Chrome
Monthly
PIN lock bypass in Easyelife App Lock 1.9.2 for Android allows a local attacker with physical device access to reach applications that were supposedly secured behind a PIN. The root cause is architectural: the lock is implemented as a UI overlay rather than through Android's native secure authentication APIs (BiometricPrompt, KeyguardManager), meaning it can be circumvented by triggering advertisement or browser intents that cause the app to navigate cascading activity flows, effectively routing around the overlay. EPSS is very low at 0.05% (16th percentile), no public exploit is confirmed in CISA KEV, and a researcher disclosure with likely proof-of-concept steps is publicly available on GitHub.
PIN lock bypass in SailingLab AppLock 4.3.8 for Android exposes protected applications to anyone with brief physical device access. The root cause is architectural: the lock is implemented as a screen overlay rather than through Android's secure authentication APIs, meaning the underlying apps remain accessible via exposed intent routes triggered through advertisement or browser interactions. An attacker with physical access can navigate cascading UI flows to dismiss or circumvent the overlay entirely, gaining access to locked apps such as Chrome, resulting in information disclosure and unintended privilege escalation. No public exploit is confirmed in CISA KEV, but a researcher disclosure is publicly available on GitHub, and EPSS is negligible at 0.04% (11th percentile), consistent with the physical-access-only attack vector.
Physical-access PIN lock bypass in AppLockZ 4.2.11 for Android exposes protected applications to unauthorized access without valid credentials. The root cause is architectural: the lock mechanism is implemented as a UI overlay rather than through Android's secure authentication APIs, leaving it vulnerable to circumvention via exposed activity routes reachable through advertisement or browser intents. An attacker with physical possession of the device can navigate cascading interface flows to evade lockscreen verification and access apps protected by AppLockZ (e.g., Chrome), resulting in information disclosure. No active exploitation is confirmed in CISA KEV, and the EPSS score of 0.04% reflects minimal real-world exploitation probability at this time.
Cross-origin data leakage in Google Chrome prior to 148.0.7778.179 exposes sensitive information to attackers who have already achieved renderer process compromise. The flaw stems from insufficient input validation (CWE-20) in Chrome's Input handling, enabling a crafted HTML page to exfiltrate data across origin boundaries. No active exploitation is confirmed - SSVC assigns exploitation status 'none' and the vulnerability is not listed in CISA KEV - but the confidentiality impact is rated High by CVSS, warranting prompt patching.
Heap buffer overflow in the Chromecast component of Google Chrome on Android, Linux, and ChromeOS prior to version 148.0.7778.179 allows an adjacent-network attacker to execute arbitrary code within the renderer sandbox via malicious network traffic. Google's Chrome team reported the issue with a Medium severity rating, and no public exploit identified at time of analysis. The vulnerability requires adjacent network positioning rather than full internet-based access, limiting practical exploitation to attackers on the same local network segment.
Out-of-bounds read in the GPU process of Google Chrome on macOS prior to 148.0.7778.179 exposes potentially sensitive data from process memory to remote attackers. Exploitation requires a victim to visit a crafted HTML page (CVSS UI:R), limiting automation potential - consistent with SSVC's 'Automatable: no' determination. No public exploit identified at time of analysis and CISA has not added this to the Known Exploited Vulnerabilities catalog; Chrome's own severity rating is Medium.
Heap corruption in Google Chrome's GPU component prior to version 148.0.7778.179 allows remote attackers to exploit an out-of-bounds read via a crafted HTML page, potentially leading to arbitrary code execution or information disclosure within the renderer context. The flaw carries a CVSS 8.8 (High) rating due to network reachability and high impact across confidentiality, integrity, and availability, though exploitation requires user interaction (visiting a malicious page). There is no public exploit identified at time of analysis, and CISA SSVC marks exploitation status as 'none', suggesting opportunistic rather than active targeting.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 allows a remote attacker to execute arbitrary code within the renderer sandbox via a crafted HTML page that triggers a use-after-free in the DOM implementation. The flaw requires user interaction (visiting a malicious page) but no authentication, and while Chromium rates its security severity as Medium, the CVSS 3.1 base score of 8.8 reflects high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 stems from a use-after-free flaw in the WebRTC component, enabling a remote attacker to run arbitrary code when a victim visits a crafted HTML page. Chromium rates the severity as High and the CVSS 3.1 score is 8.8, but exploitation requires user interaction (UI:R); no public exploit identified at time of analysis.
Heap buffer overflow in the WebRTC component of Google Chrome before 148.0.7778.179 allows remote attackers to execute arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. The flaw was reported by Chrome's internal security team, has a patched stable channel build available, and carries a CVSS 8.8 score with no public exploit identified at time of analysis. SSVC currently rates exploitation as 'none' but technical impact as 'total', reflecting full compromise of the affected process if triggered.
Remote code execution in Google Chrome on Windows prior to 148.0.7778.179 stems from a use-after-free flaw in the XR (WebXR) component, enabling a remote attacker to run arbitrary code in the renderer process by enticing a user to visit a crafted HTML page. Chromium rates the issue High severity and CVSS scores it 8.8; no public exploit identified at time of analysis and SSVC reports exploitation status as none. A vendor patch is available via the Stable Channel update referenced in the Chrome Releases advisory.
Sandbox escape in Google Chrome (Linux and ChromeOS) prior to 148.0.7778.179 allows a remote attacker who has already compromised the renderer process to break out via a crafted video file processed by the GFX component. The flaw is a type confusion (CWE-843) rated High severity by Chromium, with no public exploit identified at time of analysis and SSVC indicating exploitation has not been observed. It requires user interaction and chained exploitation of a prior renderer compromise, which raises the bar despite the High CVSS of 7.5.
ServiceWorker policy enforcement failure in Google Chrome prior to version 148.0.7778.179 enables unauthenticated remote attackers to leak cross-origin data by luring a victim to a crafted HTML page. The vulnerability stems from Chrome's ServiceWorker layer failing to adequately enforce isolation boundaries (CWE-693), allowing a malicious origin to read data it should not have access to under the same-origin policy. No public exploit identified at time of analysis, and the CVSS score of 4.3 reflects limited confidentiality impact; however, the zero-privilege, network-accessible attack vector means any Chrome user browsing a malicious page could be affected.
Same-origin policy bypass in Google Chrome's Service Worker subsystem (all versions prior to 148.0.7778.179) allows remote unauthenticated attackers to read cross-origin data by luring a victim to a crafted HTML page. The flaw originates from insufficient policy enforcement (CWE-693) within the Service Worker layer, enabling unauthorized access to confidential data across origins. No public exploit code has been identified and no active exploitation is confirmed; Google has shipped a fix in stable channel version 148.0.7778.179.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 stems from a use-after-free condition in the QUIC networking stack, allowing remote attackers to execute arbitrary code within the browser sandbox via malicious network traffic. Exploitation requires user interaction (visiting a malicious site or processing attacker-controlled QUIC traffic), and no public exploit has been identified at time of analysis. Chromium rates this as High severity, and a vendor patch is available.
Out-of-bounds memory read in the GPU component of Google Chrome on macOS exposes process memory to remote attackers via a crafted HTML page. Affected versions are all Chrome releases prior to 148.0.7778.179 on Mac; Windows and Linux are not identified as affected. No public exploit or active exploitation has been identified at time of analysis, and SSVC confirms exploitation status as none with non-automatable attack delivery.
Remote code execution in Google Chrome on Windows prior to version 148.0.7778.179 stems from a use-after-free condition in the GPU component, enabling a remote attacker to run arbitrary code within the renderer sandbox after the victim loads a crafted HTML page. Google has rated the issue High severity and shipped a fix; no public exploit identified at time of analysis and SSVC indicates exploitation status 'none' despite total technical impact.
UI spoofing in Google Chrome on Windows (prior to 148.0.7778.179) enables a remote attacker who has already achieved renderer process compromise to deceive end users through a crafted HTML page, exploiting CWE-451 (UI Misrepresentation of Critical Information). Affected users on Windows running any Chrome version below 148.0.7778.179 are exposed to potential phishing or credential-harvesting scenarios dressed up as legitimate browser UI. No public exploit code or CISA KEV listing exists at time of analysis, but the Chromium team assigned a Critical internal severity - a meaningful contrast with the NVD CVSS score of 4.2 - suggesting the spoofing potential carries downstream risk beyond what the base score reflects.
Remote code execution in Google Chrome on Linux before 148.0.7778.179 stems from a use-after-free flaw in the WebRTC component, allowing a remote attacker who lures a victim to a crafted HTML page to execute arbitrary code in the renderer process. Chromium rates the severity as Critical and a vendor patch is available, though there is no public exploit identified at time of analysis and SSVC indicates no observed exploitation. The CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability with required user interaction (visiting a page).
Arbitrary directory deletion in CloakBrowser's cloakserve CDP multiplexer (pip package cloakbrowser <= 0.3.27) allows unauthenticated network attackers to delete directories accessible to the service user by supplying path traversal sequences in the fingerprint query parameter. The service binds to 0.0.0.0 by default, dramatically widening exposure, and no public exploit identified at time of analysis though the vulnerability is trivially reproducible from the published advisory.
Open WebUI versions up to 0.8.8 expose admin-configured system prompts to authenticated regular (non-admin) users through the /api/models API endpoint, allowing information disclosure of sensitive model instructions and internal configuration details. The vulnerability requires valid user authentication but no administrative privileges, enabling any authenticated user to retrieve confidential system prompts via a simple HTTP GET request. This is confirmed actively exploited in production deployments with a publicly available proof-of-concept.
Use after free in Extensions in Google Chrome on Mac prior to 148.0.7778.168 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Medium)
Discretionary access control bypass in Chrome Remote Desktop (Chromoting) allows adjacent network attackers to achieve limited confidentiality, integrity, and availability impact through a malicious file requiring user interaction. Google released Chrome 148.0.7778.168 to address this medium-severity flaw. EPSS score of 0.01% (1st percentile) and CISA SSVC assessment indicate low real-world exploitation probability with no observed exploitation activity. The adjacent network attack vector (AV:A) significantly constrains attacker positioning compared to typical remote vulnerabilities.
Out-of-bounds memory read in Google Chrome on iOS versions before 148.0.7778.168 enables remote attackers to access sensitive memory contents through a compromised renderer process. The vulnerability requires user interaction to visit a malicious webpage and exploitation of a prior renderer compromise. With EPSS at 0.03% and no known active exploitation, this represents a moderate risk primarily in targeted attack chains.
Inappropriate implementation in Views in Google Chrome on iOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Insufficient policy enforcement in WebXR in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Object lifecycle issue in Dawn in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Out-of-bounds memory write in Google Chrome's Skia graphics library (versions prior to 148.0.7778.168) enables attackers with an already-compromised renderer process to escalate privileges via malicious print files. This represents a sandbox escape vulnerability requiring high attack complexity and user interaction (printing or opening a crafted print file). While CVSS rates this 3.1 (Low), the real-world risk depends on the attacker already having achieved renderer compromise — making this a second-stage attack vector. No active exploitation confirmed (EPSS 0.05%, not in CISA KEV), but vendor patch available as of Chrome 148.0.7778.168.
Google Chrome on Linux versions prior to 148.0.7778.168 suffers from an out-of-bounds read vulnerability in GPU processing that enables cross-origin data leakage. An attacker who has already compromised the renderer process can craft malicious HTML to read sensitive memory beyond allocated bounds, exposing data from other origins that should be isolated by the browser's same-origin policy. EPSS exploitation probability is very low (0.03%, 10th percentile) and no active exploitation or public POC has been identified. Google rates this Medium severity and released patch 148.0.7778.168 to address the issue.
Integer overflow in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Cross-origin data leakage in Google Chrome on Linux and ChromeOS allows remote attackers to read sensitive data from other origins via malicious HTML pages exploiting flawed CORS implementation. Affects versions prior to 148.0.7778.168. Google released a patch in their May 2026 stable channel update. EPSS score of 0.03% (10th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). SSVC assessment indicates no current exploitation, non-automatable attack requiring user interaction, with partial technical impact limited to confidentiality breach.
Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Integer overflow in Codecs in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)
Cross-origin data leakage in Google Chrome on Android allows compromised renderer processes to access sensitive information from other sites via malicious HTML pages. Affects Chrome versions prior to 148.0.7778.168 on Android platforms. Attack requires high complexity (user interaction with crafted content) and prior renderer compromise, limiting practical exploitation. EPSS score of 0.03% (10th percentile) and SSVC assessment indicating no active exploitation align with the limited real-world risk profile despite the cross-origin information disclosure capability.
Insufficient policy enforcement in GPU in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Type Confusion in V8 in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Out of bounds write in Codecs in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)
Site Isolation bypass in Google Chrome prior to 148.0.7778.168 allows remote attackers who have already compromised the renderer process to access cross-site data via crafted HTML pages. The vulnerability affects Chrome's AI policy enforcement, enabling a second-stage attack after initial renderer compromise. Attack complexity is high, requiring both initial renderer compromise and user interaction. EPSS score of 0.02% indicates very low exploitation probability, and no active exploitation or public POC has been identified. Vendor patch is available in Chrome 148.0.7778.168.
Integer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Medium)
Insufficient policy enforcement in Google Chrome's Android payment implementation allows remote attackers to bypass access control restrictions through specially crafted HTML pages, affecting Chrome versions prior to 148.0.7778.168 on Android. The vulnerability requires user interaction (visiting a malicious page) but can be exploited remotely without authentication. EPSS exploitation probability is low (0.02%, 4th percentile), and a vendor-released patch is available. While tagged as an authentication bypass, the CVSS impact indicates only low integrity compromise with no confidentiality or availability impact.
Inappropriate implementation in Downloads in Google Chrome on Mac prior to 148.0.7778.168 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Medium)
Incorrect security UI in Downloads in Google Chrome on Android and Mac prior to 148.0.7778.168 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Navigation restrictions can be bypassed in Google Chrome for Windows versions prior to 148.0.7778.168 when attackers craft malicious HTML pages that exploit insufficient sandbox policy enforcement in iframe elements. User interaction (opening/visiting the crafted page) is required for exploitation. Google released a patched version addressing this medium-severity flaw. With EPSS exploitation probability at 0.02% (4th percentile) and no KEV listing, this represents a moderate-priority issue primarily affecting organizations running outdated Chrome versions on Windows systems.
Cross-origin data leakage in Google Chrome versions prior to 148.0.7778.168 enables remote attackers to extract sensitive information from other origins through side-channel attacks in the Navigation component. The vulnerability requires user interaction with a malicious HTML page and exploits timing or behavioral characteristics to bypass same-origin policy protections. EPSS score of 0.03% (10th percentile) indicates low observed exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis. Google has released a patch in Chrome 148.0.7778.168.
Incorrect security UI in Fullscreen in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Heap buffer overflow in SwiftShader in Google Chrome on Mac and iOS prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)
Integer overflow in Internationalization in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Use after free in Accessibility in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)
Cross-origin data leakage in Google Chrome on Windows via ANGLE graphics library allows renderer-compromised attackers to steal sensitive data from other origins through specially crafted web pages. Affects Chrome versions prior to 148.0.7778.168 on Windows platforms. EPSS probability of 0.03% (10th percentile) indicates low observed exploitation likelihood, with CISA SSVC confirming no active exploitation and non-automatable attack chain. Vendor patch released in Chrome 148.0.7778.168 stable channel update. Attack requires successful renderer process compromise as prerequisite, combined with user interaction, creating a chained exploitation scenario rather than standalone vulnerability.
Use after free in GTK in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Out-of-bounds memory write in Google Chrome's ANGLE graphics library (Windows only) enables attackers who have already compromised the renderer process to corrupt memory via specially crafted HTML pages. Chrome 148.0.7778.168 patches this type confusion vulnerability. Despite high Chromium severity rating, CVSS 3.1 scores only 3.1 due to prerequisite renderer compromise, high attack complexity, and required user interaction. EPSS 0.03% (10th percentile) and SSVC indicating no known exploitation suggest limited real-world risk at time of analysis.
Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Heap buffer overflow in GPU in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Use after free in Downloads in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Use after free in Google Lens in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Out of bounds write in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Insufficient policy enforcement in Passwords in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)
Out of bounds read in GPU in Google Chrome on Mac and Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Cross-origin data leakage in Google Chrome versions prior to 148.0.7778.168 occurs when an attacker who has already compromised the renderer process exploits an object corruption flaw in the Compositing component. The vulnerability requires user interaction with a malicious HTML page and high attack complexity to leak sensitive cross-origin data. Google has released a patch in Chrome 148.0.7778.168, and with EPSS at 0.03% (10th percentile) and no evidence of active exploitation (SSVC: none), this represents a medium-priority targeted threat rather than widespread exploitation risk.
Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Out of bounds read in FileSystem in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Out of bounds read in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Type Confusion in V8 in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Script injection in SanitizerAPI in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
Insufficient validation of untrusted input in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform a denial of service via a crafted HTML page. (Chromium security severity: High)
Google Chrome versions prior to 148.0.7778.168 leak cross-origin data through insufficient policy enforcement in the ViewTransitions API when users interact with specially crafted HTML pages. The vulnerability enables remote attackers to bypass same-origin policy protections and extract sensitive information from other origins without authentication, though exploitation requires user interaction (clicking a link or visiting a malicious page). With EPSS at 0.03% (10th percentile) and no confirmed active exploitation, this represents a moderate information disclosure risk primarily affecting organizations where targeted phishing could deliver malicious pages to Chrome users.
Site Isolation bypass in Google Chrome on macOS allows attackers who have already compromised the renderer process to leak limited cross-origin data via malicious HTML in ReadingMode. Affects Chrome versions prior to 148.0.7778.168 on Mac only. EPSS score of 0.02% (6th percentile) indicates very low predicted exploitation probability. No active exploitation detected (not in CISA KEV), no public POC identified. CVSS 3.1 assigns Low severity despite High vendor severity rating due to requiring both renderer compromise and user interaction, with impact limited to confidentiality only.
Out of bounds read in Media in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted JPEG file. (Chromium security severity: High)
Integer overflow in GPU in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Accessibility in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Integer overflow in XML in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Heap buffer overflow in WebML in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Use after free in Network in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Heap buffer overflow in Codecs in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted video file. (Chromium security severity: High)
Site Isolation bypass in Google Chrome versions prior to 148.0.7778.168 enables attackers who have already compromised the renderer process to break out of security sandboxes via specially crafted HTML pages. This represents an escalation path within Chrome's multi-process architecture, allowing cross-origin data access after initial renderer compromise. Vendor patch available as of May 2026 stable channel update. EPSS score of 0.02% (6th percentile) indicates minimal observed exploitation activity, and no CISA KEV listing or public POC exists at time of analysis, suggesting lower immediate priority despite the architectural significance of Site Isolation failures.
Insufficient validation of untrusted input in Downloads in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Out of bounds write in WebRTC in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Heap buffer overflow in ANGLE in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Out of bounds write in WebAudio in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Out of bounds write in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Downloads in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Tab Groups in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)
Race in Payments in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Integer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
PIN lock bypass in Easyelife App Lock 1.9.2 for Android allows a local attacker with physical device access to reach applications that were supposedly secured behind a PIN. The root cause is architectural: the lock is implemented as a UI overlay rather than through Android's native secure authentication APIs (BiometricPrompt, KeyguardManager), meaning it can be circumvented by triggering advertisement or browser intents that cause the app to navigate cascading activity flows, effectively routing around the overlay. EPSS is very low at 0.05% (16th percentile), no public exploit is confirmed in CISA KEV, and a researcher disclosure with likely proof-of-concept steps is publicly available on GitHub.
PIN lock bypass in SailingLab AppLock 4.3.8 for Android exposes protected applications to anyone with brief physical device access. The root cause is architectural: the lock is implemented as a screen overlay rather than through Android's secure authentication APIs, meaning the underlying apps remain accessible via exposed intent routes triggered through advertisement or browser interactions. An attacker with physical access can navigate cascading UI flows to dismiss or circumvent the overlay entirely, gaining access to locked apps such as Chrome, resulting in information disclosure and unintended privilege escalation. No public exploit is confirmed in CISA KEV, but a researcher disclosure is publicly available on GitHub, and EPSS is negligible at 0.04% (11th percentile), consistent with the physical-access-only attack vector.
Physical-access PIN lock bypass in AppLockZ 4.2.11 for Android exposes protected applications to unauthorized access without valid credentials. The root cause is architectural: the lock mechanism is implemented as a UI overlay rather than through Android's secure authentication APIs, leaving it vulnerable to circumvention via exposed activity routes reachable through advertisement or browser intents. An attacker with physical possession of the device can navigate cascading interface flows to evade lockscreen verification and access apps protected by AppLockZ (e.g., Chrome), resulting in information disclosure. No active exploitation is confirmed in CISA KEV, and the EPSS score of 0.04% reflects minimal real-world exploitation probability at this time.
Cross-origin data leakage in Google Chrome prior to 148.0.7778.179 exposes sensitive information to attackers who have already achieved renderer process compromise. The flaw stems from insufficient input validation (CWE-20) in Chrome's Input handling, enabling a crafted HTML page to exfiltrate data across origin boundaries. No active exploitation is confirmed - SSVC assigns exploitation status 'none' and the vulnerability is not listed in CISA KEV - but the confidentiality impact is rated High by CVSS, warranting prompt patching.
Heap buffer overflow in the Chromecast component of Google Chrome on Android, Linux, and ChromeOS prior to version 148.0.7778.179 allows an adjacent-network attacker to execute arbitrary code within the renderer sandbox via malicious network traffic. Google's Chrome team reported the issue with a Medium severity rating, and no public exploit identified at time of analysis. The vulnerability requires adjacent network positioning rather than full internet-based access, limiting practical exploitation to attackers on the same local network segment.
Out-of-bounds read in the GPU process of Google Chrome on macOS prior to 148.0.7778.179 exposes potentially sensitive data from process memory to remote attackers. Exploitation requires a victim to visit a crafted HTML page (CVSS UI:R), limiting automation potential - consistent with SSVC's 'Automatable: no' determination. No public exploit identified at time of analysis and CISA has not added this to the Known Exploited Vulnerabilities catalog; Chrome's own severity rating is Medium.
Heap corruption in Google Chrome's GPU component prior to version 148.0.7778.179 allows remote attackers to exploit an out-of-bounds read via a crafted HTML page, potentially leading to arbitrary code execution or information disclosure within the renderer context. The flaw carries a CVSS 8.8 (High) rating due to network reachability and high impact across confidentiality, integrity, and availability, though exploitation requires user interaction (visiting a malicious page). There is no public exploit identified at time of analysis, and CISA SSVC marks exploitation status as 'none', suggesting opportunistic rather than active targeting.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 allows a remote attacker to execute arbitrary code within the renderer sandbox via a crafted HTML page that triggers a use-after-free in the DOM implementation. The flaw requires user interaction (visiting a malicious page) but no authentication, and while Chromium rates its security severity as Medium, the CVSS 3.1 base score of 8.8 reflects high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 stems from a use-after-free flaw in the WebRTC component, enabling a remote attacker to run arbitrary code when a victim visits a crafted HTML page. Chromium rates the severity as High and the CVSS 3.1 score is 8.8, but exploitation requires user interaction (UI:R); no public exploit identified at time of analysis.
Heap buffer overflow in the WebRTC component of Google Chrome before 148.0.7778.179 allows remote attackers to execute arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. The flaw was reported by Chrome's internal security team, has a patched stable channel build available, and carries a CVSS 8.8 score with no public exploit identified at time of analysis. SSVC currently rates exploitation as 'none' but technical impact as 'total', reflecting full compromise of the affected process if triggered.
Remote code execution in Google Chrome on Windows prior to 148.0.7778.179 stems from a use-after-free flaw in the XR (WebXR) component, enabling a remote attacker to run arbitrary code in the renderer process by enticing a user to visit a crafted HTML page. Chromium rates the issue High severity and CVSS scores it 8.8; no public exploit identified at time of analysis and SSVC reports exploitation status as none. A vendor patch is available via the Stable Channel update referenced in the Chrome Releases advisory.
Sandbox escape in Google Chrome (Linux and ChromeOS) prior to 148.0.7778.179 allows a remote attacker who has already compromised the renderer process to break out via a crafted video file processed by the GFX component. The flaw is a type confusion (CWE-843) rated High severity by Chromium, with no public exploit identified at time of analysis and SSVC indicating exploitation has not been observed. It requires user interaction and chained exploitation of a prior renderer compromise, which raises the bar despite the High CVSS of 7.5.
ServiceWorker policy enforcement failure in Google Chrome prior to version 148.0.7778.179 enables unauthenticated remote attackers to leak cross-origin data by luring a victim to a crafted HTML page. The vulnerability stems from Chrome's ServiceWorker layer failing to adequately enforce isolation boundaries (CWE-693), allowing a malicious origin to read data it should not have access to under the same-origin policy. No public exploit identified at time of analysis, and the CVSS score of 4.3 reflects limited confidentiality impact; however, the zero-privilege, network-accessible attack vector means any Chrome user browsing a malicious page could be affected.
Same-origin policy bypass in Google Chrome's Service Worker subsystem (all versions prior to 148.0.7778.179) allows remote unauthenticated attackers to read cross-origin data by luring a victim to a crafted HTML page. The flaw originates from insufficient policy enforcement (CWE-693) within the Service Worker layer, enabling unauthorized access to confidential data across origins. No public exploit code has been identified and no active exploitation is confirmed; Google has shipped a fix in stable channel version 148.0.7778.179.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 stems from a use-after-free condition in the QUIC networking stack, allowing remote attackers to execute arbitrary code within the browser sandbox via malicious network traffic. Exploitation requires user interaction (visiting a malicious site or processing attacker-controlled QUIC traffic), and no public exploit has been identified at time of analysis. Chromium rates this as High severity, and a vendor patch is available.
Out-of-bounds memory read in the GPU component of Google Chrome on macOS exposes process memory to remote attackers via a crafted HTML page. Affected versions are all Chrome releases prior to 148.0.7778.179 on Mac; Windows and Linux are not identified as affected. No public exploit or active exploitation has been identified at time of analysis, and SSVC confirms exploitation status as none with non-automatable attack delivery.
Remote code execution in Google Chrome on Windows prior to version 148.0.7778.179 stems from a use-after-free condition in the GPU component, enabling a remote attacker to run arbitrary code within the renderer sandbox after the victim loads a crafted HTML page. Google has rated the issue High severity and shipped a fix; no public exploit identified at time of analysis and SSVC indicates exploitation status 'none' despite total technical impact.
UI spoofing in Google Chrome on Windows (prior to 148.0.7778.179) enables a remote attacker who has already achieved renderer process compromise to deceive end users through a crafted HTML page, exploiting CWE-451 (UI Misrepresentation of Critical Information). Affected users on Windows running any Chrome version below 148.0.7778.179 are exposed to potential phishing or credential-harvesting scenarios dressed up as legitimate browser UI. No public exploit code or CISA KEV listing exists at time of analysis, but the Chromium team assigned a Critical internal severity - a meaningful contrast with the NVD CVSS score of 4.2 - suggesting the spoofing potential carries downstream risk beyond what the base score reflects.
Remote code execution in Google Chrome on Linux before 148.0.7778.179 stems from a use-after-free flaw in the WebRTC component, allowing a remote attacker who lures a victim to a crafted HTML page to execute arbitrary code in the renderer process. Chromium rates the severity as Critical and a vendor patch is available, though there is no public exploit identified at time of analysis and SSVC indicates no observed exploitation. The CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability with required user interaction (visiting a page).
Arbitrary directory deletion in CloakBrowser's cloakserve CDP multiplexer (pip package cloakbrowser <= 0.3.27) allows unauthenticated network attackers to delete directories accessible to the service user by supplying path traversal sequences in the fingerprint query parameter. The service binds to 0.0.0.0 by default, dramatically widening exposure, and no public exploit identified at time of analysis though the vulnerability is trivially reproducible from the published advisory.
Open WebUI versions up to 0.8.8 expose admin-configured system prompts to authenticated regular (non-admin) users through the /api/models API endpoint, allowing information disclosure of sensitive model instructions and internal configuration details. The vulnerability requires valid user authentication but no administrative privileges, enabling any authenticated user to retrieve confidential system prompts via a simple HTTP GET request. This is confirmed actively exploited in production deployments with a publicly available proof-of-concept.
Use after free in Extensions in Google Chrome on Mac prior to 148.0.7778.168 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Medium)
Discretionary access control bypass in Chrome Remote Desktop (Chromoting) allows adjacent network attackers to achieve limited confidentiality, integrity, and availability impact through a malicious file requiring user interaction. Google released Chrome 148.0.7778.168 to address this medium-severity flaw. EPSS score of 0.01% (1st percentile) and CISA SSVC assessment indicate low real-world exploitation probability with no observed exploitation activity. The adjacent network attack vector (AV:A) significantly constrains attacker positioning compared to typical remote vulnerabilities.
Out-of-bounds memory read in Google Chrome on iOS versions before 148.0.7778.168 enables remote attackers to access sensitive memory contents through a compromised renderer process. The vulnerability requires user interaction to visit a malicious webpage and exploitation of a prior renderer compromise. With EPSS at 0.03% and no known active exploitation, this represents a moderate risk primarily in targeted attack chains.
Inappropriate implementation in Views in Google Chrome on iOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Insufficient policy enforcement in WebXR in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Object lifecycle issue in Dawn in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Out-of-bounds memory write in Google Chrome's Skia graphics library (versions prior to 148.0.7778.168) enables attackers with an already-compromised renderer process to escalate privileges via malicious print files. This represents a sandbox escape vulnerability requiring high attack complexity and user interaction (printing or opening a crafted print file). While CVSS rates this 3.1 (Low), the real-world risk depends on the attacker already having achieved renderer compromise — making this a second-stage attack vector. No active exploitation confirmed (EPSS 0.05%, not in CISA KEV), but vendor patch available as of Chrome 148.0.7778.168.
Google Chrome on Linux versions prior to 148.0.7778.168 suffers from an out-of-bounds read vulnerability in GPU processing that enables cross-origin data leakage. An attacker who has already compromised the renderer process can craft malicious HTML to read sensitive memory beyond allocated bounds, exposing data from other origins that should be isolated by the browser's same-origin policy. EPSS exploitation probability is very low (0.03%, 10th percentile) and no active exploitation or public POC has been identified. Google rates this Medium severity and released patch 148.0.7778.168 to address the issue.
Integer overflow in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Cross-origin data leakage in Google Chrome on Linux and ChromeOS allows remote attackers to read sensitive data from other origins via malicious HTML pages exploiting flawed CORS implementation. Affects versions prior to 148.0.7778.168. Google released a patch in their May 2026 stable channel update. EPSS score of 0.03% (10th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). SSVC assessment indicates no current exploitation, non-automatable attack requiring user interaction, with partial technical impact limited to confidentiality breach.
Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Integer overflow in Codecs in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)
Cross-origin data leakage in Google Chrome on Android allows compromised renderer processes to access sensitive information from other sites via malicious HTML pages. Affects Chrome versions prior to 148.0.7778.168 on Android platforms. Attack requires high complexity (user interaction with crafted content) and prior renderer compromise, limiting practical exploitation. EPSS score of 0.03% (10th percentile) and SSVC assessment indicating no active exploitation align with the limited real-world risk profile despite the cross-origin information disclosure capability.
Insufficient policy enforcement in GPU in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Type Confusion in V8 in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Out of bounds write in Codecs in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)
Site Isolation bypass in Google Chrome prior to 148.0.7778.168 allows remote attackers who have already compromised the renderer process to access cross-site data via crafted HTML pages. The vulnerability affects Chrome's AI policy enforcement, enabling a second-stage attack after initial renderer compromise. Attack complexity is high, requiring both initial renderer compromise and user interaction. EPSS score of 0.02% indicates very low exploitation probability, and no active exploitation or public POC has been identified. Vendor patch is available in Chrome 148.0.7778.168.
Integer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Medium)
Insufficient policy enforcement in Google Chrome's Android payment implementation allows remote attackers to bypass access control restrictions through specially crafted HTML pages, affecting Chrome versions prior to 148.0.7778.168 on Android. The vulnerability requires user interaction (visiting a malicious page) but can be exploited remotely without authentication. EPSS exploitation probability is low (0.02%, 4th percentile), and a vendor-released patch is available. While tagged as an authentication bypass, the CVSS impact indicates only low integrity compromise with no confidentiality or availability impact.
Inappropriate implementation in Downloads in Google Chrome on Mac prior to 148.0.7778.168 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Medium)
Incorrect security UI in Downloads in Google Chrome on Android and Mac prior to 148.0.7778.168 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Navigation restrictions can be bypassed in Google Chrome for Windows versions prior to 148.0.7778.168 when attackers craft malicious HTML pages that exploit insufficient sandbox policy enforcement in iframe elements. User interaction (opening/visiting the crafted page) is required for exploitation. Google released a patched version addressing this medium-severity flaw. With EPSS exploitation probability at 0.02% (4th percentile) and no KEV listing, this represents a moderate-priority issue primarily affecting organizations running outdated Chrome versions on Windows systems.
Cross-origin data leakage in Google Chrome versions prior to 148.0.7778.168 enables remote attackers to extract sensitive information from other origins through side-channel attacks in the Navigation component. The vulnerability requires user interaction with a malicious HTML page and exploits timing or behavioral characteristics to bypass same-origin policy protections. EPSS score of 0.03% (10th percentile) indicates low observed exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis. Google has released a patch in Chrome 148.0.7778.168.
Incorrect security UI in Fullscreen in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Heap buffer overflow in SwiftShader in Google Chrome on Mac and iOS prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)
Integer overflow in Internationalization in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Use after free in Accessibility in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)
Cross-origin data leakage in Google Chrome on Windows via ANGLE graphics library allows renderer-compromised attackers to steal sensitive data from other origins through specially crafted web pages. Affects Chrome versions prior to 148.0.7778.168 on Windows platforms. EPSS probability of 0.03% (10th percentile) indicates low observed exploitation likelihood, with CISA SSVC confirming no active exploitation and non-automatable attack chain. Vendor patch released in Chrome 148.0.7778.168 stable channel update. Attack requires successful renderer process compromise as prerequisite, combined with user interaction, creating a chained exploitation scenario rather than standalone vulnerability.
Use after free in GTK in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Out-of-bounds memory write in Google Chrome's ANGLE graphics library (Windows only) enables attackers who have already compromised the renderer process to corrupt memory via specially crafted HTML pages. Chrome 148.0.7778.168 patches this type confusion vulnerability. Despite high Chromium severity rating, CVSS 3.1 scores only 3.1 due to prerequisite renderer compromise, high attack complexity, and required user interaction. EPSS 0.03% (10th percentile) and SSVC indicating no known exploitation suggest limited real-world risk at time of analysis.
Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Heap buffer overflow in GPU in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Use after free in Downloads in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Use after free in Google Lens in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Out of bounds write in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Insufficient policy enforcement in Passwords in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)
Out of bounds read in GPU in Google Chrome on Mac and Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Cross-origin data leakage in Google Chrome versions prior to 148.0.7778.168 occurs when an attacker who has already compromised the renderer process exploits an object corruption flaw in the Compositing component. The vulnerability requires user interaction with a malicious HTML page and high attack complexity to leak sensitive cross-origin data. Google has released a patch in Chrome 148.0.7778.168, and with EPSS at 0.03% (10th percentile) and no evidence of active exploitation (SSVC: none), this represents a medium-priority targeted threat rather than widespread exploitation risk.
Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Out of bounds read in FileSystem in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Out of bounds read in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Type Confusion in V8 in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Script injection in SanitizerAPI in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
Insufficient validation of untrusted input in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform a denial of service via a crafted HTML page. (Chromium security severity: High)
Google Chrome versions prior to 148.0.7778.168 leak cross-origin data through insufficient policy enforcement in the ViewTransitions API when users interact with specially crafted HTML pages. The vulnerability enables remote attackers to bypass same-origin policy protections and extract sensitive information from other origins without authentication, though exploitation requires user interaction (clicking a link or visiting a malicious page). With EPSS at 0.03% (10th percentile) and no confirmed active exploitation, this represents a moderate information disclosure risk primarily affecting organizations where targeted phishing could deliver malicious pages to Chrome users.
Site Isolation bypass in Google Chrome on macOS allows attackers who have already compromised the renderer process to leak limited cross-origin data via malicious HTML in ReadingMode. Affects Chrome versions prior to 148.0.7778.168 on Mac only. EPSS score of 0.02% (6th percentile) indicates very low predicted exploitation probability. No active exploitation detected (not in CISA KEV), no public POC identified. CVSS 3.1 assigns Low severity despite High vendor severity rating due to requiring both renderer compromise and user interaction, with impact limited to confidentiality only.
Out of bounds read in Media in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted JPEG file. (Chromium security severity: High)
Integer overflow in GPU in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Accessibility in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Integer overflow in XML in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Heap buffer overflow in WebML in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Use after free in Network in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Heap buffer overflow in Codecs in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted video file. (Chromium security severity: High)
Site Isolation bypass in Google Chrome versions prior to 148.0.7778.168 enables attackers who have already compromised the renderer process to break out of security sandboxes via specially crafted HTML pages. This represents an escalation path within Chrome's multi-process architecture, allowing cross-origin data access after initial renderer compromise. Vendor patch available as of May 2026 stable channel update. EPSS score of 0.02% (6th percentile) indicates minimal observed exploitation activity, and no CISA KEV listing or public POC exists at time of analysis, suggesting lower immediate priority despite the architectural significance of Site Isolation failures.
Insufficient validation of untrusted input in Downloads in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Out of bounds write in WebRTC in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Heap buffer overflow in ANGLE in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Out of bounds write in WebAudio in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Out of bounds write in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Downloads in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Tab Groups in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)
Race in Payments in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Integer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)