Public Disclosures
Vulnerabilities discovered by FuzzingBrain that are fixed or confirmed/accepted upstream and publicly verifiable — every row links to the public report, PR, issue, or advisory.
74 findings across 31 projects · 67 fixed · 7 confirmed
| # | Project | Vulnerability | Type | Severity | Status | Public report |
|---|---|---|---|---|---|---|
| 1 | auth0-spa-js | Worker retains refresh tokens after logout() — silent token re-mint post-logout | insufficient-session-expiration / use-after-release (CWE-613, CWE-672) | high | fixed | GitHub issue ↗ |
| 2 | avro | Decompression bomb causes OutOfMemoryError via unbounded codec decompression | Decompression Bomb (CWE-409) | high | fixed | GitHub PR ↗ |
| 3 | avro | Negative block size causes allocation-size-too-big crash | Uncontrolled Memory Allocation (CWE-789) | high | fixed | GitHub PR ↗ |
| 4 | avro | Negative string length causes allocation-size-too-big crash | Uncontrolled Memory Allocation (CWE-789) | high | fixed | GitHub PR ↗ |
| 5 | binutils | OOM in rust_demangle via unbounded lifetime count in demangle_binder | Out-of-Memory / Denial of Service (CWE-400) | medium | fixed | Sourceware ↗ |
| 6 | brotli | brotli CLI CopyStat path-based chmod/chown after fclose() — TOCTOU symlink-following | toctou-race / symlink-following (CWE-367) | high | fixed | GitHub PR ↗ |
| 7 | chromium | Assertion Failure in aom_rb_read_literal via AV1 Config Parser | assertion-failure | medium | fixed | aomedia.issues.chromium.org issue ↗ |
| 8 | chromium | Data race on GrTextureProxy::fProxyProvider — recorder dtor vs direct-context flush | data-race | medium | fixed | Chromium issue ↗ |
| 9 | chromium | Denial of Service via Infinite Recode Loop in libaom AV1 SVC Encoder (encode_with_recode_loop_and_filter → av1_resize_plane) | uncontrolled-resource-consumption | medium | fixed | Chromium issue ↗ |
| 10 | chromium | Empty-Vector OOB in printing::ParsePpdCapabilities PaperList Default Selection (Browser-Process DoS via Rogue Printer) | oob-read | medium | fixed | Chromium issue ↗ |
| 11 | chromium | Heap Buffer Overflow in AV1RateControlRTC via av1_restore_layer_context | heap-buffer-overflow | high | fixed | Chromium issue ↗ |
| 12 | chromium | Heap Buffer Overflow in VP9 Encoder via vpx_codec_enc_config_set When Increasing Resolution | heap-buffer-overflow | high | fixed | WebM issue ↗ |
| 13 | chromium | Heap Buffer Overflow Read in FriendlyNameMapper::ParseInstruction OpTypePointer Arm via emitAsUnknown Bypass | heap-buffer-overflow | medium | fixed | GitHub issue ↗ |
| 14 | chromium | Heap Buffer Overflow Read in jsoncpp Json::OurReader::getLocationLineAndColumn via CR-LF Look-ahead Past end_ | heap-buffer-overflow | medium | fixed | GitHub issue ↗ |
| 15 | chromium | NULL Pointer Dereference in WebPMuxAssemble (muxedit.c) | null-pointer-dereference | high | fixed | WebM issue ↗ |
| 16 | chromium | OOB Pixel Pointer in Skia Raster8888BlurAlgorithm via eval_blur_passes X→Y Rebind Off-by-One (Release Build Memory Safety) | out-of-bounds-access | medium | fixed | Chromium issue ↗ |
| 17 | chromium | OOB Read in libsharpyuv FixedPointInterpolation via Unclamped High-Bit-Depth Pixel Index into kGammaToLinearTabS | oob-read | high | fixed | WebM issue ↗ |
| 18 | chromium | Out-of-Bounds Read in SharpYuvConvert() via Missing Stride Validation | heap-buffer-overflow | high | fixed | WebM issue ↗ |
| 19 | chromium | Pre-Auth DoS in openscreen Cast ANSWER Parser via jsoncpp Non-Object find() Abort (AudioConstraints::TryParse et al.) | denial-of-service | medium | fixed | Chromium issue ↗ |
| 20 | chromium | Pre-Auth DoS in openscreen ReceiverMessage::Parse via jsoncpp Non-Object find() Abort | denial-of-service | medium | fixed | Chromium issue ↗ |
| 21 | chromium | Pre-Auth DoS in openscreen SenderMessage::Parse via jsoncpp Non-Object find() Abort | denial-of-service | medium | fixed | Chromium issue ↗ |
| 22 | chromium | SEGV in spvtools::Disassembler::OrderBlocks via Empty Block Vector after OpFunctionEnd Without OpLabel | segv | medium | fixed | GitHub issue ↗ |
| 23 | chromium | Unbounded Heap Allocation (~1.6 GB) in HashMgr::load_tables via Unvalidated tablesize Field in .dic File | unbounded-allocation-dos | medium | fixed | GitHub issue ↗ |
| 24 | chromium | Undefined Behavior in libvpx VP9 SVC Rate-Control via NaN-to-int Cast in saturate_cast_double_to_int (vp9_update_buffer_level_svc_preencode) | undefined-behavior | medium | fixed | WebM issue ↗ |
| 25 | chromium | Undefined Behavior in libvpx vpx_img_flip via Pointer Arithmetic on NULL planes[VPX_PLANE_ALPHA] | undefined-behavior | low | fixed | WebM issue ↗ |
| 26 | chromium | Use-After-Free / Null Pointer Dereference in TransliterationRule Destructor | use-after-free | high | fixed | Unicode Jira ↗ |
| 27 | curl | curl: option credentials leak across https->http same-host redirect (scheme ignored in origin comparison) | credential leakage / improper origin comparison | low | fixed | GitHub PR ↗ |
| 28 | dtc | Misaligned Memory Access in fdt32_to_cpu() During FDT Node Traversal | undefined-behavior-misaligned-access | medium | fixed | GitHub issue ↗ |
| 29 | FreeRDP | Pre-Auth Memory Leak in FreeRDP NTLM AuthenticateMessage Parser Failure Path | memory-leak | high | fixed | GitHub issue ↗ |
| 30 | fwupd | CAB MSZIP Decompression Bomb | Decompression Bomb (CWE-409) | medium | fixed | GitHub issue ↗ |
| 31 | fwupd | Integer Underflow in sbatlevel Section Parser | Integer Underflow (CWE-191) | medium | fixed | GitHub issue ↗ |
| 32 | Ghidra | OOM in cplus_demangle due to malformed symbol | Out-of-Memory / Denial of Service (CWE-400) | medium | fixed | GitHub advisory ↗ |
| 33 | Ghidra | OOM in rust_demangle due to nested generic parameters | Out-of-Memory / Denial of Service (CWE-400) | medium | fixed | GitHub advisory ↗ |
| 34 | goose | Deeplink module-state race causes cross-window deep link contamination | race-condition | high | fixed | GitHub issue ↗ |
| 35 | goose | OIDC proxy MAX_TOKEN_AGE_SECONDS bypasses exp check (expired token replay) | authentication-bypass | high | fixed | GitHub issue ↗ |
| 36 | goose | SSRF via fetch-metadata IPC handler to cloud metadata and internal hosts | server-side-request-forgery | high | fixed | GitHub issue ↗ |
| 37 | graaljs | IllformedLocaleException treated as Internal Error in Intl API | improper-exception-handling | medium | fixed | GitHub issue ↗ |
| 38 | graaljs | StringIndexOutOfBoundsException in RegexLexer.consumeChar causes Internal Error | uncaught-exception | medium | fixed | GitHub issue ↗ |
| 39 | harfbuzz | OOB Write in HarfBuzz fontations Glyph-Name Callback with size == 0 | out-of-bounds-write | medium | fixed | GitHub issue ↗ |
| 40 | icu | Use-After-Free / Null Pointer Dereference in TransliterationRule Destructor | use-after-free | high | fixed | Unicode Jira ↗ |
| 41 | jq | NULL Pointer Dereference in dump_operation | NULL Pointer Dereference (CWE-476) | medium | fixed | GitHub issue ↗ |
| 42 | json-java | ClassCastException in JSONML.toJSONArray due to unsafe type cast | Type Confusion | medium | fixed | GitHub issue ↗ |
| 43 | json-java | NumberFormatException in XMLTokener.unescapeEntity due to missing input validation | Input Validation Error | medium | fixed | GitHub issue ↗ |
| 44 | json-java | StringIndexOutOfBoundsException in XMLTokener.unescapeEntity due to missing length check | Input Validation Error | medium | fixed | GitHub issue ↗ |
| 45 | libavif | Heap Buffer Overflow in libavif Android JNI via Signed-Int Length Sign-Extension | heap-buffer-overflow | high | fixed | GitHub issue ↗ |
| 46 | libheif | Heap Buffer Overflow in libheif heif_image_crop (pixelimage.cc) | heap-buffer-overflow | high | fixed | GitHub issue ↗ |
| 47 | mongoose | Heap Buffer Overflow in mg_match | Heap Buffer Overflow (CWE-122) | medium | fixed | GitHub issue ↗ |
| 48 | mongoose | Heap Buffer Overflow in mg_match - s.buf[j] access without bounds check | Heap Buffer Overflow (CWE-125 Out-of-bounds Read) | medium | fixed | GitHub issue ↗ |
| 49 | mongoose | Heap Buffer Overflow in mg_mqtt_next_prop - MQTT5 property parsing OOB read | Heap Buffer Overflow (CWE-125 Out-of-bounds Read) | high | fixed | GitHub issue ↗ |
| 50 | ndpi | nDPI Heap OOB Read in ndpi_hex_decode via Unbounded sscanf Over Non-NUL-Terminated Borrowed Buffer (ndpi_decode_tls_blocks) | heap-buffer-overflow-read | medium | fixed | GitHub issue ↗ |
| 51 | net-snmp | net-snmp: heap-use-after-free in smux_rreq_process (SMUX RReq DELETE) dereferences freed handler reginfo | heap-use-after-free | medium | fixed | GitHub issue ↗ |
| 52 | net-snmp | NULL Pointer Dereference in vacm_parse_config_group | null-pointer-dereference | medium | fixed | GitHub issue ↗ |
| 53 | opc-ua | Assertion Failure in PubSub JSON NetworkMessage Decoder | assertion-failure | medium | fixed | GitHub PR ↗ |
| 54 | opencv | Heap buffer overflow in YAML parser parseKey() when key is empty | heap-buffer-overflow | low | fixed | GitHub issue ↗ |
| 55 | OpenPrint CUPS | Heap buffer overflow in cupsUTF8ToCharset when processing truncated UTF-8 sequences | Out-of-bounds Read (CWE-125) | high | fixed | GitHub issue ↗ |
| 56 | OpenPrint CUPS | NULL Pointer Dereference in cupsResolveConflicts() | NULL Pointer Dereference (CWE-476) | high | fixed | GitHub commit ↗ |
| 57 | OpenPrint CUPS | Open redirect issue in OAuth login flow | Open Redirect (CWE-601) | high | fixed | GitHub issue ↗ |
| 58 | openssl | Stack Buffer Over-Read in DES OFB/CFB64 via Unchecked num Parameter | stack-buffer-overflow | low | fixed | GitHub issue ↗ |
| 59 | ots | NULL Pointer Dereference in OTS ProcessGeneric() with TABLE_ACTION_PASSTHRU | null-pointer-dereference | medium | fixed | GitHub issue ↗ |
| 60 | paddle | Paddle Download Helpers TAR extraction path traversal / arbitrary file write | Path Traversal (CWE-22) | high | fixed | GitHub ↗ |
| 61 | simdutf | Heap buffer overflow in convert_utf16_to_utf8_safe due to write-before-check pattern | Heap Buffer Overflow (CWE-787) | high | fixed | GitHub issue ↗ |
| 62 | systemd | Algorithmic-Complexity DoS in systemd PE/UKI Parser (382-byte PE wedges parser >10s) | algorithmic-complexity-dos | low | fixed | GitHub PR ↗ |
| 63 | systemd | Out-of-Bounds Reads in sd-hwdb Trie Walker (offset dereferenced before bounds check) | out-of-bounds-read | high | fixed | GitHub PR ↗ |
| 64 | upx | Heap Buffer Overflow in UPX PackLinuxElf64::generateElfHdr when packing malformed ELF64 files | Heap Buffer Overflow (CWE-122) | high | fixed | GitHub issue ↗ |
| 65 | upx | Heap Buffer Overflow in UPX PeFile::processLoadConf when packing malformed PE32 files | Heap Buffer Overflow (CWE-122) | critical | fixed | GitHub issue ↗ |
| 66 | upx | Memory Leak in UPX PackLinuxElf32::pack2 when packing ELF executables | Memory Leak (CWE-401) | medium | fixed | GitHub issue ↗ |
| 67 | upx | Memory Leak in UPX PeFile::Resource::convert() when processing PE resources | Memory Leak (CWE-401) | low | fixed | GitHub issue ↗ |
| 68 | chromium | Double-Free in FlatBuffers Parser::Deserialize (idl_parser.cpp) | double-free | high | confirmed | GitHub issue ↗ |
| 69 | chromium | Heap Buffer Overflow in flatbuffers::Verify via Reflection VerifyObject | heap-buffer-overflow | high | confirmed | GitHub issue ↗ |
| 70 | chromium | Heap Buffer Overflow in FlexBuffers ToString (flexbuffers.h) | heap-buffer-overflow | high | confirmed | GitHub issue ↗ |
| 71 | chromium | Integer Overflow / Assertion Failure in VP9 Encoder (vp9_aq_complexity.c) | integer-overflow | high | confirmed | WebM issue ↗ |
| 72 | chromium | NULL Pointer Dereference in GenerateBinary | NULL Pointer Dereference (CWE-476) | medium | confirmed | GitHub issue ↗ |
| 73 | chromium | Uncontrolled Resource Consumption in PDFium XObject Processing Causes OOM and Tab Crash | resource-exhaustion | medium | confirmed | Chromium issue ↗ |
| 74 | openh264 | Heap Buffer Overflow in Scene Change Detection (WelsSampleSad8x8_c) | heap-buffer-overflow | high | confirmed | GitHub issue ↗ |