Sec-Status-Needed B2G 2.2
- Resolution: FIXED
- Classification: Client Software, Components
- Updated: (is greater than or equal to) 2014-11-21
- Closed: (changed after) 2014-11-21
- Keywords: sec-critical, sec-high
- Group: core-security
- Whiteboard: (does not contain the string) [b2g-adv-
- status-b2g-v2.2: (is empty)
This result was limited to 500 bugs. See all search results for this query.
| ID | Product | Comp | Status▲ | Summary | status-firefox37 | status-b2g-v2.2 | status-b2g-v2.1 | Whiteboard | Keywords |
|---|---|---|---|---|---|---|---|---|---|
| 1422631 | Core | Audio/Video: cubeb | RESO |
suspect cubeb |
--- | --- | --- | [keep hidden while bugs 1426603 and 1418820 are][post-critsmash-triage][adv-main59+] | crash, csectype-wildptr, regression, sec-high |
| 1423770 | Core | WebRTC: Audio/Video | RESO |
Write out of bounds in Convert |
--- | --- | --- | [adv-main58+][post-critsmash-triage] | crash, csectype-bounds, sec-high |
| 1604117 | Core | Audio/Video: cubeb | RESO |
Crash in [@ memcpy |
--- | --- | --- | [post-critsmash-triage] | crash, csectype-wildptr, regression, sec-high |
| 1614101 | Core | Layout | RESO |
heap-use-after-free in [@ ns |
--- | --- | --- | crash, csectype-uaf, regression, sec-high, testcase | |
| 1415770 | Core | DOM: Core & HTML | RESO |
Assertion failure: is |
--- | --- | --- | [adv-main58+][post-critsmash-triage] | assertion, csectype-uaf, sec-high, testcase |
| 1628120 | Core | DOM: Navigation | RESO |
Intermittent GECKO(11228) | SUMMARY: Address |
--- | --- | --- | [post-critsmash-triage] | csectype-uaf, intermittent-failure, regression, sec-high |
| 1755081 | Core | DOM: Security | RESO |
Cross-origin embeds/objects can obtain permissions of the |
--- | --- | --- | [domsecurity-active][post-critsmash-triage][adv-main100+][adv-esr91.9+] | csectype-priv-escalation, csectype-spoof, sec-high |
| 1644561 | GeckoView | General | RESO |
org |
--- | --- | --- | [geckoview:m79][fxr:p1][post-critsmash-triage] | csectype-uaf, regression, sec-high |
| 1719088 | GeckoView | General | RESO |
Firefox for Android Lock Exit Fullscreen Mode with Recurs |
--- | --- | --- | [keep hidden while bug 1718796 is][reporter-external] [client-bounty-form] [verif?][adv-main91+] | csectype-spoof, sec-high |
| 1730637 | Core | Graphics: CanvasWebG | RESO |
Web |
--- | --- | --- | csectype-intoverflow, sec-high | |
| 1412643 | Core | Printing: Output | RESO |
Crash in PR |
--- | --- | --- | [post-critsmash-triage] | crash, csectype-uaf, regression, sec-high |
| 1533554 | Core | Widget: Win32 | RESO |
Write beyond bounds in ns |
--- | --- | --- | [adv-main67+][adv-esr60.7+] | csectype-intoverflow, regression, sec-high |
| 1647115 | Core | JavaScript Engine | RESO |
Address |
--- | --- | --- | [post-critsmash-triage][sec-survey] | crash, csectype-race, regression, sec-high |
| 1823568 | Core | Web Audio | RESO |
heap-use-after-free in [@ JS::loader::Script |
--- | --- | --- | [adv-main113+r] | csectype-uaf, pernosco, regression, sec-high, testcase |
| 1863391 | Core | JavaScript Engine | RESO |
Assertion failure: Current |
--- | --- | --- | [bugmon:update,bisect][fuzzblocker] | assertion, regression, sec-high, testcase |
| 1416519 | Core | Audio/Video: Playbac | RESO |
Assertion failure: Is |
--- | --- | --- | [adv-main58+][post-critsmash-triage] | assertion, csectype-uaf, regression, sec-high, testcase |
| 1745874 | Core | Audio/Video | RESO |
Use-after-free of Audio |
--- | --- | --- | [reporter-external] [client-bounty-form][adv-main96+][adv-ESR91.5+][sec-survey][post-critsmash-triage] | csectype-uaf, sec-high |
| 1814314 | Core | Audio/Video: Playbac | RESO |
Assertion failure: m |
--- | --- | --- | [adv-main112+r] | assertion, csectype-other, regression, sec-high, testcase |
| 1337418 | Core | WebRTC: Audio/Video | RESO |
Crash in ns |
--- | --- | --- | [adv-main53+][adv-esr52.1+] | crash, csectype-uaf, sec-high, testcase-wanted |
| 1452576 | Core | DOM: Core & HTML | RESO |
Crash [@ get] with Structured |
--- | --- | --- | [adv-main61+][adv-esr52.9+][adv-esr60.1+][post-critsmash-triage] | crash, csectype-sandbox-escape, sec-high, testcase |
| 1493629 | Core | DOM: Security | RESO |
Address |
--- | --- | --- | [domsecurity-active][post-critsmash-triage] | crash, csectype-uaf, regression, sec-high |
| 1649347 | Core | DOM: Workers | RESO |
Address |
--- | --- | --- | [sec-survey][post-critsmash-triage][adv-main79+r][adv-ESR78.1+r] | csectype-race, regression, sec-high |
| 1325052 | Core | JavaScript Engine | RESO |
Assertion failure: !elements[i].is |
--- | --- | --- | [post-critsmash-triage][adv-main52+][adv-esr45.8+] | csectype-uaf, sec-critical |
| 1406398 | Core | JavaScript Engine | RESO |
Assertion failure: MOZ |
--- | --- | --- | [adv-main57+][adv-esr52.5+] | regression, sec-high |
| 1591019 | Core | JavaScript Engine | RESO |
Assertion failure: adjusted |
--- | --- | --- | [jsbugmon:update][post-critsmash-triage] | assertion, bugmon, regression, sec-high, testcase |
| 1593971 | Core | JavaScript Engine: J | RESO |
Assertion failure: input->type() == MIRType::Double, at j |
--- | --- | --- | [jsbugmon:update,bisect][post-critsmash-triage] | assertion, bugmon, csectype-jit, regression, sec-high, testcase |
| 1607665 | Core | JavaScript Engine | RESO |
Crash [@ ??] with Big |
--- | --- | --- | [fuzzblocker][jsbugmon:update][post-critsmash-triage] | bugmon, crash, regression, sec-high, testcase |
| 1607687 | Core | JavaScript Engine | RESO |
Crash [@ JS::Big |
--- | --- | --- | [jsbugmon:update,bisect][post-critsmash-triage] | bugmon, crash, regression, sec-high, testcase |
| 1614704 | Core | JavaScript Engine: J | RESO |
Alias-set for MCreate |
--- | --- | --- | [post-critsmash-triage][adv-main76+r][adv-ESR68.8+r] | csectype-jit, sec-high |
| 1791520 | Core | JavaScript Engine | RESO |
Nullptr dereference in Is |
--- | --- | --- | [post-critsmash-triage][adv-main106+][adv-esr102.4+] | csectype-uaf, sec-high |
| 1308688 | WebExtensions | Request Handling | RESO |
Prevent Web |
--- | --- | --- | [post-critsmash-triage][adv-main51+] triaged | csectype-priv-escalation, sec-high |
| 1769739 | Core | Graphics: CanvasWebG | RESO |
Address |
--- | --- | --- | [adv-main103+r][adv-esr102.1+r] | csectype-race, csectype-uaf, sec-high, testcase |
| 1833876 | Core | Graphics: Canvas2D | RESO |
Manipulation with Offscreen Canvas allows bypassing taint |
--- | --- | --- | [adv-main116+][adv-ESR102.14+][adv-ESR115.1+] | csectype-sop, sec-high |
| 1297099 | Core | Audio/Video: MediaSt | RESO |
Load |
--- | --- | --- | [post-critsmash-triage][adv-main49+] | sec-critical |
| 1317501 | Core | Audio/Video: MediaSt | RESO |
Media |
--- | --- | --- | [post-critsmash-triage][adv-main51+] | sec-high |
| 1360334 | Core | Audio/Video: MediaSt | RESO |
Crash in mozilla::Media |
--- | --- | --- | [adv-main56+][adv-esr52.4+][post-critsmash-triage] | crash, csectype-uaf, regression, sec-high, testcase-wanted |
| 1435036 | Core | WebRTC | RESO |
Address |
--- | --- | --- | [fuzzblocker][adv-main60+][post-critsmash-triage] | crash, csectype-uaf, sec-high |
| 1439655 | Core | WebRTC: Audio/Video | RESO |
Wild pointer read in copy |
--- | --- | --- | [adv-main60+][post-critsmash-triage] | csectype-wildptr, sec-high |
| 1440347 | Core | WebRTC: Audio/Video | RESO |
ASAN UAF in Media |
--- | --- | --- | csectype-uaf, regression, sec-high | |
| 1478575 | Core | WebRTC: Audio/Video | RESO |
Address |
--- | --- | --- | [adv-main62+][adv-esr60.2+][post-cristsmash-triage] | crash, csectype-uaf, regression, sec-high |
| 1571004 | Core | Audio/Video | RESO |
Address |
--- | --- | --- | [post-critsmash-triage] | crash, csectype-uaf, regression, sec-high, testcase-wanted |
| 1661710 | Core | Audio/Video: MediaSt | RESO |
Possible UAF in Cross |
--- | --- | --- | csectype-uaf, regression, sec-high | |
| 1662760 | Core | Audio/Video: MediaSt | RESO |
Address |
--- | --- | --- | [bugmon:confirm][post-critsmash-triage][sec-survey][adv-main82+r][adv-esr78.4+r] | csectype-uaf, regression, sec-high, testcase-wanted |
| 1728321 | Core | WebRTC: Audio/Video | RESO |
UAF in H264 encoder shutdown in Video |
--- | --- | --- | [sec-survey][adv-main93+r][adv-esr78.15+r][adv-esr91.2+r] | crash, csectype-uaf, sec-high |
| 1741118 | Core | WebRTC: Signaling | RESO |
Intermittent gtest | application crashed [@ webrtc::inter |
--- | --- | --- | [sec-survey] | csectype-uaf, intermittent-failure, sec-high |
| 1744081 | Core | WebRTC: Audio/Video | RESO |
Intermittent Main app process exited normally | applicati |
--- | --- | --- | [sec-survey] | crash, csectype-uaf, intermittent-failure, regression, sec-high |
| 1819465 | Core | XPCOM | RESO |
Intermittent browser/base/content/test/webrtc/ < test fil |
--- | --- | --- | [post-critsmash-triage][adv-main112+r] | crash, csectype-uaf, intermittent-failure, regression, sec-high |
| 1324810 | Core | JavaScript Engine: J | RESO |
Ion bug with Reg |
--- | --- | --- | [post-critsmash-triage][adv-main51+] | sec-critical |
| 1425691 | Core | JavaScript Engine | RESO |
Assertion failure: !unknown |
--- | --- | --- | [jsbugmon:update,bisect][post-critsmash-triage][adv-main59+] | assertion, bugmon, sec-high, testcase |
| 1460833 | Core | JavaScript Engine | RESO |
[Bin |
--- | --- | --- | [post-critsmash-triage] | crash, sec-high, testcase |
| 1739683 | Core | JavaScript: WebAssem | RESO |
Crash in Wasm Ion code when gczeal is used with reference |
--- | --- | --- | [sec-survey][adv-main95+][adv-ESR91.4.0+] | csectype-uaf, sec-high |
| 1631573 | NSS | Libraries | RESO | ECDSA Timing Countermeasure Bypass | --- | --- | --- | [sec-moderate for Firefox][RedHat INC1266620][disclosure date 2020-07-28][sec-survey][adv-main80+] | sec-high |
| 1295097 | Core | Audio/Video: Playbac | RESO |
heap-use-after-free in HTMLTrack |
--- | --- | --- | [rr] | csectype-uaf, regression, sec-high |
| 1371484 | Core | Storage: IndexedDB | RESO |
Write beyond bounds in Key::Encode |
--- | --- | --- | [adv-main55+][post-critsmash-triage] | csectype-bounds, sec-critical |
| 1325450 | Core | JavaScript Engine | RESO |
Assertion failure: !minimal |
--- | --- | --- | [post-critsmash-triage] | assertion, regression, sec-high, testcase |
| 1386490 | Core | JavaScript Engine | RESO |
Crash in js::Wrapper |
--- | --- | --- | [adv-main57+][post-critsmash-triage] | crash, csectype-wildptr, regression, sec-high |
| 1416523 | Core | JavaScript Engine: J | RESO |
Crash [@ js::Can |
--- | --- | --- | [jsbugmon:update,bisect][post-critsmash-triage][adv-main59+] | assertion, bugmon, crash, regression, sec-high, testcase |
| 1530958 | Core | JavaScript Engine | RESO |
Spidermonkey: Ion |
--- | --- | --- | [GP0 disclosure deadline May 27][jsbugmon:testComment=5,origRev=198cd4a81bf2][post-critsmash-triage][adv-main66+][adv-esr60.6+] | bugmon, sec-critical, testcase |
| 1386110 | Core | CSS Parsing and Comp | RESO |
stylo: Address |
--- | --- | --- | crash, csectype-uaf, regression, sec-critical, testcase | |
| 1319456 | Core | Printing: Output | RESO |
[e10s] Crash in std::_Hash<T>::equal |
--- | --- | --- | [post-critsmash-triage][adv-main51+] | crash, csectype-uaf, regression, sec-high |
| 1368268 | Core | Security: Process Sa | RESO |
Crash in `anonymous namespace''::Active |
--- | --- | --- | [post-critsmash-triage][adv-main61+] sb+ | crash, csectype-uaf, sec-high |
| 1451376 | Core | Printing: Output | RESO |
Use after free in Content |
--- | --- | --- | [adv-main60+][adv-esr52.8+][post-critsmash-triage] | csectype-sandbox-escape, csectype-uaf, sec-high |
| 1490234 | Core | IPC | RESO |
Shared memory should not allow executable images to be ma |
--- | --- | --- | [post-critsmash-triage][adv-main63+][adv-esr60.3+] | csectype-priv-escalation, csectype-sandbox-escape, sec-high |
| 1497749 | Core | IPC | RESO |
IPC channels created via Endpoint passing don't authentic |
--- | --- | --- | [post-critsmash-triage][adv-main65+][adv-esr60.5+] | csectype-priv-escalation, sec-high |
| 1554110 | Core | Security: Process Sa | RESO |
Windows sandbox: renderer processes can open each and unr |
--- | --- | --- | [reporter-external] [client-bounty-form][post-critsmash-triage][adv-main76+][adv-ESR68.8+] | csectype-priv-escalation, csectype-sandbox-escape, sec-high |
| 1599005 | Core | Security: Process Sa | RESO |
Race condition in firefox!sandbox::Shared |
--- | --- | --- | [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main72+][adv-esr68.4+] | csectype-priv-escalation, csectype-sandbox-escape, sec-high |
| 1618911 | Core | Security: Process Sa | RESO | Firefox: Default Content Process DACL Sandbox Escape | --- | --- | --- | [disclosure date is 2020-05-28][post-critsmash-triage][adv-main76+][adv-ESR68.8+] | csectype-priv-escalation, csectype-sandbox-escape, sec-critical |
| 1846687 | Core | Graphics | RESO |
use-after-free in m |
--- | --- | --- | [reporter-external] [client-bounty-form] [verif?] [adv-main117+] [adv-esr115.2+] [adv-esr102.15+] | csectype-sandbox-escape, csectype-uaf, sec-high, testcase |
| 1309469 | Core | WebRTC: Audio/Video | RESO |
Crash in ns |
--- | --- | --- | [post-critsmash-triage] | crash, csectype-uaf, sec-critical |
| 1317670 | Core | WebRTC | RESO |
ref |
--- | --- | --- | [post-critsmash-triage] | crash, csectype-uaf, regression, sec-high |
| 1353313 | Core | Audio/Video: Playbac | RESO |
Intermittent PROCESS-CRASH | dom/media/test/test |
--- | --- | --- | crash, csectype-uaf, intermittent-failure, sec-high | |
| 1419374 | Core | WebRTC: Audio/Video | RESO |
Crash in std::_Function |
--- | --- | --- | [clouseau] | crash, csectype-wildptr, regression, sec-high |
| 1279819 | Core | DOM: Animation | RESO |
heap-use-after-free in mozilla::Keyframe |
--- | --- | --- | csectype-uaf, regression, sec-high | |
| 1632717 | Core | Audio/Video: Playbac | RESO |
Potential Ua |
--- | --- | --- | [post-critsmash-triage][adv-main77+r][adv-esr68.9+r] | crash, csectype-uaf, sec-high |
| 1827359 | Core | JavaScript Engine | RESO |
Intermittent Assertion failure: a |
--- | --- | --- | [adv-main113+r][adv-ESR102.11+r] | assertion, csectype-bounds, intermittent-failure, sec-high |
| 1395598 | Core | DOM: Core & HTML | RESO |
Intermittent Address |
--- | --- | --- | [adv-main56+][adv-esr52.4+][post-critsmash-triage] | csectype-bounds, intermittent-failure, sec-critical |
| 1545345 | Core | DOM: Workers | RESO |
Web Workers - Use After Free with XMLHttp |
--- | --- | --- | [post-critsmash-triage][adv-main76+][adv-ESR68.8+] | csectype-uaf, sec-critical |
| 1626728 | Core | Storage: Cache API | RESO |
Address |
--- | --- | --- | csectype-uaf, sec-critical | |
| 1634872 | Core | DOM: Workers | RESO |
Leak of post-redirect url in error stacktrace when script |
--- | --- | --- | [reporter-external] [client-bounty-form] [sec-survey][adv-main79+][adv-ESR78.1+] [adv-esr68.11+] | csectype-sop, sec-high |
| 1755621 | Core | DOM: Web Authenticat | RESO |
Win |
--- | --- | --- | [reporter-external] [client-bounty-form] [verif?][sec-survey][adv-main99+][adv-esr91.8+] | csectype-bounds, csectype-sandbox-escape, sec-high |
| 1568862 | Core | Widget: Cocoa | RESO |
Crash in [@ objc |
--- | --- | --- | [post-critsmash-triage] | crash, csectype-uaf, regression, sec-high, topcrash |
| 1651705 | GeckoView | General | RESO |
UAF in ns |
--- | --- | --- | [geckoview:m80][geckoview:m81][geckoview:m82][post-critsmash-triage][adv-main83+r] | csectype-race, csectype-uaf, sec-high |
| 1830975 | Core | JavaScript: WebAssem | RESO |
Undefined |
--- | --- | --- | [bugmon:update,bisect] | crash, csectype-bounds, regression, sec-high, testcase |
| 1833681 | Core | JavaScript: WebAssem | RESO | Subtypes can leak through block params and results | --- | --- | --- | sec-high | |
| 1538042 | Core | Find Backend | RESO |
ns |
--- | --- | --- | [adv-main67+][adv-esr60.7+] | crash, csectype-bounds, regression, sec-high, testcase |
| 1552206 | Toolkit | Application Update | RESO |
Permissions overwrite via folder symlink TOCTOU by Mainte |
--- | --- | --- | [fixed in bug 1551913][reporter-external] [client-bounty-form] [verif?][adv-main69+][adv-esr68.1+][post-critsmash-triage] | csectype-priv-escalation, sec-high |
| 1732435 | Toolkit | Application Update | RESO |
Arbitrary permissions overwrite due to folder locking TOC |
--- | --- | --- | [reporter-external] [client-bounty-form] [verif?][fidedi-security][sec-survey][post-critsmash-triage][adv-main97+][adv-esr91.6+] | csectype-priv-escalation, sec-high |
| 1806394 | Toolkit | Application Update | RESO |
Mar File Lock Bypass Leads to Privilege Escalation via Mo |
--- | --- | --- | enterprisey [post-critsmash-triage][adv-main112+][adv-esr102.10+] | csectype-priv-escalation, sec-high |
| 1400599 | Core | DOM: Core & HTML | RESO |
Assertion failure: this != pres |
--- | --- | --- | [post-critsmash-triage] | assertion, csectype-uaf, regression, sec-high, testcase |
| 1530146 | Core | DOM: Core & HTML | RESO |
Tab Crash - Viewing Facebook [@ js::Context |
--- | --- | --- | [post-critsmash-triage] | crash, crashreportid, regression, sec-high, topcrash |
| 1521214 | Core | Audio/Video | RESO |
Update Buffer |
--- | --- | --- | [post-critsmash-triage][adv-main66+][adv-esr60.6+] | csectype-bounds, sec-high |
| 1614971 | Core | Audio/Video: cubeb | RESO |
Fix heap-use-after-free errors found by Address |
--- | --- | --- | [post-critsmash-triage][adv-main74+][adv-esr68.6+] | csectype-uaf, sec-high |
| 1620488 | Core | Audio/Video: cubeb | RESO | Switching device in a row can lead to a UAF | --- | --- | --- | [post-critsmash-triage][adv-main76+r] | csectype-uaf, sec-high |
| 1622291 | Core | Audio/Video: cubeb | RESO |
UAF when destroying cubeb context while device collection |
--- | --- | --- | [post-critsmash-triage][adv-main76+r] | csectype-race, csectype-uaf, sec-high |
| 1256065 | Core | Audio/Video: GMP | RESO |
crash in mozilla::GMPVideo |
--- | --- | --- | [post-critsmash-triage][adv-main46+][adv-esr45.1+] | crash, csectype-uaf, regression, sec-critical, topcrash-win |
| 1664453 | Core | JavaScript: WebAssem | RESO |
Hit MOZ |
--- | --- | --- | assertion, crash, regression, sec-high, testcase | |
| 1776655 | Core | DOM: Device Interfac | RESO |
Crash in [@ (anonymous namespace)::Darwin |
--- | --- | --- | [post-critsmash-triage][adv-main105+r][adv-esr102.3+r] | crash, csectype-uaf, sec-high |
| 1571223 | Core | DOM: Content Process | RESO |
heap-use-after-free in [@ mozilla::dom::Content |
--- | --- | --- | [post-critsmash-triage][adv-main70+][adv-main70+r][adv-esr68.2+][adv-esr68.2+r] | crash, csectype-uaf, sec-high, testcase-wanted |
| 1580288 | Core | Networking: HTTP | RESO |
Crash [@ Length] through [@ mozilla::net::ns |
--- | --- | --- | [adv-main71+r][necko-triaged][post-critsmash-triage][adv-esr68.3+r] | crash, csectype-race, sec-high, testcase |
| 1604851 | Core | Networking | RESO |
Assertion failure: Is |
--- | --- | --- | [necko-triaged][post-critsmash-triage][adv-main73+r] [adv-esr68.5+r] | crash, csectype-race, sec-high |
| 1339259 | Core | Widget: Win32 | RESO |
Crash in mozilla::widget::Audio |
--- | --- | --- | tpi:+, win7only[tbird crash][adv-main57+][adv-esr52.5+][post-critsmash-triage] | crash, csectype-uaf, sec-high |
| 1449388 | Core | Security: Process Sa | RESO |
Crash in CLocked |
--- | --- | --- | [post-critsmash-triage] | crash, csectype-wildptr, regression, sec-high |
| 1402014 | Core | Networking: HTTP | RESO |
Crash in mozilla::net::Http2Session::Flush |
--- | --- | --- | [necko-triaged][sec-survey] | crash, csectype-uaf, regression, sec-high |
| 1515459 | Core | Networking: HTTP | RESO |
Crash in mozilla::net::TLSFilter |
--- | --- | --- | [necko-triaged][post-cristsmash-triage] | crash, csectype-uaf, regression, sec-high |
| 1520483 | Core | Networking: HTTP | RESO |
Crash in mozilla::net::ns |
--- | --- | --- | [necko-triaged][post-cristsmash-triage][adv-main66+] | crash, csectype-uaf, regression, sec-high |
| 1618158 | Core | Networking | RESO |
PHC Crash in [@ neqo |
--- | --- | --- | [necko-triaged] [post-critsmash-triage] disabled on beta/release | crash, csectype-race, regression, sec-high |
| 1767590 | NSS | Libraries | RESO | Uninitialized variable leads to invalid/arbitrary memory ... | --- | --- | --- | [adv-main101+][adv-esr91.10+][post-critsmash-triage] | csectype-uninitialized, sec-high |
| 1770337 | Core | Security: PSM | RESO |
Upgrade Firefox 101 to use NSS 3 |
--- | --- | --- | [post-critsmash-triage][adv-main101-] | sec-high |
| 1368652 | Core | Security: PSM | RESO |
Get |
--- | --- | --- | [psm-assigned][adv-main55+][adv-esr52.3+][post-critsmash-triage] | crash, regression, sec-high |
| 1368870 | Core | Security | RESO |
the changes made by the bugs tracked by bug 1197205 may h |
--- | --- | --- | [adv-main57-][post-critsmash-triage] | csectype-bounds, meta, sec-audit, sec-critical |
| 1369561 | Core | Security | RESO | misc potentially unsafe snprintf and related calls | --- | --- | --- | [adv-main57+][adv-esr52.5+][post-critsmash-triage] | csectype-bounds, sec-high |
| 1411458 | Core | Security: PSM | RESO |
type confusion in Verify |
--- | --- | --- | [psm-assigned][adv-main57+][adv-esr52.5+][post-critsmash-triage] | sec-critical |
| 1483905 | Core | DOM: Device Interfac | RESO |
Address |
--- | --- | --- | [webauthn][adv-main63+][adv-esr60.3+] | crash, csectype-uaf, sec-high, testcase |
| 1598605 | Core | Security: PSM | RESO |
Address |
--- | --- | --- | [psm-assigned][post-critsmash-triage][adv-main72+r][adv-esr68.4+r] | crash, csectype-bounds, regression, sec-high |
| 1620972 | Core | Security: PSM | RESO |
Crash in [@ mozilla::psm::Transport |
--- | --- | --- | [psm-assigned][post-critsmash-triage][adv-main77+r] | crash, csectype-uaf, regression, sec-high |
| 1834862 | Core | Security: PSM | RESO |
Use-after-free crash in [@ HASH |
--- | --- | --- | [psm-assigned][adv-main115+r][adv-esr102.13+r] | crash, csectype-uaf, sec-high |
| 1314667 | Core | WebRTC: Audio/Video | RESO |
Adding too many Simulcast |
--- | --- | --- | [adv-main50+] | csectype-bounds, regression, sec-critical |
| 1368030 | Core | WebRTC: Audio/Video | RESO |
Intermittent dom/media/tests/mochitest/test |
--- | --- | --- | [adv-main55+][adv-esr52.3+][post-critsmash-triage] | csectype-uaf, intermittent-failure, sec-high |
| 1414829 | Core | WebRTC: Audio/Video | RESO |
Intermittent |
--- | --- | --- | [adv-main61+][adv-esr60.1+][post-critsmash-triage] | csectype-uaf, sec-high |
| 1417797 | Core | WebRTC: Audio/Video | RESO |
UAF in H264 decoder shutdown in VCMDecoded |
--- | --- | --- | [adv-main58+][adv-esr52.6+][post-critsmash-triage] | crash, csectype-uaf, sec-high |
| 1458048 | Core | WebRTC: Networking | RESO |
Likely write beyond bounds in sctp |
--- | --- | --- | [adv-main61+][adv-esr60.1+][adv-esr52.9+] | csectype-bounds, sec-high |
| 1480092 | Core | WebRTC: Audio/Video | RESO |
Web |
--- | --- | --- | [post-critsmash-triage][adv-main62+][adv-esr60.2+] | csectype-uaf, sec-high |
| 1506500 | Core | WebRTC | RESO |
Intermittent SUMMARY: Address |
--- | --- | --- | [post-critsmash-triage] | csectype-uaf, intermittent-failure, regression, sec-high |
| 1611938 | Core | WebRTC: Audio/Video | RESO |
UAF in webrtc::Video |
--- | --- | --- | [post-critsmash-triage][adv-main76+r] | crash, csectype-uaf, intermittent-failure, regression, sec-high |
| 1666570 | Core | WebRTC: Networking | RESO | Cherrypick use-after-free fix from upstream usrsctp | --- | --- | --- | [sec-survey][adv-main82+][adv-esr78.4+] | csectype-uaf, sec-high |
| 1211389 | Core | WebRTC: Networking | RESO |
Crash in nr |
--- | --- | --- | crash, sec-high | |
| 1218326 | Core | WebRTC | RESO |
UAF due to Data |
--- | --- | --- | [adv-main43+][adv-esr38.5+] | csectype-uaf, regression, sec-critical |
| 1280443 | Core | WebRTC: Networking | RESO |
Crash in nr |
--- | --- | --- | [adv-main48+] | csectype-race, csectype-uaf, sec-critical |
| 1293347 | Core | Networking | RESO |
UAF in sctp |
--- | --- | --- | [adv-main49+][adv-esr45.4+] | csectype-uaf, sec-high |
| 1406154 | Core | WebRTC: Networking | RESO |
Stack buffer overflow in nr |
--- | --- | --- | [adv-main57-][post-critsmash-triage] | crash, csectype-bounds, sec-critical |
| 1419325 | Core | WebRTC: Audio/Video | RESO |
SUMMARY: Address |
--- | --- | --- | csectype-uaf, sec-high | |
| 1493689 | Core | WebRTC: Networking | RESO |
SUMMARY: Address |
--- | --- | --- | [post-critsmash-triage] | crash, csectype-uaf, sec-high, testcase |
| 1550133 | Core | WebRTC | RESO | Intermittent /webrtc/<randomtest> | application crashed [... | --- | --- | --- | [sec-survey][post-critsmash-triage][adv-main79+r][adv-ESR78.1+r][adv-esr68.11+r] | crash, csectype-uaf, csectype-wildptr, intermittent-failure, regression, sec-high |
| 1551836 | Core | WebRTC | RESO |
heap-use-after-free and assertion with RTCPeer |
--- | --- | --- | [post-critsmash-triage] | csectype-uaf, regression, sec-high |
| 1592078 | Core | WebRTC: Signaling | RESO |
Potential reentrancy UAFs with Peer |
--- | --- | --- | [fixed in bug 1591199][post-critsmash-triage][adv-main74+r][adv-esr68.6+r] | csectype-uaf, sec-high |
| 1624405 | Core | WebRTC: Networking | RESO |
Crash in [@ nr |
--- | --- | --- | fix in bug 1634145[sec-survey] | crash, csectype-uaf, sec-high |
| 1642792 | Core | WebRTC: Networking | RESO |
Web |
--- | --- | --- | [disclosure date 2020-Jul-28][sec-survey][post-critsmash-triage][reporter is Natalie Silvanovich of Google Project Zero][adv-main79+][adv-ESR78.1+][adv-esr68.11+] | sec-high |
| 1643437 | Core | WebRTC: Networking | RESO |
Crash in [@ nr |
--- | --- | --- | [adv-main78+r][adv-esr68.10+r][sec-survey] | crash, csectype-uaf, sec-high |
| 1657739 | Core | WebRTC: Audio/Video | RESO |
Thread |
--- | --- | --- | [sec-survey][adv-main83+r][adv-esr78.5+r] | csectype-race, sec-high |
| 1671923 | Core | WebRTC: Audio/Video | RESO |
Thread |
--- | --- | --- | [sec-survey][adv-main83+r][adv-esr78.5+r] | sec-high |
| 1804626 | Core | JavaScript Engine: J | RESO |
Assertion failure: [barrier verifier] Unmarked edge: JS O |
--- | --- | --- | [bugmon:update,bisected,confirmed][post-critsmash-triage][adv-main109+r] | assertion, crash, csectype-uaf, regression, sec-high, testcase |
| 1372383 | Core | WebRTC: Signaling | RESO |
[Libfuzzer] Heap-buffer-overflow in sdp |
--- | --- | --- | [post-critsmash-triage][adv-main55-][adv-esr52.3-] don't disclose until upstream agrees to disclose | csectype-bounds, sec-high |
| 1372467 | Core | WebRTC: Signaling | RESO |
[Libfuzzer] Heap-buffer-overflow in sdp |
--- | --- | --- | [post-critsmash-triage][adv-main55-][adv-esr52.3-] don't disclose until upstream agrees to disclose | csectype-bounds, sec-high |
| 1384801 | Core | WebRTC: Signaling | RESO |
[Lib |
--- | --- | --- | [adv-main56-][adv-esr52.4-][post-critsmash-triage] don't disclose until upstream agrees to disclose | crash, csectype-bounds, sec-high, testcase |
| 1424342 | Core | WebRTC | RESO |
Web |
--- | --- | --- | regression, sec-high | |
| 1426988 | Core | WebRTC: Audio/Video | RESO |
UAF crash in libvpx 1 |
--- | --- | --- | [post-critsmash-triage][adv-main59+][adv-esr52.7+] | crash, csectype-uaf, sec-high |
| 1464063 | Core | WebRTC: Signaling | RESO |
[Lib |
--- | --- | --- | [adv-main61+][adv-esr52.9+][adv-esr60.1+][post-critsmash-triage] | crash, csectype-bounds, sec-high, testcase |
| 1467938 | Core | WebRTC: Networking | RESO | VP9 Missing Frame Processing Out-of-Bounds Memory Access | --- | --- | --- | [adv-main61+][adv-esr60.1+][post-critsmash-triage] | csectype-bounds, sec-high |
| 1477253 | Core | Audio/Video: Playbac | RESO | AV1 decoder is turned on by default ! | --- | --- | --- | [post-critsmash-triage] | regression, sec-high |
| 1677590 | Core | WebRTC: Signaling | RESO |
stack-buffer-overflow in [@ sdp |
--- | --- | --- | [disclosure 2021-02-15][adv-main85+r][adv-esr78.7+r][sec-survey] | oss-fuzz, sec-high |
| 1683964 | Core | WebRTC: Networking | RESO | Use-after-free write when handling malicious COOKIE-ECHO | --- | --- | --- | [sec-survey] | csectype-uaf, sec-critical |
| 1856716 | Core | Panning and Zooming | RESO |
Crash in [@ mozilla::layers::Active |
--- | --- | --- | crash, csectype-uaf, regression, sec-high, topcrash | |
| 1578671 | Core | DOM: Core & HTML | RESO |
heap-use-after-free in mozilla::Identifier |
--- | --- | --- | [post-critsmash-triage] | csectype-uaf, regression, sec-high |
| 1546331 | Core | DOM: Workers | RESO |
Web Workers - Use After Free in Register |
--- | --- | --- | [adv-main71+][adv-esr68.3+] | csectype-uaf, sec-high |
| 1616079 | Core | DOM: Workers | RESO |
Crash in [@ Rtl |
--- | --- | --- | [post-critsmash-triage] | crash, csectype-uaf, regression, sec-high |
| 1631618 | Core | DOM: Service Workers | RESO |
[TALOS-2020-1053] use-after-free in Shared |
--- | --- | --- | [post-critsmash-triage][adv-main77+][adv-esr68.9+][sec-survey] | crash, csectype-uaf, sec-high, testcase |
| 1840273 | Core | Graphics: WebGPU | RESO |
Web |
--- | --- | --- | [fixed in wgpu#3936][reporter-external] [client-bounty-form] [verif?] | csectype-sandbox-escape, sec-high |
| 1330739 | Core | Disability Access AP | RESO |
crash near null and potential UAF [@mozilla::a11y::Doc |
--- | --- | --- | [fuzzblocker][adv-main55+][post-critsmash-triage] | crash, csectype-uaf, regression, sec-critical, testcase |
| 1387918 | Core | Disability Access AP | RESO |
heap-use-after-free in [@ mozilla::a11y::Doc |
--- | --- | --- | [adv-main56+][adv-esr52.4+][post-critsmash-triage] | crash, csectype-uaf, regressionwindow-wanted, sec-high, testcase |
| 1410808 | Core | CSS Parsing and Comp | RESO |
stylo: heap-use-after-free in mozilla::css::Rule::cycle |
--- | --- | --- | csectype-uaf, regression, sec-high | |
| 1535612 | Core | CSS Parsing and Comp | RESO |
SUMMARY: Address |
--- | --- | --- | [adv-main67+][adv-esr60.7+] | crash, csectype-uaf, sec-high, testcase |
| 1442010 | Toolkit | UI Widgets | RESO |
Crash in ns |
--- | --- | --- | [post-critsmash-triage][adv-main63+][adv-esr60.3+] | crash, csectype-uaf, sec-high |
| 1312294 | Firefox for iOS | Browser | RESO |
IDN implementation in Firefox for i |
--- | --- | --- | [mobileCore] | csectype-spoof, sec-high, testcase |
| 1497242 | Firefox for iOS | General | RESO |
Continuously revealing of Cross-Origin URL (history navig |
--- | --- | --- | [fixed by Apple] | csectype-sop, sec-high, sec-vector |
| 1557763 | Focus | Security: iOS | RESO |
Address bar and SSL spoofing issue in Firefox focus for i |
--- | --- | --- | csectype-spoof, sec-high | |
| 1586176 | NSS | Libraries | RESO |
Out-of-bounds write when passing an output buffer smaller |
--- | --- | --- | [adv-main71+][adv-esr68.3+] | csectype-bounds, sec-high |
| 1377959 | Core | WebRTC | RESO |
jvm |
--- | --- | --- | [adv-main55-][post-critsmash-triage] | csectype-other, sec-high |
| 1186715 | Core | Audio/Video: Playbac | RESO |
Stagefright: heap-buffer-overflow crash [@stagefright::Sa |
--- | --- | --- | crash, csectype-bounds, sec-high | |
| 1277614 | Core | IPC | RESO |
Crash in mozilla::dom::PBlob |
--- | --- | --- | [adv-main48-] btpp-active, e10s-only | crash, csectype-uaf, sec-high |
| 1186657 | Core | WebRTC: Audio/Video | RESO |
Crash (UAF) in Video |
--- | --- | --- | [adv-main41+] | crash, csectype-uaf, sec-high |
| 1189058 | Core | WebRTC: Audio/Video | RESO |
unresponsive g |
--- | --- | --- | sec-high | |
| 1247236 | Core | WebRTC: Audio/Video | RESO | UAF in Cameras Shutdown on channel errors | --- | --- | --- | [adv-main45+][post-critsmash-triage] | csectype-uaf, sec-high |
| 1542581 | Toolkit | Crash Reporting | RESO |
Race condition in google |
--- | --- | --- | [reporter-external] [client-bounty-form] [verif?][adv-main67+][adv-esr60.7+] | csectype-race, csectype-sandbox-escape, regression, sec-high |
| 1443748 | Core | IPC | RESO |
Crash in mozilla::ipc::IPDLParam |
--- | --- | --- | [post-critsmash-triage][adv-main63+][adv-esr60.3+] | crash, csectype-uaf, regression, sec-high |
| 1322291 | Core | DOM: Animation | RESO |
SEGV on unknown address [@ fetch |
--- | --- | --- | [post-critsmash-triage] | crash, csectype-wildptr, sec-high, testcase |
| 1607536 | Core | DOM: Animation | RESO |
Crash in [@ core::ptr::real |
--- | --- | --- | crash, csectype-uaf, sec-high | |
| 1540759 | Core | Networking: HTTP | RESO |
Address |
--- | --- | --- | [necko-triaged][post-critsmash-triage][adv-main68+][adv-esr60.8+] | crash, csectype-race, regression, sec-high |
| 1548822 | Core | Networking: HTTP | RESO |
Address |
--- | --- | --- | [necko-triaged][post-critsmash-triage][adv-main68+][adv-esr60.8+] | crash, csectype-uaf, regression, sec-high |
| 1550498 | Core | Networking: HTTP | RESO |
Clone connection info object with unprotected m |
--- | --- | --- | [necko-triaged][post-critsmash-triage][adv-main68+][adv-esr60.8+] | crash, csectype-uaf, sec-high |
| 1561912 | Core | Networking: File | RESO |
Crash in [@ mozilla::File |
--- | --- | --- | [geckoview:fenix:m8] [bcs:p1][necko-triaged] [fennec68.1][adv-main69+][adv-esr68.1+][post-critsmash-triage] | crash, csectype-uaf, regression, sec-high |
| 1575217 | Core | Networking: WebSocke | RESO |
Address |
--- | --- | --- | [necko-triaged][post-critsmash-triage][adv-main70+][adv-main70+r][adv-esr68.2+][adv-esr68.2+r] | crash, regression, sec-high, testcase |
| 1425520 | Core | DOM: Serializers | RESO |
Crash in ns |
--- | --- | --- | [safe crash on 58 and later][adv-main59+][adv-esr52.7+] | crash, regression, sec-high, testcase-wanted |
| 1562033 | Core | DOM: HTML Parser | RESO |
title |
--- | --- | --- | [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main69+][adv-esr68.1+][adv-esr60.9+], [wptsync upstream] | regression, sec-high |
| 1639590 | Core | JavaScript Engine | RESO |
Fix Get |
--- | --- | --- | [adv-main77+][adv-esr68.9+][post-critsmash-triage][sec-survey] | regression, sec-high |
| 1729269 | Core | JavaScript Engine: J | RESO |
Assertion failure: return |
--- | --- | --- | [bugmon:update,bisect][sec-survey] | crash, regression, sec-high, testcase |
| 1810711 | Core | JavaScript Engine | RESO |
Assertion failure: Is |
--- | --- | --- | [adv-main110+][adv-esr102.8+] | csectype-uaf, sec-high |
| 1814899 | Core | JavaScript Engine: J | RESO |
MOZ |
--- | --- | --- | [adv-main111+][adv-esr102.9+] | csectype-bounds, sec-high |
| 1851599 | Core | JavaScript Engine | RESO |
Assertion failure: baseline |
--- | --- | --- | [adv-main118+][adv-esr115.3+] | regression, sec-high |
| 1648964 | Testing | geckodriver | RESO | CSRF to RCE in geckodriver | --- | --- | --- | [reporter-external] [client-bounty-form] [post-critsmash-triage][adv-main80-][adv-esr78.2-] | sec-high |
| 1508776 | NSS | Libraries | RESO |
UAF in sftk |
--- | --- | --- | [post-critsmash-triage][adv-main71+] | crash, csectype-uaf, csectype-wildptr, sec-high |
| 1558548 | Core | Security: PSM | RESO |
Upgrade Firefox 60 ESR to use NSS 3 |
--- | --- | --- | [post-critsmash-triage] | csectype-other, sec-high |
| 1558549 | Core | Security: PSM | RESO |
Upgrade Firefox 68 to use NSS 3 |
--- | --- | --- | [post-critsmash-triage] | csectype-other, sec-high |
| 1324773 | Core | JavaScript Engine | RESO |
Crash [@ js::gc::Is |
--- | --- | --- | [jsbugmon:][post-critsmash-triage] | assertion, bugmon, crash, regression, sec-high, testcase |
| 1400003 | Core | JavaScript: GC | RESO |
ns |
--- | --- | --- | [adv-main57+][adv-esr52.5+][post-critsmash-triage] | csectype-uaf, sec-high |
| 1446811 | Core | JavaScript Engine | RESO |
Crash in js::gc::Store |
--- | --- | --- | crash, sec-high | |
| 1500759 | Core | DOM: Security | RESO |
Address |
--- | --- | --- | [domsecurity-active][post-critsmash-triage][adv-main64+][adv-esr60.4+] | crash, regression, sec-high |
| 1504816 | Core | DOM: Core & HTML | RESO | Buffer source patches from 1475228 may have introduced a ... | --- | --- | --- | [post-critsmash-triage][adv-main64+] | csectype-uaf, regression, sec-high |
| 1506640 | Core | JavaScript Engine | RESO |
Assertion failure: found() running jit-test basic/bug9089 |
--- | --- | --- | [adv-main64+][adv-esr60.4+] | assertion, csectype-uaf, sec-high |
| 1510145 | Core | JavaScript Engine | RESO |
Assertion failure: arena->buffered |
--- | --- | --- | [jsbugmon:][post-critsmash-triage][adv-main65+] | assertion, bugmon, regression, sec-high, testcase |
| 1518001 | Core | JavaScript: GC | RESO |
Assertion failure: current |
--- | --- | --- | [post-critsmash-triage][adv-main66+][adv-esr60.6+] | assertion, reproducible, sec-high |
| 1555936 | Core | JavaScript: GC | RESO |
Crash in [@ js::Atoms |
--- | --- | --- | crash, csectype-wildptr, regression, sec-high | |
| 1647325 | Core | JavaScript: GC | RESO |
Crash [@ js::Mutex::owned |
--- | --- | --- | [sec-survey][post-critsmash-triage] | crash, csectype-uaf, regression, sec-high, testcase |
| 1714066 | Core | JavaScript: GC | RESO |
Assertion failure: linear |
--- | --- | --- | [bugmon:update,bisect,confirmed][fuzzblocker][sec-survey][adv-main90+r] | assertion, regression, sec-high, testcase |
| 1756567 | Core | JavaScript: GC | RESO |
Use a Weak |
--- | --- | --- | [sec-survey] | regression, sec-high |
| 1791975 | Core | JavaScript Engine | RESO |
Segfault in js::gc::Is |
--- | --- | --- | [post-critsmash-triage][adv-main107+][adv-esr102.5+] | csectype-uaf, sec-high |
| 1796901 | Core | JavaScript: GC | RESO |
Assertion failure: zone |
--- | --- | --- | [post-critsmash-triage][adv-esr102.5+] | csectype-uaf, regression, sec-high, testcase |
| 1820543 | Core | JavaScript: GC | RESO |
Assertion failure: this->flags() == 0, at gc/Cell |
--- | --- | --- | [adv-main112+][adv-esr102.10+] | csectype-uaf, regression, sec-high |
| 1835886 | Core | JavaScript Engine | RESO | Reproducible Tab Crash while doing module load in iframe | --- | --- | --- | [adv-main115+r][adv-esr102.13+r] | csectype-wildptr, regression, sec-high |
| 1845248 | Core | JavaScript: GC | RESO |
Crash in js::gc::detail::Cell |
--- | --- | --- | csectype-uaf, regression, sec-high | |
| 1847397 | Core | JavaScript: GC | RESO |
Assertion failure: kind == JS::Tracer |
--- | --- | --- | [fixed in 118 by bug 1847017] [adv-main117+] [adv-esr115.2+] | csectype-uaf, pernosco, regression, sec-high, testcase |
| 1315856 | Core | JavaScript Engine: J | RESO |
Assertion failure: (ptr |
--- | --- | --- | [jsbugmon:][post-critsmash-triage] | assertion, bugmon, crash, regression, sec-critical, testcase |
| 1346140 | Core | JavaScript Engine | RESO |
Use-after-free when creating dependent strings with an ex |
--- | --- | --- | [adv-main53+][adv-esr52.1+] | csectype-uaf, regression, sec-critical |
| 1404636 | Core | JavaScript Engine: J | RESO | Differential Testing: Different output message involving ... | --- | --- | --- | [adv-main57+][adv-esr52.5+][post-critsmash-triage] | sec-high, testcase |
| 1408412 | Core | JavaScript Engine: J | RESO | Max number of actual arguments is not checked everywhere | --- | --- | --- | [adv-main57+][adv-esr52.5+] | sec-critical |
| 1412420 | Core | JavaScript Engine | RESO |
Crash [@ js::Type |
--- | --- | --- | [jsbugmon:][adv-main58+][adv-esr52.6+][post-critsmash-triage] | bugmon, crash, regression, sec-high, testcase |
| 1415883 | Core | JavaScript Engine | RESO | Heap-buffer-overflow READ 8 with async generators | --- | --- | --- | [adv-main58+][post-critsmash-triage] | csectype-bounds, oss-fuzz, sec-high |
| 1444668 | Core | JavaScript Engine: J | RESO |
Write beyond bounds caused by overlarge offset in WASM as |
--- | --- | --- | [adv-main60+][adv-esr52.8+] | csectype-bounds, csectype-intoverflow, sec-high |
| 1544386 | Core | JavaScript Engine: J | RESO |
Spidermonkey: Ion |
--- | --- | --- | csectype-jit, sec-critical | |
| 1546327 | Core | JavaScript Engine | RESO |
Bytecode length can overflow UINT32 |
--- | --- | --- | [adv-main67+][adv-esr60.7+] | csectype-intoverflow, sec-high |
| 1592524 | Core | JavaScript Engine | RESO |
Assertion failure: mir->resume |
--- | --- | --- | [jsbugmon:update][post-critsmash-triage] | assertion, bugmon, regression, sec-high, testcase |
| 1603055 | Core | XPConnect | RESO |
Big |
--- | --- | --- | [reporter-external] [client-bounty-form] [verif?][adv-main72+][adv-esr68.4+][sec-survey] | csectype-undefined, regression, sec-high |
| 1608256 | Core | JavaScript Engine | RESO |
Assertion failure: start |
--- | --- | --- | [jsbugmon:bisect][post-critsmash-triage][sec-survey][adv-main74+r][adv-esr68.6+r] | assertion, bugmon, csectype-bounds, regression, sec-high, testcase |
| 1608994 | Core | JavaScript Engine | RESO |
Assertion failure: Load |
--- | --- | --- | [Nightly only] [jsbugmon:bisect][post-critsmash-triage][sec-survey] | assertion, bugmon, crash, csectype-jit, regression, sec-high, testcase |
| 1640737 | Core | JavaScript Engine: J | RESO |
Assertion failure: Load |
--- | --- | --- | [post-critsmash-triage][sec-survey][adv-main78+][adv-esr68.10+] | sec-high |
| 1667685 | Core | JavaScript Engine | RESO |
[warp] Assertion failure: !ic |
--- | --- | --- | [sec-survey][post-critsmash-triage][adv-main83+] | regression, sec-high, testcase |
| 1720031 | Core | JavaScript Engine: J | RESO |
Assertion failure: !Is |
--- | --- | --- | [sec-survey][adv-main91+][adv-esr78.13+] | csectype-uaf, sec-high |
| 1808352 | Core | JavaScript Engine: J | RESO |
Crash in [@ mozilla::dom::Element::Class |
--- | --- | --- | [adv-main111+r][adv-esr102.9+r] | crash, csectype-jit, sec-high, topcrash |
| 1819486 | Core | JavaScript Engine: J | RESO |
Crash [@ js::jit::Call |
--- | --- | --- | [bugmon:update,bisected,confirmed][post-critsmash-triage][adv-main112+r] | assertion, crash, regression, sec-high, testcase |
| 1820602 | Core | JavaScript Engine: J | RESO |
Remaining crashes on JS |
--- | --- | --- | [post-critsmash-triage][adv-main112+r][adv-esr102.10+r] | csectype-jit, sec-high |
| 1827073 | Core | JavaScript Engine: J | RESO |
Assertion failure: m |
--- | --- | --- | [adv-main113-] | csectype-bounds, regression, sec-high |
| 1841682 | Core | JavaScript: GC | RESO |
Assertion failure: this->flags() == 0, at gc/Cell |
--- | --- | --- | [bugmon:update,bisected,confirmed][adv-main116+r][adv-ESR115.1+r] | assertion, csectype-uaf, regression, sec-high, testcase |
| 1422931 | Core | DOM: Core & HTML | RESO |
Address |
--- | --- | --- | csectype-bounds, sec-high | |
| 1842674 | Core | Graphics: Text | RESO |
Potential Double-Free race in gfx |
--- | --- | --- | [adv-main118+r][adv-esr115.3+r] | csectype-race, regression, sec-high |
| 1292534 | Core | Graphics: CanvasWebG | RESO | flex: buffer overflow in generated code | --- | --- | --- | [gfx-noted][adv-main53+][adv-esr52.1+][adv-esr45.9+] | csectype-intoverflow, sec-high |
| 1333858 | Core | Graphics: CanvasWebG | RESO |
SEGV in Address |
--- | --- | --- | gfx-noted [adv-main53+][adv-esr45.9+][adv-esr52.1+] | csectype-bounds, sec-critical, testcase |
| 1394265 | Core | Graphics: CanvasWebG | RESO |
Crash in OOM | large | NS |
--- | --- | --- | [gfx-noted][adv-main57+][adv-esr52.5+][post-critsmash-triage] | crash, csectype-uaf, regression, sec-high |
| 1402372 | Core | Graphics: CanvasWebG | RESO |
heap buffer overflow in Vertex |
--- | --- | --- | [gfx-noted][adv-main57+][adv-esr52.5.1+] | crash, csectype-bounds, regression, sec-critical, testcase |
| 1434400 | Core | Graphics: CanvasWebG | RESO |
using Web |
--- | --- | --- | [CVE-2018-10229][disclose 1442504 in advisory for release when this is public] gfx-noted | sec-high |
| 1442504 | Core | Graphics: CanvasWebG | RESO |
Disable disjoint timer queries to prevent use as a high-p |
--- | --- | --- | [embargo until 1434400 is fixed][adv-main59-][adv-esr52.7-] gfx-noted | sec-high |
| 1507696 | Core | Graphics: CanvasWebG | RESO |
ANGLE crash in copy |
--- | --- | --- | gfx-noted[post-critsmash-triage][adv-main68+] | csectype-uaf, regression, sec-high |
| 1527534 | Core | Graphics | RESO | On Android, Gecko always tries to load a library from an ... | --- | --- | --- | gfx-noted[post-critsmash-triage][adv-main66+] | csectype-priv-escalation, sec-high |
| 1550655 | Core | Graphics: CanvasWebG | RESO | Cherry-pick fixes to angle-66 | --- | --- | --- | [post-critsmash-triage] | regression, sec-high |
| 1608330 | Core | Graphics: CanvasWebG | RESO |
Address |
--- | --- | --- | [post-critsmash-triage] | crash, csectype-uaf, regression, sec-high, testcase |
| 1654211 | Core | Graphics | RESO |
Address |
--- | --- | --- | [sec-survey][post-critsmash-triage][adv-main81+] | crash, csectype-uaf, regression, sec-high |
| 1663466 | Core | Graphics: CanvasWebG | RESO |
Heap Overflow in web |
--- | --- | --- | [sec-survey][adv-main84+][adv-esr78.6+] | csectype-bounds, sec-high |
| 1664257 | Core | Graphics: WebRender | RESO |
Crash in [@ mozilla::Weak |
--- | --- | --- | [post-critsmash-triage][sec-survey][adv-main82+r] | crash, csectype-uaf, regression, sec-high |
| 1743767 | Core | Graphics: CanvasWebG | RESO |
heap-buffer-overflow in mozilla::gl::GLContext::raw |
--- | --- | --- | [post-critsmash-triage][adv-main101+][adv-esr91.10+] | csectype-bounds, sec-high |
| 1755806 | Core | Graphics: CanvasWebG | RESO |
webgl heap overflow (raw |
--- | --- | --- | [fixed by bug 1779800 in Fx106][post-critsmash-triage] | csectype-bounds, sec-high, sec-vector |
| 1770930 | Core | Graphics | RESO |
Address |
--- | --- | --- | [fixed by bug 1779800][adv-esr102.6+] | crash, csectype-bounds, regression, sec-high |
| 1550955 | Core | WebRTC: Audio/Video | RESO |
Crash in [@ mozilla::Source |
--- | --- | --- | [post-critsmash-triage] | crash, csectype-uaf, regression, sec-high |
| 1773396 | Core | Graphics: WebGPU | RESO |
stack-use-after-scope in [@ smallvec::Small |
--- | --- | --- | [bugmon:bisected,confirmed][fuzzblocker] [post-critsmash-triage] | crash, csectype-wildptr, regression, sec-high, testcase |
| 1800172 | Core | Graphics: WebGPU | RESO |
stack-use-after-scope [@ wgpu |
--- | --- | --- | [fuzzblocker][bugmon:bisected,confirmed][post-critsmash-triage] | crash, csectype-uaf, regression, sec-high, testcase |
| 1741201 | Core | Storage: IndexedDB | RESO |
Out-of-bounds write due to integer overflow [@ Object |
--- | --- | --- | [sec-survey][adv-main96+r][adv-ESR91.5+r] | csectype-intoverflow, csectype-sandbox-escape, regression, sec-high |
| 1744165 | Core | Storage: localStorag | RESO |
Intermittent browser/components/preferences/tests/site |
--- | --- | --- | [post-critsmash-triage][adv-main97+r][sec-survey][adv-esr91.6+r] | crash, csectype-uaf, intermittent-failure, sec-high |
| 1516325 | Core | Networking | RESO | Crash in poll | --- | --- | --- | [necko-triaged][adv-main67+][adv-esr60.7+] | crash, csectype-bounds, sec-high, testcase-wanted |
| 1565744 | Core | IPC | RESO |
Mem |
--- | --- | --- | [adv-main69+][adv-esr68.1+][post-critsmash-triage] | csectype-priv-escalation, sec-high |
| 1760611 | NSPR | NSPR | RESO |
Address |
--- | --- | --- | [necko-triaged][adv-main104+r][adv-esr102.2+r] [post-critsmash-triage] | csectype-bounds, sec-high, testcase-wanted |
| 1762078 | Core | DOM: Service Workers | RESO |
Service |
--- | --- | --- | [post-critsmash-triage][adv-main107+][adv-esr102.5+] | csectype-sop, sec-high |
| 1596826 | Core | Widget: Cocoa | RESO |
Crash in [@ -[NSView build |
--- | --- | --- | crash, csectype-uaf, intermittent-failure, regression, sec-high | |
| 1395138 | Core | Graphics: Layers | RESO |
Crash in mozilla::layers::Render |
--- | --- | --- | [gfx-noted][adv-main57+][adv-esr52.5+][post-critsmash-triage] | crash, csectype-uaf, regression, sec-high, topcrash |
| 1469472 | Core | Web Painting | RESO |
heap-buffer-overflow in [@ mozilla::Frame |
--- | --- | --- | crash, csectype-bounds, regression, sec-high, testcase | |
| 1848890 | Core | Graphics: Canvas2D | RESO |
Crash in [@ mozilla::fontlist::Font |
--- | --- | --- | [adv-main118+r][adv-esr115.3+r] | crash, csectype-race, csectype-uaf, sec-high, topcrash |
| 1662507 | Core | WebRTC: Audio/Video | RESO |
Racy access to Webrtc |
--- | --- | --- | [sec-survey][adv-main85+r][adv-esr78.7+r] | csectype-race, sec-high |
| 1330769 | Core | JavaScript Engine | RESO |
ASLR leak via pointer scrambling in Shape |
--- | --- | --- | [adv-main51+][adv-esr45.7+] Disclosure date ~Jan 21 2017 (note Fx51 scheduled for Jan 24) | csectype-disclosure, csectype-sop, sec-high |
| 1384615 | Core | JavaScript Engine | RESO |
Assertion failure: !wcompartment->lookup |
--- | --- | --- | [fixed by bug 1404107][adv-main57+][post-critsmash-triage] | assertion, sec-high, testcase |
| 1403716 | Core | JavaScript Engine | RESO |
Fix the underlying issues that make the patch for bug 135 |
--- | --- | --- | [adv-main57+][post-critsmash-triage] Fixed by bug 1404107 | csectype-uaf, sec-high |
| 1425612 | Core | JavaScript Engine | RESO |
Structured |
--- | --- | --- | [adv-main58+][adv-esr52.6+][post-critsmash-triage] | crash, csectype-sandbox-escape, csectype-wildptr, sec-high, testcase |
| 1426783 | Core | JavaScript Engine | RESO |
Address |
--- | --- | --- | [jsbugmon:update,bisect][adv-main58+][adv-esr52.6+] | bugmon, crash, csectype-sandbox-escape, regression, sec-high, testcase |
| 1459932 | Core | JavaScript Engine | RESO |
Crash in Name |
--- | --- | --- | [#jsapi:crashes-retriage][adv-main67+] | crash, csectype-wildptr, regression, sec-high |
| 1547561 | Core | JavaScript Engine | RESO |
Crash in [@ js::frontend::Rewriting |
--- | --- | --- | crash, csectype-wildptr, sec-high | |
| 1679003 | Core | JavaScript Engine | RESO |
Uninitialised memory read with Big |
--- | --- | --- | [also affects WebKit and Chrome][sec-survey][adv-main84+][adv-esr78.6+] | csectype-uninitialized, regression, sec-critical |
| 1745667 | NSS | Libraries | RESO |
Crash in [@ PR |
--- | --- | --- | [sec-moderate for Firefox][will be fixed in bug 1370866][sec-survey] [post-critsmash-triage][adv-main99+][adv-esr91.8+] | crash, csectype-race, csectype-uaf, sec-high |
| 1753535 | NSS | Libraries | RESO |
Address |
--- | --- | --- | [post-critsmash-triage][sec-survey][adv-main100+r] | crash, csectype-uaf, regression, sec-high, testcase |
| 1756271 | NSS | Libraries | RESO |
Crash in nss |
--- | --- | --- | [nss-fx][post-critsmash-triage][adv-main99-][sec-survey][adv-esr91.8-] | crash, csectype-race, csectype-uaf, sec-high |
| 1798823 | NSS | Libraries | RESO |
segmentation fault or buffer overflow when calling RSA |
--- | --- | --- | [post-critsmash-triage][adv-main110-][adv-esr102.8-] | csectype-bounds, sec-high |
| 1576969 | Core | JavaScript: WebAssem | RESO | thread '<unnamed>' panicked at 'assertion failed: `(left ... | --- | --- | --- | [jsbugmon:][post-critsmash-triage] | assertion, bugmon, crash, regression, sec-high, testcase |
| 1673555 | Core | JavaScript: WebAssem | RESO |
Hit MOZ |
--- | --- | --- | [sec-survey][post-critsmash-triage][adv-main85+r] | assertion, crash, regression, sec-high, testcase |
| 1673589 | Core | JavaScript: WebAssem | RESO |
Crash [@ ??] with SIGTRAP with Web |
--- | --- | --- | [bugmon:update,bisect][sec-survey][adv-main84+r][adv-esr78.6+r] | crash, regression, sec-high, testcase |
| 1678582 | Core | JavaScript: WebAssem | RESO | Crash [@ ??] with Cranelift | --- | --- | --- | [fuzzblocker][sec-survey][adv-main85+r] | crash, regression, sec-high, testcase |
| 1741869 | Core | DOM: Workers | RESO |
Address |
--- | --- | --- | [keep hidden while 1748401 is][fixed by 1650214][bugmon:confirm][adv-main96+r][adv-ESR91.5+r][sec-survey][post-critsmash-triage] | csectype-uaf, sec-high, testcase |
| 1447156 | Core | Storage: IndexedDB | RESO |
Crash in mozilla::dom::IDBFactory::Open |
--- | --- | --- | crash, csectype-uaf, regression, sec-high | |
| 1489020 | Core | Storage: IndexedDB | RESO |
Use after free in Indexed |
--- | --- | --- | [reporter-external] [client-bounty-form] [verif?],DWS_NEXT | csectype-uaf, sec-high, testcase |
| 1499108 | Core | Storage: IndexedDB | RESO |
Address |
--- | --- | --- | [fixed by bug 1538619][adv-main67+][adv-esr60.7+] | crash, csectype-uaf, sec-high, testcase-wanted |
| 1499719 | Core | Storage: IndexedDB | RESO |
Address |
--- | --- | --- | [fixed by bug 1538619][adv-main67+][adv-esr60.7+] | crash, csectype-uaf, sec-high, testcase-wanted |
| 1538619 | Core | Storage: IndexedDB | RESO |
Transaction |
--- | --- | --- | [adv-main67+][adv-esr60.7+] | csectype-uaf, sec-high |
| 1506969 | Core | JavaScript Engine | RESO |
Assertion failure: start |
--- | --- | --- | [disclosure deadline Feb 12, 2019][post-critsmash-triage] | assertion, crash, csectype-bounds, oss-fuzz, sec-high, testcase |
| 1596706 | Core | JavaScript Engine | RESO |
Assertion failure: chars |
--- | --- | --- | [jsbugmon:update,bisect][post-critsmash-triage][adv-main73+r][adv-esr68.5+r] | assertion, bugmon, crash, csectype-bounds, regression, sec-high, testcase |
| 1602497 | Core | JavaScript: Internat | RESO |
Intl |
--- | --- | --- | [sec-survey][post-critsmash-triage] | csectype-intoverflow, sec-high |
| 1612308 | Core | DOM: Networking | RESO |
Security: OOB access in js::Readable |
--- | --- | --- | [disclosure date is 2020-04-29][post-critsmash-triage][adv-main74+][adv-esr68.6+], [wptsync upstream] | sec-high |
| 1660954 | Core | DOM: Core & HTML | RESO |
Abort |
--- | --- | --- | [sec-survey][adv-main82+r][post-critsmash-triage][adv-esr78.4+r] | sec-high |
| 1542097 | Core | Audio/Video: Playbac | RESO |
heap-buffer-overflow in [@ mozilla::Audio |
--- | --- | --- | [adv-main67+][adv-esr60.7+] | crash, csectype-bounds, sec-high, testcase |
| 1561484 | Core | Audio/Video: Playbac | RESO |
Benchmark code doesn't keep Media |
--- | --- | --- | [post-critsmash-triage][adv-main69+][adv-esr68.1+] | crash, csectype-uaf, sec-high, testcase |
| 1673240 | MailNews Core | Security: OpenPGP | RESO |
RNP-01-014 WP1 Thunderbird: Key manipulation via uncertif |
--- | --- | --- | [RNP][fixed-in-rnp][needs tb adjustments] | sec-high |
| 1689613 | Chat Core | Security: OTR | RESO |
Update libgcrypt to 1 |
--- | --- | --- | sec-critical | |
| 1738501 | MailNews Core | Security: S/MIME | RESO |
Automatic S/MIME cert import should use additional verifi |
--- | --- | --- | sec-critical | |
| 1319271 | Core | IPC | RESO | IDB - Use After Free in ipc::IPCResult::Fail | --- | --- | --- | csectype-uaf, regression, sec-critical | |
| 1223670 | Core | Audio/Video: MediaSt | RESO |
"Assertion failure: cycle |
--- | --- | --- | [adv-main44+][adv-esr38.6+][post-critsmash-triage] | assertion, csectype-uaf, regression, sec-critical, testcase |
| 1408276 | Core | Audio/Video: MediaSt | RESO |
races with LIFECYCLE |
--- | --- | --- | [adv-main58+][adv-esr52.6+][post-critsmash-triage] | crash, csectype-wildptr, sec-high |
| 1471953 | Core | Audio/Video: MediaSt | RESO |
Address |
--- | --- | --- | [post-critsmash-triage][adv-main62+][adv-esr60.2+] | csectype-uaf, sec-high, testcase-wanted |
| 1606148 | Core | Web Audio | RESO |
addition of unsigned offset to 0xe4e4e4e4e4e4e4e4 overflo |
--- | --- | --- | [post-critsmash-triage] | csectype-uninitialized, sec-high |
| 1430589 | Core | Web Painting | RESO |
ASAN Stack-overflow on ns |
--- | --- | --- | csectype-uaf, regression, sec-high | |
| 1544526 | Core | Networking: HTTP | RESO |
IPC: heap-use-after-free crash [@mozilla::net::ns |
--- | --- | --- | [necko-triaged][post-critsmash-triage] | crash, csectype-sandbox-escape, csectype-uaf, regression, sec-high, testcase |
| 1656697 | Core | Networking: HTTP | RESO |
Thread |
--- | --- | --- | [post-critsmash-triage][sec-survey][adv-main83+r][adv-esr78.5+r] | crash, csectype-uaf, sec-high, testcase |
| 1662676 | Core | Networking: Cache | RESO |
Crash in [@ ns |
--- | --- | --- | [sec-survey][post-critsmash-triage][adv-main91+r][adv-esr78.13+r] | crash, csectype-uaf, sec-high |
| 1667102 | Core | Networking: HTTP | RESO |
Crash in [@ mozilla::net::Http2Stream::Transmit |
--- | --- | --- | [necko-triaged][sec-survey][adv-main93+][adv-esr91.3+] | crash, sec-high, testcase-wanted |
| 1715029 | Core | Networking | RESO |
Crash in [@ mozilla::net::ns |
--- | --- | --- | [necko-triaged][sec-survey] | crash, csectype-uaf, regression, regressionwindow-wanted, sec-high |
| 1740274 | Core | Networking: HTTP | RESO |
Crash in [@ mozilla::net::Http2Stream::Transmit |
--- | --- | --- | [necko-triaged][sec-survey][adv-main96+r][adv-ESR91.5+r] | crash, csectype-uaf, sec-high, testcase-wanted |
| 1746543 | Core | Networking: HTTP | RESO |
Use-after-free crash in [@ mozilla::net::Proxy |
--- | --- | --- | [necko-triaged][sec-survey][post-critsmash-triage] | crash, csectype-uaf, regression, sec-high |
| 1750688 | Core | Networking: WebSocke | RESO |
Crash in [@ mozilla::net::Web |
--- | --- | --- | [necko-triaged][sec-survey][post-critsmash-triage] | csectype-uaf, sec-high |
| 1794061 | Core | Networking: HTTP | RESO |
Crash in [@ ns |
--- | --- | --- | [necko-triaged][post-critsmash-triage][adv-main107+r][adv-esr102.5+r] | crash, csectype-uaf, sec-high |
| 1806974 | Core | Networking: HTTP | RESO |
Address |
--- | --- | --- | [necko-triaged][necko-priority-queue][post-critsmash-triage][adv-main109+r][adv-esr102.7+r] | crash, csectype-uaf, sec-high, testcase |
| 1814947 | Core | Networking | RESO |
UAF in Http3Web |
--- | --- | --- | [necko-triaged][post-critsmash-triage] | csectype-uaf, pernosco, sec-high |
| 1848999 | Core | Networking: Cache | RESO |
Poison crash in [@ mozilla::net::TLSTransport |
--- | --- | --- | [necko-triaged] [necko-priority-queue] [adv-main117+r] [adv-esr115.2+r] | crash, csectype-uaf, regression, sec-high |
| 1577953 | NSS | Libraries | RESO | HKDF SHA1 stack buffer overflow (write) | --- | --- | --- | [reporter-external] [client-bounty-form] [verif?][adv-main70+][adv-esr68.2+][post-critsmash-triage] | crash, csectype-bounds, sec-high, testcase |
| 1631583 | NSS | Libraries | RESO | Side channel attack on ECDSA signature generation | --- | --- | --- | [sec-moderate in Firefox][disclosure date 2020-07-28][RedHat INC1266630][sec-survey][adv-main80+] | csectype-disclosure, sec-high |
| 1450688 | Core | XBL | RESO |
Crash [@ JS::Get |
--- | --- | --- | [needs followup patch with comment][adv-main61+][adv-esr52.9+][adv-esr60.1+][post-critsmash-triage] | crash, sec-high, testcase |
| 1516738 | Core | JavaScript: WebAssem | RESO |
Assertion failure: size |
--- | --- | --- | [jsbugmon:update][post-cristsmash-triage][adv-main65+][adv-esr60.5+] | assertion, bugmon, csectype-bounds, regression, sec-high, testcase |
| 1587050 | Core | JavaScript: WebAssem | RESO |
table |
--- | --- | --- | sec-high | |
| 1644550 | Core | JavaScript: WebAssem | RESO |
Crash [@ ??] with SIGTRAP with Web |
--- | --- | --- | [bugmon:update,bisect,confirmed][post-critsmash-triage][sec-survey] | crash, regression, sec-high, testcase |
| 1666140 | Core | JavaScript: WebAssem | RESO |
Crash [@ ??] with Web |
--- | --- | --- | [bugmon:update,bisected,confirmed][post-critsmash-triage][sec-survey][adv-main82+r][adv-esr78.4+r] | crash, regression, sec-high, testcase |
| 1675844 | Core | JavaScript: WebAssem | RESO |
Assertion failure: m |
--- | --- | --- | [adv-main85+r][adv-esr78.7+r][sec-survey] | assertion, csectype-bounds, regression, sec-high, testcase |
| 1707774 | Core | JavaScript Engine: J | RESO | Live range splitting can lead to conflicting assignments ... | --- | --- | --- | [sec-survey][post-critsmash-triage][adv-main91+] | csectype-bounds, regression, sec-high, testcase |
| 1710312 | Core | JavaScript Engine: J | RESO |
Address |
--- | --- | --- | [fuzzblocker][post-critsmash-triage][sec-survey] | regression, sec-high, testcase |
| 1713108 | Core | JavaScript: WebAssem | RESO |
Lowering and code generation of generic 32-bit wasm selec |
--- | --- | --- | [sec-survey] | sec-high |
| 1745170 | Core | JavaScript: WebAssem | RESO |
table |
--- | --- | --- | [sec-survey] | regression, sec-high |
| 1767177 | Core | JavaScript: WebAssem | RESO |
Address |
--- | --- | --- | [jsbugmon:update,bisect][post-critsmash-triage][adv-main101+r] | crash, regression, sec-high, testcase |
| 1366446 | Core | Graphics | RESO |
Address |
--- | --- | --- | [post-critsmash-triage][adv-main54+] | crash, csectype-uaf, sec-high |
| 1375842 | Core | Graphics | RESO |
Address |
--- | --- | --- | [gfx-noted] | crash, csectype-bounds, regressionwindow-wanted, sec-high, testcase |
| 1441941 | Core | Graphics | RESO |
Skia and Firefox: Integer overflow in Sk |
--- | --- | --- | [disclosure deadline May 30][adv-main60+][adv-esr52.8+] | csectype-intoverflow, sec-high |
| 1454692 | Core | Graphics | RESO | Backport relevant post-m55 Skia security fixes to ESR52 | --- | --- | --- | [adv-esr52.8+] | sec-critical |
| 1817336 | Core | Graphics | RESO |
Crash in [@ nouveau |
--- | --- | --- | [adv-main111+r] | crash, csectype-uaf, sec-high |
| 1437087 | Core | DOM: Editor | RESO |
heap-use-after-free in [@ mozilla::Editor |
--- | --- | --- | [post-critsmash-triage][adv-main59+][adv-esr52.7+] | csectype-uaf, sec-high |
| 1486314 | Core | DOM: Editor | RESO |
heap-buffer-overflow in [@ mozilla::Text |
--- | --- | --- | [post-critsmash-triage][adv-main63+] | crash, csectype-bounds, regression, sec-high, testcase |
| 1415291 | Core | JavaScript Engine | RESO |
Heap-buffer-overflow READ 8 · js::Wasm |
--- | --- | --- | [adv-main58+][post-critsmash-triage] | csectype-bounds, oss-fuzz, sec-high |
| 1559858 | Firefox | Security | RESO |
Sending `Prompt:Open` from the child allows for a sandbox |
--- | --- | --- | [post-critsmash-triage][adv-main67+][adv-esr60.7+] | csectype-priv-escalation, csectype-sandbox-escape, sec-high |
| 1415598 | Toolkit | Places | RESO |
Crash in ns |
--- | --- | --- | [fxsearch][adv-main58+][adv-esr52.6+][post-critsmash-triage] | crash, csectype-uaf, regression, sec-high |
| 1386915 | Core | CSS Parsing and Comp | RESO |
stylo: Address |
--- | --- | --- | crash, csectype-race, csectype-wildptr, sec-high, testcase | |
| 1823547 | Core | Networking: HTTP | RESO |
Crash in [@ ns |
--- | --- | --- | [necko-triaged][post-critsmash-triage][adv-main112+r] | crash, csectype-uaf, regression, sec-high |
| 1454126 | Core | DOM: Editor | RESO |
crash at null in [@ ns |
--- | --- | --- | [adv-main60+] | crash, csectype-bounds, regression, sec-high, testcase |
| 1850938 | Core | DOM: UI Events & Foc | RESO |
Crash in [@ JSContext::verify |
--- | --- | --- | crash, csectype-uaf, regression, sec-high | |
| 1340138 | Core | DOM: Core & HTML | RESO | table use-after-free | --- | --- | --- | [disclosure date May 17 2017][adv-main52+][adv-esr45.8+] | csectype-uaf, sec-critical, testcase |
| 1352295 | Core | Graphics: Canvas2D | RESO |
mozilla::dom::Canvas |
--- | --- | --- | [fixed by bug 1355873][post-critsmash-triage][adv-main54+][adv-esr52.2+] | crash, csectype-uaf, regression, sec-critical |
| 1490561 | Core | Layout | RESO |
heap-use-after-free in [@ mozilla::Scroll |
--- | --- | --- | [adv-main63+][adv-esr60.3+] | crash, csectype-uaf, sec-high, testcase |
| 1414282 | Core | Graphics: Layers | RESO |
Layer |
--- | --- | --- | [potential sandbox escape][post-critsmash-triage][adv-main59-] | csectype-other, csectype-sandbox-escape, sec-high |
| 1490396 | Core | Graphics: WebRender | RESO |
[lib |
--- | --- | --- | [post-critsmash-triage] | crash, csectype-bounds, sec-high, testcase |
| 1643874 | Core | DOM: Core & HTML | RESO |
Crash in [@ mozilla::dom::Promise::Maybe |
--- | --- | --- | [post-critsmash-triage][adv-main78+][adv-esr68.10+][sec-survey] | crash, csectype-uaf, sec-high |
| 1588353 | Core | DOM: Service Workers | RESO |
Intermittent GECKO(2373) | SUMMARY: Address |
--- | --- | --- | [post-critsmash-triage] | csectype-uaf, intermittent-failure, sec-high |
| 1597481 | Core | DOM: Workers | RESO |
Address |
--- | --- | --- | [post-critsmash-triage][adv-main72+r] | crash, csectype-uaf, sec-high, testcase-wanted |
| 1601024 | Core | DOM: Workers | RESO |
heap-use-after-free in [@ Get |
--- | --- | --- | [testcase reduction blocked by bug 1588357][adv-main73+r][post-critsmash-triage] | crash, csectype-uaf, regression, sec-high, testcase-wanted |
| 1604719 | Core | DOM: Service Workers | RESO |
Intermittent dom/serviceworkers/test/test |
--- | --- | --- | crash, csectype-uaf, intermittent-failure, sec-high | |
| 1607276 | Core | DOM: Service Workers | RESO |
heap-use-after-free in [@ mozilla::DOMEvent |
--- | --- | --- | [post-critsmash-triage] | crash, csectype-uaf, regression, sec-high |
| 1425780 | Core | WebRTC | RESO |
Address |
--- | --- | --- | [adv-main58+][adv-esr52.6+][post-critsmash-triage] | crash, csectype-uaf, sec-high, testcase |
| 1438556 | Core | JavaScript Engine: J | RESO | Avoid non-wrapper cross-compartment edges in ICs | --- | --- | --- | [adv-main61+][adv-esr60.1+][post-critsmash-triage] | sec-high |
| 1439235 | Core | JavaScript Engine | RESO |
Assertion failure: Integer input should be equal or highe |
--- | --- | --- | [jsbugmon:] | assertion, bugmon, crash, regression, sec-high, testcase |
| 1536768 | Core | JavaScript Engine: J | RESO |
Ion |
--- | --- | --- | [adv-main67+][adv-esr60.7+] | sec-high |
| 1616909 | Core | JavaScript Engine | RESO |
Hazard Introduced by Source |
--- | --- | --- | [post-critsmash-triage] | csectype-uaf, regression, sec-high |
| 1765343 | Core | DOM: Streams | RESO |
Address |
--- | --- | --- | [bugmon:confirm] | csectype-uaf, regression, sec-high, testcase |
| 1418854 | Core | Networking: Cache | RESO |
Intermittent SUMMARY: Address |
--- | --- | --- | [OA][necko-triaged][adv-main58+][adv-esr52.6+][post-critsmash-triage] | csectype-uaf, intermittent-failure, sec-high |
| 1528481 | Core | Networking: HTTP | RESO | use after free in HTTP2 code, mozilla::net::Http2Session:... | --- | --- | --- | [necko-triaged][post-critsmash-triage][adv-main68+][adv-esr60.8+] | csectype-uaf, sec-high, testcase-wanted |
| 1547266 | Core | Networking: HTTP | RESO |
Intermittent Address |
--- | --- | --- | [necko-triaged][post-critsmash-triage][adv-main68+][adv-esr60.8+] | csectype-uaf, intermittent-failure, regression, sec-high |
| 1601712 | Core | Networking: HTTP | RESO |
Address |
--- | --- | --- | [necko-triaged][post-critsmash-triage][adv-main73+r] | crash, csectype-uaf, regression, sec-high, testcase |
| 1380426 | WebExtensions | General | RESO |
ns |
--- | --- | --- | [post-critsmash-triage][adv-main55+][adv-esr52.3+] triaged | csectype-uaf, sec-high |
| 1860977 | MailNews Core | Security: OpenPGP | RESO | PGP encryption can change subject of E-Mail if selecting ... | --- | --- | --- | [see comment 32, 38] | regression, sec-high, testcase |
| 1204580 | Core | Audio/Video: Playbac | RESO |
Stagefright: crash [@stagefright::Sample |
--- | --- | --- | [post-critsmash-triage][adv-main42+][adv-esr38.4+] | crash, csectype-intoverflow, sec-high |
| 1216748 | Core | Audio/Video: Playbac | RESO |
stagefright: potential underflow in 'covr', unchecked all |
--- | --- | --- | [adv-main43+][adv-esr38.5+] AndroidID-20923261, published in August 2015; uplift 1206211 first on beta&esr-38 | csectype-bounds, sec-high |
| 1274637 | Core | Audio/Video: Playbac | RESO |
ZDI-CAN-3766: Mozilla Firefox Clear |
--- | --- | --- | [adv-main48+][adv-esr45.3+] | csectype-bounds, sec-high |
| 1289280 | Core | Audio/Video: Playbac | RESO |
FFMPEG: heap-buffer-overflow read in [@av |
--- | --- | --- | [adv-main49+][adv-esr45.4+] | crash, csectype-bounds, sec-high, testcase |
| 1404297 | Core | DOM: Core & HTML | RESO |
Crash in ns |
--- | --- | --- | [adv-main59+] | crash, csectype-uaf, sec-high, testcase-wanted |
| 1348424 | Core | Widget: Cocoa | RESO |
Crash in objc |
--- | --- | --- | [post-critsmash-triage][adv-main54+][adv-esr52.2+] tpi:+ | crash, csectype-uaf, sec-high |
| 1400563 | Core | WebRTC: Networking | RESO |
Crash in Win |
--- | --- | --- | [adv-main68+] | crash, csectype-race, csectype-uaf, regression, sec-high |
| 1580156 | Core | WebRTC | RESO |
Intermittent Address |
--- | --- | --- | Coordinate CVE w/Google [adv-main71+][adv-esr68.3+] | crash, csectype-bounds, intermittent-failure, sec-high, testcase-wanted |
| 1585760 | Core | Graphics: Canvas2D | RESO |
Address |
--- | --- | --- | [adv-main71+r][adv-esr68.3+r] | crash, csectype-uaf, sec-high, testcase-wanted |
| 1464829 | Core | JavaScript Engine: J | RESO |
Possible OOB read from RInstruction |
--- | --- | --- | [adv-main61+][adv-esr52.9+][adv-esr60.1+][post-critsmash-triage] | sec-high |
| 1502013 | Core | JavaScript Engine: J | RESO |
js::jit::Remove |
--- | --- | --- | [post-critsmash-triage][adv-main64+][adv-esr60.4+] | sec-high |
| 1528829 | Core | JavaScript Engine: J | RESO |
Arbitrary range mis-inference due to loop phi range analy |
--- | --- | --- | [reporter-external] [client-bounty-form] [verif?][jsbugmon:update,testComment=2,origRev=dd4aa59c6a12][post-critsmash-triage][adv-main66+][adv-esr60.6+] | assertion, bugmon, sec-high, testcase |
| 1532599 | Core | JavaScript Engine: J | RESO |
Spidermonkey: Ion |
--- | --- | --- | [adv-main66+][adv-esr60.6+] | csectype-other, regression, sec-critical |
| 1546446 | Core | JavaScript Engine: J | RESO |
has |
--- | --- | --- | [post-critsmash-triage] | sec-critical |
| 1766283 | Core | JavaScript Engine | RESO |
Inline |
--- | --- | --- | [post-critsmash-triage][adv-main101+r][adv-esr91.10+r] | csectype-jit, sec-high |
| 1877357 | Core | JavaScript Engine: J | RESO |
Assertion failure: v |
--- | --- | --- | [sp3] | regression, sec-high, testcase |
| 1683490 | Core | DOM: Service Workers | RESO |
Crash in [@ mozilla::ipc::IProtocol::Actor |
--- | --- | --- | [post-critsmash-triage][sec-survey][adv-main86+r] | crash, csectype-uaf, sec-high |
| 1740797 | Core | DOM: File | RESO |
Address |
--- | --- | --- | [bugmon:confirm][sec-survey][adv-main96+r][adv-ESR91.5+r] | csectype-uaf, sec-high, testcase |
| 1757805 | Core | IPC | RESO | Shmem stores length in shared memory region | --- | --- | --- | [sec-survey][adv-main99+r][adv-esr91.8+r] | csectype-sandbox-escape, sec-high |
| 1761981 | Core | DOM: Core & HTML | RESO | Firefox sandbox iframe can execute scripts without allow-... | --- | --- | --- | [reporter-external] [client-bounty-form][post-critsmash-triage][adv-main100+][adv-esr91.9+] | sec-high |
| 1587681 | Firefox | Security | RESO |
Web |
--- | --- | --- | sec-high | |
| 1291702 | Core | Web Audio | RESO |
Web |
--- | --- | --- | [post-critsmash-triage] | crash, csectype-bounds, regression, sec-critical, testcase |
| 1302231 | Core | Audio/Video: MediaSt | RESO |
Crash in mozilla::Media |
--- | --- | --- | [fixed on trunk by bug 1314514][post-critsmash-triage][adv-main51+] | crash, regression, sec-high |
| 1388243 | Core | Audio/Video | RESO |
Heap-use-after-free in mozilla::Media |
--- | --- | --- | csectype-uaf, sec-high | |
| 1423916 | Core | WebRTC: Audio/Video | RESO | Crash in webrtc::Deinterleave<T> | --- | --- | --- | [clouseau] | crash, csectype-bounds, csectype-wildptr, regression, sec-high |
| 1424318 | Core | WebRTC | RESO |
Crash in webrtc::Float |
--- | --- | --- | crash, csectype-wildptr, regression, sec-high | |
| 1499426 | Core | WebRTC: Audio/Video | RESO |
Intermitent Address |
--- | --- | --- | [post-critsmash-triage][adv-main65+] | csectype-uaf, intermittent-failure, sec-high |
| 1607309 | Core | Audio/Video: MediaSt | RESO |
..application crashed [@ mozilla::Deadlock |
--- | --- | --- | [post-critsmash-triage] | crash, csectype-uaf, sec-high |
| 1626382 | Core | Web Audio | RESO |
Address |
--- | --- | --- | [post-critsmash-triage][adv-main76+r][adv-ESR68.8+r] | crash, csectype-uaf, sec-high, testcase |
| 1571439 | Core | JavaScript: GC | RESO |
Address |
--- | --- | --- | [fuzzblocker] [jsbugmon:][post-critsmash-triage] | assertion, bugmon, crash, regression, sec-high, testcase |
| 1538007 | Core | Internationalization | RESO | [ZDI-CAN-8374] Sandbox escape: XUL injection in language ... | --- | --- | --- | [adv-main68+][adv-esr60.8+] | csectype-priv-escalation, csectype-sandbox-escape, sec-high |
| 1619997 | GeckoView | General | RESO |
Gecko |
--- | --- | --- | [reporter-external] [client-bounty-form][post-critsmash-triage][adv-main75-] | csectype-priv-escalation, sec-high |
| 1798798 | Fenix | Browser Engine | RESO |
Window prompt with long description hides fullscreen noti |
--- | --- | --- | [reporter-external] [client-bounty-form] [verif?][geckoview][fxdroid][adv-main111+] | csectype-spoof, sec-high |
| 1401459 | Core | Networking: HTTP | RESO |
Address |
--- | --- | --- | [necko-triaged][post-critsmash-triage][adv-main58+] | csectype-race, csectype-uaf, regression, sec-high |
| 1516425 | Core | Graphics: Layers | RESO |
Crash in mozilla::layout::Get |
--- | --- | --- | [post-critsmash-triage][adv-main67+] | crash, csectype-uaf, regression, sec-high |
| 1637430 | Core | JavaScript: WebAssem | RESO |
Bounds check ref |
--- | --- | --- | [post-critsmash-triage][sec-survey] | csectype-bounds, regression, sec-high |
| 1747562 | Core | JavaScript: WebAssem | RESO |
Address |
--- | --- | --- | [bugmon:update,bisect][sec-survey][post-critsmash-triage] | crash, csectype-uaf, regression, sec-high, testcase |
| 1751699 | Core | JavaScript: WebAssem | RESO |
Assertion failure: a |
--- | --- | --- | [bugmon:update,bisect][sec-survey][post-critsmash-triage] | assertion, csectype-bounds, regression, sec-high, testcase |
| 1762441 | Core | JavaScript: WebAssem | RESO |
Stackmaps are not serialized/deserialized with Web |
--- | --- | --- | [sec-survey][post-critsmash-triage] | sec-critical |
| 1797685 | Core | JavaScript: WebAssem | RESO |
Address |
--- | --- | --- | [jsbugmon:update,bisect][post-critsmash-triage][adv-main108+r][adv-esr102.6+r] | assertion, crash, csectype-uaf, regression, sec-high, testcase |
| 1811559 | Core | JavaScript: WebAssem | RESO |
Emit |
--- | --- | --- | [adv-main111-] | csectype-uaf, regression, sec-high |
| 1833339 | Core | JavaScript: WebAssem | RESO |
Address |
--- | --- | --- | [bugmon:update,bisect][adv-main114+r][adv-esr102.12+r] | crash, csectype-bounds, regression, sec-high, testcase |
| 1219814 | Core | WebRTC: Audio/Video | RESO |
Overflow in Rtp |
--- | --- | --- | csectype-bounds, sec-high | |
| 1220493 | Core | WebRTC: Networking | RESO |
Underflow in RTPReceiver |
--- | --- | --- | [post-critsmash-triage][adv-main43+][adv-esr38.5+] | csectype-bounds, sec-high |
| 1254876 | Core | WebRTC: Audio/Video | RESO |
Intermittent 1113005 |
--- | --- | --- | [post-critsmash-triage][adv-main46+][adv-esr45.1+][adv-esr38.8+] | csectype-uaf, intermittent-failure, sec-high |
| 1258079 | Core | Audio/Video: MediaSt | RESO |
Intermittent test |
--- | --- | --- | [post-critsmash-triage][adv-main48+][adv-esr45.3+] | csectype-uaf, intermittent-failure, sec-high |
| 1258942 | Core | WebRTC | RESO |
Intermittent test |
--- | --- | --- | csectype-uaf, intermittent-failure, sec-high | |
| 1263384 | Core | WebRTC: Audio/Video | RESO |
VP8 encoder: Heap block overrun (writing) from copy |
--- | --- | --- | [post-critsmash-triage][adv-main47+][adv-esr45.2+] | csectype-bounds, sec-high |
| 1294407 | Core | WebRTC | RESO | Firefox crash when packets with missing headers are received | --- | --- | --- | [adv-main49+][adv-esr45.4+] | csectype-bounds, sec-high |
| 1311380 | Core | WebRTC: Networking | RESO |
Crash in mozilla::Data |
--- | --- | --- | crash, csectype-uaf, sec-high | |
| 1315288 | Core | WebRTC | RESO |
Crash in memcpy | copy |
--- | --- | --- | crash, csectype-bounds, regression, sec-high | |
| 1353476 | Core | WebRTC: Audio/Video | RESO |
Crash in mozilla::camera::Cameras |
--- | --- | --- | [adv-main53+][adv-esr52.1+] | crash, csectype-uaf, regression, sec-high |
| 1415582 | Core | WebRTC: Audio/Video | RESO |
Cleanup Web |
--- | --- | --- | [adv-main58+][adv-esr52.6+][post-critsmash-triage] | csectype-uaf, sec-high |
| 1421963 | Core | WebRTC: Audio/Video | RESO |
Intermittent GECKO(3202) | ==3255==ERROR: Address |
--- | --- | --- | [post-critsmash-triage][adv-main59+] | csectype-uaf, intermittent-failure, sec-high |
| 1425930 | GeckoView | General | RESO |
Crash in @0x0 | ns |
--- | --- | --- | [adv-main61+][adv-esr60.1+][post-critsmash-triage] | crash, csectype-uaf, regression, sec-high |
| 1426449 | Core | WebRTC | RESO |
Crash in webrtc::Simulcast |
--- | --- | --- | [adv-main58+][post-critsmash-triage] | crash, csectype-uaf, sec-high |
| 1429216 | Core | WebRTC | RESO | UAF due to webrtc codec init failure | --- | --- | --- | crash, csectype-uaf, sec-high | |
| 1544127 | Core | Networking | RESO |
Crash in [@ mozilla::net::Cookie |
--- | --- | --- | [necko-triaged] [necko-priority-review][adv-esr102.8+r] | crash, csectype-uaf, regression, sec-high |
| 1750565 | Toolkit | Add-ons Manager | RESO | Extension permission prompts skipped via dictionary | --- | --- | --- | [sec-survey][post-critsmash-triage][adv-main97+][adv-esr91.6+] | csectype-priv-escalation, sec-high |
| 1631576 | NSS | Libraries | RESO | Timing attack on DSA on NSS library | --- | --- | --- | [disclosure date 2020-06-02][RedHat INC1266622][post-critsmash-triage][adv-main77+][adv-esr68.9+][sec-survey] | sec-high |
| 1389561 | Core | Storage: IndexedDB | RESO |
crash in PLDHash |
--- | --- | --- | [adv-main58+][post-critsmash-triage] | crash, csectype-uaf, sec-high |
| 1628076 | Core | Storage: Cache API | RESO | Crash in [@ mozilla::dom::cache::Manager::Factory::Abort] | --- | --- | --- | [sec-survey][post-critsmash-triage][adv-main76+r][adv-ESR68.8+r] | crash, csectype-uaf, regression, sec-high |
| 1643613 | Core | DOM: Workers | RESO |
Intermittent PROCESS-CRASH | Main app process exited norm |
--- | --- | --- | [sec-survey][post-critsmash-triage][adv-main79+r][adv-ESR78.1+r] | crash, csectype-uaf, intermittent-failure, sec-high |
| 1646006 | Core | Storage: IndexedDB | RESO |
Crash in [@ mozilla::dom::indexed |
--- | --- | --- | [sec-survey][post-critsmash-triage][adv-main79+r][adv-ESR78.1+r] | crash, csectype-uaf, regression, sec-high |
| 1675868 | Core | DOM: postMessage | RESO |
Crash in [@ mozilla::detail::Support |
--- | --- | --- | [sec-survey][adv-main85+r][adv-esr78.7+r] | crash, csectype-uaf, sec-high, testcase-wanted |
| 1687597 | Core | DOM: Workers | RESO |
heap-use-after-free in [@ mozilla::dom::Worker |
--- | --- | --- | [sec-survey][adv-main86+r][adv-esr78.8+r] | csectype-uaf, regression, sec-high |
| 1317409 | Core | DOM: Core & HTML | RESO |
UAF involving mutation events, contenteditable iframes an |
--- | --- | --- | [adv-main50.1+][adv-esr45.6+] | csectype-uaf, sec-critical |
| 1346590 | Core | DOM: Core & HTML | RESO |
heap-use-after-free [@ Get |
--- | --- | --- | [adv-main55+][adv-esr52.3+][post-critsmash-triage] | crash, csectype-uaf, sec-high, testcase |
| 1416307 | Core | DOM: Navigation | RESO |
When Refresh |
--- | --- | --- | [keep hidden until 1414425 embargo ends][post-critsmash-triage][adv-main59-][adv-esr52.7-] | csectype-sop, sec-high |
| 1418922 | Core | DOM: Core & HTML | RESO |
heap-use-after-free in Get |
--- | --- | --- | [adv-esr52.6+][fixed on trunk in bug 1343037] | crash, csectype-uaf, sec-high, testcase |
| 1459693 | Core | DOM: Core & HTML | RESO |
heap-use-after-free in ns |
--- | --- | --- | [adv-main61+][adv-esr52.9+][adv-esr60.1+][post-critsmash-triage] | csectype-uaf, sec-critical |
| 1544670 | Core | DOM: Core & HTML | RESO |
heap-use-after-free in mozilla::dom::Wake |
--- | --- | --- | [adv-main67+][adv-esr60.7+] | csectype-uaf, regression, sec-high |
| 1620818 | Core | DOM: Navigation | RESO |
Address |
--- | --- | --- | csectype-uaf, sec-critical, testcase-wanted | |
| 1666285 | Core | Graphics: Canvas2D | RESO |
Address |
--- | --- | --- | [sec-survey][adv-main85+r][adv-esr78.7+r] | crash, csectype-wildptr, sec-high, testcase-wanted |
| 1827655 | Core | DOM: Navigation | RESO |
Crash in [@ ns |
--- | --- | --- | [adv-main114+r][adv-esr102.12+r] | crash, csectype-sandbox-escape, csectype-uaf, sec-high |
| 1631597 | NSS | Libraries | RESO | side channel vulnerabilities during RSA key generation | --- | --- | --- | [sec-moderate for Firefox][disclosure date 2020-06-30][RedHat INC1266675][sec-survey][post-critsmash-triage][adv-main78+] | csectype-disclosure, sec-high |
| 1493497 | Core | Graphics: CanvasWebG | RESO | Crash in gl::Framebuffer::Framebuffer | --- | --- | --- | [post-critsmash-triage][adv-main65+] | crash, csectype-uaf, regression, sec-high |
| 1532525 | Core | Graphics: CanvasWebG | RESO |
could be trigger oom problem with Web |
--- | --- | --- | [adv-main67+][adv-esr60.7+] | csectype-intoverflow, sec-high |
| 1434384 | Core | JavaScript Engine | RESO |
Address |
--- | --- | --- | [adv-main59+][adv-esr52.7+] | crash, csectype-sandbox-escape, regression, sec-high, testcase |
| 1442722 | Core | JavaScript Engine | RESO |
Assertion failure: point |
--- | --- | --- | [adv-main61+][adv-esr52.9+][adv-esr60.1+][post-critsmash-triage] | assertion, csectype-priv-escalation, csectype-sandbox-escape, sec-high, testcase |
| 1470921 | Core | JavaScript Engine | RESO |
Crash [@ Assert |
--- | --- | --- | [jsbugmon:][post-cristsmash-triage] | bugmon, crash, regression, sec-high, testcase |
| 1487167 | Core | DOM: Core & HTML | RESO | Rooting hazards, Aug 2018 edition | --- | --- | --- | [post-critsmash-triage][adv-main63+] | csectype-uaf, sec-high |
| 1556430 | Core | JavaScript: GC | RESO |
Intermittent SUMMARY: Address |
--- | --- | --- | [post-critsmash-triage] | csectype-uaf, intermittent-failure, regression, sec-high |
| 1583684 | Core | DOM: Core & HTML | RESO | Rooting hazards revealed by fixing JS::Value problem | --- | --- | --- | [adv-main70+][adv-main70+r][adv-esr68.2+][adv-esr68.2+r][post-critsmash-triage] | csectype-uaf, sec-critical |
| 1645415 | Core | JavaScript: GC | RESO |
SUMMARY: Address |
--- | --- | --- | [sec-survey][post-critsmash-triage] | csectype-uaf, intermittent-failure, regression, sec-high |
| 1667912 | Core | JavaScript: GC | RESO | Nonincremental weakmap marking incorrectly splits up Zones | --- | --- | --- | [sec-survey][adv-main83+r][adv-esr78.5+r] | csectype-uaf, regression, sec-high |
| 1715471 | Core | JavaScript: GC | RESO |
Assertion failure: !detail::Cell |
--- | --- | --- | [sec-survey] | assertion, regression, sec-high, testcase |
| 1736046 | Core | DOM: postMessage | RESO |
Assertion failure: data |
--- | --- | --- | [sec-survey][adv-main95+r][adv-ESR91.4.0+r] | assertion, sec-high, testcase |
| 1739366 | Core | IPC | RESO |
Assertion failure: token |
--- | --- | --- | [sec-survey][post-critsmash-triage][adv-main96+r][adv-ESR91.5+r] | assertion, csectype-bounds, csectype-sandbox-escape, sec-high, testcase |
| 1375146 | Core | DOM: Events | RESO |
heap-use-after-free in [@ mozilla::dom::Tab |
--- | --- | --- | [no-nag][adv-main57+][adv-esr52.5+][post-critsmash-triage] | crash, csectype-uaf, sec-high, testcase-wanted |
| 1408157 | Core | DOM: Events | RESO |
Crash in xul |
--- | --- | --- | [post-critsmash-triage] | crash, csectype-wildptr, regression, sec-critical |
| 1811637 | Core | Widget: Gtk | RESO |
Use-after-free crash in [@ g |
--- | --- | --- | [adv-main111+r][adv-esr102.9+r] | crash, csectype-uaf, regression, sec-high |
| 1259473 | Core | Audio/Video: Playbac | RESO |
[e10s] new crash with e10s enabled in Media |
--- | --- | --- | [post-critsmash-triage] | csectype-uaf, sec-high |
| 1315631 | Core | Audio/Video: Playbac | RESO |
xul |
--- | --- | --- | [adv-main50.1+][adv-esr45.6+] | assertion, crash, csectype-uaf, regression, sec-high |
| 1329403 | Core | Audio/Video: Playbac | RESO |
Base |
--- | --- | --- | [adv-main51+][adv-esr45.7+] | crash, csectype-uaf, sec-high, testcase |
| 1333576 | Core | Audio/Video: Playbac | RESO |
Crash in mozilla::Media |
--- | --- | --- | [post-critsmash-triage] | crash, csectype-uaf, sec-high |
| 1371982 | Core | XPCOM | RESO |
Intermittent Address |
--- | --- | --- | [adv-main55+][post-critsmash-triage] | csectype-uaf, intermittent-failure, regression, sec-critical |
| 1415441 | Core | Audio/Video: Playbac | RESO |
Crash in mozilla::detail::log |
--- | --- | --- | crash, csectype-uaf, csectype-wildptr, sec-high | |
| 1415788 | Core | Audio/Video: Playbac | RESO |
Crash in mozilla::dom::HTMLMedia |
--- | --- | --- | [clouseau][adv-main58+][post-critsmash-triage] | crash, csectype-wildptr, regression, sec-critical |
| 1367727 | Core | JavaScript Engine | RESO |
Crash in js::gc::Atom |
--- | --- | --- | [adv-main60+] | crash, csectype-uaf, regression, sec-high |
| 1384544 | Core | JavaScript Engine | RESO |
Crash in New |
--- | --- | --- | [adv-main58+][post-critsmash-triage] | crash, csectype-wildptr, leave-open, regression, sec-critical |
| 1409179 | Core | JavaScript Engine | RESO |
Crash in js::Interpreter |
--- | --- | --- | [adv-main58+][post-critsmash-triage] | crash, csectype-uaf, regression, sec-high |
| 1415748 | Core | JavaScript Engine | RESO |
Crash in js::Interpreter |
--- | --- | --- | [adv-main58+][post-critsmash-triage] | crash, csectype-uaf, sec-high |
| 1480521 | Core | JavaScript: GC | RESO | js::Shape is not Compacting-GC-safe (32-bit builds) | --- | --- | --- | [adv-main62+][adv-esr60.2+][post-cristsmash-triage] | regression, sec-critical |
| 1514682 | Core | JavaScript Engine: J | RESO |
Assertion failure: obj->is<Plain |
--- | --- | --- | [jsbugmon:update,origRev=edf1f05e9d00,testComment=2][post-critsmash-triage][adv-main66+][adv-esr60.6+] | sec-high |
| 1541580 | Core | JavaScript Engine | RESO |
OOM during Proxy |
--- | --- | --- | [adv-main67+][adv-esr60.7+] | csectype-uninitialized, regression, sec-high |
| 1548044 | Core | JavaScript Engine: J | RESO |
OOM in Auto |
--- | --- | --- | [post-critsmash-triage][adv-main70+][adv-main70+r][adv-esr68.2+][adv-esr68.2+r] | sec-high |
| 1631508 | Core | JavaScript Engine: J | RESO |
Fix Ion |
--- | --- | --- | [post-critsmash-triage][adv-main76+r][adv-ESR68.8+r] | csectype-jit, sec-critical |
| 1673567 | Core | JavaScript Engine | RESO |
UAF Crash in [@ js::Global |
--- | --- | --- | [adv-main84+r][sec-survey] | crash, csectype-uaf, regression, sec-high |
| 1821959 | Core | JavaScript Engine | RESO |
MOZ |
--- | --- | --- | [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main112+][adv-esr102.10+] | csectype-uaf, sec-high |
| 1305208 | Firefox for iOS | Reader View | RESO |
Background application can steal arbitrary web contents t |
--- | --- | --- | [MobileAS] | csectype-sop, sec-high |
| 1318897 | Focus-iOS | General | RESO | Address bar shows userinfo field of URI | --- | --- | --- | [MobileAS] | csectype-spoof, sec-high |
| 1538008 | Firefox | Sync | RESO |
[ ZDI-CAN-8375] UXSS priv-esc via sync (install arbitrary |
--- | --- | --- | [adv-main69+][adv-esr68.1+][adv-esr60.9+][do not publish until Bug 1538015 is shipped.] | csectype-priv-escalation, csectype-sandbox-escape, sec-high |
| 1315837 | Core | DOM: Core & HTML | RESO |
Crash in mozilla::dom::Element::Update |
--- | --- | --- | crash, csectype-uaf, regression, reproducible, sec-high, topcrash | |
| 1318998 | Core | DOM: Core & HTML | RESO |
Crash in mozilla::dom::Element::Unregister |
--- | --- | --- | [post-critsmash-triage] | crash, csectype-uaf, sec-high |
| 1416529 | Core | Networking: HTTP | RESO |
Address |
--- | --- | --- | [necko-triaged][post-critsmash-triage][adv-main59+][adv-esr52.7+] | csectype-uaf, sec-high |
| 1433609 | Core | Networking | RESO |
IPC: global-buffer-overflow crash [@ns |
--- | --- | --- | [necko-triaged][adv-main60+][adv-esr52.8+] | crash, csectype-bounds, sec-high |
| 1456975 | Core | Networking | RESO |
Segfault - buffer overflow / arbitrary memory read in IPC |
--- | --- | --- | [necko-triaged][adv-main61+][adv-esr52.9+][adv-esr60.1+][post-critsmash-triage] | csectype-bounds, csectype-sandbox-escape, sec-high |
| 1586630 | Core | Networking: Cache | RESO | Appcache fallback can be corrupted allowing manifests to ... | --- | --- | --- | [necko-triaged][post-critsmash-triage][sec-survey][adv-main78+] | sec-high |
| 1625749 | Core | Networking: HTTP | RESO |
Crash in [@ mozilla::Sliced |
--- | --- | --- | [necko-triaged][post-critsmash-triage][adv-main76+r][adv-ESR68.8+r] | crash, csectype-uaf, regression, sec-high |
| 1665836 | Core | Networking: Cache | RESO | Intermittent PROCESS-CRASH | damp | application crashed [... | --- | --- | --- | [sec-survey][post-critsmash-triage][adv-main90+r] | crash, csectype-uaf, intermittent-failure, sec-high |
| 1675540 | Core | Networking: HTTP | RESO |
Crash in [@ mozilla::net::ns |
--- | --- | --- | [necko-triaged][sec-survey][adv-main87-] | crash, csectype-uaf, sec-high |
| 1700895 | Core | Networking: HTTP | RESO |
Crash in [@ mozilla::net::ns |
--- | --- | --- | [necko-triaged][sec-survey][adv-main90+r][adv-esr78.12+r] | crash, csectype-uaf, sec-high |
| 1742334 | Core | Networking: HTTP | RESO |
Use-after-free of Channel |
--- | --- | --- | [reporter-external] [client-bounty-form][necko-triaged][sec-survey][adv-main96+][adv-ESR91.5+][post-critsmash-triage] | csectype-uaf, sec-high |
| 1810536 | Core | Networking: HTTP | RESO | Crashes in Http/3 code | --- | --- | --- | [necko-triaged] [necko-priority-queue][adv-main110+r][adv-esr102.8+r] | csectype-uaf, sec-high |
| 1818357 | Core | Networking | RESO |
heap-use-after-free in [@ mozilla::net::ns |
--- | --- | --- | [necko-triaged] [necko-priority-queue][adv-main112+r][adv-esr102.10+r] | csectype-race, sec-high |
| 1479656 | Core | Audio/Video: GMP | RESO |
Open |
--- | --- | --- | crash, csectype-bounds, sec-high, testcase | |
| 1700610 | Core | JavaScript: WebAssem | RESO |
Assertion failure: size |
--- | --- | --- | [sec-survey] | assertion, csectype-bounds, regression, sec-high, testcase |
| 1766806 | Core | JavaScript: WebAssem | RESO |
Assertion failure: *def->output() == alloc, at jit/Regist |
--- | --- | --- | [post-critsmash-triage][adv-main101+][adv-esr91.10+] | regression, sec-high, testcase |
| 1866545 | Core | JavaScript: WebAssem | RESO | Crash [@ ??] with wasm module on 32-bit | --- | --- | --- | [bugmon:update,bisect] | crash, regression, sec-high, testcase |
| 1498784 | Core | DOM: Core & HTML | RESO |
Crash in mozilla::ipc::Optional |
--- | --- | --- | crash, csectype-uaf, regression, sec-high | |
| 1675097 | Core | DOM: Service Workers | RESO |
heap-use-after-free while running Client |
--- | --- | --- | [sec-survey][adv-main85+r][adv-esr78.7+r] | crash, csectype-uaf, sec-high |
| 1682928 | Core | DOM: Workers | RESO |
Thread |
--- | --- | --- | [sec-survey][adv-main86+r][adv-esr78.8+r] | csectype-race, sec-high |
| 1686334 | Core | DOM: Navigation | RESO |
Rejecting page load in on |
--- | --- | --- | [fixed by bug 1735613][sec-survey] | sec-high |
| 1824803 | Core | DOM: Workers | RESO | Use-after-free crash in [@ mozilla::dom::workerinternals:... | --- | --- | --- | [adv-main113+r] | crash, csectype-uaf, regression, sec-high |
| 1833503 | Core | DOM: Workers | RESO |
Crash in [@ mozilla::dom::Thread |
--- | --- | --- | [adv-main115+r] | crash, csectype-uaf, regression, sec-high |
| 1408987 | Core | Audio/Video: Playbac | RESO |
Intermittent SUMMARY: Address |
--- | --- | --- | csectype-race, csectype-uaf, intermittent-failure, regression, sec-high |
|
REST |
CSV |
Feed |
iCalendar
Change Columns |
Edit Search |