Issues - project-zero - Project Zero

ID ▼	Type ▼	Status ▼	Priority ▼	Milestone ▼	Owner ▼	Summary + Labels ▼
258	----	Fixed	----	----	mjurczyk@google.com	Adobe Reader CoolType unlimited out-of-bounds stack manipulation via BLEND operator CCProjectZeroMembers
285	----	Fixed	----	----	kost...@google.com	VMware Workstation: vprintproxy.exe multiple vulnerabilities when processing custom EMR 0x8002 CCProjectZeroMembers
286	----	Fixed	----	----	kost...@google.com	VMware Workstation: vprintproxy.exe multiple vulnerabilities when processing custom EMR 0x8000 CCProjectZeroMembers
287	----	Fixed	----	----	kost...@google.com	VMware Workstation: vprintproxy.exe stack overflow when processing a JPEG2000 CCProjectZeroMembers
288	----	Fixed	----	----	kost...@google.com	VMware Workstation: vprintproxy.exe multiple vulnerabilities in EMF record enumeration callback CCProjectZeroMembers
292	----	Fixed	----	----	kost...@google.com	VMware Workstation: vprintproxy.exe integer underflows when processing custom EMR CCProjectZeroMembers
364	----	Fixed	----	----	cevans@google.com	Chrome heap overflow in CertificateResourceHandler CCProjectZeroMembers
368	----	Fixed	----	----	mjurczyk@google.com	Windows Kernel win32k.sys TTF font processing: pool-based buffer overflow in the IUP[] program instruction CCProjectZeroMembers
369	----	Fixed	----	----	mjurczyk@google.com	Windows Kernel ATMFD.DLL OTF font processing: pool-based buffer overflow with malformed GPOS table CCProjectZeroMembers
370	----	Fixed	----	----	mjurczyk@google.com	Windows Kernel win32k.sys TTF font processing: pool-based buffer overflow in win32k!scl_ApplyTranslation CCProjectZeroMembers
383	----	Fixed	----	----	mjurczyk@google.com	Windows Kernel ATMFD.DLL invalid memory access due to malformed CFF table (ATMFD+0x34072 / ATMFD+0x3407b) CCProjectZeroMembers
384	----	Fixed	----	----	mjurczyk@google.com	Windows Kernel ATMFD.DLL invalid memory access due to malformed CFF table (ATMFD+0x3440b / ATMFD+0x3440e) CCProjectZeroMembers
385	----	Fixed	----	----	mjurczyk@google.com	Windows Kernel ATMFD.DLL write to uninitialized address due to malformed CFF table CCProjectZeroMembers
402	----	Fixed	----	----	mjurczyk@google.com	Windows Kernel win32k.sys TTF font processing: out-of-bounds pool write in win32k!fsc_BLTHoriz CCProjectZeroMembers
456	----	Fixed	----	----	taviso@google.com	ESET Emulation Vulnerability CCProjectZeroMembers
466	----	Fixed	----	----	hawkes@google.com	ESET NOD32 Heap overflow unpacking EPOC installation files. CCProjectZeroMembers
470	----	Fixed	----	----	cevans@google.com	ESET NOD32 emulator fails if you modify .idata after imports CCProjectZeroMembers
506	----	Fixed	----	----	mjurczyk@google.com	Windows Kernel win32k.sys TTF font processing: pool-based buffer overflow with malformed OS/2 table CCProjectZeroMembers
507	----	Fixed	----	----	mjurczyk@google.com	Windows Kernel win32k.sys TTF font processing: pool-based buffer overflow with malformed TrueType program CCProjectZeroMembers
518	----	Fixed	----	----	taviso@google.com	Kaspersky Antivirus ThinApp parser stack buffer overflow CCProjectZeroMembers
519	----	Fixed	----	----	taviso@google.com	Kaspersky Antivirus DEX file format parsing memory corruption CCProjectZeroMembers
520	----	Fixed	----	----	taviso@google.com	Kaspersky Antivirus RAR file format parsing memory corruption CCProjectZeroMembers
521	----	Fixed	----	----	taviso@google.com	Kaspersky Antivirus ZIP file format use after free vulnerability CCProjectZeroMembers
524	----	Fixed	----	----	taviso@google.com	Kaspersky Antivirus CHM parsing remote stack buffer overflow CCProjectZeroMembers
527	----	Fixed	----	----	taviso@google.com	Kaspersky Antivirus UPX parsing remote memory corruption CCProjectZeroMembers
528	----	Fixed	----	----	taviso@google.com	Kaspersky Antivirus "Yoda's Protector" unpacking remote memory corruption CCProjectZeroMembers
536	----	Fixed	----	----	taviso@google.com	Kaspersky Antivirus multiple memory corruption issues CCProjectZeroMembers
539	----	Fixed	----	----	taviso@google.com	Kaspersky Antivirus Certificate handling path traversal CCProjectZeroMembers
546	----	Fixed	----	----	taviso@google.com	Avast Antivirus: X.509 Error Rendering Command Execution CCProjectZeroMembers
552	----	Fixed	----	----	taviso@google.com	Avast: heap overflow unpacking MoleBox archives CCProjectZeroMembers
554	----	Fixed	----	----	taviso@google.com	Avast: OOB write decrypting PEncrypt packed executables CCProjectZeroMembers
575	----	Fixed	----	----	taviso@google.com	Avast: stack buffer overflow, strncpy length discarded CCProjectZeroMembers
666	----	Fixed	----	----	taviso@google.com	FireEye: Wormable Remote Code Execution in MIP JAR Analysis CCProjectZeroMembers
668	----	Fixed	----	----	taviso@google.com	Avast: authenticode parsing memory corruption CCProjectZeroMembers
675	----	Fixed	----	----	taviso@google.com	AVG: "Web TuneUP" extension multiple critical vulnerabilities CCProjectZeroMembers
679	----	Fixed	----	----	taviso@google.com	Avast: A web-accessible RPC endpoint can launch "SafeZone" (also called Avastium), a Chromium fork with critical security checks removed. CCProjectZeroMembers
682	----	Fixed	----	----	mjurczyk@google.com	Windows Kernel ATMFD.DLL OTF font processing: stack corruption due to malformed CFF table CCProjectZeroMembers
683	----	Fixed	----	----	mjurczyk@google.com	Windows Kernel ATMFD.DLL OTF font processing: pool-based buffer overflow with malformed CFF table CCProjectZeroMembers
684	----	Fixed	----	----	mjurczyk@google.com	Windows Kernel win32k.sys TTF font processing: pool corruption with malformed EBLC / EBSC tables CCProjectZeroMembers
693	----	Fixed	----	----	taviso@google.com	TrendMicro node.js HTTP server listening on localhost can execute commands CCProjectZeroMembers
704	----	Fixed	----	----	taviso@google.com	Comodo: Comodo "Chromodo" Browser disables same origin policy, Effectively turning off web security. CCProjectZeroMembers
713	----	Fixed	----	----	taviso@google.com	Comodo: Comodo "Chromodo" Browser disables same origin policy, Effectively turning off web security. CCProjectZeroMembers
737	----	Fixed	----	----	taviso@google.com	Comodo Antivirus Heap Overflow in LZX Decompression CCProjectZeroMembers
738	----	Fixed	----	----	taviso@google.com	Comodo: Integer Overflow leading to Heap Overflow in Win32 emulation CCProjectZeroMembers
753	----	Fixed	----	----	taviso@google.com	Comodo Antivirus: Emulator Stack Buffer Overflow handling PSUBUSB (Packed Subtract Unsigned with Saturation) CCProjectZeroMembers
762	----	Fixed	----	----	taviso@google.com	Comodo: Integer Overlow Leading to Heap Overflow Parsing Composite Documents CCProjectZeroMembers
763	----	Fixed	----	----	taviso@google.com	Comodo: LZMA Decoder Performs Insufficient Parameter Checks, Resulting in Heap Overflow CCProjectZeroMembers
764	----	Fixed	----	----	taviso@google.com	Comodo: PackMan unpacker insufficient parameter validation CCProjectZeroMembers
765	----	Fixed	----	----	taviso@google.com	Avira: Heap underflow parsing PE section headers CCProjectZeroMembers
769	----	Fixed	----	----	taviso@google.com	Comodo: Comodo Antivirus Forwards Emulated API calls to the Real API during scans CCProjectZeroMembers
773	----	Fixed	----	----	taviso@google.com	TrendMicro: A remote debugger stub is listening in default install
810	----	Fixed	----	----	taviso@google.com	Symantec Antivirus multiple remote memory corruption unpacking RAR CVE-2016-2207 CCProjectZeroMembers
814	----	Fixed	----	----	taviso@google.com	Symantec: Remote Stack Buffer Overflow in dec2lha library CVE-2016-2210 CCProjectZeroMembers
816	----	Fixed	----	----	taviso@google.com	Symantec: Symantec Antivirus multiple remote memory corruption unpacking MSPACK Archives CVE-2016-2211 CCProjectZeroMembers
817	----	Fixed	----	----	taviso@google.com	McAfee: memory corruption processing relocations CCProjectZeroMembers
818	----	Fixed	----	----	taviso@google.com	Symantec: Heap overflow modifying MIME messages CVE-2016-3644 CCProjectZeroMembers
819	----	Fixed	----	----	taviso@google.com	Symantec: Integer Overflow in TNEF decoder CVE-2016-3645 CCProjectZeroMembers
820	----	Fixed	----	----	taviso@google.com	Symantec/Norton Antivirus ASPack Remote Heap/Pool memory corruption Vulnerability CVE-2016-2208 CCProjectZeroMembers
821	----	Fixed	----	----	taviso@google.com	Symantec: missing bounds checks in dec2zip ALPkOldFormatDecompressor::UnShrink CVE-2016 -3646 CCProjectZeroMembers
823	----	Fixed	----	----	taviso@google.com	Symantec: PowerPoint misaligned stream-cache remote stack buffer overflow CVE-2016-2209 CCProjectZeroMembers
867	----	Fixed	----	----	taviso@google.com	Symantec: more issues with outdated rar decomposer CCProjectZeroMembers
868	----	Fixed	----	----	mjurczyk@google.com	Windows Kernel win32k.sys TTF font processing: use-after-free in win32k!sbit_Embolden / win32k!ttfdCloseFontContext CCProjectZeroMembers
884	----	Fixed	----	----	taviso@google.com	LastPass: design flaw in communication between privileged and unprivileged components
908	----	Fixed	----	----	taviso@google.com	Palo Alto Networks PanOS: appweb3 stack buffer overflow CCProjectZeroMembers
938	----	Fixed	----	----	laginimaineb@google.com	Samsung: Stack buffer overflow in OTP TrustZone trustlet CCProjectZeroMembers
939	----	Fixed	----	----	laginimaineb@google.com	Samsung: Stack buffer overflow and information disclosure in OTP TrustZone trustlet via OTP_GET_CRYPTO_DERIVED_KEY CCProjectZeroMembers
978	----	Fixed	----	----	taviso@google.com	Kaspersky: SSL interception differentiates certificates with a 32bit hash CCProjectZeroMembers
1088	----	Fixed	----	----	taviso@google.com	Adobe: Adobe Acrobat Force-Installed Vulnerable Chrome Extension CCProjectZeroMembers
1096	----	Fixed	----	----	taviso@google.com	Cisco: Magic WebEx URL Allows Arbitrary Remote Command Execution CCProjectZeroMembers
1100	----	Fixed	----	----	taviso@google.com	Cisco: WebEx: New Arbitrary Command Execution in 1.0.5 via Module Whitelist Bypass CCProjectZeroMembers
1139	----	Fixed	----	----	taviso@google.com	cloudflare: Cloudflare Reverse Proxies are Dumping Uninitialized Memory CCProjectZeroMembers
1167	----	WontFix	----	----	laginimaineb@google.com	Android: Multiple Android devices do not revoke QSEE trustlets CCProjectZeroMembers
1209	----	Fixed	----	----	taviso@google.com	LastPass: websiteConnector.js content script allows proxying internal RPC commands CCProjectZeroMembers
1225	----	Fixed	----	----	taviso@google.com	LastPass: global properties can be modified across isolated worlds, allowing remote code execution CCProjectZeroMembers
1239	----	WontFix	----	----	laginimaineb@google.com	Samsung: Trustonic <t-base TEE does not perform revocation of trustlets CCProjectZeroMembers
1252	----	Fixed	----	----	taviso@google.com	MsMpEng: Remotely Exploitable Type Confusion in Windows 8, 8.1, 10, Windows Server, SCEP, Microsoft Security Essentials, and more. CCProjectZeroMembers
1258	----	Fixed	----	----	ianbeer@google.com	Windows MsMpEng remotely exploitable UaF due to design issue in GC engine CCProjectZeroMembers
1259	----	Fixed	----	----	lokihardt@google.com	MsMpEng: UAF via saved callers CCProjectZeroMembers
1260	----	Fixed	----	----	taviso@google.com	MsMpEng: Multiple problems handling ntdll!NtControlChannel commands CCProjectZeroMembers
1261	----	Fixed	----	----	mjurczyk@google.com	MsMpEng: multiple crashes while scanning malformed files CCProjectZeroMembers
1282	----	Fixed	----	----	taviso@google.com	MsMpEng: mpengine x86 Emulator Heap Corruption in VFS API CCProjectZeroMembers
1286	----	Fixed	----	----	thomasdullien@google.com	VMSF_DELTA filter in unrar allows arbitrary memory write CCProjectZeroMembers
1288	----	Fixed	----	----	laginimaineb@google.com	Broadcom: Heap overflow when handling 802.11v WNM Sleep Mode Response CCProjectZeroMembers
1289	----	Fixed	----	----	laginimaineb@google.com	Broadcom: OOB write when handling 802.11k Neighbor Report Response CCProjectZeroMembers
1291	----	Fixed	----	----	laginimaineb@google.com	Broadcom: Multiple overflows when handling 802.11r (FT) Reassociation Response CCProjectZeroMembers
1324	----	Fixed	----	----	taviso@google.com	Cisco: WebEx Various GPC Sanitization bypasses permit Arbitrary Remote Command Execution CCProjectZeroMembers

258

----

Fixed

----

mjurczyk@google.com

Adobe Reader CoolType unlimited out-of-bounds stack manipulation via BLEND operator CCProjectZeroMembers

285

----

Fixed

----

kost...@google.com

VMware Workstation: vprintproxy.exe multiple vulnerabilities when processing custom EMR 0x8002 CCProjectZeroMembers

286

----

Fixed

----

kost...@google.com

VMware Workstation: vprintproxy.exe multiple vulnerabilities when processing custom EMR 0x8000 CCProjectZeroMembers

287

----

Fixed

----

kost...@google.com

VMware Workstation: vprintproxy.exe stack overflow when processing a JPEG2000 CCProjectZeroMembers

288

----

Fixed

----

kost...@google.com

VMware Workstation: vprintproxy.exe multiple vulnerabilities in EMF record enumeration callback CCProjectZeroMembers

292

----

Fixed

----

kost...@google.com

VMware Workstation: vprintproxy.exe integer underflows when processing custom EMR CCProjectZeroMembers

364

----

Fixed

----

cevans@google.com

Chrome heap overflow in CertificateResourceHandler CCProjectZeroMembers

368

----

Fixed

----

mjurczyk@google.com

Windows Kernel win32k.sys TTF font processing: pool-based buffer overflow in the IUP[] program instruction CCProjectZeroMembers

369

----

Fixed

----

mjurczyk@google.com

Windows Kernel ATMFD.DLL OTF font processing: pool-based buffer overflow with malformed GPOS table CCProjectZeroMembers

370

----

Fixed

----

mjurczyk@google.com

Windows Kernel win32k.sys TTF font processing: pool-based buffer overflow in win32k!scl_ApplyTranslation CCProjectZeroMembers

383

----

Fixed

----

mjurczyk@google.com

Windows Kernel ATMFD.DLL invalid memory access due to malformed CFF table (ATMFD+0x34072 / ATMFD+0x3407b) CCProjectZeroMembers

384

----

Fixed

----

mjurczyk@google.com

Windows Kernel ATMFD.DLL invalid memory access due to malformed CFF table (ATMFD+0x3440b / ATMFD+0x3440e) CCProjectZeroMembers

385

----

Fixed

----

mjurczyk@google.com

Windows Kernel ATMFD.DLL write to uninitialized address due to malformed CFF table CCProjectZeroMembers

402

----

Fixed

----

mjurczyk@google.com

Windows Kernel win32k.sys TTF font processing: out-of-bounds pool write in win32k!fsc_BLTHoriz CCProjectZeroMembers

456

----

Fixed

----

taviso@google.com

ESET Emulation Vulnerability CCProjectZeroMembers

466

----

Fixed

----

hawkes@google.com

ESET NOD32 Heap overflow unpacking EPOC installation files. CCProjectZeroMembers

470

----

Fixed

----

cevans@google.com

ESET NOD32 emulator fails if you modify .idata after imports CCProjectZeroMembers

506

----

Fixed

----

mjurczyk@google.com

Windows Kernel win32k.sys TTF font processing: pool-based buffer overflow with malformed OS/2 table CCProjectZeroMembers

507

----

Fixed

----

mjurczyk@google.com

Windows Kernel win32k.sys TTF font processing: pool-based buffer overflow with malformed TrueType program CCProjectZeroMembers

518

----

Fixed

----

taviso@google.com

Kaspersky Antivirus ThinApp parser stack buffer overflow CCProjectZeroMembers

519

----

Fixed

----

taviso@google.com

Kaspersky Antivirus DEX file format parsing memory corruption CCProjectZeroMembers

520

----

Fixed

----

taviso@google.com

Kaspersky Antivirus RAR file format parsing memory corruption CCProjectZeroMembers

521

----

Fixed

----

taviso@google.com

Kaspersky Antivirus ZIP file format use after free vulnerability CCProjectZeroMembers

524

----

Fixed

----

taviso@google.com

Kaspersky Antivirus CHM parsing remote stack buffer overflow CCProjectZeroMembers

527

----

Fixed

----

taviso@google.com

Kaspersky Antivirus UPX parsing remote memory corruption CCProjectZeroMembers

528

----

Fixed

----

taviso@google.com

Kaspersky Antivirus "Yoda's Protector" unpacking remote memory corruption CCProjectZeroMembers

536

----

Fixed

----

taviso@google.com

Kaspersky Antivirus multiple memory corruption issues CCProjectZeroMembers

539

----

Fixed

----

taviso@google.com

Kaspersky Antivirus Certificate handling path traversal CCProjectZeroMembers

546

----

Fixed

----

taviso@google.com

Avast Antivirus: X.509 Error Rendering Command Execution CCProjectZeroMembers

552

----

Fixed

----

taviso@google.com

Avast: heap overflow unpacking MoleBox archives CCProjectZeroMembers

554

----

Fixed

----

taviso@google.com

Avast: OOB write decrypting PEncrypt packed executables CCProjectZeroMembers

575

----

Fixed

----

taviso@google.com

Avast: stack buffer overflow, strncpy length discarded CCProjectZeroMembers

666

----

Fixed

----

taviso@google.com

FireEye: Wormable Remote Code Execution in MIP JAR Analysis CCProjectZeroMembers

668

----

Fixed

----

taviso@google.com

Avast: authenticode parsing memory corruption CCProjectZeroMembers

675

----

Fixed

----

taviso@google.com

AVG: "Web TuneUP" extension multiple critical vulnerabilities CCProjectZeroMembers

679

----

Fixed

----

taviso@google.com

Avast: A web-accessible RPC endpoint can launch "SafeZone" (also called Avastium), a Chromium fork with critical security checks removed. CCProjectZeroMembers

682

----

Fixed

----

mjurczyk@google.com

Windows Kernel ATMFD.DLL OTF font processing: stack corruption due to malformed CFF table CCProjectZeroMembers

683

----

Fixed

----

mjurczyk@google.com

Windows Kernel ATMFD.DLL OTF font processing: pool-based buffer overflow with malformed CFF table CCProjectZeroMembers

684

----

Fixed

----

mjurczyk@google.com

Windows Kernel win32k.sys TTF font processing: pool corruption with malformed EBLC / EBSC tables CCProjectZeroMembers

693

----

Fixed

----

taviso@google.com

TrendMicro node.js HTTP server listening on localhost can execute commands CCProjectZeroMembers

704

----

Fixed

----

taviso@google.com

Comodo: Comodo "Chromodo" Browser disables same origin policy, Effectively turning off web security. CCProjectZeroMembers

713

----

Fixed

----

taviso@google.com

Comodo: Comodo "Chromodo" Browser disables same origin policy, Effectively turning off web security. CCProjectZeroMembers

737

----

Fixed

----

taviso@google.com

Comodo Antivirus Heap Overflow in LZX Decompression CCProjectZeroMembers

738

----

Fixed

----

taviso@google.com

Comodo: Integer Overflow leading to Heap Overflow in Win32 emulation CCProjectZeroMembers

753

----

Fixed

----

taviso@google.com

Comodo Antivirus: Emulator Stack Buffer Overflow handling PSUBUSB (Packed Subtract Unsigned with Saturation) CCProjectZeroMembers

762

----

Fixed

----

taviso@google.com

Comodo: Integer Overlow Leading to Heap Overflow Parsing Composite Documents CCProjectZeroMembers

763

----

Fixed

----

taviso@google.com

Comodo: LZMA Decoder Performs Insufficient Parameter Checks, Resulting in Heap Overflow CCProjectZeroMembers

764

----

Fixed

----

taviso@google.com

Comodo: PackMan unpacker insufficient parameter validation CCProjectZeroMembers

765

----

Fixed

----

taviso@google.com

Avira: Heap underflow parsing PE section headers CCProjectZeroMembers

769

----

Fixed

----

taviso@google.com

Comodo: Comodo Antivirus Forwards Emulated API calls to the Real API during scans CCProjectZeroMembers

773

----

Fixed

----

taviso@google.com

TrendMicro: A remote debugger stub is listening in default install

810

----

Fixed

----

taviso@google.com

Symantec Antivirus multiple remote memory corruption unpacking RAR CVE-2016-2207 CCProjectZeroMembers

814

----

Fixed

----

taviso@google.com

Symantec: Remote Stack Buffer Overflow in dec2lha library CVE-2016-2210 CCProjectZeroMembers

816

----

Fixed

----

taviso@google.com

Symantec: Symantec Antivirus multiple remote memory corruption unpacking MSPACK Archives CVE-2016-2211 CCProjectZeroMembers

817

----

Fixed

----

taviso@google.com

McAfee: memory corruption processing relocations CCProjectZeroMembers

818

----

Fixed

----

taviso@google.com

Symantec: Heap overflow modifying MIME messages CVE-2016-3644 CCProjectZeroMembers

819

----

Fixed

----

taviso@google.com

Symantec: Integer Overflow in TNEF decoder CVE-2016-3645 CCProjectZeroMembers

820

----

Fixed

----

taviso@google.com

Symantec/Norton Antivirus ASPack Remote Heap/Pool memory corruption Vulnerability CVE-2016-2208 CCProjectZeroMembers

821

----

Fixed

----

taviso@google.com

Symantec: missing bounds checks in dec2zip ALPkOldFormatDecompressor::UnShrink CVE-2016 -3646 CCProjectZeroMembers

823

----

Fixed

----

taviso@google.com

Symantec: PowerPoint misaligned stream-cache remote stack buffer overflow CVE-2016-2209 CCProjectZeroMembers

867

----

Fixed

----

taviso@google.com

Symantec: more issues with outdated rar decomposer CCProjectZeroMembers

868

----

Fixed

----

mjurczyk@google.com

Windows Kernel win32k.sys TTF font processing: use-after-free in win32k!sbit_Embolden / win32k!ttfdCloseFontContext CCProjectZeroMembers

884

----

Fixed

----

taviso@google.com

LastPass: design flaw in communication between privileged and unprivileged components

908

----

Fixed

----

taviso@google.com

Palo Alto Networks PanOS: appweb3 stack buffer overflow CCProjectZeroMembers

938

----

Fixed

----

laginimaineb@google.com

Samsung: Stack buffer overflow in OTP TrustZone trustlet CCProjectZeroMembers

939

----

Fixed

----

laginimaineb@google.com

Samsung: Stack buffer overflow and information disclosure in OTP TrustZone trustlet via OTP_GET_CRYPTO_DERIVED_KEY CCProjectZeroMembers

978

----

Fixed

----

taviso@google.com

Kaspersky: SSL interception differentiates certificates with a 32bit hash CCProjectZeroMembers

1088

----

Fixed

----

taviso@google.com

Adobe: Adobe Acrobat Force-Installed Vulnerable Chrome Extension CCProjectZeroMembers

1096

----

Fixed

----

taviso@google.com

Cisco: Magic WebEx URL Allows Arbitrary Remote Command Execution CCProjectZeroMembers

1100

----

Fixed

----

taviso@google.com

Cisco: WebEx: New Arbitrary Command Execution in 1.0.5 via Module Whitelist Bypass CCProjectZeroMembers

1139

----

Fixed

----

taviso@google.com

cloudflare: Cloudflare Reverse Proxies are Dumping Uninitialized Memory CCProjectZeroMembers

1167

----

WontFix

----

laginimaineb@google.com

Android: Multiple Android devices do not revoke QSEE trustlets CCProjectZeroMembers

1209

----

Fixed

----

taviso@google.com

LastPass: websiteConnector.js content script allows proxying internal RPC commands CCProjectZeroMembers

1225

----

Fixed

----

taviso@google.com

LastPass: global properties can be modified across isolated worlds, allowing remote code execution CCProjectZeroMembers

1239

----

WontFix

----

laginimaineb@google.com

Samsung: Trustonic <t-base TEE does not perform revocation of trustlets CCProjectZeroMembers

1252

----

Fixed

----

taviso@google.com

MsMpEng: Remotely Exploitable Type Confusion in Windows 8, 8.1, 10, Windows Server, SCEP, Microsoft Security Essentials, and more. CCProjectZeroMembers

1258

----

Fixed

----

ianbeer@google.com

Windows MsMpEng remotely exploitable UaF due to design issue in GC engine CCProjectZeroMembers

1259

----

Fixed

----

lokihardt@google.com

MsMpEng: UAF via saved callers CCProjectZeroMembers

1260

----

Fixed

----

taviso@google.com

MsMpEng: Multiple problems handling ntdll!NtControlChannel commands CCProjectZeroMembers

1261

----

Fixed

----

mjurczyk@google.com

MsMpEng: multiple crashes while scanning malformed files CCProjectZeroMembers

1282

----

Fixed

----

taviso@google.com

MsMpEng: mpengine x86 Emulator Heap Corruption in VFS API CCProjectZeroMembers

1286

----

Fixed

----

thomasdullien@google.com

VMSF_DELTA filter in unrar allows arbitrary memory write CCProjectZeroMembers

1288

----

Fixed

----

laginimaineb@google.com

Broadcom: Heap overflow when handling 802.11v WNM Sleep Mode Response CCProjectZeroMembers

1289

----

Fixed

----

laginimaineb@google.com

Broadcom: OOB write when handling 802.11k Neighbor Report Response CCProjectZeroMembers

1291

----

Fixed

----

laginimaineb@google.com

Broadcom: Multiple overflows when handling 802.11r (FT) Reassociation Response CCProjectZeroMembers

1324

----

Fixed

----

taviso@google.com

Cisco: WebEx Various GPC Sanitization bypasses permit Arbitrary Remote Command Execution CCProjectZeroMembers

Show columns:
♦ ID
♦ Type
♦ Status
♦ Priority
♦ Milestone
♦ Owner
♦ Summary
AllLabels
Attachments
Blocked
BlockedOn
Blocking
CVE
Cc
Closed
Component
ComponentModified
Deadline
Finder
Fixed
MSRC
MergedInto
Methodology
Modified
OpSys
Opened
OwnerLastVisit
OwnerModified
Product
Project
Reported
Reporter
Restrict
SVE
Severity
Stars
StatusModified
Vendor
Edit column spec...