Google Chrome (Web browser)

Recent Google Chrome Security Advisories

| Advisory | Title | Published |
| --- | --- | --- |
| 2026-06-27 | Chrome Releases: Stable Channel Update for ChromeOS / ChromeOS Flex | June 27, 2026 |
| 2026-06-26 | Chrome Releases: Stable Channel Update for Desktop (version 149.0.7827.200) | June 26, 2026 |
| 2026-06-26 | Chrome Releases: Chrome for Android Update (version 149) | June 26, 2026 |
| 2026-06-24 | Chrome Releases: Chrome Stable for iOS Update (version 150) | June 24, 2026 |
| 2026-06-24 | Chrome Releases: Chrome for Android Update (version 149) | June 24, 2026 |
| 2026-06-24 | Chrome Releases: Stable Channel Update for Desktop (version 149.0.7827.196) | June 24, 2026 |
| 2026-06-17 | Chrome Releases: Stable Channel Update for ChromeOS / ChromeOS Flex | June 17, 2026 |
| 2026-06-17 | Chrome Releases: Chrome Stable for iOS Update (version 150) | June 17, 2026 |
| 2026-06-17 | Chrome Releases: Stable Channel Update for Desktop (version 149.0.7827.155) | June 17, 2026 |
| 2026-06-17 | Chrome Releases: Chrome for Android Update (version 149) | June 17, 2026 |

Known Exploited Google Chrome Vulnerabilities

The following Google Chrome vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

| Title | Description | CVE | Exploit Probability | Added |
| --- | --- | --- | --- | --- |
| Google Chrome Skia Integer Overflow Vulnerability | Google Chrome Skia contains an integer overflow vulnerability. Specific impacts from exploitation are not available at this time. This vulnerability resides in Skia which serves as the graphics engine for Google Chrome and ChromeOS, Android, Flutter, and other products. | CVE-2023-2136 | 5.8% | April 21, 2023 |
| Google Chrome Use-After-Free Vulnerability | Google Chrome contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption. | CVE-2022-3038 | 24.7% | March 30, 2023 |
| Google Chrome Heap Buffer Overflow Vulnerability | Google Chrome GPU contains a heap buffer overflow vulnerability that allows a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | CVE-2022-4135 | 31.9% | November 28, 2022 |
| Google Chrome Intents Insufficient Input Validation Vulnerability | Google Chrome Intents allows for insufficient validation of untrusted input, causing unknown impacts. CISA will update this description if more information becomes available. | CVE-2022-2856 | 4.5% | August 18, 2022 |
| Google Chrome Use-After-Free Vulnerability | Use-after-free in WebAudio in Google Chrome allows a remote attacker to potentially exploit heap corruption. | CVE-2019-13720 | 73.0% | May 23, 2022 |
| Google Chrome Use-After-Free Vulnerability | Google Chrome contains a heap use-after-free vulnerability which allows an attacker to potentially perform out of bounds memory access. | CVE-2019-5786 | 61.5% | May 23, 2022 |
| Google Chrome Use-After-Free Vulnerability | The vulnerability exists due to a use-after-free error within the Animation component in Google Chrome. | CVE-2022-0609 | 23.5% | February 15, 2022 |
| Google Chrome Prior to 81.0.4044.92 Use-After-Free Vulnerability | Use-after-free vulnerability in Media in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to execute arbitrary code via a crafted HTML page. | CVE-2020-6572 | 10.6% | January 10, 2022 |
| Google Chrome Browser V8 Arbitrary Code Execution | Type Confusion in V8 in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | CVE-2021-30563 | 8.9% | November 3, 2021 |
| Google Chrome FreeType Memory Corruption | Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | CVE-2020-15999 | 50.6% | November 3, 2021 |
| Google Chrome WebGL Use-After-Free Vulnerability | Use after free in WebGL in Google Chrome prior to 91.0.4472.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | CVE-2021-30554 | 7.4% | November 3, 2021 |
| Google Chrome Use-After-Free Vulnerability | Google Chrome use-after-free error within the V8 browser engine. | CVE-2021-37975 | 34.9% | November 3, 2021 |
| Google Chrome Use-After-Free Vulnerability | Use-after-free weakness in Portals, Google's new web page navigation system for Chrome. Successful exploitation can let attackers execute code. | CVE-2021-37973 | 11.7% | November 3, 2021 |
| Google Chrome Use-After-Free Vulnerability | Google Chrome Use-After-Free vulnerability | CVE-2021-30633 | 32.7% | November 3, 2021 |
| Google Chrome Out-of-bounds write | Google Chrome out-of-bounds write that allows arbitrary code execution on the target system. | CVE-2021-30632 | 64.5% | November 3, 2021 |
| Google Chrome Information Leakage | Information disclosure in Google Chrome that exists due to excessive data output in core. | CVE-2021-37976 | 19.9% | November 3, 2021 |
| Google Chrome Site Isolation Component Use-After-Free Remote Code Execution vulnerability | Use after free in site isolation in Google Chrome prior to 86.0.4240.198 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | CVE-2020-16017 | 2.7% | November 3, 2021 |
| Google Chrome Heap Buffer Overflow in WebAudio Vulnerability | Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | CVE-2021-21166 | 26.5% | November 3, 2021 |

Of the known exploited vulnerabilities above, 3 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 10 known exploited Google Chrome vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.

EOL Dates

Ensure that you are using a supported version of Google Chrome. Here are some end-of-life and end-of-support dates for Google Chrome.

| Release | EOL Date | Status |
| --- | --- | --- |
| 149 | July 6, 2026 | EOL This Year |
| 148 | June 2, 2026 | EOL |
| 147 | May 5, 2026 | EOL |
| 146 | April 7, 2026 | EOL |
| 145 | March 10, 2026 | EOL |
| 144 | February 10, 2026 | EOL |
| 143 | January 13, 2026 | EOL |
| 142 | December 2, 2025 | EOL |
| 141 | October 28, 2025 | EOL |
| 140 | September 30, 2025 | EOL |
| 139 | September 2, 2025 | EOL |
| 138 | August 5, 2025 | EOL |
| 137 | June 24, 2025 | EOL |
| 136 | May 27, 2025 | EOL |
| 135 | April 29, 2025 | EOL |
| 134 | April 1, 2025 | EOL |
| 133 | March 4, 2025 | EOL |
| 132 | February 4, 2025 | EOL |
| 131 | January 14, 2025 | EOL |
| 130 | November 12, 2024 | EOL |

By the Year

In 2026 there have been 1210 vulnerabilities in Google Chrome, with an average score of 7.4 out of ten. Last year, in 2025, Chrome had 247 security vulnerabilities published. That is, 963 more vulnerabilities have already been reported in 2026 than last year. The average CVE base score of the vulnerabilities in 2026 is also greater, by 0.37.




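| Year | Vulnerabilities | Average Score |
| --- | --- | --- |
| 2026 | 1210 | 7.36 |
| 2025 | 247 | 6.99 |
| 2024 | 290 | 7.70 |
| 2023 | 331 | 7.40 |
| 2022 | 356 | 7.95 |
| 2021 | 373 | 7.96 |
| 2020 | 264 | 8.02 |
| 2019 | 353 | 7.34 |
| 2018 | 127 | 7.10 |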

It may take a day or so for new Chrome vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Google Chrome Security Vulnerabilities

Timing Attack on AMD ASP HMAC
CVE-2023-20572 - June 26, 2026

An observable timing discrepancy in the ASP could allow a privileged attacker to perform a brute-force attack against the hash message authentication code, allowing the input of an arbitrary message, potentially leading to a loss of data integrity.

Observable Timing Discrepancy

Use-after-free in Chrome Android AdFilter before 149.0.7827.201
CVE-2026-13283 7.5 - High - June 25, 2026

Use after free in AdFilter in Google Chrome on Android prior to 149.0.7827.201 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Use After Free in Chrome Android Payments before 149.0.7827.201
CVE-2026-13282 6.8 - Medium - June 25, 2026

Use after free in Payments in Google Chrome on Android prior to 149.0.7827.201 allowed a local attacker to potentially exploit heap corruption via physical access to the device. (Chromium security severity: High)

Dangling pointer

Integer overflow in Mojo (Chrome <149.0.7827.201) may enable sandbox escape
CVE-2026-13281 8.3 - High - June 25, 2026

Integer overflow in Mojo in Google Chrome prior to 149.0.7827.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)

Assumed-Immutable Parameter Tampering

UAF in Google Chrome WebView before 149.0.7827.197 (Android)
CVE-2026-13037 7.8 - High - June 24, 2026

Use after free in WebView in Google Chrome on Android prior to 149.0.7827.197 allowed a local attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

UAF in Blink in Chrome before 149.0.7827.197
CVE-2026-13036 8.8 - High - June 24, 2026

Use after free in Blink in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Chrome <149.0.7827.197 UAF in Bluetooth on Mac
CVE-2026-13035 8.8 - High - June 24, 2026

Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a malicious peripheral. (Chromium security severity: High)

Dangling pointer

Chrome <149.0.7827.197 Passwords Bypass Site Isolation
CVE-2026-13034 4.7 - Medium - June 24, 2026

Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

Origin Validation Error

Use-after-Free in Blink of Chrome <149.0.7827.197
CVE-2026-13031 8.8 - High - June 24, 2026

Use after free in Blink in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Chrome Android GPU Uninitialized Use Before 149.0.7827.197
CVE-2026-13030 5.3 - Medium - June 24, 2026

Uninitialized Use in GPU in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Use of Uninitialized Variable

Use-After-Free in Chrome WebAuthn <149.0.7827.197 via Malicious Extension
CVE-2026-13029 7.5 - High - June 24, 2026

Use after free in Web Authentication in Google Chrome prior to 149.0.7827.197 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)

Dangling pointer

Chrome <149.0.7827.197 UAF in FileSystem
CVE-2026-13027 8.8 - High - June 24, 2026

Use after free in FileSystem in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Google Chrome before 149.0.7827.197 UAF in Digital Credentials
CVE-2026-13026 8.8 - High - June 24, 2026

Use after free in Digital Credentials in Google Chrome on Mac prior to 149.0.7827.197 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Race in DevTools Sandbox Escape in Chrome <149.0.7827.197
CVE-2026-13025 8.3 - High - June 24, 2026

Race in DevTools in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Improper Input Validation

Chromium Navigation Component Untrusted Input Bypass before v149.0.7827.197
CVE-2026-13024 4.2 - Medium - June 24, 2026

Insufficient validation of untrusted input in Navigation in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

Improper Input Validation

Uninit Use in GPU in Chrome <149.0.7827.197 (High)
CVE-2026-13023 5.3 - Medium - June 24, 2026

Uninitialized Use in GPU in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Use of Uninitialized Variable

Google Chrome CVE-2026-13022: Autofill cross-origin data leak (<149.0.7827.197)
CVE-2026-13022 - June 24, 2026

Inappropriate implementation in Autofill in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Chrome Autofill UAF before v149.0.7827.197
CVE-2026-13038 8.8 - High - June 24, 2026

Use after free in Autofill in Google Chrome on Windows prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

Dangling pointer

Chrome Blink InterestGroups OOB read/write <149.0.7827.197
CVE-2026-13033 8.8 - High - June 24, 2026

Out of bounds read and write in Blink>InterestGroups in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

Out-of-bounds Read

Google Chrome <149.0.7827.197: DeviceBoundSessionCredentials SOP Bypass
CVE-2026-13021 4.3 - Medium - June 24, 2026

Inappropriate implementation in DeviceBoundSessionCredentials in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

Origin Validation Error

WebGL UAF in Chrome <149.0.7827.197 on Android
CVE-2026-13032 9.6 - Critical - June 24, 2026

Use after free in WebGL in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Dangling pointer

Use-After-Free Sandbox Escape via WebGL in Chrome for Android <149.0.7827.197
CVE-2026-13028 9.6 - Critical - June 24, 2026

Use after free in WebGL in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Dangling pointer

Chrome Android GPU Uninitialized Use <149.0.7827.155 Data Leak
CVE-2026-12469 4.3 - Medium - June 17, 2026

Uninitialized Use in GPU in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Use of Uninitialized Variable

Chrome Updater Race Condition on Mac Pre-149.0.7827.155 Allows Sandbox Escape
CVE-2026-12468 8.3 - High - June 17, 2026

Race in Updater in Google Chrome on Mac prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Race Condition

Google Chrome <149.0.7827.155 Use-After-Free in Extensions Allows Sandbox Escape
CVE-2026-12467 8.3 - High - June 17, 2026

Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Chrome WebRTC Heap Buffer Overflow Remote Code Execution (pre-149.0.7827.155)
CVE-2026-12466 8.8 - High - June 17, 2026

Heap buffer overflow in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Heap-based Buffer Overflow

Chrome Metrics Object Lifecycle Issue before 149.0.7827.155 Remote Sandbox Escape
CVE-2026-12465 8.3 - High - June 17, 2026

Object lifecycle issue in Metrics in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Improper Input Validation

Chrome Browser Use-After-Free <149.0.7827.155 allows sandbox escape
CVE-2026-12464 8.3 - High - June 17, 2026

Use after free in Browser in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Google Chrome UXSS via Views on Linux pre-149.0.7827.155
CVE-2026-12463 4.7 - Medium - June 17, 2026

Inappropriate implementation in Views in Google Chrome on Linux prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)

XSS

Chrome <149.0.7827.155 Use-After-Free in Media component
CVE-2026-12462 7.5 - High - June 17, 2026

Use after free in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

OOB read in WebRTC (Chrome <149.0.7827.155)
CVE-2026-12461 6.5 - Medium - June 17, 2026

Out of bounds read in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Out-of-bounds Read

Google Chrome <149.0.7827.155 File System Access Policy Bypass via PDF
CVE-2026-12460 4.2 - Medium - June 17, 2026

Insufficient policy enforcement in File System Access in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted PDF file. (Chromium security severity: High)

Authorization

Google Chrome <149.0.7827.155 UXSS via Serial API
CVE-2026-12459 6.1 - Medium - June 17, 2026

Inappropriate implementation in Serial in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)

XSS

Google Chrome <149.0.7827.155: Passwords Leakage via UI Gesture
CVE-2026-12458 3.1 - Low - June 17, 2026

Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

User Interface (UI) Misrepresentation of Critical Information

Chrome <149.0.7827.155 - Site Isolation Bypass via Extensions (High Severity)
CVE-2026-12457 4.2 - Medium - June 17, 2026

Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

Protection Mechanism Failure

Google Chrome <149.0.7827.155: Extensions Bypass SOP via Malicious Extension
CVE-2026-12456 4.2 - Medium - June 17, 2026

Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension. (Chromium security severity: High)

Improper Input Validation

Use after free in Chrome Tab Strip before 149.0.7827.155 Exploits Heap Corruption
CVE-2026-12455 7.5 - High - June 17, 2026

Use after free in Tab Strip in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Race in Safe Browsing in Chrome <149.0.7827.155: sandbox escape
CVE-2026-12454 8.3 - High - June 17, 2026

Race in Safe Browsing in Google Chrome on Mac prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Race Condition

CVE-2026-12453 Chrome <149.0.7827.155: Insecure Input - Same-Origin Bypass
CVE-2026-12453 4.2 - Medium - June 17, 2026

Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

Improper Input Validation

Use After Free in Downloads: Chrome <149.0.7827.155 on Android
CVE-2026-12452 8.8 - High - June 17, 2026

Use after free in Downloads in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Use-after-free in Google Chrome DigitalCredentials <149.0.7827.155 (sandbox escape)
CVE-2026-12451 8.3 - High - June 17, 2026

Use after free in DigitalCredentials in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Chrome Media Memory Disclosure (pre-149.0.7827.155)
CVE-2026-12450 6.5 - Medium - June 17, 2026

Inappropriate implementation in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Improper Privilege Management

Use-After-Free in Chromoting (Chrome <149.0.7827.155) PrivEsc via File
CVE-2026-12449 7.8 - High - June 17, 2026

Use after free in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)

Dangling pointer

Chrome Android WebView PrivEsc via crafted HTML (before 149.0.7827.155)
CVE-2026-12448 8.8 - High - June 17, 2026

Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)

Improper Privilege Management

Heap Buffer Overflow WebRTC in Chrome <149.0.7827.155
CVE-2026-12447 8.8 - High - June 17, 2026

Heap buffer overflow in WebRTC in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Heap-based Buffer Overflow

Remote Cross-Origin Data Leak via Passwords in Google Chrome <149.0.7827.155
CVE-2026-12446 4.3 - Medium - June 17, 2026

Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

AuthZ

Chrome <149.0.7827.155: OOB Read in Chromoting allows local info leak
CVE-2026-12444 5.5 - Medium - June 17, 2026

Out of bounds read in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: High)

Out-of-bounds Read

Chrome Use-After-Free via Malicious Extension (pre-149.0.7827.155)
CVE-2026-12445 7.5 - High - June 17, 2026

Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)

Dangling pointer

Use-After-Free in Chrome WebAuthn (pre-149.0.7827.155)
CVE-2026-12443 8.8 - High - June 17, 2026

Use after free in Web Authentication in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

Dangling pointer

Use After Free in Chrome Android Passwords <149.0.7827.155
CVE-2026-12442 8.8 - High - June 17, 2026

Use after free in Passwords in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

Dangling pointer
