| ID | Summary | Product | Component | Assignee | Status | Resolution | Updated |
|---|---|---|---|---|---|---|---|
| 1452576 | Crash [@ get] with StructuredCloneHolder ending up in [@ mozilla::dom::ImageBitmap::CreateFromCloneData] although DifferentProcess | Core | DOM: Core & HTML | amarchesini | RESO | FIXE | 2021-10-06 |
| 1451376 | Use after free in ContentParent::AllocPPrintingParent | Core | Printing: Output | bobowencode | RESO | FIXE | 2021-11-18 |
| 1490234 | Shared memory should not allow executable images to be mapped on Windows. | Core | IPC | bobowencode | RESO | FIXE | 2021-10-21 |
| 1554110 | Windows sandbox: renderer processes can open each and unrelated Chromium processes | Core | Security: Process Sa | bobowencode | RESO | FIXE | 2024-05-30 |
| 1599005 | Race condition in firefox!sandbox::SharedMemIPCServer::Init leading to relative out-of-bounds read/write in the broker process (Sandbox escape / LPE) | Core | Security: Process Sa | bobowencode | RESO | FIXE | 2024-05-30 |
| 1618911 | Firefox: Default Content Process DACL Sandbox Escape | Core | Security: Process Sa | bobowencode | RESO | FIXE | 2021-10-20 |
| 1846687 | use-after-free in mStream | Core | Graphics | bobowencode | RESO | FIXE | 2024-05-30 |
| 1755621 | WinWebAuthnManager::Register stack-buffer overflow | Core | DOM: Web Authenticat | bugs | RESO | FIXE | 2024-05-30 |
| 1765610 | Compromised content process can generate gamepad events via PGamepadTestChannelChild::SendGamepadTestEvent | Core | DOM: Device Interfac | cmartin | RESO | FIXE | 2023-01-16 |
| 1017616 | "export" in Certificate Viewer can cause navigation to arbitrary filesystem paths | Core | Security: PSM | cykesiopka.bmo+mozbz | RESO | FIXE | 2024-05-30 |
| 1410140 | PluginModuleChromeParent::AnswerGetFileName - Heap Buffer Overflow | Core Graveyard | Plug-ins | davidp99 | RESO | FIXE | 2022-05-16 |
| 1411631 | PluginModuleChromeParent::AnswerGetFileName - Grant Arbitrary File Read Access. | Core Graveyard | Plug-ins | davidp99 | RESO | FIXE | 2022-05-16 |
| 1840273 | WebGPU - Invalid function pointer in `wgpu_hal` in GPU Process using D3D on Windows | Core | Graphics: WebGPU | egubler | RESO | FIXE | 2024-05-30 |
| 1542581 | Race condition in google_breakpad::CrashGenerationServer::AddClient leading to UAF write in broker (Sandbox escape / LPE) | Toolkit | Crash Reporting | gsvelto | RESO | FIXE | 2024-05-30 |
| 1652612 | DNS-rebinding vulnerability to RCE in geckodriver | Testing | geckodriver | james | RESO | FIXE | 2024-05-30 |
| 1771084 | Try to automatically seal Object/Array/Function constructors/prototypes in the shared system global | Core | JavaScript Engine | jdemooij | RESO | FIXE | 2023-10-12 |
| 1741201 | Out-of-bounds write due to integer overflow [@ ObjectStoreAddOrPutRequestOp::DoDatabaseWork] | Core | Storage: IndexedDB | jjalkanen | RESO | FIXE | 2022-08-26 |
| 1855306 | Stack memory disclosure in Linux sandbox broker stat/lstat handler | Core | Security: Process Sa | jld | RESO | FIXE | 2024-04-28 |
| 1425612 | StructuredClone crash reading invalid data | Core | JavaScript Engine | jorendorff | RESO | FIXE | 2021-10-06 |
| 1426783 | AddressSanitizer: heap-buffer-overflow [@ __asan_memcpy] with arbitrary WRITE in JSStructuredCloneReader | Core | JavaScript Engine | jorendorff | RESO | FIXE | 2021-10-06 |
| 1544526 | IPC: heap-use-after-free crash [@mozilla::net::nsHttpHandler::EnsureHSTSDataReadyNative] | Core | Networking: HTTP | kershaw | RESO | FIXE | 2022-01-06 |
| 1559858 | Sending `Prompt:Open` from the child allows for a sandbox escape | Firefox | Security | mail | RESO | FIXE | 2024-05-02 |
| 1414282 | LayerTransactionParent::RecvUpdate - Arbitrary gfx::ScaledFont Object Pointer | Core | Graphics: Layers | matt.woodrow | RESO | FIXE | 2021-10-20 |
| 1757805 | Shmem stores length in shared memory region | Core | IPC | nika | RESO | FIXE | 2022-08-27 |
| 1800149 | Use parent process values rather than content process values in ClickHandlerParent and ContextMenuParent | Firefox | Tabbed Browser | nika | RESO | FIXE | 2023-10-17 |
| 1538007 | [ZDI-CAN-8374] Sandbox escape: XUL injection in language pack | Core | Internationalization | peterv | RESO | FIXE | 2021-10-20 |
| 1827655 | Crash in [@ nsCOMPtr<T>::nsCOMPtr \| mozilla::net::nsRedirectHistoryEntry::GetReferrerURI ] on poison values in session history recv methods | Core | DOM: Navigation | smaug | RESO | FIXE | 2023-10-17 |
| 1434384 | AddressSanitizer: BUS on unknown address 0x000000000000 [@ __asan::asan_free] with clobbered bp involving StructuredClone | Core | JavaScript Engine | sphink | RESO | FIXE | 2021-10-06 |
| 1442722 | Assertion failure: point.canPeek(), at js/src/vm/StructuredClone.cpp:648 or various crashes with invalid free | Core | JavaScript Engine | sphink | RESO | FIXE | 2021-10-06 |
| 1739366 | Assertion failure: tokenOffsetArg <= linebufLengthArg, at js/src/jsapi.cpp:3742 through StructuredClone | Core | IPC | sphink | RESO | FIXE | 2022-08-26 |
| 1538008 | [ ZDI-CAN-8375] UXSS priv-esc via sync (install arbitrary extensions & set arbitrary preferences) | Firefox | Sync | tom | RESO | FIXE | 2021-10-20 |
| 1456975 | Segfault - buffer overflow / arbitrary memory read in IPC due to unvalidated field in nsMozIconURI deserialization | Core | Networking | valentin.gosu | RESO | FIXE | 2021-11-18 |
| 1846694 | Integer Overflow in RecordedSourceSurfaceCreation | Core | Graphics | bwerth | RESO | FIXE | 2024-05-30 |
| 1566608 | IPC passing of Windows HANDLEs and macOS Mach ports is insecure | Core | IPC | jld | RESO | FIXE | 2022-08-26 |
| 1758155 | PBackground-managed Actors can be opened for the wrong process | Core | Networking | kershaw | RESO | FIXE | 2024-05-22 |
| 1393362 | Unchecked size can lead to zero byte allocation or undefined behavior | Core | Graphics | lsalzman | RESO | FIXE | 2022-08-26 |
| 1538028 | Privilege escalation from web to file process | Core | DOM: Navigation | nika | RESO | FIXE | 2024-05-30 |
| 1843038 | Stack buffer overflow in NSSCipherStrategy::DeserializeKey | Core | Storage: Quota Manag | nika | RESO | FIXE | 2024-06-02 |
| 1392739 | IPC: wild-addr-read in various messages [@CharAt] | Core | Networking | valentin.gosu | RESO | FIXE | 2021-11-18 |
| 1846688 | use-after-free in ColorPickerShownCallback | Core | DOM: Content Process | vhilla | RESO | FIXE | 2024-05-30 |
| 1768337 | out-of-bounds read/write in WebGPU IPC Framework | Core | Graphics: WebGPU | aosmond | RESO | FIXE | 2024-05-30 |
| 1530709 | Use CSSOM to insert rules in SelectParentHelper. | Core | Layout: Form Control | fbraun | RESO | FIXE | 2024-02-06 |
| 1799692 | Track TriggeringRemoteType for worker-triggered navigations | Core | DOM: Workers | nika | RESO | FIXE | 2023-07-17 |
| 1412313 | ParamTraits<nsAString> Deserialization - Integer Overflow | Core | IPC | alex.gaynor | RESO | FIXE | 2022-01-04 |
| 1456189 | AddressSanitizer: bad-free deserializing JSStructuredCloneData | Core | IPC | alex.gaynor | RESO | FIXE | 2021-11-18 |
| 1344415 | Privilege escalation/Sandbox escape using PFileSystemRequestConstructor | Core | Security: Process Sa | amarchesini | RESO | FIXE | 2021-10-20 |
| 1344957 | Read file system access sandbox bypass using FileCreationRequest from PContent.ipdl | Core | DOM: Content Process | amarchesini | RESO | FIXE | 2022-01-04 |
| 1459206 | Arbitrary file listing (content disclosure?) by compromised content process | Core | DOM: Content Process | amarchesini | RESO | FIXE | 2021-12-03 |
| 1854669 | VideoBridge allows any content process to use any texture produced by remote decoder | Core | Audio/Video | aosmond | RESO | FIXE | 2024-04-28 |
| 1873927 | CanvasManagerParent should refuse to remote WebGL or recording canvases if disabled | Core | Graphics | aosmond | RESO | FIXE | 2024-05-14 |
| 1087565 | IPC Channel does not validate the listener. | Core | IPC | bobowencode | RESO | FIXE | 2021-10-21 |
| 1846683 | Missing array size check in FilterNodeD2D1 | Core | Graphics | bobowencode | RESO | FIXE | 2024-05-30 |
| 1846686 | heap memory leak in memory shared with compromised content process due to wrong GetPreparedMap | Core | Graphics | bobowencode | RESO | FIXE | 2024-05-30 |
| 1236724 | Improper unserialization of bluetooth::BluetoothGattResponse leads to memory corruption | Core | IPC | brsun | RESO | FIXE | 2022-01-04 |
| 1758549 | Prevent the creation of WebVR IPDL actors when WebVR is disabled | Core | WebVR | continuation | RESO | FIXE | 2022-08-27 |
| 1758776 | Use-after-free of VRLayerParent with compromised content process | Core | WebVR | continuation | RESO | FIXE | 2022-08-27 |
| 1764778 | PSpeechSynthesis can be started by a compromised child process even with the pref disabled | Core | Web Speech | continuation | RESO | FIXE | 2023-01-16 |
| 1771381 | Don't copy attributes from the prototype | Firefox | Session Restore | continuation | RESO | FIXE | 2023-01-16 |
| 1851195 | SimulateDeviceReset() can be triggered from a compromised content process | Core | Graphics | continuation | RESO | FIXE | 2024-01-03 |
| 1725854 | IPC Parent Crash [@ wgpu_core::hub::Storage$LT$T$C$I$GT$::iter::_$u7b$$u7b$closure$u7d$$u7d$] with potential use-after-free | Core | Graphics: WebGPU | dmalyshau | RESO | FIXE | 2023-08-03 |
| 1836550 | Potential Integer Overflow from malicious content process | Core | DOM: Copy & Paste an | echen | RESO | FIXE | 2024-03-21 |
| 1837450 | Potential Integer Overflow from malicious content process with custom cursors | Core | CSS Parsing and Comp | emilio | RESO | FIXE | 2023-10-17 |
| 1303713 | Array out-of-bounds memory read/write/exec in CamerasParent | Core | Audio/Video | gpascutto | RESO | FIXE | 2022-01-04 |
| 1465898 | Heap-buffer-underflow READ 8 from HalParent::RecvEnableSwitchNotifications | Core | Hardware Abstraction | gsvelto | RESO | FIXE | 2021-11-18 |
| 1469309 | Heap-buffer-underflow READ 8 from HalParent::RecvEnableSensorNotifications | Core | Hardware Abstraction | gsvelto | RESO | FIXE | 2021-11-18 |
| 1469914 | HalParent's use of observers has many UAFs | Core | Hardware Abstraction | gsvelto | RESO | FIXE | 2021-11-18 |
| 1610426 | No validation of array index (key) in xul!mozilla::ipc::CrashReporterMetadataShmem::ReadAppNotes leads to Stack Out-Of-Bounds write in the broker process (Sandbox Escape / LPE) | Toolkit | Crash Reporting | gsvelto | RESO | FIXE | 2024-05-30 |
| 1769266 | Possible use-after-free with SetStatusRunnable::mPort | Core | DOM: Device Interfac | gsvelto | RESO | FIXE | 2023-01-16 |
| 1607494 | Run PAC Scripts without Javascript Optimizations | Core | Networking | jdemooij | RESO | FIXE | 2021-10-20 |
| 1847529 | AddressSanitizer: stack-buffer-underflow [@ __asan_memcpy] with READ of size 16781312 with potentially corrupted FontEntry | Core | Graphics: Text | jfkthame | RESO | FIXE | 2024-01-03 |
| 1723920 | Crash [@ mozilla::dom::StorageDBThread::Get] with out-of-bounds access via IPC | Core | Storage: localStorag | jjalkanen | RESO | FIXE | 2022-08-26 |
| 1568047 | IPC “bulk reading” a bool can cause undefined behavior | Core | IPC | jld | RESO | FIXE | 2022-01-10 |
| 1117140 | GMP sandbox break-out on Windows through process handle | Core | IPC | jmathies | RESO | FIXE | 2024-05-30 |
| 1773363 | wr::BuiltDisplayListDescriptor is serialized unsafely | Core | Graphics: WebRender | jmuizelaar | RESO | FIXE | 2023-11-27 |
| 1871445 | Potential issue in `RecvCloneDocumentTreeInto` | Core | DOM: Content Process | jstutte | RESO | FIXE | 2024-05-14 |
| 1758070 | UAF in Webgpu status manager [exploited in the wild] | Core | Graphics: WebGPU | nical.bugzilla | RESO | FIXE | 2024-05-30 |
| 1758156 | A compromised content process can cause the parent to use WebGPU even if preffed off | Core | Graphics: WebGPU | nical.bugzilla | RESO | FIXE | 2024-05-30 |
| 1789440 | MessageChannel IPC reply potential type confusion | Core | IPC | nika | RESO | FIXE | 2023-01-16 |
| 1821306 | MOZ_DIAGNOSTIC_ASSERT(mSelection->EndOffset() <= mText->Length()) in widget/ContentCache.cpp | Core | DOM: UI Events & Foc | nobody | RESO | FIXE | 2024-05-14 |
| 1042387 | Possible memory corruption when Read()ing FenceHandleFromChild or FenceHandle | Core | Graphics: Layers | sotaro.ikeda.g | RESO | FIXE | 2022-01-04 |
| 1238602 | Improper unserialization of GonkNativeHandle | Core | Graphics | sotaro.ikeda.g | RESO | FIXE | 2022-01-04 |
| 1412329 | CompositorBridgeParent::RecvMakeSnapshot - Arbitrary Memory Write | Core | Graphics: Layers | sotaro.ikeda.g | RESO | INVA | 2021-10-21 |
| 1328325 | JavaScript injection on FxA domain through firefox://?fxa scheme | Firefox for iOS | Firefox Accounts | vbudhram | RESO | FIXE | 2024-05-30 |
| 1846689 | use-after-free in FilePickerShownCallback | Core | DOM: Core & HTML | vhilla | RESO | FIXE | 2024-05-30 |
| 1722204 | AddressSanitizer: attempting double-free from gfx::RecordedFillGlyphs and UAF (0xe5e5e5e5e5e5e5e5 on crash report) | Core | Graphics: Layers | bobowencode | VERI | FIXE | 2024-05-30 |
| 1372509 | Self-XSS XUL Injection in about:webrtc | Core | WebRTC | jib | VERI | FIXE | 2021-10-21 |
| 1760765 | Intermittent SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50 in mozilla::RefPtrTraits<mozilla::media::OriginKeyStore>::Release | Core | WebRTC: Audio/Video | jib | VERI | FIXE | 2023-01-16 |
| 1432778 | Chrome level XSS in LightWeight theme prompts | WebExtensions | Frontend | kmaglione+bmo | VERI | FIXE | 2021-11-19 |
| 1752888 | Confirming install prompt for trusted addon may execute arbitrary privileged code instead | Toolkit | Add-ons Manager | nobody | VERI | FIXE | 2024-05-30 |
| 873966 | Arbitrary code execution from Profiler | DevTools | Performance Tools (P | anton | VERI | FIXE | 2024-05-30 |
| 1776658 | Crash [@ std::__atomic_base<unsigned long>::load] through [@ JSObject::shape] | Core | XPConnect | kmaglione+bmo | VERI | FIXE | 2023-02-28 |
| 1763634 | Assertion failure: aGUIEvent->IsTrusted(), at layout/base/PresShell.cpp:6805 | Core | DOM: Events | masayuki | VERI | FIXE | 2022-11-20 |
| 1832306 | Crash [@ nsIContent::GetEventTargetParent] through [@ mozilla::dom::BrowserParent::RecvAccessKeyNotHandled] | Core | DOM: UI Events & Foc | masayuki | VERI | FIXE | 2023-10-17 |
| 1770137 | Spot fix for pwn2own-2022 sandbox escape | Toolkit Graveyard | Notifications and Al | peterv | VERI | FIXE | 2024-03-21 |
| 1799156 | Potential Linux arbitrary read sandbox bypass using clipboard | Core | DOM: Copy & Paste an | tschuster | VERI | FIXE | 2023-07-17 |
| 1800425 | Arbitrary file exposure with Drag&Drop on GTK (maybe only across Firefox instances?) | Core | DOM: Copy & Paste an | tschuster | VERI | FIXE | 2023-07-17 |