc (ClusterFuzz)
- Issue 996786: Check cookie domain on setting cookies (chlily@chromium.org)
- Issue 995591: IndexedDB: GetDatabaseInfo() should check AllowIndexedDB() before issuing a request to the browser (c...@chromium.org)
- Issue 993266: blink_png_decoder_fuzzer: Heap-buffer-overflow in blink::PNGImageDecoder::RowAvailable (ClusterFuzz)
- Issue 989909: Accessors created from FunctionTemplate have the wrong native context (szuend@chromium.org)
- Issue 988219 (Permission denied.)
- Issue 985499: third_party/liblouis version 3.2.0 is vulnerable (mmoroz@chromium.org)
- Issue 961614 (Permission denied.)
- Issue 775511 (Permission denied.)
- Issue 955191: Disk cache refcount overflows? (mpdenton@google.com)
- Issue 951262: Crash in rr::optimize (ClusterFuzz)

None (Thursday, October 10, 2019) 3/8 bugs

[1011875] internal.

None (Wednesday, September 18, 2019) 4/4 bugs

[$TBD][1000934] Critical CVE-2019-13685: Use-after-free in UI. Reported by Khalil Zhani on 2019-09-05
- Issue 1000934: Security: Heap-use-after-free in SharingDialogView::WindowClosing() (chromium...@gmail.com)
[$20000][995964] High CVE-2019-13688: Use-after-free in media. Reported by Man Yue Mo of Semmle Security Research Team on 2019-08-20
- Issue 995964: Security: UAF in InProcessVideoCaptureDeviceLauncher (m...@semmle.com)
[$20000][998548] High CVE-2019-13687: Use-after-free in media. Reported by Man Yue Mo of Semmle Security Research Team on 2019-08-28
- Issue 998548: Security: UaF in ImageCapture (m...@semmle.com)
[$TBD][1000002] High CVE-2019-13686: Use-after-free in offline pages. Reported by Brendon Tiszka on 2019-09-02
- Issue 1000002: Security: OfflinePageAutoFetcher UAF 2 (btis...@gmail.com)

77.0.3865.75 (Tuesday, September 10, 2019) 54/54 bugs

[$30000][999311] Critical CVE-2019-5870: Use-after-free in media. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2019-08-29
- Issue 999311: Security: Use after free in MojoCdmService (awhalley@google.com)
[$10000][989969] Critical CVE-2019-13766: Use-after-free in accessibility. Reported by Pawel Wylecial of REDTEAM.PL on 2019-08-01
- Issue 989969 (Permission denied.)
[$10000][989969] Critical CVE-2019-13766: Use-after-free in accessibility. Reported by Pawel Wylecial of REDTEAM.PL on 2019-08-01
- Issue 989969 (Permission denied.)
[$7500][990570] High CVE-2019-5871: Heap overflow in Skia. Reported by Anonymous on 2019-08-03
- Issue 990570 (Permission denied.)
[$3000][989497] High CVE-2019-5873: URL bar spoofing on iOS. Reported by Khalil Zhani on 2019-07-31
- Issue 989497: Security: URL bar spoofing on iOS (with SlimNav ON) (chromium...@gmail.com)
[$3000][989797] High CVE-2019-5874: External URIs may trigger other browsers. Reported by James Lee (@Windowsrcer) on 2019-08-01
- Issue 989797 (Permission denied.)
[$2000][979443] High CVE-2019-5875: URL bar spoof via download redirect. Reported by Khalil Zhani on 2019-06-28
- Issue 979443: Security: URL bar spoofing via download redirect (chromium...@gmail.com)
[$3000][966914] High CVE-2019-13691: Omnibox spoof. Reported by David Erceg on 2019-05-24
- Issue 966914: Security: Possible to spoof the contents of the omnibox to display any http/https URL, some extension URLs and some internal URLs (derce...@gmail.com)
[$5000][991888] High CVE-2019-13692: SOP bypass. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-08-08
- Issue 991888: SOP & Site Isolation bypass with Reader mode (jun.koka...@microsoft.com)
[$20000][997190] High CVE-2019-5876: Use-after-free in media. Reported by Man Yue Mo of Semmle Security Research Team on 2019-08-23
- Issue 997190: Security: UaF in MediaSession, Android only (m...@semmle.com)
[$10000][999310] High CVE-2019-5877: Out-of-bounds access in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2019-08-29
- Issue 999310: Security: OOB Access in V8 (awhalley@google.com)
[$N/A][1000217] High CVE-2019-5878: Use-after-free in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2019-09-03
- Issue 1000217: Security: Potential UAF in Isolate::ReportPendingMessagesImpl (higonggu...@gmail.com)
[$3000][986043] Medium CVE-2019-5879: Extensions can read some local files. Reported by Jinseo Kim on 2019-07-20
- Issue 986043: Security: Malicious Extension can ignore SOP, with only downloads permission. (contact@kjsman.me)
[$2000][831725] Medium CVE-2019-5880: SameSite cookie bypass. Reported by Jun Kokatsu (@shhnjk) on 2018-04-11
- Issue 831725: SameSite cookie bypass via prerender (s.h.h.n....@gmail.com)
[$1000][868846] Medium CVE-2019-13659: URL spoof. Reported by Lnyas Zhang on 2018-07-30
- Issue 868846: Security: URL spoof using CJK combining character (U+3099 U+309A) (zxyrz...@gmail.com)
[$1000][882363] Medium CVE-2019-13660: Full screen notification overlap. Reported by Wenxu Wu (@ma7h1as) of Tencent Security Xuanwu Lab on 2018-09-10
- Issue 882363: Security: fullscreen notification overlap (ma7h1a...@gmail.com)
[$1000][882812] Medium CVE-2019-13661: Full screen notification spoof. Reported by Wenxu Wu (@ma7h1as) of Tencent Security Xuanwu Lab on 2018-09-11
- Issue 882812: Security: fullscreen notification spoof (registerProtocolHandler) (ma7h1a...@gmail.com)
[$1000][967780] Medium CVE-2019-13662: CSP bypass. Reported by David Erceg on 2019-05-28
- Issue 967780: Security: Code run by redirecting same-origin download to a javascript: URL gains user activation and bypasses CSP (derce...@gmail.com)
[$500][863661] Medium CVE-2019-13663: IDN spoof. Reported by Lnyas Zhang on 2018-07-14
- Issue 863661: Security:IDN url spoofing using U+4e00 (zxyrz...@gmail.com)
[$500][915538] Medium CVE-2019-13664: CSRF bypass. Reported by thomas "zemnmez" shadwell on 2018-12-16
- Issue 915538: Security: Origin header-based CSRF protection bypass (tshadw...@justin.tv)
[$500][959640] Medium CVE-2019-13665: Multiple file download protection bypass. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-05-05
- Issue 959640: Multiple file download protection bypass (jun.koka...@microsoft.com)
[$500][960305] Medium CVE-2019-13666: Side channel using storage size estimate. Reported by Tom Van Goethem from imec-DistriNet, KU Leuven on 2019-05-07
- Issue 960305: Security: storage estimate allows obtaining size of cached cross-origin resource (tomvango...@gmail.com)
[$500][973056] Medium CVE-2019-13667: URI bar spoof when using external app URIs. Reported by Khalil Zhani on 2019-06-11
- Issue 973056: URL is updated incorrectly when navigating to external app urls (srikanthg@chromium.org)
[$500][986393] Medium CVE-2019-13668: Global window leak via console. Reported by David Erceg on 2019-07-22
- Issue 986393: Security: Possible to leak global window object via console (derce...@gmail.com)
[$N/A][968451] Medium CVE-2019-13669: HTTP authentication spoof. Reported by Khalil Zhani on 2019-05-30
- Issue 968451: Security: http authentication spoof (repro issue 928974) (chromium...@gmail.com)
[$N/A][980891] Medium CVE-2019-13670: V8 memory corruption in regex. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2019-07-03
- Issue 980891: Security: CSA_ASSERT failed: IsRegularHeapObjectSize(size_in_bytes) (higonggu...@gmail.com)
[$1000][696454] Medium CVE-2019-13671: Dialog box fails to show origin. Reported by xisigr of Tencent's Xuanwu Lab on 2017-02-27
- Issue 696454: Security: Filesystem dialog box to cover the self-window and no origin for spoof (xis...@gmail.com)
[$500][997925] Medium CVE-2019-13673: Cross-origin information leak using devtools. Reported by David Erceg on 2019-08-26
- Issue 997925: Security: Possible to retrieve cross-origin data in certain cases using devtools custom formatters (derce...@gmail.com)
[$500][896533] Low CVE-2019-13674: IDN spoofing. Reported by Khalil Zhani on 2018-10-18
- Issue 896533: Security: IDN URL Spoofing with Georgian Letter Jil "ძ" (chromium...@gmail.com)
[$500][929578] Low CVE-2019-13675: Extensions can be disabled by trailing slash. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-02-07
- Issue 929578: Any extension can be disbled by simply adding a trailing slash (jun.koka...@microsoft.com)
[$N/A][875178] Low CVE-2019-13676: Google URI shown for certificate warning. Reported by Wenxu Wu (@ma7h1as) of Tencent Security Xuanwu Lab on 2018-08-17
- Issue 875178: Security: spoof google via onbeforeunload of ssl error page (ma7h1a...@gmail.com)
[$500][939108] Low CVE-2019-13677: Chrome web store origin needs to be isolated. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-03-06
- Issue 939108: Isolate chrome.google.com from *.google.com (jun.koka...@microsoft.com)
[$500][946633] Low CVE-2019-13678: Download dialog spoofing. Reported by Ronni Skansing on 2019-03-27
- Issue 946633: Security: Download dialog spoofing (rskans...@gmail.com)
[$N/A][968914] Low CVE-2019-13679: User gesture needed for printing. Reported by Conrad Irwin, Superhuman on 2019-05-31
- Issue 968914: this.print() should required a user gesture (con...@superhuman.com)
[$500][969684] Low CVE-2019-13680: IP address spoofing to servers. Reported by Thijs Alkemade from Computest on 2019-06-03
- Issue 969684 (Permission denied.)
[$500][970378] Low CVE-2019-13681: Bypass on download restrictions. Reported by David Erceg on 2019-06-04
- Issue 970378: Security: Sites can bypass restrictions on multiple downloads by redirecting page to about:srcdoc (derce...@gmail.com)
[$3000][971917] Low CVE-2019-13682: Site isolation bypass. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-06-07
- Issue 971917: Site Isolation: Multiple restriction bypasses in registerProtocolHandler (jun.koka...@microsoft.com)
[$N/A][987502] Low CVE-2019-13683: Exceptions leaked by devtools. Reported by David Erceg on 2019-07-25
- Issue 987502: Security: Possible to leak exceptions across contexts via devtools (derce...@gmail.com)
[1002279] internal.
- Issue 997057: Heap-use-after-free in v8::internal::compiler::ConstantFoldingReducer::Reduce (ClusterFuzz)
- Issue 996741: Security: Site Isolation bypass and local file disclosure via Payment Handler API (glazunov@google.com)
- Issue 992914: Security: v8 Map migration doesn't respect element kinds changes, leading to type confusion (saelo@google.com)
- Issue 981573: Use-of-uninitialized-value in blink::PaintLayerScrollableArea::InvalidateAllStickyConstraints (ClusterFuzz)
- Issue 980226: Crash in Builtins_GetPropertyWithReceiver (ClusterFuzz)
- Issue 974354: GpuMemoryBufferImplIOSurface doesn't validate handle (sergeyu@chromium.org)
- Issue 971904: Heap-use-after-free in content::GpuChildThread::QuitMainMessageLoop (ClusterFuzz)
- Issue 964938: Use-of-uninitialized-value in ui::SolveLeastSquares (ClusterFuzz)
- Issue 946978 (Permission denied.)
- Issue 946351 (Permission denied.)
- Issue 981597: Pointer lock propagates user activation to sandboxed frame (hexed@google.com)
- Issue 981459: Bad-cast to blink::LayoutEmbeddedContent from blink::LayoutNGBlockFlow in blink::ToLayoutEmbeddedContent (ClusterFuzz)
- Issue 979373: Security DCHECK failure: line_layout_item.IsLayoutInline() || line_layout_item.IsEqual(this) in layout_bl (ClusterFuzz)
- Issue 973628: Don't rewrite about:srcdoc into chrome://srcdoc (just as we make an exception for about:blank) (lukasza@chromium.org)
- Issue 960354 (Permission denied.)
- Issue 953516: Potential map end() access in MojoMjpegDecodeAcceleratorService (och...@chromium.org)

76.0.3809.132 (Monday, August 26, 2019) 3/3 bugs

[$5500][978793] High CVE-2019-5869: Use-after-free in Blink. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2019-06-26
- Issue 978793: UAP in UpdatePlaceholderImage (cdsrc2...@gmail.com)
[997760] internal.
- Issue 989305: Bad-cast to blink::LayoutBoxModelObject from invalid vptr in blink::LayoutBlockFlow::AddOverhangingFloats (ClusterFuzz)
- Issue 986211: Heap-buffer-overflow in net::SpdyReadQueue::Dequeue (ClusterFuzz)

76.0.3809.100 (Tuesday, August 6, 2019) 4/4 bugs

[$5000][983867] High CVE-2019-5868: Use-after-free in PDFium ExecuteFieldAction. Reported by banananapenguin on 2019-07-14
- Issue 983867: Security: Use-after-free in CPDFSDK_ActionHandler::ExecuteFieldAction (bananana...@gmail.com)
[$TBD][984344] Medium CVE-2019-5867: Out-of-bounds read in V8. Reported by Lucas Pinheiro, Microsoft Browser Vulnerability Research on 2019-07-15
- Issue 984344: V8 Invalid Read in v8::internal::HeapObject::IsHeapNumber (lupin...@microsoft.com)
[991355] internal.
- Issue 977341: heap-use-after-free : GrTextBlobCache::purgeStaleBlobs (crash-fe...@system.gserviceaccount.com)
- Issue 987270: audio_decoder_fuzzer: Use-of-uninitialized-value in wav_parse_bext_string (ClusterFuzz)

76.0.3809.87 (Tuesday, July 30, 2019) 41/43 bugs

[$10000][977462] High CVE-2019-5850: Use-after-free in offline page fetcher. Reported by Brendon Tiszka on 2019-06-21
- Issue 977462: Security: UAF in OfflinePageAutoFetcher::CancelSchedule (btis...@gmail.com)
[$6000][956947] High CVE-2019-5860: Use-after-free in PDFium. Reported by Anonymous on 2019-04-26
- Issue 956947: Heap-use-after-free in CPDF_ShadingPattern::Load() (chamal.d...@gmail.com)
[$3000][976627] High CVE-2019-5853: Memory corruption in regexp length check. Reported by yngwei(@yngweijw) of IIE Varas and sakura(@eternalsakura13) of Tecent Xuanwu Lab on 2019-06-19
- Issue 976627: v8 crash on regexp length check (yngwe...@gmail.com)
[$3000][977107] High CVE-2019-5851: Use-after-poison in offline audio context. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2019-06-20
- Issue 977107: UAP in offline audio context (cdsrc2...@gmail.com)
[$TBD][959438] High CVE-2019-5859: Some URIs can load alternative browsers. Reported by James Lee (@Windowsrcer) of Kryptos Logic on 2019-05-03
- Issue 959438 (Permission denied.)
[$5000][964245] Medium CVE-2019-5856: Insufficient checks on filesystem: URI permissions. Reported by Yongke Wang of Tencent's Xuanwu Lab (xlab.tencent.com) on 2019-05-17
- Issue 964245: Site Isolation breaking bug in filesystem (wykcompu...@gmail.com)
[$N/A][943494] Medium CVE-2019-5863: Use-after-free in WebUSB on Windows. Reported by Yuxiang Li (@Xbalien29) of Tencent Blade Team on 2019-03-19
- Issue 943494: Security: UAF on WebUSB (Windows, windows_usb.c) (xbalie...@gmail.com)
[$N/A][964872] Medium CVE-2019-5855: Integer overflow in PDFium. Reported by Zhen Zhou of NSFOCUS Security Team on 2019-05-20
- Issue 964872: Security: signed-integer-overflow in FX_RECT::Height (zhouzhen...@gmail.com)
[$TBD][973103] Medium CVE-2019-5865: Site isolation bypass from compromised renderer. Reported by Ivan Fratric of Google Project Zero on 2019-06-11
- Issue 973103: Security: site isolation bypass: request headers overwrite via URLLoader::FollowRedirect (ifratric@google.com)
[$500][960209] Low CVE-2019-5858: Insufficient filtering of Open URL service parameters. Reported by evi1m0 of Bilibili Security Team on 2019-05-07
- Issue 960209: Chrome CORS Causes Unauthorized File Download and Arbitrary File Execution on macOS (evi1m0.bat@gmail.com)
[$500][936900] Low CVE-2019-5864: Insufficient port filtering in CORS for extensions. Reported by Devin Grindle on 2019-02-28
- Issue 936900: Security: CORS issue with Chrome Extensions (grindl...@gmail.com)
[$TBD][946260] Low CVE-2019-5862: AppCache not robust to compromised renderers. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-03-26
- Issue 946260: AppCache can be registered to arbitrary site with renderer compromise (jun.koka...@microsoft.com)
[$TBD][951525] Low CVE-2019-5861: Click location incorrectly checked. Reported by Robin Linus ( robinlinus.com ) on 2019-04-10
- Issue 951525: Security: IntersectionObserver V2 fails for CSS property scale transform (ueberl...@gmail.com)
[$N/A][961237] Low CVE-2019-5857: Comparison of -0 and null yields crash. Reported by cloudfuzzer on 2019-05-09
- Issue 961237: Security: jit difference on comparison in d8 (cloudfuz...@gmail.com)
[$N/A][966263] Low CVE-2019-5854: Integer overflow in PDFium text rendering. Reported by Zhen Zhou of NSFOCUS Security Team on 2019-05-23
- Issue 966263: Security: signed integer overflow in CPDF_RenderStatus::ProcessType3Text (zhouzhen...@gmail.com)
[$TBD][976713] Low CVE-2019-5852: Object leak of utility functions. Reported by David Erceg on 2019-06-19
- Issue 976713: Security: Possible to leak internal objects like arrayBufferConstructor_DoNotInitialize and InternalPackedArray via console utility functions (derce...@gmail.com)
[988889] internal.

75.0.3770.142 (Monday, July 15, 2019) 3/3 bugs

[$TBD][972921] High CVE-2019-5847: V8 sealed/frozen elements cause crash. Reported by m3plex on 2019-06-11
- Issue 972921: Security: v8 dcheck failure and fatal error (th3m...@gmail.com)
[$TBD][951487] Medium CVE-2019-5848: Font sizes may expose sensitive information. Reported by Mark Amery on 2019-04-10
- Issue 951487: Security: Two autocomplete flaws STILL allow stealing credit card numbers (mark.am...@shielddx.com)
[$TBD][978382] Medium CVE-2019-5866: Incorrect heap object handling in V8. Reported by Zhiyi Zhang and Zhunki from Codesafe Team of Legendsec at Qi'anxin Group on 2019-06-25
- Issue 978382: Incorrect heap object handling in v8 (vulb...@gmail.com)

75.0.3770.100 (Tuesday, June 18, 2019) 0/0 bugs

75.0.3770.90 (Thursday, June 13, 2019) 1/1 bugs

[$N/A][961413] High CVE-2019-5842: Use-after-free in Blink. Reported by BUGFENSE Anonymous Bug Bounties https://bugfense.io on 2019-05-09
- Issue 961413: Use-after-poison in blink::xpath::Expression::AddSubExpression (ClusterFuzz)

75.0.3770.80 (Tuesday, June 4, 2019) 45/47 bugs

[$5000][956597] High CVE-2019-5828: Use after free in ServiceWorker. Reported by leecraso of Beihang University and Guang Gong of Alpha Team, Qihoo 360 on 2019-04-25
- Issue 956597: Security: UAF in ServiceWorkerPaymentInstrument (leecraso@gmail.com)
[$500][958533] High CVE-2019-5829: Use after free in Download Manager. Reported by Lucas Pinheiro, Microsoft Browser Vulnerability Research on 2019-05-01
- Issue 958533 (Permission denied.)
[$TBD][665766] Medium CVE-2019-5830: Incorrectly credentialed requests in CORS. Reported by Andrew Krasichkov, Yandex Security Team on 2016-11-16
- Issue 665766: Change on the credentials mode on redirect specified by the CORS algorithm should be propagated to net/ (dhar...@gmail.com)
[$TBD][950328] Medium CVE-2019-5831: Incorrect map processing in V8. Reported by yngwei(JiaWei, Yin) of IIE Varas and sakura of Tecent Xuanwu Lab on 2019-04-07
- Issue 950328: v8 crash on map-check (yngwe...@gmail.com)
[$TBD][959390] Medium CVE-2019-5832: Incorrect CORS handling in XHR. Reported by Sergey Shekyan (Shape Security) on 2019-05-03
- Issue 959390: Security: Access-Control-Expose-Headers is not honored for redirects (shek...@gmail.com)
[$N/A][945067] Medium CVE-2019-5833: Inconsistent security UI placement. Reported by Khalil Zhani on 2019-03-23
- Issue 945067 (Permission denied.)
[$N/A][962368] Medium CVE-2019-5834: URL spoof in Omnibox on iOS. Reported by Khalil Zhani on 2019-05-13
- Issue 962368: Security: Wrong url in omnibox on iOS (URL spoof) (chromium...@gmail.com)
[$1000][939239] Medium CVE-2019-5835: Out of bounds read in Swiftshader. Reported by Wenxiang Qian of Tencent Blade Team on 2019-03-07
- Issue 939239: Arbitrary Read in swiftshader (leonwxq...@gmail.com)
[$1000][947342] Medium CVE-2019-5836: Heap buffer overflow in Angle. Reported by Omair on 2019-03-29
- Issue 947342: Security: heap-buffer-overflow TextureD3D_2DArray::getImage (om...@krash.in)
[$500][918293] Medium CVE-2019-5837: Cross-origin resources size disclosure in Appcache . Reported by Adam Iwaniuk on 2018-12-30
- Issue 918293: Security: Cross origin resource size infoleak (adamiwan...@gmail.com)
[$N/A][954891] Medium CVE-2019-5849: Out-of-bounds read in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2019-04-22
- Issue 954891: Security: OOB Read in ReflexHash::checkTriangle (zhouzhen...@gmail.com)
[$500][893087] Low CVE-2019-5838: Overly permissive tab access in Extensions. Reported by David Erceg on 2018-10-08
- Issue 893087: Security: pageCapture permission allows access to arbitrary local files and chrome:// pages (derce...@gmail.com)
[$500][925614] Low CVE-2019-5839: Incorrect handling of certain code points in Blink. Reported by Masato Kinugawa on 2019-01-26
- Issue 925614: protocol property of URL including specific character doesn't return correct value (masatoki...@gmail.com)
[$N/A][951782] Low CVE-2019-5840: Popup blocker bypass. Reported by Eliya Stein, Jerome Dangu on 2019-04-11
- Issue 951782: Security: Pop-Up blocker bypass via race condition (el...@confiant.com)
[970244] internal.

74.0.3729.169 (Tuesday, May 21, 2019) 0/0 bugs

74.0.3729.157 (Tuesday, May 14, 2019) 1/0 bugs

[963080] internal.
- Issue 951322: Crash in v8::internal::Simulator::LoadStorePairHelper (ClusterFuzz)

74.0.3729.131 (Tuesday, April 30, 2019) 1/2 bugs

[$500][952406] High CVE-2019-5827: Out-of-bounds access in SQLite. Reported by mlfbrown on 2019-04-12
- Issue 952406: Security: Possible OOB related to chrome_sqlite3_malloc (mlfbr...@stanford.edu)

74.0.3729.108 (Tuesday, April 23, 2019) 42/39 bugs

[$3000][913320] High CVE-2019-5805: Use after free in PDFium. Reported by Anonymous on 2018-12-10
- Issue 913320: Heap-use-after-free in CPDF_ShadingPattern::Load() (chamal.d...@gmail.com)
[$3000][943087] High CVE-2019-5806: Integer overflow in Angle. Reported by Wen Xu of SSLab, Georgia Tech on 2019-03-18
- Issue 943087: Integer overflow in libANGLE that results in memory corruption in GPU process (tarafa...@gmail.com)
[$3000][945644] High CVE-2019-5807: Memory corruption in V8. Reported by TimGMichaud of Leviathan Security Group. on 2019-03-26
- Issue 945644: Security: Failed Debug Check in src/compiler/verifier.cc, line 121 (tmm...@acu.edu)
[$3000][947029] High CVE-2019-5808: Use after free in Blink. Reported by cloudfuzzer on 2019-03-28
- Issue 947029: Security: heap-use-after-free in SMILTimeContainer::UpdateAnimations() (cloudfuz...@gmail.com)
[$N/A][941008] High CVE-2019-5809: Use after free in Blink. Reported by Mark Brand of Google Project Zero on 2019-03-12
- Issue 941008: Security: UAF in FileChooserImpl (markbrand@google.com)
[$2000+$1,337][916838] Medium CVE-2019-5810: User information disclosure in Autofill. Reported by Mark Amery on 2018-12-20
- Issue 916838: Security: Two autocomplete flaws together allow sites to invisibly read credit card numbers after a single keypress (mark.am...@shielddx.com)
[$2000][771815] Medium CVE-2019-5811: CORS bypass in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-10-04
- Issue 771815 (Permission denied.)
[$2000][925598] Medium CVE-2019-5812: URL spoof in Omnibox on iOS. Reported by Khalil Zhani on 2019-01-26
- Issue 925598: Security: URL bar spoofing on iOS (repro issue 844881) (chromium...@gmail.com)
[$2000][942699] Medium CVE-2019-5813: Out of bounds read in V8. Reported by Aleksandar Nikolic of Cisco Talos on 2019-03-15
- Issue 942699: Security: Google V8 Array.prototype Memory Corruption Vulnerability (TALOS-2019-0791) (regiw...@sourcefire.com)
[$1000][930057] Medium CVE-2019-5814: CORS bypass in Blink. Reported by @AaylaSecura1138 on 2019-02-08
- Issue 930057: Security: CORS policy not applied for bitmap canvases loaded without CORS support (aayla.se...@gmail.com)
[$1000][930663] Medium CVE-2019-5815: Heap buffer overflow in Blink. Reported by Nicolas Grégoire, Agarri on 2019-02-11
- Issue 930663: Security: READ heap-buffer-overflow in libxslt (type confusion?) (nicolas....@agarri.fr)
[$1000][940245] Medium CVE-2019-5816: Exploit persistence extension on Android. Reported by Yongke Wang of Tencent's Xuanwu Lab (xlab.tencent.com) on 2019-03-10
- Issue 940245: Security: Security: Chrome renderer process persistence bug on android (wykcompu...@gmail.com)
[$1000][943709] Medium CVE-2019-5817: Heap buffer overflow in Angle on Windows. Reported by Wen Xu of SSLab, Georgia Tech on 2019-03-19
- Issue 943709: libANGLE heap-buffer-overflow triggered by WebGL2 on Windows 10 (tarafa...@gmail.com)
[$500][929962] Medium CVE-2019-5818: Uninitialized value in media reader. Reported by Adrian Tolbaru on 2019-02-08
- Issue 929962: Code review: ReadBits may return uninitialized value due to unchecked return status. (adtol...@microsoft.com)
[$N/A][919356] Medium CVE-2019-5819: Incorrect escaping in developer tools. Reported by Svyat Mitin on 2019-01-06
- Issue 919356: Security: RCE via "copy as curl" on mac (watashiw...@gmail.com)
[$N/A][919635] Medium CVE-2019-5820: Integer overflow in PDFium. Reported by pdknsk on 2019-01-07
- Issue 919635: pdfium: signed-integer-overflow in CFX_RenderDevice::DrawNormalText (pdknsk@gmail.com)
[$N/A][919640] Medium CVE-2019-5821: Integer overflow in PDFium. Reported by pdknsk on 2019-01-07
- Issue 919640: pdfium: signed-integer-overflow in CFX_AggDeviceDriver::StretchDIBits (pdknsk@gmail.com)
[$500][926105] Low CVE-2019-5822: CORS bypass in download manager. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-01-29
- Issue 926105: Framebusting protection bypass because a download redirected cross-origin gets processed as a main frame navigation (jun.koka...@microsoft.com)
[$500][930154] Low CVE-2019-5823: Forced navigation from service worker. Reported by David Erceg on 2019-02-08
- Issue 930154: Security: Possible to override browser-initiated navigation using WindowClient.navigate (derce...@gmail.com)
[955186] internal.
- Issue 949015: Bad-cast to blink::LayoutObject from invalid vptr in blink::SVGResources::LayoutIfNeeded (ClusterFuzz)
- Issue 944971: Security: OOB memory access in v8 regexp (wfh@chromium.org)
- Issue 941008: Security: UAF in FileChooserImpl (markbrand@google.com)
- Issue 940205: Heap-use-after-free in renameTokenCheckAll (ClusterFuzz)
- Issue 939316: V8: Turbofan may read a Map pointer out-of-bounds when optimizing Reflect.construct (saelo@google.com)
- Issue 931949: Security: Type confusion in JSPromise::TriggerPromiseReactions (meacer@google.com)
- Issue 927982: Heap-use-after-free in egl::Surface::deleteResources (ClusterFuzz)
- Issue 923654: Heap-use-after-free in media_router::WebContentsDisplayObserverView::OnBrowserSetLastActive (ClusterFuzz)
- Issue 908669: Bad-free in base::internal::BindState<void (ClusterFuzz)
- Issue 937663: Use-of-uninitialized-value in mov_read_dfla (ClusterFuzz)
- Issue 932867: Stack-buffer-overflow in sw::Shader::analyzeCallSites (ClusterFuzz)
- Issue 929521: Crash in metrics::CallStackProfile_Location* google::protobuf::Arena::CreateMaybeMessage< (ClusterFuzz)
- Issue 928223: Crash in base::RunLoop::Run (ClusterFuzz)
- Issue 928138: Crash in base::CreateThread (ClusterFuzz)
- Issue 928051: Crash in base::Thread::ThreadMain (ClusterFuzz)
- Issue 928044: Crash in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run (ClusterFuzz)
- Issue 928014: Crash in base::FilePath::FilePath (ClusterFuzz)
- Issue 927849: is_corb_enabled=false for requests from shared workers (lukasza@chromium.org)
- Issue 927471: AppCache may be used to bypass CORB (URLs covered by manifest) (lukasza@chromium.org)
- Issue 915423: Use-of-uninitialized-value in v8::internal::Factory::NewNumberFromUint (ClusterFuzz)
- Issue 906601: Use-of-uninitialized-value in sse41::blit_row_s32a_opaque (ClusterFuzz)
- Issue 894933: Heap-buffer-overflow in xmlParseAttValueInternal (ClusterFuzz)
- Issue 352465: Security: terminalPrivate API should use an unforgeable process reference (mdempsky@chromium.org)

73.0.3683.103 (Thursday, April 4, 2019) 1/0 bugs

[N/A][944971] High CVE-2019-13698: OOB access in V8. Reported by Richard Zhu and Amat Cama (Team Fluoroacetate) on 2019-03-22
- Issue 944971: Security: OOB memory access in v8 regexp (wfh@chromium.org)

73.0.3683.86 (Wednesday, March 20, 2019) 0/0 bugs

73.0.3683.75 (Tuesday, March 12, 2019) 65/60 bugs

[$TBD][913964] High CVE-2019-5787: Use after free in Canvas. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-12-11
- Issue 913964: UAP in blink::UpdatePlaceHolderImage (cdsrc2...@gmail.com)
[$N/A][925864] High CVE-2019-5788: Use after free in FileAPI. Reported by Mark Brand of Google Project Zero on 2019-01-28
- Issue 925864: Security: UAF in FileSystemOperationRunner (markbrand@google.com)
[$N/A][921581] High CVE-2019-5789: Use after free in WebMIDI. Reported by Mark Brand of Google Project Zero on 2019-01-14
- Issue 921581: Security: UAF in MidiManagerWin (markbrand@google.com)
[$7500][914736] High CVE-2019-5790: Heap buffer overflow in V8. Reported by Dimitri Fourny (Blue Frost Security) on 2018-12-13
- Issue 914736: Security: Heap buffer overflow in the V8 language parser (fourn...@gmail.com)
[$1000][926651] High CVE-2019-5791: Type confusion in V8. Reported by Choongwoo Han of Naver Corporation on 2019-01-30
- Issue 926651: Security: [v8] Type Confusion in Builtins_CallUndefinedReceiver1Handler (cwhan.t...@gmail.com)
[$500][914983] High CVE-2019-5792: Integer overflow in PDFium. Reported by pdknsk on 2018-12-13
- Issue 914983: pdfium: signed-integer-overflow in AdjustGlyphSpace / CFX_DIBBase::GetOverlapRect (pdknsk@gmail.com)
[$TBD][937487] Medium CVE-2019-5793: Excessive permissions for private API in Extensions. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-03-01
- Issue 937487: chrome.dashboardPrivate API is exposed to whole origin of https://chrome.google.com (jun.koka...@microsoft.com)
[$TBD][935175] Medium CVE-2019-5794: Security UI spoofing. Reported by Juno Im of Theori on 2019-02-24
- Issue 935175: Security: Address bar spoofing with mishandling canceled requests. (junoro...@gmail.com)
[$N/A][919643] Medium CVE-2019-5795: Integer overflow in PDFium. Reported by pdknsk on 2019-01-07
- Issue 919643: pdfium: signed-integer-overflow in FX_RECT::Width (pdknsk@gmail.com)
[$N/A][918861] Medium CVE-2019-5796: Race condition in Extensions. Reported by Mark Brand of Google Project Zero on 2019-01-03
- Issue 918861: Security: Data race in ExtensionsGuestViewMessageFilter (markbrand@google.com)
[$N/A][916523] Medium CVE-2019-5797: Race condition in DOMStorage. Reported by Mark Brand of Google Project Zero on 2018-12-19
- Issue 916523: Security: Double-destruction race in StoragePartitionService (markbrand@google.com)
[$N/A][883596] Medium CVE-2019-5798: Out of bounds read in Skia. Reported by Tran Tien Hung (@hungtt28) of Viettel Cyber Security on 2018-09-13
- Issue 883596: Security: Skia missing reset fLastMoveToIndex in SkPath::transform() lead to out-of-bound (hungtt28...@gmail.com)
[$1000][905301] Medium CVE-2019-5799: CSP bypass with blob URL. Reported by sohalt on 2018-11-14
- Issue 905301: Security: CSP does not propagate to blob: URIs (paolo.ho...@googlemail.com)
[$1000][894228] Medium CVE-2019-5800: CSP bypass with blob URL. Reported by Jun Kokatsu (@shhnjk) on 2018-10-10
- Issue 894228: CSP bypass with blob URL (s.h.h.n....@gmail.com)
[$500][921390] Medium CVE-2019-5801: Incorrect Omnibox display on iOS. Reported by Khalil Zhani on 2019-01-13
- Issue 921390: Security: Hostname not elided securely (URL spoofing on iOS) (chromium...@gmail.com)
[$500][632514] Medium CVE-2019-5802: Security UI spoofing. Reported by Ronni Skansing on 2016-07-28
- Issue 632514 (Permission denied.)
[$1000][909865] Low CVE-2019-5803: CSP bypass with Javascript URLs'. Reported by Andrew Comminos of Facebook on 2018-11-28
- Issue 909865: Security: iframe.contentWindow.location.href can bypass CSP for javascript URLs (acomminos@fb.com)
[$500][933004] Low CVE-2019-5804: Command line command injection on Windows. Reported by Joshua Graham of TSS on 2019-02-17
- Issue 933004: Security: command line injection in Windows (--user-data-dir) (jpg.inc...@gmail.com)
[940992] internal.

72.0.3626.121 (Friday, March 1, 2019) 1/1 bugs

[$N/A][936448] High CVE-2019-5786: Use-after-free in FileReader. Reported by Clement Lecigne of Google's Threat Analysis Group on 2019-02-27
- Issue 936448: Heap-use-after-free WRITE 4 · v8::internal::ElementsAccessorBase (awhalley@google.com)

72.0.3626.119 (Thursday, February 21, 2019) 0/0 bugs

72.0.3626.109 (Wednesday, February 13, 2019) 0/0 bugs

72.0.3626.96 (Wednesday, February 6, 2019) 1/0 bugs

[$3000][915975] Medium CVE-2019-5784: Inappropriate implementation in V8. Reported by Lucas Pinheiro, Microsoft Browser Vulnerability Research on 2018-12-18
- Issue 915975: V8 HeapObject pointing to JIT memory (lupin...@microsoft.com)

72.0.3626.81 (Tuesday, January 29, 2019) 65/58 bugs

[$7500][914497] Critical CVE-2019-5754: Inappropriate implementation in QUIC Networking. Reported by Klzgrad on 2018-12-12
- Issue 914497: QUIC proxying breaks end-to-end encryption (kiz...@gmail.com)
[$5000][913296] High CVE-2019-5755: Inappropriate implementation in V8. Reported by Jay Bosamiya on 2018-12-10
- Issue 913296: Security: V8: Incorrect type information on SpeculativeSafeIntegerSubtract (jaybosam...@gmail.com)
[$5000][895152] High CVE-2019-5756: Use after free in PDFium. Reported by Anonymous on 2018-10-14
- Issue 895152: Security: Heap-use-after-free in CJS_Document::get_info (chamal.d...@gmail.com)
[$3000][915469] High CVE-2019-5757: Type Confusion in SVG. Reported by Alexandru Pitis, Microsoft Browser Vulnerability Research on 2018-12-15
- Issue 915469: Security: Type Confusion in LayoutBlockFlow::CreateLineBoxes (orminap...@gmail.com)
[$3000][913970] High CVE-2019-5758: Use after free in Blink. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-12-11
- Issue 913970: UAP in blink::FileReaderLoader::OnStartLoading (cdsrc2...@gmail.com)
[$3000][912211] High CVE-2019-5759: Use after free in HTML select elements. Reported by Almog Benin on 2018-12-05
- Issue 912211: Security: a use-after-free in RenderFrameImple can lead to an RCE (almogb....@gmail.com)
[$3000][912074] High CVE-2019-5760: Use after free in WebRTC. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-12-05
- Issue 912074: heap-use-after-free on RTCPeerConnectionHandler (cdsrc2...@gmail.com)
[$3000][904714] High CVE-2019-5761: Use after free in SwiftShader. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-11-13
- Issue 904714: heap-use-after-free on sw::Renderer::finishRendering (cdsrc2...@gmail.com)
[$3000][900552] High CVE-2019-5762: Use after free in PDFium. Reported by Anonymous on 2018-10-31
- Issue 900552: Heap-use-after-free in CPDF_OCContext::CheckOCGVisible (chamal.d...@gmail.com)
[$1000][914731] High CVE-2019-5763: Insufficient validation of untrusted input in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-12-13
- Issue 914731: Security: The serialized data is corrupted because the return value is always true. (higonggu...@gmail.com)
[$1000][913246] High CVE-2019-5764: Use after free in WebRTC. Reported by Eyal Itkin from Check Point Software Technologies on 2018-12-09
- Issue 913246: WebRTC: Potential Use-after-free in VP8 Block Decoding (MFQE feature) (eyal.it...@gmail.com)
[$N/A][922677] High: Use after free in FileAPI. Reported by Mark Brand of Google Project Zero on 2019-01-16[$TBD][922627] High CVE-2019-5765: Insufficient policy enforcement in the browser. Reported by Sergey Toshin (@bagipro) on 2019-01-16
- Issue 922677: Security: UAF in FileWriterImpl (markbrand@google.com)
[$N/A][916080] High: Use after free in Mojo interface. Reported by Mark Brand of Google Project Zero on 2018-12-18[$N/A][912947] High: Use after free in Payments. Reported by Mark Brand of Google Project Zero on 2018-12-07
- Issue 916080: Security: UAF in RenderProcessHostImpl binding for P2PSocketDispatcherHost (markbrand@google.com)
[$N/A][912520] High: Use after free in Mojo interface. Reported by Mark Brand of Google Project Zero on 2018-12-06[$N/A][899689] High CVE-2019-5785: Stack buffer overflow in Skia. Reported by Ivan Fratric of Google Project Zero on 2018-10-29
- Issue 912520: Security: UAF in RenderFrameHostImpl::CreateMediaStreamDispatcherHost (markbrand@google.com)
[$4000][907047] Medium CVE-2019-5766: Insufficient policy enforcement in Canvas. Reported by David Erceg on 2018-11-20
- Issue 907047: Security: Possible to retrieve cross-origin image data from canvas (derce...@gmail.com)
[$2000][902427] Medium CVE-2019-5767: Incorrect security UI in WebAPKs. Reported by Haoran Lu, Yifan Zhang, Luyi Xing, and Xiaojing Liao from Indiana University Bloomington on 2018-11-06
- Issue 902427: Permissions request clickjacking flaw report: (user.pwa...@gmail.com)
[$2000][805557] Medium CVE-2019-5768: Insufficient policy enforcement in DevTools. Reported by Rob Wu on 2018-01-24
- Issue 805557: Security: DevTools protocol clients (e.g. extensions) can read arbitrary local files via DOM.setFileInputFiles (rob@robwu.nl)
[$1000][913975] Medium CVE-2019-5769: Insufficient validation of untrusted input in Blink. Reported by Guy Eshel on 2018-12-11
- Issue 913975: Chrome tab crashes when a pattern containing a Hebrew character followed by 2 horizontal tabs and then another character is clicked. (guy.es...@covercy.com)
[$1000][908749] Medium CVE-2019-5770: Heap buffer overflow in WebGL. Reported by hemidallt@ on 2018-11-27
- Issue 908749: Security: WebGL heap-buffer-overflow in clearBufferuiv() (hemida...@gmail.com)
[$1000][904265] Medium CVE-2019-5771: Heap buffer overflow in SwiftShader. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-11-12
- Issue 904265: OOB operation in swiftshader's JIT (cdsrc2...@gmail.com)
[$500][908292] Medium CVE-2019-5772: Use after free in PDFium. Reported by Zhen Zhou of NSFOCUS Security Team on 2018-11-26
- Issue 908292: Security: heap-use-after-free in __tree_next_iter (zhouzhen...@gmail.com)
[$N/A][917668] Medium CVE-2019-5773: Insufficient data validation in IndexedDB. Reported by Yongke Wang of Tencent's Xuanwu Lab (xlab.tencent.com) on 2018-12-24
- Issue 917668: Security: Cross Domain Bug of Indexeddb Database (wykcompu...@gmail.com)
[$N/A][904182] Medium CVE-2019-5774: Insufficient validation of untrusted input in SafeBrowsing. Reported by Junghwan Kang (ultract) and Juno Im on 2018-11-11
- Issue 904182: Downloaded .desktop file execution in Linux (ultrac...@gmail.com)
[$N/A][896722] Medium CVE-2019-5775: Insufficient policy enforcement in Omnibox. Reported by evi1m0 of Bilibili Security Team on 2018-10-18
- Issue 896722: Security: IDN URL Spoofing with U+0a67 (evi1m0.bat@gmail.com)
[$N/A][863663] Medium CVE-2019-5776: Insufficient policy enforcement in Omnibox. Reported by Lnyas Zhang on 2018-07-14
- Issue 863663: Security:IDN url spoofing using U+0517(ԗ) (zxyrz...@gmail.com)
[$N/A][849421] Medium CVE-2019-5777: Insufficient policy enforcement in Omnibox. Reported by Khalil Zhani on 2018-06-04
- Issue 849421: Security: IDN URL spoofing - "ଠ" can be used to spoof "o2.co.uk" (chromium...@gmail.com)
[$N/A][733943] Medium CVE-2018-20073: Inappropriate implementation in downloads. Reported on 2017-06-15.[$500][918470] Low CVE-2019-5778: Insufficient policy enforcement in Extensions. Reported by David Erceg on 2019-01-02
- Issue 733943: Do not store URLs in xattr (uekawa@google.com)
[$500][904219] Low CVE-2019-5779: Insufficient policy enforcement in ServiceWorker. Reported by David Erceg on 2018-11-11
- Issue 904219: Security: Sites can open extension pages using WindowClient.navigate (derce...@gmail.com)
[$500][891697] Low CVE-2019-5780: Insufficient policy enforcement. Reported by Andreas Hegenberg (folivora.AI GmbH) on 2018-10-03
- Issue 891697: Security: macOS: the option to "Allow JavaScript From Apple Events" can easily be activated by malicious apps. (andr...@hegenberg.me)
[$500][895081] Low CVE-2019-5783: Insufficient validation of untrusted input in DevTools. Reported by Shintaro Kobori on 2018-10-13
- Issue 895081: Security: Markup injection is possible in the Preview feature in the Developer Tools due to mishandling of URI encoded strings (shin...@gmail.com)
[$N/A][896725] Low CVE-2019-5781: Insufficient policy enforcement in Omnibox. Reported by evi1m0 of Bilibili Security Team on 2018-10-18
- Issue 896725: Security: IDN URL Spoofing with U+0a24 (evi1m0.bat@gmail.com)
[926238] internal.
- Issue 922677: Security: UAF in FileWriterImpl (markbrand@google.com)
- Issue 922627: Chromium - Exposed GPU profiler allows to dump all URLs and headers from requested pages (geuteneier@google.com)
- Issue 916080: Security: UAF in RenderProcessHostImpl binding for P2PSocketDispatcherHost (markbrand@google.com)
- Issue 912947: Security: UAFs in PaymentRequest service (markbrand@google.com)
- Issue 912520: Security: UAF in RenderFrameHostImpl::CreateMediaStreamDispatcherHost (markbrand@google.com)
- Issue 912508: Heap-buffer-overflow in sh::SetUnionArrayFromMatrix (ClusterFuzz)
- Issue 911253: SQLite3 exprCodeBetween heap-buffer overflow (mpdenton@chromium.org)
- Issue 910098: Heap-use-after-free in blink::AudioNodeOutput::RemoveInput (ClusterFuzz)
- Issue 908358: Heap-buffer-overflow in mov_read_trun (ClusterFuzz)
- Issue 906043: Security: Tianfu CUP RCE (xzhou@chromium.org)
- Issue 903500: Potential Use-After-Free in ui/accessibility/ax_tree.cc (mmoroz@chromium.org)
- Issue 902208: Heap-use-after-free in views::InkDropHostView::OnMouseEvent (ClusterFuzz)
- Issue 901677: Heap-use-after-free in baseline::exec_ops (ClusterFuzz)
- Issue 899689: Security: Incorrect convexity assumptions in Skia leading to buffer overflows (ifratric@google.com)
- Issue 895117: Heap-use-after-free in hb_buffer_t::replace_glyphs (ClusterFuzz)
- Issue 894937 (Permission denied.)
- Issue 916960: CrOS: Vulnerability reported in net-vpn/strongswan (vomit.go...@appspot.gserviceaccount.com)
- Issue 912505: Heap-buffer-overflow in sh::TConstantUnion::getFConst (ClusterFuzz)
- Issue 906837: User can open browser in sign-in profile from captive profile dialog (tbarzic@chromium.org)
- Issue 904772: Use-of-uninitialized-value in v8::internal::Factory::NewNumber (ClusterFuzz)
- Issue 904368: Use-of-uninitialized-value in v8::internal::Simulator::FPRoundInt (ClusterFuzz)
- Issue 904093: Heap-buffer-overflow in spvtools::utils::SmallVector<unsigned int, 2ul>::operator (ClusterFuzz)
- Issue 901768: Need a reliable mechanism to make the login profile inaccessible after login completes (mnissler@chromium.org)
- Issue 901206: Memcpy-param-overlap in av1_convolve_2d_copy_sr_sse2 (ClusterFuzz)
- Issue 897491: ASSERT: mutex->__data.__owner == 0 (ClusterFuzz)
- Issue 897263: Security: potential integer overflow in SkStreamBuffer.cpp (mmoroz@chromium.org)
- Issue 895970: Update expat to latest stable (palmer@chromium.org)
- Issue 894934: Stack-buffer-overflow in v8::internal::GenerateSourceString (ClusterFuzz)
- Issue 891559: Use-of-uninitialized-value in blink::AXObjectCacheImpl::ChildrenChanged (ClusterFuzz)
- Issue 812168 (Permission denied.)
- Issue 733943: Do not store URLs in xattr (uekawa@google.com)
- Issue 157736 (Permission denied.)
- Issue 916869: Ill in v8::internal::wasm::fuzzer::WasmExecutionFuzzer::FuzzWasmModule (ClusterFuzz)
- Issue 911255: sqlite3ExprCompare Assertion Failure: (combinedFlags & EP_Reduced)==0 (mpdenton@chromium.org)

71.0.3578.98 (Wednesday, December 12, 2018) 1/1 bugs

[$6000][901654] High CVE-2018-17481: Use after free in PDFium. Reported by Anonymous on 2018-11-04
- Issue 901654 (Permission denied.)

71.0.3578.80 (Tuesday, December 4, 2018) 47/43 bugs

[$N/A][905940] High CVE-2018-17480: Out of bounds write in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 via Tianfu Cup on 2018-11-16
- Issue 905940: OOB Write in ValueDeserializer::ReadDenseJSArray (Tian Fu Cup exploit) (infe...@chromium.org)
[$6000][901654] High CVE-2018-17481: Use after frees in PDFium. Reported by Anonymous on 2018-11-04
- Issue 901654 (Permission denied.)
[$5000][895362] High CVE-2018-18335: Heap buffer overflow in Skia. Reported by Anonymous on 2018-10-15
- Issue 895362 (Permission denied.)
[$5000][898531] High CVE-2018-18336: Use after free in PDFium. Reported by Huyna at Viettel Cyber Security on 2018-10-24
- Issue 898531: Security: Use-after-free in CPWL_Wnd::Destroy (huyn...@gmail.com)
[$3000][886753] High CVE-2018-18337: Use after free in Blink. Reported by cloudfuzzer on 2018-09-19
- Issue 886753: Security: use-after-poison in MarkSheetListDirty (cloudfuz...@gmail.com)
[$3000][890576] High CVE-2018-18338: Heap buffer overflow in Canvas. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-09-29
- Issue 890576: heap buffer overflow in skia::SkTDPQueue::insert (cdsrc2...@gmail.com)
[$3000][891187] High CVE-2018-18339: Use after free in WebAudio. Reported by cloudfuzzer on 2018-10-02
- Issue 891187: Security: heap-use-after-free in blink::AudioNodeOutput::Pull (cloudfuz...@gmail.com)
[$3000][896736] High CVE-2018-18340: Use after free in MediaRecorder. Reported by Anonymous on 2018-10-18
- Issue 896736: Security: use-after-poison in blink::AsyncMethodRunner<class blink::MediaRecorder>::RunAsync (serg.gla...@gmail.com)
[$3000][901030] High CVE-2018-18341: Heap buffer overflow in Blink. Reported by cloudfuzzer on 2018-11-01
- Issue 901030: Heap-buffer-overflow in bool WTF::TextCodecUTF8::HandlePartialSequence<unsigned short> (cloudfuz...@gmail.com)
[$3000][906313] High CVE-2018-18342: Out of bounds write in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-11-17
- Issue 906313: redefine unconfiguable length attribute of array object (higonggu...@gmail.com)
[$1000][882423] High CVE-2018-18343: Use after free in Skia. Reported by Tran Tien Hung (@hungtt28) of Viettel Cyber Security on 2018-09-10
- Issue 882423: Security: Skia heap use-after-freed in SkPath::addPath (hungtt28...@gmail.com)
[$N/A][866426] High CVE-2018-18344: Inappropriate implementation in Extensions. Reported by Jann Horn of Google Project Zero on 2018-07-23
- Issue 866426: Security: debugger extension API is too powerful (jannh@google.com)
[$10337][900910] High To be allocated: Multiple issues in SQLite via WebSQL. Reported by Wenxiang Qian of Tencent Blade Team on 2018-11-01
- Issue 900910: Multiple vulnerabilities in sqlite; Cast is 1 attack vector/target (leonwxq...@gmail.com)
[$8000][886976] Medium CVE-2018-18345: Inappropriate implementation in Site Isolation. Reported by Masato Kinugawa and Jun Kokatsu (@shhnjk) on 2018-09-19
- Issue 886976: Security: Site Isolation bypass using Blob URL (s.h.h.n....@gmail.com)
[$2000][606104] Medium CVE-2018-18346: Incorrect security UI in Blink. Reported by Luan Herrera (@lbherrera_) on 2016-04-23
- Issue 606104: Chrome for Android - Modal dialog being executed after window.open is called allows for URL Spoofing (luan.her...@hotmail.com)
[$2000][850824] Medium CVE-2018-18347: Inappropriate implementation in Navigation. Reported by Luan Herrera (@lbherrera_) on 2018-06-08
- Issue 850824: Self-XSS via modal, window.open, and delayed navigation (luan.her...@hotmail.com)
[$2000][881659] Medium CVE-2018-18348: Inappropriate implementation in Omnibox. Reported by Ahmed Elsobky (@0xsobky) on 2018-09-07
- Issue 881659: Security: URL Spoofing via Bidirectional Domain Names (0xso...@gmail.com)
[$2000][894399] Medium CVE-2018-18349: Insufficient policy enforcement in Blink. Reported by David Erceg on 2018-10-11
- Issue 894399: Security: window.location update methods don't always restrict access to local resources (derce...@gmail.com)
[$1000][799747] Medium CVE-2018-18350: Insufficient policy enforcement in Blink. Reported by Jun Kokatsu (@shhnjk) on 2018-01-06
- Issue 799747: CSP bypass with blob URL (s.h.h.n....@gmail.com)
[$1000][833847] Medium CVE-2018-18351: Insufficient policy enforcement in Navigation. Reported by Jun Kokatsu (@shhnjk) on 2018-04-17
- Issue 833847: SameSite Lax bypass with multiple-nested scenarios (s.h.h.n....@gmail.com)
[$1000][849942] Medium CVE-2018-18352: Inappropriate implementation in Media. Reported by Jun Kokatsu (@shhnjk) on 2018-06-06
- Issue 849942: ServiceWorker circumvents same-origin restrictions for Audio (s.h.h.n....@gmail.com)
[$1000][884179] Medium CVE-2018-18353: Inappropriate implementation in Network Authentication. Reported by Wenxu Wu (@ma7h1as) of Tencent Security Xuanwu Lab on 2018-09-14
- Issue 884179: Security: http authentication spoof on chrome android (ma7h1a...@gmail.com)
[$1000][889459] Medium CVE-2018-18354: Insufficient data validation in Shell Integration. Reported by Wenxu Wu (@ma7h1as) of Tencent Security Xuanwu Lab on 2018-09-26
- Issue 889459: Security: remote code execution attack chain (ma7h1a...@gmail.com)
[$500][896717] Medium CVE-2018-18355: Insufficient policy enforcement in URL Formatter. Reported by evi1m0 of Bilibili Security Team on 2018-10-18
- Issue 896717: Security: IDN URL Spoofing with U+02ec (evi1m0.bat@gmail.com)
[$N/A][883666] Medium CVE-2018-18356: Use after free in Skia. Reported by Tran Tien Hung (@hungtt28) of Viettel Cyber Security on 2018-09-13
- Issue 883666: Security: Skia integer-overflow in SkPathRef::resetToSize() (hungtt28...@gmail.com)
[$N/A][895207] Medium CVE-2018-18357: Insufficient policy enforcement in URL Formatter. Reported by evi1m0 of Bilibili Security Team on 2018-10-15
- Issue 895207: Security: IDN URL Spoofing with U+10de (evi1m0.bat@gmail.com)
[$N/A][899126] Medium CVE-2018-18358: Insufficient policy enforcement in Proxy. Reported by Jann Horn of Google Project Zero on 2018-10-26
- Issue 899126: Security: malicious WPAD server can proxy localhost (leading to XSS in http://localhost:/) (jannh@google.com)
[$1000][907714] Medium CVE-2018-18359: Out of bounds read in V8. Reported by cyrilliu of Tencent Zhanlu Lab on 2018-11-22
- Issue 907714: Debug check failed JSFunction::GetDerivedMap (hit.lius...@gmail.com)
[$500][851821] Low CVE-2018-20065: Inappropriate implementation in PDFium. Reported by Salem Faisal Elmrayed on 2018-06-12
- Issue 851821: Security: Chrome PDF reader has no restrictions/user confirmation on URI action (shenegam...@gmail.com)
[$500][856135] Low CVE-2018-20066: Use after free in Extensions. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-06-25
- Issue 856135: heap-use-after-free in ProfileCompare::operator() (cdsrc2...@gmail.com)
[$500][879965] Low CVE-2018-20067: Inappropriate implementation in Navigation. Reported by Luan Herrera (@lbherrera_) on 2018-09-03
- Issue 879965: Canceling a browser-initiated navigation by using the history.back function (luan.her...@hotmail.com)
[$500][882270] Low CVE-2018-20068: Inappropriate implementation in Navigation. Reported by Jesper van den Ende on 2018-09-09
- Issue 882270: Security: url spoofing using 304 status code (jesperth...@gmail.com)
[$500][890558] Low CVE-2018-20069: Insufficient policy enforcement in Navigation. Reported by Ryan Pickren (ryanpickren.com) on 2018-09-29
- Issue 890558: Data URLs can be loaded on the top frame using iOS Mobile Chrome (pickr...@gmail.com)
[$N/A][895885] Low CVE-2018-20070: Insufficient policy enforcement in URL Formatter. Reported by evi1m0 of Bilibili Security Team on 2018-10-16
- Issue 895885: \u0909, \u0993 may lead to IDN URL Spoof (evi1m0.bat@gmail.com)
[$3000][853937] Medium CVE-2018-20071: Insufficient policy enforcement in Payments. Reported by Jun Kokatsu (@shhnjk) on 2018-06-18
- Issue 853937: XSS by hosting JS and JSON looking file (s.h.h.n....@gmail.com)
[911706] internal.
- Issue 905940: OOB Write in ValueDeserializer::ReadDenseJSArray (Tian Fu Cup exploit) (infe...@chromium.org)
- Issue 898343: Security: Idn spoof checker not checking some domains properly (mea...@chromium.org)
- Issue 896326: Crash in MemoryWrite<unsigned (ClusterFuzz)
- Issue 892643: Stack-use-after-return in gpu::raster::ClientFontManager::Serialize (ClusterFuzz)
- Issue 881252: Crash in v8::internal::Simulator::LoadStorePairHelper (ClusterFuzz)
- Issue 880665: Heap-use-after-free in base::debug::TaskAnnotator::RunTask (ClusterFuzz)
- Issue 880207: Security: incorrect type information on Math.expm1 (sroett...@google.com)
- Issue 866426: Security: debugger extension API is too powerful (jannh@google.com)
- Issue 839250: Heap-use-after-free in content::ClipboardHostImpl::ReadText (ClusterFuzz)
- Issue 899126: Security: malicious WPAD server can proxy localhost (leading to XSS in http://localhost:/) (jannh@google.com)
- Issue 884932: Extensions can intercept sensitive browser initiated requests (karandeepb@chromium.org)
- Issue 877843: Heap-buffer-overflow in rtc::BitBuffer::PeekBits (ClusterFuzz)

70.0.3538.110 (Monday, November 19, 2018) 0/1 bugs

70.0.3538.102 (Friday, November 9, 2018) 2/3 bugs

[903891] internal.
- Issue 897366: DCHECK failure in *p != to_check_ in heap.cc (ClusterFuzz)
- Issue 881247: Fatal error related to field tracking (ClusterFuzz)

70.0.3538.77 (Wednesday, October 24, 2018) 0/0 bugs

70.0.3538.67 (Tuesday, October 16, 2018) 25/23 bugs

[$N/A][888926] High CVE-2018-17462: Sandbox escape in AppCache. Reported by Ned Williamson and Niklas Baumstark working with Beyond Security’s SecuriTeam Secure Disclosure program on 2018-09-25
- Issue 888926: Security: UaF in Appcache (no...@beyondsecurity.com)
[$N/A][888923] High CVE-2018-17463: Remote code execution in V8. Reported by Samuel Gross working with Beyond Security’s SecuriTeam Secure Disclosure program on 2018-09-25
- Issue 888923: Security: Chrome RCE (no...@beyondsecurity.com)
[$3000][887273] High CVE-2018-17464: URL spoof in Omnibox. Reported by xisigr of Tencent's Xuanwu Lab on 2018-09-20
- Issue 887273: Security:Chrome URL Spoofing in Omnibox (xis...@gmail.com)
[$3000][870226] High CVE-2018-17465: Use after free in V8. Reported by Lin Zuojian on 2018-08-02
- Issue 870226: Security: v8 compactor may operate on undefined slots (manjian2...@gmail.com)
[$1000][880906] High CVE-2018-17466: Memory corruption in Angle. Reported by Omair on 2018-09-05
- Issue 880906: Security: ANGLE TextureStorage11::setData Memory Corruption (om...@krash.in)
[$3000][844881] Medium CVE-2018-17467: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-05-19
- Issue 844881: Security: Address spoofing in Omnibox (chromium...@gmail.com)
[$2000][876822] Medium CVE-2018-17468: Cross-origin URL disclosure in Blink. Reported by James Lee (@Windowsrcer) of Kryptos Logic on 2018-08-22
- Issue 876822 (Permission denied.)
[$1000][880675] Medium CVE-2018-17469: Heap buffer overflow in PDFium. Reported by Zhen Zhou of NSFOCUS Security Team on 2018-09-05
- Issue 880675: Security: heap-buffer-overflow in CPDF_DIBSource::DownSampleScanline8Bit (zhouzhen...@gmail.com)
[$1000][877874] Medium CVE-2018-17470: Memory corruption in GPU Internals. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-08-27
- Issue 877874: Crash in gpu::gles2::Texture::ClearRenderableLevels (cdsrc2...@gmail.com)
[$1000][873080] Medium CVE-2018-17471: Security UI occlusion in full screen mode. Reported by Lnyas Zhang on 2018-08-10
- Issue 873080: Security: fullscreen UI spoof using pdf prompt (zxyrz...@gmail.com)
[$1000][822518] Medium CVE-2018-17472: iframe sandbox escape on iOS. Reported by Jun Kokatsu (@shhnjk) on 2018-03-16
- Issue 822518: iframe sandbox escape (s.h.h.n....@gmail.com)
[$500][882078] Medium CVE-2018-17473: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-09-08
- Issue 882078: Security: IDN URL Spoofing with “ก” (chromium...@gmail.com)
[$500][843151] Medium CVE-2018-17474: Use after free in Blink. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-05-15
- Issue 843151: use-after-poison in operator-> (from HTMLImportsController::Dispose) (cdsrc2...@gmail.com)
[$500][852634] Low CVE-2018-17475: URL spoof in Omnibox. Reported by Vladimir Metnew on 2018-06-14
- Issue 852634: Security: Chrome for iOS URL spoofing using location.replace and history.back (vladimir...@gmail.com)
[$500][812769] Low CVE-2018-17476: Security UI occlusion in full screen mode. Reported by Khalil Zhani on 2018-02-15
- Issue 812769: Security: Cast UI hides Full-screen warning (chromium...@gmail.com)
[$500][805496] Low CVE-2018-5179: Lack of limits on update() in ServiceWorker. Reported by Yannic Bonenberger on 2018-01-24
- Issue 805496: Security: Self-update service worker to stay alive (yannic.b...@gmail.com)
[$N/A][863703] Low CVE-2018-17477: UI spoof in Extensions. Reported by Aaron Muir Hamilton aaron@correspondwith.me on 2018-07-14
- Issue 863703: Extension popovers do not overlap the Chrome, so they can be spoofed in the viewport. (aa...@xqz.ca)
[895893] internal.

69.0.3497.100 (Monday, September 17, 2018) 0/1 bugs

69.0.3497.92 (Tuesday, September 11, 2018) 2/2 bugs

[$3000][875322] High CVE-2018-17458: Function signature mismatch in WebAssembly. Reported by Kevin Cheung from Autodesk on 2018-08-17
- Issue 875322: Function Signature Mismatch Error When Using Dynamic Linking for WebAssembly (knightac...@gmail.com)
[$1000][880759] Medium CVE-2018-17459: URL Spoofing in Omnibox. Reported by evi1m0 of Bilibili Security Team on 2018-09-05
- Issue 880759: Chrome 69 URL Spoof via double-click (evi1m0.bat@gmail.com)

69.0.3497.81 (Tuesday, September 4, 2018) 45/40 bugs

[$5000][867776] High CVE-2018-16065: Out of bounds write in V8. Reported by Brendon Tiszka on 2018-07-26
- Issue 867776: V8 OOB write BigInt64Array.of and BigInt64Array.from side effect neuter (btis...@gmail.com)
[$3000][847570] High CVE-2018-16066: Out of bounds read in Blink. Reported by cloudfuzzer on 2018-05-29
- Issue 847570: Security: heap-buffer-overflow in blink::ScriptFunction::~ScriptFunction() (cloudfuz...@gmail.com)
[$1000][848306] High CVE-2018-17457: Use after free in WebAudio. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-05-31
- Issue 848306: use-after-poison in operator blink::ExecutionContext * (cdsrc2...@gmail.com)
[$500][860522] High CVE-2018-16067: Out of bounds read in WebAudio. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-07-05
- Issue 860522: Null-dereference READ in blink::AudioNode::Handler (cdsrc2...@gmail.com)
[N/A][877182] High CVE-2018-16068: Out of bounds write in Mojo. Reported by Mark Brand of Google Project Zero on 2018-08-23
- Issue 877182: Security: Mojo DataPipe*Dispatcher deserialization lacking validation (markbrand@google.com)
[N/A][848716] High CVE-2018-16070: Integer overflow in Skia. Reported by Ivan Fratric of Google Project Zero on 2018-06-01
- Issue 848716: Security: Multiple integer overflows in Skia GPU path rendering when computing vertex/idex count (ifratric@google.com)
[N/A][855211] High CVE-2018-16071: Use after free in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-06-21
- Issue 855211: Security: WebRTC: Use-after-free in VP9 Processing (natashenka@google.com)
[$4000][864283] Medium CVE-2018-16072: Cross origin pixel leak in Chrome's interaction with Android's MediaPlayer. Reported by Jun Kokatsu (@shhnjk) on 2018-07-17
- Issue 864283: Stealing cross-origin video pixel with HLS (s.h.h.n....@gmail.com)
[$3000][863069] Medium CVE-2018-16073: Site Isolation bypass after tab restore. Reported by Jun Kokatsu (@shhnjk) on 2018-07-12
- Issue 863069: Site Isolation: Attacker-controlled data URLs end up in wrong process after tab restore (s.h.h.n....@gmail.com)
[$3000][863623] Medium CVE-2018-16074: Site Isolation bypass using Blob URLS. Reported by Jun Kokatsu (@shhnjk) on 2018-07-13
- Issue 863623: Security: Blob URL created from Data URL shares same process despite creator being cross-site (s.h.h.n....@gmail.com)
[$2000][788936] Medium CVE-2018-16075: Local file access in Blink. Reported by Pepe Vila (@cgvwzq) on 2017-11-27
- Issue 788936: Steal local file contents by abusing liberal CSS parsing (pvtolk...@gmail.com)
[$2000][867501] Medium CVE-2018-16076: Out of bounds read in PDFium. Reported by Aleksandar Nikolic of Cisco Talos on 2018-07-25
- Issue 867501: Security: Talos Security Advisory for Google PDFium (TALOS-2018-0639) (regiw...@sourcefire.com)
[$1000][377995] Medium CVE-2018-16077: Content security policy bypass in Blink. Reported by Manuel Caballero on 2014-05-27
- Issue 377995: Security: CSP Sandbox bypass (man...@caballero.com.ar)
[$1000][858820] Medium CVE-2018-16078: Credit card information leak in Autofill. Reported by Cailan Sacks on 2018-06-28
- Issue 858820: Security: Credit card information leakage in Chrome autofill (cailan.s...@gmail.com)
[$500][723503] Medium CVE-2018-16079: URL spoof in permission dialogs. Reported by Markus Vervier and Michele Orrù (antisnatchor) on 2017-05-17
- Issue 723503: Security: Mismatched Origin Display in WebUSB and WebBluetooth Permissions Dialogs (vervier...@gmail.com)
[$500][858929] Medium CVE-2018-16080: URL spoof in full screen mode. Reported by Khalil Zhani on 2018-06-29
- Issue 858929: Security: URL bar spoofing with Full-screen mode (chromium...@gmail.com)
[N/A][666299] Medium CVE-2018-16081: Local file access in DevTools. Reported by Jann Horn of Google Project Zero on 2016-11-17
- Issue 666299: Security: debugger extension API bypasses normal opt-in for file:// access (jannh@google.com)
[N/A][851398] Medium CVE-2018-16082: Stack buffer overflow in SwiftShader. Reported by Omair on 2018-06-11
- Issue 851398: Stack-buffer-overflow in sw::Surface::Buffer::read (om...@krash.in)
[N/A][856823] Medium CVE-2018-16083: Out of bounds read in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-06-26
- Issue 856823: Security: WebRTC Out-of-bounds read in FEC (natashenka@google.com)
[$1000][865202] Low CVE-2018-16084: User confirmation bypass in external protocol handling. Reported by Jun Kokatsu (@shhnjk) on 2018-07-18
- Issue 865202 (Permission denied.)
[$500][844428] Low CVE-2018-16086: Script injection in New Tab Page. Reported by Alexander Shutov (Dark Reader extension) on 2018-05-18
- Issue 844428: Security: Extension is able to inject script into chrome://newtab/ (shuto...@gmail.com)
[N/A][856578] Low CVE-2018-16085: Use after free in Memory Instrumentation. Reported by Roman Kuksin of Yandex on 2018-06-26
- Issue 856578: heap-use-after-free in memory_instrumentation::CoordinatorImpl::OnQueuedRequestTimedOut (rkuk...@yandex-team.ru)
[880418] internal.
- Issue 877182: Security: Mojo DataPipe*Dispatcher deserialization lacking validation (markbrand@google.com)
- Issue 855960: DCHECK failure in Capacity() <= heap()->MaxOldGenerationSize() in spaces.cc (ClusterFuzz)
- Issue 855211: Security: WebRTC: Use-after-free in VP9 Processing (natashenka@google.com)
- Issue 854883: Security: Buffer overflow in usrsctplib (awhalley@chromium.org)
- Issue 848716: Security: Multiple integer overflows in Skia GPU path rendering when computing vertex/idex count (ifratric@google.com)
- Issue 848238: Security: Floating-point precision errors in Swiftshader blitting (markbrand@google.com)
- Issue 845006: ASSERT: GTK_IS_TREE_MODEL (tree_model) (ClusterFuzz)
- Issue 836859: Security: Privilege Escalation via chrome://resources filesystem URL (creis@chromium.org)
- Issue 835613: Heap-use-after-free in blink::FloatingObject::FloatingObject (ClusterFuzz)
- Issue 821704: ASSERT: G_IS_OBJECT (object) (ClusterFuzz)
- Issue 869062 (Permission denied.)
- Issue 867792: Security: corrupt VP9 frame will cause tab crash (jzern@chromium.org)
- Issue 867306: Fix DOMStorageNamespace UAF (tzik@chromium.org)
- Issue 866635: gcm's SocketOutputStream::Flush can write arbitrary data to the network (xunji...@chromium.org)
- Issue 856823: Security: WebRTC Out-of-bounds read in FEC (natashenka@google.com)
- Issue 854476: Use-of-uninitialized-value in v8::internal::Isolate::RunHostImportModuleDynamicallyCallback (ClusterFuzz)
- Issue 850493: Heap-buffer-overflow in webrtc::internal::CopyColumn (ClusterFuzz)
- Issue 840857: Security: Browser process should catch commits of extension URLs in web processes (creis@chromium.org)
- Issue 666299: Security: debugger extension API bypasses normal opt-in for file:// access (jannh@google.com)
- Issue 862163: OpenOffice extensions need to be flagged as potentially dangerous (infe...@chromium.org)
- Issue 853424: Stack-use-after-return in TDiagnostics::writeDebug (ClusterFuzz)
- Issue 848535: Security: history.back() can be used to bypass multiple downloads restriction. (mea...@chromium.org)
- Issue 836412 (Permission denied.)

68.0.3440.106 (Wednesday, August 8, 2018) 0/0 bugs

68.0.3440.84 (Tuesday, July 31, 2018) 0/0 bugs

68.0.3440.75 (Tuesday, July 24, 2018) 49/42 bugs

[$5000][850350] High CVE-2018-6153: Stack buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2018-06-07
- Issue 850350: Security: stack-buffer-overflow in Break (zhouzhen...@gmail.com)
[$3000][848914] High CVE-2018-6154: Heap buffer overflow in WebGL. Reported by Omair on 2018-06-01
- Issue 848914: Security: heap-buffer-overflow in gpu::gles2::StrictIdHandler::FreeIds (om...@krash.in)
[$N/A][842265] High CVE-2018-6155: Use after free in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-11
- Issue 842265: Security: WebRTC: Use-after-free in VP8 Block Decoding (natashenka@google.com)
[$N/A][841962] High CVE-2018-6156: Heap buffer overflow in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-10
- Issue 841962: Security: WebRTC: Overflow in FEC Processing (natashenka@google.com)
[$N/A][840536] High CVE-2018-6157: Type confusion in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-07
- Issue 840536: Security: WebRTC: Type Confusion when processing H264 NAL packet (natashenka@google.com)
[$2000][841280] Medium CVE-2018-6158: Use after free in Blink. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-05-09
- Issue 841280: heap-use-after-free in BlinkGC (cdsrc2...@gmail.com)
[$2000][837275] Medium CVE-2018-6159: Same origin policy bypass in ServiceWorker. Reported by Jun Kokatsu (@shhnjk) on 2018-04-26
- Issue 837275 (Permission denied.)
[$1000][839822] Medium CVE-2018-6160: URL spoof in Chrome on iOS. Reported by evi1m0 of Bilibili Security Team on 2018-05-04
- Issue 839822: Chrome URL spoofing vulnerability on IOS (evi1m0.bat@gmail.com)
[$1000][826552] Medium CVE-2018-6161: Same origin policy bypass in WebAudio. Reported by Jun Kokatsu (@shhnjk) on 2018-03-27
- Issue 826552: Redirect circumvents same-origin restrictions for AudioWorklet (s.h.h.n....@gmail.com)
[$1000][804123] Medium CVE-2018-6162: Heap buffer overflow in WebGL. Reported by Omair on 2018-01-21
- Issue 804123: Security: TexImage3D heap-buffer-overflow in WebKit Webgl (om...@krash.in)
[$500][849398] Medium CVE-2018-6163: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-06-04
- Issue 849398: Security: IDN URL Spoofing with Georgian Letter Vin (chromium...@gmail.com)
[$500][848786] Medium CVE-2018-6164: Same origin policy bypass in ServiceWorker. Reported by Jun Kokatsu (@shhnjk) on 2018-06-01
- Issue 848786: Cross-origin stylesheet content is readable using SW (s.h.h.n....@gmail.com)
[$500][847718] Medium CVE-2018-6165: URL spoof in Omnibox. Reported by evi1m0 of Bilibili Security Team on 2018-05-30
- Issue 847718: Chrome URL Spoofing (via refreshed) (evi1m0.bat@gmail.com)
[$500][835554] Medium CVE-2018-6166: URL spoof in Omnibox. Reported by Lnyas Zhang on 2018-04-21
- Issue 835554: U+0153 (œ), U+00e6 (æ) may lead to url spoofing (zxyrz...@gmail.com)
[$500][833143] Medium CVE-2018-6167: URL spoof in Omnibox. Reported by Lnyas Zhang on 2018-04-15
- Issue 833143: Lao could lead to idn spoof (zxyrz...@gmail.com)
[$500][828265] Medium CVE-2018-6168: CORS bypass in Blink. Reported by Gunes Acar and Danny Y. Huang of Princeton University, Frank Li of UC Berkeley on 2018-04-03
- Issue 828265: MediaError message property leaks cross-origin response status (acargu...@gmail.com)
[$500][394518] Medium CVE-2018-6169: Permissions bypass in extension installation . Reported by Sam P on 2014-07-16
- Issue 394518 (Permission denied.)
[$TBD][862059] Medium CVE-2018-6170: Type confusion in PDFium. Reported by Anonymous on 2018-07-10
- Issue 862059: Security: Bad cast in JSPropGetter in js_define.h (chamal.d...@gmail.com)
[$TBD][851799] Medium CVE-2018-6171: Use after free in WebBluetooth. Reported by amazon@mimetics.ca on 2018-06-12
- Issue 851799 (Permission denied.)
[$TBD][847242] Medium CVE-2018-6172: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-05-28
- Issue 847242: Security: IDN URL Spoofing with Myanmar character "ဒ" (U+1012) (chromium...@gmail.com)
[$TBD][836885] Medium CVE-2018-6173: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-04-25
- Issue 836885: Security: IDN URL Spoofing with “ҙ” (U+0499) (chromium...@gmail.com)
[$N/A][835299] Medium CVE-2018-6174: Integer overflow in SwiftShader. Reported by Mark Brand of Google Project Zero on 2018-04-20
- Issue 835299: Security: Integer overflow in Swiftshader texture allocation (markbrand@google.com)
[$TBD][826019] Medium CVE-2018-6175: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-03-26
- Issue 826019: Security: IDN URL Spoofing with using U+0525 (chromium...@gmail.com)
[$N/A][666824] Medium CVE-2018-6176: Local user privilege escalation in Extensions. Reported by Jann Horn of Google Project Zero on 2016-11-18
- Issue 666824: Security: bypass user gesture requirement for dangerous download types: Chrome extension → local user privilege escalation (jannh@google.com)
[$500][826187] Low CVE-2018-6177: Cross origin information leak in Blink. Reported by Ron Masas (Imperva) on 2018-03-27
- Issue 826187: Security: Cross Site Resource Size Estimation via OnProgress events (ronma...@gmail.com)
[$500][823194] Low CVE-2018-6178: UI spoof in Extensions. Reported by Khalil Zhani on 2018-03-19
- Issue 823194: Security: Long extension name allows spoofing of Debugging InfoBar (chromium...@gmail.com)
[$500][816685] Low CVE-2018-6179: Local file information leak in Extensions. Reported by Anonymous on 2018-02-26
- Issue 816685: Security: Extension popups can read local files if a Browser Action invoked on a file:/// URL (93m4qau...@gmail.com)
[$500][797461] Low CVE-2018-6044: Request privilege escalation in Extensions . Reported by Rob Wu on 2017-12-23
- Issue 797461: Security: Extensions can run code in the local/instant NTP (rob@robwu.nl)
[$500][791324] Low CVE-2018-4117: Cross origin information leak in Blink. Reported by AhsanEjaz - @AhsanEjazA on 2017-12-03
- Issue 791324: Security: Fetch API reveals existence of Redirection in no-cors mode (ahsaneja...@gmail.com)
[866821] Various fixes from internal audits, fuzzing and other initiativesThe following bugs were fixed in previous Chrome releases, but were mistakenly omitted from the release notes at the time:[$1000][812667] Medium CVE-2018-6150: Cross origin information disclosure in Service Workers. Reported by Rob Wu on 2018-02-15
- Issue 812667: Security: Cross-origin information leak via subresource integrity (SRI), fetch and Service Workers (rob@robwu.nl)
[$500][805905] Medium CVE-2018-6151: Bad cast in DevTools. Reported by Rob Wu on 2018-01-25
- Issue 805905: Security: Bad cast to ChromeDownloadManagerDelegate* from DevToolsDownloadManagerDelegate* (rob@robwu.nl)
[$2000][805445] Medium CVE-2018-6152: Local file write in DevTools. Reported by Rob Wu on 2018-01-24
- Issue 805445: Security: arbitrarily file write + bypass dangerous file check via DevTools API (rob@robwu.nl)
[866821] internal.
- Issue 861571: Security DCHECK failure: !node || (node->IsHTMLElement()) in html_element.h (ClusterFuzz)
- Issue 854887: Bad-cast to blink::ScriptWrappable from invalid vptr in blink::V8Element::ToImpl (ClusterFuzz)
- Issue 854066: Security: OOB read in TypedArray.from (creis@chromium.org)
- Issue 844254: Heap-buffer-overflow in void SkMatrixConvolutionImageFilter::filterPixels<RepeatPixelFetcher, true> (ClusterFuzz)
- Issue 842265: Security: WebRTC: Use-after-free in VP8 Block Decoding (natashenka@google.com)
- Issue 841962: Security: WebRTC: Overflow in FEC Processing (natashenka@google.com)
- Issue 840536: Security: WebRTC: Type Confusion when processing H264 NAL packet (natashenka@google.com)
- Issue 839197: Heap-use-after-free in PermissionRequestManager::AddRequest (ClusterFuzz)
- Issue 831117: Termination GC leaves behind persistents (mlippautz@chromium.org)
- Issue 835299: Security: Integer overflow in Swiftshader texture allocation (markbrand@google.com)
- Issue 826761 (Permission denied.)
- Issue 814987: Heap-buffer-overflow in getAddress (ClusterFuzz)
- Issue 683418: Don't allow web iframes on chrome:// pages (creis@chromium.org)
- Issue 666824: Security: bypass user gesture requirement for dangerous download types: Chrome extension → local user privilege escalation (jannh@google.com)
- Issue 860721: ComputeRandomMagic produces less randomness on 64-bit platforms than 32-bit platforms (dtapu...@chromium.org)
- Issue 840695: Heap-use-after-free in CJBig2_Image::~CJBig2_Image (ClusterFuzz)
- Issue 838886: Crash in CFX_DIBitmap::~CFX_DIBitmap (ClusterFuzz)

67.0.3396.99 (Monday, June 25, 2018) 0/0 bugs

67.0.3396.87 (Tuesday, June 12, 2018) 1/1 bugs

[$TBD][848672] High CVE-2018-6149: Out of bounds write in V8. Reported by Yu Zhou and Jundong Xie of Ant-financial Light-Year Security Lab on 2018-06-01
- Issue 848672: Security: V8 Incorrect type cast in String.p.split function leads to OOB write (chinaxia...@gmail.com)

67.0.3396.79 (Wednesday, June 6, 2018) 1/1 bugs

[$TBD][845961] High CVE-2018-6148: Incorrect handling of CSP header. Reported by Michał Bentkowski on 2018-05-23
- Issue 845961: Security: Setting arbitrary http request headers via <iframe csp> attribute (mic...@bentkowski.info)

67.0.3396.62 (Tuesday, May 29, 2018) 38/34 bugs

[$3000][835639] High CVE-2018-6123: Use after free in Blink. Reported by Looben Yang on 2018-04-22
- Issue 835639: Security: FileReader - Use After Free in FileReaderLoader::OnCalculatedSize() (loobeny...@gmail.com)
[$5000][840320] High CVE-2018-6124: Type confusion in Blink. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-05-07
- Issue 840320: Security: type confusion trigger DCHECK fail in ReadableStreamBytesConsumer::OnFulfilled::Call (higonggu...@gmail.com)
[$5000][818592] High CVE-2018-6125: Overly permissive policy in WebUSB. Reported by Yubico, Inc on 2018-03-05
- Issue 818592: Security: WinUSB - multiple issues (c...@yubico.com)
[$N/A][844457] High CVE-2018-6126: Heap buffer overflow in Skia. Reported by Ivan Fratric of Google Project Zero on 2018-05-18
- Issue 844457: Security: Chrome/Skia: Heap overflow in SkScan::FillPath due to precision error. (ifratric@google.com)
[$10,000][842990] High CVE-2018-6127: Use after free in indexedDB. Reported by Looben Yang on 2018-05-15
- Issue 842990: Security: Sandbox Escape - Use After Free with IndexedDBConnection (loobeny...@gmail.com)
[$7,500][841105] High CVE-2018-6128: uXSS in Chrome on iOS. Reported by Tomasz Bojarski on 2018-05-09
- Issue 841105: Security: uXSS in Chrome on iOS (th...@inbox.com)
[$N/A][838672] High CVE-2018-6129: Out of bounds memory access in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-01
- Issue 838672: WebRTC: Out-of-bounds memory access in WebRTC VP9 Missing Frame Processing (natashenka@google.com)
[$N/A][838402] High CVE-2018-6130: Out of bounds memory access in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-04-30
- Issue 838402: Security: WebRTC: Out-of-bounds memory access in WebRTC VP9 Frame Processing (natashenka@google.com)
[$N/A][826434] High CVE-2018-6131: Incorrect mutability protection in WebAssembly. Reported by Natalie Silvanovich of Google Project Zero on 2018-03-27
- Issue 826434: Security: Concern about WebAssembly table mutability (natashenka@google.com)
[$500][839960] Medium CVE-2018-6132: Use of uninitialized memory in WebRTC. Reported by Ronald E. Crane on 2018-05-04
- Issue 839960: Security: Use of uninitialized memory caused by AcmReceiver::AcmReceiver() (googleb...@zippenhop.com)
[$500][817247] Medium CVE-2018-6133: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-28
- Issue 817247: Security: IDN URL Spoofing with using U+04CF (chromium...@gmail.com)
[$500][797465] Medium CVE-2018-6134: Referrer Policy bypass in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-12-23
- Issue 797465: Referrer Policy bypass using Navigation Timing API (s.h.h.n....@gmail.com)
[$1000][823353] Medium CVE-2018-6135: UI spoofing in Blink. Reported by Jasper Rebane on 2018-03-19
- Issue 823353: Security: Show javascript alert on a site by clicking on a link from that site (rebane2...@gmail.com)
[$1500][831943] Medium CVE-2018-6136: Out of bounds memory access in V8. Reported by Peter Wong on 2018-04-12
- Issue 831943: Security: Crash with JavaScript RegExp subclassing (peter.wm...@gmail.com)
[$2000][835589] Medium CVE-2018-6137: Leak of visited status of page in Blink. Reported by Michael Smith (spinda.net) on 2018-04-21
- Issue 835589: Security: CSS Paint API leaks visited status of links (up to ~3k/sec) (mds...@gmail.com)
[$2000][810220] Medium CVE-2018-6138: Overly permissive policy in Extensions. Reported by François Lajeunesse-Robert on 2018-02-08
- Issue 810220: Security: Extension with <all_urls> permission can read arbitrary local files and chrome:// pages (francois...@gmail.com)
[$2000][805224] Medium CVE-2018-6139: Restrictions bypass in the debugger extension API. Reported by Rob Wu on 2018-01-24
- Issue 805224: Security: chrome.debugger can attach to any target (rob@robwu.nl)
[$2000][798222] Medium CVE-2018-6140: Restrictions bypass in the debugger extension API. Reported by Rob Wu on 2018-01-01
- Issue 798222: Security: DevTools protocol can be abused to download and run external programs (rob@robwu.nl)
[$2000][796107] Medium CVE-2018-6141: Heap buffer overflow in Skia. Reported by Yangkang(@dnpushme) & Wanglu of Qihoo360 Qex Team on 2017-12-19
- Issue 796107: Heap-buffer-overflow in SkRecorder::onDrawPosTextH (m.cooo...@gmail.com)
[$4500][837939] Medium CVE-2018-6142: Out of bounds memory access in V8. Reported by Choongwoo Han of Naver Corporation on 2018-04-28
- Issue 837939: Security: [v8] Information Leak in Map constructor (cwhan.t...@gmail.com)
[$2,000][843022] Medium CVE-2018-6143: Out of bounds memory access in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-05-15
- Issue 843022: Security: OOB access in RegExpBuiltinsAssembler::LoadRegExpResultFirstMatch (higonggu...@gmail.com)
[$500][828049] Low CVE-2018-6144: Out of bounds memory access in PDFium. Reported by pdknsk on 2018-04-02
- Issue 828049: pdfium: oob array write in CPDF_StreamParser::ParseNextElement (pdknsk@gmail.com)
[$500][805924] Low CVE-2018-6145: Incorrect escaping of MathML in Blink. Reported by Masato Kinugawa on 2018-01-25
- Issue 805924: mXSS: Potential XSS via MathML gotten from innerHTML (masatoki...@gmail.com)
[$N/A][818133] Low CVE-2018-6147: Password fields not taking advantage of OS protections in Views. Reported by Michail Pishchagin (Yandex) on 2018-03-02
- Issue 818133: MacViews: views::Textfield doesn't enable secure input for password in HTTP Authentication prompt (mbl...@gmail.com)
[847542] internal.
- Issue 844457: Security: Chrome/Skia: Heap overflow in SkScan::FillPath due to precision error. (ifratric@google.com)
- Issue 838672: WebRTC: Out-of-bounds memory access in WebRTC VP9 Missing Frame Processing (natashenka@google.com)
- Issue 838402: Security: WebRTC: Out-of-bounds memory access in WebRTC VP9 Frame Processing (natashenka@google.com)
- Issue 836511 (Permission denied.)
- Issue 836362: Security: download.default_directory should not be modifiable via settingsPrivate.setPref (asanka@chromium.org)
- Issue 835371: Bad-cast to blink::LayoutBox from invalid vptr in blink::LayoutBlockFlow::XPositionForFloatIncludingMargin (ClusterFuzz)
- Issue 835184: Global-buffer-overflow in fxcrt::WideString::WStringLength (ClusterFuzz)
- Issue 826946 (Permission denied.)
- Issue 826434: Security: Concern about WebAssembly table mutability (natashenka@google.com)
- Issue 826193 (Permission denied.)
- Issue 823864: Make WebUI more robust to user gesture spoofing (dcheng@chromium.org)
- Issue 840376: Add back retpoline for indirect function calls in wasm (clemensh@chromium.org)
- Issue 832787: Use-of-uninitialized-value in TParseContext::nonInitErrorCheck (ClusterFuzz)
- Issue 825524: Heap-buffer-overflow in Decode (ClusterFuzz)

66.0.3359.181 (Tuesday, May 15, 2018) 0/0 bugs

66.0.3359.170 (Thursday, May 10, 2018) 1/4 bugs

[$5000][833721] High CVE-2018-6120: Heap buffer overflow in PDFium. Reported by Zhou Aiting(@zhouat1) of Qihoo 360 Vulcan Team on 2018-04-17
- Issue 833721: Security: PDFium heap-buffer-overflow WRITE in CPDF_ExpIntFunc::v_Call (zhouat2...@gmail.com)

66.0.3359.139 (Thursday, April 26, 2018) 3/3 bugs

[$10500][831963] Critical CVE-2018-6118: Use after free in Media Cache. Reported by Ned Williamson on 2018-04-12
- Issue 831963: Security: In-memory Cache UaF 2 (nedwilli...@gmail.com)
[837635] internal.
- Issue 836141: Null-dereference READ in v8::internal::wasm::InstantiateToInstanceObject (ClusterFuzz)
- Issue 831984: Ill in v8::internal::FullEvacuationVerifier::VerifyPointers (ClusterFuzz)

66.0.3359.117 (Tuesday, April 17, 2018) 68/62 bugs

[$TBD][826626] Critical CVE-2018-6085: Use after free in Disk Cache. Reported by Ned Williamson on 2018-03-28
- Issue 826626: Security: Blockfile Media Cache UaF (nedwilli...@gmail.com)
[$TBD][827492] Critical CVE-2018-6086: Use after free in Disk Cache. Reported by Ned Williamson on 2018-03-30
- Issue 827492: Security: In-memory Cache UaF (nedwilli...@gmail.com)
[$7500][813876] High CVE-2018-6087: Use after free in WebAssembly. Reported by Anonymous on 2018-02-20
- Issue 813876 (Permission denied.)
[$5000][822091] High CVE-2018-6088: Use after free in PDFium. Reported by Anonymous on 2018-03-15
- Issue 822091: Heap-use-after-free in PDFiumEngine::GetVisiblePageIndex (chamal.d...@gmail.com)
[$4500][808838] High CVE-2018-6089: Same origin policy bypass in Service Worker. Reported by Rob Wu on 2018-02-04
- Issue 808838: Security: Same origin bypass with Service Workers + PDF plugin (rob@robwu.nl)
[$3000][820913] High CVE-2018-6090: Heap buffer overflow in Skia. Reported by ZhanJia Song on 2018-03-12
- Issue 820913: Security: Heap-buffer-overflow in AAHairlineOp::onPrepareDraws (zhanjias...@gmail.com)
[$500][771933] High CVE-2018-6091: Incorrect handling of plug-ins by Service Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-10-05
- Issue 771933: SW can intercept potential-navigation-or-subresource request (s.h.h.n....@gmail.com)
[$N/A][819869] High CVE-2018-6092: Integer overflow in WebAssembly. Reported by Natalie Silvanovich of Google Project Zero on 2018-03-08
- Issue 819869: Security: Integer Overflow when Processing WebAssembly Locals (natashenka@google.com)
[$4000][780435] Medium CVE-2018-6093: Same origin bypass in Service Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-11-01
- Issue 780435: Read cross-origin video using Canvas and Service Worker (s.h.h.n....@gmail.com)
[$2000][805445] Medium CVE-2018-6152: Local file write in DevTools. Reported by Rob Wu on 2018-01-24
- Issue 805445: Security: arbitrarily file write + bypass dangerous file check via DevTools API (rob@robwu.nl)
[$2000][633030] Medium CVE-2018-6094: Exploit hardening regression in Oilpan. Reported by Chris Rohlf on 2016-08-01
- Issue 633030: Oilpan reintroduced inline meta-data (chris.ro...@gmail.com)
[$2000][637098] Medium CVE-2018-6095: Lack of meaningful user interaction requirement before file upload. Reported by Abdulrahman Alqabandi (@qab) on 2016-08-11
- Issue 637098: Security: Read all local files using minimal user interaction and gesture laundering (greencar...@hotmail.com)
[$1000][812667] Medium CVE-2018-6150: Cross origin information disclosure in Service Workers. Reported by Rob Wu on 2018-02-15
- Issue 812667: Security: Cross-origin information leak via subresource integrity (SRI), fetch and Service Workers (rob@robwu.nl)
[$1000][776418] Medium CVE-2018-6096: Fullscreen UI spoof. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-19
- Issue 776418: Security: Fullscreen notification can be overlapped (ma7h1a...@gmail.com)
[$1000][806162] Medium CVE-2018-6097: Fullscreen UI spoof. Reported by xisigr of Tencent's Xuanwu Lab on 2018-01-26
- Issue 806162: Security: Chrome fullscreen without any warning and dialog no orgin for spoof (xis...@gmail.com)
[$500][805905] Medium CVE-2018-6151: Bad cast in DevTools. Reported by Rob Wu on 2018-01-25
- Issue 805905: Security: Bad cast to ChromeDownloadManagerDelegate* from DevToolsDownloadManagerDelegate* (rob@robwu.nl)
[$500][798892] Medium CVE-2018-6098: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-01-03
- Issue 798892: Security: IDN URL Spoofing with using "U+00FE" (chromium...@gmail.com)
[$500][808825] Medium CVE-2018-6099: CORS bypass in ServiceWorker. Reported by Jun Kokatsu (@shhnjk) on 2018-02-03
- Issue 808825: WebVTT CORS bypass using ServiceWorker (s.h.h.n....@gmail.com)
[$500][811117] Medium CVE-2018-6100: URL spoof in Omnibox. Reported by Lnyas Zhang on 2018-02-11
- Issue 811117: Myanmar character in domain names can lead to spoofing (zxyrz...@gmail.com)
[$500][813540] Medium CVE-2018-6101: Insufficient protection of remote debugging prototol in DevTools . Reported by Rob Wu on 2018-02-19
- Issue 813540: Security: remote debugging + DNS rebinding = UXSS (rob@robwu.nl)
[$500][813814] Medium CVE-2018-6102: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-20
- Issue 813814: Security: Whole-script confusable domain label spoofing (Cyrillic) (chromium...@gmail.com)
[$500][816033] Medium CVE-2018-6103: UI spoof in Permissions. Reported by Khalil Zhani on 2018-02-24
- Issue 816033: Security: Permission request UI spoof (chromium...@gmail.com)
[$500][820068] Medium CVE-2018-6104: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-03-08
- Issue 820068: Security: IDN URL Spoofing with using "U+0437" (cyrillic small letter Ze) (chromium...@gmail.com)
[$N/A][803571] Medium CVE-2018-6105: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-01-18
- Issue 803571: 'Security: IDN URL Spoofing with "Cyrillic Letter Ukrainian Ie" (chromium...@gmail.com)
[$N/A][805729] Medium CVE-2018-6106: Incorrect handling of promises in V8. Reported by lokihardt of Google Project Zero on 2018-01-25
- Issue 805729: Security: V8: AwaitedPromise update bug (lokihardt@google.com)
[$N/A][808316] Medium CVE-2018-6107: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-02
- Issue 808316: Security: IDN URL Spoofing with using ŋ (U+014B) (chromium...@gmail.com)
[$N/A][816769] Medium CVE-2018-6108: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-27
- Issue 816769: Security: IDN URL Spoofing with U+04FD, U+050F, U+050B (chromium...@gmail.com)
[$N/A][710190] Low CVE-2018-6109: Incorrect handling of files by FileAPI. Reported by Dominik Weber (@DoWeb_) on 2017-04-10
- Issue 710190: Security: Reloading the content of a changed file (dowe...@gmail.com)
[$N/A][777737] Low CVE-2018-6110: Incorrect handling of plaintext files via file:// . Reported by Wenxiang Qian (aka blastxiang) on 2017-10-24
- Issue 777737: Security: Google Chrome renders text file as HTML under file:// protocol (blastxi...@gmail.com)
[$N/A][780694] Low CVE-2018-6111: Heap-use-after-free in DevTools. Reported by Khalil Zhani on 2017-11-02
- Issue 780694: Security: Heap-use-after-free in content::protocol::NetworkHandler::SetNetworkConditions (chromium...@gmail.com)
[$N/A][798096] Low CVE-2018-6112: Incorrect URL handling in DevTools. Reported by Rob Wu on 2017-12-29
- Issue 798096: Security: Linkified URLs in DevTools are not sanitized (can open privileged URLs) (rob@robwu.nl)
[$N/A][805900] Low CVE-2018-6113: URL spoof in Navigation. Reported by Khalil Zhani on 2018-01-25
- Issue 805900: Security: URL spoofing via forward and backward navigation on iOS (chromium...@gmail.com)
[$N/A][811691] Low CVE-2018-6114: CSP bypass. Reported by Lnyas Zhang on 2018-02-13
- Issue 811691: CSP object-src 'none' allows load of image in <object> tag (zxyrz...@gmail.com)
[$TBD][819809] Low CVE-2018-6115: SmartScreen bypass in downloads. Reported by James Feher on 2018-03-07
- Issue 819809: Security: SEE_MASK_FLAG_NO_UI behavior changes in Windows 10, allowing SmartScreen bypass (jk...@cornell.edu)
[$N/A][822266] Low CVE-2018-6116: Incorrect low memory handling in WebAssembly. Reported by Jin from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd. on 2018-03-15
- Issue 822266: Security:crash(SEGV_MAPERR ) in wasm module (jinzhe6...@gmail.com)
[$N/A][822465] Low CVE-2018-6117: Confusing autofill settings. Reported by Spencer Dailey on 2018-03-15
- Issue 822465: Manage Passwords is set to "Off" but it still autofills credentials (sdailey....@gmail.com)
[$N/A][822424] Low CVE-2018-6084: Incorrect use of Distributed Objects in Google Software Updater on MacOS. Reported by Ian Beer of Google Project Zero on 2018-03-15
- Issue 822424: Security: Local Privilege Escalation due to unsafe use of Distributed Objects in Google Software Updater on MacOS (ianbeer@chromium.org)
[833889] internal.
- Issue 825045: DCHECK failure in descriptor_number < number_of_descriptors() in objects-inl.h (ClusterFuzz)
- Issue 823345: Heap-use-after-free in xmlParseGetLasts (ClusterFuzz)
- Issue 821613: Restrict PDFium extension from running script inside chrome:// URLs (creis@chromium.org)
- Issue 821138: Privilege elevation via PDFium (mbarbe...@chromium.org)
- Issue 819869: Security: Integer Overflow when Processing WebAssembly Locals (natashenka@google.com)
- Issue 808386: Heap-use-after-free in cc::PlaybackImageProvider::GetDecodedDrawImage (ClusterFuzz)
- Issue 807887: Heap-use-after-free in video_capture::DeviceMediaToMojoAdapter::Stop (ClusterFuzz)
- Issue 803022: DCHECK failure in current_ == next_ in node.h (ClusterFuzz)
- Issue 797555: Heap-use-after-free in test_runner::WebWidgetTestClient::AnimateNow (ClusterFuzz)
- Issue 797298: Heap-use-after-free in blink::PaintLayerScrollableArea::UpdateScrollOffset (ClusterFuzz)
- Issue 793715: Heap-use-after-free in xmlParseGetLasts (ClusterFuzz)
- Issue 818177: Merge VP9 RTP fix to M65 (philipel@chromium.org)
- Issue 816768: Security DCHECK failure: i < length_ in StringImpl.h (ClusterFuzz)
- Issue 813142: Heap-buffer-overflow in blink::PNGImageDecoder::RowAvailable (ClusterFuzz)
- Issue 807628: Use-of-uninitialized-value in content::QuotaDispatcherHost::QueryStorageUsageAndQuota (ClusterFuzz)
- Issue 805729: Security: V8: AwaitedPromise update bug (lokihardt@google.com)
- Issue 804476: Security: use-of-uninitialized-value in unpremul_pm (filter_fuzz_stub) (metzman@chromium.org)
- Issue 800389: Security: use-of-unitialized-value in getType (SkMatrix.h:128) in filter_fuzz_stub (metzman@chromium.org)
- Issue 799775: Security: use-of-unitialized-value in GetScale (SkUnPeMultiply.h:29) in filter_fuzz_stub (metzman@chromium.org)
- Issue 799499: Heap-buffer-overflow in WebRtcSpl_DownsampleFastC (ClusterFuzz)
- Issue 797796: Crash in _sk_load_bgra_sse2 (ClusterFuzz)
- Issue 797281: Heap-buffer-overflow in getIConst (ClusterFuzz)
- Issue 797234: Use-of-uninitialized-value in ConstantUnion::cast (ClusterFuzz)
- Issue 796776: Use-of-uninitialized-value in ConstantUnion::operator+ (ClusterFuzz)
- Issue 794402: Security: use-of-uninitialized-value in sse2::blit_row_s32a_opaque (filter_fuzz_stub) (metzman@chromium.org)
- Issue 737648: Security: bypassing CORS of multipart images by ServiceWorker (hirosh...@chromium.org)
- Issue 822424: Security: Local Privilege Escalation due to unsafe use of Distributed Objects in Google Software Updater on MacOS (ianbeer@chromium.org)
- Issue 808205: Should XSDB also block some headers (not just response body)? (lukasza@chromium.org)
- Issue 806483 (Permission denied.)
- Issue 804822 (Permission denied.)
- Issue 792538: Improve extension content verification logic when the extension requests a resource at folder urls (proberge@chromium.org)

65.0.3325.181 (Tuesday, March 20, 2018) 1/1 bugs

[823553] internal.
- Issue 812532 (Permission denied.)

65.0.3325.162 (Tuesday, March 13, 2018) 0/0 bugs

65.0.3325.146 (Tuesday, March 6, 2018) 52/45 bugs

[$5000][758848] High CVE-2017-11215: Use after free in Flash. Reported by JieZeng of Tencent Zhanlu Lab on 2017-08-25
- Issue 758848: Security: Use after free vulnerability about psdk in the latest version (jiezengo...@gmail.com)
[$5000][758863] High CVE-2017-11225: Use after free in Flash. Reported by JieZeng of Tencent Zhanlu Lab on 2017-08-25
- Issue 758863: Security: Use after free vulnerability about psdk in the latest version of Flash player (jiezengo...@gmail.com)
[$3000][780919] High CVE-2018-6060: Use after free in Blink. Reported by Omair on 2017-11-02
- Issue 780919: Security: heap-use-after-free blink::AudioSummingJunction::UpdateRenderingState (om...@krash.in)
[$3000][794091] High CVE-2018-6061: Race condition in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2017-12-12
- Issue 794091: Security: race condition lead to many fatal Error D in WebAssembly.validate (higonggu...@gmail.com)
[$1000][780104] High CVE-2018-6062: Heap buffer overflow in Skia. Reported by Anonymous on 2017-10-31
- Issue 780104 (Permission denied.)
[$N/A][789959] High CVE-2018-6057: Incorrect permissions on shared memory. Reported by Gal Beniamini of Google Project Zero on 2017-11-30
- Issue 789959: Security: Read-only SharedMemory descriptors on Android are writable (laginimaineb@google.com)
[$N/A][792900] High CVE-2018-6063: Incorrect permissions on shared memory. Reported by Gal Beniamini of Google Project Zero on 2017-12-07
- Issue 792900: Security: Calling "mojo::WrapSharedMemoryHandle" is insufficient to produce read-only descriptors for IPC (laginimaineb@google.com)
[$N/A][798644] High CVE-2018-6064: Type confusion in V8. Reported by lokihardt of Google Project Zero on 2018-01-03
- Issue 798644: Security: V8: Type confusion in ElementsAccessorBase::CollectValuesOrEntriesImpl (lokihardt@google.com)
[$N/A][808192] High CVE-2018-6065: Integer overflow in V8. Reported by Mark Brand of Google Project Zero on 2018-02-01
- Issue 808192: Security: V8 Integer overflow in object allocation size (markbrand@google.com)
[$4000][799477] Medium CVE-2018-6066: Same Origin Bypass via canvas. Reported by Masato Kinugawa on 2018-01-05
- Issue 799477: Cross-Origin image data leak via cache and canvas (masatoki...@gmail.com)
[$2000][779428] Medium CVE-2018-6067: Buffer overflow in Skia. Reported by Ned Williamson on 2017-10-30
- Issue 779428: Security: global-buffer-overflow in SkBitmap IPC Deserialization (nedwilli...@gmail.com)
[$2000][798933] Medium CVE-2018-6068: Object lifecycle issues in Chrome Custom Tab. Reported by Luan Herrera on 2018-01-04
- Issue 798933: Chrome for Android - Window.open combined with the onbeforeunload dialog crashes Chrome's WebView render (luan.her...@hotmail.com)
[$1500][799918] Medium CVE-2018-6069: Stack buffer overflow in Skia. Reported by Wanglu & Yangkang(@dnpushme) of Qihoo360 Qex Team on 2018-01-08
- Issue 799918: Stack-buffer-overflow in SkPackBits::Unpack8 (jonaluw...@gmail.com)
[$1000][668645] Medium CVE-2018-6070: CSP bypass through extensions. Reported by Rob Wu on 2016-11-25
- Issue 668645: Security: CSP in WebUI can trivially be bypassed by extensions (rob@robwu.nl)
[$1000][777318] Medium CVE-2018-6071: Heap bufffer overflow in Skia. Reported by Anonymous on 2017-10-23
- Issue 777318 (Permission denied.)
[$1000][791048] Medium CVE-2018-6072: Integer overflow in PDFium. Reported by Atte Kettunen of OUSPG on 2017-12-01
- Issue 791048 (Permission denied.)
[$1000][804118] Medium CVE-2018-6073: Heap bufffer overflow in WebGL. Reported by Omair on 2018-01-20
- Issue 804118: Security: WriteTexture heap-buffer-overflow in WebGL on macOS (om...@krash.in)
[$1000][809759] Medium CVE-2018-6074: Mark-of-the-Web bypass. Reported by Abdulrahman Alqabandi (@qab) on 2018-02-06
- Issue 809759: Security: Latest Win10 builds fail to set Mark-of-the-Web on downloaded filenames approaching MAX_PATH (greencar...@hotmail.com)
[$500][608669] Medium CVE-2018-6075: Overly permissive cross origin downloads. Reported by Inti De Ceukelaire (intigriti.com) on 2016-05-03
- Issue 608669: Security: a@download feature can be abused to leak sensitive information from third party sites (inti.de....@gmail.com)
[$500][758523] Medium CVE-2018-6076: Incorrect handling of URL fragment identifiers in Blink. Reported by Mateusz Krzeszowiec on 2017-08-24
- Issue 758523: Security: document.baseURI contains not-encoded representation of URI and may lead to DOM based XSS (mateusz....@gmail.com)
[$500][778506] Medium CVE-2018-6077: Timing attack using SVG filters. Reported by Khalil Zhani on 2017-10-26
- Issue 778506 (Permission denied.)
[$500][793628] Medium CVE-2018-6078: URL Spoof in OmniBox. Reported by Khalil Zhani on 2017-12-10
- Issue 793628: Security: IDN URL Spoofing with Cyrillic (chromium...@gmail.com)
[$TBD][788448] Medium CVE-2018-6079: Information disclosure via texture data in WebGL. Reported by Ivars Atteka on 2017-11-24
- Issue 788448 (Permission denied.)
[$N/A][792028] Medium CVE-2018-6080: Information disclosure in IPC call. Reported by Gal Beniamini of Google Project Zero on 2017-12-05
- Issue 792028: Security: Information disclosure via "memory_instrumentation::mojom::Coordinator" interface in "resource_coordinator" service (laginimaineb@google.com)
[$1000][797525] Low CVE-2018-6081: XSS in interstitials. Reported by Rob Wu on 2017-12-24
- Issue 797525: Security: XSS in "Site blocked" (supervised user) interstitial and chrome://interstitials/supervised_user (rob@robwu.nl)
[$N/A][767354] Low CVE-2018-6082: Circumvention of port blocking. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-09-21
- Issue 767354: Security: Detect open SSH port via FTP protocol (ma7h1a...@gmail.com)
[$N/A][771709] Low CVE-2018-6083: Incorrect processing of AppManifests. Reported by Jun Kokatsu (@shhnjk) on 2017-10-04
- Issue 771709: PWA app installation can be requested from sandboxed page (s.h.h.n....@gmail.com)
[819271] internal.
- Issue 812567: Heap-buffer-overflow in mov_read_trun (ClusterFuzz)
- Issue 808192: Security: V8 Integer overflow in object allocation size (markbrand@google.com)
- Issue 801000: iOS: wrong url in omnibox after going back from search result (est...@chromium.org)
- Issue 798644: Security: V8: Type confusion in ElementsAccessorBase::CollectValuesOrEntriesImpl (lokihardt@google.com)
- Issue 798410: Security DCHECK failure: !object || (object->IsTableCell()) in LayoutTableCell.h (ClusterFuzz)
- Issue 798099: Security DCHECK failure: offset + length <= impl.length() in StringView.h (ClusterFuzz)
- Issue 797481: Crash in v8::internal::Simulator::LoadStorePairHelper (ClusterFuzz)
- Issue 793715: Heap-use-after-free in xmlParseGetLasts (ClusterFuzz)
- Issue 792900: Security: Calling "mojo::WrapSharedMemoryHandle" is insufficient to produce read-only descriptors for IPC (laginimaineb@google.com)
- Issue 789959: Security: Read-only SharedMemory descriptors on Android are writable (laginimaineb@google.com)
- Issue 770106: CHECK failure: actual_unused_property_fields > map()->unused_property_fields() in objects-debug (ClusterFuzz)
- Issue 746132: bluetooth::mojom::AdapterFactory is available to any renderer without permission checks (sa...@chromium.org)
- Issue 806122: Crash in get_chroma_qp (ClusterFuzz)
- Issue 805892: Heap-buffer-overflow in autofill::PagePasswordsAnalyser::AnalyseDocumentDOM (ClusterFuzz)
- Issue 802983: Heap-buffer-overflow in CJBig2_Image::composeTo_opt2 (ClusterFuzz)
- Issue 798150: Crash in v8::internal::Invoke (ClusterFuzz)
- Issue 794674 (Permission denied.)
- Issue 794406: Security: Use of Uninitialized Value in approx_log2 (msan build filter_fuzz_stub) (metzman@chromium.org)
- Issue 793519: DeviceSensorHost exposes shared memory handles from StartPolling as read-write (rsesek@chromium.org)
- Issue 792163: Review U+04CF confusable mapping and make it platform-dependent if necessary (js...@chromium.org)
- Issue 792028: Security: Information disclosure via "memory_instrumentation::mojom::Coordinator" interface in "resource_coordinator" service (laginimaineb@google.com)
- Issue 791317: Use-of-uninitialized-value in sk_store_a8 (ClusterFuzz)
- Issue 789767: MSAN detects use-of-uninitialized-value in analyze_3x4_matrix() in filter_fuzz_stub (metzman@chromium.org)
- Issue 789764: Crash in v8::internal::Script::FindSharedFunctionInfo (ClusterFuzz)
- Issue 779326: Crash in sw::Renderer::taskLoop (ClusterFuzz)

None (Thursday, February 22, 2018) 0/0 bugs

None (Tuesday, February 13, 2018) 1/1 bugs

[$N/A][806388] High CVE-2018-6056: Incorrect derived class instantiation in V8. Reported by lokihardt of Google Project Zero on 2018-01-26
- Issue 806388: Security: A bug in JSFunction::GetDerivedMap (lokihardt@google.com)

64.0.3282.140 (Thursday, February 1, 2018) 1/1 bugs

[808163] internal.
- Issue 800032: Security: V8: Bugs in Genesis::InitializeGlobal (lokihardt@google.com)

64.0.3282.119 (Wednesday, January 24, 2018) 56/53 bugs

[$3000][780450] High CVE-2018-6031: Use after free in PDFium. Reported by Anonymous on 2017-11-01
- Issue 780450 (Permission denied.)
[$2000][787103] High CVE-2018-6032: Same origin bypass in Shared Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-11-20
- Issue 787103: Cross-origin Shared Worker (s.h.h.n....@gmail.com)
[$1000][793620] High CVE-2018-6033: Race when opening downloaded files. Reported by Juho Nurminen on 2017-12-09
- Issue 793620: Security: Sandbox escape / automatic code execution via downloads.open (juhon...@gmail.com)
[$4000][784183] Medium CVE-2018-6034: Integer overflow in Blink. Reported by Tobias Klein (www.trapkit.de) on 2017-11-12
- Issue 784183: signed integer overflow in blink::WebGLRenderingContextBase::ValidateTexImageSubRectangle<blink::Image> (tk.chrom...@googlemail.com)
[$2500][797500] Medium CVE-2018-6035: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23
- Issue 797500: Security: chrome-devtools://devtools/remote/ can be modified by extensions (rob@robwu.nl)
[$2000][789952] Medium CVE-2018-6036: Integer underflow in WebAssembly. Reported by The UK's National Cyber Security Centre (NCSC) on 2017-11-30
- Issue 789952: Security: NCSC Vulnerability Report - Google Chrome - V8 JavaScript Engine (secur...@ncsc.gov.uk)
[$1000][753645] Medium CVE-2018-6037: Insufficient user gesture requirements in autofill. Reported by Paul Stone of Context Information Security on 2017-08-09
- Issue 753645: Security: Autocomplete data can be stolen by malicious webpage (stoned...@gmail.com)
[$1000][774174] Medium CVE-2018-6038: Heap buffer overflow in WebGL. Reported by cloudfuzzer on 2017-10-12
- Issue 774174: Security: heap-buffer-overflow in UnpackOneRowOfRGBA5551LittleToRGBA8 (cloudfuz...@gmail.com)
[$1000][775527] Medium CVE-2018-6039: XSS in DevTools. Reported by Juho Nurminen on 2017-10-17
- Issue 775527: Security: Privileged XSS in DevTools (juhon...@gmail.com)
[$1000][778658] Medium CVE-2018-6040: Content security policy bypass. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-26
- Issue 778658: Security: content security policy bypass (ma7h1a...@gmail.com)
[$500][760342] Medium CVE-2018-6041: URL spoof in Navigation. Reported by Luan Herrera on 2017-08-29
- Issue 760342: Issuing multiple redirects hangs any subsequent navigation. This allows URL Spoofing and also a crash. (luan.her...@hotmail.com)
[$500][773930] Medium CVE-2018-6042: URL spoof in OmniBox. Reported by Khalil Zhani on 2017-10-12
- Issue 773930: Security: Whole-script confusable domain label spoofing (Cyrillic) (chromium...@gmail.com)
[$500][785809] Medium CVE-2018-6043: Insufficient escaping with external URL handlers. Reported by 0x09AL on 2017-11-16
- Issue 785809: Security: Chrome does not percent-escape the URL passed to external handler (rio.she...@fshnstudent.info)
[$TBD][797497] Medium CVE-2018-6045: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23
- Issue 797497: Security: Extension can run code in the chrome-devtools://devtools (e.g. to read local files) (rob@robwu.nl)
[$TBD][798163] Medium CVE-2018-6046: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-31
- Issue 798163: Security: privileged XSS in chrome-devtools://devtools/remote with old frontend (insufficient validation of remoteFrontendUrl) (rob@robwu.nl)
[$TBD][799847] Medium CVE-2018-6047: Cross origin URL leak in WebGL. Reported by Masato Kinugawa on 2018-01-08
- Issue 799847: Redirect URL leak via error message of WebGL texture (masatoki...@gmail.com)
[$500][763194] Low CVE-2018-6048: Referrer policy bypass in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-09-08
- Issue 763194: Referrer policy bypass with about:blank and document.write() (s.h.h.n....@gmail.com)
[$500][771848] Low CVE-2017-15420: URL spoofing in Omnibox. Reported by Drew Springall (@aaspring) on 2017-10-05
- Issue 771848: Security: URL bar does not update correctly on redirects with extension blocking requests (aaspring@umich.edu)
[$500][774438] Low CVE-2018-6049: UI spoof in Permissions. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-13
- Issue 774438: Security: Permission request UI spoof (improper URL truncation) (ma7h1a...@gmail.com)
[$500][774842] Low CVE-2018-6050: URL spoof in OmniBox. Reported by Jonathan Kew on 2017-10-15
- Issue 774842: Security: Visually-perfect domain spoofing using dotless-i plus combining mark (jfkth...@gmail.com)
[$N/a][441275] Low CVE-2018-6051: Referrer leak in XSS Auditor. Reported by Antonio Sanso (@asanso) on 2014-12-11
- Issue 441275: referrer leakage with XSS Auditor page block (antonio....@gmail.com)
[$N/A][615608] Low CVE-2018-6052: Incomplete no-referrer policy implementation. Reported by Tanner Emek on 2016-05-28
- Issue 615608: Security: Chrome browser not respecting no-referrer meta tag (tann...@gmail.com)
[$N/A][758169] Low CVE-2018-6053: Leak of page thumbnails in New Tab Page. Reported by Asset Kabdenov on 2017-08-23
- Issue 758169: Website thumbnail screenshot access even after all private data is deleted (akabde...@gmail.com)
[$N/A][797511] Low CVE-2018-6054: Use after free in WebUI. Reported by Rob Wu on 2017-12-24
- Issue 797511: Security: heap-use-after-free in WebUIExtension::Send (chrome.send) (rob@robwu.nl)
[805285] internal.
- Issue 794990: Security: Pdfium: integer overflows in pattern shading (markbrand@google.com)
- Issue 794969: Security: Incorrect size calculation when deserializing Mojo "Event" messages leading to OOB access (laginimaineb@google.com)
- Issue 794924: Crash in v8::internal::Invoke (ClusterFuzz)
- Issue 794394: Security: V8: JIT: JSBuiltinReducer::ReduceObjectCreate fails to ensure that the prototype is "null" (lokihardt@google.com)
- Issue 792537: Cherry-pick an upstream buffer overrun fix for Calendar class in ICU (js...@chromium.org)
- Issue 792422: Security: buffer overflow in AudioSyncReader (maxmorin@chromium.org)
- Issue 791245: Security: V8: JIT: Simplified-lowererer IrOpcode::kStoreField, IrOpcode::kStoreElement optimization bug (lokihardt@google.com)
- Issue 791003: Security: Sandbox escape via exposed "filesystem::mojom::Directory" mojo interface in "catalog" service (laginimaineb@google.com)
- Issue 789393: Security: V8: Integer overflow with PropertyArray (lokihardt@google.com)
- Issue 787712: Use After Free (write) in SkPerlinNoiseShaderImpl (metzman@chromium.org)
- Issue 787301: Stack-overflow in v8::internal::TranslatedState::MaterializeAt (ClusterFuzz)
- Issue 786723: DCHECK failure in !compilation_info()->dependencies() || !compilation_info()->dependencies()->HasA (ClusterFuzz)
- Issue 780402: Pwn2own: V8 - isolate control via function deoptimization (awhalley@chromium.org)
- Issue 779457: DCHECK failure in outer_scope_ == scope->outer_scope() in bytecode-generator.cc (ClusterFuzz)
- Issue 765371: Security: bluetooth LE advertisement storm can remotely hang/crash chromebooks, android devices, and some iOS devices with little or no user action needed (dmitrygr@google.com)
- Issue 797469: Heap-buffer-overflow in xiph_lacing_16bit (ClusterFuzz)
- Issue 795251: Security: pdfium: out-of-bounds read with shading pattern backed by pattern colorspace (markbrand@google.com)
- Issue 794825: Security: V8: Empty BytecodeJumpTable may lead to OOB read (lokihardt@google.com)
- Issue 794822: Security: V8: JIT: Type confusion in GetSpecializationContext (lokihardt@google.com)
- Issue 793030: Security: Merge CVE-2017-3738 fix to M64. (davidben@chromium.org)
- Issue 786109: Security: Sanity check IP addresses for Cast devices (mfoltz@chromium.org)
- Issue 783243: CVE-2017-16528: CrOS: ALSA: seq: Use after free at unbind device (groeck@chromium.org)
- Issue 782594: [syzkaller] Linux kernel: multiple vulnerabilities in the USB subsystem (mnissler@chromium.org)
- Issue 773952: Use-of-uninitialized-value in gpu::gles2::ScopedPixelUnpackBufferOverride::ScopedPixelUnpackBufferOverride (ClusterFuzz)
- Issue 770734: Heap-buffer-overflow in bool url::DoExtractQueryKeyValue<char> (ClusterFuzz)
- Issue 740556: Security: HTML sandbox restrictions are removed after a redirect through docs.google.com (a...@google.com)
- Issue 736882: Security: chrome://discards/ accepts WebContents pointers as URL parameters (nick@chromium.org)
- Issue 792221: Navigation entry's SSL status is not updated when navigating to an existing page (est...@chromium.org)
- Issue 784761: U+0D1F and U+0D2F can be used to spoof 'so.com' (js...@chromium.org)
- Issue 774833: ASSERT: 0 <= value && value < symbolsCount (ClusterFuzz)
- Issue 773161: USB notification bubble: RTL text gets intermingled with URL. (lgar...@chromium.org)
- Issue 761245: Incorrect-function-pointer-type in _hb_blob_destroy_user_data (ClusterFuzz)

63.0.3239.132 (Thursday, January 4, 2018) 0/0 bugs

63.0.3239.108 (Thursday, December 14, 2017) 2/2 bugs

[$7500][788453] High CVE-2017-15429: UXSS in V8. Reported by Anonymous on 2017-11-24
- Issue 788453 (Permission denied.)
[794792] internal.
- Issue 793099: Use-after-free in DnsTransaction, again (mge...@chromium.org)

63.0.3239.84 (Wednesday, December 6, 2017) 35/37 bugs

[$10500][778505] Critical CVE-2017-15407: Out of bounds write in QUIC. Reported by Ned Williamson on 2017-10-26
- Issue 778505: Security: OOB Write in QuicStreamSequencerBuffer::OnStreamData (nedwilli...@gmail.com)
[$6337][762374] High CVE-2017-15408: Heap buffer overflow in PDFium. Reported by Ke Liu of Tencent's Xuanwu LAB on 2017-09-06
- Issue 762374: Security: PDFium Heap Buffer Overflow Vulnerability in OpenJPEG (stackexp...@gmail.com)
[$5000][763972] High CVE-2017-15409: Out of bounds write in Skia. Reported by Anonymous on 2017-09-11
- Issue 763972 (Permission denied.)
[$5000][765921] High CVE-2017-15410: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-16
- Issue 765921: Security: UAF in CPWL_Caret::SetCaret (manhluat...@gmail.com)
[$5000][770148] High CVE-2017-15411: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-29
- Issue 770148: Security: UAF in CPWL_ComboBox::KillFocus (manhluat...@gmail.com)
[$3500][727039] High CVE-2017-15412: Use after free in libXML. Reported by Nick Wellnhofer on 2017-05-27
- Issue 727039: Security: UAF/double free with XSLT XPath expressions containing function calls in predicates (wellnho...@aevum.de)
[$500][766666] High CVE-2017-15413: Type confusion in WebAssembly. Reported by Gaurav Dewan(@007gauravdewan) of Adobe Systems India Pvt. Ltd. on 2017-09-19
- Issue 766666 (Permission denied.)
[$3337][765512] Medium CVE-2017-15415: Pointer information disclosure in IPC call. Reported by Viktor Brange of Microsoft Offensive Security Research Team on 2017-09-15
- Issue 765512: Security: METHOD_LOCALTIME browser->renderer infoleak (vibra...@microsoft.com)
[$2500][779314] Medium CVE-2017-15416: Out of bounds read in Blink. Reported by Ned Williamson on 2017-10-28
- Issue 779314: Security: OOB Read in BlobStorageContext::BlobFlattener::BlobFlattener (nedwilli...@gmail.com)
[$2000][699028] Medium CVE-2017-15417: Cross origin information disclosure in Skia . Reported by Max May on 2017-03-07
- Issue 699028: Security: Canvas composite operations and CSS blend modes leak cross-origin data via timing attacks. (permutat...@gmail.com)
[$1000][765858] Medium CVE-2017-15418: Use of uninitialized value in Skia. Reported by Kushal Arvind Shah of Fortinet's FortiGuard Labs on 2017-09-15
- Issue 765858: Security: Use-of-uninitialized-value on Heap (kushal89...@gmail.com)
[$1000][780312] Medium CVE-2017-15419: Cross origin leak of redirect URL in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-10-31
- Issue 780312 (Permission denied.)
[$500][777419] Medium CVE-2017-15420: URL spoofing in Omnibox. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-23
- Issue 777419: Security: URL spoof when navigating back if the first real load ends up hitting an error (ma7h1a...@gmail.com)
[$TBD][774382] Medium CVE-2017-15422: Integer overflow in ICU. Reported by Yuan Deng of Ant-financial Light-Year Security Lab on 2017-10-13
- Issue 774382: Security: Persian Calendar Integer overflow lead to OOB read (scdengy...@gmail.com)
[$500][778101] Low CVE-2017-15423: Issue with SPAKE implementation in BoringSSL. Reported by Greg Hudson on 2017-10-25
- Issue 778101: SPAKE password-scalar not multiplied by 8 (ghud...@gmail.com)
[$N/A][756226] Low CVE-2017-15424: URL Spoof in Omnibox. Reported by Khalil Zhani on 2017-08-16
- Issue 756226: Security: URL spoofing with Armenian characters (chromium...@gmail.com)
[$N/A][756456] Low CVE-2017-15425: URL Spoof in Omnibox. Reported by xisigr of Tencent's Xuanwu Lab on 2017-08-17
- Issue 756456: Security: IDN domain spoof with unicode (U+0F37 U+0F84) (xis...@gmail.com)
[$N/A][756735] Low CVE-2017-15426: URL Spoof in Omnibox. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-08-18
- Issue 756735: Security: Gujarati character in domain names are not blacklisted (ma7h1a...@gmail.com)
[$N/A][768910] Low CVE-2017-15427: Insufficient blocking of JavaScript in Omnibox. Reported by Junaid Farhan (fb.me/junaid.farhan.54) on 2017-09-26
- Issue 768910: Security: Drag and drop of JavaScript to the URL bar incompletely blocked (farhankh...@gmail.com)
[792099] internal.
- Issue 778966 (Permission denied.)
- Issue 778251: InputScalesValid has a potential buffer overflow (courbet@google.com)
- Issue 776309: CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSReceiver()) in objects-i (ClusterFuzz)
- Issue 771474: CHECK failure: scope_data_->RemainingBytes() >= kUint8Size in preparsed-scope-data.cc (ClusterFuzz)
- Issue 771117: Bad-cast to media::WebMediaPlayerImpl from base class subobject at offset 8;content::HtmlVideoElementCapturerSource::CreateFromWebMediaPlayerImpl;content::RendererBlinkPlatformImpl::CreateHTMLVideoElementCapturer (ClusterFuzz)
- Issue 770313: Security: Enterprise ChromeOS OOBE page loads web URLs inside chrome:// process (creis@chromium.org)
- Issue 768080: CHECK failure: args[1]->IsJSReceiver() in runtime-object.cc (ClusterFuzz)
- Issue 758745: Security: Hostname not elided securely (elawrence@chromium.org)
- Issue 726643 (Permission denied.)
- Issue 705778: Android: Omnibox doesn't elide origins correctly (lgar...@chromium.org)
- Issue 774846: Heap-buffer-overflow in base::BigEndianWriter::WriteBytes (ClusterFuzz)
- Issue 771822: animated webp with frame < 8 bytes can cause a crash (jzern@chromium.org)
- Issue 735752: Need to update to latest libexpat 2.2.1 (palmer@chromium.org)
- Issue 730379: Heap-buffer-overflow in displayP4 (ClusterFuzz)
- Issue 617963: Security: Service Workers Response Size Info Leak (evn@google.com)
- Issue 766906 (Permission denied.)

62.0.3202.94 (Monday, November 13, 2017) 0/0 bugs

62.0.3202.89 (Monday, November 6, 2017) 1/2 bugs

[$7500][776677] High CVE-2017-15399: Use after free in V8. Reported by Zhao Qixun(@S0rryMybad) of Qihoo 360 Vulcan Team on 2017-10-20
- Issue 776677: Security: V8:Use After Free Leads to Remote Code Execution (soulchen...@gmail.com)

62.0.3202.75 (Thursday, October 26, 2017) 3/2 bugs

[$3000][770452] High CVE-2017-15396: Stack overflow in V8. Reported by Yuan Deng of Ant-financial Light-Year Security Lab on 2017-09-30
- Issue 770452: Stack-buffer-overflow in icu_59::NumberingSystem::createInstance (scdengy...@gmail.com)
[$1000][770450] Medium CVE-2017-15406: Stack overflow in V8. Reported by Yuan Deng of Ant-financial Light-Year Security Lab on 2017-09-30
- Issue 770450: Stack-buffer-overflow in Runtime_CanonicalizeLanguageTag (scdengy...@gmail.com)
[$1000][770450] Medium CVE-2017-15406: Stack overflow in V8. Reported by Yuan Deng of Ant-financial Light-Year Security Lab on 2017-09-30
- Issue 770450: Stack-buffer-overflow in Runtime_CanonicalizeLanguageTag (scdengy...@gmail.com)

62.0.3202.62 (Tuesday, October 17, 2017) 35/35 bugs

[$7500+$1337][762930] High CVE-2017-5124: UXSS with MHTML. Reported by Anonymous on 2017-09-07
- Issue 762930 (Permission denied.)
[$5000][749147] High CVE-2017-5125: Heap overflow in Skia. Reported by Anonymous on 2017-07-26
- Issue 749147 (Permission denied.)
[$3000][760455] High CVE-2017-5126: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-08-30
- Issue 760455: Security: Use-after-free in CPWL_Edit::OnKillFocus() (manhluat...@gmail.com)
[$3000][765384] High CVE-2017-5127: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-14
- Issue 765384: Security: UAF in CFFL_InteractiveFormFiller::OnBeforeKeyStroke (manhluat...@gmail.com)
[$3000][765469] High CVE-2017-5128: Heap overflow in WebGL. Reported by Omair on 2017-09-14
- Issue 765469: Security: heap buffer overflow in WebGLImageConversion::PackPixels (om...@krash.in)
[$3000][765495] High CVE-2017-5129: Use after free in WebAudio. Reported by Omair on 2017-09-15
- Issue 765495: Security: heap-use-after-free ScriptProcessorHandler::FireProcessEvent (om...@krash.in)
[$3000][718858] High CVE-2017-5132: Incorrect stack manipulation in WebAssembly. Reported by Gaurav Dewan (@007gauravdewan) of Adobe Systems India Pvt. Ltd. on 2017-05-05
- Issue 718858: Chrome 32 bit only: Float argument passed to function is garbage inside the function (gauravde...@gmail.com)
[$N/A][722079] High CVE-2017-5130: Heap overflow in libxml2. Reported by Pranjal Jumde (@pjumde) on 2017-05-14
- Issue 722079: libxml2 - Heap Overflow in xmlMemStrdupLoc (pranjal....@gmail.com)
[$5000][744109] Medium CVE-2017-5131: Out of bounds write in Skia. Reported by Anonymous on 2017-07-16
- Issue 744109 (Permission denied.)
[$2000][762106] Medium CVE-2017-5133: Out of bounds write in Skia. Reported by Aleksandar Nikolic of Cisco Talos on 2017-09-05
- Issue 762106: PDFium TIFF Image Flate Decoder Code Execution Vulnerability (regiw...@sourcefire.com)
[$1000][752003] Medium CVE-2017-15386: UI spoofing in Blink. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-08-03
- Issue 752003: Security: URL spoofing via crafted flash file and UI overlay (ma7h1a...@gmail.com)
[$1000][756040] Medium CVE-2017-15387: Content security bypass. Reported by Jun Kokatsu (@shhnjk) on 2017-08-16
- Issue 756040 (Permission denied.)
[$1000][756563] Medium CVE-2017-15388: Out of bounds read in Skia. Reported by Kushal Arvind Shah of Fortinet's FortiGuard Labs on 2017-08-17
- Issue 756563: Security: Out-Of-Bounds Read Vulnerability in Skia (kushal89...@gmail.com)
[$500][739621] Medium CVE-2017-15389: URL spoofing in OmniBox. Reported by xisigr of Tencent's Xuanwu Lab on 2017-07-06
- Issue 739621: Security: Address bar spoof (repro Issue 648117) (xis...@gmail.com)
[$500][750239] Medium CVE-2017-15390: URL spoofing in OmniBox. Reported by Haosheng Wang (@gnehsoah) on 2017-07-28
- Issue 750239: Security: IDN spoofing with Combining Dot Above U+0307 (gnehs...@gmail.com)
[$500][598265] Low CVE-2017-15391: Extension limitation bypass in Extensions. Reported by João Lucas Melo Brasio (whitehathackers.com.br) on 2016-03-28
- Issue 598265: Security: Bypassing web_accessible_resources protections (jaumlu...@gmail.com)
[$N/A][714401] Low CVE-2017-15392: Incorrect registry key handling in PlatformIntegration. Reported by Xiaoyin Liu (@general_nfs) on 2017-04-22
- Issue 714401: Security: NtQueryValueKey may not return null-terminated string (xiaoyi...@outlook.com)
[$N/A][732751] Low CVE-2017-15393: Referrer leak in Devtools. Reported by Svyat Mitin on 2017-06-13
- Issue 732751: Security: Referer leakage in chrome debug protocol (watashiw...@gmail.com)
[$N/A][745580] Low CVE-2017-15394: URL spoofing in extensions UI. Reported by Sam @sudosammy on 2017-07-18
- Issue 745580: Security: Chrome extensions UI does not respect IDN display policy (samreid...@gmail.com)
[$N/A][759457] Low CVE-2017-15395: Null pointer dereference in ImageCapture. Reported by Johannes Bergman (johberlvi@) on 2017-08-28
- Issue 759457: MediaStreamTrack.applyConstraints will crash the tab if executed in quick succession (johber...@gmail.com)
[775550] internal.
- Issue 769522: Security: WebAssembly potential arbitrary code execution in render process with trap handlers (eholk@chromium.org)
- Issue 766262: Security: privesc to war-extensions with PageState (mea...@chromium.org)
- Issue 762472: DCHECK failure in !isolate->has_pending_exception() in asm-js.cc (ClusterFuzz)
- Issue 757199: DCHECK failure in result->owns_descriptors() in objects.cc (ClusterFuzz)
- Issue 754404 (Permission denied.)
- Issue 639451: Heap-use-after-free in std::__1::__tree_const_iterator<std::__1::__value_type<CFX_ByteString, CPDF_Obje (ClusterFuzz)
- Issue 756289: Use-of-uninitialized-value in fclamp (ClusterFuzz)
- Issue 755007: conent_shell: Heap-use-after-free in net::NetLog::AddEntry (ClusterFuzz)
- Issue 752725: Heap-buffer-overflow in TetrahedralInterpFloat - pdf_codec_icc_fuzzer (ClusterFuzz)
- Issue 746784 (Permission denied.)
- Issue 724880: Heap-buffer-overflow in gfx::internal::TextRunHarfBuzz::GetClusterAt (ClusterFuzz)
- Issue 749228: Security: buffer overrun in ReplaceSubstringsAfterOffset (nick@chromium.org)
- Issue 734729: Compromised renderer can draw form validation bubbles over omnibox (lukasza@chromium.org)
- Issue 696729: Incorrect-function-pointer-type in _hb_blob_destroy_user_data (ClusterFuzz)
- Issue 527499: Security: SAN-01-001 Angular ngSanitize using Unicode Whitespace & innerHTML in Blink (d...@google.com)

61.0.3163.100 (Thursday, September 21, 2017) 3/3 bugs

[$7500][765433] High CVE-2017-5121: Out-of-bounds access in V8. Reported by Jordan Rabet, Microsoft Offensive Security Research and Microsoft ChakraCore team on 2017-09-14
- Issue 765433: Security: V8 JIT escape analysis bug (jo...@microsoft.com)
[$3000][752423] High CVE-2017-5122: Out-of-bounds access in V8. Reported by Choongwoo Han of Naver Corporation on 2017-08-04
- Issue 752423: [wasm] OOB access in v8 wasm after Symbol.toPrimitive overwrite (cwhan.t...@gmail.com)
[767508] internal.
- Issue 762874: Security: off by one in TurboFan range optimization for String.indexOf (sroett...@google.com)

61.0.3163.91 (Thursday, September 14, 2017) 0/0 bugs

61.0.3163.79 (Tuesday, September 5, 2017) 22/22 bugs

[$5000][737023] High CVE-2017-5111: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-06-27
- Issue 737023: Security: Use-after-free in ResetPDFWindow(); (manhluat...@gmail.com)
[$5000][740603] High CVE-2017-5112: Heap buffer overflow in WebGL. Reported by Tobias Klein (www.trapkit.de) on 2017-07-10
- Issue 740603: Security: heap-buffer-overflow in gpu::gles2::GLES2Implementation::ReadPixels (tk.chrom...@googlemail.com)
[$5000][747043] High CVE-2017-5113: Heap buffer overflow in Skia. Reported by Anonymous on 2017-07-20
- Issue 747043 (Permission denied.)
[$3500][752829] High CVE-2017-5114: Memory lifecycle issue in PDFium. Reported by Ke Liu of Tencent's Xuanwu LAB on 2017-08-07
- Issue 752829: Security: PDFium calls PartitionFree() on heap memory returned by opj_calloc() (stackexp...@gmail.com)
[$3000][744584] High CVE-2017-5115: Type confusion in V8. Reported by Marco Giovannini on 2017-07-17
- Issue 744584: Fatal error in ../../v8/src/compiler/representation-change.cc, line 1055 (mgi...@gmail.com)
[$1000][739190] Medium CVE-2017-5117: Use of uninitialized value in Skia. Reported by Tobias Klein (www.trapkit.de) on 2017-07-04
- Issue 739190: Security: use-of-uninitialized-value in SkPathMeasure::distanceToSegment (tk.chrom...@googlemail.com)
[$1000][747847] Medium CVE-2017-5118: Bypass of Content Security Policy in Blink. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-07-24
- Issue 747847: Security: CSP not inherited after navigation to JavaScript scheme uri (ma7h1a...@gmail.com)
[$N/A][725127] Medium CVE-2017-5119: Use of uninitialized value in Skia. Reported by Anonymous on 2017-05-22
- Issue 725127 (Permission denied.)
[$N/A][718676] Low CVE-2017-5120: Potential HTTPS downgrade during redirect navigation. Reported by Xiaoyin Liu (@general_nfs) on 2017-05-05
- Issue 718676: Security: Potential HTTPS downgrade attacks by abusing WWW mismatch redirect (xiaoyi...@outlook.com)
[762099] internal.

60.0.3112.113 (Thursday, August 24, 2017) 0/0 bugs

60.0.3112.101 (Monday, August 14, 2017) 0/0 bugs

60.0.3112.90 (Wednesday, August 2, 2017) 0/0 bugs

60.0.3112.78 (Tuesday, July 25, 2017) 39/40 bugs

[$10000][728887] High CVE-2017-5091: Use after free in IndexedDB. Reported by Ned Williamson on 2017-06-02
- Issue 728887: Security: IndexedDB OpenCursor UaF (nedwilli...@gmail.com)
[$5000][733549] High CVE-2017-5092: Use after free in PPAPI. Reported by Yu Zhou, Yuan Deng of Ant-financial Light-Year Security Lab (蚂蚁金服巴斯光年安全实验室) on 2017-06-15
- Issue 733549: Chrome sandbox escape due to use of invalid PP_Instance in IPC handler OnMsgDidDeleteInProcessInstance (chinaxia...@gmail.com)
[$3000][550017] High CVE-2017-5093: UI spoofing in Blink. Reported by Luan Herrera on 2015-10-31
- Issue 550017: Security: Modal dialogs overlaying Fullscreen permission dialog (luan.her...@hotmail.com)
[$1000][702946] High CVE-2017-5094: Type confusion in extensions. Reported by Anonymous on 2017-03-19
- Issue 702946 (Permission denied.)
[$1000][732661] High CVE-2017-5095: Out-of-bounds write in PDFium. Reported by Anonymous on 2017-06-13
- Issue 732661 (Permission denied.)
[$TBD][714442] High CVE-2017-5096: User information leak via Android intents. Reported by Takeshi Terada on 2017-04-23
- Issue 714442: Security: Navigation from http: to file: etc. is possible (Android) (websec02...@gmail.com)
[$TBD][740789] High CVE-2017-5097: Out-of-bounds read in Skia. Reported by Anonymous on 2017-07-11
- Issue 740789 (Permission denied.)
[$TBD][740803] High CVE-2017-5098: Use after free in V8. Reported by Jihoon Kim on 2017-07-11
- Issue 740803: Security: Use After Free in v8 (june901...@gmail.com)
[$N/A][733548] High CVE-2017-5099: Out-of-bounds write in PPAPI. Reported by Yuan Deng, Yu Zhou of Ant-financial Light-Year Security Lab (蚂蚁金服巴斯光年安全实验室) on 2017-06-15
- Issue 733548: Chrome broker PP_Instance overwrite in IPC handler OnMsgDidCreateInProcessInstance (scdengy...@gmail.com)
[$2000][718292] Medium CVE-2017-5100: Use after free in Chrome Apps. Reported by Anonymous on 2017-05-04
- Issue 718292 (Permission denied.)
[$1000][681740] Medium CVE-2017-5101: URL spoofing in OmniBox. Reported by Luan Herrera on 2017-01-17
- Issue 681740: Security: URL Spoofing (with HTTPS lock) by focusing the omnibox while changing the location hash and calling a modal dialog (luan.her...@hotmail.com)
[$1000][727678] Medium CVE-2017-5102: Uninitialized use in Skia. Reported by Anonymous on 2017-05-30
- Issue 727678 (Permission denied.)
[$500][726199] Medium CVE-2017-5103: Uninitialized use in Skia. Reported by Anonymous on 2017-05-25
- Issue 726199 (Permission denied.)
[$500][729105] Medium CVE-2017-5104: UI spoofing in browser. Reported by Khalil Zhani on 2017-06-02
- Issue 729105: Security: Mac-only URL bar spoofing via HTTPS error interstitial? (chromium...@gmail.com)
[$1000][729979] Low CVE-2017-5105: URL spoofing in OmniBox. Reported by Rayyan Bijoora on 2017-06-06
- Issue 729979: Near homograph URL Spoofing with Arabic (rayyan...@gmail.com)
[$TBD][714628] Medium CVE-2017-5106: URL spoofing in OmniBox. Reported by Jack Zac on 2017-04-24
- Issue 714628: Security: Additional whole-script confusable domain label spoofing (Cyrillic) (jackwill...@gmail.com)
[$N/A][686253] Low CVE-2017-5107: User information leak via SVG. Reported by David Kohlbrenner of UC San Diego on 2017-01-27
- Issue 686253: Security: Cross-origin pixel reading and history sniffing via SVG filter timing attack (dkohl...@eng.ucsd.edu)
[$N/A][695830] Low CVE-2017-5108: Type confusion in PDFium. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2017-02-24
- Issue 695830: Security: release assert trigger in pdfium (higonggu...@gmail.com)
[$N/A][710400] Low CVE-2017-5109: UI spoofing in browser. Reported by José María Acuña Morgado on 2017-04-11
- Issue 710400: Permission Prompt not correctly dismissed on top window navigation (jm.acun...@gmail.com)
[$N/A][717476] Low CVE-2017-5110: UI spoofing in payments dialog. Reported by xisigr of Tencent's Xuanwu Lab on 2017-05-02
- Issue 717476: Security: Chrome PaymentRequestAPI Payment-Origin Spoof (xis...@gmail.com)
[748565] internal.
- Issue 735707 (Permission denied.)
- Issue 741750: [wasm] Signature confusion in function table import/export/init (clemensh@chromium.org)
- Issue 740710: Security: service_manager{client_process} Capability Not Properly Enforced (tjbecker@google.com)
- Issue 734348: Heap-use-after-free in blink::LayoutQuote::DetachQuote (ClusterFuzz)
- Issue 726989: Heap-use-after-free in ??$insert@U?$HashMapTranslator@U?$HashMapValueTraits@U?$HashTraits@U?$pair@EPAVS (ClusterFuzz)
- Issue 726067: Compromised renderer can upload arbitrary files (lukasza@chromium.org)
- Issue 716936: Use-after-poison in v8::internal::wasm::ThreadImpl::Push (ClusterFuzz)
- Issue 716510: Use-after-poison in void blink::FrameView::forAllNonThrottledFrameViews<blink::FrameView::updateLife (ClusterFuzz)
- Issue 738952: Null-dereference READ in MemoryRead<unsigned (ClusterFuzz)
- Issue 731351: Crash in v8::internal::Invoke (ClusterFuzz)
- Issue 727090: Crash in v8::internal::Stats_Runtime_AllocateInNewSpace (ClusterFuzz)
- Issue 724829: <no crash state available> (ClusterFuzz)
- Issue 716265 (Permission denied.)
- Issue 713545: Use-of-uninitialized-value in blink::Notification::PrepareShow (ClusterFuzz)
- Issue 706207: Use-of-uninitialized-value in blink::Notification::prepareShow (ClusterFuzz)
- Issue 703750: Near-homoglyph whole-script IDN spoofing (palmer@chromium.org)
- Issue 702041: Crash in bilinear_interpol (ClusterFuzz)
- Issue 670296: Heap-buffer-overflow in v8::internal::Simulator::DecodeType3 (ClusterFuzz)
- Issue 726080: NTLM implementation can have security downgraded by bad server (zentaro@google.com)

59.0.3071.115 (Monday, June 26, 2017) 0/0 bugs

59.0.3071.109 (Tuesday, June 20, 2017) 0/0 bugs

59.0.3071.104 (Thursday, June 15, 2017) 4/5 bugs

[$10,500][725032] High CVE-2017-5087: Sandbox Escape in IndexedDB. Reported by Ned Williamson on 2017-05-22
- Issue 725032: Security: Use-after-free in IndexedDB Transactions (nedwilli...@gmail.com)
[$4,000][729991] High CVE-2017-5088: Out of bounds read in V8. Reported by Xiling Gong of Tencent Security Platform Department on 2017-06-06
- Issue 729991: Security: Information Disclosure Issue in v8::wasm (xilinggg...@gmail.com)
[$2,000][714196] Medium CVE-2017-5089: Domain spoofing in Omnibox. Reported by Michał Bentkowski on 2017-04-21
- Issue 714196: Security: Domain spoofing thanks to U+0F8C rendered as 'space' on Mac (mic...@bentkowski.info)
[732498] internal.
- Issue 726636: Crash in v8::internal::Simulator::DecodeType2 (ClusterFuzz)

59.0.3071.86 (Monday, June 5, 2017) 28/30 bugs

[$7500][722756] High CVE-2017-5070: Type confusion in V8. Reported by Zhao Qixun(@S0rryMybad) of Qihoo 360 Vulcan Team on 2017-05-16
- Issue 722756: Type Confusion In Chrome Lead to RCE (soulchen...@gmail.com)
[$3000][715582] High CVE-2017-5071: Out of bounds read in V8. Reported by Choongwoo Han on 2017-04-26
- Issue 715582: Security: Out of bound read in FindSharedFunctionInfo (V8) (cwhan.t...@gmail.com)
[$3000][709417] High CVE-2017-5072: Address spoofing in Omnibox. Reported by Rayyan Bijoora on 2017-04-07
- Issue 709417: Security: RTL character in URL flips domain and path (Android 4.2 and earlier) (rayyan...@gmail.com)
[$2000][716474] High CVE-2017-5073: Use after free in print preview. Reported by Khalil Zhani on 2017-04-28
- Issue 716474: Security: Use-after-poison in blink::FrameView::AdjustMediaTypeForPrinting (chromium...@gmail.com)
[$1000][700040] High CVE-2017-5074: Use after free in Apps Bluetooth. Reported by anonymous on 2017-03-09
- Issue 700040 (Permission denied.)
[$2000][678776] Medium CVE-2017-5075: Information leak in CSP reporting. Reported by Emmanuel Gil Peyrot on 2017-01-05
- Issue 678776: Security: Content-Security-Policy reporting leaks the URL fragment (collab...@linkmauve.fr)
[$1000][722639] Medium CVE-2017-5086: Address spoofing in Omnibox. Reported by Rayyan Bijoora on 2017-05-16
- Issue 722639: IDN URL Spoofing with TIFINAGH LETTER YAN (rayyan...@gmail.com)
[$1000][719199] Medium CVE-2017-5076: Address spoofing in Omnibox. Reported by Samuel Erb on 2017-05-06
- Issue 719199: Security: disallow "Canadian Syllabics" unicode block from IDN domains (samr...@erbbysam.com)
[$1000][716311] Medium CVE-2017-5077: Heap buffer overflow in Skia. Reported by Sweetchip on 2017-04-28
- Issue 716311: Heap-buffer-overflow in SkSpecularLightingImageFilter::onFilterImage (sweetv...@gmail.com)
[$1000][711020] Medium CVE-2017-5078: Possible command injection in mailto handling. Reported by Jose Carlos Exposito Bueno on 2017-04-12
- Issue 711020: Security: DoCanonicalizeMailtoURL() fails to canonicalize characters leading to command injection (jose.car...@gmail.com)
[$500][713686] Medium CVE-2017-5079: UI spoofing in Blink. Reported by Khalil Zhani on 2017-04-20
- Issue 713686: Security: Field validation bubbles can appear over the wrong tab (chromium...@gmail.com)
[$500][708819] Medium CVE-2017-5080: Use after free in credit card autofill. Reported by Khalil Zhani on 2017-04-05
- Issue 708819: Security: Heap-use-after-free in autofill::SaveCardBubbleViews::WindowClosing (chromium...@gmail.com)
[$N/A][672008] Medium CVE-2017-5081: Extension verification bypass. Reported by Andrey Kovalev (@L1kvID) Yandex Security Team on 2016-12-07
- Issue 672008: Security: Extension's verification bypass (andrey.k...@gmail.com)
[$N/A][721579] Low CVE-2017-5082: Insufficient hardening in credit card editor. Reported by Nightwatch Cybersecurity Research on 2017-05-11
- Issue 721579: Security: FLAG_SECURE not used on Android for credit cards pre-fills (ya...@nightwatchcybersecurity.com)
[$N/A][714849] Low CVE-2017-5083: UI spoofing in Blink. Reported by Khalil Zhani on 2017-04-24
- Issue 714849: Security: Field validation bubbles can appear over the wrong tab with using print() (chromium...@gmail.com)
[$N/A][692378] Low CVE-2017-5085: Inappropriate javascript execution on WebUI pages. Reported by Zhiyang Zeng of Tencent security platform department on 2017-02-15
- Issue 692378: CSP bypass in domain "chrome://" via.bookmark? (zyzengst...@gmail.com)
[729639] internal.

58.0.3029.110 (Tuesday, May 9, 2017) 0/0 bugs

58.0.3029.96 (Tuesday, May 2, 2017) 1/1 bugs

[$500][679306] High CVE-2017-5068: Race condition in WebRTC. Reported by Philipp Hancke on None
- Issue 679306: WebRTC crash (?) on appear.in (philipp....@googlemail.com)

58.0.3029.81 (Wednesday, April 19, 2017) 25/29 bugs

[$3000][695826] High CVE-2017-5057: Type confusion in PDFium. Reported by Guang Gong of Alpha Team, Qihoo 360 on None
- Issue 695826: Security: type confusion in JSPropGetter of pdfium (higonggu...@gmail.com)
[$2000][694382] High CVE-2017-5058: Heap use after free in Print Preview. Reported by Khalil Zhani on None
- Issue 694382: Security: Heap-use-after-free in PrintPreviewHandler::HandleGetPreview (chromium...@gmail.com)
[$N/A][684684] High CVE-2017-5059: Type confusion in Blink. Reported by SkyLined working with Trend Micro's Zero Day Initiative on None
- Issue 684684: Email Subject: ZDI-CAN-4429: New Vulnerability Report (zdi-disc...@hp.com)
[$2000][683314] Medium CVE-2017-5060: URL spoofing in Omnibox. Reported by Xudong Zheng on None
- Issue 683314: Security: Whole-script confusable domain label spoofing (Cyrillic) (wrepr...@slicealias.com)
[$2000][672847] Medium CVE-2017-5061: URL spoofing in Omnibox. Reported by Haosheng Wang (@gnehsoah) on None
- Issue 672847: Security: Address spoofing when switching away from tab and back (gnehs...@gmail.com)
[$1500][702896] Medium CVE-2017-5062: Use after free in Chrome Apps. Reported by anonymous on None
- Issue 702896 (Permission denied.)
[$1000][700836] Medium CVE-2017-5063: Heap overflow in Skia. Reported by Sweetchip on None
- Issue 700836: Security: SEGV on unknown address 0x7f9b9b71c828 in (anonymous namespace)::PixelAccessor (sweetv...@gmail.com)
[$1000][693974] Medium CVE-2017-5064: Use after free in Blink. Reported by Wadih Matar on None
- Issue 693974: Corrupted memory use in blink::visualRectForDisplayItem (wadih.ma...@gmail.com)
[$500][704560] Medium CVE-2017-5065: Incorrect UI in Blink. Reported by Khalil Zhani on None
- Issue 704560: Security: Form field validation bubbles can appear over the wrong tab (chromium...@gmail.com)
[$500][690821] Medium CVE-2017-5066: Incorrect signature handing in Networking. Reported by Prof. Zhenhua Duan, Prof. Cong Tian, and Ph.D candidate Chu Chen (ICTT, Xidian University) on None
- Issue 690821: Security: Chrome accepts a certificate whose signature algorithms identifiers are different without any warning (chen...@stu.xidian.edu.cn)
[$500][648117] Medium CVE-2017-5067: URL spoofing in Omnibox. Reported by Khalil Zhani on None
- Issue 648117: Security: Address bar spoof with location.replace() (chromium...@gmail.com)
[$N/A][691726] Low CVE-2017-5069: Cross-origin bypass in Blink. Reported by Michael Reizelman on None
- Issue 691726: Security: Bypassing CORS restrictions using X-XSS-PROTECTION report value (michael....@gmail.com)
[713205] internal.

57.0.2987.133 (Wednesday, March 29, 2017) 5/5 bugs

[$9337][698622] Critical CVE-2017-5055: Use after free in printing. Reported by Wadih Matar on None
- Issue 698622: UaF outside the sandbox (Print in onunload) (wadih.ma...@gmail.com)
[$3000][699166] High CVE-2017-5054: Heap buffer overflow in V8. Reported by Nicolas Trippar of Zimperium zLabs on None
- Issue 699166: Security: heap-buffer-overflow hashtable. (ntrip...@gmail.com)
[$1000][662767] High CVE-2017-5052: Bad cast in Blink. Reported by JeongHoon Shin on None
- Issue 662767: Security: LayoutBlock Security DCHECK FAILED (sjh...@gmail.com)
[$N/A][705445] High CVE-2017-5056: Use after free in Blink. Reported by anonymous on None
- Issue 705445 (Permission denied.)
[$N/A][702058] High CVE-2017-5053: Out of bounds memory access in V8. Reported by Team Sniper (Keen Lab and PC Mgr) reported through ZDI (ZDI-CAN-4587) on None
- Issue 702058: Security: ZDI-CAN-4587 - chrome OOB read (pwn2own 2017) (wfh@chromium.org)

57.0.2987.110 (Thursday, March 16, 2017) 0/0 bugs

57.0.2987.98 (Thursday, March 9, 2017) 17/36 bugs

[$7500][682194] High CVE-2017-5030: Memory corruption in V8. Reported by Brendon Tiszka on None
- Issue 682194: Security: Out-of-bounds read in V8 Array.concat (btis...@gmail.com)
[$5000][682020] High CVE-2017-5031: Use after free in ANGLE. Reported by Looben Yang on None
- Issue 682020: Security: WebGL - Use After Free in Buffer11::updateBufferStorage() (loobeny...@gmail.com)
[$3000][668724] High CVE-2017-5032: Out of bounds write in PDFium. Reported by Ashfaq Ansari - Project Srishti on None
- Issue 668724: Security: Out of Bound Write/Invalid Pointer Write while parsing PDF (mohammad...@gmail.com)
[$3000][676623] High CVE-2017-5029: Integer overflow in libxslt. Reported by Holger Fuhrmannek on None
- Issue 676623: Security: libxslt generation of text nodes integer overflow (hofu...@gmail.com)
[$3000][678461] High CVE-2017-5034: Use after free in PDFium. Reported by Ke Liu of Tencent's Xuanwu LAB on None
- Issue 678461: Security: PDFium OpenJPEG Use-After-Free Vulnerability (stackexp...@gmail.com)
[$3000][688425] High CVE-2017-5035: Incorrect security UI in Omnibox. Reported by Enzo Aguado on None
- Issue 688425: Security: www.google.fr marked as "secure" with a Microsoft SSL certificate (erasmus...@gmail.com)
[$3000][691371] High CVE-2017-5036: Use after free in PDFium. Reported by Anonymous on None
- Issue 691371 (Permission denied.)
[$500][679649] High CVE-2017-5039: Use after free in PDFium. Reported by jinmo123 on None
- Issue 679649: Security: potential UAF in pdfium timer (jinmot...@gmail.com)
[$2000][691323] Medium CVE-2017-5040: Information disclosure in V8. Reported by Choongwoo Han on None
- Issue 691323: Security: Information Leak in Array indexOf (cwhan.t...@gmail.com)
[$1000][642490] Medium CVE-2017-5041: Address spoofing in Omnibox. Reported by Jordi Chancel on None
- Issue 642490: Location Bar URL and SSL Spoofing Risk using "Confirm Form Resubmission" box and a targeted website which allow a redirect (jconsult...@gmail.com)
[$1000][669086] Medium CVE-2017-5033: Bypass of Content Security Policy in Blink. Reported by Nicolai Grødum on None
- Issue 669086: Security: Circumvent CSP Header restrictions via about:blank (gro...@gmail.com)
[$1000][671932] Medium CVE-2017-5042: Incorrect handling of cookies in Cast. Reported by Mike Ruddy on None
- Issue 671932: Security: non-interactive request forcing (m...@michaelruddy.com)
[$1000][695476] Medium CVE-2017-5038: Use after free in GuestView. Reported by Anonymous on None
- Issue 695476 (Permission denied.)
[$1000][683523] Medium CVE-2017-5043: Use after free in GuestView. Reported by Anonymous on None
- Issue 683523 (Permission denied.)
[$1000][688987] Medium CVE-2017-5044: Heap overflow in Skia. Reported by Kushal Arvind Shah of Fortinet's FortiGuard Labs on None
- Issue 688987: Security: Heap Buffer OverFlow Vulnerability in Skia (kushal89...@gmail.com)
[$500][667079] Medium CVE-2017-5045: Information disclosure in XSS Auditor. Reported by Dhaval Kapil (vampire) on None
- Issue 667079: Security: Information Leak through XSS Auditor (dhavalka...@gmail.com)
[$500][680409] Medium CVE-2017-5046: Information disclosure in Blink. Reported by Masato Kinugawa on None
- Issue 680409: Security: Spoofing location object by overriding Symbol.toPrimitive (masatoki...@gmail.com)
[699618] internal.

56.0.2924.87 (Wednesday, February 1, 2017) 0/0 bugs

56.0.2924.76 (Wednesday, January 25, 2017) 45/51 bugs

[$8837][671102] High CVE-2017-5007: Universal XSS in Blink. Reported by Mariusz Mlynski on None
- Issue 671102: Security: Universal XSS through bypassing ScopedPageSuspender with closing windows (marius.mlynski@gmail.com)
[$8000][673170] High CVE-2017-5006: Universal XSS in Blink. Reported by Mariusz Mlynski on None
- Issue 673170: Security: Universal XSS using late widget updates (marius.mlynski@gmail.com)
[$8000][668552] High CVE-2017-5008: Universal XSS in Blink. Reported by Mariusz Mlynski on None
- Issue 668552: Security: Universal XSS by polluting private scripts with named properties (marius.mlynski@gmail.com)
[$7500][663476] High CVE-2017-5010: Universal XSS in Blink. Reported by Mariusz Mlynski on None
- Issue 663476: Security: Universal XSS through removing link elements (marius.mlynski@gmail.com)
[$3000][662859] High CVE-2017-5011: Unauthorised file access in Devtools. Reported by Khalil Zhani on None
- Issue 662859: Security: chrome-devtools protocol allows to read the content of C:\ drive (chromium...@gmail.com)
[$3000][667504] High CVE-2017-5009: Out of bounds memory access in WebRTC. Reported by Sean Stanek and Chip Bradford on None
- Issue 667504: WebRTC UsingFlexibleMode OOB memory write from picture id (i...@vulture.fm)
[$5500][681843] High CVE-2017-5012: Heap overflow in V8. Reported by Gergely Nagy (Tresorit) on None
- Issue 681843: Security: Heap buffer overflow in V8 ValueDeserializer::ReadJSArrayBuffer() (n...@tresorit.com)
[$2000][677716] Medium CVE-2017-5013: Address spoofing in Omnibox. Reported by Haosheng Wang (@gnehsoah) on None
- Issue 677716: Security: Address spoofing in Omnibox with HTTPS lock (gnehs...@gmail.com)
[$2000][675332] Medium CVE-2017-5014: Heap overflow in Skia. Reported by sweetchip on None
- Issue 675332: Security: heap-buffer-overflow in SkAlphaThresholdFilterImpl::onFilterImage (sweetv...@gmail.com)
[$2000][673971] Medium CVE-2017-5015: Address spoofing in Omnibox. Reported by Armin Razmdjou on None
- Issue 673971: Security: Unicode hyphens in domain names are not blacklisted (ar...@rawsec.net)
[$2000][666714] Medium CVE-2017-5019: Use after free in Renderer. Reported by Wadih Matar on None
- Issue 666714: Onbeforeunload use after free (wadih.ma...@gmail.com)
[$1000][673163] Medium CVE-2017-5016: UI spoofing in Blink. Reported by Haosheng Wang (@gnehsoah) on None
- Issue 673163: Security: Form validation bubbles allow spoofing on other tabs (gnehs...@gmail.com)
[$500][676975] Medium CVE-2017-5017: Uninitialised memory access in webm video. Reported by Dan Berman on None
- Issue 676975: Security: Chrome webm rendering on OS X includes image artifacts from video memory (danb...@gmail.com)
[$500][668665] Medium CVE-2017-5018: Universal XSS in chrome://apps. Reported by Rob Wu on None
- Issue 668665: Security: XSS in chrome://apps (NTP) after drag and drop (rob@robwu.nl)
[$TBD][668653] Medium CVE-2017-5020: Universal XSS in chrome://downloads. Reported by Rob Wu on None
- Issue 668653: Security: XSS in chrome://downloads, enables extensions to run any program (rob@robwu.nl)
[$N/A][663726] Low CVE-2017-5021: Use after free in Extensions. Reported by Rob Wu on None
- Issue 663726: Use-after-free in ChromeExtensionsBrowserClient::GetOriginalContext upon opening menu after switching from incognito mode (rob@robwu.nl)
[$N/A][663620] Low CVE-2017-5022: Bypass of Content Security Policy in Blink. Reported by evi1m0#ly.com on None
- Issue 663620: Bypass unsafe-inline mode CSP (masa....@gmail.com)
[$N/A][651443] Low CVE-2017-5023: Type confusion in metrics. Reported by the UK's National Cyber Security Centre (NCSC) on None
- Issue 651443: Security: Histogram Type Confusion Crashes the Browser Process (secur...@cesg.gsi.gov.uk)
[$N/A][643951] Low CVE-2017-5024: Heap overflow in FFmpeg. Reported by Paul Mehta on None
- Issue 643951: Security: FFMPEG MP4 Decoder chrome_child!mov_read_uuid heap allocation wrap (p...@paulmehta.com)
[$N/A][643950] Low CVE-2017-5025: Heap overflow in FFmpeg. Reported by Paul Mehta on None
- Issue 643950: Security: FFMPEG MP4 Decoder chrome_child!mov_read_hdlr heap allocation wrap (p...@paulmehta.com)
[$500][634108] Low CVE-2017-5026: UI spoofing. Reported by Ronni Skansing on None
- Issue 634108: Security: Hijack navigation and spoofed alert dialog via. unbeforeload (rskans...@gmail.com)
[$N/A][661126] Low CVE-2017-5027: Bypass of Content Security Policy in Blink. Reported by 李普君 of 无声信息技术PKAV Team on None
- Issue 661126: meta bug: Bypass unsafe-inline mode CSP (masa....@gmail.com)
[685349] internal.
- Issue 674203: Security: Merge general javascript: UXSS fix to beta / stable (dcheng@chromium.org)
- Issue 669624 (Permission denied.)
- Issue 668970: Security: Debugger API exposes UA shadow trees, and can cause bad-casts (tkent@chromium.org)
- Issue 663612 (Permission denied.)
- Issue 658555: Heap-use-after-free in pp::MacroExpander::pushMacro (ClusterFuzz)
- Issue 656817: Use-after-poison in virtual thunk to blink::Document::isHeapObjectAlive (ClusterFuzz)
- Issue 627809 (Permission denied.)
- Issue 681350: Crash in base::PersistentMemoryAllocator::AllocateImpl (ClusterFuzz)
- Issue 680941: CrOS: Vulnerability reported in sys-kernel/chromeos-kernel-3_18 (vomit.go...@appspot.gserviceaccount.com)
- Issue 678551: Use-of-uninitialized-value in chromium_jpeg_make_d_derived_tbl (ClusterFuzz)
- Issue 677960: Heap-double-free in g_error_free (ClusterFuzz)
- Issue 677800: Multiple Linux Kernel CVE vulnerability reports (mnissler@chromium.org)
- Issue 675444: Heap-buffer-overflow in S32_opaque_D32_filter_DX_SSSE3 (ClusterFuzz)
- Issue 675120 (Permission denied.)
- Issue 674472: CrOS: Vulnerability reported in app-arch/tar (vomit.go...@appspot.gserviceaccount.com)
- Issue 673297: [wasm] Illegal reuse of contexts (clemensh@chromium.org)
- Issue 671328: Security DCHECK failed: offset + length <= impl.length() in StringView.h (ClusterFuzz)
- Issue 670155 (Permission denied.)
- Issue 667063 (Permission denied.)
- Issue 598812: Security: Flash file creation omits Mark-of-the-Web, bypassing SmartScreen/AES (elawrence@chromium.org)
- Issue 679915: WebTaskRunner::postTask is thread unsafe (dcheng@chromium.org)
- Issue 644632: Component cloud policy signature validation missing (mnissler@chromium.org)
- Issue 641841: Stack-buffer-overflow in Hunspell::suggest (ClusterFuzz)

55.0.2883.87 (Friday, December 9, 2016) 0/0 bugs

55.0.2883.75 (Thursday, December 1, 2016) 26/36 bugs

[$N/A][664411] High CVE-2016-9651: Private property access in V8. Reported by Guang Gong of Alpha Team Of Qihoo 360 reported through Pwnfest on None
- Issue 664411: Pwnfest 2016: Chrome V8 Private Property Re-assign issue (bug in fast-path of Object.assign) (rickyz@chromium.org)
[$7500][658535] High CVE-2016-5208: Universal XSS in Blink. Reported by Mariusz Mlynski on None
- Issue 658535: Security: Universal XSS using an <input type="color"> element (marius.mlynski@gmail.com)
[$7500][655904] High CVE-2016-5207: Universal XSS in Blink. Reported by Mariusz Mlynski on None
- Issue 655904: Security: Universal XSS via fullscreen element updates (marius.mlynski@gmail.com)
[$7500][653749] High CVE-2016-5206: Same-origin bypass in PDFium. Reported by Rob Wu (robwu.nl) on None
- Issue 653749: Security: Bypass of same-origin policy via range requests in PDF plugin (rob@robwu.nl)
[$7500][646610] High CVE-2016-5205: Universal XSS in Blink. Reported by Anonymous on None
- Issue 646610: Security: Universal XSS using OOPIF (serg.gla...@gmail.com)
[$7500][630870] High CVE-2016-5204: Universal XSS in Blink. Reported by Mariusz Mlynski on None
- Issue 630870: Security: Universal XSS by intercepting a UA shadow tree (marius.mlynski@gmail.com)
[$5000][664139] High CVE-2016-5209: Out of bounds write in Blink. Reported by Giwan Go of STEALIEN on None
- Issue 664139: Security: Bad-Casting in ArrayBuffer resulting in Out-Of-Bounds write vulnerability (gogil@stealien.com)
[$3000][644219] High CVE-2016-5203: Use after free in PDFium. Reported by Anonymous on None
- Issue 644219 (Permission denied.)
[$3500][654183] High CVE-2016-5210: Out of bounds write in PDFium. Reported by Ke Liu of Tencent's Xuanwu LAB on None
- Issue 654183: Security: PDFium (XFA) Heap Buffer Overflow in CWeightTable::Calc (stackexp...@gmail.com)
[$3000][653134] High CVE-2016-5212: Local file disclosure in DevTools. Reported by Khalil Zhani on None
- Issue 653134: Security: chrome-devtools protocol allows to read the content of C:\ drive (chromium...@gmail.com)
[$3000][649229] High CVE-2016-5211: Use after free in PDFium. Reported by Anonymous on None
- Issue 649229 (Permission denied.)
[$500][652548] High CVE-2016-5213: Use after free in V8. Reported by Khalil Zhani on None
- Issue 652548: Security: UNKNOWN in v8::internal::GlobalHandles::Node::Release (chromium...@gmail.com)
[$N/A][601538] Medium CVE-2016-5214: File download protection bypass. Reported by Jonathan Birch and MSVR on None
- Issue 601538: Mark of the Web bypass in Chrome (msvulnre...@gmail.com)
[$3000][653090] Medium CVE-2016-5216: Use after free in PDFium. Reported by Anonymous on None
- Issue 653090: Security: Heap-use-after-free in Field::UpdateFormField (chamal.d...@gmail.com)
[$3000][619463] Medium CVE-2016-5215: Use after free in Webaudio. Reported by Looben Yang on None
- Issue 619463 (Permission denied.)
[$2500][654280] Medium CVE-2016-5217: Use of unvalidated data in PDFium. Reported by Rob Wu (robwu.nl) on None
- Issue 654280: Security: Use of unvalidated URL in PDF viewer (rob@robwu.nl)
[$2000][660498] Medium CVE-2016-5218: Address spoofing in Omnibox. Reported by Abdulrahman Alqabandi (@qab) on None
- Issue 660498: Security: Temporary addressbar spoof with PDF navigation to sites with long response time (greencar...@hotmail.com)
[$1500][657568] Medium CVE-2016-5219: Use after free in V8. Reported by Rob Wu (robwu.nl) on None
- Issue 657568: Security: Heap-use-after-free in InspectedContext::createInjectedScript (rob@robwu.nl)
[$1000][660854] Medium CVE-2016-5221: Integer overflow in ANGLE. Reported by Tim Becker of ForAllSecure on None
- Issue 660854: Security: Incorrect validation of CopyBufferSubData in ANGLE (tjbecker...@gmail.com)
[$1000][654279] Medium CVE-2016-5220: Local file access in PDFium. Reported by Rob Wu (robwu.nl) on None
- Issue 654279: Security: PDFs can navigate to file:-URLs (rob@robwu.nl)
[$500][657720] Medium CVE-2016-5222: Address spoofing in Omnibox. Reported by xisigr of Tencent's Xuanwu Lab on None
- Issue 657720: Security:Chrome Address Bar URL Spoofing (xis...@gmail.com)
[$N/A][653034] Low CVE-2016-9650: CSP Referrer disclosure. Reported by Jakub Żoczek on None
- Issue 653034: Security: Leaking referrer using iframe (with referrer policy turned on) (zoc...@gmail.com)
[$N/A][652038] Low CVE-2016-5223: Integer overflow in PDFium. Reported by Hwiwon Lee on None
- Issue 652038: Security: PDFium Signed Integer Overflow Bug (develac...@gmail.com)
[$N/A][639750] Low CVE-2016-5226: Limited XSS in Blink. Reported by Jun Kokatsu (@shhnjk) on None
- Issue 639750: XSS using Dropjacking (s.h.h.n....@gmail.com)
[$N/A][630332] Low CVE-2016-5225: CSP bypass in Blink. Reported by Scott Helme (@Scott_Helme, scotthelme.co.uk) on None
- Issue 630332: CSP form-action seems to be ignored if target="_blank" (scott.he...@gmail.com)
[$N/A][615851] Low CVE-2016-5224: Same-origin bypass in SVG. Reported by Roeland Krak on None
- Issue 615851: Security: Timing attack on denormalized floating point arithmetic in SVG filters circumvents same-origin policy (roelandk...@gmail.com)

54.0.2840.99 (Wednesday, November 9, 2016) 3/4 bugs

[$5500][643948] High CVE-2016-5199: Heap corruption in FFmpeg. Reported by Paul Mehta on None
- Issue 643948: Security: chrome_child!mov_read_keys - Heap corruption as a result of an off-by-1 zero allocation (p...@paulmehta.com)
[$5000][658114] High CVE-2016-5200: Out of bounds memory access in V8. Reported by Choongwoo Han on None
- Issue 658114: Security: V8 OOB read/write in asm.js (cwhan.t...@gmail.com)
[$1000][660678] Medium CVE-2016-5201: Info leak in extensions. Reported by Jann Horn on None
- Issue 660678: expose() leaks privateClass via Object[@@hasInstance] (jannhorn@googlemail.com)

54.0.2840.87 (Tuesday, November 1, 2016) 1/0 bugs

[$NA][659475] High CVE-2016-5198: Out of bounds memory access in V8. Reported by Tencent Keen Security Lab, working with Trend Micro's Zero Day Initiative on None
- Issue 659475: Pwn2Own: V8 OOB Bug. (infe...@chromium.org)

Files

crbug.md

Latest commit

History

crbug.md

File metadata and controls

None (Thursday, June 24, 2021) 0/0 bugs

None (Thursday, June 17, 2021) 4/4 bugs

None (Monday, June 14, 2021) 0/0 bugs

None (Wednesday, June 9, 2021) 14/14 bugs

91.0.4472.77 (Tuesday, May 25, 2021) 32/34 bugs

None (Monday, May 10, 2021) 20/19 bugs

None (Monday, April 26, 2021) 10/9 bugs

None (Tuesday, April 20, 2021) 7/7 bugs

90.0.4430.72 (Wednesday, April 14, 2021) 37/37 bugs

None (Tuesday, April 13, 2021) 2/2 bugs

None (Tuesday, March 30, 2021) 5/8 bugs

None (Friday, March 12, 2021) 5/5 bugs

None (Friday, March 5, 2021) 0/0 bugs

89.0.4389.72 (Tuesday, March 2, 2021) 46/47 bugs

None (Monday, February 22, 2021) 0/0 bugs

None (Tuesday, February 16, 2021) 10/10 bugs

None (Thursday, February 4, 2021) 1/1 bugs

None (Tuesday, February 2, 2021) 8/6 bugs

None (Tuesday, January 19, 2021) 36/36 bugs

None (Wednesday, January 6, 2021) 16/16 bugs

None (Wednesday, December 2, 2020) 8/8 bugs

None (Tuesday, November 17, 2020) 33/33 bugs

86.0.4240.198 (Wednesday, November 11, 2020) 2/2 bugs

86.0.4240.193 (Monday, November 9, 2020) 1/1 bugs

86.0.4240.183 (Monday, November 2, 2020) 9/10 bugs

86.0.4240.111 (Tuesday, October 20, 2020) 5/0 bugs

None (Monday, October 12, 2020) 0/0 bugs

86.0.4240.75 (Tuesday, October 6, 2020) 38/35 bugs

85.0.4183.121 (Monday, September 21, 2020) 10/10 bugs

85.0.4183.102 (Tuesday, September 8, 2020) 5/5 bugs

85.0.4183.83 (Tuesday, August 25, 2020) 20/20 bugs

84.0.4147.135 (Tuesday, August 18, 2020) 1/1 bugs

84.0.4147.125 (Monday, August 10, 2020) 15/15 bugs

84.0.4147.105 (Monday, July 27, 2020) 8/8 bugs

None (Tuesday, July 14, 2020) 39/38 bugs

83.0.4103.116 (Monday, June 22, 2020) 1/2 bugs

83.0.4103.106 (Monday, June 15, 2020) 3/4 bugs

83.0.4103.97 (Wednesday, June 3, 2020) 6/5 bugs

83.0.4103.61 (Tuesday, May 19, 2020) 43/38 bugs

81.0.4044.138 (Tuesday, May 5, 2020) 4/3 bugs

81.0.4044.129 (Monday, April 27, 2020) 2/2 bugs

81.0.4044.122 (Tuesday, April 21, 2020) 10/9 bugs

81.0.4044.113 (Wednesday, April 15, 2020) 1/1 bugs

81.0.4044.92 (Tuesday, April 7, 2020) 33/32 bugs

80.0.3987.163 (Thursday, April 2, 2020) 0/0 bugs

80.0.3987.162 (Tuesday, March 31, 2020) 8/8 bugs

80.0.3987.149 (Wednesday, March 18, 2020) 12/13 bugs

80.0.3987.132 (Tuesday, March 3, 2020) 4/4 bugs

80.0.3987.122 (Monday, February 24, 2020) 2/3 bugs

80.0.3987.116 (Tuesday, February 18, 2020) 6/5 bugs

80.0.3987.106 (Thursday, February 13, 2020) 3/3 bugs

80.0.3987.100 (Tuesday, February 11, 2020) 0/0 bugs

80.0.3987.87 (Tuesday, February 4, 2020) 64/56 bugs

79.0.3945.130 (Thursday, January 16, 2020) 11/11 bugs

79.0.3945.117 (Tuesday, January 7, 2020) 3/3 bugs

79.0.3945.88 (Tuesday, December 17, 2019) 1/1 bugs

79.0.3945.79 (Tuesday, December 10, 2019) 60/51 bugs

78.0.3904.108 (Monday, November 18, 2019) 5/5 bugs

78.0.3904.97 (Wednesday, November 6, 2019) 4/4 bugs

78.0.3904.87 (Thursday, October 31, 2019) 2/2 bugs

78.0.3904.70 (Tuesday, October 22, 2019) 40/37 bugs

None (Thursday, October 10, 2019) 3/8 bugs

None (Wednesday, September 18, 2019) 4/4 bugs

77.0.3865.75 (Tuesday, September 10, 2019) 54/54 bugs

76.0.3809.132 (Monday, August 26, 2019) 3/3 bugs

76.0.3809.100 (Tuesday, August 6, 2019) 4/4 bugs

76.0.3809.87 (Tuesday, July 30, 2019) 41/43 bugs

75.0.3770.142 (Monday, July 15, 2019) 3/3 bugs

75.0.3770.100 (Tuesday, June 18, 2019) 0/0 bugs

75.0.3770.90 (Thursday, June 13, 2019) 1/1 bugs

75.0.3770.80 (Tuesday, June 4, 2019) 45/47 bugs

74.0.3729.169 (Tuesday, May 21, 2019) 0/0 bugs

74.0.3729.157 (Tuesday, May 14, 2019) 1/0 bugs

74.0.3729.131 (Tuesday, April 30, 2019) 1/2 bugs