Findings tracker
All vulnerabilities across targets. 85 total: 7 real-world verified, 47 harness-only.
🔒 Public mirror: showing the 26 publicly disclosed findings. The remaining 59 are embargoed, undisclosed, or still under research and are hidden; the counts on this page remain the real totals across all 85. More findings appear here as they are patched and publicly disclosed.
| Summary | Count |
|---|---|
| Total findings | 85 |
| Harness reproduced | 47 |
| Public API reachable | 2 |
| Real application verified | 2 |
| Platform verified | 0 |
| Disclosure ready | 3 |
| ID | Title | Target | Class | Severity | Evidence | Status | CVE | Discovered |
|---|---|---|---|---|---|---|---|---|
| SKIA-0005 | SkOTUtils::RenameFont: unchecked 'name' table offset/length → heap OOB write from a crafted font (Windows font load) | skia | oob-write | high | ✓ public API | verified | — | 2026-06-22 |
| LIBHEIF-0007 | Uncompressed encoder: heap OOB write in rgb_block_pixel_interleave for RRGGBB images with bit-depth <= 8 | libheif | oob-write | medium | ✓ disclosure | verified | — | 2026-06-21 |
| LIBHEIF-0008 | Color conversion: heap OOB read converting odd-dimension uncompressed 4:2:0 (decoder floor-allocates chroma; multiple ceil-assuming conversion sinks incl. the common 4:2:0→RGB path) | libheif | oob-read | medium | ✓ real app | verified | — | 2026-06-21 |
| LIBHEIF-0010 | Image sequences: unbounded allocation reading a sample (append_data_from_file_range ignores security limits) → memory-exhaustion DoS | libheif | dos | medium | harness | harness-verified | — | 2026-06-21 |
| LIBHEIF-0009 | VVC decode glue: reachable assert(false) in parse_sps_for_vvcC_configuration on crafted SPS (gci/subpic TODO paths) | libheif | dos | low | harness | harness-verified | — | 2026-06-21 |
| GROK-0008 | PNM writer: packed_row_bytes/packer precision mismatch in streaming-strip output → heap overflow for precision not in {8,16} | grok | oob-write | low | static | confirmed | — | 2026-06-16 |
| GROK-0003 | MJ2 box parser: headerSize underflow in read_url/read_urn yields heap out-of-bounds read | grok | oob-read | low | static | confirmed | — | 2026-06-16 |
| GROK-0001 | BMP reader: stack buffer overflow in readInfoHeader (biSize read into fixed buffer before validation) | grok | oob-write | high | harness | harness-verified | — | 2026-06-16 |
| GROK-0002 | BMP reader: heap out-of-bounds read in RLE8/RLE4 decoders (input pointer never bounded by biSizeImage) | grok | oob-read | medium | harness | harness-verified | — | 2026-06-16 |
| GROK-0004 | JPEG reader: stack buffer overflow on CMYK/YCCK (4-component) JPEG — fixed [3] arrays indexed by output_components | grok | oob-write | high | harness | harness-verified | — | 2026-06-16 |
| GROK-0005 | TIFF reader: heap out-of-bounds read when component count (photometric+extrasamples) exceeds SamplesPerPixel | grok | oob-read | medium | harness | harness-verified | — | 2026-06-16 |
| GROK-0006 | TileProcessor: use-after-free of an LRU-evicted Tile on re-decompress (reinitForReDecompress) | grok | use-after-free | high | harness | harness-verified | — | 2026-06-16 |
| GROK-0007 | MJ2: sample offset/size from STCO/STSZ used as a raw file pointer with no bounds check → out-of-bounds read | grok | oob-read | high | harness | harness-verified | — | 2026-06-16 |
| GROK-0009 | MJ2 STTS: unbounded samples_count_ drives ~4 billion allocations (decompression bomb / DoS) + num_samples_ overflow | grok | dos | low | harness | harness-verified | — | 2026-06-16 |
| GROK-0010 | Decompress strip composite: first-tile-row buffer under-allocated vs interior tile-row height → heap OOB write | grok | oob-write | high | harness | harness-verified | — | 2026-06-16 |
| GROK-0011 | JP2 asoc box: unbounded nesting recursion in read_asoc → stack-exhaustion DoS | grok | dos | medium | harness | harness-verified | — | 2026-06-16 |
| GROK-0012 | HTJ2K SIMD decoder: MagSgn frwd_read 16-byte vector load over-reads the 8-byte-padded code-block buffer | grok | oob-read | low | static | confirmed | — | 2026-06-16 |
| GROK-0013 | MJ2 read_url/read_urn: NULL-pointer dereference of current_track_ when a dref/url box has no preceding tkhd | grok | dos | low | harness | harness-verified | — | 2026-06-16 |
| GROK-0014 | Wavelet: unbounded DWT scratch-pool allocation from attacker tile dimension → memory-exhaustion DoS | grok | dos | medium | harness | harness-verified | — | 2026-06-16 |
| LIBPNG-0004 | Pull-vs-push APNG decode divergence (CVE-2026-40930 class parser differential) | libpng | logic | low | static | confirmed | — | 2026-06-13 |
| LIBHEIF-0004 | JPEG decoder plugin: memory leak on longjmp past jpeg_finish_decompress | libheif | dos | low | ✓ public API | verified | — | 2026-05-04 |
| LIBHEIF-0001 | Grid NULL-pointer dereference in decode_grid_tile on missing tile reference | libheif | dos | medium | ✓ disclosure | verified | — | 2026-05-03 |
| LIBHEIF-0002 | Grid uint32 underflow → heap out-of-bounds read in decode_grid_tile | libheif | oob-read | high | ✓ disclosure | patched | CVE-2026-48029 | 2026-05-03 |
| LIBPNG-0002 | APNG write-side per-frame row_buf/prev_row leak across png_write_reset | libpng | dos | low | static | confirmed | — | 2026-05-02 |
| LIBPNG-0003 | APNG write-side heap-buffer-overflow on width-varying multi-frame re-encode | libpng | oob-write | high | harness | harness-verified | — | 2026-05-02 |
| LIBPNG-0001 | Sub-byte grayscale padding-bit propagation into re-encoded IDAT (png_combine_row) | libpng | info-leak | low | static | confirmed | — | 2026-05-01 |
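Several rows above share one bug class: a length or offset field read from the container (a box header size, a BMP `biSize`, an STCO/STSZ sample entry) is used before it is checked against the header it describes or the bytes that remain, so an unsigned subtraction wraps or a pointer runs past the buffer. The following is an added illustration of that class and of the two checks that close it; it is not code from grok, libheif or any project in this tracker, and every name in it (`parse_box`, `check_stream`, `sample_in_bounds`, the constructed byte streams) is hypothetical.

```c
/*
 * Added illustration for the "size/offset trusted before validation" rows
 * (GROK-0003, GROK-0007, GROK-0001, LIBHEIF-0002 class). NOT code from grok,
 * libheif or any project in the tracker; all names are hypothetical. It parses
 * a minimal ISO-BMFF-shaped "size + type" box stream and shows the two checks
 * the vulnerable pattern omits: the declared size must cover its own header
 * (else `size - 8` wraps) and must fit in the bytes that remain.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BOX_HDR 8u  /* 4-byte big-endian size (header included) + 4-byte type tag */

enum box_status { BOX_OK = 0, BOX_ERR_TRUNC = 1, BOX_ERR_UNDERFLOW = 2, BOX_ERR_OVERRUN = 3 };

struct box {
    uint32_t size;          /* declared size, header included */
    char type[5];
    const uint8_t *payload;
    size_t payload_len;
};

static uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern: the declared size is used as-is. For size < 8 the
 * uint32 subtraction wraps to ~4 GiB, and nothing ties it to the buffer end. */
size_t unsafe_payload_len(const uint8_t *buf) {
    return (size_t)(rd32be(buf) - BOX_HDR);
}

/* Hardened parse. Sizes 0 (box runs to EOF) and 1 (64-bit largesize) have
 * special meaning in ISO BMFF; this model simply rejects them as too small. */
enum box_status parse_box(const uint8_t *buf, size_t len, size_t off, struct box *out) {
    if (off > len || len - off < BOX_HDR) return BOX_ERR_TRUNC;   /* header itself is cut off */
    uint32_t size = rd32be(buf + off);
    if (size < BOX_HDR) return BOX_ERR_UNDERFLOW;                 /* size - 8 would wrap */
    if (size > len - off) return BOX_ERR_OVERRUN;                 /* runs past the buffer */
    out->size = size;
    memcpy(out->type, buf + off + 4, 4);
    out->type[4] = '\0';
    out->payload = buf + off + BOX_HDR;
    out->payload_len = size - BOX_HDR;
    return BOX_OK;
}

/* Walks a stream. Returns the number of boxes on success, or -status at the first bad box. */
int check_stream(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int n = 0;
    struct box b;
    while (off < len) {
        enum box_status st = parse_box(buf, len, off, &b);
        if (st != BOX_OK) return -(int)st;
        n++;
        off += b.size;  /* size >= 8, so the walk always advances */
    }
    return n;
}

/* Same discipline for sample-table entries (STCO offset, STSZ size): compare
 * against the file length without letting offset + size overflow. */
int sample_in_bounds(uint64_t file_len, uint64_t offset, uint64_t size) {
    return offset <= file_len && size <= file_len - offset;
}

/* Constructed inputs (not captured from any real file). */
static const uint8_t GOOD_STREAM[] = {
    0, 0, 0, 12, 'f', 't', 'y', 'p', 'i', 's', 'o', 'm',   /* 12-byte box, 4-byte payload */
    0, 0, 0, 8,  'm', 'd', 'a', 't'                        /* empty box */
};
static const uint8_t UNDERFLOW_STREAM[] = { 0, 0, 0, 4, 'u', 'r', 'l', ' ' };               /* size 4 < header */
static const uint8_t OVERRUN_STREAM[]   = { 0, 0, 0, 100, 'm', 'd', 'a', 't', 1, 2, 3, 4 }; /* claims 100 of 12 bytes */

int main(void) {
    printf("good: %d boxes\n", check_stream(GOOD_STREAM, sizeof GOOD_STREAM));
    printf("underflow: unsafe len=%zu, checked=%d\n",
           unsafe_payload_len(UNDERFLOW_STREAM), check_stream(UNDERFLOW_STREAM, sizeof UNDERFLOW_STREAM));
    printf("overrun: checked=%d\n", check_stream(OVERRUN_STREAM, sizeof OVERRUN_STREAM));
    printf("sample 90+10 in 100: %d, 90+11: %d\n", sample_in_bounds(100, 90, 10), sample_in_bounds(100, 90, 11));
    return 0;
}
```

The order of the checks matters: the header bytes must exist before the size is read, the size must be compared with the header length before any subtraction, and only then compared with the remaining length. `sample_in_bounds` applies the same idea to a 64-bit offset/size pair, where `offset + size <= file_len` would itself be an overflowable expression.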
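LIBHEIF-0008 describes a different mismatch: the decoder sizes 4:2:0 chroma planes with floor division while conversion sinks index them as if they were rounded up, so odd-dimension images read one column or row past each plane. The following is an added illustration of that arithmetic and of the entry check a sink should make; it is not libheif code, and every name in it (`chroma_floor`, `chroma_ceil`, `count_overreads`, `convert_checked`, `demo`) is hypothetical.

```c
/*
 * Added illustration for the "floor-allocated chroma vs ceil-assuming sink"
 * mismatch (LIBHEIF-0008 class). NOT libheif code; every name is hypothetical.
 * In 4:2:0 each chroma sample covers a 2x2 luma block, so a W x H luma plane
 * needs ceil(W/2) x ceil(H/2) chroma. A decoder that allocates W/2 x H/2 is
 * one sample short on each odd axis, and any sink that reads chroma at
 * (x/2, y/2) for every luma pixel overreads the plane.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

size_t chroma_floor(size_t luma) { return luma / 2; }        /* the buggy allocation rule */
size_t chroma_ceil(size_t luma)  { return (luma + 1) / 2; }  /* what the subsampling requires */

/* Counts luma pixels whose (x/2, y/2) chroma index falls outside a cw x ch plane.
 * A real converter would perform these reads; here they are only counted. */
size_t count_overreads(size_t w, size_t h, size_t cw, size_t ch) {
    size_t n = 0;
    for (size_t y = 0; y < h; y++)
        for (size_t x = 0; x < w; x++)
            if (x / 2 >= cw || y / 2 >= ch) n++;
    return n;
}

/* Entry check a conversion sink should make before touching the planes. */
int chroma_planes_sufficient(size_t w, size_t h, size_t cw, size_t ch) {
    return cw >= chroma_ceil(w) && ch >= chroma_ceil(h);
}

/* Checked "conversion": averages each luma sample with its co-sited U sample
 * (a stand-in for real colour math). Returns 0 on success, -1 if the planes
 * are too small to be read safely. Stride is assumed equal to width. */
int convert_checked(const uint8_t *Y, size_t w, size_t h,
                    const uint8_t *U, size_t cw, size_t ch, uint8_t *out) {
    if (!chroma_planes_sufficient(w, h, cw, ch)) return -1;
    for (size_t y = 0; y < h; y++)
        for (size_t x = 0; x < w; x++)
            out[y * w + x] = (uint8_t)((Y[y * w + x] + U[(y / 2) * cw + x / 2]) / 2);
    return 0;
}

/* Builds a constructed 5x3 image (Y=100, U=50), sizes chroma with floor or
 * ceil, and runs the checked conversion. Returns -1 if rejected, else the
 * last output byte. */
int demo(int floor_alloc) {
    const size_t w = 5, h = 3;
    size_t cw = floor_alloc ? chroma_floor(w) : chroma_ceil(w);
    size_t ch = floor_alloc ? chroma_floor(h) : chroma_ceil(h);
    uint8_t *Y = malloc(w * h), *U = malloc(cw * ch), *out = malloc(w * h);
    int rc = -1;
    if (Y && U && out) {
        memset(Y, 100, w * h);
        memset(U, 50, cw * ch);
        rc = convert_checked(Y, w, h, U, cw, ch, out);
        if (rc == 0) rc = out[w * h - 1];
    }
    free(Y); free(U); free(out);
    return rc;
}

int main(void) {
    printf("5x3 floor chroma: %zu overreads, convert=%d\n",
           count_overreads(5, 3, chroma_floor(5), chroma_floor(3)), demo(1));
    printf("5x3 ceil chroma: %zu overreads, convert=%d\n",
           count_overreads(5, 3, chroma_ceil(5), chroma_ceil(3)), demo(0));
    return 0;
}
```

For a 5x3 image the floor rule yields a 2x1 chroma plane while the sink touches indices up to (2, 1), so 7 of the 15 luma pixels map outside it; with ceil sizing (3x2) the count is zero. Even-dimension images never trigger the mismatch, which is why such bugs survive fuzzing corpora built from even-sized samples.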