There is a use-after-free vulnerability in jscript.dll related to how the lastIndex property of a RegExp object is handled. This vulnerability can be exploited through Internet Explorer or potentially through WPAD over a local network. The vulnerability has been reproduced on multiple Windows versions with the most recent patches applied.
f62d6b1e08f80d9d1673d2fc9b2eeec824adb1729417fe99c60cc9f5f1203e01
There is a heap overflow in Skia when drawing paths with anti-aliasing turned off. This issue can be triggered in both Google Chrome and Mozilla Firefox by rendering a specially crafted SVG image. Proof of concepts are included.
3f160181c8497dc4cf1f1145b96c07f641ce5f7ac700a9824ddcbbf59315795b
Skia and Firefox suffer from an issue where an integer overflow in SkTDArray can lead to an out-of-bounds write.
80e438c1f1bd3bccf77299b13af9143308a2335912da6260d8598c1f233e7851
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of revision 227958 on OSX.
16307c2a076e6eedaa5e405c5a3f96d724981d8afd372bf9e6385efaff3fb94f
Microsoft Edge suffers from an ACG bypass vulnerability with OpenProcess().
e13730c75ca6f8bb32812eaeb11c4e26810eb2412806aa44f43438d5b226c9b0
Microsoft Windows suffers from multiple use-after-free issues in jscript Array methods.
2f7ac558c542879acb965c4c06820f163464ea9dc3f6b7895a15dcadd6bca2f1
Microsoft Internet Explorer 11 suffers from a RegExp.lastMatch memory disclosure vulnerability.
d31d4d807418c373074dddb6b109a04ac380f06cff4cdd96d51d28909dfa8524
Microsoft IE11 suffers from a use-after-free vulnerability in Js::RegexHelper::RegexReplace.
734a98cbfc15f0c966a37c25c2d8f7d0f898a4d44f03218af7d92ba501bc2d76
Microsoft Edge suffers from an ACG bypass using UnmapViewOfFile.
75ecabd99428551cbe1014fc356b85e09fce1ebc3b0a7a93516a607cecbb55ca
WebKit suffers from a use-after-free vulnerability in detachWrapper.
d17589f8c87f68f43fdc0fdc6baa36cb0aad0bbdbb624cbb94def83e1f56fbfa
WebKit suffers from a use-after-free vulnerability in WebCore::FrameView::clientToLayoutViewportPoint.
4fb18455a7824410e8bc9a432a98671261c8e1cd41ff089a645fad3cbe7dc9bd
There is an out-of-bounds read in the jscript.dll library (used in IE, WPAD and other places).
515090618f71572b31595b0c710c2e74b500c7981760cbca93b60481466fa253
There is a heap overflow vulnerability in the jscript.dll library (used in IE, WPAD and other places). The bug affects two functions, JsArrayStringHeapSort and JsArrayFunctionHeapSort.
deac9cd1e6753834b079b602c10a506a085746a6093d25bcb66aa97015e0c366
There is a use-after-free in the jscript.dll library that can be exploited in IE11.
532b95f0c945c3c74db85cabef11747d21ad3c48fe54f0e7aa07150204b08455
There is a use-after-free vulnerability in jscript.dll. This issue could potentially be exploited through multiple vectors.
99d64f82c3d7bf075a7abe383e8584579a9d5eb097d044428f5817c78c478888
There is a heap overflow in jscript.dll when compiling a regex. This issue could potentially be exploited through multiple vectors.
d5005d70833db3288d6f3582bebbc45f33bc2b359d5ffcd7ebdfc34a9678b7c2
There is an uninitialized variable vulnerability in jscript.dll. This issue could potentially be exploited through multiple vectors.
2ca8e665341886d4eb124c000b6d3ba9945621bca1bec2303b4938cb4e8e9611
Chakra suffers from a CFG bypass by overwriting JavaScript bytecode.
daeedb6b41591772a884afa12e566a242f6e1b0d3ee1312f4e2dfdeff93e89eb
Chakra suffers from a CFG bypass due to a bug in ServerFreeAllocation.
3d19e7cbedb472d2428edd6222fbd45a4c7b0fc67382167d792c513a4d2719d5
Chakra suffers from a CFG bypass with leafInterpreterFrame. Every JavaScript variable in Chakra (except a tagged int) is a pointer. From this pointer, using an arbitrary read, it is possible to follow a chain of pointers and end up with a pointer to the native stack. This allows disclosing the stack location and subsequently overwriting a return address on the stack leading to CFG bypass.
e0fbcd6d6c6068eeac50241aac0d32bd46ce7a53f66113cb469ea260e17d8537
WebKit suffers from a use-after-free vulnerability in WebCore::FormSubmission::create.
c2e26605ef8814643236d5f9d97cb4faad8aeb808f52594ca616c0d971826d8a
WebKit suffers from a use-after-free vulnerability in WebCore::RenderObject::previousSibling.
8a278fe1a01bed0f7b17ac6fcc4317b1168ac683975a217d23d0e3a903eea3ea
WebKit suffers from a use-after-free vulnerability in WebCore::DocumentLoader::frameLoader.
f6596283db934d92384dd48f38e36757c9cab5b6ca671329f22f9f48e1aca7bc
WebKit suffers from a use-after-free vulnerability in WebCore::Style::TreeResolver::styleForElement.
ea5990dbcd10f10220871583d7e4a8f64595578bfb2375ec0419820b0ad1e27d
WebKit suffers from an out-of-bounds read in WebCore::SVGPatternElement::collectPatternAttributes.
a134d05e2659242ae6b08570b4062d0b03e9ec5b249c75b9adedd8e9d69fdb0a