Google Chrome Web browser
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Google Chrome.
Recent Google Chrome Security Advisories
Known Exploited Google Chrome Vulnerabilities
The following Google Chrome vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Google Chrome Skia Integer Overflow Vulnerability |
Google Chrome Skia contains an integer overflow vulnerability. Specific impacts from exploitation are not available at this time. This vulnerability resides in Skia which serves as the graphics engine for Google Chrome and ChromeOS, Android, Flutter, and other products. CVE-2023-2136 Exploit Probability: 0.3% |
April 21, 2023 |
| Google Chrome Use-After-Free Vulnerability |
Google Chrome contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption. CVE-2022-3038 Exploit Probability: 80.5% |
March 30, 2023 |
| Google Chrome Heap Buffer Overflow Vulnerability |
Google Chrome GPU contains a heap buffer overflow vulnerability that allows a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. CVE-2022-4135 Exploit Probability: 0.1% |
November 28, 2022 |
| Google Chrome Intents Insufficient Input Validation Vulnerability |
Google Chrome Intents allows for insufficient validation of untrusted input, causing unknown impacts. CISA will update this description if more information becomes available. CVE-2022-2856 Exploit Probability: 2.4% |
August 18, 2022 |
| Google Chrome Use-After-Free Vulnerability |
Use-after-free in WebAudio in Google Chrome allows a remote attacker to potentially exploit heap corruption. CVE-2019-13720 Exploit Probability: 90.8% |
May 23, 2022 |
| Google Chrome Use-After-Free Vulnerability |
Google Chrome contains a heap use-after-free vulnerability which allows an attacker to potentially perform out of bounds memory access. CVE-2019-5786 Exploit Probability: 90.8% |
May 23, 2022 |
| Google Chrome Use-After-Free Vulnerability |
The vulnerability exists due to a use-after-free error within the Animation component in Google Chrome. CVE-2022-0609 Exploit Probability: 64.6% |
February 15, 2022 |
| Google Chrome Prior to 81.0.4044.92 Use-After-Free Vulnerability |
Use-after-free vulnerability in Media in Google Chrome prior to 81.0.4044.92 allowed a Remote attacker to execute arbitrary code via a crafted HTML page. CVE-2020-6572 Exploit Probability: 20.4% |
January 10, 2022 |
| Google Chrome Browser V8 Arbitrary Code Execution |
Type Confusion in V8 in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30563 Exploit Probability: 8.8% |
November 3, 2021 |
| Google Chrome FreeType Memory Corruption |
Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2020-15999 Exploit Probability: 93.2% |
November 3, 2021 |
| Google Chrome WebGL Use-After-Free Vulnerability |
Use after free in WebGL in Google Chrome prior to 91.0.4472.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30554 Exploit Probability: 17.7% |
November 3, 2021 |
| Google Chrome Use-After-Free Vulnerability |
Google Chrome use-after-free error within the V8 browser engine. CVE-2021-37975 Exploit Probability: 62.5% |
November 3, 2021 |
| Google Chrome Use-After-Free Vulnerability |
Use-after-free weakness in Portals, Google's new web page navigation system for Chrome. Successful exploitation can let attackers to execute code. CVE-2021-37973 Exploit Probability: 15.6% |
November 3, 2021 |
| Google Chrome Use-After-Free Vulnerability |
Google Chrome Use-After-Free vulnerability CVE-2021-30633 Exploit Probability: 46.8% |
November 3, 2021 |
| Google Chrome Out-of-bounds write |
Google Chrome out-of-bounds write that allows to execute arbitrary code on the target system. CVE-2021-30632 Exploit Probability: 83.3% |
November 3, 2021 |
| Google Chrome Information Leakage |
Information disclosure in Google Chrome that exists due to excessive data output in core. CVE-2021-37976 Exploit Probability: 11.9% |
November 3, 2021 |
| Google Chrome Site Isolation Component Use-After-Free Remote Code Execution vulnerability |
Use after free in site isolation in Google Chrome prior to 86.0.4240.198 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. CVE-2020-16017 Exploit Probability: 21.9% |
November 3, 2021 |
| Google Chrome Heap Buffer Overflow in WebAudio Vulnerability |
Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-21166 Exploit Probability: 41.9% |
November 3, 2021 |
Of the known exploited vulnerabilities above, 5 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 6 known exploited Google Chrome vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
By the Year
In 2025 there have been 59 vulnerabilities in Google Chrome with an average score of 8.8 out of ten. Last year, in 2024 Chrome had 266 security vulnerabilities published. Right now, Chrome is on track to have less security vulnerabilities in 2025 than it did last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 1.05.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 59 | 8.80 |
| 2024 | 266 | 7.75 |
| 2023 | 262 | 7.52 |
| 2022 | 297 | 8.03 |
| 2021 | 330 | 8.00 |
| 2020 | 228 | 7.63 |
| 2019 | 304 | 7.07 |
| 2018 | 114 | 7.08 |
It may take a day or so for new Chrome vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Google Chrome Security Vulnerabilities
Out-of-Bounds Read in ip_set_bitmap_ip.c in Google ChromeOS Kernel Versions 6.1, 5.15, 5.10, 5.4, 4.19
CVE-2025-2073
- April 16, 2025
Out-of-Bounds Read in ip_set_bitmap_ip.c in Google ChromeOS Kernel Versions 6.1, 5.15, 5.10, 5.4, 4.19. on All devices where Termina is used allows an attacker with CAP_NET_ADMIN privileges to cause memory corruption and potentially escalate privileges via crafted ipset commands.
ComponentInstaller Modification in ComponentInstaller in Google ChromeOS 124.0.6367.34 on Chromebooks
CVE-2025-1704
- April 16, 2025
ComponentInstaller Modification in ComponentInstaller in Google ChromeOS 124.0.6367.34 on Chromebooks allows enrolled users with local access to unenroll devices and intercept device management requests via loading components from the unencrypted stateful partition.
Access Control Vulnerability in Gerrit chromiumos project configuration in Google ChromeOS 131.0.6778.268
CVE-2025-1568
- April 16, 2025
Access Control Vulnerability in Gerrit chromiumos project configuration in Google ChromeOS 131.0.6778.268 allows an attacker with a registered Gerrit account to inject malicious code into ChromeOS projects and potentially achieve Remote Code Execution and Denial of Service via editing trusted pipelines by insufficient access controls and misconfigurations in Gerrit's project.config.
DNS Leak in Native System VPN in Google ChromeOS Dev Channel on ChromeOS 129.0.6668.36
CVE-2025-1566
- April 16, 2025
DNS Leak in Native System VPN in Google ChromeOS Dev Channel on ChromeOS 129.0.6668.36 allows network observers to expose plaintext DNS queries via failure to properly tunnel DNS traffic during VPN state transitions.
Use after free in USB in Google Chrome prior to 135.0.7049.95
CVE-2025-3620
- April 16, 2025
Use after free in USB in Google Chrome prior to 135.0.7049.95 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Heap buffer overflow in Codecs in Google Chrome on Windows prior to 135.0.7049.95
CVE-2025-3619
- April 16, 2025
Heap buffer overflow in Codecs in Google Chrome on Windows prior to 135.0.7049.95 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Heap-based Buffer Overflow
Out-Of-Bounds Write in TPM2 Reference Library in Google ChromeOS 122.0.6261.132 stable on Cr50 Boards
CVE-2025-1292
- April 15, 2025
Out-Of-Bounds Write in TPM2 Reference Library in Google ChromeOS 122.0.6261.132 stable on Cr50 Boards allows an attacker with root access to gain persistence and bypass operating system verification via exploiting the NV_Read functionality during the Challenge-Response process.
Out-Of-Bounds Write in TPM2 Reference Library in Google ChromeOS 122.0.6261.132 stable on Cr50 Boards
CVE-2025-1122
- April 15, 2025
Out-Of-Bounds Write in TPM2 Reference Library in Google ChromeOS 122.0.6261.132 stable on Cr50 Boards allows an attacker with root access to gain persistence and Bypass operating system verification via exploiting the NV_Read functionality during the Challenge-Response process.
Inappropriate implementation in Downloads in Google Chrome prior to 135.0.7049.52
CVE-2025-3074
- April 02, 2025
Inappropriate implementation in Downloads in Google Chrome prior to 135.0.7049.52 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Inappropriate implementation in Autofill in Google Chrome prior to 135.0.7049.52
CVE-2025-3073
- April 02, 2025
Inappropriate implementation in Autofill in Google Chrome prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Inappropriate implementation in Custom Tabs in Google Chrome prior to 135.0.7049.52
CVE-2025-3072
- April 02, 2025
Inappropriate implementation in Custom Tabs in Google Chrome prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Inappropriate implementation in Navigations in Google Chrome prior to 135.0.7049.52
CVE-2025-3071
- April 02, 2025
Inappropriate implementation in Navigations in Google Chrome prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Insufficient validation of untrusted input in Extensions in Google Chrome prior to 135.0.7049.52
CVE-2025-3070
- April 02, 2025
Insufficient validation of untrusted input in Extensions in Google Chrome prior to 135.0.7049.52 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)
Improper Input Validation
Inappropriate implementation in Extensions in Google Chrome prior to 135.0.7049.52
CVE-2025-3069
- April 02, 2025
Inappropriate implementation in Extensions in Google Chrome prior to 135.0.7049.52 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)
Inappropriate implementation in Intents in Google Chrome on Android prior to 135.0.7049.52
CVE-2025-3068
- April 02, 2025
Inappropriate implementation in Intents in Google Chrome on Android prior to 135.0.7049.52 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)
Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 135.0.7049.52
CVE-2025-3067
- April 02, 2025
Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform privilege escalation via a crafted app. (Chromium security severity: Medium)
Use after free in Site Isolation in Google Chrome prior to 135.0.7049.84
CVE-2025-3066
- April 02, 2025
Use after free in Site Isolation in Google Chrome prior to 135.0.7049.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177
CVE-2025-2783
- March 26, 2025
Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High)
Use after free in Lens in Google Chrome prior to 134.0.6998.117
CVE-2025-2476
- March 19, 2025
Use after free in Lens in Google Chrome prior to 134.0.6998.117 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Dangling pointer
Out of bounds read in V8 in Google Chrome prior to 134.0.6998.88
CVE-2025-2137
- March 10, 2025
Out of bounds read in V8 in Google Chrome prior to 134.0.6998.88 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)
Out-of-bounds Read
Use after free in Inspector in Google Chrome prior to 134.0.6998.88
CVE-2025-2136
- March 10, 2025
Use after free in Inspector in Google Chrome prior to 134.0.6998.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Dangling pointer
Type Confusion in V8 in Google Chrome prior to 134.0.6998.88
CVE-2025-2135
- March 10, 2025
Type Confusion in V8 in Google Chrome prior to 134.0.6998.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Object Type Confusion
Type Confusion in V8 in Google Chrome prior to 134.0.6998.88
CVE-2025-1920
- March 10, 2025
Type Confusion in V8 in Google Chrome prior to 134.0.6998.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Object Type Confusion
Privilege escalation in Installer and Recovery image handling in Google ChromeOS 123.0.6312.112 on device
CVE-2025-1121
- March 07, 2025
Privilege escalation in Installer and Recovery image handling in Google ChromeOS 123.0.6312.112 on device allows an attacker with physical access to gain root code execution and potentially unenroll enterprise-managed devices via a specially crafted recovery image.
Inappropriate implementation in Permission Prompts in Google Chrome prior to 134.0.6998.35
CVE-2025-1923
- March 05, 2025
Inappropriate implementation in Permission Prompts in Google Chrome prior to 134.0.6998.35 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)
Clickjacking
Inappropriate implementation in Selection in Google Chrome on Android prior to 134.0.6998.35
CVE-2025-1922
- March 05, 2025
Inappropriate implementation in Selection in Google Chrome on Android prior to 134.0.6998.35 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
User Interface (UI) Misrepresentation of Critical Information
Inappropriate implementation in Media Stream in Google Chrome prior to 134.0.6998.35
CVE-2025-1921
- March 05, 2025
Inappropriate implementation in Media Stream in Google Chrome prior to 134.0.6998.35 allowed a remote attacker to obtain information about a peripheral via a crafted HTML page. (Chromium security severity: Medium)
Exposure of Sensitive Information Through Metadata
Out of bounds read in Media in Google Chrome prior to 134.0.6998.35
CVE-2025-1919
- March 05, 2025
Out of bounds read in Media in Google Chrome prior to 134.0.6998.35 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)
Out-of-bounds Read
Out of bounds read in PDFium in Google Chrome prior to 134.0.6998.35
CVE-2025-1918
- March 05, 2025
Out of bounds read in PDFium in Google Chrome prior to 134.0.6998.35 allowed a remote attacker to potentially perform out of bounds memory access via a crafted PDF file. (Chromium security severity: Medium)
Out-of-bounds Read
Inappropriate implementation in Browser UI in Google Chrome on Android prior to 134.0.6998.35
CVE-2025-1917
- March 05, 2025
Inappropriate implementation in Browser UI in Google Chrome on Android prior to 134.0.6998.35 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Clickjacking
Use after free in Profiles in Google Chrome prior to 134.0.6998.35
CVE-2025-1916
- March 05, 2025
Use after free in Profiles in Google Chrome prior to 134.0.6998.35 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Dangling pointer
Improper Limitation of a Pathname to a Restricted Directory in DevTools in Google Chrome on Windows prior to 134.0.6998.35
CVE-2025-1915
- March 05, 2025
Improper Limitation of a Pathname to a Restricted Directory in DevTools in Google Chrome on Windows prior to 134.0.6998.35 allowed an attacker who convinced a user to install a malicious extension to bypass file access restrictions via a crafted Chrome Extension. (Chromium security severity: Medium)
Directory traversal
Out of bounds read in V8 in Google Chrome prior to 134.0.6998.35
CVE-2025-1914
- March 05, 2025
Out of bounds read in V8 in Google Chrome prior to 134.0.6998.35 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Out-of-bounds Read
Heap buffer overflow in GPU in Google Chrome on Android prior to 133.0.6943.126
CVE-2025-1426
- February 19, 2025
Heap buffer overflow in GPU in Google Chrome on Android prior to 133.0.6943.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Heap-based Buffer Overflow
Use after free in Network in Google Chrome prior to 133.0.6943.126
CVE-2025-1006
- February 19, 2025
Use after free in Network in Google Chrome prior to 133.0.6943.126 allowed a remote attacker to potentially exploit heap corruption via a crafted web app. (Chromium security severity: Medium)
Dangling pointer
Heap buffer overflow in V8 in Google Chrome prior to 133.0.6943.126
CVE-2025-0999
- February 19, 2025
Heap buffer overflow in V8 in Google Chrome prior to 133.0.6943.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Heap-based Buffer Overflow
Use after free in Navigation in Google Chrome prior to 133.0.6943.98
CVE-2025-0997
- February 15, 2025
Use after free in Navigation in Google Chrome prior to 133.0.6943.98 allowed a remote attacker to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)
Dangling pointer
Inappropriate implementation in Browser UI in Google Chrome on Android prior to 133.0.6943.98
CVE-2025-0996
- February 15, 2025
Inappropriate implementation in Browser UI in Google Chrome on Android prior to 133.0.6943.98 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: High)
Homograph Attack
Use after free in V8 in Google Chrome prior to 133.0.6943.98
CVE-2025-0995
- February 15, 2025
Use after free in V8 in Google Chrome prior to 133.0.6943.98 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Inappropriate implementation in Extensions API in Google Chrome prior to 133.0.6943.53
CVE-2025-0451
- February 04, 2025
Inappropriate implementation in Extensions API in Google Chrome prior to 133.0.6943.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Medium)
Use after free in V8 in Google Chrome prior to 133.0.6943.53
CVE-2025-0445
- February 04, 2025
Use after free in V8 in Google Chrome prior to 133.0.6943.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Use after free in Skia in Google Chrome prior to 133.0.6943.53
CVE-2025-0444
- February 04, 2025
Use after free in Skia in Google Chrome prior to 133.0.6943.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Use after free in DevTools in Google Chrome prior to 132.0.6834.159
CVE-2025-0762
- January 29, 2025
Use after free in DevTools in Google Chrome prior to 132.0.6834.159 allowed a remote attacker to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Medium)
Dangling pointer
Out of bounds memory access in V8 in Google Chrome prior to 132.0.6834.110
CVE-2025-0612
- January 22, 2025
Out of bounds memory access in V8 in Google Chrome prior to 132.0.6834.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Object corruption in V8 in Google Chrome prior to 132.0.6834.110
CVE-2025-0611
- January 22, 2025
Object corruption in V8 in Google Chrome prior to 132.0.6834.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Inappropriate implementation in Compositing in Google Chrome prior to 132.0.6834.83
CVE-2025-0448
- January 15, 2025
Inappropriate implementation in Compositing in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Inappropriate implementation in Navigation in Google Chrome prior to 132.0.6834.83
CVE-2025-0447
- January 15, 2025
Inappropriate implementation in Navigation in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
Inappropriate implementation in Extensions in Google Chrome prior to 132.0.6834.83
CVE-2025-0446
- January 15, 2025
Inappropriate implementation in Extensions in Google Chrome prior to 132.0.6834.83 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)
Insufficient data validation in Extensions in Google Chrome prior to 132.0.6834.83
CVE-2025-0443
- January 15, 2025
Insufficient data validation in Extensions in Google Chrome prior to 132.0.6834.83 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)
Inappropriate implementation in Payments in Google Chrome prior to 132.0.6834.83
CVE-2025-0442
- January 15, 2025
Inappropriate implementation in Payments in Google Chrome prior to 132.0.6834.83 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Inappropriate implementation in Fenced Frames in Google Chrome prior to 132.0.6834.83
CVE-2025-0441
- January 15, 2025
Inappropriate implementation in Fenced Frames in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to obtain potentially sensitive information from the system via a crafted HTML page. (Chromium security severity: Medium)
Inappropriate implementation in Fullscreen in Google Chrome on Windows prior to 132.0.6834.83
CVE-2025-0440
- January 15, 2025
Inappropriate implementation in Fullscreen in Google Chrome on Windows prior to 132.0.6834.83 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Race in Frames in Google Chrome prior to 132.0.6834.83
CVE-2025-0439
- January 15, 2025
Race in Frames in Google Chrome prior to 132.0.6834.83 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Race Condition
Stack buffer overflow in Tracing in Google Chrome prior to 132.0.6834.83
CVE-2025-0438
- January 15, 2025
Stack buffer overflow in Tracing in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page. (Chromium security severity: High)
Stack Overflow
Out of bounds read in Metrics in Google Chrome prior to 132.0.6834.83
CVE-2025-0437
8.8 - High
- January 15, 2025
Out of bounds read in Metrics in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Out-of-bounds Read
Integer overflow in Skia in Google Chrome prior to 132.0.6834.83
CVE-2025-0436
- January 15, 2025
Integer overflow in Skia in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Assumed-Immutable Parameter Tampering
Inappropriate implementation in Navigation in Google Chrome on Android prior to 132.0.6834.83
CVE-2025-0435
- January 15, 2025
Inappropriate implementation in Navigation in Google Chrome on Android prior to 132.0.6834.83 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)
Out of bounds memory access in V8 in Google Chrome prior to 132.0.6834.83
CVE-2025-0434
- January 15, 2025
Out of bounds memory access in V8 in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Type Confusion in V8 in Google Chrome prior to 131.0.6778.264
CVE-2025-0291
8.8 - High
- January 08, 2025
Type Confusion in V8 in Google Chrome prior to 131.0.6778.264 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Object Type Confusion
Google Chrome V8 Engine Type Confusion Vulnerability
CVE-2024-12692
8.8 - High
- December 18, 2024
Type Confusion in V8 in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Google Chrome V8 Engine Out-of-Bounds Memory Access Vulnerability
CVE-2024-12693
8.8 - High
- December 18, 2024
Out of bounds memory access in V8 in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Memory Corruption
Google Chrome Compositing Use After Free Vulnerability
CVE-2024-12694
8.8 - High
- December 18, 2024
Use after free in Compositing in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Google Chrome V8 Engine Out-of-Bounds Write Vulnerability
CVE-2024-12695
8.8 - High
- December 18, 2024
Out of bounds write in V8 in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Type Confusion in V8 in Google Chrome prior to 131.0.6778.139
CVE-2024-12381
8.8 - High
- December 12, 2024
Type Confusion in V8 in Google Chrome prior to 131.0.6778.139 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Object Type Confusion
Use after free in Translate in Google Chrome prior to 131.0.6778.139
CVE-2024-12382
8.8 - High
- December 12, 2024
Use after free in Translate in Google Chrome prior to 131.0.6778.139 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Documenso User Interface Misrepresentation of Critical Information Vulnerability
CVE-2024-52271
- December 05, 2024
User Interface (UI) Misrepresentation of Critical Information vulnerability in Documenso allows Content Spoofing.Displayed version does not show the layer flattened version, once download, If printed (e.g. via Google Chrome -> Examine the print preview): Will render the vulnerability only, not all layers are flattened. This issue affects Documenso: through 1.8.0, >1.8.0 and Documenso SaaS (Hosted) as of 2024-12-05.
DropBox Sign(HelloSign) User Interface Misrepresentation of Critical Information Vulnerability
CVE-2024-52270
- December 05, 2024
User Interface (UI) Misrepresentation of Critical Information vulnerability in DropBox Sign(HelloSign) allows Content Spoofing. Displayed version does not show the layer flattened version, once download, If printed (e.g. via Google Chrome -> Examine the print preview): Will render the vulnerability only, not all layers are flattened. This issue affects DropBox Sign(HelloSign): through 2024-12-04.
User Interface (UI) Misrepresentation of Critical Information vulnerability in DocuSeal
CVE-2024-52277
- December 04, 2024
User Interface (UI) Misrepresentation of Critical Information vulnerability in DocuSeal allows Content Spoofing.Displayed version does not show the layer flattened version, once download, If printed (e.g. via Google Chrome -> Examine the print preview): Will render the vulnerability only, not all layers are flattened. This issue affects DocuSeal: through 1.8.1, >1.8.1.
User Interface (UI) Misrepresentation of Critical Information vulnerability in DocuSign allows Content Spoofing
CVE-2024-52276
- December 04, 2024
User Interface (UI) Misrepresentation of Critical Information vulnerability in DocuSign allows Content Spoofing. 1. Displayed version does not show the layer flattened version, which is provided when the "Print" option is used. 2. Displayed version does not show the layer flattened version, which is provided when the combined download option is used. 3. Displayed version does not show the layer flattened version, which is also the provided version when downloading the result in the uncombined option. Once download, If printed (e.g. via Google Chrome -> Examine the print preview): Will render the vulnerability only, not all layers are flattened. This issue affects DocuSign: through 2024-12-04.
Google Chrome V8 Engine Type Confusion Vulnerability
CVE-2024-12053
8.8 - High
- December 03, 2024
Type Confusion in V8 in Google Chrome prior to 131.0.6778.108 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)
Object Type Confusion
Google Chrome Layout Integer Overflow Vulnerability
CVE-2024-7025
8.8 - High
- November 27, 2024
Integer overflow in Layout in Google Chrome prior to 129.0.6668.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Integer Overflow or Wraparound
Google Chrome Mojo Insufficient Data Validation Out-of-Bounds Write Vulnerability
CVE-2024-9369
9.6 - Critical
- November 27, 2024
Insufficient data validation in Mojo in Google Chrome prior to 129.0.6668.89 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Improper Validation of Specified Quantity in Input
Stored XSS Vulnerability in WordPress Plugin 'Dino Game Embed'
CVE-2024-11388
5.4 - Medium
- November 21, 2024
The Dino Game Embed Google Chrome Dinosaur Game in WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dino-game' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
Google Chrome V8 Engine Type Confusion Vulnerability
CVE-2024-11395
- November 19, 2024
Type Confusion in V8 in Google Chrome prior to 131.0.6778.85 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Google Chrome Extensions Site Isolation Bypass Vulnerability
CVE-2024-11110
6.5 - Medium
- November 12, 2024
Inappropriate implementation in Extensions in Google Chrome prior to 131.0.6778.69 allowed a remote attacker to bypass site isolation via a crafted Chrome Extension. (Chromium security severity: High)
Google Chrome Autofill UI Spoofing Vulnerability
CVE-2024-11111
4.3 - Medium
- November 12, 2024
Inappropriate implementation in Autofill in Google Chrome prior to 131.0.6778.69 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Google Chrome Media Component Use After Free Vulnerability
CVE-2024-11112
8.8 - High
- November 12, 2024
Use after free in Media in Google Chrome on Windows prior to 131.0.6778.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Dangling pointer
Google Chrome Accessibility Use After Free Vulnerability
CVE-2024-11113
8.8 - High
- November 12, 2024
Use after free in Accessibility in Google Chrome prior to 131.0.6778.69 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Dangling pointer
Google Chrome Views Component Sandbox Escape Vulnerability
CVE-2024-11114
8.3 - High
- November 12, 2024
Inappropriate implementation in Views in Google Chrome on Windows prior to 131.0.6778.69 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Google Chrome on iOS Navigation Policy Enforcement Vulnerability
CVE-2024-11115
8.8 - High
- November 12, 2024
Insufficient policy enforcement in Navigation in Google Chrome on iOS prior to 131.0.6778.69 allowed a remote attacker to perform privilege escalation via a series of UI gestures. (Chromium security severity: Medium)
Google Chrome Blink UI Spoofing Vulnerability
CVE-2024-11116
4.3 - Medium
- November 12, 2024
Inappropriate implementation in Blink in Google Chrome prior to 131.0.6778.69 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Google Chrome FileSystem Inappropriate Implementation Vulnerability
CVE-2024-11117
4.3 - Medium
- November 12, 2024
Inappropriate implementation in FileSystem in Google Chrome prior to 131.0.6778.69 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity: Low)
Google Chrome 130 Use After Free in Family Experiences
CVE-2024-10826
8.8 - High
- November 06, 2024
Use after free in Family Experiences in Google Chrome on Android prior to 130.0.6723.116 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Google Chrome 130 Serial Use-After-Free
CVE-2024-10827
8.8 - High
- November 06, 2024
Use after free in Serial in Google Chrome prior to 130.0.6723.116 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Out of bounds write in Dawn in Google Chrome prior to 130.0.6723.92
CVE-2024-10487
8.8 - High
- October 29, 2024
Out of bounds write in Dawn in Google Chrome prior to 130.0.6723.92 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical)
Memory Corruption
Use after free in WebRTC in Google Chrome prior to 130.0.6723.92
CVE-2024-10488
8.8 - High
- October 29, 2024
Use after free in WebRTC in Google Chrome prior to 130.0.6723.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Inappropriate implementation in Extensions in Google Chrome prior to 130.0.6723.69
CVE-2024-10229
8.1 - High
- October 22, 2024
Inappropriate implementation in Extensions in Google Chrome prior to 130.0.6723.69 allowed a remote attacker to bypass site isolation via a crafted Chrome Extension. (Chromium security severity: High)
Type Confusion in V8 in Google Chrome prior to 130.0.6723.69
CVE-2024-10230
8.8 - High
- October 22, 2024
Type Confusion in V8 in Google Chrome prior to 130.0.6723.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Object Type Confusion
Type Confusion in V8 in Google Chrome prior to 130.0.6723.69
CVE-2024-10231
8.8 - High
- October 22, 2024
Type Confusion in V8 in Google Chrome prior to 130.0.6723.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Object Type Confusion
Use after free in AI in Google Chrome prior to 130.0.6723.58
CVE-2024-9954
8.8 - High
- October 15, 2024
Use after free in AI in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Dangling pointer
Use after free in WebAuthentication in Google Chrome prior to 130.0.6723.58
CVE-2024-9955
8.8 - High
- October 15, 2024
Use after free in WebAuthentication in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Dangling pointer
Inappropriate implementation in WebAuthentication in Google Chrome on Android prior to 130.0.6723.58
CVE-2024-9956
7.8 - High
- October 15, 2024
Inappropriate implementation in WebAuthentication in Google Chrome on Android prior to 130.0.6723.58 allowed a local attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)
Use after free in UI in Google Chrome on iOS prior to 130.0.6723.58
CVE-2024-9957
8.8 - High
- October 15, 2024
Use after free in UI in Google Chrome on iOS prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Dangling pointer
Inappropriate implementation in PictureInPicture in Google Chrome prior to 130.0.6723.58
CVE-2024-9958
4.3 - Medium
- October 15, 2024
Inappropriate implementation in PictureInPicture in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Use after free in DevTools in Google Chrome prior to 130.0.6723.58
CVE-2024-9959
8.8 - High
- October 15, 2024
Use after free in DevTools in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Medium)
Dangling pointer
Use after free in Dawn in Google Chrome prior to 130.0.6723.58
CVE-2024-9960
7.5 - High
- October 15, 2024
Use after free in Dawn in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Dangling pointer
Use after free in ParcelTracking in Google Chrome on iOS prior to 130.0.6723.58
CVE-2024-9961
8.8 - High
- October 15, 2024
Use after free in ParcelTracking in Google Chrome on iOS prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Dangling pointer
Inappropriate implementation in Permissions in Google Chrome prior to 130.0.6723.58
CVE-2024-9962
4.3 - Medium
- October 15, 2024
Inappropriate implementation in Permissions in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Insufficient data validation in Downloads in Google Chrome prior to 130.0.6723.58
CVE-2024-9963
4.3 - Medium
- October 15, 2024
Insufficient data validation in Downloads in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Inappropriate implementation in Payments in Google Chrome prior to 130.0.6723.58
CVE-2024-9964
4.3 - Medium
- October 15, 2024
Inappropriate implementation in Payments in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Google Chrome or by Google? Click the Watch button to subscribe.
