Tag

#browser-security

2 posts tagged #browser-security.

Analysis · May 20, 2026 · analysis-desk

Content-process only is one bug short of game over

CVE-2024-9680 was a Firefox use-after-free that 'only' ran code in the sandboxed content process. RomCom paired it with a Windows sandbox escape and turned a single page visit into a backdoor. Mozilla shipped the fix in about 25 hours.
Analysis · May 20, 2026 · The Commentary Desk

A browser bug, sold as a weapon, pointed at journalists

CVE-2022-2294 was a heap overflow in WebRTC, the real-time-comms code inside Chrome and other browsers. It wasn't used for mass crime. A surveillance vendor, Candiru, used it to plant DevilsTongue spyware on journalists in the Middle East. Different threat model, same patch.