Chrome Google Chrome Web browser

Do you want an email whenever new security vulnerabilities are reported in Google Chrome?

Recent Google Chrome Security Advisories

Advisory Title Published
Chrome Releases: Stable Channel Update for Desktop August 21, 2024
Chrome Releases: Stable Channel Update for Desktop August 1, 2024
Chrome Releases: Stable Channel Update for Desktop July 16, 2024
Chrome Releases: Stable Channel Update for Desktop May 28, 2024
Chrome Releases: Stable Channel Update for Desktop May 15, 2024
Chrome Releases: Stable Channel Update for Desktop May 14, 2024
Chrome Releases: Stable Channel Update for Desktop May 14, 2024
Chrome Releases: Stable Channel Update for Desktop May 1, 2024
Chrome Releases: Stable Channel Update for Desktop April 17, 2024
Chrome Releases: Stable Channel Update for Desktop April 6, 2024

Known Exploited Google Chrome Vulnerabilities

The following Google Chrome vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
Google Chrome Skia Integer Overflow Vulnerability Google Chrome Skia contains an integer overflow vulnerability. Specific impacts from exploitation are not available at this time. This vulnerability resides in Skia which serves as the graphics engine for Google Chrome and ChromeOS, Android, Flutter, and other products. CVE-2023-2136 April 21, 2023
Google Chrome Use-After-Free Vulnerability Google Chrome contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption. CVE-2022-3038 March 30, 2023
Google Chrome Heap Buffer Overflow Vulnerability Google Chrome GPU contains a heap buffer overflow vulnerability that allows a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. CVE-2022-4135 November 28, 2022
Google Chrome Intents Insufficient Input Validation Vulnerability Google Chrome Intents allows for insufficient validation of untrusted input, causing unknown impacts. CISA will update this description if more information becomes available. CVE-2022-2856 August 18, 2022
Google Chrome Use-After-Free Vulnerability Use-after-free in WebAudio in Google Chrome allows a remote attacker to potentially exploit heap corruption. CVE-2019-13720 May 23, 2022
Google Chrome Use-After-Free Vulnerability Google Chrome contains a heap use-after-free vulnerability which allows an attacker to potentially perform out of bounds memory access. CVE-2019-5786 May 23, 2022
Google Chrome Use-After-Free Vulnerability The vulnerability exists due to a use-after-free error within the Animation component in Google Chrome. CVE-2022-0609 February 15, 2022
Google Chrome Prior to 81.0.4044.92 Use-After-Free Vulnerability Use-after-free vulnerability in Media in Google Chrome prior to 81.0.4044.92 allowed a Remote attacker to execute arbitrary code via a crafted HTML page. CVE-2020-6572 January 10, 2022
Google Chrome Browser V8 Arbitrary Code Execution Type Confusion in V8 in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30563 November 3, 2021
Google Chrome FreeType Memory Corruption Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2020-15999 November 3, 2021
Google Chrome WebGL Use-After-Free Vulnerability Use after free in WebGL in Google Chrome prior to 91.0.4472.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30554 November 3, 2021
Google Chrome Use-After-Free Vulnerability Google Chrome use-after-free error within the V8 browser engine. CVE-2021-37975 November 3, 2021
Google Chrome Use-After-Free Vulnerability Use-after-free weakness in Portals, Google's new web page navigation system for Chrome. Successful exploitation can let attackers to execute code. CVE-2021-37973 November 3, 2021
Google Chrome Use-After-Free Vulnerability Google Chrome Use-After-Free vulnerability CVE-2021-30633 November 3, 2021
Google Chrome Out-of-bounds write Google Chrome out-of-bounds write that allows to execute arbitrary code on the target system. CVE-2021-30632 November 3, 2021
Google Chrome Information Leakage Information disclosure in Google Chrome that exists due to excessive data output in core. CVE-2021-37976 November 3, 2021
Google Chrome Site Isolation Component Use-After-Free Remote Code Execution vulnerability Use after free in site isolation in Google Chrome prior to 86.0.4240.198 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. CVE-2020-16017 November 3, 2021
Google Chrome Heap Buffer Overflow in WebAudio Vulnerability Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-21166 November 3, 2021

By the Year

In 2024 there have been 174 vulnerabilities in Google Chrome with an average score of 7.7 out of ten. Last year Chrome had 249 security vulnerabilities published. Right now, Chrome is on track to have less security vulnerabilities in 2024 than it did last year. However, the average CVE base score of the vulnerabilities in 2024 is greater by 0.16.

Year Vulnerabilities Average Score
2024 174 7.70
2023 249 7.54
2022 296 8.05
2021 330 8.00
2020 227 7.62
2019 304 7.07
2018 114 7.08

It may take a day or so for new Chrome vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Google Chrome Security Vulnerabilities

Integer overflow in Skia in Google Chrome prior to 129.0.6668.70

CVE-2024-9123 - September 25, 2024

Integer overflow in Skia in Google Chrome prior to 129.0.6668.70 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

Use after free in Dawn in Google Chrome on Windows prior to 129.0.6668.70

CVE-2024-9120 - September 25, 2024

Use after free in Dawn in Google Chrome on Windows prior to 129.0.6668.70 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Inappropriate implementation in V8 in Google Chrome prior to 129.0.6668.70

CVE-2024-9121 - September 25, 2024

Inappropriate implementation in V8 in Google Chrome prior to 129.0.6668.70 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Type Confusion in V8 in Google Chrome prior to 129.0.6668.70

CVE-2024-9122 - September 25, 2024

Type Confusion in V8 in Google Chrome prior to 129.0.6668.70 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Insufficient data validation in Updater in Google Chrome prior to 128.0.6537.0

CVE-2024-7023 - September 23, 2024

Insufficient data validation in Updater in Google Chrome prior to 128.0.6537.0 allowed a remote attacker to perform privilege escalation via a malicious file. (Chromium security severity: Medium)

Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.54

CVE-2024-7024 - September 23, 2024

Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)

Inappropriate implementation in UI in Google Chrome prior to 124.0.6367.60

CVE-2024-7019 - September 23, 2024

Inappropriate implementation in UI in Google Chrome prior to 124.0.6367.60 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Inappropriate implementation in Autofill in Google Chrome prior to 124.0.6367.60

CVE-2024-7020 - September 23, 2024

Inappropriate implementation in Autofill in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Uninitialized Use in V8 in Google Chrome prior to 123.0.6312.58

CVE-2024-7022 - September 23, 2024

Uninitialized Use in V8 in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)

Insufficient data validation in PDF in Google Chrome prior to 73.0.3683.75

CVE-2018-20072 7.8 - High - September 23, 2024

Insufficient data validation in PDF in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform out of bounds memory access via a crafted PDF file. (Chromium security severity: Low)

Use after free in Extensions in Google Chrome prior to 92.0.4515.107

CVE-2021-38023 - September 23, 2024

Use after free in Extensions in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Inappropriate implementation in Compositing in Google Chrome prior to 119.0.6045.105

CVE-2023-7281 - September 23, 2024

Inappropriate implementation in Compositing in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Inappropriate implementation in Navigation in Google Chrome prior to 113.0.5672.63

CVE-2023-7282 - September 23, 2024

Inappropriate implementation in Navigation in Google Chrome prior to 113.0.5672.63 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform domain spoofing via a crafted HTML page. (Chromium security severity: Low)

Heap buffer overflow in PDF in Google Chrome prior to 124.0.6367.78

CVE-2024-7018 - September 23, 2024

Heap buffer overflow in PDF in Google Chrome prior to 124.0.6367.78 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: Medium)

Type Confusion in V8 in Google Chrome prior to 129.0.6668.58

CVE-2024-8904 - September 17, 2024

Type Confusion in V8 in Google Chrome prior to 129.0.6668.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Inappropriate implementation in V8 in Google Chrome prior to 129.0.6668.58

CVE-2024-8905 - September 17, 2024

Inappropriate implementation in V8 in Google Chrome prior to 129.0.6668.58 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page. (Chromium security severity: Medium)

Incorrect security UI in Downloads in Google Chrome prior to 129.0.6668.58

CVE-2024-8906 4.3 - Medium - September 17, 2024

Incorrect security UI in Downloads in Google Chrome prior to 129.0.6668.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Insufficient data validation in Omnibox in Google Chrome on Android prior to 129.0.6668.58

CVE-2024-8907 6.1 - Medium - September 17, 2024

Insufficient data validation in Omnibox in Google Chrome on Android prior to 129.0.6668.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (XSS) via a crafted set of UI gestures. (Chromium security severity: Medium)

XSS

Inappropriate implementation in Autofill in Google Chrome prior to 129.0.6668.58

CVE-2024-8908 4.3 - Medium - September 17, 2024

Inappropriate implementation in Autofill in Google Chrome prior to 129.0.6668.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Inappropriate implementation in UI in Google Chrome on iOS prior to 129.0.6668.58

CVE-2024-8909 4.3 - Medium - September 17, 2024

Inappropriate implementation in UI in Google Chrome on iOS prior to 129.0.6668.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Heap buffer overflow in Skia in Google Chrome prior to 128.0.6613.137

CVE-2024-8636 8.8 - High - September 11, 2024

Heap buffer overflow in Skia in Google Chrome prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption

Use after free in Media Router in Google Chrome on Android prior to 128.0.6613.137

CVE-2024-8637 8.8 - High - September 11, 2024

Use after free in Media Router in Google Chrome on Android prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Type Confusion in V8 in Google Chrome prior to 128.0.6613.137

CVE-2024-8638 8.8 - High - September 11, 2024

Type Confusion in V8 in Google Chrome prior to 128.0.6613.137 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

Use after free in Autofill in Google Chrome on Android prior to 128.0.6613.137

CVE-2024-8639 8.8 - High - September 11, 2024

Use after free in Autofill in Google Chrome on Android prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Out of bounds write in V8 in Google Chrome prior to 128.0.6613.119

CVE-2024-7970 - September 03, 2024

Out of bounds write in V8 in Google Chrome prior to 128.0.6613.119 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Use after free in WebAudio in Google Chrome prior to 128.0.6613.119

CVE-2024-8362 - September 03, 2024

Use after free in WebAudio in Google Chrome prior to 128.0.6613.119 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Heap buffer overflow in Skia in Google Chrome prior to 128.0.6613.113

CVE-2024-8193 8.8 - High - August 28, 2024

Heap buffer overflow in Skia in Google Chrome prior to 128.0.6613.113 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption

Type Confusion in V8 in Google Chrome prior to 128.0.6613.113

CVE-2024-8194 8.8 - High - August 28, 2024

Type Confusion in V8 in Google Chrome prior to 128.0.6613.113 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

Heap buffer overflow in Skia in Google Chrome prior to 128.0.6613.113

CVE-2024-8198 8.8 - High - August 28, 2024

Heap buffer overflow in Skia in Google Chrome prior to 128.0.6613.113 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption

Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 128.0.6613.84

CVE-2024-8034 4.3 - Medium - August 21, 2024

Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Inappropriate implementation in Views in Google Chrome prior to 128.0.6613.84

CVE-2024-7981 4.3 - Medium - August 21, 2024

Inappropriate implementation in Views in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Inappropriate implementation in WebApp Installs in Google Chrome on Windows prior to 128.0.6613.84

CVE-2024-8033 4.3 - Medium - August 21, 2024

Inappropriate implementation in WebApp Installs in Google Chrome on Windows prior to 128.0.6613.84 allowed an attacker who convinced a user to install a malicious application to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Type Confusion in V8 in Google Chrome prior to 128.0.6613.113

CVE-2024-7969 8.8 - High - August 21, 2024

Type Confusion in V8 in Google Chrome prior to 128.0.6613.113 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

Insufficient policy enforcement in Data Transfer in Google Chrome prior to 128.0.6613.84

CVE-2024-7978 4.3 - Medium - August 21, 2024

Insufficient policy enforcement in Data Transfer in Google Chrome prior to 128.0.6613.84 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Insufficient data validation in Installer in Google Chrome on Windows prior to 128.0.6613.84

CVE-2024-7979 7.8 - High - August 21, 2024

Insufficient data validation in Installer in Google Chrome on Windows prior to 128.0.6613.84 allowed a local attacker to perform privilege escalation via a crafted symbolic link. (Chromium security severity: Medium)

Insufficient Verification of Data Authenticity

Insufficient data validation in Installer in Google Chrome on Windows prior to 128.0.6613.84

CVE-2024-7980 7.8 - High - August 21, 2024

Insufficient data validation in Installer in Google Chrome on Windows prior to 128.0.6613.84 allowed a local attacker to perform privilege escalation via a crafted symbolic link. (Chromium security severity: Medium)

Insufficient Verification of Data Authenticity

Inappropriate implementation in Extensions in Google Chrome on Windows prior to 128.0.6613.84

CVE-2024-8035 4.3 - Medium - August 21, 2024

Inappropriate implementation in Extensions in Google Chrome on Windows prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Use after free in Passwords in Google Chrome on Android prior to 128.0.6613.84

CVE-2024-7964 8.8 - High - August 21, 2024

Use after free in Passwords in Google Chrome on Android prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84

CVE-2024-7965 8.8 - High - August 21, 2024

Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption

Out of bounds memory access in Skia in Google Chrome prior to 128.0.6613.84

CVE-2024-7966 8.8 - High - August 21, 2024

Out of bounds memory access in Skia in Google Chrome prior to 128.0.6613.84 allowed a remote attacker who had compromised the renderer process to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Buffer Overflow

Heap buffer overflow in Fonts in Google Chrome prior to 128.0.6613.84

CVE-2024-7967 8.8 - High - August 21, 2024

Heap buffer overflow in Fonts in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption

Use after free in Autofill in Google Chrome prior to 128.0.6613.84

CVE-2024-7968 8.8 - High - August 21, 2024

Use after free in Autofill in Google Chrome prior to 128.0.6613.84 allowed a remote attacker who had convinced the user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page

CVE-2024-7971 8.8 - High - August 21, 2024

Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84

CVE-2024-7972 8.8 - High - August 21, 2024

Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)

Heap buffer overflow in PDFium in Google Chrome prior to 128.0.6613.84

CVE-2024-7973 8.8 - High - August 21, 2024

Heap buffer overflow in PDFium in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform an out of bounds memory read via a crafted PDF file. (Chromium security severity: Medium)

Memory Corruption

Insufficient data validation in V8 API in Google Chrome prior to 128.0.6613.84

CVE-2024-7974 8.8 - High - August 21, 2024

Insufficient data validation in V8 API in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Medium)

Inappropriate implementation in Permissions in Google Chrome prior to 128.0.6613.84

CVE-2024-7975 4.3 - Medium - August 21, 2024

Inappropriate implementation in Permissions in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Inappropriate implementation in FedCM in Google Chrome prior to 128.0.6613.84

CVE-2024-7976 4.3 - Medium - August 21, 2024

Inappropriate implementation in FedCM in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Insufficient data validation in Installer in Google Chrome on Windows prior to 128.0.6613.84

CVE-2024-7977 7.8 - High - August 21, 2024

Insufficient data validation in Installer in Google Chrome on Windows prior to 128.0.6613.84 allowed a local attacker to perform privilege escalation via a malicious file. (Chromium security severity: Medium)

Out of bounds memory access in ANGLE in Google Chrome prior to 127.0.6533.99

CVE-2024-7532 8.8 - High - August 06, 2024

Out of bounds memory access in ANGLE in Google Chrome prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

Memory Corruption

Heap buffer overflow in Layout in Google Chrome prior to 127.0.6533.99

CVE-2024-7534 8.8 - High - August 06, 2024

Heap buffer overflow in Layout in Google Chrome prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption

Use after free in WebAudio in Google Chrome prior to 127.0.6533.99

CVE-2024-7536 8.8 - High - August 06, 2024

Use after free in WebAudio in Google Chrome prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Type Confusion in V8 in Google Chrome prior to 127.0.6533.99

CVE-2024-7550 8.8 - High - August 06, 2024

Type Confusion in V8 in Google Chrome prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

Use after free in Sharing in Google Chrome on iOS prior to 127.0.6533.99

CVE-2024-7533 8.8 - High - August 06, 2024

Use after free in Sharing in Google Chrome on iOS prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Inappropriate implementation in V8 in Google Chrome prior to 127.0.6533.99

CVE-2024-7535 8.8 - High - August 06, 2024

Inappropriate implementation in V8 in Google Chrome prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption

Use after free in Downloads in Google Chrome on iOS prior to 127.0.6533.72

CVE-2024-6988 8.8 - High - August 06, 2024

Use after free in Downloads in Google Chrome on iOS prior to 127.0.6533.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Inappropriate implementation in Fullscreen in Google Chrome on Android prior to 127.0.6533.72

CVE-2024-6995 4.7 - Medium - August 06, 2024

Inappropriate implementation in Fullscreen in Google Chrome on Android prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)

Inappropriate implementation in FedCM in Google Chrome prior to 127.0.6533.72

CVE-2024-6999 4.3 - Medium - August 06, 2024

Inappropriate implementation in FedCM in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Insufficient validation of untrusted input in Safe Browsing in Google Chrome prior to 127.0.6533.72

CVE-2024-7004 4.3 - Medium - August 06, 2024

Insufficient validation of untrusted input in Safe Browsing in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a malicious file. (Chromium security severity: Low)

Use after free in Dawn in Google Chrome prior to 127.0.6533.72

CVE-2024-6991 8.8 - High - August 06, 2024

Use after free in Dawn in Google Chrome prior to 127.0.6533.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Heap buffer overflow in Layout in Google Chrome prior to 127.0.6533.72

CVE-2024-6994 8.8 - High - August 06, 2024

Heap buffer overflow in Layout in Google Chrome prior to 127.0.6533.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption

Use after free in Tabs in Google Chrome prior to 127.0.6533.72

CVE-2024-6997 8.8 - High - August 06, 2024

Use after free in Tabs in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Dangling pointer

Use after free in User Education in Google Chrome prior to 127.0.6533.72

CVE-2024-6998 8.8 - High - August 06, 2024

Use after free in User Education in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Dangling pointer

Inappropriate implementation in HTML in Google Chrome prior to 127.0.6533.72

CVE-2024-7001 4.3 - Medium - August 06, 2024

Inappropriate implementation in HTML in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Inappropriate implementation in FedCM in Google Chrome prior to 127.0.6533.72

CVE-2024-7003 4.3 - Medium - August 06, 2024

Inappropriate implementation in FedCM in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Use after free in Loader in Google Chrome prior to 127.0.6533.72

CVE-2024-6989 8.8 - High - August 06, 2024

Use after free in Loader in Google Chrome prior to 127.0.6533.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Race in Frames in Google Chrome prior to 127.0.6533.72

CVE-2024-6996 3.1 - Low - August 06, 2024

Race in Frames in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Race Condition

Use after free in CSS in Google Chrome prior to 127.0.6533.72

CVE-2024-7000 8.8 - High - August 06, 2024

Use after free in CSS in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Dangling pointer

Insufficient validation of untrusted input in Safe Browsing in Google Chrome prior to 127.0.6533.72

CVE-2024-7005 4.3 - Medium - August 06, 2024

Insufficient validation of untrusted input in Safe Browsing in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a malicious file. (Chromium security severity: Low)

Insufficient data validation in Dawn in Google Chrome on Android prior to 127.0.6533.88

CVE-2024-7256 - August 01, 2024

Insufficient data validation in Dawn in Google Chrome on Android prior to 127.0.6533.88 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Uninitialized Use in Dawn in Google Chrome on Android prior to 127.0.6533.88

CVE-2024-6990 8.8 - High - August 01, 2024

Uninitialized Use in Dawn in Google Chrome on Android prior to 127.0.6533.88 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical)

Use of Uninitialized Resource

Out of bounds read in WebTransport in Google Chrome prior to 127.0.6533.88

CVE-2024-7255 8.8 - High - August 01, 2024

Out of bounds read in WebTransport in Google Chrome prior to 127.0.6533.88 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Out-of-bounds Read

Use after free in WebRTC in Google Chrome prior to 121.0.6167.85

CVE-2024-3170 8.8 - High - July 16, 2024

Use after free in WebRTC in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Insufficient data validation in DevTools in Google Chrome prior to 121.0.6167.85

CVE-2024-3172 8.8 - High - July 16, 2024

Insufficient data validation in DevTools in Google Chrome prior to 121.0.6167.85 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Use after free in V8 in Google Chrome prior to 121.0.6167.139

CVE-2024-3169 8.8 - High - July 16, 2024

Use after free in V8 in Google Chrome prior to 121.0.6167.139 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Use after free in Accessibility in Google Chrome prior to 122.0.6261.57

CVE-2024-3171 8.8 - High - July 16, 2024

Use after free in Accessibility in Google Chrome prior to 122.0.6261.57 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via specific UI gestures. (Chromium security severity: Medium)

Dangling pointer

Out of bounds read in V8 in Google Chrome prior to 121.0.6167.139

CVE-2024-2884 6.5 - Medium - July 16, 2024

Out of bounds read in V8 in Google Chrome prior to 121.0.6167.139 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)

Out-of-bounds Read

Inappropriate implementation in V8 in Google Chrome prior to 119.0.6045.105

CVE-2024-3174 8.8 - High - July 16, 2024

Inappropriate implementation in V8 in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)

Out of bounds write in SwiftShader in Google Chrome prior to 117.0.5938.62

CVE-2024-3176 8.8 - High - July 16, 2024

Out of bounds write in SwiftShader in Google Chrome prior to 117.0.5938.62 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

Memory Corruption

Use after free in DevTools in Google Chrome prior to 122.0.6261.57

CVE-2024-3168 8.8 - High - July 16, 2024

Use after free in DevTools in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Dangling pointer

Inappropriate implementation in Picture in Picture in Google Chrome prior to 119.0.6045.105

CVE-2023-7011 - July 16, 2024

Inappropriate implementation in Picture in Picture in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)

Insufficient data validation in Permission Prompts in Google Chrome prior to 117.0.5938.62

CVE-2023-7012 - July 16, 2024

Insufficient data validation in Permission Prompts in Google Chrome prior to 117.0.5938.62 allowed an attacker who convinced a user to install a malicious app to potentially perform a sandbox escape via a malicious file. (Chromium security severity: Medium)

Insufficient data validation in Extensions in Google Chrome prior to 120.0.6099.62

CVE-2024-3175 6.3 - Medium - July 16, 2024

Insufficient data validation in Extensions in Google Chrome prior to 120.0.6099.62 allowed a remote attacker to perform privilege escalation via a crafted Chrome Extension. (Chromium security severity: Low)

Insufficient data validation in Updater in Google Chrome prior to 120.0.6099.62

CVE-2024-3173 8.8 - High - July 16, 2024

Insufficient data validation in Updater in Google Chrome prior to 120.0.6099.62 allowed a remote attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)

Insufficient Verification of Data Authenticity

Inappropriate implementation in Sign-In in Google Chrome prior to 1.3.36.351

CVE-2024-5500 6.5 - Medium - July 16, 2024

Inappropriate implementation in Sign-In in Google Chrome prior to 1.3.36.351 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

Inappropriate implementation in Skia in Google Chrome prior to 115.0.5790.98

CVE-2023-4860 - July 16, 2024

Inappropriate implementation in Skia in Google Chrome prior to 115.0.5790.98 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Use after free in WebRTC in Google Chrome prior to 117.0.5938.62

CVE-2023-7010 - July 16, 2024

Use after free in WebRTC in Google Chrome prior to 117.0.5938.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Race in DevTools in Google Chrome prior to 126.0.6478.182

CVE-2024-6778 - July 16, 2024

Race in DevTools in Google Chrome prior to 126.0.6478.182 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High)

Out of bounds memory access in V8 in Google Chrome prior to 126.0.6478.182

CVE-2024-6779 - July 16, 2024

Out of bounds memory access in V8 in Google Chrome prior to 126.0.6478.182 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Use after free in Screen Capture in Google Chrome prior to 126.0.6478.182

CVE-2024-6774 - July 16, 2024

Use after free in Screen Capture in Google Chrome prior to 126.0.6478.182 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Use after free in Navigation in Google Chrome prior to 126.0.6478.182

CVE-2024-6777 - July 16, 2024

Use after free in Navigation in Google Chrome prior to 126.0.6478.182 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)

Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.182

CVE-2024-6772 - July 16, 2024

Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.182 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.182

CVE-2024-6773 - July 16, 2024

Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.182 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Use after free in Audio in Google Chrome prior to 126.0.6478.182

CVE-2024-6776 - July 16, 2024

Use after free in Audio in Google Chrome prior to 126.0.6478.182 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Use after free in Media Stream in Google Chrome prior to 126.0.6478.182

CVE-2024-6775 - July 16, 2024

Use after free in Media Stream in Google Chrome prior to 126.0.6478.182 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Out of bounds memory access in Dawn in Google Chrome prior to 126.0.6478.114

CVE-2024-6102 8.8 - High - June 20, 2024

Out of bounds memory access in Dawn in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption

Type Confusion in V8 in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to execute arbitrary code via a crafted HTML page

CVE-2024-6100 8.8 - High - June 20, 2024

Type Confusion in V8 in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

Use after free in Dawn in Google Chrome prior to 126.0.6478.114

CVE-2024-6103 8.8 - High - June 20, 2024

Use after free in Dawn in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.114

CVE-2024-6101 8.8 - High - June 20, 2024

Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Type Confusion in V8 in Google Chrome prior to 126.0.6478.54

CVE-2024-5833 8.8 - High - June 11, 2024

Type Confusion in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Fedora Project Fedora or by Google? Click the Watch button to subscribe.

Google
Vendor

Google Chrome
Web browser

subscribe