WebKit JSC JIT suffers from an uninitialized variable access vulnerability in ArgumentsEliminationPhase::transform.
A bug in JSC YarrJIT initParenContextFreeList allows for bytes to be overwritten.
JSC suffers from a data mishandling bug in BytecodeGenerator::emitEqualityOpImpl.
WebKit JSC has an issue where reifyStaticProperty needs to set the PropertyAttribute::CustomAccessor flag for CustomGetterSetter.
Microsoft Edge suffers from a Chakra related type confusion vulnerability in InlineArrayPush.
In Microsoft Edge, the JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode method is used to execute JsBuiltIn.js, which initializes some builtin objects. Because that code is essentially written in JavaScript, the method needs to clear the disable-implicit-call flag before calling it, otherwise the JavaScript code might not work properly. The problem is that it does not restore the previous state of the flag after the call. As setting the flag is what prevents stack-allocated objects from leaking, this flag-clearing bug can lead to a stack-based use-after-free.
Microsoft Edge suffers from a type confusion vulnerability in InitClass.
Microsoft Edge has an issue where the NewScObjectNoCtor and InitProto opcodes are treated as having no side effects, but they actually can have side effects via the type handler's SetIsPrototype method, which can cause a transition to a new type. This can lead to type confusion in the JITed code.
The doesGC function takes a node and reports whether it might trigger a garbage collection. This function is used to determine whether write barriers need to be inserted. But it is missing some cases, such as StringCharAt, StringCharCodeAt and GetByVal, that might trigger a garbage collection via rope strings. As a result, it can lead to a use-after-free condition.
WebKit JSC suffers from a use-after-free vulnerability that can be used to bypass write barriers.
WebKit JSC suffers from out-of-bounds read and write vulnerabilities in JSArray::shiftCountWithArrayStorage.
WebKit JIT int32/double arrays can have proxy objects in the prototype chains.
WebKit JSC has an issue where BytecodeGenerator::hoistSloppyModeFunctionIfNecessary does not invalidate the ForInContext object.
WebKit JIT has type confusion bugs in ByteCodeParser::handleIntrinsicCall.
When a for-in loop is executed, a JSPropertyNameEnumerator object is created at the beginning and used to store information about the input object of the for-in loop. Inside the loop, the structure ID of the "this" object of every get_by_id expression that takes the loop variable as the index is compared to the structure ID cached in the JSPropertyNameEnumerator object. If they are the same, the "this" object of the get_by_id expression is considered to have the same structure as the input object of the for-in loop. The problem is that nothing prevents the structure to which the cached structure ID belongs from being freed. As structure IDs can be reused after their owners are freed, this can lead to type confusion.
Microsoft Edge suffers from a Chakra OP_Memset type confusion vulnerability.
Microsoft Edge suffers from a Chakra JIT type confusion bug.
Microsoft Edge suffers from a Chakra JIT BailOutOnInvalidatedArrayHeadSegment check bypass vulnerability.
Microsoft Edge suffers from a sandbox escape vulnerability.
Microsoft Edge Chakra suffers from a type confusion vulnerability with PathTypeHandlerBase::SetAttributesHelper.
Microsoft Edge Chakra JIT suffers from a type confusion vulnerability in localeCompare.
The InitializeNumberFormat function in Intl.js is used to initialize an Intl.NumberFormat object, and InitializeDateTimeFormat is used for an Intl.DateTimeFormat object. There are two versions of each initializer: one for WinGlob and the other for ICU. The problem is that the ICU versions do not check whether the given object has already been initialized. This allows the same object to be initialized multiple times, which can lead to type confusion.
Microsoft Edge Chakra JIT suffers from a type confusion vulnerability with InlineArrayPush.
Microsoft Edge Chakra has an issue where DictionaryPropertyDescriptor::CopyFrom does not copy all fields.
Microsoft Edge Chakra suffers from a parameter scope parsing bug.