- [Chrome](#Chrome)
  - [Chrome_V8_RCE](#Chrome_V8_RCE)
  - [Chrome_V8_cage_escape(V8_SBX)](#Chrome_V8_cage_escape(V8_SBX))
  - [Chrome_Renderer_RCE](#Chrome_Renderer_RCE)
  - [Chrome_SBX](#Chrome_SBX)
- [Safari](#Safari)
  - [Safari_JavaScriptCore_RCE](#Safari_JavaScriptCore_RCE)
  - [Safari_SBX](#Safari_SBX)
- [Firefox](#Firefox)
  - [Firefox_Gecko_RCE](#Firefox_Gecko_RCE)
  - [Firefox_Renderer_RCE](#Firefox_Renderer_RCE)

# Chrome
## Chrome_V8_RCE
|Pwn|Target|Feature|CVE/issue|Vulnerability|Comment|
|---|---|---|---|---|---|
|N/A|N/A|N/A|[Utils](v8/Utils.md)|N/A||
||wasm||[CVE-2017-5122](v8/CVE-2017-5122.md)|Out of bound read||
||wasm|async, Side effect|[CVE-2018-6122](v8/CVE-2018-6122.md)|Type confusion||
||wasm|GC|[CVE-2024-3156](v8/CVE-2024-3156.md)|Inappropriate implementation||
||wasm||[CVE-2024-3832](v8/CVE-2024-3832.md)|Type confusion|Need more time|
|O|wasm||[CVE-2023-4070](v8/CVE-2023-4070.md)|Type confusion||
|O|wasm||[CVE-2024-2887](v8/CVE-2024-2887.md)|Type confusion||
|▵|wasm||[CVE-2024-4761](v8/CVE-2024-4761.md)|Out of bound write||
|▵|wasm||[issue-339736513](v8/issue-339736513.md)|Type confusion, OOB read||
||wasm||[CVE-2024-6100](v8/CVE-2024-6100.md)|Type confusion|Variant of CVE-2024-2887|
||wasm||[CVE-2024-5158](v8/CVE-2024-5158.md)|Type confusion||
||wasm|Turboshaft|[issue-352720899](v8/issue-352720899.md)|Type confusion|Regress|
|O|TurboFan|Concurrent compilation|[CVE-2023-3420](v8/CVE-2023-3420.md)|Type confusion||
|O|TurboFan|Side effect|[CVE-2018-17463](v8/CVE-2018-17463.md)|Type confusion||
|O|TurboFan|Property access|[CVE-2021-30632](v8/CVE-2021-30632.md)|Type confusion||
|O|TurboFan||[CVE-2025-0612](v8/CVE-2025-0612.md)|Out of bounds||
|O|Maglev|MaglevGraphBuilder|[CVE-2024-4947](v8/CVE-2024-4947.md)|Type confusion||
|O|Maglev|MaglevGraphBuilder|[CVE-2023-4069](v8/CVE-2023-4069.md)|Type confusion|Man Yue Mo|
||Map transition|Value serializer|[CVE-2023-1214](v8/CVE-2023-1214.md)|Type confusion|Man Yue Mo|
||Map transition|TryFastAddDataProperty|[CVE-2024-5830](v8/CVE-2024-5830.md)|Type confusion|Man Yue Mo|
|O|||[CVE-2017-5030](v8/CVE-2017-5030.md)|Out of bound read||
|O|||[18-issue-880207](v8/18-issue-880207.md)|Type confusion||
|O|||[CVE-2019-5825](v8/CVE-2019-5825.md)|Type confusion||
|O|||[CVE-2020-6383](v8/CVE-2020-6383.md)|Type confusion||
|O|||[CVE-2021-21225](v8/CVE-2021-21225.md)|Out of bound read||
|O|||[CVE-2021-38003](Renderer/CVE-2021-38003.md)|Type confusion|Leak Hole|
|O|||[CVE-2022-1310](v8/CVE-2022-1310.md)|Use after free||
|O|||[CVE-2022-1364](v8/CVE-2022-1364.md)|Type confusion|Leak Hole|
|O|||[CVE-2022-4174](v8/CVE-2022-4174.md)|Type confusion|Leak Hole|
|O|||[CVE-2023-2033](v8/CVE-2023-2033.md)|Type confusion|Leak Hole|
|O|||[CVE-2023-3079](v8/CVE-2023-3079.md)|Type confusion|Leak Hole|
||||[CVE-2023-3420](v8/CVE-2023-3420.md)|Type confusion|Man Yue Mo|
||||[CVE-2024-4761](v8/CVE-2024-4761.md)|Out of bound write||
|O|||[CVE-2023-4762](v8/CVE-2023-4762.md)|Type confusion|Leak Hole|
||||[CVE-2024-4947](v8/CVE-2024-4947.md)|Type confusion||
|O||enum cache|[CVE-2023-4427](v8/CVE-2023-4427.md)|Out of bound read||
|||enum cache|[CVE-2024-3159](v8/CVE-2024-3159.md)|Out of bound read||
||||[CVE-2024-0517](v8/CVE-2024-0517.md)|Out of bounds||
||||[CVE-2024-0519](v8/CVE-2024-0519)|Out of bounds|ITW|
|O|Parser|Incorrect parsing|[CVE-2024-5274](v8/CVE-2024-5274.md)|Type confusion||

## Chrome_V8_cage_escape(V8_SBX)
|Pwn|Target|Feature|CVE/issue|Vulnerability|Comment|
|---|---|---|---|---|---|
|O|N/A||[v8sbx](v8/v8sbx.md)|N/A||
|O|Runtime||[my-v8sbx-bug](v8/my-v8sbx-bug.md)|Insufficient data validation||
||wasm||[issue-349529650](v8/issue-349529650.md)|Function import signature check race||
|O|wasm||[issue-336009921](v8/issue-336009921.md)|Function signature confusion||
|O|wasm||[issue-354408144](v8/issue-354408144.md)|Function signature confusion||
|O|wasm||[CVE-2024-7024](v8/CVE-2024-7024.md)|Inappropriate implementation||
|O|wasm||[issue-369748454](v8/issue-369748454.md)|Inappropriate implementation||
|X|wasm|GC|[CVE-2024-3156](v8/CVE-2024-3156.md)|Inappropriate implementation||
|O|wasm|Runtime|[issue-361862752](v8/issue-361862752.md)|||
|O|wasm|Builder|[CVE-2024-6779](v8/CVE-2024-6779.md)|Out of bounds||
|▵|wasm||[issue-348084786](v8/issue-348084786.md)|Type confusion||
|O|wasm|Liftoff|[issue-350292240](v8/issue-350292240.md)|Function signature confusion||
|O|wasm||[CVE-2024-8194](v8/CVE-2024-8194.md)|Type confusion||
||wasm||[CVE-2024-11395](v8/CVE-2024-11395.md)|Type confusion||
||wasm||[issue-394120667](v8/issue-394120667.md)|||
|X|Runtime|Leaptiering|[issue-342297062](v8/issue-342297062.md)|Function signature confusion||
||Runtime|TypedArrays|[issue-385775375](v8/issue-385775375.md)|Memory access violation||
||Runtime|Heap|[issue-389713719](v8/issue-389713719.md)|Out of bound write||
||||[issue-389970331](v8/issue-389970331.md)|Stack buffer overflow||
||||[issue-412741811](v8/issue-412741811.md)|Out of bound read||
||||[issue-384186547](v8/issue-384186547.md)|Use after free||
||||[issue-338381304](v8/issue-338381304.md)|Stack corruption||
|O|Torque|SortState|[issue-390639820](v8/issue-390639820.md)|Type confusion||
||Torque||[issue-391169061](v8/issue-391169061.md)|Double fetch||

## Chrome_Renderer_RCE
|Pwn|Target|Feature|CVE/issue|Vulnerability|Comment|
|---|---|---|---|---|---|
|N/A|N/A|N/A|[Utils](Renderer/Utils.md)|N/A||
|O|||[CVE-2021-30551](v8/CVE-2021-30551.md)|Type confusion|Leak Hole|
|O|||[2022-issue-1352549](Renderer/issue-1352549.md)|Type confusion|Leak Hole|
||||[CVE-2024-1669](Renderer/CVE-2024-1669.md)|Out of bound read|reward-7000|
|O|||[CVE-2024-1283](Renderer/CVE-2024-1283.md)|Heap buf overflow||
||Compositing||[CVE-2024-3157](Renderer/CVE-2024-3157.md)|Out of bound write||

## Chrome_SBX
|Pwn|Target|Feature|CVE/issue|Vulnerability|OS|Comment|
|---|---|---|---|---|---|---|
|N/A|N/A|N/A|[Utils](SBX/Utils.md)|N/A|N/A||
||Mojo||[(19)75.0.3770.89](SBX/75.0.3770.89.md)|Use after free|All|Refactoring|
|O|Mojo||[CVE-2019-13768](SBX/CVE-2019-13768.md)|Use after free|Windows|Mark Brand|
|O|Mojo||[20-issue-1062091](SBX/20-issue-1062091.md)|Use after free|All||
||Mojo||[CVE-2020-16045](SBX/CVE-2020-16045.md)|Use after free|Android||
|O|Mojo||[CVE-2021-30633](SBX/CVE-2021-30633.md)|Use after free|||
|O|Mojo||[CVE-2022-3075](SBX/CVE-2022-3075.md)|Insufficient data validation|All||
||Mojo||[CVE-2022-4178](SBX/CVE-2022-4178.md)|Use after free|All||
||Mojo||[CVE-2023-6347](SBX/CVE-2023-6347.md)|Use after free|||
|X|Mojo||[CVE-2023-0941](SBX/CVE-2023-0941.md)|Use after free|||
||Mojo||[CVE-2023-5218](SBX/CVE-2023-5218.md)|Use after free|||
||Mojo||[CVE-2023-2934](SBX/CVE-2023-2934.md)|TOCTOU|All||
|▵|Mojo|C++|[CVE-2021-21146](SBX/CVE-2021-21146.md)|Use after free|All||
|X|Mojo|C++|[CVE-2021-30528](SBX/CVE-2021-30528.md)|Use after free|Android||
||Mojo|RFH|[20-issue-1068395](SBX/20-issue-1068395.md)|Use after free|Android||
||Mojo|IPCZ|[22-issue-40062130](SBX/22-issue-40062130.md)|Use after free|All||
||Mojo||[22-issue-40061915](SBX/22-issue-40061915.md)|Use after free|All||
||Mojo|MojoPipe|[CVE-2023-6347](SBX/CVE-2023-6347.md)|Use after free|All||
|X|Mojo|Prompts|[CVE-2023-0941](SBX/CVE-2023-0941.md)|Use after free|All||
|X|Mojo|Site Isolation|[CVE-2023-5218](SBX/CVE-2023-5218.md)|Use after free|All||
||Mojo|Visuals|[CVE-2024-3157](SBX/CVE-2024-3157.md)|Out of bounds|All||
|▵|Mojo|Visuals|[CVE-2024-4671](SBX/CVE-2024-4671.md)|Use after free|All||
|O|ANGLE|SwiftShader|[CVE-2023-1818](SBX/CVE-2023-1818.md)|Use after free|All||
||ANGLE|SwiftShader|[CVE-2018-16069](SBX/CVE-2018-16069.md)|Heap buf overflow|||
||ANGLE|SwiftShader|[CVE-2022-4135](SBX/CVE-2022-4135.md)|Heap buf overflow|||
||ANGLE|SwiftShader|[CVE-2023-2929](SBX/CVE-2023-2929.md)|Out of bound write|||
|O|ANGLE|SwiftShader|[CVE-2023-4072](CVE-2023-4072.md)|Out of bounds|All||
||ANGLE|SwiftShader|[23-issue-40063963](SBX/23-issue-40063963.md)|Integer overflow|All||
|X|ANGLE|Translator|[CVE-2024-3516](SBX/CVE-2024-3516.md)|Heap buf overflow|||
||ANGLE|Vulkan|[CVE-2024-2883](SBX/CVE-2024-2883.md)|Use after free|||
||ANGLE||[CVE-2023-1534](SBX/CVE-2023-1534.md)|Out of bound read|All||
|X|ANGLE|SwiftShader|[CVE-2024-4058](SBX/CVE-2024-4058.md)|Type confusion|All||
||ANGLE||[CVE-2016-1649](SBX/CVE-2016-1649.md)|Heap buf overflow|||
||Skia||[CVE-2023-2136](SBX/CVE-2023-2136.md)|Integer overflow|Android|ITW|
||Skia||[CVE-2023-4354](SBX/CVE-2023-4354.md)|Heap buf overflow|||
||Skia||[CVE-2023-6345](SBX/CVE-2023-6345.md)|Integer overflow||ITW|
||Skia|Tag|[CVE-2018-6126](SBX/CVE-2018-6126.md)|Heap buf overflow|All||
||Skia||[CVE-2021-37981](SBX/CVE-2021-37981.md)|Heap buf overflow|||
||Skia||[CVE-2023-4354](SBX/CVE-2023-4354.md)|Heap buf overflow|All||
||appcache||[2018-Hack2Win](SBX/2018-Hack2Win.md)|Use after free|Windows||
||WebRTC||[CVE-2023-7024](SBX/CVE-2023-7024.md)|Heap buf overflow||ITW|
||COM||[CVE-2023-36719](SBX/CVE-2023-36719.md)|Use after free|Windows||
||Kernel|NTOS|[CVE-2023-21674](SBX/CVE-2023–21674.md)|Use after free|Windows||
||Driver|Binder|[CVE-2020-0041](SBX/CVE-2020-0041.md)|Use after free|Android||
|||Model|[CVE-2021-21201](SBX/CVE-2021-21201.md)|Use after free|All||
||||[23-issue-40063125](SBX/23-issue-40063125.md)|Use after free|All||
|||Site Isolation|[CVE-2020-16017](SBX/CVE-2020-16017.md)|Use after free|||
|||Site Isolation|[CVE-2022-0290](SBX/CVE-2022-0290.md)|Use after free|||
|||Navigation|[CVE-2023-2721](SBX/CVE-2023-2721.md)|Use after free|All||
||Extension|DevTools|[CVE-2024-5836](SBX/CVE-2024-5836.md)|Race condition|All||

# Safari
## Safari_JavaScriptCore_RCE
|Pwn|Target|Feature|CVE/issue|Vulnerability|Comment|
|---|---|---|---|---|---|
|N/A|N/A|N/A|[Utils](Safari/jsc/Utils.md)|N/A||
|O|Array.slice|Side effect|[CVE-2016-4622](Safari/jsc/CVE-2016-4622.md)|Out of bounds|Phrack70|
|O|Array.reverse||[CVE-2018-4192](Safari/jsc/CVE-2018-4192.md)|Use after free|pwn2own-2018|

## Safari_SBX
|Pwn|Target|Feature|CVE/issue|Vulnerability|OS|Comment|
|---|---|---|---|---|---|---|
|N/A|N/A|N/A|[Utils](Safari/SBX/Utils.md)|N/A|||
|O|WindowServer||[CVE-2018-4193](Safari/SBX/CVE-2018-4193.md)|Out of bounds|Mac|pwn2own-2018|
||SharedFileList||[CVE-2024-54498](Safari/SBX/CVE-2024-54498.md)|Path handling issue|Mac||
||WebGPU||[CVE-2023-28205](Safari/SBX/CVE-2023-28205.md)|Use after free|iOS|Project Zero|

# Firefox
## Firefox_Gecko_RCE
|Pwn|Target|Feature|CVE/issue|Vulnerability|Comment|
|---|---|---|---|---|---|
|N/A|N/A|N/A|[Utils](Firefox/Gecko/Utils.md)|N/A||
|O|SpiderMonkey|Side effect|[CVE-2024-8381](Firefox/Gecko/CVE-2024-8381.md)|Type confusion||

## Firefox_Renderer_RCE
|Pwn|Target|Feature|CVE/issue|Vulnerability|Comment|
|---|---|---|---|---|---|
|N/A|N/A|N/A|[Utils](Firefox/Renderer/Utils.md)|N/A||
||||[CVE-2022-1802](Firefox/Renderer/CVE-2022-1802.md)|Out of bounds|pwn2own-2022|