Skip to main content

Google

13978 CVEs vendor

Monthly

CVE-2025-48630 HIGH This Week

Android versions up to 14.0 contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 7.4).

Privilege Escalation Information Disclosure Android Google
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-48619 HIGH This Week

In multiple functions of ContentProvider.java, there is a possible way for an app with read-only access to truncate files due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

Privilege Escalation Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-48613 HIGH This Week

In VBMeta, there is a possible way to modify and resign VBMeta using a test key, assuming the original image was previously signed with the same key. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.8 HIGH]

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48609 CRITICAL Act Now

Android MmsProvider has a vulnerability allowing arbitrary file deletion through improper handling of MMS data, potentially causing data loss on mobile devices.

Denial Of Service Path Traversal Android Google
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-48605 HIGH This Week

In multiple functions of KeyguardViewMediator.java, there is a possible lockscreen bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

Privilege Escalation Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-48602 HIGH This Week

In exitKeyguardAndFinishSurfaceBehindRemoteAnimation of KeyguardViewMediator.java, there is a possible lockscreen bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

Privilege Escalation Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-48587 MEDIUM This Month

In multiple functions of ProfilingService.java, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. [CVSS 6.2 MEDIUM]

Denial Of Service Android Google
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-48585 MEDIUM This Month

In multiple functions of ProfilingService.java, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. [CVSS 6.2 MEDIUM]

Denial Of Service Android Google
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-48582 HIGH This Week

In multiple locations, there is a possible way to delete media without the MANAGE_EXTERNAL_STORAGE permission due to an intent redirect. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

Privilege Escalation Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-48579 HIGH This Week

Android versions up to 14.0 contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 8.4).

Privilege Escalation Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-48578 HIGH This Week

In multiple functions of MediaProvider.java, there is a possible way to bypass the WRITE_EXTERNAL_STORAGE permission due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.8 HIGH]

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48577 HIGH This Week

In multiple functions of KeyguardViewMediator.java, there is a possible lockscreen bypass due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.4 HIGH]

Privilege Escalation Race Condition Android Google
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-48574 HIGH This Week

In validateAddingWindowLw of DisplayPolicy.java, there is a possible way for an app to intercept drag-and-drop events due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

Privilege Escalation Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-48568 HIGH This Week

In multiple locations, there is a possible lockscreen bypass due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.4 HIGH]

Privilege Escalation Race Condition Android Google
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-48567 HIGH This Week

In multiple locations, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.8 HIGH]

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-32313 HIGH This Week

In UsageEvents of UsageEvents.java, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

Privilege Escalation Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2024-43766 MEDIUM This Month

Android versions up to 14.0 is affected by cleartext transmission of sensitive information (CVSS 6.5).

Information Disclosure Android Google
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2024-31328 HIGH This Week

In broadcastIntentLockedTraced of BroadcastController.java, there is a possible way to launch arbitrary activities from the background on the paired companion phone due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.8 HIGH]

Privilege Escalation Android Google
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-20445 MEDIUM This Month

Android versions up to 14.0 contains a vulnerability that allows attackers to local denial of service if a malicious actor has already obtained the System pri (CVSS 4.4).

Denial Of Service Race Condition Android Google
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-20444 MEDIUM This Month

Local privilege escalation in Android's display module stems from insufficient bounds checking in memory operations, allowing system-level attackers to corrupt memory and gain elevated privileges without user interaction. The vulnerability affects Android devices where an adversary with existing system privileges can exploit this flaw to further escalate their access. No patch is currently available for this issue.

Memory Corruption Privilege Escalation Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-20443 MEDIUM This Month

Local privilege escalation in Android's display subsystem exploits a use-after-free memory corruption vulnerability to elevate from system-level privileges, requiring no user interaction. An attacker with pre-existing system access can trigger the memory corruption to gain complete control over the affected device. No patch is currently available to remediate this issue.

Use After Free Memory Corruption Privilege Escalation Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-20442 MEDIUM This Month

Android's display subsystem crashes due to a use-after-free memory error that allows a privileged local attacker to trigger a denial of service without user interaction. Exploitation requires pre-existing system-level access, limiting impact to scenarios where an attacker has already compromised the device at the highest privilege level. No patch is currently available for this vulnerability.

Use After Free Denial Of Service Android Google
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-20441 MEDIUM This Month

Android's MAE component contains an out-of-bounds write vulnerability due to insufficient bounds checking that enables local privilege escalation for attackers with existing system-level access. This memory corruption flaw requires no user interaction and could allow a privileged malicious actor to achieve arbitrary code execution, though exploitation is currently not publicly documented. No patch is currently available for this vulnerability.

Privilege Escalation Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-20440 MEDIUM This Month

Android versions up to 15.0 contains a vulnerability that allows attackers to local escalation of privilege if a malicious actor has already obtained the Syst (CVSS 6.7).

Privilege Escalation Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-20439 MEDIUM This Month

Android's imgsys component is vulnerable to a use-after-free condition that enables local denial of service attacks. Exploitation requires system-level privileges and causes immediate system crashes without user interaction. No patch is currently available for this vulnerability.

Use After Free Denial Of Service Android Google
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-20438 MEDIUM This Month

Android versions up to 15.0 contains a vulnerability that allows attackers to local escalation of privilege if a malicious actor has already obtained the Syst (CVSS 6.4).

Privilege Escalation Race Condition Android Google
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-20437 MEDIUM This Month

Android MAE component is vulnerable to a use-after-free condition that can trigger a system crash, resulting in denial of service for devices where an attacker has already obtained system-level privileges. No user interaction is required for exploitation. Currently, no patch is available for this vulnerability.

Use After Free Denial Of Service Android Google
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-20435 MEDIUM This Month

Device unique identifiers in the preloader of Openwrt, Android, Yocto, RDK-B, and Zephyr can be read by attackers with physical access due to a logic error, leading to local information disclosure without requiring additional privileges or user interaction. This vulnerability affects multiple embedded and IoT platforms where the preloader executes before operating system initialization. No patch is currently available for this issue.

Information Disclosure Openwrt Android Yocto Rdk B +2
NVD
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-20429 MEDIUM This Month

Android's display component fails to validate buffer boundaries during read operations, allowing a system-privileged attacker to access sensitive memory contents without user interaction. This out-of-bounds read vulnerability enables local information disclosure to any malicious process running with System privileges. No patch is currently available to address this issue.

Information Disclosure Android Google
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-20428 MEDIUM This Month

Improper bounds checking in Android's display subsystem enables local privilege escalation for attackers with system-level access, potentially allowing them to execute arbitrary code with elevated privileges. The vulnerability stems from an out-of-bounds write condition that requires no user interaction to exploit. No patch is currently available for this medium-severity issue.

Privilege Escalation Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-20427 MEDIUM This Month

Android's display subsystem contains a buffer overflow vulnerability stemming from insufficient bounds validation, allowing attackers with system-level privileges to escalate their access further without user interaction. This local privilege escalation affects Android devices and requires an attacker to already possess system privileges, limiting the immediate threat scope. While no patch is currently available, the vulnerability poses a significant risk in multi-user or containerized Android environments where system compromise could lead to complete device control.

Privilege Escalation Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-20426 MEDIUM This Month

Android's display component contains an out-of-bounds write vulnerability due to insufficient bounds checking that could allow a system-privileged attacker to escalate privileges without user interaction. The vulnerability affects devices where an adversary has already obtained system-level access, enabling potential memory corruption and further privilege elevation. No patch is currently available.

Privilege Escalation Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-20425 MEDIUM This Month

Android's display module contains an out-of-bounds write vulnerability due to insufficient bounds validation, enabling local privilege escalation for attackers who already possess System-level access. The vulnerability requires no user interaction and could allow complete system compromise through memory corruption. No patch is currently available for this medium-severity issue.

Privilege Escalation Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-20424 MEDIUM This Month

Android's display component contains an out-of-bounds read vulnerability stemming from insufficient bounds validation, allowing system-privileged attackers to disclose sensitive memory contents without user interaction. The vulnerability requires pre-existing system-level access but poses a high confidentiality risk through local information disclosure. No patch is currently available.

Information Disclosure Android Google
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-20416 HIGH This Week

Local privilege escalation in Android's PCIe driver allows system-level attackers to execute arbitrary code through an out-of-bounds write caused by insufficient bounds validation. Exploitation requires pre-existing system privileges but no user interaction, enabling a compromised system component to gain complete device control. No patch is currently available.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-3223 HIGH This Week

Arbitrary file write & potential privilege escalation exploiting zip slip vulnerability in Google Web Designer.

Google Privilege Escalation Path Traversal
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-26227 MEDIUM This Month

VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploita...

Authentication Bypass Google
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-26228 LOW Monitor

Authenticated attackers can read arbitrary files from a VLC for Android device running versions before 3.7.0 by exploiting a path traversal flaw in the Remote Access Server's download endpoint. The vulnerability allows directory traversal through an unsanitized file parameter, though impact is limited to files accessible within the Android app's sandbox and storage permissions. No patch is currently available for this medium-severity vulnerability.

Path Traversal Google
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-2244 This Week

A vulnerability in Google Cloud Vertex AI Workbench from 7/21/2025 to 01/30/2026 allows an attacker to exfiltrate valid Google Cloud access tokens of other users via abuse of a built-in startup script. All instances after January 30th, 2026 have been patched to protect from this vulnerability.

Google
NVD
EPSS
0.0%
CVE-2026-2800 CRITICAL PATCH Act Now

Spoofing in Firefox for Android WebAuthn component before 148. Allows phishing attacks through WebAuthn UI manipulation.

Mozilla Google Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-2794 HIGH PATCH This Week

Uninitialized memory in Firefox and Firefox Focus for Android versions prior to 148 enables remote attackers to read sensitive data without authentication or user interaction. The vulnerability allows information disclosure through memory that was not properly cleared before use, potentially exposing confidential user information to network-based attackers.

Information Disclosure Mozilla Google
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-3063 MEDIUM This Month

Google Chrome versions prior to 145.0.7632.116 allow attackers to inject malicious scripts or HTML into privileged pages through a compromised DevTools extension if a user can be tricked into installing it. The vulnerability requires user interaction to install a malicious extension but could enable unauthorized script execution in sensitive browser contexts. No patch is currently available.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-3062 CRITICAL PATCH Act Now

Out-of-bounds read and write in Chrome Tint shader compiler on Mac before 145.0.7632.116. More severe than CVE-2026-3061 due to additional write capability enabling potential code execution.

Chrome Google Red Hat Suse
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-3061 CRITICAL PATCH Act Now

Out-of-bounds read in Google Chrome Media component before 145.0.7632.116 allows remote attackers to perform memory reads via crafted media content.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-2974 LOW PATCH Monitor

A vulnerability was identified in AliasVault App up to 0.25.3 on Android/iOS. This vulnerability affects unknown code of the file shared_prefs/aliasvault.xml of the component Backup Handler. [CVSS 2.5 LOW]

Authentication Bypass Hashicorp Google
NVD GitHub VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2026-2473 PyPI PATCH Monitor

Predictable bucket naming in Vertex AI Experiments in Google Cloud Vertex AI from version 1.21.0 up to (but not including) 1.133.0 on Google Cloud Platform allows an unauthenticated remote attacker to achieve cross-tenant remote code execution, model theft, and poisoning via pre-creating predictably named Cloud Storage buckets (Bucket Squatting).

Google RCE
NVD
EPSS
0.3%
CVE-2026-2472 PyPI HIGH PATCH This Week

Stored Cross-Site Scripting (XSS) in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions from 1.98.0 up to (but not including) 1.131.0 allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment via injecting script escape sequences into model evaluation results or dataset JSON data.

Google XSS
NVD GitHub
CVSS 4.0
8.6
EPSS
0.2%
CVE-2025-68834 HIGH This Week

Missing Authorization vulnerability in Saiful Islam Sync Master Sheet &#8211; Product Sync with Google Sheet for WooCommerce product-sync-master-sheet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sync Master Sheet &#8211; Product Sync with Google Sheet for WooCommerce: from n/a through <= 1.1.3.

WordPress Authentication Bypass Google
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68028 MEDIUM This Month

Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GA4WP: Google Analytics for WordPress: from n/a through <= 2.10.0. [CVSS 6.5 MEDIUM]

WordPress Authentication Bypass Google
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-2274 This Week

A SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet versions up to 2025-11 is affected by server-side request forgery (ssrf).

Google SSRF
NVD
EPSS
0.1%
CVE-2026-2650 HIGH PATCH This Week

Google Chrome versions before 145.0.7632.109 contain a heap buffer overflow in the Media component that can be triggered by a remote attacker through a specially crafted HTML page, potentially leading to heap corruption and arbitrary code execution. The vulnerability requires user interaction to exploit and affects all Chrome users who encounter a malicious webpage. No patch is currently available for this high-severity issue.

Google Buffer Overflow Chrome Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-2649 HIGH PATCH This Week

Heap corruption in Google Chrome's V8 engine prior to version 145.0.7632.109 can be triggered through integer overflow vulnerabilities when processing malicious HTML pages. An unauthenticated attacker can exploit this by tricking users into visiting a crafted webpage, potentially achieving arbitrary code execution with high impact to confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

Google Integer Overflow Chrome Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-2648 HIGH PATCH This Week

Google Chrome's PDFium library contains a heap buffer overflow vulnerability that enables remote attackers to execute arbitrary code or corrupt memory by opening specially crafted PDF files, affecting all users without requiring authentication or special user interaction. The vulnerability impacts Chrome versions prior to 145.0.7632.109 with a high CVSS score of 8.8, though no patch is currently available. An attacker can exploit this to achieve complete compromise of the affected system including confidentiality, integrity, and availability of data.

Buffer Overflow Chrome Google Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-23198 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: KVM: Don't clobber irqfd routing type when deassigning irqfd When deassigning a KVM_IRQFD, don't clobber the irqfd's copy of the IRQ's routing entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86 and arm64, which explicitly look for KVM_IRQ_ROUTING_MSI.

Linux Null Pointer Dereference Amd Google Denial Of Service +2
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23167 MEDIUM PATCH This Month

A race condition in the Linux kernel NFC subsystem allows local attackers with low privileges to cause a denial of service by triggering a use-after-free condition between rfkill device unregistration and NCI command queue destruction. An attacker can exploit this by closing a virtual NCI device file while rfkill operations are in progress, causing the kernel to access a destroyed work queue. No patch is currently available for this vulnerability.

Linux Race Condition Information Disclosure Google Linux Kernel +2
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-23128 MEDIUM PATCH This Month

The Linux kernel's ARM64 hibernation resume function fails to disable Control Flow Integrity (CFI) checking, causing a data abort exception when resuming from hibernation on affected systems. A local attacker with hibernation access could trigger a denial of service by invoking the resume function without proper CFI validation. This affects Linux kernel deployments on ARM64 architecture, though no patch is currently available.

Linux Information Disclosure Google Linux Kernel Android +2
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-2441 HIGH POC KEV PATCH THREAT Act Now

Google Chrome's CSS engine contains a use-after-free vulnerability (CVE-2026-2441, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox through crafted HTML pages. KEV-listed with public PoC, this vulnerability enables drive-by exploitation when users visit malicious or compromised websites.

Google Use After Free Chrome Red Hat Suse
NVD GitHub VulDB Exploit-DB
CVSS 3.1
8.8
EPSS
0.1%
Threat
4.8
CVE-2026-26214 CRITICAL Act Now

Man-in-the-middle interception affects the Xiaomi Galaxy FDS Android SDK (galaxy-fds-sdk-android) version 3.0.8 and prior, which disables TLS hostname verification whenever HTTPS is enabled — the default. Because createHttpClient() installs Apache HttpClient's ALLOW_ALL_HOSTNAME_VERIFIER, any TLS certificate from any host is accepted, letting an on-path attacker impersonate Xiaomi FDS cloud storage endpoints and steal authentication credentials, file contents, and API responses. EPSS is very low (0.03%, 8th percentile) and there is no public exploit identified at time of analysis, but the project has reached end-of-life so no fix is expected.

Apache Google Information Disclosure
NVD GitHub VulDB
CVSS 4.0
9.1
EPSS
0.0%
CVE-2026-2323 MEDIUM PATCH This Month

Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 4.3).

Google Chrome Red Hat Suse
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2322 MEDIUM PATCH This Month

Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 5.4).

Google Chrome Red Hat Suse
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-2321 HIGH PATCH This Week

Heap corruption in Google Chrome's Ozone component (versions prior to 145.0.7632.45) stems from a use-after-free vulnerability that can be triggered when users interact with malicious HTML pages through specific UI gestures. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution with high impact on confidentiality, integrity, and availability. No patch is currently available, leaving affected Chrome users vulnerable to exploitation.

Google Use After Free Chrome Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-2320 MEDIUM PATCH This Month

Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 6.5).

Google Chrome Red Hat Suse
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2319 HIGH PATCH This Week

Google Chrome versions prior to 145.0.7632.45 contain a race condition in DevTools that allows remote attackers to corrupt objects by convincing users to perform specific UI interactions and install a malicious extension. An attacker exploiting this vulnerability could achieve high-impact outcomes including information disclosure, data modification, or denial of service. The vulnerability currently has no available patch.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-2318 MEDIUM PATCH This Month

Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 6.5).

Google Chrome Red Hat Suse
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2317 MEDIUM PATCH This Month

Google Chrome versions before 145.0.7632.45 contain an animation implementation flaw that allows remote attackers to exfiltrate cross-origin data through specially crafted HTML pages. The vulnerability requires user interaction to trigger and affects all Chrome users, potentially exposing sensitive information from other websites. No patch is currently available.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2316 MEDIUM PATCH This Month

Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 6.5).

Google Chrome Red Hat Suse
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2315 HIGH PATCH This Week

Out of bounds memory access in Google Chrome's WebGPU implementation prior to version 145.0.7632.45 allows unauthenticated attackers to trigger memory corruption through a malicious HTML page. This vulnerability requires user interaction but carries high risk due to potential for arbitrary code execution or information disclosure. No patch is currently available.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-2314 HIGH PATCH This Week

Heap buffer overflow in Google Chrome's codec implementation prior to version 145.0.7632.45 enables remote attackers to corrupt heap memory and potentially achieve arbitrary code execution through a malicious HTML page. The vulnerability requires user interaction to visit a crafted webpage but does not require special privileges, affecting all Chrome users. No patch is currently available.

Google Buffer Overflow Chrome Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-2313 HIGH PATCH This Week

Heap corruption in Google Chrome's CSS engine prior to version 145.0.7632.45 can be triggered through crafted HTML pages, enabling remote attackers to achieve arbitrary code execution without user interaction beyond viewing a malicious webpage. The vulnerability stems from a use-after-free memory flaw that affects all Chrome users, and currently no patch is available. With a CVSS score of 8.8 and low exploit difficulty, this represents a critical risk to active Chrome installations.

Google Use After Free Chrome Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-0106 CRITICAL Act Now

Missing bounds check in Android VPU (Video Processing Unit) driver's vpu_mmap allows arbitrary address memory mapping, potentially leading to local privilege escalation on Android devices.

Privilege Escalation Android Google
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-23099 HIGH PATCH This Week

The Linux kernel bonding driver fails to validate device types before enabling 802.3AD mode, allowing local privileged attackers to trigger out-of-bounds memory reads via malformed hardware address operations. This vulnerability affects systems running vulnerable Linux kernel versions and could lead to denial of service or information disclosure. No patch is currently available for this high-severity vulnerability.

Linux Buffer Overflow Information Disclosure Google
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-1862 HIGH PATCH This Week

Chrome versions up to 144.0.7559.132 is affected by access of resource using incompatible type (type confusion) (CVSS 8.8).

Chrome Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-1861 HIGH PATCH This Week

Heap buffer overflow in Chrome's libvpx video codec allows remote attackers to achieve arbitrary code execution through a malicious webpage, requiring only user interaction to trigger exploitation. The vulnerability affects Chrome versions prior to 144.0.7559.132 and currently lacks a patch. With a CVSS score of 8.8, this high-severity flaw poses significant risk to users who visit compromised or attacker-controlled websites.

Buffer Overflow Chrome Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-20417 MEDIUM This Month

Local privilege escalation in Android's PCIe driver stems from an out-of-bounds write vulnerability caused by insufficient bounds validation, allowing attackers with system-level privileges to escalate their access without user interaction. This medium-severity vulnerability (CVSS 5.3) affects Android devices and currently has no available patch. The CWE-787 vulnerability requires an attacker to already possess system privileges, limiting the immediate exploitation scope.

Privilege Escalation Android Google
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-20415 MEDIUM This Month

Android versions up to 15.0 contains a vulnerability that allows attackers to local denial of service if a malicious actor has already obtained the System pri (CVSS 5.5).

Memory Corruption Denial Of Service Android Google
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20414 MEDIUM This Month

Android's imgsys component contains a use-after-free vulnerability that allows privilege escalation when exploited by an attacker who already has system-level access. The flaw requires no user interaction and could enable a malicious actor to escalate their privileges further within the device. Currently, no patch is available to address this vulnerability.

Use After Free Privilege Escalation Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-20413 MEDIUM This Month

Android versions up to 15.0 contains a vulnerability that allows attackers to local escalation of privilege if a malicious actor has already obtained the Syst (CVSS 6.7).

Privilege Escalation Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-20412 HIGH This Week

The Android cameraisp component contains an out-of-bounds write vulnerability due to insufficient bounds validation, enabling privilege escalation for attackers who have already gained system-level access. No user interaction is required for exploitation, and the vulnerability affects confidentiality, integrity, and availability of the device. No patch is currently available.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20411 HIGH This Week

A use-after-free vulnerability in Android's cameraisp component allows privilege escalation to local denial of service for attackers with system-level access, requiring no user interaction. The flaw enables malicious actors to manipulate memory safety boundaries and execute arbitrary actions within the camera service context. No patch is currently available for this vulnerability.

Use After Free Denial Of Service Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20410 MEDIUM This Month

Local privilege escalation in Android's imgsys component allows system-level processes to achieve full system compromise through an out-of-bounds write caused by insufficient bounds validation. An attacker with existing system privileges can exploit this flaw without user interaction to gain complete control over the affected device. No patch is currently available for this vulnerability.

Privilege Escalation Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-20409 HIGH This Week

An out-of-bounds write vulnerability in Android's imgsys component allows a local attacker with system-level privileges to escalate permissions and gain complete control over the device due to insufficient bounds checking. The vulnerability requires no user interaction and cannot be patched in current versions. This affects Android devices where an attacker has already obtained elevated system access.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-1504 MEDIUM PATCH This Month

Cross-origin data disclosure in Google Chrome's Background Fetch API prior to version 144.0.7559.110 enables remote attackers to steal sensitive information from other websites through specially crafted HTML pages, requiring only user interaction. The vulnerability affects all Chrome users and has a patch available in the latest version.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23011 MEDIUM PATCH This Month

The Linux kernel's ipgre_header() function lacks proper validation when handling dynamically resized network device headers, allowing local attackers with network privileges to trigger kernel panics through memory corruption. This vulnerability affects systems using team or bonding drivers that can modify device headroom parameters, enabling denial of service attacks without requiring user interaction.

Linux Denial Of Service Google
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23010 HIGH PATCH This Week

A use-after-free vulnerability in the Linux kernel's IPv6 address deletion function allows local attackers with user privileges to corrupt memory and potentially execute arbitrary code or cause a denial of service. The flaw occurs when ipv6_del_addr() is called prematurely before temporary address flags are read, leaving a dangling pointer reference. No patch is currently available for this high-severity vulnerability affecting Linux systems.

Linux Use After Free Information Disclosure Memory Corruption Google
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23004 HIGH PATCH This Week

A race condition in Linux kernel routing code allows local authenticated attackers to cause a denial of service by triggering a kernel crash through unsynchronized list operations in rt6_uncached_list_del() and rt_del_uncached_list(). The vulnerability occurs when concurrent CPU operations on list data structures result in use-after-free conditions during list initialization. No patch is currently available for this medium-severity issue.

Linux Denial Of Service Google Race Condition
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23003 MEDIUM PATCH This Month

The Linux kernel's IPv6 tunnel implementation fails to properly handle VLAN-encapsulated packets in __ip6_tnl_rcv(), allowing a local attacker with user privileges to cause a denial of service through uninitialized memory access. The vulnerability stems from using an insufficient packet validation function that does not account for VLAN headers, triggering kernel crashes during ECN decapsulation. No patch is currently available for this medium-severity issue affecting Linux systems.

Linux Google Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23001 HIGH PATCH This Week

A use-after-free vulnerability in the Linux kernel's macvlan driver allows local attackers with user privileges to cause memory corruption and potential privilege escalation through improper RCU synchronization in the macvlan_forward_source() function. The flaw stems from missing RCU protection when clearing vlan pointers during source entry deletion, enabling attackers to access freed memory structures. No patch is currently available for this HIGH severity vulnerability affecting Linux distributions.

Linux Google Use After Free Memory Corruption Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-12836 MEDIUM This Month

VK Google Job Posting Manager (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS Google
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-24603 MEDIUM This Month

themebeez Universal Google Adsense and Ads manager universal-google-adsense-and-ads-manager is affected by missing authorization (CVSS 5.3).

Authentication Bypass Google
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24540 MEDIUM This Month

Prince Integrate Google Drive integrate-google-drive is affected by missing authorization (CVSS 5.4).

Google Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
EPSS 0% CVSS 7.4
HIGH This Week

Android versions up to 14.0 contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 7.4).

Privilege Escalation Information Disclosure Android +1
NVD
EPSS 0% CVSS 8.4
HIGH This Week

In multiple functions of ContentProvider.java, there is a possible way for an app with read-only access to truncate files due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In VBMeta, there is a possible way to modify and resign VBMeta using a test key, assuming the original image was previously signed with the same key. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.8 HIGH]

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Android MmsProvider has a vulnerability allowing arbitrary file deletion through improper handling of MMS data, potentially causing data loss on mobile devices.

Denial Of Service Path Traversal Android +1
NVD
EPSS 0% CVSS 8.4
HIGH This Week

In multiple functions of KeyguardViewMediator.java, there is a possible lockscreen bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 8.4
HIGH This Week

In exitKeyguardAndFinishSurfaceBehindRemoteAnimation of KeyguardViewMediator.java, there is a possible lockscreen bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 6.2
MEDIUM This Month

In multiple functions of ProfilingService.java, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. [CVSS 6.2 MEDIUM]

Denial Of Service Android Google
NVD
EPSS 0% CVSS 6.2
MEDIUM This Month

In multiple functions of ProfilingService.java, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. [CVSS 6.2 MEDIUM]

Denial Of Service Android Google
NVD
EPSS 0% CVSS 8.4
HIGH This Week

In multiple locations, there is a possible way to delete media without the MANAGE_EXTERNAL_STORAGE permission due to an intent redirect. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Android versions up to 14.0 contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 8.4).

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In multiple functions of MediaProvider.java, there is a possible way to bypass the WRITE_EXTERNAL_STORAGE permission due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.8 HIGH]

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 7.4
HIGH This Week

In multiple functions of KeyguardViewMediator.java, there is a possible lockscreen bypass due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.4 HIGH]

Privilege Escalation Race Condition Android +1
NVD
EPSS 0% CVSS 8.4
HIGH This Week

In validateAddingWindowLw of DisplayPolicy.java, there is a possible way for an app to intercept drag-and-drop events due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 7.4
HIGH This Week

In multiple locations, there is a possible lockscreen bypass due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.4 HIGH]

Privilege Escalation Race Condition Android +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In multiple locations, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.8 HIGH]

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 8.4
HIGH This Week

In UsageEvents of UsageEvents.java, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Android versions up to 14.0 is affected by cleartext transmission of sensitive information (CVSS 6.5).

Information Disclosure Android Google
NVD
EPSS 0% CVSS 8.8
HIGH This Week

In broadcastIntentLockedTraced of BroadcastController.java, there is a possible way to launch arbitrary activities from the background on the paired companion phone due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.8 HIGH]

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Android versions up to 14.0 contains a vulnerability that allows attackers to local denial of service if a malicious actor has already obtained the System pri (CVSS 4.4).

Denial Of Service Race Condition Android +1
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Local privilege escalation in Android's display module stems from insufficient bounds checking in memory operations, allowing system-level attackers to corrupt memory and gain elevated privileges without user interaction. The vulnerability affects Android devices where an adversary with existing system privileges can exploit this flaw to further escalate their access. No patch is currently available for this issue.

Memory Corruption Privilege Escalation Android +1
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Local privilege escalation in Android's display subsystem exploits a use-after-free memory corruption vulnerability to elevate from system-level privileges, requiring no user interaction. An attacker with pre-existing system access can trigger the memory corruption to gain complete control over the affected device. No patch is currently available to remediate this issue.

Use After Free Memory Corruption Privilege Escalation +2
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Android's display subsystem crashes due to a use-after-free memory error that allows a privileged local attacker to trigger a denial of service without user interaction. Exploitation requires pre-existing system-level access, limiting impact to scenarios where an attacker has already compromised the device at the highest privilege level. No patch is currently available for this vulnerability.

Use After Free Denial Of Service Android +1
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Android's MAE component contains an out-of-bounds write vulnerability due to insufficient bounds checking that enables local privilege escalation for attackers with existing system-level access. This memory corruption flaw requires no user interaction and could allow a privileged malicious actor to achieve arbitrary code execution, though exploitation is currently not publicly documented. No patch is currently available for this vulnerability.

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Android versions up to 15.0 contains a vulnerability that allows attackers to local escalation of privilege if a malicious actor has already obtained the Syst (CVSS 6.7).

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Android's imgsys component is vulnerable to a use-after-free condition that enables local denial of service attacks. Exploitation requires system-level privileges and causes immediate system crashes without user interaction. No patch is currently available for this vulnerability.

Use After Free Denial Of Service Android +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Android versions up to 15.0 contains a vulnerability that allows attackers to local escalation of privilege if a malicious actor has already obtained the Syst (CVSS 6.4).

Privilege Escalation Race Condition Android +1
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Android MAE component is vulnerable to a use-after-free condition that can trigger a system crash, resulting in denial of service for devices where an attacker has already obtained system-level privileges. No user interaction is required for exploitation. Currently, no patch is available for this vulnerability.

Use After Free Denial Of Service Android +1
NVD
EPSS 0% CVSS 4.6
MEDIUM This Month

Device unique identifiers in the preloader of Openwrt, Android, Yocto, RDK-B, and Zephyr can be read by attackers with physical access due to a logic error, leading to local information disclosure without requiring additional privileges or user interaction. This vulnerability affects multiple embedded and IoT platforms where the preloader executes before operating system initialization. No patch is currently available for this issue.

Information Disclosure Openwrt Android +4
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Android's display component fails to validate buffer boundaries during read operations, allowing a system-privileged attacker to access sensitive memory contents without user interaction. This out-of-bounds read vulnerability enables local information disclosure to any malicious process running with System privileges. No patch is currently available to address this issue.

Information Disclosure Android Google
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Improper bounds checking in Android's display subsystem enables local privilege escalation for attackers with system-level access, potentially allowing them to execute arbitrary code with elevated privileges. The vulnerability stems from an out-of-bounds write condition that requires no user interaction to exploit. No patch is currently available for this medium-severity issue.

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Android's display subsystem contains a buffer overflow vulnerability stemming from insufficient bounds validation, allowing attackers with system-level privileges to escalate their access further without user interaction. This local privilege escalation affects Android devices and requires an attacker to already possess system privileges, limiting the immediate threat scope. While no patch is currently available, the vulnerability poses a significant risk in multi-user or containerized Android environments where system compromise could lead to complete device control.

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Android's display component contains an out-of-bounds write vulnerability due to insufficient bounds checking that could allow a system-privileged attacker to escalate privileges without user interaction. The vulnerability affects devices where an adversary has already obtained system-level access, enabling potential memory corruption and further privilege elevation. No patch is currently available.

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Android's display module contains an out-of-bounds write vulnerability due to insufficient bounds validation, enabling local privilege escalation for attackers who already possess System-level access. The vulnerability requires no user interaction and could allow complete system compromise through memory corruption. No patch is currently available for this medium-severity issue.

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Android's display component contains an out-of-bounds read vulnerability stemming from insufficient bounds validation, allowing system-privileged attackers to disclose sensitive memory contents without user interaction. The vulnerability requires pre-existing system-level access but poses a high confidentiality risk through local information disclosure. No patch is currently available.

Information Disclosure Android Google
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Local privilege escalation in Android's PCIe driver allows system-level attackers to execute arbitrary code through an out-of-bounds write caused by insufficient bounds validation. Exploitation requires pre-existing system privileges but no user interaction, enabling a compromised system component to gain complete device control. No patch is currently available.

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Arbitrary file write & potential privilege escalation exploiting zip slip vulnerability in Google Web Designer.

Google Privilege Escalation Path Traversal
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploita...

Authentication Bypass Google
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW Monitor

Authenticated attackers can read arbitrary files from a VLC for Android device running versions before 3.7.0 by exploiting a path traversal flaw in the Remote Access Server's download endpoint. The vulnerability allows directory traversal through an unsanitized file parameter, though impact is limited to files accessible within the Android app's sandbox and storage permissions. No patch is currently available for this medium-severity vulnerability.

Path Traversal Google
NVD GitHub
EPSS 0%
This Week

A vulnerability in Google Cloud Vertex AI Workbench from 7/21/2025 to 01/30/2026 allows an attacker to exfiltrate valid Google Cloud access tokens of other users via abuse of a built-in startup script. All instances after January 30th, 2026 have been patched to protect from this vulnerability.

Google
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Spoofing in Firefox for Android WebAuthn component before 148. Allows phishing attacks through WebAuthn UI manipulation.

Mozilla Google Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Uninitialized memory in Firefox and Firefox Focus for Android versions prior to 148 enables remote attackers to read sensitive data without authentication or user interaction. The vulnerability allows information disclosure through memory that was not properly cleared before use, potentially exposing confidential user information to network-based attackers.

Information Disclosure Mozilla Google
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Google Chrome versions prior to 145.0.7632.116 allow attackers to inject malicious scripts or HTML into privileged pages through a compromised DevTools extension if a user can be tricked into installing it. The vulnerability requires user interaction to install a malicious extension but could enable unauthorized script execution in sensitive browser contexts. No patch is currently available.

Google Chrome Red Hat +1
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Out-of-bounds read and write in Chrome Tint shader compiler on Mac before 145.0.7632.116. More severe than CVE-2026-3061 due to additional write capability enabling potential code execution.

Chrome Google Red Hat +1
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds read in Google Chrome Media component before 145.0.7632.116 allows remote attackers to perform memory reads via crafted media content.

Google Chrome Red Hat +1
NVD
EPSS 0% CVSS 1.1
LOW PATCH Monitor

A vulnerability was identified in AliasVault App up to 0.25.3 on Android/iOS. This vulnerability affects unknown code of the file shared_prefs/aliasvault.xml of the component Backup Handler. [CVSS 2.5 LOW]

Authentication Bypass Hashicorp Google
NVD GitHub VulDB
EPSS 0%
PATCH Monitor

Predictable bucket naming in Vertex AI Experiments in Google Cloud Vertex AI from version 1.21.0 up to (but not including) 1.133.0 on Google Cloud Platform allows an unauthenticated remote attacker to achieve cross-tenant remote code execution, model theft, and poisoning via pre-creating predictably named Cloud Storage buckets (Bucket Squatting).

Google RCE
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Stored Cross-Site Scripting (XSS) in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions from 1.98.0 up to (but not including) 1.131.0 allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment via injecting script escape sequences into model evaluation results or dataset JSON data.

Google XSS
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Missing Authorization vulnerability in Saiful Islam Sync Master Sheet &#8211; Product Sync with Google Sheet for WooCommerce product-sync-master-sheet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sync Master Sheet &#8211; Product Sync with Google Sheet for WooCommerce: from n/a through <= 1.1.3.

WordPress Authentication Bypass Google
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GA4WP: Google Analytics for WordPress: from n/a through <= 2.10.0. [CVSS 6.5 MEDIUM]

WordPress Authentication Bypass Google
NVD
EPSS 0%
This Week

A SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet versions up to 2025-11 is affected by server-side request forgery (ssrf).

Google SSRF
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Google Chrome versions before 145.0.7632.109 contain a heap buffer overflow in the Media component that can be triggered by a remote attacker through a specially crafted HTML page, potentially leading to heap corruption and arbitrary code execution. The vulnerability requires user interaction to exploit and affects all Chrome users who encounter a malicious webpage. No patch is currently available for this high-severity issue.

Google Buffer Overflow Chrome +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption in Google Chrome's V8 engine prior to version 145.0.7632.109 can be triggered through integer overflow vulnerabilities when processing malicious HTML pages. An unauthenticated attacker can exploit this by tricking users into visiting a crafted webpage, potentially achieving arbitrary code execution with high impact to confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

Google Integer Overflow Chrome +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Google Chrome's PDFium library contains a heap buffer overflow vulnerability that enables remote attackers to execute arbitrary code or corrupt memory by opening specially crafted PDF files, affecting all users without requiring authentication or special user interaction. The vulnerability impacts Chrome versions prior to 145.0.7632.109 with a high CVSS score of 8.8, though no patch is currently available. An attacker can exploit this to achieve complete compromise of the affected system including confidentiality, integrity, and availability of data.

Buffer Overflow Chrome Google +2
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: KVM: Don't clobber irqfd routing type when deassigning irqfd When deassigning a KVM_IRQFD, don't clobber the irqfd's copy of the IRQ's routing entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86 and arm64, which explicitly look for KVM_IRQ_ROUTING_MSI.

Linux Null Pointer Dereference Amd +4
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

A race condition in the Linux kernel NFC subsystem allows local attackers with low privileges to cause a denial of service by triggering a use-after-free condition between rfkill device unregistration and NCI command queue destruction. An attacker can exploit this by closing a virtual NCI device file while rfkill operations are in progress, causing the kernel to access a destroyed work queue. No patch is currently available for this vulnerability.

Linux Race Condition Information Disclosure +4
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The Linux kernel's ARM64 hibernation resume function fails to disable Control Flow Integrity (CFI) checking, causing a data abort exception when resuming from hibernation on affected systems. A local attacker with hibernation access could trigger a denial of service by invoking the resume function without proper CFI validation. This affects Linux kernel deployments on ARM64 architecture, though no patch is currently available.

Linux Information Disclosure Google +4
NVD VulDB
EPSS 0% 4.8 CVSS 8.8
HIGH POC KEV PATCH THREAT Act Now

Google Chrome's CSS engine contains a use-after-free vulnerability (CVE-2026-2441, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox through crafted HTML pages. KEV-listed with public PoC, this vulnerability enables drive-by exploitation when users visit malicious or compromised websites.

Google Use After Free Chrome +2
NVD GitHub VulDB Exploit-DB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Man-in-the-middle interception affects the Xiaomi Galaxy FDS Android SDK (galaxy-fds-sdk-android) version 3.0.8 and prior, which disables TLS hostname verification whenever HTTPS is enabled — the default. Because createHttpClient() installs Apache HttpClient's ALLOW_ALL_HOSTNAME_VERIFIER, any TLS certificate from any host is accepted, letting an on-path attacker impersonate Xiaomi FDS cloud storage endpoints and steal authentication credentials, file contents, and API responses. EPSS is very low (0.03%, 8th percentile) and there is no public exploit identified at time of analysis, but the project has reached end-of-life so no fix is expected.

Apache Google Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 4.3).

Google Chrome Red Hat +1
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 5.4).

Google Chrome Red Hat +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption in Google Chrome's Ozone component (versions prior to 145.0.7632.45) stems from a use-after-free vulnerability that can be triggered when users interact with malicious HTML pages through specific UI gestures. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution with high impact on confidentiality, integrity, and availability. No patch is currently available, leaving affected Chrome users vulnerable to exploitation.

Google Use After Free Chrome +2
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 6.5).

Google Chrome Red Hat +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Google Chrome versions prior to 145.0.7632.45 contain a race condition in DevTools that allows remote attackers to corrupt objects by convincing users to perform specific UI interactions and install a malicious extension. An attacker exploiting this vulnerability could achieve high-impact outcomes including information disclosure, data modification, or denial of service. The vulnerability currently has no available patch.

Google Chrome Red Hat +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 6.5).

Google Chrome Red Hat +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Google Chrome versions before 145.0.7632.45 contain an animation implementation flaw that allows remote attackers to exfiltrate cross-origin data through specially crafted HTML pages. The vulnerability requires user interaction to trigger and affects all Chrome users, potentially exposing sensitive information from other websites. No patch is currently available.

Google Chrome Red Hat +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 6.5).

Google Chrome Red Hat +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Out of bounds memory access in Google Chrome's WebGPU implementation prior to version 145.0.7632.45 allows unauthenticated attackers to trigger memory corruption through a malicious HTML page. This vulnerability requires user interaction but carries high risk due to potential for arbitrary code execution or information disclosure. No patch is currently available.

Google Chrome Red Hat +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap buffer overflow in Google Chrome's codec implementation prior to version 145.0.7632.45 enables remote attackers to corrupt heap memory and potentially achieve arbitrary code execution through a malicious HTML page. The vulnerability requires user interaction to visit a crafted webpage but does not require special privileges, affecting all Chrome users. No patch is currently available.

Google Buffer Overflow Chrome +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption in Google Chrome's CSS engine prior to version 145.0.7632.45 can be triggered through crafted HTML pages, enabling remote attackers to achieve arbitrary code execution without user interaction beyond viewing a malicious webpage. The vulnerability stems from a use-after-free memory flaw that affects all Chrome users, and currently no patch is available. With a CVSS score of 8.8 and low exploit difficulty, this represents a critical risk to active Chrome installations.

Google Use After Free Chrome +2
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Missing bounds check in Android VPU (Video Processing Unit) driver's vpu_mmap allows arbitrary address memory mapping, potentially leading to local privilege escalation on Android devices.

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

The Linux kernel bonding driver fails to validate device types before enabling 802.3AD mode, allowing local privileged attackers to trigger out-of-bounds memory reads via malformed hardware address operations. This vulnerability affects systems running vulnerable Linux kernel versions and could lead to denial of service or information disclosure. No patch is currently available for this high-severity vulnerability.

Linux Buffer Overflow Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Chrome versions up to 144.0.7559.132 is affected by access of resource using incompatible type (type confusion) (CVSS 8.8).

Chrome Google Suse
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap buffer overflow in Chrome's libvpx video codec allows remote attackers to achieve arbitrary code execution through a malicious webpage, requiring only user interaction to trigger exploitation. The vulnerability affects Chrome versions prior to 144.0.7559.132 and currently lacks a patch. With a CVSS score of 8.8, this high-severity flaw poses significant risk to users who visit compromised or attacker-controlled websites.

Buffer Overflow Chrome Google +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Local privilege escalation in Android's PCIe driver stems from an out-of-bounds write vulnerability caused by insufficient bounds validation, allowing attackers with system-level privileges to escalate their access without user interaction. This medium-severity vulnerability (CVSS 5.3) affects Android devices and currently has no available patch. The CWE-787 vulnerability requires an attacker to already possess system privileges, limiting the immediate exploitation scope.

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Android versions up to 15.0 contains a vulnerability that allows attackers to local denial of service if a malicious actor has already obtained the System pri (CVSS 5.5).

Memory Corruption Denial Of Service Android +1
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Android's imgsys component contains a use-after-free vulnerability that allows privilege escalation when exploited by an attacker who already has system-level access. The flaw requires no user interaction and could enable a malicious actor to escalate their privileges further within the device. Currently, no patch is available to address this vulnerability.

Use After Free Privilege Escalation Android +1
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Android versions up to 15.0 contains a vulnerability that allows attackers to local escalation of privilege if a malicious actor has already obtained the Syst (CVSS 6.7).

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 7.8
HIGH This Week

The Android cameraisp component contains an out-of-bounds write vulnerability due to insufficient bounds validation, enabling privilege escalation for attackers who have already gained system-level access. No user interaction is required for exploitation, and the vulnerability affects confidentiality, integrity, and availability of the device. No patch is currently available.

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 7.8
HIGH This Week

A use-after-free vulnerability in Android's cameraisp component allows privilege escalation to local denial of service for attackers with system-level access, requiring no user interaction. The flaw enables malicious actors to manipulate memory safety boundaries and execute arbitrary actions within the camera service context. No patch is currently available for this vulnerability.

Use After Free Denial Of Service Privilege Escalation +2
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Local privilege escalation in Android's imgsys component allows system-level processes to achieve full system compromise through an out-of-bounds write caused by insufficient bounds validation. An attacker with existing system privileges can exploit this flaw without user interaction to gain complete control over the affected device. No patch is currently available for this vulnerability.

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 7.8
HIGH This Week

An out-of-bounds write vulnerability in Android's imgsys component allows a local attacker with system-level privileges to escalate permissions and gain complete control over the device due to insufficient bounds checking. The vulnerability requires no user interaction and cannot be patched in current versions. This affects Android devices where an attacker has already obtained elevated system access.

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data disclosure in Google Chrome's Background Fetch API prior to version 144.0.7559.110 enables remote attackers to steal sensitive information from other websites through specially crafted HTML pages, requiring only user interaction. The vulnerability affects all Chrome users and has a patch available in the latest version.

Google Chrome Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The Linux kernel's ipgre_header() function lacks proper validation when handling dynamically resized network device headers, allowing local attackers with network privileges to trigger kernel panics through memory corruption. This vulnerability affects systems using team or bonding drivers that can modify device headroom parameters, enabling denial of service attacks without requiring user interaction.

Linux Denial Of Service Google
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A use-after-free vulnerability in the Linux kernel's IPv6 address deletion function allows local attackers with user privileges to corrupt memory and potentially execute arbitrary code or cause a denial of service. The flaw occurs when ipv6_del_addr() is called prematurely before temporary address flags are read, leaving a dangling pointer reference. No patch is currently available for this high-severity vulnerability affecting Linux systems.

Linux Use After Free Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A race condition in Linux kernel routing code allows local authenticated attackers to cause a denial of service by triggering a kernel crash through unsynchronized list operations in rt6_uncached_list_del() and rt_del_uncached_list(). The vulnerability occurs when concurrent CPU operations on list data structures result in use-after-free conditions during list initialization. No patch is currently available for this medium-severity issue.

Linux Denial Of Service Google +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The Linux kernel's IPv6 tunnel implementation fails to properly handle VLAN-encapsulated packets in __ip6_tnl_rcv(), allowing a local attacker with user privileges to cause a denial of service through uninitialized memory access. The vulnerability stems from using an insufficient packet validation function that does not account for VLAN headers, triggering kernel crashes during ECN decapsulation. No patch is currently available for this medium-severity issue affecting Linux systems.

Linux Google Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A use-after-free vulnerability in the Linux kernel's macvlan driver allows local attackers with user privileges to cause memory corruption and potential privilege escalation through improper RCU synchronization in the macvlan_forward_source() function. The flaw stems from missing RCU protection when clearing vlan pointers during source entry deletion, enabling attackers to access freed memory structures. No patch is currently available for this HIGH severity vulnerability affecting Linux distributions.

Linux Google Use After Free +2
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

VK Google Job Posting Manager (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS Google
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

themebeez Universal Google Adsense and Ads manager universal-google-adsense-and-ads-manager is affected by missing authorization (CVSS 5.3).

Authentication Bypass Google
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Prince Integrate Google Drive integrate-google-drive is affected by missing authorization (CVSS 5.4).

Google Authentication Bypass
NVD
Prev Page 25 of 156 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy