PUBLIC MIRROR A read-only public view of Anvil. Only publicly-disclosed findings are shown; the Playbook, techniques, sessions and embargoed research are hidden.

← Targets

📖 Skia

active v488a6fc (2026-06-20) github.com/google/skia
73%
Research headroom
21/47
Modules examined
1 · 0 CVEs
Findings

Research map

Every module of the codebase — size and color it by attack surface, findings, or coverage, switch to the list / files view, and click a module to inspect its findings.

Where to look next

The platform ranks the highest-value modules and techniques to try next.

🔒 Next moves — internal

Per-module leads, untried techniques and the recommended sweep are part of the internal platform.

Disclosed findings (1, 0 CVEs)

More vulnerabilities will appear here as they are patched and publicly disclosed.

ID Title Class Severity Evidence Status CVE Discovered
SKIA-0005 SkOTUtils::RenameFont: unchecked 'name' table offset/length → heap OOB write from a crafted font (Windows font load) oob-write high ✓ public API verified 2026-06-22
Attack surface & downstream impact

Attack surface

Image codec decoders (BMP, JPEG, PNG, WEBP, ICO, WBMP, RAW/DNG, AVIF, JPEG-XL, GIF/wuffs)Image metadata parsers (EXIF, XMP, TIFF, ICC color profiles, HDR/gainmap)Vector/animation parsers (Skottie/Lottie JSON, SVG DOM)Font table parsing (SFNT/OpenType, FreeType font host)Markup/text parsing (XML/DOM, SkSL shader compiler)Geometry & rasterization core (paths, path-ops intersection, blitters)GPU command/resource handling (Ganesh, Graphite)

Downstream impact

Google Chrome / Chromium (2D graphics, image decode)Android (system graphics, framework image decode)Mozilla Firefox (Canvas/WebRender via Skia history)Flutter (rendering engine)OpenHarmony graphic_2d (vendors Skia — see OpenHarmony target)ChromeOS, numerous embedded/desktop apps
Disclosure timeline (1)
FindingReportedVendor ackPublicPatched in
SKIA-0005 2026-06-23 2026-06-24