
Bugs

| Product | Version | Identifier | Credit | Description / Write-up |
|---|---|---|---|---|
| Microsoft Edge | RS5 | CVE-2019-0151 | bkth | Type confusion in ChakraCore |
| Microsoft Edge | RS5 | CVE-2019-0922 | bkth | Type confusion in ChakraCore |
| Microsoft Edge | RS5 | CVE-2019-0812 | bkth | Type confusion in ChakraCore |
| Mozilla Firefox | 66.0 | CVE-2019-9793 | bkth, niklasb | Improper bounds check removal |
| Microsoft Edge | RS5 | CVE-2019-0593 | bkth | Logic bug in Chakra's JIT |
| Microsoft Edge | RS5 | CVE-2019-0590 | bkth | Logic bug in Chakra's JIT |
| Microsoft Edge | RS5 | CVE-2018-8629 | bkth | Logic bug in Chakra's JIT leads to OOB R/W |
| Apple macOS / iOS | 10.13.6 | CVE-2018-4126 | bkth | Out-of-bounds read in CFNetwork |
| Apple macOS / iOS | 10.13.6 | CVE-2018-4203 | bkth | Out-of-bounds read in Symptom Framework |
| Mozilla Firefox | 62.0.2 (ESR 60.2.1) | CVE-2018-12387 | bkth, niklasb | RCE bug in Spidermonkey's JIT |
| Mozilla Firefox | 62.0.2 (ESR 60.2.1) | CVE-2018-12386 | bkth, niklasb, saelo | RCE bug in Spidermonkey's JIT |
| Apple Safari | 10.13.6 | CVE-2018-4358 | bkth, niklasb, saelo | Uninitialized memory disclosure in Safari |
| Microsoft Edge | RS4 (17134.81) | CVE-2018-8266 | bkth | Logic bug inside Chakra's JIT leads to RCE |
| Oracle VirtualBox | 5.2.14 | CVE-2018-3085 | niklasb | crServerDispatchMessage OOB write |
| Oracle VirtualBox | 5.2.14 | CVE-2018-3055 | niklasb | crUnpackExtendAreProgramsResidentNV memory disclosure |
| Oracle VirtualBox | 5.2.8 | CVE-2018-2860 | niklasb | Full VM escape (Pwn2Own 2018) |
| Oracle VirtualBox | 5.2.4 | CVE-2018-2698 | niklasb | Full VM escape in default config via VDMA |
| Oracle VirtualBox | 5.2.4 | CVE-2018-2694 | niklasb | Local privilege escalation on a macOS host with VBox installed |
| Oracle VirtualBox | 5.2.4 | CVE-2018-2693 | niklasb | Privilege escalation via guest additions inside a Linux guest |
| Apple macOS / iOS | 10.12.6 / 10.3.3 | CVE-2017-13833 | niklasb | Memory corruption in nsurlstoraged |
| Apple macOS / iOS | 10.12.6 / 10.3.3 | CVE-2017-13829 | niklasb | Memory corruption in nsurlstoraged |
| Apple Safari | 10.1.1 | CVE-2017-7092 | saelo | Integer overflow in JavaScriptCore |
| Apple Safari | 10.1.1 | CVE-2017-7093 | saelo | Memory corruption in JavaScriptCore |
| Mozilla Firefox | Beta 53 | - | saelo | Use-after-free in Spidermonkey |
| Apple macOS | 10.12.4 | CVE-2017-2533 | niklasb | Race condition in diskarbitrationd (Pwn2Own 2017) |
| Apple macOS | 10.12.4 | CVE-2017-2535 | saelo | Logic issue in authd (Pwn2Own 2017) |
| Apple macOS | 10.12.4 | CVE-2017-2534 | niklasb | Quirky sandbox rule for speechsynthesisd (Pwn2Own 2017) |
| Apple macOS | 10.12.4 | CVE-2017-6977 | niklasb | NULL pointer dereference in system service (Pwn2Own 2017) |
| Apple Safari | 10.1 | CVE-2017-2536 | saelo | Integer overflow in JavaScriptCore |
| Apple Safari | 10.0.3 | CVE-2017-2491 | saelo | Use-after-free in JavaScriptCore (Pwn2Own 2017) |
| Mozilla Firefox | 49 | CVE-2016-9066 | saelo | Integer overflow in nsScriptLoader |
| Mozilla Firefox | 47 | CVE-2016-5261 | saelo | Integer overflow in WebSockets |
| Apple Safari | 9.1 | CVE-2016-4622 | saelo | Out-of-bounds access in JavaScriptCore |
