Google Software and search
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Google product.
RSS Feeds for Google security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Google products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Google Sorted by Most Security Vulnerabilities since 2018
Recent Google Security Advisories
| Advisory | Title | Published |
|---|---|---|
| 2026-03-06 | Chrome Releases: Chrome for Android Update (version 146) | March 6, 2026 |
| 2026-03-05 | Chrome Releases: February 2026 | March 5, 2026 |
| 2026-03-05 | Chrome Releases: March 2026 | March 5, 2026 |
| 2026-03-04 | Chrome Releases: Chrome Stable for iOS Update (version 146) | March 4, 2026 |
| 2026-03-04 | Chrome Releases: Chrome for Android Update (version 145) | March 4, 2026 |
| 2026-03-03 | Chrome Releases: Stable Channel Update for Desktop (version 145.0.7632.159) | March 3, 2026 |
| 2026-02-26 | Chrome Releases: Chrome for Android Update (version 146) | February 26, 2026 |
| 2026-02-26 | Chrome Releases: Chrome Stable for iOS Update (version 146) | February 26, 2026 |
| 2026-02-24 | Chrome Releases: Chrome for Android Update (version 145) | February 24, 2026 |
| 2026-02-23 | Chrome Releases: Stable Channel Update for Desktop (version 145.0.7632.116) | February 23, 2026 |
Known Exploited Google Vulnerabilities
The following Google vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Google Chromium CSS Use-After-Free Vulnerability |
Google Chromium CSS contains a use-after-free vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2026-2441 Exploit Probability: 0.1% |
February 17, 2026 |
| Google Chromium Out of Bounds Memory Access Vulnerability |
Google Chromium contains an out of bounds memory access vulnerability in ANGLE that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2025-14174 Exploit Probability: 0.8% |
December 12, 2025 |
| Google Chromium V8 Type Confusion Vulnerability |
Google Chromium V8 contains a type confusion vulnerability that allows for heap corruption. CVE-2025-13223 Exploit Probability: 2.1% |
November 19, 2025 |
| Google Chromium V8 Type Confusion Vulnerability |
Google Chromium contains a type confusion vulnerability in the V8 JavaScript and WebAssembly engine. CVE-2025-10585 Exploit Probability: 0.7% |
September 23, 2025 |
| Google Chromium ANGLE and GPU Improper Input Validation Vulnerability |
Google Chromium contains an improper input validation vulnerability in ANGLE and GPU. This vulnerability could allow a remote attacker to potentially perform a sandbox escape via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2025-6558 Exploit Probability: 0.2% |
July 22, 2025 |
| Google Chromium V8 Type Confusion Vulnerability |
Google Chromium V8 contains a type confusion vulnerability that could allow a remote attacker to perform arbitrary read/write via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2025-6554 Exploit Probability: 0.5% |
July 2, 2025 |
| Google Chromium V8 Out-of-Bounds Read and Write Vulnerability |
Google Chromium V8 contains an out-of-bounds read and write vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2025-5419 Exploit Probability: 2.6% |
June 5, 2025 |
| Google Chromium Loader Insufficient Policy Enforcement Vulnerability |
Google Chromium contains an insufficient policy enforcement vulnerability that allows a remote attacker to leak cross-origin data via a crafted HTML page. CVE-2025-4664 Exploit Probability: 0.0% |
May 15, 2025 |
| Google Chromium Mojo Sandbox Escape Vulnerability |
Google Chromium Mojo on Windows contains a sandbox escape vulnerability caused by a logic error, which results from an incorrect handle being provided in unspecified circumstances. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2025-2783 Exploit Probability: 40.9% |
March 27, 2025 |
| Google Chromium V8 Inappropriate Implementation Vulnerability |
Google Chromium V8 contains an inappropriate implementation vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2024-7965 Exploit Probability: 27.1% |
August 28, 2024 |
| Google Chromium V8 Type Confusion Vulnerability |
Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2024-7971 Exploit Probability: 1.5% |
August 26, 2024 |
| Google Chromium V8 Type Confusion Vulnerability |
Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to execute code via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2024-5274 Exploit Probability: 3.6% |
May 28, 2024 |
| Google Chromium V8 Type Confusion Vulnerability |
Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to execute code via a crafted HTML page. CVE-2024-4947 Exploit Probability: 0.4% |
May 20, 2024 |
| Google Chromium V8 Out-of-Bounds Memory Write Vulnerability |
Google Chromium V8 Engine contains an unspecified out-of-bounds memory write vulnerability via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2024-4761 Exploit Probability: 5.6% |
May 16, 2024 |
| Google Chromium Visuals Use-After-Free Vulnerability |
Google Chromium Visuals contains a use-after-free vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. CVE-2024-4671 Exploit Probability: 0.5% |
May 13, 2024 |
| Google Chromium V8 Type Confusion Vulnerability |
Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to execute code via a crafted HTML page. CVE-2023-4762 Exploit Probability: 54.8% |
February 6, 2024 |
| Google Chromium V8 Out-of-Bounds Memory Access Vulnerability |
Google Chromium V8 contains an out-of-bounds memory access vulnerability. Specific impacts from exploitation are not available at this time. CVE-2024-0519 Exploit Probability: 0.4% |
January 17, 2024 |
| Google Skia Integer Overflow Vulnerability |
Google Skia contains an integer overflow vulnerability affecting Google Chrome and ChromeOS, Android, Flutter, and possibly other products. CVE-2023-6345 Exploit Probability: 0.6% |
November 30, 2023 |
| Google Chrome libvpx Heap Buffer Overflow Vulnerability |
Google Chrome libvpx contains a heap buffer overflow vulnerability in vp8 encoding that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2023-5217 Exploit Probability: 3.5% |
October 2, 2023 |
| Google Chromium Heap-Based Buffer Overflow Vulnerability |
Google Chromium contains a heap-based buffer overflow vulnerability in WebP that allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page. CVE-2023-4863 Exploit Probability: 94.1% |
September 13, 2023 |
The vulnerability CVE-2023-4863: Google Chromium Heap-Based Buffer Overflow Vulnerability is in the top 1% of the currently known exploitable vulnerabilities. 3 known exploited Google vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
Top 10 Riskiest Google Vulnerabilities
Based on the current exploit probability, these Google vulnerabilities are on CISA's Known Exploited vulnerabilities list (KEV) and are ranked by the current EPSS exploit probability.
| Rank | CVE | EPSS | Vulnerability |
|---|---|---|---|
| 1 | CVE-2023-4863 | 94.1% | Google Chromium Heap-Based Buffer Overflow Vulnerability |
| 2 | CVE-2020-15999 | 92.9% | Google Chrome FreeType Memory Corruption |
| 3 | CVE-2021-21220 | 92.6% | Chromium V8 Input Validation Vulnerability |
| 4 | CVE-2018-17463 | 92.2% | Google Chromium V8 Remote Code Execution Vulnerability |
| 5 | CVE-2019-5786 | 89.5% | Google Chrome Use-After-Free Vulnerability |
| 6 | CVE-2018-6065 | 88.8% | Google Chromium V8 Integer Overflow Vulnerability |
| 7 | CVE-2019-13720 | 88.2% | Google Chrome Use-After-Free Vulnerability |
| 8 | CVE-2020-6418 | 85.9% | Chromium V8 Type Confusion Vulnerability |
| 9 | CVE-2021-30632 | 84.9% | Google Chrome Out-of-bounds write |
| 10 | CVE-2020-16009 | 84.4% | Chromium V8 Implementation Vulnerability |
By the Year
In 2026 there have been 114 vulnerabilities in Google with an average score of 7.9 out of ten. Last year, in 2025 Google had 679 security vulnerabilities published. Right now, Google is on track to have less security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.80.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 114 | 7.93 |
| 2025 | 679 | 7.12 |
| 2024 | 1106 | 7.28 |
| 2023 | 1537 | 6.65 |
| 2022 | 1579 | 6.84 |
| 2021 | 1135 | 7.09 |
| 2020 | 1016 | 6.85 |
| 2019 | 828 | 7.33 |
| 2018 | 557 | 7.43 |
It may take a day or so for new Google vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Google Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-3545 | Mar 04, 2026 |
Chrome 145 Sandbox Escape via Navigation Insufficient Data ValidationInsufficient data validation in Navigation in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) |
Chrome
|
| CVE-2026-3544 | Mar 04, 2026 |
CVE-2026-3544: Chrome 145.0.7632.159 WebCodecs Heap OverflowHeap buffer overflow in WebCodecs in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) |
Chrome
|
| CVE-2026-3543 | Mar 04, 2026 |
V8 OOB memory access in Google Chrome <145.0.7632.159Inappropriate implementation in V8 in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) |
Chrome
|
| CVE-2026-3542 | Mar 04, 2026 |
Google Chrome OOB Memory Access via WebAssembly (Pre-145.0.7632.159)Inappropriate implementation in WebAssembly in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) |
Chrome
|
| CVE-2026-3541 | Mar 04, 2026 |
Google Chrome <=145: CSS OOB Memory Read via Crafted HTMLInappropriate implementation in CSS in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High) |
Chrome
|
| CVE-2026-3540 | Mar 04, 2026 |
Chrome WebAudio OOB Access <145.0.7632.159Inappropriate implementation in WebAudio in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) |
Chrome
|
| CVE-2026-3538 | Mar 04, 2026 |
Chrome <145.0.7632.159 Skia Integer Overflow OOB Memory AccessInteger overflow in Skia in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical) |
Chrome
|
| CVE-2026-3537 | Mar 04, 2026 |
Chrome Android <145.0.7632.159 Remote Heap Corruption via PowerVRObject lifecycle issue in PowerVR in Google Chrome on Android prior to 145.0.7632.159 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) |
Chrome
|
| CVE-2026-3539 | Mar 04, 2026 |
Chrome DevTools Obj Lifecycle Heap Corrupt (v<145.0.7632.159)Object lifecycle issue in DevTools in Google Chrome prior to 145.0.7632.159 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High) |
Chrome
|
| CVE-2026-3536 | Mar 04, 2026 |
ANGLE Integer Overflow in Chrome <145.0.7632.159Integer overflow in ANGLE in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical) |
Chrome
|
| CVE-2026-3136 | Mar 03, 2026 |
Improper Auth: GitHub Trigger in Google Cloud BuildAn improper authorization vulnerability in GitHub Trigger Comment Control in Google Cloud Build prior to 2026-1-26 allows a remote attacker to execute arbitrary code in the build environment. This vulnerability was patched on 26 January 2026, and no customer action is needed. |
|
| CVE-2025-48636 | Mar 02, 2026 |
Android BugreportContentProvider Path Traversal PrivEscIn openFile of BugreportContentProvider.java, there is a possible way to read and write unauthorized files due to a path traversal error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2024-31328 | Mar 02, 2026 |
Android BroadcastController arbitrary activity launch flaw (CVE-2024-31328)In broadcastIntentLockedTraced of BroadcastController.java, there is a possible way to launch arbitrary activities from the background on the paired companion phone due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0047 | Mar 02, 2026 |
Android ActivityManagerService Local PrivEsc via Missing Permission CheckIn dumpBitmapsProto of ActivityManagerService.java, there is a possible way for an app to access private information due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0038 | Mar 02, 2026 |
Local Priv Escalation via mem_protect.c Logic Error in AndroidIn multiple functions of mem_protect.c, there is a possible way to execute arbitrary code due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0037 | Mar 02, 2026 |
Android FFA.c Buffer Overflow Enables Local Priv EscalationIn multiple functions of ffa.c, there is a possible memory corruption due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0035 | Mar 02, 2026 |
Android MediaProvider LPE via File Access Logic ErrorIn createRequest of MediaProvider.java, there is a possible way for an app to gain read/write access to non-existing files due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0034 | Mar 02, 2026 |
Android Notification Policy Desync via setPackageOrComponentEnabledIn setPackageOrComponentEnabled of ManagedServices.java, there is a possible notification policy desync due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0032 | Mar 02, 2026 |
Android MemProtect OOB Write Leads to Local Priv EscalationIn multiple functions of mem_protect.c, there is a possible out-of-bounds write due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0031 | Mar 02, 2026 |
Android kernel mem_protect.c OOB write int overflow local privilege escalationIn multiple functions of mem_protect.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0030 | Mar 02, 2026 |
Android Mem Protect OOB Write in __host_check_page_state_rangeIn __host_check_page_state_range of mem_protect.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0029 | Mar 02, 2026 |
Android pkvm Init Memory Corruption: Local Priv EscIn __pkvm_init_vm of pkvm.c, there is a possible memory corruption due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0028 | Mar 02, 2026 |
Android Kernel OOB Write via __pkvm_host_share_guest Int OverflowIn __pkvm_host_share_guest of mem_protect.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0027 | Mar 02, 2026 |
ARM SMMU V3 smmu_detach_dev UAF OOB write -> local privilege escalationIn smmu_detach_dev of arm-smmu-v3.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0026 | Mar 02, 2026 |
Android PermissionManagerServiceImpl Logic Error Enables Local Priv EscalationIn removePermission of PermissionManagerServiceImpl.java, there is a possible way to override any system permission due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. |
Android
|
| CVE-2026-0025 | Mar 02, 2026 |
Android OS Permission Bypass in Notification.hasImage Local Priv EscalationIn hasImage of Notification.java, there is a possible way to reveal information across users due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0024 | Mar 02, 2026 |
Android MediaProvider 'isRedactionNeededForOpenViaContentResolver' Info DisclosureIn isRedactionNeededForOpenViaContentResolver of MediaProvider.java, there is a possible way to reveal the location of media due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0023 | Mar 02, 2026 |
Android PackageInstallerService Priv Escalation via Permission BypassIn createSessionInternal of PackageInstallerService.java, there is a possible way for an app to update its ownership due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0021 | Mar 02, 2026 |
Android AppInfoBase cross-user permission bypass (CVE20260021)In hasInteractAcrossUsersFullPermission of AppInfoBase.java, there is a possible cross-user permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0020 | Mar 02, 2026 |
Android LPE via Permission Bypass in ParsedPermissionUtilsIn parsePermissionGroup of ParsedPermissionUtils.java, there is a possible way to bypass a consent dialog to obtain permissions due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0017 | Mar 02, 2026 |
Android BiometricService Logic Error Enables Local PrivEscIn onChange of BiometricService.java, there is a possible way to enable fingerprint unlock due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0015 | Mar 02, 2026 |
Android AppOpsService Persistent DoS via Input ValidationIn multiple locations of AppOpsService.java, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0014 | Mar 02, 2026 |
Android AppOpsService DoS via isPackageNullOrSystemIn isPackageNullOrSystem of AppOpsService.java, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0013 | Mar 02, 2026 |
Android DocsUI Confused Deputy PrivEsc via PickActivityIn setupLayout of PickActivity.java, there is a possible way to start any activity as a DocumentsUI app due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0012 | Mar 02, 2026 |
Android OS CVE-2026-0012: Contact Name Leak via ExpandableNotificationRowIn setHideSensitive of ExpandableNotificationRow.java, there is a possible contact name leak due due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0011 | Mar 02, 2026 |
Android Settings.java Logic Flaw Denies Location & Enables Local Priv EscalationIn enableSystemPackageLPw of Settings.java, there is a possible way to prevent location access from working due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0010 | Mar 02, 2026 |
Android IDrmManagerService OOB Write Local Priv EscalationIn onTransact of IDrmManagerService.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0008 | Mar 02, 2026 |
Android Privilege Escalation via Confused Deputy - CVE-2026-0008In multiple locations, there is a possible privilege escalation due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0007 | Mar 02, 2026 |
Android WindowInfo.cpp Tapjacking Escalation to Local PrivilegeIn writeToParcel of WindowInfo.cpp, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0006 | Mar 02, 2026 |
Android OS: Heap Buffer Overflow RCEIn multiple locations, there is a possible out of bounds read and write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2026-0005 | Mar 02, 2026 |
Android KeyguardServiceDelegate missing permission check: app pinning bypassIn onServiceDisconnected of KeyguardServiceDelegate.java, there is a possible partial bypass of app pinning allowing limited interaction with other apps without knowing the LSKF due to a missing permission check. This could lead to local information disclosure where the extent of interaction and impact is app-dependent with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2025-48654 | Mar 02, 2026 |
Android CompDeviceMgrService Confused Deputy Local Priv EscalationIn onStart of CompanionDeviceManagerService.java, there is a possible confused deputy due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2025-48653 | Mar 02, 2026 |
Android WebView LPE: Obscured Permission via loadDataAndPostValueIn loadDataAndPostValue of multiple files, there is a possible way to obscure permission usage due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2025-48650 | Mar 02, 2026 |
Android OS SQLi -> Local Priv EscalationIn multiple locations, there is a possible information disclosure due to SQL injection. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2025-48646 | Mar 02, 2026 |
Android ActivityStarter Confused Deputy LPE (user interaction required)In executeRequest of ActivityStarter.java, there is a possible launch anywhere due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. |
Android
|
| CVE-2025-48645 | Mar 02, 2026 |
Android DeviceAdminInfo LPE via persistent packageIn loadDescription of DeviceAdminInfo.java, there is a possible persistent package due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2025-48644 | Mar 02, 2026 |
Android Local DoS via Improper Input ValidationIn multiple locations, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2025-48642 | Mar 02, 2026 |
Android OS: Local info disclosure via jump_to_payload logic errorIn jump_to_payload of payload.rs, there is a possible information disclosure due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2025-48641 | Mar 02, 2026 |
Android NFC Use-After-Free in Nfc.h Enables Local Priv EscIn multiple functions of Nfc.h, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|
| CVE-2025-48635 | Mar 02, 2026 |
Android TaskFragmentOrganizerController TOKEN leak: local privilege escalationIn multiple functions of TaskFragmentOrganizerController.java, there is a possible activity token leak due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Android
|