cvp: session id leaks kernel pointers due to cryptographically-insecure hashing project-zero.issues.chromium.org/issues/3976959…

The Windows Registry Adventure #7: Attack surface analysis googleprojectzero.blogspot.com/2025/05/the-wi…

The Windows Registry Adventure #8: Practical exploitation of hive memory corruption googleprojectzero.blogspot.com/2025/05/the-wi…

Samsung S24: Out of bounds read in MP3 Decoder project-zero.issues.chromium.org/issues/3881150…

Samsung S24: Out of bounds write in VC1 Decoder (svc1d_rr_frm) project-zero.issues.chromium.org/issues/3962269…

Samsung S24: Out of bounds memset in VC1 Decoder project-zero.issues.chromium.org/issues/3959754…

Webkit: Cross-site CSS rule and redirect URL disclosure project-zero.issues.chromium.org/issues/4081721…

Linux >=6.13: io_uring: SQE/CQE UAF/OOB read in race between IORING_REGISTER_RESIZE_RINGS and io_uring_show_fdinfo project-zero.issues.chromium.org/issues/4175226…

MacOS Sandbox Escape via Double Free in coreaudiod/CoreAudio Framework project-zero.issues.chromium.org/issues/4062711…

Double-fetch of root_size in fastrpc_pack_root_sharedpage leads to buffer overflow project-zero.issues.chromium.org/issues/3994630…

libxslt: Type confusion in xmlNode.psvi between stylesheet and source nodes project-zero.issues.chromium.org/issues/4097619…

libxslt: heap-use-after-free in xmlFreeID caused by `atype` corruption project-zero.issues.chromium.org/issues/4105693…

libxml2: Integer overflow leading to heap-buffer-overflow in xmlRegEpxFromParse project-zero.issues.chromium.org/issues/4324508…

Android: dng_sdk DeltaPerRow out-of-bounds read project-zero.issues.chromium.org/issues/4124222…

Linux: hugetlb page table sharing races with VMA splitting, leading to page table UAF project-zero.issues.chromium.org/issues/4207157…

Policy and Disclosure: 2025 Edition googleprojectzero.blogspot.com/2025/07/report…

arm64: Linear mapping is mapped at the same static virtual address project-zero.issues.chromium.org/issues/4342084…

libxslt: use-after-free with key data stored cross-RVT project-zero.issues.chromium.org/issues/4159572…

Linux >=6.9: broken AF_UNIX MSG_OOB handling causes UAF read+write project-zero.issues.chromium.org/issues/4230239…

From Chrome renderer code exec to kernel with MSG_OOB googleprojectzero.blogspot.com/2025/08/from-c…