Originally published by Maddie Stone on the Google Project Zero blog on 27 July 2020

In 2019, Project Zero began a program to systematically study 0-day exploits that are used in the wild. It’s another way we’re trying to make 0-day hard. We published our tracking spreadsheet for recording publicly known cases of detected 0-day exploits. Today we’re beginning to share the root cause analyses we perform on these detected 0-day exploits. To better understand our approach and the reasoning behind these analyses, please read this blog post.

We will continue to publish new root cause analyses as they are completed, hopefully in a very timely manner. We hope other researchers who detect and/or analyze 0-day exploits will also publish this information to better inform actions and decision making in the security and tech communities. The template that we use is available here. We welcome pull requests!

Our goal is that this information helps the security and technical communities. Please reach out with any feedback or suggestions.

Published root cause analyses (CVE: analysis title)
CVE-2019-11707: IonMonkey Type Confusion in Array.Pop
CVE-2019-1367: Internet Explorer JScript use-after-free
CVE-2019-13720: Chrome use-after-free in webaudio
CVE-2019-1458: Windows win32k uninitialized variable in task switching
CVE-2019-2215: Android use-after-free in Binder
CVE-2019-7286: iOS use-after-free in cfprefsd
CVE-2019-7287: iOS Buffer Overflow in ProvInfoIOKitUserClient
CVE-2019-17026: Firefox Type Confusion in IonMonkey
CVE-2020-0674: Internet Explorer use-after-free in JScript
CVE-2020-0938: Windows Font Driver Type 1 BlendDesignPositions stack corruption
CVE-2020-0986: Windows splwow64 Untrusted Pointer Dereference
CVE-2020-1020: Windows Font Driver Type 1 VToHOrigin stack corruption
CVE-2020-1027: Windows buffer overflow in CSRSS
CVE-2020-1380: Internet Explorer JScript9 Use-after-Free
CVE-2020-15999: FreeType Heap Buffer Overflow in Load_SBit_Png
CVE-2020-16009: Chrome Turbofan Type Confusion after Map Deprecation
CVE-2020-16010: Chrome for Android ConvertToJavaBitmap Heap Buffer Overflow
CVE-2020-17087: Windows pool buffer overflow in cng.sys IOCTL
CVE-2020-27930: Safari RCE in Type 1 fonts handled by libType1Scaler.dylib
CVE-2020-27932: iOS Kernel privesc with turnstiles
CVE-2020-27950: XNU Kernel Memory Disclosure in Mach Message Trailers
CVE-2020-6418: Chrome incorrect side-effect modelling issue in Turbofan leading to type confusions
CVE-2020-6820: Firefox use-after-free in Cache
CVE-2021-1647: Windows Defender mpengine remote code execution
CVE-2021-1732: Windows win32k flag setting out of sync in xxCreateWindowEx
CVE-2021-26411: Internet Explorer MSHTML Double-Free
CVE-2021-26855: Microsoft Exchange Server-Side Request Forgery
0-day Root Cause Analysis Template