| Pwn | Target | Feature | CVE/issue | Vulnerability | Comment |
|---|---|---|---|---|---|
| N/A | N/A | N/A | Utils | N/A | |
| wasm | CVE-2017-5122 | Out of bound read | |||
| wasm | async,Side effect | CVE-2018-6122 | Type confusion | ||
| wasm | GC | CVE-2024-3156 | Inappropriate implementation | ||
| wasm | CVE-2024-3832 | Type confusion | Need more time | ||
| O | wasm | CVE-2023-4070 | Type confusion | ||
| O | wasm | CVE-2024-2887 | Type confusion | ||
| ▵ | wasm | CVE-2024-4761 | Out of bound write | ||
| ▵ | wasm | issue-339736513 | Type confusion, OOB read | ||
| wasm | CVE-2024-6100 | Type confusion | Variant CVE-2024-2887 | ||
| wasm | CVE-2024-5158 | Type confusion | |||
| wasm | Turboshaft | issue-352720899 | Type confusion | Regress | |
| O | TurboFan | Concurrent compilation | CVE-2023-3420 | Type confusion | |
| O | TurboFan | Side effect | CVE-2018-17463 | Type confusion | |
| O | TurboFan | Property access | CVE-2021-30632 | Type confusion | |
| O | TurboFan | CVE-2025-0612 | Out of bounds | ||
| O | Maglev | MaglevGraphBuilder | CVE-2024-4947 | Type confusion | |
| O | Maglev | MaglevGraphBuilder | CVE-2023-4069 | Type confusion | Man Yue Mo |
| Map transition | Value serializer | CVE-2023-1214 | Type confusion | Man Yue Mo | |
| Map transition | TryFastAddDataProperty | CVE-2024-5830 | Type confusion | Man Yue Mo | |
| O | CVE-2017-5030 | Out of bound read | |||
| O | 18-issue-880207 | Type confusion | |||
| O | CVE-2019-5825 | Type confusion | |||
| O | CVE-2020-6383 | Type confusion | |||
| O | CVE-2021-21225 | Out of bound read | |||
| O | CVE-2021-38003 | Type confusion | Leak Hole | ||
| O | CVE-2022-1310 | Use after free | |||
| O | CVE-2022-1364 | Type confusion | Leak Hole | ||
| O | CVE-2022-4174 | Type confusion | Leak Hole | ||
| O | CVE-2023-2033 | Type confusion | Leak Hole | ||
| O | CVE-2023-3079 | Type confusion | Leak Hole | ||
| CVE-2023-3420 | Type confusion | Man Yue Mo | |||
| CVE-2024-4761 | Out of bound write | ||||
| O | CVE-2023-4762 | Type confusion | Leak Hole | ||
| CVE-2024-4947 | Type confusion | ||||
| O | enum cache | CVE-2023-4427 | Out of bound read | ||
| enum cache | CVE-2024-3159 | Out of bound read | |||
| CVE-2024-0517 | Out of Bounds | ||||
| CVE-2024-0519 | Out of bounds | ||||
| O | Parser | Incorrect parsing | CVE-2024-5274 | Type confusion |
| Pwn | Target | Feature | CVE/issue | Vulnerability | Comment |
|---|---|---|---|---|---|
| N/A | N/A | N/A | Utils | N/A | |
| O | N/A | Cage_escape | 2024.6.6 | ||
| wasm | issue-349529650 | function import signature check race | |||
| wasm | issue-336009921 | function signature confusion | |||
| wasm | issue-354408144 | function signature confusion | |||
| O | wasm | CVE-2024-7024 | function signature confusion | ||
| O | wasm | CVE-2024-8904 | Type confusion | ||
| wasm | CVE-2024-6779 | Out of Bounds | |||
| O | wasm | CVE-2024-8194 | Type confusion | incomplete CVE-2024-6100 | |
| ▵ | wasm | issue-348084786 | Type confusion | ||
| wasm | issue-373703277 | Type confusion |
| Pwn | Target | Feature | CVE/issue | Vulnerability | Comment |
|---|---|---|---|---|---|
| N/A | N/A | N/A | Utils | N/A | |
| O | CVE-2021-30551 | Type confusion | Leak Hole | ||
| O | 2022-issue-1352549 | Type confusion | Leak Hole | ||
| CVE-2024-1669 | Out of bound read | reward-7000 | |||
| O | CVE-2024-1283 | Heap buf overflow | |||
| Compositing | CVE-2024-3157 | Out of bound write |
| Pwn | Target | Feature | CVE/issue | Vulnerability | OS | Comment |
|---|---|---|---|---|---|---|
| N/A | N/A | N/A | Utils | N/A | N/A | |
| Mojo | (19)75.0.3770.89 | Use after free | All | Refactoring | ||
| O | Mojo | CVE-2019-13768 | Use after free | Windows | Mark Brand | |
| O | Mojo | 20-issue-1062091 | Use after free | All | ||
| Mojo | CVE-2020-16045 | Use after free | Android | |||
| O | Mojo | CVE-2021-30633 | Use after free | |||
| O | Mojo | CVE-2022-3075 | Insufficient data validation | All | ||
| Mojo | CVE-2022-4178 | Use after free | All | |||
| Mojo | CVE-2023-6347 | Use after free | ||||
| X | Mojo | CVE-2023-0941 | Use after free | |||
| Mojo | CVE-2023-5218 | Use after free | ||||
| Mojo | CVE-2023-2934 | TOCTOU | All | |||
| ▵ | Mojo | C++ | CVE-2021-21146 | Use after free | All | |
| X | Mojo | C++ | CVE-2021-30528 | Use after free | Android | |
| Mojo | RFH | 20-issue-1068395 | Use after free | Android | ||
| Mojo | IPCZ | 22-issue-40062130 | Use after free | All | ||
| Mojo | 22-issue-40061915 | Use after free | All | |||
| Mojo | MojoPipe | CVE-2023-6347 | Use after free | All | ||
| X | Mojo | Prompts | CVE-2023-0941 | Use after free | All | |
| X | Mojo | Site Isolation | CVE-2023-5218 | Use after free | All | |
| Mojo | Visuals | CVE-2024-3157 | Out of bounds | All | ||
| ▵ | Mojo | Visuals | CVE-2024-4671 | Use after free | All | |
| O | ANGLE | SwiftShader | CVE-2023-1818 | Use after free | All | |
| ANGLE | SwiftShader | CVE-2018-16069 | Heap buf overflow | |||
| ANGLE | SwiftShader | CVE-2022-4135 | Heap buf overflow | |||
| ANGLE | SwiftShader | CVE-2023-2929 | Out of bound write | |||
| O | ANGLE | SwiftShader | CVE-2023-4072 | Out of bounds | All | |
| ANGLE | SwiftShader | 23-issue-40063963 | Integer overflow | All | ||
| X | ANGLE | Translator | CVE-2024-3516 | Heap buffer overflow | ||
| ANGLE | Vulkan | CVE-2024-2883 | Use after free | |||
| ANGLE | CVE-2023-1534 | Out of bound read | All | |||
| X | ANGLE | SwiftShader | CVE-2024-4058 | Type confusion | All | |
| ANGLE | CVE-2016-1649 | Heap buf overflow | ||||
| Skia | CVE-2023-2136 | Integer overflow | Android | ITW | ||
| Skia | CVE-2023-4354 | Heap buf overflow | ||||
| Skia | CVE-2023-6345 | Integer overflow | ITW | |||
| Skia | Tag | CVE-2018-6126 | Heap buf overflow | All | ||
| Skia | CVE-2021-37981 | Heap buf overflow | ||||
| Skia | CVE-2023-4354 | Heap buf overflow | All | |||
| Skia | CVE-2023-6345 | Integer overflow | ITW | |||
| appcache | 2018-Hack2Win | Use after free | Windows | |||
| WebRTC | CVE-2023-7024 | Heap buf overflow | ITW | |||
| COM | CVE-2023-36719 | Use after free | Windows | |||
| Kernel | NTOS | CVE-2023–21674 | Use after free | Windows | ||
| Driver | Binder | CVE-2020-0041 | Use after free | Android | ||
| Model | CVE-2021-21201 | Use after free | All | |||
| 23-issue-40063125 | Use after free | All | ||||
| Site Isolation | CVE-2020-16017 | Use after free | ||||
| Site Isolation | CVE-2022-0290 | Use after free | ||||
| Navigation | CVE-2023-2721 | Use after free | All | |||
| Extension | DevTools | CVE-2024-5836 | Race condition | All |
| Pwn | Target | Feature | CVE/issue | Vulnerability | Comment |
|---|---|---|---|---|---|
| N/A | N/A | N/A | Utils | N/A | |
| O | Array.slice | Side effect | CVE-2016-4622 | Out of bounds | Phrack70 |
| O | Array.reverse | CVE-2018-4192 | Use after free | pwn2own-2018 |
| Pwn | Target | Feature | CVE/issue | Vulnerability | OS | Comment |
|---|---|---|---|---|---|---|
| N/A | N/A | N/A | Utils | N/A | ||
| O | WindowServer | CVE-2018-4193 | Out of bounds | Mac | pwn2own-2018 | |
| SharedFileList | CVE-2024-54498 | A path handling issue | Mac | |||
| WebGPU | CVE-2023-28205 | Use after free | iOS | Project zero |
| Pwn | Target | Feature | CVE/issue | Vulnerability | Comment |
|---|---|---|---|---|---|
| N/A | N/A | N/A | Utils | N/A | |
| O | SpiderMonkey | Side effect | CVE-2024-8381 | Type confusion |
| Pwn | Target | Feature | CVE/issue | Vulnerability | Comment |
|---|---|---|---|---|---|
| N/A | N/A | N/A | Utils | N/A | |
| CVE-2022-1802 | Out of bounds | pwn2own-2022 |