44 matches found
CVE-2018-17481
CVE-2018-17481 describes a use-after-free in PDFium used by Google Chrome before 71.0.3578.98, enabling potential heap corruption via a crafted PDF file. Affected software/components: Google Chrome and the PDFium library. Impact per sources: remote attacker could exploit heap corruption; Chrome’s...
CVE-2018-18359
CVE-2018-18359 affects chromium-browser/chromium before 71.0.3578.80. According to the Arch Linux ASA-201812-2 and Debian/Debian tracker entries, it is an information-disclosure vulnerability caused by an out-of-bounds read in the V8 JavaScript engine. Impact is that a remote attacker could acces...
CVE-2018-18336
CVE-2018-18336 is a use-after-free in the PDFium component of Chromium/Google Chrome prior to version 71.0.3578.80, enabling potential heap corruption via a crafted PDF file. The Arch Linux security advisory ASA-201812-2 (and Debian DSA-4352-1, among other sources) confirm the issue and state...
CVE-2018-18338
CVE-2018-18338 affects Chromium/Google Chrome’s canvas renderer. Arch Linux ASA-201812-2 documents a heap-based buffer overflow in the Canvas component before 71.0.3578.80, enabling arbitrary code execution by a remote attacker. The fix is to upgrade to Chromium 71.0.3578.80-1 (or newer).
CVE-2018-18341
CVE-2018-18341 affects Chromium/Google Chrome prior to 71.0.3578.80. The Blink/WebKit component contains a heap-based buffer overflow that could allow a remote attacker to exploit heap corruption via a crafted HTML page. Impact is remote code execution potential as part of heap corruption; exploi...
CVE-2018-18346
CVE-2018-18346 affects Chromium/Google Chrome before 71.0.3578.80. Reported as an incorrect security UI issue in Blink, enabling a crafted HTML page to cause a confusing browser UI. The Arch Linux advisory confirms the issue set includes CVE-2018-18346 and recommends upgrading to 71.0.3578.80 or ...
CVE-2018-6073
CVE-2018-6073 is a WebGL heap-buffer overflow in Google Chrome before 65.0.3325.146 that allowed a remote attacker to perform an out-of-bounds memory write via a crafted HTML page. The vulnerability is tied to the WebGL implementation in Chrome’s rendering stack. Debian security advisories list t...
CVE-2018-6092
The CVE-2018-6092 entry relates to an integer overflow in Chrome’s WebAssembly implementation on 32‑bit systems, allowing remote code execution inside the sandbox via a crafted HTML page. Affected software from the connected advisories includes Google Chrome/Chromium up to version 66.0.3359.117 (...
CVE-2018-17464
CVE-2018-17464 refers to a URL spoofing vulnerability in the Omnibox component of Chromium/Google Chrome for iOS, caused by incorrect handling of browsing history prior to version 70.0.3538.67. A remote attacker could craft HTML to spoof the Omnibox content. Connected advisories confirm the issue...
CVE-2018-17469
CVE-2018-17469 affects Google/Chromium’s PDFium component: a heap-based buffer overflow in PDFium prior to 70.0.3538.67 (in PDF filter chain handling) can enable a remote attacker to trigger out-of-bounds memory reads and potentially execute code. Public sources in connected docs confirm the issu...
CVE-2018-18339
CVE-2018-18339 affects Chromium/Google Chrome where a use-after-free in the WebAudio implementation (before 71.0.3578.80) can lead to remote code execution via crafted HTML pages. Arch Linux notes the fix is in Chromium 71.0.3578.80-1 (upgrade recommended). Other sources corroborate the vulnerabi...
CVE-2018-6066
CVE-2018-6066 affects Google Chrome (Blink) due to lack of CORS checking in ResourceFetcher/ResourceLoader, enabling a remote attacker to leak cross-origin data via crafted HTML. Publicly reported as a Same Origin Policy bypass in Chrome/Chromium before 65.0.3325.146; multiple vendors referenced ...
CVE-2018-6089
Google Chrome/Chromium prior to 66.0.3359.117 was affected by CVE-2018-6089, a Same Origin Policy bypass in Service Workers triggered by a cross-origin PDF redirect after a Safari-like CORS gap. The workaround is upgrading to 66.0.3359.117 or newer; Chrome’s 66 stable release notes confirm the fi...
CVE-2018-17462
CVE-2018-17462 concerns Google Chrome before 70.0.3538.67, where incorrect refcounting in AppCache could allow a remote attacker to escape the browser sandbox via a crafted HTML page. The practical impact is sandbox escape, enabling potential access to privileged context from a web page. Connecte...
CVE-2018-18337
The CVE-2018-18337 issue affects Chromium/Blink. A use-after-free vulnerability in Blink (Chromium’s rendering engine) was identified prior to version 71.0.3578.80, with attackers able to trigger heap corruption through a crafted HTML page. Upstream fixes address Blink use-after-free paths; affec...
CVE-2018-6088
CVE-2018-6088 affects Google Chrome/Chromium via a use-after-free in the PDFium library. The issue allows remote code execution inside the sandbox when processing crafted PDFs, currently mitigated by updating to Chrome/Chromium 66.0.3359.117 (and similarly updated Chromium packages in Debian/Fedo...
CVE-2018-6081
CVE-2018-6081 affects Google Chrome interstitials; a cross-site scripting flaw in Chrome prior to 65.0.3325.146 could be triggered by convincing a user to install a malicious extension or open Developer Console, via a crafted HTML page. Connected advisories confirm patches: Debian fixes in Chrome...
CVE-2018-18340
CVE-2018-18340 affects Chromium/Google Chrome MediaRecorder. The vulnerability is a use-after-free in the MediaRecorder implementation, leading to potential heap corruption and remote code execution via a crafted HTML page. Affected version range is before 71.0.3578.80 (the fix version per upstre...
CVE-2018-18343
CVE-2018-18343 affects Chromium/Chrome with a use-after-free in Skia prior to 71.0.3578.80. The issue is triggered via crafted HTML and can lead to heap corruption and remote code execution. Affected component: Skia (Chromium/WebKit rendering stack). The Arch Linux ASA-201812-2 entry confirms a s...
CVE-2018-6102
CVE-2018-6102 affects Google Chrome/Chromium, enabling an attacker to spoof the Omnibox (URL bar) via a crafted domain name. The vulnerability is described as a URL spoofing issue in Omnibox and is fixed in Chrome/Chromium around version 66.0.3359.117 (example Debian update notes reference 66.0.3...
CVE-2018-6116
CVE-2018-6116 concerns a null pointer dereference in WebAssembly within Google Chrome before 66.0.3359.117, enabling a remote attacker to potentially trigger out-of-bounds memory access via a crafted HTML page. Connected advisories confirm the vulnerability as part of Chrome/WebAssembly issues an...
CVE-2018-18347
CVE-2018-18347 affects Chromium/WebKit’s Navigation component. A flaw in handling failed navigations with invalid URLs allowed a remote attacker to craft an HTML page that tricks a user into running JavaScript in an arbitrary origin. The Arch Linux advisory (ASA-201812-2) and Debian advisories no...
CVE-2018-6071
CVE-2018-6071 is a heap/buffer overflow in Skia used by Google Chrome (pre-65.0.3325.146). Connected sources confirm a Skia-related overflow that could trigger an out-of-bounds memory access via a crafted HTML page. Affected context appears in Chrome/Chromium release notes and Debian/Gentoo advis...
CVE-2018-6076
CVE-2018-6076 affects Google Chrome (Blink) where URL fragment identifiers were not encoded correctly, enabling a remote attacker to trigger a DOM-based XSS via a crafted HTML page. Concrete details in connected records place the vulnerable component in Blink/Chrome prior to version 65.0.3325.146...
CVE-2018-6098
CVE-2018-6098 refers to a URL spoofing vulnerability in Google Chrome's URL Formatter caused by incorrect handling of confusable characters in IDN homographs. The issue affects Chrome prior to 66.0.3359.117, enabling a remote attacker to perform domain spoofing via a crafted domain name. The publ...
CVE-2018-6105
CVE-2018-6105 describes an issue in Google Chrome/Chromium where the Omnibox mishandled confusable characters in IDN homographs, enabling domain spoofing via a crafted domain name. Affected product: Google Chrome (Chromium core) prior to version 66.0.3359.117. Root cause: incorrect handling of co...
CVE-2018-6069
CVE-2018-6069: Stack overflow in Skia used by Google Chrome prior to 65.0.3325.146 allows a remote attacker to perform an out-of-bounds read via a crafted HTML page. Affected software is Google Chrome/Chromium with Skia; remediation is upgrading to Chrome 65.0.3325.146+ or Chromium package versions that inc...
CVE-2018-6075
Chrome 65.0.3325.146+ fixes CVE-2018-6075 (information disclosure via overly permissive cross-origin downloads). Affected product: Google Chrome/Chromium. Root cause: bypass of Same Origin Policy enabling cross-origin data leakage through a crafted HTML page and user interaction. Remediation: upg...
CVE-2018-17473
CVE-2018-17473 is a URL spoofing vulnerability in Google Chrome/Chromium’s Omnibox prior to version 70.0.3538.67. The fixed release is 70.0.3538.67 (upstream) and Debian/Arch advisories document the remediation to update to 70.0.3538.67 or newer. Affected component is the Omnibox; root cause rela...
CVE-2018-6072
CVE-2018-6072 is a PDFium-related vulnerability in Google Chrome prior to 65.0.3325.146. Description: an integer overflow in the PDFium library could lead to heap corruption, potentially exploitable via a crafted PDF file. Connected sources confirm PDFium involvement and the Chrome 65.0.3325.146 ...
CVE-2018-6090
CVE-2018-6090 refers to a heap buffer overflow in Skia used by Google Chrome before 66.0.3359.117, allowing remote code execution inside the sandbox via a crafted HTML page. Connected sources confirm the flaw affects Chrome/Chromium’s Skia component and state that the fix is included in Chrome 66...
CVE-2018-6094
CVE-2018-6094 affects Google Chrome/Chromium, where a regression in GarbageCollection (Oilpan) could enable a remote attacker to exploit heap corruption via a crafted HTML page. The vulnerability is documented as fixed in Chrome/Chromium around version 66.0.3359.117 (e.g., Debian/Gentoo advisori...
CVE-2018-6107
CVE-2018-6107 is a URL spoofing vulnerability in Google Chrome/Chromium caused by incorrect handling of confusable characters in the URL Formatter (IDN homographs). A remote attacker could spoof domains via crafted domain names. The issue affected Chrome/Chromium versions prior to 66.0.3359.117 a...
CVE-2018-6108
CVE-2018-6108 affects Google Chrome/Chromium URL Formatter, where incorrect handling of confusable characters (IDN homographs) could enable domain spoofing via a crafted HTML page. Affected product: Google Chrome (and Chromium) prior to Chrome 66.0.3359.117. Root cause: misprocessing of internati...
CVE-2018-6074
Google Chrome prior to version 65.0.3325.146 is vulnerable to a Mark-of-the-Web bypass in downloads. The root cause is the failure to apply the Mark-of-the-Web on downloaded pages, enabling a remote attacker to bypass OS-level protections via a crafted HTML page. The vulnerability is addressed in...
CVE-2018-6095
The CVE-2018-6095 entry relates to Google Chrome’s Blink component. It describes an issue where the file picker could be dismissed inappropriately on keyboard events, allowing a remote attacker to read local files via a crafted HTML page. Affected product: Google Chrome/Blink (before version 66.0...
CVE-2018-6103
CVE-2018-6103 is a Chrome/Chromium UI spoofing vulnerability in the Permissions prompt, where an attacker could bypass permission policy via a crafted HTML page. Connected sources identify the issue as a permissions UI spoof in Chrome/Chromium and note remediation via upgrading to Chrome 66.0.335...
CVE-2018-6068
CVE-2018-6068 describes an object lifecycle issue in Chrome Custom Tab that could let a remote attacker spoof the Omnibox (URL bar) in Google Chrome prior to 65.0.3325.146. Related connected advisories indicate Chromium/Chrome updates fixed this family of issues around version 65.0.3325.146 (and ...
CVE-2018-6101
CVE-2018-6101 affects Google Chrome DevTools (the DevTools remote debugging protocol). The issue is a lack of host validation in DevTools prior to 66.0.3359.117, enabling a remote attacker to execute arbitrary code via a crafted HTML page when a user is running a remote DevTools debugging server....
CVE-2018-6085
CVE-2018-6085 describes a use-after-free in Google Chrome’s Networking Disk Cache. The vulnerability affects Chrome/Chromium’s Disk Cache component and is triggered by a crafted HTML page, enabling a remote attacker to execute arbitrary code. The vulnerability is characterized as a use-after-free...
CVE-2018-6086
CVE-2018-6086 is a use-after-free in Google Chrome’s Networking Disk Cache caused by a double-eviction in Incognito mode. The issue affects Chrome/Chromium prior to version 66.0.3359.117 (fixed in the 66.0.3359.117 release, per Debian security advisories and the Chrome stable-channel blog). A rem...
CVE-2018-6104
CVE-2018-6104 affects Google Chrome/Chromium where the URL Formatter mishandled confusable characters (IDN homographs), enabling domain spoofing. The issue lies in the URL formatting component and could allow a remote attacker to lure users to a spoofed domain. Vulnerable versions are Chrome/Chro...
CVE-2018-6087
CVE-2018-6087 describes a use-after-free in WebAssembly in Google Chrome prior to 66.0.3359.117. The issue allowed a remote attacker to execute arbitrary code inside the sandbox via a crafted HTML page. The connected sources confirm the root cause (WebAssembly use-after-free) and the impact (remo...
CVE-2018-6099
Concretely, CVE-2018-6099 affects Google Chrome/Chromium by a Cross-Origin Resource Sharing bypass in Service Workers (Blink). The root cause is a lack of proper CORS checks in Blink/ServiceWorker handling, enabling a remote attacker to leak limited cross-origin data via a crafted HTML page. The ...