[ { "id": "469143679", "title": "JSON.parse(): Out-of-bounds access on DescriptorArray", "url": "https://issues.chromium.org/issues/469143679", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Runtime", "bounty_amount": 4000.0, "created_date": "2025-12-16T09:20:32+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/469143679", "has_markdown": true }, { "id": "468027781", "title": "Path traversal using \\.. causes sourceMappingURL to still load UNC paths on Windows", "url": "https://issues.chromium.org/issues/468027781", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools>Sources", "bounty_amount": 2000.0, "created_date": "2025-12-12T10:25:16+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/468027781", "has_markdown": true }, { "id": "467448811", "title": "Mini bar not rendered when omnibox is hidden (similar to issue 461532432)", "url": "https://issues.chromium.org/issues/467448811", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Mobile>Toolbar", "bounty_amount": 2000.0, "created_date": "2025-12-10T14:41:17+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/467448811", "has_markdown": true }, { "id": "467442136", "title": "when the filename contains a very long with special character can break/remove the extension of file in download buble", "url": "https://issues.chromium.org/issues/467442136", "status": "Fixed", "severity": "S3-Low", "component": "UI>Browser>Downloads", "bounty_amount": 500.0, "created_date": "2025-12-10T07:52:02+00:00", "year": 2025, "attachment_count": 5, "local_path": "issues/467442136", "has_markdown": true }, { "id": "467474391", "title": "Use-after-poison in base::MemoryConsumer::UpdateMemoryLimit", "url": "https://issues.chromium.org/issues/467474391", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>MemoryCoordinator", "bounty_amount": 9000.0, "created_date": "2025-12-10T05:19:53+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/467474391", "has_markdown": true }, { "id": "467297219", "title": "Use-After-Poison in RouteMap::UpdateActiveRoutes", "url": "https://issues.chromium.org/issues/467297219", "status": "Accepted", "severity": "S3-Low", "component": "Blink>CSS", "bounty_amount": 8000.0, "created_date": "2025-12-09T13:48:25+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/467297219", "has_markdown": true }, { "id": "467247247", "title": "Maglev's handling of target and new.target is incorrect", "url": "https://issues.chromium.org/issues/467247247", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Runtime", "bounty_amount": 50000.0, "created_date": "2025-12-09T11:32:56+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/467247247", "has_markdown": true }, { "id": "466786677", "title": " v8 incorrect Integer Overflow Elimination leads to potential OOB R/W", "url": "https://issues.chromium.org/issues/466786677", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript, Blink>JavaScript>Compiler>Maglev", "bounty_amount": 7000.0, "created_date": "2025-12-08T06:56:21+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/466786677", "has_markdown": true }, { "id": "464725735", "title": "[WebGLOnWebGPU] Incorrect count passed to glUniformMatrix* functions", "url": "https://issues.chromium.org/issues/464725735", "status": "Accepted", "severity": "S3-Low", "component": "Blink>WebGPU", "bounty_amount": 2000.0, "created_date": "2025-11-30T12:49:36+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/464725735", "has_markdown": true }, { "id": "464459404", "title": "V8: OOB memmove in FixedArray::MoveElements triggered via Array.shift leads to negative-size copy", "url": "https://issues.chromium.org/issues/464459404", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Runtime", "bounty_amount": 5000.0, "created_date": "2025-11-29T12:13:49+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/464459404", "has_markdown": true }, { "id": "464173573", "title": "KeyframeEffect constructor leaks UA shadow root.", "url": "https://issues.chromium.org/issues/464173573", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Animation", "bounty_amount": 2000.0, "created_date": "2025-11-28T03:11:53+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/464173573", "has_markdown": true }, { "id": "463155954", "title": "Extensions can hijack Gemini in the browser webview process to perform PE attacks by abusing DNR permissions, allowing stealing prompts, PII leakage, unrestricted access to camera-microphone and more", "url": "https://issues.chromium.org/issues/463155954", "status": "Assigned", "severity": "S3-Low", "component": "Blink>SecurityFeature>ContentSecurityPolicy", "bounty_amount": 7000.0, "created_date": "2025-11-23T21:47:50+00:00", "year": 2025, "attachment_count": 14, "local_path": "issues/463155954", "has_markdown": true }, { "id": "462217236", "title": "V8 Sandbox Bypass: AAW/PC control via dispatch entry UAF during InstantiateAsmJs by hijacking start", "url": "https://issues.chromium.org/issues/462217236", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>GarbageCollection, Blink>JavaScript>Sandbox", "bounty_amount": 20000.0, "created_date": "2025-11-20T00:23:44+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/462217236", "has_markdown": true }, { "id": "461532432", "title": "Bottom Minibar Fails to Display URL – Potential Phishing via Spoof Bar", "url": "https://issues.chromium.org/issues/461532432", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Mobile>Toolbar", "bounty_amount": 2000.0, "created_date": "2025-11-18T06:34:28+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/461532432", "has_markdown": true }, { "id": "461214000", "title": "Cross thread stack corruption caused by RTCVideoDecoderAdapter::InitializeSync ", "url": "https://issues.chromium.org/issues/461214000", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Media", "bounty_amount": 2000.0, "created_date": "2025-11-16T23:33:20+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/461214000", "has_markdown": true }, { "id": "460678755", "title": "Security: SEGV_ACCERR 000044332211 in V8", "url": "https://issues.chromium.org/issues/460678755", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Maglev", "bounty_amount": 8000.0, "created_date": "2025-11-14T11:05:50+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/460678755", "has_markdown": true }, { "id": "460599518", "title": "Security: Heap-use-after-free in LoginStateChecker::OnExecutionResponseCallback ", "url": "https://issues.chromium.org/issues/460599518", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Passwords", "bounty_amount": 2000.0, "created_date": "2025-11-14T07:22:54+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/460599518", "has_markdown": true }, { "id": "458914193", "title": "Dcheck failure in fixed-array-inl.h", "url": "https://issues.chromium.org/issues/458914193", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Runtime", "bounty_amount": 8000.0, "created_date": "2025-11-08T19:13:55+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/458914193", "has_markdown": true }, { "id": "457351015", "title": "DCHECK Fail when Maglev Generates Exception Handler Trampoline Instructions", "url": "https://issues.chromium.org/issues/457351015", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Maglev", "bounty_amount": 10000.0, "created_date": "2025-11-03T14:45:31+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/457351015", "has_markdown": true }, { "id": "456547591", "title": "Maglev - CallBuiltin (input @0 = LoadHoleyFixedDoubleArrayElement) type HoleyFloat64 is not Tagged ", "url": "https://issues.chromium.org/issues/456547591", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Maglev", "bounty_amount": 11000.0, "created_date": "2025-10-31T06:56:11+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/456547591", "has_markdown": true }, { "id": "455899538", "title": "Bypass #443948855 - Allows Arbitrary Code Execution via \"Copy as cURL (cmd)\" in DevTools", "url": "https://issues.chromium.org/issues/455899538", "status": "Accepted", "severity": "S3-Low", "component": "Platform>DevTools>Network", "bounty_amount": 1000.0, "created_date": "2025-10-29T01:47:09+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/455899538", "has_markdown": true }, { "id": "454927471", "title": "V8 Sandbox Bypass: AAW/PC control via CallKnownJSFunction reduction for builtins", "url": "https://issues.chromium.org/issues/454927471", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 22000.0, "created_date": "2025-10-25T02:05:07+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/454927471", "has_markdown": true }, { "id": "454485895", "title": "Incorrect Optimization of ArrayConstructor by Maglev Leads to Creation of Malformed JSArray Objects", "url": "https://issues.chromium.org/issues/454485895", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Maglev", "bounty_amount": 50000.0, "created_date": "2025-10-23T14:39:58+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/454485895", "has_markdown": true }, { "id": "454354281", "title": "Chrome on Android: spoofing issue caused by bottom address bar", "url": "https://issues.chromium.org/issues/454354281", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Omnibox", "bounty_amount": 3000.0, "created_date": "2025-10-23T05:48:17+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/454354281", "has_markdown": true }, { "id": "453147449", "title": "DCHECK failure in TCPReadableStreamWrapper::Pull()", "url": "https://issues.chromium.org/issues/453147449", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Network>DirectSockets", "bounty_amount": 4000.0, "created_date": "2025-10-18T19:45:46+00:00", "year": 2025, "attachment_count": 6, "local_path": "issues/453147449", "has_markdown": true }, { "id": "453094710", "title": "Out-of-bound read in the jmp table of ActiveMediaSessionController leads to sandbox escape.", "url": "https://issues.chromium.org/issues/453094710", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Media>Session", "bounty_amount": 250000.0, "created_date": "2025-10-18T18:46:32+00:00", "year": 2025, "attachment_count": 5, "local_path": "issues/453094710", "has_markdown": true }, { "id": "452605804", "title": "V8 Sandbox Bypass: Wasm streaming compilation cache confusion via \"double streaming\"", "url": "https://issues.chromium.org/issues/452605804", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 20000.0, "created_date": "2025-10-16T17:05:33+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/452605804", "has_markdown": true }, { "id": "452605803", "title": "V8 Sandbox Bypass: WasmCPT handle UAF by import dispatch table corruption (multiple variants of b/446113730)", "url": "https://issues.chromium.org/issues/452605803", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 20000.0, "created_date": "2025-10-16T16:28:19+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/452605803", "has_markdown": true }, { "id": "452541294", "title": "Type confusion in v8 caused by incorrect unregistration of prototype users", "url": "https://issues.chromium.org/issues/452541294", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript", "bounty_amount": 10000.0, "created_date": "2025-10-16T15:11:48+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/452541294", "has_markdown": true }, { "id": "452392032", "title": "When in split-view mode, the mini address bar does not appear above the virtual keyboard, leading to a spoof.", "url": "https://issues.chromium.org/issues/452392032", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Omnibox", "bounty_amount": 500.0, "created_date": "2025-10-16T04:01:34+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/452392032", "has_markdown": true }, { "id": "452209495", "title": "truncated long domain on Digital Credentials API prompt lead to spoof", "url": "https://issues.chromium.org/issues/452209495", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Payments", "bounty_amount": 1000.0, "created_date": "2025-10-15T14:22:57+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/452209495", "has_markdown": true }, { "id": "452071845", "title": "Potential out-of-bounds read in Transform::ColMajorF on undersized buffer", "url": "https://issues.chromium.org/issues/452071845", "status": "Accepted", "severity": "S3-Low", "component": "Blink>WebXR", "bounty_amount": 2000.0, "created_date": "2025-10-15T11:32:02+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/452071845", "has_markdown": true }, { "id": "452071826", "title": "HTTP-Auth Passwords are not secured on MacOS", "url": "https://issues.chromium.org/issues/452071826", "status": "Fixed", "severity": "S3-Low", "component": "UI>Browser>Passwords", "bounty_amount": 1000.0, "created_date": "2025-10-14T19:23:21+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/452071826", "has_markdown": true }, { "id": "451355210", "title": "V8 Sandbox Bypass: AAW/PC control via OOB builtin in SharedFunctionInfo", "url": "https://issues.chromium.org/issues/451355210", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Runtime", "bounty_amount": 20000.0, "created_date": "2025-10-13T10:19:27+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/451355210", "has_markdown": true }, { "id": "450618029", "title": "TDZ check elision leading to hole leak", "url": "https://issues.chromium.org/issues/450618029", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Runtime", "bounty_amount": 50000.0, "created_date": "2025-10-10T07:58:42+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/450618029", "has_markdown": true }, { "id": "450044213", "title": "BluetoothAdapterWin UAF Issue", "url": "https://issues.chromium.org/issues/450044213", "status": "Assigned", "severity": "S4-Minimal", "component": "Unknown", "bounty_amount": 3000.0, "created_date": "2025-10-08T02:58:02+00:00", "year": 2025, "attachment_count": 5, "local_path": "issues/450044213", "has_markdown": true }, { "id": "449341185", "title": "SEGV_ACCERR in V8", "url": "https://issues.chromium.org/issues/449341185", "status": "Verified", "severity": "S3-Low", "component": "Blink>JavaScript, Blink>JavaScript>Regexp", "bounty_amount": 8000.0, "created_date": "2025-10-06T00:38:31+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/449341185", "has_markdown": true }, { "id": "448294721", "title": "[bugSWAT] GPU process crash via WebGPU shader - wild-deref in Mesa aco::combine_instruction", "url": "https://issues.chromium.org/issues/448294721", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGPU", "bounty_amount": 10000.0, "created_date": "2025-09-30T15:15:33+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/448294721", "has_markdown": true }, { "id": "448113221", "title": "LPE - Arbitrary File Write in Google Chrome Enterprise (MacOS): The GoogleUpdater, which is executed by root, follows symlinks when writing the file settings.dat in the user folder", "url": "https://issues.chromium.org/issues/448113221", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Updater", "bounty_amount": 3000.0, "created_date": "2025-09-29T16:53:28+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/448113221", "has_markdown": true }, { "id": "448046109", "title": "Use-After-Free in WebMediaPlayerMS::OnFirstFrameReceived", "url": "https://issues.chromium.org/issues/448046109", "status": "Assigned", "severity": "S3-Low", "component": "Blink>MediaStream", "bounty_amount": 3000.0, "created_date": "2025-09-29T11:50:44+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/448046109", "has_markdown": true }, { "id": "447613219", "title": "Debug check failed: has_latin1_bytecode().", "url": "https://issues.chromium.org/issues/447613219", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Runtime", "bounty_amount": 7000.0, "created_date": "2025-09-27T10:11:33+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/447613219", "has_markdown": true }, { "id": "447613211", "title": "Type confusion in inline cache prototype loading with Webassembly object prototype", "url": "https://issues.chromium.org/issues/447613211", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 50000.0, "created_date": "2025-09-26T21:54:54+00:00", "year": 2025, "attachment_count": 5, "local_path": "issues/447613211", "has_markdown": true }, { "id": "447307165", "title": "Sandbox violation: Still UAF in RemoveFromAsyncWaiterQueueList", "url": "https://issues.chromium.org/issues/447307165", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 5000.0, "created_date": "2025-09-25T11:43:24+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/447307165", "has_markdown": true }, { "id": "447172715", "title": "Security: Compromised renderer can control mouse after single tap (UXSS, sandbox escape, and more)", "url": "https://issues.chromium.org/issues/447172715", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Views", "bounty_amount": 30000.0, "created_date": "2025-09-25T06:51:00+00:00", "year": 2025, "attachment_count": 22, "local_path": "issues/447172715", "has_markdown": true }, { "id": "447192722", "title": "UAF in safe_browsing::RendererURLLoaderThrottle::WillRedirectRequest due to Mojo Remote being freed during resource load lifecycle", "url": "https://issues.chromium.org/issues/447192722", "status": "Assigned", "severity": "S3-Low", "component": "Services (Use Subcomponents)>Safebrowsing", "bounty_amount": 7000.0, "created_date": "2025-09-25T02:21:46+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/447192722", "has_markdown": true }, { "id": "446722008", "title": "heap-use-after-free in content::indexed_db::Database::connections_ when force_closing_ is true", "url": "https://issues.chromium.org/issues/446722008", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Storage>IndexedDB", "bounty_amount": 35000.0, "created_date": "2025-09-23T01:40:44+00:00", "year": 2025, "attachment_count": 23, "local_path": "issues/446722008", "has_markdown": true }, { "id": "446463993", "title": "Spoof on virtual keyboard", "url": "https://issues.chromium.org/issues/446463993", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Omnibox", "bounty_amount": 3000.0, "created_date": "2025-09-21T23:08:32+00:00", "year": 2025, "attachment_count": 12, "local_path": "issues/446463993", "has_markdown": true }, { "id": "446463984", "title": "Check failed: !WriteBarrier::IsRequired(heap_object, Tagged(value)).", "url": "https://issues.chromium.org/issues/446463984", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>GarbageCollection", "bounty_amount": 10000.0, "created_date": "2025-09-21T14:22:47+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/446463984", "has_markdown": true }, { "id": "446294487", "title": "heap-use-after-free C:\\b\\s\\w\\ir\\cache\\builder\\src\\chrome\\browser\\ui\\page_info\\page_info_infobar_dele", "url": "https://issues.chromium.org/issues/446294487", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Bubbles>PageInfo", "bounty_amount": 2000.0, "created_date": "2025-09-20T12:25:17+00:00", "year": 2025, "attachment_count": 5, "local_path": "issues/446294487", "has_markdown": true }, { "id": "446113732", "title": "Wasm type confusion due to spec unsoundness in `cast_desc` operations", "url": "https://issues.chromium.org/issues/446113732", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 55000.0, "created_date": "2025-09-19T13:58:19+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/446113732", "has_markdown": true }, { "id": "446122633", "title": "Wasm type confusion due to wrong reachability analysis in `WasmGCTypeAnalyzer::ProcessBranchOnTarget()` with custom descriptor casts", "url": "https://issues.chromium.org/issues/446122633", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 55000.0, "created_date": "2025-09-19T13:58:14+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/446122633", "has_markdown": true }, { "id": "446124893", "title": "Wasm type confusion due to custom descriptors spec ambiguity in `ref.get_desc` exactness typing", "url": "https://issues.chromium.org/issues/446124893", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 55000.0, "created_date": "2025-09-19T13:58:08+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/446124893", "has_markdown": true }, { "id": "446113731", "title": "Wasm type confusion due to custom descriptors spec unsoundness on `ref.func` exact typing", "url": "https://issues.chromium.org/issues/446113731", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 55000.0, "created_date": "2025-09-19T13:58:03+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/446113731", "has_markdown": true }, { "id": "446124892", "title": "Wasm type confusion due to missing exactness check on JS-Wasm boundary", "url": "https://issues.chromium.org/issues/446124892", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 55000.0, "created_date": "2025-09-19T13:57:58+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/446124892", "has_markdown": true }, { "id": "446113730", "title": "V8 Sandbox Bypass: WasmCPT handle UAF by import dispatch table growth", "url": "https://issues.chromium.org/issues/446113730", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 20000.0, "created_date": "2025-09-19T13:57:45+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/446113730", "has_markdown": true }, { "id": "445966259", "title": "V8 Sandbox Bypass: AAW/PC control via DebugBreakTrampoline", "url": "https://issues.chromium.org/issues/445966259", "status": "Verified", "severity": "S4-Minimal", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 20000.0, "created_date": "2025-09-18T23:39:56+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/445966259", "has_markdown": true }, { "id": "445209324", "title": "V8 Sandbox Bypass: AAW/PC control by dispatching CEntry and CCall functions", "url": "https://issues.chromium.org/issues/445209324", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 5000.0, "created_date": "2025-09-16T02:45:15+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/445209324", "has_markdown": true }, { "id": "444803530", "title": "Windows download logic flaw: % triggers double extension sanitization bypass (.lnk .lnk, .scf .scf)", "url": "https://issues.chromium.org/issues/444803530", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Downloads", "bounty_amount": 3000.0, "created_date": "2025-09-13T20:15:46+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/444803530", "has_markdown": true }, { "id": "444755026", "title": "Buffer Overflow in Y16 Video Capture", "url": "https://issues.chromium.org/issues/444755026", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Media>CameraCapture", "bounty_amount": 4000.0, "created_date": "2025-09-12T23:59:28+00:00", "year": 2025, "attachment_count": 10, "local_path": "issues/444755026", "has_markdown": true }, { "id": "444653104", "title": "File picker dialog can be shown over on different tab when focused on it (on split view)", "url": "https://issues.chromium.org/issues/444653104", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>TopChrome>TabStrip>SplitView", "bounty_amount": 500.0, "created_date": "2025-09-12T19:57:15+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/444653104", "has_markdown": true }, { "id": "444048032", "title": "V8 Sandbox Bypass: OOB write in v8::bigint::AddAndReturnOverflow", "url": "https://issues.chromium.org/issues/444048032", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript", "bounty_amount": 5000.0, "created_date": "2025-09-10T12:45:03+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/444048032", "has_markdown": true }, { "id": "443948855", "title": "Allows Arbitrary Code Execution via \"Copy as cURL (cmd)\" in DevTools", "url": "https://issues.chromium.org/issues/443948855", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools>Network", "bounty_amount": 1000.0, "created_date": "2025-09-09T20:04:11+00:00", "year": 2025, "attachment_count": 6, "local_path": "issues/443948855", "has_markdown": true }, { "id": "443772809", "title": "V8 Sandbox Bypass: AAW/PC control via JSDispatchEntry UAF", "url": "https://issues.chromium.org/issues/443772809", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 20000.0, "created_date": "2025-09-08T22:04:22+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/443772809", "has_markdown": true }, { "id": "443475183", "title": "V8 Sandbox Bypass: OOB write to controlled address", "url": "https://issues.chromium.org/issues/443475183", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Runtime", "bounty_amount": 5000.0, "created_date": "2025-09-07T16:50:29+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/443475183", "has_markdown": true }, { "id": "443408317", "title": "Spoof on Address Bar", "url": "https://issues.chromium.org/issues/443408317", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Omnibox", "bounty_amount": 1000.0, "created_date": "2025-09-06T14:13:07+00:00", "year": 2025, "attachment_count": 6, "local_path": "issues/443408317", "has_markdown": true }, { "id": "443196747", "title": "out of bound in function ECPublicKeyFromBytes", "url": "https://issues.chromium.org/issues/443196747", "status": "Assigned", "severity": "S3-Low", "component": "Services (Use Subcomponents)>Sync", "bounty_amount": 5000.0, "created_date": "2025-09-05T14:19:18+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/443196747", "has_markdown": true }, { "id": "443182220", "title": "V8 Sandbox violation: UAF in RemoveFromAsyncWaiterQueueList", "url": "https://issues.chromium.org/issues/443182220", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 5000.0, "created_date": "2025-09-05T11:39:30+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/443182220", "has_markdown": true }, { "id": "442860743", "title": "Triggering screenshare from an unloading page in a cross-process navigation displays the wrong origin", "url": "https://issues.chromium.org/issues/442860743", "status": "Assigned", "severity": "S3-Low", "component": "Blink>MediaStream, Internals>Sandbox>SiteIsolation, UI>Browser>Navigation, UI>Browser>Navigation>BFCache", "bounty_amount": 10000.0, "created_date": "2025-09-04T01:00:21+00:00", "year": 2025, "attachment_count": 18, "local_path": "issues/442860743", "has_markdown": true }, { "id": "442636157", "title": "Chrome on Android: URL spoof triggered by address bar position Change", "url": "https://issues.chromium.org/issues/442636157", "status": "Fixed", "severity": "S3-Low", "component": "UI>Browser>Omnibox", "bounty_amount": null, "created_date": "2025-09-03T03:02:47+00:00", "year": 2025, "attachment_count": 8, "local_path": "issues/442636157", "has_markdown": true }, { "id": "442444724", "title": "Heap-buffer-overflow/wild-read in dawn::native::`anonymous namespace'::ReflectEntryPointUsingTint ", "url": "https://issues.chromium.org/issues/442444724", "status": "Assigned", "severity": "S4-Minimal", "component": "Dawn", "bounty_amount": 25000.0, "created_date": "2025-09-02T09:03:22+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/442444724", "has_markdown": true }, { "id": "442065550", "title": "libusc UAF via WebGPU shaders at MergeConsecutiveBarriersBP", "url": "https://issues.chromium.org/issues/442065550", "status": "Assigned", "severity": "S3-Low", "component": "Dawn>Tint", "bounty_amount": 25000.0, "created_date": "2025-08-30T18:29:57+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/442065550", "has_markdown": true }, { "id": "441949792", "title": "V8 Sandbox Bypass: Argument count inconsistency due to bound args double-fetch in Generate_PushBoundArguments", "url": "https://issues.chromium.org/issues/441949792", "status": "Accepted", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 5000.0, "created_date": "2025-08-29T16:13:56+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/441949792", "has_markdown": true }, { "id": "441917796", "title": "WebCodecs VideoFrame constructor crashes browser when non-even width and height are used", "url": "https://issues.chromium.org/issues/441917796", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Media>WebCodecs", "bounty_amount": 3000.0, "created_date": "2025-08-29T12:33:41+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/441917796", "has_markdown": true }, { "id": "441668149", "title": "Maglev type confusion via corrupted Phi node metadata", "url": "https://issues.chromium.org/issues/441668149", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Maglev", "bounty_amount": 7000.0, "created_date": "2025-08-28T17:41:49+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/441668149", "has_markdown": true }, { "id": "441427753", "title": "Debug check failed: isolate()->CurrentLocalHeap()->IsRunning()", "url": "https://issues.chromium.org/issues/441427753", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Maglev", "bounty_amount": 3000.0, "created_date": "2025-08-27T16:56:10+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/441427753", "has_markdown": true }, { "id": "440737137", "title": "Use-After-Free in MediaStreamDescriptor", "url": "https://issues.chromium.org/issues/440737137", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebRTC", "bounty_amount": 10000.0, "created_date": "2025-08-23T14:50:57+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/440737137", "has_markdown": true }, { "id": "440523110", "title": "(Split View) UI spoofing Upload leads leaking confidential files, Photos to Attacker", "url": "https://issues.chromium.org/issues/440523110", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>TopChrome>TabStrip>SplitView", "bounty_amount": 3000.0, "created_date": "2025-08-22T20:32:38+00:00", "year": 2025, "attachment_count": 5, "local_path": "issues/440523110", "has_markdown": true }, { "id": "440454442", "title": "Use After Free in ServiceWorkerVersion::FinishRequestWithFetchCount() in browser process.", "url": "https://issues.chromium.org/issues/440454442", "status": "New", "severity": "S3-Low", "component": "Blink>ServiceWorker", "bounty_amount": 43000.0, "created_date": "2025-08-22T10:33:45+00:00", "year": 2025, "attachment_count": 6, "local_path": "issues/440454442", "has_markdown": true }, { "id": "439305148", "title": "Mojo’s ChannelPosix incorrectly handles >128 file descriptors in a message, leading to fd confusion", "url": "https://issues.chromium.org/issues/439305148", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Mojo", "bounty_amount": 30000.0, "created_date": "2025-08-18T01:13:13+00:00", "year": 2025, "attachment_count": 7, "local_path": "issues/439305148", "has_markdown": true }, { "id": "439380004", "title": "V8 Sandbox Bypass: In-sandbox corruption allows execution of arbitrary runtime functions / intrinsics", "url": "https://issues.chromium.org/issues/439380004", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 20000.0, "created_date": "2025-08-17T23:32:25+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/439380004", "has_markdown": true }, { "id": "439058242", "title": "Extensions can run JS on any privileged origin by exploiting already-patched vulnerabilities under devtools:// scheme.", "url": "https://issues.chromium.org/issues/439058242", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools>Extensions", "bounty_amount": 4000.0, "created_date": "2025-08-16T00:44:01+00:00", "year": 2025, "attachment_count": 17, "local_path": "issues/439058242", "has_markdown": true }, { "id": "438226517", "title": "Address Bar Spoofing on Android", "url": "https://issues.chromium.org/issues/438226517", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Omnibox", "bounty_amount": 3000.0, "created_date": "2025-08-13T04:14:20+00:00", "year": 2025, "attachment_count": 15, "local_path": "issues/438226517", "has_markdown": true }, { "id": "437147699", "title": "Chrome on Android: Spoof issue triggered by bottom address bar", "url": "https://issues.chromium.org/issues/437147699", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Omnibox", "bounty_amount": 5000.0, "created_date": "2025-08-07T20:27:28+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/437147699", "has_markdown": true }, { "id": "436887350", "title": "Security: Extension can download file by resuming interrupted download", "url": "https://issues.chromium.org/issues/436887350", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Downloads", "bounty_amount": 4000.0, "created_date": "2025-08-06T19:38:23+00:00", "year": 2025, "attachment_count": 11, "local_path": "issues/436887350", "has_markdown": true }, { "id": "435875050", "title": "WebGPU dawn::native::d3d12::ResourceAllocatorManager::Tick Heap-Use-After-Free", "url": "https://issues.chromium.org/issues/435875050", "status": "Assigned", "severity": "S3-Low", "component": "Dawn", "bounty_amount": 15000.0, "created_date": "2025-08-03T03:54:17+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/435875050", "has_markdown": true }, { "id": "435630467", "title": "V8 Sandbox Bypass: In-sandbox corruption allows execution of DebugBreakTrampoline, leading to invalid tail call", "url": "https://issues.chromium.org/issues/435630467", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 20000.0, "created_date": "2025-08-02T05:40:21+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/435630467", "has_markdown": true }, { "id": "435630464", "title": "V8 Sandbox Bypass: In-sandbox corruption allows execution of dangerous / experimental code", "url": "https://issues.chromium.org/issues/435630464", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Runtime", "bounty_amount": 20000.0, "created_date": "2025-08-02T00:53:57+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/435630464", "has_markdown": true }, { "id": "435683799", "title": "heap-buffer-overflow in ANGLE for Chromium on MacOS", "url": "https://issues.chromium.org/issues/435683799", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE", "bounty_amount": 10000.0, "created_date": "2025-08-01T16:27:41+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/435683799", "has_markdown": true }, { "id": "435068768", "title": "Debug check failed: ValidationTag::validate", "url": "https://issues.chromium.org/issues/435068768", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 0.0, "created_date": "2025-07-30T15:42:26+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/435068768", "has_markdown": true }, { "id": "433800617", "title": "Security: Compromised renderer can steal cross-site data with minimal user interaction", "url": "https://issues.chromium.org/issues/433800617", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Sandbox>SiteIsolation, UI>Browser>Downloads", "bounty_amount": 5000.0, "created_date": "2025-07-23T22:13:43+00:00", "year": 2025, "attachment_count": 7, "local_path": "issues/433800617", "has_markdown": true }, { "id": "433533359", "title": "Consumers of ReadableStream subject to data race with SharedArrayBuffer, leading to RCE + V8 Sandbox bypass", "url": "https://issues.chromium.org/issues/433533359", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 70000.0, "created_date": "2025-07-23T07:06:44+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/433533359", "has_markdown": true }, { "id": "433407763", "title": "V8 sandbox bypass due to NativeModule swapping while module instantiation was ongoing", "url": "https://issues.chromium.org/issues/433407763", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 20000.0, "created_date": "2025-07-22T09:34:13+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/433407763", "has_markdown": true }, { "id": "433027577", "title": "heap-use-after-free in wl_proxy_marshal_array_flags", "url": "https://issues.chromium.org/issues/433027577", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Ozone", "bounty_amount": 1000.0, "created_date": "2025-07-20T15:06:55+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/433027577", "has_markdown": true }, { "id": "432497641", "title": "Security: heap-use-after-free on aura::Window::CleanupGestureState", "url": "https://issues.chromium.org/issues/432497641", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Input", "bounty_amount": 10000.0, "created_date": "2025-07-17T20:15:53+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/432497641", "has_markdown": true }, { "id": "432289371", "title": "V8 sandbox bypass due to recreating funcref for imported wasm function", "url": "https://issues.chromium.org/issues/432289371", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 5000.0, "created_date": "2025-07-17T06:24:14+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/432289371", "has_markdown": true }, { "id": "432035817", "title": "Crash with three-way self Jitsi Meet call", "url": "https://issues.chromium.org/issues/432035817", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Media>Codecs", "bounty_amount": 7000.0, "created_date": "2025-07-15T20:12:21+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/432035817", "has_markdown": true }, { "id": "431309019", "title": "Bypassing Mark of the Web with an HTML File and User Interaction", "url": "https://issues.chromium.org/issues/431309019", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Downloads", "bounty_amount": 2000.0, "created_date": "2025-07-12T00:35:33+00:00", "year": 2025, "attachment_count": 9, "local_path": "issues/431309019", "has_markdown": true }, { "id": "430960844", "title": "V8 Sandbox Bypass: InstantiateAsmJs builtin doesn't protect against mid-builtin dispatch handle swaps", "url": "https://issues.chromium.org/issues/430960844", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 20000.0, "created_date": "2025-07-11T01:56:10+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/430960844", "has_markdown": true }, { "id": "430635213", "title": "UAF in content::protocol::InputHandler::InputInjector::InjectMouseEvent through DevTools", "url": "https://issues.chromium.org/issues/430635213", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools", "bounty_amount": 1000.0, "created_date": "2025-07-10T10:18:25+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/430635213", "has_markdown": true }, { "id": "430572435", "title": "JIT type confusion via corrupted inlining metadata", "url": "https://issues.chromium.org/issues/430572435", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Maglev", "bounty_amount": 7000.0, "created_date": "2025-07-09T19:10:15+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/430572435", "has_markdown": true }, { "id": "430555440", "title": "Autofill suggestions appear off-screen, allowing covert access to user data", "url": "https://issues.chromium.org/issues/430555440", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Autofill", "bounty_amount": 0.0, "created_date": "2025-07-09T15:33:38+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/430555440", "has_markdown": true }, { "id": "430498032", "title": "V8 Sandbox Bypass: Heap Buffer Overflow while Changing the Length of a Corrupted Array", "url": "https://issues.chromium.org/issues/430498032", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 5000.0, "created_date": "2025-07-09T13:30:03+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/430498032", "has_markdown": true }, { "id": "430336833", "title": "Cross-context string leakage via V8 string_table", "url": "https://issues.chromium.org/issues/430336833", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Bindings", "bounty_amount": 5000.0, "created_date": "2025-07-09T10:05:22+00:00", "year": 2025, "attachment_count": 12, "local_path": "issues/430336833", "has_markdown": true }, { "id": "430344952", "title": "Debug check failed: IsInBounds(index)", "url": "https://issues.chromium.org/issues/430344952", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Parser", "bounty_amount": 8000.0, "created_date": "2025-07-09T08:49:49+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/430344952", "has_markdown": true }, { "id": "429703123", "title": "V8 Sandbox Bypass: Arbitrary code execution via interpreter-to-baseline OSR Code type confusion", "url": "https://issues.chromium.org/issues/429703123", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 20000.0, "created_date": "2025-07-05T13:23:01+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/429703123", "has_markdown": true }, { "id": "428515091", "title": " GPU process crash via WebGPU shader - heap-use-after-free in Mesa aco:do_pack_2x16 ", "url": "https://issues.chromium.org/issues/428515091", "status": "Assigned", "severity": "S3-Low", "component": "Dawn>Tint", "bounty_amount": 10000.0, "created_date": "2025-06-29T16:19:47+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/428515091", "has_markdown": true }, { "id": "428484827", "title": "Confusion on permission prompt lead to spoof (using split view)", "url": "https://issues.chromium.org/issues/428484827", "status": "Verified", "severity": "S3-Low", "component": "UI>Browser>Permissions>Prompts, UI>Browser>TopChrome>TabStrip>SplitView", "bounty_amount": 1000.0, "created_date": "2025-06-29T14:44:16+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/428484827", "has_markdown": true }, { "id": "428455319", "title": "Permission element inner div with style text-emphasis:꧁; and text-emphasis-position: over right; can be abused if no element in the parent chain has any text-emphasis:꧁; and text-emphasis-position: over right; are set.", "url": "https://issues.chromium.org/issues/428455319", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Permissions>PermissionElement", "bounty_amount": 1000.0, "created_date": "2025-06-29T13:59:55+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/428455319", "has_markdown": true }, { "id": "428397712", "title": "Files of extensions with developer tools page are exposed to other extensions", "url": "https://issues.chromium.org/issues/428397712", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 1000.0, "created_date": "2025-06-29T01:44:18+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/428397712", "has_markdown": true }, { "id": "428189824", "title": "Security: PiP window obscures FSA API file picker dialog (env var leak)", "url": "https://issues.chromium.org/issues/428189824", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Media>PictureInPicture, Blink>Storage>FileSystem", "bounty_amount": 5000.0, "created_date": "2025-06-27T22:25:13+00:00", "year": 2025, "attachment_count": 15, "local_path": "issues/428189824", "has_markdown": true }, { "id": "428131118", "title": " V8 Sandbox Bypass: OOB write in wasm::WellKnownImportsList::Update", "url": "https://issues.chromium.org/issues/428131118", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 5000.0, "created_date": "2025-06-27T11:04:51+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/428131118", "has_markdown": true }, { "id": "427918760", "title": "V8 Sandbox Bypass: OOB write in the WasmFullDecoder EndControl handler", "url": "https://issues.chromium.org/issues/427918760", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 5000.0, "created_date": "2025-06-26T13:56:28+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/427918760", "has_markdown": true }, { "id": "427662337", "title": "V8 Sandbox Bypass: Heap Use-After-Free in v8::internal::HeapLayout::CheckYoungGenerationConsistency", "url": "https://issues.chromium.org/issues/427662337", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript", "bounty_amount": 1000.0, "created_date": "2025-06-25T17:49:49+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/427662337", "has_markdown": true }, { "id": "427681143", "title": "P2PSocket(this) object is freed, causing Use-After-Free vulnerability", "url": "https://issues.chromium.org/issues/427681143", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebRTC", "bounty_amount": 25000.0, "created_date": "2025-06-25T15:01:56+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/427681143", "has_markdown": true }, { "id": "427600180", "title": "V8 Sandbox Bypass: OOB write in bigint::ProcessorImpl::FromStringLarge", "url": "https://issues.chromium.org/issues/427600180", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript, Blink>JavaScript>Runtime", "bounty_amount": 5000.0, "created_date": "2025-06-25T14:41:08+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/427600180", "has_markdown": true }, { "id": "427367145", "title": "Command injection in \"Copy as cURL (cmd)\" due to improper sanitization", "url": "https://issues.chromium.org/issues/427367145", "status": "Accepted", "severity": "S3-Low", "component": "Platform>DevTools>Network", "bounty_amount": 1500.0, "created_date": "2025-06-24T08:46:39+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/427367145", "has_markdown": true }, { "id": "426480606", "title": "open link in split view view leads to the origin of an external protocol handler prompt obscured (Windows)", "url": "https://issues.chromium.org/issues/426480606", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>TopChrome>TabStrip>SplitView", "bounty_amount": 3000.0, "created_date": "2025-06-20T17:53:59+00:00", "year": 2025, "attachment_count": 5, "local_path": "issues/426480606", "has_markdown": true }, { "id": "426054987", "title": "use-after-poison in blink::MediaStreamAudioTrack::StopAndNotify(class base::OnceCallback<(void)>)", "url": "https://issues.chromium.org/issues/426054987", "status": "Accepted", "severity": "S3-Low", "component": "Blink>MediaStream", "bounty_amount": 8000.0, "created_date": "2025-06-19T13:22:50+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/426054987", "has_markdown": true }, { "id": "425583995", "title": "Debug check failed: pc_offset() < unresolved_branches_first_limit()", "url": "https://issues.chromium.org/issues/425583995", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Maglev", "bounty_amount": 7000.0, "created_date": "2025-06-17T16:37:00+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/425583995", "has_markdown": true }, { "id": "425390965", "title": "GPU process crash via WebGPU shader - wild-deref in Mesa try_opt_exclusive_scan_to_inclusive ", "url": "https://issues.chromium.org/issues/425390965", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGPU", "bounty_amount": 10000.0, "created_date": "2025-06-16T19:26:26+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/425390965", "has_markdown": true }, { "id": "425271170", "title": "GPU process crash via WebGPU shader - global-buffer-overflow in Mesa lower_mem_store", "url": "https://issues.chromium.org/issues/425271170", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGPU", "bounty_amount": 1000.0, "created_date": "2025-06-16T16:59:11+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/425271170", "has_markdown": true }, { "id": "425121216", "title": "V8 Sandbox Bypass: OOB write in JsonParser due to dangling GC callback", "url": "https://issues.chromium.org/issues/425121216", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript", "bounty_amount": 1000.0, "created_date": "2025-06-15T15:50:08+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/425121216", "has_markdown": true }, { "id": "425122187", "title": "V8 Sandbox Bypass: UB V8HeapExplorer::GetSystemEntryName leads to OOB write", "url": "https://issues.chromium.org/issues/425122187", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript", "bounty_amount": 1000.0, "created_date": "2025-06-15T14:04:16+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/425122187", "has_markdown": true }, { "id": "424760433", "title": "GPU process crash via WebGPU shader - heap-use-after-free in Mesa brw_live_variables::setup_one_read", "url": "https://issues.chromium.org/issues/424760433", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU", "bounty_amount": 11000.0, "created_date": "2025-06-13T15:52:30+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/424760433", "has_markdown": true }, { "id": "423670839", "title": "Permission element inner div with style text-decoration-line: line-through; and text-decoration-thickness can be abused if no element in the parent chain has any text-decoration-line: line-through; and text-decoration-thickness are set.", "url": "https://issues.chromium.org/issues/423670839", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Permissions>PermissionElement", "bounty_amount": 500.0, "created_date": "2025-06-10T04:30:33+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/423670839", "has_markdown": true }, { "id": "423459708", "title": "JSON.parse() Out-of-Bounds Access to DescriptorArray", "url": "https://issues.chromium.org/issues/423459708", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Runtime", "bounty_amount": 4000.0, "created_date": "2025-06-09T14:07:41+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/423459708", "has_markdown": true }, { "id": "423050527", "title": "Deoptimize: inconsistency in materialization can insert unexpected value to the interpreter stack frame", "url": "https://issues.chromium.org/issues/423050527", "status": "Accepted", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Turbofan", "bounty_amount": 10000.0, "created_date": "2025-06-07T05:58:53+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/423050527", "has_markdown": true }, { "id": "421399969", "title": "GPU process crash via WebGPU shader - heap-buffer-overflow in Mesa anv_nir_compute_push_layout", "url": "https://issues.chromium.org/issues/421399969", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGPU", "bounty_amount": 10000.0, "created_date": "2025-05-31T14:53:59+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/421399969", "has_markdown": true }, { "id": "421471016", "title": "UAF in StackSampler", "url": "https://issues.chromium.org/issues/421471016", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>Metrics>SamplingProfiler", "bounty_amount": 4000.0, "created_date": "2025-05-31T14:36:22+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/421471016", "has_markdown": true }, { "id": "421511847", "title": "Download origin spoofing using malformed data url.", "url": "https://issues.chromium.org/issues/421511847", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Downloads", "bounty_amount": 5000.0, "created_date": "2025-05-31T10:10:05+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/421511847", "has_markdown": true }, { "id": "421403261", "title": "V8 Sandbox Bypass: AAW via clobbered i32 high word on return value in Liftoff", "url": "https://issues.chromium.org/issues/421403261", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 20000.0, "created_date": "2025-05-31T05:02:11+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/421403261", "has_markdown": true }, { "id": "420734141", "title": "Screen Share Dialog - Domain Spoof (Similar to permission prompt)", "url": "https://issues.chromium.org/issues/420734141", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>MediaCapture", "bounty_amount": 2000.0, "created_date": "2025-05-28T02:32:49+00:00", "year": 2025, "attachment_count": 5, "local_path": "issues/420734141", "has_markdown": true }, { "id": "420697404", "title": "Debug check failed: escapes >= 0 (-2005397586 vs. 0)", "url": "https://issues.chromium.org/issues/420697404", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript", "bounty_amount": 7000.0, "created_date": "2025-05-27T21:26:33+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/420697404", "has_markdown": true }, { "id": "420150619", "title": "Security: Race condition in AudioRendererImpl", "url": "https://issues.chromium.org/issues/420150619", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Media>Video", "bounty_amount": 8000.0, "created_date": "2025-05-25T16:11:11+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/420150619", "has_markdown": true }, { "id": "419939693", "title": "GPU process crash via WebGPU shader - heap-buffer-overflow in Mesa build_interference_graph", "url": "https://issues.chromium.org/issues/419939693", "status": "Assigned", "severity": "S3-Low", "component": "Dawn>Tint", "bounty_amount": 10000.0, "created_date": "2025-05-24T07:23:11+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/419939693", "has_markdown": true }, { "id": "419721056", "title": "`showSaveFilePicker()` DIalog can Overlaid on Other Origin lead to Origin Spoofing", "url": "https://issues.chromium.org/issues/419721056", "status": "Fixed", "severity": "S3-Low", "component": "Blink>Storage>FileSystem", "bounty_amount": 1000.0, "created_date": "2025-05-23T08:47:57+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/419721056", "has_markdown": true }, { "id": "419035409", "title": "Malicious Site can Steal Other Site's Downloads", "url": "https://issues.chromium.org/issues/419035409", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Storage>FileSystem", "bounty_amount": 2000.0, "created_date": "2025-05-20T17:40:15+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/419035409", "has_markdown": true }, { "id": "417636716", "title": "V8 Sandbox Bypass: Stack corruption via signature mismatch during call baseline code", "url": "https://issues.chromium.org/issues/417636716", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Runtime", "bounty_amount": 20000.0, "created_date": "2025-05-14T16:40:25+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/417636716", "has_markdown": true }, { "id": "417215501", "title": "Speculation rules conflict with BFCache, causing potentially sensitive pages to be cached when they shouldn't", "url": "https://issues.chromium.org/issues/417215501", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Navigation>BFCache", "bounty_amount": 2000.0, "created_date": "2025-05-12T17:25:01+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/417215501", "has_markdown": true }, { "id": "417169470", "title": "V8 Turboshaft Late Load Elimination Aliasing bug leads to Memory Corruption", "url": "https://issues.chromium.org/issues/417169470", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Compiler>Turbofan", "bounty_amount": 3000.0, "created_date": "2025-05-12T15:35:12+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/417169470", "has_markdown": true }, { "id": "416942878", "title": "SameSite Strict cookies are included when middle clicking a link to another site in a PDF document", "url": "https://issues.chromium.org/issues/416942878", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Network>Cookies, Internals>Plugins>PDF", "bounty_amount": 2000.0, "created_date": "2025-05-11T02:22:32+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/416942878", "has_markdown": true }, { "id": "415496161", "title": "\"File might be harmful\" dialog does not have origin", "url": "https://issues.chromium.org/issues/415496161", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Downloads", "bounty_amount": 1000.0, "created_date": "2025-05-04T13:43:16+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/415496161", "has_markdown": true }, { "id": "415523530", "title": "Debug check failed: CanElideWriteBarrier(object, value). in v8", "url": "https://issues.chromium.org/issues/415523530", "status": "Accepted", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Maglev", "bounty_amount": 3000.0, "created_date": "2025-05-04T08:12:08+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/415523530", "has_markdown": true }, { "id": "414831374", "title": "V8 Sandbox Bypass: OOB writ in Module::GetModuleNamespace", "url": "https://issues.chromium.org/issues/414831374", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 5000.0, "created_date": "2025-04-30T19:31:47+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/414831374", "has_markdown": true }, { "id": "414760982", "title": "UAF in in extensions::ExtensionURLLoaderThrottle::WillProcessResponse", "url": "https://issues.chromium.org/issues/414760982", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools>Extensions, Platform>Extensions>API", "bounty_amount": 2000.0, "created_date": "2025-04-30T13:18:16+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/414760982", "has_markdown": true }, { "id": "412578726", "title": "ipcz bug can allow renderer duplicate browser process handle to escape sandbox", "url": "https://issues.chromium.org/issues/412578726", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Mojo>Core", "bounty_amount": 250000.0, "created_date": "2025-04-22T16:38:51+00:00", "year": 2025, "attachment_count": 8, "local_path": "issues/412578726", "has_markdown": true }, { "id": "412265459", "title": "Security: Security DCHECK failed in StringView", "url": "https://issues.chromium.org/issues/412265459", "status": "Assigned", "severity": "S3-Low", "component": "Blink>ViewTransitions", "bounty_amount": 7000.0, "created_date": "2025-04-21T15:08:49+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/412265459", "has_markdown": true }, { "id": "412057896", "title": "Security: Uaf in media::AudioBus", "url": "https://issues.chromium.org/issues/412057896", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Media", "bounty_amount": 7000.0, "created_date": "2025-04-20T15:39:05+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/412057896", "has_markdown": true }, { "id": "411802156", "title": "Security: Fatal error in src/compiler/turboshaft/operations.cc, line 152", "url": "https://issues.chromium.org/issues/411802156", "status": "Accepted", "severity": "S4-Minimal", "component": "Blink>JavaScript>Compiler>Turbofan", "bounty_amount": 7000.0, "created_date": "2025-04-19T14:18:21+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/411802156", "has_markdown": true }, { "id": "411598604", "title": "V8 Sandbox Bypass: UAF during LargeObjectSpace tear down", "url": "https://issues.chromium.org/issues/411598604", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript", "bounty_amount": 5000.0, "created_date": "2025-04-18T19:52:55+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/411598604", "has_markdown": true }, { "id": "411573532", "title": "heap-use-after-free in cc::LayerTreeHost::NotifyTransitionRequestsFinished", "url": "https://issues.chromium.org/issues/411573532", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Animation, Internals>Services>Viz", "bounty_amount": 11000.0, "created_date": "2025-04-18T10:17:14+00:00", "year": 2025, "attachment_count": 9, "local_path": "issues/411573532", "has_markdown": true }, { "id": "411544197", "title": "A vulnerability in FileSystemFileHandle.move bypasses download restrictions.", "url": "https://issues.chromium.org/issues/411544197", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Storage>FileSystem", "bounty_amount": 2000.0, "created_date": "2025-04-18T09:20:44+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/411544197", "has_markdown": true }, { "id": "410960670", "title": "File Download Origin Spoof Using Long Subdomain", "url": "https://issues.chromium.org/issues/410960670", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Downloads", "bounty_amount": 500.0, "created_date": "2025-04-16T07:15:17+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/410960670", "has_markdown": true }, { "id": "409911705", "title": "container-overflow in blink::CloseWatcher::WatcherStack::Signal() close_watcher.cc:170:10", "url": "https://issues.chromium.org/issues/409911705", "status": "Assigned", "severity": "S3-Low", "component": "Blink>HTML, IO>Keyboard", "bounty_amount": 5000.0, "created_date": "2025-04-11T09:34:59+00:00", "year": 2025, "attachment_count": 10, "local_path": "issues/409911705", "has_markdown": true }, { "id": "409619251", "title": "Buffer Overflow (GPU process) in Chrome Windows Media Foundation Encode Accelerator", "url": "https://issues.chromium.org/issues/409619251", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Media>WebCodecs", "bounty_amount": 15000.0, "created_date": "2025-04-09T22:11:30+00:00", "year": 2025, "attachment_count": 6, "local_path": "issues/409619251", "has_markdown": true }, { "id": "409342999", "title": "page crash after breakpoint and resume, and in other cases", "url": "https://issues.chromium.org/issues/409342999", "status": "Assigned", "severity": "S4-Minimal", "component": "Platform>DevTools", "bounty_amount": 2000.0, "created_date": "2025-04-09T08:25:54+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/409342999", "has_markdown": true }, { "id": "409059706", "title": "Use After Free in CompressedPointer::Load inside WorkerThread::DidProcessTask", "url": "https://issues.chromium.org/issues/409059706", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Workers", "bounty_amount": 1000.0, "created_date": "2025-04-07T23:36:26+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/409059706", "has_markdown": true }, { "id": "408364839", "title": " GPU process crash via WebGPU shader - stack-buffer-overflow in Mesa nir_extract_bits ", "url": "https://issues.chromium.org/issues/408364839", "status": "Assigned", "severity": "S3-Low", "component": "Dawn", "bounty_amount": 10000.0, "created_date": "2025-04-04T16:28:33+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/408364839", "has_markdown": true }, { "id": "408132930", "title": "Security: heap-use-after-free in views::DesktopWindowTreeHostWin::~DesktopWindowTreeHostWin", "url": "https://issues.chromium.org/issues/408132930", "status": "Accepted", "severity": "S3-Low", "component": "UI>Aura", "bounty_amount": 3000.0, "created_date": "2025-04-03T11:40:08+00:00", "year": 2025, "attachment_count": 5, "local_path": "issues/408132930", "has_markdown": true }, { "id": "408093267", "title": "Chrome : WebGL DrawArrays Kernel Use-After-Free", "url": "https://issues.chromium.org/issues/408093267", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGL", "bounty_amount": 1000.0, "created_date": "2025-04-03T09:07:22+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/408093267", "has_markdown": true }, { "id": "407328533", "title": "Security: heap-use-after-free in blink::TransitionInterpolation on CSS custom properties", "url": "https://issues.chromium.org/issues/407328533", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Animation, Blink>CSS", "bounty_amount": 4000.0, "created_date": "2025-03-30T16:54:24+00:00", "year": 2025, "attachment_count": 9, "local_path": "issues/407328533", "has_markdown": true }, { "id": "407315793", "title": "Security: heap-use-after-free in gpu::CommandBufferProxyImpl::OnDisconnect", "url": "https://issues.chromium.org/issues/407315793", "status": "Fixed", "severity": "S3-Low", "component": "Internals>Services>GPU", "bounty_amount": 3000.0, "created_date": "2025-03-30T14:32:53+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/407315793", "has_markdown": true }, { "id": "406631048", "title": "Copy as Curl (CMD) Leads to code execution on windows", "url": "https://issues.chromium.org/issues/406631048", "status": "Accepted", "severity": "S3-Low", "component": "Platform>DevTools>Network", "bounty_amount": 1000.0, "created_date": "2025-03-27T11:22:58+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/406631048", "has_markdown": true }, { "id": "406034851", "title": "Insufficient fix for crbug/376625003 (local file read with chrome.devtools)", "url": "https://issues.chromium.org/issues/406034851", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools>Extensions", "bounty_amount": 1000.0, "created_date": "2025-03-26T19:29:04+00:00", "year": 2025, "attachment_count": 8, "local_path": "issues/406034851", "has_markdown": true }, { "id": "406054655", "title": "Heap-buffer-overflow in SkPngCodecBase::createColorTable", "url": "https://issues.chromium.org/issues/406054655", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>Images>Codecs, Internals>Skia", "bounty_amount": 9000.0, "created_date": "2025-03-25T18:59:19+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/406054655", "has_markdown": true }, { "id": "405910169", "title": "UAF in in BrowserTabStripTracker::Init() in browser process", "url": "https://issues.chromium.org/issues/405910169", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 1000.0, "created_date": "2025-03-24T13:04:40+00:00", "year": 2025, "attachment_count": 7, "local_path": "issues/405910169", "has_markdown": true }, { "id": "405727341", "title": "clickjacking (enterjacking) download notification when a window.alert() is closed", "url": "https://issues.chromium.org/issues/405727341", "status": "Fixed", "severity": "S3-Low", "component": "UI>Browser>Downloads", "bounty_amount": 3000.0, "created_date": "2025-03-24T04:34:23+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/405727341", "has_markdown": true }, { "id": "405140652", "title": "UAF when accessing member variable after destruction of throttle (SubframeHistoryNavigationThrottle)", "url": "https://issues.chromium.org/issues/405140652", "status": "Assigned", "severity": "S3-Low", "component": "Internals", "bounty_amount": 4000.0, "created_date": "2025-03-21T08:26:42+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/405140652", "has_markdown": true }, { "id": "405292639", "title": "AddressSanitizer: heap-use-after-free on address 0x7da147715900 at pc 0x55baa6985542 bp 0x7ffe146adfd0 sp 0x7ffe146adfc8", "url": "https://issues.chromium.org/issues/405292639", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>USB", "bounty_amount": 11000.0, "created_date": "2025-03-21T07:55:07+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/405292639", "has_markdown": true }, { "id": "404285918", "title": "V8 Sandbox Bypass: SP/PC control via Wasm JSPI central stack top confusion", "url": "https://issues.chromium.org/issues/404285918", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 20000.0, "created_date": "2025-03-17T19:16:48+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/404285918", "has_markdown": true }, { "id": "404000989", "title": "DevTools frontend leaks breakpoint history to any remote WebSocket server it connects to", "url": "https://issues.chromium.org/issues/404000989", "status": "Accepted", "severity": "S3-Low", "component": "Platform>DevTools", "bounty_amount": 2000.0, "created_date": "2025-03-16T21:27:41+00:00", "year": 2025, "attachment_count": 11, "local_path": "issues/404000989", "has_markdown": true }, { "id": "403600260", "title": "V8 Sandbox Bypass: Uninitialized read to switch-case OOB jump in Maglev JSGeneratorObject allocation inlining", "url": "https://issues.chromium.org/issues/403600260", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Maglev", "bounty_amount": 25000.0, "created_date": "2025-03-14T20:41:47+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/403600260", "has_markdown": true }, { "id": "403372467", "title": "V8 Sandbox Bypass: OOB write in icu_74::CharString::append", "url": "https://issues.chromium.org/issues/403372467", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript, Blink>JavaScript>Runtime", "bounty_amount": 5000.0, "created_date": "2025-03-14T13:02:46+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/403372467", "has_markdown": true }, { "id": "403211343", "title": "Improper Error Handling in LateLoadElimination for String Map in Turboshaft Leads to RCE", "url": "https://issues.chromium.org/issues/403211343", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Turbofan", "bounty_amount": 50000.0, "created_date": "2025-03-13T16:33:14+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/403211343", "has_markdown": true }, { "id": "402791076", "title": "Security: DevTools XSS allows sandbox escape, UXSS, CDP access, other impacts", "url": "https://issues.chromium.org/issues/402791076", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools", "bounty_amount": 4000.0, "created_date": "2025-03-13T05:34:21+00:00", "year": 2025, "attachment_count": 19, "local_path": "issues/402791076", "has_markdown": true }, { "id": "402646504", "title": "Type Confusion Vulnerability in Maglev When Handling TypedArray Length Loading", "url": "https://issues.chromium.org/issues/402646504", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Compiler>Maglev", "bounty_amount": 6000.0, "created_date": "2025-03-12T14:03:03+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/402646504", "has_markdown": true }, { "id": "401927528", "title": "DevTools Recorder Can Flip Internal Flags Without User Awareness", "url": "https://issues.chromium.org/issues/401927528", "status": "Accepted", "severity": "S3-Low", "component": "Platform>DevTools>Recorder", "bounty_amount": 1000.0, "created_date": "2025-03-10T10:20:58+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/401927528", "has_markdown": true }, { "id": "401823929", "title": "intent:// can bypass fido:/ URI bock (see: 370482421)", "url": "https://issues.chromium.org/issues/401823929", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebAuthentication", "bounty_amount": 2000.0, "created_date": "2025-03-09T23:58:29+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/401823929", "has_markdown": true }, { "id": "401846968", "title": "Heap-use-after-free in chromium_jpeg_read_scanlines", "url": "https://issues.chromium.org/issues/401846968", "status": "Assigned", "severity": "S4-Minimal", "component": "PDFium", "bounty_amount": 9000.0, "created_date": "2025-03-09T14:59:45+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/401846968", "has_markdown": true }, { "id": "401732698", "title": "V8 sandbox violation in v8", "url": "https://issues.chromium.org/issues/401732698", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 5000.0, "created_date": "2025-03-09T11:11:23+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/401732698", "has_markdown": true }, { "id": "401393576", "title": "UAF in in Tab::OnMouseReleased(class ui::MouseEvent const &) in browser process", "url": "https://issues.chromium.org/issues/401393576", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 3000.0, "created_date": "2025-03-07T08:21:45+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/401393576", "has_markdown": true }, { "id": "400761079", "title": "permission prompt obscured by black screen lead to spoof to allow permission", "url": "https://issues.chromium.org/issues/400761079", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Permissions>Prompts", "bounty_amount": 500.0, "created_date": "2025-03-04T20:53:46+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/400761079", "has_markdown": true }, { "id": "400740865", "title": "Chrome's updater.exe is prone to privilege escalation through privileged file deletion", "url": "https://issues.chromium.org/issues/400740865", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Updater>Client", "bounty_amount": 5000.0, "created_date": "2025-03-04T19:47:36+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/400740865", "has_markdown": true }, { "id": "400584607", "title": "The maglev-pretenure-store-values feature leads to bypass of write barrier check", "url": "https://issues.chromium.org/issues/400584607", "status": "Accepted", "severity": "S4-Minimal", "component": "Blink>JavaScript>GarbageCollection", "bounty_amount": 10000.0, "created_date": "2025-03-04T08:31:21+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/400584607", "has_markdown": true }, { "id": "400052777", "title": "Signal SIGTRAP in v8", "url": "https://issues.chromium.org/issues/400052777", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Compiler>Turbofan", "bounty_amount": 55000.0, "created_date": "2025-03-02T06:55:34+00:00", "year": 2025, "attachment_count": 5, "local_path": "issues/400052777", "has_markdown": true }, { "id": "400086889", "title": "Arbitrary Wasm type confusion due to transient canonical index overflow", "url": "https://issues.chromium.org/issues/400086889", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 62000.0, "created_date": "2025-03-02T00:39:37+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/400086889", "has_markdown": true }, { "id": "399995424", "title": "UAF in net::HttpStreamPool::Group::ProcessPendingRequest", "url": "https://issues.chromium.org/issues/399995424", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Network", "bounty_amount": 10000.0, "created_date": "2025-03-02T00:18:09+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/399995424", "has_markdown": true }, { "id": "398999390", "title": "OOB read in JsonStringifier::SerializeString", "url": "https://issues.chromium.org/issues/398999390", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Runtime", "bounty_amount": 2000.0, "created_date": "2025-02-25T09:25:59+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/398999390", "has_markdown": true }, { "id": "398773898", "title": "V8 Sandbox Bypass: OOB write in JsonStringifier::TrySerializeSimplePropertyKey", "url": "https://issues.chromium.org/issues/398773898", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 5000.0, "created_date": "2025-02-24T12:48:12+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/398773898", "has_markdown": true }, { "id": "398431403", "title": "Security: Fatal error in src/compiler/turbofan-typer.cc, line 451", "url": "https://issues.chromium.org/issues/398431403", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Compiler", "bounty_amount": 7000.0, "created_date": "2025-02-24T00:10:16+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/398431403", "has_markdown": true }, { "id": "398065918", "title": "V8 Maglev improper folded allocation handling (leading to memory safety issues)", "url": "https://issues.chromium.org/issues/398065918", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Maglev", "bounty_amount": 7000.0, "created_date": "2025-02-21T10:02:32+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/398065918", "has_markdown": true }, { "id": "397878997", "title": "Video Document In Document spoof login box", "url": "https://issues.chromium.org/issues/397878997", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Media>PictureInPicture", "bounty_amount": 3000.0, "created_date": "2025-02-20T10:38:40+00:00", "year": 2025, "attachment_count": 8, "local_path": "issues/397878997", "has_markdown": true }, { "id": "397720949", "title": "Some Float16Array Built-ins Fail to Account for Side Effects Causing Array OOB Access", "url": "https://issues.chromium.org/issues/397720949", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Runtime", "bounty_amount": 11000.0, "created_date": "2025-02-20T07:04:41+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/397720949", "has_markdown": true }, { "id": "397731718", "title": "Debug check failed: index < length_ (2200 vs. 2200).", "url": "https://issues.chromium.org/issues/397731718", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript, Blink>JavaScript>Runtime", "bounty_amount": 7000.0, "created_date": "2025-02-20T01:41:10+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/397731718", "has_markdown": true }, { "id": "397601495", "title": "AddressSanitizer: heap-use-after-free in cc::LayerTreeHost::RemoveSurfaceRange", "url": "https://issues.chromium.org/issues/397601495", "status": "New", "severity": "S3-Low", "component": "Internals>Services>Viz", "bounty_amount": 26000.0, "created_date": "2025-02-19T10:47:51+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/397601495", "has_markdown": true }, { "id": "396446145", "title": "V8 Sandbox Bypass: OOB write in JsonParser::DecodeString (double fetch)", "url": "https://issues.chromium.org/issues/396446145", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 5000.0, "created_date": "2025-02-14T09:27:04+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/396446145", "has_markdown": true }, { "id": "395895382", "title": "V8 Sandbox Bypass: AAW via array length corruption in Turbofan spread call inlining", "url": "https://issues.chromium.org/issues/395895382", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Turbofan, Blink>JavaScript>Sandbox", "bounty_amount": 20000.0, "created_date": "2025-02-12T08:48:29+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/395895382", "has_markdown": true }, { "id": "395659804", "title": "V8 Sandbox Bypass: Arbitrary code execution via OSR DeoptimizationData confusion", "url": "https://issues.chromium.org/issues/395659804", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 20000.0, "created_date": "2025-02-11T03:40:48+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/395659804", "has_markdown": true }, { "id": "395544225", "title": "custom tab doesnt show main domain in samsung s24 ultra ", "url": "https://issues.chromium.org/issues/395544225", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Mobile>CustomTabs", "bounty_amount": 3000.0, "created_date": "2025-02-10T17:32:00+00:00", "year": 2025, "attachment_count": 5, "local_path": "issues/395544225", "has_markdown": true }, { "id": "395032416", "title": "heap-use-after-free in blink::LegacyDOMSnapshotAgent::VisitNode", "url": "https://issues.chromium.org/issues/395032416", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools", "bounty_amount": 3000.0, "created_date": "2025-02-10T09:05:47+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/395032416", "has_markdown": true }, { "id": "395406957", "title": "Security UI Bypass - Response Injection in Chrome Devtools AI Assistance - links are not sanitized", "url": "https://issues.chromium.org/issues/395406957", "status": "Accepted", "severity": "S3-Low", "component": "Platform>DevTools", "bounty_amount": 1000.0, "created_date": "2025-02-09T12:48:14+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/395406957", "has_markdown": true }, { "id": "395029283", "title": "V8 sandbox violation in v8::base::GenerateCountedDigits", "url": "https://issues.chromium.org/issues/395029283", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 5000.0, "created_date": "2025-02-07T16:10:36+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/395029283", "has_markdown": true }, { "id": "394635429", "title": "V8 Sandbox Bypass: AAW & Control flow hijack via RegExp pattern parse TOCTOU to RegExpCapture OOB", "url": "https://issues.chromium.org/issues/394635429", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Regexp, Blink>JavaScript>Sandbox", "bounty_amount": 20000.0, "created_date": "2025-02-06T10:18:44+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/394635429", "has_markdown": true }, { "id": "394350433", "title": "Heap memory corruption due to overly large parameter count in WasmToJSWrapper tier-up", "url": "https://issues.chromium.org/issues/394350433", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 11000.0, "created_date": "2025-02-04T20:35:41+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/394350433", "has_markdown": true }, { "id": "393989622", "title": "V8 sandbox violation in icu_74::UnicodeString::doAppend", "url": "https://issues.chromium.org/issues/393989622", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Internationalization, Blink>JavaScript>Runtime", "bounty_amount": 5000.0, "created_date": "2025-02-03T11:28:45+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/393989622", "has_markdown": true }, { "id": "392818696", "title": "Bypass :// Characters in Download Security UI lead to Origin Spoofing", "url": "https://issues.chromium.org/issues/392818696", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Downloads", "bounty_amount": 500.0, "created_date": "2025-01-28T17:53:11+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/392818696", "has_markdown": true }, { "id": "392521083", "title": "Incorrect WriteBarrier Optimization in ObjectAssign FastPath Leads to Exploitable UAF Vulnerability", "url": "https://issues.chromium.org/issues/392521083", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Runtime", "bounty_amount": 50000.0, "created_date": "2025-01-27T18:02:12+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/392521083", "has_markdown": true }, { "id": "392541992", "title": "V8 Sandbox Bypass: UAF in ValueSerializer::WriteRawBytes", "url": "https://issues.chromium.org/issues/392541992", "status": "Verified", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 5000.0, "created_date": "2025-01-27T13:57:19+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/392541992", "has_markdown": true }, { "id": "392375329", "title": "clickjacking (enterjacking) download notification when a pip window closes", "url": "https://issues.chromium.org/issues/392375329", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Downloads", "bounty_amount": 1000.0, "created_date": "2025-01-27T02:10:36+00:00", "year": 2025, "attachment_count": 9, "local_path": "issues/392375329", "has_markdown": true }, { "id": "392375312", "title": "Information Leak via Out-of-Bounds Read in media::AudioBuffer", "url": "https://issues.chromium.org/issues/392375312", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Media", "bounty_amount": 2000.0, "created_date": "2025-01-26T13:50:07+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/392375312", "has_markdown": true }, { "id": "391907159", "title": "WasmCode \"resurrection\" using the WasmImportWrapperCache can lead to JIT allocation UaF, causing memory corruption", "url": "https://issues.chromium.org/issues/391907159", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 55000.0, "created_date": "2025-01-24T07:52:57+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/391907159", "has_markdown": true }, { "id": "391788835", "title": "googlelogoligature ligature can disguise security-sensitive surfaces", "url": "https://issues.chromium.org/issues/391788835", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>LookalikeChecks", "bounty_amount": 15000.0, "created_date": "2025-01-23T17:43:03+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/391788835", "has_markdown": true }, { "id": "391666328", "title": "heap-use-after-free in content::RenderFrameHostImpl::ProcessBeforeUnloadCompleted in browser process", "url": "https://issues.chromium.org/issues/391666328", "status": "Assigned", "severity": "S3-Low", "component": "Blink>DefaultNavigationTransitions, UI>Browser>Navigation", "bounty_amount": 5000.0, "created_date": "2025-01-23T01:25:10+00:00", "year": 2025, "attachment_count": 5, "local_path": "issues/391666328", "has_markdown": true }, { "id": "391284742", "title": "libGLES_mali UAF via WebGPU shaders at llvm::PatternMatch::undef_match::check", "url": "https://issues.chromium.org/issues/391284742", "status": "New", "severity": "S3-Low", "component": "Dawn>Tint", "bounty_amount": 5000.0, "created_date": "2025-01-21T16:02:55+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/391284742", "has_markdown": true }, { "id": "391169061", "title": "V8 Sandbox Bypass: AAW (wildcopy) due to %TypedArray%.prototype.set bounds check integer overflow", "url": "https://issues.chromium.org/issues/391169061", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 20000.0, "created_date": "2025-01-20T21:05:20+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/391169061", "has_markdown": true }, { "id": "391114799", "title": "Extensions without file URL access can open UNC paths through chrome.debugger", "url": "https://issues.chromium.org/issues/391114799", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 4000.0, "created_date": "2025-01-20T16:23:33+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/391114799", "has_markdown": true }, { "id": "390993097", "title": "V8 Sandbox Bypass: Potential memory corruption due to BytecodeGenerator asyncness inconsistency", "url": "https://issues.chromium.org/issues/390993097", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 5000.0, "created_date": "2025-01-20T05:29:13+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/390993097", "has_markdown": true }, { "id": "391018461", "title": "use-after-poison in AtomicWriteMemcpyImpl", "url": "https://issues.chromium.org/issues/391018461", "status": "Assigned", "severity": "S3-Low", "component": "Blink>GarbageCollection", "bounty_amount": 7000.0, "created_date": "2025-01-20T03:16:10+00:00", "year": 2025, "attachment_count": 4, "local_path": "issues/391018461", "has_markdown": true }, { "id": "390889644", "title": "AddressSanitizer: heap-use-after-free sk_careful_memcpy ", "url": "https://issues.chromium.org/issues/390889644", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Fonts", "bounty_amount": 7000.0, "created_date": "2025-01-19T17:10:35+00:00", "year": 2025, "attachment_count": 6, "local_path": "issues/390889644", "has_markdown": true }, { "id": "390743124", "title": "SIGSEGV in v8 regexp", "url": "https://issues.chromium.org/issues/390743124", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Turbofan, Blink>JavaScript>Sandbox", "bounty_amount": 7000.0, "created_date": "2025-01-18T14:37:08+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/390743124", "has_markdown": true }, { "id": "390633126", "title": "UAP due to largearray and removechild()", "url": "https://issues.chromium.org/issues/390633126", "status": "Assigned", "severity": "S3-Low", "component": "Blink>CSS, Blink>GarbageCollection", "bounty_amount": 2000.0, "created_date": "2025-01-18T04:25:12+00:00", "year": 2025, "attachment_count": 14, "local_path": "issues/390633126", "has_markdown": true }, { "id": "390639820", "title": "V8 Sandbox Bypass: Control flow hijack via Torque function type corruption", "url": "https://issues.chromium.org/issues/390639820", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 20000.0, "created_date": "2025-01-18T04:17:59+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/390639820", "has_markdown": true }, { "id": "390571618", "title": "Misuse of Permission Dialog Dismiss to Deceive Users About Fullscreen Status", "url": "https://issues.chromium.org/issues/390571618", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>FullScreen", "bounty_amount": 3000.0, "created_date": "2025-01-18T03:37:50+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/390571618", "has_markdown": true }, { "id": "390590778", "title": "Heap use-after-free in DirectSocket API", "url": "https://issues.chromium.org/issues/390590778", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>WebAppInstalls>Isolated", "bounty_amount": 4000.0, "created_date": "2025-01-18T02:25:04+00:00", "year": 2025, "attachment_count": 6, "local_path": "issues/390590778", "has_markdown": true }, { "id": "390453039", "title": "V8 Sandbox Bypass: UB in WebAssemblyMemoryGrow because AddressType is constructed from on-heap data", "url": "https://issues.chromium.org/issues/390453039", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 5000.0, "created_date": "2025-01-17T12:13:30+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/390453039", "has_markdown": true }, { "id": "390568183", "title": "V8 Sandbox Bypass: UB in MessageHandler::GetMessage because of invalid MessageTemplate variant", "url": "https://issues.chromium.org/issues/390568183", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 5000.0, "created_date": "2025-01-17T11:56:22+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/390568183", "has_markdown": true }, { "id": "390459306", "title": " heap-use-after-free in PrintDialogGtk::~PrintDialogGtk()", "url": "https://issues.chromium.org/issues/390459306", "status": "Verified", "severity": "S3-Low", "component": "Internals>Printing", "bounty_amount": 1000.0, "created_date": "2025-01-17T00:02:18+00:00", "year": 2025, "attachment_count": 5, "local_path": "issues/390459306", "has_markdown": true }, { "id": "390201806", "title": "V8 Sandbox Bypass: AAR/W due to length-tracking TypedArray length double fetch", "url": "https://issues.chromium.org/issues/390201806", "status": "Accepted", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 20000.0, "created_date": "2025-01-16T05:36:24+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/390201806", "has_markdown": true }, { "id": "389970331", "title": "V8 Sandbox Bypass: StringToBigIntHelper stack-buffer-overflow", "url": "https://issues.chromium.org/issues/389970331", "status": "Verified", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 5000.0, "created_date": "2025-01-15T13:02:59+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/389970331", "has_markdown": true }, { "id": "389713719", "title": "V8 Sandbox Bypass: MemoryChunk metadata_pointer_table OOB write", "url": "https://issues.chromium.org/issues/389713719", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript, Blink>JavaScript>Sandbox", "bounty_amount": 5000.0, "created_date": "2025-01-14T12:48:13+00:00", "year": 2025, "attachment_count": 0, "local_path": "issues/389713719", "has_markdown": true }, { "id": "388680893", "title": "the autofill prompt obscured by permission prompt lead to spoof", "url": "https://issues.chromium.org/issues/388680893", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Permissions>PermissionElement", "bounty_amount": 500.0, "created_date": "2025-01-09T08:15:20+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/388680893", "has_markdown": true }, { "id": "388557904", "title": " access-violation on unknown address 0x7ffde90a6f3c in chrome_pdf::`anonymous namespace'::GetRotatedRectF ", "url": "https://issues.chromium.org/issues/388557904", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>Plugins>PDF", "bounty_amount": 2000.0, "created_date": "2025-01-09T03:14:28+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/388557904", "has_markdown": true }, { "id": "388437270", "title": "V8 Sandbox Bypass: OOB write in JsonStringifier::SerializeString", "url": "https://issues.chromium.org/issues/388437270", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 5000.0, "created_date": "2025-01-08T14:33:05+00:00", "year": 2025, "attachment_count": 2, "local_path": "issues/388437270", "has_markdown": true }, { "id": "388400226", "title": "UAF in chrome::CloseAllBrowsers() with popin", "url": "https://issues.chromium.org/issues/388400226", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Storage", "bounty_amount": 1000.0, "created_date": "2025-01-08T10:58:15+00:00", "year": 2025, "attachment_count": 5, "local_path": "issues/388400226", "has_markdown": true }, { "id": "388290793", "title": "WebAssembly out-of-bounds memory access due to broken memory64 guard page assumptions", "url": "https://issues.chromium.org/issues/388290793", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 55000.0, "created_date": "2025-01-07T19:51:22+00:00", "year": 2025, "attachment_count": 3, "local_path": "issues/388290793", "has_markdown": true }, { "id": "387583503", "title": "devicechange event leaks for macbook's internal camera in sandboxed documents.", "url": "https://issues.chromium.org/issues/387583503", "status": "Assigned", "severity": "S3-Low", "component": "Blink>MediaStream", "bounty_amount": 1000.0, "created_date": "2025-01-04T09:00:12+00:00", "year": 2025, "attachment_count": 1, "local_path": "issues/387583503", "has_markdown": true }, { "id": "385355879", "title": "Use after free in AddressSignInPromoView.", "url": "https://issues.chromium.org/issues/385355879", "status": "Verified", "severity": "S3-Low", "component": "UI>Browser>Autofill>AddressesAndMore", "bounty_amount": 2000.0, "created_date": "2025-01-01T18:58:01+00:00", "year": 2025, "attachment_count": 5, "local_path": "issues/385355879", "has_markdown": true }, { "id": "386992811", "title": "Security: heap-use-after-free in cc::TileManager::MarkTilesOutOfMemory", "url": "https://issues.chromium.org/issues/386992811", "status": "Accepted", "severity": "S4-Minimal", "component": "Internals>Compositing", "bounty_amount": 11000.0, "created_date": "2025-01-01T11:41:22+00:00", "year": 2025, "attachment_count": 6, "local_path": "issues/386992811", "has_markdown": true }, { "id": "386565139", "title": "V8 Sandbox Bypass: Interger Overflow in TypedArraySet leading to out-of-sandbox write", "url": "https://issues.chromium.org/issues/386565139", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Runtime", "bounty_amount": 5000.0, "created_date": "2024-12-29T14:29:27+00:00", "year": 2024, "attachment_count": 2, "local_path": "issues/386565139", "has_markdown": true }, { "id": "386565127", "title": "GPU process crash via WebGPU compute shader (Linux)", "url": "https://issues.chromium.org/issues/386565127", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGPU", "bounty_amount": 15000.0, "created_date": "2024-12-29T07:42:30+00:00", "year": 2024, "attachment_count": 6, "local_path": "issues/386565127", "has_markdown": true }, { "id": "385775375", "title": "V8 sandbox violation due to concurrent ArrayBuffer modifications during std::sort", "url": "https://issues.chromium.org/issues/385775375", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Runtime", "bounty_amount": 5000.0, "created_date": "2024-12-24T11:12:37+00:00", "year": 2024, "attachment_count": 1, "local_path": "issues/385775375", "has_markdown": true }, { "id": "384531062", "title": "GPU process crash via WebGPU shader - heap-buffer-overflow in Mesa brw_fs_opt_register_coalesce", "url": "https://issues.chromium.org/issues/384531062", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGPU", "bounty_amount": 10000.0, "created_date": "2024-12-17T13:44:48+00:00", "year": 2024, "attachment_count": 3, "local_path": "issues/384531062", "has_markdown": true }, { "id": "384068255", "title": "The extension popup can appear over the PWA install prompt", "url": "https://issues.chromium.org/issues/384068255", "status": "Accepted", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 500.0, "created_date": "2024-12-15T02:10:50+00:00", "year": 2024, "attachment_count": 5, "local_path": "issues/384068255", "has_markdown": true }, { "id": "384050903", "title": "Save As file dialog steal focus behind the PictureinPictureAPI save malicious file at arbitrary path", "url": "https://issues.chromium.org/issues/384050903", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Media>PictureInPicture", "bounty_amount": 1000.0, "created_date": "2024-12-14T10:57:17+00:00", "year": 2024, "attachment_count": 2, "local_path": "issues/384050903", "has_markdown": true }, { "id": "383465163", "title": "Android Chrome: Heap overflow in GLES2DecoderPassthroughImpl::DoEndQueryEXT", "url": "https://issues.chromium.org/issues/383465163", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU", "bounty_amount": 10000.0, "created_date": "2024-12-11T10:49:22+00:00", "year": 2024, "attachment_count": 1, "local_path": "issues/383465163", "has_markdown": true }, { "id": "382540635", "title": "Extension popup can appear over WebUSB permission prompt", "url": "https://issues.chromium.org/issues/382540635", "status": "Accepted", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 1000.0, "created_date": "2024-12-06T01:53:58+00:00", "year": 2024, "attachment_count": 5, "local_path": "issues/382540635", "has_markdown": true }, { "id": "382190924", "title": "Extension popup can render over PWA Install Prompt", "url": "https://issues.chromium.org/issues/382190924", "status": "Accepted", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 500.0, "created_date": "2024-12-04T18:39:06+00:00", "year": 2024, "attachment_count": 4, "local_path": "issues/382190924", "has_markdown": true }, { "id": "382190919", "title": "Array out-of-bounds access vulnerability in the maglev phi untagging optimization.", "url": "https://issues.chromium.org/issues/382190919", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript, Blink>JavaScript>Compiler>Maglev", "bounty_amount": 20000.0, "created_date": "2024-12-04T16:22:19+00:00", "year": 2024, "attachment_count": 0, "local_path": "issues/382190919", "has_markdown": true }, { "id": "380397544", "title": "Arbitrary WASM type confusion due to improper fix of b/379009132", "url": "https://issues.chromium.org/issues/380397544", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 55000.0, "created_date": "2024-11-23T00:56:29+00:00", "year": 2024, "attachment_count": 2, "local_path": "issues/380397544", "has_markdown": true }, { "id": "379818904", "title": "iOS QR code spoof: embedded backslashes", "url": "https://issues.chromium.org/issues/379818904", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Mobile", "bounty_amount": 1000.0, "created_date": "2024-11-19T18:24:37+00:00", "year": 2024, "attachment_count": 2, "local_path": "issues/379818904", "has_markdown": true }, { "id": "379652406", "title": "Security: Android address bar hidden after slow navigation finishes, if slow nav is initiated on page load", "url": "https://issues.chromium.org/issues/379652406", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Navigation", "bounty_amount": 7000.0, "created_date": "2024-11-18T23:16:41+00:00", "year": 2024, "attachment_count": 10, "local_path": "issues/379652406", "has_markdown": true }, { "id": "379551588", "title": "libGLES_mali memory safety violation via WebGPU shaders at llvm::Value::setNameImpl", "url": "https://issues.chromium.org/issues/379551588", "status": "Assigned", "severity": "S3-Low", "component": "Dawn>Tint", "bounty_amount": 35000.0, "created_date": "2024-11-18T17:02:57+00:00", "year": 2024, "attachment_count": 6, "local_path": "issues/379551588", "has_markdown": true }, { "id": "379516109", "title": "AddressSanitizer:heap-use-after-free on LanguageDetectionModel::NotifyModelLoaded\n", "url": "https://issues.chromium.org/issues/379516109", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Language>Translate", "bounty_amount": 50000.0, "created_date": "2024-11-18T01:42:42+00:00", "year": 2024, "attachment_count": 8, "local_path": "issues/379516109", "has_markdown": true }, { "id": "379337758", "title": "Service workers allowing redirects to data: URLs.", "url": "https://issues.chromium.org/issues/379337758", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 4000.0, "created_date": "2024-11-16T04:56:00+00:00", "year": 2024, "attachment_count": 0, "local_path": "issues/379337758", "has_markdown": true }, { "id": "379241460", "title": "the permission prompt is not in the correct position lead to spoofing", "url": "https://issues.chromium.org/issues/379241460", "status": "Accepted", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 500.0, "created_date": "2024-11-15T15:10:46+00:00", "year": 2024, "attachment_count": 18, "local_path": "issues/379241460", "has_markdown": true }, { "id": "379009132", "title": "Potential type confusion in wasm and js interaction", "url": "https://issues.chromium.org/issues/379009132", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Runtime, Blink>JavaScript>WebAssembly", "bounty_amount": 8000.0, "created_date": "2024-11-14T12:03:20+00:00", "year": 2024, "attachment_count": 3, "local_path": "issues/379009132", "has_markdown": true }, { "id": "377321465", "title": "GPU process crash via WebGPU shader - unknown-crash at fs_nir_emit_alu in brw_fs_nir.cpp", "url": "https://issues.chromium.org/issues/377321465", "status": "Accepted", "severity": "S3-Low", "component": "Dawn>Tint", "bounty_amount": 10000.0, "created_date": "2024-11-04T20:23:52+00:00", "year": 2024, "attachment_count": 1, "local_path": "issues/377321465", "has_markdown": true }, { "id": "376625003", "title": "Local file access restrictions in chrome.devtools can be bypassed through prototype manipulation.", "url": "https://issues.chromium.org/issues/376625003", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools>Extensions", "bounty_amount": 1000.0, "created_date": "2024-10-31T17:04:51+00:00", "year": 2024, "attachment_count": 4, "local_path": "issues/376625003", "has_markdown": true }, { "id": "376493203", "title": "ProfilePickerHandler UAF via UI", "url": "https://issues.chromium.org/issues/376493203", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Profiles", "bounty_amount": 3000.0, "created_date": "2024-10-31T09:48:28+00:00", "year": 2024, "attachment_count": 3, "local_path": "issues/376493203", "has_markdown": true }, { "id": "376491759", "title": "Tapjacking on Custom Tabs using animations", "url": "https://issues.chromium.org/issues/376491759", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Mobile", "bounty_amount": 10000.0, "created_date": "2024-10-31T09:11:02+00:00", "year": 2024, "attachment_count": 2, "local_path": "issues/376491759", "has_markdown": true }, { "id": "375123371", "title": "WebGPU: Out-of-bounds GPU buffer access caused by @align", "url": "https://issues.chromium.org/issues/375123371", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGPU", "bounty_amount": 35000.0, "created_date": "2024-10-23T19:07:49+00:00", "year": 2024, "attachment_count": 1, "local_path": "issues/375123371", "has_markdown": true }, { "id": "373794472", "title": "User can still unknowingly allow Permission Prompt Hidden behind PiP during Interaction", "url": "https://issues.chromium.org/issues/373794472", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Permissions", "bounty_amount": 500.0, "created_date": "2024-10-16T14:30:26+00:00", "year": 2024, "attachment_count": 4, "local_path": "issues/373794472", "has_markdown": true }, { "id": "373746918", "title": "Android fullscreen notification is not shown when Chrome is in split-screen", "url": "https://issues.chromium.org/issues/373746918", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Fullscreen", "bounty_amount": 1000.0, "created_date": "2024-10-16T13:24:27+00:00", "year": 2024, "attachment_count": 2, "local_path": "issues/373746918", "has_markdown": true }, { "id": "371011220", "title": "Chrome Extension context isolation bypass.", "url": "https://issues.chromium.org/issues/371011220", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 10000.0, "created_date": "2024-10-02T19:32:32+00:00", "year": 2024, "attachment_count": 9, "local_path": "issues/371011220", "has_markdown": true }, { "id": "370856871", "title": "Compromised renderer can control your mouse and escape sbx", "url": "https://issues.chromium.org/issues/370856871", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Views", "bounty_amount": 50000.0, "created_date": "2024-10-02T16:35:03+00:00", "year": 2024, "attachment_count": 15, "local_path": "issues/370856871", "has_markdown": true }, { "id": "368241697", "title": "Type confusion due to improper WASM module size check in `AsyncStreamingDecoder`", "url": "https://issues.chromium.org/issues/368241697", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 55000.0, "created_date": "2024-09-20T06:09:23+00:00", "year": 2024, "attachment_count": 4, "local_path": "issues/368241697", "has_markdown": true }, { "id": "367771116", "title": "Extension popup can render over downloaded file prompts", "url": "https://issues.chromium.org/issues/367771116", "status": "Accepted", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 1000.0, "created_date": "2024-09-18T07:40:09+00:00", "year": 2024, "attachment_count": 11, "local_path": "issues/367771116", "has_markdown": true }, { "id": "367475557", "title": "race condition on pip window lead to spoof address bar", "url": "https://issues.chromium.org/issues/367475557", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Media>PictureInPicture", "bounty_amount": 500.0, "created_date": "2024-09-17T13:58:11+00:00", "year": 2024, "attachment_count": 4, "local_path": "issues/367475557", "has_markdown": true }, { "id": "366056651", "title": "Unintended File Upload via `webkitdirectory` triggered by Keyboard interactions on macOS Chrome", "url": "https://issues.chromium.org/issues/366056651", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Forms>File>Directory", "bounty_amount": 1000.0, "created_date": "2024-09-12T11:04:35+00:00", "year": 2024, "attachment_count": 5, "local_path": "issues/366056651", "has_markdown": true }, { "id": "365254285", "title": "GPU process crash via WebGPU shader - UAF in ScalarizePreciseVectorAlloca at DxilConditionalMem2Reg.cpp:275", "url": "https://issues.chromium.org/issues/365254285", "status": "Assigned", "severity": "S3-Low", "component": "Dawn>Tint", "bounty_amount": 10000.0, "created_date": "2024-09-08T14:24:13+00:00", "year": 2024, "attachment_count": 3, "local_path": "issues/365254285", "has_markdown": true }, { "id": "364508693", "title": "User can unknowingly Permission Prompt Hidden behind PiP during Interaction", "url": "https://issues.chromium.org/issues/364508693", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Permissions, UI>Browser>Permissions>Prompts", "bounty_amount": 1000.0, "created_date": "2024-09-04T18:08:19+00:00", "year": 2024, "attachment_count": 3, "local_path": "issues/364508693", "has_markdown": true }, { "id": "364119468", "title": "Clickjacking on permission prompt using PIP", "url": "https://issues.chromium.org/issues/364119468", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Media>PictureInPicture, UI>Browser>Permissions, UI>Browser>Permissions>Prompts", "bounty_amount": 1000.0, "created_date": "2024-09-03T10:51:51+00:00", "year": 2024, "attachment_count": 8, "local_path": "issues/364119468", "has_markdown": true }, { "id": "363930141", "title": "User can unknowingly Execute External File Hidden behind PiP during Interaction", "url": "https://issues.chromium.org/issues/363930141", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Media>PictureInPicture", "bounty_amount": 1000.0, "created_date": "2024-09-02T10:14:17+00:00", "year": 2024, "attachment_count": 3, "local_path": "issues/363930141", "has_markdown": true }, { "id": "361862752", "title": "V8 Sandbox Bypass: compiled JS-to-WASM wrappers don't guard against `trusted_function_data` overwrites", "url": "https://issues.chromium.org/issues/361862752", "status": "Fixed", "severity": "S4-Minimal", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 5000.0, "created_date": "2024-08-25T01:37:56+00:00", "year": 2024, "attachment_count": 2, "local_path": "issues/361862752", "has_markdown": true }, { "id": "361611809", "title": "[Security] Tapjacking on payment request dialog using window alert", "url": "https://issues.chromium.org/issues/361611809", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Payments", "bounty_amount": 1000.0, "created_date": "2024-08-23T09:23:59+00:00", "year": 2024, "attachment_count": 6, "local_path": "issues/361611809", "has_markdown": true }, { "id": "361369296", "title": "OOB in JSC::StackVisitor::readFrame in webkit/chrome ios", "url": "https://issues.chromium.org/issues/361369296", "status": "Accepted", "severity": "S3-Low", "component": "Mobile>iOSWeb", "bounty_amount": 7000.0, "created_date": "2024-08-22T02:51:34+00:00", "year": 2024, "attachment_count": 3, "local_path": "issues/361369296", "has_markdown": true }, { "id": "361116749", "title": "CSP doesn't block sourceMappingURL", "url": "https://issues.chromium.org/issues/361116749", "status": "Accepted", "severity": "S3-Low", "component": "Platform>DevTools>Sources", "bounty_amount": 1000.0, "created_date": "2024-08-20T19:06:16+00:00", "year": 2024, "attachment_count": 0, "local_path": "issues/361116749", "has_markdown": true }, { "id": "360520332", "title": "Google Chrome on iOS sad tabs with the following testcase.", "url": "https://issues.chromium.org/issues/360520332", "status": "Accepted", "severity": "S3-Low", "component": "Mobile>iOSWeb>Security", "bounty_amount": 5000.0, "created_date": "2024-08-18T20:05:43+00:00", "year": 2024, "attachment_count": 1, "local_path": "issues/360520332", "has_markdown": true }, { "id": "359909532", "title": "GPU process crash via WebGPU shader (Linux): OOB in mark_src_live mesa/src/compiler/nir/nir_opt_dce.c:39:9", "url": "https://issues.chromium.org/issues/359909532", "status": "Verified", "severity": "S3-Low", "component": "Blink>WebGPU", "bounty_amount": 10000.0, "created_date": "2024-08-15T08:45:37+00:00", "year": 2024, "attachment_count": 3, "local_path": "issues/359909532", "has_markdown": true }, { "id": "357484640", "title": " GPU process crash via WebGL2 shader - dynamic-stack-buffer-overflow in hash_phi", "url": "https://issues.chromium.org/issues/357484640", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGL, Blink>WebGPU", "bounty_amount": 10000.0, "created_date": "2024-08-05T11:36:07+00:00", "year": 2024, "attachment_count": 2, "local_path": "issues/357484640", "has_markdown": true }, { "id": "356658477", "title": "Android Chrome External Navigation Bubble Tapjacking", "url": "https://issues.chromium.org/issues/356658477", "status": "Assigned", "severity": "S3-Low", "component": "Mobile>Intents", "bounty_amount": 1000.0, "created_date": "2024-07-31T19:04:14+00:00", "year": 2024, "attachment_count": 2, "local_path": "issues/356658477", "has_markdown": true }, { "id": "356328460", "title": "\nChromium arbitrary file create/write and execute vulnerability", "url": "https://issues.chromium.org/issues/356328460", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Installer", "bounty_amount": 2000.0, "created_date": "2024-07-30T13:49:25+00:00", "year": 2024, "attachment_count": 2, "local_path": "issues/356328460", "has_markdown": true }, { "id": "354748063", "title": "heap-use-after-free dawn\\src\\dawn\\native\\Device.cpp:285 in dawn::native::DeviceBase::DeviceLostEvent::Complete", "url": "https://issues.chromium.org/issues/354748063", "status": "Assigned", "severity": "S3-Low", "component": "Dawn>Native", "bounty_amount": 2000.0, "created_date": "2024-07-23T03:39:01+00:00", "year": 2024, "attachment_count": 1, "local_path": "issues/354748063", "has_markdown": true }, { "id": "354748060", "title": "Security: Internal Compiler Error(OpTypeFunction may not take more than 255 arguments. OpTypeFunction '267[%267]' has 256 arguments) in tint::spirv::writer::IRFuzzer", "url": "https://issues.chromium.org/issues/354748060", "status": "Assigned", "severity": "S3-Low", "component": "Dawn>Tint", "bounty_amount": 10000.0, "created_date": "2024-07-23T02:43:34+00:00", "year": 2024, "attachment_count": 2, "local_path": "issues/354748060", "has_markdown": true }, { "id": "354627692", "title": "Security: Internal Compiler Error(The continue construct with the continue target '16[%16]' is not structurally post dominated by the back-edge block '38[%38]') in tint::spirv::writer::IRFuzzer", "url": "https://issues.chromium.org/issues/354627692", "status": "Assigned", "severity": "S3-Low", "component": "Dawn>Tint", "bounty_amount": 1000.0, "created_date": "2024-07-22T10:34:04+00:00", "year": 2024, "attachment_count": 2, "local_path": "issues/354627692", "has_markdown": true }, { "id": "353244363", "title": "File Might Be Harmful Warning Missing for HTTP-Only Sites on Android", "url": "https://issues.chromium.org/issues/353244363", "status": "Accepted", "severity": "S3-Low", "component": "Services (Use Subcomponents)>Safebrowsing, UI>Browser>Downloads", "bounty_amount": 500.0, "created_date": "2024-07-15T17:02:22+00:00", "year": 2024, "attachment_count": 4, "local_path": "issues/353244363", "has_markdown": true }, { "id": "353034820", "title": "TINT_ASSERT(to != nullptr) in src/tint/lang/wgsl/resolver/uniformity.cc:157", "url": "https://issues.chromium.org/issues/353034820", "status": "Assigned", "severity": "S3-Low", "component": "Dawn, Dawn>Tint", "bounty_amount": 10000.0, "created_date": "2024-07-15T00:59:53+00:00", "year": 2024, "attachment_count": 1, "local_path": "issues/353034820", "has_markdown": true }, { "id": "352690885", "title": "Fatal error in Bytecode mismatch at offset 8 in interpreter.cc", "url": "https://issues.chromium.org/issues/352690885", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript, Blink>JavaScript>GarbageCollection, Blink>JavaScript>Parser, Blink>JavaScript>Runtime", "bounty_amount": 8000.0, "created_date": "2024-07-12T13:40:18+00:00", "year": 2024, "attachment_count": 6, "local_path": "issues/352690885", "has_markdown": true }, { "id": "352681108", "title": "Incorrect security UI of files' download source at chrome://downloads", "url": "https://issues.chromium.org/issues/352681108", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Downloads", "bounty_amount": 2000.0, "created_date": "2024-07-12T08:23:29+00:00", "year": 2024, "attachment_count": 6, "local_path": "issues/352681108", "has_markdown": true }, { "id": "352610611", "title": "UAF in dawn::wire::client::Device::HandleError", "url": "https://issues.chromium.org/issues/352610611", "status": "Assigned", "severity": "S3-Low", "component": "Dawn, Dawn>Wire", "bounty_amount": 8000.0, "created_date": "2024-07-12T05:54:56+00:00", "year": 2024, "attachment_count": 3, "local_path": "issues/352610611", "has_markdown": true }, { "id": "352516283", "title": "Android Chrome Incognito Mode Leaving Alert Dialog Box Origin Confusion", "url": "https://issues.chromium.org/issues/352516283", "status": "Accepted", "severity": "S3-Low", "component": "Mobile>Intents, UI>Browser>Navigation", "bounty_amount": 2000.0, "created_date": "2024-07-11T19:16:17+00:00", "year": 2024, "attachment_count": 3, "local_path": "issues/352516283", "has_markdown": true }, { "id": "351865302", "title": "Fatal error in ../../src/compiler/simplified-lowering.cc, line 568", "url": "https://issues.chromium.org/issues/351865302", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Compiler, Blink>JavaScript>Compiler>Maglev, Blink>JavaScript>Compiler>Turbofan", "bounty_amount": 7000.0, "created_date": "2024-07-09T05:11:06+00:00", "year": 2024, "attachment_count": 1, "local_path": "issues/351865302", "has_markdown": true }, { "id": "351564774", "title": "The PWA's installation dialog isn't being dismissed after redirects, which allows an attacker to sho", "url": "https://issues.chromium.org/issues/351564774", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Mobile>Messages, UI>Browser>WebAppInstalls>Android", "bounty_amount": 500.0, "created_date": "2024-07-07T19:54:12+00:00", "year": 2024, "attachment_count": 7, "local_path": "issues/351564774", "has_markdown": true }, { "id": "349653218", "title": "AddressSanitizer: heap-use-after-free on NetExportMessageHandler::SendEmail", "url": "https://issues.chromium.org/issues/349653218", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>Network>Logging", "bounty_amount": 1000.0, "created_date": "2024-06-27T04:42:51+00:00", "year": 2024, "attachment_count": 2, "local_path": "issues/349653218", "has_markdown": true }, { "id": "349529650", "title": "V8 Sandbox Bypass: AAR/W via function import signature check race", "url": "https://issues.chromium.org/issues/349529650", "status": "Accepted", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 5000.0, "created_date": "2024-06-26T10:32:13+00:00", "year": 2024, "attachment_count": 1, "local_path": "issues/349529650", "has_markdown": true }, { "id": "349342289", "title": "Security: possible heap UaF in ThrottlingURLLoader+HttpsUpgradesInterceptor+MaybeCreateLoaderForResponse", "url": "https://issues.chromium.org/issues/349342289", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Loader>WebPackaging, Internals>Network>SSL>HttpsUpgrades, UI>Browser>Navigation", "bounty_amount": 8000.0, "created_date": "2024-06-25T15:12:53+00:00", "year": 2024, "attachment_count": 1, "local_path": "issues/349342289", "has_markdown": true }, { "id": "348793144", "title": "Abrt in Builtins_CEntry_Return1_ArgvOnStack_NoBuiltinExit", "url": "https://issues.chromium.org/issues/348793144", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Runtime, Blink>JavaScript>WebAssembly", "bounty_amount": 8000.0, "created_date": "2024-06-23T03:07:05+00:00", "year": 2024, "attachment_count": 1, "local_path": "issues/348793144", "has_markdown": true }, { "id": "346618785", "title": "GPU process crash via WebGPU shader - Stack use-after-return at HLMatrixLowerPass.cpp:63", "url": "https://issues.chromium.org/issues/346618785", "status": "Assigned", "severity": "S3-Low", "component": "Dawn>Tint", "bounty_amount": 10000.0, "created_date": "2024-06-12T11:10:17+00:00", "year": 2024, "attachment_count": 5, "local_path": "issues/346618785", "has_markdown": true }, { "id": "345960102", "title": "Turbofan incorrectly optimizes 64 bit bigint shifts.", "url": "https://issues.chromium.org/issues/345960102", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Turbofan", "bounty_amount": 11000.0, "created_date": "2024-06-10T01:18:57+00:00", "year": 2024, "attachment_count": 1, "local_path": "issues/345960102", "has_markdown": true }, { "id": "345993680", "title": "GPU process crash via WebGPU shader - UAF in RecursivelyDeleteTriviallyDeadInstructions at Transforms\\Utils\\Local.cpp:368", "url": "https://issues.chromium.org/issues/345993680", "status": "Assigned", "severity": "S3-Low", "component": "Dawn>Tint, Internals>GPU>Dawn", "bounty_amount": 10000.0, "created_date": "2024-06-09T08:35:07+00:00", "year": 2024, "attachment_count": 4, "local_path": "issues/345993680", "has_markdown": true }, { "id": "345822331", "title": " AddressSanitizer: heap-use-after-free on Dawn", "url": "https://issues.chromium.org/issues/345822331", "status": "Assigned", "severity": "S3-Low", "component": "Dawn>Tint", "bounty_amount": 10000.0, "created_date": "2024-06-08T05:45:41+00:00", "year": 2024, "attachment_count": 3, "local_path": "issues/345822331", "has_markdown": true }, { "id": "345688415", "title": "Android APK Spoof in Chrome Download Menu ", "url": "https://issues.chromium.org/issues/345688415", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Downloads", "bounty_amount": null, "created_date": "2024-06-07T11:44:03+00:00", "year": 2024, "attachment_count": 9, "local_path": "issues/345688415", "has_markdown": true }, { "id": "345352978", "title": "libicu multiple vulnerabilities in lastate chromium", "url": "https://issues.chromium.org/issues/345352978", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Internationalization", "bounty_amount": 500.0, "created_date": "2024-06-06T09:26:30+00:00", "year": 2024, "attachment_count": 0, "local_path": "issues/345352978", "has_markdown": true }, { "id": "344963941", "title": "V8 Sandbox Bypass: Irregexp engine bytecode modification leads to arbitrary read/write outside the sandbox", "url": "https://issues.chromium.org/issues/344963941", "status": "Accepted", "severity": "S4-Minimal", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 5250.0, "created_date": "2024-06-05T00:07:16+00:00", "year": 2024, "attachment_count": 2, "local_path": "issues/344963941", "has_markdown": true }, { "id": "344639860", "title": "GPU process crash via WebGPU shader - UAF in SimplifyCFG at SimplifyCFG.cpp:4743", "url": "https://issues.chromium.org/issues/344639860", "status": "Assigned", "severity": "S3-Low", "component": "Dawn>Tint, Internals>GPU>Dawn", "bounty_amount": 10000.0, "created_date": "2024-06-04T14:47:44+00:00", "year": 2024, "attachment_count": 4, "local_path": "issues/344639860", "has_markdown": true }, { "id": "344343031", "title": "V8 Sandbox Bypass: Code Pointer Table Index Confusion leading to Stack Corruption", "url": "https://issues.chromium.org/issues/344343031", "status": "Verified", "severity": "S3-Low", "component": "Blink>JavaScript>Sandbox", "bounty_amount": 5000.0, "created_date": "2024-06-02T14:24:19+00:00", "year": 2024, "attachment_count": 4, "local_path": "issues/344343031", "has_markdown": true }, { "id": "343938078", "title": "Security: Android address bar URL spoof if page is scrolling and tab is switched", "url": "https://issues.chromium.org/issues/343938078", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 6000.0, "created_date": "2024-06-01T03:56:23+00:00", "year": 2024, "attachment_count": 5, "local_path": "issues/343938078", "has_markdown": true }, { "id": "342840932", "title": "Security: Internal Compiler Error(Duplicate non-aggregate type declarations are not allowed) in tint::spirv::writer::IRFuzzer", "url": "https://issues.chromium.org/issues/342840932", "status": "Assigned", "severity": "S3-Low", "component": "Dawn>Tint", "bounty_amount": 5000.0, "created_date": "2024-05-26T15:17:16+00:00", "year": 2024, "attachment_count": 2, "local_path": "issues/342840932", "has_markdown": true }, { "id": "342545100", "title": " GPU process crash via WebGPU shader - UAF in combineInstructionsOverFunction at InstructionCombining.cpp:3008", "url": "https://issues.chromium.org/issues/342545100", "status": "Assigned", "severity": "S3-Low", "component": "Dawn>Tint", "bounty_amount": 10000.0, "created_date": "2024-05-24T21:19:40+00:00", "year": 2024, "attachment_count": 4, "local_path": "issues/342545100", "has_markdown": true }, { "id": "342579972", "title": "Drag and Drop Can Navigate to File and Chrome URIs Without Restriction", "url": "https://issues.chromium.org/issues/342579972", "status": "Accepted", "severity": "S4-Minimal", "component": "Blink>DataTransfer, UI>Browser>Navigation, UI>Browser>TopChrome>TabStrip", "bounty_amount": 500.0, "created_date": "2024-05-24T17:44:58+00:00", "year": 2024, "attachment_count": 2, "local_path": "issues/342579972", "has_markdown": true }, { "id": "342428008", "title": " GPU process crash via WebGPU shader - UAF in GlobalIsNeeded at GlobalDCE.cpp:244", "url": "https://issues.chromium.org/issues/342428008", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGPU, Dawn>Tint", "bounty_amount": 10000.0, "created_date": "2024-05-23T18:15:24+00:00", "year": 2024, "attachment_count": 4, "local_path": "issues/342428008", "has_markdown": true }, { "id": "340196361", "title": "GPU process crash via WebGPU shader - UAF in GetIfCondition at BasicBlockUtils.cpp:810", "url": "https://issues.chromium.org/issues/340196361", "status": "Assigned", "severity": "S3-Low", "component": "Dawn>Tint", "bounty_amount": 10000.0, "created_date": "2024-05-13T18:51:24+00:00", "year": 2024, "attachment_count": 4, "local_path": "issues/340196361", "has_markdown": true }, { "id": "340221135", "title": "RCE in V8 maglev", "url": "https://issues.chromium.org/issues/340221135", "status": "New", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Maglev", "bounty_amount": 7000.0, "created_date": "2024-05-13T15:08:08+00:00", "year": 2024, "attachment_count": 6, "local_path": "issues/340221135", "has_markdown": true }, { "id": "340122160", "title": "MiraclePtr bypass due to PtrCount overflow", "url": "https://issues.chromium.org/issues/340122160", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 100115.0, "created_date": "2024-05-13T04:16:20+00:00", "year": 2024, "attachment_count": 0, "local_path": "issues/340122160", "has_markdown": true }, { "id": "339588211", "title": " Use After Free in PresentationConnectionCallbacks::OnSuccess", "url": "https://issues.chromium.org/issues/339588211", "status": "Assigned", "severity": "S3-Low", "component": "Blink>PresentationAPI", "bounty_amount": 1000.0, "created_date": "2024-05-09T10:51:13+00:00", "year": 2024, "attachment_count": 0, "local_path": "issues/339588211", "has_markdown": true }, { "id": "339169163", "title": "GPU process crash via WebGPU shader - OOB in ComputeExitLimit at", "url": "https://issues.chromium.org/issues/339169163", "status": "Assigned", "severity": "S3-Low", "component": "Dawn>Tint", "bounty_amount": 10000.0, "created_date": "2024-05-07T14:54:28+00:00", "year": 2024, "attachment_count": 9, "local_path": "issues/339169163", "has_markdown": true }, { "id": "339141099", "title": "v8::Value string with unmatched UTF8 surrogate pair causes crash when converted to base::Value", "url": "https://issues.chromium.org/issues/339141099", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 3000.0, "created_date": "2024-05-07T14:53:37+00:00", "year": 2024, "attachment_count": 3, "local_path": "issues/339141099", "has_markdown": true }, { "id": "339171223", "title": "GPU process crash via WebGPU shader - UAF in ConstantFoldTerminator at Transforms\\Utils\\Local.cpp:93", "url": "https://issues.chromium.org/issues/339171223", "status": "Assigned", "severity": "S3-Low", "component": "Dawn>Tint", "bounty_amount": 10000.0, "created_date": "2024-05-07T14:30:15+00:00", "year": 2024, "attachment_count": 8, "local_path": "issues/339171223", "has_markdown": true }, { "id": "338248595", "title": "Sandbox escape from extensions due to insufficent checks in chrome.devtools.inspectedWindow.reload and chrome://policy", "url": "https://issues.chromium.org/issues/338248595", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools", "bounty_amount": 20000.0, "created_date": "2024-05-01T22:57:43+00:00", "year": 2024, "attachment_count": 10, "local_path": "issues/338248595", "has_markdown": true }, { "id": "338103465", "title": "GPU process crash via WebGPU shader - UAF in SimplifyTerminatorOnSelect at SimplifyCFG.cpp:2637", "url": "https://issues.chromium.org/issues/338103465", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGPU, Dawn>Tint, Internals>GPU>Dawn, Internals>GPU>Tint", "bounty_amount": 10000.0, "created_date": "2024-05-01T12:16:43+00:00", "year": 2024, "attachment_count": 4, "local_path": "issues/338103465", "has_markdown": true }, { "id": "338161969", "title": " GPU process crash via WebGPU shader - OOB in WriteInstruction at BitcodeWriter.cpp:1720", "url": "https://issues.chromium.org/issues/338161969", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGPU, Dawn>Tint, Internals>GPU>Dawn, Internals>GPU>Tint", "bounty_amount": 10000.0, "created_date": "2024-05-01T09:50:53+00:00", "year": 2024, "attachment_count": 6, "local_path": "issues/338161969", "has_markdown": true }, { "id": "338071106", "title": "GPU process crash via WebGPU shader - UAF in ProcessValue at DxilValueCache.cpp:555", "url": "https://issues.chromium.org/issues/338071106", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGPU, Dawn>Tint, Internals>GPU>Dawn, Internals>GPU>Tint", "bounty_amount": 10000.0, "created_date": "2024-05-01T08:09:53+00:00", "year": 2024, "attachment_count": 4, "local_path": "issues/338071106", "has_markdown": true }, { "id": "337356054", "title": "Cross origin dialog spoof", "url": "https://issues.chromium.org/issues/337356054", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Storage>FileAPI, Blink>Storage>FileSystem", "bounty_amount": 3000.0, "created_date": "2024-04-27T07:08:08+00:00", "year": 2024, "attachment_count": 2, "local_path": "issues/337356054", "has_markdown": true }, { "id": "335611025", "title": "Chrome on IOS ignores Content-Type header (and nosniff) when rendering XHTML content", "url": "https://issues.chromium.org/issues/335611025", "status": "Accepted", "severity": "S3-Low", "component": "Mobile>iOSWeb", "bounty_amount": 1000.0, "created_date": "2024-04-18T12:30:02+00:00", "year": 2024, "attachment_count": 1, "local_path": "issues/335611025", "has_markdown": true }, { "id": "333508731", "title": "GPU process crash via WebGPU shader - placeSplitBlockCarefully in LoopSimplify.cpp", "url": "https://issues.chromium.org/issues/333508731", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGPU, Dawn>Tint, Internals>GPU>Dawn, Internals>GPU>Tint", "bounty_amount": 10000.0, "created_date": "2024-04-09T17:07:07+00:00", "year": 2024, "attachment_count": 2, "local_path": "issues/333508731", "has_markdown": true }, { "id": "333420620", "title": "GPU process crash via WebGPU shader - dynamic_cast exception in DXC", "url": "https://issues.chromium.org/issues/333420620", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGPU, Internals>GPU>Dawn, Internals>GPU>Tint", "bounty_amount": 10000.0, "created_date": "2024-04-09T14:24:36+00:00", "year": 2024, "attachment_count": 4, "local_path": "issues/333420620", "has_markdown": true }, { "id": "333414294", "title": "GPU process crash via WebGPU shader - SimplifyInstruction in InstructionSimplify.cpp", "url": "https://issues.chromium.org/issues/333414294", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGPU, Internals>GPU>Dawn, Internals>GPU>Tint", "bounty_amount": 10000.0, "created_date": "2024-04-09T12:10:31+00:00", "year": 2024, "attachment_count": 3, "local_path": "issues/333414294", "has_markdown": true }, { "id": "333313912", "title": "WebAuthn Attestation dialog can hide the full-screen notification.", "url": "https://issues.chromium.org/issues/333313912", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>FullScreen", "bounty_amount": 1000.0, "created_date": "2024-04-08T06:54:59+00:00", "year": 2024, "attachment_count": 2, "local_path": "issues/333313912", "has_markdown": true }, { "id": "331123811", "title": "GPU process crash via WebGPU shader - DeleteMemcpy in ScalarReplAggregatesHLSL.cpp", "url": "https://issues.chromium.org/issues/331123811", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGPU, Internals>GPU>Dawn", "bounty_amount": 10000.0, "created_date": "2024-03-25T09:27:53+00:00", "year": 2024, "attachment_count": 1, "local_path": "issues/331123811", "has_markdown": true }, { "id": "329476341", "title": "Text Selection menu able to overlap URL bar ", "url": "https://issues.chromium.org/issues/329476341", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser, UI>Browser>Mobile>ContextMenu, UI>Browser>Selection", "bounty_amount": 2000.0, "created_date": "2024-03-14T08:23:08+00:00", "year": 2024, "attachment_count": 5, "local_path": "issues/329476341", "has_markdown": true }, { "id": "329271490", "title": "Stack buffer overflow in angle shader translation", "url": "https://issues.chromium.org/issues/329271490", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>WebGL, Internals>GPU, Internals>GPU>ANGLE", "bounty_amount": 2000.0, "created_date": "2024-03-13T10:36:06+00:00", "year": 2024, "attachment_count": 2, "local_path": "issues/329271490", "has_markdown": true }, { "id": "328958020", "title": "GPU process crash via WebGPU shader", "url": "https://issues.chromium.org/issues/328958020", "status": "Assigned", "severity": "S3-Low", "component": "Dawn, Internals>GPU>Dawn", "bounty_amount": 10000.0, "created_date": "2024-03-11T09:14:12+00:00", "year": 2024, "attachment_count": 1, "local_path": "issues/328958020", "has_markdown": true }, { "id": "324930013", "title": "monorail: issue chart page leaks unredacted emails", "url": "https://issues.chromium.org/issues/324930013", "status": "Assigned", "severity": "S3-Low", "component": "Issue Tracker, Platform>DevTools", "bounty_amount": 500.0, "created_date": "2024-02-13T04:02:41+00:00", "year": 2024, "attachment_count": 3, "local_path": "issues/324930013", "has_markdown": true }, { "id": "41496084", "title": "Security: Download & Execute File Silently Without Knowing User in Chrome", "url": "https://issues.chromium.org/issues/41496084", "status": "Assigned", "severity": "S3-Low", "component": "Blink>DataTransfer, Blink>Fullscreen, UI>Browser>Downloads, UI>Browser>FullScreen", "bounty_amount": 1000.0, "created_date": "2024-01-30T06:57:41+00:00", "year": 2024, "attachment_count": 5, "local_path": "issues/41496084", "has_markdown": true }, { "id": "41493771", "title": "Security: Capture Autofill Data using showPicker Spoofing", "url": "https://issues.chromium.org/issues/41493771", "status": "Accepted", "severity": "S3-Low", "component": "Privacy, UI>Browser>Autofill", "bounty_amount": 1000.0, "created_date": "2024-01-23T10:26:10+00:00", "year": 2024, "attachment_count": 8, "local_path": "issues/41493771", "has_markdown": true }, { "id": "41492103", "title": "Security: Directory listing no-cors issue", "url": "https://issues.chromium.org/issues/41492103", "status": "Assigned", "severity": "S3-Low", "component": "Blink>SecurityFeature>CORS", "bounty_amount": 5000.0, "created_date": "2024-01-17T12:31:17+00:00", "year": 2024, "attachment_count": 9, "local_path": "issues/41492103", "has_markdown": true }, { "id": "41489926", "title": "Security: use-after-poison in blink::MLGraphXnnpack::ComputeAsyncImpl", "url": "https://issues.chromium.org/issues/41489926", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>WebML", "bounty_amount": 10000.0, "created_date": "2024-01-09T17:37:53+00:00", "year": 2024, "attachment_count": 5, "local_path": "issues/41489926", "has_markdown": true }, { "id": "41487933", "title": "Security: about:srcdoc session history entries leak document state cross-origin", "url": "https://issues.chromium.org/issues/41487933", "status": "Assigned", "severity": "S3-Low", "component": "Blink>History, Internals>Sandbox>SiteIsolation, UI>Browser>Navigation", "bounty_amount": 8000.0, "created_date": "2024-01-03T20:49:14+00:00", "year": 2024, "attachment_count": 9, "local_path": "issues/41487933", "has_markdown": true }, { "id": "41487330", "title": "[webrtc]UAF in RTCPeerConnectionHandler::OnIceCandidate", "url": "https://issues.chromium.org/issues/41487330", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebRTC, Blink>WebRTC>PeerConnection", "bounty_amount": 3000.0, "created_date": "2023-12-29T13:34:17+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/41487330", "has_markdown": true }, { "id": "41486862", "title": "Security: Memory Corrupt in V8 Webassembly", "url": "https://issues.chromium.org/issues/41486862", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Turbofan, Blink>JavaScript>WebAssembly", "bounty_amount": 7000.0, "created_date": "2023-12-26T04:14:16+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/41486862", "has_markdown": true }, { "id": "41486859", "title": "Security: container-overflow in FileSystemAccessManagerImpl::DidCleanupAccessHandleCapacityAllocation", "url": "https://issues.chromium.org/issues/41486859", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Storage>FileSystem", "bounty_amount": 20000.0, "created_date": "2023-12-26T02:13:22+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/41486859", "has_markdown": true }, { "id": "41486690", "title": "Extension sanitization bypass - Setting file extension as \"%%\" resorts to the previous text", "url": "https://issues.chromium.org/issues/41486690", "status": "Assigned", "severity": "S4-Minimal", "component": "UI>Browser>Downloads", "bounty_amount": 1000.0, "created_date": "2023-12-24T21:59:41+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/41486690", "has_markdown": true }, { "id": "41486636", "title": "Security: SEGV in v8_wasm_compile_fuzzer ", "url": "https://issues.chromium.org/issues/41486636", "status": "Accepted", "severity": "S3-Low", "component": "Blink>JavaScript", "bounty_amount": 7000.0, "created_date": "2023-12-24T00:53:52+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/41486636", "has_markdown": true }, { "id": "41486208", "title": "Security: Downloading .scf files possible with a drag and drop, stealing NTLM hashes", "url": "https://issues.chromium.org/issues/41486208", "status": "Assigned", "severity": "S3-Low", "component": "Blink>DataTransfer", "bounty_amount": 1000.0, "created_date": "2023-12-21T09:59:58+00:00", "year": 2023, "attachment_count": 6, "local_path": "issues/41486208", "has_markdown": true }, { "id": "41486190", "title": "Security: opens a new window in fullscreen mode at same time , leading to address bar spoof", "url": "https://issues.chromium.org/issues/41486190", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Fullscreen, Blink>WindowDialog, UI>Browser>FullScreen", "bounty_amount": null, "created_date": "2023-12-21T08:19:08+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/41486190", "has_markdown": true }, { "id": "41486150", "title": "Security: Debug check failed: displacement == 0 . in v8", "url": "https://issues.chromium.org/issues/41486150", "status": "Accepted", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Turbofan, Blink>JavaScript>WebAssembly", "bounty_amount": 7000.0, "created_date": "2023-12-21T02:38:29+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/41486150", "has_markdown": true }, { "id": "41485950", "title": "Security: CRX3 File Signature Verification Bypass via Embedded ZIP64 Payload", "url": "https://issues.chromium.org/issues/41485950", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Cast, Internals>Installer>Components, Internals>Updater, Platform>Extensions", "bounty_amount": 5000.0, "created_date": "2023-12-20T10:13:42+00:00", "year": 2023, "attachment_count": 8, "local_path": "issues/41485950", "has_markdown": true }, { "id": "41485789", "title": "Improper handling of duplicate `` and `` tags enables CSP nonce leakage", "url": "https://issues.chromium.org/issues/41485789", "status": "Assigned", "severity": "S3-Low", "component": "Blink>SecurityFeature>ContentSecurityPolicy", "bounty_amount": 3000.0, "created_date": "2023-12-19T18:08:24+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/41485789", "has_markdown": true }, { "id": "41485769", "title": "Security: Spoof to allow permission", "url": "https://issues.chromium.org/issues/41485769", "status": "Fixed", "severity": "S3-Low", "component": "Internals>Preload", "bounty_amount": 1000.0, "created_date": "2023-12-19T17:05:40+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/41485769", "has_markdown": true }, { "id": "41485059", "title": "Security: Debug check failed: var.has_value(). in v8", "url": "https://issues.chromium.org/issues/41485059", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript, Blink>JavaScript>Compiler>Turbofan", "bounty_amount": 7000.0, "created_date": "2023-12-18T02:48:45+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/41485059", "has_markdown": true }, { "id": "41484965", "title": "Security: Enterprise Policy Bypass Vulnerability Allows Download of Internal/Blocked Files", "url": "https://issues.chromium.org/issues/41484965", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Storage>FileSystem, UI>Browser>Downloads", "bounty_amount": 1000.0, "created_date": "2023-12-16T20:51:14+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/41484965", "has_markdown": true }, { "id": "41484431", "title": "Security: Debug check failed: inlinee.sig->return_count() == sig->return_count() . in v8", "url": "https://issues.chromium.org/issues/41484431", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Compiler>Turbofan, Blink>JavaScript>WebAssembly", "bounty_amount": 10000.0, "created_date": "2023-12-15T02:42:54+00:00", "year": 2023, "attachment_count": 7, "local_path": "issues/41484431", "has_markdown": true }, { "id": "41484151", "title": "Security: Heap-use-after-free blink::BaseRenderingContext2D::DrawTextInternal base_rendering_context_2d.cc:2856", "url": "https://issues.chromium.org/issues/41484151", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Canvas", "bounty_amount": 4000.0, "created_date": "2023-12-14T09:30:11+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/41484151", "has_markdown": true }, { "id": "41483793", "title": "Security: Omnibox Spoofing in MacOS", "url": "https://issues.chromium.org/issues/41483793", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>FullScreen", "bounty_amount": 5000.0, "created_date": "2023-12-13T11:30:29+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/41483793", "has_markdown": true }, { "id": "41483711", "title": "Security: Title : Debug check failed: Asm().current_block()->IsMerge() && inputs.size() == Asm().current_block()->Predecessors().size(). in v8, leading to SEGV", "url": "https://issues.chromium.org/issues/41483711", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Compiler>Turbofan", "bounty_amount": 7000.0, "created_date": "2023-12-13T03:45:13+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/41483711", "has_markdown": true }, { "id": "41483350", "title": "Security: Heap-use-after-free in Accessibility", "url": "https://issues.chromium.org/issues/41483350", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>Accessibility", "bounty_amount": 1000.0, "created_date": "2023-12-12T05:52:02+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/41483350", "has_markdown": true }, { "id": "41483297", "title": "Security: Type confusion in Harmony Set methods (Leads to RCE)", "url": "https://issues.chromium.org/issues/41483297", "status": "Fixed", "severity": "S4-Minimal", "component": "Blink>JavaScript, Blink>JavaScript>Runtime", "bounty_amount": 7000.0, "created_date": "2023-12-12T01:29:07+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/41483297", "has_markdown": true }, { "id": "41481877", "title": "Running JavaScript on file:// URI allowing to access information and access camera for iOS Chrome ", "url": "https://issues.chromium.org/issues/41481877", "status": "Assigned", "severity": "S3-Low", "component": "Mobile>Fundamentals>Security", "bounty_amount": 1000.0, "created_date": "2023-12-07T04:33:43+00:00", "year": 2023, "attachment_count": 15, "local_path": "issues/41481877", "has_markdown": true }, { "id": "41481374", "title": "UAF in mojo::WaitSet::State::Context::OnNotification", "url": "https://issues.chromium.org/issues/41481374", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Storage, Internals>Mojo", "bounty_amount": 5000.0, "created_date": "2023-12-06T06:15:17+00:00", "year": 2023, "attachment_count": 7, "local_path": "issues/41481374", "has_markdown": true }, { "id": "40948927", "title": "Security: Debug check failed: idx.offset() / sizeof(OperationStorageSlot) < size(), leading to segment fault.", "url": "https://issues.chromium.org/issues/40948927", "status": "Accepted", "severity": "S4-Minimal", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 10000.0, "created_date": "2023-12-05T02:35:34+00:00", "year": 2023, "attachment_count": 11, "local_path": "issues/40948927", "has_markdown": true }, { "id": "40948479", "title": "Security: Debug check failed: !can_be_invalid implies result.valid().", "url": "https://issues.chromium.org/issues/40948479", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 10000.0, "created_date": "2023-12-04T10:52:08+00:00", "year": 2023, "attachment_count": 8, "local_path": "issues/40948479", "has_markdown": true }, { "id": "40948441", "title": "Security: Debug check failed: use->opcode() == IrOpcode::kLoopExitEffect || use->opcode() == IrOpcode::kLoopExitValue.", "url": "https://issues.chromium.org/issues/40948441", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 7000.0, "created_date": "2023-12-04T07:44:08+00:00", "year": 2023, "attachment_count": 6, "local_path": "issues/40948441", "has_markdown": true }, { "id": "40948126", "title": "Security: Extensions are able to inject resources into Chrome URLs.", "url": "https://issues.chromium.org/issues/40948126", "status": "Accepted", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 500.0, "created_date": "2023-12-02T19:59:41+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40948126", "has_markdown": true }, { "id": "40948107", "title": "Security: Debug check failed: HasFeedbackMetadata(kAcquireLoad)", "url": "https://issues.chromium.org/issues/40948107", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Maglev, Blink>JavaScript>Compiler>Turbofan", "bounty_amount": 1000.0, "created_date": "2023-12-02T16:28:57+00:00", "year": 2023, "attachment_count": 9, "local_path": "issues/40948107", "has_markdown": true }, { "id": "40947602", "title": "Security: Heap-use-after-free WRITE 16 · cppgc::internal::PersistentRegionBase::ClearAllUsedNodes", "url": "https://issues.chromium.org/issues/40947602", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGPU", "bounty_amount": 10000.0, "created_date": "2023-12-01T09:21:46+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40947602", "has_markdown": true }, { "id": "40946724", "title": "Security: Security UI Spoofing on Chrome for Android due to the tabstrip hiding the fullscreen notification ", "url": "https://issues.chromium.org/issues/40946724", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>FullScreen, UI>Browser>Mobile>TabStrip", "bounty_amount": 1000.0, "created_date": "2023-11-29T16:09:33+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40946724", "has_markdown": true }, { "id": "40946348", "title": "UAF in blink::RTCEncodedAudioUnderlyingSource::OnFrameFromSource ", "url": "https://issues.chromium.org/issues/40946348", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebRTC", "bounty_amount": 7000.0, "created_date": "2023-11-28T11:14:38+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40946348", "has_markdown": true }, { "id": "40946325", "title": "Elevation of Privilege in GoogleUpdate with Windows", "url": "https://issues.chromium.org/issues/40946325", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Updater", "bounty_amount": 5000.0, "created_date": "2023-11-28T09:15:28+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40946325", "has_markdown": true }, { "id": "40945830", "title": "embed element allows to access camera and Pan-Tilt-Zoom on legitimate webcam site with no ua", "url": "https://issues.chromium.org/issues/40945830", "status": "Assigned", "severity": "S3-Low", "component": "Mobile>iOSWeb>Media", "bounty_amount": 1000.0, "created_date": "2023-11-25T23:21:19+00:00", "year": 2023, "attachment_count": 8, "local_path": "issues/40945830", "has_markdown": true }, { "id": "40945804", "title": "Security: iOS file picker dialog can be shown over a different tab", "url": "https://issues.chromium.org/issues/40945804", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Navigation", "bounty_amount": 2000.0, "created_date": "2023-11-25T17:13:01+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40945804", "has_markdown": true }, { "id": "40945774", "title": "Security: AddressSanitizer: heap-use-after-free on address 0x11f602026080 at pc 0x7ffc02e5a899 bp 0x000bbe7fed80 sp 0x000bbe7fedc8", "url": "https://issues.chromium.org/issues/40945774", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Passwords", "bounty_amount": 1000.0, "created_date": "2023-11-25T08:57:10+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40945774", "has_markdown": true }, { "id": "40945761", "title": "Security: use-after-poison in blink::InlineLayoutAlgorithm::CreateLine", "url": "https://issues.chromium.org/issues/40945761", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>CSS, Blink>Layout", "bounty_amount": 0.0, "created_date": "2023-11-25T03:21:10+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40945761", "has_markdown": true }, { "id": "40945677", "title": "Security: use-after-free of AudioArray in blink::DelayHandler::Process", "url": "https://issues.chromium.org/issues/40945677", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>Media>Audio, Blink>WebAudio", "bounty_amount": 10000.0, "created_date": "2023-11-24T16:27:08+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40945677", "has_markdown": true }, { "id": "40945671", "title": "Security: SincResampler buffer UAF", "url": "https://issues.chromium.org/issues/40945671", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>WebAudio", "bounty_amount": 10000.0, "created_date": "2023-11-24T16:08:30+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40945671", "has_markdown": true }, { "id": "40945594", "title": "Security: WebGL Vulkan Spirv bytecode builder length truncate lead to heap overflow", "url": "https://issues.chromium.org/issues/40945594", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE, Internals>GPU>SwiftShader", "bounty_amount": 15000.0, "created_date": "2023-11-24T10:03:37+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40945594", "has_markdown": true }, { "id": "40945587", "title": "Security: Heap-use-after-free in WebUIBubbleDialogView::ClearContentsWrapper", "url": "https://issues.chromium.org/issues/40945587", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>ContentSuggestions", "bounty_amount": 1000.0, "created_date": "2023-11-24T09:12:20+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40945587", "has_markdown": true }, { "id": "40945515", "title": "Security: Stack-buffer-underflow in DataPack::GetStringPieceFromOffset when loading a malicious theme", "url": "https://issues.chromium.org/issues/40945515", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Themes, UI>Browser>WebUI", "bounty_amount": 6000.0, "created_date": "2023-11-24T00:16:12+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40945515", "has_markdown": true }, { "id": "40945359", "title": "Security: heap-use-after-free in libavif when decode the crafted avif file.", "url": "https://issues.chromium.org/issues/40945359", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>Images>Codecs", "bounty_amount": 7000.0, "created_date": "2023-11-23T12:41:55+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40945359", "has_markdown": true }, { "id": "40945098", "title": "memory corruption in sw::SpirvEmitter::getImageSampler", "url": "https://issues.chromium.org/issues/40945098", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>SwiftShader", "bounty_amount": 10000.0, "created_date": "2023-11-22T15:32:47+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40945098", "has_markdown": true }, { "id": "40944847", "title": "Security: File picker dialog can be shown over a different tab", "url": "https://issues.chromium.org/issues/40944847", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Forms>File, UI>Browser>Navigation", "bounty_amount": 1000.0, "created_date": "2023-11-21T22:58:57+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40944847", "has_markdown": true }, { "id": "40944020", "title": "Opening the Sidepanel results in plaintext HTTP requests to gstatic URLs", "url": "https://issues.chromium.org/issues/40944020", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>TopChrome>SidePanel", "bounty_amount": 2000.0, "created_date": "2023-11-20T06:55:42+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40944020", "has_markdown": true }, { "id": "40943982", "title": "Security: [V8] [turboshaft] Yet another minus zero case missing when typing divisions.", "url": "https://issues.chromium.org/issues/40943982", "status": "Fixed", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Turbofan", "bounty_amount": 10000.0, "created_date": "2023-11-19T22:22:23+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40943982", "has_markdown": true }, { "id": "40942995", "title": "SwiftShader: UAF in isCubeCompatible ", "url": "https://issues.chromium.org/issues/40942995", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>SwiftShader", "bounty_amount": 4000.0, "created_date": "2023-11-15T19:11:13+00:00", "year": 2023, "attachment_count": 13, "local_path": "issues/40942995", "has_markdown": true }, { "id": "40942837", "title": "UAF in WallpaperSearch", "url": "https://issues.chromium.org/issues/40942837", "status": "Accepted", "severity": "S4-Minimal", "component": "Unknown", "bounty_amount": 1000.0, "created_date": "2023-11-15T12:33:39+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40942837", "has_markdown": true }, { "id": "40942531", "title": "Security: Origin spoof caused by navigation that doesn't paint any content", "url": "https://issues.chromium.org/issues/40942531", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Paint, UI>Browser>Navigation, UI>Browser>Omnibox", "bounty_amount": 3000.0, "created_date": "2023-11-14T17:46:55+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40942531", "has_markdown": true }, { "id": "40942439", "title": "use-after-poison in mojo::SimpleWatcher::OnHandleReady - image_bitmap_factories.cc Check failed: script_state->ContextIsValid(). ", "url": "https://issues.chromium.org/issues/40942439", "status": "Assigned", "severity": "S3-Low", "component": "Blink>GarbageCollection, Internals>Mojo", "bounty_amount": 7000.0, "created_date": "2023-11-14T11:28:28+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40942439", "has_markdown": true }, { "id": "40942152", "title": "Security: Attacker Can Execute Arbitrary JavaScript Code in the Highly Privileged \"devtools://devtools\" Origin", "url": "https://issues.chromium.org/issues/40942152", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools", "bounty_amount": 6000.0, "created_date": "2023-11-13T15:37:15+00:00", "year": 2023, "attachment_count": 7, "local_path": "issues/40942152", "has_markdown": true }, { "id": "40942112", "title": "Security: WebGL Texture RenderTarget Vulkan backend UAF", "url": "https://issues.chromium.org/issues/40942112", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE", "bounty_amount": 15000.0, "created_date": "2023-11-13T13:24:12+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40942112", "has_markdown": true }, { "id": "40942082", "title": "Security: heap-use-after-free in libavif when decode the crafted avif file.", "url": "https://issues.chromium.org/issues/40942082", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Images>Codecs", "bounty_amount": 7000.0, "created_date": "2023-11-13T11:12:13+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40942082", "has_markdown": true }, { "id": "40942077", "title": "Security: heap-buffer-overflow in libavif when decode the crafted avif file", "url": "https://issues.chromium.org/issues/40942077", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Images>Codecs", "bounty_amount": 7000.0, "created_date": "2023-11-13T11:03:10+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40942077", "has_markdown": true }, { "id": "40942069", "title": "Security: Content-Type x-mixed-replace can be abused to bypass CSP on iOS", "url": "https://issues.chromium.org/issues/40942069", "status": "Accepted", "severity": "S4-Minimal", "component": "Blink>SecurityFeature", "bounty_amount": 2000.0, "created_date": "2023-11-13T10:23:46+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40942069", "has_markdown": true }, { "id": "40941600", "title": "Security: V8 Debug check failed: LAST_TYPE >= value", "url": "https://issues.chromium.org/issues/40941600", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Runtime", "bounty_amount": 16000.0, "created_date": "2023-11-10T13:24:28+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40941600", "has_markdown": true }, { "id": "40941179", "title": "Security: UAF in FedCmAccountSelectionView::Show", "url": "https://issues.chromium.org/issues/40941179", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Identity>FedCM", "bounty_amount": 5000.0, "created_date": "2023-11-09T12:23:08+00:00", "year": 2023, "attachment_count": 8, "local_path": "issues/40941179", "has_markdown": true }, { "id": "40941111", "title": "Security: WebAudio UAF caused by setSinkId", "url": "https://issues.chromium.org/issues/40941111", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>WebAudio", "bounty_amount": 10000.0, "created_date": "2023-11-09T07:38:24+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40941111", "has_markdown": true }, { "id": "40940854", "title": "Security: Bypass the Protection of PaymentRequest dialog saved chrome Data, Bypass of Issue 1403539", "url": "https://issues.chromium.org/issues/40940854", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Media>PictureInPicture, Blink>Payments", "bounty_amount": 2000.0, "created_date": "2023-11-08T13:48:25+00:00", "year": 2023, "attachment_count": 9, "local_path": "issues/40940854", "has_markdown": true }, { "id": "40940815", "title": "Security: UAF in DigitalCredentialProviderAndroid", "url": "https://issues.chromium.org/issues/40940815", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Identity>FedCM", "bounty_amount": 37000.0, "created_date": "2023-11-08T10:58:05+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40940815", "has_markdown": true }, { "id": "40076226", "title": "Security: Heap-use-after-free in ChromeComposeClient::ShowComposeDialog", "url": "https://issues.chromium.org/issues/40076226", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>ContentSuggestions", "bounty_amount": 2000.0, "created_date": "2023-11-06T11:45:49+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40076226", "has_markdown": true }, { "id": "40076120", "title": "Security: Document Picture-in-Picture API can be used to spoof file reads and writes", "url": "https://issues.chromium.org/issues/40076120", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Media>PictureInPicture", "bounty_amount": 5000.0, "created_date": "2023-11-02T18:18:40+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40076120", "has_markdown": true }, { "id": "40076065", "title": "Security: Bypass the Protection of input fields cache (Autofill) 1395164", "url": "https://issues.chromium.org/issues/40076065", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Autofill", "bounty_amount": 5000.0, "created_date": "2023-11-01T14:18:54+00:00", "year": 2023, "attachment_count": 7, "local_path": "issues/40076065", "has_markdown": true }, { "id": "40075982", "title": "Security: heap-use-after-free in blink::FormData::append form_data.cc:151", "url": "https://issues.chromium.org/issues/40075982", "status": "Assigned", "severity": "S3-Low", "component": "Blink>GarbageCollection, Blink>Network>FetchAPI", "bounty_amount": 10000.0, "created_date": "2023-10-31T15:00:20+00:00", "year": 2023, "attachment_count": 6, "local_path": "issues/40075982", "has_markdown": true }, { "id": "40075980", "title": "Security: Bypass and Semi Regression of Issue 1472404 fix which Bypass the Protection of input fields cache (Autofill) ", "url": "https://issues.chromium.org/issues/40075980", "status": "Accepted", "severity": "S4-Minimal", "component": "UI>Browser>Autofill", "bounty_amount": 2000.0, "created_date": "2023-10-31T14:14:47+00:00", "year": 2023, "attachment_count": 10, "local_path": "issues/40075980", "has_markdown": true }, { "id": "40075979", "title": "[module:breakout_box]use-after-poison in blink::FrameQueueUnderlyingSource", "url": "https://issues.chromium.org/issues/40075979", "status": "Assigned", "severity": "S3-Low", "component": "Blink>MediaStream", "bounty_amount": 10000.0, "created_date": "2023-10-31T14:10:19+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40075979", "has_markdown": true }, { "id": "40075944", "title": "UAP in permissions::PermissionRequestQueue::Peek", "url": "https://issues.chromium.org/issues/40075944", "status": "New", "severity": "S3-Low", "component": "UI>Browser>Permissions>Prompts", "bounty_amount": 30000.0, "created_date": "2023-10-31T03:04:35+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40075944", "has_markdown": true }, { "id": "40075849", "title": "Security: Elevation of Privilege via Vulnerability in Keystone for macOS", "url": "https://issues.chromium.org/issues/40075849", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Updater", "bounty_amount": 5000.0, "created_date": "2023-10-29T07:35:39+00:00", "year": 2023, "attachment_count": 17, "local_path": "issues/40075849", "has_markdown": true }, { "id": "40075744", "title": "Security: Check failed: !v8::internal::v8_flags.enable_slow_asserts.value() || (IsSharedFunctionInfo_NonInline(*this)).", "url": "https://issues.chromium.org/issues/40075744", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Compiler>Maglev", "bounty_amount": 7000.0, "created_date": "2023-10-27T02:15:36+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40075744", "has_markdown": true }, { "id": "40075672", "title": "Security: chrome.debugger API can capture cookies of host blocked by Enterprise Policy", "url": "https://issues.chromium.org/issues/40075672", "status": "Assigned", "severity": "S3-Low", "component": "Enterprise, Platform>Extensions", "bounty_amount": 2000.0, "created_date": "2023-10-26T11:13:32+00:00", "year": 2023, "attachment_count": 7, "local_path": "issues/40075672", "has_markdown": true }, { "id": "40075655", "title": "UAF in GrDrawOpAtlas (with --headless mode)", "url": "https://issues.chromium.org/issues/40075655", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Skia", "bounty_amount": 10000.0, "created_date": "2023-10-26T07:45:36+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40075655", "has_markdown": true }, { "id": "40075535", "title": "iOS Chrome Media Permission Privilege Escalation", "url": "https://issues.chromium.org/issues/40075535", "status": "Assigned", "severity": "S3-Low", "component": "Blink>GetUserMedia, Internals>Permissions>Model", "bounty_amount": 3000.0, "created_date": "2023-10-24T21:30:01+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40075535", "has_markdown": true }, { "id": "40075409", "title": "Security: UAF in gcm::GCMDriver::Shutdown", "url": "https://issues.chromium.org/issues/40075409", "status": "Fixed", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 1000.0, "created_date": "2023-10-23T00:53:02+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40075409", "has_markdown": true }, { "id": "40937251", "title": "UAF in vk::Format::getAspectFormat(unsigned int)", "url": "https://issues.chromium.org/issues/40937251", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>SwiftShader", "bounty_amount": 10000.0, "created_date": "2023-10-22T02:09:01+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40937251", "has_markdown": true }, { "id": "40075363", "title": "heap-buffer-overflow in ~SingleShotFrameHandler(imagecapture/image_capture_frame_grabber.cc)", "url": "https://issues.chromium.org/issues/40075363", "status": "Assigned", "severity": "S3-Low", "component": "Blink>ImageCapture, Blink>Scheduling", "bounty_amount": 7000.0, "created_date": "2023-10-21T05:38:57+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40075363", "has_markdown": true }, { "id": "40075359", "title": "Security: Heap-use-after-free in lens::OpenLensRegionSearchInstructions", "url": "https://issues.chromium.org/issues/40075359", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>SearchSidePanel", "bounty_amount": 1000.0, "created_date": "2023-10-21T04:19:45+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40075359", "has_markdown": true }, { "id": "40075342", "title": "Security: UAF in MojoPipe", "url": "https://issues.chromium.org/issues/40075342", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Mojo, Internals>Mojo>Bindings", "bounty_amount": 30000.0, "created_date": "2023-10-20T19:10:08+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40075342", "has_markdown": true }, { "id": "40936633", "title": "Security: Heap-use-after-free in ReadAnythingUntrustedPageHandler::LogTextStyle", "url": "https://issues.chromium.org/issues/40936633", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>TopChrome>SidePanel", "bounty_amount": 2000.0, "created_date": "2023-10-17T15:57:26+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40936633", "has_markdown": true }, { "id": "40075024", "title": "Security: Popup window tab doesn't show the origin elided from the right", "url": "https://issues.chromium.org/issues/40075024", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>TopChrome>TabStrip>HoverCards", "bounty_amount": 500.0, "created_date": "2023-10-17T02:10:35+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40075024", "has_markdown": true }, { "id": "40074918", "title": "Security: Bypass the Protection of input fields cache (Autofill) Similar to (1358647 ,1395164 ,1108181) with Different Vector", "url": "https://issues.chromium.org/issues/40074918", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Autofill", "bounty_amount": 3000.0, "created_date": "2023-10-14T22:21:20+00:00", "year": 2023, "attachment_count": 7, "local_path": "issues/40074918", "has_markdown": true }, { "id": "40936265", "title": "Security: Persistent XSS via malicious user-uploaded PaymentRequest manifest and service worker", "url": "https://issues.chromium.org/issues/40936265", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Payments", "bounty_amount": 15000.0, "created_date": "2023-10-14T08:17:28+00:00", "year": 2023, "attachment_count": 7, "local_path": "issues/40936265", "has_markdown": true }, { "id": "40074800", "title": "Security: opens a new window at the same time as the previous window in fullscreen mode, (the window enters fullscreen mode which is closed by another new window) leads to spoof", "url": "https://issues.chromium.org/issues/40074800", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Fullscreen", "bounty_amount": 1000.0, "created_date": "2023-10-13T07:44:09+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40074800", "has_markdown": true }, { "id": "40936128", "title": "Security: readanything render frame UAF fix of crbug.com/1488268 is not robust.", "url": "https://issues.chromium.org/issues/40936128", "status": "Assigned", "severity": "S4-Minimal", "component": "UI>Accessibility>ReadingMode", "bounty_amount": 2000.0, "created_date": "2023-10-13T07:42:25+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40936128", "has_markdown": true }, { "id": "40074795", "title": "Uaf in EmbeddedPermissionPrompt::~EmbeddedPermissionPrompt And defects in raw_ptr with ASAN", "url": "https://issues.chromium.org/issues/40074795", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Permissions>Prompts", "bounty_amount": 3000.0, "created_date": "2023-10-13T06:37:27+00:00", "year": 2023, "attachment_count": 6, "local_path": "issues/40074795", "has_markdown": true }, { "id": "40074794", "title": "Security: UAF in UsbDeviceHandleMac::AsyncIoCallback", "url": "https://issues.chromium.org/issues/40074794", "status": "Assigned", "severity": "S3-Low", "component": "IO>USB", "bounty_amount": 8000.0, "created_date": "2023-10-13T06:33:12+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40074794", "has_markdown": true }, { "id": "40074792", "title": "Security: Out of bounds access in UsbDeviceHandleUsbfs::IsochronousTransferInternal", "url": "https://issues.chromium.org/issues/40074792", "status": "Assigned", "severity": "S3-Low", "component": "IO>USB", "bounty_amount": 10000.0, "created_date": "2023-10-13T06:29:33+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40074792", "has_markdown": true }, { "id": "40074630", "title": "Security: Google Chrome MetalCompiler OOB Access Vulnerability", "url": "https://issues.chromium.org/issues/40074630", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGL, Internals>GPU, Internals>GPU>ANGLE", "bounty_amount": 7000.0, "created_date": "2023-10-11T14:43:45+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40074630", "has_markdown": true }, { "id": "40935719", "title": "Security: heap-use-after-free on BrandcodeConfigFetcher::OnSimpleLoaderComplete", "url": "https://issues.chromium.org/issues/40935719", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Profiles", "bounty_amount": 2000.0, "created_date": "2023-10-10T04:02:12+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40935719", "has_markdown": true }, { "id": "40074483", "title": "Security: Inappropriate implementation in Fullscreen API", "url": "https://issues.chromium.org/issues/40074483", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>FullScreen, UI>Browser>Mobile>EdgeToEdge", "bounty_amount": 500.0, "created_date": "2023-10-10T02:08:13+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40074483", "has_markdown": true }, { "id": "40074376", "title": "Security: XSS in contenteditable elements via svg>use xlink:href ", "url": "https://issues.chromium.org/issues/40074376", "status": "Accepted", "severity": "S3-Low", "component": "Blink>DataTransfer, Blink>Editing>Paste, Blink>SecurityFeature>SanitizerAPI", "bounty_amount": 500.0, "created_date": "2023-10-07T16:26:52+00:00", "year": 2023, "attachment_count": 8, "local_path": "issues/40074376", "has_markdown": true }, { "id": "40074269", "title": "Security: Extension has access to a custom NTP", "url": "https://issues.chromium.org/issues/40074269", "status": "Accepted", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 2000.0, "created_date": "2023-10-06T11:58:46+00:00", "year": 2023, "attachment_count": 9, "local_path": "issues/40074269", "has_markdown": true }, { "id": "40073847", "title": "Chrome's Reading Mode UAF", "url": "https://issues.chromium.org/issues/40073847", "status": "Assigned", "severity": "S4-Minimal", "component": "UI>Accessibility", "bounty_amount": 2000.0, "created_date": "2023-10-01T10:29:11+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40073847", "has_markdown": true }, { "id": "40934491", "title": "Chrome's Profile Picker UAF", "url": "https://issues.chromium.org/issues/40934491", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Profiles", "bounty_amount": 1000.0, "created_date": "2023-10-01T10:26:34+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40934491", "has_markdown": true }, { "id": "40073846", "title": "Crash in v8::internal::EvacuationVerifier::VerifyEvacuation", "url": "https://issues.chromium.org/issues/40073846", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>GarbageCollection", "bounty_amount": 7000.0, "created_date": "2023-10-01T08:55:42+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40073846", "has_markdown": true }, { "id": "40073817", "title": "Security: Download started notification can suppressed \"exit full screen\" notification lead to spoof", "url": "https://issues.chromium.org/issues/40073817", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Fullscreen, UI>Browser>Downloads, UI>Browser>FullScreen", "bounty_amount": 1000.0, "created_date": "2023-09-30T03:53:10+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40073817", "has_markdown": true }, { "id": "40073792", "title": "UAF in vk::Buffer::getOffsetPointer", "url": "https://issues.chromium.org/issues/40073792", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>SwiftShader", "bounty_amount": 10000.0, "created_date": "2023-09-29T19:08:33+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40073792", "has_markdown": true }, { "id": "40073505", "title": "Security: heap-use-after-free on RenderFrameHostImpl::Init", "url": "https://issues.chromium.org/issues/40073505", "status": "New", "severity": "S3-Low", "component": "Internals>Sandbox>SiteIsolation, Platform>Apps>BrowserTag", "bounty_amount": 20000.0, "created_date": "2023-09-27T09:02:12+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40073505", "has_markdown": true }, { "id": "40073339", "title": "Security: Debug check failed: output_instr_index_ == definition_block->last_instruction_index() in v8/src/compiler/backend/mid-tier-register-allocator.cc:583", "url": "https://issues.chromium.org/issues/40073339", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Turbofan, Blink>JavaScript>WebAssembly", "bounty_amount": 7000.0, "created_date": "2023-09-25T16:29:10+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40073339", "has_markdown": true }, { "id": "40073299", "title": "potentional UAF ", "url": "https://issues.chromium.org/issues/40073299", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Network>Logging", "bounty_amount": 0.0, "created_date": "2023-09-25T10:36:35+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40073299", "has_markdown": true }, { "id": "40073252", "title": "Security: Out Of Bound in PDF web view plugin", "url": "https://issues.chromium.org/issues/40073252", "status": "Fixed", "severity": "S3-Low", "component": "Internals>Plugins>PDF", "bounty_amount": null, "created_date": "2023-09-24T09:49:59+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40073252", "has_markdown": true }, { "id": "40072988", "title": "Security: Android: URL spoofing in address bar if scheme is later in URL", "url": "https://issues.chromium.org/issues/40072988", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Omnibox", "bounty_amount": 7500.0, "created_date": "2023-09-21T07:35:22+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40072988", "has_markdown": true }, { "id": "40072724", "title": "GPU failure in blink::AXObject::RepairMissingParent", "url": "https://issues.chromium.org/issues/40072724", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Accessibility", "bounty_amount": 7000.0, "created_date": "2023-09-19T01:09:39+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40072724", "has_markdown": true }, { "id": "40072664", "title": "Security: UAF in cast_channel::CastSocketServiceImpl::OpenSocket", "url": "https://issues.chromium.org/issues/40072664", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Cast", "bounty_amount": 1000.0, "created_date": "2023-09-18T09:35:47+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40072664", "has_markdown": true }, { "id": "40072651", "title": "Security: UAF in base::win::MessageWindow::WindowProc", "url": "https://issues.chromium.org/issues/40072651", "status": "Assigned", "severity": "S3-Low", "component": "Internals>PlatformIntegration", "bounty_amount": 3000.0, "created_date": "2023-09-18T01:43:49+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40072651", "has_markdown": true }, { "id": "40072430", "title": "Security: Container-Overflow in chrome_pdf::PDFiumRange::GetScreenRects", "url": "https://issues.chromium.org/issues/40072430", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Plugins>PDF", "bounty_amount": 1000.0, "created_date": "2023-09-15T08:52:50+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40072430", "has_markdown": true }, { "id": "40072334", "title": "Security: SOP bypass: Portal activation bypasses same-page drag and drop source check", "url": "https://issues.chromium.org/issues/40072334", "status": "Accepted", "severity": "S3-Low", "component": "Blink>DataTransfer, Blink>Portals", "bounty_amount": 3000.0, "created_date": "2023-09-14T15:25:15+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40072334", "has_markdown": true }, { "id": "40072287", "title": "Security: Fatal error in ../../src/ast/ast.h, line 1477", "url": "https://issues.chromium.org/issues/40072287", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler, Blink>JavaScript>Interpreter, Blink>JavaScript>Parser", "bounty_amount": 7000.0, "created_date": "2023-09-14T08:50:10+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40072287", "has_markdown": true }, { "id": "40072274", "title": "Bypass PaymentRequest.show() calls after the first.", "url": "https://issues.chromium.org/issues/40072274", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Payments", "bounty_amount": 1000.0, "created_date": "2023-09-14T04:13:54+00:00", "year": 2023, "attachment_count": 7, "local_path": "issues/40072274", "has_markdown": true }, { "id": "40072134", "title": "URL Spoofing in Document PiP; related to issue 1450376; regression?", "url": "https://issues.chromium.org/issues/40072134", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Media>PictureInPicture", "bounty_amount": 500.0, "created_date": "2023-09-13T05:34:06+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40072134", "has_markdown": true }, { "id": "40071901", "title": "UAF in AutocompleteController::Observer", "url": "https://issues.chromium.org/issues/40071901", "status": "Assigned", "severity": "S4-Minimal", "component": "UI>Browser>Omnibox", "bounty_amount": 5000.0, "created_date": "2023-09-11T04:17:26+00:00", "year": 2023, "attachment_count": 7, "local_path": "issues/40071901", "has_markdown": true }, { "id": "40930463", "title": "Security: Use-After-Free in chrome_pdf::PdfViewWebPlugin::PrintEnd", "url": "https://issues.chromium.org/issues/40930463", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Printing", "bounty_amount": 2000.0, "created_date": "2023-09-10T13:22:02+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40930463", "has_markdown": true }, { "id": "40071686", "title": "Security: Use-After-Free in WebContentsFrameTracker::OnPossibleTargetChange", "url": "https://issues.chromium.org/issues/40071686", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Media>SurfaceCapture", "bounty_amount": 1000.0, "created_date": "2023-09-07T22:36:06+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40071686", "has_markdown": true }, { "id": "40071366", "title": "Security: heap-buffer-overflow vrend_read_from_iovec", "url": "https://issues.chromium.org/issues/40071366", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 250.0, "created_date": "2023-09-05T12:29:39+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40071366", "has_markdown": true }, { "id": "40071324", "title": "Security: Use-After-Free in PasswordManagerPorter::FileSelectionCanceled", "url": "https://issues.chromium.org/issues/40071324", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Passwords", "bounty_amount": 3000.0, "created_date": "2023-09-05T03:02:43+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40071324", "has_markdown": true }, { "id": "40071255", "title": "Security: Bypass the Protection of input fields cache (Autofill) due to inappropriate code design (Bypass 1472404),Similar to(1449874)", "url": "https://issues.chromium.org/issues/40071255", "status": "Accepted", "severity": "S4-Minimal", "component": "UI>Browser>Autofill", "bounty_amount": 2000.0, "created_date": "2023-09-03T20:48:16+00:00", "year": 2023, "attachment_count": 8, "local_path": "issues/40071255", "has_markdown": true }, { "id": "40071186", "title": "Security: Pdfium heap-buffer-overflow in downsample_3_2()", "url": "https://issues.chromium.org/issues/40071186", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Plugins>PDF", "bounty_amount": 2000.0, "created_date": "2023-09-01T21:28:23+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40071186", "has_markdown": true }, { "id": "40071155", "title": "UAF in v8_inspector DomainDispatcherImpl", "url": "https://issues.chromium.org/issues/40071155", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools>Extensions", "bounty_amount": 1000.0, "created_date": "2023-09-01T16:25:22+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40071155", "has_markdown": true }, { "id": "40071138", "title": "Security: Cookie leaking from the request object in chrome.devtools.network in onRequestFinished event", "url": "https://issues.chromium.org/issues/40071138", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions>API", "bounty_amount": 500.0, "created_date": "2023-09-01T11:55:43+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40071138", "has_markdown": true }, { "id": "40071126", "title": "Security: UAF in: gpu::raster::RasterDecoderImpl::Initialize", "url": "https://issues.chromium.org/issues/40071126", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Compositing>OOP-Raster", "bounty_amount": 15000.0, "created_date": "2023-09-01T10:00:16+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40071126", "has_markdown": true }, { "id": "40071026", "title": "Security: Trick user into thinking they have escaped fullscreen on MacOS", "url": "https://issues.chromium.org/issues/40071026", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>FullScreen, UI>Browser>Permissions>Prompts", "bounty_amount": 3000.0, "created_date": "2023-08-31T10:56:13+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40071026", "has_markdown": true }, { "id": "40070964", "title": "Security: https://bugs.chromium.org/p/chromium/issues/detail?id=1259694 can be reproduced", "url": "https://issues.chromium.org/issues/40070964", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Contacts", "bounty_amount": 1000.0, "created_date": "2023-08-30T15:10:38+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40070964", "has_markdown": true }, { "id": "40070902", "title": "heap-use-after-free in ReadAnythingAppController::OnActiveAXTreeIDChanged(ui::AXTreeID const&, long long, GURL const&)", "url": "https://issues.chromium.org/issues/40070902", "status": "Assigned", "severity": "S4-Minimal", "component": "UI>Accessibility>ReadingMode, UI>Browser>TopChrome>SidePanel", "bounty_amount": 1000.0, "created_date": "2023-08-30T07:23:45+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40070902", "has_markdown": true }, { "id": "40070873", "title": "Security: Bypassing of security interstitials using devtools API", "url": "https://issues.chromium.org/issues/40070873", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools>Extensions", "bounty_amount": 1000.0, "created_date": "2023-08-29T18:47:45+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40070873", "has_markdown": true }, { "id": "40070732", "title": "Security: V8: Fatal error in ../../src/objects/property-array-inl.h", "url": "https://issues.chromium.org/issues/40070732", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Runtime", "bounty_amount": 7000.0, "created_date": "2023-08-28T01:18:40+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40070732", "has_markdown": true }, { "id": "40070513", "title": "Security: heap-use-after-free in mojo::StringDataSource::Read", "url": "https://issues.chromium.org/issues/40070513", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 2000.0, "created_date": "2023-08-24T21:29:10+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40070513", "has_markdown": true }, { "id": "40070322", "title": "Security: DoS due to check missing", "url": "https://issues.chromium.org/issues/40070322", "status": "Accepted", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 500.0, "created_date": "2023-08-23T12:02:26+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40070322", "has_markdown": true }, { "id": "40070305", "title": "UAF in blink::IDBFactoryClient::DeleteSuccess", "url": "https://issues.chromium.org/issues/40070305", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Storage>IndexedDB", "bounty_amount": 2000.0, "created_date": "2023-08-23T10:24:40+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40070305", "has_markdown": true }, { "id": "40070055", "title": "Security: V8 SEGV_ACCERR 02b6beadbef2", "url": "https://issues.chromium.org/issues/40070055", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript, Blink>JavaScript>GarbageCollection", "bounty_amount": 5000.0, "created_date": "2023-08-21T01:22:12+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40070055", "has_markdown": true }, { "id": "40070041", "title": "Security: UAF in UnblockPendingSubframeNavigationRequestsIfNeeded", "url": "https://issues.chromium.org/issues/40070041", "status": "Assigned", "severity": "S3-Low", "component": "Blink>History", "bounty_amount": 1000.0, "created_date": "2023-08-20T15:13:35+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40070041", "has_markdown": true }, { "id": "40070037", "title": "Security: OOB read in TGSI_OPCODE_EMIT", "url": "https://issues.chromium.org/issues/40070037", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 1000.0, "created_date": "2023-08-20T11:24:54+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40070037", "has_markdown": true }, { "id": "40069958", "title": "use-after-poison in blink::CollectChildrenAndRemoveFromOldParent", "url": "https://issues.chromium.org/issues/40069958", "status": "Accepted", "severity": "S3-Low", "component": "Blink>DOM", "bounty_amount": 7000.0, "created_date": "2023-08-18T16:18:51+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40069958", "has_markdown": true }, { "id": "40927191", "title": "Security: Chrome Download UI Clickjacking", "url": "https://issues.chromium.org/issues/40927191", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Bubbles>Download", "bounty_amount": 3000.0, "created_date": "2023-08-18T14:15:54+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40927191", "has_markdown": true }, { "id": "40069946", "title": "Security: Heap buffer overflow write due to bound check missing", "url": "https://issues.chromium.org/issues/40069946", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 7000.0, "created_date": "2023-08-18T14:13:54+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40069946", "has_markdown": true }, { "id": "40069798", "title": "Security: CSA_DCHECK failed: Torque assert 'Is(o)' failed", "url": "https://issues.chromium.org/issues/40069798", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript, Blink>JavaScript>Runtime", "bounty_amount": 15000.0, "created_date": "2023-08-17T13:26:55+00:00", "year": 2023, "attachment_count": 6, "local_path": "issues/40069798", "has_markdown": true }, { "id": "40069646", "title": "Security: UAP in IDBFactory::DidAllowIndexedDB", "url": "https://issues.chromium.org/issues/40069646", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Storage>IndexedDB", "bounty_amount": 7000.0, "created_date": "2023-08-16T02:23:42+00:00", "year": 2023, "attachment_count": 7, "local_path": "issues/40069646", "has_markdown": true }, { "id": "40069622", "title": "Iframe sandbox allow-popups-to-escape-sandbox bypass", "url": "https://issues.chromium.org/issues/40069622", "status": "Accepted", "severity": "S3-Low", "component": "Blink>SecurityFeature>IFrameSandbox", "bounty_amount": 3000.0, "created_date": "2023-08-15T16:59:26+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40069622", "has_markdown": true }, { "id": "40069603", "title": "Security: Heap buffer overflow", "url": "https://issues.chromium.org/issues/40069603", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 1000.0, "created_date": "2023-08-15T12:47:24+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40069603", "has_markdown": true }, { "id": "40069590", "title": "Security: Experimental features : ASAN error : GetNamedPropertyHandler", "url": "https://issues.chromium.org/issues/40069590", "status": "Accepted", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Turbofan", "bounty_amount": 7000.0, "created_date": "2023-08-15T09:01:34+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40069590", "has_markdown": true }, { "id": "40069581", "title": "Security: heap-use-after-free in vkr_ring_start", "url": "https://issues.chromium.org/issues/40069581", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 5000.0, "created_date": "2023-08-15T05:12:41+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40069581", "has_markdown": true }, { "id": "40069571", "title": "chrome.inspectedWindow.eval execution on Web Store with trailing URL dot", "url": "https://issues.chromium.org/issues/40069571", "status": "Accepted", "severity": "S3-Low", "component": "Platform>Extensions>API", "bounty_amount": 5000.0, "created_date": "2023-08-14T23:15:53+00:00", "year": 2023, "attachment_count": 7, "local_path": "issues/40069571", "has_markdown": true }, { "id": "40069462", "title": "Security: Heap buffer overflow due to Integer Overflow", "url": "https://issues.chromium.org/issues/40069462", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 5000.0, "created_date": "2023-08-13T13:42:56+00:00", "year": 2023, "attachment_count": 8, "local_path": "issues/40069462", "has_markdown": true }, { "id": "40069458", "title": " Inadequate Registry management within the Chrome uninstaller resulting in privilege escalation", "url": "https://issues.chromium.org/issues/40069458", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Installer", "bounty_amount": 3000.0, "created_date": "2023-08-13T10:36:07+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40069458", "has_markdown": true }, { "id": "40069440", "title": "Use-After-Free in MediaStreamDeviceObserver::OnDeviceStopped", "url": "https://issues.chromium.org/issues/40069440", "status": "Assigned", "severity": "S3-Low", "component": "Blink>MediaStream", "bounty_amount": 3000.0, "created_date": "2023-08-12T06:23:33+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40069440", "has_markdown": true }, { "id": "40069416", "title": "heap-buffer-overflow in StringForwardingTable::UpdateAfterFullEvacuation", "url": "https://issues.chromium.org/issues/40069416", "status": "Accepted", "severity": "S3-Low", "component": "Blink>JavaScript>GarbageCollection", "bounty_amount": 7000.0, "created_date": "2023-08-11T18:47:18+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40069416", "has_markdown": true }, { "id": "40069340", "title": "Security: UAF in SimpleHostResolverImpl::ResolveHost with chrome", "url": "https://issues.chromium.org/issues/40069340", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Network, Internals>Services>Network", "bounty_amount": 7000.0, "created_date": "2023-08-11T01:45:55+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40069340", "has_markdown": true }, { "id": "40069061", "title": "Security: Cookie for enterprise-policy blocked hosts leaking from the request object in chrome.devtools.network. ", "url": "https://issues.chromium.org/issues/40069061", "status": "Accepted", "severity": "S3-Low", "component": "Platform>Extensions>API", "bounty_amount": 500.0, "created_date": "2023-08-08T20:30:43+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40069061", "has_markdown": true }, { "id": "40926043", "title": "Security: Overflow in compareUTF32Strings()", "url": "https://issues.chromium.org/issues/40926043", "status": "Fixed", "severity": "S3-Low", "component": "Mobile>iOSWeb", "bounty_amount": 7000.0, "created_date": "2023-08-08T09:40:26+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40926043", "has_markdown": true }, { "id": "40069005", "title": "UAF in webrtc::SctpDataChannel::UpdateState (WEBRTC)", "url": "https://issues.chromium.org/issues/40069005", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebRTC>DataChannel", "bounty_amount": 10000.0, "created_date": "2023-08-08T07:15:03+00:00", "year": 2023, "attachment_count": 6, "local_path": "issues/40069005", "has_markdown": true }, { "id": "40068868", "title": "Security: UAF in It2MeNativeMessagingHostLacros::OnSupportSessionStarted", "url": "https://issues.chromium.org/issues/40068868", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 10000.0, "created_date": "2023-08-06T15:15:14+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40068868", "has_markdown": true }, { "id": "40068844", "title": "Security: stack-use-after-scope", "url": "https://issues.chromium.org/issues/40068844", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>CSS", "bounty_amount": 2000.0, "created_date": "2023-08-05T17:40:56+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40068844", "has_markdown": true }, { "id": "40068825", "title": "Security: Debug check failed: HasBytecodeArray()", "url": "https://issues.chromium.org/issues/40068825", "status": "Accepted", "severity": "S3-Low", "component": "Blink>JavaScript>Runtime, Blink>JavaScript>WebAssembly", "bounty_amount": 2000.0, "created_date": "2023-08-05T04:18:42+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40068825", "has_markdown": true }, { "id": "40068664", "title": "Security: Use After Free in NetworkStateNotifier", "url": "https://issues.chromium.org/issues/40068664", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Network, Platform", "bounty_amount": 10000.0, "created_date": "2023-08-03T16:26:11+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40068664", "has_markdown": true }, { "id": "40068612", "title": "Security: Type cast failed in v8", "url": "https://issues.chromium.org/issues/40068612", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript, Blink>JavaScript>Runtime", "bounty_amount": 7000.0, "created_date": "2023-08-03T08:55:40+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40068612", "has_markdown": true }, { "id": "40068607", "title": "Security: Hide Fullscreen Notification ", "url": "https://issues.chromium.org/issues/40068607", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>FullScreen", "bounty_amount": 5000.0, "created_date": "2023-08-03T06:26:49+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40068607", "has_markdown": true }, { "id": "40068602", "title": "Security: Heap-use-after-free in blink::ThrottlingURLLoader::OnReceiveResponse", "url": "https://issues.chromium.org/issues/40068602", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Loader, Platform>Extensions", "bounty_amount": 2000.0, "created_date": "2023-08-03T02:41:49+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40068602", "has_markdown": true }, { "id": "40068570", "title": "Security: Bypass about:blank#blocked In Drag & Drop", "url": "https://issues.chromium.org/issues/40068570", "status": "Accepted", "severity": "S3-Low", "component": "Blink>DataTransfer, UI>Browser>Omnibox", "bounty_amount": 500.0, "created_date": "2023-08-02T13:50:42+00:00", "year": 2023, "attachment_count": 6, "local_path": "issues/40068570", "has_markdown": true }, { "id": "40068543", "title": "UAF in rx::vk::DynamicDescriptorPool::destroyCachedDescriptorSet", "url": "https://issues.chromium.org/issues/40068543", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>Vulkan", "bounty_amount": 10000.0, "created_date": "2023-08-02T10:36:05+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40068543", "has_markdown": true }, { "id": "40068394", "title": "Uaf in OmniboxPopupPresenter::WaitForHandler", "url": "https://issues.chromium.org/issues/40068394", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Omnibox", "bounty_amount": 2000.0, "created_date": "2023-07-31T06:43:47+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40068394", "has_markdown": true }, { "id": "40068389", "title": "Security: stack-use-after-return in tint::wgsl::writer::ASTPrinter::EmitStructType", "url": "https://issues.chromium.org/issues/40068389", "status": "Fixed", "severity": "S3-Low", "component": "Dawn>Tint", "bounty_amount": 10000.0, "created_date": "2023-07-30T23:09:39+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40068389", "has_markdown": true }, { "id": "40068379", "title": "Security: heap-use-after-free on ash/wm/overview/overview_item.cc", "url": "https://issues.chromium.org/issues/40068379", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 2000.0, "created_date": "2023-07-30T16:08:50+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40068379", "has_markdown": true }, { "id": "40068268", "title": "Security: Debug check failed: page->area_size() >= static_cast(page->live_bytes())", "url": "https://issues.chromium.org/issues/40068268", "status": "Assigned", "severity": "S3-Low", "component": "Blink>GarbageCollection", "bounty_amount": 10000.0, "created_date": "2023-07-28T06:46:21+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40068268", "has_markdown": true }, { "id": "40068263", "title": "Security: heap-use-after-free in vkr_context_submit_fence", "url": "https://issues.chromium.org/issues/40068263", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 2000.0, "created_date": "2023-07-28T02:13:10+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40068263", "has_markdown": true }, { "id": "40068144", "title": "Security: heap-use-after-free on ash/wm/desks/desks_controller.cc", "url": "https://issues.chromium.org/issues/40068144", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 2000.0, "created_date": "2023-07-26T19:01:51+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40068144", "has_markdown": true }, { "id": "40068096", "title": "Security: chrome.devtools.inspectedWindow.eval can bypass enterprise-policy blocked hosts using subframes", "url": "https://issues.chromium.org/issues/40068096", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions>API", "bounty_amount": 500.0, "created_date": "2023-07-26T06:54:29+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40068096", "has_markdown": true }, { "id": "40068091", "title": "Security: chrome.devtools.inspectedWindow.getResources allows resources from enterprise policy-blocked hosts", "url": "https://issues.chromium.org/issues/40068091", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions>API", "bounty_amount": 500.0, "created_date": "2023-07-26T06:23:47+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40068091", "has_markdown": true }, { "id": "40068001", "title": "Security: Bypass the Protection of input fields cache (Autofill) ,and Autofill popup can be made hidden", "url": "https://issues.chromium.org/issues/40068001", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Autofill", "bounty_amount": 1000.0, "created_date": "2023-07-24T21:41:51+00:00", "year": 2023, "attachment_count": 11, "local_path": "issues/40068001", "has_markdown": true }, { "id": "40067954", "title": "Security: Extension Has Access to File URL Despite Access is Disabled", "url": "https://issues.chromium.org/issues/40067954", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 5000.0, "created_date": "2023-07-24T07:31:31+00:00", "year": 2023, "attachment_count": 9, "local_path": "issues/40067954", "has_markdown": true }, { "id": "40067948", "title": "Security: Heap-use-after-free in GetAuthorizationRightsWithPrompt", "url": "https://issues.chromium.org/issues/40067948", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Passwords", "bounty_amount": 3000.0, "created_date": "2023-07-24T06:18:07+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40067948", "has_markdown": true }, { "id": "40067943", "title": "Security: V8: Debug check failed: result_type.IsSubtypeOf(output_graph_types_[index]).", "url": "https://issues.chromium.org/issues/40067943", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Turbofan", "bounty_amount": 7000.0, "created_date": "2023-07-24T02:35:17+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40067943", "has_markdown": true }, { "id": "40067914", "title": "Security: [Esc] KeyPress Does Not Work in FullScreen While navigator.share Is Active", "url": "https://issues.chromium.org/issues/40067914", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebShare, UI>Browser>FullScreen", "bounty_amount": 5000.0, "created_date": "2023-07-22T09:30:23+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40067914", "has_markdown": true }, { "id": "40067758", "title": "Security: Heap-use-after-free in HostResolverManager::Job::RunNextTask", "url": "https://issues.chromium.org/issues/40067758", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Network>DNS", "bounty_amount": 3000.0, "created_date": "2023-07-20T09:27:56+00:00", "year": 2023, "attachment_count": 6, "local_path": "issues/40067758", "has_markdown": true }, { "id": "40067712", "title": "Security: Memory corrupt in v8, leading to RCE", "url": "https://issues.chromium.org/issues/40067712", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 23000.0, "created_date": "2023-07-19T17:07:59+00:00", "year": 2023, "attachment_count": 16, "local_path": "issues/40067712", "has_markdown": true }, { "id": "40067612", "title": "Security: heap-use-after-free in network::NetworkContext::DestroyURLLoaderFactory", "url": "https://issues.chromium.org/issues/40067612", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Loader, Blink>SecurityFeature>CORS, Internals>Network", "bounty_amount": 2000.0, "created_date": "2023-07-18T12:30:37+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40067612", "has_markdown": true }, { "id": "40067530", "title": "Security: Type confusion in VisitFindNonDefaultConstructorOrConstruct of Maglev", "url": "https://issues.chromium.org/issues/40067530", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Compiler>Maglev", "bounty_amount": 20000.0, "created_date": "2023-07-17T12:25:03+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40067530", "has_markdown": true }, { "id": "40067522", "title": "Security: Heap-use-after-free in BrowsingTopicsServiceImpl::GetBrowsingTopicsStateForWebUi", "url": "https://issues.chromium.org/issues/40067522", "status": "Assigned", "severity": "S3-Low", "component": "Blink>TopicsAPI", "bounty_amount": 1000.0, "created_date": "2023-07-17T09:20:40+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40067522", "has_markdown": true }, { "id": "40067505", "title": "[Autofill] Keyboard accessory, bottom sheet accept unintentional user input", "url": "https://issues.chromium.org/issues/40067505", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Autofill", "bounty_amount": 2000.0, "created_date": "2023-07-16T22:39:41+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40067505", "has_markdown": true }, { "id": "40067499", "title": "XSS on Image Loader extension and chrome://resources, abusable by extensions to access private APIs", "url": "https://issues.chromium.org/issues/40067499", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 5000.0, "created_date": "2023-07-16T16:34:09+00:00", "year": 2023, "attachment_count": 6, "local_path": "issues/40067499", "has_markdown": true }, { "id": "40067496", "title": "Security: Memory corruption due to HeapVector iterator invalidation", "url": "https://issues.chromium.org/issues/40067496", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools", "bounty_amount": 3000.0, "created_date": "2023-07-16T13:57:32+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40067496", "has_markdown": true }, { "id": "40067485", "title": "Security: Debug check failed: !s.InSharedHeap().", "url": "https://issues.chromium.org/issues/40067485", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Compiler>Turbofan", "bounty_amount": 7000.0, "created_date": "2023-07-15T12:30:02+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40067485", "has_markdown": true }, { "id": "40067456", "title": "Security: Desktop permission prompt tapjacking", "url": "https://issues.chromium.org/issues/40067456", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Views", "bounty_amount": 1000.0, "created_date": "2023-07-14T19:32:15+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40067456", "has_markdown": true }, { "id": "40067406", "title": "Security: UaF in Mirroring", "url": "https://issues.chromium.org/issues/40067406", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Cast>Streaming", "bounty_amount": 2000.0, "created_date": "2023-07-14T00:29:07+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40067406", "has_markdown": true }, { "id": "40067401", "title": "Security: PiP window can obscure sensitive UI: External protocol dialog", "url": "https://issues.chromium.org/issues/40067401", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Media>PictureInPicture", "bounty_amount": 1000.0, "created_date": "2023-07-13T22:16:05+00:00", "year": 2023, "attachment_count": 10, "local_path": "issues/40067401", "has_markdown": true }, { "id": "40067380", "title": "Security: UAF in VisualSearchClassifierHost::StartClassificationWithModel", "url": "https://issues.chromium.org/issues/40067380", "status": "Accepted", "severity": "S4-Minimal", "component": "UI>Browser", "bounty_amount": 2000.0, "created_date": "2023-07-13T16:19:05+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40067380", "has_markdown": true }, { "id": "40067329", "title": "XSS on chrome://file-manager, abusable by extensions", "url": "https://issues.chromium.org/issues/40067329", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Sandbox>SiteIsolation, Platform>Extensions", "bounty_amount": 5000.0, "created_date": "2023-07-13T04:49:48+00:00", "year": 2023, "attachment_count": 7, "local_path": "issues/40067329", "has_markdown": true }, { "id": "40067327", "title": "UAF in gsm_cleanup_mux", "url": "https://issues.chromium.org/issues/40067327", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 1500.0, "created_date": "2023-07-13T03:59:55+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40067327", "has_markdown": true }, { "id": "40067324", "title": "Security: Chrome OS: bluez missed patch can cause remotely information leak in function cli_feat_read_cb", "url": "https://issues.chromium.org/issues/40067324", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 500.0, "created_date": "2023-07-13T03:04:27+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40067324", "has_markdown": true }, { "id": "40067259", "title": "Race Condition UAF in DRM_IOCTL_MODE_ATOMIC", "url": "https://issues.chromium.org/issues/40067259", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 750.0, "created_date": "2023-07-12T04:42:55+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40067259", "has_markdown": true }, { "id": "40067239", "title": "I'm reporting an incomplete fix for a prior report (1451211) and (1427865).", "url": "https://issues.chromium.org/issues/40067239", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGL, Blink>WebGPU, Internals>GPU>ANGLE, Internals>GPU>SwiftShader", "bounty_amount": 15000.0, "created_date": "2023-07-11T20:11:40+00:00", "year": 2023, "attachment_count": 8, "local_path": "issues/40067239", "has_markdown": true }, { "id": "40067231", "title": "Extensions on lens.google.com can bypass host permissions and open chrome-untrusted:// URLs with side panel", "url": "https://issues.chromium.org/issues/40067231", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Sandbox>SiteIsolation, Platform>Extensions, UI>Browser>TopChrome>SidePanel", "bounty_amount": 3000.0, "created_date": "2023-07-11T18:22:04+00:00", "year": 2023, "attachment_count": 9, "local_path": "issues/40067231", "has_markdown": true }, { "id": "40067195", "title": "Security: ChromeOS: Information leak due to type confusion in u32 classifier", "url": "https://issues.chromium.org/issues/40067195", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 750.0, "created_date": "2023-07-11T10:18:07+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40067195", "has_markdown": true }, { "id": "40067152", "title": "Extensions can open chrome-untrusted:// URLs with identity.launchWebAuthFlow", "url": "https://issues.chromium.org/issues/40067152", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 750.0, "created_date": "2023-07-10T15:53:17+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40067152", "has_markdown": true }, { "id": "40067111", "title": "memory corruption in perfetto", "url": "https://issues.chromium.org/issues/40067111", "status": "Accepted", "severity": "S3-Low", "component": "Speed>Tracing", "bounty_amount": 2000.0, "created_date": "2023-07-09T16:36:39+00:00", "year": 2023, "attachment_count": 6, "local_path": "issues/40067111", "has_markdown": true }, { "id": "40067050", "title": "Security: Type Confusion in V8 WebAssembly, leading to RCE", "url": "https://issues.chromium.org/issues/40067050", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 20000.0, "created_date": "2023-07-07T15:46:44+00:00", "year": 2023, "attachment_count": 8, "local_path": "issues/40067050", "has_markdown": true }, { "id": "40066990", "title": "Security: Eyedropper API can confuse real cursor position which can cause users to be tricked into clicking unwanted positions (ie. accepting permission prompts)", "url": "https://issues.chromium.org/issues/40066990", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Forms>Color", "bounty_amount": 2000.0, "created_date": "2023-07-06T20:46:52+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40066990", "has_markdown": true }, { "id": "40066948", "title": "Security: Chrome OS : Two security bugs of mwifiex", "url": "https://issues.chromium.org/issues/40066948", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 1500.0, "created_date": "2023-07-06T09:27:34+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40066948", "has_markdown": true }, { "id": "40066828", "title": "Incognito Mode Leaving Alert Dialog Box Tapjacking on DoubleClick", "url": "https://issues.chromium.org/issues/40066828", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Incognito", "bounty_amount": 2000.0, "created_date": "2023-07-04T11:06:40+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40066828", "has_markdown": true }, { "id": "40066811", "title": "Race Condition UAF in KVM_DEV_VFIO_GROUP", "url": "https://issues.chromium.org/issues/40066811", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 9500.0, "created_date": "2023-07-04T05:43:36+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40066811", "has_markdown": true }, { "id": "40066798", "title": "chrome.devtools.inspectedWindow origin limitations are very broken and can be bypassed", "url": "https://issues.chromium.org/issues/40066798", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools>Extensions", "bounty_amount": 1000.0, "created_date": "2023-07-03T18:36:42+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40066798", "has_markdown": true }, { "id": "40066780", "title": "Security: Document PIP URL address spoofing using long about:blank URL", "url": "https://issues.chromium.org/issues/40066780", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Media>PictureInPicture", "bounty_amount": 3000.0, "created_date": "2023-07-03T14:53:22+00:00", "year": 2023, "attachment_count": 6, "local_path": "issues/40066780", "has_markdown": true }, { "id": "40066756", "title": "Security: Heap-use-after-free in WaitForStoreInitializeTask::UpgradeDone", "url": "https://issues.chromium.org/issues/40066756", "status": "Fixed", "severity": "S3-Low", "component": "Internals>Media>Feeds, UI>Browser>ContentSuggestions>Feed", "bounty_amount": 2000.0, "created_date": "2023-07-03T10:04:49+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40066756", "has_markdown": true }, { "id": "40066754", "title": "Security: Heap-use-after-free in Browser::GetBrowserForOpeningWebUi", "url": "https://issues.chromium.org/issues/40066754", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Media>PictureInPicture", "bounty_amount": 3000.0, "created_date": "2023-07-03T10:03:07+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40066754", "has_markdown": true }, { "id": "40066643", "title": "Security: about:blank origin shown in Bluetooth and other permission dialogs", "url": "https://issues.chromium.org/issues/40066643", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Bluetooth, Blink>HID, Blink>Serial, Blink>USB, UI>Browser>Permissions>Prompts", "bounty_amount": 3000.0, "created_date": "2023-06-29T16:12:11+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40066643", "has_markdown": true }, { "id": "40066578", "title": "Security: Bypass Spoofing download domain Chrome Windows ", "url": "https://issues.chromium.org/issues/40066578", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Downloads", "bounty_amount": 1000.0, "created_date": "2023-06-28T16:16:42+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40066578", "has_markdown": true }, { "id": "40066577", "title": "Security: Libxslt arbitrary file reading using document() method and external entities.", "url": "https://issues.chromium.org/issues/40066577", "status": "Assigned", "severity": "S3-Low", "component": "Blink>XML", "bounty_amount": 3000.0, "created_date": "2023-06-28T16:00:21+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40066577", "has_markdown": true }, { "id": "40066575", "title": "Security: Heap-buffer-overflow in CompositorFrameSinkSupport::DidPresentCompositorFrame", "url": "https://issues.chromium.org/issues/40066575", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU, Internals>Services>Viz", "bounty_amount": 15000.0, "created_date": "2023-06-28T13:39:59+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40066575", "has_markdown": true }, { "id": "40066572", "title": "Security: Chrome OS : Multiple bugs in cros_gralloc", "url": "https://issues.chromium.org/issues/40066572", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 1000.0, "created_date": "2023-06-28T12:51:50+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40066572", "has_markdown": true }, { "id": "40066476", "title": "Security: Heap-use-after-free in KeyRotationLauncherImpl::SynchronizePublicKey", "url": "https://issues.chromium.org/issues/40066476", "status": "Assigned", "severity": "S3-Low", "component": "Enterprise>Connectors", "bounty_amount": 4000.0, "created_date": "2023-06-27T06:58:01+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40066476", "has_markdown": true }, { "id": "40066473", "title": "Security: V8: Fatal error in ../../src/api/api-inl.h, line 55", "url": "https://issues.chromium.org/issues/40066473", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Maglev", "bounty_amount": 7000.0, "created_date": "2023-06-27T06:05:26+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40066473", "has_markdown": true }, { "id": "40066392", "title": "Security: [ANGLE] metal : Out-of-bounds memory can be accessed on DrawCmd", "url": "https://issues.chromium.org/issues/40066392", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGL, Internals>GPU>ANGLE", "bounty_amount": 10000.0, "created_date": "2023-06-26T07:04:11+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40066392", "has_markdown": true }, { "id": "40066368", "title": "UAF in media_router::IssuesObserver::~IssuesObserver()", "url": "https://issues.chromium.org/issues/40066368", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Cast", "bounty_amount": 5000.0, "created_date": "2023-06-25T06:14:59+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40066368", "has_markdown": true }, { "id": "40066351", "title": "memory corruption in MarkCompactCollector::ProcessMarkingWorklist(v8)", "url": "https://issues.chromium.org/issues/40066351", "status": "Accepted", "severity": "S3-Low", "component": "Blink>JavaScript>GarbageCollection", "bounty_amount": 7000.0, "created_date": "2023-06-24T15:47:36+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40066351", "has_markdown": true }, { "id": "40918488", "title": "Security: [Fix bypass] PWA Install prompt can still be overlaid over other origins", "url": "https://issues.chromium.org/issues/40918488", "status": "Accepted", "severity": "S4-Minimal", "component": "Platform>WebAppProvider", "bounty_amount": 2000.0, "created_date": "2023-06-24T06:42:06+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40918488", "has_markdown": true }, { "id": "40066280", "title": "Security: UAF in webrtc::SctpDataChannel::SetState", "url": "https://issues.chromium.org/issues/40066280", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebRTC>DataChannel", "bounty_amount": 7000.0, "created_date": "2023-06-23T04:30:21+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40066280", "has_markdown": true }, { "id": "40066213", "title": "Security: use-after-free/data-race (in off-by-default JavaScriptExperimentalSharedMemory feature)", "url": "https://issues.chromium.org/issues/40066213", "status": "Fixed", "severity": "S3-Low", "component": "Blink>JavaScript", "bounty_amount": 10000.0, "created_date": "2023-06-22T05:37:35+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40066213", "has_markdown": true }, { "id": "40066208", "title": "Security: SoftNavigation + first-paint can leak history information", "url": "https://issues.chromium.org/issues/40066208", "status": "Assigned", "severity": "S3-Low", "component": "Blink>PerformanceAPIs", "bounty_amount": 5000.0, "created_date": "2023-06-22T00:27:27+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40066208", "has_markdown": true }, { "id": "40918159", "title": "Security: (Android) file download with long name cannot show the extension file it lead to spoof", "url": "https://issues.chromium.org/issues/40918159", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Downloads", "bounty_amount": 1000.0, "created_date": "2023-06-21T19:47:54+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40918159", "has_markdown": true }, { "id": "40066145", "title": "Race Condition UAF in amdgpu_cs_wait_fences_ioctl", "url": "https://issues.chromium.org/issues/40066145", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 1000.0, "created_date": "2023-06-21T00:28:02+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40066145", "has_markdown": true }, { "id": "40066076", "title": "Security: [ANGLE] opengl : Out-of-bounds memory can be accessed using offsets in vertexAttribPointer", "url": "https://issues.chromium.org/issues/40066076", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGL, Internals>GPU>ANGLE", "bounty_amount": 10000.0, "created_date": "2023-06-20T06:09:42+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40066076", "has_markdown": true }, { "id": "40065952", "title": "Security: Local privilege escalation & sandbox escaping via chromeos-6.1 kernel BUG (DirtyVMA)", "url": "https://issues.chromium.org/issues/40065952", "status": "Accepted", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 500.0, "created_date": "2023-06-17T02:11:38+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40065952", "has_markdown": true }, { "id": "40065894", "title": "Security: Heap-use-after-free in ui::PropertyHandler::GetPropertyInternal", "url": "https://issues.chromium.org/issues/40065894", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Views, UI>Browser>Sharing", "bounty_amount": 2000.0, "created_date": "2023-06-16T01:00:28+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40065894", "has_markdown": true }, { "id": "40065872", "title": "Security: Autofill Exploit Using Custom CSS Cursor", "url": "https://issues.chromium.org/issues/40065872", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Autofill", "bounty_amount": 2000.0, "created_date": "2023-06-15T16:08:59+00:00", "year": 2023, "attachment_count": 7, "local_path": "issues/40065872", "has_markdown": true }, { "id": "40065810", "title": "Security: Users cannot escape the full screen mode in this offline .html file", "url": "https://issues.chromium.org/issues/40065810", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>FullScreen", "bounty_amount": 3000.0, "created_date": "2023-06-14T15:53:02+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40065810", "has_markdown": true }, { "id": "40065759", "title": "Security: Cursor hijacking mitigation bypass if iframe's content area is outside the top-layer content area", "url": "https://issues.chromium.org/issues/40065759", "status": "Assigned", "severity": "S3-Low", "component": "Blink>CSS, Blink>HTML>IFrame, Blink>Input", "bounty_amount": 1000.0, "created_date": "2023-06-13T17:24:42+00:00", "year": 2023, "attachment_count": 9, "local_path": "issues/40065759", "has_markdown": true }, { "id": "40065715", "title": "Security: OOB in evdi_gem_fault", "url": "https://issues.chromium.org/issues/40065715", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 1500.0, "created_date": "2023-06-13T07:24:04+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40065715", "has_markdown": true }, { "id": "40065704", "title": "Security: Out of bound in intel_pxp_sm_ioctl_query_pxp_tag", "url": "https://issues.chromium.org/issues/40065704", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 1250.0, "created_date": "2023-06-13T02:26:50+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40065704", "has_markdown": true }, { "id": "40065676", "title": "Security: heap-buffer-overflow in vkr_dispatch_vkAllocateMemory", "url": "https://issues.chromium.org/issues/40065676", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 1000.0, "created_date": "2023-06-12T14:58:04+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40065676", "has_markdown": true }, { "id": "40065675", "title": "UAF in webrtc::DataChannelController::OnChannelStateChanged", "url": "https://issues.chromium.org/issues/40065675", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebRTC>DataChannel", "bounty_amount": 7000.0, "created_date": "2023-06-12T14:09:18+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40065675", "has_markdown": true }, { "id": "40065644", "title": "Security: Fatal error in ../../src/compiler/turboshaft/types.h", "url": "https://issues.chromium.org/issues/40065644", "status": "Accepted", "severity": "S4-Minimal", "component": "Blink>JavaScript>Compiler", "bounty_amount": 7000.0, "created_date": "2023-06-12T02:35:14+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40065644", "has_markdown": true }, { "id": "40065634", "title": "Security: Chrome OS: OOB write in function session_get_prop_buf_req of venus driver", "url": "https://issues.chromium.org/issues/40065634", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 500.0, "created_date": "2023-06-11T13:46:09+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40065634", "has_markdown": true }, { "id": "40065633", "title": "Security: Chrome OS: Multiple Heap Buffer OOB write bugs in venus driver because of reenter in hfi_parser function", "url": "https://issues.chromium.org/issues/40065633", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 500.0, "created_date": "2023-06-11T12:24:15+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40065633", "has_markdown": true }, { "id": "40065632", "title": "Security: Chrome OS: Heap Buffer OOB write in function init_codecs of venus driver", "url": "https://issues.chromium.org/issues/40065632", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 500.0, "created_date": "2023-06-11T12:02:23+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40065632", "has_markdown": true }, { "id": "40065630", "title": "Security: Chrome OS: Buffer overflow in function parse_raw_formats of venus driver", "url": "https://issues.chromium.org/issues/40065630", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 500.0, "created_date": "2023-06-11T10:05:46+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40065630", "has_markdown": true }, { "id": "40065604", "title": "Security: Page can obtain autofill data with two consecutive taps using EyeDropper API (bypass of multiple prior fixes)", "url": "https://issues.chromium.org/issues/40065604", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Autofill>AddressesAndMore, UI>Browser>Autofill>Payments", "bounty_amount": 10000.0, "created_date": "2023-06-09T23:50:10+00:00", "year": 2023, "attachment_count": 7, "local_path": "issues/40065604", "has_markdown": true }, { "id": "40065577", "title": "Security: Stack-use-after-return in BrowserAttestationService::OnChallengeValidated", "url": "https://issues.chromium.org/issues/40065577", "status": "Accepted", "severity": "S3-Low", "component": "Enterprise>Connectors", "bounty_amount": 5000.0, "created_date": "2023-06-09T13:37:15+00:00", "year": 2023, "attachment_count": 8, "local_path": "issues/40065577", "has_markdown": true }, { "id": "40065570", "title": "Security: UAF in gpu::ClientSharedImageInterface::DestroySharedImage(browser process)", "url": "https://issues.chromium.org/issues/40065570", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Services>Viz", "bounty_amount": 2000.0, "created_date": "2023-06-09T10:42:08+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40065570", "has_markdown": true }, { "id": "40065552", "title": "Security: Multiple cros_ec bugs when handling host commands from Application Processor", "url": "https://issues.chromium.org/issues/40065552", "status": "Accepted", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 500.0, "created_date": "2023-06-09T05:51:24+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40065552", "has_markdown": true }, { "id": "40065551", "title": "Security: URLBlocklist can be bypassed using chrome://download-internals", "url": "https://issues.chromium.org/issues/40065551", "status": "Assigned", "severity": "S3-Low", "component": "Enterprise, UI>Browser>Downloads, UI>Browser>WebUI", "bounty_amount": 1000.0, "created_date": "2023-06-09T05:27:16+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40065551", "has_markdown": true }, { "id": "40065546", "title": "Security: heap-use-after-free on chrome/browser/ui/views/tabs/tab_strip.cc:220:5", "url": "https://issues.chromium.org/issues/40065546", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>TopChrome>TabStrip>TabGroups", "bounty_amount": 2000.0, "created_date": "2023-06-09T01:22:30+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40065546", "has_markdown": true }, { "id": "40065507", "title": "Security: Heap-use-after-free in UploadToReportingServer", "url": "https://issues.chromium.org/issues/40065507", "status": "Assigned", "severity": "S3-Low", "component": "Enterprise", "bounty_amount": 2000.0, "created_date": "2023-06-08T10:25:28+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40065507", "has_markdown": true }, { "id": "40065473", "title": "Security: Type confusion in v8 caused by incorrect side effect modelling of JSStackCheck", "url": "https://issues.chromium.org/issues/40065473", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript, Blink>JavaScript>Runtime", "bounty_amount": 20000.0, "created_date": "2023-06-07T14:58:26+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40065473", "has_markdown": true }, { "id": "40065422", "title": "Security : Heap UaF on ash/wm/splitview/split_view_divider_view.cc:168:23", "url": "https://issues.chromium.org/issues/40065422", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 2000.0, "created_date": "2023-06-06T15:32:25+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40065422", "has_markdown": true }, { "id": "40065403", "title": "Security: Tapjacking Android Chrome APK Warning", "url": "https://issues.chromium.org/issues/40065403", "status": "Accepted", "severity": "S4-Minimal", "component": "UI>Browser>Downloads", "bounty_amount": 1000.0, "created_date": "2023-06-06T08:47:47+00:00", "year": 2023, "attachment_count": 6, "local_path": "issues/40065403", "has_markdown": true }, { "id": "40065395", "title": "Security: OOB in vb2ops_venc_queue_setup", "url": "https://issues.chromium.org/issues/40065395", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 500.0, "created_date": "2023-06-06T04:07:51+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40065395", "has_markdown": true }, { "id": "40065384", "title": "Security: Spoof empty titlebar via javascript: URI in Document PIP", "url": "https://issues.chromium.org/issues/40065384", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Media>PictureInPicture", "bounty_amount": 1000.0, "created_date": "2023-06-05T19:12:28+00:00", "year": 2023, "attachment_count": 11, "local_path": "issues/40065384", "has_markdown": true }, { "id": "40065267", "title": "Security: UAF in ash::diagnostics::AsyncLog::Append", "url": "https://issues.chromium.org/issues/40065267", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 2000.0, "created_date": "2023-06-04T05:53:30+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40065267", "has_markdown": true }, { "id": "40065258", "title": "chrome.devtools.inspectedWindow.reload can run scripts on the Chrome Web Store", "url": "https://issues.chromium.org/issues/40065258", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 3000.0, "created_date": "2023-06-03T20:43:21+00:00", "year": 2023, "attachment_count": 6, "local_path": "issues/40065258", "has_markdown": true }, { "id": "40065256", "title": "Heap-use-after-free in ui::AXTreeSerializer::AnyDescendantWasReparented", "url": "https://issues.chromium.org/issues/40065256", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Accessibility, Internals>Accessibility", "bounty_amount": 7000.0, "created_date": "2023-06-03T17:44:18+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40065256", "has_markdown": true }, { "id": "40065200", "title": "UAF in MarkingWorklists::Local::IsEmpty(v8)", "url": "https://issues.chromium.org/issues/40065200", "status": "Accepted", "severity": "S3-Low", "component": "Blink>JavaScript>GarbageCollection", "bounty_amount": 7000.0, "created_date": "2023-06-02T08:26:07+00:00", "year": 2023, "attachment_count": 7, "local_path": "issues/40065200", "has_markdown": true }, { "id": "40065191", "title": "Security: UAF in extensions::OffscreenCreateDocumentFunction::OnExtensionHostDestroyed (browser process)", "url": "https://issues.chromium.org/issues/40065191", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 1000.0, "created_date": "2023-06-02T05:03:34+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40065191", "has_markdown": true }, { "id": "40065188", "title": "Security: v8 crash Bytecode mismatch at offset 78", "url": "https://issues.chromium.org/issues/40065188", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Interpreter", "bounty_amount": 7000.0, "created_date": "2023-06-02T02:35:44+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40065188", "has_markdown": true }, { "id": "40065154", "title": "Security: UAF in AutofillSnackbarController", "url": "https://issues.chromium.org/issues/40065154", "status": "New", "severity": "S3-Low", "component": "UI>Browser>Autofill>Payments", "bounty_amount": 20000.0, "created_date": "2023-06-01T13:12:25+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40065154", "has_markdown": true }, { "id": "40065124", "title": "Security: UAF in guest_view::GuestViewManager::EmbedderProcessDestroyed(browser process)", "url": "https://issues.chromium.org/issues/40065124", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Apps>BrowserTag", "bounty_amount": 5000.0, "created_date": "2023-05-31T23:41:47+00:00", "year": 2023, "attachment_count": 7, "local_path": "issues/40065124", "has_markdown": true }, { "id": "40065117", "title": "Security: Document PiP URL spoof", "url": "https://issues.chromium.org/issues/40065117", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Media>PictureInPicture", "bounty_amount": 5000.0, "created_date": "2023-05-31T22:38:42+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40065117", "has_markdown": true }, { "id": "40065050", "title": "CHECK failure: !v8::internal::v8_flags.enable_slow_asserts.value() || (IsSeqOneByteString_NonIn", "url": "https://issues.chromium.org/issues/40065050", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript", "bounty_amount": 5000.0, "created_date": "2023-05-31T02:18:07+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40065050", "has_markdown": true }, { "id": "40065022", "title": "Security: heap-use-after-free on AudioManagerWin", "url": "https://issues.chromium.org/issues/40065022", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Media>Audio", "bounty_amount": 4000.0, "created_date": "2023-05-30T15:25:04+00:00", "year": 2023, "attachment_count": 11, "local_path": "issues/40065022", "has_markdown": true }, { "id": "40065011", "title": "Security: SEGV on emit_ios_generic_outputs", "url": "https://issues.chromium.org/issues/40065011", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 7000.0, "created_date": "2023-05-30T12:26:58+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40065011", "has_markdown": true }, { "id": "40065003", "title": "Security: Bypass the Protection of input fields cache (Autofill) due to inappropriate code design (Bypass 1108181)", "url": "https://issues.chromium.org/issues/40065003", "status": "Accepted", "severity": "S4-Minimal", "component": "UI>Browser>Autofill", "bounty_amount": 5000.0, "created_date": "2023-05-30T11:11:16+00:00", "year": 2023, "attachment_count": 10, "local_path": "issues/40065003", "has_markdown": true }, { "id": "40064983", "title": "Security: type mismatch with jit,0 vs 65536", "url": "https://issues.chromium.org/issues/40064983", "status": "Fixed", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler", "bounty_amount": 7000.0, "created_date": "2023-05-29T23:53:35+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40064983", "has_markdown": true }, { "id": "40064965", "title": "Security: heap-use-after-free on LibcastSocketService", "url": "https://issues.chromium.org/issues/40064965", "status": "New", "severity": "S3-Low", "component": "Internals>Cast>Providers", "bounty_amount": 16000.0, "created_date": "2023-05-29T14:27:06+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40064965", "has_markdown": true }, { "id": "40064841", "title": "Security: Forced user interaction for Hidden permission prompts by freezing/resizing the browser Bypass of 1371215 ", "url": "https://issues.chromium.org/issues/40064841", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Permissions>Prompts", "bounty_amount": 3000.0, "created_date": "2023-05-25T21:37:54+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40064841", "has_markdown": true }, { "id": "40064789", "title": "Security: UAF in AcquireFileAccessPermissionDoneForScheduleDownload", "url": "https://issues.chromium.org/issues/40064789", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Network, UI>Browser>Offline", "bounty_amount": 30000.0, "created_date": "2023-05-24T14:37:06+00:00", "year": 2023, "attachment_count": 6, "local_path": "issues/40064789", "has_markdown": true }, { "id": "40064754", "title": "Security: Spoofing Permission Prompts UI behind PIP overlay-Bypass of 1394410 ", "url": "https://issues.chromium.org/issues/40064754", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Media>PictureInPicture, UI>Browser>Permissions>Prompts", "bounty_amount": 2000.0, "created_date": "2023-05-23T15:44:46+00:00", "year": 2023, "attachment_count": 7, "local_path": "issues/40064754", "has_markdown": true }, { "id": "40064747", "title": "Security: Heap Buffer Overflow and Security DCHECK failed: IsA(from) in MediaStreamTrackImpl::stopTrack", "url": "https://issues.chromium.org/issues/40064747", "status": "Assigned", "severity": "S3-Low", "component": "Blink>MediaStream", "bounty_amount": 10000.0, "created_date": "2023-05-23T10:13:04+00:00", "year": 2023, "attachment_count": 8, "local_path": "issues/40064747", "has_markdown": true }, { "id": "40064728", "title": "Security: TALOS-2023-1751 - Google Chrome VideoEncoder av1_svc_check_reset_layer_rc_flag use-after-free vulnerability", "url": "https://issues.chromium.org/issues/40064728", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Media", "bounty_amount": 10000.0, "created_date": "2023-05-22T15:25:55+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40064728", "has_markdown": true }, { "id": "40064697", "title": "Integer overflow in vkr_cs_encoder_set_stream", "url": "https://issues.chromium.org/issues/40064697", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>Internals", "bounty_amount": 7000.0, "created_date": "2023-05-21T07:51:58+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40064697", "has_markdown": true }, { "id": "40064696", "title": "Security:Integer overflow in vn_decode_vkExecuteCommandStreamsMESA_args_temp", "url": "https://issues.chromium.org/issues/40064696", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>Internals", "bounty_amount": 7000.0, "created_date": "2023-05-21T06:59:00+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40064696", "has_markdown": true }, { "id": "40064688", "title": "Security: the autofill prompt appears together with the requesfullscreen, the autofill prompt does not close it can confuse lead to spoof", "url": "https://issues.chromium.org/issues/40064688", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Autofill", "bounty_amount": 1000.0, "created_date": "2023-05-19T23:22:08+00:00", "year": 2023, "attachment_count": 8, "local_path": "issues/40064688", "has_markdown": true }, { "id": "40064686", "title": "Security: Chrome for Android Slowdown with JS then Navigate able to Hide Omnibox", "url": "https://issues.chromium.org/issues/40064686", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Navigation>BFCache", "bounty_amount": 7500.0, "created_date": "2023-05-19T21:26:33+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40064686", "has_markdown": true }, { "id": "40064642", "title": "Security: Bypass Of 1342072", "url": "https://issues.chromium.org/issues/40064642", "status": "Assigned", "severity": "S3-Low", "component": "Blink>PresentationAPI, UI>Security (Use Subcomponent)>UrlFormatting", "bounty_amount": 2000.0, "created_date": "2023-05-18T19:23:31+00:00", "year": 2023, "attachment_count": 7, "local_path": "issues/40064642", "has_markdown": true }, { "id": "40064636", "title": "Security: (Android) PWA Install Dialogs can be overlaid over other origins (PWA install dialog spoofing while navigation).", "url": "https://issues.chromium.org/issues/40064636", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Mobile>CompositedUI, UI>Browser>Mobile>CustomTabs, UI>Browser>Mobile>Messages, UI>Browser>WebAppInstalls>Android", "bounty_amount": 1000.0, "created_date": "2023-05-18T16:38:35+00:00", "year": 2023, "attachment_count": 8, "local_path": "issues/40064636", "has_markdown": true }, { "id": "40064616", "title": "Security: Side-channel attack allows accessing the browsing history", "url": "https://issues.chromium.org/issues/40064616", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Paint, Internals>GPU", "bounty_amount": 1000.0, "created_date": "2023-05-17T12:12:17+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40064616", "has_markdown": true }, { "id": "40064615", "title": "Security: UAF in webrtc::PeerConnection::ReportTransportStats()", "url": "https://issues.chromium.org/issues/40064615", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebRTC", "bounty_amount": 3000.0, "created_date": "2023-05-17T11:22:13+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40064615", "has_markdown": true }, { "id": "40064598", "title": "intent:// restrictions bypassed via firebase dynamic links", "url": "https://issues.chromium.org/issues/40064598", "status": "Assigned", "severity": "S3-Low", "component": "Blink>SecurityFeature>ContentSecurityPolicy, Mobile>Intents", "bounty_amount": 3000.0, "created_date": "2023-05-16T16:10:07+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40064598", "has_markdown": true }, { "id": "40064579", "title": "Security: Chrome iOS iframe SandBox Download", "url": "https://issues.chromium.org/issues/40064579", "status": "Accepted", "severity": "S3-Low", "component": "Mobile>iOSWeb>Security", "bounty_amount": 1000.0, "created_date": "2023-05-15T18:54:37+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40064579", "has_markdown": true }, { "id": "40064571", "title": "Security: Heap-use-after-free in AboutThisSiteSidePanelView::HandleKeyboardEvent", "url": "https://issues.chromium.org/issues/40064571", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Bubbles>PageInfo", "bounty_amount": 2000.0, "created_date": "2023-05-15T11:29:42+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40064571", "has_markdown": true }, { "id": "40064564", "title": "Security: Use-after-free in CPWL_ComboBox::OnKeyDown", "url": "https://issues.chromium.org/issues/40064564", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Plugins>PDF", "bounty_amount": 7000.0, "created_date": "2023-05-15T04:42:40+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40064564", "has_markdown": true }, { "id": "40064538", "title": "Security: Chrome German capital sharp s \"ẞ\"", "url": "https://issues.chromium.org/issues/40064538", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Network, Internals>Network, UI>Security (Use Subcomponent)>UrlFormatting", "bounty_amount": 2000.0, "created_date": "2023-05-12T22:35:55+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40064538", "has_markdown": true }, { "id": "40064508", "title": "Security: A use after free vulnerability exists in ChromeOS Kernel", "url": "https://issues.chromium.org/issues/40064508", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 15000.0, "created_date": "2023-05-11T16:20:57+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40064508", "has_markdown": true }, { "id": "40064493", "title": "Security: another UAF in content::SyntheticPointerAction::ForwardTouchOrMouseInputEvents(browser process)", "url": "https://issues.chromium.org/issues/40064493", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Input", "bounty_amount": 2000.0, "created_date": "2023-05-11T00:54:35+00:00", "year": 2023, "attachment_count": 6, "local_path": "issues/40064493", "has_markdown": true }, { "id": "40064490", "title": "Security: PDFium (XFA) Use-after-free in CFFL_ListBox::SaveData", "url": "https://issues.chromium.org/issues/40064490", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Plugins>PDF", "bounty_amount": 7000.0, "created_date": "2023-05-10T23:51:50+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40064490", "has_markdown": true }, { "id": "40064476", "title": "Security: UAF in CommitErrorPage", "url": "https://issues.chromium.org/issues/40064476", "status": "New", "severity": "S3-Low", "component": "UI>Browser>Navigation", "bounty_amount": 30000.0, "created_date": "2023-05-10T10:39:31+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40064476", "has_markdown": true }, { "id": "40064463", "title": "Security: PDFium (XFA) Use-after-free in CPWL_ComboBox::OnChar", "url": "https://issues.chromium.org/issues/40064463", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Plugins>PDF", "bounty_amount": 7000.0, "created_date": "2023-05-09T23:37:12+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40064463", "has_markdown": true }, { "id": "40064452", "title": "Heap-use-after-free in v8::internal::TracedHandles::Destroy", "url": "https://issues.chromium.org/issues/40064452", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>API, Blink>JavaScript>Runtime", "bounty_amount": 7000.0, "created_date": "2023-05-09T13:12:28+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40064452", "has_markdown": true }, { "id": "40064447", "title": "Security: Chrome OS cros_camera_service OOB write in function CameraDeviceAdapter::RegisterBufferLocked", "url": "https://issues.chromium.org/issues/40064447", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 7000.0, "created_date": "2023-05-09T10:47:32+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40064447", "has_markdown": true }, { "id": "40064446", "title": "Security: Chrome OS cros_camera_service OOB read and write when handling metadata_entry", "url": "https://issues.chromium.org/issues/40064446", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 7000.0, "created_date": "2023-05-09T10:34:40+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40064446", "has_markdown": true }, { "id": "40064445", "title": "Security: Chrome OS cros_camera_service integer overflow in calculate_camera_metadata_size can cause OOB write ", "url": "https://issues.chromium.org/issues/40064445", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 10000.0, "created_date": "2023-05-09T10:05:00+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40064445", "has_markdown": true }, { "id": "40064444", "title": "Security:stack-buffer-overflow in vrend_shader_sampler_views_mask_get bypassed", "url": "https://issues.chromium.org/issues/40064444", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 7000.0, "created_date": "2023-05-09T10:04:18+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40064444", "has_markdown": true }, { "id": "40064442", "title": "Regression: External protocol confirmation dialog may overlap with other origins", "url": "https://issues.chromium.org/issues/40064442", "status": "Assigned", "severity": "S3-Low", "component": "Mobile>Intents, UI>Browser>Navigation", "bounty_amount": 2000.0, "created_date": "2023-05-09T02:41:20+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40064442", "has_markdown": true }, { "id": "40064432", "title": "Security: Chrome iOS", "url": "https://issues.chromium.org/issues/40064432", "status": "Accepted", "severity": "S3-Low", "component": "Mobile>iOSWeb>Security", "bounty_amount": 1000.0, "created_date": "2023-05-08T19:21:44+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40064432", "has_markdown": true }, { "id": "40064425", "title": "Security: UAF in extensions::WebViewFindHelper::FindReply in browser process", "url": "https://issues.chromium.org/issues/40064425", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 10000.0, "created_date": "2023-05-08T12:29:55+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40064425", "has_markdown": true }, { "id": "40064420", "title": "Security: adb wireless debugging bugfix bypass", "url": "https://issues.chromium.org/issues/40064420", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 3000.0, "created_date": "2023-05-08T05:01:15+00:00", "year": 2023, "attachment_count": 13, "local_path": "issues/40064420", "has_markdown": true }, { "id": "40064410", "title": "Security: Chrome iOS", "url": "https://issues.chromium.org/issues/40064410", "status": "Accepted", "severity": "S3-Low", "component": "Blink>SecurityFeature>Referrer", "bounty_amount": 1000.0, "created_date": "2023-05-07T16:46:38+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40064410", "has_markdown": true }, { "id": "40064398", "title": "Security: Chrome iOS", "url": "https://issues.chromium.org/issues/40064398", "status": "Assigned", "severity": "S3-Low", "component": "Mobile>iOSWeb>Security, Mobile>iOSWeb>WebPlatform", "bounty_amount": 1000.0, "created_date": "2023-05-06T11:44:03+00:00", "year": 2023, "attachment_count": 14, "local_path": "issues/40064398", "has_markdown": true }, { "id": "40064393", "title": "Security: Race Condition in amdgpu_ttm_tt_get_user_pages", "url": "https://issues.chromium.org/issues/40064393", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 1000.0, "created_date": "2023-05-06T02:35:35+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40064393", "has_markdown": true }, { "id": "40064365", "title": "Security: UAF in content::BrowserPluginGuest::GetProspectiveOuterDocument() in browser process", "url": "https://issues.chromium.org/issues/40064365", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Apps>BrowserTag, Platform>Extensions", "bounty_amount": 10000.0, "created_date": "2023-05-04T11:39:33+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40064365", "has_markdown": true }, { "id": "40064307", "title": "Security:OOB read in vrend_set_single_image_view", "url": "https://issues.chromium.org/issues/40064307", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>Internals", "bounty_amount": 2000.0, "created_date": "2023-05-01T13:38:53+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40064307", "has_markdown": true }, { "id": "40064290", "title": "Security: Calling ash::DiagnosticsDialog::ShowDialog multiple times can result in an Use-After-Free (UAF) error in ash::diagnostics::NetworkingLog::UpdateNetworkList.", "url": "https://issues.chromium.org/issues/40064290", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 1000.0, "created_date": "2023-04-30T06:29:05+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40064290", "has_markdown": true }, { "id": "40064282", "title": "Security:Debug check failed: HasBuiltinId() implies builtin_id() != Builtin::kCompileLazy.", "url": "https://issues.chromium.org/issues/40064282", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript, Blink>JavaScript>Runtime", "bounty_amount": 7000.0, "created_date": "2023-04-29T14:43:16+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40064282", "has_markdown": true }, { "id": "40064274", "title": "Security: Select option can cover permission buble , lead to spoof", "url": "https://issues.chromium.org/issues/40064274", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Permissions>Prompts", "bounty_amount": 500.0, "created_date": "2023-04-29T04:45:14+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40064274", "has_markdown": true }, { "id": "40064253", "title": "Security: [swiftshader] heap-use-after-free on vk::Query::start (another)", "url": "https://issues.chromium.org/issues/40064253", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>GPU>SwiftShader", "bounty_amount": 10000.0, "created_date": "2023-04-27T16:16:20+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40064253", "has_markdown": true }, { "id": "40064246", "title": "Security: heap-use-after-free in vrend_apply_sampler_state", "url": "https://issues.chromium.org/issues/40064246", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 7000.0, "created_date": "2023-04-27T11:10:52+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40064246", "has_markdown": true }, { "id": "40064228", "title": "Security: heap-use-after-free in vrend_set_single_image_view", "url": "https://issues.chromium.org/issues/40064228", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 5000.0, "created_date": "2023-04-25T23:44:55+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40064228", "has_markdown": true }, { "id": "40064227", "title": "Security: heap-use-after-free in vrend_set_uniform_buffer", "url": "https://issues.chromium.org/issues/40064227", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 5000.0, "created_date": "2023-04-25T23:44:32+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40064227", "has_markdown": true }, { "id": "40064191", "title": "Security: UAF in SaveUPIOfferBubbleViews::WindowClosing", "url": "https://issues.chromium.org/issues/40064191", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Autofill", "bounty_amount": 5000.0, "created_date": "2023-04-24T09:30:58+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40064191", "has_markdown": true }, { "id": "40064189", "title": "Security: Heap-use-after-free in SearchCompanionSidePanelCoordinator::CreateCompanionEntry", "url": "https://issues.chromium.org/issues/40064189", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>TopChrome>SidePanel", "bounty_amount": 4000.0, "created_date": "2023-04-24T09:14:10+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40064189", "has_markdown": true }, { "id": "40064176", "title": "Security: Chrome OS amd drm gpu driver UAF bug in amdgpu_sched_ioctl which can be triggered from chrome browser context", "url": "https://issues.chromium.org/issues/40064176", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>Internals", "bounty_amount": 10000.0, "created_date": "2023-04-23T07:33:41+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40064176", "has_markdown": true }, { "id": "40064170", "title": "Portals URL spoof after crash", "url": "https://issues.chromium.org/issues/40064170", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Portals", "bounty_amount": 2000.0, "created_date": "2023-04-23T02:43:43+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40064170", "has_markdown": true }, { "id": "40064169", "title": "Security: out-of-bounds access in tgsi_scan_shader", "url": "https://issues.chromium.org/issues/40064169", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 7000.0, "created_date": "2023-04-23T02:06:33+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40064169", "has_markdown": true }, { "id": "40064163", "title": "Security: out-of-bounds write in tgsi_scan_shader", "url": "https://issues.chromium.org/issues/40064163", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 7000.0, "created_date": "2023-04-22T10:03:06+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40064163", "has_markdown": true }, { "id": "40064150", "title": "Security: stack-buffer-overflow in prepare_so_movs", "url": "https://issues.chromium.org/issues/40064150", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 7000.0, "created_date": "2023-04-21T14:19:07+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40064150", "has_markdown": true }, { "id": "40064142", "title": "Security: UAF in DevToolsDataSource::OnLoadComplete", "url": "https://issues.chromium.org/issues/40064142", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools, UI>Browser>WebUI", "bounty_amount": 3000.0, "created_date": "2023-04-21T00:29:05+00:00", "year": 2023, "attachment_count": 6, "local_path": "issues/40064142", "has_markdown": true }, { "id": "40064140", "title": "Security: UAF in base::ObserverListShell", "bounty_amount": 1000.0, "created_date": "2023-04-20T23:38:04+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40064140", "has_markdown": true }, { "id": "40064112", "title": "Security: UAF in ReadAnythingAppController::OnAXTreeDistilled", "url": "https://issues.chromium.org/issues/40064112", "status": "Accepted", "severity": "S3-Low", "component": "UI>Accessibility", "bounty_amount": 7000.0, "created_date": "2023-04-19T13:59:43+00:00", "year": 2023, "attachment_count": 6, "local_path": "issues/40064112", "has_markdown": true }, { "id": "40064099", "title": "Security: Custom Tab Scroll Inference", "url": "https://issues.chromium.org/issues/40064099", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Scroll, UI>Browser>Mobile>CustomTabs", "bounty_amount": 2000.0, "created_date": "2023-04-18T20:02:26+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40064099", "has_markdown": true }, { "id": "40064089", "title": "Security: cursor pointer can cover autofill prompt", "url": "https://issues.chromium.org/issues/40064089", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Autofill", "bounty_amount": 1000.0, "created_date": "2023-04-18T14:51:04+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40064089", "has_markdown": true }, { "id": "40064086", "title": "Security:heap-buffer-overflow in rewrite_1d_image_coordinate", "url": "https://issues.chromium.org/issues/40064086", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 2000.0, "created_date": "2023-04-18T09:20:51+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40064086", "has_markdown": true }, { "id": "40064080", "title": "Security: arbitrary address write in allocate_temp_range", "url": "https://issues.chromium.org/issues/40064080", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 7000.0, "created_date": "2023-04-17T12:35:17+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40064080", "has_markdown": true }, { "id": "40064072", "title": "Security: heap-use-after-free ui/ozone/platform/wayland/host/wayland_connection.cc", "url": "https://issues.chromium.org/issues/40064072", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Ozone", "bounty_amount": 2000.0, "created_date": "2023-04-17T06:18:22+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40064072", "has_markdown": true }, { "id": "40064067", "title": "Security: heap-use-after-free in vrend_draw_bind_abo_shader", "url": "https://issues.chromium.org/issues/40064067", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 7000.0, "created_date": "2023-04-16T03:40:38+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40064067", "has_markdown": true }, { "id": "40064062", "title": "Security:stack buffer overflow in set_stream_out_varyings", "url": "https://issues.chromium.org/issues/40064062", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 7000.0, "created_date": "2023-04-15T13:27:53+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40064062", "has_markdown": true }, { "id": "40064061", "title": "Security: Chrome OS i915 drm gpu driver create_clone UAF", "url": "https://issues.chromium.org/issues/40064061", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 10000.0, "created_date": "2023-04-15T10:59:36+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40064061", "has_markdown": true }, { "id": "40064054", "title": " heap-buffer-overflow in SavedTabGroup", "url": "https://issues.chromium.org/issues/40064054", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>TopChrome>TabStrip>TabGroups", "bounty_amount": 3000.0, "created_date": "2023-04-14T16:52:26+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40064054", "has_markdown": true }, { "id": "40064044", "title": "Security: use-after-poison libANGLE\\renderer\\d3d\\d3d11\\VertexBuffer11.cpp:129 in rx::VertexBuffer11::storeVertexAttributes", "url": "https://issues.chromium.org/issues/40064044", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGL", "bounty_amount": 10000.0, "created_date": "2023-04-14T04:51:50+00:00", "year": 2023, "attachment_count": 9, "local_path": "issues/40064044", "has_markdown": true }, { "id": "40064002", "title": "Security: CSA_DCHECK failed: Torque assert 'IsConstructor(target)'", "url": "https://issues.chromium.org/issues/40064002", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler", "bounty_amount": 10000.0, "created_date": "2023-04-12T06:40:33+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40064002", "has_markdown": true }, { "id": "40063918", "title": "Security: Picture in picture can hide fullscreen notification", "url": "https://issues.chromium.org/issues/40063918", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>FullScreen", "bounty_amount": 1000.0, "created_date": "2023-04-06T03:25:22+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40063918", "has_markdown": true }, { "id": "40063907", "title": "Permission Tapjacking Is Possible In Android Custom Tabs", "url": "https://issues.chromium.org/issues/40063907", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Mobile>CustomTabs, UI>Browser>Permissions>Prompts", "bounty_amount": 3000.0, "created_date": "2023-04-05T17:03:21+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40063907", "has_markdown": true }, { "id": "40063900", "title": "Security: heap-buffer-overflow on WebSQL sqlite3VdbeSorterInit", "url": "https://issues.chromium.org/issues/40063900", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>Storage", "bounty_amount": 1000.0, "created_date": "2023-04-05T02:35:22+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40063900", "has_markdown": true }, { "id": "40063894", "title": "Security: UAF in vrend_renderer_pipe_resource_set_type", "url": "https://issues.chromium.org/issues/40063894", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU", "bounty_amount": 7000.0, "created_date": "2023-04-04T10:54:16+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40063894", "has_markdown": true }, { "id": "40063893", "title": "Security: UAF in vrend_update_stencil_state", "url": "https://issues.chromium.org/issues/40063893", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>Internals", "bounty_amount": 7000.0, "created_date": "2023-04-04T03:39:44+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40063893", "has_markdown": true }, { "id": "40063880", "title": "Security: UAF in sampler_state", "url": "https://issues.chromium.org/issues/40063880", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 10000.0, "created_date": "2023-04-03T15:23:41+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40063880", "has_markdown": true }, { "id": "40063879", "title": "Security: heap-use-after-free on ash/drag_drop/tab_drag_drop_windows_hider.cc", "url": "https://issues.chromium.org/issues/40063879", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 2000.0, "created_date": "2023-04-03T14:46:53+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40063879", "has_markdown": true }, { "id": "40063876", "title": "Security: Heap-use-after-free in SavedTabGroupButton::MoveGroupToNewWindowPressed", "url": "https://issues.chromium.org/issues/40063876", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>TopChrome>TabStrip>TabGroups", "bounty_amount": 2000.0, "created_date": "2023-04-03T08:52:45+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40063876", "has_markdown": true }, { "id": "40063868", "title": "Service workers bypass PrivateNetworkAccess for localhost", "url": "https://issues.chromium.org/issues/40063868", "status": "Accepted", "severity": "S3-Low", "component": "Blink>SecurityFeature>CORS>PrivateNetworkAccess", "bounty_amount": 1000.0, "created_date": "2023-04-02T02:48:52+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40063868", "has_markdown": true }, { "id": "40063861", "title": "Security: Heap-use-after-free in views::View::VisibilityChangedImpl ", "url": "https://issues.chromium.org/issues/40063861", "status": "Accepted", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 2000.0, "created_date": "2023-04-01T04:53:46+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40063861", "has_markdown": true }, { "id": "40063839", "title": "Security: Memory corruption due to HeapVector iterator invalidation", "url": "https://issues.chromium.org/issues/40063839", "status": "Assigned", "severity": "S3-Low", "component": "Blink>ServiceWorker", "bounty_amount": 7000.0, "created_date": "2023-03-30T10:19:35+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40063839", "has_markdown": true }, { "id": "40063838", "title": "Security: Memory corruption due to accessing invalid context", "url": "https://issues.chromium.org/issues/40063838", "status": "Assigned", "severity": "S3-Low", "component": "Blink>ServiceWorker", "bounty_amount": 7000.0, "created_date": "2023-03-30T10:01:42+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40063838", "has_markdown": true }, { "id": "40063818", "title": "memory corruption in v8", "url": "https://issues.chromium.org/issues/40063818", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>GarbageCollection", "bounty_amount": 7000.0, "created_date": "2023-03-29T04:51:11+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40063818", "has_markdown": true }, { "id": "40063810", "title": "Security: Chrome on IOS ignores Content-Type header when rendering XML and SVG content", "url": "https://issues.chromium.org/issues/40063810", "status": "Fixed", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 3000.0, "created_date": "2023-03-28T22:04:57+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40063810", "has_markdown": true }, { "id": "40063799", "title": "Security: Heap-use-after-free in ScreenAIService::TriggerProcessingNextTaskInQueue", "url": "https://issues.chromium.org/issues/40063799", "status": "Assigned", "severity": "S4-Minimal", "component": "UI>Accessibility, UI>Accessibility>MachineIntelligence", "bounty_amount": 10000.0, "created_date": "2023-03-28T03:16:11+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40063799", "has_markdown": true }, { "id": "40063777", "title": "Security:UAF in content::SyntheticPointerAction::ForwardTouchOrMouseInputEvents(browser process)", "url": "https://issues.chromium.org/issues/40063777", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Input", "bounty_amount": 3000.0, "created_date": "2023-03-27T01:50:07+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40063777", "has_markdown": true }, { "id": "40063770", "title": "Arbitrary OOB read and write with WebGL via SwiftShader", "url": "https://issues.chromium.org/issues/40063770", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGL, Internals>GPU>ANGLE", "bounty_amount": 10000.0, "created_date": "2023-03-26T10:34:26+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40063770", "has_markdown": true }, { "id": "40063759", "title": "Security: UAF in extensions::SupervisedUserExtensionsDelegateImpl::ShowParentPermissionDialogForExtension", "url": "https://issues.chromium.org/issues/40063759", "status": "Accepted", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 3000.0, "created_date": "2023-03-25T09:55:09+00:00", "year": 2023, "attachment_count": 7, "local_path": "issues/40063759", "has_markdown": true }, { "id": "40063748", "title": "UAF in content::NavigationState::RunCommitSameDocumentNavigationCallback", "url": "https://issues.chromium.org/issues/40063748", "status": "Assigned", "severity": "S4-Minimal", "component": "UI>Browser>Navigation", "bounty_amount": 7000.0, "created_date": "2023-03-24T15:21:13+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40063748", "has_markdown": true }, { "id": "40063745", "title": "Chrome Crashpad arbitrary file create", "url": "https://issues.chromium.org/issues/40063745", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Installer", "bounty_amount": 3000.0, "created_date": "2023-03-24T13:47:24+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40063745", "has_markdown": true }, { "id": "40063734", "title": "Heap-use-after-free in SavedTabGroupBar", "url": "https://issues.chromium.org/issues/40063734", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>TopChrome>TabStrip>TabGroups", "bounty_amount": 2000.0, "created_date": "2023-03-23T08:41:22+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40063734", "has_markdown": true }, { "id": "40063731", "title": "Security: Race Condition UAF in l2cap_disconnect_req and l2cap_disconnect_rsp", "url": "https://issues.chromium.org/issues/40063731", "status": "Accepted", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 5000.0, "created_date": "2023-03-23T04:00:00+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40063731", "has_markdown": true }, { "id": "40063723", "title": "Security: Extensions with \"download\" permissions can read local files by using FSA API", "url": "https://issues.chromium.org/issues/40063723", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions>API, UI>Browser>Downloads", "bounty_amount": 2000.0, "created_date": "2023-03-22T13:50:31+00:00", "year": 2023, "attachment_count": 8, "local_path": "issues/40063723", "has_markdown": true }, { "id": "40063714", "title": "Security: Heap-use-after-free in ExclusiveAccessBubbleViews::UpdateBounds", "url": "https://issues.chromium.org/issues/40063714", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser", "bounty_amount": 10000.0, "created_date": "2023-03-21T16:49:02+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40063714", "has_markdown": true }, { "id": "40063713", "title": "Security: Heap-use-after-free in ash::DeskMiniView::UpdateDeskButtonVisibility", "url": "https://issues.chromium.org/issues/40063713", "status": "Assigned", "severity": "S3-Low", "component": "UI>Shell", "bounty_amount": 1000.0, "created_date": "2023-03-21T16:44:54+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40063713", "has_markdown": true }, { "id": "40063703", "title": "Security: Heap-use-after-free in ProfileTokenNavigationThrottle::WillProcessRespons ", "url": "https://issues.chromium.org/issues/40063703", "status": "Accepted", "severity": "S3-Low", "component": "Enterprise", "bounty_amount": 3000.0, "created_date": "2023-03-21T07:59:18+00:00", "year": 2023, "attachment_count": 6, "local_path": "issues/40063703", "has_markdown": true }, { "id": "40063688", "title": "Security: UAF in blink::MLGraphXnnpack::ComputeOnBackgroundThread", "url": "https://issues.chromium.org/issues/40063688", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebML", "bounty_amount": 7000.0, "created_date": "2023-03-20T13:57:44+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40063688", "has_markdown": true }, { "id": "40063673", "title": "Security: segv in JsonStringifier::SerializeString", "url": "https://issues.chromium.org/issues/40063673", "status": "Accepted", "severity": "S4-Minimal", "component": "Blink>JavaScript>API, Blink>JavaScript>GarbageCollection, Blink>JavaScript>Runtime", "bounty_amount": 8000.0, "created_date": "2023-03-20T01:49:06+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40063673", "has_markdown": true }, { "id": "40063655", "title": "Security: Race Condition UAF in evdi_gem_create", "url": "https://issues.chromium.org/issues/40063655", "status": "Assigned", "severity": "S3-Low", "component": "OS>Packages", "bounty_amount": 10000.0, "created_date": "2023-03-18T07:59:19+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40063655", "has_markdown": true }, { "id": "40063635", "title": "Security: UAF in MLGraphXnnpack::BuildOnBackgroundThread", "url": "https://issues.chromium.org/issues/40063635", "status": "Fixed", "severity": "S3-Low", "component": "Blink>WebML", "bounty_amount": 10000.0, "created_date": "2023-03-17T10:18:51+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40063635", "has_markdown": true }, { "id": "40063634", "title": "Security: Intent URLs also bypass CSP sandbox with \"allow-popups\" set", "url": "https://issues.chromium.org/issues/40063634", "status": "Assigned", "severity": "S3-Low", "component": "Blink>SecurityFeature, Mobile>Intents", "bounty_amount": 1000.0, "created_date": "2023-03-17T09:03:41+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40063634", "has_markdown": true }, { "id": "40063633", "title": "Security: Heap-use-after-free in LocalTabGroupListener::AddWebContents ", "url": "https://issues.chromium.org/issues/40063633", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>TopChrome>TabStrip>TabGroups", "bounty_amount": 4000.0, "created_date": "2023-03-17T07:47:43+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40063633", "has_markdown": true }, { "id": "40063621", "title": "Security: UAF in base::ObserverListBrowser>Profiles, UI>Shell", "bounty_amount": 1000.0, "created_date": "2023-03-16T12:17:57+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40063621", "has_markdown": true }, { "id": "40063617", "title": "Security: Heap-use-after-free in TabGroupModel::GetTabGroup", "url": "https://issues.chromium.org/issues/40063617", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>TopChrome>TabStrip>TabGroups", "bounty_amount": 3000.0, "created_date": "2023-03-16T07:39:39+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40063617", "has_markdown": true }, { "id": "40063616", "title": "Security: Debug check failed: IsSweepingInProgress()", "url": "https://issues.chromium.org/issues/40063616", "status": "Accepted", "severity": "S3-Low", "component": "Blink>JavaScript>GarbageCollection", "bounty_amount": 7000.0, "created_date": "2023-03-16T01:45:03+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40063616", "has_markdown": true }, { "id": "40063589", "title": "UAF in DevToolsAgentHostImpl::ForceDetachAllSessions(with headless mode and puppeteer) ", "url": "https://issues.chromium.org/issues/40063589", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools", "bounty_amount": 2000.0, "created_date": "2023-03-14T10:14:47+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40063589", "has_markdown": true }, { "id": "40063581", "title": "Security: out of bound read in vfd_out_locked", "url": "https://issues.chromium.org/issues/40063581", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 1000.0, "created_date": "2023-03-14T04:48:51+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40063581", "has_markdown": true }, { "id": "40063572", "title": "LAN9500, LAN75xx driver information leak", "url": "https://issues.chromium.org/issues/40063572", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Core", "bounty_amount": 1000.0, "created_date": "2023-03-13T20:53:55+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40063572", "has_markdown": true }, { "id": "40063545", "title": "Security: OOB Access in intel_pxp_sm_ioctl_mark_session_in_play", "url": "https://issues.chromium.org/issues/40063545", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>GPU>VendorSpecific", "bounty_amount": 10000.0, "created_date": "2023-03-11T12:20:36+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40063545", "has_markdown": true }, { "id": "40063542", "title": "Security: SEGV_ACCERR in v8", "url": "https://issues.chromium.org/issues/40063542", "status": "Accepted", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Maglev", "bounty_amount": 20000.0, "created_date": "2023-03-11T07:05:25+00:00", "year": 2023, "attachment_count": 6, "local_path": "issues/40063542", "has_markdown": true }, { "id": "40063511", "title": "Security: Permission bypass due to not erase request properly", "url": "https://issues.chromium.org/issues/40063511", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Permissions>Prompts", "bounty_amount": 7500.0, "created_date": "2023-03-10T10:37:50+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40063511", "has_markdown": true }, { "id": "40063506", "title": "Security: ChromeOS: Local privilege escalation due to use-after-free in u32 classifier", "url": "https://issues.chromium.org/issues/40063506", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 500.0, "created_date": "2023-03-10T07:36:08+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40063506", "has_markdown": true }, { "id": "40063505", "title": "Security: Bypass https://chromium-review.googlesource.com/c/chromium/src/+/4294941 using upper-cased file: protocol (Source maps support for file:// URLs gives devtools_page extensions local file access)", "url": "https://issues.chromium.org/issues/40063505", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 5000.0, "created_date": "2023-03-10T06:35:49+00:00", "year": 2023, "attachment_count": 8, "local_path": "issues/40063505", "has_markdown": true }, { "id": "40063469", "title": "UAF in v8_inspector", "url": "https://issues.chromium.org/issues/40063469", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 1000.0, "created_date": "2023-03-09T02:29:54+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40063469", "has_markdown": true }, { "id": "40063458", "title": "Heap-use-after-free in blink::NGTextDecorationPainter::UpdateDecorationInfo", "url": "https://issues.chromium.org/issues/40063458", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Paint", "bounty_amount": 10000.0, "created_date": "2023-03-08T10:36:53+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40063458", "has_markdown": true }, { "id": "40063438", "title": "Security: Using popups, Incognito Mode-specific external protocol prompts can be overlaid on other origins on Android.", "url": "https://issues.chromium.org/issues/40063438", "status": "Fixed", "severity": "S3-Low", "component": "Mobile>Intents, UI>Browser>Incognito", "bounty_amount": 500.0, "created_date": "2023-03-07T16:06:15+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40063438", "has_markdown": true }, { "id": "40063434", "title": "Security: Race Condition UAF in evdi_painter_mode_changed_notify", "url": "https://issues.chromium.org/issues/40063434", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 5000.0, "created_date": "2023-03-07T14:40:59+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40063434", "has_markdown": true }, { "id": "40063426", "title": "Security DCHECK failed: IsA(from) blink::TimelineOffset::Create timeline_offset.cc:82", "url": "https://issues.chromium.org/issues/40063426", "status": "Fixed", "severity": "S4-Minimal", "component": "Blink>Animation", "bounty_amount": 7000.0, "created_date": "2023-03-07T02:53:28+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40063426", "has_markdown": true }, { "id": "40063412", "title": "Security: use-after-free in ManagePasswordsUIController::OnChooseCredentials", "url": "https://issues.chromium.org/issues/40063412", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Passwords", "bounty_amount": 10000.0, "created_date": "2023-03-06T16:29:25+00:00", "year": 2023, "attachment_count": 18, "local_path": "issues/40063412", "has_markdown": true }, { "id": "40063372", "title": "Crash in Builtins_StoreTypedElementJSAny_Int16Elements_0", "url": "https://issues.chromium.org/issues/40063372", "status": "Accepted", "severity": "S4-Minimal", "component": "Blink>JavaScript>API, Blink>JavaScript>Runtime", "bounty_amount": 7000.0, "created_date": "2023-03-04T03:15:13+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40063372", "has_markdown": true }, { "id": "40063342", "title": "ServiceWorkers in credentialless iframes could access long lived cookies", "url": "https://issues.chromium.org/issues/40063342", "status": "Assigned", "severity": "S3-Low", "component": "Blink>SecurityFeature>AnonymousIframe, Blink>ServiceWorker, Internals>Network>Cookies>PartitionedCookies, Internals>Sandbox>SiteIsolation", "bounty_amount": 2000.0, "created_date": "2023-03-02T08:55:38+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40063342", "has_markdown": true }, { "id": "40063314", "title": "Security: heap-use-after-free in blink::WebString::WebString", "url": "https://issues.chromium.org/issues/40063314", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Input", "bounty_amount": 3000.0, "created_date": "2023-03-01T06:48:37+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40063314", "has_markdown": true }, { "id": "40063293", "title": "Security: Chrome Vulnerability Leaves Android One UI Users at Risk of Spoofing Attacks", "url": "https://issues.chromium.org/issues/40063293", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Fullscreen", "bounty_amount": 1000.0, "created_date": "2023-02-28T13:19:06+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40063293", "has_markdown": true }, { "id": "40063285", "title": "Security: Double-free in libwebp WebPEncode (with alpha) under OOM condition", "url": "https://issues.chromium.org/issues/40063285", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Images>Codecs", "bounty_amount": 1337.0, "created_date": "2023-02-28T01:02:01+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40063285", "has_markdown": true }, { "id": "40063272", "title": "Security: PDFium UAF vulns", "url": "https://issues.chromium.org/issues/40063272", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Plugins>PDF", "bounty_amount": 7000.0, "created_date": "2023-02-27T11:30:02+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40063272", "has_markdown": true }, { "id": "40063268", "title": "Security: Heap-use-after-free in UserNotesPageHandler::GetNoteOverviews", "url": "https://issues.chromium.org/issues/40063268", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>TopChrome>SidePanel", "bounty_amount": 3000.0, "created_date": "2023-02-27T07:02:21+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40063268", "has_markdown": true }, { "id": "40063259", "title": "Bypass 1349146, local file access checks can be bypassed by using `file:` instead of `file://`", "url": "https://issues.chromium.org/issues/40063259", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 5000.0, "created_date": "2023-02-26T22:16:27+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40063259", "has_markdown": true }, { "id": "40063257", "title": "Security: web HID memory corruption bug", "url": "https://issues.chromium.org/issues/40063257", "status": "Assigned", "severity": "S3-Low", "component": "Blink>HID", "bounty_amount": 8000.0, "created_date": "2023-02-26T16:19:35+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40063257", "has_markdown": true }, { "id": "40063230", "title": "Security: After refactor, page can use EyeDropper API to bypass mouse movement/keyboard input requirements for autofill (regression of issue 1287364)", "url": "https://issues.chromium.org/issues/40063230", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Autofill", "bounty_amount": 3000.0, "created_date": "2023-02-24T01:35:41+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40063230", "has_markdown": true }, { "id": "40063209", "title": "Security: heap-use-after-free worker_thread.cc:671 in blink::WorkerThread::InitializeOnWorkerThread", "url": "https://issues.chromium.org/issues/40063209", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Workers", "bounty_amount": 7000.0, "created_date": "2023-02-23T02:58:40+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40063209", "has_markdown": true }, { "id": "40063208", "title": "Security: Document PIP inherits wrong origin when opened from an extension popup", "url": "https://issues.chromium.org/issues/40063208", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Media>PictureInPicture", "bounty_amount": 2000.0, "created_date": "2023-02-23T01:29:21+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40063208", "has_markdown": true }, { "id": "40063194", "title": "Security: String with different encoding mismatch, leading Out-of-bounds access.", "url": "https://issues.chromium.org/issues/40063194", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Bindings", "bounty_amount": 5000.0, "created_date": "2023-02-22T04:38:27+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40063194", "has_markdown": true }, { "id": "40063183", "title": "Security: Chrome on Android can self-intent into CCT, allowing sandboxed iframe allow-popups-to-escape-sandbox bypass.", "url": "https://issues.chromium.org/issues/40063183", "status": "Assigned", "severity": "S3-Low", "component": "Blink>SecurityFeature>IFrameSandbox, Mobile>Intents", "bounty_amount": 1000.0, "created_date": "2023-02-21T17:11:59+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40063183", "has_markdown": true }, { "id": "40063167", "title": "Security: UAF in simple_devtools_protocol_client::SimpleDevToolsProtocolClient::DispatchProtocolMessageTask(", "url": "https://issues.chromium.org/issues/40063167", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Headless", "bounty_amount": 2000.0, "created_date": "2023-02-20T16:01:16+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40063167", "has_markdown": true }, { "id": "40063148", "title": "[Security] V8 Debug check failed: OFFSET_OF(Isolate, string_stream_current_security_token_) == strin", "url": "https://issues.chromium.org/issues/40063148", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript", "bounty_amount": 7000.0, "created_date": "2023-02-18T10:48:15+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40063148", "has_markdown": true }, { "id": "40063139", "title": "Security: Safe Browsing bypass via data URI, no warning if SB fails", "url": "https://issues.chromium.org/issues/40063139", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 3000.0, "created_date": "2023-02-17T22:54:55+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40063139", "has_markdown": true }, { "id": "40063132", "title": "Security: Security DCHECK failed: IsA(from) blink::StylePropertyMap::append style_property_map.cc:384", "url": "https://issues.chromium.org/issues/40063132", "status": "Assigned", "severity": "S3-Low", "component": "Blink>CSS", "bounty_amount": 7000.0, "created_date": "2023-02-17T13:35:08+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40063132", "has_markdown": true }, { "id": "40063128", "title": "Security: UAF when code runs after NavigationThrottle's Resume() or CancelDeferredNavigation() are called", "url": "https://issues.chromium.org/issues/40063128", "status": "New", "severity": "S3-Low", "component": "Internals>Sandbox>SiteIsolation, UI>Browser>Navigation", "bounty_amount": 10000.0, "created_date": "2023-02-17T09:56:04+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40063128", "has_markdown": true }, { "id": "40063127", "title": "Security: UAF in PlatformAuthNavigationThrottle::FetchHeadersCallback", "url": "https://issues.chromium.org/issues/40063127", "status": "New", "severity": "S3-Low", "component": "Enterprise", "bounty_amount": 30000.0, "created_date": "2023-02-17T08:56:57+00:00", "year": 2023, "attachment_count": 7, "local_path": "issues/40063127", "has_markdown": true }, { "id": "40063071", "title": "Security: Document PiP window can be resized and moved by compromised renderer, user can interact with sensitive UI using keyboard without being aware", "url": "https://issues.chromium.org/issues/40063071", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Media>PictureInPicture", "bounty_amount": 1000.0, "created_date": "2023-02-14T23:52:04+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40063071", "has_markdown": true }, { "id": "40063068", "title": "Security: Document PiP can spoof top-level page origin, show attacker content in PiP window, open PiP windows from iframes", "url": "https://issues.chromium.org/issues/40063068", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Media>PictureInPicture", "bounty_amount": 4000.0, "created_date": "2023-02-14T22:19:15+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40063068", "has_markdown": true }, { "id": "40063055", "title": "UAF in permissions::PermissionRequest::request_type", "url": "https://issues.chromium.org/issues/40063055", "status": "New", "severity": "S3-Low", "component": "UI>Browser>Permissions>Prompts", "bounty_amount": 41000.0, "created_date": "2023-02-13T17:10:18+00:00", "year": 2023, "attachment_count": 8, "local_path": "issues/40063055", "has_markdown": true }, { "id": "40063051", "title": "Security: TALOS-2023-1724 - Google Chrome WebGL rx::Image11::disassociateStorage use-after-free vulnerability ", "url": "https://issues.chromium.org/issues/40063051", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGL, Internals>GPU>ANGLE", "bounty_amount": 15000.0, "created_date": "2023-02-13T15:08:47+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40063051", "has_markdown": true }, { "id": "40063041", "title": "Security: Fullscreen Confusion Attack in Chrome with Mail Application", "url": "https://issues.chromium.org/issues/40063041", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Fullscreen", "bounty_amount": 1000.0, "created_date": "2023-02-12T13:04:03+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40063041", "has_markdown": true }, { "id": "40063040", "title": "Security: Uninitialized Pointer in `msm_parse_post_deps`", "url": "https://issues.chromium.org/issues/40063040", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>VendorSpecific", "bounty_amount": 15000.0, "created_date": "2023-02-12T11:46:34+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40063040", "has_markdown": true }, { "id": "40063029", "title": "Security: Possible UAF in PinManager::NotifyDelete", "url": "https://issues.chromium.org/issues/40063029", "status": "Assigned", "severity": "S3-Low", "component": "UI>Shell", "bounty_amount": 1000.0, "created_date": "2023-02-11T13:17:40+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40063029", "has_markdown": true }, { "id": "40063023", "title": "Security: Document PIP origin spoof", "url": "https://issues.chromium.org/issues/40063023", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Media>PictureInPicture, UI>Browser>Navigation", "bounty_amount": 3000.0, "created_date": "2023-02-11T05:37:30+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40063023", "has_markdown": true }, { "id": "40063021", "title": "Security: Android file picker dialog can be shown over a different tab", "url": "https://issues.chromium.org/issues/40063021", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Forms>File, UI>Browser>Navigation", "bounty_amount": 5000.0, "created_date": "2023-02-10T23:50:03+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40063021", "has_markdown": true }, { "id": "40063014", "title": "LZ and ZST files which are another form of Archive file is missing into the gesture file types", "url": "https://issues.chromium.org/issues/40063014", "status": "Accepted", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 500.0, "created_date": "2023-02-10T16:32:10+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40063014", "has_markdown": true }, { "id": "40063010", "title": "Security: UAF in AppFinder::OnGetAppDescriptions", "url": "https://issues.chromium.org/issues/40063010", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Payments", "bounty_amount": 30000.0, "created_date": "2023-02-10T11:23:07+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40063010", "has_markdown": true }, { "id": "40063005", "title": "Security: Heap-use-after-free in ash::WizardController::HandleAccelerator", "url": "https://issues.chromium.org/issues/40063005", "status": "Assigned", "severity": "S3-Low", "component": "UI>Shell", "bounty_amount": 1000.0, "created_date": "2023-02-09T23:43:00+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40063005", "has_markdown": true }, { "id": "40063002", "title": "Security: ChromeOS root privilege escalation (mount-passthrough-jailed)", "url": "https://issues.chromium.org/issues/40063002", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 30000.0, "created_date": "2023-02-09T20:51:43+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40063002", "has_markdown": true }, { "id": "40062996", "title": "Security: Bypass Issue 1385343 Extension with permission can read arbitrary local files although (Allow access to file URLs) is disabled", "url": "https://issues.chromium.org/issues/40062996", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions>API", "bounty_amount": 5000.0, "created_date": "2023-02-09T14:56:53+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40062996", "has_markdown": true }, { "id": "40062988", "title": "UAF in aura::Window", "url": "https://issues.chromium.org/issues/40062988", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Aura", "bounty_amount": 1000.0, "created_date": "2023-02-09T06:29:12+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40062988", "has_markdown": true }, { "id": "40062970", "title": "Security: Heap-buffer-overflow in FrameSinkManagerImpl::UnregisterFrameSinkHierarchy", "url": "https://issues.chromium.org/issues/40062970", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Services>Viz", "bounty_amount": 4000.0, "created_date": "2023-02-08T10:52:40+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40062970", "has_markdown": true }, { "id": "40062962", "title": "Security: Security DCHECK failed: IsA(from) blink::LayoutMultiColumnFlowThread::ComputeSize layout_multi_column_flow_thread.cc:1666", "url": "https://issues.chromium.org/issues/40062962", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Layout", "bounty_amount": 7000.0, "created_date": "2023-02-08T02:53:43+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40062962", "has_markdown": true }, { "id": "40062959", "title": "documentPictureInPicture UI spoof via opener", "url": "https://issues.chromium.org/issues/40062959", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Media>PictureInPicture, UI>Browser>Navigation", "bounty_amount": 1000.0, "created_date": "2023-02-08T01:34:08+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40062959", "has_markdown": true }, { "id": "40062954", "title": "Fenced frame spoof documentPictureInPicture", "url": "https://issues.chromium.org/issues/40062954", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Media>PictureInPicture", "bounty_amount": 4000.0, "created_date": "2023-02-07T19:53:25+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40062954", "has_markdown": true }, { "id": "40062949", "title": "Security: UAF in void perfetto::DataSourceTracing", "bounty_amount": 3000.0, "created_date": "2023-02-07T13:53:34+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40062949", "has_markdown": true }, { "id": "40062944", "title": "Security: use-after-poison rtp_contributing_source_cache.cc:215 in blink::RtpContributingSourceCache::ClearCache", "url": "https://issues.chromium.org/issues/40062944", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebRTC>PeerConnection", "bounty_amount": 2000.0, "created_date": "2023-02-07T09:05:18+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40062944", "has_markdown": true }, { "id": "40062941", "title": "Security: Bug 1238631 regression (Share dialog on Windows can render over address bar, window controls)", "url": "https://issues.chromium.org/issues/40062941", "status": "Accepted", "severity": "S3-Low", "component": "Blink>WebShare", "bounty_amount": 1000.0, "created_date": "2023-02-07T08:16:32+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40062941", "has_markdown": true }, { "id": "40062938", "title": "Security: Android permission prompt tapjacking", "url": "https://issues.chromium.org/issues/40062938", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Permissions>Prompts", "bounty_amount": 2000.0, "created_date": "2023-02-07T03:45:04+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40062938", "has_markdown": true }, { "id": "40062927", "title": "Security: Race Condition UAF in hci_cmd_sync_work(2)", "url": "https://issues.chromium.org/issues/40062927", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 4000.0, "created_date": "2023-02-06T06:36:56+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40062927", "has_markdown": true }, { "id": "40062919", "title": "Security: Race Condition UAF in hci_cmd_sync_work", "url": "https://issues.chromium.org/issues/40062919", "status": "Assigned", "severity": "S3-Low", "component": "Platform", "bounty_amount": 7500.0, "created_date": "2023-02-05T12:09:49+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40062919", "has_markdown": true }, { "id": "40062915", "title": "Security: A UAF in WebRTC", "url": "https://issues.chromium.org/issues/40062915", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebRTC, Internals>Media>ScreenCapture", "bounty_amount": 2000.0, "created_date": "2023-02-04T22:56:21+00:00", "year": 2023, "attachment_count": 7, "local_path": "issues/40062915", "has_markdown": true }, { "id": "40062907", "title": "Security: use of uninitialized member variable in omnibox_popup_view_views.cc:575", "url": "https://issues.chromium.org/issues/40062907", "status": "Fixed", "severity": "S3-Low", "component": "UI>Browser>Omnibox", "bounty_amount": 3000.0, "created_date": "2023-02-04T10:09:30+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40062907", "has_markdown": true }, { "id": "40062893", "title": "Security: stack-buffer-overflow in crashpad ", "url": "https://issues.chromium.org/issues/40062893", "status": "Assigned", "severity": "S3-Low", "component": "Internals>CrashReporting", "bounty_amount": 3000.0, "created_date": "2023-02-03T03:07:54+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40062893", "has_markdown": true }, { "id": "40062890", "title": "type mismatch with turboshaft,1 vs NaN", "url": "https://issues.chromium.org/issues/40062890", "status": "Accepted", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Turbofan", "bounty_amount": 7000.0, "created_date": "2023-02-03T01:03:28+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40062890", "has_markdown": true }, { "id": "40062884", "title": "Security: Type confusion in v8 value serializer", "url": "https://issues.chromium.org/issues/40062884", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Runtime", "bounty_amount": 10000.0, "created_date": "2023-02-02T17:46:42+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40062884", "has_markdown": true }, { "id": "40062875", "title": "v8 oob read in turboshaft::Graph::IncrementInputUses", "url": "https://issues.chromium.org/issues/40062875", "status": "Accepted", "severity": "S4-Minimal", "component": "Blink>JavaScript>Compiler>Turbofan", "bounty_amount": 7000.0, "created_date": "2023-02-02T09:51:36+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40062875", "has_markdown": true }, { "id": "40062849", "title": "heap-use-after-free in Read Anything", "url": "https://issues.chromium.org/issues/40062849", "status": "Accepted", "severity": "S3-Low", "component": "UI>Accessibility", "bounty_amount": 1000.0, "created_date": "2023-01-31T22:54:40+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40062849", "has_markdown": true }, { "id": "40062839", "title": "Segv on unknown address in v8::internal::TracedHandlesImpl::Create", "url": "https://issues.chromium.org/issues/40062839", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>API, Blink>JavaScript>GarbageCollection, Blink>ViewTransitions", "bounty_amount": 7000.0, "created_date": "2023-01-31T03:13:19+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40062839", "has_markdown": true }, { "id": "40062832", "title": "Security: [swiftshader] heap-use-after-free on vk::Query::start", "url": "https://issues.chromium.org/issues/40062832", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>SwiftShader", "bounty_amount": 15000.0, "created_date": "2023-01-30T09:35:42+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40062832", "has_markdown": true }, { "id": "40062829", "title": "Security: Debug check failed: kCanBeWeak || (!IsSmi() == HAS_STRONG_HEAP_OBJECT_TAG(ptr_))", "url": "https://issues.chromium.org/issues/40062829", "status": "Fixed", "severity": "S4-Minimal", "component": "Blink>JavaScript", "bounty_amount": 7000.0, "created_date": "2023-01-30T03:20:04+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40062829", "has_markdown": true }, { "id": "40062823", "title": "Security: Android - Bypass the Protection of input fields cache (Autofill) Bypass 1398579", "url": "https://issues.chromium.org/issues/40062823", "status": "Assigned", "severity": "S4-Minimal", "component": "UI>Browser>Autofill", "bounty_amount": 3000.0, "created_date": "2023-01-29T19:55:00+00:00", "year": 2023, "attachment_count": 6, "local_path": "issues/40062823", "has_markdown": true }, { "id": "40062816", "title": "Security: SEGV_ACCERR in Maglev", "url": "https://issues.chromium.org/issues/40062816", "status": "Fixed", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Maglev", "bounty_amount": 7000.0, "created_date": "2023-01-28T03:56:47+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40062816", "has_markdown": true }, { "id": "40062808", "title": "heap-buffer-overflow in aom_yv12_copy_v_c", "url": "https://issues.chromium.org/issues/40062808", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Media>Video", "bounty_amount": 10000.0, "created_date": "2023-01-27T14:18:34+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40062808", "has_markdown": true }, { "id": "40062792", "title": "Crash in vk::ImageView::clear", "url": "https://issues.chromium.org/issues/40062792", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>SwiftShader", "bounty_amount": 15000.0, "created_date": "2023-01-25T15:58:52+00:00", "year": 2023, "attachment_count": 6, "local_path": "issues/40062792", "has_markdown": true }, { "id": "40062778", "title": "Security: Race Condition Double Free in i915_gem_set_tiling_ioctl", "url": "https://issues.chromium.org/issues/40062778", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>Internals", "bounty_amount": 20000.0, "created_date": "2023-01-24T03:33:26+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40062778", "has_markdown": true }, { "id": "40062770", "title": "Security: SwiftShader binaries are included in the following Dockerfile by just pulling them from a bucket", "url": "https://issues.chromium.org/issues/40062770", "status": "Assigned", "severity": "S3-Low", "component": "Infra", "bounty_amount": 2000.0, "created_date": "2023-01-23T20:14:04+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40062770", "has_markdown": true }, { "id": "40062739", "title": "Security: Security DCHECK failed: IsA(from) blink::`anonymous namespace'::CalcToNumericValue:css_numeric_value.cc:162", "url": "https://issues.chromium.org/issues/40062739", "status": "Fixed", "severity": "S3-Low", "component": "Blink>CSS", "bounty_amount": 7000.0, "created_date": "2023-01-20T09:15:11+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40062739", "has_markdown": true }, { "id": "40062720", "title": "Crash in blink::HTMLFastPathParser::ParseAttributes", "url": "https://issues.chromium.org/issues/40062720", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>HTML>Parser", "bounty_amount": 4000.0, "created_date": "2023-01-18T17:24:44+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40062720", "has_markdown": true }, { "id": "40062717", "title": "Security: Debug check failed: pred_reverse_index != -1 (-1 vs. -1)", "url": "https://issues.chromium.org/issues/40062717", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Compiler>Turbofan", "bounty_amount": 7000.0, "created_date": "2023-01-18T07:40:42+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40062717", "has_markdown": true }, { "id": "40062710", "title": "heap overflow in ForeignSessionHandler::OpenForeignSessionWindows", "url": "https://issues.chromium.org/issues/40062710", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>History", "bounty_amount": 3000.0, "created_date": "2023-01-17T14:41:06+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40062710", "has_markdown": true }, { "id": "40062700", "title": "Security DCHECK failure: IsA(from) in casting.h", "url": "https://issues.chromium.org/issues/40062700", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>CSS", "bounty_amount": 7000.0, "created_date": "2023-01-17T00:00:42+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40062700", "has_markdown": true }, { "id": "40062697", "title": "UAF in blink::VideoFrameSubmitter::OnContextLost", "url": "https://issues.chromium.org/issues/40062697", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Media>Video", "bounty_amount": 3000.0, "created_date": "2023-01-16T17:51:06+00:00", "year": 2023, "attachment_count": 9, "local_path": "issues/40062697", "has_markdown": true }, { "id": "40062684", "title": "[TF::OptimizationBug] After optimization, running the \"poc.js\" yields segmentation fault", "url": "https://issues.chromium.org/issues/40062684", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>API, Blink>JavaScript>Compiler, Blink>JavaScript>Runtime", "bounty_amount": 7000.0, "created_date": "2023-01-16T05:25:31+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40062684", "has_markdown": true }, { "id": "40062671", "title": "Security: unreachable code in maglev::MaglevGraphBuilder::VisitStaCurrentContextSlot", "url": "https://issues.chromium.org/issues/40062671", "status": "Fixed", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Maglev", "bounty_amount": 7000.0, "created_date": "2023-01-15T05:10:04+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40062671", "has_markdown": true }, { "id": "40062647", "title": "Security: Debug check failed: begin.valid().", "url": "https://issues.chromium.org/issues/40062647", "status": "Fixed", "severity": "S4-Minimal", "component": "Blink>JavaScript", "bounty_amount": 7000.0, "created_date": "2023-01-14T00:25:49+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40062647", "has_markdown": true }, { "id": "40062622", "title": " heap-use-after-free at browser.cc:869 in Browser::TryToCloseWindow (browser process)", "url": "https://issues.chromium.org/issues/40062622", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Profiles, UI>Browser>TopChrome>TabStrip", "bounty_amount": 1000.0, "created_date": "2023-01-12T21:35:02+00:00", "year": 2023, "attachment_count": 8, "local_path": "issues/40062622", "has_markdown": true }, { "id": "40062619", "title": "Security: Forced user interaction for permission prompts by closing a popup window", "url": "https://issues.chromium.org/issues/40062619", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Permissions>Indicators", "bounty_amount": 1000.0, "created_date": "2023-01-12T19:15:24+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40062619", "has_markdown": true }, { "id": "40062618", "title": "Security: FedCM should have clickjacking protection", "url": "https://issues.chromium.org/issues/40062618", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Identity>FedCM", "bounty_amount": 1000.0, "created_date": "2023-01-12T17:50:22+00:00", "year": 2023, "attachment_count": 8, "local_path": "issues/40062618", "has_markdown": true }, { "id": "40062610", "title": "Security: Debug check failed: old_entry.IsRegularEntry() in v8", "url": "https://issues.chromium.org/issues/40062610", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript", "bounty_amount": 7000.0, "created_date": "2023-01-12T03:51:14+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40062610", "has_markdown": true }, { "id": "40062594", "title": "v8 oobr on an obj", "url": "https://issues.chromium.org/issues/40062594", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>API, Blink>JavaScript>Runtime", "bounty_amount": 7000.0, "created_date": "2023-01-11T06:34:57+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40062594", "has_markdown": true }, { "id": "40062584", "title": "UAP in blink::WebGPUSwapBufferProvider::DiscardCurrentSwapBuffer(with --enable-unsafe-webgpu)", "url": "https://issues.chromium.org/issues/40062584", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGPU", "bounty_amount": 7000.0, "created_date": "2023-01-10T17:26:55+00:00", "year": 2023, "attachment_count": 6, "local_path": "issues/40062584", "has_markdown": true }, { "id": "40062572", "title": "v8 crash in maglev::UseMarkingProcessor::MarkUse with maglev compiler", "url": "https://issues.chromium.org/issues/40062572", "status": "Accepted", "severity": "S4-Minimal", "component": "Blink>JavaScript>Compiler>Maglev", "bounty_amount": 7000.0, "created_date": "2023-01-10T07:59:36+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40062572", "has_markdown": true }, { "id": "40062567", "title": "Security: Android Text Selection Menu Able to Overlap Fullscreen Notification Toast", "url": "https://issues.chromium.org/issues/40062567", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>FullScreen", "bounty_amount": 2000.0, "created_date": "2023-01-10T02:35:34+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40062567", "has_markdown": true }, { "id": "40062564", "title": "memory corruption in blink::ReadableStreamDefaultControllerWithScriptScope::Enqueue", "url": "https://issues.chromium.org/issues/40062564", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebRTC", "bounty_amount": 3000.0, "created_date": "2023-01-09T19:50:01+00:00", "year": 2023, "attachment_count": 8, "local_path": "issues/40062564", "has_markdown": true }, { "id": "40062543", "title": "type confusion in chrome", "url": "https://issues.chromium.org/issues/40062543", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools", "bounty_amount": 1000.0, "created_date": "2023-01-07T07:12:29+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40062543", "has_markdown": true }, { "id": "40062534", "title": "Security: Directory Picker Dialog gives access to write .exe/.bat files", "url": "https://issues.chromium.org/issues/40062534", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Storage>FileSystem, UI>Browser>Downloads", "bounty_amount": 1000.0, "created_date": "2023-01-06T12:00:03+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40062534", "has_markdown": true }, { "id": "40062526", "title": "UAF in blink::RTCPeerConnectionHandler::OnIceCandidate", "url": "https://issues.chromium.org/issues/40062526", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebRTC", "bounty_amount": 3000.0, "created_date": "2023-01-05T18:37:42+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40062526", "has_markdown": true }, { "id": "40062523", "title": "Chrome Theme contains link to malware, safe browser does not catch it", "url": "https://issues.chromium.org/issues/40062523", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Themes", "bounty_amount": 1000.0, "created_date": "2023-01-05T16:05:17+00:00", "year": 2023, "attachment_count": 3, "local_path": "issues/40062523", "has_markdown": true }, { "id": "40062510", "title": "Google Chrome Console WebUI Heap-Overflow Vulnerability", "url": "https://issues.chromium.org/issues/40062510", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>WebUI", "bounty_amount": 2000.0, "created_date": "2023-01-05T06:37:01+00:00", "year": 2023, "attachment_count": 0, "local_path": "issues/40062510", "has_markdown": true }, { "id": "40062495", "title": "Security: Integer overflows in CountPages", "url": "https://issues.chromium.org/issues/40062495", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Plugins>PDF", "bounty_amount": 10000.0, "created_date": "2023-01-04T06:49:15+00:00", "year": 2023, "attachment_count": 4, "local_path": "issues/40062495", "has_markdown": true }, { "id": "40062478", "title": "V8 type confusion of object as v8::Function in CallMethodOnFrame", "url": "https://issues.chromium.org/issues/40062478", "status": "Accepted", "severity": "S3-Low", "component": "Platform>DevTools", "bounty_amount": 1000.0, "created_date": "2023-01-03T14:21:30+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40062478", "has_markdown": true }, { "id": "40062472", "title": "V8 type confusion of Undefined as v8::Function in ServiceWorkerGlobalScope::FetchHandlerType", "url": "https://issues.chromium.org/issues/40062472", "status": "Assigned", "severity": "S3-Low", "component": "Blink>ServiceWorker", "bounty_amount": 7000.0, "created_date": "2023-01-03T09:02:51+00:00", "year": 2023, "attachment_count": 2, "local_path": "issues/40062472", "has_markdown": true }, { "id": "40062470", "title": "Security: Incognito Mode-specific external protocol prompts can be overlaid on other origins on Android.", "url": "https://issues.chromium.org/issues/40062470", "status": "Accepted", "severity": "S3-Low", "component": "Mobile>Intents, UI>Browser>Incognito", "bounty_amount": 1000.0, "created_date": "2023-01-03T05:55:14+00:00", "year": 2023, "attachment_count": 1, "local_path": "issues/40062470", "has_markdown": true }, { "id": "40062462", "title": "Security: Possible to include mixed content in an about:blank popup opened by a https page", "url": "https://issues.chromium.org/issues/40062462", "status": "Accepted", "severity": "S3-Low", "component": "Blink>SecurityFeature", "bounty_amount": 1000.0, "created_date": "2023-01-02T16:08:01+00:00", "year": 2023, "attachment_count": 5, "local_path": "issues/40062462", "has_markdown": true }, { "id": "40062445", "title": "Security: (Android) PWA Install prompt can be overlaid over other origins.", "url": "https://issues.chromium.org/issues/40062445", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>WebAppInstalls>Android", "bounty_amount": 2000.0, "created_date": "2022-12-30T07:47:47+00:00", "year": 2022, "attachment_count": 8, "local_path": "issues/40062445", "has_markdown": true }, { "id": "40062432", "title": "Security: segmentation fault in ResizableArrayBuffer in v8", "url": "https://issues.chromium.org/issues/40062432", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>API, Blink>JavaScript>Runtime", "bounty_amount": 7000.0, "created_date": "2022-12-29T07:13:31+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40062432", "has_markdown": true }, { "id": "40062430", "title": "Security: Debug check failed: ReadOnlyHeap::Contains(object) || heap_->Contains(object)", "url": "https://issues.chromium.org/issues/40062430", "status": "Fixed", "severity": "S3-Low", "component": "Blink>JavaScript", "bounty_amount": 7000.0, "created_date": "2022-12-29T03:58:40+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40062430", "has_markdown": true }, { "id": "40062426", "title": "[ChromeOS Security] Multiple Share Memory TOCTOU Vulnerabilities in Qualcomm Snapdragon 7c Gen 2 Camera Drivers Which can be triggered from Chome Browser Context", "url": "https://issues.chromium.org/issues/40062426", "status": "Assigned", "severity": "S3-Low", "component": "OS>Packages", "bounty_amount": 10000.0, "created_date": "2022-12-29T00:22:38+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40062426", "has_markdown": true }, { "id": "40062424", "title": "Security: PWA Install prompt can be overlaid over other origins.", "url": "https://issues.chromium.org/issues/40062424", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>WebAppInstalls", "bounty_amount": 4000.0, "created_date": "2022-12-28T20:17:16+00:00", "year": 2022, "attachment_count": 7, "local_path": "issues/40062424", "has_markdown": true }, { "id": "40062412", "title": "Security: PWA Installation can be unknowingly installed and launched into by pressing the \"Enter\" button repeatedly", "url": "https://issues.chromium.org/issues/40062412", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>WebAppInstalls", "bounty_amount": 1000.0, "created_date": "2022-12-27T17:51:58+00:00", "year": 2022, "attachment_count": 7, "local_path": "issues/40062412", "has_markdown": true }, { "id": "40062398", "title": "Security: Improper origin elision in downloads prompt initiated in Chrome Custom Tab (Android)", "url": "https://issues.chromium.org/issues/40062398", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Downloads", "bounty_amount": 1000.0, "created_date": "2022-12-26T18:52:46+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40062398", "has_markdown": true }, { "id": "40062384", "title": "register assign error with jit", "url": "https://issues.chromium.org/issues/40062384", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>API, Blink>JavaScript>Runtime", "bounty_amount": 7000.0, "created_date": "2022-12-25T09:15:34+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40062384", "has_markdown": true }, { "id": "40062383", "title": "oob in RTCStatsCollector::ProduceTransportStats_n", "url": "https://issues.chromium.org/issues/40062383", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebRTC>PeerConnection", "bounty_amount": 2000.0, "created_date": "2022-12-25T09:13:47+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40062383", "has_markdown": true }, { "id": "40062377", "title": "Security: PaymentRequest dialog selects an accept button by default", "url": "https://issues.chromium.org/issues/40062377", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Payments", "bounty_amount": 5000.0, "created_date": "2022-12-24T17:23:32+00:00", "year": 2022, "attachment_count": 6, "local_path": "issues/40062377", "has_markdown": true }, { "id": "40062372", "title": "UAF in AsyncCompileJob::Abort", "url": "https://issues.chromium.org/issues/40062372", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 10000.0, "created_date": "2022-12-24T15:08:02+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40062372", "has_markdown": true }, { "id": "40062369", "title": "Heap Buffer Overflow in AudioWorkletProcessor::ClonePortTopology", "url": "https://issues.chromium.org/issues/40062369", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>WebAudio", "bounty_amount": 7000.0, "created_date": "2022-12-24T08:30:11+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40062369", "has_markdown": true }, { "id": "40062366", "title": "Security: PaymentRequest dialog susceptible to clickjacking", "url": "https://issues.chromium.org/issues/40062366", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Payments", "bounty_amount": 1000.0, "created_date": "2022-12-24T00:51:24+00:00", "year": 2022, "attachment_count": 6, "local_path": "issues/40062366", "has_markdown": true }, { "id": "40062350", "title": "Security: Heap-use-after-free in ExtensionViewHost::OnDidStopFirstLoad", "url": "https://issues.chromium.org/issues/40062350", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 3000.0, "created_date": "2022-12-22T07:07:36+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40062350", "has_markdown": true }, { "id": "40062345", "title": "Security: Fatal error in ../../src/heap/mark-compact.cc", "url": "https://issues.chromium.org/issues/40062345", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript", "bounty_amount": 7000.0, "created_date": "2022-12-22T03:19:20+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40062345", "has_markdown": true }, { "id": "40062302", "title": "Security: heap-buffer-overflow in HidDeviceManager::GetApiDevicesFromList", "url": "https://issues.chromium.org/issues/40062302", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Apps>API>HID, Platform>Extensions>API", "bounty_amount": 2000.0, "created_date": "2022-12-17T11:04:48+00:00", "year": 2022, "attachment_count": 14, "local_path": "issues/40062302", "has_markdown": true }, { "id": "40062298", "title": "Security: Container-overflow in SavedTabGroupModel::RemoveTabFromGroup", "url": "https://issues.chromium.org/issues/40062298", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>TopChrome>TabStrip>TabGroups", "bounty_amount": 2000.0, "created_date": "2022-12-17T02:15:24+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40062298", "has_markdown": true }, { "id": "40062221", "title": "Security: UAF in GuestViewBase::StopTrackingEmbedderZoomLevel", "url": "https://issues.chromium.org/issues/40062221", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Apps>BrowserTag", "bounty_amount": 7000.0, "created_date": "2022-12-14T01:35:26+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40062221", "has_markdown": true }, { "id": "40062211", "title": "Buffer overflow in the rndis_wlan driver for Linux kernel", "url": "https://issues.chromium.org/issues/40062211", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 20000.0, "created_date": "2022-12-13T08:09:35+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40062211", "has_markdown": true }, { "id": "40062206", "title": "Security: heap-use-after-free in blink::PropertyTreeManager::EnsureCompositorTransformNode", "url": "https://issues.chromium.org/issues/40062206", "status": "Fixed", "severity": "S3-Low", "component": "Internals>Compositing", "bounty_amount": 7000.0, "created_date": "2022-12-13T01:09:46+00:00", "year": 2022, "attachment_count": 6, "local_path": "issues/40062206", "has_markdown": true }, { "id": "40062170", "title": "Security: Race Condition UAF in panfrost_ioctl_create_bo", "url": "https://issues.chromium.org/issues/40062170", "status": "Assigned", "severity": "S3-Low", "component": "OS>Packages", "bounty_amount": 20000.0, "created_date": "2022-12-11T08:34:42+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40062170", "has_markdown": true }, { "id": "40062164", "title": "Security: Debug check failed: Shared heap must not have clients at teardown, leading to SEGV_ACCERR", "url": "https://issues.chromium.org/issues/40062164", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Runtime", "bounty_amount": 7000.0, "created_date": "2022-12-10T08:13:29+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40062164", "has_markdown": true }, { "id": "40062163", "title": "Security: Debug check failed: string->InSharedHeap() in v8", "url": "https://issues.chromium.org/issues/40062163", "status": "Fixed", "severity": "S3-Low", "component": "Blink>JavaScript>Runtime", "bounty_amount": 7000.0, "created_date": "2022-12-10T07:21:06+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40062163", "has_markdown": true }, { "id": "40062161", "title": "Security: UAF in VIRTGPU_RESOURCE_CREATE and VIRTGPU_RESOURCE_CREATE_BLOB", "url": "https://issues.chromium.org/issues/40062161", "status": "Accepted", "severity": "S3-Low", "component": "OS>Packages", "bounty_amount": 20000.0, "created_date": "2022-12-10T03:37:56+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40062161", "has_markdown": true }, { "id": "40062153", "title": "Security: Container Overflow in UDPSocket::OnLeaveGroupCompleted", "url": "https://issues.chromium.org/issues/40062153", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Apps>API", "bounty_amount": 10000.0, "created_date": "2022-12-09T20:11:18+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40062153", "has_markdown": true }, { "id": "40062152", "title": "Insufficient fix for Cross-Origin (Partial) Status Code leak (XS-Leak)", "url": "https://issues.chromium.org/issues/40062152", "status": "Assigned", "severity": "S3-Low", "component": "Blink>SecurityFeature>CORS", "bounty_amount": 1000.0, "created_date": "2022-12-09T17:23:50+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40062152", "has_markdown": true }, { "id": "40062145", "title": "stack use after return in gpu::raster::(anonymous namespace)::OnReadYUVImagePixelsDone", "url": "https://issues.chromium.org/issues/40062145", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>Vulkan", "bounty_amount": 10000.0, "created_date": "2022-12-09T07:38:06+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40062145", "has_markdown": true }, { "id": "40062130", "title": "Security: UAF in MojoQueryQuotaIpcz", "url": "https://issues.chromium.org/issues/40062130", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Mojo", "bounty_amount": 30000.0, "created_date": "2022-12-08T14:16:10+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40062130", "has_markdown": true }, { "id": "40062108", "title": "Security: ChromeOS pluginvm arbitrary chmod 777", "url": "https://issues.chromium.org/issues/40062108", "status": "Accepted", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 5000.0, "created_date": "2022-12-07T17:28:12+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40062108", "has_markdown": true }, { "id": "40062107", "title": "Security: ChromeOS Arbitrary Root File Delete", "url": "https://issues.chromium.org/issues/40062107", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 5000.0, "created_date": "2022-12-07T17:28:10+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40062107", "has_markdown": true }, { "id": "40062106", "title": "Security: ChromeOS On halt/reboot root file overwrite", "url": "https://issues.chromium.org/issues/40062106", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 20000.0, "created_date": "2022-12-07T17:28:07+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40062106", "has_markdown": true }, { "id": "40062098", "title": "Security: Android - Bypass the Protection of input fields cache (Autofill) ", "url": "https://issues.chromium.org/issues/40062098", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Autofill", "bounty_amount": 5000.0, "created_date": "2022-12-07T14:33:16+00:00", "year": 2022, "attachment_count": 6, "local_path": "issues/40062098", "has_markdown": true }, { "id": "40062087", "title": "memory corruption in v8", "url": "https://issues.chromium.org/issues/40062087", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Compiler", "bounty_amount": 7000.0, "created_date": "2022-12-07T05:43:01+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40062087", "has_markdown": true }, { "id": "40062078", "title": "Use-after-poison in content::InspectorMediaEventHandler::SendQueuedMediaEvents", "url": "https://issues.chromium.org/issues/40062078", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>Core, Internals>Media", "bounty_amount": 7000.0, "created_date": "2022-12-07T00:47:49+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40062078", "has_markdown": true }, { "id": "40062066", "title": "UAF in GpuChannel", "url": "https://issues.chromium.org/issues/40062066", "status": "Accepted", "severity": "S3-Low", "component": "Internals>GPU", "bounty_amount": 5000.0, "created_date": "2022-12-06T12:38:21+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40062066", "has_markdown": true }, { "id": "40062062", "title": "Security: CVE-2022-3970 was fixed in libtiff and published but not propagated to Pdfium yet", "url": "https://issues.chromium.org/issues/40062062", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Plugins>PDF", "bounty_amount": 1000.0, "created_date": "2022-12-06T10:21:03+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40062062", "has_markdown": true }, { "id": "40062058", "title": "Security: Fatal error in ../../src/heap/sweeper.cc", "url": "https://issues.chromium.org/issues/40062058", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>GarbageCollection", "bounty_amount": 7000.0, "created_date": "2022-12-06T08:37:14+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40062058", "has_markdown": true }, { "id": "40062056", "title": "UAF in SharedImageManager of GPU", "url": "https://issues.chromium.org/issues/40062056", "status": "Accepted", "severity": "S3-Low", "component": "Internals>GPU", "bounty_amount": 5000.0, "created_date": "2022-12-06T07:01:07+00:00", "year": 2022, "attachment_count": 6, "local_path": "issues/40062056", "has_markdown": true }, { "id": "40062042", "title": "Security: UAF in HandleExpandedPaths", "url": "https://issues.chromium.org/issues/40062042", "status": "Assigned", "severity": "S3-Low", "component": "Enterprise, Enterprise>Connectors", "bounty_amount": 30000.0, "created_date": "2022-12-05T06:44:28+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40062042", "has_markdown": true }, { "id": "40062027", "title": "Security: heap-use-after-free third_party/swiftshader/src/WSI/VkSwapchainKHR.cpp:43:13", "url": "https://issues.chromium.org/issues/40062027", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>Vulkan", "bounty_amount": 2000.0, "created_date": "2022-12-03T01:26:37+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40062027", "has_markdown": true }, { "id": "40062021", "title": "Security:UAF in content::SyntheticPointerAction::ForwardTouchOrMouseInputEvents(browser process)", "url": "https://issues.chromium.org/issues/40062021", "status": "Fixed", "severity": "S3-Low", "component": "Blink>Input", "bounty_amount": 7000.0, "created_date": "2022-12-02T13:23:49+00:00", "year": 2022, "attachment_count": 6, "local_path": "issues/40062021", "has_markdown": true }, { "id": "40062019", "title": "Security: ChromeOS Guest User Can Force Persistent Rollback on Stable Channel", "url": "https://issues.chromium.org/issues/40062019", "status": "Accepted", "severity": "S3-Low", "component": "Enterprise", "bounty_amount": 500.0, "created_date": "2022-12-02T11:02:24+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40062019", "has_markdown": true }, { "id": "40061975", "title": "Security:UAF in content::SyntheticMouseDriver::DispatchEvent(browser process)", "url": "https://issues.chromium.org/issues/40061975", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Input, Internals>Core", "bounty_amount": 2000.0, "created_date": "2022-11-30T14:26:31+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40061975", "has_markdown": true }, { "id": "40061973", "title": "UAF in OnSyncMessageEventReady", "url": "https://issues.chromium.org/issues/40061973", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Mojo>Bindings", "bounty_amount": 4000.0, "created_date": "2022-11-30T10:43:59+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40061973", "has_markdown": true }, { "id": "40061953", "title": "Security: Permission Prompts can be made totally hidden and user can Accept and interact with sensitive data without being aware Similar to (1358647)", "url": "https://issues.chromium.org/issues/40061953", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Permissions>Prompts", "bounty_amount": 2000.0, "created_date": "2022-11-29T14:13:34+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40061953", "has_markdown": true }, { "id": "40061952", "title": "Security: Debug check failed: enum_length == map->NumberOfEnumerableProperties()", "url": "https://issues.chromium.org/issues/40061952", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Runtime", "bounty_amount": 10000.0, "created_date": "2022-11-29T14:02:19+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40061952", "has_markdown": true }, { "id": "40061945", "title": "Security: stack-use-after-scope in dawn::native::CommandEncoder::BeginRenderPass", "url": "https://issues.chromium.org/issues/40061945", "status": "Fixed", "severity": "S3-Low", "component": "Internals>GPU>Dawn, Internals>Skia", "bounty_amount": 10000.0, "created_date": "2022-11-29T01:07:29+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40061945", "has_markdown": true }, { "id": "40061930", "title": "Turbofan-Optimization Bug: \"Check failed: IsBigInt()\"", "url": "https://issues.chromium.org/issues/40061930", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Compiler", "bounty_amount": 7000.0, "created_date": "2022-11-28T01:57:50+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40061930", "has_markdown": true }, { "id": "40061921", "title": "Security: Download notification can hide \"Press and hold Esc to exit full screen\" ", "url": "https://issues.chromium.org/issues/40061921", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Bubbles>Download, UI>Browser>Downloads", "bounty_amount": 3000.0, "created_date": "2022-11-26T04:22:15+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40061921", "has_markdown": true }, { "id": "40061920", "title": "Security: stack-use-after-scope in dawn::native::d3d12::ShaderModule::Compile", "url": "https://issues.chromium.org/issues/40061920", "status": "Assigned", "severity": "S3-Low", "component": "Dawn", "bounty_amount": 10000.0, "created_date": "2022-11-26T01:59:22+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40061920", "has_markdown": true }, { "id": "40061915", "title": "Security: UAF in content::NavigationRequest::SetViewTransitionState in browser process", "url": "https://issues.chromium.org/issues/40061915", "status": "Fixed", "severity": "S3-Low", "component": "Blink>ViewTransitions", "bounty_amount": 20000.0, "created_date": "2022-11-25T11:26:18+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40061915", "has_markdown": true }, { "id": "40061894", "title": "Security: dcheck failed in object.InSharedHeap ", "url": "https://issues.chromium.org/issues/40061894", "status": "Fixed", "severity": "S4-Minimal", "component": "Blink>JavaScript>Runtime", "bounty_amount": 7000.0, "created_date": "2022-11-24T02:52:35+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40061894", "has_markdown": true }, { "id": "40061881", "title": "Optimization bug in TurboShaft::MachineOptimizationReducer::ReduceSignedDiv", "url": "https://issues.chromium.org/issues/40061881", "status": "Accepted", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler", "bounty_amount": 10000.0, "created_date": "2022-11-23T07:45:42+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40061881", "has_markdown": true }, { "id": "40061872", "title": "Security: heap-use-after-free on chromeOS using PhoneHub + Screensharing", "url": "https://issues.chromium.org/issues/40061872", "status": "Assigned", "severity": "S3-Low", "component": "UI>Shell", "bounty_amount": 2000.0, "created_date": "2022-11-22T14:10:07+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40061872", "has_markdown": true }, { "id": "40061867", "title": "Security: heap-use-after-free drop_target_event.cc:28 in ui::DropTargetEvent::DropTargetEvent", "url": "https://issues.chromium.org/issues/40061867", "status": "Assigned", "severity": "S3-Low", "component": "UI>Aura", "bounty_amount": 5000.0, "created_date": "2022-11-22T10:19:46+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40061867", "has_markdown": true }, { "id": "40061865", "title": "Security: Security DCHECK failed: IsA(from) blink::CSSPrimitiveValue::ConvertToLength", "url": "https://issues.chromium.org/issues/40061865", "status": "Fixed", "severity": "S4-Minimal", "component": "Blink>Animation, Blink>CSS", "bounty_amount": 7000.0, "created_date": "2022-11-22T03:29:56+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40061865", "has_markdown": true }, { "id": "40061849", "title": "Security: Debug check failed: IsPrimitiveMap()", "url": "https://issues.chromium.org/issues/40061849", "status": "Fixed", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Maglev", "bounty_amount": 10000.0, "created_date": "2022-11-21T11:07:21+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40061849", "has_markdown": true }, { "id": "40061815", "title": "Security: Unretained() can be used for objects on the Oilpan heap", "url": "https://issues.chromium.org/issues/40061815", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Workers", "bounty_amount": 3000.0, "created_date": "2022-11-18T21:46:13+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40061815", "has_markdown": true }, { "id": "40061803", "title": "UAF in MerchantViewerDataManager", "url": "https://issues.chromium.org/issues/40061803", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Shopping>Cart", "bounty_amount": 1000.0, "created_date": "2022-11-18T06:56:04+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40061803", "has_markdown": true }, { "id": "40061801", "title": "Security: Escape the page sandbox to the Chromium debugger via Chrome headless snapshots", "url": "https://issues.chromium.org/issues/40061801", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Headless, Platform>DevTools", "bounty_amount": 2000.0, "created_date": "2022-11-18T04:08:51+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40061801", "has_markdown": true }, { "id": "40061793", "title": "UAF in CartService", "url": "https://issues.chromium.org/issues/40061793", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Shopping>Cart", "bounty_amount": 2500.0, "created_date": "2022-11-17T17:59:37+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40061793", "has_markdown": true }, { "id": "40061784", "title": "Security: Debug check failed: slot < sentinel_ in UpdateUntypedOldToSharedPointers", "url": "https://issues.chromium.org/issues/40061784", "status": "Fixed", "severity": "S3-Low", "component": "Blink>JavaScript>GarbageCollection", "bounty_amount": 7000.0, "created_date": "2022-11-17T12:03:07+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40061784", "has_markdown": true }, { "id": "40061783", "title": "Security: Permissions Prompt UI spoof through a custom CSS cursor", "url": "https://issues.chromium.org/issues/40061783", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser, UI>Browser>Permissions>Prompts", "bounty_amount": 3000.0, "created_date": "2022-11-17T11:54:27+00:00", "year": 2022, "attachment_count": 6, "local_path": "issues/40061783", "has_markdown": true }, { "id": "40061782", "title": "UAF in CartHandler", "url": "https://issues.chromium.org/issues/40061782", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Shopping>Cart", "bounty_amount": 2500.0, "created_date": "2022-11-17T11:27:16+00:00", "year": 2022, "attachment_count": 7, "local_path": "issues/40061782", "has_markdown": true }, { "id": "40061781", "title": "Security: global-buffer-overflow css_property.cc:27 in blink::CSSProperty::Get", "url": "https://issues.chromium.org/issues/40061781", "status": "Assigned", "severity": "S3-Low", "component": "Blink>CSS", "bounty_amount": 7000.0, "created_date": "2022-11-17T10:41:03+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40061781", "has_markdown": true }, { "id": "40061773", "title": "Security: Debug check failed: s->IsFlat().", "url": "https://issues.chromium.org/issues/40061773", "status": "Accepted", "severity": "S4-Minimal", "component": "Blink>JavaScript, Blink>JavaScript>Internationalization, Blink>JavaScript>Runtime", "bounty_amount": 7000.0, "created_date": "2022-11-16T12:16:49+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40061773", "has_markdown": true }, { "id": "40061772", "title": "Security: Extension with permission can read arbitrary local files although (Allow access to file URLs) is disabled", "url": "https://issues.chromium.org/issues/40061772", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions>API", "bounty_amount": 10000.0, "created_date": "2022-11-16T11:10:26+00:00", "year": 2022, "attachment_count": 8, "local_path": "issues/40061772", "has_markdown": true }, { "id": "40061735", "title": "blink::MediaInspectorContextImpl::CullPlayers", "url": "https://issues.chromium.org/issues/40061735", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Media>WebCodecs, Blink>Scheduling", "bounty_amount": 7000.0, "created_date": "2022-11-14T17:28:22+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40061735", "has_markdown": true }, { "id": "40061718", "title": "Security: UAF in lens::LensStaticPageController::LoadChromeLens", "url": "https://issues.chromium.org/issues/40061718", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser", "bounty_amount": 3000.0, "created_date": "2022-11-13T08:08:06+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40061718", "has_markdown": true }, { "id": "40061705", "title": "Security: UAF IN video_capture::VideoSourceImpl::OnClientDisconnected() services/video_capture/video_source_impl.cc:88:14", "url": "https://issues.chromium.org/issues/40061705", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Media>CameraCapture", "bounty_amount": 15000.0, "created_date": "2022-11-11T10:04:52+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40061705", "has_markdown": true }, { "id": "40061704", "title": "Security: Heap-buffer-overflow in CommerceHintAgent::DidFinishLoadCallback ", "url": "https://issues.chromium.org/issues/40061704", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Shopping", "bounty_amount": 2500.0, "created_date": "2022-11-11T08:05:26+00:00", "year": 2022, "attachment_count": 6, "local_path": "issues/40061704", "has_markdown": true }, { "id": "40061682", "title": "Security: UAF in content::RenderFrameDevToolsAgentHost::RenderProcessExited", "url": "https://issues.chromium.org/issues/40061682", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Headless", "bounty_amount": 30000.0, "created_date": "2022-11-10T03:16:19+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40061682", "has_markdown": true }, { "id": "40061678", "title": "Security: heap-use-after-free in observer_list.h triggered via Notes/Annotation feature", "url": "https://issues.chromium.org/issues/40061678", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>TopChrome>SidePanel", "bounty_amount": 1000.0, "created_date": "2022-11-10T01:05:10+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40061678", "has_markdown": true }, { "id": "40061670", "title": "UAF in search::(anonymous namespace)::NewTabURLDetails::ForProfile(Profile*)", "url": "https://issues.chromium.org/issues/40061670", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Core, Internals>Sandbox>SiteIsolation, UI>Browser>Profiles", "bounty_amount": 3000.0, "created_date": "2022-11-09T12:49:12+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40061670", "has_markdown": true }, { "id": "40061666", "title": "UAF in ScreenAIServiceRouter", "url": "https://issues.chromium.org/issues/40061666", "status": "Assigned", "severity": "S4-Minimal", "component": "UI>Accessibility", "bounty_amount": 4000.0, "created_date": "2022-11-09T07:48:04+00:00", "year": 2022, "attachment_count": 10, "local_path": "issues/40061666", "has_markdown": true }, { "id": "40061660", "title": "Security: UAF in validation_message_overlay_delegate", "url": "https://issues.chromium.org/issues/40061660", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Forms", "bounty_amount": 7000.0, "created_date": "2022-11-08T22:39:42+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40061660", "has_markdown": true }, { "id": "40061657", "title": "Security: Chrome on Android Keyboard Able to Overlap Fullscreen Notification Toast", "url": "https://issues.chromium.org/issues/40061657", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Fullscreen, UI>Browser>FullScreen", "bounty_amount": 7500.0, "created_date": "2022-11-08T18:18:25+00:00", "year": 2022, "attachment_count": 9, "local_path": "issues/40061657", "has_markdown": true }, { "id": "40061649", "title": "UAF in ScreenAIService", "url": "https://issues.chromium.org/issues/40061649", "status": "Assigned", "severity": "S4-Minimal", "component": "UI>Accessibility", "bounty_amount": 1500.0, "created_date": "2022-11-08T11:57:26+00:00", "year": 2022, "attachment_count": 10, "local_path": "issues/40061649", "has_markdown": true }, { "id": "40061636", "title": "Security: heap-buffer-overflow in network::ThrottlingNetworkInterceptor::UpdateThrottledRecords", "url": "https://issues.chromium.org/issues/40061636", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Services>Network, Platform>DevTools>Network", "bounty_amount": 2000.0, "created_date": "2022-11-07T14:41:15+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40061636", "has_markdown": true }, { "id": "40061620", "title": "UAF in blink::WidgetBase::BeginMainFrame(base::TimeTicks)", "url": "https://issues.chromium.org/issues/40061620", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Internals>Frames, Platform>DevTools, UI>Browser>Navigation", "bounty_amount": 1500.0, "created_date": "2022-11-06T17:02:02+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40061620", "has_markdown": true }, { "id": "40061617", "title": "Security: ChromiumOS CRAS Server D-Bus SetGlobalOutputChannelRemix heap-over-flow", "url": "https://issues.chromium.org/issues/40061617", "status": "New", "severity": "S4-Minimal", "component": "Internals>Media>Audio", "bounty_amount": 13000.0, "created_date": "2022-11-06T12:50:08+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40061617", "has_markdown": true }, { "id": "40061616", "title": "Memory corruption in PresentationRequest", "url": "https://issues.chromium.org/issues/40061616", "status": "Assigned", "severity": "S3-Low", "component": "Blink>PresentationAPI", "bounty_amount": 7000.0, "created_date": "2022-11-06T07:32:47+00:00", "year": 2022, "attachment_count": 6, "local_path": "issues/40061616", "has_markdown": true }, { "id": "40061594", "title": "Use-after-free in the filepicker", "url": "https://issues.chromium.org/issues/40061594", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Views", "bounty_amount": 1000.0, "created_date": "2022-11-04T11:46:38+00:00", "year": 2022, "attachment_count": 7, "local_path": "issues/40061594", "has_markdown": true }, { "id": "40061592", "title": "Security: UAF in VideoCaptureDeviceWin", "url": "https://issues.chromium.org/issues/40061592", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Media>CameraCapture", "bounty_amount": 7000.0, "created_date": "2022-11-04T08:43:02+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40061592", "has_markdown": true }, { "id": "40061591", "title": "Security: UAF in device_del", "url": "https://issues.chromium.org/issues/40061591", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 5000.0, "created_date": "2022-11-04T05:17:45+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40061591", "has_markdown": true }, { "id": "40061589", "title": "Security: Debug check failed: kCanBeWeak || (!IsSmi() == HAS_STRONG_HEAP_OBJECT_TAG(ptr_)).", "url": "https://issues.chromium.org/issues/40061589", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Maglev", "bounty_amount": 10000.0, "created_date": "2022-11-04T03:07:45+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40061589", "has_markdown": true }, { "id": "40061586", "title": "Security: Bypass 1342722, sourceMappingURL directive allows use of UNC paths on Windows", "url": "https://issues.chromium.org/issues/40061586", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 5000.0, "created_date": "2022-11-03T19:39:34+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40061586", "has_markdown": true }, { "id": "40061558", "title": "Security: Use After Free in PasswordsPrivateDelegateImpl::OsReauthTimeoutCall,", "url": "https://issues.chromium.org/issues/40061558", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Passwords, UI>Settings", "bounty_amount": 1000.0, "created_date": "2022-11-02T03:34:29+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40061558", "has_markdown": true }, { "id": "40061557", "title": "Security: heap-use-after-free ui/views/view.cc:1921:7 in views::View::HandleAccessibleAction", "url": "https://issues.chromium.org/issues/40061557", "status": "Assigned", "severity": "S4-Minimal", "component": "UI>Accessibility", "bounty_amount": 2000.0, "created_date": "2022-11-02T00:04:03+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40061557", "has_markdown": true }, { "id": "40061543", "title": "Use-after-poison in blink::CSSSelector::SelectorListOrParent", "url": "https://issues.chromium.org/issues/40061543", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>CSS", "bounty_amount": 10000.0, "created_date": "2022-11-01T08:39:59+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40061543", "has_markdown": true }, { "id": "40061519", "title": "Security: heap-use-after-free browser\\renderer_host\\render_process_host_impl.cc:2068 in content::RenderProcessHostImpl::CreateNotificationService", "url": "https://issues.chromium.org/issues/40061519", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Navigation>BFCache, UI>Notifications", "bounty_amount": 7000.0, "created_date": "2022-10-29T14:56:24+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40061519", "has_markdown": true }, { "id": "40061509", "title": "Incorrect handle of url scheme lead to rce+sbx escape", "url": "https://issues.chromium.org/issues/40061509", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Permissions>Prompts", "bounty_amount": 1000.0, "created_date": "2022-10-28T14:27:21+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40061509", "has_markdown": true }, { "id": "40061505", "title": "UAF in ExtensionInstalledWaiter", "url": "https://issues.chromium.org/issues/40061505", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 2000.0, "created_date": "2022-10-28T08:36:50+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40061505", "has_markdown": true }, { "id": "40061504", "title": "Security: Stack-buffer-overflow in WebGL vulkan backend", "url": "https://issues.chromium.org/issues/40061504", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE", "bounty_amount": 10000.0, "created_date": "2022-10-28T03:02:57+00:00", "year": 2022, "attachment_count": 7, "local_path": "issues/40061504", "has_markdown": true }, { "id": "40061500", "title": "Security: Promise.any.call leak hole, leading to RCE", "url": "https://issues.chromium.org/issues/40061500", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Runtime", "bounty_amount": 15000.0, "created_date": "2022-10-27T16:08:43+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40061500", "has_markdown": true }, { "id": "40061499", "title": "Security: FileChooserImpl still traverse symlink in symlink to directory", "url": "https://issues.chromium.org/issues/40061499", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Forms>File>Directory", "bounty_amount": 3000.0, "created_date": "2022-10-27T14:34:14+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40061499", "has_markdown": true }, { "id": "40061482", "title": "Security: UAF in MultiplexEncoderFactory", "url": "https://issues.chromium.org/issues/40061482", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebRTC", "bounty_amount": 10000.0, "created_date": "2022-10-26T12:23:48+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40061482", "has_markdown": true }, { "id": "40061481", "title": "Use-after-free in Mojo ChannelMac::SendMessageLocked", "url": "https://issues.chromium.org/issues/40061481", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Mojo", "bounty_amount": 30000.0, "created_date": "2022-10-26T12:02:41+00:00", "year": 2022, "attachment_count": 6, "local_path": "issues/40061481", "has_markdown": true }, { "id": "40061476", "title": "Out of bound write in GPU", "url": "https://issues.chromium.org/issues/40061476", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE, Internals>GPU>SwiftShader, Internals>GPU>Testing", "bounty_amount": 15000.0, "created_date": "2022-10-26T07:27:28+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40061476", "has_markdown": true }, { "id": "40061475", "title": "Security: UAF in PasswordAutofillManager::OnBiometricReauthCompleted", "url": "https://issues.chromium.org/issues/40061475", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Autofill", "bounty_amount": 7000.0, "created_date": "2022-10-26T04:09:05+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40061475", "has_markdown": true }, { "id": "40061467", "title": "Security: Heap-use-after-free in InstallablePaymentAppCrawler::OnPaymentMethodManifestParsed", "url": "https://issues.chromium.org/issues/40061467", "status": "New", "severity": "S3-Low", "component": "Blink>Payments", "bounty_amount": 30000.0, "created_date": "2022-10-25T16:00:34+00:00", "year": 2022, "attachment_count": 8, "local_path": "issues/40061467", "has_markdown": true }, { "id": "40061453", "title": "Security: WebAssembly UAF in catch block with stale memory start pointer", "url": "https://issues.chromium.org/issues/40061453", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Runtime", "bounty_amount": 20000.0, "created_date": "2022-10-24T14:40:47+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40061453", "has_markdown": true }, { "id": "40061426", "title": "Reading local files through an extension that only has the \"downloads\" permission", "url": "https://issues.chromium.org/issues/40061426", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions>API, UI>Browser>Downloads", "bounty_amount": 5000.0, "created_date": "2022-10-21T01:01:23+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40061426", "has_markdown": true }, { "id": "40061424", "title": "uaf in FederatedAuthRequestimpl", "url": "https://issues.chromium.org/issues/40061424", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Identity>FedCM", "bounty_amount": 7000.0, "created_date": "2022-10-20T16:41:20+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40061424", "has_markdown": true }, { "id": "40061408", "title": "UAF in network::WebTransport::TearDown", "url": "https://issues.chromium.org/issues/40061408", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Network>WebTransport", "bounty_amount": 16000.0, "created_date": "2022-10-19T05:50:16+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40061408", "has_markdown": true }, { "id": "40061374", "title": "Security: Device chooser dialogs do not show origin if initiator origin is opaque", "url": "https://issues.chromium.org/issues/40061374", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Bluetooth, Blink>HID, Blink>Serial, Blink>USB, UI>Browser>Permissions>Prompts", "bounty_amount": 3000.0, "created_date": "2022-10-16T23:59:15+00:00", "year": 2022, "attachment_count": 10, "local_path": "issues/40061374", "has_markdown": true }, { "id": "40061373", "title": "Security: Android: Bluetooth and USB chooser dialogs do not use top-level origin with permission delegation", "url": "https://issues.chromium.org/issues/40061373", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Bluetooth, Blink>USB, UI>Browser>Permissions>Prompts", "bounty_amount": 3000.0, "created_date": "2022-10-16T23:56:53+00:00", "year": 2022, "attachment_count": 7, "local_path": "issues/40061373", "has_markdown": true }, { "id": "40061370", "title": "Security: UAF in webgpu\\gpu.cc in blink::`anonymous namespace'::CreateContextProviderOnMainThread", "url": "https://issues.chromium.org/issues/40061370", "status": "Assigned", "severity": "S3-Low", "component": "Dawn", "bounty_amount": 7000.0, "created_date": "2022-10-16T08:04:40+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40061370", "has_markdown": true }, { "id": "40061367", "title": "Multiple checks fail, cross process crash, maybe race condition & use-after-free in video_encoder.cc", "url": "https://issues.chromium.org/issues/40061367", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Media>WebCodecs", "bounty_amount": 7000.0, "created_date": "2022-10-15T21:32:15+00:00", "year": 2022, "attachment_count": 7, "local_path": "issues/40061367", "has_markdown": true }, { "id": "40061363", "title": "uaf in FederatedAuthRequestImpl", "url": "https://issues.chromium.org/issues/40061363", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Identity>FedCM", "bounty_amount": 7000.0, "created_date": "2022-10-15T06:29:10+00:00", "year": 2022, "attachment_count": 7, "local_path": "issues/40061363", "has_markdown": true }, { "id": "40061335", "title": "Security: access-violation src\\v8\\src\\api\\api.cc:5809 in v8::String::WriteOneByte", "url": "https://issues.chromium.org/issues/40061335", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Bindings, Blink>ImageCapture, Blink>JavaScript>API", "bounty_amount": 5000.0, "created_date": "2022-10-13T14:23:50+00:00", "year": 2022, "attachment_count": 9, "local_path": "issues/40061335", "has_markdown": true }, { "id": "40061321", "title": "Security: heap-use-after-free in ProfileDestroyer::DestroyProfileNow", "url": "https://issues.chromium.org/issues/40061321", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 2000.0, "created_date": "2022-10-12T16:47:27+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40061321", "has_markdown": true }, { "id": "40061297", "title": "iOS Chrome Modal Dialog Spoof resulting to URL Spoof", "url": "https://issues.chromium.org/issues/40061297", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Navigation", "bounty_amount": 5000.0, "created_date": "2022-10-10T11:11:34+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40061297", "has_markdown": true }, { "id": "40061294", "title": "Security: Heap-use-after-free in SpeechRecognitionRecognizerImpl::ChangeLanguage", "url": "https://issues.chromium.org/issues/40061294", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Speech", "bounty_amount": 10000.0, "created_date": "2022-10-10T08:57:11+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40061294", "has_markdown": true }, { "id": "40061289", "title": "The PWA's installation dialog isn't being dismissed after redirects, which allows an attacker to show it on cross-origin pages", "url": "https://issues.chromium.org/issues/40061289", "status": "Fixed", "severity": "S3-Low", "component": "UI>Browser>WebAppInstalls", "bounty_amount": 4000.0, "created_date": "2022-10-09T18:37:18+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40061289", "has_markdown": true }, { "id": "40061287", "title": "The name attribute length on a PWA's manifest doesn't have a limit, which allows an attacker to spoof its message and origin", "url": "https://issues.chromium.org/issues/40061287", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>WebAppInstalls", "bounty_amount": 1000.0, "created_date": "2022-10-09T17:05:08+00:00", "year": 2022, "attachment_count": 8, "local_path": "issues/40061287", "has_markdown": true }, { "id": "40061280", "title": "use after poison in HeapObjectHeader::LoadEncoded()", "url": "https://issues.chromium.org/issues/40061280", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>GarbageCollection", "bounty_amount": 10000.0, "created_date": "2022-10-08T19:21:04+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40061280", "has_markdown": true }, { "id": "40061279", "title": "Security: Heap-use-after-free in ash::OverviewItem::ShowWindowInOverview", "url": "https://issues.chromium.org/issues/40061279", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Views>Desktop", "bounty_amount": 1500.0, "created_date": "2022-10-08T14:58:34+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40061279", "has_markdown": true }, { "id": "40061277", "title": "Security: Heap-use-after-free in ash::ScopedOverviewHideWindows::~ScopedOverviewHideWindows", "url": "https://issues.chromium.org/issues/40061277", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Views>Desktop", "bounty_amount": 2000.0, "created_date": "2022-10-08T13:28:14+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40061277", "has_markdown": true }, { "id": "40061275", "title": "Security: heap-use-after-free third_party\\blink\\renderer\\core\\workers\\worker_thread.cc:905 in blink::WorkerThread::PauseOrFreezeOnWorkerThread", "url": "https://issues.chromium.org/issues/40061275", "status": "Assigned", "severity": "S3-Low", "component": "Blink>GarbageCollection, Blink>WebAudio, Blink>Workers", "bounty_amount": 7000.0, "created_date": "2022-10-08T07:10:48+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40061275", "has_markdown": true }, { "id": "40061250", "title": "Security: UAF in mojo::SimpleWatcher::Context in MojoIpcz feature (browser process)", "url": "https://issues.chromium.org/issues/40061250", "status": "Fixed", "severity": "S3-Low", "component": "Internals>Mojo", "bounty_amount": 20000.0, "created_date": "2022-10-06T12:27:12+00:00", "year": 2022, "attachment_count": 13, "local_path": "issues/40061250", "has_markdown": true }, { "id": "40061249", "title": "stack-use-after-return in gpu::gles2::ProgramInfoManager::Program::UpdateES2", "url": "https://issues.chromium.org/issues/40061249", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>Internals", "bounty_amount": 3000.0, "created_date": "2022-10-06T12:26:40+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40061249", "has_markdown": true }, { "id": "40061248", "title": "Security: UAF in PluginVmInstaller::DetectImageType", "url": "https://issues.chromium.org/issues/40061248", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 1000.0, "created_date": "2022-10-06T11:39:07+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40061248", "has_markdown": true }, { "id": "40061230", "title": "Security: Forced user interaction for permission prompts by freezing the browser", "url": "https://issues.chromium.org/issues/40061230", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Permissions>Prompts", "bounty_amount": 3000.0, "created_date": "2022-10-04T20:38:03+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40061230", "has_markdown": true }, { "id": "40061217", "title": "Arbitrary URI Origin Spoof on Chrome Android Incognito mode", "url": "https://issues.chromium.org/issues/40061217", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Navigation", "bounty_amount": 1000.0, "created_date": "2022-10-03T17:25:39+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40061217", "has_markdown": true }, { "id": "40061216", "title": "uaf in ui::PropertyHandler::GetPropertyInternal(with )", "url": "https://issues.chromium.org/issues/40061216", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>Accessibility, UI>Accessibility", "bounty_amount": 2000.0, "created_date": "2022-10-03T16:06:09+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40061216", "has_markdown": true }, { "id": "40061212", "title": "UAF in SelectFileDialogLinuxKde::CallKDialogOutput", "url": "https://issues.chromium.org/issues/40061212", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser", "bounty_amount": 7000.0, "created_date": "2022-10-03T01:54:00+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40061212", "has_markdown": true }, { "id": "40061190", "title": "Security: Chrome on Android the Fullscreen Notification Toast Not shown when fullscreen (screen lock mode landscape)", "url": "https://issues.chromium.org/issues/40061190", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Fullscreen", "bounty_amount": 5000.0, "created_date": "2022-09-30T15:05:35+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40061190", "has_markdown": true }, { "id": "40061186", "title": "Security: use-after-poison interface_endpoint_client.cc:900 in mojo::InterfaceEndpointClient::HandleValidatedMessage", "url": "https://issues.chromium.org/issues/40061186", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebRTC>PeerConnection", "bounty_amount": 10000.0, "created_date": "2022-09-30T08:00:12+00:00", "year": 2022, "attachment_count": 7, "local_path": "issues/40061186", "has_markdown": true }, { "id": "40061184", "title": "Security: Race condition in JSCreateLowering, leading to RCE", "url": "https://issues.chromium.org/issues/40061184", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler", "bounty_amount": 20000.0, "created_date": "2022-09-30T07:11:08+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40061184", "has_markdown": true }, { "id": "40061164", "title": "Security: FencedFrame - Two way communication between embedder and frame", "url": "https://issues.chromium.org/issues/40061164", "status": "Assigned", "severity": "S3-Low", "component": "Blink>FencedFrames", "bounty_amount": 5000.0, "created_date": "2022-09-27T19:15:00+00:00", "year": 2022, "attachment_count": 12, "local_path": "issues/40061164", "has_markdown": true }, { "id": "40061152", "title": "Security: SameSite cookie bypass on Android by redirecting to to intent-picker", "url": "https://issues.chromium.org/issues/40061152", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Network>Cookies, Mobile>Intents", "bounty_amount": 5000.0, "created_date": "2022-09-26T18:23:22+00:00", "year": 2022, "attachment_count": 6, "local_path": "issues/40061152", "has_markdown": true }, { "id": "40061151", "title": "Security: Report 2 Vulnerabilities in WebSQL", "url": "https://issues.chromium.org/issues/40061151", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Storage>WebSQL", "bounty_amount": 10000.0, "created_date": "2022-09-26T12:47:19+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40061151", "has_markdown": true }, { "id": "40061150", "title": "Security: Type confusion in V8", "url": "https://issues.chromium.org/issues/40061150", "status": "Fixed", "severity": "S4-Minimal", "component": "Blink>JavaScript>Compiler>Maglev", "bounty_amount": 10000.0, "created_date": "2022-09-26T11:06:14+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40061150", "has_markdown": true }, { "id": "40061129", "title": "Security: Extension sanitization bypass by using %% ", "url": "https://issues.chromium.org/issues/40061129", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Downloads", "bounty_amount": 2000.0, "created_date": "2022-09-24T13:19:29+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40061129", "has_markdown": true }, { "id": "40061108", "title": "Security: [webkit] heap-use-after-free in WebCore::DOMWrapperWorld::~DOMWrapperWorld()+0x25b", "url": "https://issues.chromium.org/issues/40061108", "status": "Assigned", "severity": "S3-Low", "component": "Mobile>iOSWeb", "bounty_amount": 7000.0, "created_date": "2022-09-23T03:24:46+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40061108", "has_markdown": true }, { "id": "40061104", "title": "Security: Web Share dialog URL is incorrectly elided in Android (ineffective fix for issue 1329541)", "url": "https://issues.chromium.org/issues/40061104", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebShare, UI>Security (Use Subcomponent)>UrlFormatting", "bounty_amount": 500.0, "created_date": "2022-09-23T00:41:41+00:00", "year": 2022, "attachment_count": 13, "local_path": "issues/40061104", "has_markdown": true }, { "id": "40061099", "title": "uaf in v8_inspector::InjectedScript::addPromiseCallback", "url": "https://issues.chromium.org/issues/40061099", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 1000.0, "created_date": "2022-09-22T15:03:51+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40061099", "has_markdown": true }, { "id": "40061097", "title": "Security: custom_element_registry use-after-poison", "url": "https://issues.chromium.org/issues/40061097", "status": "Assigned", "severity": "S3-Low", "component": "Blink>HTML>CustomElements", "bounty_amount": 7000.0, "created_date": "2022-09-22T13:34:49+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40061097", "has_markdown": true }, { "id": "40061096", "title": "Security: UAF in content::DevToolsSession::DispatchProtocolResponse (browser process)", "url": "https://issues.chromium.org/issues/40061096", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools>Extensions", "bounty_amount": 1000.0, "created_date": "2022-09-22T13:31:52+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40061096", "has_markdown": true }, { "id": "40061095", "title": "Security: Heap-use-after-free in InstallablePaymentAppCrawler::OnPaymentMethodManifestParsed", "url": "https://issues.chromium.org/issues/40061095", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Payments", "bounty_amount": 30000.0, "created_date": "2022-09-22T13:15:03+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40061095", "has_markdown": true }, { "id": "40061060", "title": "Security: UAF in ash::network_diagnostics::DnsResolutionRoutine::CreateHostResolver() (browser process)", "url": "https://issues.chromium.org/issues/40061060", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Apps>Diagnostics>Connectivity", "bounty_amount": 3000.0, "created_date": "2022-09-20T13:41:32+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40061060", "has_markdown": true }, { "id": "40061046", "title": "Security: [maglev] VisitSwitchOnGeneratorState function JumpTableTargetOffsets can be 0 ", "url": "https://issues.chromium.org/issues/40061046", "status": "Fixed", "severity": "S3-Low", "component": "Blink>JavaScript", "bounty_amount": 7000.0, "created_date": "2022-09-19T13:35:29+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40061046", "has_markdown": true }, { "id": "40061026", "title": "Security: Extension can obscure active window with an unfocused window, allows interaction with permission API prompt dialog without awareness", "url": "https://issues.chromium.org/issues/40061026", "status": "Accepted", "severity": "S3-Low", "component": "Platform>Extensions>API", "bounty_amount": 2000.0, "created_date": "2022-09-18T08:28:50+00:00", "year": 2022, "attachment_count": 15, "local_path": "issues/40061026", "has_markdown": true }, { "id": "40061025", "title": "Security: Bypass iframe sandbox on Android via intent:// URLs (possibly due to intent:// url popups not inheriting sandbox)", "url": "https://issues.chromium.org/issues/40061025", "status": "Assigned", "severity": "S3-Low", "component": "Blink>SecurityFeature>IFrameSandbox, Mobile>Intents", "bounty_amount": 3000.0, "created_date": "2022-09-18T08:04:45+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40061025", "has_markdown": true }, { "id": "40061003", "title": "Security: UAF in in safe_browsing::IncidentReportingService::AddIncident(browser process)", "url": "https://issues.chromium.org/issues/40061003", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 7000.0, "created_date": "2022-09-16T17:48:48+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40061003", "has_markdown": true }, { "id": "40061001", "title": "Security: heap-use-after-free in GrClientMappedBufferManager::owningDirectContext", "url": "https://issues.chromium.org/issues/40061001", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGL, Internals>GPU, Internals>Skia", "bounty_amount": 15000.0, "created_date": "2022-09-16T14:04:07+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40061001", "has_markdown": true }, { "id": "40060996", "title": "Security: Heap-use-after-free in UnusedSitePermissionsService::UpdateUnusedPermissionsAsync", "url": "https://issues.chromium.org/issues/40060996", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Permissions", "bounty_amount": 1000.0, "created_date": "2022-09-16T08:14:32+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40060996", "has_markdown": true }, { "id": "40060987", "title": "Security: UAF in device_is_authenticating", "url": "https://issues.chromium.org/issues/40060987", "status": "Assigned", "severity": "S3-Low", "component": "IO>Bluetooth", "bounty_amount": 500.0, "created_date": "2022-09-15T15:08:21+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40060987", "has_markdown": true }, { "id": "40060984", "title": "Security: UAF in TransportClientSocket", "url": "https://issues.chromium.org/issues/40060984", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Network", "bounty_amount": 10000.0, "created_date": "2022-09-15T09:22:45+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40060984", "has_markdown": true }, { "id": "40060968", "title": "Security: Heap-use-after-free in UserNoteService::OnNoteCreationDone", "url": "https://issues.chromium.org/issues/40060968", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Creation", "bounty_amount": 5000.0, "created_date": "2022-09-14T12:15:08+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40060968", "has_markdown": true }, { "id": "40060951", "title": "uaf in PermissionStatus::OnPermissionStatusChange", "url": "https://issues.chromium.org/issues/40060951", "status": "Assigned", "severity": "S3-Low", "component": "Blink>PermissionsAPI", "bounty_amount": 1500.0, "created_date": "2022-09-13T07:08:21+00:00", "year": 2022, "attachment_count": 8, "local_path": "issues/40060951", "has_markdown": true }, { "id": "40060925", "title": "Generic CORS bypass that enables Cross-Site-Tracing (XST)", "url": "https://issues.chromium.org/issues/40060925", "status": "Assigned", "severity": "S3-Low", "component": "Blink>SecurityFeature>CORS", "bounty_amount": 1000.0, "created_date": "2022-09-11T20:06:31+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40060925", "has_markdown": true }, { "id": "40060875", "title": "Security: heap-buffer-overflow components/ui_devtools/ui_element.cc:112:5", "url": "https://issues.chromium.org/issues/40060875", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Views>UIDevtools", "bounty_amount": 2000.0, "created_date": "2022-09-08T05:30:36+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40060875", "has_markdown": true }, { "id": "40060864", "title": "Security: Lockscreen - phone options available", "url": "https://issues.chromium.org/issues/40060864", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Sharing", "bounty_amount": 1000.0, "created_date": "2022-09-07T21:28:44+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40060864", "has_markdown": true }, { "id": "40060852", "title": "Security: heap-use-after-free in the Metal features in the GPU process", "url": "https://issues.chromium.org/issues/40060852", "status": "Fixed", "severity": "S3-Low", "component": "Internals>Skia", "bounty_amount": 1000.0, "created_date": "2022-09-07T07:54:00+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40060852", "has_markdown": true }, { "id": "40060848", "title": "Security: Custom cursor can overlay parts of the permission prompt.", "url": "https://issues.chromium.org/issues/40060848", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Input", "bounty_amount": 2000.0, "created_date": "2022-09-07T05:53:38+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40060848", "has_markdown": true }, { "id": "40060755", "title": "Security: SOP bypass leaks navigation history of iframe from other subdomain if location changed to about:blank", "url": "https://issues.chromium.org/issues/40060755", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Sandbox>SiteIsolation, UI>Browser>Navigation", "bounty_amount": 2000.0, "created_date": "2022-09-01T22:05:59+00:00", "year": 2022, "attachment_count": 9, "local_path": "issues/40060755", "has_markdown": true }, { "id": "40060747", "title": "Heap-use-after-free in blink::StyleVariables::operator==", "url": "https://issues.chromium.org/issues/40060747", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Animation, Blink>CSS", "bounty_amount": 7000.0, "created_date": "2022-09-01T12:56:10+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40060747", "has_markdown": true }, { "id": "40060744", "title": "Security: UAF in CompoundTabContainer", "url": "https://issues.chromium.org/issues/40060744", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>TopChrome>TabStrip", "bounty_amount": 7000.0, "created_date": "2022-09-01T10:42:58+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40060744", "has_markdown": true }, { "id": "40060742", "title": "Security: Bypass the Protection of input fields cache (Autofill) 1108181", "url": "https://issues.chromium.org/issues/40060742", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Autofill", "bounty_amount": 5000.0, "created_date": "2022-08-31T19:16:56+00:00", "year": 2022, "attachment_count": 11, "local_path": "issues/40060742", "has_markdown": true }, { "id": "40060740", "title": "heap-use-after-free html_element.cc:1850 in blink::HTMLElement::offsetTopForBinding", "url": "https://issues.chromium.org/issues/40060740", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>DOM", "bounty_amount": 7000.0, "created_date": "2022-08-31T17:59:13+00:00", "year": 2022, "attachment_count": 9, "local_path": "issues/40060740", "has_markdown": true }, { "id": "40060728", "title": "Security: OOB Write in sqlite3FindInIndex", "url": "https://issues.chromium.org/issues/40060728", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Storage", "bounty_amount": 7000.0, "created_date": "2022-08-31T03:03:33+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40060728", "has_markdown": true }, { "id": "40060720", "title": "Security: heap-use-after-free in CPDF_FormField::ResetField()", "url": "https://issues.chromium.org/issues/40060720", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Plugins>PDF", "bounty_amount": 10000.0, "created_date": "2022-08-30T14:16:19+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40060720", "has_markdown": true }, { "id": "40060719", "title": "Security: heap-use-after-free in SearchNameNodeByNameInternal", "url": "https://issues.chromium.org/issues/40060719", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Plugins>PDF", "bounty_amount": 10000.0, "created_date": "2022-08-30T13:23:11+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40060719", "has_markdown": true }, { "id": "40060715", "title": "Security: Heap-use-after-free in FrameUserNoteChanges", "url": "https://issues.chromium.org/issues/40060715", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Creation", "bounty_amount": 7000.0, "created_date": "2022-08-30T10:28:25+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40060715", "has_markdown": true }, { "id": "40060702", "title": "Security: Draw Mouse Cursor to hide omni box", "url": "https://issues.chromium.org/issues/40060702", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Input, UI>HighDPI", "bounty_amount": 1000.0, "created_date": "2022-08-29T02:44:28+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40060702", "has_markdown": true }, { "id": "40060701", "title": "uaf in webrtc::VideoStreamEncoder::RequestRefreshFrame", "url": "https://issues.chromium.org/issues/40060701", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>WebRTC", "bounty_amount": 7000.0, "created_date": "2022-08-28T19:47:56+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40060701", "has_markdown": true }, { "id": "40060700", "title": "Security: UAF in ash::PrintServersProviderImpl::NotifyObservers", "url": "https://issues.chromium.org/issues/40060700", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Printing", "bounty_amount": 2000.0, "created_date": "2022-08-28T16:00:07+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40060700", "has_markdown": true }, { "id": "40060695", "title": "Sandbox bypass \"allow-downloads\"", "url": "https://issues.chromium.org/issues/40060695", "status": "Assigned", "severity": "S3-Low", "component": "Blink>SecurityFeature>IFrameSandbox", "bounty_amount": 3000.0, "created_date": "2022-08-28T03:03:49+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40060695", "has_markdown": true }, { "id": "40060691", "title": "Security: PDFium OOB Write in OpenJPEG due to a missed patch", "url": "https://issues.chromium.org/issues/40060691", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>Plugins>PDF", "bounty_amount": 7000.0, "created_date": "2022-08-27T10:49:07+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40060691", "has_markdown": true }, { "id": "40060685", "title": "Security: External notifications from external apps (such as Telegram) can block Android fullscreen notification. (Testes on latest Chrome stable)", "url": "https://issues.chromium.org/issues/40060685", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Fullscreen, UI>Browser>FullScreen", "bounty_amount": 2000.0, "created_date": "2022-08-26T13:13:03+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40060685", "has_markdown": true }, { "id": "40060669", "title": "Security: XML object's heap memory difference leaking or potential ASLR bypass in libXML", "url": "https://issues.chromium.org/issues/40060669", "status": "Fixed", "severity": "S3-Low", "component": "Blink>XML", "bounty_amount": 1000.0, "created_date": "2022-08-24T14:36:40+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40060669", "has_markdown": true }, { "id": "40060660", "title": "Security: UAF in content::CrOSSystemTracingSession::StartTracingCallbackProxy (browser process)", "url": "https://issues.chromium.org/issues/40060660", "status": "Assigned", "severity": "S3-Low", "component": "Speed>Tracing", "bounty_amount": 5000.0, "created_date": "2022-08-23T17:10:57+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40060660", "has_markdown": true }, { "id": "40060649", "title": "Security: PDFium OOB Access in CXFA_ViewLayoutProcessor::GetNextAvailContentHeight", "url": "https://issues.chromium.org/issues/40060649", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Plugins>PDF", "bounty_amount": 7000.0, "created_date": "2022-08-23T02:39:49+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40060649", "has_markdown": true }, { "id": "40060647", "title": "heap-use-after-free ui/views/view.cc:1898:7 in views::View::HandleAccessibleAction", "url": "https://issues.chromium.org/issues/40060647", "status": "Assigned", "severity": "S4-Minimal", "component": "UI>Accessibility, UI>Accessibility>Compatibility", "bounty_amount": 2000.0, "created_date": "2022-08-22T19:54:17+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40060647", "has_markdown": true }, { "id": "40060644", "title": "use-after-free in BrowserCrashEventRouter", "url": "https://issues.chromium.org/issues/40060644", "status": "Assigned", "severity": "S3-Low", "component": "Internals>CrashReporting", "bounty_amount": 4000.0, "created_date": "2022-08-22T12:42:00+00:00", "year": 2022, "attachment_count": 6, "local_path": "issues/40060644", "has_markdown": true }, { "id": "40060643", "title": "use-after-poison local_frame_view.cc:816 in blink::LocalFrameView::PerformLayout", "url": "https://issues.chromium.org/issues/40060643", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Internals>Frames", "bounty_amount": 7000.0, "created_date": "2022-08-22T12:13:12+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40060643", "has_markdown": true }, { "id": "40060617", "title": "Security: .url files can be saved via getFileHandle and redirect showSaveFilePicker to arbitrary file", "url": "https://issues.chromium.org/issues/40060617", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Storage>FileSystem", "bounty_amount": 1000.0, "created_date": "2022-08-19T10:18:10+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40060617", "has_markdown": true }, { "id": "40060615", "title": "Security: Hide real extension of file by many white spaces via suggestedName parameter - showSaveFilePicker", "url": "https://issues.chromium.org/issues/40060615", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Storage>FileSystem", "bounty_amount": 1000.0, "created_date": "2022-08-19T09:47:13+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40060615", "has_markdown": true }, { "id": "40060610", "title": "Security: [ANGLE] Heap-buffer-overflow caused by writing exceeding the querypool size", "url": "https://issues.chromium.org/issues/40060610", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>Vulkan", "bounty_amount": 15000.0, "created_date": "2022-08-18T18:44:26+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40060610", "has_markdown": true }, { "id": "40060580", "title": "Security: Use After Free of Device object in GPU process.", "url": "https://issues.chromium.org/issues/40060580", "status": "Assigned", "severity": "S3-Low", "component": "Dawn", "bounty_amount": 15000.0, "created_date": "2022-08-14T09:58:55+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40060580", "has_markdown": true }, { "id": "40060572", "title": "Security: Download notification can hide 'Press Esc to exit fullscreen' warning", "url": "https://issues.chromium.org/issues/40060572", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Bubbles>Download, UI>Browser>Downloads", "bounty_amount": 3000.0, "created_date": "2022-08-12T07:41:08+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40060572", "has_markdown": true }, { "id": "40060559", "title": "Security: Heap-use-after-free in ManagePasswordsUIController::SavePassword", "url": "https://issues.chromium.org/issues/40060559", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Passwords", "bounty_amount": 4000.0, "created_date": "2022-08-11T02:23:24+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40060559", "has_markdown": true }, { "id": "40060531", "title": "Security: Potential UAF in WebstoreInstallWithPrompt", "url": "https://issues.chromium.org/issues/40060531", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 2000.0, "created_date": "2022-08-08T21:15:24+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40060531", "has_markdown": true }, { "id": "40060530", "title": "Security: [ANGLE] Heap use-after-free caused by changing the framebuffer cache to sharing in context", "url": "https://issues.chromium.org/issues/40060530", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE", "bounty_amount": 15000.0, "created_date": "2022-08-08T20:58:13+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40060530", "has_markdown": true }, { "id": "40060520", "title": "Security: access-violation on unknown address 0x12dfa490bbaa in dawn::native::TextureBase::TextureBase(browser process) ", "url": "https://issues.chromium.org/issues/40060520", "status": "Accepted", "severity": "S3-Low", "component": "Internals>GPU>Dawn, Internals>Skia>Compositing", "bounty_amount": 5000.0, "created_date": "2022-08-06T12:24:35+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40060520", "has_markdown": true }, { "id": "40060513", "title": "Security: heap-use-after-free ui/events/event_processor.cc:77:26 in ui::EventProcessor::OnEventFromSource(ui::Event*)", "url": "https://issues.chromium.org/issues/40060513", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Aura, OS>Inputs", "bounty_amount": 3000.0, "created_date": "2022-08-05T19:16:46+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40060513", "has_markdown": true }, { "id": "40060508", "title": "Security: UAF in BackForwardCache", "url": "https://issues.chromium.org/issues/40060508", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Sandbox>SiteIsolation, UI>Browser>Navigation>BFCache", "bounty_amount": 30000.0, "created_date": "2022-08-05T12:21:10+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40060508", "has_markdown": true }, { "id": "40060492", "title": "Security: compromised renderer is able to send extension message to another tab", "url": "https://issues.chromium.org/issues/40060492", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Sandbox>SiteIsolation, Platform>Extensions", "bounty_amount": 3000.0, "created_date": "2022-08-04T13:24:18+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40060492", "has_markdown": true }, { "id": "40060490", "title": "Security: UI spoofing for external protocol dialogues via iframe srcdoc on the malicious site", "url": "https://issues.chromium.org/issues/40060490", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Navigation", "bounty_amount": 1000.0, "created_date": "2022-08-04T06:30:20+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40060490", "has_markdown": true }, { "id": "40060480", "title": "Security: Heap-use-after-free in WebContentsImpl::OpenURL", "url": "https://issues.chromium.org/issues/40060480", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Pogo, UI>Browser>TopChrome>SidePanel", "bounty_amount": 3000.0, "created_date": "2022-08-03T07:33:59+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40060480", "has_markdown": true }, { "id": "40060475", "title": "Security: console.log still allows loading images via %c formatter", "url": "https://issues.chromium.org/issues/40060475", "status": "Accepted", "severity": "S3-Low", "component": "Blink>SecurityFeature>ContentSecurityPolicy, Platform>DevTools", "bounty_amount": 500.0, "created_date": "2022-08-02T20:04:04+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40060475", "has_markdown": true }, { "id": "40060465", "title": "Security: Source maps support for file:// URLs gives devtools_page extensions local file access", "url": "https://issues.chromium.org/issues/40060465", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 5000.0, "created_date": "2022-08-01T21:24:27+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40060465", "has_markdown": true }, { "id": "40060446", "title": "Security DCHECK failed: !NeedsLayout() || ChildLayoutBlockedByDisplayLock()", "url": "https://issues.chromium.org/issues/40060446", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Layout>MultiCol", "bounty_amount": 7000.0, "created_date": "2022-07-30T03:28:43+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40060446", "has_markdown": true }, { "id": "40060437", "title": "UAP style_invalidator.cc:192 in blink::StyleInvalidator::PushInvalidationSetsForContainerNode", "url": "https://issues.chromium.org/issues/40060437", "status": "Assigned", "severity": "S3-Low", "component": "Blink>CSS", "bounty_amount": 7000.0, "created_date": "2022-07-29T07:59:10+00:00", "year": 2022, "attachment_count": 13, "local_path": "issues/40060437", "has_markdown": true }, { "id": "40060436", "title": "Security: container-overflow in HistoryClustersHandler::OpenVisitUrlsInTabGroup", "url": "https://issues.chromium.org/issues/40060436", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Journeys", "bounty_amount": 2000.0, "created_date": "2022-07-29T07:10:15+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40060436", "has_markdown": true }, { "id": "40060426", "title": "Security: heap-buffer-overflow in TableView", "url": "https://issues.chromium.org/issues/40060426", "status": "Assigned", "severity": "S4-Minimal", "component": "UI>TaskManager", "bounty_amount": 4000.0, "created_date": "2022-07-28T05:08:34+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40060426", "has_markdown": true }, { "id": "40060417", "title": "Security: UAF in UserNoteService", "url": "https://issues.chromium.org/issues/40060417", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Creation", "bounty_amount": 30000.0, "created_date": "2022-07-27T06:41:16+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40060417", "has_markdown": true }, { "id": "40060395", "title": "Security: UAF in HidService::GetDevices", "url": "https://issues.chromium.org/issues/40060395", "status": "Accepted", "severity": "S3-Low", "component": "Blink>HID", "bounty_amount": 5000.0, "created_date": "2022-07-25T10:06:41+00:00", "year": 2022, "attachment_count": 8, "local_path": "issues/40060395", "has_markdown": true }, { "id": "40060394", "title": "TypeConfuse in blink::NGLayoutInputNode::IsEmptyTableSection ng_layout_input_node.cc:87", "url": "https://issues.chromium.org/issues/40060394", "status": "Assigned", "severity": "S3-Low", "component": "Blink>CSS", "bounty_amount": 7500.0, "created_date": "2022-07-25T07:02:08+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40060394", "has_markdown": true }, { "id": "40060392", "title": "Security: ResourceTiming entries are not generated for responses with 204, 205 status codes when loaded in a iframe", "url": "https://issues.chromium.org/issues/40060392", "status": "Accepted", "severity": "S3-Low", "component": "Blink>PerformanceAPIs>ResourceTiming", "bounty_amount": 2000.0, "created_date": "2022-07-24T15:27:56+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40060392", "has_markdown": true }, { "id": "40060367", "title": "Security: UTF chartorune heap-buffer-overflow crash", "url": "https://issues.chromium.org/issues/40060367", "status": "Accepted", "severity": "S3-Low", "component": "Internals>OptimizationGuide", "bounty_amount": 7000.0, "created_date": "2022-07-22T17:14:11+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40060367", "has_markdown": true }, { "id": "40060358", "title": "SameSite strict cookies bypass/cross-origin download via `e.dataTransfer.setData('DownloadURL', ...`", "url": "https://issues.chromium.org/issues/40060358", "status": "Assigned", "severity": "S3-Low", "component": "Blink>DataTransfer, UI>Browser>Downloads", "bounty_amount": 1000.0, "created_date": "2022-07-21T22:58:45+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40060358", "has_markdown": true }, { "id": "40060350", "title": "Security: UAF in AppWindowContentsImpl::~AppWindowContentsImpl", "url": "https://issues.chromium.org/issues/40060350", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Apps, Platform>Apps>BrowserTag", "bounty_amount": 10000.0, "created_date": "2022-07-21T11:02:08+00:00", "year": 2022, "attachment_count": 7, "local_path": "issues/40060350", "has_markdown": true }, { "id": "40060348", "title": "Security: Code Injection in WebUI page leading to sandbox escape", "url": "https://issues.chromium.org/issues/40060348", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools, Platform>Extensions", "bounty_amount": 5000.0, "created_date": "2022-07-21T10:07:36+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40060348", "has_markdown": true }, { "id": "40060340", "title": "heap-use-after-free in WebDragSourceAura::CancelDrag", "url": "https://issues.chromium.org/issues/40060340", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Portals", "bounty_amount": 10000.0, "created_date": "2022-07-20T20:13:53+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40060340", "has_markdown": true }, { "id": "40060336", "title": "Security: Another UAF in WebSQL sqlite3Select", "url": "https://issues.chromium.org/issues/40060336", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Storage>WebSQL, Internals>Storage", "bounty_amount": 7500.0, "created_date": "2022-07-20T15:12:19+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40060336", "has_markdown": true }, { "id": "40060334", "title": "UAF in AccessCodeCastSinkService", "url": "https://issues.chromium.org/issues/40060334", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>Cast", "bounty_amount": 9500.0, "created_date": "2022-07-20T12:58:02+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40060334", "has_markdown": true }, { "id": "40060332", "title": "TypeConfuse in blink::LayoutTable::AddChild layout_table.cc:194", "url": "https://issues.chromium.org/issues/40060332", "status": "Assigned", "severity": "S3-Low", "component": "Blink>CSS", "bounty_amount": 5000.0, "created_date": "2022-07-20T11:22:06+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40060332", "has_markdown": true }, { "id": "40060325", "title": "Security: Use-After-Free in WebUIBubbleDialogView::ClearContentsWrapper", "url": "https://issues.chromium.org/issues/40060325", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Bubbles", "bounty_amount": 3000.0, "created_date": "2022-07-19T06:06:03+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40060325", "has_markdown": true }, { "id": "40060322", "title": "Security: Symbolic Link Following + Upload Warning Bypass", "url": "https://issues.chromium.org/issues/40060322", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Forms>File, Blink>Storage>FileSystem", "bounty_amount": 3000.0, "created_date": "2022-07-18T16:33:23+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40060322", "has_markdown": true }, { "id": "40060321", "title": "Security: heap-buffer-overflow on components/exo/shell_surface_util.cc:230:40 (Lacros)", "url": "https://issues.chromium.org/issues/40060321", "status": "Assigned", "severity": "S3-Low", "component": "UI>Shell>UIFoundations", "bounty_amount": 2000.0, "created_date": "2022-07-18T14:12:11+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40060321", "has_markdown": true }, { "id": "40060319", "title": "Security: = prepended in document.cookie allows to bypass __Secure and __Host prefixes", "url": "https://issues.chromium.org/issues/40060319", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Network>Cookies", "bounty_amount": 2000.0, "created_date": "2022-07-18T09:42:42+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40060319", "has_markdown": true }, { "id": "40060314", "title": "Security: type confusion in chrome", "url": "https://issues.chromium.org/issues/40060314", "status": "Assigned", "severity": "S4-Minimal", "component": "UI>Accessibility", "bounty_amount": 1000.0, "created_date": "2022-07-17T10:06:54+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40060314", "has_markdown": true }, { "id": "40060310", "title": "CSP Bypass (Old Issue)", "url": "https://issues.chromium.org/issues/40060310", "status": "Assigned", "severity": "S3-Low", "component": "Mobile>iOSWeb>Security", "bounty_amount": 3000.0, "created_date": "2022-07-16T12:20:43+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40060310", "has_markdown": true }, { "id": "40060309", "title": "wild read in DrawCall::run", "url": "https://issues.chromium.org/issues/40060309", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGL, Internals>GPU>ANGLE, Internals>GPU>SwiftShader", "bounty_amount": 7000.0, "created_date": "2022-07-16T09:42:35+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40060309", "has_markdown": true }, { "id": "40060298", "title": "use-after-free in Serial", "url": "https://issues.chromium.org/issues/40060298", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Serial, Platform>Apps>API>Serial", "bounty_amount": 3000.0, "created_date": "2022-07-15T16:19:29+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40060298", "has_markdown": true }, { "id": "40060292", "title": "Security: Heap-use-after-free in user_notes::FrameUserNoteChanges::Apply (Annotation - deleting a note that was just created in another tab causes crash)", "url": "https://issues.chromium.org/issues/40060292", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Creation", "bounty_amount": 3000.0, "created_date": "2022-07-15T11:27:51+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40060292", "has_markdown": true }, { "id": "40060288", "title": "Security: Heap-use-after-free in ReadAnythingCoordinator::CreateAndRegisterEntry", "url": "https://issues.chromium.org/issues/40060288", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>TopChrome>SidePanel", "bounty_amount": 4000.0, "created_date": "2022-07-15T07:46:18+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40060288", "has_markdown": true }, { "id": "40060283", "title": "chrome.debugger API bypasses the runtime_blocked_hosts cookie protection", "url": "https://issues.chromium.org/issues/40060283", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions>API", "bounty_amount": 3000.0, "created_date": "2022-07-14T21:50:59+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40060283", "has_markdown": true }, { "id": "40060279", "title": "Heap-use-after-free on CaptionBubble::BackToTabButtonPressed", "url": "https://issues.chromium.org/issues/40060279", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Media>LiveCaption", "bounty_amount": 1000.0, "created_date": "2022-07-14T14:54:18+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40060279", "has_markdown": true }, { "id": "40060238", "title": "Security: UAF in WebSQL sqlite3Select, Potential RCE in Chrome", "url": "https://issues.chromium.org/issues/40060238", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Storage>WebSQL, Internals>Storage", "bounty_amount": 10000.0, "created_date": "2022-07-11T12:21:01+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40060238", "has_markdown": true }, { "id": "40060220", "title": "Security: UAF in OnAccessTokenRefreshFailed", "url": "https://issues.chromium.org/issues/40060220", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 3000.0, "created_date": "2022-07-09T07:08:57+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40060220", "has_markdown": true }, { "id": "40060213", "title": "Security: UAF in PermissionAuditingService multiple functions", "url": "https://issues.chromium.org/issues/40060213", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Permissions", "bounty_amount": 3000.0, "created_date": "2022-07-08T10:03:05+00:00", "year": 2022, "attachment_count": 9, "local_path": "issues/40060213", "has_markdown": true }, { "id": "40060207", "title": "sourceMappingURL directive allows use of UNC paths on Windows", "url": "https://issues.chromium.org/issues/40060207", "status": "Accepted", "severity": "S3-Low", "component": "Blink>JavaScript", "bounty_amount": 7500.0, "created_date": "2022-07-07T19:58:49+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40060207", "has_markdown": true }, { "id": "40060202", "title": "Security: `chrome.downloads.onDeterminingFilename` can be used to bypass the fix for issue 1310461 and steal environment variables", "url": "https://issues.chromium.org/issues/40060202", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions>API", "bounty_amount": 7000.0, "created_date": "2022-07-07T12:50:43+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40060202", "has_markdown": true }, { "id": "40060180", "title": "Security: Heap-use-after-free in UserNoteUICoordinator::Invalidate", "url": "https://issues.chromium.org/issues/40060180", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>TopChrome>SidePanel", "bounty_amount": 7000.0, "created_date": "2022-07-06T10:29:27+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40060180", "has_markdown": true }, { "id": "40060179", "title": "Security: Use After Free of GPUExternalTexture object in renderer process.", "url": "https://issues.chromium.org/issues/40060179", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGPU", "bounty_amount": 7500.0, "created_date": "2022-07-06T09:39:20+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40060179", "has_markdown": true }, { "id": "40060174", "title": "Security: V8 Typer hardening bypass via ReduceArrayPrototypeAt", "url": "https://issues.chromium.org/issues/40060174", "status": "Accepted", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler", "bounty_amount": 5000.0, "created_date": "2022-07-06T03:53:03+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40060174", "has_markdown": true }, { "id": "40060172", "title": "Security: Pdfium heap bof in CFDE_TextOut::RetrievePieces()", "url": "https://issues.chromium.org/issues/40060172", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Plugins>PDF", "bounty_amount": 7500.0, "created_date": "2022-07-05T20:48:52+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40060172", "has_markdown": true }, { "id": "40060166", "title": "Security: use after free in DiceWebSigninInterceptor", "url": "https://issues.chromium.org/issues/40060166", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 5000.0, "created_date": "2022-07-05T07:02:17+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40060166", "has_markdown": true }, { "id": "40060165", "title": "Security: use after free in AccountReconcilor", "url": "https://issues.chromium.org/issues/40060165", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 5000.0, "created_date": "2022-07-05T06:26:07+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40060165", "has_markdown": true }, { "id": "40060162", "title": "Security: use after free in IPH DemoMode NeverAvailabilityModel", "url": "https://issues.chromium.org/issues/40060162", "status": "Assigned", "severity": "S3-Low", "component": "Internals>FeatureEngagement", "bounty_amount": 3000.0, "created_date": "2022-07-05T03:42:30+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40060162", "has_markdown": true }, { "id": "40060157", "title": "Typeconfuse in blink::LayoutTableRow::AddChild layout_table_row.cc:193", "url": "https://issues.chromium.org/issues/40060157", "status": "Assigned", "severity": "S3-Low", "component": "Blink>CSS", "bounty_amount": 5000.0, "created_date": "2022-07-04T07:26:29+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40060157", "has_markdown": true }, { "id": "40060156", "title": "Security: UAF in CloseBubbleOnTabActivationHelper::~CloseBubbleOnTabActivationHelper", "url": "https://issues.chromium.org/issues/40060156", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Views, UI>Browser>WebUI", "bounty_amount": 2000.0, "created_date": "2022-07-04T05:34:43+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40060156", "has_markdown": true }, { "id": "40060151", "title": "Security: Bypass(1301873)Chrome for Android Hide Custom Fullscreen Toast View with Repeated delayed Enter Fullscreen Request ", "url": "https://issues.chromium.org/issues/40060151", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>FullScreen", "bounty_amount": 4000.0, "created_date": "2022-07-03T12:46:10+00:00", "year": 2022, "attachment_count": 22, "local_path": "issues/40060151", "has_markdown": true }, { "id": "40060150", "title": "heap-overflow in blink::TableLayoutAlgorithmAuto::InsertSpanCell table_layout_algorithm_auto.cc", "url": "https://issues.chromium.org/issues/40060150", "status": "Assigned", "severity": "S3-Low", "component": "Blink>GarbageCollection", "bounty_amount": 7500.0, "created_date": "2022-07-03T10:13:05+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40060150", "has_markdown": true }, { "id": "40060134", "title": "Security: Page can obtain autofill data with two consecutive taps with minimal user awareness, bypasses issue 1240472 and issue 1279268 fixes", "url": "https://issues.chromium.org/issues/40060134", "status": "Assigned", "severity": "S3-Low", "component": "Privacy", "bounty_amount": 3000.0, "created_date": "2022-07-02T01:05:02+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40060134", "has_markdown": true }, { "id": "40060125", "title": "Security: Heap-use-after-free in SidePanelCoordinator::PopulateSidePanel", "url": "https://issues.chromium.org/issues/40060125", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>TopChrome>SidePanel", "bounty_amount": 3000.0, "created_date": "2022-07-01T04:24:10+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40060125", "has_markdown": true }, { "id": "40060115", "title": "Security: Custom Tab HTTP Header Injection", "url": "https://issues.chromium.org/issues/40060115", "status": "Assigned", "severity": "S3-Low", "component": "Blink>SecurityFeature>CORS", "bounty_amount": 3000.0, "created_date": "2022-06-30T09:49:33+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40060115", "has_markdown": true }, { "id": "40060084", "title": "Security: container-overflow in chrome_pdf::PDFiumEngine::SelectFindResult", "url": "https://issues.chromium.org/issues/40060084", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Plugins>PDF", "bounty_amount": 2000.0, "created_date": "2022-06-27T08:21:42+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40060084", "has_markdown": true }, { "id": "40060083", "title": "Security: type confusion in chrome", "url": "https://issues.chromium.org/issues/40060083", "status": "Fixed", "severity": "S3-Low", "component": "Blink>Storage>SharedStorage", "bounty_amount": 8500.0, "created_date": "2022-06-27T07:53:49+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40060083", "has_markdown": true }, { "id": "40060077", "title": "Security: v8: corrupt typed array from bad deserializer input", "url": "https://issues.chromium.org/issues/40060077", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript, Blink>JavaScript>Runtime", "bounty_amount": 15000.0, "created_date": "2022-06-26T05:36:46+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40060077", "has_markdown": true }, { "id": "40060076", "title": "Prevent server redirect to non web accessible resource", "url": "https://issues.chromium.org/issues/40060076", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions, UI>Browser>Omnibox", "bounty_amount": 1000.0, "created_date": "2022-06-26T02:20:47+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40060076", "has_markdown": true }, { "id": "40060062", "title": "Security: container-overflow in TabStripModel::AddToNewGroupImpl", "url": "https://issues.chromium.org/issues/40060062", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Journeys", "bounty_amount": 2000.0, "created_date": "2022-06-24T04:27:39+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40060062", "has_markdown": true }, { "id": "40060046", "title": "Security: UAF in WebContentsFrameTracker", "url": "https://issues.chromium.org/issues/40060046", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Media>SurfaceCapture", "bounty_amount": 20000.0, "created_date": "2022-06-22T16:06:35+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40060046", "has_markdown": true }, { "id": "40060044", "title": "Incorrect use of weakptr lead to UAF in NearbyShare", "url": "https://issues.chromium.org/issues/40060044", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 3000.0, "created_date": "2022-06-22T14:18:44+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40060044", "has_markdown": true }, { "id": "40060043", "title": "Incorrect use of weakptr lead to uaf", "url": "https://issues.chromium.org/issues/40060043", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 5000.0, "created_date": "2022-06-22T14:00:49+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40060043", "has_markdown": true }, { "id": "40060042", "title": "Security: Invalid function pointer in ~ExternalImageDXGI() in D3D backend", "url": "https://issues.chromium.org/issues/40060042", "status": "Assigned", "severity": "S3-Low", "component": "Dawn", "bounty_amount": 7000.0, "created_date": "2022-06-22T10:47:38+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40060042", "has_markdown": true }, { "id": "40060039", "title": "Security: UAF in chromeos::multidevice::MultidevicePhoneHubHandler", "url": "https://issues.chromium.org/issues/40060039", "status": "Assigned", "severity": "S3-Low", "component": "UI>Shell", "bounty_amount": 3000.0, "created_date": "2022-06-22T07:45:04+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40060039", "has_markdown": true }, { "id": "40060030", "title": "AddressSanitizer: heap-use-after-free html_element.cc:1802 in blink::HTMLElement::offsetTopForBindin", "url": "https://issues.chromium.org/issues/40060030", "status": "Assigned", "severity": "S3-Low", "component": "Blink>DOM", "bounty_amount": 5000.0, "created_date": "2022-06-21T11:29:09+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40060030", "has_markdown": true }, { "id": "40060025", "title": " heap-use-after-free in RenderViewContextMenu::ExecuteCommand", "url": "https://issues.chromium.org/issues/40060025", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Views, UI>Browser>QuickCommands", "bounty_amount": 2000.0, "created_date": "2022-06-21T05:01:24+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40060025", "has_markdown": true }, { "id": "40060019", "title": "Security: potential use after free in OfflinePageModelTaskified::Unpublish", "url": "https://issues.chromium.org/issues/40060019", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Offline", "bounty_amount": 1000.0, "created_date": "2022-06-20T15:03:13+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40060019", "has_markdown": true }, { "id": "40060009", "title": "Security: use after free in DiceWebSigninInterceptor::OnAccountLevelManagedAccountsSigninRestrictionReceived", "url": "https://issues.chromium.org/issues/40060009", "status": "Accepted", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 1000.0, "created_date": "2022-06-20T02:50:47+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40060009", "has_markdown": true }, { "id": "40060000", "title": "Security: use after free in GraphicsPipeline::containsImageWrite", "url": "https://issues.chromium.org/issues/40060000", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>SwiftShader", "bounty_amount": 7000.0, "created_date": "2022-06-18T11:13:51+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40060000", "has_markdown": true }, { "id": "40059994", "title": "Security: heap-use-after-free chrome/browser/profiles/profile_destroyer.cc:137:16 (chromeOS)", "url": "https://issues.chromium.org/issues/40059994", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 1000.0, "created_date": "2022-06-17T18:35:18+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40059994", "has_markdown": true }, { "id": "40059988", "title": "Security: HeapOverflow in PluralStringHandler::HandleGetPluralString ", "url": "https://issues.chromium.org/issues/40059988", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>WebUI", "bounty_amount": 3000.0, "created_date": "2022-06-17T01:04:29+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40059988", "has_markdown": true }, { "id": "40059985", "title": "Security: heap-use-after-free ash/drag_drop/drag_drop_tracker.cc:111:1 (chromeOS)", "url": "https://issues.chromium.org/issues/40059985", "status": "Assigned", "severity": "S3-Low", "component": "UI>Shell>UIFoundations", "bounty_amount": 3000.0, "created_date": "2022-06-16T16:09:31+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40059985", "has_markdown": true }, { "id": "40059984", "title": "Security: heap-buffer-overflow ui/wm/core/transient_window_stacking_client.cc (chromeOS)", "url": "https://issues.chromium.org/issues/40059984", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Aura", "bounty_amount": 2000.0, "created_date": "2022-06-16T14:35:30+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40059984", "has_markdown": true }, { "id": "40059980", "title": "An iframe on a different domain can change the location to about:blank which enables you to access properties on the window. document.baseURI is leaked from the parent frame.", "url": "https://issues.chromium.org/issues/40059980", "status": "Assigned", "severity": "S3-Low", "component": "Blink>SecurityFeature>IFrameSandbox", "bounty_amount": 2000.0, "created_date": "2022-06-16T08:37:01+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40059980", "has_markdown": true }, { "id": "40059979", "title": "Security: Misuse of CanCover", "url": "https://issues.chromium.org/issues/40059979", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler", "bounty_amount": 7500.0, "created_date": "2022-06-16T04:09:59+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059979", "has_markdown": true }, { "id": "40059973", "title": "Security: UAF in CacheAliasSearchPrefetchURLLoader::StartPrefetchRequest", "url": "https://issues.chromium.org/issues/40059973", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Preload", "bounty_amount": 1000.0, "created_date": "2022-06-15T13:16:23+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40059973", "has_markdown": true }, { "id": "40059963", "title": "Security DCHECK failure: IsA(from) in casting.h", "url": "https://issues.chromium.org/issues/40059963", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>Layout", "bounty_amount": 5000.0, "created_date": "2022-06-14T18:49:33+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059963", "has_markdown": true }, { "id": "40059961", "title": "Security: Use After Free in JavaScriptDialogHelper::OnPermissionResponse", "url": "https://issues.chromium.org/issues/40059961", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Apps>BrowserTag", "bounty_amount": 16000.0, "created_date": "2022-06-14T14:22:42+00:00", "year": 2022, "attachment_count": 7, "local_path": "issues/40059961", "has_markdown": true }, { "id": "40059949", "title": "Security: chromeos Root priv escalation to write file", "url": "https://issues.chromium.org/issues/40059949", "status": "Accepted", "severity": "S3-Low", "component": "UI>Shell", "bounty_amount": 1000.0, "created_date": "2022-06-13T14:24:18+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40059949", "has_markdown": true }, { "id": "40059947", "title": "Security: heap-use-after-free in SearchNameNodeByNameInternal", "url": "https://issues.chromium.org/issues/40059947", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Plugins>PDF", "bounty_amount": 7500.0, "created_date": "2022-06-13T12:15:31+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059947", "has_markdown": true }, { "id": "40059929", "title": "WebGL glCompressedTexImage3D Heap-Based Buffer Overflow Vulnerability", "url": "https://issues.chromium.org/issues/40059929", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGL, Internals>GPU>ANGLE", "bounty_amount": 5000.0, "created_date": "2022-06-12T07:01:41+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059929", "has_markdown": true }, { "id": "40059914", "title": "Security: Use-After-Free in safe_browsing::ExtensionTelemetryPersister::InitHelper", "url": "https://issues.chromium.org/issues/40059914", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 10000.0, "created_date": "2022-06-10T07:47:59+00:00", "year": 2022, "attachment_count": 6, "local_path": "issues/40059914", "has_markdown": true }, { "id": "40059882", "title": "Security: heap-use-after-free on IsLacrosWindow ash/drag_drop/tab_drag_drop_delegate.cc (Lacros)", "url": "https://issues.chromium.org/issues/40059882", "status": "Assigned", "severity": "S3-Low", "component": "OS>LaCrOS>Tablet, UI>Browser>TopChrome>TabStrip>ThumbnailTabStrip", "bounty_amount": 3000.0, "created_date": "2022-06-07T01:44:58+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059882", "has_markdown": true }, { "id": "40059875", "title": "Safebrowsing does not trigger a malware warning for malware loaded through an embed", "url": "https://issues.chromium.org/issues/40059875", "status": "Accepted", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 5000.0, "created_date": "2022-06-06T20:23:32+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40059875", "has_markdown": true }, { "id": "40059871", "title": "Security: heap-buffer-overflow in chrome_pdf::PDFiumEngine::GetNamedDestination", "url": "https://issues.chromium.org/issues/40059871", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>Plugins>PDF", "bounty_amount": 7500.0, "created_date": "2022-06-06T05:55:26+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40059871", "has_markdown": true }, { "id": "40059870", "title": "Use-after-poison in content::InspectorMediaEventHandler::SendQueuedMediaEvents", "url": "https://issues.chromium.org/issues/40059870", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>Media", "bounty_amount": 5000.0, "created_date": "2022-06-05T22:13:23+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40059870", "has_markdown": true }, { "id": "40059860", "title": "Security: XSS in Chrome UI (password settings) with malicious extension name", "url": "https://issues.chromium.org/issues/40059860", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions, UI>Settings", "bounty_amount": 2000.0, "created_date": "2022-06-03T22:23:02+00:00", "year": 2022, "attachment_count": 9, "local_path": "issues/40059860", "has_markdown": true }, { "id": "40059843", "title": "Diagcab file extension is not blocklisted to prevent users from downloading harmful files", "url": "https://issues.chromium.org/issues/40059843", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Downloads", "bounty_amount": 1000.0, "created_date": "2022-06-03T02:33:10+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40059843", "has_markdown": true }, { "id": "40059808", "title": "Security: UAF in ManagedConfigurationAPI::GetConfigurationOnBackend", "url": "https://issues.chromium.org/issues/40059808", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Managed, Enterprise", "bounty_amount": 5000.0, "created_date": "2022-05-31T08:52:53+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40059808", "has_markdown": true }, { "id": "40059796", "title": "Security: Heap use-after-free when bind/unbind TransformFeedback after deleting buffer", "url": "https://issues.chromium.org/issues/40059796", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE", "bounty_amount": 10000.0, "created_date": "2022-05-30T17:35:34+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40059796", "has_markdown": true }, { "id": "40059795", "title": "Security: heap-use-after-free in views::DialogDelegate::CancelDialog", "url": "https://issues.chromium.org/issues/40059795", "status": "Assigned", "severity": "S3-Low", "component": "Platform>WebAppProvider", "bounty_amount": 3000.0, "created_date": "2022-05-30T12:18:17+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059795", "has_markdown": true }, { "id": "40059790", "title": "Security: heap-after-free on components/exo/extended_drag_source.cc (Lacros)", "url": "https://issues.chromium.org/issues/40059790", "status": "Assigned", "severity": "S3-Low", "component": "UI>Shell>UIFoundations", "bounty_amount": 3000.0, "created_date": "2022-05-29T03:21:18+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40059790", "has_markdown": true }, { "id": "40059787", "title": "Security: Heap-use-after-free in ash::OverviewItem::DestroyPhantomsForDragging", "url": "https://issues.chromium.org/issues/40059787", "status": "Assigned", "severity": "S3-Low", "component": "UI>Shell", "bounty_amount": 3000.0, "created_date": "2022-05-28T02:54:35+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40059787", "has_markdown": true }, { "id": "40059784", "title": "Security: Heap-use-after-free in ash::TabletModeBrowserWindowDragSessionWindowsHider::~TabletModeBrowserWindowDragSessionWindowsHider", "url": "https://issues.chromium.org/issues/40059784", "status": "Assigned", "severity": "S3-Low", "component": "UI>Shell", "bounty_amount": 3000.0, "created_date": "2022-05-28T02:25:34+00:00", "year": 2022, "attachment_count": 7, "local_path": "issues/40059784", "has_markdown": true }, { "id": "40059777", "title": "AddressSanitizer: heap-buffer-overflow in content::BucketManagerHost::DidGetBucket content/browser/b", "url": "https://issues.chromium.org/issues/40059777", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Storage>Buckets", "bounty_amount": 20000.0, "created_date": "2022-05-27T16:23:10+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059777", "has_markdown": true }, { "id": "40059774", "title": "Security: UAF in PermissionPromptBubbleView", "url": "https://issues.chromium.org/issues/40059774", "status": "New", "severity": "S3-Low", "component": "Internals>Views, UI>Browser>Permissions>Prompts", "bounty_amount": 20000.0, "created_date": "2022-05-27T13:02:18+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40059774", "has_markdown": true }, { "id": "40059765", "title": "Security: Web Share dialog URL is not elided correctly on Android", "url": "https://issues.chromium.org/issues/40059765", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebShare, UI>Security (Use Subcomponent)>UrlFormatting", "bounty_amount": 500.0, "created_date": "2022-05-26T16:50:35+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40059765", "has_markdown": true }, { "id": "40059762", "title": "'unsafe-inline' is not ignored even though 'strict-dynamic' is specified in dafault-src.", "url": "https://issues.chromium.org/issues/40059762", "status": "Accepted", "severity": "S3-Low", "component": "Blink>SecurityFeature>ContentSecurityPolicy", "bounty_amount": 3000.0, "created_date": "2022-05-26T10:20:36+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40059762", "has_markdown": true }, { "id": "40059725", "title": "AddressSanitizer: heap-use-after-free in content::ScreenlockMonitor::RemoveObserver content/browser/", "url": "https://issues.chromium.org/issues/40059725", "status": "Assigned", "severity": "S3-Low", "component": "Blink>GetUserMedia", "bounty_amount": 10000.0, "created_date": "2022-05-23T09:54:27+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40059725", "has_markdown": true }, { "id": "40059717", "title": "AddressSanitizer: heap-use-after-free storage::QuotaDatabase::CreateBucketInternal quota_database.cc", "url": "https://issues.chromium.org/issues/40059717", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Storage>Quota", "bounty_amount": 15000.0, "created_date": "2022-05-22T08:24:23+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059717", "has_markdown": true }, { "id": "40059710", "title": "Security: Chrome on Android Tablet Mode Select Dropdown Spinner able to Overlap Fullscreen Notification Toast", "url": "https://issues.chromium.org/issues/40059710", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>FullScreen", "bounty_amount": 1000.0, "created_date": "2022-05-20T02:01:14+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40059710", "has_markdown": true }, { "id": "40059705", "title": "Security: UAF in InterestGroupPermissionsChecker::OnRequestComplete", "url": "https://issues.chromium.org/issues/40059705", "status": "Assigned", "severity": "S3-Low", "component": "Blink>InterestGroups", "bounty_amount": 20000.0, "created_date": "2022-05-19T16:30:57+00:00", "year": 2022, "attachment_count": 8, "local_path": "issues/40059705", "has_markdown": true }, { "id": "40059699", "title": "Security: Heap-use-after-free in ash::SavedDeskDialogController::CreateDialogWidget", "url": "https://issues.chromium.org/issues/40059699", "status": "Assigned", "severity": "S3-Low", "component": "UI>Shell", "bounty_amount": 3000.0, "created_date": "2022-05-18T23:34:49+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059699", "has_markdown": true }, { "id": "40059686", "title": "Security: Lackluster \"File System Access API\" block-list provides full disk read/write access", "url": "https://issues.chromium.org/issues/40059686", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Storage>FileSystem", "bounty_amount": 1000.0, "created_date": "2022-05-18T06:22:19+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40059686", "has_markdown": true }, { "id": "40059681", "title": "Security: Use-after-free in WebGPU", "url": "https://issues.chromium.org/issues/40059681", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGPU", "bounty_amount": 10000.0, "created_date": "2022-05-16T18:42:05+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40059681", "has_markdown": true }, { "id": "40059675", "title": "AddressSanitizer: heap-use-after-free location_bar\\permission_request_chip.cc:127 in PermissionReque", "url": "https://issues.chromium.org/issues/40059675", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Omnibox, UI>Browser>Permissions>Prompts", "bounty_amount": 15000.0, "created_date": "2022-05-16T03:20:43+00:00", "year": 2022, "attachment_count": 8, "local_path": "issues/40059675", "has_markdown": true }, { "id": "40059668", "title": "Security: heap-after-free on iOS 15.4 simulator + Chromium Dev Asan", "url": "https://issues.chromium.org/issues/40059668", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Mobile>AppMenu", "bounty_amount": 2000.0, "created_date": "2022-05-14T22:36:19+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40059668", "has_markdown": true }, { "id": "40059663", "title": "Security: UAF in WebAuthnIconView", "url": "https://issues.chromium.org/issues/40059663", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebAuthentication", "bounty_amount": 10000.0, "created_date": "2022-05-13T15:50:08+00:00", "year": 2022, "attachment_count": 6, "local_path": "issues/40059663", "has_markdown": true }, { "id": "40059660", "title": "AddressSanitizer: use-after-poison blink\\renderer\\bindings\\core\\v8\\script_promise_resolver.h:164 in ", "url": "https://issues.chromium.org/issues/40059660", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Bindings", "bounty_amount": 5000.0, "created_date": "2022-05-13T09:39:47+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059660", "has_markdown": true }, { "id": "40059659", "title": "UAF in GestureRecognizerImpl.", "url": "https://issues.chromium.org/issues/40059659", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Input, UI>Input", "bounty_amount": 5000.0, "created_date": "2022-05-13T09:23:53+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40059659", "has_markdown": true }, { "id": "40059651", "title": "AddressSanitizer: heap-use-after-free __memory/unique_ptr.h:312:28 in mojo::Connector::HandleError(b", "url": "https://issues.chromium.org/issues/40059651", "status": "New", "severity": "S3-Low", "component": "Blink>Storage>IndexedDB", "bounty_amount": 20000.0, "created_date": "2022-05-12T08:15:06+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40059651", "has_markdown": true }, { "id": "40059630", "title": "Heap-use-after-free in blink::NGHighlightPainter::NGHighlightPainter", "url": "https://issues.chromium.org/issues/40059630", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>Paint", "bounty_amount": 6000.0, "created_date": "2022-05-10T19:15:08+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40059630", "has_markdown": true }, { "id": "40059595", "title": "Security: Share hub dialog doesn't show the origin elided from the right", "url": "https://issues.chromium.org/issues/40059595", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Sharing", "bounty_amount": 500.0, "created_date": "2022-05-09T00:24:28+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40059595", "has_markdown": true }, { "id": "40059591", "title": "memeory corruption in frame_queue_underlying_source.cc", "url": "https://issues.chromium.org/issues/40059591", "status": "Assigned", "severity": "S3-Low", "component": "Blink>MediaStream", "bounty_amount": 3000.0, "created_date": "2022-05-07T17:03:05+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40059591", "has_markdown": true }, { "id": "40059589", "title": "Security: Use-after-Free in InstallUpdateCallback", "url": "https://issues.chromium.org/issues/40059589", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 1000.0, "created_date": "2022-05-07T09:22:16+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40059589", "has_markdown": true }, { "id": "40059582", "title": "Security: UAF in UserEducationInternalsPageHandlerImpl::GetFeaturePromos", "url": "https://issues.chromium.org/issues/40059582", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>UserEducation", "bounty_amount": 3000.0, "created_date": "2022-05-06T12:53:08+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059582", "has_markdown": true }, { "id": "40059571", "title": "Security DCHECK(TypeConfuse) failed: IsA(from) in blink::VisualViewport::StartTrackingPinch", "url": "https://issues.chromium.org/issues/40059571", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Input", "bounty_amount": 7000.0, "created_date": "2022-05-05T09:25:52+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059571", "has_markdown": true }, { "id": "40059569", "title": "Security: UAF in DiscardsGraphDumpImpl", "url": "https://issues.chromium.org/issues/40059569", "status": "Assigned", "severity": "S3-Low", "component": "Internals>PerformanceManager", "bounty_amount": 1000.0, "created_date": "2022-05-05T03:35:04+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40059569", "has_markdown": true }, { "id": "40059532", "title": "Security: Keystroke side-channel leakage ", "url": "https://issues.chromium.org/issues/40059532", "status": "Assigned", "severity": "S3-Low", "component": "IO>Keyboard", "bounty_amount": 5000.0, "created_date": "2022-04-30T12:20:19+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40059532", "has_markdown": true }, { "id": "40059525", "title": "Security: bypass CSP navigate-to feature with serviceWorker navigate function", "url": "https://issues.chromium.org/issues/40059525", "status": "Accepted", "severity": "S4-Minimal", "component": "Blink>SecurityFeature>ContentSecurityPolicy", "bounty_amount": 1000.0, "created_date": "2022-04-29T16:01:04+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40059525", "has_markdown": true }, { "id": "40059520", "title": "Security: Debug check failed: marking_state_->IsBlackOrGrey(heap_object).", "url": "https://issues.chromium.org/issues/40059520", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript", "bounty_amount": 7500.0, "created_date": "2022-04-29T11:02:11+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059520", "has_markdown": true }, { "id": "40059505", "title": "Use-after-Free on BuildWebAppInternalsJson", "url": "https://issues.chromium.org/issues/40059505", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>WebAppInstalls", "bounty_amount": 5000.0, "created_date": "2022-04-28T07:27:16+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40059505", "has_markdown": true }, { "id": "40059502", "title": "Security: Heap-use-after-free in sharing_hub::SharingHubBubbleController::OnBubbleClosed", "url": "https://issues.chromium.org/issues/40059502", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Sharing", "bounty_amount": 3000.0, "created_date": "2022-04-28T03:50:10+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059502", "has_markdown": true }, { "id": "40059501", "title": "Security: Chrome on Android Hide Fullscreen Notification Toast When Multiple Times Enter and Exit Fullscreen", "url": "https://issues.chromium.org/issues/40059501", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Fullscreen", "bounty_amount": 5000.0, "created_date": "2022-04-27T23:33:11+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40059501", "has_markdown": true }, { "id": "40059492", "title": "Security: Heap-use-after-free in ReadAnythingToolbarView ", "url": "https://issues.chromium.org/issues/40059492", "status": "Assigned", "severity": "S4-Minimal", "component": "UI>Accessibility", "bounty_amount": 3000.0, "created_date": "2022-04-27T07:13:30+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059492", "has_markdown": true }, { "id": "40059489", "title": "UAF in ash::HatsDialog::Show", "url": "https://issues.chromium.org/issues/40059489", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>HaTS", "bounty_amount": 2000.0, "created_date": "2022-04-27T04:28:55+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059489", "has_markdown": true }, { "id": "40059482", "title": "Security: [ANGLE] Heap use-after-free when deleting TransformFeedback", "url": "https://issues.chromium.org/issues/40059482", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE", "bounty_amount": 10000.0, "created_date": "2022-04-26T20:17:05+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40059482", "has_markdown": true }, { "id": "40059476", "title": "Security: Type Confusion in Portal::ActivateImpl", "url": "https://issues.chromium.org/issues/40059476", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Portals", "bounty_amount": 20000.0, "created_date": "2022-04-26T11:58:51+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40059476", "has_markdown": true }, { "id": "40059473", "title": "AddressSanitizer: heap-use-after-free in PermissionRequestChip::CreateBubble", "url": "https://issues.chromium.org/issues/40059473", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Omnibox, UI>Browser>Permissions>Prompts", "bounty_amount": 3000.0, "created_date": "2022-04-26T09:23:35+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40059473", "has_markdown": true }, { "id": "40059457", "title": "heap-use-after-free on content::DevToolsAgentHostImpl::ForceDetachAllSessions", "url": "https://issues.chromium.org/issues/40059457", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Portals, Platform>DevTools", "bounty_amount": 3000.0, "created_date": "2022-04-25T04:02:54+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40059457", "has_markdown": true }, { "id": "40059453", "title": "UAF in ash::HatsDialog", "url": "https://issues.chromium.org/issues/40059453", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>HaTS", "bounty_amount": 3000.0, "created_date": "2022-04-24T14:06:01+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40059453", "has_markdown": true }, { "id": "40059417", "title": "Security: Select dropdown able to overlap fullscreen notification toast", "url": "https://issues.chromium.org/issues/40059417", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>FullScreen", "bounty_amount": 3000.0, "created_date": "2022-04-20T03:26:27+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40059417", "has_markdown": true }, { "id": "40059416", "title": "Security: container-overflow in ui::Compositor::StopThroughtputTracker", "url": "https://issues.chromium.org/issues/40059416", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Compositing", "bounty_amount": 3000.0, "created_date": "2022-04-19T19:42:03+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059416", "has_markdown": true }, { "id": "40059414", "title": "use after free in SendQueuedMediaEvents", "url": "https://issues.chromium.org/issues/40059414", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Media", "bounty_amount": 5000.0, "created_date": "2022-04-19T17:55:38+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059414", "has_markdown": true }, { "id": "40059411", "title": "Security: webgl2 CompileShader Heap Corruption", "url": "https://issues.chromium.org/issues/40059411", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGL, Internals>GPU>ANGLE", "bounty_amount": 7000.0, "created_date": "2022-04-19T16:13:29+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40059411", "has_markdown": true }, { "id": "40059410", "title": "Security: [ANGLE] Heap use-after-free caused by State::detachBuffer", "url": "https://issues.chromium.org/issues/40059410", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE", "bounty_amount": 10000.0, "created_date": "2022-04-19T14:34:36+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40059410", "has_markdown": true }, { "id": "40059400", "title": "[v8] Integer overflow leading to OOB/CHECK in icu_71::FormattedStringBuilder::prepareForInsertHelper", "url": "https://issues.chromium.org/issues/40059400", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Internationalization", "bounty_amount": 5000.0, "created_date": "2022-04-17T16:15:22+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40059400", "has_markdown": true }, { "id": "40059395", "title": "heap-use-after-free in DevToolsWindow::ActivateWindow", "url": "https://issues.chromium.org/issues/40059395", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools", "bounty_amount": 3000.0, "created_date": "2022-04-16T21:46:27+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40059395", "has_markdown": true }, { "id": "40059392", "title": "Security: Heap-use-after-free in location::nearby::chrome::ScheduledExecutor::PendingTaskWithTimer", "url": "https://issues.chromium.org/issues/40059392", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Sharing", "bounty_amount": 3000.0, "created_date": "2022-04-16T04:36:11+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40059392", "has_markdown": true }, { "id": "40059390", "title": "Security: heap-use-after-free in views::View::GetEffectiveViewTargeter", "url": "https://issues.chromium.org/issues/40059390", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Views", "bounty_amount": 5000.0, "created_date": "2022-04-15T22:24:45+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059390", "has_markdown": true }, { "id": "40059381", "title": "Security: Heap Buffer Overflow in mojo Message", "url": "https://issues.chromium.org/issues/40059381", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>API, Internals>Mojo>Bindings", "bounty_amount": 1000.0, "created_date": "2022-04-14T16:11:18+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40059381", "has_markdown": true }, { "id": "40059378", "title": "DCHECK failure at blink::WebFrameWidgetImpl::DragTargetDragEnter", "url": "https://issues.chromium.org/issues/40059378", "status": "Assigned", "severity": "S3-Low", "component": "Blink>DataTransfer", "bounty_amount": 1500.0, "created_date": "2022-04-14T11:35:12+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40059378", "has_markdown": true }, { "id": "40059358", "title": "Security: navigator.clipboard.read() can lead to mutation XSS", "url": "https://issues.chromium.org/issues/40059358", "status": "Assigned", "severity": "S3-Low", "component": "Blink>DataTransfer", "bounty_amount": 3000.0, "created_date": "2022-04-12T12:55:37+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40059358", "has_markdown": true }, { "id": "40059351", "title": "Security: oob read in AudioDelayDSPKernel::ProcessKRate", "url": "https://issues.chromium.org/issues/40059351", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebAudio", "bounty_amount": 2000.0, "created_date": "2022-04-11T14:18:35+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40059351", "has_markdown": true }, { "id": "40059349", "title": "Security: Segv on unknown address in views::internal::NativeWidgetPrivate::ReparentNativeView", "url": "https://issues.chromium.org/issues/40059349", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>TopChrome>TabStrip", "bounty_amount": 3000.0, "created_date": "2022-04-11T05:02:59+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40059349", "has_markdown": true }, { "id": "40059347", "title": "Security: Drag and Drop XSS", "url": "https://issues.chromium.org/issues/40059347", "status": "Assigned", "severity": "S3-Low", "component": "Blink>DataTransfer, Blink>Editing, Blink>SVG", "bounty_amount": 2000.0, "created_date": "2022-04-10T19:35:57+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40059347", "has_markdown": true }, { "id": "40059339", "title": "Security: Heap-use-after-free in remote_cocoa::NativeWidgetNSWindowBridge::SetVisibilityState", "url": "https://issues.chromium.org/issues/40059339", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser", "bounty_amount": 3000.0, "created_date": "2022-04-09T05:18:00+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059339", "has_markdown": true }, { "id": "40059331", "title": "Security: UAF in SegmentationPlatformServiceImpl", "url": "https://issues.chromium.org/issues/40059331", "status": "Assigned", "severity": "S3-Low", "component": "Internals>SegmentationPlatform", "bounty_amount": 3000.0, "created_date": "2022-04-08T10:43:25+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059331", "has_markdown": true }, { "id": "40059327", "title": "Security: heap-use-after-free in PDFium CPDFSDK_AppStream::Write", "url": "https://issues.chromium.org/issues/40059327", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>Plugins>PDF", "bounty_amount": 5000.0, "created_date": "2022-04-08T09:38:13+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40059327", "has_markdown": true }, { "id": "40059323", "title": "Security: JS object corruption in WasmJS::InstallConditionFeatures (CVE-2021-30561 variant)", "url": "https://issues.chromium.org/issues/40059323", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>WebAssembly", "bounty_amount": 7500.0, "created_date": "2022-04-08T05:37:43+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40059323", "has_markdown": true }, { "id": "40059319", "title": "bad free in gpu ~PackedEnumMap", "url": "https://issues.chromium.org/issues/40059319", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU, Internals>GPU>ANGLE, Internals>GPU>SwiftShader, Internals>GPU>Vulkan", "bounty_amount": 7000.0, "created_date": "2022-04-07T17:08:17+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059319", "has_markdown": true }, { "id": "40059305", "title": "Security: heap-buffer-overflow on ash/wm/window_animations.cc (chromeOS)", "url": "https://issues.chromium.org/issues/40059305", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Cast", "bounty_amount": 3000.0, "created_date": "2022-04-06T16:51:25+00:00", "year": 2022, "attachment_count": 8, "local_path": "issues/40059305", "has_markdown": true }, { "id": "40059304", "title": "Security: [ANGLE] Heap use-after-free in ContextVk::onBeginTransformFeedback", "url": "https://issues.chromium.org/issues/40059304", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>Vulkan", "bounty_amount": 10000.0, "created_date": "2022-04-06T12:54:31+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40059304", "has_markdown": true }, { "id": "40059299", "title": "Security: heap-buffer-overflow on components/ui_devtools/views/devtools_server_util.cc", "url": "https://issues.chromium.org/issues/40059299", "status": "Accepted", "severity": "S3-Low", "component": "Platform>DevTools", "bounty_amount": 2000.0, "created_date": "2022-04-05T20:15:48+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40059299", "has_markdown": true }, { "id": "40059289", "title": "Google Chrome WebGPU DoBufferDestroy kDirect allocation use-after-free vulnerability - TALOS-2022-1508", "url": "https://issues.chromium.org/issues/40059289", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGPU", "bounty_amount": 10000.0, "created_date": "2022-04-04T20:10:54+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40059289", "has_markdown": true }, { "id": "40059281", "title": "AddressSanitizer: heap-use-after-free element.cc:3611 in blink::Element::RecalcOwnStyle", "url": "https://issues.chromium.org/issues/40059281", "status": "Assigned", "severity": "S3-Low", "component": "Blink>CSS", "bounty_amount": 5000.0, "created_date": "2022-04-02T07:08:28+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40059281", "has_markdown": true }, { "id": "40059279", "title": "VideoTrackGenerator fails Security DCHECK(TypeConfuse) failure: IsA(from) in casting.h", "url": "https://issues.chromium.org/issues/40059279", "status": "Accepted", "severity": "S3-Low", "component": "Blink>GetUserMedia", "bounty_amount": 7000.0, "created_date": "2022-04-02T03:21:55+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059279", "has_markdown": true }, { "id": "40059272", "title": "Security: heap-use-after-free on components/global_media_controls/public/views/media_item_ui_list_view.cc", "url": "https://issues.chromium.org/issues/40059272", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Media>UI", "bounty_amount": 3000.0, "created_date": "2022-04-01T14:43:32+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40059272", "has_markdown": true }, { "id": "40059268", "title": "heap-buffer-overflow on ui_devtools::UIElement::ReorderChild", "url": "https://issues.chromium.org/issues/40059268", "status": "Accepted", "severity": "S3-Low", "component": "Platform>DevTools", "bounty_amount": 2000.0, "created_date": "2022-04-01T01:43:24+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059268", "has_markdown": true }, { "id": "40059265", "title": "Security: heap-use-after-free in content::WebContentsViewAura::StartDragging", "url": "https://issues.chromium.org/issues/40059265", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Portals", "bounty_amount": 10000.0, "created_date": "2022-03-31T19:48:58+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059265", "has_markdown": true }, { "id": "40059254", "title": "Security: heap-use-after-free ash/host/ash_window_tree_host_unified.cc", "url": "https://issues.chromium.org/issues/40059254", "status": "Assigned", "severity": "S3-Low", "component": "UI>Shell", "bounty_amount": 2000.0, "created_date": "2022-03-31T02:46:51+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059254", "has_markdown": true }, { "id": "40059251", "title": "Security: Browser-side origin confusion for javascript/data URLs opened in a new window/tab by cross-origin iframe", "url": "https://issues.chromium.org/issues/40059251", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Sandbox>SiteIsolation, UI>Browser>Navigation, UI>Browser>Permissions", "bounty_amount": 20000.0, "created_date": "2022-03-30T21:21:42+00:00", "year": 2022, "attachment_count": 28, "local_path": "issues/40059251", "has_markdown": true }, { "id": "40059248", "title": "Security: UAF in DumpDatabaseHandler", "url": "https://issues.chromium.org/issues/40059248", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Storage>FileSystem", "bounty_amount": 15000.0, "created_date": "2022-03-30T16:03:42+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40059248", "has_markdown": true }, { "id": "40059247", "title": "Android Chrome FullScreen Notification Can be Overlapped by Pop-up Blocker Notification", "url": "https://issues.chromium.org/issues/40059247", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>FullScreen, UI>Browser>Mobile>Messages", "bounty_amount": 3000.0, "created_date": "2022-03-30T15:21:07+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40059247", "has_markdown": true }, { "id": "40059215", "title": "Use-after-Free on crostini::CrostiniExportImport::OpenFileDialog", "url": "https://issues.chromium.org/issues/40059215", "status": "Assigned", "severity": "S3-Low", "component": "UI>Shell", "bounty_amount": 7000.0, "created_date": "2022-03-28T09:19:54+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059215", "has_markdown": true }, { "id": "40059207", "title": "Security: chrome.downloads.download could be abused to steal user's environment variables like secrets, tokens or keys on windows.", "url": "https://issues.chromium.org/issues/40059207", "status": "Accepted", "severity": "S3-Low", "component": "Platform>Extensions>API", "bounty_amount": 7000.0, "created_date": "2022-03-26T03:23:32+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40059207", "has_markdown": true }, { "id": "40059172", "title": "AddressSanitizer: heap-use-after-free in isCubeCompatible third_party/swiftshader/src/Vulkan/VkImage.cpp:905:25", "url": "https://issues.chromium.org/issues/40059172", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>SwiftShader", "bounty_amount": 10000.0, "created_date": "2022-03-22T10:42:42+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40059172", "has_markdown": true }, { "id": "40059165", "title": "Security: Abuse the user's system environment variables in download attribute may cause DLL Hijacking or Path Interception ", "url": "https://issues.chromium.org/issues/40059165", "status": "Assigned", "severity": "S3-Low", "component": "Internals>PlatformIntegration, UI>Browser>Downloads", "bounty_amount": 2000.0, "created_date": "2022-03-21T15:16:04+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40059165", "has_markdown": true }, { "id": "40059164", "title": "Security: UAF in SyncConfirmation", "url": "https://issues.chromium.org/issues/40059164", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Sandbox>SiteIsolation", "bounty_amount": 10000.0, "created_date": "2022-03-21T13:49:38+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059164", "has_markdown": true }, { "id": "40059152", "title": "Security: Chrome Apps: Possible to read environment variables using suggestedName in chrome.fileSystem.chooseEntry", "url": "https://issues.chromium.org/issues/40059152", "status": "Accepted", "severity": "S3-Low", "component": "Platform>Apps>API", "bounty_amount": 7000.0, "created_date": "2022-03-20T17:44:19+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40059152", "has_markdown": true }, { "id": "40059141", "title": "Security: .url files can redirect showSaveFilePicker into an arbitrary file", "url": "https://issues.chromium.org/issues/40059141", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Storage>FileSystem", "bounty_amount": 2000.0, "created_date": "2022-03-18T22:27:06+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40059141", "has_markdown": true }, { "id": "40059136", "title": "Type confuse in blink::To layout_table.cc:175", "url": "https://issues.chromium.org/issues/40059136", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Layout", "bounty_amount": 5000.0, "created_date": "2022-03-18T08:49:29+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059136", "has_markdown": true }, { "id": "40059133", "title": "Security: RegExp[@@replace] missing write barrier, leading to RCE", "url": "https://issues.chromium.org/issues/40059133", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Regexp", "bounty_amount": 20000.0, "created_date": "2022-03-18T03:22:13+00:00", "year": 2022, "attachment_count": 9, "local_path": "issues/40059133", "has_markdown": true }, { "id": "40059112", "title": "Security: Incomplete patch for issue 1246631 (CVE-2021-37981) and inaccurate scaling in EyeDropperView", "url": "https://issues.chromium.org/issues/40059112", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Forms>Color", "bounty_amount": 7000.0, "created_date": "2022-03-16T15:54:14+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40059112", "has_markdown": true }, { "id": "40059105", "title": "AddressSanitizer: heap-use-after-free components/history/core/browser/history_backend.cc:2542:22 in history::HistoryBackend::KillHistoryDatabase()", "url": "https://issues.chromium.org/issues/40059105", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>History", "bounty_amount": 15000.0, "created_date": "2022-03-15T15:53:28+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40059105", "has_markdown": true }, { "id": "40059102", "title": "Security: Sanitizer API bypass via prototype pollution", "url": "https://issues.chromium.org/issues/40059102", "status": "Fixed", "severity": "S3-Low", "component": "Blink>SecurityFeature>SanitizerAPI", "bounty_amount": 1000.0, "created_date": "2022-03-15T12:23:28+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40059102", "has_markdown": true }, { "id": "40059077", "title": "AddressSanitizer: use-after-poison in blink::WebrtcVideoPerfReporter::InitializeOnTaskRunner webrtc_video_perf_reporter.cc:36", "url": "https://issues.chromium.org/issues/40059077", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebRTC>Perf", "bounty_amount": 5000.0, "created_date": "2022-03-13T03:35:02+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40059077", "has_markdown": true }, { "id": "40059074", "title": "uaf in BookmarkBarView::OnTabGroupButtonPressed", "url": "https://issues.chromium.org/issues/40059074", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>TopChrome>TabStrip>TabGroups", "bounty_amount": 2000.0, "created_date": "2022-03-12T12:58:15+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40059074", "has_markdown": true }, { "id": "40059071", "title": "File picker UI spoof", "url": "https://issues.chromium.org/issues/40059071", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Forms>File, UI>Browser>Navigation", "bounty_amount": 2000.0, "created_date": "2022-03-11T22:15:30+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059071", "has_markdown": true }, { "id": "40059047", "title": "[ANGLE] Vulkan Use After Free in onBeginTransformFeedback", "url": "https://issues.chromium.org/issues/40059047", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>GPU>ANGLE", "bounty_amount": 7000.0, "created_date": "2022-03-10T13:52:19+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40059047", "has_markdown": true }, { "id": "40059038", "title": "Security: use after free in cups_printers_handler", "url": "https://issues.chromium.org/issues/40059038", "status": "Fixed", "severity": "S3-Low", "component": "Internals>Printing", "bounty_amount": 3000.0, "created_date": "2022-03-09T20:26:37+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40059038", "has_markdown": true }, { "id": "40059026", "title": "Security: Debug check failed: type.representation() == MachineRepresentation::kFloat64 || type.representation() == MachineRepresentation::kTagged.", "url": "https://issues.chromium.org/issues/40059026", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Compiler>Turbofan", "bounty_amount": 7500.0, "created_date": "2022-03-09T11:59:34+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40059026", "has_markdown": true }, { "id": "40059019", "title": "Security: UAF in ui/ozone/platform/wayland/host/wayland_window.cc", "url": "https://issues.chromium.org/issues/40059019", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Ozone", "bounty_amount": 7000.0, "created_date": "2022-03-08T20:20:55+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40059019", "has_markdown": true }, { "id": "40059011", "title": "Security: UAF in ScanningHandler", "url": "https://issues.chromium.org/issues/40059011", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>WebUI", "bounty_amount": 5000.0, "created_date": "2022-03-08T11:44:19+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40059011", "has_markdown": true }, { "id": "40059009", "title": "uaf in FrameSinkVideoCaptureDevice::OnLog", "url": "https://issues.chromium.org/issues/40059009", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Media", "bounty_amount": 500.0, "created_date": "2022-03-08T07:57:48+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40059009", "has_markdown": true }, { "id": "40059003", "title": "Security: HeapOverflow in CertificatesHandler", "url": "https://issues.chromium.org/issues/40059003", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>WebUI", "bounty_amount": 3000.0, "created_date": "2022-03-07T15:31:03+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40059003", "has_markdown": true }, { "id": "40059002", "title": "Security: HeapOverflow in Diagnostics", "url": "https://issues.chromium.org/issues/40059002", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>WebUI", "bounty_amount": 5000.0, "created_date": "2022-03-07T15:30:58+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40059002", "has_markdown": true }, { "id": "40059001", "title": "Security: HeapOverflow in ScanningHandler", "url": "https://issues.chromium.org/issues/40059001", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>WebUI", "bounty_amount": 3000.0, "created_date": "2022-03-07T15:30:53+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40059001", "has_markdown": true }, { "id": "40059000", "title": "Heap-use-after-free in blink::BoxPainterBase::PaintFillLayer", "url": "https://issues.chromium.org/issues/40059000", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>Canvas, Blink>JavaScript", "bounty_amount": 10000.0, "created_date": "2022-03-07T14:56:27+00:00", "year": 2022, "attachment_count": 6, "local_path": "issues/40059000", "has_markdown": true }, { "id": "40058995", "title": "[TurboFan]v8 crashed when compling optimization", "url": "https://issues.chromium.org/issues/40058995", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler", "bounty_amount": 5000.0, "created_date": "2022-03-07T03:59:05+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40058995", "has_markdown": true }, { "id": "40058989", "title": "Security: heap-use-after-free in ui::EventTarget::RemovePreTargetHandler", "url": "https://issues.chromium.org/issues/40058989", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Forms>Color, Blink>Portals", "bounty_amount": 15000.0, "created_date": "2022-03-05T23:01:20+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40058989", "has_markdown": true }, { "id": "40058985", "title": "Security: Locked devices - VPN adding possible", "url": "https://issues.chromium.org/issues/40058985", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Network>VPN", "bounty_amount": 5000.0, "created_date": "2022-03-05T18:41:59+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40058985", "has_markdown": true }, { "id": "40058969", "title": "Security: Extension permission escalation", "url": "https://issues.chromium.org/issues/40058969", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions>API", "bounty_amount": 5000.0, "created_date": "2022-03-04T12:19:23+00:00", "year": 2022, "attachment_count": 8, "local_path": "issues/40058969", "has_markdown": true }, { "id": "40058968", "title": "Security: Heap-use-after-free in send_tab_to_self::SendTabToSelfBubbleController::OnBubbleClosed", "url": "https://issues.chromium.org/issues/40058968", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Sharing", "bounty_amount": 5000.0, "created_date": "2022-03-04T11:41:36+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40058968", "has_markdown": true }, { "id": "40058962", "title": "Heap-use-after-free in ImportDataHandler::~ImportDataHandler", "url": "https://issues.chromium.org/issues/40058962", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Import", "bounty_amount": 2000.0, "created_date": "2022-03-03T22:56:14+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40058962", "has_markdown": true }, { "id": "40058958", "title": "Security: Use After Free in ChromePasswordProtectionService::HandleUserActionOnModalWarning", "url": "https://issues.chromium.org/issues/40058958", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 15000.0, "created_date": "2022-03-03T14:31:15+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40058958", "has_markdown": true }, { "id": "40058935", "title": "Security: Extension can obscure active window with an inactive window, user can interact with sensitive UI using keyboard without being aware", "url": "https://issues.chromium.org/issues/40058935", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions>API", "bounty_amount": 3000.0, "created_date": "2022-03-02T02:03:33+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40058935", "has_markdown": true }, { "id": "40058934", "title": "Security: Heap-use-after-free in ~ExtensionUninstallDialogViews", "url": "https://issues.chromium.org/issues/40058934", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 3000.0, "created_date": "2022-03-02T01:58:53+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40058934", "has_markdown": true }, { "id": "40058931", "title": "Security: Web Share API allows to write in UNC paths and/or in C:/Users//AppData/Local/Temp/ on Windows ", "url": "https://issues.chromium.org/issues/40058931", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebShare", "bounty_amount": 5000.0, "created_date": "2022-03-01T11:32:13+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40058931", "has_markdown": true }, { "id": "40058929", "title": "Security: Chrome for Android Hide Custom Fullscreen Toast View with Repeated Exit Enter Fullscreen Request", "url": "https://issues.chromium.org/issues/40058929", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>FullScreen", "bounty_amount": 3000.0, "created_date": "2022-03-01T04:48:25+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40058929", "has_markdown": true }, { "id": "40058928", "title": "uaf in browser_switcher::`anonymous namespace'::OpenBrowserSwitchPage", "url": "https://issues.chromium.org/issues/40058928", "status": "Assigned", "severity": "S3-Low", "component": "Enterprise>BrowserSwitcher", "bounty_amount": 2000.0, "created_date": "2022-03-01T01:34:44+00:00", "year": 2022, "attachment_count": 6, "local_path": "issues/40058928", "has_markdown": true }, { "id": "40058920", "title": "Security: bypass resource requests whose URLs contained both removed whitespace (`\\n`, `\\r`, `\\t`) characters and less-than characters (`<`) in the fencedframe element", "url": "https://issues.chromium.org/issues/40058920", "status": "Assigned", "severity": "S3-Low", "component": "Blink>FencedFrames", "bounty_amount": 1000.0, "created_date": "2022-02-28T14:00:20+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40058920", "has_markdown": true }, { "id": "40058916", "title": "Security: Extension can move window off screen, user can interact with sensitive UI using keyboard without being aware", "url": "https://issues.chromium.org/issues/40058916", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions>API", "bounty_amount": 3000.0, "created_date": "2022-02-27T22:18:45+00:00", "year": 2022, "attachment_count": 10, "local_path": "issues/40058916", "has_markdown": true }, { "id": "40058914", "title": "Security: Bypass Apk Warning In Andriod", "url": "https://issues.chromium.org/issues/40058914", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Downloads", "bounty_amount": 1000.0, "created_date": "2022-02-27T19:59:34+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40058914", "has_markdown": true }, { "id": "40058896", "title": "Security: Url Hijacking using intent:// when onload web page using bookmark (Google Chrome Android)", "url": "https://issues.chromium.org/issues/40058896", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Sandbox>SiteIsolation, Mobile>Intents, UI>Browser>Bookmarks", "bounty_amount": 2000.0, "created_date": "2022-02-24T14:40:27+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40058896", "has_markdown": true }, { "id": "40058878", "title": "Security: Chrome for Android Cancel Enter Fullscreen able to Hide Omnibox", "url": "https://issues.chromium.org/issues/40058878", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Fullscreen, UI>Browser>FullScreen, UI>Browser>Omnibox", "bounty_amount": 3000.0, "created_date": "2022-02-23T19:22:56+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40058878", "has_markdown": true }, { "id": "40058874", "title": "Security: Private Network Access (PNA) Bypass Allows Access to localhost on macOS & Linux using 0.0.0.0", "url": "https://issues.chromium.org/issues/40058874", "status": "Accepted", "severity": "S3-Low", "component": "Blink>SecurityFeature>CORS>PrivateNetworkAccess", "bounty_amount": 1000.0, "created_date": "2022-02-23T01:02:07+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40058874", "has_markdown": true }, { "id": "40058873", "title": "Security: Extension popup can render over permission prompts and screen share dialog", "url": "https://issues.chromium.org/issues/40058873", "status": "Accepted", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 5000.0, "created_date": "2022-02-23T00:20:24+00:00", "year": 2022, "attachment_count": 26, "local_path": "issues/40058873", "has_markdown": true }, { "id": "40058856", "title": "Security: heap-use-after-free in FileSystemAccessRegularFileDelegate::DoFlush", "url": "https://issues.chromium.org/issues/40058856", "status": "Assigned", "severity": "S3-Low", "component": "Blink>GarbageCollection, Blink>Storage>FileSystem", "bounty_amount": 7500.0, "created_date": "2022-02-22T11:51:56+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40058856", "has_markdown": true }, { "id": "40041791", "title": "Video escapes content area", "url": "https://issues.chromium.org/issues/40041791", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Compositing, Internals>GPU>Video", "bounty_amount": 3000.0, "created_date": "2022-02-20T20:57:51+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40041791", "has_markdown": true }, { "id": "40058839", "title": "use after free in rx::FramebufferVk::startNewRenderPass", "url": "https://issues.chromium.org/issues/40058839", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE", "bounty_amount": 7000.0, "created_date": "2022-02-20T15:06:38+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40058839", "has_markdown": true }, { "id": "40058837", "title": "Security: [ANGLE] Heap overflow read in vk::IndexBuffer::getIndexBuffers", "url": "https://issues.chromium.org/issues/40058837", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE, Internals>GPU>SwiftShader", "bounty_amount": 7000.0, "created_date": "2022-02-20T14:03:03+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40058837", "has_markdown": true }, { "id": "40058833", "title": "Security: Heap-use-after-free in QuickAnswersUiController::CloseQuickAnswersView", "url": "https://issues.chromium.org/issues/40058833", "status": "Assigned", "severity": "S3-Low", "component": "UI", "bounty_amount": 3000.0, "created_date": "2022-02-19T23:06:14+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40058833", "has_markdown": true }, { "id": "40058831", "title": "Use After Free in TextureVk::releaseAndDeleteImageAndViews", "url": "https://issues.chromium.org/issues/40058831", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE", "bounty_amount": 10000.0, "created_date": "2022-02-19T18:19:40+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40058831", "has_markdown": true }, { "id": "40058806", "title": "Heap-use-after-free in blink::WorkerOrWorkletGlobalScope::CountUse", "url": "https://issues.chromium.org/issues/40058806", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Workers", "bounty_amount": 5000.0, "created_date": "2022-02-17T12:29:03+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40058806", "has_markdown": true }, { "id": "40058794", "title": "Security: heap-use-after-free in base::SupportsUserData::GetUserData", "url": "https://issues.chromium.org/issues/40058794", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Omnibox, UI>Browser>Sharing", "bounty_amount": 7000.0, "created_date": "2022-02-16T12:36:23+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40058794", "has_markdown": true }, { "id": "40058786", "title": "Security: heap-use-after-free ash/drag_drop/drag_drop_tracker.cc:109", "url": "https://issues.chromium.org/issues/40058786", "status": "Accepted", "severity": "S3-Low", "component": "UI>Shell>UIFoundations", "bounty_amount": 3000.0, "created_date": "2022-02-15T18:12:02+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40058786", "has_markdown": true }, { "id": "40058778", "title": "[WebUI] StartupPagesHandler does not adequately verify arguments from JS", "url": "https://issues.chromium.org/issues/40058778", "status": "Assigned", "severity": "S3-Low", "component": "UI>Settings", "bounty_amount": 7500.0, "created_date": "2022-02-15T05:15:55+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40058778", "has_markdown": true }, { "id": "40058773", "title": "Security: Chrome Enterprise MSI installer Elevation of Privileges Vulnerability", "url": "https://issues.chromium.org/issues/40058773", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Installer", "bounty_amount": 20000.0, "created_date": "2022-02-14T20:42:50+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40058773", "has_markdown": true }, { "id": "40058771", "title": "Security: memory bug on webui tab dragging", "url": "https://issues.chromium.org/issues/40058771", "status": "Assigned", "severity": "S3-Low", "component": "UI>Shell>UIFoundations", "bounty_amount": 3000.0, "created_date": "2022-02-14T18:05:25+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40058771", "has_markdown": true }, { "id": "40058766", "title": "Spoof omnibar", "url": "https://issues.chromium.org/issues/40058766", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Omnibox", "bounty_amount": 1000.0, "created_date": "2022-02-13T17:43:52+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40058766", "has_markdown": true }, { "id": "40058759", "title": "Security: heap-buffer-overflow in getImageActualFormat", "url": "https://issues.chromium.org/issues/40058759", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>GPU", "bounty_amount": 7000.0, "created_date": "2022-02-12T21:31:30+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40058759", "has_markdown": true }, { "id": "40058750", "title": "Security: [ANGLE] Heap use-after-free in BufferHelper::recordReadBarrier", "url": "https://issues.chromium.org/issues/40058750", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>Vulkan", "bounty_amount": 7000.0, "created_date": "2022-02-11T05:39:03+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40058750", "has_markdown": true }, { "id": "40058732", "title": "uaf in blink::MediaInspectorContextImpl::CullPlayers(blink::WebString const&)", "url": "https://issues.chromium.org/issues/40058732", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Media", "bounty_amount": 5000.0, "created_date": "2022-02-09T18:32:10+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40058732", "has_markdown": true }, { "id": "40058730", "title": "Residual UAF in token fetcher code", "url": "https://issues.chromium.org/issues/40058730", "status": "Assigned", "severity": "S3-Low", "component": "Internals>WebLayer", "bounty_amount": 1000.0, "created_date": "2022-02-09T14:11:57+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40058730", "has_markdown": true }, { "id": "40058718", "title": "Security: [ANGLE] Heap use-after-free in CommandBufferHelperCommon::bufferWrite", "url": "https://issues.chromium.org/issues/40058718", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>GPU>ANGLE", "bounty_amount": 7000.0, "created_date": "2022-02-08T19:53:58+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40058718", "has_markdown": true }, { "id": "40058679", "title": "Security: Heap-use-after-free in NearbyShareAction::HandleKeyboardEvent", "url": "https://issues.chromium.org/issues/40058679", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebShare", "bounty_amount": 7000.0, "created_date": "2022-02-04T03:31:47+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40058679", "has_markdown": true }, { "id": "40058651", "title": "Security DCHECK failure: IsA(from) in casting.h", "url": "https://issues.chromium.org/issues/40058651", "status": "Assigned", "severity": "S3-Low", "component": "Blink>CSS", "bounty_amount": 5000.0, "created_date": "2022-02-01T08:27:11+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40058651", "has_markdown": true }, { "id": "40058650", "title": "Security: UAF after adding undocked DevTools tab to a group", "url": "https://issues.chromium.org/issues/40058650", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>TopChrome>TabStrip>TabGroups", "bounty_amount": 5000.0, "created_date": "2022-02-01T06:39:33+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40058650", "has_markdown": true }, { "id": "40058643", "title": "Security: heap-use-after-free on third_party/abseil-cpp/absl/types/internal/optional.h:208:13 in optional_data (chromeOS)", "url": "https://issues.chromium.org/issues/40058643", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions>API, UI>Browser>TopChrome>TabStrip", "bounty_amount": 2000.0, "created_date": "2022-01-31T08:34:02+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40058643", "has_markdown": true }, { "id": "40058635", "title": "Security: heap-use-after-free on ash/wm/desks/desks_controller.cc (chromeOS)", "url": "https://issues.chromium.org/issues/40058635", "status": "Assigned", "severity": "S3-Low", "component": "UI>Shell", "bounty_amount": 7000.0, "created_date": "2022-01-29T07:57:31+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40058635", "has_markdown": true }, { "id": "40058633", "title": "Security: Heap-use-after-free in BrowserList::AddBrowser", "url": "https://issues.chromium.org/issues/40058633", "status": "Fixed", "severity": "S3-Low", "component": "Blink>Portals, Blink>WindowDialog", "bounty_amount": 7000.0, "created_date": "2022-01-29T05:15:35+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40058633", "has_markdown": true }, { "id": "40058623", "title": "Uaf in qrcode_generator::QRCodeGeneratorBubbleController::OnBubbleClosed", "url": "https://issues.chromium.org/issues/40058623", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Sharing", "bounty_amount": 5000.0, "created_date": "2022-01-28T08:28:57+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40058623", "has_markdown": true }, { "id": "40058617", "title": "Security: heap-use-after-free in base::ObserverList::RemoveObserver", "url": "https://issues.chromium.org/issues/40058617", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Cast", "bounty_amount": 7000.0, "created_date": "2022-01-27T22:51:35+00:00", "year": 2022, "attachment_count": 8, "local_path": "issues/40058617", "has_markdown": true }, { "id": "40058585", "title": "Uaf in OmniboxPopup", "url": "https://issues.chromium.org/issues/40058585", "status": "Fixed", "severity": "S3-Low", "component": "UI>Browser>Omnibox", "bounty_amount": 3000.0, "created_date": "2022-01-25T07:54:20+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40058585", "has_markdown": true }, { "id": "40058583", "title": "uaf in BrowserSwitchHandler::OnLaunchFinished", "url": "https://issues.chromium.org/issues/40058583", "status": "Assigned", "severity": "S3-Low", "component": "Enterprise>BrowserSwitcher", "bounty_amount": 2000.0, "created_date": "2022-01-25T06:40:35+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40058583", "has_markdown": true }, { "id": "40058582", "title": "Security: Autofill prompt can be obscured by Picture-in-Picture overlay, allows stealthy autofill data theft", "url": "https://issues.chromium.org/issues/40058582", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Autofill", "bounty_amount": 5000.0, "created_date": "2022-01-25T02:49:41+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40058582", "has_markdown": true }, { "id": "40058575", "title": "Security: CDP Runtime.queryObjects leaks internal objects in JS heap, allowing CDP clients to compromise V8 process", "url": "https://issues.chromium.org/issues/40058575", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 1000.0, "created_date": "2022-01-24T07:26:43+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40058575", "has_markdown": true }, { "id": "40058572", "title": "Security: redirect detection via Performance API", "url": "https://issues.chromium.org/issues/40058572", "status": "Accepted", "severity": "S3-Low", "component": "Blink>PerformanceAPIs>NavigationTiming, Blink>PerformanceAPIs>ServerTiming, Internals>Network", "bounty_amount": 1000.0, "created_date": "2022-01-23T15:59:22+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40058572", "has_markdown": true }, { "id": "40058555", "title": "Security: CSS keylogger extension using PageStateMatcher and chrome.action.openPopup()", "url": "https://issues.chromium.org/issues/40058555", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 5000.0, "created_date": "2022-01-21T22:36:30+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40058555", "has_markdown": true }, { "id": "40058550", "title": "Security: heap-use-after-free in ExtensionFunction::Shutdown", "url": "https://issues.chromium.org/issues/40058550", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 15000.0, "created_date": "2022-01-21T17:17:38+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40058550", "has_markdown": true }, { "id": "40058541", "title": "Security: heap-use-after-free in TemplateURLFetcher::RequestDelegate::OnTemplateURLParsed ", "url": "https://issues.chromium.org/issues/40058541", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Search", "bounty_amount": 7000.0, "created_date": "2022-01-21T06:06:47+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40058541", "has_markdown": true }, { "id": "40058536", "title": "Security: [ANGLE] Heap-buffer-overflow in ImageHelper::SubresourceUpdate::isUpdateToLayers", "url": "https://issues.chromium.org/issues/40058536", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE", "bounty_amount": 10000.0, "created_date": "2022-01-20T21:43:36+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40058536", "has_markdown": true }, { "id": "40058534", "title": "Security: UAF in BookmarkDragHelper", "url": "https://issues.chromium.org/issues/40058534", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Bookmarks", "bounty_amount": 3000.0, "created_date": "2022-01-20T11:56:05+00:00", "year": 2022, "attachment_count": 9, "local_path": "issues/40058534", "has_markdown": true }, { "id": "40058517", "title": "AddressSanitizer: heap-use-after-free asan-linux-release-960248 content::StoragePartitionImpl::GetLockManager() content/browser/storage_partition_impl.cc:1493", "url": "https://issues.chromium.org/issues/40058517", "status": "New", "severity": "S3-Low", "component": "Internals>Core", "bounty_amount": 15000.0, "created_date": "2022-01-18T14:00:36+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40058517", "has_markdown": true }, { "id": "40058513", "title": "heap buffer overflow in sw::Blitter::fastResolve", "url": "https://issues.chromium.org/issues/40058513", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE, Internals>GPU>SwiftShader", "bounty_amount": 7000.0, "created_date": "2022-01-17T14:45:57+00:00", "year": 2022, "attachment_count": 1, "local_path": "issues/40058513", "has_markdown": true }, { "id": "40058509", "title": "Security: [ANGLE] Heap-buffer-overflow in TextureVk::prepareForGenerateMipmap", "url": "https://issues.chromium.org/issues/40058509", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE", "bounty_amount": 10000.0, "created_date": "2022-01-17T10:24:11+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40058509", "has_markdown": true }, { "id": "40058496", "title": "Page can use EyeDropper API to bypass mouse movement/keyboard input requirements for autofill (bypass of issue 1240472 fix)", "url": "https://issues.chromium.org/issues/40058496", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Forms>Color, UI>Browser>Autofill", "bounty_amount": 2000.0, "created_date": "2022-01-14T05:25:38+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40058496", "has_markdown": true }, { "id": "40058486", "title": "Security: heap-use-after-free in ProfileImpl::IsSameOrParent", "url": "https://issues.chromium.org/issues/40058486", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions>API, Webstore", "bounty_amount": 7000.0, "created_date": "2022-01-13T00:40:44+00:00", "year": 2022, "attachment_count": 9, "local_path": "issues/40058486", "has_markdown": true }, { "id": "40058468", "title": "Security: Potential UaF in TabStripModel (chromeOS)", "url": "https://issues.chromium.org/issues/40058468", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>TopChrome>TabStrip>ThumbnailTabStrip", "bounty_amount": 3000.0, "created_date": "2022-01-11T06:37:15+00:00", "year": 2022, "attachment_count": 22, "local_path": "issues/40058468", "has_markdown": true }, { "id": "40058461", "title": "Security: [ANGLE] Vulkan : Out-of-bounds memory can be accessed using bound offsets", "url": "https://issues.chromium.org/issues/40058461", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE", "bounty_amount": 7000.0, "created_date": "2022-01-10T16:41:17+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40058461", "has_markdown": true }, { "id": "40058448", "title": "Security: double-free in content::RenderFrameHostImpl::ResetNavigationRequests", "url": "https://issues.chromium.org/issues/40058448", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Core, Internals>Sandbox>SiteIsolation, UI>Browser>Navigation, UI>Browser>TopChrome>TabStrip", "bounty_amount": 5000.0, "created_date": "2022-01-10T07:03:34+00:00", "year": 2022, "attachment_count": 2, "local_path": "issues/40058448", "has_markdown": true }, { "id": "40058435", "title": "Security: heap-use-after-use in DiscountURLLoader::NavigateToDiscountURL", "url": "https://issues.chromium.org/issues/40058435", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Shopping>Cart", "bounty_amount": 16000.0, "created_date": "2022-01-08T16:11:44+00:00", "year": 2022, "attachment_count": 0, "local_path": "issues/40058435", "has_markdown": true }, { "id": "40058426", "title": "AddressSanitizer: heap-use-after-free in blink::BlobBytesProvider::AppendData", "url": "https://issues.chromium.org/issues/40058426", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Storage", "bounty_amount": 5000.0, "created_date": "2022-01-07T10:06:52+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40058426", "has_markdown": true }, { "id": "40058418", "title": "Security: heap-use-after-free in web_app::ShortcutInfoForExtensionAndProfile ", "url": "https://issues.chromium.org/issues/40058418", "status": "Assigned", "severity": "S4-Minimal", "component": "Platform>Extensions", "bounty_amount": 2000.0, "created_date": "2022-01-06T23:46:06+00:00", "year": 2022, "attachment_count": 5, "local_path": "issues/40058418", "has_markdown": true }, { "id": "40058411", "title": "Security: UAF in DistilledPagePrefs::SetFontScaling", "url": "https://issues.chromium.org/issues/40058411", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>ReaderMode", "bounty_amount": 20000.0, "created_date": "2022-01-06T11:00:48+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40058411", "has_markdown": true }, { "id": "40058405", "title": "Security: UAF in safe_browsing::DownloadRequestMaker::Start", "url": "https://issues.chromium.org/issues/40058405", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 20000.0, "created_date": "2022-01-05T12:08:17+00:00", "year": 2022, "attachment_count": 7, "local_path": "issues/40058405", "has_markdown": true }, { "id": "40058399", "title": "AddressSanitizer: heap-use-after-free in TryProcess ui/base/accelerators/accelerator_manager.cc:152:17", "url": "https://issues.chromium.org/issues/40058399", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Accessibility", "bounty_amount": 7000.0, "created_date": "2022-01-04T16:28:11+00:00", "year": 2022, "attachment_count": 4, "local_path": "issues/40058399", "has_markdown": true }, { "id": "40058392", "title": "Container-overflow in TableView::UpdateVirtualAccessibilityChildrenBounds", "url": "https://issues.chromium.org/issues/40058392", "status": "Assigned", "severity": "S3-Low", "component": "UI>TaskManager", "bounty_amount": 0.0, "created_date": "2022-01-02T23:19:53+00:00", "year": 2022, "attachment_count": 3, "local_path": "issues/40058392", "has_markdown": true }, { "id": "40058379", "title": "Security: UAF in ProtocolHandlerThrottle using PlzDedicatedWorker", "url": "https://issues.chromium.org/issues/40058379", "status": "New", "severity": "S3-Low", "component": "Blink>Loader, Blink>Workers", "bounty_amount": 20000.0, "created_date": "2021-12-31T03:26:49+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40058379", "has_markdown": true }, { "id": "40058372", "title": "Heap-use-after-free in ChromePermissionsClient::OverrideCanonicalOrigin", "url": "https://issues.chromium.org/issues/40058372", "status": "Assigned", "severity": "S3-Low", "component": "Blink>MediaStream", "bounty_amount": 15000.0, "created_date": "2021-12-30T12:04:03+00:00", "year": 2021, "attachment_count": 6, "local_path": "issues/40058372", "has_markdown": true }, { "id": "40058368", "title": "Security: UAF in ChromeContentBrowserClient::CreateURLLoaderThrottles", "url": "https://issues.chromium.org/issues/40058368", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Loader>WebPackaging, Internals>Network", "bounty_amount": 15000.0, "created_date": "2021-12-30T09:28:13+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40058368", "has_markdown": true }, { "id": "40058360", "title": "AddressSanitizer: use-after-poison cc\\layers\\texture_layer.cc:169 in cc::TextureLayer::Update", "url": "https://issues.chromium.org/issues/40058360", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Compositing", "bounty_amount": 5000.0, "created_date": "2021-12-29T03:04:55+00:00", "year": 2021, "attachment_count": 5, "local_path": "issues/40058360", "has_markdown": true }, { "id": "40058345", "title": "Type Confuse Security DCHECK failed: !node || IsTextControl(*node) text_control_element.h(268) ", "url": "https://issues.chromium.org/issues/40058345", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>Forms>Text, Blink>Layout", "bounty_amount": 5000.0, "created_date": "2021-12-26T16:16:55+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40058345", "has_markdown": true }, { "id": "40058333", "title": "Security: AddressSanitizer: heap-use-after-free on drag_drop_controller.cc (chromeOS and Lacros)", "url": "https://issues.chromium.org/issues/40058333", "status": "Assigned", "severity": "S3-Low", "component": "Blink>DataTransfer", "bounty_amount": 2000.0, "created_date": "2021-12-23T17:14:14+00:00", "year": 2021, "attachment_count": 11, "local_path": "issues/40058333", "has_markdown": true }, { "id": "40058330", "title": "Security: UAF in FocusController::SetFocusedWindow", "url": "https://issues.chromium.org/issues/40058330", "status": "Assigned", "severity": "S4-Minimal", "component": "UI>Accessibility", "bounty_amount": 20000.0, "created_date": "2021-12-23T08:31:35+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40058330", "has_markdown": true }, { "id": "40058319", "title": "Security: UAF in BookmarkDragHelper::OnBookmarkIconLoaded", "url": "https://issues.chromium.org/issues/40058319", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Views, UI>Browser>Bookmarks", "bounty_amount": 10000.0, "created_date": "2021-12-22T09:21:08+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40058319", "has_markdown": true }, { "id": "40058315", "title": "File Download Origin Spoof Using Long Subdomain", "url": "https://issues.chromium.org/issues/40058315", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Downloads", "bounty_amount": 3000.0, "created_date": "2021-12-21T19:48:28+00:00", "year": 2021, "attachment_count": 5, "local_path": "issues/40058315", "has_markdown": true }, { "id": "40058314", "title": "Heap-use-after-free in extensions::ChromeExtensionsBrowserClient::GetOriginalContext", "url": "https://issues.chromium.org/issues/40058314", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions, UI>Browser>Profiles", "bounty_amount": 1000.0, "created_date": "2021-12-21T17:43:10+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40058314", "has_markdown": true }, { "id": "40058312", "title": "Heap-use-after-free in optimization_guide::OptimizationGuideStore::ClearFetchedHintsFromDatabase", "url": "https://issues.chromium.org/issues/40058312", "status": "Assigned", "severity": "S3-Low", "component": "Internals>OptimizationGuide", "bounty_amount": 2000.0, "created_date": "2021-12-21T13:48:28+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40058312", "has_markdown": true }, { "id": "40058306", "title": "Security: UAF in AXVirtualViewWrapper", "url": "https://issues.chromium.org/issues/40058306", "status": "Fixed", "severity": "S3-Low", "component": "UI>Accessibility", "bounty_amount": 15000.0, "created_date": "2021-12-21T08:55:33+00:00", "year": 2021, "attachment_count": 4, "local_path": "issues/40058306", "has_markdown": true }, { "id": "40058303", "title": "Security: UAF in GoogleSearchDomainMixingMetricsEmitter", "url": "https://issues.chromium.org/issues/40058303", "status": "Fixed", "severity": "S3-Low", "component": "Internals", "bounty_amount": 10000.0, "created_date": "2021-12-21T03:42:46+00:00", "year": 2021, "attachment_count": 4, "local_path": "issues/40058303", "has_markdown": true }, { "id": "40058283", "title": "Security: heap-buffer-overflow in TabStripModel::MoveWebContentsAtImpl", "url": "https://issues.chromium.org/issues/40058283", "status": "Assigned", "severity": "S4-Minimal", "component": "UI>Browser>TopChrome>TabStrip>TabGroups", "bounty_amount": 7000.0, "created_date": "2021-12-18T14:28:26+00:00", "year": 2021, "attachment_count": 4, "local_path": "issues/40058283", "has_markdown": true }, { "id": "40058259", "title": "Security: Stack-Buffer-Overflow in WebRtcPcm16b_Decode", "url": "https://issues.chromium.org/issues/40058259", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebRTC, Blink>WebRTC>Audio", "bounty_amount": 5000.0, "created_date": "2021-12-17T06:05:59+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40058259", "has_markdown": true }, { "id": "40058243", "title": "Origin spoofing in WebUSB", "url": "https://issues.chromium.org/issues/40058243", "status": "Assigned", "severity": "S3-Low", "component": "Blink>HID, Blink>Serial, Blink>USB", "bounty_amount": 3000.0, "created_date": "2021-12-15T12:24:20+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40058243", "has_markdown": true }, { "id": "40058241", "title": "Security: Heap-use-after-free in TabStrip::OnGroupCreated", "url": "https://issues.chromium.org/issues/40058241", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>TopChrome>TabStrip>TabGroups", "bounty_amount": 7000.0, "created_date": "2021-12-15T10:53:55+00:00", "year": 2021, "attachment_count": 7, "local_path": "issues/40058241", "has_markdown": true }, { "id": "40058237", "title": "Security DCHECK failed: IsA(from) in ng_block_node.cc:1032 blink::NGBlockNode::FirstChild", "url": "https://issues.chromium.org/issues/40058237", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Layout", "bounty_amount": 5000.0, "created_date": "2021-12-15T05:08:56+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40058237", "has_markdown": true }, { "id": "40058225", "title": "Security DCHECK failed: IsA(from) in ng_layout_input_node.cc:96 blink::NGLayoutInputNode::TableCellColspan ", "url": "https://issues.chromium.org/issues/40058225", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Layout", "bounty_amount": 5000.0, "created_date": "2021-12-14T03:04:39+00:00", "year": 2021, "attachment_count": 7, "local_path": "issues/40058225", "has_markdown": true }, { "id": "40058217", "title": "Security: Page can cause autofill prompt to render near cursor in order to bypass intentional mouse movement input requirements for autofill (Bypass of issue 1240472 fix)", "url": "https://issues.chromium.org/issues/40058217", "status": "Assigned", "severity": "S3-Low", "component": "Privacy", "bounty_amount": 3000.0, "created_date": "2021-12-13T00:58:46+00:00", "year": 2021, "attachment_count": 4, "local_path": "issues/40058217", "has_markdown": true }, { "id": "40058213", "title": "Security: Elevation of Privileges in chrome installer when removing scoped directory during updates", "url": "https://issues.chromium.org/issues/40058213", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Installer", "bounty_amount": 10000.0, "created_date": "2021-12-12T12:48:25+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40058213", "has_markdown": true }, { "id": "40058210", "title": "crash in v8 heap(--js-flags=--experimental-wasm-gc)", "url": "https://issues.chromium.org/issues/40058210", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript, Blink>JavaScript>GarbageCollection", "bounty_amount": 5000.0, "created_date": "2021-12-12T04:53:51+00:00", "year": 2021, "attachment_count": 0, "local_path": "issues/40058210", "has_markdown": true }, { "id": "40058204", "title": "Security: Heap-use-after-free in autofill::EditAddressProfileView::WindowClosing", "url": "https://issues.chromium.org/issues/40058204", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Autofill", "bounty_amount": 7000.0, "created_date": "2021-12-10T23:41:14+00:00", "year": 2021, "attachment_count": 4, "local_path": "issues/40058204", "has_markdown": true }, { "id": "40058195", "title": "AddressSanitizer: heap-use-after-free in blink::NetworkStateNotifier::NotifyObserversOnTaskRunner", "url": "https://issues.chromium.org/issues/40058195", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Network", "bounty_amount": 2000.0, "created_date": "2021-12-10T11:08:34+00:00", "year": 2021, "attachment_count": 6, "local_path": "issues/40058195", "has_markdown": true }, { "id": "40058181", "title": "Security: stack-buffer-overflow in views::ScrollView::OnMouseWheel(ui::MouseWheelEvent const&) in the browser process", "url": "https://issues.chromium.org/issues/40058181", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Mobile>TabStrip", "bounty_amount": 3000.0, "created_date": "2021-12-09T16:23:11+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40058181", "has_markdown": true }, { "id": "40058177", "title": "Security: heap-use-after-free in TemplateURLRef::ParseHostAndSearchTermKey", "url": "https://issues.chromium.org/issues/40058177", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Omnibox", "bounty_amount": 7000.0, "created_date": "2021-12-09T14:04:19+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40058177", "has_markdown": true }, { "id": "40058171", "title": "Security: BackgroundFetch leaks URL of cross-origin redirects", "url": "https://issues.chromium.org/issues/40058171", "status": "Assigned", "severity": "S3-Low", "component": "Blink>BackgroundFetch", "bounty_amount": 5000.0, "created_date": "2021-12-09T09:13:02+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40058171", "has_markdown": true }, { "id": "40058166", "title": "Security: Heap-use-after-free in ui::MenuModel::GetModelAndIndexForCommandId", "url": "https://issues.chromium.org/issues/40058166", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Omnibox", "bounty_amount": 10000.0, "created_date": "2021-12-09T02:52:05+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40058166", "has_markdown": true }, { "id": "40058146", "title": "Security: heap-use-after-free ui::AXEventRecorder::OnEvent", "url": "https://issues.chromium.org/issues/40058146", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>Accessibility", "bounty_amount": 7000.0, "created_date": "2021-12-07T02:16:33+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40058146", "has_markdown": true }, { "id": "40058134", "title": "Security: Debug Check failed in HAS_WEAK_HEAP_OBJECT_TAG", "url": "https://issues.chromium.org/issues/40058134", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript>Compiler>Turbofan", "bounty_amount": 5000.0, "created_date": "2021-12-06T10:51:45+00:00", "year": 2021, "attachment_count": 0, "local_path": "issues/40058134", "has_markdown": true }, { "id": "40058133", "title": "AddressSanitizer: use-after-poison ng_physical_fragment.h:316 in blink::NGPhysicalFragment::HasSelfPaintingLayer", "url": "https://issues.chromium.org/issues/40058133", "status": "Assigned", "severity": "S3-Low", "component": "Blink>CSS", "bounty_amount": 5000.0, "created_date": "2021-12-06T08:29:42+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40058133", "has_markdown": true }, { "id": "40058131", "title": "UAF in AutofillPopupControllerImpl::HandleKeyPressEvent", "url": "https://issues.chromium.org/issues/40058131", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Autofill", "bounty_amount": 20000.0, "created_date": "2021-12-06T01:08:05+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40058131", "has_markdown": true }, { "id": "40058102", "title": "Security: fencedframe element bypass the security policy restrictions of the devtools preview limit", "url": "https://issues.chromium.org/issues/40058102", "status": "Assigned", "severity": "S3-Low", "component": "Blink>FencedFrames, UI>Browser>Navigation>MPArch", "bounty_amount": 3000.0, "created_date": "2021-12-02T16:11:27+00:00", "year": 2021, "attachment_count": 5, "local_path": "issues/40058102", "has_markdown": true }, { "id": "40058099", "title": "Security: UAF in ScreenCaptureMachineAndroid::OnActivityResult", "url": "https://issues.chromium.org/issues/40058099", "status": "Assigned", "severity": "S3-Low", "component": "Blink>GetUserMedia, Internals>Media>ScreenCapture", "bounty_amount": 15000.0, "created_date": "2021-12-02T08:33:05+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40058099", "has_markdown": true }, { "id": "40058092", "title": "Security: UAF in ViewsAXTreeManager", "url": "https://issues.chromium.org/issues/40058092", "status": "New", "severity": "S4-Minimal", "component": "UI>Accessibility", "bounty_amount": 20000.0, "created_date": "2021-12-01T15:58:29+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40058092", "has_markdown": true }, { "id": "40058085", "title": "Security: heap-use-after-free in network::server::HttpServer::FindConnection", "url": "https://issues.chromium.org/issues/40058085", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools", "bounty_amount": 1000.0, "created_date": "2021-12-01T05:22:41+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40058085", "has_markdown": true }, { "id": "40058074", "title": "SUMMARY: AddressSanitizer: heap-use-after-free base/bind_internal.h:535:12 in BindState", "url": "https://issues.chromium.org/issues/40058074", "status": "New", "severity": "S3-Low", "component": "Blink>Storage", "bounty_amount": 20000.0, "created_date": "2021-11-30T08:42:10+00:00", "year": 2021, "attachment_count": 5, "local_path": "issues/40058074", "has_markdown": true }, { "id": "40058068", "title": "Security: Bypass of Issue 1239709: Cross-Origin Response Leak If wildcard ACAO is sent", "url": "https://issues.chromium.org/issues/40058068", "status": "Assigned", "severity": "S3-Low", "component": "Blink>BackgroundFetch", "bounty_amount": 4000.0, "created_date": "2021-11-29T12:02:47+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40058068", "has_markdown": true }, { "id": "40058064", "title": "Security: [ANGLE] D3D11 : Integer Underflow in ElementsInBuffer results in wild copy", "url": "https://issues.chromium.org/issues/40058064", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE", "bounty_amount": 7500.0, "created_date": "2021-11-29T09:13:05+00:00", "year": 2021, "attachment_count": 4, "local_path": "issues/40058064", "has_markdown": true }, { "id": "40058061", "title": "Security: v8 Debug check failed: target_inobject < GetInObjectProperties().", "url": "https://issues.chromium.org/issues/40058061", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler>Turbofan", "bounty_amount": 5000.0, "created_date": "2021-11-29T02:18:35+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40058061", "has_markdown": true }, { "id": "40058058", "title": "uaf in chrome_pdf::PdfViewPluginBase::LoadAccessibility", "url": "https://issues.chromium.org/issues/40058058", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>Plugins>PDF>Accessibility", "bounty_amount": 5000.0, "created_date": "2021-11-28T17:32:41+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40058058", "has_markdown": true }, { "id": "40058054", "title": "Crash in SkArenaAllocWithReset::reset", "url": "https://issues.chromium.org/issues/40058054", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>Skia", "bounty_amount": 5000.0, "created_date": "2021-11-28T10:57:10+00:00", "year": 2021, "attachment_count": 0, "local_path": "issues/40058054", "has_markdown": true }, { "id": "40058051", "title": "uaf in rx::vk::CommandBufferHelper::bufferWrite", "url": "https://issues.chromium.org/issues/40058051", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>GPU>ANGLE, Internals>GPU>Vulkan", "bounty_amount": 5000.0, "created_date": "2021-11-28T08:45:31+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40058051", "has_markdown": true }, { "id": "40058015", "title": "Security: webgl global-buffer-overflow in getIncompleteTexture", "url": "https://issues.chromium.org/issues/40058015", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>GPU>ANGLE, Internals>GPU>Vulkan", "bounty_amount": 5000.0, "created_date": "2021-11-25T01:04:01+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40058015", "has_markdown": true }, { "id": "40058007", "title": "Security: Heap-buffer-overflow in tabgroup", "url": "https://issues.chromium.org/issues/40058007", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>TopChrome>TabStrip>TabGroups", "bounty_amount": 7000.0, "created_date": "2021-11-24T11:35:45+00:00", "year": 2021, "attachment_count": 5, "local_path": "issues/40058007", "has_markdown": true }, { "id": "40057994", "title": "Security: Inappropriate implementation in PushMessaging", "url": "https://issues.chromium.org/issues/40057994", "status": "Assigned", "severity": "S3-Low", "component": "Blink>PushAPI, Internals>Sandbox>SiteIsolation", "bounty_amount": 10000.0, "created_date": "2021-11-23T11:12:24+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057994", "has_markdown": true }, { "id": "40057990", "title": "Security: UAF in P2PSocketTcpServer::DoAccept", "url": "https://issues.chromium.org/issues/40057990", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebRTC>Network", "bounty_amount": 5000.0, "created_date": "2021-11-23T06:54:06+00:00", "year": 2021, "attachment_count": 4, "local_path": "issues/40057990", "has_markdown": true }, { "id": "40057988", "title": "Security: HeapOverflow in PageLoadMetrics", "url": "https://issues.chromium.org/issues/40057988", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Navigation>BFCache", "bounty_amount": 15000.0, "created_date": "2021-11-22T09:18:53+00:00", "year": 2021, "attachment_count": 6, "local_path": "issues/40057988", "has_markdown": true }, { "id": "40057980", "title": "Security: swiftshader heap-use-after-free in getOffsetPointer", "url": "https://issues.chromium.org/issues/40057980", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>GPU>SwiftShader", "bounty_amount": 5000.0, "created_date": "2021-11-21T02:29:06+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057980", "has_markdown": true }, { "id": "40057979", "title": "Security: CSS transform and backface-visibility: hidden allow to render over Chrome UI", "url": "https://issues.chromium.org/issues/40057979", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Compositing, Internals>Skia>Compositing", "bounty_amount": 1000.0, "created_date": "2021-11-20T22:36:42+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057979", "has_markdown": true }, { "id": "40057977", "title": "Security: heap-use-after-free in the media::AudioManagerBase in the browser process", "url": "https://issues.chromium.org/issues/40057977", "status": "Assigned", "severity": "S3-Low", "component": "Blink>GetUserMedia", "bounty_amount": 15000.0, "created_date": "2021-11-20T11:43:31+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057977", "has_markdown": true }, { "id": "40057972", "title": "Security: Wild read with renderbuffers", "url": "https://issues.chromium.org/issues/40057972", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE, Internals>GPU>Internals, Internals>GPU>SwiftShader", "bounty_amount": 5000.0, "created_date": "2021-11-19T21:04:56+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057972", "has_markdown": true }, { "id": "40057937", "title": "Performance API is not consistent for preloaded requests which can be used to leak the size of cross-origin resources", "url": "https://issues.chromium.org/issues/40057937", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Loader>Preload, Blink>PerformanceAPIs, Blink>ServiceWorker", "bounty_amount": 2000.0, "created_date": "2021-11-17T02:12:41+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057937", "has_markdown": true }, { "id": "40057932", "title": "Security: use after free in swiftshader", "url": "https://issues.chromium.org/issues/40057932", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>GPU>SwiftShader", "bounty_amount": 5000.0, "created_date": "2021-11-16T08:40:15+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057932", "has_markdown": true }, { "id": "40057930", "title": "Security: Chrome for Android Delay Navigate then requestFullScreen will Hide Omnibox ", "url": "https://issues.chromium.org/issues/40057930", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>FullScreen, UI>Browser>Omnibox", "bounty_amount": 7500.0, "created_date": "2021-11-16T03:02:57+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057930", "has_markdown": true }, { "id": "40057929", "title": "heap-use-after-free in TabGroupModel::GetTabGroup", "url": "https://issues.chromium.org/issues/40057929", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>TopChrome>TabStrip>TabGroups", "bounty_amount": 3000.0, "created_date": "2021-11-15T23:49:47+00:00", "year": 2021, "attachment_count": 4, "local_path": "issues/40057929", "has_markdown": true }, { "id": "40057926", "title": "Security: Scrolls are detectable cross-site upon using the Scroll to text fragment feature. ", "url": "https://issues.chromium.org/issues/40057926", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Scroll", "bounty_amount": 2000.0, "created_date": "2021-11-15T20:45:43+00:00", "year": 2021, "attachment_count": 0, "local_path": "issues/40057926", "has_markdown": true }, { "id": "40057925", "title": "Security: FencedFrames reachable from compromised renderer due to lacking features::isEnabled(kFencedFrames) checks in Browser Process and FencedFrame::Navigate can navigate to file:// and chrome:// origins", "url": "https://issues.chromium.org/issues/40057925", "status": "Assigned", "severity": "S3-Low", "component": "Blink>FencedFrames, Internals>Sandbox>SiteIsolation, UI>Browser>Navigation", "bounty_amount": 17000.0, "created_date": "2021-11-15T17:29:52+00:00", "year": 2021, "attachment_count": 7, "local_path": "issues/40057925", "has_markdown": true }, { "id": "40057906", "title": "Security: Chrome for Android Hide Entering Fullscreen Notification Toast with HTML Select Dropdown", "url": "https://issues.chromium.org/issues/40057906", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>FullScreen", "bounty_amount": 3000.0, "created_date": "2021-11-13T20:18:45+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057906", "has_markdown": true }, { "id": "40057890", "title": "uaf in content::BroadcastChannelService::ConnectToChannel", "url": "https://issues.chromium.org/issues/40057890", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Messaging", "bounty_amount": 20000.0, "created_date": "2021-11-11T17:07:46+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057890", "has_markdown": true }, { "id": "40057888", "title": "Security: Use after free in WebApkIconHasher", "url": "https://issues.chromium.org/issues/40057888", "status": "Assigned", "severity": "S3-Low", "component": "Mobile>WebAPKs", "bounty_amount": 20000.0, "created_date": "2021-11-11T15:35:22+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057888", "has_markdown": true }, { "id": "40057886", "title": "Security: Memory corruption in renderer process", "url": "https://issues.chromium.org/issues/40057886", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript, Blink>JavaScript>Runtime", "bounty_amount": 5000.0, "created_date": "2021-11-11T11:41:41+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057886", "has_markdown": true }, { "id": "40057869", "title": "Security: Continued cookie bypasses", "url": "https://issues.chromium.org/issues/40057869", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Network>Cookies", "bounty_amount": 4000.0, "created_date": "2021-11-09T22:09:32+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057869", "has_markdown": true }, { "id": "40057867", "title": "Security: Another Cross-Origin Response Size Leak Via BackgroundFetch", "url": "https://issues.chromium.org/issues/40057867", "status": "Assigned", "severity": "S3-Low", "component": "Blink>BackgroundFetch", "bounty_amount": 3000.0, "created_date": "2021-11-09T20:18:47+00:00", "year": 2021, "attachment_count": 0, "local_path": "issues/40057867", "has_markdown": true }, { "id": "40057865", "title": "Security: Bypassing of security interstitials using debugger API", "url": "https://issues.chromium.org/issues/40057865", "status": "Accepted", "severity": "S3-Low", "component": "Platform>Extensions>API", "bounty_amount": 1000.0, "created_date": "2021-11-09T16:20:08+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057865", "has_markdown": true }, { "id": "40057864", "title": "Security: Heap-use-after-free in ui::EventDispatcher::DispatchEventToEventHandlers()", "url": "https://issues.chromium.org/issues/40057864", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Sharing", "bounty_amount": 1000.0, "created_date": "2021-11-09T13:48:42+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40057864", "has_markdown": true }, { "id": "40057858", "title": "Security: It is possible to lock the pointer while window is not focused.", "url": "https://issues.chromium.org/issues/40057858", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Input>PointerLock", "bounty_amount": 1000.0, "created_date": "2021-11-08T12:19:46+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057858", "has_markdown": true }, { "id": "40057854", "title": "[ozone/wayland]use-after-free in WaylandWindow", "url": "https://issues.chromium.org/issues/40057854", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Ozone, UI>Browser>TopChrome>TabStrip", "bounty_amount": 10000.0, "created_date": "2021-11-08T06:52:56+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40057854", "has_markdown": true }, { "id": "40057845", "title": "Security: heap-use-after-free in content::WebContentsObserver::web_contents", "url": "https://issues.chromium.org/issues/40057845", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>WebAppInstalls", "bounty_amount": 15000.0, "created_date": "2021-11-07T06:55:33+00:00", "year": 2021, "attachment_count": 5, "local_path": "issues/40057845", "has_markdown": true }, { "id": "40057844", "title": "Security: Web Serial - Out of bound read in SerialPortUnderlyingSink::WriteData().", "url": "https://issues.chromium.org/issues/40057844", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Serial", "bounty_amount": 7500.0, "created_date": "2021-11-06T22:57:35+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40057844", "has_markdown": true }, { "id": "40057843", "title": "Security: Wild write in angle", "url": "https://issues.chromium.org/issues/40057843", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>GPU>ANGLE", "bounty_amount": 5000.0, "created_date": "2021-11-06T22:19:08+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057843", "has_markdown": true }, { "id": "40057837", "title": "Security: webgl heap-buffer-overflow LoadCompressedToNative", "url": "https://issues.chromium.org/issues/40057837", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE", "bounty_amount": 2000.0, "created_date": "2021-11-06T01:24:48+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057837", "has_markdown": true }, { "id": "40057835", "title": "Security: webgl heap-buffer-overflow getDrawSubresourceSerial", "url": "https://issues.chromium.org/issues/40057835", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE", "bounty_amount": 5000.0, "created_date": "2021-11-05T21:38:09+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057835", "has_markdown": true }, { "id": "40057825", "title": "Security: webgl heap-use-after-free in BitSetT", "url": "https://issues.chromium.org/issues/40057825", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE", "bounty_amount": 5000.0, "created_date": "2021-11-04T23:16:04+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057825", "has_markdown": true }, { "id": "40057810", "title": "Cross-site information leak - CSP Violation reports contain blockedURI's hostname", "url": "https://issues.chromium.org/issues/40057810", "status": "Assigned", "severity": "S3-Low", "component": "Mobile>iOSWeb>Security", "bounty_amount": 2000.0, "created_date": "2021-11-03T23:52:27+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057810", "has_markdown": true }, { "id": "40057806", "title": "Security: container-overflow in ExtensionsToolbarContainer::SetExtensionIconVisibility", "url": "https://issues.chromium.org/issues/40057806", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions", "bounty_amount": 1000.0, "created_date": "2021-11-03T17:58:16+00:00", "year": 2021, "attachment_count": 5, "local_path": "issues/40057806", "has_markdown": true }, { "id": "40057804", "title": "Use after free in getSamplerTexture", "url": "https://issues.chromium.org/issues/40057804", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>GPU>ANGLE", "bounty_amount": 5000.0, "created_date": "2021-11-03T15:20:22+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40057804", "has_markdown": true }, { "id": "40057791", "title": "Security: webrtc: out-of-bounds write in audio channel processing", "url": "https://issues.chromium.org/issues/40057791", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebRTC>Audio", "bounty_amount": 8500.0, "created_date": "2021-11-02T05:50:20+00:00", "year": 2021, "attachment_count": 5, "local_path": "issues/40057791", "has_markdown": true }, { "id": "40057776", "title": "Referrer leakage via object & embed tags despite setting referrer policy to no-referrer", "url": "https://issues.chromium.org/issues/40057776", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>SecurityFeature>Referrer", "bounty_amount": 2000.0, "created_date": "2021-10-31T02:27:51+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057776", "has_markdown": true }, { "id": "40057770", "title": "Security: ASan reports wild reads in swiftshader", "url": "https://issues.chromium.org/issues/40057770", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU, Internals>GPU>SwiftShader", "bounty_amount": 5000.0, "created_date": "2021-10-29T22:13:33+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057770", "has_markdown": true }, { "id": "40057760", "title": "Security: Heap-use-after-free in sharing_hub::SharingHubBubbleController::~SharingHubBubbleController", "url": "https://issues.chromium.org/issues/40057760", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Sharing", "bounty_amount": 5000.0, "created_date": "2021-10-29T05:27:27+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057760", "has_markdown": true }, { "id": "40057755", "title": "Security: Chrome for Android Hide Entering Fullscreen Notification Toast using Multiple Toast from Failed to Copy", "url": "https://issues.chromium.org/issues/40057755", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>FullScreen", "bounty_amount": 2500.0, "created_date": "2021-10-28T20:32:13+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40057755", "has_markdown": true }, { "id": "40057716", "title": "Google Chrome MediaStreamTrackGenerator use after free vulnerability (TALOS-2021-1398)", "url": "https://issues.chromium.org/issues/40057716", "status": "Assigned", "severity": "S3-Low", "component": "Blink>MediaStream", "bounty_amount": 7500.0, "created_date": "2021-10-26T19:21:11+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057716", "has_markdown": true }, { "id": "40057696", "title": "Improper restriction in password saving form, while navigation from one site to another site", "url": "https://issues.chromium.org/issues/40057696", "status": "Accepted", "severity": "S3-Low", "component": "Privacy, UI>Browser>Passwords", "bounty_amount": 500.0, "created_date": "2021-10-25T10:37:43+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057696", "has_markdown": true }, { "id": "40057694", "title": "Security: Heap-use-after-free in AccessibilityUIMessageHandler::RequestWebContentsTree", "url": "https://issues.chromium.org/issues/40057694", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Accessibility", "bounty_amount": 7000.0, "created_date": "2021-10-25T06:29:22+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057694", "has_markdown": true }, { "id": "40057691", "title": "Security: Chrome for Android Prevent Back Button to Exit Fullscreen Mode using Text Selection", "url": "https://issues.chromium.org/issues/40057691", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>FullScreen, UI>Browser>Selection", "bounty_amount": 3000.0, "created_date": "2021-10-24T20:13:11+00:00", "year": 2021, "attachment_count": 4, "local_path": "issues/40057691", "has_markdown": true }, { "id": "40057686", "title": "Security: Type confusion in UnderlyingSinkBase::start", "url": "https://issues.chromium.org/issues/40057686", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript", "bounty_amount": 15000.0, "created_date": "2021-10-24T05:06:50+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057686", "has_markdown": true }, { "id": "40057683", "title": "SUMMARY: AddressSanitizer: access-violation regexp-interpreter.cc:461 in v8::internal::`anonymous namespace'::RawMatch", "url": "https://issues.chromium.org/issues/40057683", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript, Blink>JavaScript>Regexp", "bounty_amount": 5000.0, "created_date": "2021-10-23T05:19:18+00:00", "year": 2021, "attachment_count": 5, "local_path": "issues/40057683", "has_markdown": true }, { "id": "40057672", "title": "Security: heap-use-after-free swiftshader getCurrentViewCount", "url": "https://issues.chromium.org/issues/40057672", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>Internals, Internals>GPU>SwiftShader", "bounty_amount": 5000.0, "created_date": "2021-10-21T11:03:04+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057672", "has_markdown": true }, { "id": "40057671", "title": "Security: heap-buffer-overflow swiftshader Image::copy", "url": "https://issues.chromium.org/issues/40057671", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>SwiftShader", "bounty_amount": 5000.0, "created_date": "2021-10-21T09:59:02+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40057671", "has_markdown": true }, { "id": "40057665", "title": "Security: Heap-use-after-free in feedback::FeedbackData::SendReport", "url": "https://issues.chromium.org/issues/40057665", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Profiles, UI>Browser>ReportAnIssue", "bounty_amount": 1000.0, "created_date": "2021-10-20T04:22:57+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057665", "has_markdown": true }, { "id": "40057661", "title": "Security: scrollTop of ListBox autofill preview discloses sensitive information", "url": "https://issues.chromium.org/issues/40057661", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Autofill", "bounty_amount": 4000.0, "created_date": "2021-10-20T02:20:46+00:00", "year": 2021, "attachment_count": 5, "local_path": "issues/40057661", "has_markdown": true }, { "id": "40057645", "title": "Security: Form validation UI dialog can cover whole page", "url": "https://issues.chromium.org/issues/40057645", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Forms>Validation", "bounty_amount": 1000.0, "created_date": "2021-10-18T20:32:14+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40057645", "has_markdown": true }, { "id": "40057640", "title": "Security: TFC 2021 loader bug", "url": "https://issues.chromium.org/issues/40057640", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Loader", "bounty_amount": 10000.0, "created_date": "2021-10-18T16:14:41+00:00", "year": 2021, "attachment_count": 4, "local_path": "issues/40057640", "has_markdown": true }, { "id": "40057634", "title": "Heap-use-after-free in color input on switching screens (MacOS)", "url": "https://issues.chromium.org/issues/40057634", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Forms>Color", "bounty_amount": 10000.0, "created_date": "2021-10-18T12:20:07+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40057634", "has_markdown": true }, { "id": "40057631", "title": "Use after free in gl::VertexArray::setDependentDirtyBit", "url": "https://issues.chromium.org/issues/40057631", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE", "bounty_amount": 5000.0, "created_date": "2021-10-18T05:41:44+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057631", "has_markdown": true }, { "id": "40057626", "title": "Leaking size of cross-origin resources by using Range Requests, Service Workers, Fetch API, and the Cache API", "url": "https://issues.chromium.org/issues/40057626", "status": "Assigned", "severity": "S3-Low", "component": "Blink>PerformanceAPIs>ResourceTiming, Blink>ServiceWorker, Internals>Media>Network", "bounty_amount": 2000.0, "created_date": "2021-10-16T19:59:49+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057626", "has_markdown": true }, { "id": "40057625", "title": "Security: PDFium Use-After-Free in v8::internal::ArrayBufferExtension::Mark", "url": "https://issues.chromium.org/issues/40057625", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler, Blink>JavaScript>GarbageCollection, Internals>Plugins>PDF", "bounty_amount": 1000.0, "created_date": "2021-10-16T14:10:17+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057625", "has_markdown": true }, { "id": "40057616", "title": "Security: the contents of iframe is placed outside of iframe when CSS \"column-width\" is defined in main frame.", "url": "https://issues.chromium.org/issues/40057616", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Paint", "bounty_amount": 3000.0, "created_date": "2021-10-15T04:34:54+00:00", "year": 2021, "attachment_count": 6, "local_path": "issues/40057616", "has_markdown": true }, { "id": "40057610", "title": "Security: RenderFrameHostImpl logic error leading browser UAF", "url": "https://issues.chromium.org/issues/40057610", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Portals, Internals>Sandbox>SiteIsolation, Platform>Apps>BrowserTag", "bounty_amount": 20000.0, "created_date": "2021-10-14T21:46:18+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057610", "has_markdown": true }, { "id": "40057609", "title": "Security: V8 CreateLiteral type confusion when processing ..spread leads to RCE", "url": "https://issues.chromium.org/issues/40057609", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>API", "bounty_amount": 20000.0, "created_date": "2021-10-14T21:24:32+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057609", "has_markdown": true }, { "id": "40057601", "title": "Security: heap-use-after-free in ForceSigninVerifier::SendRequestIfNetworkAvailable", "url": "https://issues.chromium.org/issues/40057601", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 10000.0, "created_date": "2021-10-14T06:28:33+00:00", "year": 2021, "attachment_count": 0, "local_path": "issues/40057601", "has_markdown": true }, { "id": "40057597", "title": "Contact dialog can be shown over a cross-origin page which might confuse a user into leaking sensitive information to an attacker", "url": "https://issues.chromium.org/issues/40057597", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Contacts", "bounty_amount": 1000.0, "created_date": "2021-10-13T18:09:00+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057597", "has_markdown": true }, { "id": "40057594", "title": "Security: UAP on creating WebAssembly memories on document reload", "url": "https://issues.chromium.org/issues/40057594", "status": "Assigned", "severity": "S3-Low", "component": "Blink>GarbageCollection", "bounty_amount": 7500.0, "created_date": "2021-10-13T11:54:23+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057594", "has_markdown": true }, { "id": "40057591", "title": "Security UI Spoofing on Chrome for Android due to the Contact permission dialog hiding the fullscreen alert message", "url": "https://issues.chromium.org/issues/40057591", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Contacts, Blink>Fullscreen, Blink>PermissionsAPI, UI>Browser>FullScreen", "bounty_amount": 7500.0, "created_date": "2021-10-13T01:59:59+00:00", "year": 2021, "attachment_count": 4, "local_path": "issues/40057591", "has_markdown": true }, { "id": "40057561", "title": "URL Spoof after crash", "url": "https://issues.chromium.org/issues/40057561", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Loader, Internals>Sandbox>SiteIsolation, UI>Browser>Navigation", "bounty_amount": 1000.0, "created_date": "2021-10-10T02:06:57+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057561", "has_markdown": true }, { "id": "40057545", "title": "heap-buffer-overflow in WebMediaPlayerMSCompositor::ReplaceCurrentFrameWithACopyInternal()", "url": "https://issues.chromium.org/issues/40057545", "status": "Assigned", "severity": "S3-Low", "component": "Blink>GetUserMedia, Blink>WebRTC>Video", "bounty_amount": 7500.0, "created_date": "2021-10-08T03:53:50+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40057545", "has_markdown": true }, { "id": "40057525", "title": "Sandbox escape: bypass allow-popups-to-escape-sandbox", "url": "https://issues.chromium.org/issues/40057525", "status": "Assigned", "severity": "S3-Low", "component": "Blink>SecurityFeature>IFrameSandbox", "bounty_amount": 2500.0, "created_date": "2021-10-05T16:01:14+00:00", "year": 2021, "attachment_count": 0, "local_path": "issues/40057525", "has_markdown": true }, { "id": "40057508", "title": "Security: UI spoofing using a very long URL", "url": "https://issues.chromium.org/issues/40057508", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>MediaCapture, UI>Browser>Permissions>Prompts, UI>Security (Use Subcomponent)>UrlFormatting", "bounty_amount": 3000.0, "created_date": "2021-10-04T16:07:12+00:00", "year": 2021, "attachment_count": 9, "local_path": "issues/40057508", "has_markdown": true }, { "id": "40057482", "title": "UaF in PDF accessibility due to relayout", "url": "https://issues.chromium.org/issues/40057482", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>Plugins>PDF, UI>Accessibility", "bounty_amount": 5000.0, "created_date": "2021-10-02T04:46:39+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40057482", "has_markdown": true }, { "id": "40057460", "title": "SUMMARY: AddressSanitizer: stack-use-after-scope renderer11_utils.cpp:2299 in rx::d3d11::SetDebugName", "url": "https://issues.chromium.org/issues/40057460", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE", "bounty_amount": 5000.0, "created_date": "2021-09-30T14:44:52+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057460", "has_markdown": true }, { "id": "40057453", "title": "Security: Chrome 94 does not correctly set Integrity level of all processes to Untrusted", "url": "https://issues.chromium.org/issues/40057453", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Sandbox", "bounty_amount": 3000.0, "created_date": "2021-09-30T07:07:14+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40057453", "has_markdown": true }, { "id": "40057438", "title": "Primitive type confusion in ia32 AssembleCodePhase", "url": "https://issues.chromium.org/issues/40057438", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler", "bounty_amount": 7500.0, "created_date": "2021-09-29T03:23:44+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057438", "has_markdown": true }, { "id": "40057427", "title": "Security: WebAudio oob read in AudioDelayDSPKernel::ProcessKRate", "url": "https://issues.chromium.org/issues/40057427", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebAudio", "bounty_amount": 2000.0, "created_date": "2021-09-28T05:33:44+00:00", "year": 2021, "attachment_count": 4, "local_path": "issues/40057427", "has_markdown": true }, { "id": "40057422", "title": "Security: pdfium heap buffer overflow in cfx_dibbase.cpp", "url": "https://issues.chromium.org/issues/40057422", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Plugins>PDF", "bounty_amount": 7500.0, "created_date": "2021-09-27T16:45:08+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057422", "has_markdown": true }, { "id": "40057389", "title": "Security: negative-size-param in image_editor::ScreenshotFlow::RemoveUIOverlay", "url": "https://issues.chromium.org/issues/40057389", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Sharing", "bounty_amount": 5000.0, "created_date": "2021-09-25T04:12:11+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057389", "has_markdown": true }, { "id": "40057384", "title": "use after poison in blink::Element::DidMoveToNewDocument", "url": "https://issues.chromium.org/issues/40057384", "status": "Assigned", "severity": "S3-Low", "component": "Blink>GarbageCollection", "bounty_amount": 10000.0, "created_date": "2021-09-24T18:13:31+00:00", "year": 2021, "attachment_count": 8, "local_path": "issues/40057384", "has_markdown": true }, { "id": "40057377", "title": "Security: heap-use-after-free in PrefChangeRegistrar::~PrefChangeRegistrar", "url": "https://issues.chromium.org/issues/40057377", "status": "Accepted", "severity": "S3-Low", "component": "Blink>Payments, Internals", "bounty_amount": 10000.0, "created_date": "2021-09-24T10:06:21+00:00", "year": 2021, "attachment_count": 11, "local_path": "issues/40057377", "has_markdown": true }, { "id": "40057362", "title": "Security: UAF in IdentityDialogController::ShowIdProviderWindow", "url": "https://issues.chromium.org/issues/40057362", "status": "Fixed", "severity": "S3-Low", "component": "Blink>Identity>FedCM", "bounty_amount": 25000.0, "created_date": "2021-09-23T11:50:22+00:00", "year": 2021, "attachment_count": 5, "local_path": "issues/40057362", "has_markdown": true }, { "id": "40057349", "title": "Security: Top-level redirect from cross-origin iframe by setting `Content-Security-Policy: sandbox allow-top-navigation`", "url": "https://issues.chromium.org/issues/40057349", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>PopupBlocker", "bounty_amount": 5000.0, "created_date": "2021-09-21T21:57:19+00:00", "year": 2021, "attachment_count": 0, "local_path": "issues/40057349", "has_markdown": true }, { "id": "40057322", "title": "Security: Fetch leaks information about cross-origin redirects", "url": "https://issues.chromium.org/issues/40057322", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript, Blink>SecurityFeature>CORS, Privacy", "bounty_amount": 1000.0, "created_date": "2021-09-20T14:53:00+00:00", "year": 2021, "attachment_count": 0, "local_path": "issues/40057322", "has_markdown": true }, { "id": "40057320", "title": "Chrome downgrades long-running requests from HTTPS to HTTP after 3 s.", "url": "https://issues.chromium.org/issues/40057320", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Network, UI>Browser>Omnibox", "bounty_amount": 3000.0, "created_date": "2021-09-20T06:53:28+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057320", "has_markdown": true }, { "id": "40057314", "title": "Security: URL spoofing using LATIN SMALL LETTER L WITH STROKE", "url": "https://issues.chromium.org/issues/40057314", "status": "Accepted", "severity": "S3-Low", "component": "UI>Security (Use Subcomponent)>UrlFormatting", "bounty_amount": 500.0, "created_date": "2021-09-19T15:55:19+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057314", "has_markdown": true }, { "id": "40057297", "title": "#Summary SUMMARY: AddressSanitizer: heap-use-after-free in gpu::CommandBufferProxyImpl::OnDisconnect", "url": "https://issues.chromium.org/issues/40057297", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU", "bounty_amount": 7000.0, "created_date": "2021-09-17T09:26:40+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057297", "has_markdown": true }, { "id": "40057288", "title": "SUMMARY: AddressSanitizer: heap-use-after-free web_view_impl.cc:1020 in blink::WebViewImpl::ClosePagePopup", "url": "https://issues.chromium.org/issues/40057288", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WindowDialog", "bounty_amount": 7500.0, "created_date": "2021-09-16T08:29:05+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057288", "has_markdown": true }, { "id": "40057268", "title": "Security: Use After Free in DevToolsFileHelper::GetFileSystems", "url": "https://issues.chromium.org/issues/40057268", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools>Extensions", "bounty_amount": 10000.0, "created_date": "2021-09-15T11:43:36+00:00", "year": 2021, "attachment_count": 0, "local_path": "issues/40057268", "has_markdown": true }, { "id": "40057260", "title": "use after free in ash::sharesheet::SharesheetBubbleView::CloseBubble", "url": "https://issues.chromium.org/issues/40057260", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Sharing", "bounty_amount": 7500.0, "created_date": "2021-09-14T16:01:31+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40057260", "has_markdown": true }, { "id": "40057258", "title": "heap buffer overflow in BookmarkManagerPrivateDropFunction::RunOnReady", "url": "https://issues.chromium.org/issues/40057258", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Bookmarks", "bounty_amount": 1000.0, "created_date": "2021-09-14T11:55:54+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057258", "has_markdown": true }, { "id": "40057239", "title": "CSP Violation reports contain blockedURI's hostname", "url": "https://issues.chromium.org/issues/40057239", "status": "Assigned", "severity": "S3-Low", "component": "Mobile>iOSWeb>Security", "bounty_amount": 1000.0, "created_date": "2021-09-13T04:45:19+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057239", "has_markdown": true }, { "id": "40057229", "title": "Security: heap-use-after-free in app_controller_mac.mm", "url": "https://issues.chromium.org/issues/40057229", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Incognito", "bounty_amount": 10000.0, "created_date": "2021-09-11T02:14:16+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057229", "has_markdown": true }, { "id": "40057228", "title": "SEGV in vk::Image::clear()", "url": "https://issues.chromium.org/issues/40057228", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>GPU>SwiftShader", "bounty_amount": 5000.0, "created_date": "2021-09-10T21:03:36+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057228", "has_markdown": true }, { "id": "40057223", "title": "Guessing the URL a cross-origin iframe was redirected to by listening to the load event", "url": "https://issues.chromium.org/issues/40057223", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Sandbox>SiteIsolation, UI>Browser>Navigation", "bounty_amount": 5000.0, "created_date": "2021-09-10T16:06:34+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40057223", "has_markdown": true }, { "id": "40057221", "title": "SUMMARY: AddressSanitizer: use-after-poison event_listener_map.cc:144 in blink::EventListenerMap::Add", "url": "https://issues.chromium.org/issues/40057221", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>GarbageCollection", "bounty_amount": 7500.0, "created_date": "2021-09-10T15:23:23+00:00", "year": 2021, "attachment_count": 13, "local_path": "issues/40057221", "has_markdown": true }, { "id": "40057217", "title": "Security: heap-use-after-free in the views::Widget::GetNativeTheme in the browser process ", "url": "https://issues.chromium.org/issues/40057217", "status": "Fixed", "severity": "S3-Low", "component": "UI>Browser>Omnibox", "bounty_amount": 3000.0, "created_date": "2021-09-09T14:08:37+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057217", "has_markdown": true }, { "id": "40057215", "title": "Security: Use After Free in FileSystemAccessManagerImpl", "url": "https://issues.chromium.org/issues/40057215", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Storage>FileSystem", "bounty_amount": 15000.0, "created_date": "2021-09-09T12:21:28+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057215", "has_markdown": true }, { "id": "40057200", "title": "Security: Possible to see the user's system environment variables like secrets, tokens or keys", "url": "https://issues.chromium.org/issues/40057200", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Storage>FileSystem", "bounty_amount": 10000.0, "created_date": "2021-09-07T20:40:09+00:00", "year": 2021, "attachment_count": 4, "local_path": "issues/40057200", "has_markdown": true }, { "id": "40057198", "title": "Google Chrome WebRTC RTPSenderVideoFrameTransformerDelegate memory corruption vulnerability (TALOS-2021-1372)", "url": "https://issues.chromium.org/issues/40057198", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebRTC>Video", "bounty_amount": 7500.0, "created_date": "2021-09-07T13:54:56+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40057198", "has_markdown": true }, { "id": "40057185", "title": "SUMMARY: AddressSanitizer: use-after-poison timer.cc:217 in base::internal::TimerBase::OnScheduledTaskInvoked", "url": "https://issues.chromium.org/issues/40057185", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Media>Controls", "bounty_amount": 7500.0, "created_date": "2021-09-06T03:43:50+00:00", "year": 2021, "attachment_count": 7, "local_path": "issues/40057185", "has_markdown": true }, { "id": "40057168", "title": "SUMMARY: AddressSanitizer: heap-buffer-overflow SkPixmap.cpp:321 in SkPixmap::getColor", "url": "https://issues.chromium.org/issues/40057168", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Forms>Color", "bounty_amount": 20000.0, "created_date": "2021-09-04T15:25:35+00:00", "year": 2021, "attachment_count": 6, "local_path": "issues/40057168", "has_markdown": true }, { "id": "40057153", "title": "Security: heap-use-after-free C:\\b\\s\\w\\ir\\cache\\builder\\src\\chrome\\browser\\ui\\views\\media_router\\web_contents_display_observer_view.cc:56:22 in media_router::WebContentsDisplayObserverView::OnBrowserSetLastActive(class Browser *)", "url": "https://issues.chromium.org/issues/40057153", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Cast>UI", "bounty_amount": 15000.0, "created_date": "2021-09-03T14:51:13+00:00", "year": 2021, "attachment_count": 21, "local_path": "issues/40057153", "has_markdown": true }, { "id": "40057147", "title": "Security: Compromised renderer can set custom cursor up to 1024px over browser UI and other windows", "url": "https://issues.chromium.org/issues/40057147", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Input", "bounty_amount": 2000.0, "created_date": "2021-09-02T23:32:20+00:00", "year": 2021, "attachment_count": 4, "local_path": "issues/40057147", "has_markdown": true }, { "id": "40057133", "title": "AddressSanitizer: use-after-poison execution_context_lifecycle_observer.cc:40 in blink::ExecutionContextLifecycleObserver::GetExecutionContext", "url": "https://issues.chromium.org/issues/40057133", "status": "Assigned", "severity": "S3-Low", "component": "Blink>GetDisplayMedia", "bounty_amount": 5000.0, "created_date": "2021-09-02T03:40:38+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40057133", "has_markdown": true }, { "id": "40057132", "title": "Security: Incomplete fix for CVE-2021-30577", "url": "https://issues.chromium.org/issues/40057132", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Updater", "bounty_amount": 10000.0, "created_date": "2021-09-02T03:39:01+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057132", "has_markdown": true }, { "id": "40057126", "title": "Security: Security DCHECK failure at blink::LayoutInline", "url": "https://issues.chromium.org/issues/40057126", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>Internals>WTF, Blink>Layout", "bounty_amount": 5000.0, "created_date": "2021-09-01T21:24:51+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057126", "has_markdown": true }, { "id": "40057118", "title": "heap-use-after-free in OnBrowserSetLastActive", "url": "https://issues.chromium.org/issues/40057118", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 5000.0, "created_date": "2021-09-01T13:41:03+00:00", "year": 2021, "attachment_count": 0, "local_path": "issues/40057118", "has_markdown": true }, { "id": "40057113", "title": "Security: heap-use-after-free in PPAPIDownloadRequest::AllowlistCheckComplete", "url": "https://issues.chromium.org/issues/40057113", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 20000.0, "created_date": "2021-09-01T10:34:12+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057113", "has_markdown": true }, { "id": "40057097", "title": "Security: Cross-Origin Response Size Leak Via BackgroundFetch", "url": "https://issues.chromium.org/issues/40057097", "status": "Assigned", "severity": "S3-Low", "component": "Blink>BackgroundFetch", "bounty_amount": 3000.0, "created_date": "2021-08-30T20:48:11+00:00", "year": 2021, "attachment_count": 0, "local_path": "issues/40057097", "has_markdown": true }, { "id": "40057086", "title": "Security: Cross-Origin information leak or delete in ContentIndex", "url": "https://issues.chromium.org/issues/40057086", "status": "Assigned", "severity": "S3-Low", "component": "Blink>ContentIndexing", "bounty_amount": 5000.0, "created_date": "2021-08-30T12:54:47+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40057086", "has_markdown": true }, { "id": "40057069", "title": "Security: Heap-use-after-free in ui::EventDispatcher::DispatchEventToEventHandlers", "url": "https://issues.chromium.org/issues/40057069", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Mobile", "bounty_amount": 15000.0, "created_date": "2021-08-29T01:52:33+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40057069", "has_markdown": true }, { "id": "40057062", "title": "Security: SameSite Cookie Bypass via BackgroundFetch", "url": "https://issues.chromium.org/issues/40057062", "status": "Assigned", "severity": "S3-Low", "component": "Blink>BackgroundFetch, Internals>Network>Cookies", "bounty_amount": 3000.0, "created_date": "2021-08-28T11:14:13+00:00", "year": 2021, "attachment_count": 0, "local_path": "issues/40057062", "has_markdown": true }, { "id": "40057030", "title": "Security: RCE - Download Silently *.exe or *.dll to users Desktop or Downloads folder ", "url": "https://issues.chromium.org/issues/40057030", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Storage>FileSystem", "bounty_amount": 3000.0, "created_date": "2021-08-26T20:11:00+00:00", "year": 2021, "attachment_count": 4, "local_path": "issues/40057030", "has_markdown": true }, { "id": "40057026", "title": "Security: container-overflow in RecordEngagementMetric", "url": "https://issues.chromium.org/issues/40057026", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Permissions>Prompts", "bounty_amount": 20000.0, "created_date": "2021-08-26T11:24:43+00:00", "year": 2021, "attachment_count": 7, "local_path": "issues/40057026", "has_markdown": true }, { "id": "40057025", "title": "Security: Cross-Origin information leak in GetDeveloperIdsTask", "url": "https://issues.chromium.org/issues/40057025", "status": "Assigned", "severity": "S3-Low", "component": "Blink>BackgroundFetch", "bounty_amount": 2000.0, "created_date": "2021-08-26T09:31:48+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40057025", "has_markdown": true }, { "id": "40057001", "title": "Security: UAF in AvailableOfflineContentProvider", "url": "https://issues.chromium.org/issues/40057001", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Offline", "bounty_amount": 15000.0, "created_date": "2021-08-24T23:59:35+00:00", "year": 2021, "attachment_count": 0, "local_path": "issues/40057001", "has_markdown": true }, { "id": "40056997", "title": "Security: heap-buffer-overflow in SelectFileDialogImpl::OnSelectFileExecuted", "url": "https://issues.chromium.org/issues/40056997", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Cast>UI", "bounty_amount": 7000.0, "created_date": "2021-08-24T16:23:15+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40056997", "has_markdown": true }, { "id": "40056991", "title": "Security: UAF in WebAppIdentityUpdate", "url": "https://issues.chromium.org/issues/40056991", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>WebAppInstalls", "bounty_amount": 7000.0, "created_date": "2021-08-24T10:04:48+00:00", "year": 2021, "attachment_count": 5, "local_path": "issues/40056991", "has_markdown": true }, { "id": "40056988", "title": "Security: heap-buffer-overflow in TabStripModel::MoveWebContentsAtImpl", "url": "https://issues.chromium.org/issues/40056988", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>TopChrome>TabStrip>ThumbnailTabStrip", "bounty_amount": 10000.0, "created_date": "2021-08-23T23:40:01+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40056988", "has_markdown": true }, { "id": "40056980", "title": "Security: History Cached Page of the Lens region search cause url spoof", "url": "https://issues.chromium.org/issues/40056980", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Permissions>SearchEngineGeolocation, UI>Browser>Navigation, UI>Browser>Navigation>BFCache", "bounty_amount": 2000.0, "created_date": "2021-08-23T15:05:46+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40056980", "has_markdown": true }, { "id": "40056977", "title": "oob in function StartupPagesHandler::HandleEditStartupPage", "url": "https://issues.chromium.org/issues/40056977", "status": "Assigned", "severity": "S3-Low", "component": "UI>Settings", "bounty_amount": 6000.0, "created_date": "2021-08-23T14:32:05+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40056977", "has_markdown": true }, { "id": "40056972", "title": "Security: Manifest.json can display overlay on non-origin tabs", "url": "https://issues.chromium.org/issues/40056972", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>WebAppInstalls>Android", "bounty_amount": 1000.0, "created_date": "2021-08-23T09:03:02+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40056972", "has_markdown": true }, { "id": "40056969", "title": "Security: Blink - Use After Free of DawnCallback.", "url": "https://issues.chromium.org/issues/40056969", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGPU", "bounty_amount": 7500.0, "created_date": "2021-08-23T04:24:53+00:00", "year": 2021, "attachment_count": 4, "local_path": "issues/40056969", "has_markdown": true }, { "id": "40056968", "title": "Heap-use-after-free in ui::SendDamagedRectsRecursive", "url": "https://issues.chromium.org/issues/40056968", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Compositing", "bounty_amount": 15000.0, "created_date": "2021-08-23T03:52:30+00:00", "year": 2021, "attachment_count": 0, "local_path": "issues/40056968", "has_markdown": true }, { "id": "40056951", "title": "SUMMARY: AddressSanitizer: heap-use-after-free Runtime.cpp:439 in v8_inspector::protocol::Runtime::Frontend::exceptionThrown", "url": "https://issues.chromium.org/issues/40056951", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript", "bounty_amount": 5000.0, "created_date": "2021-08-20T15:32:10+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40056951", "has_markdown": true }, { "id": "40056924", "title": "Security: \"Origin\" header incorrectly set for cross-site request via service worker", "url": "https://issues.chromium.org/issues/40056924", "status": "Assigned", "severity": "S3-Low", "component": "Blink>ServiceWorker, UI>Browser>Navigation", "bounty_amount": 3000.0, "created_date": "2021-08-18T21:33:45+00:00", "year": 2021, "attachment_count": 8, "local_path": "issues/40056924", "has_markdown": true }, { "id": "40056923", "title": "Security: [ANGLE] Stack buffer overwrite in rx::StateManager11::syncVertexBuffersAndInputLayout", "url": "https://issues.chromium.org/issues/40056923", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE", "bounty_amount": 7500.0, "created_date": "2021-08-18T18:30:14+00:00", "year": 2021, "attachment_count": 5, "local_path": "issues/40056923", "has_markdown": true }, { "id": "40056920", "title": "Chrome ANGLE Out-of-Bound in texStorage3D", "url": "https://issues.chromium.org/issues/40056920", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGL, Internals>GPU>ANGLE", "bounty_amount": 7500.0, "created_date": "2021-08-18T14:40:08+00:00", "year": 2021, "attachment_count": 4, "local_path": "issues/40056920", "has_markdown": true }, { "id": "40056909", "title": "Security: UAF in EditAddressProfileView::WindowClosing", "url": "https://issues.chromium.org/issues/40056909", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Autofill", "bounty_amount": 17000.0, "created_date": "2021-08-18T04:35:10+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40056909", "has_markdown": true }, { "id": "40056900", "title": "Security: Page can cause autofill prompt to render under cursor in order to bypass mouse movement/keyboard input requirements for autofill", "url": "https://issues.chromium.org/issues/40056900", "status": "Assigned", "severity": "S3-Low", "component": "Privacy", "bounty_amount": 3000.0, "created_date": "2021-08-17T04:15:04+00:00", "year": 2021, "attachment_count": 9, "local_path": "issues/40056900", "has_markdown": true }, { "id": "40056885", "title": "Security: Web GPU - Out of bound object manupilation in WebGPUImplementation::OnGpuControlReturnData()", "url": "https://issues.chromium.org/issues/40056885", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebGPU", "bounty_amount": 7500.0, "created_date": "2021-08-15T00:29:12+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40056885", "has_markdown": true }, { "id": "40056879", "title": "Security: Insufficient CORS Check Leads to Cross-Origin Size Leak via BackgroundFetch API", "url": "https://issues.chromium.org/issues/40056879", "status": "Assigned", "severity": "S3-Low", "component": "Blink>BackgroundFetch", "bounty_amount": 3000.0, "created_date": "2021-08-13T19:58:45+00:00", "year": 2021, "attachment_count": 0, "local_path": "issues/40056879", "has_markdown": true }, { "id": "40056878", "title": "use after free in DiceTurnSyncOnHelperDelegateImpl::ShowEnterpriseAccountConfirmation(", "url": "https://issues.chromium.org/issues/40056878", "status": "Assigned", "severity": "S3-Low", "component": "Unknown", "bounty_amount": 5000.0, "created_date": "2021-08-13T12:00:57+00:00", "year": 2021, "attachment_count": 0, "local_path": "issues/40056878", "has_markdown": true }, { "id": "40056871", "title": "use after free in sharing_hub::ScreenshotCapturedBubbleController::Capture", "url": "https://issues.chromium.org/issues/40056871", "status": "Accepted", "severity": "S3-Low", "component": "UI>Browser>Sharing", "bounty_amount": 10000.0, "created_date": "2021-08-13T07:38:05+00:00", "year": 2021, "attachment_count": 4, "local_path": "issues/40056871", "has_markdown": true }, { "id": "40056870", "title": "Security: Pointer lock can be used to bypass mouse movement/keyboard input requirements for autofill", "url": "https://issues.chromium.org/issues/40056870", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Input>PointerLock, UI>Browser>Autofill", "bounty_amount": 3000.0, "created_date": "2021-08-13T06:09:28+00:00", "year": 2021, "attachment_count": 5, "local_path": "issues/40056870", "has_markdown": true }, { "id": "40056868", "title": "Security: UAF in dav1d_get_bits function", "url": "https://issues.chromium.org/issues/40056868", "status": "Assigned", "severity": "S4-Minimal", "component": "Internals>Media>Codecs", "bounty_amount": 5000.0, "created_date": "2021-08-13T03:06:33+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40056868", "has_markdown": true }, { "id": "40056857", "title": "Security: UaF in TabStripModel::MoveWebContentsAtImpl", "url": "https://issues.chromium.org/issues/40056857", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>TopChrome>TabStrip, UI>Browser>TopChrome>TabStrip>TabGroups", "bounty_amount": 10000.0, "created_date": "2021-08-12T01:16:26+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40056857", "has_markdown": true }, { "id": "40056854", "title": "Android Chrome & Chromium Browsers Address Bar Spoofing", "url": "https://issues.chromium.org/issues/40056854", "status": "Assigned", "severity": "S3-Low", "component": "Internals>Compositing, Internals>Sandbox>SiteIsolation, UI>Browser>Navigation", "bounty_amount": 3000.0, "created_date": "2021-08-11T19:41:31+00:00", "year": 2021, "attachment_count": 4, "local_path": "issues/40056854", "has_markdown": true }, { "id": "40056849", "title": "Security: Refcount overflow in RefCountedThreadSafeBase", "url": "https://issues.chromium.org/issues/40056849", "status": "Accepted", "severity": "S3-Low", "component": "Internals>Core", "bounty_amount": 1000.0, "created_date": "2021-08-11T05:06:00+00:00", "year": 2021, "attachment_count": 0, "local_path": "issues/40056849", "has_markdown": true }, { "id": "40056839", "title": "Security: heap-use-after-free in in download::NetworkStatusListenerImpl::OnNetworkStatusReady", "url": "https://issues.chromium.org/issues/40056839", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Downloads", "bounty_amount": 20000.0, "created_date": "2021-08-10T08:26:13+00:00", "year": 2021, "attachment_count": 4, "local_path": "issues/40056839", "has_markdown": true }, { "id": "40056837", "title": "container-overflow in blink::UserMediaProcessor::DetermineExistingAudioSessionId", "url": "https://issues.chromium.org/issues/40056837", "status": "Assigned", "severity": "S3-Low", "component": "Blink>GetUserMedia", "bounty_amount": 5000.0, "created_date": "2021-08-10T04:46:51+00:00", "year": 2021, "attachment_count": 10, "local_path": "issues/40056837", "has_markdown": true }, { "id": "40056819", "title": "Security: v8 CHECK Failed IsStruct_NonInline in Torgue Struct-Tq-Inl", "url": "https://issues.chromium.org/issues/40056819", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Runtime", "bounty_amount": 5000.0, "created_date": "2021-08-08T08:10:46+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40056819", "has_markdown": true }, { "id": "40056812", "title": " TALOS-2021-1352: Google Chrome Blink setBaseAndExtent use after free vulnerability", "url": "https://issues.chromium.org/issues/40056812", "status": "Assigned", "severity": "S3-Low", "component": "Blink>Editing>Selection", "bounty_amount": 7500.0, "created_date": "2021-08-06T19:04:12+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40056812", "has_markdown": true }, { "id": "40056781", "title": "Security: UAF in Screens::UpdateScreenInfos due to iterator invalidation", "url": "https://issues.chromium.org/issues/40056781", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>WebAppInstalls", "bounty_amount": 7500.0, "created_date": "2021-08-04T19:51:47+00:00", "year": 2021, "attachment_count": 0, "local_path": "issues/40056781", "has_markdown": true }, { "id": "40056780", "title": "Security: BigInt ToStringFormatter Crash ", "url": "https://issues.chromium.org/issues/40056780", "status": "Accepted", "severity": "S3-Low", "component": "Blink>JavaScript", "bounty_amount": 5000.0, "created_date": "2021-08-04T19:28:26+00:00", "year": 2021, "attachment_count": 0, "local_path": "issues/40056780", "has_markdown": true }, { "id": "40056776", "title": "Security: Extensions with debugger permission can list URLs and send commands to incognito tabs and other profile tabs", "url": "https://issues.chromium.org/issues/40056776", "status": "Assigned", "severity": "S3-Low", "component": "Platform>DevTools, Platform>Extensions", "bounty_amount": 5000.0, "created_date": "2021-08-04T03:47:35+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40056776", "has_markdown": true }, { "id": "40056774", "title": "AddressSanitizer: heap-buffer-overflow mojo::internal::Serializer::Serialize", "url": "https://issues.chromium.org/issues/40056774", "status": "Assigned", "severity": "S3-Low", "component": "Blink>ShapeDetection, Internals>Core, Internals>Mojo>Bindings", "bounty_amount": 7500.0, "created_date": "2021-08-04T02:51:42+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40056774", "has_markdown": true }, { "id": "40056766", "title": "Security: heap-use-after-free in ~PermissionRequestChip", "url": "https://issues.chromium.org/issues/40056766", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Permissions>Prompts", "bounty_amount": 10000.0, "created_date": "2021-08-03T05:38:51+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40056766", "has_markdown": true }, { "id": "40056756", "title": "use after free in blink::FrameLoader::DetachDocument", "url": "https://issues.chromium.org/issues/40056756", "status": "Assigned", "severity": "S3-Low", "component": "Blink>GarbageCollection, Blink>Internals>WTF, Blink>Loader, UI>Browser>Navigation", "bounty_amount": 7500.0, "created_date": "2021-08-02T13:53:09+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40056756", "has_markdown": true }, { "id": "40056733", "title": "Security: [ANGLE] Heap use-after-free in TextureD3D::releaseTexStorage", "url": "https://issues.chromium.org/issues/40056733", "status": "Assigned", "severity": "S3-Low", "component": "Internals>GPU>ANGLE", "bounty_amount": 9500.0, "created_date": "2021-07-30T17:30:29+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40056733", "has_markdown": true }, { "id": "40056730", "title": "v8/Turbofan: Wrong optimization of bitfield checks", "url": "https://issues.chromium.org/issues/40056730", "status": "Assigned", "severity": "S3-Low", "component": "Blink>JavaScript>Compiler", "bounty_amount": 21000.0, "created_date": "2021-07-30T13:49:10+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40056730", "has_markdown": true }, { "id": "40056720", "title": "Use-after-Free in AudioDebugRecordingsHandler::StartAudioDebugRecordings", "url": "https://issues.chromium.org/issues/40056720", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebRTC, Platform>Extensions>API", "bounty_amount": 20000.0, "created_date": "2021-07-29T07:18:44+00:00", "year": 2021, "attachment_count": 4, "local_path": "issues/40056720", "has_markdown": true }, { "id": "40056717", "title": "Security: a READ memory access in jsimd_huff_encode_one_block_sse2", "url": "https://issues.chromium.org/issues/40056717", "status": "Accepted", "severity": "S4-Minimal", "component": "Internals>Images>Codecs", "bounty_amount": 5000.0, "created_date": "2021-07-29T05:55:37+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40056717", "has_markdown": true }, { "id": "40056709", "title": "Nearby Share UI incorrectly appears in non-ChromeOS browsers: causes UAF", "url": "https://issues.chromium.org/issues/40056709", "status": "Assigned", "severity": "S3-Low", "component": "UI>Browser>Sharing", "bounty_amount": 15000.0, "created_date": "2021-07-28T17:17:35+00:00", "year": 2021, "attachment_count": 4, "local_path": "issues/40056709", "has_markdown": true }, { "id": "40056708", "title": "Use-after-Free in FileSystemChooseEntryFunction::FilesSelected", "url": "https://issues.chromium.org/issues/40056708", "status": "Assigned", "severity": "S3-Low", "component": "Platform>Extensions>API", "bounty_amount": 20000.0, "created_date": "2021-07-28T15:59:49+00:00", "year": 2021, "attachment_count": 8, "local_path": "issues/40056708", "has_markdown": true }, { "id": "40056706", "title": "Use-after-Free on HandleOnPerformDrop", "url": "https://issues.chromium.org/issues/40056706", "status": "Assigned", "severity": "S3-Low", "component": "Blink>DataTransfer", "bounty_amount": 20000.0, "created_date": "2021-07-28T14:03:48+00:00", "year": 2021, "attachment_count": 3, "local_path": "issues/40056706", "has_markdown": true }, { "id": "40056704", "title": "Use-after-Free on AudioDebugRecordingsHandler::StopAudioDebugRecordings", "url": "https://issues.chromium.org/issues/40056704", "status": "Assigned", "severity": "S3-Low", "component": "Blink>WebRTC, Platform>Extensions>API", "bounty_amount": 20000.0, "created_date": "2021-07-28T12:38:11+00:00", "year": 2021, "attachment_count": 5, "local_path": "issues/40056704", "has_markdown": true }, { "id": "40056683", "title": "Type confusion in blink::StyleBuilderConverterBase::ConvertFontSize Security DCHECK failed: IsA(from). ", "url": "https://issues.chromium.org/issues/40056683", "status": "Assigned", "severity": "S3-Low", "component": "Blink>CSS", "bounty_amount": 5000.0, "created_date": "2021-07-27T09:20:38+00:00", "year": 2021, "attachment_count": 2, "local_path": "issues/40056683", "has_markdown": true }, { "id": "40056682", "title": "Security: Out of bounds memory access in BigInt", "url": "https://issues.chromium.org/issues/40056682", "status": "Assigned", "severity": "S4-Minimal", "component": "Blink>JavaScript", "bounty_amount": 15000.0, "created_date": "2021-07-27T07:03:09+00:00", "year": 2021, "attachment_count": 1, "local_path": "issues/40056682", "has_markdown": true }, { "id": "40056681", "title": "Referrer Spoof using and