Issue list (the Type, Priority and Milestone columns are empty for every row and are omitted below):

ID | Status | Owner | Summary | Labels
21 | Fixed | cevans@google.com | OS X IOKit kernel memory disclosure due to lack of bounds checking in IOUSBControllerUserClient::ReadRegister |
84 | Fixed | groebert@google.com | Out-of-bounds read in php_parserr with user-supplied dlen | CCProjectZeroMembers
91 | Fixed | hawkes@google.com | Linux kernel HID report fixup multiple off-by-one issues | CCProjectZeroMembers
127 | WontFix | forshaw@google.com | Windows 7: Admin Check Bypass in NtPowerInformation | CCProjectZeroMembers
151 | Fixed | mjurczyk@google.com | FreeType 2.5.3 BDF parsing potential heap pointer disclosure | CCProjectZeroMembers
155 | Fixed | mjurczyk@google.com | FreeType 2.5.3 Mac FOND resource parsing out-of-bounds read from stack | CCProjectZeroMembers
157 | Fixed | mjurczyk@google.com | FreeType 2.5.3 PCF parsing NULL pointer dereference due to 32-bit integer overflow | CCProjectZeroMembers
158 | Fixed | mjurczyk@google.com | FreeType 2.5.3 PCF parsing NULL pointer dereference due to 32-bit integer overflow | CCProjectZeroMembers
160 | WontFix | forshaw@google.com | Windows: Profile API CreateEnvBlock Local Information Disclosure | CCProjectZeroMembers
166 | Fixed | mjurczyk@google.com | FreeType 2.5.3 SFNT parsing integer overflows | CCProjectZeroMembers
167 | Fixed | mjurczyk@google.com | FreeType 2.5.3 sbits parsing potential out-of-bounds read due to integer overflow | CCProjectZeroMembers
169 | Fixed | mjurczyk@google.com | Windows Kernel ATMFD.DLL DoS via unlimited CharString program execution | CCProjectZeroMembers
174 | Fixed | mjurczyk@google.com | Windows Kernel ATMFD.DLL out-of-bounds reads from the input CharString stream | CCProjectZeroMembers
183 | Fixed | mjurczyk@google.com | FreeType 2.5.3 Type42 parsing out-of-bounds read in "ps_table_add" | CCProjectZeroMembers
184 | Fixed | mjurczyk@google.com | FreeType 2.5.3 SFNT cmap parsing out-of-bounds read in "tt_cmap4_validate" | CCProjectZeroMembers
188 | Fixed | mjurczyk@google.com | FreeType 2.5.3 BDF parsing NULL pointer dereference in "_bdf_parse_glyphs" | CCProjectZeroMembers
189 | Fixed | forshaw@google.com | IE11: CShdocvwBroker::MOTWCreateFileW EPM Local File Information Disclosure | CCProjectZeroMembers
194 | Fixed | mjurczyk@google.com | FreeType 2.5.3 SFNT kern parsing out-of-bounds read in "tt_face_load_kern" | CCProjectZeroMembers
195 | Fixed | mjurczyk@google.com | FreeType 2.5.3 TrueType parsing heap-based out-of-bounds read in "tt_face_load_hdmx" | CCProjectZeroMembers
196 | Fixed | mjurczyk@google.com | FreeType 2.5.3 OpenType parsing heap-based out-of-bounds read in "tt_sbit_decoder_load_image" | CCProjectZeroMembers
200 | Fixed | groebert@google.com | LibreSSL vulnerable to Denial-of-Service (null pointer dereference) | CCProjectZeroMembers
206 | Fixed | forshaw@google.com | Windows: Limited Bypass of Traverse Permissions in Kernel Object Manager | CCProjectZeroMembers
213 | WontFix | forshaw@google.com | Windows: Console Driver Job Object Process Limit Bypass | CCProjectZeroMembers
215 | Fixed | forshaw@google.com | Windows: Registry Virtualization TOCTOU User Check | CCProjectZeroMembers
247 | Fixed | mjurczyk@google.com | Adobe Reader CoolType out-of-bounds reads from the input CharString stream | CCProjectZeroMembers
248 | Fixed | mjurczyk@google.com | Adobe Reader CoolType use of uninitialized memory in transient array | CCProjectZeroMembers
255 | Fixed | hawkes@google.com | SKIA ICO decoding information leak | CCProjectZeroMembers
273 | Fixed | forshaw@google.com | iPrint Client: nipplpt.sys GetRegistryInfo Race Condition in Initialization | CCProjectZeroMembers
276 | Fixed | cevans@google.com | Flash: not great ASLR for the Flash heap on Win7 64-bit | CCProjectZeroMembers
277 | Fixed | mjurczyk@google.com | Microsoft Windows Presentation Foundation memory disclosure via uninitialized transient array | CCProjectZeroMembers
282 | Fixed | mjurczyk@google.com | Oracle Java Runtime Environment memory disclosure via uninitialized operand stack | CCProjectZeroMembers
306 | Fixed | mjurczyk@google.com | Oracle Java Runtime Environment multiple NULL pointer dereferences during TTF/Type1 font rendering | CCProjectZeroMembers
310 | Fixed | mjurczyk@google.com | pdfium static out-of-bounds read in CXFA_ItemLayoutProcessor::CalculatePositionedContainerPos | CCProjectZeroMembers
351 | WontFix | forshaw@google.com | Windows: DosDevices Impersonation Process Creation Elevation of Privilege | CCProjectZeroMembers
361 | Fixed | mjurczyk@google.com | Adobe Flash out-of-bounds memory read while parsing a mutated SWF file | CCProjectZeroMembers
362 | Fixed | mjurczyk@google.com | Adobe Flash out-of-bounds memory read while parsing a mutated SWF file | CCProjectZeroMembers
363 | Fixed | mjurczyk@google.com | Adobe Flash out-of-bounds memory read while parsing a mutated TTF file embedded in SWF | CCProjectZeroMembers
378 | Fixed | cevans@google.com | Flash: out-of-bounds read in UTF conversion | CCProjectZeroMembers
382 | Fixed | mjurczyk@google.com | Windows Kernel ATMFD.DLL out-of-bounds reads from the input CharString stream | CCProjectZeroMembers
409 | Fixed | cevans@google.com | Adobe Flash: Type Confusion in TextRenderer.setAdvancedAntialiasingTable | CCProjectZeroMembers
435 | Fixed | matttait@google.com | Kernel-mode ASLR leak via win32k!xxxDeferredDesktopRotation | CCProjectZeroMembers
436 | WontFix | matttait@google.com | Kernel-mode type-confusion vulnerability via NtUserSetInformationThread/UserThreadCsrApiPort | CCProjectZeroMembers
441 | WontFix | matttait@google.com | Two kernel-mode type-confusion / memory-corruption vulnerabilities in win32k!xxxRemoteReconnect | CCProjectZeroMembers
445 | WontFix | cevans@google.com | Placeholder: PoC for high-entropy ASLR bypass via MemoryProtector | CCProjectZeroMembers
454 | Invalid | forshaw@google.com | Windows: wdmaud.drv/Microsoft GS Wavetable Synth Memory Corruption/OOB Read | CCProjectZeroMembers
482 | Fixed | cevans@google.com | Flash: bypass of Vector.<uint> length vs. cookie validation | CCProjectZeroMembers
486 | Fixed | forshaw@google.com | Windows: Sandboxed Mount Reparse Point Creation Mitigation Bypass | CCProjectZeroMembers
488 | WontFix | scvitti@google.com | Microsoft Office 2007 and 2010 RTF frmtxtbrl EIP corruption | CCProjectZeroMembers
496 | Fixed | ianbeer@google.com | OS X kernel panic due to bad patch for CVE-2015-3712 in GeForce.kext | CCProjectZeroMembers
504 | Fixed | forshaw@google.com | Flash: No Checks on Vector.<uint> Capacity Field | CCProjectZeroMembers
525 | Fixed | taviso@google.com | Kaspersky Antivirus ExeCryptor parsing memory corruption | CCProjectZeroMembers
531 | Fixed | forshaw@google.com | Windows: Creating Hardlinks Doesn't Require Write Permissions to the Target | CCProjectZeroMembers
537 | Fixed | forshaw@google.com | Truecrypt 7 Derived Code/Windows: Incorrect Impersonation Token Handling EoP | CCProjectZeroMembers
573 | Fixed | forshaw@google.com | Windows: Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux | CCProjectZeroMembers
589 | Fixed | forshaw@google.com | Windows: Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux 2 | CCProjectZeroMembers
711 | Fixed | forshaw@google.com | Android: Information Disclosure in IOMX getConfig/getParameter | CCProjectZeroMembers
725 | Invalid | forshaw@google.com | Android: Potential Stack Memory Corruption in System Services | CCProjectZeroMembers
726 | Fixed | forshaw@google.com | Android: Service Manager Crashes on One Way Binder Transaction | CCProjectZeroMembers
779 | Fixed | forshaw@google.com | Windows: Custom Font Disable Policy Bypass | CCProjectZeroMembers
781 | WontFix | mjurczyk@google.com | Windows Kernel ATMFD.DLL NamedEscape 0x2511 out-of-bounds read | CCProjectZeroMembers
852 | WontFix | forshaw@google.com | Windows: NtCreateProcessEx NULL Pointer Dereference | CCProjectZeroMembers
854 | Fixed | jannh@google.com | Linux: SELinux W+X protection bypass via AIO | CCProjectZeroMembers
855 | WontFix | mjurczyk@google.com | Windows Kernel win32k.sys FON font processing: divide-by-zero exception in win32k!MAPPER::bFoundExactMatch | CCProjectZeroMembers
870 | Fixed | forshaw@google.com | Windows: RegLoadAppKey Hive Enumeration EoP | CCProjectZeroMembers
891 | Fixed | forshaw@google.com | Windows: Linux Subsystem Arbitrary File/Directory Creation EoP | CCProjectZeroMembers
892 | Fixed | ochang@google.com | NVIDIA: Escape code leaks uninitialised ExAllocatePoolWithTag memory to userspace. | CCProjectZeroMembers
915 | Fixed | forshaw@google.com | Windows: VHDMP ZwDeleteFile Arbitrary File Deletion EoP | CCProjectZeroMembers
924 | WontFix | forshaw@google.com | Windows: Object Manager Pathological Lookup EoP | CCProjectZeroMembers
929 | Fixed | laginimaineb@google.com | Android: mitigation bypass - the guard page creation in IOMX can fail | CCProjectZeroMembers
937 | Fixed | ochang@google.com | NVIDIA: Unchecked user provided pointer in escape 0x5000027 | CCProjectZeroMembers
955 | WontFix | laginimaineb@google.com | Android: Code loading bypasses in system_server | CCProjectZeroMembers
958 | Fixed | markbrand@google.com | Android - Stack overflow in WifiNative::setHotlist | CCProjectZeroMembers
964 | Fixed | laginimaineb@google.com | Samsung: Kernel information disclosure in "maxdsm_read" | CCProjectZeroMembers
971 | Fixed | laginimaineb@google.com | Samsung: KASLR bypass in "pm_qos" | CCProjectZeroMembers
990 | Fixed | markbrand@google.com | LG: touchscreen driver write_log kernel read/write | CCProjectZeroMembers
991 | Fixed | markbrand@google.com | LG: Felica driver dangerous set_fs usage | CCProjectZeroMembers
997 | Invalid | forshaw@google.com | Windows: SCM Protected Process Light Service Security Feature Bypass | CCProjectZeroMembers
1093 | Fixed | forshaw@google.com | Windows: IEETWCollector Arbitrary Directory/File Deletion EoP | CCProjectZeroMembers
1164 | Fixed | jannh@google.com | MacOS: raw frame pointers in stackshot | CCProjectZeroMembers
1248 | Fixed | taviso@google.com | MsMpEng: UIF decoder will spin forever processing sparse blocks | CCProjectZeroMembers
1251 | Fixed | jannh@google.com | Linux: eBPF verifier log leaks lower half of map pointer | CCProjectZeroMembers
1294 | Fixed | laginimaineb@google.com | Broadcom: Denial of service and OOB read in TCP KeepAlive Offloading | CCProjectZeroMembers
1300 | Fixed | laginimaineb@google.com | Broadcom: Information Leak in ICMPv6 Router Advertisement Offloading | CCProjectZeroMembers
1318 | Fixed | laginimaineb@google.com | Apple: Information Leak when handling WLC_E_COUNTRY_CODE_CHANGED event packets | CCProjectZeroMembers
1328 | Fixed | forshaw@google.com | Windows: WLDP/MSHTML CLSID UMCI Bypass | CCProjectZeroMembers
1360 | WontFix | ifratric@google.com | Chakra: CFG bypass with leafInterpreterFrame | CCProjectZeroMembers
1405 | Fixed | jannh@google.com | MacOS getrusage stack leak through struct padding | CCProjectZeroMembers
1418 | WontFix | forshaw@google.com | Windows Defender: Controlled Folder Bypass through UNC Path | CCProjectZeroMembers
1424 | WontFix | ifratric@google.com | Chakra: CFG bypass by overwriting JavaScript bytecode | CCProjectZeroMembers