| | Target | Type | Title | Bugid/CVE | Collided | Links/Notes | Public Exploit? |
|---|---|---|---|---|---|---|---|
| 1 | Python | 1st | Integer overflow in json.dumps | issue2015-24522 | ? | | |
| FCA1 | Chrome | RCE | Type confusion in Array.prototype.concat | CVE-2017-5030 | ? | | Yes |
| FCA1 | Chrome | SBX | RenderFrameHost use-after-free | CVE-2017-5055 | Yes | | |
| 4 | Chrome | RCE | OOB write in Array.prototype.map | ? | Yes | | |
| 5 | Chrome | RCE | Type confusion in CollectValuesOrEntriesImpl | CVE-2018-6064 | Yes | | |
| 6 | Chrome | RCE | TypedArray use-after-free | ? | Yes | | |
| 7 | Chrome | RCE | TypedArray use-after-free | CVE-2018-16065 | ? | | |
| 8 | Chrome | RCE | OOB write in Array.prototype.map | CVE-2019-5825 | Yes | | |
| 9 | Facebook App | RCE | out-of-bounds write in AR (jsc) | ? | ? | Facebook AR used jsc before I worked there, jsc n-day to rce | |
| 10 | | ITW | global buffer overflow in RTCP processing | CVE-2019-3568 | ITW | Note: didn't find the bug, investigation | |
| 11 | | RCE | stack-buffer-overflow in RTCP processing | ? | ? | (note: worked there so no rev) | |
| 12 | | RCE | oob write in MP4 parsing | CVE-2019-11931 | ? | (note: worked there so no rev) | |
| 13 | Facebook App | RCE | out-of-bounds write in AR (hermes) | ? | ? | (note: worked there so no rev) | |
| 14 | Facebook App | RCE | out-of-bounds write in AR (hermes) | ? | ? | (note: worked there so no rev) | |
| 15 | Facebook App | RCE | out-of-bounds write in AR (hermes) | ? | ? | (note: worked there so no rev) | |
| 16 | Facebook App | RCE | out-of-bounds write in AR (hermes) | ? | ? | (note: worked there so no rev) | |
| 17 | Facebook App | RCE | out-of-bounds write in AR (hermes) | ? | ? | (note: worked there so no rev) | |
| 18 | Chrome | SBX | RFH UAF in OfflinePages | CVE-2019-5850 | ? | | |
| 19 | Chrome | SBX | RFH UAF in OfflinePages | CVE-2019-13686 | ? | | |
| 20 | Chrome | SBX | RFH UAF in DistillerJavaScriptService | CVE-2020-6465 | Yes | | |
| 21 | Chrome | RCE | Type confusion in map deprecation | CVE-2020-16009 | Yes | | |
| 22 | Chrome | Infoleak | UAF in WebCodecs | CVE-2020-16023 | ? | | n/a |
| 23 | Chrome | SBX | UAF in RFH | CVE-2020-16017 | Yes | 32 bit | |
| 24 | Chrome | 🌚 | Type confusion in IterateElements | CVE-2021-21225 | ? | | Yes |
| 25 | Chrome | 🌚 | UAF in NavigationPredictor | CVE-2021-21226 | ? | | |
| FC2 | Chrome | SBX | Arb read/write in GPU process | ? | ? | fixed by partitionalloc-everywhere | |
| FC2 | Chrome | RCE | WriteBarrier elision in EO | CVE-2021-4102 | Yes | RCA | |
| 28 | WebRTC | RCE | WebRTC data munging leads to OOB read/write | CVE-2021-4079 | ? | Chrome + WebKit + Firefox (munging, so no messaging apps) | |
| 29 | Chrome | SBX | UAF in RFH | CVE-2021-37973 | Yes | | |
| FC3 | Chrome | SBX | UAF in RFH | CVE-2022-0290 | ? | | |
| FC3 | Chrome | RCE | Type confusion in Object.assign | CVE-2022-0102 | ? | also uninitialized oddball leak | Yes |
| 32 | Chrome | Logic | FencedFrame navigation to chrome:// and file:// | CVE-2022-0292 | ? | | n/a |
| 33 | Chrome | RCE | UninitializedOddball leak in Blink, leads to type confusion | CVE-2022-1096 | Yes | Exploit technique in 40060575 | see 40060575 |
| 34 | Chrome | RCE | UAF in RegExp[@@replace] | CVE-2022-1310 | ? | | Yes |
| 35 | Chrome | RCE | UninitializedOddball leak in InstallConditionFeatures | CVE-2022-1486 | ? | Exploit technique in 40060575 | see 40060575 |
| 36 | Chrome | RCE | GetExecutionContext Type Confusion in OffscreenCanvas | 40059901 | ? | Note: started working at goog, so no more cves | |
| 37 | Chrome | RCE | UAF in WebGPU TypedArray | 40059951 | ? | | |
| 38 | Chrome | SBX | OOB write in WebGPU | 40060113 | ? | | |
| 39 | Chrome | Infoleak | OOB read in WebGPU renderer | 40060339 | ? | | |
| 40 | Chrome | SBX | UAF in WebGPU | 40060448 | ? | | |
| 41 | Chrome | RCE | UninitializedOddball leak in Blink | 40060575 | ? | | Yes |
| 42 | Chrome | SBX | OOB write in WebGPU | 40061304 | ? | | |
| 43 | Chrome | SBX | UAF in WebGPU | 40061890 | ? | | |
| 44 | Chrome | SBX | OOB write in libMali reachable through WebGL | 40063287 | ? | | |
| 45 | Chrome | SBX | UAF in WebGPU | 40063356 | ? | | |
| 46 | Chrome | SBX | UAF in WebGPU | 40063883 | ? | | |
| 47 | Chrome | SBX | OOB write in SwiftShader | 40063963 | ? | desktop only | |
| 48 | Chrome | RCE | UAF in Promise.reject | 40071390 | ? | | |
| 49 | Chrome | Infoleak | PaintImage arb read | 327183408 | ? | | |
| 50 | Chrome | RCE | Buffer overflows in GLES commands | 340822365 | ? | | |
| 51 | Chrome | ITW | V8 Incorrect parsing leads to type confusions | 341663589 | ITW | Note: didn't find the bug, investigation | |
| 52 | WebKit | RCE | UAF in webkit | CVE-2024-54502 | ? | | |