Chrome Google Chrome Web browser

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Google Chrome.

Recent Google Chrome Security Advisories

Advisory Title Published
Chrome Releases: Stable Channel Update for Desktop December 12, 2024
Chrome Releases: Stable Channel Update for Desktop October 15, 2024
Chrome Releases: Stable Channel Update for Desktop August 21, 2024
Chrome Releases: Stable Channel Update for Desktop August 1, 2024
Chrome Releases: Stable Channel Update for Desktop July 16, 2024
Chrome Releases: Stable Channel Update for Desktop July 16, 2024
Chrome Releases: Stable Channel Update for Desktop July 16, 2024
Chrome Releases: Stable Channel Update for Desktop May 28, 2024
Chrome Releases: Stable Channel Update for Desktop May 15, 2024
Chrome Releases: Stable Channel Update for Desktop May 14, 2024

Known Exploited Google Chrome Vulnerabilities

The following Google Chrome vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
Google Chrome Skia Integer Overflow Vulnerability Google Chrome Skia contains an integer overflow vulnerability. Specific impacts from exploitation are not available at this time. This vulnerability resides in Skia which serves as the graphics engine for Google Chrome and ChromeOS, Android, Flutter, and other products.
CVE-2023-2136 Exploit Probability: 0.9%
April 21, 2023
Google Chrome Use-After-Free Vulnerability Google Chrome contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption.
CVE-2022-3038 Exploit Probability: 26.0%
March 30, 2023
Google Chrome Heap Buffer Overflow Vulnerability Google Chrome GPU contains a heap buffer overflow vulnerability that allows a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2022-4135 Exploit Probability: 15.1%
November 28, 2022
Google Chrome Intents Insufficient Input Validation Vulnerability Google Chrome Intents allows for insufficient validation of untrusted input, causing unknown impacts. CISA will update this description if more information becomes available.
CVE-2022-2856 Exploit Probability: 11.4%
August 18, 2022
Google Chrome Use-After-Free Vulnerability Use-after-free in WebAudio in Google Chrome allows a remote attacker to potentially exploit heap corruption.
CVE-2019-13720 Exploit Probability: 96.9%
May 23, 2022
Google Chrome Use-After-Free Vulnerability Google Chrome contains a heap use-after-free vulnerability which allows an attacker to potentially perform out of bounds memory access.
CVE-2019-5786 Exploit Probability: 96.9%
May 23, 2022
Google Chrome Use-After-Free Vulnerability The vulnerability exists due to a use-after-free error within the Animation component in Google Chrome.
CVE-2022-0609 Exploit Probability: 2.7%
February 15, 2022
Google Chrome Prior to 81.0.4044.92 Use-After-Free Vulnerability Use-after-free vulnerability in Media in Google Chrome prior to 81.0.4044.92 allowed a Remote attacker to execute arbitrary code via a crafted HTML page.
CVE-2020-6572 Exploit Probability: 0.5%
January 10, 2022
Google Chrome Browser V8 Arbitrary Code Execution Type Confusion in V8 in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-30563 Exploit Probability: 0.4%
November 3, 2021
Google Chrome FreeType Memory Corruption Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2020-15999 Exploit Probability: 7.9%
November 3, 2021
Google Chrome WebGL Use-After-Free Vulnerability Use after free in WebGL in Google Chrome prior to 91.0.4472.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-30554 Exploit Probability: 1.2%
November 3, 2021
Google Chrome Use-After-Free Vulnerability Google Chrome use-after-free error within the V8 browser engine.
CVE-2021-37975 Exploit Probability: 7.6%
November 3, 2021
Google Chrome Use-After-Free Vulnerability Use-after-free weakness in Portals, Google's new web page navigation system for Chrome. Successful exploitation can let attackers to execute code.
CVE-2021-37973 Exploit Probability: 0.4%
November 3, 2021
Google Chrome Use-After-Free Vulnerability Google Chrome Use-After-Free vulnerability
CVE-2021-30633 Exploit Probability: 0.7%
November 3, 2021
Google Chrome Out-of-bounds write Google Chrome out-of-bounds write that allows to execute arbitrary code on the target system.
CVE-2021-30632 Exploit Probability: 61.6%
November 3, 2021
Google Chrome Information Leakage Information disclosure in Google Chrome that exists due to excessive data output in core.
CVE-2021-37976 Exploit Probability: 8.2%
November 3, 2021
Google Chrome Site Isolation Component Use-After-Free Remote Code Execution vulnerability Use after free in site isolation in Google Chrome prior to 86.0.4240.198 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2020-16017 Exploit Probability: 0.3%
November 3, 2021
Google Chrome Heap Buffer Overflow in WebAudio Vulnerability Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-21166 Exploit Probability: 2.1%
November 3, 2021

Of the known exploited vulnerabilities above, 2 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 4 known exploited Google Chrome vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.

By the Year

In 2025 there have been 14 vulnerabilities in Google Chrome. Last year, in 2024 Chrome had 266 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Chrome in 2025 could surpass last years number.




Year Vulnerabilities Average Score
2025 14 0.00
2024 266 7.73
2023 258 7.54
2022 297 8.03
2021 330 8.00
2020 227 7.62
2019 304 7.07
2018 114 7.08

It may take a day or so for new Chrome vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Google Chrome Security Vulnerabilities

Inappropriate implementation in Payments in Google Chrome prior to 132.0.6834.83

CVE-2025-0442 - January 15, 2025

Inappropriate implementation in Payments in Google Chrome prior to 132.0.6834.83 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Inappropriate implementation in Navigation in Google Chrome prior to 132.0.6834.83

CVE-2025-0447 - January 15, 2025

Inappropriate implementation in Navigation in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)

Inappropriate implementation in Compositing in Google Chrome prior to 132.0.6834.83

CVE-2025-0448 - January 15, 2025

Inappropriate implementation in Compositing in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Inappropriate implementation in Extensions in Google Chrome prior to 132.0.6834.83

CVE-2025-0446 - January 15, 2025

Inappropriate implementation in Extensions in Google Chrome prior to 132.0.6834.83 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)

Insufficient data validation in Extensions in Google Chrome prior to 132.0.6834.83

CVE-2025-0443 - January 15, 2025

Insufficient data validation in Extensions in Google Chrome prior to 132.0.6834.83 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)

Inappropriate implementation in Fenced Frames in Google Chrome prior to 132.0.6834.83

CVE-2025-0441 - January 15, 2025

Inappropriate implementation in Fenced Frames in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to obtain potentially sensitive information from the system via a crafted HTML page. (Chromium security severity: Medium)

Inappropriate implementation in Fullscreen in Google Chrome on Windows prior to 132.0.6834.83

CVE-2025-0440 - January 15, 2025

Inappropriate implementation in Fullscreen in Google Chrome on Windows prior to 132.0.6834.83 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Race in Frames in Google Chrome prior to 132.0.6834.83

CVE-2025-0439 - January 15, 2025

Race in Frames in Google Chrome prior to 132.0.6834.83 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Race Condition

Stack buffer overflow in Tracing in Google Chrome prior to 132.0.6834.83

CVE-2025-0438 - January 15, 2025

Stack buffer overflow in Tracing in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page. (Chromium security severity: High)

Stack Overflow

Out of bounds read in Metrics in Google Chrome prior to 132.0.6834.83

CVE-2025-0437 - January 15, 2025

Out of bounds read in Metrics in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Out-of-bounds Read

Integer overflow in Skia in Google Chrome prior to 132.0.6834.83

CVE-2025-0436 - January 15, 2025

Integer overflow in Skia in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Assumed-Immutable Parameter Tampering

Inappropriate implementation in Navigation in Google Chrome on Android prior to 132.0.6834.83

CVE-2025-0435 - January 15, 2025

Inappropriate implementation in Navigation in Google Chrome on Android prior to 132.0.6834.83 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)

Out of bounds memory access in V8 in Google Chrome prior to 132.0.6834.83

CVE-2025-0434 - January 15, 2025

Out of bounds memory access in V8 in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Type Confusion in V8 in Google Chrome prior to 131.0.6778.264

CVE-2025-0291 - January 08, 2025

Type Confusion in V8 in Google Chrome prior to 131.0.6778.264 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

Google Chrome V8 Engine Type Confusion Vulnerability

CVE-2024-12692 - December 18, 2024

Type Confusion in V8 in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Google Chrome V8 Engine Out-of-Bounds Memory Access Vulnerability

CVE-2024-12693 - December 18, 2024

Out of bounds memory access in V8 in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Google Chrome Compositing Use After Free Vulnerability

CVE-2024-12694 - December 18, 2024

Use after free in Compositing in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Google Chrome V8 Engine Out-of-Bounds Write Vulnerability

CVE-2024-12695 - December 18, 2024

Out of bounds write in V8 in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Type Confusion in V8 in Google Chrome prior to 131.0.6778.139

CVE-2024-12381 8.8 - High - December 12, 2024

Type Confusion in V8 in Google Chrome prior to 131.0.6778.139 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

Use after free in Translate in Google Chrome prior to 131.0.6778.139

CVE-2024-12382 8.8 - High - December 12, 2024

Use after free in Translate in Google Chrome prior to 131.0.6778.139 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Documenso User Interface Misrepresentation of Critical Information Vulnerability

CVE-2024-52271 - December 05, 2024

User Interface (UI) Misrepresentation of Critical Information vulnerability in Documenso allows Content Spoofing.Displayed version does not show the layer flattened version, once download, If printed (e.g. via Google Chrome -> Examine the print preview): Will render the vulnerability only, not all layers are flattened. This issue affects Documenso: through 1.8.0, >1.8.0 and Documenso SaaS (Hosted) as of 2024-12-05.

DropBox Sign(HelloSign) User Interface Misrepresentation of Critical Information Vulnerability

CVE-2024-52270 - December 05, 2024

User Interface (UI) Misrepresentation of Critical Information vulnerability in DropBox Sign(HelloSign) allows Content Spoofing. Displayed version does not show the layer flattened version, once download, If printed (e.g. via Google Chrome -> Examine the print preview): Will render the vulnerability only, not all layers are flattened. This issue affects DropBox Sign(HelloSign): through 2024-12-04.

User Interface (UI) Misrepresentation of Critical Information vulnerability in DocuSeal

CVE-2024-52277 - December 04, 2024

User Interface (UI) Misrepresentation of Critical Information vulnerability in DocuSeal allows Content Spoofing.Displayed version does not show the layer flattened version, once download, If printed (e.g. via Google Chrome -> Examine the print preview): Will render the vulnerability only, not all layers are flattened. This issue affects DocuSeal: through 1.8.1, >1.8.1.

User Interface (UI) Misrepresentation of Critical Information vulnerability in DocuSign allows Content Spoofing

CVE-2024-52276 - December 04, 2024

User Interface (UI) Misrepresentation of Critical Information vulnerability in DocuSign allows Content Spoofing. 1. Displayed version does not show the layer flattened version, which is provided when the "Print" option is used. 2. Displayed version does not show the layer flattened version, which is provided when the combined download option is used. 3. Displayed version does not show the layer flattened version, which is also the provided version when downloading the result in the uncombined option. Once download, If printed (e.g. via Google Chrome -> Examine the print preview): Will render the vulnerability only, not all layers are flattened. This issue affects DocuSign: through 2024-12-04.

Google Chrome V8 Engine Type Confusion Vulnerability

CVE-2024-12053 8.8 - High - December 03, 2024

Type Confusion in V8 in Google Chrome prior to 131.0.6778.108 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

Google Chrome Layout Integer Overflow Vulnerability

CVE-2024-7025 8.8 - High - November 27, 2024

Integer overflow in Layout in Google Chrome prior to 129.0.6668.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Integer Overflow or Wraparound

Google Chrome Mojo Insufficient Data Validation Out-of-Bounds Write Vulnerability

CVE-2024-9369 9.6 - Critical - November 27, 2024

Insufficient data validation in Mojo in Google Chrome prior to 129.0.6668.89 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

Improper Validation of Specified Quantity in Input

Stored XSS Vulnerability in WordPress Plugin 'Dino Game Embed'

CVE-2024-11388 5.4 - Medium - November 21, 2024

The Dino Game Embed Google Chrome Dinosaur Game in WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dino-game' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Google Chrome V8 Engine Type Confusion Vulnerability

CVE-2024-11395 - November 19, 2024

Type Confusion in V8 in Google Chrome prior to 131.0.6778.85 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Google Chrome Extensions Site Isolation Bypass Vulnerability

CVE-2024-11110 6.5 - Medium - November 12, 2024

Inappropriate implementation in Extensions in Google Chrome prior to 131.0.6778.69 allowed a remote attacker to bypass site isolation via a crafted Chrome Extension. (Chromium security severity: High)

Google Chrome Autofill UI Spoofing Vulnerability

CVE-2024-11111 4.3 - Medium - November 12, 2024

Inappropriate implementation in Autofill in Google Chrome prior to 131.0.6778.69 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Google Chrome Media Component Use After Free Vulnerability

CVE-2024-11112 8.8 - High - November 12, 2024

Use after free in Media in Google Chrome on Windows prior to 131.0.6778.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Dangling pointer

Google Chrome Accessibility Use After Free Vulnerability

CVE-2024-11113 8.8 - High - November 12, 2024

Use after free in Accessibility in Google Chrome prior to 131.0.6778.69 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Dangling pointer

Google Chrome Views Component Sandbox Escape Vulnerability

CVE-2024-11114 8.3 - High - November 12, 2024

Inappropriate implementation in Views in Google Chrome on Windows prior to 131.0.6778.69 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Google Chrome on iOS Navigation Policy Enforcement Vulnerability

CVE-2024-11115 8.8 - High - November 12, 2024

Insufficient policy enforcement in Navigation in Google Chrome on iOS prior to 131.0.6778.69 allowed a remote attacker to perform privilege escalation via a series of UI gestures. (Chromium security severity: Medium)

Google Chrome Blink UI Spoofing Vulnerability

CVE-2024-11116 4.3 - Medium - November 12, 2024

Inappropriate implementation in Blink in Google Chrome prior to 131.0.6778.69 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Google Chrome FileSystem Inappropriate Implementation Vulnerability

CVE-2024-11117 4.3 - Medium - November 12, 2024

Inappropriate implementation in FileSystem in Google Chrome prior to 131.0.6778.69 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity: Low)

Google Chrome 130 Use After Free in Family Experiences

CVE-2024-10826 8.8 - High - November 06, 2024

Use after free in Family Experiences in Google Chrome on Android prior to 130.0.6723.116 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Google Chrome 130 Serial Use-After-Free

CVE-2024-10827 8.8 - High - November 06, 2024

Use after free in Serial in Google Chrome prior to 130.0.6723.116 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Out of bounds write in Dawn in Google Chrome prior to 130.0.6723.92

CVE-2024-10487 8.8 - High - October 29, 2024

Out of bounds write in Dawn in Google Chrome prior to 130.0.6723.92 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical)

Memory Corruption

Use after free in WebRTC in Google Chrome prior to 130.0.6723.92

CVE-2024-10488 8.8 - High - October 29, 2024

Use after free in WebRTC in Google Chrome prior to 130.0.6723.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Inappropriate implementation in Extensions in Google Chrome prior to 130.0.6723.69

CVE-2024-10229 8.1 - High - October 22, 2024

Inappropriate implementation in Extensions in Google Chrome prior to 130.0.6723.69 allowed a remote attacker to bypass site isolation via a crafted Chrome Extension. (Chromium security severity: High)

Type Confusion in V8 in Google Chrome prior to 130.0.6723.69

CVE-2024-10230 8.8 - High - October 22, 2024

Type Confusion in V8 in Google Chrome prior to 130.0.6723.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

Type Confusion in V8 in Google Chrome prior to 130.0.6723.69

CVE-2024-10231 8.8 - High - October 22, 2024

Type Confusion in V8 in Google Chrome prior to 130.0.6723.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

Use after free in AI in Google Chrome prior to 130.0.6723.58

CVE-2024-9954 8.8 - High - October 15, 2024

Use after free in AI in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Use after free in WebAuthentication in Google Chrome prior to 130.0.6723.58

CVE-2024-9955 8.8 - High - October 15, 2024

Use after free in WebAuthentication in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Dangling pointer

Inappropriate implementation in WebAuthentication in Google Chrome on Android prior to 130.0.6723.58

CVE-2024-9956 7.8 - High - October 15, 2024

Inappropriate implementation in WebAuthentication in Google Chrome on Android prior to 130.0.6723.58 allowed a local attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)

Use after free in UI in Google Chrome on iOS prior to 130.0.6723.58

CVE-2024-9957 8.8 - High - October 15, 2024

Use after free in UI in Google Chrome on iOS prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Dangling pointer

Inappropriate implementation in PictureInPicture in Google Chrome prior to 130.0.6723.58

CVE-2024-9958 4.3 - Medium - October 15, 2024

Inappropriate implementation in PictureInPicture in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Use after free in DevTools in Google Chrome prior to 130.0.6723.58

CVE-2024-9959 8.8 - High - October 15, 2024

Use after free in DevTools in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Medium)

Dangling pointer

Use after free in Dawn in Google Chrome prior to 130.0.6723.58

CVE-2024-9960 7.5 - High - October 15, 2024

Use after free in Dawn in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Dangling pointer

Use after free in ParcelTracking in Google Chrome on iOS prior to 130.0.6723.58

CVE-2024-9961 8.8 - High - October 15, 2024

Use after free in ParcelTracking in Google Chrome on iOS prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Dangling pointer

Inappropriate implementation in Permissions in Google Chrome prior to 130.0.6723.58

CVE-2024-9962 4.3 - Medium - October 15, 2024

Inappropriate implementation in Permissions in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Insufficient data validation in Downloads in Google Chrome prior to 130.0.6723.58

CVE-2024-9963 4.3 - Medium - October 15, 2024

Insufficient data validation in Downloads in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Inappropriate implementation in Payments in Google Chrome prior to 130.0.6723.58

CVE-2024-9964 4.3 - Medium - October 15, 2024

Inappropriate implementation in Payments in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)

Insufficient data validation in DevTools in Google Chrome on Windows prior to 130.0.6723.58

CVE-2024-9965 8.8 - High - October 15, 2024

Insufficient data validation in DevTools in Google Chrome on Windows prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)

Inappropriate implementation in Navigations in Google Chrome prior to 130.0.6723.58

CVE-2024-9966 5.3 - Medium - October 15, 2024

Inappropriate implementation in Navigations in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)

Type confusion in WebAssembly in Google Chrome prior to 126.0.6478.126

CVE-2024-9859 8.8 - High - October 11, 2024

Type confusion in WebAssembly in Google Chrome prior to 126.0.6478.126 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

Type Confusion in V8 in Google Chrome prior to 129.0.6668.100

CVE-2024-9602 8.8 - High - October 08, 2024

Type Confusion in V8 in Google Chrome prior to 129.0.6668.100 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

Type Confusion in V8 in Google Chrome prior to 129.0.6668.100

CVE-2024-9603 8.8 - High - October 08, 2024

Type Confusion in V8 in Google Chrome prior to 129.0.6668.100 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

Use after free in Dawn in Google Chrome on Windows prior to 129.0.6668.70

CVE-2024-9120 8.8 - High - September 25, 2024

Use after free in Dawn in Google Chrome on Windows prior to 129.0.6668.70 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Inappropriate implementation in V8 in Google Chrome prior to 129.0.6668.70

CVE-2024-9121 8.8 - High - September 25, 2024

Inappropriate implementation in V8 in Google Chrome prior to 129.0.6668.70 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Memory Corruption

Type Confusion in V8 in Google Chrome prior to 129.0.6668.70

CVE-2024-9122 8.8 - High - September 25, 2024

Type Confusion in V8 in Google Chrome prior to 129.0.6668.70 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

Integer overflow in Skia in Google Chrome prior to 129.0.6668.70

CVE-2024-9123 8.8 - High - September 25, 2024

Integer overflow in Skia in Google Chrome prior to 129.0.6668.70 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

Integer Overflow or Wraparound

Insufficient data validation in Updater in Google Chrome prior to 128.0.6537.0

CVE-2024-7023 8.8 - High - September 23, 2024

Insufficient data validation in Updater in Google Chrome prior to 128.0.6537.0 allowed a remote attacker to perform privilege escalation via a malicious file. (Chromium security severity: Medium)

Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.54

CVE-2024-7024 9.6 - Critical - September 23, 2024

Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)

Memory Corruption

Insufficient data validation in PDF in Google Chrome prior to 73.0.3683.75

CVE-2018-20072 7.8 - High - September 23, 2024

Insufficient data validation in PDF in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform out of bounds memory access via a crafted PDF file. (Chromium security severity: Low)

Use after free in Extensions in Google Chrome prior to 92.0.4515.107

CVE-2021-38023 8.8 - High - September 23, 2024

Use after free in Extensions in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Inappropriate implementation in Compositing in Google Chrome prior to 119.0.6045.105

CVE-2023-7281 4.3 - Medium - September 23, 2024

Inappropriate implementation in Compositing in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Inappropriate implementation in Navigation in Google Chrome prior to 113.0.5672.63

CVE-2023-7282 4.3 - Medium - September 23, 2024

Inappropriate implementation in Navigation in Google Chrome prior to 113.0.5672.63 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform domain spoofing via a crafted HTML page. (Chromium security severity: Low)

Heap buffer overflow in PDF in Google Chrome prior to 124.0.6367.78

CVE-2024-7018 7.8 - High - September 23, 2024

Heap buffer overflow in PDF in Google Chrome prior to 124.0.6367.78 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: Medium)

Memory Corruption

Inappropriate implementation in UI in Google Chrome prior to 124.0.6367.60

CVE-2024-7019 4.3 - Medium - September 23, 2024

Inappropriate implementation in UI in Google Chrome prior to 124.0.6367.60 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Inappropriate implementation in Autofill in Google Chrome prior to 124.0.6367.60

CVE-2024-7020 4.3 - Medium - September 23, 2024

Inappropriate implementation in Autofill in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Uninitialized Use in V8 in Google Chrome prior to 123.0.6312.58

CVE-2024-7022 4.3 - Medium - September 23, 2024

Uninitialized Use in V8 in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)

Use of Uninitialized Resource

Type Confusion in V8 in Google Chrome prior to 129.0.6668.58

CVE-2024-8904 8.8 - High - September 17, 2024

Type Confusion in V8 in Google Chrome prior to 129.0.6668.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

Inappropriate implementation in V8 in Google Chrome prior to 129.0.6668.58

CVE-2024-8905 8.8 - High - September 17, 2024

Inappropriate implementation in V8 in Google Chrome prior to 129.0.6668.58 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption

Incorrect security UI in Downloads in Google Chrome prior to 129.0.6668.58

CVE-2024-8906 4.3 - Medium - September 17, 2024

Incorrect security UI in Downloads in Google Chrome prior to 129.0.6668.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Insufficient data validation in Omnibox in Google Chrome on Android prior to 129.0.6668.58

CVE-2024-8907 6.1 - Medium - September 17, 2024

Insufficient data validation in Omnibox in Google Chrome on Android prior to 129.0.6668.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (XSS) via a crafted set of UI gestures. (Chromium security severity: Medium)

XSS

Inappropriate implementation in Autofill in Google Chrome prior to 129.0.6668.58

CVE-2024-8908 4.3 - Medium - September 17, 2024

Inappropriate implementation in Autofill in Google Chrome prior to 129.0.6668.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Inappropriate implementation in UI in Google Chrome on iOS prior to 129.0.6668.58

CVE-2024-8909 4.3 - Medium - September 17, 2024

Inappropriate implementation in UI in Google Chrome on iOS prior to 129.0.6668.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Heap buffer overflow in Skia in Google Chrome prior to 128.0.6613.137

CVE-2024-8636 8.8 - High - September 11, 2024

Heap buffer overflow in Skia in Google Chrome prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption

Use after free in Media Router in Google Chrome on Android prior to 128.0.6613.137

CVE-2024-8637 8.8 - High - September 11, 2024

Use after free in Media Router in Google Chrome on Android prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Type Confusion in V8 in Google Chrome prior to 128.0.6613.137

CVE-2024-8638 8.8 - High - September 11, 2024

Type Confusion in V8 in Google Chrome prior to 128.0.6613.137 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

Use after free in Autofill in Google Chrome on Android prior to 128.0.6613.137

CVE-2024-8639 8.8 - High - September 11, 2024

Use after free in Autofill in Google Chrome on Android prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Out of bounds write in V8 in Google Chrome prior to 128.0.6613.119

CVE-2024-7970 8.8 - High - September 03, 2024

Out of bounds write in V8 in Google Chrome prior to 128.0.6613.119 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption

Use after free in WebAudio in Google Chrome prior to 128.0.6613.119

CVE-2024-8362 8.8 - High - September 03, 2024

Use after free in WebAudio in Google Chrome prior to 128.0.6613.119 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Heap buffer overflow in Skia in Google Chrome prior to 128.0.6613.113

CVE-2024-8198 8.8 - High - August 28, 2024

Heap buffer overflow in Skia in Google Chrome prior to 128.0.6613.113 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption

Type Confusion in V8 in Google Chrome prior to 128.0.6613.113

CVE-2024-8194 8.8 - High - August 28, 2024

Type Confusion in V8 in Google Chrome prior to 128.0.6613.113 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

Heap buffer overflow in Skia in Google Chrome prior to 128.0.6613.113

CVE-2024-8193 8.8 - High - August 28, 2024

Heap buffer overflow in Skia in Google Chrome prior to 128.0.6613.113 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption

Insufficient data validation in Installer in Google Chrome on Windows prior to 128.0.6613.84

CVE-2024-7977 7.8 - High - August 21, 2024

Insufficient data validation in Installer in Google Chrome on Windows prior to 128.0.6613.84 allowed a local attacker to perform privilege escalation via a malicious file. (Chromium security severity: Medium)

Inappropriate implementation in Extensions in Google Chrome on Windows prior to 128.0.6613.84

CVE-2024-8035 4.3 - Medium - August 21, 2024

Inappropriate implementation in Extensions in Google Chrome on Windows prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 128.0.6613.84

CVE-2024-8034 4.3 - Medium - August 21, 2024

Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Inappropriate implementation in WebApp Installs in Google Chrome on Windows prior to 128.0.6613.84

CVE-2024-8033 4.3 - Medium - August 21, 2024

Inappropriate implementation in WebApp Installs in Google Chrome on Windows prior to 128.0.6613.84 allowed an attacker who convinced a user to install a malicious application to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Inappropriate implementation in Views in Google Chrome prior to 128.0.6613.84

CVE-2024-7981 4.3 - Medium - August 21, 2024

Inappropriate implementation in Views in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Insufficient data validation in Installer in Google Chrome on Windows prior to 128.0.6613.84

CVE-2024-7980 7.8 - High - August 21, 2024

Insufficient data validation in Installer in Google Chrome on Windows prior to 128.0.6613.84 allowed a local attacker to perform privilege escalation via a crafted symbolic link. (Chromium security severity: Medium)

Insufficient Verification of Data Authenticity

Insufficient data validation in Installer in Google Chrome on Windows prior to 128.0.6613.84

CVE-2024-7979 7.8 - High - August 21, 2024

Insufficient data validation in Installer in Google Chrome on Windows prior to 128.0.6613.84 allowed a local attacker to perform privilege escalation via a crafted symbolic link. (Chromium security severity: Medium)

Insufficient Verification of Data Authenticity

Insufficient policy enforcement in Data Transfer in Google Chrome prior to 128.0.6613.84

CVE-2024-7978 4.3 - Medium - August 21, 2024

Insufficient policy enforcement in Data Transfer in Google Chrome prior to 128.0.6613.84 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Inappropriate implementation in FedCM in Google Chrome prior to 128.0.6613.84

CVE-2024-7976 4.3 - Medium - August 21, 2024

Inappropriate implementation in FedCM in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Inappropriate implementation in Permissions in Google Chrome prior to 128.0.6613.84

CVE-2024-7975 4.3 - Medium - August 21, 2024

Inappropriate implementation in Permissions in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Insufficient data validation in V8 API in Google Chrome prior to 128.0.6613.84

CVE-2024-7974 8.8 - High - August 21, 2024

Insufficient data validation in V8 API in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Medium)

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Google Chrome or by Google? Click the Watch button to subscribe.

Google
Vendor

Google Chrome
Web browser

subscribe