Beginning in 2019, Project Zero began a program to systematically study 0-day exploits that are used in the wild. It’s another way we’re trying to make 0-day hard. We published our tracking spreadsheet for recording publicly known cases of detected 0-day exploits. Today we’re beginning to share the root cause analyses we perform on these detected 0-day exploits. To better understand our approach and reasoning behind these analyses, please read this blog post.
We will continue to publish new root cause analyses as they are completed, hopefully in a very timely manner. We hope other researchers who detect and/or analyze 0-day exploits will also publish this information to better inform actions and decision making in the security and tech communities. The template that we use is available here. We welcome pull requests!
Our goal is that this information helps the security and technical communities. Please reach out with any feedback or suggestions.
| CVE | Vulnerability |
| --- | --- |
| CVE-2019-11707 | IonMonkey Type Confusion in Array.Pop |
| CVE-2019-1367 | Internet Explorer JScript use-after-free |
| CVE-2019-13720 | Chrome use-after-free in webaudio |
| CVE-2019-1458 | Windows win32k uninitialized variable in task switching |
| CVE-2019-2215 | Android use-after-free in Binder |
| CVE-2019-7286 | iOS use-after-free in cfprefsd |
| CVE-2019-7287 | iOS Buffer Overflow in ProvInfoIOKitUserClient |
| CVE-2019-17026 | Firefox Type Confusion in IonMonkey |
| CVE-2020-0674 | Internet Explorer use-after-free in JScript |
| CVE-2020-0938 | Windows Font Driver Type 1 BlendDesignPositions stack corruption |
| CVE-2020-0986 | Windows splwow64 Untrusted Pointer Dereference |
| CVE-2020-1020 | Windows Font Driver Type 1 VToHOrigin stack corruption |
| CVE-2020-1027 | Windows buffer overflow in CSRSS |
| CVE-2020-1380 | Internet Explorer JScript9 Use-after-Free |
| CVE-2020-15999 | FreeType Heap Buffer Overflow in Load_SBit_Png |
| CVE-2020-16009 | Chrome Turbofan Type Confusion after Map Deprecation |
| CVE-2020-16010 | Chrome for Android ConvertToJavaBitmap Heap Buffer Overflow |
| CVE-2020-17087 | Windows pool buffer overflow in cng.sys IOCTL |
| CVE-2020-27930 | Safari RCE in Type 1 fonts handled by libType1Scaler.dylib |
| CVE-2020-27932 | iOS Kernel privesc with turnstiles |
| CVE-2020-27950 | XNU Kernel Memory Disclosure in Mach Message Trailers |
| CVE-2020-6418 | Chrome incorrect side-effect modelling issue in Turbofan leading to type confusions |
| CVE-2020-6572 | Chrome MediaCodecAudioDecoder Sandbox Escape |
| CVE-2020-6820 | Firefox use-after-free in Cache |
| CVE-2021-0920 | Android sk_buff use-after-free in Linux |
| CVE-2021-1048 | Android kernel refcount increment on mid-destruction file |
| CVE-2021-1647 | Windows Defender mpengine remote code execution |
| CVE-2021-1732 | Windows win32k flag setting out of sync in xxCreateWindowEx |
| CVE-2021-1879 | Use-After-Free in QuickTimePluginReplacement |
| CVE-2021-1905 | Qualcomm Adreno GPU memory mapping use-after-free |
| CVE-2021-21166 | Chrome Object Lifecycle Issue in Audio |
| CVE-2021-21206 | Chrome Use-After-Free in Animations |
| CVE-2021-25337 | Samsung file system r/w in clipboard provider |
| CVE-2021-25369 | Samsung kernel info leak in sec_log |
| CVE-2021-26411 | Internet Explorer MSHTML Double-Free |
| CVE-2021-26855 | Microsoft Exchange Server-Side Request Forgery |
| CVE-2021-30551 | Chrome Type Confusion in V8 |
| CVE-2021-30632 | Chrome Turbofan Type confusion in Global property access |
| CVE-2021-30858 | WebKit use-after-free in IndexedDB |
| CVE-2021-33742 | Internet Explorer out-of-bounds write in MSHTML |
| CVE-2021-37975 | Chrome v8 garbage collector logic bug causing live objects to be collected |
| CVE-2021-38000 | Chrome Intents Logic Flaw |
| CVE-2022-22706 / CVE-2021-39793 | Mali GPU driver makes read-only imported pages host-writable |
| CVE-2021-4102 | Chrome incorrect node elision in Turbofan leads to unexpected WriteBarrier elision |
| CVE-2022-1096 | Chrome Type Confusion in Property Access Interceptor |
| CVE-2022-1364 | Inconsistent Object Materialization in V8 |
| CVE-2022-21882 | Win32k Window Object Type Confusion |
| CVE-2022-22265 | Samsung NPU device driver double free in Android |
| CVE-2022-22620 | Use-after-free in Safari |
| CVE-2022-22675 | AppleAVD Overflow in AVC_RBSP::parseHRD |
| CVE-2022-2294 | Heap buffer overflow in WebRTC |
| CVE-2022-24521 | Windows Common Log File System (CLFS) Logical-Error Vulnerability |
| CVE-2022-32917 | AppleSPU out of bounds write |
| CVE-2022-3723 | Logic Issue in Turbofan JIT Compiler |
| CVE-2022-41033 | Type confusion in Windows COM+ Event System Service |
| CVE-2022-41073 | Windows Activation Contexts EoP |
| CVE-2022-41128 | Type confusion in Internet Explorer's JScript9 engine |
| CVE-2022-4135 | Chrome heap buffer overflow in validating command decoder |
| CVE-2022-4262 | Incorrect Bytecode Generation by JavaScript Parser |
| CVE-2023-20963 | Android: mismatching parcel/unparcel logic for WorkSource |
| CVE-2023-26369 | Adobe Acrobat PDF Reader RCE when processing TTF fonts |
| CVE-2023-28252 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| CVE-2023-33106 | Qualcomm Adreno GPU KGSL_GPU_AUX_COMMAND_SYNC OOB |
| CVE-2023-33107 | Qualcomm Adreno GPU KGSL_IOCTL_GPUOBJ_IMPORT integer overflow |
| CVE-2023-36033 | Windows DWM Core Library Elevation of Privilege Vulnerability |
| CVE-2023-36802 | Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability |
| CVE-2023-38831 | RARLAB WinRAR Code Execution Vulnerability |
| CVE-2023-4211 | Use-after-Free in ARM Mali GPU Driver |
| CVE-2023-6345 | Integer overflow in Skia MeshOp::onCombineIfPossible |
| CVE-2024-44068 | Samsung m2m1shot_scaler0 device driver page use-after-free in Android |

0-day Root Cause Analysis Template