Google Chrome Web browser
Recent Google Chrome Security Advisories
| Advisory | Title | Published |
|---|---|---|
| 2026-06-03 | Chrome Releases: Stable Channel Update for Desktop (version 149) | June 3, 2026 |
| 2026-06-03 | Chrome Releases: Chrome for Android Update (version 149) | June 3, 2026 |
| 2026-06-01 | Chrome Releases: June 2026 | June 1, 2026 |
| 2026-05-28 | Chrome Releases: Chrome for Android Update (version 148) | May 28, 2026 |
| 2026-05-28 | Chrome Releases: Chrome Stable for iOS Update (version 149) | May 28, 2026 |
| 2026-05-28 | Chrome Releases: Stable Channel Update for Desktop (version 148.0.7778.216) | May 28, 2026 |
| 2026-05-21 | Chrome Releases: Chrome Stable for iOS Update (version 149) | May 21, 2026 |
| 2026-05-20 | Chrome Releases: Chrome for Android Update (version 148) | May 20, 2026 |
| 2026-05-20 | Chrome Releases: Stable Channel Update for Desktop (version 148.0.7778.178) | May 20, 2026 |
| 2026-05-12 | Chrome Releases: Chrome Stable for iOS Update (version 148) | May 12, 2026 |
Known Exploited Google Chrome Vulnerabilities
The following Google Chrome vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Google Chrome Skia Integer Overflow Vulnerability | Google Chrome Skia contains an integer overflow vulnerability. Specific impacts from exploitation are not available at this time. This vulnerability resides in Skia which serves as the graphics engine for Google Chrome and ChromeOS, Android, Flutter, and other products. CVE-2023-2136. Exploit Probability: 0.4% | April 21, 2023 |
| Google Chrome Use-After-Free Vulnerability | Google Chrome contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption. CVE-2022-3038. Exploit Probability: 36.0% | March 30, 2023 |
| Google Chrome Heap Buffer Overflow Vulnerability | Google Chrome GPU contains a heap buffer overflow vulnerability that allows a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. CVE-2022-4135. Exploit Probability: 0.1% | November 28, 2022 |
| Google Chrome Intents Insufficient Input Validation Vulnerability | Google Chrome Intents allows for insufficient validation of untrusted input, causing unknown impacts. CISA will update this description if more information becomes available. CVE-2022-2856. Exploit Probability: 3.3% | August 18, 2022 |
| Google Chrome Use-After-Free Vulnerability | Use-after-free in WebAudio in Google Chrome allows a remote attacker to potentially exploit heap corruption. CVE-2019-13720. Exploit Probability: 89.6% | May 23, 2022 |
| Google Chrome Use-After-Free Vulnerability | Google Chrome contains a heap use-after-free vulnerability which allows an attacker to potentially perform out of bounds memory access. CVE-2019-5786. Exploit Probability: 89.9% | May 23, 2022 |
| Google Chrome Use-After-Free Vulnerability | The vulnerability exists due to a use-after-free error within the Animation component in Google Chrome. CVE-2022-0609. Exploit Probability: 49.0% | February 15, 2022 |
| Google Chrome Prior to 81.0.4044.92 Use-After-Free Vulnerability | Use-after-free vulnerability in Media in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to execute arbitrary code via a crafted HTML page. CVE-2020-6572. Exploit Probability: 19.1% | January 10, 2022 |
| Google Chrome Browser V8 Arbitrary Code Execution | Type Confusion in V8 in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30563. Exploit Probability: 2.6% | November 3, 2021 |
| Google Chrome FreeType Memory Corruption | Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2020-15999. Exploit Probability: 93.0% | November 3, 2021 |
| Google Chrome WebGL Use-After-Free Vulnerability | Use after free in WebGL in Google Chrome prior to 91.0.4472.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30554. Exploit Probability: 5.8% | November 3, 2021 |
| Google Chrome Use-After-Free Vulnerability | Google Chrome use-after-free error within the V8 browser engine. CVE-2021-37975. Exploit Probability: 63.0% | November 3, 2021 |
| Google Chrome Use-After-Free Vulnerability | Use-after-free weakness in Portals, Google's new web page navigation system for Chrome. Successful exploitation can let attackers execute code. CVE-2021-37973. Exploit Probability: 14.8% | November 3, 2021 |
| Google Chrome Use-After-Free Vulnerability | Google Chrome Use-After-Free vulnerability. CVE-2021-30633. Exploit Probability: 30.1% | November 3, 2021 |
| Google Chrome Out-of-bounds write | Google Chrome out-of-bounds write that allows an attacker to execute arbitrary code on the target system. CVE-2021-30632. Exploit Probability: 83.8% | November 3, 2021 |
| Google Chrome Information Leakage | Information disclosure in Google Chrome that exists due to excessive data output in core. CVE-2021-37976. Exploit Probability: 20.1% | November 3, 2021 |
| Google Chrome Site Isolation Component Use-After-Free Remote Code Execution vulnerability | Use after free in site isolation in Google Chrome prior to 86.0.4240.198 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. CVE-2020-16017. Exploit Probability: 21.4% | November 3, 2021 |
| Google Chrome Heap Buffer Overflow in WebAudio Vulnerability | Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-21166. Exploit Probability: 38.0% | November 3, 2021 |
Of the known exploited vulnerabilities above, 4 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 8 known exploited Google Chrome vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
EOL Dates
Ensure that you are using a supported version of Google Chrome. Here are some end-of-life and end-of-support dates for Google Chrome.
| Release | EOL Date | Status |
|---|---|---|
| 149 | July 6, 2026 | EOL This Year. Google Chrome 149 will become EOL this year, in July 2026. |
| 148 | June 2, 2026 | EOL. Google Chrome 148 became EOL in 2026. |
| 147 | May 5, 2026 | EOL. Google Chrome 147 became EOL in 2026. |
| 146 | April 7, 2026 | EOL. Google Chrome 146 became EOL in 2026. |
| 145 | March 10, 2026 | EOL. Google Chrome 145 became EOL in 2026. |
| 144 | February 10, 2026 | EOL. Google Chrome 144 became EOL in 2026. |
| 143 | January 13, 2026 | EOL. Google Chrome 143 became EOL in 2026. |
| 142 | December 2, 2025 | EOL. Google Chrome 142 became EOL in 2025. |
| 141 | October 28, 2025 | EOL. Google Chrome 141 became EOL in 2025. |
| 140 | September 30, 2025 | EOL. Google Chrome 140 became EOL in 2025. |
| 139 | September 2, 2025 | EOL. Google Chrome 139 became EOL in 2025. |
| 138 | August 5, 2025 | EOL. Google Chrome 138 became EOL in 2025. |
| 137 | June 24, 2025 | EOL. Google Chrome 137 became EOL in 2025. |
| 136 | May 27, 2025 | EOL. Google Chrome 136 became EOL in 2025. |
| 135 | April 29, 2025 | EOL. Google Chrome 135 became EOL in 2025. |
| 134 | April 1, 2025 | EOL. Google Chrome 134 became EOL in 2025. |
| 133 | March 4, 2025 | EOL. Google Chrome 133 became EOL in 2025. |
| 132 | February 4, 2025 | EOL. Google Chrome 132 became EOL in 2025. |
| 131 | January 14, 2025 | EOL. Google Chrome 131 became EOL in 2025. |
| 130 | November 12, 2024 | EOL. Google Chrome 130 became EOL in 2024. |
By the Year
In 2026 there have been 1052 vulnerabilities in Google Chrome with an average score of 7.3 out of ten. Last year, in 2025, Chrome had 247 security vulnerabilities published. That is, 805 more vulnerabilities have already been reported in 2026 than in all of last year. The average CVE base score of the vulnerabilities in 2026 is also greater, by 0.35.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1052 | 7.34 |
| 2025 | 247 | 6.99 |
| 2024 | 290 | 7.70 |
| 2023 | 331 | 7.40 |
| 2022 | 356 | 7.95 |
| 2021 | 373 | 7.96 |
| 2020 | 264 | 8.02 |
| 2019 | 353 | 7.34 |
| 2018 | 127 | 7.10 |
It may take a day or so for new Chrome vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Google Chrome Security Vulnerabilities
Google Chrome <149.0.7827.53: UI Spoofing via History API
CVE-2026-11309
4.3 - Medium
- June 04, 2026
Insufficient policy enforcement in History in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Origin Validation Error
Google Chrome <149.0.7827.53 Priv Escalation via Malicious Extension
CVE-2026-11308
6.3 - Medium
- June 04, 2026
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to perform privilege escalation via a crafted Chrome Extension. (Chromium security severity: Low)
Improper Privilege Management
Use-after-free in PDFium (Chrome <149.0.7827.53)
CVE-2026-11307
8.8 - High
- June 04, 2026
Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)
Dangling pointer
Use-After-Free in PDFium (Chrome <149.0.7827.53) via crafted PDF
CVE-2026-11306
8.8 - High
- June 04, 2026
Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)
Dangling pointer
UAF in PDFium before Chrome 149.0.7827.53
CVE-2026-11305
8.8 - High
- June 04, 2026
Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)
Dangling pointer
Use-After-Free in PDFium in Chrome <149.0.7827.53 (CVE-2026-11304)
CVE-2026-11304
8.8 - High
- June 04, 2026
Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: Low)
Dangling pointer
UAF in PDFium (Chrome <149.0.7827.53): remote code execution
CVE-2026-11303
8.8 - High
- June 04, 2026
Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)
Dangling pointer
Chrome iOS <149.0.7827.53: DACL Bypass via Crafted HTML
CVE-2026-11302
4.3 - Medium
- June 04, 2026
Insufficient policy enforcement in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)
Authorization
Google Chrome <149.0.7827.53 LiveCaption OOB Memory Access
CVE-2026-11301
8.8 - High
- June 04, 2026
Inappropriate implementation in LiveCaption in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform out of bounds memory access via malicious network traffic. (Chromium security severity: Low)
Out-of-bounds Read
UI Spoofing in Google Chrome <149.0.7827.53 via HTML
CVE-2026-11300
4.3 - Medium
- June 04, 2026
Inappropriate implementation in Permissions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
User Interface (UI) Misrepresentation of Critical Information
Google Chrome <149.0.7827.53 Int Overflow - Memory Leak
CVE-2026-11299
6.5 - Medium
- June 04, 2026
Integer overflow in Fonts in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)
Out-of-bounds Read
Chrome for iOS <=149.0.7827.53 Same-Origin Policy bypass
CVE-2026-11298
4.3 - Medium
- June 04, 2026
Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Origin Validation Error
Chrome Android Reader Mode Input Validation Bypass <149.0.7827.53
CVE-2026-11297
7.7 - High
- June 04, 2026
Insufficient validation of untrusted input in Reader Mode in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to bypass navigation restrictions via a malicious file. (Chromium security severity: Low)
Improper Input Validation
Chrome ImageCapture PrivEsc via crafted HTML in Chrome <=149.0.7827.53
CVE-2026-11296
7.5 - High
- June 04, 2026
Inappropriate implementation in ImageCapture in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
Improper Privilege Management
Chrome Android WebView Priv Escal via Crafted HTML (<149.0.7827.53)
CVE-2026-11295
8.8 - High
- June 04, 2026
Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
Improper Privilege Management
Chrome Passwords UI Spoofing before 149.0.7827.53
CVE-2026-11294
4.3 - Medium
- June 04, 2026
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
User Interface (UI) Misrepresentation of Critical Information
Google Chrome <=149.0.7827.53 UAF in Input -> sandbox escape
CVE-2026-11293
9.6 - Critical
- June 04, 2026
Use after free in Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
Dangling pointer
Chrome<149.0.7827.53 Bypass CSP via Blink policy flaw
CVE-2026-11292
4.3 - Medium
- June 04, 2026
Insufficient policy enforcement in Blink in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
Protection Mechanism Failure
Chrome Android Autofill Same Origin Policy Bypass pre-149.0.7827.53
CVE-2026-11291
4.3 - Medium
- June 04, 2026
Inappropriate implementation in Android Autofill in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Origin Validation Error
Integer overflow in Chrome WebView on Android 149.0.7827.53
CVE-2026-11290
5 - Medium
- June 04, 2026
Integer overflow in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to cause a denial of service via a malicious file. (Chromium security severity: Low)
Assumed-Immutable Parameter Tampering
Paint Component Side-Channel Leak in Chrome before 149.0.7827.53
CVE-2026-11289
6.5 - Medium
- June 04, 2026
Side-channel information leakage in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Improper Protection Against Physical Side Channels
Google Chrome <149.0.7827.53 CSS Policy Leak
CVE-2026-11288
6.5 - Medium
- June 04, 2026
Insufficient policy enforcement in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Protection Mechanism Failure
Insufficient Policy Enforcement in Nav Chrome Android <149.0.7827.53
CVE-2026-11287
6.5 - Medium
- June 04, 2026
Insufficient policy enforcement in Navigation in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
Improper Input Validation
Google Chrome <=149.0.7827.53 Wallet UI Spoofing via untrusted input
CVE-2026-11286
4.3 - Medium
- June 04, 2026
Insufficient validation of untrusted input in Wallet in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Improper Input Validation
Chrome <149.0.7827.53: PerformanceAPI Side-Channel Leak
CVE-2026-11284
6.5 - Medium
- June 04, 2026
Side-channel information leakage in PerformanceAPIs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Improper Protection Against Physical Side Channels
Google Chrome Mac <149.0.7827.53: Shortcuts Input Validation Flaw
CVE-2026-11283
6.5 - Medium
- June 04, 2026
Insufficient validation of untrusted input in Shortcuts in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a malicious file. (Chromium security severity: Low)
Improper Input Validation
Chrome iOS UI Spoofing <=149.0.7827.53
CVE-2026-11285
4.3 - Medium
- June 04, 2026
Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
User Interface (UI) Misrepresentation of Critical Information
Chrome Linux <149.0.7827.53: Sandbox Escape via HTML
CVE-2026-11282
9.6 - Critical
- June 04, 2026
Insufficient policy enforcement in Sandbox in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
Protection Mechanism Failure
Int overflow in Chromoting (Chrome <149.0.7827.53) local info leak
CVE-2026-11281
5 - Medium
- June 04, 2026
Integer overflow in Chromoting in Google Chrome on Windows prior to 149.0.7827.53 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted ETW event. (Chromium security severity: Low)
Assumed-Immutable Parameter Tampering
Google Chrome iOS UI Spoofing via Signin before 149.0.7827.53
CVE-2026-11280
4.3 - Medium
- June 04, 2026
Inappropriate implementation in Signin in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Improper Input Validation
OOB Read in Chrome DevTools <149.0.7827.53 RCE via Crafted Page
CVE-2026-11279
8.8 - High
- June 04, 2026
Out of bounds read in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)
Out-of-bounds Read
Chrome Android CustomTabs 149.0.7827.53 Cross-Origin Leak
CVE-2026-11278
6.5 - Medium
- June 04, 2026
Inappropriate implementation in CustomTabs in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Origin Validation Error
Google Chrome on iOS <149.0.7827.53: Remote ATO via crafted HTML
CVE-2026-11277
4.3 - Medium
- June 04, 2026
Insufficient policy enforcement in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)
Authorization
Google Chrome Cast DACL Bypass <149.0.7827.53
CVE-2026-11276
5.1 - Medium
- June 04, 2026
Inappropriate implementation in Cast in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to bypass discretionary access control via malicious network traffic. (Chromium security severity: Low)
Improper Privilege Management
Chrome Android <149.0.7827.53 PageInfo Nav Restriction Bypass
CVE-2026-11275
6.5 - Medium
- June 04, 2026
Inappropriate implementation in Page Info in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
Authorization
Google Chrome iOS DOM Distiller Nav Bypass <149.0.7827.53
CVE-2026-11274
4.3 - Medium
- June 04, 2026
Inappropriate implementation in DOM Distiller in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
Authorization
Google Chrome <149.0.7827.53: Password leak via crafted HTML
CVE-2026-11271
6.5 - Medium
- June 04, 2026
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Information Disclosure
Chrome iOS: Priv Esc via Unvalidated Reading List Input (149.0.7827.53)
CVE-2026-11272
8.8 - High
- June 04, 2026
Insufficient validation of untrusted input in Reading List in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
Improper Input Validation
UXSS via Untrusted Input in Omnibox in Google Chrome <149.0.7827.53
CVE-2026-11273
6.1 - Medium
- June 04, 2026
Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)
Improper Input Validation
Google Chrome Android <149.0.7827.53 CVE-2026-11270: UI OOB Leak
CVE-2026-11270
6.5 - Medium
- June 04, 2026
Inappropriate implementation in UI in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Session Riding
Chrome Extension CVE-2026-11269: Exec via Privileged Network Pre-149.0.7827.53
CVE-2026-11269
7.1 - High
- June 04, 2026
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker in a privileged network position to execute arbitrary code inside a sandbox via a crafted Chrome Extension. (Chromium security severity: Low)
Inclusion of Functionality from Untrusted Control Sphere
Uninitialized Use in ANGLE Chrome <149.0.7827.53 Windows Data Leak
CVE-2026-11268
6.5 - Medium
- June 04, 2026
Uninitialized Use in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Use of Uninitialized Variable
Chrome SafeBrowsing Bypass via Malicious File (149.0.7827.52)
CVE-2026-11266
4.3 - Medium
- June 04, 2026
Inappropriate implementation in SafeBrowsing in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass Safe Browsing via a malicious file. (Chromium security severity: Low)
Protection Mechanism Failure
Chrome Extension Policy Defect 149.0.7827.53 Bypass CSP
CVE-2026-11267
4.3 - Medium
- June 04, 2026
Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted Chrome Extension. (Chromium security severity: Low)
Client-Side Enforcement of Server-Side Security
Chrome Autofill XSS Leak Prior to v149
CVE-2026-11265
7.5 - High
- June 04, 2026
Inappropriate implementation in Autofill in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Session Riding
Chrome<149 CSP Bypass via Crafted HTML (CVE-2026-11264)
CVE-2026-11264
4.3 - Medium
- June 04, 2026
Policy bypass in Content Security Policy in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
Protection Mechanism Failure
Insecure PDF Rendering in Google Chrome <149.0.7827.53 Enables UI Spoofing
CVE-2026-11261
4.3 - Medium
- June 04, 2026
Inappropriate implementation in PDF in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Improper Input Validation
Use after free in TabStrip Chrome <149.0.7827.53 (UAF)
CVE-2026-11262
8.8 - High
- June 04, 2026
Use after free in TabStrip in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)
Dangling pointer
Chrome Android 149.0.7827.53 WebAuth Insuff Policy Leak
CVE-2026-11263
6.5 - Medium
- June 04, 2026
Insufficient policy enforcement in WebAuthentication in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Protection Mechanism Failure
Google Chrome <149.0.7827.53 Cast Same-Origin Policy Bypass
CVE-2026-11259
4.3 - Medium
- June 04, 2026
Insufficient validation of untrusted input in Cast in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Improper Input Validation