Google Chrome Web browser
Recent Google Chrome Security Advisories
| Advisory | Title | Published |
|---|---|---|
| 2026-04-16 | Chrome Releases: Chrome for Android Update (version 147) | April 16, 2026 |
| 2026-04-16 | Chrome Releases: Stable Channel Update for ChromeOS / ChromeOS Flex | April 16, 2026 |
| 2026-04-16 | Chrome Releases: Stable Channel Update for Desktop (version 147.0.7727.101) | April 16, 2026 |
| 2026-04-14 | Chrome Releases: Chrome Stable for iOS Update (version 147) | April 14, 2026 |
| 2026-04-08 | Chrome Releases: Chrome for Android Update (version 147) | April 8, 2026 |
| 2026-04-08 | Chrome Releases: Stable Channel Update for Desktop (version 147) | April 8, 2026 |
| 2026-04-06 | Chrome Releases: Stable Channel Update for ChromeOS / ChromeOS Flex | April 6, 2026 |
| 2026-04-02 | Chrome Releases: Chrome for Android Update (version 147) | April 2, 2026 |
| 2026-04-01 | Chrome Releases: April 2026 | April 1, 2026 |
| 2026-04-01 | Chrome Releases: Chrome for Android Update (version 146) | April 1, 2026 |
Known Exploited Google Chrome Vulnerabilities
The following Google Chrome vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Google Chrome Skia Integer Overflow Vulnerability | Google Chrome Skia contains an integer overflow vulnerability. Specific impacts from exploitation are not available at this time. This vulnerability resides in Skia which serves as the graphics engine for Google Chrome and ChromeOS, Android, Flutter, and other products. CVE-2023-2136. Exploit Probability: 0.6% | April 21, 2023 |
| Google Chrome Use-After-Free Vulnerability | Google Chrome contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption. CVE-2022-3038. Exploit Probability: 36.0% | March 30, 2023 |
| Google Chrome Heap Buffer Overflow Vulnerability | Google Chrome GPU contains a heap buffer overflow vulnerability that allows a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. CVE-2022-4135. Exploit Probability: 0.1% | November 28, 2022 |
| Google Chrome Intents Insufficient Input Validation Vulnerability | Google Chrome Intents allows for insufficient validation of untrusted input, causing unknown impacts. CISA will update this description if more information becomes available. CVE-2022-2856. Exploit Probability: 5.1% | August 18, 2022 |
| Google Chrome Use-After-Free Vulnerability | Use-after-free in WebAudio in Google Chrome allows a remote attacker to potentially exploit heap corruption. CVE-2019-13720. Exploit Probability: 89.6% | May 23, 2022 |
| Google Chrome Use-After-Free Vulnerability | Google Chrome contains a heap use-after-free vulnerability which allows an attacker to potentially perform out of bounds memory access. CVE-2019-5786. Exploit Probability: 89.4% | May 23, 2022 |
| Google Chrome Use-After-Free Vulnerability | The vulnerability exists due to a use-after-free error within the Animation component in Google Chrome. CVE-2022-0609. Exploit Probability: 43.0% | February 15, 2022 |
| Google Chrome Prior to 81.0.4044.92 Use-After-Free Vulnerability | Use-after-free vulnerability in Media in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to execute arbitrary code via a crafted HTML page. CVE-2020-6572. Exploit Probability: 19.1% | January 10, 2022 |
| Google Chrome Browser V8 Arbitrary Code Execution | Type Confusion in V8 in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30563. Exploit Probability: 3.1% | November 3, 2021 |
| Google Chrome FreeType Memory Corruption | Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2020-15999. Exploit Probability: 92.9% | November 3, 2021 |
| Google Chrome WebGL Use-After-Free Vulnerability | Use after free in WebGL in Google Chrome prior to 91.0.4472.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30554. Exploit Probability: 3.9% | November 3, 2021 |
| Google Chrome Use-After-Free Vulnerability | Google Chrome use-after-free error within the V8 browser engine. CVE-2021-37975. Exploit Probability: 63.0% | November 3, 2021 |
| Google Chrome Use-After-Free Vulnerability | Use-after-free weakness in Portals, Google's new web page navigation system for Chrome. Successful exploitation can let attackers execute code. CVE-2021-37973. Exploit Probability: 6.5% | November 3, 2021 |
| Google Chrome Use-After-Free Vulnerability | Google Chrome Use-After-Free vulnerability. CVE-2021-30633. Exploit Probability: 38.2% | November 3, 2021 |
| Google Chrome Out-of-bounds write | Google Chrome out-of-bounds write that allows arbitrary code execution on the target system. CVE-2021-30632. Exploit Probability: 84.9% | November 3, 2021 |
| Google Chrome Information Leakage | Information disclosure in Google Chrome that exists due to excessive data output in core. CVE-2021-37976. Exploit Probability: 7.7% | November 3, 2021 |
| Google Chrome Site Isolation Component Use-After-Free Remote Code Execution vulnerability | Use after free in site isolation in Google Chrome prior to 86.0.4240.198 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. CVE-2020-16017. Exploit Probability: 21.4% | November 3, 2021 |
| Google Chrome Heap Buffer Overflow in WebAudio Vulnerability | Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-21166. Exploit Probability: 36.3% | November 3, 2021 |
Of the known exploited vulnerabilities above, 4 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 7 known exploited Google Chrome vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
EOL Dates
Ensure that you are using a supported version of Google Chrome. Here are some end-of-life and end-of-support dates for Google Chrome.
| Release | EOL Date | Status |
|---|---|---|
| 147 | - | Active |
| 146 | April 7, 2026 | EOL. Google Chrome 146 became EOL in 2026. |
| 145 | March 10, 2026 | EOL. Google Chrome 145 became EOL in 2026. |
| 144 | February 10, 2026 | EOL. Google Chrome 144 became EOL in 2026. |
| 143 | January 13, 2026 | EOL. Google Chrome 143 became EOL in 2026. |
| 142 | December 2, 2025 | EOL. Google Chrome 142 became EOL in 2025. |
| 141 | October 28, 2025 | EOL. Google Chrome 141 became EOL in 2025. |
| 140 | September 30, 2025 | EOL. Google Chrome 140 became EOL in 2025. |
| 139 | September 2, 2025 | EOL. Google Chrome 139 became EOL in 2025. |
| 138 | August 5, 2025 | EOL. Google Chrome 138 became EOL in 2025. |
| 137 | June 24, 2025 | EOL. Google Chrome 137 became EOL in 2025. |
| 136 | May 27, 2025 | EOL. Google Chrome 136 became EOL in 2025. |
| 135 | April 29, 2025 | EOL. Google Chrome 135 became EOL in 2025. |
| 134 | April 1, 2025 | EOL. Google Chrome 134 became EOL in 2025. |
| 133 | March 4, 2025 | EOL. Google Chrome 133 became EOL in 2025. |
| 132 | February 4, 2025 | EOL. Google Chrome 132 became EOL in 2025. |
| 131 | January 14, 2025 | EOL. Google Chrome 131 became EOL in 2025. |
| 130 | November 12, 2024 | EOL. Google Chrome 130 became EOL in 2024. |
| 129 | October 15, 2024 | EOL. Google Chrome 129 became EOL in 2024. |
| 128 | September 17, 2024 | EOL. Google Chrome 128 became EOL in 2024. |
By the Year
In 2026 there have been 219 vulnerabilities in Google Chrome with an average score of 7.7 out of ten. Last year, in 2025, Chrome had 247 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that the number of security vulnerabilities in Chrome in 2026 could surpass last year's number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.73.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 219 | 7.72 |
| 2025 | 247 | 6.99 |
| 2024 | 290 | 7.70 |
| 2023 | 331 | 7.39 |
| 2022 | 356 | 7.95 |
| 2021 | 373 | 7.96 |
| 2020 | 264 | 8.02 |
| 2019 | 353 | 7.34 |
| 2018 | 127 | 7.10 |
It may take a day or so for new Chrome vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Google Chrome Security Vulnerabilities
Google Chrome Android Use-After-Free in Payments prior to 147.0.7727.101
CVE-2026-6319
7.5 - High
- April 15, 2026
Use after free in Payments in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium)
Dangling pointer
OOB Read in Skia of Chrome < 147.0.7727.101
CVE-2026-6364
6.5 - Medium
- April 15, 2026
Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted file. (Chromium security severity: Medium)
Out-of-bounds Read
UAF in Chrome Codecs <147.0.7727.101 enables remote code exec
CVE-2026-6318
8.8 - High
- April 15, 2026
Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Dangling pointer
Type Confusion in V8 (Chrome <147.0.7727.101) allows OOB Memory Access
CVE-2026-6363
8.8 - High
- April 15, 2026
Type Confusion in V8 in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)
Object Type Confusion
Use After Free in Cast: Chrome <147.0.7727.101
CVE-2026-6317
8.8 - High
- April 15, 2026
Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Heap buffer overflow PDFium in Chrome <147.0.7727.101
CVE-2026-6361
7.2 - High
- April 15, 2026
Heap buffer overflow in PDFium in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)
Heap-based Buffer Overflow
Use-after-Free in Chrome Codecs before 147.0.7727.101
CVE-2026-6362
6.3 - Medium
- April 15, 2026
Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted video file. (Chromium security severity: High)
Dangling pointer
Chrome Forms UAF (v147.0.7727.x) Allows RCE in Sandbox
CVE-2026-6316
8.8 - High
- April 15, 2026
Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
UAF in Chrome Android Permissions (<147.0.7727.101)
CVE-2026-6315
8.8 - High
- April 15, 2026
Use after free in Permissions in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Out-of-Bounds GPU Write in Google Chrome <147.0.7727.101 Allows Sandbox Escape
CVE-2026-6314
8.3 - High
- April 15, 2026
Out of bounds write in GPU in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the GPU process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Memory Corruption
CORS Policy Violation in Google Chrome <147.0.7727.101 (Renderer Compromise)
CVE-2026-6313
3.1 - Low
- April 15, 2026
Insufficient policy enforcement in CORS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Authorization
Google Chrome <147.0.7727.101: Password Policy Leak via Renderer Compromise
CVE-2026-6312
3.1 - Low
- April 15, 2026
Insufficient policy enforcement in Passwords in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Uninitialized Use in Chrome Accessibility: <147.0.7727.101 sandbox escape Win
CVE-2026-6311
8.3 - High
- April 15, 2026
Uninitialized Use in Accessibility in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use of Uninitialized Variable
Use-After-Free in Chrome Dawn <147.0.7727.101 for sandbox escape
CVE-2026-6310
8.3 - High
- April 15, 2026
Use after free in Dawn in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Use After Free in FileSystem of Google Chrome <147.0.7727.101
CVE-2026-6360
8.8 - High
- April 15, 2026
Use after free in FileSystem in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Use-after-free in Viz enabling sandbox escape in Chrome <147.0.7727.101
CVE-2026-6309
8.3 - High
- April 15, 2026
Use after free in Viz in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Chrome 147 Media OOB Read Before 147.0.7727.101 (CVE-2026-6308)
CVE-2026-6308
7.5 - High
- April 15, 2026
Out of bounds read in Media in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Out-of-bounds Read
Chrome <147.0.7727.101: Turbofan Type Confusion RCE in Sandbox
CVE-2026-6307
8.8 - High
- April 15, 2026
Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Object Type Confusion
PDFium Heap Buffer Overflow in Chrome <147.0.7727.101
CVE-2026-6306
8.8 - High
- April 15, 2026
Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)
Heap-based Buffer Overflow
Google Chrome <147.0.7727.101: Heap buffer overflow in PDFium
CVE-2026-6305
8.8 - High
- April 15, 2026
Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)
Heap-based Buffer Overflow
Use-After-Free in Chrome Graphite <147.0.7727.101
CVE-2026-6304
8.3 - High
- April 15, 2026
Use after free in Graphite in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Chrome Use After Free in Codecs <147.0.7727.101 RCE via HTML
CVE-2026-6303
8.8 - High
- April 15, 2026
Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Use After Free in Google Chrome Video (<147.0.7727.101) Remote Code Exec
CVE-2026-6302
8.8 - High
- April 15, 2026
Use after free in Video in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Use-after-free in Chrome CSS before 147.0.7727.101
CVE-2026-6300
8.8 - High
- April 15, 2026
Use after free in CSS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Chrome Turbofan Type Confusion CVE-2026-6301 (before 147.0.7727.101)
CVE-2026-6301
8.8 - High
- April 15, 2026
Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Object Type Confusion
UAF in Chrome video component before 147.0.7727.101 (Windows)
CVE-2026-6359
8.8 - High
- April 15, 2026
Use after free in Video in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Use-after-free in Google Chrome XR on Android <147.0.7727.101: OOB memory read
CVE-2026-6358
8.8 - High
- April 15, 2026
Use after free in XR in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Critical)
Dangling pointer
CVE-2026-6298: Skia Heap Overflow in Chrome <147.0.7727.101 (Critical)
CVE-2026-6298
4.3 - Medium
- April 15, 2026
Heap buffer overflow in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Critical)
Heap-based Buffer Overflow
Use after free in Prerender in Chrome <147.0.7727.101
CVE-2026-6299
8.8 - High
- April 15, 2026
Use after free in Prerender in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Dangling pointer
Google Chrome UAF in Proxy before 147.0.7727.101 (Sandbox Escape)
CVE-2026-6297
8.3 - High
- April 15, 2026
Use after free in Proxy in Google Chrome prior to 147.0.7727.101 allowed an attacker in a privileged network position to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Dangling pointer
ANGLE Heap Buffer Overflow in Chrome 147 Prior to 147.0.7727.101
CVE-2026-6296
9.6 - Critical
- April 15, 2026
Heap buffer overflow in ANGLE in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Heap-based Buffer Overflow
Google Chrome <147.0.7727.55: WebSocket Same-Origin Policy Bypass
CVE-2026-5919
6.5 - Medium
- April 08, 2026
Insufficient validation of untrusted input in WebSockets in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Improper Input Validation
Chrome <147.0.7727.55: CSS T. Confusion -> Heap Corrupt via Malicious Ext
CVE-2026-5914
8.8 - High
- April 08, 2026
Type Confusion in CSS in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Low)
Object Type Confusion
Chrome Nav CVE-2026-5918: Cross-Origin Leak via Renderer <147.0.7727.55
CVE-2026-5918
4.3 - Medium
- April 08, 2026
Inappropriate implementation in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Session Riding
Google Chrome WebML OOB on <147.0.7727.55
CVE-2026-5915
8.1 - High
- April 08, 2026
Insufficient validation of untrusted input in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Low)
Improper Input Validation
Google Chrome WebRTC OOB Memory Write via Integer Overflow (CVE-2026-5912)
CVE-2026-5912
8.8 - High
- April 08, 2026
Integer overflow in WebRTC in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Low)
Assumed-Immutable Parameter Tampering
CVE-2026-5913: OOB Read in Blink (Chrome <147.0.7727.55)
CVE-2026-5913
8.1 - High
- April 08, 2026
Out of bounds read in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Low)
Out-of-bounds Read
Chrome CSP Bypass via ServiceWorkers (147.0.7727.55)
CVE-2026-5911
4.3 - Medium
- April 08, 2026
Policy bypass in ServiceWorkers in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
Protection Mechanism Failure
Chrome Integer Overflow in Media Component <147.0.7727.55
CVE-2026-5910
8.8 - High
- April 08, 2026
Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: Low)
Assumed-Immutable Parameter Tampering
Google Chrome Integer Overflow in Media <147.0.7727.55 (Remote Heap Corruption)
CVE-2026-5909
8.8 - High
- April 08, 2026
Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: Low)
Assumed-Immutable Parameter Tampering
Integer Overflow in Google Chrome Media (prior to 147.0.7727.55)
CVE-2026-5908
8.8 - High
- April 08, 2026
Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: Low)
Assumed-Immutable Parameter Tampering
Google Chrome <147.0.7727.55 Media OOB Read via crafted video file
CVE-2026-5907
8.1 - High
- April 08, 2026
Insufficient data validation in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory read via a crafted video file. (Chromium security severity: Low)
Out-of-bounds Read
Chrome Android <147.0.7727.55: Omnibox spoofing via crafted page
CVE-2026-5906
4.3 - Medium
- April 08, 2026
Incorrect security UI in Omnibox in Google Chrome on Android prior to 147.0.7727.55 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)
User Interface (UI) Misrepresentation of Critical Information
Chrome Windows Prior 147.0.7727.55 Perms UI Bug Allows Domain Spoofing
CVE-2026-5905
6.5 - Medium
- April 08, 2026
Incorrect security UI in Permissions in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Low)
User Interface (UI) Misrepresentation of Critical Information
Use-after-free in V8 before 147.0.7727.55 via malicious Chrome Extension
CVE-2026-5904
8.8 - High
- April 08, 2026
Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Low)
Dangling pointer
Policy Bypass via IFrameSandbox in Chrome <147.0.7727.55
CVE-2026-5903
6.5 - Medium
- April 08, 2026
Policy bypass in IFrameSandbox in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
Protection Mechanism Failure
Google Chrome Android Race Condition in Media Metadata <147.0.7727.55
CVE-2026-5902
9.8 - Critical
- April 08, 2026
Race in Media in Google Chrome on Android prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to corrupt media stream metadata via a crafted HTML page. (Chromium security severity: Low)
Race Condition
UXSS in Chrome <147.0.7727.55 via History Navigation
CVE-2026-5899
6.1 - Medium
- April 08, 2026
Insufficient policy enforcement in History Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)
Origin Validation Error
Chrome policy bypass via crafted HTML pre-147.0.7727.55
CVE-2026-5900
4.3 - Medium
- April 08, 2026
Policy bypass in Downloads in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass multi-download protections via a crafted HTML page. (Chromium security severity: Low)
Protection Mechanism Failure
Chrome (pre-147.0.7727.55) DevTools policy bypass via malicious extension
CVE-2026-5901
6.5 - Medium
- April 08, 2026
Insufficient policy enforcement in DevTools in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to bypass enterprise host restrictions for cookie modification via a crafted Chrome Extension. (Chromium security severity: Low)
Client-Side Enforcement of Server-Side Security