Monorail Project: project-zero Issues
Issue list for project-zero. The Type, Priority and Milestone fields are blank for every issue in this view, and every issue carries the single label CCProjectZeroMembers, so those columns are omitted below.

ID    Status   Owner                     Summary
1336  WontFix  forshaw@google.com        Windows: PPL Process Injection EoP
1327  Fixed    lokihardt@google.com      Microsoft Edge: Chakra: JavascriptFunction::ReparseAsmJsModule incorrectly re-parses
1326  Fixed    lokihardt@google.com      Microsoft Edge: Chakra: Parser::ParseCatch doesn't handle "eval"
1324  Fixed    taviso@google.com         Cisco: WebEx Various GPC Sanitization bypasses permit Arbitrary Remote Command Execution
1323  Fixed    natashenka@google.com     Adobe Flash: Out-of-bounds read in applyToRange
1322  Fixed    natashenka@google.com     Adobe Flash: Out-of-bounds write in MP4 Edge Processing
1321  Fixed    natashenka@google.com     Adobe Flash: Out-of-bounds memory read in MP4 parsing
1320  Fixed    natashenka@google.com     Adobe Flash: Invoke Accesses Trait Out-of-bounds
1319  Fixed    lokihardt@google.com      WebKit: JSC: Incorrect for-in optimization #2
1318  Fixed    laginimaineb@google.com   Apple: Information Leak when handling WLC_E_COUNTRY_CODE_CHANGED event packets
1317  Fixed    laginimaineb@google.com   Apple: Multiple Race Conditions in PCIe Message Ring protocol leading to OOB Write and OOB Read
1316  Fixed    lokihardt@google.com      Microsoft Edge: Chakra: incorrect jit optimization with TypedArray setter #3
1315  Fixed    lokihardt@google.com      Microsoft Edge: Chakra: Integer overflow in EmitNew
1314  Fixed    laginimaineb@google.com   Apple: OOB NUL byte write when handling WLC_E_TRACE event packets
1313  Fixed    laginimaineb@google.com   Apple: Heap overflow and information disclosure in "setVendorIE" when handling ioctl results
1312  Fixed    laginimaineb@google.com   Apple: Heap overflow in "updateRateSetAsyncCallback" when handling ioctl results
1310  Fixed    lokihardt@google.com      Microsoft Edge: Chakra: Deferred parsing makes wrong scopes
1309  Fixed    ifratric@google.com       Microsoft Edge: Memory corruption with partial page loading
1308  Fixed    lokihardt@google.com      Microsoft Edge: Chakra incorrectly parses object patterns
1307  Fixed    mjurczyk@google.com       Windows Kernel stack memory disclosure in win32k!NtQueryCompositionSurfaceBinding
1306  Fixed    mjurczyk@google.com       Windows Kernel stack memory disclosure in win32k!NtGdiHLSurfGetInformation (information class 3)
1305  Fixed    laginimaineb@google.com   Apple: Heap overflow in "assembleBGScanResults" when handling ioctl results
1304  Fixed    mjurczyk@google.com       Windows Kernel stack memory disclosure in win32k!NtGdiDoBanding
1302  Fixed    laginimaineb@google.com   Apple: Heap Overflow in AppleBCMWLANCore driver when handling Completed Firmware Timestamp messages (0x27)
1301  Fixed    ifratric@google.com       Microsoft Edge: out-of-bounds read in COptionsCollectionCacheItem::GetAt
1300  Fixed    laginimaineb@google.com   Broadcom: Information Leak in ICMPv6 Router Advertisement Offloading
1299  Fixed    ifratric@google.com       Microsoft Edge: ACG bypass using DuplicateHandle
1298  Fixed    lokihardt@google.com      Microsoft Edge: Chakra: Uninitialized arguments 2
1297  Fixed    lokihardt@google.com      Microsoft Edge: Chakra: Uninitialized arguments
1296  Fixed    forshaw@google.com        VirtualBox: Windows Process DLL UNC Path Signature Bypass EoP
1295  Fixed    lokihardt@google.com      Microsoft Edge: Chakra: JavascriptFunction::EntryCall doesn't handle CallInfo properly
1294  Fixed    laginimaineb@google.com   Broadcom: Denial of service and OOB read in TCP KeepAlive Offloading
1293  Fixed    jannh@google.com          Tor: Linux sandbox breakout via X11
1292  Fixed    lokihardt@google.com      Microsoft Edge: Chakra: Type confusion in JavascriptArray::ConcatArgs
1291  Fixed    laginimaineb@google.com   Broadcom: Multiple overflows when handling 802.11r (FT) Reassociation Response
1290  Fixed    lokihardt@google.com      Microsoft Edge: Chakra: incorrect jit optimization with TypedArray setter #2
1289  Fixed    laginimaineb@google.com   Broadcom: OOB write when handling 802.11k Neighbor Report Response
1288  Fixed    laginimaineb@google.com   Broadcom: Heap overflow when handling 802.11v WNM Sleep Mode Response
1287  Fixed    ifratric@google.com       Microsoft Chakra JIT server out-of-bounds write when processing Js::OpCode::ProfiledLoopStart opcode
1286  Fixed    thomasdullien@google.com  VMSF_DELTA filter in unrar allows arbitrary memory write
1284  Fixed    ifratric@google.com       Microsoft Chakra JIT server integer overflow in IRBuilder::Build
1283  Fixed    lokihardt@google.com      Microsoft Edge: Chakra: EmitAssignment uses the "this" register without initializing
1282  Fixed    taviso@google.com         MsMpEng: mpengine x86 Emulator Heap Corruption in VFS API
1281  Fixed    lokihardt@google.com      Microsoft Edge: Chakra: Incorrect usage of TryUndeleteProperty
1280  Invalid  thomasdullien@google.com  QuickHeal AV crashes on malicious RAR files from 2013
1279  Invalid  thomasdullien@google.com  Invalid: GDATA AV crashes on malicious RAR files from 2013
1278  Fixed    thomasdullien@google.com  Bitdefender AV crashes on malicious RAR files from 2013
1277  Fixed    lokihardt@google.com      Microsoft Edge: Chakra: Incorrect usage of PushPopFrameHelper in InterpreterStackFrame::ProcessLinkFailedAsmJsModule
1276  Fixed    mjurczyk@google.com       Windows Kernel stack memory disclosure in win32k!NtGdiEngCreatePalette
1275  Fixed    mjurczyk@google.com       Windows Kernel stack memory disclosure in win32k!NtGdiGetFontResourceInfoInternalW
1274  Fixed    mjurczyk@google.com       Windows Kernel win32k.sys TTF font processing: out-of-bounds read with malformed "glyf" table (win32k!fsc_CalcGrayRow)
1273  Fixed    mjurczyk@google.com       Windows Kernel win32k.sys TTF font processing: out-of-bounds reads/writes with malformed "fpgm" table (win32k!bGeneratePath)
1271  Fixed    lokihardt@google.com      Microsoft Edge: Chakra: InterpreterStackFrame::ProcessLinkFailedAsmJsModule incorrectly re-parses
1270  Fixed    natashenka@google.com     Microsoft Edge: Out-of-bounds access when fetching source
1269  Fixed    mjurczyk@google.com       Windows Kernel pool memory disclosure in nt!NtSetIoCompletion / nt!NtRemoveIoCompletion
1268  Fixed    mjurczyk@google.com       Windows Kernel stack memory disclosure in win32k!NtGdiGetPhysicalMonitorDescription
1267  Fixed    mjurczyk@google.com       Windows Kernel pool memory disclosure in win32k!NtGdiGetGlyphOutline
1266  Fixed    lokihardt@google.com      Microsoft Edge: Chakra: PreVisitCatch doesn't call SetIsCatch for all cases
1264  Fixed    ifratric@google.com       Microsoft Edge: Out-of-bounds read in CInputDateTimeScrollerElement::_SelectValueInternal
1263  Fixed    lokihardt@google.com      WebKit: JSC: Incorrect optimization in BytecodeGenerator::emitGetByVal
1262  Fixed    lokihardt@google.com      WebKit: JSC: Incorrect LoadVarargs handling in ArgumentsEliminationPhase::transform
1261  Fixed    mjurczyk@google.com       MsMpEng: multiple crashes while scanning malformed files
1260  Fixed    taviso@google.com         MsMpEng: Multiple problems handling ntdll!NtControlChannel commands
1259  Fixed    lokihardt@google.com      MsMpEng: UAF via saved callers
1258  Fixed    ianbeer@google.com        Windows MsMpEng remotely exploitable UaF due to design issue in GC engine
1257  Fixed    forshaw@google.com        VirtualBox: Windows Process DLL Signature Bypass EoP
1256  Fixed    lokihardt@google.com      WebKit: JSC: Stack-Use-After-Free in ObjectPatternNode::appendEntry
1255  Fixed    ifratric@google.com       Microsoft Edge: textarea.defaultValue memory disclosure
1254  Fixed    ifratric@google.com       Microsoft Edge: Type confusion in CssParser::RecordProperty
1252  Fixed    taviso@google.com         MsMpEng: Remotely Exploitable Type Confusion in Windows 8, 8.1, 10, Windows Server, SCEP, Microsoft Security Essentials, and more.
1251  Fixed    jannh@google.com          Linux: eBPF verifier log leaks lower half of map pointer
1250  Fixed    ifratric@google.com       WebKit: heap-buffer-overflow in WebCore::RenderSearchField::addSearchResult
1249  Fixed    ifratric@google.com       WebKit: use-after-free in WebCore::AccessibilityNodeObject::textUnderElement
1248  Fixed    taviso@google.com         MsMpEng: UIF decoder will spin forever processing sparse blocks
1247  Fixed    ianbeer@google.com        Many iOS/MacOS sandbox escapes/privescs due to unexpected shared memory-backed xpc_data objects
1246  Fixed    ifratric@google.com       WebKit: use-after-free in WebCore::RenderObject with accessibility enabled
1245  Fixed    ifratric@google.com       WebKit: use-after-free in WebCore::AccessibilityRenderObject::handleAriaExpandedChanged
1244  Fixed    ifratric@google.com       WebKit: use-after-free in WebCore::InputType::element
1243  Fixed    ifratric@google.com       WebKit: use-after-free in WebCore::Node::getFlag
1242  Fixed    ifratric@google.com       WebKit: use-after-free in WebCore::getCachedWrapper
1241  Fixed    ifratric@google.com       WebKit: use-after-free in WebCore::Node::nextSibling
1240  Fixed    lokihardt@google.com      WebKit: JSC: UXSS via JSObject::putInlineSlow and JSValue::putToPrimitive
1239  WontFix  laginimaineb@google.com   Samsung: Trustonic <t-base TEE does not perform revocation of trustlets
1238  Fixed    mjurczyk@google.com       Windows Kernel nsiproxy/netio pool memory disclosure in the handling of IOCTL 0x120007 (NsiGetParameter)
1237  Fixed    ifratric@google.com       Microsoft IE: Type confusion in VBScript arithmetic functions
1236  Fixed    lokihardt@google.com      WebKit: JSC: JSArray::appendMemcpy uninitialized memory copy
1234  Fixed    lokihardt@google.com      WebKit: JSC: Incorrect scope register handling in DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry)
1233  Fixed    ifratric@google.com       Microsoft IE: Memory corruption in CMarkup::DestroySplayTree
1232  Fixed    natashenka@google.com     Google Chrome: OOB access in RegExp Stubs
1231  Fixed    jannh@google.com          Xen: 64bit PV guest breakout via pagetable use-after-type-change
1230  Fixed    lokihardt@google.com      WebKit: JSC: uninitialized memory reference in arrayProtoFuncSplice
1229  Fixed    lokihardt@google.com      WebKit: JSC: heap buffer overflow in Intl.getCanonicalLocales
1227  Fixed    mjurczyk@google.com       Oracle VirtualBox Guest Additions (Shared Folders) double-free from unprivileged Windows user-mode guest code
1226  Fixed    markbrand@google.com      LG: Stack overflows in ASFParser::SetMetaData
1225  Fixed    taviso@google.com         LastPass: global properties can be modified across isolated worlds, allowing remote code execution
1224  Fixed    forshaw@google.com        Windows: Bad Fix for COM Session Moniker EoP
1223  Fixed    ianbeer@google.com        MacOS/iOS userspace entitlement checking is racy
1222  Fixed    markbrand@google.com      LG: Missing bounds checking in ASFParser::ParseHeaderExtensionObjects
1221  Fixed    markbrand@google.com      LG: Out-of-bounds heap read in CAVIFileParser::Destroy resulting in invalid free
1220  Fixed    lokihardt@google.com      WebKit: JSC: JIT optimization check failed in IntegerCheckCombiningPhase::handleBlock