Vulnerability Research is a Journey: CVEs Found by KeenLab


by KeenLab

By a partial estimate, as of May 2016 KeenLab has found a total of 152 critical vulnerabilities with CVE IDs, ranging from mainstream operating systems to browsers and applications.

Among the vulnerabilities we discovered, 13 were used directly in the 8 Pwn2Own categories we won in the past few years.

CVE-2007-0071 was nominated for best client vulnerability at the Pwnie Awards 2008, the first time a Chinese researcher appeared on a Pwnie nomination list.

CVE-2010-3333 affected every version of Microsoft Office Word current at the time and had a huge impact that year.

CVE-2015-3636 could root most Android devices in 2015. It was nominated for best privilege escalation vulnerability at the Pwnie Awards 2015 and was also recognized in academic circles: we presented our research at ACM CCS 2015, Black Hat 2015, and USENIX WOOT 2015, among other venues.

CVE-2014-1303 and CVE-2014-1314 helped us pwn Safari on OS X in 2014, the first time in Pwn2Own history that a 64-bit browser was pwned on a 64-bit OS.

CVE-2015-2435 and CVE-2015-2455 not only helped us win the Flash and Reader categories at Pwn2Own 2015, but also made us the first team in Pwn2Own history to obtain SYSTEM privilege on Windows using TTF vulnerabilities. These two vulnerabilities demonstrate KeenLab's research strength in the Windows font area as well as the Windows kernel. CVE-2015-2455 was also nominated for best privilege escalation vulnerability at Pwnie 2015.

CVE-2016-1815 and its exploit successfully gained root privilege on the latest OS X El Capitan at Pwn2Own 2016. The vulnerability resides in the closed-source core graphics pipeline components shared by all Apple graphics drivers, including those for the newest chipsets, and with our advanced exploitation approach we used this single vulnerability to break the Apple sandbox and get root.

In recent years, KeenLab has been shifting its research focus from PC to mobile. While we continue to discover a large number of high-quality vulnerabilities on PC, our research output on mobile platforms is also outstanding.

Here is the list of CVEs:

Microsoft

CVE-2014-2819 (Pwn2Own 2014 Flash sandbox bypass on Windows 8.1)
Internet Explorer Elevation of Privilege Vulnerability
https://technet.microsoft.com/en-us/library/security/MS14-051

CVE-2015-2435 (Pwn2Own 2015 Flash sandbox bypass with System EoP on Windows 8.1)
TrueType Font Parsing Vulnerability
https://technet.microsoft.com/library/security/MS15-080

CVE-2015-2455 (Pwn2Own 2015 Reader sandbox bypass with System EoP on Windows 8.1 / Pwnie 2015 nomination)
TrueType Font Parsing Vulnerability
https://technet.microsoft.com/library/security/MS15-080

CVE-2016-0176 (Pwn2Own 2016 Edge sandbox bypass with System EoP on Windows 10)
Microsoft DirectX Graphics Kernel Subsystem Elevation of Privilege Vulnerability
https://technet.microsoft.com/library/security/MS16-062

CVE-2010-3333
Microsoft Word RTF File Parsing Stack Buffer Overflow Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms10-087.mspx

CVE-2007-2931
MSN Messenger Video Conversation Buffer Overflow Vulnerability
http://www.microsoft.com/technet/security/Bulletin/MS07-054.mspx

CVE-2008-1091
Microsoft Office RTF Parsing Engine Memory Corruption Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms08-026.mspx

CVE-2008-3471
Microsoft Office Excel BIFF File Format Parsing Stack Overflow Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS08-057.mspx

CVE-2008-4027
Microsoft Office RTF Consecutive Drawing Object Parsing Heap Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-084/

CVE-2008-4028
Microsoft Office RTF Drawing Object Heap Overflow Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS08-072.mspx

CVE-2008-4837
Microsoft Office Word Document Table Property Stack Overflow Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS08-072.mspx

CVE-2009-1130
Microsoft Office PowerPoint Notes Container Heap Overflow Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS09-017.mspx

CVE-2009-0563
Microsoft Word Document Stack Based Buffer Overflow Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS09-027.mspx

CVE-2009-1530
Microsoft Internet Explorer Event Handler Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-038/

CVE-2009-1531
Microsoft Internet Explorer onreadystatechange Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-039/

CVE-2009-1918
Microsoft Internet Explorer getElementsByTagName Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-047/

CVE-2009-1133
Microsoft Remote Desktop Client Arbitrary Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-057/

CVE-2009-1920
Microsoft Internet Explorer JScript arguments Invocation Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-062/

CVE-2009-2502
Microsoft Windows GDI+ TIFF File Parsing Buffer Overflow Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx

CVE-2010-0244
Microsoft Internet Explorer Table Layout Col Tag Cache Update Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-011/

CVE-2010-0491
Microsoft Internet Explorer 'onreadystatechange' Use After Free Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms10-018.mspx

CVE-2010-1900
Microsoft Office Word sprmCMajority Record Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-150/

CVE-2010-1901
Microsoft Office RTF Parsing Engine Memory Corruption Vulnerability
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=877

CVE-2010-1902
Microsoft Word RTF File Parsing Heap Buffer Overflow Vulnerability
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=876

CVE-2016-0193
Scripting Engine Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/MS16-052

CVE-2015-2383
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/MS15-065

CVE-2015-1753
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/MS15-056

CVE-2015-1689
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/MS15-043

CVE-2015-1691
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/MS15-043

CVE-2015-1718
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/MS15-043

CVE-2015-1657
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/MS15-032

CVE-2015-0056
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/MS15-018

CVE-2015-0039
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/MS15-009

CVE-2015-0066
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/MS15-009

CVE-2014-6375
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/ms14-080

CVE-2014-6339
Internet Explorer ASLR Bypass Vulnerability
https://technet.microsoft.com/library/security/MS14-065

CVE-2014-4130
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/ms14-056

CVE-2014-2773
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/ms14-035

CVE-2014-0267
Internet Explorer Memory Corruption Vulnerability
https://technet.microsoft.com/library/security/ms14-010

Google/Android related bugs

CVE-2016-1646
Out-of-bounds read in V8
http://googlechromereleases.blogspot.com/2016/03/stable-channel-update_24.html

CVE-2010-2297
Table layout crash bug from wushi
https://code.google.com/p/chromium/issues/detail?id=42723

CVE-2010-4206
chrome_55000000!WebCore::FEBlend::apply Memory corruption
https://code.google.com/p/chromium/issues/detail?id=60688

CVE-2014-8299
MTK TOCTTOU memory corruption
http://2014.zeronights.org/assets/files/slides/racingwithdroids.pdf

CVE-2016-2443
Qualcomm MDP escalation of privilege
https://source.android.com/security/bulletin/2016-05-01.html

CVE-2016-0811
libmediaplayerservice infoleak
https://source.android.com/security/bulletin/2016-02-01.html

CVE-2015-6637
misc-sd escalation of privilege
https://source.android.com/security/bulletin/2016-01-01.html

CVE-2015-6612
libmedia escalation of privilege
https://source.android.com/security/bulletin/2015-11-01.html

CVE-2015-6620
libstagefright escalation of privilege
https://source.android.com/security/bulletin/2015-12-01.html

CVE-2015-6622
Android Native Frameworks Library infoleak
https://source.android.com/security/bulletin/2015-12-01.html

CVE-2014-9410
Multiple Issues in Camera Drivers
https://www.codeaurora.org/projects/security-advisories/hall-of-fame

CVE-2014-4324
Multiple Issues in Camera Drivers
https://www.codeaurora.org/projects/security-advisories/hall-of-fame

CVE-2014-4321
Multiple Issues in Camera Drivers
https://www.codeaurora.org/projects/security-advisories/hall-of-fame

CVE-2014-0976
Multiple Issues in Camera Drivers
https://www.codeaurora.org/projects/security-advisories/hall-of-fame

CVE-2014-0975
Multiple Issues in Camera Drivers
https://www.codeaurora.org/projects/security-advisories/hall-of-fame

CVE-2015-3854
Permission leak in systemserver
https://blog.flanker017.me/series-of-vulnerabilities-in-system_server/

CVE-2015-3855
Permission leak in systemserver
https://blog.flanker017.me/series-of-vulnerabilities-in-system_server/

CVE-2015-3856
Denial of service in systemserver
https://blog.flanker017.me/series-of-vulnerabilities-in-system_server/

Apple

CVE-2013-5228 (Mobile Pwn2Own 2013 iOS 7)
Apple iOS Safari DocumentOrderedMap Remote Code Execution Vulnerability
https://support.apple.com/en-us/HT202897

CVE-2014-1303 (Pwn2Own 2014 Safari on OS X)
Apple Safari Heap Buffer Overflow Remote Code Execution Vulnerability
https://support.apple.com/zh-cn/HT202941

CVE-2014-1314 (Pwn2Own 2014 OS X sandbox bypass)
Apple OS X WindowsServer Sandbox Escape Vulnerability
https://support.apple.com/en-us/HT202966

CVE-2016-1859 (Pwn2Own 2016 Tencent Security Team Shield Safari on OS X)
Multiple memory corruption issues were addressed through improved memory handling in WebKit
https://support.apple.com/en-us/HT206565

CVE-2016-1804 (Pwn2Own 2016 Tencent Security Team Shield sandbox bypass on OS X)
Multi-Touch memory corruption
https://support.apple.com/en-us/HT206567

CVE-2016-1857 (Pwn2Own 2016 Tencent Security Team Sniper Safari on OS X)
Multiple memory corruption issues were addressed through improved memory handling in WebKit
https://support.apple.com/en-us/HT206565

CVE-2016-1815 (Pwn2Own 2016 Tencent Security Team Sniper sandbox bypass on OS X)
IOAcceleratorFamily memory corruption
https://support.apple.com/zh-cn/HT206567

CVE-2009-1690
Multiple Vendor WebKit Error Handling Use After Free Vulnerability
http://support.apple.com/kb/ht3613

CVE-2010-0047
Apple WebKit innerHTML element Substitution Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-029/

CVE-2010-0053
Apple WebKit CSS run-in Attribute Rendering Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-030/

CVE-2010-0050
Apple Webkit Blink Event Dangling Pointer Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-031/

CVE-2010-0048
Apple Webkit Anchor Tag Mouse Click Event Dispatch Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-146/

CVE-2010-0049
Apple WebKit RTL LineBox Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-152/

CVE-2010-1119
Apple Webkit Attribute Child Removal Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-091/

CVE-2010-1392
Apple Webkit Button First-Letter Style Rendering Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-154/

CVE-2010-1396
Apple Webkit Option Element ContentEditable Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-092/

CVE-2010-1397
Apple Webkit DOCUMENT_POSITION_DISCONNECTED Attribute Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-095/

CVE-2010-1398
Apple Webkit ContentEditable moveParagraphs Uninitialized Element Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-097/

CVE-2010-1399
Apple Webkit SelectionController via Marquee Event Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-094/

CVE-2010-1400
Multiple Vendor WebKit HTML Caption Use After Free Vulnerability
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=870

CVE-2010-1401
Apple Webkit First-Letter Pseudo-Element Style Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-098/

CVE-2010-1402
Apple Webkit ConditionEventListener Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-100/

CVE-2010-1403
Apple Webkit ProcessInstruction Target Error Message Insertion Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-099/

CVE-2010-1404
Apple Webkit Recursive Use Element Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-096/

CVE-2010-1665
Apple WebKit WebCore::FontFallbackList::determinePitch memory corruption
https://code.google.com/p/chromium/issues/detail?id=42294

CVE-2010-1749
Apple Webkit SVG RadialGradiant Run-in Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-101/

CVE-2010-1770
Apple Webkit CSS Charset Text Transformation Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-093/

CVE-2010-1786
Apple Webkit SVG ForeignObject Rendering Layout Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-141/

CVE-2010-1785
Apple Webkit SVG First-Letter Style Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-142/

CVE-2010-1784
Apple Webkit Rendering Counter Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-144/

CVE-2010-1787
Apple Webkit SVG Floating Text Element Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-153/

CVE-2010-3113
WebKit Security issue in SVGUseElement::buildShadowTree
http://www.securityfocus.com/bid/44199

CVE-2010-3114
WebKit Memory corruption with invalid text node cast for edit commands
https://code.google.com/p/chromium/issues/detail?id=49628

CVE-2010-1806
Apple Safari Webkit Runin Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-170/

CVE-2010-1822
Webkit Bad cast with svg:g element
https://code.google.com/p/chromium/issues/detail?id=55114

CVE-2010-1824
Apple Webkit Error Message Mutation Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-095/

CVE-2010-4198
Webkit Memory corruption in accessing floatptr of a textarea
https://code.google.com/p/chromium/issues/detail?id=55257

CVE-2010-3808
WebKit invalid cast issue exists in editing commands
http://support.apple.com/kb/HT4455

CVE-2010-3824
WebKit's handling of "use" elements in SVG documents
http://support.apple.com/kb/HT4455

CVE-2011-1118
WebKit Security:WebCore::HTMLTextAreaElement::updateValue
https://code.google.com/p/chromium/issues/detail?id=71388

CVE-2011-1117
WebKit Stale nodes in Document::recalcStyleSelector
https://code.google.com/p/chromium/issues/detail?id=71386

CVE-2011-1448
WebKit stale entries in gPercentHeightDescendantsMap
https://code.google.com/p/chromium/issues/detail?id=77130

CVE-2010-1823
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808

CVE-2011-0233
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808

CVE-2011-0234
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808

CVE-2011-0237
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808

CVE-2011-0240
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808

CVE-2011-1117
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808

CVE-2011-1449
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808

CVE-2011-1453
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808

CVE-2011-1462
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808

CVE-2011-1797
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808

CVE-2011-3438
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808

CVE-2011-2825
Webkit fontface Invalid Font Family Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-12-054/

CVE-2011-2855
Multiple Vendor WebKit SVG Element Use After Free Vulnerability
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=971

CVE-2011-3928
Webkit.org Webkit copyNonAttributeProperties Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-12-055/

CVE-2011-3035
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT5400

CVE-2012-0634
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT5191

CVE-2012-3683
Apple Safari RenderBox InlineBox Type Confusion Vulnerability
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=998

CVE-2013-0961
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT5671

CVE-2012-1521
WebKit Heap-use-after-free in WebCore::RenderObjectChildList::destroyLeftoverChildren
http://googlechromereleases.blogspot.com/2011/04/chrome-stable-update.html

CVE-2014-1368
Multiple memory corruption issues existed in WebKit
https://support.apple.com/en-us/HT203007

CVE-2016-1824
IOHIDFamily memory corruption
https://support.apple.com/zh-cn/HT206567

CVE-2016-1860
Intel Graphics Driver memory corruption
https://support.apple.com/en-us/HT206567

CVE-2016-1716
AppleGraphicsPowerManagement memory corruption
https://support.apple.com/zh-cn/HT205731

CVE-2015-5768
AppleGraphicsControl memory corruption
https://support.apple.com/en-us/HT205031

CVE-2015-3676
AppleGraphicsControl memory corruption
https://support.apple.com/en-us/HT204942

CVE-2015-3702
Intel Graphics Driver memory corruption
https://support.apple.com/en-us/HT204942

CVE-2015-3705
IOAcceleratorFamily memory corruption
https://support.apple.com/en-us/HT204942

CVE-2015-3706
IOAcceleratorFamily memory corruption
https://support.apple.com/en-us/HT204942

Adobe

CVE-2007-0071 (Pwnie 2008 nomination)
Integer overflow in Adobe Flash Player 9.0.115.0 and earlier
http://www.securityfocus.com/bid/28695

CVE-2015-6678 (Pwn2Own 2015 Flash)
Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb15-23.html

CVE-2015-5108 (Pwn2Own 2015 Adobe Reader)
Security Updates Available for Adobe Acrobat and Reader
https://helpx.adobe.com/security/products/acrobat/apsb15-15.html

CVE-2014-0510 (Pwn2Own 2014 Flash)
Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb14-14.html

CVE-2011-2135
Adobe Flash Player ActionScript Display Memory Corruption Vulnerability
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=935

CVE-2012-2034
Adobe Flash Player ActionScript DisplayObject Layout Memory Corruption Vulnerability
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=987

CVE-2015-5087
Security Updates Available for Adobe Acrobat and Reader
https://helpx.adobe.com/security/products/acrobat/apsb15-15.html

CVE-2015-3124
Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb15-16.html

CVE-2015-3083
Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb15-09.html

CVE-2015-3082
Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb15-09.html

CVE-2015-3081
Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb15-09.html

CVE-2015-0351
Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb15-06.html

CVE-2015-3040
Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb15-06.html

CVE-2015-3041
Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb15-06.html

CVE-2015-0342
Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb15-05.html

CVE-2015-0322
Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html

Mozilla

CVE-2008-5021
Crash and remote code execution in nsFrameManager
http://www.mozilla.org/security/announce/2008/mfsa2008-55.html

CVE-2010-0183
Firefox Use-after-free error in nsCycleCollector::MarkRoots()
http://www.mozilla.org/security/announce/2010/mfsa2010-27.html

CVE-2010-3166
Firefox Heap buffer overflow in nsTextFrameUtils::TransformText
http://www.mozilla.org/security/announce/2010/mfsa2010-53.html

CVE-2010-3772
Firefox Crash and remote code execution using HTML tags inside a XUL tree
http://www.mozilla.org/security/announce/2010/mfsa2010-77.html

CVE-2012-0472
Firefox Potential memory corruption during font rendering using cairo-dwrite
http://www.mozilla.org/security/announce/2012/mfsa2012-25.html

Linux

CVE-2015-3636 (PingPong Root / Pwnie 2015 nomination)
Use-after-free flaw in the Linux kernel’s ipv4 ping support.
http://www.ubuntu.com/usn/usn-2631-1/

CVE-2016-4794
Linux Kernel bpf related UAF
http://seclists.org/oss-sec/2016/q2/332

CVE-2015-7292
Amazon Fire Phone kernel stack based buffer overflow
http://marcograss.github.io/security/android/cve/2016/01/15/cve-2015-7292-amazon-kernel-stack-buffer-overflow.html

Misc

CVE-2006-7222
Media Player Classic FLI File Processing Buffer Overflow
http://www.securityfocus.com/bid/25437