Microsoft Edge Chakra JIT suffers from an ImplicitCallFlags check bypass vulnerability with Intl.
fa2ba833d2e86afeca1956fc5c100501e728bc7ca7779f47078461ffbd346bab
macOS and iOS suffer from a javascript injection bug in OfficeImporter.
e8a235449f752566cb48a2a1f6f65e02d52cbd77feb6354393a30e556c4552e2
Microsoft Edge Chakra JIT suffers from a type confusion vulnerability with hoisted SetConcatStrMultiItemBE instructions.
f4b986bf36dfb05720fc2029354aa57451279bbc79487e82145d40d7bd8a2aef
Microsoft Edge Chakra JIT suffers from a bug in BoundFunction::NewInstance, the method that handles calls to a bound function. It first allocates a new argument array, copies the prepended (bound) arguments and the caller's arguments into it, and then calls the actual target function. The problem is that it ignores the CallFlags_NewTarget flag, which indicates that there is an extra argument (new.target) at the end of the argument array. When the flag is set, the new argument array is therefore always one slot smaller than required, which leads to an out-of-bounds read.
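The off-by-one described above, as an added example that is not part of the original advisory or of Chakra's code. The first part models the argument-array layout the advisory describes (this, bound arguments, call arguments, then an optional trailing new.target slot) and compares the flag-aware size with the flag-ignoring size; the `CallFlags_NewTarget` constant, the slot layout and the helper names are assumptions made for the model. The second part is plain JavaScript showing that `new.target` really is forwarded through a bound function, which is why the extra slot exists.

```javascript
// Modelled Chakra call flag (assumed value; only its presence matters here).
const CallFlags_NewTarget = 1 << 0;

// Correct sizing: this + bound args + call args, plus one slot for new.target
// when the call was made with `new`.
function requiredSlots(boundArgs, callArgs, flags) {
  const newTargetSlot = (flags & CallFlags_NewTarget) ? 1 : 0;
  return 1 + boundArgs.length + callArgs.length + newTargetSlot;
}

// Vulnerable sizing: the flag is never consulted, so the trailing new.target
// slot is missing whenever the flag is set.
function vulnerableSlots(boundArgs, callArgs, flags) {
  return 1 + boundArgs.length + callArgs.length;
}

// Copies the argument layout into a fixed-size buffer and counts how many
// values fall outside it (the out-of-bounds accesses a native copy would make).
function copyArgs(alloc, thisArg, boundArgs, callArgs, flags, newTarget) {
  const buf = new Array(alloc).fill(undefined);
  const src = [thisArg, ...boundArgs, ...callArgs];
  if (flags & CallFlags_NewTarget) src.push(newTarget);
  let outOfBounds = 0;
  src.forEach((v, i) => {
    if (i < buf.length) buf[i] = v; else outOfBounds++;
  });
  return { buf, outOfBounds };
}

// Real JavaScript: new.target is passed through Function.prototype.bind.
function Target() { return { seen: new.target }; }
const Bound = Target.bind(null, "prepended");
function newTargetThroughBind() { return new Bound("passed").seen === Target; }

// Constructed sample call: one bound argument, one call argument, called with `new`.
function demo() {
  const bound = ["prepended"], call = ["passed"], flags = CallFlags_NewTarget;
  const ok = copyArgs(requiredSlots(bound, call, flags), null, bound, call, flags, Target);
  const bad = copyArgs(vulnerableSlots(bound, call, flags), null, bound, call, flags, Target);
  return { okOutOfBounds: ok.outOfBounds, badOutOfBounds: bad.outOfBounds };
}
```

`demo()` reports zero out-of-bounds slots for the flag-aware size and one for the flag-ignoring size, which is exactly the missing new.target slot.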
aa1bde86d10b95d8ca0ccfc5d06fd9edd0e20688c8eadfbfc61a463d88cdead5
Microsoft Edge Chakra JIT suffers from multiple out of bounds reads and writes.
14c73972e0db8500904cd6efa9a56ea40e8f8fbd7ed64d7345ffa202523fbfe4
Chrome V8 suffers from a bug in KeyAccumulator that can cause a crash.
9e8f060d028a3d93afffe9ee1b45849ed961e276d79b29bac398a156e4412c41
Chrome V8 has an element confusion issue with PromiseAllResolveElementClosure.
414db37f793a7bfd21520d94faca5a6d43a070984dfd1b0f62a9b7631e014e17
Microsoft Edge Chakra suffers from an issue where EntrySimpleObjectSlotGetter can have side effects that cause a type confusion vulnerability.
dac02c231e7c37da88c204ab8918570d1df7d88c3ea07b2805f9d5afd9081f44
Microsoft Edge Chakra suffers from a cross context use-after-free vulnerability.
3b419c01f8a186a0bd97c1be1da5f223ed4332c77c38f000eedcab19808e3482
Microsoft Edge Chakra JIT suffers from an issue where a magic value can cause a type confusion vulnerability.
b607bd66ac346df35ba88f1fbce5078e0b85fdb7c50c28f6628624a5252e48aa
Microsoft Edge Chakra JIT uses the InvariantBlockBackwardIterator class to back-propagate information about hoisted bounds checks. However, the class walks the linked list of blocks instead of following the control flow, which can cause bounds checks to be removed incorrectly.
fb86d007c56bfd6ada33e174da508e6d677ad9d0597953bd1d8e6d7694634532
Chrome V8 has a bug in the ObjectDescriptor class.
f26fccf07a6c7df134154a2d49e51e4045066a599ff0fc55583820893c867c31
Google Chrome V8's Await methods call ResolveNativePromise, which calls InternalResolvePromise, which can invoke user JavaScript code through a "then" getter. If the user script replaces the AwaitedPromise during that call, the AwaitedPromise is immediately overwritten after the call to Await, which can leave the generator in an incorrect state.
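The re-entrancy point the entry above depends on, as an added example that is not the Chromium proof of concept: awaiting an object whose "then" property is an accessor runs that accessor synchronously while the promise is being resolved, before the async function suspends. The object, the log and the function names are constructed for this illustration.

```javascript
// Records the order in which code runs around the await.
const log = [];

// A constructed thenable whose "then" is an accessor: resolving with it
// performs Get(value, "then"), which runs this getter as ordinary user code.
const thenable = {
  get then() {
    log.push("then getter ran");   // arbitrary script executes here, mid-resolution
    return undefined;              // not callable, so the value is used as-is
  },
};

async function awaitThenable() {
  log.push("before await");
  const v = await thenable;        // resolution looks up v.then: the getter fires now
  log.push("after await");
  return v === thenable;
}

// Calls the async function and snapshots the log immediately afterwards.
// The async body runs synchronously up to its first await, so the getter has
// already executed by the time this returns, while "after await" has not.
function startAndSnapshot() {
  const done = awaitThenable();
  return { log: log.slice(), done };
}
```

Because the getter runs inside the resolution step, anything it does to engine-visible state (in the advisory, replacing the awaited promise) happens before the engine continues past the Await call.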
78b2c24ff6a8f61df29a3ac781ec2f32f86061d57afb7512f75393705b8644f1
Google Chrome V8 suffers from an arrow function scope fixing bug.
24f3824206b56675fc861c6cdc7ec310f3cd9a072873f501aa8fd3d6295dfdca
Chrome V8 JIT suffers from a NodeProperties::InferReceiverMaps type confusion vulnerability.
8f66586231cd91aa2a08984a14f3311417775c1a4895253e34a83ed442b29952
Chrome V8 JIT has a bug in LoadElimination::ReduceTransitionElementsKind.
52130a23075fc5e0b4b4579f903a76984d5f42031dd384419293b72dcd72fee7
A security fix applied for Microsoft Edge Chakra JIT is incomplete.
7fa9ae7d44d240e41a8c31b515d60a4f1624eb25e026c49221e4151fba5ea6c4
A security fix applied for Microsoft Edge Chakra JIT is incomplete.
3218d20b4b0f7b38f5401ba0b1f959df90c67629ecd1eb26504d9375a5243f97
Chrome V8 has multiple bugs in Genesis::InitializeGlobal.
a4ae91099b943cc5ac37c117d80d600d10db590d6f64307f0ed1895f3364aaa1
Chrome V8 suffers from a type confusion vulnerability in ElementsAccessorBase::CollectValuesOrEntriesImpl.
ac6fee41baa624a52e82aa1b36ff3b3ed8a2add6a9505c1256898fb3cc24c9bb
Chrome V8 JIT suffers from a type confusion vulnerability in GetSpecializationContext.
99a6e3514cf19cca4fe6002bb305173115f88838cdba2875ffa1a4de4f173f43
Chrome V8 JIT JSBuiltinReducer::ReduceObjectCreate fails to ensure that the prototype is "null".
1dab39822e88deb84dbd34344ce1eae38572e48ff784b7a073deec1bb63b7b1d
Chrome V8 has an empty BytecodeJumpTable that may lead to an out-of-bounds read.
7acf9bc038faf16f44253fb9a2fe21825a81572b59e8ab231e65443fdd0db941
Chrome V8 JIT suffers from a simplified-lowering optimization bug affecting IrOpcode::kStoreField and IrOpcode::kStoreElement.
ea79bf295a09f5f37553a269c502167a1bf4e5dddb597b29e6fa88cd9179c5f8
Chrome V8 suffers from an integer overflow vulnerability with PropertyArray.
78544b73868b4a617f838b6eedac6007779756c897dfb03b1166522de63fa42c