MINI-MCR3-6M72-VPH9

Bulletin has no description...

MINI-8M72-8J2M-XJ4X

Bulletin has no description...

Google Chrome < M72 - FileWriterImpl Use-After-Free Exploit

Google Chrome GetBlobDataFromBlobPtr std::moveblob, base::BindOnce&FileWriterImpl::DoWrite, base::Unretainedthis, std::movecallback, position; Note that the last argument to GetBlobDataFromBlobPtr is a callback object bound to base::Unretainedthis. And the implementation of GetBlobDataFromBlobPtr...

Google Chrome < M72 - PaymentRequest Service Use-After-Free Exploit

Google Chrome M72 - PaymentRequest Service Use-After-Free Exploit There are several object-lifetime issues in the browser process in the implementation of payments.mojom.PaymentRequest. The PaymentRequest object contains a std::uniqueptr to a PaymentRequestSpec, which is initialised during the ca...

Google Chrome < M72 - RenderFrameHostImpl::CreateMediaStreamDispatcherHost Use-After-Free

Google Chrome M72 - RenderFrameHostImpl::CreateMediaStreamDispatcherHost Use-After-Free There's a race-condition / object-lifetime issue in the browser process when the browser process shutdown races against the IO thread handling mojo messages from the renderer. It's at least possible to trigger...

Google Chrome < M72 - Use-After-Free in RenderProcessHostImpl Binding for P2PSocketDispatcherHost

Google Chrome M72 - Use-After-Free in RenderProcessHostImpl Binding for P2PSocketDispatcherHost There's an object-lifetime issue in the browser process in the handling of P2PSocketDispatcherHost binding in parallel with OnBloatedRenderer event handling. In RenderProcessHostImpl, we have a uniquep...

Google Chrome M72 - PaymentRequest Service Use-After-Free

Google Chrome M72 - PaymentRequest Service Use-After-Free There are several object-lifetime issues in the browser process in the implementation of payments.mojom.PaymentRequest. The PaymentRequest object contains a std::uniqueptr to a PaymentRequestSpec, which is initialised during the call to...

Google Chrome M72 - RenderFrameHostImpl::CreateMediaStreamDispatcherHost Use-After-Free

Google Chrome M72 - RenderFrameHostImpl::CreateMediaStreamDispatcherHost Use-After-Free There's a race-condition / object-lifetime issue in the browser process when the browser process shutdown races against the IO thread handling mojo messages from the renderer. It's at least possible to trigger...

Google Chrome M72 - FileWriterImpl Use-After-Free

Google Chrome M72 - FileWriterImpl Use-After-Free There's a use-after-free in the implementation of the FileWriter component of the mojo bindings for the filesystem API. The browser-process side of this API is defined in...

Google Chrome &lt; M72 - RenderFrameHostImpl::CreateMediaStreamDispatcherHost Use-After-Free

There's a race-condition / object-lifetime issue in the browser process when the browser process shutdown races against the IO thread handling mojo messages from the renderer. It's at least possible to trigger this by closing the browser while running the attached poc; I'm not sure if there's a...

Google Chrome M72 - Use-After-Free in RenderProcessHostImpl Binding for P2PSocketDispatcherHost

Google Chrome M72 - Use-After-Free in RenderProcessHostImpl Binding for P2PSocketDispatcherHost There's an object-lifetime issue in the browser process in the handling of P2PSocketDispatcherHost binding in parallel with OnBloatedRenderer event handling. In RenderProcessHostImpl, we have a uniquep...

Google Chrome &lt; M72 - PaymentRequest Service Use-After-Free

There are several object-lifetime issues in the browser process in the implementation of payments.mojom.PaymentRequest. The PaymentRequest object contains a std::uniqueptr to a PaymentRequestSpec, which is initialised during the call to PaymentRequest::Init...