Skip to main content

Google

13978 CVEs vendor

Monthly

CVE-2026-7986 MEDIUM PATCH This Month

Insufficient policy enforcement in Autofill in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Red Hat Suse Chrome
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7985 HIGH PATCH This Week

Sandbox escape in Google Chrome's GPU component affects versions prior to 148.0.7778.96. An attacker who has already compromised the renderer process can escalate privileges to break out of Chrome's sandbox by exploiting a use-after-free memory corruption vulnerability via a specially crafted HTML page. This requires high attack complexity and user interaction (visiting a malicious page). No active exploitation confirmed at time of analysis, and vendor-released patch (version 148.0.7778.96) is available. EPSS data not provided, but the combination of network vector, changed scope (S:C in CVSS), and sandbox escape capability makes this a priority update for Chrome deployments despite Chromium's 'Medium' internal severity rating.

Google Denial Of Service Use After Free Memory Corruption Red Hat +2
NVD
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-7984 HIGH PATCH This Week

Remote code execution in Google Chrome's ReadingMode component (versions prior to 148.0.7778.96) allows attackers who have already compromised the renderer process to escape sandbox restrictions and execute arbitrary code on the underlying system. The vulnerability requires user interaction to visit a malicious webpage but exploitation complexity is low once renderer compromise is achieved. EPSS data not available; no CISA KEV listing identified at time of analysis, indicating no confirmed widespread exploitation. Vendor-released patch available in Chrome 148.0.7778.96.

Denial Of Service Use After Free Memory Corruption RCE Google +3
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7983 MEDIUM PATCH This Month

Out of bounds read in Dawn in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Google Information Disclosure Buffer Overflow Red Hat Suse +1
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7982 MEDIUM PATCH This Month

Uninitialized Use in WebCodecs in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Red Hat Suse Chrome
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-7981 HIGH PATCH This Week

Out-of-bounds read in Chrome's codec implementation allows remote attackers to extract potentially sensitive data from process memory by delivering a malicious media file. Affects Chrome versions prior to 148.0.7778.96. The vulnerability requires user interaction (opening or playing a crafted file) but operates over the network. Google rated this as Medium severity within the Chromium security framework.

Google Information Disclosure Buffer Overflow Red Hat Suse +1
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-7980 HIGH PATCH This Week

Remote code execution in Google Chrome's WebAudio implementation (versions before 148.0.7778.96) allows attackers to execute arbitrary code within the browser sandbox by exploiting a use-after-free vulnerability through a malicious HTML page. The vulnerability requires user interaction (visiting a crafted page) but no authentication. Google has released Chrome 148.0.7778.96 to address this issue. EPSS data not available; no KEV listing or public POC identified at time of analysis, suggesting limited real-world exploitation observed despite the high CVSS score.

Denial Of Service Use After Free Memory Corruption RCE Google +3
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7979 MEDIUM PATCH This Month

Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7978 HIGH PATCH This Week

OS-level privilege escalation in Google Chrome for macOS allows remote attackers to gain elevated system privileges through malicious network traffic exploiting the Companion component. Affects all Chrome versions prior to 148.0.7778.96 on Mac. Vendor-released patch available (Chrome 148.0.7778.96). No public exploit or active exploitation confirmed at time of analysis, though high-complexity network-based attack vector (CVSS AV:N/AC:H) suggests specialized exploitation requirements despite unauthenticated remote access.

Privilege Escalation Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-7977 MEDIUM PATCH This Month

Inappropriate implementation in Canvas in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

Privilege Escalation Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-7976 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.96 via malicious extension exploitation of use-after-free in Views component. Successful exploitation requires convincing a user to install a crafted Chrome extension, after which the attacker can execute arbitrary code with Chrome's privileges. Google has released Chrome 148.0.7778.96 to address this vulnerability. No evidence of active exploitation (not listed in CISA KEV) or public proof-of-concept code identified at time of analysis. CVSS 7.5 severity driven by high attack complexity and required user interaction, which moderates real-world exploitation risk despite potential for full system compromise.

Denial Of Service Use After Free Memory Corruption RCE Google +3
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-7975 HIGH PATCH This Week

Sandbox escape in Google Chrome's DevTools component allows attackers who have already compromised the renderer process to break out of the browser sandbox and execute code on the underlying system. Affects all Chrome versions prior to 148.0.7778.96. Google has released version 148.0.7778.96 to patch this vulnerability. The attack requires high complexity and user interaction (visiting a malicious page), but successful exploitation enables complete system compromise with changed scope (S:C in CVSS vector), escalating from renderer-level access to full system access. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis.

Google Denial Of Service Use After Free Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-7974 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.96 allows attackers to execute arbitrary code within the browser's sandbox by exploiting a use-after-free vulnerability in the Blink rendering engine through a specially crafted HTML page. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, though exploitation requires user interaction (visiting a malicious webpage). EPSS data not available. Not listed in CISA KEV at time of analysis. Vendor-released patch available in Chrome 148.0.7778.96.

Denial Of Service Use After Free Memory Corruption RCE Google +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7973 HIGH PATCH This Week

Integer overflow in Chrome's Dawn graphics API (WebGPU) enables sandbox escape on Windows systems when users visit attacker-controlled web pages. Affects all Chrome versions prior to 148.0.7778.96 on Windows platforms. Vendor-released patch available in Chrome 148.0.7778.96 (confirmed by Google Stable Channel release). CVSS 8.8 reflects high impact but requires user interaction. No public exploit code or CISA KEV listing identified at time of analysis, indicating targeted or proof-of-concept stage exploitation risk rather than widespread active exploitation.

Microsoft Google Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7972 MEDIUM PATCH This Month

Uninitialized Use in GPU in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7971 MEDIUM PATCH This Month

Inappropriate implementation in ORB in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)

Privilege Escalation Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-7970 HIGH PATCH This Week

Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox through a use-after-free vulnerability in the TopChrome component. Attack requires user interaction with a malicious HTML page and has high attack complexity. EPSS data not available; no active exploitation confirmed at time of analysis. Vendor-released patch available in Chrome 148.0.7778.96.

Google Denial Of Service Use After Free Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-7969 MEDIUM PATCH This Month

Integer overflow in Chrome's Network component prior to version 148.0.7778.96 allows remote attackers to bypass same-origin policy after compromising the renderer process via a crafted HTML page. The vulnerability requires renderer compromise and user interaction, limiting real-world risk despite network-accessible attack surface. No active exploitation has been confirmed; a vendor patch is available.

Buffer Overflow Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7968 LOW PATCH Monitor

Insufficient validation of untrusted input in CORS handling in Google Chrome prior to version 148.0.7778.96 allows a remote attacker who has compromised the renderer process to bypass the same-origin policy via a crafted HTML page, potentially leading to unauthorized information disclosure. The vulnerability requires renderer process compromise and user interaction, resulting in a CVSS score of 3.1 (low severity). No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-7967 HIGH PATCH This Week

Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows attackers who have already compromised the renderer process to break out of Chrome's security sandbox through malicious HTML pages. The vulnerability stems from insufficient input validation in Chrome's Navigation component, requiring both network access and user interaction but enabling complete system compromise (high confidentiality, integrity, and availability impact) once the renderer is compromised. Vendor-released patch available in version 148.0.7778.96, announced via Google's stable channel update.

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-7966 LOW PATCH Monitor

Insufficient input validation in SiteIsolation allows remote attackers who have compromised the Chrome renderer process to bypass site isolation protections via a crafted HTML page, potentially leaking sensitive data across site boundaries. The vulnerability affects Chrome versions prior to 148.0.7778.96 and requires prior renderer compromise and user interaction, resulting in low real-world exploitation probability despite the authentication bypass classification.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-7965 LOW PATCH Monitor

Google Chrome versions prior to 148.0.7778.96 contain insufficient input validation in DevTools that allows remote attackers with a compromised renderer process to leak cross-origin data through crafted HTML pages. The vulnerability requires user interaction and a pre-compromised renderer, limiting real-world exploitation but presenting a significant attack chaining vector for multi-stage exploits. Patch available from vendor.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-7964 MEDIUM PATCH This Month

Insufficient input validation in the FileSystem API in Google Chrome prior to version 148.0.7778.96 allows a remote attacker with a compromised renderer process to perform arbitrary file read and write operations through a malicious HTML page. The vulnerability requires prior renderer compromise and user interaction with a crafted page, limiting its attack surface despite network-accessible vectors. Vendor has released a patched version.

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-7963 HIGH PATCH This Week

Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox via crafted HTML pages exploiting ServiceWorker implementation flaws. This vulnerability requires high attack complexity and user interaction but enables complete system compromise once the initial renderer compromise is achieved. Vendor patch released in Chrome 148.0.7778.96 per official Chrome security bulletin.

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-7962 MEDIUM PATCH This Month

Insufficient policy enforcement in DirectSockets API in Google Chrome prior to version 148.0.7778.96 allows remote attackers to perform arbitrary read and write operations through a crafted malicious Chrome extension. The vulnerability requires user interaction (extension installation) but affects the core security model of the browser's socket access control, exposing local network resources to unauthorized access by untrusted extensions.

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-7961 MEDIUM PATCH This Month

Google Chrome prior to version 148.0.7778.96 contains insufficient validation of untrusted input in the Permissions system, allowing attackers on the local network segment to leak cross-origin data through malicious network traffic. The vulnerability requires network adjacency but no user interaction or authentication, affecting confidentiality with medium Chromium severity. Patch is available from Google.

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7960 MEDIUM PATCH This Month

Information disclosure in Google Chrome prior to 148.0.7778.96 allows remote attackers who have compromised the renderer process to extract potentially sensitive data from process memory through a race condition triggered by a crafted HTML page. The vulnerability requires renderer process compromise and user interaction but results in high confidentiality impact with no integrity or availability consequences. Chromium security team rates this as Medium severity; no active exploitation has been publicly confirmed.

Race Condition Google Information Disclosure Red Hat Suse +1
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-7959 LOW PATCH Monitor

Bypass of Chrome's site isolation security feature in versions prior to 148.0.7778.96 allows a remote attacker with a compromised renderer process to access cross-site data via a crafted HTML page. The vulnerability requires renderer process compromise as a precondition, limiting real-world risk despite the criticality of bypassing site isolation. Vendor-released patch: version 148.0.7778.96 and later.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-7958 MEDIUM PATCH This Month

Uncontrolled XSS vulnerability in Google Chrome's ServiceWorker implementation prior to version 148.0.7778.96 allows attackers to inject arbitrary scripts or HTML into web pages when users install a malicious Chrome extension, bypassing same-origin policy protections. The vulnerability requires user interaction (extension installation) but can be exploited remotely with low attack complexity. CVSS score of 5.4 reflects medium severity; no active exploitation has been publicly reported.

XSS Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-7957 HIGH PATCH This Week

Remote code execution in Google Chrome's Media component on macOS and iOS versions prior to 148.0.7778.96 allows attackers to execute arbitrary code within the browser sandbox by exploiting an out-of-bounds write vulnerability. Attack requires the compromised renderer process prerequisite plus user interaction with a malicious HTML page. CVSS rates this 8.8 (High) due to network attack vector and no authentication required, though exploitation remains constrained by the sandbox boundary and requires initial renderer compromise. Vendor-released patch available in Chrome 148.0.7778.96. No active exploitation (CISA KEV) or public exploit code identified at time of analysis.

Buffer Overflow Memory Corruption RCE Apple Google +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7956 HIGH PATCH This Week

Sandbox escape in Google Chrome prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox via a use-after-free vulnerability in the Navigation component. This requires user interaction with a malicious HTML page and successful renderer compromise as a prerequisite, making it a two-stage attack requiring high attack complexity. Vendor-released patch available in Chrome 148.0.7778.96. No public exploit or active exploitation (CISA KEV) identified at time of analysis. CVSS 8.3 (High) reflects the severe post-compromise impact (sandbox escape enabling system-level access), but real-world risk depends heavily on successful initial renderer compromise.

Google Denial Of Service Use After Free Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-7955 MEDIUM PATCH This Month

Uninitialized memory use in the GPU component of Google Chrome prior to version 148.0.7778.96 allows remote attackers who have compromised the renderer process to extract potentially sensitive information from process memory through a malicious HTML page. The vulnerability requires renderer process compromise as a precondition and user interaction to trigger, but once achieved, enables confidentiality breach with no code execution or denial of service impact. Vendor-released patch available in Chrome 148.0.7778.96.

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-7954 LOW PATCH Monitor

Google Chrome prior to version 148.0.7778.96 contains a race condition in shared storage that allows a remote attacker with a compromised renderer process to leak cross-origin data through a crafted HTML page. The vulnerability requires user interaction and renderer compromise but can disclose sensitive information across origin boundaries, classified as medium severity by Chromium security team.

Race Condition Google Information Disclosure Chrome
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-7953 MEDIUM PATCH This Month

Unvalidated Omnibox input in Google Chrome prior to version 148.0.7778.96 enables remote attackers to inject arbitrary scripts and HTML (universal XSS) via malicious network traffic, affecting users who click on crafted links. The vulnerability requires user interaction but crosses security boundaries due to its scope impact. No active exploitation has been publicly confirmed, though a patch is available from Google.

Code Injection Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-7952 MEDIUM PATCH This Month

Insufficient policy enforcement in Chrome Extensions prior to version 148.0.7778.96 allows a remote attacker with a compromised renderer process to bypass discretionary access controls via a crafted HTML page, potentially leading to unauthorized information disclosure or modification. The vulnerability requires user interaction and a pre-existing renderer compromise, limiting its practical exploitation scope. A vendor-released patch is available in Chrome 148.0.7778.96 and later.

Authentication Bypass Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-7951 HIGH PATCH This Week

Remote code execution within Chrome's sandbox affects all versions prior to 148.0.7778.96 through an out-of-bounds write in the WebRTC component. Attackers can achieve arbitrary code execution by convincing users to visit a specially crafted HTML page, though execution remains confined to Chrome's sandbox. EPSS data not available for this recent CVE (May 2026). Vendor-released patch version 148.0.7778.96 addresses the vulnerability with Chromium security severity rated Medium despite 8.8 CVSS score.

Google Memory Corruption Buffer Overflow RCE Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7950 MEDIUM PATCH This Month

Out-of-bounds read and write in the GFX component of Google Chrome prior to version 148.0.7778.96 allows remote attackers to perform arbitrary memory read and write operations through malicious network traffic. The vulnerability requires user interaction (clicking a link or visiting a malicious page) but does not require authentication. Chromium rated the security severity as Medium; CVSS 5.4 reflects moderate impact (confidentiality and integrity compromise without availability loss). No active exploitation confirmed in CISA KEV at time of analysis.

Google Information Disclosure Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-7949 LOW PATCH Monitor

Out-of-bounds read in Skia graphics library within Google Chrome prior to version 148.0.7778.96 allows remote attackers who have compromised the renderer process to leak cross-origin data through a crafted Chrome Extension. The vulnerability requires user interaction and relies on renderer compromise, limiting real-world exploitation despite the information disclosure impact. Chromium classified this as Medium severity; no active exploitation has been publicly confirmed.

Google Information Disclosure Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-7948 HIGH PATCH This Week

Local privilege escalation in Google Chrome Chromoting (remote desktop component) allows authenticated Windows users to gain elevated system privileges through a race condition exploit triggered by a malicious file. Fixed in Chrome 148.0.7778.96. The vulnerability requires user interaction and high attack complexity (AC:H), limiting automated exploitation despite the 7.5 CVSS score. No public exploit identified at time of analysis, and not listed in CISA KEV.

Privilege Escalation Microsoft Race Condition Google Red Hat +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-7947 MEDIUM PATCH This Month

UI spoofing via insufficient input validation in Google Chrome prior to 148.0.7778.96 allows a remote attacker who has already compromised the renderer process to craft malicious HTML pages that deceive users about the legitimate UI elements. The attack requires renderer process compromise as a prerequisite and user interaction with the crafted page, limiting real-world applicability to multi-stage attacks. Chromium assessed this as medium severity; no public exploit code or active exploitation has been identified.

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-7946 MEDIUM PATCH This Month

Insufficient policy enforcement in Chrome's WebUI on Linux, Mac, Windows, and ChromeOS prior to 148.0.7778.96 allows a remote attacker with a compromised renderer process to bypass site isolation via a crafted HTML page, potentially exposing sensitive cross-site data. The vulnerability requires user interaction (UI:R) and prior renderer compromise, limiting its standalone exploitability. Vendor-released patch available in version 148.0.7778.96.

Authentication Bypass Microsoft Google Red Hat Suse +1
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7945 LOW PATCH Monitor

Insufficient validation of Cross-Origin-Opener-Policy (COOP) headers in Google Chrome prior to version 148.0.7778.96 allows a remote attacker with a compromised renderer process to bypass site isolation protections via a crafted HTML page. The vulnerability requires renderer compromise and user interaction, limiting real-world exploitation to targeted attacks against users whose Chrome renderer is already under attacker control. Chromium rates the security severity as Medium; vendor patch is available.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-7944 LOW PATCH Monitor

Insufficient validation of untrusted input in the Persistent Cache of Google Chrome prior to version 148.0.7778.96 allows a remote attacker who has already compromised the renderer process to bypass site isolation protections via a specially crafted HTML page, enabling unauthorized disclosure of sensitive information from other sites. The vulnerability requires prior renderer compromise and user interaction, limiting real-world exploitability despite network-accessible attack vector. No public exploit code or active exploitation has been identified.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-7943 MEDIUM PATCH This Month

Insufficient input validation in ANGLE (Almost Native Graphics Layer Engine) in Google Chrome prior to version 148.0.7778.96 allows remote attackers who have compromised the renderer process to perform arbitrary memory read and write operations via a crafted HTML page. The vulnerability requires renderer process compromise as a precondition, user interaction, and high attack complexity, making it a post-exploitation vector rather than a primary attack surface. Patch is available from vendor.

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-7942 MEDIUM PATCH This Month

Integer overflow in ANGLE graphics library in Google Chrome prior to version 148.0.7778.96 allows remote attackers to leak cross-origin data by delivering a crafted HTML page that triggers the vulnerability. The vulnerability requires user interaction (visiting a malicious webpage) but can bypass same-origin policy protections, exposing sensitive data from other domains. No public exploit code or active exploitation has been confirmed at analysis time.

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7941 MEDIUM PATCH This Month

Insufficient input validation in Google Chrome on Android prior to version 148.0.7778.96 allows local attackers to inject arbitrary scripts or HTML via a crafted Chrome Extension, leading to Universal Cross-Site Scripting (UXSS). The vulnerability requires user interaction and local system access but poses a medium risk due to its ability to bypass same-origin policy protections within the browser context. No public exploit has been identified at the time of analysis.

Code Injection Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-7940 HIGH PATCH This Week

Use-after-free in Chrome's V8 JavaScript engine enables remote code execution inside the sandbox when users install a malicious extension. Google Chrome versions prior to 148.0.7778.96 are vulnerable to arbitrary code execution through specially crafted Chrome Extensions exploiting memory corruption in V8. CVSS rates this 8.8 (High) with network attack vector requiring user interaction. Vendor-released patch available in Chrome 148.0.7778.96 per Google's May 2026 stable channel update. EPSS and KEV data not provided; exploitation requires social engineering to install malicious extension, limiting automated exploitation scenarios.

Denial Of Service Use After Free Memory Corruption RCE Google +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7939 MEDIUM PATCH This Month

Google Chrome versions prior to 148.0.7778.96 contain an XSS vulnerability in the SanitizerAPI that allows remote attackers to inject arbitrary scripts or HTML through crafted HTML pages. The vulnerability requires user interaction (visiting a malicious page) but carries medium severity due to its ability to compromise confidentiality and integrity. No public exploit code or active exploitation in CISA KEV has been identified at the time of analysis.

XSS Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-7938 HIGH PATCH This Week

Remote code execution in Google Chrome before 148.0.7778.96 allows unauthenticated attackers to execute arbitrary code within the Chrome sandbox by exploiting a use-after-free vulnerability in the CSS rendering engine through a malicious webpage. Requires victim interaction (visiting attacker-controlled page) but needs no authentication. Vendor-released patch available as Chrome 148.0.7778.96. EPSS score not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis, though browser vulnerabilities are high-value targets.

Denial Of Service Use After Free Memory Corruption RCE Google +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7937 LOW PATCH Monitor

Insufficient policy enforcement in Chrome DevTools prior to version 148.0.7778.96 allows attackers to bypass navigation restrictions through a malicious extension, requiring user installation and interaction. The vulnerability has a low CVSS score (3.1) due to high attack complexity and user interaction requirements, resulting in limited confidentiality impact with no integrity or availability effects. Patch is available from Google.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-7936 MEDIUM PATCH This Month

Out-of-bounds memory read in Google Chrome's V8 JavaScript engine allows remote attackers to disclose sensitive information via a crafted HTML page. Affects Chrome versions prior to 148.0.7778.96. The vulnerability requires user interaction (opening a malicious page) but operates over the network with no authentication required. While classified as medium severity by Chromium, the impact is limited to information disclosure without code execution capability.

Google Information Disclosure Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7935 MEDIUM PATCH This Month

UI spoofing vulnerability in Google Chrome prior to 148.0.7778.96 allows remote attackers to deceive users through crafted HTML pages that manipulate the speech interface, potentially disclosing sensitive information or causing denial of service. The vulnerability requires user interaction (clicking or interacting with the malicious page) and affects the speech component's visual presentation. Chromium severity is rated Medium; no active exploitation has been publicly confirmed.

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-7934 MEDIUM PATCH This Month

Insufficient input validation in Google Chrome's Popup Blocker prior to version 148.0.7778.96 enables a remote attacker with a compromised renderer process to bypass navigation restrictions and access restricted content via a crafted HTML page. The vulnerability requires renderer process compromise and user interaction, limiting real-world exploitability despite its authentication bypass classification. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-7933 MEDIUM PATCH This Month

Out-of-bounds read in WebCodecs video processing in Google Chrome versions prior to 148.0.7778.96 allows remote attackers to leak sensitive memory contents via a crafted video file. The vulnerability requires user interaction to open a malicious video, but affects all users regardless of authentication. Chrome 148.0.7778.96 and later versions patch this information disclosure vulnerability, which could expose cryptographic keys, session tokens, or other sensitive data resident in adjacent memory.

Google Information Disclosure Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7932 MEDIUM PATCH This Month

Insufficient policy enforcement in Chrome's Downloads feature prior to version 148.0.7778.96 allows local attackers with user interaction to bypass navigation restrictions and access sensitive download locations via a crafted HTML page, potentially leading to information disclosure or file manipulation. The vulnerability requires local access and user engagement with a malicious page, limiting its scope to targeted social engineering rather than remote mass exploitation.

Authentication Bypass Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-7931 MEDIUM PATCH This Month

UI spoofing in Google Chrome on iOS prior to version 148.0.7778.96 allows remote attackers to deceive users through crafted HTML pages that manipulate the browser interface. The vulnerability stems from insufficient validation of untrusted input and has a CVSS score of 5.4 (medium severity). Exploitation requires user interaction with a malicious webpage but can result in information disclosure and denial of service on affected iOS devices.

Apple Google Information Disclosure Red Hat Suse +1
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-7930 HIGH PATCH This Week

Privilege escalation in Google Chrome versions prior to 148.0.7778.96 enables remote attackers to elevate privileges through malicious HTML pages exploiting improper cookie validation. The vulnerability requires user interaction (clicking a link or visiting a malicious site) but no authentication, making it viable for phishing or watering-hole attacks. CVSS score of 8.8 indicates high severity across confidentiality, integrity, and availability. Vendor-released patch available in Chrome 148.0.7778.96 per Google's stable channel update. EPSS and KEV data not provided; exploitation status unknown at time of analysis.

Privilege Escalation Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7929 HIGH PATCH This Week

Remote code execution in Google Chrome's MediaRecording component (versions prior to 148.0.7778.96) allows attackers to execute arbitrary code when victims perform specific UI interactions with a malicious webpage. The use-after-free vulnerability in memory management has been patched by Google in version 148.0.7778.96. EPSS data not available; no CISA KEV listing identified, suggesting no confirmed widespread exploitation at time of analysis, though publicly available exploit code exists per Chromium bug tracker disclosure.

Denial Of Service Use After Free Memory Corruption RCE Google +3
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-7928 HIGH PATCH This Week

Remote code execution in Google Chrome for Windows below version 148.0.7778.96 allows unauthenticated attackers to execute arbitrary code within Chrome's sandbox via specially crafted HTML pages exploiting a use-after-free vulnerability in the WebRTC implementation. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability. EPSS data not provided, but Google's 'High' severity classification and immediate patch release indicate active concern. No CISA KEV listing or public POC identified at time of analysis, though the vulnerability is already patched.

Denial Of Service Microsoft Use After Free Memory Corruption RCE +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7927 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.96 occurs when attackers exploit a type confusion vulnerability in the JavaScript runtime through malicious web pages. The vulnerability requires only that users visit a crafted HTML page, making it highly accessible for social engineering attacks. No active exploitation confirmed by CISA KEV at time of analysis, though Google has released patches addressing this high-severity memory corruption flaw with confirmed public disclosure through Chromium issue tracker.

Memory Corruption Google RCE Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7926 HIGH PATCH This Week

Remote code execution in Google Chrome prior to version 148.0.7778.96 allows attackers to execute arbitrary code within the browser's sandbox by exploiting a use-after-free vulnerability in the Presentation API through a specially crafted HTML page. User interaction is required (visiting a malicious webpage). EPSS data not available for this recent CVE. No public exploit confirmed at time of analysis, though the vulnerability has been patched by Google in the stable channel release.

Denial Of Service Use After Free Memory Corruption RCE Google +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7925 HIGH PATCH This Week

Use-after-free memory corruption in Chrome Remote Desktop (Chromoting) on Windows enables local privilege escalation to SYSTEM via malicious file interaction. Attackers with local access can gain OS-level administrative control by inducing users to open specially crafted files processed by the Chromoting component. Patch available in Chrome 148.0.7778.96. No evidence of active exploitation (not in CISA KEV), but the local attack vector with low complexity and high impact warrants immediate patching for Windows Chrome deployments, especially in multi-user environments where privilege boundaries are critical.

Denial Of Service Microsoft Use After Free Memory Corruption Privilege Escalation +4
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-7924 MEDIUM PATCH This Month

Uninitialized memory use in Dawn (GPU abstraction layer) in Google Chrome prior to version 148.0.7778.96 allows remote attackers to read potentially sensitive information from process memory by opening a crafted HTML page. The vulnerability requires user interaction (clicking/viewing the malicious page) but no authentication, and has a high confidentiality impact. Chromium security team classified this as high severity; no public exploit code or active exploitation has been confirmed at time of analysis.

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-7923 HIGH PATCH This Week

Renderer sandbox escape in Google Chrome versions prior to 148.0.7778.96 leverages an out-of-bounds write in the Skia graphics library. An attacker who has already compromised Chrome's renderer process through other means (such as a separate browser vulnerability) can deliver a specially crafted HTML page to break out of Chrome's security sandbox, gaining elevated code execution on the underlying operating system. EPSS data not available; no CISA KEV listing identified. Google has released Chrome 148.0.7778.96 addressing this high-severity flaw, classified as CWE-787 (Out-of-bounds Write) affecting the Skia graphics rendering engine.

Google Memory Corruption Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-7922 HIGH PATCH This Week

Sandbox escape in Google Chrome via ServiceWorker use-after-free allows remote attackers to break out of Chrome's security sandbox through a specially crafted HTML page. Affects all Chrome versions prior to 148.0.7778.96. EPSS data not yet available for this recent CVE. Google has released a patch in version 148.0.7778.96. While rated high severity by Chromium project, the attack complexity is high (AC:H) and requires user interaction (UI:R), limiting widespread exploitation risk despite the critical scope change (S:C) indicating sandbox escape capability.

Google Denial Of Service Use After Free Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-7921 HIGH PATCH This Week

Remote code execution in Google Chrome prior to 148.0.7778.96 enables attackers to execute arbitrary code by exploiting a use-after-free vulnerability in the Passwords component through a malicious HTML page. User interaction (visiting the crafted page) is required. CVSS score of 8.8 reflects network-based attack requiring no authentication but requiring user interaction, with high impact to confidentiality, integrity, and availability. Vendor patch available in Chrome 148.0.7778.96. No public exploitation confirmed at time of analysis.

Denial Of Service Use After Free Memory Corruption RCE Google +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7920 HIGH PATCH This Week

Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox through a use-after-free vulnerability in the Skia graphics library. Exploitation requires user interaction with a malicious HTML page and successful prior renderer compromise, representing a second-stage attack rather than initial access. No active exploitation confirmed (not in CISA KEV), though the vulnerability's sandbox escape capability makes it valuable for targeted attack chains.

Google Denial Of Service Use After Free Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-7919 HIGH PATCH This Week

Sandbox escape in Google Chrome versions prior to 148.0.7778.96 enables remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox through a use-after-free vulnerability in the Aura UI framework. The attack requires user interaction with a malicious webpage and presents high attack complexity, but successfully chains renderer compromise with sandbox escape to achieve full system impact. No active exploitation confirmed (not in CISA KEV), though this vulnerability class is frequently targeted given Chrome's wide deployment and the high value of sandbox escapes.

Google Denial Of Service Use After Free Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-7918 HIGH PATCH This Week

Sandbox escape in Google Chrome's GPU component prior to version 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox via a use-after-free memory corruption vulnerability triggered by a malicious web page. This represents a critical second-stage attack where initial renderer compromise is chained with GPU exploitation to achieve full system access. Vendor-released patch available in Chrome 148.0.7778.96. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept at time of analysis.

Google Denial Of Service Use After Free Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-7917 HIGH PATCH This Week

Sandbox escape in Google Chrome on Windows allows attackers who have already compromised the renderer process to break out of Chrome's security sandbox via a use-after-free flaw in the Fullscreen API. Affects Chrome versions prior to 148.0.7778.96 on Windows platforms. Google has released a patch (version 148.0.7778.96) and rated this High severity. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code at time of analysis, though the vulnerability requires initial renderer compromise making it a second-stage exploitation vector.

Denial Of Service Microsoft Use After Free Memory Corruption Google +3
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-7916 HIGH PATCH This Week

Sandbox escape in Google Chrome prior to 148.0.7778.96 enables compromised renderer processes to break out of browser security isolation via malicious HTML. This two-stage attack requires first exploiting a separate renderer vulnerability, then leveraging insufficient validation in the InterestGroups component to escalate privileges. The vulnerability is confirmed patched by Google (chromereleases advisory) with no public exploit code or active exploitation identified at time of analysis. CVSS 8.3 (High) reflects the severe impact of full sandbox escape, though the High attack complexity (requiring prior renderer compromise) limits immediate risk compared to single-stage remote code execution vulnerabilities.

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-7915 MEDIUM PATCH This Month

Insufficient data validation in DevTools in Google Chrome on Android prior to version 148.0.7778.96 allows remote attackers to bypass navigation restrictions by sending a crafted HTML page, requiring user interaction to open the malicious page. The vulnerability has a low CVSS score (4.3) due to limited confidentiality impact and requirement for user click, but affects all Android users running vulnerable versions. A vendor-released patch is available.

Authentication Bypass Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7914 HIGH PATCH This Week

Sandbox escape in Google Chrome on Windows versions prior to 148.0.7778.96 allows attackers who have already compromised the renderer process to break out of Chrome's security sandbox via type confusion in the Accessibility subsystem. The attack requires user interaction with a malicious webpage and successful renderer compromise as a prerequisite, representing a critical escalation path in multi-stage attacks. Vendor-released patch available in Chrome 148.0.7778.96. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.

Microsoft Information Disclosure Memory Corruption Google Red Hat +2
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-7913 HIGH PATCH This Week

Local privilege escalation in Google Chrome for Android prior to 148.0.7778.96 allows attackers to elevate privileges through malicious files exploiting insufficient policy enforcement in DevTools. The vulnerability requires user interaction to open a crafted file but grants no authentication requirement (PR:N) for the initial attack vector. Google released patch version 148.0.7778.96 addressing this high-severity flaw. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, suggesting exploitation remains theoretical or non-widespread.

Privilege Escalation Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-7912 MEDIUM PATCH This Month

Integer overflow in the GPU component of Google Chrome on Android prior to version 148.0.7778.96 enables a remote attacker whose renderer process has been compromised to execute arbitrary read and write operations via a malicious HTML page. The vulnerability requires prior compromise of the renderer process and user interaction, limiting its standalone exploitability but creating a significant secondary threat following renderer exploitation. Chromium security team rated this as high severity; no public exploit code or active exploitation has been identified at time of analysis.

Buffer Overflow Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-7911 HIGH PATCH This Week

Sandbox escape in Google Chrome for Windows versions prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of the Chrome sandbox via a use-after-free vulnerability in the Aura UI framework. The attack requires user interaction with a specially crafted HTML page and has high attack complexity (AC:H), but grants complete control over confidentiality, integrity, and availability with changed scope (S:C). No active exploitation confirmed in CISA KEV at time of analysis. EPSS data not provided, but the vulnerability targets a browser component with over 3 billion users globally.

Denial Of Service Microsoft Use After Free Memory Corruption Google +3
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-7910 CRITICAL PATCH Act Now

Use-after-free in the Views component of Google Chrome versions prior to 148.0.7778.96 enables site isolation bypass after renderer compromise. A remote attacker who has already compromised the renderer process can escape sandbox protections via a malicious HTML page, potentially accessing cross-origin data or executing code outside the renderer sandbox. Patch released by Google in version 148.0.7778.96. EPSS score of 0.02% (3rd percentile) indicates very low probability of exploitation in the wild currently, with no evidence of active exploitation or public proof-of-concept at time of analysis.

Google Denial Of Service Use After Free Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-7909 LOW PATCH Monitor

Site isolation bypass in Google Chrome prior to version 148.0.7778.96 allows a remote attacker with a compromised renderer process to circumvent Chrome's site isolation security boundary through a crafted HTML page. The vulnerability requires user interaction and a pre-compromised renderer, limiting real-world impact despite being triggered remotely. No public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-7908 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows remote attackers to break out of the browser's security sandbox through a use-after-free vulnerability in the Fullscreen API component. Attackers can deliver exploitation via a specially crafted HTML page requiring only user visit to the page (no additional interaction). With CVSS 9.6 (Critical) and scope change indicating containment breach, this represents a serious risk to browser security model integrity. No evidence of active exploitation (not in CISA KEV) and EPSS data not available at time of analysis.

Google Denial Of Service Use After Free Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-7907 HIGH PATCH This Week

Remote code execution within Chrome's sandbox affects all versions prior to 148.0.7778.96 via crafted HTML pages exploiting a use-after-free vulnerability in DOM handling. Remote unauthenticated attackers can achieve arbitrary code execution with high integrity and confidentiality impact by convincing users to visit a malicious webpage. Vendor patch released (Chrome 148.0.7778.96). No confirmed active exploitation (not in CISA KEV), but the low attack complexity (AC:L) and publicly disclosed bug tracker entry (Chromium issue 496292089) increase exploitation risk. EPSS data not provided but RCE in widely-deployed browser warrants immediate patching despite sandbox containment limiting full system compromise.

Denial Of Service Use After Free Memory Corruption RCE Google +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7906 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.96 allows attackers to execute arbitrary code within the browser's sandbox through a use-after-free vulnerability in SVG rendering. User interaction (visiting a malicious webpage) is required, but no authentication is needed. Vendor-released patch available in Chrome 148.0.7778.96. No public exploit identified at time of analysis, though CVSS score of 8.8 reflects high impact if successfully exploited.

Denial Of Service Use After Free Memory Corruption RCE Google +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7905 HIGH PATCH This Week

Renderer process compromise in Google Chrome for Android before 148.0.7778.96 enables sandbox escape through malicious HTML pages exploiting insufficient input validation in the Media component. Attacker requires user interaction to compromise the renderer first, then can break out of Chrome's security sandbox to execute code with broader system privileges. Vendor-released patch available in Chrome 148.0.7778.96 per Google's May 2026 stable channel update.

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-7904 MEDIUM PATCH This Month

Out-of-bounds memory read in Google Chrome's font handling allows remote attackers to leak sensitive information via a crafted HTML page when users visit a malicious website. Chrome versions prior to 148.0.7778.96 are affected. The vulnerability requires user interaction (clicking a link or visiting a page) but occurs over the network without authentication. Information disclosure risk is limited (CVSS C:L) with no impact on integrity or availability, but the Chromium security severity designation of High indicates concern about potential information leakage in real-world exploitation.

Google Information Disclosure Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7903 HIGH PATCH This Week

Integer overflow in Chrome's ANGLE graphics layer (Mac/Windows) enables heap corruption via malicious web pages. Remote attackers can achieve arbitrary code execution by tricking users into visiting crafted HTML content. Google patched this in Chrome 148.0.7778.96, marking it high severity. Users must interact with the malicious page, but no authentication is required. EPSS data not available; no CISA KEV listing indicates exploitation not yet confirmed in the wild, though the Chromium bug tracker may contain additional context.

Microsoft Google Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7902 HIGH PATCH This Week

Remote code execution within Chrome's V8 sandbox affects all versions prior to 148.0.7778.96 when users visit malicious web pages. The out-of-bounds memory access vulnerability in V8 JavaScript engine enables arbitrary code execution with user interaction (visiting crafted HTML), rated high severity by Chromium team. EPSS and KEV data not available, but Google confirmed the vulnerability and released patches. Attack complexity is low (CVSS AC:L) with no authentication required, making this exploitable at scale once proof-of-concept becomes public.

RCE Google Memory Corruption Buffer Overflow Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7901 HIGH PATCH This Week

Remote code execution in Google Chrome for macOS (versions prior to 148.0.7778.96) allows attackers to execute arbitrary code within the browser's sandbox by exploiting a use-after-free vulnerability in the ANGLE graphics library through a malicious HTML page. The vulnerability requires user interaction (visiting a crafted webpage) but can be exploited remotely without authentication. Google has released Chrome 148.0.7778.96 to address this high-severity memory corruption issue, which affects the confidentiality, integrity, and availability of sandboxed browser processes.

Denial Of Service Use After Free Memory Corruption RCE Google +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7900 HIGH PATCH This Week

Heap buffer overflow in Chrome's ANGLE graphics layer enables sandbox escape for attackers who have already compromised the renderer process, requiring user interaction with a malicious webpage. Chrome 148.0.7778.96 patches this High-severity vulnerability. No active exploitation confirmed (not in CISA KEV), and CVSS 8.3 reflects the Changed scope indicating successful sandbox breakout - a critical security boundary failure that elevates renderer compromise to broader system access.

Heap Overflow Google Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-7899 HIGH PATCH This Week

Out-of-bounds memory access in Chrome's V8 JavaScript engine enables remote code execution within the browser sandbox when users visit malicious websites. Affects all Chrome versions prior to 148.0.7778.96 across Windows, macOS, and Linux. Google released patches in the stable channel update (build 148.0.7778.96) per May 2026 advisory. No active exploitation confirmed at time of analysis, but CVSS 8.8 indicates high severity and the vulnerability requires only user interaction (visiting a crafted webpage) with no authentication needed.

Google Information Disclosure RCE Buffer Overflow Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7898 HIGH PATCH This Week

Remote code execution in Google Chrome's Chromoting component (remote desktop feature) on Linux allows unauthenticated attackers to execute arbitrary code through specially crafted network packets when a user interacts with a malicious remote desktop session. Fixed in Chrome 148.0.7778.96. Vendor rates severity as Critical. No public exploit code identified at time of analysis, but the use-after-free class (CWE-416) is well-understood and exploitable. CVSS 8.8 reflects network attack vector with low complexity requiring only user interaction, enabling full system compromise (high confidentiality, integrity, and availability impact).

Denial Of Service Use After Free Memory Corruption RCE Google +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7897 HIGH PATCH This Week

Remote code execution in Google Chrome for iOS prior to version 148.0.7778.96 through use-after-free memory corruption in the mobile UI handler. Exploitation requires convincing a user to perform specific UI gestures while viewing a malicious HTML page. Google confirms Critical severity and has released a patched version. EPSS data unavailable; not currently listed in CISA KEV. Attack complexity is rated High due to the required user interaction pattern, limiting opportunistic exploitation but enabling targeted attacks via social engineering.

Denial Of Service Use After Free Memory Corruption RCE Apple +4
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Insufficient policy enforcement in Autofill in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Red Hat +2
NVD
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome's GPU component affects versions prior to 148.0.7778.96. An attacker who has already compromised the renderer process can escalate privileges to break out of Chrome's sandbox by exploiting a use-after-free memory corruption vulnerability via a specially crafted HTML page. This requires high attack complexity and user interaction (visiting a malicious page). No active exploitation confirmed at time of analysis, and vendor-released patch (version 148.0.7778.96) is available. EPSS data not provided, but the combination of network vector, changed scope (S:C in CVSS), and sandbox escape capability makes this a priority update for Chrome deployments despite Chromium's 'Medium' internal severity rating.

Google Denial Of Service Use After Free +4
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's ReadingMode component (versions prior to 148.0.7778.96) allows attackers who have already compromised the renderer process to escape sandbox restrictions and execute arbitrary code on the underlying system. The vulnerability requires user interaction to visit a malicious webpage but exploitation complexity is low once renderer compromise is achieved. EPSS data not available; no CISA KEV listing identified at time of analysis, indicating no confirmed widespread exploitation. Vendor-released patch available in Chrome 148.0.7778.96.

Denial Of Service Use After Free Memory Corruption +5
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Out of bounds read in Dawn in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Google Information Disclosure Buffer Overflow +3
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Uninitialized Use in WebCodecs in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Red Hat +2
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Out-of-bounds read in Chrome's codec implementation allows remote attackers to extract potentially sensitive data from process memory by delivering a malicious media file. Affects Chrome versions prior to 148.0.7778.96. The vulnerability requires user interaction (opening or playing a crafted file) but operates over the network. Google rated this as Medium severity within the Chromium security framework.

Google Information Disclosure Buffer Overflow +3
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's WebAudio implementation (versions before 148.0.7778.96) allows attackers to execute arbitrary code within the browser sandbox by exploiting a use-after-free vulnerability through a malicious HTML page. The vulnerability requires user interaction (visiting a crafted page) but no authentication. Google has released Chrome 148.0.7778.96 to address this issue. EPSS data not available; no KEV listing or public POC identified at time of analysis, suggesting limited real-world exploitation observed despite the high CVSS score.

Denial Of Service Use After Free Memory Corruption +5
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

OS-level privilege escalation in Google Chrome for macOS allows remote attackers to gain elevated system privileges through malicious network traffic exploiting the Companion component. Affects all Chrome versions prior to 148.0.7778.96 on Mac. Vendor-released patch available (Chrome 148.0.7778.96). No public exploit or active exploitation confirmed at time of analysis, though high-complexity network-based attack vector (CVSS AV:N/AC:H) suggests specialized exploitation requirements despite unauthenticated remote access.

Privilege Escalation Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Inappropriate implementation in Canvas in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

Privilege Escalation Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.96 via malicious extension exploitation of use-after-free in Views component. Successful exploitation requires convincing a user to install a crafted Chrome extension, after which the attacker can execute arbitrary code with Chrome's privileges. Google has released Chrome 148.0.7778.96 to address this vulnerability. No evidence of active exploitation (not listed in CISA KEV) or public proof-of-concept code identified at time of analysis. CVSS 7.5 severity driven by high attack complexity and required user interaction, which moderates real-world exploitation risk despite potential for full system compromise.

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome's DevTools component allows attackers who have already compromised the renderer process to break out of the browser sandbox and execute code on the underlying system. Affects all Chrome versions prior to 148.0.7778.96. Google has released version 148.0.7778.96 to patch this vulnerability. The attack requires high complexity and user interaction (visiting a malicious page), but successful exploitation enables complete system compromise with changed scope (S:C in CVSS vector), escalating from renderer-level access to full system access. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis.

Google Denial Of Service Use After Free +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.96 allows attackers to execute arbitrary code within the browser's sandbox by exploiting a use-after-free vulnerability in the Blink rendering engine through a specially crafted HTML page. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, though exploitation requires user interaction (visiting a malicious webpage). EPSS data not available. Not listed in CISA KEV at time of analysis. Vendor-released patch available in Chrome 148.0.7778.96.

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Integer overflow in Chrome's Dawn graphics API (WebGPU) enables sandbox escape on Windows systems when users visit attacker-controlled web pages. Affects all Chrome versions prior to 148.0.7778.96 on Windows platforms. Vendor-released patch available in Chrome 148.0.7778.96 (confirmed by Google Stable Channel release). CVSS 8.8 reflects high impact but requires user interaction. No public exploit code or CISA KEV listing identified at time of analysis, indicating targeted or proof-of-concept stage exploitation risk rather than widespread active exploitation.

Microsoft Google Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Uninitialized Use in GPU in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Inappropriate implementation in ORB in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)

Privilege Escalation Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox through a use-after-free vulnerability in the TopChrome component. Attack requires user interaction with a malicious HTML page and has high attack complexity. EPSS data not available; no active exploitation confirmed at time of analysis. Vendor-released patch available in Chrome 148.0.7778.96.

Google Denial Of Service Use After Free +4
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Integer overflow in Chrome's Network component prior to version 148.0.7778.96 allows remote attackers to bypass same-origin policy after compromising the renderer process via a crafted HTML page. The vulnerability requires renderer compromise and user interaction, limiting real-world risk despite network-accessible attack surface. No active exploitation has been confirmed; a vendor patch is available.

Buffer Overflow Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Insufficient validation of untrusted input in CORS handling in Google Chrome prior to version 148.0.7778.96 allows a remote attacker who has compromised the renderer process to bypass the same-origin policy via a crafted HTML page, potentially leading to unauthorized information disclosure. The vulnerability requires renderer process compromise and user interaction, resulting in a CVSS score of 3.1 (low severity). No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows attackers who have already compromised the renderer process to break out of Chrome's security sandbox through malicious HTML pages. The vulnerability stems from insufficient input validation in Chrome's Navigation component, requiring both network access and user interaction but enabling complete system compromise (high confidentiality, integrity, and availability impact) once the renderer is compromised. Vendor-released patch available in version 148.0.7778.96, announced via Google's stable channel update.

Information Disclosure Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Insufficient input validation in SiteIsolation allows remote attackers who have compromised the Chrome renderer process to bypass site isolation protections via a crafted HTML page, potentially leaking sensitive data across site boundaries. The vulnerability affects Chrome versions prior to 148.0.7778.96 and requires prior renderer compromise and user interaction, resulting in low real-world exploitation probability despite the authentication bypass classification.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Google Chrome versions prior to 148.0.7778.96 contain insufficient input validation in DevTools that allows remote attackers with a compromised renderer process to leak cross-origin data through crafted HTML pages. The vulnerability requires user interaction and a pre-compromised renderer, limiting real-world exploitation but presenting a significant attack chaining vector for multi-stage exploits. Patch available from vendor.

Information Disclosure Google Chrome
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Insufficient input validation in the FileSystem API in Google Chrome prior to version 148.0.7778.96 allows a remote attacker with a compromised renderer process to perform arbitrary file read and write operations through a malicious HTML page. The vulnerability requires prior renderer compromise and user interaction with a crafted page, limiting its attack surface despite network-accessible vectors. Vendor has released a patched version.

Information Disclosure Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox via crafted HTML pages exploiting ServiceWorker implementation flaws. This vulnerability requires high attack complexity and user interaction but enables complete system compromise once the initial renderer compromise is achieved. Vendor patch released in Chrome 148.0.7778.96 per official Chrome security bulletin.

Information Disclosure Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Insufficient policy enforcement in DirectSockets API in Google Chrome prior to version 148.0.7778.96 allows remote attackers to perform arbitrary read and write operations through a crafted malicious Chrome extension. The vulnerability requires user interaction (extension installation) but affects the core security model of the browser's socket access control, exposing local network resources to unauthorized access by untrusted extensions.

Information Disclosure Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Google Chrome prior to version 148.0.7778.96 contains insufficient validation of untrusted input in the Permissions system, allowing attackers on the local network segment to leak cross-origin data through malicious network traffic. The vulnerability requires network adjacency but no user interaction or authentication, affecting confidentiality with medium Chromium severity. Patch is available from Google.

Information Disclosure Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Information disclosure in Google Chrome prior to 148.0.7778.96 allows remote attackers who have compromised the renderer process to extract potentially sensitive data from process memory through a race condition triggered by a crafted HTML page. The vulnerability requires renderer process compromise and user interaction but results in high confidentiality impact with no integrity or availability consequences. Chromium security team rates this as Medium severity; no active exploitation has been publicly confirmed.

Race Condition Google Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Bypass of Chrome's site isolation security feature in versions prior to 148.0.7778.96 allows a remote attacker with a compromised renderer process to access cross-site data via a crafted HTML page. The vulnerability requires renderer process compromise as a precondition, limiting real-world risk despite the criticality of bypassing site isolation. Vendor-released patch: version 148.0.7778.96 and later.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Uncontrolled XSS vulnerability in Google Chrome's ServiceWorker implementation prior to version 148.0.7778.96 allows attackers to inject arbitrary scripts or HTML into web pages when users install a malicious Chrome extension, bypassing same-origin policy protections. The vulnerability requires user interaction (extension installation) but can be exploited remotely with low attack complexity. CVSS score of 5.4 reflects medium severity; no active exploitation has been publicly reported.

XSS Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's Media component on macOS and iOS versions prior to 148.0.7778.96 allows attackers to execute arbitrary code within the browser sandbox by exploiting an out-of-bounds write vulnerability. Attack requires the compromised renderer process prerequisite plus user interaction with a malicious HTML page. CVSS rates this 8.8 (High) due to network attack vector and no authentication required, though exploitation remains constrained by the sandbox boundary and requires initial renderer compromise. Vendor-released patch available in Chrome 148.0.7778.96. No active exploitation (CISA KEV) or public exploit code identified at time of analysis.

Buffer Overflow Memory Corruption RCE +5
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox via a use-after-free vulnerability in the Navigation component. This requires user interaction with a malicious HTML page and successful renderer compromise as a prerequisite, making it a two-stage attack requiring high attack complexity. Vendor-released patch available in Chrome 148.0.7778.96. No public exploit or active exploitation (CISA KEV) identified at time of analysis. CVSS 8.3 (High) reflects the severe post-compromise impact (sandbox escape enabling system-level access), but real-world risk depends heavily on successful initial renderer compromise.

Google Denial Of Service Use After Free +4
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Uninitialized memory use in the GPU component of Google Chrome prior to version 148.0.7778.96 allows remote attackers who have compromised the renderer process to extract potentially sensitive information from process memory through a malicious HTML page. The vulnerability requires renderer process compromise as a precondition and user interaction to trigger, but once achieved, enables confidentiality breach with no code execution or denial of service impact. Vendor-released patch available in Chrome 148.0.7778.96.

Information Disclosure Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Google Chrome prior to version 148.0.7778.96 contains a race condition in shared storage that allows a remote attacker with a compromised renderer process to leak cross-origin data through a crafted HTML page. The vulnerability requires user interaction and renderer compromise but can disclose sensitive information across origin boundaries, classified as medium severity by Chromium security team.

Race Condition Google Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Unvalidated Omnibox input in Google Chrome prior to version 148.0.7778.96 enables remote attackers to inject arbitrary scripts and HTML (universal XSS) via malicious network traffic, affecting users who click on crafted links. The vulnerability requires user interaction but crosses security boundaries due to its scope impact. No active exploitation has been publicly confirmed, though a patch is available from Google.

Code Injection Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Insufficient policy enforcement in Chrome Extensions prior to version 148.0.7778.96 allows a remote attacker with a compromised renderer process to bypass discretionary access controls via a crafted HTML page, potentially leading to unauthorized information disclosure or modification. The vulnerability requires user interaction and a pre-existing renderer compromise, limiting its practical exploitation scope. A vendor-released patch is available in Chrome 148.0.7778.96 and later.

Authentication Bypass Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution within Chrome's sandbox affects all versions prior to 148.0.7778.96 through an out-of-bounds write in the WebRTC component. Attackers can achieve arbitrary code execution by convincing users to visit a specially crafted HTML page, though execution remains confined to Chrome's sandbox. EPSS data not available for this recent CVE (May 2026). Vendor-released patch version 148.0.7778.96 addresses the vulnerability with Chromium security severity rated Medium despite 8.8 CVSS score.

Google Memory Corruption Buffer Overflow +4
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Out-of-bounds read and write in the GFX component of Google Chrome prior to version 148.0.7778.96 allows remote attackers to perform arbitrary memory read and write operations through malicious network traffic. The vulnerability requires user interaction (clicking a link or visiting a malicious page) but does not require authentication. Chromium rated the security severity as Medium; CVSS 5.4 reflects moderate impact (confidentiality and integrity compromise without availability loss). No active exploitation confirmed in CISA KEV at time of analysis.

Google Information Disclosure Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Out-of-bounds read in Skia graphics library within Google Chrome prior to version 148.0.7778.96 allows remote attackers who have compromised the renderer process to leak cross-origin data through a crafted Chrome Extension. The vulnerability requires user interaction and relies on renderer compromise, limiting real-world exploitation despite the information disclosure impact. Chromium classified this as Medium severity; no active exploitation has been publicly confirmed.

Google Information Disclosure Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Local privilege escalation in Google Chrome Chromoting (remote desktop component) allows authenticated Windows users to gain elevated system privileges through a race condition exploit triggered by a malicious file. Fixed in Chrome 148.0.7778.96. The vulnerability requires user interaction and high attack complexity (AC:H), limiting automated exploitation despite the 7.5 CVSS score. No public exploit identified at time of analysis, and not listed in CISA KEV.

Privilege Escalation Microsoft Race Condition +4
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

UI spoofing via insufficient input validation in Google Chrome prior to 148.0.7778.96 allows a remote attacker who has already compromised the renderer process to craft malicious HTML pages that deceive users about the legitimate UI elements. The attack requires renderer process compromise as a prerequisite and user interaction with the crafted page, limiting real-world applicability to multi-stage attacks. Chromium assessed this as medium severity; no public exploit code or active exploitation has been identified.

Information Disclosure Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Insufficient policy enforcement in Chrome's WebUI on Linux, Mac, Windows, and ChromeOS prior to 148.0.7778.96 allows a remote attacker with a compromised renderer process to bypass site isolation via a crafted HTML page, potentially exposing sensitive cross-site data. The vulnerability requires user interaction (UI:R) and prior renderer compromise, limiting its standalone exploitability. Vendor-released patch available in version 148.0.7778.96.

Authentication Bypass Microsoft Google +3
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Insufficient validation of Cross-Origin-Opener-Policy (COOP) headers in Google Chrome prior to version 148.0.7778.96 allows a remote attacker with a compromised renderer process to bypass site isolation protections via a crafted HTML page. The vulnerability requires renderer compromise and user interaction, limiting real-world exploitation to targeted attacks against users whose Chrome renderer is already under attacker control. Chromium rates the security severity as Medium; vendor patch is available.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Insufficient validation of untrusted input in the Persistent Cache of Google Chrome prior to version 148.0.7778.96 allows a remote attacker who has already compromised the renderer process to bypass site isolation protections via a specially crafted HTML page, enabling unauthorized disclosure of sensitive information from other sites. The vulnerability requires prior renderer compromise and user interaction, limiting real-world exploitability despite network-accessible attack vector. No public exploit code or active exploitation has been identified.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Insufficient input validation in ANGLE (Almost Native Graphics Layer Engine) in Google Chrome prior to version 148.0.7778.96 allows remote attackers who have compromised the renderer process to perform arbitrary memory read and write operations via a crafted HTML page. The vulnerability requires renderer process compromise as a precondition, user interaction, and high attack complexity, making it a post-exploitation vector rather than a primary attack surface. Patch is available from vendor.

Information Disclosure Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Integer overflow in ANGLE graphics library in Google Chrome prior to version 148.0.7778.96 allows remote attackers to leak cross-origin data by delivering a crafted HTML page that triggers the vulnerability. The vulnerability requires user interaction (visiting a malicious webpage) but can bypass same-origin policy protections, exposing sensitive data from other domains. No public exploit code or active exploitation has been confirmed at analysis time.

Information Disclosure Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Insufficient input validation in Google Chrome on Android prior to version 148.0.7778.96 allows local attackers to inject arbitrary scripts or HTML via a crafted Chrome Extension, leading to Universal Cross-Site Scripting (UXSS). The vulnerability requires user interaction and local system access but poses a medium risk due to its ability to bypass same-origin policy protections within the browser context. No public exploit has been identified at the time of analysis.

Code Injection Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in Chrome's V8 JavaScript engine enables remote code execution inside the sandbox when users install a malicious extension. Google Chrome versions prior to 148.0.7778.96 are vulnerable to arbitrary code execution through specially crafted Chrome Extensions exploiting memory corruption in V8. CVSS rates this 8.8 (High) with network attack vector requiring user interaction. Vendor-released patch available in Chrome 148.0.7778.96 per Google's May 2026 stable channel update. EPSS and KEV data not provided; exploitation requires social engineering to install malicious extension, limiting automated exploitation scenarios.

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Google Chrome versions prior to 148.0.7778.96 contain an XSS vulnerability in the SanitizerAPI that allows remote attackers to inject arbitrary scripts or HTML through crafted HTML pages. The vulnerability requires user interaction (visiting a malicious page) but carries medium severity due to its ability to compromise confidentiality and integrity. No public exploit code or active exploitation in CISA KEV has been identified at the time of analysis.

XSS Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome before 148.0.7778.96 allows unauthenticated attackers to execute arbitrary code within the Chrome sandbox by exploiting a use-after-free vulnerability in the CSS rendering engine through a malicious webpage. Requires victim interaction (visiting attacker-controlled page) but needs no authentication. Vendor-released patch available as Chrome 148.0.7778.96. EPSS score not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis, though browser vulnerabilities are high-value targets.

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Insufficient policy enforcement in Chrome DevTools prior to version 148.0.7778.96 allows attackers to bypass navigation restrictions through a malicious extension, requiring user installation and interaction. The vulnerability has a low CVSS score (3.1) due to high attack complexity and user interaction requirements, resulting in limited confidentiality impact with no integrity or availability effects. Patch is available from Google.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Out-of-bounds memory read in Google Chrome's V8 JavaScript engine allows remote attackers to disclose sensitive information via a crafted HTML page. Affects Chrome versions prior to 148.0.7778.96. The vulnerability requires user interaction (opening a malicious page) but operates over the network with no authentication required. While classified as medium severity by Chromium, the impact is limited to information disclosure without code execution capability.

Google Information Disclosure Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

UI spoofing vulnerability in Google Chrome prior to 148.0.7778.96 allows remote attackers to deceive users through crafted HTML pages that manipulate the speech interface, potentially disclosing sensitive information or causing denial of service. The vulnerability requires user interaction (clicking or interacting with the malicious page) and affects the speech component's visual presentation. Chromium severity is rated Medium; no active exploitation has been publicly confirmed.

Information Disclosure Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Insufficient input validation in Google Chrome's Popup Blocker prior to version 148.0.7778.96 enables a remote attacker with a compromised renderer process to bypass navigation restrictions and access restricted content via a crafted HTML page. The vulnerability requires renderer process compromise and user interaction, limiting real-world exploitability despite its authentication bypass classification. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Out-of-bounds read in WebCodecs video processing in Google Chrome versions prior to 148.0.7778.96 allows remote attackers to leak sensitive memory contents via a crafted video file. The vulnerability requires user interaction to open a malicious video, but affects all users regardless of authentication. Chrome 148.0.7778.96 and later versions patch this information disclosure vulnerability, which could expose cryptographic keys, session tokens, or other sensitive data resident in adjacent memory.

Google Information Disclosure Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Insufficient policy enforcement in Chrome's Downloads feature prior to version 148.0.7778.96 allows local attackers with user interaction to bypass navigation restrictions and access sensitive download locations via a crafted HTML page, potentially leading to information disclosure or file manipulation. The vulnerability requires local access and user engagement with a malicious page, limiting its scope to targeted social engineering rather than remote mass exploitation.

Authentication Bypass Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

UI spoofing in Google Chrome on iOS prior to version 148.0.7778.96 allows remote attackers to deceive users through crafted HTML pages that manipulate the browser interface. The vulnerability stems from insufficient validation of untrusted input and has a CVSS score of 5.4 (medium severity). Exploitation requires user interaction with a malicious webpage but can result in information disclosure and denial of service on affected iOS devices.

Apple Google Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Google Chrome versions prior to 148.0.7778.96 enables remote attackers to elevate privileges through malicious HTML pages exploiting improper cookie validation. The vulnerability requires user interaction (clicking a link or visiting a malicious site) but no authentication, making it viable for phishing or watering-hole attacks. CVSS score of 8.8 indicates high severity across confidentiality, integrity, and availability. Vendor-released patch available in Chrome 148.0.7778.96 per Google's stable channel update. EPSS and KEV data not provided; exploitation status unknown at time of analysis.

Privilege Escalation Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Google Chrome's MediaRecording component (versions prior to 148.0.7778.96) allows attackers to execute arbitrary code when victims perform specific UI interactions with a malicious webpage. The use-after-free vulnerability in memory management has been patched by Google in version 148.0.7778.96. EPSS data not available; no CISA KEV listing identified, suggesting no confirmed widespread exploitation at time of analysis, though publicly available exploit code exists per Chromium bug tracker disclosure.

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome for Windows below version 148.0.7778.96 allows unauthenticated attackers to execute arbitrary code within Chrome's sandbox via specially crafted HTML pages exploiting a use-after-free vulnerability in the WebRTC implementation. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability. EPSS data not provided, but Google's 'High' severity classification and immediate patch release indicate active concern. No CISA KEV listing or public POC identified at time of analysis, though the vulnerability is already patched.

Denial Of Service Microsoft Use After Free +6
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.96 occurs when attackers exploit a type confusion vulnerability in the JavaScript runtime through malicious web pages. The vulnerability requires only that users visit a crafted HTML page, making it highly accessible for social engineering attacks. No active exploitation confirmed by CISA KEV at time of analysis, though Google has released patches addressing this high-severity memory corruption flaw with confirmed public disclosure through Chromium issue tracker.

Memory Corruption Google RCE +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome prior to version 148.0.7778.96 allows attackers to execute arbitrary code within the browser's sandbox by exploiting a use-after-free vulnerability in the Presentation API through a specially crafted HTML page. User interaction is required (visiting a malicious webpage). EPSS data not available for this recent CVE. No public exploit confirmed at time of analysis, though the vulnerability has been patched by Google in the stable channel release.

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free memory corruption in Chrome Remote Desktop (Chromoting) on Windows enables local privilege escalation to SYSTEM via malicious file interaction. Attackers with local access can gain OS-level administrative control by inducing users to open specially crafted files processed by the Chromoting component. Patch available in Chrome 148.0.7778.96. No evidence of active exploitation (not in CISA KEV), but the local attack vector with low complexity and high impact warrants immediate patching for Windows Chrome deployments, especially in multi-user environments where privilege boundaries are critical.

Denial Of Service Microsoft Use After Free +6
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Uninitialized memory use in Dawn (GPU abstraction layer) in Google Chrome prior to version 148.0.7778.96 allows remote attackers to read potentially sensitive information from process memory by opening a crafted HTML page. The vulnerability requires user interaction (clicking/viewing the malicious page) but no authentication, and has a high confidentiality impact. Chromium security team classified this as high severity; no public exploit code or active exploitation has been confirmed at time of analysis.

Information Disclosure Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Renderer sandbox escape in Google Chrome versions prior to 148.0.7778.96 leverages an out-of-bounds write in the Skia graphics library. An attacker who has already compromised Chrome's renderer process through other means (such as a separate browser vulnerability) can deliver a specially crafted HTML page to break out of Chrome's security sandbox, gaining elevated code execution on the underlying operating system. EPSS data not available; no CISA KEV listing identified. Google has released Chrome 148.0.7778.96 addressing this high-severity flaw, classified as CWE-787 (Out-of-bounds Write) affecting the Skia graphics rendering engine.

Google Memory Corruption Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome via ServiceWorker use-after-free allows remote attackers to break out of Chrome's security sandbox through a specially crafted HTML page. Affects all Chrome versions prior to 148.0.7778.96. EPSS data not yet available for this recent CVE. Google has released a patch in version 148.0.7778.96. While rated high severity by Chromium project, the attack complexity is high (AC:H) and requires user interaction (UI:R), limiting widespread exploitation risk despite the critical scope change (S:C) indicating sandbox escape capability.

Google Denial Of Service Use After Free +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome prior to 148.0.7778.96 enables attackers to execute arbitrary code by exploiting a use-after-free vulnerability in the Passwords component through a malicious HTML page. User interaction (visiting the crafted page) is required. CVSS score of 8.8 reflects network-based attack requiring no authentication but requiring user interaction, with high impact to confidentiality, integrity, and availability. Vendor patch available in Chrome 148.0.7778.96. No public exploitation confirmed at time of analysis.

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox through a use-after-free vulnerability in the Skia graphics library. Exploitation requires user interaction with a malicious HTML page and successful prior renderer compromise, representing a second-stage attack rather than initial access. No active exploitation confirmed (not in CISA KEV), though the vulnerability's sandbox escape capability makes it valuable for targeted attack chains.

Google Denial Of Service Use After Free +4
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome versions prior to 148.0.7778.96 enables remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox through a use-after-free vulnerability in the Aura UI framework. The attack requires user interaction with a malicious webpage and presents high attack complexity, but successfully chains renderer compromise with sandbox escape to achieve full system impact. No active exploitation confirmed (not in CISA KEV), though this vulnerability class is frequently targeted given Chrome's wide deployment and the high value of sandbox escapes.

Google Denial Of Service Use After Free +4
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome's GPU component prior to version 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox via a use-after-free memory corruption vulnerability triggered by a malicious web page. This represents a critical second-stage attack where initial renderer compromise is chained with GPU exploitation to achieve full system access. Vendor-released patch available in Chrome 148.0.7778.96. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept at time of analysis.

Google Denial Of Service Use After Free +4
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome on Windows allows attackers who have already compromised the renderer process to break out of Chrome's security sandbox via a use-after-free flaw in the Fullscreen API. Affects Chrome versions prior to 148.0.7778.96 on Windows platforms. Google has released a patch (version 148.0.7778.96) and rated this High severity. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code at time of analysis, though the vulnerability requires initial renderer compromise making it a second-stage exploitation vector.

Denial Of Service Microsoft Use After Free +5
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome prior to 148.0.7778.96 enables compromised renderer processes to break out of browser security isolation via malicious HTML. This two-stage attack requires first exploiting a separate renderer vulnerability, then leveraging insufficient validation in the InterestGroups component to escalate privileges. The vulnerability is confirmed patched by Google (chromereleases advisory) with no public exploit code or active exploitation identified at time of analysis. CVSS 8.3 (High) reflects the severe impact of full sandbox escape, though the High attack complexity (requiring prior renderer compromise) limits immediate risk compared to single-stage remote code execution vulnerabilities.

Information Disclosure Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Insufficient data validation in DevTools in Google Chrome on Android prior to version 148.0.7778.96 allows remote attackers to bypass navigation restrictions by sending a crafted HTML page, requiring user interaction to open the malicious page. The vulnerability has a low CVSS score (4.3) due to limited confidentiality impact and requirement for user click, but affects all Android users running vulnerable versions. A vendor-released patch is available.

Authentication Bypass Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome on Windows versions prior to 148.0.7778.96 allows attackers who have already compromised the renderer process to break out of Chrome's security sandbox via type confusion in the Accessibility subsystem. The attack requires user interaction with a malicious webpage and successful renderer compromise as a prerequisite, representing a critical escalation path in multi-stage attacks. Vendor-released patch available in Chrome 148.0.7778.96. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.

Microsoft Information Disclosure Memory Corruption +4
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Google Chrome for Android prior to 148.0.7778.96 allows attackers to elevate privileges through malicious files exploiting insufficient policy enforcement in DevTools. The vulnerability requires user interaction to open a crafted file but grants no authentication requirement (PR:N) for the initial attack vector. Google released patch version 148.0.7778.96 addressing this high-severity flaw. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, suggesting exploitation remains theoretical or non-widespread.

Privilege Escalation Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Integer overflow in the GPU component of Google Chrome on Android prior to version 148.0.7778.96 enables a remote attacker whose renderer process has been compromised to execute arbitrary read and write operations via a malicious HTML page. The vulnerability requires prior compromise of the renderer process and user interaction, limiting its standalone exploitability but creating a significant secondary threat following renderer exploitation. Chromium security team rated this as high severity; no public exploit code or active exploitation has been identified at time of analysis.

Buffer Overflow Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome for Windows versions prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of the Chrome sandbox via a use-after-free vulnerability in the Aura UI framework. The attack requires user interaction with a specially crafted HTML page and has high attack complexity (AC:H), but grants complete control over confidentiality, integrity, and availability with changed scope (S:C). No active exploitation confirmed in CISA KEV at time of analysis. EPSS data not provided, but the vulnerability targets a browser component with over 3 billion users globally.

Denial Of Service Microsoft Use After Free +5
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Use-after-free in the Views component of Google Chrome versions prior to 148.0.7778.96 enables site isolation bypass after renderer compromise. A remote attacker who has already compromised the renderer process can escape sandbox protections via a malicious HTML page, potentially accessing cross-origin data or executing code outside the renderer sandbox. Patch released by Google in version 148.0.7778.96. EPSS score of 0.02% (3rd percentile) indicates very low probability of exploitation in the wild currently, with no evidence of active exploitation or public proof-of-concept at time of analysis.

Google Denial Of Service Use After Free +4
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Site isolation bypass in Google Chrome prior to version 148.0.7778.96 allows a remote attacker with a compromised renderer process to circumvent Chrome's site isolation security boundary through a crafted HTML page. The vulnerability requires user interaction and a pre-compromised renderer, limiting real-world impact despite being triggered remotely. No public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows remote attackers to break out of the browser's security sandbox through a use-after-free vulnerability in the Fullscreen API component. Attackers can deliver exploitation via a specially crafted HTML page requiring only user visit to the page (no additional interaction). With CVSS 9.6 (Critical) and scope change indicating containment breach, this represents a serious risk to browser security model integrity. No evidence of active exploitation (not in CISA KEV) and EPSS data not available at time of analysis.

Google Denial Of Service Use After Free +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution within Chrome's sandbox affects all versions prior to 148.0.7778.96 via crafted HTML pages exploiting a use-after-free vulnerability in DOM handling. Remote unauthenticated attackers can achieve arbitrary code execution with high integrity and confidentiality impact by convincing users to visit a malicious webpage. Vendor patch released (Chrome 148.0.7778.96). No confirmed active exploitation (not in CISA KEV), but the low attack complexity (AC:L) and publicly disclosed bug tracker entry (Chromium issue 496292089) increase exploitation risk. EPSS data not provided but RCE in widely-deployed browser warrants immediate patching despite sandbox containment limiting full system compromise.

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.96 allows attackers to execute arbitrary code within the browser's sandbox through a use-after-free vulnerability in SVG rendering. User interaction (visiting a malicious webpage) is required, but no authentication is needed. Vendor-released patch available in Chrome 148.0.7778.96. No public exploit identified at time of analysis, though CVSS score of 8.8 reflects high impact if successfully exploited.

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Renderer process compromise in Google Chrome for Android before 148.0.7778.96 enables sandbox escape through malicious HTML pages exploiting insufficient input validation in the Media component. Attacker requires user interaction to compromise the renderer first, then can break out of Chrome's security sandbox to execute code with broader system privileges. Vendor-released patch available in Chrome 148.0.7778.96 per Google's May 2026 stable channel update.

Information Disclosure Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Out-of-bounds memory read in Google Chrome's font handling allows remote attackers to leak sensitive information via a crafted HTML page when users visit a malicious website. Chrome versions prior to 148.0.7778.96 are affected. The vulnerability requires user interaction (clicking a link or visiting a page) but occurs over the network without authentication. Information disclosure risk is limited (CVSS C:L) with no impact on integrity or availability, but the Chromium security severity designation of High indicates concern about potential information leakage in real-world exploitation.

Google Information Disclosure Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Integer overflow in Chrome's ANGLE graphics layer (Mac/Windows) enables heap corruption via malicious web pages. Remote attackers can achieve arbitrary code execution by tricking users into visiting crafted HTML content. Google patched this in Chrome 148.0.7778.96, marking it high severity. Users must interact with the malicious page, but no authentication is required. EPSS data not available; no CISA KEV listing indicates exploitation not yet confirmed in the wild, though the Chromium bug tracker may contain additional context.

Microsoft Google Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution within Chrome's V8 sandbox affects all versions prior to 148.0.7778.96 when users visit malicious web pages. The out-of-bounds memory access vulnerability in V8 JavaScript engine enables arbitrary code execution with user interaction (visiting crafted HTML), rated high severity by Chromium team. EPSS and KEV data not available, but Google confirmed the vulnerability and released patches. Attack complexity is low (CVSS AC:L) with no authentication required, making this exploitable at scale once proof-of-concept becomes public.

RCE Google Memory Corruption +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome for macOS (versions prior to 148.0.7778.96) allows attackers to execute arbitrary code within the browser's sandbox by exploiting a use-after-free vulnerability in the ANGLE graphics library through a malicious HTML page. The vulnerability requires user interaction (visiting a crafted webpage) but can be exploited remotely without authentication. Google has released Chrome 148.0.7778.96 to address this high-severity memory corruption issue, which affects the confidentiality, integrity, and availability of sandboxed browser processes.

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Heap buffer overflow in Chrome's ANGLE graphics layer enables sandbox escape for attackers who have already compromised the renderer process, requiring user interaction with a malicious webpage. Chrome 148.0.7778.96 patches this High-severity vulnerability. No active exploitation confirmed (not in CISA KEV), and CVSS 8.3 reflects the Changed scope indicating successful sandbox breakout - a critical security boundary failure that elevates renderer compromise to broader system access.

Heap Overflow Google Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Out-of-bounds memory access in Chrome's V8 JavaScript engine enables remote code execution within the browser sandbox when users visit malicious websites. Affects all Chrome versions prior to 148.0.7778.96 across Windows, macOS, and Linux. Google released patches in the stable channel update (build 148.0.7778.96) per May 2026 advisory. No active exploitation confirmed at time of analysis, but CVSS 8.8 indicates high severity and the vulnerability requires only user interaction (visiting a crafted webpage) with no authentication needed.

Google Information Disclosure RCE +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's Chromoting component (remote desktop feature) on Linux allows unauthenticated attackers to execute arbitrary code through specially crafted network packets when a user interacts with a malicious remote desktop session. Fixed in Chrome 148.0.7778.96. Vendor rates severity as Critical. No public exploit code identified at time of analysis, but the use-after-free class (CWE-416) is well-understood and exploitable. CVSS 8.8 reflects network attack vector with low complexity requiring only user interaction, enabling full system compromise (high confidentiality, integrity, and availability impact).

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Google Chrome for iOS prior to version 148.0.7778.96 through use-after-free memory corruption in the mobile UI handler. Exploitation requires convincing a user to perform specific UI gestures while viewing a malicious HTML page. Google confirms Critical severity and has released a patched version. EPSS data unavailable; not currently listed in CISA KEV. Attack complexity is rated High due to the required user interaction pattern, limiting opportunistic exploitation but enabling targeted attacks via social engineering.

Denial Of Service Use After Free Memory Corruption +6
NVD VulDB
Prev Page 19 of 156 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy