Skip to main content
CVE-2026-11054 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker to execute arbitrary code inside the renderer sandbox by enticing a victim to visit a crafted HTML page that triggers a use-after-free condition in the WebRTC component. No public exploit identified at time of analysis, though the high CVSS score of 8.8 and the memory corruption class make this a priority browser patch. Chromium rates the security severity as Medium despite the CVSS score, suggesting sandbox containment limits real-world impact.

Google Memory Corruption RCE Use After Free Denial Of Service +3
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11003 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 is possible through a use-after-free flaw in the WebRTC component, allowing a remote attacker to execute arbitrary code within the renderer sandbox when a victim visits a crafted HTML page. The issue carries a CVSS 3.1 score of 8.8 (High) and a vendor patch is available, though there is no public exploit identified at time of analysis and the flaw is rated Medium severity by Chromium's own security team.

Google Memory Corruption RCE Use After Free Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10982 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker to execute arbitrary code within the renderer sandbox by enticing a user to visit a crafted HTML page that triggers a use-after-free in the WebXR component. Google rates the issue High severity and CVSS scores it 8.8, with user interaction required but no authentication or privileges needed; no public exploit identified at time of analysis.

Google Memory Corruption RCE Use After Free Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10975 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the WebRTC component, enabling a remote attacker to execute arbitrary code inside the renderer sandbox by luring a victim to a crafted HTML page. The issue is rated High severity by Chromium and carries a CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:N/UI:R), reflecting low complexity and no privilege requirement but requiring user interaction. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Google Memory Corruption RCE Use After Free Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10948 HIGH PATCH This Week

Remote code execution in Google Chrome prior to 149.0.7827.53 allows a remote attacker to trigger a use-after-free condition in the WebRTC component by enticing a victim to visit a crafted HTML page, resulting in arbitrary code execution within the renderer sandbox. Google rated this as High severity and a vendor patch is available; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Google Memory Corruption RCE Use After Free Denial Of Service
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10947 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the WebRTC component, enabling a remote attacker to execute arbitrary code within the renderer sandbox when a victim visits a crafted HTML page. Google rates the underlying Chromium severity as High, and the CVSS 3.1 score of 8.8 reflects network-reachable, low-complexity exploitation requiring only user interaction (visiting a page). No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Google Memory Corruption RCE Use After Free Denial Of Service
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10943 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the WebRTC component that allows a remote attacker to execute arbitrary code within the renderer sandbox via a crafted HTML page. Exploitation requires user interaction (UI:R) such as visiting a malicious site, and while no public exploit has been identified at time of analysis, Google rates the underlying Chromium severity as High and a vendor patch is available.

Google Memory Corruption RCE Use After Free Denial Of Service
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10939 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker to run arbitrary code inside the renderer sandbox by luring a victim to a crafted HTML page that triggers a use-after-free in the WebRTC component. The flaw carries a CVSS 3.1 score of 8.8 (High) and Chromium rates the security severity as High; no public exploit has been identified at time of analysis and the issue is not currently listed in CISA KEV.

Google Memory Corruption RCE Use After Free Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10903 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the WebRTC component that lets a remote attacker run arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. Google rates the underlying Chromium issue as High severity, and no public exploit is identified at time of analysis, though publicly available patch metadata and Chromium bug tracker entries (issue 503422316) confirm the fix.

Google Memory Corruption RCE Use After Free Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10952 HIGH PATCH This Week

Heap corruption in Google Chrome for iOS prior to 149.0.7827.53 allows remote attackers to potentially execute arbitrary code by luring a user to a crafted HTML page that triggers a use-after-free condition. Google has rated this as High severity and a vendor patch is available, though no public exploit has been identified at time of analysis. The CVSS 8.8 score reflects network-reachable exploitation with low complexity but requires user interaction (visiting a malicious page).

Google Memory Corruption Apple Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10932 HIGH PATCH This Week

Heap corruption in Google Chrome on Android before 149.0.7827.53 enables remote attackers to exploit a use-after-free condition in the browser's UI component through a malicious web page. The flaw carries a CVSS 8.8 (High) rating and requires user interaction (visiting a crafted page), with no public exploit identified at time of analysis. Google rates the underlying Chromium severity as High, and a vendor patch is available in the stable channel update.

Denial Of Service Use After Free Memory Corruption Google Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10907 HIGH PATCH This Week

Out-of-bounds write in the ANGLE graphics layer of Google Chrome versions prior to 149.0.7827.53 enables remote attackers to trigger heap corruption and potentially execute arbitrary code by luring a victim to a crafted HTML page. Chromium rates the severity as High and CVSS 8.8 reflects the network attack vector with required user interaction. No public exploit identified at time of analysis, though the bug class (memory corruption in a browser-exposed component) is historically a prime target for weaponization.

Google Memory Corruption Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10891 HIGH PATCH This Week

Heap corruption in Google Chrome's GFX component on Linux prior to version 149.0.7827.53 allows remote attackers to potentially achieve code execution when a victim visits a crafted HTML page. Google rates the underlying Chromium issue as Critical severity, and a vendor patch is available; no public exploit identified at time of analysis.

Denial Of Service Use After Free Memory Corruption Google Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10883 HIGH PATCH This Week

Heap corruption in Google Chrome's ANGLE graphics translation layer prior to version 149.0.7827.53 allows remote attackers to potentially achieve code execution by enticing a user to visit a crafted HTML page. Chromium rates the severity as Critical and the CVSS score is 8.8 (High), but no public exploit identified at time of analysis. The flaw is a type confusion issue that maps to CWE-787 (out-of-bounds write), affecting the browser's WebGL/graphics rendering path.

Google Memory Corruption Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-5066 HIGH This Week

Out-of-bounds write/read in Zephyr RTOS (versions ≤ 4.3) affects the TLS socket connect path when the TLS session cache is enabled, where tls_session_store() and tls_session_restore() memcpy a caller-supplied socket address into a fixed-size 24-byte stack buffer using an unvalidated, caller-controlled addrlen. Because struct net_sockaddr is opaque, an application can pass an oversized addrlen (e.g. 128 bytes), corrupting adjacent memory and causing a crash/denial of service, with potential for arbitrary code execution. Publicly available exploit code exists per the SSVC 'poc' status, but EPSS is very low (0.06%, 18th percentile) and it is not on CISA KEV.

Denial Of Service Memory Corruption Buffer Overflow RCE Zephyr
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-50205 HIGH This Week

Sensitive information disclosure in the Acer Connect M6E 5G Portable WiFi Router exposes cleartext SMTP authentication passwords and employee corporate identification data through system log files. With a CVSS 4.0 score of 8.8 (high confidentiality impact, network attack vector, no privileges or user interaction required) and no public exploit identified at time of analysis, the flaw enables remote attackers who can reach the log output to harvest credentials and PII without authentication.

Information Disclosure Connect M6E 5G Portable Wifi Router
NVD VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-49202 HIGH This Week

Unauthenticated exposure of internal multimedia session archives in the Acer Connect M6E 5G Portable WiFi Router lets remote attackers retrieve sensitive recorded session data, and overly permissive CORS rules amplify the issue by enabling cross-origin theft from any web context a victim visits. CVSS 4.0 rates this 8.8 (high) with network attack vector, no privileges, and no user interaction; no public exploit identified at time of analysis.

Authentication Bypass Connect M6E 5G Portable Wifi Router
NVD VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-11202 HIGH PATCH This Week

Sandbox escape in Google Chrome for iOS prior to 149.0.7827.53 allows a remote attacker who lures a victim to a malicious page to potentially break out of Chrome's renderer sandbox via crafted HTML. The flaw is rated CVSS 8.8 (High) due to high confidentiality, integrity, and availability impact, though Chromium internally classifies severity as Medium and EPSS exploitation probability is currently very low (0.05%). No public exploit identified at time of analysis.

Apple Information Disclosure Google Suse Chrome +1
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11079 HIGH PATCH This Week

Out-of-bounds memory write in Google Chrome's codec component prior to version 149.0.7827.53 allows a remote attacker to corrupt memory by serving a crafted video file to a victim who visits a malicious page or views attacker-supplied media. The flaw stems from insufficient input validation in media codec parsing and carries a CVSS 8.8 rating reflecting high impact across confidentiality, integrity, and availability, though no public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.05%.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11041 HIGH PATCH This Week

Sandbox escape in Google Chrome on Windows prior to 149.0.7827.53 enables a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page that exploits insufficient input validation in the Media component. The flaw requires user interaction (visiting a malicious page) and a prior renderer compromise, making it a second-stage capability typically chained with another bug; no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.05%.

Information Disclosure Google Microsoft Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-50211 HIGH This Week

Exposed factory diagnostics in Acer Connect M6E 5G Portable WiFi Router (firmware M6E_AI_1.00.000019 and earlier) allow malicious applications to obtain write access to internal NVRAM registers, enabling persistent modification of device state and configuration. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the CVSS 4.0 base score of 8.8 reflects high confidentiality and availability impact. The vulnerability was self-reported by Acer and is tracked in the EU vulnerability database as EUVD-2026-34223.

Information Disclosure Connect M6E 5G Portable Wifi Router
NVD VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-50225 HIGH This Week

Database flooding via unauthenticated abuse of Acer Connect M6E 5G Portable WiFi Router's registration endpoint allows remote attackers to exhaust storage by repeatedly invoking /v1/account/register without rate limiting, CAPTCHA, or other bot mitigation. The flaw affects firmware up to and including M6E_AI_1.00.000019 and carries a CVSS 4.0 score of 8.8 driven primarily by a high availability impact; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Connect M6E 5G Portable Wifi Router
NVD VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-11211 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from an integer overflow in the V8 JavaScript engine that allows a remote attacker to execute arbitrary code within the renderer sandbox via a crafted HTML page. The flaw requires user interaction (visiting a malicious page) and currently has no public exploit identified at time of analysis, with an EPSS score of 0.04% indicating very low near-term exploitation probability. Chromium rates the security severity as Medium despite the 8.8 CVSS score, and SSVC indicates no observed exploitation though technical impact is total.

Google RCE Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11144 HIGH PATCH This Week

Remote code execution in Google Chrome's Media component prior to version 149.0.7827.53 allows a remote attacker to trigger a use-after-free via a crafted video file, achieving arbitrary code execution within the renderer sandbox. The flaw requires user interaction (UI:R) such as visiting a malicious page or opening a hostile video, and no public exploit identified at time of analysis. EPSS is very low (0.04%, 12th percentile), but the network-reachable RCE primitive and broad Chrome install base make timely patching essential.

Google Memory Corruption RCE Use After Free Denial Of Service +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11116 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 is possible through a use-after-free flaw in the Chromoting (Chrome Remote Desktop) component, triggered by malicious network traffic targeting a victim's session. The CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability, though successful exploitation requires user interaction. No public exploit has been identified at time of analysis and EPSS exploitation probability is very low at 0.04%.

Google Memory Corruption RCE Use After Free Denial Of Service +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-10904 HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the browser sandbox by luring a user to a crafted HTML page. Rated High severity by Chromium with a CVSS 8.8, the flaw requires user interaction (visiting a malicious site) but no authentication or privileges. No public exploit has been identified at the time of analysis, and the issue is not currently listed in CISA KEV.

Google RCE Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-10893 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the Chromoting (Chrome Remote Desktop) component, which Google rated Critical internally. A remote attacker can deliver malicious network traffic to a user with an active Chromoting session and execute arbitrary code in the browser context, though user interaction is required per the CVSS vector. No public exploit identified at time of analysis, and EPSS probability is very low (0.04%).

Google Memory Corruption RCE Use After Free Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11191 HIGH PATCH This Week

Out-of-bounds memory access in the ANGLE graphics translation layer of Google Chrome before 149.0.7827.53 allows a remote attacker to read or corrupt memory by luring a user to a crafted HTML page. The flaw carries a CVSS 8.8 rating due to high impact on confidentiality, integrity, and availability, though Chromium rates the security severity as Medium and EPSS is very low (0.03%). No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Information Disclosure Google Buffer Overflow
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11188 HIGH PATCH This Week

Sandbox escape in Google Chrome for Android before 149.0.7827.53 lets a remote attacker exploit a use-after-free in the USB component by luring a victim to a crafted HTML page, potentially breaking out of the renderer sandbox. CVSS 8.8 reflects the high impact across confidentiality, integrity, and availability, though successful attack requires user interaction (visiting the page). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Denial Of Service Use After Free Memory Corruption Google Red Hat +2
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11177 HIGH PATCH This Week

Heap corruption in Google Chrome's Omnibox component prior to version 149.0.7827.53 allows remote attackers to potentially execute arbitrary code via a use-after-free condition triggered by a crafted HTML page combined with specific user interface gestures. The flaw carries a CVSS 8.8 (High) rating, though Chromium's internal triage assigned only Medium severity, and EPSS estimates exploitation probability at just 0.03%. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Denial Of Service Use After Free Memory Corruption Google Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11175 HIGH PATCH This Week

UI spoofing in Google Chrome for Android prior to 149.0.7827.53 allows remote attackers to deceive users via crafted HTML pages that abuse the Messages component's security UI. Exploitation requires user interaction with a malicious page, and no public exploit has been identified at time of analysis. Despite a CVSS score of 8.8, EPSS exploitation probability is very low (0.03%, 11th percentile) and the issue is rated Medium by Chromium's own severity scale.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11172 HIGH PATCH This Week

UI spoofing in Google Chrome on Android prior to 149.0.7827.53 allows remote attackers to misrepresent the Contact Picker security UI via a crafted HTML page, potentially tricking users into disclosing contact information. Chromium rates the underlying severity as Medium, and no public exploit has been identified at time of analysis. EPSS probability is very low (0.03%), and the issue is not listed in CISA KEV.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11124 HIGH PATCH This Week

Heap corruption in Google Chrome versions prior to 149.0.7827.53 stems from an integer overflow in the Skia graphics library that can be triggered by a crafted HTML page. Remote attackers can lure a victim to a malicious web page to potentially achieve arbitrary code execution within the renderer process. No public exploit identified at time of analysis, and EPSS exploitation probability is low at 0.03% (11th percentile), though Chrome rendering bugs historically attract exploit development.

Heap Overflow Google Buffer Overflow Chrome Red Hat +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11108 HIGH PATCH This Week

Privilege escalation in Google Chrome on Android prior to 149.0.7827.53 allows a remote attacker to escape the browser's normal privilege boundaries by enticing a victim to visit a crafted HTML page that abuses the NFC implementation. The flaw carries a CVSS 8.8 (high) rating with high confidentiality, integrity, and availability impact, though Chromium itself classified its security severity as Medium. EPSS is very low (0.03%, 11th percentile) and there is no public exploit identified at time of analysis.

Google Privilege Escalation Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11091 HIGH PATCH This Week

Out-of-bounds memory read in the Dawn WebGPU implementation of Google Chrome prior to 149.0.7827.53 allows a remote attacker to access memory outside intended bounds via a crafted HTML page. Exploitation requires the victim to visit an attacker-controlled page, and no public exploit identified at time of analysis. Google rates the Chromium-internal severity as Medium, while NVD assigns CVSS 8.8 reflecting the broad impact on confidentiality, integrity, and availability if successfully triggered.

Information Disclosure Google Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11085 HIGH PATCH This Week

Out-of-bounds memory access in Google Chrome on Android before version 149.0.7827.53 allows remote attackers to corrupt GPU process memory by luring a user to a crafted HTML page that triggers an integer overflow. The flaw carries a CVSS 8.8 (high) rating with high confidentiality, integrity, and availability impact, but EPSS is only 0.03% and no public exploit identified at time of analysis, suggesting low near-term mass-exploitation likelihood despite the severity of the underlying bug class.

Google Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11071 HIGH PATCH This Week

Information disclosure in Google Chrome on Linux prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to read sensitive data from process memory by serving a crafted HTML page that triggers a use-after-free in the Base component. The flaw is rated Medium by Chromium but scored CVSS 8.8 in NVD, and no public exploit identified at time of analysis with an EPSS of 0.03%.

Denial Of Service Use After Free Memory Corruption Google Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11042 HIGH PATCH This Week

Heap corruption in Google Chrome's Views component prior to version 149.0.7827.53 allows a remote attacker to potentially execute code in the renderer when a user is convinced to perform specific UI gestures on a crafted HTML page. The flaw is a use-after-free (CWE-416) carrying a CVSS 8.8 rating, but EPSS is very low at 0.03% (11th percentile) and no public exploit is identified at time of analysis. Google has shipped a patched stable channel build, and Chromium rates the underlying issue as Medium severity.

Denial Of Service Use After Free Memory Corruption Google Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11030 HIGH PATCH This Week

Remote heap corruption in Google Chrome prior to 149.0.7827.53 allows attackers to exploit a use-after-free condition in the Network component via crafted network traffic when a user visits or interacts with attacker-controlled content. Rated CVSS 8.8 with a patch available from Google, though EPSS exploitation probability is currently very low (0.03%, 11th percentile) and no public exploit has been identified at time of analysis.

Denial Of Service Use After Free Memory Corruption Google Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-10989 HIGH PATCH This Week

Heap corruption in Google Chrome's V8 JavaScript engine prior to version 149.0.7827.53 allows remote attackers to potentially achieve code execution when a user visits a crafted HTML page and performs specific UI interactions. The flaw is rated High severity by Chromium and CVSS 8.8, though no public exploit identified at time of analysis and EPSS scoring places near-term mass exploitation probability at 0.03%. A vendor patch is already available through the Stable Channel update.

Heap Overflow Google Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-10988 HIGH PATCH This Week

Sandbox escape in Google Chrome prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a use-after-free in the Views component, triggered by a crafted HTML page. Google rates the Chromium security severity as High and a vendor patch is available, though no public exploit has been identified at time of analysis and EPSS exploitation probability is currently very low (0.03%).

Denial Of Service Use After Free Memory Corruption Google Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-10955 HIGH PATCH This Week

Type confusion in the ANGLE graphics translation layer of Google Chrome on Windows prior to 149.0.7827.53 enables remote attackers to trigger out-of-bounds memory access through a crafted HTML page, with potential for memory corruption leading to code execution in the renderer process. Chromium rates this High severity and a vendor patch is available, though no public exploit is identified at time of analysis and EPSS exploitation probability is currently 0.03%.

Microsoft Information Disclosure Google Memory Corruption Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-10951 HIGH PATCH This Week

Heap corruption in Google Chrome on iOS before version 149.0.7827.53 enables remote attackers to potentially execute arbitrary code by enticing a user to interact with a malicious HTML page that triggers a use-after-free in the Autofill component. Chromium rates the underlying flaw as High severity, and while a vendor patch is available, no public exploit has been identified at time of analysis and EPSS remains very low at 0.03%.

Google Memory Corruption Apple Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-10897 HIGH PATCH This Week

Sandbox escape in Google Chrome's GPU component prior to version 149.0.7827.53 allows remote attackers to break out of the renderer sandbox via a crafted HTML page when a user visits a malicious site. Google's Chromium team rated the underlying issue Critical severity, and while a patch is available, no public exploit identified at time of analysis and EPSS estimates exploitation probability at only 0.03%.

Google Memory Corruption Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11102 HIGH PATCH This Week

Arbitrary code execution within the Chrome sandbox affects Google Chrome desktop builds prior to 149.0.7827.53 due to an inappropriate implementation in the Isolated Web Apps (IWA) component. A remote attacker who convinces a user to open a malicious file can execute code confined to the sandbox process, with no public exploit identified at time of analysis and an EPSS score of only 0.03% (10th percentile) indicating low predicted exploitation likelihood. Google has shipped a fix in the stable channel update for desktop.

Google RCE Red Hat Suse Chrome
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11080 HIGH PATCH This Week

Heap corruption in Google Chrome for Android's WebView component prior to version 149.0.7827.53 allows remote attackers to potentially execute code or crash the browser by luring victims to a crafted HTML page. The flaw is a use-after-free (CWE-416) rated CVSS 8.8 due to network reach and high impact across confidentiality, integrity, and availability, though user interaction is required. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.03%).

Denial Of Service Use After Free Memory Corruption Google Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11024 HIGH PATCH This Week

Stack-based buffer overflow in the Skia graphics library shipped with Google Chrome versions prior to 149.0.7827.53 lets a remote attacker corrupt the renderer process stack by serving a crafted HTML page, with potential for arbitrary code execution within the sandbox. The flaw carries a CVSS 3.1 base score of 8.8 (network vector, user interaction required) and no public exploit identified at time of analysis, while a very low EPSS score of 0.03% (10th percentile) suggests no current mass-exploitation pressure despite the high impact rating.

Google Stack Overflow Buffer Overflow Chrome Red Hat +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-10995 HIGH PATCH This Week

Heap corruption in Google Chrome's TabStrip component before 149.0.7827.53 lets a remote attacker who can lure a user into specific UI interactions on a malicious HTML page trigger memory corruption with high impact to confidentiality, integrity, and availability. The flaw carries a CVSS 8.8 due to network reachability and lack of authentication, though user interaction is required; there is no public exploit identified at time of analysis and EPSS is very low at 0.03%.

Heap Overflow Google Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-10922 HIGH PATCH This Week

Same-origin policy bypass in Google Chrome's DevTools component prior to version 149.0.7827.53 allows remote attackers to violate browser security boundaries when victims perform specific UI gestures on attacker-controlled pages. The flaw stems from insufficient validation of untrusted input within DevTools and is rated High severity by Chromium with a CVSS of 8.8, though no public exploit identified at time of analysis and EPSS is very low at 0.02%.

Authentication Bypass Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11179 HIGH PATCH This Week

Site isolation bypass in Google Chrome versions prior to 149.0.7827.53 allows remote attackers to circumvent a core browser security boundary via a crafted HTML page. The flaw resides in the Opaque Response Blocking (ORB) implementation and requires user interaction (visiting a malicious page), with no public exploit identified at time of analysis and an EPSS score of 0.02% indicating low near-term exploitation likelihood.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
Prev Page 4 of 12 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy