Originally published by Maddie Stone on the Google Project Zero blog on 27 July 2020

Beginning in 2019, Project Zero began a program to systematically study 0-day exploits that are used in the wild. It’s another way we’re trying to make 0-day hard. We published our tracking spreadsheet for recording publicly known cases of detected 0-day exploits. Today we’re beginning to share the root cause analyses we perform on these detected 0-day exploits. To better understand our approach and reasoning behind these analyses, please read this blog post.

We will continue to publish new root cause analyses as they are completed, hopefully in a very timely manner. We hope other researchers who detect and/or analyze 0-day exploits will also publish this information to better inform actions and decision making in the security and tech communities. The template that we use is available here. We welcome pull requests!

Our goal is that this information helps the security and technical communities. Please reach out with any feedback or suggestions.

CVE Link
CVE-2019-11707: IonMonkey Type Confusion in Array.Pop
CVE-2019-1367: Internet Explorer JScript use-after-free
CVE-2019-13720: Chrome use-after-free in webaudio
CVE-2019-1458: Windows win32k uninitialized variable in task switching
CVE-2019-2215: Android use-after-free in Binder
CVE-2019-7286: iOS use-after-free in cfprefsd
CVE-2019-7287: iOS Buffer Overflow in ProvInfoIOKitUserClient
CVE-2019-17026: Firefox Type Confusion in IonMonkey
CVE-2020-0674: Internet Explorer use-after-free in JScript
CVE-2020-0938: Windows Font Driver Type 1 BlendDesignPositions stack corruption
CVE-2020-0986: Windows splwow64 Untrusted Pointer Dereference
CVE-2020-1020: Windows Font Driver Type 1 VToHOrigin stack corruption
CVE-2020-1027: Windows buffer overflow in CSRSS
CVE-2020-1380: Internet Explorer JScript9 Use-after-Free
CVE-2020-15999: FreeType Heap Buffer Overflow in Load_SBit_Png
CVE-2020-16009: Chrome Turbofan Type Confusion after Map Deprecation
CVE-2020-16010: Chrome for Android ConvertToJavaBitmap Heap Buffer Overflow
CVE-2020-17087: Windows pool buffer overflow in cng.sys IOCTL
CVE-2020-27930: Safari RCE in Type 1 fonts handled by libType1Scaler.dylib
CVE-2020-27932: iOS Kernel privesc with turnstiles
CVE-2020-27950: XNU Kernel Memory Disclosure in Mach Message Trailers
CVE-2020-6418: Chrome incorrect side-effect modelling issue in Turbofan leading to type confusions
CVE-2020-6572: Chrome MediaCodecAudioDecoder Sandbox Escape
CVE-2020-6820: Firefox use-after-free in Cache
CVE-2021-0920: Android sk_buff use-after-free in Linux
CVE-2021-1048: Android kernel refcount increment on mid-destruction file
CVE-2021-1647: Windows Defender mpengine remote code execution
CVE-2021-1732: Windows win32k flag setting out of sync in xxCreateWindowEx
CVE-2021-1879: Use-After-Free in QuickTimePluginReplacement
CVE-2021-1905: Qualcomm Adreno GPU memory mapping use-after-free
CVE-2021-21166: Chrome Object Lifecycle Issue in Audio
CVE-2021-21206: Chrome Use-After-Free in Animations
CVE-2021-25337: Samsung file system r/w in clipboard provider
CVE-2021-25369: Samsung kernel info leak in sec_log
CVE-2021-26411: Internet Explorer MSHTML Double-Free
CVE-2021-26855: Microsoft Exchange Server-Side Request Forgery
CVE-2021-30551: Chrome Type Confusion in V8
CVE-2021-30632: Chrome Turbofan Type confusion in Global property access
CVE-2021-30858: WebKit use-after-free in IndexedDB
CVE-2021-33742: Internet Explorer out-of-bounds write in MSHTML
CVE-2021-37975: Chrome v8 garbage collector logic bug causing live objects to be collected
CVE-2021-38000: Chrome Intents Logic Flaw
CVE-2022-22706 / CVE-2021-39793: Mali GPU driver makes read-only imported pages host-writable
CVE-2021-4102: Chrome incorrect node elision in Turbofan leads to unexpected WriteBarrier elision
CVE-2022-1096: Chrome Type Confusion in Property Access Interceptor
CVE-2022-1364: Inconsistent Object Materialization in V8
CVE-2022-21882: Win32k Window Object Type Confusion
CVE-2022-22265: Samsung NPU device driver double free in Android
CVE-2022-22620: Use-after-free in Safari
CVE-2022-22675: AppleAVD Overflow in AVC_RBSP::parseHRD
CVE-2022-2294: Heap buffer overflow in WebRTC
CVE-2022-24521: Windows Common Log File System (CLFS) Logical-Error Vulnerability
CVE-2022-32917: AppleSPU out of bounds write
CVE-2022-3723: Logic Issue in Turbofan JIT Compiler
CVE-2022-41033: Type confusion in Windows COM+ Event System Service
CVE-2022-41073: Windows Activation Contexts EoP
CVE-2022-41128: Type confusion in Internet Explorer's JScript9 engine
CVE-2022-4135: Chrome heap buffer overflow in validating command decoder
CVE-2022-4262: Incorrect Bytecode Generation by JavaScript Parser
CVE-2023-20963: Android: mismatching parcel/unparcel logic for WorkSource
CVE-2023-26369: Adobe Acrobat PDF Reader RCE when processing TTF fonts
CVE-2023-28252: Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2023-33106: Qualcomm Adreno GPU KGSL_GPU_AUX_COMMAND_SYNC OOB
CVE-2023-33107: Qualcomm Adreno GPU KGSL_IOCTL_GPUOBJ_IMPORT integer overflow
CVE-2023-36033: Windows DWM Core Library Elevation of Privilege Vulnerability
CVE-2023-36802: Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability
CVE-2023-38831: RARLAB WinRAR Code Execution Vulnerability
CVE-2023-4211: Use-after-Free in ARM Mali GPU Driver
0-day Root Cause Analysis Template