Google Google Software and search

  1. Vendors
  2. Google

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Google product.

RSS Feeds for Google security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Google products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Google Sorted by Most Security Vulnerabilities since 2018

Google Android6109 vulnerabilities
Mobile operating system

Google Chrome4098 vulnerabilities
Web browser

Google Tensorflow432 vulnerabilities
Open source machine learning / AI library

Google ChromeOS51 vulnerabilities

Google Asylo16 vulnerabilities

Google Protobuf8 vulnerabilities

Google Gvisor7 vulnerabilities

Google Fuchsia5 vulnerabilities

Google Gerrit5 vulnerabilities

Google Protobuf Java5 vulnerabilities

Google Protobuf Javalite4 vulnerabilities

Google Protobuf Kotlin3 vulnerabilities

Google Web Toolkit3 vulnerabilities

Google Web Stories3 vulnerabilities

Google Web Designer3 vulnerabilities

Google Chromecast Firmware2 vulnerabilities

Google Firebase Php Jwt2 vulnerabilities

Google Nearby2 vulnerabilities

Google Protobuf Kotlin Lite2 vulnerabilities

Google Protobuf Python2 vulnerabilities

Google Updater2 vulnerabilities

Google Androidx Car App1 vulnerability

Google Application Integration1 vulnerability

Google Application Load Balancer1 vulnerability

Google Bazel For Android Studio1 vulnerability

Google Bazel For Clion1 vulnerability

Google Bazel For Intellij1 vulnerability

Google Car1 vulnerability

Google Cloud Looker1 vulnerability

Google Custom Search Engine1 vulnerability

Google Firebase Command Line Interface1 vulnerability

Google Firebase Javascript Sdk1 vulnerability

Google Secops Soar1 vulnerability

Google Looker1 vulnerability

Google Migrate To Containers1 vulnerability

Google Nftables1 vulnerability

Google Osv Scalibr1 vulnerability

Google Pixel1 vulnerability

Google Pixel Watch Firmware1 vulnerability

Google Reverb1 vulnerability

Google Safearchive1 vulnerability

Google Tensorflow Serving1 vulnerability

Google Tink C1 vulnerability

Google Tink Java1 vulnerability

Google Vertex Ai1 vulnerability

Google Vertex Gemini Api1 vulnerability

Recent Google Security Advisories

Advisory Title Published
2026-05-12 Chrome Releases: Chrome Stable for iOS Update (version 148) May 12, 2026
2026-05-12 Chrome Releases: Stable Channel Update for Desktop (version 148.0.7778.167) May 12, 2026
2026-05-12 Chrome Releases: Chrome for Android Update (version 148) May 12, 2026
2026-05-07 Chrome Releases: Stable Channel Update for ChromeOS / ChromeOS Flex May 7, 2026
2026-05-05 Chrome Releases: May 2026 May 5, 2026
2026-05-05 Chrome Releases: Chrome for Android Update (version 148) May 5, 2026
2026-05-05 Chrome Releases: Stable Channel Update for Desktop (version 148) May 5, 2026
2026-05-01 Android Security Bulletin—May 2026 May 1, 2026
2026-04-29 Chrome Releases: Chrome Stable for iOS Update (version 148) April 29, 2026
2026-04-29 Chrome Releases: Chrome for Android Update (version 147) April 29, 2026

Known Exploited Google Vulnerabilities

The following Google vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
Google Dawn Use-After-Free Vulnerability Google Dawn contains an use-after-free vulnerability that could allow a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. This vulnerability could affect multiple Chromium-based products including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
CVE-2026-5281 Exploit Probability: 3.3% 		April 1, 2026
Google Chromium V8 Improper Restriction of Operations Within the Bounds of a Memory Buffer Vulnerabi Google Chromium V8 contains an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
CVE-2026-3910 Exploit Probability: 0.7% 		March 13, 2026
Google Skia Out-of-Bounds Write Vulnerability Google Skia contains an out-of-bounds write vulnerability that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability affects Google Chrome and ChromeOS, Android, Flutter, and possibly other products.
CVE-2026-3909 Exploit Probability: 0.3% 		March 13, 2026
Google Chromium CSS Use-After-Free Vulnerability Google Chromium CSS contains a use-after-free vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
CVE-2026-2441 Exploit Probability: 0.4% 		February 17, 2026
Google Chromium Out of Bounds Memory Access Vulnerability Google Chromium contains an out of bounds memory access vulnerability in ANGLE that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
CVE-2025-14174 Exploit Probability: 0.4% 		December 12, 2025
Google Chromium V8 Type Confusion Vulnerability Google Chromium V8 contains a type confusion vulnerability that allows for heap corruption.
CVE-2025-13223 Exploit Probability: 2.8% 		November 19, 2025
Google Chromium V8 Type Confusion Vulnerability Google Chromium contains a type confusion vulnerability in the V8 JavaScript and WebAssembly engine.
CVE-2025-10585 Exploit Probability: 0.7% 		September 23, 2025
Google Chromium ANGLE and GPU Improper Input Validation Vulnerability Google Chromium contains an improper input validation vulnerability in ANGLE and GPU. This vulnerability could allow a remote attacker to potentially perform a sandbox escape via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
CVE-2025-6558 Exploit Probability: 0.2% 		July 22, 2025
Google Chromium V8 Type Confusion Vulnerability Google Chromium V8 contains a type confusion vulnerability that could allow a remote attacker to perform arbitrary read/write via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
CVE-2025-6554 Exploit Probability: 1.6% 		July 2, 2025
Google Chromium V8 Out-of-Bounds Read and Write Vulnerability Google Chromium V8 contains an out-of-bounds read and write vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
CVE-2025-5419 Exploit Probability: 3.5% 		June 5, 2025
Google Chromium Loader Insufficient Policy Enforcement Vulnerability Google Chromium contains an insufficient policy enforcement vulnerability that allows a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2025-4664 Exploit Probability: 0.1% 		May 15, 2025
Google Chromium Mojo Sandbox Escape Vulnerability Google Chromium Mojo on Windows contains a sandbox escape vulnerability caused by a logic error, which results from an incorrect handle being provided in unspecified circumstances. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
CVE-2025-2783 Exploit Probability: 47.5% 		March 27, 2025
Google Chromium V8 Inappropriate Implementation Vulnerability Google Chromium V8 contains an inappropriate implementation vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
CVE-2024-7965 Exploit Probability: 23.8% 		August 28, 2024
Google Chromium V8 Type Confusion Vulnerability Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
CVE-2024-7971 Exploit Probability: 1.0% 		August 26, 2024
Google Chromium V8 Type Confusion Vulnerability Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to execute code via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
CVE-2024-5274 Exploit Probability: 5.0% 		May 28, 2024
Google Chromium V8 Type Confusion Vulnerability Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to execute code via a crafted HTML page.
CVE-2024-4947 Exploit Probability: 0.3% 		May 20, 2024
Google Chromium V8 Out-of-Bounds Memory Write Vulnerability Google Chromium V8 Engine contains an unspecified out-of-bounds memory write vulnerability via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
CVE-2024-4761 Exploit Probability: 3.1% 		May 16, 2024
Google Chromium Visuals Use-After-Free Vulnerability Google Chromium Visuals contains a use-after-free vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
CVE-2024-4671 Exploit Probability: 0.2% 		May 13, 2024
Google Chromium V8 Type Confusion Vulnerability Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to execute code via a crafted HTML page.
CVE-2023-4762 Exploit Probability: 55.8% 		February 6, 2024
Google Chromium V8 Out-of-Bounds Memory Access Vulnerability Google Chromium V8 contains an out-of-bounds memory access vulnerability. Specific impacts from exploitation are not available at this time.
CVE-2024-0519 Exploit Probability: 0.4% 		January 17, 2024

3 known exploited Google vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.

Top 10 Riskiest Google Vulnerabilities

Based on the current exploit probability, these Google vulnerabilities are on CISA's Known Exploited vulnerabilities list (KEV) and are ranked by the current EPSS exploit probability.

Rank CVE EPSS Vulnerability
1 CVE-2023-4863 94.1% Google Chromium Heap-Based Buffer Overflow Vulnerability
2 CVE-2020-15999 92.9% Google Chrome FreeType Memory Corruption
3 CVE-2021-21220 92.6% Chromium V8 Input Validation Vulnerability
4 CVE-2018-17463 92.2% Google Chromium V8 Remote Code Execution Vulnerability
5 CVE-2019-13720 89.6% Google Chrome Use-After-Free Vulnerability
6 CVE-2018-6065 89.6% Google Chromium V8 Integer Overflow Vulnerability
7 CVE-2019-5786 89.4% Google Chrome Use-After-Free Vulnerability
8 CVE-2020-6418 86.4% Chromium V8 Type Confusion Vulnerability
9 CVE-2021-30632 84.5% Google Chrome Out-of-bounds write
10 CVE-2020-16009 84.4% Chromium V8 Implementation Vulnerability

By the Year

In 2026 there have been 525 vulnerabilities in Google with an average score of 7.4 out of ten. Last year, in 2025 Google had 716 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Google in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.24.




Year Vulnerabilities Average Score
2026 525 7.38
2025 716 7.14
2024 1125 7.28
2023 1564 6.66
2022 1592 6.85
2021 1166 7.11
2020 1033 6.87
2019 858 7.33
2018 570 7.43

It may take a day or so for new Google vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Google Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-2725 May 13, 2026
Gerrit 2.12+ auth bypass via 'submitted' allows force push to restricted branches Incorrect authorization in the "submitted together" feature in Gerrit versions 2.12 and later allows an authenticated attacker with force push permissions on a secondary branch to bypass code review and forcefully submit code to restricted branches via a crafted submission matching the "topic" tag of an unapproved change.
Gerrit
CVE-2026-7428 May 12, 2026
Insecure Default Password via Terraform/REST API in GCP AlloyDB for PostgreSQL Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password which could have been exploited by a remote attacker to gain full administrative access to the database. Exploitation required network access to the AlloyDB cluster and was limited to Terraform or the REST API, as other clients blocked it.
CVE-2026-8022 May 06, 2026
MHTML Data Leak in Google Chrome <=148.0.7778.96 Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted MHTML page. (Chromium security severity: Low)
Chrome
CVE-2026-8021 May 06, 2026
Chrome UXSS via UI Script Injection, vulnerable before 148.0.7778.96 Script injection in UI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)
Chrome
CVE-2026-8020 May 06, 2026
Google Chrome Android <148.0.7778.96 GPU Uninitialized Use Data Leak Uninitialized Use in GPU in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)
Chrome
CVE-2026-8019 May 06, 2026
Chrome UI Spoofing via Crafted HTML <148.0.7778.96 Insufficient policy enforcement in WebApp in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Chrome
CVE-2026-8018 May 06, 2026
Chrome <148.0.7778.96: DevTools Policy Escalation Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to potentially perform a sandbox escape via malicious network traffic. (Chromium security severity: Low)
Chrome
CVE-2026-8017 May 06, 2026
Chrome Media SideChannel Leak (<148.0.7778.96) Allows CORS Data Exfiltration Side-channel information leakage in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Chrome
CVE-2026-8016 May 06, 2026
Use-After-Free in WebRTC (Chrome <148.0.7778.96) via crafted HTML Use after free in WebRTC in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)
Chrome
CVE-2026-8015 May 06, 2026
Chrome <148.0.7778.96 Media UI Spoofing Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Chrome
CVE-2026-8014 May 06, 2026
Leak Cross-Origin Data via Preload in Google Chrome <148.0.7778.96 Inappropriate implementation in Preload in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Chrome
CVE-2026-8013 May 06, 2026
Chrome FedCM Cross-Origin Data Leak <148.0.7778.96 Insufficient validation of untrusted input in FedCM in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Chrome
CVE-2026-8012 May 06, 2026
UXSS via crafted MHTML in Google Chrome < 148.0.7778.96 Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)
Chrome
CVE-2026-8011 May 06, 2026
Chrome Search before 148.0.7778.96 Allows XRD Leak via Crafted Page Insufficient policy enforcement in Search in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Chrome
CVE-2026-8010 May 06, 2026
Chrome SiteIsolation Bypass via Untrusted Input (pre 148.0.7778.96) Insufficient validation of untrusted input in SiteIsolation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Low)
Chrome
CVE-2026-8009 May 06, 2026
Chrome Cast Impl. Nav Bypass 148.0.7778.96 Inappropriate implementation in Cast in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
Chrome
CVE-2026-8008 May 06, 2026
Chrome UI Spoofing via Malicious Extension in DevTools 148.0.7778.96 Inappropriate implementation in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)
Chrome
CVE-2026-8007 May 06, 2026
Chrome Cast Input Validation Flaw <148.0.7778.96 RCE via HTML Insufficient validation of untrusted input in Cast in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
Chrome
CVE-2026-8006 May 06, 2026
DevTools policy flaw Chrome <148.0.7778.96 UI spoofing via malicious extension Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)
Chrome
CVE-2026-8005 May 06, 2026
Insufficient validation of Cast (Chrome <148.0.7778.96) bypasses SOP Insufficient validation of untrusted input in Cast in Google Chrome prior to 148.0.7778.96 allowed an attacker on the local network segment to bypass same origin policy via malicious network traffic. (Chromium security severity: Low)
Chrome
CVE-2026-8004 May 06, 2026
Chrome DevTools Policy Flaw: CrossOrigin Leak <148.0.7778.96 Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Low)
Chrome
CVE-2026-8003 May 06, 2026
Insufficient validation in Chrome TabGroups UI spoofing (pre-148.0.7778.96) Insufficient validation of untrusted input in TabGroups in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via malicious network traffic. (Chromium security severity: Low)
Chrome
CVE-2026-8002 May 06, 2026
Use-After-Free in Chrome Audio (Mac <148.0.7778.96) Use after free in Audio in Google Chrome on Mac prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)
Chrome
CVE-2026-8001 May 06, 2026
UA-Free in Chrome Printing (148.0.7778.96) Remote Sandbox Escape Use After Free in Printing in Google Chrome on Linux, Mac, ChromeOS prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
Chrome
CVE-2026-8000 May 06, 2026
ChromeDriver Untrusted Input CVE-2026-8000 (pre148.0.7778.96) Insufficient validation of untrusted input in ChromeDriver in Google Chrome on Windows prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)
Chrome
CVE-2026-7999 May 06, 2026
Chrome V8 Memory Leak via Crafted HTML (pre-148) Inappropriate implementation in V8 in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)
Chrome
CVE-2026-7996 May 06, 2026
Chrome <148 SSL Input Validation Flaw Enables UI Spoofing Insufficient validation of untrusted input in SSL in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Chrome
CVE-2026-7997 May 06, 2026
Chrome 148.0.7778.96 Updater: Local PrivEsc via Untrusted Input (Mac) Insufficient validation of untrusted input in Updater in Google Chrome on Mac prior to 148.0.7778.96 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Low)
Chrome
CVE-2026-7998 May 06, 2026
Chrome <148.0.7778.96 - UI Spoofing via Dialog (Insufficient Validation) Insufficient validation of untrusted input in Dialog in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Chrome
CVE-2026-7995 May 06, 2026
OOB read in AdFilter Remote code exec in Chrome <148.0.7778.96 Out of bounds read in AdFilter in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Chrome
CVE-2026-7994 May 06, 2026
Google Chrome Windows Chromoting PrivEsc Before 148.0.7778.96 Inappropriate implementation in Chromoting in Google Chrome on Windows prior to 148.0.7778.96 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Medium)
Chrome
CVE-2026-7993 May 06, 2026
Google Chrome Android Omnibox Spoof via Untrusted Input (pre-148.0.7778.96) Insufficient validation of untrusted input in Payments in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)
Chrome
CVE-2026-7992 May 06, 2026
Google Chrome UI Gesture Validation Flaw (Before 148.0.7778.96) Insufficient validation of untrusted input in UI in Google Chrome on Linux, ChromeOS prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium)
Chrome
CVE-2026-7991 May 06, 2026
Use-after-free in Chrome UI before 148.0.7778.96 Use after free in UI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Chrome
CVE-2026-7990 May 06, 2026
Google Chrome Windows PrivEsc via Updater untrusted input (<=148.0.7778.96) Insufficient validation of untrusted input in Updater in Google Chrome on Windows prior to 148.0.7778.96 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Medium)
Chrome
CVE-2026-7989 May 06, 2026
Chrome DataTransfer Arbitrary Read/Write CVE-2026-7989 (Pre 148.0.7778.96) Insufficient data validation in DataTransfer in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Medium)
Chrome
CVE-2026-7988 May 06, 2026
CVE-2026-7988: WebRTC Type Confusion <148.0.7778.96 Allows RCE in sandbox Chrome Type Confusion in WebRTC in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Chrome
CVE-2026-7987 May 06, 2026
Use-after-free in WebRTC on Google Chrome <148.0.7778.96 Use after free in WebRTC in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Chrome
CVE-2026-7986 May 06, 2026
Google Chrome <=148.0.7778.96 Autofill Policy Bypass Leak Insufficient policy enforcement in Autofill in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Chrome
CVE-2026-7985 May 06, 2026
GPU use-after-free prior to Chrome 148.0.7778.96 Use after free in GPU in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Chrome
CVE-2026-7984 May 06, 2026
UA-Free in Chrome ReadingMode <148.0.7778.96 Exposes Sandbox Code Use after free in ReadingMode in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Chrome
CVE-2026-7983 May 06, 2026
OOB read in Dawn (Chrome <148.0.7778.96) leaking crossorigin data Out of bounds read in Dawn in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Chrome
CVE-2026-7982 May 06, 2026
Uninitialized Use in WebCodecs (Chrome <148.0.7778.96) Uninitialized Use in WebCodecs in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Chrome
CVE-2026-7981 May 06, 2026
Google Chrome OOB Read in Codecs Before 148.0.7778.96 Out of bounds read in Codecs in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: Medium)
Chrome
CVE-2026-7979 May 06, 2026
Chrome Media XSS (148<148.0.7778.96) via crafted HTML Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Chrome
CVE-2026-7980 May 06, 2026
Use after free in WebAudio in Chrome before 148.0.7778.96 Use after free in WebAudio in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Chrome
CVE-2026-7976 May 06, 2026
UAF in Chrome Views before 148.0.7778.96 via malicious extension Use after free in Views in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Medium)
Chrome
CVE-2026-7977 May 06, 2026
Google Chrome <148.0.7778.96: Canvas SOP bypass via crafted HTML Inappropriate implementation in Canvas in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
Chrome
CVE-2026-7978 May 06, 2026
Chrome OS-level PrivEsc via Companion before 148.0.7778.96 Inappropriate implementation in Companion in Google Chrome on Mac prior to 148.0.7778.96 allowed a remote attacker to perform OS-level privilege escalation via malicious network traffic. (Chromium security severity: Medium)
Chrome
CVE-2026-7974 May 06, 2026
Google Chrome <148.0.7778.96 Use-after-Free in Blink Use after free in Blink in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Chrome
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.