Google Software and search
Recent Google Security Advisories
| Advisory | Title | Published |
|---|---|---|
| 2026-06-24 | Chrome Releases: Stable Channel Update for Desktop (version 149.0.7827.196) | June 24, 2026 |
| 2026-06-24 | Chrome Releases: Chrome for Android Update (version 149) | June 24, 2026 |
| 2026-06-17 | Chrome Releases: Stable Channel Update for ChromeOS / ChromeOS Flex | June 17, 2026 |
| 2026-06-17 | Chrome Releases: Chrome Stable for iOS Update (version 150) | June 17, 2026 |
| 2026-06-17 | Chrome Releases: Stable Channel Update for Desktop (version 149.0.7827.155) | June 17, 2026 |
| 2026-06-17 | Chrome Releases: Chrome for Android Update (version 149) | June 17, 2026 |
| 2026-06-12 | Chrome Releases: Chrome for Android Update (version 149) | June 12, 2026 |
| 2026-06-11 | Chrome Releases: Stable Channel Update for Desktop (version 149.0.7827.114) | June 11, 2026 |
| 2026-06-10 | Chrome Releases: Chrome Stable for iOS Update (version 149) | June 10, 2026 |
| 2026-06-09 | Chrome Releases: Stable Channel Update for Desktop (version 149.0.7827.102) | June 9, 2026 |
Known Exploited Google Vulnerabilities
The following Google vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Google Chromium V8 Out-of-Bounds Read and Write Vulnerability | Google Chromium V8 contains an out-of-bounds read and write vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2026-11645. Exploit Probability: 0.7% | June 9, 2026 |
| Google Dawn Use-After-Free Vulnerability | Google Dawn contains a use-after-free vulnerability that could allow a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. This vulnerability could affect multiple Chromium-based products including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2026-5281. Exploit Probability: 5.5% | April 1, 2026 |
| Google Chromium V8 Improper Restriction of Operations Within the Bounds of a Memory Buffer Vulnerabi | Google Chromium V8 contains an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2026-3910. Exploit Probability: 2.1% | March 13, 2026 |
| Google Skia Out-of-Bounds Write Vulnerability | Google Skia contains an out-of-bounds write vulnerability that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability affects Google Chrome and ChromeOS, Android, Flutter, and possibly other products. CVE-2026-3909. Exploit Probability: 1.6% | March 13, 2026 |
| Google Chromium CSS Use-After-Free Vulnerability | Google Chromium CSS contains a use-after-free vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2026-2441. Exploit Probability: 22.0% | February 17, 2026 |
| Google Chromium Out of Bounds Memory Access Vulnerability | Google Chromium contains an out of bounds memory access vulnerability in ANGLE that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2025-14174. Exploit Probability: 22.2% | December 12, 2025 |
| Google Chromium V8 Type Confusion Vulnerability | Google Chromium V8 contains a type confusion vulnerability that allows for heap corruption. CVE-2025-13223. Exploit Probability: 4.8% | November 19, 2025 |
| Google Chromium V8 Type Confusion Vulnerability | Google Chromium contains a type confusion vulnerability in the V8 JavaScript and WebAssembly engine. CVE-2025-10585. Exploit Probability: 5.4% | September 23, 2025 |
| Google Chromium ANGLE and GPU Improper Input Validation Vulnerability | Google Chromium contains an improper input validation vulnerability in ANGLE and GPU. This vulnerability could allow a remote attacker to potentially perform a sandbox escape via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2025-6558. Exploit Probability: 9.5% | July 22, 2025 |
| Google Chromium V8 Type Confusion Vulnerability | Google Chromium V8 contains a type confusion vulnerability that could allow a remote attacker to perform arbitrary read/write via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2025-6554. Exploit Probability: 6.6% | July 2, 2025 |
| Google Chromium V8 Out-of-Bounds Read and Write Vulnerability | Google Chromium V8 contains an out-of-bounds read and write vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2025-5419. Exploit Probability: 6.5% | June 5, 2025 |
| Google Chromium Loader Insufficient Policy Enforcement Vulnerability | Google Chromium contains an insufficient policy enforcement vulnerability that allows a remote attacker to leak cross-origin data via a crafted HTML page. CVE-2025-4664. Exploit Probability: 5.1% | May 15, 2025 |
| Google Chromium Mojo Sandbox Escape Vulnerability | Google Chromium Mojo on Windows contains a sandbox escape vulnerability caused by a logic error, which results from an incorrect handle being provided in unspecified circumstances. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2025-2783. Exploit Probability: 8.6% | March 27, 2025 |
| Google Chromium V8 Inappropriate Implementation Vulnerability | Google Chromium V8 contains an inappropriate implementation vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2024-7965. Exploit Probability: 17.2% | August 28, 2024 |
| Google Chromium V8 Type Confusion Vulnerability | Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2024-7971. Exploit Probability: 19.3% | August 26, 2024 |
| Google Chromium V8 Type Confusion Vulnerability | Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to execute code via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2024-5274. Exploit Probability: 10.0% | May 28, 2024 |
| Google Chromium V8 Type Confusion Vulnerability | Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to execute code via a crafted HTML page. CVE-2024-4947. Exploit Probability: 15.1% | May 20, 2024 |
| Google Chromium V8 Out-of-Bounds Memory Write Vulnerability | Google Chromium V8 Engine contains an unspecified out-of-bounds memory write vulnerability via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2024-4761. Exploit Probability: 11.0% | May 16, 2024 |
| Google Chromium Visuals Use-After-Free Vulnerability | Google Chromium Visuals contains a use-after-free vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2024-4671. Exploit Probability: 8.3% | May 13, 2024 |
| Google Chromium V8 Type Confusion Vulnerability | Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to execute code via a crafted HTML page. CVE-2023-4762. Exploit Probability: 38.0% | February 6, 2024 |
8 known exploited Google vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
Top 10 Riskiest Google Vulnerabilities
These Google vulnerabilities are on CISA's Known Exploited Vulnerabilities (KEV) list and are ranked by their current EPSS exploit probability.
| Rank | CVE | EPSS | Vulnerability |
|---|---|---|---|
| 1 | CVE-2023-4863 | 99.7% | Google Chromium Heap-Based Buffer Overflow Vulnerability |
| 2 | CVE-2018-17463 | 83.9% | Google Chromium V8 Remote Code Execution Vulnerability |
| 3 | CVE-2020-6418 | 78.8% | Chromium V8 Type Confusion Vulnerability |
| 4 | CVE-2019-13720 | 73.0% | Google Chrome Use-After-Free Vulnerability |
| 5 | CVE-2021-21220 | 70.4% | Chromium V8 Input Validation Vulnerability |
| 6 | CVE-2021-30551 | 64.7% | Chromium V8 Type Confusion Vulnerability |
| 7 | CVE-2021-30632 | 64.5% | Google Chrome Out-of-bounds write |
| 8 | CVE-2019-5786 | 61.5% | Google Chrome Use-After-Free Vulnerability |
| 9 | CVE-2018-6065 | 58.8% | Google Chromium V8 Integer Overflow Vulnerability |
| 10 | CVE-2021-21224 | 57.7% | Chromium V8 JavaScript Engine Remote Code Execution Vulnerability |
By the Year
In 2026 there have been 1506 vulnerabilities in Google products, with an average score of 7.3 out of ten. Last year, in 2025, Google had 720 security vulnerabilities published. That is, 786 more vulnerabilities have already been reported in 2026 than last year. The average CVE base score of the vulnerabilities in 2026 is also greater, by 0.20.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1506 | 7.33 |
| 2025 | 720 | 7.13 |
| 2024 | 1125 | 7.28 |
| 2023 | 1564 | 6.66 |
| 2022 | 1592 | 6.85 |
| 2021 | 1166 | 7.11 |
| 2020 | 1033 | 6.87 |
| 2019 | 858 | 7.33 |
| 2018 | 570 | 7.43 |
It may take a day or so for new Google vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Google Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-12681 | Jun 24, 2026 | **Idx Validation Flaw in go-attestation 0.6.0 Allows to Inject SHA256 Hashes** Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList() does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended to the trusted SHA256 hash list. A crafted TPM event log could inject arbitrary SHA256 hashes into the verifier's trusted measurement database, enabling a remote attestation verifier to accept a compromised boot state. This issue affects go-attestation: through 0.6.0. | |
| CVE-2026-8934 | Jun 22, 2026 | **Google Cloud App Engine GraphQL API: Missing Auth Leakage** A Missing Authorization vulnerability in a GraphQL private API operation of the Google App Engine section of the Cloud Console allows an unauthenticated remote attacker to leak sensitive App Engine request logs from other projects using a specially crafted request. This vulnerability was patched on 7 April 2026, and no customer action is needed. | |
| CVE-2026-11719 | Jun 18, 2026 | **Auth Bypass in MCP Toolbox for Databases via Old MCP-Protocol-Version** An authenticated authorization bypass vulnerability exists in MCP Toolbox for Databases due to missing scope enforcement across older protocol handlers. While the 2025-11-25 protocol version handler correctly enforces per-tool restrictions defined by scopesRequired, older supported protocol versions (2025-06-18, 2025-03-26, and 2024-11-05) omit this check. An authenticated client with low-privilege tokens (e.g., read) can bypass the intended per-tool scope restrictions and execute high-privilege tools (e.g., admin) simply by specifying an older protocol version in the MCP-Protocol-Version header, or by omitting the header entirely (which causes the server to default to the vulnerable 2024-11-05 handler). | |
| CVE-2026-11718 | Jun 18, 2026 | **Auth Bypass validateOpaqueToken in googleapis/mcp-toolbox** An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), it decodes the response into an introspectResp struct. However, the subsequent claim-checking logic (validateClaims) evaluates the issuer condition as `if a.issuer != "" && iss != ""`. If the external OAuth provider's introspection response omits the optional iss (issuer) field completely, the variable iss defaults to an empty string. This causes the conditional block to evaluate to false and be skipped silently. Consequently, the application accepts tokens issued by unauthorized or unintended third-party identity providers. | |
| CVE-2026-11717 | Jun 18, 2026 | **Google mcp-toolbox Auth Bypass: OAuth2 Introspection Token Missing 'active'** An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox. When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), the toolbox decodes the response into an introspectResp struct where the Active field is declared as a pointer to a boolean (`*bool`). The code only explicitly rejects a token if the response contains a populated active field set to false (`if introspectResp.Active != nil && !*introspectResp.Active`). If an introspection endpoint responds with a payload that completely omits the mandatory active key, the internal variable remains nil, causing the conditional check to short-circuit. As a result, Toolbox accepts authorization tokens missing the "active" field, granting access to protected tools and underlying data sources. | |
| CVE-2026-28573 | Jun 18, 2026 | **Android OS DoS: Missing Permission Check in AndroidManifest.xml** In AndroidManifest.xml, there is a possible persistent denial of service due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | |
| CVE-2026-0063 | Jun 17, 2026 | **Android PhoneInterfaceManager Local Priv Escalation via Carrier Bypass** In setAllowedCarriers of PhoneInterfaceManager.java, there is a possible way to disable carrier restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |
| CVE-2026-28587 | Jun 17, 2026 | **Android MmsSmsProvider.java Local Info Disclosure via Missing Permission** In MmsSmsProvider of MmsSmsProvider.java, there is a possible way to retrieve sensitive information due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |
| CVE-2026-28615 | Jun 17, 2026 | **Android Telecomm Auth Bypass Unauthorized Calls (CVE-2026-28615)** In Telecomm, there is a possible way to initiate an unauthorized phone call due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |
| CVE-2026-0083 | Jun 17, 2026 | **Android NFC UAF in Nfc::eventCallback (CVE-2026-0083)** In Nfc::eventCallback() of Nfc.h, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |
| CVE-2026-0082 | Jun 17, 2026 | **Google Android: NFC Dispatcher Auto-Assign Special Permission LPE** In tryStartActivity of NfcDispatcher.java, there is a possible automatic special app access permission assignment due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |
| CVE-2026-0081 | Jun 17, 2026 | **Android NFC Event Spoofing via Missing Permission Check** In NFC, there is a possible way to spoof an NFC event due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |
| CVE-2026-0071 | Jun 17, 2026 | **Android SettingsLib Local Escalation via Missing Permission Check** In SettingsLib, there is a possible missing permission check due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |
| CVE-2026-28575 | Jun 17, 2026 | **Android PackageInstallerSession Local DoS via Memory Exhaustion** In PackageInstaller.Session#transfer of frameworks/base/services/core/java/com/android/server/pm/PackageInstallerSession.java, there is a possible memory exhaustion attack due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | |
| CVE-2026-0064 | Jun 17, 2026 | **Android Local DoS via Resource Exhaustion** In multiple places, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | |
| CVE-2026-0092 | Jun 17, 2026 | **Android Package Manager Device Lock Bypass LPE (APK)** In Package Manager, there is a possible device lock controller bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |
| CVE-2026-0068 | Jun 17, 2026 | **Local Priv Esc via PackageInstallerService on Android (CVE-2026-0068)** In createSessionInternal of PackageInstallerService.java, there is a possible method to remove a DPC app from a managed device without DO consent due to desync from persistence. This could lead to local escalation of privilege if a user can install a malicious app with no additional execution privileges needed. User interaction is needed for exploitation. | |
| CVE-2026-0057 | Jun 17, 2026 | **Android Contacts Provider Info Disclosure via Missing Permission Check** In Contacts Provider, there is a possible way to access an incoming call's phone number and associated metadata due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |
| CVE-2026-0019 | Jun 17, 2026 | **Android SettingsLib Escalation of Privilege via Component Disabling** In SettingsLib, there is a possible way to disable system components due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |
| CVE-2025-48643 | Jun 17, 2026 | **Android Provisioning Bypass via Improper Input Local Priv Escalation** In multiple locations there is a possible provisioning bypass due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |
| CVE-2025-48640 | Jun 17, 2026 | **Android Passkey Escalation via Missing Permission Check** In multiple locations, there is a possible 3rd party passkey entry pairing approval due to a missing permission check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |
| CVE-2025-48617 | Jun 17, 2026 | **Android CarrierConfigLoader UID Bypass in overrideConfig** In overrideConfig of CarrierConfigLoader.java, there is a possible way to bypass UID check due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |
| CVE-2025-48571 | Jun 17, 2026 | **Android Bluetooth btm_sec.cc logic flaw lets attacker intercept SMS** In multiple functions of btm_sec.cc, there is a possible way for an attacker to intercept SMS messages due to a logic error in the code. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. | |
| CVE-2026-12469 | Jun 17, 2026 | **Chrome Android GPU UU <149.0.7827.155 Data Leak** Uninitialized Use in GPU in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-12468 | Jun 17, 2026 | **Chrome Updater Race Condition on Mac Pre-149.0.7827.155 Allow Sandbox Escape** Race in Updater in Google Chrome on Mac prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-12467 | Jun 17, 2026 | **Google Chrome 149.0.7827.155 Use-After-Free in Extensions Allows Sandbox Escape** Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-12466 | Jun 17, 2026 | **Chrome WebRTC Heap Buffer Overflow Remote Code Execution (pre149.0.7827.155)** Heap buffer overflow in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-12465 | Jun 17, 2026 | **Chrome Metrics OOB before 149.0.7827.155 Remote Sandbox Escape** Object lifecycle issue in Metrics in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-12464 | Jun 17, 2026 | **GA Chrome UA Free <149.0.7827.155 vuln allows sandbox escape** Use after free in Browser in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-12463 | Jun 17, 2026 | **Google Chrome UXSS via Views on Linux pre-149.0.7827.155** Inappropriate implementation in Views in Google Chrome on Linux prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-12462 | Jun 17, 2026 | **Chrome <149.0.7827.155 Use-After-Free in Media component** Use after free in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-12461 | Jun 17, 2026 | **OOB read in WebRTC (Chrome <149.0.7827.155)** Out of bounds read in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-12460 | Jun 17, 2026 | **Google Chrome 149.0.7827.155 FS Access Policy Bypass via PDF** Insufficient policy enforcement in File System Access in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted PDF file. (Chromium security severity: High) | |
| CVE-2026-12459 | Jun 17, 2026 | **Google Chrome <149.0.7827.155 UXSS via Serial API** Inappropriate implementation in Serial in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-12457 | Jun 17, 2026 | **Chrome 149.0.7827.155 - Site Isolation Bypass via Extensions (High Severity)** Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-12458 | Jun 17, 2026 | **Google Chrome <149.0.7827.155: Passwords Leakage via UI Gesture** Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-12456 | Jun 17, 2026 | **Google Chrome <149.0.7827.155: Extensions Bypass SOP via Malicious Extension** Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension. (Chromium security severity: High) | |
| CVE-2026-12455 | Jun 17, 2026 | **Use after free in Chrome Tab Strip before 149.0.7827.155 Exploits Heap Corruption** Use after free in Tab Strip in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-12454 | Jun 17, 2026 | **Race in Safe Browsing in Chrome <149.0.7827.155: sandbox escape** Race in Safe Browsing in Google Chrome on Mac prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-12453 | Jun 17, 2026 | **CVE-2026-12453 Chrome <149.0.7827.155: Insecure Input - Same-Origin Bypass** Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-12452 | Jun 17, 2026 | **Use After Free in Downloads: Chrome<149.0.7827.155 Android** Use after free in Downloads in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-12451 | Jun 17, 2026 | **Use-after-free in Google Chrome DigiCred <149.0.7827.155 (sandbox escape)** Use after free in DigitalCredentials in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-12450 | Jun 17, 2026 | **Chrome Media Memory Disclosure (pre-149.0.7827.155)** Inappropriate implementation in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-12449 | Jun 17, 2026 | **UA Free in Chromoting (Chrome <149.0.7827.155) PrivEsc via File** Use after free in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High) | |
| CVE-2026-12448 | Jun 17, 2026 | **Chrome Android WebView PrivEsc via crafted HTML (before 149.0.7827.155)** Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-12447 | Jun 17, 2026 | **Heap Buffer Overflow WebRTC in Chrome <149.0.7827.155** Heap buffer overflow in WebRTC in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-12446 | Jun 17, 2026 | **Remote Cross-Origin Data Leak via Passwords in Google Chrome <149.0.7827.155** Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-12445 | Jun 17, 2026 | **Chrome Use-After-Free via Malicious Extension (pre-149.0.7827.155)** Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High) | |
| CVE-2026-12444 | Jun 17, 2026 | **Chrome <149.0.7827.155: OOB Read in Chromoting allows local info leak** Out of bounds read in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: High) | |
| CVE-2026-12443 | Jun 17, 2026 | **UA-FREE in Chrome WebAuthn (pre-149.0.7827.155)** Use after free in Web Authentication in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | |