Closed Bug 1984824 Opened 8 months ago Closed 8 months ago

Sandbox escape from the content to the browser process

Tracking

()

Status:

RESOLVED DUPLICATE of bug 1984825

People

(Reporter: oskarlindberg348, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [client-bounty-form])

Oskar

Reporter

Description

•

8 months ago

Using the Canvas2D subsystem one can cause a memory corruption in the browser process which allows a sandbox escape from a content process.

Writeup will follow.

Flags: sec-bounty?

Oskar

Reporter

Updated

•

8 months ago

Status: UNCONFIRMED → RESOLVED

Closed: 8 months ago

Duplicate of bug: CVE-2025-10527

Resolution: --- → DUPLICATE

Andrew McCreight [:mccr8]

Updated

•

8 months ago

Group: firefox-core-security → gfx-core-security

Component: Security → Graphics: Canvas2D

Product: Firefox → Core

Daniel Veditz [:dveditz]

Updated

•

8 months ago

Flags: sec-bounty? → sec-bounty-

Daniel Veditz [:dveditz]

Updated

•

28 days ago

Group: gfx-core-security

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Sandbox escape from the content to the browser process

Categories

(Core :: Graphics: Canvas2D, defect)

Tracking

()

People

(Reporter: oskarlindberg348, Unassigned)

References

Details

(Keywords: reporter-external, Whiteboard: [client-bounty-form])

Crash Data

Security

(public)

User Story

Description

Updated

Updated

Updated

Updated