Google Chrome Web browser
Recent Google Chrome Security Advisories
| Advisory | Title | Published |
|---|---|---|
| 2026-05-12 | Chrome Releases: Chrome Stable for iOS Update (version 148) | May 12, 2026 |
| 2026-05-12 | Chrome Releases: Stable Channel Update for Desktop (version 148.0.7778.167) | May 12, 2026 |
| 2026-05-12 | Chrome Releases: Chrome for Android Update (version 148) | May 12, 2026 |
| 2026-05-07 | Chrome Releases: Stable Channel Update for ChromeOS / ChromeOS Flex | May 7, 2026 |
| 2026-05-05 | Chrome Releases: May 2026 | May 5, 2026 |
| 2026-05-05 | Chrome Releases: Chrome for Android Update (version 148) | May 5, 2026 |
| 2026-05-05 | Chrome Releases: Stable Channel Update for Desktop (version 148) | May 5, 2026 |
| 2026-04-29 | Chrome Releases: Chrome Stable for iOS Update (version 148) | April 29, 2026 |
| 2026-04-29 | Chrome Releases: Chrome for Android Update (version 147) | April 29, 2026 |
| 2026-04-28 | Chrome Releases: Stable Channel Update for Desktop (version 147.0.7727.137) | April 28, 2026 |
Known Exploited Google Chrome Vulnerabilities
The following Google Chrome vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Google Chrome Skia Integer Overflow Vulnerability | Google Chrome Skia contains an integer overflow vulnerability. Specific impacts from exploitation are not available at this time. This vulnerability resides in Skia which serves as the graphics engine for Google Chrome and ChromeOS, Android, Flutter, and other products. CVE-2023-2136. Exploit Probability: 0.4% | April 21, 2023 |
| Google Chrome Use-After-Free Vulnerability | Google Chrome contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption. CVE-2022-3038. Exploit Probability: 36.0% | March 30, 2023 |
| Google Chrome Heap Buffer Overflow Vulnerability | Google Chrome GPU contains a heap buffer overflow vulnerability that allows a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. CVE-2022-4135. Exploit Probability: 0.1% | November 28, 2022 |
| Google Chrome Intents Insufficient Input Validation Vulnerability | Google Chrome Intents allows for insufficient validation of untrusted input, causing unknown impacts. CISA will update this description if more information becomes available. CVE-2022-2856. Exploit Probability: 3.3% | August 18, 2022 |
| Google Chrome Use-After-Free Vulnerability | Use-after-free in WebAudio in Google Chrome allows a remote attacker to potentially exploit heap corruption. CVE-2019-13720. Exploit Probability: 89.6% | May 23, 2022 |
| Google Chrome Use-After-Free Vulnerability | Google Chrome contains a heap use-after-free vulnerability which allows an attacker to potentially perform out of bounds memory access. CVE-2019-5786. Exploit Probability: 89.4% | May 23, 2022 |
| Google Chrome Use-After-Free Vulnerability | The vulnerability exists due to a use-after-free error within the Animation component in Google Chrome. CVE-2022-0609. Exploit Probability: 49.3% | February 15, 2022 |
| Google Chrome Prior to 81.0.4044.92 Use-After-Free Vulnerability | Use-after-free vulnerability in Media in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to execute arbitrary code via a crafted HTML page. CVE-2020-6572. Exploit Probability: 19.1% | January 10, 2022 |
| Google Chrome Browser V8 Arbitrary Code Execution | Type Confusion in V8 in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30563. Exploit Probability: 3.1% | November 3, 2021 |
| Google Chrome FreeType Memory Corruption | Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2020-15999. Exploit Probability: 92.9% | November 3, 2021 |
| Google Chrome WebGL Use-After-Free Vulnerability | Use after free in WebGL in Google Chrome prior to 91.0.4472.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30554. Exploit Probability: 3.9% | November 3, 2021 |
| Google Chrome Use-After-Free Vulnerability | Google Chrome use-after-free error within the V8 browser engine. CVE-2021-37975. Exploit Probability: 63.0% | November 3, 2021 |
| Google Chrome Use-After-Free Vulnerability | Use-after-free weakness in Portals, Google's new web page navigation system for Chrome. Successful exploitation can let attackers execute code. CVE-2021-37973. Exploit Probability: 14.8% | November 3, 2021 |
| Google Chrome Use-After-Free Vulnerability | Google Chrome Use-After-Free vulnerability. CVE-2021-30633. Exploit Probability: 35.0% | November 3, 2021 |
| Google Chrome Out-of-bounds write | Google Chrome out-of-bounds write that allows execution of arbitrary code on the target system. CVE-2021-30632. Exploit Probability: 84.5% | November 3, 2021 |
| Google Chrome Information Leakage | Information disclosure in Google Chrome that exists due to excessive data output in core. CVE-2021-37976. Exploit Probability: 15.8% | November 3, 2021 |
| Google Chrome Site Isolation Component Use-After-Free Remote Code Execution vulnerability | Use after free in site isolation in Google Chrome prior to 86.0.4240.198 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. CVE-2020-16017. Exploit Probability: 21.4% | November 3, 2021 |
| Google Chrome Heap Buffer Overflow in WebAudio Vulnerability | Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-21166. Exploit Probability: 38.0% | November 3, 2021 |
Of the known exploited vulnerabilities above, 4 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 7 known exploited Google Chrome vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
EOL Dates
Ensure that you are using a supported version of Google Chrome. Here are some end-of-life and end-of-support dates for Google Chrome.
| Release | EOL Date | Status |
|---|---|---|
| 148 | June 5, 2026 | EOL This Year: Google Chrome 148 will become EOL this year, in June 2026. |
| 147 | May 5, 2026 | EOL: Google Chrome 147 became EOL in 2026. |
| 146 | April 7, 2026 | EOL: Google Chrome 146 became EOL in 2026. |
| 145 | March 10, 2026 | EOL: Google Chrome 145 became EOL in 2026. |
| 144 | February 10, 2026 | EOL: Google Chrome 144 became EOL in 2026. |
| 143 | January 13, 2026 | EOL: Google Chrome 143 became EOL in 2026. |
| 142 | December 2, 2025 | EOL: Google Chrome 142 became EOL in 2025. |
| 141 | October 28, 2025 | EOL: Google Chrome 141 became EOL in 2025. |
| 140 | September 30, 2025 | EOL: Google Chrome 140 became EOL in 2025. |
| 139 | September 2, 2025 | EOL: Google Chrome 139 became EOL in 2025. |
| 138 | August 5, 2025 | EOL: Google Chrome 138 became EOL in 2025. |
| 137 | June 24, 2025 | EOL: Google Chrome 137 became EOL in 2025. |
| 136 | May 27, 2025 | EOL: Google Chrome 136 became EOL in 2025. |
| 135 | April 29, 2025 | EOL: Google Chrome 135 became EOL in 2025. |
| 134 | April 1, 2025 | EOL: Google Chrome 134 became EOL in 2025. |
| 133 | March 4, 2025 | EOL: Google Chrome 133 became EOL in 2025. |
| 132 | February 4, 2025 | EOL: Google Chrome 132 became EOL in 2025. |
| 131 | January 14, 2025 | EOL: Google Chrome 131 became EOL in 2025. |
| 130 | November 12, 2024 | EOL: Google Chrome 130 became EOL in 2024. |
| 129 | October 15, 2024 | EOL: Google Chrome 129 became EOL in 2024. |
By the Year
In 2026 there have been 458 vulnerabilities in Google Chrome, with an average score of 7.2 out of ten. Last year, in 2025, Chrome had 247 security vulnerabilities published. That is, 211 more vulnerabilities have already been reported in 2026 than last year. The average CVE base score of the vulnerabilities in 2026 is also greater, by 0.22.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 458 | 7.21 |
| 2025 | 247 | 6.99 |
| 2024 | 290 | 7.70 |
| 2023 | 331 | 7.40 |
| 2022 | 356 | 7.95 |
| 2021 | 373 | 7.96 |
| 2020 | 264 | 8.02 |
| 2019 | 353 | 7.34 |
| 2018 | 127 | 7.10 |
It may take a day or so for new Chrome vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Google Chrome Security Vulnerabilities
Use-after-free in Chrome Extensions <148.0.7778.168 (Mac)
CVE-2026-8587
8.8 - High
- May 14, 2026
Use after free in Extensions in Google Chrome on Mac prior to 148.0.7778.168 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Medium)
Dangling pointer
Chrome 148.0.7778.168 Chromoting Local ACL Bypass via Malicious File
CVE-2026-8586
5.5 - Medium
- May 14, 2026
Inappropriate implementation in Chromoting in Google Chrome prior to 148.0.7778.168 allowed a local attacker to bypass discretionary access control via a malicious file. (Chromium security severity: Medium)
Authorization
Chrome iOS <148.0.7778.168 Media OOB Memory Read
CVE-2026-8585
7.5 - High
- May 14, 2026
Inappropriate implementation in Media in Google Chrome on iOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)
Protection Mechanism Failure
Chrome iOS <148.0.7778.168 Views: UI Spoofing via Crafted HTML
CVE-2026-8584
4.2 - Medium
- May 14, 2026
Inappropriate implementation in Views in Google Chrome on iOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
User Interface (UI) Misrepresentation of Critical Information
Chrome WebXR Policy Bypass via Renderer Leak - <148.0.7778.168
CVE-2026-8583
5.3 - Medium
- May 14, 2026
Insufficient policy enforcement in WebXR in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Protection Mechanism Failure
Chrome 148.0.7778.168- Pre-148.0.7778.168 Dawn Obj Lifecycle flaw
CVE-2026-8582
5.3 - Medium
- May 14, 2026
Object lifecycle issue in Dawn in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Improper Control of a Resource Through its Lifetime
Chrome GPU Use-After-Free <148.0.7778.168 - Remote Code Exec
CVE-2026-8581
8.8 - High
- May 14, 2026
Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Dangling pointer
Use-after-free in Mojo (Chrome <148.0.7778.168) enables sandbox escape
CVE-2026-8580
9.6 - Critical
- May 14, 2026
Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Dangling pointer
Chrome 148.0.7778.168 Skia OOB Write via Untrusted Print File
CVE-2026-8579
3.1 - Low
- May 14, 2026
Insufficient validation of untrusted input in Skia in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted print file. (Chromium security severity: Medium)
Improper Input Validation
CVE-2026-8578: OOB read in Chrome GPU before 148.0.7778.168
CVE-2026-8578
3.1 - Low
- May 14, 2026
Out of bounds read in GPU in Google Chrome on Linux prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Out-of-bounds Read
Google Chrome v148.0.7778.168 Integer Overflow in Font Rendering Enables Arbitrary Code
CVE-2026-8577
8.8 - High
- May 14, 2026
Integer overflow in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Assumed-Immutable Parameter Tampering
Chrome CORS Data Leak <148.0.7778.168 (Linux/ChromeOS)
CVE-2026-8576
4.3 - Medium
- May 14, 2026
Inappropriate implementation in CORS in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Permissive Cross-domain Policy with Untrusted Domains
Chrome <148.0.7778.168 Use-After-Free in Renderer UI (Sandbox Escape)
CVE-2026-8575
8.3 - High
- May 14, 2026
Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Dangling pointer
Use-after-Free in Chrome Core (<148.0.7778.168) Enables Sandbox Escape
CVE-2026-8574
8.3 - High
- May 14, 2026
Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Dangling pointer
Chromium INT overflow CVE-2026-8573: Video File sandbox escape on Win<148.0.7778.168
CVE-2026-8573
8.3 - High
- May 14, 2026
Integer overflow in Codecs in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)
Assumed-Immutable Parameter Tampering
Google Chrome Android <=148.0.7778.168 Network Policy Leak (CVE-2026-8572)
CVE-2026-8572
3.1 - Low
- May 14, 2026
Insufficient policy enforcement in Network in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Protection Mechanism Failure
Chrome Android <148.0.7778.168: GPU policy flaw leads to sandbox escape
CVE-2026-8571
8.3 - High
- May 14, 2026
Insufficient policy enforcement in GPU in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Protection Mechanism Failure
Type Confusion in V8 (Prior to 148.0.7778.168) in Google Chrome
CVE-2026-8570
6.5 - Medium
- May 14, 2026
Type Confusion in V8 in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Object Type Confusion
Chrome OOB Write in Codecs before 148.0.7778.168 (Mac)
CVE-2026-8569
8.3 - High
- May 14, 2026
Out of bounds write in Codecs in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)
Memory Corruption
Chrome <148 AI Policy Bypass via Render Process
CVE-2026-8568
3.1 - Low
- May 14, 2026
Insufficient policy enforcement in AI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to bypass Site Isolation via a crafted HTML page. (Chromium security severity: Medium)
Protection Mechanism Failure
Chrome <148.0.7778.168: Integer overflow in ANGLE OOB write
CVE-2026-8567
4.3 - Medium
- May 14, 2026
Integer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Medium)
Assumed-Immutable Parameter Tampering
Chrome Android Payments policy enforcement flaw <148.0.7778.168
CVE-2026-8566
4.3 - Medium
- May 14, 2026
Insufficient policy enforcement in Payments in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Medium)
Authorization
Google Chrome Mac <148.0.7778.168: UI Spoof via Malicious Extension
CVE-2026-8565
4.7 - Medium
- May 14, 2026
Inappropriate implementation in Downloads in Google Chrome on Mac prior to 148.0.7778.168 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Medium)
User Interface (UI) Misrepresentation of Critical Information
Google Chrome <=148.0.7778.168: Downloads UI Spoofing
CVE-2026-8564
4.2 - Medium
- May 14, 2026
Incorrect security UI in Downloads in Google Chrome on Android and Mac prior to 148.0.7778.168 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
User Interface (UI) Misrepresentation of Critical Information
Chrome Vulnerability: IFrame Sandbox Bypass before 148.0.7778.168 Windows
CVE-2026-8563
4.3 - Medium
- May 14, 2026
Insufficient policy enforcement in IFrame Sandbox in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
Protection Mechanism Failure
Chrome Navigation VLE before 148.0.7778.168
CVE-2026-8562
4.3 - Medium
- May 14, 2026
Side-channel information leakage in Navigation in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Improper Protection Against Physical Side Channels
Google Chrome <148.0.7778.168: Fullscreen UI Spoofing
CVE-2026-8561
5.4 - Medium
- May 14, 2026
Incorrect security UI in Fullscreen in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
User Interface (UI) Misrepresentation of Critical Information
SwiftShader Heap Overflow in Chrome <148.0.7778.168 (Mac/iOS)
CVE-2026-8560
4.3 - Medium
- May 14, 2026
Heap buffer overflow in SwiftShader in Google Chrome on Mac and iOS prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)
Heap-based Buffer Overflow
Use after free in Google Chrome Accessibility before 148.0.7778.168
CVE-2026-8557
7.5 - High
- May 14, 2026
Use after free in Accessibility in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Chrome Integer Overflow in Intl (pre-148.0.7778.168) Out-of-bounds Write
CVE-2026-8559
4.3 - Medium
- May 14, 2026
Integer overflow in Internationalization in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Assumed-Immutable Parameter Tampering
Chrome ANGLE XOP Data Leak before 148.0.7778.168
CVE-2026-8556
3.1 - Low
- May 14, 2026
Inappropriate implementation in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Buffer Overflow
Chrome <148.0.7778.168: GTK Use-After-Free Remote Code Exec
CVE-2026-8555
8.8 - High
- May 14, 2026
Use after free in GTK in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Type Confusion in ANGLE, Chrome<148.0.7778.168 (Win), OOB Write
CVE-2026-8554
3.1 - Low
- May 14, 2026
Type Confusion in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Object Type Confusion
UAF in GPU, Chrome <148.0.7778.168
CVE-2026-8553
3.1 - Low
- May 14, 2026
Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Android Chrome <148.0.7778.168 GPU Heap Buffer Overflow
CVE-2026-8552
4.3 - Medium
- May 14, 2026
Heap buffer overflow in GPU in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Heap-based Buffer Overflow
Use-after-Free in Google Chrome Downloads (before 148.0.7778.168)
CVE-2026-8551
8.8 - High
- May 14, 2026
Use after free in Downloads in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Use-after-free in Google Lens (Chrome <148.0.7778.168)
CVE-2026-8550
6.5 - Medium
- May 14, 2026
Use after free in Google Lens in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Google Chrome <148.0.7778.168 Use-after-Free (Media) Remote Code Execution
CVE-2026-8549
8.8 - High
- May 14, 2026
Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
OOB write in Chrome Media (pre-148.0.7778.168) sandbox escape
CVE-2026-8548
8.3 - High
- May 14, 2026
Out of bounds write in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Memory Corruption
Chrome 148.0.7778.168 GPU OOB Read via Remote Renderer
CVE-2026-8546
5.3 - Medium
- May 14, 2026
Out of bounds read in GPU in Google Chrome on Mac and Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Out-of-bounds Read
Chrome Windows <148.0.7778.168: PrivEsc via Rendered HTM Page
CVE-2026-8547
7.5 - High
- May 14, 2026
Insufficient policy enforcement in Passwords in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)
AuthZ
Chrome <148.0.7778.168 Object Corruption in Compositing (CrossOrigin Leak)
CVE-2026-8545
3.1 - Low
- May 14, 2026
Object corruption in Compositing in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Buffer Overflow
Use-After-Free in Chrome Media on <=148.0.7778.168 Enables Remote Code Exec
CVE-2026-8544
8.8 - High
- May 14, 2026
Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Google Chrome OOB FileSystem Read <148.0.7778.168 Mac
CVE-2026-8543
5.3 - Medium
- May 14, 2026
Out of bounds read in FileSystem in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Out-of-bounds Read
Chrome Core Use-After-Free before 148.0.7778.168
CVE-2026-8542
8.3 - High
- May 14, 2026
Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
OOB read in Chrome UI (<148.0.7778.168)
CVE-2026-8541
5.3 - Medium
- May 14, 2026
Out of bounds read in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Out-of-bounds Read
Type Confusion in V8 JS Engine of Chrome <148.0.7778.168
CVE-2026-8540
8.8 - High
- May 14, 2026
Type Confusion in V8 in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Object Type Confusion
Chrome <148: ViewTransitions policy flaw leaks Xorigin data
CVE-2026-8537
4.3 - Medium
- May 14, 2026
Insufficient policy enforcement in ViewTransitions in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Permissive Cross-domain Policy with Untrusted Domains
Insufficient validation in GPU component of Google Chrome <148.0.7778.168
CVE-2026-8538
5.3 - Medium
- May 14, 2026
Insufficient validation of untrusted input in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform a denial of service via a crafted HTML page. (Chromium security severity: High)
Improper Input Validation
High UXSS via SanitizerAPI in Google Chrome Android <148.0.7778.168
CVE-2026-8539
5.4 - Medium
- May 14, 2026
Script injection in SanitizerAPI in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
Code Injection